Key insight

For decades, organisations managed exactly two kinds of thing: people and applications. AI agents are a third kind — software that acts on its own — and the controls built for the first two do not fully fit it. When agents are easy to create and nobody keeps a complete list, they multiply into agent sprawl, including shadow agents nobody approved. Closing that gap needs more than another point tool. It needs a single control plane built specifically to see, govern, and secure every agent at once.

Picture the front desk of a large building. For years the guard managed two lists. One list was employees: badge in, badge out, each person known and accountable. The other was equipment: the machines and tools the employees used, checked out and checked back in. Between those two lists, the guard could account for almost everything that happened in the building. Then, one week, a third kind of thing started walking through the doors on its own — something that was not an employee and was not a simple tool, but could open doors, sign for packages, and send messages by itself. The two lists no longer described reality. That third thing is the AI agent, and this article is about why it forces organisations to keep a new kind of list, managed in a new kind of way.

1 · The two kinds of actor every organisation already manages

In security, an actor is simply anything that can do something in a system — log in, read a file, call a service, send a message. For most of computing history there have been exactly two kinds of actor that mattered, and nearly every security tool ever built assumes one of them:

Access reviews, audit logs, joiner-mover-leaver processes, and identity systems were all shaped around those two categories. They work because both categories are predictable: a person follows a schedule and a job description; an application follows its code. The moment an actor stops being predictable in that way, the tools built around predictability start to strain.

2 · The new actor: what an AI agent actually is

An AI agent is software that can decide, on its own, which tools to call and which actions to take in order to complete a task — without a person approving each individual step. That last clause is the whole difference. A traditional application waits to be told exactly what to do. An agent is given a goal, and it works out the steps itself: which document to read, which application programming interface (API, a way for one piece of software to call another) to invoke, whether to send an email, whether to hand part of the job to a second agent.

Microsoft’s own framing captures why this is a genuinely new category rather than just a smarter app: agents “access documents, call APIs, send emails, and increasingly make decisions on behalf of users.” Because an agent acts, it behaves less like a program and more like a very fast, always-on, tireless employee — one that never sleeps, can be in many places at once, and does not have a manager watching each keystroke. Microsoft uses a precise term for this third category: a non-human actor. It is not a person, and it is not a passive application. It is something in between that the old two-list model was never designed to hold.

Three kinds of actor: a person, an application, and an AI agent, with the agent shown reaching many tools at once On the left, a person icon reaches one task. In the middle, an application box runs fixed code to one output. On the right, an AI agent box has arrows radiating to six different tools at once โ€” mail, files, an API, a database, another agent, and a calendar โ€” illustrating that the agent acts across many resources on its own. Person one task, human speed Application fixed code, one job AI agent decides & acts on its own MailFilesAPI DatabaseAgentCalendar
Figure 1. A person acts on one thing at a time; an application runs fixed code; an AI agent decides for itself and reaches across many tools at once. That reach is the source of both its usefulness and its risk.

3 · Agent sprawl and shadow agents: how the mess forms

Here is the uncomfortable part: agents are easy to create. A businessperson can build one in a low-code tool in an afternoon. A developer can spin one up in a professional platform. One can be bought pre-made from a partner. And every one of them, once created, quietly acquires access to documents, tools, and data. Multiply that by every team in a large organisation and a predictable thing happens: the number of agents explodes, and no single system knows about all of them.

Microsoft names this pattern directly. Agent sprawl is when “agents multiply across the organisation with no clear oversight or control.” Teams build agents in different environments, security teams lack a complete picture, and the organisation cannot consistently answer what each agent can access or how it behaves over time. A particularly dangerous slice of sprawl is the shadow agent: an agent operating in the tenant that was never registered or approved by anyone responsible for governance — the security equivalent of a person walking the building with a badge nobody issued.

Why sprawl is more than untidiness

Each agent that nobody tracks is an actor with real access and no accountability. As agents take on more autonomous responsibilities in critical workflows, the risk of even one unseen agent grows. You cannot secure, audit, or switch off something you do not know exists.

4 · Why controls built for people and apps do not fit agents

The instinct is to say: “We already manage identities and applications — just treat agents like one of those.” It half-works, and the half that fails is where the risk lives.

Microsoft states the core problem plainly: existing controls for users, applications, and data “don’t fully address how agents operate.” Yet crucially, the questions are not new — what can this thing access, who owns it, does it operate within policy — they are the same identity and access questions organisations already answer for people and apps. What is missing is a place that asks those questions about agents specifically, in a way that fits how agents actually behave.

