Our Global Collection team in the Microsoft Treasury division makes sure payments are seamlessly executed in our fast-moving global enterprise environment. However, our case managers were often losing valuable time figuring out things like who the right contact was for a given customer, which issues were likely to be challenged by a customer, and where an exception should be routed next. This information was spread across systems or buried in handoffs.

To solve these challenges, our team built a human-led, AI agent-assisted support system to reduce preparation time and streamline their processes.

“Building the AI assistance wasn’t the hard part,” says Kathy Brustad, a director in the Global Treasury and Financial Services division at Microsoft. “The hard part was reimagining the collection experience with AI front and center, and bringing the underlying infrastructure up to speed to get it there.”

In this post, we explain how we did it so you can learn from our experience.

“We have over 1,000 collectors around the world who perform collections for Microsoft. They had multiple systems they had to go to in order to find out things like the totality of the customer’s invoice and what conversations a different team had with the customer. The information was fragmented.”

Kathy Brustad, director, Global Treasury and Financial Services

Stitching together information across systems

Our AI agent is focused on helping our case managers prioritize high-value work by:

• Predicting late payments and possible customer disputes
• Summarizing customer case interactions for use by case managers
• Routing customer emails to the right collections manager faster and with greater precision Automatically matching payments to invoices
• Automatically responding to customer inquiries

“We have over 1,000 collectors around the world who perform collections for Microsoft,” Brustad says. “They had multiple systems they had to go to in order to find out things like the totality of the customer’s invoice and what conversations a different team had with the customer. All of this information was fragmented. We didn’t have a single view of how much a customer owed us.”

We started by consolidating these dispersed tools and systems into an SAP and Microsoft Dynamics 365 environment, creating a single source of truth for all relevant customer, invoice, and payment data.

On that foundation, we layered on Microsoft’s IQ intelligence platform to infuse semantic understanding and business context. That standardized our workflows by simplifying templates and worklists to reduce complexity and put consistent global practices into place. Routine communications became fully automated.

We then applied AI to improve payment matching accuracy from 40% to 90%, generate customer response drafts, and intelligently route cases to reduce time-consuming back‑and‑forth.

Copilot assistance was embedded directly into the daily workflow of our case managers to reduce administrative load by providing inline knowledge suggestions, summarizing calls, and automatically drafting replies. With these standardized automated workflows, we could apply 98% of payments within 48 hours.

“In a nutshell, this is the collection story: We have various agents and models deployed to assist our human agents with all the activities they have to do, saving hundreds of thousands of hours that we spent on manually tracking things before.”

Kathy Brustad, director, Global Treasury and Financial Services

Moving faster on ‘act ready’ work

Deploying the agent was only the starting point. The harder work was helping our collection team change established ways of working. Brustad described the shift as learning to “run it in a different way,” moving from manual, fragmented preparation toward workflows where prioritization, context gathering, and routing were increasingly supported within the system.

To make that shift possible, the team introduced a change management work stream program and role-based training focused on real, day-to-day scenarios alongside the rollout. By anchoring the work in clear business pain points and showing tangible improvements, our team saw how the new approach made their work easier. Each morning, the agent prioritized each case manager’s workload according to urgency and past client behavior so case managers could immediately focus on the accounts that were the most pressing.

We reduced repetitive communications using automatically drafted responses and automated statements.

“In a nutshell, this is the collection story: We have various agents and models deployed to assist our human agents with all the activities they have to do, saving hundreds of thousands of hours that we spent on manually tracking things before,” Brustad says.

After deploying this system to our case managers, we saw measurable improvements in both productivity and speed, including:

• Hundreds of thousands of hours unlocked annually in order to do more human-led high-value work rather than routine administrative tasks
• 40% reduction in call preparation time
• 2X growth in automatic cash applications
• 2.5X acceleration of customer inquiry resolution time

Operationally, the team also saw up to 60% reduction in inquiry handling time through inline suggestions, summarized calls, and automatically drafted replies. To ensure these improvements were real and repeatable, we emphasized observability in our evaluation approach. Our team tracked dollars collected through collections and hours worked to create productivity metrics.

Data, trust, and good governance

When introducing AI systems or agents into finance workflows, leaders often ask two questions:

1. Can we trust the outputs?
2. Can we govern the process?

“The biggest takeaway is to know your own process very, very well. You need to understand where all the bottlenecks and pain points are. Start from there to design the new agent-enabled process instead of saying, ‘I’m going to just inject the agent into my existing process.’”

Kathy Brustad, director, Global Treasury and Financial Services

For us, trust came from getting the basics right in the form of right-sizing our enterprise data, standardizing our workflows, and establishing clear ownership for each part of the work. When we tested early and included frontline users throughout the process, outcomes improved.

“The biggest takeaway is to know your own process very, very well,” Brustad says. “You need to understand where all the bottlenecks and pain points are. Start from there to design the new agent-enabled process instead of saying, ‘I’m going to just inject the agent into my existing process.’”

Embed custom agent assistance directly into the moments where time disappears, such as prioritization, preparation, routing, and drafting so adoption feels natural and can be measured. You can prove impact with a small set of metrics like cycle time, throughput, dollars collected, and hours saved, and iterate from there.

Key takeaways

Modernizing collections is about fixing the fundamentals first, before you add AI into the mix. As you begin to streamline your own finance workflows, keep these lessons in mind:

• Fix fragmented workflows before adding intelligence: AI delivers the most value when it’s layered on top of standardized processes and a unified data foundation rather than disconnected systems and ad hoc handoffs.
• Embed assistance where time is actually lost: Copilot-style support works best when it shows up directly in prioritization, preparation, routing, and drafting to reduce friction without changing how people work.
• Focus AI on high‑ROI decisions, not just automation: Predicting late payments, flagging likely invoice disputes, and surfacing context can help teams spend time where it matters.
• Design around the practitioner’s day: When work arrives prioritized and prepped, case managers spend less time chasing context and more time resolving exceptions.
• Measure what matters to prove impact: Cycle time, dollars collected, throughput, and hours saved provide a clear, repeatable way to track productivity gains and cashflow velocity.
• Pair generative AI with strong governance: Trust comes from clear ownership, standardized workflows, quality data, and ongoing human oversight.

Editor’s notes:

• SAP is an enterprise finance system that many organizations use to manage invoices, payments, and financial records in a single, centralized platform.
• All metrics cited are based on Microsoft internal data gathered during the writing of this article. They’re best read as directional signals from that period, and they may change as systems, processes, and behaviors evolve. Microsoft makes no warranties, express, implied, or statutory.

Try it out

• Build and test an AI‑assisted workflow with Microsoft Copilot Studio to see how agents can help prioritize work, summarize context, and route cases more efficiently.
• Start a Dynamics 365 free trial.

Related links

• Discover the five lessons we learned on how to make AI stick for sellers during our Copilot rollout.
• See how we revamped and modernized our Microsoft Treasury infrastructure using Azure.
• Explore how we’re supercharging our support experience with Microsoft Dynamics 365 and AI.
• Learn how we’re transforming the marketing function at Microsoft with AI.
• Read about our role as Customer Zero in an AI-powered world.
• Check out how we’re measuring the impact of Microsoft 365 Copilot and AI internally.

The post Streamlining finance cash collection at Microsoft with AI appeared first on Inside Track Blog.

Corporate Vice President of red teaming at Microsoft Craig Nelson describes what he looks for with this method, “I’m interested in the model, but I’m also interested in how that model connects with underlying additional data. And then how that model also executes automation from the back end.”

In this video, Nelson explains why securing AI requires more than testing the model alone.

Key takeaways

When you apply full stack red teaming to AI, here are some key questions to answer:

• How are AI models connecting to data sources?
• What backend automation do we allow AI to execute?
• What security credentials do we require?
• Do we have logs you need to understand how the model works with our backend infrastructure?

Try it out

Learn more about comprehensive cloud security for multicloud and hybrid environments.

Related links

• Read about our open automation framework for red teaming generative AI systems.
• Explore our AI red teaming 101 training series.
• Get an overview of security and governance features available for Azure Machine Learning.
• Find out how to safeguard your organization’s AI based on our experience at Microsoft.

The post Microsoft CISO advice: Securing AI with full stack red teaming appeared first on Inside Track Blog.

As AI capabilities advanced, we saw an opportunity to move beyond individual productivity gains and toward something more transformative: Empowering our developers to build intelligent agents that can automate workflows, streamline operations, and create new business value.

Realizing this vision required more than new tools. We needed to rethink how we foster development, govern innovation, and operate at scale.

“We’ve made a lot of progress enabling our developers to build agents that make us more productive. We’re Customer Zero at Microsoft, which means we’re the first to deploy and use the technology and services that we later sell to our customers. Those learnings give us a unique perspective and story to share about the journey our developers have been on with AI and agents.”

Brian Fielder, vice president, Microsoft Digital

Today, we’re sharing the foundation we built that supports this shift.

We’re driving employees across Microsoft to create and use AI agents—from simple, task-focused solutions to enterprise-grade applications available across the company. It’s all supported by a secure, governed, and extensible platform.

“We’ve made a lot of progress enabling our developers to build agents that make us more productive,” says Brian Fielder, vice president of Microsoft Digital, the company’s IT organization. “We’re Customer Zero at Microsoft, which means we’re the first to deploy and use the technology and services that we later sell to our customers. Those learnings give us a unique perspective and story to share about the journey our developers have been on with AI and agents.”

Within the context of Microsoft Build 2026, we’re sharing what it really takes to move from experimentation to impact. Through this collection of stories and resources, we highlight how we’re empowering our developers to build with agentic AI—from establishing governance and platform capabilities to driving adoption and delivering real-world outcomes. Our goal is to provide practical insights you can use to accelerate your own AI journey.

“We hope you find the journey we’ve been on practical and useful,” Fielder says. “When it comes to agents, we’re accelerating fast and scaling at an enterprise level. As our story continues to evolve, we look forward to sharing it with you.”

Guidance for developers: How we manage agentic AI at Microsoft

These articles outline our vision for agentic AI, showing how we’re building a secure, governed, and extensible foundation for AI agents—from Work IQ and Copilot Studio to Agent 365, Azure DevOps, and Model Context Protocol—so developers can create scalable, high-value solutions across the enterprise.

April 16, 2026

Alex Fleck

Becoming a Frontier Firm: A guide for deploying AI agents based on our experience at Microsoft

May 21, 2026

Alex Fleck

Governing AI agents at scale: Lessons from our journey at Microsoft

• How Work IQ is supercharging our AI usage at Microsoft
• Shaping AI management at Microsoft with Agent 365 and Copilot controls
• Deploying Microsoft Agent 365: How we’re extending our infrastructure to manage agents at Microsoft
• Unlocking enterprise AI extensibility at Microsoft with Microsoft Copilot Studio
• Powering AI value with Microsoft 365 Copilot extensibility at Microsoft
• How our employees are extending enterprise AI with custom retrieval agents
• Transforming our approach to sensitivity labels at Microsoft with Microsoft Entra
• Reclaiming engineering time with AI in Azure DevOps at Microsoft
• Protecting AI conversations at Microsoft with Model Context Protocol security and governance

UPCOMING POSTS

• Intelligence on tap: Our guide for How Work IQ enables Microsoft 365 Copilot to better understand how we work at Microsoft
• Our guide for deploying Agent 365 based on our experience at Microsoft
• Agentic modernization: Securing Python at scale for agentic AI at Microsoft

Our IT guide to becoming a Frontier Firm

These stories share our IT playbook for becoming a Frontier Firm, highlighting a practical path to enterprise AI maturity through agentic transformation, operational scale, responsible innovation, and partnership—showing how IT leaders can balance governance, modernization, and employee engagement while building an AI-first organization.

December 4, 2025

Keith Boyd

Becoming a Frontier Firm: Our IT playbook for the AI era

• Enterprise AI maturity in five steps: Our guide for IT leaders
• The agentic future: How we’re becoming an AI-first Frontier Firm at Microsoft
• AI at scale: How we’re transforming our enterprise IT operations at Microsoft
• Transforming into an AI-first Frontier Firm in partnership with our works councils
• Fast Train to the AI Frontier: Balancing risk and innovation in the era of AI at Microsoft

Working as developer in IT at Microsoft in the era of AI

These stories explore what it means to work in Microsoft Digital during the AI era, showing how developers and knowledge workers are reshaping engineering, the employee experience, and their own career growth through AI-powered tools, new ways of working, and personal journeys that reflect the evolving culture of IT at Microsoft.

