Microsoft Agent 365 - What It Means for Enterprise IT and Security Teams

Pamela Sengupta
June 30, 2026

Until recently, the AI governance conversation in most enterprises centred on a relatively contained set of questions. Which tools are approved? What data can Copilot access? How do we manage sensitivity labels? These were tractable problems, and the tooling to address them had been maturing steadily inside the Microsoft security stack.

The arrival of agentic AI has changed the shape of the problem entirely. Agents do not wait for a prompt. They are assigned goals, and they figure out the steps themselves. They call APIs, read and write data, trigger workflows, and in multi-agent architectures coordinate with other agents, all without a human initiating each action. An enterprise that had one AI assistant to govern six months ago may now have dozens of agents in production, more being built by development teams, and an unknown number deployed informally by employees who found a useful tool and started using it.

Microsoft Agent 365, which became generally available on 1 May 2026, is the platform Microsoft built to answer that problem. It is not a new AI capability. It is a control plane: the place where IT and security teams can see every agent in the organisation, define what each one is permitted to do, and hold the entire agent fleet to enterprise standards. Understanding what it does, what it does not yet do, and what it demands of the organisations using it is now a practical necessity for any enterprise IT and security team operating in a Microsoft environment.

Why a Control Plane Became Necessary

The scale of the problem that Agent 365 was built to address has been developing since Copilot Studio shipped and gave non-technical users the ability to build and deploy agents without involving IT. Gartner projects that by 2028, an average global Fortune 500 enterprise will have over 150,000 agents in active use, up from fewer than 15 in 2025. That growth curve is steep, and most of it happens outside formal IT governance channels.

The pattern is recognisable to anyone who lived through the shadow IT era of the early 2010s. A finance team builds an agent in Copilot Studio to automate invoice processing. An engineer installs a local coding agent on their laptop. A vendor connects an agentic workflow to the organisation's CRM through an OAuth integration. None of these register with IT. None appear in any inventory. And unlike the shadow IT of a decade ago, each of these agents can read documents, execute code, trigger downstream workflows, and operate at machine speed across systems. The blast radius of an unmanaged agent is considerably wider than an unmanaged SaaS subscription.

The scale of the non-human identity gap

Research from Entro Security found that non-human identities now outnumber human identities at a ratio of 144 to 1 in cloud-native environments, up from 92 to 1 in early 2024. A 2026 CSA analysis found that more than 16 per cent of organisations do not track the creation of AI-related identities at all. Every agent is a non-human identity. Without a registry, security teams cannot answer the basics: which agents exist, who owns them, what data they can access, and whether they are still needed.

Traditional identity and access management frameworks were built for human users. Governance frameworks built around user accounts, conditional access policies, and endpoint management were not designed for systems that take actions autonomously on behalf of users, spawn sub-agents, and chain together operations across multiple systems and data sources. Agent 365 was built specifically to fill that gap.

The Three Pillars: Observe, Govern, Secure

Microsoft has organised Agent 365 around three core responsibilities, and the distinction between them matters for how IT and security teams should think about adoption and prioritisation.

Observe is the foundation. Before any governance or security action is possible, the organisation needs to know what agents exist. The Agent 365 overview dashboard provides a real-time view of the entire agent fleet, surfacing total registered agents, active users, growth trends, connected platforms, total runtime hours, and emerging risk signals. The registry serves as the authoritative system of record for every agent in the organisation, whether built in Copilot Studio, Azure AI Foundry, AWS Bedrock, Google Cloud, or by a third party. Each entry is enriched with metadata covering the agent's name, publisher, platform, ownership, deployment status, permissions from the Microsoft Graph, data and tool access, security and compliance details, and usage activity. The agents map view provides a visual graph of the agent ecosystem, showing individual agents, their connections to other agents, and the platform clusters they belong to.

Local agent discovery, the ability to identify agents running on Windows endpoints rather than in the cloud, is handled through Microsoft Defender and Microsoft Intune endpoint telemetry. By detecting applications calling AI inference endpoints, Agent 365 surfaces local agents to IT and security teams without requiring those agents to have been formally registered. Microsoft plans to expand local agent discovery to 18 different agent types by mid-2026, including coding agents that many organisations are discovering on employee laptops without having deployed them centrally.

Govern covers the lifecycle management and policy layer. The Agent 365 registry enables IT administrators to apply governance actions to agents, including deletion, directly from the admin centre. Registry sync connects external agent platforms, beginning with AWS and Google Cloud, to Agent 365, bringing third-party agents and their metadata into a unified view and enabling governance actions across multicloud deployments. For organisations that have not previously had visibility into which agents are running on which platforms, this is the capability that changes the operational picture most significantly.

Secure is the layer that turns visibility into control. Policy-based controls allow administrators to define guardrails for what agents are permitted to do. If a managed agent exhibits behaviour patterns associated with compromise or misuse, such as attempting to access or exfiltrate sensitive data, Microsoft Defender can block the agent at runtime and generate alerts with incident context to support investigation. Asset context mapping, entering preview in June 2026, builds a relationship graph for each discovered agent showing which devices it runs on, which MCP servers it connects to, which identities are associated with it, and which cloud resources those identities can reach. This is the capability that most CISOs have been waiting for: not just a dashboard, but a structure that allows security teams to understand the full blast radius of any given agent before an incident occurs.

The Shadow AI Problem Agent 365 Is Specifically Designed to Address

Shadow AI is the term that has emerged for the organisational equivalent of shadow IT in the agentic era. It refers to agents created and deployed outside approved processes, typically without IT visibility, often with excessive permissions, and almost never with monitoring in place. It is not usually malicious. It is the natural result of giving knowledge workers the ability to build and deploy AI agents without requiring IT involvement, which is precisely what Copilot Studio and similar tools were designed to do.

The governance gap this creates is serious. Agents that are not in an inventory cannot be audited. Agents that have not been through a permissions review may have access to data that is far broader than the task they are performing requires. Agents that are not monitored cannot produce the audit trail that regulated organisations need to demonstrate compliance. And agents that are not subject to lifecycle management continue running, consuming resources, and accessing data long after the use case they were built for has changed or ended.

Agent 365's approach to shadow AI is detection before remediation. The platform uses endpoint telemetry and network signals to identify agents that are running but not registered, then surfaces them to IT and security teams with enough context to make a governance decision. The options are to register the agent formally, bringing it under governance, to block it, or to investigate further. This is the model that enterprise IT teams will recognise from device management: discover first, then act from a position of visibility rather than guessing at what is running in the environment.

The 68 per cent visibility gap

Research in 2026 found that 68 per cent of employees use AI tools without IT approval. For organisations in regulated sectors where every data access needs to be auditable, this is not a statistic to note and set aside. It is the size of the governance gap that existed before a control plane was available.

Integration with the Microsoft Security Stack

One of the most practically significant aspects of Agent 365 is that it is not a standalone product. It is built on and deeply integrated with the security and governance infrastructure that Microsoft enterprises have already invested in. For organisations already running Defender, Entra, Intune, and Purview, Agent 365 extends existing controls to cover agents rather than requiring a parallel governance architecture to be built from scratch.

Microsoft Entra provides the identity layer. Every agent is assigned an identity and managed within the same identity framework as human users. Conditional access policies, workload identity management, and continuous access evaluation apply to agents, enforcing the same standards that apply to human access without requiring separate tooling. This is the mechanism that makes least-privilege access for agents operationally feasible at scale.

Microsoft Defender provides the detection and response layer. Its existing classification capabilities, which know that injecting code into a process that manages logins is always a strong signal regardless of what application is doing it, translate directly into the agentic context. Defender can detect anomalous agent behaviour, block agents at runtime, and generate incident-quality alerts that give security teams the context they need to investigate rather than a bare alert requiring significant additional work to interpret.

Microsoft Purview provides the data governance layer. Purview runtime data loss prevention for agent prompts, now in preview, detects, blocks, and audits sensitive data before it is processed by an agent, ensuring that sensitive information does not reach AI models without appropriate controls. The sensitivity labelling that governs human access to data in a Purview-governed environment applies to agents operating in the same environment. An agent inherits the same protections as a human user, preventing it from accessing labelled files or transmitting sensitive data beyond its permitted scope.

Microsoft Intune provides the endpoint management layer, extending governance to agents running locally on managed devices as well as those running in cloud environments. Policy-based controls deployed through Intune can continuously detect managed devices running specific agents and enforce permitted and prohibited behaviours at the OS level.

What It Means for IT Teams Specifically

For enterprise IT administrators, Agent 365 introduces a new operational responsibility alongside the existing workload of device management, identity governance, and platform administration. The practical demands are significant but tractable for teams that already have mature Intune and Entra practices.

The first priority is inventory. Before any governance policy can be applied, the organisation needs to understand what is actually running. The Agent 365 registry and shadow AI detection capabilities provide the mechanism; the work is ensuring that the registry is treated as the authoritative source of truth and that processes are in place for new agents to be registered before deployment rather than discovered after the fact.

The second priority is lifecycle management. Agents that are no longer actively used need to be identified and decommissioned. Permissions reviews need to be scheduled as agent use cases evolve. Ownership records need to be maintained. These are the same disciplines that apply to service accounts and application registrations, extended to cover a new class of non-human actor.

The third priority is developer engagement. The Agent 365 SDK, now generally available, allows developers to integrate Agent 365 controls directly into their development workflows, building observability, access controls, and compliance enforcement into agents at design time rather than retrofitting governance after deployment. IT teams that engage their development community early on Agent 365 standards will have a considerably easier time achieving consistent governance than those that treat it as a security review at the end of the process.
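The inventory and lifecycle checks described above can be sketched as a reconciliation pass. This is an added example, not Microsoft's or VE3's code; the record fields, permission labels, and agent names are hypothetical, constructed sample data and do not reflect the Agent 365 registry schema.

```python
from datetime import date

# Constructed sample data. Field names and permission labels are hypothetical
# and are not the Agent 365 registry schema.
REGISTRY = [
    {"id": "invoice-bot", "owner": "fin-ops", "last_active": date(2026, 6, 25),
     "granted": {"read:files", "send:mail", "write:sites"},
     "used": {"read:files"}},
    {"id": "hr-faq", "owner": None, "last_active": date(2026, 6, 20),
     "granted": {"read:files"}, "used": {"read:files"}},
    {"id": "q1-migration", "owner": "it-platform", "last_active": date(2026, 2, 1),
     "granted": {"write:sites"}, "used": set()},
]

# Agent ids seen in endpoint telemetry (constructed).
OBSERVED = {"invoice-bot", "hr-faq", "local-coder"}


def review(registry, observed, today, stale_days=90):
    """Return {agent_id: [findings]} for agents that need a governance decision."""
    findings = {}
    registered = {agent["id"] for agent in registry}

    # Running but not in the registry: candidates to register, block, or investigate.
    for agent_id in sorted(observed - registered):
        findings[agent_id] = ["unregistered"]

    for agent in registry:
        issues = []
        if not agent["owner"]:
            issues.append("no-owner")
        if (today - agent["last_active"]).days > stale_days:
            issues.append("stale")
        # Permissions granted but never exercised are candidates for removal.
        unused = agent["granted"] - agent["used"]
        if unused:
            issues.append("unused-permissions:" + ",".join(sorted(unused)))
        if issues:
            findings[agent["id"]] = issues
    return findings


if __name__ == "__main__":
    for agent_id, issues in review(REGISTRY, OBSERVED, date(2026, 6, 30)).items():
        print(agent_id, issues)
```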

What It Means for Security Teams Specifically

For security teams, Agent 365 changes the threat model in a specific and important way. Previously, the question was how to protect the organisation from external threats that might compromise AI systems. That question remains, and the Defender integration addresses it. But the more novel and operationally challenging question is how to ensure that the organisation's own agents are behaving as intended, accessing only what they should, and producing outputs that can be trusted.

The asset context mapping capability entering preview in June 2026 is the most significant development for security operations teams. Building a relationship graph that shows which devices each agent runs on, which MCP servers it connects to, which identities are associated with it, and which cloud resources those identities can reach transforms the security team's ability to assess and contain risk. Without this graph, an incident involving an agent requires manual investigation to establish the blast radius. With it, the information needed to scope and contain an incident is available before the incident occurs.

Prompt injection remains the attack vector that most specifically requires agent-aware security controls. Unlike traditional attacks that exploit code vulnerabilities, prompt injection exploits the AI model itself, embedding malicious instructions in data that an agent will process. The policy engine approach, where every tool call and action request is evaluated against a defined rule set before execution, is the architectural control that addresses this. Purview runtime DLP for agent prompts provides the data layer of this control; Defender's runtime blocking provides the behavioural layer.
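A minimal sketch of the policy-engine pattern described above, as an added example rather than Microsoft's implementation: every requested tool call is checked against a rule set keyed by agent identity, with deny as the default. The rule fields, tool names, labels, and domains are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical sensitivity ordering (constructed for this example).
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Rule:
    tools: frozenset    # tool names the agent may call
    max_label: str      # highest sensitivity label the agent may handle
    domains: frozenset  # domains the agent may send data to


# Hypothetical rule set keyed by agent identity (constructed).
POLICY = {
    "invoice-bot": Rule(
        tools=frozenset({"read_file", "send_email"}),
        max_label="internal",
        domains=frozenset({"example.com"}),
    ),
}


def evaluate(agent_id, call, policy=POLICY):
    """Return (allowed, reason) for one requested tool call. Default is deny.

    The decision uses only the agent's identity and the call's metadata, so
    instructions embedded in the content the agent processed cannot widen it.
    """
    rule = policy.get(agent_id)
    if rule is None:
        return False, "agent has no policy"
    if call["tool"] not in rule.tools:
        return False, "tool not permitted"
    # Unlabelled data is treated as the most sensitive; unknown labels are denied.
    label = call.get("label", "confidential")
    if LABEL_RANK.get(label, 99) > LABEL_RANK[rule.max_label]:
        return False, "label exceeds limit"
    dest = call.get("dest")
    if dest is not None and dest.rsplit("@", 1)[-1].lower() not in rule.domains:
        return False, "destination not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: the second is what an injected instruction might
    # cause the model to ask for; the gate refuses it before execution.
    requests = [
        {"tool": "send_email", "label": "internal", "dest": "ap@example.com"},
        {"tool": "send_email", "label": "internal", "dest": "drop@external.test"},
    ]
    for call in requests:
        print(call["dest"], evaluate("invoice-bot", call))
```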

Security teams should also be tracking the boundary conditions of what Agent 365 currently covers. Local agent discovery covers agents that can be detected through endpoint telemetry on managed Windows devices. AI-enabled browser extensions, which LayerX's 2026 Enterprise Browser Extension Security Report found are present in one in six enterprise users' environments, with 73 per cent carrying high or critical permission scope, represent a vector that requires complementary controls beyond what Agent 365 currently addresses. A comprehensive agent security posture takes Agent 365 as the foundation and extends it with browser-level visibility where the risk profile warrants.

Licensing and the Microsoft 365 E7 Context

Agent 365 is available as a standalone licence at fifteen dollars per user per month. It is also bundled inside Microsoft 365 E7, the new Frontier Suite that Microsoft announced for general availability in May 2026, alongside Microsoft 365 E5, Microsoft 365 Copilot, and Microsoft Entra Suite.

The licensing model has a specific feature that organisations need to understand before scoping their deployment. The licence covers anyone who manages, sponsors, or uses an agent on their behalf. That last clause is consequential. If an agent serves a team of 200 people but was sponsored by five administrators, all 200 people whose work the agent touches require a licence. For organisations deploying agents at scale across large teams, the seat count scales with agent-touched users rather than with the number of agents deployed. This is a planning consideration that belongs in the business case conversation, not the post-deployment review.

For organisations currently on Microsoft 365 E3 or E5 that are evaluating the step up to E7, the Agent 365 inclusion is a meaningful governance argument alongside the Copilot and Entra Suite capabilities. The question to put to account teams is whether the governance gap that exists today, without a centralised control plane for agents, represents an acceptable risk posture given the rate at which agents are being deployed across the organisation.

How VE3 Supports Agent 365 Adoption

VE3 works with organisations navigating exactly the challenge that Agent 365 was built to address: the transition from AI experimentation, where governance requirements were limited, to AI at enterprise scale, where the absence of a control plane is a material risk and compliance exposure.

As a Microsoft-aligned partner with expertise across the Defender, Purview, Entra, and Intune stack, we help organisations deploy Agent 365 in a way that integrates with their existing security architecture rather than sitting alongside it as a parallel governance layer. Our work covers the initial agent inventory and shadow AI discovery exercise, the governance framework design that determines how agents are classified, approved, and managed through their lifecycle, and the security architecture review that ensures Agent 365's controls are correctly configured for the organisation's specific risk profile.

For organisations in regulated sectors where data governance obligations are strict and audit requirements are demanding, we bring a specific understanding of what the control plane needs to demonstrate to satisfy both internal governance standards and external regulatory review. The transition to agentic AI is not optional for organisations that want to remain competitive. The governance infrastructure to support it is not optional either. Agent 365 provides the platform. We help organisations make it work.
