Control 2.23: User Consent and AI Disclosure Enforcement

Control ID: 2.23
Pillar: Management
Regulatory Reference: FINRA 3110/25-07, GLBA 501(b), SEC AI Guidance
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-12


Objective

Enforce policy-driven user consent and AI disclosure requirements across Microsoft 365 Copilot and Power Platform environments to support transparency obligations for financial services organizations. This control governs the AI Disclaimer toggle, custom disclosure URLs, and mandatory acknowledgment settings based on agent usage context and governance zone.


Why This Matters for FSI

  • FINRA 3110/25-07: Supervisory procedures and AI governance — disclosure of AI system usage supports supervisory obligations by ensuring users understand when they are interacting with automated systems subject to monitoring
  • GLBA 501(b): Privacy notice requirements — AI disclosure aids in fulfilling transparency obligations regarding automated processing of customer financial information
  • SEC Guidance on AI-Assisted Advice: Disclosure of AI involvement in investment recommendations — consent and disclosure mechanisms help meet SEC expectations for transparency when AI systems provide financial advice or analysis
  • FINRA 2210 (Communications with the Public): Retail communications standards — AI disclaimers contribute to clear, non-misleading communication requirements when agents interact with customers
  • Consumer Financial Protection Bureau (CFPB): Fair lending and algorithmic transparency — disclosure of AI usage supports consumer protection requirements in financial services automation

Control Description

This control governs user-facing consent and AI disclosure mechanisms across Microsoft 365 Copilot and Power Platform agent deployments. Organizations must configure and enforce AI disclaimer settings, custom disclosure URLs, and consent acknowledgment requirements that align with agent usage context (internal vs. external users) and governance zone classification.

Multi-Platform Disclosure Control

This control addresses AI disclosure across multiple Microsoft platforms: the AI Disclaimer toggle in Microsoft 365 admin center (affects Microsoft 365 Copilot), Copilot Control System transparency settings, and Power Platform agent-level disclosure configurations. Unlike customer-facing transparency (Control 2.19), this control governs user consent and internal disclosure for employees and authorized users.

| Capability | Description | Implementation |
|---|---|---|
| AI Disclaimer Toggle | Tenant-wide toggle in Microsoft 365 admin center | Navigate to Copilot → Settings → Copilot actions → Copilot AI disclaimer; toggle on to display disclosure banner for all users |
| Custom Disclosure URL | Link to organizational AI policy or transparency statement | Configure custom URL in AI Disclaimer settings; appears in bold with "Learn more about how Microsoft uses your data" link |
| Copilot Control System | Enterprise-wide transparency and control settings | Configure through Copilot Control System for centralized management of disclosure, plugin permissions, and transparency notes |
| Agent-Level Disclosure | Per-agent consent messages in Copilot Studio | Configure custom greeting topics with AI disclosure language; display before user interaction begins |
| Consent Acknowledgment | Mandatory acknowledgment tracking for Zone 3 agents | Implement consent tracking in Dataverse; capture user acknowledgment with timestamp and version |
| Transparency Notes | Published Microsoft documentation on Copilot AI behavior | Reference Microsoft Transparency Notes in organizational disclosure URLs; provide to users as supplementary material |

The control uses multiple configuration surfaces depending on scope:

  • Microsoft 365 Admin Center (Copilot → Settings → Copilot actions): Tenant-wide AI Disclaimer toggle and custom disclosure URL
  • Copilot Control System: Enterprise-wide transparency settings, plugin permissions, and disclosure management
  • Copilot Studio (per agent): Agent-level disclosure topics, custom greeting messages, consent prompts
  • Dataverse tables: Consent record tracking, acknowledgment audit trail, disclosure version history

Disclosure Configuration by Scope

The disclosure implementation varies by platform and usage context:

  1. Tenant-wide (Microsoft 365 Copilot): AI Disclaimer toggle in admin center affects all users of Microsoft 365 Copilot; displays banner with custom URL on first use
  2. Enterprise-wide (Copilot Control System): Centralized transparency settings apply across all Copilot experiences; manages plugin disclosures and data usage transparency
  3. Agent-specific (Copilot Studio): Per-agent disclosure topics appear before user interaction; customizable based on agent purpose and target audience
  4. Consent tracking (Zone 3): Formal consent records stored in Dataverse with user identity, timestamp, disclosure version, and acknowledgment status

Relationship to Customer AI Disclosure (Control 2.19)

Control 2.19 governs customer-facing transparency and disclosure requirements for AI interactions with external customers. Control 2.23 governs internal user consent and employee-facing disclosure requirements. These controls are complementary: 2.19 addresses regulatory disclosure obligations for customer communications, while 2.23 addresses user awareness and informed consent for internal operations.


Key Configuration Points

Microsoft 365 Admin Center (Tenant-Wide)

  • Enable the AI Disclaimer toggle in Copilot → Settings → Copilot actions → Copilot AI disclaimer
  • Configure custom disclosure URL pointing to your organization's AI policy or transparency statement
  • Set disclaimer text to appear in bold with "Learn more about how Microsoft uses your data" link
  • Test that the disclaimer displays correctly for all Microsoft 365 Copilot users on first use

Copilot Control System (Enterprise-Wide)

  • Configure enterprise transparency settings through the Copilot Control System
  • Manage plugin permissions and disclosure requirements centrally
  • Publish Transparency Notes reference URLs for internal users
  • Set data usage disclosure language aligned with organizational privacy policy

Copilot Studio (Agent-Level)

  • Create a custom greeting topic with AI disclosure language in each agent
  • Display disclosure message before user interaction begins (first conversation turn)
  • Include statement such as: "I'm an AI assistant created by [Organization]. Responses are generated by AI and should be reviewed. Conversations may be monitored for quality and compliance."
  • Configure disclosure topic to appear on each new conversation session (not just first use)
  • For Zone 3 agents: Add mandatory acknowledgment prompt with "I understand" button or similar confirmation
  • Deploy Dataverse table fsi_aiconsent with fields: UserID, AgentName, ConsentTimestamp, DisclosureVersion, AcknowledgmentStatus
  • Implement consent verification flow that checks for valid acknowledgment before agent interaction
  • Set consent expiration period (e.g., 90 days) requiring periodic re-acknowledgment
  • Integrate consent records with Purview audit logging for immutable trail
  • Configure notification to compliance team for users who decline consent
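The consent verification flow described in the steps above (check for a valid acknowledgment, honor the 90-day expiry, re-prompt when the disclosure text changes, and flag declines for the compliance team) is shown here as an added worked example; it is not code from the control framework or from Microsoft. It models the fsi_aiconsent table rows as plain Python objects using the field names the control lists. The status values "Accepted"/"Declined", the version label "2026.02", the agent name and the sample rows are constructed assumptions; in a real deployment this logic would run in a Power Automate flow or Dataverse plugin in front of the agent's first turn.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Values the control leaves to the organisation; both are assumptions in this example.
CONSENT_VALIDITY = timedelta(days=90)      # the page's example re-acknowledgment period
CURRENT_DISCLOSURE_VERSION = "2026.02"     # constructed label for the disclosure text in force


@dataclass(frozen=True)
class ConsentRecord:
    """One row of the fsi_aiconsent Dataverse table, using the field names from the control."""
    UserID: str
    AgentName: str
    ConsentTimestamp: datetime
    DisclosureVersion: str
    AcknowledgmentStatus: str   # "Accepted" / "Declined" are assumed values, not from the page


def latest_record(records: Iterable[ConsentRecord], user_id: str,
                  agent_name: str) -> Optional[ConsentRecord]:
    """Most recent consent row for a user/agent pair, or None if the user never saw the prompt."""
    matches = [r for r in records if r.UserID == user_id and r.AgentName == agent_name]
    return max(matches, key=lambda r: r.ConsentTimestamp, default=None)


def consent_status(records: Iterable[ConsentRecord], user_id: str, agent_name: str,
                   now: datetime,
                   current_version: str = CURRENT_DISCLOSURE_VERSION) -> Tuple[bool, str]:
    """Gate check run before a Zone 3 agent answers its first turn.

    Returns (allowed, reason). Any reason other than "valid" means the agent must
    re-present the disclosure and acknowledgment prompt instead of proceeding.
    """
    rec = latest_record(records, user_id, agent_name)
    if rec is None:
        return False, "no-record"
    if rec.AcknowledgmentStatus != "Accepted":
        return False, "declined"
    if rec.DisclosureVersion != current_version:
        return False, "stale-version"     # disclosure text changed since the user acknowledged it
    if now - rec.ConsentTimestamp > CONSENT_VALIDITY:
        return False, "expired"           # periodic re-acknowledgment is due
    return True, "valid"


def declined_users(records: Iterable[ConsentRecord]) -> List[Tuple[str, str]]:
    """(UserID, AgentName) pairs whose latest record is a decline; feeds the compliance notification."""
    records = list(records)
    pairs = {(r.UserID, r.AgentName) for r in records}
    return sorted(p for p in pairs
                  if latest_record(records, *p).AcknowledgmentStatus != "Accepted")


# Constructed sample data: one Zone 3 agent, five users, evaluated as of 2026-02-12.
AGENT = "fsi-advisor-bot"
NOW = datetime(2026, 2, 12, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    # alice acknowledged an older version last year, then the current one 28 days ago
    ConsentRecord("alice", AGENT, datetime(2025, 9, 1, tzinfo=timezone.utc), "2025.11", "Accepted"),
    ConsentRecord("alice", AGENT, datetime(2026, 1, 15, tzinfo=timezone.utc), "2026.02", "Accepted"),
    # bob acknowledged the current version, but 134 days ago
    ConsentRecord("bob", AGENT, datetime(2025, 10, 1, tzinfo=timezone.utc), "2026.02", "Accepted"),
    # carol acknowledged recently, but the disclosure text has since been revised
    ConsentRecord("carol", AGENT, datetime(2026, 2, 1, tzinfo=timezone.utc), "2025.11", "Accepted"),
    # dave declined two days ago
    ConsentRecord("dave", AGENT, datetime(2026, 2, 10, tzinfo=timezone.utc), "2026.02", "Declined"),
    # erin has no row at all
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        print(user, consent_status(SAMPLE_RECORDS, user, AGENT, NOW))
    print("notify compliance:", declined_users(SAMPLE_RECORDS))
```

The check order matters: a decline is reported before a version or age problem, so a user who refused is never silently re-prompted as though their consent had merely lapsed, and a changed disclosure version forces re-acknowledgment even when the 90-day window has not run out.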

Disclosure Content Requirements

  • Zone 1 (Personal): General AI disclosure; link to Microsoft Transparency Notes; periodic awareness reminders
  • Zone 2 (Team): AI disclosure with organizational policy link; statement about monitoring and data handling; quarterly refresh
  • Zone 3 (Enterprise): Formal disclosure with regulatory language; mandatory acknowledgment; data usage specifics; retention policy; escalation path for concerns; monthly or session-based re-acknowledgment

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | AI Disclaimer toggle recommended; default Microsoft disclosure acceptable; periodic awareness campaigns | Personal productivity agents have lower regulatory exposure; basic disclosure enhances user awareness without excessive friction |
| Zone 2 (Team) | AI Disclaimer toggle required; custom disclosure URL pointing to organizational AI policy; agent-level disclosure in greeting topics | Team collaboration environments process shared organizational data requiring explicit disclosure of AI usage and monitoring; custom policy URL supports enterprise governance |
| Zone 3 (Enterprise) | AI Disclaimer toggle mandatory; custom disclosure URL with regulatory language; agent-level disclosure with mandatory consent acknowledgment; formal consent records retained in Dataverse; Purview integration for audit trail | Customer-facing and enterprise agents process sensitive financial data requiring formal consent and disclosure per FINRA 3110, SEC guidance, and GLBA 501(b); immutable consent records required for regulatory examination |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Entra Global Admin | Configure tenant-wide AI Disclaimer toggle and custom disclosure URL in Microsoft 365 admin center |
| Power Platform Admin | Configure agent-level disclosure topics in Copilot Studio; manage consent tracking flows and Dataverse tables |
| Compliance Officer | Define disclosure language and consent requirements; review regulatory alignment; approve disclosure content for Zone 3 agents |
| Copilot Studio Agent Author | Implement agent-level disclosure topics; configure greeting messages with AI disclosure language; test disclosure display |
| AI Governance Lead | Maintain organizational AI policy document; update custom disclosure URL; track disclosure version history; coordinate with legal on regulatory language |
| Purview Compliance Admin | Configure audit logging for consent events; integrate consent records with Purview for immutable trail; generate disclosure compliance reports |

Related Controls

| Control | Relationship |
|---|---|
| 2.19 - Customer AI Disclosure and Transparency | Governs customer-facing disclosure requirements; 2.23 governs internal user consent and employee-facing disclosure — complementary transparency controls |
| 1.2 - Agent Registry and Integrated Apps Management | Agent registry tracks disclosure configuration status per agent; provides inventory for consent requirement enforcement |
| 2.13 - Documentation and Record Keeping | Consent records and disclosure version history feed into documentation retention requirements; supports audit trail for regulatory examination |
| 1.10 - Communication Compliance Monitoring | Disclosure statements reference monitoring practices; consent includes acknowledgment of conversation monitoring for compliance |
| 3.8 - Copilot Hub and Governance Dashboard | Consent compliance and disclosure coverage metrics feed into governance dashboard for consolidated visibility |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, verification, and troubleshooting:

  • Portal Walkthrough — Step-by-step configuration of AI Disclaimer toggle, custom URLs, and agent-level disclosure topics
  • PowerShell Setup — Scripts for consent tracking deployment, disclosure audit queries, and compliance reporting
  • Verification & Testing — Test cases for disclosure display, consent acknowledgment, and audit trail validation
  • Troubleshooting — Common issues with disclaimer display, consent tracking, and cross-platform configuration

Automated Compliance Validation

Use PowerShell scripts to audit disclosure configuration across all agents, verify consent records for Zone 3 users, and generate compliance reports showing disclosure coverage by zone and agent.
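The page's playbook delivers this audit as PowerShell; the example below is an added illustration of the same evaluation logic in Python, written for this page and not taken from the framework's scripts. It encodes the per-zone requirements from the Zone-Specific Requirements table as data, evaluates each agent against them, and reports coverage by zone as the Verification Criteria ask (100% for Zone 2 and Zone 3). The tenant settings, agent inventory and the requirement key names are constructed assumptions; in practice the inventory would come from the agent registry (Control 1.2) and the tenant flags from the admin center.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Per-zone mandatory controls, transcribed from the Zone-Specific Requirements table.
# Zone 1 only *recommends* the disclaimer toggle, so it has no mandatory items.
ZONE_REQUIREMENTS: Dict[int, List[str]] = {
    1: [],
    2: ["disclaimer_toggle", "disclosure_url", "agent_disclosure_topic"],
    3: ["disclaimer_toggle", "disclosure_url", "agent_disclosure_topic",
        "consent_acknowledgment", "dataverse_consent_records", "purview_audit"],
}


@dataclass(frozen=True)
class TenantConfig:
    """Tenant-wide settings from the Microsoft 365 admin center (values are assumptions)."""
    disclaimer_toggle_enabled: bool
    disclosure_url: str            # empty string when no custom URL is configured


@dataclass(frozen=True)
class AgentRecord:
    """One agent from the registry with its disclosure configuration flags (constructed)."""
    name: str
    zone: int
    agent_disclosure_topic: bool = False
    consent_acknowledgment: bool = False
    dataverse_consent_records: bool = False
    purview_audit: bool = False


def control_state(agent: AgentRecord, tenant: TenantConfig) -> Dict[str, bool]:
    """Effective state of every auditable control for one agent (tenant-wide + agent-level)."""
    return {
        "disclaimer_toggle": tenant.disclaimer_toggle_enabled,
        "disclosure_url": bool(tenant.disclosure_url.strip()),
        "agent_disclosure_topic": agent.agent_disclosure_topic,
        "consent_acknowledgment": agent.consent_acknowledgment,
        "dataverse_consent_records": agent.dataverse_consent_records,
        "purview_audit": agent.purview_audit,
    }


def findings(agent: AgentRecord, tenant: TenantConfig) -> List[str]:
    """Mandatory controls missing for this agent's zone; an empty list means compliant."""
    state = control_state(agent, tenant)
    return [req for req in ZONE_REQUIREMENTS[agent.zone] if not state[req]]


def coverage_by_zone(agents: Iterable[AgentRecord], tenant: TenantConfig) -> Dict[int, float]:
    """Percentage of agents per zone with no findings, for the compliance report."""
    totals: Dict[int, int] = {}
    compliant: Dict[int, int] = {}
    for agent in agents:
        totals[agent.zone] = totals.get(agent.zone, 0) + 1
        if not findings(agent, tenant):
            compliant[agent.zone] = compliant.get(agent.zone, 0) + 1
    return {z: 100.0 * compliant.get(z, 0) / totals[z] for z in sorted(totals)}


# Constructed sample inventory: a compliant tenant with five agents across the three zones.
TENANT = TenantConfig(disclaimer_toggle_enabled=True,
                      disclosure_url="https://intranet.example/ai-policy")   # placeholder URL
TENANT_TOGGLE_OFF = TenantConfig(disclaimer_toggle_enabled=False, disclosure_url="")
AGENTS = [
    AgentRecord("expense-helper", zone=1),
    AgentRecord("team-research", zone=2, agent_disclosure_topic=True),
    AgentRecord("team-triage", zone=2),                           # greeting disclosure missing
    AgentRecord("fsi-advisor-bot", zone=3, agent_disclosure_topic=True,
                consent_acknowledgment=True, dataverse_consent_records=True, purview_audit=True),
    AgentRecord("loan-intake", zone=3, agent_disclosure_topic=True,
                consent_acknowledgment=True, dataverse_consent_records=True),  # no Purview trail
]

if __name__ == "__main__":
    for agent in AGENTS:
        print(f"{agent.name:16} zone {agent.zone}: {findings(agent, TENANT) or 'compliant'}")
    print("coverage:", coverage_by_zone(AGENTS, TENANT))
```

Because the tenant-wide toggle and URL are folded into each agent's state, a single disabled toggle shows up as a finding on every Zone 2 and Zone 3 agent at once, which is the failure mode the verification criteria are most concerned with.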


Verification Criteria

Confirm control effectiveness by verifying:

  1. AI Disclaimer toggle is enabled in Microsoft 365 admin center for all Zone 2 and Zone 3 deployments
  2. Custom disclosure URL is configured and points to current organizational AI policy document
  3. All Zone 3 agents have agent-level disclosure topics configured in greeting messages
  4. Consent acknowledgment tracking is implemented for Zone 3 agents with Dataverse table fsi_aiconsent deployed
  5. Disclosure content includes required elements: AI system identification, data handling statement, monitoring notice, and escalation path (Zone 3)
  6. Purview audit logging captures consent events for Zone 3 agents with immutable records
  7. Testing confirms disclosure displays correctly for all target user populations
  8. Consent records include timestamp, user identity, disclosure version, and acknowledgment status
  9. Periodic re-acknowledgment occurs at defined intervals (90 days or session-based for Zone 3)
  10. Compliance reporting shows 100% disclosure coverage for all Zone 2 and Zone 3 agents


Updated: February 2026 | Version: v1.3 | UI Verification Status: Current