AccuroAI
Platform
What We Do
Solutions
Company
Resources
Book demo
← Blog·Agentic AI Governance13 read

Microsoft Agent 365 + Anthropic Claude Managed Agents: A CISO Field Guide to Governing the Big Two

In a three-week window, Microsoft shipped Agent 365 to GA and Anthropic shipped Claude Managed Agents with a 28-integration Compliance API. They are the two biggest enterprise agent platforms in the market. This is the side-by-side field guide: what each gives you, what each leaves you to add, and how to govern both with one control plane.

J
James Okafor
Strategy
2026-05-09

Answer box

Between May 1 and May 19, 2026, the two largest enterprise AI vendors shipped their full agent platforms. Microsoft Agent 365 (GA May 1) extends Entra identity and Microsoft Purview governance to Copilot Studio agents, adds Computer-Using Agents (May 13), and offers a central agent control plane inside the Microsoft tenant. Anthropic Claude Managed Agents (May 19) runs Claude agents inside the customer's infrastructure with MCP tunnels into private networks and ships a Claude Compliance API with 28 enterprise integrations spanning DLP, SIEM, identity, eDiscovery, and AI governance. Together they define how the agentic enterprise will be deployed for the next 18 months. This is the CISO field guide for governing both — what each platform gives you natively, what each leaves you to add, and how to unify policy across them.

Why this comparison matters now

Most enterprises will run both platforms by the end of 2026. The reason: each captures different agent traffic patterns. Microsoft Agent 365 dominates agents that operate inside Microsoft 365 workflows — email, Teams, SharePoint, Dynamics. Claude Managed Agents dominates agents that touch private codebases, sensitive data lakes, and customer-specific reasoning workloads. Treating either as "the enterprise's agent platform" is wrong. Both will be in production.

That creates a governance problem: two agent platforms, two different identity models, two different audit substrates, two different policy interfaces. If your AI control plane covers one and not the other, you operate two parallel governance stacks. If your AI control plane covers both, you maintain one.

This is the field guide for the CISO making that call.

Microsoft Agent 365 — what it is and what it gives you

Released GA May 1, 2026. Extended with Computer-Using Agents May 13, 2026. Sits as a control plane inside the Microsoft 365 tenant for all Copilot Studio agents and (announced roadmap) AWS Bedrock + GCP Vertex registry sync.

What Agent 365 gives you natively

  • Centralized agent registry for every Copilot Studio agent in the tenant.
  • Entra-native identity for agents. Each agent registered to Entra; Conditional Access policies extend to agent sign-ins.
  • Network controls via Entra Internet Access and Entra Private Access — agents constrained to declared destinations.
  • Microsoft Purview integration — agent prompts and responses logged with sensitivity-label propagation, eDiscovery hooks.
  • Computer-Using Agents (May 13, 2026) — agents that operate UI surfaces directly (clicking, typing) with screen-level provenance.
  • Multi-cloud registry sync (announced) — bring AWS Bedrock and GCP Vertex agents into the Agent 365 control plane.

What Agent 365 leaves you to add

  • Cross-vendor AI coverage. Agent 365's policy engine governs Microsoft and registered third-party agents inside the Microsoft tenant. ChatGPT Enterprise, direct-API Claude, Perplexity Enterprise, Gemini Workspace agents, and custom MCP-based agents are not natively governed by Agent 365.
  • Inline prompt and response inspection beyond Purview's coverage. Purview catches sensitivity labels and DLP patterns. It does not run OWASP Agentic Top 10 inspections (prompt injection, tool poisoning, A2A attacks).
  • Tool poisoning defense. Agent 365 governs the agent identity. It does not by default inspect tool descriptions or tool responses for poisoning patterns. See Tool Poisoning.
  • Agent-to-agent provenance beyond Microsoft-native A2A. Mixed-vendor multi-agent workflows are not natively traced.
  • OWASP Top 10 for Agentic Applications coverage as a first-class policy framework. Microsoft maps to its own taxonomy; cross-vendor parity requires mapping.

Where Agent 365 is strong

  • For tenants that live in Microsoft 365, Agent 365 is the path of least friction. Existing Entra policies, Purview labels, and tenant-admin workflows extend naturally.
  • Computer-Using Agents are the most operationally mature implementation of UI-level agentic automation in the market today.
  • Compliance evidence for E5/E7 tenants drops into existing Purview audit logs.

Where Agent 365 is weak

  • Cross-vendor reach. The moment your agent fleet includes Claude, Gemini, or open-model deployments outside the Microsoft tenant, Agent 365 covers part of the fleet only.
  • Inline OWASP-Agentic-Top-10 inspection requires complementary tooling.

Anthropic Claude Managed Agents — what it is and what it gives you

Released May 19, 2026. Two distinguishing features: sandbox-in-customer-infrastructure (the agent runs inside your environment, not Anthropic's) and MCP tunnels (the agent reaches your private network through governed tunnels rather than via public network paths).

