
Business users are building AI agents without IT approval. Governance frameworks haven’t caught up. Here’s what that means, and what to do about it.
May 2026 | 7 min read
1. Shadow AI Microsoft 365: How Unsanctioned Agents Get Into Your Tenant
Your sales team is using it. So is finance. So is the project manager who got tired of waiting for IT. They are using Copilot Studio, Power Automate, and the new Microsoft 365 Agents framework to build automations, bots, and assistants that pull from SharePoint, query Exchange, and connect to external services. They did it without a ticket. Without a review. Without a lifecycle plan.
This is shadow AI. It is the governance problem that nobody has fully solved yet, and it is growing fast inside Microsoft 365 tenants right now.
Microsoft’s own Cyber Pulse report found that 29% of employees have already used unsanctioned AI agents for work tasks. That figure was published in early 2026. It has almost certainly moved since. The barrier to building an agent in Copilot Studio is now a few clicks, not a development cycle. If your organisation has Microsoft 365, your users have everything they need to create an agent that accesses your most sensitive data.
2. What Is Shadow AI? Shadow IT With Direct Data Access
Shadow IT has existed for as long as enterprise software has had a procurement queue. Business units install tools. IT finds out later. The governance gap gets patched retrospectively, usually after something has gone wrong.
Shadow AI Microsoft 365 follows the same pattern but with a critical difference: AI agents do not just run on data. They generate outputs based on it, share it in responses, and act on it autonomously. A shadow application sitting on a file server is a passive risk. A shadow AI Microsoft 365 agent with read access to your HR SharePoint site, answering questions about employee records, is a different category of problem entirely.
Gartner classifies 41% of employees as citizen developers: people building or customising applications outside formal IT oversight. When those employees build AI agents in Copilot Studio, the agent inherits their permissions. No separate authorisation. No review. No audit trail beyond what the Microsoft 365 admin centre surfaces, which is limited.
Risk: Agent permissions are really the builder’s permissions
An agent built by a senior HR manager inherits that manager’s access to SharePoint, Exchange, and any connected external systems. If the agent is shared with a broader team, those team members can query it, and the agent will respond using the builder’s data access. IT has no native alert when this happens. Your Microsoft 365 tenant may be running agents that IT did not approve, cannot fully see, and cannot audit without additional tooling.
3. The Power Platform Parallel: Enterprise Governance Has Solved This Before
IT departments fought this battle with Power Platform four years ago. When Power Apps and Power Automate became accessible to business users, the default environment filled up with apps and flows that nobody documented, nobody owned, and nobody decommissioned. Research shows organisations without formal governance experience application sprawl at three to four times the rate of those with an established Centre of Excellence.
The solution was not to shut down citizen development. It was to build the governance structures that made citizen development safe: managed environments, data loss prevention policies, lifecycle management, licence tracking. The same disciplines that turned Power Platform from a governance liability into a controlled, productive platform.
“Shadow AI governance and Power Platform governance are the same question at a higher stake. The principles are identical. The tools are still catching up.”
The governance framework that worked for Power Platform applies directly to AI agents. Inventory everything. Review permissions. Set policies on data access. Establish lifecycle rules. Monitor for drift. The difference is that the tooling is immature, patchy, and still catching up to the speed at which agents are proliferating.
4. What Microsoft Agent 365 Can and Cannot Do About Shadow AI
Microsoft’s response to shadow AI governance is Agent 365, which reached general availability on 1 May 2026 at USD 15 per user per month standalone, or included in Microsoft 365 E7. It is a meaningful product that addresses genuine gaps.
Agent 365 surfaces a Shadow AI page in the Microsoft 365 admin centre. IT administrators can see which unmanaged AI agents are running in the environment, which devices they operate on, and apply Intune-based policy controls to restrict specific agent runtimes. For Microsoft-native agents, this is a real step forward.
But there are things Agent 365 does not cover. Third-party agents connected to Microsoft 365 data via OAuth without formal registration are much harder to surface. Browser-based AI tools that users authenticate with their Microsoft credentials fall outside the visibility boundary. Agents built on Azure AI Foundry by individual developers and not registered in the admin centre may not appear.
There is also the question of what lies beneath the agent. If a shadow agent is accessing a SharePoint site with overly permissive access controls, or an Exchange shared mailbox that should have been decommissioned two years ago, Agent 365 sees the agent but not the underlying exposure. The governance gap runs deeper than the inventory.
What Agent 365 does not tell you
Agent 365 surfaces the agents it knows about. It does not surface the underlying data-access exposures those agents rely on. An agent with read access to a SharePoint site containing sensitive data that has never been classified is invisible to Agent 365 from a data-risk perspective. The shadow AI Microsoft 365 problem and the broader permissions hygiene problem are the same problem.
5. A Practical Shadow AI Microsoft 365 Governance Framework for Microsoft 365 IT Teams
IT leaders are being asked by boards and finance teams: What is Shadow AI Microsoft 365 governance and what are we doing about it? The honest answer at most organisations is: not enough, and we are not yet sure what enough looks like.
Here is a practical starting framework, built on the same principles that resolved the Power Platform governance crisis.
Inventory: know what agents exist in your tenant. Use Agent 365 as a starting point for Microsoft-native agents. Cross-reference with Copilot Studio environments. Check Power Platform audit logs for agent creation events. Look for OAuth consents in Entra ID that may indicate external AI tools.
Permissions review: every agent inherits the permissions of its creator or service account. An agent built by a global admin and shared with a business unit carries permissions that do not belong in a conversational tool. Map what agents can access, not just what they were intended to access.
Data access scope: which SharePoint sites, Exchange mailboxes, and external connectors are agents reaching? Microsoft 365 governance requires understanding the data surface before governing the tool. M365 sprawl in the data layer becomes agent sprawl in the output layer.
Lifecycle policies: agents need owners, review dates, and decommission criteria. An agent that served a project that ended six months ago is a live governance risk. Treat agents the same way mature organisations treat Entra ID service accounts: named owner, documented purpose, expiry date.
Monitoring: set alerts for new agent creation. Review agent activity logs weekly. Treat anomalous behaviour (large data transfers, unexpected external connector calls) as a security signal, not just an operational curiosity.
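To support the inventory step above, here is an added PowerShell example (not TeamsFox’s or Microsoft’s code) that lists delegated OAuth consents in Entra ID and flags grants that reach mail, files, sites or chat data, one way to spot the external AI tools the framework mentions. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read directory data; the watch-list of scopes and the CSV path are assumptions.

```powershell
# Added example (assumption: Microsoft.Graph SDK installed; read-only audit scopes).
Connect-MgGraph -Scopes "DelegatedPermissionGrant.Read.All","Application.Read.All","User.Read.All" -NoWelcome

# Constructed watch-list: delegated scopes that give a tool the data reach discussed above.
$watchScopes = @('Mail.Read','Mail.ReadWrite','Files.Read.All','Files.ReadWrite.All',
                 'Sites.Read.All','Sites.ReadWrite.All','Chat.Read','ChannelMessage.Read.All')

# Every delegated consent in the tenant, whether a user consented for themselves
# (ConsentType 'Principal') or an admin consented for everyone ('AllPrincipals').
$grants = Get-MgOauth2PermissionGrant -All

$findings = foreach ($g in $grants) {
    $granted = $g.Scope -split ' ' | Where-Object { $_ }
    $hits = $granted | Where-Object { $watchScopes -contains $_ }
    if (-not $hits) { continue }

    # ClientId is the object id of the consuming app's service principal.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName,AppId,PublisherName

    $who = 'ALL USERS (admin consent)'
    if ($g.ConsentType -eq 'Principal') {
        try { $who = (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName }
        catch { $who = "unknown principal $($g.PrincipalId)" }   # user may have been deleted
    }

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        ConsentType = $g.ConsentType
        ConsentedBy = $who
        RiskyScopes = ($hits -join ' ')
    }
}

# Admin-wide consents first, then per-user consents, so the widest exposure is reviewed first.
$findings | Sort-Object ConsentType, App | Format-Table -AutoSize
$findings | Export-Csv -Path .\oauth-agent-consents.csv -NoTypeInformation
```

The CSV gives a per-app, per-consenter record that can be reconciled against the Agent 365 Shadow AI page and the Copilot Studio environment list to find tools that appear in neither.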
“The organisations that apply Power Platform governance discipline to AI agents today will not be the ones firefighting agent sprawl in 2027.”
Frequently Asked Questions
What is shadow AI and how is it different from shadow IT?
Shadow AI refers to AI-powered tools and agents in use within an organisation without IT approval, governance policies, or oversight. It differs from shadow IT because AI agents generate outputs from data, act on it autonomously, and share sensitive information in responses. The risk is active, not passive. A file sitting on an unsanctioned server is a risk. An agent answering questions about that file to any employee who asks it is a different order of magnitude.
How does shadow AI governance relate to Microsoft 365 governance?
Shadow AI governance and Microsoft 365 governance are the same question at different layers. Most shadow agents in an enterprise context access Microsoft 365 data: SharePoint sites, Exchange mailboxes, Teams channels. Governing them requires the same visibility into what data they are accessing and who authorised that access.
What can Microsoft Agent 365 do about shadow AI Microsoft 365 in my tenant?
Agent 365, which reached general availability in May 2026, surfaces a Shadow AI page in the Microsoft 365 admin centre showing unmanaged agents, the devices they run on, and Intune-based controls to restrict them. It addresses the most visible Microsoft-native shadow agents but has limited reach into third-party tools and browser-based agents connected through OAuth.
What is Shadow AI Microsoft 365 governance and where do I start?
Shadow AI Microsoft 365 governance is the set of policies, processes, and controls that ensure AI tools operate within defined boundaries for data access, security, and compliance. Start with inventory: know what agents exist. Then review permissions, establish lifecycle policies, and set monitoring alerts for new agent creation and anomalous data access patterns.
How does Microsoft 365 sprawl apply to AI agents?
The pattern is identical to Power Platform sprawl: rapid adoption, minimal oversight, accumulating risk. The difference is velocity. Agents proliferate faster than apps because they are easier to build and easier to share. The governance framework that resolved Power Platform sprawl, covering environment strategy, DLP policies, lifecycle management, and cross-workload visibility, applies directly to agent governance.
About TeamsFox
TeamsFox is the Microsoft 365 governance and optimisation platform that gives IT teams tenant-wide visibility into licence usage, storage waste, and access risk. Continuous monitoring surfaces shadow agents, inactive licences, and orphaned identities before they become security incidents or budget surprises. Headquartered in Düsseldorf and trusted in 20+ countries, TeamsFox helps organisations reduce licence spend by up to 30%, cut storage costs by 40%, and free up 60% of administrative time.