Designing AI guardrails for apps and agents in Marketplace
Why guardrails are essential for AI apps and agents AI apps and agents introduce capabilities that go beyond traditional software. They reason over natural language, interact with data across boundaries, and—in the case of agents—can take autonomous actions using tools and APIs. Without clearly defined guardrails, these capabilities can unintentionally compromise confidentiality, integrity, and availability, the foundational pillars of information security. From a confidentiality perspective, AI systems often process sensitive prompts, contextual data, and outputs that may span customer tenants, subscriptions, or external systems. Guardrails ensure that data access is explicit, scoped, and enforced—rather than inferred through prompts or emergent model behavior. From an availability perspective, AI apps and agents can fail in ways traditional software does not — such as runaway executions, uncontrolled chains of tool calls, or usage spikes that drive up cost and degrade service. Guardrails address this by setting limits on how the system executes, how often it calls tools, and how it behaves when something goes wrong. For Marketplace-ready AI apps and agents, guardrails are foundational design elements that balance innovation with security, reliability, and responsible AI practices. By making behavioral boundaries explicit and enforceable, guardrails enable AI systems to operate safely at scale—meeting enterprise customer expectations and Marketplace requirements from day one. You can always get a curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Using Open Worldwide Application Security Project (OWASP) GenAI Top 10 as a guardrail design lens The OWASP GenAI Top 10 provides a practical framework for reasoning about AI‑specific risks that are not fully addressed by traditional application security models. It helps teams identify where assumptions about trust, input handling, autonomy, and data access are most likely to break down in AI‑driven systems. However, not all OWASP risks apply equally to every AI app or agent. Their relevance depends on factors such as: Agent autonomy, including whether the system can take actions without human approval Data access patterns, especially cross‑tenant, cross‑subscription, or external data retrieval Integration surface area, meaning the number and type of tools, APIs, and external systems the agent connects to Because of this variability, OWASP should not be treated as a checklist to implement wholesale. Doing so can lead teams to over‑engineer controls in low‑risk areas while leaving critical gaps in places where autonomy, data movement, or tool execution create real exposure. Instead, OWASP is most effective when used as a design lens — to inform where guardrails are needed and what behaviors require explicit boundaries. Understanding risks and enforcing boundaries are two different things. OWASP tells you where to look; guardrails are what you actually build. The goal is not to eliminate all risk, but to use OWASP insights to design selective, intentional guardrails that align with the system's architecture, autonomy, and operating context. Translating AI risks into architectural guardrails OWASP GenAI Top 10 helps identify where AI systems are vulnerable, but guardrails are what make those risks enforceable in practice. Guardrails are most effective when they are implemented as architectural constraints—designed into the system—rather than as runtime patches added after risky behavior appears. In AI apps and agents, many risks emerge not from a single component, but from how prompts, tools, data, and actions interact. Architectural guardrails establish clear boundaries around these interactions, ensuring that risky behavior is prevented by design rather than detected too late. Common guardrail categories map naturally to the types of risks highlighted in OWASP: Input and prompt constraints Address risks such as prompt injection, system prompt leakage, and unintended instruction override by controlling how inputs are structured, validated, and combined with system context. Action and tool‑use boundaries Mitigate risks related to excessive agency and unintended actions by explicitly defining which tools an AI app or agent can invoke, under what conditions, and with what scope. Data access restrictions Reduce exposure to sensitive information disclosure and cross‑boundary leakage by enforcing identity‑aware, context‑aware access to data sources rather than relying on prompts to imply intent. AI Output validation and moderation Help contain risks such as misinformation, improper output handling, or policy violations by treating AI output as untrusted and subject to validation before it is acted on or returned to users. What matters most is where these guardrails live in the architecture. Effective guardrails sit at trust boundaries—between users and models, models and tools, agents and data sources, and control planes and data planes. When guardrails are embedded at these boundaries, they can be applied consistently across environments, updates, and evolving AI capabilities. By translating identified risks into architectural guardrails, teams move from risk awareness to behavioral enforcement that supports safe AI agent operation. This shift is foundational for building AI apps and agents that can operate safely, predictably, and at scale in Marketplace environments. Design‑time guardrails: shaping allowed behavior before deployment The OWASP GenAI Top 10 provides a practical framework for reasoning about AI specific risks that are not fully addressed by traditional application security models. It helps teams identify where assumptions about trust, input handling, autonomy, and data access are most likely to break down in AI driven systems. However, not all OWASP risks apply equally to every AI app or agent. Their relevance depends on factors such as: Agent autonomy, including whether the system can take actions without human approval Data access patterns, especially cross-tenant, cross subscription, or external data retrieval Integration surface area, meaning the number and type of tools, APIs, and external systems the agent connects to Because of this variability, OWASP should not be treated as a checklist to implement wholesale. Doing so can lead teams to over engineer controls in low risk areas while leaving critical gaps in places where autonomy, data movement, or tool execution create real exposure. Instead, OWASP is most effective when used as a design lens — to inform where guardrails are needed and what behaviors require explicit boundaries. Understanding risks and enforcing boundaries are two different things. OWASP tells you where to look; guardrails are what you actually build. The goal is not to eliminate all risk, but to use OWASP insights to design selective, intentional guardrails that align with the system's architecture, autonomy, and operating context. Runtime guardrails: enforcing boundaries as systems operate For Marketplace publishers, the key distinction between monitoring and runtime guardrails is simple: Monitoring tells you what happened after the fact. Runtime guardrails are inline controls—part of runtime AI safety controls—that can block, pause, throttle, or require approval before an action completes. If you want prevention, the control has to sit in the execution path. At runtime, guardrails should constrain three areas: Agent decision paths (prevent runaway autonomy) Cap planning and execution. Limit the agent to a maximum number of steps per request, enforce a maximum wall‑clock time, and stop repeated loops. Apply circuit breakers. Terminate execution after a specified number of tool failures or when downstream services return repeated throttling errors, reinforcing autonomous agent limits. Require explicit escalation. When the agent’s plan shifts from “read” to “write,” pause and require approval before continuing. Tool invocation patterns (control what gets called, how, and with what inputs) Enforce allowlists. Allow only approved tools and operations, and block any attempt to call unregistered endpoints. Validate parameters. Reject tool calls that include unexpected tenant identifiers, subscription scopes, or resource paths. Throttle and quota. Rate‑limit tool calls per tenant and per user, and cap token/tool usage to prevent cost spikes and degraded service. Cross‑system actions (constrain outbound impact at the boundary you control) Runtime guardrails cannot “reach into” external systems and stop independent agents operating elsewhere. What publishers can do is enforce policy at your solution’s outbound boundary: the tool adapter, connector, API gateway, or orchestration layer that your app or agent controls. Concrete examples include: Block high‑risk operations by default (delete, approve, transfer, send) unless a human approves. Restrict write operations to specific resources (only this resource group, only this SharePoint site, only these CRM entities). Require idempotency keys and safe retries so repeated calls do not duplicate side effects. Log every attempted cross‑system write with identity, scope, and outcome, and fail closed when policy checks cannot run. Done well, runtime guardrails produce evidence, not just intent. They show reviewers that your AI app or agent enforces least privilege, prevents runaway execution, and limits blast radius—even when the model output is unpredictable. Guardrails across data, identity, and autonomy boundaries Guardrails don't work in silos. They are only effective when they align across the three core boundaries that shape how an AI app or agent operates — identity, data, and autonomy. Guardrails must align across: Identity boundaries (who the agent acts for) — represent the credentials the agent uses, the roles it assumes, and the permissions that flow from those identities. Without clear identity boundaries, agent actions can appear legitimate while quietly exceeding the authority that was actually intended. Data boundaries (what the agent can see or retrieve) — ensuring access is governed by explicit authorization and context, not by what the model infers or assumes. A poorly scoped data boundary doesn't just create exposure — it creates exposure that is hard to detect until something goes wrong. Autonomy boundaries (what the agent can decide or execute) — defining which actions require human approval, which can proceed automatically, and which are never permitted regardless of context. Autonomy without defined limits is one of the fastest ways for behavior to drift beyond what was ever intended. When these boundaries are misaligned, the consequences are subtle but serious. An agent may act under the authority of one identity, access data scoped to another, and execute with broader autonomy than was ever granted — not because a single control failed, but because the boundaries were never reconciled with each other. This is how unintended privilege escalation happens in well-intentioned systems. Balancing safety, usefulness, and customer trust Getting guardrails right is less about adding controls and more about placing them well. Too restrictive, and legitimate workflows break down, safe autonomy shrinks, and the system becomes more burden than benefit. Too permissive, and the risks accumulate quietly — surfacing later as incidents, audit findings, or eroded customer trust. Effective guardrails share three characteristics that help strike that balance: Transparent — customers and operators understand what the system can and cannot do, and why those limits exist Context-aware — boundaries tighten or relax based on identity, environment, and risk, without blocking safe use Adjustable — guardrails evolve as models and integrations change, without compromising the protections that matter most When these characteristics are present, guardrails naturally reinforce the foundational principles of information security — protecting confidentiality through scoped data access, preserving integrity by constraining actions to authorized paths, and supporting availability by preventing runaway execution and cascading failures. How guardrails support Marketplace readiness For AI apps and agents in Microsoft Marketplace, guardrails are a practical enabler — not just of security, but of the entire Marketplace journey. They make complex AI systems easier to evaluate, certify, and operate at scale. Guardrails simplify three critical aspects of that journey: Security and compliance review — explicit, architectural guardrails give reviewers something concrete to assess. Rather than relying on documentation or promises, behavior is observable and boundaries are enforceable from day one. Customer onboarding and trust — when customers can see what an AI system can and cannot do, and how those limits are enforced, adoption decisions become easier and time to value shortens. Clarity is a competitive advantage. Long-term operation and scale — as AI apps evolve and integrate with more systems, guardrails keep the blast radius contained and prevent hidden privilege escalation paths from forming. They are what makes growth manageable. Marketplace-ready AI systems don't describe their guardrails — they demonstrate them. That shift, from assurance to evidence, is what accelerates approvals, builds lasting customer trust, and positions an AI app or agent to scale with confidence. What’s next in the journey Guardrails establish the foundation for safe, predictable AI behavior — but they are only the beginning. The next phase extends these boundaries into governance, compliance, and day‑to‑day operations through policy definition, auditing, and lifecycle controls. Together, these mechanisms ensure that guardrails remain effective as AI apps and agents evolve, scale, and operate within enterprise environments. See the next post in the series: Governing AI apps and agents for Marketplace | Microsoft Community Hub. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor, Quick-Start Development Toolkit can connect you with code templates for AI solution patterns Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessHow Marketplace offer types shape AI economics and scale
