Governance Fundamentals
Core concepts and principles for AI agent governance in financial services.
Adaptive Governance Philosophy
This framework is built on the principle of adaptive governance: controls that scale proportionally with risk rather than applying uniform restrictions across all agent use cases. A low-risk personal productivity agent is not the same as an agent connected to a core business system — governance should reflect that difference.
Adaptive governance rests on three operational pillars:
- Classify risk clearly — The three governance zones (Personal, Team, Enterprise) provide graduated risk classification that determines the level of oversight, approval, and audit requirements for each agent.
- Enforce through the platform — Governance is most effective when it is inherent to the platform, not layered on through policy documents alone. Managed environments, environment groups, DLP policies, and environment routing enforce boundaries automatically — reducing reliance on manual processes and individual compliance.
- Create promotion paths — Rather than restricting all agent development, the framework provides a supported path from personal experimentation (Zone 1) through team collaboration (Zone 2) to enterprise production (Zone 3). Sharing limits paired with zone progression criteria create a clear on-ramp: agents can scale when they meet the governance requirements of the next zone.
Why This Matters
Governance models that only restrict — without providing supported paths for innovation — tend to drive shadow IT. By combining platform-enforced controls with clear promotion criteria, organizations can let teams experiment freely in Zone 1 while requiring deliberate promotion, review, and accountability when agents are ready to reach broader audiences.
Framework Overview
The FSI Agent Governance Framework provides complete guidance for deploying, governing, and managing Microsoft 365 agents (Copilot Studio, Agent Builder, and related AI services) in regulated financial services environments.
Version: 1.2.53 (March 2026) Target Audience: US Financial Services Organizations Regulatory Focus: FINRA, SEC, SOX, GLBA, OCC, Federal Reserve, FDIC, NCUA, CFTC
Warning
This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See Disclaimer for full details.
Scope and Assumptions
What This Framework Covers
This framework provides governance guidance for:
- Copilot Studio agents
- Agent Builder agents
- Power Platform environments hosting agents
- SharePoint as a knowledge source for agents
Agent Types In Scope
| Agent Type | In Scope? | Governance Location |
|---|---|---|
| Copilot Studio custom agents | Primary focus | Power Platform Admin Center |
| Agent Builder agents (M365) | Primary focus | M365 Admin Center + PPAC |
| Microsoft-built agents (Researcher, Analyst, Facilitator) | Partial | M365 Admin Center (limited controls) |
| Third-party/partner agents | Varies by integration | M365 Admin Center |
| Agent 365 control plane | GA (May 1, 2026) | M365 Admin Center |
Microsoft Agent 365 — Generally Available May 1, 2026
Microsoft Agent 365 is the centralized control plane for agent governance, announced at Ignite 2025 and generally available as of May 1, 2026. It provides centralized agent registry, Entra Agent ID, lifecycle management, and observability dashboards. At GA, Agent 365 transitions from preview per-agent-instance licensing to per-user licensing — agents acting on behalf of a licensed user are covered under that user's Agent 365 or Microsoft 365 E7 license. See Agent 365 overview for current details.
Entra Agent ID (Public Preview)
Entra Agent ID provides first-class agent identities in Microsoft Entra, enabling Conditional Access, Identity Protection, and lifecycle management for AI agents. Currently in Public Preview since November 2025. See Agent Identity Architecture for implementation guidance and FSI readiness assessment.
Microsoft-Built Agent Applicability
Microsoft-built agents (Researcher, Analyst, Facilitator) have limited governance options. Control applicability:
| Control Category | Applicability | Notes |
|---|---|---|
| 1.2 Agent Registry | Partial | Visible in M365 Admin Center only |
| 1.5 DLP/Sensitivity Labels | Full | Tenant-wide policies apply |
| 1.7 Audit Logging | Full | Logged via OfficeActivity |
| 2.1 Managed Environments | N/A | Not in Power Platform |
| 2.3 Change Management | N/A | Managed by Microsoft |
| 3.1 Agent Inventory | Full | Visible in M365 Admin Center |
| 3.2 Usage Analytics | Full | Copilot usage reports |
| 4.1-4.9 SharePoint | Full | Grounding data governance applies |
Zone Classification: Based on data access - Zone 1 (personal M365), Zone 2 (team sites), Zone 3 (regulated content).
