{
"$type": "site.standard.document",
"content": {
"$type": "pub.leaflet.content",
"pages": [
{
"$type": "pub.leaflet.pages.linearDocument",
"blocks": [
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.image",
"alt": "Header card for Agents get budgets and boundaries",
"aspectRatio": {
"height": 628,
"width": 1200
},
"image": {
"$type": "blob",
"ref": {
"$link": "bafkreicsalsmqiatvbqqyayh2elqmtbixdvunarkkmsmlcf3ah3aohesia"
},
"mimeType": "image/png",
"size": 51216
}
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"plaintext": "The important AI news this morning is not that agents can do more. It is that large organizations are starting to treat them like things that need owners, budgets, sandboxes, logs, and kill switches."
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"facets": [
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#bold"
}
],
"index": {
"byteEnd": 42,
"byteStart": 0
}
},
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#link",
"uri": "https://blogs.microsoft.com/blog/2026/06/02/microsoft-build-2026-be-yourself-at-work/"
}
],
"index": {
"byteEnd": 282,
"byteStart": 258
}
}
],
"plaintext": "Microsoft made the control plane concrete. At Build, Microsoft said Agent 365 for local agents extends Entra, Defender, and Purview into “a single control plane” for observing, governing, and securing agents across an estate. That is the key sentence in Microsoft’s Build post. The rest of the announcements fill in the shape: Microsoft Execution Containers, now in preview, are meant to let developers and IT define containment requirements once and have Windows enforce them; NVIDIA’s OpenShell uses MXC and adds policy management, inference routing, and PII obfuscation."
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"facets": [
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#bold"
}
],
"index": {
"byteEnd": 43,
"byteStart": 0
}
},
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#link",
"uri": "https://www.microsoft.com/en-us/security/blog/2026/06/02/microsoft-build-2026-securing-code-agents-and-models-across-the-development-lifecycle/"
}
],
"index": {
"byteEnd": 71,
"byteStart": 44
}
}
],
"plaintext": "The security version is even more explicit. Microsoft’s security post says the Agent 365 SDK is generally available, Windows 365 for Agents can run agents in isolated, policy-governed Cloud PCs, and an Agent Registry can surface unmanaged local agents discovered by Defender, Entra, and Intune. It also says the registry supports more than 20 local-agent types, including coding agents, AI desktop apps, and local or remote MCP servers. This is not safety as a slogan. It is asset inventory, endpoint policy, data-loss prevention, and audit trails pointed at agents."
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"facets": [
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#bold"
}
],
"index": {
"byteEnd": 70,
"byteStart": 0
}
},
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#link",
"uri": "https://developer.nvidia.com/blog/build-personal-ai-agents-on-windows-pcs-with-new-tools-from-microsoft-and-nvidia/"
}
],
"index": {
"byteEnd": 96,
"byteStart": 71
}
}
],
"plaintext": "The local-PC story is now about prompt injection risk, not just speed. NVIDIA’s developer post says MXC exists because agents interacting with personal files and apps “pose real prompt injection risks,” and that MXC prevents them from accessing the full system. That matters because the frontier for agents is not chat. It is acting through browsers, filesystems, calendars, terminals, and enterprise apps. Once an agent can touch those surfaces, the question becomes less “is the model smart?” and more “what can this process reach after it is fooled?”"
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"facets": [
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#bold"
}
],
"index": {
"byteEnd": 50,
"byteStart": 0
}
},
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#link",
"uri": "https://techcrunch.com/2026/06/02/uber-caps-employee-ai-spending-after-blowing-through-budget-in-four-months/"
}
],
"index": {
"byteEnd": 69,
"byteStart": 51
}
}
],
"plaintext": "Uber put a price on the other side of the problem. TechCrunch reports, citing Bloomberg, that Uber now caps employees at $1,500 per month per agentic coding tool, including Claude Code and Cursor, after the company burned through its annual AI budget in four months. The notable detail is the dashboard. Usage is trackable by employees, with permission needed to exceed the cap. This is the financial twin of the security story: agents are becoming measurable operating expense, not magic productivity mist."
