The interesting question with agents this year is no longer how capable they are — it is who they are. An autonomous system that reads your data, calls internal APIs, and acts on your behalf needs an identity, scoped permissions, and an owner, or it becomes the most privileged unmanaged account in your estate. Microsoft just made that explicit; the teams who treat it as a Microsoft feature rather than a design requirement will learn the lesson the expensive way.
Microsoft Agent 365 reached general availability at $15 per user per month, positioned as a single control plane to observe, secure, and govern AI agents. Each agent gets an Entra Agent ID, the same identity fabric that governs employees: admins extend conditional access and least-privilege rules from users to agents, Defender extends threat detection and vulnerability management to them, and lifecycle rules can automatically expire inactive agents. A registry and an "agents map" inventory every agent — Microsoft-built, partner, or self-registered — and chart what each one can reach.
The June 2026 Entra updates sharpened the governance layer. Every agent identity now requires a delegated human sponsor accountable for its access; if that sponsor leaves, lifecycle workflows transfer the responsibility to their manager rather than orphaning the agent. Policy-based runtime controls entered public preview, and Defender context mapping began charting the relationships between agents, their MCP servers, their identities, and the cloud resources they can touch.
Most teams deploy agents the way they deployed early scripts: on a shared service account, with a long-lived token and whatever scope was convenient. That worked when there was one integration. It does not work now that there are dozens of autonomous ones. Industry estimates already put non-human identities at 45 to 90 for every human in a typical enterprise, and every new agent widens the gap.
The security data has caught up with the trend. In one 2026 survey, 88% of organisations confirmed or suspected an AI-agent security incident in the prior year, yet only about a fifth treated their agents as independent, identity-bearing entities with their own controls — and most had no documented process for creating or retiring an AI identity at all. An agent without an identity is not a convenience; it is a credential with initiative, able to move laterally and act repeatedly the instant something goes wrong.
Microsoft is the loudest voice here, but it is not alone — identity vendors, cloud security groups, and standards bodies are all converging on the same conclusion: identity, not the model, becomes the real control plane for agents. The pattern that is forming looks a lot like how we already manage people and machines: a unique identity per agent, scoped and revocable credentials, a named owner, conditional access tied to context, an audit trail, and an expiry date. The novelty is applying all of it to something that acts on its own initiative.
You do not need Microsoft's SKU to act on this. Give every agent its own identity rather than a shared one, scope its credentials to the minimum tools and data it needs, attach a named human owner, and set it to expire by default so dormant agents disappear instead of lingering as forgotten access. Then make sure you can answer, for any agent in production, what it can reach and who is accountable for it — if you cannot, that is the work, regardless of platform.
The trap is treating identity as paperwork you bolt on after the agent works. Provisioning, scoping, and revocation are part of the agent's design, not a compliance afterthought, and they are far cheaper to build in at the prototype stage than to retrofit across a fleet already in production. Get this right and an agent is a governable teammate; skip it and you have shipped an autonomous account nobody owns.
Agent identity is a design decision, not a procurement one — and it is far cheaper to build in than to retrofit. If your team is trying to move an AI use case from demo to deployment, METECH helps scope, build, and validate the first working system in 2-3 weeks.