In This Article
On May 1, 2026, Microsoft flips a switch that changes how your employees work. Agent 365 goes generally available at $15 per user per month, giving every licensed user the ability to deploy autonomous AI agents inside your Microsoft 365 tenant. These agents don't just answer questions. They execute multi-step tasks across Word, Excel, Outlook, Teams, and SharePoint, running for minutes or hours without human intervention.
For credit unions, community banks, and mortgage companies, that last sentence should trigger an immediate question: what governance controls do we need in place before autonomous AI starts touching our data? The answer isn't a policy document you can write over a weekend. It's a set of technical configurations that most financial institutions haven't started yet.
Microsoft announced the governance gap data months ago: 77% of financial institutions use AI tools, but only 37% have formal governance in place. Agent 365 widens that gap further because autonomous agents introduce risks that traditional Copilot usage didn't create. Agents act on behalf of users, inherit permissions, access sensitive data, and make decisions without real-time human oversight. Your institution has 32 days.
What Changed on March 9
Microsoft's Wave 3 announcement on March 9, 2026 introduced three shifts that financial institutions need to understand before Agent 365 goes live.
First, Copilot Cowork. This is Microsoft's new agentic capability built on Anthropic's Claude technology platform. Users describe an outcome, Cowork creates a plan, and then executes it across multiple applications. It can draft a loan committee presentation in Word, pull supporting data from Excel, email the package to reviewers through Outlook, and schedule a follow-up meeting in Teams. All autonomously. All using your institution's data.
Second, multi-model intelligence. Copilot now auto-selects between OpenAI's GPT models and Anthropic's Claude models depending on the task. The Researcher feature uses GPT to draft research reports and Claude to critique them for accuracy, scoring 13.8% higher on Microsoft's DRACO accuracy benchmark than single-model approaches. For financial institutions, this means your data now flows through two distinct AI model providers.
Third, the Frontier Suite. Microsoft bundled everything into a new M365 E7 license at $99 per user per month: E5, Copilot, Agent 365, and the Entra Suite. This isn't just a pricing change. It signals that Microsoft expects every enterprise to run autonomous agents within 12 months.
Anthropic's Claude integrated into Copilot. Agent 365 governance details published.
Free Copilot Chat restricted to chat-only experience. Paid Copilot unaffected.
Autonomous AI agents can be deployed across your tenant. E7 Frontier Suite available.
First state-level AI governance law with financial services impact takes effect.
Business Basic up 17%, Business Standard up 12%, E3 up 8.3%. Business Premium holds flat.
Why Agent 365 Governance Is Different
If your institution already deployed Copilot, you may assume the same governance controls apply. They don't. Traditional Copilot is reactive: a user asks a question, Copilot answers using data the user can already access. Agent 365 is proactive: an agent executes a multi-step workflow, accesses multiple data sources, and produces outputs without a human reviewing each step.
That distinction matters for regulated institutions because it changes the risk surface. An agent processing loan applications can touch borrower PII, pull credit data, access compliance documents, and generate regulatory filings in a single workflow. If any permission in that chain is misconfigured, the agent amplifies the exposure faster than any human user could.
- Agent 365
- Microsoft's control plane for managing, governing, and securing autonomous AI agents across an organization's M365 tenant. GA May 1, 2026 at $15/user/month.
- Entra Agent ID
- A unique Microsoft Entra identity assigned to each AI agent, giving it authentication, permissions, conditional access, and audit trails comparable to a human user account.
- Agent Registry
- A centralized inventory in the M365 Admin Center tracking all agents (sanctioned and shadow), their builders, data access scope, usage activity, and risk classifications.
- Copilot Cowork
- Microsoft's agentic capability built on Anthropic's Claude that executes long-running, multi-step tasks across M365 applications autonomously.
Microsoft's Agent 365 governance framework treats agents as first-class organizational identities. Each agent receives a unique Entra Agent ID with the same lifecycle management as human accounts: authentication, scoped permissions, conditional access policies, and time-limited access packages that auto-expire. The Agent Registry surfaces both sanctioned and shadow agents, with IT able to quarantine unauthorized deployments. For financial institutions, this means agent governance can plug directly into your existing Entra ID governance workflows.
