Two pitches, same month. That’s where this starts.

Your Microsoft account team wants to walk you through Agent 365 — the new control plane for governing every AI agent in your organization, GA as of May 1, 2026. Your Salesforce rep wants to walk you through MuleSoft Agent Fabric — the multi-vendor agent governance layer that shipped in September 2025. Both decks show your entire agent fleet, centrally managed. Both highlight open standards — MCP, A2A — as proof they’re not locking you in. Both close with the same implicit argument: pick us as the system of record for your agents, and everything else falls into place.

The uncomfortable thing is that both vendors mean it.

If you’re running Anypoint Platform today, the evaluation is less symmetrical than it looks. One of these products is likely already in your contract.

The Naming Problem Nobody Is Talking About

Start with the taxonomy, because it’s a mess.

Microsoft has “Microsoft Fabric” — the data platform built on Delta Lake and OneLake. I traced its lock-in structure in the last post in this series: open at the storage layer, proprietary at the experience layer above it. Microsoft also has “Microsoft Foundry agents” — the agent runtime inside Microsoft Foundry (formerly Azure AI Foundry, renamed at Ignite 2025, the dropped “Azure” being a deliberate signal about cross-cloud ambitions).

MuleSoft has “Agent Fabric.” Launched September 2025. Not a Microsoft product.

The collision creates real confusion in evaluations. “Agent Fabric” without a vendor qualifier sounds like it could be a Fabric-adjacent Microsoft offering — especially when Microsoft field teams routinely talk about “agents in Fabric” and “Foundry agents” in the same conversation. The collision is not accidental. When two platforms fight for the same governance position, the one that creates naming ambiguity in the other’s evaluations wins a few RFPs by default.

This matters for what follows. Every time this post refers to “Agent Fabric,” it means MuleSoft Agent Fabric — Salesforce’s cross-vendor agent governance platform. Microsoft has no product with that name.

MuleSoft Agent Fabric, Decoded

Agent Fabric shipped in September 2025. If you’re running Anypoint Platform at the Platinum, Titanium, Unlimited, or Integration Advanced tier, there is no additional line item. You are already paying for it.

The platform has four components:

Agent Registry — a curated catalog of MCP servers and agent connections. Third-party MCP server discovery and add-by-URL registration went GA in January 2026. At TDX 2026 in March, Salesforce added 60+ MCP tools and 30 preconfigured coding skills to the registry. This is the discovery layer — the organizational catalog where agents find the tools they’re allowed to call.

Agent Broker — the routing and orchestration layer that connects agents to registered tools and other agents. Handles the traffic between an agent that needs a capability and the MCP server or A2A endpoint that provides it.

Agent Visualizer — end-to-end visibility into agent-to-agent and agent-to-tool relationships across the fleet. Lets platform and security teams filter by agent type, tool type, and call pattern. This is the observability surface that turns an agent sprawl problem into a governance dashboard.

Governance — the enforcement layer, built on Flex Gateway.

The governance capability is more developed than most evaluations give it credit for. MuleSoft’s AI Gateway, built on Flex Gateway, has shipped specific policy types that are GA and documented: LLM Token Based Rate Limit (token-window quotas per application and business group), Prompt Guard (prompt injection firewall), Semantic Routing (routes prompts by contextual meaning to cheaper or more specialized models), and PII detection. These are versioned policies in the Flex Gateway documentation, not roadmap slides.

MCP and A2A governance are similarly concrete. MCP Connector 1.4 and A2A Connector 1.1 are both versioned, maintained, and documented. Flex Gateway ships A2A Schema Validation, A2A Rate Limiting and Spike Control, and A2A SSE Content Logging for audit trails. Current releases, not preview-tagged.

The integration into Agentforce completes the picture. Agentforce MuleSoft: API Catalog unifies APIs from MuleSoft, Salesforce, and Heroku in a single admin work area. Agentforce MuleSoft: Topic Center turns those APIs into Agentforce Topics — the action-and-instruction packages that Agentforce agents use to reach outside the Salesforce data model. MCP and A2A are the wire protocols; Flex Gateway is the enforcement point; Agent Fabric is the governance layer across all of it.

For Anypoint shops: before booking the Microsoft demo, check your subscription tier.

Microsoft Foundry + Agent 365, Decoded

Microsoft’s AI agent stack is more coherent than most independent assessments describe, and the coherence is the strategic point.

Agent 365 went GA May 1, 2026, at $15/user/month standalone. The product is not a new model or a new runtime — it’s the governance control plane: agent registry, fleet visualization, conditional access policies, and a cross-source inventory of every agent in the tenant, regardless of where it was built. Every agent in the registry gets a Microsoft Entra Agent ID — a durable Microsoft identity credential, governed through the same Entra framework that manages users, devices, and workloads.

Microsoft Foundry (the rebrand matters; dropping “Azure” signals the platform is designed to govern agents beyond Azure workloads) runs the agent runtime. The four layers are Foundry Models (a multi-vendor catalog that includes Azure OpenAI, Cohere, DeepSeek, Meta, and Mistral), Foundry Agent Service (the hosted agent runtime, replacing the Azure OpenAI Assistants API, which retires August 26, 2026), Foundry Tools and Toolboxes (the MCP + OpenAPI + built-in tool bundling layer), and the Foundry Control Plane (observability, guardrails, evaluations).

