Secure AI Agents Like Identities: The New Agentic Security Gap

Technology Record’s Issue 40 lands at a moment when the AI conversation has moved decisively from experimentation to control. The magazine’s Spring 2026 cover story captures a hard truth: AI agents are no longer harmless copilots, but software actors with access, autonomy, and consequences. That shift is forcing enterprises to confront a new security gap, one that is widening faster than most governance programs can close. The core warning is simple: if organisations do not secure agents with the same seriousness they apply to employees and service accounts, they risk turning productivity gains into new exposure pathways.

Background​

The latest Technology Record feature is built around a problem Microsoft has been emphasizing throughout 2026: the rise of agentic AI as an operational reality, not a future concept. According to the issue’s cover story, IDC expects 1.3 billion AI agents in circulation by 2028, while Microsoft says more than 80 per cent of Fortune 500 companies already use agents that can access corporate data and operate across business systems. That scale matters because the security challenge is no longer theoretical. When agents can inherit permissions and move across workflows, they become part of the enterprise attack surface.
What makes the moment particularly awkward for security teams is the mismatch between adoption and control. The Technology Record article notes that fewer than half of the organisations surveyed for Microsoft’s 2026 Data Security Index have established controls for generative AI, even as leaders struggle to understand how regulators will interpret the technology. That gap between deployment and oversight is the central tension of the issue. It is also why Microsoft is pushing the message that AI agents should be governed like human identities rather than treated as loose automation scripts.
The issue’s framing fits Microsoft’s wider 2026 security narrative. In its RSAC 2026 messaging, Microsoft positioned Agent 365 as a control plane for agents, alongside expanded capabilities in Defender, Entra, Purview, Sentinel, and Security Copilot. The company’s argument is that enterprises already know how to govern users, devices, apps, and cloud workloads; now they must extend that same discipline to non-human actors that can plan, act, and hand off tasks. That is a notable shift because it moves AI security from a specialist concern into mainstream identity and governance practice.
The magazine also highlights a broader market reality: security vendors are racing to define the AI governance stack before customers settle on an architecture. Microsoft’s strategy is to position itself as the platform that can unify identity, data protection, endpoint controls, cloud posture management, and SOC automation. Competitors, meanwhile, are responding with niche guardrails, runtime protection, or independent governance layers. The result is a market that is still forming its vocabulary, let alone its standards.
That is why this cover story matters beyond Microsoft’s own product line. It is not just about one vendor’s roadmap. It is about the fact that agent governance is becoming a category, and the organisations that move early may be able to shape policy, process, and procurement before the first major incident resets the conversation. The issue’s “mind gap” framing is especially apt: the technology is moving faster than the management model around it.

---

The New Security Baseline​

The most important takeaway from Issue 40 is that AI agents have crossed the threshold from experimentation to production risk. When an agent can access email, query databases, trigger workflows, or expose data from connected repositories, it is no longer just generating text. It is executing business logic, and that puts it squarely inside the security domain. Microsoft’s own view, echoed in the feature, is that the right comparison is not to a chatbot but to an identity with delegated authority.
That change forces a practical rethinking of control points. Traditional security programs are built around files, endpoints, users, and applications. Agentic systems blur all four at once because they can pull context from one source, act in another, and leave a trail that is difficult to classify afterward. The feature’s emphasis on agent sprawl, data oversharing, and shadow AI reflects a broader concern that the biggest risk may not be malicious intent but uncontrolled inheritance.

Why identity now matters most​

Identity has become the centre of gravity because agents inherit access through the same mechanisms humans use: credentials, sessions, permissions, and service accounts. That makes the identity layer both powerful and fragile. If the identity model is loose, then every AI workflow becomes a potential overreach point, no matter how sophisticated the model itself may be.
This is why Microsoft keeps returning to Entra, access controls, and governance tooling. The company’s posture is that security for AI begins with security of identity. In enterprise terms, that means the question is not merely what the agent can do, but what the identity behind the agent can prove, inherit, and relinquish. That is a profound operational change for IT teams that have historically separated human access from machine access.

