ACS adds ASSERT verification

Microsoft on June 2 used its Build 2026 conference to pair a new Agent Control Specification, or ACS, with an evaluation framework called ASSERT, pitching the two as an open trust stack for AI agents. Microsoft said ASSERT is designed to turn written behavior requirements into executable tests, while ACS defines how policies are enforced at runtime across agent actions and tool calls. The launch addresses a problem Microsoft and other developers have been describing for months: prompt instructions and application code can suggest what an agent should do, but they do not reliably stop an agent from taking an unsafe action once it starts calling tools, retrieving data or executing workflows. Microsoft said the new stack is meant to let teams evaluate an agent, apply controls, and then rerun evaluations to see whether the controls actually worked. (devblogs.microsoft.com) ### Where does ACS fit in the agent stack? Microsoft’s Command Line documentation describes ACS as “an open, vendor-neutral standard” for applying runtime governance across the agent lifecycle, independent of framework, runtime or policy engine. The company said current controls are often embedded in prompts, app code or framework-specific hooks, which makes them fragmented and hard for security or compliance teams to audit across multiple agents. (devblogs.microsoft.com) The ACS project’s public repository describes the standard as covering runtime agent control, policy enforcement and observability across AI agent frameworks. Its documentation says agents that implement ACS are meant to be “instrumentable, traceable and inspectable,” with audit trails and inline controls. The repository and docs also say the specification is still a work in progress. ### What does ASSERT add that ACS does not? Microsoft said ASSERT, short for Adaptive Spec-driven Scoring for Evaluation and Regression Testing, is an open-source framework for converting natural-language behavior specifications into executable evaluations for models and agents. (commandline.microsoft.com) The framework generates test scenarios, datasets, metrics and scorecards from written requirements, then runs them against the target system. (github.com) Microsoft’s Foundry blog said ASSERT is intended to catch policy and safety failures that generic benchmarks miss because those benchmarks are not tailored to a company’s own use case, tools or requirements. The company said the workflow is to run ASSERT, identify defects, apply controls, and rerun ASSERT for before-and-after metrics. ### Why are Microsoft and others talking about “closed-loop” verification? (commandline.microsoft.com) Sarah Bird, writing on Microsoft’s Foundry blog, said the gap in agent trust is that “written policies do not translate into working runtime controls,” while safety evaluation is hard to maintain as contexts change. Microsoft’s answer is to connect evaluation and enforcement rather than treat them as separate steps. That pairing matters because ACS and ASSERT address different parts of the same problem. (devblogs.microsoft.com) ASSERT tests whether an agent behaves as intended under policy-driven scenarios, while ACS defines where controls can be attached during execution. Microsoft’s own description presents them as a loop: evaluate, enforce, and re-verify. ### What risks are these projects meant to limit? Microsoft said recent industry work has highlighted tool misuse, unintended actions and multi-step failures in agent workflows. (devblogs.microsoft.com) Its ACS documentation argues that traditional access control can answer whether a credential may call a resource, but not whether a call is still safe after an agent has processed new context in the same conversation. The practical target is the blast radius from prompt injection, over-broad permissions and unsafe tool use. (devblogs.microsoft.com) Microsoft did not present ACS as a standalone fix for those problems, but as a standard way for teams to define, enforce and audit policy boundaries around agent actions. TechCrunch, describing the release, said the rules can specify what an agent may do, what it must not do, when a human should approve an action and what evidence should be logged. (commandline.microsoft.com) ### Where can developers see what comes next? Microsoft published the ACS and ASSERT announcements on June 2 through its Foundry and Command Line sites, and ACS is also available through a public GitHub repository. The ACS documentation says the specification is under development and directs contributors to its GitHub issue tracker for ongoing changes and discussion. (devblogs.microsoft.com) (commandline.microsoft.com)