AI has quickly become a powerful tool misused by threat actors, who use it to slip into the tiniest crack in your defenses. They use AI to automate and launch password attacks and phishing attempts at scale, craft emails that seem to come from people you know, manufacture voicemails and videos that impersonate people, join calls, request IT support, and reset passwords. They even use AI to rewrite AI agents on the fly as they compromise and traverse your network.

To stay ahead in the coming year, we recommend four priorities for identity security leaders:

1. Implement fast, adaptive, and relentless AI-powered protection.
2. Manage, govern, and protect AI and agents.
3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution.
4. Strengthen your identity and access foundation to start secure and stay secure.

Secure Access Webinar

Enhance your security strategy: Deep dive into how to unify identity and network access through practical Zero Trust measures in our comprehensive four-part series.

Sign up for the webinar

1. Implement fast, adaptive, and relentless AI-powered protection

2026 is the year to integrate AI agents into your workflows to reduce risk, accelerate decisions, and strengthen your defenses.

While security systems generate plenty of signals, the work of turning that data into clear next steps is still too manual and error-prone. Investigations, policy tuning, and response actions require stitching together an overwhelming volume of context from multiple tools, often under pressure. When cyberattackers are operating at the speed and scale of AI, human-only workflows constrain defenders.

That’s where generative AI and agentic AI come in. Instead of reacting to incidents after the fact, AI agents help your identity teams proactively design, refine, and govern access. Which policies should you create? How do you keep them current? Agents work alongside you to identify policy gaps, recommend smarter and more consistent controls, and continuously improve coverage without adding friction for your users. You can interact with these agents the same way you’d talk to a colleague. They can help you analyze sign-in patterns, existing policies, and identity posture to understand what policies you need, why they matter, and how to improve them.

In a recent study, identity admins using the Conditional Access Optimization Agent in Microsoft Entra completed Conditional Access tasks 43% faster and 48% more accurately across tested scenarios. These gains directly translate into a stronger identity security posture with fewer gaps for cyberattackers to exploit. Microsoft Entra also includes built-in AI agents for reasoning over users, apps, sign-ins, risks, and configurations in context. They can help you investigate anomalies, summarize risky behavior, review sign-in changes, remediate and investigate risks, and refine access policies.

The real advantage of AI-powered protection is speed, scale, and adaptability. Static, human-only workflows just can’t keep up with constantly evolving cyberattacks. Working side-by-side with AI agents, your teams can continuously assess posture, strengthen access controls, and respond to emerging risks before they turn into compromise.

2. Manage, govern, and protect AI and agents 

Another critical shift is to make every AI agent a first-class identity and govern it with the same rigor as human identities. This means inventorying agents, assigning clear ownership, governing what they can access, and applying consistent security standards across all identities.

Just as unsanctioned software as a service (SaaS) apps once created shadow IT and data leakage risks, organizations now face agent sprawl—an exploding number of AI systems that can access data, call external services, and act autonomously. While you want your employees to get the most out of these powerful and convenient productivity tools, you also want to protect them from new risks.

Fortunately, the same Zero Trust principles that apply to human employees apply to AI agents, and now you can use the same tools to manage both. You can also add more advanced controls: monitoring agent interaction with external services, enforcing guardrails around internet access, and preventing sensitive data from flowing into unauthorized AI or SaaS applications.

With Microsoft Entra Agent ID, you can register and manage agents using familiar Entra experiences. Each agent receives its own identity, which improves visibility and auditability across your security stack. Requiring a human sponsor to govern an agent’s identity and lifecycle helps prevent orphaned agents and preserves accountability as agents and teams evolve. You can even automate lifecycle actions to onboard and retire agents. With Conditional Access policies, you can block risky agents and set guardrails for least privilege and just in time access to resources.

To govern how employees use agents and to prevent misuse, you can turn to Microsoft Entra Internet Access, included in Microsoft Entra Suite. It’s now a secure web and AI gateway that works with Microsoft Defender to help you discover use of unsanctioned private apps, shadow IT, generative AI, and SaaS apps. It also protects against prompt injection attacks and prevents data exfiltration by integrating network filtering with Microsoft Purview classification policies.

When you have observability into everything that traverses your network, you can embrace AI confidently while ensuring that agents operate safely, responsibly, and in line with organizational policy.

