The Microsoft Cloud Blog

Expert insights on Microsoft Azure, Cloud Architecture, and Enterprise Technology

Building Security for Agentic AI: A Strategic Perspective on End-to-End Trust

As agentic AI reshapes the business and security landscape, the stakes for CISOs and technology leaders are rising dramatically. The 35th anniversary of RSAC brings this into sharp relief, as Microsoft’s new announcements reflect both the scale of adoption—80% of Fortune 500 companies now use agents—and the complexity of defending these intelligent systems. In my experience, securing agentic AI is not just about technical controls, but about rethinking governance, visibility, and defence strategies across the entire AI estate.

The Rise of Agentic AI and Its Dual Nature

Agentic AI is moving from experimental deployments to core business operations at remarkable speed. This growth is not limited to automation or analytics; it is now foundational for what Microsoft calls Frontier Firms—organisations that centre their ambitions around intelligence and trust.

Yet, with innovation comes risk. The article highlights a growing concern: agents can become double agents. This is not simply a theoretical risk but a practical challenge as attackers leverage AI’s autonomy and ubiquity to scale their campaigns or undermine trust. I see this as a pivotal moment where security must evolve from an add-on to an intrinsic element woven throughout every layer of the AI stack.

Microsoft’s Vision: Security as a Core Primitive

Microsoft’s strategy for securing agentic AI is grounded in three pillars:

  1. Securing Agents: Direct control and oversight over autonomous agents.

  2. Securing Foundations: Protecting identity, data, and infrastructure underpinning agentic systems.

  3. Defending with Agents and Experts: Augmenting human defenders with intelligent agents embedded in workflows.

Below I examine each pillar through both the lens of Microsoft’s product announcements and broader strategic implications.


Securing Agents: Visibility, Governance, and Control at Scale

Agent 365: The New Control Plane

A key announcement is the general availability of Agent 365 on May 1. Positioned as the control plane for agents, Agent 365 offers IT, security, and business teams unified tools to observe, secure, and govern agents at scale using trusted infrastructure.

  • Integration: Bundled within Microsoft 365 E7 (The Frontier Suite), alongside Microsoft 365 Copilot, Entra Suite, and E5.

  • Capabilities: Extends Microsoft Defender, Entra, and Purview for agent access control, prevention of data oversharing, and defence against emerging threats.

In my view, centralising agent management is essential as organisations move from isolated pilots to scaled deployments. Without this orchestration layer, shadow agents—or unsanctioned automations—can proliferate beyond visibility or effective governance.

Recommendation: Technology leaders should prioritise integrating control planes like Agent 365 early in their agent lifecycle to establish baselines for monitoring usage patterns and enforcing policy before agents become deeply embedded in business processes.


Securing Foundations: Strengthening Identity, Data Protection, and Threat Defence

Gain Visibility into Risks Across Your Enterprise

Rapid AI adoption increases the attack surface in unpredictable ways. New capabilities announced aim to provide comprehensive visibility:

  • Security Dashboard for AI (generally available): Unified insight into AI-related risk.

  • Entra Internet Access Shadow AI Detection (generally available March 31): Network-level identification of unmanaged or unknown AI applications.

  • Enhanced Intune App Inventory (generally available May): Deep inventory of installed apps—including those with embedded AI—for targeted remediation.

In practice, too many organisations lack visibility into how widely generative or agentic AI is already being used by employees. These new tools allow CISOs to discover unmanaged risk pockets before they trigger incidents.

Actionable Insight: Regularly review your app inventory with the enhanced Intune functionality, focusing on unmanaged or high-risk AI-enabled software, so that mitigation actions can be taken swiftly.

Secure Identities with Continuous Adaptive Access

Identity remains the most targeted entry point in enterprise environments. Microsoft Entra introduces several capabilities that harden identity infrastructure:

  • Entra Backup and Recovery (preview): Automated backup of directory objects enables rapid recovery from accidental deletion or unauthorised change.

  • Tenant Governance (preview): Discovery and policy enforcement across shadow tenants in multi-tenant setups.

  • Passkey Capabilities (generally available/preview): Synced passkeys across devices integrated with Windows Hello enable flexible yet phishing-resistant authentication.

  • External MFA Integration (generally available): Support for external multi-factor providers leverages existing investments.

  • Adaptive Risk Remediation (generally available April): Automatic self-remediation during authentication without help-desk involvement.

  • Unified Identity Security Dashboard & Risk Score (preview): Real-time insights spanning human and non-human identities.

From my perspective, continuous adaptive access represents a paradigm shift toward contextual decisions—identity signals inform not just who accesses what but how policies adapt dynamically under attack conditions.

Strategic Implication: Leaders should treat unified identity security dashboards as command centres that break down silos between identity governance teams and incident responders. This accelerates detection-to-response cycles for identity-based threats.

For further details on Entra’s capabilities relevant to these strategies, see Microsoft Entra ID.

Safeguard Sensitive Data Across AI Workflows

With sensitive information traversing prompts and responses at unprecedented speeds within generative workflows, traditional DLP solutions can fall short. Microsoft Purview steps up with:

  • Expanded Data Loss Prevention for Copilot (generally available March 31): Prevents sensitive data like PII or credit card numbers from being ingested by Copilot prompts or web grounding routines.

  • Purview Embedded in Copilot Control System (generally available April): Unifies data risk views directly within the Microsoft 365 Admin Centre.

  • Customisable Data Security Reports (preview March 31): Tailored reporting enables more nuanced risk prioritisation.

I believe embedding data protection directly into the AI control plane marks an important evolution—policies must operate at machine speed if they are to keep pace with automated decision-making.

Recommendation: Regularly audit prompt inputs/outputs where Copilot or other generative tools interact with sensitive datasets using Purview’s advanced reporting features.
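The prompt-gating behaviour described above (stopping card numbers and PII before they reach a model or a web-grounding step, while keeping an audit trail) can be illustrated with a small pre-prompt DLP check. This is an added example, not Purview’s code; the detector patterns, the Luhn filter and the sample prompt are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order/reference numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class DlpDecision:
    allowed: bool
    redacted_prompt: str
    findings: list = field(default_factory=list)  # audit trail for later review


def scan_prompt(prompt: str, block_on_card: bool = True) -> DlpDecision:
    """Gate a prompt before it reaches the model or any web-grounding call.

    Luhn-valid card numbers block the prompt (or are redacted when block_on_card
    is False); e-mail addresses are redacted and logged but do not block.
    """
    findings = []
    redacted = prompt
    for m in CARD_RE.finditer(prompt):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("credit_card", digits[-4:]))  # log last four digits only
            redacted = redacted.replace(m.group(), "[CARD REDACTED]")
    for m in EMAIL_RE.finditer(prompt):
        findings.append(("email", m.group()))
        redacted = redacted.replace(m.group(), "[EMAIL REDACTED]")
    blocked = block_on_card and any(kind == "credit_card" for kind, _ in findings)
    return DlpDecision(allowed=not blocked, redacted_prompt=redacted, findings=findings)


# Constructed sample prompt (not real data): 4111 1111 1111 1111 is a Luhn-valid test
# number; the 14-digit reference fails Luhn and must not be reported as a card.
SAMPLE = "Summarise the dispute for card 4111 1111 1111 1111 raised by ana@example.com; ref 12345678901234."

if __name__ == "__main__":
    decision = scan_prompt(SAMPLE)
    print("allowed:", decision.allowed, "findings:", decision.findings)
    print(decision.redacted_prompt)
```

The findings list is what an auditor would review; storing only the last four digits keeps the log itself from becoming a new sensitive-data store.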


Defending Against Threats Using Agents and Experts

Proactive Threat Defence Across Endpoints and Cloud

The threat landscape is evolving alongside agentic capabilities:

  • Entra Internet Access Prompt Injection Protection (generally available March 31): Blocks malicious prompts at the network level across apps/agents.

  • Defender for Cloud Container Security Enhancements (preview): Binary drift detection plus antimalware close gaps exploited by attackers in containerised workloads.

  • Defender Posture Management Expansion (preview April): Adds coverage/support for AWS/GCP environments.

  • Defender Predictive Shielding (preview): Dynamically adjusts identity/access policies during active attacks to limit blast radius automatically.

This expansion reflects an understanding that cloud-native applications—and now multi-cloud deployments—are integral parts of modern attack surfaces. Predictive shielding stands out as it moves towards autonomous response during live incidents rather than relying solely on post-facto investigation.

Actionable Insight: Embed predictive shielding capabilities early, especially if your organisation operates across hybrid cloud environments that include AWS or GCP endpoints covered by the Defender posture management enhancements (see Microsoft Defender for Endpoint).


Defend With Agents Embedded Into Daily Operations

Security teams are under strain from alert fatigue; embedding intelligent agents directly in workflows can reduce manual effort:

  • Security Analyst Agent in Defender (preview March 26): Provides contextual analysis/guided investigation workflows.

  • Security Alert Triage Agent in Defender (preview April): Automates triage/resolution across phishing/cloud/identity alerts.

  • Conditional Access Optimisation Agent in Entra: Context-aware recommendations with phased rollout options.

  • Data Security Posture & Triage Agents in Purview: Credential scanning/proactive exposure detection plus improved alert triage via advanced reasoning layers.

  • Over fifteen partner-built agents extend Security Copilot via the Security Store as well.

These enhancements reflect a recognition that human defenders need assistive automation not only to respond faster but also to focus their energy on higher-order threats rather than repetitive, low-value tasks. In my opinion, this will be critical as threat volumes continue to increase alongside the adoption of autonomous IT operations platforms.


Orchestrating Defence With Sentinel Platform Extensions

To unify defence efforts across growing complexity:

  • Sentinel Data Federation via Fabric: Investigate external data sources while preserving governance controls.

  • Playbook Generator with Natural Language Orchestration: Automate complex investigations/workflows more intuitively.

  • Granular Delegated Administration/Unified Role-Based Access: Secure multi-org collaboration at scale.

  • Other Sentinel features, such as custom graphs powered by Fabric and a Model Context Protocol (MCP) entity analyser, further address organisation-specific needs through natural-language acceleration.

Scaling incident response becomes much more feasible when defenders can orchestrate context-aware actions across domains without jumping between consoles or re-ingesting data unnecessarily.


Applying Zero Trust Principles Across The Full AI Lifecycle

Zero Trust principles—verify explicitly, use least privilege, assume breach—are foundational, yet they take on heightened importance when applied throughout the model training, data ingestion and agent behaviour lifecycles rather than only at network boundaries or user endpoints.

At RSAC 2026, Microsoft is extending its Zero Trust reference architecture specifically to agentic AI scenarios, alongside workshops, tools and patterns that offer practical implementation guidance. In my judgement this will be invaluable, as many organisations still struggle to translate Zero Trust theory into operational reality, especially given the fluid nature of generative models’ interactions with enterprise data assets.


Conclusion: From Reactive Controls to Autonomous Defence Ecosystems

The announcements leading into RSAC 2026 underscore a decisive pivot—from isolated controls towards ambient autonomous security architectures built natively around agentic operations. In practical terms this means:

  1. Establishing unified control planes like Agent 365 before proliferation outpaces governance ability

  2. Leveraging adaptive identity/data protection measures that respond dynamically rather than statically

  3. Embedding defence agents directly into daily workflows while orchestrating cross-domain response through platforms like Sentinel

  4. Applying Zero Trust not just at access points but throughout every stage of model/data/agent lifecycles

For technology leaders navigating this transition, I recommend prioritising architectural choices that reinforce visibility first, then layering adaptive policy enforcement mechanisms that learn and evolve alongside your own agent deployments. Above all, treat trust—not just compliance—as your north star when balancing innovation against resilience imperatives in an increasingly autonomous world.

Source article


Richard Hogan

Cloud Solutions Architect | Microsoft Azure Expert

Richard is a Cloud Solutions Architect with 20+ years of experience in enterprise technology. He specializes in Microsoft Azure, cloud migration strategies, infrastructure automation, and enterprise architecture. Richard is the founder of The Microsoft Cloud Blog and co-host of the Cloudy with a Chance of Insights podcast. Regular speaker at tech conferences and active contributor to the Microsoft Tech Community.
