This topic focuses on the governance and security framework required to protect “Autonomous Agents”—which have the power to act on behalf of users—against emerging threats like prompt injection, data exfiltration, and unauthorized tool use.
The 10 failure modes OWASP sees in agentic systems
- Agent goal hijack (ASI01): Redirecting an agent’s goals or plans through injected instructions or poisoned content.
- Tool misuse and exploitation (ASI02): Misusing legitimate tools through unsafe chaining, ambiguous instructions, or manipulated tool outputs.
- Identity and privilege abuse (ASI03): Exploiting delegated trust, inherited credentials, or role chains to gain unauthorized access or actions.
- Agentic supply chain vulnerabilities (ASI04): Compromised or tampered third-party agents, tools, plugins, registries, or update channels.
- Unexpected code execution (ASI05): Turning agent-generated or agent-invoked code into unintended execution, compromise, or escape.
- Memory and context poisoning (ASI06): Corrupting stored context (memory, embeddings, RAG stores) to bias future reasoning and actions.
- Insecure inter-agent communication (ASI07): Spoofing, intercepting, or manipulating agent-to-agent messages due to weak authentication or integrity checks.
- Cascading failures (ASI08): A single fault propagating across agents, tools, and workflows into system-wide impact.
- Human–agent trust exploitation (ASI09): Abusing user trust and authority bias to get unsafe approvals or extract sensitive information.
- Rogue agents (ASI10): Agents drifting or being compromised in ways that cause harmful behavior beyond intended scope.
Real-time User Journey: Secure Autonomous Execution
This journey illustrates how Copilot Studio’s security layers prevent an “Indirect Prompt Injection” attack:
- The Trigger: An autonomous agent is tasked with summarizing a set of incoming emails and syncing action items to a CRM.
- The Threat: One of the emails contains hidden malicious instructions (an “Indirect Prompt Injection”) designed to trick the agent into sending sensitive company data to an external personal email address.
- Real-time Interception: Before the agent executes the “Send Email” tool, the Microsoft Defender for Agents layer inspects the intent. It identifies that the destination address is not on the organization’s “Allow List” and that the payload contains sensitive keywords.
- Governance Block: The agent’s Managed Identity permissions are checked. The system realizes the agent is attempting an action (external exfiltration) that exceeds its scoped authority.
- Safe Resolution: The action is blocked. The user (and IT admin) receives a notification that a suspicious activity was intercepted, and the agent continues with other safe tasks.
Step-by-Step: How to Enable Security Features
To align your agents with the OWASP security recommendations using Copilot Studio tools:
- Step 1: Assign a Managed Identity: Navigate to the agent settings in Copilot Studio and enable Microsoft Entra Agent ID. This ensures the agent has its own identity and doesn’t “ghost” as a high-privilege human user.
- Step 2: Configure Content Safety: Under Settings > Security, enable Microsoft Azure AI Content Safety. Adjust the sliders to “High” for categories like Jailbreak detection and Protected Material.
- Step 3: Define Tool Guardrails: In the Tools tab, for every connector (like SAP or Salesforce), set “User Confirmation” to “Required” for sensitive actions (e.g., deleting records or making payments).
- Step 4: Enable Network Isolation: In the Power Platform Admin Center, configure Virtual Network (VNet) support for your environment to ensure agent traffic never leaves your private network.
- Step 5: Monitor via Defender: Connect your agent logs to the Microsoft Defender for Cloud dashboard to receive real-time alerts on prompt injection attempts.
Infographic: OWASP Top 10 vs. Copilot Studio Protections
This table summarizes how Microsoft’s platform mitigates the most critical risks identified for LLM agents:
| OWASP Risk Category | Copilot Studio / Microsoft Security Solution |
| Prompt Injection | Defender for Agents: Scans inputs for malicious “jailbreak” patterns. |
| Insecure Output Handling | Azure AI Content Safety: Sanitizes agent responses before the user sees them. |
| Excessive Agency | Scoped Managed Identities: Limits what an agent can do based on “Least Privilege.” |
| Data Exfiltration | DLP (Data Loss Prevention) Policies: Blocks sensitive data from being sent to unapproved domains. |
| Insecure Knowledge Access | Tenant Graph Grounding: Respects existing SharePoint/OneDrive permissions automatically. |
References
GM Dynamics & Agentic AI Consulting 