Agent 365 orders the AI agents, liability remains open

15.05.2026

7 Min. Reading Time

Microsoft has introduced Agent 365 as a control plane for AI agents in the market since May 1st. It registers, monitors, and secures the agents of a corporation from a single location. This addresses the tool question but does not resolve the issue of who within the organization is responsible for an autonomous agent. This gap will be on the agenda of boards and supervisory boards in 2026.

Key Takeaways

Agent 365 is the control plane. Available since May 1st, it manages AI agents through the existing identity, compliance, and security stack instead of a parallel system.
The sponsor is the technical answer. Each agent is assigned a person responsible for its access, which is an identity construct, not a liability rule.
The governance gap remains open. The roles of who commissions an agent, who operates it, and who is liable for its damage are distinct. The tool does not resolve these roles.
The board must address three points. An agent registry with owners, a risk-based approval threshold, and clear liability assignment. Three decisions fitting on an agenda.

What Agent 365 Solves and What It Does Not

Agent 365 was announced at Ignite 2025 and has been generally available since May 1st. Microsoft describes the product as a control plane for agents: a place where IT can see every agent, define what it can do, and bind the entire fleet to corporate standards. The bet behind this is clearly stated. AI agents should be managed like managed devices and managed identities have been for a decade, through a control plane that fits into the existing stack instead of building a second one.

This is technically clean. Agent 365 brings agents into the Microsoft Entra identity management, grants permissions through access packages, ties data retention to Microsoft Purview, and evaluates risky agent behavior through Purview Insider Risk Management. Agents from AWS Bedrock and Google Cloud can be gathered and fundamentally managed in a public preview. For the IT organization, this is a real relief. They don’t have to learn a new tool.

What Agent 365 does not solve is the question before it. A tool that registers and secures agents does not address who in the organization decides that an agent should be productive at all. It does not address who carries the business damage if the agent triggers a faulty order or reveals confidential information. It organizes the technology. The organization must handle this itself.

Microsoft’s Response to the Accountability Question

Microsoft has not ignored the accountability issue. In the Entra Identity Management for Agents, there is a construct called Sponsor. Each agent is assigned a person who monitors their access, ensures their permissions are up-to-date, and ensures the agent operates within the guidelines. On paper, this means each agent is associated with a specific individual.

This is a useful construct, but it is smaller than it sounds. The Sponsor is an identity role, not a liability subject. The assigned person is responsible for the agent’s access, meaning they are technically responsible for which systems the agent can access. However, they are not automatically responsible for the business risk that arises from the agent’s actions. These two things rarely overlap in medium-sized businesses and large corporations.

A Sponsor manages what an agent can access. However, the person who bears the damage if the agent misuses this access is not clearly defined. This is not a technical issue but a board-level question.

An example makes the gap clear. A purchasing agent is assigned by the procurement department. The IT department registers and operates them in Agent 365, typically naming an IT administrator as their Sponsor. If the agent issues a faulty framework purchase order for six-figure sums, the Sponsor is technically responsible, but not legally. The department that assigned the task, the IT that operated it, and the board that bears external liability are three roles with an unclear assignment of responsibility.

The Governance Gap Between IT, Department, and Board

The actual task lies not in the admin center but in organizational structure. Three roles overlap with every productive agent. Without clear definition, responsibility gets tangled exactly there.

What Agent 365 Covers Technically

Registration and inventory of all agents in one place
Permissions through Entra Access Packages
Data retention and compliance through Purview
Identification of risky agent behavior as insider risk

What the Organization Needs to Clarify

Who can release an agent for productive use
Who bears the business risk of their actions
At what risk level the board decides
Who shuts down an agent that has gone rogue

The IT operates the control level. They can see what an agent does and stop them. However, they rarely have the mandate to reject an agent desired by a department for risk reasons. The department assigns the agent and reaps the benefits but does not bear the technical risk and often lacks detailed knowledge. The board bears external liability, sees individual agents only when someone presents a report.

This configuration is not new. It resembles the shadow IT of previous years, where departments purchased software that no one knew centrally. The difference is the impact. An un inventorized SaaS tool processes data. An unassigned AI agent makes decisions and acts on them. The gap is the same, but the damage in a serious case is greater.

What the Board Needs to Decide Now

Agent 365 is the opportunity to close this gap, as the tool provides the necessary technical visibility. The organizational part must be set by the board. Three decisions are sufficient for the start and can be addressed in a single meeting.

Firstly, the Agent Register with Owners. Every productive agent needs a business owner alongside their technical sponsor, which is a person from the responsible department who takes responsibility for the business risk. The sponsor and owner can be the same person, but they don’t have to be. What’s important is that both roles are named and documented in the register.

Secondly, the Risk-Based Approval Threshold. Not every agent needs to go before the board. An agent who compiles internal documents is in a different risk class than one who triggers orders or communicates with customers. The board decides once what level of risk requires approval at their level. Below that, the department decides in consultation with IT.

Thirdly, Liability Assignment. For each risk class, it is clarified in advance who bears the damage if the agent acts erroneously. This is less a legal issue than an organizational one: It forces clarification before the agent becomes productive about what the agent can cause at most and whether the company consciously accepts this risk.

None of these decisions require a major project. They require a board resolution and a person to maintain the register. Agent 365 provides the technical foundation on which such a register can be reliably filled. Anyone who introduces the tool without addressing these three role questions has made the agents visible but not accountable.

Frequently Asked Questions

What is Microsoft Agent 365?

Agent 365 is Microsoft’s control layer for AI agents, generally available since May 1st. It registers, monitors, and secures an organization’s agents through the existing identity, compliance, and security stack from Entra, Purview, and Defender. It costs $15 per user and month or is included in the Microsoft 365 E7 bundle.

What is a Sponsor in Agent 365?

A Sponsor is a person assigned in the Entra identity management to an agent. They monitor the agent’s access, ensure permissions are up-to-date, and maintain adherence to policies. The Sponsor is responsible for technical access questions, not automatically the business risk of the agent’s actions.

Who is liable if an AI agent causes damage?

Agent 365 does not address this. Technically, the Sponsor is responsible, while the business side is managed by the relevant department. Externally, the board is accountable. The organization must define this allocation itself, ideally in advance based on risk categories. The tool provides visibility, but responsibility assignment remains an organizational decision.

Does Agent 365 manage AWS and Google agents?

In public preview, yes. IT teams can automatically discover, inventory, and manage AWS Bedrock and Google Cloud agents, including starting, stopping, and deleting them. This functionality is not limited to Microsoft’s own agents.

What should the board establish first?

Three key points: an agent registry where each agent has a technical Sponsor and a business owner. A threshold for approval, beyond which decisions at the board level are required based on the agent’s risk category. And a liability assignment per risk category, to be clarified before deployment.