3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution

There’s often a gap between what your identity system can see and what’s happening on the network. That’s why our next recommendation is to unify the identity and network access layers of your Zero Trust architecture, so they can share signals and reinforce each other’s strengths through a unified policy engine. This gives you deeper visibility into and finer control over every user session.

Today, enterprise organizations juggle an average of five different identity solutions and four different network access solutions, usually from multiple vendors.¹ Each solution enforces access differently with disconnected policies that limit visibility across identity and network layers. Cyberattackers are weaponizing AI to scale phishing campaigns and automate intrusions to exploit the seams between these siloed solutions, resulting in more breaches.²

An access security platform that integrates context from identity, network, and endpoints creates a dynamic safety net—an Access Fabric—that surrounds every digital interaction and helps keep organizational resources secure. An Access Fabric solution wraps every connection, session, and resource in consistent, intelligent access security, wherever work happens—in the cloud, on-premises, or at the edge. Because it reasons over context from identity, network, devices, agents, and other security tools, it determines access risk more accurately than an identity-only system. It continuously re‑evaluates trust across authentication and network layers, so it can enforce real‑time, risk‑based access decisions beyond first sign‑in.

Microsoft Entra delivers integrated access security across AI and SaaS apps, internet traffic, and private resources by bringing identity and network access controls together under a unified Zero Trust policy engine, Microsoft Entra Conditional Access. It continuously monitors user and network risk levels. If any of those risk levels change, it enforces policies that adapt in real time, so you can block access for users, apps, and even AI agents before they cause damage.

Your security teams can set policies in one central place and trust Entra to enforce them everywhere. The same adaptive controls protect human users, devices, and AI agents wherever they move, closing access security gaps while reducing the burden of managing multiple policies across multiple tools.

4. Strengthen your identity and access foundation to start secure and stay secure

To address modern cyberthreats, you need to start from a secure baseline—anchored in phishing‑resistant credentials and strong identity proofing—so only the right person can access your environment at every step of authentication and recovery.

A baseline security model sets minimum guardrails for identity, access, hardening, and monitoring. These guardrails include must-have controls, like those in security defaults, Microsoft-managed Conditional Access policies, or Baseline Security Mode in Microsoft 365. This approach includes moving away from easily compromised credentials like passwords and adopting passkeys to balance security with a fast, familiar sign-in experience. Equally important is high‑assurance account recovery and onboarding that combines a government‑issued ID with a biometric match to ensure that no bad actors or AI impersonators gain access.

Microsoft Entra makes it easy to implement these best practices. You can require phishing‑resistant credentials for any account accessing your environment and tailor passkey policies based on risk and regulatory needs. For example, admins or users in highly regulated industries can be required to use device‑bound passkeys such as physical security keys or Microsoft Authenticator, while other worker groups can use synced passkeys for a simpler experience and easier recovery. At a minimum, protect all admin accounts with phishing‑resistant credentials included in Microsoft Entra ID. You can even require new employees to set up a passkey before they can access anything. With Microsoft Entra Verified ID, you can add a live‑person check and validate government‑issued ID for both onboarding and account recovery.

Combining access control policies with device compliance, threat detection, and identity protection will further fortify your foundation. 

Support your identity and network access priorities with Microsoft

The plan for 2026 is straightforward: use AI to automate protection at speed and scale, protect the AI and agents your teams use to boost productivity, extend Zero Trust principles with an Access Fabric solution, and strengthen your identity security baseline. These measures will give your organization the resilience it needs to move fast without compromise. The threats will keep evolving—but you can tip the scales in your favor against increasingly sophisticated cyberattackers.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Secure employee access in the age of AI report, Microsoft.

²Microsoft Digital Defense Report 2025.

The post Four priorities for AI-powered identity and network access security in 2026 appeared first on Microsoft Security Blog.

Staying ahead of the evolving cyberthreat landscape

Every day, Microsoft processes more than 100 trillion signals from our services. Together with insights from researchers, law enforcement, and cybersecurity teams, these signals reveal how quickly the threat landscape continues to evolve.

We’ve observed nation-state actors and organized cybercrime groups joining forces to deploy generative AI that automates cyberattacks at unprecedented scale. With password spray or brute force attacks still accounting for more than 97% of identity-related alerts we see, more customers are turning on multifactor authentication to defend themselves.¹ Multifactor authentication also reduces the risk of identity compromise by more than 99%, making it the single most important security measure an organization can implement.¹ This is forcing bad actors to evolve their tactics.

