The CISO question Microsoft just answered with a $15-per-user SKU
Microsoft Agent 365 hit GA on May 1 at $15 per user per month, with Defender able to block coding agents and a cross-cloud registry that already imports agents from AWS Bedrock and Google Gemini. Coding-agent governance just became a procurable SKU, and the next question is who owns the kill switch.
On May 1, Microsoft Agent 365 hit general availability at $15 per user per month. Inside the SKU is a Defender capability that can block coding agents and a registry that already syncs across AWS Bedrock and Google Gemini. The harness-governance question moved from "build" to "buy" overnight, and the next quarter is about who owns the kill switch.
The headline your board saw
Microsoft Agent 365 left preview on May 1 and shipped at $15 per user per month, or bundled in Microsoft 365 E7 at $99 per user per month. The Microsoft Security Blog post ran the line that mattered for engineering leaders. Defender, in Microsoft’s own wording, will be able to “block coding agents and generate detailed alerts to support security investigations.” Thurrott confirmed the same day that controls for GitHub Copilot CLI and Claude Code “will follow” through the same plane. The CFO read the price. The CISO read the Defender line. Both of them want the same answer on Monday.
What it actually means
For most of the last twelve months, harness governance has been a homemade thing. Engineering leaders pieced together permission settings inside each tool, sandbox rules in the IDE, secret scanners on the CI side, and a Slack channel where someone occasionally posted “did Cursor just commit a key.” That worked because the surface was small.
The surface is no longer small. UC Today reported on April 30, citing Microsoft’s Q3 FY26 earnings, the scale that just landed on the security org’s lap.
"Paid seats crossed 20 million, up from 15 million in January, with year-over-year seat adds growing 250 percent."
Add to that the 140,000 organizations now on GitHub Copilot and Copilot CLI usage that, per the same Microsoft commentary, is “nearly doubling month over month.” When Defender becomes the network and identity layer metering and gating that population, harness governance stops being a tooling exercise. It becomes a platform decision.
Agent 365 GA is the first time a CISO can see Claude Code, Copilot CLI, and a homegrown Bedrock agent in one inventory, under one set of policy controls. That is what changed.
The cross-cloud registry sync is the other shoe. Microsoft’s own post says admins can discover agents running on AWS Bedrock and Google Gemini Enterprise Agent Platform and import them into the same management plane. The harness register, which has been a folder of Notion pages and a few wiki entries, now has a vendor with an opinion and a license cost. Agents stop being “developer tools” that quietly escape the security catalog. They become a Defender object class.
I want to be honest about the trade. The good news for an engineering leader is that the kill switch no longer has to be hand-built. The harder news is that the kill switch now has Microsoft’s name on it. Both things are true at the same time.
Three questions your board will ask
“Are we already paying for this and not using it?” If the org is on E5 or E7, parts of Agent 365 ride on licenses already owned. The question is not whether to spend $15 more per user. It is whether existing Microsoft licensing has quietly extended into a coding-agent governance plane that nobody on the security team is configuring yet. Inventory it before the next renewal conversation, not after.
“Does this lock us into Microsoft for harness governance?” Yes and no. The management plane is Microsoft’s. The agents underneath are not, which is exactly why cross-cloud registry sync shipped on day one of GA. The lock-in is at the governance layer, not the harness layer. The contractual answer is to keep the harnesses portable, the policy plane vendor-aware but not vendor-married, and the kill-switch authority inside the security org rather than inside any one tooling vendor.
“What is the kill-switch story if Defender blocks the wrong agent at 2 a.m.?” This is the question that actually matters. A Defender block on a coding agent looks like a normal endpoint event until it is the release pipeline that just lost its agent mid-deploy. The runbook needs to exist before the SKU lands, not after. Who owns the override. Who gets paged. What is the SLA for re-enable. How does the agent’s audit trail survive the block. Those four answers are the difference between a governance plane and a 3 a.m. incident.
The 60-second brief
Coding-agent governance just became a procurable SKU. The CISO can stop building the kill switch by hand. The harness register, which has been a folder of Notion pages and a wiki, just got a license cost, an audit trail, and a vendor with opinions. Decide three things before the next budget cycle. First, whether existing Microsoft licensing already covers part of this. Second, whether the cross-cloud registry replaces the manual harness inventory the security team has been keeping. Third, who owns the kill-switch runbook when Defender does what Defender does. None of this is urgent. All of it is overdue.
What to watch
The next signal is whether non-Microsoft harness vendors publish their own integration into Defender’s blocking and alerting plane, or quietly route around it. Either move tells the engineering org where the leverage is heading. Watch the next round of releases from Anthropic, Cursor, and the parallel-agent platforms for either announcement.
Sources
- Microsoft Agent 365, now generally available, expands capabilities and integrations - Microsoft Security Blog, 2026-05-01
- Microsoft Agent 365 Platform Goes Out of Preview and Adds Support for Local AI Agents - Thurrott, 2026-05-01
- Microsoft Earnings: AI Business Hits 37Bn Run Rate as Copilot Passes 20 Million Seats - UC Today, 2026-04-30