What Claude Managed Agents gives you natively

  • Sandbox in customer infrastructure. Agent execution runs in the customer's cloud account (AWS, Azure, GCP). Data and execution don't leave the customer's perimeter for the agent's reasoning steps.
  • MCP tunnels for private network reach. Agents reach internal services through declared, scoped MCP tunnels — not arbitrary outbound HTTPS.
  • Claude Compliance API. Programmatic access to prompts, responses, tool calls, and policy decisions, with declarative compliance integrations.
  • 28-integration enterprise stack. Native bidirectional integrations with major DLP, SIEM, identity, eDiscovery, and AI governance vendors. Customer ships logs to their existing security stack rather than to an Anthropic console only.
  • Computer-use capability. Claude's computer-use API supports agents that operate desktop applications, comparable in shape to Microsoft Computer-Using Agents.
  • Codebase vulnerability scanning available to Claude Enterprise customers.

What Claude Managed Agents leaves you to add

  • Cross-vendor coverage. Same gap as Microsoft from the other direction. Claude Managed Agents governs Claude. It does not natively govern ChatGPT Enterprise, Copilot, Gemini, or non-Claude agents.
  • Identity for agents. Claude Managed Agents ships hooks; the customer wires them into Entra / Okta / SPIFFE. This is more flexible than Microsoft's tightly Entra-integrated model, and more work.
  • Inline prompt and response inspection at the OWASP Top 10 layer. Anthropic's safety filters cover their own scope; enterprise OWASP Agentic Top 10 controls require a complementary layer.
  • AI Bill of Materials. Claude Compliance API logs tool calls; building an AIBOM across all your AI systems is still on the customer.

Where Claude Managed Agents is strong

  • For customers with strong infrastructure operations (cloud-native, IaC, mature observability), the sandbox-in-customer-infrastructure model fits hand-in-glove. Data sovereignty story is the cleanest in the market.
  • The 28-integration Compliance API model means logs flow into existing SIEM, DLP, and identity stacks without intermediate dashboards. SOCs are happier.
  • MCP tunnels are the most defensible answer to private-network reach for AI agents that exists today.

Where Claude Managed Agents is weak

  • Less native opinionation on identity, audit dashboards, and policy UI. The flexibility is also the operational burden.
  • Microsoft's tenant integration is tighter for Microsoft-heavy organizations.

Side-by-side architecture comparison

Dimension Microsoft Agent 365 Anthropic Claude Managed Agents
Execution location Microsoft cloud (Copilot Studio runtime) Customer cloud (sandbox in customer infrastructure)
Identity model Entra-native, Conditional Access extends to agents Customer-wired via hooks (Entra, Okta, SPIFFE)
Audit substrate Microsoft Purview Claude Compliance API (28-integration stack)
Network reach to private services Entra Internet Access / Entra Private Access MCP tunnels
Computer-use / UI automation Computer-Using Agents (May 13, 2026) Claude computer-use API
Cross-vendor agent coverage Registered third-party agents inside tenant; multi-cloud registry sync announced None native — Claude only
Default OWASP Agentic Top 10 coverage Partial (Purview DLP); requires complementary layer Partial (Anthropic safety filters); requires complementary layer
Native tool poisoning defense No No
Native A2A trust Microsoft-native A2A traced Customer-wired
Compliance evidence Purview audit logs, E5/E7 reports Claude Compliance API exports, programmatic
Best for Microsoft-heavy tenants, M365 workflow agents Customer-cloud-heavy orgs, private data agents

Neither is a complete control plane. Both expect a governance layer on top.

The unified control plane that governs both

Five capabilities the AI control plane must provide if you run both:

1. Cross-vendor inline inspection

Prompts and responses across Agent 365 and Claude Managed Agents and the rest of your AI stack pass through the same inspection engine, with the same detection signatures, the same redact/block/warn options, and the same audit log.

2. Unified agent identity

Per-agent workload identities (Tier 3 in our agentic identity piece) issued for agents on both platforms, with the same delegation envelope and capability-token model. Agents on Microsoft Agent 365 surface their Entra identity into the control plane; agents on Claude Managed Agents surface their workload identity. The control plane normalizes.

3. Cross-vendor audit

One searchable log spanning all platforms. Per-task provenance reconstructable in one query regardless of which platform the agent ran on.

4. OWASP Agentic Top 10 policy coverage

The same OWASP-aligned policy applied across both platforms. ASI01 (Goal Hijack), ASI02 (Tool Misuse), ASI03 (Identity), ASI04 (Supply Chain), ASI06 (Memory Poisoning), ASI07 (Inter-Agent), ASI09 (Trust Exploitation), ASI10 (Rogue Agents) — covered consistently regardless of where the agent runs. See the OWASP Agentic Top 10 annotated guide.

5. Cross-vendor kill switch

A single operator action halts a misbehaving agent regardless of which platform it runs on, with atomic revocation of identity + tokens + bus + egress. Tied to the kill-switch architecture in The 9-Second Database Delete.

