Project Solara, the Death of Apps, and the One Copilot That Wasn't: What Microsoft Build 2026 Actually Means for Your Enterprise

Less than 5% of the 450 million people paying for Microsoft 365 also pay for Copilot.

Sit with that number for a second. After two of the most aggressive years of AI marketing in the company's history — a Copilot in Word, a Copilot in Teams, a Copilot in Edge, a Copilot in Windows, a Copilot in your taskbar, a Copilot in your security console — fewer than one in twenty seat holders has decided the assistant is worth the upgrade. That is not a model-quality problem. That is not a pricing problem. It's a strategy problem, and this week in San Francisco, Microsoft told us in no uncertain terms that it knows it — and that its answer is far more radical than another assistant.

Build 2026 wrapped at Fort Mason Center on June 2. Satya Nadella opened the keynote, the entire session catalog was built around autonomous agents, and going in, the headline most of the tech press was chasing was a leaked look at a unified Copilot "super app." But the actual showstopper turned out to be something bigger and stranger: Project Solara — a brand-new, agent-first device platform that is not built on Windows at all, and that openly contemplates a future where apps, as we've known them for forty years, quietly disappear. Nadella put the thesis in a single sentence in a conversation with Qualcomm's CEO: "We're moving from building operating systems — devices for apps — to agents" (T3).

That is the most consequential sentence Microsoft uttered all week, and almost nobody is connecting it to the governance reality sitting inside your tenant right now. I will.

I've spent 29 years architecting Microsoft environments — SharePoint since the "Tahoe" beta, Power BI since it was codenamed "Crescent," governance and migration builds for organizations across every industry you can name. So let me give you EPC Group's read on this, and it comes in two parts.

The first part: the strategic direction — one unified Copilot, owned models, and an agent-first device platform — is the right direction, and it's overdue.

The second part — the one most of the coverage is going to skip — is that none of it fixes the thing that's actually keeping enterprise Copilot adoption underwater, and Project Solara makes that thing existential rather than merely urgent. If you don't fix the underlying governance and data-readiness problem first, "one Copilot" and an army of always-on agents on purpose-built devices just become a faster, more powerful way to surface problems you didn't know you had.

Let's walk through what was actually announced, what's real versus hype, what the "death of apps" really means for a regulated enterprise, and what you should be doing about all of it.

What Microsoft Actually Put on the Table at Build 2026

Before we talk about the super app — which, importantly, was not the thing shipping this week — let's be precise about what Microsoft genuinely unveiled at Build, because the model news and the device news are arguably bigger stories for enterprise buyers than the super app ever was.

MAI-Thinking-1. Mustafa Suleyman's Microsoft AI group introduced the company's first dedicated in-house reasoning model. The specifics matter: it's a roughly 35-billion-parameter model with a 128K context window, positioned as a medium-sized, high-efficiency reasoner built for complex multi-step instructions, long-context reasoning, and code generation (Let's Data Science). Microsoft's own materials claim parity with Anthropic's Claude Opus 4.6 on the SWE-Bench Pro coding benchmark, and that independent evaluators preferred it to Claude Sonnet 4.6 on unspecified tests (Let's Data Science). Take vendor-supplied benchmarks with the usual grain of salt — no technical paper, open weights, or benchmark datasets were released — but the strategic signal is unmistakable. For an organization that spent years leaning on OpenAI's models and got caught flat-footed when those models occasionally fell behind rivals, owning a frontier reasoning model is a milestone aimed squarely at enterprise customers.

MAI-Code-1-Flash. Microsoft's inaugural coding-focused model, built for efficiency and cost, and clearly designed to run on Azure to cut developer spend (Let's Data Science). Microsoft is also expanding its in-house lineup across image, speech, and transcription. The throughline: Microsoft wants to stop renting the core of its AI stack and start owning it. As GitHub COO and Microsoft Developer CMO Kyle Daigle framed the reasoning model, it "was designed to be good at complex multi-step instructions, long context reasoning, and code generation" (Let's Data Science).

Azure AI Foundry as the multi-model control plane. This is the one I'd circle in red if I were a CIO. Foundry is Microsoft's platform for building and deploying agents, and it supports models from OpenAI, Anthropic, Mistral, DeepSeek — and now Microsoft's own MAI family. The Build sessions aren't about which model is "best." They're about deploying agents to production and managing what they cost to run. Read that again, because it's the quiet admission underneath all the keynote theater: the future is multi-model, and the hard problem is orchestration and cost governance, not picking a single winner.

Windows gets a real developer mode. Microsoft is introducing a distraction-free, developer-optimized Windows 11 experience that ships pre-loaded with the tools and scripts developers actually use — a direct answer to years of complaints that the default Windows setup fights the people building on it.

Local, on-device AI tied to NVIDIA's RTX Spark. Build is putting heavy emphasis on running models locally on Windows rather than in the cloud. Microsoft has optimized Windows for NVIDIA's new RTX Spark silicon — better workload scheduling, power and thermal management, and unified memory handling — so developers can run heavier AI workloads on the machine instead of paying for cloud inference on every call. For regulated industries, this is far more interesting than it sounds, and I'll come back to why — with the actual silicon specs, because they reframe the whole conversation.

Agent Mode is already the default. Worth noting that Agent Mode is now the default experience inside Microsoft 365 Copilot across Word, Excel, and PowerPoint. The agentic shift isn't coming; for a lot of your users, it's already here.

Scout — the first "Autopilot" agent — went live in the Frontier program. This is the one I'd flag for every security team, and the one the press is rightly calling Microsoft's move from "copilot" to "taking the wheel." Scout is the official name of the OpenClaw-based project led by Microsoft Corporate VP Omar Shahine, and Microsoft calls it a "personal agent for work" — the first public example of a new category it's branding "Autopilots" (GeekWire / Mary Jo Foley). In Shahine's own words, "it operates across cloud, desktop, and web, connecting to Teams, Outlook, OneDrive, and SharePoint, and to the data that powers your day, including chats, email, calendar, and contacts" — grounded through Microsoft's Work IQ context layer (The Register). It proactively preps meetings, flags looming deadlines, blocks focus time, and even spots "risks, like stalled decisions" — critically, and this is Microsoft's word, autonomously, "without needing to be prompted each time" (The Register). It went live to a select group of Frontier-program customers on June 2. Read that sentence again: an always-on agent with cross-tenant reach that acts without per-action approval is now in customers' hands. Hold that thought, because it's the whole ballgame — and I'll come back to the security questions it raises, which are not small.

Project Solara — the announcement that should reframe your entire AI strategy. More on this below, because it deserves its own treatment. The short version: Microsoft unveiled a from-scratch, agent-first device platform — not built on Windows — designed to run AI agents instead of apps. It is the clearest signal yet of where Microsoft thinks computing is going.

So the super app got the pre-show hype, but the substance of Build is this: Microsoft now owns its own frontier models, it's standardizing agent deployment through Foundry, it's pushing AI onto local silicon, it's shipping always-on autonomous agents that act without approval, and it just announced an entire device platform premised on agents replacing apps. Every one of those moves changes what your tenant needs to be ready for.

The Super App That Wasn't: A Verbal Tease, Not a Reveal

Here's where I want to be straight with you, because I cross-check everything and so should you — and the super app is a case study in why.

Going into Build, the rumor mill had this thing all but shipping. Social-media screenshots and pre-show leaks of a sleek four-tab Copilot shell circulated for days; plenty of people expected the super app to be Microsoft's "one more thing" moment in the June 2 keynote. It wasn't. As longtime Microsoft watcher Mary Jo Foley documented, the app — in whatever form it currently exists — was a complete no-show on stage. No live demo. No product reveal (GeekWire / Mary Jo Foley).

What we actually got was a single sentence from Nadella, delivered in passing: "Come summer, we will be bringing coding to all knowledge work within one Copilot Super App. That's really exciting. So you're going to have Chat, Cowork, and Code all in Copilot" (Let's Data Science). That's it. A roadmap-level tease, not an engineering milestone. And that viral "screenshot"? The Verge reported the project is real but the specific image was a mockup built for internal demonstrations — not a finished product. The effort is being driven by Jacob Andreou, the recently appointed EVP of Copilot who reports directly to Nadella and came to Microsoft about eighteen months ago by way of Snap and Greylock (GeekWire / Mary Jo Foley).

