Control 2.24: Agent Feature Enablement and Restriction Governance

Control ID: 2.24
Pillar: Management
Regulatory Reference: SOX 302/404, FINRA 3110, FINRA 4511, FINRA 25-07, Fed SR 11-7, OCC 2011-12, FFIEC IT Risk Management, GLBA 501(b), SEC Reg SCI (SCI entities)
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated

Objective

Define and enforce zone-based policies for enabling or restricting Copilot Studio, Microsoft 365 Copilot, and declarative-agent features, generative actions, preview capabilities, and AI tools (including MCP connectors and Agent Framework feature flags) to support compliance and risk management requirements in financial services organizations. This control governs which features are permitted per governance zone across three surfaces — tenant-level Copilot controls in the Microsoft 365 admin center, environment-level controls in the Power Platform admin center and DLP policies, and agent-level settings in Copilot Studio or declarative agent packages — with change-management integration and explicit feature allowlist/denylist configurations.

This control supports consistent feature-governance decisions, but it does not replace written supervisory procedures, registered-principal oversight where required (Control 2.12), model validation (Control 2.6), AI guardrails (Control 1.1), or security review for high-impact AI capabilities.

Why This Matters for FSI

Federal Reserve SR 11-7 / OCC 2011-12 (Model Risk Management): Enabling or disabling a generative AI capability on a production agent is treated as a material change to the model under SR 11-7 §V ("Model Change Management") and OCC 2011-12. Feature-enablement decisions should cascade a re-validation trigger into Control 2.6 (MRM) and a supervisory-procedures review under Control 2.12 before the capability is made available to users. Feature toggles alone do not substitute for MRM validation.
SOX 302/404: Internal controls over financial reporting — restricting unapproved generative features and AI capabilities supports control environment requirements by preventing unauthorized automation that could affect financial data integrity.
FINRA Rule 3110 (Supervision): Supervisory procedures should be updated whenever a new capability (e.g., web search, code interpreter, external actions, MCP connectors) is enabled on agents in scope for supervised communications; the supervisory procedures in Control 2.12 should reference the feature catalog maintained here.
FINRA Notice 25-07 (workplace modernization RFC): Cited here as contextual industry consultation only — it is an RFC, not binding guidance, and does not of itself create feature-governance obligations. Primary supervisory authority remains FINRA Rule 3110.
FFIEC IT Risk Management Handbook: Supports documenting the business justification, risk rating, rollback plan, and compensating controls for each capability change, aligned with the change-management workflow in Key Configuration Points.
GLBA 501(b): Administrative, technical, and physical safeguards — feature restriction policies contribute to safeguarding customer information by helping prevent the use of experimental or high-risk AI features that could expose sensitive financial data.
FINRA Rule 4511 / SEC 17a-4: Records retention and supervision — restricting features that lack adequate audit trails or records retention supports regulatory recordkeeping obligations for supervised communications and decisions.
SEC Regulation SCI (SCI entities only): Firms that qualify as SCI entities should treat enablement of capabilities that affect order-handling or market-facing agents as potential systems changes subject to Reg SCI §242.1001(a) reasonably designed policies and §242.1003 notification requirements. Non-SCI firms may disregard this bullet.

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

This control governs the enablement and restriction of Copilot Studio, Microsoft 365 Copilot, and declarative-agent features across governance zones, ensuring that only approved AI capabilities, generative actions, and experimental features are available to agent authors based on agent risk classification and regulatory requirements. Feature governance spans three distinct surfaces that are often conflated:

Tenant Copilot hub — Microsoft 365 admin center Copilot settings (declarative agents, capability allow-lists, first-party agent decisions) and Power Platform admin center Copilot hub (PPAC → Copilot) for tenant-wide Copilot Studio toggles
Environment-level features — Power Platform admin center (PPAC → Environments → [env] → Settings → Product → Features) and environment DLP policies for per-environment feature flags and connector restrictions
Agent-level settings — Copilot Studio per-agent tools, knowledge sources, authentication choices, publishing configuration, and declarative-agent package capabilities

Not every restriction described in this control is exposed as a native Microsoft "off switch" in every tenant, cloud, or release wave. Where a direct product setting is unavailable, organizations should implement a documented allow-list, approval workflow, and compensating detective control (monitoring, DLP, audit review) rather than assuming hard runtime enforcement. Re-verify admin-center labels quarterly — Microsoft has re-organized the Copilot hub navigation multiple times.

