EFFLOOW LAB LAB-RUN ·2026-06-04

Microsoft ACS SDK Agent Control Sandbox PoC

Evidence notes document the bounded local or source-based checks behind an Effloow article. They are not product endorsements, legal advice, or benchmark claims.

Goal

Verify whether the public Agent Control Specification / Agent Governance Toolkit surface can be installed locally and used to intercept a tool call before execution. The backlog topic used the phrase "Microsoft ACS SDK"; current public sources separate the open Agent Control Specification/Standard from the @microsoft/agent-governance-sdk package and agent-governance-toolkit package.

Sources Checked

  • Microsoft Foundry Build 2026 recap: Agent Control Specification is open source, policy YAML oriented, and targets input, LLM, state, tool execution, and output checkpoints.
  • Microsoft Foundry trust-stack post: ACS is framed as an open industry specification for deterministic controls across agentic workflow checkpoints.
  • Agent Control Standard site and GitHub repository: ACS/AOS focuses on instrumentable, traceable, inspectable agents, OpenTelemetry mapping, and Agent Bill of Materials work.
  • Microsoft Agent Governance Toolkit GitHub repository: lists TypeScript and Python install commands and describes policy, identity, trust, audit, MCP security scanning, and runtime controls.
  • OWASP Agentic AI threats and mitigations: background risk taxonomy for goal hijacking, tool misuse, memory poisoning, identity abuse, cascading failures, and rogue agents.

Commands

Temporary sandbox:

rm -rf /tmp/effloow-acs-poc-2026
mkdir -p /tmp/effloow-acs-poc-2026
cd /tmp/effloow-acs-poc-2026
python3 --version
node --version
npm --version

Output:

Python 3.12.8
v25.9.0
11.12.1
zsh:1: command not found: pip

The system has Python and Node, but no bare pip executable. The PoC used python3 -m pip inside a venv instead.

Package discovery:

npm view @microsoft/agent-governance-sdk version name description --json
python3 -m pip index versions agent-governance-toolkit

Output:

{
  "version": "4.0.0",
  "name": "@microsoft/agent-governance-sdk",
  "description": "Public Preview — TypeScript SDK for the Agent Governance Toolkit: agent identity, trust scoring, policy evaluation, and audit logging"
}
agent-governance-toolkit (4.0.0)
Available versions: 4.0.0, 3.7.0, 3.6.0, 3.5.0, 3.4.0, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.0, 3.0.2, 3.0.1, 3.0.0, 2.3.0, 2.1.0

Install checks:

npm init -y
npm install @microsoft/agent-governance-sdk@4.0.0
python3 -m venv /tmp/effloow-acs-poc-2026/.venv
/tmp/effloow-acs-poc-2026/.venv/bin/python -m pip install 'agent-governance-toolkit==4.0.0'

Relevant output:

added 7 packages, and audited 8 packages in 937ms
found 0 vulnerabilities
Successfully installed agent-governance-toolkit-4.0.0 annotated-types-0.7.0 click-8.4.1 pydantic-2.13.4 pydantic-core-2.46.4 pyyaml-6.0.3 typing-extensions-4.15.0 typing-inspection-0.4.2

API surface check:

node -e "const sdk=require('@microsoft/agent-governance-sdk'); console.log(Object.keys(sdk).sort().join('\n'))"

Relevant exported names:

AgentMeshClient
AuditLogger
GenericFrameworkAdapter
GovernanceVerifier
McpSecurityScanner
PolicyEngine
TraceCapture
TrustManager

Local Tool-Call Interception Demo

Script: /tmp/effloow-acs-poc-2026/acs-checkpoint-demo.js

The script created an AgentMeshClient with policy rules:

  • allow framework.tool_call.search_docs
  • allow framework.tool_call.summarize
  • deny framework.tool_call.shell.rm
  • deny everything else

It then used GenericFrameworkAdapter.run() twice:

  1. A search_docs invocation whose handler returned a small object.
  2. A shell.rm invocation whose handler would set blockedHandlerRan = true if it executed.

Command:

node acs-checkpoint-demo.js

Output:

{
  "allowed": {
    "decision": "allow",
    "allowed": true,
    "output": {
      "items": [
        "input",
        "tool",
        "output"
      ]
    }
  },
  "blocked": {
    "decision": "deny",
    "allowed": false,
    "handlerRan": false,
    "reason": "Governance denied action \"framework.tool_call.shell.rm\""
  },
  "auditChainValid": true,
  "auditEntries": 2
}

What Worked

  • @microsoft/agent-governance-sdk@4.0.0 installed cleanly in a temporary npm project.
  • agent-governance-toolkit==4.0.0 installed cleanly in a Python 3.12 venv.
  • The TypeScript package exports a policy engine, generic framework adapter, audit logger, trace capture, governance verifier, and MCP security scanner.
  • A denied tool call was blocked before its handler executed.
  • The SDK audit chain verified successfully after one allowed action and one denied action.

What Failed or Was Not Verified

  • No live Microsoft Foundry, LangChain, CrewAI, OpenAI Agents SDK, Anthropic Agents SDK, AutoGen, Semantic Kernel, or MCP integration was executed.
  • No model call was made.
  • No production ACS YAML was validated against an external ACS conformance suite.
  • The ACS GitHub repository currently reads like an evolving specification and documentation site; the concrete SDK package tested here is the Microsoft Agent Governance Toolkit TypeScript package, not proof that every listed framework adapter is GA.
  • pip was not available as a bare shell command; python3 -m pip worked through a venv.

Conclusion

Effloow Lab can truthfully say it ran a sandbox PoC of the public Microsoft Agent Governance SDK control pattern. The PoC supports writing about ACS as a runtime-control direction and about the SDK's generic adapter as a practical local hook. It does not support claiming full multi-framework production readiness.

This note supports the public article and records what was actually checked.