I'm flagging the no-show not to dunk on Microsoft — unifying consumer Copilot, GitHub Copilot, and Microsoft 365 Copilot is genuinely hard, and they're right to take the time. I'm flagging it because the gap between the hype and the stage is exactly the gap you should be managing internally. Your executives saw the same leaked screenshots. Some of them think the super app is shipping. It is not. "Come summer" is the only date on the record, and there is no public timeline beyond that. Plan against the reality, not the rumor.

That said, the architecture the reporting describes is consistent and credible. Here's what the unified Copilot is shaping up to be:

• A Code tab carrying the GitHub Copilot mark — with a work-tree picker, support for both local repositories and remote environments, a model selector, your full repo list, and a scheduled-task layer reportedly called "Routines." If you're a team already standardized on GitHub, with millions of paid Copilot developers already in the fold, this is a genuine upgrade rather than a reskin. And it lands right as Microsoft readies its own coding-tuned models, in a market where GitHub Copilot has been losing ground to Cursor and to Anthropic's Claude Code. I'll come back to that fight, because it got a lot more interesting this week.

• A Cowork tab that pulls from multiple sources, aggregates the data, and proactively proposes work — prepping your week off your calendar, researching a target company — with a Library and Projects sidebar that keeps that work separate from plain chat. Early looks show it running in Edge via a URL, so whether it reaches deep into local files or stays largely cloud-bound is still an open question.

• An Autopilot agentic layer. Microsoft's "Autopilots" are the new category of always-on, proactive agents, and the first public one — Scout — already shipped this week into the Frontier program (covered above). Inside the eventual super app, this is the layer that takes initiative across your connected sources rather than waiting to be prompted at every step. The fact that Scout went live as a standalone Frontier release before the super app even has a demo tells you Microsoft is shipping the agent capability ahead of the unified shell that's supposed to house it.

• A personal/enterprise toggle, letting a user move between their consumer Copilot identity and their Microsoft 365 enterprise Copilot inside one shell — and, notably, you'll still be able to reach your individual Copilots outside the super app if you want.

If that overall pattern feels familiar — a single app with chat, coding, and always-on agents behind clean toggles — it's because the entire industry has converged on it. OpenAI is reportedly combining ChatGPT, its Codex coding tool, and a browser into one destination. Apple is expected to ship its first true Siri app. The "super app" is officially the format of the season, and Microsoft is in a footrace to get its version out the door.

Good. Competition forces clarity. I want my clients standing on a unified, well-funded platform. But a front door is only as valuable as the house behind it.

Part One: Why "Seventeen Copilots" Was Always Going to Fail

Let me be blunt about something I've watched play out inside real client tenants for the last 24 months: the Copilot sprawl was confusing the very people paying for it.

There was a consumer Copilot with a peachy, friendly personality and a separate enterprise Copilot wired into Microsoft 365. GitHub Copilot lived in its own universe. Security Copilot, Dynamics Copilot, Power Platform Copilot — each a reasonable idea on its own, each another surface, another login, another "wait, which one am I in and where does my data go?" Ask a CIO that question and you'd get a five-second pause. That pause is the whole problem. People don't adopt — and they certainly don't trust — what they can't locate.

Microsoft's distribution advantage was real. It put Copilot everywhere because it could, and saturation made strategic sense on a whiteboard. But saturation is not adoption. Putting a Copilot button on seventeen surfaces taught users that Copilot was a feature sprinkled on top of apps they already had — not a place where work begins. The under-5% paid-conversion number is the receipt for that strategy.

So when Microsoft says "Delivering one Copilot," I'm not rolling my eyes. I'm nodding. Folding the entry points into a single, coherent home is exactly right. A user who knows there's one place to go, with chat and coding and agents behind clean toggles, is a user who might actually build a daily habit. Habits are where ROI lives. The consolidation is a win, and the engineering behind the Code and Cowork tabs looks genuinely strong.

Now here's the part nobody's going to put in a headline.

Part Two: The 4.5% Problem Was Never a UI Problem

A unified app fixes findability. It does not fix trust, governance, or data readiness — and those three things are what's actually holding enterprise Copilot adoption under the waterline.

Think about what an always-on agent like Scout actually needs to be useful. It has to reach across your calendar, your files, your email, your repositories, and act proactively — before you ask. That is precisely the surface area where I watch organizations get burned. When you hand a proactive agent broad reach across a tenant that was never properly governed, you don't get productivity. You get an oversharing incident with a countdown timer on it. An agent that can read everything will eventually surface everything — including the HR folder somebody set to "everyone in the organization" in 2019 and forgot about, or the M&A working files that were never labeled, or the customer PII sitting in a SharePoint library nobody's audited since the last reorg.

This is not a hypothetical I'm inventing to sell services. Earlier this year, BleepingComputer reported on a confirmed Microsoft 365 Copilot bug that caused the assistant to summarize confidential emails sitting in users' Sent and Drafts folders — messages that carried sensitivity labels and were governed by data-loss-prevention policies explicitly designed to keep automated tools out (BleepingComputer). Microsoft fixed it, and stated the access controls themselves stayed intact. But sit with the lesson anyway: even when the model is behaving and the labels are in place, a single code path can let an assistant reach content it was supposed to leave alone. Now multiply that exposure by an always-on agent with proactive reach across an ungoverned tenant. The bug was the warning shot. The super app is the live round.

The companies that get nothing from Copilot are almost never the ones running a "bad model." They're the ones with:

• Permission sprawl. Years of overshared SharePoint sites, open Teams, and "share with everyone" links that an agent will now happily index, reason over, and quote back to people who were never supposed to see the underlying content.

• No sensitivity labeling. Nothing in Microsoft Purview telling the AI what's confidential, what's regulated, and what it must never surface in a generated answer. The model can't respect a boundary that was never drawn.

• Dirty, ungoverned, contradictory data. Copilot grounds its answers in your content. If your content is stale, duplicated, or self-contradictory, the assistant will confidently hand someone the wrong number — and the first time a leader catches that, trust collapses and never fully comes back.

• No adoption motion. No champions, no role-based prompt libraries, no measurement framework. The license gets bought, sits unused, and shows up as the line item nobody can defend at renewal.

"One Copilot" makes every one of these more urgent, not less. Here's the uncomfortable irony: the friction of having to go find the right Copilot was accidentally acting as a governor on risk. It slowed people down. Remove the friction, add an agent that acts on its own initiative, and the underlying readiness of your tenant becomes the only thing standing between you and either a breakout quarter or a very bad audit. The super app doesn't lower the stakes on governance. It raises them, and it raises them right now.

Scout "Takes the Wheel" — and Inherits Every Risk in the Car

I promised I'd come back to Scout, because it's the single most consequential thing that actually shipped at Build, and it's the cleanest illustration of the gap between Microsoft's vision and your tenant's reality.

The headlines got the framing right: this is the moment Microsoft's AI stops being a co-pilot and asks to take the wheel (The Register). Microsoft's own pitch is that letting Autopilots "operate on autopilot creates a more durable way to keep work in motion so it continues even when your attention is elsewhere" (The Register). Read that as a CISO, not a productivity blogger: an agent doing things across your email, calendar, files, and contacts while no human is paying attention is a description of both the dream and the nightmare, and which one you get is decided entirely by the governance underneath it.

Give Microsoft credit where it's due on the identity design. Every Autopilot is bound to an Entra identity, so its activity can be attributed to a specific person's Scout agent, and organizations can set access controls that constrain what it's allowed to do (The Register). That's exactly right — an agent with its own attributable identity, scoped by policy, is how this should work. But "can be constrained by access controls" is doing enormous load-bearing work in that sentence. The agent inherits whatever permissions your tenant actually grants it, and if your permissions are the overshared mess I described above, then a least-privilege identity model wrapped around a most-privilege tenant is just a tidier label on the same exposure.

And here's the part Microsoft was notably quiet about. Scout is powered by OpenClaw — the same agent platform whose own creators coined the term "vibe slop" and which does not carry a spotless security reputation (The Register). Microsoft says Scout is "built with enterprise-grade security and controls so it can be trusted in your organization from day one," but when pressed for specifics on what protections exist against the common ways agents get exploited, the company didn't elaborate before press deadlines (The Register). That matters, because autonomous agents are routinely manipulated in ways their operators never intended — a malicious webpage can inject a prompt that tricks the agent into leaking sensitive information, and those attacks can fire without any direct user interaction (The Register). An always-on agent that acts unprompted is, by definition, an always-on attack surface that acts unprompted.

