Microsoft Foundry IQ and Agent 365: Enterprise Grounding Governance and Model Routing

Microsoft’s latest Foundry updates shift the company’s agent strategy from experimentation to an enterprise-ready operational platform, adding a managed knowledge layer, a centralized control plane, a unified tools catalog, and an intelligent model router that together aim to simplify agent creation, grounding, security, and cost management for large organizations.

Background / Overview​

Microsoft used Ignite 2025 to present a complete, integrated vision for agentic AI: make agents useful by grounding them in enterprise context, make them easy to build with low‑code and developer tools, and make them safe and auditable through enterprise identity and security primitives. This narrative stitches together Work IQ, Fabric IQ, Foundry IQ, Copilot Studio, Azure AI Foundry / Foundry Agent Service, and the new Foundry Control Plane / Agent 365 story. The announcements are positioned to solve three long-standing enterprise problems at once:

• Grounding: give agents reliable, permission-aware access to corporate knowledge so answers are accurate and auditable.
• Orchestration: provide managed runtimes and multi-agent workflows so agents can be deployed and coordinated in production.
• Governance: treat agents as first-class tenant principals with identity, lifecycle controls, telemetry, and policy enforcement.

Below is a deeper look at the new capabilities, how they work, what is verified versus still vendor‑sourced, and pragmatic guidance for IT teams planning pilots or rollouts.

---

Foundry IQ: a managed knowledge layer for agents​

What Foundry IQ is and why it matters​

Foundry IQ is a managed knowledge service that provides agents with a single API to retrieve enterprise knowledge from indexed and federated sources such as SharePoint, OneLake/ADLS, Azure data stores, and selected web content. It automates the common Retrieval‑Augmented Generation (RAG) plumbing—indexing, vectorization, query planning and synthesis—so developers don’t have to build and maintain ad‑hoc retrieval stacks for each agent. Foundry IQ is built on Azure AI Search and enforces Microsoft Purview security and sensitivity labels at query time, preserving document-level access controls. That managed grounding matters because uncontrolled or poorly secured retrieval pipelines are one of the largest sources of hallucination and data leakage in enterprise LLM applications. By centralizing indexing, relevance tuning, and query‑time policy enforcement, Foundry IQ reduces repetitive engineering work and surfaces a consistent, auditable grounding layer across agent deployments.

Technical highlights and developer ergonomics​

• Knowledge bases: reusable, topic‑centric collections developers can attach to agents.
• Agentic retrieval engine: an AI‑driven planner that performs iterative search, multi‑source synthesis, and configurable retrieval effort per query.
• Multimodal indexing: support for images, documents and complex artifacts with enrichment and vector embeddings.
• Purview alignment: sensitivity labels and ACLs are respected during indexing and query‑time retrieval so results are scoped to the calling identity.

These features are available in public preview; Microsoft’s documentation and product blog posts describe the architecture and capabilities in detail. Independent coverage (enterprise IT press and analyst commentary) confirms the product direction and the reliance on Azure AI Search and Purview for security controls.

Practical limits and verification​

Foundry IQ simplifies RAG but does not remove the need for data hygiene and ontology work. Its effectiveness depends on:

• quality of metadata and sensitivity labeling upstream,
• correct mapping of business entities to indexed content,
• governance of cached or persistent embeddings and memory artifacts.

Enterprises should validate indexing coverage, retention policies, and how Purview labels propagate into the knowledge indexes during pilot runs. The product documentation and preview notes make these caveats explicit.

---

Fabric IQ and Work IQ: semantic and people context​

Fabric IQ — a semantic business ontology​

Fabric IQ is presented as a semantic intelligence layer within Microsoft Fabric that maps analytics, time‑series, and operational systems into business entities (orders, SKUs, service incidents). The goal is to let agents query business concepts rather than raw tables, reducing brittle schema mappings and improving multi‑hop reasoning. Fabric IQ integrates with Power BI models and OneLake to accelerate semantic modeling where customers have existing BI artifacts.

Work IQ — people and behavior signals​

Work IQ draws signals from Microsoft 365 (mail, calendar, chats, meetings, relationships) to model how people work and provide memory and preference signals to agents and Copilots. The net effect is to make agent responses contextually appropriate to the person or team they serve, not just generically correct. Work IQ raises standard operational questions about retention, privacy and the governance of conversational memory.

---

Foundry Control Plane and Agent 365: governance and observability​

Foundry Control Plane (DevOps + SecOps for agents)​

The Foundry Control Plane (in preview) targets developers and DevOps teams by centralizing observability, lifecycle management, and policy enforcement for agents across Foundry and external platforms. It issues Entra Agent IDs to agents, ties runtime telemetry into Defender and OpenTelemetry traces, and surfaces fleet‑wide health, policy coverage, and cost metrics. This control plane extends the Agent 365 governance story to developer workflows so teams can act on alerts, run evaluations, and enforce behavioral guardrails. Key capabilities called out by Microsoft:

• Fleetwide visibility and unified dashboards for agents across platforms.
• Identity and access via Entra Agent ID so agents are managed like other directory principals.
• Runtime security integration with Microsoft Defender and data protection via Microsoft Purview.
• Cost and usage management, with central limits and policy enforcement through an AI Gateway and Foundry integrations.