This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Offer types and hosting decisions Where the solution runs defines cost ownership, control, and scalability in Microsoft Marketplace. Marketplace offer types such as SaaS, Container, Virtual Machine, and Managed Application determine who pays for AI execution, how the solution is operated, and how it scales as usage grows across customers. Offer Type Where it runs Who pays AI consumption Control SaaS Publisher tenant Publisher Centralized Container Customer tenant (AKS) Customer Shared Virtual Machine Customer tenant (VM) Customer Customer Managed Application Customer Azure subscription Customer Shared SaaS centralizes execution in the publisher’s environment. Customers subscribe and begin using the solution immediately, while the publisher manages infrastructure updates, releasing new features, security, and scaling. This allows consistent behavior across tenants and simplifies onboarding. It also means all AI inference is paid by the publisher. For example, an agent that summarizes IT tickets for multiple customers runs in the same environment, and increased usage from one tenant directly increases the publisher’s cost. Container offers move execution into the customer’s Kubernetes environment. The publisher provides the application, but the customer controls scaling, networking, and data access. Cost and performance are determined within each customer deployment. For example, one company running an AI workflow for incident analysis can scale its AKS cluster based on internal demand without affecting other customers. Virtual Machine offers also run entirely within the customer’s environment, and just like container offers, the customer manages the infrastructure, updates, and security controls. This is often required in restricted or regulated environments. For example, a financial institution may run an AI analysis tool inside its own VM to ensure that data and processing remain within controlled network boundaries. Managed Applications introduces a shared model. The solution is deployed into the customer’s Azure subscription, where infrastructure and data control remain with the customer, while the publisher typically manages application updates and lifecycle operations. This allows coordinated improvements without moving execution outside the customer environment. These operating models determine who absorbs cost as demand increases, how consistently the solution behaves across tenants, and how easily it can scale as adoption grows. Additional curated step-by-step guidance from building through publishing and selling apps for Marketplace is available on App Advisor. AI economics and pricing strategies AI pricing models differ from traditional software because AI execution introduces variable cost tied directly to usage, in the form of token consumption, API calls, and workflow execution. These usage patterns vary across customers, which makes fixed pricing difficult to sustain. Pricing strategy follows the offer type. Choosing between flat rate, usage‑based, or hybrid pricing models is a key part of designing scalable and cost‑efficient AI apps in Microsoft Marketplace. Model Offer Type Mechanism Impact Flat rate SaaS Fixed subscription Publisher absorbs variability Usage-based SaaS Cost per action or token Cost aligns with usage Hybrid SaaS Base + overage Balance of predictability and protection License / software fee Container, VM, Managed App Charge for software only Customer absorbs all runtime cost Usage‑based and hybrid models rely on the Marketplace Metering API, which enables usage‑based pricing for AI apps in Microsoft Marketplace by reporting consumption events such as agent runs, API calls, or tokens. This allows pricing to reflect how the solution is used rather than a fixed assumption. SaaS pricing requires alignment with usage. The publisher operates the runtime and absorbs all AI cost. Without metering, a small number of high‑usage customers can drive disproportionate cost. For example, a customer running large volumes of AI-driven customer support ticket analysis can increase token consumption significantly while paying the same flat subscription, resulting in reduced profit margins. Customer‑hosted pricing separates cost from usage. For container, virtual machine, and managed application offer types, execution runs in the customer’s environment. Infrastructure and AI costs are billed directly to the customer, while the publisher charges for the software or capability. This removes exposure to AI inference variability. For example, a customer processing high volumes of AI agent prompts and responses in their own environment absorbs the associated compute and token cost without impacting the publisher’s margin. Scale considerations for different offer types Scalability for AI apps that are listed in Microsoft Marketplace depends on who owns infrastructure and cost. Key considerations include multi‑tenant design, performance, and how systems scale under increasing usage. As AI usage grows, these differences shape operational effort, cost predictability, and how quickly performance improvements and new capabilities reach customers. SaaS scaling is managed by the publisher. The publisher operates a multi‑tenant architecture and is responsible for scaling compute, optimizing performance, and managing cost variability across customers. As usage increases, the publisher must ensure that adding new customers does not erode their business by balancing throughput, latency, and token consumption while maintaining consistent performance. Container and Virtual Machine models scale per customer environment. Each deployment runs independently in the customer’s Azure environment. While this removes multi‑tenant complexity, it creates an expectation that the publisher will provide a software distribution mechanism or use Marketplace effectively to push updates seamlessly into customer environments. This shifts scaling responsibility to the customer, including compute allocation, model usage, and workload performance. While this simplifies the publisher’s operational burden, it introduces variability in how the solution performs across deployments. Managed Applications balance control and scalability. Infrastructure scales within the customer’s Azure subscription, while the application lifecycle—including updates, configuration, and version management—remains controlled by the publisher. This allows coordinated improvements without centralizing runtime execution. Packaging decisions Packaging determines how customers adopt and expand AI apps and agents in Microsoft Marketplace. It defines the entry point, how capabilities are grouped, and how customers progress from initial use to broader deployment over time. Packaging decisions determine how many Marketplace offers publishers need to create, whether capabilities are presented as individual agents or combined into workflows, and how pricing aligns with entry points and expansion. These choices influence how customers evaluate the solution, whether they will purchase, and how easily they can grow their usage. Focused packaging simplifies adoption. A single agent aligned to a specific workflow provides a clear starting point and reduces evaluation friction. Customers can quickly understand where the solution fits and begin using it within an existing process. Bundled capabilities support expansion. Related functionality can be grouped into workflows that extend the initial use case. For example, a customer may start with an agent that automates IT ticket triage and then expand into incident reporting, root cause analysis, or change management as those capabilities are included in the same solution. Plans define progression. Tiers structure how customers move from initial use to broader adoption by aligning features, limits, and pricing. An entry plan may support basic ticket triage, while higher tiers introduce expanded workflows, customization via pro-code APIs, and higher usage capacity. Customers can scale without changing solutions or re-evaluating alternatives. Packaging defines the adoption path. Clear entry points, aligned pricing, and structured expansion allow customers to move from initial use to broader deployment in a way that reflects how they already operate. Individual agents vs. bundled offers How offers are structured in Microsoft Marketplace determines how customers evaluate and purchase AI apps and agents. The listing structure should match how customers make buying decisions, not how the solution is built. This decision defines whether capabilities are presented as separate Marketplace offers or as a single offer with multiple plans. The structure affects positioning, evaluation, and how customers move from initial usage to broader adoption. Decision When to use Implication Separate offers Distinct use cases or buyer groups Clear positioning, independent pipelines Single offer with plans Progressive adoption within the same scenario Simpler operations, unified expansion path Separate offers support distinct buying decisions. When capabilities address different use cases, teams, or budgets, they are evaluated independently. Creating separate Marketplace listings allows each solution to be positioned clearly, with its own messaging, trial experience, and co-sell motion. For example, an IT operations agent for support ticket automation and an incident response security analytics agent may be purchased by different teams within the same customer organization. Listing them separately allows each to align with specific buyer priorities. A single offer with plans supports progressive adoption. When capabilities are closely related and used together, structuring them within one offer allows customers to expand naturally. Plans organize features, limits, and pricing into tiers that reflect stages of usage. For example, the IT operations solution may start with ticket triage in a base plan and expand into incident management and analytics in higher tiers. Customers can scale usage without re-evaluating or switching offers. Marketplace listing structure directly influences adoption and expansion. Separate offers provide clarity when purchase decisions are independent, while a single offer with plans supports growth within a unified solution. AI economics strategic decision framework Offer type and packaging together define the operating and economic model of AI apps and agents in Microsoft Marketplace. These decisions determine where the solution runs, how revenue aligns with usage, and how customers adopt and expand over time. Cost ownership defines the economic model. In SaaS, the publisher absorbs infrastructure and token costs, requiring pricing that aligns with consumption. In customer‑hosted models, including Container and Virtual Machine offers, execution costs are billed directly to the customer, separating software value from runtime cost. Usage predictability shapes pricing and scaling. Variable workloads require alignment between consumption and pricing, while predictable workloads support fixed or tiered models. For example, an AI agent used for IT operations may see steady usage across workflows, while an agent used during incident spikes may experience sudden increases in demand that affect cost differently. Control and compliance guide the deployment model. SaaS centralizes control and simplifies updates but requires alignment with multi‑tenant identity and governance. Container and Virtual Machine models provide stronger control over data and execution, which is often required in regulated environments, but introduce software distribution requirements. Managed Applications balance these requirements by combining customer‑side deployment with publisher‑managed lifecycle operations. Customer buying behavior defines packaging. Packaging determines whether the solution is adopted as a focused capability or expanded across workflows. Offers structured with clear entry points and progressive plans allow customers to scale without re‑evaluating alternatives. For example, an organization may adopt an IT ticket triage agent under a SaaS model for fast deployment. As control or compliance requirements increase, similar capabilities may need to move to a container or managed application model, as pricing and packaging evolve to support broader usage. Offer type defines execution and cost structure, while packaging defines adoption and expansion. Aligning both ensures AI apps in Microsoft Marketplace scale predictably, meet enterprise requirements, and convert usage into sustained growth. Closing insight Offer type defines how the solution is built, priced, operated, and scaled in Microsoft Marketplace. Packaging defines how customers enter, adopt, and expand usage over time. Together, these choices shape how the solution grows from initial adoption to sustained, long‑term scale. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor. Quick-Start Development Toolkit Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessOperating AI apps and agents after publishing in Microsoft Marketplace
Marketplace operations begin after publishing The previous post focused on configuring your offer in Partner Center and preparing it for publishing. Publishing makes your Marketplace offer available for purchase by customers. Subscriptions are created, provisioning flows execute, billing begins, and support demand emerges. Trials, onboarding, and initial usage occur concurrently and generate immediate feedback on runtime behavior. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. You can always get curated step-by-step guidance through building, publishing, and selling apps for Marketplace through App Advisor. Configuration defined in Partner Center is expressed as customer-visible behavior. Pricing tiers, plan boundaries, entitlement logic, and provisioning flows move from configuration into execution. These elements define how customers interact with the solution. Early signals emerge during trial activation, onboarding, and initial execution. For example, a customer may complete a purchase but encounter delays during provisioning or fail to access the solution due to missing tenant permissions. These signals reflect how the operational model performs across customer environments. Observing Marketplace usage and billing Once customers begin using the solution, real usage patterns replace assumptions. Application telemetry describes how the solution executes, while Marketplace data captures how customers use it, how they are billed, and how they progress through the lifecycle. Patterns emerge under real usage. Trial tenants focus on onboarding and initial execution. Paid tenants generate sustained usage and billing. Usage intensity may vary across customer environments depending on operational maturity, identity and governance constraints. These patterns provide actionable insight. For example, repeated failures along a workflow may indicate missing permissions or configuration assumptions. Correlating runtime behavior with Marketplace data establishes a clear basis for prioritization. Customer onboarding and early adoption The first interactions customers have with your solution determine how quickly they reach value. When a trial is activated, customers begin using the solution within their own environment. Challenges may appear before the benefits of core functionality are fully realized. Identity consent may require administrator approval. Tenant configurations may differ from expected defaults. Provisioning delays can block access. Customers may complete a purchase but not reach initial execution. For example, an AI agent that retrieves enterprise documents may assume access is already granted. In many environments, that access must be configured explicitly, which prevents the first request from succeeding. Support and issue resolution after publishing Customer interactions surface how the solution performs across real environments. Publishing the solution in Marketplace may uncover technical issues, billing questions, and usage inquiries that reflect different aspects of runtime behavior. Recurring patterns indicate underlying gaps. Repeated failures may trace back to assumptions that do not hold across customer tenants. Cost-related questions reflect how execution maps to billing. Feature confusion may point to unclear operational boundaries. For example, repeated support inquiries may occur when customers expect an agent to complete an end‑to‑end business task—such as processing invoice approvals—but the solution only automates part of the approval workflow. Customers may attempt to use the solution beyond its intended scope such as an entire procure-to-pay workflow, leading to inconsistent results across teams. Addressing the gap by clarifying workflow boundaries reduces confusion and improves adoption across customers. Billing, usage, and cost management in production Comparing runtime execution with metering reveals where pricing and behavior diverge. Clear mapping between actions and cost allows customers to understand usage and manage it effectively. Cost becomes visible as usage reflects how the solution actually executes. Usage-based pricing depends on a clear relationship between customer actions and measured consumption. After publishing, execution paths often expand. A single request may trigger retrieval, multiple model calls, and validation steps. While the customer performs one action, billing reflects several underlying operations. Customer success and growth signals Ongoing usage reveals whether the solution becomes part of everyday work. Growth often begins with one use case. A team may start with case reviews and expand into other support workflows. As usage spreads, the solution becomes embedded in daily operations. Repeated use, expansion across users, and movement to higher plans indicate sustained adoption. Pairing Marketplace data with CRM insights provides a clearer view of engagement. Trial-to-conversion activity, continued usage, and expansion into new scenarios guide follow-up and customer success planning. Operating across Marketplace offer types In SaaS offers, the publisher manages runtime, monitoring, and updates. For example, an AI contract analysis agent hosted by the publisher may continuously improve its accuracy and compliance logic