New Governance Tools From OpenAI and Microsoft Target AI Risks
Traditional enterprise software wasn’t designed for artificial intelligence (AI) agents, which interpret prompts, cross systems, retrieve data and act autonomously—unlike older, rules-based applications.
This difference brings new governance challenges as companies deploy AI agents in real business workflows. Traditional cybersecurity tools were made for monitoring applications and networks, not for tracking the complex behavior of autonomous systems interacting with multiple data sources and tools.
In response, technology companies are adding oversight directly into the platforms used for AI agent development and deployment. Two recent announcements illustrate how this shift is taking shape.
OpenAI said on Monday (March 9) that it plans to acquire Promptfoo, a startup that helps companies find vulnerabilities in AI systems during development. According to OpenAI, Promptfoo’s technology will be integrated into OpenAI Frontier, the company’s enterprise platform for building and running AI agents.
At the same time, Microsoft is preparing to launch Agent 365, a platform built to monitor and manage AI agents operating across Microsoft 365. The company said the system will give administrators visibility into how agents interact with corporate data and services.
Together, these developments reflect a core thesis: AI agent platforms are not just for deployment—they are becoming the primary arenas for securing and governing autonomous systems.
Testing AI Systems Before They Go Live
Promptfoo identifies risks in AI systems before deployment. The platform runs automated tests to uncover weaknesses such as prompt injection attacks, unsafe responses and attempts to access sensitive data.
Prompt injection attacks happen when someone creates a prompt designed to manipulate an AI system’s instructions. In some cases, attackers trick an AI system into revealing confidential information or bypassing safety controls.
Tools like Promptfoo simulate those attacks during development so companies can detect problems before releasing a system. Developers can run automated tests that interact with the AI application and record how it responds under different conditions.
OpenAI has also been expanding its security toolkit for developers. The company on Friday (March 6) introduced Codex Security in research preview, which allows developers to analyze how AI systems behave during development.
This approach moves security testing earlier in the development process. Instead of discovering problems after deploying an AI system, companies can identify and fix them during the build process.
Microsoft Builds Governance Into the Platform
Microsoft tackles the same challenge from an operational perspective.
Instead of focusing on development tools, the company builds governance features directly into the environment where AI agents run. Agent 365 lets administrators see which agents exist in a Microsoft 365 environment, who created them, and which systems they can access. The platform also provides companies with tools to monitor how agents interact with data and to enforce policies that govern behavior.
Agent 365 will join a broader enterprise offering, Microsoft 365 E7, a new licensing tier focused on AI governance and management. Industry analysts say the new package reflects Microsoft’s plan to build an all-inclusive platform for organizations that deploy AI agents. Instead of relying on separate monitoring tools, Microsoft integrates security, compliance and identity controls into the same environment where AI agents operate.
Banks and payments companies face some of the highest stakes. AI agents may review suspicious transactions, retrieve customer records for support teams or assist with compliance reporting. Because those tasks involve regulated financial data, institutions must keep detailed audit trails that meet bank regulators’ requirements. Neither OpenAI nor Microsoft has fully demonstrated those capabilities yet.
The post New Governance Tools From OpenAI and Microsoft Target AI Risks appeared first on PYMNTS.com.