Control 1.12: Insider Risk Detection and Response
Control ID: 1.12 | Pillar: Security | Regulatory Reference: FINRA 4511, GLBA 501(b), SOX 404, SEC 17a-4 | Governance Levels: Baseline / Recommended / Regulated | Last UI Verified: February 2026 | Last Verified: 2026-02-03
Objective
Detect potentially malicious or inadvertent insider activities that could harm the organization, including unauthorized data extraction via agents, misuse of agent capabilities, and theft of proprietary models or configurations. This control supports data exfiltration prevention and regulatory compliance monitoring.
Why This Matters for FSI
- GLBA 501(b): Protect customer NPI from insider misuse
- SOX 404: Internal control monitoring for financial data access
- SEC 17a-4: Supervision and monitoring requirements for records access
- FINRA 4511: Supervision of access to books and records
- FINRA 3110: Supervisory controls over trading activities
Control Description
| Capability | Description |
|---|---|
| Data theft detection | Detect unauthorized data extraction by departing users |
| Data leak monitoring | Identify external sharing, email exfiltration, USB copy |
| Security violations | Monitor failed access attempts and risky sign-ins |
| Agent abuse detection | Identify misuse of agent capabilities and configurations |
| ML-powered analytics | AI-driven risk pattern detection and scoring |
Risky Agents Policy Template (Preview)
Microsoft Purview Insider Risk Management now includes a Risky Agents policy template specifically designed to detect suspicious activity by Copilot Studio and Microsoft Foundry agents. This template monitors for:
- Agents accessing unusual volumes of sensitive data
- Agents operating outside expected business hours or geographies
- Agent behavior patterns that deviate from established baselines
- Unauthorized agent-to-agent communication patterns
Configure at purview.microsoft.com > Solutions > Insider risk management > Policies > Create policy > select Risky Agents template.
- Data risk graphs: Insider Risk Management now includes data risk graphs that visualize relationships between users, agents, data sources, and risk signals, helping investigators understand the scope and impact of potential insider risk incidents
- AI-powered Triage Agent (GA): The IRM Triage Agent uses AI to automatically triage and prioritize insider risk alerts, reducing manual review burden for compliance analysts and accelerating response times for high-severity incidents
Key Configuration Points
- Enable Insider Risk Management and configure analytics
- Create policies for departing users, data leaks, and security violations
- Create custom policy for agent-related insider risk
- Use the Risky Agents policy template (Preview, November 2025) to detect risky Copilot Studio and Microsoft Foundry agent activities
- Configure priority user groups (agent admins, trading staff, client-facing)
- Set up HR data connector for resignation/termination triggers
- Configure investigation settings with SLAs and evidence collection
- Define alert triage workflow with escalation paths
- Consider using the IRM Triage Agent (GA, December 2025) — a Security Copilot agent that automates insider risk alert triage and investigation prioritization
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Basic data leak monitoring; high-severity alerts only | Limited scope and risk |
| Zone 2 (Team) | Data leaks + security violations; 48-hour investigation SLA | Shared data increases risk |
| Zone 3 (Enterprise) | All policies; 4-hour SLA for critical; automated response | Maximum protection required |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Insider Risk Management Admin | Policy configuration and tuning |
| Insider Risk Analyst | Alert triage and review |
| Insider Risk Investigator | Case investigation and remediation |
| HR | Data connector and departing user coordination |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | DLP signals for insider risk |
| 1.7 - Audit Logging | Audit data for detection |
| 1.10 - Communication Compliance | Communication signals |
| 1.8 - Runtime Protection | Threat detection correlation |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- All FSI insider risk policies created and enabled
- Analytics enabled and showing risk patterns
- Test activity generates alert in queue
- Investigation workflow creates and assigns cases
- HR connector functional for departing user triggers
- Priority user groups configured with members
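One way to collect evidence for the first verification criterion above (all FSI insider risk policies created and enabled), as an added example and not a script from this control's playbooks: it connects to Security & Compliance PowerShell, lists the tenant's insider risk policies with Get-InsiderRiskPolicy, and checks that each policy type named in Key Configuration Points exists and is enabled. The tenant's policy naming convention and the output property names (Name, Enabled) are assumptions; the remaining criteria (analytics, HR connector, priority user groups) are checked in the portal.

```powershell
# Added verification script; not part of the control page or Microsoft's playbooks.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# holds an Insider Risk Management admin role. The property names Name and Enabled
# on the returned policy objects are assumptions; adjust to what your tenant returns.

# Connect to Security & Compliance PowerShell (interactive sign-in).
Connect-IPPSSession

# Required policy set from this control's Key Configuration Points.
# Values are name fragments expected in the tenant's policy names (assumed convention).
$required = [ordered]@{
    'Departing users'     = 'Departing'
    'Data leaks'          = 'Data leak'
    'Security violations' = 'Security violation'
    'Agent-related risk'  = 'Agent'
}

$policies = Get-InsiderRiskPolicy

$results = foreach ($label in $required.Keys) {
    $fragment = $required[$label]
    $match    = @($policies | Where-Object { $_.Name -like "*$fragment*" })
    [pscustomobject]@{
        Requirement = $label
        Found       = $match.Count -gt 0
        Enabled     = @($match | Where-Object { $_.Enabled -eq $true }).Count -gt 0
        Policies    = ($match.Name -join '; ')
    }
}

# Evidence table for the verification record.
$results | Format-Table -AutoSize

# Exit non-zero when any required policy is missing or disabled, so the script can
# gate an evidence-collection pipeline rather than relying on a manual read-through.
$failures = @($results | Where-Object { -not ($_.Found -and $_.Enabled) })
if ($failures.Count -gt 0) {
    Write-Warning ('Missing or disabled insider risk policies: ' + ($failures.Requirement -join ', '))
    exit 1
}
Write-Output 'All required insider risk policies are present and enabled.'
```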
Additional Resources
- Microsoft Learn: Insider Risk Management Overview
- Microsoft Learn: Create Insider Risk Policies
- Microsoft Learn: Insider Risk Indicators
- Microsoft Learn: Investigate Insider Risk Alerts
- Microsoft Learn: HR Data Connector
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current