Identities for AI Agents

Identity and Access Management is typically tasked with managing user accounts for carbon-based users (humans) and Certificates and service accounts for the silicone-based users (machines).

But, what about AI agents?

The recent announcement about Microsoft Entra Agent ID – an identity solution for AI agents – marks a pivotal step in bringing the same stringent security controls used for employees to autonomous AI systems. In an era where 80% of breaches are identity-related, treating AI agents as first-class identities is essential for trust, compliance, and effective collaboration between humans and intelligent agents.

AI Agents as Identities: Yet Another Frontier in Security

Microsoft’s Work Trend Index predicts that within 2–5 years, every organization will integrate AI agents into their workforce, having humans and AI work in tandem. Each such agent, if unchecked, could become a blind spot in security – a potential access point to sensitive data without proper oversight.

Microsoft Entra Agent ID directly addresses this new frontier by assigning every AI agent a unique, traceable identity in the directory. It’s akin to etching a VIN (vehicle identification number) on every AI “digital employee” before it hits the road. By registering AI agents in a unified directory, identity practitioners gain immediate visibility into which bots or copilots exist in the environment and what they have access to. Visibility is the first step: you can’t protect or govern what you don’t know exists. With Agent ID, any agent created via approved platforms (like Microsoft 365 Copilot’s Copilot Studio or Azure AI Foundry) is automatically catalogued with no admin action needed. This inventory of AI agents serves as a foundational AI register, enabling further security and governance measures.

If you want to know how many agents you are using already in your organisation, do the following:

1. Open https://entra.microsoft.com
2. Go to Applications.
3. Select Enterprise Applications.
4. Filter by Application Type.
5. Select Agent ID (Preview).

Surprised? 😀

Our ability to assign identities to AI agents will greatly improve accountability. Just as people have user accounts that authenticate and authorize their actions, an AI agent with an Entra Agent ID must authenticate (proving it is the genuine agent) and is subject to authorization checks for each action. This concept extends the Zero Trust model to AI: never trust an agent by default just because it’s coded by us – always verify its identity and enforce least privilege access.

Strengthening Access Controls with Entra Agent ID

One of the biggest security improvements from registering AI agents is the ability to apply granular access controls on them. Entra Agent ID enables fine-grained permission sets and Conditional Access policies for AI agents, analogous to those for human users. This means that a company can ensure that an AI assistant only accesses the data and systems explicitly allowed – for example, it might be permitted to read research databases but not confidential files or allowed to update calendar entries but not send emails, depending on its role.

Least-Privilege Access: In the traditional scenarios, bots or scripts might run under a service account with broad permissions, raising the risk of misuse. Microsoft’s approach builds just-in-time, scoped access tokens for agents. When an AI agent needs to perform a task, it requests a narrowly scoped credential for that task – for instance, a token only for a specific SharePoint file or a particular Teams channel, and only for a short time window.

This just-in-time access greatly limits the blast radius if an agent is compromised or malfunctions. The agent never holds long-term credentials or blanket access; it operates on a strict need-to-know and need-to-access basis.

Watch this space as we start to adopt the concepts of attribute-based and signal-based access control for humans.

Conditional Access & Contextual Controls: Because agents have identities in Entra ID (previously Azure AD), all the powerful Conditional Access capabilities can be applied. The company can invoke policies so that an AI agent’s access is allowed only under certain conditions – for example, only during business hours, or only from the company's network, or only if the agent’s last activity was low-risk. Indeed, Microsoft plans to leverage “real-time signals and context” in enforcing agent access just as it does for human logins (consider signals like unusual access patterns or location). If an AI agent were acting outside of expected parameters, its Conditional Access policy could block it, just as it would a suspicious human user session.

With rigorous identity-based policies and proper data scoping, oversharing of data can be averted. By tagging data with confidentiality labels and ensuring AI agents only query data they’re entitled to see, companies maintain the confidentiality separations that are the bedrock of legal ethics.

Entra Agent ID’s integration into the identity system means these data permission rules and ethical walls can extend to AI activities. In short, registering AI agents allows IAM teams to apply the same gatekeeping to bots as to humans, closing a crucial gap in access control.

Data Privacy and Sovereignty Benefits

For an international company, data privacy compliance and data sovereignty are non-negotiable. AI agents must not become a loophole through which sensitive personal data is mishandled or shipped overseas in violation of regulations. By registering AI agents in Entra and managing their credentials, organizations gain tighter control over what data AI agents can access and where that data is processed. Several features of Microsoft’s solution contribute to protecting privacy and supporting data sovereignty:

• Data Visibility and Classification: Every action an agent takes is attributable to its ID, which means data access by AI can be logged in detail
• Preventing Oversharing: A key privacy risk with AI is that a large language model-based agent might generate responses with more information than the user should see. With security controls in place, agents are constrained to only the data sources and facts they’re authorized to use. Microsoft’s integration allows developers to reduce the risk of AI oversharing or leaking data by design
• Geographic Access Policies: Data sovereignty – ensuring data complies with local jurisdiction laws – is aided by identity-based controls. With Entra Agent ID, one can envision applying location-based Conditional Access to AI agents. For instance, if policy dictates that an AI agent handling EU personal data must run in EU datacenters or only access EU-stored content, the agent’s identity can be tied to those restrictions. Any attempt by that agent identity to access resources outside allowed regions (or to connect from an unapproved geo) would be logged or blocked, much as it would for a human user subject to geo-fencing policies. While Microsoft’s announcement focuses on identity, it dovetails with initiatives like the Microsoft Cloud for Sovereignty, which provide mechanisms to meet local data residency requirements
• Consent and Minimization: Through governance (addressed below), the company should ensure that AI agents are designed with privacy in mind – using only the minimum necessary data for tasks (data minimization) and respecting user consents. By inventorying all AI agents, Privacy Officers can evaluate each agent’s data usage against privacy requirements. If an agent’s identity isn’t in the register, it shouldn’t be processing client data at all. This discipline reinforces compliance with laws like GDPR, which require understanding and controlling how personal data flows to automated systems.

