As AI agents move from pilot projects into the operational core of large enterprises, Microsoft is warning that many of these systems are already acting in the wild with little or no oversight. Its answer is a new security and governance layer, Agent 365, and a broader enterprise bundle, Microsoft 365 Enterprise 7 (E7), both generally available May 1 and tightly coupled to the company’s Copilot business.
The strategic bet: if AI agents are going to behave like digital workers, they must be hired, monitored, and constrained with the same rigor as humans — before attackers turn them into “double agents.”
The scale of unsanctioned AI agents inside the enterprise
Microsoft’s own telemetry and research sketch a rapid, uneven shift to agentic AI inside large organizations. According to the company’s Cyber Pulse report, more than 80% of Fortune 500 firms are already using AI agents built with low-code and no-code tools. IDC projects that by 2028 there could be 1.3 billion agents in circulation worldwide.
Microsoft is using itself as a reference customer. It reports visibility into more than 500,000 AI agents operating across its internal environment, with the heaviest use in research, coding, sales intelligence, customer triage, and HR self-service. Externally, tens of millions of agents appeared in the Agent 365 Registry just two months into preview, with tens of thousands of customers starting to adopt the platform.
Beneath that growth, the governance picture is fragmented. Microsoft’s research found that 29% of agents in surveyed organizations are operating without approval from IT or security. Only 47% of organizations report using any security tools to protect their AI deployments.
For enterprise IT leaders and CISOs, that points to a familiar pattern: business units can spin up powerful automations with a credit card and a few prompts, while the corresponding identity, data protection, and monitoring controls lag months or years behind. Microsoft’s Vasu Jakkal, corporate vice president of Microsoft Security, describes this as a “visibility gap” that has quickly become a business risk as agents are “deeply embedded in organizations, in the operational structure.”
From insiders to ‘double agents’: Microsoft’s threat framing
Microsoft is putting a specific name on one emerging class of risk: “double agents.” The term, first outlined publicly by Microsoft executive Charlie Bell in 2025, describes AI agents that nominally work on behalf of an organization but are manipulated to act against it.
In Microsoft’s internal testbed research, its AI Red Team has demonstrated how that can happen. Through direct and indirect prompt injection, the team has manipulated agents into accessing unauthorized data and deviating from intended workflows. The company says it has not yet observed agent compromise at scale in the wild, but its experiments show how easily an agent with broad access can be steered.
The research extends beyond simple prompt injection. In February, Microsoft’s Defender Security Research Team documented “AI recommendation poisoning,” where hidden instructions are embedded in “Summarize with AI” buttons on websites. When a user clicks, the pre-filled prompt injects persistence commands into the assistant’s memory, such as telling it to permanently treat a particular company as a “trusted source.” The team identified more than 50 unique poisoning prompts from 31 organizations across 14 industries.
In separate work, Microsoft has also published findings on detecting backdoored language models — “sleeper agents” that behave normally in most contexts but trigger malicious behavior on specific inputs. In aggregate, these scenarios resemble a digital version of insider threat, but applied to non-human entities that can replicate and scale much faster than people.
For security leaders, the message is less about novel attack techniques and more about the expanded blast radius. An unsupervised agent with powerful connectors and no identity boundary can, in effect, turn any successful injection or poisoning attack into a persistent insider compromise.
Inside Agent 365: a control plane for AI workers
Agent 365 is Microsoft’s attempt to translate its existing identity, data protection, and threat defense stack into a coherent “control plane for agents.” Priced at $15 per user per month, it is organized around three pillars: observability, security, and governance, and is designed to apply Microsoft Defender, Entra, and Purview capabilities to non-human actors.
The foundation is an Agent Registry that catalogs AI agents across an enterprise. This includes agents built on Microsoft platforms, third-party tools, and those registered via APIs. IT administrators see the registry through the Microsoft Admin Center, while security teams view the same entities and risk signals through Defender, Entra, and Purview.
On top of this registry, Microsoft is introducing Agent ID, which assigns each agent a unique identity in Entra. That allows organizations to extend long-standing identity constructs — conditional access, least-privilege access, risk-based access decisions, and audit trails — to AI systems. Identity Protection and Conditional Access, traditionally used for human accounts, can now evaluate agents in real time based on signals about compromise or policy non-compliance.
For data protection, Purview policies carry over to AI agents. Sensitivity labels, rules to block processing of PII and other sensitive data, and insider risk monitoring are applied as if agents were users. Audit and eDiscovery workflows treat agents as first-class objects, meaning their actions can be investigated and reviewed alongside human activity.
Jakkal characterizes this as an extension of zero-trust principles from people to autonomous systems: you protect agents against threats, secure the data they access, and strictly control their identities and permissions. Importantly for incident response, Agent 365 is designed for both detection and intervention. Security teams can see risk flags and anomalous behavior, and they can block risky agents directly through the Defender portal when needed.
E7 pricing and Microsoft’s strategy to ‘hire’ AI agents
While Agent 365 can be purchased on its own, Microsoft is clearly steering larger enterprises toward Microsoft 365 Enterprise 7, its new top-tier “Frontier Worker Suite.” At $99 per user per month, E7 bundles Microsoft 365 E5, Microsoft 365 Copilot, Agent 365, the Entra Suite, and enhanced Defender, Intune, and Purview capabilities into a single license.
