<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: stepbystep tocloud</title>
    <description>The latest articles on DEV Community by stepbystep tocloud (@stepbysteptocloud).</description>
    <link>https://dev.to/stepbysteptocloud</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4002234%2Fc2f2c6e4-dfc3-4675-b39c-968b36cecb26.png</url>
      <title>DEV Community: stepbystep tocloud</title>
      <link>https://dev.to/stepbysteptocloud</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/stepbysteptocloud"/>
    <language>en</language>
    <item>
      <title>Putting the agent governance model into production</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:17:58 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/putting-the-agent-governance-model-into-production-1p33</link>
      <guid>https://dev.to/stepbysteptocloud/putting-the-agent-governance-model-into-production-1p33</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;By this point, the governance design is no longer theoretical. The organisation has a defined path for discovering agents, classifying them, assigning accountability, applying custom security attributes, designing Conditional Access policies, governing access through access packages, maintaining sponsor continuity, and monitoring risk.&lt;/p&gt;

&lt;p&gt;The final step is to turn these design areas into a practical production rollout plan.&lt;/p&gt;

&lt;p&gt;This is where many governance efforts fail. The architecture may be sound, but if the rollout is too broad, too manual, or unclear to operational teams, it becomes difficult to sustain. The goal should be a phased rollout that proves the model with a small controlled set of agents before expanding to the wider estate.&lt;/p&gt;

&lt;h2&gt;
  
  
  Start with a pilot, not the full estate
&lt;/h2&gt;

&lt;p&gt;Do not try to govern every agent on day one.&lt;/p&gt;

&lt;p&gt;Start with a representative pilot group that includes different agent types and governance states. The pilot should include a mix of:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One or more &lt;strong&gt;Microsoft Entra Agent ID-backed agents&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;A few &lt;strong&gt;approved production agents&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;A few agents with &lt;strong&gt;missing owner or sponsor&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;One or two &lt;strong&gt;unknown or ReviewRequired agents&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;An agent with &lt;strong&gt;higher sensitivity or business criticality&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;If available, a third-party or registry-synced agent for comparison&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This helps validate whether the governance model works across real scenarios. It also helps confirm where controls apply cleanly and where additional validation is required.&lt;/p&gt;

&lt;h2&gt;
  
  
  Define rollout phases clearly
&lt;/h2&gt;

&lt;p&gt;A practical rollout can be structured into phases.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Phase&lt;/th&gt;
&lt;th&gt;Focus&lt;/th&gt;
&lt;th&gt;Outcome&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Phase 1&lt;/td&gt;
&lt;td&gt;Inventory and classification&lt;/td&gt;
&lt;td&gt;Agents visible and grouped by source, identity model, owner, sponsor, and access pattern&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 2&lt;/td&gt;
&lt;td&gt;Accountability cleanup&lt;/td&gt;
&lt;td&gt;Missing owners, sponsors, orphaned agents, and unknown agents identified and actioned&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 3&lt;/td&gt;
&lt;td&gt;Custom security attributes&lt;/td&gt;
&lt;td&gt;Approved schema created and pilot agents tagged with governance metadata&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 4&lt;/td&gt;
&lt;td&gt;Conditional Access report-only&lt;/td&gt;
&lt;td&gt;Agent policies tested without enforcement&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 5&lt;/td&gt;
&lt;td&gt;Access package pilot&lt;/td&gt;
&lt;td&gt;Approved agents receive governed, time-bound access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 6&lt;/td&gt;
&lt;td&gt;Lifecycle workflow pilot&lt;/td&gt;
&lt;td&gt;Sponsor transition scenarios validated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 7&lt;/td&gt;
&lt;td&gt;Monitoring and operations&lt;/td&gt;
&lt;td&gt;Risk review, access expiry, attribute drift, and ownership hygiene become recurring checks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Phase 8&lt;/td&gt;
&lt;td&gt;Wider enforcement&lt;/td&gt;
&lt;td&gt;Controls expanded from pilot to production cohorts&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This phased approach avoids accidental blocking and gives the customer confidence before enforcement.&lt;/p&gt;

&lt;h2&gt;
  
  
  Define decision gates
&lt;/h2&gt;

&lt;p&gt;Each phase should have a decision gate. A decision gate is a simple checkpoint that confirms whether the customer is ready to move to the next stage.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Gate&lt;/th&gt;
&lt;th&gt;Question to answer&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Inventory gate&lt;/td&gt;
&lt;td&gt;Do we know what agents exist and where they came from?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Classification gate&lt;/td&gt;
&lt;td&gt;Do we know which agents are Agent ID-backed, legacy, third-party, shadow, system-generated, or unknown?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Accountability gate&lt;/td&gt;
&lt;td&gt;Do production agents have valid owners and sponsors?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Metadata gate&lt;/td&gt;
&lt;td&gt;Are required custom security attributes populated?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Policy gate&lt;/td&gt;
&lt;td&gt;Have Conditional Access policies been tested in report-only mode?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access gate&lt;/td&gt;
&lt;td&gt;Are access packages designed only for approved agents with clear business purpose?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle gate&lt;/td&gt;
&lt;td&gt;Do sponsor transition workflows have reliable manager and lifecycle data?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Monitoring gate&lt;/td&gt;
&lt;td&gt;Is there a recurring process to review risky agents, orphaned agents, and stale access?&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This keeps the rollout controlled and measurable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended minimum production baseline
&lt;/h2&gt;

&lt;p&gt;Before an agent is considered production-ready, it should meet a minimum governance baseline.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Requirement&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent is inventoried&lt;/td&gt;
&lt;td&gt;Establishes visibility&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Source platform is known&lt;/td&gt;
&lt;td&gt;Determines governance path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Identity model is known&lt;/td&gt;
&lt;td&gt;Confirms which controls apply&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access pattern is known&lt;/td&gt;
&lt;td&gt;Determines Conditional Access model&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Owner is assigned&lt;/td&gt;
&lt;td&gt;Provides technical accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor is assigned&lt;/td&gt;
&lt;td&gt;Provides business accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business purpose is documented&lt;/td&gt;
&lt;td&gt;Confirms why agent exists&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data sensitivity is classified&lt;/td&gt;
&lt;td&gt;Helps define risk posture&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Approval status is populated&lt;/td&gt;
&lt;td&gt;Lets policies distinguish approved and unapproved agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle state is known&lt;/td&gt;
&lt;td&gt;Supports review, retirement, and monitoring&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If these values are missing, the agent should remain in &lt;strong&gt;ReviewRequired&lt;/strong&gt; state.&lt;/p&gt;

&lt;h2&gt;
  
  
  Rollout should be policy-light at first
&lt;/h2&gt;

&lt;p&gt;Initial rollout should avoid creating too many policies.&lt;/p&gt;

&lt;p&gt;Start with a small number of meaningful controls:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A report-only Conditional Access policy for approved autonomous agents&lt;/li&gt;
&lt;li&gt;A block or review policy for rejected or unknown agents&lt;/li&gt;
&lt;li&gt;A risk-based policy for high-risk agent identities&lt;/li&gt;
&lt;li&gt;One or two access packages for common approved access patterns&lt;/li&gt;
&lt;li&gt;One lifecycle workflow for sponsor leave or role-change scenarios&lt;/li&gt;
&lt;li&gt;One drift report for missing owner, sponsor, or required attributes&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This gives the customer a working governance model without creating unnecessary policy sprawl.&lt;/p&gt;

&lt;h2&gt;
  
  
  Keep exception handling explicit
&lt;/h2&gt;

&lt;p&gt;Every governance model needs an exception path.&lt;/p&gt;

&lt;p&gt;Some agents may not fully fit the target design immediately. Some may be legacy. Some may be third-party. Some may not yet support the preferred identity model. The important point is that exceptions are visible, approved, time-bound, and reviewed.&lt;/p&gt;

&lt;p&gt;Good exception handling should include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Exception ID&lt;/li&gt;
&lt;li&gt;Agent name&lt;/li&gt;
&lt;li&gt;Business justification&lt;/li&gt;
&lt;li&gt;Owner&lt;/li&gt;
&lt;li&gt;Sponsor&lt;/li&gt;
&lt;li&gt;Risk accepted by&lt;/li&gt;
&lt;li&gt;Expiry date&lt;/li&gt;
&lt;li&gt;Review date&lt;/li&gt;
&lt;li&gt;Compensating controls&lt;/li&gt;
&lt;li&gt;Final disposition&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Avoid permanent exceptions wherever possible.&lt;/p&gt;

&lt;h2&gt;
  
  
  Define operational ownership
&lt;/h2&gt;

&lt;p&gt;Production governance needs clear ownership across teams.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Area&lt;/th&gt;
&lt;th&gt;Primary owner&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Inventory reporting&lt;/td&gt;
&lt;td&gt;IAM, platform team, or AI governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Owner and sponsor cleanup&lt;/td&gt;
&lt;td&gt;Business sponsors, platform owners, identity governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Custom security attribute schema&lt;/td&gt;
&lt;td&gt;IAM or Entra governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Attribute assignment process&lt;/td&gt;
&lt;td&gt;IAM operations, automation team, or delegated governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Conditional Access policies&lt;/td&gt;
&lt;td&gt;IAM / security team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access packages&lt;/td&gt;
&lt;td&gt;Identity governance team with resource owners&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle workflows&lt;/td&gt;
&lt;td&gt;Identity governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Risk review&lt;/td&gt;
&lt;td&gt;Security operations / identity protection team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent retirement&lt;/td&gt;
&lt;td&gt;Platform owner, sponsor, and IAM team&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This prevents the common problem where central IT becomes responsible for every business decision about every agent.&lt;/p&gt;

&lt;h2&gt;
  
  
  Production rollout checklist
&lt;/h2&gt;

&lt;p&gt;Use this checklist before scaling wider.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent inventory completed&lt;/li&gt;
&lt;li&gt;Classification model agreed&lt;/li&gt;
&lt;li&gt;Owner and sponsor model agreed&lt;/li&gt;
&lt;li&gt;Orphaned agent process defined&lt;/li&gt;
&lt;li&gt;Custom security attribute schema approved&lt;/li&gt;
&lt;li&gt;Attribute assignment owner identified&lt;/li&gt;
&lt;li&gt;Initial attributes populated for pilot agents&lt;/li&gt;
&lt;li&gt;Conditional Access policies created in report-only mode&lt;/li&gt;
&lt;li&gt;Sign-in and policy impact reviewed&lt;/li&gt;
&lt;li&gt;Access package model validated&lt;/li&gt;
&lt;li&gt;Sponsor request or approval process validated&lt;/li&gt;
&lt;li&gt;Lifecycle workflow pilot validated&lt;/li&gt;
&lt;li&gt;High-risk agent review process defined&lt;/li&gt;
&lt;li&gt;Monitoring cadence agreed&lt;/li&gt;
&lt;li&gt;Exception process documented&lt;/li&gt;
&lt;li&gt;Rollout ring model approved&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Suggested rollout rings
&lt;/h2&gt;

&lt;p&gt;Roll out in rings rather than one broad change.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Ring&lt;/th&gt;
&lt;th&gt;Scope&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Ring 0&lt;/td&gt;
&lt;td&gt;Lab or test agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring 1&lt;/td&gt;
&lt;td&gt;Small pilot group of approved agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring 2&lt;/td&gt;
&lt;td&gt;Production agents with complete metadata&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring 3&lt;/td&gt;
&lt;td&gt;Wider agent estate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ring 4&lt;/td&gt;
&lt;td&gt;Enforcement for unknown, rejected, or unmanaged agents&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This lets the organisation move from visibility to enforcement safely.&lt;/p&gt;

&lt;h2&gt;
  
  
  What success looks like
&lt;/h2&gt;

&lt;p&gt;A mature production rollout should result in:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Every agent has a known governance state&lt;/li&gt;
&lt;li&gt;Production agents have owners and sponsors&lt;/li&gt;
&lt;li&gt;Unknown agents are not silently trusted&lt;/li&gt;
&lt;li&gt;Custom security attributes support policy targeting and reporting&lt;/li&gt;
&lt;li&gt;Conditional Access policies are scoped using trusted metadata&lt;/li&gt;
&lt;li&gt;Access packages provide approved, time-bound access&lt;/li&gt;
&lt;li&gt;Sponsor lifecycle changes do not create orphaned agents&lt;/li&gt;
&lt;li&gt;Risky agents are reviewed and actioned&lt;/li&gt;
&lt;li&gt;Exceptions are documented and time-bound&lt;/li&gt;
&lt;li&gt;Governance is repeatable for new agents, not just existing ones&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;The production rollout is where the governance model becomes real. Do not move directly from design to broad enforcement. Start with a pilot, define decision gates, use report-only policies, validate access packages, test lifecycle workflows, and build monitoring into regular operations.&lt;/p&gt;

&lt;p&gt;The goal is not to create the most complex governance design. The goal is to create a model the customer can operate repeatedly: every agent known, classified, accountable, approved, governed, monitored, and eventually retired when no longer needed.&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Build an operating model for AI agent governance</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:15:54 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/build-an-operating-model-for-ai-agent-governance-655</link>
      <guid>https://dev.to/stepbysteptocloud/build-an-operating-model-for-ai-agent-governance-655</guid>
      <description>&lt;p&gt;By this point in the series, the governance building blocks are in place.&lt;/p&gt;

&lt;p&gt;You have inventoried the agents, classified them, assigned owners and sponsors, added custom security attributes, designed Conditional Access policies, introduced access packages, configured sponsor continuity, and defined monitoring practices.&lt;/p&gt;

&lt;p&gt;The next step is to turn all of this into an operating model.&lt;/p&gt;

&lt;p&gt;Without an operating model, agent governance can easily become a collection of disconnected controls. One team maintains inventory, another team owns Conditional Access, another reviews access packages, and another responds to risk. The controls exist, but the process is unclear.&lt;/p&gt;

&lt;p&gt;A good operating model answers one practical question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How does an agent move from creation to approved use, ongoing review, and eventual retirement?&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why an operating model matters
&lt;/h2&gt;

&lt;p&gt;AI agents are not static objects. New agents are created, old agents become unused, sponsors change roles, access requirements evolve, and risk signals may appear over time.&lt;/p&gt;

&lt;p&gt;If the organisation only completes a one-time cleanup, the estate will drift again. New agents may appear without owners, unclassified agents may remain active, or approved agents may keep access longer than required.&lt;/p&gt;

&lt;p&gt;The operating model keeps governance repeatable.&lt;/p&gt;