May 21, 2026

Matthew Cooke

IT on the cutting edge: Working in Microsoft Digital in the era of AI

• Powering the new age of AI-led engineering in IT at Microsoft – Inside Track Blog
• The Frontier Firm: How knowledge workers are forging their own AI tools at Microsoft – Inside Track Blog
• The future of work is here: Transforming our employee experience with AI – Inside Track Blog
• Olutunde Makinde: From Lagos to Redmond, a Microsoft IT engineer’s journey – Inside Track Blog
• Building from the inside: Anahit Hovhannisyan’s impact on IT at Microsoft – Inside Track Blog

Key takeaways

From our journey enabling agentic AI across Microsoft Digital, several key principles have emerged to help organizations move from experimentation to scalable, enterprise-wide impact.

• Treat your organization as Customer Zero. Use your own AI capabilities first to generate real-world insights, validate scenarios, and build credibility before scaling to customers.
• Build a foundation for scale. Establish a secure, governed, and extensible platform that enables developers to create AI agents—from simple solutions to enterprise-grade applications.
• Empower developers to drive transformation. Move beyond productivity gains by enabling developers to build intelligent agents that automate workflows and unlock new business value.
• Align governance with innovation. Rethink how you enable development, govern AI, and operate at scale to balance flexibility with responsible use.
• Connect tools, platforms, and workflows. Integrate AI capabilities across your ecosystem—linking platforms, governance models, and development tools to support consistent, scalable adoption.
• Translate experimentation into impact. Focus on turning early AI exploration into coordinated, enterprise-wide efforts that deliver measurable outcomes.

Try it out

Learn more about Microsoft Build.

Related links

• Read our guide for deploying AI agents based on our experience at Microsoft.
• Learn about how we’re governing AI agents at scale internally.
• Find out how Work IQ is supercharging our AI usage at Microsoft.
• Check out an IT playbook for the AI era and see how we’re becoming a Frontier Firm.

The post Microsoft Build 2026: Empowering our developers to adopt agentic AI at Microsoft appeared first on Inside Track Blog.

For years, our security groups operated without consistent, policy‑based guardrails. As a result, we couldn’t uniformly control guest access to sensitive resources or apply governance consistently across different group types.

Addressing this required a complex, coordinated effort by our team here in Microsoft Digital, the company’s IT organization, and the Microsoft Entra product team.

“Because IT security is our highest priority at Microsoft, we knew we needed a better approach to limiting access to groups within our tenant. And we realized that Microsoft Entra was a powerful in-house solution that represented our best path forward to solve for this challenge.”

David Johnson, principal product manager architect, Microsoft Digital

The result is a new approach to sensitivity labels across the organization that strengthens our security posture, which benefits Microsoft and our customers.

“Because IT security is our highest priority at Microsoft, we knew we needed a better approach to limiting access to groups within our tenant,” says David Johnson, a principal product manager architect in Microsoft Digital. “And we realized that Microsoft Entra was a powerful in-house solution that represented our best path forward to solve for this challenge.”

Go deeper

Learn how to assign sensitivity labels to Microsoft Entra security groups.

Closing the security gap

Sensitivity labels for Microsoft 365 groups are labels that govern join and access restrictions for membership and sharing. They have been a product feature since 2020. But sensitivity labels for security groups—labels that enforce rules about who can join a group—had no equivalent.

This meant that organizations that wanted to govern who could join a security group or determine if guests are permitted and how group membership is managed had to either lock down the group creation process entirely, or rely on reactive scanning after the fact.

“Security groups are a key piece of our efforts to secure sensitive resources,” says Mohit Bhargava, a principal product manager on the Microsoft Entra team, which manages the Entra family of identity and network access products. “We wanted to apply policies to protect who could be in security groups so that the sensitive resources in those groups would remain secure.”

“Whoever gets into an Azure security group can have access to all the resources associated with the Azure subscription. That’s a potential high-severity threat.”

Basanth Kakumani, software engineer II, Microsoft Digital

The security risk is real. If an unauthorized guest account ends up as a member of a security group that governs access to an Azure subscription, that guest gains access to every resource inside that subscription.

“Whoever gets into an Azure security group can have access to all the resources associated with the Azure subscription,” says Basanth Kakumani, a software engineer II in Microsoft Digital. “That’s a potential high-severity threat.”

Another priority was the need for consistency across experiences.

“Microsoft 365 groups have supported labeling for a very long time,” Bhargava says. “Customers have an expectation that there’s parity across group types, so that they can govern them uniformly. That was another driving factor for this work.”

Security groups reuse the same sensitivity labels already configured for Microsoft 365 groups and SharePoint sites in Microsoft Purview—so admins don’t need to create or manage a separate set of labels. This reuse reduces configuration overhead and supports a more consistent governance model across group types.

Security workarounds, and why they fell short

Without sensitivity label support, we had to make do with alternative solutions. The most common one was simply preventing certain users from creating any security groups at all.

In the Microsoft tenant, this meant that employees who needed a security group had to fill out a form that had custom business logic behind it.

“We had on-premises, Active Directory, synchronization, tooling, and customization,” Johnson says. “This caused latency, from the time you created your group to the time it would show cloud membership. If you wanted to manage your membership, you had to do it on premises, AD, and then wait for it to sync to Entra.”

Neither centralized control nor reactive governance was a satisfying solution to prevent policy violations.

“This is really about making reactive things more proactive. We want to catch problems before they occur.”

John Begley, principal software engineer, Microsoft Digital

Typically, IT is going to manage this in one of two ways: Either we turn off self-service and manage everything on behalf of users, or we do reactive governance, which includes scanning groups and looking for policy violations.

Those aren’t super effective at preempting violations.

“This is really about making reactive things more proactive,” says John Begley, a principal software engineer in Microsoft Digital. “We want to catch problems before they occur.”

A collaborative solution

Coming up with a solution to this challenge required a genuine partnership.

We at Microsoft Digital approached the Entra product team and explained the problem we were trying to solve. Rather than simply handling this as a feature request, the two teams agreed to a co-development arrangement.

“Having access to a very large customer who cares deeply about security was extremely helpful. If it works for Microsoft, which is so complicated and huge, it’s going to work for smaller-sized tenants too.”

Mohit Bhargava, principal product manager, Microsoft Entra

Microsoft Digital team members would work alongside Entra engineers as the feature was built, serving simultaneously as implementation partner, design critic, and test environment—what we like to call our Customer Zero role.

Bhargava found the partnership equally illuminating from the product side.

“Having access to a very large customer who cares deeply about security was extremely helpful,” he says. “If it works for Microsoft, which is so complicated and huge, it’s going to work for smaller-sized tenants too.”

For Begley and his team, working closely with the product team revealed how complex the solution actually was.

“Both the product team and Microsoft Digital walked into this thinking a fix was going to be simpler than what it turned out to be,” Begley says. “It’s been eye-opening to see how the product is built, how it runs, what all the moving parts are. We learned early on that there was significant co‑development happening within Entra itself, across teams with very different areas of expertise.”

That dynamic played out in specific feature decisions. The team’s original plan did not include support for agent access controls and didn’t include the ability to prevent AI agents from joining sensitive security groups. This is something the product group quickly addressed and resolved after our team in Microsoft Digital raised it as a concern.

“One of the first customers who raised it was Microsoft Digital,” Bhargava says. “They said we needed need to start thinking about it ahead of time to get ahead of the problem.”

Sensitivity labels for Microsoft Entra cloud security groups are now in public preview. The same labels you publish in Microsoft Purview for Microsoft 365 groups and sites now apply to Entra security groups. Visit Microsoft Learn for scope, supported scenarios, and current preview behaviors.

Changes afoot for IT admins and employees

The practical impact of this solution lands on both sides of the relationship between Microsoft Digital and the company’s employees.

“Now I can’t accidentally have guests in an internal-only group, which changes the dynamic. Employees can create their own Entra security groups now, without us having to worry that they’ll be inviting guests where they shouldn’t be.”

David Johnson, principal product manager architect, Microsoft Digital

For IT admins, the shift is from reactive remediation to proactive prevention. For employees, it means self-service action with security groups become viable again, without the security risks that made organizations reluctant to enable it before.

“Now I can’t accidentally have guests in an internal-only group, which changes the dynamic,” Johnson says. “Employees can create their own Entra security groups now, without us having to worry that they’ll be inviting guests where they shouldn’t be.”

Johnson underscores the broader ambition behind the shift, which is to allow employees to create and manage groups directly in Entra.

“A company that can unblock self-service action by its employees with confidence, knowing that there’s an additional level of protection—that’s very important,” he says.

Looking ahead: AI and the expanding policy surface

Labeling support for security groups is already being extended across the organization, with AI governance in mind.

Adding the ability to block agents from joining sensitive security groups is our next logical step. Guest membership is enforced via allow-to-add guest policy, but agents won’t join in the same way. Rather, we will set policies in Purview and then use labels to control if an agent can join a group.

The longer-term vision involves extending oversharing prevention beyond Entra itself. This will make it impossible (not just detectable) to accidentally assign a highly confidential resource to an unlabeled or inappropriately scoped security group. The foundation we’ve built with labeling in Entra is what makes this vital step possible.

“We want to get into the preventative aspect,” Johnson says. “The goal is to make it so it’s not possible to overshare in the first place.”

Key takeaways

Here are some tips as you consider ways to address how you manage your own security labeling practices:  

• Reuse existing labels—no extra setup required. Security groups reuse the same sensitivity labels already configured for Microsoft 365 Groups and SharePoint sites in Microsoft Purview, eliminating duplicate configuration and helping admins apply a consistent governance model across group types.
• Understand label immutability at launch. Unlike Microsoft 365 Groups, sensitivity labels on security groups are initially immutable—a deliberate design choice to ensure protections are enforced from the moment a group is created. Controlled label mutability will be introduced in a subsequent update.
• Know what’s in scope today. Labeling currently applies to static, non–mail-enabled security groups. Dynamic membership groups, mail-enabled security groups, and distribution lists aren’t supported at launch, so admins should plan accordingly.
• Shift from reactive cleanup to proactive protection. Label-driven membership controls prevent policy violations—such as unintended guest access—before they occur, reducing the need for post-creation audits and remediation.
• Enable safe self-service with guardrails. With labels enforcing access rules automatically, employees can create and manage security groups without increasing risk, restoring self-service without sacrificing control.
• Lay the foundation for future governance scenarios. Using sensitivity labels as the backbone of access policy creates a scalable framework that can extend to additional protections over time, including broader enforcement and emerging governance needs.

Try it out

Learn more about configuring security with Microsoft Entra.

Related links

• Learn how we’re using sensitivity labels to make Microsoft more secure.
• Get an overview of Microsoft Entra fundamentals documentation.
• Find out how self-service sensitivity labels to help our employees stay productive without exposing sensitive information.
• See what it took to transition our company to a Zero Trust security model.
• Explore how we’re boosting our Secure Future Initiative with a new approach to wired network security.

The post Transforming our approach to sensitivity labels at Microsoft with Microsoft Entra appeared first on Inside Track Blog.

• Introduction
• Chapter 1: Building your agent governance strategy
• Chapter 2: Establishing a solid data foundation for agent governance
• Chapter 3: A matrixed approach to agent governance
• Chapter 4: Tracking, impact, and value
• Conclusion: Governing the frontier

Empowering employees and protecting your organization through agent governance

Welcome to the agentic frontier

Agents are expanding the frontier of enterprise AI. By creating tools that surface knowledge, take actions, and even reinvent workflows, organizations can apply the power of AI to business processes in new and innovative ways.

But this shift raises questions for business and IT leaders: How do you get the benefits of agents without putting your organization and employees at risk? How do you encourage citizen developers to create agents freely while maintaining control, security, privacy, and compliance?

At Microsoft Digital, the company’s IT organization, we’re putting practical governance structures in place to ensure our internal agents are useful, safe, and properly scoped. Through a deliberate strategy of empowerment with established guardrails, we’re unlocking the potential of agentic transformation while maintaining the trust that defines our work.

Read and prepare

Check out our complete guide to deploying and adopting agents across the enterprise, based on our own experience here at Microsoft.

The AI maturity model and frontier transformation

Agentic AI has made a new operational model possible, one that blends machine intelligence with human judgment, creating AI-operated, human-led teams.