The Toolboxes warrant specific attention. When agents call an MCP server through Microsoft Foundry, they don’t call your MCP server directly — they call a Foundry Toolbox endpoint, and Foundry routes to the underlying tools. The MCP protocol is open. The routing layer above it is not. When you migrate off Foundry, every agent configuration that points at a Foundry Toolbox endpoint needs to be re-pointed at the underlying tools directly. That’s an architectural project, not a config change.

Azure API Center adds the proprietary discovery layer: a private organizational catalog for MCP servers, with auth profiles tied to Entra Managed Identity and scoped discovery gated by org policy. The MCP wire format is open. The catalog where your agents find tools is not.

The APIM AI Gateway policies — llm-token-limit, llm-emit-token-metric, llm-semantic-cache-store, llm-semantic-cache-lookup — are real and functional. They’re also table stakes. Flex Gateway ships the same capabilities. The APIM gateway is not where Microsoft’s differentiated value lives.

The bundle is where the value lives. M365 E7 Frontier Suite at $99/user/month packages Agent 365 with M365 E5, Microsoft 365 Copilot, and the Entra Suite. The bundle makes individual SKU evaluation uneconomical — you’re buying the whole stack to get the agent governance layer, and the governance layer is what deepens the integration. Each agent you register accumulates conditional access policies, an Entra identity, and an audit history. That’s not a feature list. That’s a switching cost that compounds with time.

The Assistants API retirement on August 26, 2026 adds a migration pressure vector that isn’t being discussed loudly. Organizations running Azure OpenAI Assistants today have a deadline. The forward path is Foundry Agent Service. Once you’re there, your agent state — threads, tool definitions, file uploads — lives in Microsoft’s runtime, and it doesn’t export cleanly to other agent platforms.

The Actual Decision: Vertical Depth vs. Horizontal Breadth

The honest framing isn’t “which platform has better MCP support.” Both have MCP support. Both have A2A support. Both have token rate limiting, prompt injection protection, and audit logging. The feature comparison is close enough that it obscures the strategic question.

The strategic question is vertical depth versus horizontal breadth.

Microsoft’s value is depth. If your organization runs M365, Teams, and Azure, Agent 365 plus Foundry plugs into that existing stack with integration economics that are genuinely hard to replicate from outside. Agents surface in Teams. Foundry agents are discoverable by M365 Copilot users. Governance lives inside the identity framework your security team already manages. The cost of that depth is Entra Agent ID: every agent in your fleet carries a Microsoft credential, and leaving means re-credentialing the fleet, rewriting the audit history, and rebuilding the conditional access policies. In a fleet of hundreds or thousands of agents, that’s not a line item in a migration plan. It’s the migration.

MuleSoft’s value is breadth. Agent Fabric is explicitly positioned as a multi-vendor control plane — it governs Microsoft Foundry agents alongside Agentforce agents and anything running on Bedrock or Vertex. If your organization runs multiple AI ecosystems (Salesforce for CRM, Azure for infrastructure, a data team that went their own direction with Bedrock), Agent Fabric can hold a single registry and governance policy across all of them without requiring each agent to carry a Microsoft identity.

The protocol layer doesn’t resolve this. As I wrote in the AI Context Portability post, what’s usually portable in these evaluations is the raw artifact — the agent code, the MCP server implementation, the underlying data. What isn’t portable is the governance layer built on top of it. MCP and A2A are open wire formats. The registry where your agents are discovered, the identity those agents carry, the conditional access policies governing what they can reach — none of that travels.

This is the same pattern I traced in the Fabric post: open at the bottom, locked at the top. Fabric was open at the storage layer, proprietary at the semantic model and experience layer above it. The AI agent stack is open at the protocol layer — MCP, A2A, the wire formats — and proprietary at the control plane layer above. The lock-in didn’t disappear. It moved.

What to Actually Check Before You Decide

Neither vendor is wrong that open protocols are valuable. MCP and A2A are real standards, and both platforms have real implementations.

The questions that actually matter in this evaluation:

Who holds the registry? The entity running the catalog where your agents discover tools and other agents has leverage at renewal time. Azure API Center is Microsoft’s registry. Agent Fabric’s Agent Registry is MuleSoft’s. Both are proprietary layers above an open protocol.

Who issues the identity? Entra Agent ID is a Microsoft credential. Once your fleet is credentialed through Entra, the conditional access policies, audit trails, and security integrations accumulate around those credentials. Replacing them at scale is an architectural project, not a config change.

What’s already in your contract? If you’re on Anypoint Platinum, Titanium, Unlimited, or Integration Advanced, Agent Fabric is already included. The evaluation isn’t Microsoft versus MuleSoft at the same price point — it’s Microsoft versus something you’re already paying for. Start there.

What’s your dominant ecosystem? If your organization is deeply embedded in M365 — Teams, Azure, Entra, the full stack — Microsoft’s integration depth is genuinely valuable and the control plane lock-in may be a fair trade. If you’re running a multi-cloud, multi-ecosystem environment where Salesforce, AWS, and Azure workloads coexist, the case for a neutral governance plane is stronger.

Most enterprise evaluations of these platforms start by comparing feature matrices. The feature comparison is close enough that it’s the wrong frame. The actual decision is whose registry, whose identity, and whose toolbox governs your agent fleet in 2028. Those decisions compound. They’re significantly harder to unwind than switching an LLM model or porting agent code to a different runtime.

Check your contract. Then book the demo.

---

The next natural piece in this thread is the identity question — specifically what Entra Agent ID means for enterprises that didn’t plan to make Microsoft their agent identity provider. If you’re working through a similar evaluation — or you think I’ve gotten something wrong about either platform — I’m at @orestesgarcia on X and LinkedIn.