What happened
Microsoft shipped three AI-agent security capabilities in Sentinel on June 30, 2026. First, the ASIM 'AI Agent Events' schema reached GA, normalizing telemetry from AI-driven workflows and autonomous agents into a common form so a single analytic rule covers all sources. Second, the Agent Identities Asset Connector (public preview) adds four identity tables — agent owners, identities, blueprints, and service principals — enabling full owner-to-permissions-to-resource traceability for AI agents. Third, Sentinel MCP graph tools (public preview) let analysts visualize relationships across identities, devices, and alerts starting from a single alert.
Why it matters
Enterprises deploying AI agents now have a native SIEM data plane for agent activity: normalized telemetry, identity context, and graph-based investigation in one stack. The Agent Identities connector directly closes the 'who owns this agent and what can it touch?' gap that has left most SOCs blind to agentic workloads.
Applicability
Microsoft Sentinel customers running AI agents or Copilot workflows should enable the ASIM AI Agent Events schema and Agent Identities connector immediately; the MCP graph tools are in preview but functional now.