Skip to content

Control 1.23: Step-Up Authentication for AI Agent Operations

Control ID: 1.23
Pillar: Security
Regulatory Reference: GLBA 501(b), FINRA 4511, FINRA 4530, FINRA 25-07, SOX 302/404, NIST SP 800-63B, NIST SP 800-53 IA-2, NYDFS 23 NYCRR 500.12
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated

Objective

Implement step-up authentication requirements when AI agents attempt sensitive operations such as financial transactions, data exports, or access to restricted information, requiring re-authentication at the moment of high-risk action.

Why This Matters for FSI

  • GLBA 501(b) Safeguards Rule: Helps verify customer identity at the point of sensitive data access, supporting the access-control safeguards required for non-public personal information (NPI)
  • FINRA 4511 / 25-07: Supports authorized access to financial books and records at transaction time; FINRA 25-07 calls for supervisory oversight of AI-assisted activity at the point of execution (interpretation guidance)
  • FINRA 4530: Helps create a contemporaneous, attributable authentication record at the moment of material events that may later require disclosure or reporting
  • SOX 302/404: Provides transaction-level authentication evidence supporting management assertions over internal controls for financial reporting
  • NIST SP 800-63B: Supports AAL2 / AAL3 authenticator assurance levels at the moment of high-risk action, rather than relying solely on initial sign-in
  • NIST SP 800-53 IA-2 (Identification and Authentication): Aids in meeting IA-2(1) MFA for privileged accounts and IA-2(2) MFA for non-privileged accounts when paired with re-authentication for sensitive operations
  • NYDFS 23 NYCRR 500.12: Supports the universal MFA mandate for all individuals accessing covered information systems, including AI-mediated access (effective November 2025)

Automation Available

Companion solutions in FSI-AgentGov-Solutions:

Control Description

This control establishes step-up (re-authentication) requirements at the moment an AI agent — or a user acting through an AI agent — initiates a sensitive operation. Step-up is delivered through Microsoft Entra Conditional Access authentication contexts (c1c25), which downstream services (Copilot Studio flows, custom connectors, Power Automate, SharePoint, Purview, and Graph-protected APIs) request when a sensitive action is invoked. The Conditional Access engine then enforces fresh authentication, Authentication Strength (phishing-resistant methods), device compliance, and short sign-in frequency before the action is permitted.

Step-up is layered on top of the baseline Conditional Access posture established in Control 1.11 and the agent identity controls in 1.18. It is not a substitute for baseline MFA — it is a second decision point that runs at the moment of high-risk action so that a compromised long-lived session cannot escalate into a sensitive transaction.

The control includes:

  1. High-risk action classification — Define which agent actions (financial transactions, bulk data export, external API calls, configuration changes, sensitive queries against regulated data) require step-up, and which do not
  2. Authentication contexts (c1c5) — Mapped to action risk tiers; c1 is the most restrictive
  3. Conditional Access policies per context — Each context targeted by a CA policy that requires phishing-resistant Authentication Strength, short sign-in frequency, and (Zone 3) compliant device
  4. Authentication Strengths — Use the built-in Phishing-resistant MFA strength as a baseline; create a custom strength (e.g., FSI-Critical-Operations) for the most sensitive contexts when the built-in does not cover the desired method set
  5. Sign-in risk and user risk integration — Stack risk-based Conditional Access (Identity Protection) on top of context-based policies so that elevated risk forces step-up even when context is not invoked
  6. Privileged Identity Management (PIM) — For administrative actions on agents (publishing, connector allowlist changes, environment changes), require PIM just-in-time activation with approval and bind activation to a step-up context
  7. Service principal compensating controls — Because service principals authenticate non-interactively, sensitive SP operations are governed via approval workflows, workload identity Conditional Access, and managed identity with federated credentials rather than interactive step-up
  8. Monitoring and evidence — Sign-in logs, Conditional Access "what-if" diagnostics, and PIM activation history captured for examination evidence

