AGENT 365

Agent 365 is here. Be ready before your agents are.

From 1 May, every agent in your tenant gets a control plane. Changing Social helps you stand it up the right way – observable, governed, secure, and aligned to the EU AI Act, in days, not months.

Whether you’re standing up your first Copilot Studio agent, inheriting a tenant full of shadow ones, or scaling a multi-agent estate across business units, Agent 365 changes how you have to operate. We help you make that shift without the false starts.

  • Inventory-led control that turns shadow agents into a defensible register
  • Identity-first security with Entra Agent ID, Conditional Access and runtime protection extended to every agent
  • Lifecycle governance that treats agents like employees – sponsored, scoped, retired
  • Regulator-ready evidence mapped to EU AI Act articles, not retrofitted later
  • Adoption that holds through trained admins, sponsored owners and agent-aware ways of working

WHAT YOU LEAVE WITH

A clear, owned Agent 365 blueprint.

By the end of the engagement, IT, Security, Legal and the business have one shared view of your agent estate, and a plan that holds up to both Microsoft governance best practice and EU AI Act scrutiny.

  • A current-state Agent Registry, owned by IT

  • A sponsorship model agreed across IT, Security and the business

  • A configured Agent 365 control plane in your tenant

  • A Provider/Deployer determination and FRIA template

  • An EU AI Act control matrix mapped to Microsoft capabilities

  • Trained admins, business owners and agent-aware employees

ⓘ No generic “best practice” decks – everything is tailored to your tenant and ways of working.

Why this matters now

Your agent estate is already running. Your governance probably isn’t.

Most leaders are asking the same questions:

  • How many agents are actually running in our tenant, including the shadow ones?
  • Who sponsors each agent, and what data can it touch?
  • Are we a Provider or a Deployer under the EU AI Act?
  • Where does Agent 365 give us evidence we can show a regulator?

Twelve months ago, the question was whether agents could do useful work. Today the answer is yes – too many of them, in too many places, often without anyone formally in charge. From 1 May, Microsoft gives IT and Security a single place to see them all, govern them all, and protect them all.

Agent 365 maturity ladder

Your results are mapped against our CS-500 Maturity Model, scoring each area from Level 0 to Level 500. This simple visual benchmark helps leaders understand strengths, risks and priority gaps at a glance.

0
Awareness

AI and Microsoft capabilities are known but not yet embedded.

100
Foundations

Core governance, platforms and pilots are in place.

200
Accelerators

Early use cases, champions and repeatable patterns emerging.

300
Established

AI and low-code used consistently across key journeys.

400
Integrated

AI is embedded into ways of working, with strong guardrails.

500
Transformed

AI-enabled, data-driven and continually optimised workplace.

CS-500 example profile

AI Agents – 400
Microsoft 365 – 350
Copilot readiness – 240
Power Platform – 210
People & culture – 180

Our differentiator

Agent 365, mapped to the EU AI Act

The Act becomes fully applicable on 2 August 2026. High-risk obligations – risk management, data governance, transparency, human oversight, post-market monitoring – apply directly to how you deploy agents. Penalties run up to €15m or 3% of global turnover.

Three months between Agent 365 going live and the Act biting. We’ve already mapped every Agent 365 capability to the obligations a Provider or Deployer must meet – including the Fundamental Rights Impact Assessment under Article 27.

What we deliver:

  • An EU AI Act-aligned Agent 365 control framework
  • A FRIA template that reuses your existing DPIA evidence
  • An Agent Registry that doubles as your Article 16 / 26 record-keeping
  • Human oversight playbooks for each agent class
  • Post-market monitoring tied to Microsoft Purview DSPM

What you get

Four outputs that move you from insight to action.

D E L I V E R A B L E  0 1

Agent 365 readiness baseline

Current-state Agent Registry, sponsorship model and policy-template shortlist after a structured Key Questions session with IT, Security, Legal and the business.

