At the end of January, I had the opportunity to attend the Microsoft Security Engineering Airlift 2026 on the Microsoft Campus in Redmond. Over the course of several days, security practitioners, engineering leads and selected partners came together to discuss architecture trends, strategic developments and operational challenges in the Microsoft security environment.
The focus was on one central question: Where are modern security operations heading and what priorities should organizations set now to keep pace with AI integration, cloud dynamics and regulatory pressure?
What is the Microsoft Security Engineering Airlift?
The Microsoft Security Engineering Airlift is an exclusive technical event on the Microsoft Campus in Redmond, USA. Selected partners and engineering leads come together to share best practices and discuss architecture trends and strategic developments within the Microsoft Security Platform.
As the sessions were held under a non-disclosure agreement (NDA), this article focuses on overarching topics and practical insights that are particularly relevant for customers and security managers.
Key Takeaways
- Security operations are developing into AI-supported platform architectures. Signals from identity, endpoint, cloud and data are standardized in order to control investigation and response more consistently and quickly.
- Non-human identities must be governed like user accounts. AI agents require lifecycle management, access controls and continuous monitoring to prevent misuse and misconfiguration.
- Exposure management replaces isolated alert processing. Graph-based attack path analyses help to identify critical dependencies and proactively reduce risks before incidents occur.
- Zero Trust Network Access structurally reduces lateral movement. Access is granted based on identity and context instead of allowing broad network access.
- Data security is a prerequisite for secure AI use. Classification, protection guidelines and policy enforcement must follow the data, regardless of storage location or use.
The big picture: security is being standardized and driven by AI
A clear development was recognizable across all sessions. Security operations are moving towards a more unified experience. Signals, incidents, investigation context and governance are becoming more integrated to reduce tool-hopping and shorten response times.
This is critical because attackers already operate end to end across identity, endpoints, email, SaaS and cloud. Defenders need the same cross-domain visibility and the ability to act quickly, with humans and AI working together rather than separately.
Security for AI
One recurring message was clear: AI agents will become part of the workforce, and they need to be managed and secured like any other identity. Agents can continuously perform tasks, access sensitive data and trigger actions, so security and governance are not optional but a prerequisite.
Two concrete implications for organizations:
- Identity controls also apply to non-human identities. This includes lifecycle management, conditional access and comprehensive visibility of authorizations and activities.
- Data security is the basis for secure AI use. Classification, protection and policy enforcement must follow the data, regardless of where it is stored or how it is used by AI.
Graph-based defense and exposure management
Another key topic was the need for a better overall view of one's own environment. Modern attacks move across domains, from on-premises to the cloud and from identities to SaaS applications, and the gaps between tools and teams are often exploited.
The focus was therefore placed on approaches that help security teams to set real priorities:
- Building an asset-centric view that links identities, devices, cloud resources and data.
- Understanding attack paths, i.e. how an attacker can move laterally, and focusing on the crown jewels: the few critical assets whose protection contributes most to risk reduction.
- Shift left from reactive firefighting to proactive remediation. The aim is to reduce exposure before an incident occurs.
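To make the attack path idea concrete, here is an added example of my own (not code from the event, from Microsoft or from any product) that builds a small constructed asset graph with hypothetical node names, enumerates paths from entry points to crown jewels, ranks the choke points by how many paths cross them, and recounts the paths after a hypothetical remediation removes one node.

```python
from collections import defaultdict

# Constructed asset graph (not from the article); all names are hypothetical.
# Edge A -> B means "control of A yields control of B" (cached credentials,
# group membership, admin role assignment, secret stored on a share).
EDGES = [
    ("workstation-01", "user-alice"),        # credentials cached on the workstation
    ("user-alice", "helpdesk-group"),
    ("helpdesk-group", "server-files"),
    ("server-files", "svc-backup"),          # service account secret on a share
    ("svc-backup", "domain-controller"),
    ("workstation-02", "user-bob"),
    ("user-bob", "cloud-app-admin"),
    ("cloud-app-admin", "svc-backup"),
    ("user-bob", "storage-account-prod"),
]
CROWN_JEWELS = {"domain-controller", "storage-account-prod"}
ENTRY_POINTS = {"workstation-01", "workstation-02"}

def build_graph(edges):
    g = defaultdict(set)
    for src, dst in edges:
        g[src].add(dst)
    return g

def attack_paths(graph, start, targets):
    """All simple paths from start to any crown jewel (DFS; fine for small graphs)."""
    paths = []
    def dfs(node, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:            # simple paths only, no cycles
                dfs(nxt, path + [nxt])
    dfs(start, [start])
    return paths

def choke_points(graph, entries, targets):
    """Total path count plus intermediate nodes ranked by how many paths cross them."""
    paths = [p for e in sorted(entries) for p in attack_paths(graph, e, targets)]
    counts = defaultdict(int)
    for p in paths:
        for node in set(p[1:-1]):          # exclude entry point and crown jewel
            counts[node] += 1
    return len(paths), sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def paths_after_fix(edges, entries, targets, removed):
    """Recount paths once a remediation removes one node (role, credential, host)."""
    pruned = [(s, d) for s, d in edges if removed not in (s, d)]
    return choke_points(build_graph(pruned), entries, targets)[0]
```

Ranking shows that the backup service account and one user sit on two of the three paths each, so fixing either of them removes more exposure than patching any single workstation.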
Zero Trust Access: beyond the classic VPN model
The modern enterprise is hybrid. Secure access is no longer just a network issue, but above all a question of identity and policies.
One area that was particularly emphasized is Zero Trust Network Access, or ZTNA for short. Users and agents are given granular access to specific applications and services instead of broad network access. This limits lateral movement and significantly reduces the attack surface compared to traditional VPN patterns.
In addition, the importance of secure on-premises access to private applications and domain controllers was emphasized. This area remains a central element of modern security programs.
Data security as the basis for secure AI use
There was a strong focus on data security, particularly in view of the reality that AI increases the risk of oversharing and unintentional exposure. Risk reduction is based on several building blocks:
- Discovery and classification: Knowing where sensitive data is located and how it is used.
- Policy enforcement across endpoints, browsers and networks, not just within a single application.
- Faster investigation workflows that help security teams answer questions like "what happened" more efficiently and contain incidents across large data landscapes.
What these developments mean for companies
The most important finding for Swiss organizations is the following: The SOC of the future is AI-supported, identity-centric and standardized across all signals. At the same time, it remains controlled, compliant and cost-conscious.
At itnetX, we translate these platform developments into concrete results. Typical customer priorities that we support are:
- AI Security Readiness: Governance for AI use, securing agent identities and implementing clear data guardrails.
- SOC modernization: Optimization of detection-to-response workflows, reduction of log noise and costs as well as simplification of incident handling across multiple domains.
- Exposure Reduction Program: Proactive remediation strategies for attack paths, misconfigurations and vulnerabilities to reduce the likelihood of breaches.
- Zero Trust Access Modernization: Replacement of classic access patterns with granular, identity-based access with continuous policy enforcement.
- Consolidation of the security platform: Alignment of tools, processes and operating model under a clear Zero Trust strategy.
Next step: Targeted further development of architecture
If you would like to make these fields of action concrete for your own organization, we will be happy to support you in the structured planning and implementation of the next architecture phase. Contact us for a professional exchange.
Conclusion: The next phase of security operations
I returned from Redmond with the clear realization that the next phase of security will be characterized by agentic workflows, unified security operations and strong governance, especially in the area of identity and data.
I look forward to incorporating these learnings into our customer projects at itnetX and supporting organizations in developing their security in a modern, pragmatic and sustainable way.
About the author
Charbel Nemnom is Senior Cloud and Security Architect at itnetX Schweiz AG and specializes in modern cloud security and security operations. As a Microsoft Sentinel Champion, he supports organizations in building and developing their SOC capabilities with a focus on measurable risk reduction and real-world results.
He holds a federal diploma as Information Security Manager and numerous industry and Microsoft certifications, including CCSP, CISM, CCAK, CCSK, Microsoft Certified Trainer, Microsoft Certified Cybersecurity Architect and Azure Solutions Architect Expert.
Favorite project: SIEM migration. Helping clients transition to a modern, scalable SIEM platform with improved detection quality, reduced costs, increased operational efficiency and clear governance.