Microsoft offers devs a better way to control AI agent behavior

As AI agents grow ever more capable, enterprises racing to put them to work across applications, workflows, and products face a new challenge: ensuring an agent does what it's supposed to do when it's deployed across different environments.

Microsoft is trying to solve this problem with a new open source standard called Agent Control Specification (ACS) that aims to give developers a more consistent and granular way to control what AI agents are allowed to do.

What is Agent Control Specification?

The specification essentially lets developer, compliance, and security teams define their own policies for agents to follow. The rules can define:

  • What the agent may do
  • What it must not do
  • When a human should approve an action
  • What evidence should be logged for later review

These policy files are checked at several "interception points" while the agent is performing a task, to make sure it stays within the guardrails.

Why it matters

The spec comes as developers are improvising ways to control what their AI sees and does, with much of the conversation focused on AI workflows going wrong because of tool misuse or unintended actions that result in cascading failures.

Today, developers might:

  • Specify instructions in a system prompt
  • Add custom checks in the application code
  • Use classifiers to catch problematic inputs and outputs

Those approaches work, but they often leave companies with fragmented controls that are hard to audit and harder to reuse across different frameworks, interfaces, and systems.

How ACS works

ACS aims to integrate those controls into a common governance layer. Microsoft says the specification can be used to check whether an agent is sticking to guardrails at multiple points in its workflow:

  • Before it receives input
  • Before it calls a tool
  • After a tool returns a result
  • Before the final response is sent to the user

A policy may allow an action, block it, redact sensitive information, or even ask a person to approve it.
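
A minimal sketch of the enforcement model described above, added here as an illustration; it is not ACS policy syntax or code from Microsoft's SDK. The rule names, tool names, regexes and the `enforce` function are hypothetical, and making tool calls default-deny is an assumption of this example.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Point(Enum):          # the four interception points the article lists
    INPUT = "before_input"
    TOOL_CALL = "before_tool_call"
    TOOL_RESULT = "after_tool_result"
    RESPONSE = "before_response"

class Action(Enum):         # the four outcomes the article lists
    ALLOW = "allow"
    BLOCK = "block"
    REDACT = "redact"
    APPROVE = "require_approval"

@dataclass
class Decision:
    action: Action
    payload: str            # payload to pass on (masked if redacted)
    rule: str               # rule name, recorded as audit evidence

SSN = r"\b\d{3}-\d{2}-\d{4}\b"
# Constructed policy: (rule name, regex, action) per point, first match wins.
# Assumption: tool calls are default-deny, the other points default-allow.
POLICY = {
    Point.INPUT: [("mask-api-key", r"(?i)api[_-]?key\s*[:=]\s*\S+", Action.REDACT)],
    Point.TOOL_CALL: [("approve-payments", r"^payments\.", Action.APPROVE),
                      ("allow-read-only", r"^(search|crm\.read)\b", Action.ALLOW)],
    Point.TOOL_RESULT: [("mask-ssn", SSN, Action.REDACT)],
    Point.RESPONSE: [("mask-ssn", SSN, Action.REDACT)],
}
AUDIT_LOG = []              # evidence kept for later review

def enforce(point, payload, policy=POLICY):
    """Evaluate one payload at one interception point and log the decision."""
    default = Action.BLOCK if point is Point.TOOL_CALL else Action.ALLOW
    decision = Decision(default, payload, "default")
    for name, pattern, action in policy.get(point, []):
        if re.search(pattern, payload):
            masked = re.sub(pattern, "[REDACTED]", payload) if action is Action.REDACT else payload
            decision = Decision(action, masked, name)
            break
    AUDIT_LOG.append((point.value, decision.rule, decision.action.value))
    return decision
```

Because the tool-call point falls back to block, a tool that no rule names is refused rather than silently permitted, and every decision, including the defaults, leaves an audit entry.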

Developer capabilities

Developers can also:

  • Insert classifiers for inputs and outputs to categorize information, predict outcomes, or determine how an agent should respond
  • Add LLMs with prompts to act as a "judge" for policies
  • Add logic for checking tool calls, tool selection, input accuracy, output usage, and responses

Because these policies can be written as single files, they can be bundled with agents, allowing a security policy to follow an agent across different frameworks and environments.

Framework support

ACS is shipping as an SDK with plug-ins for:

  • LangChain
  • OpenAI Agents SDK
  • Anthropic Agents SDK
  • AutoGen
  • CrewAI
  • Semantic Kernel
  • Microsoft.Extensions.AI
  • MCP tools
  • And more