Agent 365: the administrative control plane​

Agent 365 is Microsoft’s broader administrative control plane where tenants can catalog, approve, and monitor agents. It tightly integrates with the Agent Store, Copilot Studio and admin controls in Microsoft 365. Treating agents as directory objects lets enterprises reuse existing IAM, access review and compliance flows for agent lifecycle management. The public materials show Agent 365 as a staged rollout through Microsoft’s Frontier preview program.

What’s verified and what to test​

Microsoft’s product pages, Book of News and TechCommunity posts confirm the Foundry Control Plane and Agent 365 capabilities in preview. Operational teams should validate:

• Entra Agent ID provisioning flows and how agent credentials are rotated or scoped.
• Defender signal coverage and what runtime behaviors trigger alerts.
• Purview enforcement semantics during both indexed and federated retrievals.
• Cost telemetry granularity and alerting mechanisms during high‑volume runs.

---

Model Context Protocol (MCP) tools catalog and Foundry Tools​

MCP tools catalog — a unified tool registry​

Microsoft introduced a tools catalog for Model Context Protocol (MCP) servers—an inventory of prebuilt connectors, logic app integrations, managed MCP servers, and vendor MCP implementations that agents can discover and call. The catalog aggregates thousands of connectors (Microsoft has promoted figures like 1,400+ connectors and the inclusion of Logic Apps connectors) and provides built‑in governance, lifecycle, and observability for MCP tool usage. Major partners (MongoDB, SAP, Salesforce, HubSpot) and first‑party MCP servers for Outlook, SharePoint, Teams, Dataverse, and others are surfaced as curated tools.

Why MCP matters in practice​

MCP standardizes the interface between agents and external systems, reducing bespoke integration work and making tool calls deterministic and auditable. For enterprises this means:

• Tools can expose deterministic CRUD operations (for example, Outlook calendar, SharePoint file operations) instead of ad‑hoc “scrape and hope” methods.
• IT can scope which tools an agent can see and what actions are allowed, enabling fine‑grained least‑privilege controls.
• Tool calls are traced and can be rate limited, payload‑checked and scanned for DLP policy violations at runtime.

MongoDB, among other partners, published guidance and examples showing the MongoDB MCP Server available in Foundry’s tools catalog — a concrete example of third‑party MCP servers integrated via the catalog. That validates the claim that partners can publish MCP servers into Foundry and that Foundry will manage them as governed tools.

---

Model router: dynamic model selection and the economics claim​

What the model router does​

The model router is a Foundry capability that routes each request to the most appropriate model based on configurable policies (cost, latency, accuracy) and runtime benchmarking. It exposes a single endpoint while selecting from a catalog of models—Microsoft says this reduces operational complexity and supports BYOM (bring your own model) alongside managed models. Microsoft’s Book of News and Foundry blog assert that early customer deployments show substantial gains, citing figures such as up to 40% faster responses and up to 50% lower costs, and list a roster of supported models (GPT‑4.1 family, GPT‑5 family, gpt‑oss variants, DeepSeek, Llama variants, Grok 4 and Grok 4 Fast). The model router is now generally available in Foundry and previewed inside Foundry Agent Service.

Verification and caution​

Those performance and cost numbers come from Microsoft’s Book of News and in‑product case studies; independent press coverage and early adopter reports corroborate the model router’s availability and model breadth. However, the precise percentage improvements are vendor‑reported and should be treated as directional vendor benchmarks—enterprises must validate gains on their own workloads because routing effectiveness depends heavily on the workload mix, prompt patterns, and the chosen models.

Practical implications​

• The router simplifies experimentation and lets platforms enforce routing modes (Cost Saving / Balanced / Quality) that map to business SLAs.
• For high‑volume flows, the router enables a cost tiering strategy where “mini” or OSS models handle routine queries and pro models are reserved for sensitive, high‑value requests.
• You should run a shadow‑routing trial comparing direct model calls vs. router decisions before switching production traffic wholesale.

---

Foundry Agent Service: hosted agents, memory and multi‑agent workflows​

Hosted runtime and built‑in memory​

Foundry Agent Service now provides a managed runtime for agents with built‑in memory (scoped and Entra‑governed), hosted agents (no container management), persistent state for long‑running workflows, and multi‑agent orchestration primitives (visual designer and programmatic APIs). These features close the gap between PoC agents and production services by offering autoscaling, identity integration, and telemetry out of the box.

Multi‑agent workflows and Magma​

Microsoft showcased a multi‑agent orchestration model (sometimes referenced under names such as Magma or multi‑agent goal management architecture), enabling dozens or hundreds of specialized agents to collaborate on large business processes. The visual workflow designer exports patterns for human‑in‑the‑loop gates, error recovery, and state sharing between agents. This is aimed at enterprise scenarios such as onboarding pipelines, incident response, and cross‑system approvals.

