Microsoft used Build 2026 to expand Agent 365 from a registry and monitoring tool into a full governance control plane for AI agents, regardless of which framework built them. The product, generally available since May 1, now extends Entra ID, Defender, and Purview into what Microsoft positions as the permission layer enterprises need before deploying autonomous agents at scale.
Three Policy Categories
Windows News reported that Build 2026 introduced an enforcement framework called AI Agent Guardrails with three policy categories. Scope policies limit which data sources, APIs, and communication channels an agent can access. Action policies control whether an agent can send email, modify records, or trigger workflows without human approval, with the default for all new agents set to read-only. Audit policies capture every agent decision, including reasoning chains and data accessed, in Purview logs with immutable chain of custody.
Satya Nadella framed the stakes during the opening keynote: “Every agent is a user with superpowers. If we don’t govern them like users, we’re building a permission escalator straight to our crown jewels,” according to Windows News.
Agent Identity Perimeter
The most architecturally significant addition is what Microsoft calls Agent Identity Perimeter, a new Entra ID capability that extends Conditional Access to agent-initiated actions. Every time an agent touches a resource, Entra ID evaluates context: the agent’s current risk level, resource sensitivity, and action type, then grants or denies access in real time.
Alex Weinert, Director of Identity Security, demonstrated how an agent reading payroll data at 3 a.m. would trigger a step-up authentication challenge to a human manager. Three new Conditional Access conditions shipped for agent workloads: agent risk level (integrated with Defender for Cloud Apps signals), resource sensitivity (tied to sensitivity labels on SharePoint sites, Teams channels, and API endpoints), and action type (distinguishing read-only operations from destructive actions like delete, send, or publish), as detailed by Windows News.
Microsoft says the entire evaluation takes less than 80 milliseconds per action.
Cross-Framework Compatibility
Agent 365 operates independently from the underlying agent framework. ECI Research’s analysis noted that instead of each agent system (LangChain, OpenClaw, Anthropic SDK, CrewAI) maintaining its own permission model, Agent 365 sits above them and enforces organization-wide policy. The approach means enterprises can deploy agents from multiple frameworks without rebuilding governance for each one.
Microsoft also open-sourced two supporting projects at Build: ASSERT for safety evaluation and the Agent Control Specification for standardizing how controls are applied in the agent loop, according to ECI Research.
Lifecycle Management
Agent 365 also addresses orphaned agent risk. When an employee leaves a company, any agents they owned or delegated permissions to are automatically suspended and flagged for review by the manager. Role-based access control for agents shipped in public preview, allowing an HR agent to have read-only access to employee records while a finance agent gets write permissions to expense reports, governed through Entra ID application roles and privileged identity management for just-in-time elevation.
The Platform Consolidation Bet
Agent 365 requires Microsoft E5 as a prerequisite and is licensed on a per-user basis. ECI Research’s 2025 AI Builder Summit survey found that two-thirds of enterprise AI leaders have already implemented multi-agent collaboration in live or pilot workflows, meaning governance tooling is an active operational requirement rather than a future concern. For organizations already running M365 and Azure, Agent 365 creates a governance moat: agents built on Microsoft infrastructure get policy enforcement bundled in. For teams running OpenClaw, LangChain, or CrewAI on AWS or GCP, the cross-framework compatibility will determine whether Agent 365 becomes the default control plane or a Microsoft-ecosystem feature.