across all customers without requiring any changes in the customer environment. Updates are applied centrally, and customers experience improvements as part of normal usage. In container offers, the solution is deployed into a customer‑managed Kubernetes environment. For example, a fraud detection agent packaged as a container may run within a bank’s controlled infrastructure, where the customer manages scaling, networking, and data access policies. The publisher provides the application updates, but the customer determines when and how those updates are deployed. In Virtual Machine offers, the solution is delivered as a preconfigured image that runs entirely within the customer’s environment. For example, a document processing agent used in a regulated industry may operate within a customer’s secure network, where the customer controls patching, access, and execution conditions. This model provides isolation but limits direct visibility and control for the publisher. In Azure Managed Applications, responsibility is shared across environments. For example, an AI agent used for claims processing may be deployed into the customer’s Azure subscription, where the publisher manages the application logic and updates while the customer manages data access, identity policies, and infrastructure constraints. Coordination between both sides is required when issues arise. These boundaries influence security, compliance, monitoring, support, and change management. Clear ownership defines who is responsible for runtime behavior, environment configuration, and issue resolution. When those responsibilities are understood, escalation paths are clear and issues can be resolved efficiently across different operating models. From operating to governing long-term evolution Operational signals provide the basis for long-term decisions. Observability data, usage patterns, billing behavior, and support trends indicate how the solution performs and where adjustments are required. These inputs guide versioning, compliance, rollout strategies, and investment priorities. For example, adoption trends may support expansion into new plans, while recurring constraints may require stronger access controls. Good governance can be built on a foundational data lake and operational discipline that publishers seed using observed behavior and metrics that tell the story of how the solution has evolved. What’s next in the journey With operational practices in place, the next step focuses on driving adoption and growth in Marketplace. The following post covers how to promote your AI app or agent, improve discoverability, and convert customer interest into sustained usage as your solution scales. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor. Quick-Start Development Toolkit Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessPublishing AI apps and agents on Microsoft Marketplace: Partner Center configuration and offer setup
Partner Center configuration The previous post, Publishing readiness for AI apps and agents on Microsoft Marketplace, established publishing readiness at the solution and organizational level. At that stage, identity boundaries, runtime behavior, data handling, and subscription lifecycle logic are defined and operating consistently. You can always get curated step-by-step guidance through building, publishing, and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. This article focuses on how you express that readiness in Partner Center. Partner Center connects your solution to Microsoft Marketplace commerce and to how customers evaluate, purchase, and operate it. It bridges solution behavior, Marketplace transactions, and customer expectations. The configuration you provide represents how your solution operates in practice, including identity models, plans, pricing, and lifecycle handling. The sections that follow walk through universal configuration first, then move into offer‑type‑specific publishing paths. Design choices in Partner Center Partner Center represents how your AI app or agent solution operates in Marketplace. The configuration you define reflects decisions already made in your architecture and operations. Runtime ownership, identity boundaries, and subscription lifecycle handling are expressed directly through how you structure your offer. Each configuration choice connects back to solution behavior. Observability defines what behavior exists and how it can be explained. CI/CD defines how that behavior changes over time. Partner Center captures both by requiring you to declare identity models, pricing plans, access patterns, and lifecycle transitions in a consistent way. Publishing friction often points to gaps in these underlying decisions. Unclear solution boundaries make it difficult to define ownership and responsibility. For example, a SaaS solution may configure a transactable offer without clearly defining where the service operates and how tenant access is provisioned. In Partner Center, this appears as incomplete or inconsistent identity configuration—such as a missing multitenant Entra ID setup or unclear landing page behavior for provisioning. During certification, this creates gaps between the declared subscription flow and how the solution grants access, leading to delays while identity ownership and provisioning responsibilities are clarified. Universal offer configuration Universal offer configuration defines the settings that apply to every transactable offer and establish the structure customers interact with during evaluation, purchase, and onboarding. Offer listing content describes the solution in clear, operational terms. The name, summary, description explain what your solution does, its value prop and why a customer would choose your solution. Visual assets and media represent how the solution operates. Logos, screenshots, and supporting material provide a view into real workflows and interfaces. Screenshots should reflect actual usage paths, configuration steps, and outputs customers will see during deployment and operation. Legal contracts and terms define the agreement between you and the customer. You select Microsoft’s Standard Contract or provide your own terms and conditions. These terms govern how the solution is used, supported, and maintained across its lifecycle. Plans and SKUs establish how the solution is packaged and sold. Each plan defines pricing, entitlements, and lifecycle behavior. Public and private plans determine how different customers access and purchase the solution. These elements form the foundation of your Marketplace offer. They translate how the solution operates into a structure customers can evaluate and adopt. Commerce models and pricing mechanics Commerce configuration connects how your solution is used to how it is billed in Marketplace. Pricing models, metering, and billing dimensions define how usage translates into revenue and how customers understand cost. Marketplace supports different pricing models depending on the offer type. Common approaches include flat‑rate pricing for fixed entitlements, per‑user pricing for seat‑based access, and usage‑based pricing where billing reflects actual consumption. The model you select defines how customers adopt the solution and how cost scales with usage. Metered billing dimensions extend this model into runtime behavior. You define measurable units such as API calls, documents processed based on token volume, content size, structure (e.g., tables, images, mixed formats), etc., or agent executions. Your solution reports usage through the Marketplace metering APIs. Accurate and timely reporting ensures that billing reflects actual usage and remains aligned with how the solution operates. Pricing also connects directly to execution limits and cost predictability. Throttling, retry policies, and step limits influence how consumption grows during runtime. These controls shape how customers experience cost and establish predictable usage patterns across different workloads. Preview audiences and end‑to‑end testing Preview audiences provide a controlled way to validate how your solution behaves in Marketplace before it is broadly available. A preview audience limits exposure to a defined set of users or tenants. This allows you to observe how the solution operates when accessed through Marketplace. Testing should cover the full subscription lifecycle. This may include purchase, initial provisioning, plan changes, renewals, and cancellation. Each stage introduces events that your solution must handle correctly, with consistent updates to access, entitlements, and usage. Validation focuses on how these events are processed. Subscription events must trigger the correct actions in your solution. Webhook handling needs to be reliable, efficient, and responsive to repeated or delayed delivery. Lifecycle transitions must align with how the solution enforces access and usage boundaries. Changes to plans, pricing, or configuration should support safe reversion without leaving subscriptions or entitlements in an inconsistent state. This requires exercising rollback paths. Offer‑type publishing deep dives Offer types define how your solution is delivered and operated in Marketplace. This section focuses on best practices for publishing considering the most commonly used offer types for Azure based AI apps and agents. For more in-depth selection guidance, see Choosing your Marketplace offer type. SaaS offers SaaS offers require you to operate the solution in your environment while Marketplace manages subscriptions and billing. Configuration centers on identity, provisioning, and lifecycle handling. Your customers must be Microsoft customers that either have M365 tenants or Azure tenants. You register a multitenant Microsoft Entra ID application to support customer authentication and onboarding. A landing page processes purchase tokens and provisions access. Fulfillment APIs and webhooks handle subscription events such as activation, plan changes, renewals, and cancellations. Plans, pricing, and metering define how usage is billed. Testing validates end‑to‑end behavior, including purchase, provisioning, entitlement updates, and deprovisioning. Container offers Container offers package your solution as a Kubernetes application that deploy into your customer’s environment. Marketplace provides software distribution mechanism and manages subscriptions and billing. Configuration includes container images stored in Azure Container Registry and deployment artifacts packaged through a CNAB bundle. Helm charts define application configuration, scaling behavior, and service dependencies. Kubernetes permissions and runtime policies determine how the solution operates within the cluster. Pricing models align with how the container is deployed, such as per‑node or per‑cluster pricing. Deployment validation ensures that the application installs correctly, dependencies are resolved, and the solution operates consistently in customer environments. Virtual Machine offers Virtual Machine offers deploy a preconfigured image directly into the customer’s tenant. Similar to containers, Marketplace provides software distribution mechanism and manages subscriptions and billing. The publisher’s configuration tasks should focus on image preparation, security, and startup reliability. The VM must be generalized, hardened, and tested to ensure consistent deployment. Required agents and services must initialize correctly. The Marketplace offer configuration defines the image, deployment parameters, and supported regions. Pricing typically aligns with the selected VM size, usage model, or reservation options. Validation ensures that the image deploys cleanly, initializes correctly, and performs consistently across supported regions and configurations. Azure Managed Application offers Managed Application offers deploy your solution into the customer’s Azure subscription with defined management boundaries. Configuration relies on ARM or Bicep templates that describe infrastructure, dependencies, and deployment parameters. Like VMs and containers, Marketplace provides the software distribution mechanism and manages subscriptions and billing. It also defines the level of control the publisher retains within the customer’s environment. Pricing reflects the management layer, while infrastructure usage is billed separately. Managed resource groups enforce access control and define operational ownership. Permissions must align with how the solution is managed after deployment. Preview deployments validate template execution, access boundaries, and post‑deployment behavior. Go‑live checks and submission review Submission and certification verify that your solution, organization, and offer configuration align. These steps confirm that Marketplace can transact, provision, and support the solution as defined. Account, finance, and role validation ensure that your publisher identity, tax profiles, payout configuration, and role assignments are complete and consistent. These elements enable transactions, define ownership, and support operational accountability. Universal readiness checks confirm that your offer configuration is complete. Listing content, plans, pricing, contracts, and lead routing must align with how the solution operates. These checks ensure that customers can evaluate and purchase the solution without missing or inconsistent information. Section 100 of the Microsoft Marketplace certification policies is a useful early reference because it applies to all offer types and outlines the core requirements evaluated during certification. Offer‑type‑specific checks validate the configuration required for each delivery model. SaaS offers must support subscription lifecycle events and API integration. Managed Applications must deploy reliably through templates. Container and Virtual Machine offers must meet packaging, security, and deployment standards. Action Center findings highlight issues discovered during validation and review. These findings require resolution before submission can proceed. Addressing them early ensures that configuration and behavior remain aligned. Submission review follows a defined process. Offers move through validation, certification, and approval stages, with feedback provided when issues are detected. When configuration, behavior, and ownership are clear, review progresses predictably and leads to successful publication in Marketplace. Marketplace publishing operations Publishing makes your solution active in Marketplace. From that point forward, customers can discover it, purchase it, and interact with it in real time. The configuration you defined becomes the experience customers rely on. As a publisher, the moment your offer goes live, several things may happen at once. Customers can initiate purchases, subscriptions begin generating lifecycle events, and your solution starts provisioning access and processing usage. Billing reflects actual consumption, and support requests begin to surface as customers interact with the solution in different environments. Published offers enter continuous evaluation. Updates introduce new behavior that flows through CI/CD pipelines and affects active customers. Billing reflects how execution scales in real usage. Support interactions reveal how the solution performs across tenants and workloads. Each of these signals connects directly back to the configuration and readiness established earlier. Marketplace scale amplifies both consistency and gaps. Clear identity boundaries, predictable runtime behavior, and accurate billing reinforce trust. Misalignment between configuration and execution becomes visible quickly as customers evaluate and adopt the solution. Publishing marks the start of operational responsibility. Your teams maintain alignment between solution behavior, Marketplace configuration, and customer experience as the solution evolves over time. What’s next in the journey With publishing complete, the focus shifts to operating your solution at scale in Marketplace. This includes supporting customers, managing updates, and maintaining alignment between behavior, billing, and expectations as usage grows. Future posts will cover operational excellence and promoting your AI app and agent. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor. Quick-Start Development Toolkit Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessPublishing readiness for AI apps and agents on Microsoft Marketplace
