Microsoft Adds AI Agent Governance Controls to Copilot Studio, Introducing Agent 365 and Analytics Viewer Role
What Happened — In April 2026 Microsoft released a major Copilot Studio update that adds Agent 365, a centralized control plane for observing, governing, and securing AI agents, and introduces an Analytics Viewer role that lets designated users view agent performance metrics without edit rights. The enhancements also expand workflow capabilities, allowing AI‑powered reasoning steps to be embedded securely.
Why It Matters for TPRM —
- Provides explicit visibility into the security posture of third‑party AI agents that may process sensitive data.
- Enables segregation of duties, reducing the risk of unauthorized configuration changes.
- Supplies audit‑ready analytics without exposing edit functions, supporting compliance and governance programs.
Who Is Affected — SaaS platforms, cloud‑hosted services, and enterprises that embed Microsoft Copilot Studio agents in their workflows (e.g., technology, financial services, healthcare, and consulting firms).
Recommended Actions — Review your organization’s inventory of Copilot Studio agents, map them to the new Agent 365 controls, assign the Analytics Viewer role to appropriate stakeholders, and update third‑party risk assessments to reflect the new governance capabilities.
Technical Notes — The update adds a control plane (Agent 365) that enforces shared policies, security controls, and lifecycle oversight for both Microsoft‑native and partner AI agents. The Analytics Viewer role is read‑only for analytics pages, preventing configuration changes. No new CVEs or vulnerabilities are disclosed.
Source: Help Net Security