Run an Always-On Agent Without Handing It Your Keys

Microsoft Scout launched June 2 on OpenClaw infrastructure. Hermes Desktop launched the same day under an MIT license. Together they mark the moment open-source agent frameworks crossed into enterprise IT, and the governance gap that follows.

Two agent releases landed on the same day last week, and taken together they describe a real shift in how teams will run persistent AI.

On June 2, at Build 2026, Microsoft launched Scout, its first "Autopilot" AI agent: a persistent, always-on autonomous assistant designed to operate continuously across Microsoft 365 apps without waiting to be prompted. A few hours later, Nous Research announced Hermes Desktop, a native graphical front end for Hermes Agent v0.15.2, released under the MIT license across macOS 12+, Windows 10/11, and Linux.

One is enterprise software wrapped in procurement language. The other is a 180,000-star open-source project that just grew a proper UI. Both are worth understanding, because the hard question they share is identical: when you give an agent persistent access to your work, who governs what it does?


Scout: OpenClaw inside an enterprise shell

The most interesting architectural fact about Scout is where it comes from. It is powered by OpenClaw open-source technology, reflecting Microsoft's commitment to building with the community while extending capabilities to meet enterprise needs. That foundation matters, because OpenClaw can access email accounts, calendars, messaging platforms, and other sensitive services, and the agent is susceptible to prompt injection attacks in which harmful instructions are embedded in data with the intent of getting the LLM to interpret them as legitimate user instructions.

Microsoft's answer to those risks is a governance wrapper. Scout will come with a built-in "policy conformance system" that will continuously check whether the system is operating according to set guidelines, and each conformance check will produce its own audit trail. Every agent also operates under its own governed Entra identity, not a shared, anonymous service account, so the work it does is attributable to a known actor your directory already understands.

Unlike traditional AI assistants that respond only when queried, Autopilots remain active in the background, monitoring signals, reacting to triggers, and resuming tasks without user initiation. That is the genuine capability jump. It also means the blast radius of a misconfiguration or a prompt injection is larger than anything a stateless chatbot could cause.

Scout operates across cloud, desktop, and web, connecting to Teams, Outlook, OneDrive, and SharePoint, and to the data that powers your day. You interact with it in Teams, and extend its reach through the desktop app to your browser, local resources, and model context protocol servers.

For now, access is narrow. Access requires Frontier enrollment, Intune policy configuration, and an opt-in attestation. Users with a GitHub Copilot license can then download and install the experience. That is not a product you can spin up in an afternoon, which is probably intentional.

The real differentiator in the always-on agent era is not capability. It is the audit trail you hand to your security team.

Hermes Desktop: the open alternative, now with a front door

The point is not just that Hermes now has buttons. The bigger move is that Nous Research is trying to make agent infrastructure feel less like something you summon from a terminal and more like software a normal technical team could keep open all day.

That distinction matters for adoption. Developers tolerate setup friction when the reward is control. Broader teams usually won't. Per Nous Research's own desktop documentation, the app uses the same agent core, configuration, API keys, sessions, skills, and memory as the CLI and gateway, so nothing under the hood changed. What changed is who can reach it without a terminal session.

Hermes has persistent memory that stores projects and solution paths, plus task planning in natural language. It can delegate to sub-agents with their own terminals and Python scripts, search the web, generate images, and read text aloud. Five sandboxed execution backends are available: local, Docker, SSH, Singularity, and Modal.

The security comparison between the two frameworks is worth being honest about. As of April 2026, Hermes Agent has zero publicly disclosed agent-specific CVEs. In the same window, OpenClaw disclosed nine CVEs across four days in March 2026, including one rated CVSS 9.9. Hermes ships with built-in prompt injection scanning and credential filtering by default. That gap is partly because OpenClaw attracted mass adoption first and got attacked first, but it is still a real data point for teams evaluating the stack.

What this means for real teams

The practical question is not "Scout or Hermes?" Most teams are not choosing between them. The question is what governance posture you actually need before you let an agent run unsupervised on your calendar and inbox.

Scout answers that with enterprise tooling: Entra identity, Intune policy, and a conformance audit trail. It also answers it with a significant access bar: you need Frontier enrollment, a Copilot subscription, and an IT admin willing to configure the prerequisites. For a 10-person team that lives in Microsoft 365, that friction is worth it. For a small engineering team that wants to self-host and tune everything, Hermes Desktop is the more direct path.

The governance primitives you actually need, regardless of which framework you land on:

  • A named, attributable identity for the agent (not a shared service account)
  • Explicit approval gates for sensitive actions before they execute
  • Persistent logs of what the agent did, not just what it was asked to do
  • A clear policy on which channels and data sources the agent can reach

Sensitive actions can require human approval before Scout proceeds, and organizations can define which resources and destinations the agent can access. Hermes offers similar controls through its skill permission model and sandbox selection, but you have to configure them yourself rather than inheriting an enterprise default.
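The four primitives above, sketched as a framework-independent gate that sits between an agent and its tools. This is an added example, not code from Scout, OpenClaw or Hermes; `Policy`, `Gate`, `verify_chain` and the sample identity are hypothetical names, and hash-chaining the log entries is an assumption added here to make the log tamper-evident.

```python
import hashlib, json, time
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Policy:                       # hypothetical policy object
    agent_id: str                   # named identity, not a shared service account
    allowed_targets: frozenset      # channels and data sources the agent may reach
    sensitive_actions: frozenset    # actions that need human approval first

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

@dataclass
class Gate:
    policy: Policy
    approver: Callable[[str, str], bool]   # human approval hook: (action, target) -> bool
    log: list = field(default_factory=list)

    def _record(self, action, target, decision, outcome=None):
        # Each entry names the agent and links to the previous entry's hash.
        entry = {"ts": time.time(), "agent": self.policy.agent_id, "action": action,
                 "target": target, "decision": decision, "outcome": outcome,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return entry

    def execute(self, action, target, tool):
        # Deny by default: the target must be on the allowlist.
        if target not in self.policy.allowed_targets:
            return self._record(action, target, "denied:target_not_allowed")
        # Sensitive actions run only after the approver says yes.
        if action in self.policy.sensitive_actions and not self.approver(action, target):
            return self._record(action, target, "denied:approval_refused")
        try:
            outcome = tool()        # log what the agent did, not just what was asked
        except Exception as exc:
            return self._record(action, target, "allowed", f"error: {exc}")
        return self._record(action, target, "allowed", outcome)

def verify_chain(log):
    # Recompute every hash; an edited or removed entry breaks the chain.
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or e["hash"] != _digest(body):
            return False
        prev = e["hash"]
    return True
```

Every tool call goes through `Gate.execute`, so refused and failed actions land in the same log as successful ones.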

The underlying OpenClaw ecosystem, now counting 68,000 GitHub stars and a skills marketplace with thousands of community-built extensions, is clearly the infrastructure layer both Microsoft and independent developers are building on. Local inference keeps prompts on the device, and self-improving local agents keep even the learning loop on-device. But Scout builds on OpenClaw, which had a 2026 supply-chain incident, so identity, sandboxing, and policy conformance are not optional.

The shift from "ask the model a question" to "let the agent run while you sleep" is real and it is happening now. The teams that will use it well are the ones who treat the governance layer as the actual product, not the agent's feature list.