Non-human identity security · Microsoft 365

The control plane for every non-human identity in Microsoft 365.

AI agents, Copilots and service principals now outnumber your people. AIRM discovers, scores and governs every one.

Purpose-built for Microsoft Entra, Microsoft 365, Copilot and AI agents, and delivered through the MSPs who already run the tenant. Start with a free Sabiki NHI Risk Score on any tenant.

5 minutesMicrosoft 365No credit card
or book a 1:1 demo →
Blast radius
CRITICAL
Sabiki NHI Risk Score
Needs attention
▲ +8 since last scan
Acme Corp
Top NHIs by risk
APPCopilot-Studio-Agent0
NHIOpenAI-Enterprise0
AUTPower-Automate-Flow0
SPExchange-Connector0
EU AI Act
Art. 14, Oversight
Illustrative, live non-human identity risk on a client tenant
The AI-identity number every board will ask for

What's your Sabiki NHI Risk Score?

One number, 0 to 100, for how exposed a Microsoft 365 tenant is across its non-human identities. A credit score for AI identity, benchmarked, trendable, and yours in about five minutes.

Get your free Sabiki NHI Risk Score →
5 minutesMicrosoft 365No credit card
Sabiki NHI Risk ScoreIllustrative
62/100
Needs attention
0 · Low50100 · Critical
Peer benchmark 71Top finding Over-permissioned agents
See it in action

A look at the platform.

Two ways to see AIRM before you commit: a sample scored report, and the read-only assessment flow. Both use a sample tenant, so nothing leaves your environment to try them.

Sample report

A real scored NHI report

The AI-identity risk report a client receives: Sabiki NHI Risk Score, findings and prioritised actions, on a sample “Meridian Global” tenant.

23
Over-privileged identities
146
Dormant identities
62/100
Sabiki NHI Risk Score
Open the full sample report →
Live demo · read-only

See how a tenant gets scored

The five-step, read-only flow: connect a Microsoft 365 tenant, AIRM assesses it, you get a scored report. No call needed, and nothing in the tenant is changed.

5
Steps to a score
~5 min
To first result
Read-only
Graph access
Try the live demo →

Illustrative sample tenant. Real customer screenshots and outcome metrics replace these at launch.

AI agents are becoming your newest employees.

They never sleep, never ask permission, never resign, and too often no one owns them.

The identity perimeter has shifted.

Yesterday

An identity meant a person, a login, a password, MFA.

Today

AI agents, Copilots and service principals are identities too, and they already outnumber your people by roughly 45 to 1 (Gartner).

The catch

Microsoft secures Microsoft. AIRM governs every AI identity operating inside your tenant.

One model, three names

Sabiki, AIRM, and the Sabiki NHI Risk Score.

The company
SabikiThe security company defining non-human identity for Microsoft 365.
The platform
AIRMAgentic Identity Risk Management. Discovers, scores and governs every AI identity.
The metric
Sabiki NHI Risk ScoreThe 0 to 100 index every assessment produces. The number you own and improve.
Why you can trust it

Built on Microsoft. Evidence you can hand over.

11
Compliance frameworks mapped
~5 min
Average time to a first score
AI identities discovered
Populate at launch
Tenants assessed
Populate at launch
Microsoft ISV PartnerCertified Microsoft partner
Microsoft Verified PublisherPublisher identity verified with Microsoft
EU AI ActISO/IEC 42001NIST AI RMFDORANIS2ISO 27001+ 5 more · 11 frameworks

Machine-to-human identity ratio approximately 45:1 (Gartner analyst estimate).

The problem

Your biggest attack surface is completely unmonitored.

AI agents and non-human identities now outnumber human users by as much as 45 to 1 in a typical Microsoft 365 environment, and almost no organisation has visibility into them.

