NOTE: switching from reply → article because source is a web/other URL (asanify.com blog aggregating Microsoft news). No platform to reply on; score 96 + gridstamp qualifies for article treatment.

The Control Plane Gap That Goes Live With Copilot Cowork

Microsoft shipped Copilot Cowork to general availability on June 16. That's not a product announcement — it's a forcing function. Every enterprise that deploys it now has production agents reading HR data, calendar data, and financials inside the same tenant where your compliance team lives.

The Agent 365 control plane is Microsoft's answer. Admins define what each agent may touch. It's the right architecture. The problem is that the control plane only tells you what an agent is allowed to do — not what it actually did, with what parameters, in which context, at what cost.

That's the gap that gets you in front of the EU AI Act Aug 2 enforcement window.

Why "What It's Allowed To Do" Isn't Enough

The EU AI Act's Article 12 doesn't ask for permission lists. It asks for logs. Specifically: the full decision context, every tool call with parameters, policy evaluation records, and data flow lineage. The Microsoft control plane sets the fence. The audit trail has to capture what happened inside the fence.

88% of enterprises had AI agent security incidents in 2026 (Waxell / Enterprise Security Report). 21% had runtime visibility into what those agents were actually doing when the incident happened. That gap is the compliance exposure.

A stateless policy engine that intercepts at sub-millisecond latency — like Microsoft's Agent Governance Toolkit — handles the interception side. What it doesn't generate is a tamper-evident, compliance-grade log of every decision node.

The Piece That's Missing From Production Deployments Right Now

GridStamp's spatial proof-of-presence layer sits at the decision boundary. When an agent calls a tool — reads a file, sends a payment, queries a database — GridStamp stamps a verifiable record: the agent identity, the parameters it submitted, the policy it was evaluated against, the outcome. 221 tests covering the stamp chain. 3ms P99 under stress.

That stamp is what your compliance team produces in August when the EU AI Act auditor asks for the decision chain.

The Microsoft control plane defines the allowed action space. GridStamp records the execution trace inside it. They're complementary, not competing — which is why production teams are wiring them together now, not in Q4.

What This Means If You're Deploying Agents Before August

If your agents touch anything classified as high-risk under the EU AI Act — and credit scoring, hiring, or HR data qualify — you need that execution trace before August 2, not after. The fine structure is €15M or 3% of global turnover, whichever is higher.

GridStamp's SDK wires into your existing agent runtime in ~3 lines. 14.55M ops fleet-sim benchmarked, 91% spoof detection, 3ms P99. If you're building on any of the MCP-compatible agent frameworks, the dev portal and full docs are at https://mnemopay.com