Microsoft launches Zero Trust for AI: a security framework built for the age of autonomous agents
Microsoft has released Zero Trust for AI — new tools, architecture, and guidance for securing AI systems across the full lifecycle, from data to agents.
Microsoft announced Zero Trust for AI (ZT4AI) on March 19, 2026, timed to coincide with the RSAC 2026 Conference. The release extends Microsoft’s existing Zero Trust framework to cover AI systems specifically, addressing a gap that has been growing quietly as organisations deploy autonomous agents, integrate large language models into their workflows, and build AI into core business processes.
This is not a white paper or a roadmap slide. It ships with concrete, usable tools today.
What has actually been released
Four things dropped alongside the announcement:
1. A new AI pillar in the Zero Trust Workshop. The Workshop now covers 700 security controls across 116 logical groups and 33 functional swim lanes. The new AI pillar specifically evaluates how organisations secure AI access and agent identities, protect sensitive data flowing into and out of AI systems, monitor AI usage and behaviour across the enterprise, and govern AI in line with risk and compliance requirements. It is scenario-based and designed to move teams from assessment to action quickly.
2. Updated Data and Networking pillars in the Zero Trust Assessment tool. The Assessment tool has been refreshed with clearer insights, simplified views that surface strengths, gaps, and next steps, and better alignment between assessment findings and the Workshop guidance. This means what you discover in an assessment maps directly to what you can act on in the Workshop.
3. A new Zero Trust reference architecture for AI. This gives security, IT, and engineering teams a shared model for understanding where controls apply, how trust boundaries shift when AI is involved, and how policy-driven access, continuous verification, monitoring, and governance work together across the full AI lifecycle.
4. Patterns and practices for AI security. These are repeatable, prescriptive approaches to the most complex AI security challenges — similar in spirit to software design patterns, but applied to securing AI workloads at scale.
One thing to note on timing: a Zero Trust Assessment pillar specifically for AI is still in development and is expected in summer 2026.
Why this is needed now
AI agents are genuinely different from traditional software. A conventional application does what it is coded to do. An agent reasons, takes actions, uses tools, and makes decisions, often without a human reviewing each step. That introduces a category of risk that existing security frameworks were not built to handle cleanly.
Research from Microsoft shows 80% of Fortune 500 companies are already using agents. The speed of adoption is outpacing the security thinking around it. Microsoft’s framing here is pointed: an overprivileged, manipulated, or poorly governed agent can effectively work against the outcomes it was built to support. The phrase they use is “double agents,” and while it is a bit theatrical, the underlying risk is real.
Zero Trust has always rested on three principles: verify explicitly, use least privilege, and assume breach. Those principles do not change for AI, but applying them requires thinking about new things: the identity of an agent, the data it can access, the actions it is permitted to take, and how you detect when something has gone wrong.
What this means for your organisation
The most practical thing here is structure. The most common problem security leaders report is not a shortage of information about what to do — it is a shortage of clear, structured paths from knowing to doing. The ZT4AI tools are built around that problem specifically.
A few things worth highlighting for different roles:
If you are a security or compliance leader, the reference architecture gives you a defensible model for explaining AI governance to boards and auditors. It aligns with the NIST AI Risk Management Framework and MITRE ATLAS, so it connects to recognised standards rather than existing as a Microsoft-only construct.
If you are an IT or infrastructure team, the updated Workshop and Assessment tools give you a working checklist. The fact that assessment insights now map directly to Workshop guidance and deployment paths means less manual translation between “what we found” and “what we do next.”
If you are building on AI, the patterns and practices give you reusable approaches to common security problems in AI workloads — how to scope agent permissions, how to handle data classification for training data, how to apply runtime controls to AI-enabled infrastructure.
The ZT4AI tools are available for self-service use, through a partner, or directly with Microsoft.
The identity piece deserves specific attention
One of the more interesting technical details is Microsoft Entra Agent ID. Each AI agent gets its own identity in Entra, which improves visibility and auditability. Critically, a human sponsor is required to govern each agent’s identity and lifecycle. This prevents orphaned agents — agents that continue operating after a project ends, a team changes, or a deployment is forgotten. Orphaned agents with persistent permissions are a straightforward attack surface, and requiring a human accountable for each agent’s existence is a sensible control.
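The sponsor requirement described above can be audited as a periodic check. The following is an added example, not Microsoft's code or an Entra API: it runs over a constructed agent inventory whose field names (`sponsor`, `project_end`, `permissions`) are hypothetical, and flags agents with no accountable human, listing those that still hold permissions first.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not an Entra export schema.
SPONSORS = {
    "alice@example.com": {"active": True},
    "bob@example.com": {"active": False},   # sponsor has left the organisation
}
AGENTS = [
    {"id": "agent-invoice", "sponsor": "alice@example.com",
     "project_end": None, "permissions": ["Invoices.Read"]},
    {"id": "agent-hr-pilot", "sponsor": "bob@example.com",
     "project_end": None, "permissions": ["HR.Read", "Mail.Send"]},
    {"id": "agent-migration", "sponsor": "alice@example.com",
     "project_end": date(2025, 12, 31), "permissions": ["Files.ReadWrite"]},
    {"id": "agent-demo", "sponsor": None,
     "project_end": None, "permissions": []},
]

def orphan_reasons(agent, sponsors, today):
    """Return the reasons an agent lacks an accountable human, or []."""
    reasons = []
    sponsor = agent.get("sponsor")
    if not sponsor:
        reasons.append("no sponsor assigned")
    elif sponsor not in sponsors:
        reasons.append("sponsor not found in directory")
    elif not sponsors[sponsor]["active"]:
        reasons.append("sponsor account inactive")
    end = agent.get("project_end")
    if end is not None and end < today:
        reasons.append("project ended " + end.isoformat())
    return reasons

def audit(agents, sponsors, today):
    """List orphaned agents, those still holding permissions first."""
    findings = []
    for agent in agents:
        reasons = orphan_reasons(agent, sponsors, today)
        if reasons:
            findings.append({"id": agent["id"], "reasons": reasons,
                             "permissions": list(agent["permissions"])})
    # Orphans with standing permissions are the exposure the text describes.
    findings.sort(key=lambda f: (-len(f["permissions"]), f["id"]))
    return findings

if __name__ == "__main__":
    for f in audit(AGENTS, SPONSORS, date(2026, 3, 19)):
        print(f["id"], f["reasons"], f["permissions"])
```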
The broader picture
ZT4AI does not sit in isolation. Microsoft 365 E7, which becomes generally available on May 1, 2026, is built specifically to bundle AI capabilities with the security controls needed to govern them. It includes Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Entra, Intune, and Purview capabilities, at a retail price of $99 per user per month.
Shadow AI Detection via Entra Internet Access is also generally available as of March 31, 2026. It identifies unknown AI applications at the network layer, covering the practical reality that employees are using AI tools that the security team has not approved and may not know about.
The ZT4AI framework, the updated Workshop and Assessment tools, and the reference architecture are available now. If your organisation is deploying agents or building on AI in any meaningful way, this is a reasonable place to start a structured security review.