Two more practical notes for anyone tempted to pilot Scout tomorrow. First, access is gated: the preview is limited to Frontier-program customers who are also GitHub Copilot subscribers (The Register). Second — and tell your CFO — GitHub Copilot recently moved to usage-based billing that has already produced eye-watering invoices, so an always-on agent burning tokens around the clock is exactly the kind of thing that turns a "let's just try it" pilot into a budget conversation (The Register). None of this is a reason to avoid Scout. It is every reason to scope it, log it, and pilot it against a governed tenant before you let it anywhere near production data.

The "Trojan Horse" Framing — and Why It's a Compliment and a Warning at the Same Time

There's a piece circulating from AI Magazine that calls Microsoft's AI strategy the "ultimate enterprise Trojan horse," and I want to engage with it directly, because the framing is sharper than the headline lets on (AI Magazine).

The argument is not that Microsoft is sneaking something past you. It's that while everyone else fights a public model war — ChatGPT versus Gemini versus Claude, benchmark by benchmark — Microsoft is quietly playing a different game entirely: turning AI into an invisible layer that sits across the operating system, the productivity suite, and the enterprise stack. The "Trojan horse," in their telling, is that enterprises end up adopting an AI-first operating model without ever consciously deciding to switch platforms, because the intelligence is arriving through Windows, Microsoft 365, Teams, Azure, and Entra — software they already trust and already standardized on. As the piece puts it, Microsoft doesn't need to own the best model if it owns the platform where the AI work actually happens.

I think that read is largely correct, and Nadella himself has been saying the quiet part out loud. In a recent statement tied to the agentic announcements, he framed the shift as AI evolving "from answering questions and suggesting code, to executing multi-step tasks with clear user control points," pointing to Copilot Tasks, Copilot Cowork, agentic capabilities in Office, and Agent 365 as the proof points — while explicitly promising organizations "the governance and security controls they need" (AI Magazine). Microsoft's broader "Frontier Firm" vision goes further: a future where every employee works alongside a network of AI agents handling research, analysis, administration, and operational work — where organizations aren't deploying AI tools anymore, they're building digital workforces.

Here's where I have to add the part the analysis piece treats as a footnote and I treat as the headline: a Trojan horse only works because the city wheels it inside its own walls. The genius of embedding AI into infrastructure you already trust is also exactly the risk. When AI arrives through the platforms you've standardized on, it inherits every permission, every mislabeled folder, every overshared site, and every ungoverned data store already sitting inside those walls. Frictionless adoption is frictionless precisely because nobody had to stop and ask the governance question. The "digital workforce" Microsoft is describing is real and it's coming — but a digital workforce operating on an ungoverned tenant isn't a productivity revolution. It's an unaudited workforce with credentials to everything, and it never sleeps. The Trojan-horse framing is a compliment to Microsoft's platform strategy. It should also be a warning to every CISO about what, exactly, you're rolling through the gate.

And notice the through-line back to Foundry. The same article highlights that Microsoft has made the Foundry Agent Service and observability in the Foundry Control Plane generally available — so organizations can build, deploy, monitor, and govern agents across their lifecycle, watch agent behavior, measure performance, and catch failures (AI Magazine). Read that as Microsoft itself conceding the point: agents at enterprise scale are ungovernable without a dedicated control plane. The tooling to watch the digital workforce is now shipping alongside the digital workforce. That's not an accident. That's an admission.

The Multi-Model Reality Microsoft Just Confirmed — and Why It Validates a Truth Layer

Here's the strategic thread running through all of Build that almost nobody is connecting: Microsoft is no longer a single-model company, and it just stopped pretending to be one.

Azure AI Foundry now serves OpenAI, Anthropic, Mistral, DeepSeek, and Microsoft's own new MAI models — including MAI-Thinking-1 for reasoning. The Copilot super app ships with a model selector right in the Code tab. The enterprise future Microsoft is building toward is explicitly, deliberately multi-model. The AI Magazine analysis lands on the same conclusion from the outside: the real cleverness is Microsoft's refusal to tie its future to a single foundation model, embracing both OpenAI and Anthropic inside Copilot on the bet that enterprises will value governance, security, and workflow integration more than the underlying model (AI Magazine).

That's not a footnote. That's the entire game.

When you have a reasoning model from Microsoft, a coding model from Anthropic, an image model from Microsoft, and a chat model from OpenAI all answering questions for your people — sometimes inside the same workflow — you have created a new and very real risk: the same question can produce different answers depending on which model caught it. Different models, different training, different confidence, different blind spots. Without a governance and grounding layer that enforces a single source of truth across all of them, "multi-model" doesn't mean resilience. It means your organization can now be wrong in four different ways simultaneously, at machine speed.

This is the discipline we've built our entire practice around, and it's the reason our tagline is what it is. You can — and increasingly should — use multiple models. But the data they're grounded in, the permissions that gate them, the labels that constrain them, and the definitions they reason over have to resolve to one authoritative answer. Multiple models. One truth. Microsoft just spent its biggest developer keynote of the year confirming the first half of that sentence. The second half is the work, and it doesn't happen by itself.

The Coding-Model Knife Fight Behind the Code Tab

That model selector in the Code tab isn't a cosmetic detail. It's Microsoft quietly admitting it's no longer the default choice for the developers it practically invented this category with.

CNBC laid out the competitive picture this week, and it is not flattering to the incumbent. Microsoft's GitHub Copilot launched in 2021 as the first mainstream AI coding assistant, riding entirely on OpenAI's technology — and for a while it owned the conversation. That conversation has moved. Anthropic has surged to the front on the strength of Claude Code, and just rolled Claude Opus 4.5 with a default one-million-token context window, which is a serious advantage for the kind of large, multi-file coding tasks enterprises actually care about (CNBC). OpenAI pivoted hard toward the enterprise and is pushing Codex directly against Claude Code. Google, by its own CEO's admission, is "currently lagging" on agentic coding — and is spending aggressively to fix that, launching Antigravity and Gemini Code Assist and undercutting on price with a $100-a-month developer tier (CNBC).

So Microsoft's Build positioning — an integrated coding model inside Copilot, reportedly priced to compete, plus a model selector that lets developers reach Anthropic, Google, and OpenAI through GitHub Copilot — is a hedge dressed as a strategy. And honestly, it's the right hedge. The reporting makes the structural point clearly: there's minimal vendor lock-in in this market, because developers test multiple tools and gravitate to whatever's best this quarter. MongoDB's CEO described running three different generative-AI coding tools and wanting the freedom to switch as the leaders trade places (CNBC).

Why does any of this matter to a CIO who isn't shopping for a coding tool? Three reasons.

First, the money. The AI coding-tools market is projected to grow roughly 26% a year, from about $9.3 billion this year to around $30 billion by 2031, and one analyst estimated AI could eventually account for 30% to 60% of R&D spend (CNBC). This is not a line item you can ignore at renewal. And the pricing model is shifting under your feet — Microsoft has started charging for Copilot coding based on usage, reflecting the real cost of running these tools. Snowflake's CEO estimated a single highly productive engineer might burn around $50,000 a year on these assistants (CNBC). Usage-based pricing on an agentic tool with no spend governance is how a "productivity investment" turns into a budget surprise.

Second, the lock-in question runs backwards from what most buyers assume. The vendors want you in their tool not just for the subscription, but because your usage trains their models and pulls you deeper into their cloud. The Code tab's model selector is Microsoft trying to be the place you orchestrate from even when you're not running Microsoft's model. That's smart for Microsoft. Whether it's smart for you depends entirely on whether you've decided your own multi-model and cost-governance policy — or whether you're going to let each developer decide it, one token at a time.

Third, and most important for everything else in this article: this confirms the multi-model future is not a Microsoft marketing posture. It's the actual market structure. The best coding model will keep changing hands. The best reasoning model will keep changing hands. If your governance strategy assumes a single vendor, you will be re-architecting every two quarters. If your governance strategy assumes many models grounded in one trusted, governed data-and-permissions layer, you can swap the engine without rebuilding the car.

