Start Here Overview AI Risk Products Identity MCP Threats Frameworks Gaps Playbooks Changelog Contact
๐Ÿ“Œ Author's note: This site synthesises the author's own understanding from publicly available Microsoft documentation, official Microsoft Security blog posts, RSAC 2026 announcements, and insights from Microsoft Security professionals and MVPs. It is independent and not affiliated with or endorsed by Microsoft. Microsoft updates products and documentation frequently โ€” always verify current status directly with Microsoft before making architecture or purchasing decisions.
PERSONALISED READING GUIDE

Where should
you start?

This guide covers 8 sections of Microsoft AI security. Pick your role and we'll show you exactly which pages matter most โ€” and why.

๐Ÿ›๏ธ
CISO / Security Leader
EXECUTIVE
โš™๏ธ
Security Engineer
TECHNICAL
๐Ÿค–
Copilot / M365 Admin
OPERATIONS
๐Ÿ—๏ธ
Power Platform Maker
BUILDER
๐Ÿ“‹
Compliance / GRC
GOVERNANCE
๐Ÿ›๏ธ As a CISO, your key questions are:
What is our AI agent exposure and how do we compare to best practice?
What are the most dangerous gaps in Microsoft's current AI security stack?
What should I be asking my security team to prioritise right now?
How does this map to frameworks we're already complying with (NIST, ISO)?
YOUR READING PATH
START HERE ยท ESSENTIAL
Overview
10,000ft view of the entire stack. The visualisation alone gives you the briefing you need.
โ†’
CRITICAL ยท READ NEXT
Gaps
What's not solved yet. The availability matrix is your executive summary of control coverage.
โ†“
RECOMMENDED
Frameworks
NIST AI RMF and ISO 42001 mapping โ€” directly answers board and audit questions.
โ†’
RECOMMENDED
AI Risk Reality
The risk taxonomy and Classic vs Modern agent distinction are critical for board conversations.
โ†“ optional deep-dive
IF NEEDED
Identity
Delegate to your security architect. The Classic vs Modern table is worth scanning.
โ†’
REFERENCE
Products
Full product inventory. Useful for licensing conversations.
MUST READ
Overview
The 10,000ft stack diagram gives you an instant briefing. The RSAC 2026 callout tells you what's changed this month.
IF NEEDED
Playbooks โ†—
Playbook 04 โ€” Incident Response โ€” gives your team a structured framework if an agent compromise occurs. Worth knowing exists before you need it.
MUST READ
Gaps
The critical gaps register and availability matrix. Know what your team can't control yet and what's coming.
KEY SECTIONS
Critical Gaps table
Availability Matrix
Roadmap timeline
SHOULD READ
Frameworks
NIST AI RMF and ISO 42001 alignment โ€” directly maps to your compliance and audit obligations.
โš™๏ธ As a Security Engineer / Architect, your key questions are:
What are the specific attack vectors against AI agents and how do I detect them?
Why does OBO matter and what can I actually do about it today?
How does MCP expand the attack surface and what controls exist?
Which KQL queries do I need to start hunting for agent misconfigurations?
YOUR READING PATH
START HERE ยท ESSENTIAL
Identity
The Classic vs Modern table and maker credentials section are the most technically dense and important pages on the site.
โ†’
CRITICAL ยท READ NEXT
Threats
Five detailed attack chains with full control mappings and gap assessments. Image/URL injection is new.
โ†“
ESSENTIAL
MCP
Attack vectors, Microsoft MCP catalog implications, and the Copilot Studio MCP tool risk pattern.
โ†’
RECOMMENDED
Gaps
KQL detection queries and the full control availability matrix for your architecture review.
โ†“ reference
REFERENCE
AI Risk
Risk taxonomy and attack surface model.
โ†’
REFERENCE
Products
All 32 products with GA/Preview status and links to docs.
MUST READ
Identity
OBO flow, maker credentials, Classic vs Modern security product coverage table, name sync bug, interim mitigations ranked by availability.
KEY SECTIONS
Classic vs Modern coverage table
Maker credentials comparison
Practical controls โ€” today
MUST READ
Playbooks โ†—
Two playbooks directly relevant: Playbook 01 for your first audit KQL queries, Playbook 04 for incident response runbook when an agent is suspected compromised.
MUST READ
Threats
DPI, XPIA (including image/URL variant), maker credential blast radius, data leakage, privilege escalation โ€” with full control mappings.
MUST READ
MCP
Microsoft official MCP catalog risk, Copilot Studio MCP tools + maker credentials combination, seven attack vectors with controls.
๐Ÿค– As a Copilot / M365 Admin, your key questions are:
What Copilot Studio agent misconfigurations should I be auditing right now?
How do I detect no-auth agents and overly shared agents in my tenant?
What do I need from Power Platform admin to complete security setup?
Which Defender and Purview controls work without extra licensing?
YOUR READING PATH
START HERE ยท ESSENTIAL
