{“lastseen”:”2025-08-26T17:15:02″,”description”:”_In this blog, you will hear directly from Corporate Vice President and Deputy Chief Information Security Officer (CISO) for Identity, Igor Sakhnov, about how to secure and govern autonomous agents. This blog is part of a new ongoing series where our Deputy CISOs share their thoughts on what is most important in their respective domains. In this series you will get practical advice, forward-looking commentary on where the industry is going, things you should stop doing, and more._\\n\\n## By 2026, enterprises may have more autonomous agents than human users. Are we ready to secure and govern them?\\n\\n2024 was a year defined by learning about generative AI. Organizations were experimenting with it: testing its boundaries and exploring its potential. In 2025, organizations moved into execution. Autonomous agents are no longer theoretical. They\u2019re now being deployed across development, operations, and business workflows.\\n\\nThis shift is being driven by platforms like Microsoft Copilot Studio and Azure AI Foundry and accelerated by patterns like Model Context Protocol (MCP) and Agent-to-Agent (A2A) interactions. These agents are evolving from tools into digital actors\u2014ones capable of reasoning, acting, and collaborating.\\n\\nThat evolution brings real value. But it also introduces a new class of risk\u2014and with it, a new set of responsibilities.\\n\\n## The rise of the agent: What’s here and what’s next\\n\\nTo understand the rise of autonomous agents, it\u2019s worth starting at the beginning. Generative AI first captured the spotlight with models that could produce human-like text, code, and imagery. Meanwhile, researchers were also advancing autonomous systems designed to perceive, decide, and act independently. As these two domains converged, a new class of AI emerged\u2014agents capable not just of generating output, but of taking action towards goals with limited human input. Today, these agents are beginning to surface across each layer of the cloud stack, each designed to tackle different layers of complexity:\\n\\n * **Software as a service (SaaS)-based agents** , often built using low-code or no-code platforms like Copilot Studio, are enabling business users to automate tasks with minimal technical support.\\n * **Platform as a service (PaaS)-based agents** support both low-code and pro-code development, offering flexibility for teams building more sophisticated solutions. Azure AI Foundry is a good example.\\n * **Infrastructure as a service (IaaS)-based agents** are typically deployed in virtual networks (VNETs), virtual private clouds (VPCs), or on-premises environments, often as custom models or services integrated into enterprise infrastructure.\\n\\n\\n\\nEach of these categories includes both custom-built first-party and third-party individual software vendors (ISVs) agents, all of whom are rapidly multiplying across the enterprise. As organizations embrace this diversity and scale, the number of agents will soon outpace human users\u2014making visibility, oversight, and robust governance not just important, but essential.\\n\\n## The new risk landscape: Why agents are different\\n\\nWhile autonomous agents unlock new levels of efficiency, scalability, and continuous operation for organizations, they also introduce a fundamentally different risk profile:\\n\\n * **Self-initiating** : Agents can act without direct human prompts, enabling automation and responsiveness at scale\u2014but this autonomy also means they may take unintended actions or operate outside established guardrails.\\n * **Persistent** : Running continuously with long-lived access allows agents to deliver ongoing value and handle tasks around the clock. However, persistent presence increases the risk of over-permissioning, lifecycle drift, and undetected misuse.\\n * **Opaque** : Their ability to operate as \u201cblack boxes\u201d can simplify complex workflows and abstract away technical details, but it also makes them difficult to audit, explain, or troubleshoot\u2014especially when built on large language models (LLMs).\\n * **Prolific** : The ease with which agents can be created, even by non-technical users, accelerates innovation and experimentation\u2014while simultaneously increasing the risk of shadow agents, sprawl, and inconsistent governance.\\n * **Interconnected** : By calling other agents and services, they can orchestrate complex, multi-step processes\u2014but this interconnectedness creates complex dependencies and new attack surfaces that are challenging to secure and monitor.\\n\\n\\n\\nGiven this new risk profile, these autonomous agents aren\u2019t a minor extension of existing identity or application governance\u2014they\u2019re a new workload. Treat them accordingly.\\n\\nWhat\u2019s more\u2014as they scale, **they will soon outnumber human users in the enterprise**.