Why security has become a strategic enabler for AI‑powered growth 

These customer stories highlight how security is no longer a supporting function—it’s a strategic enabler of growth, speed, and trust. As AI accelerates decision-making and reshapes how work gets done, leaders must modernize without increasing risk or slowing the business. The experiences of these forward-looking organizations reflect the realities many companies face: gaining consistent visibility across complex environments, moving faster while maintaining trust, meeting governance and compliance expectations that expand with AI adoption, and driving operational efficiency through automation. These examples will show how the right security foundation allows organizations to scale AI with confidence—turning protection into a competitive advantage, not a constraint.  

First, we’ll take a closer look at St. Luke’s University Health Network. 

How St. Luke’s is accelerating efficiency and threat response with AI 

St. Luke’s identified a critical gap in unified, real-time visibility across its security tools, limiting its ability to detect and stop threats early. The organization needed a way to see across their entire landscape and respond to threats as they emerge. To modernize and unify security operations, St. Luke’s turned to Microsoft Security Copilot to supercharge analyst productivity and help its Security Operations Center (SOC) teams operate at scale. 

By connecting Microsoft Defender and Microsoft Sentinel, St. Luke’s gains a single, AI-powered view across endpoints, identity, email, and cloud workloads—helping analysts move faster, correlate cyberthreats more effectively, and shift from reactive response to proactive, predictive defense. With AI embedded directly into daily workflows, teams can identify risks in real time, uncover gaps in visibility, and make more informed decisions with greater precision.

Streamlining workflows and automating protection

At the same time, Security Copilot agents are transforming how the SOC operates by automating time-consuming tasks like alert triage and vulnerability remediation. This reduces noise, accelerates investigations, and frees analysts to focus on real threats and strategic work. The result is a more efficient, collaborative, and resilient security operation built for today’s increasingly complex threat landscape. With Microsoft Security Copilot, St. Luke’s has:

• Unified visibility across Defender and Microsoft Sentinel eliminates silos and accelerates threat response.
• AI-powered insights help analysts detect, investigate, and act on cyberthreats in real time.
• Security Copilot agents automating routine tasks, with Security Triage Agent saving up to 200 analyst hours each month.
• Advanced phishing triage reduces false positives and improves decision confidence.
• Centralized workflows improve collaboration, reporting speed, and overall SOC efficiency.

St. Luke’s sees its investment in Security Copilot as the foundation for a self-improving security ecosystem. AI-powered security means the team stays ahead of both technological and business changes, ensuring that St. Luke’s remains resilient in the face of evolving threats. To learn more about how St. Luke’s is modernizing and unifying security operations with Microsoft Security Copilot, watch the customer video or read the full St. Luke’s customer story.

How ManpowerGroup is securing a global workforce with a unified platform 

ManpowerGroup is modernizing toward a unified, cloud-based security platform to protect a highly distributed workforce, addressing identity-centric risk and complex compliance requirements as AI becomes embedded in everyday work. Their experiences show how organizations can use Microsoft Security to secure the foundation of AI transformation, end to end. 

As ManpowerGroup scaled globally, its longstanding mix of security tools became more difficult to manage, driving complexity, inconsistent controls, and slower response as cyberthreats and regulatory demands increased. 

To reduce tool sprawl, ManpowerGroup deployed Microsoft 365 E5 for the real-time identity, endpoint, email, and cloud prevention, detection, and response capabilities of Microsoft Defender, plus the cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) performance of Microsoft Sentinel. 

By deploying Microsoft 365 E5, ManpowerGroup reduced security complexity, cut integration timelines from weeks or months to hours or days, unified global security operations, and built an AI-ready security foundation. To see how this platform approach is supporting secure, agile operations worldwide, watch the customer video read the full ManpowerGroup story. 

A repeatable playbook for securing AI at scale 

While these customers operate in very different environments, their paths to securing their organization and adopting (or preparing to adopt) AI followed the same core pattern—one that other organizations can adopt as they modernize. Both started by anchoring security decisions in business risk, then unified signals across cloud, data, identity, and operations, and finally automated guardrails so protection could scale alongside AI-powered work. These experiences point to a clear, repeatable approach for security and adopting AI without slowing business: 

• Lead with risk and business value. Clearly define what must be protected—and why—so security enables AI adoption rather than constraining it. 
• Unify visibility across the environment. Connect cloud, identity, data, and security operations (SecOps) signals into a single operational view to reduce blind spots. 
• Make governance real, not aspirational. Operationalize classification, labeling, data loss prevention, and policy enforcement, so protections are consistent by default. 
• Harden posture continuously. Use continuous configuration management and drift detection to prevent misconfigurations as environments evolve. 
• Automate outcomes at scale. Streamline response and compliance reporting so security and governance improve without increasing headcount. 

This approach helped both organizations move faster with confidence—and offers a practical blueprint for others looking to secure the foundation of AI transformation. 

What Frontier firms get right in the AI era 

These stories point to a broader pattern emerging among leading organizations. “Frontier firms” refers to organizations that lead in the AI era by pairing speed with trust. They move quickly—but not recklessly—because security is treated as a foundational capability, not an afterthought. For these organizations, protection is built into how work gets done: governance that scales as AI adoption grows, posture that remains resilient as environments change, and controls that operate continuously in the background. Security becomes the primitive that allows AI to be deployed with confidence, not constraint. 

These customers exemplify what this looks like in practice. And through their stories, we gain a playbook that other organizations can deploy with confidence. By modernizing security as a platform—connecting visibility, governance, posture management, and automation—organizations can enable AI-powered work while strengthening trust across data, identities, cloud environments, and more. These customer stories show that in the AI era, organizations that treat security as a strategic foundation will be best positioned to lead, adapt, and compete in an AI-powered world. Learn more about how Microsoft Security helps organizations secure AI-powered work at scale. 

Are you a regular user of Microsoft Defender for Cloud? Share your insights and experiences on Gartner Peer Insights.™

Learn more

Learn more about Microsoft Defender for Cloud, Microsoft Purview, and Zero Trust.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.  

¹Secure agentic AI for your Frontier Transformation, Microsoft Security blog. March 9, 2026.

The post Microsoft Security success stories: How St. Luke’s and ManpowerGroup are securing AI foundations appeared first on Microsoft Security Blog.

Microsoft Purview visibility now extends to Anthropic’s Claude

Security and compliance teams can now detect and investigate Claude usage alongside other cloud applications in their broader AI ecosystem. The new Claude Compliance API for Microsoft Purview delivers centralized visibility and oversight for Claude Enterprise activity enabling Microsoft Purview to provide insights on Claude interactions and audit log signals. This integration will provide visibility across Claude Enterprise, extending the Microsoft Purview experience and helping your teams protect sensitive data across your AI estate.  

New data security posture management experience in Microsoft Purview

The new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available. This solution unifies and streamlines DSPM across scenarios, from discovery to protection, all the way to remediation, allowing teams to investigate risks and take actions on the same workflow. The new experience delivers goal-oriented flows, deeper remediation, expanded reporting, and third-party visibility. Your teams can efficiently discover sensitive data, assess risk, and take action at scale.

Microsoft Purview Data Security Investigations extends investigative depth with custom examinations

Microsoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth. OCR extracts text from images, bringing previously inaccessible visual content into scope for AI-powered deep content analysis. In addition to existing examination types that identify credentials, risk, and personally identifiable data, and help inform mitigation, investigators can define their own analysis with custom examination, enabling more tailored and flexible investigations based on their unique needs. 

Microsoft Entra ID Account recovery securely restores account access

Microsoft Entra ID Account recovery is an advanced authentication recovery mechanism that enables users to regain access to their organizational accounts when they’ve lost access to all registered authentication methods. Unlike traditional password reset capabilities, Account recovery focuses on identity verification and trust re-establishment prior to replacement of authentication methods rather than simple credential recovery.

Windows 365 for Agents delivers a secure AI agent execution environment

Windows 365 for Agents, now expanding in public preview, and Microsoft Agent 365 work together to provide a consistent, secure environment to run and govern agents. Agent 365 determines the work an agent is authorized to do, using shared organizational policies and identity to govern agent behavior and access. Windows 365 for Agents defines where an agent executes the work, providing Cloud PCs that enable agents to operate their own desktops and applications within a fully managed and auditable environment. Read our blog for more details.