• Agents inherit permissions, so weak identity governance becomes AI risk.
• Service accounts and tokens need the same scrutiny as user accounts.
• Access reviews must account for non-human actors.
• Auditability becomes as important as prevention.
• Least privilege is harder, but more necessary, in agentic environments.

The hidden cost of convenience​

AI agents are attractive because they reduce friction. They can connect systems, summarise information, and act across workflows with minimal human intervention. But convenience has a hidden cost: every extra permission granted to make the agent useful also expands the blast radius if something goes wrong. That trade-off is what makes the current wave of adoption so precarious.
The feature’s language around data oversharing is particularly important. In a classic security model, overexposure is a configuration problem. In an agentic model, overexposure can become a behaviour problem, because the agent may surface material that is technically authorised but contextually inappropriate. That distinction will matter a great deal in compliance investigations and board-level risk discussions.

---

Microsoft’s Platform Play​

Microsoft is clearly trying to make AI governance feel familiar by anchoring it in existing enterprise control planes. The message is that customers do not need to invent a separate discipline for AI; they can extend the one they already use. That is a strategically smart move because it lowers adoption friction and gives CISOs a place to start. It also reinforces Microsoft’s broader pitch that it can provide a single operating layer for identity, data, endpoint, and agent management.
At the centre of that story is Agent 365, which Microsoft describes as a control plane for agents. The idea is to let teams observe, secure, and govern agents using the same infrastructure that already supports Defender, Entra, and Purview. The commercial logic is obvious: if Microsoft can fold agent governance into the stack buyers already trust, it can turn a new category into an extension of an existing budget.

Why bundling matters​

Bundling is not just a pricing tactic; it is an architectural argument. By tying agent controls to broader Microsoft 365 and security capabilities, Microsoft is saying the AI problem cannot be solved in fragments. That matters for large customers because it gives them a path to implementation that is both operationally coherent and financially easier to defend.
There is also a competitive dimension. Microsoft is trying to define the category before rivals can fracture it into specialist niches. Identity vendors will argue for stronger controls at the account layer, while data-security vendors will emphasise protection around prompts, grounding, and outputs. Microsoft’s answer is to claim that all of those risks belong in one platform narrative.

• Platform bundling can reduce procurement friction.
• Single-vendor control may simplify governance reporting.
• Unified tooling can accelerate policy enforcement.
• Integrated logs may improve forensic investigations.
• The trade-off is greater dependence on one ecosystem.

The appeal of continuity​

One reason Microsoft’s approach resonates is that it promises policy continuity. Enterprises already know how to manage users, apps, and permissions. If agents can be brought under the same governance umbrella, then IT teams gain a cleaner way to write policies, track exceptions, and enforce accountability. That consistency is attractive, especially in environments where security is already fragmented across too many tools.
But continuity can also be deceptive. A control model that looks familiar on paper may still require substantial tuning in practice. Agentic workflows can be dynamic, contextual, and sometimes opaque, which means the old assumptions about access and audit may need stronger verification than many organisations are prepared to provide.

---

Data Security and Oversharing​

One of the strongest parts of the cover story is its focus on data oversharing. That is the problem that turns generative AI from a helpful interface into a potential leak path. If an agent can pull from shared drives, internal systems, or connected repositories, it may reveal information that users did not realise they had access to in the first place.
The report’s reference to Microsoft’s 2026 Data Security Index is significant because it underscores how uneven enterprise preparedness remains. Fewer than half of surveyed organisations have controls for generative AI, which suggests that many firms are still treating prompt activity as a productivity issue rather than a governed data event. That is a risky assumption when the tool can traverse so many repositories so quickly.

The difference between access and exposure​

Access does not always equal appropriate exposure. A human user may be authorised to view a file, but that does not mean an agent should surface it in a summary, combine it with other data, or pass it into a downstream workflow. The distinction sounds subtle, but it is central to how AI security teams will need to think about policy.
That is also why Microsoft and its security ecosystem are leaning into data loss prevention, classification, and policy enforcement. When AI becomes a layer on top of existing systems, the control problem shifts from preventing access entirely to governing how data is discovered, summarised, and propagated. That makes visibility a prerequisite, not a luxury.
A useful way to think about this is to compare agent activity with a chain of custody. If a response is generated from multiple sources, the organisation must be able to explain what was accessed, what was included, and why the agent was allowed to produce the result it did. Without that record, incident response becomes guesswork.