D E L I V E R A B L E  0 2

Configured control
plane

Entra Agent ID, Conditional Access for agents, Purview DSPM for AI, Inline DLP, Communication Compliance and Defender posture management – set up against your environment.

D E L I V E R A B L E  0 3

EU AI Act control matrix + FRIA

Provider / Deployer determination, a FRIA template that reuses your DPIA evidence, and a control matrix showing your DPO exactly which obligations are met by which Agent 365 capability.

D E L I V E R A B L E  0 4

Adoption & enablement playback

IT and Security trained on Agent 365 admin, business owners walked through the Agent Map, employees onboarded to agent-aware ways of working.

Three pillars. One control plane.

What Agent 365 does, and how we help you land it

O B S E R V E

See every agent, even the ones you didn’t know about

A full inventory of Microsoft, partner, Copilot Studio, Foundry and shadow agents. The Agent Map shows how they connect, perform and behave over time.

G O V E R N

Manage agents the way you manage employees

Onboarding workflows, policy templates that bundle Purview, Entra and SharePoint controls, least-privilege access, lifecycle rules, and Communication Compliance for unethical behaviour.

S E C U R E

Protect agents end-to-end, including the threats nobody’s seen yet

Entra Agent ID, Conditional Access for agents, Defender runtime protection through the Agent 365 tools gateway, and Purview Inline DLP that intercepts risky prompts before data leaves.

Each pillar includes discovery, planning and enablement activities without exposing internal methods or tools.

Outcomes for your organisation

Governance that protects you, security that holds up under audit, and an agent estate your people can actually use with confidence.

  • A defensible agent register IT, Security and the DPO all trust

  • Sponsorship and lifecycle rules that match your joiner-mover-leaver model

  • Identity, conditional access and runtime protection extended to every agent

  • EU AI Act obligations evidenced by the controls you’ve already configured

  • Reduced shadow-agent risk through visible, sponsored alternatives

  • A roadmap from agent experimentation to enterprise-scale operations

Don’t let your agent estate run ahead of your governance.

 

Agent 365 is live on 1 May. The AI Act bites on 2 August. The window to get this right is now.

Talk to the team that wrote the questions you should be asking. We’ve been preparing customers for this since Ignite – and our consultants are among the first in the world to take organisations from agent experimentation to enterprise-scale operations, safely.

Response within 1 business day. No spam. No obligation

THE CHANGING SOCIAL FAQ

Here Is The Most Frequently Asked Questions.

We know that investing in a comprehensive AI Agents is a significant decision for your business. That’s why we’ve put together a list of frequently asked questions about Agents. We’ve got your queries covered. If you have further questions, feel free to reach out to us – we’re here to help!

Agent 365 is Microsoft’s control plane for every agent in your tenant – Microsoft, partner, Copilot Studio, Foundry and shadow agents built in Copilot Chat. It doesn’t replace existing tools; it gives IT, Security and Compliance one place to inventory, govern and secure all of them.

To get a balanced picture, we typically include IT, Security, Legal/DPO and a business sponsor. The Agent 365 model only works when sponsorship and risk are agreed across those four roles.

Copilot readiness focuses on a single product. Agent 365 readiness covers every agent in your tenant – including ones built without IT, and ties governance evidence directly to EU AI Act obligations.

Week 1 delivers a baseline you can show leadership. Week 2 stands up the control plane. Week 3 produces your AI Act mapping. Week 4 covers adoption. Days, not months.

The Act applies to any organisation putting agents on the EU market or affecting people in the EU. Even if your headquarters is elsewhere, the same control framework gives you a defensible posture for other regimes – UK AI principles, NIST AI RMF, ISO 42001.

The Fundamental Rights Impact Assessment is required under Article 27 of the EU AI Act for Deployers of high-risk AI in certain contexts. Our template reuses your existing DPIA evidence so you’re not duplicating work between your DPO and your AI governance lead.