We call organizations that enact this model Frontier Firms.

As organizations move toward this new operational state, they progress from foundational AI assistance through escalating levels of agentic maturity and complexity. First, humans operate with help from an AI assistant like Microsoft 365 Copilot. Then, human-agent teams work together. But the future lies with humans leading teams of agent users: AI agents that perform core labor with relative autonomy.

Capturing the benefits of this model relies on many factors, but in our experience as Microsoft Digital, two main tenets are instrumental to a successful transformation:

1. Empowering employees and teams to create and experiment with their own agents
2. Properly governing those agents to protect the enterprise

It’s a balance. If you set agent builders free without the proper guardrails, you risk data overexposure, agent sprawl, and security vulnerabilities. However, being too restrictive about governance stifles individual imagination, workflow reinvention, and innovation that can come from agentic AI.

“At Microsoft, we’ve moved beyond envisioning the agentic future into operating within it every day. Our experience as Customer Zero gives us a unique perspective on what it takes to govern AI agents at scale, turning early lessons into proven practices that help organizations innovate with confidence.”

Brian Fielder, vice president, Microsoft Digital

We’re here to help you find the right balance for your organization.

This guide shares what we’ve learned along the way. As you read, you’ll follow our journey as Customer Zero at Microsoft, and you’ll gain access to tips and resources that we’ve assembled to help you apply our expertise to your own agent governance practice.

Every organization is different, and your experience will differ from ours in terms of risk tolerance, technical capability, resourcing, and more. This guide highlights some principles and best practices you can apply to your own business context, needs, and objectives.

“At Microsoft, we’ve moved beyond envisioning the agentic future into operating within it every day,” says Brian Fielder, vice president of Microsoft Digital. “Our experience as Customer Zero gives us a unique perspective on what it takes to govern AI agents at scale, turning early lessons into proven practices that help organizations innovate with confidence.”

Now is the time to seize this opportunity. Follow along to start your own journey toward frontier transformation and capture the benefits of trusted, connected agentic intelligence.

Learn from our experience governing agents

Within Microsoft Digital, we’ve been acting as Customer Zero for frontier transformation by creating the tools, infrastructure, and processes that power agents at Microsoft.

Our goal is to make it easy for employees to engage with agentic tools freely and adaptably while maintaining safety and responsibility. The path to this objective relies on a three-pronged approach to governance:

• Embedded governance functionality: Agent creation and publishing tools should incorporate good guidance, governance, and guardrails out of the box, making agents people create essentially self-governing.
• IT oversight: This is a new space and a new way of working, so it isn’t feasible for all agents to self-govern at this point. As an IT organization, we fill gaps in governance through reviews and oversight. We establish risk-based policies around types of agents, exposure and sharing, and other pivots.
• User education: It’s almost impossible to predict every governance gap and need, so educating our users helps them avoid accidentally increasing risk. Our Agents at Microsoft team and individual change managers are the guides for these efforts. Employees can also refer to resources like Microsoft Learn courses and the Agent Builders SharePoint hub.

Throughout this journey, we’ve empowered our employees to create all kinds of agents, ranging from simple personal tools built by people working in every function, with every level of technical skill, all the way to AI-powered enterprise tools designed by professional developers for use across lines of business and even the entire company.

As part of the process, we’ve incorporated guardrails to ensure less technical employees are limited to tools that simply retrieve enterprise knowledge, such as SharePoint Agent Builder or Copilot Studio, while software engineers get the full power of any tool they need that can take action or automate workflows, including Microsoft Foundry and Microsoft 365 Agent Toolkit.

Over the course of this journey, we’ve learned valuable lessons about effective agent governance, including:

• How to build an impactful but flexible governance strategy
• Strategies for creating an AI-ready data ecosystem
• Ways to apply appropriate policies and controls for highly diverse agents
• Approaches for tracking the impact and value of agents

Chapter 1: Building your agent governance strategy

Thinking through your organizational needs and building a framework to govern agents

As we’ve incorporated agents into different aspects of our organization, we’ve also deepened their involvement in employees’ daily workflows and core business processes. Because of this, we’re diligent about the governance guardrails and policies that protect our organization.

We’ve accumulated a wealth of knowledge and insights in this area through our efforts governing Microsoft 365 Copilot. Based on this experience, some of the key priorities that we made sure to adhere to included:

• Effectively applying controls to ensure users and apps don’t get access to privileged information
• Preventing employees from creating agents that violate company policies
• Balancing the freedom for employees to share their creations with the need to prevent agent sprawl
• Delineating which agents are authoritative and applicable for enterprise functions and which ones are meant for employees’ own personal use.
• Inventorying agents to provide lifecycle management
• Securing and protecting confidential data while respecting our responsible AI principles: Fairness, reliability and safety, privacy and security, transparency, accountability, and inclusiveness
• Unlocking telemetry that enables us to govern agents effectively

By focusing on each of these dimensions, our governance team has centered its efforts on the value these agents provide to the company while also ensuring organizational safety and trust. To realize this value, we emphasize three key principles that help protect both our employees and the organization:

Security

We’ve established standards for data classification, policies for handling confidential information, and other security measures to protect data from unauthorized access, misuse, and disclosures. Microsoft Purview powers these capabilities through data labeling, rights management, and data loss prevention.

Privacy

Privacy compliance measures keep personal data protected and ensure agents adhere to regulatory frameworks in the regions where we operate. We conduct regular privacy assessments for all applications, including high-impact agents.

Regulation

Regulatory compliance assessments ensure agents meet prevailing legal standards. Our legal and compliance teams carefully monitor AI guidelines, regulations, and laws as they evolve so we can understand and incorporate them into these assessments.

We incorporated elements of our tenant’s minimum bar for governance into how we secure agents. Those include Microsoft Purview Information Protection, a functional inventory, activity logging, lifecycle management, and the ability to properly isolate agents so that they don’t cross data boundaries.

Our overarching tenant governance strategy is to govern items like documents and data at the container level. However, within a SharePoint site, for example, the added functionality of agents demands that we introduce further controls like sharing limits, breadth of knowledge sources, agent metadata, and information about an agent’s behaviors.

Turning priorities into principles

To operationalize governance, we developed six principles that guide our approach to agents. They form the governance foundation for a wide matrix of agent creation and usage opportunities.

1. We ensure a strong data hygiene foundation so we can trust our data estate as employees build and use agents.
2. We empower employees to build personal agents that can access permitted services and data sources to help automate and accelerate their tasks.
3. We empower teams and lines of business to build agents with known lower-risk patterns to accelerate impact.
4. We provide a smooth release path for engineering teams to develop agents designed for enterprise functions so they can access all the services and sources they need. This includes the same software development lifecycle (SDLC) reviews and certifications as other enterprise software, which we outline in Chapter 3.
5. We accelerate innovation through agent and automation templates while maintaining an AI Center of Excellence (CoE) to help teams think through their opportunities.
6. We reimagine employee experiences and task execution to simplify and optimize productivity.

Read and prepare

Powering the technical veracity of AI at Microsoft with a Center of Excellence.

Securing control through agent lifecycles

As we strategized to operationalize good governance, agent lifecycles became one of our most crucial tools. We superimposed the enterprise lifecycle on top of these policies, with both user-based and attestation-based lifecycles.

This means we treat agents owned by individual employees like any other user app and delete them when they leave the organization. Meanwhile, we ensure that agents owned by teams have a lifecycle that’s defined by the tenant and tied to attestation, our internal enterprise SDLC, and accountability confirmations.

This approach helps us combat sprawl by eliminating agents that no longer serve a purpose. It provides a solid foundation for more fine-tuned, matrixed policies and practices.

Governing amid real-time technology acceleration

One recent development illustrates how the rapid advancement of AI technology requires us to stay ahead of policy for new features.

Model Context Protocol (MCP) adds new capabilities, but also new risks and challenges. It’s a simple standard that lets AI systems communicate with the right tools and data without custom integration work. Instead of building a new connection or API every time, teams plug into a common pattern.

That standardization delivers speed and flexibility, but it also changes the security equation. We’ve extended our security and governance practices to account for MCP servers.

Our practices and policies help us govern agents effectively in this new environment. First, we assess security across four layers: Applications and agents, the AI platform, data, and infrastructure. We establish a secure-by-default strategy by positioning every remote MCP server behind our API gateway and establishing practices for vetting, identity management, automation that slows agents at the right moments, context trimming, and server isolation.

As you define policies for governing your own agentic ecosystem, you can take inspiration from our process. Start by asking questions about what you want to accomplish and what you want to protect, then move on to establishing your most important priorities. From there, you can cement those priorities into policies.

Learning from our approach to agent governance strategy

Match policies to progress on your AI journey

The complexity of agent governance depends on the maturity of your organization and where you are in your adoption journey. Start slowly to let that maturity grow over time.

A strong policy framework is the foundation

Lean on existing app governance policies, then layer agent-specific structures on top.

Take your cues from established standards

Global regulations around privacy, security, and responsible AI provide a good baseline for establishing governance policies. Assign teams to work through these regulations and incorporate their insights into your agent governance strategy.

Decide on your comfort level with risk

Bring cross-disciplinary experts together from across your organization to determine what level of risk is acceptable for different agents and their use cases. Put guardrails in place for low-risk scenarios and establish processes for supporting more complex or sensitive use cases. Evaluate what data sources agents can extract information from. Establish whether users have shared sensitive data sources.

Change is constant

Plan to reassess and revise your governance structure regularly. Agents are evolving rapidly, as is the tooling surrounding them, so maintaining good governance policies will be an ongoing practice.

Governance is a value driver for employees

Governance isn’t just about protecting your organization. It also provides the right patterns to make sure your employees are getting value from agents. Establish strong measures of business value and a robust methodology for management and assessment of agents through ongoing tracking. This kind of observation and telemetry is foundational and should be a key part of your governance efforts.

Key takeaways

Use these tips based on what we learned here at Microsoft to build your strategy for agent governance at your company:

• Establish a cross-disciplinary agent Center of Excellence. Bring together stakeholders across the organization to define priorities, goals, and shared practices for agent adoption.
• Right-size oversight based on risk. Determine your organization’s risk tolerance and define which agents require more or less involvement from IT, security, and compliance teams.
• Operationalize agent oversight and management. Establish an oversight model and implement tools that help manage agents at scale.
• Establish change management and adoption. Determine and implement a strategy for driving adoption to educate and empower employees.
• Create a centralized governance and information hub. Provide employees and agent builders with a single place to find guidance, standards, and governance information.

Learn more

How we did it at Microsoft

• Find out how we’re protecting AI conversations at Microsoft with MCP security and governance. This post outlines how we’re streamlining MCP governance through secure-by-default architecture, automation, and inventory.
• Explore our IT playbook for the AI era and learn how we’re becoming a Frontier Firm. This article shares our journey as an IT organization in support of this new operating model.
• Discover how Microsoft is becoming an AI-first Frontier Firm. This story shares how we’re approaching the idea of an agentic future.
• Read our five-step guide for IT leaders who want to drive greater AI maturity. This resource can help you chart a course through AI maturity to reimagine what’s possible for the enterprise.
• Learn from our experience tackling Microsoft 365 Copilot governance. This guide details our governance efforts for Microsoft 365 Copilot and can serve as a starting point for agentic governance.

Further guidance for you

• Secure your agents at scale with Microsoft Agent 365 guidance for unified identity, compliance, and control across platforms.
• Learn about the responsible AI policies and practices that guide our use of AI at Microsoft.

Chapter 2: Establishing a solid data foundation for agent governance

Setting agents up for success using a secure, robust data foundation

Operating according to an escalating maturity model means we’ve done the foundational work to secure and govern our data estate for Microsoft 365 Copilot. Many of the same principles apply to agents, with the added complexity of incorporating additional data sources.

To lead these efforts, we established a cross-functional team of data professionals within our AI CoE. This team is mostly comprised of Microsoft Digital employees who support corporate functions like Corporate, External, and Legal Affairs (CELA) and Global Workplace Services. Together with our AI CoE, this team helped us define what it means to have AI-ready data.

In essence, AI-ready data just means information we’ve certified for AI workloads. We certify those data sources using Microsoft Purview to identify defects in our core data products, and we’ve also built AI-powered assessments to certify which data lakes are AI-ready.

