Your Tenant has Three AI Labs in It Now. Here's What That Breaks.

Three frontier AI labs now have first-party integrations inside a standard Microsoft 365 tenant. That's not a product story. It's a governance boundary problem that most organisations haven't mapped yet.

The shift

Anthropic shipped Claude as GA add-ins inside Word, Excel, and PowerPoint on May 7, 2026, with Outlook in public beta. The M365 connector (read-only delegated Graph access) has been live since late 2025. Cross-app context persistence means Claude can carry a thread from a financial model in Excel into the deck in PowerPoint. Anthropic became a Microsoft subprocessor in January 2026, bringing the connector pathway under Microsoft's DPA framework. EU, EFTA, and UK tenants have that toggle disabled by default.

OpenAI has been building its own footprint. ChatGPT Enterprise connects to SharePoint, OneDrive, mailboxes, and Teams via Entra-registered apps. Write operations went live in March 2026, including SharePoint, though write actions are disabled by default and require explicit admin enablement per app. On April 22, OpenAI launched Workspace Agents: Codex-powered, always-on automation workers with 60+ enterprise integrations. The Microsoft co-investment and Azure OpenAI relationship create a different dynamic, but ChatGPT Enterprise is not Azure. The model runs on OpenAI's infrastructure under OpenAI's DPA, not Microsoft's.

Google's play is more oblique. Gemini Enterprise isn't a first-party M365 add-in. It's Workspace-native. But it does orchestrate across M365 data connectors, which means Google's model layer can reach SharePoint and OneDrive data in organisations running a hybrid footprint. Less visible. Still present.

Microsoft's response to all of this is Agent 365, which went generally available on May 1. It's the governance control plane for what's now an unavoidably multi-model tenant.

What changes architecturally

Identity

Both the Claude and ChatGPT Enterprise connectors integrate through Entra enterprise app registrations with delegated Graph permissions. That's the right architecture. Connectors authenticate on behalf of a user, respect existing SharePoint and OneDrive permissions, and surface in Purview audit logs.

The trap is subtle. The audit trail shows that a user authorised the Claude app to read their email. In practice, most organisations will lock down user self-consent at the tenant level, so an admin is making that call either way. What the audit trail doesn't show is what was in the prompt that left your tenant boundary, what data was included, or what came back. The inference happens outside. There is no Microsoft-side record of that exchange.

Agent 365 adds Entra Agent ID. Agents get their own registered identity with conditional access policies and lifecycle management. Conditional access can target agent sign-ins, apply MFA on On Behalf Of (OBO) flows — where an agent acts using a delegated user identity — and enforce risk evaluation. What it can't do is apply a policy to model inference. The security control stops at authentication. The model is downstream.

Data residency

When a user's email or SharePoint document gets pulled into a Claude prompt, it leaves your tenant boundary and enters Anthropic's processing infrastructure: US servers, Anthropic's terms. If you're routing through Microsoft Copilot with Anthropic models, that sits under Microsoft's DPA. If users are accessing the native Claude.ai add-ins directly, that's a separate contract relationship with Anthropic. Different documents, different data processing commitments.

ChatGPT Enterprise adds another processing layer. OpenAI has enterprise DPA commitments, but the infrastructure is OpenAI's, not Azure's. The Microsoft co-investment doesn't change where the data goes.

For EU-based organisations, the position is clear. Anthropic's infrastructure sits outside Microsoft's EU Data Boundary. Prompts that reference EU-resident M365 data can be processed in the US. If your data residency policy was written around Microsoft's commitments, it doesn't cover what's now happening.

Policy enforcement

Purview logs every Graph API call the Claude connector makes. That's table stakes and worth acknowledging. It's more visibility than most browser-based AI tools give you. What Purview can't see is what happens after the data crosses the Graph boundary. Sensitivity labels and DLP policies enforce at classification time, within the Microsoft estate. Once content is in a prompt headed to an external model, those controls have already fired or not. There's no policy that intercepts a prompt mid-flight.

The architectural consequence is that your data governance posture needs to move earlier. The question isn't whether Purview classified a file correctly. It's whether that file should ever be reachable by an external model connector at all. That's a permissions and connector deployment decision, not a DLP policy decision.

Governance layer

Agent 365 is genuinely useful for what it covers. The agent registry gives visibility into active agents. Tools management lets admins allow or block MCP servers at tenant level. The shadow AI detection page surfaces patterns that suggest unregistered agents.

The gaps are structural, not gaps that will be closed with a patch. At GA, Agent 365 governs OBO agents: agents that act in the context of a tied user identity. Autonomous agents, A2A patterns, and agents running without a human delegation anchor are in Frontier Preview only. Any agent operating outside the Entra registration model (a third-party automation tool with Graph access, a Power Automate flow calling an external API) doesn't appear automatically. Registration is manual. The shadow AI detection works from known signatures, not semantic understanding of data crossing the boundary.

What you need before you need it

Audit your consent grants now. Both the Claude and ChatGPT Enterprise connectors created enterprise applications in your tenant when users enabled them. Pull the app registrations in Entra, map the delegated permissions, and check whether any went through IT governance or just user self-service consent. Conditional Access policies targeting these app registrations can rate-limit connector access while you build a broader policy.

One practical wrinkle worth knowing: if the enterprise app exists but hasn't been admin-consented, users who attempted to connect via personal accounts were silently queued. The moment you grant admin consent, all of them get access simultaneously. Be selective about when and how you open that gate.

Map your subprocessor chain separately for each integration. The Microsoft DPA covers the connector pathway and Microsoft Copilot with Anthropic models. The native Claude.ai add-ins are a direct Anthropic relationship. ChatGPT Enterprise is an OpenAI enterprise DPA. These are different documents with different data processing commitments. Track them as such.

Define your connector deployment policy through Admin Center before your users define it for you. The Claude add-ins are in the Microsoft Marketplace. The deployment window where IT is ahead of adoption is closing. Agent 365 Tools Management covers MCP servers at tenant level once agents are registered. The prerequisite is having that registry populated.

Don't rely on Agent 365 to catch everything. It won't catch autonomous agents, non-Entra identities, or data that left your tenant before the registry existed.

Close

The multi-model M365 tenant is already running in most organisations, whether it was planned or not. Most won't allow users to self-consent to external AI connectors, and that's reasonable. But locking access down entirely isn't a governance strategy. Nothing stops a user uploading a document to Claude.ai in their browser, or copying content out of SharePoint into a model they've found on their own. That's a worse governance position than a managed, audited connector, because you've lost the audit trail entirely.

The architectural question isn't whether to block all of it. It's whether your identity, data, and policy posture was designed for a single trusted model or for a landscape where three competing labs have delegated access to your users' mailboxes, documents, and spreadsheets simultaneously. Agent 365 gives you a governance surface. What you put on it is still yours to define.

This is the type of work I do. Get in touch at consulting@joshwickes.com