The agent interoperability stack has quietly settled two of its three layers. MCP won the connection layer: a standard way for an agent to reach tools and data. A2A took the second: a way for agents to discover and message each other. Both spread fast because they solved a coordination problem everyone had and nobody wanted to solve twice.

The third layer is the one that actually decides whether you can ship. Not what the agent can reach or who it can talk to, but what it is allowed to do — and, just as important, what stops it when it tries to do the wrong thing. Until this summer that layer had no standard at all. Every framework rolled its own guardrails, every team wired its own approval gates, and none of it moved when you changed frameworks. At Build 2026, Microsoft put a flag in that ground: the Agent Control Specification, an open, vendor-neutral spec for the agent control plane, shipped as v0.3.1-beta inside the Agent Governance Toolkit.

What ACS actually is#

Strip the governance language and ACS is concrete to the point of being mechanical. It defines eight intervention points in an agent's execution loop — agent_startup, input, pre_model_call, post_model_call, pre_tool_call, post_tool_call, output, agent_shutdown — and at each one the runtime evaluates a policy and returns a verdict. There are exactly five: allow, warn, transform (rewrite the thing before it proceeds), deny, and escalate (hand it to a human approval path). Any error anywhere in evaluation fails closed to deny with a reserved reason. A misconfigured manifest doesn't quietly wave actions through; it stops them.

The phrase to hold onto is structural enforcement. Microsoft's own framing draws the line cleanly: instructional guardrails tell the model what not to do and hope; ACS provides controls the model cannot override. A blocked tool call is blocked because a deny verdict at pre_tool_call means the host never executes it — not because the system prompt asked nicely. The whole config is a portable YAML or JSON manifest: versionable, auditable, diffable in a pull request. The control surface stops being a tangle of prompt instructions and becomes a file.

The smart part is what it refuses to standardize#

Here is the design decision that makes ACS more interesting than the average vendor spec: it is not a policy language. It standardizes the sockets, not the decisions.

Look at how a policy is declared and the move is obvious — a policy is bound by type: rego or type: cedar, or it names a custom host dispatcher. ACS owns where a check fires, what shape a verdict takes, and what happens when evaluation breaks. It pointedly does not own what the policy says. That stays in Rego, in Cedar, or in code you write. The runtime is stateless and deterministic; it assembles a canonical input, runs your decision engine, normalizes the answer, and enforces it.

ACS standardizes the boring, universal part — where to check, what a refusal looks like, fail closed — and leaves the contested part, what's actually allowed, exactly where the domain knowledge lives. That's not a gap. That's the whole bet.

This is the opposite of what people expect a "control standard" to do, and it is why it has a chance. The contested question — what should this agent, for this business, be permitted to do — is unstandardizable; it's domain knowledge and it changes per deployment. The universal question — at which points in any agent loop should a check be possible, and what does a portable refusal look like — is genuinely shared. ACS standardizes only the second, which is exactly the part that has to be portable for controls to survive a framework migration. You can lift the same manifest from a LangGraph agent to an AutoGen one and the gates still fire.

It crystallizes an argument the field already won#

Regular readers of this beat will recognize the thesis under the spec. We have argued before that, against prompt injection, architecture beats guardrails — that a constraint living in the system prompt is a hope, while a constraint living in code is an assertion. We have argued that 2026 reliability migrated out of the weights and into the deterministic harness around the model. ACS is that argument turned into a wire format. Its eight intervention points map almost exactly onto a harness's choke points; its verdicts are the harness's allow/deny logic, named and made portable. The market full of overlapping guardrail libraries now has a neutral interface to plug into instead of competing at.

The caveat the launch posts skip#

So adopt it and you're governed? No — and this is the honest part. ACS is, in policy-engine terms, much closer to a Policy Enforcement Point standard than a complete governance system. It reliably runs your checks at the right places and fails closed. But it assumes the decision logic exists and assumes identity and authorization are resolved upstream — it enforces a verdict; it does not decide who the agent is or what that identity is entitled to. Adopting ACS gives you a well-placed, framework-portable socket for governance. The work of writing policies that are actually correct is still entirely yours.

Which is precisely why Microsoft shipped a second tool in the same breath. ASSERT — an open eval harness that turns plain-English behavior rules into scored test cases, reportedly hitting 80–90% agreement with human annotators — exists because a control plane is only as trustworthy as the policies you can verify. A gate you can't test is just a more confident way to be wrong.

The interesting thing about a standard is not its first version; v0.3.1-beta will be unrecognizable in a year. The interesting thing is what it makes portable. MCP made connections portable and an ecosystem followed. If controls become portable too — if "what this agent may do" outlives the framework you built it in — that is the layer that finally lets the demo go to production with nobody watching.