Enterprises spent the last year racing to deploy AI agents. Microsoft just pointed out the part nobody planned for: most of those agents are running unmanaged, invisible to IT, with access to corporate data and no one watching. At Build 2026 it shipped the tooling to find them, and the pitch is blunt: you cannot secure what you cannot see.
What Actually Happened
On June 2 at Build 2026, Microsoft expanded Agent 365, the control plane it sells for managing AI agents the way IT already manages laptops and user accounts. The centerpiece of the update is the Agent 365 Agent Registry, which surfaces unmanaged local agents discovered across the environment by Microsoft Defender, Microsoft Entra, and Microsoft Intune working in concert. The premise is that companies have already lost track of how many agents are running inside their walls, and the first job of governance is simply taking inventory of what exists before any of it can be controlled or shut down. The registry frames every agent as a managed object with an owner, a scope, and a lifecycle, the same way a laptop or a service account is managed today. That reframing is the real product: it converts a chaotic swarm of scripts and bots into a list that a security team can sort, audit, and revoke from one console, turning what was an invisible standing liability into a properly governed corporate asset.
The new security capabilities arrive in stages. Context mapping, policy-based controls, and runtime blocking and alerts are landing in Agent 365 through Intune and Defender in public preview in June 2026. A broader integration that pulls Defender, Entra, Intune, and Purview protections together to constrain and secure local agents is slated for preview in July. Agent 365 itself reached general availability on May 1, 2026, priced at $15 per user for the commercial segment, so Build did not launch the product; it armed it with the security teeth that make the control-plane story credible to a CISO.
The architecture leans on Microsoft's existing security stack rather than inventing a parallel one. Entra enforces consistent, risk-based access controls for both users and the agents acting on their behalf, ensuring an agent only reaches resources its human principal is authorized to touch. Purview supplies data-risk visibility through information protection, data loss prevention, and risk safeguards. Defender and Intune handle discovery and device-level enforcement. Microsoft recommends customers hold Entra P1, P2, or the Entra Suite alongside Purview DLP to get the full benefit, which tells you the model: extend the security tools enterprises already pay for to cover a new class of non-human identity.
Why This Matters More Than People Think
The agent gold rush created a governance vacuum that almost no one priced in. Every team that wired up an autonomous agent to read email, query a database, or take actions in a SaaS app created a new actor with credentials and reach, and in most organizations those actors were never registered, never scoped, and never monitored. Microsoft is naming this problem agent sprawl, and the Agent Registry is the admission that it has already happened at scale. The shift here is from building agents to accounting for them, and that transition usually marks the moment a hyped technology starts being treated as real infrastructure.
What makes this strategically sharp is that Microsoft is selling the cure for a disease its own products helped spread. Copilot Studio, the agent frameworks shown at the same conference, and the broader push to make every employee an agent builder all accelerate the proliferation that Agent 365 now charges $15 a head to manage. That is not a criticism so much as a description of a complete platform: Microsoft profits when you build agents and profits again when you need to govern them. The company has positioned itself on both sides of the same wave, which is the most defensible place a platform vendor can stand. Salesforce, ServiceNow, and Google are all making versions of the same bet, but only Microsoft sits underneath the operating system, the directory, and the productivity suite at once, which lets it meter the entire agent lifecycle from creation to retirement inside tools the customer already runs every day.
The deeper point is that agents are becoming a new identity class, and identity is the most durable lock-in in enterprise software. For thirty years the company that owned corporate identity, the directory that says who is allowed to do what, owned the account. Microsoft owns that through Active Directory and Entra. By extending identity governance to agents, it is making sure that when the org chart fills up with non-human workers, those workers are provisioned, authenticated, and audited through Microsoft's directory too. Whoever becomes the system of record for agent identity inherits the same gravitational pull that made Active Directory impossible to leave. Once payroll, provisioning, and audit logs all route through one directory, ripping it out means re-plumbing the entire company, and almost no one does. Agent identity is being wired into that same directory before any standard can form around a neutral alternative, which is precisely how the previous lock-in became permanent.
The Competitive Landscape
Microsoft is not the only company that spotted the agent governance gap. Okta has moved to extend its identity platform to non-human and agent identities, betting that the neutral identity layer should not belong to the same vendor selling the agents. CrowdStrike and Palo Alto Networks are pushing agent security from the threat-detection side. A wave of startups is selling agent observability and guardrail tooling as standalone products. The difference is that none of them own the directory, the device management layer, the email, and the productivity suite where the agents actually live. Microsoft is assembling the governance story out of pieces enterprises already deployed.
The historical parallel is the arrival of mobile device management in the early 2010s. When employees flooded workplaces with personal phones, a generation of standalone MDM vendors like AirWatch and MobileIron built businesses on the chaos. Then Microsoft folded the capability into Intune and bundled it with the licenses enterprises already held, and the standalone market compressed hard. Agent governance is following the same arc: an urgent new management problem, a burst of point solutions, and a platform owner moving to absorb the category into a suite it can give away at the margin. The independent agent-governance startups are watching that movie play again with themselves as the supporting cast.