Using sophisticated phishing attacks, they trick users into authenticating on fake sites so they can intercept multifactor authentication codes and session tokens. And now they’re even using generative AI to impersonate colleagues and help desk personnel in fraudulent emails and Microsoft Teams chats, luring users into authenticating on their behalf or into granting broad permissions to malicious applications. They’re also targeting workloads, such as AI agents, which use non-human identities that may not have the same level of protection as human users.

This growing cyberthreat landscape is why a comprehensive, integrated identity and access management (IAM) strategy with strong identity governance and agentic AI controls is vital to every organization’s security posture.

A unified solution to simplify and strengthen security

Microsoft Entra is our unified secure access solution that simplifies IAM and consumer IAM (CIAM) for organizations and applications of all sizes across all industries. Instead of having to assemble multiple tools or rely on fragmented processes, security teams get a streamlined experience with centralized visibility and control.

And since we have fully integrated generative AI into the Microsoft Entra admin center, strengthening security posture is as simple as chatting with Microsoft Security Copilot, for example, to create and troubleshoot lifecycle workflows that automate joiner, mover, and leaver scenarios. Security teams can also use natural language prompting to investigate and respond to cyberthreats to any kind of identity.

We’ve also made it easier for developers to integrate authentication into their apps with Microsoft Entra External ID. These include AI-based tools for creating highly customized sign-up/sign-in flows and automated tools for migrating apps from Azure AD B2C or a third-party platform to External ID.

Investing to secure identities for the AI era

A comprehensive IAM solution for non-human identities requires visibility to your organization’s AI agents. We introduced Microsoft Entra Agent ID, which creates enterprise identities for AI agents. Now identity admins can manage and govern agents using the same granular access controls and lifecycle workflows they already use to manage and govern users and applications.

We’ve also expanded Security Copilot to include agents. For example, the Conditional Access Optimization Agent detects policy gaps and provides actionable recommendations to strengthen Zero Trust enforcement and eliminate blind spots.

The Access Review agent, currently in preview, surfaces intelligent recommendations directly in Microsoft Teams. By using AI to analyze sign-in activity, peer group changes, and unusual access patterns making access reviews faster and more secure.

Innovations such as these represent the continued commitment to securing all identities and access points. Stay tuned for more exciting advancements coming your way at Microsoft Ignite.

Explore more

• Read the full 2025 Gartner® Magic Quadrant™ for Access Management report.
• Learn more about Microsoft Entra and our identity solutions.
• Visit the Microsoft Security site for the latest innovations.

Are you a regular user of Microsoft Entra ID? Share your insights on Microsoft Entra ID and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

¹Microsoft Digital Defense Report 2025

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 11, November 2025, By Brian Guthrie, Nathan Harris, Yemi Davies, Steve Wessels

The post Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year appeared first on Microsoft Security Blog.

By 2026, enterprises may have more autonomous agents than human users. Are we ready to secure and govern them?

2024 was a year defined by learning about generative AI. Organizations were experimenting with it: testing its boundaries and exploring its potential. In 2025, organizations moved into execution. Autonomous agents are no longer theoretical. They’re now being deployed across development, operations, and business workflows.

This shift is being driven by platforms like Microsoft Copilot Studio and Azure AI Foundry and accelerated by patterns like Model Context Protocol (MCP) and Agent-to-Agent (A2A) interactions. These agents are evolving from tools into digital actors—ones capable of reasoning, acting, and collaborating.

That evolution brings real value. But it also introduces a new class of risk—and with it, a new set of responsibilities.

The rise of the agent: What’s here and what’s next

To understand the rise of autonomous agents, it’s worth starting at the beginning. Generative AI first captured the spotlight with models that could produce human-like text, code, and imagery. Meanwhile, researchers were also advancing autonomous systems designed to perceive, decide, and act independently. As these two domains converged, a new class of AI emerged—agents capable not just of generating output, but of taking action towards goals with limited human input. Today, these agents are beginning to surface across each layer of the cloud stack, each designed to tackle different layers of complexity:

• Software as a service (SaaS)-based agents, often built using low-code or no-code platforms like Copilot Studio, are enabling business users to automate tasks with minimal technical support.
• Platform as a service (PaaS)-based agents support both low-code and pro-code development, offering flexibility for teams building more sophisticated solutions. Azure AI Foundry is a good example.
• Infrastructure as a service (IaaS)-based agents are typically deployed in virtual networks (VNETs), virtual private clouds (VPCs), or on-premises environments, often as custom models or services integrated into enterprise infrastructure.

