CISO, CIO, Enterprise Architect, Compliance Officer
Industry relevance: Financial Services, Healthcare, Government
APRIL 30, 2026
No published standard defines what an authorization record for a multi-agent chain must contain or whose name is accountable when the chain acts outside any individual agent's approved scope.
CISA, the NSA, and allied agencies from Australia, the UK, Canada, and New Zealand published Careful Adoption of Agentic AI Services on April 30, 2026. The guidance recommended integrating agentic AI into existing zero trust and identity management frameworks. It explicitly acknowledged that existing security frameworks have not fully caught up with agentic AI and that some risks unique to these systems are not yet covered. One of those uncovered risks: how authorization and accountability should flow across multi-agent orchestration chains, including which agent's scope covers the outcome and whose name is accountable when the chain acts outside any individual agent's approved scope.
GOVERNANCE IMPLICATION
When Agent A instructs Agent B which instructs Agent C, no published standard specifies what an authorization record for that chain must contain, which agent's scope covers the aggregate outcome, or whose name is accountable when the chain acts outside any individual agent's approved scope. That gap now has a working name: Chain Authorization Gap. It is distinct from prompt injection, agent sprawl, and the Intent Gap. The Chain Authorization Gap is the absence of any authorization record for the outcome of a multi-agent chain, where no single agent held individual authorization for what the chain collectively did. Entra Agent ID provides identity and parent-child relationships for orchestrations. It does not prescribe who approves the chain or who is accountable when the chain causes harm.
SCENARIO
A regulated financial institution deploys a three-agent Copilot Studio orchestration: an orchestrator that receives customer requests, a retrieval agent that queries SharePoint for policy documents, and a drafting agent that produces loan modification recommendations. Each agent has an Entra Agent ID and a parent-child relationship documented in the platform. An OCC examination asks for the authorization record for the orchestration chain, specifically who approved the combined scope of all three agents acting together, what that combined scope permits, and who is the named accountable owner for the chain's output. The Entra Agent ID records exist. The chain authorization record does not.
THE GOVERNANCE QUESTION
For each multi-agent orchestration currently running in your environment, can you produce a single authorization record that names who approved the chain, defines the aggregate scope of permitted actions across all agents, and identifies the human accountable if the chain produces an outcome outside that scope? If not, the Chain Authorization Gap exists in your environment.
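One way to make the question above testable, as an added example that is not part of the original brief or of any published standard. The record fields, agent names and action strings are hypothetical, and the sample data is constructed from the three-agent scenario.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChainAuthorization:
    """Hypothetical record layout; no published standard defines these fields."""
    chain_id: str
    approved_by: str             # who approved the agents acting together
    accountable_owner: str       # named human accountable for chain output
    agents: frozenset            # agent identities covered by the approval
    aggregate_scope: frozenset   # actions the chain as a whole may perform

def record_gaps(rec):
    """List which of the three required answers the record cannot give."""
    if rec is None:
        return ["no chain authorization record"]
    gaps = []
    if not rec.approved_by.strip():
        gaps.append("no named approver")
    if not rec.aggregate_scope:
        gaps.append("no aggregate scope")
    if not rec.accountable_owner.strip():
        gaps.append("no accountable owner")
    return gaps

def review_trace(rec, agent_scopes, trace):
    """Classify each (agent, action) step against per-agent and chain scope."""
    findings = []
    for agent, action in trace:
        if action not in agent_scopes.get(agent, frozenset()):
            findings.append((agent, action, "outside agent scope"))
        elif rec is None or agent not in rec.agents or action not in rec.aggregate_scope:
            # Individually approved, but nobody approved it for the chain.
            findings.append((agent, action, "chain authorization gap"))
    return findings

# Constructed sample data modelled on the three-agent scenario above.
AGENT_SCOPES = {
    "orchestrator": frozenset({"receive:customer_request"}),
    "retrieval": frozenset({"read:sharepoint_policy"}),
    "drafting": frozenset({"draft:loan_modification", "send:customer_email"}),
}
RECORD = ChainAuthorization(
    chain_id="loan-mod-chain", approved_by="approver@example.test (constructed)",
    accountable_owner="", agents=frozenset(AGENT_SCOPES),
    aggregate_scope=frozenset({"receive:customer_request",
                               "read:sharepoint_policy", "draft:loan_modification"}),
)
TRACE = [("orchestrator", "receive:customer_request"), ("retrieval", "read:sharepoint_policy"),
         ("drafting", "draft:loan_modification"), ("drafting", "send:customer_email")]
```

Passing `None` as the record models the scenario's state, where per-agent identity records exist but no chain record does: every step is then reported as a chain authorization gap.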
CONTROL GAP
No regulatory body, vendor platform, or published framework specifies what an authorization record for a multi-agent orchestration chain must contain. Enterprises deploying multi-agent systems on Copilot Studio and Entra Agent ID are defining their own accountability structures with no external standard to validate against.
REGULATORY RELEVANCE
NIST AI RMF
OCC
FINRA
FFIEC
PRIMARY SOURCE
Careful Adoption of Agentic AI Services
CISA, NSA, ASD's ACSC, and international partners
April 30, 2026
CONTINUE READING
MAY 12, 2026
Security
Microsoft published a five-level DDoS resilience maturity framework on May 12, 2026 in the Microsoft Security Blog, authored by Kumar Srinivasamurthy, VP of Intelligent Conversation and Communications Cloud Platform. The framework grades organizational posture from Level 1 (Exposed, direct origin with no CDN) through Level 5 (Autonomous Defense, AI-powered predictive mitigation where attacks are neutralized before human operator awareness). The post cites Microsoft Digital Defense Report 2025 data showing DDoS attacks against Microsoft properties reached approximately 4,500 per day by June 2024, following a rise that began in mid-March 2024.
MAY 12, 2026
Security
The Microsoft Defender Security Research Team published research on May 12, 2026 in the Microsoft Security Blog describing three approaches to generating synthetic security attack logs using AI. The pipeline progresses from prompt-engineered generation through an agentic workflow using three specialized agents (Generator, Evaluator, Improver) to multi-turn Reinforcement Learning with Verifiable Rewards. The research uses MITRE ATT&CK TTPs as input and produces structured telemetry designed to trigger detection rules without requiring live attack execution in controlled lab environments. Evaluation showed agentic workflows significantly outperform prompt-only approaches across all test datasets.
MAY 12, 2026
Security
Microsoft announced on May 12, 2026 in the Microsoft Security Blog a new multi-model agentic scanning harness (codename MDASH), developed by its Autonomous Code Security team. MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable vulnerabilities end-to-end. The system identified 16 new CVEs across the Windows networking and authentication stack, including four Critical remote code execution flaws, and scored 88.45% on the CyberGym benchmark of 1,507 real-world vulnerabilities, the highest published score on that leaderboard at time of writing.