Non-substitution principle

Feature toggles restrict what a capability can do but do not validate that a capability is fit for purpose. Enabling a generative capability on a Zone 2 or Zone 3 agent should trigger — not replace — the downstream Model Risk Management re-validation (Control 2.6), the supervisory-review update (Control 2.12), and the AI guardrails reassessment (Control 1.1). Treat this control as an enforcement and evidence layer that presupposes an approval layer elsewhere.

Sovereign cloud and release-wave caveat (GCC / GCC High / DoD)

Microsoft 365 Copilot, Copilot Studio, declarative-agent capabilities, MCP connectors, and Agent Framework tools reach General Availability on the commercial cloud first. Microsoft 365 GCC, GCC High, DoD, and other sovereign environments typically lag commercial by 6–18 months, and some preview capabilities (certain MCP connectors, image-generation models, third-party plugin types) may never become available in sovereign clouds. FSI organizations operating in sovereign tenants should:

Maintain a separate feature catalog per cloud (commercial vs. GCC / GCC High / DoD) rather than a single shared catalog
Treat any "allow in Zone 2/3" decision in commercial as not inherited into sovereign; each cloud requires its own approval record
Verify capability availability against the cloud-specific service description (Microsoft 365 for Government, Copilot for GCC / GCC High) before publishing a feature allow-list item
Record capabilities that are unavailable in the sovereign cloud as a product unavailability item in examination briefing materials, not as a policy exception or compensating control

Governance exception: Researcher and Analyst agents

Researcher and Analyst are excluded from the standard agent governance mechanisms documented in this control.

These first-party Microsoft 365 Copilot agents are part of the core Copilot Chat experience and are not subject to the normal agent governance settings in the M365 admin center.

These agents are not subject to:

Agent-related governance settings in the M365 admin center
Block, remove, or deploy controls in the agent registry
Approval workflows for standard agent publishing
Zone classification and the associated restriction lifecycle

These agents remain subject to:

Standard Microsoft 365 Copilot security, privacy, and compliance commitments
Conditional Access policies applied to Copilot experiences
Microsoft Purview sensitivity labels and DLP policies
The organization's standard Copilot acceptable-use policy

What this means for FSI governance:

Researcher and Analyst cannot be blocked through the standard agent governance controls documented in this framework
Governance of Researcher and Analyst is handled through the Copilot control system rather than the ordinary agent registry workflow
If restrictions are required for Researcher or Analyst, use Copilot license assignment and Copilot feature policies instead of standard agent governance controls
This exception should be documented in the organization's RACI and examination briefing materials

Researcher with Computer Use (Frontier only): Researcher's core capabilities are governed at the Copilot platform level, but the Researcher with Computer Use extension is configurable through the Agent 365 admin experience:

M365 admin center
  > Agents
    > All Agents
      > Researcher
        > Computer Use

See Control 2.25 - Agent 365 Governance Console for the detailed administration workflow.

Feature Governance Scope

This control addresses feature-level governance across the Copilot Studio platform: generative actions (AI Builder), connectors and data sources (governed by ACP Control 1.4), preview/experimental features, multi-agent orchestration capabilities, tool plugins, and authentication methods. Unlike environment-level controls (Control 2.2), this control governs which specific Copilot Studio features are enabled or restricted within environments based on agent classification.

Capability	Description	Implementation
Copilot Governance Dashboard	Central PPAC interface for tenant-wide and environment-specific feature controls	Navigate to PPAC → Copilot → Governance; review feature toggles and environment assignments
Generative Actions Restrictions	Control enablement of AI Builder generative actions and prompt-based automation	Configure through PPAC Copilot governance page; restrict generative AI features to approved environments
Preview/Experimental Features	Manage access to preview, beta, and experimental Copilot Studio capabilities	Disable preview features in Zone 3; require documented approval for Zone 2; allow in Zone 1 for testing
Tool and Plugin Controls	Govern which agent tools (web search, code interpreter, data analysis) are available	Configure tool restrictions per environment; enforce allowlist for Zone 3 agents
Multi-Agent Orchestration Limits	Control agent-to-agent communication and orchestration features	Set maximum agent invocation depth; restrict orchestration in Zone 3 without approval
Feature Catalog Maintenance	Documented inventory of enabled features per environment and zone	Maintain Dataverse table or SharePoint list tracking: FeatureName, Zone, Status (Allowed/Restricted), ApprovalDate, ChangeTicket
DLP Integration	Data Loss Prevention policies enforce feature restrictions at runtime	Leverage DLP connector policies (Control 1.4) to block restricted data sources and actions

