📌 Author's note: This site synthesises the author's own understanding from publicly available Microsoft documentation, official Microsoft Security blog posts, RSAC 2026 announcements, and insights from Microsoft Security professionals and MVPs. It is independent and not affiliated with or endorsed by Microsoft. Microsoft updates products and documentation frequently — always verify current status directly with Microsoft before making architecture or purchasing decisions.
UPDATED · RSAC 2026 · MARCH 24, 2026

Securing AI Workloads, Agents & MCP Ecosystems

A technical deep-dive into Microsoft's AI security architecture — covering the full stack from identity primitives and MCP attack surfaces to runtime threat detection and regulatory framework alignment. Caveats on current limitations are shown throughout.

✅ RSAC 2026 Updates — March 20, 2026

Security Dashboard for AI is now generally available. Entra Internet Access Shadow AI Detection and Prompt Injection Protection both GA on March 31. New Security Analyst Agent and Security Alert Triage Agent announced. Sentinel MCP Entity Analyzer GA in April. Several new Purview and Entra capabilities added across preview and GA. See the Gaps page for the updated availability matrix.

10,000 FT VIEW

The AI Security Stack at a Glance

How Microsoft's security controls layer across the full AI lifecycle, from model supply chain through to SOC response. Each layer below corresponds to a section of this guide.

WHAT WE ARE SECURING
AI Agents & Workloads
Copilot Studio · Classic ⚠
Copilot Studio · Modern
Azure AI Foundry
Custom Agents
MCP-connected Tools
M365 Copilot
↓ full lifecycle ↓
LAYER 00
Supply Chain & Model Security
Before deployment — secure the model itself
Pre-deployment
AI Model Scanning · GA
CLI + CI/CD Gating · GA
GitHub Advanced Security · GA
Defender for Cloud CSPM · GA
⚠ Training data provenance: limited
⚠ Hugging Face / OSS model risks
LAYER 01
Visibility & Governance
Know what you have before you can protect it
✓ Classic & Modern
Security Dashboard for AI ✓ GA
Agent 365 · GA May 1
AI Agent Inventory
Foundry Guardrails · Preview
⚠ Classic Agents invisible to Entra
⚠ Dual-admin setup required
⚠ Portal count inconsistency
LAYER 02
Identity & Access
Who is the agent? What can it access?
⚠ Entra ID: Modern only
⚠ OBO — agents inherit user identity
⚠ Maker credentials (Copilot Studio)
Entra Agent ID · Preview only
Entra Workload Identity · GA
Conditional Access for AI Agents · GA
Entra Internet Access · GA Mar 31
⚠ Agent name sync bug
LAYER 03
Data Security
What data can the agent see and share?
Purview Information Protection · GA
DLP for M365 Copilot · GA Mar 31
DSPM for AI · Preview
AI Observability · Preview
Communication Compliance · GA
Copilot Data Connector · Preview
⚠ Prompt data sensitivity in Sentinel
LAYER 04
MCP & Tool Governance
What can the agent invoke? What tools can it reach?
Defender for Cloud Apps · GA
OAuth Governance · GA
Shadow AI Detection · GA Mar 31
Foundry Guardrails (tool whitelist) · Preview
⚠ No MCP server auth standard
⚠ Maker creds × MCP tools risk
⚠ No Copilot Studio tool whitelist
LAYER 05
Runtime Protection
Block attacks as they happen
Prompt Shields · GA
Azure AI Content Safety · GA
Prompt Injection Protection · GA Mar 31
Defender for Cloud Apps RT · GA
Defender Predictive Shielding · Preview
⚠ 1s timeout on RT protection
⚠ Image/URL injection bypasses text filters
LAYER 06
Detect & Respond
SOC visibility into AI threats
Microsoft Sentinel · GA
Defender for Cloud · GA
Security Copilot · GA (E5)
Copilot Data Connector · Preview
Security Analyst Agent · Preview Mar 26
Alert Triage Agent · Preview Apr
MCP Entity Analyzer · GA Apr
Executive Summary

Why Securing AI Is a First-Class Security Problem

Organisations are deploying AI copilots and autonomous agents at scale to automate decision-making and access enterprise data. Standards like Model Context Protocol (MCP) now let AI systems invoke real enterprise tools — email, file systems, APIs, SaaS platforms — not just generate text. This transforms the AI agent from a productivity interface into a privileged digital actor operating inside the enterprise perimeter.

According to Microsoft's research, 80% of Fortune 500 companies are already using agents. Industry projections estimate over one billion AI agents in enterprise environments by 2028. Traditional security models built for users, endpoints, and applications break down when the actor is non-human, persistent, autonomous, and potentially opaque.

⚠ The Core Problem Security Architects Must Solve

An AI agent blends a user (accesses data, makes decisions), an application (runs code, calls APIs), and a service account (operates non-interactively, often persistently). No single existing security primitive handles all three. Microsoft is building toward this with Entra Agent ID — but it remains in limited preview for frontier customers only. Today, agents operate under OBO (On-Behalf-Of) delegation — inheriting the invoking user's identity and permissions, not a purpose-scoped identity of their own.

How to Use This Guide

AI RISK
AI Risk Reality
How AI agents break traditional security assumptions. Severity-rated risk taxonomy and the full attack surface model.
Risk Framework · Attack Surface
PRODUCT MAP
Products
Every Microsoft security product mapped to the AI stack — updated with RSAC 2026 announcements and current availability status.
Product Reference · RSAC Updated
IDENTITY & OBO
Agent Identity & OBO
The OBO token flow in detail. What Agent ID is vs. what's actually available. What architects should do today.
⚠ Critical Gap · OBO · Agent ID
MCP ECOSYSTEM
MCP
MCP architecture, six specific attack vectors, and how Microsoft controls the MCP-to-SaaS boundary — including the new Sentinel MCP Entity Analyzer.
MCP · Tool Poisoning · XPIA
THREAT SCENARIOS
Threats
Four detailed attack chains — DPI, XPIA, data leakage, privilege escalation — with full control mappings and gap assessments.
DPI · XPIA · Data Leakage
FRAMEWORKS
Frameworks
NIST AI RMF and ISO 42001 control mappings — with gap analysis per clause and function.
NIST AI RMF · ISO 42001
GAPS & ROADMAP
Gaps
Consolidated gap register with interim mitigations and updated availability matrix reflecting RSAC 2026 GA announcements.
Critical Gaps · RSAC Updated
📌 One-line positioning

Microsoft secures AI by bringing identity-first security, runtime threat protection, and unified visibility to AI workloads, agents, and MCP ecosystems — extending Zero Trust across the full AI lifecycle. The strategy is architecturally sound. The execution is partially complete — agent identity (OBO) and per-agent licensing remain the critical structural gaps.