# FSI Agent Governance Framework
FSI-AgentGov helps US financial services organizations govern Microsoft 365 AI agents such as Copilot Studio agents, Agent Builder agents, and related custom agent deployments. It exists to turn agent governance questions—who can build, publish, connect, approve, monitor, and retire agents—into a practical framework, control catalog, and implementation playbooks.
**New to this framework?**
Start with Start Here for newcomer orientation. If you are deciding between this repo and the M365 Copilot framework, also read Relationship to FSI-CopilotGov.
## Why This Framework Exists
Custom agents create governance decisions that standard product setup guidance does not answer consistently. Teams still need to decide how agents are classified, which environments and connectors they may use, what approvals apply before production use, and what evidence should be retained for risk, oversight, audit, and examination review.
This framework helps you:
- classify agents into Zone 1, Zone 2, or Zone 3
- identify which controls should be implemented before broader rollout
- move from governance policy to technical implementation with linked playbooks
- support a more defensible operating model for regulated deployments
## Framework Structure
The framework is organized into three layers:
| Layer | Audience | Content |
|---|---|---|
| Framework | Executives, Compliance, Governance | Principles, zones, regulatory context |
| Control Catalog | Compliance Officers, Architects | 71 control requirements |
| Playbooks | Platform Teams, Operations | Step-by-step procedures |
## Key Concepts for First-Time Users
| Term | What it means |
|---|---|
| Zone | The risk classification for how broadly an agent is used and what data it can access |
| Control | A governance requirement that tells you what should be in place |
| Playbook | Step-by-step implementation, verification, or troubleshooting guidance |
## Quick Start by Role

### I'm a Compliance Officer or AI Governance Lead
Start here to understand the governance framework and regulatory alignment.
- Assess: Governance Readiness Assessment — Evaluate your current posture across all 71 controls
- Read: Executive Summary — Board-level overview
- Then: Operating Model — Roles and RACI
- Then: Regulatory Framework — Control-to-regulation mappings
- Action: Adoption Roadmap — Phased implementation
### I'm a Power Platform Admin
Start here for technical implementation guidance.
- Read: Control Catalog — All 71 controls
- Then: Pillar 1 Security and Pillar 2 Management
- Action: Implementation Playbooks — Step-by-step procedures
- Use: Phase 0 Setup — Initial deployment
### I'm Preparing for FINRA/SEC Examination
Start here for examination readiness materials.
- Read: Regulatory Framework — Regulation mappings
- Then: Evidence Standards — Documentation requirements
- Action: Audit Readiness Checklist
- Use: Evidence Pack Assembly
### I'm a Business Owner Requesting an Agent
Start here to understand what's needed for agent approval.
- Read: Zones and Tiers — Understand zone requirements
- Then: Agent Lifecycle — Approval process
- Action: Agent Promotion Checklist
## Control Summary
71 controls across four governance pillars:
| Pillar | Controls | Focus |
|---|---|---|
| Pillar 1: Security | 28 | DLP, audit, encryption, MFA, eDiscovery |
| Pillar 2: Management | 24 | Lifecycle, testing, model risk, supervision |
| Pillar 3: Reporting | 12 | Inventory, usage, PPAC, Sentinel |
| Pillar 4: SharePoint | 7 | Access, retention, grounding scope |
Three governance zones based on risk:
| Zone | Risk | Data Access | Approval |
|---|---|---|---|
| Zone 1: Personal | Low | M365 Graph only | Self-service |
| Zone 2: Team | Medium | Internal data | Manager |
| Zone 3: Enterprise | High | Regulated data | Governance Committee |
## Regulatory Coverage
Controls map to major US financial regulations:
- FINRA 4511/3110 — Books and records, supervision
- SEC 17a-3/4 — Recordkeeping requirements
- SOX 302/404 — Internal controls
- GLBA 501(b) — Safeguards rule
- OCC 2011-12 / SR 11-7 — Model risk management
See Regulatory Framework for complete mappings.
## Quick Links
Getting Started:
- Start Here — New user orientation and scope guidance
- Governance Readiness Assessment — Interactive tool to assess all 71 controls
- Quick Start Guide
- Implementation Checklist
- Phase 0 Setup Playbook
Reference:
Star this repository on GitHub and use Watch > Releases for update notifications.
## Disclaimer
This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. Organizations should consult with their legal counsel and compliance teams. See Disclaimer for full details.
## Latest Updates
See CHANGELOG for full version history.