MDASH: Microsoft Just Proved My Entire Thesis — In Its Own Security Lab

If you read only one section of this piece, make it this one, because Microsoft quietly shipped the single best argument for everything I've been saying for two years — and almost nobody outside the security press noticed.

It's called MDASH — Microsoft's multi-model agentic scanning harness — and at Build it entered expanded preview with native integration into the Microsoft Defender Portal (TechTimes). On the surface it's a security tool. Underneath, it's a working blueprint for how you actually get trustworthy results out of AI agents at scale — and it looks almost exactly like the multi-AI governance architecture EPC Group has been building into client engagements.

Start with the headline result, because it's stunning. MDASH scored 96.55% on CyberGym — UC Berkeley's benchmark of 1,507 real vulnerability-reproduction tasks across 188 open-source projects, where "success" means generating a proof-of-concept that triggers a flaw in the unpatched code but not the patched version (TechTimes). It launched at 88.45% on May 12 and climbed roughly ten points in under three weeks, leading the public leaderboard. This isn't a chatbot guessing. In production in May 2026, MDASH found 16 previously unknown vulnerabilities in Windows' networking and authentication stack — four rated Critical, including an unauthenticated use-after-free in tcpip.sys and an IKEv2 double-free — all patched in that month's Patch Tuesday (TechTimes). Real zero-days, found by agents.

Now look at HOW they built it, because this is the part that should be printed and taped to every AI strategy deck. Taesoo Kim — the Microsoft VP of Agentic Security who led the Georgia Tech team that won DARPA's AI Cyber Challenge — summed up the entire philosophy in seven words: "The model is one input. The system is the product" (TechTimes). Read that again. The most advanced AI security system Microsoft has ever shipped is built on the explicit premise that the model is not the point — the architecture around it is.

And that architecture is a five-stage pipeline of more than 100 specialized agents, model-agnostic by design (TechTimes): a Prepare stage that maps the attack surface; a Scan stage where "auditor" agents generate hypotheses with supporting evidence; a Validate stage where "debater" agents argue both sides of whether a flaw is actually reachable and exploitable — and here's the line that made me grin — "disagreement between models is treated as a confidence signal rather than a noise event"; a Dedup stage that collapses equivalent findings; and a Prove stage that constructs and executes a real triggering input to dynamically confirm the flaw before a single human ever sees it (TechTimes).

If that sounds familiar, it should — it's the exact posture I described us building two sections ago. Cross-model adjudication where disagreement is signal, not noise. A verification gate (the Prove stage) that demands hard evidence before anything is trusted. Model-agnostic design so you swap the engine through a config change and A/B-test it without rebuilding the system. Source-traceability and dedup so claims are clean and attributable. Microsoft, in its own security lab, independently arrived at the same conclusion EPC Group ships to clients and the same one Perplexity reached with Search as Code: the model is a component; the governance is the product. Three parties, three starting points, one architecture.

There's even a smart cost-governance lesson baked in: MDASH runs expensive frontier models only on the heavy reasoning in the Scan and Validate stages, and cheaper distilled models on the high-volume passes (TechTimes). That's how you make multi-agent systems affordable — right-size the model to the job, don't pay frontier prices for grunt work.

The Defender integration is the practical enterprise payoff. MDASH findings now flow into the Defender Portal through native integration with GitHub Code Security (the renamed successor to GitHub Advanced Security), enriched with production risk signals like internet exposure and data sensitivity, so a security team triages from the console it already lives in — and once a finding is confirmed, GitHub Copilot Autofix generates, assigns, and validates the remediation right in the workflow (TechTimes). Role-based access controls keep unpatched findings visible only to authorized personnel — a quiet but important nod to coordinated disclosure, since a working exploit shouldn't be broadcast before the patch ships. Accenture's CISO called it a shift from reactive rule-based scanning to agentic systems that reason across a codebase the way a skilled researcher would; PwC's cyber-risk leader framed it as helping organizations stay ahead of AI-accelerated attack sophistication (TechTimes).

One honest caution, because it cuts both ways. A system that can autonomously construct working proof-of-concept exploits is inherently dual-use — the same capability that finds your zero-days can weaponize someone else's. Microsoft's answer is a restricted-preview model with role-based access controls, and the broader field is converging here too: Anthropic's restricted security model reportedly found over 6,000 high- and critical-severity vulnerabilities across open-source projects in its first month, and OpenAI offers a hardened model for triage and red-teaming (TechTimes). The capability is here. Whether it protects you or gets pointed at you is, once again, a governance question.

The takeaway for your enterprise is bigger than security tooling. MDASH is Microsoft demonstrating — with a leaderboard score and 16 real Windows CVEs — that the winning move with agentic AI is not a better model. It's a disciplined multi-agent system with verification, cross-checking, traceability, and human gating baked in. That is the same architecture that turns vibe slop into reliable code, the same one that turns a confident-but-wrong Copilot answer into a trustworthy one, and the same one your tenant needs before you let Scout or a Solara badge act on your data. Microsoft just proved the thesis in its own lab. The only question is whether you apply it before your agents go live, or after the cleanup bill arrives.

Project Solara: Microsoft Just Declared the Death of the App — and Most People Missed Why It Matters

Now we get to the announcement that should genuinely change how you think about the next decade, and the one I'd put at the center of any serious enterprise AI conversation. Forget the super app for a moment. The most radical thing Microsoft revealed at Build is called Project Solara, and it is nothing less than Microsoft's bet on what replaces the operating-system-and-apps model we've all lived inside for forty years.

Let me describe it plainly, because the official framing is dressed in a lot of "agent-first" poetry. Project Solara is a from-scratch device platform — "a chip-to-cloud platform," in Microsoft's words — designed to run AI agents instead of apps. And here's the detail that made me put my coffee down: it is not built on Windows. It runs on the Microsoft Device Ecosystem Platform, or MDEP, which is Microsoft's enterprise-grade variant of Android, built on AOSP — the same lineage Microsoft already uses for its Teams meeting-room hardware (GeekWire). Microsoft chose Android over Windows deliberately, so these devices can run on small, low-power hardware while keeping the management and security IT departments demand. Sit with the symbolism of that for a second: the company that won the last era by owning the OS that ran the apps just announced its agent-first future on an OS that isn't Windows. When even Microsoft is willing to let Windows take a back seat, the "death of apps" is not a hot take anymore. It's a roadmap.

Stevie Bathiche, the Microsoft technical fellow who leads the Applied Sciences Group behind Solara, put the thesis bluntly: "Boundaries are collapsing. You don't necessarily need the traditional app model. You don't need the traditional way of developing experiences" (GeekWire). Microsoft's own platform documentation describes the shift as moving "from apps to agents — from software you open to intelligence you invoke; from graphical interfaces of buttons to expressing intent through agents; and from AI operating inside your applications to agents working outside and across your apps, workflows, and devices" (Microsoft Command Line). And Nadella tied it to hardware in his conversation with Qualcomm's Cristiano Amon, where Amon argued the smartphone has been the center of the digital world until now — but with AI able to understand everything, the agent becomes the center, doing things without you ever opening a piece of software (T3).

What Microsoft actually showed

This isn't pure vision-deck vapor. Microsoft showed two working concept devices, both aimed squarely at the enterprise, not the consumer:

• The Desk device — a small touchscreen hub that looks a lot like an Amazon Echo Show and sits beside your PC. It signs you in with facial recognition (Windows Hello for Business), surfaces only your most pressing items through curated "Priority Cards," and gives you Microsoft 365 Copilot voice grounded in your WorkIQ data. The clever part: it pairs with your PC over Bluetooth, hands tasks back and forth, keeps lock state in sync, and — with an external display attached — transforms into a full Windows 365 cloud PC (GeekWire, Microsoft Command Line). Bathiche's framing was pointed: an Echo Show sitting next to your PC has no idea the PC exists. This one does.

• The Badge device — a wearable that reimagines the standard employee ID card, which Applied Sciences lead Steven Bathiche called "a lightweight digital badge designed for seamless agent interactions while on the move" (CNET). You unlock it with a fingerprint and drive the agent by voice; a single tap records and transcribes a conversation; a built-in camera lets the agent act on what you're looking at. In the healthcare demo, the badge scanned a patient's QR code, recorded and transcribed the visit, logged vitals, and started a prescription — hands-free (GeekWire). On stage, Bathiche even had the badge photograph the Build audience, then asked Copilot to pick the best shots, enhance them, and send them to his team — a small demo with a large implication about what an always-watching badge can reach (CNET). Microsoft says it lasts about a week on a charge and presents a far smaller attack surface than a phone, and Bathiche framed it as "a comprehensive solution for creating distinctive agent-centric devices" (CNET).

