
Control 2.26: Entra Agent ID — Identity Governance for Agents

Control ID: 2.26 | Pillar: Management | Regulatory Reference: SOX 404, GLBA 501(b), OCC 2011-12, FFIEC Access Management, FINRA 3110, FINRA 25-07 | Last UI Verified: April 2026 | Governance Levels: Baseline / Recommended / Regulated


Preview Feature — Microsoft Entra Agent ID

Microsoft Entra Agent ID remains in PREVIEW as of April 2026. Per Microsoft Learn (Governing Agent Identities, Preview), access to Entra Agent ID and the agent governance capabilities described in this control requires two prerequisites: (1) a Microsoft 365 Copilot license assigned to the relevant users, and (2) Frontier program enabled for those users in the Microsoft 365 admin center (Copilot > Settings > User access > Copilot Frontier). Frontier enrollment alone, without Microsoft 365 Copilot licensing, does not unlock these capabilities. Agent 365 (GA May 1, 2026) is the broader control plane that surfaces Entra Agent ID; organizations should plan for Entra Agent ID capabilities to mature alongside the Agent 365 GA. Treat this control as pilot-ready configuration with a clear path to production as capabilities stabilize post-GA, and note that no GCC, GCC High, or DoD availability has been announced (see Zone-Specific Requirements for sovereign cloud guidance).


Scope Boundaries — Read Before Implementing

This control governs a distinct and new governance domain. Understanding where it begins and where related controls end prevents duplication and gaps.

Control 2.26 vs. Control 1.11 (Conditional Access and MFA): Control 1.11 governs access policies at authentication time — who can create agents, what MFA is required for agent identity sign-in, and what Conditional Access policies apply at the moment an agent authenticates. That is a point-in-time gate.

Control 2.26 governs the ongoing identity lifecycle of the agent itself — who is accountable for the agent over its full operational life, how long the agent identity exists, what resources it can access through governed access packages, and what happens when the accountable sponsor departs the organization. This is a continuous lifecycle process, not a one-time authentication check.

Control 2.26 vs. Controls 2.3 / 2.5 (Change Management and Testing/QA): Controls 2.3 and 2.5 govern the software development lifecycle (SDLC) of agent development — how agents are built, tested, approved, and released. These are engineering lifecycle controls.

Control 2.26 governs the identity lifecycle of the agent identity object in Entra ID — who is the named accountable sponsor, what access package governs the agent's resource assignments, what the expiration policy is, and how the agent is decommissioned when no longer needed. The SDLC can complete successfully while the identity lifecycle governance is entirely absent; both must be present for a compliant deployment.


Objective

Establish identity lifecycle governance for all Microsoft 365 Copilot and Copilot Studio agent identities operating within the organization's tenant. This control supports compliance with regulatory expectations that every agent identity has an accountable human sponsor, that access assignments are intentional and time-bound, that lifecycle events trigger governed workflows, and that agent identities are decommissioned in a controlled and auditable manner.


Why This Matters for FSI

Financial services organizations face a fundamental accountability problem with AI agent proliferation: agents can be deployed quickly, but the governance mechanisms that apply to human user identities — Joiner-Mover-Leaver workflows, access reviews, entitlement management, sponsor accountability — have historically not extended to non-human identities. Microsoft Entra Agent ID addresses this gap specifically for AI agents.

Regulatory Accountability Gap Without This Control

SOX 404 requires that access controls be documented, attributable, and reviewed. An agent with no named accountable owner and no time-bound access represents a direct gap in the access control attestation required for SOX financial reporting systems.

GLBA 501(b) requires reasonable safeguards for customer financial information. An agent accessing NPI without a documented accountable sponsor and a governed access lifecycle cannot demonstrate those safeguards to OCC or FDIC examiners.

OCC 2011-12 holds financial institutions responsible for technology risk arising from all systems — including AI agents — that process customer data. Orphaned agents (agents whose sponsor has departed with no reassignment) represent unmanaged technology risk.

FINRA Rule 3110, as informed by FINRA Regulatory Notice 25-07, expects firms to supervise AI-enabled business activity through written supervisory procedures and named accountable personnel. An agent performing supervisory-adjacent functions (reviewing communications, generating reports, processing transactions) should have a named accountable owner whose role is documented in the firm's WSPs. Requiring an agent sponsor in this control helps support that supervisory framework and provides examiner-ready attribution, but it does not substitute for the firm's obligation to assign an appropriately registered principal where Rule 3110 requires registered supervisory responsibility.

FINRA 4511 requires books and records retention. All lifecycle events — agent creation, sponsor assignment, access package grants, access expirations, sponsor departure workflows, decommission — must be logged and retained for the applicable examination period (generally six years for FINRA member firms).

The consequences of non-compliance extend beyond regulatory risk: an agent operating after its accountable sponsor has departed represents an active insider-threat-equivalent risk, because no human is monitoring the agent's behavior, approving its continued access, or responsible for remediating issues it causes.


Control Description

Capability | Description
Agent Sponsorship | Every agent identity must have a named human sponsor assigned in Entra Agent ID. The sponsor is accountable for the agent throughout its operational lifecycle — approving resource access, attesting to continued business need, and triggering decommission when the agent is no longer required.
Lifecycle Workflows | Microsoft Entra ID Governance lifecycle workflows are extended to agent identities. Workflows trigger on defined events: agent creation (Joiner), sponsor change or agent repurposing (Mover), and sponsor departure or agent expiration (Leaver). Automated notifications, review tasks, and suspension actions are configured per zone.
Entitlement Management Access Packages | Agent resource assignments are governed through the same entitlement management framework used for user access. Access packages define the bundle of resources an agent is permitted to access. Every assignment is intentional, documented, time-bound, and subject to renewal review.
Time-Bound Access | All Zone 2 and Zone 3 agent access packages are configured with a maximum expiration period. Access does not persist indefinitely. Renewal requires active human approval with documented business justification.
Orphaned Agent Prevention | Every agent identity must have a sponsor. Microsoft Entra provides a built-in default: when a sponsor leaves the organization, sponsorship of their agent identities is automatically transferred to the sponsor's manager, so a human accountable owner is preserved without manual intervention. This control augments the default with a configured Lifecycle Workflow (Preview) that adds named agent-sponsor tasks — notifying co-sponsors and the manager of impending sponsorship changes, opening a reassignment task, and escalating to the AI Governance Lead if the new sponsor relationship is not affirmatively accepted within the SLA. The HR connector / employeeLeaveDateTime attribute is the documented signal source for the leaver trigger.
Access Certification Campaigns | Periodic access review campaigns are configured to certify that each Zone 3 agent's resource assignments remain appropriate. Certifiers are the current sponsor and the Compliance Officer. Failure to complete certification within the review window triggers automatic access suspension.
Audit and Retention | All lifecycle events — sponsor assignment, access package grant, renewal, expiration, suspension, decommission — are written to the Entra audit log and forwarded to the SIEM. Retention policies are aligned to FINRA 4511 six-year requirements.
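The Audit and Retention capability depends on a downstream step the control only names: Entra diagnostic settings export whole AuditLogs categories, so the SIEM has to trim them to agent-identity events by correlating target object IDs against the agent inventory. The following is an added example of that trimming step, written for this page; it is not code from the original control or from Microsoft. The record shape (category, activityDisplayName, targetResources, initiatedBy) follows the AuditLogs export, but every object ID, agent name, actor and activity name in the sample is constructed.

```python
"""Downstream SIEM filter for Entra agent-identity lifecycle events.

Added example, not code from the original control page. Entra diagnostic settings
export whole categories, so this step keeps only records whose target object ID is a
known agent identity. Record shape follows the AuditLogs export; all values are constructed.
"""
from collections import defaultdict

# Constructed agent inventory keyed by object ID (in practice exported from the Agent identities blade).
AGENT_INVENTORY = {
    "a1111111-0000-4000-8000-000000000001": {"displayName": "Loan Triage Agent", "zone": 3},
    "a1111111-0000-4000-8000-000000000002": {"displayName": "Team Notes Agent", "zone": 2},
}

# Audit categories the control routes to the SIEM; each arrives in full and is trimmed here.
LIFECYCLE_CATEGORIES = {"ApplicationManagement", "UserManagement", "EntitlementManagement"}

# Constructed AuditLogs-shaped records: two agent events, one human-user event and one record
# from an unrelated category. Activity names are illustrative, not a Microsoft-published list.
SAMPLE_AUDIT_LOGS = [
    {"activityDateTime": "2026-04-02T09:15:00Z", "category": "ApplicationManagement",
     "activityDisplayName": "Update service principal", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example"}},
     "targetResources": [{"id": "a1111111-0000-4000-8000-000000000001", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-02T09:20:00Z", "category": "UserManagement",
     "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "hr.sync@contoso.example"}},
     "targetResources": [{"id": "22222222-0000-4000-8000-000000000009", "type": "User"}]},
    {"activityDateTime": "2026-04-03T11:00:00Z", "category": "EntitlementManagement",
     "activityDisplayName": "Fulfill access package assignment request", "result": "success",
     "initiatedBy": {"app": {"displayName": "Entitlement Management"}},
     "targetResources": [{"id": "a1111111-0000-4000-8000-000000000002", "type": "ServicePrincipal"}]},
    {"activityDateTime": "2026-04-03T12:00:00Z", "category": "Policy",
     "activityDisplayName": "Update conditional access policy", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "sec.admin@contoso.example"}},
     "targetResources": [{"id": "33333333-0000-4000-8000-000000000003", "type": "Policy"}]},
]


def actor_of(record: dict) -> str:
    """Return the initiating principal as a string, whether a user or an app."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def filter_agent_events(records, inventory=AGENT_INVENTORY, categories=LIFECYCLE_CATEGORIES):
    """Keep records in the lifecycle categories whose target is a known agent identity.

    Returns one flattened event per (record, agent target) pair, ready for retention and alerting.
    """
    events = []
    for record in records:
        if record.get("category") not in categories:
            continue
        for target in record.get("targetResources") or []:
            agent = inventory.get(target.get("id"))
            if agent is None:
                continue  # human user, policy or unknown object: not an agent lifecycle event
            events.append({
                "time": record["activityDateTime"],
                "agentId": target["id"],
                "agent": agent["displayName"],
                "zone": agent["zone"],
                "activity": record.get("activityDisplayName", ""),
                "result": record.get("result", ""),
                "actor": actor_of(record),
            })
    return events


def events_per_agent(events) -> dict:
    """Count lifecycle events per agent; an agent with zero events over a period is worth a look."""
    counts = defaultdict(int)
    for event in events:
        counts[event["agent"]] += 1
    return dict(counts)


if __name__ == "__main__":
    kept = filter_agent_events(SAMPLE_AUDIT_LOGS)
    for event in kept:
        print(f'{event["time"]}  zone {event["zone"]}  {event["agent"]}: {event["activity"]} by {event["actor"]}')
    print(events_per_agent(kept))
```

The inventory join is the whole point: category alone would keep every service principal and user change in the tenant, while the object-ID match keeps only the two agent records and drops the human-user update and the policy change.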

Key Configuration Points

Prerequisites

All configuration steps below that involve Entra Agent ID, access packages for agents, and lifecycle workflows require Frontier enrollment to be active. Enable Frontier at: M365 Admin Center > Copilot > Settings > Frontier.

  1. Enable Entra Agent ID: M365 Admin Center > Copilot > Settings > Frontier enrollment. Allow up to one hour for the Agent identities blade to appear in the Entra admin center.

  2. Assign sponsors to all Zone 2 and Zone 3 agents: In the Entra admin center, navigate to the Agent ID experience (under Applications or via search for "Agent identities" — exact navigation may shift during preview; Microsoft Learn's Manage Agents in Microsoft Entra ID (Preview) page is the authoritative reference). Select the agent, open Properties, and assign a Sponsor. The sponsor must be a named human user (not a shared mailbox, distribution group, or service account); per Microsoft's documented behaviour, if the sponsor leaves the organization, sponsorship is automatically transferred to that user's manager, so the sponsor's manager-of-record in Entra must be accurate.

  3. Create an Entitlement Management catalog for agent resources: Entra admin center > Identity Governance > Entitlement management > Catalogs > New catalog. Name: "AI Agent Resources." Add the resource types that entitlement management currently supports for agent identity assignment: security group memberships, application OAuth API permissions (including Microsoft Graph application permissions), and Microsoft Entra role assignments. SharePoint site access for agents is granted indirectly by adding the agent identity to a security group that has the required SharePoint permission, not by adding the site to the catalog directly. When configuring the access package assignment policy, under Who can get access, select For users, service principals, and agent identities in your directory and then All agents (preview).

  4. Create access packages for standard agent resource bundles: Within the AI Agent Resources catalog, create access packages representing supported governance patterns (for example, "Group-based SharePoint Reader + Graph Read — Zone 2 Agent" or "Privileged catalog: Entra role + approved API permissions — Zone 3 Agent"). Where SharePoint access is required, place that access behind a governed group rather than assigning SharePoint Online site roles directly to the agent access package.

  5. Configure access package expiration: Access package > Lifecycle settings > Maximum duration: 365 days. Renewal requires sponsor re-approval with documented business justification. For Zone 3, renewal additionally requires AI Governance Lead and Compliance Officer co-approval.

  6. Configure agent-sponsor Lifecycle Workflow tasks (Preview): Entra admin center > Identity Governance > Lifecycle workflows > New workflow. Trigger condition: leaver (driven by the employeeLeaveDateTime user attribute populated by the HR connector). Add the documented agent-sponsor tasks (see Microsoft Learn: Agent identity sponsor tasks in Lifecycle Workflows (Preview)) — notify co-sponsors, notify the departing sponsor's manager (who will inherit sponsorship by default), open a reassignment task for the AI Governance Lead, and emit an audit event. SLA: escalate to the AI Governance Lead 5 business days before the sponsor's leave date. Do not configure this workflow to disable the agent identity on sponsor departure as a default action — Microsoft's automatic manager-transfer behaviour is intended to keep the agent operational while accountability shifts; suspension should be reserved for the case where the manager affirmatively declines and reassignment fails within the configured SLA.

  7. Configure quarterly access certification campaigns for Zone 3: Entra admin center > Identity Governance > Access reviews > New review. Scope: Zone 3 agent identities and their access package assignments. Reviewer: current sponsor + Compliance Officer. Frequency: quarterly. On failure to review: remove access.

  8. Configure SIEM forwarding for Entra agent lifecycle logs: In Entra admin center > Monitoring > Diagnostic settings, forward the AuditLogs category (which captures identity governance events including agent identity create/update/delete, sponsor assignment changes, access package assignment events, and Lifecycle Workflow execution) to the organization's SIEM. Entra diagnostic settings export at the category level and cannot pre-filter sub-events, so filtering to agent-identity events is performed downstream in the SIEM: correlate the target object IDs in ApplicationManagement / UserManagement events (e.g., on category and targetResources.type) against the agent identity inventory. Apply a retention policy of six years minimum to align with FINRA 4511.
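Step 6 describes the sponsor-departure workflow in words: the HR-populated employeeLeaveDateTime is the trigger, the manager-of-record inherits sponsorship by default, the AI Governance Lead is escalated to five business days before the leave date, and suspension is reserved for the case where reassignment is not accepted within the SLA. The code below is an added example that models those decisions over a constructed directory so the branching can be reviewed before the Lifecycle Workflow is built; it is not code from the original control, from Microsoft, or from the PowerShell playbook. Field names (employee_leave_date, reassignment_accepted), the zone SLAs (taken from the zone table: 10 business days for Zone 2, 5 for Zone 3), the task names and all users, agents and dates are assumptions or constructed values.

```python
"""Sponsor-departure (leaver) evaluation for agent identities.

Added example, not code from the original control page or from Microsoft. It models the
workflow of configuration step 6: employeeLeaveDateTime from the HR connector is the trigger,
sponsorship defaults to the departing sponsor's manager-of-record, escalation to the AI
Governance Lead happens five business days before the leave date, and suspension happens only
when the inherited sponsorship is not accepted within the zone's SLA. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class User:
    id: str
    manager_id: Optional[str] = None
    employee_leave_date: Optional[date] = None  # mirrors employeeLeaveDateTime set by the HR connector
    active: bool = True


@dataclass
class Agent:
    id: str
    name: str
    zone: int
    sponsor_id: Optional[str]
    reassignment_accepted: bool = False  # manager affirmatively accepted the inherited sponsorship


ESCALATION_LEAD_DAYS = 5               # business days before the leave date (step 6)
REASSIGNMENT_SLA_DAYS = {2: 10, 3: 5}  # business days after departure before suspension (zone table)


def shift_business_days(start: date, n: int) -> date:
    """Move |n| business days (Mon-Fri) forward (n > 0) or backward (n < 0) from start."""
    step, current, remaining = (1 if n >= 0 else -1), start, abs(n)
    while remaining:
        current += timedelta(days=step)
        if current.weekday() < 5:
            remaining -= 1
    return current


def evaluate_agent(agent: Agent, users: dict, today: date) -> dict:
    """Return workflow status, inherited sponsor (if any) and the tasks to emit for one agent."""
    out = {"agent": agent.name, "zone": agent.zone, "new_sponsor": None, "status": "OK", "actions": []}
    if agent.zone < 2:
        out["status"] = "NOT_IN_SCOPE_ZONE1"  # Zone 1 requires no lifecycle workflow
        return out
    sponsor = users.get(agent.sponsor_id) if agent.sponsor_id else None
    if sponsor is None:
        out["status"], out["actions"] = "ORPHAN_NO_SPONSOR", ["open_reassignment_task", "notify_ai_governance_lead"]
        return out
    leave = sponsor.employee_leave_date
    if leave is None:
        return out  # no leaver signal from HR
    manager = users.get(sponsor.manager_id) if sponsor.manager_id else None
    usable_manager = manager if manager is not None and manager.active else None
    if today < shift_business_days(leave, -ESCALATION_LEAD_DAYS):
        out["status"], out["actions"] = "LEAVE_SCHEDULED", ["notify_co_sponsors", "notify_manager"]
    elif today < leave:
        out["status"] = "ESCALATE_TO_AI_GOVERNANCE_LEAD"
        out["actions"] = ["notify_manager", "open_reassignment_task", "notify_ai_governance_lead"]
    else:
        # Sponsor has left: Entra's default moves sponsorship to the manager-of-record.
        deadline = shift_business_days(leave, REASSIGNMENT_SLA_DAYS[agent.zone])
        if usable_manager is not None:
            out["new_sponsor"] = usable_manager.id
            if agent.reassignment_accepted:
                out["status"], out["actions"] = "TRANSFERRED_TO_MANAGER", ["emit_audit_event"]
                return out
        if today > deadline:
            out["status"] = "SUSPEND_PENDING_REASSIGNMENT"
            out["actions"] = ["suspend_agent", "notify_ai_governance_lead", "emit_audit_event"]
        else:
            out["status"] = "PENDING_ACCEPTANCE" if usable_manager else "ORPHAN_ESCALATE"
            out["actions"] = ["open_reassignment_task", "notify_ai_governance_lead"]
    return out


def run_report(agents, users, today: date) -> dict:
    """Status per agent name: feeds the orphaned-agent alert and the reassignment queue."""
    return {a.name: evaluate_agent(a, users, today)["status"] for a in agents}


# Constructed directory and inventory; "today" is Monday 2026-04-20.
USERS = {
    "u-100": User("u-100", manager_id="u-900"),
    "u-200": User("u-200", manager_id="u-900", employee_leave_date=date(2026, 4, 24)),  # leaves Friday
    "u-300": User("u-300", manager_id="u-900", employee_leave_date=date(2026, 4, 10)),  # already left
    "u-400": User("u-400", manager_id="u-950", employee_leave_date=date(2026, 4, 17)),  # already left
    "u-900": User("u-900"),
    "u-950": User("u-950", active=False),  # manager-of-record has also left: no default fallback
}
AGENTS = [
    Agent("ag-1", "Trade Surveillance Agent", 3, "u-100"),
    Agent("ag-2", "KYC Summary Agent", 3, "u-200"),
    Agent("ag-3", "Loan Triage Agent", 3, "u-300"),
    Agent("ag-4", "Team Notes Agent", 2, "u-300"),
    Agent("ag-5", "Branch Reporting Agent", 3, "u-400"),
    Agent("ag-6", "Unsponsored Agent", 2, None),
    Agent("ag-7", "Personal Drafting Agent", 1, None),
]
TODAY = date(2026, 4, 20)

if __name__ == "__main__":
    for agent in AGENTS:
        print(evaluate_agent(agent, USERS, TODAY))
```

Two cases are worth noting when the real workflow is built: the same departed sponsor yields a suspension for the Zone 3 agent but only a pending task for the Zone 2 agent, because the SLAs differ; and a departed sponsor whose manager-of-record has also left gets no automatic fallback, which is exactly the orphan the control's escalation path exists for.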


Zone-Specific Requirements

Sovereign Cloud Availability — GCC, GCC High, DoD

As of April 2026, Microsoft Entra Agent ID, agent-identity access packages, and the agent-sponsor Lifecycle Workflows tasks have no announced availability in GCC, GCC High, or DoD. Microsoft Entra ID Governance (lifecycle workflows, entitlement management, access reviews) for human and service-principal identities is generally available in those clouds, but the agent-identity object types and the "All agents (preview)" assignment-policy option are commercial-only at this time. FSI tenants operating in sovereign clouds should:

  • Not implement this control as a technical configuration in GCC / GCC High / DoD until Microsoft publishes parity guidance.
  • Maintain a documented compensating control for agent accountability in sovereign tenants (named human owner recorded in the agent registry per Control 1.2; manual quarterly attestation; service-principal-based access governance).
  • Track Microsoft 365 and Entra roadmap items filtered to government clouds, and re-verify availability quarterly.
  • Disclose the absence of native technical enforcement in the firm's Written Supervisory Procedures so examiners are not surprised.

Requirement | Zone 1 — Personal | Zone 2 — Team | Zone 3 — Enterprise
Sponsor assignment | Document agent creator as informal owner in agent description field | Formal sponsor assigned in Entra Agent ID; documented in agent metadata | Mandatory sponsor assigned at deployment; Compliance Officer designated as secondary approver
Access packages | Not required | Recommended for shared team resources; required if agent accesses resources outside creator's personal OneDrive | Mandatory for all resource assignments; no out-of-band resource access permitted
Maximum access duration | No formal expiration required | 12 months; renewal requires sponsor justification | 12 months; renewal requires AI Governance Lead + Compliance Officer co-approval
Lifecycle workflow | Not required | Alert to department head when sponsor departs; agent suspended within 10 business days if not reassigned | Immediate suspension workflow on sponsor departure; escalation to AI Governance Lead within 24 hours; mandatory reassignment within 5 business days
Access certification | Not required | Annual review by sponsor | Quarterly access certification by sponsor + Compliance Officer; evidence retained for FINRA/SEC examination
Audit log retention | Standard 90-day Entra log retention | Minimum 1 year | Minimum 6 years per FINRA 4511
Orphan detection | Quarterly manual scan | Automated detection via lifecycle workflow; alert within 24 hours of sponsor departure | Real-time detection; immediate automated suspension pending reassignment

Roles & Responsibilities

Role | Responsibilities
AI Governance Lead | Owns this control. Approves Zone 3 access package renewals. Receives escalations from sponsor-departure workflows. Maintains the entitlement management catalog for agent resources. Produces quarterly governance evidence for examination readiness.
Agent Sponsor | Named accountable owner for one or more agent identities. Approves initial access package assignment. Certifies continued business need during access review cycles. Initiates decommission workflow when agent is no longer required. Responsible for notifying AI Governance Lead before departing the organization.
Compliance Officer | Secondary approver for all Zone 3 access package grants and renewals. Co-certifier in quarterly access review campaigns. Reviews lifecycle event logs for regulatory examination preparation.
Entra Identity Governance Admin | Configures Entra Lifecycle Workflows, entitlement management catalogs and access packages, and access review campaigns for agent identities. Owns the agent-sponsor task workflow (Preview) configuration.
Entra Agent ID Admin | Day-to-day administration of agent identity registrations, sponsor assignments, and decommission execution. Acts on reassignment tasks emitted by the Lifecycle Workflow.
AI Administrator | Owns Frontier enrollment in the Microsoft 365 admin center and the Microsoft 365 Copilot license assignment that gates these capabilities. Coordinates with the Entra Identity Governance Admin on cross-service prerequisites.
Entra Security Admin | Configures Entra diagnostic settings to forward AuditLogs to the SIEM and validates retention configuration. Monitors SIEM for orphaned-agent alerts and certification-failure events. Escalates unresolved orphan situations to the AI Governance Lead.
Purview Compliance Admin | Owns retention labels and examination-ready evidence export workflows for regulated agent governance artifacts.
HR / People Operations | Provides departure signals via HR connector integration. Ensures leaver workflows are triggered accurately and in a timely manner. Coordinates with Information Security on sponsor departure SLAs.

Control | Relationship
1.11 — Conditional Access and MFA | Complementary — authentication governance. Control 1.11 governs Conditional Access policies applied at agent authentication time. Control 2.26 governs the ongoing identity lifecycle after authentication is established. Both must be implemented for complete agent identity governance.
2.3 — Change Management and Release Planning | Complementary — SDLC lifecycle. Control 2.3 governs the engineering lifecycle: how agents are built, approved, and released. Control 2.26 governs the identity lifecycle: how agent identities are sponsored, governed, and decommissioned. Both are required; neither substitutes for the other.
2.5 — Testing and Quality Assurance | Complementary — pre-deployment quality. Control 2.5 ensures agents are tested before deployment. Control 2.26 ensures identity governance is established at and after deployment. An agent that passes QA still requires a sponsor and access package before going to production.
2.8 — Access Control and Segregation of Duties | Dependency — access control framework. Control 2.8 defines the access control policy and SoD requirements. Control 2.26 implements those requirements specifically for agent identities through entitlement management access packages.
2.25 — Agent 365 Admin Center Governance Console | Dependency — governance platform. The Agent 365 Admin Center (Control 2.25) provides the inventory and governance dashboard. Control 2.26 provides the identity lifecycle governance layer for the agents inventoried in that console.
3.6 — Orphaned Agent Detection and Remediation | Layered defense — reactive vs. preventive. Control 3.6 is the operational detection and remediation control for orphaned agents already identified in the environment. Control 2.26 is the preventive identity governance layer that prevents orphaning in the first place. Both are required for a complete orphan management posture.

Implementation Playbooks

Playbook | Description
Portal Walkthrough | Step-by-step Entra admin center and M365 admin center configuration: Frontier enrollment, agent identity sponsor assignment, entitlement management catalog and access package creation, lifecycle workflow setup, and access certification campaign configuration.
PowerShell Setup | Microsoft Graph API and PowerShell commands to query all agent identities and sponsors, export governance gap reports (agents without sponsors, agents with expired access), perform bulk sponsor assignments, and generate evidence exports for examination readiness.
Verification Testing | Test procedures to validate that sponsor assignment is functioning, access packages are applying correctly with proper expiration, lifecycle workflows fire on sponsor departure simulation, and access certification campaigns surface Zone 3 agents.
Troubleshooting | Resolution guidance for the most common implementation issues: Agent identities not visible (Frontier enrollment), lifecycle workflow not triggering (HR connector and trigger conditions), access package assignment failures, and sponsor reassignment notification failures.

Verification Criteria

The following criteria constitute the minimum evidence set required to attest this control as implemented. All criteria must be evidenced for Zone 3 compliance attestation. Criteria 1–5 apply to Zone 2. Criteria 1–2 apply to Zone 1 at a documentation level.

  1. Entra Agent ID is enabled for the tenant via confirmed Frontier enrollment, evidenced by the presence of the "Agent identities" blade in Entra admin center.
  2. All Zone 2 and Zone 3 agents have an assigned sponsor documented in Entra Agent ID properties; zero agents in these zones show a null or empty sponsor field, as evidenced by the governance gap report from the PowerShell playbook.
  3. Entitlement management access packages have been created for all standard agent resource bundles; all Zone 3 agents are assigned resources exclusively through access packages (no direct permissions outside entitlement management), as evidenced by access package assignment reports.
  4. Time-bound access is configured on all Zone 2 and Zone 3 access packages with a maximum duration of 365 days; no access package for a Zone 3 agent has a perpetual (no-expiration) configuration, evidenced by access package lifecycle settings screenshots or export.
  5. At least one lifecycle workflow is active and configured to trigger on sponsor departure; workflow logs show at least one test execution or a live execution with expected actions (notification sent, suspension task created), evidenced by workflow execution history.
  6. Quarterly access certification campaigns have been completed for all Zone 3 agents within the current quarter; completion evidence (certifier name, date, decision) is retained in the Entra access review audit log and exported for examination file.
  7. For any access package assignment that has reached its expiry date in the prior 90 days, the corresponding agent identity has either (a) had a sponsor-approved renewal recorded with documented business justification, or (b) lost the granted resource access within 24 hours of expiry. Evidence: Graph export of accessPackageAssignment records with expiredDateTime in the period, joined to the agent identity's effective permissions snapshot at expiry+24h. No agent identity in Zone 3 holds a perpetual (no-expiration) access package assignment.
  8. All lifecycle event logs (sponsor assignment, access package grant, renewal, expiration, suspension, decommission) are being forwarded to the SIEM and subject to a minimum six-year retention policy, evidenced by SIEM ingestion confirmation and retention policy screenshot.
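Criterion 7 is the one item in this list that is a join rather than a screenshot: expired assignments in a 90-day window, matched to either a justified renewal or to the agent's effective-permissions snapshot at expiry + 24h, plus a sweep for perpetual assignments. The code below is an added example of that evidence check, written for this page over constructed records; it is not code from the original control, from the PowerShell playbook, or from Microsoft Graph. The expiredDateTime field name comes from the criterion text; the package catalog, snapshot structure, renewal records, status labels and all IDs and dates are assumptions or constructed values.

```python
"""Access-package expiry enforcement check for Verification Criterion 7.

Added example, not code from the original control page. For every assignment whose
expiredDateTime falls in the evidence window it looks for a sponsor-approved renewal with a
business justification, otherwise for the agent's effective-permissions snapshot at expiry + 24h
to confirm the package's resources are gone, and it flags perpetual assignments in governed
zones. Field names follow the criterion text; every record below is constructed.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed catalog: the resources each access package grants.
PACKAGES = {
    "Group-based SharePoint Reader + Graph Read - Zone 2": {"grp:sp-finance-readers", "graph:Sites.Read.All"},
    "Privileged: Entra role + approved API permissions - Zone 3": {"role:Reports Reader", "graph:Mail.Read"},
}
AGENTS = {
    "ag-1": {"name": "KYC Summary Agent", "zone": 3},
    "ag-2": {"name": "Team Notes Agent", "zone": 2},
    "ag-3": {"name": "Loan Triage Agent", "zone": 3},
}
ASSIGNMENTS = [  # constructed accessPackageAssignment records
    {"id": "as-1", "agentId": "ag-1", "package": "Privileged: Entra role + approved API permissions - Zone 3",
     "expiredDateTime": "2026-02-15T00:00:00Z"},
    {"id": "as-2", "agentId": "ag-2", "package": "Group-based SharePoint Reader + Graph Read - Zone 2",
     "expiredDateTime": "2026-03-01T00:00:00Z"},
    {"id": "as-3", "agentId": "ag-3", "package": "Privileged: Entra role + approved API permissions - Zone 3",
     "expiredDateTime": "2026-03-20T00:00:00Z"},
    {"id": "as-4", "agentId": "ag-3", "package": "Privileged: Entra role + approved API permissions - Zone 3",
     "expiredDateTime": None},  # perpetual assignment on a Zone 3 agent
    {"id": "as-5", "agentId": "ag-1", "package": "Privileged: Entra role + approved API permissions - Zone 3",
     "expiredDateTime": "2025-12-01T00:00:00Z"},  # expired before the evidence window
    {"id": "as-6", "agentId": "ag-2", "package": "Group-based SharePoint Reader + Graph Read - Zone 2",
     "expiredDateTime": "2026-03-10T00:00:00Z"},
]
RENEWALS = [  # constructed sponsor-approved renewal records
    {"assignmentId": "as-1", "approvedBy": "sponsor", "justification": "Quarterly KYC reporting continues through FY26"},
    {"assignmentId": "as-6", "approvedBy": "sponsor", "justification": ""},  # approved but undocumented
]
SNAPSHOTS = [  # constructed effective-permissions snapshots per agent
    {"agentId": "ag-2", "takenAt": "2026-03-02T01:00:00Z", "resources": {"grp:all-staff"}},
    {"agentId": "ag-3", "takenAt": "2026-03-21T02:00:00Z", "resources": {"role:Reports Reader", "graph:Mail.Read"}},
]
PERIOD_END = datetime(2026, 4, 1, tzinfo=timezone.utc)
COMPLIANT = {"RENEWED", "REVOKED_WITHIN_24H", "OUT_OF_WINDOW", "PERPETUAL_ZONE1"}


def snapshot_at_or_after(snapshots, agent_id: str, when: datetime):
    """Earliest effective-permissions snapshot for the agent taken at or after `when`."""
    candidates = [s for s in snapshots if s["agentId"] == agent_id and parse_ts(s["takenAt"]) >= when]
    return min(candidates, key=lambda s: parse_ts(s["takenAt"])) if candidates else None


def classify(assignment, renewals, snapshots, packages, agents, window_start, window_end) -> str:
    """Classify one assignment against criterion 7 (and the perpetual-assignment rule)."""
    agent = agents[assignment["agentId"]]
    if assignment["expiredDateTime"] is None:
        return "PERPETUAL_VIOLATION" if agent["zone"] >= 2 else "PERPETUAL_ZONE1"
    expired_at = parse_ts(assignment["expiredDateTime"])
    if not (window_start <= expired_at <= window_end):
        return "OUT_OF_WINDOW"
    renewal = next((r for r in renewals if r["assignmentId"] == assignment["id"]), None)
    if renewal is not None:
        return "RENEWED" if renewal.get("justification", "").strip() else "RENEWAL_MISSING_JUSTIFICATION"
    snap = snapshot_at_or_after(snapshots, assignment["agentId"], expired_at + timedelta(hours=24))
    if snap is None:
        return "NO_EVIDENCE"  # no snapshot at expiry+24h: cannot attest, treat as a gap
    retained = packages[assignment["package"]] & snap["resources"]
    return "VIOLATION_ACCESS_RETAINED" if retained else "REVOKED_WITHIN_24H"


def check_expiry_enforcement(period_end: datetime, window_days: int = 90, assignments=ASSIGNMENTS,
                             renewals=RENEWALS, snapshots=SNAPSHOTS, packages=PACKAGES, agents=AGENTS) -> dict:
    """Status per assignment ID for the evidence window ending at period_end."""
    window_start = period_end - timedelta(days=window_days)
    return {a["id"]: classify(a, renewals, snapshots, packages, agents, window_start, period_end)
            for a in assignments}


def is_compliant(results: dict) -> bool:
    """True only when every assignment in the report has a compliant status."""
    return all(status in COMPLIANT for status in results.values())


if __name__ == "__main__":
    report = check_expiry_enforcement(PERIOD_END)
    for assignment_id, status in report.items():
        print(f"{assignment_id}: {status}")
    print("criterion 7 satisfied:", is_compliant(report))
```

Two design points carry over to a real evidence export: a renewal without a recorded justification is treated as non-compliant rather than as a renewal, because the criterion asks for documented business justification, not just an approval; and the snapshot test intersects the package's own resource set with what the agent still holds, so unrelated group memberships do not mask a package that was never revoked.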

Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Pre-GA preview (verified against Microsoft Learn entra/agent-id and entra/id-governance/agent-id-governance-overview, April 2026). Mandatory re-verification after Agent 365 GA (May 1, 2026) — portal navigation, "All agents (preview)" toggle naming, and Lifecycle Workflow agent-sponsor task names are expected to change at GA.