Publishing begins before Partner Center Your AI solution readiness for Microsoft Marketplace is based on how your system operates at runtime, how change is controlled over time, and how customers experience adoption, billing, and ongoing use. Microsoft evaluates how these elements align. It checks that identity boundaries are clear, support and privacy policies are accessible and well-structured, and subscription and billing events connect to system execution in predictable ways. This article focuses on technical Marketplace readiness before you begin to configure an offer in Partner Center to ensure publishing proceeds cleanly. It covers organizational readiness, identity and access boundaries, runtime safeguards, data handling posture, and subscription lifecycle preparation. Go‑to‑market planning and promotion also play a key role in driving adoption and success. This article focuses on technical readiness, and a future post will cover go‑to‑market considerations in more detail. You can always get curated step-by-step guidance through building, publishing, and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Publishing readiness for Marketplace operations Publishing readiness reflects how your organization is structured to transact, support customers, and operate your AI app or agent in Marketplace. It depends on how identity, finance, and ownership are defined and aligned within your organization. Partner Center enrollment and account structure define your publisher identity. You enroll in the Microsoft AI Cloud Partner Program and the Marketplace program and operate under a publisher identity and Seller ID. This identity connects your organization to offers, transactions, and certification processes. Duplicate accounts or incomplete enrollment create conflicts when offers, payouts, or reviews do not align to one record and can create attribution issues towards benefit qualification milestones. Financial readiness connects your system to Marketplace transactions. Microsoft processes purchases, renewals, and payouts on your behalf, which requires validated tax and payout profiles tied to your legal entity. These profiles determine how revenue flows and how regulatory obligations are handled. If your organization operates across regions or uses different tax or currency structures, you may define multiple selling entities, each with its own Seller ID. This ensures Marketplace can associate transactions, payouts, and compliance requirements accurately with the correct entity. Role assignment defines how work is executed across teams. Publishing spans engineering, product, and finance, with roles such as Owner, Manager, Developer, and Finance Contributor enforced through Partner Center. This division of labor ensures that configuration progresses, publishing workflow moves predictably, and issues are resolved quickly. Identity and tenant requirements Marketplace publishing requires identity boundaries to be clearly defined and consistently enforced. These boundaries are expressed through configuration and declared behavior that is set up during publishing and certification. Marketplace evaluates how identity is defined, scoped, and enforced based on that input. The customer authentication model defines how access is granted. Your solution establishes whether access is managed at the tenant level, where administrators control entry for the organization, or at the user level, where individual users authenticate and operate independently. This model determines how access is provisioned, how permissions are applied, and how customers manage their environments. Tenant isolation ensures that each customer operates within a defined boundary. Isolation applies across data, execution context, and agent behavior. Data generated within a tenant remains scoped to that tenant. Execution paths, including model calls and tool usage, remain contained within the intended context. Agents operate within defined scopes, so their actions stay within tenant boundaries. Runtime behavior readiness Runtime behavior needs to be clear, bounded, and observable so that customers and Microsoft can understand how the solution performs as usage scales. This information directly informs Marketplace certification and customer evaluation. Certification reviews rely on clear behavior definitions, and customers use these signals to assess reliability, performance, and cost expectations during trials. For detailed coverage of best practices, refer to Design CI/CD for AI apps and agents selling through Microsoft Marketplace post. Data handling and compliance Data boundaries need to be clearly defined, consistently enforced, and easy to understand from both an operational and customer perspective. Data flow and storage boundaries describe how information moves through your solution. This includes where data originates, how it is processed, and where it is stored. These flows must be explicit so that customers and Microsoft can understand how data is handled in different scenarios, including normal execution and failure conditions. Separation of customer data and system data defines how information is scoped. Customer data remains isolated within its tenant and context, while system data—such as logs, telemetry, and model inputs—follows defined handling rules. Clear separation prevents unintended access and ensures that processing remains aligned with tenant boundaries. Access governance defines who can interact with data and under what conditions. Permissions are assigned based on roles and responsibilities, and access paths are controlled across services, agents, and supporting infrastructure. These controls determine how data can be read, modified, or acted upon during execution. Auditability ensures that data interactions are traceable over time. Access, modification, and usage patterns are recorded in a way that supports review, compliance, and incident response. Marketplace publishing reflects these controls as part of your offer. Customers rely on this information to understand how their data is handled in practice. Commerce and subscription lifecycle readiness Commerce is part of how your solution operates in production, shaping how customers activate, modify, and stop using your service. Transactable offers introduce a defined subscription lifecycle. Customers create subscriptions, select plans, change quantities or pricing tiers, and cancel or renew over time. Each of these events interacts directly with your solution and influences how access, usage, and billing are handled. Your solution must respond to these lifecycle events consistently. Subscription creation should trigger provisioning and access setup. Plan updates should adjust capacity, limits, or entitlements. Cancellations and suspensions must deactivate access and ensure that usage aligns with billing state. These transitions must be handled in a way that keeps solution behavior and customer expectations aligned. CI/CD pipelines should extend into subscription logic. This ensures that changes to plans, pricing models, or metering behavior move through the same controlled processes as code and configuration. Updates to commerce handling will then remain consistent with runtime behavior and not introduce gaps between billing and execution. Customer acquisition and engagement Marketplace publishing introduces a direct connection between customer interest and solution usage. Leads and trials reflect real evaluation activity and need to be captured and connected to your operational processes. Marketplace generates signals when customers discover, evaluate, and interact with your offer. Trial activations, preview usage, and direct inquiries indicate who engaged and when that engagement occurred. This information provides context for how your AI app or agent is being evaluated in real environments. Lead destination configuration connects these signals to your systems. Partner Center integrates with CRM platforms such as Dynamics 365, Salesforce, or other endpoints such as webhook and Azure tables, ensuring that lead data flows into your internal processes without delay. This configuration determines how quickly teams can respond to customer interest and how consistently engagement is tracked. CRM integration supports continuity between Marketplace and ongoing operations. Engagement data becomes part of how you understand adoption patterns, follow up on trials, and support customers as they transition to active use. When lead data flows are reliable, teams can connect Marketplace activity to product usage, support workflows, and sales processes. A foundational best practice is to offer free trials to encourage customers to test your product before they commit to purchase, which in the process unlocks an incredible opportunity to nurture a high intent opportunity into a paying customer. Certification readiness as system validation Marketplace certification validates how your system is defined and how consistently it operates. Review processes evaluate alignment between your offer configuration, declared behavior, and the expected customer experience. Certification focuses on consistency, declared behavior, and boundary clarity. Identity models, runtime behavior, subscription lifecycle handling, and data controls must align across your listing, technical configuration, and actual solution. Clear definitions allow reviewers to understand how the solution behaves without needing to inspect it directly. Certification friction often comes from gaps in these definitions. Inconsistent identity mapping creates uncertainty around access and enforcement. Unclear lifecycle handling introduces risk in how subscriptions are provisioned, updated, or terminated. These issues surface during review because the system behavior and the published configuration do not align. Certification also validates your offers against Marketplace policies such as inclusion of expected information in your listing like support links, privacy policy, adequate terms of use, and accurate use of Microsoft product names and icons. The Partner Center validation steps provide early Marketplace listing certification signals. These tools surface configuration issues, missing requirements, and inconsistencies before submission. Running them during preparation helps resolve problems ahead of certification and keeps the submission process predictable. Publishing readiness checkpoints Publishing readiness becomes clear when the system, organization, and operational model align. Partner Center setup proceeds without delays, system behavior is explainable under real conditions, ownership across teams is defined, and subscription flows are understood and validated conceptually. At this point, offer configuration begins to reflect how the system already behaves. Publishing becomes a step where defined behavior is expressed and submitted, not a process where gaps are discovered and resolved under time pressure. These details—identity models, plans, pricing, and lifecycle handling—once entered into Partner Center will flow directly into a transactable offer that is live on Marketplace. What’s next in the journey With readiness established, the next step is expressing it in Microsoft Marketplace. This shifts the focus from system design and operational alignment to how those decisions are represented through Partner Center configuration. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor. Quick-Start Development Toolkit Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessSecuring AI apps and agents on Microsoft Marketplace
Why security must be designed in—not validated later AI apps and agents expand the security surface beyond that of traditional applications. Prompt inputs, agent reasoning, tool execution, and downstream integrations introduce opportunities for misuse or unintended behavior when security assumptions are implicit. These risks surface quickly in production environments where AI systems interact with real users and data. Deferring security decisions until late in the lifecycle often exposes architectural limitations that restrict where controls can be enforced. Retrofitting security after deployment is costly and can force tradeoffs that affect reliability, performance, or customer trust. Designing security early establishes clear boundaries, enables consistent enforcement, and reduces friction during Marketplace review, onboarding, and long‑term operation. In the Marketplace context, security is a foundational requirement for trust and scale. You can always get a curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. How AI apps and agents expand the attack surface Without a clear view of where trust boundaries exist and how behavior propagates across systems, security controls risk being applied too narrowly or too late. AI apps and agents introduce security risks that extend beyond those of traditional applications. AI systems accept open‑ended prompts, reason dynamically, and often act autonomously across systems and data sources. These interaction patterns expand the attack surface in several important ways: New trust boundaries introduced by prompts and inputs, where unstructured user input can influence reasoning and downstream actions Autonomous behavior, which increases the blast radius when authentication or authorization gaps exist Tool and integration execution, where agents interact with external APIs, plugins, and services across security domains Dynamic model responses, which can unintentionally expose sensitive data or amplify errors if guardrails are incomplete Each API, plugin, or external dependency becomes a security choke point where identity validation, audit logging, and data handling must be enforced consistently as part of securing AI integrations—especially when AI systems span tenants, subscriptions, or ownership boundaries. Using OWASP GenAI Top 10 as a threat lens The OWASP GenAI Top 10 provides a practical, industry‑recognized lens for identifying and categorizing AI‑specific security threats that extend beyond traditional application risks. Rather than serving as a checklist, the OWASP GenAI Top 10 helps teams ask the right questions early in the design process. It highlights where assumptions about trust, input handling, autonomy, and data access can break down in AI‑driven systems—often in ways that are difficult to detect after deployment. Common risk categories highlighted by OWASP include: Prompt injection and manipulation, where malicious input influences agent behavior or downstream actions Sensitive data exposure, including leakage through prompts, responses, logs, or tool outputs Excessive agency, where agents are granted broader permissions or action scope than intended Insecure integrations, where tools, plugins, or external systems become unintended attack paths Highly regulated industries, sensitive data domains, or mission‑critical workloads may require additional risk assessment and security considerations that extend beyond the OWASP categories. The OWASP GenAI Top 10 allows teams to connect high‑level risks to architectural decisions by creating a shared vocabulary that sets the foundation for designing guardrails that are enforceable both at design time and at runtime. Designing security guardrails into the architecture Security guardrails must be designed into the architecture, shaping where and how policies are enforced, evaluated, and monitored throughout the solution lifecycle. Guardrails operate at two complementary layers: Design time, where architectural decisions determine what is possible, permitted, or blocked by default Runtime, where controls actively govern behavior as the AI app or agent interacts with users, data, and systems When architectural boundaries are not defined early, teams often discover that critical controls—such as input validation, authorization checks, or action constraints—cannot be applied consistently without redesign: Tenancy boundaries, defining how isolation is enforced between customers, environments, or subscriptions Identity boundaries, governing how users, agents, and services authenticate