Wild Ideas, Safe Agents: How Not to Be the 95%

Or: how to let your agents run wild with creativity while you are running after them trying to make sure they don’t burn the house down.

Right. So. Innovation requires freedom. Enterprise AI requires control. And somehow, against all reason, we’re expected to deliver both. Welcome to the eternal IT paradox, but now we added agents.

You’ll have heard the line by now. Microsoft says it. Every other speaker on the circuit says it. “The AI train is leaving the station, get on board or get left behind.” It’s a great line. It’s also nonsense.

Here’s what I always say instead: there will be more trains. There is always another train. The platform you’re panic-buying today will look quaint by Christmas. So no, you don’t need to fling yourself onto a moving carriage with no luggage and no idea where it’s headed. What you need is a clear plan: decide where you’re actually going, work out what to pack, and buy the right ticket for the right destination. Sprinting onto the first train just because it’s leaving is how you end up in the wrong city with someone else’s suitcase, which, conveniently, is also a fairly accurate description of most AI pilots.

I did a short version of this talk at UTMessan in Reykjavik in February, and I did a longer session at Workplace Ninjas Norway last week. And the whole premise was simple: walk through the full lifecycle of an agent, from that exciting “what if we built a agent for this?” moment, all the way through to “who owns this thing and why is it emailing the CEO?”

Come curious. Leave slightly paranoid. That, in my experience, is the sweet spot.

The number nobody wants on a slide

95% of AI pilots fail.¹

Let that sink in. That’s not a margin of error, that’s a graveyard. Almost every AI pilot dies, and not because the technology is bad. It dies because nobody bothered to define what “success” even looked like in the first place.

Here’s how it usually goes. Licences get handed out like party favours. Users are told to “go innovate”, whatever that means, and then management sits back, bewildred, wondering why nobody’s innovating.

Scattered experiments. No clear owner. No measurable value. And my personal favourite: value is never measured, so value never appears. Shocking, I know.

The problem isn’t AI. The problem is that we treat AI pilots exactly like we treated SharePoint in 2010 and Teams in 2020, throw it at people and hope for the best.

But the 5% that succeed? They weren’t smarter. They weren’t using magic. They had three boring things: clear ownership, defined success metrics, and governance from day one. 

That’s the whole secret. The bar is shockingly low, which means if you’re reading this, you’re already ahead of the curve. Slightly. Don’t let it go to your head.

Agents in the wild

Let me tell you a story. A well-meaning employee, genuinely trying to be helpful, bless them, builds an agent to summarise SharePoint documents. They connect it to a library with permissions inherited from 2019. You know the ones. “Everyone except external users.” Because that seemed perfectly fine five years ago.

Within one week, three people in a completely different department received AI-generated summaries of confidential board strategy. The agent wasn’t malicious. It was just doing its job. Summarising. Helpfully. To anyone who asked.

Nobody built that agent to leak information. It happened because nobody told it not to. That’s the thing about agents, they’re obedient to a fault. They’ll do exactly what you let them do, and not one thing less.

Here’s the bit people get wrong: AI doesn’t create new permission problems. It amplifies existing ones, at scale, to anyone who asks. Those broad SharePoint permissions from 2019 nobody reviewed? Still there. That agent you connected as a knowledge source? Nobody checked what it can actually see. If your permissions were a mess before AI, congratulations, now everyone knows.

And if everyone can build an agent, and they can, it’s terrifyingly easy, then who actually knows what’s running in your tenant?

• Who created this agent?
• What data does it touch?
• Who’s using it, and for what?
• Is it still needed?
• Does anyone own it?

If the answer to most of those is “I have no idea,” congratulations again, you’re the norm. I’m not saying this to shut innovation down. I’m saying it because unchecked creativity without governance is how you end up with agents nobody owns, doing things nobody approved, with data nobody secured. Freedom is great. Sustainable freedom is better.

The obvious first steps that everyone skips

If you’ve read this blog before, or heard me talk, you know exactly what’s coming. Know. Your. Data.