AI Risk Reality
The Copilot Studio Specific Risks section โ€” no-auth agents, org-wide sharing, maker credentials, Classic vs Modern โ€” is written for you.
โ†’
CRITICAL ยท READ NEXT
Identity
Maker credentials section and the Classic vs Modern product coverage table tell you exactly what controls you have today.
โ†“
ESSENTIAL
Gaps
KQL detection queries for no-auth agents and ownerless agents. Use these in Advanced Hunting today.
โ†’
RECOMMENDED
Products
AI Agent Inventory and Defender for Cloud Apps cards โ€” click through to the setup docs.
MUST READ
AI Risk Reality
The Copilot Studio Specific Risks section with the six risk cards โ€” no-auth, org-wide sharing, Classic vs Modern, MCP tools, name sync, ownerless agents.
KEY SECTIONS
Copilot Studio Specific Risks
Maker Credentials callout
MUST READ
Playbooks โ†—
Playbook 01 gives you the KQL queries to audit your estate right now. Playbook 03 walks you through the Security Dashboard for AI setup โ€” the dual-admin process that requires you and your Power Platform admin to coordinate.
MUST READ
Gaps
The KQL detection queries section โ€” copy-paste ready queries to find no-auth and ownerless agents in your tenant right now.
SHOULD READ
Identity
Security product coverage table โ€” understand exactly what Defender vs Entra controls you have, and what requires Modern Agents.
๐Ÿ—๏ธ As a Power Platform Maker / Developer, your key questions are:
What am I doing that creates security risk when I build a Copilot Studio agent?
What's the difference between Classic and Modern agents โ€” and does it matter to me?
How do I make my agent secure without needing advanced licensing?
What happens when I add MCP tools to my agent?
YOUR READING PATH
START HERE ยท ESSENTIAL
AI Risk Reality
Maker credentials, no-auth, org-wide sharing โ€” these are risks you create at build time. Read this first.
โ†’
ESSENTIAL
MCP
Adding MCP tools dramatically expands your agent's attack surface. Understand the risk before connecting tools.
โ†“
RECOMMENDED
Threats
The Maker Credential Blast Radius scenario is specifically about what happens when you build an agent insecurely.
โ†’
REFERENCE
Identity
Understand why your credentials matter to the security team.
MUST READ
AI Risk Reality
Everything in the "Copilot Studio Specific Risks" section applies directly to what you build. Maker credentials and org-wide sharing are configuration choices you make.
MUST READ
Playbooks โ†—
Playbook 02 is written for you โ€” it's the pre-publish security checklist for every agent you build. Run through it before you click publish.
MUST READ
Threats
Scenario 3 โ€” Maker Credential Blast Radius โ€” walks through exactly what an attacker does with an insecurely built agent. Read it. Then check your agents.
SHOULD READ
MCP
If you're adding MCP tools to your agent, read the "Maker Credentials ร— MCP Tools" section. The blast radius compounds with each tool you add.
๐Ÿ“‹ As a Compliance / GRC professional, your key questions are:
How do Microsoft's AI security controls map to NIST AI RMF and ISO 42001?
What are the gaps in coverage that affect our compliance posture?
How do we evidence AI governance controls for auditors?
What's the roadmap โ€” what's GA, what's preview, what's missing?
YOUR READING PATH
START HERE ยท ESSENTIAL
Frameworks
NIST AI RMF four functions and ISO 42001 clause-by-clause mapping โ€” with gap analysis per control.
โ†’
CRITICAL ยท READ NEXT
Gaps
Critical and significant gaps register โ€” feeds directly into your risk register and remediation plan.
โ†“
RECOMMENDED
Products
GA vs Preview status for every control โ€” evidences what's production-ready vs in-flight.
โ†’
RECOMMENDED
AI Risk Reality
Risk taxonomy maps to GOVERN and MAP functions. Classic agent gap is a key compliance exposure.
MUST READ
Frameworks
NIST AI RMF GOVERN/MAP/MEASURE/MANAGE and ISO 42001 clause-by-clause with Microsoft control mappings and gap notes per clause.
KEY SECTIONS
NIST AI RMF four functions
ISO 42001 clause table
Post-RSAC coverage callout
SHOULD READ
Playbooks โ†—
Playbook 01 gives you the KQL queries to evidence your agent inventory and configuration posture โ€” useful for audit documentation and demonstrating GOVERN and MEASURE controls.
MUST READ
Gaps
Critical and significant gaps register with interim mitigations. Classic Agent estate gap affects all four NIST functions.
SHOULD READ
Products
Full availability matrix โ€” GA vs Preview vs Coming Soon for every control. Use for gap evidence in audit documentation.
โ†’ Enter the full guide
NEXT โ†’Overview
SOURCES: Microsoft Security Blog ยท RSAC 2026 (March 20, 2026) ยท Microsoft Ignite 2025 ยท NIST AI RMF 1.0 ยท ISO/IEC 42001:2023
Last updated: March 2026 ยท Analysis covers publicly announced Microsoft security capabilities only