Microsoft’s May 1 ‘Agent 365’ Launch Isn’t the Big Risk—It’s the New ‘Prompt Traffic’ Layer That Can Leak Your Company in One Click
Microsoft is shipping agent governance and agent acceleration on the same day. The bigger risk isn’t hallucinations—it’s the new “prompt traffic” layer where context, tool outputs, and clickable actions can turn one approval into a company-wide spill.
By TheMurrow Editorial
April 12, 2026
Key Points
- 1Track the real danger: “prompt traffic” (context, tool outputs, action requests) can be compromised and trigger one-click enterprise data spills.
- 2Watch May 1, 2026: Agent 365 ($15/user/month) and Microsoft 365 E7 ($99/user) ship together, compressing rollout timelines.
- 3Treat governance as operations: inventory, observability, Entra/Defender/Purview controls, and connector hygiene must be continuously configured and enforced.
May 1, 2026 is supposed to be the day Microsoft makes enterprise AI agents safer.
That’s the official story, at least. According to Microsoft’s own Tech Community post, Agent 365 will be generally available on May 1, 2026, priced at $15 per user/month—and positioned as a way to keep agents “governed, observable, and secure” across an organization, even when those agents are built with different tools and models.
The irony is that the very moment a governance layer goes mainstream is also the moment the thing being governed becomes easier to deploy. On the same date, Microsoft is also bringing a new premium bundle to market: Microsoft 365 E7: The Frontier Suite, announced March 9, 2026, slated for general availability May 1 at $99 per user. Third-party coverage describes E7 as bundling E5 + Copilot + Agent 365 into one SKU—an adoption accelerant disguised as simplification.
The real risk isn’t that an AI assistant will “hallucinate” in a chat window. The more dangerous failure mode is quieter: a new layer of “prompt traffic”—instructions, retrieved context, tool outputs, and action requests—moving between users, models, and systems that security teams often don’t fully own. When that layer is compromised, it can turn a single click into an enterprise-scale data spill.
Agent governance ships as a safety feature. It also ships as an adoption engine.
— — TheMurrow Editorial
May 1, 2026
Microsoft’s synchronized date for Agent 365 general availability—and Microsoft 365 E7 general availability—where governance and acceleration land together.
Agent 365 is a governance product—by design, and by necessity
Microsoft is unusually clear about what Agent 365 is meant to be: a “unified control plane” for AI agents. That language matters. “Control plane” is how infrastructure teams talk about centralized management—policy, auditing, visibility—rather than creation or usage.
In Microsoft’s framing, Agent 365 addresses three recurring enterprise questions:
- What agents exist in the tenant? A registry or inventory function, aimed at the basic “what’s out there?” problem.
- What did those agents do? Monitoring and “advanced observability” capabilities described in Microsoft Learn documentation.
- Can we apply enterprise controls to agents the way we do to people? Integration with Microsoft’s identity, security, and compliance stack—Entra, Defender, and Purview—to extend “user-like” governance to “agent-like” identities.
Microsoft’s message is hard to argue with. Enterprises already struggle to track apps, scripts, service accounts, and permissions sprawl. Agents add yet another layer of automation and access, but with a more flexible interface: natural language, tool use, and retrieval over internal documents.
The harder question is timing. A governance control plane arriving at general availability is good. But it also signals that agent deployment has crossed from experimentation to routine procurement. For many large organizations, routine procurement is the point where security review starts losing races.
In Microsoft’s framing, Agent 365 addresses three recurring enterprise questions:
- What agents exist in the tenant? A registry or inventory function, aimed at the basic “what’s out there?” problem.
- What did those agents do? Monitoring and “advanced observability” capabilities described in Microsoft Learn documentation.
- Can we apply enterprise controls to agents the way we do to people? Integration with Microsoft’s identity, security, and compliance stack—Entra, Defender, and Purview—to extend “user-like” governance to “agent-like” identities.
Microsoft’s message is hard to argue with. Enterprises already struggle to track apps, scripts, service accounts, and permissions sprawl. Agents add yet another layer of automation and access, but with a more flexible interface: natural language, tool use, and retrieval over internal documents.
The harder question is timing. A governance control plane arriving at general availability is good. But it also signals that agent deployment has crossed from experimentation to routine procurement. For many large organizations, routine procurement is the point where security review starts losing races.
The ‘what did it do?’ question isn’t philosophical anymore. It’s an audit requirement.
