Microsoft warns enterprises to treat AI agents like employees in new security report
The company said 29% of workers have turned to unsanctioned AI agents, raising governance and security concerns
Microsoft has published a Cyber Pulse report urging enterprises to apply the same security standards to AI agents as they do to employees and service accounts.
The report found that more than 80% of Fortune 500 companies use active AI agents built with low-code or no-code tools, and that 29% of employees have adopted unsanctioned AI agents for work tasks.
Microsoft said agents now appear across sales, finance, security, customer service and product teams.
The report argues that longstanding Zero Trust security principles, an approach that assumes no user or system should be trusted by default, must be extended to AI agents, with emphasis on least privilege access, explicit verification and designing systems on the assumption that compromise can occur.
Cyber Pulse outlines five core capabilities that Microsoft considers essential for agent observability and governance: a centralised registry of all agents, identity and policy-driven access control, real-time visualisation and telemetry, interoperability across platforms and frameworks, and built-in security protections.
"AI becomes more than a breakthrough in technology; it becomes a breakthrough in human ambition," wrote Vasu Jakkal, corporate vice president of Microsoft Security.
The report's industry and regional metrics on agent usage are drawn from Microsoft's own first-party telemetry, measuring agents built with Microsoft Copilot Studio or Microsoft Agent Builder that were active during the last 28 days of November 2025.
The Recap
- Microsoft published Cyber Pulse on AI agent governance.
- More than 80% of Fortune 500 companies use active agents.
- Report based on Microsoft telemetry from November 2025.