
Control 1.22: Information Barriers for AI Agents

Control ID: 1.22
Pillar: Security
Regulatory Reference: SEC Exchange Act §15(g), SEC Rules 10b-5, 14e-5, Regulation M, Regulation Best Interest (Reg BI) 17 CFR 240.15l-1, Regulation S-P 17 CFR 248.30; FINRA Rules 2241, 2242, 3110, 5270, 5280, FINRA 25-07; MSRB Rules G-23, G-37; OCC 2011-12; Fed SR 11-7
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Implement Microsoft Purview Information Barriers (IB), the technical implementation of regulatory "ethical walls", to constrain how M365 Copilot, Copilot Studio agents, and connected agents can surface, summarize, or relay content across compliance-segregated business units (e.g., research / sales-and-trading, investment banking / public-side desks, fiduciary / proprietary trading). The control helps prevent AI-mediated leakage of material nonpublic information (MNPI) and supports compliance with FINRA, SEC, MSRB, and prudential supervisory expectations for supervision of generative-AI workflows.


Why This Matters for FSI

  • SEC Exchange Act §15(g) (15 U.S.C. 78o(g)): Requires broker-dealers to establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of MNPI. AI agents that can read across both sides of a wall are an unmitigated MNPI-leakage vector and are squarely within §15(g)'s scope.
  • FINRA Rule 3110 (Supervision): WSPs must reasonably supervise the activities of associated persons. FINRA Regulatory Notice 25-07 (April 2025) extends 3110 supervisory expectations to generative-AI tools, including agents — firms are expected to log, monitor, and attest to barrier-aware AI behavior.
  • FINRA Rules 2241 / 2242 (Research Analyst Rules): Mandate information barriers between research analysts and investment-banking / principal-trading personnel for equity (2241) and debt (2242) research; agent-mediated content sharing falls within "communications" under both rules.
  • FINRA Rule 5280 (Trading Ahead of Research Reports) and 5270 (Front-Running of Block Transactions): Prohibit information flow that would permit anticipatory trading; an agent that summarizes draft research for a trading-desk user is a 5280 violation surface.
  • SEC Regulation Best Interest (Reg BI) 17 CFR 240.15l-1: Requires broker-dealers to identify and mitigate conflicts of interest with retail customers; cross-desk agent retrieval can create conflicts that Reg BI requires to be mitigated, not merely disclosed.
  • SEC Regulation S-P 17 CFR 248.30 (as amended May 2024, compliance dates 2025–2026): Safeguards rule and incident-response amendments require reasonably designed policies to protect customer information; AI cross-segment retrieval is a covered safeguarding gap.
  • SEC Rules 10b-5, 14e-5, Regulation M: Anti-fraud, tender-offer, and trading-restriction regimes that depend on demonstrable information segregation.
  • MSRB Rules G-23 (Activities of Financial Advisors) and G-37 (Political Contributions): Require segregation between municipal advisory and underwriting roles; barrier enforcement should extend to municipal-securities desks.
  • OCC Bulletin 2011-12 / Fed SR 11-7 (Model Risk Management) and OCC 2023-17 (Risk Management of Third-Party Relationships): Require effective challenge and segregation of model-input data — applicable to retrieval-augmented agents.
  • CFTC Rule 1.31 / NFA Compliance Rule 2-10: Recordkeeping for derivatives firms — barrier-crossing decisions and approvals must be retained as books-and-records.

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

This control establishes Information Barriers as the M365 enforcement layer for FSI ethical walls, with attention to how generative-AI agents inherit (or fail to inherit) those barriers:

  1. IB Mode Selection — Choose Legacy (single-segment, ABP-based, deprecated for new tenants), SingleSegment (modern v2, one segment per user), or MultiSegment (modern v2, up to 10 segments per user). New tenants onboarded after the August 2023 Information Barriers v2 GA default to v2 modes and no longer require Exchange Online Address Book Policy (ABP) management for unsegmented users. Verify with Get-InformationBarrierMode.
  2. Organization Segments — Define segments based on Microsoft Entra ID attributes (e.g., Department, CompanyName, MemberOf). Up to 5,000 segments per tenant. Avoid using extensionAttribute* fields without an HR-of-record sync — drift causes silent barrier failures.
  3. IB Policies — Create policies between segments with New-InformationBarrierPolicy (-SegmentsBlocked or -SegmentsAllowed; confirm against current Microsoft documentation which policy type your mode supports, since MultiSegment mode has supported block policies only). Policies are authored from the assigned segment's perspective, so a two-way wall needs a policy in each direction. Apply them with Start-InformationBarrierPoliciesApplication. Application is asynchronous and may take several hours; users without segment assignment bypass barriers and remain a residual risk until covered.
  4. Workload Coverage — IB enforcement applies to Teams (chat, channels, meetings, calling), SharePoint (site membership, sharing, search trimming), OneDrive for Business (sharing), Exchange Online (IB does not block mail flow in any mode; it governs address-book visibility, through admin-managed Address Book Policies in Legacy mode and system-managed ABPs in v2), and Microsoft 365 Groups (membership and creation). Power BI, Stream-on-SharePoint, and Loop respect SharePoint/OneDrive trimming.
  5. AI Agent Inheritance — M365 Copilot (chat, BizChat, work-grounded responses), declarative agents, and Copilot Studio agents deployed in Teams (1:1 chat, group chat) inherit the invoking user's IB context and use IB-aware retrieval. The agent cannot return content the user could not retrieve directly, so IB trimming is the minimum protection every per-user agent inherits. It is not a substitute for correct site permissions: content the user is already over-permissioned to see is not trimmed by IB.
  6. Channel Agent Limitation — Copilot Studio agents posted directly into a Teams channel (Channel Agent deployment model) operate in a shared-channel context and do not consistently inherit the per-invoker IB context. This is a Microsoft platform constraint and is the highest-residual-risk surface in Zone 2/3.
  7. SharePoint Barrier Alignment — IB-mode SharePoint sites must have a site segment assigned. Knowledge sources referenced by Copilot Studio (SharePoint, Dataverse, Graph connectors, web sources) must each be reviewed for cross-barrier content, since IB does not segment Graph connector indexes by default.
  8. Wall-Crossing Workflow — Compliance-approved, time-boxed exceptions (e.g., over-the-wall analyst engagements). Document the request, approver, business justification, scope, expiration, and post-event closeout. Retain for at least 6 years, which satisfies the FINRA Rule 4511(b) default period for records without a specified retention and exceeds the SEC Rule 17a-4(b) three-year minimum.
  9. Barrier Monitoring — Microsoft Purview Audit (Standard / Premium) records InformationBarrierPolicyApplication events; Defender XDR Advanced Hunting (CloudAppEvents, OfficeActivity) and Microsoft Sentinel are recommended to alert on anomalous cross-segment access attempts via agents.
  10. Planner / Loop / Whiteboard Integration — Modern Planner (basic plans in Planner Web, Teams desktop/web/mobile) honors IB-driven group membership; Loop components and Whiteboard inherit the host SharePoint/OneDrive segment.
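The following script is an added example, not code from this control page or from Microsoft: it carries out steps 1 through 3 of the Control Description above (and the matching Key Configuration Points later on the page) for a research / trading / investment-banking wall in Security & Compliance PowerShell. Segment names, department values and the Compliance group address are hypothetical; the mode is read through Get-PolicyConfig, whose InformationBarrierMode property is the value this page verifies with Get-InformationBarrierMode, and the Status property name on the application-status output is assumed and should be checked against your module version.

```powershell
# Added example: build a two-way research/trading/IB ethical wall in
# Microsoft Purview Information Barriers. Not from the control page or Microsoft.
# Requires the ExchangeOnlineManagement module and a Compliance Admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for MFA

# Step 1: confirm the tenant is on a v2 mode before authoring anything.
# Assumption: Get-PolicyConfig exposes the IB mode as InformationBarrierMode.
$mode = (Get-PolicyConfig).InformationBarrierMode
if ($mode -eq 'Legacy') {
    throw "Tenant is in Legacy IB mode; migrate to SingleSegment/MultiSegment first."
}
Write-Host "IB mode: $mode"

# Step 2: segments keyed only on HR-synced attributes (Department) or a
# provisioned group. Hypothetical names and values; created idempotently.
$segments = [ordered]@{
    'IB-Research'          = "Department -eq 'Equity Research' -or Department -eq 'Credit Research'"
    'IB-Trading'           = "Department -eq 'Sales and Trading'"
    'IB-InvestmentBanking' = "Department -eq 'Investment Banking'"
    'IB-Compliance'        = "MemberOf -eq 'ib-compliance@contoso.example'"   # hypothetical group
}
$existingSegments = @(Get-OrganizationSegment | Select-Object -ExpandProperty Name)
foreach ($name in $segments.Keys) {
    if ($existingSegments -contains $name) { Write-Host "Segment $name exists; skipping"; continue }
    New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name] | Out-Null
    Write-Host "Created segment $name"
}

# Step 3: block policies in BOTH directions. A policy is written from the
# assigned segment's point of view, so a single policy leaves the reverse
# path open. IB-Compliance is deliberately not walled off from anyone.
$walls = @(
    @('IB-Research', 'IB-Trading'),
    @('IB-Research', 'IB-InvestmentBanking'),
    @('IB-InvestmentBanking', 'IB-Trading')
)
$existingPolicies = @(Get-InformationBarrierPolicy | Select-Object -ExpandProperty Name)
foreach ($pair in $walls) {
    foreach ($dir in @(@($pair[0], $pair[1]), @($pair[1], $pair[0]))) {
        $from, $to = $dir
        $policyName = "Block-$from-from-$to"
        if ($existingPolicies -contains $policyName) { continue }
        New-InformationBarrierPolicy -Name $policyName -AssignedSegment $from `
            -SegmentsBlocked $to -State Active | Out-Null
        Write-Host "Created policy $policyName"
    }
}

# Policies do nothing until applied. Application is asynchronous; poll the
# most recent run (the cmdlet returns the latest run when -All is omitted).
Start-InformationBarrierPoliciesApplication | Out-Null
do {
    Start-Sleep -Seconds 300
    $status = Get-InformationBarrierPoliciesApplicationStatus | Select-Object -First 1
    Write-Host "$(Get-Date -Format s) application status: $($status.Status)"   # Status: assumed property name
} while ($status.Status -notin @('Completed', 'Failed', 'Cancelled'))
if ($status.Status -ne 'Completed') { throw "Policy application ended in state $($status.Status)" }
Write-Host 'Barrier policies applied. Now run the pre-deployment retrieval test before publishing any agent.'
```

Keep the segment filters on attributes that the HR-of-record provisioning flow owns; if a Department value is renamed in Workday or SuccessFactors but not in the filter, the affected users silently drop out of every segment and out of every barrier, which is exactly the drift step 2 warns about.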

Channel Agent vs. Copilot Studio Agent IB Support

Information Barriers support varies by agent surface in Teams:

| Agent Surface | IB-Aware Retrieval | Deployment Model | Notes |
|---|---|---|---|
| M365 Copilot (BizChat, Office hosts) | ✅ Yes | Built-in | User context inherits all IB policies; IB-aware indexing is the floor of retrieval |
| Declarative agents (M365 Copilot) | ✅ Yes | Copilot agent package | Inherits user IB context; knowledge-source curation still required |
| Copilot Studio agent in Teams 1:1 / group chat | ✅ Yes | Teams app package, per-user invocation | User context inherits IB |
| Copilot Studio agent posted as Channel Agent | ⚠️ Limited / Not enforced | Channel post (shared context) | Microsoft platform limitation; does not consistently inherit per-invoker IB |
| Copilot Studio agent on web / DirectLine | ❌ No | External channel | No IB context available |

Compensating Controls for Channel Agents and external channels:

  • Zone 3 prohibition: Do not deploy Channel Agents in Teams channels where barrier-protected segments interact, and do not expose any Copilot Studio agent over web/DirectLine without compensating data-scope restrictions.
  • Knowledge-source isolation: Manually verify Channel Agent and external-channel knowledge sources contain no cross-barrier content; document this verification in the change record.
  • Connector and DLP scoping: Use Power Platform DLP (Control 1.4) and Purview DLP for Copilot/Agents (Control 1.7) to restrict cross-segment data flow.
  • User attestation and training: Require channel members to acknowledge that Channel Agent responses are not IB-bound and that escalations must use a per-user agent surface.

Pre-deployment test: Before publishing any agent into a Teams space used by barrier-protected segments, have a user from one segment invoke the agent and verify they cannot retrieve a known canary document owned by the blocked segment. Run the same prompt as a user in a segment that is allowed to see the document and confirm it is returned; without that positive case, a "blocked" result may only be a missing site permission rather than the barrier. Capture screenshots and PowerShell evidence in the change ticket.


Key Configuration Points

  • Verify IB mode (Get-InformationBarrierMode) — MultiSegment is preferred for FSI firms with overlapping mandates (e.g., a banker who is also Reg BI compliance-officer-of-record)
  • Create organization segments in Purview (e.g., IB-Research, IB-Trading, IB-InvestmentBanking-Public, IB-InvestmentBanking-Private, IB-Sales, IB-Compliance, IB-Muni-Underwriting, IB-Muni-Advisory)
  • Source segment-defining attributes from an HR-of-record system (Workday, SuccessFactors, etc.) via Entra ID provisioning — never hand-edit
  • Define IB policies between segments (block-list with -SegmentsBlocked, or allow-list with -SegmentsAllowed where your mode supports it; MultiSegment mode has supported block policies only, so confirm against current Microsoft documentation), and author both directions of every two-way wall
  • Apply policies with Start-InformationBarrierPoliciesApplication — application is asynchronous and may take several hours
  • Confirm 100% segment coverage of the user population — users without segment assignment bypass barriers
  • Assign site segments to all SharePoint sites that store regulated content; review Graph-connector indexes for cross-barrier content
  • Configure SharePoint IB modes at the site level (Explicit for restricted sites; OwnerModerated for cross-segment collaboration)
  • Document a wall-crossing approval workflow with Compliance + Legal + Business-Unit-Head sign-off and a hard expiration
  • Configure Defender XDR / Sentinel detections for IB-relevant signals (UnifiedAuditLog Workload=InformationBarrier)
  • Retain wall-crossing documentation for at least 6 years, satisfying the FINRA Rule 4511(b) default period and exceeding the SEC Rule 17a-4(b) three-year minimum

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | IB context inherited automatically by M365 Copilot from the invoking user; admin verifies user has segment assignment; no Channel Agents permitted to surface across protected segments | User-context inheritance is the enforcement primitive; segment-less users bypass barriers |
| Zone 2 (Team) | All SharePoint sites used as agent knowledge sources have a site segment assigned; weekly attestation that knowledge sources contain no cross-barrier content; Copilot Studio agents deployed only as per-user Teams apps (not Channel Agents) for protected segments; quarterly access review (Control 2.7) | Team agents must stay within barrier walls and require explicit knowledge-source curation because Graph-connector indexes are not segment-trimmed by default |
| Zone 3 (Enterprise) | Mandatory enforcement with MultiSegment IB mode; 100% segment coverage attested monthly; formal Compliance + Legal + BU-head wall-crossing workflow with hard expiration; real-time Defender XDR / Sentinel detection on Workload=InformationBarrier events; Channel Agents prohibited where segments interact; quarterly red-team test of agent cross-barrier behavior; 6+ year retention | Maximum protection for FINRA 2241/2242/3110-regulated functions, MNPI custodians, and MSRB municipal advisory desks |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Purview Compliance Admin | Configure IB segments and policies; run Start-InformationBarrierPoliciesApplication; export evidence |
| Compliance Officer | Approve wall-crossing requests; sign off on segment-design decisions; own annual barrier-policy attestation |
| Entra Security Admin | Monitor barrier enforcement via Defender XDR / Sentinel; investigate suspected cross-barrier agent retrieval |
| AI Administrator | Curate Copilot Studio agent knowledge sources for barrier compliance; gate Channel Agent deployments |
| Entra User Admin | Maintain HR-of-record attribute sync (e.g., Department) that drives segment membership; remediate segment-less users |
| SharePoint Admin | Assign site segments; align site permissions with IB policies; review IB-mode site provisioning |

| Control | Relationship |
|---|---|
| 1.3 - SharePoint Governance | SharePoint permissions must align with barriers |
| 1.7 - Audit Logging | Barrier events must be logged |
| 1.18 - RBAC | Access control aligned with barriers |
| 2.8 - Segregation of Duties | Organizational separation supports barriers |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Get-InformationBarrierMode returns the intended mode (MultiSegment recommended for FSI; Legacy flagged as remediation item)
  2. Get-OrganizationSegment returns segments aligned to the firm's regulatory business-unit map; user-attribute filters source from HR-of-record
  3. Get-InformationBarrierPolicy | Where-Object State -eq Active returns the expected allow/block matrix and last Start-InformationBarrierPoliciesApplication completed (Get-InformationBarrierPoliciesApplicationStatus shows Completed)
  4. Segment coverage report shows ≥99.5% of in-scope users assigned (Zone 3 target: 100% of MNPI-handling personnel)
  5. End-to-end retrieval test: a user in IB-Research invoking M365 Copilot, a declarative agent, and a Copilot Studio per-user agent cannot retrieve a known canary document stored in an IB-Trading-segmented SharePoint site
  6. Wall-crossing request routes to Compliance Officer + Legal + BU head; expirations enforced; evidence retained ≥6 years
  7. Defender XDR / Sentinel queries on OfficeActivity Workload=InformationBarrier and Audit InformationBarrierPolicyApplication events produce results within retention window
  8. Channel Agent inventory (Power Platform Admin Center) reviewed; no Channel Agents deployed into Teams channels that span barrier-protected segments
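The script below is an added example, not code from this control page or from Microsoft, that collects evidence for verification items 1 through 4 and 7 above, and for the Barrier Monitoring step in the Control Description, into one timestamped folder for the change ticket. It assumes Connect-IPPSSession and Connect-ExchangeOnline have already been run, that every segment filter keys on the Department attribute (so an empty Department is a proxy for "no segment"), that Get-PolicyConfig exposes InformationBarrierMode, and that InformationBarrierPolicyApplication is accepted by Search-UnifiedAuditLog -RecordType; the 99.5% threshold is the page's own target.

```powershell
# Added example: export IB verification evidence (mode, segments, active policy
# matrix, last application run, segment coverage, audit events). Not from the
# control page or Microsoft. Assumes IPPSSession + ExchangeOnline sessions exist.
$evidence = Join-Path $env:TEMP ("IB-evidence-" + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $evidence | Out-Null

# Item 1: IB mode. Assumption: Get-PolicyConfig exposes InformationBarrierMode.
$mode = (Get-PolicyConfig).InformationBarrierMode
"IBMode=$mode" | Out-File (Join-Path $evidence 'mode.txt')
if ($mode -eq 'Legacy') { Write-Warning 'Legacy IB mode: record as a remediation item' }

# Items 2-3: segments, the active allow/block matrix, and the last application run.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter |
    Export-Csv (Join-Path $evidence 'segments.csv') -NoTypeInformation
Get-InformationBarrierPolicy | Where-Object State -eq 'Active' |
    Select-Object Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State |
    Export-Csv (Join-Path $evidence 'active-policies.csv') -NoTypeInformation
Get-InformationBarrierPoliciesApplicationStatus -All |
    Export-Csv (Join-Path $evidence 'application-status.csv') -NoTypeInformation

# Item 4: coverage. A user whose segment-driving attribute is blank matches no
# segment filter and is therefore outside every barrier. Department is used
# here because (by assumption) all segment filters key on it.
$users       = @(Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox)
$unsegmented = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.Department) })
$coverage    = [math]::Round(100 * (1 - $unsegmented.Count / [math]::Max($users.Count, 1)), 2)
$unsegmented | Select-Object UserPrincipalName, DisplayName |
    Export-Csv (Join-Path $evidence 'unsegmented-users.csv') -NoTypeInformation
"Coverage=$coverage% ($($unsegmented.Count) of $($users.Count) mailboxes have no Department)" |
    Out-File (Join-Path $evidence 'coverage.txt')
if ($coverage -lt 99.5) { Write-Warning "Segment coverage $coverage% is below the 99.5% target" }

# Item 7: audit evidence for policy-application events. Adjust -StartDate to
# your audit retention; -ResultSize is capped at 5000 per call.
$end   = Get-Date
$start = $end.AddDays(-90)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType InformationBarrierPolicyApplication -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv (Join-Path $evidence 'ib-audit-events.csv') -NoTypeInformation

Write-Host "Evidence written to $evidence"
```

The Department proxy is fast but approximate: a user can have a Department value that matches no filter (a renamed cost centre, a contractor department nobody mapped) and still be unsegmented. For the Zone 3 monthly attestation of MNPI-handling personnel, confirm the individuals with Get-InformationBarrierRecipientStatus -Identity <upn>, which reports the segments the service actually resolved for that recipient.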

Additional Resources

Exchange Online ABP Changes (March 2026)

For organizations using single-segment or multi-segment IB modes, Information Barriers no longer relies on Exchange Online Address Book Policies (ABPs). The system automatically creates ABPs with empty address lists for unsegmented users, and existing ABPs are not affected. In legacy mode, IB still requires ABP management — all existing ABPs must be removed before enabling IB. Verify your IB mode with Get-InformationBarrierMode and review the Information Barriers multi-segment documentation for details.


Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current