— — TheMurrow Editorial
What launches May 1 is less about intelligence—and more about accountability
Microsoft’s own Tech Community post anchors the key facts: general availability on May 1, 2026, and $15 per user/month pricing. The product is positioned as a way to govern agent ecosystems built across different frameworks and models.
That cross-model, cross-tool promise is the tell. Microsoft is acknowledging an uncomfortable truth: enterprise agent environments will not be monocultures. Organizations will run Copilot-based agents, custom agents, third-party agents, and internal automations that talk to each other. The governance problem isn’t limited to Microsoft-native endpoints.
Agent 365, then, is less a shiny new assistant and more a management layer. The work it does—inventory, observability, policy integration—is the work security and compliance teams have been demanding since “AI agents” stopped being a hackathon novelty.
That cross-model, cross-tool promise is the tell. Microsoft is acknowledging an uncomfortable truth: enterprise agent environments will not be monocultures. Organizations will run Copilot-based agents, custom agents, third-party agents, and internal automations that talk to each other. The governance problem isn’t limited to Microsoft-native endpoints.
Agent 365, then, is less a shiny new assistant and more a management layer. The work it does—inventory, observability, policy integration—is the work security and compliance teams have been demanding since “AI agents” stopped being a hackathon novelty.
$15 per user/month
Microsoft-stated pricing for Agent 365 at general availability, framing governance as a comparatively low-friction add-on.
E7 bundling turns governance into a rollout lever
Microsoft didn’t just announce Agent 365’s general availability. On March 9, 2026, Microsoft introduced a new premium tier: Microsoft 365 E7: The Frontier Suite, with general availability May 1 at $99 per user.
Third-party coverage characterizes E7 as bundling E5 + Copilot + Agent 365 into a single SKU. Pricing aside, the packaging is the point: bundling reduces friction. Procurement teams prefer fewer line items. IT teams prefer integrated licensing. Executives prefer “one plan” that signals modernity.
The risk is structural. When agent creation (Copilot capabilities), agent connectivity (tool integration), and agent governance (Agent 365) expand together under one SKU, adoption can outpace control. Not because anyone is reckless—but because rollout is easier than review.
Enterprises already know this pattern from identity and SaaS sprawl: a new capability lands in a familiar admin center, users discover it, productivity teams champion it, and only later do security teams learn how widely it spread.
Here are the hard numbers that frame the shift:
- $15 per user/month for Agent 365 (Microsoft-stated) creates a relatively low-cost add-on path.
- $99 per user for Microsoft 365 E7 (Microsoft-stated) creates a premium bundle path.
- May 1, 2026 becomes a synchronized launch date for both governance and acceleration.
- March 9, 2026 marks the moment Microsoft publicly tied “intelligence” and “trust” into a single top-tier suite.
That combination can be responsible—centralized governance arriving with broader AI capability—but it also increases the odds that governance is treated as a feature checkbox rather than an operational discipline.
Third-party coverage characterizes E7 as bundling E5 + Copilot + Agent 365 into a single SKU. Pricing aside, the packaging is the point: bundling reduces friction. Procurement teams prefer fewer line items. IT teams prefer integrated licensing. Executives prefer “one plan” that signals modernity.
The risk is structural. When agent creation (Copilot capabilities), agent connectivity (tool integration), and agent governance (Agent 365) expand together under one SKU, adoption can outpace control. Not because anyone is reckless—but because rollout is easier than review.
Enterprises already know this pattern from identity and SaaS sprawl: a new capability lands in a familiar admin center, users discover it, productivity teams champion it, and only later do security teams learn how widely it spread.
Here are the hard numbers that frame the shift:
- $15 per user/month for Agent 365 (Microsoft-stated) creates a relatively low-cost add-on path.
- $99 per user for Microsoft 365 E7 (Microsoft-stated) creates a premium bundle path.
- May 1, 2026 becomes a synchronized launch date for both governance and acceleration.
- March 9, 2026 marks the moment Microsoft publicly tied “intelligence” and “trust” into a single top-tier suite.
That combination can be responsible—centralized governance arriving with broader AI capability—but it also increases the odds that governance is treated as a feature checkbox rather than an operational discipline.
Bundles don’t just simplify licensing. They compress the time between ‘available’ and ‘everywhere.’
— — TheMurrow Editorial
$99 per user
Microsoft-stated price for Microsoft 365 E7: The Frontier Suite, which third-party coverage describes as bundling E5 + Copilot + Agent 365.