and what actions they can perform Environment separation, limiting the blast radius of experimentation, updates, or failures Control planes, where configuration, policy, and behavior can be adjusted without redeploying core logic Data planes, controlling how data is accessed, processed, and moved across trust boundaries Designing security guardrails into the architecture transforms security from reactive to preventative, while also reducing friction later in the Marketplace journey. Clear enforcement boundaries simplify review, clarify risk ownership, and enable AI apps and agents to evolve safely as capabilities and integrations expand. Identity as a security boundary for AI apps and agents Identity defines who can access the system, what actions can be taken, and which resources an AI app or agent is permitted to interact with across tenants, subscriptions, and environments. Agents often act on behalf of users, invoke tools, and access downstream systems autonomously. Without clear identity boundaries, these actions can unintentionally bypass least‑privilege controls or expand access beyond what users or customers expect. Strong identity design shapes security in several key ways: Authentication and authorization, determines how users, agents, and services establish trust and what operations they are allowed to perform Delegated access, constraints agents to act with permissions tied to user intent and context Service‑to‑service trust, ensures that all interactions between components are explicitly authenticated and authorized Auditability, traces actions taken by agents back to identities, roles, and decisions A zero‑trust AI agent architecture is essential in this context. is essential in this context. Every request—whether initiated by a user, an agent, or a backend service—should be treated as untrusted until proven otherwise. Identity becomes the primary control plane for enforcing least privilege, limiting blast radius, and reducing downstream integration risk. This foundation not only improves security posture, but also supports compliance, simplifies Marketplace review, and enables AI apps and agents to scale safely as integrations and capabilities evolve. Protecting data across boundaries Data may reside in customer‑owned tenants, subscriptions, or external systems, while the AI app or agent runs in a publisher‑managed environment or a separate customer environment. Protecting data across boundaries requires teams to reason about more than storage location. Several factors shape the security posture: Data ownership, including whether data is owned and controlled by the customer, the publisher, or a third party Boundary crossings, such as cross‑tenant, cross‑subscription, or cross‑environment access patterns Data sensitivity, particularly for regulated, proprietary, or personally identifiable information Access duration and scope, ensuring data access is limited to the minimum required context and time When these factors are implicit, AI systems can unintentionally broaden access through prompts, retrieval‑augmented generation, or agent‑initiated actions. This risk increases when agents autonomously select data sources or chain actions across multiple systems. To mitigate these risks, access patterns must be explicit, auditable, and revocable. Data access should be treated as a continuous security decision, evaluated on every interaction rather than trusted by default once a connection exists. This approach aligns with zero-trust principles, where no data access is implicitly trusted and every request is validated based on identity, context, and intent. Runtime protections and monitoring For AI apps and agents, security does not end at deployment. In customer environments, these systems interact continuously with users, data, and external services, making runtime visibility and control essential to a strong security posture. AI behavior is also dynamic: the same prompt, context, or integration can produce different outcomes over time as models, data sources, and agent logic evolve, so monitoring must extend beyond infrastructure health to include behavioral signals that indicate misuse, drift, or unintended actions. Effective runtime protections focus on five core capabilities: Vulnerability management, including regular scanning of the full solution to identify missing patches, insecure interfaces, and exposure points Observability, so agent decisions, actions, and outcomes can be traced and understood in production Behavioral monitoring, to detect abnormal patterns such as unexpected tool usage, unusual access paths, or excessive action frequency Containment and response, enabling rapid intervention when risky or unauthorized behavior is detected Forensics readiness, ensuring system-state replicability and chain-of-custody are retained to investigate what happened, why it happened, and what was impacted Monitoring that only tracks availability or performance is insufficient. Runtime signals must provide enough context to explain not just what happened, but why an AI app or agent behaved the way it did, and which identities, data sources, or integrations were involved. Equally important is integration with broader security event and incident management workflows. Runtime insights should flow into existing security operations so AI-related incidents can be triaged, investigated, and resolved alongside other enterprise security events—otherwise AI solutions risk becoming blind spots in a customer’s operating environment. Preparing for incidents and abuse scenarios No AI app or agent operates in a perfectly controlled environment. Once deployed, these systems are exposed to real users, unpredictable inputs, evolving data, and changing integrations. Preparing for incidents and abuse scenarios—including AI agent incident response—is therefore a core security requirement, not a contingency plan. AI apps and agents introduce unique incident patterns compared to traditional software. In addition to infrastructure failures, teams must be prepared for prompt abuse, unintended agent actions, data exposure, and misuse of delegated access. Because agents may act autonomously or continuously, incidents can propagate quickly if safeguards and response paths are unclear. Effective incident readiness starts with acknowledging that: Abuse is not always malicious, misuse can stem from ambiguous prompts, unexpected context, or misunderstood capabilities Agent autonomy may increase impact, especially when actions span multiple systems or data sources Security incidents may be behavioral, not just technical, requiring interpretation of intent and outcomes Preparing for these scenarios requires clearly defined response strategies that account for how AI systems behave in production. AI solutions should be designed to support pause, constrain, or revoke agent capabilities when risk is detected, and to do so without destabilizing the broader system or customer environment. Incident response must also align with customer expectations and regulatory obligations. Customers need confidence that AI‑related issues will be handled transparently, proportionately, and in accordance with applicable security and privacy standards. Clear boundaries around responsibility, communication, and remediation help preserve trust when issues arise. How security decisions shape Marketplace readiness From initial review to customer adoption and long‑term operation, security posture is a visible and consequential signal of readiness. AI apps and agents with clear boundaries—around identity, data access, autonomy, and runtime behavior—are easier to evaluate, onboard, and trust. When security assumptions are explicit, Marketplace review becomes more predictable, customer expectations are clearer, and operational risk is reduced. Ambiguous trust boundaries, implicit data access, or uncontrolled agent actions can introduce friction during review, delay onboarding, or undermine customer confidence after deployment. Marketplace‑ready security is therefore not about meeting a minimum bar. It is about enabling scale. Well-designed security allows AI apps and agents to integrate into enterprise environments, align with customer governance models, and evolve safely as capabilities expand. When security is treated as a first‑class architectural concern, it becomes an enabler rather than a blocker—supporting faster time to market, stronger customer trust, and sustainable growth through Microsoft Marketplace. What’s next in the journey Security for AI apps and agents is not a one‑time decision, but an ongoing design discipline that evolves as systems, data, and customer expectations change. By establishing clear boundaries, embedding guardrails into the architecture, and preparing for real‑world operation, publishers create a foundation that supports safe iteration, predictable behavior, and long‑term trust. This mindset enables AI apps and agents to scale confidently within enterprise environments while meeting the expectations of customers adopting solutions through Microsoft Marketplace. See the next post in the series: Designing AI guardrails for apps and agents in Marketplace | Microsoft Community Hub. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor, Quick-Start Development Toolkit Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessProduction ready architectures for AI apps and agents on Marketplace
Why “production‑ready” architecture matters for Marketplace AI apps and agents A working AI prototype is not the same as a production‑ready AI app in Microsoft Marketplace. Marketplace solutions are expected to operate reliably in real customer environments, alongside mission‑critical workloads and under enterprise constraints. As a result, AI apps published through Marketplace must meet a higher bar than “it works in a demo.” You can always get a curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. Production‑ready Marketplace AI apps must assume: Alignment with enterprise expectations and Azure well‑architected AI principles, including cost optimization, security, reliability, operational excellence, and performance efficiency Architectural decisions made early are difficult to reverse, especially once customers, tenants, and billing relationships are in place A higher trust bar from customers, who expect Marketplace solutions to be Microsoft‑vetted, certified, and safe to run in production Customers come to Marketplace expecting solutions that are ready to run, ready to scale, and ready to be supported—not experiments. This post focuses on the architectural principles and patterns required to meet those expectations. Specific services and implementation details are covered later in the series. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Aligning offer type and architecture early sets you up for success A strong indicator of a smooth Marketplace journey is early alignment between offer type and solution architecture. Offer type defines more than how an AI app is listed—it establishes clear roles and responsibilities between publishers and customers, which in turn shape architectural boundaries. Across all other offer types, architecture must clearly answer three questions: Who owns the runtime? Where does the AI execute? Who controls updates and ongoing operations? These decisions will vary depending on whether the solution resides in the customer’s or publisher’s tenant based on the attributes associated with the following transactable marketplace offer types: SaaS offers, where the AI runtime lives in the publisher’s environment and architecture must support multitenant AI app design, strong isolation, and centralized operations Container offers, where workloads run in the customer’s Kubernetes environment and architecture emphasizes portability and clear operational assumptions Virtual Machine offers, where preconfigured environments run in the customer’s subscription and architecture is more tightly coupled to the OS and infrastructure footprint Azure Managed Applications, where the solution is deployed into the customer's subscription and architecture must balance customer control with defined lifecycle boundaries. What makes this model distinctive is its flexibility: an Azure Managed Application can package containers, virtual machines, or a combination of both — making it a natural fit for solutions that require customer-controlled infrastructure without sacrificing publisher-managed operations. The packaging choice shapes the underlying architecture, but the managed application wrapper is what defines how the solution is deployed, updated, and governed within the customer's environment. Architecture decisions naturally reinforce Marketplace requirements and reduce certification and operational friction later. Key factors that benefit from early alignment include: Roles and responsibilities, such as who operates the AI runtime and who is responsible for uptime, patching, scaling, and ongoing operations Proximity to data, particularly for AI solutions that rely on customer‑specific or proprietary data, where placement affects performance, data movement, and compliance Core architectural building blocks of AI apps Designing a production‑ready AI app starts with treating the solution as a system, not a single service. AI apps—especially agent‑based solutions—are composed of multiple cooperating layers that together enable reasoning, action, and safe operation at scale. At a high level, most production‑ready AI apps include the following building blocks: Interaction layer, which serves as the entry point for users or systems and is responsible for authentication, request shaping, and consistent responses Orchestration layer, which coordinates reasoning, tool selection, workflow execution, and retrieval‑augmented generation (RAG) flows across multi‑step interactions Model endpoints, which provide inference and generation capabilities and introduce distinct latency, cost, and dependency characteristics Data sources, including vector stores, operational data, documents, and logs that the AI system reasons over Control planes, such as identity, configuration, policy enforcement, feature flags, and secrets management, which govern behavior without redeploying core logic Observability, which enables tracing, monitoring, and diagnosis of agent decisions, actions, and outcomes Networking, which connects components using a zero‑trust posture where every call is authenticated and outbound access is explicitly controlled Together, these components form the foundation of most Marketplace‑ready AI architectures. How they are composed—and where boundaries are drawn—varies by offer type, tenancy model, and customer requirements. Specific services, patterns, and implementation guidance for each layer are explored later in the series. Tenancy design choices as an early architectural decision One of the earliest and most consequential architectural decisions is where the AI solution is hosted. Does it run in the publisher’s tenant, or is it deployed into the customer’s tenant? This choice establishes foundational boundaries and is difficult to change later without significant redesign. If the solution runs in the publisher’s tenant, it is inherently multi‑tenant and must be designed with strong logical isolation across customers. If it runs in the customer’s tenant, deployments are typically single‑tenant by default, with isolation provided through infrastructure boundaries. Many Marketplace AI apps fall between these extremes, making it essential to define the AI tenancy model early. Common tenancy approaches include: Publisher‑hosted, multi‑tenant solutions, where a shared AI runtime serves multiple customers and requires strict isolation of customer data, inference requests, identity, and cost attribution Customer‑hosted, single‑tenant deployments, where each customer operates an isolated instance within their own Azure subscription, often preferred for regulated or tightly controlled environments Hybrid models, which combine centralized AI services with customer‑hosted data or execution layers and require carefully defined trust and access boundaries Tenancy decisions influence several core architectural dimensions, including: Identity and access boundaries, which define how users and