May 10, 2026
Microsoft, RSA Make Identity Security Push in the Age of AI

The recent RSA Conference, a preeminent global gathering for cybersecurity professionals, served as the backdrop for two significant announcements signaling a critical shift in identity security. Both Microsoft and RSA Security unveiled strategies designed to address the escalating complexities of modern authentication, particularly in an era where artificial intelligence agents are increasingly integrated into enterprise workflows alongside human employees. The core message from these industry giants is clear: organizations require a more adaptable, unified, and intelligent approach to identity governance to secure what is rapidly becoming a hybrid human-AI workforce.

Microsoft utilized the prominent platform of the RSA Conference to declare the general availability of its external multi-factor authentication (MFA) support within Microsoft Entra ID. This move represents a substantial enhancement in flexibility for enterprises grappling with diverse authentication ecosystems. Concurrently, RSA Security announced a deepening of its partnership with Microsoft, specifically targeting the burgeoning challenge of securing what it terms the "AI workforce" through its ID Plus for Microsoft offering, designed to integrate seamlessly with Microsoft’s new AI-centric productivity suite.

The RSA Conference: A Nexus for Cybersecurity Innovation

The RSA Conference, held annually, stands as one of the largest and most influential events in the cybersecurity calendar. It brings together industry leaders, policymakers, researchers, and practitioners from around the globe to discuss emerging threats, showcase innovative solutions, and shape the future of digital security. Announcements made at RSA often carry significant weight, indicating major trends and strategic directions within the cybersecurity landscape. The timing of these announcements from Microsoft and RSA underscores the perceived urgency and strategic importance of adapting identity security frameworks to the rapidly evolving technological environment, particularly with the acceleration of AI adoption across enterprises. Historically, the conference has been a bellwether for shifts in security priorities, from perimeter defense to zero trust, and now, evidently, to securing AI identities.

Microsoft Entra External MFA Achieves General Availability: A Paradigm Shift in Flexibility

Microsoft, RSA Make Identity Security Push in the Age of AI -- Campus Technology

Microsoft’s declaration of general availability for its external MFA feature within Microsoft Entra ID marks a pivotal moment for enterprises navigating complex IT landscapes. This capability allows organizations to directly integrate third-party MFA providers into their Entra ID infrastructure without needing to dismantle existing authentication systems or compromise on the robust security policies offered by Microsoft’s Conditional Access framework.

For years, enterprises have invested heavily in specialized MFA solutions, often driven by specific regulatory compliance mandates, the intricacies of mergers and acquisitions (M&A) that consolidate disparate IT systems, or the operational demands of environments where Microsoft’s native MFA options might not have been the optimal fit. The previous approach, known as "Custom Controls," offered limited integration and was slated for deprecation. The new external MFA feature, built upon the widely adopted OpenID Connect (OIDC) standard, provides a standardized, more robust, and significantly more flexible integration pathway.

This enhancement is particularly impactful for large, hybrid organizations. It means that an IT team can now manage all authentication methods – both Microsoft’s native offerings and those from approved third-party providers – from a single administrative console within Entra ID. This "single pane of glass" approach dramatically simplifies identity management, reduces operational overhead, and enhances visibility across the entire authentication estate.

Crucially, sign-ins processed via external MFA providers do not bypass Microsoft’s stringent security evaluations. They continue to pass through the full policy evaluation pipeline, including real-time risk assessments, which leverage Microsoft’s vast threat intelligence network. Administrators retain granular control, able to align authentication prompts with specific business objectives through configurable sign-in frequency and session controls. However, Microsoft has also issued a vital caution: overly aggressive reauthentication policies, while seemingly enhancing security, can paradoxically increase phishing risk. This is because users, constantly bombarded with authentication prompts, may become conditioned to approve them without proper scrutiny, making them more susceptible to sophisticated phishing attacks. This insight underscores the delicate balance between security friction and user experience, a persistent challenge in identity management.

Microsoft’s extensive research consistently highlights the transformative power of MFA. The company’s data unequivocally demonstrates that the adoption of MFA reduces the risk of account compromise by more than 99%. By extending this critical protection to organizations whose authentication infrastructure includes non-Microsoft native solutions, the external MFA feature significantly broadens the reach of this essential security control, strengthening the overall security posture of the enterprise ecosystem. This move reflects Microsoft’s commitment to enabling a more secure, flexible, and interoperable identity landscape, catering to the diverse needs of its global customer base.

Timeline and Urgency for IT Professionals: Deprecation of Custom Controls

The announcement carries an important timeline for IT professionals: the existing Custom Controls approach for integrating third-party MFA solutions is scheduled for deprecation in September 2026. This deadline creates a clear imperative for organizations currently relying on Custom Controls to begin planning their migration to the new, generally available external MFA framework within Entra ID. Proactive planning and phased migration strategies will be essential to ensure a smooth transition and maintain continuous, robust authentication capabilities without disruption. This transition also presents an opportunity for organizations to re-evaluate their overall MFA strategy and optimize their security posture.

RSA Moves to Secure the AI Workforce: A Proactive Stance

RSA Security’s announcement at the RSA Conference directly addresses one of the most pressing and rapidly evolving cybersecurity challenges: securing the identities and actions of artificial intelligence agents. This initiative is strategically tied to Microsoft’s newly launched Microsoft 365 E7: The Frontier Suite, a comprehensive offering that bundles Microsoft 365 productivity tools, the advanced AI capabilities of Microsoft Copilot, essential Entra identity services, and Agent 365, a governance platform specifically designed for AI agents. RSA is positioning its ID Plus for Microsoft offering as the crucial "identity trust layer" that underpins and secures this innovative platform.

