AI Skills · May 14, 2026 · 4 min read

Microsoft's Work IQ Turns Your Org Chart Into an Agent Platform. Do You Know What It Can Access?

Work IQ creates stateful agents by combining your M365 data, Active Directory, and communication history. Before your IT team deploys it, you should know what those agents can see and do on your behalf.

By Forge Team

The agents Microsoft is shipping to enterprise customers this year aren't general-purpose assistants. They're built from your Active Directory, your email, your Teams messages, your SharePoint documents — and they remember what they've learned about you between sessions. Before your IT team finishes the deployment, three questions about access and scope deserve answers that aren't in the default configuration.

What Microsoft announced

Ben Thompson's analysis of Microsoft's Q1 earnings (Stratechery, May 6) documented Work IQ — a system that creates stateful agents by combining M365 data (email, Teams, SharePoint, OneDrive), Active Directory (your role, your reports, your manager, your permissions), and your communication history. These agents aren't search tools. They're built around a persistent model of who you are and how you work.

The commercial rollout is moving through Microsoft's enterprise sales channel. Mid-market companies — the ones that haven't built their own AI infrastructure — are the primary target. If your organization runs on Microsoft 365, Work IQ is likely already in a conversation between your IT team and a Microsoft account executive.

What to ask before it goes live

Three questions worth raising before the deployment is approved:

What data sources does the agent have access to? M365 includes email, Teams, SharePoint, and OneDrive — each carrying different risk. Email may contain client communications and confidential deal terms. SharePoint may hold HR records, compensation data, or unreleased financials. Agents inherit the permissions of the account they're deployed under, which may be broader than anyone intended when those permissions were originally set.

What actions can the agent take on your behalf? "Suggests" and "does" are not the same thing. An agent that drafts a calendar invite is different from one that sends it. An agent that summarizes pipeline data is different from one that updates deal stages. Define the boundary before deployment, not after the first unintended action.

Who else can query the agent's context? Stateful means it retains information between sessions. In an enterprise deployment, that retention may be queryable by other users — managers, administrators, and potentially the agents of your colleagues. Ask specifically where the context is stored and who has read access to it.

The SharePoint permissions nobody audited

Priya is HR director at a 280-person financial services firm. Her IT team flagged the Work IQ pilot as a productivity tool, not a security decision. When she reviewed the proposed agent scope, she realized it would have read access to the same SharePoint library her HR team uses daily — which includes performance reviews, termination records, and compensation bands.

The permissions weren't wrong. They were designed for a team of five HR professionals who understood the sensitivity of what they were accessing. The agent would have had the same access, queryable by any manager enrolled in the pilot. She restricted the agent to a specific subfolder containing approved HR policy documents. A 20-minute conversation with IT — before deployment, not after the first incident.

Audit what your Microsoft 365 agent can reach before it goes live.

The deal notes a pipeline agent probably shouldn't read

Dan runs sales at a 90-person SaaS company. He was an early Work IQ supporter — he wanted an agent to draft weekly pipeline summaries for his VP automatically. When he scoped the agent, the most natural data source was deal notes synced from HubSpot into M365. Those notes included frank assessments of individual reps and candid observations about specific prospects — the kind of working commentary that belongs in a CRM, not in an automated summary that administrators could review.

He redesigned the workflow: the agent drafts from a structured weekly export, not from raw deal notes. It drafts but does not send. And the export excludes rep-level commentary. The summary is useful. The exposure is contained. The guardrails took one afternoon to define.

Set the boundaries for what a work agent can read, draft, and send — before you give it access.

The default is already a decision

Work IQ's defaults are configured for adoption, not for your data obligations or your clients' expectations. The organization that deploys it without reviewing access scope and action boundaries has still made a decision about what the agent can see and do — just not a deliberate one.
