AI agents are already running in your environment. Some were deployed intentionally: a Copilot in Teams, a Copilot Studio automation connected to your helpdesk queue. Others arrived without anyone’s permission. Employees are installing OpenClaw and Claude Code directly on managed laptops. SaaS vendors are spinning up agent backends connected to your data.
Microsoft’s answer to this problem is Agent 365, which hit general availability on May 1, 2026. It’s positioned as a control plane for agent sprawl, giving IT and security teams a single place to observe, govern, and secure agents regardless of where they run or who built them. If you’re managing an M365 environment and you haven’t started evaluating this yet, here’s what you need to know.
What Agent 365 Actually Does
The core pitch is applying the same kind of visibility you have over devices and identities to agents. Agent 365 lives in the Microsoft 365 admin center and covers three distinct agent classes:
- Delegated-access agents that act on behalf of a user (GA)
- Autonomous agents with their own credentials that operate behind the scenes without a human in the loop (GA)
- Team-workflow agents that participate in collaborative workflows using their own identity (public preview)
The distinction matters because most governance thinking today focuses only on the first type. The harder problem is agents running with their own service principals, calling APIs on a schedule that no one is actively watching, and modifying data without a user in the loop. Agent 365 extends coverage to all three patterns.
Beyond inventory, Agent 365 connects to Microsoft Defender and Intune to provide network-level controls. Through Entra’s network policies, you can restrict which destinations agents are allowed to reach and block prompt-injection-style attacks before they reach the agent runtime.
Shadow AI Discovery: The Feature That Will Change Your Endpoint Strategy
The most immediately actionable capability in this release is shadow AI discovery. Microsoft is using Defender and Intune to detect local AI agents running on Windows endpoints, starting with OpenClaw and expanding soon to GitHub Copilot CLI and Claude Code.
The operational workflow: if an employee downloads and runs OpenClaw on a managed device, that activity surfaces in a new Shadow AI page in both the M365 admin center and the Intune admin center. From there, you can push a policy to block the common execution paths for OpenClaw across your managed fleet.
In June 2026, Microsoft Defender will add asset context mapping for each discovered agent. You’ll get a relationship map showing which devices an agent runs on, which MCP servers it has configured, which identities it’s associated with, and which cloud resources those identities can reach. For a security team trying to scope the blast radius of a compromised local agent, this is exactly the data you need.
A few caveats worth knowing before you plan around this. The current scope is narrow. OpenClaw support is live today. Claude Code and GitHub Copilot CLI are listed as “expanding soon” but aren’t available yet, so if those are already deployed in your org you don’t have full coverage. The context mapping and policy-based runtime blocking features are also public preview in June 2026, not today. Factor that into any roadmap commitments.
Security Copilot Agents: Where the Measurable ROI Is
Security Copilot is included in Microsoft 365 E5 and E7 at no additional cost as of this release, which removes the pricing friction that slowed early adoption. Here’s where the real value is right now.
Phishing Triage Agent
This is the most mature agent in the portfolio and has the strongest published evidence. In an independent randomized controlled study, analysts using the Phishing Triage Agent triaged alerts 78% faster, produced 77% more accurate verdicts, and caught 6.5 times more malicious emails compared to manual review.
St. Luke’s University Health Network reports the agent saves their security team more than 200 hours every month. That’s not a marginal improvement. It’s a meaningful portion of a full-time analyst’s capacity being redirected to work that requires human judgment.
The agent is now expanding to cover identity and cloud alerts in Defender, not just phishing. Cloud alert volume is typically where SOC teams hit their capacity ceiling, so this extension matters for teams already stretched thin.
Conditional Access Optimization Agent
This agent lives in Entra and continuously analyzes your Conditional Access policies against Zero Trust baselines. In controlled productivity studies, identity admins completed policy-related tasks 43% faster and 48% more accurately when using the agent compared to working manually.
The new capabilities announced at RSA 2026 are worth noting for practical deployment. Business-context-aware recommendations and phased rollout support for new policies are now included. If your Conditional Access configuration has accumulated years of layered exceptions (most enterprise tenants have this problem), the agent can surface those gaps systematically rather than waiting for a quarterly audit to catch them.
Vulnerability Remediation Agent
This runs in Intune and continuously detects new vulnerabilities as threat intelligence updates come in. One CTO at a renewable energy company described what was previously a two-week remediation process becoming a two-minute process. That level of compression changes how security and endpoint teams budget their time.
Security Analyst Agent
New as of RSA 2026, this agent performs deep multi-step investigations across Defender and Sentinel telemetry. It can analyze up to approximately 100MB of security data to surface anomalies and high-impact threats. You can interact with it via chat to explore hypotheses and follow threads through the data.
This is the agent most likely to matter for security teams that don’t have dedicated threat hunters. It brings investigative depth to teams that couldn’t previously staff for it.
Cross-Cloud Agent Inventory: AWS and Google
Agent 365 Registry Sync with AWS Bedrock and Google Cloud connections is now in public preview. IT teams can automatically discover and inventory cloud agents running on those platforms and see them alongside Microsoft-native agents in a single registry.
Lifecycle governance, meaning the ability to start, stop, and delete agents across platforms, is listed as coming soon. What you have today is visibility, not control. For organizations already using multi-cloud AI pipelines, a single inventory view across clouds is still useful even before the governance controls arrive.
The practical implication for large enterprises: enable this now. The sooner Agent 365 starts building an inventory of your cloud agents, the more useful that data will be when the governance controls ship.
Windows 365 for Agents: Managed Compute for Agentic Workloads
This piece of the announcement has gotten less attention than it deserves. Windows 365 for Agents (public preview, US only) is a new class of Cloud PC built specifically for agents, not employees. It’s a policy-controlled compute environment where agents can interact with applications, use identities, and run tasks under the same Intune management controls applied to human devices.
The use case: if you’re deploying autonomous agents that need to interact with Windows applications or access internal systems, you previously had limited options for governing that compute. Windows 365 for Agents gives you Intune-managed, Entra-joined cloud VMs purpose-built for this workload. Agent 365 provides observation from the M365 admin center.
Most organizations right now are handling this with ad hoc service accounts and scripts that nobody clearly owns. This is a more defensible approach.
Ecosystem and Partner Coverage
The Security Store now has more than 70 partner-built agents. Agent 365 itself supports agents from Genspark, Zensai, Egnyte, Zendesk, Kasisto, Kore.ai, and n8n without custom integration work from your IT team. When those vendors have joined the partner program, the governance layer is already wired up.
For enterprise services support, Microsoft has partnered with Accenture, KPMG, Capgemini, Deloitte, EY, and others who offer structured onboarding engagements. The typical scope covers agent inventory and ownership mapping, least-privilege enforcement, compliance configuration, and ongoing lifecycle management.
Pricing and Licensing
Agent 365 is available standalone at $15 per user per month, or it’s included in Microsoft 365 E7. The per-user license covers individuals who manage agents, sponsor agent deployments, or use agents acting on their behalf.
One nuance to discuss with your Microsoft rep: the $15/seat covers the governance layer, not the underlying compute for agents. Windows 365 for Agents carries its own compute costs. If you’re planning high-volume autonomous agents, model the full cost stack before committing to a deployment architecture.
What to Do This Week
For most IT and security teams, the practical starting point is enabling shadow AI discovery through Defender and Intune. Even if you’re not ready to block anything yet, an accurate inventory of what AI agents are running on your endpoints is valuable input for security planning decisions you’re already making.
The second step is enabling Security Copilot agents for your SOC if you have an E5 or E7 license. Start with the Phishing Triage Agent. It has the clearest operational impact and the lowest disruption risk to existing workflows.
If you’re building or managing Copilot Studio automations or internal agentic workflows, connect to Agent 365 now and start building that inventory. The governance controls are getting more capable with each monthly update.
The June 2026 updates to context mapping and policy-based agent controls in Defender and Intune are worth calendaring a review for. Teams that have already completed the Agent 365 onboarding will be positioned to act immediately when those capabilities land.
The Coverage Gap Nobody Talks About
Agent 365 is only as good as the agents it can see. Microsoft-native agents have solid coverage today. Local agent discovery is starting with OpenClaw and expanding. Cross-cloud registry sync is in preview.
What’s missing: large categories of agentic automation that won’t appear in the Agent 365 inventory anytime soon. Custom Python scripts running as service accounts. Browser automation through RPA tools. Third-party AI APIs called directly from application code. None of that surfaces in Agent 365 until those vendors build integrations or Microsoft adds detection rules for those execution patterns.
The platform is the right direction. The coverage gaps are real and will take time to close. Treat Agent 365 as one layer of an agent governance strategy. Pair it with service account hygiene and regular reviews of API key permissions in your cloud environments.
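One way to run the service account and API key review described above, as an added example that is not Microsoft's tooling or part of Agent 365. The inventory records, field names, scope strings and thresholds are constructed assumptions; map them to whatever your identity provider or cloud console actually exports.

```python
from datetime import date

# Constructed sample inventory. Field names and scope strings are hypothetical,
# not an Agent 365, Entra or cloud-provider export format.
INVENTORY = [
    {"name": "svc-helpdesk-bot", "owner": "alice@example.com",
     "key_created": "2026-03-10", "last_used": "2026-05-02",
     "scopes": ["tickets.read", "tickets.write"]},
    {"name": "svc-report-script", "owner": None,
     "key_created": "2024-01-15", "last_used": "2026-04-30",
     "scopes": ["files.read.all"]},
    {"name": "svc-old-rpa", "owner": "bob@example.com",
     "key_created": "2025-11-01", "last_used": "2025-12-01",
     "scopes": ["mail.send", "directory.readwrite.all"]},
]

REVIEW_DATE = date(2026, 5, 15)   # fixed so the sample output is reproducible
MAX_KEY_AGE_DAYS = 180            # assumed rotation policy
MAX_IDLE_DAYS = 90                # assumed "nobody is using this" threshold
BROAD_SUFFIXES = (".all", "*")    # assumed marker for tenant-wide scopes


def review_account(acct, today):
    """Return a list of hygiene findings for one service account record."""
    findings = []
    if not acct.get("owner"):
        findings.append("no-owner")
    key_age = (today - date.fromisoformat(acct["key_created"])).days
    if key_age > MAX_KEY_AGE_DAYS:
        findings.append(f"key-age:{key_age}d")
    last_used = acct.get("last_used")
    if last_used is None:
        findings.append("never-used")
    elif (today - date.fromisoformat(last_used)).days > MAX_IDLE_DAYS:
        findings.append(f"idle:{(today - date.fromisoformat(last_used)).days}d")
    broad = sorted(s for s in acct.get("scopes", [])
                   if s.lower().endswith(BROAD_SUFFIXES))
    if broad:
        findings.append("broad-scope:" + ",".join(broad))
    return findings


def review_inventory(inventory, today):
    """Map account name to findings, keeping only accounts that need attention."""
    report = {a["name"]: review_account(a, today) for a in inventory}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, REVIEW_DATE).items():
        print(f"{name}: {', '.join(findings)}")
```

Accounts that come back with both no-owner and a broad scope are the ones to chase first, since they match the unowned scripts this section says Agent 365 will not surface.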