Zenity’s expanded integration with Microsoft Copilot Studio promises to bring native, inline attack prevention into the execution path of enterprise AI agents, positioning runtime enforcement and step-level policy controls as the new baseline for safe agent deployment at scale. (zenity.io)
Background / Overview
Microsoft’s Copilot Studio has rapidly become the focal point for enterprise "agentic AI" — low-code and no-code tooling that lets business teams compose agents with natural-language prompts, logic flows, and pre-built connectors across Microsoft 365. Copilot Studio's Agent Store and connective model mean organizations can create and distribute agents across departments quickly, which amplifies both productivity and risk. (microsoft.com, techcommunity.microsoft.com)
Zenity, a vendor focused on securing AI agents across their lifecycle, announced an enhancement to its integration with Copilot Studio that is described as adding buildtime-to-runtime visibility, policy enforcement, and real-time threat detection and disruption. The announcement and distribution through major PR channels state the integration is available and being demonstrated publicly. (prnewswire.com, zenity.io)
This report summarizes the integration, verifies key claims against public statements from Zenity and Microsoft, analyzes technical and operational implications for IT/security teams, highlights strengths and risks, and offers practical recommendations for deploying Copilot Studio securely at scale.
What Zenity and Microsoft are Saying: The Core Claims
- Zenity says the integration embeds security inline within each Copilot Studio agent, enabling controls on tool invocation (MCP servers, CRM systems, business apps, email) to prevent data exfiltration, direct and indirect prompt injection, and faulty secrets handling. (zenity.io, prnewswire.com)
- The integration is presented as delivering three principal capabilities: real-time threat disruption & prevention, step-level monitoring & policy enforcement, and continuous enterprise visibility across agents’ build and runtime lifecycle. (zenity.io, prnewswire.com)
- Microsoft frames the work as making it easier to scale agent development across organizations while retaining the security and governance enterprises require. Public Microsoft materials have separately emphasized the need for enterprise-grade controls across Copilot Studio and Azure AI Foundry as organizations move from experimentation to deployment. (microsoft.com, techcommunity.microsoft.com)
Why this matters: The enterprise scale problem
The twin forces driving risk
Copilot Studio, Power Platform, and similar low-code tools democratize agent creation. This is a boon for productivity but creates two simultaneous problems for security teams:
- Proliferation of agents — many built by non-developers and granted access to critical systems and data.
- Compound attack surface — agents can act autonomously across connectors (email, CRM, databases), multiplying opportunities for data leakage and prompt-based exploits.
Market context and analyst attention
The Gartner Market Guide for AI TRiSM (AI Trust, Risk and Security Management) has elevated enterprise expectations around runtime controls, posture management, and detection/response for AI systems. Zenity’s inclusion as a representative vendor in that market guide signals a growing category of products focused specifically on agent-level enforcement. (zenity.io)
At the same time, independent reporting has documented Microsoft’s internal efforts to expand agent management concepts (Agent Factory, Tenant Copilot) and to integrate agent strategies across its business products — a backdrop that increases urgency for vendor integrations that add security guardrails. (businessinsider.com, axios.com)
What the integration actually promises: feature breakdown
1) Inline, step-level controls and policy enforcement
- Zenity describes the integration as able to operate within each agent built in Copilot Studio, enforcing policies at the level of individual "Steps" (actions, triggers, connectors) and providing the full execution context for every agent. This is intended to prevent overly-broad permissions and risky connector usage during both build and runtime. (zenity.io)
- In practice this means security policies can be applied as agents are constructed — preventing the deployment of agents that request unnecessary access or include insecure secrets — and these policies carry through into runtime enforcement. Zenity explicitly maps findings to established frameworks (OWASP LLM, MITRE ATLAS) to prioritize remediation. (zenity.io)
2) Real-time threat disruption and contextual intent analysis
- Zenity’s AI Detection & Response (AIDR) aims to analyze intent and behavior signals as agents run; when an agent action exhibits risk indicators (attempting to exfiltrate, unusual data access patterns, or prompt-manipulation attempts), the system can block or interrupt the action inline. Zenity positions this as "disruption before completion" rather than passive logging. (prnewswire.com, zenity.io)
3) Continuous visibility and observability
- The platform captures granular telemetry — who built an agent, which connectors it uses, the data it touches, and every execution step. Those logs and behavioral baselines enable anomaly detection and post-event forensics. Zenity says this visibility is designed for both security and compliance teams. (zenity.io)
4) Coverage across departments and connectors
- The pitch explicitly calls out that marketing, HR, finance and operations teams can build agents while maintaining centralized governance — a key selling point for “citizen developer” scenarios where IT must delegate capability while retaining control. Actual coverage claims list connectors into MCP servers, CRMs, business apps and email, but vendor literature does not enumerate every supported connector or edge case. (prnewswire.com, zenity.io)
Independent verification and quote reconciliation
- The availability date and launch messaging (May 22, 2025) are confirmed by Zenity’s press release and blog posts distributed via PR channels. These items also include Microsoft's supportive quote attributed to Shay Gurman, Vice President, Microsoft Copilot Studio. (prnewswire.com, zenity.io)
- Some independent outlets summarized the same claims and quoted Zenity spokespeople; the precise attribution of individual quotes varies across press syndication (for example, one summary emphasized a quote by Harrison Johnson of Zenity). When reading secondary coverage, expect vendor messages to be republished with small changes in attribution. The core technical claims (inline enforcement, step-level policy, runtime detection) are consistently stated across Zenity primary materials and PR distributions. (techedgeai.com, prnewswire.com)
Technical analysis: How inline enforcement likely works — and the limitations
A practical model for inline control
- Step-level policy enforcement usually requires instrumenting the orchestration layer of the agent runtime so that every planned action is intercepted and evaluated against policy before execution. That means the security layer must have situational awareness of:
  - the identity used by the agent,
  - the specific connector or API being targeted,
  - the data classification of the payload or resource,
  - the business intent inferred from the agent’s logic flow.
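The interception model described above, reduced to working code. This is an added example and not Zenity's or Microsoft's code: a minimal step-level policy gate that sees each planned agent action before it executes, evaluates it against the identity the agent runs as, the connector it targets and the classification of data the agent has touched so far, and either allows, blocks, or (in a monitoring mode used for pilot tuning) records what it would have blocked. The identities, connector names, policy table, detection patterns and sample steps are all constructed for the illustration.

```python
"""Added example (not Zenity's or Microsoft's code): a step-level policy gate
for an agent runtime. Everything below (identities, connector names, policy
table, classification patterns, sample steps) is constructed."""
from dataclasses import dataclass
import re


@dataclass
class Step:
    """One planned agent action, intercepted before execution."""
    agent_id: str
    identity: str   # identity the agent runs as (hypothetical service identity)
    connector: str  # hypothetical connector id, e.g. "hr.read", "m365.email.send"
    payload: str    # data the step reads, sends or writes


# Constructed policy: connectors each identity may call, which connectors move
# data out of the tenant, and which data classes may never leave that way.
ALLOWED = {
    "svc-hr-agent": {"hr.read", "m365.email.send"},
    "svc-finance-agent": {"crm.read", "erp.read"},
}
OUTBOUND = {"m365.email.send", "http.post"}
NO_EGRESS = {"PII", "SECRET"}

# Constructed classifiers: a credential-like assignment and an SSN-like number.
SECRET_PATTERN = re.compile(r"(?i)(api[_-]?key|password|token)\s*[:=]\s*\S+")
PII_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify_payload(payload: str) -> set:
    """Return the set of data-class labels found in a payload."""
    classes = set()
    if SECRET_PATTERN.search(payload):
        classes.add("SECRET")
    if PII_PATTERN.search(payload):
        classes.add("PII")
    return classes


def evaluate(step: Step, carried=frozenset(), mode: str = "enforce") -> dict:
    """Decide one step. `carried` is the classification of data the agent has
    already touched in this run; mode="monitor" reports would-be blocks
    without stopping the agent, which is how a pilot measures false positives."""
    reasons = []
    if step.connector not in ALLOWED.get(step.identity, set()):
        reasons.append(f"connector {step.connector} not allowed for {step.identity}")
    classes = set(carried) | classify_payload(step.payload)
    leaking = classes & NO_EGRESS
    if step.connector in OUTBOUND and leaking:
        reasons.append(f"egress of {sorted(leaking)} via {step.connector}")
    if not reasons:
        verdict = "allow"
    elif mode == "monitor":
        verdict = "would_block"
    else:
        verdict = "block"
    return {"agent": step.agent_id, "connector": step.connector,
            "verdict": verdict, "reasons": reasons, "classes": sorted(classes)}


def run_agent(steps, mode: str = "enforce"):
    """Intercept each planned step in order, carrying data classification
    forward so a later outbound step is judged on what earlier steps read.
    In enforce mode the run stops at the first blocked step."""
    carried, decisions = set(), []
    for step in steps:
        decision = evaluate(step, carried, mode)
        decisions.append(decision)
        if decision["verdict"] == "block":
            break
        carried |= classify_payload(step.payload)
    return decisions


if __name__ == "__main__":
    # Constructed run: an HR agent reads a record containing PII, then tries
    # to email a summary. The read is allowed; the send is blocked because the
    # PII classification carried over from the read step.
    hr_run = [
        Step("hr-bot", "svc-hr-agent", "hr.read", "employee 123-45-6789 salary review"),
        Step("hr-bot", "svc-hr-agent", "m365.email.send", "Summary attached"),
    ]
    for d in run_agent(hr_run):
        print(d["connector"], d["verdict"], d["reasons"])
```

The point the code makes is the one the article does: the decision on the send step cannot be made from the send step's own input/output alone; it depends on execution context (what the agent read two steps earlier and which identity it runs as). Running the same steps with `mode="monitor"` yields `would_block` instead of `block`, which is the setting a pilot uses to tune policy before enforcement is switched on.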
Key technical dependencies and constraints
- Identity and entitlement mapping: Inline prevention is only as reliable as the identity model. If agents operate using broad service principals or shared secrets, fine-grained enforcement is difficult. A robust integration must link agents to distinct identities and to enterprise identity providers (Entra/Azure AD). Microsoft has emphasized identity-centric agent management in other materials. (businessinsider.com, techcommunity.microsoft.com)
- Connector coverage and edge cases: Vendors typically prioritize first-class support for widely used connectors (M365, common CRMs). Third-party or custom connectors, on-prem resources, and encrypted channels may require additional instrumentation or custom policies — and vendors rarely publish exhaustive supported-connector lists. (zenity.io)
- Latency and UX friction: Real-time blocking that inspects payloads and runs classification can introduce latency or false-positive blocks that interrupt legitimate workflows. Balancing security sensitivity with business continuity is a core operational challenge.
- Model- and supply-chain blind spots: Inline controls focused on agent orchestration do not necessarily inspect model weights, third-party model endpoints, or upstream supply-chain issues. Securing the runtime does not replace the need for model testing, provenance checks, and supply-chain management. Gartner and Microsoft have both highlighted supply-chain and early-stage risks in AI development. (techcommunity.microsoft.com, zenity.io)
Operational and governance implications
What security teams gain
- Centralized control over disparate agent deployments, enabling consistent policy enforcement.
- Faster removal or neutralization of risky agents via automated playbooks.
- Better audit trails for compliance and incident response.
- A mechanism to safely open Copilot Studio to non-developers while retaining enterprise guardrails. (zenity.io)
What to plan for
- Policy design and change management: Security must design policies that are contextual (by department, data sensitivity, regulatory regime) and maintain an approval workflow for new agent capabilities.
- Integration and onboarding: Expect a non-trivial integration project — mapping identities, classifying data, and defining playbooks takes time.
- Red-team and model testing: Runtime enforcement is one layer; teams should also run adversarial testing (prompt injection, RAG poisoning, model jailbreaks) during buildtime. Zenity’s materials recommend combining AISPM and AIDR with continuous testing. (zenity.io)
Risks, unknowns and areas that need more clarity
- Licensing and platform prerequisites
  - Public vendor materials do not always specify whether particular Copilot Studio tiers, Microsoft 365 licensing, or Azure subscriptions are required for full inline enforcement or if additional Microsoft admin consents are necessary. Organizations should validate licensing compatibility before rollout. (prnewswire.com, microsoft.com)
- Data residency and telemetry handling
  - Inline observability requires telemetry collection. Teams must confirm where telemetry is stored, retention policies, encryption, and whether any telemetry leaves controlled regions — particularly for regulated industries.
- Extent of connector and on-prem support
  - Zenity documents common connector support but does not publish an exhaustive list of supported third-party or legacy systems. Organizations with bespoke systems should validate coverage and plan for custom adapters if needed. (zenity.io)
- Performance and false positives
  - Inline blocking that inspects actions in real time will inevitably generate false positives unless finely tuned. The operational cost of tuning policies across many business units is non-trivial.
- Vendor claims that lack independent verification
  - Certain quantitative marketing claims (for example, agent counts per enterprise) appear unverified in public independent analyses; treat them as vendor-provided metrics until corroborated. (zenity.io)
Practical rollout checklist for IT and security teams
- Inventory & discovery
  - Run an AI agent discovery to find existing Copilot Studio instances, published agents, and connector usage. Map ownership and business impact.
- Risk profiling and classification
  - Classify agents by data sensitivity, criticality, and allowed operations. Prioritize high-risk agents for immediate protection.
- Identity hardening
  - Ensure each agent uses distinct, least-privileged identities and integrate with enterprise identity (Azure AD / Entra). Avoid shared secrets and over-permissive service principals.
- Policy design
  - Define step-level policies: allowed connectors, data filters, content redaction, secret-scanning rules, and escalation paths.
- Integration & pilot
  - Start with a small set of high-impact agents and run Zenity inline enforcement in monitoring mode first to tune policies and measure false positives.
- Red-team & adversarial testing
  - Simulate prompt injections, RAG poisoning, credential exfiltration, and connector misconfiguration to validate runtime defenses.
- Scale & automation
  - Automate approvals, remediation playbooks, and compliance reporting. Roll out to additional departments iteratively.
- Train and govern
  - Build governance processes for citizen developers, including mandatory security training and a simple path for security reviews prior to publishing agents.
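The first three steps of the checklist (inventory, risk profiling, identity hardening) produce a prioritized list before any enforcement is switched on. The following is an added example of that triage, not Zenity's discovery tooling or any Microsoft API: it takes a constructed agent inventory of the kind a discovery pass would return (owner, identity, connectors, data sensitivity), scores each agent on sensitivity, outbound connectors and whether its identity is shared with other agents, and flags the shared-identity agents for the identity-hardening step. The weights, tier thresholds, connector names and inventory entries are all constructed.

```python
"""Added example (not Zenity's or Microsoft's code): risk-profiling a
constructed agent inventory so the highest-risk agents are protected first.
Weights, thresholds, connector names and the inventory itself are constructed."""
from collections import Counter

# Constructed weights: how much each data-sensitivity label contributes.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}
# Constructed set of connectors that move data out of the tenant.
OUTBOUND_CONNECTORS = {"email.send", "http.post", "teams.post", "sharepoint.write"}

# Constructed discovery output; "svc-shared" is deliberately reused by two agents.
INVENTORY = [
    {"id": "hr-onboarding", "owner": "hr", "identity": "svc-shared",
     "connectors": ["hr.read", "email.send"], "sensitivity": "regulated"},
    {"id": "faq-bot", "owner": "it", "identity": "svc-faq",
     "connectors": ["sharepoint.read"], "sensitivity": "internal"},
    {"id": "invoice-helper", "owner": "finance", "identity": "svc-shared",
     "connectors": ["erp.read", "http.post"], "sensitivity": "confidential"},
    {"id": "newsletter", "owner": "marketing", "identity": "svc-mkt",
     "connectors": ["email.send"], "sensitivity": "public"},
]


def shared_identities(inventory):
    """Identities used by more than one agent; these defeat per-agent least privilege."""
    counts = Counter(agent["identity"] for agent in inventory)
    return {identity for identity, n in counts.items() if n > 1}


def score(agent, shared):
    """Additive risk score: sensitivity, outbound reach, shared identity, and an
    extra penalty when sensitive data and an outbound connector coincide."""
    total = SENSITIVITY_WEIGHT[agent["sensitivity"]]
    outbound = [c for c in agent["connectors"] if c in OUTBOUND_CONNECTORS]
    total += 2 * len(outbound)
    if agent["identity"] in shared:
        total += 3
    if outbound and agent["sensitivity"] in ("confidential", "regulated"):
        total += 4  # sensitive data with a path out of the tenant
    return total


def tier(total):
    """Bucket a score into a protection tier (constructed thresholds)."""
    if total >= 8:
        return "high"
    if total >= 4:
        return "medium"
    return "low"


def profile(inventory):
    """Return agents sorted highest risk first, with identity findings attached."""
    shared = shared_identities(inventory)
    rows = []
    for agent in inventory:
        total = score(agent, shared)
        findings = []
        if agent["identity"] in shared:
            findings.append("shared identity; issue a distinct least-privilege identity")
        rows.append({"id": agent["id"], "owner": agent["owner"], "score": total,
                     "tier": tier(total), "findings": findings})
    return sorted(rows, key=lambda row: -row["score"])


if __name__ == "__main__":
    for row in profile(INVENTORY):
        print(f"{row['tier']:6} {row['score']:3} {row['id']:15} {row['findings']}")
```

Used this way, the pilot in the next checklist step starts with the two agents that combine sensitive data, an outbound connector and a shared identity, and the identity-hardening work item is generated from the inventory rather than discovered later during enforcement tuning.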
Strategic takeaways for CIOs and CISOs
- Embedding runtime enforcement into Copilot Studio agents is a necessary evolution. Buildtime policies alone are insufficient when agents can be altered, composed, or triggered by external inputs in production.
- Vendor integrations that combine AISPM (posture management) and AIDR (detection & response) — the approach Zenity markets — are the logical next step for organizations that plan to scale agent adoption.
- Expect an organizational shift: security teams will need to operate more like product partners to citizen developers, providing guardrails, templates, and automated remediation rather than manual approvals.
- Maintain a defense-in-depth posture: runtime protection must be complemented by model provenance checks, supply-chain controls, and continuous adversarial testing.
Strengths of the Zenity–Microsoft approach
- Inline disruption capability addresses the most acute problem — an agent beginning a risky action in production — rather than leaving organizations dependent only on post-hoc detection.
- Step-level context gives defenders a richer decision surface for policies (not just “input/output” but the actual action a step was about to take), which should reduce blind-spot false positives when implemented correctly. (zenity.io)
- Alignment with enterprise tooling (Azure Marketplace availability, Microsoft for Startups Pegasus program, Gartner recognition) signals that Zenity’s model is being positioned for broad enterprise adoption and vendor interoperability. (zenity.io, prweb.com)
Where vendors and enterprises must remain cautious
- Runtime enforcement is not a silver bullet. Unless identity, supply chain, and model governance are also addressed, runtime protection can only mitigate a subset of risk vectors.
- Over-reliance on vendor-provided metrics and marketing claims is risky; independent verification and pilot data are essential for a true risk/benefit calculation.
- Expectations management is essential: inline blocking will create operational friction if policies are too aggressive, and remediation playbooks must be battle-tested before broad enforcement. (zenity.io)
Conclusion
The Zenity–Microsoft Copilot Studio integration is a significant and logical step in the maturing of enterprise AI security: it moves the conversation from observability and post-facto detection to inline prevention and control at the level of an agent’s execution steps. For organizations committed to scaling Copilot Studio use across business units, that capability addresses one of the most critical operational risks — agents acting on sensitive data or being manipulated through prompt or RAG attacks.
However, the technology is one component of a broader program. Real security gains will come from pairing inline runtime controls with identity hardening, model and supply-chain governance, continuous adversarial testing, and well-governed rollout processes. Vendor claims and marketing metrics require careful validation in each enterprise environment; pilots and red-team exercises remain indispensable.
For Windows and enterprise IT leaders, the message is clear: agentic AI is inevitable and valuable, but taking it to scale without runtime guardrails will sooner or later produce a costly incident. Integrations like Zenity’s give organizations pragmatic tools to keep productivity gains without surrendering control — provided they are implemented with clarity about their limits and operational impact. (prnewswire.com, microsoft.com)
Source: AiThority Zenity Expands Integration with Microsoft Copilot Studio to Secure AI Agents at Scale