
Pillar 3: Security and governance

AI agents built with Agent Builder in Microsoft 365 Copilot, Copilot Studio and Microsoft Foundry must operate within enterprise‑grade security, governance, and compliance boundaries. As agents gain autonomy, access business data, and take action across systems, organizations must ensure they remain secure by design, governed throughout their lifecycle, and aligned with corporate risk and compliance requirements.

This pillar focuses on how organizations use Microsoft's integrated security and governance stack to protect AI agents, manage risk, and maintain trust. It also focuses on how organizations establish the guardrails, controls, and operating discipline required to ensure agents operate securely, compliantly, and predictably without slowing innovation.

Note

Operations and lifecycle management and Responsible AI and trust are cross‑cutting capabilities. To support clearer maturity assessment, they're separate pillars in this maturity model, even though they're embedded across security, technology, and process execution in practice.

Why security and governance matter for AI agents

Agents amplify human intent by acting within the context of identity, data, and permissions. Without strong governance, this same capability can introduce risk through unintended data exposure, inconsistent behavior, or unclear accountability.

Strong security and governance provide the foundation that allows agent adoption to scale safely. They ensure that agent behavior is observable, controlled, and auditable, and that increasing autonomy is matched with clear decision rights, lifecycle oversight, and risk management. This foundation helps innovation progress without compromising safety or reliability.

What high maturity looks like

At high maturity, security and governance are embedded, scalable, and enabling.

Characteristics include:

  • Organizations govern agents using consistent, enterprise‑wide standards.
  • Identity, data access, and compliance controls are enforced by default.
  • Organizations make agent behavior observable through logs, telemetry, and review mechanisms.
  • Human oversight and escalation paths are clearly defined for each agent class.
  • Governance enables faster adoption rather than slowing it down.

How to read the maturity table

The table describes how security and governance capabilities evolve across five maturity levels.

For each level, notice:

  • State of security and governance: Observable characteristics at that level.
  • Opportunity to progress: Practical focus areas that enable the next level of maturity.

Organizations often operate at different levels depending on agent criticality. For example, internal productivity agents might require lighter controls than customer-facing or decision-making agents.

Security and governance maturity

100: Initial

State of security and governance:

  • No AI-specific security or governance processes.
  • Agents operate without formal oversight, risk assessment, or compliance checks.
  • AI initiatives might bypass standard IT governance, creating unseen security, privacy, or regulatory risks.
  • All agents treated the same regardless of purpose or risk.
  • No formal environments, data policies, or approval checkpoints.
  • Agents might access enterprise data with minimal oversight.
  • No clarity on ownership, accountability, or decision rights.

Opportunity to progress:

  • Establish minimum guardrails.
  • Define who can create, publish, and share agents.
  • Introduce basic AI and agent awareness across IT, security, and compliance.
  • Establish simple ground rules (approved data sources, access controls, environment separation) and begin treating AI agents as governed solutions rather than experiments.
  • Start inventorying agents and assigning owners.

200: Repeatable

State of security and governance:

  • Basic tenant-level controls and policies are documented but inconsistently applied.
  • Some guidelines and approval steps exist, such as security reviews before production deployment.
  • Some agents use development, test, and production environments.
  • Early distinction between personal or productivity agents and shared agents, but controls are manual.
  • Governance is largely reactive and dependent on individual diligence rather than enforced standards.

Opportunity to progress:

  • Publish an organization baseline for identity and access expectations, data governance and compliance controls, and audit and monitoring expectations for agents.
  • Formalize a governance framework that defines roles, review checkpoints, and compliance requirements.
  • Document policies and ensure teams are trained on them.
  • Move from informal guidance to consistent, repeatable governance practices.
  • Begin classifying agents by intended use and blast radius.
  • Align security, IT, and business on baseline compliance expectations.
  • Establish a tiering concept and minimum guardrails: define that personal productivity, departmental/team, and mission-critical agents must not share the same governance posture.

