Updated with RSAC 2026 GA announcements and field research findings. The Classic vs Modern agent distinction, maker credentials, and the AI Agent Inventory setup complexity are newly added gaps based on practitioner research.
Security Dashboard for AI: Now GA. Entra Internet Access Shadow AI Detection and Prompt Injection Protection both GA March 31. Purview DLP for M365 Copilot GA March 31. Entra External MFA GA.

| Gap | Why It Matters | Interim Mitigation | Expected Resolution |
|---|---|---|---|
| Classic Agents: no Entra security product coverage | Most existing Copilot Studio agents in production are Classic Agents (Service Principals). They receive zero Entra Agent ID security product coverage: no ID Protection, no Conditional Access, no lifecycle governance. This gap is invisible from Microsoft's marketing materials. Field research confirms this is the default state of most enterprise Copilot Studio deployments. | Inventory Classic vs Modern agents via AIAgentsInfo KQL; enforce end-user auth per agent via Power Platform admin; restrict org-wide sharing; manually recreate critical agents as Modern Agents | Microsoft migration tool planned; no date confirmed. Manual recreation is the only current path. |
| Maker credentials: agent authenticates as builder, not user | Copilot Studio agents authenticate to connected services as the maker (builder), not the invoking user. Combined with org-wide sharing and no authentication, a single admin-built agent extends admin permissions to every employee. This is structurally more dangerous than OBO in Copilot Studio deployments. | Enforce end-user authentication per agent (Power Platform admin); restrict sharing scope via Managed Environments; PAM hygiene on developers who build agents | Architectural; requires Power Platform admin enforcement. Product default is unlikely to change. |
| OBO: no true per-agent least privilege (non-Copilot Studio agents) | Standard agents inherit the invoking user's full token scope. Overprivileged users = overprivileged agents. No changes at RSAC 2026. | PAM hygiene on users; Foundry Guardrails for tool whitelisting; Entra Workload Identity for app-level scoping; Defender Predictive Shielding during active attacks (preview) | Dependent on Entra Agent ID GA; timeline unconfirmed |
| Entra Agent ID: preview only, Modern Agents only | The primary Entra security primitive for agents isn't GA. Even when it is, it will only protect Modern Agents; Classic Agent migration must happen first. Not announced as GA at RSAC 2026. | Entra Workload Identity as stopgap; manual agent inventory; Agent 365 for discovery (GA May 1) | GA timeline not publicly committed; expected H2 2026. Migration tool needed before most orgs can benefit. |
| Per-user licensing mismatch | Agent 365 licenses per user, not per agent. Governance scope doesn't scale with agent proliferation. Not addressed at RSAC 2026. | Architect agent deployments to be user-anchored; track agent count separately | No per-agent tier announced |
| OBO audit trail: user identity, not agent identity | Logs show the user UPN (or service), not the agent identity. In Copilot Studio with maker credentials, logs may show the service account, making the attacker invisible. Forensic attribution is fundamentally broken until Agent ID GA + Classic migration. | Purview AI Observability (data-access layer); Sentinel correlation; application-layer logging; AIAgentsInfo Advanced Hunting for agent-side context | Improves with Agent ID GA and Classic-to-Modern migration |


| Gap | Interim Mitigation |
|---|---|
| Agent sprawl (no lifecycle enforcement by default). Microsoft formally defines agent sprawl as the uncontrolled expansion of agents without adequate visibility, management, or lifecycle controls. It manifests as shadow AI (agents created without IT oversight), abandoned agents (created for temporary purposes and never decommissioned), and over-privileged agents (permissions granted and never reviewed). Agent sprawl leads to increased security risk, compliance challenges, and incident response difficulty. | Implement Entra ID Governance lifecycle management for Modern Agents: assign sponsors, configure Access Reviews, use access packages for time-bound permissions. For Classic Agents, use AIAgentsInfo KQL to audit and track all published agents quarterly. Run Playbook 01 to detect ownerless and abandoned agents. |
| Microsoft Managed Policies not widely known or deployed. Microsoft Managed Policies for agents provide automatic baseline CA policies that block high-risk agents, available through Conditional Access. Many organisations are unaware these exist or have not deployed them. Without them, high-risk agent identities have no automatic blocking controls. | Review Microsoft Managed Policies in Entra > Conditional Access > Microsoft-managed policies. Enable the agent risk baseline policy to automatically block agents flagged as high-risk by Identity Protection. Applies to Modern Agents only. |
| Any user can change another agent's authentication type. By design in Copilot Studio, any tenant user can change the authentication settings of an agent they did not create and do not own, including downgrading a published agent from authenticated to No Authentication. A single non-admin user can silently expose any published agent to anonymous access without the owner's knowledge. There is currently no platform-enforced owner-only restriction on auth type changes. | Deploy the change-detection Sentinel Analytics Rule (see Playbooks) to alert immediately when any agent is switched to No Authentication. Audit auth type changes regularly via the AIAgentsInfo table. Restrict who can access Copilot Studio environments via Managed Environments in Power Platform Admin Center. |
| | Cross-reference all three portals; use the AIAgentsInfo Advanced Hunting table as the most granular source; treat any portal count as approximate until Microsoft resolves the consistency issue |
| Purview triage agent 90-day re-auth requirement. Purview Security Copilot triage agents (DLP, IRM) run in the security context of the last user who saved the config. After 90 days, the agent stops running until the config is manually re-saved. No automatic renewal. | Create a calendar reminder at 80 days post-config to re-save. Consider assigning a shared service account as the config owner to avoid disruption if the original user departs. |
| AI Agent Inventory: complex setup requiring two admins. Setup requires collaboration between a Defender admin (enable 3 preview features) AND a Power Platform admin (enable a separate threat detection toggle). Takes up to 30 min for connection, longer for data population. Not self-service. | Assign a joint Defender + Power Platform admin workstream for onboarding. Verify via AIAgentsInfo KQL after setup. Plan for a 30-minute minimum delay on initial data. |
| Agent name sync bug: Copilot Studio rename not reflected in Entra Agent ID. Agents renamed in Copilot Studio keep their original "Agent #" name in Entra. Makes per-agent CA policy management nearly impossible at scale. | Use the Agent ID object ID (not the name) as the primary key for agent identification. Cross-reference via PowerShell script against the Power Platform Admin Environment URL. Monitor for a Microsoft fix; no timeline confirmed. |
| No MCP server authentication standard: the MCP spec doesn't mandate cryptographic server binding | Defender for Cloud Apps MCP server registry + anomaly detection; network segmentation; Foundry Guardrails tool whitelist (Foundry agents only); Sentinel MCP Entity Analyzer (GA April) for investigation |
| Foundry Guardrails in preview, Foundry agents only: no equivalent control for Copilot Studio agents | Power Platform admin controls for Copilot Studio agents (authentication enforcement, sharing limits); Defender for Cloud Apps for API-layer controls |
| CopilotActivity table prompt sensitivity + ingestion cost. The Copilot Data Connector for Sentinel ingests prompt content into the CopilotActivity table, making user prompts a sensitive artifact inside the SIEM. Standard ingestion costs apply (pay-per-GB). Organisations must apply field-level masking, retention policies, and access controls on the table before enabling it in production. | Enable in a controlled test workspace first. Apply field-level masking on prompt content fields. Set short retention for sensitive fields. Restrict CopilotActivity table access to SOC personnel only. Plan and budget for ingestion volume before enabling at scale. |
| Defender for Cloud Apps RT protection: 1-second timeout. If the Defender system doesn't return a block decision within 1 second, the agent proceeds to execute the tool anyway. Fast tool calls may bypass protection. | Ensure network latency between the Copilot Studio environment and Defender is minimised. Treat as a detection tool, not a guaranteed prevention control. |
| ZT Assessment AI pillar not until summer 2026 | Use the existing ZT Workshop assessment for Identity/Data/Network pillars; manually assess against the ZT for AI reference architecture (published March 2026) |
| No platform-level agent kill switch | Entra CA for Modern Agents; Power Platform admin can disable Classic agents; Defender Predictive Shielding (preview) limits blast radius during active attacks; requires a pre-planned runbook |
| Cross-user context contamination in shared agents | Architecture control: enforce session isolation in agent design; no native Microsoft platform control |
| Org-wide sharing default enables blast radius | Power Platform Managed Environments: set sharing limits; require end-user auth; AIAgentsInfo KQL to detect widely-shared no-auth agents |

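
As an added example (not code from the page or from Microsoft), the following Python triages a constructed agent inventory for the gaps tabled above (Classic agents, org-wide sharing without end-user auth, admin maker credentials) and detects auth-type downgrades between two inventory snapshots keyed on the agent object ID rather than its name. The record fields, sample agents and label strings are assumptions, not the AIAgentsInfo schema.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Agent:
    # Field names are assumptions for this example, not the AIAgentsInfo schema.
    agent_id: str         # stable object ID: the key to use, since names drift (rename bug)
    name: str
    agent_type: str       # "Classic" (service principal) or "Modern" (Entra Agent ID)
    auth_type: str        # "EntraID" or "NoAuthentication"
    sharing_scope: str    # "OrgWide", "Group" or "Owner"
    maker_is_admin: bool  # maker credentials: the agent acts as its builder


def triage(agent: Agent) -> List[str]:
    """Return the gap labels from the tables above that apply to one agent."""
    findings = []
    if agent.agent_type == "Classic":
        findings.append("classic: no Entra Agent ID, CA or ID Protection coverage")
    if agent.auth_type == "NoAuthentication" and agent.sharing_scope == "OrgWide":
        findings.append("org-wide sharing with no end-user auth: tenant-wide blast radius")
    if agent.auth_type == "NoAuthentication" and agent.maker_is_admin:
        findings.append("admin maker credentials reachable by every caller")
    return findings


def auth_downgrades(before: List[Agent], after: List[Agent]) -> List[Tuple[str, str, str]]:
    """Change detection between two snapshots, keyed on agent_id so a rename is not
    mistaken for a new agent. Returns (id, old_auth, new_auth) per downgrade to NoAuthentication."""
    prev = {a.agent_id: a for a in before}
    out = []
    for a in after:
        old = prev.get(a.agent_id)
        if old and old.auth_type != "NoAuthentication" and a.auth_type == "NoAuthentication":
            out.append((a.agent_id, old.auth_type, a.auth_type))
    return out


# Constructed sample snapshots (not real tenant data).
SNAPSHOT_T0 = [
    Agent("a-001", "HR Helper", "Classic", "EntraID", "OrgWide", True),
    Agent("a-002", "Expense Bot", "Modern", "EntraID", "Group", False),
    Agent("a-003", "Agent #7", "Classic", "NoAuthentication", "OrgWide", False),
]
SNAPSHOT_T1 = [
    Agent("a-001", "HR Helper", "Classic", "NoAuthentication", "OrgWide", True),  # downgraded
    Agent("a-002", "Expense Bot v2", "Modern", "EntraID", "Group", False),        # renamed only
    Agent("a-003", "Agent #7", "Classic", "NoAuthentication", "OrgWide", False),
]
```

Running `auth_downgrades(SNAPSHOT_T0, SNAPSHOT_T1)` reports only a-001; the rename of a-002 is correctly ignored because the comparison is keyed on the object ID.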
These queries require the AI Agent Inventory to be enabled in Defender for Cloud Apps (requires Defender admin + Power Platform admin collaboration).
Production-ready GA controls: Prompt Shields, Azure AI Content Safety, Defender for Cloud Apps (OAuth + SaaS governance + Copilot Studio RT protection), Purview Information Protection, Sentinel, Entra Conditional Access, Security Dashboard for AI (now GA), Entra Internet Access Shadow AI and Prompt Injection Protection (GA March 31), Purview DLP for Copilot (GA March 31), Power Platform Managed Environments (sharing limits + auth enforcement). A well-architected deployment combining these controls with Modern Agent migration provides meaningful defence in depth, but the Classic Agent estate must be addressed first.

| Control | Product | Status | Applies To | Key Caveat |
|---|---|---|---|---|
| Agent 365 Control Plane | Agent 365 | GA May 1 | All agents | Per-user, not per-agent licensing |
| Security Dashboard for AI | Defender/Entra/Purview | Now GA | All agents + third-party AI | Previously preview |
| AI Agent Inventory (Defender) | Defender for Cloud Apps | Preview | Copilot Studio agents only | Requires Defender admin + Power Platform admin collaboration; complex setup; 30min+ data delay |
| Entra Agent ID | Entra | Preview (Frontier only) | Modern Agents only | Classic Agents require migration first; OBO still underlying |
| ID Protection for Agents | Entra | Preview | Modern Agents only | Classic Agents not covered |
| Conditional Access for Agents | Entra | GA | Modern Agents only | Classic Agents cannot be targeted; name sync bug complicates policy management |
| Entra Workload Identity | Entra | GA | App-level (not per-agent) | Stopgap; not purpose-scoped for agent instances |
| Entra External MFA | Entra | Now GA | All users + agents | New at RSAC 2026 |
| Entra Backup and Recovery | Entra | Preview (RSAC 2026) | Entra directory objects | New capability |
| Entra Tenant Governance | Entra | Preview (RSAC 2026) | Multi-tenant | Shadow tenant discovery |
| Entra Internet Access: Shadow AI | Entra Suite | GA March 31 | Network-wide | None noted |
| Entra Internet Access: Prompt Injection | Entra Suite | GA March 31 | Network-wide | Complements Prompt Shields; not a replacement |
| Power Platform Managed Environments | Power Platform | GA | Copilot Studio agents | Primary control for maker creds + org-wide sharing risk |
| Prompt Shields | Azure AI / Foundry | GA | Foundry agents, SDK | Must be explicitly enabled per agent; not auto-applied |
| Azure AI Content Safety | Azure AI | GA | Model boundary | Separate from Prompt Shields |
| Defender for Cloud Apps RT Protection | Defender for Cloud Apps | Preview | Copilot Studio agents only | 1-second timeout; fast tool calls may bypass; complex setup |
| Defender Predictive Shielding | Defender | Preview (RSAC 2026) | All identities | Reactive during active attacks |
| Foundry Guardrails | Azure AI Foundry | Preview | Foundry agents only | No equivalent for Copilot Studio agents |
| Defender for Cloud Apps (CASB) | Defender | GA | All MCP-SaaS connections | Primary MCP boundary control |
| Microsoft Sentinel | Sentinel | GA | All | MCP Entity Analyzer GA April; Data Federation preview |
| Purview DSPM for AI | Purview | Preview | AI workloads | None noted |
| Purview DLP for M365 Copilot | Purview | GA March 31 | M365 Copilot prompts | New at RSAC 2026 |
| Purview DLP: SIT Prompt Blocking | Purview | Preview (GA June/July 2026) | M365 Copilot, Copilot Chat, Word/Excel/PPT | No response when triggered (does not fall back to Graph). Files uploaded to prompts not scanned. Two conditions can't be in the same rule. |
| Purview Information Protection | Purview | GA | All AI workflows | None noted |
| Security Copilot | Security Copilot | GA (included in E5 + E7) | SOC workflows | 400 SCU/1K users/mo (E5); 15+ partner agents |
| Security Analyst Agent | Defender / Security Copilot | Preview March 26 | Defender investigations | New at RSAC 2026 |
| Security Alert Triage Agent | Defender / Security Copilot | Preview April | Cloud + identity alerts | New at RSAC 2026 |