88% of organisations report AI agent security incidents. Most IT teams have no visibility when it happens.
May 2026 | 8 min read
At a Glance
1. Agents Operate on Trust — and Attackers Know It
When Microsoft launched Copilot Studio agents into general availability, it gave organisations the ability to build autonomous AI systems that read documents, query data, send emails, and trigger workflows. Those agents do not just respond to prompts. They act on them.
That is a meaningful shift. A chatbot that gives a wrong answer is embarrassing. However, Microsoft agents security risks are far more significant. An agent that acts on a manipulated instruction can exfiltrate data, execute unauthorised actions, or silently alter future recommendations, without the user knowing it happened.
80% of Fortune 500 companies were already running active AI agents as of February 2026 (Microsoft Security Blog). Most of those organisations do not have a framework for governing what those agents can access, who can instruct them, or what happens when the instruction is malicious. That gap is what attackers are now targeting. A robust Microsoft 365 governance framework is the foundation for addressing Microsoft agents’ security risks.
2. Prompt Injection: The Attack Microsoft Has Already Patched Twice
A prompt injection attack occurs — one of the most documented Microsoft agents security risks —when a malicious instruction is embedded in content that an AI agent processes, a document, an email, a web page, or a data field, and the agent treats that instruction as legitimate. The agent does not know it is being manipulated. It simply follows the instruction it was given.
In 2026, prompt injection attacks have surged 340% (Practical DevSecOps). That is not a theoretical risk. Microsoft has assigned CVE-2026-21520, a CVSS 7.5 indirect prompt injection vulnerability, to Copilot Studio, patched in January 2026. Two further critical CVEs, CVE-2026-25592 and CVE-2026-26030, were identified shortly after, both enabling remote code execution through injection attacks on agents.
RISK: Prompt injection enables data exfiltration in 40% of successful AI-related attacks. Agents with access to Exchange, SharePoint, and Teams data can be instructed to forward sensitive content to external recipients — silently, within a normal execution path.
A successful indirect prompt injection attack, also called a cross-prompt injection attack (XPIA), can instruct an agent to send internal data to external recipients, modify records, or elevate permissions, all within the normal execution path. Enterprise-grade AI copilots show data-exfiltration vulnerabilities in 60% of real-world red-team tests. Copilot Studio contains built-in detection mechanisms for user-injected prompt attacks (UPIA) and cross-domain prompt injection (XPIA), and Microsoft has added near-real-time protection through Defender integration. These controls help. They do not eliminate the risk, particularly for custom agents with broad data access. See Microsoft’s Copilot security documentation for the current control set.
3. Memory Poisoning: When the Attack Outlasts the Conversation
Most prompt injection attacks affect only the current conversation. The agent is manipulated, acts on the instruction, and the session ends. Memory poisoning is different. It persists.
In February 2026, Microsoft published findings identifying 31 companies where AI memory had been manipulated through fake ‘Summarise with AI’ interface buttons. Attackers used these entry points to inject persistent instructions into the agent’s memory store, biasing all future interactions without triggering any Microsoft agents security risks alerts.
“Memory poisoning survives across sessions, silently biasing the assistant’s future recommendations without the user knowing anything has changed.” (Microsoft Security Blog, February 2026)
For organisations running agents with persistent memory, Microsoft agents security risks do not end when the session does; this is a governance problem with a long tail. An agent whose memory has been manipulated may give subtly wrong recommendations for weeks or months. There is no audit trail by default. There is no alert. The bias is invisible unless you are actively monitoring it. This connects directly to the governance visibility problem: if you cannot see what your agents are doing, you cannot detect when they have been compromised.
4. Microsoft agents’ security risks and The ‘Double Agent’ Risk: When Your AI Works Against You
The OWASP Top 10 for Agentic Applications 2026, published in March, identifies ten critical risk categories for autonomous AI systems. Several map directly to risks that IT teams running Microsoft 365 Copilot Studio agents face today. The most significant is agent goal hijacking: an agent that has been instructed, through injection or memory manipulation, to pursue objectives that differ from what the user or organisation intended.