Each of these categories includes both custom-built first-party and third-party individual software vendors (ISVs) agents, all of whom are rapidly multiplying across the enterprise. As organizations embrace this diversity and scale, the number of agents will soon outpace human users—making visibility, oversight, and robust governance not just important, but essential.

The new risk landscape: Why agents are different

While autonomous agents unlock new levels of efficiency, scalability, and continuous operation for organizations, they also introduce a fundamentally different risk profile:

• Self-initiating: Agents can act without direct human prompts, enabling automation and responsiveness at scale—but this autonomy also means they may take unintended actions or operate outside established guardrails.
• Persistent: Running continuously with long-lived access allows agents to deliver ongoing value and handle tasks around the clock. However, persistent presence increases the risk of over-permissioning, lifecycle drift, and undetected misuse.
• Opaque: Their ability to operate as “black boxes” can simplify complex workflows and abstract away technical details, but it also makes them difficult to audit, explain, or troubleshoot—especially when built on large language models (LLMs).
• Prolific: The ease with which agents can be created, even by non-technical users, accelerates innovation and experimentation—while simultaneously increasing the risk of shadow agents, sprawl, and inconsistent governance.
• Interconnected: By calling other agents and services, they can orchestrate complex, multi-step processes—but this interconnectedness creates complex dependencies and new attack surfaces that are challenging to secure and monitor.

Given this new risk profile, these autonomous agents aren’t a minor extension of existing identity or application governance—they’re a new workload. Treat them accordingly.

What’s more—as they scale, they will soon outnumber human users in the enterprise.

Common failure points in autonomous agents

Despite their impressive capabilities, AI agents can still make mistakes. These errors tend to arise during long-running tasks, where “task drift” can occur, or when the agent encounters malicious input such as Cross Prompt Injection Attacks (XPIA). In these cases, the agent may veer off course or even be manipulated into acting against its intended purpose.

That’s why it’s useful to approach agent security the same way you would approach working with a junior employee: by setting clear guardrails, monitoring behavior, and establishing strong protections. Microsoft is addressing XPIA with prompt shields and evolving best practices. Robust authentication can help counter deepfakes, and improved prompt engineering through orchestration or employee training can reduce hallucinations and strengthen overall response accuracy.

Understanding Model Context Protocol for agent governance

One of the most powerful enablers of the growth of autonomous agents is the Model Context Protocol (MCP). MCP is an open standard that allows AI agents to securely and effectively connect with external data sources, tools, and services—providing flexibility to fetch real-time data, call external tools, and operate autonomously. This open standard essentially acts as a “USB-C port for AI.”

But with that flexibility comes risk. Poorly governed MCP implementations can expose agents to data exfiltration, prompt injection, or access to unvetted services. Because MCPs are easy to create, they can proliferate quickly, often without proper access controls or oversight. This is where role-based access control (RBAC) becomes critical: MCP’s ability to connect agents to a wide range of resources means that robust, granular access controls are essential to prevent misuse. However, implementing effective role-based access control for MCP-enabled agents is complex: it requires dynamic, context-aware permissions that can adapt to rapidly changing agent behaviors and access needs. Without this rigor, organizations risk over-permissioning agents, losing visibility into who can access what, and ultimately exposing sensitive data or critical services to unauthorized use.

In short, agents don’t sleep, they don’t forget, and they don’t always follow the rules. That’s why governance and thought-through authorization can’t be optional, for both agents and MCP servers.

Securing and governing agents starts with visibility

The first challenge customers raise is simple: “Do I even know which agents I have?” Before any meaningful governance or security can take place, organizations must achieve observability. Without a clear inventory of agents—across SaaS, PaaS, IaaS, and local environments—governance is guesswork. Visibility provides the foundation for everything that follows: it helps organizations to audit agent activity, understand ownership, and assess access patterns. Only with this single, unified view can organizations move from reactive oversight to proactive control.

