The control plane for every non-human identity in Microsoft 365.
AI agents, Copilots and service principals now outnumber your people. AIRM discovers, scores and governs every one.
Purpose-built for Microsoft Entra, Microsoft 365, Copilot and AI agents, and delivered through the MSPs who already run the tenant. Start with a free Sabiki NHI Risk Score on any tenant.
Illustrative, live non-human identity risk on a client tenant
The AI-identity number every board will ask for
What's your Sabiki NHI Risk Score?
One number, 0 to 100, for how exposed a Microsoft 365 tenant is across its non-human identities. A credit score for AI identity, benchmarked, trendable, and yours in about five minutes.
Two ways to see AIRM before you commit: a sample scored report, and the read-only assessment flow. Both use a sample tenant, so nothing leaves your environment to try them.
Sample report
A real scored NHI report
The AI-identity risk report a client receives: Sabiki NHI Risk Score, findings and prioritised actions, on a sample “Meridian Global” tenant.
The five-step, read-only flow: connect a Microsoft 365 tenant, AIRM assesses it, you get a scored report. No call needed, and nothing in the tenant is changed.
Machine-to-human identity ratio approximately 45:1 (Gartner analyst estimate).
The problem
Your biggest attack surface is completely unmonitored.
AI agents and non-human identities now outnumber human users by as much as 45 to 1 in a typical Microsoft 365 environment, and almost no organisation has visibility into them.
In a typical Microsoft 365 tenant, non-human identities already outnumber people, and AI is minting more every week.
1 human to~45 non-human identities
Human usersNon-human identities (service accounts, OAuth apps, workload IDs)AI agents & copilots: the new, fastest-growing slice
Machine-to-human identity ratio approximately 45:1 (Gartner). Service accounts, OAuth apps and workload identities already dominate; AI agents and copilots are the newest and fastest-growing part, and the one almost no tenant governs today.
Shadow AI Agents
Copilot connectors, Power Automate flows, and third-party AI tools operate continuously with permissions nobody reviews. If compromised, the damage is catastrophic.
Unmanaged Credentials
Service principals accumulate over time with aged credentials, no owners, and permissions far beyond what they need. A quiet app with write access to your entire tenant.
Invisible Compliance Risk
EU AI Act, DORA, ISO 42001: regulators are asking about AI agents and non-human identities. Most organisations can't answer those questions yet.
Machine-to-human identity ratio ~45:1 (Gartner analyst estimate); some vendor telemetry runs higher (Entro Labs, NHI & Secrets Risk Report, H1 2025: up to 144:1). Third-party research cited for context; Sabiki is not affiliated.
What Microsoft misses
AIRM sees the AI agents Microsoft can't.
Microsoft Agent 365 discovers agents by its own naming conventions. AIRM discovers every AI and non-human identity by behaviour and real Graph permissions, so the third-party and non-conforming agents that don't follow Microsoft's rules can't stay hidden.
Naming-based discoveryMicrosoft Agent 365
What Microsoft surfaces
Copilot-Studio-AgentSeen
Power-Automate-FlowSeen
acme-gpt-connectorMissed
svc-openai-prod-07Missed
Agents that don't follow Microsoft's naming stay invisible to naming-based discovery.
Behaviour-based discoverySabiki AIRM
What AIRM surfaces
Copilot-Studio-AgentSeen
Power-Automate-FlowSeen
acme-gpt-connectorSurfaced
svc-openai-prod-07Surfaced
Every AI and non-human identity found by behaviour, then scored for blast radius.
Same tenant, two very different pictures. AIRM surfaces the identities Microsoft's naming-based discovery leaves invisible, then scores their blast radius and hands your team the fix. Additive to Microsoft, never a replacement.
How it works · the control plane in motion
Discover. Understand. Govern. Enable. Optimise.
AIRM is the AI Identity Control Plane for Microsoft 365. It runs as one continuous loop on every tenant, from the first read-only scan to safe AI adoption and a score that keeps climbing. See the full Sabiki Adoption Loop →
01 · Discover
Find every non-human identity
By behaviour, not naming, so nothing hides.
Every AI agent, Copilot, service principal & NHI
Third-party & non-conforming agents Microsoft misses
↻ One continuous, always-on loop. Every Optimise feeds the next Discover.
For security leaders
The questions every CISO is being asked right now.
AI adoption is accelerating faster than security teams can govern it, and security leaders are increasingly concerned about AI agents and their impact on security. AIRM was built to answer these questions, and to act on the answers.
“Are we ready for AI?”
Your board and CEO are pushing AI adoption, and you've been asked to sign off on it. But many organisations already have AI agents running in production, most deployed without security review, with permissions nobody explicitly granted.
How AIRM helps
A full inventory of every AI agent and non-human identity in the Microsoft 365 environment, so you can answer “what AI do we have, and what can it access?” before anyone signs off.
“What is Shadow AI doing in our environment?”