In summary, the ability to register AI agents translates into concrete privacy controls and sovereignty safeguards: you know what AI is doing, you can enforce policies on it, and you can demonstrate compliance in audits. It turns the AI from a mysterious black box into a governed entity within your security apparatus.

Challenges and The Road Ahead

Implementing AI agent identity management won't be easy:

1. Coverage of All AI Agents

Microsoft Entra Agent ID currently covers agents created in certain Microsoft platforms (and upcoming integrations with ServiceNow, Workday, etc.)

A typical company, however, might experiment with other AI tools or custom bots. Ensuring all AI systems are registered is a governance challenge – one that requires strong policy (banning unapproved AI, or requiring any new AI project to integrate with Entra if possible) and perhaps technical discovery tools. We may need to use network monitoring or surveys to catch any “shadow AI” that employees might be trying out. As the ecosystem matures, we expect standards like the emerging Agent2Agent (A2A) protocol to help bring even third-party agents into a common management fold.

Microsoft’s active participation in industry standards is promising; it indicates that in time, even non-Microsoft AI agents could be issuable an Entra identity or federated equivalent.

2. Technical Learning Curve

Introducing Entra Agent ID means the IAM team must learn new processes and coordinate with developers who create AI agents. There may be a need to update scripts, CI/CD pipelines, or development tools so that any agent the firm builds is properly registered (for example, using SDKs or APIs to register the agent identity during deployment). Microsoft aims to make this seamless (“register once and your agent can have an identity in other tenants” with no custom auth flows), but there will still be a period of adjustment. Close collaboration between IT security and the software developers is essential to ensure smooth onboarding of AI agents into identity management. (do you know any good talent in the IAM space?)

3. Evolving Threat Landscape

AI agents, by virtue of their autonomy, present new kinds of threats – prompt injection attacks, model manipulation, or usage in social engineering. While Entra Agent ID secures the identity and access aspect, the firm must also consider AI-specific security measures (for example, validating the outputs of an AI, or using Microsoft Defender’s new AI security recommendations to harden AI agent code). Attackers might attempt to exploit an AI agent’s elevated access if they can compromise the agent’s logic even without stealing its credentials. Our defensive strategy thus includes not just identity controls but also securing the AI models and platforms themselves. We’re starting to see tools for AI Security Posture Management to complement identity solutions.

4. Regulatory Uncertainty

Global organisations face a complex mesh of laws – data protection regulations, emerging AI oversight laws (like the EU AI Act draft, state-level AI laws in the U.S.), and professional ethics rules. These will evolve, and any solution we adopt must adapt. The governance framework (with an AI risk officer, committee, etc.) is how we track and ensure compliance as rules change. If a law requires data localisation for AI processing, we can configure those constraints at the identity policy level. Flexibility and staying informed are key; having Entra Agent ID gives us a head start by already aligning with many best practices likely to be mandated (identity verification, audit logs, least privilege). (and... do you know any good talent in the AI governance space?)

5. User Adoption and Change Management: Staff need to buy into this new way of working. Initially, some may see registering an AI agent or abiding by the new AI usage policies as extra overhead or may not understand the risks of “just quickly using this cool AI tool I found.” Change management and training are vital to overcome this. By highlighting positive outcomes – e.g., “Because we could trust Copilot with sensitive data due to these controls, it saved us 5 hours on that last deal closing” – and constantly reinforcing the message that security enables innovation, we aim to create a culture where using AI responsibly is second nature.

Looking ahead, Microsoft’s roadmap for Entra Agent ID promises more capabilities that will make our jobs easier. In the next six months, we expect features like more fine-tuned governance controls, support for third-party agents, and deeper integration with our overall identity governance programs.

Conclusion: Embracing Secure and Responsible AI

The introduction of Microsoft Entra Agent ID is a timely development. It provides a much-needed mechanism to secure and manage AI agents with the same vigilance we apply to human users.

By registering AI agents, setting granular access controls, and integrating their activities into our compliance and audit processes, we can use the tremendous benefits of AI – increased efficiency, reduced costs, augmented capabilities – without sacrificing client trust or ethical standards.

For a global organisation, the ability to demonstrate to clients, regulators, and our own professionals that AI is being used in a secure, controlled, and transparent manner is now a competitive differentiator. It turns AI from a potential liability into a strength. With robust identity-based controls like Entra Agent ID, coupled with a strong governance framework and a culture of responsible innovation, we are confidently stepping into the new era of AI-augmented business. Our AI agents are no longer mysterious black boxes, but well-monitored digital colleagues operating under the rule of policy. In essence, we’re ensuring that as our company's intelligence expands with AI, our integrity and security protections expand right alongside it – keeping our data safe, workflows compliant, and outcomes beneficial for all stakeholders.

This article was written by Microsoft 365 Copilot, then checked and edited by me. I reckon 60/40 split is a fair shout. Time saved - couple of hours.