• Sensitivity labels. If you don’t have them, stop building agents and go set them up. I’m serious. Applied, not theoretical.
• Sensitive Information Types (SITs). So your data gets classified without relying on end users to do the right thing. Because they won’t. They mean well. They won’t.
• DLP policies. So data stays in its lane.
• DSPM for AI. This is your control tower. It shows you which agents are interacting with sensitive data, and honestly, the first time you open that dashboard, you’ll need to sit down for a moment.

Bottom line: you cannot secure what you cannot see. Fix the data layer first, or everything else is just decoration.

DSPM will actually guide you, so you can see what remediation plans you can take to make sure you secure your data.
Have a look at the different plans, and start your plan today!

Then there’s SharePoint Advanced Management (SAM), the thing most organisations skip because it sounds boring. It is boring. It’s also essential. Data Access Governance reports show you exactly which sites are overshared before you connect a single agent. Restricted SharePoint Search lets you limit which sites Copilot and agents can reach, even when permissions technically allow more. Because “technically allowed” and “should be allowed” are two very different things.

The rule is simple: fix the data layer before you deploy the AI layer. SAM plus Restricted SharePoint Search is your oversharing firewall. Not glamorous. Works anyway.

The agent lifecycle

Foundation done. Now the fun part. People assume governance slows you down. It’s the opposite. Without a lifecycle, every agent idea turns into a six-month approval saga that kills enthusiasm stone dead. With one, someone has a great idea on Monday and a sandbox prototype by Wednesday.

The path from shower thought to production agent:

1. Spot the idea.
2. Validate it.
3. Build it in a sandbox.
4. Test it with a real group of users,real users, real feedback, real problems caught before they become real disasters.
5. Get it approved.
6. Deploy it.
7. Review, learn, and feed those learnings into the next agent.

It’s a flywheel, not a checklist. And the maturity model tells you where you are: Level 1 is reactive (vibes-based governance). Level 2 is managed. Level 3 is governed properly. Level 4 is the dream, self-service with guardrails, where people build agents confidently because the safety net is already baked in. Most organisations sit at Level 1 or 2. That’s fine. The goal isn’t perfection. It’s momentum.

And remember, IT is not a representative group of real people…

Freedom vs control, a false choice

Most organisations treat this as a binary. Either lock everything down and kill innovation, or let people run wild and pray. But the best organisations don’t choose.

They build systems where freedom and control reinforce each other. Guardrails don’t kill creativity, they channel it. It’s like improv comedy: the constraints are what make it work.

So stop thinking freedom versus control. Think freedom through control. The governance you set up is exactly what lets you say yes to the next hundred agent ideas without losing sleep.

Here’s what that looks like in practice:

• Connector DLP groups. Classify connectors as Business, Non-business, or Blocked, and the platform enforces it. No exceptions. Since early 2025, enforcement is mandatory for all tenants.
• Prompt-level DLP, the real game changer. It inspects what users type before anything is processed. Someone pastes a passport number into a chatbot? Caught in real time, not after the fact.
• Label-based restrictions that stop agents summarising your most sensitive content, even when permissions technically allow it.
• The HTTP connector. It’s basically a backdoor to any API on the internet. Block it. Or at the very least, restrict it heavily. You’re welcome.

Authentication: the unsexy topic that breaks everything

Authentication is the difference between a liability and an asset, and almost nobody wants to talk about it.

No authentication means the agent runs as the deployer’s identity. It sees everything they see. So if a global admin deployed a agent… yes. Sit with that for a second.

Entra ID authentication means the agent runs as the user. Data isolation by default, the agent sees what the user sees, nothing more, nothing less. Which means you can deploy the same agent to a thousand users and each gets a personalised, secure experience without IT configuring a single individual permission. That’s the real unlock: agents that scale safely.

And your publishing controls are the other lever:

• Admin approval before anything hits the org catalogue.
• Agent certification, so users know what’s been reviewed versus what Dave from Accounting built during his lunch break.
• Service principals running with managed identity and least-privilege permissions. No shortcuts.
• Mind the cross-tenant risks, external sharing and guest access can expose agent-connected content to people outside your organisation.

