
Control 2.15: Environment Routing and Auto-Provisioning

Control ID: 2.15
Pillar: Management
Regulatory Reference: OCC 2011-12, FINRA 3110, GLBA 501(b), SOX 302/404
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03


Objective

Implement environment routing to automatically direct makers to governed Power Platform environments based on security group membership, helping prevent the creation of ungoverned "shadow AI" in the default environment.


Why This Matters for FSI

  • OCC 2011-12: Routes makers to governed environments for operational risk management
  • FINRA 3110: Enforces routing rules based on role/group membership for supervision
  • GLBA 501(b): Directs makers to environments with proper data policies for customer protection
  • SOX 302/404: Provides audit trail of routing decisions for internal controls

Control Description

This control establishes environment routing through:

  1. Resource Type Enablement - Enable routing for Power Apps, Power Automate, and Copilot Studio
  2. Security Group Rules - Create routing rules based on AD security group membership
  3. Priority Ordering - Configure rule priority (1-25) for complex organizational structures
  4. Developer Environment Provisioning - Auto-create personal dev environments on first use
  5. Catch-All Rules - Ensure "Everyone" rule at lowest priority to prevent default environment fallback
  6. Shadow AI Prevention - Monitor default environment for unauthorized resource creation

Key Configuration Points

  • Access Environment Routing in PPAC → Manage → Tenant settings → Environment routing
  • Enable routing for all resource types (Power Apps, Flows, Copilot Studio)
  • Create security group-based routing rules with appropriate priority
  • Include "Everyone" catch-all rule at lowest priority
  • Configure developer environment auto-provisioning for personal productivity
  • Implement default environment monitoring for shadow AI detection
  • Document routing rules for compliance evidence

Zone-Specific Requirements

Zone 1 (Personal)
  Requirement: Route to developer environments; basic governance
  Rationale: Personal use with baseline controls

Zone 2 (Team)
  Requirement: Route to team environments; documented routing rules; DLP applied
  Rationale: Shared agents warrant controlled placement

Zone 3 (Enterprise)
  Requirement: Route to production environments; full governance; zero tolerance for shadow AI
  Rationale: Customer-facing use requires the strictest routing

Roles & Responsibilities

  • Power Platform Admin: Configure routing rules, manage environment groups
  • Environment Admin: Environment-level administration
  • Entra Security Admin: Validate that routing aligns with security policies
  • Compliance Officer: Approve routing policy, review shadow AI reports

Control Relationships

  • 2.1 - Managed Environments: Routed environments should be managed
  • 2.2 - Environment Groups: Routing targets environment groups
  • 1.1 - Restrict Agent Publishing: Complements routing with publishing controls
  • 1.4 - Advanced Connector Policies: DLP policies apply in routed environments

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. Environment routing enabled for all resource types in PPAC
  2. Routing rules exist with correct security group assignments
  3. Test user creation routes to expected environment based on group membership
  4. Default environment monitored for unauthorized resource creation
  5. Catch-all "Everyone" rule present at lowest priority
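The rule evaluation this control relies on (priority 1 evaluated first, the first matching security group wins, an "Everyone" catch-all at the lowest priority, and unmatched makers falling to the default environment) as an added Python model for checking a rule set against verification criteria 3 and 5 before it is entered in PPAC. This is example code written for this page, not Power Platform's implementation or the framework's own tooling; the first-match-by-priority ordering is an assumption drawn from the control text, and every group and environment name is a constructed sample value.

```python
from dataclasses import dataclass

EVERYONE = "Everyone"     # the catch-all pseudo-group named in the control
DEFAULT_ENV = "Default"   # where a maker lands when no rule matches
MAX_PRIORITY = 25         # the control's stated priority range is 1-25


@dataclass(frozen=True)
class RoutingRule:
    priority: int     # 1 is evaluated first (assumed ordering, see lead-in)
    group: str        # security group name, or EVERYONE
    environment: str  # target environment or environment group


def route(rules, user_groups):
    """Environment a maker with these group memberships is routed to."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.group == EVERYONE or rule.group in user_groups:
            return rule.environment
    return DEFAULT_ENV  # the shadow-AI fallback the control aims to prevent


def lint_rules(rules):
    """Findings for rule sets that leak makers to Default or shadow rules."""
    findings = []
    prios = [r.priority for r in rules]
    if any(p < 1 or p > MAX_PRIORITY for p in prios):
        findings.append("priority outside 1-25")
    catch_alls = [r.priority for r in rules if r.group == EVERYONE]
    if not catch_alls:
        findings.append("no Everyone catch-all: unmatched makers fall to Default")
    else:
        # Anything ordered after the catch-all can never match.
        shadowed = [r.group for r in rules
                    if r.group != EVERYONE and r.priority > min(catch_alls)]
        if shadowed:
            findings.append("Everyone rule shadows: " + ", ".join(shadowed))
    return findings


# Constructed sample rule set: two group-specific rules and the catch-all last.
SAMPLE_RULES = [
    RoutingRule(1, "SG-PP-Trading-Makers", "Trading-Dev-Group"),
    RoutingRule(2, "SG-PP-Ops-Makers", "Ops-Dev-Group"),
    RoutingRule(25, EVERYONE, "Personal-Dev-Group"),
]

if __name__ == "__main__":
    print(route(SAMPLE_RULES, {"SG-PP-Ops-Makers"}), lint_rules(SAMPLE_RULES))
```

Running `lint_rules` on a draft rule set surfaces the two configuration mistakes the control warns about: a missing catch-all (makers fall into the default environment) and a catch-all placed above group rules (those rules never fire).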

Additional Resources

Advanced Implementation: Environment Lifecycle Management

For conversational intake that routes environment requests to appropriate zones with automated classification, see Environment Lifecycle Management.


Updated: January 2026 | Version: v1.2 | UI Verification Status: Current