Today’s blog post introduces new capabilities to strengthen the security and governance of AI agents using Microsoft Foundry Agent Service and explores how Microsoft Defender helps organizations secure Foundry agents as they move from experimentation to production.
AI is moving from responses to actions
In our previous announcement, we introduced new threat protection capabilities for custom AI applications, helping organizations detect prompt injections, jailbreak attempts, sensitive data exposure, and other AI-specific risks.
But the AI landscape is evolving rapidly.
AI systems are no longer limited to single-turn prompts and responses. Modern applications increasingly rely on AI agents – autonomous, multi-step systems that can reason, plan, call tools, access data sources, and take actions on behalf of users. While this unlocks powerful new scenarios, it also introduces an entirely new and potentially more vulnerable attack surface.
The agentic AI system
Why AI Agents Require a New Security Model
Agentic AI introduces a materially broader and more dynamic threat surface than traditional AI applications. Security risks now extend far beyond the user's prompt and model response. AI agents can maintain memory, perform planning and self-reflection, orchestrate tools and API calls, interact with other agents (A2A), and execute real-world actions. Each of these stages introduces new opportunities for abuse.
Attackers can poison short- or long-term memory to manipulate future behavior, exploit indirect prompt injection through data sources and tools, or abuse orchestration flows between agents and external systems. Planning and reasoning loops introduce failure modes such as intent drift, deceptive behavior, and uncontrolled agent sprawl. Tool and API access can be misused to exfiltrate data, escalate privileges, or trigger unauthorized actions at scale. At the platform layer, compromised models, poisoned training data, and insecure Model Context Protocols (MCPs) further compound risk.
For security teams, this means protecting the full AI agent lifecycle – inputs, memory, reasoning, tool calls, actions, and model dependencies, not just prompts and responses. Effective protection requires continuous runtime monitoring, prevention, and governance across the entire agent ecosystem.
Introducing Threat Protection for Microsoft Foundry Agents
To address these challenges, we’re pleased to announce the public preview of threat protection for Azure Foundry Agent Service, a new capability in Microsoft Defender. This release builds on the threat protection for Microsoft Copilot Studio announced at Ignite 2025, further expanding Defender’s coverage across the AI landscape.
Starting February 2, 2026, the enhanced Defender for AI Services plan will include support for AI agents built with Foundry, delivering advanced protection from development through runtime.
Note: Threat protection for Foundry Agent Service is currently free of charge and does not consume tokens. However, pricing and usage terms may change at any time.
This release delivers coverage for the most critical and actionable risks aligned with the OWASP guidance for LLM and agentic AI threats, specifically those that translate directly into real-world security incidents. Coverage includes:
- Tool misuse, where agents are coerced into abusing APIs or backend systems.
- Privilege compromise, caused by permission misconfigurations or inherited roles.
- Resource overload, mitigating attacks that exhaust compute, memory, or service capacity.
- Intent breaking and goal manipulation, where adversaries redirect an agent’s objectives.
- Misaligned and deceptive behaviors, detecting harmful actions driven by manipulated reasoning.
- Identity spoofing and impersonation, preventing actions executed under false identities.
- Human manipulation, where attackers exploit trust in agent responses to influence users or decisions.
Together, this scope focuses on high-signal, runtime threats across agent reasoning, tool execution, identity, and human interaction, giving security teams immediate visibility and control over the most dangerous agent behaviors in production.
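To make the runtime-monitoring idea concrete, here is an added example (not code from Microsoft Defender or the Foundry Agent Service) of how a trace of an agent's tool calls can be checked against a per-agent policy to surface several of the categories listed above: identity spoofing, tool misuse, privilege compromise, intent drift, and resource overload. The agent policy, tool catalogue, scope names and trace events are all constructed for illustration and are not real product data or detection logic.

```python
"""Toy runtime monitor for agent tool-call traces.

Constructed example: the policy, tool catalogue and trace events below are
invented to illustrate the threat categories, not taken from any product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    bound_identity: str        # identity the session was established under
    allowed_tools: frozenset   # tools the agent is registered to call
    granted_scopes: frozenset  # permissions that identity actually holds
    max_calls_per_run: int     # crude threshold for runaway reasoning loops


@dataclass
class TraceEvent:
    run_id: str
    step: int
    actor: str                 # identity the tool call was issued under
    tool: str
    args: dict = field(default_factory=dict)


# Hypothetical catalogue: the scope each tool needs in order to execute.
TOOL_SCOPES = {
    "search_docs": "docs.read",
    "send_email": "mail.send",
    "export_customer_db": "crm.export",
    "grant_role": "iam.write",
}


def evaluate_run(policy, expected_tools, events):
    """Check one run's events against policy; return (category, step, detail) findings.

    expected_tools: tools the declared task legitimately needs, used to spot
    goal manipulation (an allowed tool that the task had no reason to call).
    """
    findings = []
    for ev in events:
        # Identity spoofing: a call issued under an identity other than the session's.
        if ev.actor != policy.bound_identity:
            findings.append(("identity_spoofing", ev.step,
                             f"call issued as {ev.actor!r}; session bound to {policy.bound_identity!r}"))
        # Tool misuse: a tool the agent was never registered to call.
        if ev.tool not in policy.allowed_tools:
            findings.append(("tool_misuse", ev.step,
                             f"{ev.tool!r} is not in the agent's tool allowlist"))
        # Intent drift: an allowed tool that the declared task does not need.
        elif ev.tool not in expected_tools:
            findings.append(("intent_drift", ev.step,
                             f"{ev.tool!r} is allowed but unrelated to the declared task"))
        # Privilege compromise: the tool needs a scope the acting identity lacks.
        needed = TOOL_SCOPES.get(ev.tool)
        if needed is not None and needed not in policy.granted_scopes:
            findings.append(("privilege_compromise", ev.step,
                             f"{ev.tool!r} requires scope {needed!r} the identity does not hold"))
    # Resource overload: far more tool calls than the task should ever need.
    if len(events) > policy.max_calls_per_run:
        findings.append(("resource_overload", len(events),
                         f"{len(events)} tool calls in one run exceeds {policy.max_calls_per_run}"))
    return findings


def finding_categories(findings):
    """Distinct categories present in a findings list, for quick triage."""
    return {category for category, _, _ in findings}


# Constructed sample: a document-summarising agent acting for user:alice.
SAMPLE_POLICY = AgentPolicy(
    agent_id="doc-summarizer",
    bound_identity="user:alice",
    allowed_tools=frozenset({"search_docs", "send_email"}),
    granted_scopes=frozenset({"docs.read", "mail.send"}),
    max_calls_per_run=5,
)
SUMMARIZE_TASK_TOOLS = frozenset({"search_docs"})

# Constructed trace: the task is hijacked into sending mail, then a call
# arrives under a different identity for a tool the agent may not use.
HIJACKED_RUN = [
    TraceEvent("run-1", 1, "user:alice", "search_docs", {"q": "Q3 report"}),
    TraceEvent("run-1", 2, "user:alice", "send_email", {"to": "ext@example.test"}),
    TraceEvent("run-1", 3, "user:mallory", "export_customer_db", {"table": "contacts"}),
]

# Constructed trace: a reasoning loop repeating the same call and burning capacity.
LOOPING_RUN = [
    TraceEvent("run-2", i, "user:alice", "search_docs", {"q": "retry"}) for i in range(1, 8)
]

if __name__ == "__main__":
    for run in (HIJACKED_RUN, LOOPING_RUN):
        for category, step, detail in evaluate_run(SAMPLE_POLICY, SUMMARIZE_TASK_TOOLS, run):
            print(f"{run[0].run_id} step {step}: {category}: {detail}")
```

The point of the example is the shape of the check, not the thresholds: each finding is tied to the trace step that produced it, so an analyst can correlate it with the surrounding inputs and actions, which is what the lifecycle-wide monitoring described above needs in practice.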
What sets Defender apart
AI agents are just one of many threat vectors attackers may target. Defender delivers comprehensive, build-to-runtime protection across the AI stack - including models, agents, SaaS apps, and cloud infrastructure. Unlike point solutions, Defender unifies security signals across endpoints, identities, applications, and cloud environments. Its platform-native runtime context automatically correlates AI agent detections with broader threats, reducing complexity, streamlining response, and strengthening defense across your digital estate.
Get Started with Threat Protection for AI Agents in Just One Click
Enabling threat protection for Microsoft Foundry Agent Service is simple. Activate it with a single click on your selected Azure subscription.
Detections appear directly in the Defender for Cloud portal and are seamlessly integrated with Defender XDR and Sentinel through existing connectors. This allows SOC analysts to immediately correlate agent threats, reducing investigation time and improving response accuracy from day one.
You can start exploring these capabilities today with a free 30-day trial. Simply enable the AI Services plan on your chosen Azure subscription, and Defender will begin detecting malicious and risky behaviors in your existing Foundry agents within minutes.
Note: Defender for AI Services is priced at $0.0008 per 1,000 tokens per month (USD, list price), excluding Foundry agents which are free of charge. The trial includes scanning up to 75 billion tokens.
This enables security teams to detect, investigate, and stop malicious AI agent behavior before it results in real-world impact.
Explore additional resources
- Learn more about Runtime protection
- Learn more about Posture capabilities
- Get started with Defender for Cloud
- What is Foundry Agent Service