Microsoft positions E7 as a response to customer demand for fewer stitched-together tools and more integrated platforms. On price, the bundle undercuts the sum of its parts: E5 currently costs $57 per user (with a scheduled increase to $60), Copilot adds $30, and Agent 365 adds $15. E7’s pricing therefore offers a modest discount while deepening reliance on Microsoft’s environment.
Industry observers have highlighted the broader implications. Reporting ahead of launch noted that Microsoft is, in effect, asking enterprises to “hire” AI agents on a per-seat basis, similar to how they license human workers. SiliconANGLE has pointed out that as agents supplement or even replace some human work within the Microsoft 365 ecosystem, a per-agent subscription model gives Microsoft a revenue path that can grow regardless of shifts in human headcount.
For CIOs and CFOs, this reframes AI budget discussions. Instead of a one-off project cost, agents become recurring line items, with security and governance capabilities like Agent 365 tied directly to each seat. The question becomes not just how many Copilot users an organization can justify, but how many governed agents it is prepared to license and manage over time.
Copilot, Claude, and Anthropic: model diversity with geopolitical baggage
The Agent 365 and E7 launches coincide with Wave 3 of Microsoft 365 Copilot, which broadens the underlying model choices available to customers. Anthropic’s Claude is now accessible in the core Copilot chat experience alongside the latest OpenAI models. Microsoft is also testing a new feature, Copilot Cowork, in research preview. Built with Anthropic, it is designed to support long-running, multi-step workflows inside Microsoft 365.
This model diversity rollout is happening amid a more complicated geopolitical and regulatory environment for frontier AI. The U.S. Department of Defense has designated Anthropic a supply chain risk after the company declined Pentagon terms of use, according to recent reporting. In response, cloud providers including Google, Microsoft, and Amazon have said they will continue to offer Anthropic’s models for non-defense use.
At the same time, reporting has documented that the Pentagon experimented with Azure OpenAI services prior to OpenAI lifting its formal prohibition on military applications in early 2024. That history puts additional scrutiny on how cloud providers position themselves on trust, safety, and governance when offering access to multiple third-party models.
Against that backdrop, Microsoft is presenting Agent 365 and E7 as model-agnostic governance infrastructure. The company’s pitch to enterprises is that they can standardize trust, security, and compliance controls regardless of whether they use OpenAI, Anthropic, or other providers behind Copilot and their custom agents.
Security stack integration and the competitive landscape
Microsoft is not alone in trying to define a control plane for agentic AI. The company acknowledges that security vendors such as Palo Alto Networks and CrowdStrike are also building agent security and observability layers. Its argument is that tight integration across Microsoft 365, Entra, Defender, and Purview gives it a differentiating depth.
In practice, that integration shows up in shared signals and unified administration experiences. Agent 365 pulls risk and posture data into the same consoles that security teams already use for human identities and endpoints. Foundational capabilities like risk-based conditional access, sensitivity labels, and insider risk analytics are reused rather than reimplemented.
Microsoft is also providing an SDK for third-party agent frameworks — including tools such as LangChain, CrewAI, and open-source stacks — with varying levels of integration. That’s a recognition that many enterprises are building agents outside of Microsoft’s own low-code offerings but will still want central visibility and control.
The demand engine for these controls is Microsoft’s Copilot footprint. The company reports 15 million paid Copilot seats, more than 160% year-over-year growth, a tenfold increase in daily active usage, and a tripling in the number of customers deploying at scales above 35,000 seats. Large rollouts at organizations such as Mercedes-Benz, NASA, Fiserv, ING, Westpac, and Publicis, and adoption by 90% of the Fortune 500, create an installed base that is primed for upsell to governance tools.
Early adopters like Avanade, the Accenture–Microsoft joint venture, describe Agent 365 as giving them real visibility into agent activity, letting them govern “agent sprawl,” control resource usage, and manage agents as identity-aware entities in Entra — with a corresponding reduction in operational and security risk.
Will enterprises govern AI fast enough?
Agent 365 and E7 will be generally available on May 1, with some capabilities still in public preview. Those include certain Defender and Purview risk signals and security posture management for agents built on platforms like Microsoft Foundry and Copilot Studio. A runtime threat protection feature is expected to enter public preview in April, aimed at detecting and mitigating attacks while agents are executing.
Many organizations are using the move to agentic AI as a forcing function for overdue security modernization. Jakkal notes that enterprises are seizing AI transformation as an opportunity to “fix [their] foundations,” effectively linking AI deployment roadmaps with broader security transformation programs.
The structural challenge, however, is timing. Low-code and no-code tools make it trivial for business users to create and deploy agents without security expertise. By contrast, deploying governance tooling like Agent 365 and aligning IT, security, and business stakeholders around new processes requires budget cycles, implementation programs, and cultural change.
That asymmetry — fast agent creation versus slower governance adoption — is the gap Microsoft is trying to close. For CISOs and architects, the choice is whether to treat AI agents as first-class identities now, with the licensing and control that implies, or to allow a growing share of the organization’s operational work to be handled by systems that effectively sit outside the security perimeter.
As Jakkal frames it, the future of work is not only about smarter agents but “trusted agents.” With nearly a third of enterprise agents already operating without approval, trust is no longer just a product capability — it is a race condition between innovation and oversight.
Hi, I’m Cary Huang — a tech enthusiast based in Canada. I’ve spent years working with complex production systems and open-source software. Through TechBuddies.io, my team and I share practical engineering insights, curate relevant tech news, and recommend useful tools and products to help developers learn and work more effectively.