The core premise of RSA’s strategy is both straightforward and increasingly urgent: as AI agents evolve from simple scripts to sophisticated, autonomous entities capable of executing complex workflows, accessing sensitive data, and operating with privileged access within enterprise systems, traditional identity governance, which primarily focuses on human users, becomes woefully inadequate. The security perimeter must now extend to encompass these non-human identities.

Compelling research underscores this urgency. Data indicates that non-human identities, encompassing everything from bots and service accounts to IoT devices and now AI agents, already outnumber human users by a staggering factor of 17 to 1. This imbalance is set to become even more pronounced with the accelerating adoption of generative AI. Gartner, a leading research and advisory company, has predicted that by 2028, a significant 33% of enterprise applications will incorporate "agentic AI" – autonomous AI agents capable of making decisions and taking actions – a dramatic increase from less than 1% in 2024. This rapid proliferation necessitates a fundamental re-evaluation of identity and access management (IAM) principles.

RSA’s identity trust layer for the Microsoft 365 E7 suite is structured around three critical pillars:

  1. High-Assurance, Phishing-Resistant Authentication for Human Users: While the focus is expanding to AI, securing human identities remains foundational. RSA provides advanced authentication methods designed to be highly resistant to phishing attacks, a leading cause of breaches.
  2. Risk Intelligence: This pillar leverages advanced analytics and contextual signals to continuously evaluate access attempts, flagging suspicious behaviors, whether originating from human users or AI agents. This proactive threat detection is vital for identifying and mitigating risks in real time.
  3. Secure Access Controls for Privileged Operations by AI Agents: As AI agents assume more autonomous and privileged tasks, ensuring that their access is appropriately governed, monitored, and restricted to only what is necessary is paramount. This involves establishing clear identity policies, roles, and permissions for AI agents, mirroring the robust controls typically applied to highly privileged human accounts.

A key aspect of this expanded partnership and RSA’s strategic positioning is its confirmation of availability as an external MFA provider through Microsoft Entra’s newly generally available framework. This means that organizations already invested in RSA authentication solutions can now deploy and manage them seamlessly through the external MFA integration directly within their Entra configurations, further solidifying the interoperability and unified management vision.

Broader Industry Context and Implications: The Zero-Trust Imperative for AI

The announcements from Microsoft and RSA collectively highlight a fundamental shift in cybersecurity paradigms, driven by the pervasive integration of AI. The traditional security perimeter has long dissolved, giving way to a "zero-trust" model where no entity, human or machine, is inherently trusted. This principle now extends unequivocally to AI agents. The ability of AI to both enhance defensive capabilities (e.g., threat detection, anomaly analysis) and introduce new attack vectors (e.g., sophisticated social engineering, autonomous malware) necessitates a comprehensive and adaptive security posture.

The regulatory landscape is also beginning to catch up with the rapid pace of AI development. Governments and standards bodies worldwide are initiating discussions and drafting frameworks for AI governance, ethics, and security. Solutions like those presented by Microsoft and RSA will be instrumental in helping organizations meet future compliance requirements, demonstrating due diligence in securing AI systems and the data they interact with.

For IT professionals, these developments present a dual challenge and opportunity. On one hand, there is the immediate task of managing the migration from legacy Custom Controls to the more robust Entra external MFA framework, ensuring continuity and enhanced security for human users. On the other hand, a more forward-looking, yet rapidly approaching, challenge involves establishing robust identity and access management frameworks for AI agents. The Gartner prediction of 33% agentic AI in enterprise applications by 2028 underscores the urgency. Identity teams must proactively develop strategies for assigning identities to AI agents, defining their roles, managing their permissions, monitoring their activities, and revoking access when necessary – essentially mirroring the sophisticated lifecycle management applied to human users. This includes implementing consistent identity controls that extend the principles of least privilege and continuous verification to non-human entities.

The future of identity management is clearly converging. The distinction between human and non-human identities, while operationally necessary, will increasingly blur within unified security platforms. The ability to manage, secure, and audit all forms of identity – whether a human employee logging in from a remote device or an AI agent autonomously executing a critical business process – through a cohesive and intelligent system will be a core determinant of enterprise resilience.

Conclusion: Charting a Secure Path in the AI Era

The announcements from Microsoft and RSA at the RSA Conference represent significant strides toward addressing the multifaceted challenges of identity security in the age of AI. Microsoft’s Entra external MFA provides critical flexibility and consolidation for human identity management, allowing diverse enterprise ecosystems to benefit from advanced protection. Concurrently, RSA’s focus on securing the "AI workforce" offers a proactive and essential framework for governing the burgeoning population of autonomous AI agents.

Together, these initiatives underscore a collective recognition that securing the digital enterprise in the coming years will hinge on a flexible, unified, and intelligent approach to identity. Organizations that embrace these advanced frameworks will be better positioned to harness the transformative power of AI while mitigating its inherent risks, ensuring a more secure and resilient future for their operations in a world increasingly driven by intelligent automation. The journey toward comprehensive human-AI identity governance has truly begun, and these announcements provide a clear direction for IT and security leaders navigating this complex terrain.
