Weekly Security Roundup: Agent Governance, Zero Trust, and PQC
Security updates cover expanded AI integration, automation, zero-trust principles, new security features in Azure, .NET, and Microsoft 365, and more detailed data and agent governance. These changes reflect an ongoing shift toward explainable, automated, and unified security practices.
Azure Platform Security: New Foundations and Granular Controls
Azure now offers the Metadata Security Protocol (MSP) for VMs, with support for HMAC validation and the eBPF Guest Proxy Agent. These bring zero-trust controls and explicit allowlisting into general availability, supporting compliance.
- Metadata Security Protocol (MSP) General Availability Secures Azure VM Metadata
Azure Monitor Logs provides GA support for detailed RBAC at multiple levels, advancing least privilege for telemetry data.
- Granular RBAC Now Generally Available in Azure Monitor Logs
Azure DNS Security Policy, now generally available, links threat intelligence with DNS filtering and integrates with DevOps workflows.
- Azure DNS Security Policy with Threat Intelligence Feed Now Generally Available
Microsoft also detailed its defense against a recent 15 Tbps DDoS attack, highlighting current adaptive, automated protections.
- Defending the cloud: Azure neutralized a record-breaking 15 Tbps DDoS attack
Building Security for AI-Driven Workloads and Agents
Microsoft Entra now manages “Agent ID” for non-human actors, supporting identity lifecycle management and mitigation for issues like prompt injection.
- Microsoft Entra: What's New in Secure Access on the AI Frontier
Best practices for securing AI agents with Microsoft Defender and in Microsoft Foundry add practical strategies for real-world risk management.
- Secure Your AI Agents with Microsoft Defender: Best Practices from Ignite 2025
- Securing AI Agents in Microsoft Foundry with Microsoft Security
Oasis introduces more comprehensive credential management for non-person entities in the Microsoft environment.
- Power Agentic Access: Governing Non-Human Identities with Oasis | Microsoft Ignite 2025
Zenity's integration provides runtime monitoring and incident response support for agent workflows in Copilot, Studio, and Foundry.
- Securing the AI Agents with Zenity and Microsoft
Microsoft Defender for Cloud and End-to-End Application Security
Defender for Cloud expands support for risk management and AI-powered threat detection, including pipelines, with integration for live risk assessments and artifact tracking. Defender’s connection with GitHub Advanced Security aids in automating secure development practices.
- Defending Cloud Platforms: Unified Security with Microsoft Defender
- Unified Application Security with Microsoft Defender for Cloud
- Runtime Security and AI Fixes: Integrating GitHub Advanced Security with Defender for Cloud
- Unified Code-to-Cloud Artifact Risk Visibility with Microsoft Defender for Cloud in GitHub
Security Copilot’s expanded role now includes Microsoft 365 E5, offering SIEM and XDR coverage plus automated PR remediation with Copilot Autofix. New artifact tracking and shielding cover legacy environments as well.
- AI-Driven Security Agents Now in Microsoft 365 E5: Security Copilot Integration and Expansion
- Security Copilot: Automating and Accelerating Defense with Agentic Workflows
- AI-Powered Endpoint Security Updates in Microsoft Defender
Comprehensive Governance for Data, Secrets, and Identity
Secrets management and identity rotation benefit from new technical guides for secure Azure Authentication and OIDC, bringing programmatic security best practices into DevOps pipelines.
- Secure Secrets, Certificate, and Access Management for Azure
Microsoft Fabric has introduced finer-grained data permissions, offering write access at the folder and table levels, as well as assignment capabilities in the UI.
- Fine-grained ReadWrite Access to Data with OneLake Security (Preview)
SQL auditing and encryption improvements offer better compliance management for regulated workloads.
- Auditing Features for Fabric SQL Database (Preview)
- Using Customer-Managed Keys with Microsoft Fabric SQL Database
Post-Quantum Cryptography Advances and Secure Coding
.NET now supports additional post-quantum cryptography algorithms (ML-KEM, ML-DSA), helping organizations prepare for new cryptographic requirements.
- Post-Quantum Cryptography in .NET: New Algorithms and Design Principles
The latest CodeQL release improves language coverage and precision for identifying vulnerabilities, building on previous releases.