The control uses multiple configuration surfaces depending on scope:

Power Platform Admin Center (PPAC → Copilot → Governance): Tenant-wide and environment-specific feature toggles, generative AI restrictions, preview feature controls
Power Platform Admin Center (Copilot > Settings): Additional feature flags and capability toggles affecting Copilot Studio behavior (previously under Settings → Features)
Environment-level DLP Policies: Connector restrictions that limit data sources and generative actions available to agents
Copilot Studio Agent Settings: Per-agent tool and plugin configuration (constrained by environment-level governance)
Dataverse Policy Enforcement Tables: Custom tables tracking feature approval status, change tickets, and exception requests

Feature Governance Configuration by Scope

Feature governance operates at multiple levels, each providing different control granularity:

Tenant-wide: Global feature flags in PPAC apply to all environments unless explicitly overridden; use for disabling high-risk capabilities organization-wide
Environment-specific: Per-environment feature toggles in PPAC Copilot governance page; align with environment tier classification (Control 2.2)
Zone-based: Features allowed or restricted based on governance zone (Zone 1/2/3); implemented through environment assignments and DLP policies
Agent-specific: Individual agents may have further restrictions beyond environment defaults; configured in Copilot Studio agent settings
Exception-based: Temporary feature enablement for specific use cases; requires change management approval and time-bound access

Relationship to Advanced Connector Policies (Control 1.4)

Control 1.4 governs connector-level restrictions through DLP policies, which directly affect what data sources and generative actions are available to agents. Control 2.24 governs broader feature enablement (preview features, tools, orchestration) beyond connector access. These controls work together: 1.4 restricts what agents can connect to, 2.24 restricts what agent capabilities are available.

Zone-Based Feature Exposure Model

Feature Category	Zone 1 (Personal)	Zone 2 (Team)	Zone 3 (Enterprise)
Generative Actions	Allowed (Microsoft default)	Allowed with documented approval	Explicit allowlist only; each action requires approval
Preview/Experimental Features	Allowed for testing	Disabled (documented exceptions only)	Prohibited
AI Builder Custom Prompts	Allowed	Restricted to approved prompts	Explicit allowlist; prompt validation required
Web Search Tool	Allowed	Restricted to approved agents	Prohibited or explicit allowlist with limited scope
Code Interpreter	Allowed	Disabled (high-risk)	Prohibited
Multi-Agent Orchestration	Allowed	Limited depth (max 2 levels)	Prohibited or explicit approval with audit trail
Custom Tool Plugins	Allowed	Approved plugins only	Explicit allowlist with security validation
External Data Connectors	Microsoft default (DLP enforced)	Approved connectors only (Control 1.4)	Explicit allowlist (Control 1.4)
Anonymous Authentication	Allowed	Prohibited	Prohibited

Key Configuration Points

Power Platform Admin Center (Copilot Governance Page)

Navigate to Power Platform Admin Center → Copilot → Governance
Review the central Copilot governance dashboard showing tenant-wide and environment-specific feature controls
Identify feature toggles for:
Generative AI features
Preview/experimental capabilities
Agent sharing and distribution controls
Multi-agent orchestration settings
Configure environment-specific feature restrictions aligned with governance zones
Document baseline configuration settings for each environment tier (Development, Test, Production)

Generative Actions and AI Builder Controls

In PPAC Copilot governance page, locate generative AI feature toggles
For Zone 3 environments: Disable generative AI features by default; enable only through exception process
For Zone 2 environments: Enable generative actions with documented approval; maintain feature approval log
For Zone 1 environments: Allow Microsoft default generative features; conduct periodic review of feature usage
Configure AI Builder capacity allocation to limit resource consumption in production environments
Integrate with DLP policies (Control 1.4) to restrict which connectors can invoke generative actions

Preview and Experimental Feature Management

In PPAC → Copilot > Settings (previously under Settings → Features), review all preview feature flags relevant to Copilot Studio
For Zone 3: Ensure all preview/experimental features are disabled; log any Microsoft-enforced preview features that cannot be disabled
For Zone 2: Disable preview features by default; implement documented approval process for temporary enablement during evaluation
For Zone 1: Allow preview features for testing; require summary report of preview feature usage before promotion to Zone 2/3
Track preview feature graduation to General Availability (GA); update feature allowlists when features reach GA status
Contact Microsoft Support if GA features cannot be disabled through PPAC (document this as a compensating control gap)

Tool and Plugin Restrictions

In Copilot Studio agent settings, configure allowed tools per agent:
Web Search: Restrict to approved agents; configure search scope limitations if available
Code Interpreter: Disable for Zone 2/3; allow only in sandboxed Zone 1 environments
Data Analysis: Enable with data source restrictions (DLP integration)
Custom Plugins: Maintain plugin allowlist; require security validation before approval
Document tool restriction policy in feature catalog with rationale for each decision
Test tool restrictions by attempting to enable prohibited tools in restricted environments (should be blocked)
Configure error messages for authors attempting to use restricted tools: "This feature is restricted in [Zone]. Contact [Governance Team] for approval."

