Control 2.10: Patch Management and System Updates

Control ID: 2.10
Pillar: Management
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, FINRA 25-07, SEC 17a-4
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Implement structured patch management for AI agent infrastructure, including Power Platform, Copilot Studio, and dependent Azure services, to maintain security posture, operational stability, and regulatory compliance.


Why This Matters for FSI

  • GLBA 501(b): Patch management protects customer information through vulnerability remediation
  • SOX 404: Documented update processes provide internal control evidence
  • FINRA 4511, FINRA 25-07: Patch records demonstrate system maintenance for books and records
  • SEC 17a-4: System update documentation supports recordkeeping requirements

Automation Available

See Message Center Monitor in FSI-AgentGov-Solutions for monitoring M365 Message Center for platform changes affecting AI agents.

Control Description

This control establishes patch management through:

  1. Update Monitoring - Track Microsoft 365 Message Center and Azure Service Health
  2. Impact Assessment - Evaluate updates for agent compatibility and business impact
  3. Testing Protocol - Test updates in non-production before production deployment
  4. Deployment Windows - Define maintenance windows aligned with business operations
  5. Rollback Procedures - Document rollback plans for failed updates
  6. Documentation - Maintain patch history for compliance evidence

Key Configuration Points

  • Subscribe to Microsoft 365 Message Center for Power Platform, Microsoft Copilot Studio, and Microsoft 365 Copilot updates
  • Configure Azure Service Health alerts (via Azure Monitor action groups) for the Microsoft.PowerPlatform and dependent resource providers
  • Set the Release Channel on each Power Platform environment (Monthly for early validation, Semi-annual for production) at PPAC > Environments > [env] > Settings > Product > Behavior
  • Establish a non-production environment that mirrors the production configuration and uses the Monthly release channel so platform changes surface there first
  • Define maintenance windows aligned with the two annual Power Platform release waves (April and October) and document them by zone
  • Maintain a pre/post-patch verification checklist tied to the agent's regression test suite
  • Capture patch decisions, deployment outcomes, and rollback evidence in the change management system referenced by Control 2.3

Implementation caveat: Microsoft owns the underlying platform release cadence for Power Platform, Copilot Studio, and Microsoft 365 Copilot. Customers cannot defer or opt out of platform updates indefinitely; the controls above govern awareness, validation, and response, not suppression of vendor-driven changes.


Zone-Specific Requirements

Zone 1 (Personal)
  Requirement: Default release channel acceptable; monthly review of relevant Message Center posts
  Rationale: Low blast radius; coordination overhead not justified

Zone 2 (Team)
  Requirement: Validate breaking-change Message Center posts in a Monthly-channel sandbox; 48-hour validation window; documented deployment record
  Rationale: Shared agents warrant controlled validation before user-visible change

Zone 3 (Enterprise)
  Requirement: Mandatory Monthly-channel sandbox + Semi-annual production channel; pre-deployment regression test; defined maintenance windows; rollback plan referenced in change ticket; SHA-256 evidence retained per SEC 17a-4(f)
  Rationale: Customer-facing or supervisory workflows require maximum stability and audit-defensible evidence

Roles & Responsibilities

  • Power Platform Admin: Monitor Message Center, configure release channels per environment, coordinate validation runs, capture evidence
  • AI Administrator: Track Microsoft 365 Copilot and Copilot Studio platform updates that affect agent behavior; coordinate with Power Platform Admin on dependent connector changes
  • AI Governance Lead: Approve patch schedules, sign off on maintenance windows for Zone 3, escalate breaking changes to CAB
  • Agent Owner: Assess business impact of upcoming changes, approve maintenance windows for owned agents, validate post-patch functionality

Control Relationships

  • 2.3 - Change Management: Patches follow the change management process
  • 2.4 - BC/DR: Rollback procedures align with recovery plans
  • 2.9 - Performance Monitoring: Monitor performance pre/post patch
  • 1.7 - Audit Logging: Patch events captured in audit logs

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Message Center email preferences include Power Platform, Microsoft Copilot Studio, and Microsoft 365 Copilot service filters, and named recipients are current
  2. Azure Service Health alert rules exist for Microsoft.PowerPlatform (and any dependent providers) with an active Azure Monitor action group routing to the operations team
  3. The validation environment is set to Monthly release channel and the production environment is set to Semi-annual in PPAC > Environments > [env] > Settings > Product > Behavior
  4. The most recent platform-driven change has a corresponding change record (per Control 2.3) with impact assessment, validation results, and approver
  5. The patch history log is retained with SHA-256 integrity evidence (Zone 3) or CSV export (Zone 1/2) for the look-back period required by your firm's record-retention policy under SEC 17a-4 / FINRA 4511
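The Zone 3 requirement and verification item 5 call for a patch history log retained with SHA-256 integrity evidence. The following added example (not code from this control document or from the FSI-AgentGov project) shows one way to produce that evidence: each patch record is canonicalised as JSON and chained to the digest of the previous record, so a retained log can be re-verified at audit time and any edited, deleted or reordered entry is detected at the exact position where the chain breaks. The record fields, change ticket ids, Message Center ids and dates are constructed for illustration and are not values from the page.

```python
"""Tamper-evident patch history log with SHA-256 integrity evidence.

Added example; not part of the control document or the FSI-AgentGov project.
The record schema and sample values below are constructed assumptions.
"""
import copy
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor (32 zero bytes) used before the first record


def canonical(record: Dict) -> bytes:
    """Stable serialisation: sorted keys, no whitespace variance, UTF-8."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def entry_digest(prev_digest: str, record: Dict) -> str:
    """SHA-256 over (previous digest bytes || canonical record)."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_digest))
    h.update(canonical(record))
    return h.hexdigest()


def build_evidence(records: List[Dict]) -> List[Dict]:
    """Return the log as evidence entries carrying prev/self digests."""
    chain = []
    prev = GENESIS
    for rec in records:
        digest = entry_digest(prev, rec)
        chain.append({"record": rec, "prev_sha256": prev, "sha256": digest})
        prev = digest
    return chain


def chain_head(chain: List[Dict]) -> str:
    """Single digest to retain in the change ticket / immutable store."""
    return chain[-1]["sha256"] if chain else GENESIS


def verify_evidence(chain: List[Dict]) -> Tuple[bool, int]:
    """Recompute every digest. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_sha256"] != prev:
            return False, i          # entry removed/reordered before this one
        if entry_digest(prev, entry["record"]) != entry["sha256"]:
            return False, i          # record content or digest altered
        prev = entry["sha256"]
    return True, -1


def tampered_copy(chain: List[Dict], index: int, field: str, value) -> List[Dict]:
    """Deep copy of the chain with one record field changed (for testing)."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


# Constructed sample patch records (hypothetical ids, environments and dates).
SAMPLE_RECORDS = [
    {"change_id": "CHG-0001", "environment": "prod-zone3",
     "release_channel": "Semi-annual", "message_center_id": "MC000001",
     "validated_in": "sandbox-monthly", "outcome": "deployed",
     "approver": "ai-governance-lead", "date": "2026-04-12"},
    {"change_id": "CHG-0002", "environment": "prod-zone3",
     "release_channel": "Semi-annual", "message_center_id": "MC000002",
     "validated_in": "sandbox-monthly", "outcome": "rolled-back",
     "approver": "ai-governance-lead", "date": "2026-04-19"},
    {"change_id": "CHG-0003", "environment": "prod-zone3",
     "release_channel": "Semi-annual", "message_center_id": "MC000002",
     "validated_in": "sandbox-monthly", "outcome": "deployed",
     "approver": "ai-governance-lead", "date": "2026-04-26"},
]

if __name__ == "__main__":
    evidence = build_evidence(SAMPLE_RECORDS)
    print("chain head:", chain_head(evidence))
    print("intact:", verify_evidence(evidence))
    edited = tampered_copy(evidence, 1, "outcome", "deployed")
    print("after editing entry 1:", verify_evidence(edited))
    print("after deleting entry 1:", verify_evidence(evidence[:1] + evidence[2:]))
```

Retaining only the chain head digest in the change ticket (or a WORM store) is enough to later prove that the full log has not been altered, because recomputing the chain from the retained records must reproduce that head; the per-entry digests additionally pinpoint where a discrepancy was introduced.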

Additional Resources

Deployable Solution: Message Center Monitor

For a ready-to-deploy Power Automate flow that polls Message Center and stores posts in Dataverse with Teams notifications, see the Message Center Monitor Solution in the FSI-AgentGov-Solutions companion repository.


Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current