Agentic AI · 6 min read

Build 2026 Made Safe AI Agents an OS Feature. We Were Already Running Them in Production.

Microsoft made agent containment a built-in Windows primitive at Build 2026. We had already deployed contained, enterprise-grade AI agents in production.

By Justin Hinote


At Build last week, Microsoft called Windows the most trusted platform to build and run agents. Not the fastest, not the most capable. The most trusted. That is Microsoft saying out loud what most of the industry has spent the past year talking around: running autonomous agents safely is the hard part, and most teams have not solved it.

We have. Build 2026 did not change how we deploy agents for clients. It confirmed it.

What Microsoft actually shipped

The headline is Microsoft Execution Containers, or MXC. Microsoft calls it a policy-driven execution layer for agents, with isolation that scales from a sandboxed process up to a micro-VM or a full Linux container depending on how much you need to lock down. The useful part sits underneath the marketing. You declare what an agent is allowed to touch, files and network, and Windows enforces it at runtime. Every agent gets a real identity, local or backed by Entra, so you can actually attribute what it did. And you manage all of it with the same tools your security team already runs: Intune, Defender, Entra, Purview.

Microsoft named its launch partners for this work: Hermes, Manus, NVIDIA, OpenAI, and OpenClaw. OpenClaw's node and gateway now run on Windows inside MXC. Public preview is next month, with general availability in the Windows 11 2026 Update in October.

Take the product names out of it and Microsoft just turned three things into operating-system features: containment, identity, and management. Those happen to be the three questions every serious company asks before it lets an agent near real data.

We didn't wait for the OS to catch up

Here is the part that matters if you are actually weighing agents for real work. The architecture Microsoft is now building into Windows is the one we have already been running in production, for clients in transportation and logistics, technology, construction, and nonprofits.

When we put an agent into a client's operation, it does not run on a laptop with a god-mode API key. It runs on its own virtual machine, walled off from anything it has no business touching. We reach it through a bastion, so access is brokered and logged instead of wide open. It gets least privilege, narrow grants to the few systems it needs and nothing more. And a human signs off on anything that cannot be undone: money going out, an email going to a client, code going to production. The agent does the work and drafts the action. A person approves the part you cannot take back.

That is the same shape Microsoft just described. Declare what the agent can reach, enforce it at runtime, attribute every action, keep a person in the loop where a mistake is expensive. We got here the unglamorous way, by being on the hook for production systems at companies that do not get a do-over with their data. Build 2026 is Microsoft taking that pattern and making it the default.
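The pattern above (declare scope, enforce at runtime, attribute every action to an identity, hold irreversible actions for a human) can be sketched as a small policy gateway. This is an added illustration, not code from Microsoft, OpenClaw or the author; the agent identities, path globs, hosts and action names are constructed for the example.

```python
"""Agent action gateway: declared scope, runtime enforcement, attribution, human approval.

Added example, not the page's or any vendor's code. Agent ids, scopes and actions are
constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Actions a person must sign off on: money out, a message to a client, code to production.
IRREVERSIBLE = {"spend", "send", "deploy"}


@dataclass
class AgentPolicy:
    agent_id: str          # identity every action is attributed to
    allowed_paths: list    # glob patterns the agent may read or write
    allowed_hosts: list    # network destinations the agent may reach


@dataclass
class Gateway:
    policies: dict                                  # agent_id -> AgentPolicy
    audit_log: list = field(default_factory=list)   # one record per request, allowed or not
    pending: dict = field(default_factory=dict)     # approval id -> action awaiting a human
    counter: int = 0

    def _record(self, agent_id, action, target, outcome):
        self.audit_log.append({"agent": agent_id, "action": action, "target": target, "outcome": outcome})
        return outcome

    def request(self, agent_id, action, target):
        """Enforce the agent's declared scope; return the outcome string that was logged."""
        policy = self.policies.get(agent_id)
        if policy is None:
            return self._record(agent_id, action, target, "denied:unknown-agent")
        if action in ("read", "write") and not any(fnmatch(target, p) for p in policy.allowed_paths):
            return self._record(agent_id, action, target, "denied:path-out-of-scope")
        if action == "connect" and target not in policy.allowed_hosts:
            return self._record(agent_id, action, target, "denied:host-out-of-scope")
        if action in IRREVERSIBLE:
            self.counter += 1
            approval_id = f"{agent_id}:{self.counter}"
            self.pending[approval_id] = (agent_id, action, target)
            return self._record(agent_id, action, target, f"held:{approval_id}")
        return self._record(agent_id, action, target, "allowed")

    def approve(self, approval_id, approver):
        """A named person releases a held action; the approval itself is attributed and logged."""
        if approval_id not in self.pending:
            return "denied:no-such-approval"
        agent_id, action, target = self.pending.pop(approval_id)
        return self._record(agent_id, action, target, f"allowed:approved-by-{approver}")
```

Denials are logged as well as approvals, so the audit trail shows what an agent tried to reach, not only what it was allowed to do.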

Running agents this way, safely, at real scale, across more than one industry, is still rare. It is the actual work, not a demo reel, and it is the part we have been doing.

Why the validation matters for buyers

For most of the past year the agent conversation has been a standoff, and I have watched it from the operator seat. Vendors showed slick demos. Security teams said no. Security was usually right, because the controls a CISO needs (isolation, identity, an audit trail, policy enforcement) lived in custom engineering instead of the platform. Every deployment turned into its own argument.

Microsoft moving those controls into the OS ends that argument. It tells every security team that contained, identity-bound, policy-gated agents are the normal expectation now, not some exotic risk you have to be talked into. That is good for the whole market. It is especially good for the shops that were already building to that bar before anyone made them.

We build on OpenClaw, the runtime Microsoft just named as one of its Build 2026 containment partners, and on Anthropic's Claude, where we are a member of the Claude Partner Network. To be clear about it, we are not a party to the Microsoft and OpenClaw deal. We are an operator that picked this stack early and ran it safely in production. The platforms are catching up to the bar we set for ourselves.

What this means if you're evaluating agents

You do not have to choose anymore between moving fast on AI and keeping security happy. The architecture that keeps security happy is becoming the default. What is left is execution: figuring out where an agent actually belongs in your operation, scoping it right, containing it, and putting the human checkpoints in the right spots.

That is the gap we close. If your team got told to go do something with agents and your security posture is the reason nothing has shipped, that excuse is gone. The safe way to do this is the way we have been doing it the whole time.

Frequently Asked Questions

What did Microsoft announce about AI agents at Build 2026?

At Build 2026 on June 2, Microsoft positioned Windows as the most trusted platform for building and running AI agents. The centerpiece is Microsoft Execution Containers (MXC), a policy-driven isolation layer that lets you declare what an agent can access and then enforces it at runtime. It pairs that with Entra-backed identity for agents and Intune policy controls. Public preview is expected the following month, with general availability in the Windows 11 2026 Update in October.

What is MXC (Microsoft Execution Containers)?

MXC is Microsoft's execution layer for AI agents. It gives you a range of isolation, from a sandboxed process up to micro-VMs and Linux containers, so an agent only reaches the files and networks an administrator has allowed. With identity and policy management on top, it turns containment, attribution, and management into built-in operating-system features instead of custom engineering.

Is Queen City AI part of the Microsoft and OpenClaw partnership?

No. The partnership announced at Build 2026 is between Microsoft and OpenClaw, the agent runtime platform. We build our clients' systems on OpenClaw and on Anthropic's Claude, and we are a member of the Claude Partner Network. We adopted this stack early and have deployed it safely in production. We are not a party to the Microsoft and OpenClaw agreement.

How does Queen City AI deploy AI agents safely for clients?

Each agent system runs on its own virtual machine, gets reached through a bastion so access is brokered and logged, and is scoped to least privilege. A person approves the irreversible steps: spend, send, and deploy. It is the same containment, identity, and human-in-the-loop approach Microsoft has now made a platform default.

Do we have to wait for the Windows 11 2026 Update to run AI agents safely?

No. The platform updates make this easier and more standard, but the controls that keep agents safe (isolation, least privilege, an audit trail, and human approval on costly actions) can be built today on existing infrastructure. We run them in production now.
