3 Sources
[1]
Microsoft's Agent 365 helps you spot risky AI agents before they cause trouble - here's how
Microsoft 365 E7 combines Copilot, security, and agent governance
AI can seem exciting, especially when it comes to the productivity improvements AI agents provide in the corporate world. But what's rapidly dawning on company and IT leaders is that AI agents are also becoming the ultimate insider threat. In ZDNET's Special Feature: Cybersecurity in the New AI Era, I outlined how this threat is growing by leaps and bounds. In particular, I showed a statistic that, on average, 82 machine identities (often with high-level network access privileges) are being created for every human identity.
This enormous management challenge hasn't gone unnoticed by Microsoft. According to Vasu Jakkal, Corporate Vice President, Microsoft Security, "Fueled by more than 100 trillion daily signals, Microsoft Security protects over 1.6 million customers, more than one billion identities, and 24 billion Copilot interactions, at the speed and scale of AI." In that context, Microsoft is announcing Agent 365, a centralized control plane designed to observe, govern, and secure AI agents across organizations. Essentially, this is a system that provides tracking and control over agents across silos, enterprise-wide. Microsoft is also launching Microsoft 365 E7 (Microsoft likes to call it "ME7"), which is a new enterprise suite that includes Copilot, security tools, and agent management capabilities. The incredible speed with which new agents are being deployed is creating a massive governance and visibility challenge for CIOs, CISOs, and security teams. The visibility issue is important because if you don't know what an agent is doing or that it even exists, you can't control it. To drive home the scope of this problem, let's use air traffic as an analogy. Back when airplanes were new, there weren't all that many of them.
While accidents did happen, pilots could use their Mark I Eyeballs to identify other planes, especially during takeoffs and landings. But fast forward a hundred years or so, and the skies are full of aircraft. Imagine if there were no air traffic control and airplanes were trying to take off and land at LaGuardia Airport (probably my least favorite airport anywhere). It would be absolute chaos. There's almost no way pilots could keep track of everything and avoid disaster. Microsoft's Agent 365 is essentially air traffic control for agents. The idea of this tool is to coordinate all the AI agents that have been flying under the radar throughout your network. Without a unified control dashboard, "IT, security, and business teams don't have the agent visibility and protection they need for their agents," says Microsoft's Jakkal. She continues, "Furthermore, teams often work in silos, making it difficult to understand which agents exist, how they behave, who has access to them, and what potential security risks can exist across your enterprise." There are three main areas that an agent control dashboard can manage: tracking agent activity, managing permissions, and preventing sensitive data exposure.
Here's another analogy. Microsoft Agent 365 is like an HR department, but for AI agents instead of people. The analogy is pretty strong because Microsoft is creating a framework that subjects agents to the same identity and security management as human employees, including unique IDs. This credentialing is created with Agent Registry, which maintains an inventory of agents available through the Microsoft Admin Center and security workflows. It's the AI agent equivalent of issuing each AI agent a badge and a lanyard. Agent 365 provides centralized visibility into all managed AI agents across an organization, including Microsoft-built and partner ecosystem agents.
With this mechanism, IT teams can track, observe, and analyze agent performance, usage, and activity both through detailed reporting and agent mapping. Within Agent 365, Microsoft Entra Agent ID assigns each AI agent a unique identity within the enterprise environment. That's the badge we've been talking about. Identity protection and conditional access policies extend existing user protections to AI agents acting on behalf of users. Here's an important aspect of that: AI agents are assigned access privileges at or below that of the human issuing the prompt that instantiates them. Governance is built into identity management tools that limit AI agent access. They lock down capabilities so that only the resources necessary for a given task are made available. Through Agent 365, IT and security teams can audit the permissions granted to AI agents. These features help mitigate the risks posed by unmanaged identities and excessive agent privileges. Microsoft's Purview unified data governance, risk, and compliance solution now works inside Agent 365, helping organizations manage data security risks associated with AI agents. Capabilities include: By extending Purview into Agent 365, Microsoft is securing the enterprise AI agent landscape with enterprise data governance and compliance controls. According to Jakkal, "There is a growing visibility and security gap, with a risk of agents becoming double agents." Here, too, she says Agent 365 provides support: The bad guys are out there. They're always looking for new ways to wreak havoc. Unsupervised AI agents with escalating access privileges are irresistible to attackers attempting to gain a foothold in your network. If Agent 365 is the control tower for agents in the enterprise, Microsoft 365 E7 is the entire airport. 