Key Configuration Points

  • Create Authentication Contexts: c1 (Financial Transaction), c2 (Data Export), c3 (External API), c4 (Config Change), c5 (Sensitive Query) under Entra admin center → Protection → Conditional Access → Authentication contexts
  • Create one Conditional Access policy per context (named FSI-StepUp-<Context>) targeting the context under Conditions → Cloud apps or actions → Authentication context
  • Apply the built-in Phishing-resistant MFA Authentication Strength on each step-up policy (or a custom strength for c1)
  • Set sign-in frequency under Session controls → Sign-in frequency: 15 minutes for c1, 30 minutes for c2c4, 60 minutes for c5 (Zone 3); relax per zone table below
  • For Zone 3, require compliant device or Entra hybrid joined device in the same step-up policy
  • Stack a sign-in risk Conditional Access policy (Identity Protection) requiring step-up at risk level medium or higher
  • Stack a user risk Conditional Access policy requiring secure password change at risk level high
  • Configure PIM for administrative roles touching agent infrastructure (Power Platform Admin, Environment Admin, AI Administrator, Purview Data Security AI Admin) with: approval required, justification required, MFA on activation, maximum activation duration ≤ 4 hours
  • Implement service principal compensating controls (approval workflow plus workload identity CA) for any sensitive SP operation; do not exempt SPs from governance
  • Configure real-time alerting on step-up authentication failures and on Conditional Access policy state changes via Microsoft Sentinel or Defender XDR custom detections
  • Bake step-up policies in report-only mode for at least 72 hours before flipping to enforcement, and confirm zero unintended block events in sign-in diagnostics

PIM Integration for Sensitive Agent Operations

Combine step-up authentication with PIM for administrative operations on AI agents:

Operation PIM Requirement Step-Up Context Combined Control
Agent Publishing (Zone 3) Activate Power Platform Admin c4 (Config Change) PIM + 30-min fresh auth
Connector Allowlist Changes Activate Power Platform Admin c4 (Config Change) PIM + 30-min fresh auth
Agent Deletion Activate Environment Admin c4 (Config Change) PIM + approval workflow
DSPM Policy Changes Activate Purview Admin c4 (Config Change) PIM + 15-min fresh auth
Agent Sponsor Assignment Activate AI Governance Lead c5 (Sensitive Query) PIM + justification required

PIM + Step-Up Workflow:

  1. User requests PIM activation for administrative role
  2. PIM approval workflow triggers (requires approver consent)
  3. Upon activation, step-up authentication context applied
  4. User completes phishing-resistant MFA
  5. Administrative operation permitted within activation window
  6. All actions logged with PIM activation context for audit

Zone-Specific Requirements

Zone Requirement Rationale
Zone 1 (Personal) Standard MFA (any approved method); 8-hour session; step-up not required for personal-productivity actions; sign-in risk policy still applied Low-risk, non-regulated content; minimize friction while preserving baseline identity assurance
Zone 2 (Team) Step-up required for data exports, external API calls, and configuration changes; 4-hour session; 30-minute fresh auth on sensitive actions; phishing-resistant MFA preferred and required for connector allowlist changes Team data may include limited regulated content; additional verification reduces blast radius of session compromise
Zone 3 (Enterprise) Mandatory step-up on all sensitive actions (c1c5); 1-hour baseline session; 15-minute fresh auth for c1; phishing-resistant Authentication Strength required; compliant or hybrid-joined device required; PIM with approval for all admin operations; sign-in risk and user risk policies enforced; real-time monitoring with FSI examination evidence retention Customer-facing, regulated workloads (FINRA / SEC / NYDFS scope); highest authenticator assurance and shortest re-authentication interval needed at point of action

