CISO
CIO
Compliance Officer
Enterprise Architect
Industry relevance
Financial Services
Healthcare
Government
Manufacturing
FEBRUARY 12, 2026
Over 80% of Fortune 500 companies are running AI agents, but fewer than half have the security controls in place to govern them.
Microsoft Security Insider published findings from first-party telemetry showing that more than 80% of Fortune 500 companies are deploying active agents built with low-code or no-code tools, based on the last 28 days of November 2025. A separate survey of 1,725 data security professionals found that 29% of employees are already using unsanctioned AI agents for work tasks, while only 47% of organizations have implemented specific GenAI security controls. The report introduces Agent 365 as Microsoft's unified control plane for managing AI agents enterprise-wide. Vasu Jakkal, CVP of Microsoft Security, is quoted on applying Zero Trust principles to AI agents. The report identifies the observability gap as the foundational risk: organizations cannot govern what they cannot see.
GOVERNANCE IMPLICATION
Microsoft's own telemetry shows agent deployment has outpaced governance infrastructure by a significant margin. When 29% of employees are already running unsanctioned agents and only 47% of organizations have GenAI security controls, the accountability structure that most regulated organizations assume exists simply does not. Agent 365 provides the observability layer — but observability without a defined accountability policy is a dashboard, not a control. The question regulators will ask is not whether you could see the agents operating in your environment. It is whether you had defined, in writing, who was responsible for each one.
SCENARIO
A compliance analyst at a mid-size regional bank spends a Tuesday afternoon building a Copilot Studio agent that summarizes client portfolio emails and flags upcoming regulatory deadlines. IT never sees it. Six months later, the agent surfaces a deadline incorrectly and a Form ADV filing is missed. The OCC examination team asks who authorized the agent. The compliance officer says IT owns agents. IT says the business owns what it builds in low-code tools. The CISO says neither team ever reported it. There is no policy covering unsanctioned low-code agents because nobody in the organization believed a compliance analyst had the technical access to build one.
THE GOVERNANCE QUESTION
When 29% of employees are already running unsanctioned agents and only 47% of organizations have GenAI security controls in place, who in the enterprise is accountable for the agents no one formally authorized?
CONTROL GAP
No enterprise-wide registry exists for agents built outside IT-sanctioned channels. Microsoft Copilot Studio allows business users to deploy agents with data access permissions that bypass standard software procurement and governance workflows entirely.
REGULATORY RELEVANCE
OCC
FINRA
FFIEC
NIST AI RMF
SEC Cyber
PRIMARY SOURCE
Cyber Pulse: An AI Security Report
Microsoft Security Experts
February 10, 2026
CONTINUE READING
MARCH 11, 2026
Agents
Microsoft announced on March 9, 2026 via its Security Blog that Agent 365 will be generally available on May 1, 2026, priced at $15 per user per month. Agent 365 is the unified control plane for managing AI agents across the enterprise, providing IT and security teams with visibility and tools to observe, secure, and govern agents at scale. It is bundled with Microsoft 365 E7: The Frontier Suite - a new licensing tier priced at $99 per user per month that combines Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Entra, Intune, and Purview capabilities. Vasu Jakkal, CVP of Microsoft Security, authored the announcement and positioned Agent 365 as the enterprise response to the agent governance gap.
APRIL 18, 2026
Accountability
Microsoft published an AI observability checklist for enterprise steering committees on April 16, 2026 via the Microsoft Cloud Blog, authored by Alym Rayani, VP of Marketing for Microsoft Security. The post frames observability as the foundational prerequisite for scaling enterprise AI in 2026 and introduces a refreshed version of Microsoft's governance guide, adding observability as a new pillar. The checklist identifies four questions every steering committee must be able to answer: what agents currently exist across the environment, who owns them, what data and systems they touch, and how they behave. Accenture is cited as a case study, having deployed over 75 AI use cases across industries with 16 in production after implementing centralized observability, reducing AI application build time by 50%.