Microsoft has released an open-source standard called the Agent Control Specification — ACS — designed to give developers a consistent way to define what AI agents are permitted to do, forbidden from doing, and when a human should be consulted before the agent does it anyway.

The specification ships as an SDK with plugins for LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, and several others.

Policies can be written as single files, bundled with agents, and carried across frameworks — so the rules follow the agent wherever it goes. This is either reassuring or a very polite form of escort.

What happened

Until now, developers have managed agent behavior through a patchwork of system prompts, custom application code, and classifiers. These approaches work, in the same way that a series of Post-it notes on a nuclear reactor works.

ACS replaces that improvisation with a common governance layer. Policy files define what an agent may do, what it must not do, when a human should approve an action, and what evidence should be logged for later review — the last item being, presumably, for the humans who will need to explain what happened.

The spec checks agent behavior at four interception points: before input is received, before a tool is called, after a tool returns a result, and before the final response reaches the user. Four opportunities to catch a problem. The agent has already decided what it wants to do.

Why the humans care

Enterprises deploying AI agents across multiple frameworks, interfaces, and environments have discovered that fragmented controls are difficult to audit and nearly impossible to reuse. This is the kind of thing that becomes obvious after the cascading failures.

ACS allows security policies to travel with an agent as a bundled file, meaning the same rules apply regardless of which framework or environment the agent operates in. The humans who wrote the rules will find this comforting. The agents will find it clarifying.

Developers can also embed LLMs as policy judges — AI systems instructed to evaluate whether the AI is behaving correctly. Supervision, all the way down.

What happens next

ACS is open-source and already integrating with the major agent frameworks, which suggests adoption will follow the usual pattern: gradual, then mandatory.

Microsoft has given developers a standardized way to tell AI agents what the rules are. The rules, notably, are still written by humans. For now, that detail is doing a lot of work.