Microsoft used Build 2026 to make a quiet but consequential bet, treating the hard part of enterprise AI as everything around the model that decides whether a company can safely let software act on its own. So the company shipped the Agent 365 SDK into general availability and wrapped it in identity, policy and data controls that fire while an agent is being built rather than after it misbehaves in production.

I keep coming back to what that choice signals. For two years the AI conversation rewarded raw capability, with vendors competing on benchmark scores and context windows. Microsoft is now telling its largest customers that capability is table stakes and that the thing standing between a pilot and a deployment is control. That reframing matters to any executive who has watched an agent project stall in legal review.

What Microsoft Actually Shipped

The Agent 365 SDK lets developers fold observability, access controls and compliance enforcement into how an agent is designed, and Microsoft says agents built this way work across any AI platform rather than only its own. Sitting alongside it is an Agent 365 Agent Registry that uses Microsoft Defender, Entra and Intune together to surface unmanaged local agents an organization did not know were running. Microsoft says the registry recognizes more than 20 kinds of local agents, including coding agents and Model Context Protocol servers, which is the sprawl most security teams cannot currently see.

On the code side, the integration between Microsoft Defender and GitHub Code Security is now generally available. It enriches a discovered vulnerability with production signals such as internet exposure and data sensitivity, then routes an AI generated fix through GitHub Copilot for a developer to validate. Behind that sits a research effort Microsoft calls MDASH, an agentic scanning system that orchestrates more than 100 specialized agents across a panel of models. Microsoft reports that it reached a CyberGym benchmark score of 96.55%, up roughly 10 points in under three weeks, though that system remains in expanded preview rather than general release.

There is more in the runtime layer. A Microsoft Execution Container SDK gives Windows operating system level control over what an agent can do, and Windows 365 for Agents, now generally available, runs an agent inside an isolated and policy governed Cloud PC. Microsoft Purview adds runtime data loss prevention for agent prompts, in preview, so sensitive data is caught before it ever reaches a model.

The Industry Is Converging On The Same Idea

Microsoft is not first to this position, which is part of why the move reads as a market signal rather than a one off. At Google Cloud Next earlier this year, Google built its Gemini Enterprise Agent Platform around a governance stack of Agent Identity, an Agent Gateway and an Agent Registry, assigning each agent a unique cryptographic identity separate from any human user. AWS has taken a faster and lighter path with Bedrock AgentCore, leaning on harnesses to push agents into production quickly while still offering identity and tool management.

The pattern across all three is a control plane for agents that mirrors what Kubernetes became for containers. A wave of specialist vendors including Saviynt, Silverfort and TrueFoundry is selling the same governance layer to companies that want it independent of any single cloud, which tells you how real the demand is. Microsoft's distinct advantage is that Entra, Intune, Defender and Purview already run inside most large enterprises, so agent governance arrives as an extension of tools security teams operate today rather than a new platform they must learn and fund.

Where The Story Gets Complicated

A buyer reading the Build announcements should notice how much of this is preview rather than production. The Defender and GitHub integration and Windows 365 for Agents are generally available, but MDASH, the Purview runtime controls and several Defender capabilities are still gated or coming soon. Capability dates slip, and a governance plan built on a preview is a plan with a hole in it.

The harder issue is reach. Microsoft's controls are strongest where the agent lives inside Windows, Entra and Microsoft Foundry, and most enterprises run agents across AWS, Google Cloud and a thicket of software as a service tools at the same time. An organization that adopts Agent 365 as its control plane gains real visibility inside the Microsoft boundary while inheriting a deeper dependency on that boundary, which is the trade every platform consolidation has always carried. Governance also has a cost in friction. Every policy gate, isolation layer and data check that protects the business also slows the developer, and teams that over tighten will quietly watch their people route around the controls.

What Decision Makers Should Take From This

The practical read for a technology leader is that the budget conversation is shifting. Spending that went toward model access and experimentation now needs a line for the governance and identity layer that turns experiments into approved deployments, and that layer is becoming as strategic as the model choice itself. Treating non human identity as a first class problem, the way you already treat employee identity, is no longer optional once agents can read data and trigger actions on their own.

The second takeaway is to resist locking in before the reach question is answered. Microsoft's stack is compelling for a Windows and Microsoft 365 heavy organization, yet the multi cloud reality most enterprises live in argues for keeping the governance layer at least partly portable, whether through a neutral gateway or through standards like Model Context Protocol that the major platforms now claim to support. The companies that win the agent era will be the ones that can prove what every agent did and why, long before a regulator or a board asks.