Stay In the Loop

Microsoft Security continually ships meaningful innovations across our portfolio and research-driven insights and reports for the security community. In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy. Check back for the next drop and connect with us at Microsoft Build, June 2-3, 2026, in San Francisco, to hear directly from Microsoft Security experts and learn more about today’s releases.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post What’s new in Microsoft Security: May 2026 appeared first on Microsoft Security Blog.

The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing your email, retrieving records from your CRM, writing and executing code, and taking actions on your behalf across dozens of connected systems. That shift from “generate text” to “do things in the world” changes the safety equation entirely, because an agent that can act can also potentially act in ways nobody intended.

Today Microsoft is open-sourcing two tools designed to help engineers: Microsoft RAMPART, an agent test framework for encoding adversarial and benign scenarios as repeatable tests that can run in CI, making it easy to turn red-team findings and AI incidents into lasting regression coverage; and Clarity, a structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code.

We built these tools because we believe that AI safety has to become a continuous engineering discipline rather than a periodic checkpoint, and we think the best way to make that happen is to put practical, open tools in the hands of the people doing the building.

Why we are investing in this

1. Helping teams think through the “why,” before the “how” of software building: In the vibe coding era, execution is easy and the harder question is the “why.” The most expensive safety failures we see almost always trace back to design mistakes that nobody questioned early enough, long before any adversary got involved — say, when a product team decided their agent should have access to a tool, or handle a particular user flow, without fully working through what could go wrong. By the time a red team engagement surfaces the issue, the system is largely built, and addressing it means going back to the drawing board. We wanted to give product managers and engineers a way to pressure-test their assumptions at the start of a project, when changing course is cheap and the right conversation can save months of rework.
2. Scaling the lessons of red teaming across the industry. The techniques that uncover vulnerabilities in one agentic product almost always shed light on another. A cross-prompt injection attack that works against one system will often work, with minor variations, against a customer service agent or a coding assistant. But those lessons tend to stay locked inside individual engagement reports. Our goal was to build a system where the lessons of red teaming exercises can be turned into runnable engineering assets.  
3. Making incidents reproducible and mitigations verifiable. If something goes wrong in production AI systems, the team responding needs to do two things quickly: replicate the incident so they understand exactly what happened, and verify that whatever fix they ship actually holds up against variants of the original attack. Both of those tasks are harder than they sound with probabilistic LLMpowered systems, and most teams end up doing them manually in an ad hoc way. We wanted tooling that is purpose-built for exactly this workflow, so that incident response becomes a repeatable engineering process rather than a scramble.

RAMPART: Continuous safety testing for agentic AI

RAMPART is an open-source testing framework that brings red teaming techniques directly into the development workflow. It is built on top of PyRIT, Microsoft’s open automation framework for red teaming generative AI systems so that RAMPART leverages the best in class, out of the box adversarial tests. Where PyRIT is optimized for black-box discovery by security researchers after the system is built, RAMPART is built for engineers as the system is being built.

The developer experience will feel familiar to anyone who has written integration tests. Teams write standard pytest tests that describe scenarios drawn from their threat model. Each test connects to the agent through a thin adapter, orchestrates an interaction, and evaluates observable outcomes. Tests return a clear pass or fail signal and can be gated in CI just like any other integration test. When a new tool or data source is added to the agent, the corresponding safety test can be added in the same pull request.

RAMPART is different from conventional testing in the following ways:

1. Built for prompt injection attacks: RAMPART’s most mature coverage today focuses on cross-prompt injection attacks, scenarios in which an agent retrieves or processes potentially poisoned content from documents, emails, tickets, or other data sources that manipulate its behavior indirectly.  New threat categories can be added incrementally as attack patterns evolve, and the framework’s extension points are all defined as Python protocols, so integration stays lightweight even for complex agent architectures.<
2. Built for probabilistic behavior: Because LLM behavior is probabilistic, RAMPART supports statistical trials. The same test can run multiple times with policies like “this action must be safe in at least 80 percent of runs.” This reflects how agents actually behave in production far more accurately than single-shot validation ever could.
3. Built to reproduce your AI red team findings and AI incidents: RAMPART is designed to work alongside dedicated red teaming, and the two reinforce each other. Findings from a red team engagement can be encoded as RAMPART tests, which means the issue is permanently covered, runs on every change, and never silently regresses. The ownership model is intentionally flipped from the traditional approach: engineers write the tests, engineers run them, and engineers treat failures like any other bug. The framework supplies the attack strategies, adversarial payload generation, and evaluation logic. The test author focuses on expressing expectations about what their agent should and should not do.

Agent safety ultimately comes down to what the agent does, which means evaluators need to look at which tools it invokes, what side effects occur, and whether those actions stay within expected boundaries. RAMPART’s evaluators are designed to inspect all of that. They are composable, so teams can combine them with boolean logic to express nuanced safety conditions rather than relying on a single binary signal.

Clarity: Helping check software engineering assumptions

Where most AI tools are designed to help teams execute faster, Clarity was designed by Microsoft to help them figure out whether they are executing on the right thing in the first place. It asks the kinds of questions that experienced architects, product managers, and safety engineers would ask, the ones that are easy to skip when a team is excited about building something new.

Consider a team that wants to add real-time collaboration to a document editor. Instead of jumping straight to implementation options, Clarity will ask what happens when two people edit the same paragraph at the same time, and whether the team actually needs true real-time collaboration with cursors and presence indicators, or whether “nobody loses their work” is the real requirement. Those two answers can lead to very different architectures with very different failure modes, and getting clarity on that distinction early can save months of rework.

Clarity runs as a desktop app, a web UI, or embedded directly in a coding agent. It guides engineers through structured conversations covering problem clarification, solution exploration, failure analysis, and decision tracking. As the conversation progresses, the results are written to a .clarity-protocol/ directory in the repo as plain, human-readable markdown files that get committed, reviewed in pull requests, and diffed just like source code. They capture the problem statement, the solution rationale, the failure analysis, and the key decisions made along the way.

The failure analysis deserves a closer look, because it goes well beyond what a single reviewer would typically catch. Multiple AI “thinkers” independently examine the system from different angles, including security, human factors, adversarial scenarios, and operational concerns. The team then works through the results together with Clarity, grouping related failures, tracing causal chains, and building management plans.  

Clarity also tracks staleness across these documents, because they form a dependency graph. When a problem statement changes, Clarity knows that the solution description and failure analysis might need revisiting and nudges the team to do so. Important decisions are captured with their criteria, the options considered, and the rationale behind each choice, so that six months later anyone on the team can revisit the full reasoning, including which alternatives were ruled out and why.

The .clarity-protocol/ directory becomes a shared artifact that everyone on the team can see and contribute to, and for stakeholders who need a summary before a review, Clarity can generate a review packet that tells a coherent narrative.

RAMPART and Clarity are part of a broader movement toward spec-driven, engineering-native AI safety. They complement Microsoft’s work on policy-to-measurement systems: Clarity helps teams clarify design intent and capture assumptions; RAMPART gives teams the building blocks to write concrete agent safety testsand keep them running as agents evolve.. Together, these approaches move AI safety from a one-time review to a set of living artifacts that developers can use throughout the lifecycle.

RAMPART and Clarity available now

Both RAMPART and Clarity are available today as open source projects from Microsoft.

We look forward to working with the community. For feedback, and partnership in deploying this in the enterprise setting, please contact aisafetytools@microsoft.com.

Contributions

Microsoft RAMPART is led by Bashir Partovi with contributions from Elliot H Omiya, Richard Lundeen, Nina Chikanov, Spencer Schoenberg, and Toby Kohlenberg. Clarity is joint project from Yonatan Zunger, Dharmin Shah, Elliot H Omiya, Eve Kazarian, Sarah Cooley, and Neil Coles. We would like to thank Minsoo Thigpen, Abby Palia, Mehrnoosh Sameki, Hilary Solan, Elliot Volkman, Pete Bryan, Roman Lutz, and Shiven Chawla for their helpful comments.

The post Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow appeared first on Microsoft Security Blog.

The key question is: How can we maximize the benefits of AI while staying protected in a rapidly evolving threat landscape?