5 · Why stitching point solutions together fails

Faced with a gap, the natural first move is to cover it with the tools already on hand: a little visibility from one portal, some access rules from another, a monitoring dashboard from a third. This is the point-solution approach — several narrow tools, each solving one slice. It feels pragmatic, and it fails for a reason security teams know well.

When visibility lives in one portal, access control in another, and threat detection in a third, the boundaries between the tools become blind spots. An agent registered in one system but invisible to another falls through the crack. Microsoft describes exactly this outcome: fragmentation forces teams to “stitch together visibility and control across fragmented tools, which introduces gaps and creates an inconsistent management experience.” Every seam between tools is a place where an agent can operate unseen — and seams are precisely where problems hide until they become incidents.

Fragmented tools with gaps between them, contrasted with a single control plane covering every agent On the left, three separate boxes labelled Visibility, Access, and Monitoring sit apart, with dashed red gap markers between them and one agent slipping through a gap unseen. On the right, one wide box labelled Control Plane sits over four agent icons together, each connected and accounted for. Point solutions, with seams Visibility Access Monitoring shadow agent slips through the gap One control plane, no seams Control plane every agent seen & accounted for
Figure 2. Point tools leave seams between them; a control plane is one surface that sees, governs, and secures every agent at once, so nothing slips through a gap.

6 · What a control plane has to provide

The phrase control plane comes from networking and cloud engineering. A control plane is the central layer that decides and directs, separate from the things doing the actual work. For agents, a control plane means one place, purpose-built, that can answer and act on every governance question about every agent — regardless of where the agent was built or bought. To do that, it has to bring together five things that were previously scattered:

This is precisely the shape of Microsoft Agent 365. Microsoft describes it as establishing “a unified way to track, govern, and secure agents so organizations can move from ad hoc experimentation to treating agents as a managed, trusted part of their operating environment,” with those capabilities powered underneath by services the organisation already runs — Microsoft Entra for identity, Microsoft Defender for threat protection, Microsoft Purview for data protection and compliance, and Microsoft Intune for device management. The next article defines Agent 365 itself, from zero.

Where this fits in the journey

This article made the case for a control plane in the abstract. The specific one is Microsoft Agent 365, and it is built from five pillars. You do not need any of that yet; you only need the idea that agents are a new kind of actor that needs a purpose-built place to be managed.

7 · Glossary — every short-form term, spelled out

Actor
In security, anything that can perform an action in a system — log in, read data, call a service, send a message.
AI agent
Software that can decide, on its own, which tools to call and which actions to take to complete a task, without a person approving each individual step.
Non-human actor
Microsoft’s term for an agent: an actor that is neither a human user nor a passive application, but acts on its own and so needs its own form of management.
API (application programming interface)
A defined way for one piece of software to call another and exchange data or trigger actions.
Standing access
Access that stays in place continuously, rather than being granted freshly for one task and removed afterward.
Agent sprawl
When agents multiply across an organisation with no clear oversight, so no single system knows about all of them or what they can reach.
Shadow agent
An agent operating in the environment that was never registered or approved by anyone responsible for governance.
Point solution
A narrow tool that solves one slice of a problem; several stitched together leave seams, and seams become blind spots.
Control plane
The central layer that decides and directs, separate from the things doing the work; for agents, one purpose-built place to see, govern, and secure every agent.
Lifecycle management
Handling something consistently from creation through retirement — for an agent, approve, deploy, monitor, block, and delete.
Tenant
An organisation’s own dedicated instance of a cloud service, containing its users, data, applications, and now its agents.
Key takeaways

Organisations have always managed two kinds of actor — people and applications — and their tools assume one of those two.
An AI agent is a third kind: software that decides and acts on its own, which Microsoft calls a non-human actor.
Because agents are easy to create and hard to track, they multiply into agent sprawl, including unapproved shadow agents.
Controls built for people assume human limits; controls built for apps assume fixed behaviour — an agent has neither.
Stitching point solutions together leaves seams, and agents slip through the seams.
The fix is a single control plane that unifies identity, observability, governance, security, and lifecycle for every agent at once — which is exactly what Microsoft Agent 365 is.

References

  1. Microsoft Learn, Why does an enterprise need Agent 365? — agent sprawl, non-human actors, and the case for a control plane. learn.microsoft.com
  2. Microsoft Learn, Overview of Microsoft Agent 365. learn.microsoft.com
  3. Microsoft Learn, Microsoft Entra Agent ID — first-class identity for agents. learn.microsoft.com
  4. This guide’s Anti-Patterns Catalogue — named agent design mistakes, several of which are what agent sprawl amplifies.