UPDATED · RSAC 2026 · MARCH 24, 2026

Securing AI Workloads, Agents & MCP Ecosystems

A technical deep-dive into Microsoft's AI security architecture — covering the full stack from identity primitives and MCP attack surfaces to runtime threat detection and regulatory framework alignment. Caveats on current limitations are shown throughout.

AUDIENCE: SECURITY ARCHITECTS & ENGINEERS
✓ SECURITY DASHBOARD FOR AI: NOW GA
⚠ AGENT ID: PREVIEW · FRONTIER ONLY
⚠ AGENTS STILL USE OBO TOKEN FLOW
⚠ AGENT 365: PER-USER, NOT PER-AGENT
✅ RSAC 2026 Updates — March 20, 2026

Security Dashboard for AI is now generally available. Entra Internet Access Shadow AI Detection and Prompt Injection Protection both GA on March 31. New Security Analyst Agent and Security Alert Triage Agent announced. Sentinel MCP Entity Analyzer GA in April. Several new Purview and Entra capabilities added across preview and GA. See the Gaps & Roadmap page for the updated availability matrix.

Executive Summary

Why Securing AI Is a First-Class Security Problem

Organisations are deploying AI copilots and autonomous agents at scale to automate decision-making and access enterprise data. Standards like Model Context Protocol (MCP) now let AI systems invoke real enterprise tools — email, file systems, APIs, SaaS platforms — not just generate text. This transforms the AI agent from a productivity interface into a privileged digital actor operating inside the enterprise perimeter.

According to Microsoft's research, 80% of Fortune 500 companies are already using agents. Industry projections estimate over one billion AI agents in enterprise environments by 2028. Traditional security models built for users, endpoints, and applications break down when the actor is non-human, persistent, autonomous, and potentially opaque.

⚠ The Core Problem Security Architects Must Solve

An AI agent blends a user (accesses data, makes decisions), an application (runs code, calls APIs), and a service account (operates non-interactively, often persistently). No single existing security primitive handles all three. Microsoft is building toward this with Entra Agent ID — but it remains in limited preview for frontier customers only. Today, agents operate under OBO (On-Behalf-Of) delegation — inheriting the invoking user's identity and permissions, not a purpose-scoped identity of their own.
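As an added illustration of the OBO gap described above (example code written for this page, not Microsoft's or the guide's own tooling): a small Python audit that classifies an agent's bearer token as delegated (OBO) or app-only from its claims, and reports which inherited permissions exceed what the agent's tool actually needs. The two tokens are constructed, unsigned samples; the claim names scp, roles, upn, oid, azp and idtyp are standard Entra ID token claims, while the audience value, permission names and the required-permission set are assumptions.

```python
import base64
import json
from dataclasses import dataclass, field


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_jwt(claims: dict) -> str:
    """Build an UNSIGNED JWT for offline testing. Constructed sample, not a real Entra token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims only. Signature and issuer validation are assumed
    to have happened upstream (e.g. at the API gateway) before this audit runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


@dataclass
class AgentTokenReport:
    identity_model: str                      # "delegated-obo" or "app-only"
    acting_as: str                           # user the agent inherits, or the app id
    granted: set = field(default_factory=set)
    excess: set = field(default_factory=set)   # granted but not needed by this tool
    missing: set = field(default_factory=set)  # needed but not granted
    findings: list = field(default_factory=list)


def assess_agent_token(token: str, required: set) -> AgentTokenReport:
    """Classify the token and compare its effective permissions with `required`,
    the (assumed) minimum permission set the agent's tool needs."""
    claims = decode_claims(token)
    if "scp" in claims:
        # Delegated (OBO) token: 'scp' is the space-separated list of scopes
        # consented for the *user*. The agent inherits every one of them,
        # regardless of what its current task needs.
        granted = set(claims["scp"].split())
        actor = claims.get("upn") or claims.get("oid", "?")
        report = AgentTokenReport("delegated-obo", actor, granted)
        report.findings.append(
            "agent runs with the invoking user's delegated permissions (OBO), "
            "not a purpose-scoped agent identity")
    else:
        # App-only token: 'roles' lists application permissions granted to the
        # client itself; 'azp' (v2) / 'appid' (v1) identifies that client.
        granted = set(claims.get("roles", []))
        actor = claims.get("azp") or claims.get("appid", "?")
        report = AgentTokenReport("app-only", actor, granted)
    report.excess = granted - required
    report.missing = required - granted
    if report.excess:
        report.findings.append(f"over-privileged: {sorted(report.excess)} not needed by this tool")
    if report.missing:
        report.findings.append(f"missing required permission(s): {sorted(report.missing)}")
    return report


# Constructed sample tokens (all values are made up for this example).
SAMPLE_OBO_TOKEN = make_constructed_jwt({
    "aud": "api://agent-tool-gateway",
    "idtyp": "user",
    "oid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@contoso.example",
    "scp": "Mail.Read Mail.Send Files.ReadWrite.All",
})
SAMPLE_APP_TOKEN = make_constructed_jwt({
    "aud": "api://agent-tool-gateway",
    "idtyp": "app",
    "azp": "00000000-0000-0000-0000-00000000beef",
    "roles": ["Mail.Read"],
})

if __name__ == "__main__":
    # A "read my inbox" tool should need nothing beyond Mail.Read (assumption).
    for name, tok in (("OBO", SAMPLE_OBO_TOKEN), ("app-only", SAMPLE_APP_TOKEN)):
        rep = assess_agent_token(tok, {"Mail.Read"})
        print(f"{name}: model={rep.identity_model} acting_as={rep.acting_as}")
        for f in rep.findings:
            print(f"  - {f}")
```

Run against real gateway logs, the same check turns the structural point into a measurable one: every delegated token whose excess set is non-empty is an agent carrying user permissions it could misuse if prompt-injected, which is exactly the exposure a purpose-scoped agent identity is meant to remove.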

Microsoft's Five-Pillar Strategy

01 · Unified Visibility: Security Dashboard for AI, an inventory of all agents, MCP servers and models (✓ Now GA)
02 · Identity-First: Entra Agent ID, agents as first-class non-human identities (⚠ preview only)
03 · SaaS & MCP Governance: Defender for Cloud Apps, covering OAuth governance, shadow AI and MCP tool control
04 · Runtime Protection: Prompt Shields and Defender Predictive Shielding, detecting injection, jailbreaks and active attacks
05 · Detect & Respond: Sentinel + Security Copilot agents, treating AI telemetry as a first-class SOC signal

How to Use This Guide

PAGE 02
How AI agents break traditional security assumptions. Severity-rated risk taxonomy and the full attack surface model.
Risk Framework · Attack Surface
PAGE 03
Every Microsoft security product mapped to the AI stack — updated with RSAC 2026 announcements and current availability status.
Product Reference · RSAC Updated
PAGE 04
The OBO token flow in detail. What Agent ID is vs. what's actually available. What architects should do today.
⚠ Critical Gap · OBO · Agent ID
PAGE 05
MCP architecture, six specific attack vectors, and how Microsoft controls the MCP-to-SaaS boundary — including the new Sentinel MCP Entity Analyzer.
MCP · Tool Poisoning · XPIA
PAGE 06
Four detailed attack chains — DPI, XPIA, data leakage, privilege escalation — with full control mappings and gap assessments.
DPI · XPIA · Data Leakage
PAGE 07
NIST AI RMF and ISO 42001 control mappings — with gap analysis per clause and function.
NIST AI RMF · ISO 42001
PAGE 08
Consolidated gap register with interim mitigations and updated availability matrix reflecting RSAC 2026 GA announcements.
Critical Gaps · RSAC Updated
📌 One-line positioning

Microsoft secures AI by bringing identity-first security, runtime threat protection, and unified visibility to AI workloads, agents, and MCP ecosystems — extending Zero Trust across the full AI lifecycle. The strategy is architecturally sound. The execution is partially complete — agent identity (OBO) and per-agent licensing remain the critical structural gaps.