Microsoft expects more than 1.3 billion AI agents to be operating across enterprises by 2028—a staggering scale that demands a fundamental rethink of identity, access, and runtime security. The projection, revealed at Build 2025 alongside new Copilot tooling, is not mere marketing hype; it reflects a genuine inflection point where software agents are moving from proof-of-concept chatbots to autonomous, multi-step workflows woven into the fabric of business. But as Microsoft’s deputy CISO for Identity warns, without purpose-built governance, these agents will create risks that traditional user and service account controls simply cannot address.
At the same conference, Microsoft unveiled Copilot Tuning and multi-agent orchestration capabilities that make it easier than ever for business teams to create specialized agents using low-code experiences. Over 230,000 organizations already use Copilot Studio, and customers created more than one million custom agents in a single quarter—a 130% increase. While these tools accelerate adoption, they also amplify the danger of agent sprawl, where unmanaged agents proliferate across SaaS, PaaS, and IaaS stacks with no centralized visibility or control. The solution, according to Microsoft, is a comprehensive security model built on identity-first governance, agent registries, and deep integration with the Model Context Protocol (MCP).
The Agent Explosion and Why It Matters
At Build 2025, Microsoft doubled down on making agents a core productivity layer. Copilot Tuning lets organizations fine-tune agents with proprietary documents and workflows inside Microsoft 365, without machine learning expertise. Multi-agent orchestration—also announced—enables agents to share data and collaborate across departments, such as HR onboarding workflows that involve IT, marketing, and facilities. These features, combined with Copilot Studio’s existing support for MCP, Agent Flows, and Deep Reasoning, point to a future where autonomous or semi-autonomous agents handle complex, interconnected tasks.
But scale introduces systemic risk. Microsoft’s own data shows the velocity: one million custom agents created in a quarter, with exponential growth expected. By 2028, the 1.3 billion figure underscores a world where agents outnumber employees by orders of magnitude. Traditional identity and access management (IAM) is designed for humans and service accounts that change slowly and are closely monitored. Agents, however, are self-initiating, persistent, opaque, prolific, and deeply interconnected—making them a fundamentally different threat surface.
Five Ways Agents Rewrite the Security Rulebook
Agents break the traditional application security model in five critical ways. First, they are self-initiating: an agent can take action without an explicit human trigger, so authorization gating must shift from per-request to continuous policy evaluation. Second, their persistence means many run indefinitely and hold long-lived credentials, increasing the blast radius of a compromise. Third, opacity is inherent—LLM-based reasoning is often inscrutable, making audit and explainability difficult. Fourth, the prolific nature of low-code creation tools leads to “agent sprawl,” where shadow agents operate outside IT governance. Finally, agents are interconnected: they call other agents and external tools through protocols like MCP, creating composite dependencies and new attack paths such as tool poisoning and prompt injection.
These characteristics justify Microsoft’s central recommendation: treat agents as first-class workloads with dedicated identity and governance constructs, not as extensions of existing applications. That means every agent must be registered, assigned an owner, granted least-privilege access, and monitored continuously.
MCP: The Connective Tissue That Also Expands the Attack Surface
The Model Context Protocol, introduced by Anthropic and rapidly adopted by OpenAI, Google, and Microsoft, standardizes how LLMs connect to data and tools. MCP servers act like an API layer that models can call, enabling a single connector to serve multiple agents. This unification dramatically reduces integration complexity—Microsoft calls it the “USB-C port for AI.” But it also centralizes risk.
An overprivileged or poorly configured MCP server can expose sensitive business data to any model that connects to it. Researchers have already demonstrated prompt injection attacks that manipulate agents into exfiltrating files, and tool poisoning attacks can substitute legitimate MCP endpoints with malicious lookalikes. Moreover, because MCP servers are trivially easy to deploy, organizations can accumulate hundreds of unmanaged connectors. Microsoft’s guidance is unambiguous: register every MCP server in an agent catalog, enforce dynamic RBAC with just-in-time credentials, and monitor all tool calls for anomalies.
Identity-First Governance: Entra Agent ID and the Agent Registry
To close the visibility gap, Microsoft introduced Microsoft Entra Agent ID, a purpose-built identity object that registers agents in Entra ID. Now in public preview, it gives each agent a unique, traceable identity with support for conditional access, short-lived tokens, and audit logging within existing SIEM/XDR systems. An agent registry complements the directory, capturing metadata such as ownership, version, business justification, and approved tool connections.
This approach delivers immediate operational wins: security teams can apply conditional access policies to agents just as they do for users, revoke credentials instantly, and map every agent action back to an accountable owner. However, identity alone is insufficient—teams must still design runtime authorization, per-action approvals for sensitive operations, and integrate agent telemetry into compliance workflows. In preview, some platforms surface Agent IDs inconsistently (managed identities vs. app registrations), so early piloting is essential to avoid lifecycle confusion.
