Scaling Microsoft AI Agents Securely: Zenity Brings Inline Prevention to Microsoft Foundry and Copilot Studio

Andrew Silberman

Microsoft Foundry and Microsoft Copilot Studio have made it simple to build AI agents that automate workflows, access sensitive data, and integrate across critical business systems. However, agent democratization without control creates new security challenges. As more agents are deployed across the organization, more agents can access more data, invoke more tools (including MCP and A2A), and perform more actions. In other words, the potential attack surface is expanding. Significantly.

As these agents are built and adopted across departments, even small oversights in security can turn into systemic vulnerabilities.

Most agent security relies on soft boundaries such as system prompts, user policies, or fine-tuned model restrictions. These are probabilistic controls. They guess at intent instead of enforcing rules. Indirect prompt injections, like the zero-click exploits we showed at Black Hat 2025, bypass soft boundaries regularly by hiding malicious instructions in documents or data sources that agents process without realizing it. Soft guardrails frequently lack nuanced context about the data, the user's intent, or how a string could be leveraged within an agent's downstream operations.

Think of an agent that runs with assumed access rights (e.g., the builder's credentials) and also has privileged access to sensitive data. Injected content may trigger actions that bypass intended policy checks and give an attacker a clear path to data they should not be able to reach. Soft boundaries have no visibility into the agent's context, into privilege escalation, or into whether a user-triggered action was intentional or manipulated.

Organizations need deterministic protection: hard boundaries that actually hold.

Inline Prevention Reaches General Availability

Today, Zenity's inline prevention capabilities provide expanded coverage across Microsoft Foundry (preview) and Microsoft Copilot Studio. This means deterministic enforcement for agents built by citizen developers in Copilot Studio and by professional developers in Microsoft Foundry, preventing agents from performing actions or invoking tools that are deemed risky. These capabilities, which introduce minimal latency, provide hard boundaries that identify and disrupt bad actors in real time, before they can impact the enterprise.

Copilot Studio empowers business users to create agents through low-code interfaces. These agents often introduce risk through indirect prompt injection, where the agent unknowingly acts on malicious instructions embedded in user-provided content or shared files.

Microsoft Foundry enables professional developers to build complex, multi-tool agents at scale. Foundry agents often run as cloud-hosted services that connect directly to enterprise APIs and data systems, which makes inline controls essential at the execution layer. Risk here stems from tool overreach, which can then be exploited through indirect prompt injection, insecure API chaining, or unsanitized external inputs.

Zenity, working with Microsoft, now provides native security controls for agents built across Foundry and Copilot Studio in a unified platform. Enterprises can enforce consistent protection across agentic platforms with an end-to-end security platform purpose-built to secure AI agents everywhere.

The Next Step in the Zenity & Microsoft Partnership

Earlier this year, Zenity and Microsoft announced a deep integration for Copilot Studio agents. The first step was visibility: who built which agents, what systems they connect to, and identifying vulnerabilities as agents were built and introduced to the enterprise. Leading analysts at Gartner recognized the importance of this approach:

“Controls for Embedded AI systems – this is usually not possible within the system itself unless the third party vendor lets the security/risk controls vendor inside their system. This will become particularly important with AI Agents. Microsoft has partnered with Zenity to help control Microsoft Copilot Studio agents.” - Avivah Litan, Gartner Analyst

Now, that visibility evolves into real-time control. Zenity provides native security controls within every agent built in Copilot Studio and Foundry, allowing security teams to enforce policies inline during execution. Security teams can detect and block risky behaviors before they occur, without disrupting developer workflows or slowing down innovation.

How Inline Prevention Works

Zenity inline prevention enforces security policies in the flow of agent execution. It continuously monitors every action an AI agent performs and stops unsafe or noncompliant behavior before it can cause harm. If an unsafe condition is identified, Zenity blocks the action instantly and prevents it from completing. The impact of inline prevention is best seen in real-world use cases where Zenity stops unsafe actions before they happen.

  • Enforces controls that prevent agents from executing destructive or high-risk actions, ensuring that sensitive operations cannot be triggered unintentionally, indirectly, or by external manipulation.
  • Applies strict runtime boundaries to stop outbound movement of sensitive information, automatically blocking transmissions that violate enterprise policies or data protection rules, regardless of how the prompt was crafted.
  • Identifies and halts unauthorized reuse of internal or confidential data, ensuring agents cannot repurpose previous context, memory, or outputs in ways that conflict with governance requirements.
  • Prevents exposure of secrets, credentials, or regulated data by monitoring agent behavior in real time, enforcing hard stops before sensitive information can move beyond approved systems or environments.

These controls apply across all environments and user personas. Whether the agent is built in Copilot Studio by a business user or in Foundry by a professional developer, Zenity inline prevention ensures consistent, policy-based enforcement.

This real-time protection means that malicious inputs, poisoned content, and indirect prompt injections cannot manipulate agents into unsafe actions.
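To make the difference between a soft boundary and a hard one concrete, here is an added illustrative example of a deterministic policy gate that an agent runtime would consult before executing each proposed tool call. It is not Zenity's or Microsoft's code, and it does not use either product's API; the tool names (`delete_record`, `send_email`, and so on), the internal domain, the secret patterns, and the sample data are all constructed for illustration. It implements the four behaviors listed above as rules that run regardless of how the prompt was phrased: destructive tools are refused outright, outbound payloads are scanned for secrets and regulated data, and content that came back from a confidential data source is not allowed to be repurposed into an outbound message to an external recipient.

```python
"""Illustrative deterministic inline policy gate for agent tool calls.

Added example: not Zenity's or Microsoft's code. Assumes a hypothetical
agent runtime that passes every proposed tool call through enforce()
before executing it. All tool names, domains, patterns and sample
inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Hypothetical tool names; a real runtime would map its own tools here.
DESTRUCTIVE_TOOLS = {"delete_record", "drop_table", "revoke_access"}
OUTBOUND_TOOLS = {"send_email", "http_post", "share_file"}
INTERNAL_DOMAINS = {"corp.example"}  # constructed tenant domain

# Constructed patterns for secrets / regulated data that must never leave.
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._-]{20,}\b"),
}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Session:
    """Per-conversation state: text that tools returned from confidential sources."""
    confidential_outputs: list = field(default_factory=list)

    def record_tool_output(self, text: str, classification: str) -> None:
        # The data source's own classification label drives this, not the model.
        if classification == "confidential":
            self.confidential_outputs.append(text)


@dataclass
class Decision:
    allowed: bool
    reason: str


def _shingles(text: str, n: int = 3) -> set:
    """Word 3-grams, so paraphrased or partially copied content still matches."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def _payload_text(call: ToolCall) -> str:
    return " ".join(str(v) for v in call.args.values())


def _recipient_is_external(call: ToolCall) -> bool:
    """Treat an email recipient or URL host outside INTERNAL_DOMAINS as external."""
    to = str(call.args.get("to") or call.args.get("url") or "")
    if "@" in to:
        host = to.split("@")[-1]
    else:
        host = re.sub(r"^https?://", "", to).split("/")[0]
    if not host:
        return False
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def enforce(call: ToolCall, session: Session) -> Decision:
    """Return a deterministic allow/block decision for one proposed tool call."""
    # Rule 1: destructive actions are never executed from agent-chosen calls.
    if call.name in DESTRUCTIVE_TOOLS:
        return Decision(False, f"destructive tool '{call.name}' blocked")

    if call.name in OUTBOUND_TOOLS:
        text = _payload_text(call)
        # Rule 2: secrets / regulated data never leave, however the prompt read.
        for label, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                return Decision(False, f"outbound payload contains {label}")
        # Rule 3: confidential retrieval output is not repurposed externally.
        if _recipient_is_external(call):
            payload = _shingles(text)
            for chunk in session.confidential_outputs:
                if _shingles(chunk) & payload:
                    return Decision(False, "confidential content sent to external recipient")

    return Decision(True, "allowed")


if __name__ == "__main__":
    s = Session()
    s.record_tool_output("Project Falcon acquisition price is 40M USD", "confidential")
    for call in (
        ToolCall("search_docs", {"q": "quarterly plan"}),
        ToolCall("delete_record", {"id": "42"}),
        ToolCall("send_email", {"to": "someone@evil.example",
                                "body": "FYI project falcon acquisition price is 40M"}),
    ):
        print(call.name, enforce(call, s))
```

The point of the design is that none of these checks consult the model or the prompt: the decision depends only on the tool being invoked, the classification the data source attached to what it returned, and the destination of the payload, so an injected instruction has nothing to argue with. A production gate would additionally log every block with the triggering rule for incident response, and would use tokenized rather than regex matching for regulated data.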

Learn more about Zenity's approach to inline prevention in the Zenity Labs overview.

Moving from Reactive to Preventative

Security teams can now move beyond passive monitoring to active prevention, ensuring AI agents operate safely without slowing down the pace of innovation.

Key benefits include:

  • Real Enforcement - Inline prevention enforces hard boundaries that attackers can’t jailbreak or bypass with prompt manipulation.
  • Real-Time Control - Prevention happens instantly within execution, not after the fact through logs or alerts.
  • Real Enterprise Scale - Coverage across SaaS, cloud and device-based agents, giving security teams unified visibility, policy enforcement and real-time prevention across every deployment environment.

With the general availability of Zenity inline prevention for Microsoft AI agents, enterprises can adopt AI responsibly at scale.

Security and compliance leaders can now deploy Foundry and Copilot Studio with confidence. Zenity enforces hard boundaries exactly where it matters: inline, in real time, and across every Microsoft AI agent.

To explore how Zenity protects AI agents across SaaS, cloud, and endpoint environments, click here!