\\n\\n## Common failure points in autonomous agents\\n\\nDespite their impressive capabilities, AI agents can still make mistakes. These errors tend to arise during long-running tasks, where \u201ctask drift\u201d can occur, or when the agent encounters malicious input such as Cross Prompt Injection Attacks (XPIA). In these cases, the agent may veer off course or even be manipulated into acting against its intended purpose.\\n\\nThat\u2019s why it\u2019s useful to approach agent security the same way you would approach working with a junior employee: by setting clear guardrails, monitoring behavior, and establishing strong protections. Microsoft is addressing XPIA with prompt shields and evolving best practices. Robust authentication can help counter deepfakes, and improved prompt engineering through orchestration or employee training can reduce hallucinations and strengthen overall response accuracy.\\n\\n## Understanding Model Context Protocol for agent governance\\n\\nOne of the most powerful enablers of the growth of autonomous agents is the Model Context Protocol (MCP). MCP is an open standard that allows AI agents to securely and effectively connect with external data sources, tools, and services\u2014providing flexibility to fetch real-time data, call external tools, and operate autonomously. This open standard essentially acts as a \u201cUSB-C port for AI.\u201d\\n\\nBut with that flexibility comes risk. Poorly governed MCP implementations can expose agents to data exfiltration, prompt injection, or access to unvetted services. Because MCPs are easy to create, they can proliferate quickly, often without proper access controls or oversight. This is where role-based access control (RBAC) becomes critical: MCP\u2019s ability to connect agents to a wide range of resources means that robust, granular access controls are essential to prevent misuse. However, implementing effective role-based access control for MCP-enabled agents is complex: it requires dynamic, context-aware permissions that can adapt to rapidly changing agent behaviors and access needs. Without this rigor, organizations risk over-permissioning agents, losing visibility into who can access what, and ultimately exposing sensitive data or critical services to unauthorized use.\\n\\nIn short, agents don\u2019t sleep, they don\u2019t forget, and they don\u2019t always follow the rules. That\u2019s why governance and thought-through authorization can\u2019t be optional, for both agents and MCP servers.\\n\\n## Securing and governing agents starts with visibility\\n\\nThe first challenge customers raise is simple: \u201cDo I even know which agents I have?\u201d Before any meaningful governance or security can take place, organizations must achieve observability. Without a clear inventory of agents\u2014across SaaS, PaaS, IaaS, and local environments\u2014governance is guesswork. Visibility provides the foundation for everything that follows: it helps organizations to audit agent activity, understand ownership, and assess access patterns. Only with this single, unified view can organizations move from reactive oversight to proactive control.\\n\\nOnce visibility is in place, securing and governing agents requires a layered approach built on seven core capabilities:\\n\\n### **Identity management**\\n\\nAgents must have unique, traceable identities. These identities might be identities derived, but distinguishable, from user identities or independent identities like those used by services\u2014but no matter what they are, these identities need to be governed throughout their lifecycle (from creation to deactivation) with clear sponsorship and accountability to prevent sprawl.\\n\\n### **Access control**\\n\\nAgents should operate with the minimum permissions required. Whether acting autonomously or on behalf of a user, access must be scoped, time-bound, and revocable in real time.\\n\\n### **Data security**\\n\\nSensitive data must be protected at every step. This requires implementing inline data loss prevention (DLP), sensitivity-aware controls, and adaptive policies to prevent oversharing. These safeguards are especially critical in low-code environments where agents are created quickly and often without sufficient oversight.\\n\\n### **Posture management**\\n\\nSecurity posture must be continuously assessed. Organizations need to continually identify misconfigurations, excessive permissions, and vulnerable components across the agent stack to maintain a strong baseline.\\n\\n### Threat protection\\n\\nAgents introduce new attack surfaces; therefore, prompt injection, misuse, and anomalous behavior must be detected early. To mitigate this increased surface area for attacks, signals from across the compute, data, and AI layers should feed into existing extended detection and response (XDR) platforms for proactive defense.\\n\\n### Network security\\n\\nJust like users and devices, agents need secure network access. That includes controlling which agents can access which resources, inspecting traffic, and blocking access to malicious or non-compliant destinations.