- Runtime Governance: Microsoft is adding the Agent Control Specification to check AI-agent policies while workflows run.
- Policy Checks: The specification uses manifests and eight lifecycle checkpoints to return policy verdicts and audit evidence.
- Deployment Impact: Developers, security teams, and compliance teams gain portable rules without replacing existing agent runtimes.
- Market Context: ACS enters a guardrails market that already includes validation, output filtering, observability, and production safety tools.
- Adoption Test: Agent Governance Toolkit’s next version will show how teams test ACS across SDK adapters.
Microsoft has announced the Agent Control Specification (ACS) package as a new module within its Agent Governance Toolkit (AGT), adding a runtime-governance layer for checking AI-agent policies while agents run. Developers and security teams get a portable rule layer for workflows that call tools, inspect data, and make multi-step decisions across different frameworks.
For readers tracking agent deployment, runtime governance is a software layer that checks rules while an agent operates, rather than only before deployment or after logs are reviewed. ACS places those checks around live agent behavior, approvals, and audit records.
Before ACS, Microsoft had launched Entra Agent ID for enterprise AI agents and released RAMPART and Clarity as AI-agent safety tools. Microsoft’s earlier moves still left a separate policy problem for live agent behavior.
That leaves ACS focused on live policy decisions rather than identity discovery or design-time safety checks. ACS policy files are meant to describe what an agent can see, which actions need approval, and how risky steps should be recorded.
How Microsoft’s Agent Control Specification Works
Within Microsoft Agent Governance Toolkit, ACS uses manifest files to list runtime inputs, engine checks, and the decision returned to the agent system. That separation lets product teams use different runtimes while security or compliance teams maintain the same rule requirements.
Microsoft lists eight policy interception points: startup, inbound requests, model-call stages, tool-call stages, output, and shutdown. Each call passes a current snapshot into evidence providers and returns a normalized verdict, so the same policy pattern can follow an agent run from startup to shutdown.
At those checkpoints, the runtime shapes canonical input, runs configured evidence providers, invokes a policy engine, and returns a normalized verdict. For policy teams, that design creates one place to evaluate a rule without moving the agent loop, tool calls, or memory into the policy system.
Runtime checks create an audit record around the rule, decision, evidence, and approval path. Security teams can attach that record to the run instead of reconstructing a risky action from separate application logs after the fact.
ACS is a controls layer, not a replacement for orchestration. It does not run the agent loop, select tools, or manage memory, so product teams can keep their preferred runtime while policy teams maintain approval rules and logged decisions outside each framework. For enterprise teams, that distinction keeps ACS in the policy lane: it can describe decisions and evidence without forcing a migration away from existing agent frameworks.
Adoption now depends on adapters as much as on the specification itself. SDK support may span LangChain, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and related frameworks, an increasing plug-in list that reflects how fragmented agent stacks have become.
Agent Governance Toolkit’s next version adopts ACS as its policy language, making the repository the main implementation path to watch. For users, the standard will matter less as a document than as an adapter set teams can test against live agent workflows.
The Competitive Guardrails Market
In the broader guardrails field, ACS enters a category that already covers validation, output filtering, policy checks, observability, and production safety workflows. NVIDIA NeMo Guardrails, Guardrails AI, Lakera Guard, Galileo, and Azure Content Safety all sit in that AI guardrails market, while ACS occupies a portable runtime-policy role rather than a single validation product.
Microsoft has been building around the same enterprise safety problem. It recently released RAMPART and Clarity as open-source tools for AI-agent safety work, while peer projects have pushed runtime controls from different angles. OpenAI added Agents SDK sandboxing, and Nvidia’s NemoClaw work target policy-based controls for autonomous agents.
For enterprise deployments, agent safety is moving from identity and access checks toward runtime observability, policy evaluation, and auditable enforcement. ACS does not replace sandboxing, validation, or identity controls, but it gives policy teams a common place to express what should happen during an agent run.