agents authenticate and act across tenants Data isolation, including how customer data is stored, processed, and protected Model usage patterns, such as shared models versus tenant‑specific models Cost allocation and scale, including how usage is tracked and attributed per customer These considerations are not implementation details—they shape how the AI system behaves, scales, and is governed in production. Reference architecture guidance for multi‑tenant AI and machine learning solutions in the Azure Architecture Center explores these tradeoffs in more detail. Understanding your customer’s needs Designing a production‑ready AI architecture starts with understanding the environment your customers expect your solution to operate in. Marketplace customers vary widely in their security posture, compliance obligations, operational practices, and tolerance for change. Architectures that reflect those realities reduce friction during onboarding, certification, and long‑term operation. Key customer considerations that shape architecture include: Security and compliance expectations, such as industry regulations, internal governance policies, or regional data requirements Target environments, including whether customers expect solutions to run in their own Azure subscription or are comfortable consuming centrally hosted services Change and outage windows, where operational constraints or seasonal restrictions require predictable and controlled updates Architectural alignment with customer needs is not about designing for every edge case. It is about making intentional tradeoffs that reflect how customers will deploy, operate, and depend on your AI solution in production. Specific security controls, compliance enforcement mechanisms, and operational policies are explored later in the series. This section establishes the architectural mindset required to support them. Separating environments for safe iteration Production AI systems must evolve continuously while remaining stable for customers. Separating environments is how publishers enable safe iteration without destabilizing live usage—and how customers maintain confidence when adopting and operating AI solutions in their own environments. From the publisher’s perspective, environment separation enables: Iteration on prompts, models, and orchestration logic without impacting production customers Validation of behavior changes before rollout, especially for AI‑driven systems where small changes can produce materially different outcomes Controlled release strategies that reduce operational risk From the customer’s perspective, environment separation shapes how the solution fits into their own development and operational practices: Where the solution is deployed across development, staging, and production environments How deployments are repeated or promoted, particularly when the solution runs in the customer’s tenant Whether environments can be recreated predictably, or whether customers are forced to manually reconfigure deployments with each iteration When AI solutions are deployed into the customer’s tenant, environment design becomes especially important. Customers should not be required to reverse‑engineer deployment logic, recreate environments from scratch, or re‑establish trust boundaries every time the solution evolves. These concerns should be addressed architecturally, not deferred to operational workarounds. Environment separation is therefore not just a DevOps choice—it is an architectural decision. It influences identity boundaries, deployment topology, validation strategies, and the shared operational contract between publisher and customer. Designing for AI‑specific scalability patterns AI workloads do not scale like traditional web or CRUD‑based applications. While front‑end and API layers may follow familiar scaling patterns, AI systems introduce behaviors that require different architectural assumptions. Production‑ready AI architectures must account for: Bursty inference demand, where usage can spike unpredictably based on user behavior or downstream automation Long‑running or multi‑step agent workflows, which may span tools, data sources, and time Model‑driven latency and cost characteristics, which influence throughput and responsiveness independently of application logic As a result, scalability decisions often vary by layer. Horizontal scaling is typically most effective in interaction, orchestration, and retrieval components, while model endpoints may require separate capacity planning, isolation, or throttling strategies. Treating identity as an architectural boundary Identity is foundational to Marketplace AI apps, but architecture must plan for it explicitly. Identity decisions define trust boundaries across users, agents, and services, and shape how the solution scales, secures access, and meets compliance requirements. Key architectural considerations include: Microsoft Entra ID as a foundation, where identity is treated as a core control plane rather than a late‑stage integration How users sign in, including: Their own corporate Microsoft Entra ID tenant B2B scenarios where one Entra ID tenant trusts another B2C identity providers for customer‑facing experiences How tenants authenticate, particularly in multi‑tenant or cross‑organization scenarios How AI agents act on behalf of users, including delegated access, authorization scope, and auditability How services communicate securely, using a zero‑trust posture where every call is authenticated and authorized Treating identity as an architectural boundary helps ensure that trust relationships remain explicit, enforceable, and consistent across tenants and environments. This foundation is critical for supporting secure operation, compliance enforcement, and future tenant‑linking scenarios. Designing for observability and auditability Production‑ready AI apps must be observable and auditable by design. Marketplace customers expect visibility into how systems behave in production, and publishers need clear insight to diagnose issues, operate reliably, and meet enterprise trust and compliance expectations. Key architectural considerations include: End‑to‑end observability, covering user interactions, agent reasoning steps, tool invocations, and downstream service calls Clear audit trails, capturing who initiated an action, what the AI system did, and how decisions were executed—especially when agents act on behalf of users Tenant‑aware visibility, ensuring logs, metrics, and traces are correctly attributed without exposing data across tenants Operational transparency, enabling effective troubleshooting, incident response, and continuous improvement without ad‑hoc instrumentation AI app observability design goes beyond infrastructure health. It must also account for AI‑specific behavior, such as prompt execution, model selection, retrieval outcomes, and tool usage. Without this visibility, diagnosing failures, validating changes, or explaining outcomes becomes difficult in real customer environments. Auditability is equally critical. Identity, access, and action histories must be traceable to support security reviews, regulatory obligations, and customer trust—particularly in regulated or enterprise settings. Common architectural pitfalls in Marketplace AI apps Even experienced teams run into similar challenges when moving from an AI prototype to a production‑ready Marketplace solution. The following pitfalls often surface when architectural decisions are deferred or made implicitly. Common pitfalls include: Treating AI as a single service instead of a system, where model inference is implemented without considering orchestration, data access, identity, observability, and operational boundaries Hard‑coding tenant assumptions, such as assuming a single tenant, identity model, or deployment topology, which becomes difficult to unwind as customer requirements diversify Not planning for a resilient model strategy, leaving the architecture fragile when model versions change, capabilities evolve, or providers introduce breaking behavior Assuming data lives within the same boundary as the solution, when in practice it may reside in a different tenant, subscription, or control plane Tightly coupling prompt logic to application code, making it harder to iterate on AI behavior, validate changes, or manage risk without full redeployments Assuming issues can be fixed after go‑live, which underestimates the cost and complexity of changing architecture once customers, subscriptions, and trust relationships are in place While these pitfalls may be caused by a lack of technical skill on the customer’s side, they could typically emerge when architectural decisions are postponed in favor of speed, or when AI behavior is treated as an isolated concern rather than part of a production system. What’s next in the journey The architectural decisions made early—around offer type, tenancy, identity, environments, and observability—establish the foundation on which everything else is built. When these choices are intentional, they reduce friction as the solution evolves, scales, and adapts to real customer needs. The next set of posts builds on this foundation, exploring different dimensions of operating, securing, and evolving Marketplace AI apps in production. See the next post in the series: Securing AI apps and agents on Microsoft Marketplace | Microsoft Community Hub. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor Quick-Start Development Toolkit can connect you with code templates for AI solution patterns Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessDesign CI/CD for AI apps and agents selling through Microsoft Marketplace
In the previous post, Design observability for AI apps and agents selling through Microsoft Marketplace, we focused on observability—making AI app and agent behavior visible and explainable. Execution paths, retries, degradation patterns, and agent decisions can now be observed across environments and tenants. With that visibility in place, a new challenge emerges: how do you safely modify an AI system whose behavior you can now observe? You can always get curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Using continuous integration/continuous delivery (CI/CD) to control AI system evolution AI apps and agents introduce numerous novel ways that production behavior can change. In addition to application code, updates to configuration, prompts, models, and guardrails, agent logic can alter execution, cost, and outcomes—often immediately and across tenants. CI/CD defines how these changes reach production. Without a structured delivery path, behavior‑shaping updates risk entering runtime without validation or recovery paths, making system behavior difficult to explain or reverse once customers encounter it. AI solutions are typically built and operated as cloud applications. Software delivery of cloud services, and the supporting components that enable it, remains part of the CI/CD pipeline, and any instability in these foundational components directly propagates into AI behavior. AI systems add two additional sources of change that require explicit control. MLOps governs model evolution. Agents introduce further variability, as agent logic and configuration evolve. CI/CD is what prevents these change vectors from interacting unpredictably across both publisher and customer environments. Core CI/CD requirements for AI apps and agents For AI apps and agents, CI/CD determines whether deployment strategies can be applied safely. Progressive rollouts, ring deployments, feature flags, and kill switches all rely on pipelines that isolate change, validate behavior, and support rollback. Observability provides insight into behavior; CI/CD controls when and how that behavior is allowed to change. CI/CD must reliably provision, configure, and promote cloud native infrastructure, including but not limited to front-end services, APIs, storage, identity, and networking across environments. Agent behavior depends directly on the stability of the platform it runs on. AI systems introduce additional CI/CD requirements through MLOps and agents. Model versions, routing logic, and evaluation configurations must move through pipelines as deployable artifacts, with isolation, validation, and rollback built in. Changes to models affect latency, cost, and outcomes even when application code remains unchanged, making promotion controls necessary at the model layer. A well-run CI/CD pipeline should positively impact AI models and agents in the following ways: Change isolation ensures code, prompts, models, and configuration evolve independently. Artifact versioning beyond code treats prompts, policies, tools, and models as release assets. Behavioral validation evaluates outcomes, constraints, and patterns rather than single responses. Safe promotion controls gate model and agent releases based on observed behavior. Rollback readiness allows fast reversion when model or agent behavior degrades. Building behavioral baselines for AI solutions using CI/CD Before an AI system is built by a pipeline, it is built by a team. CI/CD build pipelines are where these contributions are stitched together. Product managers define scope and constraints. UX designers shape how behavior is experienced. Full‑stack engineers assemble application logic. AI engineers wire reasoning and tools. Data engineers and data scientists curate data and models. In AI systems, a build does more than compile code. It captures a shared agreement across roles about what the system is expected to do. Application code, orchestration logic, prompts, configuration, guardrails, routing rules, and trained or fine‑tuned models are assembled into a single versioned artifact. That artifact represents a coordinated snapshot of intent, behavior, and constraints. This coordination must declare which models, prompts, policies, and tool definitions are included. Implicit dependencies—such as dynamically changing prompts or unpinned models—break shared understanding across teams and introduce behavior changes without acknowledgement. A successful build confirms that contributions from multiple roles are compatible and executable together. It does not decide when customers see the change. That decision belongs later, where behavior can be evaluated deliberately, enforced by build pipelines that are separating assembly from release. Testing AI solutions with CI/CD pipelines When an agent is updated, the first task is straightforward: the agent’s code changes. Logic is refined, tools are added, limits are adjusted. That change moves through the CI/CD pipeline, where it is built, packaged, and validated in isolation. At this point, the focus is narrow—does this agent compile, configure, and execute as expected? The second step widens the lens. The update now moves through testing aligned to the layers beneath it. For cloud solutions, tests confirm the platform still behaves as assumed: infrastructure provisions correctly, APIs and identity boundaries remain intact, and dependencies remain reachable. These tests ensure the environment can support execution before behavior is evaluated. Next, MLOps tests assess whether model behavior still aligns with system expectations. New model versions, routing logic, or provider changes are evaluated for cost, latency, and outcome consistency. The goal is not identical responses, but bounded behavior within known limits. Finally, testing shifts to the agentic system as a whole. Other agents need to be made aware of the new capabilities. When you go to update the agent the first job you have to do is update the agent code. The second job you have to do is to use your CI/CD pipeline to build, test and release that code. The third job is to test that the entire agentic system is running smoothly together. At this stage, testing answers a different question: not does the agent work, but does the system still work together. CI/CD release management as team coordination Once testing confirms that behavior remains within expected bounds, release management determines how changes are introduced and observed under real conditions. In AI systems, release management must reflect where change originates and how risk propagates across layers. Within the cloud services