July 13, 2026
July 13, 2026

AI Assets - Local AI Agent Discovery on Endpoints

AI Assets - Local AI agent discovery on endpoints

For teams still managing AI agents like ordinary software, it’s time for a mindset shift. Local AI agents operate inside the endpoint. They interact directly with the OS accessing file systems, reading clipboard data, spawning processes, and executing complex workflows. And until now, much of this activity has been largely invisible to traditional controls.

Most third-party tools (CASB, SaaS security, AI governance platforms) focus on:

  • API integrations
  • SaaS usage
  • Network traffic or browser activity

They often miss local AI agents running directly on endpoints.

AI agents are no longer just cloud-based they’re running locally on endpoints, accessing files, credentials, and system processes. That makes them powerful… and a potential blind spot.

That’s why Local AI agent discovery in Microsoft Defender for Endpoint (Preview) is a major step forward.

Defender now automatically discovers local AI agents across Windows and macOS including coding agents and IDE extensions and brings them directly into your security operations workflow.

  • No more guesswork
  • No more shadow AI

Full visibility

  • View agents in AI inventory, exposure maps, and Advanced Hunting
  • See who is using them, where they run, and what they access

Risk and exposure awareness

  • Assess blast radius if an agent is compromised
  • Identify risky permissions and credential-heavy configs

Active defence

  • Block unauthorised coding agents
  • Generate actionable alerts for investigations

Broader coverage

  • Detects MCP (Model Context Protocol) server configurations
  • Extends visibility beyond standalone agents to the entire agent ecosystem

Integrated governance

  • Works with Microsoft Agent 365 for centralized AI governance

Defender advantage:

  • Native OS-level telemetry (processes, files, identities)
  • Sees agents as they execute, not just when they call APIs
  • Detects things like IDE plugins, local coding agents, MCP servers

What you can do with it:

  • Investigate which agents are running across your fleet
  • Hunt for suspicious behaviours with KQL
  • Correlate agent activity with identity, device, and process signals
  • Build deep, cross-domain threat hunting scenarios

Outcome

  • No manual inventory
  • No reliance on user disclosure
  • No blind spots around local AI usage

A High-level AI Assets workflow is outlined below:

Endpoints >> AI Agents >>Discovery >>Security Portal >>Analytics >>SOC Action

Bottom line

  • If developers are using coding agents (and most are), this capability allows already be part of organisation endpoint security baseline conversation.
  • AI governance is no longer just a policy discussion it’s an operational necessity.

Requirements: Microsoft Defender for Endpoint Plan 2

Typical deliverables:

  • AI agent inventory report
  • Exposure & risk assessment
  • Advanced hunting queries (5–10)
  • AI governance policy
  • Monitoring dashboard
  • Implementation runbook

How Spartan Helps

Spartan helps organisations manage AI agents entering their environments faster than they can be governed. We help organisations quantify risk and bring these agents under operational control, enabling organisation to scale AI adoption securely and responsibly.

#CyberSecurity #AI #MicrosoftDefender #EndpointSecurity #AIGovernance #GenAI

Recent blog

View all blog