Shadow AI as a governance blind spot​

The feature also highlights shadow AI, which is increasingly the enterprise equivalent of unsanctioned shadow IT. The difference is that shadow AI can inherit permissions, connect to data, and produce work product at machine speed. That makes it harder to detect and potentially more dangerous than older forms of unsanctioned software adoption.
Shadow AI often arrives through convenience. Teams adopt agents to speed up routine tasks, automate repetitive work, or test a new workflow before security has reviewed it. That grassroots adoption can be valuable, but it becomes a liability when no one has a clean inventory of which agents exist, what they can reach, or who approved them.

• Shadow AI often starts as harmless experimentation.
• It becomes dangerous when permissions are inherited unchecked.
• Uncatalogued agents are difficult to audit.
• Decentralised adoption complicates policy enforcement.
• Governance must cover both sanctioned and unsanctioned tools.

---

Regulating the Agent Layer​

The magazine’s cover story wisely notes that many leaders are still unclear on how regulators will oversee AI agents. That uncertainty matters because governance is not just an internal policy problem; it is also an external compliance question. Organisations need controls that can satisfy auditors, lawyers, and regulators, not just security teams.
That is one reason Microsoft’s framing of agents as identities is so useful. Regulators understand identity, access, logging, and accountability far better than they understand prompt chains or model routing. By translating AI risk into a governance language that is already familiar, Microsoft is making the case for faster enterprise adoption of controls.

Governance starts with inventory​

Before policy can be enforced, agents must be discovered, inventoried, and classified. That sounds obvious, but it is one of the most difficult tasks in modern enterprise environments because agents may be embedded in workflows, linked through APIs, or spun up by business teams without central review. The Microsoft narrative around Agent 365 is partly an answer to that inventory problem.
Once inventory exists, organisations can begin to apply lifecycle controls. That includes approval, role assignment, access reviews, change tracking, and retirement policies. The importance of those mundane controls cannot be overstated. AI governance will fail if it is treated as a one-time launch exercise rather than a continuous operational discipline.

• Inventory is the first step toward governance.
• Approval workflows should be tied to business ownership.
• Access reviews need to include agent identities.
• Retirement policies matter for abandoned workflows.
• Audit trails must survive incident response.

Human standards for non-human actors​

Vasu Jakkal’s argument, as captured in the issue, is that AI agents should be held to the same standards as employees or service accounts. That is the right benchmark because it makes governance practical. If an organisation already knows how to control privileged users, it can adapt the same principles to non-human identities without rebuilding the entire framework from scratch.
Herain Oberoi’s warning about AI supply chain vulnerabilities broadens the picture even further. AI risk is not confined to a model prompt or a single dataset. It can emerge through third-party integrations, model dependencies, runtime environments, and the orchestration layers that connect one system to another. In that sense, AI security looks a lot like cloud security did a decade ago: the surface is larger than the initial product diagram suggested.

---

Competitive Implications​

Microsoft’s approach has obvious competitive consequences. By presenting AI governance as a platform problem, it is effectively challenging the market to choose between integrated control and best-of-breed specialization. That split is likely to define buying behaviour over the next several quarters, especially among enterprises that already rely heavily on Microsoft 365 and Entra.
The challenge for rivals is that Microsoft’s narrative is broad enough to sound comprehensive while specific enough to feel operational. Competitors can match individual features, but they will struggle to match the ecosystem effect unless they can stitch together identity, data, endpoint, cloud, and SOC controls just as seamlessly. That is a high bar, especially for vendors that specialise in just one layer of the stack.

