
Work IQ, Microsoft IQ, and Agent 365: The New Context Layer for Enterprise AI Agents
Work IQ goes GA June 16, 2026. It is the context layer that lets every Microsoft AI agent reach across your tenant. EPC Group explains the Microsoft IQ umbrella, Agent 365 control plane, and the governance work to do before flipping the switch.

This article is part of the EPC Group Microsoft Build 2026 series. For the full strategic read on Project Solara, the Copilot Super App tease, MAI, Scout, MDASH, and RTX Spark — see the pillar: Project Solara, the Death of Apps, and the One Copilot That Wasn't.
There's a particular failure mode I keep encountering in enterprises that rushed to deploy AI assistants over the past two years. The model answers fluently. It sounds authoritative. It uses the right terminology. But the answer it gives is either wrong, stale, or sourced from data the person asking had no business seeing in the first place.
The problem was never the model's vocabulary. The problem was always the context it was operating on.
An AI agent without proper grounding is like a new analyst who has memorized the company handbook but has never actually spoken to anyone in the business. They'll give you an answer. They'll give it with confidence. But the moment you ask something that requires live organizational context — who's working on what, what the current policy actually says, what the project status was this morning — you'll get plausible fiction instead of useful intelligence.
Work IQ is Microsoft's answer to that problem. And at Build 2026, it became the most architecturally significant announcement the enterprise community needs to understand — not because it's the flashiest thing on stage, but because it's the layer everything else runs on.
Before diving into Work IQ specifically, it helps to understand where it sits in the larger architecture. Microsoft introduced the Microsoft IQ umbrella at Build 2026 — described as a "shared foundation built to activate AI agents" across the enterprise. The IQ umbrella comprises four layers: Work IQ, Fabric IQ, Foundry IQ, and Web IQ.
Think of it as the intelligence substrate that separates a connected, governed enterprise agent from a glorified autocomplete engine. Work IQ handles the organizational context layer — your people, documents, communications, calendar, and tools. Fabric IQ handles the business intelligence and semantic layer — your data models, metrics, and ontologies. Foundry IQ is the managed knowledge layer that unifies Work IQ, Fabric IQ, Azure SQL, File Search, and MCP sources behind a single SLA-backed retrieval endpoint — the Foundry IQ MCP server — so agents don't need to know which underlying source to query. Web IQ lives inside Foundry IQ and adds real-time web grounding at sub-165ms latency with zero data retention.
These four layers don't replace each other. They compose. A production agent reasoning over a financial forecast needs Fabric IQ's semantic models to understand what "revenue" means to your business, Work IQ's access controls to verify what the agent is allowed to see, Foundry IQ's unified retrieval to avoid reinventing prior work across disparate sources, and Web IQ to ground currency assumptions in live market data — all without storing that external context in your tenant.
That's not four products. That's one architecture. And Microsoft IQ is accessible across GitHub Copilot, Microsoft Foundry, and Copilot Studio — meaning the governance layer travels with the agent regardless of which surface it's deployed through.
The Work IQ announcement from Microsoft's Tolga Kilicli at the Microsoft 365 Dev Blog is worth reading in full if you are an architect or developer building on this platform. Here are the specifics that matter for enterprise strategy.
Work IQ builds "semantic understanding across Microsoft 365 and external systems with permission-aware governance." It is agent-first by design — not retrofitted from a human UI paradigm. The APIs reach general availability on June 16 with three integration paths: the A2A protocol (Agent-to-Agent, for cross-agent communication), a redesigned remote MCP server, and a standard REST API. If you're building agents that need to interoperate across vendor boundaries, the A2A support is significant: it means Work IQ participates in the emerging open protocol ecosystem rather than requiring vendor lock-in at the interface layer.
One of the most practically important details: API access at GA is independent of Microsoft 365 Copilot licensing. It's consumption-based. This is a meaningful architectural signal. Microsoft is decoupling the grounding layer from the seat-license model. Developers building agents — internal dev shops, ISVs, systems integrators — can access Work IQ's organizational intelligence without requiring every end user to hold a Copilot license. That changes the unit economics of several categories of agent applications.
The Work IQ MCP implementation makes a design decision that I think is underappreciated: it collapses hundreds of Microsoft 365 operations into approximately 10 generic tools covering mail, calendar, files, people, chat, and sites. The getSchema capability lets agents discover the data structure of a tool at runtime rather than requiring hardcoded knowledge of every API endpoint.
This matters because it solves one of the most tedious problems in enterprise agent development: the combinatorial explosion of tool definitions. If your agent needs to interact with a SharePoint list, a Teams channel, a user's calendar, and a shared mailbox, the traditional approach requires explicit integration with four separate APIs, each with its own authentication flow, rate limits, and schema management. Work IQ's generic tool model pushes that complexity down to the infrastructure layer and exposes a uniform interface upward.
The agent doesn't need to know which API underlies "get files from this site." It calls the generic file tool. Work IQ handles the routing.
SharePoint Embedded working storage is the persistent agent workspace within the tenant boundary. This is where agents store intermediate state, working context, and session data — inside your tenant, under your data governance policy, without exfiltrating context to an external service. For enterprise architects who've been worried about the data residency implications of stateful agents, this is a direct answer: the working memory lives in SharePoint Embedded, governed by your existing information protection policies.
Here is where the governance architecture gets genuinely interesting — and where I spend the most time in client conversations. Work IQ's security model is built on three principles that work together:
Small, broad permissions. Rather than requiring an agent to hold expansive delegated permissions across every possible M365 workload, Work IQ scopes the agent's base permission set narrowly and resolves specific access at the moment of tool invocation.
Rego-based policy engine. Every tool invocation is evaluated against a Rego policy — the same policy language used in Open Policy Agent, which enterprises using cloud-native infrastructure will recognize. These policies can express fine-grained, context-aware rules: this agent can access files in this SharePoint site, but only when the request originates from this user, and only when the sensitivity label is below this threshold. The context-awareness is what separates this from a traditional RBAC model.
User-scoped execution. Every tool invocation runs in the context of the delegating user's permissions — not the agent's elevated service credentials. This means an agent can't access data the user couldn't access directly. The agent's capability ceiling is bounded by the human principal behind it.
Full logging. Every tool invocation is logged and evaluated. This isn't optional telemetry — it's the audit foundation that makes the whole governance story credible.
The unified control plane ties these together into something an enterprise security team can actually reason about, audit, and govern. That's not a minor convenience feature. In a world where autonomous agents are reading sensitive mail and acting on calendar data, the ability to answer "who authorized this access, under what policy, at what time, and for what purpose" is the difference between enterprise-grade deployment and liability.
Work IQ governs what agents can see and do at the data access layer. Agent 365 governs the agents themselves — but the timeline matters here. Agent 365 reached GA on May 1, 2026, before Build. It is not a Build announcement; it is production infrastructure that has been running for over a month. It is the unified control plane for observing, governing, and securing enterprise agents: agent registry, visual topology map, the ability to surface unmanaged local agents, and delivery of Defender, Entra, Intune, and Purview protections. What Build 2026 extended is the Agent 365 SDK, which reaches GA at the event, giving developers programmatic access to that registry and governance infrastructure.
The key architectural integration coming in preview in July is native MXC (Microsoft Execution Containers) support. MXC is a cross-platform, policy-driven runtime execution layer for agents running on Windows and WSL — you declare what an agent can access, and containment is enforced at runtime. When Agent 365 integrates natively with MXC, you get a continuous chain of governance from the agent's runtime environment (MXC) through its identity (Entra) through its data access (Work IQ's Rego engine) through its security monitoring (Defender) through its compliance policy (Purview). That's the full governance stack, end to end. It doesn't arrive all at once — MXC integration is July — but it's on a deterministic delivery path.
Alongside the governance tooling, Microsoft also released two open-source frameworks at Build that deserve attention. ACS (Agent Control Specification) is an open standard that gives agent runtimes deterministic allow/deny decisions at five lifecycle checkpoints: input, LLM, state, tool execution, and output. ASSERT is an MIT-licensed eval framework from Microsoft Research that converts plain-text behavioral specs into executable regression test suites, running across LangChain, CrewAI, LiteLLM, OpenAI, and others. Together ACS and ASSERT form Microsoft's open trust stack for agents. If you're building production agents and you're not incorporating these frameworks, you're accepting governance risk you didn't have to take.
Windows 365 for Agents — secure managed Cloud PCs for computer-using agents — is already GA within Agent 365. For organizations running agents that need persistent virtual desktop environments rather than serverless execution, this is the managed infrastructure layer.
Each Autopilot agent (including Scout, Microsoft's first public Autopilot) is bound to its own Entra identity. This is the right architectural decision: an agent is a principal, not a process. It should have a distinct identity, auditable actions, and scoped permissions — not piggyback on a shared service account with god-mode privileges.
I need to be direct about the elephant in the room, because I've seen what's actually inside enterprise Microsoft 365 tenants after years of organic growth.
SharePoint permissions are a disaster in most organizations. I don't mean that as a critique of the people who made those permission decisions — I mean it as a structural reality. Over five, eight, ten years of "just add them to the site," "let's share this folder with the whole team," and "give the contractor access to this library for now," the average enterprise SharePoint environment has thousands of permission entries that nobody has reviewed in years. Sensitivity labels applied inconsistently, if at all. Groups that include former employees. Sites that contain merger discussions from 2019 that were never archived.
Work IQ's Rego policy engine and per-invocation logging are excellent governance controls. They are exactly the right architecture. But here's what they cannot do: they cannot retroactively evaluate whether the underlying permissions in your SharePoint were appropriate in the first place. A Rego policy that says "agent can access files the user can access" will dutifully grant access to the sensitive acquisition documents that were shared to "Everyone except external users" two years ago because someone didn't know how to scope it properly.
The governance architecture in Work IQ is the roof. You still need to build the walls.
The conversation I'm having with clients right now is this: before you enable Work IQ agents over your M365 estate, run a proper permissions audit. Implement Purview sensitivity labels if you haven't. Tighten your Entra Conditional Access. Review your SharePoint sharing settings. Do the messy, unglamorous governance work that doesn't make for a compelling conference keynote but absolutely determines whether your agents are trustworthy or a liability.
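The per-invocation checks described earlier (site scope, user-scoped execution, label threshold, logging) and the over-sharing caveat above can be seen together in a small model. This is an added example, not code from Microsoft or EPC Group: it is written in Python rather than Rego, and every field name, label, site and user in it is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed for illustration: field names, labels, sites and users are
# assumptions, not Work IQ's schema or API.
LABEL_RANK = {None: 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users"}

@dataclass(frozen=True)
class Item:
    path: str
    site: str
    label: str | None           # None = never labeled
    granted_to: frozenset[str]  # users and groups with read access

@dataclass(frozen=True)
class Policy:
    allowed_sites: frozenset[str]
    label_threshold: str        # agent may read only items ranked below this

def evaluate(policy, user, groups, item, audit_log):
    """Deny by default and record every decision with its reason."""
    principals = {user} | set(groups)
    if item.site not in policy.allowed_sites:
        allowed, reason = False, "site not in policy"
    elif not principals & item.granted_to:
        # User-scoped ceiling: the agent never exceeds the delegating user.
        allowed, reason = False, "user has no access"
    elif LABEL_RANK[item.label] >= LABEL_RANK[policy.label_threshold]:
        allowed, reason = False, "label at or above threshold"
    else:
        # An unlabeled item ranks lowest, so the threshold never stops it.
        allowed, reason = True, "all checks passed"
    audit_log.append({"user": user, "item": item.path,
                      "allowed": allowed, "reason": reason})
    return allowed

def oversharing_findings(items):
    """Pre-deployment audit: flag broad grants and missing labels."""
    findings = []
    for it in items:
        broad = sorted(it.granted_to & BROAD_PRINCIPALS)
        if broad:
            findings.append((it.path, "broad grant: " + ", ".join(broad)))
        if it.label is None:
            findings.append((it.path, "no sensitivity label"))
    return findings

ITEMS = [  # constructed sample estate
    Item("/sites/finance/forecast-q3.xlsx", "finance", "General",
         frozenset({"Finance Team"})),
    Item("/sites/finance/acquisition-target.docx", "finance", None,
         frozenset({"Everyone except external users"})),
    Item("/sites/finance/board-minutes.docx", "finance", "Highly Confidential",
         frozenset({"Finance Team"})),
    Item("/sites/hr/salaries.xlsx", "hr", "Confidential",
         frozenset({"HR Team"})),
]
POLICY = Policy(frozenset({"finance"}), "Confidential")
USER = "alex@contoso.example"
GROUPS = {"Finance Team", "Everyone except external users"}

def run_demo():
    """Return (allowed paths, audit log, audit findings) for the sample."""
    log = []
    allowed = [it.path for it in ITEMS if evaluate(POLICY, USER, GROUPS, it, log)]
    return allowed, log, oversharing_findings(ITEMS)

if __name__ == "__main__":
    allowed, log, findings = run_demo()
    print(allowed, *log, *findings, sep="\n")
```

In the sample, the unlabeled acquisition document is allowed with the reason "all checks passed" and logged accordingly, while the audit function flags the same file for both its broad grant and its missing label.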
This is exactly the kind of work EPC Group has been doing for enterprise clients for decades — long before the word "agent" was part of the Microsoft vocabulary. Purview and Entra governance remediations, SharePoint permission audits and cleanup, Copilot readiness assessments. What's changed is the urgency. Agents amplify whatever is true about your data. If what's true is "this is a mess," agents will find that mess and act on it with conviction.
If you're building agents on this platform, a few practical observations before June 16:
The A2A protocol support in Work IQ is worth designing around. Cross-vendor agent interoperability is an emerging capability, and building to open protocols now avoids the re-architecture cost later when your agents need to talk to systems outside your Microsoft estate.
getSchema changes your agent development workflow. Runtime schema discovery means you can build more adaptive agents that handle M365 structural changes gracefully rather than hardcoding against a specific API shape that will change with the next update.
The consumption-based model for Work IQ API access creates a new cost variable you need to model. Unlike a seat license where the cost is fixed regardless of usage, consumption-based pricing means agent workloads with high tool invocation rates will have costs that scale with usage. Design your agent interaction patterns — batching, caching, minimizing redundant invocations — with cost efficiency in mind.
SharePoint Embedded working storage simplifies your state management architecture significantly. If you've been maintaining external state stores for agent session context, evaluate whether SharePoint Embedded handles your requirements within the tenant boundary.
Work IQ, Microsoft IQ, and Agent 365 represent something architecturally significant: Microsoft has decided that agent governance is infrastructure, not configuration. The policy engine, the logging, the identity-bound execution, the containment at the runtime layer — these aren't add-ons. They're the load-bearing walls of the agentic architecture.
That's the right instinct. And it means the conversation in your organization needs to shift accordingly. The question isn't "how do we set up Work IQ?" The question is "what is the state of our identity governance, our data permissions, our sensitivity classification, and our audit posture — and are those in good enough shape to trust an agent with organizational context?"
For a full picture of how Work IQ fits into the broader Build 2026 agentic architecture — including Foundry, MAI models, MDASH, Scout, and Project Solara — read our full Build 2026 enterprise breakdown at epcgroup.net.
If you're ready to assess your tenant's readiness for production agentic deployments, EPC Group's AI Readiness & Governance Assessment gives you a structured, actionable baseline — and our Virtual Chief AI Officer engagement provides ongoing architectural guidance as this platform evolves.
Q: What is the difference between Work IQ and Microsoft Copilot?
A: Copilot is the user-facing AI assistant layer. Work IQ is the underlying organizational intelligence infrastructure that agents — including Copilot — can access to ground their responses in live, permission-aware organizational data. You can build agents that use Work IQ without those agents surfacing through the Copilot interface.
Q: Does Work IQ GA on June 16 require us to have Microsoft 365 Copilot licenses?
A: No. Work IQ API access at GA is consumption-based and independent of M365 Copilot licensing. Developers and organizations can access the agent grounding layer without requiring Copilot seats across the organization.
Q: What is the Rego policy engine and why does it matter?
A: Rego is an open-source policy language (used in Open Policy Agent) that allows you to express fine-grained, context-aware access rules. Work IQ uses Rego to evaluate every tool invocation — not just whether the agent has a permission, but whether the specific request, from this specific user, under these specific conditions, should be granted. It's a significant governance upgrade over traditional RBAC.
Q: What is Agent 365 and when does MXC integration arrive?
A: Agent 365 reached GA on May 1, 2026 — before Build — as the unified control plane for observing, governing, and securing enterprise agents. It provides an agent registry, visual topology map, and Defender/Entra/Intune/Purview integration. The Agent 365 SDK reached GA at Build 2026. Native integration with the Microsoft Execution Containers (MXC) SDK arrives in preview in July 2026.
Q: What should we do before enabling Work IQ agents over our M365 estate?
A: Conduct a permissions audit on your SharePoint and OneDrive environments. Implement or validate Purview sensitivity labels. Review your Entra Conditional Access policies. Tighten sharing settings. Do this before agents start reasoning over your organizational data — not after they surface something they shouldn't have reached.
Most of the Build 2026 coverage focused on Scout, MAI models, and Copilot. Those are real. But the announcement that will shape enterprise AI architecture for the next five years barely made the headlines.
It's called Work IQ.
I've spent 29 years inside the Microsoft ecosystem. I can tell the difference between a feature and a foundation. Work IQ is a foundation.
HERE'S WHAT WORK IQ ACTUALLY IS
Work IQ is the organizational intelligence layer for enterprise agents. It gives agents the ability to access, reason over, and act on your Microsoft 365 data — mail, calendar, files, people, chat, SharePoint — with permission-aware governance built in at the infrastructure level.
The APIs go GA June 16. A2A protocol. Redesigned MCP server. REST. And critically: consumption-based, independent of M365 Copilot licensing.
That last point changes the economics of agent development more than most people have noticed yet.
THE ARCHITECTURE DECISION THAT MATTERS MOST
Work IQ collapses hundreds of M365 operations into approximately 10 generic tools. A getSchema capability lets agents discover data structure at runtime. SharePoint Embedded working storage gives agents persistent workspace inside your tenant boundary.
But the most important thing in the Work IQ announcement isn't the APIs. It's the security model.
Every tool invocation runs under the delegating user's permissions — not the agent's credentials. A Rego-based policy engine evaluates every request with context-aware rules. Everything is logged. Every invocation is audited.
This is what permission-aware governance looks like when it's built into the infrastructure layer. Not configured. Built in.
AGENT 365: WHERE GOVERNANCE SCALES
Agent 365 is the management control plane on top of this. It delivers Defender, Entra, Intune, and Purview protections to agents as first-class managed entities. Windows 365 for Agents is GA now. MXC (Microsoft Execution Containers) integration arrives in preview in July.
Each Autopilot agent — including Scout — has its own Entra identity. That's the right call. Agents are principals, not processes. They should be auditable, scoped, and governed like any other identity in your tenant.
THE THING NOBODY WANTS TO HEAR
Here's what I tell clients — and I'll say it here too.
Work IQ's Rego policy engine is excellent. The logging is excellent. The architecture is right. And none of it compensates for a SharePoint permission estate that hasn't been reviewed since the Obama administration.
An agent that runs under user-scoped permissions will find every file that user can reach. If your SharePoint sharing settings are loose — if "Everyone except external users" has access to things they shouldn't — Work IQ will enforce exactly that. Faithfully. Auditably. Right up until the moment something sensitive surfaces in an agent response.
AI doesn't fix your permission mess. It finds it. It reasons over it. It acts on it with conviction.
WHAT TO DO BEFORE JUNE 16
Run a SharePoint and OneDrive permissions audit. Validate your Purview sensitivity labels. Review your Entra Conditional Access. Tighten your sharing settings. Do the governance work now, before agents are reasoning over your organizational data.
This is exactly what we help enterprise clients do at EPC Group — the unglamorous cleanup work that doesn't make conference keynotes but absolutely determines whether your agents are trustworthy or a liability. AI Readiness Assessments, Purview deployments, Entra remediation, SharePoint governance. We've been doing this for nearly three decades in environments like yours.
The architecture Microsoft announced at Build 2026 is the right architecture. The question is whether your tenant is ready to host it.
What governance gap are you most concerned about as you look at the Work IQ GA timeline?
Founder & Chief AI Architect, EPC Group
Microsoft Press bestselling author with 29 years of enterprise consulting experience.