Practical Entra ID & AI Governance
05.06 2026, 5 minutes read time
TL; DR: How can organizations realize real value from AI agents without losing control of identity, access, security, and compliance?
That was the central topic when Microsoft and Fortytwo invited customers to a professional morning session on Entra ID, AI Governance, and modern identity management.
The event brought together experts from Microsoft, Fortytwo, and Norsk Helsenett to show how organizations can move from experimentation to governed, secure, and measurable use of AI. The program took participants through everything from Microsoft Entra Agent ID and Agent 365, to migration from MIM to Entra ID, concrete experiences from the public sector and how organizations should build governance models for AI agents.
AI Agents must be treated as digital identities
Microsoft’s Kjetil Nordlund opened the professional program with a walkthrough of how AI agents can be managed using Entra Agent ID and Agent 365.
A key point was that AI agents should no longer be understood as loose tools or technical integrations without clear ownership. They must be treated as digital identities with defined permissions, owners, sponsors, and lifecycles. With Entra Agent ID, agents receive their own identities in Entra, and access can be governed according to the same principles used for people and other digital identities: least privilege, clear accountability, time-limited access, and traceability.
Nordlund among other things showed how agent blueprints, agent identities, access packages, and Conditional Access can help organizations gain better control over which agents exist in their environment, which resources they can access, and who is responsible for them. He also highlighted Agent 365 as Microsoft’s control plane for AI agents, bringing together insight, governance, and identity management across Microsoft 365, Entra, Purview, Defender, and Intune.
An important message was that agent governance is not only about granting access. It is just as much about detecting shadow AI, blocking or allowing specific agents, identifying risks related to agent usage, and establishing security controls before the technology is scaled.
From MIM to Entra ID as the core of IAM
Next, Marius Solbakken from Fortytwo, Microsoft MVP, guided participants through a topic many organizations will recognize: the transition from Microsoft Identity Manager and traditional Active Directory-based user management to Entra ID as the core infrastructure for identity and access management.
Many organizations still have identity flows built around HR systems, payroll systems, Active Directory, and MIM. These solutions often work, but they are difficult to change, hard to develop further, and not necessarily suited to a world where applications, data, users, and AI agents increasingly live in the cloud.
Solbakken pointed to the need for a new target architecture in which Entra ID moves closer to the center of the identity architecture. Instead of building new dependencies into old AD and MIM environments, organizations should gradually minimize the role of AD and use modern mechanisms such as Cloud Sync, HR-driven provisioning, lifecycle workflows, and Entra ID Governance.
To succeed with modern IAM, organizations must also clean up the foundation. This means improving data quality from HR, creating clearer joiner-mover-leaver processes, strengthening governance of application access, and taking a more deliberate approach to which systems should be authoritative for identity.
From AI experiments to real value
Finally, Emilie Lundblad from Fortytwo lifted the perspective from identity architecture to the larger question: How can organizations create value with agentic AI?
Many organizations are investing heavily in AI but struggle to move beyond the pilot phase. There are many experiments, but production deployment, benefit realization, and organizational anchoring lag behind. Lack of transparency, unclear ownership, overly broad permissions, weak processes, and low trust often cause AI projects to stall before they deliver measurable impact.
Emilie pointed to four parallel tracks organizations must work on: governance, building, measurement, and scaling. Beneath these sits one shared prerequisite: trust. Agents need the right access to the right context, but they must also be constrained, observable, and governed. An agent is only as good as the data, processes, and controls it is allowed to work within.
A key piece of advice was to start with concrete, measurable improvements rather than chasing grand transformation narratives from day one. Reduced cycle time, improved operational resilience, freed-up capacity, and safer processes may be more relevant goals than broad ambitions of “AI transformation.”
At the same time, it was emphasized that technology is only part of the picture. Emilie highlighted that successful AI adoption is largely about people, culture, and process change. Organizations must understand their maturity level, the roles they have internally, and how they can build AI competence without weakening professional expertise and accountability.
A new phase for identity, security, and AI
The event clearly showed that identity is becoming one of the most important building blocks for secure AI adoption. When AI agents gain the ability to act, retrieve information, use tools, and influence business processes, they must also be covered by the same fundamental principles as other identities in the organization: ownership, access governance, lifecycle management, auditability, and security.
With this event, Microsoft and Fortytwo put the spotlight on an area that is quickly becoming business critical. The question is no longer whether organizations will adopt AI agents. The question is whether they will be able to do so with enough control, enough trust, and enough value.
For organizations already experimenting with Copilot, Foundry, their own agents, or third-party AI tools, the advice is clear: start with visibility. Find out which agents and AI tools exist in the environment. Establish ownership and access governance. Clean up the identity foundation. And build governance in from the start, not as an afterthought.