Unsanctioned AI tools are already running in most tenants. Many were granted OAuth tokens and elevated permissions plugged straight into business systems, outside any standard provisioning workflow.
How AIRM helps
AIRM detects every service principal and AI agent in the tenant, sanctioned or not. Unreviewed identities are flagged, with their permissions, blast radius and compliance implications shown together.
“If an approved AI agent is compromised, how bad could it get?”
An AI agent you legitimately approved can still be compromised: its logic updated, its permissions silently widened. Traditional tools watch for human behaviour anomalies, they weren't built to catch this.
How AIRM helps
Blast Radius Analysis maps exactly what an attacker would reach if any identity were compromised, built from real granted permissions, not assumed activity. You see the worst case before it happens.
“Are we compliant with the EU AI Act, DORA and ISO 42001?”
Regulators are now asking specific questions about AI governance. The EU AI Act's high-risk obligations phase in through 2026, and DORA has been in force since January 2025. Most organisations can't yet produce evidence of AI agent oversight.
How AIRM helps
Every finding maps automatically to 11 frameworks, including the EU AI Act, ISO 42001 and DORA, generating per-framework reports you can hand to auditors and regulators.
“How do we enable AI without losing control?”
Security teams are under pressure to enable AI, and saying yes without visibility is the fastest way to lose control. The organisations that build agent inventories and privilege policies now are the ones in control when something goes wrong.
How AIRM helps
AIRM is the visibility layer that makes “yes” safe: monitor every AI agent continuously, detect permission drift, get alerted when behaviour changes, and demonstrate governance to the board.
AIRM is your AI governance layer.
You don't have to choose between enabling AI and securing it. AIRM gives security teams the visibility, intelligence and evidence they need to say yes to AI with confidence.
The same Microsoft 365 tenant, seen two ways. One is a blind spot. The other is governed, scored and defensible.
Before AIRM
An invisible identity layer
Non-human identities discovered manually, if at all.
AI agents and Shadow AI running without review.
Third-party apps and connectors nobody owns.
Service principals with aged, over-scoped credentials.
No evidence to hand an auditor, board or insurer.
After AIRM
A governed control plane
Every non-human identity discovered continuously and automatically.
Every AI agent surfaced, scored and given an owner.
Third-party and non-conforming agents caught by behaviour.
Permissions and credentials under continuous governance.
Board, auditor and insurer-ready evidence on demand.
What you get
Outcomes, not another dashboard.
AIRM turns invisible non-human identity into the things your business, board and auditors actually care about.
Reduce identity risk
Every non-human identity discovered, scored and ranked by the real damage it could do.
Secure Copilot & AI
See exactly what your Copilots and agents can reach, before an attacker finds out for you.
Control NHI sprawl
Owners, permissions and stale credentials brought under continuous governance.
Prove compliance
Evidence mapped to the EU AI Act, DORA, ISO 42001 and eight more frameworks, on demand.
Lower insurance exposure
Show insurers a governed, scored AI-identity posture instead of an unpriced blind spot.
Protect every tenant
One independent NHI Risk Score across your entire Microsoft 365 estate, tenant by tenant.
Why AIRM
Five reasons MSPs and customers choose AIRM.
AIRM does one job completely: it makes the AI identities in Microsoft 365 safe to adopt, govern and prove. Here's what you get.
Accuracy that grows
Scoring that sharpens the longer it runs
Every scan improves AIRM's model of how non-human identities behave, so your NHI Risk Score and peer benchmark get more accurate over time, never stale.
The Anomaly Intelligence Engine builds a behavioural fingerprint for every identity and gets sharper scan over scan, giving you peer benchmarking a point-in-time scanner can't offer.
Independent
A score auditors and boards trust
An independent, cross-vendor NHI Risk Score that auditors, insurers and boards actually trust, because it isn't Microsoft assessing Microsoft.
Only a third party can give a defensible, cross-vendor verdict on your AI identity risk, with peer benchmarking against similar organisations.
Complete
Sees the agents Microsoft misses
AIRM finds AI and non-human identities by what they do and the permissions they hold, so it catches the third-party and non-conforming agents that naming-based tools miss.
A rogue or renamed agent still gets caught, mapped to its real blast radius and scored, so nothing operates in your tenant unseen.
Delivered by your MSP
Bought as a managed service
Every client tenant in one console, PSA-integrated and white-labelled, governance you buy from the partner who already runs your Microsoft 365.
One multi-tenant console, per-tenant NHI Risk Scores, PSA-ready alerts (ConnectWise, HaloPSA, Autotask) and white-label reports, delivered as a recurring service line.
Audit-ready
Compliance evidence built in
Findings mapped to 11 frameworks and turned into audit-ready reports automatically, as those standards move from advisory to mandatory.
Findings map to EU AI Act, DORA, ISO/IEC 42001, NIST AI RMF and seven more, generating per-framework, auditor- and insurer-ready evidence packs on demand.
