New spec lets devs put AI agents on a leash

Microsoft just shipped an open source standard called Agent Control Specification (ACS), built to give developers a consistent, granular way to control what AI agents are actually allowed to do once they’re deployed. According to TechCrunch AI, the spec lands as enterprises rush to put agents to work across apps and workflows, only to hit a hard question: how do you make sure an agent behaves the same way no matter where it’s running? ACS is Microsoft’s answer.

What stands out here is the timing. Agents are getting more capable, and the horror stories are piling up: tool misuse, unintended actions, cascading failures that start small and snowball. Right now, as TechCrunch AI reports, developers patch this together by hand. They stuff rules into a system prompt, bolt custom checks onto their app code, or run classifiers to catch bad inputs and outputs. Those tricks work, but they leave companies with scattered controls that are hard to audit and nearly impossible to reuse across different frameworks.

What ACS actually does

ACS pulls those controls into one common governance layer. Developer, compliance, and security teams write their own policies that spell out what an agent may do, what it must never do, when a human has to sign off, and what evidence gets logged for later review.

The clever part is where those policies get enforced. ACS checks the agent at several “interception points” while it’s mid-task:

  • Before the agent receives input
  • Before it calls a tool
  • After a tool returns a result
  • Before the final response reaches the user

At each checkpoint, a policy can allow the action, block it, redact sensitive information, or kick it to a person for approval. Developers can also drop in classifiers to categorize information or predict outcomes, add an LLM to act as a “judge” for policies, and write logic that checks tool calls, tool selection, input accuracy, and output usage.
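The checkpoint flow described above, sketched as an added example: this is not the ACS SDK or its policy file format, and every name in it (`Guard`, `guarded_tool_call`, the three policy functions, the tool names) is hypothetical. It routes one tool call through the pre-tool and post-tool checkpoints, applies the four outcomes, and records an audit entry for each policy hit.

```python
import re

POINTS = ("pre_input", "pre_tool", "post_tool", "pre_output")  # the four checkpoints
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # constructed sensitive-data pattern

# Each policy returns None (no opinion) or (verdict, payload).
def deny_shell(point, payload):
    if point == "pre_tool" and payload.get("tool") == "run_shell":
        return "block", payload

def approve_payments(point, payload):
    if point == "pre_tool" and payload.get("tool") == "send_payment":
        return "approve", payload

def redact_ssn(point, payload):
    text = payload.get("text", "")
    if point in ("post_tool", "pre_output") and SSN.search(text):
        return "redact", {**payload, "text": SSN.sub("[REDACTED]", text)}

class Guard:
    def __init__(self, policies, approver=lambda payload: False):
        self.policies = policies
        self.approver = approver  # human sign-off hook; the default fails closed
        self.audit = []           # evidence trail: (point, policy, verdict, effect)

    def check(self, point, payload):
        if point not in POINTS:
            raise ValueError(point)
        for policy in self.policies:
            result = policy(point, payload)
            if result is None:
                continue
            verdict, payload = result
            denied = verdict == "block" or (
                verdict == "approve" and not self.approver(payload))
            self.audit.append(
                (point, policy.__name__, verdict, "block" if denied else "allow"))
            if denied:
                return "block", None
        return "allow", payload

def guarded_tool_call(guard, tools, tool, args):
    """Run one tool call through the pre-tool and post-tool checkpoints."""
    effect, _ = guard.check("pre_tool", {"tool": tool, "args": args})
    if effect == "block":
        return "[blocked by policy]"
    result = str(tools[tool](**args))
    effect, out = guard.check("post_tool", {"tool": tool, "text": result})
    return out["text"] if effect == "allow" else "[blocked by policy]"
```

Because the approver defaults to a refusal, a deployment that forgets to wire up the human sign-off step blocks the action instead of silently allowing it.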

Why the single-file design matters

Here’s the piece that makes ACS more than another config format. Policies can be written as single files, so they travel with the agent. A security policy follows the agent across frameworks and environments instead of getting rebuilt every time the agent moves. That directly attacks the fragmentation problem TechCrunch AI flagged: controls that don’t reuse, can’t be audited cleanly, and break when you switch systems.

This is significant because governance has been the weak link in agent deployment. Capability raced ahead, control lagged behind. A portable, auditable policy layer is exactly what compliance and security teams have been improvising toward on their own.

Who can use it and where

ACS is shipping as an SDK with plug-ins for a long list of popular agent frameworks, including:

  • LangChain
  • OpenAI Agents SDK
  • Anthropic Agents SDK
  • AutoGen
  • CrewAI
  • Semantic Kernel
  • Microsoft.Extensions.AI
  • MCP tools

That lineup is a statement. Microsoft isn’t trying to lock this to its own stack. By supporting rival SDKs from OpenAI and Anthropic out of the gate, ACS is positioned as a neutral standard rather than a Microsoft-only play. For an open source spec aiming to become the default governance layer, broad framework support is the whole game.

What to watch next

The practical use cases are clear: regulated industries that need audit trails, security teams that want hard guardrails on tool access, and any company running agents across more than one framework. The logging requirement alone matters for anyone facing compliance review, since it produces the evidence trail auditors ask for.

The open question is adoption. A control spec only works if enough of the ecosystem treats it as the standard, and Microsoft is far from the only player thinking about agent governance. The framework plug-ins are a strong start, but standards live or die on whether developers actually build on them.

For now, ACS gives teams a real alternative to duct-taping controls onto every agent by hand. That’s a meaningful step toward agents you can trust in production. Full technical details are available at the original TechCrunch AI report.