A fair counterpoint: bundling can also improve safety
To be clear, bundling governance into the same suite as productivity AI can be a net positive. In many organizations, governance tools fail because they are optional, underfunded, or perpetually postponed.
If E7 makes governance harder to ignore, that’s good. But safety only improves if teams actually configure policies, review logs, and enforce controls—work that does not happen automatically because a SKU exists.
If E7 makes governance harder to ignore, that’s good. But safety only improves if teams actually configure policies, review logs, and enforce controls—work that does not happen automatically because a SKU exists.
Key Insight
Bundling can raise the floor on governance adoption—but only if policies, logging, and enforcement are operationalized, not merely licensed.
The new attack surface isn’t the model. It’s the “prompt traffic.”
Security teams are comfortable thinking in terms of endpoints, identities, permissions, and network boundaries. AI agents add a different kind of surface: the layer where prompts and context move between people, models, and tools.
Call it prompt traffic: the flow of instructions and data that includes:
- user requests,
- system prompts and policies,
- retrieved documents and snippets,
- tool descriptions and tool outputs,
- action proposals and confirmations.
In a traditional app, input and output are constrained by forms and defined APIs. With agents, the “input” may include whatever the agent reads—emails, documents, webpages, internal wiki pages, ticket threads—plus whatever tools it can call. The “output” may include not just text, but actions: creating a file, sending a message, changing a record.
Prompt traffic becomes the battleground because it’s where attackers can smuggle instructions, and where well-meaning systems can accidentally propagate them.
Microsoft has explicitly discussed indirect prompt injection as a recognized class of attacks, where malicious instructions are embedded in content an agent consumes—documents, emails, webpages, or tool outputs. That matters because indirect injection targets the context supply chain, not the user.
In other words: the user doesn’t need to be tricked into typing a secret. The agent can be tricked into treating untrusted text as trusted instructions.
Call it prompt traffic: the flow of instructions and data that includes:
- user requests,
- system prompts and policies,
- retrieved documents and snippets,
- tool descriptions and tool outputs,
- action proposals and confirmations.
In a traditional app, input and output are constrained by forms and defined APIs. With agents, the “input” may include whatever the agent reads—emails, documents, webpages, internal wiki pages, ticket threads—plus whatever tools it can call. The “output” may include not just text, but actions: creating a file, sending a message, changing a record.
Prompt traffic becomes the battleground because it’s where attackers can smuggle instructions, and where well-meaning systems can accidentally propagate them.
Microsoft has explicitly discussed indirect prompt injection as a recognized class of attacks, where malicious instructions are embedded in content an agent consumes—documents, emails, webpages, or tool outputs. That matters because indirect injection targets the context supply chain, not the user.
In other words: the user doesn’t need to be tricked into typing a secret. The agent can be tricked into treating untrusted text as trusted instructions.
Why “one-click” failures happen in agentic systems
A “one-click” failure is rarely one click in isolation. It’s one click at the end of a chain: content ingestion → instruction interpretation → tool invocation → data movement.
As Microsoft’s ecosystem expands to make agents more capable and connected, the “one click” might be:
- approving an agent’s proposed action,
- clicking an interactive widget inside a chat experience,
- enabling a connector that seems harmless,
- granting access so an agent can “be more helpful.”
The agent layer is designed to reduce friction. Security teams, by contrast, often rely on friction—approval workflows, least privilege, segmented access—to prevent mistakes from becoming incidents.
As Microsoft’s ecosystem expands to make agents more capable and connected, the “one click” might be:
- approving an agent’s proposed action,
- clicking an interactive widget inside a chat experience,
- enabling a connector that seems harmless,
- granting access so an agent can “be more helpful.”
The agent layer is designed to reduce friction. Security teams, by contrast, often rely on friction—approval workflows, least privilege, segmented access—to prevent mistakes from becoming incidents.
Editor’s Note
In agentic systems, “one click” often means one approval at the end of a multi-step pipeline that security teams may not fully instrument.
MCP makes tool wiring easier—and makes the traffic layer real
The idea of “prompt traffic” isn’t metaphorical. It maps to real integration plumbing, increasingly standardized.
Microsoft has announced Model Context Protocol (MCP) support in Copilot Studio, framing MCP as a way to simplify integration between agents and external apps and data. Microsoft documentation in a Dynamics 365 context similarly describes MCP as an open standard used to connect agents to data systems for more relevant responses.
Standards do two things at once: they reduce integration cost, and they increase integration volume. MCP lowers the barrier to connecting agents to tools, which is exactly what customers want.