that support the AI solution, release management focuses on scope and blast‑radius control. Examples include staged rollout of infrastructure updates, controlled exposure of new API versions, and limiting configuration changes to specific environments or tenants before going global. These steps allow both publisher and customer teams to observe stability and dependency behavior under load. For MLOps, release management governs behavioral shifts introduced by model changes. Common patterns include routing a small percentage of requests to a new model version, limiting exposure to specific customer segments, or restricting usage to defined request types. This allows teams to compare cost, latency, and outcome patterns before expanding exposure. For agents, release management controls how new behaviors surface. Prompt updates, tool access changes, or guardrail adjustments may be released to specific workflows, tenants, or traffic slices. This makes it possible to observe planning depth, retry behavior, and termination patterns without affecting all users simultaneously. Rollback readiness remains essential. Release paths must allow fast reversion using version pinning or traffic shifting rather than full redeployment. Release management creates space to observe, adjust, and respond before changes reach full Marketplace scale. Deployment as a shared boundary Effective deployment pipelines ensure that software, models, and agent behavior enter production together, with changes explicitly acknowledged and observable. Versioning and rollback remain available, but deployment defines the moment when coordinated decisions become customer‑visible. Cloud service—For the software, deployment governs application code and supporting platform changes. These remain necessary foundations. Application binaries, infrastructure templates, runtime configuration, and orchestration must enter production in a known, versioned state so operational behavior can be correlated with specific changes. MLOps—Model version updates, routing rules, provider switches, and evaluation configurations can change system behavior without modifying application code. Deployment pipelines must therefore treat these artifacts as deployable units, subject to the same versioning, promotion, and rollback mechanics as software releases. Agent—Deployment includes behavior‑defining inputs such as prompts and system messages, tool definitions and permissions, guardrails, and execution limits. Changes directly affect how agents plan, execute, and terminate work. Allowing these inputs to change outside deployment pipelines breaks traceability and weakens accountability across teams. How CI/CD best practices positively impact marketplace readiness Customers expect updates to arrive in predictable ways. They expect that behavior changes can be explained, that issues can be reversed without prolonged disruption, and that outcomes remain consistent across trials and production use. CI/CD pipelines make these expectations achievable by ensuring changes are versioned, staged, and observable as they move through environments. Reliability depends on limiting how far unstable behavior propagates. Billing accuracy depends on knowing when changes alter execution paths, token usage, or metering logic. Compliance depends on being able to identify which versions of software, models, and agent configurations were active at a given time. Offer type shapes how CI/CD is applied. For transactable SaaS offers, CI/CD operates entirely within the publisher’s environment. For container offers and Azure Managed Applications, deployment boundaries extend to customer environments requiring a CI/CD hand-off between publisher and customer pipelines. Publisher CI/CD responsibilities for AI solutions Publishers must define what constitutes a deployable change. Updates to software, models, prompts, agent configuration, guardrails, or limits should not enter customer environments or generally available code implicitly. Each change that can influence behavior must flow through the publisher’s CI/CD pipelines so it can be versioned, observed, and reversed if necessary. Additionally, CI/CD pipelines require validation and approval before promotion, ensuring that behavior‑altering updates do not reach customers without visibility or control. Publishers are also responsible for communicating behavior changes. Customers should be able to understand when updates affect outcomes, performance, or cost profiles. Customers should never experience silent behavior shifts, undocumented updates, or releases that cannot be recovered cleanly. When those occur, trust erodes quickly. In this context, CI/CD is part of how publishers establish reliability, accountability, and trust with Marketplace customers. Customer’s responsibility: CI/CD across environments (Dev / Stage / Prod) While publishers own CI/CD pipelines, customers play an important role in how AI systems are evaluated and adopted across environments. AI behavior often manifests differently across Dev, Stage, and Prod because operating conditions change as systems move toward real usage. As environments scale, dependency interactions increase, traffic patterns diversify, and tenant behavior becomes less predictable—revealing execution paths and constraints that are not exercised earlier. These differences affect how behavior appears during evaluation and rollout. To keep behavior interpretable across environments, pipeline structure matters. CI/CD pipelines, validation steps, and promotion criteria should operate consistently so signals observed earlier can be understood later. When these mechanics diverge between environments, it becomes difficult to attribute changes in behavior to specific updates or conditions. Staging environments serve as a behavioral proving ground. They allow customers to observe retries, limits, degradation paths, and cost behavior under conditions that more closely resemble production. Trials often run against production‑like configurations, which means CI/CD gaps surface early. When behavior differs from expectations, the consistency of pipelines determines how quickly teams can diagnose and respond. What’s next in the journey With CI/CD establishing control over how AI systems change, the next focus is how those changes are introduced safely at runtime. The following posts cover deployment strategies, progressive rollouts, and operational patterns that allow AI apps and agents to evolve while remaining stable, observable, and ready for Marketplace scale. Key resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor Quick-Start Development Toolkit can connect you with code templates for AI solution patterns Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessDesign observability for AI apps and agents selling through Microsoft Marketplace
In the last post, API resilience and reliability patterns for AI apps and agents, we focused on what happens when AI systems encounter failure—and how resilient execution paths keep that failure contained. Timeouts fire with intent. Retries stay bounded. Circuit breakers provide overload protection. When resilience is designed well, your system continues to function even as conditions change. You can always get curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. Observability for AI systems AI apps and agents are shifting traditional observability, which was designed for systems based on simple assumptions, where requests followed linear paths and workloads behaved predictably. Execution in AI systems consumes tokens at a highly variable rate rather than fixed compute units. Requests unfold across multiple reasoning steps. Agents perform work that spans APIs, models, retrieval layers, and applications. A single interaction may pause, branch, retry, or exit early depending on inferred intent, context, and constraints. Instead of asking whether services are running, observability for AI systems asks: what is the system doing right now—and why? Is an agent spending its time reasoning, waiting on dependencies, retrying tool calls, or exiting early due to enforced limits? Is cost increasing because value is increasing, or because execution paths are expanding without progress? AI observability requirements shift the focus in the following subtle, but critical ways: From resource availability to workflow state From performance metrics to signals From incidents to patterns Core observability dimensions for AI apps and agents Once observability shifts toward understanding behavior, clarity comes from tracking state across the agents in the workflow. For AI apps and agents, observable indicators, such as those detailed below, show how work unfolds and changes during real usage—especially in trials and early adoption: Execution flow shows how a request moves through agents, tools, and workflows. This highlights where execution progresses smoothly, where it slows, and where it concludes early. This makes agent outcomes explainable and keeps behavior consistent across tenants. Cost and token behavior reveals how execution translates into consumption. Token usage per request, per agent step, and per retry shows where value is being delivered and where execution paths expand without proportional benefit. This insight connects runtime behavior directly to Marketplace billing expectations and evaluations. Latency and wait states distinguish active processing from time spent waiting on dependencies. Seeing where time is consumed helps explain slow experiences and guides decisions about optimization, caching, or resilience improvements. Failure classification provides structure when systems degrade. Separating tool failures from planning failures, and transient issues from terminal exits, keeps investigations focused and prevents protective behavior from being misread as instability. Tenant‑level patterns surface how behavior repeats at scale. Uneven load, and recurring degradation often appear first during trials and shape the customer's perception. Together, these dimensions turn telemetry into understanding—supporting clearer conversations, faster triage, and predictable execution as usage grows. Why observability matters By this point in the journey, your AI app or agent has implemented bounded execution paths, cost controls, and quality of service safeguards. As a result, failure degrades gracefully instead of spreading. These resilience techniques determine how your solution behaves under pressure. The data gathered from observability platforms like Application Insights and Azure Monitor explains why it behaves that way. For AI and agentic systems, infrastructure health alone rarely answers the questions that matter. Services can be up, CPUs can be idle, and queues can look healthy while agents loop inefficiently, retries quietly expand cost, or workflows exit early without delivering value. From the customer’s perspective, the experience feels inconsistent even though the platform appears stable. Observability closes this gap by revealing system behavior rather than system status. It shows how requests move, where work concentrates, and how constraints shape outcomes. At Marketplace scale, these patterns repeat across tenants and trials. What appears once during an evaluation often appears again as adoption grows. Observability connects runtime behavior back to the design choices introduced in earlier posts: Usage‑based billing introduced variability in consumption Performance optimization introduced tradeoffs among latency, quality, and cost Resilience patterns introduced controlled failure and bounded execution Observability allows you to explain outcomes during trials, validate assumptions as usage grows, and operate with confidence across customers and environments. Without this visibility, teams react to symptoms. With it, they recognize patterns. From execution paths to behavioral signals Observability begins at the same place resilience begins—API boundaries. These boundaries define where responsibility shifts and where behavior becomes visible. Observability focuses on signals that explain decisions made by the system as it executes instead of relying on raw logs that describe isolated events. Every resilience mechanism emits behavioral signals. Viewed together, these signals provide far more value than logs alone. Logs answer whether something happened. Behavioral signals explain why it happened and how the system responded. Circuit breakers change state as load builds and recedes. Retry loops show whether failures resolve quickly or exhaust their limits. Timeout enforcement reveals where dependencies slow execution. Fallback paths and early terminations show how the system protects itself while preserving outcomes for customers. This perspective matters most for agents. Agent execution unfolds as a series of choices—plan, call a tool, retry, exit early—rather than a single request‑response cycle. Observability that tracks these decisions makes agent behavior understandable, consistent, and defensible as usage grows across customer tenants. Observability at the agent layer As AI systems become more agent‑driven, observability needs to move closer to where decisions are made. Agents introduce variability by design. They plan, adapt, and choose workflow paths dynamically. Without first‑class visibility into that behavior, execution can appear unpredictable even when the underlying system is healthy. Observability at the agent layer acts as the feedback loop that keeps execution safely bounded. It shows how agents use the freedom you give them—and where that freedom begins to stretch into inefficiency. Observability follows how the agent did its job instead of treating the agent’s interaction as a single outcome. Several indicators help make agent behavior understandable. Step count per request reveals how much reasoning effort a prompt requires. Planning iterations show whether an agent converges quickly or cycles through alternatives. Tool invocation frequency highlights when agents rely heavily on external systems. Early exits compared to full completion explain whether limits and fallbacks activate as designed. Taken together, these indicators help distinguish healthy exploration from inefficient reasoning and degraded execution. An agent exploring briefly before converging adds value. An agent looping through tools without progress signals pressure, uncertainty, or dependency issues. This distinction reinforces a core principle of agentic systems: models reason probabilistically, adapting to context as it changes. Your system observes deterministically—measuring execution, enforcing boundaries, and clarifying outcomes. When those roles stay separate and well‑instrumented, agent behavior becomes transparent, predictable, and ready for Marketplace scale. Observability across environments The type of Marketplace offer you choose shapes what observability customers expect and how responsibility is shared. For SaaS offers, publishers typically own end‑to‑end execution. Observability centers on agent behavior, workflow completion, token usage, latency, and dependency impact across tenants. Publishers rely on consistent signals—often surfaced through tools like Azure Monitor, Application Insights, and Microsoft AI Foundry—to explain how requests behave as scale and load increase. For container‑based offers and Azure Managed Applications, observability expectations are more distributed. Publishers expose clear execution outcomes, limits, and failure signals at application boundaries. Customers, in turn, observe infrastructure health, scaling behavior, and downstream systems within their own environments. This separation ensures each party has visibility into what they control without creating ambiguity. Learn more about Choosing your marketplace offer type for AI Apps and agents. Execution behavior differs across environments for predictable reasons. Scale increases, tenant mix broadens, and external dependencies behave differently under real load. What must stay consistent is how behavior is interpreted. Signal definitions, thresholds, and failure classification should mean the same thing in Dev, Stage, and Prod. Learn more about designing a reliable environment strategy for Microsoft Marketplace AI apps and agents. Staging