Microsoft Launches AI Agent Control Plane, Yet It Still Lacks Key Capabilities
8 strategies highlight the gaps: while Microsoft’s Agent 365 control plane—launching May 1, 2026—offers a registry, observability and risk signals, it still can’t enforce just‑in‑time provisioning, token security or treat agents as first‑class identities, reports indicate.
Key Facts
- Key company: Microsoft
Microsoft’s Agent 365 control plane arrives as a unified “one‑stop shop” for enterprises that want to treat AI agents the same way they manage employees in Entra ID. The platform, which will be generally available on May 1, 2026, bundles an Agent Registry, behavioral observability, and risk signals drawn from Microsoft Defender, Entra and Purview, plus a set of security‑policy templates, according to the Nexus Guard report (Mar 17). For organizations that keep all of their agents inside a single Azure tenant, this centralization simplifies provisioning, monitoring and compliance, echoing Strata’s “identity orchestration” recommendation that agents be governed by the same policies that protect users and devices.
However, the same analysis points out that the model assumes every agent lives inside the customer’s tenant—a premise that is rapidly eroding. When an internal agent must call an external service—whether a vendor‑supplied chatbot, a partner‑hosted workflow, or an open‑source tool—the Agent 365 registry has no visibility into that third‑party entity. The report notes that “your registry doesn’t know their agents; their registry doesn’t know yours,” leaving cross‑tenant interactions to fallback mechanisms such as static API keys and trust‑on‑first‑use, which Strata explicitly flags as insecure in its “8 strategies for AI agent security.” In other words, Microsoft’s solution solves internal governance but leaves the inter‑agent trust problem unaddressed.
The missing primitive, as the Nexus Guard piece argues, is a portable, cryptographic identity that an agent can carry across tenants, clouds and vendors. The open‑source AIP (Agent Identity Protocol) project proposes exactly that: each agent generates its own Ed25519 key pair, derives a decentralized identifier (DID), and registers on a distributed network, enabling mutual verification without reliance on any single provider. AIP’s “Promise‑Delivery Ratio” trust scoring, which measures observed behavior against expected outcomes, provides a quantitative risk signal that can be consumed by any participating system. This contrasts with Agent 365’s reliance on Microsoft‑centric telemetry; AIP’s model works regardless of where the agent is hosted.
Industry voices converge on the need for such a cross‑boundary identity layer. Strata’s strategy paper calls for treating agents as “first‑class identities” with just‑in‑time provisioning, while the RSAC 2026 “machine‑first identity” pitch underscores the market demand for token‑security mechanisms that are not tied to human credentials. Both sources agree that agents must be able to prove who they are at runtime, but they differ on who should control that proof. Microsoft’s centralized approach offers elegance for internal compliance, yet it cannot extend to the heterogeneous ecosystems that modern AI deployments increasingly rely on.
Analysts suggest a hybrid strategy: use Agent 365 for internal agents—leveraging its integration with Defender, Entra and Purview for policy enforcement—and complement it with AIP identities for any external interactions. The Nexus Guard report explicitly recommends “use Agent 365 for internal governance; give each agent an AIP identity for cross‑boundary interactions.” By feeding AIP’s trust scores into Microsoft’s risk‑signal framework, enterprises could achieve a unified view of agent behavior while still honoring the decentralized identity model needed for inter‑tenant communication.
The gap highlighted by the report is not merely technical; it has tangible security implications. VentureBeat’s recent coverage of OpenClaw—a tool that can bypass EDR, DLP and IAM controls without triggering alerts—demonstrates how attackers exploit weak identity guarantees in multi‑agent environments. Without a portable, cryptographically verifiable identity, an adversary could masquerade as a legitimate external agent, sidestepping the very observability and risk signals that Agent 365 promises. Until Microsoft or another vendor delivers a cross‑tenant identity primitive, enterprises will have to stitch together internal control planes with third‑party solutions like AIP, or risk leaving a critical attack surface exposed.
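The portable identity described above (an Ed25519 key pair with a DID derived from it) and the masquerading risk it is meant to close can be sketched as a challenge-response check. This is an added example, not code from AIP, Microsoft or the cited reports; the `did:example:` encoding, the `agent-auth-v1` message layout and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed placeholder DID method; AIP's real DID encoding is not given on the page.
const didPrefix = "did:example:"

// NewAgent generates an Ed25519 key pair and derives a self-certifying DID from the public key.
func NewAgent() (string, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return didPrefix + hex.EncodeToString(pub), priv, err
}

// challengeMsg binds a proof to one verifier (audience) and one fresh nonce (hypothetical layout).
func challengeMsg(audienceDID string, nonce []byte) []byte {
	return []byte("agent-auth-v1|" + audienceDID + "|" + hex.EncodeToString(nonce))
}

// Prove signs the verifier's challenge with the agent's private key.
func Prove(priv ed25519.PrivateKey, audienceDID string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMsg(audienceDID, nonce))
}

// VerifyProof accepts only a signature made by the key embedded in claimedDID.
func VerifyProof(claimedDID, audienceDID string, nonce, sig []byte) error {
	raw, err := hex.DecodeString(strings.TrimPrefix(claimedDID, didPrefix))
	if !strings.HasPrefix(claimedDID, didPrefix) || err != nil || len(raw) != ed25519.PublicKeySize {
		return errors.New("malformed DID")
	}
	if !ed25519.Verify(ed25519.PublicKey(raw), challengeMsg(audienceDID, nonce), sig) {
		return errors.New("signature does not match claimed DID")
	}
	return nil
}

func main() {
	// Constructed demo: agent A proves its identity to verifier B.
	aDID, aKey, _ := NewAgent()
	bDID, _, _ := NewAgent()
	nonce := make([]byte, 16)
	rand.Read(nonce)
	fmt.Println("verification error:", VerifyProof(aDID, bDID, nonce, Prove(aKey, bDID, nonce)))
}
```

Unlike a static API key, the proof is useless to anyone who captures it: it is tied to one nonce and one verifier, and an agent that merely claims another agent's DID cannot produce a matching signature.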
Sources
No primary source found (coverage-based)
- Dev.to AI Tag