If you have AI agents running in your business, you have probably asked this question at some point: how do I actually stop them from doing something they should not do?

It is an obvious problem, but most teams are solving it with improvised workarounds — hard-coded rules, ad hoc checks, or just crossing their fingers. Microsoft is trying to fix that with a proper standard.

On June 2, 2026, TechCrunch reported that Microsoft has introduced the Agent Control Specification (ACS), an open source standard designed to give developers and compliance teams a consistent, granular way to govern what AI agents are allowed to do at runtime.

What the Agent Control Specification Actually Does

The core idea is simple: instead of baking governance logic into each individual agent, you write a policy file that travels with the agent everywhere it runs.

That policy defines four things:

• What the agent may do — approved actions and tools
• What the agent must not do — blocked behaviours and off-limits data
• When a human needs to approve — escalation triggers before the agent proceeds
• What gets logged — evidence for audit and review

What makes ACS different from a simple blocklist is where and when the checks happen. The specification intercepts the agent at multiple points during its workflow: before it receives input, before it calls a tool, after a tool returns a result, and before the final response goes to the user. Each of those interception points can trigger an allow, block, redaction, or human-in-the-loop escalation.

You can also embed classifiers for inputs and outputs, use a separate language model as a “judge” for policy decisions, and add logic that checks tool selection, input accuracy, and output usage.

Framework Support

One of the more practical details here is that ACS ships as an SDK with plug-ins for the frameworks developers are already using: LangChain, the OpenAI Agents SDK, the Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, and MCP tools.

That means you do not have to rebuild agents from scratch to apply governance. You add the ACS layer to your existing stack.

Because policies can be written as single portable files, they can be bundled with agents directly. A compliance policy written once can follow the same agent across different frameworks, cloud environments, and deployment contexts.

Open Source and Vendor-Neutral

ACS is released under the Apache 2.0 license and is positioned as community-governed. Microsoft is involved but does not own or commercially gate the specification — the intent is that no single vendor controls it.

This is a notable move. Open source governance standards tend to get wider adoption than proprietary alternatives, and with plug-ins for every major agent framework, Microsoft is clearly betting on broad adoption rather than lock-in.

Why This Matters Right Now

The timing is not accidental. AI agents in enterprise settings have moved fast — faster than governance tooling has kept up.

Deloitte’s 2026 enterprise survey found that 80 percent of leaders piloting AI agents cite security and compliance as their leading obstacle, up from 68 percent a year earlier. Agents that can browse the web, call APIs, write to databases, and send emails on behalf of a business are genuinely powerful, which means the consequences of unchecked behaviour are also genuinely significant.

The current improvised approaches — prompt instructions, manual code checks, framework-specific workarounds — do not scale, are difficult to audit, and are inconsistent across different tools. ACS tries to give enterprises a proper governance layer that is consistent, auditable, and framework-agnostic.

What This Means for Business

If your business is running AI agents — or planning to — governance is not a nice-to-have. Regulators, auditors, and boards are increasingly asking exactly how these systems are controlled. Being able to point to a policy file that defines agent behaviour, logs decisions, and escalates to humans at the right moments is a much better answer than “we trust the model.”

There are three practical implications worth noting:

For businesses deploying agents: ACS gives you a way to translate compliance requirements into agent behaviour without rebuilding your stack. A policy that blocks agents from accessing customer payment data, or that flags any external API call for review, is now something you can write, test, and ship independently of the agent itself.

For teams using multiple frameworks: The fact that ACS works across LangChain, CrewAI, AutoGen, and the OpenAI and Anthropic SDKs means you can write governance once and apply it regardless of which tool built a specific agent. That matters a lot as businesses accumulate agents built by different teams with different tools.

For regulated industries: Finance, healthcare, legal — sectors where every action needs an audit trail — now have a path to using AI agents in production without building bespoke compliance layers from scratch.

The ACS does not make AI agents safe by itself. But it gives teams the infrastructure to define what safe means in their context, enforce it at runtime, and prove it after the fact.

Enterprise DNA’s view: AI agent governance is one of the biggest unsolved problems in the practical deployment of AI. Most frameworks hand you the power to build; they leave the responsibility of control entirely to you. A portable, vendor-neutral standard that works across the major frameworks is exactly the kind of infrastructure the industry needs. Whether ACS becomes the dominant standard is an open question, but the direction is right.

If you want to understand how to build governance-ready AI agent deployments in your business, book a discovery call with the Enterprise DNA team. We help businesses design AI agent systems that are not just capable, but controllable.