Control 1.14: Data Minimization and Agent Scope Control
Control ID: 1.14
Pillar: Security
Regulatory Reference: GLBA 501(b), SEC Reg S-P, FINRA 4511, FINRA 3110, FINRA 25-07, CCPA §1798.100
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Ensure Copilot Studio agents access only the minimum data necessary for their functions by implementing least-privilege principles, documented data access justifications, scope creep prevention controls, and regular access reviews.
Why This Matters for FSI
- GLBA 501(b): Helps limit agent access to customer NPI to the minimum necessary for the function
- SEC Regulation S-P (Safeguards Rule, as amended May 2024): Supports written policies and procedures for the safeguarding and disposal of customer information; helps evidence justification for agent access to consumer financial records
- FINRA Rule 4511: Helps maintain an audit trail of data access decisions and book-and-record retention obligations for AI-mediated interactions
- FINRA Rule 3110 + Regulatory Notice 25-07 (AI guidance, March 2025): Extends supervisory obligations to AI agent data access; supports documented data minimization policies and near-real-time monitoring (within tenant audit and DSPM for AI latency windows) of AI-to-data interactions for customer-facing agents
- CCPA §1798.100: Supports data minimization for non-GLBA personal information. Most broker-dealer / bank customer financial information is exempt under the GLBA carve-out at CCPA §1798.145(e); CCPA still applies to HR, marketing, and other non-GLBA personal information processed by agents
Control Description
This control establishes data minimization across the full set of agent grounding surfaces:
- Agent Data Access Inventory — Map all data sources and grounding surfaces accessed by each agent: SharePoint / OneDrive sites and libraries, Dataverse tables, Microsoft Graph connectors, per-conversation file uploads, image uploads (vision grounding), public web grounding (Bing-backed), enterprise web / curated URLs, connector references (Power Platform standard, premium, and custom connectors), and Copilot extensions / declarative agents / API plugins. Cross-reference Control 1.2 (Agent Registry) for the source-of-truth inventory.
- Data Access Justification Framework — Require documented business need for each agent ↔ grounding surface pair, with zone-based approval workflows (Zone 1 self-service; Zone 2 manager; Zone 3 CISO + AI Governance Lead).
- Connector Classification + Permission Minimization — Use Power Platform DLP to classify connectors into Business / Non-Business / Blocked groups (PPAC → Policies → Data Policies); block connectors not justified by an inventory entry. For OAuth / Graph permission minimization on connectors that authenticate via Entra (custom connectors, Graph connectors, agent identity), use scoped delegated and application permissions per Control 1.18 — Power Platform DLP itself does not configure OAuth scopes.
- Grounding Source Minimization (SharePoint, web, files) — Scope SharePoint knowledge sources to specific document libraries or folders rather than entire sites; coordinate with Control 4.6 (Grounding Scope Governance) which provides the SharePoint enforcement layer (Restricted Content Discovery exclusion lists, Restricted SharePoint Search ≤100-site allowed list, and Data Access Governance reports). Disable public web grounding for Zone 3 agents handling NPI; restrict file upload by sensitivity label and SIT match (see Controls 1.13 and 1.17).
- Scope-Drift Monitoring (DSPM for AI + Audit + SIEM) — Use Microsoft Purview DSPM for AI and Activity Explorer to surface sensitive-data interactions with Copilot and agents; query the M365 Copilot audit schema (
CopilotInteractionrecords) and join to the agent registry (Control 1.2) to derive scope-expansion signals. No nativeAgentScopeExpansionaudit event exists — implement via thescope-drift-monitorsolution or an equivalent SIEM correlation in Sentinel / Logic Apps. - DLP for M365 Copilot Location — Apply Purview DLP policies at the Microsoft 365 Copilot location to prevent agents from grounding on content carrying restricted sensitivity labels or matched SITs (Control 1.13). This is the runtime enforcement counterpart to inventory-time minimization.
- Periodic Access Reviews — Run Microsoft Entra ID Governance Access Reviews on agent identities (Entra Agent ID), connector connections, and knowledge-source group memberships at the cadence defined in Zone-Specific Requirements; record decisions for FINRA 3110 supervisory evidence.
