
Coming Soon
Containment Plugin
Microsoft Agent Control Specification · AWS · Azure · GCP

ACS defines the policy. Aviatrix enforces it at the wire.

The Microsoft Agent Control Specification (ACS) defines an open schema for governing AI agent behavior. Your team writes a .guardrails.yaml against it — the spec is the format, the policy is yours. The acs-to-dcf shim then compiles that policy into Aviatrix DCF rules: SmartGroups, WebGroups, default-deny. No agent code changes. No framework lock-in. Enforcement at the wire.

Aviatrix DCF · SmartGroups · WebGroups
AWS · Azure · GCP · any Aviatrix-connected cloud
No agent code changes · No sidecar

The threat this solves

The agent governance gap. The network closes it.

Enterprises are not standardizing on a single agent platform — they are running LangChain, AutoGen, CrewAI, Semantic Kernel, and vendor-shipped copilots simultaneously. Without a network-layer containment posture, each of those frameworks is an ungoverned blast radius. No agent framework can guarantee every agent process will load and honor its policy contract. The network is the only layer that sees all of them.

01

Ungoverned agent reaches a tool endpoint

Other controls — identity, CIEM

A vendor-shipped copilot or legacy workload has no ACS integration point. Its outbound tool calls reach MCP servers and LLM APIs unguarded — the framework policy is simply not applied. From the network's perspective, it is indistinguishable from an authorized agent.

02

Policy file present — ignored by a second process

Other controls — runtime policy

An agent has a .guardrails.yaml. The framework honors it. A second agent process on the same host ignores it. Both generate equivalent network traffic. Only Aviatrix DCF — applying SmartGroup policy to workload identity — enforces the same rule on both without self-reported compliance.

03

Sensitive data routed to unauthorized MCP server

Other controls — DLP, guardrails

A prompt injection or misconfigured tool routes sensitive output to an attacker-controlled MCP server. The agent framework cannot enforce what it cannot see. The ACS output-validation pattern guard requires a network insertion point to fire inline before data leaves the environment.

04

Tool call to unauthorized MCP server — blocked

✓ Aviatrix DCF default-deny blocks

Agent calls an MCP server not listed in the ACS resource catalog. TCP connection traverses the Aviatrix Spoke Gateway. Destination SmartGroup does not match any permit rule — DCF default-deny fires. Connection never completes. No data leaves the environment.

05

Unified audit trail — both enforcement planes

✓ CoPilot FlowIQ · correlated audit

DCF flow logs and ACS policy events (when session_id is present) are correlated in CoPilot FlowIQ. Every DENY log carries workload identity, destination FQDN, rule name, and timestamp — evidence for SOC 2, HIPAA, and EU AI Act Article 9.

How it works

ACS policy compiles to DCF. One command.

The same policy file governs both the agent runtime and the network layer. When the SDK cannot see a call — because the agent has been jailbroken, a dependency compromised, or a third-party agent has no ACS integration — the network still stops it. That's the containment layer ACS alone cannot provide.

1

Policy pipeline — .guardrails.yaml → CRD → DCF data plane

The customer writes a .guardrails.yaml against the ACS schema. The open-source acs-to-dcf shim reads it and compiles it into Aviatrix FirewallPolicy CRDs. Those CRDs are applied via kubectl apply to the in-cluster k8s-firewall controller, which programs the DCF data plane across clouds. The resource catalog becomes WebGroups — FQDN and URL-path classifiers for MCP servers, LLM APIs, and HTTP endpoints. The agent identity becomes a source SmartGroup. Unconditional block and allow policies become DCF deny and allow rules within a default-deny posture. Any CI runner (GH Actions, Argo, Flux) can execute this pipeline — GH Actions is one option, not the integration. For VM and serverless agents, the shim calls the Aviatrix controller API directly instead of emitting CRDs. Traditional IPS enforcement for ACS pattern guards is available today. The shim emits a coverage report distinguishing rules in effect today from those pending the Guardrail Profile feature (targeted late summer 2026).

2

Framework-agnostic coverage — the network sees every agent

Because Aviatrix enforces at the network layer, coverage is not gated on framework integration. LangChain, AutoGen, CrewAI, OpenAI Agents SDK, Anthropic Agents SDK, Semantic Kernel, Microsoft Copilot Studio, and vendor-shipped agents are all covered equally. Deployment environments include Kubernetes on any cloud, VMs, serverless functions (Lambda, Azure Functions, Cloud Run), managed cloud agent platforms (Bedrock AgentCore, Azure AI Foundry, Vertex AI Agent Engine), and on-premises workloads. No sidecar requirement. No mesh dependency. One consistent security policy and one unified audit trail.

3

Guardrail Profile — deeper ACS enforcement (late summer 2026)

Traditional IPS enforcement for ACS pattern guards is available today — PII patterns, confidential markings, and structured data applied inline at the gateway. Semantic detection and redaction via advanced AI guardrails is a separate capability coming later this year. The Guardrail Profile (targeted late summer 2026) extends DCF further — enabling semantic parsing of agent traffic, stateful predicate evaluation, and enforcement of complex ACS constructs requiring deeper protocol understanding. Engineering requirements include MCP wire decryption and JSON-RPC parsing; L7 protocol decoders for MCP, OpenAI chat completions, Anthropic messages API, and Google A2A. Stateful predicates — sensitivity ratchets, session variables, human-approval gates — are listed as pending in the shim's coverage report until the Guardrail Profile ships.

The enforcement ecosystem — Microsoft authors the standard, Aviatrix enforces it everywhere

Microsoft

Authors the open standard. ACS is framework and cloud agnostic — not Azure-only. Policy expressed in Rego, CEL, or Cedar. Works alongside Foundry, Bedrock, Vertex, and any conformant runtime.

Aviatrix

Enforces it at the network layer — including where Microsoft Foundry does not operate. Default-deny posture. Multicloud. CoPilot FlowIQ — every connection logged with full attribution.

Enforcement architecture

ACS policy → acs-to-dcf shim → DCF data plane · multicloud enforcement · CoPilot audit

[Diagram: .guardrails.yaml (resource catalog, pattern guards, agent identity) → acs-to-dcf (open source CLI shim) generates → Aviatrix DCF objects: SmartGroup (agent workload identity), WebGroups (MCP · LLM APIs · HTTP), allow / deny rules with default-deny, IPS pattern guards (today), stateful predicates → Guardrail Profile (late summer 2026), plus a Coverage Report (enforced today vs. pending). Covered environments: Kubernetes · EKS · AKS · GKE; VMs · Lambda · Azure Functions · Cloud Run; Bedrock AgentCore · AI Foundry · Vertex AI; any env with an Aviatrix gateway. Covered frameworks: LangChain · AutoGen · CrewAI · Semantic Kernel · Copilot Studio · vendor-shipped; no integration required, no sidecar, no mesh dependency. Outcomes: sanctioned tool calls to MCP servers and LLM APIs permitted; unauthorized calls blocked, DENY + LOG → CoPilot FlowIQ. Legend: Permitted egress · Denied + logged · Coverage report.]

Coverage map

ACS constructs — what's enforced today.

The acs-to-dcf shim emits this coverage report alongside the generated FirewallPolicy CRDs. Deploy all rules in monitor mode first; promote to enforcement rule by rule after validating against production traffic.

| ACS construct | DCF object generated | Status | Notes |
| --- | --- | --- | --- |
| Agent identity | Source SmartGroup (agent-workload-sg) | Active today | Keyed to pod label, VM tag, or Lambda ARN. All DCF rules reference this SmartGroup as source. |
| Resource catalog — MCP servers | FQDN WebGroup per MCP server | Active today | Tool-to-host registry required — ACS spec carries tool names, not hostnames. Operator must supply or shim uses gateway TLS inspection to resolve. |
| Resource catalog — LLM APIs | avx-ai-llm-providers WebGroup | Active today | Aviatrix-managed AI WebGroup for known LLM providers. Custom FQDN WebGroup for non-standard endpoints. |
| Unconditional block / allow policies | DCF deny / allow rules in default-deny posture | Active today | First-match. Default-deny is the final catch-all. Every match logged to CoPilot FlowIQ. |
| Input / output pattern guards | IPS rules (traditional pattern matching) | Active today | Traditional IPS: PII patterns, confidential markings, structured data — applied inline at gateway. Semantic detection and redaction via advanced AI guardrails is a separate capability coming later this year. |
| Stateful predicates — sensitivity ratchets, session variables, conditional rules | Guardrail Profile enforcement | Pending — late summer 2026 | Requires stateful evaluation at the gateway. Listed as pending in coverage report. Not enforced until Guardrail Profile ships. |
| Human-approval gates | Guardrail Profile enforcement | Pending — late summer 2026 | Conditional gates require stateful predicate evaluation. Deferred to Guardrail Profile. |

SmartGroup and WebGroup objects

| Object | Type | Purpose |
| --- | --- | --- |
| agent-workload-sg | Source SmartGroup | Matches agent workload by pod label, VM tag, or Lambda ARN. Source identity for all DCF rules generated from ACS policy. |
| avx-ai-llm-providers | Aviatrix-managed AI WebGroup | Curated, auto-updated destination list for major LLM API providers. |
| mcp-<tool-name> | FQDN WebGroup per MCP server | One object per MCP server from ACS resource catalog, bound to FQDN via operator-supplied tool-to-host registry. |
| default-threatgroup | Aviatrix-managed threat feed | Known malicious destinations, C2 infrastructure, newly registered domains. Priority-1 deny rule. No operator maintenance required. |
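
The compile-and-enforce behaviour described in the two tables above, modelled as an added example (not Aviatrix's or Microsoft's code): tool names resolve to mcp-<tool-name> WebGroups through an operator-supplied registry, rules are evaluated first-match, and anything unmatched falls to default-deny. The input shapes, hostnames, rule order after the threat-feed deny, and report keys are assumptions for illustration; they are not the ACS schema, the shim's registry format, or FirewallPolicy CRD fields.

```python
"""Toy model of policy compilation and first-match evaluation (illustrative only)."""
from fnmatch import fnmatch

# Constructed inputs: hypothetical shapes and hostnames, not real formats.
CATALOG = ["jira", "payroll", "scratchpad"]           # catalog carries tool names only
REGISTRY = {"jira": "mcp-jira.corp.example",           # operator-supplied tool-to-host map
            "payroll": "mcp-payroll.corp.example"}
BLOCKED_TOOLS = {"payroll"}                            # unconditional block policy
PENDING = ["sensitivity ratchet", "human-approval gate"]  # stateful, not enforced yet
WEBGROUPS = {
    "default-threatgroup": ["*.bad.example"],          # stand-in for the managed feed
    "avx-ai-llm-providers": ["api.llm.example"],       # stand-in for the managed list
}

def compile_policy(catalog, registry, blocked):
    """Return (webgroups, ordered rules, coverage report)."""
    webgroups = dict(WEBGROUPS)
    rules = [("deny", "default-threatgroup")]          # priority-1 deny comes first
    unresolved = []
    for tool in catalog:
        host = registry.get(tool)
        if host is None:                               # no FQDN -> no WebGroup, no rule
            unresolved.append(tool)
            continue
        name = f"mcp-{tool}"
        webgroups[name] = [host]
        rules.append(("deny" if tool in blocked else "allow", name))
    rules.append(("allow", "avx-ai-llm-providers"))
    report = {"enforced": [group for _, group in rules],
              "unresolved": unresolved, "pending": list(PENDING)}
    return webgroups, rules, report

def evaluate(dest_fqdn, webgroups, rules, source_sg="agent-workload-sg"):
    """First match wins; an unmatched destination hits the default-deny catch-all."""
    for action, group in rules:
        if any(fnmatch(dest_fqdn, pattern) for pattern in webgroups[group]):
            return {"src": source_sg, "dst": dest_fqdn, "action": action, "rule": group}
    return {"src": source_sg, "dst": dest_fqdn, "action": "deny", "rule": "default-deny"}

if __name__ == "__main__":
    wg, rules, report = compile_policy(CATALOG, REGISTRY, BLOCKED_TOOLS)
    print(report)
    for dst in ("mcp-jira.corp.example", "mcp-scratchpad.corp.example", "c2.bad.example"):
        print(evaluate(dst, wg, rules))
```

In this model a catalog tool with no registry entry gets no WebGroup, so its traffic is denied by the catch-all and the gap surfaces as `unresolved` in the report instead of as a silent allow.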

What this architecture governs — and what it does not

Out of scope

MCP-over-stdio

Agents communicating via stdin/stdout generate no network traffic. DCF cannot enforce policy on these calls. Deprecate stdio MCP in governed estates.

ACS policy runtime compliance

Aviatrix enforces network reachability at the wire. Whether an agent loads and honors its .guardrails.yaml at the application layer is outside scope. Both layers are required.

Complementary — not a substitute

Istio reference architecture

ACS documentation publishes Istio as its reference network architecture. Istio's role is transport only — it carries the policy file to the sidecar and stops there. It does not translate policy into enforcement rules, covers only the Kubernetes mesh, and explicitly omits ext_authz integration. Aviatrix does the enforcement work and covers VMs, serverless, and multicloud.

Stateful predicates pending

Do not claim stateful predicate enforcement in field conversations until the Guardrail Profile ships late summer 2026.

Assets & documentation

Everything your team needs.

Requires Aviatrix Enterprise · Standard DCF deployment
New to Aviatrix? Start the Enterprise free trial — VCAs included at no extra cost. Already deployed? Get the open-source shim from GitHub.

Technical Brief

Reference Architecture

ACS policy-to-DCF translation reference, SmartGroup and WebGroup object design, tool-to-host registry setup, IPS pattern guard configuration, and coverage report interpretation. For platform engineers deploying the shim.

Security Architecture Brief

Threat Model & Enforcement

Agent network enforcement gap analysis, full kill chain with point of intervention, coverage map (enforced today vs. Guardrail Profile), known gaps with workarounds, and compliance evidence for SOC 2, HIPAA, and EU AI Act. For security architects.

Solution Brief

Field & Buyer Overview

Threat narrative, framework-agnostic coverage story, competitive framing vs. Istio reference architecture, ACS partnership context, and discovery questions for security conversations.

GitHub (Open Source)

acs-to-dcf Shim

Open-source CLI shim that reads a .guardrails.yaml and generates Aviatrix FirewallPolicy CRDs. Ships alongside the ACS v2 launch. Includes coverage report output, tool-to-host registry format, and optional REST API apply mode.

Available soon

Video

Attack simulation

Lab recording. An agent process running outside a governed runtime attempts to reach an unauthorized MCP server. The DCF default-deny rule fires before the TCP handshake completes. CoPilot FlowIQ logs the attempt with full workload identity and rule attribution.


Trusted by enterprise security teams

SOC 2 Type II

Independently audited

ISO 27001

Certified

500+ enterprises

Including 10% of the Fortune 500

Zero data-plane access

Aviatrix never touches your traffic

Known constraints

Documented before you find them in production.

Lab-validated limitations and workarounds. Published upfront so your POC matches the docs and security architects can plan before deployment day.

No Terraform blueprint — whitepaper and shim only

This entry does not ship a Terraform blueprint or the traditional VCA artifact set. What ships: the open-source acs-to-dcf shim and a technical brief. It is a containment plugin, not a deployable architecture. Do not position it as a full VCA deployment in field conversations.

Kubernetes end-to-end coverage: EKS only today

The CRD pipeline is fully tested on EKS. AKS and GKE are functional but do not yet have end-to-end validated coverage. For VM and serverless agents, the shim calls the Aviatrix controller API directly — the Helm chart and CRD path are not required for that deployment pattern.

MCP-over-stdio has no network enforcement point

Agents communicating with local MCP servers via stdin/stdout generate no network traffic — DCF cannot enforce policy on these calls. Migrate governed estates to network-transport MCP (HTTP/SSE or WebSocket). Disclose proactively in every ACS deployment conversation.

Stateful predicates require Guardrail Profile — late summer 2026

Sensitivity ratchets, session variables, conditional rules, and human-approval gates require stateful evaluation at the gateway. Listed as pending in the coverage report. Do not claim stateful predicate enforcement in field conversations until the Guardrail Profile ships.

Tool-to-host registry required for WebGroup construction

The ACS resource catalog carries tool names and path patterns, not hostnames. The shim requires an operator-supplied tool-to-host registry or gateway MCP/TLS inspection to resolve tool names to FQDNs. One-time setup step documented in the deployment guide.

Coordinate with Microsoft before external sharing

Microsoft has not yet publicly shared final ACS scope details as of the publication of this VCA. Coordinate with your Microsoft contact before sharing detailed technical integration content externally prior to the ACS v2 public launch announcement.

Coming — Guardrail Profile (late summer 2026)

Deeper ACS enforcement — semantic parsing, stateful predicates, advanced PII detection

Two separate capabilities are on the roadmap. First, semantic detection and redaction via advanced AI guardrails is coming later this year. Second, the Guardrail Profile (targeted late summer 2026) enables stateful predicate evaluation, enforcement of complex ACS constructs requiring deeper protocol understanding, MCP wire decryption and JSON-RPC parsing for tool-name and argument-level inspection, and L7 protocol decoders for MCP, OpenAI chat completions, Anthropic messages API, and Google A2A. Session_id propagation enables per-decision audit records correlated with ACS policy events in CoPilot.

Coming soon

The containment layer is open source.
Enforcement starts at the wire.

One ACS policy file. One acs-to-dcf command. SmartGroups, WebGroups, deny rules — and a coverage report that tells you exactly what is enforced today and what is pending. No agent code changes. No framework lock-in.

NEW TO AVIATRIX

Start with Enterprise — VCAs included free

Subscribe on AWS or Azure Marketplace, deploy Enterprise in under 15 minutes, then add this containment plugin on top. 30-day free trial — VCAs included.

Available when the ACS v2 shim ships.

ALREADY ON ENTERPRISE

Available soon on GitHub

The acs-to-dcf shim ships alongside the ACS v2 public launch. Assets and documentation are available now.