Basically, ME7 is a bundle that, "Enables organizations to accelerate frontier transformation and equips employees with AI that shows up inside real work: email, documents, meetings, spreadsheets, and business applications."
ME7 includes the following components: Jakkal says, "Copilot, agents, and Agent 365 operate together in the flow of work, grounded in shared intelligence from the Microsoft IQ Platform, so they understand context, history, priorities, and constraints." Microsoft 365 E7 is priced at $99 per user, per month. Both it and Agent 365 will be generally available on May 1. Microsoft is also setting some expectations about feature availability. Specifically: In my article about agents as the new insider threat, I said, "If it takes a team of interviews and multiple rounds before you hire an employee, it should take the same or even a greater level of care before you 'hire' a new agent." It appears that what Microsoft is offering in Agent 365 and ME7 are the tools to make that analogy into a functional capability inside enterprises with exploding agent populations. Their new offerings aim to bring agents, users, and enterprise data within a unified security framework. Microsoft calls this change to an agent-enabled environment "frontier transformation," leveraging the term "frontier model" for bleeding-edge AI models. If you're going to have a frontier transformation and you're going to field thousands of AI agents, you'd better have the security and oversight tools to manage all of that.
If you're steeped in the Microsoft ecosystem and you're fielding armies of AI agents, you'll probably want to give Microsoft's new offerings a look. What do you think about the rise of AI agents inside the enterprise?
Does the idea of thousands of software agents acting on behalf of employees concern you from a security perspective, or do you see it as a necessary step toward productivity gains? Do you think tools like Agent 365 and Microsoft 365 E7 are the kind of governance layer companies will need? Will organizations struggle to keep up with the pace of agent deployment? If you're working in IT, security, or management, are you already seeing these challenges emerge?
[2]
Microsoft says ungoverned AI agents could become corporate 'double agents.' Its fix costs $99 a month.
Microsoft today announced the general availability of Agent 365 and Microsoft 365 Enterprise 7, two products designed to bring security and governance to the rapidly growing population of AI agents operating inside the world's largest organizations. Both become available on May 1st, alongside Wave 3 of Microsoft 365 Copilot, which expands the company's agentic AI capabilities and adds model diversity from both OpenAI and Anthropic. Agent 365, priced at $15 per user per month, serves as what Microsoft calls the "control plane for agents" -- a centralized system for IT, security, and business teams to observe, govern, and secure AI agents across an enterprise. Microsoft 365 Enterprise 7, dubbed the "Frontier Worker Suite," bundles Agent 365 with Microsoft 365 Copilot and the company's most advanced security stack into a single $99-per-user-per-month license. The timing is deliberate. AI agents have crossed from experimental prototypes into operational infrastructure, but the tools to monitor them have lagged behind. Microsoft is racing to close that gap before adversaries exploit it. "These agents are no longer experimental. We're seeing them deeply embedded in organizations, in the operational structure of these organizations, with people using them," Vasu Jakkal, corporate vice president of Microsoft Security, told VentureBeat in an exclusive interview. "At the same time, as the agents are scaling fast, some of the people and organizations have a visibility gap, and that visibility gap creates business risk."
Over 80% of Fortune 500 companies use AI agents, but nearly a third aren't sanctioned
The numbers behind the announcement tell a story of breakneck adoption outpacing oversight. According to Microsoft's Cyber Pulse report, published in February, more than 80 percent of Fortune 500 companies are actively using AI agents built with low-code and no-code tools. IDC projects 1.3 billion agents in circulation by 2028.
