Microsoft's RSAC 2026 Security Announcements: Agent 365, Zero Trust for AI, and What It All Means
Microsoft announced Agent 365, ZT4AI, and a sweeping set of security updates at RSAC 2026 to help enterprises secure the rise of agentic AI.
Microsoft used RSAC 2026 to lay out what is arguably its most comprehensive security vision in years. The announcement, published by Corporate VP of Security Vasu Jakkal, covers a new product, a new framework, and a significant set of updates across Defender, Entra, Purview, and Sentinel. The thread running through all of it: as AI agents become part of everyday enterprise workflows, the security stack needs to treat them as first-class participants, not afterthoughts.
Here is what was announced and what it means in practice.
Agent 365: A Control Plane for AI Agents
The headline product is Agent 365, generally available from 1 May 2026 at $15 per user per month. The pitch is straightforward: as organisations deploy more AI agents, they quickly lose track of what those agents are doing, what data they can access, and whether they are behaving as intended. Agent 365 is designed to solve that visibility problem.
It includes an Agent Registry, surfaced in the Microsoft 365 Admin Center, that gives you an inventory of every agent in your environment, whether built on Microsoft Foundry, Copilot Studio, or third-party platforms registered via API. Security teams see the same inventory inside their existing Defender and Purview workflows, so there is no separate console to manage.
On top of visibility, it brings Defender protections built specifically for AI threats, including prompt manipulation, model tampering, and agent-based attack chains. It also includes security posture management for agents, runtime threat protection, and integration with Purview for data governance.
If you are already deploying Copilot agents or planning to, this is the product Microsoft wants you to use to keep those deployments governed and observable.
Microsoft 365 E7: The New Flagship Bundle
Also launching 1 May is Microsoft 365 E7, priced at $99 per user per month. It bundles Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Intune, and Purview capabilities.
For organisations already at E5 who are also paying for Copilot licences separately, E7 will be worth a close look at renewal time. It is essentially Microsoft consolidating its AI and security premium tiers into a single SKU.
Zero Trust for AI: Extending a Familiar Framework
Microsoft has published a formal Zero Trust for AI (ZT4AI) framework, extending the three core Zero Trust principles to AI systems specifically:
- Verify explicitly: Continuously evaluate the identity and behaviour of AI agents, workloads, and users.
- Apply least privilege: Restrict access to models, prompts, plugins, and data sources to only what is needed.
- Assume breach: Design AI systems to be resilient to prompt injection, data poisoning, and lateral movement.
Alongside the framework, Microsoft has released a new AI pillar in the Zero Trust Workshop, updated Data and Networking pillars in the Zero Trust Assessment tool, and a new Zero Trust reference architecture for AI. A Zero Trust Assessment for AI pillar is due in summer 2026.
For security teams, this gives a structured way to assess and communicate AI security posture, which has been a real gap. The reference architecture in particular is useful if you are trying to explain AI risk to a board or build a roadmap.
Identity for Agents: Entra Agent ID
One of the more technically interesting pieces is Microsoft Entra Agent ID. Every AI agent built with Microsoft Foundry, Copilot Studio, or Agent 365 ecosystem partners gets a unique identity, and that identity flows into standard Entra governance workflows.
This matters because agents accessing resources without proper identity controls represent a meaningful risk. If an agent can read your SharePoint, send emails, or query your CRM, you need to know which agent did what, under whose authority, and whether that access was appropriate. Entra Agent ID is how Microsoft intends to make that traceable.
New Conditional Access Agent capabilities also land here, including context-aware recommendations, continuous gap analysis, and automated least-privilege enforcement. These build on existing Conditional Access infrastructure rather than adding a new layer.
Prompt Injection Protection and Shadow AI
Two capabilities that address more immediate, practical risks:
Entra Internet Access prompt injection protection is generally available from 31 March. It enforces network-level policies to block malicious prompts across apps and agents before they reach a model. This is a meaningful control, given that prompt injection is currently one of the more reliable ways to manipulate AI agent behaviour.
Shadow AI detection in Microsoft Defender for Cloud Apps is also now generally available. This is the AI equivalent of shadow IT: employees using consumer GenAI tools, uploading sensitive documents, and potentially feeding proprietary data into models that retain it for training. The detection capability helps security teams see where this is happening. Purview can then enforce policies to block sensitive data, such as personal information or financial data, from being submitted in AI prompts.
Sentinel Becomes an Agentic Defense Platform
Microsoft Sentinel is getting a significant upgrade. Microsoft is repositioning it as an “agentic defense platform,” with new capabilities including data federation powered by Microsoft Fabric (so you can analyse data where it lives rather than copying it), a natural language playbook generator, and granular RBAC to help scale SOC operations across teams.
New security agents are also rolling out inside Defender: a Security Analyst Agent in preview from 26 March, and a Security Alert Triage Agent extending automated analysis from phishing into cloud and identity alerts, in preview from April. The intent is to reduce the manual triage burden on SOC analysts.
Container and Cloud Security
On the infrastructure side, Defender for Cloud is adding binary drift detection and antimalware prevention for containerised environments. These close specific gaps that attackers exploit when containers deviate from their expected state at runtime.
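The drift idea described above, as an added example that is not part of the original article and is not Defender for Cloud's implementation: it compares the binaries a container executes against a manifest recorded from the image at build time. The manifest layout, the event format, and every value below are constructed for illustration.

```python
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 hex digest, standing in for a hash of the file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: executable path -> digest recorded from the image layers.
IMAGE_BASELINE = {
    "/app/server": digest(b"server-v1"),
    "/usr/bin/python3": digest(b"python3-build"),
}

# Constructed runtime exec events, as a node sensor might report them (assumed format).
EXEC_EVENTS = [
    {"container": "web-1", "path": "/app/server", "digest": digest(b"server-v1")},
    {"container": "web-1", "path": "/tmp/helper", "digest": digest(b"dropped")},
    {"container": "web-1", "path": "/tmp/helper", "digest": digest(b"dropped")},
    {"container": "web-1", "path": "/usr/bin/python3", "digest": digest(b"python3-patched")},
    {"container": "web-2", "path": "/app/server", "digest": None},  # file gone before hashing
]


def find_drift(baseline, events):
    """Return (container, path, reason) for each executed binary that deviates from the image."""
    findings, seen = [], set()
    for ev in events:
        expected = baseline.get(ev["path"])
        if expected is None:
            reason = "not_in_image"          # binary was added after the image was built
        elif ev["digest"] is None:
            reason = "digest_unavailable"    # cannot confirm it still matches the image
        elif ev["digest"] != expected:
            reason = "modified_since_build"  # same path, different contents
        else:
            continue                         # matches the image: no drift
        key = (ev["container"], ev["path"], reason)
        if key not in seen:                  # report each deviation once
            seen.add(key)
            findings.append(key)
    return findings


if __name__ == "__main__":
    for container, path, reason in find_drift(IMAGE_BASELINE, EXEC_EVENTS):
        print(f"{container}: {path} -> {reason}")
```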
Posture management coverage is also expanding for AWS and GCP, in preview from April. If you run a multi-cloud environment, this is worth watching.
The Bigger Picture
What Microsoft is articulating here is that the security perimeter for AI is not the application layer. It spans identity, data, network, infrastructure, and agent behaviour simultaneously. The announcements at RSAC 2026 are an attempt to address all of those layers through products and frameworks that connect to each other, rather than a collection of point solutions.
The practical starting point for most organisations is visibility. If you do not know what agents you have, what they can access, and how they behave, the rest of the security architecture is hard to build. Agent 365 and the Agent Registry are where Microsoft is suggesting you begin.
The ZT4AI framework and reference architecture are free to use and a sensible starting point for any organisation trying to build a defensible AI security posture, regardless of how much of the Microsoft stack you use.