---

Security, governance and operational risks — the critical view​

Strengths​

• Platform completeness: Identity (Entra), data (Fabric + OneLake), knowledge (Foundry IQ), models (Foundry model catalog) and governance (Agent 365 / Foundry Control Plane) are tightly integrated, reducing engineering friction for Microsoft‑centric estates.
• Governance by design: Treating agents as directory principals with Entra Agent IDs, integrating Defender and Purview, and centralized telemetry materially raises the operational bar for safe production use.
• Interoperability signals: MCP adoption and partner integrations (MongoDB, ServiceNow, SAP, Salesforce) reduce lock‑in and enable richer tooling for agents across enterprise systems.

Risks and unresolved questions​

• Vendor‑sourced performance and savings claims: Metrics like “40% faster” and “50% lower costs” are vendor‑reported and based on early customer deployments; treat them as indicative but validate on representative workloads. Microsoft’s Book of News and blog posts present these results, but organizations should run their own benchmarks.
• Data provenance and leakage: Agents that access mail, files and live systems increase the attack surface. Purview integration helps, but upstream labeling quality and runtime enforcement behaviors must be audited during pilots.
• Agent sprawl and lifecycle: Low‑code authoring plus agent catalogs can lead to thousands of agents unless lifecycle, ownership, and deprovisioning are strictly enforced. Agent 365/Foundry Control Plane aim to address this, but organizational process is essential.
• Licensing and cost predictability: Per‑agent, per‑call, model compute, and tool usage create complex billing surfaces. Budget governance and quota controls should be defined before broad adoption.
• Regulatory and privacy concerns: Memory, retention of Work IQ artifacts, and cross‑tenant data flows require clear retention rules and legal review in regulated industries. Purview helps but is not a substitute for compliance verification.

---

Practical rollout checklist for IT and SecOps​

• Inventory existing automation and candidate workflows to convert into agents (ticket triage, meeting follow‑ups, provisioning tasks).
• Pilot Foundry IQ knowledge bases for one domain; verify indexing coverage, sensitivity label propagation, and query‑time enforcement.
• Start Agent 365 in monitor‑only mode: onboard a small set of read‑only agents to validate telemetry and alerting, before permitting writes.
• Shadow test the model router: compare its routing against fixed model calls on a representative workload to measure latency, accuracy and cost differences.
• Enforce Entra Agent IDs and least‑privilege MCP tool scopes; require explicit owner and cost center metadata for every published agent.
• Integrate agent telemetry into SIEM/SOAR and create runbooks for agent misbehavior (quarantine, revoke identity, rollback actions).
• Define retention and deletion policies for Work IQ memory and Foundry IQ caches; involve legal and privacy early.

---

Ecosystem and partner implications​

Microsoft positioned Foundry as a multi‑vendor model marketplace and orchestration layer. Partnerships with Anthropic, Cohere, MongoDB and many Logic Apps partners expand practical options for model choice and data connectivity, while MCP provides a common standard for tool discovery and usage. For ISVs and system integrators, the Foundry Tools catalog and Agent Store create new distribution and monetization channels—provided those partners meet enterprise governance expectations.

---

Conclusion — strategic takeaways for WindowsForum readers​

Microsoft’s Foundry upgrades are a substantial step toward operationalizing agentic AI at enterprise scale. The new stack—Foundry IQ for managed grounding, Fabric IQ/Work IQ for semantic and people context, Foundry Control Plane/Agent 365 for governance, a Model Context Protocol tools catalog, and a model router—addresses the three most common enterprise blockers: grounding, orchestration and governance. These pieces are available now in varying preview stages and are documented in Microsoft’s Book of News, product blogs and partner writeups. The practical reality for IT teams is that Microsoft reduces engineering friction but does not eliminate the need for disciplined data management, identity controls, telemetry integration and cost governance. The vendor performance and savings claims are promising, but they are vendor‑reported—enterprises must validate them on real workloads and adopt a measured, phased rollout that emphasizes monitoring, human‑in‑the‑loop approvals for high‑impact tasks, and a rigorous agent lifecycle. For WindowsForum readers focused on secure adoption: treat agents as a new class of workload—plan for identity, least‑privilege MCP tool scoping, DLP verification, and SIEM integration before you allow agentic write operations into production systems. The Foundry updates give IT teams the primitives to do this; the responsibility for secure implementation remains squarely with enterprise architects, SecOps, and application owners.

---

Note on verification: most product claims described above are documented in Microsoft’s Ignite Book of News and Foundry product blogs; independent coverage from enterprise press and partner blogs corroborates the principal features and integration patterns. Performance figures and market forecasts quoted by Microsoft should be treated as vendor‑provided and validated with pilot measurements in your environment before relying on them for capacity or financial planning.

---

Source: Petri IT Knowledgebase Microsoft Rolls Out New Foundry Upgrades for AI Agent Management