CISO
CIO
Board
Enterprise Architect
Industry relevance
Financial Services
Healthcare
Government
Manufacturing
MARCH 9, 2026
IDC forecasts 1.3 billion AI agents by 2028 — at that scale, existing identity governance frameworks will need to be rebuilt, not extended.
Microsoft cited IDC research in its March 9, 2026 E7 announcement projecting 1.3 billion agents in circulation by 2028. The same announcement confirmed that 80% of the Fortune 500 are already using Microsoft agents, with adoption led by operationally complex industries including manufacturing, financial services, and retail.
GOVERNANCE IMPLICATION
IDC's 1.3 billion agent forecast by 2028, combined with Microsoft's current data showing 80% of the Fortune 500 already using agents, establishes a trajectory that most enterprise governance frameworks were not designed to handle. Identity governance programs built for human users typically assume an access review cadence of quarterly or annually. At ten agents per employee, that cadence becomes operationally impossible without automation. The governance gap is not in the intent to govern — it is in the tooling and process design that governance programs have not yet built for agent-scale populations.
SCENARIO
An enterprise architect at a large financial institution reads the IDC forecast and calculates that at the projected 1.3 billion agent figure, her organization with 50,000 employees would be managing approximately 500,000 agent identities by 2028. Her current identity governance program reviews 50,000 human access rights on an annual cycle. She presents the math to the CISO: at the same review cadence, the 2028 agent access review cycle would require a team ten times larger or a fully automated governance process that does not yet exist.
THE GOVERNANCE QUESTION
At 1.3 billion agents by 2028, the ratio of AI agents to licensed human users in enterprise environments will exceed anything identity governance frameworks were designed for. What does your current access review cadence, entitlement management model, and audit trail architecture look like at ten agents per employee — and has your security team run that scenario, or is it being deferred until the scale becomes undeniable?
CONTROL GAP
Identity governance programs were designed for human-scale populations. No enterprise has yet built an agent identity governance process designed for agent-scale populations where agents outnumber humans by an order of magnitude.
REGULATORY RELEVANCE
NIST Ai RMF
OCC
FFIEC
FINRA
PRIMARY SOURCE
Introducing the First Frontier Suite built on Intelligence + Trust
Microsoft
Read the primary source ->(opens in new tab)CONTINUE READING
JUNE 2, 2026
AgentsMicrosoft announced Scout at Build 2026 on June 2, 2026, as the first product in a new agent category called Autopilots. Scout is an always-on agent operating across Microsoft 365 apps including Teams, Outlook, OneDrive, and SharePoint, with its own governed Microsoft Entra identity. It is available in private preview for Frontier enterprise customers requiring a GitHub Copilot subscription, built on the OpenClaw open-source agent framework. The announcement was published on the Microsoft 365 Blog by Omar Shahine, Corporate Vice President, Microsoft 365.
JUNE 2, 2026
AgentsOn June 2, 2026, Microsoft announced the Agent Control Specification (ACS) and ASSERT at Build 2026, authored by Sarah Bird on the Microsoft Foundry Blog. ACS is an open industry specification, part of the Agent Governance Toolkit, that places deterministic safety and security controls at five validation checkpoints in an agent's lifecycle: input, LLM, state, tool execution, and output. Controls are expressed as portable, versionable, auditable policy and are designed to work across any agent framework. ASSERT, a separate open-source project, converts written policies into executable evaluation scenarios. ACS launched with customer and partner endorsement including KPMG, Zscaler, IBM, and Arize AI.
MAY 11, 2026
AgentsMicrosoft Copilot Studio published April 2026 feature updates on May 11, 2026, authored by Nitasha Chopra, VP and COO of Copilot Studio. Key releases include the Analytics Viewer role reaching GA providing read-only access to agent analytics separated from configuration rights; agent nodes embeddable directly into workflows to delegate AI reasoning within deterministic automation; MCP server-enabled tools in preview for external system connectivity within workflows; and a centralized admin-controlled DLP-enforced environment for the Workflows Agent. The post also confirms Microsoft Agent 365 is now generally available as the centralized control plane for agents.