Microsoft Agent 365 is a control plane for Microsoft-tenant agents. VeriSwarm is a control plane for every agent — wherever it runs, whatever framework it uses, whatever cloud it touches. Multi-cloud trust scoring, immutable audit, and compliance attestation endpoints that exist today.
Microsoft Agent 365 is the agent-governance layer for Microsoft-tenant agents. The other large fraction of enterprise agents lives outside Microsoft — on AWS, GCP, Anthropic, OpenAI, internal LangChain stacks, custom Python. VeriSwarm is the agent-governance layer for those. And the ones that cross the boundary.
Three orthogonal differentiators below. Pick whichever your audience cares about.
Five governance axes. For each, the Microsoft Agent 365 posture as it stood at GA — and the VeriSwarm capability that ships today, with the endpoint that emits the evidence.
Entra-bound. Agent identities live inside the Microsoft tenant; Conditional Access and Identity Protection apply to the agent only when it's an Entra principal.
Most enterprise agent stacks aren't 100% Microsoft. The moment an agent calls AWS, a vendor SaaS, or runs on a non-Copilot framework, Microsoft's identity story degrades to "additional tooling required."
Agents get short-lived ES256 JWTs (1-hour TTL) with audience binding. Downstream services verify the signature against a public JWKS endpoint — no shared secret, no tenant boundary. The same credential works whether the agent is running in your VPC, on Bedrock, or inside a partner's stack.
GET /.well-known/jwks.jsonActivity logged inside Microsoft's tenant under Microsoft's retention and discovery posture. Exportable on Microsoft's terms.
For healthcare, legal, and finserv, "Microsoft says it happened" and "I have a cryptographic receipt I can verify offline" are not the same product. Vault is the answer for the conversation where the customer doesn't want to trust the vendor.
Every audit event is SHA-256 chained to its predecessor. Chain verification is offline-reproducible — hand the export to an auditor and they can verify integrity without a VeriSwarm API call. Chain-aware retention archives older segments to JSONL with a recorded segment_hash and bridges across the boundary so the verifier still works after retention.
GET /v1/suite/vault/verifyGA materials describe "compliance and performance assessment." Framework-specific attestation endpoints are on the roadmap, not in the product today.
EU AI Act enforcement for high-risk systems moved from August 2026 to December 2, 2027 in the May 7 Omnibus deal. The compliance window got longer, not shorter — and the buyers who use it to build durable governance instead of panic-buying two months out are the ones who'll be ready first. A buyer producing evidence today has VeriSwarm or a roadmap link.
Per-framework attestation endpoints emit machine-readable evidence packages auditors can read without your engineering team rebuilding spreadsheets. EU AI Act (high-risk obligations now December 2027 per the May 7 Omnibus deal), NIST AI RMF, ISO 42001, OWASP Agentic AI Top 10 — all live. Five more frameworks in technical preview.
GET /v1/compliance/{framework}Governs the already-classified data inside the M365 data graph. Outside M365 — custom RAG, third-party knowledge bases, MCP tools calling external APIs — the PII problem is the customer's.
The interesting PII problem isn't "data inside Microsoft." It's the moment an agent reads from a third-party knowledge base, calls a vendor API, or hands data to a downstream LLM you don't control. That's where the breach lives.
Recursive PII tokenization across nested payloads using Presidio NER (Microsoft's own library, applied at the agent-tool boundary rather than inside the M365 graph). Guard Proxy sits transparently between agents and their tools, intercepting every call. PII never crosses the boundary — tokens do, and rehydration is session-scoped.
POST /v1/suite/guard/scanPolicy and approval workflows tied to M365/Azure-resource scopes. Strong inside the boundary; degraded outside it.
Cedar is the same language AWS uses for IAM and the language Microsoft's own Agent Governance Toolkit picked for policy. Owning the runtime decision layer in a vendor-portable language matters when the agent crosses cloud boundaries.