&lt;p&gt;It defines:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who provides metadata&lt;/li&gt;
&lt;li&gt;Who approves the agent&lt;/li&gt;
&lt;li&gt;Who assigns ownership and sponsorship&lt;/li&gt;
&lt;li&gt;Who validates data sensitivity&lt;/li&gt;
&lt;li&gt;Who applies governance attributes&lt;/li&gt;
&lt;li&gt;Who reviews risky agents&lt;/li&gt;
&lt;li&gt;Who approves access packages&lt;/li&gt;
&lt;li&gt;Who retires or disables agents&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The goal is not to make central IT responsible for every detail. The goal is to create shared accountability across makers, sponsors, security, identity, platform, and operations teams.&lt;/p&gt;

&lt;h2&gt;
  
  
  The recommended governance flow
&lt;/h2&gt;

&lt;p&gt;A practical lifecycle for agent governance can be structured like this:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Stage&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;th&gt;Output&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Discover&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Identify agents across platforms&lt;/td&gt;
&lt;td&gt;Agent added to inventory&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Classify&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determine source, identity model, and access pattern&lt;/td&gt;
&lt;td&gt;Agent placed into governance bucket&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Assign accountability&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Confirm owner, sponsor, and business purpose&lt;/td&gt;
&lt;td&gt;Agent becomes accountable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Tag with governance metadata&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Populate custom security attributes&lt;/td&gt;
&lt;td&gt;Agent becomes policy-addressable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approve or reject&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Decide if agent can move forward&lt;/td&gt;
&lt;td&gt;ApprovalStatus updated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Apply access controls&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Use Conditional Access and access packages&lt;/td&gt;
&lt;td&gt;Agent access governed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Monitor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Review risk, access, ownership, and activity&lt;/td&gt;
&lt;td&gt;Agent remains trusted&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Retire&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Disable or remove agents no longer needed&lt;/td&gt;
&lt;td&gt;Agent lifecycle closed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This keeps governance simple: every agent should have a known state and a clear next action.&lt;/p&gt;

&lt;h2&gt;
  
  
  Suggested agent governance states
&lt;/h2&gt;

&lt;p&gt;Use a small set of governance states that everyone understands.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Governance state&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;New&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent newly discovered or created&lt;/td&gt;
&lt;td&gt;Add to inventory and classify&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;ReviewRequired&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Required metadata or accountability missing&lt;/td&gt;
&lt;td&gt;Do not treat as production-ready&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approved&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent has required metadata, owner, sponsor, and business justification&lt;/td&gt;
&lt;td&gt;Eligible for policy and access design&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Rejected&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent not approved for use&lt;/td&gt;
&lt;td&gt;Block, disable, or prevent access based on policy&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Orphaned&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;No valid owner or sponsor&lt;/td&gt;
&lt;td&gt;Run claim-or-retire process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Retiring&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent no longer needed but cleanup not complete&lt;/td&gt;
&lt;td&gt;Remove access and disable safely&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Disabled&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent no longer allowed to operate&lt;/td&gt;
&lt;td&gt;Confirm access and assignments removed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Screenshot: Governance state view showing New, ReviewRequired, Approved, Orphaned, Retiring and Disabled agents&lt;/p&gt;

&lt;p&gt;These states help reduce confusion. Instead of arguing whether an agent is “good” or “bad”, the organisation can ask: &lt;strong&gt;what state is this agent in, and what action does that state require?&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Define roles and responsibilities
&lt;/h2&gt;

&lt;p&gt;Agent governance works best when responsibilities are clear.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Role or team&lt;/th&gt;
&lt;th&gt;Responsibility&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Agent maker or developer&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Provides purpose, platform, data sources, access pattern, and technical details&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Technical owner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Maintains configuration, connectors, runtime, and operational support&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Business sponsor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Confirms business need, approves continued use, and supports lifecycle decisions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Security governance team&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Reviews risk, sensitivity, policy impact, and approval criteria&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;IAM / Entra team&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Owns identity governance model, Conditional Access design, custom security attribute schema&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Platform team&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Supports Copilot Studio, Agent Builder, Foundry, or third-party platform controls&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Operations team&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Reviews drift reports, orphaned agents, risky agents, and access expiry&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Automation team&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Builds scripts, flows, or integrations to update metadata and reduce manual effort&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;A mature model does not expect the Entra administrator to decide every value manually. The Entra team owns the control plane, but business and security teams provide the decisions that determine approval, sensitivity, and risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  New agent onboarding gate
&lt;/h2&gt;

&lt;p&gt;The operating model should include a gate for newly created agents.&lt;/p&gt;

&lt;p&gt;Before an agent becomes production-ready, it should have minimum required information:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Required field&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Technical accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sponsor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Business accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Business purpose&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Explains why the agent exists&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Source platform&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determines governance path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Environment&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Separates production from test or sandbox&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Access pattern&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determines Conditional Access and access governance model&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Data sensitivity&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Drives risk and protection decisions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Business criticality&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Helps prioritise monitoring and review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approval status&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determines whether access should be allowed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If required metadata is missing, the agent should remain in &lt;strong&gt;ReviewRequired&lt;/strong&gt; state.&lt;/p&gt;

&lt;p&gt;This does not mean every agent must be blocked immediately. It means the agent should not be treated as fully approved or policy-ready until the required information is complete.&lt;/p&gt;

&lt;h2&gt;
  
  
  Existing agent remediation
&lt;/h2&gt;

&lt;p&gt;For existing agents, use the inventory to drive remediation.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Finding&lt;/th&gt;
&lt;th&gt;Action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Missing owner&lt;/td&gt;
&lt;td&gt;Assign or confirm technical owner&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Missing sponsor&lt;/td&gt;
&lt;td&gt;Assign business sponsor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;No owner and no sponsor&lt;/td&gt;
&lt;td&gt;Mark as Orphaned and run claim-or-retire process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unknown source platform&lt;/td&gt;
&lt;td&gt;Validate platform or registry origin&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unknown access pattern&lt;/td&gt;
&lt;td&gt;Review authentication and runtime behaviour&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unknown data sensitivity&lt;/td&gt;
&lt;td&gt;Ask owner, sponsor, or data governance team to classify&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Approved but missing metadata&lt;/td&gt;
&lt;td&gt;Move back to ReviewRequired until corrected&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Retired but still active&lt;/td&gt;
&lt;td&gt;Remove access and disable&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The aim is to convert the existing estate from unclear to governed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Automation and manual process balance
&lt;/h2&gt;

&lt;p&gt;Not every customer needs heavy automation from day one.&lt;/p&gt;

&lt;p&gt;A small estate may start with manual review and periodic bulk updates. A large estate with hundreds or thousands of agents needs automation or structured workflows to avoid daily manual housekeeping.&lt;/p&gt;

&lt;p&gt;A practical maturity model looks like this:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Maturity level&lt;/th&gt;
&lt;th&gt;Approach&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Level 1: Manual&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Inventory reviewed periodically, attributes updated by authorised admins&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Level 2: Bulk-assisted&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Export inventory, validate in tracker, bulk update attributes using approved scripts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Level 3: Workflow-driven&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Intake, sponsor approval, security review, and metadata stamping handled through workflow&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Level 4: Integrated&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent creation pipeline captures metadata and stamps governance values automatically where supported&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The recommended start is simple: define the required metadata and approval states first. Automation can come after the process is clear.&lt;/p&gt;

&lt;h2&gt;
  
  
  Policy enforcement model
&lt;/h2&gt;

&lt;p&gt;Once governance states and attributes are trusted, enforcement becomes easier.&lt;/p&gt;

&lt;p&gt;Example policy logic:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Condition&lt;/th&gt;
&lt;th&gt;Governance action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;ApprovalStatus = Approved&lt;/td&gt;
&lt;td&gt;Eligible for access controls and access packages&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ApprovalStatus = ReviewRequired&lt;/td&gt;
&lt;td&gt;Do not grant production access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ApprovalStatus = Rejected&lt;/td&gt;
&lt;td&gt;Block or disable based on policy&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;OwnershipStatus = Orphaned&lt;/td&gt;
&lt;td&gt;Escalate for claim-or-retire review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;DataSensitivity = Restricted&lt;/td&gt;
&lt;td&gt;Require stricter approval and monitoring&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AgentRisk = High&lt;/td&gt;
&lt;td&gt;Block, investigate, or move agent back to ReviewRequired&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This keeps policy decisions based on trusted metadata rather than manual agent selection.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended implementation sequence
&lt;/h2&gt;

&lt;p&gt;A customer can implement the operating model in phases.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Create the inventory&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Collect agents from Agent 365, Microsoft Entra, platform-native exports, registry sync, and third-party sources.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Classify the estate&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Identify Agent ID-backed agents, legacy app registrations, service principals, Agent Builder agents, registry-synced agents, shadow AI, system objects, and unknowns.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Fix accountability&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Assign missing owners and sponsors.&lt;/li&gt;
&lt;li&gt;Mark unclaimed agents as Orphaned or ReviewRequired.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Define custom security attributes&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Start with ApprovalStatus, Environment, DataSensitivity, AccessPattern, SourcePlatform, OwnershipStatus, and LifecycleState.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Backfill existing agents&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Populate known values.&lt;/li&gt;
&lt;li&gt;Keep unclear values as Unknown or ReviewRequired.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Create the onboarding gate&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Require minimum metadata before agents are considered production-ready.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Design Conditional Access&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Start with report-only.&lt;/li&gt;
&lt;li&gt;Use custom security attributes for scalable targeting.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Introduce access packages&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use for approved agents that need durable access to groups, roles, or API permissions.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Enable lifecycle workflows&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Maintain sponsorship continuity when sponsors move roles or leave.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Monitor continuously&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;Review risky agents, owner/sponsor drift, access package expiry, audit logs, and stale attributes.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What good looks like
&lt;/h2&gt;

&lt;p&gt;A healthy operating model should make these statements true:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Every production-ready agent is inventoried.&lt;/li&gt;
&lt;li&gt;Every governable agent has an owner and sponsor.&lt;/li&gt;
&lt;li&gt;Every approved agent has required custom security attributes populated.&lt;/li&gt;
&lt;li&gt;Unknown agents are not silently trusted.&lt;/li&gt;
&lt;li&gt;Orphaned agents are reviewed, claimed, retired, or disabled.&lt;/li&gt;
&lt;li&gt;Conditional Access policies are based on access pattern and trusted metadata.&lt;/li&gt;
&lt;li&gt;Access packages provide time-bound, approval-based access.&lt;/li&gt;
&lt;li&gt;Sponsor changes are handled through lifecycle workflows.&lt;/li&gt;
&lt;li&gt;Risky agents are reviewed and actioned.&lt;/li&gt;
&lt;li&gt;Monitoring detects drift before it becomes a governance problem.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Agent governance is not a one-time configuration activity. It is an operating model.&lt;/p&gt;

&lt;p&gt;Inventory provides visibility. Ownership and sponsorship provide accountability. Custom security attributes provide scalable metadata. Conditional Access provides enforcement. Access packages provide governed access. Lifecycle workflows maintain continuity. Monitoring keeps the model current.&lt;/p&gt;

&lt;p&gt;The strongest design is not the one with the most controls. It is the one where every agent has a known state, a responsible person, an approved purpose, and a clear path from creation to retirement.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>management</category>
      <category>security</category>
    </item>
    <item>
      <title>Monitor risky agents and keep agent governance current</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:15:01 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/monitor-risky-agents-and-keep-agent-governance-current-4568</link>
      <guid>https://dev.to/stepbysteptocloud/monitor-risky-agents-and-keep-agent-governance-current-4568</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Agent governance does not finish when inventory, custom security attributes, Conditional Access policies, access packages, and lifecycle workflows are configured. That is only the foundation.&lt;/p&gt;

&lt;p&gt;The real operating model starts after that.&lt;/p&gt;

&lt;p&gt;Agents will continue to be created. Sponsors will move roles. Access packages will expire. Some agents may become risky. Some may become unused. Some may lose ownership. If the organisation does not monitor these signals, the governance model will slowly become stale.&lt;/p&gt;

&lt;p&gt;The final stage of the agent governance journey is &lt;strong&gt;continuous monitoring and operational review&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why monitoring matters
&lt;/h2&gt;

&lt;p&gt;A governed agent estate should not be treated as a one-time project. It should behave more like an identity governance programme.&lt;/p&gt;

&lt;p&gt;The organisation should be able to answer these questions on an ongoing basis:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Are any agents currently risky?&lt;/li&gt;
&lt;li&gt;Are any agents accessing resources unexpectedly?&lt;/li&gt;
&lt;li&gt;Are any agents missing owners or sponsors?&lt;/li&gt;
&lt;li&gt;Are any approved agents no longer used?&lt;/li&gt;
&lt;li&gt;Are access package assignments nearing expiry?&lt;/li&gt;
&lt;li&gt;Have any agents lost their sponsor due to role change or departure?&lt;/li&gt;
&lt;li&gt;Are custom security attributes still accurate?&lt;/li&gt;
&lt;li&gt;Are Conditional Access policies working as expected?&lt;/li&gt;
&lt;li&gt;Are any agents still in &lt;code&gt;ReviewRequired&lt;/code&gt; state for too long?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If these questions are not reviewed periodically, the environment may drift back into unmanaged state.&lt;/p&gt;

&lt;h2&gt;
  
  
  What to monitor
&lt;/h2&gt;

&lt;p&gt;The monitoring layer should focus on a few practical areas instead of trying to inspect every detail manually.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Monitoring area&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Risky agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent identities may show risky behaviour or unusual access patterns.&lt;/td&gt;
&lt;td&gt;Review high-risk agents, block access if required, disable the agent, or move it back to &lt;code&gt;ReviewRequired&lt;/code&gt;.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sign-in logs&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Shows whether agents are authenticating and accessing resources as expected.&lt;/td&gt;
&lt;td&gt;Validate Conditional Access impact and check unexpected access behaviour.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Audit logs&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Helps track changes to agent identity, ownership, sponsorship, attributes, and access assignments.&lt;/td&gt;
&lt;td&gt;Review important changes and investigate unauthorised or unexpected updates.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner and sponsor gaps&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agents without accountability become governance risks.&lt;/td&gt;
&lt;td&gt;Re-run ownership and sponsorship gap reports periodically.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Access package expiry&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent access should not remain permanent without review.&lt;/td&gt;
&lt;td&gt;Track expiring assignments and ensure sponsor or approver validates continued need.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Custom security attribute drift&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Incorrect attribute values can lead to wrong policy targeting.&lt;/td&gt;
&lt;td&gt;Review agents with missing, stale, or inconsistent attribute values.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Conditional Access impact&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Policies may block or allow agents unexpectedly if scope is wrong.&lt;/td&gt;
&lt;td&gt;Review report-only results and policy impact before broad enforcement.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Lifecycle workflow outcomes&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Sponsor transition workflows depend on accurate user and manager data.&lt;/td&gt;
&lt;td&gt;Verify sponsorship transfers and notifications worked as expected.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Review high-risk agents
&lt;/h2&gt;