Microsoft built strong governance primitives into Agent 365. The problem isn't the tooling. The problem is that most financial institutions haven't configured the prerequisites. Conditional Access policies need to cover agent identities. Purview DLP needs rules for agent-processed data. Sensitivity labels need to propagate to agent outputs. Audit logging needs to capture every agent action for examiner review. None of this happens automatically.
Five Controls to Configure Before May 1
Your institution needs these five governance controls operational before Agent 365 goes live. Configuring them after deployment creates a window where autonomous agents run with fewer restrictions than your human users.
Extend Microsoft Purview DLP to cover Copilot agent workflows. Block agents from processing SSNs, bank account numbers, credit card numbers, and ITINs without encryption. Create custom DLP policies for loan application data and NPI.
Create Conditional Access policies scoped to Entra Agent IDs. Restrict agent access to sensitive resources by network location, time window, and risk level. Require step-up verification for agents accessing regulated data classifications.
Configure sensitivity labels to propagate from source documents to agent outputs. When an agent processes a document labeled "Confidential - NPI," the output inherits that classification and its encryption requirements.
Enable audit trails for all agent activities in Microsoft Purview. Track resource access, data processed, decisions made, and policy violations. Configure retention policies that meet GLBA and examiner evidence requirements.
Document which business processes agents can and cannot execute. Define escalation triggers that require human review. Specify data classifications that agents cannot access without approval workflows.
These five controls aren't aspirational. They map directly to what OCC examiners evaluate under Bulletin 2023-17, the interagency guidance on third-party relationships and risk management. The bulletin requires banks to adopt risk management processes proportional to the complexity of their third-party relationships. An autonomous AI agent accessing your entire tenant qualifies as complex.
The Data Residency Question Your Regulator Will Ask
Here's the question your examiner will ask that most IT teams can't answer yet: when Copilot uses Anthropic's Claude to process your data, where does that processing happen?
Microsoft states that all Copilot data remains within the Microsoft 365 service boundary, protected by Enterprise Data Protection. Prompts and responses are never used to train foundation models. Tenant isolation prevents cross-tenant data visibility. These are meaningful protections.
But Anthropic is now a designated sub-processor for Microsoft 365 organizations using Copilot with Claude models. That sub-processor relationship, effective since January 7, 2026, creates documentation obligations under OCC third-party risk management guidance. Your institution needs to verify and document: how the data processing agreement covers Anthropic's role, whether data flows remain within U.S. jurisdiction for your regulated workloads, and how your shadow AI controls extend to multi-model architectures.
Your institution deploys Agent 365 without configuring DLP policies for agent-processed data. A mortgage loan officer's agent autonomously compiles a borrower package, pulling SSNs and bank statements from SharePoint, credit reports from a connected system, and denial history from archived emails.
The agent generates a summary containing NPI from denied applications alongside active applications. This creates a fair lending documentation risk, a potential ECOA violation, and an audit trail that shows the institution had no DLP controls on autonomous AI data access.
The scenario above isn't hypothetical. It's the natural consequence of deploying autonomous agents into a tenant where permissions were configured for human users browsing files manually. Copilot amplifies oversharing because agents actively surface data that was technically accessible but practically buried in folder structures no human would navigate.
The Governance Gap Most Institutions Won't Close in Time
The gap between what Agent 365 enables and what most financial institutions have configured is wider than any previous technology shift in banking IT. Cloud migration had years of runway. Copilot deployment had months. Agent 365 gives you 32 days from this article's publication to GA.
Default Agent Configuration
- Agents inherit user's full permission set
- No DLP policies specific to agent workflows
- No Conditional Access scoped to agent identities
- Sensitivity labels don't propagate to agent outputs
- Audit logging captures agent actions but lacks regulatory retention
- No documented acceptable use policy for autonomous AI
Governed Agent Configuration
- Agents receive scoped, time-limited permissions via access packages
- Purview DLP blocks agent processing of unencrypted NPI
- Conditional Access restricts agent data access by classification and context
- Sensitivity labels inherited from source to output automatically
- Audit trails with GLBA-compliant retention and examiner-ready reporting
- Board-approved AI acceptable use policy with defined escalation triggers
The left column is where most credit unions, community banks, and mortgage companies will be on May 1 if they don't act. Not because their IT teams are negligent, but because Agent 365's governance requirements are new. The Agent Registry, Entra Agent IDs, and agent-specific Conditional Access policies didn't exist before the Wave 3 announcement. Financial institutions that hardened their tenants for standard Copilot still have work to do.
