ACS

The runtime control plane for AI agents.

Agent Control Standard (ACS) is the open standard that defines how agent platforms expose middleware hooks and how open-source tooling enforces safety policy through those hooks. Declarative controls. Portable across frameworks. Enforced at runtime.

The problem

Agents are shipping fast.
Controls are not

AI agents act, plan, and execute across organizational boundaries. They call tools, access sensitive data, collaborate with other agents, and make decisions that reach production systems in milliseconds. The industry has standardized how agents communicate (MCP, A2A) and cataloged what risks they face (OWASP Agentic Top 10). What it has not standardized is how to control them at runtime.

System prompts are not controls. Model improvements do not cover edge cases or adversarial inputs. Proprietary guardrails create vendor lock-in. Developers are scattering custom control logic across codebases with no shared vocabulary, no portability, and no way to audit what is actually enforced.

Observability tells you what an agent did after the fact. ACS enables enterprises to intercept agent actions as they happen. Enterprises cannot trust what they cannot govern. ACS closes that gap: a shared, open standard for runtime agent control that any platform can implement and any organization can enforce.

The solution

Instrument

Runtime Control Hooks

ACS defines standardized middleware hooks at every agent decision point. When an agent receives input, sends output, calls a tool, selects which tools to use, transitions from planning to execution, stores a memory, executes code, or invokes a sub-agent, ACS fires a hook. A Guardian Agent intercepts the action, evaluates it against policy, and returns a verdict: allow, deny, or modify. These are deterministic controls enforced inline before actions reach production systems. The platform exposes the hooks. Open-source tooling enforces policy through them.

Read the Instrument spec
Trace

Structured Observability via OpenTelemetry

Every agent action, decision, and reasoning step emits structured trace data through industry-standard pipelines. ACS extends OpenTelemetry with agent-specific semantic conventions and maps security events to OCSF for integration with existing SIEM infrastructure. ACS contributes these extensions upstream to the OpenTelemetry community rather than maintaining a competing trace standard. The result: full audit trails across multi-agent workflows, forensic-grade reconstruction of agent behavior, and real-time anomaly detection, all flowing through the observability tools enterprises already operate.

Read the Trace spec
Inspect

Agent Bill of Materials

Enterprises cannot secure what they cannot inventory. ACS extends CycloneDX, SPDX, and SWID to produce dynamic Agent Bills of Materials (AgBOM) that capture every tool, model, capability, knowledge source, and dependency in an agent system. Unlike static SBOMs, AgBOM updates in real time as agents discover new tools, connect to new MCP servers, or modify their own capabilities. This is supply chain transparency for a world where the software changes itself.

Read the Inspect spec

How it works

How ACS works: a three-layer control model

Platforms expose hooks. Open-source tooling enforces. Enterprises customize to fit their environment.

Tier 1Platform layer

Platform layer

Agent platforms and frameworks expose standardized middleware hooks at input, output, tool call, tool response, planning transitions, memory operations, and lifecycle events. This is a one-time implementation. The platform does not need to understand or implement the control spec itself. It exposes the hooks. That is the entire ask.

Tier 2Enforcement layer

Open-source enforcement layer

A framework-agnostic SDK reads declarative control policies and enforces them through the platform hooks. Input validation, tool call authorization, output filtering, adversarial detection: all handled here. The enforcement layer is open-source, works across any framework that exposes ACS hooks, and ships with support for popular agent development stacks. Switching frameworks does not mean rewriting safety logic.

Tier 3Enterprise layer

Enterprise customization layer

Custom classifiers, proprietary detectors, and domain-specific logic plug into the enforcement layer. Financial services bring their own data sensitivity models. Healthcare brings PHI detection. Any enterprise brings its established security tooling. None of this requires a platform change. Enterprise customization operates entirely in the open-source layer, consuming the same standardized hooks.

Why now

Regulatory frameworks demand agent oversight.
No standard tells you how to implement it.

The EU AI Act requires demonstrable human oversight of high-risk AI systems, including the ability to intervene in real time. The NIST AI Risk Management Framework calls for continuous monitoring and the capacity to disengage autonomous systems when they operate outside acceptable parameters. Enterprise compliance mandates are proliferating faster than the tooling to satisfy them.

Every governance framework agrees on what is needed: runtime visibility, intervention capability, and auditable controls. None of them specifies the implementation. ACS provides that implementation layer. It translates regulatory requirements into concrete technical controls that platforms can expose, developers can configure, and security teams can verify.

EU AI Act

Requires demonstrable human oversight of high-risk AI systems, including the ability to intervene in real time.

NIST AI RMF

Calls for continuous monitoring and the capacity to disengage autonomous systems operating outside acceptable parameters.

The window for an open standard to define this layer is narrow. Proprietary alternatives are emerging.

One standard.
Every framework.
Every platform.

Built with the ecosystem

Active workstreams

Middleware / Guardian Agent

Active

Reference implementation of the hook-based middleware layer and Guardian Agent SDK for runtime policy enforcement.

View on GitHub

OpenTelemetry Upstream

Active

Contributing agent-specific semantic conventions and OCSF mappings to the OpenTelemetry project.

View on GitHub

AgBOM Extensions

In Progress

Extending CycloneDX and SPDX with dynamic Agent Bill of Materials schemas for real-time agent inventories.

View on GitHub

Protocol Integration (MCP / A2A)

Planned

Integrating ACS hooks with Model Context Protocol and Agent-to-Agent communication standards.

View on GitHub

Contribute

Build the standard with us.

ACS is an open specification. The fastest way to shape it is to use it and tell us what breaks. We need practitioners who build agent systems, security engineers who red-team them, and platform developers who can implement hooks. Whether you want to contribute to the specification, build reference implementations, improve documentation, or pressure-test the architecture against your production workloads, there is a place for you.

Start here: read the contribution guide (CONTRIBUTING.md), open an issue for feedback or proposals, or join the discussion on GitHub. The specification is actively evolving and your input directly shapes the next release.

View the SpecificationOpen an IssueRead CONTRIBUTING.md
GitHub starsJoin us on Slack

About ACS

About the Agent Control Standard

ACS is an open-source project under the OWASP Agentic Security Initiative, licensed under Apache 2.0. The standard is developed in the open, governed by community consensus, and designed to be vendor-neutral. No single company owns, controls, or commercially gates the specification.

ACS exists because the industry needs a shared safety baseline for AI agents. The same way OpenTelemetry standardized observability and OAuth standardized authentication, ACS standardizes runtime agent control. The specification, reference implementations, and tooling are free and will remain free.

For questions, feedback, or to report issues, open a GitHub Issue or email aos@zenity.io.