Building a Frontier First Firm With Best Practices for Secure AI Deployment

The concept of a Frontier First firm represents a new organisational blueprint for the AI era as pioneering companies embed AI deeply across every layer of their operations to unlock exponential value. These firms integrate intelligent agents and copilots into workflows, blending human judgment with machine intelligence to scale faster, innovate boldly and lead responsibly. As Microsoft’s recent Work Trend Index notes, 2025 marked the birth of the Frontier Firm, a model built for agility, trust and transformation.

Protiviti’s most recent AI Pulse Survey, conducted in late 2025, found that nearly one in four organisations have incorporated agentic AI into their operations, reshaping decision-making within those companies while adding new layers of complexity. Clearly, as we head into this new frontier, one principle stands out: innovation must go hand in hand with responsibility. Protecting users and data from security and compliance risks is critical. Without robust governance, the same tools that promise efficiency could expose organisations to significant vulnerabilities.

Why agents are changing the game

Artificial Intelligence (AI) is reshaping the way we work, and at the center of this transformation are Microsoft agents. These intelligent tools automate workflows, connect systems and deliver personalised experiences, helping organisations move beyond simple time-saving tasks toward true business transformation.

Agents are more than chatbots. They can summarise documents, connect to external systems and even take autonomous actions on behalf of users. From simple SharePoint-based agents to enterprise-grade solutions built in Copilot Studio or Azure AI Foundry, the possibilities seem endless. Imagine an HR agent that drafts onboarding emails or a customer service agent that interacts with thousands of users.
These scenarios illustrate the power of agents to streamline processes and enhance productivity. However, as agents gain access to sensitive data and perform critical actions, their risk profile grows. The question becomes: how do we ensure these agents operate securely and ethically?

Top security and compliance considerations

The rapid adoption of AI introduces new challenges that every organisation must address. Three considerations stand out:

Oversharing and data leakage

AI tools provide fast access to content, but if sensitive data isn’t properly protected, it can be inadvertently exposed. For example, widespread use of “share with everyone” links in documents can lead to internal oversharing. Worse, employees might upload confidential files to third-party AI tools, risking data exposure or even model training on proprietary information.

How to mitigate:
- Implement data labeling and protective policies.
- Use lifecycle controls to retain necessary data and delete what’s not needed.
- Run oversharing assessments with tools like Microsoft Purview to identify risk areas.

Expanding threat landscape

AI introduces new attack vectors. Techniques like prompt injection, where malicious instructions are hidden within legitimate prompts, can trick agents into performing harmful actions, such as exfiltrating data. Cybercriminals are also leveraging AI for sophisticated attacks, including deepfakes and autonomous attack agents.

How to defend:
- Deploy prompt shields and fine-grained access controls.
- Keep a human-in-the-loop for sensitive outputs.
- Strengthen core security posture with a Zero Trust strategy: verify explicitly, use least privilege and assume breach.
- Proactively identify vulnerabilities with Red Team security reviews.

Compliance with evolving regulations

AI regulations are emerging worldwide, from the EU AI Act to the NIST AI Risk Management Framework.
Organisations must maintain visibility into AI interactions for legal and ethical investigations, retain records of prompts and outputs, and conduct structured risk assessments. Microsoft’s Responsible AI Principles (accountability, transparency, fairness, reliability, privacy and inclusiveness) offer a strong foundation for compliance.

How to comply:
- Implement a records management programme to retain relevant prompts and responses.
- Take a structured, risk-based approach to AI adoption decisions.
- Establish a clear legal and regulatory compliance roles and responsibilities framework.

Tailored governance: one size does not fit all

Not all agents carry the same risk. A personal agent that helps an employee manage emails is very different from a healthcare agent handling patient data. That’s why governance should be tailored to the agent’s risk level.

Microsoft recommends, and Protiviti supports, grouping agents into three zones:
- Green zone: Low-risk agents with limited scope, such as personal productivity tools. These support self-service creation but require baseline security such as authentication, audit logs and data loss prevention policies.
- Yellow zone: Moderate-risk agents serving specific teams, like legal or finance. These need IT oversight and conditional approval, including reviews of data sensitivity and compliance implications.
- Red zone: High-risk agents with broad reach or access to sensitive data, such as customer-facing healthcare bots. These demand formal governance, privacy and legal involvement and rigorous testing before deployment.

When developing agents, proper application lifecycle management is equally important. Copilot Studio agents should be built in development environments that are only accessible to developers and provide access to limited data.
Once development has ended, these agents should be deployed to testing/sandbox environments for rigorous validation before being promoted to a production environment, where the organisation can then use them with access to all the planned data. Once published, agents should be monitored for anomalies, retired when inactive and updated as business needs evolve. Tools like Copilot Studio Kit enable long-term analytics and even allow administrators to quarantine non-compliant agents. As agents are being developed outside of IT processes by business users, development lifecycle controls also need to be put in place for all personnel. With Microsoft’s new Agent 365 and Entra Agent ID, each agent is registered, governed like a non-human identity and can be cleanly deactivated at end-of-life. Admins can quarantine non-compliant agents, while Foundry’s control plane provides observability, structured evaluations and managed runtime guardrails to continuously improve performance. Purview’s new security view and SAM “agent insight” reports help detect oversharing and enforce DLP on prompts, and Prompt Shields protect against prompt-injection during runtime.

Empowering users while protecting data

The goal of governance is not to slow innovation but to enable it safely. By establishing clear roles, organisations can create a framework that empowers employees to leverage Copilot and agents confidently.

Success depends on building a strong foundation of security, compliance, and governance. Organisations that strike this balance will not only harness the full potential of AI but also position themselves as frontier firms - leaders in the AI-powered future.

Frontier First firms are architects of the future. By embedding responsible AI practices into every stage of deployment, organisations can lead with confidence and integrity. Governance, security and compliance become the pillars that support sustainable innovation.
When these principles guide an organisation’s approach, AI becomes a strategic advantage. The firms that embrace this mindset will not only navigate the complexities of today’s AI landscape but will define the standards for tomorrow.

Learn more about Microsoft agents and other new tools Microsoft unveiled at Ignite 2025 in the Microsoft Book of News.

To learn more about our Microsoft consulting services, contact us.