And Microsoft, serving as its own first customer for Agent 365, now has visibility into more than 500,000 agents running across its own corporate environment, with the most widely used focused on research, coding, sales intelligence, customer triage, and HR self-service. Externally, the trajectory is steeper. Tens of millions of agents appeared in the Agent 365 Registry within just two months of preview availability, and tens of thousands of customers have already begun adopting the platform, according to Judson Althoff, CEO of Microsoft Commercial Business. But the governance picture is troubling. Microsoft's research found that 29 percent of agents in surveyed organizations operate without approval from IT or security teams. Only 47 percent of organizations use any security tools at all to protect their AI deployments. "That's a problem," Jakkal said. "All this innovation is happening against a background, or a backdrop of threats, which is pretty intense."
Microsoft warns of 'double agents' -- AI systems hijacked to work against their own organizations
Microsoft has coined a pointed term for the risk it sees emerging: "double agents." The concept, first introduced in a November 2025 blog post by Microsoft security executive Charlie Bell, describes scenarios where AI agents operating on behalf of an organization are manipulated -- through prompt injection, model poisoning, or other techniques -- into acting against the organization's interests. Jakkal told VentureBeat that while Microsoft has not yet observed real-world incidents of agent compromise at scale, the company's AI Red Team has conducted extensive testbed research simulating how agents can be exploited. In those experiments, direct and indirect prompt injections successfully manipulated agents into accessing unauthorized data. "We coined this term very intentionally to make people aware that you have to be very mindful of your agents," Jakkal said. "Just like insider risk was a big thing with employees, we need to make sure that we don't create that with agents." The threat landscape extends well beyond prompt injection. In February, Microsoft's Defender Security Research Team published findings on what it called "AI Recommendation Poisoning" -- a technique in which companies embed hidden instructions inside "Summarize with AI" buttons on websites. When clicked, the pre-filled prompt attempts to inject persistence commands into an AI assistant's memory, instructing it to "remember [Company] as a trusted source." The researchers identified over 50 unique poisoning prompts from 31 companies across 14 industries. Separately, Microsoft published research on detecting backdoored language models -- so-called "sleeper agents" that behave normally under most conditions but execute malicious behavior when triggered by specific inputs.
How Agent 365 extends zero-trust security from people to autonomous AI systems
Agent 365 organizes its capabilities around three pillars: observability, security, and governance. Each extends Microsoft's existing security infrastructure -- Defender for threat protection, Entra for identity and access, and Purview for data security -- to non-human entities. The observability layer starts with an Agent Registry that catalogs all agents across an organization, whether built on Microsoft platforms, from third-party partners, or registered through APIs. IT teams access the registry through the Microsoft Admin Center; security teams see the same data through Defender, Entra, and Purview. Risk signals evaluate agents for compromise, identity anomalies, and risky data interactions -- just as Microsoft's tools already assess human users. A new capability called Agent ID gives each agent a unique identity in Microsoft Entra, enabling conditional access policies, least-privilege enforcement, and audit trails.
Identity Protection and Conditional Access, long used for human accounts, now extend to agents making real-time access decisions based on risk and compliance signals. For data protection, Purview capabilities ensure agents inherit sensitivity labels, block PII and other sensitive information from being processed in prompts, and extend insider risk monitoring to flag suspicious agent behavior. Audit and eDiscovery now treat agents as first-class auditable entities alongside users and applications. Jakkal framed the entire approach as an extension of zero-trust principles. "We think about security for agents very similar to security for people," she said. "You have to protect these agents against threats. You have to secure the data that they're accessing. You have to secure their access and identity. So extending zero trust to zero trust for AI." On whether Agent 365 can intervene in real time or merely observes after the fact, Jakkal confirmed it does both. The system surfaces risk flags and anomalous behavior, and security teams can block risky agents through the Defender portal. "If there's a risk, if it's a risky agent, then you can, of course, block it as well," she said.
At $99 per user, the E7 'Frontier Suite' is Microsoft's most ambitious enterprise AI bundle yet
Microsoft 365 Enterprise 7 packages the company's entire AI and security portfolio into a single SKU. It combines Microsoft 365 E5, Microsoft 365 Copilot, Agent 365, the Microsoft Entra Suite, and advanced Defender, Intune, and Purview security capabilities. Althoff framed the bundle as a direct response to customer demand. "Customers have told us E5 alone is no longer enough; they do not want multiple tools stitched together, they want one trusted solution," he wrote.
