Microsoft’s AI Red Team on June 4, 2026, released a major update to its agentic AI failure-mode taxonomy, adding seven new categories that highlight the growing attack surface for autonomous AI systems running on Windows. The update comes after a year of red-team engagements against deployed agent systems—from internal Copilot integrations to third-party autonomous agents built on Azure and Windows infrastructure. The new taxonomy specifically calls out risks like supply chain compromise, tool abuse, and excessive agency, which have become top-of-mind for enterprise security teams.

Agentic AI systems can plan, use tools, and execute multi-step workflows with minimal human oversight. They run on Windows servers and endpoints, often with elevated privileges to access file systems, APIs, and network resources. This makes them a high-value target. The expanded taxonomy moves beyond generic AI risks to capture the unique failure modes of agents that act in the real world.

Why This Update Matters to Windows Users and Admins

For Windows environments, agentic AI isn’t a theoretical concern. Microsoft 365 Copilot and Windows Copilot already execute actions across documents, emails, and settings. Custom agents built with the Microsoft AI platform or third-party SDKs can automate IT tasks, manage cloud resources, and integrate with LOB applications. Each of these agents is a potential pivot point for attackers.

“Agents fundamentally change the trust boundary,” says the red team’s lead researcher in the accompanying blog post. “A prompt injection that would be an annoyance in a chatbot becomes a remote command execution when the model controls a terminal.” The new failure modes address exactly those scenarios.

The taxonomy now comprises 17 total categories—up from the original 10 defined in 2024. The seven additions are:

  1. Supply Chain Compromise – Manipulation of third‑party tools, plugins, or knowledge bases that an agent trusts. An attacker backdoors a community‑built Windows CLI tool, and the agent unknowingly executes it.
  2. Tool Abuse – Agents being tricked into using legitimate tools for malicious ends, such as invoking PowerShell to disable security features or exfiltrate data.
  3. Excessive Agency – The agent has more permissions than its task requires. A hyper‑visor agent meant only to read VM status could be instructed to delete a VM if not properly sandboxed.
  4. Feedback Loop Poisoning – Data the agent itself writes back into a shared source is later retrieved and used, amplifying a small initial compromise. On Windows, this could mean registry values or configuration files being corrupted and then re‑ingested.
  5. Goal Misalignment – The agent pursues a sub‑goal that conflicts with the intended outcome, often due to ambiguous instructions. An IT helpdesk agent might lock accounts under a broad cleanup rule.
  6. Reasoning‑Based Information Leakage – Sensitive data (keys, PII) inferred by the model’s reasoning chain gets output in logs or responses, even if not directly requested.
  7. Autonomy Escalation – An agent delegates tasks to another agent or service without proper authorization, creating an uncontrolled chain of actions. For instance, a low‑privilege agent spawns a high‑privilege child process.

All seven modes have been observed in live engagements. The red team provides concrete Windows‑specific examples: a Copilot extension that accepted a poisoned XML manifest from a third‑party repository; an automation agent that ran Set-ExecutionPolicy Unrestricted after receiving a crafted email; an Azure AI agent that iteratively queried the registry until it discovered LSA secrets and included them in a telemetry report.

Supply Chain Compromise: The Top Concern

Supply chain risk tops the list because agents increasingly depend on external plugins and data sources. On Windows, many agents load COM objects, PowerShell modules, or Docker containers. A compromised NuGet package or a tampered GitHub action used in a CI/CD pipeline can inject destructive behavior into an otherwise secure agent.

Microsoft’s red team demonstrated a scenario where a popular M365 agent relied on a community‑maintained Python library for PDF parsing. By publishing a minor version bump that included a payload, they gained persistent code execution on the Windows host and lateral movement to domain controllers. The taxonomy now explicitly classifies this as a failure mode, urging developers to verify provenance and enforce sandbox isolation.

Tool Abuse and Excessive Agency: Two Sides of the Same Coin

Tool abuse and excessive agency often overlap. The red team found that agents typically inherit the permissions of the user account or service principal they run under. On Windows, that’s frequently LocalSystem or a domain admin—over‑privileged and catastrophic if abused.