Once visibility is in place, securing and governing agents requires a layered approach built on seven core capabilities:

Identity management

Agents must have unique, traceable identities. These identities might be identities derived, but distinguishable, from user identities or independent identities like those used by services—but no matter what they are, these identities need to be governed throughout their lifecycle (from creation to deactivation) with clear sponsorship and accountability to prevent sprawl.

Access control

Agents should operate with the minimum permissions required. Whether acting autonomously or on behalf of a user, access must be scoped, time-bound, and revocable in real time.

Data security

Sensitive data must be protected at every step. This requires implementing inline data loss prevention (DLP), sensitivity-aware controls, and adaptive policies to prevent oversharing. These safeguards are especially critical in low-code environments where agents are created quickly and often without sufficient oversight.

Posture management

Security posture must be continuously assessed. Organizations need to continually identify misconfigurations, excessive permissions, and vulnerable components across the agent stack to maintain a strong baseline.

Threat protection

Agents introduce new attack surfaces; therefore, prompt injection, misuse, and anomalous behavior must be detected early. To mitigate this increased surface area for attacks, signals from across the compute, data, and AI layers should feed into existing extended detection and response (XDR) platforms for proactive defense.

Network security

Just like users and devices, agents need secure network access. That includes controlling which agents can access which resources, inspecting traffic, and blocking access to malicious or non-compliant destinations.

Compliance

Agent activities must align with internal policies and external regulations. Organizations should audit interactions, enforce retention policies, and demonstrate compliance across the agent lifecycle.

These are not theoretical requirements; they are essential for building trust in agentic systems at scale.

Building the foundation: Agent identity

To address the need for augmented governance, Microsoft is introducing Entra Agent ID—a new identity designed specifically for AI agents. You can think of them the same way as managed identities (MSIs) with no default permissions. They can act on behalf of users, other agents, or independently, with just-in-time access that’s automatically revoked when no longer needed. They’re secure by default, auditable, and easy for developers to use. As organizations move beyond managing just users and applications, the need to extend these foundational identity principles to AI agents becomes increasingly important.

An emerging strategy to manage AI agents at scale and improve risk management is the concept of an agent registry. While the directory of Microsoft Entra ID is an authoritative source for both human users and application artifacts, there is a need to provide a similar authoritative store for all agent-specific metadata. This is where the concept of an agent registry comes in—serving as a natural extension to the directory, tailored to capture the unique attributes, relationships, and operational context of AI agents as they proliferate across the enterprise. As these registries evolve, they are likely to integrate with core components like MCP servers, reflecting the expanding role of agents within the ecosystem. Together, these tools will allow organizations to achieve observability, manage risk, and scale governance.

Extending Microsoft Security to meet the moment

To meet organizational needs that come with autonomous agents, Microsoft is building on a strong foundation and extending our existing security products to meet the unique demands of the agentic era, grounded in a Zero Trust approach that protects both people and AI agents.

Microsoft’s security stack—including Entra, Purview, Defender, and more—adapts identity management, access control, data protection, secure network access, threat detection, posture management, and compliance to support AI agents across both first-party and third-party ecosystems. We are innovating from this baseline to deliver agent-specific capabilities:

• Microsoft Entra extends identity management and access control to AI agents, ensuring each agent has a unique, governed identity and operates with just-in-time, least-privilege access.
• Microsoft Purview brings robust data security and compliance controls to AI agents, helping organizations prevent data oversharing, manage regulatory requirements, and gain visibility into AI-specific risks.
• Microsoft Defender integrates AI security posture management and runtime threat protection, empowering developers and security teams to proactively mitigate risks and respond to emerging threats in agentic environments.

This isn’t a separate security silo for AI. It’s agent governance becoming a natural extension of the security investments customers already trust—ones that are integrated, consistent, and ready to scale with them.

Microsoft
Deputy CISOs

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series:

To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.

A call to action

The agentic era is here, and the opportunities are real—but so are the risks.

To move quickly without compromising trust, we need to integrate governance into the core of agent design. This begins with visibility, scales with identity, access, and data controls, and matures with posture, threat, and compliance capabilities that treat agents as first-class workloads.

Let’s build a future where agents are not just powerful—but trustworthy by design.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing and governing the rise of autonomous agents​​ appeared first on Microsoft Security Blog.