From Chaos to Control: Managing AI Agents at Scale with Agent 365

• Invisible

  No inventory, no owner. Shadow and ownerless agents run outside the view of the teams accountable for risk.

• Insecure

  Over-privileged access, tool misuse, and prompt injection turn a "helpful" workflow into data oversharing in seconds.

• Unmanaged

  Built across many tools and frameworks with no consistent policy, lifecycle, or audit trail.

You can't govern what you can't see, and you can't secure what you don't understand.

Observe, govern, and secure every agent (Microsoft-built, open-source, or third-party) using the admin and security workflows your teams already run.

• 01

  Observe

  One inventory of every agent: telemetry, dashboards, and an agent map across the whole fleet.

• 02

  Govern

  Identity, least-privilege access, policy templates, and full lifecycle. Manage agents like your workforce.

• 03

  Secure

  Runtime threat detection, prompt-injection defense, DLP, and compliance built in.

Your agents (Copilot, Teams, open-source, SaaS, custom) sit on top. The control plane handles Registry · Access Control · Visualization · Interoperability · Security. The four Microsoft services below are the trust fabric.

• Microsoft Entra

  Agent ID, the identity and access-control foundation.

• Microsoft Defender

  Threat detection, runtime protection, shadow-AI discovery.

• Microsoft Purview

  Data security and compliance: DLP, sensitivity labels, eDiscovery.

• Intune + Windows 365

  Device discovery and a secured, managed runtime.

No new trust fabric to rebuild. The same identity, security, and compliance stack, now covering agents.

• 01

  Registry

  Stop sprawl at the source: one inventory of every agent.

  What it does

  Single source of truth across Entra Agent ID, Teams Store, and discovered shadow agents. Defender + Intune find local and cloud agents on the Shadow AI page. Unsanctioned agents are quarantined on day one. Registry sync extends to AWS Bedrock and Google Cloud (preview).

  What we learned

  Make discovery continuous, not a one-time audit. Require an owner at registration; a registry without owners is just a list. Quarantine the unsanctioned first, then onboard the rest under policy.

• 02

  Access Control

  Every agent gets a unique identity, and only the access it needs.

  What it does

  Unique Agent ID per agent (no shared service accounts). Least privilege by default: scope access to the task, shrink the blast radius. Policy templates enforce a baseline at onboarding. Adaptive Conditional Access via Entra applies risk-based policy in real time and blocks compromised agents.

  What we learned

  One Agent ID per agent, scoped tightly to its task. Enforce the baseline with policy templates at onboarding, not later. Let Conditional Access revoke access automatically on risk signals.

• 03

  Visualization

  Move from monitoring to actionable insight across the fleet.

  What it does

  An Agent Map of every connection among agents, users, and resources. Telemetry and alerts with anomaly detection so blind spots do not become incidents. Role-based reporting: IT, security, and business leaders each see the metrics that matter. Per-agent performance plus logging and eDiscovery to stay audit-ready.

  What we learned

  Define alerts and ROI metrics before go-live, not after. Use the Agent Map to trace every agent-to-data path. Give IT, security, and business their own role-based views.

• 04

  Interoperability

  Agents get the same context as the people they work alongside.

  What it does

  Native M365 access (Word, Excel, SharePoint, Dynamics 365), the same data your users touch. Framework-agnostic: Microsoft, open-source, and third-party agents are first-class. Secure agent-to-agent interop without bespoke plumbing. Three operating modes: delegated and behind-the-scenes are GA; team workflows in preview.

  What we learned

  Grant task-scoped access through the Agent ID, never standing broad rights. Treat interop as a privilege to scope, not a door to leave open. Make OSS and third-party agents first-class, but governed.

• 05

  Security

  Defense in depth, from runtime behavior to the data agents touch.

  What it does

  Defender XDR detects threats and protects agents as they execute. Network-level protection stops prompt injection before it reaches the agent. Purview DSPM for AI, DLP, and sensitivity labels guard against oversharing. Insider risk and audit: detect, retain, and investigate risky agent interactions.

  What we learned

  Layer runtime + network + data controls. One guardrail is not enough. Assume the agent is a target and plan blast-radius containment. Use Purview DSPM/DLP to catch oversharing before it ships.

• 01

  Manage agents like a workforce

  Onboard, assign an owner, and offboard. No ownerless agents.

• 02

  Identity-first, least privilege

  A unique Agent ID per agent, scoped to its task. Templates enforce the baseline.

• 03

  Discover before you govern

  Switch on shadow-AI discovery early. Quarantine, then bring the rest under policy.

• 04

  Instrument for observability

  Define alerts and ROI metrics at launch. Watch agent-to-resource paths.

• 05

  Layer your defenses

  Runtime + network + data controls together. Assume compromise.

• 06

  Reuse the trust fabric

  Extend Entra, Defender, and Purview. Do not rebuild governance.

• 01

  Crawl

  Discover & inventory

  • Enable registry + shadow-AI discovery
  • Baseline every agent and its owner
  • Quarantine the unsanctioned
• 02

  Walk

  Govern

  • Apply policy templates and least privilege
  • Adaptive Conditional Access via Entra
  • Stand up dashboards and alerts
• 03

  Run

  Secure & scale

  • Runtime + prompt-injection defense
  • Purview DLP, labels, and eDiscovery
  • Measure ROI; sync multi-cloud agents

Two enterprise rollouts of Agent 365 from the live deck. Both sourced from Microsoft customer stories published at Microsoft Ignite 2025.

• Biotechnology & R&D Amgen

  From concept to a governed R&D agent in just six weeks.

  The challenge

  Speed up drug research without adding new governance or security risk.

  The agent

  An R&D agent that mines research data and drafts scientific insights.

  Governed by Agent 365

  A unique Entra Agent ID, least-privilege access, and full auditability.

  6 weeks

  From idea to a production-ready, governed agent.

  • Built with Microsoft Copilot Studio
  • Observed and secured end-to-end in Agent 365

  Source: Microsoft customer stories · Microsoft Ignite 2025

• Materials Science Dow

  Reimagining productivity and supply chain with a fleet of agents.

  The challenge

  Scale agents across global operations without losing oversight.

  The agent

  Productivity and supply-chain agents working alongside employees.

  Governed by Agent 365

  One control plane to observe, secure, and measure the whole fleet.

  Millions

  In targeted cost savings across global productivity and supply chain.

  • Powered by Microsoft 365 Copilot and agents
  • Every agent carries a governed identity

  Source: Microsoft customer stories · Microsoft Ignite 2025

• 01

  Visibility is the prerequisite

  You cannot govern or secure what you cannot see. Start with discovery and a single registry.

• 02

  Identity is the control point

  A unique Agent ID with least-privilege access turns ungoverned agents into managed ones.

• 03

  Extend, don't rebuild

  Agent 365 brings agents into Entra, Defender, and Purview, the trust fabric you already run.

• aka.ms/Agent365

  The official Agent 365 home: product, docs, and roadmap.

• Agent Governance Whitepaper

  Microsoft's published guidance on operating agents at enterprise scale. Linked from aka.ms/Agent365.

• This deck (PDF)

  The 17-slide deck from the session, with capability breakdowns and the customer stories.