In most ways, governance is tool-agnostic and rooted in basic principles. With robust data labeling, data hygiene, and permissions in place alongside our AI tools, which respect labels by default, we can confidently give every employee the ability to build basic agents and trust in our governance guardrails. For decades, the challenge of data analysts and engineers was maintaining a consistently reliable source of truth despite inconsistent data quality, insufficient governance, and years of collecting data in silos. Microsoft Fabric and Microsoft Purview can help resolve these issues.

We’re embracing a more balanced, federated approach to data management today. We call this approach a data mesh. Rather than allowing unchecked decentralization or forcing all our data into a single centralized system, the data mesh formalizes domain ownership while embedding governance, quality, and interoperability directly into shared platforms.

The data mesh connects and distributes, data products across domains, enabling shared data access and compute while scaling beyond centralized architectures.

Platform services are standardized blueprints that embed security, interoperability, policies, standards, and core capabilities — providing guardrails that enable speed without fragmentation.

Data management zones provide centralized governance capabilities for policy enforcement, lineage, observability, compliance, and enterprise-width trust.

With this approach, our domain teams publish data as well-defined, discoverable products, while common standards for security, metadata, and compliance are enforced through automation rather than manual processes. This model preserves enterprise trust and consistency without sacrificing speed or autonomy. By adopting a data mesh mindset, we can scale analytics and AI more effectively across the organization while still keeping ownership closely connected to the business focus.

Confidentiality labels, the practical framework for data protection

To operate according to Zero Trust principles, we needed a coherent system that lets us see, label, and protect data. Otherwise, the burden of data loss prevention would fall solely on employees, who would have to exercise individual discretion whenever they decided how to house and share potentially sensitive content.

With labeling, it’s important to strike a balance between the depth necessary for supporting an array of data governance controls and the simplicity to ensure labeling isn’t burdensome for users.

We decided on four overarching labels for container and file classification, each with its own sub-labels. The highest-level schema looks like this:

1. Highly confidential: We only share our most critical data with named recipients.
2. Confidential: Any items crucial to achieving our goals feature limited distribution.
3. General: Employees can share daily work–like personal settings and postal codes–internally throughout Microsoft.
4. Public: We share unrestricted data meant for public consumption freely. That includes information like publicly released source code and openly announced financials.

For our risk tolerance and organizational needs, we made the decision to protect data designated confidential or higher. As a result, we contain data flows to their tenants and only trust suitable storage destinations for content. That suitability depends on a storage location’s ability to gate which connectors can work with particular source data and sensitivity labels.

The administrators responsible for workspaces like SharePoint sites set default labels. These labels serve as a foundation for appropriate access and circulation for objects within those containers. It takes the burden of labeling off of employees. The sensitivity labels that administrators apply map to several different categories of policies that can anticipate and help to mitigate data loss and risk.

They communicate four key areas:

1. Breadth of availability: Labels determine whether the workspace is broadly available internally or is a private site.
2. External permissions: We administer guest allowance via the group’s classification, allowing specified partners to access teams when appropriate.
3. Sharing guidelines: We tie important governance policies to the container’s label. For example, can an employee share this workspace outside of Microsoft? Is this group limited to a specific division or team? Is it restricted to specific people? The label establishes these rules.
4. Conditional access: While we haven’t implemented this policy at Microsoft, tying identity and device verification to container labels can introduce additional governance controls.

Within Microsoft Digital, we’ve put a lot of thought into how each of our labels aligns with relevant policies. You can see more of the logic behind our sensitivity labels and their policies in this graphic:

If a container owner needs different policies for a set of files to provide greater external access, they can self-service new groups without accidentally violating our governance practices.

At Microsoft, we use Microsoft Purview, which is our suite of data estate management tools, but you can use your tool of choice to apply labels in your environment. Microsoft tools will respect them. Microsoft Purview helps us accomplish three important tasks: mapping our labeling structure onto the relevant policies, verifying them against our standards, and backstopping self-service data loss prevention practices through automation.

Automation is particularly useful. We’ve configured Microsoft Purview Information Protection to scan automatically for wayward credentials, malicious user behaviors, and other sensitive information in items without the proper protections. When Purview detects a violation, our governance team receives alerts that prompt them to contain the risk by upgrading an item’s sensitivity label or requiring employees to remedy the issue.

The result is a system that allows flexibility for employees to self-manage their digital workspaces while providing guardrails that help our governance experts take appropriate actions without overtaxing their time and resources.

Our approach within Microsoft Digital is just one way to create an AI-ready data estate, but aspects of our story will hold true for almost any organization. Consider establishing a body to take over responsibility for AI-ready data, developing your primary goals for AI-ready data, unifying your data estate, and implementing a system of confidentiality labels.

Learning from our approach to agent governance strategy

Define the responsibility for AI-ready data

Identify and assign enterprise data owners to implement and oversee the processes that guarantee data quality.

Create intuitive labels

Your employees will be the ones applying labels, so make those labels intuitive. For example, “highly confidential” is easy to understand, while “business-critical” could be interpreted in many ways from a sensitivity standpoint.

Don’t overwhelm your users

Make labeling simple and intuitive to ensure it isn’t overwhelming. Employees should have a limited set of choices to keep things comprehensible.

Use existing defaults

Identify the security needs and regulatory compliance that are specific to your organization and use built-in governance controls available through Microsoft tools.

Key takeaways

You can use these tips based on what we learned here at Microsoft to tackle agent governance at your company:

• Establish a cross-functional data council. Form a data council to help promote a culture of AI-ready data with professionals from all relevant disciplines, including human resources, legal, security, IT, and anyone else who can share relevant expertise.
• Certify datasets for AI workloads. Limit agents to datasets that have been certified as “AI-ready” to minimize hallucinations and reasoning errors.
• Define your labeling parameters. Keep the number of labels to five main labels with five sub-labels each. The fewer you use, the better.
• Align your sensitivity labels with policies. Consider how your labels line up with breadth of availability, external permissions, sharing guidelines, and conditional access.

Learn more

How we did it at Microsoft

• Follow our journey as we transform our data culture with AI-ready data. This story highlights how we’re using Microsoft Fabric and Microsoft Purview to revolutionize our approach to data governance and AI readiness here at Microsoft.
• Discover how a data council is powering our unified data strategy at Microsoft. This post tells the story of how the Microsoft Digital Data Council is leading our efforts to adopt an AI-ready data strategy.
• See how we’re conditioning our unstructured data for AI at Microsoft. This article explains our internal strategies for handling unstructured data, which can be surfaced by AI agents.

Further guidance for you

• Learn about governance and security for agents and how to keep your AI initiatives secure across your organization.
• Establish responsible AI policies for AI agents to support ethical, transparent, and accountable AI agent deployment across your organization.

Chapter 3: A matrixed approach to agent governance

Governing different types of agents for different contexts, built with different toolsets

Our customers have expressed a strong desire to start building agents, but they’re concerned about where to begin and how to manage those agents once they’re built. They worry about persistent problems such as hallucinations and agent sprawl. These concerns are especially pronounced on IT teams.

During our Customer Zero journey, we’ve learned that the diversity of agent types and creation methods means there’s no one-size-fits-all approach to governance. Generalized approaches will only get you so far.

We’ve found it helpful to think about different kinds of agents along an escalating spectrum of development complexity:

There’s an entire matrix of different parameters that apply to an agent at any level of this spectrum, and they all require different policies. Those parameters include:

• Level of reach: Personal agents, limited sharing (like development environments or team boundaries), or enterprise-wide distribution
• Agent-building tool: SharePoint agent builder, Agent Builder in Microsoft 365 Copilot, Microsoft Copilot Studio, or tools geared to more professional developers (such as Microsoft Foundry or Microsoft 365 Agent Toolkit)
• Knowledge sources and content accuracy: Public sites, SharePoint and OneDrive, directly uploaded files, enterprise apps and systems, or third-party knowledge bases

Each of these parameters creates a pivot that we need to govern, and we’ve carefully assembled a set of policies and controls to account for them. As our understanding and use of agents advances, we’re continually updating how we match their characteristics and capabilities with relevant policies and any applicable reviews.

Within Microsoft Digital, we’ve adopted a risk-based approach that helps us establish a matrixed model for agent governance. The foundational idea is that we identify potential harms for each kind of agent, then assign policies for the level of review and oversight they require.

For example, simple agents that can only read and present data tend to be low risk. Because their access is tied to their creators’ identities and access, our data governance structures and guardrails can prevent overexposure. But for agents that have capabilities like writing data, taking action, or creating items, more reviews are necessary.

A matrix of agent governance policies, pivoted by parameter

The following matrix enumerates the factors that determine how we govern different kinds of agents created using different tools. This matrix helps our employees understand the agent creation process and helps us maintain safety and control.

In addition to mapping out our policies for governing agents, the matrix illustrates how we see their relative utility across the organization. It demonstrates an escalation from personally useful to organizationally useful agents. Their governance policies and controls escalate accordingly.

Regionality is an additional concern. Regulatory compliance might vary, but it’s important to keep in mind that certain kinds of data access and actions might be perfectly permissible in one region, but not in another.

One example is our Employee Self-Service Agent, a central resource employees can turn to for help with IT support, HR questions, and facilities requests. Because it can access potentially sensitive personal information, this agent required additional review from European works councils to ensure it met all relevant workplace standards.

As you facilitate the experimentation and innovation with agents across your workforce from citizen developers to pro developers, consider adopting a similar matrixed approach to agent governance. It starts with understanding your organization’s needs, your risk tolerance, and the different employee populations you want to equip with agent-building capabilities.

Learning from our matrixed approach to agent governance

Figure out your building environment strategy

Decide which scenarios match up with specific environments and make those environments available to the relevant employees.

Design governance structures that scale from low-code to more advanced agentic tools

With the proliferation of AI agents, platform-level approvals similar to the Power Platform model at Microsoft can ensure rapid innovation while requiring review for individual high-impact scenarios.

Build trust through transparency and structure

A clear, well-documented approval process helps internal regulatory advisors understand new AI technologies and establishes the trust needed for productive, long-term collaboration.

Treat regional partners as strategic allies in the agentic future

Early feedback on digital agents from regional partners like works councils helps improve product design, accelerate approvals, and reduce fear or misconceptions about AI in the workplace.

Don’t forget that Copilot Studio is part of Power Platform

You can use what you’ve learned empowering citizen developers in Power Platform to guide your work with agents.

Key takeaways

Use these tips based on what we learned here at Microsoft to tackle agent governance at your company:

• Establish your tolerance for risk. Determine where the most prevalent risks emerge across different populations and kinds of agents. Remember, you control the guardrails in your environment.
• Determine what agent-building tools you want to roll out and who can use them. Different populations benefit from different agent-building capabilities. Put thought into what individuals and teams can create and the degree of partnership each level will need from IT.
• Define your governance parameters for different kinds of agents. Determine the best ways to hedge against risk at every level. For example, you might choose to trust in tenant governance for simple agents and establish reviews for more complex tools.

Learn more

How we did it at Microsoft

• See how we’re empowering employees with the Power Platform. This article explains how our Power Platform governance model influenced our matrixed approach to agent governance.
• Learn how our employees are building their own AI tools. This article describes how knowledge workers at Microsoft are forging their own agents to help improve efficiency and get more done.
• Check out our lessons learned using SharePoint agents at Microsoft. This post shows how we approached governance for low-risk, knowledge-only agents through our deployment of SharePoint agents.
• Read how we’re unlocking enterprise AI extensibility with Copilot Studio. This story explores how we govern more advanced agents built with Copilot Studio, including connectors, orchestration, and scaled governance.

Further guidance for you

• Explore governance and security for AI agents across the organization with Microsoft Learn content.
• Check out this industry-standard framework that validates matrixed, risk-based governance approaches for AI systems.

Chapter 4: Tracking, impact, and value

Managing agents and assessing their business impact for the organization

It’s clear that agents bring astonishing capabilities to the enterprise. For many organizations, what remains unclear is exactly how to measure their impact. Without that information, businesses are at a loss for ways to articulate value and drive improvement.

Tracking agents is also a crucial component of preventing sprawl: We need to understand what agents we have, how employees are using them, what critical processes they’re supporting, and if they’re contributing value or need to be retired.

We’re at the beginning of our impact-tracking journey, but our work can provide a starting point for your own efforts to measure the value of AI initiatives at your organization.