Roles & Responsibilities

Role Responsibility
Entra Security Admin Configure Conditional Access authentication contexts, step-up policies, risk-based policies, and Authentication Strengths
Entra Global Admin Approve tenant-wide authentication method policy changes; act as break-glass for misconfigured step-up policies
Entra Privileged Role Admin Configure PIM role settings (approval, justification, MFA on activation) for roles touching agent infrastructure
Authentication Administrator Assist non-admin users with phishing-resistant method enrollment (FIDO2, Windows Hello, passkey, certificate-based)
Power Platform Admin Map sensitive Copilot Studio / Power Automate actions to the correct authentication context
AI Administrator Identify which agent operations qualify as sensitive and require step-up classification
Compliance Officer Validate action classification against FINRA, SEC, GLBA, and NYDFS expectations and confirm evidence retention
Control Relationship
1.11 - Conditional Access Baseline CA policies; step-up builds on top (Conditional Access Automation)
1.18 - RBAC Entra Agent ID (Public Preview) enables Conditional Access for agent identities with agent-specific risk signals; role-based access complements step-up
1.4 - Advanced Connector Policies Connector governance enables action-level step-up
1.7 - Audit Logging Step-up events must be logged
2.22 - Inactivity Timeout Enforcement Complementary session controls — 1.23 governs authentication session lifecycle (CA policies via Graph API); 2.22 governs application-level inactivity timeout duration (BAP Admin API)

Automated Validation: Session Security Configurator

For automated deployment, validation, and drift detection of session security controls per governance zone, see the Session Security Configurator solution.

Capabilities:

  • Authentication context deployment (c1-c5) with conflict detection
  • Zone-specific CA policy deployment with 72-hour bake period enforcement
  • 5-dimension session security validation (session controls, auth strength, PIM, break-glass, conflict audit)
  • Daily drift detection with Teams adaptive card alerts
  • Compliance evidence export with SHA-256 integrity hashing

Deployable Solution: session-security-configurator provides PowerShell validation scripts, Dataverse infrastructure, and Power Automate flows.

Automated Compliance: Conditional Access Automation

For automated deployment and compliance scanning of Conditional Access policies supporting step-up authentication for AI agent operations, see the Conditional Access Automation solution.

Capabilities:

  • Automated deployment of authentication context CA policies for agent step-up auth (c1–c5)
  • Zone-specific policy templates enforcing phishing-resistant MFA for sensitive agent operations
  • Daily compliance scanning of CA policy configuration drift for step-up scenarios
  • Teams adaptive card alerts when step-up policies are weakened or disabled
  • SHA-256 evidence export with integrity hashing for FINRA/SEC examination support

Deployable Solution: conditional-access-automation provides PowerShell deployment scripts, Azure Automation runbook wrappers, and Power Automate flow definitions.

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Verification Criteria

Confirm control effectiveness by verifying:

  1. Agent access without baseline MFA is denied at sign-in (validates 1.11 dependency before step-up applies)
  2. A sensitive action (c1) attempted more than 15 minutes after the last interactive authentication triggers a re-authentication prompt
  3. Step-up using FIDO2, Windows Hello for Business, passkey, or certificate-based authentication succeeds for c1c4
  4. Step-up using SMS, voice, or password-only is denied when the policy requires the Phishing-resistant MFA Authentication Strength
  5. Sign-in logs in Entra (Monitoring → Sign-in logs → Authentication Details) show the requested authentication context, the satisfied authentication methods, and the policy that enforced step-up
  6. Sign-in risk medium or above triggers step-up even when no authentication context is invoked
  7. PIM activation for any role in the agent governance set (Power Platform Admin, Environment Admin, AI Administrator, Purview Data Security AI Admin) requires approval, justification, and MFA on activation
  8. Service principal sensitive operations are governed by an approval workflow or workload identity Conditional Access policy — no SP is silently exempt
  9. Step-up failures and Conditional Access policy state changes generate alerts in Sentinel or Defender XDR within the documented SLA
  10. Evidence exports (sign-in logs, CA policy snapshots, PIM activation history) are retained for the FINRA / SEC retention window applicable to the workload

Additional Resources

Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current