Microsoft Build 2026 wrapped up yesterday in San Francisco, and even allowing for the usual Build noise, this one carried a properly significant strategic shift. Buried inside a long keynote, between the new MAI model family, the Surface RTX Spark Dev Box, and the Mayo Clinic announcement, was the part that I think actually matters most.
Windows is being repositioned as an operating system for AI agents. Not a desktop that runs AI applications, but a runtime where agents themselves are first-class citizens, with their own identity, their own permission model, and their own enforced boundaries.
The piece of plumbing that makes this real is called Microsoft Execution Containers, or MXC. Worth understanding what it does, because for anyone running AI governance over a Microsoft estate, the surface area you need to cover just expanded massively.
What MXC actually is
MXC is a policy-driven execution layer for AI agents, built into Windows and the Windows Subsystem for Linux. It is in preview now.
It is not a product you buy. It is an SDK and a policy model embedded in the operating system itself, providing what Microsoft calls a "composable sandbox spectrum." That spectrum runs from lightweight process isolation, already used by the GitHub Copilot CLI, through to micro virtual machines, Linux containers, and full cloud instances running on Windows 365.
In practical terms, MXC decouples an agent's execution from the user's desktop, clipboard, user interface and input devices. A developer or IT admin declares what an agent is allowed to touch, including file access and networking policies configured through Intune, and Windows enforces those boundaries at runtime.
Microsoft also announced that Agent 365 will integrate natively with MXC in preview from July, bringing Defender, Entra, Intune and Purview protections to local agent workloads. OpenClaw on Windows already uses MXC. Nvidia's OpenShell secure runtime is built on MXC and adds policy management, inference routing and PII obfuscation on top.
Alongside MXC, Microsoft introduced Scout, the first in a new product category it is calling Copilot Autopilots. Scout is an always-on work agent running across Teams, Outlook, OneDrive, SharePoint and local device actions, with its own governed Entra identity, separate from the user's.
Why this matters for governance
Until now, AI governance for Microsoft customers has mostly meant governing what users do inside Copilot, what makers build inside Copilot Studio, and what Power Platform connections each agent has. The conceptual model has been Microsoft 365 plus Power Platform plus, more recently, Copilot Studio agents.
MXC and Scout push that model into the operating system. That has three practical consequences for governance work.
The first is identity. Scout having its own Entra identity, separate from the user, is significant. It means agents become a new class of actor in your tenant, with their own access, their own logs, and their own audit trail. Most organisations have an identity governance posture built for humans and a handful of service accounts. They are about to need one built for a growing population of autonomous agents acting on behalf of users, but not as them.
The second is scope. An OS-level sandbox is a major enabler. It lets an organisation deploy useful, autonomous agents without giving them unconstrained access to the device, the user's data, or the wider network. That capability is genuinely good news. The corresponding governance question is, who decides what each agent is allowed to do, who reviews those policies, and how often. MXC gives you the control surface. The decisions about how to use it are yours.
The third is the trail. An agent operating below the application layer, with its own identity and its own permitted set of actions, creates a different kind of audit trail than a user clicking through Copilot Chat. The events you need to capture, retain and be able to explain are different. Most organisations have not yet thought about what the equivalent of an event log looks like for autonomous agents acting at the OS level.
What this connects to
If you read my article a couple of weeks ago on Agent-to-Agent communication in Copilot Studio, this is the next step in the same direction. A2A made the accountability question harder by letting agents collaborate horizontally. MXC and Scout make it different again by giving agents a privileged execution environment at the OS layer, and a separate identity from the people they work for.
It also tightens the case for organisations to know exactly what AI they are running, who authorised it, and how they would explain an outcome after the fact. Those are the same questions ISO/IEC 42001 asks. They were good questions a month ago. With MXC sitting underneath, they are now questions an Australian organisation will need to be able to answer at a different level of detail.
Where Aureus fits
If your organisation is already running Copilot Studio agents, the December 2026 amendments to the Privacy Act are reason enough to put a proper governance position in place this year. MXC arriving in preview, with Agent 365 integration following in July, sharpens that timeline rather than relaxing it.
Aureus Govern assesses Copilot Studio agents and Microsoft AI deployments against ISO/IEC 42001, Australia's 8 AI Ethics Principles, the Microsoft Responsible AI Standard, and the UK AI Regulation White Paper. As the surface area of where agents run keeps expanding, so does the work to keep that assessment honest.
Tomorrow I will be publishing a companion piece on the healthcare and life sciences moments from Build, including the Mayo Clinic Frontier health model and Microsoft Discovery, the research platform already in use at GSK and BHP. If you read Tuesday's article on Copilot Health, this is the other half of the picture.
References
Microsoft Official Blog, Microsoft Build 2026: Be yourself at work (2 June 2026). https://blogs.microsoft.com/blog/2026/06/02/microsoft-build-2026-be-yourself-at-work/
Windows Developer Blog, Build 2026: Furthering Windows as the trusted platform for development (2 June 2026). https://blogs.windows.com/windowsdeveloper/2026/06/02/build-2026-furthering-windows-as-the-trusted-platform-for-development/
Windows Developer Blog, Windows platform security for AI agents (2 June 2026). https://blogs.windows.com/windowsdeveloper/2026/06/02/windows-platform-security-for-ai-agents/
VentureBeat, Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board (3 June 2026). https://venturebeat.com/security/microsoft-launches-mxc-an-os-level-sandbox-for-ai-agents-with-openai-and-nvidia-already-on-board
Directions on Microsoft, Build 2026: Microsoft Pushes the Agent Envelope with Android Devices, New Windows PCs (3 June 2026). https://www.directionsonmicrosoft.com/build-2026-microsoft-pushes-the-agent-envelope-with-android-devices-new-windows-pcs/
International Organization for Standardization, ISO/IEC 42001:2023 Information technology, Artificial intelligence, Management system. https://www.iso.org/standard/42001
Office of the Australian Information Commissioner, Privacy Act review and reform, automated decision-making transparency requirements. https://www.oaic.gov.au/privacy/privacy-legislation/privacy-act-review-and-reform
Jan Davids is the Principal Consultant at Aureus Solutions, a Microsoft consulting firm based in Adelaide, South Australia. Aureus Solutions specialises in AI readiness, governance, and Microsoft platform adoption.