Cybersecurity—from IT issue to business risk

Today’s cybersecurity landscape is defined by speed, scale, and automation—trends that disproportionately affect growing businesses. According to the 2025 Microsoft Digital Defense Report, Microsoft now processes more than 100 trillion security signals every day and blocks 4.5 million new malware files daily, underscoring just how industrialized cybercrime has become. Increasingly, cyberattackers are using AI to automate phishing, generate highly convincing scams, and rapidly adapt malware, making cyberattacks more frequent and harder to detect.

For businesses that often lack dedicated security teams or round-the-clock monitoring, this shift has real business consequences: disrupted operations, financial loss from ransomware or fraud, and lasting damage to customer trust. The report also notes that most modern cyberattacks now target identities, like user accounts and access—a challenge for organizations relying on cloud services and remote work without strong protections in place for accounts and access. As AI continues to amplify both the volume and sophistication of cyberattacks, cybersecurity is no longer just an IT issue for businesses—it’s a core business risk that can directly affect resilience and growth.

Building a foundation of trust

In this new reality, security becomes the foundation of trust—helping growing businesses protect their operations, preserve customer trust, and move forward with confidence. For business owners, cybersecurity isn’t just about stopping cyberattacks; it’s about keeping the business running day to day. When systems go down, orders can’t be processed, employees can’t do their work, and customers are left waiting or wondering whether their data is safe. Even short disruptions can have outsized consequences for growing businesses, from lost revenue and stalled growth to reputational damage that’s hard to repair. By making security a core part of how the business operates—not an afterthought—even the smallest businesses put themselves in a stronger position to withstand disruptions, maintain credibility with customers, and create a stable foundation for long-term growth.

Simple, built‑in security for your growing business

Effective security must be simple, approachable, and fit the realities of running a business with limited time and resources. Many growing businesses don’t have dedicated security teams or the time and resources to manage complex tools, yet they still need protection that keeps pace with modern threats. Microsoft Security is built with this in mind, offering integrated, easy‑to‑manage protections that help safeguard devices, identities, email, and cloud apps without adding unnecessary complexity. Microsoft 365 Business Premium combines productivity and built-in security in one streamlined solution, with centralized visibility and automation that reduces manual effort. It helps protect your users, devices, and data across your business, so you can stay focused on customers and day-to-day operations. By providing security that works quietly in the background—and scales as the business grows—Microsoft helps businesses of all sizes protect what matters most without slowing them down.

Allowing people to operate devices and applications without conditional access increases risks. Getting that done was a huge success for us.“

—Theo Mouchteros, Head of IT Operations, Acumen

Take the next step

To discover the right security plan for growing business, read our small and medium business plans and pricing options or contact Microsoft Sales for more support.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

²Cyber Signals Issue 9.

³The Devastating Impact of Ransomware Attacks on Small Businesses.

The post How to better protect your growing business in an AI-powered world appeared first on Microsoft Security Blog.

AI agents are moving beyond assistance and into action. Instead of generating content, they invoke tools, modify data, trigger workflows, and operate across systems with increasing autonomy. This shift changes the security problem fundamentally. When an agent can act autonomously, mistakes propagate faster, blast radius increases, and rollback becomes harder.

Security for agentic AI relies on defense in depth. What changes with autonomous agentic AI is where security decisions matter most. As autonomy increases, the center of gravity moves away from the model alone and toward how agents are assembled, constrained, and governed inside real applications. To build agentic AI applications that can be operated safely at scale, you need to deliberately design how agents are assembled, constrained, and governed within real applications. In return, you increase the likelihood of predictable behavior, controlled blast radius, and the confidence to deploy autonomy in production.

Defense in depth for agentic AI systems

Agentic AI systems are vulnerable to the existing security risks of software systems, and introduce new threat classes: agent hijacking, intent breaking, sensitive data leakage, supply chain compromise, and inappropriate reliance. Any weakness in permissions, data protection, or access control that exists today is amplified when an agent is added to the system.

A useful way to reason about agent security is through the following mitigation layers:

• Model layer: Influences how the agent reasons through training data, fine-tuning, and refusal behaviors.
• Safety system layer: Provides runtime protections such as content filtering, guardrails, logging, and observability.
• Application layer: Defines what the agent can do and how it does it through application architecture, permissions, workflows, and escalation paths.
• Positioning layer: Shapes how the system is presented to users through transparency documentation and UX disclosure.

Each layer reinforces the others, and no single layer is sufficient on its own. The model layer is probabilistic by nature. The safety system layer observes and intervenes at runtime. The positioning layer shapes perception. But for organizations building agentic AI applications, the application layer is the decisive one because it is the only layer builders fully control.  The application layer translates probabilistic model behavior into deterministic system outcomes. This is also where customers turn generic components into differentiated systems: two organizations can start with the same model and tools and end up with very different security outcomes depending on how they constrain agent behavior at this layer.

Why the application layer matters most when building agentic AI applications

Most organizations build agentic AI applications by combining off-the-shelf models, tools, and business data into systems that perform specific tasks. The application layer is where they decide which actions an agent is allowed to take, which tools and data it can access, how permissions are scoped and enforced, how failures are handled, and when humans must be involved.

Getting these decisions right requires thinking through several specific design patterns. Each one addresses a distinct failure mode. Together, they form the practical expression of defense in depth at the application layer.

Here are some recommended design patterns for building a more resilient application layer for your agents.

Pattern 1: Design agents like microservices

The most consequential application layer decision is action scope: how broadly you define an agent’s responsibilities. A common and dangerous failure mode is the “everything agent,” a single agent with broad permissions, many tools, and loosely defined responsibilities. Every additional tool expands the attack surface. Every ambiguous instruction increases the risk of error or task drift. As autonomy and tools increase, these risks compound quickly.

A more resilient approach is to design agents the way distributed systems have been designed for decades: as carefully scoped components with bounded capabilities. Agents should have isolated permissions, clear interfaces, and narrow responsibilities. More complex behaviors emerge from orchestration rather than from granting a single agent broad authority. Building agents like microservices, with constrained responsibilities and scoped permissions by design, is one of the most effective structural controls available at the application layer.

Pattern 2: Least permissions

Bounded scope defines what an agent is responsible for. Progressive permissioning governs what actions are permitted within that scope. As a rule, permissions should always start at zero (“zero trust”).

For safe design, no actions should be permitted by default. Actions are enabled explicitly, based on role and system needs. Least-privilege and zero-access principles apply to agents just as they do to human users.

Permissions granted loosely at design time become exploitable surfaces at runtime.

In practice, this means every tool call, data access, and external integration an agent can invoke should be the result of a deliberate authorization decision, not an implicit one. The question is not “should we restrict this?” but “have we explicitly permitted this?”

The general rule is to scope capabilities to the duration of a specific task. If task-based limits aren’t feasible, implement time-based limits. Task-focused permissions are preferred because they naturally “expire” when the task completes; temporal permissions help limit blast radius.

Pattern 3: Deterministic human-in-the-loop design

Even well-scoped, well-permissioned agents need a governance backstop for high-stakes decisions. Human-in-the-loop (HITL) review is often discussed as a trust mechanism: a way to keep humans informed. In agentic systems, it is better understood as a governance mechanism: a structural control that prevents agents from self-authorizing consequential actions.

The critical design mistake here is letting the model decide when human review is required. If escalation is left to probabilistic reasoning, an adversarial prompt or an ambiguous instruction can bypass review entirely. A model that reasons its way out of escalating is exhibiting exactly the behavior the escalation mechanism was supposed to catch.

In secure agentic systems:

• HITL review ideally is enforced deterministically by the application layer, or orchestrator, not delegated to the model.
• Escalation triggers are defined in code.
• An orchestrator enforces HITL review triggers.
• Intervention can occur mid-execution — including during tool calls — rather than only before or after an action completes.

This design removes ambiguity about when review is required, supports auditability for oversight and compliance, and ensures that as agents move toward greater autonomy, the separation between reasoning and enforcement remains intact.

Pattern 4: Agent identity as a security primitive

It is an unfortunate reality that human users are routinely over-permissioned (“give them access to everything”). To implement Pattern 1: Agents as Microservices and Pattern 2: Least permissions, agents must never have the same identity as the user. This sounds obvious, but it requires deliberate design: When an action is taken, you need to know if it was executed by the user, the agent was acting on its own behalf, or the agent acting on the user’s behalf. Each agent must be assigned a unique, verifiable identity which allows assignment of explicit and narrowly scoped permissions, lifecycle controls, and accountability.