300: Defined

State of security and governance:

  • Security, governance, compliance, and risk management practices for AI are documented and enforced.
  • Audit and monitoring capabilities are in place.
  • Agents explicitly classified by purpose and criticality (productivity, departmental, mission-critical).
  • Zoned governance model adopted using environments (safe, supported, IT managed).
  • Standard approval, risk assessment, and ALM requirements defined per agent class.
  • Responsible AI considerations are incorporated into reviews.
  • Central agent registry and audit logging established.

Opportunity to progress:

  • Automate governance where possible (environment provisioning, policy enforcement).
  • Scale governance through federation.
  • Delegate low-risk approvals to teams within guardrails.
  • Integrate observability and logging into all production agents.
  • Align governance reviews with portfolio and planning cycles.

400: Capable

State of security and governance:

  • Governance is risk-based and partially automated.
  • Monitoring systems detect anomalies and misuse.
  • Productivity agents move quickly with lightweight controls.
  • Mission-critical agents follow enterprise ALM, security, and compliance rigor.
  • Federated governance: central standards with delegated approvals for low-risk agents.
  • Continuous monitoring and policy-driven compliance integrated into operations.

Opportunity to progress:

  • Expand automation to approvals, monitoring, and compliance reporting.
  • Use analytics to identify emerging risks and continuously update governance policies as regulations and agent capabilities evolve.
  • Introduce KPI-based governance (incidents, reliability, trust signals).
  • Refine human-agent decision rights and escalation paths by agent class.

500: Efficient

State of security and governance:

  • Agents treated as tiered digital services with differentiated SLAs, controls, and autonomy levels.
  • Governance continuously adapts based on usage, risk, and regulation.
  • Predictive risk analytics and continuous compliance in place.
  • Governance accelerates innovation and might influence industry best practices.

Opportunity to progress:

  • Maintain maturity through continuous adaptation.
  • Stay ahead of emerging threats, regulatory changes, and new agent patterns by investing in governance capabilities, tooling, and external engagement.
  • Continuously reassess agent classifications and controls.
  • Share practices externally and influence industry standards.

Common anti-patterns

  • No inventory and no ownership. Teams create and share agents without a reliable registry, lifecycle status, or accountable owner, which makes audits and incident response slow and inconsistent.

  • Controls are "guidance-only" instead of enforceable. Teams document policies but don't translate them into enforceable technical controls (for example, data governance, data policy, and sensitivity constraints), so compliance depends on individual behavior.

  • Missing or ignored environment strategy. Makers build and publish in the same environment without clear separation or guardrails, which increases the risk of accidental exposure and weakens change control.

  • Treating all agents as the same (no tiered approach by risk and criticality). Organizations apply one set of controls to every agent. This approach either over‑restricts low‑risk personal productivity agents (driving shadow AI), or under‑governs departmental and mission‑critical agents (creating security and compliance gaps). A tiered approach is needed because risk and governance requirements increase as you move from personal productivity to department and team collaboration to enterprise and mission‑critical workloads.

  • Data policy and connector governance aren't treated as an "agent safety boundary." Teams allow agents to connect broadly (connectors, actions, HTTP) without consistent policy constraints, which increases data exfiltration and unintended action risk.

  • Audit and monitoring are afterthoughts. Teams don't centralize logs, create dashboards, or connect security operations center (SOC) workflows with agent data. Teams only learn about risky behavior after incidents escalate.

  • Security posture isn't continuously validated. Teams don't check runtime protection status, run automatic security scans (where available), or set expectations for systematic adversarial testing before release and before major updates.

  • Cost and usage governance is unmanaged. Teams don't allocate or monitor token, usage, and capacity costs, so spend grows without visibility and governance can't prioritize what to scale or retire.

Using this pillar in practice

Security and governance should scale with agent autonomy and impact.

As you progress:

  • Make controls more automated and embedded.
  • Keep decision rights explicit and review them regularly.
  • Consider governance metrics alongside value metrics.

Strong security and governance provide the trust and clarity needed to scale AI agents responsibly, so organizations can move faster.

Next step

Next, explore how value realization and outcomes ensure that well-governed agents deliver measurable and sustained business impact.