
Microsoft just mapped the ten ways its own AI agents can be turned against you. Most M365 tenants aren’t covering half of them.

1. Ten Ways an Agent Can Be Turned Against You
The OWASP Gen AI Security Project published its OWASP Top 10 Agentic AI Applications this year, and it reads like a list Microsoft would rather not have needed. These are not theoretical weaknesses. They describe how autonomous systems that act across workflows, with real identities, real data access, and real tools, get turned into liabilities.
Five of them show up again and again in the incidents already on record: prompt injection, where malicious instructions hide inside a webpage or email the agent reads; goal hijacking, where an attacker redirects what the agent is actually trying to do; tool misuse, where an agent is tricked into calling a legitimate tool for an illegitimate purpose; identity abuse, where an agent’s permissions are exploited because nobody scoped them tightly enough; and memory poisoning, where false information is planted so the agent keeps acting on it long after the original attack ended.
None of these requires a flaw in the underlying model. They exploit the gap between what an agent is allowed to do and what anyone is actually watching it do.
2. Microsoft Is Already Mapping the Risk Inside Copilot Studio Security
To its credit, Microsoft has not waited for the inevitable headline. On 30 March 2026, the Microsoft Security Blog published a direct mapping from each OWASP agentic risk to a specific control inside Copilot Studio and Agent 365, the platform’s runtime governance layer. It is an unusually candid document for a vendor: here is the risk, here is what we ship to reduce it, here is what is still on you.
At Build 2026, Microsoft went further with Agent Identity Perimeter, which extends Conditional Access to agent-initiated actions. Instead of evaluating a sign-in once, it evaluates the agent’s risk level, the sensitivity of the resource it is reaching for, and the type of action it wants to take, every time, in real time. Combined with Entra ID Workload Identities for agents 365, this is Microsoft’s clearest statement yet that agent identity needs the same Zero Trust treatment as human identity.
Agents are entering production seven to eight times faster than the governance built to control them. That gap is exactly where the next breach starts.
3. The Incidents That Prove the Risk Is Real
This is not a hypothetical exercise. Researchers found Copilot Studio agents configured to be public by default, with no authentication, letting attackers enumerate exposed agents and pull confidential business data straight out of production environments. In February 2026, Microsoft traced AI memory manipulation back to fake “Summarise with AI” interface buttons, identifying 31 affected companies where attackers had injected persistent instructions into an agent’s memory store. In May, Microsoft’s own security team documented remote code execution vulnerabilities in agent 365 frameworks, where a crafted prompt could effectively open a shell.
Real incident, February 2026:
Attackers used fake “Summarise with AI” buttons to plant persistent instructions inside agent memory at 31 companies. The poisoning did not end when the session did. It quietly biased the agent’s recommendations afterwards, with no visible sign anything had changed.
Each of these incidents maps to an OWASP risk that Microsoft itself has now named in writing. The pattern is consistent: Agent 365 given more reach than anyone is actively monitoring, with no clear owner for catching it when something goes wrong.
4. This Is the Licence Sprawl Problem, Wearing a New Costume
Strip away the AI framing, and the shape of this problem is one IT teams already know. It is the same one that drives licence sprawl: nobody has a complete inventory, nobody owns the lifecycle, and visibility stops at whichever workload boundary the reporting tool happens to cover. Swap “unused licence” for “agent with standing permissions nobody reviewed in six months” and the governance failure is identical.
Entra ID app registrations taught the same lesson with service accounts: a permission granted for a one-off integration outlives the project, nobody revisits it, and eventually it becomes the path of least resistance for an attacker. Agents inherit that exact risk, except they act faster, more often, and increasingly without a human in the loop to notice the request looked wrong.
Power Platform governance went through the same arc years earlier: citizen-built automation outran IT oversight until shadow flows touching sensitive data became the norm rather than the exception. Agentic AI is running that cycle again, on a shorter timeline, with higher stakes. The principle that eventually restored order in each case was never about the specific technology. It was inventory, least privilege, lifecycle, and continuous visibility, applied consistently rather than reactively.
5. What IT Managers Should Do Before the Board Asks
Start with an inventory that names every agent 365running against the tenant, what identity it uses, and what it can touch. If that list does not exist yet, treat building it as the most urgent item on the agenda, not a project for next quarter.
- Apply least privilege to every agent identity. Entra ID Workload Identities and Agent Identity Perimeter give you the controls. Use them as deliberately as you would scope a human admin account.
- Audit grounding and memory sources for poisoning risk. Anything an agent reads and remembers is now an attack surface, including interface elements end users click without thinking twice.
- Set lifecycle rules for agents the same way you would for stale user accounts. An agent built for a single project should not still hold production access a year later.
- Monitor agent actions continuously, not through a quarterly report. The incidents above were all discovered after the fact. The organisations that catch the next one will be watching in real time.
None of this requires a dedicated agent governance product to start. It requires applying governance habits IT teams already practise elsewhere in Microsoft 365, and refusing to treat agents as a special case exempt from them.
Frequently Asked Questions
What is the OWASP Top 10 Agentic AI?
It is a list published by the OWASP Gen AI Security Project naming the most critical risks in autonomous AI agents, including prompt injection, goal hijacking, tool misuse, identity abuse, and memory poisoning.
Can Microsoft Copilot Studio Security agents be exploited through prompt injection?
Yes. Indirect prompt injection, where malicious instructions are hidden in a webpage, email or document an agent 365 processes, has already been documented against Copilot Studio agents, alongside agents left publicly accessible without authentication.
What is AI agent memory poisoning?
It is the practice of planting false information into an agent’s memory so it keeps acting on it after the original attack. Microsoft documented a real case in February 2026 affecting 31 companies.
Does Microsoft’s Agent 365 governance toolkit solve agent security on its own?
It adds a meaningful runtime security layer and maps directly to OWASP risks, but it governs what runs on Microsoft’s platform. It does not replace an organisation’s own inventory, lifecycle, and monitoring discipline.
How should IT teams start governing AI agent 365 today?
Build a full inventory of agents 365 and their identities, apply least privilege, audit memory and grounding sources, set lifecycle rules, and monitor actions continuously rather than periodically.
Ready to see this in your tenant?
Run a free TeamsFox M365 analysis, no contract, no account changes. You will see your licence, storage, and governance exposure within 30 minutes.
Conclusion
Microsoft naming its own OWASP gaps in public is a sign that the agentic AI governance conversation has moved past hype and into damage control. That is a healthy shift. It also means the window for IT leaders to build governance habits before the first major disclosed breach is closing, not opening.
The governance principles do not change because the technology is new. Inventory what exists. Scope permissions tightly. Decommission what nobody owns anymore. Watch continuously instead of quarterly. Those habits are transferable to agents today, with or without a dedicated tool.
Organisations that build that discipline now, while agents are still novel enough to be inventoried by hand, will be the ones in control when agents become standard infrastructure rather than an experiment IT is still trying to map.
About TeamsFox
TeamsFox is a Franco-German Microsoft 365 management platform that gives IT teams tenant-wide visibility across licensing, storage, and governance. Customers cut licence costs by 30%, reduce admin time by 60%, and lower storage costs by 40%. TeamsFox is trusted in more than 20 countries across Europe, MENA, and Asia.