The engineering signal underneath those demos is the part I found most telling: Microsoft says it got the Badge running on the platform in about three days, reusing the same software as the Desk device on a completely different chipset from a different vendor (GeekWire). That's the whole pitch in one fact — when specialization gets cheap, a thousand purpose-built form factors become viable. The silicon partners are Qualcomm (the Badge) and MediaTek (the Desk), both using off-the-shelf rather than custom chips, and the early enterprise pilots include AccuWeather, Best Buy, CVS Health, Levi's/Levi Strauss, and Target (GeekWire, CNET). Microsoft will not ship these devices itself — it's providing reference designs and expecting hardware makers to turn them into products for specific industries: healthcare, retail, hospitality, financial services, legal, field service.

One more dated specific worth putting on your calendar: the Work IQ context layer that grounds these devices — the framework that gives an agent access to your Microsoft 365 emails, documents, and meetings, and that powers both the Solara Desk and Scout — reaches general availability on June 16, 2026 (CNET). That date matters more than the concept hardware, because Work IQ is the connective tissue: the moment it's GA, the grounding layer that lets agents reach across your tenant is no longer a preview. The devices are years out. The thing that makes them dangerous on an ungoverned tenant ships this month.

Why this is a governance earthquake, not a gadget story

Here's where I have to put on my 29-years-in-the-trenches hat, because the tech press is covering Solara as a cool-hardware story and almost entirely missing the enterprise risk profile.

A Project Solara device is, by design, an always-listening, always-watching, always-acting agent endpoint wired into your tenant. The Badge has a far-field microphone array and a camera that the agent uses, with permission, to understand and act on the physical environment. The Desk has presence sensors and Copilot voice grounded in WorkIQ — which means grounded in your organization's data. These devices authenticate with Entra ID, are managed through Intune, and run agents that reach across Microsoft 365 (Microsoft Command Line). That is a genuinely elegant enterprise design. It is also the single largest expansion of the AI attack-and-exposure surface I have seen Microsoft propose.

Think about what "agents instead of apps" actually removes. The app was never just a UI. The app was a boundary. It defined what data a tool could touch, what it could do, and where the audit trail lived. When you replace "open the app, navigate to the record, take the action" with "express intent and let an agent act across everything," you have dissolved the very boundary that governance, DLP, and least-privilege design have always relied on. Microsoft's own description is explicit: the agent now sits "between user intent and distributed execution," and "the UI becomes more like an adaptive access layer" (Microsoft Command Line). An adaptive access layer to everything is exactly as powerful — and exactly as dangerous — as the governance underneath it.

And this is a multi-agent world by design. Microsoft is explicit that there will be no single dominant agent; organizations will run Microsoft's agents alongside their own, coordinated by an "agent dispatcher" and an "agent task manager" that automatically surface agents on your behalf (Microsoft Command Line, Neowin). So picture the steady state: purpose-built devices in your hospital wards, on your retail floor, at every desk, each running multiple agents that activate automatically, grounded in your data, acting without per-step approval, on a non-Windows OS most of your security team has never hardened. The convenience is real. So is the exposure. Every governance failure I described in Part Two — permission sprawl, missing labels, dirty data — doesn't just surface faster on Solara. It walks into the room wearing a badge and starts taking actions.

To Microsoft's genuine credit, they did not bolt governance on as an afterthought. The Solara platform names enterprise manageability, identity, security, privacy, and user control as foundational pillars: MDEP for managed updates and device integrity, Microsoft Defender, Intune, Entra ID sign-in, Windows Hello for Business biometrics, physical mic-mute switches, and clear recording indicators (Microsoft Command Line, GeekWire). Bathiche made the security case directly: asking a nurse to pull patient data up on a personal phone felt wrong to patients and created security problems, whereas a purpose-built device has a far smaller attack surface (GeekWire). I agree with every word of that. But — and this is the EPC Group point — every one of those controls is a control over the device and the identity. None of them governs whether the data the agent reaches is properly labeled, whether the permissions it inherits are scoped, or whether the answer it gives is grounded in a single source of truth. The platform secures the endpoint. It does not clean your tenant. That part is still on you, and Solara raises the stakes on it by an order of magnitude.

The honest timeline — and why that's the opportunity

Now the reality check, because I'm not here to help anyone panic-buy a badge. Solara is, in Microsoft's own words, "still early." The private pilots start "in the coming months," hundreds of Microsoft employees are dogfooding the concept devices internally, and credible coverage puts any tangible consumer product "at least a few years" out (Neowin, GeekWire). The business model is, by Bathiche's own admission, still taking shape — the one concrete piece is that the devices run on Azure (GeekWire). And history is littered with AI-first hardware that flopped: the Rabbit R1 and the Humane AI Pin both promised an agent-runs-everything future and both landed as expensive curiosities (T3). The T3 analysis nails the real barrier, and it's the same one I see in every boardroom: this isn't fundamentally about computing, it's about trust. People — and compliance officers — are not yet ready to hand an agent the keys to health data, financial data, and the data of their personal lives (T3).

That's exactly why the years-long runway is a gift, not a reason to ignore this. The organizations that will be ready to safely deploy agent-first devices the moment they mature are the ones using the runway right now to get their tenant governed, their data labeled, their permissions scoped, and their agent boundaries defined. The ones who wait until a vendor ships them a box of badges will be doing emergency governance under deadline pressure — which, as I argue everywhere, is how the expensive cleanups happen. Solara doesn't change the readiness work. It just raises the ceiling on what that readiness eventually unlocks, and the floor on what happens if you skip it.

The Local-AI Angle That Regulated Industries Should Be Paying Attention To — Now With the Actual Silicon

Most of the coverage is treating the RTX Spark and on-device AI story as a developer-convenience and cost-savings play. It's both of those things. But for healthcare, financial services, government, and any other organization living under strict data-residency and compliance rules, local inference is something much more important: it's an architecture where sensitive data can be reasoned over without leaving the machine or the tenant boundary.

And the silicon is no longer a footnote. At Computex in Taiwan, Nvidia CEO Jensen Huang unveiled the RTX Spark "superchip" and, in characteristic Jensen fashion, declared that "Microsoft and Nvidia are going to reinvent the PC," calling it "the first completely reengineered, reinvented line of PCs that has happened in 40 years" (Information Age / ACS). The specs are the part that should make a regulated-industry architect sit up: a Blackwell RTX GPU paired with a 20-core CPU, 128 gigabytes of unified memory, roughly 70 billion transistors, and about 1 petaflop of AI performance — built explicitly to run local AI agents and reduce reliance on cloud-based AI services (Information Age / ACS). The chip is expected to start showing up from September in machines from ASUS, Dell, HP, Lenovo, Microsoft Surface, and MSI, with Acer and GIGABYTE to follow (Information Age / ACS).

Nadella framed Microsoft's stake plainly: "Our goal is to deliver unmetered intelligence to every home and every desk with Windows," calling RTX Spark "a real breakthrough towards that vision" (Information Age / ACS). And the agents Nvidia imagines running on it are exactly the ones in this story — OpenClaw, Anthropic's Claude, and others — controlling the PC autonomously, surfaced right in the Windows taskbar (Information Age / ACS).

When the model runs on local silicon instead of a cloud endpoint, you change the data-governance conversation entirely. You reduce the surface area for data egress. You get a credible answer to the auditor who asks where the regulated record went when the AI touched it. You can run AI workloads in environments where cloud round-trips were previously a non-starter. That's not a niche capability — that's the difference between "we can't use AI on this data class" and "we can, safely."

There's a real-world signal in the demand data that backs this up, and it's worth your attention because it maps directly onto enterprise hesitancy. In a recent survey of more than 2,000 people by the analyst firm Telsyte, fewer than a third of adults said they'd be comfortable with AI managing more of their everyday lives, with privacy and security cited as the dominant concern — and a senior Telsyte analyst named trust, security, and privacy as "the primary barriers to full AI autonomy," while suggesting that more powerful on-device processing could give people the control they need to get comfortable (Information Age / ACS). Read that as a consumer-survey proxy for exactly what your compliance officer is feeling. The barrier to AI adoption in regulated environments was never capability. It was trust. Local inference is the first architecture that speaks directly to that trust objection — keep the data on the device, keep it inside the boundary, and a whole category of "we legally cannot" suddenly becomes "show me the controls."

