AI Agents Are Already in Your M365 Tenant. Law Firms Should Consider Starting with Deny All.

By Steven Combs posted 2 days ago

  

If you manage IT or security at a law firm, here's something worth sitting with. AI agents are entering your Microsoft 365 environment from multiple directions. Copilot Studio lets any licensed user build and publish one. M365 Agent Builder opens a similar door. Microsoft ships its own native agents inside the M365 suite. Third-party agents can be installed from the marketplace. No single front door. No single approval process. Most firms I talk to don't realize how many agents already exist in their tenant until they go looking. When they do look, the number is often in the hundreds.

That's not a knock on Microsoft. It's a deliberate product philosophy. Lower the barrier to creation, let innovation happen, assume adequate governance is in place. For organizations with mature governance programs, that model can work well. For firms still building that foundation, starting open and governing later carries risk worth thinking through.

Law firms operate under Model Rule 1.6, which creates specific obligations around client confidentiality. Most IT leaders in this space already know that. What's worth examining is how fast those obligations become relevant. An attorney creates an agent connected to SharePoint, email, or a matter management system. The agent starts surfacing information. Suddenly questions about data scope and access control aren't theoretical anymore.

The practical problem is that Microsoft doesn't give you a single switch to shut down all agent activity. Governance is spread across Copilot Studio, Power Platform, Entra ID, and connector policies. Keeping visibility across all those surfaces requires deliberate staffing and process. Not every firm has that today.

What Deny-by-Default Actually Looks Like

A deny-by-default posture doesn't mean no AI. It means capability gets granted on purpose rather than being available to anyone with a license. There are four layers that matter here.

Blocking agent creation at the environment level is the most direct control. Remove the Environment Maker role from the default Power Platform environment. New agents can't be created without going through an approved process. Simple in concept. In practice, many firms have not implemented this control.

Connector lockdown through DLP policy matters just as much. An agent without connectors can't do much. Move connectors to blocked or non-business classification by default. Even existing agents lose their reach into sensitive data unless a specific connector gets approved.

Third-party agent access is the one that gets missed most often. User consent for enterprise app registrations should be disabled. Any outside agent entering your environment should go through an admin consent workflow. Not a one-click install by someone who found something useful on a Tuesday afternoon.

Then there's shadow AI, which none of the above touches. Attorneys using personal ChatGPT accounts or browser tools outside your tenant are outside your governance model. Defender for Cloud Apps can surface and block known unsanctioned applications. But that requires active monitoring and enforcement, not just having the license.
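For the third-party consent layer above, one way to check where a tenant stands and then switch user consent off. This is an added example, not the author's or Microsoft's script; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin can read and update tenant policy, and `$Apply` is a hypothetical switch that keeps the script read-only until set to `$true`.

```powershell
# Added example: audit and (optionally) disable user consent for app registrations.
# Assumes the Microsoft.Graph PowerShell SDK; $Apply is a hypothetical safety switch.
$Apply = $false

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.Authorization'

# The tenant authorization policy lists which permission-grant policies
# ordinary users are allowed to exercise.
$authz    = Get-MgPolicyAuthorizationPolicy
$assigned = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

# Entries prefixed 'ManagePermissionGrantsForSelf.' are what allow a user
# to consent to an application on their own behalf.
$selfConsent = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

# With user consent off, requests should route to the admin consent workflow.
$workflow = Get-MgPolicyAdminConsentRequestPolicy

[pscustomobject]@{
    UserConsentDisabled         = ($selfConsent.Count -eq 0)
    SelfConsentPolicies         = ($selfConsent -join ', ')
    AdminConsentWorkflowEnabled = [bool]$workflow.IsEnabled
}

if ($Apply -and $selfConsent.Count -gt 0) {
    # Remove only the self-consent entries; keep anything else that is
    # assigned so unrelated grant policies are not wiped by accident.
    $keep = @($assigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = $keep
    }
}
```

If the report shows user consent disabled but the admin consent workflow also disabled, users have no sanctioned path to request an app, which tends to push requests out of band.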

A Reasonable Starting Framework

Some firms will run the inventory first to understand scope before applying broad controls. Others will lock things down and work through inventory from a stable baseline. Either way is defensible. Ideally neither step is skipped.   

For firms still building their governance foundation, a three-phase approach tends to work well. Phases one and two can run in parallel or in either sequence depending on your resources. Both need to happen. The order is flexible.

Phase one is containment. Stop new agent creation. Apply strict DLP across connectors. Disable or unpublish agents with no documented owner or business purpose.

Phase two is inventory and reduction. Take stock of what exists. Classify each agent by risk and business value. Work toward a small, documented baseline of approved agents.

Phase three is controlled reintroduction. Build an approval workflow. Maintain an agent catalog with documented owners and data access scope. Use tiered access so expanded capability requires a conversation, not just a license.

Setting Realistic Expectations

Microsoft's governance tools are capable. What they require is deliberate configuration, active management, and someone accountable for watching them. The open-by-default model works when that governance infrastructure exists. When it doesn't, the gap between what users can do and what IT can see tends to grow without much notice.

Many firms are already seeing meaningful value from agents that improve knowledge retrieval, automate administrative processes, and support legal workflows.  The goal is not to reduce innovation. The goal is to ensure innovation happens within a framework that allows firms to understand, approve, and defend how client information is being accessed and used.

For many firms, starting with a deny-by-default governance model and selectively enabling approved capabilities is the more conservative path. It's also the approach that gives firm leadership and technology teams a clearer picture of what's running before something unexpected surfaces.  That visibility matters. It's hard to govern what you didn't know was there.  In a profession built on trust, visibility is often the first step toward defensible governance.
