Building a Shared Responsibility Model for Agentic AI

Why Cloud’s Shared Responsibility Works

The cloud shared responsibility model became legible because the layers were separable. Physical infrastructure, virtualization, operating systems, applications, data: each layer has an owner, and the handoff points between them are defined clearly enough to be contractual. 

It took years to get there. Early cloud incidents produced real disputes about who was responsible for what, and the resolution of those disputes shaped the frameworks enterprises now rely on. Organizations that moved fast without understanding the model paid for that education in the form of breaches, compliance failures, and recovery costs. 

The model works now because the questions it answers are settled. Who patches the hypervisor? The provider. Who manages access to the application? The enterprise. The answers may not always be comfortable, but they are known.

Why Agents Make This Harder

An AI agent operating inside your Microsoft 365 environment sits at the intersection of multiple responsibility layers. The enterprise deployed it. Microsoft built the governance infrastructure for these agents, called Agent 365, to make them auditable and controllable. The underlying model came from a vendor that made its own decisions about training, behavior, and outputs, with no enterprise input.

When the agent takes an action that causes harm (sending the wrong communication, accessing data it shouldn't have touched, committing resources without appropriate authority), the question of who owns that outcome is complicated.

Microsoft’s governance framing around Microsoft Agent 365 is an attempt to draw these lines. The platform provides observability, policy enforcement, and audit infrastructure. The enterprise configures those controls, defines what agents are authorized to do, and owns the outcomes of agent actions taken under human authority.

That framing, while reasonable, should still be read carefully, rather than accepted as settled.

What Enterprises Need to Own

The shared responsibility model for cloud works because enterprises understand what they’re responsible for and have built the internal capabilities to own it. Access management, data governance, application security, and incident response are all functions with owners, policies, and operational history.
 
For agentic AI, most enterprises are starting from a different place. The policies that govern agent authorization don’t yet exist. The incident response playbooks don’t contemplate agents as actors. The audit infrastructure may not be configured to capture agent actions in the level of detail that a post-incident review requires.

Agent 365 provides the platform capabilities. Whether those capabilities are configured, maintained, and connected to enforceable organizational policy is entirely an enterprise responsibility, and for most organizations, that work hasn’t happened. Understanding exactly what Agent 365’s governance controls cover and what they don’t is the prerequisite for knowing what the enterprise itself must build.
  
The platform doesn’t govern agents by default, but it does provide the infrastructure for governance that the enterprise has to build on top of it.

What Regulators Will Eventually Require

Regulators in financial services, healthcare, and other sectors are watching agentic AI deployment closely. The direction is clear: enterprises will be expected to demonstrate that they understood what their agents were authorized to do, that they had controls in place to enforce those boundaries, and that they maintained records sufficient to reconstruct agent actions when something went wrong.

That’s the cloud shared responsibility model applied to AI, and the enterprises that build those capabilities now, before regulatory frameworks mature, will be in a substantially stronger position than those that wait for guidance.