What rivals will likely emphasise​

In response, competitors are likely to stress openness, neutrality, and specialization. That may resonate with customers in mixed-cloud environments who do not want every AI governance decision routed through one platform. It may also appeal to security leaders who believe AI control is too important to be left to a single vendor’s definition of the problem.
Specialists will probably focus on areas where Microsoft’s broad platform story can feel abstract: model scanning, runtime guardrails, red teaming, or data classification tied to particular workflows. Those capabilities matter because many organisations want help at the point of risk, not just at the policy layer. The market may therefore split between platform-first buyers and those who prefer a layered, vendor-agnostic approach.

Why interoperability will decide trust​

Interoperability is the real test. Microsoft can say it supports multi-cloud realities, but customers will judge that claim by whether its controls work smoothly across AWS, Google Cloud Platform, hybrid estates, and legacy systems. In the AI era, trust is not built by a product brochure; it is built by whether the controls survive contact with the real enterprise.
That is why the issue’s broader message is so important. It is not enough to secure the Microsoft stack. Organisations need assurance that AI governance survives across the full estate, including third-party connectors, service identities, and workflows built by business units outside central IT. If Microsoft can prove that, it gains a strong advantage. If not, the market will keep room for independent control layers.

---

Strengths and Opportunities​

Microsoft’s position in Issue 40 is strong because it connects a pressing enterprise problem to tools customers already know how to use. That combination of urgency and familiarity is powerful, especially in security, where buyers value continuity as much as novelty. The opportunity is not just to sell more software, but to define the governance model for the agentic era.

• Unified control plane for agents, identity, data, and response.
• Familiar governance model that extends existing enterprise security practice.
• Platform bundling that can reduce procurement friction.
• Better auditability if the logs and controls are implemented well.
• Cross-team alignment between security, IT, and business owners.
• Operational maturity for organisations ready to move beyond pilots.
• Competitive clarity in a market that still lacks shared standards.

The biggest strength is that Microsoft is not treating AI security as a side topic. It is positioning it as a core architectural layer, which is likely to resonate with large enterprises that need scalable governance. That framing could accelerate adoption, especially where Microsoft already sits at the centre of the productivity stack.

---

Risks and Concerns​

The downside of Microsoft’s ambitious framing is that it may ask more of customers than they can realistically deliver in the short term. Many organisations are still struggling with basic identity hygiene, data classification, and access governance. Adding agent lifecycle management on top of that could become overwhelming if implementation discipline is weak.

• Operational complexity may slow deployments.
• Vendor lock-in concerns could intensify as more controls move into one ecosystem.
• Misconfiguration risk remains high even with better tooling.
• Shadow AI will still be difficult to eliminate in decentralised organisations.
• Over-automation could create false confidence in controls.
• Interoperability gaps may frustrate multi-cloud customers.
• Policy sprawl could grow if agent controls are not harmonised carefully.

There is also a more subtle concern: enterprises may assume that because AI is now inside a governed platform, it is therefore safe. That would be a mistake. Platform integration helps, but it does not replace clear ownership, training, and continuous review. In agentic environments, the organisation still owns the risk even when the software makes it easier to ignore.

---

Looking Ahead​

The next phase of this story will be less about whether AI agents are useful and more about whether they can be governed at scale. That is the real dividing line now. Every major enterprise is being pushed toward the same question: how much autonomy can be granted before control becomes brittle?
The answer will vary by industry, regulatory burden, and existing Microsoft adoption, but the strategic direction is clear. The companies that win in the next wave of AI will be the ones that can pair speed with accountability. The winners will not just deploy more agents; they will be able to explain them, audit them, constrain them, and retire them without chaos.
What to watch next:

• How quickly Agent 365 is adopted across Microsoft-heavy enterprises.
• Whether Data Security Index findings translate into concrete control investments.
• How regulators respond to the idea of agents as governed identities.
• Whether competitors sharpen their own governance stacks or double down on specialty tools.
• How enterprises measure ROI once security and compliance costs are added to AI deployments.

The broader lesson from Issue 40 is that AI is entering its institutional phase. The debate is no longer about whether organisations should experiment with agents, but about how they can build durable trust around them. If Microsoft is right, then the future of enterprise AI will be defined not just by intelligence or automation, but by the quality of the guardrails that make those systems usable in the first place.

---

Source: Technology Record Technology Record - Issue 40: Spring 2026