Microsoft Responsible AI Standard (RAI)
Microsoft RAI began as an ethics-focused governance framework (Standard v2, 2022) covering fairness, transparency, and accountability. By Q1 2026, Microsoft has effectively transcended the RAI Standard with a comprehensive agentic security product strategy that is the most control-rich AI security framework available — 700+ specific controls in Zero Trust for AI (ZT4AI).
Evolution: From Ethics to Security Product Suite
The RAI Standard v2 (2022) remains the published version but is functionally outdated. Microsoft’s actual AI security substance now lives in:
- Zero Trust for AI (ZT4AI) — the control framework
- Agent 365 — the governance control plane product
- Copilot Studio + OWASP ASI mapping — the operational implementation guide
Zero Trust for AI (ZT4AI)
Announced: March 19, 2026
ZT4AI adds an AI pillar to the Zero Trust framework with 700+ security controls across 116 logical groups and 33 functional swim lanes, covering the full AI lifecycle from data ingestion through agent behavior.
Three Zero Trust principles applied to AI:
- Verify explicitly — agent identity and behavior
- Least privilege — restrict model, data, and plugin access
- Assume breach — resilience to prompt injection, data poisoning, lateral movement
Platform lock
ZT4AI’s 700+ controls are Azure-ecosystem-centric. Organizations using multi-cloud or non-Microsoft AI platforms cannot directly implement them.
Agent 365
Announced: March 9, 2026 | GA: May 1, 2026 | Price: 99/month as part of E7)
Agent 365 is the first commercial unified agent governance control plane. Integrates Defender, Entra, and Purview capabilities:
- Security posture management for AI agents
- Attack detection, investigation, and response
- Runtime threat protection for agents
- Shadow AI detection via Entra Internet Access (GA March 31)
- Prompt injection protection via Entra (GA March 31)
- Predictive shielding via Defender (preview)
OWASP ASI Top 10 Mapping
Microsoft published detailed mapping (March 30, 2026) of OWASP ASI categories to specific Copilot Studio mitigations. Microsoft AI Red Team members served on the OWASP Expert Review Board for the ASI Top 10. This is the most operationalized ASI implementation of any vendor.
FIDES Research Framework
The FIDES research framework (May–September 2025, still active) demonstrated zero successful prompt injection attacks using information-flow control with dynamic taint-tracking, evaluated on the AgentDojo benchmark. This is the strongest published defensive result against prompt injection. FIDES is not a productized capability yet.
Coverage Against OWASP ASI Top 10
| ASI Category | Coverage |
|---|---|
| ASI01: Agent Goal Hijack | ● Specific controls |
| ASI02: Tool Misuse | ◐ Partial |
| ASI03: Identity & Privilege | ● Specific controls (Entra) |
| ASI04: Supply Chain | ◐ Partial |
| ASI05: Data Disclosure | ● Specific controls (Purview) |
| ASI06: Memory Poisoning | ◐ Partial |
| ASI07: Insecure Inter-Agent | ◐ Partial |
| ASI08: Cascading Failures | ◐ Partial |
| ASI09: Missing Guardrails | ● Specific controls |
| ASI10: Rogue Agents | ● Specific controls |
Strengths
- Most control-rich AI security framework with 700+ specific controls — far exceeds any other framework’s specificity
- Agent 365 is the first commercial unified agent governance control plane
- OWASP ASI mapping demonstrates practical operationalization with Copilot Studio-specific guidance
- FIDES provides strongest published research result against prompt injection (100% prevention)
- Only vendor mapping entire product stack to the OWASP agentic taxonomy
- Prompt injection protection and shadow AI detection both reached GA March 31, 2026
Gaps and Shortcomings
- ZT4AI is Azure-ecosystem-centric — multi-cloud and non-Microsoft platforms cannot directly implement
- RAI Standard v2 (2022) is outdated; actual security substance lives in product documentation, not a publishable standard
- Agent 365 pricing creates cost barriers and vendor lock-in
- FIDES remains research, not productized
- Does not address open-source agentic ecosystems, MCP servers outside Azure, or multi-vendor agent orchestration
- AI-BOM capabilities absent
- Cognitive file integrity monitoring not addressed
- Platform-level enforcement distinction implied by ZT4AI architecture but not explicitly stated as a design principle
See Also
- OWASP Top 10 for Agentic Applications (ASI Top 10) — ASI Top 10 that Microsoft maps to its product suite
- Google SAIF — Secure AI Framework — comparable agentic security framework from a hyperscaler
- Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal — ZT4AI Pillar 1 (Agent governance, Entra Agent ID, Agent 365) → D2; Pillar 2 (Data + Purview) → D6; Pillar 3 (Prompt Shields, FIDES) → D4; Sentinel + Defender for Cloud Apps → D7
- CoSAI — Coalition for Secure AI — collaborative multi-vendor alternative to Microsoft’s proprietary stack