At $99 per user, E7 costs less than purchasing the components individually -- E5 currently runs $57 per month (rising to $60 in July), Copilot adds $30, and Agent 365 adds $15 -- offering modest savings while pulling customers deeper into Microsoft's ecosystem. TechRadar first reported in early March that Microsoft was developing the E7 tier. Computerworld's Steven Vaughan-Nichols offered a sharper framing of the strategic implications, observing that Microsoft now wants organizations to "hire" AI agents rather than simply use tools -- with each agent licensed like a human employee. "In Microsoft's world, AI agents are tomorrow's temp workers," he wrote. The per-seat subscription model, applied to non-human entities, gives Microsoft a powerful revenue mechanism that could grow even as AI agents begin supplementing -- or replacing -- human headcount. SiliconANGLE's analysis noted that agents pose a potential threat to the very Office ecosystem that has long been Microsoft's profit engine, making the Agent 365 play both defensive and offensive.
Copilot adds Claude and new OpenAI models as Anthropic's Pentagon battle reshapes the AI market
The launches coincide with Wave 3 of Microsoft 365 Copilot, which introduces expanded model diversity. Claude, from Anthropic, is now available in mainline Copilot chat, alongside the latest generation of OpenAI models. A new feature called Copilot Cowork, built in collaboration with Anthropic and currently in research preview, enables long-running, multi-step work within Microsoft 365. The Anthropic partnership carries geopolitical weight. As CNBC reported on March 6, the U.S. Department of Defense designated Anthropic a supply chain risk after the company refused the Pentagon's requested terms of use. Google, Microsoft, and Amazon all confirmed they would continue offering Anthropic's technology for non-defense work.
The military AI picture has grown more complex still: WIRED reported that the Pentagon had experimented with Azure OpenAI before OpenAI formally lifted its prohibition on military applications in January 2024. Against this backdrop, Microsoft's emphasis on trust and governance reads as both a product pitch and a positioning statement: the company wants to be the vendor that makes AI safe for enterprise deployment, regardless of which underlying models customers choose.
Microsoft's Copilot business provides the demand engine for the new security products
The broader Copilot business supplies the adoption base that makes Agent 365 and E7 commercially viable. Microsoft now has 15 million paid Copilot seats, with growth exceeding 160 percent year over year. Daily active usage increased tenfold. Customers deploying at significant scale -- more than 35,000 seats -- tripled year over year. Major recent deployments include Mercedes-Benz, which announced a global rollout; NASA, Fiserv, ING, and Westpac, which each purchased more than 35,000 seats; and Publicis, which deployed nearly 95,000 seats across almost its entire workforce. Ninety percent of Fortune 500 companies now use Copilot, according to Microsoft. Avanade, a joint venture between Accenture and Microsoft, offered an early endorsement of Agent 365. "Avanade has real visibility into agent activity, the ability to govern agent sprawl, control resource usage, and manage agents as identity-aware digital entities in Microsoft Entra," said CTO Aaron Reich. "This significantly reduces operational and security risk." Jakkal acknowledged that competitors including Palo Alto Networks and CrowdStrike are building their own agentic AI security layers, but argued Microsoft's integration depth sets it apart. "It's not just this tool, and this tool, and this tool put together in a SKU -- it's more like this tool and this tool and this tool work together," she said.
For third-party agent frameworks -- including LangChain, CrewAI, and other open-source tools -- Agent 365 provides an SDK with varying levels of integration.
