Deployment Guide
Version: v0.1 — Verified information only. Sections marked TODO require product team input.
This guide maps common customer questions to specific solutions and provides deployment sequencing based on documented solution dependencies.
Use-Case Mapping
When a customer asks one of these questions, deploy the corresponding solutions:
| Customer Need | Solutions to Deploy | Notes |
|---|---|---|
| "How do we control who agents are shared with?" | Unrestricted Agent Sharing Detector, Agent Sharing Access Restriction Detector, Agent Access Governance Monitor | UASD handles org-wide/public sharing violations with automated remediation; ASARD enforces zone-based sharing policies with approval workflows; AAM monitors overly permissive access configurations |
| "How do we monitor agent execution and platform changes?" | Agent Observability Foundation, Message Center Monitor, Scope Drift Monitor | AOF provides foundational telemetry; MCM tracks M365 platform changes; SDM detects data access beyond declared scope |
| "How do we track agent performance and feedback?" | Hallucination Tracker, Agent Observability Foundation, Copilot Studio Analytics | HT aggregates hallucination feedback patterns; AOF provides operational metrics; CSA provides business impact analytics |
| "How do we enforce conditional access for AI workloads?" | Conditional Access Automation, Session Security Configurator | CAA deploys and monitors CA policies; SSC validates session security per zone |
| "How do we handle regulatory compliance evidence?" | Compliance Dashboard, Cross-Solution Integration, Audit Compliance Manager | CD provides aggregated reporting across the 78-control baseline with Exchange coverage; CSI wires Tier 2 solutions into the dashboard; ACM validates configurations and remediates gaps |
| "How do we manage environment provisioning governance?" | Environment Lifecycle Management, Pipeline Governance Cleanup | ELM provisions environments with zone classification; PGC enforces ALM governance |
| "How do we control file uploads and content moderation?" | File Upload Security Configurator, MIME Type Restrictions, Content Moderation Governance Monitor | FUS validates file upload settings; MIME enforces type restrictions; CMM monitors content moderation per zone |
Solution Layers
Solutions fall into three deployment layers. Deploy foundational solutions first, then add monitoring and governance solutions as needed.
Layer 1: Foundational Infrastructure
These solutions provide shared infrastructure that other solutions depend on:
| Solution | Role | Version |
|---|---|---|
| Environment Lifecycle Management | Zone-based environment provisioning and classification | v1.1.2 |
| Agent Observability Foundation | Foundational telemetry and monitoring infrastructure | v1.1.0 |
Layer 2: Tier 2 Governance Solutions
These solutions operate independently but can be wired into the Compliance Dashboard via Cross-Solution Integration:
| Solution | Controls | Integration |
|---|---|---|
| Audit Compliance Manager | 1.7 | Dashboard Assessment |
| Session Security Configurator | 1.23, 1.11 | Dashboard Assessment |
| Agent Access Governance Monitor | 3.8 | Dashboard Assessment |
| Content Moderation Governance Monitor | 1.8 | Dashboard Assessment |
| File Upload Security Configurator | 1.14 | Dashboard Assessment |
| Conditional Access Automation | 1.11, 1.23, 1.18 | Dashboard Assessment |
Layer 3: Standalone Solutions
All other solutions operate independently and can be deployed in any order based on customer needs. See the Solutions Index for detailed descriptions and control mappings.
Compliance Dashboard Integration
To stand up unified compliance reporting:
- Deploy Layer 1 solutions (ELM for zone classification)
- Deploy the Tier 2 solutions your customer needs (Layer 2)
- Deploy Compliance Dashboard with fsi_controlmaster table populated
- Deploy Cross-Solution Integration to wire Tier 2 results into the dashboard
- Run Sync-SolutionAssessments.ps1 for initial assessment sync
- Deploy CD-SolutionFeedCollector flow for daily automated feeds
See Cross-Solution Integration README for prerequisites and setup.
Full Dependency Tree
The diagram below is generated from the dependencies: field in each solution's manifest.yaml. Solutions not shown have no declared inter-solution dependencies and can be deployed standalone.
```mermaid
graph TD
    AOF[Agent Observability Foundation<br/>Tier 1 root]
    ELM[Environment Lifecycle Management<br/>Tier 3 root]
    ARA[Agent Registry Automation<br/>Tier 3 root]
    UASD[Unrestricted Agent Sharing Detector<br/>Tier 2 root]
    CSI[Cross-Solution Integration<br/>Tier 1]
    CD[Compliance Dashboard<br/>Tier 3 — convergence]
    ACM[Audit Compliance Manager<br/>Tier 3]
    CSA[Copilot Studio Analytics<br/>Tier 2]
    DECR[Deny Event Correlation Report<br/>Tier 2]
    SDM[Scope Drift Monitor<br/>Tier 2]
    CTESG[Cross-Tenant External Sharing Governance<br/>Tier 2]
    AOF --> CSI
    AOF --> ACM
    AOF --> CSA
    AOF --> DECR
    AOF --> SDM
    AOF --> CD
    CSI --> CD
    ARA --> CTESG
    UASD --> CTESG
```
```text
Layer 1 — roots (no dependencies)
├── Agent Observability Foundation (AOF, Tier 1)
│   ├── Cross-Solution Integration (CSI, Tier 1)
│   │   └── Compliance Dashboard (CD, Tier 3) — also depends on AOF
│   ├── Audit Compliance Manager (Tier 3)
│   ├── Copilot Studio Analytics (Tier 2)
│   ├── Deny Event Correlation Report (Tier 2)
│   └── Scope Drift Monitor (Tier 2)
├── Environment Lifecycle Management (ELM, Tier 3) — foundational, no declared dependencies
├── Agent Registry Automation (ARA, Tier 3)
│   └── Cross-Tenant External Sharing Governance (CTESG, Tier 2) — also depends on UASD
└── Unrestricted Agent Sharing Detector (UASD, Tier 2)
    └── Cross-Tenant External Sharing Governance (CTESG, Tier 2)

Standalone (no inter-solution dependencies declared):
    action-confirmation-auditor, agent-365-lifecycle-governance,
    agent-access-monitor, agent-communication-restriction-detector,
    agent-knowledge-source-scanner, agent-sharing-access-restriction-detector,
    coi-testing, conditional-access-automation, content-moderation-monitor,
    credential-oversharing-detector, dr-testing-framework, file-upload-security,
    finra-supervision-workflow, generative-ai-config-auditor, hallucination-tracker,
    hitl-workflow-governance, inactivity-timeout-enforcement, message-center-monitor,
    mime-type-restrictions, model-risk-management-automation,
    pipeline-governance-cleanup, rag-source-validator, segregation-detector,
    session-security-configurator
```
Note: Compliance Dashboard is the convergence node — it depends on both AOF (telemetry foundation) and CSI (Tier 2 integration layer). Deploy AOF → CSI → CD in that order to stand up unified reporting.
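The sequencing rule above (prerequisites before dependents), worked through as an added example that is not part of the project's tooling: it turns the edges in the diagram into deployment waves for whichever solutions a customer asks for, pulling in transitive prerequisites. The function name deployment_waves and the DEPENDS_ON table are illustrative; the edges are transcribed from this page rather than read from the manifest.yaml files.

```python
from graphlib import CycleError, TopologicalSorter

# Edges transcribed from the dependency diagram on this page, as
# solution -> prerequisites, using the diagram's short names.
DEPENDS_ON = {
    "CSI": {"AOF"},
    "ACM": {"AOF"},
    "CSA": {"AOF"},
    "DECR": {"AOF"},
    "SDM": {"AOF"},
    "CD": {"AOF", "CSI"},
    "CTESG": {"ARA", "UASD"},
}


def deployment_waves(requested, depends_on=DEPENDS_ON):
    """Return deployment waves (hypothetical helper, not project code).

    Each wave is a sorted list of solutions whose prerequisites all sit in
    earlier waves. Names without an entry in depends_on are standalone.
    """
    # Collect the requested solutions plus everything they transitively need.
    needed, stack = set(), list(requested)
    while stack:
        name = stack.pop()
        if name not in needed:
            needed.add(name)
            stack.extend(depends_on.get(name, ()))

    sorter = TopologicalSorter({n: depends_on.get(n, set()) for n in needed})
    try:
        sorter.prepare()  # raises CycleError on a circular dependency
    except CycleError as exc:
        raise ValueError(f"circular dependency: {exc.args[1]}") from exc

    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())
        waves.append(ready)
        sorter.done(*ready)
    return waves


if __name__ == "__main__":
    # Unified reporting plus cross-tenant sharing governance.
    for i, wave in enumerate(deployment_waves(["CD", "CTESG"]), start=1):
        print(f"wave {i}: {', '.join(wave)}")
```

Solutions in the same wave have no ordering constraint between them and can be deployed in parallel.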
Zone Deployment Roadmap
The table below maps each solution to the governance zones where it applies. Zone metadata is sourced from each solution's manifest.yaml. Where a manifest has no zone field, the row is marked TODO: and listed in the Manifests Missing Zone Metadata section below.
Tier 1 (Foundational)
| Solution | Zone 1 (Personal) | Zone 2 (Team) | Zone 3 (Enterprise) | Tier | Notes |
|---|---|---|---|---|---|
| Agent Observability Foundation | TODO: | TODO: | TODO: | 1 | Root telemetry — needed by 6 dependents |
| Cross-Solution Integration | TODO: | TODO: | TODO: | 1 | Wires Tier 2 results into Compliance Dashboard |
Tier 2 (Governance)
| Solution | Zone 1 (Personal) | Zone 2 (Team) | Zone 3 (Enterprise) | Tier | Notes |
|---|---|---|---|---|---|
| Action Confirmation Auditor | TODO: | TODO: | TODO: | 2 | Standalone |
| Agent Access Governance Monitor | TODO: | TODO: | TODO: | 2 | Standalone |
| Agent Communication Restriction Detector | TODO: | TODO: | TODO: | 2 | Standalone |
| Agent Knowledge Source Scanner | TODO: | TODO: | TODO: | 2 | Standalone |
| Agent Sharing Access Restriction Detector | TODO: | TODO: | TODO: | 2 | Standalone |
| Conditional Access Automation | TODO: | TODO: | TODO: | 2 | Standalone |
| Conflict of Interest Testing | TODO: | TODO: | TODO: | 2 | Standalone |
| Content Moderation Monitor | TODO: | TODO: | TODO: | 2 | Standalone |
| Copilot Studio Analytics | TODO: | TODO: | TODO: | 2 | Depends on AOF |
| Credential Oversharing Detector | TODO: | TODO: | TODO: | 2 | Standalone |
| Cross-Tenant External Sharing Governance | TODO: | TODO: | TODO: | 2 | Depends on ARA + UASD |
| Deny Event Correlation Report | TODO: | TODO: | TODO: | 2 | Depends on AOF |
| DR Testing Framework | TODO: | TODO: | TODO: | 2 | Standalone |
| File Upload Security | TODO: | TODO: | TODO: | 2 | Standalone |
| FINRA Supervision Workflow | TODO: | TODO: | TODO: | 2 | Standalone |
| Generative AI Config Auditor | TODO: | TODO: | TODO: | 2 | Standalone |
| Hallucination Feedback Tracker | TODO: | TODO: | TODO: | 2 | Standalone |
| HITL Workflow Governance | TODO: | TODO: | TODO: | 2 | Standalone |
| Inactivity Timeout Enforcement | TODO: | TODO: | TODO: | 2 | Standalone |
| Message Center Monitor | TODO: | TODO: | TODO: | 2 | Standalone |
| MIME Type Restrictions for File Uploads | TODO: | TODO: | TODO: | 2 | Standalone |
| Model Risk Management Automation | TODO: | TODO: | TODO: | 2 | Standalone |
| Pipeline Governance Cleanup | TODO: | TODO: | TODO: | 2 | Standalone |
| RAG Source Validator | TODO: | TODO: | TODO: | 2 | Standalone |
| Scope Drift Monitor | TODO: | TODO: | TODO: | 2 | Depends on AOF |
| Segregation of Duties Detector | TODO: | TODO: | TODO: | 2 | Standalone |
| Session Security Configurator | TODO: | TODO: | TODO: | 2 | Standalone |
| Unrestricted Agent Sharing Detector | TODO: | TODO: | TODO: | 2 | Standalone |
Tier 3 (Enterprise)
| Solution | Zone 1 (Personal) | Zone 2 (Team) | Zone 3 (Enterprise) | Tier | Notes |
|---|---|---|---|---|---|
| Agent 365 Lifecycle Governance | TODO: | TODO: | TODO: | 3 | Standalone |
| Agent Registry Automation | TODO: | TODO: | TODO: | 3 | Required by CTESG |
| Audit Compliance Manager | TODO: | TODO: | TODO: | 3 | Depends on AOF |
| Compliance Dashboard | TODO: | TODO: | TODO: | 3 | Depends on AOF + CSI (convergence node) |
| Environment Lifecycle Management | TODO: | TODO: | TODO: | 3 | Foundational; no declared dependencies |
Manifests Missing Zone Metadata
All 35 solution manifests currently lack a zones / zonesApplicable / applicableZones field. Add the field to each manifest below, then regenerate this section:
- action-confirmation-auditor/manifest.yaml
- agent-365-lifecycle-governance/manifest.yaml
- agent-access-monitor/manifest.yaml
- agent-communication-restriction-detector/manifest.yaml
- agent-knowledge-source-scanner/manifest.yaml
- agent-observability-foundation/manifest.yaml
- agent-registry-automation/manifest.yaml
- agent-sharing-access-restriction-detector/manifest.yaml
- audit-compliance-manager/manifest.yaml
- coi-testing/manifest.yaml
- compliance-dashboard/manifest.yaml
- conditional-access-automation/manifest.yaml
- content-moderation-monitor/manifest.yaml
- copilot-studio-analytics/manifest.yaml
- credential-oversharing-detector/manifest.yaml
- cross-solution-integration/manifest.yaml
- cross-tenant-external-sharing-governance/manifest.yaml
- deny-event-correlation-report/manifest.yaml
- dr-testing-framework/manifest.yaml
- environment-lifecycle-management/manifest.yaml
- file-upload-security/manifest.yaml
- finra-supervision-workflow/manifest.yaml
- generative-ai-config-auditor/manifest.yaml
- hallucination-tracker/manifest.yaml
- hitl-workflow-governance/manifest.yaml
- inactivity-timeout-enforcement/manifest.yaml
- message-center-monitor/manifest.yaml
- mime-type-restrictions/manifest.yaml
- model-risk-management-automation/manifest.yaml
- pipeline-governance-cleanup/manifest.yaml
- rag-source-validator/manifest.yaml
- scope-drift-monitor/manifest.yaml
- segregation-detector/manifest.yaml
- session-security-configurator/manifest.yaml
- unrestricted-agent-sharing-detector/manifest.yaml
Related Documentation
- Solutions Index — Detailed descriptions and framework alignment
- Solutions Coverage Gaps — Coverage analysis across the 78-control baseline
- FSI Agent Governance Framework — Full framework documentation