Managing our agent catalog through comprehensive tracking

Microsoft Digital partners with other internal organizations to ensure we’re prioritizing the right agents and avoiding agent sprawl. Ideally, these engagements take place before teams start building their agents so we can avoid wasted effort or duplicated work.

Still, ongoing management efforts are crucial to keeping our agent ecosystem healthy. Telemetry is the key to assessing usage and ensuring compliance. We’ve developed our own internal tooling to ensure that:

• Metadata is complete and available
• The tooling tells us the right information about our agents
• The tools connect properly with other compliance tooling, like Microsoft Purview

This telemetry also reveals agent behaviors, shows how agents do their work, and tracks events, actions, and policy baselines.

These capabilities help us gain visibility into policy adherence and violations, and then to conduct enforcement actions. We also track the speed of reaction and mitigation. AI-ready data and robust guardrails mean we head off most violations before they occur.

A robust inventory, an agile policy framework, and an automated workflow for enforcement are cornerstones for successfully governing agents at scale.

The release of Microsoft Agent 365, now in early access, represents the next step in agent observability and management, two key aspects of agent governance and sprawl mitigation. This control pane for agents incorporates many of our learnings as we’ve bridged governance gaps through IT intervention.

Some of the key aspects of the control pane:

The registry

Provides a complete view of agents, and the enterprise agent store makes it easy to find the right agents for each role and business process within familiar workflows in Microsoft 365 Copilot and Teams.

Visualization

Delivers the observability layer, including role-specific oversight, compliance and audit features, and performance measurements that can help organizations track their agents’ impact and see where they contribute value.

Interoperability

Ensures Agent 365 is open to any Microsoft-built or partner ecosystem, while delivering work intelligence through access to data and Microsoft 365 apps.

Security features

Provide crucial confidence through visibility into security posture, detection and response capabilities, and intelligent runtime defense.

As Customer Zero for Agent 365, we’re excited to have a platform for observability and telemetry that encompasses everything from agentic creation through usage.

Tracking governance from agent inception

Professionally developed agents add a new dimension of tracking and governance, because we need standards in place for ensuring compliant agent-building and to remediate any issues.

We use our Azure DevOps instance to catalog apps on our tenant, and we’ve applied this practice to agents created professionally for lines of business and enterprise agents. This tool contains our service tree with product and app log registration, which is tied to our KPI dashboard and scoring system that validates agent data against our policies.

Our expectation is that all new apps and agents start from a place of compliance. Any new agent is registered through this platform, and we expect adherence within the first 14 days. In our experience, the introduction of new metrics, policies, or timeframes as our governance policies evolve is where agents tend to drop out of compliance. The priority is restoring compliant status.

We’ve established a series of metrics to help track and manage these expectations:

• Enablement velocity
• Renewal velocity
• Agents in compliance
• Time to remediation of noncompliance

Through a DevOps process built on our preexisting software development lifecycle practices, we’ve applied governance not only to agents themselves, but to the process of building them professionally.

Measuring progress and unlocking value

Properly measuring value depends on concrete definitions of success and metrics that support it. Articulating AI’s impact came with several challenges. First, we had to land on a consistent taxonomy for different measurement areas. Then we needed to make the relevant data accessible, ensure its quality, and confirm it made sense.

The Microsoft Digital AI Value Framework is our flexible, modular tool for measuring the impact of our AI initiatives. With tools for measurement firmly in place, we can effectively demonstrate value and guide further decision-making.

We plan to use the following capabilities to improve the overall ecosystem:

• Filtering our agent inventory on specific criteria like the type of agent or how it was built
• Enhancing governance-specific actions we can take with agents in areas like ownership and quarantining
• Gaining visibility into trends like agent usage
• Ingesting agent blueprints and defining policy templates

We’re still in the midst of our agentic measurement journey at Microsoft, but the blueprint for tracking already exists. Your organization might be in the early stages of agent readiness and deployment. If that’s the case, it could be helpful for you to internalize the lessons we’ve learned as Customer Zero and apply them as early as possible in your own journey toward AI maturity.

Learning from our agent adoption experience

Think proactively, not retroactively

If you put effort into tracking agentic impact early in your AI maturity journey, you’ll be poised to start capturing insights immediately instead of applying your methodology retroactively.

Involve a wide array of stakeholders

This workstream needs oversight from different kinds of stakeholders, including your leadership team, IT, Microsoft 365 administrators, agent developers and builders, and employee champions. That will provide the sponsorship, expertise, and perspective you need for success.

Different measurements will be appropriate for different phases of your initiatives

These measurements include monthly, weekly, or daily active usage; consider which metrics make sense at each phase of an AI initiative.

Establish a continuum of value

Agents need to tie into real business goals, so it’s important to establish metrics that actually speak to those objectives. Cascade business goals to concrete KPIs with well-defined timelines and track those diligently.

Embrace the red

Try to think of underperformance not as failure, but as data. Performance data over time helps you course correct or pivot, making sure you invest where it matters.

Key takeaways

Here are some important steps to keep in mind as you embark on your own tracking and measurement efforts for agents:

• Establish priorities and parameters for tracking agents. Consider measurements that relate to sprawl, usage, and coverage, and build them into your telemetry tooling.
• Pull your stakeholders together to establish measurement parameters. Cascade business priorities into measurable value.
• Conduct ongoing tracking. Establish a cadence for tracking and reviewing progress with your team.

Learn more

How we did it at Microsoft

• Learn how we’re measuring the impact of Microsoft 365 Copilot and AI at Microsoft. Discover our framework for tracking the impact of the investments in AI that we’re making internally.
• Find out how we’re deploying Microsoft Agent 365 internally. This story shares our intentions for using our unified control pane for agents.
• See how we’re building an AI-powered continuous improvement culture at Microsoft. This article outlines our approach to continuous improvement.
• Check out how we’re reshaping Microsoft with continuous improvement and AI. This post discusses the importance of continuous improvement for accelerating AI at Microsoft, including three initiatives already underway.

Further guidance for you

• This Microsoft Learn guidance helps organizations align AI investments with strategic goals and measurable outcomes over time.
• Explore a cloud adoption framework that provides practical guidance for defining success metrics, tracking ROI, and tying AI initiatives to business outcomes.

Governing the frontier to scale innovation

AI agents are rapidly becoming core contributors to how work gets done. As our experience within Microsoft Digital demonstrates, realizing their full potential demands more than powerful tools or enthusiastic builders. It requires thoughtful governance that evolves alongside your AI maturity, protects what matters, and gives employees the confidence to innovate responsibly.

As you consider your own strategy for managing agents, it can be helpful to keep one truth in mind: Governance is a catalyst for progress, not a barrier. By embedding guardrails into tools, grounding agent creation in AI‑ready data, applying risk‑based and matrixed policies, and reinforcing all of it through adoption and education, we’ve been able to expand agentic capability without sacrificing security, privacy, or trust.

From our experience, we’ve learned that governance works best when it’s:

• Proportional, scaling with risk and agent complexity
• Embedded, not bolted on after the fact
• Human‑led, recognizing that accountability and judgment remain essential
• Iterative, adapting as technology, regulations, and business needs evolve

When you design governance this way, it allows experimentation, learning, and impact at scale. Employees feel empowered to build agents that solve real problems, while IT and compliance teams gain visibility and control without becoming bottlenecks. Crucially, leaders can measure value, manage risk, and make informed decisions about where to invest next.

“At Microsoft, we believe the future of agentic AI depends on governance that empowers people first. The structures should be invisible when they’re working, intentional when they’re needed, and trusted by everyone they serve.”

Vijaya Alaparthi, principal group product manager, Microsoft Digital

This is the foundation of the Frontier Firm: Organizations where humans lead and agents operate, guided by clear principles and trusted systems.

As you continue your AI maturity journey, remember that there is no single, correct governance model. Your approach will reflect your risk tolerance, regulatory environment, data maturity, and organizational culture. The practices outlined here provide a proven starting point informed by real-world deployment at enterprise scale.

“At Microsoft, we believe the future of agentic AI depends on governance that empowers people first,” says Vijaya Alaparthi, principal group product manager in Microsoft Digital. “The structures should be invisible when they’re working, intentional when they’re needed, and trusted by everyone they serve.”

Now is the moment to act. Start with strong foundations. Empower your builders. Measure what matters. And treat governance not as a constraint, but as a strategic advantage that allows your organization to move faster, innovate safely, and lead confidently on the agentic frontier.

Key takeaways

Here are the high-level learnings and insights that you need to consider as you embark on your own agent governance journey, based on what we’ve learned here at Microsoft:

• Treat governance as an enabler of innovation, not a brake. Effective agent governance is what makes large‑scale innovation possible. When you embed guardrails into platforms, data, and processes, employees can build and experiment confidently without exposing the organization to unnecessary risk or slowing progress.
• Match governance rigor to agent risk and maturity. Not all agents need the same level of oversight. A risk‑based, matrixed approach lets organizations trust lightweight, personal agents while applying deeper reviews to agents that write data, take actions, or operate across business‑critical systems.
• Start with AI‑ready data and zero‑trust foundations. Strong agent governance rests on secure, well‑labeled, high‑quality data. Clear ownership, intuitive sensitivity labels, default protections, and automation reduce reliance on user judgment and allow agents to operate safely at scale.
• Embed governance where agents are built and used. The most effective governance is built into tools and workflows, not enforced through manual reviews alone. Defaults, limits, identity‑based access, lifecycle controls, and telemetry should apply automatically so agents are governed by design.
• Plan for the full agent lifecycle to prevent sprawl. Agent inventories, ownership models, attestation, and retirement processes are essential. Governance needs to account for how you create, share, evolve, audit, and ultimately decommission agents, whether individuals or enterprise teams are responsible for building them.
• Reinforce governance through adoption and education. Guardrails work best when employees understand them. Targeted adoption programs, clear guidance, prerequisites for advanced tools, and visible leadership sponsorship can help employees build responsibly and recognize their role in protecting the organization.
• Measure what matters to prove value and drive improvement. Visibility drives trust. Telemetry, observability, and clear metrics that span productivity, quality, risk reduction, and experience allow organizations to track impact, course‑correct early, and continuously improve their agent ecosystem.

Learn more

• Discover our IT playbook for becoming an AI-driven Frontier Firm.
• Learn how to secure your agents at scale with Microsoft Agent 365 guidance.
• Read a guide to governance and security for AI agents at your organization.
• Check out this detailed guide to our governance process for the internal rollout of Microsoft 365 Copilot.  
• Explore ways to establish responsible AI policies for agents across the organization.  
• Find out how a data council is powering our unified data strategy at Microsoft.

Try it out

Get started building and managing agents at your company with Microsoft Agent 365.

The post Governing AI agents at scale: Lessons from our journey at Microsoft appeared first on Inside Track Blog.

These innovations have come in many different forms across every group and function at the company. It’s impossible to capture them all in a single concept or story, but one of the ways that we’ve activated the power of AI for our workforce is Work IQ.

Work IQ isn’t a product.

It’s a shared intelligence layer that enables Microsoft 365 Copilot and AI agents to reason over and understand your organization’s work data, then use that context to generate more relevant responses and actions. This means that the entire Microsoft Graph—including rich unstructured data from your Teams chats and meetings, Outlook emails, Word documents, PowerPoint presentations, and more—is now part of your AI-powered work experience.

“It’s not really a brand-new capability, but more an evolution of what users already know, which is access to the grounding data in their Microsoft tenant. The difference is that Work IQ adds an additional layer to provide more context, allowing for richer and more relevant results.”

Aisha Hasan, principal product manager, Microsoft Digital

Work IQ enables Copilot to not only tailor answers to your role and responsibilities, but also to understand who your most frequent collaborators are, comprehend details about your latest projects, surface deliverables and deadlines, and intuit next steps. Additionally, Work IQ makes it easy for any AI agent to take advantage of the same rich enterprise data to return and act on more contextual results.

“It’s not really a brand-new capability, but more an evolution of what users already know, which is access to the grounding data in their Microsoft tenant,” says Aisha Hasan, a principal product manager in Microsoft Digital. “The difference is that Work IQ adds an additional layer to provide more context, allowing for richer and more relevant results.”

At Microsoft Digital, the company’s IT organization, we’ve seen firsthand how this intelligence layer is accelerating employee adoption of Copilot and agentic AI as outputs become more perceptive and valuable. Work IQ is a foundational step toward a future where AI has moved beyond isolated assistance and become a trusted professional helper—sometimes described as a digital colleague—that carries out tasks and anticipates needs in every aspect of daily work.