In a typical Microsoft 365 tenant, non-human identities already outnumber people, and AI is minting more every week.
1 human to ~45 non-human identities
Human usersNon-human identities (service accounts, OAuth apps, workload IDs)AI agents & copilots: the new, fastest-growing slice
Machine-to-human identity ratio approximately 45:1 (Gartner). Service accounts, OAuth apps and workload identities already dominate; AI agents and copilots are the newest and fastest-growing part, and the one almost no tenant governs today.

Shadow AI Agents

Copilot connectors, Power Automate flows, and third-party AI tools operate continuously with permissions nobody reviews. If compromised, the damage is catastrophic.

Unmanaged Credentials

Service principals accumulate over time with aged credentials, no owners, and permissions far beyond what they need. A quiet app with write access to your entire tenant.

Invisible Compliance Risk

EU AI Act, DORA, ISO 42001: regulators are asking about AI agents and non-human identities. Most organisations can't answer those questions yet.

Machine-to-human identity ratio ~45:1 (Gartner analyst estimate); some vendor telemetry runs higher (Entro Labs, NHI & Secrets Risk Report, H1 2025: up to 144:1). Third-party research cited for context; Sabiki is not affiliated.

What Microsoft misses

AIRM sees the AI agents Microsoft can't.

Microsoft Agent 365 discovers agents by its own naming conventions. AIRM discovers every AI and non-human identity by behaviour and real Graph permissions, so the third-party and non-conforming agents that don't follow Microsoft's rules can't stay hidden.

Naming-based discoveryMicrosoft Agent 365
What Microsoft surfaces
Copilot-Studio-AgentSeen
Power-Automate-FlowSeen
acme-gpt-connectorMissed
svc-openai-prod-07Missed

Agents that don't follow Microsoft's naming stay invisible to naming-based discovery.

Behaviour-based discoverySabiki AIRM
What AIRM surfaces
Copilot-Studio-AgentSeen
Power-Automate-FlowSeen
acme-gpt-connectorSurfaced
svc-openai-prod-07Surfaced

Every AI and non-human identity found by behaviour, then scored for blast radius.

Same tenant, two very different pictures. AIRM surfaces the identities Microsoft's naming-based discovery leaves invisible, then scores their blast radius and hands your team the fix. Additive to Microsoft, never a replacement.

How it works · the control plane in motion

Discover. Understand. Govern. Enable. Optimise.

AIRM is the AI Identity Control Plane for Microsoft 365. It runs as one continuous loop on every tenant, from the first read-only scan to safe AI adoption and a score that keeps climbing. See the full Sabiki Adoption Loop →

01 · Discover

Find every non-human identity

By behaviour, not naming, so nothing hides.
  • Every AI agent, Copilot, service principal & NHI
  • Third-party & non-conforming agents Microsoft misses
  • Agentless, read-only via Microsoft Graph
How discovery works →
02 · Understand

Know its real risk

What it can reach, who owns it, why it exists.
  • Real Microsoft Graph permission analysis
  • Blast-radius mapping & ownership
  • Dormant & over-permissioned detection
See the analysis →
03 · Govern

Control it, prove it

Policy, lifecycle and audit-ready evidence.
  • Prioritised, guided remediation
  • Mapped to 11 governance frameworks
  • PSA-ready workflow & reporting
Govern & comply →
04 · Enable

Say yes to AI, safely

Deploy Copilot and agents on a clean, governed baseline.
  • Prioritised remediation to a safe baseline
  • Turn stalled pilots into governed production
  • Human-approved, your team stays in control
Adopt AI safely →
05 · Optimise

Keep raising the score

An independent NHI Risk Score that climbs over time.
  • Benchmark against peer tenants
  • Continuous Anomaly Intelligence Engine
  • Intelligence compounds with every tenant
The NHI Risk Score →
↻ One continuous, always-on loop. Every Optimise feeds the next Discover.
For security leaders

The questions every CISO is being asked right now.

AI adoption is accelerating faster than security teams can govern it, and security leaders are increasingly concerned about AI agents and their impact on security. AIRM was built to answer these questions, and to act on the answers.

