TL;DR: As Microsoft reports more than 230,000 organisations, including 90% of the Fortune 500, using Copilot Studio to build custom agents, Zenity’s analysis shows why unauthenticated inputs, tool chaining, and indirect prompt injection can turn workflow automation into data exposure risk. Inline, behavior-driven controls are becoming the governance baseline for AI agents.
NHIMG editorial — based on content published by Zenity: Preventing AI Agents from Going Rogue with inline protection in Microsoft Copilot Studio
By the numbers:
- While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams prevent AI agents from acting on malicious input?
A: Security teams should treat every external prompt, email, ticket, or chat message as untrusted input until it is validated against policy.
Q: Why do AI agents complicate identity governance more than standard automation?
A: AI agents complicate identity governance because they do not just execute scripted steps.
Q: What do teams get wrong about public agent workflows?
A: Teams often assume a public workflow is safe if it has no login or human approval step.
Practitioner guidance
- Classify every agent trigger path: Map whether the agent can be activated by public flows, email, chat, or other untrusted inputs, then disable any path that can reach sensitive tools without review.
- Enforce runtime policy at tool invocation: Block or step up high-risk actions before the tool call executes, especially for CRM writes, email sends, and cross-system reads.
- Build an agent inventory with real ownership: Record who created each agent, which identities and connectors it uses, and what data it can reach.
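The three guidance items above fit together as one control loop: an inventory record that names an owner and the agent's triggers and tools, a check that flags untrusted trigger paths able to reach high-risk tools, and a policy decision taken before each tool call executes. The Python below is an added illustration of that loop, not Zenity's product code and not a Copilot Studio API; the agent record, trigger names, tool names and the tainted argument values are constructed for the example.

```python
# Added illustration of a runtime policy gate for agent tool calls.
# Not Zenity's or Microsoft's code; every name below is constructed.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"        # authenticated internal caller
    UNTRUSTED = "untrusted"    # public chat, inbound email, external ticket


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"        # hold for human approval before executing
    BLOCK = "block"


@dataclass(frozen=True)
class Tainted:
    """A value carried together with the trust level of its origin, so that
    content taken from an untrusted message is still untrusted when the model
    later places it into a tool argument (the indirect prompt injection path)."""
    value: str
    trust: Trust


@dataclass
class Agent:
    """Inventory record: who owns the agent, how it can be triggered, what it may call."""
    name: str
    owner: str
    triggers: dict[str, Trust]   # trigger path -> trust of whoever can fire it
    tools: frozenset[str]        # connectors/tools the agent was granted


# Actions whose side effects leave the tenant or change records of value.
HIGH_RISK_TOOLS = frozenset({"crm.write", "email.send", "cross_system.read"})


def risky_untrusted_paths(agent: Agent) -> list[str]:
    """Guidance item 1: trigger paths an untrusted caller can use while the
    agent also holds a high-risk tool. Each should be disabled or put behind review."""
    if not agent.tools & HIGH_RISK_TOOLS:
        return []
    return sorted(t for t, trust in agent.triggers.items() if trust is Trust.UNTRUSTED)


def evaluate_tool_call(agent: Agent, trigger: str, tool: str,
                       args: dict[str, Tainted]) -> Decision:
    """Guidance item 2: decision taken before the tool call runs. Fails closed."""
    if tool not in agent.tools:
        return Decision.BLOCK            # not in the inventory: never granted
    trust = agent.triggers.get(trigger)
    if trust is None:
        return Decision.BLOCK            # unknown trigger path: fail closed
    if tool not in HIGH_RISK_TOOLS:
        return Decision.ALLOW
    # High-risk tool: block when the session itself is untrusted, or when any
    # argument was derived from untrusted content, regardless of session trust.
    if trust is Trust.UNTRUSTED or any(a.trust is Trust.UNTRUSTED for a in args.values()):
        return Decision.BLOCK
    return Decision.STEP_UP              # trusted caller, still needs approval


# Guidance item 3, constructed inventory entry: a triage agent with a public chat trigger.
SUPPORT_AGENT = Agent(
    name="support-triage",
    owner="owner@example.invalid",
    triggers={"public_chat": Trust.UNTRUSTED,
              "inbound_email": Trust.UNTRUSTED,
              "internal_teams": Trust.TRUSTED},
    tools=frozenset({"kb.search", "crm.write", "email.send"}),
)


def demo() -> dict[str, str]:
    """Exercise the gate with constructed calls; returns decision names by case."""
    from_email = Tainted("text copied from an inbound email", Trust.UNTRUSTED)
    from_staff = Tainted("text typed by an authenticated employee", Trust.TRUSTED)
    return {
        "kb_from_public": evaluate_tool_call(SUPPORT_AGENT, "public_chat", "kb.search",
                                             {"query": from_email}).value,
        "crm_from_public": evaluate_tool_call(SUPPORT_AGENT, "public_chat", "crm.write",
                                              {"record": from_email}).value,
        "email_internal_tainted": evaluate_tool_call(SUPPORT_AGENT, "internal_teams", "email.send",
                                                     {"body": from_email}).value,
        "email_internal_clean": evaluate_tool_call(SUPPORT_AGENT, "internal_teams", "email.send",
                                                   {"body": from_staff}).value,
        "tool_not_granted": evaluate_tool_call(SUPPORT_AGENT, "internal_teams", "cross_system.read",
                                               {}).value,
        "unknown_trigger": evaluate_tool_call(SUPPORT_AGENT, "webhook", "kb.search", {}).value,
    }


if __name__ == "__main__":
    print("untrusted paths reaching high-risk tools:", risky_untrusted_paths(SUPPORT_AGENT))
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The point of the `Tainted` wrapper is the case the editorial highlights: an authenticated employee's session can still carry untrusted content (an email body the agent read earlier), so the gate keys on where each argument came from, not only on who started the conversation. In a real deployment the decision function would be called by the orchestration layer, and the inventory would be generated from the tenant's agent and connector configuration rather than hand-written.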
What's in the full article
Zenity's full research covers the operational detail this post intentionally leaves for the source:
- A working demo narrative showing how indirect prompt injection reaches a misconfigured Copilot Studio agent.
- The inline prevention flow Zenity describes for intercepting risky tool invocation in real time.
- The specific misconfiguration patterns observed in the Black Hat 2025 demo, including unauthenticated chat inputs and public trigger exposure.
- The root-cause analysis approach for tracing privilege misuse and insecure triggers back to the agent configuration.
👉 Read Zenity's analysis of rogue AI agents and inline protection in Copilot Studio →
Explore further
Inline protection is becoming the governance boundary for AI agents: traditional IAM controls stop at authentication and entitlement assignment, but agent risk unfolds after access is already granted. Once an agent can interpret untrusted input and invoke tools autonomously, the decisive question becomes whether the action is blocked at runtime. That shifts security from perimeter trust to behaviour control, which is now the relevant governance layer for enterprise agents.
A few things that frame the scale:
- While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility, according to AI Agents: The New Attack Surface report.
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
A question worth separating out:
Q: How can organisations tell whether AI agent controls are working?
A: Controls are working when teams can identify every agent, every trigger, every connected tool, and every identity the agent can use, then prevent unauthorised actions in real time. If those relationships are not visible, the organisation is already operating with a governance blind spot.
👉 Read our full editorial: AI agent governance needs inline protection against rogue behavior