Silverfort has integrated its runtime identity and access controls directly into Microsoft Copilot Studio, enabling enterprises to evaluate and block agent actions in real time. The announcement, made on June 8, 2026, addresses a critical gap in AI agent security: while authentication verifies who an agent is, it does not determine what the agent should be allowed to do once authenticated. With this integration, Silverfort brings continuous, context-aware authorization to the Copilot ecosystem, effectively allowing organizations to enforce allow/block decisions on agent actions based on real-time identity risk signals.
Copilot Studio agents—autonomous AI assistants built by enterprises to automate workflows—often interact with sensitive data and business systems. Until now, these agents operated with static permissions, inherited from the user who created them or from predefined service accounts. That model breaks down when agents act dynamically, chain multiple actions, or access resources across cloud and on-prem environments. Silverfort’s runtime controls insert a policy evaluation point just before each agent action, checking the current security posture of the identity involved and the context of the request.
How the Integration Works
The integration leverages Silverfort’s existing unified identity protection platform, which already extends multi-factor authentication and zero-trust policies to any resource, including legacy systems and command-line interfaces. When a Copilot Studio agent attempts an action—such as retrieving a file from SharePoint, updating a record in Dynamics 365, or running a script on a virtual machine—the request is intercepted by a lightweight Silverfort proxy or agent-side plugin. The proxy calls Silverfort’s cloud-based policy engine, which evaluates the request against predefined rules based on identity risk factors, device trust, location, time of day, and behavioral anomalies.
If the policy engine determines that the action is too risky—for example, because the user’s session shows signs of compromise, or because the agent is trying to access a resource outside its normal pattern—it can block the action outright or step up authentication. The block happens inline, meaning the action never reaches the target resource, preventing potential damage. This differs from traditional logging or alert-only solutions that only notify after the fact.
Silverfort’s approach also supports allowlisting and blocklisting specific agent behaviors. For instance, an organization might allow an HR chatbot agent to read employee records but block it from modifying salary data, even if the underlying service account technically has write permissions. Policies can be tied to identity attributes, group memberships, or dynamic risk scores, and they can evolve as the agent’s purpose changes.
Filling a Gaping Security Hole
AI agent security has become a top concern as enterprises deploy hundreds of Copilot agents to handle everything from customer service to code generation. These agents often possess broad privileges to be effective, but that makes them attractive targets for attackers. Silverfort’s integration addresses the problem of over-privileged agents by decoupling authentication from authorization and making authorization decisions at runtime.
A common scenario: a developer creates a Copilot agent that can read and write to an Azure SQL database. The agent authenticates using a managed identity and inherits permissions based on its identity, not its code. If an attacker compromises the agent’s logic or the endpoint it runs on, they can misuse those permissions. With Silverfort’s controls, even if the identity is valid, the action can be blocked if the request originates from an untrusted location or exhibits anomalous behavior.
The solution also helps organizations comply with zero-trust mandates. The US federal government, through Executive Order 14028 and subsequent OMB memos, requires agencies to implement continuous authorization for all access requests. Silverfort’s runtime controls for Copilot extend that model to non-human identities, an area that NIST and other frameworks increasingly emphasize.
Real-World Enterprise Use Cases
Enterprises in finance, healthcare, and critical infrastructure stand to benefit immediately. Consider a bank that uses a Copilot agent to generate customer statements. The agent needs to read account balances, transactions, and personal information. Without runtime controls, a flawed prompt or a compromised backend could expose data en masse. With Silverfort, the bank can create a policy that says: “Allow read access to the core banking system ONLY during business hours and ONLY from approved IP ranges; block any write attempts and any access from unmanaged devices.”
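The bank policy quoted above, written out as a default-deny decision function. This is an added example, not Silverfort's code or policy syntax; the `AgentRequest` fields, the resource name, the IP ranges and the 09:00 to 17:00 weekday window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed values; the article does not specify ranges, hours or resource names.
APPROVED_RANGES = [ip_network("198.51.100.0/24"), ip_network("10.20.0.0/16")]
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
PROTECTED_RESOURCE = "core-banking"

@dataclass(frozen=True)
class AgentRequest:
    agent_id: str
    action: str           # "read" or "write"
    resource: str
    source_ip: str
    device_managed: bool
    when: datetime        # local time at the policy decision point

def evaluate(req: AgentRequest) -> tuple[str, str]:
    """Return (decision, reason). Anything not explicitly allowed is blocked."""
    if req.resource != PROTECTED_RESOURCE:
        return "block", "resource not covered by this policy (default deny)"
    if not req.device_managed:
        return "block", "unmanaged device"
    if req.action != "read":
        return "block", f"action '{req.action}' is not permitted"
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return "block", "unparseable source address"
    if not any(addr in net for net in APPROVED_RANGES):
        return "block", "source IP outside approved ranges"
    weekday = req.when.weekday() < 5
    if not (weekday and BUSINESS_START <= req.when.time() < BUSINESS_END):
        return "block", "outside business hours"
    return "allow", "read from approved range during business hours"

# Constructed sample requests from a hypothetical statement-generation agent.
T_DAY, T_NIGHT = datetime(2026, 6, 9, 10, 30), datetime(2026, 6, 9, 23, 5)
SAMPLES = [
    AgentRequest("stmt-agent", "read", "core-banking", "198.51.100.17", True, T_DAY),
    AgentRequest("stmt-agent", "write", "core-banking", "198.51.100.17", True, T_DAY),
    AgentRequest("stmt-agent", "read", "core-banking", "203.0.113.5", True, T_DAY),
    AgentRequest("stmt-agent", "read", "core-banking", "198.51.100.17", True, T_NIGHT),
    AgentRequest("stmt-agent", "read", "core-banking", "198.51.100.17", False, T_DAY),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.action, r.source_ip, r.when.isoformat(), "->", *evaluate(r))
```

The write request is blocked even though the identity and network context are valid, which is the separation of authorization from the service account's static permissions that the article describes.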
In healthcare, a triage agent might help nurses schedule appointments by reading patient records. Under HIPAA, the minimum necessary rule applies. Silverfort’s policies can enforce that the agent never sees diagnostic codes unless the patient has consented, regardless of what its service account can technically access. That level of granularity is impossible with static role-based access controls alone.
Manufacturing companies using Copilot agents to monitor shop-floor IoT devices can prevent agents from issuing commands to dangerous machinery unless additional human approval is provided. Silverfort’s engine can trigger a step-up authentication or a manual approval workflow before allowing the action, effectively creating a break-glass mechanism for high-risk operations.
Architectural Considerations
The integration is designed to be non-intrusive. Silverfort’s platform does not require agents to be rewritten or additional dependencies to be installed on target applications. The intercept can occur at multiple points: on the endpoint where the agent runs, via an API gateway, or through integration with Microsoft Entra ID’s Conditional Access. For Copilot Studio, Silverfort likely embeds a small shim in the agent’s execution environment that calls out to its policy service over encrypted channels.
Latency is a key concern for inline blocking. Silverfort states that policy decisions are delivered in milliseconds, leveraging a globally distributed policy engine. For most enterprise workloads—document retrieval, data entry, report generation—this overhead is negligible. For latency-sensitive scenarios, organizations can configure policies with caching or fallback modes to avoid timeouts.
Logging and auditing are also central. Every blocked action generates an alert, visible in Silverfort’s dashboard or streamed to SIEM tools like Microsoft Sentinel. This helps security operations teams detect malicious activity early and provides forensic evidence for investigations.
Community and Industry Reactions
Though the announcement is fresh, early reactions from IT administrators on forums have been cautiously optimistic. Many see this as a necessary evolution, noting that they’ve been reluctant to deploy autonomous agents broadly precisely because of the permission sprawl problem. One user commented, “Finally, someone is applying zero-trust principles to agentic AI. I can’t believe Microsoft didn’t build this in natively.” Another pointed out that while Conditional Access in Entra ID can restrict access to apps, it doesn’t cover what an agent does inside an app. Silverfort’s integration fills that gap.
Some concerns revolve around complexity. “Every new layer of policy enforcement is another thing that can break. What happens when Silverfort’s cloud goes down? Do all my agents stop working?” Good architectural design typically includes fail-open or fail-closed options. Silverfort has not yet published detailed high-availability documentation, but its existing platform supports on-premises policy engines for offline scenarios, which could mitigate this risk.
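What the outage question means in practice, combining the caching fallback mentioned under latency with the fail-open and fail-closed choice. This is an added sketch, not Silverfort's implementation; `EnforcementGate`, `PolicyEngineUnavailable`, the agent and action names, and the 30-second cache lifetime are all hypothetical.

```python
import time
from typing import Callable

class PolicyEngineUnavailable(Exception):
    """Raised by the (hypothetical) remote policy call on timeout or outage."""

class EnforcementGate:
    def __init__(self, decide: Callable[[str, str], str], fail_mode: str = "closed",
                 cache_ttl: float = 30.0, clock: Callable[[], float] = time.monotonic):
        if fail_mode not in ("open", "closed"):
            raise ValueError("fail_mode must be 'open' or 'closed'")
        self.decide, self.fail_mode = decide, fail_mode
        self.cache_ttl, self.clock = cache_ttl, clock
        self._cache = {}   # (agent, action) -> (decision, time decided)
        self.audit = []    # (agent, action, decision, source) for SIEM export

    def check(self, agent: str, action: str) -> str:
        key, now = (agent, action), self.clock()
        try:
            decision, source = self.decide(agent, action), "engine"
            self._cache[key] = (decision, now)
        except PolicyEngineUnavailable:
            cached = self._cache.get(key)
            if cached and now - cached[1] <= self.cache_ttl:
                decision, source = cached[0], "cache"       # recent answer reused
            elif self.fail_mode == "open":
                decision, source = "allow", "fail-open"     # availability over safety
            else:
                decision, source = "block", "fail-closed"   # safety over availability
        self.audit.append((agent, action, decision, source))
        return decision

def demo(fail_mode: str) -> list:
    """Constructed outage: engine answers once, then is unreachable."""
    state = {"up": True, "now": 0.0}
    def engine(agent, action):
        if not state["up"]:
            raise PolicyEngineUnavailable()
        return "allow" if action == "read_record" else "block"
    gate = EnforcementGate(engine, fail_mode, clock=lambda: state["now"])
    gate.check("hr-bot", "read_record")        # engine up, decision cached
    state["up"], state["now"] = False, 10.0
    gate.check("hr-bot", "read_record")        # outage, cache still fresh
    gate.check("hr-bot", "modify_salary")      # outage, never evaluated before
    state["now"] = 100.0
    gate.check("hr-bot", "read_record")        # outage, cache expired
    return [(decision, source) for _, _, decision, source in gate.audit]
```

In fail-open mode the never-evaluated `modify_salary` action is allowed during the outage, so the audit trail should record the decision source to let responders find every action that passed without a live policy check.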
Pricing and licensing details remain unclear. Silverfort’s traditional licensing is based on the number of protected resources and identities. It’s likely that Copilot-specific controls will be offered as an add-on to existing identity protection subscriptions, but until official pricing is released, budget-conscious IT managers are reserving judgment.
The Larger AI Agent Security Landscape
Silverfort isn’t alone in tackling AI agent security. OWASP-aligned projects, startups such as Symmetry Systems, and even cloud providers are racing to provide governance frameworks. Microsoft itself has been enhancing its own Copilot security guidance, emphasizing that customers should apply least-privilege principles to agent identities and monitor their behavior. However, native Microsoft tools still largely rely on static permissions and after-the-fact auditing, not inline policy enforcement.
This announcement positions Silverfort as a leader in the emerging field of runtime authorization for AI agents. It dovetails with broader industry efforts to create standards for agent identity and behavior. The OpenID Foundation’s Shared Signals Framework, which enables continuous communication of security events, could be a natural complement to Silverfort’s approach, allowing agents to signal context changes that trigger policy re-evaluation.
Looking ahead, Silverfort may extend its controls to other agent platforms, such as OpenAI’s GPT-based agents, Anthropic’s Claude, or LangChain-built custom agents. The underlying principle—decoupling authentication from authorization and evaluating risk at each step—applies universally. For now, the focus on Copilot Studio gives Microsoft-centric enterprises a compelling reason to consider Silverfort.
Recommendations for Enterprises
Security teams should evaluate this integration immediately if they are planning to deploy Copilot agents or have already done so. A first step is to inventory existing agents and map their permissions. Identify actions that, if abused, could cause significant business disruption. Then, pilot Silverfort’s controls on a few high-risk agents to measure improvements in security posture and the operational impact.
It’s also wise to revisit identity hygiene. Agents often use service principals or managed identities with static secrets. Rotating those credentials regularly, combined with runtime controls, provides defense in depth. Integrating Silverfort with existing SIEM and SOAR platforms will maximize detection and response capabilities.
Finally, treat this as part of a broader AI governance program. Runtime controls are a technical safeguard, but they must be paired with policy development, training, and regular audits. Who gets to define which agent actions are allowed? How are policies reviewed when agents are retrained or expanded? Answering these questions will determine whether the technology delivers on its promise.
Silverfort’s announcement signals a maturing of the AI agent security market. By bringing runtime identity controls to Copilot Studio, enterprises finally have a tool to enforce the principle of least privilege not just at login, but continuously, for every single action. That capability may prove essential as agentic AI moves from pilot projects to enterprise scale.