Agent identity enables least-privilege enforcement, because you cannot scope permissions to a specific agent if you cannot distinguish that agent from other agents or a human user. It also enables lifecycle governance, because revocation actions won’t be invoked when many agents are affected. Finally, separate agent identity enables meaningful observability, because actions can be traced back to a specific agent rather than being attributed vaguely to “the system.”

 As enterprises manage agent sprawl (with more agents, more deployments, and even more integrations), identity clarity becomes operationally critical. Identity is not a feature you add later. It is a prerequisite for operating autonomous agents responsibly at scale, and it ties together every other application layer pattern: permissioning, escalation, and logging all depend on knowing which agent is acting.

How the Other Layers Reinforce Application‑Layer Design

Focusing on the application layer does not diminish the importance of the other layers. Instead, it clarifies their roles.

• The model layer – the model chosen to enable the application – shapes how an agent reasons, but remains probabilistic. It can be tuned toward safer behavior, but it cannot guarantee it.
• The safety system layer – platform tools like content filters and groundedness detection – compensates for what models alone cannot prevent: it detects anomalies, filters harmful outputs, and fulfills the observability teams’ need to respond when something goes wrong.
• The positioning layer – how the UI and UX explains that AI is in use, what it can do, and what it can’t do

Each layer addresses failure modes the others cannot fully cover. A strong safety system cannot compensate for an agent with unlimited scope. A well-tuned model cannot substitute for deterministic escalation triggers. The application layer is where the load-bearing decisions are made. The other layers make those decisions more resilient.

Designing for Secure Autonomy

The four patterns described here — agents as microservices, least permissions, deterministic human-in-the-loop design, and agent identity — are mutually reinforcing. Scope containment limits blast radius. Permissioning limits what a contained agent can do. Deterministic escalation ensures that neither scope nor permissions can be circumvented by adversarial input. Identity makes all of it auditable.

The application layer is where customers have the most power to shape how their agent behaves. It is where off‑the‑shelf models become real agentic AI applications. It is where security decisions shape both business value and risk. Defense in depth remains the right strategy. As agents take on more responsibility, the application layer becomes the place where that strategy succeeds or fails.

As organizations deploy more agentic AI systems, the question is not whether agents will make mistakes. They already have and will continue to. The question is whether those mistakes are minimized, identified, and contained. Secure autonomous agentic AI systems are achieved by designing systems where autonomy is bounded by architecture, permissions, identity, and deterministic oversight from the start.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Defense in depth for autonomous AI agents appeared first on Microsoft Security Blog.

AI agents have fundamentally changed the threat model of AI model-based applications. By equipping these models with plugins (also called tools), your agents no longer just generate text; they now read files, search connected databases, run scripts, and perform other tasks to actively operate on your network.

Because of this, vulnerabilities in the AI layer are no longer just a content issue and are an execution risk. If an attacker can control the parameters passed into these plugins via prompt injection, the agent may be driven to perform actions beyond its intended use.

The AI model itself isn’t the issue as it’s behaving exactly as designed by parsing language into tool schemas. The vulnerability lies in how the framework and tools trust the parsed data.

To build powerful applications, developers rely heavily on frameworks like Semantic Kernel, LangChain, and CrewAI. These frameworks act as the operating system for AI agents, abstracting away complex model orchestration. But this convenience comes with a hidden cost: because these frameworks act as a ubiquitous foundational layer, a single vulnerability in how they map AI model outputs to system tools carries systemic risk.

As part of our mission to make AI systems more secure and eliminate new class of vulnerabilities, we’re launching a research series focused on identifying vulnerabilities in popular AI agent frameworks. Through responsible disclosure, we work with maintainers to ensure issues are addressed before sharing our findings with the community.

In this post, we share details on the vulnerabilities we discovered in Microsoft’s Semantic Kernel, along with the steps we took to address them and interactive way to try it yourself. Stay tuned for upcoming blogs where we’ll dive into similar vulnerabilities found in frameworks beyond the Microsoft ecosystem.

Background

We discovered a vulnerable path in Microsoft Semantic Kernel that could turn prompt injection into host-level remote code execution (RCE).

A single prompt was enough to launch calc.exe on the device running our AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed. The agent simply did what it was designed to do: interpret natural language, choose a tool, and pass parameters into code.

This scenario is the real security story behind modern AI agents. Once an AI model is wired to tools, prompt injection draws a thin line between being just a content security problem and becoming a code execution primitive. In this post in our research series on AI agent framework security, we show how two vulnerabilities in Semantic Kernel could allow attackers to cross that line, and what customers should do to assess exposure, patch affected agents, and investigate whether exploitation may already have occurred.

A representative case study: Semantic Kernel

Semantic Kernel is Microsoft’s open-source framework for building AI agents and integrating AI models into applications. With over 27,000 stars on GitHub, it provides essential abstractions for orchestrating AI models, managing plugins, and chaining workflows.

During our security research into the Semantic Kernel framework, we identified and disclosed two critical vulnerabilities: CVE-2026-25592 and CVE-2026-26030. These flaws, which have since been fixed, could allow an attacker to achieve unauthorized code execution by leveraging injection attacks specifically targeted at agents built within the framework.

In the following sections, we break down the mechanics of these vulnerabilities in detail and provide actionable guidance on how to harden your agents against similar exploitation.

CVE-2026-26030: In-Memory Vector Store

Exploitation of this vulnerability requires two conditions:

1. The attacker must have a prompt injection vector, allowing influence over the agent’s inputs
2. The targeted agent must have the Search Plugin backed by In-Memory Vector Store functionality using the default configuration

When both these two conditions are met, the vulnerability enables an attacker to achieve RCE from a prompt.

To demonstrate how this vulnerability could be exploited, we built a “hotel finder” agent  using Semantic Kernel. First, we created an In Memory Vector collection to store the hotels’ data, then exposed a search_hotels(city=…) function to the kernel (agent) so that the AI model could invoke it through tool calling.

When a user inputs, for example, “Find hotels in Paris,” the AI model calls the search plugin with city=”Paris”. The plugin then first runs a deterministic filter function to narrow down the dataset and computes vector similarity (embeddings).

With this understanding of how a Semantic Kernel agent performs the search, let’s dive deep into the vulnerability.

Issue 1: Unsafe string interpolation

The default filter function that we mentioned previously is implemented as a Python lambda expression executed using eval(). In our example, The default filter will result to new_filter = “lambda x: x.city == ‘Paris'”.

The vulnerability is that kwargs[param.name] is AI model-controlled and not sanitized. This acts as a classic injection sink. By closing the quote (‘) and appending Python logic, an attacker could turn a simple data lookup into an executable payload:

• Input: ‘ or MALICIOUS_CODE or ‘
• Result: lambda x: x.city == ” or MALICIOUS_CODE or ”

Issue 2: Avoidable blocklist

The framework developers anticipated this RCE risk and implemented a validator that parses the filter string into an Abstract Syntax Tree (AST) before execution.

Before running a user-provided filter code, the application runs a validation function designed to block unsafe operations. At a high level, the validation does the following:

1. It only allows lambda expressions. It rejects outright any attempt to pass full code blocks (such as import statements or class definitions).
2. It scans every element in the code for dangerous identifiers and attributes that could enable arbitrary code execution (for example, strings like eval, exec, open, __import__, and similar ones). If any of these identifiers appear, the code is rejected.
3. If the code passes both checks, it is executed in a restricted environment where Python’s built-in functions (like open and print) are deliberately removed. So even if something slips through, it shouldn’t have access to dangerous capabilities.

The resulting lambda is then used to filter records in the Vector Store.

While this approach is solid in theory, blocklists in dynamic languages like Python are inherently fragile because the language’s flexibility allows restricted operations to be reintroduced through alternate syntax, libraries, or runtime evaluation.

We found a way to bypass this blocklist implementation through a specially crafted exploit prompt.

