Key insight
The agent registry is the single, authoritative catalogue of every agent. Microsoft describes it as providing centralized metadata management, secure agent discovery, and automatic organization into security collections. It stores each agent’s identity, capabilities, tasks, and protocols; lets agents and governance safely find each other; and sorts related agents into managed groups. Because you cannot permission, watch, or retire what you have not catalogued, the registry is the backbone every other agent-governance capability depends on — and the direct cure for shadow agents.
Of all the moving parts in agent governance, the least glamorous is a list — and it is also the most important. A camera is useless if you do not know who belongs in the building; a permission is meaningless if you do not know the thing you are permissioning exists. The registry is that list for agents, and this article is about why a good one is the foundation everything else is built on.
1 · The most important thing a control plane owns is a list
A registry, in ordinary English, is an official list or record — a register of births, a registry of voters. The agent registry is the same idea applied to agents: the single, authoritative catalogue of every agent operating in the organisation. “Authoritative” is the load-bearing word: it is meant to be the answer to “how many agents do we have, and what are they?”, not one of several partial answers scattered across tools.
Why start here? Because every other capability presupposes it. Setting permissions, watching behaviour, protecting against threats, retiring an agent — each acts on an agent that must first be known. A control plane that cannot produce a complete, trustworthy list of what it governs is not really in control. So the registry is not one feature among many; it is the ground the others stand on.
2 · What the registry stores: metadata
Microsoft says the registry provides centralized metadata management. Metadata simply means data about a thing — its description rather than its work. For an agent, the registry keeps that description in one place. Microsoft names the kinds of metadata it manages: an agent’s capabilities, its tasks, and the protocols it uses, all alongside its identity.
- Capabilities — what the agent is able to do.
- Tasks — what it is meant to do; the jobs it exists for.
- Protocols — the standard languages it speaks to communicate, such as the Model Context Protocol for connecting to tools, or agent-to-agent for talking to other agents.
“Centralized” matters as much as the contents. If this description lived in five different tools, you would be back to the fragmentation that leaves seams for agents to slip through. One catalogue, one description per agent, is what makes the whole population knowable at a glance.
3 · Secure agent discovery
A static list would be useful, but the registry does more: it enables secure agent discovery. Discovery means the ability to find things and learn what they are; “secure” means it happens under authorisation, not as an open free-for-all. Two audiences use discovery.
First, governance: administrators and security tools can find every agent and read its description from the one catalogue. Second, and more interestingly, agents themselves. Microsoft notes the platform provides “agent-to-agent discovery and authorization based on standard protocols such as MCP and A2A.” That means one agent can discover another, learn what it can do, and be authorised to work with it — over open standards rather than private wiring. The registry is what makes such agent-to-agent cooperation something the organisation can see and control, rather than a tangle of hidden connections.
4 · Security collections: grouping agents to govern them
A flat list of ten thousand agents is technically complete and practically unusable. So the registry also provides automatic organization into security collections. A security collection is a managed grouping that keeps related agent identities together so they can be governed as a set rather than one at a time.
The value is leverage. If you can apply a policy, a review, or a report to a collection, you act on many agents in one move — the same reason folders beat a heap of loose files. “Automatic” is the helpful part: the registry organises agents into these collections for you, so grouping is not a manual chore you will fall behind on. Collections are how a large population stays governable: you reason about kinds and groups, not endless individuals.
Governing ten thousand agents one at a time is impossible. Governing a few dozen collections is routine. Security collections are how the registry turns an unmanageable crowd into a manageable set of groups — automatically.
5 · How the registry exposes shadow agents
Recall the most dangerous form of agent sprawl: the shadow agent — an agent operating in the environment that nobody responsible ever registered or approved. A complete registry is the direct answer to it. The logic is simple: if every legitimate agent must appear in the authoritative catalogue, then an agent that is not in it stands out. The registry turns “we have no idea what is running” into “here is everything we know about, so anything else is worth investigating.”
This is why discovery and registration are two sides of one coin. Discovery surfaces what exists; the registry records what is approved. The gap between them — things discovered but not properly registered and owned — is exactly the list a security team wants to work through. Without a registry there is no baseline of “known good,” and therefore no way to define “unknown” at all.
6 · Why the registry is the backbone
Pulling it together: the registry is not one capability sitting beside the others — it is the one they all stand on. Consider each in turn. Access control needs a known agent to attach permissions to. Monitoring needs a known agent to record activity against. Threat protection needs a known agent to defend. Lifecycle management needs a known agent to retire. Remove the registry and every one of those loses the thing it acts upon.
That is why Microsoft positions the registry as central to the platform, providing the “centralized metadata management, secure agent discovery, and automatic organization into security collections” that the rest of agent security builds on. A list is unglamorous. It is also the difference between governing agents and merely hoping you know what they are.
7 · Glossary — every short-form term, spelled out
- Agent registry
- The single, authoritative catalogue of every agent in an organisation, providing centralized metadata, secure discovery, and automatic grouping.
- Metadata
- Data about a thing — its description rather than its work. For an agent: its identity, capabilities, tasks, and protocols.
- Capabilities
- What an agent is able to do.
- Tasks
- What an agent is meant to do — the jobs it exists for.
- Protocols
- The standard languages an agent uses to communicate, such as the Model Context Protocol (MCP) or agent-to-agent (A2A).
- Discovery
- The ability to find things and learn what they are; in the registry, done securely under authorisation.
- MCP (Model Context Protocol)
- A standard way for an agent to connect to tools and data sources.
- A2A (agent-to-agent)
- A standard that lets agents discover and communicate with one another.
- Security collection
- A managed grouping that keeps related agent identities together so they can be governed as a set.
- Shadow agent
- An agent operating in the environment that was never registered or approved — exposed by a complete registry.
The registry is the single, authoritative catalogue of every agent — the most important thing a control plane owns.
It provides centralized metadata management: each agent’s identity, capabilities, tasks, and protocols, kept in one place.
It enables secure agent discovery — for governance, and for agents finding and being authorised to work with one another over open standards.
It automatically organises agents into security collections, so a large population can be governed as groups rather than individuals.
A complete registry is the direct cure for shadow agents: anything not on the authoritative list stands out.
Because permissioning, monitoring, protection, and retirement all act on a known agent, the registry is the backbone every other capability depends on.
References
- Microsoft Learn, Security for AI agents with Microsoft Entra Agent ID — the agent registry: metadata, discovery, security collections. learn.microsoft.com
- Microsoft Learn, Microsoft Entra security for AI overview — assign secure identities, auto-discover, agent-to-agent discovery. learn.microsoft.com
- Microsoft Learn, What is the Microsoft agent identity platform. learn.microsoft.com