Limited Customization
Microsoft-built agents cannot be configured. Governance focuses on data access control, usage monitoring, and output supervision.
What This Framework Does NOT Cover
- Non-US regulations (EU AI Act, GDPR, DORA, MiFID II are out of scope)
- Non-Microsoft AI platforms (OpenAI direct, AWS Bedrock, Google Vertex AI, etc.)
- Custom ML model development, training, or validation
- Quantitative model risk management (requires dedicated MRM programs)
- State privacy laws (CCPA/CPRA require separate analysis)
- Third-party AI integrations outside Microsoft 365 ecosystem
Key Assumptions
| Assumption | Rationale |
|---|---|
| Microsoft 365 E3/E5 | Required for Copilot Studio, Purview, and advanced governance features |
| Microsoft Entra ID | Identity and access management foundation |
| Microsoft Purview | Compliance and data governance capabilities |
| Power Platform licensing | Required for environment management and DLP policies |
| Foundational IT controls | Network security, endpoint protection, backup/recovery assumed in place |
| Identity and access hygiene | Existing permissions are correctly scoped before agent deployment |
Agents Expose Existing Permission Problems
Agents generally operate under the calling user's identity and permissions — they do not create new access rights. This means agents do not introduce permission problems; they surface existing over-permissioning faster by making previously obscure but technically accessible content more discoverable. Organizations should audit and remediate identity and access management (IAM) gaps — particularly oversharing in SharePoint, broad security group memberships, and excessive delegated permissions — before deploying agents broadly. See DSPM for AI and M365 Copilot Data Governance for assessment tools and remediation guidance.
Four Governance Pillars
The framework organizes 78 controls across four pillars:
| Pillar | Controls | Focus | Examples |
|---|---|---|---|
| 1. Security | 29 | Protect data and systems | DLP, Audit, Encryption, MFA, eDiscovery, Network Isolation, Information Barriers |
| 2. Management | 26 | Govern lifecycle and risk | Change Control, Testing, Model Risk, Multi-Agent Orchestration, HITL Framework |
| 3. Reporting | 14 | Monitor and track | Inventory, Usage, PPAC, Sentinel, Hallucination Feedback |
| 4. SharePoint | 9 | SharePoint-specific controls | Access, Retention, External Sharing, Grounding Scope, Copilot Data Governance |
Note: Pillar 4 specializes Pillars 1-3 for SharePoint as an agent knowledge source. Controls address SharePoint-specific implementation of data protection, access governance, and content management.
Three Governance Zones
Agents are classified into zones based on risk level:
| Zone | Risk Level | Data Access | Approval | Audit Retention |
|---|---|---|---|---|
| Zone 1: Personal | Low | M365 Graph only | Self-service | 30 days |
| Zone 2: Team | Medium | Internal data | Manager approval | 1 year |
| Zone 3: Enterprise | High | Regulated data | Governance Committee | 10 years |
See Zones and Tiers for detailed zone definitions and selection criteria.
Governance Triangle
Effective agent governance operates through three interconnected layers:
Policy Layer (Technical Controls)
Automated guardrails that enforce governance without manual intervention:
| Component | Purpose | Implementation |
|---|---|---|
| Environment Groups | Consistent policy across environments | PPAC environment groups |
| Group Rules | Connector, sharing, channel controls | Environment group rules |
| DLP Policies | Data boundary enforcement | Data policies |
| Environment Routing | Automatic maker placement | Default environment routing |
Process Layer (Operational Workflows)
How governance decisions are made and executed:
- Agent Lifecycle Management — Creation, testing, deployment, monitoring, retirement
- Approval Workflows — Zone-appropriate authorization paths
- Change Control — Controlled promotion between environments
- Incident Response — Detection, investigation, remediation procedures
- Compliance Reviews — Scheduled verification of control effectiveness
People Layer (Organizational Structure)
Accountability and human oversight:
| Role | Governance Function | Zone Focus |
|---|---|---|
| AI Governance Lead | Framework ownership, policy decisions | All zones |
| Power Platform Admin | Technical implementation, environment management | Zones 2-3 |
| Compliance Officer | Regulatory alignment, audit coordination | Zones 2-3 |
| Business Owner | Agent sponsorship, use case validation | Per agent |
| Security / CISO | Threat monitoring, incident response | Zone 3 |
How the Layers Interact
- Policy enables Process — Technical controls automate workflow enforcement
- Process guides People — Defined procedures clarify responsibilities
- People inform Policy — Human judgment shapes control configuration
Trust by Design with Built-In Verification
The Governance Triangle reflects a trust-by-design approach: strong proactive controls (Policy Layer) set boundaries that allow agents to operate with appropriate autonomy, while reactive controls (Process Layer) verify those boundaries hold through monitoring, diagnostics, and audit trails.
