
It is now May. Her account is deprovisioned. Her agent is not.
That agent still holds the authorization scopes she granted it in October. Nobody at the institution knows it exists. Nobody owns it. Nobody is going to review it next quarter, because there is no quarterly review for a thing nobody has on a list.
This is the column. The rest is detail.
Microsoft Shipped. Ellucian and Workday Did Not. The Gap Is the Story.
In April, Microsoft moved Copilot Studio's agentic workflow tooling from roadmap to production. Institutions running A3 or A5 Microsoft education licensing can now deploy configurable agents with granular permission controls, audit logging, and role-based access. The agents administration guide was refreshed on April 30. The security and governance update followed on May 5. Both documents are public, detailed, and apply directly to every Education tenant (sources: Microsoft Copilot Blog, Microsoft Learn admin guide, Microsoft 365 Copilot governance post).
In the same window, Ellucian shipped no comparable announcement. Workday shipped no comparable announcement. Oracle ran a simulated test environment called AiPEX, an interesting research exercise but not an institution-configurable production capability (source: GovTech). One vendor put the keys on the table. The others kept theirs in the desk.
That asymmetry is exactly what I predicted on record. Prediction 3: agentic workflow capability would arrive inside major vendor solutions, and the how-to-implement would be left for the institution to figure out. Prediction 8: Ellucian's AI story would underdeliver. Microsoft did more than I expected on the controls. Ellucian did less. Both predictions are landing in the same week.
What this means for your budget meeting on Tuesday is simpler than the vendor decks make it sound. Your faculty and staff are about to start configuring agents whether your identity team is ready or not. The deployment surface is already in their hands. The question is whether the identity office governs what happens next or finds out about it from an auditor.
The Ghost Account Problem Never Got Solved. The Ghost Agent Problem Is Already Here.
Higher ed is the most attacked sector in the world. Institutions lose an estimated $180 million annually to ghost-student fraud. The average time to detect a credential breach is 241 days. Ninety-one percent of institutions have been breached. These are the receipts on the QuickLaunch identity landing page, and the structural numbers have not meaningfully moved in years.
Now we are layering an agent identity problem on top of an unresolved human identity governance gap and calling it innovation.
The enterprise side has noticed. Cloud Security Alliance published a piece in April arguing that the industry is fixing the wrong problem in non-human identity security. We are hardening credentials while ignoring that the provisioning and deprovisioning lifecycle for non-human identities has no owner on most campuses (source: CSA). C1.ai announced unified identity governance covering both human and non-human identities (source: C1.ai). The Gravitee State of AI Agent Security 2026 report documents AI agents triggering cybersecurity incidents across enterprises, with over-provisioned and orphaned agent identities as the primary attack surface (source: Gravitee). GitGuardian briefed boards on the same gap in February (source: Help Net Security).
A directed search of the trailing two weeks turned up zero policy documents from any higher-ed institution describing formal governance for non-human identities. Zero. Not one university, not one community college, not one state system. The enterprise side is publishing playbooks. Higher ed is publishing nothing.
At least a ghost student account has a registrar somewhere in the org chart who is supposed to care. Who owns the Copilot agent the department head spun up in March and never deprovisioned when the grant ended? Nobody. That is not an opinion. Walk down the hall and ask your IT director who owns service account review for agents that touch Banner. Watch the answer.
The Audit Logs Are Already Running. Nobody on Your Team Is Reading Them.
This is the part I want to be fair about. Microsoft did the work on the controls. The April 25 configuration guide for a secure and governed Copilot foundation includes specific guidance on Power Automate flow identities, required permissions, and monitoring practices (source: Microsoft Learn). The agents admin guide specifies the permission model and role-based access available today. The audit logging exists. The tenant settings exist. The role definitions exist.
A working session on exactly this problem.
On Thursday, May 21, Raymond Todd Blackwood and John Saullo are working through the governance pattern with Damian Clarke, CIO and VP of Technology Services at Alabama State University. How to assign identity, scope, and audit to the agents already running on your campus.
What does not exist is a higher-ed-specific governance framework from Microsoft, because that is not Microsoft's job. The student lifecycle is not the employee lifecycle, and Microsoft wrote the documentation with an enterprise persona in mind. An adjunct who taught one section in the fall is not the same identity object as a salaried employee whose status change flows from a Workday-style HR feed. The Entra Connect synchronization window I have cited before, that quiet thirty-minute gap between a status change in the source system and the access change in the directory, is still there. It now applies not just to the human account but to every agent permission that account ever delegated.
The controls are real. The configuration for an academic population is the institution's problem.
The Protocol Is Not the Story. The Policy Is the Story.
The Internet Engineering Task Force published a draft on AI agent authentication and authorization, covering delegated user access, service-to-service credentials, and workload-identity patterns (source: IETF draft). OAuth 2.0 client credential flows backed by short-lived access tokens remain the most common authorization model in practice. Vendors including Scalekit and Stytch have published architecture guidance for OAuth-based agent authorization (sources: Scalekit, Stytch).
I am flagging this not because the protocol is the story but because it is evidence that the identity community has finally acknowledged agent authorization as a distinct, unsolved problem. That matters for the long game.
What the draft does not do is tell a CIO what to write in a policy, who owns service account review for an agent that calls Banner, or what happens when an agent's access token outlives the employee who authorized it. The standards community is doing its job. The institutional governance community is not yet doing its own.
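The review that the column says nobody on campus performs (the sync-window and delegated-permission point above, and the orphaned-agent case that opens the column) can be made concrete as a reconciliation check. The following is an added example, not the column's, QuickLaunch's or Microsoft's code: it joins a constructed inventory of agent authorizations against constructed directory account status and flags agents whose authorizing account is deprovisioned, that have no owner on record, or that have gone a quarter without review. The record fields, the directory entries and the scope names in the inventory are assumptions for illustration, not any vendor's export format.

```python
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)  # quarterly access review, as the column assumes
TODAY = date(2026, 5, 12)           # constructed "now" for the sample run

@dataclass(frozen=True)
class AgentGrant:
    agent_id: str
    owner: "str | None"          # account that delegated the scopes; None = nobody on record
    scopes: frozenset
    granted: date
    last_reviewed: "date | None"  # None if the grant has never been reviewed

# Constructed directory status of the human accounts that delegated scopes.
DIRECTORY = {"jdoe": "active", "asmith": "deprovisioned"}

# Constructed inventory of agents and the scopes each was granted (field names are assumed).
GRANTS = [
    AgentGrant("grant-reporter", "asmith", frozenset({"Files.ReadWrite.All", "Mail.Send"}),
               date(2025, 10, 14), None),            # granted in October, owner gone in May
    AgentGrant("advising-bot", "jdoe", frozenset({"Sites.Read.All"}),
               date(2026, 1, 8), date(2026, 4, 1)),  # active owner, reviewed this quarter
    AgentGrant("dept-flow", None, frozenset({"Files.Read.All"}),
               date(2026, 3, 2), None),              # nobody has it on a list
]

def findings(grants, directory, today):
    """Return {agent_id: [reasons]} for every grant that needs an owner or a review."""
    out = {}
    for g in grants:
        reasons = []
        if g.owner is None:
            reasons.append("no owner on record")
        elif directory.get(g.owner) != "active":
            reasons.append(f"owner {g.owner!r} is {directory.get(g.owner, 'unknown')}")
        last = g.last_reviewed or g.granted  # never reviewed: the clock runs from the grant date
        if today - last > REVIEW_WINDOW:
            reasons.append(f"no review in {(today - last).days} days")
        if reasons:
            out[g.agent_id] = reasons
    return out

def run_check():  # the reconciliation over the constructed sample data
    return findings(GRANTS, DIRECTORY, TODAY)

if __name__ == "__main__":
    for agent, why in run_check().items():
        print(f"{agent}: {'; '.join(why)}")
```

On the sample data the agent whose owner left is flagged twice (deprovisioned owner, 210 days unreviewed), the ownerless flow once, and the reviewed agent with an active owner not at all; in practice the two inputs would come from the tenant's agent audit log and the directory's account-status export.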
Every campus that reads the standards draft and assumes the engineers will figure it out is setting up the same human-in-the-loop failure I have been documenting for fourteen years, now at the agent layer.
The Agentic University Is a Narrative. The Production Deployment Is Not.
UPCEA published a piece titled *The Rise of the Agentic AI University in 2026* (source: UPCEA). EAB, Inside Higher Ed, and Times Higher Education have all run versions of the same projection (sources: Inside Higher Ed, EAB, Times Higher Education). The analysis is everywhere.
The documented production deployments are not. A directed search of the trailing two weeks returned zero verifiable, non-pilot agentic AI deployments launched by higher-ed institutions. Not a press release, not an incident report, not a case study. Just narrative.
The silence is the diagnosis. Capability is here. Guidance is not. Institutions are reading the projections and nodding. They are not shipping. The CIOs I trust are the ones who can tell the difference between "we are planning agentic workflows" and "we have a deployed agent with a documented authorization scope and a quarterly access review."
I do not believe there are more than a handful of institutions in that second category right now. That is the column's argument in its sharpest form.
Ray's Corner
I have watched Microsoft publish governance frameworks that nobody reads. The agents admin guide went live on April 30. The security and governance update went up on May 5. Both are public, both are detailed, both apply to every Education tenant running A3 or A5 today. My honest prediction is that fewer than one in ten institutions whose IT teams deployed Copilot have opened either document. Not because they do not care. Because nobody told them it was their job.
Here is what bothers me about this moment more than any specific gap in the documentation. The IAM director I respect most at a midsize state university told me last month that she found out about a Copilot agent in her tenant because a faculty member emailed her asking why it stopped working. That was her discovery mechanism. A help ticket. Not a report, not a dashboard, not an access review. A user noticing the agent was broken.
The load-bearing human is still in the loop. She is just not reading the Microsoft Learn documentation, because she is fielding the password reset queue and the SSO break-fix tickets and the request from advancement to add three more apps to single sign-on by Friday. Asking her to also become the agent governance officer for the institution, on top of everything else, is not a plan. It is the same plan we have always had, with a new acronym taped on the front.
The institutions that get through the next eighteen months without an agent incident will be the ones that name an owner for non-human identity now, while it still feels theoretical. The ones that wait for the incident to name the owner will get to name them in front of a regulator.
I would rather you name yours on a Tuesday in May.
*Raymond Todd Blackwood is the President of QuickLaunch and writes about identity, agentic AI, and the messy reality of higher-ed IT. #ItsExistential*