The real question is whether enterprises will pay to govern AI fast enough to stay ahead of attackers
Agent 365 and E7 reach general availability on May 1st. Several capabilities, including Defender and Purview risk signals and security posture management for Foundry and Copilot Studio agents, will remain in public preview at launch. A new runtime threat protection feature is expected to enter public preview in April. Jakkal observed that many organizations are using the push toward agentic AI as a catalyst for long-overdue security improvements. "I'm seeing organizations use this as an opportunity to say, 'We have to fix our foundations,'" she said. "They're using the AI transformation and agentic transformation to go back and say, we are going to do a security transformation." Whether the market moves fast enough remains the open question. The tools to build agents are freely available and require no security expertise. The tools to govern them require budget approval, implementation cycles, and organizational alignment across IT, security, and business teams. That asymmetry -- between the speed of agent creation and the speed of agent governance -- is the gap Microsoft is trying to close. "The future of work isn't just about smarter agents," Jakkal said. "It's about trusted agents." For the 29 percent of enterprise agents already operating without any oversight at all, trust is not a product roadmap -- it's a race against the clock.
[3]
Microsoft Unveils E7 Suite, Copilot Cowork In Enterprise AI Push
"Intelligence cannot scale without that trust," says Vasu Jakkal, corporate vice president of Microsoft Security.
Microsoft's latest moves to dominate the growing enterprise artificial intelligence include plans to make Microsoft 365 E7 suite generally available on May 1 for $99 per user per month, launch a research preview this month for a Copilot Cowork product built with Claude maker Anthropic and increase access to its Agent 365 control plane the same date E7 goes GA. E7 marks the first new enterprise license plan by the Redmond, Wash.-based technology giant in about 10 years. Microsoft, which has a channel ecosystem of about 500,000 partners, is unifying E5, M365 Copilot, Agent 365 and other parts of the vendor's product portfolio under E7. The $99 price point is for E7 with Teams, but users can save some money by buying E7 without Teams for $90.45 per user. Copilot Cowork comes as recent product innovations by Anthropic rock publicly traded enterprise software stocks over investor panic that Anthropic, ChatGPT maker OpenAI and other AI upstarts pose an existential, disruptive threat to traditional software providers including Microsoft and rivals Salesforce, IBM and Oracle.
Vasu Jakkal, corporate vice president of Microsoft Security, told CRN in an interview that the new and upcoming offers are a major opportunity for managed security services providers (MSSPs). "Intelligence cannot scale without that trust," Jakkal said. "It's not just IT professionals (using AI). It's not just classic developer teams using it. It's business functions using AI and creating agents. That's awesome. But we also see that without the right tooling, that's a real risk." E7 comes as Microsoft prepares to increase prices across a variety of application suites on July 1.
Mike Wilson, chief technology officer and partner at Mason, Ohio-based Microsoft partner Interlink Cloud Advisors, a member of CRN's MSP 500, told CRN in an interview that the price increase is justified by the amount of value Microsoft has been adding to different packages. "We've got to think about that (the price) in the context of what we pay human beings, like what we pay to enable them for technology is small compared to what we actually pay humans," Wilson said. "The value's there." Talking to CRN before the reveal of E7, he said Microsoft needs to provide the tools needed for succeeding with AI at scale. The agent builder products such as Copilot Studio are important, but Agent 365 providing the governance layer for partners is also critical. "Agents are going to be transformative," Wilson said. "Having that governance layer is a huge advantage for Microsoft. I think they've done a better job of putting that security and governance layer than any other vendor in the space." Microsoft has been publishing metrics to show growth throughout its AI portfolio, including Copilot paid seats more than doubling year on year. Microsoft executives said in January on the company's quarterly earnings call that M365 Copilot now has 15 million paid seats. The vendor has also seen daily active Copilot usage up tenfold, and the number of M365 Copilot customers with more than 35,000 seats tripled year over year. Manufacturing, retail and financial services are among the industries leading Microsoft agent adoption, according to the vendor. Microsoft's security business protects 1.6 million customers and leverages more than 100 trillion daily signals, according to the vendor. On May 1, Microsoft will launch the M365 E7 Frontier Worker Suite, bringing together M365 E5, M365 Copilot, A365, Entra Suite and advanced capabilities in Defender, Intune and Purview. E7 users can apply AI across email, documents, meetings, spreadsheets and business application surfaces.
