Microsoft's head of identity on why CEOs need to pay attention to Agentic AI

"Attackers don't break in today — they log in." Microsoft's head of identity on why the future of AI is being decided in Prague as well as in Redmond 

Nadim Abdo manages one of the most sensitive areas of the entire business at Microsoft — identity and access to data for hundreds of millions of Microsoft Entra users. At the end of April, he visited Prague to meet with Czech customers and partners at a time when AI agents are moving from the role of assistants to the role of operators — systems that act independently across company applications and data. We talked about why identity is becoming the AI control center and what Czech CEOs should do first. 

The Czech economy is undergoing accelerated digitization. According to Microsoft's internal data, the AI adoption rate in the Czech Republic is about 28 percent, while in Norway, for example, it exceeds 50 percent. For companies, this means one thing: the opportunity to gain a head start is great – but only those that understand the new risks will take advantage of it. 

Assistants become operators 

Until now, AI was a "smart assistant". That is changing. "AI agents are now transitioning into the role of operators — systems that can act autonomously across business applications, processes, and data," explains Abdo. And because they need access to company data to be useful, one of the oldest questions of business comes back to the table: who is allowed to do what, who runs it, and who is responsible when something goes wrong. 

With the advent of agents, this question becomes dramatically more pressing. "If an agent gets too broad or wrong access, they can act very quickly and on a scale that people are not used to. And they are exposed to new types of threats that can cause damage to your business," warns Abdo.

Two traps that companies fall into 

When adopting AI today, companies usually end up at one of two extremes. Either they block agents' access altogether — which is tempting, but it means giving up huge productivity benefits. Or, on the contrary, they let the agents run without any checks, which is an equally serious security risk.

"The right way is to give agents access, but through technology that can manage it," he sums up. Microsoft has developed Entra Agent ID and Agent 365 for this — a layer that allows businesses to deploy agents productively but with full control. 

Identity as an AI control plane 

The key concept that Abdo explained to Czech leaders in Prague is identity as a control plane for AI agents. Identity is no longer just about logging in. It is a decision-making authority: it determines what actions an agent is allowed to perform and under what conditions.

"You can set rules — for example, that an agent can access certain data, but not confidential information. Or that they are only allowed to work from a specific network, but not from the outside," Abdo describes. 

A fundamental difference compared to employees? "People come in, work and leave. Agents arise and disappear all the time — the user creates them in the blink of an eye, they can create other agents, even change into other types. We call them polymorphic agents." The old rules of access are simply not enough for them. 

Attackers do not break in today. They log in. 

Before companies start dealing with agents, they must secure the users themselves. "Attackers don't usually break in these days — they just log in. They use phishing or password spray attacks to do this," says Abdo. The solution is passkeys — passwordless login resistant to phishing, built right into Microsoft Entra. "The bonus is a better user experience that people will really appreciate." 

In addition, Abdo recommends managing devices through Microsoft Intune and setting up access policies using Conditional Access in Entra — clear rules about who can access what and under what conditions. 

Why it is crucial for Czech companies

Czech companies and institutions often operate in a hybrid IT, outsourcing and post-acquisition environment. This is a fragile environment from the point of view of identity. "If you don't have unified governance over identities, unified policies and visibility, you will always be left with a gap somewhere. And that loophole can be exploited — no matter how structured your organization is," Abdo points out. 

It's not just a question of efficiency, but a direct security risk — especially when working with sensitive data, in public administration, or in industrial systems. 

Visibility is the basis of control 

In an environment where agents are growing faster than companies can track them, the first condition for control is an overview. "You want to support the growth of agents, but you need technology to do it. Agent 365 gives you full visibility over all agents in your environment, including new ones. You can't manage what you can't see."

With a complete log of each agent's actions, security teams can set rules and, in the event of an incident, trace what the agent did and why. 

Microsoft as proof that it can be done 

That this is not a theory is shown by Microsoft itself. As part of the Secure Future Initiative (SFI) — perhaps the largest engineering project in the company's history, with more than 35,000 engineers working on it — Microsoft has overhauled its own security practices. The identity pillar had the greatest effect: the introduction of phishing-resistant login for each employee measurably reduced the risk of attacks. 

"Any Czech company can do the same thing today — the technology is available," says Abdo. 

So what to do before AI agents go into production?  

Abdo recommends three steps in a clear order:

  1. Deploy Agent 365 — get an overview of what's actually happening in your environment. 
  2. Secure users — start with passwordless authentication, i.e. passkeys. 
  3. Managed devices and Conditional Access — a combination of Microsoft Intune and Entra. 

Three sentences that every CEO should take away 

  • "You can't control what you can't identify." 
  • "The success of AI is first and foremost a matter of governance, not just technology." 
  • "When AI is scaled, the old approach models just don't work anymore."