&lt;p&gt;Identity Protection for agents should be treated as an operational review point.&lt;/p&gt;

&lt;p&gt;If an agent is marked as high risk, the organisation should not simply ignore the signal. The response should depend on the agent’s business criticality, access level, and sensitivity.&lt;/p&gt;

&lt;p&gt;Recommended actions include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Review the agent’s recent sign-in and audit activity.&lt;/li&gt;
&lt;li&gt;Confirm the agent’s owner and sponsor.&lt;/li&gt;
&lt;li&gt;Validate whether the agent still has a valid business purpose.&lt;/li&gt;
&lt;li&gt;Check access package assignments and resource permissions.&lt;/li&gt;
&lt;li&gt;Move the agent to &lt;code&gt;ReviewRequired&lt;/code&gt; if the risk is unclear.&lt;/li&gt;
&lt;li&gt;Block access through Conditional Access if required.&lt;/li&gt;
&lt;li&gt;Disable the agent identity if immediate containment is needed.&lt;/li&gt;
&lt;li&gt;Retire the agent if it is no longer required.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The key point is that risky agents should not remain silently approved.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use governance states to drive action
&lt;/h2&gt;

&lt;p&gt;The monitoring process becomes easier when agents have clear governance states.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Governance state&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Monitoring action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approved&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent is classified, accountable, and allowed to operate.&lt;/td&gt;
&lt;td&gt;Monitor normally.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;ReviewRequired&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent has missing or uncertain metadata, risk, or ownership issue.&lt;/td&gt;
&lt;td&gt;Do not treat as production-ready until reviewed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Rejected&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent should not be used.&lt;/td&gt;
&lt;td&gt;Ensure access is blocked or removed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Orphaned&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent has no valid owner or sponsor.&lt;/td&gt;
&lt;td&gt;Start claim-or-retire process.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Retiring&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent marked for removal or decommissioning.&lt;/td&gt;
&lt;td&gt;Track until disabled or deleted.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Disabled&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent no longer allowed to operate.&lt;/td&gt;
&lt;td&gt;Confirm access and assignments removed.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;These states should be reflected in custom security attributes or the governance tracker so that operations teams can filter and act quickly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Monitor Conditional Access effectiveness
&lt;/h2&gt;

&lt;p&gt;Conditional Access policies for agents should be reviewed after deployment.&lt;/p&gt;

&lt;p&gt;The review should check whether policies are doing what they were designed to do:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Approved agents can access expected resources.&lt;/li&gt;
&lt;li&gt;Rejected or unknown agents are blocked.&lt;/li&gt;
&lt;li&gt;Risky agent identities are blocked or restricted.&lt;/li&gt;
&lt;li&gt;Report-only policies are showing expected impact.&lt;/li&gt;
&lt;li&gt;No business-critical agent is unintentionally blocked.&lt;/li&gt;
&lt;li&gt;Policies are scoped to the correct access pattern.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is especially important because on-behalf-of agents, autonomous agents, and agent users may follow different access models.&lt;/p&gt;

&lt;p&gt;A strong review question is:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Is this policy controlling the right identity subject for the right access pattern?&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;If the answer is unclear, reassess the policy before enforcement.&lt;/p&gt;

&lt;h2&gt;
  
  
  Monitor access package lifecycle
&lt;/h2&gt;

&lt;p&gt;Access packages provide time-bound access, but they only deliver value if expiry and extension are reviewed.&lt;/p&gt;

&lt;p&gt;For agents, access package monitoring should focus on:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Assignments nearing expiry.&lt;/li&gt;
&lt;li&gt;Sponsors requesting extensions.&lt;/li&gt;
&lt;li&gt;Assignments with no sponsor action.&lt;/li&gt;
&lt;li&gt;Agents with access packages but missing valid sponsor.&lt;/li&gt;
&lt;li&gt;High-risk agents with active access assignments.&lt;/li&gt;
&lt;li&gt;Agents that no longer need access but still hold assignment.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The recommendation is simple: approved access should not become permanent access by accident.&lt;/p&gt;

&lt;p&gt;If access is still needed, extension should follow approval. If no one validates the need, access should expire.&lt;/p&gt;

&lt;h2&gt;
  
  
  Review owner and sponsor health
&lt;/h2&gt;

&lt;p&gt;Owner and sponsor data should be reviewed periodically.&lt;/p&gt;

&lt;p&gt;Useful checks include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agents with no owner.&lt;/li&gt;
&lt;li&gt;Agents with no sponsor.&lt;/li&gt;
&lt;li&gt;Agents where owner or sponsor has left the organisation.&lt;/li&gt;
&lt;li&gt;Agents where sponsor changed role.&lt;/li&gt;
&lt;li&gt;Agents where only technical owner exists but no business sponsor.&lt;/li&gt;
&lt;li&gt;Agents where sponsor exists but business purpose is unclear.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This connects directly with lifecycle workflows. If sponsor transition workflows run, the organisation should still validate whether the new sponsor is appropriate.&lt;/p&gt;

&lt;p&gt;Automatic transfer can help continuity, but it should not replace business accountability review.&lt;/p&gt;

&lt;h2&gt;
  
  
  Watch for custom security attribute drift
&lt;/h2&gt;

&lt;p&gt;Custom security attributes are only useful if they remain accurate.&lt;/p&gt;

&lt;p&gt;Common drift examples:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent marked &lt;code&gt;Approved&lt;/code&gt; but sponsor missing.&lt;/li&gt;
&lt;li&gt;Agent marked &lt;code&gt;Prod&lt;/code&gt; but actually used for testing.&lt;/li&gt;
&lt;li&gt;Agent marked &lt;code&gt;Low&lt;/code&gt; sensitivity but now accesses confidential data.&lt;/li&gt;
&lt;li&gt;Agent still marked &lt;code&gt;ReviewRequired&lt;/code&gt; after approval completed.&lt;/li&gt;
&lt;li&gt;Agent owner changed but &lt;code&gt;OwnershipStatus&lt;/code&gt; not updated.&lt;/li&gt;
&lt;li&gt;Agent retired but still marked &lt;code&gt;Active&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Build a simple periodic review around these mismatches.&lt;/p&gt;

&lt;p&gt;The goal is not perfect metadata. The goal is trusted enough metadata to drive policy decisions safely.&lt;/p&gt;

&lt;h2&gt;
  
  
  Suggested operational cadence
&lt;/h2&gt;

&lt;p&gt;The cadence can vary by organisation size and risk, but the operating model should include recurring checks.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Cadence&lt;/th&gt;
&lt;th&gt;Review item&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Daily or frequent&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;High-risk agents, blocked access events, critical policy failures.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Weekly&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;New agents, agents in &lt;code&gt;ReviewRequired&lt;/code&gt;, owner or sponsor gaps, report-only CA impact.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Monthly&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Access package expiry, sponsor validity, orphaned agents, attribute drift.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Quarterly&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Overall agent governance posture, policy effectiveness, exception review, retired agent cleanup.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For large environments, this should be report-driven and automated where possible. For smaller environments, a lightweight review process may be enough.&lt;/p&gt;

&lt;h2&gt;
  
  
  What good looks like
&lt;/h2&gt;

&lt;p&gt;A mature agent governance monitoring model should show:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Every production agent has owner and sponsor.&lt;/li&gt;
&lt;li&gt;Every approved agent has required custom security attributes.&lt;/li&gt;
&lt;li&gt;Unknown agents remain under review and are not silently trusted.&lt;/li&gt;
&lt;li&gt;Risky agents are reviewed and actioned.&lt;/li&gt;
&lt;li&gt;Agent access is time-bound where appropriate.&lt;/li&gt;
&lt;li&gt;Access extensions require sponsor or approver validation.&lt;/li&gt;
&lt;li&gt;Conditional Access policies are reviewed before enforcement.&lt;/li&gt;
&lt;li&gt;Lifecycle workflow outcomes are validated.&lt;/li&gt;
&lt;li&gt;Retired or orphaned agents are removed or disabled.&lt;/li&gt;
&lt;li&gt;Governance dashboards show actionable exceptions, not just raw inventory.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Final operating model
&lt;/h2&gt;

&lt;p&gt;The complete governance journey should now look like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Inventory&lt;/strong&gt; agents across platforms.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Classify&lt;/strong&gt; source, identity model, and access pattern.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Assign accountability&lt;/strong&gt; with owners and sponsors.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Populate custom security attributes&lt;/strong&gt; for governance metadata.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Apply Conditional Access&lt;/strong&gt; using approval state, risk, and access pattern.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use access packages&lt;/strong&gt; for governed, time-bound access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Use lifecycle workflows&lt;/strong&gt; to maintain sponsor continuity.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitor continuously&lt;/strong&gt; through risk, logs, access expiry, and metadata drift.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Monitoring is what keeps agent governance alive.&lt;/p&gt;

&lt;p&gt;Inventory creates visibility. Custom security attributes create structure. Conditional Access and access packages create control. Lifecycle workflows maintain accountability. Monitoring ensures the model does not drift over time.&lt;/p&gt;

&lt;p&gt;For AI agents, the goal is not just to approve access once. The goal is to continuously confirm that each agent is still known, accountable, justified, correctly classified, and operating within policy.&lt;/p&gt;

&lt;p&gt;Next in the series (Bonus): &lt;a href="https://dev.to/stepbysteptocloud/putting-the-agent-governance-model-into-production-1p33"&gt;Putting the agent governance model into production&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Maintain sponsor continuity with lifecycle workflows</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:13:48 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/maintain-sponsor-continuity-with-lifecycle-workflows-3mo5</link>
      <guid>https://dev.to/stepbysteptocloud/maintain-sponsor-continuity-with-lifecycle-workflows-3mo5</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Agent governance does not end when an agent is inventoried, classified, approved, and granted access. The people accountable for that agent can change. A sponsor may move to another role, leave the organisation, or no longer be the right person to make lifecycle decisions for that agent.&lt;/p&gt;

&lt;p&gt;That is why sponsor continuity matters.&lt;/p&gt;

&lt;p&gt;If an agent continues to exist after its sponsor has moved or left, the organisation can end up with an active agent that still has access, but no clear business owner. Lifecycle workflows help reduce that risk by keeping sponsorship aligned with organisational changes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters
&lt;/h2&gt;

&lt;p&gt;Owners and sponsors are not just informational fields.&lt;/p&gt;

&lt;p&gt;The &lt;strong&gt;owner&lt;/strong&gt; helps with technical administration and operational support. The &lt;strong&gt;sponsor&lt;/strong&gt; provides business accountability: why the agent exists, whether it should continue to exist, whether it still needs access, and whether access should be extended or removed.&lt;/p&gt;

&lt;p&gt;When the sponsor changes roles or leaves the company, that accountability chain can break.&lt;/p&gt;

&lt;p&gt;Without a sponsor-continuity process, agents can become:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Orphaned&lt;/strong&gt;, because no one remains accountable.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Over-permissioned&lt;/strong&gt;, because access continues without review.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Operationally unclear&lt;/strong&gt;, because no one knows who should approve changes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Riskier over time&lt;/strong&gt;, because access and purpose are no longer actively validated.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Lifecycle workflows provide a way to handle this as part of the normal identity governance lifecycle.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where lifecycle workflows fit in the journey
&lt;/h2&gt;

&lt;p&gt;Lifecycle workflows should not be the first step in agent governance. They become meaningful after the earlier foundations are in place.&lt;/p&gt;

&lt;p&gt;The recommended sequence is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Inventory agents&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Classify identity model and access pattern&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Assign owners and sponsors&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Populate custom security attributes&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Design Conditional Access policies&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Use access packages for governed access&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Use lifecycle workflows to maintain sponsor continuity&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Monitor risk, access expiry, and governance drift&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The key point is simple: lifecycle workflows help keep the governance model current after it has been established.&lt;/p&gt;

&lt;h2&gt;
  
  
  What lifecycle workflows help with
&lt;/h2&gt;

&lt;p&gt;Lifecycle workflows are useful when there is a change in the human accountability layer around an agent.&lt;/p&gt;

&lt;p&gt;Common scenarios include:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Scenario&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor leaves the organisation&lt;/td&gt;
&lt;td&gt;Agent may become orphaned&lt;/td&gt;
&lt;td&gt;Notify manager or co-sponsors, transfer sponsorship where appropriate&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor changes role&lt;/td&gt;
&lt;td&gt;Sponsor may no longer be the right business accountable person&lt;/td&gt;
&lt;td&gt;Notify relevant stakeholders and review whether sponsorship should change&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor no longer owns the business process&lt;/td&gt;
&lt;td&gt;Agent may need a new business accountable owner&lt;/td&gt;
&lt;td&gt;Reassign sponsor or mark agent for review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent access is tied to sponsorship&lt;/td&gt;
&lt;td&gt;Access extensions may need business validation&lt;/td&gt;
&lt;td&gt;Ensure future approvals go to the right accountable person&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The goal is not only notification. The goal is continuity of accountability.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sponsor lifecycle workflow patterns
&lt;/h2&gt;

&lt;p&gt;There are two useful lifecycle workflow patterns for agent sponsorship.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Workflow pattern&lt;/th&gt;
&lt;th&gt;Lifecycle category&lt;/th&gt;
&lt;th&gt;Typical trigger&lt;/th&gt;
&lt;th&gt;Outcome&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor leaves organisation&lt;/td&gt;
&lt;td&gt;Leaver&lt;/td&gt;
&lt;td&gt;Leave date, attribute change, or group membership change&lt;/td&gt;
&lt;td&gt;Notify manager or co-sponsors, transfer sponsorship, avoid orphaned agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor changes roles&lt;/td&gt;
&lt;td&gt;Mover&lt;/td&gt;
&lt;td&gt;Role, department, job profile, or group membership change&lt;/td&gt;
&lt;td&gt;Review sponsorship, notify stakeholders, transfer accountability if needed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu64qfh0wxy9rgujsgi2m.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu64qfh0wxy9rgujsgi2m.png" alt=" " width="800" height="92"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Screenshot: Lifecycle workflow template showing sponsor-related tasks for mover and leaver scenarios&lt;/p&gt;