Exploit

Our exploit prompt was designed to manipulate the agent into triggering a Search Plugin invocation with an input that ultimately leads to malicious code execution:

This prompt circumvented the agent to trigger the following function calling:

As result, the lambda function was formatted as the following and executed inside eval(). This payload escaped the template string, traversed Python’s class hierarchy to locate BuiltinImporter, and used it to dynamically load os and call system(). These steps bypassed the import blocklists to launch an arbitrary shell command (for example, calc.exe) while keeping the template syntax valid with a clean closing expression.

The filter function didn’t block the payload because of the following reasons:

1. Missing dangerous names

The payload used several attributes that weren’t in the blocklist:

• __name__  – Used to find BuiltinImporter by name
• load_module – The method that imports modules
• system – The method that executes shell commands
• BuiltinImporter – The class itself

2. Structural check passes

The payload was wrapped inside a valid lambda expression. The check isinstance(tree.body, ast.Lambda) passed because the entire thing is in itself a lambda that just happens to contain malicious code in its body.

3. Empty __builtins__ is irrelevant
The eval() call used {“__builtins__”: {}} to remove access to built-in functions. However, this protection was meaningless because the payload never used built-ins directly. Instead, it started with tuple(), which exists regardless of the builtins environment, and crawled through Python’s type system to reach dangerous functionality.

4. No ast.Subscript checking
While not used in this payload, it’s worth noting that the filter only checked ast.Name and ast.Attribute nodes. If the payload needed to use a blocked name, it could’ve accessed it using bracket notation (for example, obj[‘__class__’] instead of obj.__class__), which creates an ast.Subscript node that the validation completely ignored.

Mitigation

After responsibly disclosing the vulnerability to MSRC, the Microsoft Semantic Kernel team implemented a comprehensive fix using four layers of protection to eliminate every escape primitive needed to turn a lambda filter into executable code:

• AST node-type allowlist – Permits only safe constructs like comparisons, boolean logic, arithmetic, and literals.
• Function call allowlist – Checks even allowed AST call nodes to ensure only safe functions can be invoked.
• Dangerous attributes blocklist – Blocks class hierarchy traversal (for examples, __class__, __subclasses__).
• Name node restriction – Allows only the lambda parameter (for example, x) as a bare identifier and rejects references to os, eval, type, and others.

How do I know if I am affected?

Your agent is vulnerable to CVE-2026-26030 if it meets all of the following conditions:

• It uses the Python package semantic-kernel.
• It’s running a framework version prior to 1.39.4.
• It uses the In-Memory Vector Store and relies on its filter functionality (when acting as the backend for the Search Plugin using default configurations).

What to do if I am affected?

You don’t need to rewrite your agent. Upgrading the Python semantic-kernel dependency to version 1.39.4 or higher mitigates the risk.

What about the time that my agent was vulnerable?

While patching closes the bug, but it doesn’t answer the retrospective question defenders care about: whether their agent was exploited before they upgraded.

First, define the vulnerable window for each affected deployment: from the moment a vulnerable Semantic Kernel Python version was deployed until the moment version 1.39.4 or later was installed. Any investigation should focus on that time range.

Second, hunt for host-level post-exploitation signals during that vulnerable window. Because successful exploitation results in code execution on the host, the most useful evidence is in endpoint telemetry: suspicious child processes, outbound connections, or persistence artifacts created by the agent host process. We provide a set of practical advanced hunting queries for further investigation in a separate section of this blog.

If you find suspicious activity during that window, treat it as a potential host compromise. Review the affected host, rotate credentials and tokens accessible to the agent, and investigate what data or systems that host could reach.

CVE-2026-25592: Arbitrary file write through SessionsPythonPlugin

Before diving into the mechanics of this second vulnerability, here is what an agent sandbox escape looks like in practice: with a single prompt, an attacker could bypass a cloud-hosted sandbox, write a malicious payload directly to the host device’s Windows Startup folder, and achieve full RCE.

The container boundary

Semantic Kernel includes a built-in plugin called SessionsPythonPlugin that allows agents to safely execute Python code inside Azure Container Apps dynamic sessions, which are isolated cloud hosted sandboxes with their own filesystem.

The security model relies entirely on this boundary. Code runs in the isolated sandbox and cannot touch the host device where the agent process runs. To help move data in and out of the sandbox, the plugin uses helper functions like UploadFile and DownloadFile, which run on the host side to transfer files across this boundary.

The vulnerability

In the .NET software development kit (SDK), DownloadFileAsync was accidentally marked with a [KernelFunction] attribute, which officially advertised it to the AI model as a callable tool, complete with its parameter schema:

Because of this attribute, the localFilePath parameter, which dictates exactly where File.WriteAllBytes() saves data on the host device, was now entirely AI controlled. With no path validation, directory restriction, or sanitization in place, an attacker wouldn’t need a complex hypervisor exploit; they just needed to prompt the model to do it for them.

(Note: Arbitrary File Read. A similar vulnerability existed in reverse for the upload_file() function across both the Python and .NET SDKs. It accepted any local file path without validation, allowing prompt injections to exfiltrate sensitive host files, like SSH keys or credentials, directly into the sandbox).

Attack chain overview

By chaining two exposed tools, an attacker could turn standard function calling into a sandbox escape:

Step 1: Create the payload

An  injected prompt instructs the agent to use the ExecuteCode tool to generate a malicious script inside the isolated container:

At this point, the payload is contained. It exists only in the sandbox and cannot execute on the host.

Step 2: Escape the sandbox

A second injected instruction tells the AI model to use the DownloadFileAsync tool to download the file to a dangerous location on the host:

The agent calls:

The agent fetches the script from the sandbox’s API and writes it directly to the host’s Windows\Start Menu\Programs\Startup folder.

Step 3: Execute the code

On the next user sign-in, the script runs, granting full host compromise.

This exploit illustrates the MITRE ATLAS technique AML.T0051 (LLM Prompt Injection) cascading into AML.T0016 (Obtain Capabilities).

Exposing DownloadFileAsync provided a direct file write primitive on the host filesystem, effectively negating the container isolation.

The fix and how to defend

Semantic Kernel patched this vulnerability by removing the root cause of tool exposure and adding defense in depth:

Removed AI access – The [KernelFunction] attribute was removed, making the function invisible to the AI model. The AI agent can no longer invoke it, and prompt injection can no longer reach it:

This single change breaks the entire attack chain. The AI can now only be called directly by the developer’s intentional code.

• Path validation – For developers calling the function programmatically, a ValidateLocalPathForDownload() method was added using path canonicalization (Path.GetFullPath()) and directory allowlist matching to ensure the target path falls within permitted directories:

How do I know if I am affected?

Your agent is vulnerable to CVE-2026-25592 if it uses a Semantic Kernel .NET SDK version older than 1.71.0.

Defending the agentic edge

If you use Semantic Kernel, our primary recommendation is to upgrade immediately. You don’t need to rewrite your agent’s architecture; the security updates simply remove the AI model’s ability to trigger these functions autonomously.

More broadly, defending AI agents requires acknowledging that AI models aren’t security boundaries. Security teams must correlate signals across two layers: the AI model level (intent detection through meta prompts and content safety filters) and the host level (execution detection). If an attacker bypasses the AI model guardrails, traditional endpoint defense must be in place to detect anomalous behavior, such as an AI agent process suddenly spawning command lines or dropping scripts into Startup folders.

Not bugs, but developed by design

Untrusted data being used as input for high-risk operations isn’t entirely new. In the early days of web application security, such input was passed directly into SQL queries or filesystem APIs. Today, agents are doing something similar, in that they could map untrusted natural-language input to system tools.

The overarching lesson from both vulnerabilities is that both aren’t bugs in the AI model itself, but rather issues in agent architecture and tool design. We must make a clear distinction between model behavior and agent architecture. The AI model functions exactly as it was designed to: translate intent into structured tool calls.

When models are connected to system tools, prompt injection risks may extend beyond typical chatbot misuse and require additional safeguards. Instead, it becomes a direct path to concrete execution primitives like data exfiltration, arbitrary file writes, and RCE. For a deeper look at the runtime risks of tool-connected AI models, see Running OpenClaw safely: identity, isolation, and runtime risk.

As mentioned previously, your LLM is not a security boundary. The tools you expose define your attacker’s affected scope. Any tool parameter the model can influence must be treated as attacker-controlled input.

