InsightAI readinessMicrosoft 365Agentic AI

Agentic AI is arriving through the platforms you already pay for. Can your controls keep up?

For Microsoft 365-heavy organisations, the issue is practical: what can AI access, what can it do, where can sensitive data leave the environment, who approves higher-risk actions, and how will usage and cost be monitored?

This insight covers where AI is already arriving, the control gaps most mid-market environments have today, the Australian baseline that applies, and what AI readiness looks like as engineering work rather than a workshop.

Existing stack / AI ingress / control surface
CONTROL SURFACE ACCESSDATAAPPROVALAUDIT Microsoft 365identity + permissionsCRM / ERPFinance / ProcurementService Desk / OperationsShadow AIdata leaves boundaryAIAIAIAIAI CONTROL BOUNDARY
AccessWhat can AI see?
ActionWhat can AI do?
BoundaryWhere can data leave?
ApprovalWho signs off before execution?
AI readiness

Three checks before AI scales

Agentic AI readiness is not a strategy document. It starts with three practical checks: what changed, what must be engineered, and where visibility is missing.

01

What changed when AI moved from assistive to agentic?

Assistive AI produces content; the user reads it and decides what to do. Agentic AI produces actions: it plans steps, calls tools, retrieves data and executes across systems before anyone has read what just happened.

Control areaAction authority
02

Why is this an engineering question, not a governance one?

Governance frames the rules. Engineering operates them. Once AI can retrieve data, trigger workflows or act through a user's permissions, the work becomes identity, permissions, classification, DLP, audit trails, monitoring, cost control and approval points.

Control areaOperating controls
03

Where should an Australian mid-market organisation start?

Map where AI is already entering the environment, especially through Microsoft 365 Copilot, embedded SaaS agents and unapproved shadow AI. Then identify what those agents can access, where sensitive data can leave, and which actions need human approval.

Control areaVisibility first
The shift

Assistive AI produces content. Agentic AI produces actions.

Assistive AI
  • Produces content
  • User reviews first
  • Primary risk accuracy, privacy, attribution
  • Control focus data use
Agentic AI
  • Executes steps
  • Actions may happen before review
  • Primary risk authority, access, reversibility
  • Control focus permissions, approval, audit, rollback
Prompt
Plan
Retrieve
Act
Log
Review

The risk changes when output becomes action.

Where it is arriving

The agents in your environment are not the ones you decided to deploy.

Most boardroom AI conversations are still framed around "should we deploy AI?" For most organisations, that framing is already behind reality. AI capability is arriving through platforms the organisation already pays for.

Channel 01 · Microsoft 365 Copilot
How AI arrivesEmbedded across Word, Excel, Outlook, Teams and SharePoint.
Risk shiftCopilot acts on the user's permissions and can surface whatever the user can already see.
Control requiredMicrosoft 365 permission hygiene, information structure, sensitivity labels and audit visibility.
Channel 02 · CRM and ERP platforms
How AI arrivesSalesforce, ServiceNow, Workday, NetSuite and similar platforms are embedding agents at platform level.
Risk shiftAgents can act inside systems of record.
Control requiredRole-based access, approval points, change logging and workflow boundaries.
Channel 03 · Finance and procurement tools
How AI arrivesAgents draft invoices, match transactions and approve routine spend.
Risk shiftThe agent moves closer to financial authority.
Control requiredApproval thresholds, segregation of duties, exception handling and audit trail.
Channel 04 · Service desk and operational platforms
How AI arrivesAgents triage tickets, execute routine remediation, update records and escalate with summaries.
Risk shiftOperational action can happen before a human reads the detail.
Control requiredPlaybook boundaries, rollback paths, escalation rules and monitoring.
Channel 05 · SaaS workflow platforms
How AI arrivesAtlassian, Asana, Monday and similar tools add agents across project, task and document layers.
Risk shiftWorkflows and records can be changed across teams.
Control requiredWorkspace governance, access review, data boundaries and ownership.
Channel 06 · User-led shadow AI
How AI arrivesPersonal ChatGPT, Claude, Gemini and other accounts are used for work.
Risk shiftSensitive data leaves the organisation's control boundary.
Control requiredApproved AI pathways, DLP, user guidance and monitoring.

The scale is moving quickly. Industry forecasts put task-specific AI agents in around 40 percent of enterprise applications by 2026, up from less than 5 percent in 2025. The business may not get to choose whether AI appears. It does get to choose whether that AI is visible, controlled and useful.

The control gaps

Nine gaps that show up in almost every mid-market environment.

An AI readiness review is not a strategy exercise. It is a control gap assessment. The gaps are operational, identifiable in days, and most environments have at least six of the nine.

Access
01

Over-permissioned users

Copilot inherits whatever the user can see, so the blast radius of an agent acting through that account is the user's accumulated permissions.

02

No agent approval model

No defined rules for which actions an agent can take autonomously, which require human approval, and which require human execution.