But from a risk perspective, MCP also turns “agent context” into a more formal pipeline. Instead of ad hoc integrations, you get consistent connectors and patterns. That’s great for scale—until an organization realizes it has scaled a new category of sensitive traffic that may not fit neatly into existing monitoring.
Microsoft 365 Message Center archives also point to MCP-based agents surfacing richer UI widgets in Copilot Chat—an indicator that agent outputs are becoming more interactive and “clickable.”
Interactive outputs are a usability win. They can also make it harder for users to distinguish between:
- information pulled from trusted internal sources,
- suggestions generated by a model,
- instructions embedded by an adversary in something the agent retrieved.
Microsoft has announced Model Context Protocol (MCP) support in Copilot Studio, framing MCP as a way to simplify integration between agents and external apps and data. Microsoft documentation in a Dynamics 365 context similarly describes MCP as an open standard used to connect agents to data systems for more relevant responses.
Standards do two things at once: they reduce integration cost, and they increase integration volume. MCP lowers the barrier to connecting agents to tools, which is exactly what customers want.
But from a risk perspective, MCP also turns “agent context” into a more formal pipeline. Instead of ad hoc integrations, you get consistent connectors and patterns. That’s great for scale—until an organization realizes it has scaled a new category of sensitive traffic that may not fit neatly into existing monitoring.
Microsoft 365 Message Center archives also point to MCP-based agents surfacing richer UI widgets in Copilot Chat—an indicator that agent outputs are becoming more interactive and “clickable.”
Interactive outputs are a usability win. They can also make it harder for users to distinguish between:
- information pulled from trusted internal sources,
- suggestions generated by a model,
- instructions embedded by an adversary in something the agent retrieved.
Multiple perspectives: standardization helps defenders, too
There’s a strong argument that MCP and similar standardized connectors are good for security precisely because they reduce chaos. When integrations follow repeatable patterns, defenders can instrument and govern those patterns.
Agent 365’s pitch—observability, inventory, policy—sounds like a necessary companion to MCP-era connectivity. The challenge is organizational: security teams must be brought into agent design early enough to define what gets logged, what gets blocked, and what requires approval.
Agent 365’s pitch—observability, inventory, policy—sounds like a necessary companion to MCP-era connectivity. The challenge is organizational: security teams must be brought into agent design early enough to define what gets logged, what gets blocked, and what requires approval.
“Indirect prompt injection” is a governance problem, not just an AI problem
When Microsoft’s Security Response Center discusses indirect prompt injection, it’s acknowledging that attacks can arrive through content an agent consumes. That shifts responsibility.
Classic phishing targets people. Indirect injection targets systems that read what people receive: the agent scanning an email thread, the summarizer reading a document, the assistant retrieving an internal page.
A realistic scenario doesn’t require Hollywood villainy:
1. An employee asks an agent to summarize an email thread and draft a response.
2. A malicious instruction is embedded in the thread—formatted like a footer, a quoted reply, or a harmless note.
3. The agent interprets it as higher-priority instruction because it appears “in context.”
4. The agent then drafts or performs an action that leaks data, misroutes a message, or changes a record.
The defense isn’t “train users to be careful” alone. Users never see most of what agents ingest. The defense is governance and design:
- clear trust boundaries between user instructions and retrieved content,
- observability into tool calls and data access,
- policies restricting what agents can do without review.
Agent 365’s emphasis on monitoring and integration with Entra, Defender, and Purview speaks to this. Indirect injection isn’t simply an LLM quirk—it’s a new kind of content-borne instruction risk.
Classic phishing targets people. Indirect injection targets systems that read what people receive: the agent scanning an email thread, the summarizer reading a document, the assistant retrieving an internal page.
A realistic scenario doesn’t require Hollywood villainy:
1. An employee asks an agent to summarize an email thread and draft a response.
2. A malicious instruction is embedded in the thread—formatted like a footer, a quoted reply, or a harmless note.
3. The agent interprets it as higher-priority instruction because it appears “in context.”
4. The agent then drafts or performs an action that leaks data, misroutes a message, or changes a record.
The defense isn’t “train users to be careful” alone. Users never see most of what agents ingest. The defense is governance and design:
- clear trust boundaries between user instructions and retrieved content,
- observability into tool calls and data access,
- policies restricting what agents can do without review.
Agent 365’s emphasis on monitoring and integration with Entra, Defender, and Purview speaks to this. Indirect injection isn’t simply an LLM quirk—it’s a new kind of content-borne instruction risk.