How Work IQ impacts everyday work

One of the most instructive aspects of Work IQ’s impact across our organization is that it happened without a traditional deployment. There was no enablement event for employees or operational playbook distributed to administrators. It didn’t require any changes to the application interfaces. Yet over time, our employee Copilot interactions improved in measurable ways.

“There was a period where we weren’t adding new content to Copilot, and yet I noticed our metrics for quality and user satisfaction kept going up. Why was that? It was because of all these incremental improvements that we refer to as Work IQ.”

Dodd Willingham, principal product manager, Microsoft Digital

This was a direct consequence of introducing a shared intelligence layer into a Microsoft environment that was already rich in work signals. Those work signals are extremely valuable data that was difficult to extract meaning from before the advent of AI. As the technology advanced, we could take full advantage of this data to inform and improve agentic responses.

As Customer Zero for the company, Microsoft Digital was at the forefront of measuring the impact of Work IQ. Our employees saw significant gains in relevance, grounding, and answer coherence in Copilot that were visible in the metrics, even during times when the underlying content remained relatively static. That’s the Work IQ difference.

“There was a period where we weren’t adding new content to Copilot, and yet I noticed our metrics for quality and user satisfaction kept going up,” says Dodd Willingham, a principal product manager in Microsoft Digital. “Why was that? It was because of all these incremental improvements that we refer to as Work IQ.”

At a systems level, Work IQ reasons across a broad cross-section of Microsoft 365 data, including:

• Outlook email content, thread structure, and interaction patterns
• Teams chats, channels, and meeting transcripts
• Calendar events and scheduling metadata
• Documents and files across Word, PowerPoint, Excel, OneDrive, and SharePoint
• Signals that show who collaborates with whom, how often, and in what context

Work IQ can also access structured data in tools like Dynamics 365, Power BI, Power Apps, and other business applications. The ability to extract context and interpret structured and unstructured data in a unified intelligence layer is the reason why Work IQ is making such a difference for our employees.

Making Outlook better

Outlook provides a useful lens on how Work IQ functions because it’s both heavily used by our employees and a highly contextual tool. Although the application hasn’t outwardly changed, the way Copilot interacts with inbox and calendar data has evolved, in part due to richer context provided by Work IQ.

“The intelligence works behind the scenes as you use Outlook. Your inbox just gradually feels more relevant. Outlook adapts to your work patterns, making your inbox feel more like an assistant, instead of a filing cabinet of communications.”

Matthew Marzynski, principal product manager, core experiences, Microsoft Digital

Now when you turn to Copilot in Outlook to summarize email threads, it can surface decision points, action owners, and unresolved issues. Instead of treating email as a collection of messages and providing rote summaries, Copilot perceives it as a record of decisions and commitments over time.

Calendar-related experiences are on a similar trajectory. Meeting preparation and follow‑up suggestions are now drawing on prior interactions with the same participants, relevant documents that were previously shared, and historical patterns around similar meetings.

Work IQ isn’t rule-based automation layered on top of Outlook. Users aren’t configuring new filters or workflows. Instead, the system is adapting based on observed patterns, meaning user behavior can remain the same while output quality improves

“The intelligence works behind the scenes as you use Outlook,” says Matthew Marzynski, a principal product manager for core experiences in Microsoft Digital. “Your inbox just gradually feels more relevant. Outlook adapts to your work patterns, making your inbox feel more like an assistant, instead of a filing cabinet of communications.”

Applying persistent memory

Another important aspect of Work IQ is the ability to retain persistent memory of each employee’s role, responsibilities, and work context. Copilot and other agents no longer need to be continually prompted with details about who the user is and what they’re working on. It learns that information and remembers it going forward.

This feature, also called persistent understanding, builds trust and increases efficiency each time an employee turns to AI for help with their work. AI systems that depend on manual context-setting don’t scale well across large organizations, which we at Microsoft Digital learned as we tested and deployed Copilot across the company.

“The user no longer has to tell the agent, ‘I work in this area, so please tailor your response to that’ every time,” says Anishkumar Ramakrishnan, a principal PM manager in Microsoft Digital. “With Work IQ, Copilot and agents recall it going forward. It remembers things that the user doesn’t even remember themselves about their past work and actions. This is the promise of intelligent context.”

From answers to action: Work IQ and AI agents

As organizations move toward integrating AI agents into all aspects of their day-to-day work, the value of Work IQ increases. Any agent—not just a general-purpose agent like Copilot—that can interpret vast amounts of your unstructured work data is going to produce results that are far more relevant than one that simply draws on general knowledge about a topic or process.

“Before, a builder had to go connector by connector and be very prescriptive—calendar read, email read, meeting access—just to build an agent. Now they can simply point the agent to Work IQ, and it gains contextual access across mail, calendar, meetings, and files through a single connector (API or MCP server).”

Naveen Jangir, principal architect, Microsoft Digital

Early agent implementations relied on narrower task-specific access to data. For each agent, a developer would have to build connections to a particular document library, mailbox, or set of calendar data. Each connection required separate consent and management, which generally resulted in a more limited scope.

But with Work IQ, builders can create agents using Microsoft Copilot Studio or other development platforms (such as Microsoft Foundry) that use APIs or Model Context Protocol (MCP) servers to connect to Microsoft Graph data. This enables them to bring the full power of enterprise data to any agentic creation, not just Microsoft 365 agents.

“Before, a builder had to go connector by connector and be very prescriptive—calendar read, email read, meeting access—just to build an agent,” says Naveen Jangir, a principal architect in Microsoft Digital. “Now they can simply point the agent to Work IQ, and it gains contextual access across mail, calendar, meetings, and files through a single connector (API or MCP server).”

This shift doesn’t just simplify agent development—it fundamentally expands what agents are capable of. Instead of operating within narrow, predefined tasks, agents can now reason across a broader work context to deliver better outcomes. For example, an agent supporting a project manager can surface relevant email threads, identify key stakeholders from meeting activity, reference the latest project documents, and highlight upcoming deadlines—all within a single interaction.

Intelligence without bypassing governance

From a governance perspective, Work IQ doesn’t introduce a new security model. Instead, it operates entirely within the existing Microsoft 365 data protection boundaries that our company and our customers already rely on.

The intelligence layer can access this enterprise data, but it does so while honoring permissions, sensitivity labels, access policies, and compliance controls defined at the source. Work IQ can only surface or act on information that the user—or an agent identity acting on the user’s behalf—is already authorized to access.

This inheritance model is intentional. Governance remains rooted in the data layer, not in the AI layer. Work IQ respects established controls such as identity‑based access and tenant policies, which means agents are generally given less access than human users.

“An agent user only gets access to what is explicitly shared with it,” Jangir says. “Human users typically have broader default access. By design in Work IQ, agents can usually see less than people, not more.”

For IT and security teams, this places the emphasis squarely on data discipline and identity controls, which are complementary security layers. Work IQ amplifies the value of well‑governed data and exposes weaknesses where governance is inconsistent. Admins remain in control of access and can turn off APIs and MCP server connections if they want to limit an agent’s data access.

Work IQ, Fabric IQ, and Foundry IQ

As we’ve scaled up Copilot and agentic AI internally, one lesson has become clear: Intelligence works best when it’s part of a layered infrastructure rather than working on its own.

That’s why Work IQ is just one context layer we’re using at Microsoft. We’ve also developed Fabric IQ and Foundry IQ, which are complementary layers in our overall data strategy. Each of these addresses a different aspect of enterprise intelligence.

The three layers serve distinct but connected purposes:

• Work IQ focuses on unstructured productivity data, helping AI understand how people work across email, meetings, documents, and collaboration signals.
• Fabric IQ applies similar reasoning to analytical and structured data, adding context and explanation to metrics, trends, KPIs, and other business signals.
• Foundry IQ provides the foundation for builders to create agents that draw from both worlds, connecting intelligence across Microsoft 365, analytics platforms, and line‑of‑business systems.

Taken together, these layers also contribute to something deeper: the emergence of a shared business ontology. By extracting and aligning business entities—such as people, projects, and processes—from both structured data in Fabric IQ and the unstructured signals captured by Work IQ, the system perceives meaningful connections that previously were hidden. This unified understanding allows agents to reason across domains with greater precision, linking metrics to the real work and making insights more actionable in context.

This architecture matters because it removes artificial seams. Agents shouldn’t need to shift between separate contexts for work content, enterprise data, or application logic. The IQ layers make it possible to deliver a single agentic experience that reasons consistently, applies governance uniformly, and moves with users across environments. Just as importantly, the same controls—identity, permissions, labeling, and policy—flow through each layer, keeping trust intact as capability expands.

At Microsoft, Work IQ and the other context layers are helping Copilot and agents to accelerate beyond AI experimentation. They are now vital operational tools that make everyone more productive across the global enterprise. Context and intelligence in agentic tools are a key part of the future of work, at Microsoft and for our customers as well.

Key takeaways

Here are some things to keep in mind as you prepare your own organization to take full advantage of Work IQ:

• Treat the technology as infrastructure, not a feature. We didn’t formally roll out Work IQ. Its value emerged gradually as it improved Copilot responses and as our agent builders could more easily tap into unstructured enterprise data.
• Expect improvements in AI quality without changes to your data. We saw measurable gains in relevance and user satisfaction even when underlying content remained the same, driven by better contextual reasoning across existing work signals.
• Focus on how employees work, not just what content exists. Work IQ improves AI outcomes by connecting people, relationships, and activity patterns, resulting in more actionable and grounded responses.
• Use Work IQ to move from assistance to action with agents. By giving agents access to contextual enterprise data through a unified layer, we enabled more automated workflows without requiring developers to manage dozens of connectors manually.
• Invest in data governance early to maximize AI value. Because Work IQ inherits permissions and policies from the data layer, its effectiveness—and safety—relies on clear labeling, intentional access design, and disciplined data management.
• Enable self-service collaboration data so it’s available for Work IQ. WorkIQ can only ground on data that is both available and not purposefully hidden. We make sure that our meetings are AI-enabled (and often recorded) and allow self-service in Teams and SharePoint, so the data is not hidden from Work IQ.
• Build toward a unified intelligence model across work and data. Combining Work IQ with Fabric IQ and Foundry IQ means agents can operate seamlessly across different kinds of data and incorporate more intelligence into their output and actions.

Try it out

Get a closer look at Work IQ.

Related links

• Check out how we’re embracing this agentic moment at Microsoft.
• Explore a Microsoft Learn article for more technical details about how Work IQ works.
• Learn how to get started building agents with Microsoft tools.
• Discover our detailed guide on how we deploy AI agents internally at Microsoft.
• Read an IT playbook for the AI era and learn how we’re becoming a Frontier Firm at Microsoft.
• See how we’re using Model Context Protocol security and governance to protect AI conversations at Microsoft.

The post How Work IQ is supercharging our AI usage at Microsoft appeared first on Inside Track Blog.

Geoff Belknap, CVP and operating CISO shares the questions he asks when considering when and how to integrate technologies with a merged or acquired company.

Key takeaways

Think about moving slowly with early integration with M&A. Here are some key questions to consider:

• What do we risk by combining tools or technical capabilities too quickly?
• Is the deal still valuable if we do not integrate systems?
• What operational safeguards and governance are needed?

The post Microsoft CISO advice: Consider the risks of early integration with mergers and acquisitions appeared first on Inside Track Blog.

On the other: A deep responsibility to protect the enterprise—its data, employees, customers, and regulatory posture—at a time when AI systems are evolving faster than traditional governance models were designed to handle.

“In the era of AI, delaying deployment does not eliminate risk—it often increases it. We need to work even faster to enable our business with AI, while simultaneously protecting our enterprise.”

Brian Fielder, vice president, Microsoft Digital

For CIOs, CDOs, and technology leaders across industries, this is no longer a philosophical debate, it’s an operating reality. How do you accelerate AI‑driven transformation without increasing enterprise risk? And critically, how do you innovate earlier, when learning is most valuable, without sacrificing trust?

At Microsoft, we’re living this tension firsthand, and our experience has led us to clear conclusions.

“In the era of AI, delaying deployment does not eliminate risk—it often increases it,” says Brian Fielder, vice president of Microsoft Digital. “We need to work even faster to enable our business with AI, while simultaneously protecting our enterprise.”

