What Microsoft Actually Shipped on May 1
Microsoft’s general availability announcement for Agent 365 is denser than most. Strip away the positioning language and four concrete capabilities emerged at launch.
Delegated-access agent governance (GA). Agents that operate with delegated user access — meaning they act on behalf of a human identity — are now fully manageable through Agent 365. IT administrators can view, pause, and terminate these agents from a single console. This addresses the most common current deployment pattern: RPA-style automation bots that inherit user credentials and operate within the same permission envelope as the user who created them.
Independent-credential agent governance (GA). The more consequential capability: agents with their own enterprise identities, issued through Microsoft Entra. Each such agent receives a unique principal, role-based access control policies, least-privilege enforcement by default, and conditional access that adapts based on real-time risk signals. This is the foundation for governing autonomous agents that operate without human-in-the-loop oversight — the agents that procurement, compliance, and security teams most fear losing track of.
Multi-cloud discovery and registry sync (Public Preview). Agent 365 can now discover and inventory agents running in AWS Bedrock and Google Cloud, sync them into the Agent 365 registry, and apply lifecycle governance (start, stop, delete) from the central console. This removes the most common objection to enterprise agent governance: “We can’t govern what we can’t see, and we can’t see what runs outside Microsoft.”
Shadow AI detection. Working through Microsoft Defender and Intune, Agent 365 discovers unmanaged local agents — including those spawned by Claude Code, GitHub Copilot CLI, and other developer tools. By June 2026, the platform will add asset relationship mapping that shows which devices, MCP servers, identities, and cloud resources each agent can reach. This is the audit trail that compliance teams need before any regulated workload can run on autonomous infrastructure.
Why This Matters More Than the Product Sheet Suggests
Enterprise AI governance has been the discipline that everyone agreed was necessary and nobody shipped a production system for. The failure mode was structural: agent governance tools could not operate where agents actually ran.
The Agent 365 GA changes this in three ways that the product sheet underemphasises.
First, the identity architecture. By issuing every agent an Entra principal, Microsoft has extended the same zero-trust identity model it spent a decade building for human users to autonomous systems. An agent with an Entra identity can be subject to conditional access policies, privileged identity management reviews, and lifecycle revocation — the same controls that govern service accounts and privileged users. Security teams that know how to govern human identities in Entra now have a direct, transferable skill set for governing agent identities. This is not a minor convenience — it eliminates the need for a separate agent identity platform.
Second, the Defender integration. Microsoft Defender’s “early detection of abnormal activity such as excessive data retrieval, privilege escalation attempts, or unexpected cross-system communication” applies the same threat detection logic to agents that it applies to humans. When an agent that normally retrieves 50 records per hour suddenly retrieves 50,000, Defender surfaces the anomaly with the same fidelity it surfaces a compromised human account. Security teams do not need to build agent-specific monitoring pipelines — they inherit the detection infrastructure they already fund.
Third, the pricing structure. At $15 per user per month, Agent 365 is priced at the same tier as Microsoft’s security and compliance add-ons. This means it fits within existing Microsoft 365 licensing discussions rather than requiring a separate procurement cycle. For enterprises already on M365 E7, it is included — removing the budget conversation entirely. This pricing decision is more strategic than it looks: it removes the friction point that has historically caused governance tooling to be purchased after incidents rather than before them.
Advertisement
The Shadow AI Problem Agent 365 Addresses
The June 2026 asset relationship mapping feature is worth unpacking specifically. When it ships, Agent 365 will be able to answer the question that no enterprise security team can currently answer at scale: for any given local or cloud-hosted agent, what can it reach?
Today, most enterprises have no systematic inventory of their agents. Developers running Claude Code, GitHub Copilot CLI, or open-source agent frameworks locally have access to file systems, terminals, API keys, and cloud credentials — and none of this is visible to the IT team managing the company’s security posture. The “autonomous agents will soon outnumber human users inside enterprise systems” framing that Microsoft uses is not marketing hyperbole; it is a factual description of the trajectory of developer tooling in 2026.
The shadow AI problem is structurally identical to the shadow IT problem of the 2010s: technology that employees find valuable proliferates faster than governance structures can adapt. Agent 365’s shadow detection capability does not eliminate shadow AI — developers will continue to run local agents regardless of policy. What it does is make shadow AI visible, auditable, and subject to the same conditional access logic that governs the rest of the enterprise environment.
What Enterprise AI Teams Should Do Now
1. Inventory Every Agent Running in Your Environment Before June
The June 2026 asset relationship mapping update will surface agents that IT has no current visibility into. That visibility cut is going to be uncomfortable for most enterprises, revealing more autonomous activity than CISOs expect. Get ahead of it: start the manual inventory now.
The practical first step is a cross-team survey of every engineering team that has deployed any agent-based tooling in the past 18 months — including local developer agents (Claude Code, Copilot CLI), cloud-hosted agents (AWS Bedrock, Azure AI Foundry), and SaaS-integrated agents (Zendesk AI, Salesforce Einstein). The result is a risk-ranked list of agent deployments that can be systematically onboarded into Agent 365’s governance framework before the mapping feature arrives and surfaces them automatically.