What to do in the next 60 days

If you're Microsoft-heavy and just turning on Agent 365

  1. Inventory every Copilot Studio agent currently in the tenant. Most enterprises have more than they think.
  2. Apply Entra Conditional Access policies to every agent identity. Treat per-agent identity as table stakes (see the agentic identity piece).
  3. Configure Purview AI Hub for prompt/response logging.
  4. Add an OWASP-aligned inspection layer on top — Purview covers DLP, not OWASP Agentic Top 10.
  5. Pre-position the Computer-Using Agents governance question. UI-level agents are the most consequential agentic surface for blast radius. Run a tabletop.
  6. Plan for cross-vendor reach. Multi-cloud registry sync helps; non-Microsoft agents still need a parallel governance path.

If you're standing up Claude Managed Agents

  1. Choose your sandbox cloud account and provision IAM correctly from day one. The sandbox model is only as clean as your IaC.
  2. Configure the Claude Compliance API endpoints into your SIEM, DLP, and identity governance vendors. Pick the integrations from the 28-vendor list that align with your stack.
  3. Define MCP tunnels carefully. Each tunnel is a privileged path into private services; treat it like a VPN tunnel for governance.
  4. Wire agent workload identities to your existing identity layer (Entra, Okta, SPIFFE).
  5. Add an OWASP-aligned inspection layer on top — Anthropic's safety filters cover their scope, not your enterprise Top 10 coverage.

If you're running both

  1. Pick an AI control plane that covers both. The five capabilities above are the evaluation criteria.
  2. Insist on one policy engine across both. Two policy engines is the failure mode this whole architecture exists to prevent.
  3. Unify the audit logs. One searchable record per task, regardless of where the task ran.
  4. Run quarterly tabletops that include both platforms in the scenario.

Where AccuroAI sits

The AccuroAI control plane covers Microsoft Agent 365 (via Entra and Microsoft Graph) and Claude Managed Agents (via the Compliance API) under one policy engine. Same OWASP Top 10 for Agentic Applications inspection on both. Same agent identity model on both. Same audit log spanning both. Same kill switch operating across both.

Customers running both platforms typically deploy AccuroAI because the alternative — two parallel governance stacks — is operationally unsustainable past about six months. We are listed in the Claude Compliance API integration catalog and integrate natively with Microsoft Graph and Entra.

If you want to run the gap map against your specific Microsoft and Anthropic deployments, book a 30-minute architecture review and we'll produce the cross-vendor policy plan.

FAQ

Should we standardize on one of these platforms? Most enterprises won't. The workloads each platform serves best are different. Agent 365 is the natural fit for agents inside M365 workflows; Claude Managed Agents is the natural fit for agents touching private codebases and sensitive data. Standardizing on one means leaving capability on the table in the other. Plan for both.

What is Anthropic's "Claude Compliance API"? A programmatic API Anthropic shipped May 19, 2026, providing customer access to prompts, responses, tool calls, and policy decisions made by Claude Managed Agents, with 28 bidirectional enterprise integrations (DLP, SIEM, identity, eDiscovery, AI governance vendors). Logs ship to existing customer stacks rather than to an Anthropic console only.

What are "Computer-Using Agents"? Microsoft's term for agents that operate UI surfaces directly — clicking, typing, navigating applications as a human would. Released May 13, 2026. Anthropic has a comparable capability via the Claude computer-use API. Operationally, these are the highest-blast-radius agents in production because they can touch anything a human user can touch.

Does Microsoft Purview AI Hub replace the need for a separate AI control plane? For Microsoft-only environments, Purview covers a meaningful share of DLP and audit needs. It does not cover OWASP Agentic Top 10 inspection, tool poisoning defense, A2A trust, or cross-vendor reach. Enterprises running multiple AI platforms typically layer a dedicated AI control plane above Purview.

How does this relate to the EU AI Act? Both platforms produce evidence that satisfies parts of Article 12 (record-keeping) and Article 14 (human oversight). Neither platform alone satisfies all the Annex IV technical documentation requirements for high-risk systems. See our unified compliance crosswalk.

Where can I see the full feature list of each platform? Microsoft Agent 365 documentation on Microsoft Learn. Anthropic Claude Managed Agents documentation on the Anthropic developer site. Both are evolving; recheck before any procurement decision.

Sources: Microsoft Agent 365 GA announcement (May 1, 2026) · Microsoft Copilot Studio April 2026 governance updates · Anthropic Claude Managed Agents security and privacy (May 19, 2026) · Anthropic Claude Compliance API — 28 enterprise integrations · OWASP Top 10 for Agentic Applications 2026.

Related: Microsoft 365 Copilot vs ChatGPT Enterprise: Where Each Leaks · Microsoft 365 Copilot Oversharing · The OWASP Top 10 for Agentic Applications 2026, Annotated for Enterprises · Guardian Agents Explained · NHI Is Dead, Long Live Agentic Identity.

See AccuroAI in action.
30-minute demo tailored to your top AI risk.
Book a demo
More from the blog
Agentic AI Governance · 12
The CISO's MCP Field Guide v2: From Inventory to Runtime Governance
Pillar Hub · 6
The CISO & Board AI Narrative: The Enterprise Hub
Prompt DLP · 11
Microsoft 365 Copilot vs ChatGPT Enterprise: Where Each Leaks (and How to Plug It)
See AccuroAI in action.

Book a 30-minute demo and see how security teams use AccuroAI to discover, govern, and protect every AI asset across their organization.

Book a demoTalk to security