Pre-Session Homework: AI Administrator
This page lists the 14 controls you are responsible for as AI Administrator. Please review each control and bring the requested evidence to your assessment session.
For the full assessment experience, see the Readiness Assessment.
Control 1.11 — Conditional Access and Phishing-Resistant MFA
Security · Zone 1, Zone 2, Zone 3
Pass criteria: CA policies require phishing-resistant MFA (FIDO2/passkey/WHfB/CBA) for agent makers, owners, and admins; break-glass excluded; CA for Workload Identities applied to agent service principals.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.13 — Sensitive Information Types (SITs) and Pattern Recognition
Security · Zone 2, Zone 3
Pass criteria: FSI-relevant built-in and custom SITs (SSN, credit card, ABA routing, account numbers, CRD, MNPI keyword dictionary) are deployed and referenced by DLP, sensitivity labels, and DSPM for AI policies.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.14 — Data Minimization and Agent Scope Control
Security · Zone 1, Zone 2, Zone 3
Pass criteria: Each agent has a documented grounding inventory with zone-based justification, narrowed SharePoint scopes, public web grounding disabled for Zone 3 NPI agents, and active scope-drift monitoring.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.2 — Agent Registry and Integrated Apps Management
Security · Zone 1, Zone 2, Zone 3
Pass criteria: All agents and integrated apps registered with named owner and backup owner, admin consent workflow enabled, and no orphaned service principals across Entra, Integrated Apps, and Copilot Studio.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 1.5 — Data Loss Prevention (DLP) and Sensitivity Labels
Security · Zone 1, Zone 2, Zone 3
Pass criteria: Purview DLP covers SharePoint, OneDrive, Exchange, Teams, Endpoint, and Copilot/Copilot Chat, plus Power Platform data policies for Copilot Studio agents, all using FSI-tuned SITs.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.12 — Supervision and Oversight (FINRA Rule 3110)
Management · Zone 1, Zone 2, Zone 3
Pass criteria: WSP addendum covers AI communications, qualified principal designated, HITL configured for Zone 3 customer-facing outputs, sampling protocol documented, and supervisory review evidence retained.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.24 — Agent Feature Enablement and Restriction Governance
Management · Zone 1, Zone 2, Zone 3
Pass criteria: Per-zone feature catalog approved by change management; tenant, environment, and agent-level toggles enforce it; preview/MCP/code-interpreter features explicitly approved per zone.
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.25 — Microsoft Agent 365 — Admin Center Governance Console
Management · Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.26 — Entra Agent ID — Identity Governance for Agents
Management · Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 2.6 — Model Risk Management (OCC 2011-12/SR 11-7)
Management · Zone 1, Zone 2, Zone 3
Pass criteria: AI agents classified within the firm's MRM framework with model inventory, independent validation, ongoing performance monitoring, bias testing, and change-control evidence retained per 17a-4(f).
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 3.1 — Agent Inventory and Metadata Management
Reporting · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 3.6 — Orphaned Agent Detection and Remediation
Reporting · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 3.8 — Copilot Hub and Governance Dashboard
Reporting · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Control 4.7 — Microsoft 365 Copilot Data Governance
SharePoint · Zone 1, Zone 2, Zone 3
Verify in: See control documentation.
Full control documentation · Portal walkthrough
Generated from assessment/manifest/controls.json by scripts/generate_homework_pages.py. Edit the manifest, then re-run.