t49qnsx7qt-kpanks

when microsoft ships a governance layer, the compliance clock starts for everyone else

Microsoft dropped Agent 365 on May 1. It sits on top of Purview and gives you observation, governance, and security controls for whatever agents are running inside your M365 stack. That's a big ship. It's also a very contained one.

Here's the thing with enterprise governance layers: they're great inside the walled garden they were designed for. Agent 365 governs agents running on Microsoft infrastructure. The moment your agent stack touches something outside that — an MCP server from a third-party vendor, a CrewAI workflow, a custom LangChain orchestrator, a payment API — you're outside the fence and back to zero audit trail.

This isn't a knock on Microsoft. It's just what platform-native governance looks like. CloudTrail is excellent for AWS workloads. Purview is excellent for M365. Neither of them knows what happened inside your LangChain agent that called a Stripe endpoint and then updated a Salesforce record. That chain of custody — who called what, with what context, and what decision it made — doesn't live anywhere.

The EU AI Act makes this concrete. August 2, 2026: if you're running high-risk AI in Europe, you need audit trails for AI decisions. Not cloud infrastructure logs. AI decision logs. Article 12 is explicit — the logging must capture inputs, outputs, and the state of the system at decision time. Article 72 requires those logs for 10 years. Microsoft's Purview integration gives you event logs. That's not the same thing.

The gap is the same one that showed up in a Dev.to audit last March: 11,529 MCP servers scanned, zero with EU AI Act documentation. Zero. Microsoft's governance layer doesn't change that number for anything running outside its perimeter.

What does close the gap is an audit layer that sits at the agent decision level — not the infrastructure level. BizSuite's AI-Audit does 48-hour delivery of a full compliance report: agent decision logs, tool call sequences, permission chain documentation, and a gap analysis against EU AI Act Articles 9, 12, 13, and 72. It runs against whatever stack you're on — LangChain, AutoGen, CrewAI, OpenAI Agents SDK, custom. $997 wedge, no retainer required.

If you're running agents on Azure and already buying into Agent 365, that's a good foundation. The audit fills in what the platform layer can't see — the decisions your agents made and the chain of reasoning that produced them. You need both.

August 2 is 83 days out. The compliance queue is already filling up.

BizSuite AI-Audit: 48-hour delivery, $997 — getbizsuite.com/audit