The bear case, however, deserves a clear hearing, and skeptics point out the obvious tell: Microsoft only surfaces agents its own stack can see. The Agent Registry discovers agents through Defender, Entra, and Intune, which means it is strongest at finding agents built on Microsoft rails and weakest at the shadow agents running on third-party clouds, in unmanaged developer environments, or behind APIs Microsoft does not instrument. A governance tool that mainly governs the agents you built the Microsoft way risks giving security teams a false sense of completeness while the genuinely rogue agents, the ones an attacker would plant, stay invisible precisely because they avoid the instrumented paths. The history of endpoint security is a long record of coverage gaps becoming the exact place attackers operate, and an agent registry that is comprehensive only inside one vendor ecosystem hands sophisticated adversaries a clear blueprint for where to hide. Completeness, not detection, is the hard part, and it is the part the architecture cannot fully deliver.
Hidden Insight: Selling the Fire Extinguisher and the Matches
The uncomfortable structural truth is that Agent 365 is most valuable in exactly the mess that Microsoft's own agent ambitions create. The more aggressively enterprises adopt Copilot agents, the worse the sprawl, and the more indispensable the $15-per-user control plane becomes. This is the same flywheel that made Microsoft security its fastest-growing business: ship a sprawling, attack-prone platform, then sell the security layer that tames it. Critics argue this is a conflict of interest dressed as a product suite, and they are not wrong that the incentive to fully solve sprawl is blunted when sprawl drives the upsell.
Yet the move is shrewd precisely because the alternative is worse for customers. An enterprise that adopts agents without governance is genuinely exposed, and a neutral third-party tool that only watches from outside cannot enforce access the way the directory that issues the credentials can. Microsoft can block an agent at the identity layer, at the device, and at the data boundary simultaneously because it owns all three chokepoints. That integrated enforcement is real value that no standalone vendor can fully match, even if the same integration is what makes leaving Microsoft so costly. The lock-in and the protection are the same architecture viewed from two angles.
The subtler insight is about what gets measured and therefore what gets believed. Once the Agent Registry becomes the dashboard a CISO checks, the agents it counts become the agents that officially exist, and the ones it cannot see effectively do not, until one of them causes an incident. This is the quiet power of being the system of record: you do not just monitor reality, you define the boundaries of what reality the organization can perceive. An attacker who understands this will build agents that specifically avoid the instrumented Microsoft paths, knowing the registry that reassures the security team is also the map of where no one is looking.
There is a twelve-to-twenty-four month signal buried in this launch about where enterprise software is heading. The unit of management is shifting from the user to the agent, and the seat-based pricing that has defined SaaS for two decades is starting to crack. When a company has more agents than employees, charging $15 per human user is a transitional pricing model that will eventually give way to charging per agent, per action, or per unit of autonomy. Agent 365 is the beachhead for that transition, and the company that establishes the management plane now will be the one that sets the meter when the pricing model flips.
What to Watch Next
In the next 30 days, watch the June public preview adoption and the early reports from security teams running the Agent Registry against their real environments. The number that matters is the gap between how many agents IT thought it had and how many the registry actually finds. If the discovery counts come back dramatically higher than expected, that validates the sprawl thesis and Microsoft has a category. If teams find the registry mostly shows them agents they already knew about, the urgency deflates and Agent 365 looks like a solution shopping for a problem.
Over 90 days, the July preview that unifies Defender, Entra, Intune, and Purview is the real test of whether integrated enforcement works as advertised. Watch whether Microsoft can demonstrate an agent being blocked at runtime for overstepping its data boundary, not just flagged after the fact. Also watch the competitive response: if Okta, CrowdStrike, or a serious startup ships a credible cross-platform agent governance layer that sees beyond one vendor's stack, the neutrality argument becomes a live wedge against Microsoft, the same way independent identity providers carved space against the incumbent directory.
By 180 days, the metric to track is pricing and packaging. If Microsoft keeps Agent 365 at $15 per user while agent counts climb past human headcount, expect the company to introduce per-agent or consumption-based tiers, the clearest sign that the industry is moving to price autonomy directly. Watch the Agent 365 attach rate to existing Microsoft 365 E5 and security suites, because the speed at which enterprises bolt this onto licenses they already hold will tell you whether agent governance becomes a standalone market or another feature absorbed into the bundle, the way device management was a decade ago. The faster the attach rate, the more this looks like a feature that will eventually be free inside the suite rather than a product anyone pays for separately, which would quietly end the standalone agent-governance market before it matures. A slow attach rate would signal the opposite, that customers see agent governance as a deliberate, standalone buy worth evaluating on its own.
The company that defines which agents officially exist does not just secure your AI workforce. It draws the map of where no one is looking.
Key Takeaways
- Agent 365 Agent Registry launched at Build 2026 to surface unmanaged local agents via Defender, Entra, and Intune.
- June 2026 public preview brings context mapping, policy controls, and runtime blocking through Intune and Defender.
- July preview unifies Defender, Entra, Intune, and Purview to constrain and secure local agents.
- $15 per user commercial pricing since GA on May 1, 2026, with Entra P1/P2 and Purview DLP recommended.
- Agents as a new identity class extend Microsoft's directory lock-in from human users to non-human workers.
Questions Worth Asking
- If the same vendor sells you the agents and the tool to govern them, how hard will it work to actually shrink the sprawl?
- When the registry defines which agents officially exist, what happens to the ones deliberately built to stay off its map?
- When your company has more agents than employees, why are you still being charged per human seat?