Microsoft launches open-source Agent Control Specification to standardize AI agent policy controls

Microsoft has introduced the Agent Control Specification (ACS), an open-source standard and SDK that gives developers, compliance officers, and security teams a single format to define and enforce policies for AI agents. The specification targets the risk that agents will carry out unintended or unsafe actions when embedded in different applications and environments, and is designed so policy guardrails travel with agents rather than remaining scattered across bespoke application code. For builders and enterprises, ACS aims to make governance more portable and auditable.

At the core of ACS are policy files that encode explicit rules about allowed and forbidden actions, triggers for human approval, and requirements for evidence logging and auditing. Microsoft says those policy files are evaluated at several interception points in an agent’s workflow: before input is processed, before a tool is invoked, after a tool returns results, and before the agent’s final response is sent to the user. Policies can permit, block, redact, or escalate actions for human review, and can mandate evidence collection for later inspection.

The specification also supports a range of compliance and enforcement mechanisms. ACS allows insertion of classifiers to categorize inputs and outputs, integration of LLM-based “judges” to evaluate policy compliance, and embedding of logic to check tool calls, tool selection, input accuracy, output usage, and response appropriateness. These features are intended to replace ad hoc controls — such as system prompts, bespoke application checks, and separate input/output classifiers — that can fragment safeguards and complicate audits.

Microsoft is shipping ACS as an SDK with plugins and integrations for multiple agent ecosystems, including LangChain, the OpenAI Agents SDK, the Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools and others. The SDK approach is intended to ease adoption across different runtimes and agent frameworks without forcing teams to reimplement governance code for each environment.

In practical terms, ACS lets teams bundle policy files with agent deployments so a security posture can accompany an agent as it moves between environments. The specification’s potential to reduce fragmentation and improve auditability, Microsoft and proponents say, depends on uptake by the broader agent ecosystem and whether organizations incorporate ACS into development and deployment pipelines.