In the next blog in this series, we’ll expand beyond Semantic Kernel to explore structurally similar execution vulnerabilities that we found in other widely used third-party agent frameworks.

CTF challenge: Attack your own agent

If you want to see how prompt injections escalate into execution and to put your skills to the test, we’ve packaged the vulnerable hotel-finder agent that we described in this blog into an interactive, hands-on capture-the-flag (CTF) challenge.

This CTF challenge lets you step into the shoes of an attacker and try to exploit the CVE-2026-26030 vulnerability in a controlled environment. You need to craft a prompt injection that not only bypasses the agent’s natural language defenses but also smuggle a Python AST-traversal payload through the vulnerable eval() sink.

To see if you can manipulate the AI model into launching arbitrary code and popping calc.exe on the server, download the challenge, spin it up in a sandbox, and see if you can achieve RCE. Keep in mind that this challenge is for educational purposes only, and shouldn’t be run in production environments.

Reconnaissance:

Exploit (jailbreak and payload):

Note: Because the agent will running locally on your device, calc.exe will open on your desktop. In a real-world scenario, such an executable file will launch remotely on the server hosting the agent.

Download the CTF challenge: https://github.com/amiteliahu/AIAgentCTF/tree/main/CVE-2026-26030

Advanced hunting

The following advanced hunting queries lets you surface suspicious activities from Semantic Kernel agents.

Detect common RCE post-exploitation child processes from Semantic Kernel agent hosts

DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessCommandLine matches regex @"(?i)semantic[\s_\-]?kernel"
    or InitiatingProcessFolderPath matches regex @"(?i)semantic[\s_\-]?kernel"
| where FileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe", "wsl.exe",
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "bitsadmin.exe", "curl.exe",
    "wget.exe", "whoami.exe", "net.exe", "net1.exe", "nltest.exe",
    "klist.exe", "dsquery.exe", "nslookup.exe"
)
| project 
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessFolderPath
| sort by Timestamp desc

Detect .NET hosting Semantic Kernel that spawns suspicious children

DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ ("dotnet.exe")
| where InitiatingProcessCommandLine matches regex @"(?i)(semantic[\s_\-]?kernel|SKAgent|kernel\.run)"
| where FileName in~ (
    "cmd.exe", "powershell.exe", "pwsh.exe", "bash.exe",
    "certutil.exe", "curl.exe", "whoami.exe", "net.exe"
)
| project 
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| sort by Timestamp desc

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.   

• Learn more about securing Copilot Studio agents with Microsoft Defender  
• Evaluate your AI readiness with our latest Zero Trust for AI workshop.
• Learn more about Protect your agents in real-time during runtime (Preview)
• Explore how to build and customize agents with Copilot Studio Agent Builder 
• Microsoft 365 Copilot AI security documentation 
• How Microsoft discovers and mitigates evolving attacks against AI guardrails 

The post When prompts become shells: RCE vulnerabilities in AI agent frameworks appeared first on Microsoft Security Blog.

Passwords remain a major source of risk; they’re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they’re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%.¹ In response, Microsoft is expanding passkey adoption across our ecosystem. We’re reducing reliance on legacy authentication and strengthening account recovery so it won’t become a backdoor for cyberattackers.

Passkey adoption continues to grow industry wide

Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide.² Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day.

There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower.³ Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer.⁴

Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment.⁵ It’s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone.

Product updates across sign-in and recovery

Across Microsoft, we’ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra, and from device-based authentication like Windows Hello to Microsoft’s password manager. This work ensures people can create and use passkeys wherever they sign in, with a consistent, phishing-resistant experience across devices, apps, and environments.

To make passkeys more accessible, we’re expanding where and how people can use them:

• Synced passkeys and passkey profiles in Microsoft Entra ID make it easier to scale passwordless sign-in across diverse environments. We’re expanding flexibility in cloud passkey management, including support for larger and more complex policies, and transitioning tenants to a unified passkey profile model.
• Entra passkeys on Windows make it simple for users to create and use device-bound passkeys directly on personal or unmanaged Windows devices using Windows Hello, and will be generally available in late May 2026.
• Passkeys for Microsoft Entra External ID will be generally available late May 2026, so your customer-facing applications can offer a more seamless, consumer-grade sign-in experience.
• Passkey-preferred authentication in Microsoft Entra ID (preview) detects registered methods and prompts the strongest one first. If a passkey is registered, that’s what the user sees—immediately. 
• On the consumer side, with Microsoft Password Manager, users can now save and sync passkeys across devices signed in with their Microsoft account, with support for iOS and Android rolling out soon through Microsoft Edge. 

Account recovery also plays a critical role in maintaining the integrity of identity systems. Historically, it’s been vulnerable to cyberattackers who try to hijack the recovery process, for example by impersonating legitimate users and requesting new credentials.

Microsoft Entra ID account recovery, generally available today, strengthens security for recovery flows by enabling users to regain access to their accounts through a robust identity verification process. Users can regain access after losing all authentication methods by using government-issued ID and biometric face checks. At general availability, we are expanding our identity verification ecosystem with two new partners—1Kosmos and CLEAR1—joining our existing partners Au10tix, IDEMIA, and TrueCredential. 

Removing phishable credentials from user accounts

Strengthening authentication is important, but reducing risk means eliminating phishable credentials entirely. Microsoft is continuing to phase out legacy methods and move users toward phishing-resistant authentication. Starting in January 2027, security questions will be removed as a password reset option in Microsoft Entra ID due to their susceptibility to guessing and social engineering.

The rationale is straightforward: improving strong methods while removing weak ones shrinks the attack surface. This is increasingly urgent as AI agents act on behalf of users. If an identity is compromised, cyberattackers can leverage those agents to access systems, execute workflows, and operate within existing permissions. Organizations need to address this risk quickly.

A more secure and usable future

Last year, Microsoft joined dozens of organizations in taking the Passkey Pledge, a commitment to accelerating the adoption of phishing-resistant authentication and to moving beyond passwords. Since then, we’ve seen meaningful progress, from hundreds of millions of better-protected consumer accounts to large-scale deployments across organizations like our own.

What once felt like a long-term shift is finally gaining real momentum: authentication is becoming simpler, safer, and passwordless.

For a more in-depth perspective on how cyberattackers try to bypass authentication through fallback methods and recovery flows—and how to address those gaps—read our companion post.

Getting started

Organizations that want to strengthen their identity security posture can enable passkeys for their users and extend policy protections across both sign-in and recovery scenarios.

Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID.

Individuals can create and use passkeys for their personal accounts for better security and convenience.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025.

²FIDO Alliance reports mainstream global usage on World Passkey Day. FIDO Alliance, 2026.

³Synced passkeys and high assurance account recovery, Microsoft Entra blog. December 16, 2025.

⁴FIDO Alliance Champions Widespread Passkey Adoption and a Passwordless Future on World Passkey Day 2025, FIDO News Center. May 1, 2025.

⁵Microsoft Security and Future Initiative (SFI) Progress Report—November 2025.

The post World Passkey Day: Advancing passwordless authentication appeared first on Microsoft Security Blog.

KuppingerCole Analysts’ 2026 Emerging AI Security Operations Center (SOC) reflects this shift clearly: the future of security automation is not defined by static rules or isolated workflows, but by intelligence‑driven automation that supports analyst decision‑making across the full security lifecycle. This evolution mirrors what many security leaders already experience day to day, that the limiting factor is no longer alert volume, but human capacity.

Microsoft is excited to be named an Overall Leader, and the Market Leader, in this report, as we see automation as a core component of the future of cybersecurity.

From playbook‑driven SOAR to intelligence‑led automation

Traditional security orchestration, automation, and response (SOAR) solutions were built to automate predictable, repeatable tasks: enrichment steps, ticket creation, notifications, and predefined containment actions. These capabilities remain valuable, but they were designed for an era when incidents followed more deterministic patterns.

This is a critical change. In many SOCs today, analysts still spend significant time:

• Stitching together context across alerts and data sources.
• Manually triaging incidents that turn out to be benign.
• Following repetitive investigation and response steps.

The result is slower response times and analyst burnout—at exactly the moment attackers are moving faster and operating more quietly.

