Agentic AI Defense
An Eight-Pillar Defense Strategy
A structured approach to securing agentic AI across the enterprise, from initial visibility through to autonomous defense. Each pillar maps to Microsoft's product stack, the controls available today, and the honest gaps that remain.
Source: Microsoft RSAC 2026 · Vasu Jakkal · Agent 365 · ZT4AI · April 2026
Strategy context · RSAC 2026
Security must be ambient and autonomous,
just like the AI it protects.
In the agentic era, agents can become double agents: overprivileged, manipulated, or misaligned, working against the outcomes they were built to support. The answer starts with trust. Security must be woven into and around every layer of the AI estate.
80%
Fortune 500 use agents
14.4%
Have full security approval
68%
Can't distinguish agent vs human in logs
Eight pillars
Framework overview
The first diagnostic question for any organisation: how many AI agents do you have, who built them, what authentication pattern are they using, and who owns them? Most organisations do not know. The gap between the perceived and the actual agent estate typically reveals 3 to 5× more agents than IT believes exist. Visibility is not just an audit exercise; it is the prerequisite for every other pillar.
Controls available now
AIAgentsInfo Advanced Hunting table: all agent types, all platforms
Security Dashboard for AI at ai.security.microsoft.com (GA)
M365 admin center > Agents > All agents (AI Reader role, no licence required)
Entra Internet Access Shadow AI Detection (GA March 31 2026)
Defender for Cloud Apps discovery: GenAI apps, model providers, MCP servers
ARA tool: automated pre-deployment readiness assessment across 6 domains
Agent Model Inventory KQL: identifies out-of-EUDB models via modelNameHint
Products
Security Dashboard for AI
Defender Advanced Hunting
Entra Internet Access
Defender for Cloud Apps
Agent 365 Registry
ARA Tool (open source)
Key KQL
AIAgentsInfo | summarize arg_max(Timestamp,*) by AIAgentId
extract(modelNameHint) for out-of-EUDB model detection
Gaps & honest caveats
Classic agents (73% of the estate) are plain service principals: no agent-specific inventory fields
Cloud App discovery shows as disabled in the dashboard even when connected (known bug)
AIAgentsInfo requires Defender P2, which not all tenants have
EUDB model visibility: modelNameHint is only available for Copilot Studio agents, not Foundry
Recommended starting point
Run the ARA tool first โ it gives you a tenant-wide posture report in minutes. Then run the AIAgentsInfo audit KQL in Playbook 01 for agent-specific detail. Classic vs Modern split is the first thing to establish.
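The triage described in this pillar, as an added example in Python (not Microsoft's code and not an AIAgentsInfo query): it collapses a multi-row agent export to the newest record per agent, the same arg_max pattern as the KQL above, splits Classic from Modern, lists ownerless and no-auth agents, and extracts modelNameHint from a config blob to queue out-of-EUDB models for review. The record layout, the sample rows and the `gpt-` allow-list are constructed assumptions; the real column names and the approved model list come from your tenant.

```python
"""Agent inventory triage over an exported snapshot (added example, not Microsoft's).

Mirrors the Pillar 1 steps: collapse a multi-row export to the newest record
per agent (the arg_max pattern in the page's KQL), split Classic vs Modern,
flag ownerless and unauthenticated agents, and pull modelNameHint out of a
free-form config blob to spot models hosted outside the EU Data Boundary.
The record layout, sample rows and the EUDB allow-list are constructed for
this example; they are not the real AIAgentsInfo schema.
"""
import re
from datetime import datetime

# Constructed export: the same agent can appear in several snapshots.
SAMPLE_EXPORT = [
    {"Timestamp": "2026-04-01T08:00:00Z", "AIAgentId": "a-001", "AgentName": "HR Helper",
     "IdentityType": "ServicePrincipal", "OwnerAccountUpns": "",
     "AuthType": "Maker credentials", "Config": '{"modelNameHint":"gpt-4.1","region":"eu"}'},
    {"Timestamp": "2026-04-03T09:30:00Z", "AIAgentId": "a-001", "AgentName": "HR Helper",
     "IdentityType": "ServicePrincipal", "OwnerAccountUpns": "alice@contoso.example",
     "AuthType": "Maker credentials", "Config": '{"modelNameHint":"gpt-4.1","region":"eu"}'},
    {"Timestamp": "2026-04-02T12:00:00Z", "AIAgentId": "a-002", "AgentName": "Legal Summariser",
     "IdentityType": "AgentIdentity", "OwnerAccountUpns": "bob@contoso.example",
     "AuthType": "End User (OBO)", "Config": '{"modelNameHint":"claude-sonnet-4","region":"eu"}'},
    {"Timestamp": "2026-04-02T12:05:00Z", "AIAgentId": "a-003", "AgentName": "Finance Bot",
     "IdentityType": "ServicePrincipal", "OwnerAccountUpns": "",
     "AuthType": "No Authentication", "Config": "modelNameHint=gpt-4o-mini; temperature=0.2"},
]

# Accepts both JSON-style ("modelNameHint":"x") and key=value (modelNameHint=x) blobs.
MODEL_HINT_RE = re.compile(r'modelNameHint["\']?\s*[:=]\s*["\']?([A-Za-z0-9._-]+)')

# Constructed placeholder for "models hosted inside the EU Data Boundary"; the
# real approved list is a tenant decision, not something this example knows.
EUDB_HOSTED_PREFIXES = ("gpt-",)


def latest_per_agent(records):
    """Newest row per AIAgentId: the equivalent of summarize arg_max(Timestamp, *) by AIAgentId."""
    newest = {}
    for rec in records:
        ts = datetime.fromisoformat(rec["Timestamp"].replace("Z", "+00:00"))
        agent_id = rec["AIAgentId"]
        if agent_id not in newest or ts > newest[agent_id][0]:
            newest[agent_id] = (ts, rec)
    return {agent_id: rec for agent_id, (_, rec) in newest.items()}


def classify(rec):
    """Classic agents run as plain service principals; Modern agents carry an Agent Identity."""
    return "Modern" if rec["IdentityType"] == "AgentIdentity" else "Classic"


def extract_model_hint(config_blob):
    """Return the modelNameHint value from a config blob, or None if absent."""
    match = MODEL_HINT_RE.search(config_blob)
    return match.group(1) if match else None


def triage(records):
    """Summarise the deduplicated estate and list the agents that need attention first."""
    latest = latest_per_agent(records)
    summary = {"total": len(latest), "Classic": 0, "Modern": 0,
               "ownerless": [], "no_auth": [], "review_eudb": []}
    for agent_id in sorted(latest):
        rec = latest[agent_id]
        summary[classify(rec)] += 1
        if not rec["OwnerAccountUpns"].strip():
            summary["ownerless"].append(agent_id)
        if rec["AuthType"] == "No Authentication":
            summary["no_auth"].append(agent_id)
        hint = extract_model_hint(rec["Config"])
        # Unknown or non-allow-listed model: route to the EUDB review queue.
        if hint is None or not hint.startswith(EUDB_HOSTED_PREFIXES):
            summary["review_eudb"].append((agent_id, hint))
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against a CSV or JSON export of your own inventory once the field names are mapped; the deduplication step matters because a stale snapshot row can show an agent as ownerless after an owner was assigned, as the a-001 rows above illustrate.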
Identity is the most targeted layer in any environment and the first line of defence. For AI agents, the challenge is that most existing agents share the identity of the person who built them, so every user who runs the agent effectively receives the builder's full permission set. Entra Agent ID is the structural fix: each agent gets its own service principal with scoped permissions, lifecycle governance, and full Entra security stack coverage.
Controls available now
Entra Agent ID: Blueprint, T1/T2 auth, FIC credentials, four object types
CA for Agent ID (Preview): zero trust CA policies targeting agent identities
ID Protection for Agents (Preview): six risk detections, Risky Agents report
Custom security attributes for agent segmentation: scalable CA scoping
Owner + Sponsor model: technical and business accountability per agent
Sentinel Analytics Rule: auth type change raised as a high-severity Incident
Copilot Studio automatic security scan: warns at publish time on auth misconfigurations
Agent runtime protection status: Protected / Needs review / Unknown per agent
Five auth patterns (risk ladder)
① End User (OBO) · Low risk · Classic
② Maker credentials · Very High · Classic · most dangerous
③ App Reg Delegated · Low · Classic
④ App Reg App Permissions · Very High · Classic
⑤ Agent User Account · Very High · Modern only
Three Agent Identity security guarantees
No admin token generation: even Global Admins cannot generate agent identity tokens
Tenant-bound: tokens are only valid in the home tenant
Impersonation model: the Blueprint performs the token exchange, and the Agent Identity appears in audit logs
Gaps & honest caveats
Classic agents (73% of the estate) get no CA, ID Protection, or lifecycle governance
Entra Agent ID requires the Frontier programme; not generally available
Any tenant user can change another agent's auth type regardless of ownership
CA carve-outs: Blueprint T1 flows are excluded from CA evaluation by design
An Agent User survives Blueprint deletion: orphaned with full permissions, and nothing flags it
With AI embedded in everyday work, sensitive data moves through prompts, responses, and grounding flows faster than policies can keep up. Security teams need visibility into how AI interacts with data and the ability to stop leakage at the point of use. Microsoft's approach embeds data security directly into the AI control plane: sensitivity labels travel with grounded data through Work IQ, enforcing governance at the intelligence layer, not just at output.
Controls available now
Purview DLP for M365 Copilot (GA March 31 2026): blocks PII, credit card numbers, and custom SITs in prompts and web grounding
SAM Restricted Content Discovery (RCD): excludes SharePoint sites from Copilot grounding. Included with the M365 Copilot licence
DSPM for AI: activity explorer, sensitivity label insights, unethical behaviour detection
IRM Adaptive Protection: auto-enrols risky users into stricter DLP based on risk score
Browser DLP (Edge for Business): inspects typed prompts to unmanaged GenAI apps, including on BYOD
Network DLP (Global Secure Access): network-layer enforcement
Entra Internet Access prompt injection protection (GA March 31 2026)
Work IQ grounding-layer governance: sensitivity labels enforced before data reaches agent context
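What a prompt-time DLP evaluation actually has to do, as an added example in Python rather than Purview's implementation: a Luhn-validated credit card SIT and a constructed custom SIT are scanned in the typed prompt, and retrieved documents are filtered by sensitivity label before they can enter grounding. The two evaluations are kept separate to mirror the two-policy requirement noted in the caveats for this pillar. Label names, the custom SIT pattern and the sample prompt and documents are constructed.

```python
"""Prompt-time DLP check (added example; not Purview's implementation).

Two independent evaluations, matching the page's note that label blocking
and SIT prompt blocking are separate policies:
  1. scan the typed prompt for sensitive information types, validating card
     numbers with the Luhn check so that arbitrary 16-digit strings do not
     trip the rule;
  2. refuse to ground on retrieved documents whose sensitivity label is on
     the block list, before they reach agent context.
SIT names, label names, the custom SIT pattern and the sample prompt and
documents are all constructed for this example.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Constructed custom SIT: an internal project identifier such as PRJ-1234-AB.
CUSTOM_SITS = {"Project code": re.compile(r"\bPRJ-\d{4}-[A-Z]{2}\b")}
# Constructed label names that must never be grounded on.
BLOCKED_LABELS = {"Highly Confidential", "Legal Hold"}


def luhn_valid(digits):
    """Luhn mod-10 check over a string of digits."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_prompt(prompt):
    """Return (sit_name, matched_text) findings; card candidates must pass Luhn."""
    findings = []
    for match in CARD_RE.finditer(prompt):
        if luhn_valid(re.sub(r"\D", "", match.group(0))):
            findings.append(("Credit card number", match.group(0)))
    for name, pattern in CUSTOM_SITS.items():
        for match in pattern.finditer(prompt):
            findings.append((name, match.group(0)))
    return findings


def filter_grounding(documents):
    """Split retrieved documents into ids allowed into context and ids blocked by label."""
    allowed, blocked = [], []
    for doc in documents:
        (blocked if doc["label"] in BLOCKED_LABELS else allowed).append(doc["id"])
    return allowed, blocked


def evaluate(prompt, documents):
    """Apply both policies; any SIT finding blocks the prompt outright."""
    findings = scan_prompt(prompt)
    allowed, blocked = filter_grounding(documents)
    return {"verdict": "block" if findings else "allow",
            "findings": findings,
            "grounding_allowed": allowed,
            "grounding_blocked": blocked}


# Constructed inputs: one Luhn-valid test card, one arbitrary 16-digit ticket number.
SAMPLE_PROMPT = ("Please refund card 4111 1111 1111 1111 for PRJ-2041-QA; "
                 "the other ref 1234 5678 9012 3456 is just a ticket number.")
SAMPLE_DOCS = [{"id": "doc-1", "label": "General"},
               {"id": "doc-2", "label": "Highly Confidential"}]

if __name__ == "__main__":
    print(evaluate(SAMPLE_PROMPT, SAMPLE_DOCS))
```

The Luhn step is what keeps a credit card SIT usable: the 16-digit ticket number in the sample prompt matches the pattern but fails the checksum, so only the real test card number blocks the prompt.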
Products
Purview DLP for Copilot
DSPM for AI
Purview Comm. Compliance
IRM Adaptive Protection
SAM + RCD
Edge for Business DLP
Global Secure Access
Work IQ
Purview Sentinel connector
Copilot Data Connector (Preview Feb 3 2026): CopilotActivity table, 21 record types from the Purview UAL. Single-tenant only.
Gaps & honest caveats
DLP for Copilot requires two separate policies: label blocking and SIT prompt blocking cannot be combined in one policy
EUDB gap: agents using Anthropic models process data outside the EU Data Boundary, and there is no native policy to prevent makers selecting these models
CW1226324 (Jan 2026): Copilot background indexing bypasses DLP for Outlook Drafts and Sent Items. Fix deployed April 2026; confirm in your tenant
Data lifecycle retention requires Azure pay-as-you-go billing, so cost is unpredictable
Defending at the endpoint and cloud layer means catching threats in motion: blocking dangerous tool invocations before they execute, detecting suspicious agent behaviour, and protecting the infrastructure that agentic AI runs on. The Agent Tooling Gateway (ATG) is the primary real-time blocking mechanism, but it has a critical limitation: it only inspects the tool execution path, not the model's reasoning between tool calls.
Controls available now
Agent Tooling Gateway (ATG): evaluates every tool invocation before execution. Real-time block. 1-second timeout.
Defender for Cloud Apps real-time protection: Copilot Studio agents via the webhook connector
Defender for Cloud AI Workloads plan: Azure AI Foundry agents and models
Prompt Shields: direct and indirect injection detection at the orchestration layer
Defender Predictive Shielding (Preview): dynamically adjusts identity and access policies during active attacks
Enhanced Defender for Cloud container security (Preview): binary drift and antimalware
Defender for Cloud posture management: AWS and GCP coverage in preview
CloudAppEvents table: Copilot and agent audit metadata for hunting (no prompt content)
Products
ATG (Agent Tooling Gateway)
Defender for Cloud Apps
Defender for Cloud
Prompt Shields
Defender Predictive Shielding
CloudAppEvents
CloudAppEvents key ActionTypes
UpdateCopilotAgent · CopilotInteraction
CopilotForSecurityTrigger · DLPRuleMatch
Requires the M365 app connector with the "M365 activities" checkbox enabled
Gaps & honest caveats
ATG critical limitation: it only inspects the tool execution path and does NOT inspect model reasoning between tool calls
ATG 1-second timeout: fast tool calls may execute before the block decision is returned
CloudAppEvents is metadata only, with no prompt or response content. Pivot to the DSPM Activity Explorer for content.
Copilot Studio real-time protection needs a dual-admin setup: a Power Platform Admin and a Defender Admin must coordinate
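To make the timeout caveat concrete, an added Python model of a tool-invocation gateway with a verdict deadline. It is not ATG's code: the tool names, the policy rules, the latencies and the sample calls are constructed. It shows the difference between letting a call execute when no verdict arrives within the deadline (fail-open, the behaviour the caveat above describes) and holding or denying it (fail-closed), and it only ever sees the tool call, never the reasoning that produced it.

```python
"""Tool-invocation gateway with a verdict deadline (added example; not ATG's code).

A minimal model of the control the page describes: every tool call is sent to
a policy evaluator before it executes, and the evaluator has a fixed time
budget. Tool names, the policy rules, the latencies and the sample calls are
constructed. The point it makes concrete is the timeout caveat: a gateway
that lets the call through when no verdict arrives in time (fail-open, the
behaviour the page's caveat describes) differs from one that holds the call
until a verdict arrives or denies on timeout (fail-closed).
"""
from dataclasses import dataclass

DEADLINE_MS = 1000  # the page cites a 1-second budget for the block decision

# Constructed policy inputs.
EXFIL_TOOLS = {"http.post", "email.send_external"}
APPROVED_PATH_PREFIX = "/sites/approved/"


@dataclass
class ToolCall:
    agent_id: str
    tool: str
    args: dict
    eval_latency_ms: int  # constructed: how long the evaluator takes for this call


def policy_verdict(call):
    """Pure policy decision on the tool call, independent of timing."""
    if call.tool in EXFIL_TOOLS:
        return "deny", f"{call.tool} sends data outside the tenant"
    if call.tool == "sharepoint.read" and not call.args.get("path", "").startswith(APPROVED_PATH_PREFIX):
        return "deny", "path outside the approved grounding scope"
    return "allow", "policy permits"


def gateway(call, mode="fail-open", deadline_ms=DEADLINE_MS):
    """Return (executed, outcome). mode is 'fail-open' or 'fail-closed'.

    Only the tool call is visible here: whatever reasoning led the model to
    request it is outside the gateway's view, exactly as the page's caveat says.
    """
    verdict, reason = policy_verdict(call)
    if call.eval_latency_ms <= deadline_ms:
        return verdict == "allow", f"{verdict}: {reason}"
    if mode == "fail-open":
        # Verdict missed the deadline: the tool already ran; a late deny can only alert.
        late = "; late deny raised as alert" if verdict == "deny" else ""
        return True, "executed before verdict" + late
    return False, "denied: no verdict within deadline"


# Constructed calls: an in-scope read, a fast exfiltration attempt, a slow one.
SAMPLE_CALLS = [
    ToolCall("agent-7", "sharepoint.read", {"path": "/sites/approved/hr/policy.docx"}, 120),
    ToolCall("agent-7", "http.post", {"url": "https://collector.example/upload"}, 150),
    ToolCall("agent-7", "http.post", {"url": "https://collector.example/upload"}, 1400),
]


def run(mode):
    """Evaluate the sample calls under one gateway mode."""
    return [gateway(call, mode) for call in SAMPLE_CALLS]


if __name__ == "__main__":
    for mode in ("fail-open", "fail-closed"):
        print(mode, run(mode))
```

The third sample call is the case the caveat warns about: the policy would deny it, but under fail-open the verdict arrives after the tool has run, so the only artefact is an alert. Under fail-closed the same call never executes, at the cost of denying legitimate slow evaluations too; which trade-off you get from the real gateway is a property to verify in your tenant, not assume.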
Zero Trust was always built on three principles: verify explicitly, use least privilege, and assume breach. As AI becomes embedded across every layer of the enterprise (the models you build on, the data they consume, the agents that act on your behalf), applying those principles has never been more critical. ZT4AI extends the architecture to the full AI lifecycle: data ingestion, model training, deployment, and agent behaviour at runtime.
Three principles applied to AI
Verify explicitly: every agent needs a verified identity, not just a name. Entra Agent ID, CA for Agents, ID Protection. Classic agents are the gap.
Least privilege / least agency: minimum permissions AND minimum connectors per agent. Each MCP tool or connector added expands the blast radius. Review what each agent can actually do, not just what it can read.
Assume breach: design for prompt injection, data poisoning, and lateral movement. ATG at the tool layer. Sentinel for cross-signal correlation. CA policy to block high-risk agents automatically.
ZT4AI resources
ZT4AI Reference Architecture: published at RSAC 2026, free to use. Covers the full AI lifecycle.
Zero Trust Workshop: AI pillar coming summer 2026. Use the Identity, Data, and Networking pillars in the interim.
ZT Assessment Tool: AI pillar due summer 2026. Currently a manual mapping to the Identity/Data/Networking pillars.
ZT4AI patterns and practices articles: new guidance published at RSAC 2026.
Access Fabric
Architectural concept: treat access as a continuous end-to-end system with identity as the consistent decision point, enforcing across environments in near real time.
Maturity stages
STAGE 1 · VISIBILITY
Know your estate
Agent inventory · No-auth detection · Owner assignment · ARA assessment
STAGE 2 · CONTROL
Enforce least privilege
Entra Agent ID migration · CA for agents · DLP enforcement · ATG deployment
STAGE 3 · AUTOMATION
Agentic defense
ID Protection CA integration · Security Copilot agents · Sentinel automation · Predictive shielding
Security Copilot is now included in Microsoft 365 E5 and E7, embedding AI-powered assistance directly into the flow of security operations. New purpose-built security agents accelerate threat investigations, autonomously triage repetitive alerts, and optimise identity access policies, reducing manual effort so defenders can focus on complex, judgement-intensive work.
Security agents available now
Security Analyst Agent (Defender, Preview Mar 26): contextual threat investigation with guided workflows. Multi-step autonomous analysis.
Security Alert Triage Agent (Defender, Preview Apr): autonomously classifies, prioritises, and resolves repetitive low-value alerts at scale across cloud and identity.
CA Optimization Agent (Entra, GA; enhancements in Preview): context-aware CA policy recommendations with phased rollout capability.
Data Security Posture Agent (Purview, Preview): credential scanning to proactively detect credential exposure in your data.
Data Security Triage Agent (Purview, GA; enhancements in Preview): advanced AI reasoning layer for DLP alert triage with improved custom SIT interpretation.
15+ partner-built agents: available in the Security Store in the Defender portal.
Security Copilot licensing
Included in M365 E5: 400 SCU per 1,000 users/month
Included in M365 E7: same as E5 plus Agent 365
Standalone: SCU-based pricing
Security Store: access to 15+ partner security agents, deployable directly in the Defender portal
Products
Microsoft Security Copilot
Defender Security Analyst Agent
Alert Triage Agent
Entra CA Optimization Agent
Purview Data Security Agents
Security Store
Strategic consideration
Security agents are AI agents too: they must be subject to the same governance as the agents they protect. Own identity, scoped permissions, Entra Agent ID where available.
Alert volume reduction is the primary value proposition: ATG generates an alert for every tool block. Without triage automation, this creates alert fatigue that undermines the defence.
Security Copilot operates under the configuring user's Entra permissions, so its blast radius matches the identity of whoever configured it.
Microsoft Sentinel is the agentic defense platform: the correlation layer that unifies context from Defender, Entra, Purview, and external sources, automates end-to-end workflows, and gives analysts a single place to investigate and respond. RSAC 2026 significantly expanded Sentinel's AI-specific capabilities, making it the right long-term investment for organisations with a mature AI security posture.
RSAC 2026 Sentinel capabilities
Copilot Data Connector (Preview Feb 2026): CopilotActivity table, 21 record types from the Purview UAL. Single-tenant only.
MCP Entity Analyzer (GA April 2026): natural language querying of MCP entity data in investigations.
Data Federation via Fabric (Preview): investigate external data in Databricks, Fabric, and ADLS in place without moving it.
Playbook Generator (Preview): natural language orchestration for complex incident response workflows.
Custom Graphs via Fabric (Preview): custom relationship views unique to your org's environment.
GDAP + unified RBAC (Preview): secure cross-tenant management for MSSP/partner scenarios.
Auth-type change Analytics Rule: fires as a high-severity Incident when any agent is switched to No Authentication.
Defender vs Sentinel: when to use each
Defender XDR: Real-time blocking (ATG), 90-day hunting, agent inventory, CloudAppEvents. Primary detection + response layer.
Sentinel: Long-term retention (years), cross-system correlation, SOAR automation, cross-tenant management. Strategic correlation + compliance layer.
Both pull from the Purview UAL: Defender via CloudAppEvents (M365 app connector), Sentinel via the Copilot Data Connector. Enable both for full coverage.
Products
Microsoft Sentinel
Copilot Data Connector
MCP Entity Analyzer
Sentinel Data Federation
Playbook Generator
Key detection rules to deploy
Auth type change to No Authentication (high-severity Incident)
Ownerless agent creation (new agent with no OwnerAccountUpns)
Maker credentials + org-wide sharing + admin builder (attack path correlation)
CopilotForSecurityTrigger volume anomalies (Security Copilot abuse)
Copilot Data Connector is single-tenant only: partners need a separate instance per customer
Ingestion costs apply, and prompt content is sensitive; apply field-level masking on CopilotActivity
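The four detection rules listed above, implemented as an added Python example over a constructed audit stream (not a Sentinel analytics rule export). Only the ActionType values UpdateCopilotAgent and CopilotForSecurityTrigger come from this page; CreateCopilotAgent and every field name in the sample events are assumptions to be mapped onto your own table schema before use.

```python
"""Agent-governance detections over an audit event stream (added example).

Implements the four rules the page lists for Pillar 7 against a constructed
event list: auth type switched to No Authentication, an agent created without
an owner, the maker-credentials + org-wide sharing + admin-builder attack
path, and a per-hour volume anomaly on CopilotForSecurityTrigger. Only the
ActionType values UpdateCopilotAgent and CopilotForSecurityTrigger come from
the page; CreateCopilotAgent and every field name (AgentId, Actor, Field,
OldValue, NewValue, OwnerAccountUpns, SharingScope, BuilderRoles) are
constructed for this example. This is not a Sentinel analytics rule export.
"""
from collections import Counter

ADMIN_ROLES = {"Global Administrator", "Power Platform Administrator"}  # constructed

SAMPLE_EVENTS = [
    {"Timestamp": "2026-04-10T09:00:00Z", "ActionType": "CreateCopilotAgent", "AgentId": "ag-1",
     "Actor": "carol@contoso.example", "OwnerAccountUpns": "", "AuthType": "Maker credentials",
     "SharingScope": "Organization", "BuilderRoles": ["Global Administrator"]},
    {"Timestamp": "2026-04-10T09:05:00Z", "ActionType": "UpdateCopilotAgent", "AgentId": "ag-2",
     "Actor": "dave@contoso.example", "Field": "AuthType",
     "OldValue": "End User (OBO)", "NewValue": "No Authentication"},
    {"Timestamp": "2026-04-10T09:06:00Z", "ActionType": "UpdateCopilotAgent", "AgentId": "ag-3",
     "Actor": "dave@contoso.example", "Field": "Description", "OldValue": "v1", "NewValue": "v2"},
    {"Timestamp": "2026-04-10T09:10:00Z", "ActionType": "CreateCopilotAgent", "AgentId": "ag-4",
     "Actor": "erin@contoso.example", "OwnerAccountUpns": "erin@contoso.example",
     "AuthType": "End User (OBO)", "SharingScope": "Organization", "BuilderRoles": []},
]
# Constructed burst: 40 Security Copilot triggers in the 10:00 hour, 3 in the 11:00 hour.
SAMPLE_EVENTS += [{"Timestamp": f"2026-04-10T10:{m:02d}:00Z", "ActionType": "CopilotForSecurityTrigger",
                   "Actor": "soc-automation@contoso.example"} for m in range(40)]
SAMPLE_EVENTS += [{"Timestamp": f"2026-04-10T11:{m:02d}:00Z", "ActionType": "CopilotForSecurityTrigger",
                   "Actor": "soc-automation@contoso.example"} for m in range(3)]


def rule_auth_to_no_auth(events):
    """High severity: an agent's auth type was switched to No Authentication."""
    return [{"rule": "Agent auth type changed to No Authentication", "severity": "High",
             "agent": e["AgentId"], "actor": e["Actor"], "time": e["Timestamp"]}
            for e in events
            if e["ActionType"] == "UpdateCopilotAgent" and e.get("Field") == "AuthType"
            and e.get("NewValue") == "No Authentication"]


def rule_ownerless_creation(events):
    """Medium severity: a new agent has no OwnerAccountUpns, so nobody is accountable for it."""
    return [{"rule": "Ownerless agent created", "severity": "Medium",
             "agent": e["AgentId"], "actor": e["Actor"], "time": e["Timestamp"]}
            for e in events
            if e["ActionType"] == "CreateCopilotAgent" and not e.get("OwnerAccountUpns", "").strip()]


def rule_attack_path(events):
    """High severity: maker credentials + org-wide sharing + admin builder.

    Anyone in the tenant who reaches the agent runs it with the admin's token.
    """
    return [{"rule": "Admin-built agent shared org-wide with maker credentials", "severity": "High",
             "agent": e["AgentId"], "actor": e["Actor"], "time": e["Timestamp"]}
            for e in events
            if e["ActionType"] == "CreateCopilotAgent"
            and e.get("AuthType") == "Maker credentials"
            and e.get("SharingScope") == "Organization"
            and ADMIN_ROLES & set(e.get("BuilderRoles", []))]


def rule_trigger_volume(events, baseline_per_hour=10, multiplier=3):
    """Medium severity: an hour with more than multiplier x baseline CopilotForSecurityTrigger events.

    Timestamps are ISO-8601 UTC strings, so the first 13 characters are the hour bucket.
    The baseline is a constructed figure; derive it from your own tenant's history.
    """
    per_hour = Counter(e["Timestamp"][:13] for e in events if e["ActionType"] == "CopilotForSecurityTrigger")
    return [{"rule": "CopilotForSecurityTrigger volume anomaly", "severity": "Medium",
             "hour": hour, "count": count}
            for hour, count in sorted(per_hour.items()) if count > baseline_per_hour * multiplier]


RULES = (rule_auth_to_no_auth, rule_ownerless_creation, rule_attack_path, rule_trigger_volume)


def run_rules(events):
    """Run every rule and return the combined alert list."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The attack-path rule is the one worth porting first: each of its three conditions is unremarkable on its own, and only their correlation on a single agent record turns a maker-credential agent into a tenant-wide admin token dispenser.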
The tools across Pillars 1 to 7 are powerful, but they require skilled people to configure, interpret, and act on them. Most organisations lack internal expertise in AI agent security architecture, Microsoft's identity stack, and the governance models needed to manage agent sprawl at scale. External technical and governance partners bridge that gap, not just for implementation but for building the internal capability to sustain it.
Where partners add most value
AI security readiness assessment: structured discovery across all 8 pillars. The ARA tool provides the automated baseline; partners translate findings into a prioritised, business-contextualised roadmap.
Agent governance framework design: defining who can build agents, what approval process applies, what authentication is mandated, and how owner/sponsor accountability is enforced. Policy without tooling is theatre; tooling without policy is ungoverned.
Classic Agent migration planning: scoping the migration from Classic to Modern agents. Discovery, identity governance, testing, rollback planning. Significant effort for most tenants, and the right workstream to package as a managed service.
Security architecture review: validating that Copilot Studio, Foundry, or third-party agent deployments meet the organisation's security baseline before go-live.
Incident response for agent compromise: tracing what a compromised or manipulated agent accessed, what data left the tenant, and whether the cause was prompt injection, stolen credentials, or misconfiguration.
Governance workstreams
Agent lifecycle policy: creation approval, mandatory authentication standard, owner/sponsor assignment, periodic review cadence, and decommissioning process.
Data access governance for agents: which agents can access which data sources, under what conditions, reviewed by whom and how often.
Third-party agent vetting: process for evaluating agents from the Microsoft marketplace, the partner ecosystem (SAP, ServiceNow, Workday, etc.), and custom builds before onboarding.
AI security policy and standards: organisational policy covering acceptable use, authentication mandates, data classification requirements, and monitoring obligations for AI agents.
EUDB and data residency governance: policy for which models are approved for use in Copilot Studio agents, given the EUDB compliance risk for Anthropic and other non-Microsoft-hosted models.
Service packaging opportunities
AI Security Readiness Assessment: Pillars 1 to 4, ARA tool + KQL audit + gap register. Fixed scope, 2 to 4 week engagement.
Agent Governance Design: Pillars 2 and 3 plus governance framework. Policy, process, and tooling configuration.
Classic Agent Migration: Pillar 2 focused. Discovery, identity governance uplift, test migration, rollout plan.
AI Security Managed Service: ongoing Pillars 4 and 7. ATG monitoring, Sentinel rule management, alert triage, monthly posture reporting.
CISO AI Risk Briefing: Pillars 1 and 5. Executive-level gap analysis using the site's business chat mode as a live reference tool.
The key insight for partner positioning
Microsoft's tooling is increasingly sophisticated but the configuration burden is high, the Classic Agent migration problem is real and requires hands-on work, and governance frameworks don't build themselves. The gap between "here is your ARA report" and "your agents are now governed and secure" is a well-defined, repeatable services opportunity.
Quick reference
Eight pillars at a glance
| # | Pillar | Start here | Key product | Critical gap |
|---|---|---|---|---|
| 1 | Visibility & Inventory | ARA tool + AIAgentsInfo KQL audit | Security Dashboard for AI | 73% of agents invisible to agent-specific controls |
| 2 | Identity | Map Classic vs Modern estate; assign Owners | Entra Agent ID | Auth type changeable by any user, no policy lock |
| 3 | Data Security | Purview DLP policy + SAM RCD for SharePoint | Purview DLP for Copilot | EUDB gap: Anthropic models process outside the EU Data Boundary |
| 4 | Endpoints & Cloud | ATG + dual-admin Defender/Power Platform setup | ATG (Agent Tooling Gateway) | ATG misses the reasoning layer; the model can decide before ATG fires |
| 5 | Zero Trust for AI | ZT4AI reference architecture + three-stage maturity model | ZT4AI + Entra + CA | ZT Assessment AI pillar not until summer 2026 |
| 6 | Agents in Security Workflows | Security Copilot (E5 included) + Security Analyst Agent | Microsoft Security Copilot | Security agents must be governed the same way as the agents they protect |
| 7 | Agentic SIEM Platform | Auth-type change Analytics Rule + Copilot Data Connector | Microsoft Sentinel | Copilot Data Connector is single-tenant only (MSSP limitation) |
| 8 | Technical & Governance Partners | AI security readiness assessment + agent governance framework design | Partner-led services | - |
Source
Microsoft RSAC 2026: Vasu Jakkal, Secure agentic AI end-to-end (March 20, 2026) · Agent 365 GA announcement · ZT4AI reference architecture · Site content compiled from Microsoft Learn, the Microsoft Security Blog, RSAC 2026 announcements, and field research from the Microsoft Security MVP community.