But — and you knew there was a but — local inference is not a governance free pass. A model running on a clinician's laptop still needs the right access controls, the right labeling, the right logging, and the right boundaries around what it can read and retain. In fact, Microsoft itself has warned that Windows 11's agentic features create new local user accounts for AI agents with access to a user's directory, and explicitly told people to enable the capability only if they understand the security implications — because that surface is susceptible to prompt injection. The hardware moves where the computation happens. It does not, on its own, decide what the AI is allowed to see, and it introduces brand-new local attack surface of its own. That's still architecture. That's still your job, and ours.

There's also a sober procurement note buried in the Nvidia coverage that I'd put in front of any CFO before the hype cycle peaks: between RTX Spark's high-end specs and the RAM price hikes that AI demand is already driving, machines built on this chip are almost guaranteed to be expensive (Information Age / ACS). The on-device AI future is real and it's compelling for regulated work — but it's a capital-planning conversation, not a free upgrade. Plan the refresh cycle deliberately, target it at the data classes and workflows where local inference actually earns its premium, and don't let "AI PC" become a line item nobody scoped.

What To Actually Do Before the Agents Reach Your Users

Microsoft has handed you the timeline, and it's tighter than the super-app delay makes it look. Scout is live in the Frontier program now; Agent Mode is already the default in Microsoft 365 Copilot; the MAI models are landing now; the RTX Spark AI PCs start shipping in September; the super app arrives "come summer"; and Project Solara pilots begin in the coming months. The unifying shell is the slowest-moving piece — the agents themselves are already arriving. This is your window, so use it. Here's the readiness work that pays off regardless of which Copilot tab your people end up living in, which model answers them, or which device the agent runs on:

1. Run a permissions and oversharing audit immediately. Find out, concretely, what a proactive agent would be able to see in your tenant today. Most organizations are genuinely surprised by the answer, and almost never pleasantly.

2. Stand up Microsoft Purview sensitivity labeling and DLP. Teach the AI the difference between a public FAQ and a board deck before you give it an agent that acts on its own. This is the single highest-leverage governance move available to you ahead of agentic Copilot, full stop — and remember the confidential-email summarization incident: labels and DLP are necessary, but you still have to verify they're holding.

3. Clean and consolidate your knowledge sources. Copilot is only as trustworthy as what it's grounded in. Kill the duplicates, retire the stale, resolve the contradictions, and make the authoritative source unmistakable. A clean knowledge layer is the difference between an assistant people trust and one they quietly stop using.

4. Build an adoption motion, not just a license deployment. Identify champions, publish role-based prompt libraries by department, and put a measurement framework in place that ties usage to outcomes. The gap between under-5% and a number you're proud of is almost entirely a change-management gap, not a technology gap.

5. Define your multi-model and identity strategy deliberately. With a model selector in the Code tab and a personal/enterprise toggle in the shell, the choices your people make about which model and which identity now carry real data-governance weight. Decide your defaults, your guardrails, and your allowed/blocked models before your users decide for you. And set cost governance on coding tools now — usage-based pricing plus agentic tools is how budgets get ambushed.

6. Pressure-test your agent boundaries before turning agents loose — starting with Scout today. Scout is in the Frontier program now, and it acts across Teams, Outlook, and SharePoint without per-action approval. An autonomous agent should operate inside an explicit, least-privilege scope. Define what Scout-style and Autopilot agents can read, what they can act on, what requires a human in the loop, and what gets logged — and validate it in a controlled pilot, not in production. If you're enabling Windows agentic features and the local agent accounts that come with them, treat that as a security review, not a settings toggle.

7. Plan for local inference where it earns its keep. If you're in a regulated industry, map which data classes and workflows benefit from on-device AI on RTX Spark-class hardware, design the access, labeling, and logging controls around them now, and budget the device refresh deliberately — so you're ready to take advantage rather than scrambling to retrofit, and so the premium hardware lands where it actually pays for itself.

8. Get ahead of agent-first devices now, while Solara is still years out. Project Solara's runway is the single best gift in this whole announcement. Use it. The same tenant readiness — governed permissions, enforced labels, clean grounded data, scoped agents — is exactly what makes agent-first devices safe to deploy the day they mature. Start treating WorkIQ grounding, Entra/Intune device posture, and least-privilege agent scoping as one connected program, not three separate projects, so a badge or desk device is a configuration step later instead of an emergency.

9. Treat the June 16 Work IQ GA as your real deadline. Work IQ is the grounding layer that lets Scout and Solara devices reach across your Microsoft 365 data, and it goes generally available June 16, 2026. Before that date, know exactly what Work IQ will expose — because the agents are downstream of it, and so is your risk.

10. Put agentic security on the same agenda as agentic productivity. Microsoft's own MDASH-in-Defender work shows where this is going: agentic systems that reason across your code and surface validated, exploitable findings into the Defender Portal. Evaluate it, but also adopt its lesson internally — verification, cross-model adjudication, traceability, and human gating are the controls that make any agent trustworthy, including the ones you deploy.

11. Tighten tenant hardening end-to-end. Conditional access, lifecycle management for sites and Teams, retention, eDiscovery readiness, and audit logging all become more load-bearing the moment autonomous agents are reasoning across your environment — and they become load-bearing on a brand-new, non-Windows device OS (MDEP) the moment Solara devices show up.

This is exactly the work EPC Group does. Our 30-Day Copilot, Purview & Microsoft 365 Tenant Hardening Accelerator exists for precisely this moment, and our managed Microsoft cloud and analytics practice keeps the foundation solid long after the initial rollout. We're a Microsoft Solutions Partner with designations across the stack and a perfect 100 NPS on G2, and we serve organizations across every industry — Fortune 500, federal agencies, healthcare, financial services, government, manufacturing, energy, education, retail, technology, and global enterprises.

The Honest Competitive Read

A word to the buyers, because this is where I think clear-eyed beats breathless.

The fact that Microsoft, OpenAI, and Apple are all converging on the same super-app, always-on-agent design at the same moment tells you something useful: nobody has a durable structural lead in the interface anymore. The chat-app paradigm won, the layouts have collapsed into near-identical shells, and the differentiation is moving underneath the surface — to model quality, to agent reliability, to cost-per-task, and above all to how safely a given platform plugs into your data.

And the layer below that is moving too. The coding-model leaderboard is changing hands quarter to quarter. Nvidia and Microsoft are trying to relocate inference itself from the cloud onto the desk. With Project Solara, Microsoft is trying to relocate the entire interaction model off Windows and onto agents running on Android-based devices. Microsoft is racing to own the orchestration layer — the place the AI work happens — precisely because it can no longer count on owning the best model, the best device form factor, or even the operating system underneath it. Every one of those shifts points to the same buyer conclusion.

That should change how you buy. Don't over-rotate on a single vendor's keynote promises, and don't architect your organization so tightly around one company's super app — or one quarter's best model, or one generation of AI silicon — that you can't take advantage of a better option six months from now. The smart enterprise posture in a multi-model world is a governed, vendor-flexible foundation — clean data, enforced labels, least-privilege agents, and a single source of truth — that lets you adopt the best tool for each job without rebuilding your house every time the industry ships a new front door. Microsoft's own Foundry strategy, and the model selector it just put in the Code tab, are quietly telling you the same thing.

The Bottom Line

The strategic direction Microsoft laid out at Build is genuinely strong, and I'm optimistic — as a Microsoft partner and as someone who's been building on this stack since before most of these products had public names. Owning a frontier reasoning model in MAI-Thinking-1, standardizing agents through Foundry, pushing AI onto local silicon, shipping real autonomous agents like Scout, and — most ambitiously — reimagining the device itself with Project Solara are the right moves, made at the right time. "We're moving from devices for apps to agents" is the correct call on where computing is headed.

But notice what actually shipped versus what got teased. The super app was a verbal promise with no demo. Solara is "still early," years from a product. The MAI benchmarks are vendor-supplied. What shipped — today, into customers' hands — is Scout: an always-on agent that reaches across your tenant and acts without asking. The vision is years out. The exposure is live now. That gap is the whole story.

