Microsoft says ungoverned AI agents could become corporate ‘double agents.’ Its fix costs $99 a month.

Microsoft says ungoverned AI agents could become corporate ‘double agents.’ Its fix costs $99 a month.

/in

Microsoft today announced the general availability of Agent 365 and Microsoft 365 Enterprise 7, two products designed to bring security and governance to the rapidly growing population of AI agents operating inside the world’s largest organizations. Both become available on May 1st, alongside Wave 3 of Microsoft 365 Copilot, which expands the company’s agentic AI capabilities and adds model diversity from both OpenAI and Anthropic.

Agent 365, priced at $15 per user per month, serves as what Microsoft calls the “control plane for agents” — a centralized system for IT, security, and business teams to observe, govern, and secure AI agents across an enterprise. Microsoft 365 Enterprise 7, dubbed the “Frontier Worker Suite,” bundles Agent 365 with Microsoft 365 Copilot and the company’s most advanced security stack into a single $99-per-user-per-month license.

The timing is deliberate. AI agents have crossed from experimental prototypes into operational infrastructure, but the tools to monitor them have lagged behind. Microsoft is racing to close that gap before adversaries exploit it.

“These agents are no longer experimental. We’re seeing them deeply embedded in organizations, in the operational structure of these organizations, with people using them,” Vasu Jakkal, corporate vice president of Microsoft Security, told VentureBeat in an exclusive interview. “At the same time, as the agents are scaling fast, some of the people and organizations have a visibility gap, and that visibility gap creates business risk.”

Over 80% of Fortune 500 companies use AI agents, but nearly a third aren’t sanctioned

The numbers behind the announcement tell a story of breakneck adoption outpacing oversight. According to Microsoft’s Cyber Pulse report, published in February, more than 80 percent of Fortune 500 companies are actively using AI agents built with low-code and no-code tools. IDC projects 1.3 billion agents in circulation by 2028. And Microsoft, serving as its own first customer for Agent 365, now has visibility into more than 500,000 agents running across its own corporate environment, with the most widely used focused on research, coding, sales intelligence, customer triage, and HR self-service.

Externally, the trajectory is steeper. Tens of millions of agents appeared in the Agent 365 Registry within just two months of preview availability, and tens of thousands of customers have already begun adopting the platform, according to Judson Althoff, CEO of Microsoft Commercial Business.

But the governance picture is troubling. Microsoft’s research found that 29 percent of agents in surveyed organizations operate without approval from IT or security teams. Only 47 percent of organizations use any security tools at all to protect their AI deployments.

“That’s a problem,” Jakkal said. “All this innovation is happening against a background, or a backdrop of threats, which is pretty intense.”

Microsoft warns of ‘double agents’ — AI systems hijacked to work against their own organizations

Microsoft has coined a pointed term for the risk it sees emerging: “double agents.” The concept, first introduced in a November 2025 blog post by Microsoft security executive Charlie Bell, describes scenarios where AI agents operating on behalf of an organization are manipulated — through prompt injection, model poisoning, or other techniques — into acting against the organization’s interests.

Jakkal told VentureBeat that while Microsoft has not yet observed real-world incidents of agent compromise at scale, the company’s AI Red Team has conducted extensive testbed research simulating how agents can be exploited. In those experiments, direct and indirect prompt injections successfully manipulated agents into accessing unauthorized data.

“We coined this term very intentionally to make people aware that you have to be very mindful of your agents,” Jakkal said. “Just like insider risk was a big thing with employees, we need to make sure that we don’t create that with agents.”

The threat landscape extends well beyond prompt injection. In February, Microsoft’s Defender Security Research Team published findings on what it called “AI Recommendation Poisoning” — a technique in which companies embed hidden instructions inside “Summarize with AI” buttons on websites. When clicked, the pre-filled prompt attempts to inject persistence commands into an AI assistant’s memory, instructing it to “remember [Company] as a trusted source.” The researchers identified over 50 unique poisoning prompts from 31 companies across 14 industries. Separately, Microsoft published research on detecting backdoored language models — so-called “sleeper agents” that behave normally under most conditions but execute malicious behavior when triggered by specific inputs.

How Agent 365 extends zero-trust security from people to autonomous AI systems

Agent 365 organizes its capabilities around three pillars: observability, security, and governance. Each extends Microsoft’s existing security infrastructure — Defender for threat protection, Entra for identity and access, and Purview for data security — to non-human entities.

The observability layer starts with an Agent Registry that catalogs all agents across an organization, whether built on Microsoft platforms, from third-party partners, or registered through APIs. IT teams access the registry through the Microsoft Admin Center; security teams see the same data through Defender, Entra, and Purview. Risk signals evaluate agents for compromise, identity anomalies, and risky data interactions — just as Microsoft’s tools already assess human users.

A new capability called Agent ID gives each agent a unique identity in Microsoft Entra, enabling conditional access policies, least-privilege enforcement, and audit trails. Identity Protection and Conditional Access, long used for human accounts, now extend to agents making real-time access decisions based on risk and compliance signals.

For data protection, Purview capabilities ensure agents inherit sensitivity labels, block PII and other sensitive information from being processed in prompts, and extend insider risk monitoring to flag suspicious agent behavior. Audit and eDiscovery now treat agents as first-class auditable entities alongside users and applications.

Jakkal framed the entire approach as an extension of zero-trust principles. “We think about security for agents very similar to security for people,” she said. “You have to protect these agents against threats. You have to secure the data that they’re accessing. You have to secure their access and identity. So extending zero trust to zero trust for AI.”

