This session explores the evolution and capabilities of Microsoft Security Copilot, focusing on how it's transforming security operations. Microsoft Security Copilot operates as a unified platform, providing a consistent user experience across its various agents and underlying products. Key features like transparent decision trees, identity and RBAC management, and human-in-the-loop design principles are common across all agents, ensuring that users retain control and can audit AI-driven actions. The Conditional Access Agent, for instance, autonomously scans policies and recommends changes to ensure they align with the current state of the business, enabling rapid updates to security posture and reducing the risk window from months to minutes or hours.
The system incorporates robust guardrails, allowing organizations to control agent operations, particularly concerning new users and applications, and to apply custom natural language instructions to tailor agent behavior. This ensures that AI-generated policy recommendations are balanced with human oversight and business context. Users can also provide feedback to the agents, which directly influences their future reasoning and decision-making, akin to training a new human employee. This continuous learning mechanism is crucial for the AI to adapt to an organization's specific nuances and improve its effectiveness over time.
While agents are designed to handle resource-intensive tasks like triaging user-submitted phishing emails, the generative AI component is not intended for real-time, high-volume inline processing due to its computational demands. Instead, Microsoft focuses on applying AI where it can most significantly augment human efforts, such as automating time-consuming and low-value tasks. The platform aims to provide clear metrics like resolution rates and time to triage, allowing organizations to assess the economic value of deploying these agents. Furthermore, Microsoft is committed to expanding integrations with third-party data sources and partners, empowering agents to leverage a broader ecosystem of security tools and data, and ultimately enabling customers to build more comprehensive and adaptive security workflows.
Presented by Nick Goodman, Product Manager, Microsoft Security Copilot. Recorded live at Security Field Day 13 in Santa Clara, CA on May 29, 2025. Watch the entire presentation at https://techfieldday.com/appearance/microsoft-security-presents-at-security-field-day-13/ or visit https://techfieldday.com/event/xfd13/ or https://techcommunity.microsoft.com/category/security-copilot/blog/securitycopilotblog for more information.