CISO
CIO
Board
Enterprise Architect
Industry relevance
Financial Services
Healthcare
Government
Manufacturing
MARCH 9, 2026
IDC forecasts 1.3 billion AI agents by 2028 — at that scale, existing identity governance frameworks will need to be rebuilt, not extended.
Microsoft cited IDC research in its March 9, 2026 E7 announcement projecting 1.3 billion agents in circulation by 2028. The same announcement confirmed that 80% of the Fortune 500 are already using Microsoft agents, with adoption led by operationally complex industries including manufacturing, financial services, and retail.
GOVERNANCE IMPLICATION
IDC's 1.3 billion agent forecast by 2028, combined with Microsoft's current data showing 80% of the Fortune 500 already using agents, establishes a trajectory that most enterprise governance frameworks were not designed to handle. Identity governance programs built for human users typically assume an access review cadence of quarterly or annually. At ten agents per employee, that cadence becomes operationally impossible without automation. The governance gap is not in the intent to govern — it is in the tooling and process design that governance programs have not yet built for agent-scale populations.
SCENARIO
An enterprise architect at a large financial institution reads the IDC forecast and calculates that at the projected 1.3 billion agent figure, her organization with 50,000 employees would be managing approximately 500,000 agent identities by 2028. Her current identity governance program reviews 50,000 human access rights on an annual cycle. She presents the math to the CISO: at the same review cadence, the 2028 agent access review cycle would require a team ten times larger or a fully automated governance process that does not yet exist.
THE GOVERNANCE QUESTION
At 1.3 billion agents by 2028, the ratio of AI agents to licensed human users in enterprise environments will exceed anything identity governance frameworks were designed for. What does your current access review cadence, entitlement management model, and audit trail architecture look like at ten agents per employee — and has your security team run that scenario, or is it being deferred until the scale becomes undeniable?
CONTROL GAP
Identity governance programs were designed for human-scale populations. No enterprise has yet built an agent identity governance process designed for agent-scale populations where agents outnumber humans by an order of magnitude.
REGULATORY RELEVANCE
NIST Ai RMF
OCC
FFIEC
FINRA
PRIMARY SOURCE
Introducing the First Frontier Suite built on Intelligence + Trust
Microsoft
Read the primary source →(opens in new tab)CONTINUE READING
MAY 11, 2026
AgentsMicrosoft Copilot Studio published April 2026 feature updates on May 11, 2026, authored by Nitasha Chopra, VP and COO of Copilot Studio. Key releases include the Analytics Viewer role reaching GA providing read-only access to agent analytics separated from configuration rights; agent nodes embeddable directly into workflows to delegate AI reasoning within deterministic automation; MCP server-enabled tools in preview for external system connectivity within workflows; and a centralized admin-controlled DLP-enforced environment for the Workflows Agent. The post also confirms Microsoft Agent 365 is now generally available as the centralized control plane for agents.
MAY 5, 2026
AgentsMicrosoft's 2026 Work Trend Index Annual Report, published May 5, 2026, includes the first WTI telemetry on AI agent volume. Active agents on Microsoft 365 grew 15x year-over-year across all customer segments, rising to 18x in large enterprises. This is the first time Microsoft has disclosed agent volume scale as part of its annual workforce research.
MAY 1, 2026
AgentsMicrosoft's May 1, 2026 What's New in Agent 365 announcement introduced registry sync, allowing organizations to connect the Agent 365 registry to external agent platforms. Initial preview connections include Amazon Web Services and Google Cloud, with additional partner platforms planned. When connected, agents built on those platforms appear in the Agent 365 unified registry with governance actions including agent deletion available directly from the registry interface. Without registry sync connections configured, Agent 365 shows only Microsoft-hosted agents.