Mastering the delicate balance between risk avoidance and AI-fueled innovation is the new challenge for technology leaders globally. This insight has fundamentally reshaped how we approach release management, AI adoption, and enterprise governance at Microsoft. We call this approach Fast Train, and it has become a core part of how we operate as a Frontier Firm—one that learns early, under control—enabling capabilities that give our employees an edge while carefully balancing enterprise risk.

Rethinking release management for the AI era

Traditional release management was designed for a different world.

“While we’ve never been as risk‑averse as some of our customers, our focus is to always be risk‑aware. When products attest to risk upfront and take ownership at design time, they’re empowered to deploy at full speed—without waiting in a backlog of exceptions.”

B. Ganti, principal architect, Microsoft Digital

Stage‑gated approvals, quarterly releases, and broad “wait until it’s safe” models worked when change was linear, infrequent, and predictable. But AI changes the equation. Models evolve continuously. Capabilities improve weekly. User behavior, as well as risks, emerge dynamically in production.

In this environment, waiting for certainty before deploying often means learning too late.

As Customer Zero for so many of Microsoft’s enterprise products, Microsoft Digital has long been risk aware, with greater tolerance for risk than some of our customers. However, with Fast Train we’re moving at greater speed in low-risk situations.

“While we’ve never been as risk‑averse as some of our customers, our focus is to always be risk‑aware,” says B. Ganti, a principal architect in Microsoft Digital. “When products attest to risk upfront and take ownership at design time, they’re empowered to deploy at full speed—without waiting in a backlog of exceptions.”

Legacy models concentrate exposure until a global rollout, when:

• Dependency has already hardened
• Mitigation options are limited
• The blast radius is at its largest

Frontier organizations take a different approach. They treat release management not as a gate, but as an adaptive operating system—one designed to surface signal early, while controls still matter.

While you won’t have access to Microsoft solutions at design time, these same principles are useful as you consider how to “shift left” when you build or acquire new digital capabilities in your environment. Design time in this context might be early visibility of new features or capabilities in the Microsoft 365 Message Center. Applying a Fast train mentality can help you to quickly identify trusted updates to bring into your environment immediately versus those that might require deeper assessment prior to deployment.

At Microsoft, that shift reframed a core question:

Not “How do we safely deploy change at scale?”, but instead “How do we learn earlier, safely, and continuously?”

Fast Train: Learning early, at enterprise scale

Fast Train is not a shortcut around governance. It is Microsoft’s primary early‑Frontier deployment model for low‑ and medium‑risk innovation.

Under Fast Train, eligible capabilities are deployed earlier—often globally—inside Microsoft’s own enterprise environment, under explicit guardrails. This allows product teams to learn from real usage patterns, real data flows, and real operational behavior before expectations harden and dependencies scale.

Critically, Fast Train operates on a simple principle: speed should align to risk, not to organizational inertia.

Instead of forcing every capability down the slowest possible path, Fast Train uses risk‑adaptive deployment shapes:

• Default‑on Frontier deployment for lower‑risk capabilities
• Admin‑gated Frontier deployment for higher‑impact or tenant‑sensitive scenarios
• Standard or deferred release only where risk truly demands it

In all cases, innovation moves forward. What changes is how it is enabled, not whether it progresses at all.

Why early deployment can reduce risk

From a security and compliance perspective, this may sound counterintuitive. Isn’t early deployment riskier?

In practice, we’ve observed the opposite. The most dangerous moment for an enterprise system is not early exposure, it’s late discovery. Waiting until adoption is widespread before learning how a capability behaves:

• Reduces mitigation options
• Expands blast radius
• Compresses response timelines under regulatory or customer pressure

“The question isn’t how to eliminate risk entirely—it’s where we’re willing to be uncomfortable, so our employees don’t work around IT.”

David Johnson, principal tenant architect, Microsoft Digital

By contrast, Frontier deployment reverses this risk profile. Fast Train allows Microsoft to:

• Surface data flow issues and edge cases earlier
• Tune controls before dependencies harden
• Establish clear accountability for rollback, disablement, and remediation

This is risk‑aware innovation, not risk‑blind speed. Guardrails are built in and not bolted on after the fact.

Governance that adapts instead of blocks

One of the most significant shifts Fast Train enabled was a change in how governance participates in innovation.

“Fast Train is fundamentally a risk-taking exercise—but it’s a deliberate one,” says David Johnson, principal tenant architect in Microsoft Digital. “The question isn’t how to eliminate risk entirely—it’s where we’re willing to be uncomfortable, so our employees don’t work around IT. If the platform honors our non‑negotiables—security, compliance, discovery—then we don’t need to over‑rotate on every new feature built on top of it.”

Traditional models treat governance as a final checkpoint. Governance is an episodic approval that happens after most key decisions are already made. Frontier models embed governance earlier and continuously, focusing attention where it matters most.

“Innovation doesn’t have to be slowed down by governance,” Ganti says. “By shifting risk consideration to design time, we remove friction at the point of deployment—so teams can move straight onto the Fast Train, with no toll booths, no gates, and no delays.”

Under Fast Train:

• Low‑risk change moves quickly under defined boundaries
• Higher‑impact capabilities shift to choice‑based enablement
• Deep governance review is reserved for material risk events like new data flows, boundary changes, or regulatory impact

This keeps governance focused, effective, and credible while avoiding the trap of over‑governing low‑risk change.

Just as importantly, Fast Train makes our Microsoft product teams explicitly accountable. Ownership for quality, rollback, and remediation sits with the teams shipping the capability, not with downstream review bodies. That means product teams have an incentive to build features that meet our Fast Train criteria, increasing the chance that our customers can also deploy new capabilities more quickly and with less risk.

Admin‑gated does not mean anti‑Frontier

A common misconception is that admin‑gated or choice‑based deployment is inherently slower or less innovative. Our experience in Microsoft Digital suggests the opposite.

Admin‑gated Frontier deployments are not a retreat from innovation. They are a different exposure shape for the same learning objective. We use them when impact is higher and explicit tenant choice matters.

In both default‑on and admin‑gated Frontier deployment:

• Capabilities reach real users early
• Deployment is global
• Learning loops start before broad GA expectations harden

The distinction is not speed. It’s enablement mechanics, informed by the risk profile of the deployment.

Becoming a Frontier Firm is a maturity journey

Frontier behavior is a maturity that advances over time.

“Our focus is evolving to put greater focus on speed and enablement. Fast Train lets governance teams focus on truly high‑risk scenarios while giving product teams the guidance and tools they need upfront so they can move faster with confidence.”

Priya Chebiyam, principal product manager, Microsoft Digital

In Microsoft Digital, we measure ourselves against a Frontier Firm capability maturity model, which reflects how organizations evolve from risk averse release models toward risk aware, signal driven operations. Our internal rubric describes 5 stages of enterprise maturity:

Frontier Firm capability maturity model

“Our focus is evolving to put greater focus on speed and enablement,” says Priya Chebiyam, principal product manager in Microsoft Digital. “Fast Train lets governance teams focus on truly high‑risk scenarios while giving product teams the guidance and tools they need upfront so they can move faster with confidence.”

Today, we assess ourselves in the Emerging Frontier stage, operating Fast Train broadly while investing to further institutionalize continuous governance, telemetry, and accountability. A critical step in that journey has been onboarding Microsoft 365 Copilot and first‑party agents into the Fast Train operating model to expand early signal and tighten ownership.

The lesson for customers isn’t to copy Microsoft’s internal processes, but to adopt the pattern:

• Define where early learning is safe through your own criteria—these are effectively your organizational “guardrails”
• Make enablement choices explicit
• Require ownership and rollback readiness
• Let real‑world signal and not assumptions drive your decisions

Trust and innovation advance together

At Microsoft, Fast Train has reinforced a simple truth: speed, trust, and compliance are not tradeoffs. They are outcomes of a risk‑adaptive operating model.

“Fast Train is built on a simple principle: ship fast when it’s safe, and slow down only when it’s necessary,” Chebiyam says. “We empower feature owners to self‑attest low‑risk features using clear criteria, while still protecting security, privacy, compliance, and regulatory requirements.”

By learning earlier—under control—organizations can reduce late‑stage surprises, accelerate transformation, and engage partners and stakeholders from a position of evidence rather than theory.

“We will be deploying earlier under the right guardrails so we can understand real world behavior, build the right controls, and earn customer trust through evidence, not assumptions. Our responsibility is not to slow innovation down, but to enable it safely—at the speed our customers and the market demand.”

Aleš Holeček, chief architect and corporate vice president, Microsoft Security

In the AI era, the greatest enterprise risk isn’t moving too fast—it’s learning too slow.  Fast Train reflects a shift from risk avoidance to risk awareness and near real-time assessment.

“We will be deploying earlier under the right guardrails so we can understand real‑world behavior, build the right controls, and earn customer trust through evidence, not assumptions,” says Aleš Holeček, chief architect and corporate vice president in Microsoft Security. “Our responsibility is not to slow innovation down, but to enable it safely—at the speed our customers and the market demand.”

Frontier firms don’t move fast despite risk. They move fast because risk is understood, bounded, and actively managed.

Key takeaways

For CIOs, CDOs, and technology leaders ready to accelerate AI adoption while minimizing risk, Microsoft Digital’s experience suggests five practical actions you can take today:

• Treat early deployment as a risk‑reduction strategy. Surface issues earlier when mitigation options are still available, instead of discovering them after global dependency sets in.
• Establish a clear Frontier cohort. Identify a workload, geography, or business unit where early learning is safe, intentional, and governed and be intentional in empowering that cohort.
• Separate innovation speed from enablement mechanics. Use default‑on deployment for low‑risk capabilities and admin‑gated choice for higher‑impact scenarios without slowing learning velocity.
• Make governance continuous, not episodic. Shift governance left by embedding it earlier with monitoring, attestation, and clear escalation triggers rather than relying on late‑stage gates.
• Require explicit ownership and rollback readiness. Ensure every deployed capability has a named owner, a defined rollback path, and continuous telemetry to support fast correction.

Try it out

Looking to accelerate your journey to the Frontier? Try Microsoft Agent 365 in your company.

Related links

• Check out our IT playbook for becoming a Frontier Firm.
• Read more about the agentic future that we’re embracing at Microsoft.
• Discover our readiness guide for deploying AI agents, based on our own company’s experience.
• Learn how we’re transforming our enterprise IT operations with AI at scale.
• Explore our five-step guide to enterprise AI maturity for IT leaders.

We’d like to hear from you!

• Want more information? Email us and include a link to this story and we’ll get back to you.

The post Fast Train to the AI Frontier: Balancing risk and innovation in the era of AI at Microsoft appeared first on Inside Track Blog.

Yonatan Zunger, CVP and deputy CISO for Microsoft, suggests focusing exclusively on hardening a piece of software to security threats may make it difficult to use and introduce a new risk when users get frustrated and try to bypass controls. This is why engineers need to consider not just individual components but how they work together to maintain productivity.

“Think of every system as a socio-technical system containing many parts, and all of them working together in unison have to be secured,” Zunger says.

Learn from our experience 

Read our practical advice about applying security fundamentals to AI.

Try it out

Read more from Zunger about applying security fundamentals to AI.

Related links

• Explore more from Zunger about how to deploy AI safely.
• Discover what you need to know about governing autonomous agents.
• Learn about aligning user, developer role, and organizational intent in agent governance.
• Find out how to use Authorization Fabric to govern AI agents at scale.
• Read about agent abuse patterns.
• Identify ways to secure AI agents with Azure AI Foundry.
• Explore how Data Security Posture Management for AI can prevent runtime risks.

We’d like to hear from you!

• Want more information? Email us and include a link to this story and we’ll get back to you.

The post Microsoft CISO advice: Apply engineering fundamentals to securing AI appeared first on Inside Track Blog.

At Microsoft Digital, the company’s IT organization, we shape and propel many of our groundbreaking products through our role as the company’s Customer Zero—and we want to tell that story. At this year’s Microsoft 365 Community Conference, we hosted a variety of sessions focused on change management, AI adoption, and how we manage governance in the era of the Frontier Firm.

As Customer Zero for Microsoft 365 Copilot, we embedded the technology into our employees’ daily workflows and carefully monitored the results. That journey from early experimentation to broad adoption of the tool across our organization continues to guide the company as we explore what comes next.

Today, that’s agents.

“Copilot changes how our employees work. Agents are changing how the work gets done. Our focus is to make the technology practical and valuable, so people want to use it daily.”