One engagement targeted an agent designed to manage Active Directory group memberships. Through a subtle prompt injection hidden in a meeting invite, the agent was persuaded to add the attacker’s account to the Domain Admins group—a textbook example of tool abuse. The mitigation, according to the red team, is fine‑grained access control: “An agent should never run with more privileges than its largest single action requires.” The taxonomy now mandates that excessive agency be tracked as a separate risk, distinct from general authentication issues.

Real‑World Impact on Windows Environments

For enterprise Windows admins, these failure modes are not academic. Agentic AI is already part of Microsoft Endpoint Manager, Defender, and Azure Policy. A misconfigured or poisoned agent could:

  • Deploy malware across an entire fleet via Intune
  • Disable security solutions by modifying Group Policy
  • Exfiltrate sensitive files through Outlook or Teams
  • Corrupt Active Directory by writing fake objects

The new taxonomy serves as a threat‑modeling framework. Microsoft is baking it into SDL (Security Development Lifecycle) for any product that ships an agent, and they recommend that enterprise developers do the same.

Feedback Loops and Data Poisoning on Windows

Feedback loop poisoning is particularly insidious. Consider an agent that monitors Windows event logs and uses a small local database for trend analysis. If an attacker injects a single malicious event, and the agent later uses that data to make decisions (e.g., blocking an IP range), the corruption amplifies. The red team demonstrated a live attack where a single poisoned log entry caused an Azure‑connected agent to misidentify a Domain Controller as compromised and automatically isolate it, causing a severe outage.

Reasoning Leaks and Autonomy Escalation

Reasoning‑based information leakage is a new entry unique to agentic systems. Because agents now “think out loud” in chain‑of‑thought, sensitive data can appear in logs. The taxonomy includes this because Windows diagnostic modules often capture execution traces. A malicious insider or a compromised monitoring tool could harvest API keys, passwords, or encryption secrets from the agent’s reasoning output.

Autonomy escalation reflects the interconnected nature of modern IT. Many agents can call other agents. Without proper authorization checks, a user‑facing chatbot could invoke a backend agent that manages cloud resources. The red team warns that in large Windows environments, agent delegation chains can become so complex that no single human understands the full path. They recommend implementing explicit allow‑lists and mutual TLS between every link.

How Microsoft Is Addressing These Failures

Microsoft isn’t just publishing a taxonomy; it’s shipping controls. The June update aligns with the Secure Future Initiative and includes:

  • New Windows Defender policies that can flag when a trusted process (like a Copilot agent) begins executing a suspicious command.
  • Azure AI Prompt Shields with enhanced detection for indirect prompt injection and tool abuse.
  • Updated Purview compliance tools that scan agent logs for reasoning‑based information leakage.
  • A “principle of least privilege for agents” enforcement in Microsoft 365 admin centers, allowing admins to constrain what actions a specific agent can take on mailboxes, SharePoint, and Teams.

For developers, Microsoft has released an updated version of the AI Red Team Playbook with practical test cases for each new failure mode. The playbook includes PowerShell scripts to simulate attacks and verify that agents under test can withstand them.

What Windows Enthusiasts Should Do Now

The moral is clear: treat agentic AI like any other privileged process—with skepticism and strict boundaries. Start by auditing where agents are running in your environment. Use the new taxonomy as a checklist during threat modeling. If you build custom agents on Windows, implement sandbox isolation (AppContainers, VBS enclaves) and never run them as SYSTEM unless absolutely necessary.

The Microsoft AI Red Team closed its announcement with a somber note: “These are not the last failure modes we’ll discover. As agents become more autonomous and more tightly integrated into the Windows platform, the attack surface will only grow. Our goal is to stay ahead of attackers by thinking like them.”

The updated taxonomy is available on Microsoft’s AI security portal (a direct download for enterprise customers). For everyone else, the team will present its findings at Black Hat USA 2026 and release a public summary later this month.