Control 3.11: Centralized Agent Inventory Enforcement
Control ID: 3.11
Pillar: Reporting
Regulatory Reference: FINRA 4511, SOX 404, OCC 2011-12, Fed SR 11-7
Governance Levels: Baseline / Recommended / Regulated
Last UI Verified: February 2026
Last Verified: 2026-02-03
Objective
Establish enforcement mechanisms for centralized agent inventory completeness through automated detection, mandatory registration, and remediation of unmanaged or orphaned agents. This control builds on foundational agent inventory (Control 3.1) by adding proactive enforcement to help ensure every agent in the tenant is tracked, managed, and compliant with governance requirements.
Agent Inventory Feature Status (February 2026)
The Agent Inventory feature in Power Platform Admin Center is in Preview. Microsoft is rolling out enhanced discovery and enforcement capabilities across the Agent 365 control plane throughout 2026. Organizations should implement this control using available preview capabilities and prepare for GA features.
Feature Status Tracking:
| Capability | Status (Feb 2026) | Expected GA | Implementation Approach |
|---|---|---|---|
| Agent Inventory (PPAC) | Preview | Q2 2026 | Primary enforcement interface |
| Agent 365 Control Plane | Frontier Preview | TBA | Unified discovery and policy enforcement |
| Orphaned Agent Detection | Preview | Q2 2026 | Manual + PowerShell automation |
| Ownership Transfer | GA | GA | Standard PPAC capability |
| Copilot Studio Kit | Preview | TBA | Agent Inventory monitoring and alerts |
| Unmanaged Agent Blocking | Roadmap | TBA | DLP + Security Roles (compensating control) |
Monitor the Microsoft 365 Roadmap for GA announcements and enhanced enforcement capabilities.
Why This Matters for FSI
- FINRA 4511: Books and records requirements necessitate complete and accurate inventory of all systems and tools used in securities activities. Unmanaged agents create gaps in audit trails and supervisory records
- SOX 404: IT general controls over financial reporting systems require documented inventory of all applications with financial data access. Orphaned or untracked agents undermine control effectiveness assessments
- OCC 2011-12: Model Risk Management guidance requires inventory and ongoing monitoring of all automated decision-making systems. AI agents qualify as models requiring governance oversight
- Fed SR 11-7: Supervisory guidance on model risk management mandates comprehensive model inventory with ownership, purpose, and risk ratings. Unmanaged agents introduce unquantified operational risk
Centralized inventory enforcement helps support regulatory examination readiness by demonstrating that the organization maintains complete visibility into all AI agent deployments and actively remediates inventory gaps.
Control Description
While Control 3.1 establishes the foundational agent inventory and metadata structure, Control 3.11 enforces inventory completeness through automated discovery, mandatory registration, and systematic remediation of unmanaged agents. This control transforms the inventory from a passive repository into an active governance enforcement mechanism.
Key Enforcement Mechanisms:
| Mechanism | Description | Implementation |
|---|---|---|
| Automated Discovery | Continuous scanning for agents across all environments, Copilot Studio, Microsoft 365, and integrated apps | Agent Inventory in PPAC + PowerShell scripts |
| Registration Requirements | Mandatory metadata submission before agent publication or sharing | Pre-publication checklist + approval gates |
| Completeness Monitoring | Real-time alerts for agents with incomplete metadata or missing ownership | Power Automate flows + Teams notifications |
| Orphaned Agent Detection | Scheduled detection of agents with departed owners or inactive projects | PowerShell scripts + ownership validation |
| Remediation Workflows | Structured processes for resolving inventory gaps, assigning ownership, and decommissioning abandoned agents | Change management integration |
Agent Inventory Feature in PPAC (Preview)
The Agent Inventory feature provides tenant-wide visibility into all agents with filtering, sorting, and export capabilities:
Inventory Attributes Tracked:
| Attribute | Description | Governance Value |
|---|---|---|
| Agent Name | Display name and internal identifier | Identification and tracking |
| Creation Date | When the agent was first created | Age analysis and lifecycle tracking |
| Owner | Primary responsible individual | Accountability and ownership validation |
| Environment | Power Platform environment or M365 context | Zone classification and access control verification |
| Authentication Method | Service principal, managed identity, or user delegation | Security posture assessment |
| Feature Usage | Connectors, generative actions, tools enabled | Risk profiling and compliance validation |
| Last Modified Date | Most recent configuration change | Activity monitoring and staleness detection |
| Sharing Status | Private, team, or organizational | Distribution scope and exposure assessment |
Agent 365 Control Plane Integration
Microsoft's Agent 365 control plane provides a unified interface for agent discovery, lifecycle management, observability, and policy enforcement across the Microsoft ecosystem:
- Discovery: Automatic detection of agents across Copilot Studio, Microsoft 365 Copilot, Declarative Agents, and Microsoft Foundry
- Lifecycle: Unified management for creation, approval, publication, monitoring, and retirement
- Observability: Cross-platform usage analytics, performance metrics, and compliance status
- Policy Enforcement: Centralized policy application ensuring agents meet organizational governance standards before deployment
Organizations should prepare for Agent 365 GA by establishing inventory enforcement processes aligned with the unified control plane model.
Copilot Studio Kit: Agent Inventory Monitoring
The Copilot Studio Kit (Preview) provides pre-built monitoring capabilities for agent inventory governance:
- Inventory Synchronization: Automated refresh of agent metadata from Power Platform environments
- Completeness Validation: Detection of agents missing required metadata fields (owner, description, zone classification, risk rating)
- Ownership Verification: Validation that assigned owners are active users in Entra ID
- Alert Generation: Teams notifications for inventory gaps, orphaned agents, or overdue metadata updates
- Dashboard Visualization: Power BI dashboard showing inventory completeness metrics and remediation status
Organizations implementing Control 3.11 should evaluate the Copilot Studio Kit as an accelerator for enforcement automation.
PL-900 Admin Certification
Microsoft's PL-900 certification (Microsoft Certified: Power Platform Fundamentals) covers foundational Power Platform concepts including governance, security, and administration. Organizations should encourage Power Platform Admins and AI Governance Leads to complete PL-900 training to build platform governance competency.
Key Configuration Points
- Enable Agent Inventory in PPAC and configure data refresh schedules (daily recommended for Zone 3)
- Define mandatory metadata fields required for all agents before publication
- Implement pre-publication checklist enforcing inventory completeness (owner, zone, risk rating, approvals)
- Configure Power Automate flows to detect agents with missing or incomplete metadata
- Establish ownership validation process verifying owners are active users and agents align with approved projects
- Deploy PowerShell scripts for scheduled orphaned agent detection (weekly for Zone 2/3)
- Configure Teams notifications alerting governance team to inventory gaps and remediation requirements
- Integrate agent registration into change management and approval workflows
- Establish agent decommissioning process for abandoned or inactive agents
- Set up quarterly inventory audit reviews validating completeness across all zones
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Quarterly inventory review; basic metadata tracked (owner, name, environment); unmanaged agent notifications sent to Power Platform Admin | Low-risk personal productivity; lighter governance |
| Zone 2 (Team) | Monthly inventory review; complete metadata required (owner, zone, risk rating, approvals, description); orphaned agent detection and reassignment within 14 days | Team collaboration introduces shared data exposure; moderate governance |
| Zone 3 (Enterprise) | Weekly inventory review; full metadata + compliance status + audit trail; automated orphan detection with immediate alerts; mandatory ownership assignment before publication; decommissioning process for abandoned agents within 7 days | Customer-facing and regulated operations; strictest governance |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Manage Agent Inventory in PPAC; configure data refresh schedules; monitor completeness dashboards; execute orphaned agent detection scripts |
| Entra Global Admin | Configure tenant-level discovery and enforcement settings; manage Agent 365 control plane (when available) |
| Compliance Officer | Review inventory reports for regulatory audit readiness; validate completeness of agent documentation; approve exceptions for unmanaged agents |
| Security Operations | Monitor for unregistered or unmanaged agents; investigate unauthorized agent deployments; coordinate remediation with business owners |
| AI Governance Lead | Define mandatory metadata requirements; review remediation workflows; approve agent decommissioning decisions; maintain inventory audit trail |
| Agent Authors | Complete mandatory metadata before agent publication; respond to ownership validation requests; update metadata when agent purpose or scope changes |
Related Controls
| Control | Relationship |
|---|---|
| 3.1 - Agent Inventory and Metadata Management | Foundational inventory; Control 3.11 adds enforcement and remediation |
| 3.6 - Orphaned Agent Detection and Remediation | Specialized remediation process for agents with departed owners |
| 1.2 - Agent Registry and Integrated Apps Management | Integrated Apps registry complements PPAC Agent Inventory for cross-platform visibility |
| 3.8 - Copilot Hub and Governance Dashboard | Agent Registry in M365 Admin Center provides additional visibility layer |
Automated Validation: Agent Inventory Enforcement Monitor
For automated detection of incomplete agent inventory records, orphaned agents, and enforcement of mandatory metadata requirements, see the Agent Inventory Enforcement Monitor solution.
Capabilities:
- Daily automated inventory completeness validation across all zones
- Detection of agents with missing or invalid metadata (owner, zone, risk rating)
- Orphaned agent identification (departed owner, inactive project, exceeds age threshold)
- Teams adaptive card alerts with remediation workflow links
- Dataverse-persisted enforcement history for audit trail
- SHA-256 integrity-hashed evidence export for regulatory examination
Deployable Solution: agent-inventory-enforcement-monitor provides PowerShell validation scripts, Power Automate flow definitions, Dataverse schema, and compliance reporting templates.
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step PPAC Agent Inventory configuration
- PowerShell Setup — Automation scripts for inventory enforcement
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Agent Inventory feature is enabled in PPAC with daily data refresh configured
- Mandatory metadata requirements are documented and communicated to all agent authors
- Pre-publication checklist enforces inventory completeness before agent approval
- Power Automate flows detect and alert on incomplete agent metadata within 24 hours
- Ownership validation process confirms all agents have active owners (quarterly for Zone 1, monthly for Zone 2, weekly for Zone 3)
- PowerShell scripts for orphaned agent detection execute on schedule without errors
- Teams notifications are delivered to governance team for inventory gaps and remediation requirements
- Change management system tracks agent registration and metadata updates with audit trail
- Decommissioning process removes or disables abandoned agents within SLA (14 days Zone 2, 7 days Zone 3)
- Quarterly inventory audit reports show >95% completeness across all mandatory metadata fields
- All Zone 3 agents have complete metadata including owner, zone classification, risk rating, approvals, and compliance status
- Unmanaged agents detected in previous period have been remediated (assigned owner or decommissioned)
Additional Resources
- Power Platform Agent Inventory (Preview)
- Microsoft Agent 365 Overview
- Copilot Studio Kit for Governance
- Manage Copilot Agents in Integrated Apps
- Orphaned Agent Detection and Ownership Transfer
- PL-900: Microsoft Power Platform Fundamentals
Agent Inventory Enforcement Best Practices
Organizations implementing centralized inventory enforcement should consider:
Discovery Frequency:
| Zone | Discovery Schedule | Rationale |
|---|---|---|
| Zone 1 | Weekly | Personal productivity; lower governance priority |
| Zone 2 | Daily | Team collaboration; moderate risk exposure |
| Zone 3 | Daily + real-time alerts | Enterprise operations; regulatory requirements |
Mandatory Metadata Requirements:
- Universal (all zones): Owner, Agent Name, Environment, Creation Date
- Zone 2 and above: Zone Classification, Risk Rating, Description, Last Modified Date
- Zone 3 only: Approvals (date, approver), Compliance Status, Audit Trail, Decommissioning Plan
Remediation SLAs:
| Issue Type | Zone 1 SLA | Zone 2 SLA | Zone 3 SLA |
|---|---|---|---|
| Missing metadata | 30 days | 14 days | 7 days |
| Orphaned agent | 60 days | 30 days | 14 days |
| Unmanaged agent (never registered) | 90 days | 30 days | 7 days |
| Invalid owner (departed user) | 30 days | 14 days | 7 days |
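As an added example, not code from this control's agent-inventory-enforcement-monitor solution: a PowerShell script that applies the Mandatory Metadata Requirements and Remediation SLA tables above to an inventory export, flags orphaned, unmanaged and invalid-owner agents as the Automated Validation section describes, and writes a SHA-256 hashed evidence file. The inventory records, the active-user list, the `Registered` flag and the field names are assumptions standing in for a PPAC Agent Inventory export and an Entra ID active-user lookup.

```powershell
# Added example: zone-based inventory completeness check. $inventory and $activeUsers are
# constructed stand-ins for a PPAC Agent Inventory export and an Entra ID active-user query.
$requiredByZone = @{
    1 = @('Owner','AgentName','Environment','CreationDate')
    2 = @('Owner','AgentName','Environment','CreationDate','Zone','RiskRating','Description','LastModifiedDate')
    3 = @('Owner','AgentName','Environment','CreationDate','Zone','RiskRating','Description','LastModifiedDate',
          'Approvals','ComplianceStatus','AuditTrail','DecommissioningPlan')
}
# Remediation SLA in days, indexed by issue type then zone (from the table above)
$slaDays = @{
    'Missing metadata' = @{ 1 = 30; 2 = 14; 3 = 7 }
    'Orphaned agent'   = @{ 1 = 60; 2 = 30; 3 = 14 }
    'Unmanaged agent'  = @{ 1 = 90; 2 = 30; 3 = 7 }
    'Invalid owner'    = @{ 1 = 30; 2 = 14; 3 = 7 }
}
function Test-AgentInventory {
    param([object[]]$Inventory, [string[]]$ActiveUsers, [datetime]$AsOf = (Get-Date))
    foreach ($agent in $Inventory) {
        $zone = [int]$agent.Zone
        if (-not $requiredByZone.ContainsKey($zone)) { $zone = 3 }  # unknown zone: apply strictest rules
        $issues = @()
        if (-not $agent.Registered) { $issues += 'Unmanaged agent' }  # assumed flag: never registered
        if ([string]::IsNullOrWhiteSpace($agent.Owner)) { $issues += 'Orphaned agent' }
        elseif ($ActiveUsers -notcontains $agent.Owner) { $issues += 'Invalid owner' }  # departed user
        $missing = @($requiredByZone[$zone] | Where-Object { $_ -ne 'Owner' -and [string]::IsNullOrWhiteSpace($agent.$_) })
        if ($missing.Count -gt 0) { $issues += 'Missing metadata' }
        foreach ($issue in $issues) {
            $detail = if ($issue -eq 'Missing metadata') { $missing -join ',' } else { $agent.Owner }
            [pscustomobject]@{
                AgentName = $agent.AgentName; Zone = $zone; Issue = $issue; Detail = $detail
                DueDate   = $AsOf.AddDays($slaDays[$issue][$zone]).ToString('yyyy-MM-dd')
            }
        }
    }
}
# Constructed sample export: one clean agent, one with a departed owner, one unmanaged orphan
$activeUsers = @('alice@contoso.example', 'bob@contoso.example')
$inventory = @(
    [pscustomobject]@{ AgentName='ExpenseHelper'; Zone=1; Owner='alice@contoso.example'; Environment='Personal-Alice'; CreationDate='2025-11-02'; Registered=$true }
    [pscustomobject]@{ AgentName='TradeDeskFAQ'; Zone=2; Owner='carol@contoso.example'; Environment='Team-Trading'; CreationDate='2025-06-14'; RiskRating='Medium'; Description='Trading desk FAQ'; LastModifiedDate='2026-01-20'; Registered=$true }
    [pscustomobject]@{ AgentName='KYCAssist'; Zone=3; Owner=''; Environment='Prod-Onboarding'; CreationDate='2025-03-01'; RiskRating='High'; Description='KYC intake'; LastModifiedDate='2026-01-30'; Approvals='2025-02-20 CRO'; ComplianceStatus='Compliant'; Registered=$false }
)
$findings = Test-AgentInventory -Inventory $inventory -ActiveUsers $activeUsers -AsOf (Get-Date '2026-02-03')
$findings | Format-Table -AutoSize
# Evidence export with SHA-256 integrity hash for the audit trail
$evidence = Join-Path ([IO.Path]::GetTempPath()) 'agent-inventory-findings.csv'
$findings | Export-Csv -Path $evidence -NoTypeInformation
"Evidence file: $evidence`nSHA-256: $((Get-FileHash -Path $evidence -Algorithm SHA256).Hash)"
```

On the sample data the script reports an invalid owner for TradeDeskFAQ (due 2026-02-17) and, for KYCAssist, an unmanaged agent and missing AuditTrail/DecommissioningPlan metadata (both due 2026-02-10) plus an orphaned-agent finding (due 2026-02-17); a real run would replace the sample arrays with the PPAC export and an Entra ID user query.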
Implementation Caveats
Regulatory Compliance Considerations
Implementation of this control requires:
- Change Management Integration: All inventory enforcement actions (ownership changes, decommissioning) must follow documented change management procedures with approval gates
- Data Retention Compliance: Decommissioned agent metadata and audit trails must be retained per regulatory requirements (typically 7 years for FSI)
- User Privacy: Ownership tracking and automated notifications must comply with organizational privacy policies and employment regulations
- Business Continuity: Orphaned agent remediation must not disrupt critical business processes; coordinate with business owners before decommissioning
Organizations should verify that inventory enforcement procedures align with existing IT governance frameworks and regulatory obligations.
Updated: February 2026 | Version: v1.3 | UI Verification Status: Current