Advisory & Strategy

Your AI agents have access. Do you know what they can do?

Agentic AI and workload identities are multiplying across enterprise environments without governance controls. Modern 42 provides dashboards and observability across your application identity estate, quantifies the risk, and builds the governance frameworks to manage it.

The problem

Your fastest-growing attack surface has no controls

Every AI agent, automation pipeline, and SaaS integration authenticates as an application identity. These identities accumulate over years of project work, proof-of-concept deployments, and vendor integrations. Permissions are granted at creation and rarely reviewed. Owners leave the organisation. Credentials expire or, worse, never expire. Most organisations have no visibility into what these identities can access, who created them, or whether they are still needed.

Agentic AI risk

With the rise of agentic AI, the problem is accelerating. Copilot agents, custom AI assistants, and autonomous workflow bots are being provisioned with broad permissions to access production data, send emails, and modify configurations. Most have no approval workflow, no expiry, and no audit trail.

Common findings

  • Over-privileged applications with excessive Graph permissions
  • High-privileged dormant applications with no recent sign-in activity
  • AI agents with broad data access and no approval workflow
  • Ownerless service principals with no accountability
  • Client secrets with multi-year or no expiry
  • Applications excluded from Conditional Access policies
  • No inventory of what non-human identities exist
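The checks in the list above, written out as an added Python example (not Modern 42 or Apporetum code): it flags ownerless, dormant, long-lived or non-expiring client secret, and high-privilege Graph role findings over a constructed sample shaped like Microsoft Graph application objects. The lastSignIn field, the fixed clock and the lifetime thresholds are assumptions; the one role id mapped is the Directory.ReadWrite.All application permission.

```python
# Added example (not Modern 42 / Apporetum code): hygiene checks over objects shaped
# like Microsoft Graph `application` resources. `lastSignIn` is an assumed extra field.
from datetime import datetime, timedelta, timezone
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_SECRET_LIFETIME = timedelta(days=365)         # policy: client secrets live at most a year
DORMANT_AFTER = timedelta(days=90)                # policy: no sign-in for 90 days = dormant
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# App-only role ids, resolved from the Microsoft Graph service principal's appRoles list.
HIGH_PRIVILEGE_ROLES = {"19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All"}

# Constructed sample tenant; none of these identities or values are real.
SAMPLE_APPS = [
    {"appId": "app-1", "owners": [], "lastSignIn": "2024-06-01T00:00:00Z",
     "passwordCredentials": [{"endDateTime": "2030-01-01T00:00:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role"}]}]},
    {"appId": "app-2", "owners": ["alice"], "lastSignIn": "2025-01-10T00:00:00Z",
     "passwordCredentials": [{"endDateTime": "2025-06-01T00:00:00Z"}],
     "requiredResourceAccess": []},
]

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def assess(app, now=NOW):
    """Return the finding codes that apply to one application object."""
    findings = []
    if not app.get("owners"):
        findings.append("ownerless")
    for cred in app.get("passwordCredentials", []):
        end = cred.get("endDateTime")
        if end is None:
            findings.append("secret-no-expiry")
        elif _ts(end) - now > MAX_SECRET_LIFETIME:
            findings.append("secret-long-lived")
    last = app.get("lastSignIn")
    if last is None or now - _ts(last) > DORMANT_AFTER:
        findings.append("dormant")
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_APP_ID:
            continue  # only Microsoft Graph roles are mapped in this example
        for access in rra.get("resourceAccess", []):
            name = HIGH_PRIVILEGE_ROLES.get(access.get("id"))
            if access.get("type") == "Role" and name:
                findings.append("high-privilege-role:" + name)
    return findings

def risk_register(apps=SAMPLE_APPS, now=NOW):
    """appId -> findings, worst first, so remediation can be prioritised."""
    reg = {a["appId"]: assess(a, now) for a in apps}
    return dict(sorted(reg.items(), key=lambda kv: -len(kv[1])))
```

In a real tenant the same function would run over the paged output of the Graph applications endpoint, with the role id map built from the Graph service principal's appRoles.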

Industry research

33% of enterprise applications will include agentic AI by 2028, up from less than 1% in 2024. Most organisations have no governance framework for these identities.

Source: Top Strategic Technology Trends for 2025, Gartner, October 2024

What we assess

Eight domains of application identity risk

Each domain is assessed using data extracted directly from your Microsoft Entra ID tenant. We quantify the risk, identify the gaps, and prioritise what to fix first.

01

App registrations and service principals

Inventory of all application identities, ownership status, credential hygiene, and lifecycle management. Identifies orphaned and ownerless applications.

02

API permissions and OAuth consent

Analysis of delegated and application-level Microsoft Graph permissions. Identifies over-privileged grants, admin consent status, and unused permissions.

03

Legacy configurations

Detection of legacy authentication patterns including OAuth 1.0, legacy service principals for SharePoint, outdated credential-based authentication, and workloads that should be migrated to managed identities.

04

Agentic AI and Copilot permissions

Mapping of AI agent identities, their permission scope, data access patterns, and governance controls. Identifies agents operating without oversight or approval workflows.

05

Secret and credential management

Certificate and client secret expiry tracking, rotation practices, and Key Vault adoption. Identifies credentials approaching expiry or with excessively long validity periods.

06

Application lifecycle and ownership

Owner assignment coverage, stale application detection, and decommissioning processes. Identifies applications with no assigned owner or no sign-in activity.

07

Insecure configurations

Identifies applications without App Role assignment requirements, missing Asset IDs, overly permissioned service principals, applications not enforcing token binding, and workload identities excluded from Conditional Access policies.

08

Cross-tenant and external access

Multi-tenant application configurations, external identity provider trust, and B2B collaboration controls for workload identities.

What you get

Visibility. Risk scores. A governance framework.

The assessment delivers three things: a clear picture of your current state, a quantified risk profile, and a practical framework for managing application identities into the future.

Dashboards and visibility

Using Apporetum, we surface every application identity in your tenant: app registrations, service principals, managed identities, and AI agents. You see what exists, who owns it, what it can access, and whether its credentials are current.

Risk quantification

We score each application identity against permission scope, credential hygiene, ownership status, and policy coverage. The result is a prioritised risk register that tells you exactly where to focus remediation effort.

Governance framework

Beyond the assessment, we build a governance framework for managing application identities into the future: approval workflows, permission standards, lifecycle policies, and review cadences tailored to your organisation.

Engineering pathway

For organisations ready to operationalise governance at scale, our engineering team delivers deterministic, configuration-driven application onboarding pipelines. These enable self-service within guardrails, enforce standards automatically, and provide backup and recovery for critical application configurations.

Deliverables

What you receive

A structured report with findings, risk scores, and a governance framework you can implement immediately.

  • Complete inventory of application identities, service principals, and managed identities
  • Permission analysis with over-privilege scoring for each identity
  • Agentic AI and Copilot agent mapping with governance gap analysis
  • Credential hygiene report (expiry, rotation, Key Vault adoption)
  • Prioritised remediation roadmap with 30/60/90-day milestones
  • Application identity governance framework with approval workflows and lifecycle policies
  • Executive summary suitable for board, CISO, and audit reporting
  • Actionable best-practice recommendations to improve your security posture
  • Single pane of glass for visibility and reporting across your application identity estate
FAQ

Common questions

A workload identity is any non-human identity that authenticates to your environment. This includes app registrations, service principals, managed identities, automation accounts, CI/CD pipelines, and increasingly, agentic AI systems. In most enterprise tenants, these outnumber human users significantly.

From scoping to final report, typically two to three weeks. The initial data collection through Apporetum is largely automated, which means we spend the majority of time on analysis, risk quantification, and building actionable recommendations rather than gathering information.

Apporetum requires read-only API access to Microsoft Entra ID (Microsoft Graph, read permissions). No write access is needed and no changes are made to your environment during the assessment. We provide a documented permissions list before deployment.

Yes. Agentic AI systems, including Copilot agents, custom AI assistants, and autonomous workflow agents, authenticate as application identities. Our assessment maps these identities, their permissions, and the governance gaps that exist around them.

The assessment report can be used as supporting evidence for IRAP, APRA CPS 234, and ISO 27001 audits. The governance framework we deliver provides ongoing controls that align with these frameworks.

You receive a structured report with findings, risk scores, and a prioritised remediation roadmap. Many clients then engage our engineering team to implement deterministic, configuration-driven application onboarding pipelines that enforce the governance framework at scale. You are never obligated to proceed to engineering.

Overly permissioned applications are app registrations or service principals that have been granted more access than they need to function. This commonly includes admin-level Microsoft Graph permissions, broad mail or file access, or directory-wide read/write capabilities. These identities represent a significant risk because if compromised, an attacker inherits every permission the application holds. In most tenants we assess, the majority of application identities have permissions far beyond what they actually use.

Agent identities are the application identities behind AI-powered systems that act autonomously on behalf of users or the organisation. This includes Microsoft Copilot agents, custom AI assistants built on Azure OpenAI, autonomous workflow bots, and any agentic AI system that authenticates to your environment to read data, send communications, or take actions. These identities are growing rapidly and most organisations have no governance framework specifically designed for them.

Both. We can deliver a point-in-time assessment that gives you a complete snapshot of your application identity risk posture. For organisations that want continuous visibility, we can deploy our identity observability tooling to provide ongoing dashboards, alerting, and governance reporting so you always have an up-to-date view of your application identity estate.

Govern your application identities

Start with visibility. The assessment gives you the baseline, the risk profile, and the framework to take control of your non-human identity estate.