&lt;h2&gt;
  
  
  What actions should be considered
&lt;/h2&gt;

&lt;p&gt;A lifecycle workflow for sponsor continuity can include actions like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Notify the sponsor’s manager that sponsorship needs attention.&lt;/li&gt;
&lt;li&gt;Notify co-sponsors that the current sponsor has changed roles or left.&lt;/li&gt;
&lt;li&gt;Transfer sponsorship to the sponsor’s manager where that is the agreed operating model.&lt;/li&gt;
&lt;li&gt;Trigger a review of agents associated with that sponsor.&lt;/li&gt;
&lt;li&gt;Move affected agents into a review state if automatic transfer is not appropriate.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Not every organisation should automatically transfer sponsorship to the manager. That depends on the operating model.&lt;/p&gt;

&lt;p&gt;For some customers, manager-based transfer is acceptable. For others, sponsorship should move to an application owner, product owner, business process owner, or governance team.&lt;/p&gt;

&lt;h2&gt;
  
  
  Design decisions before enabling workflows
&lt;/h2&gt;

&lt;p&gt;Before configuring sponsor lifecycle workflows, agree on these decisions.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Design decision&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Who should receive sponsor-change notifications?&lt;/td&gt;
&lt;td&gt;Manager, co-sponsor, governance team, or platform owner may be more appropriate depending on process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Should sponsorship transfer automatically?&lt;/td&gt;
&lt;td&gt;Automatic transfer is useful but may be wrong if manager is not accountable for the business process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What happens if manager data is missing?&lt;/td&gt;
&lt;td&gt;Workflow may fail or route accountability incorrectly&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What happens if no co-sponsor exists?&lt;/td&gt;
&lt;td&gt;Agent may need to be marked as ReviewRequired&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Should affected agents be paused or disabled?&lt;/td&gt;
&lt;td&gt;High-risk agents may need stronger action until sponsorship is confirmed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Should access packages be reviewed at the same time?&lt;/td&gt;
&lt;td&gt;Sponsor changes can affect access extension and approval decisions&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This is where governance design matters more than clicking through a template.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended operating model
&lt;/h2&gt;

&lt;p&gt;A practical model is to treat sponsor lifecycle events as governance review triggers.&lt;/p&gt;

&lt;p&gt;When a sponsor changes role or leaves:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Identify all agent identities sponsored by that person.&lt;/li&gt;
&lt;li&gt;Notify the defined responsible party.&lt;/li&gt;
&lt;li&gt;Transfer sponsorship automatically only if the organisation has approved that default behaviour.&lt;/li&gt;
&lt;li&gt;If sponsorship cannot be confidently reassigned, mark the agent as &lt;strong&gt;ReviewRequired&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Review related access packages and active access assignments.&lt;/li&gt;
&lt;li&gt;Confirm whether the agent should remain active, be reassigned, disabled, or retired.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This keeps the workflow aligned to business accountability rather than just directory changes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Important caveats
&lt;/h2&gt;

&lt;p&gt;Lifecycle workflows depend heavily on identity data quality.&lt;/p&gt;

&lt;p&gt;If manager, department, role, group membership, or leave-date information is inaccurate, the workflow may not trigger correctly or may route sponsorship to the wrong person.&lt;/p&gt;

&lt;p&gt;Before relying on lifecycle workflows, validate:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Manager data is populated and reliable.&lt;/li&gt;
&lt;li&gt;Role or department changes are reflected in Microsoft Entra ID.&lt;/li&gt;
&lt;li&gt;Leave-date attributes or group membership changes are maintained correctly.&lt;/li&gt;
&lt;li&gt;Sponsors and co-sponsors are already populated for agent identities.&lt;/li&gt;
&lt;li&gt;The organisation has agreed what “transfer sponsorship” should mean.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A workflow cannot fix poor governance data. It can only act on the signals available.&lt;/p&gt;

&lt;h2&gt;
  
  
  How this connects to access packages
&lt;/h2&gt;

&lt;p&gt;Lifecycle workflows and access packages work well together.&lt;/p&gt;

&lt;p&gt;Access packages provide time-bound, approval-based access for agents. Sponsors can be involved in access decisions and extension requests. If a sponsor leaves or changes role, access package governance can become stale unless sponsorship is updated.&lt;/p&gt;

&lt;p&gt;That is why sponsor continuity should be part of the access governance design.&lt;/p&gt;

&lt;p&gt;If an agent has active access package assignments and the sponsor changes, the organisation should review whether:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The access is still required.&lt;/li&gt;
&lt;li&gt;The new sponsor understands the business purpose.&lt;/li&gt;
&lt;li&gt;The access should be extended, reduced, or allowed to expire.&lt;/li&gt;
&lt;li&gt;The agent should remain approved.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How this connects to custom security attributes
&lt;/h2&gt;

&lt;p&gt;Custom security attributes can also reflect lifecycle state.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attribute&lt;/th&gt;
&lt;th&gt;Example value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;OwnershipStatus&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Complete&lt;/code&gt;, &lt;code&gt;MissingSponsor&lt;/code&gt;, &lt;code&gt;Orphaned&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;LifecycleState&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Active&lt;/code&gt;, &lt;code&gt;UnderReview&lt;/code&gt;, &lt;code&gt;Retiring&lt;/code&gt;, &lt;code&gt;Disabled&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ApprovalStatus&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Approved&lt;/code&gt;, &lt;code&gt;ReviewRequired&lt;/code&gt;, &lt;code&gt;Revoked&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;When sponsor continuity breaks, the agent can be moved back to a review state until accountability is restored.&lt;/p&gt;

&lt;p&gt;That gives Conditional Access, reporting, monitoring, and governance dashboards a consistent signal.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended policy position
&lt;/h2&gt;

&lt;p&gt;Do not treat lifecycle workflows as optional clean-up.&lt;/p&gt;

&lt;p&gt;For agent identities, sponsor lifecycle handling should be part of the production governance model. If an agent has access to business data or operational systems, the organisation should know what happens when the person accountable for that agent changes role or leaves.&lt;/p&gt;

&lt;p&gt;A good policy statement could be:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Every production agent must have a valid sponsor. If the sponsor changes role or leaves the organisation, sponsorship must be reviewed, transferred, or the agent must be marked as ReviewRequired until accountability is restored.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Lifecycle workflows help keep agent governance alive after the initial setup. Inventory, classification, owners, sponsors, custom security attributes, Conditional Access, and access packages create the governance model. Lifecycle workflows help preserve that model when people move, leave, or stop being accountable for the agents they sponsor.&lt;/p&gt;

&lt;p&gt;The objective is simple: no active production agent should continue indefinitely without a valid business sponsor.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/monitor-risky-agents-and-keep-agent-governance-current-4568"&gt;Monitor risky agents and keep governance current&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Use access packages for governed agent access</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:13:07 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/use-access-packages-for-governed-agent-access-35an</link>
      <guid>https://dev.to/stepbysteptocloud/use-access-packages-for-governed-agent-access-35an</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Conditional Access helps decide &lt;strong&gt;whether an approved agent can access a resource under the right policy conditions&lt;/strong&gt;. Access packages answer a different question: &lt;strong&gt;what access should the agent receive, who approves it, and how long should that access remain valid&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;This is the right next step after inventory, classification, owner/sponsor cleanup, custom security attributes, and Conditional Access policy design. At this stage, the organisation should already know which agents are approved, who is accountable for them, what access pattern they use, and what sensitivity or business criticality applies.&lt;/p&gt;

&lt;p&gt;Access packages should not be used for every discovered agent. They are most useful for approved agents that need durable access to resources such as groups, Microsoft Entra roles, or API permissions. The aim is to avoid permanent, ad hoc permission assignments and move toward access that is intentional, approved, auditable, and time-bound.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why access packages matter for agents
&lt;/h2&gt;

&lt;p&gt;Agents may need access to resources to complete business tasks. For example, a fleet of customer support agents may need access to the same set of groups, APIs, or directory roles. Without a governed access model, those permissions can become difficult to track, review, and remove.&lt;/p&gt;

&lt;p&gt;Access packages provide a structured way to grant access with governance controls around:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Who can request access&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Who approves access&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;What resources are included&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;How long access lasts&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Whether access can be extended&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;What happens when access expires&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is especially important for agent identities because they may continue operating without day-to-day human interaction. Access should therefore be granted with clear purpose, expiry, and review expectations.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where access packages fit in the governance sequence
&lt;/h2&gt;

&lt;p&gt;Access packages should come after the agent has already passed the earlier governance checks.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Stage&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Inventory&lt;/td&gt;
&lt;td&gt;Identify the agent and its source platform&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Classification&lt;/td&gt;
&lt;td&gt;Understand identity model and access pattern&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Owner and sponsor assignment&lt;/td&gt;
&lt;td&gt;Establish technical and business accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Custom security attributes&lt;/td&gt;
&lt;td&gt;Record governance metadata like approval status and sensitivity&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Conditional Access&lt;/td&gt;
&lt;td&gt;Enforce access policy based on identity, risk, and attributes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access packages&lt;/td&gt;
&lt;td&gt;Grant approved, time-bound access to required resources&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle workflows and monitoring&lt;/td&gt;
&lt;td&gt;Keep sponsorship, access, and risk posture current&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The key point is simple: &lt;strong&gt;do not grant durable access to an agent until it is classified, accountable, and approved&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What agents can receive through access packages
&lt;/h2&gt;

&lt;p&gt;Access packages are useful when approved agents need access to defined resources rather than broad standing permissions.&lt;/p&gt;

&lt;p&gt;Common examples include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security group memberships&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Microsoft Entra directory roles&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;OAuth application permissions&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API permissions such as Microsoft Graph application permissions&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This makes access packages suitable for repeatable access patterns. For example, if several approved agents need the same type of access, create a standard access package instead of assigning permissions manually to each agent.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended access package design
&lt;/h2&gt;

&lt;p&gt;Start with a small number of meaningful access packages rather than creating many narrowly scoped packages too early.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Design area&lt;/th&gt;
&lt;th&gt;Recommendation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Scope&lt;/td&gt;
&lt;td&gt;Use access packages only for approved agents with known purpose and accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Resources&lt;/td&gt;
&lt;td&gt;Include only the resources the agent needs for the defined scenario&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Approval&lt;/td&gt;
&lt;td&gt;Route approval to the sponsor, resource owner, application owner, or security governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Expiry&lt;/td&gt;
&lt;td&gt;Make assignments time-bound by default&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Extension&lt;/td&gt;
&lt;td&gt;Require re-approval or extension review for continued access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Auditability&lt;/td&gt;
&lt;td&gt;Ensure assignments and approvals can be reviewed later&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Naming&lt;/td&gt;
&lt;td&gt;Use names that explain the agent scenario and access purpose&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Example naming pattern:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;AP-Agent-CustomerSupport-GraphRead-Prod&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AP-Agent-FinanceAutomation-GroupAccess-Prod&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;AP-Agent-SOCInvestigation-Privileged-ReviewRequired&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The name should help an administrator quickly understand &lt;strong&gt;who the access is for, what it grants, and whether it is production or review-based&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Request and approval model
&lt;/h2&gt;

&lt;p&gt;Access packages can support different assignment paths:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Assignment path&lt;/th&gt;
&lt;th&gt;When it makes sense&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent identity requests access&lt;/td&gt;
&lt;td&gt;Useful for programme-driven or automated access request scenarios&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor requests access for the agent&lt;/td&gt;
&lt;td&gt;Useful when human oversight is required before the agent receives access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Administrator directly assigns access&lt;/td&gt;
&lt;td&gt;Useful for controlled rollout, pilot, or emergency remediation scenarios&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The sponsor-based model is especially valuable. It keeps a human accountable for why the agent needs access and whether that access should continue.&lt;/p&gt;

&lt;h2&gt;
  
  
  Expiry and extension behaviour
&lt;/h2&gt;

&lt;p&gt;Access packages should not create permanent access by default. The value comes from giving access a lifecycle.&lt;/p&gt;

&lt;p&gt;When an access package assignment has an expiry date, the organisation can review whether the agent still needs that access. If the sponsor remains accountable and the access is still valid, an extension can be requested based on policy. If no action is taken, the assignment expires and the agent loses access to the target resources.&lt;/p&gt;

&lt;p&gt;This is a clean governance pattern for agents because access does not remain forever simply because it was once approved.&lt;/p&gt;

&lt;h2&gt;
  
  
  Design caveats
&lt;/h2&gt;

&lt;p&gt;Access packages are powerful, but they should be used carefully.&lt;/p&gt;

&lt;p&gt;Do not use access packages as a shortcut to approve unknown agents. If the agent source, identity model, business purpose, owner, sponsor, or access pattern is unclear, keep the agent in &lt;strong&gt;ReviewRequired&lt;/strong&gt; state.&lt;/p&gt;

&lt;p&gt;Also avoid reusing access packages that were originally designed for human users if the resource roles or approval model do not fit agent identities. Agent access packages should be designed with agent scenarios in mind.&lt;/p&gt;

&lt;p&gt;Key checks before using access packages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Is the agent approved?&lt;/li&gt;
&lt;li&gt;Does the agent have a valid owner and sponsor?&lt;/li&gt;
&lt;li&gt;Is the access pattern understood?&lt;/li&gt;
&lt;li&gt;Is the business purpose documented?&lt;/li&gt;
&lt;li&gt;Are the required resources clearly defined?&lt;/li&gt;
&lt;li&gt;Is access time-bound?&lt;/li&gt;
&lt;li&gt;Is there a clear approver?&lt;/li&gt;
&lt;li&gt;Is there a review or expiry model?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the answer is unclear, the access package design is not ready.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended operating model
&lt;/h2&gt;

&lt;p&gt;A practical access package operating model for agents can look like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Approved agents are identified from the inventory.&lt;/li&gt;
&lt;li&gt;Required resource access is mapped to a business scenario.&lt;/li&gt;
&lt;li&gt;Access package is created for that scenario.&lt;/li&gt;
&lt;li&gt;Sponsor or approver validates the need.&lt;/li&gt;
&lt;li&gt;Access is granted with expiry.&lt;/li&gt;
&lt;li&gt;Access is reviewed or extended only when justified.&lt;/li&gt;
&lt;li&gt;Expired or unused access is removed automatically through the lifecycle process.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This keeps access aligned to business purpose and reduces long-term permission drift.&lt;/p&gt;

