Microsoft released the Agent Control Specification (ACS) at Build 2026 on June 2, an open-source standard that lets developer, compliance, and security teams define portable governance policies for AI agents. The specification ships as an SDK with plug-ins for LangChain, OpenAI Agents SDK, Anthropic SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, and MCP tools, according to TechCrunch.
The Problem ACS Targets
Enterprise teams building agents today cobble together governance from multiple sources: system prompt instructions, custom application code checks, and input/output classifiers. According to TechCrunch, those approaches leave companies with “fragmented controls that are hard to audit and harder to reuse across different frameworks, interfaces, and systems.”
The fragmentation problem gets worse as organizations scale agent deployments across multiple frameworks. An enterprise using LangChain for one workflow and Semantic Kernel for another has no portable way to enforce the same guardrails in both environments.
How ACS Works
ACS policies define what an agent may do, what it must not do, when a human should approve an action, and what evidence should be logged. These policies are checked at four interception points during agent execution:
- Before the agent receives input
- Before the agent calls a tool
- After a tool returns a result
- Before the final response reaches the user
At each checkpoint, a policy can allow an action, block it, redact sensitive information, or escalate to human approval. Developers can also plug in classifiers to categorize inputs and outputs, or use LLMs with custom prompts to act as policy “judges,” as TechCrunch reported.
The key design decision: policies are written as single files bundled with agents. A security policy travels with the agent across frameworks and environments rather than being tied to a specific runtime.
Placement in Microsoft’s Build 2026 Stack
ACS is one piece of a broader trust stack Microsoft announced at Build 2026. The official Microsoft blog described it as part of “an open, end-to-end trust stack for AI agents on any framework,” alongside ASSERT (Adaptive Spec-driven Scoring for Evaluation and Regression Testing) for policy-driven safety evaluation.
The Foundry DevBlog listed ACS alongside ASSERT and a new tool called Rubric under the trust and evaluation category, positioning it as part of the toolchain for teams moving agents from prototypes to production.
This sits alongside other Build 2026 governance announcements: MXC (Microsoft Execution Containers) for OS-level agent sandboxing, and Agent 365 for extending Entra, Defender, and Purview into a single control plane across agent estates. Where MXC handles execution isolation and Agent 365 handles identity and security monitoring, ACS handles behavioral policy at the application layer.
The Framework-Agnostic Bet
The most significant aspect of ACS is what it is not: it is not a Microsoft-only tool. The SDK ships with plug-ins for OpenAI Agents SDK, Anthropic SDK, LangChain, CrewAI, and AutoGen. That framework-agnostic approach means Microsoft is positioning itself as the governance layer for agents built on competitors’ platforms.
For enterprise teams evaluating agent governance, ACS introduces a question that did not exist a week ago: should policy live in the agent framework, the orchestration platform, or a portable specification that spans both? Microsoft is betting on the third option. Whether LangChain and Anthropic’s ecosystems adopt a Microsoft-authored governance spec at scale remains an open question, but the cross-framework SDK support suggests those conversations have already started.