Key Configuration Points
- Inventory all agent-to-grounding-surface mappings (SharePoint, Dataverse, files, images, web, connectors, extensions) with data classification levels — source of truth lives in Control 1.2
- Establish zone-based approval workflow (Zone 1: self-service; Zone 2: manager; Zone 3: CISO + AI Governance Lead)
- Configure Power Platform DLP (PPAC → Policies → Data Policies) to classify connectors used by agents into Business / Non-Business / Blocked groups; block connectors not justified in inventory (cross-reference Control 1.4)
- Create dedicated SharePoint groups for agent-readable content with least-privilege permissions; coordinate with Control 4.6 to apply Restricted Content Discovery (RCD) on high-risk sites and Restricted SharePoint Search (RSS) where appropriate (RSS is a short-term overshare-remediation measure, not a long-term Zone 3 boundary — see 4.6)
- Narrow Copilot Studio knowledge sources to specific document libraries / folders rather than entire sites; disable public web grounding for Zone 3 agents handling NPI; restrict file uploads and image uploads per zone
- Configure Purview DSPM for AI policies and review Activity Explorer for sensitive-data interactions with agents; derive scope-drift signals via SIEM correlation against the M365 Copilot audit schema (
CopilotInteractionrecords) — no native scope-expansion audit event exists - Apply Purview DLP at the Microsoft 365 Copilot location with rules tied to sensitivity labels and SITs (Control 1.13)
- Document data access justification for each agent ↔ grounding surface pair; retain per WSP / FINRA 4511 retention schedules
- Run Microsoft Entra ID Governance Access Reviews on agent identities and connector connections per zone cadence
Automation Available
See Scope Drift Monitor in FSI-AgentGov-Solutions for automated detection of agent data access beyond declared operational scope with approval workflows for scope expansion.
File Upload Security Automation
See File Upload Security Configurator in FSI-AgentGov-Solutions for automated per-agent file upload validation against zone governance policies with drift detection, Teams alerting, and SHA-256 compliance evidence export.
License Requirements
- Microsoft 365 Copilot — required for agent runtime, Copilot audit (
CopilotInteraction), and DLP-for-Copilot location coverage - Microsoft 365 E5 Compliance (or E5 Information Protection & Governance) — required for Purview DSPM for AI, DLP for M365 Copilot location, and Activity Explorer
- SharePoint Advanced Management — included with M365 Copilot; provides RCD, Restricted SharePoint Search, and Data Access Governance reports (see Control 4.6)
- Microsoft Entra ID Governance (Entra ID P2) — required for Access Reviews on agent identities and connector connections
- Power Platform DLP — included with the Power Platform tenant; no add-on required
- Copilot Studio per-message capacity / per-user — required for Copilot Studio agent runtime
Verify SKU eligibility at deploy time.
Sovereign Cloud Parity (verify at deploy time)
- Power Platform DLP — parity across Commercial / GCC / GCC High / DoD
- Purview DSPM for AI — Commercial GA; GCC rolling; GCC High and DoD lag — verify against the Microsoft 365 roadmap before relying on DSPM for AI in regulated clouds
- DLP for M365 Copilot location — Commercial GA; GCC rolling; GCC High / DoD verify
- SharePoint Advanced Management (RCD / RSS / DAG) — Commercial and GCC; GCC High / DoD limited — verify
- Copilot Studio — Commercial and GCC; GCC High limited preview as of early 2026 — confirm at deploy time
- Entra ID Governance Access Reviews — parity across Commercial / GCC / GCC High / DoD
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Annual data access review; standard DLP; self-service scope changes | Low risk, minimal data access |
| Zone 2 (Team) | Quarterly review; enhanced DLP; manager approval for scope changes | Team data requires accountability |
| Zone 3 (Enterprise) | Monthly review; strict allowlist; CISO approval; real-time monitoring | Customer-facing requires strict minimization |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Review agent configurations, manage environment settings, configure Power Platform DLP |
| AI Administrator | Manage Microsoft 365 Copilot settings, agent feature access, and Copilot connector delegation |
| SharePoint Admin | Manage site permissions, create agent access groups, coordinate RCD/RSS posture (Control 4.6) |
| Purview Compliance Admin | Configure DLP for M365 Copilot location, review compliance posture |
