Solutions Integration

How FSI-AgentGov-Solutions automation aligns with the governance framework.


Overview

The FSI Agent Governance Framework defines what controls organizations should implement. The FSI-AgentGov-Solutions repository provides the how: ready-to-deploy automation that operationalizes key controls.

flowchart TB
    subgraph Framework["FSI-AgentGov (Framework)"]
        direction TB
        P1[Pillar 1: Security<br/>28 Controls]
        P2[Pillar 2: Management<br/>24 Controls]
        P3[Pillar 3: Reporting<br/>12 Controls]
        P4[Pillar 4: SharePoint<br/>7 Controls]
    end

    subgraph Solutions["FSI-AgentGov-Solutions (19 of 27 Solutions Shown)"]
        direction TB
        ELM[Environment Lifecycle<br/>Management]
        MCM[Message Center<br/>Monitor]
        PGC[Pipeline Governance<br/>Cleanup]
        DEC[Deny Event<br/>Correlation]
        FSW[FINRA Supervision<br/>Workflow]
        CAA[Conditional Access<br/>Automation]
        CD[Compliance<br/>Dashboard]
        SDD[Segregation<br/>Detector]
        SDM[Scope Drift<br/>Monitor]
        RSV[RAG Source<br/>Validator]
        COI[COI Testing<br/>Framework]
        HT[Hallucination<br/>Tracker]
        DR[DR Testing<br/>Framework]
        SSC[Session Security<br/>Configurator]
        FUS[File Upload<br/>Security]
        ACM[Audit Compliance<br/>Manager]
        AAM[Agent Access<br/>Monitor]
        CMM[Content Moderation<br/>Monitor]
        CSI[Cross-Solution<br/>Integration]
    end

    P2 --> ELM
    P2 --> MCM
    P2 --> PGC
    P1 --> DEC
    P3 --> DEC
    P2 --> FSW
    P1 --> CAA
    P3 --> CD
    P2 --> SDD
    P1 --> SDM
    P2 --> RSV
    P2 --> COI
    P3 --> HT
    P2 --> DR
    P1 --> SSC
    P1 --> FUS
    P1 --> ACM
    P3 --> AAM
    P1 --> CMM
    P1 --> CSI
    P3 --> CSI
    CSI --> CD
    CSI --> ELM

Solution-to-Control Mapping

Environment Lifecycle Management

Automates environment provisioning with zone classification.

| Control | How Solution Helps |
| --- | --- |
| 2.1 Managed Environments | Automatically enables managed environment settings during provisioning |
| 2.2 Environment Groups | Assigns environments to zone-appropriate environment groups |
| 2.15 Environment Routing | Implements default environment policies through provisioning workflow |

Applicable Zones: Zone 2, Zone 3

Playbook: Environment Lifecycle Management


Message Center Monitor

Operationalizes platform change tracking for governance workflows.

| Control | How Solution Helps |
| --- | --- |
| 2.3 Change Management | Delivers structured notifications for platform changes requiring assessment |
| 2.10 Patch Management | Tracks Microsoft-initiated updates affecting Power Platform and M365 |

Applicable Zones: All zones (organization-wide)

Playbook: Platform Change Governance


Pipeline Governance Cleanup

Transitions from personal to centralized deployment pipelines.

| Control | How Solution Helps |
| --- | --- |
| 2.3 Change Management | Enforces centralized ALM governance by removing ungoverned personal pipelines |

Applicable Zones: Zone 2, Zone 3 (production-path environments)

Related Control: 2.3 - Change Management


Deny Event Correlation Report

Aggregates block events for unified compliance visibility.

| Control | How Solution Helps |
| --- | --- |
| 1.5 DLP and Sensitivity Labels | Correlates DLP policy violation events |
| 1.7 Comprehensive Audit Logging | Extracts Purview audit events for agent activities |
| 3.4 Incident Reporting | Provides unified deny event view for incident investigation |

Applicable Zones: Zone 2, Zone 3

Status: Validated

Playbook: Deny Event Correlation Report


FINRA Supervision Workflow

Automates supervision queue for AI agent outputs supporting FINRA Rule 3110.

| Control | How Solution Helps |
| --- | --- |
| 2.12 Supervision and Oversight | Routes flagged content to supervisory principals with SLA tracking |
| 1.10 Communication Compliance | Ingests policy violations from Communication Compliance |
| 1.7 Comprehensive Audit Logging | Maintains immutable audit trail with SHA-256 integrity hashing |

Applicable Zones: Zone 2, Zone 3

Status: Validated

Repository Link: finra-supervision-workflow

Prerequisites:

- Microsoft Purview Communication Compliance configured
- Supervisory principal role assignments in place
- Dataverse database with appropriate capacity


Conditional Access Automation

Automates CA policy deployment and compliance monitoring for AI workloads.

| Control | How Solution Helps |
| --- | --- |
| 1.11 Conditional Access and MFA | Deploys 8 zone-aligned CA policies with break-glass exclusions |
| 1.23 Step-Up Authentication | Enforces step-up authentication for sensitive agent operations |
| 1.18 Service Principal Governance | Validates service principal access controls meet zone requirements |

Applicable Zones: All zones (zone-specific policy requirements)

Status: Completed

Repository Link: conditional-access-automation

Prerequisites:

- Microsoft Entra ID P1 licenses
- Break-glass account configuration
- Zone classification completed


Compliance Dashboard

Unified compliance visibility across all 71 framework controls.

| Control | How Solution Helps |
| --- | --- |
| 3.3 Compliance and Regulatory Reporting | Aggregates control scores with zone-based filtering and trend analysis |
| 3.1 Agent Inventory and Metadata Management | Provides executive visibility into governance posture |
| 3.2 Usage Analytics and Activity Monitoring | Integrates security control scores with operational metrics |

Applicable Zones: All zones (organization-wide reporting)

Status: Completed

Repository Link: compliance-dashboard

Prerequisites:

- Power BI Pro licenses for dashboard consumers
- Dataverse database with appropriate capacity
- Control assessment process established


Segregation of Duties Detector

Identifies and helps prevent SoD violations in agent development workflows.

| Control | How Solution Helps |
| --- | --- |
| 2.8 Access Control and Segregation of Duties | Scans for incompatible role assignments across development and deployment |
| 2.1 Managed Environments | Validates Maker/Checker separation in environment configurations |
| 2.3 Change Management | Enforces deployment approval separation from developer roles |

Applicable Zones: Zone 2, Zone 3

Status: Validated

Repository Link: segregation-detector

Prerequisites:

- Environment role assignments documented
- SoD policy requirements defined
- Exception approval workflow established


Scope Drift Monitor

Detects agent data access beyond declared operational scope.

| Control | How Solution Helps |
| --- | --- |
| 1.14 Data Minimization and Agent Scope Control | Compares actual data access against declared scope baselines |
| 1.4 Connector Governance | Monitors connector usage for scope expansion patterns |
| 1.5 DLP and Sensitivity Labels | Correlates DLP events with scope violation alerts |

Applicable Zones: Zone 2, Zone 3

Status: Completed

Repository Link: scope-drift-monitor

Prerequisites:

- Agent scope baselines defined
- Unified Audit Log enabled
- Defender for Cloud Apps configured


RAG Source Validator

Validates integrity of RAG knowledge sources with change detection.

| Control | How Solution Helps |
| --- | --- |
| 2.16 RAG Source Integrity Validation | SHA-256 hash validation detects unauthorized content modifications |
| 1.7 Comprehensive Audit Logging | Tracks knowledge source changes with immutable audit trail |
| 2.13 Documentation and Record Keeping | Monitors knowledge source freshness for RAG model accuracy |

Applicable Zones: Zone 2, Zone 3

Status: Work In Progress

Repository Link: rag-source-validator

Prerequisites:

- RAG knowledge sources cataloged
- Baseline hash values generated
- SharePoint/Dataverse/Blob access configured


Conflict of Interest Testing Framework

Automated testing for conflicts of interest in agent recommendations.

| Control | How Solution Helps |
| --- | --- |
| 2.18 Automated Conflict of Interest Testing | Runs 10 predefined scenarios for proprietary bias and suitability violations |
| 2.11 Bias Testing and Fairness Assessment | Integrates COI testing into agent validation lifecycle |
| 2.5 Testing, Validation, and Quality Assurance | Provides evidence for COI risk mitigation |

Applicable Zones: Zone 2, Zone 3

Status: Work In Progress

Repository Link: coi-testing

Prerequisites:

- Test scenarios aligned with product catalog
- Integration with FINRA Supervision Workflow
- Agent response baselines established


Hallucination Tracker

Feedback aggregation for hallucination pattern analysis.

| Control | How Solution Helps |
| --- | --- |
| 3.10 Hallucination Feedback Loop | Collects multi-source feedback and clusters hallucination patterns |
| 2.9 Continuous Monitoring | Tracks hallucination trends for model performance degradation |
| 2.12 Supervision and Oversight | Routes high-severity hallucinations to supervisory review |

Applicable Zones: Zone 2, Zone 3

Status: Work In Progress

Repository Link: hallucination-tracker

Prerequisites:

- Feedback collection channels configured
- Hallucination taxonomy aligned with firm policies
- Integration with FINRA Supervision Workflow


DR Testing Framework

Automated disaster recovery testing for AI agent infrastructure.

| Control | How Solution Helps |
| --- | --- |
| 2.4 Business Continuity and Disaster Recovery | Validates agent restore procedures against RTO/RPO targets |
| 2.1 Managed Environments | Tests environment failover for production agent infrastructure |
| 1.9 Data Retention and Deletion Policies | Verifies backup integrity for agent configurations and data |

Applicable Zones: Zone 3 (Enterprise Managed)

Status: Work In Progress

Repository Link: dr-testing-framework

Prerequisites:

- RTO/RPO targets defined
- DR environment provisioned
- Backup and restore procedures documented


Session Security Configurator

Validates session security settings per governance zone with drift detection and compliance evidence export.

| Control | How Solution Helps |
| --- | --- |
| 1.23 Step-Up Authentication | Validates session timeout and authentication challenge configurations per zone |
| 1.11 Conditional Access and MFA | Monitors MFA enforcement alignment with zone requirements |

Applicable Zones: Zone 2, Zone 3

Status: Completed

Repository Link: session-security-configurator


File Upload Security Configurator

Validates per-agent file upload settings against zone governance policies with drift detection.

| Control | How Solution Helps |
| --- | --- |
| 1.14 Data Minimization | Validates file upload restrictions align with agent scope declarations |
| 1.8 Runtime Protection | Monitors file upload configurations for security compliance |
| 1.4 Advanced Connector Policies | Validates connector-level file upload restrictions |

Applicable Zones: Zone 2, Zone 3

Status: Completed

Repository Link: file-upload-security


Audit Compliance Manager

Validates tenant and environment audit configurations, detects compliance gaps, and provides approval-gated remediation with Managed Identity authentication.

| Control | How Solution Helps |
| --- | --- |
| 1.7 Comprehensive Audit Logging | Validates audit log configuration completeness, detects gaps, and remediates non-compliant environments with approval workflows |

Applicable Zones: All zones

Status: Completed

Repository Link: audit-compliance-manager


Agent Access Governance Monitor

Detects overly permissive agent access configurations per governance zone.

| Control | How Solution Helps |
| --- | --- |
| 3.8 Copilot Hub | Monitors agent access settings and identifies governance gaps |

Applicable Zones: All zones

Status: Work In Progress

Repository Link: agent-access-monitor


Content Moderation Governance Monitor

Validates per-agent content moderation levels against zone-specific governance requirements.

| Control | How Solution Helps |
| --- | --- |
| 1.27 Content Moderation Enforcement | Validates per-agent content moderation levels against zone-specific governance requirements |
| 1.8 Runtime Protection | Validates content moderation settings meet zone protection requirements |

Applicable Zones: Zone 2, Zone 3

Status: Completed

Repository Link: content-moderation-monitor


Cross-Solution Integration Layer

The Cross-Solution Integration layer wires five Tier 2 governance solutions into the Compliance Dashboard, adds ELM provisioning hooks, and delivers unified evidence export. This enables automated compliance scoring and consolidated audit evidence across all deployed solutions.

Integration Architecture

flowchart TB
    subgraph Tier2["Tier 2 Solutions"]
        ACM[Audit Compliance<br/>Manager<br/>→ Control 1.7]
        SSC[Session Security<br/>Configurator<br/>→ Controls 1.23, 1.11]
        AAM[Agent Access<br/>Monitor<br/>→ Control 3.8]
        CMM[Content Moderation<br/>Monitor<br/>→ Controls 1.27, 1.8]
        FUS[File Upload<br/>Security<br/>→ Control 1.14]
    end

    subgraph Integration["Cross-Solution Integration"]
        SYNC[Sync-Solution<br/>Assessments.ps1]
        FLOW[CD Solution Feed<br/>Collector Flow]
        CONFIG[IntegrationConfig<br/>Module]
        EXPORT[Unified Evidence<br/>Export]
    end

    subgraph Targets["Target Solutions"]
        CD[Compliance<br/>Dashboard]
        ELM[Environment<br/>Lifecycle Mgmt]
    end

    ACM --> SYNC
    SSC --> SYNC
    AAM --> SYNC
    CMM --> SYNC
    FUS --> SYNC

    ACM --> FLOW
    SSC --> FLOW
    AAM --> FLOW
    CMM --> FLOW
    FUS --> FLOW

    SYNC --> CD
    FLOW --> CD
    CONFIG --> SYNC
    CONFIG --> FLOW
    CONFIG --> EXPORT

    ELM -->|ProvisioningCompleted| ACM

    ACM --> EXPORT
    SSC --> EXPORT
    AAM --> EXPORT
    CMM --> EXPORT
    FUS --> EXPORT

Integration Components

| Component | Type | Purpose |
| --- | --- | --- |
| IntegrationConfig.psm1 | PowerShell Module | Shared configuration — solution-to-control mappings, status translation, canonical zone/severity values |
| Sync-SolutionAssessments.ps1 | PowerShell Script | Batch pipeline — queries Tier 2 validation tables, translates status, upserts CD assessment records |
| cd-solution-feed-collector.json | Power Automate Flow | Scheduled daily flow — alternative to PowerShell for organizations preferring low-code |
| elm-solution-initializer.json | Power Automate Flow | Event-driven — triggers on ELM ProvisioningCompleted to auto-register environments in ACM |
| Register-ProvisionedEnvironment.ps1 | PowerShell Script | Manual/scripted ACM registration — PowerShell alternative to the ELM flow |
| Export-UnifiedComplianceEvidence.ps1 | PowerShell Script | Exports governance data from all 5 solutions into auditor-ready package with SHA-256 hash chain |
| Test-UnifiedEvidenceIntegrity.ps1 | PowerShell Script | Verifies evidence package integrity by recalculating and comparing all hashes |
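
The SHA-256 hash chain and the recalculate-and-compare check that the table attributes to Export-UnifiedComplianceEvidence.ps1 and Test-UnifiedEvidenceIntegrity.ps1 can be illustrated as follows. This is an added example, not the repository's code: the function names, the manifest layout (content hash plus chained hash per entry), the separately stored head hash and the sample records are all assumptions.

```powershell
# Added illustration, not code from FSI-AgentGov-Solutions. Function names,
# manifest layout and sample records are assumptions made for this example.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '').ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function New-EvidenceManifest {
    param([Parameter(Mandatory)][object[]]$Records)
    $previous = '0' * 64    # fixed starting value for the first link
    for ($i = 0; $i -lt $Records.Count; $i++) {
        $contentHash = Get-Sha256Hex -Text $Records[$i].Content
        # Each link commits to the previous link, the source solution and the content.
        $previous = Get-Sha256Hex -Text "$previous|$($Records[$i].Solution)|$contentHash"
        [pscustomobject]@{ Index = $i; Solution = $Records[$i].Solution; ContentHash = $contentHash; ChainHash = $previous }
    }
}

function Test-EvidenceManifest {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][object[]]$Manifest,
        [Parameter(Mandatory)][string]$ExpectedHead   # kept outside the package
    )
    if ($Records.Count -ne $Manifest.Count) { return 'FAIL: record count differs from manifest' }
    $previous = '0' * 64
    for ($i = 0; $i -lt $Manifest.Count; $i++) {
        $contentHash = Get-Sha256Hex -Text $Records[$i].Content
        if ($contentHash -cne $Manifest[$i].ContentHash) {
            return "FAIL: content hash mismatch at entry $i ($($Records[$i].Solution))"
        }
        $previous = Get-Sha256Hex -Text "$previous|$($Records[$i].Solution)|$contentHash"
        if ($previous -cne $Manifest[$i].ChainHash) { return "FAIL: chain broken at entry $i" }
    }
    if ($previous -cne $ExpectedHead) { return 'FAIL: head hash differs from the anchored value' }
    'OK'
}

# Constructed sample records, one per Tier 2 solution named on this page.
$records = @(
    [pscustomobject]@{ Solution = 'audit-compliance-manager';      Content = '{"control":"1.7","status":1}' }
    [pscustomobject]@{ Solution = 'session-security-configurator'; Content = '{"control":"1.23","status":1}' }
    [pscustomobject]@{ Solution = 'agent-access-monitor';          Content = '{"control":"3.8","status":2}' }
    [pscustomobject]@{ Solution = 'content-moderation-monitor';    Content = '{"control":"1.27","status":1}' }
    [pscustomobject]@{ Solution = 'file-upload-security';          Content = '{"control":"1.14","status":3}' }
)
$manifest = @(New-EvidenceManifest -Records $records)
$head = $manifest[-1].ChainHash    # store or sign this separately from the package
Test-EvidenceManifest -Records $records -Manifest $manifest -ExpectedHead $head

# Case 1: a record is edited after export, so its content hash no longer matches.
$records[2].Content = '{"control":"3.8","status":1}'
Test-EvidenceManifest -Records $records -Manifest $manifest -ExpectedHead $head

# Case 2: the manifest is regenerated over the edited records. The chain is
# internally consistent again, so only the anchored head exposes the change.
$forged = @(New-EvidenceManifest -Records $records)
Test-EvidenceManifest -Records $records -Manifest $forged -ExpectedHead $head
```

A chain of this kind proves integrity only relative to its head hash, so the head has to be stored or signed somewhere that whoever holds the evidence package cannot rewrite.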

Data Flow Summary

| Source | Target | Mechanism | Frequency |
| --- | --- | --- | --- |
| 5 Tier 2 solutions | Compliance Dashboard | Sync script or PA flow | Daily |
| ELM provisioning log | ACM environment registry | PA flow or PS script | Event-driven |
| 5 Tier 2 solutions | Evidence export | PS script | On-demand |

Status Translation

Each Tier 2 solution stores compliance status in a different format. The integration layer normalizes them all to the Compliance Dashboard's four-value scale:

| CD Status | Value | Meaning |
| --- | --- | --- |
| Compliant | 1 | All validations pass |
| Partially Compliant | 2 | Some validations pass |
| Non-Compliant | 3 | Critical failures detected |
| Not Assessed | 4 | No recent validation data |

Repository Link: cross-solution-integration


Zone Applicability Matrix

| Solution | Zone 1 | Zone 2 | Zone 3 | Notes |
| --- | --- | --- | --- | --- |
| Environment Lifecycle Management | | | | Zone 1 uses default environment |
| Message Center Monitor | | | | Organization-wide change tracking |
| Pipeline Governance Cleanup | | | | Only applies to production paths |
| Deny Event Correlation | | | | Zone 2/3 have audit requirements |
| FINRA Supervision Workflow | | | | Required for customer-facing agents |
| Conditional Access Automation | | | | Zone-specific policy requirements |
| Compliance Dashboard | | | | Organization-wide reporting |
| Segregation Detector | | | | SoD required for production paths |
| Scope Drift Monitor | | | | Data minimization for regulated data |
| Session Security Configurator | | | | Zone-specific session settings |
| File Upload Security | | | | Per-agent upload validation |
| Audit Compliance Manager | | | | Tenant-wide audit configuration |
| Agent Access Monitor | | | | Organization-wide access governance |
| Content Moderation Monitor | | | | Moderation for regulated agents |
| RAG Source Validator | | | | Knowledge integrity for compliance |
| COI Testing | | | | Customer-facing recommendations only |
| Hallucination Tracker | | | | Customer-facing agents require tracking |
| DR Testing | | | | Production disaster recovery only |
| Cross-Solution Integration | | | | Organization-wide — feeds CD, evidence export |

Pillar Coverage

| Pillar | Solutions Covering | Coverage Notes |
| --- | --- | --- |
| Pillar 1: Security | Deny Event Correlation, Conditional Access Automation, Scope Drift Monitor, Session Security Configurator, File Upload Security, Audit Compliance Manager, Content Moderation Monitor | DLP correlation, access controls, data minimization, session security, audit validation and remediation |
| Pillar 2: Management | ELM, MCM, PGC, FINRA Supervision, Segregation Detector, RAG Validator, COI Testing, DR Testing | Environment lifecycle, change management, supervision, testing |
| Pillar 3: Reporting | Deny Event Correlation, Compliance Dashboard, Hallucination Tracker, Agent Access Monitor | Incident visibility, compliance reporting, feedback loops, access governance |
| Pillar 4: SharePoint | | SharePoint controls use native admin tools |

Deployment Sequence

For organizations implementing the full framework, deploy solutions in this order:

Phase 1: Foundation (Completed Solutions)

1. Message Center Monitor — Establishes platform change visibility
2. Environment Lifecycle Management — Provides governed provisioning
3. Pipeline Governance Cleanup — Transitions to centralized ALM

Phase 2: Compliance & Access Controls (Completed)

4. Conditional Access Automation — Deploys Zero Trust access policies
5. Deny Event Correlation — Aggregates security events
6. Compliance Dashboard — Establishes baseline compliance visibility
7. Scope Drift Monitor — Monitors data access patterns
8. Session Security Configurator — Validates session security per zone

Phase 3: Regulatory & Operational (Validated/In Progress)

9. FINRA Supervision Workflow — Routes customer-facing content for review
10. Segregation Detector — Validates role separation before production use
11. RAG Source Validator — Validates knowledge source integrity
12. Cross-Solution Integration — Wires Tier 2 solutions into Compliance Dashboard

Phase 4: Quality & Resilience (Work In Progress)

13. COI Testing — Tests for conflicts of interest
14. Hallucination Tracker — Collects feedback for model improvement
15. DR Testing Framework — Validates disaster recovery procedures


Repository Structure

FSI-AgentGov-Solutions/
├── environment-lifecycle-management/      # v1.1.2 (Completed)
├── message-center-monitor/               # v2.1.1 (Completed)
├── pipeline-governance-cleanup/          # v1.0.8 (Completed)
├── deny-event-correlation-report/        # v2.0.0 (Completed)
├── finra-supervision-workflow/           # v1.0.0 (Validated)
├── conditional-access-automation/        # v1.1.0 (Completed)
├── compliance-dashboard/                 # v1.0.0 (Completed)
├── segregation-detector/                 # v1.0.0 (Validated)
├── scope-drift-monitor/                  # v1.1.0 (Completed)
├── rag-source-validator/                 # v1.0.0 (Work In Progress)
├── session-security-configurator/        # v1.0.0 (Completed)
├── file-upload-security/                 # v1.0.0 (Completed)
├── audit-compliance-manager/             # v1.0.0 (Completed)
├── agent-access-monitor/                 # v1.0.0 (Work In Progress)
├── content-moderation-monitor/           # v1.0.0 (Completed)
├── coi-testing/                          # v1.0.0 (Work In Progress)
├── hallucination-tracker/                # v1.0.0 (Work In Progress)
├── dr-testing-framework/                 # v1.0.0 (Work In Progress)
├── cross-solution-integration/           # v1.0.0 (Completed)
│   ├── flows/                            # Power Automate flow templates
│   ├── scripts/powershell/               # PowerShell modules and scripts
│   ├── docs/                             # Integration documentation
│   └── evidence/                         # Evidence export staging
├── scripts/
│   └── hooks/
└── .claude/

CoE Starter Kit Alignment

Microsoft's Power Platform Center of Excellence (CoE) Starter Kit provides comprehensive governance patterns. FSI-AgentGov-Solutions complements the CoE Starter Kit for financial services-specific requirements.

Comparison

Capability CoE Starter Kit FSI-AgentGov-Solutions
Environment inventory
Environment provisioning Basic Zone-based with approvals
Pipeline discovery ✓ (cleanup focused)
Message Center monitoring ✓ (simpler setup)
Deny event correlation
Power BI governance reports Limited

Integration Recommendations

| Scenario | Recommendation |
| --- | --- |
| Existing CoE deployment | Add ELM for zone-based provisioning, DEC for deny visibility |
| Greenfield FSI deployment | Deploy FSI solutions first, consider CoE for broader inventory |
| Enterprise hybrid | CoE for platform-wide governance, FSI solutions for AI agent-specific controls |

For detailed architecture guidance including scalability limits and alternative patterns, see the Solutions Architecture Guide.



Summary Statistics

Solutions: 27 automation solutions (25 deployable in FSI-AgentGov-Solutions + 2 framework-integrated advanced implementations)

Control Coverage: 34 of 71 controls (47.9%) have direct solution support

Status Distribution:

- Completed: 19 solutions (ELM, MCM, PGC, FUS, ACM, SSC, CMM, CAA, Compliance Dashboard, Scope Drift, Cross-Solution Integration, CHB, AUPW, UASD, ASCG, MIME, ITE, ASARD, AOF)
- Validated: 3 solutions (DECR, FINRA Supervision Workflow, Segregation Detector)
- Work In Progress: 5 solutions (RAG Source Validator, AAM, COI Testing, Hallucination Tracker, DR Testing)
- Planned: 0 solutions

Pillar Support:

- Pillar 1 (Security): 7 solutions (+ cross-solution integration)
- Pillar 2 (Management): 8 solutions
- Pillar 3 (Reporting): 4 solutions (+ cross-solution integration)
- Pillar 4 (SharePoint): 0 solutions


FSI Agent Governance Framework v1.2.51 - February 2026