The 60-second answer

Agent 365 provides four categories of control over AI agents in enterprise environments: identity governance (each agent has a managed identity, access controls, and lifecycle), network controls (prompt injection protection, threat intelligence filtering, shadow AI detection, content filtering), audit observability (every agent action logged for compliance and security review), and lifecycle management (access packages, sponsor accountability, deprovisioning workflows). The four together provide enterprise-grade governance for agents that informal controls cannot deliver at scale.

Category 1: Agent identity governance

Every agent in Agent 365 has its own managed identity rather than inheriting application identity or sharing user credentials. The identity is created at agent provisioning, persists through the agent’s lifecycle, and is deprovisioned when the agent is retired. The identity is the foundation that the other three control categories build on.

The capabilities under identity governance include:

  • Access packages defining what data, services, and APIs an agent can access. The package is reviewed at agent creation and on a recurring basis (typically quarterly) through standard access review workflows.
  • Sponsor relationships tying each agent to a specific human owner accountable for its behaviour. The sponsor approves access changes, reviews audit logs, and is responsible for deprovisioning the agent when no longer needed.
  • Lifecycle workflows for the standard transitions: provision, activate, modify access, suspend, deprovision. The workflows ensure that orphaned agents do not accumulate — a common failure mode without dedicated governance.
  • Privileged access management for agents requiring elevated permissions. Elevated access is time-bound, approval-gated, and fully audited.

Category 2: Network controls for agent traffic

AI agents have different network behaviour and threat profiles than human users. Agent 365 provides agent-specific network controls in four areas.

Prompt injection protection. Agents that process content can be manipulated through carefully crafted prompts embedded in the content. Agent 365 includes detection for known prompt injection patterns and policy enforcement that blocks suspicious instructions from reaching agent runtimes. The protection operates at the network layer rather than the prompt-engineering layer, providing defence in depth.

Threat intelligence filtering. Outbound agent traffic to known malicious domains is blocked through integration with Microsoft Threat Intelligence and external feeds. The filtering operates differently from user-traffic filtering — agents have different normal-behaviour patterns, and the threat intelligence tuning reflects that.

Shadow AI detection. This control identifies unauthorised agent or AI tool deployments in the tenant. The capability matters as agent build platforms proliferate: business units sometimes deploy agents through unsanctioned tools without IT visibility. Shadow AI detection surfaces these deployments for security review.

Content filtering. URL filtering, file filtering, and content-class filtering for agent traffic. Combines with the prompt injection protection to provide multi-layer content security at the agent layer.

Category 3: Audit and observability

Every agent action is logged in detail sufficient for security investigation and compliance reporting. The audit infrastructure integrates with Microsoft Purview and Sentinel, so security teams can investigate agent activity using the same tooling they use for user activity.

The audit logs capture: agent creation and deprovisioning events; access grants and revocations; identity authentication events; data access by agents (with the data sources, query parameters, and results metadata); external API calls; communication events (messages sent, content created); and policy violations or anomaly detection events.

For regulated industries the audit completeness matters substantially. Compliance frameworks increasingly require explicit logging of AI agent decisions — SR 11-7 in US banking, EU AI Act provisions, HIPAA AI-related guidance — and Agent 365’s logging structure is designed to satisfy these requirements out of the box.


Category 4: Lifecycle management

Agents need to be created, used, reviewed, modified, and eventually retired. Without dedicated lifecycle management, organisations accumulate orphaned agents — agents whose owners have left, whose business purpose has lapsed, or whose access has expanded beyond the original sponsor approval. Orphan agents are a security risk and a compliance gap.

Agent 365 lifecycle management provides:

  • Provisioning workflows requiring sponsor approval, access package selection, and audit baseline establishment at agent creation.
  • Periodic access review on a quarterly or business-cycle basis. Sponsors must affirmatively re-approve agent access; unreviewed agents are suspended pending review.
  • Modification controls requiring approval workflow when agent access expands or capabilities change materially.
  • Deprovisioning workflows ensuring clean retirement when agents are no longer needed. The workflow handles credential revocation, data access removal, audit log retention per policy, and notification to the sponsor.
  • Sponsor transition handling when the human owner changes (departure, role change, etc.). The agent does not become orphaned; sponsorship transitions explicitly.
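
The orphan criteria and the review rule above can be checked against any agent inventory export. The following is an added example, not Agent 365 code or its API: the record fields, scope names, the 90-day reading of "quarterly" and the "escalate" action are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=90)  # assumption: "quarterly" read as 90 days

@dataclass
class Agent:  # hypothetical inventory record, not an Agent 365 schema
    name: str
    sponsor: str
    last_review: date
    purpose_expires: Optional[date]  # None = no end date recorded
    approved_scopes: set             # what the sponsor approved
    granted_scopes: set              # what the agent can reach today

def orphan_findings(agent, active_staff, today):
    """List the orphan criteria from the text that this agent meets."""
    findings = []
    if agent.sponsor not in active_staff:
        findings.append("sponsor_departed")
    if agent.purpose_expires is not None and agent.purpose_expires < today:
        findings.append("purpose_lapsed")
    drift = agent.granted_scopes - agent.approved_scopes
    if drift:
        findings.append("access_beyond_approval:" + ",".join(sorted(drift)))
    if today - agent.last_review > REVIEW_INTERVAL:
        findings.append("review_overdue")
    return findings

def triage(agents, active_staff, today):
    """Map agent name -> (action, findings)."""
    result = {}
    for agent in agents:
        findings = orphan_findings(agent, active_staff, today)
        # Overdue review means suspend pending review; any other finding is
        # routed to the sponsor workflow ("escalate" is an assumed label).
        action = "suspend" if "review_overdue" in findings else "escalate" if findings else "ok"
        result[agent.name] = (action, findings)
    return result

# Constructed sample data: names, scopes and dates are invented for illustration.
TODAY = date(2025, 6, 30)
ACTIVE_STAFF = {"a.khan", "m.osei"}
SAMPLE_AGENTS = [
    Agent("invoice-triage", "a.khan", date(2025, 5, 12), None, {"erp.read"}, {"erp.read"}),
    Agent("hr-onboarding", "j.lee", date(2025, 1, 15), None, {"hr.read"}, {"hr.read"}),
    Agent("sales-digest", "m.osei", date(2025, 6, 1), None, {"crm.read"}, {"crm.read", "mail.send"}),
    Agent("event-bot", "m.osei", date(2025, 4, 20), date(2025, 5, 31), {"cal.read"}, {"cal.read"}),
]
```

Calling `triage(SAMPLE_AGENTS, ACTIVE_STAFF, TODAY)` returns one action per agent, which also gives a starting point for the inventory step in the action plan.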

What governance looks like without Agent 365

Organisations governing agents without Agent 365 typically rely on three improvised approaches, each with limitations.

Application identity governance. Agents are treated as applications and managed through standard application identity controls. This works at small scale (single-digit agent counts) but breaks down as agent count grows, because application identity governance was not designed for the agent lifecycle.

User identity sharing. Agents operate under a shared service account. This is a security failure mode: the audit trail becomes unusable because all agent actions trace to the same account.

Manual governance through spreadsheets and review meetings. This is common in early-stage programmes. It is functional up to perhaps 10–20 agents and structurally unable to scale beyond that.

Agent 365 replaces all three improvised approaches with infrastructure designed for the use case. The replacement is not the only path forward, but it is the path that scales to enterprise agent deployment without governance debt accumulating.

Action plan for security and compliance teams

  1. Inventory current agent activity. Count and document agents currently deployed. Identify which of the four governance categories are currently uncontrolled.
  2. Map governance gaps to Agent 365 capabilities. Each gap maps to one of the four control categories. The mapping produces a specific business case for Agent 365 rather than a generic one.
  3. Decide on deployment timing. Align the timing with the deployment trajectory rather than commercial calendar pressure.
  4. Pilot Agent 365 against the current agent estate. Validate that the control categories actually deliver against your governance requirements before full commitment.