&lt;h2&gt;
  
  
  Example access package patterns
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Scenario&lt;/th&gt;
&lt;th&gt;Access package idea&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Customer support agents&lt;/td&gt;
&lt;td&gt;Standard access to support knowledge groups and approved APIs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Security operations agents&lt;/td&gt;
&lt;td&gt;Time-bound access to investigation-related resources&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Finance automation agents&lt;/td&gt;
&lt;td&gt;Controlled access to finance processing groups or APIs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HR assistant agents&lt;/td&gt;
&lt;td&gt;Access only to approved HR resources with stricter review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Test or sandbox agents&lt;/td&gt;
&lt;td&gt;Limited non-production access with short expiry&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The design should follow least privilege. Agents should receive only the access needed for their approved scenario.&lt;/p&gt;

&lt;h2&gt;
  
  
  How this connects to the next phase
&lt;/h2&gt;

&lt;p&gt;Once access packages are in place, the next concern is lifecycle. Agents may be approved today, but sponsors can change roles, leave the organisation, or stop being accountable for the agent. If sponsorship becomes stale, access decisions become stale too.&lt;/p&gt;

&lt;p&gt;That is why the next phase is &lt;strong&gt;Lifecycle Workflows for sponsor continuity&lt;/strong&gt;. Access packages govern what the agent can access. Lifecycle workflows help ensure the people responsible for that access remain current.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Access packages give agent governance a proper entitlement layer. Conditional Access controls whether the agent can access resources under policy conditions. Access packages control what access the agent receives, who approves it, how long it lasts, and how it expires.&lt;/p&gt;

&lt;p&gt;Use access packages for approved agents with clear business purpose and accountability. Keep access time-bound, auditable, and reviewable. This prevents agent permissions from becoming permanent, unmanaged, or disconnected from business ownership.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/maintain-sponsor-continuity-with-lifecycle-workflows-3mo5"&gt;Maintain sponsor continuity with lifecycle workflows&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Design Conditional Access policies for agent identities</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:11:35 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/design-conditional-access-policies-for-agent-identities-29cb</link>
      <guid>https://dev.to/stepbysteptocloud/design-conditional-access-policies-for-agent-identities-29cb</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After agent inventory, ownership, sponsorship and custom security attributes are in place, the next step is to turn that governance metadata into policy enforcement. This is where &lt;strong&gt;Conditional Access&lt;/strong&gt; becomes important.&lt;/p&gt;

&lt;p&gt;The goal is not to create one policy per agent. That model will not scale. The better approach is to use the information already captured during inventory and classification — such as approval status, access pattern, environment, data sensitivity and risk — to decide which agents should access which resources, and under what conditions.&lt;/p&gt;

&lt;p&gt;Conditional Access is the point where the governance model starts becoming enforceable.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Conditional Access matters for agents
&lt;/h2&gt;

&lt;p&gt;Agents can access resources in different ways. Some act on behalf of a signed-in user. Some operate independently using their own identity. Some behave more like user accounts with their own mailbox, collaboration context or persistent access.&lt;/p&gt;

&lt;p&gt;Because these patterns are different, one Conditional Access design will not fit every agent type.&lt;/p&gt;

&lt;p&gt;Before creating policies, classify each agent by access pattern:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Access pattern&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;th&gt;Conditional Access approach&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;On-behalf-of flow&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent acts in the signed-in user’s context&lt;/td&gt;
&lt;td&gt;Review existing user Conditional Access policies&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Autonomous agent&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent authenticates using its own identity&lt;/td&gt;
&lt;td&gt;Use agent-specific Conditional Access policies&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Agent user identity&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent behaves like a user-like identity with its own access&lt;/td&gt;
&lt;td&gt;Use agent-user targeting and supported endpoint/network controls&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This distinction matters because the policy subject changes. In an on-behalf-of flow, the user is still central to the access decision. In an autonomous agent flow, the agent identity itself becomes the subject of the policy.&lt;/p&gt;

&lt;h2&gt;
  
  
  Start by reviewing existing user policies
&lt;/h2&gt;

&lt;p&gt;For agents acting on behalf of users, do not immediately assume a new agent-specific policy is required. First review the existing user Conditional Access baseline.&lt;/p&gt;

&lt;p&gt;The organisation should confirm whether existing user policies already enforce the expected Zero Trust posture:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Strong authentication or MFA where required&lt;/li&gt;
&lt;li&gt;Compliant device or trusted device requirements&lt;/li&gt;
&lt;li&gt;Network or location-based controls&lt;/li&gt;
&lt;li&gt;Legacy authentication blocking&lt;/li&gt;
&lt;li&gt;Resource-specific controls for Microsoft 365, SharePoint, Exchange, Teams, Graph or other sensitive resources&lt;/li&gt;
&lt;li&gt;Risk-based user protections where applicable&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If the user access path is already well governed, the on-behalf-of agent scenario benefits from those user-context controls. The agent does not bypass the user’s identity governance model simply because it is performing work for the user.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fctz75r182ncr7y2f03i0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fctz75r182ncr7y2f03i0.png" alt=" " width="799" height="338"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Screenshot: Existing Conditional Access policy templates from &lt;a href="https://entra.microsoft.com/#view/Microsoft_AAD_ConditionalAccess/CaTemplates.ReactView" rel="noopener noreferrer"&gt;portal&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Design separate policies for autonomous agents
&lt;/h2&gt;

&lt;p&gt;Autonomous agents need a different approach. These agents authenticate using their own identity and may run without a signed-in user present. They cannot satisfy interactive controls in the same way a human user can.&lt;/p&gt;

&lt;p&gt;For these agents, Conditional Access should use agent-specific signals and metadata.&lt;/p&gt;

&lt;p&gt;A practical starting point is to use the custom security attributes populated in the previous phase.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Policy pattern&lt;/th&gt;
&lt;th&gt;Suggested targeting&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Allow only approved agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;ApprovalStatus = Approved&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Allow access to selected resources&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Block rejected agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;ApprovalStatus = Rejected&lt;/code&gt; or &lt;code&gt;Revoked&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Block access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Restrict unknown agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;ApprovalStatus = New&lt;/code&gt; or &lt;code&gt;ReviewRequired&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Keep blocked or in report-only validation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Block high-risk agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent risk is high&lt;/td&gt;
&lt;td&gt;Block access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Protect sensitive data access&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;DataSensitivity = Confidential&lt;/code&gt; or &lt;code&gt;Restricted&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Apply stricter access decisions&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Separate production from test&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Environment = Prod&lt;/code&gt;, &lt;code&gt;Test&lt;/code&gt;, &lt;code&gt;Sandbox&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Apply different enforcement rings&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The key design idea is simple: approved agents can proceed, unknown or rejected agents should not be trusted by default.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftvtsl0hcpo4spn1lns3o.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftvtsl0hcpo4spn1lns3o.png" alt=" " width="800" height="591"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fr0eeudyvnoawdui9crta.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fr0eeudyvnoawdui9crta.png" alt=" " width="455" height="466"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbwq4gkg9pldhbngni5j0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbwq4gkg9pldhbngni5j0.png" alt=" " width="800" height="293"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Screenshot: Conditional Access policy targeting agent identities by custom security attributes&lt;/p&gt;

&lt;h2&gt;
  
  
  Avoid copying human-user controls to autonomous agents
&lt;/h2&gt;

&lt;p&gt;Autonomous agents are not humans. They do not complete MFA prompts. They do not respond to interactive remediation flows. They may not have a compliant device context unless they run through a managed endpoint model.&lt;/p&gt;

&lt;p&gt;For autonomous agents, focus on controls that make sense for non-human access:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Block or allow based on approval state&lt;/li&gt;
&lt;li&gt;Block based on agent risk&lt;/li&gt;
&lt;li&gt;Scope access to specific resources&lt;/li&gt;
&lt;li&gt;Use custom security attributes for targeting&lt;/li&gt;
&lt;li&gt;Use report-only mode before enforcement&lt;/li&gt;
&lt;li&gt;Validate sign-in impact before enabling policy&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Avoid applying human-user policy patterns without reviewing the agent access model. A policy designed for a person may not behave correctly for an autonomous agent.&lt;/p&gt;

&lt;h2&gt;
  
  
  Use report-only mode first
&lt;/h2&gt;

&lt;p&gt;Agent Conditional Access policies should not be enforced blindly. Start with &lt;strong&gt;report-only&lt;/strong&gt; mode and validate the effect.&lt;/p&gt;

&lt;p&gt;A safe rollout model looks like this:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Ring&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Ring 0 — report-only&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Understand impact without blocking access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Ring 1 — pilot agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Apply to selected approved agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Ring 2 — production approved agents&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Expand to known, classified, accountable agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Ring 3 — broader enforcement&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Apply across a wider approved population&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This staged approach reduces risk. It also gives administrators an opportunity to validate sign-in logs, policy impact, exceptions and unsupported scenarios before enforcement.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl3xknw33lms5vl78kupw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl3xknw33lms5vl78kupw.png" alt=" " width="800" height="1112"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Screenshot: Conditional Access report-only impact for agent identity policy&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended baseline policies
&lt;/h2&gt;

&lt;p&gt;A clean Conditional Access design for agents can start with a small number of baseline policies.&lt;/p&gt;

&lt;h3&gt;
  
  
  Block non-approved autonomous agents
&lt;/h3&gt;

&lt;p&gt;Use this policy to prevent agents without the right approval metadata from accessing corporate resources.&lt;/p&gt;

&lt;p&gt;Target agents based on custom security attributes such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = New&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = ReviewRequired&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = Rejected&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = Revoked&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This helps ensure only classified and approved agent identities can proceed to resource access.&lt;/p&gt;

&lt;h3&gt;
  
  
  Allow approved agents to access selected resources
&lt;/h3&gt;

&lt;p&gt;Use this policy to ensure approved autonomous agents can access only the resources they are supposed to use.&lt;/p&gt;

&lt;p&gt;Target agents where:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = Approved&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Environment = Prod&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;AccessPattern = Autonomous&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Scope the policy to the relevant resources instead of treating all resources the same.&lt;/p&gt;

&lt;h3&gt;
  
  
  Block high-risk agent identities
&lt;/h3&gt;

&lt;p&gt;Use this policy to respond to risky agent behaviour.&lt;/p&gt;

&lt;p&gt;If an agent identity is detected as high risk, block access until the issue is reviewed. The operational response could include reviewing permissions, disabling the agent identity, moving the agent back to &lt;code&gt;ReviewRequired&lt;/code&gt;, or retiring the agent if it is no longer valid.&lt;/p&gt;

&lt;h3&gt;
  
  
  Apply stricter controls for sensitive agents
&lt;/h3&gt;

&lt;p&gt;Agents tagged with higher sensitivity or business criticality may need stricter governance.&lt;/p&gt;

&lt;p&gt;Example targeting:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;DataSensitivity = Confidential&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;DataSensitivity = Restricted&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;BusinessCriticality = High&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;BusinessCriticality = MissionCritical&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These agents may need stricter resource scoping, closer monitoring, shorter access durations and stronger approval before access packages are granted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Agent user identity considerations
&lt;/h2&gt;

&lt;p&gt;Some agents may operate with their own user-like identity. These scenarios need separate design consideration because controls such as device compliance, network compliance and endpoint execution context may become relevant.&lt;/p&gt;

&lt;p&gt;For agent users, consider policies that evaluate:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agent risk&lt;/li&gt;
&lt;li&gt;Execution environment&lt;/li&gt;
&lt;li&gt;Device compliance where supported&lt;/li&gt;
&lt;li&gt;Network or Global Secure Access signals where applicable&lt;/li&gt;
&lt;li&gt;Resource-specific access&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Be careful not to apply endpoint-based requirements to cloud-native agents that have no device context. If the agent has no route to satisfy a device or network condition, the result may be unintended blocking.&lt;/p&gt;

&lt;p&gt;Screenshot: Conditional Access policy for agent user identity with endpoint-based conditions&lt;/p&gt;

&lt;h2&gt;
  
  
  Naming and governance standards
&lt;/h2&gt;

&lt;p&gt;Use consistent naming so policies remain readable over time.&lt;/p&gt;

&lt;p&gt;Suggested naming pattern:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;CA-AgentID-&amp;lt;AccessPattern&amp;gt;-&amp;lt;Control&amp;gt;-&amp;lt;Scope&amp;gt;-&amp;lt;Mode&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Examples:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;CA-AgentID-Autonomous-Block-NonApproved-ReportOnly
CA-AgentID-Autonomous-Block-HighRisk-ReportOnly
CA-AgentID-Autonomous-Allow-Approved-Prod
CA-AgentUser-Require-CompliantDevice-Pilot
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Good naming helps during operations, troubleshooting and policy review. It also prevents agent policies from being confused with human-user policies.&lt;/p&gt;

&lt;h2&gt;
  
  
  Common design caveats
&lt;/h2&gt;

&lt;p&gt;Keep these points visible in the design:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Do not assume every discovered agent has a Microsoft Entra Agent ID.&lt;/li&gt;
&lt;li&gt;Do not assume every agent can be governed through the same Conditional Access model.&lt;/li&gt;
&lt;li&gt;Do not apply user MFA controls to autonomous agents without validating behaviour.&lt;/li&gt;
&lt;li&gt;Do not enforce policies before validating in report-only mode.&lt;/li&gt;
&lt;li&gt;Do not create individual policies for hundreds or thousands of agents.&lt;/li&gt;
&lt;li&gt;Use custom security attributes for scalable targeting.&lt;/li&gt;
&lt;li&gt;Keep OBO, autonomous and agent user scenarios separate.&lt;/li&gt;
&lt;li&gt;Validate policy impact using sign-in logs before enforcement.&lt;/li&gt;
&lt;li&gt;Keep exception handling documented and time-bound.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Where Conditional Access fits in the sequence
&lt;/h2&gt;

&lt;p&gt;Conditional Access should come after inventory, accountability and custom security attributes.&lt;/p&gt;

&lt;p&gt;The sequence should look like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Inventory agents.&lt;/li&gt;
&lt;li&gt;Classify source, identity model and access pattern.&lt;/li&gt;
&lt;li&gt;Assign owners and sponsors.&lt;/li&gt;
&lt;li&gt;Populate custom security attributes.&lt;/li&gt;
&lt;li&gt;Create Conditional Access policies in report-only mode.&lt;/li&gt;
&lt;li&gt;Validate impact.&lt;/li&gt;
&lt;li&gt;Enforce in rings.&lt;/li&gt;
&lt;li&gt;Use access packages for durable resource access.&lt;/li&gt;
&lt;li&gt;Monitor risky agents and policy outcomes.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Conditional Access is not the first step. It is the enforcement layer that becomes effective once the governance metadata is trusted.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Conditional Access turns agent classification into access control. For on-behalf-of flows, review the existing user Conditional Access baseline. For autonomous agents, use agent identity policies driven by approval status, risk and custom security attributes. For agent users, evaluate endpoint, network and device-based controls only where they apply.&lt;/p&gt;