Stephan Kerametlian, senior director, business program management, Microsoft Digital

We’ve reached a level of maturity with Copilot that allows us to move from individual productivity to systems that can reason and collaborate on our behalf. Our focus now is on driving the adoption of agents across the company, grounding them in our workflows to solve problems.

“Copilot changes how our employees work,” says Stephan Kerametlian, a senior director in Microsoft Digital. “Agents are changing how the work gets done. Our focus is to make the technology practical and valuable, so people want to use it daily.”

Adoption doesn’t happen without trust

As we’ve empowered employees with more capable AI tools that can help automate tasks and make decisions, we’ve been equally focused on making sure the right safeguards are in place.

Innovation and safety are extremely important—the challenge is to enable both at the same time. And this is where governance comes in.

“We’ve spent a lot of time getting governance right. This means giving people confidence, not slowing them down. When employees know the guardrails are there, they feel empowered to experiment and innovate safely.”

David Johnson, principal PM architect, Microsoft Digital

At Microsoft, good governance is what makes innovation sustainable. It’s how we protect the company, our data, and our customers, while still giving employees the freedom to build and push boundaries with AI.

“We’ve spent a lot of time getting governance right,” says David Johnson, a principal PM architect in Microsoft Digital. “This means giving people confidence, not slowing them down. When employees know the guardrails are there, they feel empowered to experiment and innovate safely.”

How Microsoft does IT: Managing and governing agents—empower with risk-aligned oversight

Session description: See how Microsoft Digital empowers employees with tools to build and manage agents. From agent management with Microsoft Agent 365, to securing our environment with Microsoft Defender, to managing our productivity estate with Microsoft Purview, this session offers broad insights into how we use our own technology to accelerate agentic innovation while mitigating risk.

Speakers: David Johnson, Naveen Jangir, and Mike Powers

David Johnson leads our internal Microsoft 365 and productivity services with responsibility for tenant strategy, architecture, and governance. He manages how we empower employees with guardrails and manages our capability onboarding and tenant configuration.

Naveen Jangir is a principal architect in Microsoft Digital. He drives Microsoft 365 security and compliance strategy and leads tenant architecture and capability onboarding, while overseeing secure adoption of services across the enterprise.

Mike Powers is a senior service engineer and AI administrator in Microsoft Digital who manages Copilot features, Agent 365, and enterprise AI operations. He partners with internal product groups and security stakeholders to make sure AI tools and agents are deployed responsibly and governed effectively.

More on AI agents and governance at Microsoft

• Read the guide to how we’re tackling Microsoft 365 Copilot governance internally at Microsoft.
• See how we’re embracing the agentic future to become a Frontier Firm.
• Learn how we deployed the Employee Self-Service Agent at Microsoft. 

Inside Microsoft: Reclaiming engineering time with AI in Azure DevOps

Session description: AI tools embedded directly into Azure DevOps (ADO) are changing how engineering teams work, eliminating manual tasks without creating separate tools or increasing cognitive load. This session explores how ADO AI Chat and the AI Work Item Assistant accelerate coding workflows at Microsoft. You’ll learn how to improve your backlog quality, sprint hygiene, and downstream effectiveness of GitHub Enterprise and Copilot, helping your teams reclaim capacity and focus on the work that moves products forward.

Speakers: Gopal Panigrahy and Sumit Dutta

Gopal Panigrahy is a product leader and member of our product management team in Microsoft Digital. He’s an advocate for our customer-first approach to product development and is passionate about helping people overcome challenges in the era of AI.

Sumit Dutta is a product-minded technology leader working at the intersection of AI, enterprise platforms, and scalable product design. Offering a strong blend of engineering knowledge and product strategy, he focuses on building systems that are not just functional but also extensible and reliable.

More on AI and IT engineering at Microsoft

• Learn how we’re reclaiming engineering time with AI in Azure DevOps at Microsoft.
• Read about powering the new age of AI-led engineering in IT at Microsoft.
• Discover how we’re streamlining engineering at Microsoft with Azure DevOps.

How Microsoft does IT: Microsoft 365 governance in the age of Copilot and agents

Session Description: Microsoft 365 Copilot and Copilot agents are powerful tools, but without proper governance, you could be putting your company at risk. In this lightning talk, you’ll learn how Microsoft Digital protects our enterprise while enabling employee innovation with Copilot and agents.

Speaker: David Johnson

Johnson brings hands-on experience operating Copilot and AI-powered agents inside Microsoft, with a focus on identity, permissions, data boundaries, and real-world misuse prevention. He takes real-world lessons and makes them practical for others.

More on governance at Microsoft

• Learn about how we’re tackling Microsoft 365 Copilot governance internally at Microsoft.
• Check out our guide to deploying Microsoft 365 Copilot in five chapters.
• Read how we’re powering data governance with Purview Unified Catalog.

Accelerating AI adoption with Copilot controls: Lessons from Microsoft Digital

Session description: Microsoft 365 Copilot and AI agents unlock productivity gains, but without careful oversight they can also introduce security and compliance risks. The session covers how the Copilot Control System helps scale AI safely, including adoption insights and satisfaction signals. You’ll also see demos of popular agents, including the Employee Self-Service Agent and the Admin agent.

Speakers: Amy Ceurvorst and Reshma Kapoor

Amy Ceurvorst is a director of business programs In Microsoft Digital. She’s worked extensively with Copilot controls and evangelizes a unified way to view Copilot health reports that help administrators understand Copilot health.  

Reshma Kapoor is a senior product manager in Microsoft Digital with 20 years of experience leading and shipping products at scale. She is customer‑obsessed, grounding product decisions in real customer signals to deliver intuitive, high‑impact experiences.

More on AI and Copilot adoption and deployment

• Read how we’re shaping AI management at Microsoft with Agent 365 and Copilot controls.
• Explore our five-chapter guide to deploying Microsoft 365 Copilot internally.
• Learn how we deployed Microsoft 365 Copilot in Viva Engage at Microsoft.

How Microsoft does IT: Driving adoption of Microsoft 365 Copilot and agents across Microsoft

Speakers: Cadie Kneip and Stephan Kerametlian

Session description: Our team at Microsoft Digital led the first enterprise-scale deployment of Microsoft 365 Copilot, launching to more than 300,000 employees and vendors worldwide. Learn how the team drove adoption using change management strategies to encourage employees to thread Copilot into their daily work. Now we’re doing the same for agents across the enterprise. Learn best practices for accelerating adoption and maximizing value while guiding your own journey with Copilot and AI agents.

Cadie Kneip is a senior business program director and the Copilot Champs community lead in Microsoft Digital. She specializes in turning complex AI initiatives into confidence-building pathways that help employees thrive in an AI-powered workplace. 

Stephan Kerametlian is a senior director in Microsoft Digital, where he leads our global change management efforts for Copilot and agents. He thrives on learning how people use AI and on finding ways to get more people to embrace the technology.

More on adoption and deployment of Copilot and agents

• Explore our guide on how we deployed Microsoft 365 Copilot internally.
• Find out how we’re skilling up for the future of work at Microsoft with Agent Launchpad.

Real-world adoption stories: A fireside chat with a key customer

Session description: Pull back the curtain on the customer experience with Copilot adoption. Join this fireside chat with a Microsoft customer to hear about lessons learned and the real impact that Copilot is delivering across their organization. You’ll glean practical insights you can apply immediately at your own company. 

Speakers: Karuana Gatimu and Sam Crewdson

Karuana Gatimu is a director of Customer Advocacy – AI & Collaboration in Microsoft Digital and a solution architect driven by a passion for people, storytelling, and leadership. With 30 years of experience at the intersection of technology and human impact, she turns complex innovation into compelling narratives that help organizations adopt change and deliver business value.

Sam Crewdson, a principal product manager in Microsoft Digital, is passionate about turning user insights into product improvements. His work focuses on driving adoption of the latest SharePoint features and helping users take advantage of the power of both SharePoint and OneDrive. Working at the intersection of IT, users, feedback, and strategy, he translates real‑world business needs into collaborative experiences that scale.  

More insights on Copilot adoption

• Learn about how we’re tackling Microsoft 365 Copilot governance internally at Microsoft
• Check out our guide for deploying Microsoft 365 Copilot in five chapters.
• Read our executive-level guide covering our Copilot deployment.

Try it out

• Learn more and sign up for the 2027 Microsoft 365 Community Conference.
• Start using Microsoft 365 Copilot.
• Learn how to build your own AI-powered agents and workflows.

Related links

• Find out about the keynote presentations that happened at the 2026 Microsoft 365 Community Conference.
• See how we’re serving as Customer Zero at Microsoft in the era of AI.
• Read about Copilot Control System security and governance.
• Learn about deploying Microsoft Agent 365: How we’re extending our infrastructure to manage agents at Microsoft.
• Discover how the Employee Self-Service Agent helps employees quickly complete IT and HR tasks.

We’d like to hear from you!

• Want more information? Email us and include a link to this story and we’ll get back to you.

The post Unfolding our AI-in-IT story: What to expect at the 2026 Microsoft 365 Community Conference appeared first on Inside Track Blog.

“It turns out that it’s very easy to write AI-powered software, but it’s very hard to write AI-powered software that works right in real-world cases,” says Yonatan Zunger, CVP and deputy CISO for Microsoft.

Yunger explains how important it is to test if you want to build trustworthy agentic AI.

Learn from our experience 

Read our practical advice about applying security fundamentals to AI.

Key takeaways

Here are best practices to apply while building trustworthy agentic AI:

• Prototype. Test. Iterate. Think of and try prompts your real users might give your agentic AI. Use real data. From those trials, build a set of test cases and keep testing.
• Use AI tools to amplify testing. Evaluating agents requires a “try it and repeat it” mindset. Using AI Foundry with such tools as Python Risk Identification Tool amplifies these assessment capabilities.
• Record your tests. Applying this practice, as you would with unit testing, enables you to repeat evaluations as your data models and agents evolve.
• Don’t skimp on testing. Test early, test often, test with real data. This is the best way to understand what your agent might do when it encounters the unexpected.

Try it out

• Find out how to deploy Python Risk Identification Tool (PyRIT).
• Explore how to use Microsoft Foundry Playgrounds to test your AI solutions.

Related links

• Read more about how to secure agentic AI.
• Learn more from Zunger about how to deploy AI safely.
• Discover what you need to know about governing autonomous agents.
• Explore how to use Azure AI Foundry to secure generative AI models.
• Generate synthetic data for fine-tuning in Microsoft Foundry.
• Leverage built-in policies for model deployment in Microsoft Foundry.

We’d like to hear from you!

• Want more information? Email us and include a link to this story and we’ll get back to you.

The post Microsoft CISO advice: How to build trustworthy agentic AI appeared first on Inside Track Blog.

“Make it an expectation in your organization that people will create safety plans and have them for everything,” Zunger says. “People get so excited about having clarity in front of them that they end up making much more systematic, careful plans, and the rate of errors goes down dramatically.”

Learn from our experience 

Read our practical advice about applying security fundamentals to AI.

Key takeaways

Here are questions and ideas to consider as you create a safety plan for your AI systems:

• Define the problem. What problem are you trying to solve? A simple and clear problem statement is always a great starting point before building anything, including an AI agent.
• Outline the solution. What is the basis of your solution? Can you explain your solution to an end user? What does a developer or administrative user of your solution need to know about what it is and does?
• List the things that can go wrong. What can go wrong with your solution? Creating this list is the first step to figuring out how to deal with those issues.
• Document your plan. What is your plan to address identified concerns? Identify the process you will follow when something goes wrong.
• Draft your plan early and update it as your solution matures. Your safety plan can be as simple as a list or outline and should evolve as you prepare to build your solution.
• Get feedback and buy-in. When you review the plan with stakeholders and leaders in your team and organization, you may uncover risks or issues you had not thought of. You also build awareness and agreement on what to do when something goes wrong.
• Make a template and build its use into your processes. This tip is for anyone who leads a team or influences process development. Encourage using a safety template in all your projects to bring clarity and structure to how you work with AI.

Try it out

Discover how to secure agentic AI.

Related links

• Learn more from Zunger about AI security fundamentals.
• Zunger shares one important thing to consider when securing AI. 

We’d like to hear from you!

• Want more information? Email us and include a link to this story and we’ll get back to you.

The post Microsoft CISO advice: The importance of a written AI safety plan appeared first on Inside Track Blog.