environments are where this consistency is validated. Observing retries, timeouts, and graceful degradation before production prepares you for Marketplace evaluations, which often resemble production conditions. Observability gaps tend to appear first during customer evaluation—when clarity matters most. Publisher and customer visibility boundaries Purpose: Parallel Post #13 responsibility clarity, now for observability As observability matures across environments, clarity around responsibility becomes essential. For Marketplace solutions, trust grows when publishers and customers each see what they own—and understand where that visibility ends. Publishers are responsible for instrumenting execution paths end to end. That means making workflows traceable, limits visible, and failure modes explainable. Observability should surface behavior—how requests progressed, where execution concluded, and why—rather than exposing raw internal errors that require insider knowledge to interpret. Customers focus their observability on what they control. This includes monitoring downstream systems, infrastructure behavior, and environment‑level alerts within their own estate. When visibility aligns with ownership, teams can act quickly and decisively. Exposing too much internal detail can overwhelm customers and blur accountability. Observing too little behavior creates friction, especially when issues cross boundaries and lack context. Clear visibility enables faster triage, sharper ownership boundaries, and fewer escalations rooted in ambiguity. Observability as an enabler for scale, billing, and trust From a customer’s perspective, observability answers two fundamental questions: Can I understand what happened? and Can I trust this at scale? When the answer to both is clear, observability becomes part of the value your Marketplace offering delivers. When system behavior is visible and explainable, customers gain confidence that adoption and growth will remain predictable. Observability directly supports usage‑based billing by tying execution behavior to measured consumption. Clear visibility into token usage, retries, and execution paths helps validate how usage is calculated and supports transparent billing conversations. It also enables ongoing performance tuning and caching strategies by showing where latency accumulates, where work repeats, and where optimization delivers measurable impact. Observability reinforces confidence in resilience mechanisms, confirming that limits, fallbacks, and degradation paths activate as designed under real‑world conditions. Beyond validation, observability creates a continuous feedback loop. Execution data informs pricing adjustments, guides changes to limits, and helps refine default configurations as customer behavior evolves. What’s next in the journey With execution behavior observable and explainable, the focus shifts to how AI systems are operated safely as change accelerates. The upcoming posts will discuss deployment strategies, CI/CD pipelines for agents, and progressive rollouts build on this foundation—ensuring AI apps evolve confidently as usage and expectations grow. Key Resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor Quick-Start Development Toolkit can connect you with code templates for AI solution patterns Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV SuccessAPI resilience and reliability patterns for AI apps and agents selling through Microsoft Marketplace
Why API resilience is a Marketplace readiness requirement The previous post Design Predictable AI Performance for Apps Selling Through Microsoft Marketplace showed how to design systems that behave predictably when things go right. This post focuses on what happens when they do not. Imagine an enterprise customer launching a trial of your AI agent from Microsoft Marketplace. The first few interactions work beautifully. Then a more complex request triggers a multi‑step agent workflow: retrieval, enrichment, validation, approval. One downstream API stalls for just long enough to push the workflow beyond its timeout. The agent retries. The retry fans out into additional calls. Tokens burn. Costs rise. Eventually the entire interaction fails ambiguously. From the customer’s perspective, the trial just “didn’t work” with no explanation or architecture diagram. Just a stalled agent and decreased confidence. AI apps and agents treat APIs as their execution backbone. Every model invocation, tool call, retrieval query, and workflow step depends on APIs behaving within expected bounds. Solutions with a single unstable dependency can affect many tenants simultaneously. You can always get curated step-by-step guidance through building, publishing and selling apps for Marketplace through App Advisor. This post is part of a series on building and publishing well-architected AI apps and agents in Microsoft Marketplace. The series focuses on AI apps and agents that are architected, hosted, and operated on Azure, with guidance aligned to building and selling solutions through Microsoft Marketplace. How AI and agentic workloads stress APIs differently Traditional API platforms often assume linear, predictable request patterns. One request in, one response out. AI apps produce bursty, non‑linear traffic shaped by user behavior, token budgets, and inference variability. Agents amplify this further. A single user request may trigger planning, branching logic, parallel tool calls, and dynamic retries—all before returning a result. Single‑turn inference calls tend to be synchronous and bounded. Agent workflows may run for minutes, traverse multiple services, and consume tokens unpredictably depending on intermediate outcomes. Happy‑path assumptions break down quickly. Reliability also compounds mathematically. If you chain five APIs, each with 99.9% availability, the composite reliability drops to roughly 99.5%. Add retries without bounds, and the system can degrade traffic rather than absorb failure. For AI systems, reliability must be defined across multiple dimensions: Availability: Are dependencies reachable? Timeout behavior: How long will the system wait? Error propagation: What information crosses boundaries? Recovery safety: Can operations be retried without harm? Data access and integrity: Is contextual data available, relevant, and trustworthy? Defining reliability for AI systems Reliability becomes the mechanism that preserves trust when uncertainty appears. Reliability in AI systems is more than “the model didn’t fail.” That framing is incomplete. True reliability means providing predictable behavior under partial failure, bounding execution when dependencies degrade, and failing clearly, safely, and consistently instead of unpredictably. For publishers providing AI solutions on Marketplace, this includes protecting customers from ambiguous states—workflows that half‑complete, retries that silently multiply costs, or agents that continue planning after their assumptions are no longer valid. Designing resilient API boundaries The shift toward reliable AI systems starts with how you think about API boundaries. In this context, an API boundary is the line where responsibility changes—between your app and a dependency, between orchestration and execution, or between your system and a customer‑ or partner‑owned service. These boundaries are deliberate points of control. You must decide: how long is a call allowed to run? What happens if it fails? Is a retry safe, and if so, how many times? When agents assume that APIs will be reliable, fast, or always available, failure starts becoming systemic. Well‑designed API boundaries stop execution early when reliability assumptions break. Explicit timeouts keep your system from waiting indefinitely when a dependency slows or an API call hangs. Bounded retries allow brief recovery without inflating cost, load, or complexity. Together, these constraints help your system behave predictably, even under stress. This is where your enforcement layers come into focus. For many Marketplace solutions, Azure API Management is where you turn design intent into predictable behavior. At this boundary, you define how your system responds under pressure—how much traffic is allowed, how tokens are budgeted, and how long requests are permitted to run. These policies give you a steady way to shape execution across tenants, even when the systems behind the boundary behave unpredictably. As workflows grow more complex, orchestration layers such as Azure Durable Functions or Logic Apps carry that intent forward. They give you a way to manage long‑running or multi‑step operations explicitly, with clear execution limits, defined retry behavior, and compensating actions when steps fail so you can keep control over how work progresses and how it concludes. Core API resilience patterns for AI apps and agents Several foundational patterns appear repeatedly in resilient AI solutions published on Marketplace. Timeouts and deadline propagation ensure no call waits indefinitely. For AI workloads, these limits should be token‑aware—longer prompts or higher‑cost models require proportional constraints. Deadlines should propagate across calls so upstream services remain informed. Bounded retries protect against transient failures but with pre-defined limits and quotas. In agent workflows, retries should be explicit, counted, and observable. Retrying API calls that execute actions, attempt and fail authentications, or create updates that exceed quotas can lead to runaway failures. Circuit breakers prevent cascading failure by opening when error rates exceed thresholds. Unlike guardrails—which enforce policy by intent—circuit breakers react to system state by pausing execution paths that are no longer reliable. Azure API Management and resilience libraries such as Polly in .NET provide practical implementations. Bulkheads isolate high‑risk or high‑cost operations. Separate concurrency pools, queues, or compute tiers prevent one tenant or workflow from consuming disproportionate resources. This is especially critical for expensive reasoning paths or third‑party dependencies. Idempotency keeps retries safe by ensuring that repeating the same request produces the same result. Agents that take real‑world actions—creating records, approving workflows, triggering payments—must attach idempotency keys so repeat attempts do not multiply side effects. Together, these patterns do not eliminate failure. They contain it. Agent‑specific reliability risks and mitigations Agent autonomy shifts how reliability behaves in practice. Agents change the shape of failure. Because they plan, reason, and act across multiple steps, a single issue rarely stays isolated. When autonomy increases, failures affect more of the workflow and do so faster. Most agent failures fall into two categories and treating them the same way creates instability. Tool failures occur when an external dependency slows, times out, or becomes unavailable. An API may reject a request, enforce a quota, or fail temporarily. These failures require containment. Your system should pause execution, apply fallback behavior, or exit cleanly once limits are reached. Allowing the agent to keep calling tools under these conditions increases cost and load without improving results. Planning failures occur when the agent’s reasoning breaks down. The plan itself is flawed, incomplete, or loops without converging on an outcome. These failures require correction. Step limits, loop detection, and execution caps keep planning from expanding indefinitely and signal when the system should stop and reassess. Making this distinction explicit is what keeps agent behavior predictable. You define how far execution can go—how many steps are allowed, how long a request may run end‑to‑end, and when the system should pause or conclude. By enforcing these limits outside the model, you give agents room to reason while your system provides the structure that contains failure and keeps execution steady as conditions change. As explored in Designing AI Guardrails for Apps and Agents in Microsoft Marketplace, guardrails define what an agent is allowed to do. Resilience patterns determine how your system holds up when dependencies degrade. Together, they enable agents that feel capable and autonomous while remaining stable, bounded, and ready for Marketplace scale. Reliability across external and third‑party APIs Marketplace AI apps rarely operate in isolation. They depend on customer‑owned systems, partner services, SaaS platforms, and external LLM APIs—each with different SLAs and failure modes. Publishers must absorb this variability rather than pass it directly to customers. That means handling throttling gracefully, surfacing authentication failures clearly, and isolating quota exhaustion. Token‑based rate limiting via Azure API Management is especially important for downstream LLM calls, where cost and availability intersect. Remember the SLA math: your effective reliability is the product of every dependency. Designing for the weakest link protects customer perception—and your own margins. Environment‑aware reliability validation As outlined in Designing a reliable environment strategy for Microsoft Marketplace, environment strategy underpins reliable promotion and confident scaling. Reliability cannot be tested only in production. Before Marketplace submission, failure behavior should be validated in staging. Timeouts should trigger as expected. Retries should stop when designed to stop. Circuit breakers should open—and close—predictably. Equally important is environment consistency. Dev, Stage, and Prod environments should enforce the same resilience policies, even if scale differs. Otherwise, failures will appear only when customers are watching. Azure Chaos Studio provides controlled fault injection to test these scenarios intentionally. The goal is to confirm that systems behave consistently under stress. Reliability, ownership, and Marketplace readiness As a publisher, you are responsible for resilient defaults, protection against cascading failures, predictable failure modes, and documented service expectations. Customers, in turn, remain responsible for the reliability of their downstream systems, environment‑level scaling, and internal monitoring. When this boundary is explicit, teams know where responsibility sits and how to respond when conditions change. When ownership is unclear, support escalations increase, accountability blurs, and confidence drops on both sides. Marketplace customers expect clarity about what your solution controls, what it depends on, and how issues are handled when they arise. That clarity directly shapes Marketplace readiness. Reliable execution paths influence certification reviews, determine whether enterprise pilots progress, and establish long‑term operational confidence. During trials, predictable behavior feels professional. It reduces surprise costs, shortens evaluation cycles, and makes adoption decisions easier. In this way, reliability acts as a trust signal and a sales enabler. When customers see that ownership is well-defined and failure is handled intentionally, AI adoption through Marketplace feels safe, bounded, and ready to scale. What’s next in the journey Once execution paths are resilient, your solution’s behavior becomes visible. Circuit breaker transitions, retry frequency, timeout events, and error propagation turn into operational signals that show how your AI app or agent behaves under real load and across customer tenants. This foundation enables the next layer of operational maturity—observability, safe deployment practices, CI/CD for agents, and ongoing evaluation—so you can understand behavior end‑to‑end and operate confidently as usage grows. Reliability makes AI adoption safe; observability makes it sustainable. Key Resources See curated, step-by-step guidance to help you build, publish, or sell your app or agent (no matter where you start) in App Advisor Quick-Start Development Toolkit can connect you with code templates for AI solution patterns Microsoft AI Envisioning Day Events How to build and publish AI apps and agents for Microsoft Marketplace Get over $126K USD in benefits and technical consultations to help you replicate and publish your app with ISV Success