On whether Agent 365 can intervene in real time or merely observes after the fact, Jakkal confirmed it does both. The system surfaces risk flags and anomalous behavior, and security teams can block risky agents through the Defender portal. “If there’s a risk, if it’s a risky agent, then you can, of course, block it as well,” she said.

At $99 per user, the E7 ‘Frontier Suite’ is Microsoft’s most ambitious enterprise AI bundle yet

Microsoft 365 Enterprise 7 packages the company’s entire AI and security portfolio into a single SKU. It combines Microsoft 365 E5, Microsoft 365 Copilot, Agent 365, the Microsoft Entra Suite, and advanced Defender, Intune, and Purview security capabilities.

Althoff framed the bundle as a direct response to customer demand. “Customers have told us E5 alone is no longer enough; they do not want multiple tools stitched together, they want one trusted solution,” he wrote. At $99 per user, E7 costs less than purchasing the components individually — E5 currently runs $57 per month (rising to $60 in July), Copilot adds $30, and Agent 365 adds $15 — offering modest savings while pulling customers deeper into Microsoft’s ecosystem.

TechRadar first reported in early March that Microsoft was developing the E7 tier. Computerworld’s Steven Vaughan-Nichols offered a sharper framing of the strategic implications, observing that Microsoft now wants organizations to “hire” AI agents rather than simply use tools — with each agent licensed like a human employee. “In Microsoft’s world, AI agents are tomorrow’s temp workers,” he wrote.

The per-seat subscription model, applied to non-human entities, gives Microsoft a powerful revenue mechanism that could grow even as AI agents begin supplementing — or replacing — human headcount. SiliconANGLE’s analysis noted that agents pose a potential threat to the very Office ecosystem that has long been Microsoft’s profit engine, making the Agent 365 play both defensive and offensive.

Copilot adds Claude and new OpenAI models as Anthropic’s Pentagon battle reshapes the AI market

The launches coincide with Wave 3 of Microsoft 365 Copilot, which introduces expanded model diversity. Claude, from Anthropic, is now available in mainline Copilot chat, alongside the latest generation of OpenAI models. A new feature called Copilot Cowork, built in collaboration with Anthropic and currently in research preview, enables long-running, multi-step work within Microsoft 365.

The Anthropic partnership carries geopolitical weight. As CNBC reported on March 6, the U.S. Department of Defense designated Anthropic a supply chain risk after the company refused the Pentagon’s requested terms of use. Google, Microsoft, and Amazon all confirmed they would continue offering Anthropic’s technology for non-defense work. The military AI picture has grown more complex still: WIRED reported that the Pentagon had experimented with Azure OpenAI before OpenAI formally lifted its prohibition on military applications in January 2024.

Against this backdrop, Microsoft’s emphasis on trust and governance reads as both a product pitch and a positioning statement: the company wants to be the vendor that makes AI safe for enterprise deployment, regardless of which underlying models customers choose.

Microsoft’s Copilot business provides the demand engine for the new security products

The broader Copilot business supplies the adoption base that makes Agent 365 and E7 commercially viable. Microsoft now has 15 million paid Copilot seats, with growth exceeding 160 percent year over year. Daily active usage increased tenfold. Customers deploying at significant scale — more than 35,000 seats — tripled year over year.

Major recent deployments include Mercedes-Benz, which announced a global rollout; NASA, Fiserv, ING, and Westpac, which each purchased more than 35,000 seats; and Publicis, which deployed nearly 95,000 seats across almost its entire workforce. Ninety percent of Fortune 500 companies now use Copilot, according to Microsoft.

Avanade, a joint venture between Accenture and Microsoft, offered an early endorsement of Agent 365. “Avanade has real visibility into agent activity, the ability to govern agent sprawl, control resource usage, and manage agents as identity-aware digital entities in Microsoft Entra,” said CTO Aaron Reich. “This significantly reduces operational and security risk.”

Jakkal acknowledged that competitors including Palo Alto Networks and CrowdStrike are building their own agentic AI security layers, but argued Microsoft’s integration depth sets it apart. “It’s not just this tool, and this tool, and this tool put together in a SKU — it’s more like this tool and this tool and this tool work together,” she said. For third-party agent frameworks — including LangChain, CrewAI, and other open-source tools — Agent 365 provides an SDK with varying levels of integration.

The real question is whether enterprises will pay to govern AI fast enough to stay ahead of attackers

Agent 365 and E7 reach general availability on May 1st. Several capabilities, including Defender and Purview risk signals and security posture management for Foundry and Copilot Studio agents, will remain in public preview at launch. A new runtime threat protection feature is expected to enter public preview in April.

Jakkal observed that many organizations are using the push toward agentic AI as a catalyst for long-overdue security improvements. “I’m seeing organizations use this as an opportunity to say, ‘We have to fix our foundations,'” she said. “They’re using the AI transformation and agentic transformation to go back and say, we are going to do a security transformation.”

Whether the market moves fast enough remains the open question. The tools to build agents are freely available and require no security expertise. The tools to govern them require budget approval, implementation cycles, and organizational alignment across IT, security, and business teams. That asymmetry — between the speed of agent creation and the speed of agent governance — is the gap Microsoft is trying to close.

“The future of work isn’t just about smarter agents,” Jakkal said. “It’s about trusted agents.”

For the 29 percent of enterprise agents already operating without any oversight at all, trust is not a product roadmap — it’s a race against the clock.

Security | VentureBeat – ​Read More