Q: What about security, is delegating work to an agent safe?
Security is the strongest argument for the Microsoft approach, and getting it right is where a partner earns their keep. At SofwareOne, security sits at the core of everything we do in the workplace, so we treat agentic AI the same way: not as a risk to be feared, but as a capability to be enabled safely.
The good news is architectural. Cowork runs entirely inside the Microsoft 365 trust boundary, inheriting your audit logs, DSPM, eDiscovery, Insider Risk Management and Data Lifecycle Management controls. It’s cloud-native (no local file access), it can’t delete your files by design, and it enforces human-in-the-loop checkpoints – a “zero actions” posture that requires explicit human approval before any sensitive external action. A sensible safeguard is to separate the “research and draft” phase of a task from the “execute and send” phase.
The part to plan for: this is a genuinely new class of risk. As the Gartner® security note The Future of AI Security Is in Securing Agent Actions, Not Prompts puts it, with agentic AI: “the primary risk is not what the AI says, but what the AI does.”¹ The perimeter shifts from the words going into the actions the agent takes.
The specific concern is action injection, where malicious instructions hidden in an untrusted email or document hijack an agent that holds real credentials – a risk profile closer to malware behavior (lateral movement, privilege escalation) than to a chatbot mistake. Two gaps to note at GA: Copilot DLP support for Cowork is still in preparation, and for UK/EU tenants the underlying Anthropic models sit outside the EU Data Boundary, so Cowork is disabled by default and needs deliberate admin opt-in. None of this is a reason to avoid Cowork – it’s a reason to enable it consciously, with governance in place.