CISO
Enterprise Architect
CTO
Compliance Officer
Industry relevance
Financial Services
Healthcare
Government
JUNE 2, 2026
Microsoft launched an always-on AI agent that operates with its own corporate identity. Organizations need a formal authorization process before deployment, not after.
Microsoft announced Scout at Build 2026 on June 2, 2026, as the first product in a new agent category called Autopilots. Scout is an always-on agent operating across Microsoft 365 apps including Teams, Outlook, OneDrive, and SharePoint, with its own governed Microsoft Entra identity. It is available in private preview for Frontier enterprise customers requiring a GitHub Copilot subscription, built on the OpenClaw open-source agent framework. The announcement was published on the Microsoft 365 Blog by Omar Shahine, Corporate Vice President, Microsoft 365.
GOVERNANCE IMPLICATION
Scout's governed Entra identity is a new class of governance artifact that most organizations have no process to authorize or review before provisioning. Attributability through a directory identity is not the same as authorization: the question is whether the identity scope was approved by a named human accountable for the consequences. Organizations that treat Scout provisioning as a product configuration rather than an authorization decision will have no answer when an examiner asks for the approval record. Purview DLP and sensitivity labels apply at action time, but those controls operate downstream of the identity scope decision that matters for audit.
SCENARIO
An enterprise architect at a financial services firm provisions Scout through the Frontier preview for a trading operations team. Scout is given an Entra identity with access to Teams, Outlook, and SharePoint. Three weeks after deployment, a regulatory examiner asks for the authorization record for the agent identity, the documented scope of data access, and the named approver. No such record exists because provisioning was treated as a product configuration, not an authorization decision. The organization must reconstruct the authorization chain retroactively.
THE GOVERNANCE QUESTION
When an Autopilot agent acts autonomously under its own Entra identity, who in the organization formally authorized the scope of that identity before it was provisioned?
CONTROL GAP
No standard authorization workflow is required for Autopilot identity provisioning in Agent 365 as of the June 2, 2026 launch. Scout's Entra identity scope is set during configuration with no mandated approval gate before production deployment.
REGULATORY RELEVANCE
NIST Ai RMF
SEC Cyber
PRIMARY SOURCE
Introducing Microsoft Scout: Your always-on personal agent
Omar Shahine
June 2, 2026
Read the primary source →(opens in new tab)CONTINUE READING
MAY 11, 2026
AgentsMicrosoft Copilot Studio published April 2026 feature updates on May 11, 2026, authored by Nitasha Chopra, VP and COO of Copilot Studio. Key releases include the Analytics Viewer role reaching GA providing read-only access to agent analytics separated from configuration rights; agent nodes embeddable directly into workflows to delegate AI reasoning within deterministic automation; MCP server-enabled tools in preview for external system connectivity within workflows; and a centralized admin-controlled DLP-enforced environment for the Workflows Agent. The post also confirms Microsoft Agent 365 is now generally available as the centralized control plane for agents.
MAY 5, 2026
AgentsMicrosoft's 2026 Work Trend Index Annual Report, published May 5, 2026, includes the first WTI telemetry on AI agent volume. Active agents on Microsoft 365 grew 15x year-over-year across all customer segments, rising to 18x in large enterprises. This is the first time Microsoft has disclosed agent volume scale as part of its annual workforce research.
MAY 1, 2026
AgentsMicrosoft's May 1, 2026 What's New in Agent 365 announcement introduced registry sync, allowing organizations to connect the Agent 365 registry to external agent platforms. Initial preview connections include Amazon Web Services and Google Cloud, with additional partner platforms planned. When connected, agents built on those platforms appear in the Agent 365 unified registry with governance actions including agent deletion available directly from the registry interface. Without registry sync connections configured, Agent 365 shows only Microsoft-hosted agents.