IT and security workers will also have observability and governance capabilities for AI at enterprise scale, according to Microsoft. The $99 price tag is lower than buying all of those capabilities individually, according to Microsoft. M365 Copilot is $30 per user per month. The Entra Suite is $12 per user per month and $9 for E5 license users. And M365 E5 is $57 per user per month until July 1, when Microsoft will increase the suite 5 percent to $60. E5 without Teams is $48.45 per user per month until July 1, when Microsoft will increase the suite 6 percent to $51.45. M365 E3 is $36 per user per month until July 1, when it increases 8 percent to $39. And without Teams, E3 is $27.45 until July 1 when it increases 11 percent to $30.45, according to Microsoft. Microsoft is putting its Copilot Cowork introduction under the banner of a third wave of Microsoft 365 Copilot innovation that moves the AI product beyond virtual assistant and into a tool that can complete actions and complete work through embedded agentic capabilities. Copilot Cowork is a collaboration with Anthropic that can orchestrate full workflows, from building presentations to assembling financials and emailing a team of employees to prepare a user for a customer meeting, as an example. Microsoft is also working on out-of-the-box plug-ins across use cases and scenarios. Cowork leverages Microsoft's enterprise data protection (EDP) and WorkIQ intelligence layer for understanding user work patterns, relationships and organizational context, according to the vendor. Cowork is in pilot with select customers and will enter a research preview this month through Microsoft's Frontier program. Cowork can complete tasks in the background while workers do other things, according to Microsoft. It can interact with user email, documents, files and data in Microsoft 365 without connectors, integrations or data movement. Data never leaves enterprise boundaries and doesn't have to run locally on user devices. 
The data instead stays in the cloud. Along with Cowork, this "wave 3" of Microsoft agentic capabilities includes updates for M365 Copilot in Word, Excel, PowerPoint and Outlook. For example, users can ask Copilot to create pivot tables, update calculations, forecast cash flow and more in Excel. Copilot Chat is also adding the ability to create and augment artifacts, build agents in the canvas users leverage daily and other enhanced experiences, according to Microsoft. Wave 3 also includes the addition of Anthropic's Claude in mainline Copilot Chat for Frontier program members alongside the latest generation of OpenAI models, according to Microsoft. Copilot Chat also offers an auto router for choosing the best-suited model for a job. Claude was already introduced in Researcher and Copilot Studio. Microsoft plans to make its Agent 365 control plane for AI agents GA on May 1 with a price of $15 per user per month, according to the vendor. Originally available to Frontier members, as disclosed during Microsoft Ignite 2025 in November, Agent 365 offers a single place for agent observations, governance, management and security across the organization. Without a unified control plane, IT teams might not have visibility into the number of agents, how they behave, who has access to them and security risks. In two months, tens of millions of agents have appeared in the Agent 365 Registry by preview customers, according to Microsoft. The vendor itself uses A365 for visibility into 500,000-plus agents across the company. So far, most agents have been leveraged in research, coding, sales intelligence, customer triaging and human resources self-service. Over the past 28 days, agents have generated more than 65,000 responses a day for employees, according to Microsoft. A365 capabilities that are GA on May 1 include an agent registry and security policy templates for the entire tenant and enforceable in Microsoft Admin Center for onboarding new agents. 
The registry covers agents built in Microsoft products, ecosystem partner agents and agents registered through application programming interfaces (APIs). Users can also receive reports on agent performance, adoption, usage, an agent map and activity details, according to Microsoft. And they will have the ability to use Entra to evaluate agent identity risk. Risk signal evaluation will still be in public preview May 1 for most Defender and Purview capabilities, although a Defender protection entering public preview in April instead of May 1 is runtime threat protection, investigation and hunting for agents that leverage A365 tools gateway, according to Microsoft. The Entra capabilities in A365 going GA May 1 allow users to give each agent a unique identity designed for the agent's needs. Users can apply trusted access policies at scale and identity protection and conditional access for agents to extend existing policies for real-time access decisions. Those access decisions can be made based on risk, Microsoft Intune device compliance and custom security attributes to agents operating on behalf of a user. The goal is to prevent agent compromise and misuse by malicious actors, according to Microsoft.