“Are we ready for AI?”

Your board and CEO are pushing AI adoption, and you've been asked to sign off on it. But many organisations already have AI agents running in production, most deployed without security review, with permissions nobody explicitly granted.

How AIRM helps

A full inventory of every AI agent and non-human identity in the Microsoft 365 environment, so you can answer “what AI do we have, and what can it access?” before anyone signs off.

“What is Shadow AI doing in our environment?”

Unsanctioned AI tools are already running in most tenants. Many were granted OAuth tokens and elevated permissions plugged straight into business systems, outside any standard provisioning workflow.

How AIRM helps

AIRM detects every service principal and AI agent in the tenant, sanctioned or not. Unreviewed identities are flagged, with their permissions, blast radius and compliance implications shown together.

“If an approved AI agent is compromised, how bad could it get?”

An AI agent you legitimately approved can still be compromised: its logic updated, its permissions silently widened. Traditional tools watch for human behaviour anomalies, they weren't built to catch this.

How AIRM helps

Blast Radius Analysis maps exactly what an attacker would reach if any identity were compromised, built from real granted permissions, not assumed activity. You see the worst case before it happens.

“Are we compliant with the EU AI Act, DORA and ISO 42001?”

Regulators are now asking specific questions about AI governance. The EU AI Act's high-risk obligations phase in through 2026, and DORA has been in force since January 2025. Most organisations can't yet produce evidence of AI agent oversight.

How AIRM helps

Every finding maps automatically to 11 frameworks, including the EU AI Act, ISO 42001 and DORA, generating per-framework reports you can hand to auditors and regulators.

“How do we enable AI without losing control?”

Security teams are under pressure to enable AI, and saying yes without visibility is the fastest way to lose control. The organisations that build agent inventories and privilege policies now are the ones in control when something goes wrong.

How AIRM helps

AIRM is the visibility layer that makes “yes” safe: monitor every AI agent continuously, detect permission drift, get alerted when behaviour changes, and demonstrate governance to the board.

AIRM is your AI governance layer.

You don't have to choose between enabling AI and securing it. AIRM gives security teams the visibility, intelligence and evidence they need to say yes to AI with confidence.

Free NHI Risk Score →
No credit card · agentless · connect in minutes
The shift

Before AIRM, and after.

The same Microsoft 365 tenant, seen two ways. One is a blind spot. The other is governed, scored and defensible.

Before AIRM

An invisible identity layer

  • Non-human identities discovered manually, if at all.
  • AI agents and Shadow AI running without review.
  • Third-party apps and connectors nobody owns.
  • Service principals with aged, over-scoped credentials.
  • No evidence to hand an auditor, board or insurer.
After AIRM

A governed control plane

  • Every non-human identity discovered continuously and automatically.
  • Every AI agent surfaced, scored and given an owner.
  • Third-party and non-conforming agents caught by behaviour.
  • Permissions and credentials under continuous governance.
  • Board, auditor and insurer-ready evidence on demand.
What you get

Outcomes, not another dashboard.

AIRM turns invisible non-human identity into the things your business, board and auditors actually care about.

Reduce identity risk

Every non-human identity discovered, scored and ranked by the real damage it could do.

Secure Copilot & AI

See exactly what your Copilots and agents can reach, before an attacker finds out for you.

Control NHI sprawl

Owners, permissions and stale credentials brought under continuous governance.

Prove compliance

Evidence mapped to the EU AI Act, DORA, ISO 42001 and eight more frameworks, on demand.

Lower insurance exposure

Show insurers a governed, scored AI-identity posture instead of an unpriced blind spot.

Protect every tenant

One independent NHI Risk Score across your entire Microsoft 365 estate, tenant by tenant.

Why AIRM

Five reasons MSPs and customers choose AIRM.

AIRM does one job completely: it makes the AI identities in Microsoft 365 safe to adopt, govern and prove. Here's what you get.

