Microsoft Agent 365 & Enterprise 7: AI Agent Security & Governance Launch May 1st
Microsoft Warns of ‘Double Agent’ AI Risks, Launches Governance Tools
Microsoft is responding to a growing concern: as AI agents become deeply embedded in corporate operations, the risk of those agents being exploited – turned into what the company calls “double agents” – is increasing. To address this, Microsoft has announced the general availability of Agent 365 and Microsoft 365 Enterprise 7, a suite of tools designed to bring security and governance to AI agents operating within organizations. Both products will be available on May 1st, alongside updates to Microsoft 365 Copilot that expand its capabilities and model diversity.
The core of Microsoft’s response is Agent 365, described as the “control plane for agents.” It provides a centralized system for IT, security, and business teams to monitor, govern, and secure AI agents across an enterprise. The pricing for Agent 365 is $15 per user per month. For organizations seeking a comprehensive solution, Microsoft 365 Enterprise 7 bundles Agent 365 with Copilot and advanced security features for $99 per user per month.
The Rise of Ungoverned Agents
The timing of these releases isn’t accidental. Microsoft notes that AI agents have moved beyond experimental phases and are now integral to operational workflows. However, the tools to effectively manage and secure these agents have lagged behind their rapid adoption. According to Microsoft’s Cyber Pulse report, over 80% of Fortune 500 companies are actively using AI agents built with low-code and no-code tools, a figure projected to reach 1.3 billion agents globally by 2028 according to IDC. Microsoft itself currently monitors over 500,000 agents within its own corporate environment, primarily focused on tasks like research, coding, sales intelligence, customer support, and HR functions.
A significant portion of this agent deployment is happening without adequate oversight. Microsoft’s research reveals that 29% of agents in surveyed organizations operate without approval from IT or security teams, and only 47% of organizations employ any security tools to protect their AI deployments. This lack of governance creates a substantial business risk, prompting Microsoft to act proactively.
‘Double Agents’: A New Threat Model
Microsoft has coined the term “double agents” to describe the scenario where AI agents are manipulated – through techniques like prompt injection or model poisoning – to act against the interests of the organization they are intended to serve. Vasu Jakkal, corporate vice president of Microsoft Security, explained in an interview with VentureBeat that while large-scale agent compromises haven’t yet been observed, Microsoft’s AI Red Team has successfully demonstrated how agents can be exploited through simulated attacks. These experiments showed that direct and indirect prompt injections could be used to gain access to unauthorized data. Microsoft’s blog post details the urgency of addressing these vulnerabilities.
The threat extends beyond simple prompt manipulation. Microsoft’s Defender Security Research Team recently uncovered “AI Recommendation Poisoning,” where malicious instructions are embedded within website “Summarize with AI” buttons. When clicked, these prompts attempt to inject persistent commands into an AI assistant’s memory, effectively establishing a backdoor. Researchers identified over 50 such poisoning prompts across 31 companies in 14 industries. They too published research on detecting “sleeper agents” – language models that appear normal but execute malicious code when triggered by specific inputs.
Agent 365: Extending Zero-Trust to AI
Agent 365 is designed to extend Microsoft’s existing zero-trust security framework – which assumes no user or device is inherently trustworthy – to these non-human entities. The platform centers around three key pillars: observability, security, and governance. The observability layer begins with an Agent Registry, a catalog of all agents operating within an organization, regardless of their origin (Microsoft platforms, third-party partners, or custom-built). This registry is accessible through the Microsoft Admin Center and integrated with Defender, Entra, and Purview for security teams.
A new feature, Agent ID, assigns a unique identity to each agent within Microsoft Entra, enabling conditional access policies and least-privilege enforcement. This means agents will only have access to the data and resources they absolutely demand. Data protection capabilities within Purview ensure agents adhere to sensitivity labels and prevent the processing of sensitive information in prompts. Audit and eDiscovery features now treat agents as auditable entities alongside users, and applications.
Jakkal emphasizes that this approach is about extending existing security principles. “We think about security for agents remarkably similar to security for people,” she stated. “You have to protect these agents against threats. You have to secure the data that they’re accessing. You have to secure their access and identity. So extending zero trust to zero trust for AI.” Agent 365 can both observe agent behavior and intervene in real-time, blocking risky agents through the Defender portal.
Microsoft 365 Enterprise 7: An Ambitious Bundle
Microsoft 365 Enterprise 7 represents the company’s most comprehensive AI and security bundle to date. It combines Microsoft 365 E5, Microsoft 365 Copilot, Agent 365, the Microsoft Entra Suite, and advanced security capabilities from Defender, Intune, and Purview. While the $99 per user per month price point is higher than purchasing the components individually (E5 at $57/month, Copilot at $30, and Agent 365 at $15), it offers a streamlined and potentially cost-effective solution for organizations seeking a unified approach to AI governance. Learn more about Microsoft Agent 365 on the official Microsoft website.
This bundling strategy reflects a broader shift in how Microsoft views AI agents – not simply as tools, but as licensed entities akin to human employees. As SiliconANGLE notes, this approach could be both defensive (protecting the Office ecosystem) and offensive (creating a new revenue stream).
Expanding Copilot with Anthropic and OpenAI
The launch of Agent 365 and E7 coincides with Wave 3 of Microsoft 365 Copilot, which introduces greater model diversity. Anthropic’s Claude is now available alongside OpenAI models within Copilot chat. A new feature, Copilot Cowork, developed in collaboration with Anthropic, enables long-running, multi-step work within Microsoft 365. This partnership carries geopolitical implications, as Anthropic recently faced scrutiny from the U.S. Department of Defense over its terms of apply, leading to continued support from companies like Microsoft despite the Pentagon’s concerns. Microsoft Learn provides details on OpenAI Agents.
What Comes Next: A Race to Secure the Agentic Future
Agent 365 and E7 are available starting May 1st, though some capabilities, such as Defender and Purview risk signals, will remain in public preview initially. A runtime threat protection feature is expected to enter preview in April. Microsoft acknowledges that competitors like Palo Alto Networks and CrowdStrike are also developing agentic AI security layers, but argues its integration depth provides a distinct advantage. The critical question remains whether organizations will prioritize and invest in agent governance quickly enough to stay ahead of potential attackers. Many are using this push toward AI as an opportunity to address foundational security gaps, but the asymmetry between the speed of agent creation and the speed of governance remains a significant challenge.