\\n\\n### Compliance\\n\\nAgent activities must align with internal policies and external regulations. Organizations should audit interactions, enforce retention policies, and demonstrate compliance across the agent lifecycle.\\n\\nThese are not theoretical requirements; they are essential for building trust in agentic systems at scale.\\n\\n## Building the foundation: Agent identity\\n\\nTo address the need for augmented governance, Microsoft is introducing **Entra Agent ID**\u2014a new identity designed specifically for AI agents. You can think of them the same way as managed identities (MSIs) with no default permissions. They can act on behalf of users, other agents, or independently, with just-in-time access that\u2019s automatically revoked when no longer needed. They\u2019re secure by default, auditable, and easy for developers to use. As organizations move beyond managing just users and applications, the need to extend these foundational identity principles to AI agents becomes increasingly important.\\n\\nAn emerging strategy to manage AI agents at scale and improve risk management is the concept of an agent registry. While the directory of Microsoft Entra ID is an authoritative source for both human users and application artifacts, there is a need to provide a similar authoritative store for all agent-specific metadata. This is where the concept of an agent registry comes in\u2014serving as a natural extension to the directory, tailored to capture the unique attributes, relationships, and operational context of AI agents as they proliferate across the enterprise. As these registries evolve, they are likely to integrate with core components like MCP servers, reflecting the expanding role of agents within the ecosystem. Together, these tools will allow organizations to achieve observability, manage risk, and scale governance.\\n\\n## Extending Microsoft Security to meet the moment\\n\\nTo meet organizational needs that come with autonomous agents, Microsoft is building on a strong foundation and extending our existing security products to meet the unique demands of the agentic era, grounded in a Zero Trust approach that protects both people and AI agents.\\n\\nMicrosoft\u2019s security stack\u2014including Entra, Purview, Defender, and more\u2014adapts identity management, access control, data protection, secure network access, threat detection, posture management, and compliance to support AI agents across both first-party and third-party ecosystems. We are innovating from this baseline to deliver agent-specific capabilities:\\n\\n * **Microsoft Entra** extends identity management and access control to AI agents, ensuring each agent has a unique, governed identity and operates with just-in-time, least-privilege access.\\n * **Microsoft Purview** brings robust data security and compliance controls to AI agents, helping organizations prevent data oversharing, manage regulatory requirements, and gain visibility into AI-specific risks.\\n * **Microsoft Defender** integrates AI security posture management and runtime threat protection, empowering developers and security teams to proactively mitigate risks and respond to emerging threats in agentic environments.\\n\\n\\n\\nThis isn\u2019t a separate security silo for AI. It\u2019s agent governance becoming a natural extension of the security investments customers already trust\u2014ones that are integrated, consistent, and ready to scale with them.\\n\\n## **A call to action**\\n\\nThe agentic era is here, and the opportunities are real\u2014but so are the risks.\\n\\nTo move quickly without compromising trust, we need to integrate governance into the core of agent design. This begins with visibility, scales with identity, access, and data controls, and matures with posture, threat, and compliance capabilities that treat agents as first-class workloads.\\n\\nLet\u2019s build a future where agents are not just powerful\u2014but trustworthy by design.\\n\\nLearn more: Build a strong security posture for AI\\n\\n## Learn more with Microsoft Security\\n\\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.\\n\\nThe post Securing and governing the rise of autonomous agents\u200b\u200b appeared first on Microsoft Security Blog.”,”published”:”2025-08-26T16:00:00″,”modified”:”2025-08-26T16:00:00″,”type”:”mssecure”,”title”:”Securing and governing the rise of autonomous agents\u200b\u200b”,”source”:””,”references”:””,”id”:”MSSECURE:4632F634EC8364E5BFFF7F9A8FDECB2C”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/08\/26\/securing-and-governing-the-rise-of-autonomous-agents\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-26T17:15:02″,”description”:”_In this blog, you will hear directly from Corporate Vice President and Deputy Chief Information Security Officer (CISO) for Identity, Igor Sakhnov, about how to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-14403","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n