Together they make AIRM the simplest way to see, govern and prove the safety of every AI identity in Microsoft 365, for the MSP that delivers it and the customer that relies on it.
How AIRM is different
Not another horizontal NHI tool.
The non-human identity security market is real and growing fast, but most of it is built for large enterprises chasing SaaS-to-SaaS sprawl, sold one tenant at a time. AIRM is the one purpose-built for Microsoft 365 and delivered through MSPs, so it reaches the mid-market and SMB tenants the enterprise-direct tools never will, and scores every one independently.
Horizontal NHI platforms
Broad SaaS-to-SaaS & OAuth coverage across many apps
Enterprise-direct sales, one tenant at a time
Built for large in-house security teams
Sabiki AIRM
Microsoft 365-native and deep, by behaviour not naming
Delivered through MSPs, one-to-many, at mid-market scale
An independent NHI Risk Score on every tenant
Independent validation
The analysts see it too: AI agents break traditional identity governance.
What Gartner and the wider market are already saying about the non-human identity gap.
“By 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents occur.”
Gartner, “Applying Uniform Governance Across AI Agents Will Lead to Enterprise AI Agent Failure”, May 2026 · source ↗
“The rise of AI agents is introducing new challenges to traditional identity and access management (IAM) strategies… Failure to address these issues will lead to greater risk of access-related cybersecurity incidents as autonomous agents become more prevalent.”
Gartner, “Top Cybersecurity Trends for 2026”, Feb 2026 · source ↗
“61% of partners still struggle to get AI projects out of the proof-of-concept stage with customers.”
Canalys (now part of Omdia), “MSP Trends & Predictions 2025” · source ↗
AI is stalling on governance, yet adoption is the channel's growth engine. That's the gap MSPs close for their customers with Sabiki AIRM: turning stalled pilots into safe, governed production, delivered as a recurring managed service. (The non-human identity security market is forecast to grow to ~US$23bn by 2030, a ~23% CAGR, Mordor Intelligence.)
The Sabiki NHI Risk Score
One independent score for NHI risk. Like a credit score for your tenant.
Everything AIRM discovers, rolled into a single, benchmarkable score you can track, improve and take to the board, across Microsoft-native and third-party non-human identities.
72/100
Moderate · improving
This tenant72
Peer average64
✓
Independent & cross-vendor, Microsoft-native and third-party non-human identities, objectively scored.
✓
Benchmarked against peers, see how a tenant compares with similar organisations.
✓
Improves over time, show measurable progress, quarter on quarter.
✓
Board- and insurer-ready, the figure leadership asks for.
See it in action
See what AIRM finds in a client tenant.
Filter the non-human identities and click any one to see its real Graph permissions, blast radius and the recommended fix. This is illustrative data. Your own scan runs read-only through Microsoft Graph.
Agentless, read-only, revoke anytime. Findings shown are representative of a real assessment.
Works with Microsoft
The independent layer on top of your Microsoft investment.
Microsoft secures the platform; Sabiki adds the independent non-human identity observability and governance you run before you deploy AI. Every finding maps to 11 governance frameworks, the AI-specific ones built in.
Customers aren't just buying Microsoft 365, Copilot or AI agents, they're buying a trusted partner who can deploy AI safely. Sabiki AIRM is how MSPs deliver exactly that.
Empowers your people
Gives teams the visibility to confidently say yes to AI, it doesn't replace them.
Extends Microsoft
An independent governance layer on top of Microsoft 365, never a rip-and-replace.
Simplifies governance
One score, one report, prioritised actions, complexity removed, not added.
Value for customers · safe, confident AIRevenue for MSPs · a new recurring serviceFaster adoption · for organisations
The result: the one layer positioned to turn an MSP's trust into safe AI adoption, independent of Microsoft, out of reach of enterprise-direct tools.
The MSP opportunity
A new service line that makes you money.
AIRM isn't another cost to carry. It's a recurring, high-margin service you sell into every Microsoft 365 client, with zero infrastructure to run.
Illustrative, USD. Assumes ~$5,100/tenant/yr in services (onboarding $1,500 + governance $250/mo + posture $150/qtr) plus partner-tier licence margin (Registered 25% → Gold 33% → Elite 40%, by tenants adopted). See assumptions & model your own →
What you receive
A full risk report on every tenant.
See exactly what your customers receive before anyone registers: the NHI Risk Score, a full non-human identity inventory, prioritised findings, recommended actions and compliance mapping across the 11 frameworks.
Microsoft Verified PublisherPublisher identity verified with Microsoft
IT JunctionSecure366+ more soon
Sabiki is a registered Microsoft ISV partner and a Microsoft Verified Publisher. AIRM is built natively on Microsoft 365 and the Microsoft Graph API, agentless and read-only. Early MSP partners include IT Junction and Secure366.
Get started
Assess your entire client base, free.
Register once and run a full AIRM risk report on every Microsoft 365 tenant in your book, at no cost, see exactly what AI is running, scored, with the actions to fix it.