AI agent inventory and least privilege

An AI agent is an identity with permissions and an instruction-following brain. You cannot govern what you cannot see, and most organizations have no inventory of the agents already running in their tenant, let alone what those agents can reach. Senserva builds that inventory deterministically, reading live from Microsoft Graph, and ranks the agents that hold more access than their job needs.

This page covers the deterministic agent auditing at the core of Microsoft AI security: the three-level hierarchy, inheritable permissions, the high-risk Graph scopes Senserva flags, and why over-privileged agents are dangerous.

The three-level hierarchy

Microsoft's agent model has three levels, and permissions inherit down the chain. That inheritance is exactly where risk hides: grant too much at the top and every layer below it carries the same reach. Senserva walks all three levels and reports what each can do.

1. Agent identity blueprint
A permission template. Whatever inheritable permissions it holds flow to every agent and user built on it. Senserva enumerates every blueprint and reads its inheritable scopes.
2. Agent identity (service principal)
The service principal that actually runs as the agent, under a blueprint, with its own granted OAuth scopes. Senserva detects these and reports the scopes they hold.
3. Agent user
A user account bound to an agent identity, inheriting its permissions. Senserva detects these bindings so an inherited grant cannot hide behind a human-looking account.

Deterministic agent checks

These checks read live configuration from Microsoft Graph and report exactly what is there. No guessing, no sampling. This is the inventory and least-privilege backbone.

Check | What it inspects | Severity
Least privilege for agent functions | Inheritable scopes on agent blueprints, flagged when an agent can do more than its job needs. | High
High-risk scopes on agent blueprints | Inherited scopes checked against high-risk Graph permissions such as Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory. | High
Agent identity blueprints discovered | Every blueprint in the tenant, with its display name and inherited scopes. | Medium
Inheritable permissions on blueprints | The presence and content of inheritable permissions that propagate to every agent and user under a blueprint. | Medium
Agent identities (service principals) | The service principals running as agents under each blueprint, with their granted OAuth scopes. | Medium
Agent users | User accounts bound to an agent identity, inheriting its permissions. | Medium

High-risk scopes Senserva flags include Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, Application.ReadWrite.All, Mail.Send, Files.ReadWrite.All, Sites.ReadWrite.All, Policy.ReadWrite.ConditionalAccess, and PrivilegedAccess.ReadWrite.AzureAD, among others.
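
The inheritance walk and the high-risk scope check described above can be sketched as follows. This is an added example, not Senserva's code and not output from Microsoft Graph: the inventory is constructed sample data, the field names and the per-agent "needed" baseline are hypothetical, and it assumes an agent identity's effective scopes are its blueprint's inheritable scopes plus its own grants.

```python
# Added example: constructed data and a hypothetical field layout, not Graph output.
HIGH_RISK = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "Mail.Send", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess",
    "PrivilegedAccess.ReadWrite.AzureAD",
}

BLUEPRINTS = {  # level 1: permission templates
    "bp-helpdesk": {"inheritable": {"User.Read.All", "Mail.Send"}},
    "bp-reports": {"inheritable": {"Reports.Read.All"}},
}
AGENT_IDENTITIES = {  # level 2; "needed" = operator-declared job baseline (assumption)
    "sp-triage": {"blueprint": "bp-helpdesk", "needed": {"User.Read.All"},
                  "granted": {"Directory.ReadWrite.All"}},
    "sp-usage": {"blueprint": "bp-reports", "needed": {"Reports.Read.All"},
                 "granted": set()},
}
AGENT_USERS = {"triage-bot@contoso.example": "sp-triage"}  # level 3 bindings


def effective_scopes(identity):
    """Blueprint-inherited scopes plus the identity's own granted scopes."""
    sp = AGENT_IDENTITIES[identity]
    return BLUEPRINTS[sp["blueprint"]]["inheritable"] | sp["granted"]


def audit():
    """One finding per agent identity, worst first (high-risk count, then excess)."""
    findings = []
    for name, sp in AGENT_IDENTITIES.items():
        inherited = BLUEPRINTS[sp["blueprint"]]["inheritable"]
        scopes = effective_scopes(name)
        findings.append({
            "identity": name,
            "high_risk": sorted(scopes & HIGH_RISK),
            "inherited_high_risk": sorted(inherited & HIGH_RISK),
            "excess": sorted(scopes - sp["needed"]),
            "agent_users": sorted(u for u, i in AGENT_USERS.items() if i == name),
        })
    findings.sort(key=lambda f: (-len(f["high_risk"]), -len(f["excess"]), f["identity"]))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Separating inherited_high_risk from high_risk shows whether the fix belongs on the blueprint, where it removes the scope from every agent built on it, or on a single service principal's grant.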

Why over-privileged agents are dangerous

An agent follows instructions, and those instructions can be poisoned. A single prompt injection, hidden in a document, an email, or a web page the agent reads, can redirect it. If the agent is over-privileged, that injection becomes a path to act with the agent's full reach, with no human in the loop.

  • An agent with Mail.Send can be turned into a phishing or exfiltration channel.
  • An agent with RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All can escalate privilege or alter the directory.
  • An agent with Files.ReadWrite.All or Sites.ReadWrite.All can read, change, or move data across the tenant.
  • An agent with Policy.ReadWrite.ConditionalAccess can weaken the very controls meant to contain it.

Least privilege is the antidote. Scope every agent to the functions it genuinely performs, and the blast radius of any injection shrinks accordingly. Senserva tells you, deterministically, where that principle is being broken.

Know your agents, then constrain them

Inventory comes first, least privilege comes next, and proof closes the loop. Senserva does all three on the Microsoft side and ranks the work so you start with the agents that can do the most damage. For the full Microsoft AI surface, see Microsoft AI security, and for the governance-standard view, see ISO/IEC 42001.