Do not wait for the mapping feature to do this work for you. The difference between discovering your own shadow agents and having them discovered for you in an audit or incident is the difference between proactive governance and reactive remediation.
2. Extend Your Zero-Trust Identity Policy to Cover Agent Principals
Most enterprises have a mature zero-trust identity policy for human users: MFA required, conditional access enforced, privileged identity management for elevated roles. Almost none have applied the same policy to agent identities — because before Agent 365, there was no standardised way to issue and manage agent principals inside Entra.
Now there is. The action item for identity and access management teams is to draft an agent identity policy that mirrors the human identity policy: minimum required permissions for each agent function, MFA equivalent for agent credential rotation, conditional access policies that downgrade or block agent access when risk signals are high, and a lifecycle review cadence (quarterly is a reasonable starting point for agents with access to production data).
Singapore’s government AI governance framework, which requires documented access control matrices for every AI system handling citizen data, provides a useful benchmark for what a mature agent identity policy looks like in regulated environments. Algerian enterprises in regulated sectors should use it as a reference model.
3. Designate an Agent Steward Role Before the First Incident
The most common failure pattern in enterprise AI governance is not technical — it is organisational. No one owns the agent. The developer who built it has moved on to the next project. The system it automates is owned by a different business unit. The credentials it uses belong to a service account that nobody reviews. When the agent does something unexpected, the incident response team has no documented owner to call.
Fix this before the incident. The Agent Steward role is simple: for every agent registered in Agent 365, one named individual is responsible for its access policy, its behavioural baseline (what “normal” looks like for this agent), and its escalation path when anomalies are detected. The role does not require technical deep knowledge — it requires accountability. Designate the agent steward at the point of agent registration, document it in Agent 365, and require reconfirmation at each quarterly lifecycle review.
The Governance Gap Agent 365 Still Leaves Open
Agent 365 is the most complete enterprise agent governance platform available as of May 2026. It is not complete. The three gaps that enterprises should plan around:
The multi-model gap: Agent 365 governs agent identities and actions, but it does not govern the model outputs that agents act on. An agent making decisions based on a hallucinating LLM response is a governance problem that identity management cannot solve alone. Model-level monitoring (output validation, uncertainty quantification, adversarial input detection) remains a separate tooling requirement that Agent 365 does not address.
The on-premises gap: Agent 365’s multi-cloud support is limited to AWS Bedrock and Google Cloud in public preview. Agents running on fully air-gapped on-premises infrastructure (common in defence, financial services, and healthcare) are not discoverable through the platform in its current state. Enterprises in these environments need a parallel governance approach.
The third-party agent gap: Agent 365 launch partners — Genspark, Zensai, Egnyte, Zendesk, Kasisto, Kore, and n8n — have pre-configured management integrations. Agents built on platforms outside the launch partner list (LangChain-based custom agents, for example) require manual integration work to appear in the Agent 365 registry. This is a solvable problem but it is work, not a turnkey capability.
Frequently Asked Questions
What did Microsoft Agent 365 GA on May 1, 2026 actually include?
The GA release included two capabilities in full general availability: governance of agents operating with delegated user access, and governance of agents with independent Entra identities (including role-based access control, least-privilege enforcement, and conditional access). Multi-cloud discovery and sync with AWS Bedrock and Google Cloud shipped in public preview. Shadow AI detection for local developer agents (Claude Code, Copilot CLI) and Windows 365 for Agents (a secure execution environment) also launched in preview. Pricing is $15 per user per month standalone, or included in Microsoft 365 E7.
How does Agent 365 handle agents running outside the Microsoft ecosystem?
In public preview as of May 1, Agent 365 can discover and sync agents running in AWS Bedrock and Google Cloud. For agents on other platforms, discovery depends on whether the agent’s platform is an Agent 365 launch partner (Genspark, Zensai, Egnyte, Zendesk, Kasisto, Kore, n8n have pre-configured integrations) or requires manual registration. Agents running in fully air-gapped on-premises environments are not currently discoverable without custom integration work.
What is the Agent Steward role and why does it matter?
The Agent Steward is the designated human owner for a registered AI agent — responsible for its access policy, its behavioural baseline (what activity is normal), and its escalation path when anomalies are detected. This role matters because the most common enterprise AI governance failure is organisational rather than technical: agents with no documented human owner cannot be rapidly investigated when they behave unexpectedly. Agent 365’s registry infrastructure makes it possible to document and enforce agent ownership at scale.
—
Sources & Further Reading
- Microsoft Agent 365 Now Generally Available — Microsoft Security Blog
- Microsoft Agent 365 and Enterprise AI Governance — Charter Global
- Microsoft Agent 365 GA: Control Plane for Governing AI Agents — Windows News AI
- Microsoft Agent 365: Secure Agentic AI — Corsica Tech
- Microsoft Agent 365 Overview — Microsoft Learn
