A structured approach to securing agentic AI across the enterprise, from initial visibility through to sustained governance. Each phase has prerequisites, produces evidence the next phase consumes, and maps to controls available in your existing Microsoft 365 E5 and Sentinel investment.
Framework: aiagentsecurity.guide · Aligned to Microsoft RSAC 2026 announcements and Agent 365 GA
Before kicking off Phase 1, an organisational-level readiness check frames the technical work within the strategic AI roadmap. The output is not a control deployment; it's a documented baseline of attack surface, ungoverned legacy estate (Classic agents, shadow AI tools, unmanaged OAuth grants), and the gap between current AI adoption and current AI governance. This is what turns Phase 1 from "run some KQL queries" into "we know how big the problem is before we measure it."
Attack surface inventory (shadow AI tools, unsanctioned LLMs, ungoverned plugins); legacy estate scale (Classic agent count, ownerless agents, no-auth agents); governance maturity gap (what's deployed today vs the six phases); commercial path (which Agent 365 capabilities are needed and at what population size). This becomes the brief for Phase 1.
Each phase has prerequisites and produces evidence the next phase consumes. Run them in order; skipping ahead leaves controls without the visibility they depend on. Each phase maps to capabilities available in your existing Microsoft 365 E5 and Microsoft Sentinel footprint, with Agent 365 add-ons clearly marked where required.
| Phase | What you do | Key prerequisites | Phase output (input to next phase) |
|---|---|---|---|
| 01 – Discover & Inventory | Set up Security Dashboard for AI. Enable AI Agent Inventory (Defender + Power Platform integration). Run full AIAgentsInfo KQL inventory. Identify no-auth and maker-credential agents. Apply H/M/L risk tier classification. Discover shadow AI via Cloud App Catalog. | M365 E5; Defender + Power Platform admin access | Tiered agent register · no-auth agent list · shadow AI baseline |
| 02 – Identity & Governance | Part A (Classic): Enable Managed Environments. Enforce end-user authentication. Set sharing limits. Define Owner / Sponsor / Approver model. Deploy Power Platform DLP. Part B (Modern): Apply Conditional Access policies. Deploy ID Protection. Configure Access Packages. | Phase 1 inventory complete · Agent 365 licence (Modern controls only) | Governed maker estate · CA-protected Modern agents · auth-type baseline |
| 03 – Data Security | Run DSPM oversharing assessment. Configure regulated SITs. Enable sensitivity label inheritance. Deploy Purview DLP for Copilot. Apply retention to agent-generated content. Address EU Data Boundary via model inventory KQL. Apply SAM RCD as interim site exclusion. Deploy browser DLP for public LLMs. | Phase 2 governance baseline · Purview E5 | Oversharing remediated · DLP active · label coverage measured |
| 04 – Runtime Protection | Enable Defender real-time protection for Copilot Studio (three layers). Configure Entra Internet Access prompt-injection protection. Deploy Prompt Shields. Run pre-deployment red teaming with PyRIT (or Foundry Red Teaming Agent for Foundry agents). LLM + Agent red team for High-tier agents. | Phase 1 setup · Agent 365 licence from July 1, 2026 (network controls) | Runtime blocking active · red team findings register |
| 05 – Monitoring & Detection | Bookmark Security Dashboard for AI. Deploy Microsoft Copilot Sentinel solution (6 analytic rules + workbook). Enable auth-type downgrade Analytics Rule. Hunting queries for sensitive label access, out-of-EUDB models, ownerless agents. Configure ITDR for agent identities. | CopilotActivity table ingested · Sentinel workspace | SOC alerting live · weekly KPI tracking · incident workflow |
| 06 – Compliance & Governance | Run AI Baseline in Purview Compliance Manager (establish score). Map estate to EU AI Act, NIST AI RMF, ISO 42001. Stand up AI Governance Operating Model (Working Group, Lifecycle Board, quarterly sweep, annual review). Board-level quarterly reporting pack. Vet third-party agents pre-publish. | Phases 1–5 generating evidence · governance forum approvals | Compliance score baseline · sustained operating model |
Phase 1 produces the agent inventory that Phase 2 governance applies to. Phase 2 produces the governed maker estate that Phase 3 DLP attaches to. Phase 5 monitoring depends on Phases 1, 3, and 4 having generated the underlying telemetry. Phase 6 compliance evidence comes from controls deployed in Phases 1–5. Running phases in parallel is possible; running them out of order is not.
The trend matters more than the absolute number. These four metrics give a defensible weekly view that maps directly to controls deployed across the six phases.
| KPI | Source | Definition | Target trend |
|---|---|---|---|
| Risky agents | AIAgentsInfo | Count of published agents where UserAuthenticationType == "None" | Decreasing to zero |
| Sensitive access events | Purview Activity Explorer | AI interactions where a sensitivity label of Confidential or above was cited | Stable; a rising trend indicates label enforcement gaps |
| DLP policy hits | Purview DLP (Copilot location) | Count of blocked or warned responses from DLP policy evaluation | Stable after initial tuning spike |
| Blocked tool actions | Defender Incidents (Category: AI, Status: Blocked) | Tool invocations blocked by Defender real-time protection (ATG) | Increasing initially (policy working), then stable |
For the source queries and SOC workflow integration, see Playbooks – Four AI Security KPIs.
AI agent risk should be reported alongside conventional cyber risk metrics, not as a separate workstream. The pack below uses outputs from the six phases and the four weekly KPIs, rolled up to a quarterly view suitable for senior leadership.
| Section | What to include | Source |
|---|---|---|
| Agent estate summary | Total agents, Classic vs Modern split, risk tier distribution (H/M/L), quarter-over-quarter trend | Phase 1 inventory · AIAgentsInfo |
| No-auth agent count trend | Quarterly trajectory; should be decreasing toward zero. Flag any quarter where it rises. | Phase 1 KQL · Weekly KPI #1 |
| Sentinel alert volume by category | Jailbreak attempts, auth-type changes, anomalous tool calls, external IP access, plugin tampering | Phase 5 Content Hub analytic rules |
| DLP hits | Volume and category, split by Copilot location and browser extension | Phase 3 · Weekly KPI #3 |
| Compliance score trend | Purview Compliance Manager AI Baseline score over time, against EU AI Act, NIST AI RMF, ISO 42001 templates | Phase 6 · AI Baseline assessment |
| Red team findings | Critical findings from PyRIT runs and structured red-team engagements during the quarter, status of remediation | Phase 4 · Red team cycle |
| Agent 365 licence compliance | Are all users of premium capabilities licensed? Where are the gaps? | Phase 6 · Procurement |
One page or one slide per section is enough; the board is reviewing trends, not drilling into individual agents. The detail lives in the working group and lifecycle board reviews. Consider pairing this with a red/amber/green status indicator per section so the trajectory is readable at a glance.
The six-phase framework synthesises the Agentic AI Security Framework with Microsoft's RSAC 2026 announcements (Vasu Jakkal, Secure agentic AI end-to-end, March 2026), the Agent 365 GA capabilities, the Zero Trust for AI reference architecture, and field-validated patterns from the Microsoft Security MVP community. Phase ordering is informed by real-world implementation experience across enterprise tenants, not a theoretical sequence.
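One way to turn quarterly inventory snapshots into the pack's "Agent estate summary" row, weekly KPI #1 (risky agents) and the red/amber/green indicator for the no-auth trend, as an added example rather than the framework's own tooling: the field names, the "Integrated" auth value and the sample snapshots are constructed assumptions, and only the AIAgentsInfo table and UserAuthenticationType == "None" come from the page.

```python
from collections import Counter, namedtuple

# Added example, not from the framework page. Field names and the "Integrated" auth
# value are constructed; the page fixes only AIAgentsInfo and UserAuthenticationType.
Agent = namedtuple("Agent", "name generation tier auth published")

# Constructed quarterly snapshots of the tenant's agent inventory.
INVENTORY = {
    "2026-Q1": [Agent("hr-faq", "Classic", "M", "None", True),
                Agent("it-helpdesk", "Classic", "H", "None", True),
                Agent("expense-bot", "Modern", "H", "Integrated", True),
                Agent("draft-tool", "Classic", "L", "None", False)],
    "2026-Q2": [Agent("hr-faq", "Classic", "M", "Integrated", True),
                Agent("it-helpdesk", "Classic", "H", "None", True),
                Agent("expense-bot", "Modern", "H", "Integrated", True)],
    "2026-Q3": [Agent("hr-faq", "Classic", "M", "Integrated", True),
                Agent("it-helpdesk", "Classic", "H", "None", True),
                Agent("expense-bot", "Modern", "H", "Integrated", True),
                Agent("vendor-lookup", "Classic", "M", "None", True)],
}

def risky_agents(snapshot):
    """Weekly KPI #1: published agents with auth "None"; unpublished drafts are excluded."""
    return sum(1 for a in snapshot if a.published and a.auth == "None")

def estate_summary(snapshot):
    """Board pack section 1: total, Classic vs Modern split, H/M/L tier distribution."""
    generation = Counter(a.generation for a in snapshot)
    return {"total": len(snapshot), "classic": generation["Classic"],
            "modern": generation["Modern"], "tiers": dict(Counter(a.tier for a in snapshot)),
            "risky": risky_agents(snapshot)}

def rag_status(previous, current):
    """No-auth trend: any rise is RED, flat and non-zero is AMBER, falling or zero is GREEN."""
    if current > previous:
        return "RED"
    if current == 0 or current < previous:
        return "GREEN"
    return "AMBER"

def board_pack(inventory):
    """One row per quarter; the RAG status compares against the previous quarter."""
    rows, previous = [], None
    for quarter in sorted(inventory):
        row = estate_summary(inventory[quarter])
        row["quarter"] = quarter
        row["rag"] = "N/A" if previous is None else rag_status(previous, row["risky"])
        rows.append(row)
        previous = row["risky"]
    return rows
```

With the constructed data, Q2 shows GREEN (two no-auth agents down to one) and Q3 flags RED because a newly published Classic agent without authentication pushed the count back up.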