Microsoft gives developers a better way to control AI agent behavior.

As AI agents become more capable, companies competing to make them work across applications, workflows, and products face new challenges in ensuring that their agents perform the tasks they are supposed to perform when deployed across a variety of environments.

Microsoft is trying to solve this problem with a new open source standard called the Agent Control Specification (ACS), which aims to give developers a more consistent and granular way to control what AI agents can do.

This specification essentially allows developers, compliance, and security teams to define their own policies for agents to follow. Rules can define what an agent can do, what it must not do, when a person must approve the action, and what evidence must be recorded for future review. These policy files are checked at several "cutoff points" when the agent is not performing any action to ensure that the action is within guardrails.

The specifications come as developers improvise ways to control what the AI ​​sees and does. This is especially true with conversations focused on unintended actions that lead to cascading errors or misplaced AI workflows due to misuse of tools.

Today, developers can specify instructions in system prompts, add custom checks to their application code, or use classifiers to catch problematic input and output. While this approach works, it often leaves companies with fragmented controls that are difficult to audit and difficult to reuse across different frameworks, interfaces, and systems.

ACS aims to integrate these controls into a common governance layer. Microsoft says this specification can be used to check whether an agent complies with guardrails at several points in the workflow, including before the agent receives input, before calling a tool, after the tool returns results, and before the final response is sent to the user. Policies can allow actions, block them, modify sensitive information, or even ask a person for approval.

Developers can also insert classifiers for inputs and outputs to classify information, predict outcomes, or determine how the agent should respond. Add LLM with a prompt to act as a 'judge' for the policy. Logic to check tool invocation, tool selection, input accuracy, output usage, and response.

And these policies can be written as a single file and therefore bundled with agents, allowing security policies to follow agents across a variety of frameworks and environments.

ACS includes plugins for LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and more. Provided as class="pn0005">SDK.