CISO
Enterprise Architect
Compliance Officer
Industry relevance
Financial Services
Healthcare
Government
MARCH 29, 2026
Every agent added to Copilot is a new prompt-injection surface — Microsoft's own guidance says tools and knowledge can pull from untrusted sources and influence behavior.
Microsoft’s current guidance on extending Microsoft 365 Copilot with agents explicitly warns that tools and knowledge can pull from untrusted sources and influence behavior. The implication is clear: every custom agent added to Copilot is also a new prompt-injection and tool-governance surface.
GOVERNANCE IMPLICATION
Microsoft's own documentation for extending Copilot with agents explicitly acknowledges the prompt-injection risk from tools and knowledge sources that pull from untrusted content. This is not a theoretical concern surfaced by third-party researchers — it is a first-party acknowledgment embedded in the official product guidance. For regulated organizations, this means the approval process for adding any custom agent to Copilot should include a documented review of every data source and tool the agent can access, with a specific assessment of whether any source can be influenced by untrusted external content.
SCENARIO
A legal team at a financial services firm deploys a Copilot agent that monitors regulatory news feeds and summarizes relevant updates into a weekly briefing document. The agent's knowledge source includes public RSS feeds from three industry news sites. An adversary plants a prompt injection payload in an article on one of those sites. The next time the agent processes the feed, it includes the injected instruction in its output and forwards it to the team's SharePoint library where other Copilot agents use it as a grounding source. The original agent had no content safety guardrail on external knowledge sources.
THE GOVERNANCE QUESTION
What review process should exist before a Copilot-connected agent is allowed to use tools or knowledge sources that can be manipulated by untrusted content?
CONTROL GAP
No standardized review process exists for assessing the prompt-injection risk of knowledge sources and tools before a custom agent is added to the organizational Copilot deployment. Most agent approval workflows focus on data access permissions, not on the trustworthiness of the content the agent ingests.
REGULATORY RELEVANCE
NIST Ai RMF
SEC Cyber
FINRA
OCC
FFIEC
PRIMARY SOURCE
Extend Microsoft 365 Copilot with agents
Microsoft
February 27, 2026
Read the primary source ->(opens in new tab)CONTINUE READING
MAY 21, 2026
Identity DataMicrosoft's May 2026 security roundup (Microsoft Security Blog, May 21, 2026) introduced an Anthropic Claude connector for Microsoft Purview, extending centralized visibility and audit signals across Claude Enterprise, Claude Console, and the Claude API. The same update reported Agent 365 reaching general availability and Windows 365 for Agents expanding in public preview. The connector gives Purview insight into Claude interaction and audit log activity alongside an organization's existing Microsoft AI estate.
MAY 7, 2026
Identity DataMicrosoft Digital published an internal governance guide for Microsoft 365 Copilot on May 7, 2026, updated June 8, 2026, authored by Alex Fleck on the Inside Track Blog. The guide states that by trusting employees to apply sensitivity labels and defaulting new content to inherit labels from parent containers, Microsoft accounts for 99 percent of its governance needs. The guide covers eight chapters: self-service container creation, label taxonomy, file-label inheritance, employee training, DLP-based verification, lifecycle attestation, company-shareable links, and oversharing detection through Microsoft Graph Data Connect.
MAY 1, 2026
Identity DataMicrosoft confirmed on May 1, 2026 that Conditional Access for agents is generally available for delegated access agents, those that act on behalf of a licensed human user. Conditional Access for own-access agents, those that operate with an independent identity not tied to a user session, remains in public preview. Microsoft Entra ID Protection applies dynamic risk evaluation to both agent and user identity signals and feeds those signals into Conditional Access policies. The GA and preview split means the two agent classes operate under materially different access control regimes at Agent 365 launch.