As artificial intelligence agents move from pilot programs into enterprise operations, a fundamental question is emerging: who secures the machines that act on our behalf? Microsoft’s latest research suggests many Australian organisations have yet to answer it.
The software giant’s inaugural Cyber Pulse: An AI Security Report arrives at a critical moment. AI agents—software that can take actions, make decisions and access systems autonomously—are multiplying across industries. Without proper governance, these digital workers could expose businesses to risks their existing security frameworks were never designed to handle.
AI agents scale across global enterprises
Microsoft’s Cyber Pulse report found that more than 80 per cent of Fortune 500 companies now have active AI agents deployed, many built using low-code and no-code development tools. The company projects this figure will grow dramatically, with more than 1.3 billion autonomous AI agents expected to be in operation globally by 2028.
Financial services currently leads adoption, accounting for roughly 11 per cent of active agents worldwide, according to Microsoft. The rapid uptake reflects broader trends in automation, where organisations are deploying agents to handle customer service, data processing and decision support tasks that previously required human intervention.
Security gaps leave agents vulnerable
Microsoft’s analysis warned that AI agents, like human employees, require careful management of their access and privileges. Without proper controls, agents could be exploited by malicious actors or inadvertently cause harm—becoming what the report described as unintended “double agents.”
The Cyber Pulse report recommended organisations apply Zero Trust security principles to their agent deployments, treating each agent as a potential risk until verified. This includes implementing observability measures to track what agents are doing, establishing governance frameworks for agent behaviour, and centralising controls across business, IT, security and developer teams.
Australian organisations face control gaps
Microsoft’s 2026 Security Data Index, released alongside the Cyber Pulse report, examined the state of AI security readiness across multiple markets. For Australia, the findings were sobering: 53 per cent of Australian organisations surveyed lacked generative AI-specific security controls.
These gaps include missing policies for agent deployment, insufficient monitoring for unauthorised agents operating within corporate environments, and limited visibility into what data agents can access. As Australian businesses accelerate their adoption of tools like Microsoft 365 Copilot and Azure AI Foundry, these vulnerabilities could widen.
Gartner analyst Domenico Scriva, speaking to ARN, emphasised that addressing these gaps requires more than product configuration. Partners and systems integrators must help customers understand the behavioural and risk implications of AI agent deployment—including potential exposure points in Copilot and SharePoint integrations.
Governance frameworks for agent deployment
The challenge for Australian enterprises extends beyond technical controls. As AI agents become more capable and autonomous, organisations may need to rethink how they structure accountability and oversight for automated decision-making.
Microsoft’s recommendations centre on bringing together cross-functional teams—spanning business operations, IT, security and software development—to establish centralised agent governance. This approach aims to prevent shadow AI deployments where agents operate outside formal oversight, while ensuring legitimate use cases can proceed with appropriate safeguards.
For channel partners and systems integrators, the Cyber Pulse findings point toward growing demand for specialised implementation services. Customers may increasingly seek help not just deploying AI capabilities, but securing and governing them throughout their operational lifecycle.
Enterprise AI security taking shape
Microsoft’s Cyber Pulse report marks an early attempt to define security standards for an emerging technology category. As AI agents move beyond experimentation and into core business processes, the governance frameworks organisations establish now could determine whether those deployments deliver value or create unforeseen liabilities.
Key indicators to watch include how quickly Australian organisations implement GenAI-specific policies, whether agent-related security incidents emerge as adoption scales, and how regulators respond to autonomous AI systems operating across critical sectors. The speed at which enterprises move from awareness to action will shape the risk landscape.
For Australian businesses, the 53 per cent figure represents both a vulnerability and an opportunity. Organisations that address these gaps early may find themselves better positioned as AI agent deployment becomes standard practice across industries.
Is your organisation ready for AI agents? Book a free AI Discovery Session with Aivy to assess your security posture and governance readiness.