Automation built into the analyst experience

Microsoft has evolved the way these common challenges can be addressed, leveraging machine learning, large language models (LLMs), and agents, including releases such as:

• Automatic attack disruption: An always-on capability that limits lateral attackers and reduces the overall impact of an attack, from associated costs to loss of productivity, leaving security operations teams in complete control of investigating, remediating, and bringing assets back online.
• Phishing triage agent: An agent that runs sophisticated assessments—including semantic evaluation of email content, URL and file inspection, and intent detection—to determine whether a submission is a true phishing threat or a false alarm.
• AI powered incident prioritization: A machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0–100 and explaining the key factors behind the ranking. 
• Playbook generator: An experience that allows users to create python-code playbooks using natural language for flexible workflow automation.

These capabilities are just the beginning of how we are introducing agents and automation to help users move faster, freeing analysts to focus on higher‑value tasks like proactive hunting and threat analysis.

The next evolution: The agentic SOC

The KuppingerCole report reinforces a broader industry trend, that security platforms must do more than automate pre‑defined workflows. They must support adaptive, intelligence‑driven operations that can respond to novel and fast‑moving threats.

This is where Microsoft is making its next set of investments: agentic security operations.

With innovations such as the Microsoft Sentinel MCP (Model Context Protocol) Server, shared security data and graph context, and deep integration with Microsoft Security Copilot, Sentinel is evolving into a platform where AI agents can:

• Reason across identity, endpoint, cloud, and network signals.
• Summarize incidents and investigations in natural language.
• Assist with decision‑making by correlating weak signals over time.
• Take action—with human oversight—when confidence thresholds are met.

These agents are designed to work alongside analysts, augmenting expertise and dramatically accelerating time to response.

Why this matters for security teams

The direction highlighted by KuppingerCole, and reflected in Microsoft’s roadmap, isn’t about chasing AI for its own sake. It’s about addressing real SOC pain points:

• Scale: Human‑only operations don’t scale with modern attack surfaces.
• Consistency: Automated and agent‑assisted workflows reduce variance and errors.
• Speed: Faster reasoning and response directly reduce attacker dwell time.

By combining automation, rich context, and intelligent agents, Microsoft Sentinel helps SOC teams move from reactive alert handling to proactive, intelligence‑led defense without forcing teams to re‑architect their operations overnight.

Looking ahead

Security automation is no longer a bolt‑on capability. As KuppingerCole’s research makes clear, it is becoming a foundational element of modern security operations. The evolution of SOAR reflects the reality of a shift from static playbooks to adaptive, context‑aware assistance that scales human expertise.

Microsoft is investing accordingly, advancing an AI‑first approach to security analytics that helps SOC teams operate with greater speed, confidence, and resilience as threats continue to evolve. Read the Emerging AI Security Operations Center (SOC) report to learn more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post ​​Microsoft named an overall leader in KuppingerCole Analyst’s 2026 Emerging AI Security Operations Center (SOC) report ​​ appeared first on Microsoft Security Blog.

Choose an ecosystem partner for agent security and governance

AI agents aren’t coming—they’re already in your environment. They show up in places you expect (like Microsoft Copilot, Microsoft Teams, and Microsoft 365) and even more places as technology evolves (a local autonomous personal AI assistant or a new software as a service (SaaS) agent connected to your sensitive data.)

The problem isn’t that agents exist. It’s that they proliferate fast, span apps, endpoints and cloud, and often operate outside the visibility and control of the teams accountable for risk. When an agent can invoke tools, access data, and interact with other agents, any “helpful” workflow can turn into data oversharing, tool misuse, or over-privileged actions in seconds. And as agents become even easier to create and deploy, your attack surface grows with them. 

That’s why end-to-end observability matters: you can’t govern what you can’t see, and you can’t secure what you don’t understand—especially when the number of agents is a moving target. 

Microsoft Agent 365 helps you take control of agent sprawl as your control plane to observe, govern, and secure agents and their interactions—including agents built with Microsoft AI and agents from our ecosystem partners—using the admin and security workflows your teams already run. 

General availability starts today for Agent 365.

Additionally, we’re announcing the previews of new Agent 365 capabilities and integrations to help you scale agent adoption with the right controls in place. 

• Observability, governance, and security for agents operating independently—Agent 365 is expanding to cover agents that operate with their own credentials and permissions.
• Discovery of agents and shadow AI, using capabilities of Microsoft Defender and Microsoft Intune for both local and cloud agents.
• A secured, managed environment for agents to work in Windows 365 for Agents.
• Coverage for a wide ecosystem of SaaS agents, including agents innovated by software development companies (SDCs).
• Support for evaluation, adoption, and usage from Microsoft and ecosystem partners worldwide.

Manage agents with a single control plane, regardless of how or where they work

As organizations move from pilot to adoption, AI agents are being deployed across increasingly diverse use cases. Some act with delegated access, working on behalf of users; others operate with their own credentials and permissions, participating in team workflows or operating behind the scenes. 

With Agent 365, you can observe, govern, and secure AI agents whether they act on behalf of users with delegated access—for example, an agent that helps employees organize their inbox—or agents that operate with their own access and scope of work—such as an agent autonomously triaging support tickets. 

Discover and manage local and cloud-hosted agents 

Users are installing agents like OpenClaw and Claude Code on their devices and adopting SaaS agents built by developers on new and emerging platforms. Many of these local and cloud-hosted agents run unmanaged and outside of traditional governance, as they autonomously execute tasks, modify code, or access confidential information, creating a new wave of shadow AI.  

To help organizations address accelerating agent sprawl and the rise of unmanaged agents, we’re introducing new capabilities as part of Agent 365, Microsoft Defender, and Intune so you can discover shadow agents, and apply appropriate controls, such as blocking unmanaged agents. 

Discover and manage local agents

With Microsoft Defender and Intune, organizations will be able to discover and manage local AI agents running on Windows devices, starting with OpenClaw agents and expanding soon to other widely used agents like GitHub Copilot CLI and Claude Code. Customers enrolled in the Frontier program can see if OpenClaw agents are being used in the organization, which devices they are running on, and use Intune policies to block common ways that OpenClaw runs on the new Shadow AI page in Agent 365 in the Microsoft 365 admin center and in the Intune admin center. Through Agent 365 registry, the inventory of local agents will be available in Defender and Intune so IT, endpoint management, and security teams can get a consistent view of discovered local agents in their environment and take appropriate action.

Starting in June 2026, Microsoft Defender will also provide asset context mapping for each agent including the devices they run on, MCP servers configured for those agents, the identities associated with them, and the cloud resources those identities can reach. This will give security teams the context needed to assess exposure and potential blast radius. They can then investigate agent activity, such as file access and network behavior, using familiar endpoint data, and use those insights to identify misconfigurations and even define custom detections.

Beyond monitoring, organizations will be able to apply policy-based controls to set guardrails for what agents are allowed to do—helping protect both agents and organizations from compromise and misuse—with initial support delivered for OpenClaw through Intune. If a managed agent exhibits malicious behavior patterns, such as attempting to access or exfiltrate sensitive data, Defender will be able to block coding agents in runtime and generate alerts with rich incident context to support investigation and response.  

Context mapping capabilities, policy-based controls, plus runtime blocking and alerts will be available in Agent 365 through Intune and Defender public preview in June 2026. 

Visibility across clouds and AI-builder platforms

As developers are rapidly building agents with Microsoft Foundry, AWS Bedrock, and Google Gemini Enterprise Agent Platform (formerly Google Vertex AI) and deploying cloud agents across multicloud and multi-platform environments, the agent sprawl challenge intensifies. To manage potential security risks or vulnerabilities before they become breaches, security and IT teams need visibility to which cloud agents are running, what models these agents are built on, and what resources they’re accessing.

Today, we are excited to announce the public preview of Agent 365 registry sync with AWS Bedrock and Google Cloud connections, enabling IT teams to automatically discover, inventory, and, soon, perform basic lifecycle governance—for example, start, stop, delete agents—across these platforms.

Manage a wide ecosystem of SaaS agents 

Agent 365 works with prebuilt agents in Microsoft 365 Copilot and Teams, agents built with Microsoft Copilot Studio or Microsoft Foundry for your organization, and agents built by software development companies partnered with Microsoft.

