Agent Control Standard aims to govern AI agent runtime behavior

A new open standard released in May 2026 seeks to address a critical gap in enterprise AI deployment: governing what autonomous AI agents actually do once they're running inside corporate systems.

The Agent Control Standard (ACS) provides a vendor-agnostic framework for controlling AI agents at runtime through middleware hooks positioned at key decision points. When an AI agent receives input, calls a tool, transitions from planning to execution, stores a memory, executes code, or invokes a sub-agent, ACS creates an observation point where the action can be examined and potentially blocked.

Why it matters

As enterprises deploy autonomous AI agents with the authority to take actions without human approval, they face a fundamental visibility problem. Unlike traditional software with predictable execution paths, AI agents make dynamic decisions that can inadvertently violate security policies, regulatory requirements, or business rules. Without standardized control points, organizations have no systematic way to observe or correct agent behavior before damage occurs.

Addressing the context problem

The standard emerged from recognition that existing AI protocols don't address runtime governance. The Model Context Protocol standardizes how AI agents access data and tools, while the Agent2Agent Protocol governs how agents communicate with each other. Neither addresses what happens when an agent makes a dangerous decision.

"With ACS, we're trying to create a standard for handling the new threats and control points within an agent's lifecycle," Ariel Fogel, founding engineer and researcher with Pillar Security, told No Jitter. "You can't just look at what a tool does at any given moment. You have to see it within the larger landscape, the context of what has been happening through to the point where something potentially dangerous happened."

Real-world vulnerability example

The need for such controls became concrete when Bar Kaduri, principal researcher with Capsule Security, discovered a vulnerability in Salesforce Agentforce. The flaw enabled an indirect prompt injection attack that overrode the AI agent's legitimate instructions. Instead of retrieving leads and sending them to an approved email address as designed, malicious instructions redirected the leads to an unauthorized external address.

The organization had no visibility into what the agent was told to do versus what it actually did, and no ability to intervene. The AI agent was simply following instructions—it lacked the contextual understanding to recognize illegitimate requests.

Both Kaduri and Fogel emphasized that effective agent governance requires understanding the full context of an agent's operation, not just examining discrete actions in isolation. "We're trying to create points of observation so that we can make sure that this new employee [the AI agent] gets management when they need that management," Fogel explained.

Open-source availability

The ACS specification is available at agentcontrolstandard.ai and through GitHub, released under the MIT open-source license. An open Slack community supports ongoing development and implementation discussions.

These details were first reported by No Jitter in June 2026.