
ORIGINAL FRAMEWORKS

The Tenant Agent Reconciliation Framework

Five steps for reconciling what your Microsoft tenant actually contains against what your organization formally approved. The gap between those two numbers is where governance work begins.

The reconciliation step most organizations skip is matching display names in the tenant against the authorization record. Agents get renamed, repurposed, or inherited across team changes. By step three of an examination, that gap is already visible.

v1.0 · April 2026 · Sougata Roy, sougataroy.com

Free to read and cite with attribution to Sougata Roy and sougataroy.com. Do not republish, rebrand, or claim authorship of any framework, term, or model as your own.

Tenant Agent Reconciliation v1.0

Five-step reconciliation process (5 steps)

1. Surface: Establish the actual count of AI agents operating in th…
2. Reconcile: Document the minimum set of facts required to govern ea…
3. Classify: Assign a risk tier to each cataloged agent to prioritiz…
4. Govern: Apply governance requirements proportional to each agen…
5. Sustain: Maintain catalog accuracy over time and prevent new sha…

The agents you don't know about

Most organizations surface agents in step one that their Authorization Registry does not contain. The gap between the two counts is the Tenant Reconciliation Gap. That is where governance work begins.

The problem

Why this framework exists

Shadow agents are not built by rogue employees. They are built by motivated employees solving real problems with tools their organization gave them access to.

Inside the organization

The governance question

Does your organization know the complete count of AI agents currently operating in its environment - not the number that were formally approved, but the number that are actually running?

Platform capability

What the framework adds

The objective is to establish the actual count of AI agents operating in the environment, including those that were never formally approved.

The platform can surface agents. The framework turns that visibility into an operating inventory with ownership, classification, and remediation. The discovery process works across multiple inquiry channels simultaneously - governance interfaces, development teams, department surveys, and procurement records - because no single source produces the complete count.

The framework

The five reconciliation steps

The Tenant Agent Reconciliation Framework is the organizational process for making the actual agent population visible, assessed, and governed. It has five sequential reconciliation steps. Each step produces a specific output that becomes the input to the next step.

Active reconciliation step: 01 Surface

Step brief

Establish the actual count of AI agents operating in the environment, including those that were never formally approved.

Key question

Question path

01. The discovery process works across multiple inquiry channels simultaneously.

02. Query every governance interface and management system the organization uses for AI administration and record the count each one surfaces.

03. Ask the teams responsible for development, process automation, and AI tooling for their own counts and compare those against what governance interfaces show.

04. Survey department heads and team leads directly: how many AI agents or AI-automated workflows is your team currently using, regardless of whether they were formally approved? Check procurement records for AI tool subscriptions, including department-level purchases that did not go through central IT.

Output: Evidence produced

01. A total agent count, a breakdown by discovery source, and an explicit statement of the shadow agent population - the agents operating without formal approval.

02. The organizational principle: the count that matters is the actual count, not the approved count.

03. Starting governance work from the approved list means governing the minority of the AI deployment while the majority operates without oversight.

Governance move

Each step produces a concrete artifact that becomes the input to the next step, so the reconciliation evolves from surfacing into a working control system.

Quarterly agent governance review

The Quarterly Agent Governance Review: What Gets Checked and Why

The quarterly review is the evidence record for regulatory audit readiness. An organization that cannot produce quarterly review documentation for its agent portfolio is carrying unquantified governance debt regardless of how well its agents are configured.

Review record

Five quarterly checks. One evidence record.

Each check turns an agent population problem into a documented operating decision: validate, identify, resolve, detect, reconcile.

Complete only when registry, scope, owner, audit trail, and observed behavior agree.

Q1 - Registry Integrity and Scope Validation: New Agents Since Last Cycle

Checks: Complete registry entry, documented intent statement, named accountable owner, active audit trail.
Red Flag: Incomplete entries require remediation before the next review cycle closes.

Q2 - Identify Scope and Permission Changes

Checks: Updated intent statement, owner sign-off on new scope, audit trail entry.
Red Flag: Undocumented scope change requires immediate escalation to the accountable owner and CISO.

Q3 - Security, Audits, and Intent Reconciliation: Resolve Ownerless Agent Status

Checks: Escalation triggered, ownership assignment in progress, agent suspended status.
Red Flag: Ownerless agent still active requires immediate suspension and escalation.

Q4 - Detect Audit Trail and Logging Gaps

Checks: Logging active and complete, SIEM connectivity, log retention compliance.
Red Flag: Audit trail gap requires the agent to be suspended pending logging remediation.

Q5 - Reconcile Observed Behavior vs Documented Intent

Checks: Compare logs to intent, flag unreconciled behavior, human review escalation.
Navy Flag: Reconciled agents document review completion in the registry entry.

Why it lasts

That last condition is the practical test. If your organization cannot produce a current, complete agent count on demand, the shadow agent inventory work has not begun.

Who it is for

What good looks like

The organization's agent catalog reflects the actual count of AI agents operating in the environment, not just the count of approved ones. The shadow agent population is declining over time as the intake process matures. When a named accountable owner leaves, ownership transfer is initiated before their departure. Authorization records do not expire without review. When someone asks how many AI agents the organization operates and what governance is in place for each, the answer comes from the catalog - not from someone's recollection of what was approved two years ago, and not assembled under pressure when an examiner or auditor is waiting for a response.

Living catalog - Quarterly control review (Active)

47 Discovered
12 Approved
9 Ownerless

1. Renew authorizations - Due this quarter
2. Transfer ownership - Before role changes
3. Reduce shadow count - Trend must decline

Governance signal

The reconciliation is working when the Tenant Reconciliation Gap declines quarter over quarter and the intake path is the reason.

Quick reference

Download the Discovery Sprint Card

A one-page reference card for running the five-step agent reconciliation exercise across your Microsoft 365 environment.

QUICK CHECK

Tenant Agent Reconciliation: 60-Minute Discovery Sprint

Five steps from M365 inventory to shadow agent count to reconciliation gap.

Executive FAQ

Questions leaders ask before deployment

These are the questions that separate a tool inventory from an operating governance system. If the answer is not in the catalog, the control does not exist yet.

Referenced in

This framework is analyzed in the white paper

"Who Owns the Agent?" applies this framework to real-world deployment scenarios and maps it to named governance incidents from 2024 to 2026.

White paper

Who Owns the Agent?

The Intent Architecture Stack white paper, ten sections, complete diagnostic, named incident analysis, Intent Document template.

Research brief

Source: Torii, "2026 SaaS Benchmark Annual Report," February 24, 2026.


60-minute operating sprint

Apply this framework in one working session

Use this as a live governance exercise. Leave the session with named evidence, a visible gap, and a next owner rather than another discussion note.

Working session board

One pass through the framework. One evidence trail.

5 Steps · 60 Minutes · 1 Owner · Live Decision

60 minutes, all in one session

01 - Discover

Query your Microsoft 365 Admin Center: navigate to Copilot > Agents > Inventory. Record the number of agents shown. If you have Microsoft Agent 365, check the registry there as well - this shows additional agents not visible in the standard inventory.

02 - Action (execution checkpoint 2)

Check your Power Platform Admin Center for agents in development. This surfaces agents that have been built but not yet published, which the standard M365 inventory does not show.

03 - Action (execution checkpoint 3)

Check your Azure portal for any registered enterprise applications with "agent" in the name or description, and for any Microsoft Foundry deployments.

04 - Action (execution checkpoint 4)

Ask your IT team: how many agents has your organization created or approved in the last 90 days? Compare this number to what the inventories show. The difference is your shadow agent count - agents that exist in your environment but are not in your official registry.

05 - Action (execution checkpoint 5)

Write down four numbers: agents in M365 inventory, agents in Power Platform, agents in Azure, shadow agent count estimate. This is your Discovery output. The next four steps of the framework use this as input.

Output of each checkpoint: Written evidence ready for the next governance decision.
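The comparison in checkpoints 4 and 5 can be run on exported records instead of raw counts, which also covers the display-name match against the authorization record described at the top of the page. The following is an added example, not part of the framework or of any Microsoft tooling: it assumes each inventory has been exported to records that carry a stable identifier, and the field names (agent_id, display_name, owner), source labels and sample data are constructed for illustration.

```python
from collections import Counter

# Constructed sample data. Field names (agent_id, display_name, owner) and the
# source labels are assumptions for this example, not a Microsoft export schema.
DISCOVERED = [
    {"source": "m365_inventory", "agent_id": "a-001", "display_name": "HR Helper"},
    {"source": "m365_inventory", "agent_id": "a-002", "display_name": "Invoice Triage v2"},
    {"source": "power_platform", "agent_id": "a-003", "display_name": "Draft Contract Bot"},
    {"source": "azure", "agent_id": "a-002", "display_name": "Invoice Triage v2"},
    {"source": "azure", "agent_id": "a-004", "display_name": "sales-agent-poc"},
    {"source": "survey", "agent_id": "a-005", "display_name": "Team Notes Summarizer"},
]
REGISTRY = [
    {"agent_id": "a-001", "display_name": "HR Helper", "owner": "j.doe"},
    {"agent_id": "a-002", "display_name": "Invoice Triage", "owner": None},
    {"agent_id": "a-009", "display_name": "Retired FAQ Bot", "owner": "k.lee"},
]

def reconcile(discovered, registry):
    """Join discovered agents to the registry on a stable ID, then compare names."""
    seen = {}  # agent_id -> first record; dedupes an agent found by several sources
    for rec in discovered:
        seen.setdefault(rec["agent_id"], rec)
    approved = {r["agent_id"]: r for r in registry}
    shadow = sorted(set(seen) - set(approved))   # running, no registry entry
    stale = sorted(set(approved) - set(seen))    # registry entry, nothing running
    matched = set(seen) & set(approved)
    renamed = sorted(a for a in matched          # same ID, display name drifted
                     if seen[a]["display_name"].casefold()
                     != approved[a]["display_name"].casefold())
    ownerless = sorted(a for a in matched if not approved[a]["owner"])
    return {
        "actual_count": len(seen),
        "approved_count": len(approved),
        "count_gap": len(seen) - len(approved),  # difference between the two counts
        "by_source": dict(Counter(r["source"] for r in discovered)),
        "shadow": shadow,
        "renamed": renamed,
        "ownerless": ownerless,
        "stale_registry_entries": stale,
    }

if __name__ == "__main__":
    for key, value in reconcile(DISCOVERED, REGISTRY).items():
        print(f"{key}: {value}")
```

In this sample the difference between the two counts is 2, while three agents have no registry entry, because one approved entry no longer matches anything running.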