
Control 2.3: Change Management and Release Planning

Control ID: 2.3
Pillar: Management
Regulatory Reference: FINRA 4511, SOX 404, GLBA 501(b), SEC 17a-4
Last UI Verified: January 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03


Agent 365 Architecture Update

Agent 365 standardizes change management across agent platforms through consistent promotion gates and approval workflows. This replaces per-platform approval processes with a unified lifecycle, supporting SOX 302 change management controls. See Unified Agent Governance for promotion gate configuration.

Objective

Establish structured governance over all modifications to AI agents through controlled, documented, and approved change processes. This includes promotions between governance zones, configuration changes, version updates, and rollback procedures.


Why This Matters for FSI

  • FINRA 4511: Requires records of all business activities; change records provide the audit trail of AI system modifications
  • SOX 404: Internal control assessment; change management demonstrates IT control effectiveness
  • GLBA 501(b): Administrative safeguards; controlled changes protect customer information systems
  • SEC 17a-4: Record preservation; change records are retained per regulatory requirements

Control Description

This control requires that modifications to AI agents be controlled, documented, and approved before deployment. Power Platform provides ALM (Application Lifecycle Management) pipelines for automated, governed deployments with version tracking and rollback capabilities. Approval workflows can be implemented through Power Automate integration with the pipeline deployment process.

Approval Gates Implementation

Power Platform ALM pipelines provide the deployment framework with built-in version tracking and rollback. Approval gates are implemented by integrating Power Automate approval workflows that trigger before pipeline stages execute. This integration requires custom configuration using the OnApprovalStarted trigger rather than built-in approval gate functionality.

Terminology Update: Delegated Deployments

Pipeline approvals are now documented by Microsoft as "delegated deployments", reflecting the model where deployment authority is delegated to specific approvers at each pipeline stage. When referencing Microsoft Learn documentation, search for "delegated deployments" in addition to "pipeline approvals" for current guidance.

Native vs. Pipeline Approval Workflows

Agent approval requirements differ based on deployment method:

| Deployment Method | Approval Mechanism | Configuration |
|---|---|---|
| Copilot Studio native publish | Built-in publishing approval workflow | Agent settings > Approval (requires admin enablement) |
| Solution-packaged agents via ALM pipelines | Custom Power Automate approval | OnApprovalStarted trigger integration |

Copilot Studio Native Approvals: Copilot Studio includes a built-in approval workflow that requires designated approvers to authorize agent publishing. This is configured per-agent in agent settings and does not require custom Power Automate development.

ALM Pipeline Approvals: When agents are packaged as solutions and deployed via ALM pipelines, approval gates require custom Power Automate configuration using the OnApprovalStarted trigger. This approach provides more flexibility but requires development effort.

FSI Recommendation: Use native Copilot Studio approvals for Zone 2 agents with straightforward approval chains. Use ALM pipeline approvals for Zone 3 agents requiring multi-stage deployments with CAB review.

| Capability | Description | Implementation | FSI Relevance |
|---|---|---|---|
| ALM Pipelines | Automated solution deployment | Built-in | Controlled promotion |
| Solution Versioning | Track agent versions | Built-in | Audit trail |
| Approval Workflows | Gate deployments | Power Automate integration (custom) | Compliance enforcement |
| Rollback Capability | Revert failed changes | Built-in | Business continuity |

Key Configuration Points

  • Enable ALM pipelines for Zone 2 (recommended) and Zone 3 (required) agents
  • Implement approval workflows using Power Automate to integrate with pipeline stages (custom configuration required per governance zone: Manager for Zone 2, CAB + Compliance for Zone 3)
  • Implement solution versioning using semantic format: [Major].[Minor].[Patch]+[Config]-[Environment]
  • Create configuration snapshots before any agent modification
  • Define rollback procedures with clear decision authority matrix
  • Maintain audit trail of all change requests, approvals, and deployments
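The version format above is only useful for rollback and audit if every deployment records a string that actually conforms to it. The following is an added example (not part of this control or the FSI-AgentGov project) showing how a parser for the `[Major].[Minor].[Patch]+[Config]-[Environment]` format can validate version strings, classify a change by the highest field that differs, and pick the rollback target from a deployment history. The allowed character sets for the Config and Environment fields, the field names, and the classification rule are assumptions of this example.

```python
"""Parse, compare and classify agent solution versions in the
[Major].[Minor].[Patch]+[Config]-[Environment] format used by this control.

Added example; the field character sets and the classification rule are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: Config is an alphanumeric token (also '_' and '.'), Environment is
# alphanumeric and names the pipeline target (dev, test, prod, ...).
_VERSION_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"\+(?P<config>[A-Za-z0-9_.]+)-(?P<environment>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class AgentVersion:
    major: int
    minor: int
    patch: int
    config: str
    environment: str

    @property
    def core(self) -> tuple:
        # The numeric part decides ordering; Config and Environment do not.
        return (self.major, self.minor, self.patch)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}+{self.config}-{self.environment}"


def parse_version(text: str) -> AgentVersion:
    """Parse a version string or raise ValueError if it does not follow the format."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid agent version string: {text!r}")
    return AgentVersion(int(m["major"]), int(m["minor"]), int(m["patch"]),
                        m["config"], m["environment"])


def is_valid_version(text: str) -> bool:
    try:
        parse_version(text)
        return True
    except ValueError:
        return False


def change_class(previous: str, current: str) -> str:
    """Classify a change by the highest field that differs (assumed mapping:
    major / minor / patch / config / none). Useful as input to change
    classification criteria; a downgrade in a field is reported the same way."""
    p, c = parse_version(previous), parse_version(current)
    if c.major != p.major:
        return "major"
    if c.minor != p.minor:
        return "minor"
    if c.patch != p.patch:
        return "patch"
    if c.config != p.config:
        return "config"
    return "none"


def rollback_target(history: Iterable[str], current: str) -> Optional[str]:
    """Return the highest earlier version deployed to the same environment as
    `current`, i.e. the snapshot a rollback would restore, or None if there is none."""
    cur = parse_version(current)
    candidates = [v for v in (parse_version(h) for h in history)
                  if v.environment == cur.environment and v.core < cur.core]
    if not candidates:
        return None
    return str(max(candidates, key=lambda v: v.core))


if __name__ == "__main__":
    # Constructed deployment history for illustration.
    deployed = ["1.0.0+c1-prod", "1.1.0+c1-prod", "1.2.0+c1-test", "1.1.2+c2-prod"]
    print(change_class("1.1.2+c2-prod", "1.2.0+c1-prod"))
    print(rollback_target(deployed, "1.2.0+c1-prod"))
```

Rollback selection deliberately ignores versions deployed to other environments, so a test-environment snapshot is never offered as the rollback target for a production agent.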

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Basic change documentation recommended; pipelines optional | Low risk, personal use |
| Zone 2 (Team) | Pipelines recommended; manager approval; configuration snapshots required | Shared agents increase accountability requirements |
| Zone 3 (Enterprise) | Pipelines required; CAB + Compliance approval; 48-hour review period; tested rollback | Customer-facing, highest regulatory examination risk |

Emergency Change Procedures

The standard 48-hour CAB review period may be compressed for emergency situations:

| Emergency Type | Approval Path | Review Window | Post-Action Requirement |
|---|---|---|---|
| Security vulnerability (CVSS ≥7.0) | Security Admin + CISO | Immediate | Post-implementation CAB review within 72 hours |
| Regulatory mandate | Compliance Officer + CCO | 4 hours | Documentation within 24 hours |
| Customer-impacting production issue | AI Governance Lead | 2 hours | Root cause analysis within 48 hours |

Rollback Authority: Security Admin, Compliance Officer, and AI Governance Lead have authority to initiate immediate rollback without pre-approval. Post-rollback documentation required within 24 hours.

Cross-reference: Control 2.4 (Business Continuity and Disaster Recovery) for incident response SLAs.


Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Power Platform Admin | Configure pipelines, manage deployments, target environment setup |
| AI Governance Lead | Define approval workflows, change classification criteria |
| Compliance Officer | Approve Zone 3 changes, verify regulatory requirements met |
| Security Admin | Security review for major changes, rollback authority |

| Control | Relationship |
|---|---|
| 2.1 - Managed Environments | Target environments must be Managed |
| 2.5 - Testing and Validation | Testing requirements for deployments |
| 2.15 - Environment Routing | Environment placement for agents |
| 3.1 - Agent Inventory | Version tracking in registry |

Advanced Implementation: Platform Change Governance

For operationalizing Microsoft Message Center changes with structured governance workflows, see Platform Change Governance.

Advanced Implementation: Pipeline Governance Cleanup

Organizations with existing personal pipelines that need cleanup before enforcing centralized ALM governance should refer to the Pipeline Governance Cleanup Solution in the FSI-AgentGov-Solutions repository. The solution provides discovery, owner notification, controlled cleanup, custom host enforcement, and ongoing compliance monitoring.

February 2026 Pipeline Deadline

Starting February 2026, Microsoft will automatically enable Managed Environments for all pipeline target environments. Organizations using deployment pipelines should review Control 2.1: Managed Environments for licensing implications and required actions.

Advanced Implementation: Environment Lifecycle Management

For treating environment provisioning as a controlled change with approval workflows, audit trails, and baseline configuration, see Environment Lifecycle Management.


Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. ALM pipelines are configured for all Zone 2-3 agents
  2. Approval workflows (via Power Automate integration) are functioning and blocking unauthorized deployments
  3. All changes are documented with change ID, justification, and approvals
  4. Rollback procedure can restore previous version within defined SLA
  5. Audit trail captures complete change history for regulatory examination
  6. Configuration snapshots exist for all Zone 2-3 agents

Additional Resources

Agent 365 Blueprint Deployment (Preview)

Preview Notice

Microsoft Agent 365 SDK and Agent Essentials are in limited preview (Frontier program). Verify feature availability and GA timelines before implementing production controls dependent on these capabilities. Expect changes before general availability.

Agent 365 introduces a 3-phase deployment blueprint that complements Power Platform ALM:

  • Design → Build → Deploy lifecycle with governance gates at each transition
  • Blueprint registration provides formal change documentation for audit trail
  • Promotion between phases requires approval workflows

Blueprint Promotion Workflow:

| Phase Transition | Approval Required | Change Documentation |
|---|---|---|
| Design → Build | Technical review (Zone 2), Architecture review (Zone 3) | Requirements sign-off, data source declaration |
| Build → Deploy | QA sign-off, Security review | Test results, security scan results |
| Deploy → Production | Business owner + Compliance (Zone 3) | UAT sign-off, rollback plan |

Integration with Power Platform ALM:

For agents built in Copilot Studio and registered via Blueprint:

  1. Solution Export - Export Copilot Studio agent as solution
  2. Blueprint Registration - Register solution in Agent 365 Blueprint
  3. Pipeline Deployment - Use ALM pipelines with Blueprint phase gates
  4. Promotion Approval - Blueprint promotion triggers ALM approval workflow

Change Record Requirements:

Each Blueprint promotion must include:

  • Change ID (linked to ALM pipeline run)
  • Business justification
  • Approval chain with timestamps
  • Rollback reference (previous Blueprint version)
  • Test evidence (linked to Control 2.5)
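A change record that is missing an approver or whose approvals predate the request is exactly what an examiner will find first, so it is worth checking records mechanically before a promotion proceeds. The following is an added example (not part of this control or the FSI-AgentGov project) that validates a Blueprint promotion record against the requirements listed above: the required fields, the approvals per phase transition and zone from the Blueprint Promotion Workflow table, the Zone 3 48-hour review period, and the compressed approval paths and review windows from the Emergency Change Procedures table. The record layout, field names, ISO 8601 timestamps, the reading of the Deploy → Production row as "Business owner always, plus Compliance for Zone 3", and the reading of an emergency review window as the maximum time between request and final approval are assumptions of this example.

```python
"""Validate a Blueprint promotion change record against the control's requirements.

Added example; record layout, field names and the interpretation of review windows
are assumptions. Approver roles and windows come from the control tables.
"""
from datetime import datetime, timedelta

# Approvals per phase transition and zone (Blueprint Promotion Workflow table).
REQUIRED_APPROVALS = {
    ("Design", "Build"): {2: {"Technical review"}, 3: {"Architecture review"}},
    ("Build", "Deploy"): {2: {"QA sign-off", "Security review"},
                          3: {"QA sign-off", "Security review"}},
    ("Deploy", "Production"): {2: {"Business owner"},
                               3: {"Business owner", "Compliance"}},
}
# Emergency approval paths and review windows (Emergency Change Procedures table).
# None = "Immediate": no maximum window is enforced between request and approval.
EMERGENCY_PATHS = {
    "security_vulnerability": ({"Security Admin", "CISO"}, None),
    "regulatory_mandate": ({"Compliance Officer", "CCO"}, timedelta(hours=4)),
    "customer_impacting": ({"AI Governance Lead"}, timedelta(hours=2)),
}
ZONE3_REVIEW_PERIOD = timedelta(hours=48)
# Fields from "Change Record Requirements" (field names assumed).
REQUIRED_FIELDS = ("change_id", "pipeline_run_id", "justification",
                   "approvals", "rollback_reference", "test_evidence")

# Constructed sample record for illustration; all values are made up.
SAMPLE_RECORD = {
    "change_id": "CHG-0001",
    "pipeline_run_id": "run-12345",
    "zone": 3,
    "from_phase": "Deploy",
    "to_phase": "Production",
    "justification": "Enable new intent for card dispute triage",
    "requested_at": "2026-02-01T09:00:00+00:00",
    "approvals": [
        {"role": "Business owner", "approved_at": "2026-02-03T10:00:00+00:00"},
        {"role": "Compliance", "approved_at": "2026-02-03T11:00:00+00:00"},
    ],
    "rollback_reference": "1.4.2+cfg3-prod",
    "test_evidence": "Control 2.5 test run TR-0001",
}


def _parse_ts(value):
    """Assumption: timestamps are ISO 8601 strings with an explicit UTC offset."""
    return datetime.fromisoformat(value)


def validate_change_record(record: dict) -> list:
    """Return a list of findings; an empty list means the record passes."""
    findings = [f"missing field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    transition = (record.get("from_phase"), record.get("to_phase"))
    zone = record.get("zone")
    if transition not in REQUIRED_APPROVALS:
        return findings + [f"unknown phase transition: {transition}"]
    if zone not in (2, 3):
        return findings + ["Blueprint promotion records apply to Zone 2 and Zone 3 agents"]
    try:
        requested = _parse_ts(record["requested_at"])
    except (KeyError, TypeError, ValueError):
        return findings + ["missing or malformed requested_at"]

    # Choose the approval path: standard per-transition approvals with the Zone 3
    # minimum review period, or a declared emergency path with its compressed window.
    emergency = record.get("emergency_type")
    if emergency is None:
        required, max_window = REQUIRED_APPROVALS[transition][zone], None
        min_period = ZONE3_REVIEW_PERIOD if zone == 3 else None
    elif emergency in EMERGENCY_PATHS:
        required, max_window = EMERGENCY_PATHS[emergency]
        min_period = None
    else:
        return findings + [f"unrecognised emergency_type: {emergency}"]

    # Every approval needs a valid timestamp and must not predate the request.
    approvals = record.get("approvals") or []
    approved_times = []
    for approval in approvals:
        role = approval.get("role", "<unknown>")
        try:
            t = _parse_ts(approval["approved_at"])
        except (KeyError, TypeError, ValueError):
            findings.append(f"approval by {role} lacks a valid timestamp")
            continue
        if t < requested:
            findings.append(f"approval by {role} predates the change request")
        approved_times.append(t)
    missing = required - {a.get("role") for a in approvals}
    if missing:
        findings.append("missing approvals: " + ", ".join(sorted(missing)))

    # Review-period checks against the final (latest) approval.
    if approved_times:
        elapsed = max(approved_times) - requested
        hours = elapsed.total_seconds() / 3600
        if min_period is not None and elapsed < min_period:
            findings.append(f"Zone 3 final approval after {hours:.0f}h; "
                            "48-hour review period not elapsed")
        if max_window is not None and elapsed > max_window:
            findings.append(f"emergency approval after {hours:.1f}h exceeds the "
                            f"{emergency} review window")
    return findings


if __name__ == "__main__":
    print(validate_change_record(SAMPLE_RECORD) or "record passes")
```

Findings are returned as a list rather than raised, so an approval flow can attach all of them to the change record at once instead of bouncing it back one defect at a time.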

  • Microsoft Learn: Agent 365 Blueprint (Preview) - 3-phase deployment framework for agent change management


Updated: January 2026 | Version: v1.2 | UI Verification Status: Current