Because every one of these moves — one Copilot, many models, an agent that takes the wheel, agents instead of apps, devices built around those agents — dissolves a boundary that used to protect you. The app was a boundary. The separate Copilots were, accidentally, a boundary. Cloud-only inference was a boundary. The need to prompt an assistant for every action was a boundary. Microsoft is systematically removing all of them in the name of frictionless intelligence, and frictionless intelligence on an ungoverned tenant is just a faster, all-seeing path to your worst-labeled data. And here's the thing — Microsoft already showed you the answer. MDASH didn't hit 96.55% and find 16 real Windows zero-days because it had a smarter model; it did it because it had a smarter system: cross-checking, verification, traceability, human gating. The model is one input. The system is the product. That's not just how you build a security scanner. It's how you safely run every agent Microsoft just announced. The Trojan-horse strategy works both ways: the same frictionlessness that makes Microsoft's platform play brilliant is the same frictionlessness that wheels an always-on, all-seeing agent — eventually wearing a badge — straight past your governance gate. An agent doesn't reward you for buying it. It rewards you for being ready for it.

The organizations that win the next few years aren't the ones who download the super app on day one, buy the first RTX Spark laptop, or pilot the first Solara badge. They're the ones whose tenant was already governed, labeled, and clean when it all arrived — so that when Microsoft hands every employee one Copilot, drawing on many models, running in the cloud, on the desk, and eventually on a device built around the agent itself, every one of them hands back a single answer they can trust.

Which, as it happens, is how we've run things here for 29 years.

Multiple models. One truth.

---

Errin O'Connor is the Founder & Chief AI Architect of EPC Group, a Houston-based Microsoft consulting firm with 29 years of experience and six Microsoft Solutions Partner designations. He is a four-time Microsoft Press bestselling author and a former NASA Lead Architect, and has led enterprise Microsoft implementations across virtually every industry.

Planning your Copilot rollout, or worried about what an autonomous agent could reach inside your tenant? Talk to EPC Group about Copilot readiness, Purview governance, and tenant hardening before the super app ships this summer. Email: contact@epcgroup.net | Phone: 888-381-9725 | Web: www.epcgroup.net

---

Frequently Asked Questions

What is the Microsoft Copilot "super app"? It's a unified application Microsoft is building to fold its separate Copilot tools — chat, GitHub Copilot for coding, the Cowork task assistant, and a new agentic layer called Autopilot — into a single interface. It's being developed under the internal slogan "Delivering one Copilot," and the goal is to give users one central home for their AI assistants, including the ability to toggle between personal and enterprise Microsoft 365 Copilot accounts.

Was the Copilot super app released or demoed at Microsoft Build 2026? No. The super app was a no-show on stage — there was no live demo and no product reveal. CEO Satya Nadella only referenced it verbally, saying: "Come summer, we will be bringing coding to all knowledge work within one Copilot Super App ... you're going to have Chat, Cowork, and Code all in Copilot." The Verge reported the project is real but the widely circulated "screenshot" was an internal mockup. The only public timeline is "come summer" 2026. Build instead delivered new in-house MAI models, the Scout agent, Project Solara, GitHub Copilot upgrades, and agent infrastructure.

What is Project Solara? Project Solara is Microsoft's new "agent-first" device platform, unveiled at Build 2026 and led by technical fellow Stevie Bathiche's Applied Sciences Group. It is a chip-to-cloud platform designed to run AI agents instead of traditional apps, built not on Windows but on MDEP (the Microsoft Device Ecosystem Platform), an enterprise-grade variant of Android based on AOSP. Microsoft showed two enterprise concept devices — a Desk hub and a wearable Badge — with silicon from Qualcomm and MediaTek, and named AccuWeather, Best Buy, CVS Health, Levi's, and Target as early pilot partners. It is early-stage; any tangible consumer product is likely several years away.

Why is Microsoft building Project Solara on Android instead of Windows? Microsoft chose MDEP (its Android-based, AOSP-derived OS used for Teams room devices) so Solara devices can run on small, low-power hardware while retaining enterprise management and security — Intune, Entra ID, Microsoft Defender, over-the-air updates, and Windows Hello for Business biometrics. Windows is heavier than these purpose-built agent devices need. The choice is a strong signal of Microsoft's "agents replace apps" thesis: even Microsoft is willing to let Windows take a back seat in an agent-first world.

Does Microsoft really think AI agents will replace apps? Yes — that is the explicit premise of Project Solara. Nadella framed it as moving "from building operating systems — devices for apps — to agents," and Microsoft describes the shift as going "from software you open to intelligence you invoke." Rather than opening apps and clicking buttons, users express intent and agents act across their data and workflows. The practical barrier, as analysts note, is trust: organizations are not yet ready to hand agents unsupervised access to sensitive health, financial, and personal data — which is why governance readiness matters before agent-first devices mature.

What is MAI-Thinking-1? MAI-Thinking-1 is Microsoft's first dedicated in-house reasoning model, from Mustafa Suleyman's Microsoft AI group, unveiled at Build 2026. It's roughly a 35-billion-parameter model with a 128K context window, built for complex multi-step instructions, long-context reasoning, and code generation. Microsoft's own materials claim parity with Anthropic's Claude Opus 4.6 on the SWE-Bench Pro coding benchmark (vendor-supplied, with no published technical paper or open weights). Microsoft also introduced MAI-Code-1-Flash, its first coding-focused model. The releases signal Microsoft's shift from relying on partner models toward owning its own frontier AI on Azure.

Why is Microsoft AI being called an "enterprise Trojan horse"? An AI Magazine analysis used the phrase to describe how Microsoft is embedding AI so deeply into tools enterprises already use — Windows, Microsoft 365, Teams, Azure, Entra — that organizations adopt an AI-first operating model without ever consciously deciding to switch platforms. It's framed as a compliment to Microsoft's platform strategy, but it carries a governance warning: AI arriving through trusted infrastructure inherits all the permission sprawl and ungoverned data already inside that infrastructure.

What are Autopilot and Scout? "Autopilots" are Microsoft's new category of always-on, proactive AI agents — the move from "copilot" to, as the press put it, "taking the wheel." Scout is the first public Autopilot, the OpenClaw-based project led by Microsoft Corporate VP Omar Shahine. It operates across cloud, desktop, and web, connecting to Teams, Outlook, OneDrive, and SharePoint and to your chats, email, calendar, and contacts (grounded through Work IQ), and it acts autonomously — prepping meetings, flagging deadlines, blocking focus time, and spotting stalled decisions — "without needing to be prompted each time." Each Autopilot is bound to its own Entra identity for attribution. Scout went live to a select group of Frontier-program customers on June 2, 2026 (limited to GitHub Copilot subscribers), making it the most concrete and consequential agentic release from Build.

Is Microsoft Scout secure for enterprises? Microsoft says Scout is "built with enterprise-grade security and controls" and binds each agent to an Entra identity with organization-set access controls — good design in principle. But security researchers have flagged real concerns: Scout is powered by OpenClaw (whose own creators coined "vibe slop"), Microsoft did not detail its protections against common agent exploits when asked, and autonomous agents are known to be manipulable via prompt injection — a malicious webpage can trick an agent into leaking data with no user interaction. The practical takeaway: an always-on agent inherits whatever permissions your tenant grants it, so it's only as secure as your underlying governance. Scope it, log it, and pilot it against a hardened tenant before production use.

What is Microsoft MDASH and the 96.55% CyberGym score? MDASH (Microsoft's multi-model agentic scanning harness) is a 100+-agent agentic security system from Microsoft's Autonomous Code Security team. At Build 2026 it entered expanded preview with native integration into the Microsoft Defender Portal (via GitHub Code Security), and it scored 96.55% on CyberGym — UC Berkeley's benchmark of 1,507 real vulnerability-reproduction tasks across 188 open-source projects — up about 10 points in under three weeks and leading the public leaderboard. In production it found 16 previously unknown Windows vulnerabilities (4 Critical) in May 2026. Its architecture (Prepare → Scan → Validate → Dedup → Prove), model-agnostic design, and the principle that "the model is one input, the system is the product" make it a real-world proof that disciplined multi-agent governance — not a single better model — is what produces trustworthy AI results.

