Updated with RSAC 2026 GA announcements and field research findings. The Classic vs Modern agent distinction, maker credentials, and the AI Agent Inventory setup complexity are newly added gaps based on practitioner research.
Security Dashboard for AI: Now GA. Entra Internet Access Shadow AI Detection and Prompt Injection Protection both GA March 31. Purview DLP for M365 Copilot GA March 31. Entra External MFA GA.
| Gap | Why It Matters | Interim Mitigation | Expected Resolution |
|---|---|---|---|
| Classic Agents — no Entra security product coverage | Most existing Copilot Studio agents in production are Classic Agents (Service Principals). They receive zero Entra Agent ID security product coverage: no ID Protection, no Conditional Access, no lifecycle governance. This gap is invisible from Microsoft's marketing materials. Field research confirms this is the default state of most enterprise Copilot Studio deployments. | Inventory Classic vs Modern agents via AIAgentsInfo KQL; enforce end-user auth per agent via Power Platform admin; restrict org-wide sharing; manually recreate critical agents as Modern Agents | Microsoft migration tool planned — no date confirmed. Manual recreation is the only current path. |
| Maker credentials — agent authenticates as builder, not user | Copilot Studio agents authenticate to connected services as the maker (builder), not the invoking user. Combined with org-wide sharing and no authentication, a single admin-built agent extends admin permissions to every employee. This is structurally more dangerous than OBO in Copilot Studio deployments. | Enforce end-user authentication per agent (Power Platform admin); restrict sharing scope via Managed Environments; PAM hygiene on developers who build agents | Architectural — requires Power Platform admin enforcement. Product default is unlikely to change. |
| OBO — no true per-agent least privilege (non-Copilot Studio agents) | Standard agents inherit invoking user's full token scope. Overprivileged users = overprivileged agents. No changes at RSAC 2026. | PAM hygiene on users; Foundry Guardrails for tool whitelisting; Entra Workload Identity for app-level scoping; Defender Predictive Shielding during active attacks (preview) | Dependent on Entra Agent ID GA — timeline unconfirmed |
| Entra Agent ID — preview only, Modern Agents only | The primary Entra security primitive for agents isn't GA. Even when it is, it will only protect Modern Agents — Classic Agent migration must happen first. Not announced as GA at RSAC 2026. | Entra Workload Identity as stopgap; manual agent inventory; Agent 365 for discovery (GA May 1) | GA timeline not publicly committed; expected H2 2026. Migration tool needed before most orgs can benefit. |
| Per-user licensing mismatch | Agent 365 licenses per user, not per agent. Governance scope doesn't scale with agent proliferation. Not addressed at RSAC 2026. | Architect agent deployments to be user-anchored; track agent count separately | No per-agent tier announced |
| OBO audit trail — user not agent identity | Logs show user UPN (or service), not agent identity. In Copilot Studio with maker credentials, logs may show the service account — making the attacker invisible. Forensic attribution is fundamentally broken until Agent ID GA + Classic migration. | Purview AI Observability (data-access layer); Sentinel correlation; application-layer logging; AIAgentsInfo Advanced Hunting for agent-side context | Improves with Agent ID GA and Classic→Modern migration |
| Gap | Interim Mitigation |
|---|---|
| AI Agent Inventory — complex setup requiring two admins. Setup requires collaboration between a Defender admin (enable 3 preview features) AND a Power Platform admin (enable a separate threat detection toggle). Takes up to 30 min for connection, longer for data population. Not self-service. | Assign a joint Defender + Power Platform admin workstream for onboarding. Verify via AIAgentsInfo KQL after setup. Plan for a 30-minute minimum delay on initial data. |
| Agent name sync bug — Copilot Studio rename not reflected in Entra Agent ID. Agents renamed in Copilot Studio keep their original "Agent #" name in Entra. Makes per-agent CA policy management nearly impossible at scale. | Use the Agent ID object ID (not the name) as the primary key for agent identification. Cross-reference via PowerShell script against the Power Platform Admin Environment URL. Monitor for a Microsoft fix — no timeline confirmed. |
| No MCP server authentication standard — MCP spec doesn't mandate cryptographic server binding | Defender for Cloud Apps MCP server registry + anomaly detection; network segmentation; Foundry Guardrails tool whitelist (Foundry agents only); Sentinel MCP Entity Analyzer (GA April) for investigation |
| Foundry Guardrails in preview, Foundry agents only — no equivalent control for Copilot Studio agents | Power Platform admin controls for Copilot Studio agents (authentication enforcement, sharing limits); Defender for Cloud Apps for API-layer controls |
| Defender for Cloud Apps RT protection — 1-second timeout. If the Defender system doesn't return a block decision within 1 second, the agent proceeds to execute the tool anyway. Fast tool calls may bypass protection. | Ensure network latency between the Copilot Studio environment and Defender is minimised. Treat as a detection tool, not a guaranteed prevention control. |
| ZT Assessment AI pillar not until summer 2026 | Use existing ZT Workshop assessment for Identity/Data/Network pillars; manually assess against ZT for AI reference architecture (published March 2026) |
| No platform-level agent kill switch | Entra CA for Modern Agents; Power Platform admin can disable Classic agents; Defender Predictive Shielding (preview) limits blast radius during active attacks; requires pre-planned runbook |
| Cross-user context contamination in shared agents | Architecture control: enforce session isolation in agent design; no native Microsoft platform control |
| Org-wide sharing default enables blast radius | Power Platform Managed Environments: set sharing limits; require end-user auth; AIAgentsInfo KQL to detect widely-shared no-auth agents |
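The 1-second timeout row above describes a fail-open gate: when no block verdict arrives in time, the tool call runs. The following is an added illustration (not Microsoft code and not part of the original page) that models that behaviour next to a fail-closed wrapper a defender can put around a tool call. `slow_policy_engine`, `gate_tool_call` and `decision_missed` are constructed stand-ins; the delay values simulate latency and nothing here calls a real Defender API.

```python
"""Fail-open vs fail-closed gating of an agent tool call.

Constructed example. `slow_policy_engine` stands in for a remote block/allow
decision (no Microsoft API is called); `delay_s` simulates the latency between
the agent environment and the decision point.
"""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

DECISION_DEADLINE_S = 1.0  # the 1-second budget described in the gap table


def slow_policy_engine(tool_call, delay_s):
    """Stand-in policy decision: returns True when the call should be BLOCKED."""
    time.sleep(delay_s)
    return bool(tool_call.get("risky"))


def gate_tool_call(tool_call, decide, fail_closed, deadline_s=DECISION_DEADLINE_S):
    """Ask `decide(tool_call)` for a verdict, waiting at most deadline_s.

    Returns an audit record. On timeout the call proceeds only when
    fail_closed is False (the fail-open behaviour described above).
    """
    pool = ThreadPoolExecutor(max_workers=1)
    started = time.monotonic()
    future = pool.submit(decide, tool_call)
    try:
        block = future.result(timeout=deadline_s)
        outcome = "blocked" if block else "allowed"
        executed = not block
    except FutureTimeout:
        outcome = "no_decision"  # the events a SOC should review after the fact
        executed = not fail_closed
    finally:
        pool.shutdown(wait=False)  # do not wait for the late verdict
    return {
        "tool": tool_call["tool"],
        "outcome": outcome,
        "executed": executed,
        "latency_ms": round((time.monotonic() - started) * 1000),
    }


def decision_missed(records):
    """Gate events that produced no verdict in time. In a fail-open deployment
    these are exactly the calls that ran without a decision, so they belong in
    detection content rather than being treated as prevented."""
    return [r for r in records if r["outcome"] == "no_decision"]


if __name__ == "__main__":
    risky_call = {"tool": "send_email", "risky": True}  # constructed tool call
    fast = lambda c: slow_policy_engine(c, 0.05)  # verdict well inside the budget
    slow = lambda c: slow_policy_engine(c, 1.5)   # verdict arrives too late
    log = []
    for label, decide in (("fast", fast), ("slow", slow)):
        for closed in (False, True):
            rec = gate_tool_call(risky_call, decide, fail_closed=closed)
            log.append(rec)
            print(label, "fail_closed" if closed else "fail_open", rec)
    print("calls that ran with no verdict:", len(decision_missed(log)))
```

Run stand-alone it shows the same risky call being blocked when the verdict is fast and executing under fail-open when the verdict is slow; the fail-closed variant trades availability for the guarantee, which is the design choice the mitigation column leaves to the deployment.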
These queries require the AI Agent Inventory to be enabled in Defender for Cloud Apps (requires Defender admin + Power Platform admin collaboration).
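Several mitigations in the tables above reduce to the same inventory triage: separate Classic from Modern agents, flag org-wide-shared agents with no end-user authentication (worse when the maker is privileged), and reconcile Copilot Studio names with Entra Agent ID records by object ID rather than display name. The block below is an added example of that logic, not the page's own KQL or PowerShell and not a Microsoft tool. The two record lists are constructed, and their field names (`agent_type`, `end_user_auth`, `sharing`, `maker_privileged`) are assumptions, not the AIAgentsInfo schema or any Power Platform export format.

```python
"""Triage of an AI-agent inventory export.

Constructed example: the field names below are assumptions, not the
AIAgentsInfo schema. Every join is keyed on the object ID, never the
display name, because renamed agents keep their old name in Entra.
"""
from collections import Counter

# Constructed Copilot Studio / Power Platform side of the inventory.
COPILOT_STUDIO_EXPORT = [
    {"id": "a1", "display_name": "HR Helper", "agent_type": "Classic",
     "end_user_auth": False, "sharing": "org-wide", "maker_privileged": True},
    {"id": "a2", "display_name": "Expense Bot", "agent_type": "Modern",
     "end_user_auth": True, "sharing": "individuals", "maker_privileged": False},
    {"id": "a3", "display_name": "Contracts Q&A", "agent_type": "Modern",
     "end_user_auth": False, "sharing": "org-wide", "maker_privileged": False},
    {"id": "a4", "display_name": "IT Triage", "agent_type": "Classic",
     "end_user_auth": True, "sharing": "individuals", "maker_privileged": False},
]

# Constructed Entra Agent ID side. Only Modern agents appear here, and the
# renamed agent a3 still carries its original placeholder name.
ENTRA_AGENT_ID_EXPORT = [
    {"id": "a2", "display_name": "Expense Bot"},
    {"id": "a3", "display_name": "Agent #7"},
]


def triage(studio_records, entra_records):
    """Return (object_id, finding_code) pairs for the gaps described in the tables."""
    entra_by_id = {r["id"]: r for r in entra_records}
    findings = []
    for agent in studio_records:
        oid = agent["id"]
        entra = entra_by_id.get(oid)
        if agent["agent_type"] == "Classic":
            # Service-principal agents: no Agent ID, ID Protection or CA coverage.
            findings.append((oid, "CLASSIC_NO_ENTRA_COVERAGE"))
        elif entra is None:
            findings.append((oid, "MODERN_MISSING_IN_ENTRA"))
        elif entra["display_name"] != agent["display_name"]:
            # Name-sync bug: match on ID, then report the stale Entra name.
            findings.append((oid, "NAME_SYNC_MISMATCH"))
        if agent["sharing"] == "org-wide" and not agent["end_user_auth"]:
            # Maker-credential exposure: every employee acts with the maker's access.
            findings.append((oid, "ORG_WIDE_NO_AUTH"))
            if agent["maker_privileged"]:
                findings.append((oid, "PRIVILEGED_MAKER_EXPOSED"))
    return findings


def summarize(findings):
    """Count findings per code for a quick risk picture of the estate."""
    return dict(Counter(code for _, code in findings))


def ca_policy_targets(studio_records, entra_records):
    """Object IDs to use when targeting Conditional Access at Modern agents."""
    entra_ids = {r["id"] for r in entra_records}
    return sorted(a["id"] for a in studio_records
                  if a["agent_type"] == "Modern" and a["id"] in entra_ids)


if __name__ == "__main__":
    result = triage(COPILOT_STUDIO_EXPORT, ENTRA_AGENT_ID_EXPORT)
    for oid, code in result:
        print(f"{oid}: {code}")
    print(summarize(result))
    print("CA targets by object ID:", ca_policy_targets(COPILOT_STUDIO_EXPORT, ENTRA_AGENT_ID_EXPORT))
```

The ordering of checks matters: a Classic agent is reported as uncovered regardless of its Entra state, and the org-wide/no-auth check runs for both agent types because enforcing end-user authentication is a Power Platform control that applies to either.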
Production-ready GA controls: Prompt Shields, Azure AI Content Safety, Defender for Cloud Apps (OAuth + SaaS governance + Copilot Studio RT protection), Purview Information Protection, Sentinel, Entra Conditional Access, Security Dashboard for AI (now GA), Entra Internet Access Shadow AI and Prompt Injection Protection (GA March 31), Purview DLP for Copilot (GA March 31), Power Platform Managed Environments (sharing limits + auth enforcement). A well-architected deployment combining these controls with Modern Agent migration provides meaningful defence in depth — but the Classic Agent estate must be addressed first.
| Control | Product | Status | Applies To | Key Caveat |
|---|---|---|---|---|
| Agent 365 Control Plane | Agent 365 | GA May 1 | All agents | Per-user, not per-agent licensing |
| Security Dashboard for AI | Defender/Entra/Purview | ✓ Now GA | All agents + third-party AI | Previously preview |
| AI Agent Inventory (Defender) | Defender for Cloud Apps | Preview | Copilot Studio agents only | Requires Defender admin + Power Platform admin collaboration; complex setup; 30min+ data delay |
| Entra Agent ID | Entra | Preview · Frontier only | Modern Agents only | Classic Agents require migration first; OBO still underlying |
| ID Protection for Agents | Entra | Preview | Modern Agents only | Classic Agents not covered |
| Conditional Access for Agents | Entra | GA | Modern Agents only | Classic Agents cannot be targeted; name sync bug complicates policy management |
| Entra Workload Identity | Entra | GA | App-level (not per-agent) | Stopgap — not purpose-scoped for agent-instances |
| Entra External MFA | Entra | ✓ Now GA | All users + agents | New at RSAC 2026 |
| Entra Backup and Recovery | Entra | Preview · RSAC 2026 | Entra directory objects | New capability |
| Entra Tenant Governance | Entra | Preview · RSAC 2026 | Multi-tenant | Shadow tenant discovery |
| Entra Internet Access — Shadow AI | Entra Suite | GA March 31 | Network-wide | — |
| Entra Internet Access — Prompt Injection | Entra Suite | GA March 31 | Network-wide | Complements Prompt Shields; not a replacement |
| Power Platform Managed Environments | Power Platform | GA | Copilot Studio agents | Primary control for maker creds + org-wide sharing risk |
| Prompt Shields | Azure AI / Foundry | GA | Foundry agents, SDK | Must be explicitly enabled per agent; not auto-applied |
| Azure AI Content Safety | Azure AI | GA | Model boundary | Separate from Prompt Shields |
| Defender for Cloud Apps RT Protection | Defender for Cloud Apps | Preview | Copilot Studio agents only | 1-second timeout — fast tool calls may bypass; complex setup |
| Defender Predictive Shielding | Defender | Preview · RSAC 2026 | All identities | Reactive during active attacks |
| Foundry Guardrails | Azure AI Foundry | Preview | Foundry agents only | No equivalent for Copilot Studio agents |
| Defender for Cloud Apps (CASB) | Defender | GA | All MCP-SaaS connections | Primary MCP boundary control |
| Microsoft Sentinel | Sentinel | GA | All | MCP Entity Analyzer GA April; Data Federation preview |
| Purview DSPM for AI | Purview | Preview | AI workloads | — |
| Purview DLP for M365 Copilot | Purview | GA March 31 | M365 Copilot prompts | New at RSAC 2026 |
| Purview Information Protection | Purview | GA | All AI workflows | — |
| Security Copilot | Security Copilot | GA · Included E5 + E7 | SOC workflows | 400 SCU/1K users/mo (E5); 15+ partner agents |
| Security Analyst Agent | Defender / Security Copilot | Preview March 26 | Defender investigations | New at RSAC 2026 |
| Security Alert Triage Agent | Defender / Security Copilot | Preview April | Cloud + identity alerts | New at RSAC 2026 |