Key insight
The Agents at Risk card in the Microsoft 365 admin center gives a single, tenant-wide view of the agents with the highest-severity risks, aggregated from Microsoft Entra, Microsoft Purview, and Microsoft Defender at once. Three risk types are rated Critical: the shadow agent (no registry entry, owner, or identity), no owner assigned (no accountable sponsor), and excessive permissions. Each is a different missing safeguard — missing identity, missing accountability, missing restraint — and the model exists to turn an overwhelming inventory into a short, prioritised list.
Every control in this level of the series, access control, data protection, threat protection, is watching something. But watching thousands of agents produces thousands of small signals, and a security team cannot start every morning by reviewing all of them by hand. The Agents-at-Risk model exists to answer one practical question: out of everything being watched, what actually needs a human’s attention today?
1 · The problem: thousands of agents, one morning
Imagine a large organisation with several thousand registered agents. Even with a perfect registry, sound identities, and every protection described so far, a genuinely useful security posture needs one more thing: a way to prioritise. Not every agent is equally risky at any given moment, and a team that tries to review everything equally will end up reviewing nothing carefully. The practical need is a short, ranked list: here are the few agents that matter most right now.
2 · The Agents at Risk card
Microsoft’s answer sits directly in the Microsoft 365 admin centre’s Overview page: the Agents at Risk card. It provides a tenant-level summary of agents identified with high-severity risks, and it surfaces the top three most at-risk agents immediately, so attention goes to the worst problems first without requiring anyone to scroll through the full inventory.
Selecting “View agents” from the card takes an administrator straight to the All agents > Registry page, already pre-filtered and sorted by risk level. That single click replaces what would otherwise be manual filtering across the entire agent population — the card does the triage, so a human starts already looking at the right place.
3 · One score, three security systems
The card’s power comes from where its signal is drawn from: risk severity is aggregated across Microsoft Entra, Microsoft Purview, and Microsoft Defender at once. Rather than an administrator checking three separate dashboards and mentally combining what each one says, the model does that combining automatically and presents one ranked view.
This matters because a real risk often only becomes visible when you connect signals from more than one system: an identity anomaly from Entra, a data-handling flag from Purview, a behavioural alert from Defender, none conclusive alone, together forming a clear picture. Aggregation is what makes that combined picture something a person can act on in seconds rather than assemble by hand.
4 · The three critical risk types
Three specific risk types are rated at the highest severity, Critical. Each has a precise trigger:
- Shadow agent. Triggered when an agent has no registry entry, no owner, or no Microsoft Entra Agent ID. This is the exact unregistered, unaccountable actor earlier articles named as the most dangerous form of agent sprawl.
- No owner assigned. Triggered when an agent has no owner or sponsor on record. Even a properly registered agent is a risk if nobody is accountable for it.
- Excessive permissions. Detected using signals from both Entra and Defender together, flagging an agent that holds more access than its role appears to justify.
Each risk type comes with a direct path to remediation: a shadow agent can be resolved through the shadow-AI discovery flow described in the threat-protection article; a missing owner can be fixed by assigning one directly from the registry; excessive permissions point back to the access-control and least-privilege practices covered earlier in this level.
5 · What the three risks have in common
Look at the three risk types together and a pattern emerges. Each one is a different kind of missing safeguard: the shadow agent is missing identity and registration; the unowned agent is missing accountability; the over-permissioned agent is missing restraint. None of these are exotic attack techniques — they are the absence of the very basics this whole level has been building: a known identity, a named sponsor, and least privilege.
That is the real insight behind the Agents-at-Risk model. It is not a new, separate control sitting apart from everything else; it is the dashboard that reports, out of everything the earlier controls are watching, which of the basics are currently missing and where. Getting the basics right for every agent is, in a very real sense, what keeps an organisation’s Agents-at-Risk list short.
Every Critical risk on this list is a basic that was skipped: no identity, no owner, or too much access. The model does not invent new problems to find; it surfaces exactly where the fundamentals from this whole series were not followed.
6 · Glossary — every short-form term, spelled out
- Agents at Risk card
- A summary in the Microsoft 365 admin center Overview page showing the highest-severity agent risks tenant-wide.
- Risk severity
- A rating of how serious a detected risk is; the highest level is Critical.
- Aggregated risk
- A combined score built from signals across multiple security systems, rather than from any one system alone.
- Shadow agent
- An agent with no registry entry, no owner, or no Entra Agent ID — unregistered and unaccountable.
- No owner assigned
- A risk type triggered when an agent has no owner or sponsor on record.
- Excessive permissions
- A risk type triggered when an agent holds more access than its role justifies, detected via combined Entra and Defender signals.
- Agent registry
- The authoritative catalogue of every agent, which the risk-filtered view is drawn from.
A large agent population needs a way to prioritise, not just monitor everything equally.
The Agents at Risk card gives a tenant-wide, ranked view, surfacing the top three most at-risk agents immediately.
Its score aggregates signals from Entra, Purview, and Defender together, catching risks no single system would flag alone.
Three risk types are rated Critical: the shadow agent, no owner assigned, and excessive permissions.
Each of the three is a missing basic — identity, accountability, or restraint — not an exotic new attack.
The model is a dashboard on top of existing controls, not a replacement for getting identity, ownership, and least privilege right in the first place.
References
- Microsoft Learn, Manage agent registry in Microsoft 365 admin center — Agents at Risk card and the three critical risk types. learn.microsoft.com
- Microsoft Learn, Secure AI agents at scale using Microsoft Agent 365 — centralized visibility in the Agent 365 overview. learn.microsoft.com