Microsoft is trying to use a new set of open source standards to help companies more controllably deploy increasingly powerful AI agents in different systems and applications. This set of standards, called the "Agent Control Specification" (ACS for short), aims to provide developers with a more consistent and fine-grained way to limit what AI agents can and cannot do, and when human intervention is necessary.
As enterprises accelerate the embedding of AI agents into various applications, workflows, and products, a prominent dilemma is how to ensure that the same agent always behaves as expected and compliant when running in different environments. At present, developers often build control mechanisms in a "spliced" manner through system prompt words, adding custom verifications to application codes, or using classifiers to intercept problem input and output. These practices may work in the short term, but they can easily result in control strategies being scattered across different frameworks and interfaces, making them difficult to audit and reuse across multiple systems. This pain point has become increasingly prominent as the industry reflects on issues such as errors in calling AI tools and chain failures caused by unexpected operations.
Microsoft says the goal of ACS is to consolidate disparate controls into a unified governance layer that allows development, compliance and security teams to constrain agent behavior through a single policy document. In these policy documents, teams can clearly state what actions are allowed and prohibited for agents, under what circumstances human approval is required, and what evidence needs to be logged for later review. The system checks against these policies at key "interception points" where the agent performs its tasks to ensure that the agent always operates within the "guardrails."
Specifically, ACS allows detection to be implemented at multiple stages of the agent workflow: before the agent receives input, before calling the tool, after the tool returns results, and before outputting a final reply to the user. Policies can give different actions on these nodes: for example, directly allowing an action, blocking execution, desensitizing or covering sensitive information, or submitting decisions to designated personnel for approval. In addition, developers can also integrate input and output classifiers to classify information, predict possible outcomes, or guide agents how to respond; they can also introduce large-scale language models to match specific prompt words, let them act as policy "referees", and add logic to check tool invocation, tool selection, input accuracy, output usage, and reply content.
A major design idea of ACS is to write these control policies into a single, independent, portable file and "package" it with the agent. In this way, the same set of security and compliance policies can be migrated with the agent between different frameworks and operating environments without repeatedly rewriting the rule logic, thereby enhancing cross-system consistency and auditability. For large enterprises that are promoting AI deployment in multiple business lines and multiple technology stacks in parallel, this "strategy follows the agent" model is expected to reduce governance costs while improving compliance transparency.
In its implementation form, ACS is provided in the form of SDK and has been integrated into multiple mainstream agent frameworks and development tools. According to reports, ACS SDK currently supports LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI and MCP tools and other ecosystems. Through these plug-ins, developers can connect ACS to existing agent applications and embed policy files into original workflows without rebuilding the system architecture from scratch.
At a time when AI agents are rapidly penetrating enterprise businesses, how to find a balance between "usable" and "easy to use" and "controllable" and "auditable" has become a realistic issue faced by technical teams, compliance departments, and security teams. The Agent Control Specification launched by Microsoft this time attempts to provide the industry with a unified governance infrastructure in an open standard manner so that AI agents can maintain flexibility while being clearly constrained and accountable when running in different scenarios.