A realistic indirect-injection chain
- 1.An employee asks an agent to summarize an email thread and draft a response.
- 2.A malicious instruction is embedded in the thread—formatted like a footer, a quoted reply, or a harmless note.
- 3.The agent interprets it as higher-priority instruction because it appears “in context.”
- 4.The agent then drafts or performs an action that leaks data, misroutes a message, or changes a record.
The organizational snag: prompt traffic sits between teams
Prompt traffic often flows through layers owned by different groups:
- productivity platforms (IT),
- identity and access (security),
- compliance and retention (legal/compliance),
- application integrations (engineering),
- business owners who sponsor the agent.
When something goes wrong, the postmortem question won’t be “why did the model do that?” It will be “who owned the control?” A unified control plane is appealing because it can reduce that ambiguity—if it is actually used as the system of record.
- productivity platforms (IT),
- identity and access (security),
- compliance and retention (legal/compliance),
- application integrations (engineering),
- business owners who sponsor the agent.
When something goes wrong, the postmortem question won’t be “why did the model do that?” It will be “who owned the control?” A unified control plane is appealing because it can reduce that ambiguity—if it is actually used as the system of record.
What Agent 365 can realistically change—and what it can’t
Microsoft’s Agent 365 story is fundamentally about enterprise hygiene: know what exists, observe what happens, apply policy, and integrate with established security controls.
That’s meaningful. Most enterprise incidents are not exotic; they’re failures of visibility and policy enforcement. A registry of agents across the tenant addresses the “unknown unknowns” problem. Observability addresses the “we can’t prove what happened” problem. Integration with Entra, Defender, and Purview addresses the “agents need identities and controls” problem.
Still, governance platforms have limits.
That’s meaningful. Most enterprise incidents are not exotic; they’re failures of visibility and policy enforcement. A registry of agents across the tenant addresses the “unknown unknowns” problem. Observability addresses the “we can’t prove what happened” problem. Integration with Entra, Defender, and Purview addresses the “agents need identities and controls” problem.
Still, governance platforms have limits.
Governance can’t fix a bad idea shipped at scale
If an organization connects an agent to sensitive systems with broad permissions, centralized monitoring won’t stop a mistake—it will document it. Monitoring is essential, but prevention still depends on least privilege, careful connector selection, and scoped access.
Governance won’t compensate for unclear user experience
If agents surface interactive widgets and action buttons inside chat, users need clear cues about what is safe to click and what requires verification. No control plane can compensate for UX that normalizes high-stakes actions as casual interactions.
Governance tools require operational ownership
A control plane does not govern itself. Someone must:
- review agent inventory regularly,
- set policies and exceptions,
- investigate anomalous behavior,
- enforce connector hygiene,
- coordinate across business units.
Agent 365’s arrival will push organizations to decide whether “AI agent ops” is a real function or a side quest added to someone’s already-full plate.
- review agent inventory regularly,
- set policies and exceptions,
- investigate anomalous behavior,
- enforce connector hygiene,
- coordinate across business units.
Agent 365’s arrival will push organizations to decide whether “AI agent ops” is a real function or a side quest added to someone’s already-full plate.
Operational ownership isn’t optional
- ✓Review agent inventory regularly
- ✓Set policies and exceptions
- ✓Investigate anomalous behavior
- ✓Enforce connector hygiene
- ✓Coordinate across business units
Practical takeaways for leaders: treat prompt traffic like a real system
Organizations preparing for May 1 should approach Agent 365 and E7 not as a simple licensing change, but as a structural shift in how work gets done—and how mistakes propagate.
Build a “prompt traffic” threat model now
Security leaders don’t need to become prompt engineers. They need a map of where instructions and context flow:
- Which agents exist (or are being piloted)?
- Which tools can they call?
- Which data sources can they retrieve from?
- What approvals exist before actions occur?
Agent 365’s registry and observability themes suggest Microsoft expects customers to ask these questions.
- Which agents exist (or are being piloted)?
- Which tools can they call?
- Which data sources can they retrieve from?
- What approvals exist before actions occur?
Agent 365’s registry and observability themes suggest Microsoft expects customers to ask these questions.
Align identity controls with “agent-like” identities
Microsoft has emphasized integration with Entra for identity controls. The practical implication: agents should not inherit sprawling permissions by default. Treat an agent like a new kind of actor in your environment, with:
- explicit permissions,
- limited scope,
- clear ownership,
- revocation paths.