Federal Reserve Supervisory Letter SR 11-7 applies to all AI/ML models in banking, including third-party models accessed through Microsoft 365. The letter requires effective challenge of complex models by objective, informed parties, understanding of model limitations, and ongoing validation. Agent 365 adds a layer: the autonomous agents themselves become "models" that need governance, separate from the foundation models they run on.
How ABT Bridges the Gap
Access Business Technologies has configured AI governance frameworks for 750+ financial institutions. Agent 365 governance extends the same Guardian operating model that already wraps around your M365 tenant.
Guardian's hardening templates cover 160+ Microsoft Secure Score controls across 11 categories, including Conditional Access, Defender, DLP, and information protection. For Agent 365, ABT extends those templates to cover agent identities: new Conditional Access policies scoped to Entra Agent IDs, DLP rules for agent-processed data classifications, sensitivity label propagation to agent outputs, and audit retention policies that satisfy GLBA Safeguards Rule requirements.
Guardian's continuous monitoring detects compliance drift in real time. When an agent's permissions change, when a DLP policy is bypassed, or when an agent accesses data outside its authorized scope, Guardian surfaces the issue before your next examination. This is the operational evidence examiners expect under OCC Bulletin 2023-17: documented, continuous, and auditable.
The Treasury Department's Financial Services AI Risk Management Framework, published February 2026, calls for lifecycle risk management, governance integration, and transparency across all AI deployments. ABT's approach maps directly to this framework because Guardian was built for the same regulatory reality these newer guidelines describe.
Frequently Asked Questions
Agent 365 is Microsoft's control plane for managing, governing, and securing autonomous AI agents across an organization's Microsoft 365 tenant. It goes generally available on May 1, 2026, priced at $15 per user per month. It includes an Agent Registry, Entra Agent IDs for each agent, Conditional Access policy support, Microsoft Purview integration for DLP and audit logging, and Microsoft Defender integration for threat detection.
Microsoft states that all Copilot data remains within the Microsoft 365 service boundary, protected by Enterprise Data Protection. Anthropic became a designated sub-processor for Microsoft 365 Copilot effective January 7, 2026. Prompts and responses are not used to train foundation models, and tenant isolation prevents cross-tenant data visibility. However, financial institutions should review the updated Data Processing Agreement to document the sub-processor relationship for regulatory compliance purposes.
Financial institutions should configure five controls before Agent 365 goes live: DLP policies extended to agent-processed data in Microsoft Purview, Conditional Access policies scoped to Entra Agent IDs, sensitivity label inheritance from source documents to agent outputs, audit logging with regulatory retention periods, and a board-approved acceptable use policy for autonomous AI that defines which processes agents can execute and what triggers human review.
OCC Bulletin 2023-17, the interagency guidance on third-party relationships published June 6, 2023, requires banks to adopt risk management processes proportional to the complexity of their third-party relationships. Agent 365 introduces autonomous AI agents that access organizational data through Microsoft's platform, with Anthropic as a sub-processor. This creates a multi-layered third-party relationship that examiners will evaluate for due diligence, ongoing monitoring, contractual protections, and documented risk assessments.
Standard Copilot is reactive: a user asks a question, and Copilot responds using data the user can access. Agent 365 agents are proactive: they execute multi-step workflows autonomously, accessing multiple data sources and producing outputs without human review at each step. This requires additional governance controls including agent-specific identities in Entra ID, scoped permissions with automatic expiration, DLP policies covering agent data processing, and audit trails that track every autonomous action for regulatory evidence.
Access Business Technologies extends its Guardian operating model to cover Agent 365 governance for 750+ financial institutions. This includes configuring Conditional Access policies for Entra Agent IDs, extending DLP rules to agent-processed data, setting up sensitivity label propagation, configuring audit retention for GLBA compliance, and documenting acceptable use policies. Guardian's continuous monitoring then tracks compliance drift across all agent activities, providing the operational evidence examiners expect under OCC Bulletin 2023-17.
32 Days Until Autonomous AI Enters Your Tenant
ABT configures DLP, Conditional Access, audit logging, and acceptable use policies for credit unions, community banks, and mortgage companies before Agent 365 goes live on May 1.
