Copilot Agents governance relies on four key controls. First, decide who can create agents. Next, define what data agents can use. Then, control who can share them. Finally, limit what they can do externally. Get those four right and Microsoft Agent 365 becomes a useful productivity layer for your business. Skip them and you create a quiet new oversharing surface that sits on top of all the data your tenant has accumulated since 2018.

Agent 365 reached general availability on 1 May 2026, and Microsoft’s Copilot data loss prevention for web search is rolling out worldwide through June 2026. That makes June the right month to set the rules, before staff start building agents at scale and the first ungoverned one shows up in a client meeting.

What changed with Microsoft Agent 365

Microsoft Agent 365 brings agents into the same identity, security and management plane as users. Agents can hold their own identity, use specific data sources, and perform actions across Microsoft 365 and selected third-party systems. For that reason, organisations should govern them with the same controls they use for human accounts.

For an SME already using Microsoft 365 Copilot, this is the point where AI moves from a chat feature to something staff can build with. Copilot Studio lets users assemble agents that summarise weekly inboxes, route customer queries, draft proposals from templates, or trawl SharePoint for an answer. The hard part is no longer building. It is governing.

The four Copilot Agents governance controls every business should set this month

A workable Copilot Agents governance starter pack is four decisions made in writing and enforced in the tenant. Configure them in the Microsoft 365 admin centre, Copilot Studio settings and Microsoft Purview.

Control | What it does | Where it lives
1. Who can create agents | Restricts agent authoring to named users or a security group | Copilot Studio settings
2. What data agents can ground in | Limits which SharePoint sites, OneDrive locations or external sources an agent can use | Sensitivity labels and agent configuration
3. Who agents can be shared with | Controls internal-only, by-team, or cross-tenant sharing | Microsoft 365 admin and Copilot Studio
4. What agents can do externally | DLP rules that prevent sensitive data leaving the tenant via web search or third-party connectors | Microsoft Purview DLP for Copilot

That is the starter pack. It is not the end of governance, but it is the floor.

Control 1: Who can create agents

The default is rarely the answer. If everyone with a Microsoft 365 licence can build agents, agents will appear faster than your IT team can track them. The sensible starting position is to restrict authoring to a named group, typically IT plus a handful of trained power users, and review quarterly.

When a team wants their own agent, the group helps them build it. That keeps the oversight loop in place without turning IT into a bottleneck.

Control 2: What data agents can ground in

This control sits on top of the work you have already done with Microsoft Purview. If your sensitivity labels are healthy, your agents inherit the protection automatically. If they are not, agents will happily pull from any SharePoint site they can reach.

Walk through the same logic as our Microsoft Purview starter pack and apply labels before turning agents loose. Without that base layer, the next control gets harder.

Control 3: Who agents can be shared with

Agents can be shared inside a team, across the tenant, or with external organisations. Each step outward changes the risk profile. Tenant administrators in Agent 365 can now govern who is allowed to share agents created in Copilot. Set the default to internal-only, require approval for external sharing, and audit externally shared agents monthly.

Take particular care with agents that touch customer or finance data. Those should not be shareable outside the team that owns them without a named approver.

Control 4: What agents can do externally

The June 2026 rollout of Copilot DLP for web search is the new control here. It prevents sensitive data from being included in prompts that hit web search, while still letting the agent ground its response in internal data sources. Microsoft documents this in their Copilot blueprint for oversharing.

Set DLP rules for the data classes you already protect in email and Teams: customer records, financial data, payroll, anything regulated. The same rules now apply to agent web actions.

How this connects to what you already have

If your business has worked through the AI readiness check and rolled out Copilot, Agent 365 is the next layer. The Purview labels, conditional access policies and AI acceptable-use guidance you put in place earlier this year still apply. Agent 365 extends them; it does not replace them.

For businesses that have not started yet, the order matters. Labels and DLP first. Copilot second. Agents third. Skipping ahead means governing agents on top of an unlabelled tenant, which is the situation Microsoft’s own guidance describes as the oversharing problem.

A short readiness check

Three questions to ask before you let agents into the business at scale:

  • Have we restricted who can author agents in our tenant?
  • Are our SharePoint sites labelled with sensitivity that agents will respect?
  • Do we have DLP rules that apply to Copilot web search as well as email and Teams?

If two of the three answers are no, get the controls in place this month.

Set the rules before staff build the agents

Microsoft Agent 365 is moving fast. The right time to govern it is before staff start shipping agents into business processes, not after. The four controls above take a working day to set up and a quarterly review to maintain.

If you would like us to audit which agents already exist in your tenant, configure the four-control starter pack and check your Purview foundation, book a Copilot Agents governance review and we will produce a one-page agent inventory and a setup plan tailored to your Microsoft 365 estate.