- CodeQL 2.23.5 Adds New Language Support and Security Query Improvements
MLSecOps and prompt security guidance now includes support for PromptGuard 2, CodeShield, and LlamaFirewall, expanding on earlier best practices for treating prompts as code in DevOps security checks.
- MLSecOps and Prompt Security: DevOps Strategies for AI Pipeline Protection
Microsoft Sentinel: Agentic SIEM, Automation, and AI
Sentinel’s Data Lake feature supports larger-scale case management, while custom agent tools and marketplace integrations provide flexible automation paths. Blink micro-agents and Copilot support remediation actions, and SAP support extends coverage to industry applications.
- Power Agentic Defense with Microsoft Sentinel: Scalable Security Operations with AI, Data Lake, and Graph Intelligence
- Sentinel Alert to Autonomous Action: Controlled AI Response Framework
- Microsoft Sentinel Solution for SAP: Automated Asset Classification and Incident Response
Privacy programs benefit from Copilot integration, automating many aspects of policy compliance.
- Use AI Agents to Scale Privacy Programs with Microsoft Sentinel
Policy, Compliance, and Governance Workflows
Azure Policy now includes Service Groups, in-guest policies, and natural language authoring via Copilot, bringing automated compliance workflow support to more teams.
- Build Secure Applications with Azure Policy and Service Groups
CIS Benchmarks are built-in and available for Azure-endorsed Linux, supporting compliance in hybrid and multi-cloud environments.
- Built-In CIS Benchmarks for Linux Security on Azure: Flexible and Hybrid-Ready Compliance
Other Security News
Continuous integration for security tools connects policy and evidence tracking throughout the code lifecycle, continuing recent efforts at automation and visibility.
- Elevate DevEx 2.0 with Continuous Security Across the SDLC
Lifecycle coverage for .NET apps emphasizes paying for support after EOL, helping teams plan for service windows closing.
- Managing .NET Support Lifecycles: Why Paying for Post-EOL Support Is Practical
Microsoft’s approach to autonomous security is reflected in unified dashboards, Copilot support, and predictive protection—linking oversight with adaptive AI techniques.
- Ambient and Autonomous Security for the Agentic AI Era
Developments in adversarial AI defense, led by Microsoft and NVIDIA, continue to make use of real-time GPU-driven safeguards.
- AI-Driven Adversarial Defense: Microsoft and NVIDIA's Real-Time Immunity Collaboration
Updates in email and collaboration security, including Defender for Office 365 and agent-based controls, offer additional automation for new threat types.
- Securing Email and Collaboration with Microsoft Defender for Office 365 and Agentic AI
Endpoint and Windows security updates offer improvements in device administration, quantum-ready certificates, and patching, making security easier to manage in production.
- Inside Windows Security from Client to Cloud: Innovations in Windows 11 and Windows 365 | BRK258
Further resources for this week span cross-platform security integration, data protection, and modern architecture best practices:
- Secure the Modern Enterprise with Varonis and Microsoft Integration
- Bolster Your Data Security in the AI Era with Microsoft and Netskope
- Level up Microsoft security for insider threats
- Blueprint for Building the SOC of the Future
- Preventing Data Exfiltration with Microsoft Purview's Layered Protection Strategy
- Comprehensive Data Security and Governance in AI Workloads with Microsoft Purview
- Envision Next Generation DLP with Microsoft Purview and Copilot
- Data Protection in the Age of the Adversary: Accelerating Microsoft Purview Adoption
- Maximizing Microsoft Purview Data Security Solutions: Best Practices and Implementation Stories
- Enhancing Data Security Investigations with Microsoft Purview and AI
- End-to-End Security for AI Platforms, Apps, and Agents
- NIST Zero Trust with Forescout and Microsoft
- Active Directory Disaster Recovery: Modern Approaches for Secure Forest Restoration
- Building Secure-By-Design Environments with Azure Capabilities
- Managing .NET Support Lifecycles: Why Paying for Post-EOL Support Is Practical
- Setting Up Security Policies in Microsoft 365 Trial Tenants
- Setting Up Ransomware Protection in Windows 11: Step-by-Step Guide
- Configuring Windows Firewall for Maximum Safety
- Windows 11 Security Features: Protecting Your PC and Data