| Purview Data Security AI Admin | Configure Purview DSPM for AI policies and review Activity Explorer signals |
| Entra Identity Governance Admin | Run Access Reviews on agent identities and connector connections |
| AI Governance Lead | Define approval workflows, conduct quarterly access reviews, own scope-drift response |
| Compliance Officer | Review supervisory evidence, sign off on FINRA 3110 / 25-07 documentation |
| CISO | Approve Zone 3 scope changes; own residual-risk acceptance |
Related Controls
| Control | Relationship |
|---|---|
| 1.2 - Agent Registry | Source-of-truth agent ↔ grounding surface inventory |
| 1.3 - SharePoint Governance | Content access restrictions and label propagation |
| 1.4 - Advanced Connector Policies | Power Platform DLP connector classification |
| 1.10 - Communication Compliance Monitoring | Supervisory monitoring of agent-mediated communications |
| 1.13 - Sensitive Information Types | SIT signal feeding DLP-for-Copilot and scope-drift detection |
| 1.18 - RBAC | Role-based and OAuth scope minimization for agent identities |
| 1.19 - eDiscovery for Agent Interactions | Evidence retrieval over CopilotInteraction records |
| 4.6 - Grounding Scope Governance | SharePoint enforcement layer (RCD, RSS ≤100-site allowed list, DAG reports) — required for §4 minimization to be operational |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Every agent in the Control 1.2 registry has a documented justification for each grounding surface (SharePoint scope, Dataverse tables, file upload allowed, image upload allowed, public web on/off, enterprise web URLs, connector references, extensions/plugins) on file
- Power Platform DLP policy classifies every connector used by an agent into Business / Non-Business / Blocked; no agent uses a connector that is not in the Business group of its environment's policy (cross-check against Control 1.4)
- SharePoint knowledge sources are scoped to specific libraries / folders, not entire sites; sample 10% of agents and confirm
- Public web grounding is disabled on all Zone 3 agents handling NPI (verify in Copilot Studio agent settings)
- File upload and image upload posture matches zone policy (Zone 3: restricted to labeled / SIT-validated content) — see Control 1.17 endpoint DLP and the File Upload Security Configurator
- Purview DSPM for AI policies cover all environments hosting agents that ground on customer data; Activity Explorer shows no unexplained sensitive-data interactions in the past 30 days for Zone 3
- Purview DLP at the Microsoft 365 Copilot location enforces sensitivity-label and SIT-based blocks (Control 1.13); test with a synthetic NPI document
- SIEM correlation against
CopilotInteractionaudit records produces a scope-drift report at zone cadence (Zone 3: weekly); incidents triaged within SLA - Control 4.6 RCD exclusion list and RSS allowed-list (if used) reconcile against the agent grounding inventory — no high-risk site is grounded by a Zone 3 agent and missing from the RCD list
- Microsoft Entra ID Governance Access Reviews completed at zone cadence on agent identities and connector connections; decisions retained per FINRA 4511
- Quarterly (Zone 1: annual; Zone 2: quarterly; Zone 3: monthly) access review documented with reviewer, date, scope changes, and approval evidence
- Sample audit pulls (
CopilotInteraction, DSPM for AI activity, DLP-for-Copilot rule matches) for the past 90 days are exportable and tied back to the WSP — supports FINRA 3110 supervisory evidence and SEC Reg S-P safeguards documentation
Additional Resources
- Microsoft Learn: Power Platform DLP policies
- Microsoft Learn: Connector classification
- Microsoft Learn: Add knowledge sources to a Copilot Studio agent
- Microsoft Learn: Knowledge sources in Copilot Studio
- Microsoft Learn: Public website knowledge sources
- Microsoft Learn: File analysis in Copilot Studio
- Microsoft Learn: Microsoft Purview DSPM for AI
- Microsoft Learn: DSPM for AI data assessments
- Microsoft Learn: Activity Explorer
- Microsoft Learn: DLP for Microsoft 365 Copilot location
- Microsoft Learn: Audit Microsoft 365 Copilot interactions
- Microsoft Learn: Restricted Content Discovery
- Microsoft Learn: Restricted SharePoint Search
- Microsoft Learn: SharePoint Data Access Governance reports
- Microsoft Learn: Microsoft Entra ID Governance Access Reviews
- Microsoft Learn: SharePoint sharing permissions
- SEC Final Rule: Regulation S-P amendments (May 2024)
- FINRA Regulatory Notice 25-07: AI guidance (March 2025)
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current (re-verified April 2026)