
The two-layer model
The agent governance question every CISO asks in May 2026 sounds like a simple "which platform do we pick?" It is actually a "which TWO platforms do we pick?" question, because credible governance for a multi-vendor agent estate requires both:
- Layer 1 — Vendor-native governance. Inside each vendor (Salesforce, ServiceNow, Workday, Google), you need their built-in agent controls because they are the only thing that can enforce policies INSIDE the vendor boundary at the speed and depth required.
- Layer 2 — Cross-vendor governance. Above all the vendors, you need a unified inventory, identity model, audit trail, and policy surface — because the agent estate spans vendors and your IT/SecOps team needs ONE place to govern it.
Neither layer replaces the other. Most enterprises in 2026 will run both: Microsoft Agent 365 for cross-vendor (Layer 2) plus Salesforce Trust Layer + ServiceNow Now Assist Governance + Workday Illuminate controls for vendor-native (Layer 1).
Below is the framework we apply when scoping these decisions for clients.
What each vendor-native layer actually does
Salesforce Trust Layer (for Agentforce). Sits inside the Salesforce platform. Provides prompt grounding (Einstein Trust Layer redacts PII before sending to LLMs), zero-data-retention with model providers, audit trail of agent prompts/responses inside Salesforce, and connector controls for Agentforce actions. Strong inside Salesforce; effectively invisible outside. Pricing bundled with Agentforce.
ServiceNow Now Assist Governance. Native ServiceNow platform controls. Skill scoping (which Now Assist skills are enabled per workflow), prompt redaction, audit logs in ServiceNow's existing audit framework, role-based skill access. Strong inside ServiceNow; doesn't extend to other systems Now Assist might call.
Workday Illuminate controls. Workday-native controls for the Illuminate AI features. Bias monitoring on HR/finance use cases (table-stakes for HR AI), policy controls per process area, audit logs in Workday's audit framework. Strong inside Workday; specifically tuned for HR/finance compliance posture.
Google Vertex AI Model Armor + governance. Google Cloud's native AI governance for Vertex-hosted agents. Prompt filtering, response filtering, abuse detection, IAM-based access. Strong for Vertex-hosted agents; doesn't extend to non-Google agent platforms.
Each vendor's native layer is genuinely good — purpose-built for their platform, operationally embedded in their consoles, and shipped with deep integration into their data model. The problem is not that vendor-native governance is bad. The problem is that vendor-native governance only sees ONE vendor.

Why Layer 2 (cross-vendor) is now table stakes
Three structural shifts make the cross-vendor layer mandatory in 2026:
1. The agent estate spans vendors. The mid-market enterprise we audited last week had: 14 Microsoft Copilot Studio agents, 6 Salesforce Agentforce agents, 4 ServiceNow Now Assist deployments, 2 Workday Illuminate flows, and 3 custom LangChain agents running on AWS. Five vendors. Twenty-nine agents. Five separate audit trails. Five separate identity models. The CISO had no way to answer "show me every agent that touched customer PII this week" without manually pulling logs from five consoles and reconciling timestamps.
2. Compliance regulators expect a single inventory. EU AI Act enforcement begins August 2, 2026. NIST AI RMF and ISO/IEC 42001 audits are being requested in vendor due-diligence questionnaires. All of these expect a SINGLE agent inventory with classification by use case and risk tier. Vendor-native consoles cannot produce this — they only see their own vendor's agents.
3. Incident response needs unified context. When SecOps gets paged that an agent leaked sensitive data, they need to know: which agent, on whose behalf, with what data scope, against which other systems, with what blast radius. That context spans vendors. SOC analysts cannot triage in five separate consoles during an incident.
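The reconciliation problem in shift 1 is concrete enough to show in code. The following is an added illustration, not Agent 365 or any vendor's code: three constructed audit exports with hypothetical field names are normalized into one schema so the estate-wide question "which agents touched PII this week?" and the single inventory from shift 2 can be answered from one place.

```python
"""Cross-vendor agent audit reconciliation (added example, not vendor code).

Each vendor exports audit events in its own shape. Layer 2 governance means
mapping them to one schema so SecOps can ask estate-wide questions without
reconciling several consoles by hand.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample exports. Field names are hypothetical stand-ins,
# not the vendors' real audit schemas.
SALESFORCE = [
    {"agentName": "Agentforce-ServiceBot", "ts": "2026-05-04T09:12:00Z", "piiFields": ["email", "ssn"]},
    {"agentName": "Agentforce-SalesAssist", "ts": "2026-05-05T14:30:00Z", "piiFields": []},
    {"agentName": "Agentforce-Billing", "ts": "2026-04-25T10:00:00Z", "piiFields": ["card"]},  # outside the window
]
SERVICENOW = [
    {"skill": "incident_summarizer", "created_on": "2026-05-06 08:00:00", "data_classes": "internal"},
    {"skill": "hr_case_agent", "created_on": "2026-05-06 11:45:00", "data_classes": "pii,confidential"},
]
LANGCHAIN = [
    {"agent": "aws-langchain-kyc", "start_time": 1778000000, "tags": ["pii", "kyc"]},  # epoch seconds
]
NOW = datetime(2026, 5, 8, tzinfo=timezone.utc)  # constructed "today" for the query window

def normalize():
    """Map every vendor record to one tuple: (vendor, agent, utc_time, touched_pii)."""
    unified = []
    for e in SALESFORCE:  # ISO 8601 with trailing Z
        t = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        unified.append(("salesforce", e["agentName"], t, bool(e["piiFields"])))
    for e in SERVICENOW:  # naive local-style timestamp, treated as UTC here
        t = datetime.strptime(e["created_on"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        unified.append(("servicenow", e["skill"], t, "pii" in e["data_classes"].split(",")))
    for e in LANGCHAIN:  # Unix epoch seconds
        t = datetime.fromtimestamp(e["start_time"], tz=timezone.utc)
        unified.append(("custom-aws", e["agent"], t, "pii" in e["tags"]))
    return unified

def agents_touching_pii(now=NOW, days=7):
    """The CISO's question: every (vendor, agent) that touched PII in the last `days` days."""
    since = now - timedelta(days=days)
    return sorted({(v, a) for v, a, t, pii in normalize() if pii and since <= t <= now})

def inventory():
    """One agent inventory across vendors, the artifact a single-inventory audit asks for."""
    by_vendor = {}
    for v, a, _, _ in normalize():
        by_vendor.setdefault(v, set()).add(a)
    return {v: sorted(agents) for v, agents in by_vendor.items()}

if __name__ == "__main__":
    print(agents_touching_pii())
    print(inventory())
```

In a real deployment the three constructed lists would be replaced by the exports each vendor console actually produces, and the normalized tuples would carry the acting identity and data scope needed for incident triage.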
Microsoft Agent 365 (GA May 1, 2026) is the first credible answer to the cross-vendor problem because Microsoft has the structural pieces — Microsoft Entra ID is already the identity surface for most enterprises, Microsoft Defender XDR is already the SOC platform, Microsoft Purview is already the information governance backbone. Agent 365 extends those three surfaces to cover agents from any vendor.
When you need both — the framework
Here is the decision framework we apply:
Need Layer 1 (vendor-native) governance when:
- You have agents from a specific vendor (Salesforce / ServiceNow / Workday / Google) at meaningful scale
- The vendor's native controls offer specific capabilities the cross-vendor layer cannot replicate (e.g., Salesforce Einstein Trust Layer's redaction is deeply embedded in the Salesforce data model)
- Vendor-specific compliance requirements need vendor-specific evidence (e.g., HR AI bias testing for Workday Illuminate)
Need Layer 2 (cross-vendor / Agent 365) governance when:
- You have agents from more than one vendor (almost every mid-market enterprise above 100 people in 2026)
- IT/SecOps need a unified agent inventory across the estate
- You need Entra-based identity governance for agents (Conditional Access, least privilege, identity governance access reviews)
- You need Defender XDR correlation between agent activity and endpoint/identity/email signals
- You need Purview policies (sensitivity labels, DLP, Records Management) extended to agents from any source
- Compliance requires single-source-of-truth agent inventory (EU AI Act, NIST AI RMF, ISO 42001)
For most clients we engage in 2026, the answer is "both." The vendor-native controls are kept because they're the only thing that enforces deep policies inside each vendor; Agent 365 is added because nothing else gives the unified cross-vendor surface that compliance and SOC operations require.

The "single Agent 365" failure mode to avoid
A common mistake we are seeing in early Agent 365 deployments: organizations turn off vendor-native governance because they think Agent 365 replaces it. It does not.
Agent 365 sees agent activity at the cross-vendor boundary — when an agent registers, when it acts, when it triggers anomaly detection, when policies fire. Vendor-native governance sees activity INSIDE the vendor — at speeds and depths Agent 365 cannot replicate, because doing so would require an integration depth that Microsoft cannot demand of Salesforce or ServiceNow.
Disable Salesforce Trust Layer for Agentforce and you lose the prompt redaction that protects PII inside Salesforce. Disable ServiceNow Now Assist Governance and you lose the per-skill access controls that limit which workflows can invoke AI. Disable Workday Illuminate's bias controls and you lose HR-specific fairness monitoring.
Keep the vendor-native layers. Add Agent 365 above them. The two layers are complementary, not substitutable.
The pricing reality
The two-layer model has a pricing reality that buyers need to understand:
- Vendor-native governance is bundled into the vendor's agent platform pricing. Salesforce Trust Layer is included with Agentforce. ServiceNow Now Assist Governance is included with Now Assist licensing. Workday Illuminate controls are bundled into Workday's AI tier.
- Agent 365 is $15/user/mo standalone, OR included in Microsoft 365 E7 Frontier Suite ($99/user/mo bundle). The ~$15-20/user/mo Agent 365 cost sits on top of vendor-native costs.
For an organization at 500 users with a multi-vendor agent estate, that's $90,000/year for Agent 365 — paid back many times over by the SOC time saved on cross-vendor incident triage and the compliance audit time saved on unified inventory production. But the math has to be done explicitly during procurement.
What deployment of both layers looks like
A two-layer deployment is typically a 6-8 week engagement. Vendor-native governance is configured per vendor (1-2 weeks each, in parallel). Agent 365 is deployed in parallel (4-6 weeks per our earlier playbook). Integration testing at week 6-8 verifies that:
- Vendor-native policies are enforcing correctly inside each vendor
- Agent 365 inventory captures every agent including those governed by vendor-native layers
- Audit trails from vendor-native consoles flow into Defender XDR via Agent 365 connectors
- SOC playbooks for agent incidents reference both layers (vendor-native console for inside-the-vendor context; Agent 365 for cross-vendor context)
The work, and the offer
The free 90-minute IT health check we run for prospective clients includes a multi-vendor agent governance review: inventory of agents across every vendor in your tenant, classification of governance gaps at both layers, and a roadmap for closing them. Yours to keep either way.
The full Microsoft Agent 365 mini-site is at /agent-365. The Microsoft Copilot mini-site is at /copilot. The Copilot Studio + custom agents page is at /copilot/studio. The cross-vendor AI comparison (Copilot vs ChatGPT vs Claude vs Gemini) is at /copilot/comparison.
The two-layer model is the right answer for any enterprise running agents from more than one vendor. We help you scope, deploy, and operate both — without disabling the vendor-native governance you'd regret losing six months later.
