Qualis-Lab

Microsoft Defines the Future of AI Agents: Launches Agent Control Specification

Microsoft unveiled an open-source standard that enables granular control over what AI agents can do, combining security, auditing, and governance in a single portable framework.

Equipo Qualis
Editorial team

The agent-first era: a new governance challenge

As AI agents become more capable and are deployed across multiple environments and business applications, organizations face a fundamental challenge: ensuring an agent does exactly what it should do, without deviating. Currently, development teams improvise solutions — system prompt instructions, custom code validations, classifiers to filter inputs and outputs — but these fragmented approaches are difficult to audit, reuse, and scale across different frameworks.

This is the problem Microsoft aims to solve with Agent Control Specification (ACS), an open standard presented at Build 2026 that integrates distributed controls into a common governance layer.

What is Agent Control Specification

ACS allows development, compliance, and security teams to define shared policies that agents must follow. These policies are written in portable files that can be packaged alongside the agent and follow it across different frameworks and infrastructures.

Each policy specifies:

  • Which actions are permitted or prohibited
  • When human approval is required before executing an action
  • What information must be redacted or logged for audit purposes
  • How to classify data or assess risks in real time

The system checks these guardrails at multiple "interception points" during agent execution: before receiving input, before calling a tool, after a tool returns a result, and before sending the final response to the user.

Granular control and operational flexibility

Unlike monolithic validations, ACS enables four types of responses when encountering a questionable action:

  • Allow the action completely
  • Block the action
  • Redact sensitive information before proceeding
  • Request human approval before executing
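
The flow described above, four interception points and four possible responses, sketched as an added example. It is not code from the article, Microsoft, or the ACS SDK; the policy field names, the tool names, and the block-by-default rule for unlisted tools are assumptions made for illustration.

```python
import re
from enum import Enum

# The four interception points and four responses the article lists.
Point = Enum("Point", "INPUT PRE_TOOL POST_TOOL OUTPUT")
Decision = Enum("Decision", "ALLOW BLOCK REDACT REQUIRE_APPROVAL")

SSN = r"\b\d{3}-\d{2}-\d{4}\b"  # constructed example of data to redact

# Constructed policy. Field and tool names are hypothetical, not the ACS schema.
POLICY = [
    {"at": Point.PRE_TOOL, "tool": "search_kb", "decision": Decision.ALLOW},
    {"at": Point.PRE_TOOL, "tool": "wire_transfer", "decision": Decision.REQUIRE_APPROVAL},
    {"at": Point.POST_TOOL, "pattern": SSN, "decision": Decision.REDACT},
    {"at": Point.OUTPUT, "pattern": SSN, "decision": Decision.REDACT},
]
# Assumption of this sketch: a tool with no rule is blocked (allowlist);
# the other interception points default to allow.
DEFAULT = {Point.PRE_TOOL: Decision.BLOCK}

def evaluate(point, text, tool=None, audit=None):
    """Apply the first matching rule at one interception point; return (decision, text)."""
    decision, out = DEFAULT.get(point, Decision.ALLOW), text
    for rule in POLICY:
        if rule["at"] is not point or rule.get("tool", tool) != tool:
            continue
        if "pattern" in rule and not re.search(rule["pattern"], text):
            continue
        decision = rule["decision"]
        if decision is Decision.REDACT:
            out = re.sub(rule["pattern"], "[REDACTED]", text)
        break
    if decision in (Decision.BLOCK, Decision.REQUIRE_APPROVAL):
        out = None  # blocked or pending approval: nothing is passed on
    if audit is not None:  # every decision is logged, including plain allows
        audit.append((point.name, tool, decision.name))
    return decision, out

def guarded_call(tool, args, impl, audit):
    """Run a tool only if the pre-call check allows it, then filter its result."""
    decision, _ = evaluate(Point.PRE_TOOL, repr(args), tool, audit)
    if decision is not Decision.ALLOW:
        return decision, None  # the tool implementation is never invoked
    return evaluate(Point.POST_TOOL, impl(**args), tool, audit)
```

The audit list records one entry per check, so a denied call leaves a trace even though the tool never ran.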

Developers can also integrate input/output classifiers to categorize information, use language models as policy "judges," and apply custom logic to validate tool calls, function selection, input accuracy, and response format.

Because these are standalone files, policies travel with the agent: a corporate security policy can be applied identically across development, staging, and production, eliminating inconsistencies.

Availability and ecosystem

ACS launches as an SDK with plugins for the most popular frameworks: LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and more. This breadth of compatibility underscores Microsoft's goal: not to impose its solution, but to establish a standard the industry can adopt.

Implications for business

For any organization evaluating the deployment of AI agents in customer support, RPA, finance, or critical internal processes, this announcement marks an inflection point. Until now, the choice was binary: either you constrained an agent within very strict limits (and limited its usefulness), or you let it loose at the risk of cascading failures.

ACS opens a third path: a trust-but-verify model. It enables enterprises to:

  • Audit every action an agent takes, creating full traceability
  • Apply uniform policies without duplicating logic in code
  • Scale without losing control: a policy from one business unit can be replicated to others without reimplementation
  • Integrate compliance from the start: finance and legal can participate in defining guardrails before deployment

This is especially relevant in regulated sectors (banking, insurance, healthcare) where audit trails and accountability are non-negotiable.

The launch of ACS is not a minor product detail; it reflects that Microsoft, and by extension the market, understands that AI agents will move from lab experiments to operational automations. And when you automate at scale, governance stops being an afterthought and becomes architecture.