&lt;p&gt;Start in report-only mode, validate impact, and then enforce in controlled rings. This keeps agent governance scalable, defensible and safer to operate.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/use-access-packages-for-governed-agent-access-35an"&gt;Use access packages for governed agent access&lt;/a&gt;&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>microsoft</category>
      <category>security</category>
    </item>
    <item>
      <title>Use custom security attributes as the governance metadata layer for AI agents</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:10:15 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/use-custom-security-attributes-as-the-governance-metadata-layer-for-ai-agents-k98</link>
      <guid>https://dev.to/stepbysteptocloud/use-custom-security-attributes-as-the-governance-metadata-layer-for-ai-agents-k98</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Once the agent inventory is complete and ownership gaps are understood, the next question is simple: &lt;strong&gt;how do we govern agents at scale without managing every agent one by one?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is where &lt;strong&gt;custom security attributes&lt;/strong&gt; become useful.&lt;/p&gt;

&lt;p&gt;Inventory tells us what exists. Owners and sponsors tell us who is accountable. Custom security attributes give us a structured way to describe each agent with trusted governance metadata — for example, whether the agent is approved, what environment it belongs to, what type of access pattern it uses, and how sensitive its data access may be.&lt;/p&gt;

&lt;p&gt;The goal is not to create labels for the sake of labelling. The goal is to create a metadata layer that downstream controls can use consistently across Conditional Access, access packages, lifecycle reviews, reporting, and monitoring.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why custom security attributes matter
&lt;/h2&gt;

&lt;p&gt;In a small environment, an administrator might manually review a handful of agents and decide what should happen next. That does not scale when hundreds or thousands of agents exist across platforms.&lt;/p&gt;

&lt;p&gt;Custom security attributes help move the model from &lt;strong&gt;manual selection&lt;/strong&gt; to &lt;strong&gt;attribute-driven governance&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Instead of creating separate policies or decisions for individual agents, the organisation can assign standard values such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;code&gt;ApprovalStatus = Approved&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Environment = Prod&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;DataSensitivity = Confidential&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;AccessPattern = Autonomous&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;OwnershipStatus = Complete&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These values turn agent governance into a repeatable model. Once the values are populated and trusted, policy and reporting can operate against the metadata instead of against individual agent names.&lt;/p&gt;

&lt;h2&gt;
  
  
  Suggested attribute set
&lt;/h2&gt;

&lt;p&gt;Create a dedicated attribute set for agent governance, for example:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AgentGovernance&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This keeps agent-specific governance metadata separate from other business, HR, application, or user lifecycle attributes.&lt;/p&gt;

&lt;p&gt;A focused attribute set also makes role delegation cleaner. Only the right governance or automation roles should be able to define or update these values.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended starter schema
&lt;/h2&gt;

&lt;p&gt;Start small. Do not create too many attributes on day one. The initial schema should contain fields that directly support governance decisions.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Attribute&lt;/th&gt;
&lt;th&gt;Recommended&lt;/th&gt;
&lt;th&gt;Example values&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ApprovalStatus&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;New&lt;/code&gt;, &lt;code&gt;ReviewRequired&lt;/code&gt;, &lt;code&gt;Approved&lt;/code&gt;, &lt;code&gt;Rejected&lt;/code&gt;, &lt;code&gt;Revoked&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Indicates whether the agent is allowed to move into governed or production-ready state.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Environment&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Dev&lt;/code&gt;, &lt;code&gt;Test&lt;/code&gt;, &lt;code&gt;Prod&lt;/code&gt;, &lt;code&gt;Sandbox&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Separates production agents from non-production or test agents.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;DataSensitivity&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Public&lt;/code&gt;, &lt;code&gt;Internal&lt;/code&gt;, &lt;code&gt;Confidential&lt;/code&gt;, &lt;code&gt;Restricted&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Helps drive review depth, access decisions, and monitoring priority.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;AccessPattern&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;OBO&lt;/code&gt;, &lt;code&gt;Autonomous&lt;/code&gt;, &lt;code&gt;AgentUser&lt;/code&gt;, &lt;code&gt;Unknown&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Identifies whether the agent acts on behalf of a user, independently, or with its own user-like identity.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;SourcePlatform&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;CopilotStudio&lt;/code&gt;, &lt;code&gt;AgentBuilder&lt;/code&gt;, &lt;code&gt;Foundry&lt;/code&gt;, &lt;code&gt;Bedrock&lt;/code&gt;, &lt;code&gt;Vertex&lt;/code&gt;, &lt;code&gt;Custom&lt;/code&gt;, &lt;code&gt;Unknown&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Identifies where the agent came from and which governance path may apply.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;BusinessCriticality&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Recommended&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Low&lt;/code&gt;, &lt;code&gt;Medium&lt;/code&gt;, &lt;code&gt;High&lt;/code&gt;, &lt;code&gt;MissionCritical&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Helps prioritise governance, review frequency, and escalation paths.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;OwnershipStatus&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Recommended&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Complete&lt;/code&gt;, &lt;code&gt;MissingOwner&lt;/code&gt;, &lt;code&gt;MissingSponsor&lt;/code&gt;, &lt;code&gt;Orphaned&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Tracks whether the agent has the required accountability model.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;LifecycleState&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Recommended&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Active&lt;/code&gt;, &lt;code&gt;UnderReview&lt;/code&gt;, &lt;code&gt;Retiring&lt;/code&gt;, &lt;code&gt;Disabled&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Tracks where the agent is in its operational lifecycle.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;EnforcementRing&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Optional&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;Ring0ReportOnly&lt;/code&gt;, &lt;code&gt;Ring1Pilot&lt;/code&gt;, &lt;code&gt;Ring2Enforced&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Supports phased rollout of Conditional Access and other controls.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ExceptionId&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Optional&lt;/td&gt;
&lt;td&gt;&lt;code&gt;EXC-12345&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;References an approved exception process without storing long free-text notes.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This schema is intentionally simple. It gives enough structure to start governing agents without overengineering the metadata model.&lt;/p&gt;

&lt;h2&gt;
  
  
  Role and permission model
&lt;/h2&gt;

&lt;p&gt;Custom security attributes should not be treated like normal free-form directory fields. They can contain governance-sensitive information such as risk tier, sensitivity, approval state, or compliance status.&lt;/p&gt;

&lt;p&gt;Access to define and assign these attributes should be tightly controlled.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;th&gt;Suggested holder&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Attribute Definition Administrator&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Creates and manages attribute sets and definitions.&lt;/td&gt;
&lt;td&gt;Small IAM, Entra governance, or security architecture group.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Attribute Assignment Administrator&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Assigns or updates attribute values on objects.&lt;/td&gt;
&lt;td&gt;Controlled automation identity or limited operations team.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Attribute Definition Reader&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Reads attribute definitions and schema.&lt;/td&gt;
&lt;td&gt;Security architecture, audit, or governance reviewers.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Attribute Assignment Reader&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Reads assigned attribute values.&lt;/td&gt;
&lt;td&gt;Security operations, compliance, or reporting teams.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Use &lt;strong&gt;Privileged Identity Management&lt;/strong&gt; where possible for human access. People should activate elevated roles only when needed. For bulk or recurring updates, use a controlled automation identity with the minimum permissions required.&lt;/p&gt;

&lt;p&gt;The key design point is this: &lt;strong&gt;the Entra administrator should own the schema and control plane, but should not be the person deciding every agent’s business sensitivity or approval status.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the values should come from
&lt;/h2&gt;

&lt;p&gt;Custom security attribute values should be the result of a governance process, not guesswork.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Input&lt;/th&gt;
&lt;th&gt;Suggested source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Business purpose&lt;/td&gt;
&lt;td&gt;Agent maker, owner, or business sponsor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Source platform&lt;/td&gt;
&lt;td&gt;Inventory and platform export&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access pattern&lt;/td&gt;
&lt;td&gt;Platform owner, developer, or identity review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data sensitivity&lt;/td&gt;
&lt;td&gt;Data owner, security team, or governance team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business criticality&lt;/td&gt;
&lt;td&gt;Business sponsor&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Approval status&lt;/td&gt;
&lt;td&gt;Governance or approval process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ownership status&lt;/td&gt;
&lt;td&gt;Inventory owner/sponsor review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lifecycle state&lt;/td&gt;
&lt;td&gt;Remediation or operational workflow&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For existing agents, values can be backfilled from the inventory exercise. For new agents, the organisation should define a gatekeeping model so required values are captured before the agent is considered production-ready.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended operating model
&lt;/h2&gt;

&lt;p&gt;A practical operating model looks like this:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Define the schema&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agree the attribute set, attribute names, and allowed values.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Map inventory data&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use the inventory to identify known values such as source platform, identity state, owner, sponsor, and current governance status.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Validate business inputs&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Ask the maker, owner, or sponsor to confirm business purpose, sensitivity, and criticality.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Assign attributes&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Use a controlled process, bulk update, or automation to stamp approved values.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Flag unknowns&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Agents with missing or unclear metadata should remain in &lt;code&gt;ReviewRequired&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Use attributes for policy&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Conditional Access, access packages, monitoring, and lifecycle workflows can use the attributes as decision inputs.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Design considerations
&lt;/h2&gt;

&lt;p&gt;Keep these points in mind before creating the schema:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Prefer &lt;strong&gt;predefined values&lt;/strong&gt; over free text.&lt;/li&gt;
&lt;li&gt;Keep values short, stable, and easy to report on.&lt;/li&gt;
&lt;li&gt;Do not store secrets, credentials, personal data, or long business justification text in attributes.&lt;/li&gt;
&lt;li&gt;Avoid creating too many fields at the beginning.&lt;/li&gt;
&lt;li&gt;Validate that the relevant agent identity objects can be assigned attributes in the customer tenant.&lt;/li&gt;
&lt;li&gt;Treat &lt;code&gt;Unknown&lt;/code&gt; and &lt;code&gt;ReviewRequired&lt;/code&gt; as valid governance states, not failures.&lt;/li&gt;
&lt;li&gt;Design the schema before bulk assignment; changing attribute structure later can be harder than changing values.&lt;/li&gt;
&lt;li&gt;Keep exception handling separate using an exception ID or reference rather than embedding long exception details into the attribute value.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How this helps the next phase
&lt;/h2&gt;

&lt;p&gt;Once custom security attributes are populated, the organisation can move from descriptive governance to enforceable governance.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Conditional Access can target agents where &lt;code&gt;ApprovalStatus = Approved&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Unknown or rejected agents can be blocked or kept out of enforcement-ready groups.&lt;/li&gt;
&lt;li&gt;Sensitive agents can be placed into stricter review or monitoring paths.&lt;/li&gt;
&lt;li&gt;Access packages can be scoped to approved agents with known business purpose.&lt;/li&gt;
&lt;li&gt;Lifecycle workflows and reporting can use ownership or lifecycle values to detect stale or orphaned agents.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This makes the governance model scalable. Administrators no longer need to select hundreds of agents manually. They govern based on trusted metadata.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Custom security attributes are the bridge between inventory and enforcement.&lt;/p&gt;

&lt;p&gt;They convert raw inventory findings into standard governance values that policies, reports, and lifecycle processes can use consistently. Once the attribute model is in place, the organisation is ready to design Conditional Access policies for agent identities based on approval state, access pattern, environment, risk, and sensitivity.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/design-conditional-access-policies-for-agent-identities-29cb"&gt;Design Conditional Access policies for agent identities&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Establish owners, sponsors, and accountability for AI agents</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:09:13 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/establish-owners-sponsors-and-accountability-for-ai-agents-1abl</link>
      <guid>https://dev.to/stepbysteptocloud/establish-owners-sponsors-and-accountability-for-ai-agents-1abl</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Agent inventory tells us what exists. The next question is more important: &lt;strong&gt;who is accountable for each agent?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In a real environment, agents can be created by makers, developers, business teams, platform teams, or external systems. If the organisation only knows that an agent exists but does not know who owns it, who sponsors it, or why it is still needed, the agent becomes difficult to govern safely.&lt;/p&gt;

&lt;p&gt;This is why owner and sponsor mapping should happen before deeper controls such as Conditional Access, access packages, lifecycle workflows, or enforcement policies.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why accountability matters
&lt;/h2&gt;

&lt;p&gt;AI agents are not just configuration objects. They can access data, call APIs, use connectors, run workflows, interact with users, and sometimes operate without a human present at runtime.&lt;/p&gt;

&lt;p&gt;That means every production-ready agent should have clear human accountability.&lt;/p&gt;

&lt;p&gt;At a minimum, the organisation should be able to answer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who is technically responsible for this agent?&lt;/li&gt;
&lt;li&gt;Who is accountable for the business purpose of this agent?&lt;/li&gt;
&lt;li&gt;Who can confirm whether the agent is still required?&lt;/li&gt;
&lt;li&gt;Who approves the agent’s access to data or resources?&lt;/li&gt;
&lt;li&gt;Who should be contacted if the agent becomes risky, stale, or orphaned?&lt;/li&gt;
&lt;li&gt;Who decides whether the agent should be retired?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If these questions cannot be answered, the agent should not be treated as approved or production-ready.&lt;/p&gt;

&lt;h2&gt;
  
  
  Owner and sponsor are not the same
&lt;/h2&gt;

&lt;p&gt;The &lt;strong&gt;owner&lt;/strong&gt; and &lt;strong&gt;sponsor&lt;/strong&gt; serve different governance purposes.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;Primary responsibility&lt;/th&gt;
&lt;th&gt;Typical person or team&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Technical administration and operational handling of the agent&lt;/td&gt;
&lt;td&gt;Agent maker, platform admin, application owner, automation team, engineering team&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sponsor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Business accountability for the agent’s purpose, lifecycle, and continued need&lt;/td&gt;
&lt;td&gt;Business owner, product owner, process owner, department representative&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The owner normally understands how the agent is configured, where it runs, what connectors or APIs it uses, and how to troubleshoot it.&lt;/p&gt;

&lt;p&gt;The sponsor confirms why the agent exists, whether the business still needs it, whether its access is justified, and whether it should continue to operate.&lt;/p&gt;

