The latest episode of Cloudy with a Chance of Insights lands at an interesting moment. AI agents are no longer a forward-looking topic for most Microsoft practitioners. They are arriving in production environments now, and the questions that come with them, around memory, governance, identity, and trust, are no longer theoretical.
David opens the episode with two tools from Merrill Fernando that speak directly to one of the more practical frustrations in agentic development on the Microsoft stack. Locker is an MCP implementation that bridges the Model Context Protocol to Microsoft Graph and Azure APIs, allowing compatible AI systems to query a live tenant in plain English rather than working from stale training data. Its companion tool, the Microsoft Graph Skill, addresses the specific problem of LLMs operating against an API with over 27,000 endpoints updated weekly. The two tools are designed to work together: the Skill provides current knowledge of what the API can do, and Locker handles execution in a read-only, safe-by-default manner. It is a combination that closes a genuinely frustrating gap, and it is worth the attention of anyone building agents on the Microsoft stack.
The second item David covers is the Agent Governance Toolkit, an open source project from Microsoft released at the start of April. The central question it tries to answer is harder than it first appears: as agents gain autonomy to act, who governs what they do? The toolkit consists of seven independently installable packages covering policy enforcement, cryptographic agent identity, inter-agent trust scoring, execution rings modelled on CPU privilege levels, SRE practices applied to agent systems, compliance mapping for the EU AI Act, and plugin lifecycle management. OWASP published the first formal taxonomy of agentic AI risks in December 2025, covering goal hijacking, tool misuse, memory poisoning, cascading failures, and rogue agent behaviour. The toolkit is a direct response to the risks that taxonomy describes. Microsoft's stated intent is to move the project into community governance under OWASP or LFAI, which is a meaningful signal of how seriously the risk landscape is being treated.
Richard connects the agent governance question to the Copilot adoption picture ahead of Microsoft's Q3 earnings. The headline number, around 15 million paid seats, representing roughly 3% of the M365 installed base, is well known. The context matters more. Microsoft spent $37.5 billion on infrastructure in a single quarter, up 66% year on year, and the market is asking whether the monetisation trajectory justifies that level of capital expenditure. Richard's observation is that slow adoption is almost always a governance problem in practice, or more precisely a permissions problem presented as a governance problem. Copilot surfaces whatever is already accessible in an estate, and most SharePoint environments were not built with that kind of exposure in mind. The bottleneck is not technical appetite. It is the state of the underlying information architecture.
The second half of Richard's segment takes a different direction. Working on a client project, he found himself wanting to produce something with the clarity and fidelity of the wireframes a UX team had sent over, without the tools or the time to produce them conventionally. The result was a click-through React prototype built entirely in VS Code using GitHub Copilot and Claude, with chaptered narrative flow, role-based screens, and deterministic state. The point is not that he built an application. It is that he produced what would previously have been a PowerPoint deck or a Visio diagram, and the output answered substantially more questions at a meaningfully higher fidelity. Anthropic shipping Claude Design in the same week, a dedicated prototyping surface built on Opus 4.7 with a handoff path to Claude Code, was an accidental validation that the gap is real and widely perceived.
David closes his section with MemPalace, an open source memory architecture project whose connection to The Fifth Element is deliberate. The film's premise is that four classical elements are necessary but insufficient, and life itself is the binding force. David's argument is that agents can have all the reasoning, retrieval, and tool use in the world, but without persistent memory and continuity of identity across sessions, something fundamental is still missing. MemPalace structures memory across four layers, stores verbatim content without summarisation to preserve context fidelity, and uses a compressed symbolic index for fast scanning by a language model. Everything runs locally using ChromaDB and SQLite, with no cloud sync or API keys required.
Cyrus covers the security section at pace, moving through AutoPatch improvements, hot patching for Windows becoming the default from May, Android XR support in Intune, Entra's new tenant configuration management API allowing full tenant snapshots in JSON with drift detection at scale, the conditional access optimisation agent moving governance from periodic review to continuous monitoring, and the Defender entity analyser reaching general availability and integrating with the new Sentinel MCP graph tool. He closes with a striking data point from IBM and Palo Alto Networks research: 61% of C-suite leaders said their AI model assets or data had already been compromised, and 67% said they had been targeted by an AI-enabled attack in the last year. The OWASP agentic AI top ten is not a theoretical exercise.
The episode is available on Spotify, Apple Podcasts, and YouTube.




