# Grant Agent Authority One Level at a Time

> Use the action-authority question from Microsoft's AI Decision Framework to decide whether an agent drafts, executes with approval, or acts alone, and what each level costs to operate.

- Canonical: https://www.architecture-logic.com/grant-agent-authority-one-level-at-a-time
- Published: 2026-06-09
- Updated: 2026-06-15
- Claims verified: 2026-06-11
- Category: AI Architecture
- Tags: Azure AI, AI Architecture, Microsoft Copilot, Microsoft Foundry

## Revision history

- 2026-06-09 (published): Initial publication.
- 2026-06-11 (revised): Editorial pass under the new prose style gate: punctuation and adverb cleanup, one long sentence split.
- 2026-06-11 (revised): Linked the managed-runtime and Content Safety claims; updated the Agent ID footnote to current availability and licensing.
- 2026-06-11 (verified): Re-checked the framework, Purview audit, Entra Agent ID, and Foundry guardrail claims against Microsoft Learn.
- 2026-06-15 (revised): Temporarily removed visual blocks while the Architecture Logic visual system is redone.
- 2026-06-15 (revised): Removed the inline promotion-gate diagram for a cleaner article; the levels and gates stay in prose.

## Sources

- [Microsoft AI Decision Framework](https://microsoft.github.io/Microsoft-AI-Decision-Framework/docs/decision-framework.html) (verified 2026-06-11)
- [What is Microsoft Entra Agent ID](https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id) (verified 2026-06-11)
- [Audit logs for Copilot and AI applications (Microsoft Purview)](https://learn.microsoft.com/en-us/purview/audit-copilot) (verified 2026-06-11)
- [AI agent technology solutions (Cloud Adoption Framework)](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ai-agents/technology-solutions-plan-strategy) (verified 2026-06-11)
- [What is Azure AI Content Safety?](https://learn.microsoft.com/en-us/azure/ai-services/content-safety/overview) (verified 2026-06-11)

---

The platform debate gets the meeting time, but the decision that determines
your production risk is quieter: how much is the agent allowed to do without
a human? Microsoft's [AI Decision
Framework](https://microsoft.github.io/Microsoft-AI-Decision-Framework/docs/decision-framework.html)
calls this action authority and gives it three postures: draft-only,
configurable execution, and autonomous with guardrails. Most teams treat the
posture as a property of the platform they already picked. It should be the
other way around: pick the authority level the organization can operate,
then let that choice constrain the platform.

## Authority is the risk decision, not the model

An agent that drafts a reply nobody sends can be wrong cheaply. An agent that
closes tickets, issues refunds, or changes configuration is a system actor,
and every property you care about — audit, identity, rollback, blast radius —
changes the moment its output stops passing through a person.

The framework's intake questions establish whether the agent should exist and
where it lives. Action authority decides what kind of failure you are
signing up for. That is why it deserves its own decision, made before the
platform hardens around an assumption nobody examined.

## What each level costs to operate

**Draft-only is the cheapest level to govern.** Microsoft 365 Copilot keeps
the human on the send button, stays inside the tenant boundary, and its
interactions land in the Microsoft Purview unified audit log
automatically.[^audit] The operating cost is human time: every output still
needs a reviewer, which caps throughput at the speed of the people approving.

**Configurable execution buys throughput with governance you must design.**
Copilot Studio agents can take bounded actions, but the framework is explicit
that approval steps and audit coverage are yours to design, not defaults to
inherit. The platform brings Power Platform governance with it: environment
strategy, data loss prevention policies, connector controls. The real cost
is a second operating discipline next to your Azure landing zone.

**Autonomous with guardrails moves the safety burden onto your team.**
Foundry Agent Service gives agents [a managed
runtime](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ai-agents/technology-solutions-plan-strategy),
and Foundry's guardrails screen inputs and outputs using [Azure AI Content
Safety](https://learn.microsoft.com/en-us/azure/ai-services/content-safety/overview)
models.
What the guardrails do not provide is a built-in human approval step: content
screening is automatic, action approval is architecture you build. The
framework's phrasing is honest here: autonomous agents require your own
safety framework. Identity is the one part getting structurally easier:
Microsoft Entra Agent ID gives agents directory identities with conditional
access and lifecycle management, so an autonomous agent can at least be
governed like the workload it is.[^agentid]

## Promote authority with evidence, not ambition

Start every agent at draft-only, even when the platform supports more. The
draft phase is not a delay; it is where you collect the evidence a promotion
decision needs: how often the agent is wrong, which action classes fail,
and whether anyone reads the audit trail.

Promote one level at a time, and only when three things are true for the
next level. A named owner is accountable for the agent's actions. The
rollback path has been executed at least once rather than merely documented.
And the audit surface has been checked against a real incident question, not
a compliance checkbox.

> **Boundary:** This holds for agents that act on business systems. Agents
> whose only action surface is retrieval (search, summarize, answer) can
> start at configurable execution, because a wrong answer is recoverable in a
> way a wrong wire transfer is not.

The pressure to skip levels will come from the demo, because autonomy demos
brilliantly. Resist it with a question the demo cannot answer: who gets paged
when the agent does the wrong thing at 2 a.m., and what do they press? If
there is no name and no button, the agent has not earned the level, whatever
the platform supports.

[^audit]: Purview's baseline audit records the interaction event, the app,
the user, and referenced resources; capturing full prompt and response
content requires Purview's DSPM for AI or eDiscovery workflows, per
[Microsoft's audit documentation](https://learn.microsoft.com/en-us/purview/audit-copilot).

[^agentid]: Agent ID is available to all Microsoft Entra customers, but the
agent security features carry their own licensing: conditional access needs
Microsoft Entra ID P1, identity protection needs P2, and the Microsoft
Agent 365 integration is licensed per user. Price the controls before
making them a dependency.