Accuracy that grows

Scoring that sharpens the longer it runs

Every scan improves AIRM's model of how non-human identities behave, so your NHI Risk Score and peer benchmark get more accurate over time, never stale.

The Anomaly Intelligence Engine builds a behavioural fingerprint for every identity and gets sharper scan over scan, giving you peer benchmarking a point-in-time scanner can't offer.
Independent

A score auditors and boards trust

An independent, cross-vendor NHI Risk Score that auditors, insurers and boards actually trust, because it isn't Microsoft assessing Microsoft.

Only a third party can give a defensible, cross-vendor verdict on your AI identity risk, with peer benchmarking against similar organisations.
Complete

Sees the agents Microsoft misses

AIRM finds AI and non-human identities by what they do and the permissions they hold, so it catches the third-party and non-conforming agents that naming-based tools miss.

A rogue or renamed agent still gets caught, mapped to its real blast radius and scored, so nothing operates in your tenant unseen.
Delivered by your MSP

Bought as a managed service

Every client tenant in one console, PSA-integrated and white-labelled, governance you buy from the partner who already runs your Microsoft 365.

One multi-tenant console, per-tenant NHI Risk Scores, PSA-ready alerts (ConnectWise, HaloPSA, Autotask) and white-label reports, delivered as a recurring service line.
Audit-ready

Compliance evidence built in

Findings mapped to 11 frameworks and turned into audit-ready reports automatically, as those standards move from advisory to mandatory.

Findings map to EU AI Act, DORA, ISO/IEC 42001, NIST AI RMF and seven more, generating per-framework, auditor- and insurer-ready evidence packs on demand.

Together they make AIRM the simplest way to see, govern and prove the safety of every AI identity in Microsoft 365, for the MSP that delivers it and the customer that relies on it.

How AIRM is different

Not another horizontal NHI tool.

The non-human identity security market is real and growing fast, but most of it is built for large enterprises chasing SaaS-to-SaaS sprawl, sold one tenant at a time. AIRM is the one purpose-built for Microsoft 365 and delivered through MSPs, so it reaches the mid-market and SMB tenants the enterprise-direct tools never will, and scores every one independently.

Horizontal NHI platforms
  • Broad SaaS-to-SaaS & OAuth coverage across many apps
  • Enterprise-direct sales, one tenant at a time
  • Built for large in-house security teams
Sabiki AIRM
  • Microsoft 365-native and deep, by behaviour not naming
  • Delivered through MSPs, one-to-many, at mid-market scale
  • An independent NHI Risk Score on every tenant
Independent validation

The analysts see it too: AI agents break traditional identity governance.

What Gartner and the wider market are already saying about the non-human identity gap.

“By 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents occur.”

Gartner, “Applying Uniform Governance Across AI Agents Will Lead to Enterprise AI Agent Failure”, May 2026 · source ↗

“The rise of AI agents is introducing new challenges to traditional identity and access management (IAM) strategies… Failure to address these issues will lead to greater risk of access-related cybersecurity incidents as autonomous agents become more prevalent.”

Gartner, “Top Cybersecurity Trends for 2026”, Feb 2026 · source ↗

61% of partners still struggle to get AI projects out of the proof-of-concept stage with customers.”

Canalys (now part of Omdia), “MSP Trends & Predictions 2025” · source ↗

AI is stalling on governance, yet adoption is the channel's growth engine. That's the gap MSPs close for their customers with Sabiki AIRM: turning stalled pilots into safe, governed production, delivered as a recurring managed service. (The non-human identity security market is forecast to grow to ~US$23bn by 2030, a ~23% CAGR, Mordor Intelligence.)

The Sabiki NHI Risk Score

One independent score for NHI risk. Like a credit score for your tenant.

Everything AIRM discovers, rolled into a single, benchmarkable score you can track, improve and take to the board, across Microsoft-native and third-party non-human identities.