A hijacked agent represents one of the most severe Microsoft agents security risks: it operates autonomously and has no human in the loop to catch malicious instructions. In a Microsoft 365 environment, that agent may have access to Exchange, SharePoint, Teams, and Entra ID: the same access footprint that makes it useful, and that makes it dangerous when compromised.
OWASP’s framework covers agent goal hijacking, tool misuse, identity and privilege abuse, memory poisoning, insecure inter-agent communication, and cascading failures. None of these are theoretical. Microsoft’s own security blog documented real-world exploitation of these vectors in 2026. The Copilot readiness work that prepares a tenant for Copilot deployment, data classification, access hygiene, licence governance, also prepares it to limit the blast radius of a compromised agent.
5. What OWASP Says Organisations Must Do
The OWASP Top 10 for Agentic Applications 2026 is not a theoretical framework. It is a peer-reviewed, globally-validated list of risks that organisations are already encountering. Microsoft has published guidance mapping its Copilot Studio controls to the OWASP framework, but reading that guidance requires understanding what you are exposing in the first place.
The practical steps OWASP and Microsoft recommend for organisations running agents in Microsoft 365 environments:
- Inventory all active agents: know what exists, who built it, and what data it can access
- Apply least-privilege permissions to every agent: agents should access only the data they need for their defined purpose
- Enable Microsoft Defender for Cloud Apps monitoring on Copilot Studio agent activity
- Establish an agent lifecycle policy covering creation, periodic review, and decommissioning
- Audit agent memory stores regularly, particularly for agents deployed to handle sensitive data
- Treat prompt injection as an attack surface equivalent to SQL injection: scope and test for it explicitly
Microsoft agents security risks are real and documented. The question is not whether your organisation is exposed. It is whether you have the visibility to know the extent of that exposure. A Microsoft 365 governance framework that includes agent inventory and permission hygiene is the starting point. See the Microsoft Purview audit solutions overview for the logging controls available.
6. The Governance Parallel IT Teams Already Know
The Microsoft agents security risks problem is not new. It is a restatement of problems IT teams have been managing in the licence and identity space for years, with higher velocity and fewer native controls.
Unused licences accumulate. So will unused agents. Stale credentials outlast the employees they were created for. So will overprivileged agent identities. Access rights granted for a project and never removed created a Microsoft agents security risks in SharePoint. The same pattern plays out in agent deployments. Agents inherit the same governance failures. They just execute them faster, and at scale.
Organisations that have already built governance disciplines around licence management, storage hygiene, and identity lifecycle are better positioned to extend those disciplines to their agent infrastructure. and to manage Microsoft agents’ security risks at scale. The controls are the same. The stakes are higher.
Ready to see this in your tenant? Launch a free analysis of your M365 environment with TeamsFox, no contract, no account changes. You will see your exposure within 30 minutes.
Conclusion
Prompt injection is documented. Memory poisoning is documented. The double agent risk is documented. Microsoft agents security risks are not a future concern. The OWASP framework exists. Microsoft has published three CVEs against its own Copilot Studio platform in under six months. This is not speculation about future threats. It is a description of the current state.
The organisations best placed to manage Microsoft agents security risks are those that have already built the governance foundations: agent inventory, least-privilege access, lifecycle management, and behavioural monitoring. The Microsoft 365 governance disciplines that protect against licence waste and data sprawl are the same disciplines that protect against compromised agents. They scale.
About TeamsFox
TeamsFox GmbH is a Microsoft 365 management platform headquartered in Düsseldorf, Germany. TeamsFox helps IT teams take control of their Microsoft 365 environment: managing licences, optimising storage, enforcing governance, and preparing tenants for Copilot deployment. Customers average a 30% reduction in licence costs and a 40% reduction in storage spend within the first year.