
Control 2.23: User Consent and AI Disclosure Enforcement

Control ID: 2.23
Pillar: Management
Regulatory Reference: FINRA Rule 3110, FINRA Rule 2210, FINRA Regulatory Notice 25-07, SEC 17a-4, GLBA Section 501(b), SOX Section 302/404, CFPB UDAAP guidance
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Enforce policy-driven user consent and AI disclosure requirements across Microsoft 365 Copilot and Power Platform environments to support transparency obligations for financial services organizations. This control governs the AI Disclaimer toggle, custom disclosure URLs, and mandatory acknowledgment settings based on agent usage context and governance zone.


Why This Matters for FSI

  • FINRA Rule 3110 / Regulatory Notice 25-07: Written supervisory procedures must address AI use — visible AI disclosure helps demonstrate that users were informed automated systems are subject to supervision and monitoring
  • GLBA Section 501(b): Privacy and safeguards rules — AI disclosure contributes to transparency obligations when automated systems process nonpublic personal information (NPI)
  • SEC 17a-4 / SEC AI proposed rule (S7-12-23): Records of AI-assisted recommendations and the disclosures presented to users help meet record-keeping and conflict-of-interest disclosure expectations
  • FINRA Rule 2210 (Communications with the Public): AI disclaimers help meet "fair, balanced, not misleading" standards when agents communicate with retail customers
  • SOX Section 302/404: Internal control over financial reporting — documented user consent for AI systems that touch financial data supports control attestation
  • CFPB UDAAP guidance: Disclosure of AI usage helps reduce the risk of unfair, deceptive, or abusive acts or practices claims arising from undisclosed automation in consumer-facing flows

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

This control governs user-facing consent and AI disclosure mechanisms across Microsoft 365 Copilot and Power Platform agent deployments. Organizations must configure and enforce AI disclaimer settings, custom disclosure URLs, and consent acknowledgment requirements that align with agent usage context (internal vs. external users) and governance zone classification.

Multi-Platform Disclosure Control

This control addresses AI disclosure across multiple Microsoft platforms: the AI Disclaimer toggle in Microsoft 365 admin center (affects Microsoft 365 Copilot), Copilot Control System transparency settings, and Power Platform agent-level disclosure configurations. Unlike customer-facing transparency (Control 2.19), this control governs user consent and internal disclosure for employees and authorized users.

Capabilities, each with its description and implementation:

  • AI Disclaimer Toggle: Tenant-wide policy in Microsoft 365 admin center (per Microsoft Learn, applies to Word, Excel, PowerPoint, Outlook, OneNote, and Copilot Chat; not SharePoint, OneDrive, Whiteboard, or Forms). Implementation: Navigate to Copilot → Settings → View all → Copilot AI disclaimer; toggle on to create the tenant-level "Copilot AI Disclaimer" policy
  • Disclaimer Style: Standard or Bold font for the disclaimer string. Implementation: Choose Standard or Bold in the Copilot AI disclaimer settings panel
  • Custom Disclosure URL: Optional internal AI policy link surfaced as a tooltip / info icon next to the disclaimer. Implementation: Configure a custom URL pointing to the organization's AI policy; if blank, the default Microsoft transparency content is displayed
  • Copilot Control System (CCS): Enterprise transparency and policy surface for Copilot. Implementation: Use CCS surfaces in the Microsoft 365 admin center (Copilot section) to manage related governance settings; verify availability for your tenant in the Microsoft 365 roadmap
  • Agent-Level Disclosure: Per-agent consent messages in Copilot Studio. Implementation: Configure custom greeting topics with AI disclosure language; display before user interaction begins
  • Consent Acknowledgment: Mandatory acknowledgment tracking for Zone 3 agents. Implementation: Implement consent tracking in Dataverse; capture user acknowledgment with timestamp and version
  • Transparency Notes: Published Microsoft documentation on Copilot AI behavior. Implementation: Reference Microsoft Transparency Notes in organizational disclosure URLs; provide to users as supplementary material

The control uses multiple configuration surfaces depending on scope:

  • Microsoft 365 Admin Center (Copilot → Settings → View all → Copilot AI disclaimer): Tenant-wide AI Disclaimer toggle, font style, and optional custom disclosure URL
  • Copilot Control System (CCS): Enterprise transparency and policy surfaces in the Copilot section of the admin center
  • Copilot Studio (per agent): Agent-level disclosure topics, custom greeting messages, consent prompts
  • Dataverse tables: Consent record tracking, acknowledgment audit trail, disclosure version history (custom — see Implementation Playbooks for the deployment script)

Disclosure Configuration by Scope

The disclosure implementation varies by platform and usage context:

  1. Tenant-wide (Microsoft 365 Copilot): AI Disclaimer toggle in admin center affects all users of Microsoft 365 Copilot; displays banner with custom URL on first use
  2. Enterprise-wide (Copilot Control System): Centralized transparency settings apply across all Copilot experiences; manages plugin disclosures and data usage transparency
  3. Agent-specific (Copilot Studio): Per-agent disclosure topics appear before user interaction; customizable based on agent purpose and target audience
  4. Consent tracking (Zone 3): Formal consent records stored in Dataverse with user identity, timestamp, disclosure version, and acknowledgment status

Relationship to Customer AI Disclosure (Control 2.19)

Control 2.19 governs customer-facing transparency and disclosure requirements for AI interactions with external customers. Control 2.23 governs internal user consent and employee-facing disclosure requirements. These controls are complementary: 2.19 addresses regulatory disclosure obligations for customer communications, while 2.23 addresses user awareness and informed consent for internal operations.


Key Configuration Points

Microsoft 365 Admin Center (Tenant-Wide)

  • Enable the AI Disclaimer toggle in Copilot → Settings → View all → Copilot AI disclaimer (creates the tenant-level "Copilot AI Disclaimer" policy)
  • Choose Bold font style for Zone 2 / Zone 3 deployments to increase visibility
  • Configure the optional custom disclosure URL pointing to your organization's AI policy or transparency statement (surfaced as a tooltip from the info icon next to the disclaimer)
  • Note: as of April 2026 the AI Disclaimer is off by default in Copilot Chat; FSI tenants are expected to explicitly enable it
  • Test that the disclaimer displays correctly across the supported surfaces (Word, Excel, PowerPoint, Outlook, OneNote, Copilot Chat); it does not appear in SharePoint, OneDrive, Whiteboard, or Forms

Copilot Control System (Enterprise-Wide)

  • Configure enterprise transparency settings through the Copilot Control System
  • Manage plugin permissions and disclosure requirements centrally
  • Publish Transparency Notes reference URLs for internal users
  • Set data usage disclosure language aligned with organizational privacy policy

Copilot Studio (Agent-Level)

  • Create a custom greeting topic with AI disclosure language in each agent
  • Display the disclosure message before user interaction begins (first conversation turn)
  • Include a statement such as: "I'm an AI assistant created by [Organization]. Responses are generated by AI and should be reviewed. Conversations may be monitored for quality and compliance."
  • Configure the disclosure topic to appear on each new conversation session (not just first use)
  • For Zone 3 agents: Add a mandatory acknowledgment prompt with an "I understand" button or similar confirmation
  • Deploy the Dataverse table fsi_aiconsent with the fields: UserID, AgentName, ConsentTimestamp, DisclosureVersion, AcknowledgmentStatus
  • Implement a consent verification flow that checks for a valid acknowledgment before agent interaction
  • Set a consent expiration period (e.g., 90 days) requiring periodic re-acknowledgment
  • Integrate consent records with Purview audit logging for an immutable trail
  • Configure notification to the compliance team for users who decline consent

Disclosure Content Requirements

  • Zone 1 (Personal): General AI disclosure; link to Microsoft Transparency Notes; periodic awareness reminders
  • Zone 2 (Team): AI disclosure with organizational policy link; statement about monitoring and data handling; quarterly refresh
  • Zone 3 (Enterprise): Formal disclosure with regulatory language; mandatory acknowledgment; data usage specifics; retention policy; escalation path for concerns; monthly or session-based re-acknowledgment

Zone-Specific Requirements

Requirement and rationale by zone:

  • Zone 1 (Personal): Requirement: AI Disclaimer toggle recommended; default Microsoft disclosure acceptable; periodic awareness campaigns. Rationale: Personal productivity agents have lower regulatory exposure; basic disclosure enhances user awareness without excessive friction
  • Zone 2 (Team): Requirement: AI Disclaimer toggle required; custom disclosure URL pointing to organizational AI policy; agent-level disclosure in greeting topics. Rationale: Team collaboration environments process shared organizational data requiring explicit disclosure of AI usage and monitoring; custom policy URL supports enterprise governance
  • Zone 3 (Enterprise): Requirement: AI Disclaimer toggle mandatory; custom disclosure URL with regulatory language; agent-level disclosure with mandatory consent acknowledgment; formal consent records retained in Dataverse; Purview integration for audit trail. Rationale: Customer-facing and enterprise agents process sensitive financial data requiring formal consent and disclosure per FINRA 3110, SEC guidance, and GLBA 501(b); immutable consent records required for regulatory examination

Roles & Responsibilities

  • AI Administrator: Primary owner. Configure the tenant-wide Copilot AI Disclaimer policy (toggle, font style, custom URL) in the Microsoft 365 admin center. AI Administrator is the least-privilege role for Copilot scenario management; Entra Global Admin is required only for initial tenant setup or broader cross-service consent
  • Entra Global Admin: Initial enablement, broad consent grants for Graph permissions used by automation, and break-glass changes when AI Administrator scope is insufficient
  • Power Platform Admin: Configure agent-level disclosure topics in Copilot Studio; manage consent tracking flows and the Dataverse fsi_aiconsent table
  • Compliance Officer: Define disclosure language and consent requirements; review regulatory alignment; approve disclosure content for Zone 3 agents
  • Copilot Studio Agent Author: Implement agent-level disclosure topics; configure greeting messages with AI disclosure language; test disclosure display
  • AI Governance Lead: Maintain organizational AI policy document; update custom disclosure URL; track disclosure version history; coordinate with legal on regulatory language
  • Purview Compliance Admin: Configure audit logging for consent events; integrate consent records with Purview for immutable trail; generate disclosure compliance reports

Related Controls

  • 2.19 - Customer AI Disclosure and Transparency: Governs customer-facing disclosure requirements; 2.23 governs internal user consent and employee-facing disclosure — complementary transparency controls
  • 1.2 - Agent Registry and Integrated Apps Management: Agent registry tracks disclosure configuration status per agent; provides inventory for consent requirement enforcement
  • 2.13 - Documentation and Record Keeping: Consent records and disclosure version history feed into documentation retention requirements; supports audit trail for regulatory examination
  • 1.10 - Communication Compliance Monitoring: Disclosure statements reference monitoring practices; consent includes acknowledgment of conversation monitoring for compliance
  • 3.8 - Copilot Hub and Governance Dashboard: Consent compliance and disclosure coverage metrics feed into governance dashboard for consolidated visibility

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, verification, and troubleshooting:

  • Portal Walkthrough — Step-by-step configuration of AI Disclaimer toggle, custom URLs, and agent-level disclosure topics
  • PowerShell Setup — Scripts for consent tracking deployment, disclosure audit queries, and compliance reporting
  • Verification & Testing — Test cases for disclosure display, consent acknowledgment, and audit trail validation
  • Troubleshooting — Common issues with disclaimer display, consent tracking, and cross-platform configuration

Automated Compliance Validation

Use PowerShell scripts to audit disclosure configuration across all agents, verify consent records for Zone 3 users, and generate compliance reports showing disclosure coverage by zone and agent.
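The following PowerShell is an added example and is not a script from the FSI-AgentGov playbooks. It models two pieces of this control over constructed in-memory data: the consent verification flow from the Copilot Studio (Agent-Level) list (newest fsi_aiconsent row per user and agent must be an accepted acknowledgment of the current disclosure version, no older than the 90-day expiry) and the coverage report described in this section (one row per agent applying the zone requirements, a coverage figure for Zone 2/3 agents, and a notification line for declined consent). The fsi_aiconsent column names are the ones listed on this page; the agent inventory shape, the function names Test-FsiConsent and Get-FsiDisclosureCoverage, the version string and the sample users and agents are assumptions made for the example.

```powershell
# Added example, not code from the FSI-AgentGov playbooks. Models the consent verification
# flow and the zone/agent disclosure coverage report over constructed, in-memory data.
# Assumed: agent inventory shape, function names, version string, sample users and agents.
# In a real tenant the two sample arrays would come from Dataverse and the agent registry.

$CurrentDisclosureVersion = '2026.04'                          # assumed: version of the current disclosure text
$ConsentExpiryDays        = 90                                 # re-acknowledgment interval from the control text
$AsOf                     = [datetime]'2026-04-15T09:00:00Z'   # fixed clock so the sample is reproducible

# Constructed agent inventory (in practice, from the agent registry of Control 1.2)
$Agents = @(
    [pscustomobject]@{ AgentName = 'HR-FAQ';         Zone = 1; DisclosureTopic = $true  }
    [pscustomobject]@{ AgentName = 'Team-Research';  Zone = 2; DisclosureTopic = $true  }
    [pscustomobject]@{ AgentName = 'Wealth-Advisor'; Zone = 3; DisclosureTopic = $true  }
    [pscustomobject]@{ AgentName = 'Loan-Prescreen'; Zone = 3; DisclosureTopic = $false }
)

# Constructed rows shaped like fsi_aiconsent; each user illustrates one verification outcome
$ConsentRecords = @(
    [pscustomobject]@{ UserID = 'u1@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-10);  DisclosureVersion = '2026.04'; AcknowledgmentStatus = 'Accepted' }  # current
    [pscustomobject]@{ UserID = 'u2@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-120); DisclosureVersion = '2026.04'; AcknowledgmentStatus = 'Accepted' }  # older than 90 days
    [pscustomobject]@{ UserID = 'u3@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-5);   DisclosureVersion = '2025.11'; AcknowledgmentStatus = 'Accepted' }  # superseded version
    [pscustomobject]@{ UserID = 'u4@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-1);   DisclosureVersion = '2026.04'; AcknowledgmentStatus = 'Declined' }  # declined
    [pscustomobject]@{ UserID = 'u5@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-200); DisclosureVersion = '2025.11'; AcknowledgmentStatus = 'Accepted' }  # u5: old row
    [pscustomobject]@{ UserID = 'u5@contoso.example'; AgentName = 'Wealth-Advisor'; ConsentTimestamp = $AsOf.AddDays(-3);   DisclosureVersion = '2026.04'; AcknowledgmentStatus = 'Accepted' }  # u5: re-acknowledged
)

# The check an agent runs before its first conversation turn: does this user hold a current,
# accepted acknowledgment of the current disclosure version for this agent?
function Test-FsiConsent {
    param(
        [Parameter(Mandatory)][string]$UserID,
        [Parameter(Mandatory)][string]$AgentName,
        [object[]]$Records = $ConsentRecords
    )
    # The newest row for the user/agent pair decides; older rows are the version history
    $latest = $Records |
        Where-Object { $_.UserID -eq $UserID -and $_.AgentName -eq $AgentName } |
        Sort-Object ConsentTimestamp -Descending |
        Select-Object -First 1

    $reason = if (-not $latest)                                                             { 'NoRecord' }
              elseif ($latest.AcknowledgmentStatus -ne 'Accepted')                         { 'Declined' }
              elseif ($latest.DisclosureVersion -ne $CurrentDisclosureVersion)             { 'VersionChanged' }
              elseif (($AsOf - $latest.ConsentTimestamp).TotalDays -gt $ConsentExpiryDays) { 'Expired' }
              else                                                                          { 'Current' }

    [pscustomobject]@{ UserID = $UserID; AgentName = $AgentName; Valid = ($reason -eq 'Current'); Reason = $reason }
}

# Coverage report: one row per agent, applying the zone requirements of this control
function Get-FsiDisclosureCoverage {
    param([object[]]$AgentInventory = $Agents, [object[]]$Records = $ConsentRecords)
    foreach ($agent in $AgentInventory) {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Zone 2 and Zone 3 require an agent-level disclosure topic; Zone 1 only recommends it
        if ($agent.Zone -ge 2 -and -not $agent.DisclosureTopic) { $findings.Add('MissingDisclosureTopic') }

        # Zone 3 additionally requires a valid acknowledgment from every user who has a consent record
        if ($agent.Zone -eq 3) {
            $users = $Records | Where-Object { $_.AgentName -eq $agent.AgentName } |
                     Select-Object -ExpandProperty UserID -Unique
            foreach ($u in $users) {
                $c = Test-FsiConsent -UserID $u -AgentName $agent.AgentName -Records $Records
                if (-not $c.Valid) { $findings.Add("${u}:$($c.Reason)") }
            }
        }

        [pscustomobject]@{
            AgentName = $agent.AgentName
            Zone      = $agent.Zone
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join ', ')
        }
    }
}

$report = Get-FsiDisclosureCoverage
$report | Format-Table -AutoSize

# Verification criterion 10 on this page: 100% disclosure coverage for Zone 2 and Zone 3 agents
$inScope = @($report | Where-Object { $_.Zone -ge 2 })
$covered = @($inScope | Where-Object { $_.Compliant })
'Zone 2/3 coverage: {0}/{1} agents compliant' -f $covered.Count, $inScope.Count

# Declined acknowledgments are routed to the compliance team per the control text
$ConsentRecords | Where-Object { $_.AcknowledgmentStatus -eq 'Declined' } |
    ForEach-Object { "Notify compliance: $($_.UserID) declined consent for $($_.AgentName)" }
```

With the sample data, Wealth-Advisor is reported non-compliant with findings for u2 (Expired), u3 (VersionChanged) and u4 (Declined), while u5 passes because only the newest row counts; Loan-Prescreen is non-compliant for the missing disclosure topic, so Zone 2/3 coverage comes out at 1 of 3 agents. The version comparison is what forces re-acknowledgment when the AI Governance Lead publishes new disclosure text, independent of the 90-day clock; keeping older rows rather than overwriting them preserves the version history that Control 2.13 expects to retain.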


Verification Criteria

Confirm control effectiveness by verifying:

  1. AI Disclaimer toggle is enabled in Microsoft 365 admin center for all Zone 2 and Zone 3 deployments
  2. Custom disclosure URL is configured and points to current organizational AI policy document
  3. All Zone 3 agents have agent-level disclosure topics configured in greeting messages
  4. Consent acknowledgment tracking is implemented for Zone 3 agents with Dataverse table fsi_aiconsent deployed
  5. Disclosure content includes required elements: AI system identification, data handling statement, monitoring notice, and escalation path (Zone 3)
  6. Purview audit logging captures consent events for Zone 3 agents with immutable records
  7. Testing confirms the disclosure displays correctly for all target user populations
  8. Consent records include timestamp, user identity, disclosure version, and acknowledgment status
  9. Periodic re-acknowledgment occurs at defined intervals (90 days or session-based for Zone 3)
  10. Compliance reporting shows 100% disclosure coverage for all Zone 2 and Zone 3 agents

Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current