TL;DR: Microsoft’s Agent 365 gives AI agents first-class identities and better visibility inside Entra, but it still leaves downstream OAuth grants, connector credentials, vault secrets, and many third-party or local agents outside runtime governance, according to Oasis Security. The real control gap is not agent identity itself; it is access governance for agents whose privileges drift faster than registry-based oversight can track.
NHIMG editorial — based on content published by Oasis Security: AI Agent Identity (Agent 365) Meets Access Governance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, 38% have no or low visibility, and a further 47% have only partial visibility.
Questions worth separating out
Q: How should security teams govern AI agents beyond identity registration?
A: Teams should govern AI agents the same way they govern other high-risk NHIs: by separating identity from entitlement, mapping downstream credentials, and continuously reviewing what the actor can actually do.
Q: Why do AI agents complicate NHI access reviews?
A: AI agents complicate access reviews because their privileges can change through new tools, widened scopes, and inherited permissions long after provisioning.
Q: What breaks when an agent identity layer does not include access governance?
A: What breaks is the assumption that visibility equals control.
Practitioner guidance
- Separate agent inventory from entitlement review: build a control process that reviews agent identity, downstream scopes, and tool access as three different approval artifacts.
- Map downstream credentials to every production agent: track OAuth grants, API keys, MCP tokens, connector permissions, and vault secrets for each agent so the actual blast radius is visible before go-live.
- Re-certify agent ownership and purpose on a fixed cadence: require a named business owner and a current use case for every agent, then revoke access when the owner changes or the business purpose no longer matches.
What's in the full article
Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:
- The product and runtime boundary between agent identity in Entra and downstream access governance outside the directory.
- The specific Microsoft ecosystem gaps around OAuth grants, connector permissions, and agent-to-agent delegation.
- The scope of shadow AI discovery across endpoints, SaaS, and non-Microsoft runtimes.
- The article's own examples of how owners, scopes, and execution paths drift in production.
👉 Read Oasis Security's analysis of Agent 365 and AI agent access governance → Agent 365 and AI agent access governance: what teams still miss?
Explore further
Identity visibility is not the same as access governance, and that gap is now the central NHI problem for AI agents. A directory can tell you an agent exists, but it cannot tell you whether the agent still needs its current scopes, connectors, or delegated credentials. That is why agent identity layers help with inventory while leaving the harder governance question unresolved. Practitioners should treat visibility as a prerequisite, not a control outcome.
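The three practitioner guidance items above (separate inventory from entitlement review, map downstream credentials, re-certify owner and purpose on a cadence) and the visibility-versus-governance point in the paragraph just above describe one review loop. The following script is an added illustration of that loop and is not code from Oasis Security, Microsoft, or the NHIMG editorial. It models the directory's view of an agent (identity, owner, purpose) separately from its access view (downstream credentials flattened into reviewable scope triples), then compares the live entitlements against the last signed-off baseline. All agent names, systems, scopes and dates are constructed for the example; the `Credential` kinds, the 90-day cadence and the finding codes are assumptions, not anything the page or either vendor defines.

```python
"""Agent entitlement review: directory inventory vs. access governance.

Added example with constructed data; not the page's or any vendor's code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# An entitlement is (credential kind, downstream target, scope). This is the unit
# that gets reviewed, independent of the agent's directory identity.
Entitlement = tuple[str, str, str]


@dataclass(frozen=True)
class Credential:
    kind: str               # assumed kinds: oauth_grant, api_key, mcp_token, connector, vault_secret
    target: str             # downstream system the credential reaches
    scopes: frozenset[str]  # permissions granted on that target


@dataclass
class Agent:
    agent_id: str                  # identity layer: what a directory can tell you
    owner: str
    purpose: str
    credentials: list[Credential]  # access layer: what the agent can actually do


@dataclass
class Certification:
    owner: str
    purpose: str
    certified_on: date
    approved: frozenset[Entitlement]  # entitlements the named owner signed off on


def effective_entitlements(agent: Agent) -> frozenset[Entitlement]:
    """Flatten every downstream credential into reviewable (kind, target, scope) triples."""
    return frozenset((c.kind, c.target, s) for c in agent.credentials for s in c.scopes)


def blast_radius(agent: Agent) -> dict[str, set[str]]:
    """Per downstream system, the union of scopes the agent holds (the pre-go-live view)."""
    radius: dict[str, set[str]] = {}
    for c in agent.credentials:
        radius.setdefault(c.target, set()).update(c.scopes)
    return radius


def review_agent(agent: Agent, cert: Certification | None, today: date,
                 cadence_days: int = 90) -> list[str]:
    """Compare what the agent can do now with what was last approved for it."""
    if cert is None:
        return ["UNCERTIFIED: no approved entitlement baseline on record"]
    findings: list[str] = []
    if agent.owner != cert.owner:
        findings.append(f"OWNER_CHANGED: {cert.owner} -> {agent.owner}; revoke until re-certified")
    if agent.purpose != cert.purpose:
        findings.append(f"PURPOSE_CHANGED: certified for '{cert.purpose}', now '{agent.purpose}'")
    age = today - cert.certified_on
    if age > timedelta(days=cadence_days):
        findings.append(f"STALE_CERTIFICATION: last reviewed {age.days} days ago (cadence {cadence_days})")
    current = effective_entitlements(agent)
    # Scopes gained since sign-off: the drift that registry-based oversight does not see.
    for kind, target, scope in sorted(current - cert.approved):
        findings.append(f"DRIFT: {kind} on {target} gained scope '{scope}' outside the approved baseline")
    # Approved but no longer held: prune from the baseline so it cannot be silently re-used.
    for kind, target, scope in sorted(cert.approved - current):
        findings.append(f"BASELINE_STALE: approved {kind} scope '{scope}' on {target} is no longer held")
    return findings


def review_fleet(agents: dict[str, Agent], certs: dict[str, Certification],
                 today: date, cadence_days: int = 90) -> dict[str, list[str]]:
    """Run the review over every agent in the inventory, certified or not."""
    return {aid: review_agent(a, certs.get(aid), today, cadence_days) for aid, a in agents.items()}


# Constructed sample inventory: hypothetical agents, systems, scopes and dates.
TODAY = date(2025, 3, 1)

AGENTS: dict[str, Agent] = {
    "invoice-agent": Agent(
        "invoice-agent", "finance-ops", "match vendor invoices to purchase orders",
        [Credential("oauth_grant", "sharepoint", frozenset({"Sites.Read.All"})),
         Credential("connector", "erp", frozenset({"invoice.read"}))]),
    "support-agent": Agent(  # owner changed and scopes widened after sign-off
        "support-agent", "contractor-x", "draft replies to support tickets",
        [Credential("oauth_grant", "mail", frozenset({"Mail.Read", "Mail.Send"})),
         Credential("vault_secret", "crm", frozenset({"contacts.write"}))]),
    "shadow-agent": Agent(   # discovered in the inventory, never certified
        "shadow-agent", "unknown", "unknown",
        [Credential("api_key", "llm-gateway", frozenset({"invoke"}))]),
}

CERTS: dict[str, Certification] = {
    "invoice-agent": Certification(
        "finance-ops", "match vendor invoices to purchase orders", date(2025, 1, 15),
        frozenset({("oauth_grant", "sharepoint", "Sites.Read.All"),
                   ("connector", "erp", "invoice.read")})),
    "support-agent": Certification(
        "support-lead", "draft replies to support tickets", date(2024, 10, 1),
        frozenset({("oauth_grant", "mail", "Mail.Read")})),
}

if __name__ == "__main__":
    for aid, findings in review_fleet(AGENTS, CERTS, TODAY).items():
        print(aid, blast_radius(AGENTS[aid]), findings or ["OK"])
```

The point of keeping `Agent` and `Certification` as separate records is that the directory entry can be perfectly accurate while the review still fails: `support-agent` is a known, registered identity, yet the script flags an owner change, an expired certification and two scopes (`Mail.Send`, `contacts.write`) that nobody approved. Feeding real data in means replacing the constructed `AGENTS` and `CERTS` with exports from your OAuth consent records, connector configuration and vault, which is exactly the mapping step the guidance calls for.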
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
A question worth separating out:
Q: How do organisations compare agent identity platforms with access governance needs?
A: They should compare them on control scope, not branding. Identity platforms are useful when the problem is discovery, ownership, or sign-in policy. Access governance is required when the problem is runtime privilege, downstream credentials, or tool misuse across multiple environments.
👉 Read our full editorial: Agent 365 shows why identity is not access governance for AI agents