So what does Agent 365 actually do?

Microsoft calls Agent 365 the “control plane for AI agents,” which is consultant-speak for “another fancy dashboard.” So lets stripp of the marketing, here’s what it actually does, step by step:

1. Registers every agent in one place. The Registry is a single inventory of every agent in your tenant, Microsoft-built, third-party, open-source, the lot, surfaced right in the Microsoft 365 admin centre. One source of truth. This is the cure for “agent sprawl,” a phrase that didn’t exist two years ago and now keeps people awake at night.
2. Gives each agent an identity. Every agent gets an Entra Agent ID, essentially its own service account. So an agent stops being an anonymous gremlin wandering your tenant and becomes a named entity you can authenticate, track, and hold accountable. Revolutionary concept, naming things.
3. Controls who can build, and what agents can touch. Through Entra you set the guardrails: who’s allowed to create or onboard agents, and which data, apps and APIs each one can reach. Least privilege by default. Conditional Access applies too, so a risky or compromised agent can be blocked in real time.
4. Quarantines the ones nobody approved. Found an agent that shouldn’t exist? Quarantine it straight from the Registry so it can’t run or reach corporate resources until someone signs off. Shadow AI, meet your off switch.
5. Watches everything they do. The observability layer, including the Agent Map, shows which agents are talking to which users and which data, how often, and how well. Role-based views: IT sees performance, security sees violations, the business sees value. Every action logged and traceable.
6. Secures them with the kit you already own. Entra for identity, Purview for data protection (DLP, labels, DSPM for AI), Defender for threat detection and runtime protection, including prompt-injection and shadow-AI flagging.
7. Plays nicely with non-Microsoft agents. Governs Microsoft, open-source and third-party agents alike, one pane of glass, no ecosystem lock-in.

The short version: Agent 365 treats your agents like employees, identity, manager, job description, security badge, performance review. The difference is these ones don’t take holidays, and if they misbehave you can quarantine them. Try that with Dave from Accounting.

(Generally available since 1 May 2026, licensed per user as an add on, or get E7 that includes the bundle with Agent365, M365 Copilot, E5 and Microsoft Entra Suite)

The Agent launch pad

This isn’t homework, and it’s definitely not some dreary compliance chore. Think of it as your pre-train ride checklist, except instead of checking the tickets and luggage, you’re ticking off simple, doable tasks that launch you into the stratosphere of productivity.

Best part? You can knock out every single one before the week’s over, no pilot’s license required.

•  Documented purpose and an owner
•  Built in a sandbox
•  Knowledge sources are permission-reviewed and labelled
•  DLP policies cover the agent’s connectors
•  Sensitivity labels applied
•  Authentication set to Entra ID, not No Auth
•  Admin approval required before publishing
•  Tested with a real user group
•  Monitoring and analytics configured
•  Quarterly review scheduled

Tick these boxes and you’re not just compliant, you’re ready to scale. Every agent after this one follows the same path, faster and easier. That’s the whole point.

So the 5 key takeaways

1. Freedom to innovate is essential, governance is what makes it sustainable. They’re partners, not opposites.
2. Agents amplify existing permission problems at scale. Fix your permissions first.
3. The lifecycle doesn’t end at deployment. Monitor. Review. Retire. And learn, every agent makes the next one easier.
4. Purview is your compliance backbone. IT IS NOT OPTIONAL, but not as scary as it sounds. Start with DSPM for AI and sensitivity labels.
5. Start where you are. Level 1 to Level 2 is progress, and progress is the point. Don’t wait for perfect.

Here’s what I really want you to take away. In six months, the people who set up governance now will be building agents that save their organisations real time and real money. The rest will be back at another conference, trying to work out why their pilots failed.

Don’t be the 95%. Be the 5%.

1. Source: MIT NANDA, State of AI in Business 2025. ↩︎