Multi-Agent Orchestration Governance

In PPAC Copilot governance page, configure multi-agent orchestration limits:
Zone 1: Allow orchestration with monitoring
Zone 2: Restrict orchestration depth to 2 levels (agent → sub-agent, no further nesting)
Zone 3: Prohibit orchestration by default; require explicit approval with audit trail and limited scope
For approved orchestration scenarios, document the agent interaction graph and data flow between agents
Implement orchestration depth limits to prevent infinite loops or uncontrolled escalation
Integrate with Communication Compliance (Control 1.10) to monitor cross-agent conversations

Feature Catalog Maintenance

Create and maintain a feature catalog in Dataverse or SharePoint documenting:
FeatureName: Descriptive name of the Copilot Studio feature
FeatureCategory: Generative Actions, Preview Feature, Tool, Plugin, Orchestration, etc.
Zone1Status: Allowed / Restricted / Prohibited
Zone2Status: Allowed / Restricted / Prohibited
Zone3Status: Allowed / Restricted / Prohibited
ApprovalRequired: Yes/No (whether feature requires documented approval before use)
ApprovalDate: Date feature was approved for use in specific zone
ChangeTicket: Reference to change management ticket authorizing feature enablement
ExpirationDate: For time-bound feature exceptions
RiskRating: High / Medium / Low based on feature risk assessment
Update feature catalog quarterly or when new features are released
Use feature catalog as input to agent registry (Control 1.2) validation: agents cannot use features not approved for their zone

Change Management Integration

Establish change management process for feature enablement changes:
Requester: Agent author or business owner submits feature enablement request
Justification: Document business need and risk assessment
Security Review: Power Platform Admin and Security team review feature security implications
Compliance Review: Compliance Officer approves for Zone 2/3 based on regulatory impact
Implementation: Power Platform Admin enables feature in target environment
Documentation: Update feature catalog with approval details and change ticket reference
Notification: Inform agent authors of feature availability
For Zone 3 feature changes: Require additional approval from AI Governance Lead and Compliance Officer
Implement time-bound feature enablement for evaluation periods (e.g., 90-day trial with mandatory review)
Document compensating controls if high-risk features must be enabled due to business requirements

Zone-Specific Requirements

Zone	Requirement	Rationale
Zone 1 (Personal)	Microsoft default features enabled; preview features allowed for testing; periodic review of feature catalog (quarterly); risk awareness training for agent authors	Personal productivity agents have lower regulatory exposure; allowing preview features supports innovation while periodic review supports monitoring of feature usage
Zone 2 (Team)	Preview/experimental features disabled by default; generative AI features require documented approval; feature catalog maintained and updated monthly; change management for feature enablement	Team collaboration environments process shared organizational data requiring explicit approval for AI capabilities; documented approval supports audit trail and risk management
Zone 3 (Enterprise)	Explicit allowlist of permitted features only; no preview/experimental features unless approved by Compliance Officer; generative actions restricted to approved list with prompt validation; no code interpreter or unapproved orchestration; formal change management for all feature changes; quarterly feature risk assessment	Customer-facing and enterprise agents process sensitive financial data requiring formal approval per FINRA 3110, SR 11-7, SOX 302/404, and OCC 2011-12; explicit allowlist helps ensure only validated features are reachable; compensating controls required if high-risk features must be enabled

