Silverfort has thrown a much-needed net over the autonomous actions of AI agents with a new early-access integration for Microsoft Copilot Studio. Announced June 8, 2026, the solution injects runtime identity and access controls directly into agent workflows, evaluating every operation before it touches sensitive data or systems. Security teams can now enforce who an agent is, what it’s allowed to do, and under which conditions—without gutting the speed that makes agents useful.
The launch tackles a glaring oversight in agent governance. Microsoft Copilot Studio lets builders spin up conversational agents that tap into Microsoft 365, Dynamics, Power Platform, and hundreds of third-party connectors. But those agents carry the identity of their service principal or user account, often granted sweeping read/write permissions simply to avoid frustrating “access denied” errors during testing. An overprivileged agent is a gift to attackers: compromise the agent’s credentials, and you hold the keys to the kingdom. Silverfort’s controls change that calculus.
“AI agents are the new identity frontier,” explained a Silverfort product manager in the announcement briefing. “They act autonomously, sometimes chaining dozens of API calls across different systems in seconds. Traditional static role-based access can’t keep up. We give teams the ability to say, ‘This agent can read customer records only during business hours, from a managed device, and never download bulk data.’ That’s runtime enforcement.”
The Identity Blind Spot in Agentic Workflows
Copilot Studio agents are not simple chatbots. They orchestrate multi-step processes: a customer inquiry might trigger a CRM lookup, an inventory check, a support ticket creation, and a follow-up email—all without a human in the loop. Each action is a potential pivot point. If the agent’s underlying service account has blanket access to SharePoint sites, SQL databases, or financial systems, a poisoned prompt or an internal bad actor could trigger a data exfiltration that logs as legitimate activity.
Existing Microsoft safeguards, such as Conditional Access and Privileged Identity Management, are designed for human users. They can gate the initial authentication of the agent’s account, but once a token is issued, the agent can waltz through a series of API calls unchecked. Silverfort’s innovation is to insert a policy decision point at each action boundary, similar to how OPA (Open Policy Agent) works in cloud-native infrastructure, but purpose-built for the identity context of Microsoft ecosystems.
How Runtime Identity Controls Work
The integration hooks directly into Copilot Studio’s extensibility layer. When an agent is triggered, its actions are intercepted by a Silverfort policy engine that sits logically between the agent’s execution runtime and the target resource. The engine examines:
- Agent identity: Which service principal, managed identity, or user account is executing the action? Is it allowed to impersonate a human?
- Action type: Read, write, delete, execute, or API-specific operations like “ExportToCSV” or “SendMail”.
- Target resource: SharePoint file, Dynamics table, Dataverse entity, external connector endpoint, etc.
- Contextual signals: Time of day, geolocation, device compliance status, risk score from Microsoft Entra ID Protection or Silverfort’s own threat analytics.
- Behavioral history: Is this action anomalous compared to the agent’s typical pattern—e.g., accessing 50,000 records when it normally touches 10?
Policies are authored in Silverfort’s cloud console and can be as granular as “Allow HR agents to update employee records only from the VPN IP range during 8am–6pm CET” or “Block any agent from sending email to external domains unless flagged as allowed.” The policy engine uses streaming inputs, so a change in risk score mid-session—say, an account appearing on a dark web list—can revoke access instantly.
All decisions are logged with full context, including the original prompt snippet, the evaluated attributes, and the outcome. This turns agent actions into auditable events, satisfying compliance teams who have been spooked by the “black box” nature of autonomous AI.
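The per-action evaluation described above can be sketched as a small default-deny policy decision point. This is an added illustration, not Silverfort's engine or API: the field names, thresholds, VPN range and domain are constructed for the example, and the rules mirror the sample policies quoted in this section.

```python
import ipaddress
from dataclasses import dataclass

VPN_RANGE = ipaddress.ip_network("10.8.0.0/16")   # constructed sample range
INTERNAL_DOMAIN = "example.com"                   # constructed sample domain
RISK_LIMIT, ANOMALY_FACTOR = 70, 10               # assumed thresholds

@dataclass
class ActionRequest:
    agent: str            # service principal name
    role: str             # e.g. "hr-agent"
    action: str           # "read", "update", "SendMail", ...
    resource: str         # e.g. "employee_records"
    source_ip: str
    hour_cet: int         # local hour, 0-23
    risk_score: int       # 0-100, from an identity-risk feed
    records: int = 1      # records touched by this action
    baseline: int = 10    # agent's typical records per action
    recipient: str = ""   # only used for SendMail
    external_mail_allowed: bool = False

def decide(req: ActionRequest) -> tuple[str, str]:
    """Return (decision, reason). Deny rules run first; default is deny."""
    if req.risk_score >= RISK_LIMIT:
        return "deny", "risk score above limit"
    if req.records > req.baseline * ANOMALY_FACTOR:
        return "deny", "record count anomalous versus baseline"
    if req.action == "SendMail":
        external = not req.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
        if external and not req.external_mail_allowed:
            return "deny", "external recipient not allowed"
        return "allow", "mail rule satisfied"
    if (req.role, req.action, req.resource) == ("hr-agent", "update", "employee_records"):
        on_vpn = ipaddress.ip_address(req.source_ip) in VPN_RANGE
        if on_vpn and 8 <= req.hour_cet < 18:
            return "allow", "HR update from VPN in business hours"
        return "deny", "HR update outside VPN range or hours"
    return "deny", "no matching allow rule"

def audit(req: ActionRequest) -> dict:
    """Evaluate and return the audit record a log pipeline would store."""
    decision, reason = decide(req)
    return {"agent": req.agent, "action": req.action, "resource": req.resource,
            "decision": decision, "reason": reason}
```

Because `decide` is called for every action rather than once per session, re-submitting the same request after the risk score rises flips the result from allow to deny.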
Tight Integration with Microsoft’s Security Stack
Silverfort built the connector natively for the Microsoft identity fabric. It ingests agent identities from Entra ID, maps them to roles and groups, and applies Conditional Access signals in real time. The integration respects existing Microsoft policy structures, so a CISO doesn’t need to rip out RBAC models; they extend them.
For example, a company that already requires phishing-resistant MFA for human administrators can now require the same for agents that can modify security settings. Silverfort can step up authentication, prompting the agent’s human oversight for approval, before a high-risk action executes. That human approval can be delivered via Teams chat, mobile push, or an API call, keeping the workflow automated but not uncontrolled.
Use Cases Driving Demand
Early adopters in the financial services and healthcare sectors are testing the integration for specific high-stakes scenarios:
- Customer Support Triage: Agents now handle refund requests up to $500 autonomously. Silverfort policies ensure that any refund above $500 triggers a manager approval step, and that the agent cannot access payment instrument details.
- Clinical Data Queries: A hospital’s Copilot agent answers physician questions by querying patient records. Runtime controls restrict the agent to read-only access on the target FHIR endpoints, and deny access if the query appears to request bulk data export.
- Supplier Onboarding: An agent automates the creation of vendor accounts in Dynamics. Silverfort ensures the agent cannot modify existing vendor records or access financial audit logs, reducing the blast radius of a potential compromise.
- Internal IT Helpdesk: Agents that reset passwords or provision accounts are constrained to specific OUs in Active Directory, and any attempt to add an account to a privileged group is blocked and alerted.
Competing Approaches and Silverfort’s Edge
Silverfort is not alone in chasing agent governance. Microsoft’s own Purview and Entra platform are rapidly adding AI-centric controls, including sensitivity labels for Copilot interactions and the ability to apply Conditional Access to service principals. Startups like Aembit and Otterize have carved niches in workload identity for CI/CD pipelines, while established players like CyberArk and Delinea focus on secrets management for non-human accounts.
Silverfort’s differentiation comes from its unified runtime enforcement across on-premises and cloud. Many enterprises still run Active Directory and legacy systems alongside Azure, and Copilot agents can reach into those. Silverfort’s existing identity security platform already monitors and protects hybrid identities, so this Copilot Studio integration is an extension of a larger control plane. Moreover, the contextual analysis, which merges identity signals with AI behavior, is a more sophisticated approach than simple static rules.
Getting Hands On: Early Access Program
The runtime identity controls for Copilot Studio are available now as part of Silverfort’s early access program. Participants get a managed cloud instance, pre-built policy templates, and full integration support. The company has committed to weekly threat intelligence updates for agent-specific risks and is working on a community policy library where customers can share templates.
Requirements include an existing Copilot Studio environment, Entra ID Premium licensing, and Silverfort’s identity security platform (or a trial instance). The solution does not modify Copilot Studio’s code; it operates via API-based interception, which means no changes to existing agents are necessary.
The Bigger Picture: From User-Centric to Agent-Centric Security
This launch signals a broader shift in identity strategy. For decades, security tools have been built around the assumption of a human user sitting down to work. Autonomous agents shatter that model. They operate at machine speed, they don’t log in at 9 a.m., and they don’t get tired and make mistakes—but they do amplify the consequences of misconfiguration.
Gartner listed “agentic AI security” as a top-of-mind concern in its 2026 cybersecurity forecasts, predicting that 70% of enterprises will experience a security incident involving an AI agent by 2027. Regulations like the EU AI Act and U.S. executive orders on AI safety are increasingly demanding that high-risk AI systems implement “technical measures” to prevent unauthorized actions.
Silverfort’s move positions its platform as a bridge between static IAM and the fluid, context-aware enforcement that agentic workflows demand. If the early access proves successful, expect similar integrations with other agent builders like Salesforce Agentforce, ServiceNow’s AI, or homegrown LangChain deployments.
What Security Leaders Should Do Now
Even before adopting runtime controls, CISOs can take immediate steps to limit exposure from overprivileged agents:
- Audit all service principals and managed identities used by Copilot Studio. Revoke excessive permissions.
- Implement strict naming conventions and tagging so agents are easily identifiable in logs.
- Use Entra ID’s “workload identity protection” to flag risky authentications and anomalous token usage.
- Enroll in Silverfort’s early access if Copilot Studio is in production, particularly for agents touching regulated data.
Conclusion: A Necessary Guardrail
AI agents promise efficiency, but without runtime identity controls, they are loose cannons. Silverfort’s integration for Copilot Studio provides a pragmatic, deployable guardrail that doesn’t require rebuilding agents or upending existing identity architectures. It’s a soft landing for enterprises that have already charged ahead with agent adoption and are now waking up to the governance debt.
As the agent landscape fragments, the ability to enforce consistent, real-time policies across clouds and on-prem systems will become the hallmark of mature identity programs. Silverfort’s June 2026 announcement is an early but decisive step toward that endpoint, and a signal that the era of treating agents as special, exempt entities is over. The new rule: no action is too automated to be accountable.