&lt;p&gt;In simple terms:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Owner = who manages it technically. Sponsor = who is accountable for why it exists.&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Recommended accountability states
&lt;/h2&gt;

&lt;p&gt;Once the inventory is collected, agents should be grouped based on ownership and sponsorship status.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Accountability state&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner and sponsor present&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent has both technical and business accountability&lt;/td&gt;
&lt;td&gt;Move to classification and policy-readiness review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sponsor present, owner missing&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Business need is known but technical accountability is unclear&lt;/td&gt;
&lt;td&gt;Ask sponsor to nominate or confirm technical owner&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner present, sponsor missing&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Technical contact is known but business accountability is missing&lt;/td&gt;
&lt;td&gt;Assign a business sponsor before access governance&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;No owner and no sponsor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent is orphaned or unmanaged&lt;/td&gt;
&lt;td&gt;Mark as &lt;code&gt;ReviewRequired&lt;/code&gt; and start claim-or-retire process&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Purpose unknown&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Agent exists but business reason is unclear&lt;/td&gt;
&lt;td&gt;Keep in &lt;code&gt;ReviewRequired&lt;/code&gt; until validated&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;System or built-in object&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Object appears platform-generated or not business-owned&lt;/td&gt;
&lt;td&gt;Exclude from business-agent review unless risk-relevant&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp7f4sa9zp7tntm2osxcs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fp7f4sa9zp7tntm2osxcs.png" alt=" " width="800" height="480"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcho8qx814ifcyxyst4vj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fcho8qx814ifcyxyst4vj.png" alt=" " width="799" height="467"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Screenshot: Agent inventory view&lt;/p&gt;

&lt;h2&gt;
  
  
  Treat missing accountability as a governance gap
&lt;/h2&gt;

&lt;p&gt;An agent with no owner or sponsor should not automatically be considered malicious or unsafe. But it should be considered &lt;strong&gt;untrusted from a governance perspective&lt;/strong&gt; until validated.&lt;/p&gt;

&lt;p&gt;The right action is not always immediate blocking. The better approach is to classify the agent into a clear remediation state.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Finding&lt;/th&gt;
&lt;th&gt;Governance interpretation&lt;/th&gt;
&lt;th&gt;Next step&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent has no owner and no sponsor&lt;/td&gt;
&lt;td&gt;Orphaned or unmanaged&lt;/td&gt;
&lt;td&gt;Ask platform or business team to claim ownership, otherwise move to retire or disable review&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent has owner but no sponsor&lt;/td&gt;
&lt;td&gt;Technically known, business purpose not confirmed&lt;/td&gt;
&lt;td&gt;Assign sponsor before granting durable access&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent has sponsor but no owner&lt;/td&gt;
&lt;td&gt;Business need exists, technical support unclear&lt;/td&gt;
&lt;td&gt;Nominate technical owner&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent purpose is unknown&lt;/td&gt;
&lt;td&gt;Cannot approve yet&lt;/td&gt;
&lt;td&gt;Keep as &lt;code&gt;ReviewRequired&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent is system-generated&lt;/td&gt;
&lt;td&gt;May not need business owner/sponsor&lt;/td&gt;
&lt;td&gt;Exclude from business-agent workflow after validation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This keeps the model practical. Not every agent needs immediate enforcement, but every agent needs a known state.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters before policy design
&lt;/h2&gt;

&lt;p&gt;Conditional Access, access packages, and lifecycle workflows all depend on trusted metadata.&lt;/p&gt;

&lt;p&gt;If ownership and sponsorship are incomplete, later controls become harder to operate.&lt;/p&gt;

&lt;p&gt;For example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Access package expiry notifications need a responsible sponsor.&lt;/li&gt;
&lt;li&gt;Lifecycle workflows need sponsor and manager data to maintain continuity.&lt;/li&gt;
&lt;li&gt;Risky-agent review needs someone to validate whether the agent should continue.&lt;/li&gt;
&lt;li&gt;Custom security attributes such as &lt;code&gt;ApprovalStatus&lt;/code&gt;, &lt;code&gt;OwnershipStatus&lt;/code&gt;, or &lt;code&gt;LifecycleState&lt;/code&gt; depend on reliable ownership decisions.&lt;/li&gt;
&lt;li&gt;Conditional Access policies should not blindly trust agents that are unknown or orphaned.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is why the accountability layer should be completed before moving into enforcement.&lt;/p&gt;

&lt;h2&gt;
  
  
  Suggested ownership and sponsorship process
&lt;/h2&gt;

&lt;p&gt;The organisation should define a simple process for existing and new agents.&lt;/p&gt;

&lt;p&gt;For existing agents:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Use inventory data to identify missing owner and sponsor values.&lt;/li&gt;
&lt;li&gt;Ask platform teams, makers, application teams, or business units to claim agents.&lt;/li&gt;
&lt;li&gt;Mark unclaimed agents as &lt;code&gt;ReviewRequired&lt;/code&gt; or &lt;code&gt;Orphaned&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Decide whether each unclaimed agent should be retained, disabled, retired, or monitored.&lt;/li&gt;
&lt;li&gt;Update governance metadata once ownership and sponsorship are confirmed.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For new agents:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Require owner and sponsor before the agent becomes production-ready.&lt;/li&gt;
&lt;li&gt;Capture business purpose, data access requirement, source platform, and access pattern.&lt;/li&gt;
&lt;li&gt;Do not mark the agent as approved until accountability is complete.&lt;/li&gt;
&lt;li&gt;Keep incomplete agents in &lt;code&gt;ReviewRequired&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Move fully accountable agents into policy design.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Owner and sponsor self-service
&lt;/h2&gt;

&lt;p&gt;Where supported, owners and sponsors should not depend only on central administrators for every action.&lt;/p&gt;

&lt;p&gt;A strong operating model allows responsible people to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;View agents they own or sponsor.&lt;/li&gt;
&lt;li&gt;Review agent details.&lt;/li&gt;
&lt;li&gt;Request governed access for an agent.&lt;/li&gt;
&lt;li&gt;Disable or re-enable an agent when action is required.&lt;/li&gt;
&lt;li&gt;Participate in access extension or lifecycle decisions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This helps shift agent governance from a purely central IT activity into a shared accountability model.&lt;/p&gt;

&lt;p&gt;Central administrators still own the governance framework, but sponsors and owners help keep the data accurate and the lifecycle healthy.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended metadata to capture
&lt;/h2&gt;

&lt;p&gt;When assigning owners and sponsors, also capture the minimum context required for future governance.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Metadata&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Owner&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Identifies technical accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Sponsor&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Identifies business accountability&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Business purpose&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Confirms why the agent exists&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Source platform&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Helps determine governance path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Environment&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Separates production from test or sandbox agents&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Access pattern&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determines whether user, agent identity, or agent-user controls apply&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Data sensitivity&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Helps decide risk and protection level&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approval status&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Determines whether agent can move into enforcement&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Lifecycle state&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Tracks whether agent is active, under review, retiring, or disabled&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;This metadata becomes the input for the next stage: custom security attributes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Design recommendation
&lt;/h2&gt;

&lt;p&gt;Do not treat owner and sponsor mapping as a one-time cleanup exercise.&lt;/p&gt;

&lt;p&gt;Use it as a governance gate.&lt;/p&gt;

&lt;p&gt;An agent should move forward only when it is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Classified&lt;/strong&gt; — source, identity model, and access pattern are known.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Accountable&lt;/strong&gt; — owner and sponsor are assigned.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Justified&lt;/strong&gt; — business purpose is documented.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Approved&lt;/strong&gt; — governance review completed.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Ready for policy&lt;/strong&gt; — metadata is clean enough for downstream controls.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Agents that do not meet this baseline should remain in &lt;code&gt;ReviewRequired&lt;/code&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Inventory gives visibility, but ownership and sponsorship create accountability.&lt;/p&gt;

&lt;p&gt;Before applying stronger controls, every governable agent should have a clear technical owner, business sponsor, purpose, and lifecycle state. This prevents agents from becoming orphaned, unmanaged, or permanently over-permissioned.&lt;/p&gt;

&lt;p&gt;Once ownership and sponsorship are clean, the next step is to use &lt;strong&gt;custom security attributes&lt;/strong&gt; as the structured metadata layer for scalable policy targeting, reporting, and governance.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/use-custom-security-attributes-as-the-governance-metadata-layer-for-ai-agents-k98"&gt;Use custom security attributes as the governance metadata layer&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Start with agent inventory and classification</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:08:05 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/start-with-agent-inventory-and-classification-4m57</link>
      <guid>https://dev.to/stepbysteptocloud/start-with-agent-inventory-and-classification-4m57</guid>
      <description>&lt;p&gt;This article is part of a multi-part series on Microsoft Entra Agent ID governance. For the full sequence and recommended reading order, start from the &lt;a href="https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g"&gt;Governing AI agents with Microsoft Entra Agent ID and Agent 365&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before creating Conditional Access policies, access packages, lifecycle workflows, or custom security attribute rules, start with the simplest question: &lt;strong&gt;what agents exist in the environment?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That sounds basic, but it is the most important step in an Agent ID governance journey. Agents can come from different platforms, use different identity models, and have different levels of visibility in Microsoft 365 and Microsoft Entra. If the inventory is incomplete or poorly classified, every later governance decision becomes risky.&lt;/p&gt;

&lt;p&gt;The purpose of inventory is not just to create a list. The purpose is to understand which agents are ready for governance, which agents need cleanup, which agents are unknown, and which agents should be excluded from business-agent review.&lt;/p&gt;

&lt;p&gt;Licensing note: Microsoft Entra ID Governance for agent identities requires either Microsoft 365 E7, or Microsoft Agent 365 paired with at least Microsoft Entra ID P1 or Microsoft 365 E3. For licensing, refer to the &lt;a href="https://www.microsoft.com/en-in/microsoft-agent-365#plans-and-pricing" rel="noopener noreferrer"&gt;Microsoft Agent 365 plans and pricing&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why inventory comes first
&lt;/h2&gt;

&lt;p&gt;AI agents may be created or discovered from different places:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Microsoft Copilot Studio&lt;/li&gt;
&lt;li&gt;Microsoft 365 Copilot Agent Builder&lt;/li&gt;
&lt;li&gt;Azure AI Foundry&lt;/li&gt;
&lt;li&gt;Amazon Bedrock&lt;/li&gt;
&lt;li&gt;Google Vertex AI&lt;/li&gt;
&lt;li&gt;Other third-party platforms&lt;/li&gt;
&lt;li&gt;Custom or pro-code agent platforms&lt;/li&gt;
&lt;li&gt;Shadow AI or endpoint-discovered tools&lt;/li&gt;
&lt;li&gt;System-created or built-in platform objects&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These agents should not all be treated the same way.&lt;/p&gt;

&lt;p&gt;Some agents may have a Microsoft Entra Agent ID. Some may still use an app registration or service principal model. Some may only be visible through registry sync. Some may be discovered as shadow AI activity. Some may be system-generated objects that should not be handled like customer-created business agents.&lt;/p&gt;

&lt;p&gt;That is why the first phase should focus on &lt;strong&gt;inventory and classification&lt;/strong&gt;, not enforcement.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the inventory should answer
&lt;/h2&gt;

&lt;p&gt;A useful agent inventory should answer the following questions.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Question&lt;/th&gt;
&lt;th&gt;Why it matters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;What agents exist?&lt;/td&gt;
&lt;td&gt;Establishes full visibility of the agent estate.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Which platform created or surfaced the agent?&lt;/td&gt;
&lt;td&gt;Determines the likely governance path.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Does the agent have Microsoft Entra Agent ID?&lt;/td&gt;
&lt;td&gt;Determines whether Agent ID-specific controls can apply.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Is the agent user-created, system-created, or third-party discovered?&lt;/td&gt;
&lt;td&gt;Prevents incorrect governance of built-in or system objects.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Does the agent have an owner and sponsor?&lt;/td&gt;
&lt;td&gt;Identifies accountability gaps.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;What access pattern does the agent use?&lt;/td&gt;
&lt;td&gt;Determines the correct Conditional Access and access governance model.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Is the agent approved, unknown, legacy, unmanaged, or orphaned?&lt;/td&gt;
&lt;td&gt;Determines the next corrective action.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Screenshot: Agent inventory table showing source platform, identity type, owner, sponsor, access pattern, and governance state&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimum inventory fields
&lt;/h2&gt;

&lt;p&gt;The inventory should capture enough information to support governance decisions, not just reporting.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent name&lt;/td&gt;
&lt;td&gt;Basic identification.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Source platform&lt;/td&gt;
&lt;td&gt;Identifies where the agent came from.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Environment, tenant, or region&lt;/td&gt;
&lt;td&gt;Helps with platform ownership and operational scoping.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Identity state&lt;/td&gt;
&lt;td&gt;Captures whether the agent uses Agent ID, app registration, service principal, agent user identity, registry-only visibility, or unknown identity.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Microsoft Entra Agent ID present&lt;/td&gt;
&lt;td&gt;Identifies whether Agent ID controls are relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Owner&lt;/td&gt;
&lt;td&gt;Technical or operational administrator.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Sponsor&lt;/td&gt;
&lt;td&gt;Business accountable person.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business purpose&lt;/td&gt;
&lt;td&gt;Explains why the agent exists.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;User-created or system-created&lt;/td&gt;
&lt;td&gt;Helps avoid applying business governance to built-in objects.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access pattern&lt;/td&gt;
&lt;td&gt;Classifies whether the agent acts on behalf of a user, acts autonomously, or uses its own user-like identity.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data sensitivity&lt;/td&gt;
&lt;td&gt;Helps prioritise protection and review.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business criticality&lt;/td&gt;
&lt;td&gt;Helps prioritise governance effort.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Approval status&lt;/td&gt;
&lt;td&gt;Tracks whether the agent is new, under review, approved, rejected, or revoked.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Governance state&lt;/td&gt;
&lt;td&gt;Tracks whether the agent is active, ReviewRequired, orphaned, unmanaged, retired, or policy-ready.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Recommended action&lt;/td&gt;
&lt;td&gt;Captures the next step for that agent.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Classification model
&lt;/h2&gt;

