Microsoft flipped Agent 365 to general availability on May 1, 2026, four days ago. The product, first announced at Ignite in November 2025, is now a shipping control plane that lets enterprise IT teams discover, govern, and block AI agents running across Windows endpoints, Microsoft’s cloud, AWS Bedrock, and Google Cloud. Priced at $15 per user per month or bundled in the new Microsoft 365 E7 suite, Agent 365 represents Microsoft’s most direct move yet to position itself as the governance layer for the entire agent ecosystem, not just its own.
The headline capability: Agent 365, powered by Microsoft Defender and Intune, can now detect OpenClaw agents running on managed Windows devices and enforce blocking policies against them. Microsoft plans to expand local agent detection to 18 agent types by June 2026, including GitHub Copilot CLI and Claude Code.
The Shadow AI Problem Microsoft Is Selling Against
“Most enterprises are trying to figure out how to harness the potential of autonomous agents,” David Weston, Corporate Vice President of AI Security at Microsoft, told VentureBeat in an exclusive interview. “They’re trying to find a balance between what we call YOLO, just let anything run, and ‘oh no,’ where nothing works at all.”
The framing is deliberate. Microsoft is defining a new enterprise security category called “shadow AI,” distinct from the shadow IT problem that drove cloud access security brokers a decade ago. Shadow AI, in Microsoft’s telling, refers to autonomous agents that employees install on their own devices without IT approval. These agents invoke tools, access sensitive data, chain together with other agents, and take actions on behalf of users.
According to Weston’s VentureBeat interview, Microsoft is already observing three categories of security incidents across its enterprise customer base:
-
Exposed MCP servers. Developers connect agents to backend systems and inadvertently expose sensitive infrastructure to the internet without authentication. “A canonical thing we’re seeing a lot across the board is these MCP servers that are then being connected to a sensitive back end system and then exposed unauthenticated to the internet,” Weston said. “That can lead to PII or data leaks.”
-
Cross-prompt injection. Attackers embed malicious instructions in data sources (tickets, wikis, websites) that agents ingest during normal operation. Weston described this as less common but higher impact when it occurs.
-
DLP systems that don’t understand agents. Data loss prevention tools designed for human access patterns fail to account for agentic access, exposing sensitive data to downstream vendors and unauthorized parties.
What Agent 365 Actually Does at GA
The Microsoft Security Blog announcement breaks Agent 365 into three pillars: observe, govern, secure.
Observe means a centralized registry of every agent operating within the environment. Each agent gets a record with metadata including its publisher, platform, ownership, permissions from Microsoft Graph, data access, tools access, security certifications, and usage activity. The Tech Community walkthrough describes an “agents map view” that visualizes agent-to-agent dependencies and cross-platform relationships.
Govern means lifecycle controls. IT admins can install, publish, block, unblock, delete, or reassign ownership of agents from the registry. Distribution controls determine which agents reach which users. At GA, Agent 365 supports three agent categories: agents with delegated user access (GA), agents operating with their own credentials behind the scenes (GA), and agents participating in team workflows with their own access (public preview).
Secure means Defender integration for threat detection and Intune for policy enforcement. This is where the OpenClaw-specific capabilities live.
The OpenClaw Detection Mechanism
For organizations enrolled in Microsoft’s Frontier program, Agent 365 can now surface which managed Windows devices are running OpenClaw agents. The detection works through Defender’s existing endpoint telemetry: identifying applications that call inference endpoints, then classifying them against a known agent inventory.
“Using our visibility on the endpoint, we can see the variety of apps that are basically calling inference endpoints,” Weston explained to VentureBeat. “And then we can give a collection of that to the IT and security folks, and they can decide whether that’s appropriate or something that’s putting them at risk.”
Once detected, administrators can apply Intune policies to block common OpenClaw execution methods. A dedicated “Shadow AI” page in the Microsoft 365 admin center serves as the dashboard for this discovery process, according to both the Security Blog and Tech Community post.
Why OpenClaw first? “Our criteria is simply customer demand,” Weston told VentureBeat. “We’re hearing across the board that enterprises understand OpenClaw represents a new type of software.”
