Deployment Guide

Version: v1.0 — Reference-implementation deployment paths for FSI-AgentGov-Solutions. Versions and zone applicability are regenerated from each solution's manifest.yaml by scripts/build-manifest.py. Edit manifests; do not edit the generated tables by hand.

This guide maps common customer questions to specific solutions and provides deployment sequencing based on documented solution dependencies and the Personal/Team/Enterprise zone model.

Positioning

These are reference implementations, not turnkey deployable Power Platform solutions. They consist of documentation, scripts (PowerShell, Python, KQL), schemas, and per-solution Dataverse table definitions — they do not ship as packaged Dataverse .zip solutions. Adopters tailor each implementation to their tenant, identity model, and governance posture before deploying.

Use-Case Mapping

When a customer asks one of these questions, deploy the corresponding solutions:

| Customer Need | Solutions to Deploy | Notes |
|---|---|---|
| "How do we control who agents are shared with?" | Unrestricted Agent Sharing Detector, Agent Sharing Access Restriction Detector, Agent Access Governance Monitor | UASD detects org-wide/public sharing violations and remediates them automatically; ASARD enforces zone-based sharing policies with approval workflows; Agent Access Governance Monitor flags overly permissive access configurations |
| "How do we monitor agent execution and platform changes?" | Agent Observability Foundation, Message Center Monitor, Scope Drift Monitor | AOF provides foundational telemetry; MCM tracks M365 platform changes; SDM detects data access beyond an agent's declared scope |
| "How do we track agent performance and feedback?" | Hallucination Feedback Tracker, Agent Observability Foundation, Copilot Studio Analytics | HFT aggregates hallucination feedback patterns; AOF provides operational metrics; CSA provides business impact analytics |
| "How do we enforce conditional access for AI workloads?" | Conditional Access Automation, Session Security Configurator | CAA deploys and monitors Conditional Access policies; SSC validates session security per zone |
| "How do we handle regulatory compliance evidence?" | Compliance Dashboard, Cross-Solution Integration, Audit Compliance Manager | CD provides aggregated reporting across the 78-control baseline, including Exchange coverage; CSI wires Tier 2 solutions into the dashboard; ACM validates configurations and supports remediation |
| "How do we manage environment provisioning governance?" | Environment Lifecycle Management, Pipeline Governance Cleanup | ELM provisions environments with zone classification; PGC enforces ALM governance |
| "How do we control file uploads and content moderation?" | File Upload Security, MIME Type Restrictions for File Uploads, Content Moderation Monitor | File Upload Security validates file upload settings; MIME Type Restrictions enforces type restrictions (defense in depth via a Dataverse plugin); Content Moderation Monitor monitors content moderation per zone |

For organizations beginning their FSI agent governance program, deploy in this order to land a working pilot in three increments:

  1. Foundational telemetry: deploy Environment Lifecycle Management (zone classification) and Agent Observability Foundation (telemetry). These enforce no policy on their own, but they provide the data plane every other solution depends on.
  2. First detection signal: pick one Tier 2 solution that maps to the customer's most acute concern. Recommended starting points:
     - Sharing risk: Unrestricted Agent Sharing Detector
     - Supervisory exposure: Action Confirmation Auditor
     - Knowledge oversharing: Agent Knowledge Source Scanner
  3. Compliance reporting: deploy Cross-Solution Integration and Compliance Dashboard to roll the Tier 2 signal into a single report.

This pilot exercises the three architectural layers (telemetry, then detection, then reporting) without committing to the full 36-solution catalog listed below.

Licensing Footprint

The reference implementations require these licenses or service plans across the catalog. Individual solutions enumerate their specific subset in their READMEs.

| License / Service | Required For |
|---|---|
| Microsoft 365 E5 (or E3 + Compliance / Security add-ons) | Purview audit, DLP, Communication Compliance, Insider Risk Management |
| Microsoft Entra ID P2 | Conditional Access, Identity Governance access reviews, PIM |
| Power Platform per-app or per-user (Premium) | Dataverse tables, custom connectors, Power Automate premium connectors |
| Power Platform Managed Environments | Environment Lifecycle Management, Pipeline Governance Cleanup, sharing limits |
| Copilot Studio license per maker | Action Confirmation Auditor, HITL Workflow Governance, Conflict of Interest Testing, agents in scope |
| Azure subscription | Application Insights / Log Analytics for AOF, Azure Functions / Logic Apps for orchestration |
| Microsoft 365 Copilot license per supervised user | Copilot-specific solutions (analytics, supervision workflows) |

Adopters should validate their tenant SKUs against each solution's prerequisites before scheduling a pilot.

Solution Layers

Solutions fall into three deployment layers. Deploy foundational solutions first, then add monitoring and governance solutions as needed.

Layer 1: Foundational Infrastructure

These solutions provide shared infrastructure that other solutions depend on:

| Solution | Role | Version |
|---|---|---|
| Agent Intake | Pre-build maker intake (Express + Standard + Full paths) with sponsor 1-click approval, parallel reviewer quorum, MRM handoff, and Entra Agent ID minting | v1.0.0-preview |
| Agent Observability Foundation | FSI-compliant telemetry infrastructure for Microsoft Copilot Studio agents with long-term audit retention, operational workbooks, and proactive alerting | v1.2.4 |

Layer 2: Tier 2 Governance Solutions

These solutions operate independently but can be wired into the Compliance Dashboard via Cross-Solution Integration:

| Solution | Version | Controls |
|---|---|---|
| Agent Access Governance Monitor | v1.1.2 | 3.8 |
| Audit Compliance Manager | v1.0.5 | 1.7 |
| Conditional Access Automation | v2.0.2 | 1.11, 1.23, 1.18 |
| Content Moderation Monitor | v1.1.2 | 1.27, 1.8 |
| File Upload Security | v1.1.2 | 1.14, 1.8, 1.4 |
| Session Security Configurator | v1.3.0 | 1.23, 1.11 |

Layer 3: Tier 3 / Standalone Solutions

All other solutions can be deployed in any order based on customer needs, with one caveat: those that appear in the Full Dependency Tree below (for example Compliance Dashboard, Copilot Studio Analytics, Deny Event Correlation Report, Scope Drift Monitor and Cross-Tenant External Sharing Governance) still require their declared dependencies to be deployed first.

| Solution | Tier | Version | Zones |
|---|---|---|---|
| Action Confirmation Auditor | 2 | v1.2.1 | personal, team, enterprise |
| Agent 365 Lifecycle Governance | 2 | v1.1.5 | enterprise |
| Agent Communication Restriction Detector | 2 | v1.2.1 | team, enterprise |
| Agent Knowledge Source Scanner | 2 | v1.1.3 | personal, team, enterprise |
| Agent Registry Automation | 2 | v2.1.1 | personal, team, enterprise |
| Agent Sharing Access Restriction Detector | 2 | v2.0.2 | team, enterprise |
| Conflict of Interest Testing | 2 | v1.1.2 | team, enterprise |
| Compliance Dashboard | 2 | v1.0.5 | enterprise |
| Copilot Studio Analytics | 2 | v2.0.2 | personal, team, enterprise |
| Credential Oversharing Detector | 2 | v2.1.1 | personal, team, enterprise |
| Cross-Solution Integration | 2 | v2.0.3 | personal, team, enterprise |
| Cross-Tenant External Sharing Governance | 2 | v1.1.0 | enterprise |
| Deny Event Correlation Report | 2 | v2.0.4 | team, enterprise |
| DR Testing Framework | 2 | v2.0.2 | enterprise |
| Environment Lifecycle Management | 2 | v1.2.2 | personal, team, enterprise |
| FINRA Supervision Workflow | 2 | v1.1.1 | enterprise |
| Generative AI Config Auditor | 2 | v1.2.1 | team, enterprise |
| Hallucination Feedback Tracker | 2 | v1.2.0 | personal, team, enterprise |
| HITL Workflow Governance | 2 | v1.1.2 | personal, team, enterprise |
| Inactivity Timeout Enforcement | 2 | v1.1.2 | team, enterprise |
| Message Center Monitor | 2 | v2.5.1 | enterprise |
| MIME Type Restrictions for File Uploads | 2 | v1.2.1 | personal, team, enterprise |
| Model Risk Management Automation | 2 | v1.0.4 | enterprise |
| Pipeline Governance Cleanup | 2 | v1.2.1 | team, enterprise |
| RAG Source Validator | 2 | v1.3.1 | personal, team, enterprise |
| Scope Drift Monitor | 2 | v1.2.2 | personal, team, enterprise |
| Segregation of Duties Detector | 2 | v1.2.1 | team, enterprise |
| Unrestricted Agent Sharing Detector | 2 | v2.0.1 | team, enterprise |

Compliance Dashboard Integration

To stand up unified compliance reporting:

  1. Deploy the foundational solutions: Agent Observability Foundation (the Compliance Dashboard depends on its telemetry) and Environment Lifecycle Management (zone classification)
  2. Deploy the Tier 2 solutions your customer needs (Layer 2)
  3. Deploy Compliance Dashboard with the fsi_controlmaster table populated
  4. Deploy Cross-Solution Integration to wire Tier 2 results into the dashboard
  5. Run Sync-SolutionAssessments.ps1 for the initial assessment sync
  6. Deploy the CD-SolutionFeedCollector flow for daily automated feeds

See Cross-Solution Integration README for prerequisites and setup.

Full Dependency Tree

The diagram below is generated from the dependencies: field in each solution's manifest.yaml. Solutions not shown have no declared inter-solution dependencies and can be deployed standalone.

```mermaid
graph TD
    AOF[Agent Observability Foundation<br/>Tier 1 root]
    ELM[Environment Lifecycle Management<br/>Tier 3 root]
    ARA[Agent Registry Automation<br/>Tier 3 root]
    UASD[Unrestricted Agent Sharing Detector<br/>Tier 2 root]

    CSI[Cross-Solution Integration<br/>Tier 1]
    CD[Compliance Dashboard<br/>Tier 3 — convergence]

    ACM[Audit Compliance Manager<br/>Tier 3]
    CSA[Copilot Studio Analytics<br/>Tier 2]
    DECR[Deny Event Correlation Report<br/>Tier 2]
    SDM[Scope Drift Monitor<br/>Tier 2]

    CTESG[Cross-Tenant External Sharing Governance<br/>Tier 2]

    AOF --> CSI
    AOF --> ACM
    AOF --> CSA
    AOF --> DECR
    AOF --> SDM
    AOF --> CD
    CSI --> CD

    ARA --> CTESG
    UASD --> CTESG
```

Note: Compliance Dashboard is the convergence node — it depends on both AOF (telemetry foundation) and CSI (Tier 2 integration layer). Deploy AOF → CSI → CD in that order to stand up unified reporting.
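The deployment order the diagram implies can be derived mechanically from the same `dependencies:` data rather than read off by hand. The script below is an added example, not the repository's scripts/build-manifest.py. It assumes each manifest exposes keys named `name`, `short`, `tier`, `zones` and `dependencies` (the key names and the `short` alias are assumptions; the page only documents that `dependencies:`, version and zone data live in manifest.yaml) and builds its sample manifests inline from the edges shown above, so it runs offline with the standard library only. It goes beyond the diagram in one respect: it filters by governance zone and rejects a dependency that is not applicable in the selected zone, an unknown dependency, and a cycle, the three cases a hand-maintained ordering silently gets wrong.

```python
"""Derive a deployment order and the dependency diagram from solution manifests.

Added example, not the repository's scripts/build-manifest.py. Key names and the
`short` alias are assumptions; sample manifests are constructed from the edges
in the page's dependency diagram.
"""
from collections import defaultdict, deque

ALL_ZONES = ["personal", "team", "enterprise"]

# Constructed sample manifests. Tiers follow the diagram labels; zones follow the
# zone roadmap where the page lists them. AOF and ACM zones are not listed on the
# page and are assumed to be all three here.
MANIFESTS = [
    {"name": "Agent Observability Foundation", "short": "AOF", "tier": 1, "zones": ALL_ZONES, "dependencies": []},
    {"name": "Environment Lifecycle Management", "short": "ELM", "tier": 3, "zones": ALL_ZONES, "dependencies": []},
    {"name": "Agent Registry Automation", "short": "ARA", "tier": 3, "zones": ALL_ZONES, "dependencies": []},
    {"name": "Unrestricted Agent Sharing Detector", "short": "UASD", "tier": 2,
     "zones": ["team", "enterprise"], "dependencies": []},
    {"name": "Cross-Solution Integration", "short": "CSI", "tier": 1, "zones": ALL_ZONES,
     "dependencies": ["Agent Observability Foundation"]},
    {"name": "Compliance Dashboard", "short": "CD", "tier": 3, "zones": ["enterprise"],
     "dependencies": ["Agent Observability Foundation", "Cross-Solution Integration"]},
    {"name": "Audit Compliance Manager", "short": "ACM", "tier": 3, "zones": ALL_ZONES,
     "dependencies": ["Agent Observability Foundation"]},
    {"name": "Copilot Studio Analytics", "short": "CSA", "tier": 2, "zones": ALL_ZONES,
     "dependencies": ["Agent Observability Foundation"]},
    {"name": "Deny Event Correlation Report", "short": "DECR", "tier": 2, "zones": ["team", "enterprise"],
     "dependencies": ["Agent Observability Foundation"]},
    {"name": "Scope Drift Monitor", "short": "SDM", "tier": 2, "zones": ALL_ZONES,
     "dependencies": ["Agent Observability Foundation"]},
    {"name": "Cross-Tenant External Sharing Governance", "short": "CTESG", "tier": 2, "zones": ["enterprise"],
     "dependencies": ["Agent Registry Automation", "Unrestricted Agent Sharing Detector"]},
]


class ManifestError(ValueError):
    """An unsatisfiable dependency, a zone mismatch, or a cycle between manifests."""


def _index(manifests):
    by_name = {m["name"]: m for m in manifests}
    if len(by_name) != len(manifests):
        raise ManifestError("duplicate solution name across manifests")
    return by_name


def deployment_order(manifests, zone=None):
    """Return solution names ordered so every dependency precedes its dependants.

    With `zone` given, only solutions applicable to that zone are returned. A
    selected solution whose dependency is not applicable to the zone is an error
    rather than a silent drop, because the dependant would deploy without its
    prerequisite. Unknown dependencies and cycles are rejected as well.
    """
    by_name = _index(manifests)
    selected = {n for n, m in by_name.items() if zone is None or zone in m["zones"]}
    indegree = {n: 0 for n in selected}
    dependants = defaultdict(list)
    for name in sorted(selected):
        for dep in by_name[name]["dependencies"]:
            if dep not in by_name:
                raise ManifestError(f"{name} depends on unknown solution {dep!r}")
            if dep not in selected:
                raise ManifestError(f"{name} requires {dep}, which is not applicable to zone {zone!r}")
            indegree[name] += 1
            dependants[dep].append(name)
    # Kahn's algorithm; sorting the ready set keeps the output deterministic.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependants[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(selected):
        raise ManifestError(f"dependency cycle among: {sorted(selected - set(order))}")
    return order


def to_mermaid(manifests):
    """Render a `graph TD` block like the one on the page from the manifest data."""
    by_name = _index(manifests)
    lines = ["graph TD"]
    for m in manifests:
        lines.append(f'    {m["short"]}[{m["name"]}<br/>Tier {m["tier"]}]')
    for m in manifests:
        for dep in m["dependencies"]:
            lines.append(f'    {by_name[dep]["short"]} --> {m["short"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    print("\n".join(deployment_order(MANIFESTS, zone="enterprise")))
    print(to_mermaid(MANIFESTS))
```

Run stand-alone it prints the enterprise-zone deployment order followed by the regenerated diagram; for real manifests, replace MANIFESTS with the list parsed from each manifest.yaml. The zone check is the part worth keeping: a personal-zone rollout correctly omits Compliance Dashboard, but a team-zone rollout of a solution whose only dependency is enterprise-scoped fails loudly instead of producing a broken install.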

Zone Deployment Roadmap

The table below maps each solution to the governance zones (Personal / Team / Enterprise) where it applies. Zone metadata is sourced from each solution's manifest.yaml and is regenerated on every build-manifest.py invocation.

Status: Zones were initially backfilled by scripts/_backfill-zones.py based on inference from each solution's domain, tier, and controls. Product-team review is required before treating these as authoritative — see the sentinel comment in each manifest.yaml.

Tier 1 (Foundational)

| Solution | Personal | Team | Enterprise | Data class |
|---|---|---|---|---|
| Agent Intake | | | | confidential |
| Agent Observability Foundation | | | | internal |

Tier 2 (Governance)

| Solution | Personal | Team | Enterprise | Data class |
|---|---|---|---|---|
| Action Confirmation Auditor | ✓ | ✓ | ✓ | internal |
| Agent 365 Lifecycle Governance | | | ✓ | confidential |
| Agent Access Governance Monitor | | | | confidential |
| Agent Communication Restriction Detector | | ✓ | ✓ | internal |
| Agent Knowledge Source Scanner | ✓ | ✓ | ✓ | confidential |
| Agent Registry Automation | ✓ | ✓ | ✓ | internal |
| Agent Sharing Access Restriction Detector | | ✓ | ✓ | confidential |
| Audit Compliance Manager | | | | confidential |
| Compliance Dashboard | | | ✓ | restricted |
| Conditional Access Automation | | | | confidential |
| Conflict of Interest Testing | | ✓ | ✓ | confidential |
| Content Moderation Monitor | | | | internal |
| Copilot Studio Analytics | ✓ | ✓ | ✓ | internal |
| Credential Oversharing Detector | ✓ | ✓ | ✓ | confidential |
| Cross-Solution Integration | ✓ | ✓ | ✓ | internal |
| Cross-Tenant External Sharing Governance | | | ✓ | confidential |
| Deny Event Correlation Report | | ✓ | ✓ | confidential |
| DR Testing Framework | | | ✓ | confidential |
| Environment Lifecycle Management | ✓ | ✓ | ✓ | internal |
| File Upload Security | | | | internal |
| FINRA Supervision Workflow | | | ✓ | restricted |
| Generative AI Config Auditor | | ✓ | ✓ | internal |
| Hallucination Feedback Tracker | ✓ | ✓ | ✓ | confidential |
| HITL Workflow Governance | ✓ | ✓ | ✓ | confidential |
| Inactivity Timeout Enforcement | | ✓ | ✓ | internal |
| Message Center Monitor | | | ✓ | internal |
| MIME Type Restrictions for File Uploads | ✓ | ✓ | ✓ | internal |
| Model Risk Management Automation | | | ✓ | restricted |
| Pipeline Governance Cleanup | | ✓ | ✓ | internal |
| RAG Source Validator | ✓ | ✓ | ✓ | confidential |
| Scope Drift Monitor | ✓ | ✓ | ✓ | confidential |
| Segregation of Duties Detector | | ✓ | ✓ | confidential |
| Session Security Configurator | | | | internal |
| Unrestricted Agent Sharing Detector | | ✓ | ✓ | confidential |