June 03, 2026

Microsoft Scout and the Security Cost of Always On Agents


At its Build conference on 2 June 2026, Microsoft introduced Scout, a personal work agent built on OpenClaw and Work IQ, the intelligence layer behind Microsoft 365 Copilot. Microsoft is positioning it as its first Autopilot, a new category of always-on agent that sits above Copilot and operates rather than just answers. The company describes it as built with enterprise-grade security. That claim is worth holding onto, because the rest of this post is about whether the security model keeps pace with the capability.

The framing also matters in another way. Scout is not Microsoft's coding answer to OpenClaw. That role sits with GitHub Copilot's agent mode and the new MAI-Code-1-Flash model announced the same day. Scout is aimed at knowledge work: email, calendar, meetings, and files. It is the layer where most office staff actually spend their day.

The pitch is proactivity. Microsoft says Scout understands how a person works and can handle routine jobs such as resolving scheduling conflicts and preparing for meetings without being asked. That last phrase is the whole story. A reactive assistant waits for a prompt. Scout is designed to act first, which is a different product and a different risk profile.


What Scout connects to

Scout reaches into the core of the Microsoft 365 stack. It connects to Teams, Outlook, OneDrive, and SharePoint, and reads chat, email, calendar, and contacts. It can reach external applications through the Model Context Protocol, and it runs across cloud, desktop, and web. One detail is easy to miss and important to the security picture: Scout is a downloadable desktop experience that can use both on-device and Microsoft 365 data, which means it can also reach the local file system and perform tasks that require local access.

That breadth is the selling point and the concern in equal measure. An agent that can read every inbox thread, every calendar invite, every shared document, and files sitting on the local machine, then take action on them, has a wide blast radius if anything goes wrong.


Announced more than shipped

It is worth being precise about availability, because the gap between announcement and general release is large. Scout is an experimental release available through Microsoft's Frontier program, extended to a select group of customers in private preview alongside Frontier organisations. Getting it running requires Frontier enrollment, Intune policy configuration, and an opt-in attestation. Users with a GitHub Copilot license can then download and install it. Microsoft has said a broader rollout and more detail will come later.

So this is not something most organisations can switch on today, and it would be a mistake to treat it as a finished product. It is a signal of direction. The useful question is not whether to adopt Scout this week. It is whether the move toward always-on, proactive agents is one that any Microsoft 365 tenant should be ready for, because that direction is now set across the industry. Google is reported to be building a similar personal agent, currently referred to as Remy, and the same convergence is visible at OpenAI and Anthropic.


Why proactivity changes the threat model

A chatbot that answers questions is reasonably easy to reason about. The user asks, the model responds, and a human reads the output before anything happens. An always-on agent with broad access and the authority to act removes the human from large parts of that loop. Security researchers have spent the past year cataloguing what goes wrong when that happens, and the failure modes are not hypothetical.

The clearest example sits on the exact stack Scout is built on. EchoLeak, tracked as CVE-2025-32711, was a zero-click data exfiltration flaw in Microsoft 365 Copilot. A crafted email could trigger it through indirect prompt injection, slipping past Copilot's protective classifier without the user clicking anything. Scout reads email by design, which puts this class of attack squarely in scope.

A second pattern is even more pointed given what Scout is built to do. In a documented goal-hijacking attack, a hidden instruction placed inside a calendar invite was read by an agent, which then began exfiltrating data without anyone noticing. Scout reads calendar invites and resolves scheduling conflicts on its own initiative. The attack surface and the product feature are, in this case, the same thing.

These are specific cases of a general problem. Untrusted content (an email, a document, a meeting invite) becomes a channel for instructions when an agent processes it automatically. The agent cannot reliably tell the difference between data it should summarise and commands it should obey. The more autonomous the agent, and the broader its access, the higher the stakes when that line blurs. Local file-system access raises those stakes further, since a successful injection is no longer confined to cloud data.
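One mitigation that does not depend on the agent telling data from commands is to gate actions on where the context came from. The sketch below is an added example, not Scout or Microsoft code; the source labels, action names and the `contoso.example` domain are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical labels for illustration; not Scout, OpenClaw or Microsoft 365 identifiers.
TRUSTED_SOURCES = {"user_prompt", "admin_policy"}
READ_ONLY = {"summarise", "draft_reply"}
EGRESS = {"send_email", "share_file", "http_request"}
LOCAL_OR_STATE = {"accept_invite", "read_local_file", "move_file"}

@dataclass(frozen=True)
class ContextItem:
    source: str  # channel the content arrived on, e.g. "inbound_email"
    text: str    # deliberately never inspected by the gate

@dataclass(frozen=True)
class ProposedAction:
    name: str
    target_domain: str = ""  # empty for actions with no network destination

def decide(action, context, internal_domain="contoso.example"):
    """Return 'allow', 'confirm' (human approval) or 'deny' for a proposed action."""
    if action.name in READ_ONLY:
        return "allow"
    if action.name not in EGRESS | LOCAL_OR_STATE:
        return "deny"  # unknown action: fail closed
    # Session-level taint: one untrusted item taints everything planned from
    # this context, because the model's own account of what it relied on
    # cannot be trusted after an injection.
    tainted = any(item.source not in TRUSTED_SOURCES for item in context)
    if not tainted:
        return "allow"
    if action.name in EGRESS and action.target_domain != internal_domain:
        return "deny"  # untrusted input plus external destination
    return "confirm"   # put the human back in the loop

if __name__ == "__main__":
    # Constructed sample context: a user request plus an invite from outside.
    context = [
        ContextItem("user_prompt", "Prepare me for tomorrow's meetings"),
        ContextItem("calendar_invite", "<invite body, possibly with hidden instructions>"),
    ]
    for act in (ProposedAction("summarise"),
                ProposedAction("accept_invite"),
                ProposedAction("send_email", "partner.example")):
        print(act.name, "->", decide(act, context))
```

The cost is visible in the rules: any invite or inbound email in context turns autonomous actions into confirmation prompts, which is the trade against proactivity the article describes.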


The governance gap behind the feature

The industry data suggests most organisations are not ready for this shift. One 2026 survey of more than 900 executives and practitioners found that 88 percent of organisations confirmed or suspected an AI agent security incident in the past year, while only around 22 percent treated agents as identity-bearing entities with their own access controls. Separate research has pointed to widespread reports of risky agent behaviour, including unauthorised data exposure and improper system access.

The structural issue is identity. When an agent acts on a person's behalf, who is accountable for what it did, and under whose permissions did it act? If Scout sends a message, moves a file, or accepts a meeting, the audit trail needs to show that clearly. Treating an agent as a true identity with scoped, logged, revocable access is the control that most organisations have not yet built.
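As an added illustration of that control (not Microsoft's identity or audit model), the sketch below gives the agent its own identity, a delegated scope set and a revocation flag, and logs every decision with both the agent and the person it acted for. All identifiers and scope names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class AgentGrant:
    agent_id: str         # the agent's own identity, distinct from the user's
    on_behalf_of: str     # the person who delegated access
    scopes: frozenset     # hypothetical scope names, e.g. "calendar:write"
    revoked: bool = False

@dataclass
class AuditLog:
    records: list = field(default_factory=list)

def authorize(grant, scope, resource, log):
    """Check one action against the grant and record the outcome either way."""
    if grant.revoked:
        decision, reason = "deny", "grant revoked"
    elif scope not in grant.scopes:
        decision, reason = "deny", "scope not delegated"
    else:
        decision, reason = "allow", "within delegated scope"
    # Denied attempts are logged too: they are often the first sign that
    # an agent is being steered outside its task.
    log.records.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": grant.agent_id,
        "on_behalf_of": grant.on_behalf_of,
        "scope": scope,
        "resource": resource,
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"

def demo():
    """Run three constructed requests and return (results, log)."""
    log = AuditLog()
    grant = AgentGrant("agent:scout-demo", "user:alex@contoso.example",
                       frozenset({"calendar:write", "mail:read"}))
    results = [
        authorize(grant, "calendar:write", "invite/123", log),  # delegated
        authorize(grant, "mail:send", "draft/456", log),        # never delegated
    ]
    grant.revoked = True                                        # admin pulls access
    results.append(authorize(grant, "calendar:write", "invite/789", log))
    return results, log

if __name__ == "__main__":
    for record in demo()[1].records:
        print(record["actor"], record["on_behalf_of"], record["scope"],
              record["decision"], record["reason"])
```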


The controls Microsoft is putting around it

To its credit, Microsoft has not shipped Scout as an open consumer toggle, and it is leading with the enterprise-grade security framing rather than treating it as an afterthought. The gating is part of that. Intune policy configuration lets administrators define where and how Scout can run. The opt-in attestation forces a deliberate decision rather than a silent default. The Frontier-only release keeps early use inside organisations that have agreed to specific terms. Microsoft has also announced supporting infrastructure, including Microsoft IQ as a grounding layer for agents.

Whether those controls are sufficient is the open question, and it cannot be answered from a launch announcement. Intune policy governs where an agent runs, not whether it can be tricked by a malicious calendar invite once it is running. Admin gating reduces sprawl but does not by itself solve prompt injection. The EchoLeak fix shows Microsoft can patch these flaws, but it also shows the flaws reach production on this stack in the first place. The honest position is that the perimeter controls look reasonable, the enterprise-grade security label is a claim rather than a verdict, and the in-the-loop behavioural controls are unproven until independent testing exists.


What to watch

Scout is an early look at where Microsoft 365 is heading rather than a product to judge on its current form. The questions worth tracking are concrete. How does Scout handle untrusted content in mail and invites once it is acting autonomously? What does its identity and audit model look like under Intune? How does it treat local file-system access in practice? How does it behave under independent red-team testing rather than vendor demos? And how do the licensing and rollout terms settle when it moves past the Frontier program?

The direction is clear and probably inevitable. The security work that should accompany it is the part still catching up.

Azar Consulting works with teams weighing up agentic tools like Scout, focusing on the governance, identity, and prompt-injection questions before an agent gets access to mail, calendars, and files. If your team is assessing where always-on agents fit, get in touch to talk it through.