What is Microsoft Work IQ and when is it available? Work IQ is Microsoft's contextual grounding layer that gives AI agents access to organizational Microsoft 365 resources — emails, documents, meetings — and powers both Microsoft 365 Copilot and the new agent experiences (Scout and the Solara Desk device). It reaches general availability on June 16, 2026. Because it's the connective tissue that lets agents reach across a tenant's data, its GA date is effectively the readiness deadline for any organization concerned about what its agents can see.

How does Microsoft's coding model compare to Claude Code, Codex, and Gemini? Per CNBC, Microsoft and Google are seen as late to AI coding relative to Anthropic (Claude Code) and OpenAI (Codex). Anthropic has led the category, recently shipping Claude Opus 4.5 with a one-million-token default context; Google launched Antigravity and Gemini Code Assist with aggressive pricing; and Microsoft is introducing a Copilot-integrated coding model, reportedly priced to compete, plus a model selector that reaches Anthropic, Google, and OpenAI through GitHub Copilot. The market has minimal vendor lock-in because developers routinely test multiple tools.

What is NVIDIA RTX Spark and why does it matter for enterprises? RTX Spark is an Nvidia PC "superchip" — a Blackwell RTX GPU with a 20-core CPU, 128GB of unified memory, ~70 billion transistors, and roughly 1 petaflop of AI performance — designed to run local AI agents and reduce reliance on cloud AI. Nvidia and Microsoft frame it as reinventing the PC, with machines expected from September 2026. For regulated industries, on-device inference keeps sensitive data on the machine or within the tenant boundary, easing data-residency and egress concerns — though it still requires proper access controls and introduces new local attack surface.

Is Microsoft now a multi-model AI company? Yes. Azure AI Foundry supports models from OpenAI, Anthropic, Mistral, and DeepSeek alongside Microsoft's own MAI family, and the Copilot super app includes a model selector. This multi-model reality makes a governed "single source of truth" data and permissions layer essential, so that different models grounded in your content produce consistent, trustworthy answers rather than conflicting ones.

How does on-device AI (NVIDIA RTX Spark) affect regulated industries? Running models locally on optimized Windows hardware keeps sensitive data on the machine or within the tenant boundary instead of sending it to a cloud endpoint, which reduces data-egress risk and helps with data-residency and compliance requirements in healthcare, finance, and government. However, local inference still requires proper access controls, labeling, and logging — and Windows agentic features create local agent accounts that are themselves susceptible to prompt injection.

How should my organization prepare for the Copilot super app, Scout, and agent-first devices? Run a permissions and oversharing audit, deploy Purview labeling and DLP, clean and consolidate your knowledge sources, build a real adoption motion with champions and measurement, set deliberate multi-model and identity guardrails (including cost governance on coding tools), pressure-test agent boundaries in a controlled pilot — starting with Scout now that it's live in the Frontier program — know exactly what the June 16 Work IQ GA will expose, put agentic security (e.g. MDASH-in-Defender) on the same agenda as agentic productivity, plan for local inference where it adds value, use Project Solara's multi-year runway to get tenant-ready for agent-first devices, and tighten end-to-end tenant hardening. EPC Group's 30-Day Copilot, Purview & Microsoft 365 Tenant Hardening Accelerator is built for exactly this readiness work.

---

#---

EPC Group Can Help

Microsoft Build 2026 raised the ceiling on what agentic AI can do across the Microsoft estate — and the floor on what your tenant has to be to deploy it safely. EPC Group has been doing this work for 29 years across Fortune 500 and federal organizations, with six Microsoft Solutions Partner designations and a perfect 100 NPS on G2.

If any of the following sound like your next 90 days, that is exactly the work we do:

• Microsoft 365 Copilot Readiness Assessment — the 30-day tenant audit, Purview labeling, and adoption motion that turns an under-5% Copilot conversion into a measured rollout.
• Governed AI on Microsoft Framework — one named architecture covering Entra, Purview, M365, SharePoint, Fabric, Power BI, Copilot, Defender, and Agent 365. Seven layers, five maturity stages, one accountable owner.
• Virtual Chief AI Officer (vCAIO) — fractional senior leadership for organizations that need the operating model in 2026 but cannot hire a full-time AI executive yet.
• AI Consulting Services, AI Governance, Microsoft Copilot Consulting, Power BI Consulting, Microsoft Fabric Consulting, and Azure Consulting.

Email contact@epcgroup.net, call 888-381-9725, or request a consultation. Senior architects only — no offshore handoff, no junior account managers.

Sources

• Microsoft, "Composing a new platform for agent-first devices" (Project Solara), Microsoft Command Line — https://commandline.microsoft.com/project-solara-build-2026/
• GeekWire (Todd Bishop), "Inside Microsoft's Project Solara: A new platform for devices that run AI agents instead of apps" — https://www.geekwire.com/2026/inside-microsofts-project-solara-a-new-platform-for-devices-that-run-ai-agents-instead-of-apps/
• The Verge (Jay Peters), "Microsoft's Project Solara is an OS for AI agent gadgets" — https://www.theverge.com/news/941830/microsoft-project-solara-os-ai-agent-gadgets
• Neowin (Usama Jawad), "Microsoft believes that AI agents will eventually replace apps through Project Solara" — https://www.neowin.net/news/microsoft-believes-that-ai-agents-will-eventually-replace-apps-through-project-solara/
• T3 (Chris Hall), "Microsoft's the latest tech firm to herald the death of apps — even Windows could take a back seat" — https://www.t3.com/tech/ai/microsoft-latest-tech-firm-to-herald-the-death-of-apps-even-windows-could-take-a-back-seat
• GeekWire (Mary Jo Foley), "No Copilot 'Super App' at Microsoft Build, but plenty of agentic fodder" — https://www.geekwire.com/2026/mary-jo-foley-no-copilot-super-app-at-microsoft-build-but-plenty-of-agentic-fodder/
• Let's Data Science, "Microsoft teases Copilot Super App but no demo" — https://letsdatascience.com/news/microsoft-teases-copilot-super-app-but-no-demo-1659bca7
• Let's Data Science, "Microsoft unveils MAI reasoning model, expands agentic AI" — https://letsdatascience.com/news/microsoft-unveils-mai-reasoning-model-expands-agentic-ai-33634c95
• AI Magazine (Rithula Nisha), "Is Microsoft AI the Ultimate Enterprise Trojan Horse?" — https://aimagazine.com/news/is-microsoft-ai-the-ultimate-enterprise-trojan-horse
• Information Age (ACS), "Nvidia and Microsoft 'reinvent the PC' with new AI chip" — https://ia.acs.org.au/article/2026/nvidia-and-microsoft--reinvent-the-pc--with-new-ai-chip.html
• CNBC, "Microsoft and Google are late to AI coding, but 'absolutely critical' they compete for growth" — https://www.cnbc.com/2026/06/01/microsoft-and-google-take-on-anthropic-and-openai-in-ai-coding-models.html
• BleepingComputer, "Microsoft says bug causes Copilot to summarize confidential emails" — https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-copilot-to-summarize-confidential-emails/
• The Register (Brandon Vigliarolo), "No longer just a Copilot, Microsoft's AI wants to take the wheel" — https://www.theregister.com/ai-and-ml/2026/06/03/no-longer-just-a-copilot-microsofts-ai-wants-to-take-the-wheel/5250718
• TechTimes (Adrian Parham), "Microsoft MDASH Gains Defender Integration at Build 2026: 96.55% on CyberGym Benchmark" — https://www.techtimes.com/articles/317692/20260603/microsoft-mdash-gains-defender-integration-build-2026-9655-cybergym-benchmark.htm
• CNET (Corinne Reichert), "Microsoft Build 2026 Kicks Off Today: Follow Along for Copilot AI News and More" — https://www.cnet.com/news-live/microsoft-build-2026-news-ai-copilot/
• American Bazaar, "Microsoft bets on AI agents with new platform Project Solara" — https://americanbazaaronline.com/2026/06/03/microsoft-bets-on-ai-agents-with-new-platform-project-solara-482051/
• PCMag (Ben Moore), "Microsoft Build 2026: All of Microsoft's Demos and Announcements" — https://www.pcmag.com/news/microsoft-build-2026-live-san-francisco-all-of-microsofts-demos-and-announcements
• The Wall Street Journal; Fortune (Sebastian Herrera) — additional Copilot super app and Build 2026 reporting.