- explicit permissions,
- limited scope,
- clear ownership,
- revocation paths.
Use compliance tooling to set boundaries on data exposure
Integration with Purview points to a familiar truth: data classification and retention policies will matter more, not less, as agents retrieve and summarize content. If sensitive content is poorly labeled or widely accessible, agents will faithfully bring it into contexts where it doesn’t belong.
Don’t confuse “available” with “safe”
May 1 is a release date and a packaging milestone. It is not a security sign-off for your specific configuration. Teams should plan staged rollouts, controlled connectors, and auditing before broad deployment.
The quiet question May 1 forces: who governs the governors?
Microsoft is making a sensible bet: the era of AI agents in the enterprise needs a centralized way to inventory, observe, and secure them. Agent 365’s general availability on May 1, 2026 makes that bet real, with a clear price tag: $15 per user/month.
Microsoft is also making a bolder bet: customers want agent power and governance as a single motion. Microsoft 365 E7, announced March 9, 2026 and priced at $99 per user, reinforces that packaging logic.
The unresolved issue is the one that always surfaces when automation becomes ordinary. If agents become a default interface to work—connected by standards like MCP, enriched with clickable actions, and woven into daily workflows—then governance isn’t a product you buy. It’s a discipline you run.
May 1 won’t simply mark a launch. It will mark a handoff: from experimentation to operations, from novelty to accountability, from “we tried an agent” to “we can explain what our agents did.”
And in an era of prompt traffic, explanation is the first step toward control.
Microsoft is also making a bolder bet: customers want agent power and governance as a single motion. Microsoft 365 E7, announced March 9, 2026 and priced at $99 per user, reinforces that packaging logic.
The unresolved issue is the one that always surfaces when automation becomes ordinary. If agents become a default interface to work—connected by standards like MCP, enriched with clickable actions, and woven into daily workflows—then governance isn’t a product you buy. It’s a discipline you run.
May 1 won’t simply mark a launch. It will mark a handoff: from experimentation to operations, from novelty to accountability, from “we tried an agent” to “we can explain what our agents did.”
And in an era of prompt traffic, explanation is the first step toward control.
May 1 won’t simply mark a launch. It will mark a handoff: from experimentation to operations, from novelty to accountability.
— — TheMurrow Editorial
T
About the Author
TheMurrow Editorial is a writer for TheMurrow covering technology.
Frequently Asked Questions
What is Microsoft Agent 365, exactly?
Microsoft describes Agent 365 as a unified control plane for managing AI agents so they remain governed, observable, and secure across an enterprise. Microsoft’s materials emphasize agent inventory/registry, monitoring/observability, and integration with Microsoft’s security and compliance stack (including Entra, Defender, and Purview) so agent activity can be managed with enterprise-grade controls.
When does Agent 365 launch, and how much does it cost?
Microsoft’s Tech Community discussion post states that Agent 365 will be generally available on May 1, 2026, and will be priced at $15 per user per month. That date coincides with the general availability of Microsoft’s newly announced premium suite, which also affects how quickly organizations may adopt agent capabilities at scale.
What is Microsoft 365 E7, and why does it matter for agent security?
Microsoft announced Microsoft 365 E7: The Frontier Suite on March 9, 2026, with general availability May 1 at $99 per user. Third-party coverage describes it as bundling E5 + Copilot + Agent 365. Bundling matters because it can accelerate deployment—meaning agent capability and agent governance may spread faster than an organization’s security review process.
What does “prompt traffic” mean in practical terms?
“Prompt traffic” refers to the flow of instructions and context between users, models, and tools: prompts, retrieved documents, tool outputs, and action requests. In agentic systems, that traffic can include content pulled from emails, files, or external sources—and it can influence what actions an agent proposes or takes. Monitoring and governing that flow becomes a new security priority.
What is MCP, and why are people talking about it now?
Model Context Protocol (MCP) is described in Microsoft documentation as an open standard for connecting agents to apps and data systems, improving relevance by wiring external context into agent experiences. Microsoft has announced MCP support in Copilot Studio, signaling a push toward easier, more standardized agent integrations—which increases both capability and the need for careful governance.
What is indirect prompt injection, and why should enterprises care?
Microsoft’s Security Response Center has discussed indirect prompt injection as an attack class where malicious instructions are embedded in content an agent reads—such as webpages, documents, emails, or tool outputs. Enterprises should care because the user may never see the malicious instruction; the agent ingests it as context, which can lead to unintended actions or data exposure unless governance and trust boundaries are well-designed.
