TL;DR: As Microsoft reports more than 230,000 organisations, including 90% of the Fortune 500, using Copilot Studio to build custom agents, Zenity’s analysis shows why unauthenticated inputs, tool chaining, and indirect prompt injection can turn workflow automation into data exposure risk. Inline, behavior-driven controls are becoming the governance baseline for AI agents.
NHIMG editorial — based on content published by Zenity: Preventing AI Agents from Going Rogue with inline protection in Microsoft Copilot Studio
By the numbers:
- While 71% of IT teams have been advised on AI agent data access, only 47% of compliance teams, 39% of legal teams, and 34% of executives have the same visibility.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams prevent AI agents from acting on malicious input?
A: Security teams should treat every external prompt, email, ticket, or chat message as untrusted input until it is validated against policy.
Q: Why do AI agents complicate identity governance more than standard automation?
A: AI agents complicate identity governance because they do not just execute scripted steps.
Q: What do teams get wrong about public agent workflows?
A: Teams often assume a public workflow is safe if it has no login or human approval step.
Practitioner guidance
- Classify every agent trigger path: Map whether the agent can be activated by public flows, email, chat, or other untrusted inputs, then disable any path that can reach sensitive tools without review.
- Enforce runtime policy at tool invocation: Block or step up high-risk actions before the tool call executes, especially for CRM writes, email sends, and cross-system reads.
- Build an agent inventory with real ownership: Record who created each agent, which identities and connectors it uses, and what data it can reach.
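The runtime gate described in the guidance above, written out as an added example (this is not Zenity's code and not a Copilot Studio API): an inline policy check that runs before each tool call and blocks or steps up the high-risk actions the page names when the agent was activated by an untrusted trigger. The trigger labels, tool labels and the `Invocation` record are assumptions made for the illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # hold the call until a human approves it
    BLOCK = "block"


# Trigger channels treated as untrusted input (labels are assumed).
UNTRUSTED_TRIGGERS = {"public_flow", "email", "chat_unauthenticated"}

# High-risk actions called out in the guidance (labels are assumed).
HIGH_RISK_TOOLS = {"crm_write", "email_send", "cross_system_read"}


@dataclass
class Invocation:
    agent: str
    trigger: str            # channel that activated the agent
    tool: str               # tool the agent is about to call
    args: dict
    approved: bool = False  # set once a step-up has been approved


def evaluate(inv: Invocation) -> Decision:
    """Policy evaluated inline, before the tool executes."""
    untrusted = inv.trigger in UNTRUSTED_TRIGGERS
    high_risk = inv.tool in HIGH_RISK_TOOLS
    if untrusted and high_risk:
        # Content from an untrusted channel never drives a sensitive
        # action directly; this is the indirect-prompt-injection path.
        return Decision.BLOCK
    if high_risk and not inv.approved:
        return Decision.STEP_UP
    return Decision.ALLOW


def run_tool(inv: Invocation, tools: dict, audit: list) -> Optional[str]:
    """Gate between the agent's plan and the tool; every decision is logged."""
    decision = evaluate(inv)
    audit.append((inv.agent, inv.trigger, inv.tool, decision.value))
    if decision is Decision.ALLOW:
        return tools[inv.tool](**inv.args)
    return None  # blocked or awaiting approval: the tool never runs
```

The audit list gives the per-agent record of trigger, tool and outcome that the inventory and root-cause work in the guidance rely on.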
What's in the full article
Zenity's full research covers the operational detail this post intentionally leaves for the source:
- A working demo narrative showing how indirect prompt injection reaches a misconfigured Copilot Studio agent.
- The inline prevention flow Zenity describes for intercepting risky tool invocation in real time.
- The specific misconfiguration patterns observed in the Black Hat 2025 demo, including unauthenticated chat inputs and public trigger exposure.
- The root-cause analysis approach for tracing privilege misuse and insecure triggers back to the agent configuration.
👉 Read Zenity's analysis of rogue AI agents and inline protection in Copilot Studio →