Declarative Cedar policies per tenant, evaluated on every decision check. Real-time kill switch with reason codes recorded to Vault. Cortex Workflows include a human_review step type for approvals; cross-model verification routes critical decisions through multiple LLMs with majority consensus. Every block, every override, every approval lands in the audit chain.
POST /v1/decisions/checkWe don't pretend otherwise. If your agents all live inside M365 and you're happy with that, Agent 365 is a reasonable answer. The page below is for the other case.
Microsoft can put Agent 365 in front of every CIO buying E5 today. That's an asymmetry we don't fight on. If you're a Microsoft-first shop and your agents stay in Copilot Studio, the path of least resistance is Agent 365 — and that's fine.
Decades of identity credibility, Conditional Access, Identity Protection, Global Secure Access. If the agent lives entirely inside M365, the governance story is well-integrated. We don't claim parity here; we don't need to.
Agents built in Copilot Studio inherit Agent 365 governance with effectively no integration work. For organizations standardizing on Copilot Studio, that's a real productivity story.
Pricing tells you who a product was designed for. Microsoft's assumes you're already inside the Microsoft licensing universe. We assume you may not be.
Microsoft pricing: $15/user/mo standalone, $99/user/mo in M365 E7 bundle (per GA launch materials, May 1 2026).
EU AI Act high-risk obligations move to December 2, 2027 under the May 7, 2026 Omnibus deal — but compliance teams aren't waiting on the deadline to start asking. If a buyer asks for an attestation today, the answer is either an API call or a roadmap link. Here's the API call.
One trust score request. One verifiable response. Works the same whether the agent is in your VPC, on Bedrock, or running locally in a CI job.
The same call from any agent, any framework, any cloud. Cedar policy evaluation, decision, reason code, and a Vault-logged event ID.
POST /v1/decisions/check
→ {
"decision": "allow",
"reason_code": "trust_above_threshold",
"policy_tier": "tier_2",
"trust_score": 812,
"logged_event_id": "evt_evd_..."
}The attestation a buyer's compliance team is asking for now — even with high-risk enforcement pushed to December 2027 by the Omnibus deal. Generated against live agent traffic, not synthetic data.
GET /v1/compliance/eu-ai-act
→ {
"framework": "eu-ai-act",
"articles_covered": [9,13,14,15,16,17,26],
"evidence_events": 12_847,
"vault_chain_verified": true,
"report_url": "..."
}By mid-2026, every major platform ships its own in-tenant agent governance — and stops at its own boundary. This page argues the Microsoft case in detail, but the same argument holds for the other vendor stacks below. VeriSwarm sits across all of them.
Ships: Einstein Trust Layer, Atlas reasoning engine, Autonomous Shield, Command Center audit
Boundary: Governs agents built on Agentforce. The LangChain agent on AWS or the CrewAI workflow in a customer's VPC is out of scope.
Ships: Open-source guardrails, Nemotron model routing, observability primitives
Boundary: Optimized for NVIDIA-hosted inference. Multi-vendor model fleets need a layer that doesn't assume Nemotron at the bottom.
Ships: Bedrock Guardrails, agent action groups, CloudTrail logging
Boundary: Scoped to Bedrock-hosted agents. Agents on Anthropic API, Azure OpenAI, or self-hosted models aren't in the audit chain.
Ships: Entra Agent ID, Conditional Access, M365 retention, Copilot Studio integration
Boundary: Detailed comparison above. Microsoft-tenant agents only.
Each vendor governs their own boundary well. None of them govern across boundaries. VeriSwarm is the trust plane the “all of the above” fleet needs.
Pretending the comparison is one-sided is a tell. Here's what we're explicitly not arguing.
Start a free Gate tier in under five minutes. Bring an agent running on any framework, any cloud, any model. See the trust score, the policy decisions, and the Vault chain — for an agent Agent 365 can't see.
Sources: Microsoft Agent 365 GA launch materials (May 1, 2026); Microsoft Learn Entra Agent ID documentation; VeriSwarm public API surface (veriswarm.ai/docs).