All articles

Azure AI

Grant Agent Authority One Level at a Time

Use the action-authority question from Microsoft's AI Decision Framework to decide whether an agent drafts, executes with approval, or acts alone, and what each level costs to operate.

The platform debate gets the meeting time, but the decision that determines your production risk is quieter: how much is the agent allowed to do without a human? Microsoft's AI Decision Framework (opens in new tab) calls this action authority and gives it three postures: draft-only, configurable execution, and autonomous with guardrails. Most teams treat the posture as a property of the platform they already picked. It should be the other way around: pick the authority level the organization can operate, then let that choice constrain the platform.

Authority is the risk decision, not the model

An agent that drafts a reply nobody sends can be wrong cheaply. An agent that closes tickets, issues refunds, or changes configuration is a system actor, and every property you care about — audit, identity, rollback, blast radius — changes the moment its output stops passing through a person.

The framework's intake questions establish whether the agent should exist and where it lives. Action authority decides what kind of failure you are signing up for. That is why it deserves its own decision, made before the platform hardens around an assumption nobody examined.

What each level costs to operate

Draft-only is the cheapest level to govern. Microsoft 365 Copilot keeps the human on the send button, stays inside the tenant boundary, and its interactions land in the Microsoft Purview unified audit log automatically.1 The operating cost is human time: every output still needs a reviewer, which caps throughput at the speed of the people approving.

Configurable execution buys throughput with governance you must design. Copilot Studio agents can take bounded actions, but the framework is explicit that approval steps and audit coverage are yours to design, not defaults to inherit. The platform brings Power Platform governance with it: environment strategy, data loss prevention policies, connector controls. The real cost is a second operating discipline next to your Azure landing zone.

Autonomous with guardrails moves the safety burden onto your team. Foundry Agent Service gives agents a managed runtime (opens in new tab), and Foundry's guardrails screen inputs and outputs using Azure AI Content Safety (opens in new tab) models. What the guardrails do not provide is a built-in human approval step: content screening is automatic, action approval is architecture you build. The framework's phrasing is honest here: autonomous agents require your own safety framework. Identity is the one part getting structurally easier: Microsoft Entra Agent ID gives agents directory identities with conditional access and lifecycle management, so an autonomous agent can at least be governed like the workload it is.2

Promote authority with evidence, not ambition

Start every agent at draft-only, even when the platform supports more. The draft phase is not a delay; it is where you collect the evidence a promotion decision needs: how often the agent is wrong, which action classes fail, and whether anyone reads the audit trail.

Promote one level at a time, and only when three things are true for the next level. A named owner is accountable for the agent's actions. The rollback path has been executed at least once rather than merely documented. And the audit surface has been checked against a real incident question, not a compliance checkbox.

The pressure to skip levels will come from the demo, because autonomy demos brilliantly. Resist it with a question the demo cannot answer: who gets paged when the agent does the wrong thing at 2 a.m., and what do they press? If there is no name and no button, the agent has not earned the level, whatever the platform supports.

Notes

  1. Purview's baseline audit records the interaction event, the app, the user, and referenced resources; capturing full prompt and response content requires Purview's DSPM for AI or eDiscovery workflows, per Microsoft's audit documentation (opens in new tab).

  2. Agent ID is available to all Microsoft Entra customers, but the agent security features carry their own licensing: conditional access needs Microsoft Entra ID P1, identity protection needs P2, and the Microsoft Agent 365 integration is licensed per user. Price the controls before making them a dependency.

Claims checked against vendor documentation, Jun 11, 2026.

Sources

  1. 01Microsoft AI Decision Framework (opens in new tab)Verified Jun 11, 2026
  2. 02What is Microsoft Entra Agent ID (opens in new tab)Verified Jun 11, 2026
  3. 03Audit logs for Copilot and AI applications (Microsoft Purview) (opens in new tab)Verified Jun 11, 2026
  4. 04AI agent technology solutions (Cloud Adoption Framework) (opens in new tab)Verified Jun 11, 2026
  5. 05What is Azure AI Content Safety? (opens in new tab)Verified Jun 11, 2026

Read next