Microsoft unveils open-source standard to govern AI agents

Microsoft moved to close one of enterprise AI’s biggest gaps: proving that an autonomous agent stayed inside the rules while it worked. The company introduced Agent Control Specification, or ACS, an open, vendor-neutral standard for runtime governance that lets developer, compliance and security teams write portable policy files for agents to follow.

Those policies can spell out what an agent may do, what it must not do, when a human has to approve an action, and what evidence must be logged for later review. Microsoft said ACS checks behavior at multiple intervention points, including before input is processed, before a tool is called, after a tool returns a result and before the final response goes back to the user. Depending on the policy, the system can allow an action, block it, redact sensitive information or route the decision to a person.

The point is bigger than one product release. Enterprise teams have been improvising control layers with system prompts, custom code checks and classifiers to catch risky inputs and outputs. Those methods can work, but they leave organizations with fragmented controls that are difficult to audit and even harder to reuse across frameworks, interfaces and environments. ACS is meant to turn that patchwork into a common governance layer that can travel with the agent itself.

Microsoft said ACS ships as an SDK with plugins for LangChain, the OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI and MCP tools. The company described the standard as part of its Agent Governance Toolkit, which it released on April 2, 2026, as an open-source project under the Microsoft organization and MIT license. Microsoft said the toolkit is available in Python, TypeScript, Rust, Go and .NET, and that it addresses all 10 OWASP Agentic Top 10 risks with deterministic, sub-millisecond policy enforcement.

The governance push reflects the risks companies are already confronting: agent sprawl, over-privileged access, tool misuse, misconfigured agents, prompt injection and data leakage. Microsoft has also been building Agent 365 as a centralized control plane for observing, governing and securing agents across an organization, extending Microsoft Defender, Microsoft Entra and Microsoft Purview to AI agents. On June 2, Microsoft said Windows and Agent 365 would work together on policy-based controls and introduced an early preview of the Microsoft Execution Containers, or MXC, SDK as a cross-platform, policy-driven execution layer for Windows and WSL.

The timing is deliberate. Microsoft said in April that the Colorado AI Act becomes enforceable in June 2026 and that high-risk obligations under the European Union AI Act take effect in August 2026. For companies deploying agents into real workflows, the question now is not whether they can automate more tasks, but whether they can enforce auditable rules before regulators force the issue.