72/100
Moderate · improving
This tenant72
Peer average64
  • Independent & cross-vendor, Microsoft-native and third-party non-human identities, objectively scored.
  • Benchmarked against peers, see how a tenant compares with similar organisations.
  • Improves over time, show measurable progress, quarter on quarter.
  • Board- and insurer-ready, the figure leadership asks for.
See it in action

See what AIRM finds in a client tenant.

Filter the non-human identities and click any one to see its real Graph permissions, blast radius and the recommended fix. This is illustrative data. Your own scan runs read-only through Microsoft Graph.

Sabiki NHI Risk Score
Acme Corp · illustrative tenant
Needs attention
Blast radius: Critical
Peer average: 71
NHIs in view9
Critical in view2
Over-permissioned6
Third-party / non-conforming4
Run this on your tenants, free →

Agentless, read-only, revoke anytime. Findings shown are representative of a real assessment.

Works with Microsoft

The independent layer on top of your Microsoft investment.

Microsoft secures the platform; Sabiki adds the independent non-human identity observability and governance you run before you deploy AI. Every finding maps to 11 governance frameworks, the AI-specific ones built in.

An enterprise, not an MSP? AIRM is delivered through Sabiki partners. Talk to us and we'll connect you →

Who delivers it

The future of AI adoption runs through MSPs.

Customers aren't just buying Microsoft 365, Copilot or AI agents, they're buying a trusted partner who can deploy AI safely. Sabiki AIRM is how MSPs deliver exactly that.

Empowers your people

Gives teams the visibility to confidently say yes to AI, it doesn't replace them.

Extends Microsoft

An independent governance layer on top of Microsoft 365, never a rip-and-replace.

Simplifies governance

One score, one report, prioritised actions, complexity removed, not added.

Value for customers · safe, confident AI Revenue for MSPs · a new recurring service Faster adoption · for organisations

The result: the one layer positioned to turn an MSP's trust into safe AI adoption, independent of Microsoft, out of reach of enterprise-direct tools.

The MSP opportunity

A new service line that makes you money.

AIRM isn't another cost to carry. It's a recurring, high-margin service you sell into every Microsoft 365 client, with zero infrastructure to run.

New monthly recurring revenue
Differentiate your Microsoft practice
Sell AI readiness assessments
Reduce clients' cyber-insurance risk
One-click tenant health checks
Automated executive reports
Multi-tenant, one console
Zero infrastructure to run
5
client tenants
~$32k
Year 1 revenue
25
client tenants
~$168k
Year 1 revenue
50
client tenants
~$336k
Year 1 revenue

Illustrative, USD. Assumes ~$5,100/tenant/yr in services (onboarding $1,500 + governance $250/mo + posture $150/qtr) plus partner-tier licence margin (Registered 25% → Gold 33% → Elite 40%, by tenants adopted). See assumptions & model your own →

What you receive

A full risk report on every tenant.

See exactly what your customers receive before anyone registers: the NHI Risk Score, a full non-human identity inventory, prioritised findings, recommended actions and compliance mapping across the 11 frameworks.

See the full report your customers receive →
Microsoft ISV PartnerCertified Microsoft partner
Microsoft Verified PublisherPublisher identity verified with Microsoft
IT JunctionSecure366+ more soon

Sabiki is a registered Microsoft ISV partner and a Microsoft Verified Publisher. AIRM is built natively on Microsoft 365 and the Microsoft Graph API, agentless and read-only. Early MSP partners include IT Junction and Secure366.

Get started

Assess your entire client base, free.

Register once and run a full AIRM risk report on every Microsoft 365 tenant in your book, at no cost, see exactly what AI is running, scored, with the actions to fix it.

or book a 1:1 demo →
Free on every client tenantA full report on eachRead-only Day 111 governance frameworks
Chat with Sabiki
Ask about NHI risk, pricing or the MSP programme
Hi 👋 Want your NHI Risk Score, or a question about deploying Sabiki? Ask away, or register free.
Free NHI Risk Score →
Prototype, vendor chat widget mounts here (e.g. Intercom Fin).