CISO
Enterprise Architect
CTO
Compliance Officer
Industry relevance: Financial Services, Healthcare, Government
JUNE 2, 2026
Microsoft shipped an open standard that enforces agent control policies at runtime. It enforces the policy. It does not decide who authors or owns that policy.
On June 2, 2026, Microsoft announced the Agent Control Specification (ACS) and ASSERT at Build 2026, in a post authored by Sarah Bird on the Microsoft Foundry Blog. ACS is an open industry specification, part of the Agent Governance Toolkit, that places deterministic safety and security controls at five validation checkpoints in an agent's lifecycle: input, LLM, state, tool execution, and output. Controls are expressed as portable, versionable, auditable policy and are designed to work across any agent framework. ASSERT, a separate open-source project, converts written policies into executable evaluation scenarios. ACS launched with endorsements from customers and partners including KPMG, Zscaler, IBM, and Arize AI.
GOVERNANCE IMPLICATION
ACS is a genuine advance in agent governance and worth acknowledging plainly: it moves control from probabilistic instruction, telling a model what not to do, to deterministic enforcement at defined checkpoints, expressed as portable, versionable, auditable policy. That is real progress on the enforcement layer. It also makes the layer above it sharper rather than smaller. Sarah Bird's framing in the announcement is that written policies do not translate into working runtime controls, and ACS is the translation. What ACS assumes as input is the policy itself, the decision about what a given agent is permitted to do and who is accountable when that permission proves wrong. That authorization decision sits upstream of all five checkpoints. A better enforcement mechanism does not answer who authored the rule or who owns its outcome. When the lock on the door gets stronger, the question of who holds the key, and who decided the door should exist, gets more important, not less. ACS gives the Authorization Coverage Lifecycle a concrete enforcement target, and it leaves the authorization decision exactly where it was.
SCENARIO
A bank adopts ACS and places deterministic controls at all five checkpoints for its loan-servicing agent. The controls work exactly as specified: every blocked action, every required human approval, every state transition is enforced and logged. An examiner reviews the deployment and accepts that enforcement is sound, then asks a different question. Who decided this agent was permitted to recommend forbearance terms, on what authority, and who is the named individual accountable if that permission was set too broadly? The ACS manifest shows what is enforced. It does not show who authorized what it enforces, because that decision was made before the policy was written and was never recorded as an accountable act.
THE GOVERNANCE QUESTION
ACS enforces your agent control policy deterministically at five checkpoints. Who in your organization authored that policy, who is accountable for the authorization decision it encodes, and where is that decision recorded before it becomes a YAML manifest?
CONTROL GAP
ACS enforces a policy at five runtime checkpoints but does not author the policy or assign accountability for it. Someone must still decide what the agent is permitted to do, write that into the policy manifest, and own the consequences. ACS provides no mechanism for that authorization decision or its named owner.
REGULATORY RELEVANCE
NIST AI RMF
OCC
SEC Cyber
PRIMARY SOURCE
Build agents you can trust across any framework with open evals and a control standard
Sarah Bird
June 2, 2026
CONTINUE READING
JUNE 2, 2026
Agents
Microsoft announced Scout at Build 2026 on June 2, 2026, as the first product in a new agent category called Autopilots. Scout is an always-on agent operating across Microsoft 365 apps including Teams, Outlook, OneDrive, and SharePoint, with its own governed Microsoft Entra identity. It is available in private preview for Frontier enterprise customers requiring a GitHub Copilot subscription, built on the OpenClaw open-source agent framework. The announcement was published on the Microsoft 365 Blog by Omar Shahine, Corporate Vice President, Microsoft 365.
MAY 11, 2026
Agents
Microsoft Copilot Studio published April 2026 feature updates on May 11, 2026, authored by Nitasha Chopra, VP and COO of Copilot Studio. Key releases include the Analytics Viewer role reaching GA, providing read-only access to agent analytics separated from configuration rights; agent nodes embeddable directly into workflows to delegate AI reasoning within deterministic automation; MCP server-enabled tools in preview for external system connectivity within workflows; and a centralized, admin-controlled, DLP-enforced environment for the Workflows Agent. The post also confirms Microsoft Agent 365 is now generally available as the centralized control plane for agents.
MAY 7, 2026
Agents
Microsoft's Becoming a Frontier Firm guide, published April 16, 2026, states that Microsoft Digital had already built a firm foundation for an agent-ready data estate before deploying AI agents, and links directly to a separate internal guide on Microsoft 365 Copilot governance, published May 7, 2026 and updated June 8, 2026, both authored by Alex Fleck on the Inside Track Blog. The Copilot guide covers eight chapters of data governance: self-service container creation, sensitivity labeling, file-label inheritance, employee training, DLP verification, lifecycle attestation, sharing controls, and oversharing detection. Neither guide specifies a process for authorizing the business purpose or scope of an individual agent before deployment.