The Seven Security Capabilities You Must Operationalize Now
Microsoft’s structured framework defines seven capabilities that organizations must mature immediately to secure agentic workloads. These are not theoretical—each maps to a concrete control.
- Identity Management: Register every agent in a directory or registry with a unique identity and named owner. Require sponsorship, business justification, and decommissioning dates before granting permissions. Enforce short-lived credentials and JIT elevation for high-risk actions.
- Access Control: Apply time-bound, scope-limited tokens. Use conditional access policies that evaluate destination, behavior, and risk scores to allow or deny actions in real time.
- Data Security: Implement sensitivity labels and data loss prevention at both the ingestion and output layers. Prevent agents from processing data that violates classification policies, and enforce redaction or block flows that cross compliance boundaries.
- Posture Management: Include agents in CSPM/DSPM tools to detect excessive permissions, exposed MCP connectors, and configuration drift. Automate posture checks into CI/CD pipelines for agent deployment.
- Threat Protection: Deploy prompt-injection classifiers like Microsoft’s Prompt Shields. Integrate alerts into XDR and set behavioral baselines to detect anomalous tool calls, sudden changes in action patterns, or XPIA attacks.
- Network Security: Segment critical MCP servers and agent runtimes in isolated VNETs with strict egress controls. Limit outbound connections to an allowlist of MCP servers and instrument every tool call.
- Compliance: Capture thread-level traces—inputs, tool calls, outputs, decision metadata—and store logs in tamper-evident, retained formats. Build human-in-the-loop checkpoints for irreversible actions like financial transfers or policy changes.
Practical Design Patterns for Safe Agent Deployment
Beyond platform features, Microsoft advocates design patterns that embed safety into agent architecture. The orchestrator-plus-specialist model splits responsibilities: narrow specialist agents handle well-defined tasks, an orchestrator composes workflows, and a reflection agent validates outputs before commit. Inserting human reviewers for high-impact operations reduces blast radius and makes debugging auditable.
Canary rollouts and staged permission expansion are essential. A new agent should first operate in a sandbox with bounded datasets, then graduate to limited resource access, and only receive broader permissions once metrics stabilize. This prevents a misconfigured agent from gaining broad privileges overnight.
Prompt design and input sanitization must be hardened. Techniques like spotlighting (explicitly marking untrusted inputs) and deterministic transformation (encoding, delimiting) reduce ambiguous instruction interpretation. Running all prompt content through a classifier like Prompt Shields before it reaches the model provides an additional probabilistic defense layer.
Strengths and Critical Gaps in Microsoft’s Approach
Microsoft’s framework has notable strengths. Identity-first thinking aligns agent governance with proven IAM workflows, letting teams reuse conditional access, audit logs, and lifecycle controls. Tight integration across Copilot Studio, Azure AI Foundry, Purview, and Defender gives regulated industries a single-vendor path to meet audit requirements. Research-backed defenses—Prompt Shields, TaskTracker, LLMail-Inject—demonstrate layered mitigation against prompt injection, a credible and evolving threat.
Yet gaps remain. Preview variability in how agent identities appear across platforms can lead to false assumptions about visibility. MCP’s security model is still maturing; the openness that drives adoption also means many server implementations lack enterprise-grade RBAC and signing. Tool poisoning attacks are not theoretical—researchers have shown that replacing an MCP server’s endpoint can hijack agent behavior. At scale, manual controls will fail; automated lifecycle frameworks, cost governance, and telemetry-driven oversight must be in place from day one. Finally, vendor defaults are a starting point, not a substitute for organizational policy, legal review, and contractual clarity on shared responsibility.
The 90-Day Action Plan for Enterprise Security Teams
Organizations can start securing their agent landscape immediately. Begin with an inventory: discover every agent, connector, and MCP endpoint across SaaS, PaaS, IaaS, and desktops, tagging each with owner and risk classification. Then register all agents in a directory and enforce a policy baseline: least privilege by default, per-agent JIT tokens, and conditional access. Inject defenses by deploying prompt-detection classifiers and content-safety gating before tool calls. Forward agent telemetry to XDR/SIEM, capture thread-level logs, and set behavioral baselines for drift detection. Finally, create runbooks mandating human approval for irreversible actions, with automatic escalation triggers.
Balance Speed with Trust
The agentic era promises transformative productivity, but it shifts risk from human error to unattended, networked software actors with persistent access. Microsoft’s prescription—visibility, identity-first governance with Entra Agent ID, MCP-aware RBAC, data-sensitive controls, and runtime defenses—is a practical and coherent starting point. It aligns with industry momentum and credible threat research. However, technology is only half the battle. Effective defense requires policy changes, engineering discipline, and continuous adversarial validation. Agent governance must become part of identity, legal, compliance, and finance processes. Red-team exercises, prompt-injection tests, and tool poisoning experiments must run regularly. The 1.3 billion agent projection is a strategic signal, not a precise forecast, but it underscores the urgency: move fast with agents, but move deliberately—instrument every action, assign every agent an owner, and make every agent auditable and revocable by design.