&lt;p&gt;Once the inventory is collected, classify every agent into a practical governance bucket. This avoids treating every discovered object as the same type of agent.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Classification bucket&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Entra Agent ID-backed agent&lt;/td&gt;
&lt;td&gt;Agent has a Microsoft Entra Agent ID.&lt;/td&gt;
&lt;td&gt;Move to governance design if owner, sponsor, purpose, and access pattern are known.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent ID-backed but missing accountability&lt;/td&gt;
&lt;td&gt;Identity exists, but owner or sponsor is missing.&lt;/td&gt;
&lt;td&gt;Fix accountability before enforcement.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Legacy app registration or service principal-backed agent&lt;/td&gt;
&lt;td&gt;Agent uses older app registration or service principal model.&lt;/td&gt;
&lt;td&gt;Track separately and validate governance path.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Microsoft 365 Agent Builder agent&lt;/td&gt;
&lt;td&gt;Agent created through Microsoft 365 Copilot Agent Builder.&lt;/td&gt;
&lt;td&gt;Govern through the appropriate Agent 365 or Microsoft 365 controls. Do not assume Agent ID behaviour without validation.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Third-party registered or synced agent&lt;/td&gt;
&lt;td&gt;Agent discovered through registry sync or external platform integration.&lt;/td&gt;
&lt;td&gt;Reconcile with the source platform and validate supported governance actions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Shadow AI or local agent&lt;/td&gt;
&lt;td&gt;Agent or AI tool detected through endpoint or security signals.&lt;/td&gt;
&lt;td&gt;Review through endpoint and security governance processes.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;System-created or built-in object&lt;/td&gt;
&lt;td&gt;Platform-generated or connector-like object.&lt;/td&gt;
&lt;td&gt;Exclude from business-agent governance review unless risk-relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unknown or unclassified agent&lt;/td&gt;
&lt;td&gt;Source, owner, sponsor, purpose, or identity model unclear.&lt;/td&gt;
&lt;td&gt;Mark as ReviewRequired.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Orphaned agent&lt;/td&gt;
&lt;td&gt;No valid owner, no sponsor, and unclear business purpose.&lt;/td&gt;
&lt;td&gt;Run claim-or-retire process.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Policy-ready agent&lt;/td&gt;
&lt;td&gt;Fully classified, accountable, and approved.&lt;/td&gt;
&lt;td&gt;Include in Conditional Access, access package, lifecycle workflow, and monitoring design.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Access pattern classification
&lt;/h2&gt;

&lt;p&gt;Identity state alone is not enough. The access pattern also matters.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Access pattern&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;th&gt;Governance implication&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;On-behalf-of user&lt;/td&gt;
&lt;td&gt;Agent acts using the signed-in user’s delegated context.&lt;/td&gt;
&lt;td&gt;Existing user Conditional Access and user permissions are highly relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Autonomous or app-only&lt;/td&gt;
&lt;td&gt;Agent operates independently using its own identity or application permission.&lt;/td&gt;
&lt;td&gt;Agent identity controls, app permissions, access packages, and agent-specific Conditional Access become relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent user identity&lt;/td&gt;
&lt;td&gt;Agent behaves like a user-like identity with its own mailbox, Teams presence, or directory identity.&lt;/td&gt;
&lt;td&gt;Stronger lifecycle, licensing, content access, and collaboration governance may be needed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Unknown&lt;/td&gt;
&lt;td&gt;Access behaviour is not confirmed.&lt;/td&gt;
&lt;td&gt;Do not enforce final policies until clarified.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Corrective actions after inventory
&lt;/h2&gt;

&lt;p&gt;Inventory should not remain a static report. It should drive cleanup.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Inventory finding&lt;/th&gt;
&lt;th&gt;Recommended action&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent has no owner and no sponsor&lt;/td&gt;
&lt;td&gt;Treat as orphaned or ReviewRequired. Ask platform or business team to claim ownership, otherwise move to retire or disable review.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent has sponsor but no owner&lt;/td&gt;
&lt;td&gt;Confirm or nominate the correct technical owner.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent has owner but no sponsor&lt;/td&gt;
&lt;td&gt;Assign a business sponsor before lifecycle or access governance.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Source platform unknown&lt;/td&gt;
&lt;td&gt;Keep in ReviewRequired state until source is validated.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Identity model unknown&lt;/td&gt;
&lt;td&gt;Classify as Agent ID, app registration, service principal, agent user, registry-only, shadow AI, or unknown.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Access pattern unknown&lt;/td&gt;
&lt;td&gt;Do not move into final Conditional Access design until access pattern is confirmed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;System or built-in object&lt;/td&gt;
&lt;td&gt;Exclude from business-agent governance unless risk-relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Agent fully classified and accountable&lt;/td&gt;
&lt;td&gt;Move to policy design.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Gatekeeping for new agents
&lt;/h2&gt;

&lt;p&gt;The first inventory helps clean the current state. The next challenge is preventing the same gaps from coming back.&lt;/p&gt;

&lt;p&gt;For newly created agents, define a minimum metadata gate before the agent is considered production-ready. At minimum, the agent should have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Owner&lt;/li&gt;
&lt;li&gt;Sponsor&lt;/li&gt;
&lt;li&gt;Business purpose&lt;/li&gt;
&lt;li&gt;Source platform&lt;/li&gt;
&lt;li&gt;Environment&lt;/li&gt;
&lt;li&gt;Access pattern&lt;/li&gt;
&lt;li&gt;Data sensitivity&lt;/li&gt;
&lt;li&gt;Business criticality&lt;/li&gt;
&lt;li&gt;Approval status&lt;/li&gt;
&lt;li&gt;Governance state&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Agents that do not meet the baseline should remain in &lt;strong&gt;ReviewRequired&lt;/strong&gt; state. They should not be treated as approved just because they exist.&lt;/p&gt;

&lt;p&gt;This helps the organisation move from manual housekeeping to a repeatable operating model.&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommended outcome of this phase
&lt;/h2&gt;

&lt;p&gt;By the end of the inventory and classification phase, the organisation should be able to answer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;How many agents exist?&lt;/li&gt;
&lt;li&gt;Where did they come from?&lt;/li&gt;
&lt;li&gt;Which agents have Microsoft Entra Agent ID?&lt;/li&gt;
&lt;li&gt;Which agents are legacy, third-party, shadow, or unknown?&lt;/li&gt;
&lt;li&gt;Which agents are user-created versus system-created?&lt;/li&gt;
&lt;li&gt;Which agents are missing owner or sponsor?&lt;/li&gt;
&lt;li&gt;Which agents are orphaned?&lt;/li&gt;
&lt;li&gt;Which agents are ready for policy design?&lt;/li&gt;
&lt;li&gt;Which agents need further investigation before enforcement?&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Agent governance should not start with policy creation. It should start with visibility.&lt;/p&gt;

&lt;p&gt;Inventory gives the organisation a clear view of the estate. Classification turns that view into action. Once agents are classified, accountable, and approved, the organisation can safely move into the next stage: using custom security attributes as the governance metadata layer.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/establish-owners-sponsors-and-accountability-for-ai-agents-1abl"&gt;Establish owners, sponsors, and accountability&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>agent365</category>
      <category>aigovernance</category>
      <category>entraagentid</category>
    </item>
    <item>
      <title>Governing AI agents with Microsoft Entra Agent ID and Agent 365</title>
      <dc:creator>stepbystep tocloud</dc:creator>
      <pubDate>Thu, 09 Jul 2026 15:04:00 +0000</pubDate>
      <link>https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g</link>
      <guid>https://dev.to/stepbysteptocloud/governing-ai-agents-with-microsoft-entra-agent-id-and-agent-365-3a7g</guid>
      <description>&lt;p&gt;AI agents are becoming part of the enterprise identity landscape. They can be created across different platforms, access corporate data, call APIs, participate in workflows, and in some cases operate with their own identity.&lt;/p&gt;

&lt;p&gt;That makes agent governance more than a discovery exercise. It becomes an identity, access, lifecycle, and risk-management discipline.&lt;br&gt;
The challenge is scale. Administrators cannot govern every agent one by one, especially when agents may come from Copilot Studio, Microsoft 365 Copilot Agent Builder, Azure AI Foundry, third-party platforms, registry sync, or shadow AI discovery. A durable model needs a clear sequence: visibility first, then classification, accountability, metadata, access control, governed access, lifecycle continuity, and monitoring.&lt;/p&gt;

&lt;p&gt;This series focuses on the Microsoft Entra side of AI agent governance, with emphasis on Microsoft Entra Agent ID, identity classification, ownership, sponsorship, access control, lifecycle continuity, and monitoring. It is not intended to be a complete governance model for Microsoft Agent 365, Copilot Studio, Power Platform, or every agent-building platform. Those platforms have their own governance controls and should be reviewed separately as part of a complete enterprise agent governance strategy.&lt;/p&gt;

&lt;p&gt;This series breaks the AI agent identity governance journey into focused stages, helping administrators build the Microsoft Entra governance foundation step by step.&lt;/p&gt;

&lt;h2&gt;
  
  
  Governance journey
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Part&lt;/th&gt;
&lt;th&gt;Article&lt;/th&gt;
&lt;th&gt;What it covers&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/start-with-agent-inventory-and-classification-4m57"&gt;Start with agent inventory and classification&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Discover agents, capture core metadata, classify identity models, and identify corrective actions.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/establish-owners-sponsors-and-accountability-for-ai-agents-1abl"&gt;Establish owners, sponsors, and accountability&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Define who is technically responsible and who is business-accountable for each agent.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/use-custom-security-attributes-as-the-governance-metadata-layer-for-ai-agents-k98"&gt;Use custom security attributes as the governance metadata layer&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Build a scalable attribute model for approval state, sensitivity, access pattern, lifecycle state, and policy targeting.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/design-conditional-access-policies-for-agent-identities-29cb"&gt;Design Conditional Access policies for agent identities&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Apply access controls based on agent access pattern, approval state, identity type, and risk.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/use-access-packages-for-governed-agent-access-35an"&gt;Use access packages for governed agent access&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Provide approved agents with time-bound, auditable access through approval workflows instead of permanent direct assignments.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/maintain-sponsor-continuity-with-lifecycle-workflows-3mo5"&gt;Maintain sponsor continuity with lifecycle workflows&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Prevent agent identities from becoming orphaned when sponsors move roles or leave the organisation.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;7&lt;/td&gt;
&lt;td&gt;&lt;a href="https://dev.to/stepbysteptocloud/monitor-risky-agents-and-keep-agent-governance-current-4568"&gt;Monitor risky agents and keep governance current&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Use sign-in logs, audit logs, risk signals, access expiry, and sponsor reviews to keep the model healthy.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  The recommended sequence
&lt;/h2&gt;

&lt;p&gt;The governance model should follow a simple sequence:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Inventory&lt;/strong&gt; the agent estate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Classify&lt;/strong&gt; agents by source, identity model, and access pattern.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Assign accountability&lt;/strong&gt; through owners and sponsors.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Populate governance metadata&lt;/strong&gt; using custom security attributes.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Apply access controls&lt;/strong&gt; using Conditional Access.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Grant durable access&lt;/strong&gt; using access packages.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Maintain sponsorship&lt;/strong&gt; using lifecycle workflows.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Monitor continuously&lt;/strong&gt; using logs, risk signals, and review processes.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The important principle is that enforcement should not start before the estate is understood. Once each agent is visible, classified, accountable, and approved, policies can be introduced safely and expanded in phases.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this matters
&lt;/h2&gt;

&lt;p&gt;Without a structured model, organisations can quickly end up with agents that are visible but not governed, approved but not accountable, or active without a clear business owner.&lt;/p&gt;

&lt;p&gt;A good agent governance model helps answer practical questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What agents exist in the environment?&lt;/li&gt;
&lt;li&gt;Which platform created or surfaced each agent?&lt;/li&gt;
&lt;li&gt;Which agents have Microsoft Entra Agent ID?&lt;/li&gt;
&lt;li&gt;Which agents are legacy, third-party, shadow, or unknown?&lt;/li&gt;
&lt;li&gt;Who owns the agent technically?&lt;/li&gt;
&lt;li&gt;Who sponsors the agent from a business perspective?&lt;/li&gt;
&lt;li&gt;What access pattern does the agent use?&lt;/li&gt;
&lt;li&gt;Is the agent approved, under review, rejected, or orphaned?&lt;/li&gt;
&lt;li&gt;What controls should apply next?&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Target outcome
&lt;/h2&gt;

&lt;p&gt;The goal is not to create policy complexity. The goal is to build a repeatable operating model where every agent can be placed into a clear governance state.&lt;/p&gt;

&lt;p&gt;A healthy target state looks like this:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Governance state&lt;/th&gt;
&lt;th&gt;Meaning&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Classified&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The agent source, identity model, and access pattern are understood.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Accountable&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The agent has a valid owner and sponsor.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Approved&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The agent has business justification and required metadata.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Governed&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Conditional Access, access packages, lifecycle controls, and monitoring can apply where relevant.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;ReviewRequired&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The agent is missing key information and should not be treated as production-ready.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Orphaned&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;The agent has no valid owner or sponsor and must be claimed, retired, or blocked based on the organisation’s process.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  How to use this series
&lt;/h2&gt;

&lt;p&gt;Use the articles as a phased design guide.&lt;/p&gt;

&lt;p&gt;Start with inventory and classification. Then clean up owner and sponsor gaps. Once the baseline is clean, move to custom security attributes, Conditional Access, access packages, lifecycle workflows, and monitoring.&lt;/p&gt;

&lt;p&gt;This keeps the design practical. Instead of trying to govern thousands of agents manually, the organisation builds a metadata-driven model where approved agents can be governed consistently and unknown agents stay under review until validated.&lt;/p&gt;

&lt;p&gt;Bonus: &lt;a href="https://dev.to/stepbysteptocloud/putting-the-agent-governance-model-into-production-1p33"&gt;Putting the agent governance model into production&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrap-up
&lt;/h2&gt;

&lt;p&gt;Agent governance should not start with policies. It should start with visibility and accountability.&lt;/p&gt;

&lt;p&gt;Once the estate is inventoried, classified, and trusted, Microsoft Entra Agent ID and Agent 365 controls can be applied in a structured way: custom security attributes for metadata, Conditional Access for enforcement, access packages for governed access, lifecycle workflows for continuity, and monitoring for ongoing assurance.&lt;/p&gt;

&lt;p&gt;Next in the series: &lt;a href="https://dev.to/stepbysteptocloud/start-with-agent-inventory-and-classification-4m57"&gt;Start with agent inventory and classification&lt;/a&gt;&lt;/p&gt;

</description>
      <category>microsoftentra</category>
      <category>aigovernance</category>
      <category>agent365</category>
      <category>entraagentid</category>
    </item>
  </channel>
</rss>