Roles & Responsibilities

Role	Responsibility
AI Administrator	Primary role for the Microsoft 365 Copilot admin center; configure tenant-level declarative-agent capability toggles (web search, code interpreter, image generation, file search, actions/MCP connectors); review feature-access changes affecting first-party agents and declarative agent experiences; coordinate with Power Platform Admin on cross-surface enablement. Prefer AI Administrator over Entra Global Admin for day-to-day governance per the role catalog
Power Platform Admin	Configure feature toggles in PPAC Copilot hub and environment-level features; manage environment-specific feature restrictions; implement DLP policies enforcing feature limits; test feature restrictions
Entra Global Admin	Approve or execute only exceptional tenant-wide changes, initial setup, or emergency rollback where broader privileges are required; routine day-to-day governance should be delegated to AI Administrator and Power Platform Admin
Copilot Studio Agent Author	Request feature enablement for specific agents; document business justification; comply with feature restrictions for assigned governance zone
Compliance Officer	Approve feature changes for Zone 2 and Zone 3 environments; review regulatory impact of new features; define compliance requirements for high-risk features
AI Governance Lead	Maintain feature catalog (commercial + sovereign variants); conduct quarterly feature risk assessments; approve time-bound feature exceptions; coordinate with Microsoft on feature availability and restrictions
Change Management Team	Process feature enablement change requests (forward and reverse); track approval workflow; generate feature change audit reports for regulatory examination
Security Architect	Assess security implications of new features; recommend restrictions for high-risk capabilities; validate compensating controls for approved exceptions

Control	Relationship
1.1 - Restrict Agent Publishing by Authorization	Publishing authorization is the enforcement gate that prevents unapproved authors from deploying agents that use restricted features; feature catalog feeds the publishing approval
1.2 - Agent Registry and Integrated Apps Management	Agent registry tracks which features are enabled per agent; feature catalog feeds into registry validation to ensure agents comply with zone-specific feature restrictions
1.4 - Advanced Connector Policies (ACP)	ACP controls restrict data sources and connectors available to agents; 2.24 governs broader feature enablement — complementary controls working together to limit agent capabilities
1.10 - Communication Compliance Monitoring	Communication Compliance monitors output of enabled capabilities; enabling new generative capabilities (voice, image, code interpreter) should update the CC policy scope
1.25 - MIME Type Restrictions	MIME type restrictions limit file types agents can process; feature restrictions limit AI capabilities agents can use — both controls reduce attack surface and risk exposure
2.2 - Environment Groups and Tier Classification	Environment tier classification determines which feature restrictions apply; feature governance aligns with environment tiers so Zone 3 environments carry strictest restrictions
2.6 - Model Risk Management Alignment with OCC 2011-12 / SR 11-7	A capability change is a model change under SR 11-7; feature enablement should cascade a re-validation trigger into the MRM workflow
2.12 - Supervision and Oversight (FINRA Rule 3110)	Enabling a new capability on a supervised agent should trigger an update to written supervisory procedures; feature catalog feeds the supervision scope and 2.12 evidence register
2.17 - Multi-Agent Orchestration Limits	Multi-agent orchestration is one feature category governed by 2.24; 2.17 provides detailed orchestration-specific controls while 2.24 addresses broader feature governance
2.25 - Agent 365 Admin Center Governance Console	Agent 365 admin console is the operational surface for declarative-agent governance (Researcher / Analyst / Computer Use); feature-enablement decisions governed here are surfaced through the Agent 365 console

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, verification, and troubleshooting:

Portal Walkthrough — Step-by-step configuration of PPAC Copilot governance page, feature toggles, and zone-based restrictions
PowerShell Setup — Scripts for feature catalog deployment, compliance reporting, and automated feature audits
Verification & Testing — Test cases for feature restrictions, exception workflows, and change management integration
Troubleshooting — Common issues with feature toggles, GA features that cannot be disabled, and compensating controls

Automated Feature Compliance Reporting

Use PowerShell scripts to audit feature configuration across all environments, validate that Zone 3 environments have only approved features enabled, and generate quarterly feature risk assessment reports showing feature usage and compliance status.

Verification Criteria

Confirm control effectiveness by verifying:

PPAC Copilot governance page is configured with environment-specific feature restrictions aligned with governance zones
Zone 3 environments have preview/experimental features disabled (or documented exceptions with approval)
Generative AI features are restricted to approved list in Zone 3; Zone 2 has documented approval for enabled generative actions
Feature catalog is deployed and maintained with current status for all Copilot Studio features
High-risk features (code interpreter, unapproved orchestration) are disabled in Zone 2 and Zone 3 environments
DLP policies (Control 1.4) enforce feature restrictions by blocking prohibited connectors and data sources
Change management process is operational with documented approvals for Zone 2/3 feature changes
Testing confirms that agent authors cannot enable restricted features in their assigned environments (blocked by policy)
Feature catalog includes: FeatureName, ZoneStatus, ApprovalDate, ChangeTicket, ExpirationDate (for exceptions)
Quarterly feature risk assessment is conducted with results documented and feature restrictions updated based on findings

Additional Resources

Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current