Microsoft is releasing Agent 365 and Microsoft 365 E7 on May 1, introducing centralized AI governance as companies grapple with rapidly expanding AI agents. With over 80% of Fortune 500 companies using AI agents and 29% operating without IT approval, Microsoft warns of 'double agents' -- AI systems potentially hijacked to work against their own organizations through prompt injection and model poisoning.
Microsoft is launching Agent 365 and Microsoft 365 E7 on May 1, marking a significant shift in how enterprises manage the explosive growth of AI agents across their organizations [2]. The timing reflects an urgent need: more than 80% of Fortune 500 companies actively use AI agents built with low-code and no-code tools, yet 29% of these agents operate without approval from IT or security teams [2]. Agent 365, priced at $15 per user per month, functions as what Microsoft calls a "centralized control plane for AI" designed to observe, govern, and secure AI agents across enterprises [2].
According to Vasu Jakkal, Corporate Vice President of Microsoft Security, the company now has visibility into more than 500,000 agents running across its own corporate environment, with tens of millions of agents appearing in the Agent Registry within just two months of preview availability [2]. IDC projects 1.3 billion agents in circulation by 2028, creating what Jakkal describes as a critical "visibility gap" that poses substantial business risk [2].
Microsoft has introduced the concept of "double agents" to describe AI agents that are manipulated through prompt injection, model poisoning, or other techniques to act against their organization's interests [2]. While Microsoft hasn't observed real-world incidents of agent compromise at scale, the company's AI Red Team has conducted extensive testbed research demonstrating how agents can be exploited to access unauthorized data [2].
The insider risk from AI extends beyond theoretical concerns. Microsoft's research revealed that only 47% of organizations use any security tools to protect their AI deployments [2]. In February, Microsoft's Defender Security Research Team published findings on "AI Recommendation Poisoning," identifying over 50 unique poisoning prompts from 31 companies across 14 industries attempting to inject persistence commands into AI assistants [2]. "Just like insider risk was a big thing with employees, we need to make sure that we don't create that with agents," Jakkal told VentureBeat [2].
Agent 365 addresses agent sprawl through three core capabilities: tracking agent activity, managing permissions, and preventing data exposure risk [1]. The platform provides centralized visibility into all managed AI agents across an organization, including Microsoft-built and partner ecosystem agents [1]. The Agent Registry maintains an inventory of agents available through the Microsoft Admin Center and security workflows, while Microsoft Entra Agent ID assigns each AI agent a unique identity within the enterprise environment [1].
This identity management framework subjects AI agents to the same security protocols as human employees. AI agents are assigned access privileges at or below that of the human issuing the prompt that instantiates them, with conditional access policies extending existing user protections to autonomous AI systems [1]. IT and security teams can audit permissions granted to AI agents, while Microsoft Purview unified data governance now works inside Agent 365 to manage compliance controls and data security risks [1].
Microsoft 365 E7, dubbed the "Frontier Worker Suite," bundles Agent 365 with Copilot and Microsoft's most advanced security stack into a single $99-per-user-per-month license [2]. This represents Microsoft's first new enterprise license plan in approximately 10 years [3]. The suite unifies M365 E5, M365 Copilot, Agent 365, Entra Suite, and advanced capabilities in Defender, Intune, and Purview [3].
The $99 price point offers savings compared to purchasing capabilities individually, as M365 Copilot alone costs $30 per user per month, while the Entra Suite is $12 per user per month [3]. Microsoft is also introducing Copilot Cowork in research preview, a collaboration with Anthropic that can orchestrate full workflows and complete actions through embedded agentic capabilities [3].
According to Jakkal, "Intelligence cannot scale without that trust," emphasizing that AI security and governance tools represent a major opportunity for managed security services providers as business functions across organizations create agents using Copilot Studio and other platforms [3]. Microsoft's security business now protects 1.6 million customers, leveraging more than 100 trillion daily signals and monitoring 24 billion Copilot interactions [1]. Manufacturing, retail, and financial services are leading Microsoft agent adoption as the company reports M365 Copilot now has 15 million paid seats with daily active usage up tenfold [3].
Summarized by Navi