Microsoft offers devs a better way to control AI agent behavior


As AI agents grow ever more capable, enterprises racing to put them to work across applications, workflows, and products face a new challenge: ensuring an agent does what it’s supposed to do when it’s deployed across different environments.

Microsoft is trying to solve this problem with a new open source standard called Agent Control Specification (ACS) that aims to give developers a more consistent and granular way to control what AI agents are allowed to do.

The specification essentially lets developer, compliance, and security teams define their own policies for agents to follow. The rules can define what the agent may do, what it must not do, when a human should approve an action, and what evidence should be logged for later review.

These policy files are checked at several “interception points” while the agent is performing a task, to make sure it stays within the guardrails. The spec comes as developers are improvising ways to control what their AI sees and does, especially as conversations focus on AI workflows going wrong through tool misuse, or through unintended actions that result in cascading failures.

Today, developers might specify instructions in a system prompt, add custom checks in the application code, or use classifiers to catch problematic inputs and outputs. Those approaches work, but they often leave companies with fragmented controls that are hard to audit and harder to reuse across different frameworks, interfaces, and systems.

ACS aims to integrate those controls into a common governance layer. Microsoft says the specification can be used to check whether an agent is sticking to guardrails at multiple points in its workflow — before it receives input, before it calls a tool, after a tool returns a result, and before the final response is sent to the user.

A policy may allow an action, block it, redact sensitive information, or even ask a person to approve it. Developers can also insert classifiers for inputs and outputs to categorize information, predict outcomes, or determine how an agent should respond; add LLMs with prompts to act as a “judge” for policies; and add logic for checking tool calls, tool selection, input accuracy, output usage, and responses.
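To make the mechanism concrete, here is a small, self-contained enforcement layer that models the ideas in the two paragraphs above: one policy document evaluated at the four interception points the article names (before input, before a tool call, after a tool result, before the final response), each check returning allow, block, redact or require-approval and writing an evidence record to an audit log. This is an added illustration, not Microsoft's ACS code; the policy keys, enum names, class names and the constructed sample data are all assumptions made for this example and do not reflect the actual ACS schema.

```python
"""Toy policy-enforcement layer modelling the ACS concepts described above.

Added example, not Microsoft's ACS code or policy schema. The policy format,
interception-point names and decision names are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REDACT = "redact"
    REQUIRE_APPROVAL = "require_approval"


class Point(str, Enum):
    """The four interception points named in the article (names assumed)."""
    BEFORE_INPUT = "before_input"
    BEFORE_TOOL_CALL = "before_tool_call"
    AFTER_TOOL_RESULT = "after_tool_result"
    BEFORE_RESPONSE = "before_response"


# Constructed sample policy in a hypothetical format (not the ACS schema).
SAMPLE_POLICY = {
    "tools": {
        "allow": ["search_docs", "read_ticket"],
        "require_approval": ["send_email"],
        # any tool not listed above is blocked (deny by default)
    },
    "redact_patterns": {
        # name -> regex applied to tool results and to the final response
        "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
        "api_key": r"\bsk_live_[A-Za-z0-9]{8,}\b",
    },
    "blocked_input_patterns": [r"(?i)ignore (all )?previous instructions"],
}


@dataclass
class Verdict:
    decision: Decision
    content: str  # payload as it may proceed (possibly redacted, empty if blocked)
    reason: str


@dataclass
class PolicyEngine:
    policy: dict
    audit_log: list = field(default_factory=list)

    def _record(self, point, verdict, subject):
        # Evidence retained for later review, as the article describes.
        self.audit_log.append({"point": point.value, "subject": subject,
                               "decision": verdict.decision.value,
                               "reason": verdict.reason})
        return verdict

    def check_input(self, text):
        """before_input: reject inputs matching a blocked pattern."""
        for pat in self.policy["blocked_input_patterns"]:
            if re.search(pat, text):
                v = Verdict(Decision.BLOCK, "", f"input matched {pat!r}")
                return self._record(Point.BEFORE_INPUT, v, "user_input")
        v = Verdict(Decision.ALLOW, text, "no blocked pattern")
        return self._record(Point.BEFORE_INPUT, v, "user_input")

    def check_tool_call(self, tool_name):
        """before_tool_call: allow-list, approval list, deny by default."""
        tools = self.policy["tools"]
        if tool_name in tools["allow"]:
            v = Verdict(Decision.ALLOW, tool_name, "tool on allow list")
        elif tool_name in tools["require_approval"]:
            v = Verdict(Decision.REQUIRE_APPROVAL, tool_name, "tool needs human approval")
        else:
            v = Verdict(Decision.BLOCK, tool_name, "tool not in policy (deny by default)")
        return self._record(Point.BEFORE_TOOL_CALL, v, tool_name)

    def _redact(self, point, text, subject):
        redacted, hits = text, []
        for name, pat in self.policy["redact_patterns"].items():
            redacted, n = re.subn(pat, f"[REDACTED:{name}]", redacted)
            if n:
                hits.append(f"{name}x{n}")
        if hits:
            v = Verdict(Decision.REDACT, redacted, "redacted " + ", ".join(hits))
        else:
            v = Verdict(Decision.ALLOW, text, "no sensitive patterns")
        return self._record(point, v, subject)

    def check_tool_result(self, tool_name, result):
        """after_tool_result: scrub sensitive data before the model sees it."""
        return self._redact(Point.AFTER_TOOL_RESULT, result, tool_name)

    def check_response(self, response):
        """before_response: scrub sensitive data before the user sees it."""
        return self._redact(Point.BEFORE_RESPONSE, response, "final_response")


if __name__ == "__main__":
    engine = PolicyEngine(SAMPLE_POLICY)
    engine.check_tool_call("send_email")
    engine.check_tool_result("read_ticket", "Customer SSN 123-45-6789")
    for entry in engine.audit_log:
        print(entry)
```

Because the same policy object drives every interception point and every decision lands in one audit log, the checks stay consistent across whichever framework hosts the agent, which is the fragmentation problem the article says ACS is meant to address.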

And because these policies can be written as single files, they can be bundled with agents, allowing a security policy to follow an agent across different frameworks and environments. ACS is shipping as an SDK with plug-ins for LangChain, the OpenAI Agents SDK, the Anthropic Agents SDK, AutoGen, CrewAI, Semantic Kernel, Microsoft.Extensions.AI, MCP tools, and more.