On July 13, 2026, Microsoft updated its 365 roadmap to declare general availability for a long-awaited security feature: Insider Risk Management in Microsoft Purview now monitors AI agents. The change means autonomous software—the kind that reads emails, accesses SharePoint files, and calls external tools—can be flagged for risky behavior just like a human employee. But there’s a catch. Even as the roadmap item 516032 moved to “Launched,” official documentation continues to label the core policy template as a preview feature. For administrators tasked with securing enterprise data, that split personality is the first problem to solve.

What Actually Changed

The new capability extends Purview’s Insider Risk Management from human users to AI agents. Agents built with Microsoft Copilot Studio, Microsoft Foundry, or the P4AI SDK are now subject to agent-specific indicators, risk scoring, policies, and investigation workflows. Microsoft’s learning materials list the kinds of activity the system detects:

  • Risky prompts submitted to an agent
  • Sensitive information appearing in agent-generated responses
  • Agent access to sensitive or priority SharePoint files
  • Connections to websites considered risky
  • Use of tools involving sensitive information
  • Sharing of SharePoint files with external recipients
  • Activity that rises above the agent’s established behavioral baseline

The policy framework now presents agents as a distinct category. The Purview dashboard separates “User policy” and “Agent policy” views, and Microsoft provides a built-in “Risky Agents” policy template intended to generate alerts without custom configuration. Organizations can also build their own policies when default detections don’t match internal governance needs—for example, when an agent designed for broad enterprise search needs tighter controls around what it can reproduce rather than simple access-volume alerts.

Agent risk scores calculated in Insider Risk Management can be shared with Microsoft’s Data Security Posture Management for AI and surfaced in the Microsoft 365 admin center. This suggests a broader architecture where Purview supplies compliance signals while other management surfaces offer organization-wide visibility.

What It Means for You

Security and Compliance Analysts

You now have a view into behavior that was previously invisible or mismapped. A poorly configured agent might retrieve sensitive content and accidentally expose it, and a malicious employee could instruct an agent to collect information they shouldn’t see. Traditional identity controls don’t explain whether the agent’s behavior was appropriate in context. With agent-specific alerts, you can investigate the prompt, the response, the tools used, and the data touched, all within the established Insider Risk Management workflow. The ability to distinguish between deliberate misuse, unsafe configuration, and an inaccurate detection becomes critical—and that’s a governance challenge, not a product feature.

IT Administrators

Here lies the immediate tension: the roadmap says general availability, but Microsoft’s own monitoring page and policy template documentation still call “Risky Agents” a preview feature. This could be a documentation lag, a staged transition where the underlying indicators are GA while a specific template remains in preview, or a discrepancy between supported agent platforms. Microsoft hasn’t clarified. That means you cannot rely on any single status label. Before counting on the capability for a compliance requirement, you must confirm that the Agent policy view is present in your Purview tenant, determine which agent types are producing signals, test whether expected activity generates alerts, and check the licensing terms applied to your tenant.

Business Decision-Makers

The gap between availability and actual coverage matters. A feature can be generally available while still monitoring only a subset of the agent estate. Enterprises increasingly deploy agents from multiple vendors and frameworks, alongside custom automation that may not identify itself as an agent to Microsoft’s services. Microsoft’s own training material warns that Purview coverage varies across agent types. The practical milestone is not simply switching on a policy; it’s proving that the organization knows which agents exist, what data they touch, and whether Purview can see enough activity to raise a useful alert.

How We Got Here

Microsoft’s journey toward agent-aware compliance has been public since at least late 2025. The roadmap item 516032 first surfaced with a preview availability date of December 2025. The description then said development was targeting April 2026, and the status remained in preview until the July 13, 2026 update tagged it as “Launched” with a general availability date of June 2026. That timeline—preview to GA within six months—reflects the urgency around agentic risk. But it also explains why documentation may lag. The older January 30 note about targeting April 2026 still sits in the same roadmap description, even though the headline status has changed.

Insider Risk Management has traditionally correlated activity signals to spot intellectual property theft, data leakage, and policy violations by employees. Agents upend that model because they can create insider-like risk without malicious intent. They work faster, process more data, and often operate across permissions that span multiple services. An agent with access to SharePoint, email, and a web search tool can, in seconds, pull together a set of documents and share them externally in ways that a single user identity would never be permitted. The speed and persistence of automation demand a different detection logic, and Microsoft’s answer is to apply risk scoring to agentic activities and funnel them into the existing compliance workflow.

What to Do Now

  1. Verify what’s live in your tenant. Open the Purview portal, navigate to Insider Risk Management, and look for the Agent policy view. If it’s absent, the feature hasn’t reached your environment regardless of roadmap status.
  2. Check licensing. Agent monitoring requires supported licensing. Confirm with your Microsoft account team or the service description which plans include it.
  3. Run a controlled test. Deploy the built-in “Risky Agents” policy in a test environment. Submit a prompt likely to trigger a detection—for example, asking an agent to find a sensitive file and summarize it—and see whether an alert is generated. Document the end-to-end investigation flow.
  4. Inventory your agents. Even before tuning policies, list all agents operating in your organization, their platforms, the identities they use, and the data stores they access. Microsoft’s monitoring is most effective when you know what should be covered.
  5. Define clear investigation procedures. Determine who will respond to agent-related alerts. Decide how to distinguish between malicious use, unsafe configuration, excessive permissions, and false detections. A high-risk response from a customer-service agent that accessed engineering files is different from a knowledge-management agent reading the same location as expected behavior.
  6. Prepare for custom policies. The built-in template is a starting point. If your agents handle financial records, interact with customer data, or operate in regulated repositories, you’ll likely need specialized policies that reflect acceptable use cases.

The Road Ahead for Agent Governance

Microsoft’s mixed messaging on preview versus general availability will likely resolve as documentation catches up, but the deeper challenge is platform-agnostic. Agents from third-party vendors and homegrown automation may not register with Purview at all unless they emit compatible telemetry. Microsoft has signaled integrations with its own ecosystem—Copilot Studio, Foundry, and the P4AI SDK—but a universal agent governance framework is still distant. Expect further roadmap items that expand coverage and tighten latency for alerts. In the meantime, the rollout of item 516032 marks a turning point: organizations can now hold software accountable with the same rigor they apply to people. The only question is whether the tooling is ready to be trusted yet.