© 2024 americanfocus.online – All Rights Reserved.

Microsoft takes Agent 365 out of preview as shadow AI becomes an enterprise threat

Last updated: May 4, 2026 3:55 pm

Microsoft last week transitioned Agent 365, its AI agent management platform, from preview to general availability. This decision underscores the company’s belief that the challenge of governing autonomous AI is an urgent operational issue rather than a theoretical one.

Originally introduced at Microsoft’s Ignite conference in November, the platform serves as a unified control system for enterprise IT and security teams to manage AI agents across various environments. These include Microsoft’s ecosystem, third-party cloud platforms like AWS Bedrock and Google Cloud, employee devices, and a growing range of SaaS agents created by partner companies.

What stands out about this launch isn’t just the general availability but also Microsoft’s strong focus on identifying and managing local AI agents. These include coding assistants and productivity tools that employees install on their devices, often without IT approval. Microsoft terms this phenomenon “shadow AI,” a new category of enterprise security risk that many organizations are just beginning to address.

“Most enterprises are trying to figure out how to harness the potential of autonomous agents,” David Weston, Corporate Vice President of AI Security at Microsoft, told VentureBeat. “They’re trying to find a balance between what we call YOLO — just let anything run — and ‘oh no,’ where nothing works at all.”

Why Microsoft says rogue AI agents are already a security crisis inside the enterprise

The release of Agent 365 into general availability highlights a pressing issue: AI agents have surpassed the existing governance systems intended to manage them. Companies that have spent years establishing controls for cloud applications and SaaS software now face a new type of sprawl. Autonomous software can utilize tools, access sensitive data, collaborate with other agents, and act on behalf of users or independently.

Weston identified three main categories of security incidents observed among Microsoft’s enterprise clients. The first, and most frequent, occurs when developers hastily connect agents to backend systems, inadvertently exposing sensitive infrastructure. “A canonical thing we’re seeing a lot across the board is these MCP servers that are then being connected to a sensitive back end system and then exposed unauthenticated to the internet,” Weston said. “That can lead to PII or data leaks.”

The second category involves cross-prompt injection, where attackers embed malicious instructions in data sources like tickets or websites that an agent might ingest. “We are seeing attackers use untrusted data sources to put in what we call cross-prompt injection prompts, which will basically direct your agent to do whatever the attacker wants,” Weston explained. Although less common, these attacks have a higher impact when they occur.

The third issue involves agents accessing data sources and DLP systems that aren’t designed to understand agentic access patterns. “Data sources and DLP systems that are not agent-aware are exposing high-sensitive data down to maybe a vendor,” Weston said, noting that these incidents can be costly and risky.

Inside Agent 365, the $15-per-user control plane for governing AI agents at scale

Agent 365 operates as a centralized registry and policy engine for AI agents, offering IT administrators a comprehensive view of all agents within their environment. Whether built with Microsoft Copilot Studio, deployed on AWS Bedrock, or installed on a developer’s Windows machine, every agent is accounted for.

The platform accommodates three categories of agents, each with different availability statuses. Agents acting on behalf of users with delegated access, such as inbox organizers, are now generally available. Agents operating independently with their own credentials, like systems triaging support tickets, are also generally available. A third category, agents in team workflows with their own access, is now in public preview.

Agent 365 can be purchased as part of the Microsoft 365 E7 suite or as a standalone product for $15 per user per month. The pricing covers individuals who manage, sponsor, or use agents, with fees based on the number of users interacting with the agent ecosystem rather than the number of agents.

How Microsoft hunts for unauthorized AI tools hiding on employee laptops

One of the key new features of Agent 365 is its ability to discover and manage local AI agents that developers and knowledge workers install on their Windows devices, often without IT supervision.

Starting today, organizations in Microsoft’s Frontier program can use Agent 365, powered by Microsoft Defender and Intune, to detect OpenClaw agents on managed Windows devices. Administrators can see which devices have OpenClaw installed and apply Intune policies to block common execution methods. A new “Shadow AI” page in the Microsoft 365 admin center provides a centralized view for this process.

The focus on OpenClaw is driven by customer demand. “Our criteria is simply customer demand,” Weston told VentureBeat. “We’re hearing across the board that enterprises understand OpenClaw represents a new type of software. They want to be on the frontier, they want to leverage all the benefits, but they also want the deterministic control that lets them establish a clear boundary in their enterprise.”

By June 2026, Microsoft plans to expand local agent discovery to 18 different agent types, including GitHub Copilot CLI and Claude Code. The company uses existing endpoint telemetry to identify applications calling inference endpoints, sharing this information with IT and security teams. “Using our visibility on the endpoint, we can see the variety of apps that are basically calling inference endpoints,” Weston explained. “And then we can give a collection of that to the IT and security folks, and they can decide whether that’s appropriate or something that’s putting them at risk.”

Microsoft Defender maps the ‘blast radius’ when an AI agent goes wrong

In June, Microsoft Defender will introduce “asset context mapping” for each discovered agent. This feature creates a relationship graph showing which devices an agent runs on, its connections to MCP servers, associated identities, and accessible cloud resources. The aim is to let security teams evaluate the potential impact if an agent is compromised or malfunctions.

Weston explained the process: “Blast radius is computed by taking an asset inventory and converting each asset into a node in a graph. The edges represent how different assets or data sources are connected.” The system overlays contextual detail onto each node — for instance, flagging that a particular device runs an untrusted AI agent and is simultaneously connected to a critical business database or a machine with thousands of user accounts.

“It’s highly accurate because it’s computed from an asset graph that’s typically cloud-based, or built from endpoint data if you’ve got something like NDE deployed,” Weston said. “We’re computing it based on what you already have — which is essentially ground truth.” This type of exposure mapping is what CISOs are requesting, Weston added. “One of the first things you want to know when assessing agent risk is: what is this connected to? Is it connected to something I care about, or is it something moderate?”
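
The graph computation Weston describes can be sketched as follows. This is an added example, not Microsoft's code and not part of the original article: a constructed asset inventory becomes a directed graph, and a breadth-first walk from a device tagged as running an untrusted agent lists the critical assets it can reach and how many hops away they are. All asset names, tags and edges are hypothetical.

```python
from collections import deque

# Constructed inventory (hypothetical names): asset -> context tags on the node.
ASSETS = {
    "laptop-17": {"untrusted-agent"}, "agent-local": set(),
    "mcp-tickets": set(), "svc-identity-1": set(),
    "crm-db": {"critical"}, "hr-share": {"critical"},
    "build-cache": set(), "kiosk-02": set(),
}
# Constructed edges: (src, dst) means "src can reach or act on dst".
EDGES = [
    ("laptop-17", "agent-local"), ("agent-local", "mcp-tickets"),
    ("agent-local", "svc-identity-1"), ("mcp-tickets", "crm-db"),
    ("svc-identity-1", "hr-share"), ("svc-identity-1", "build-cache"),
    ("kiosk-02", "build-cache"),
]

def build_graph(edges):
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
    return graph

def blast_radius(graph, start, max_hops=None):
    """Breadth-first walk: {asset: hop count} for everything reachable from start."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if max_hops is not None and hops[node] >= max_hops:
            continue  # do not expand past the hop limit
        for nxt in graph.get(node, ()):
            if nxt not in hops:  # visited check also makes cycles safe
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]
    return hops

def critical_exposure(assets, graph, start, max_hops=None):
    """Critical assets inside the blast radius, nearest first, as (hops, name)."""
    reach = blast_radius(graph, start, max_hops)
    return sorted((h, a) for a, h in reach.items() if "critical" in assets[a])

def risky_devices(assets, graph):
    """Nodes tagged untrusted-agent that can reach at least one critical asset."""
    found = {}
    for name, tags in assets.items():
        if "untrusted-agent" in tags:
            hits = critical_exposure(assets, graph, name)
            if hits:
                found[name] = hits
    return found
```

Calling `risky_devices(ASSETS, build_graph(EDGES))` on the constructed data flags `laptop-17`, whose agent reaches both critical stores through the MCP server and the service identity; passing `max_hops` to `critical_exposure` narrows the answer to what is directly adjacent.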

The platform goes beyond visibility by offering policy-based controls that allow administrators to set boundaries for agent actions. If a managed agent shows malicious behavior — like attempting to access or exfiltrate sensitive data — Microsoft Defender can block it in real-time and generate alerts with detailed incident context for investigation. Weston noted that Defender’s classification capabilities are directly applicable in the world of autonomous agents. “Injecting code into the process that manages logins, whether you’re OpenClaw or browser, that’s always going to be a strong signal,” he said. Context mapping, policy controls, and runtime blocking will be publicly previewed through Intune and Defender by June 2026.

Agent 365 reaches into AWS and Google Cloud to govern agents across rival platforms

In a strategic move, Microsoft is expanding Agent 365’s governance capabilities to rival cloud platforms. A new public preview of Agent 365 registry sync allows IT teams to connect with AWS Bedrock and Google Cloud (specifically, Google Gemini Enterprise Agent Platform, formerly Google Vertex AI). Through these connections, administrators can automatically discover and inventory agents running on those platforms and perform basic lifecycle governance actions such as starting, stopping, or deleting agents.

“If we’re going to be a single control plane, we have to meet customers where they are, and many of them are multi-cloud,” Weston told VentureBeat. He acknowledged that the depth of available controls varies somewhat by cloud provider. “Once you know it’s there, what kind of guardrails or blocking can you provide? And that’s going to be slightly different depending on what the cloud provider works with.” But he added that the platforms offer “pretty comparable capabilities” in most scenarios and expressed optimism that cross-cloud consistency will improve over time.

Additionally, Agent 365 now extends Microsoft Entra network controls to monitor agent traffic from Microsoft Copilot Studio agents and local agents like OpenClaw. These controls enable security teams to review agent network activity, identify unauthorized AI usage, limit connections to approved web destinations, filter risky file transfers, and block malicious prompts at the network layer before they result in harmful actions. This combination of cloud registry sync and network-layer enforcement provides Microsoft with a broad governance scope across cloud, endpoint, and network, surpassing many competitors.

Windows 365 for Agents gives enterprises a sandbox for high-risk AI workloads

For businesses seeking the benefits of autonomous agents without deploying them on employee devices, Microsoft has launched Windows 365 for Agents in public preview, available in the United States. This solution offers a new class of Cloud PCs designed for agentic workloads, managed through Intune, and governed by the same identity and security controls as human employees.

Weston described this as a segmentation strategy. “From a security principle standpoint, the more segmentation you can achieve, the better,” he said. “If you don’t want this on your endpoint, but you still want the capability, you can choose to have it sandboxed, isolated. We’ve seen large companies like Nvidia talk about doing this. We’re creating this pattern for everyone.”

How critical that isolation is, Weston added, depends on context. “If you’re working in a military installation, it goes without saying, you probably want to segment away that information. If you’re working in a company that’s primarily creative and you have a little higher risk tolerance, you may not want to do that.” The public preview requires an Agent 365 license, an Intune license, and an active Azure subscription.

Microsoft builds a broad partner network to manage the agentic AI ecosystem

Microsoft is positioning Agent 365 not as a closed ecosystem but as an open management layer. The company announced that ecosystem partner agents from Genspark, Zensai, Egnyte, Zendesk, and agents built on platforms including Kasisto, Kore.ai, and n8n are now fully enabled for management through Agent 365 — with no integration work required from IT teams. Additional software development company launch partners include Adobe, SAP, Manus, Nvidia, and Celonis.

For partner-built SaaS agents, onboarding begins with identity. “We have the ability for you to simply give it an identity and or use our SDK depending on the level of capability you need,” Weston explained. “Just starting with the identity, we’re able to basically see, especially for Entra users, what capabilities the application needs and what constraints should be put on that.” Deeper SDK integration provides richer observability data, but identity alone gives the platform substantial governance leverage.

In terms of services, Microsoft has partnered with firms like Accenture, KPMG, Capgemini, Protiviti, Slalom, and nearly two dozen others as Agent 365 Launch Partners. These firms have worked with Microsoft engineering to develop solutions for inventory assessment, least-privilege enforcement, compliance, multi-platform threat analysis, and ongoing lifecycle management.

Microsoft’s bigger bet: agents are the new apps, and they need the same enterprise controls

Microsoft’s introduction of Agent 365 comes at a time when the enterprise software sector is defining the “agentic era” in practice. Competitors like Google, Amazon, and Salesforce are developing their own agent orchestration and governance tools. However, Microsoft’s approach — leveraging its strong position in endpoint management (Intune), threat detection (Defender), identity (Entra), and productivity (Microsoft 365) — provides a unique cross-surface advantage.

For companies considering Agent 365, Weston suggests a phased adoption approach. “First things first, they’ll get visibility and an inventory — you can’t really secure what you don’t know about,” he said. “The next thing they’re able to do is assign identities and start to manage the access those agents have, which is a huge first step in managing the risk.” The deeper capabilities — isolation through Windows 365 for Agents, runtime blocking, blast radius mapping — come next. “Crawl is inventory. Walk is getting identity and access. Run is getting isolation, better control, deeper visibility,” Weston summarized. “I think that’s something that’s reasonable in a 90-day period.”

Whether companies move at this pace depends on their current security infrastructure and how quickly shadow AI spreads within their operations. An “Ask Microsoft Anything” session on Agent 365 is scheduled for May 12, providing IT and security professionals an opportunity to ask the engineering team specific questions.

However, a notable detail from the interview was Weston’s casual remark. “I have 18 agents running behind my team chat right now,” he said. If even Microsoft’s security chief is surrounded by autonomous agents in his daily tasks, other enterprises may soon find themselves wondering not whether they should manage the agentic workforce, but whether they can do so before it manages them.