Delivering on our promise of control plane for the broad agent ecosystem, we’re excited to announce ecosystem partner agents fully configured to be managed by Agent 365, including Genspark, Zensai, Egnyte, and Zendesk, and agents built on agent factories, including Kasisto, Kore, and n8n. Organizations can observe, govern, and secure these agents in the Agent 365 control plane, with no integration work by IT or security teams.  

Agent 365 software development company launch partners

Enterprises can easily build AI agents today, but scaling them with trust and governance is where most initiatives stall. With Kore.ai deeply integrated into Microsoft Agent 365, identity, security, and governance are built in from the start—empowering enterprises to move from pilots to AI at scale with confidence.

—– Raj Koneru, Chief Executive Officer of Kore.ai

The Agent 365 developer and ecosystem partners play a critical role in extending agents into line-of-business systems, building vertical and scenario-specific integrations, modernizing legacy automation into agent workflows, extending Copilot experiences with custom agents, and helping customers operationalize agent ecosystems at scale. These Agent 365 enabled agents are then observable, governable, and securable in the Agent 365 control plane, accelerating adoption for your organization.

• Explore the Agent Showcase of ecosystem partner agents that work seamlessly with Agent 365.
• Get started with Agent 365 development with guidance from Microsoft Learn.

Secure agents as they work in Windows 365 

While Agent 365 provides the control plane to observe, govern, and secure agent activity across the enterprise, Windows 365 for Agents—now available in public preview (in the United States only)—provides a secured, managed environment where agents can carry out that work. It introduces a new class of Cloud PCs purpose-built for agentic workloads and managed in Intune, allowing agents to run in policy-controlled environments, interact with applications, and operate with the same identity, security, and management controls already used for employees.

Now, with Agent 365, you can also observe and secure agents running on Windows 365 for Agents in Microsoft 365 admin center, understanding which agents are connected to the cloud-powered compute. Together, they enable organizations to move from visibility and governance of agents to confidently running them in production environments. 

Secure agents against internet threats with network controls  

AI agents can operate much faster than human users. Without proper guardrails, they can connect to risky web destinations, interact with unsanctioned AI services, handle sensitive files unsafely, or be manipulated through malicious prompt-based attacks. These risks are harder to manage when security teams lack consistent visibility and controls for agent traffic to internet, SaaS, and AI services. 

To give security teams a consistent way to inspect agent traffic at the network layer, in general availability today, Agent 365 extends Microsoft Entra network controls to Microsoft Copilot Studio agents and agents running on user endpoint devices, including local agents such as OpenClaw. These controls can help identify unsanctioned AI usage, restrict connections to only approved web destinations, filter risky file movement, and help block malicious prompt-based attacks before they lead to harmful actions. 

Confidently scale and govern AI agents while maintaining security and control 

Agent 365 extends even further beyond Microsoft platforms to discover, observe, govern, and secure local, SaaS, and cloud agents across your agentic AI ecosystem. Each of today’s announcements build upon Agent 365 capabilities we shared in March 2026 as well as detailed feedback of customers using the Frontier program, developers integrating with the platform, and partners testing Agent 365 capabilities. 

With Agent 365, we can scale and govern AI agents with confidence, while maintaining enterprise grade security and control. Agent 365 enables organizations to move beyond experimentation, driving tangible business value and innovation through trusted AI adoption. By providing a robust and integrated platform, Agent 365 empowers teams to confidently embrace AI and accelerate transformation across the enterprise.

—Yuji Shono, Head of the Global AI Office, NTT DATA Group Corporation, a global infrastructure, networking, and IT services provider.

As organizations begin to adopt Agent 365 at scale, we’ve collaborated with strategic partners to create targeted services to help customers onboard, tackle governance challenges and realize the platform’s full value.

Partner services offered today include expertise and guidance for: 

• Inventory and ownership: What agents exist, who owns them, and where they run.
• Least privilege: Right-sizing permissions and enforcing access guardrails without slowing delivery.
• Compliance and data protection: Preventing oversharing and producing audit-ready evidence.
• Threats and multi-platform estates: Understanding attack paths and governing across vendors and clouds.
• Ongoing operations: Lifecycle management, monitoring, and continuous governance hygiene. 

These valuable services are typically scoped as workshops and assessments (diagnose and roadmap), governance and enablement (stand up the control plane and guardrails), managed services (run and improve continuously), advisory and readiness (operating model and adoption readiness), and security and integration (harden posture and integrate third-party agents.)

• Find a Microsoft Agent Security and Governance partner to assist with your Agent 365 evaluation, deployment and adoption. Filter the directory by Offer: “Agent Security and Governance” and Country name. 

How to get started with Agent 365  

Agent 365 is now available in Microsoft 365 E7 or standalone at USD15 per user per month. Each Agent 365 license covers an individual who manages or sponsors agents, or uses agents to do work on their behalf, ensuring all agent activity is consistently governed across the organization in a way that’s predictable for scaled growth.  

In addition to the expertise of your Microsoft 365 team and partners, Agent 365 resources to support your experience include:

• The Agent 365 blog.
• The adoption hub and getting started guide.
• AI Skills Navigator for Agent 365. 
• Technical documentation on Microsoft Learn.

Plus, on Tuesday, May 12, 2026, a team of Agent 365 experts are hosting a live “Ask Microsoft Anything” to answer your questions about Agent 365—we hope you’ll join for the discussion.

Choose an ecosystem partner for agent security and governance

The post Microsoft Agent 365, now generally available, expands capabilities and integrations appeared first on Microsoft Security Blog.

At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects.

In a world where AI agents can act autonomously to take action, access data, and interact across systems, every organization should have the confidence that their security posture can scale and keep pace with their AI investments. Microsoft is focused on helping organizations gain visibility into what their agents are doing, governance over what they’re allowed to do, and protection against emerging threats. With an AI-first, end-to-end security platform grounded in Zero Trust for AI, fueled by more than 100 trillion daily threat signals¹, and shaped by the Secure Future Initiative, security and IT teams can harden their security posture with protection that is continuous, intelligent, and built for the agentic era.

In the Loop is a new series from Microsoft Security that delivers timely news and updates to the global security community. Today’s edition spotlights the latest capabilities designed to help security and IT teams secure their AI agents, secure their foundations, and defend against threats in real time with the powerful combination of agents and experts.

New Microsoft Defender capabilities in Agent 365 tooling gateway

The Agent 365 tooling gateway gives security teams the visibility and control they need to detect and respond to threats that target agentic workflows. New Microsoft Defender capabilities, now available in preview, enable security teams to detect, block and investigate anomalous behavior of their agents. Near real-time protection leverages webhooks to evaluate the actions an AI agent attempts to detect and block malicious or risky activities before they’re executed. Read more and get started.

AI-powered Defender and GitHub solution helps protect from code to runtime

Microsoft Defender for Cloud integration with GitHub Advanced Security, now generally available, provides unified security visibility across the development lifecycle. This integration automatically maps code changes to production environments, prioritizes security alerts based on real runtime context, and enables coordinated remediation workflows between development and security teams. Teams can track vulnerabilities from source code to deployed applications, focus on the security issues that affect production workloads, and take advantage of AI-powered remediation tools to speed resolution.² Get started today and watch the video.

New demo: Run a data security investigation in Microsoft Purview

Step into the role of a data security analyst and see how Microsoft Purview Data Security Investigations helps you identify investigation‑relevant data, analyze it using AI‑powered deep content analysis, and mitigate sensitive data risks—all within a single, integrated solution. Follow the end‑to‑end investigation journey in this hands‑on demo.

In the demo, you’ll learn how to:

• Proactively assess data security risk across your data estate.
• Reactively investigate data involved in security incidents, such as breaches, leaks, fraud, or bribery.
• Visualize risk using the data risk graph, which shows correlations between sensitive content, users, and activities.

Stay In the Loop

Microsoft Security continually ships meaningful innovations across our portfolio and research-driven insights and reports for the security community. In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy. Check back for the next drop and connect with us at Microsoft Build, June 2-3, 2026 in San Francisco, to hear directly from Microsoft Security experts, learn more about today’s releases, and more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft Digital Defense Report 2025, Safeguarding Trust in the AI Era

²GitHub Advanced Security Integration with Microsoft Defender for Cloud, Microsoft Defender for Cloud | Microsoft Learn

The post What’s new, updated, or recently released in Microsoft Security appeared first on Microsoft Security Blog.