Check the source code, not the roadmap.
Microsoft just announced its Foundry hosted agents have reached General Availability. The press releases are, as expected, a symphony of innovation: autonomous infrastructure, enterprise-grade AI, a seamless future where bots handle your spreadsheets. But I spent the last 48 hours dissecting what this GA actually means, not as a product launch, but as a systems-level failure of architectural honesty.
The core claim: 'hosted agents' can 'run indefinitely,' autonomously executing complex business workflows. The industry media is already declaring the death of SaaS and the dawn of a new labor paradigm. Hype is just noise in the signal. The real signal here is something else entirely: a massive, unacknowledged dependency on centralized compute and opaque reasoning pipelines.
Let’s start with the technical premise. A 'hosted agent' is not a single model. It’s a stack: an orchestration layer (likely Copilot Studio), a reasoning engine (GPT-4o series), and a tool-calling interface (Azure Functions, Power Automate). When you tell this agent to 'analyze Q3 sales data and auto-ship reorders,' what actually happens? The orchestration layer calls the model. The model generates a plan. That plan calls external APIs. Each step generates a token. Each token is computed on a server you don't own.
The problem? 'Running indefinitely' implies a stateful, persistent process. But the underlying infrastructure is fundamentally session-based. Azure’s AI services operate on discrete request-response loops. There is no persistent execution context. The 'infinite' agent is actually a series of short-lived, stateless invocations that are stitched together by a centralized scheduler. If the math doesn’t balance, the promise is a liability.

This creates a fundamental contradiction. The enterprise is told it’s deploying autonomous agents. In reality, it’s leasing a black-box orchestration service that can be paused, throttled, or modified at the provider’s discretion. The agent isn't autonomous; it's a remote-controlled puppet. The 'unlimited' runtime is a marketing fiction masking a metered API call budget.
Based on my audit experience with 2020’s DeFi composability disasters, I see an exact parallel here: the 'oracle problem' disguised as a product. Back then, protocols claimed decentralized price feeds but relied on a single data source. Today, Microsoft claims autonomous agents but relies on a single layer of centralized orchestration. The risk is not malicious, but systemic. A failure in the orchestrator - a network partition, a throttling spike, a bug in the task queue - doesn’t just slow down an agent; it kills the entire execution state. There’s no state to restore from. The agent is simply gone.
fully audited. Is it? Probably, in terms of code. But the security model here is not about Solidity logic; it’s about infrastructure trust. The auditing of such a system requires proving the orchestration doesn’t leak state, that the tool-calling is sandboxed, and that the scheduler respects constraints. None of this is visible to the user. The 'source code' of the agent is hidden behind a REST API. The real audit is of a closed system.
The industry’s response to this has been predictably bullish. 'This is the moment enterprise AI goes mainstream.' I’ve seen this narrative before - in 2021 with 'composable DeFi.' The bulls are right about the demand vector. Enterprises want automation. The contrarian truth is that this GA accelerates a dangerous dependency. It locks organizations into a compute architecture where the cost of switching is not just time, but the loss of all previously 'autonomous' processes. You don’t build agents; you rent them. And rental agreements are always renegotiated.
The takeaway is not to avoid hosted agents, but to audit them with the same rigor you'd apply to a hardware root of trust. Demand to see the orchestration logs. Require the ability to export agent state in an open format. Force transparency on where the computation runs. Until then, ‘fully audited’ is just a label.