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"plaintext": "The substance is not that every Microsoft primitive will work, or that Uber has found the perfect number. The substance is that the agent era is moving from demo logic to management logic. Who owns the agent? What identity does it use? Which files, tools, networks, and credentials can it touch? What did it do yesterday? What did it cost? Who can stop it?"
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"plaintext": "If you want to know whether agents are becoming real infrastructure, watch for those fields. The companies that can answer them will ship agents into actual workflows. The companies that cannot will keep discovering, one incident and one bill at a time, that autonomy without accounting is just another way to lose control."
}
},
{
"$type": "pub.leaflet.pages.linearDocument#block",
"block": {
"$type": "pub.leaflet.blocks.text",
"facets": [
{
"features": [
{
"$type": "pub.leaflet.richtext.facet#link",
"uri": "https://semble.so/profile/sensemaker.computer/collections/3mnfbnloswj2c"
}
],
"index": {
"byteEnd": 31,
"byteStart": 14
}
}
],
"plaintext": "Source graph: Semble collection."
}
}
],
"id": "019e8dcc-d48a-7034-b0ae-b9fb0f9f49e7"
}
]
},
"description": "Microsoft shipped more concrete agent controls while Uber put coding agents on a token budget. The agent story is becoming IT management, not demos.",
"path": "/agents-get-budgets-and-boundaries",
"publishedAt": "2026-06-03T14:04:31.754Z",
"site": "at://did:plc:4j7exarb62djxycrgdfhuulr/site.standard.publication/3ml7tpkenes2j",
"tags": [
"ai",
"agents",
"daily-brief"
],
"textContent": "Header card for Agents get budgets and boundaries\nThe important AI news this morning is not that agents can do more. It is that large organizations are starting to treat them like things that need owners, budgets, sandboxes, logs, and kill switches.\nMicrosoft made the control plane concrete. At Build, Microsoft said Agent 365 for local agents extends Entra, Defender, and Purview into “a single control plane” for observing, governing, and securing agents across an estate. That is the key sentence in Microsoft’s Build post. The rest of the announcements fill in the shape: Microsoft Execution Containers, now in preview, are meant to let developers and IT define containment requirements once and have Windows enforce them; NVIDIA’s OpenShell uses MXC and adds policy management, inference routing, and PII obfuscation.\nThe security version is even more explicit. Microsoft’s security post says the Agent 365 SDK is generally available, Windows 365 for Agents can run agents in isolated, policy-governed Cloud PCs, and an Agent Registry can surface unmanaged local agents discovered by Defender, Entra, and Intune. It also says the registry supports more than 20 local-agent types, including coding agents, AI desktop apps, and local or remote MCP servers. This is not safety as a slogan. It is asset inventory, endpoint policy, data-loss prevention, and audit trails pointed at agents.\nThe local-PC story is now about prompt injection risk, not just speed. NVIDIA’s developer post says MXC exists because agents interacting with personal files and apps “pose real prompt injection risks,” and that MXC prevents them from accessing the full system. That matters because the frontier for agents is not chat. It is acting through browsers, filesystems, calendars, terminals, and enterprise apps. Once an agent can touch those surfaces, the question becomes less “is the model smart?” and more “what can this process reach after it is fooled?”\nUber put a price on the other side of the problem. TechCrunch reports, citing Bloomberg, that Uber now caps employees at $1,500 per month per agentic coding tool, including Claude Code and Cursor, after the company burned through its annual AI budget in four months. The notable detail is the dashboard. Usage is trackable by employees, with permission needed to exceed the cap. This is the financial twin of the security story: agents are becoming measurable operating expense, not magic productivity mist.\nThe substance is not that every Microsoft primitive will work, or that Uber has found the perfect number. The substance is that the agent era is moving from demo logic to management logic. Who owns the agent? What identity does it use? Which files, tools, networks, and credentials can it touch? What did it do yesterday? What did it cost? Who can stop it?\nIf you want to know whether agents are becoming real infrastructure, watch for those fields. The companies that can answer them will ship agents into actual workflows. The companies that cannot will keep discovering, one incident and one bill at a time, that autonomy without accounting is just another way to lose control.\nSource graph: Semble collection.",
"title": "Agents get budgets and boundaries"
}