Blast Radius Mapping: June 2026 Preview
Starting in June, Defender will add “asset context mapping” for each discovered agent. This builds a relationship graph showing which devices an agent runs on, which MCP servers it connects to, which identities are associated with it, and which cloud resources those identities can reach.
“Blast radius is computed by taking an asset inventory and converting each asset into a node in a graph,” Weston told VentureBeat. “The edges represent how different assets or data sources are connected.” The system overlays criticality scores and sensitive data exposure flags onto each node, letting security teams prioritize the agents that connect to resources they care about.
Also coming in June: policy-based runtime controls. If a managed agent exhibits behavior patterns consistent with data exfiltration or process injection, Defender can block the agent at runtime and generate alerts with incident context for investigation. Context mapping, policy controls, and runtime blocking all enter public preview through Intune and Defender in June 2026, per the Microsoft Security Blog.
The Cross-Cloud Play
Agent 365’s registry sync with AWS Bedrock and Google Cloud (formerly Vertex AI) entered public preview alongside GA. Organizations can import agents from rival platforms into Agent 365’s inventory, creating a single view of their entire agent fleet regardless of where agents were built or deployed.
WinBuzzer notes the competitive tension: “AWS Bedrock AgentCore and Google Gemini Enterprise Agent Platform shipped in 2025; Salesforce Agentforce and ServiceNow AI Agents have been generally available since 2024 and are not part of the preview. Bedrock and Gemini Enterprise customers who picked those stacks specifically to avoid Microsoft lock-in have little reason to accept Microsoft as the cross-vendor control plane on the strength of registry import alone.”
Microsoft’s answer to that objection is that organizations already run Defender and Intune. Agent 365 plugs into existing security workflows rather than requiring new tooling. The bet: enterprises that already manage endpoints through Microsoft will extend that management to agents as a natural adjacency.
Windows 365 for Agents: The Sandboxed Tier
A companion launch, Windows 365 for Agents, entered public preview the same week. This creates a Cloud PC class purpose-built for agentic workloads, managed through Intune with the same identity and security posture applied to employee endpoints.
The architecture separates human user sessions from autonomous agent sessions. When an agent triggers a security alert, attribution is clean because the agent runs on its own Cloud PC rather than sharing a user’s session.
The licensing stack required, per WinBuzzer: Agent 365 license + Intune license + active Azure subscription. This pins agentic workloads firmly to the Microsoft ecosystem and rules out a cheaper standalone path for organizations that haven’t already standardized on Intune.
Pricing and Licensing Model
Agent 365 standalone: $15 per user per month. Each license covers one individual who manages, sponsors, or uses agents. The pricing is per person, not per agent, acknowledging that agent counts shift constantly in most environments.
The platform is also bundled in the Microsoft 365 E7 suite. Nerd Level Tech reports E7 pricing at $99 per user per month, positioning Agent 365 as one component of a broader “Frontier Suite” that includes the full Microsoft 365 stack.
The Open Agent Ecosystem’s Governance Gap
This launch crystallizes a dynamic NCT has tracked for months. The open agent ecosystem, led by OpenClaw’s 3.2 million users, grew faster than its governance infrastructure. Enterprises adopted local agents because they were powerful and flexible. Now those same enterprises need controls, and the controls are coming from the platform vendor with the deepest endpoint footprint on earth.
Microsoft is not trying to kill OpenClaw. Weston’s quotes are carefully calibrated: enterprises “want to leverage all the benefits” while having “deterministic control.” The product is a management layer, not a replacement. But the effect is the same dynamic that played out with Docker and Kubernetes, or with cloud VMs and cloud management platforms. The orchestration layer captures more long-term value than the runtime it manages.
SAP blocked OpenClaw from its APIs entirely last week. Microsoft chose a different strategy: don’t block, govern. Detect what’s running, map what it can reach, give IT a kill switch. The message to CISOs is clear: you can let your developers use OpenClaw, as long as it runs under our control plane.
For OpenClaw’s community, the question is whether to build native enterprise governance features that make Agent 365 unnecessary, or accept the role of runtime engine while Microsoft owns the management layer above it. The Ignite-to-GA timeline was six months. The 18-agent expansion is on a two-month cadence. Microsoft is moving fast, and the governance vacuum is filling on someone else’s terms.