This mirrors how organizations manage other operational risks. Consider expense approvals: humans unintentionally approve incorrect items regularly, and that risk is managed through audits, compensating controls, and limits on blast radius — not by eliminating approvals entirely. Agent governance follows the same principle: know what happened, understand why it happened, and contain the impact when outcomes differ from expectations.
- Proactive controls — DLP policies, sharing limits, environment groups, publishing restrictions
- Reactive controls — Audit logging, Sentinel integration, compliance reporting, incident response
- Compensating controls — Hallucination feedback loops, access reviews, orphaned agent detection
FSI Note
In regulated environments, all three layers must be documented and auditable. Examiners expect evidence of policy configuration, process execution, and role assignment.
Governance Maturity Levels
Each control supports three implementation levels:
| Level | Name | Description | Typical Use |
|---|---|---|---|
| Level 1 | Baseline | Minimum required implementation | Initial deployment, Zone 1 |
| Level 2-3 | Recommended | Best practice implementation | Zone 2, most production agents |
| Level 4 | Regulated/High-Risk | Comprehensive controls | Zone 3, customer-facing agents |
Maturity Assessment
For compliance tracking, use the 5-point maturity scale: Level 0 (Not implemented), Level 1 (Baseline), Level 2-3 (Recommended), Level 4 (Regulated). See FAQ for percentages.
Control Implementation Approach
- Assess — Current state vs. required level
- Implement — Follow playbook guidance
- Verify — Use verification procedures
- Document — Record evidence for audit
- Review — Schedule recurring reviews
Integration with Existing Governance
This framework is designed to complement, not replace existing enterprise governance programs:
- Integrate controls with your existing IT risk management framework
- Align with enterprise information security policies
- Coordinate with records retention and eDiscovery requirements
- Map to your organization's internal audit program
Note
Organizations should validate all controls against their specific regulatory obligations and existing policy frameworks.
Framework Documentation Structure
Three-Layer Architecture
| Layer | Audience | Update Frequency | Content |
|---|---|---|---|
| Framework (this layer) | Executives, compliance, governance | 1-2x per year | Principles, zones, regulatory context |
| Control Catalog | Compliance officers, architects | Quarterly | Control objectives, requirements |
| Playbooks | Platform teams, operations | Continuous | Portal steps, scripts, screenshots |
Navigation Guide
For Governance Questions:
- Framework Overview — This layer
- Zones and Tiers — Classification requirements
- Operating Model — Roles and responsibilities
For Control Requirements:
- Control Catalog — All 78 controls
- Regulatory Framework — Regulation-to-control mappings
For Implementation:
- Playbooks — Step-by-step procedures
- Adoption Roadmap — Phased implementation
Quick Reference
Getting Started
- Read Executive Summary (10 minutes)
- Review Zones and Tiers to classify agents (15 minutes)
- Check Regulatory Framework for applicable regulations (10 minutes)
For Implementation
- Use the Adoption Roadmap for phased approach
- Reference Control Catalog for requirements
- Follow Playbooks for step-by-step procedures
- Schedule reviews per Governance Cadence
For Governance
- Use the Operating Model for roles and responsibilities
- Establish governance committee per Zones and Tiers
- Schedule recurring compliance reviews
- Track incidents per playbook procedures
Further Reading
- Building Trustworthy AI: A Practical Framework for Adaptive Governance — Microsoft Power Platform Blog (April 2026). Discusses adaptive governance, graduated risk zones, and platform-enforced controls for AI agents.
- Agent Identity Architecture — Entra Agent ID and Agent 365 governance architecture
- Zones and Tiers — Detailed zone definitions and progression criteria
FSI Agent Governance Framework v1.4.0 - April 2026