03

No clear owner

AI sits between IT, security, legal, risk, finance and the business, and falls through the gaps between them.

Data
04

Unmanaged sensitive data

Sensitive documents, records and credentials sit outside controlled locations.

05

Weak or absent classification

Without sensitivity labels, DLP cannot apply. The agent treats all data the same.

06

No DLP for prompts and responses

Nothing stops a user pasting confidential data into a personal AI account, and there is no monitoring of what leaves through approved tools either.

Operations
07

No AI register

No central record of which AI tools, agents or features are running, who owns each, and what each can access.

08

No monitoring

No central visibility into who is using AI, which agents are running, what data they touch, or what actions they execute.

09

No AI cost governance

Consumption-based spend grows without owner, budget envelope or review cadence.

The Australian baseline

The six practices that frame what good looks like in Australia.

In October 2025, the Department of Industry, Science and Resources published the Guidance for AI Adoption: Foundations, condensing earlier voluntary guardrails into six essential practices for responsible AI governance and adoption.

The point is not to slow AI down. It is to make adoption credible enough to scale.

Responsible AI adoption baseline
01Accountability
02Impact planning
03Risk management
04Information sharing
05Testing and monitoring
06Human control
The control foundation

The deliverable is a control set, not a strategy document.

A consistent finding across reputable research is that AI programmes struggle less because models are unavailable and more because organisations are not operationally ready. The failure modes, escalating cost, unclear value and inadequate risk controls, are governance and engineering problems, not model problems.

The organisation does not need every control to be perfect before it starts. It does need to know which use cases are low-risk enough to pilot, which need stronger data and permissions first, and which should wait.

Operate
Identity and permissions
Who and what an agent can act as.
Data classification and DLP
What data can move, and where it cannot go.
Audit trails and monitoring
A record of what ran, touched and changed.
Human approval points
Where a person decides before execution.
Approved AI pathways
Sanctioned tools that keep data in boundary.
FinOps for AI
Ownership and envelope for consumption spend.
Outcome metrics
Evidence the control set is working.
The Inlight IT view

Agentic AI is not a feature you can switch on. It is a control surface that has to be operated.

Inlight IT's view is simple: agentic AI should not be treated as a software feature that can be switched on because a vendor made it available. Once AI can retrieve data, trigger workflows, update records or act through a user's permissions, the control surface has changed, and the response has to be engineering, not a policy document.

The AI that puts you at risk is not the AI you bought. It is the AI arriving through the platforms you already pay for.

01

Treat AI as a control surface

02

Start with identity and permissions

03

Control data movement

04

Operate approval, monitoring and cost

Delivery

Where this is delivered.

AI readiness is not a separate discipline bolted onto the environment. It is delivered through the same control foundation that good Microsoft 365 and security operations already rely on: identity hardening, Conditional Access and granular access control on one side, and monitoring, alerting and incident response on the other. A VLI Conveyors Microsoft 365 deployment built that identity and access foundation in practice.

Common questions

Questions organisations ask about agentic AI readiness

What is agentic AI?

Agentic AI is AI that takes action rather than only producing content. An agent plans a multi-step workflow, calls tools, retrieves data from systems, executes actions on the user's behalf and reports back, often before a person has reviewed the result.

How is agentic AI different from Copilot or ChatGPT?

Assistive tools like a chat prompt or a copilot draft produce output the user reviews before anything happens. Agentic capability executes steps across systems, so the risk moves from accuracy and privacy to authority, access and reversibility. Copilot and similar platforms are progressively adding agentic features, which is why the distinction matters inside tools organisations already run.

Why does Microsoft 365 permission hygiene matter for AI?

Copilot acts on the user's permissions and accesses whatever data the user can already see. If users are over-permissioned, the blast radius of an agent acting through their account is the user's accumulated access. Right-sizing permissions is the single most direct AI readiness control in Microsoft 365 environments.

What is shadow AI?

Shadow AI is the use of unapproved AI tools for work, typically personal ChatGPT, Claude or Gemini accounts. Sensitive data leaves the organisation's control boundary every time a prompt is submitted from a personal account, and it usually happens because there is no approved alternative.

What controls should be in place before AI adoption scales?

A practical control set covers identity and permissions, data classification and DLP, audit trails and monitoring, human approval points, approved AI pathways, cost governance and outcome metrics. Not every control needs to be perfect before starting, but the organisation needs to know which use cases are low-risk enough to pilot and which need stronger data and permissions first.

Where should a mid-market organisation start?

Map where AI is already entering the environment, especially Microsoft 365 Copilot, embedded agents in SaaS platforms and shadow AI. Identify what those agents can access, where sensitive data can leave the control boundary, and which actions require human approval before anything is executed.

AI Applications

Turn AI interest into practical use cases your teams can use.

Identify practical AI use cases, data requirements and controls before adoption scales.

Explore AI Applications