Control 3.6 — Verification & Testing Playbook (Orphaned Agent Detection and Remediation)
Control: 3.6 — Orphaned Agent Detection and Remediation
Pillar: 3 — Reporting
Audience: AI Governance Lead, Compliance Officer, AI Administrator, Power Platform Admin, Entra Agent ID Admin, Entra Identity Governance Admin, Entra Global Reader, Purview Compliance Admin, HR / People Operations liaison, Internal Audit
Sovereign-cloud scope: Microsoft 365 Commercial, GCC, GCC High, DoD. 21Vianet is out of scope for this playbook (see SOV namespace).
Last UI verified: April 2026
Document Conventions
This playbook is the verification-and-testing artifact for Control 3.6 — Orphaned Agent Detection and Remediation. It is authored against framework version v1.4 and cites Microsoft UI and API surfaces as last verified in April 2026.
- Hedged regulatory language. This playbook supports compliance with FINRA Rule 3110 (Supervision), FINRA Rule 4511 (Books and Records), FINRA Regulatory Notice 25-07 (Generative-AI Supervision), SEC Rules 17a-3 / 17a-4 (Records and Retention), SOX Sections 302 / 404 (Internal Control over Financial Reporting), GLBA §501(b), OCC Bulletin 2011-12, Federal Reserve SR 11-7 (Model Risk Management), CFTC Regulation 1.31, and NYDFS 23 NYCRR Part 500. A clean execution does not guarantee compliance, does not replace written supervisory procedures, and supports — does not replace — registered-principal supervisory review under FINRA Rule 3110. Implementation requires organization-specific risk assessment and legal review. Organizations should verify current Microsoft Learn documentation, sovereign-cloud feature parity, and tenant entitlements at each cycle.
- Canonical role names. AI Administrator, Power Platform Admin, Entra Agent ID Admin, Entra Identity Governance Admin, Entra Global Reader, AI Governance Lead, Compliance Officer, Purview Compliance Admin, HR / People Operations. No title substitution (for example, "Global Administrator" is not a substitute for "Entra Global Admin").
- Terminology. The framework term is orphaned agent (five loss-of-accountability categories — see the control document); Microsoft surface terminology is ownerless agent (narrow definition — owner principal unset). Every ownerless agent is an orphaned agent; not every orphaned agent is ownerless.
- Backtick rule. Code identifiers are fenced with backticks in body text but not inside headings. Where a heading references (GCC / GCC High / DoD), the anchor slug is `gcc-gcc-high-dod` (no parentheses).
- PowerShell 7.4 + Pester 5.5. All automated assertions use Pester 5.5 `Describe`/`Context`/`It` blocks; all code is executable against PowerShell 7.4. Module versions are pinned in §0.2.
- Evidence schema. Every test emits a JSON evidence record conforming to the canonical schema in §1.1. The §14 pack assembler refuses to publish packs containing records that fail schema validation.
- What this playbook does NOT claim. It does not prove the absence of undiscovered shadow agents; it does not replace the registered-principal supervisory review required by FINRA Rule 3110 where that rule applies; it does not guarantee sovereign-cloud parity with commercial-cloud feature availability; and it does not substitute for the firm's written supervisory procedures or books-and-records program.
§0 Pre-Test Prerequisites and Sovereign Cloud Bootstrap
0.1 Operator role prerequisites
Orphan detection, reconciliation, and remediation read from identity, directory, Power Platform, SharePoint, Purview, and HR-connector surfaces, and write to the orphan register and to remediation ticketing. Read/write separation is enforced: every Pester suite in §2–§12 is read-only; any remediation cited from a FAIL routes to the sister PowerShell Setup or Portal Walkthrough under its own change ticket and its own write scopes.
| Role (canonical) | Required for | PIM activation window |
|---|---|---|
| AI Administrator | Reads Agent 365 Ownerless Agents card, agent inventory, inline Assign-Owner evidence; signs DETECT and RECONCILE evidence | 4 hours, just-in-time |
| Power Platform Admin | Reads PPAC agent / environment / maker metadata; exports `Get-AdminPowerApp`, `Get-AdminPowerAppEnvironment`; reads Dataverse maker tables | 4 hours, just-in-time |
| Entra Agent ID Admin | Reads Microsoft Entra Agent ID sponsor tasks, lifecycle-workflow run history, service-principal state | 4 hours, just-in-time |
| Entra Identity Governance Admin | Reads HR connector attribute mapping (`employeeLeaveDateTime`), lifecycle-workflow definitions | 4 hours, just-in-time |
| Entra Global Reader | Read-only Entra user / service-principal / sign-in evidence; witness role for dual-control attestation in §14 | 4 hours, standing permissible |
| Purview Compliance Admin | Reads retention-label configuration bound to the orphan register and snapshots; reads UAL evidence for SIEM forwarding | 4 hours |
| AI Governance Lead | Owns the orphan register; counter-signs REASSIGN, TERMINAL, SOV, and quarterly attestation evidence | Standing with quarterly recertification per Control 2.8 |
| Compliance Officer | Counter-signs TERMINAL delete decisions; counter-signs quarterly attestation and sovereign reconciliation worksheet | Standing |
| HR / People Operations liaison | Confirms HR connector feed integrity (leaver / mover / joiner with `employeeLeaveDateTime`) that drives SPONSOR and HR namespaces | Standing, read-only |
Least privilege. No operator should hold Entra Global Admin persistently. This playbook does not require Global Admin; if a tenant insists on it for Agent 365 blade reads, activate through Entra PIM time-bound, never standing. Standing privileged role overlap between Preparer / Validator / Compliance signatories is a cycle-stopping FAIL (see §14).
0.2 Module baseline
Pin to specific module versions so evidence packs are reproducible across machines and across time. Re-validate against newer module versions before promoting them to the standing schedule.
```powershell
#Requires -Version 7.4
#Requires -Modules @{ ModuleName='Microsoft.Graph.Authentication'; ModuleVersion='2.25.0' }
#Requires -Modules @{ ModuleName='Microsoft.Graph.Users'; ModuleVersion='2.25.0' }
#Requires -Modules @{ ModuleName='Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion='2.25.0' }
#Requires -Modules @{ ModuleName='Microsoft.Graph.Identity.Governance'; ModuleVersion='2.25.0' }
#Requires -Modules @{ ModuleName='Microsoft.Graph.Beta.Applications'; ModuleVersion='2.25.0' }
#Requires -Modules @{ ModuleName='Microsoft.PowerApps.Administration.PowerShell'; ModuleVersion='2.0.200' }
#Requires -Modules @{ ModuleName='MicrosoftTeams'; ModuleVersion='6.5.0' }
#Requires -Modules @{ ModuleName='ExchangeOnlineManagement'; ModuleVersion='3.5.0' }
#Requires -Modules @{ ModuleName='Pester'; ModuleVersion='5.5.0' }

# Fail fast: undefined variables and non-terminating errors must stop an evidence run,
# never silently produce a partial pack.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
$ProgressPreference = 'SilentlyContinue'
```
Note on Agent 365 Graph endpoints. The `/beta/agentGovernance` Graph branch exposes the Ownerless Agents card data as of the verification date. Noun names and module distribution are still stabilising across 2026 Wave 1. Wrapper functions (`Get-Agt36OwnerlessCard`, `Get-Agt36AgentInventory`, `Get-Agt36SponsorTask`) are defined in the sister PowerShell Setup. Re-verify module / noun availability after each Microsoft release wave.
0.3 PRE gates (must all pass before §2–§12 execute)
`Invoke-Agt36PreFlight.ps1` runs nine pre-flight gates. Any FAIL halts the suite and emits a single `preflight-FAILED-<runId>.json`. A SKIPPED on PRE-06 routes the run to the SOV namespace (§9).
| Gate | ID | Purpose | Failure behavior |
|---|---|---|---|
| Module presence | PRE-01 | Confirms modules loaded at the pinned versions in §0.2 | HALT |
| Graph context | PRE-02 | Confirms `Connect-MgGraph` with scopes `AgentGovernance.Read.All`, `Directory.Read.All`, `User.Read.All`, `Application.Read.All`, `LifecycleWorkflows.Read.All`, `AuditLog.Read.All`, `Reports.Read.All` | HALT |
| Tenant identification | PRE-03 | Captures `tenantId`, `displayName`, `verifiedDomains[0].name` for every evidence record | HALT |
| Cloud detection | PRE-04 | Reads `(Get-MgContext).Environment` and maps `Global` → Commercial (or GCC when declared in configuration: GCC tenants are served by the commercial Graph endpoint and report `Global`), `USGov` → GCCH, `USGovDoD` → DoD | Continue; sovereign clouds route to §9 |
| HR connector health | PRE-05 | Confirms at least one Entra HR provisioning connector with status Healthy in the last 24h and last-sync within tenant SLA | HALT — without HR feed, SPONSOR and HR namespaces cannot attest |
| Agent 365 Ownerless card reachability | PRE-06 | Probes `/beta/agentGovernance/ownerlessAgents?$top=1`; in sovereign clouds expects 404/501 and routes to §9 | Commercial 404/403/501 → HALT; sovereign → route to §9 |
| Orphan register endpoint | PRE-07 | Confirms the SharePoint or Dataverse orphan register is reachable, has versioning enabled, and is bound to a ≥6-year Purview retention label with `deletionLocked=true` | HALT — without the system of record, no evidence can be assembled |
| Clock skew gate | PRE-08 | Compares local UTC to the Graph `Date` response header; aborts on > 60s drift | HALT — skew invalidates timestamp evidence under FINRA 4511 / SEC 17a-4 |
| Evidence root writeable | PRE-09 | Confirms `$env:AGT36_EVIDENCE_ROOT` exists, is writeable, resolves to WORM-eligible storage | HALT |
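The PRE-08 gate as an added example; this is not the `Invoke-Agt36PreFlight.ps1` shipped with the sister PowerShell Setup, and the function names and the `organization` probe are assumptions. It reads the server clock from the `Date` header of an authenticated Graph response, compares it with local UTC, and returns a gate record in the PRE-gate vocabulary. Both clocks are injectable so the comparison can be exercised offline against constructed timestamps.

```powershell
# Added example for PRE-08 (not the sister Setup's Invoke-Agt36PreFlight.ps1).
# Requires an existing Graph context (PRE-02). A relative URI is used so the
# call follows the connected environment (commercial or sovereign endpoint).
function Get-Agt36GraphServerTime {
    [CmdletBinding()]
    [OutputType([datetimeoffset])]
    param()
    # A cheap read-only call already covered by Directory.Read.All from PRE-02;
    # only the response headers are used, the body is discarded.
    $resp = Invoke-MgGraphRequest -Method GET -Uri 'v1.0/organization?$select=id' -OutputType HttpResponseMessage
    if (-not $resp.Headers.Date.HasValue) {
        throw 'PRE-08: Graph response carried no Date header; cannot attest clock skew'
    }
    $resp.Headers.Date.Value
}

function Test-Agt36ClockSkew {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        # Injectable for offline tests; the defaults run the live comparison.
        [datetimeoffset] $ServerTime     = (Get-Agt36GraphServerTime),
        [datetimeoffset] $LocalTime      = [datetimeoffset]::UtcNow,
        [int]            $MaxSkewSeconds = 60
    )
    # The HTTP Date header has one-second resolution and is stamped before the
    # response travels back, so a few seconds of apparent drift is normal; the
    # 60 s tolerance from §0.3 is deliberately coarse.
    $skew   = [math]::Abs(($LocalTime - $ServerTime).TotalSeconds)
    $status = if ($skew -gt $MaxSkewSeconds) { 'FAIL' } else { 'PASS' }
    [pscustomobject]@{
        gate         = 'PRE-08'
        status       = $status
        halt         = ($status -eq 'FAIL')
        skew_seconds = [math]::Round($skew, 1)
        local_utc    = $LocalTime.UtcDateTime.ToString('o')
        server_utc   = $ServerTime.UtcDateTime.ToString('o')
    }
}

# Constructed offline checks (no tenant needed): 88 s of drift must FAIL, 4 s must PASS.
$server  = [datetimeoffset]::Parse('2026-04-15T09:30:12Z')
$drifted = Test-Agt36ClockSkew -ServerTime $server -LocalTime ([datetimeoffset]::Parse('2026-04-15T09:31:40Z'))
$close   = Test-Agt36ClockSkew -ServerTime $server -LocalTime ([datetimeoffset]::Parse('2026-04-15T09:30:16Z'))
$drifted, $close | Format-Table gate, status, halt, skew_seconds

# Live gate, as the pre-flight would call it:
# $gate = Test-Agt36ClockSkew
# if ($gate.halt) { throw "PRE-08 failed: $($gate.skew_seconds)s drift between local UTC and Graph" }
```

The gate record is written into the `preflight-FAILED-<runId>.json` on a FAIL; keeping both timestamps in the record lets an examiner see which clock was wrong rather than only that they disagreed.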
0.4 Sovereign bootstrap pattern
```powershell
function Test-Agt36SovereignTenant {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        # GCC tenants are served by the commercial Graph endpoint, so (Get-MgContext).Environment
        # reports 'Global' for them and cannot distinguish GCC from Commercial. Declare GCC
        # explicitly (for example from Agt36Config.psd1) instead of inferring it from the context.
        [ValidateSet('Commercial', 'GCC')]
        [string] $DeclaredCloudForGlobalEndpoint = 'Commercial'
    )
    $ctx = Get-MgContext
    if (-not $ctx) { throw "PRE-02 failed: no Graph context. Run Connect-MgGraph first." }
    # Environment names as reported by Get-MgEnvironment: Global, USGov (GCC High), USGovDoD, China.
    $cloud = switch ($ctx.Environment) {
        'Global'   { $DeclaredCloudForGlobalEndpoint }
        'USGov'    { 'GCCH' }
        'USGovDoD' { 'DoD' }
        default    { 'Unknown' }   # includes China (21Vianet), out of scope per the header block
    }
    [pscustomobject]@{
        cloud            = $cloud
        is_sovereign     = $cloud -in @('GCC', 'GCCH', 'DoD')
        tenant_id        = $ctx.TenantId
        detected_at      = (Get-Date).ToUniversalTime().ToString('o')
        compensating_ref = 'control-3.6-sovereign-manual-reconciliation'
    }
}
```
When `is_sovereign` is `$true`, each automated It block in §2–§8 and §10–§12 emits a SKIPPED record with the compensating-control pointer to §9 SOV. This produces an examiner-defensible trail showing the test was attempted, was correctly skipped on regulatory-sound grounds, and was supplemented by the manual dual-signed worksheet in §9.
0.5 Run identifier and evidence root
```powershell
function New-Agt36RunId {
    $ts   = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $guid = ([guid]::NewGuid().ToString('N')).Substring(0, 8)
    "AGT36-$ts-$guid"
}
$script:RunId        = New-Agt36RunId
$script:RunTimestamp = (Get-Date).ToUniversalTime().ToString('o')
$script:EvidenceRoot = Join-Path $env:AGT36_EVIDENCE_ROOT $script:RunId
New-Item -Path $script:EvidenceRoot -ItemType Directory -Force | Out-Null
```
Every evidence record written in §2–§12 is stored under $script:EvidenceRoot and the runId is embedded in each artifact filename that is assembled into the §14 evidence pack.
§1 Namespace Catalog
The eight Verification Criteria from Control 3.6 §Verification Criteria — hereafter "VC-1 … VC-8" — are evidenced by the eleven test namespaces below (seven map directly to a VC; HR, SPONSOR, BULK and SIEM are supporting namespaces). Each namespace produces independent evidence records that combine into a single signed pack (§14).
| Namespace | Section | Evidences | Cadence | Owner |
|---|---|---|---|---|
| DETECT | §2 | VC-1 — Detection-run completeness (all 10 signal sources, all zones) | Weekly (Z3 sample 100%); ≥4 cycles/quarter (Z2, Z1) | AI Administrator |
| RECONCILE | §3 | VC-2 — Agent 365 Ownerless card count vs orphan register category-1 count (zero variance unsubstantiated) | Per cycle × 4/quarter | AI Governance Lead |
| TERMINAL | §4 | VC-3 — Per-category, per-zone SLA adherence (≥95% Z3); and VC-5 — Archive/delete approval evidence (Z3 dual approval, ITSM ref, retention-label state) | Weekly | AI Governance Lead |
| REASSIGN | §5 | VC-4 — Reassignment integrity: sample 10/quarter, new-owner prerequisites, permission/metadata transfer | Quarterly (sample) | Power Platform Admin |
| HR | §6 | Supporting — HR leaver / mover / `employeeLeaveDateTime` feed integrity that powers sponsor / owner / maker-departure detection | Weekly | Entra Identity Governance Admin |
| SPONSOR | §7 | Supporting — Entra Agent ID sponsor-departure cascade (one sponsor → many agents); feeds DETECT category #2 | Per cycle | Entra Agent ID Admin |
| BULK | §8 | Supporting — Bulk-reassign safety (dry-run, exclusion of distribution-list-owned agents, false-positive rate) | Per bulk run | Power Platform Admin |
| SOV | §9 | VC-6 — Sovereign-cloud compensating control (quarterly dual-signed manual reconciliation) — sovereign tenants only | Quarterly | AI Governance Lead + Compliance Officer |
| SIEM | §10 | Supporting — Detection-run logs, remediation tickets, and approval artifacts forwarded to SIEM; 6-year retention enforced | Weekly | Purview Compliance Admin |
| RETAIN | §11 | VC-7 — Purview retention-label enforcement on orphan register, snapshots, and approvals (≥6-year, deletion locked) | Monthly | Purview Compliance Admin |
| PREVENT | §12 | VC-8 — Pre-orphan prevention rate (orphans-avoided ÷ agents-created) with YoY trend | Quarterly | AI Governance Lead |
Each namespace section follows an identical 8-part structure, mirroring the sibling Control 2.25 and Control 2.26 verification playbooks:
- Criterion mapping — explicit pointer to the numbered VC in Control 3.6.
- Pre-conditions — PRE gates passed; reference data present; Graph scopes granted; zone scope declared.
- Pester suite — `Describe "AGT36-{NS}" { Context "Zone {1|2|3}" { It "…" } }` in Pester 5.5 on PowerShell 7.4.
- Sample PASS evidence record — the exact JSON shape assembled into the evidence pack.
- Sample FAIL evidence record — with a pointer to §15 triage.
- Examiner artifact — filename pattern, retention duration, signing policy.
- Zone thresholds — PASS / WARN / FAIL bands per zone.
- Regulator mapping — which specific regulatory citation each test supports.
1.1 Evidence record schema (canonical)
Every evidence record MUST conform to this schema. Test-Agt36EvidenceSchema in §14.5 enforces it; the pack assembler refuses to publish a pack containing any record that fails validation.
```json
{
  "control_id": "3.6",
  "run_id": "AGT36-20260415-093012-a1b2c3d4",
  "run_timestamp": "2026-04-15T09:30:12Z",
  "tenant_id": "11111111-2222-3333-4444-555555555555",
  "tenant_display_name": "Contoso Bank, N.A.",
  "cloud": "Commercial",
  "zone": "3",
  "namespace": "DETECT",
  "criterion": "VC-1",
  "subject_id": "detection-cycle-2026W15",
  "subject_type": "detection_run",
  "status": "PASS",
  "assertion": "Weekly detection cycle exercised all 10 signal sources with non-null counts and a signed run-log bundle.",
  "observed_value": {
    "signal_sources_exercised": 10,
    "run_bundle_sha256": "f3a1…",
    "start": "2026-04-14T02:00:00Z",
    "end": "2026-04-14T02:06:41Z",
    "counts_by_category": { "1":3, "2":1, "3":0, "4":0, "5":0, "6":0, "7":2, "8":0, "9":1, "10":0 }
  },
  "expected_value": {
    "signal_sources_exercised": 10,
    "run_bundle_sha256": "<non-null>",
    "counts_by_category": "<object with keys 1..10>"
  },
  "evidence_artifacts": ["detect-run-AGT36-20260415-093012-a1b2c3d4.json"],
  "regulator_mappings": ["FINRA-4511","FINRA-25-07","SEC-17a-4","SOX-404","NYDFS-500"],
  "remediation_ref": null,
  "operator_upn": "ai.administrator@contoso.com",
  "schema_version": "1.0"
}
```
Field semantics (abbreviated where identical to peer controls):
| Field | Type | Notes |
|---|---|---|
| `control_id` | string | Always `"3.6"` for this playbook. |
| `run_id` | string | Output of `New-Agt36RunId`; identical across every record in a run. |
| `cloud` | enum | Commercial / GCC / GCCH / DoD / Unknown. |
| `zone` | enum | 1 / 2 / 3 / all. |
| `namespace` | enum | One of DETECT / RECONCILE / TERMINAL / REASSIGN / HR / SPONSOR / BULK / SOV / SIEM / RETAIN / PREVENT. |
| `criterion` | enum | VC-1 … VC-8, `supporting`, or `VC-1..8 (compensating)` for SOV. |
| `subject_id` | string | Agent ID, cycle ID, template ID, policy ID, or workflow ID. |
| `subject_type` | enum | agent / detection_run / reconciliation / remediation_ticket / reassignment / sponsor_task / hr_feed / retention_label / attestation / manual_attestation. |
| `status` | enum | PASS / WARN / FAIL / SKIPPED / ERROR. |
| `remediation_ref` | string or null | `TRG-{NS}-NN` pointer into §15 when status != `PASS`. |
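A minimal validator for the §1.1 record shape, as an added example; it is not the `Test-Agt36EvidenceSchema` shipped in §14.5 of the sister Setup, and the function and variable names are assumptions. The required-field set is every key of the canonical §1.1 record other than the nullable `remediation_ref`; the enum sets are the field table above and the regulator tokens are the §1.2 vocabulary. Note that the abbreviated sample records in §2–§4 omit some canonical fields and would not pass the required-field check as printed.

```powershell
# Added example: schema gate for §1.1 evidence records (not the sister Setup's
# Test-Agt36EvidenceSchema). Returns valid=$true/$false plus the list of violations.
$script:Agt36Schema = @{
    required  = @('control_id','run_id','run_timestamp','tenant_id','tenant_display_name','cloud','zone',
                  'namespace','criterion','subject_id','subject_type','status','assertion','observed_value',
                  'expected_value','evidence_artifacts','regulator_mappings','operator_upn','schema_version')
    cloud     = @('Commercial','GCC','GCCH','DoD','Unknown')
    zone      = @('1','2','3','all')
    namespace = @('DETECT','RECONCILE','TERMINAL','REASSIGN','HR','SPONSOR','BULK','SOV','SIEM','RETAIN','PREVENT')
    subject   = @('agent','detection_run','reconciliation','remediation_ticket','reassignment',
                  'sponsor_task','hr_feed','retention_label','attestation','manual_attestation')
    status    = @('PASS','WARN','FAIL','SKIPPED','ERROR')
    regulator = @('FINRA-3110','FINRA-4511','FINRA-25-07','SEC-17a-3','SEC-17a-4','SOX-302','SOX-404',
                  'GLBA-501b','OCC-2011-12','FED-SR-11-7','CFTC-1.31','NYDFS-500','FFIEC-MGMT')
}

function Test-Agt36EvidenceRecord {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param([Parameter(Mandatory)][string] $Json)
    # -AsHashtable so absent keys can be distinguished from keys present with null.
    $r = $Json | ConvertFrom-Json -AsHashtable
    $errors = [System.Collections.Generic.List[string]]::new()

    foreach ($k in $script:Agt36Schema.required) {
        if (-not $r.ContainsKey($k)) { $errors.Add("missing field '$k'") }
    }
    if ($r['control_id'] -ne '3.6') { $errors.Add("control_id must be '3.6'") }
    if ($r['run_id'] -notmatch '^AGT36-\d{8}-\d{6}-[0-9a-f]{8}$') { $errors.Add('run_id does not match the New-Agt36RunId shape') }

    # Enum fields: field name in the record -> key of the allowed set above.
    foreach ($pair in @(@('cloud','cloud'), @('zone','zone'), @('namespace','namespace'),
                        @('subject_type','subject'), @('status','status'))) {
        $field, $set = $pair
        if ($r[$field] -and $r[$field] -notin $script:Agt36Schema[$set]) { $errors.Add("$field '$($r[$field])' not in enum") }
    }
    if ($r['criterion'] -notmatch '^(VC-[1-8]|supporting|VC-1\.\.8 \(compensating\))$') {
        $errors.Add("criterion '$($r['criterion'])' invalid")
    }
    foreach ($t in @($r['regulator_mappings'] | Where-Object { $_ })) {
        if ($t -notin $script:Agt36Schema.regulator) { $errors.Add("unknown regulator token '$t'") }
    }
    # §1.1: remediation_ref is a TRG-{NS}-NN pointer into §15 whenever status != PASS.
    if ($r['status'] -ne 'PASS' -and -not ($r['remediation_ref'] -match '^TRG-[A-Z]+-\d{2}$')) {
        $errors.Add("status $($r['status']) requires remediation_ref of the form TRG-{NS}-NN")
    }
    if ($r['status'] -eq 'PASS' -and $null -ne $r['remediation_ref']) { $errors.Add('PASS record must not carry remediation_ref') }

    [pscustomobject]@{ valid = ($errors.Count -eq 0); errors = $errors.ToArray() }
}

# Constructed sample records: a complete PASS record, and the same record flipped to
# FAIL without a remediation_ref (the §14 assembler must refuse the second one).
$pass = @'
{ "control_id":"3.6","run_id":"AGT36-20260415-093012-a1b2c3d4","run_timestamp":"2026-04-15T09:30:12Z",
  "tenant_id":"11111111-2222-3333-4444-555555555555","tenant_display_name":"Contoso Bank, N.A.",
  "cloud":"Commercial","zone":"3","namespace":"DETECT","criterion":"VC-1",
  "subject_id":"detection-cycle-2026W15","subject_type":"detection_run","status":"PASS",
  "assertion":"Weekly detection cycle exercised all 10 signal sources.",
  "observed_value":{"signal_sources_exercised":10},"expected_value":{"signal_sources_exercised":10},
  "evidence_artifacts":["detect-run-AGT36-20260415-093012-a1b2c3d4.json"],
  "regulator_mappings":["FINRA-4511","SEC-17a-4"],"remediation_ref":null,
  "operator_upn":"ai.administrator@contoso.com","schema_version":"1.0" }
'@
$fail = $pass -replace '"status":"PASS"', '"status":"FAIL"'
Test-Agt36EvidenceRecord -Json $pass
Test-Agt36EvidenceRecord -Json $fail
```

Run it over the evidence root before pack assembly (`Get-ChildItem $script:EvidenceRoot -Filter *.json | ForEach-Object { Test-Agt36EvidenceRecord -Json (Get-Content $_ -Raw) }`) and refuse to assemble if any record reports `valid = $false`; the `errors` list is what goes into the triage ticket.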
1.2 Regulator mapping vocabulary
| Token | Citation |
|---|---|
| `FINRA-3110` | FINRA Rule 3110 (Supervision) |
| `FINRA-4511` | FINRA Rule 4511 (Books and Records) |
| `FINRA-25-07` | FINRA Regulatory Notice 25-07 (Generative-AI Supervision) |
| `SEC-17a-3` | SEC Rule 17a-3 (Records to be Made) |
| `SEC-17a-4` | SEC Rule 17a-4 (Records Retention; WORM requirement) |
| `SOX-302` | Sarbanes-Oxley §302 (Management Certification) |
| `SOX-404` | Sarbanes-Oxley §404 (Internal Control over Financial Reporting) |
| `GLBA-501b` | Gramm-Leach-Bliley Act §501(b) (Safeguards) |
| `OCC-2011-12` | OCC Bulletin 2011-12 (Third-Party / Technology Risk) |
| `FED-SR-11-7` | Federal Reserve SR 11-7 (Model Risk Management) |
| `CFTC-1.31` | CFTC Regulation 1.31 (Recordkeeping) |
| `NYDFS-500` | NYDFS 23 NYCRR Part 500 (Cybersecurity) |
| `FFIEC-MGMT` | FFIEC IT Examination Handbook — Management booklet |
No FINRA Rule 3110 substitution. Wherever `FINRA-3110` appears, it indicates that the control element supports — does not replace — registered-principal supervisory review of AI-enabled business activity. The firm's written supervisory procedures remain the authoritative supervisory document; this playbook's evidence supports those procedures.
§2 DETECT — Detection-run Completeness (VC-1)
2.1 Criterion mapping
This namespace evidences VC-1 of Control 3.6 §Verification Criteria: "Weekly detection cycle exercised all ten signal sources for Zone 3 (100% sample) and at least four cycles per quarter for Zone 2 and Zone 1, with a signed run-log bundle persisted to evidence storage." It is the foundational completeness assertion: every downstream namespace (RECONCILE, TERMINAL, REASSIGN, SPONSOR) presupposes that DETECT ran end-to-end.
2.2 Pre-conditions
- PRE-01 through PRE-09 PASS.
- The 10 Detection Signal Sources defined in Control 3.6 §Detection Signal Sources are wired into the weekly job: (1) Ownerless agent, (2) Sponsor-departed, (3) Maker-departed, (4) Environment-owner departed, (5) SharePoint agent author disabled, (6) Environment deleted, (7) Inactivity, (8) License expired, (9) Broken connector, (10) Shadow agent.
- Per-zone cadence configured: Z3 weekly 100%; Z2 ≥4 cycles/quarter; Z1 ≥4 cycles/quarter.
- Run-log signing key (X.509 or sigstore) present in the orchestrator key vault; thumbprint pinned in `Agt36Config.psd1`.
2.3 Pester suite
```powershell
# Sovereign routing is decided at discovery time: Set-ItResult is only valid inside an It
# block (calling it from BeforeAll fails the block instead of skipping it), so a -Skip on
# the Describe is what marks every It as Skipped. See §0.4 and §9 SOV.
BeforeDiscovery {
    $script:Sov = Test-Agt36SovereignTenant
}

Describe "AGT36-DETECT" -Tag 'Control3.6','VC-1' -Skip:($script:Sov.is_sovereign) {
    BeforeAll {
        # 92 days is the "trailing 92 days" window asserted below (one calendar quarter).
        $script:Cycles = @(Get-Agt36DetectionCycle -LookbackDays 92)
        $script:Z3     = @($script:Cycles | Where-Object Zone -eq 3)
    }
    Context "Zone 3 — weekly cycles, 100% sample" {
        It "has at least one completed Z3 cycle (guards the per-cycle assertions against a vacuous pass)" {
            $script:Z3.Count | Should -BeGreaterOrEqual 1
        }
        It "exercises all 10 signal sources in every Z3 cycle" {
            foreach ($c in $script:Z3) {
                $c.SignalSourcesExercised | Should -Be 10 -Because "Z3 cycle $($c.CycleId) must cover all 10 categories"
            }
        }
        It "persists a signed run-log bundle for every Z3 cycle" {
            foreach ($c in $script:Z3) {
                $c.RunLogBundleSha256 | Should -Not -BeNullOrEmpty
                $c.RunLogSignatureValid | Should -BeTrue
                $c.RunLogSignerThumbprint | Should -Be (Get-Agt36Config).RunLogSignerThumbprint
            }
        }
        It "completes the cycle within the orchestrator's 60-minute SLA" {
            foreach ($c in $script:Z3) {
                ($c.End - $c.Start).TotalMinutes | Should -BeLessOrEqual 60
            }
        }
    }
    Context "Zone 2 — at least four cycles per quarter" {
        It "has ≥4 completed Z2 cycles in the trailing 92 days" {
            @($script:Cycles | Where-Object Zone -eq 2).Count | Should -BeGreaterOrEqual 4
        }
    }
    Context "Zone 1 — at least four cycles per quarter" {
        It "has ≥4 completed Z1 cycles in the trailing 92 days" {
            @($script:Cycles | Where-Object Zone -eq 1).Count | Should -BeGreaterOrEqual 4
        }
    }
    Context "Cross-zone integrity" {
        It "produces non-null counts_by_category for all 10 categories in every cycle" {
            foreach ($c in $script:Cycles) {
                # counts_by_category arrives as a hashtable from the orchestrator but as a
                # PSCustomObject when re-read from JSON; accept both.
                $keys = if ($c.CountsByCategory -is [System.Collections.IDictionary]) {
                    @($c.CountsByCategory.Keys | ForEach-Object { [string]$_ })
                } else {
                    @($c.CountsByCategory.PSObject.Properties.Name)
                }
                1..10 | ForEach-Object { $keys | Should -Contain ([string]$_) }
            }
        }
    }
}
```
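The `RunLogBundleSha256`, `RunLogSignatureValid` and `RunLogSignerThumbprint` values the suite above asserts on have to come from somewhere; the following is an added example of deriving them from a bundle, its detached `.sig`, and the pinned thumbprint. It is not the orchestrator's own signing code. It assumes the detached signature is RSA PKCS#1 v1.5 over SHA-256 of the raw bundle bytes (a CMS or sigstore bundle would need a different verifier but the same pin and validity checks), and it uses a throwaway self-signed certificate as a constructed fixture so it runs without the key vault. Save it as a `.ps1` and run it on PowerShell 7.4.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (not the orchestrator's signing code): verify a detached run-log
# signature against a pinned signer thumbprint, the way the DETECT suite expects.
function Test-Agt36RunLogSignature {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        [Parameter(Mandatory)][byte[]]           $BundleBytes,
        [Parameter(Mandatory)][byte[]]           $Signature,
        [Parameter(Mandatory)][X509Certificate2] $SignerCertificate,
        [Parameter(Mandatory)][string]           $PinnedThumbprint,   # RunLogSignerThumbprint from Agt36Config.psd1
        [datetime]                               $AsOf = (Get-Date).ToUniversalTime()
    )
    $bundleSha256 = [Convert]::ToHexString([SHA256]::HashData($BundleBytes)).ToLowerInvariant()

    # Pin comparison ignores case and the ':' / ' ' separators that a portal copy-paste
    # introduces ("9F:2A:11:…" in the sample record vs .NET's bare upper-case hex).
    $normalize = { param([string] $t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    $pinOk = (& $normalize $SignerCertificate.Thumbprint) -eq (& $normalize $PinnedThumbprint)

    $sigOk = $false
    $rsa = $SignerCertificate.GetRSAPublicKey()
    if ($null -ne $rsa) {
        $sigOk = $rsa.VerifyData($BundleBytes, $Signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    }
    # A signature from a certificate outside its validity window is still a FAIL for
    # evidence purposes even though the arithmetic verifies.
    $validityOk = ($AsOf -ge $SignerCertificate.NotBefore.ToUniversalTime()) -and
                  ($AsOf -le $SignerCertificate.NotAfter.ToUniversalTime())

    [pscustomobject]@{
        RunLogBundleSha256     = $bundleSha256
        RunLogSignerThumbprint = $SignerCertificate.Thumbprint
        SignatureVerifies      = $sigOk
        ThumbprintPinned       = $pinOk
        CertificateInValidity  = $validityOk
        RunLogSignatureValid   = ($sigOk -and $pinOk -and $validityOk)
    }
}

# Constructed fixture: a throwaway self-signed signer and a signed sample bundle.
$rsa    = [RSA]::Create(2048)
$req    = [CertificateRequest]::new('CN=agt36-orchestrator-test', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$cert   = $req.CreateSelfSigned([datetimeoffset]::UtcNow.AddMinutes(-5), [datetimeoffset]::UtcNow.AddDays(1))
$bundle = [Text.Encoding]::UTF8.GetBytes('{"cycle":"2026W15","signal_sources_exercised":10}')
$sig    = $rsa.SignData($bundle, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# Intact bundle, pin supplied in the colon-separated form a console copy produces.
$pin = ($cert.Thumbprint -replace '(..)(?!$)', '$1:')
Test-Agt36RunLogSignature -BundleBytes $bundle -Signature $sig -SignerCertificate $cert -PinnedThumbprint $pin

# One flipped byte: SignatureVerifies and RunLogSignatureValid become False while the pin still matches.
$tampered    = [byte[]]$bundle.Clone()
$tampered[0] = [byte](([int]$tampered[0]) -bxor 1)
Test-Agt36RunLogSignature -BundleBytes $tampered -Signature $sig -SignerCertificate $cert -PinnedThumbprint $pin

# Against a real bundle and its detached .sig from the evidence root:
# Test-Agt36RunLogSignature -BundleBytes ([IO.File]::ReadAllBytes($bundlePath)) `
#     -Signature ([IO.File]::ReadAllBytes("$bundlePath.sig")) -SignerCertificate $signerCert `
#     -PinnedThumbprint (Get-Agt36Config).RunLogSignerThumbprint
```

Returning the three checks separately, not only the combined `RunLogSignatureValid`, matters at triage: a wrong pin after a planned key rotation and a tampered bundle are different incidents, and the evidence record should say which one occurred.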
2.4 Sample PASS evidence record
```json
{
  "control_id": "3.6",
  "run_id": "AGT36-20260415-093012-a1b2c3d4",
  "namespace": "DETECT",
  "criterion": "VC-1",
  "zone": "3",
  "subject_id": "detection-cycle-2026W15",
  "subject_type": "detection_run",
  "status": "PASS",
  "assertion": "Z3 weekly cycle exercised all 10 signal sources, signed bundle persisted, SLA met.",
  "observed_value": {
    "signal_sources_exercised": 10,
    "run_bundle_sha256": "f3a1b9c4e7…",
    "run_log_signer_thumbprint": "9F:2A:11:…",
    "duration_minutes": 6.7
  },
  "evidence_artifacts": ["detect-run-2026W15-AGT36-20260415-093012-a1b2c3d4.json","detect-run-2026W15.sig"],
  "regulator_mappings": ["FINRA-4511","FINRA-25-07","SEC-17a-3","SEC-17a-4","SOX-404","NYDFS-500","FED-SR-11-7"]
}
```
2.5 Sample FAIL evidence record
```json
{
  "control_id": "3.6",
  "run_id": "AGT36-20260415-093012-a1b2c3d4",
  "namespace": "DETECT",
  "criterion": "VC-1",
  "zone": "3",
  "subject_id": "detection-cycle-2026W14",
  "subject_type": "detection_run",
  "status": "FAIL",
  "assertion": "Z3 cycle exercised only 9 of 10 signal sources; category 9 (broken-connector) skipped due to connector-API throttling.",
  "observed_value": { "signal_sources_exercised": 9, "missing_categories": [9], "throttle_429_count": 47 },
  "remediation_ref": "TRG-DETECT-02",
  "regulator_mappings": ["FINRA-4511","SEC-17a-4","SOX-404"]
}
```
2.6 Examiner artifact
| Item | Value |
|---|---|
| Filename pattern | detect-run-{YYYYWww}-{runId}.json plus signed bundle *.sig |
| Storage | Evidence root → assembled into §14 pack |
| Retention | 6 years WORM, Purview retention label FSI-Records-6Y-WORM, deletion locked |
| Signing | X.509 detached signature; signer = orchestrator service principal; counter-signed at pack assembly by AI Governance Lead |
2.7 Zone thresholds
| Zone | PASS | WARN | FAIL |
|---|---|---|---|
| 3 | All weekly cycles cover 10/10 sources, signed | One cycle covered 9/10 with documented re-run within 24h | Any uncompensated coverage gap, or missing signature |
| 2 | ≥4 cycles/quarter, ≥9/10 average coverage | 3 cycles/quarter | <3 cycles/quarter |
| 1 | ≥4 cycles/quarter, ≥8/10 average coverage | 3 cycles/quarter | <3 cycles/quarter |
2.8 Regulator mapping
| Regulator | Specifically supported by VC-1 |
|---|---|
| FINRA Rule 4511 / SEC 17a-3 | Continuous capture of identity-and-accountability change events for AI-enabled business activity |
| FINRA Notice 25-07 | Documented periodic monitoring of generative-AI inventory accountability |
| SOX §404 | Operating effectiveness of the detection control over financial-reporting-relevant agents |
| NYDFS Part 500 | Documented monitoring activity on technology assets |
| Federal Reserve SR 11-7 | Ongoing model-risk monitoring on identity-bound model assets |
§3 RECONCILE — Card-vs-Register Parity (VC-2)
3.1 Criterion mapping
VC-2: "For every reconciliation cycle, the count from the Microsoft 365 Agent 365 Ownerless Agents card equals the count of category-1 (ownerless-narrow) entries in the orphan register; any variance is documented with a substantiation memo and a corrective action."
3.2 Pre-conditions
- DETECT cycle for the same window has PASS status.
- AI Administrator can read the Ownerless Agents card via Graph (`/beta/agentGovernance/ownerlessAgents`) or the Agent 365 admin center; in sovereign clouds this routes to §9 SOV.
- Orphan register query supports the filter `category=1 AND status IN ('open','reassigned-pending','terminal-pending')`.
3.3 Pester suite
```powershell
# As in §2: the sovereign decision is made at discovery so -Skip can mark every It as
# Skipped (Set-ItResult cannot be called from BeforeAll). Ownerless card is not GA in
# sovereign clouds; see §9 SOV.
BeforeDiscovery {
    $script:Sov = Test-Agt36SovereignTenant
}

Describe "AGT36-RECONCILE" -Tag 'Control3.6','VC-2' -Skip:($script:Sov.is_sovereign) {
    BeforeAll {
        $script:Card     = Get-Agt36OwnerlessCard
        # Count the card's agent list, not the card object: a single object reports Count = 1.
        $script:CardIds  = @($script:Card.Agents | ForEach-Object AgentId)
        $script:Register = @(Get-Agt36OrphanRegister -Category 1 -Status 'open','reassigned-pending','terminal-pending')
        $script:RegIds   = @($script:Register | ForEach-Object AgentId)
    }
    Context "Snapshot parity at cycle close" {
        It "card count equals register category-1 open-set count" {
            $script:CardIds.Count | Should -Be $script:Register.Count
        }
        It "every card-listed agent appears in the register with category=1" {
            foreach ($id in $script:CardIds) {
                $script:RegIds | Should -Contain $id
            }
        }
        It "no register category-1 entry is missing from the card" {
            foreach ($id in $script:RegIds) {
                $script:CardIds | Should -Contain $id
            }
        }
        It "has no duplicate agent IDs on either side (duplicates can hide a count mismatch)" {
            @($script:CardIds | Select-Object -Unique).Count | Should -Be $script:CardIds.Count
            @($script:RegIds  | Select-Object -Unique).Count | Should -Be $script:RegIds.Count
        }
    }
    Context "Variance substantiation (when present)" {
        It "every documented variance carries a substantiation memo and corrective action" {
            $variances = @(Get-Agt36ReconciliationVariance -CycleId $script:Card.CycleId)
            foreach ($v in $variances) {
                $v.SubstantiationMemoUri | Should -Not -BeNullOrEmpty
                $v.CorrectiveActionTicket | Should -Match '^(SNOW|JIRA|REM)-\d+$'
                $v.SignedBy | Should -Be 'AI Governance Lead'
            }
        }
    }
}
```
3.4 Sample PASS evidence record
```json
{
  "control_id": "3.6", "namespace": "RECONCILE", "criterion": "VC-2", "zone": "3",
  "subject_id": "reconcile-2026W15", "subject_type": "reconciliation",
  "status": "PASS",
  "assertion": "Ownerless card count (12) equals orphan register category-1 open-set count (12); zero variance.",
  "observed_value": { "card_count": 12, "register_count": 12, "variance": 0, "card_snapshot_sha256": "1a2b…", "register_snapshot_sha256": "9f8e…" },
  "evidence_artifacts": ["card-snapshot-2026W15.png","card-snapshot-2026W15.csv","register-snapshot-2026W15.csv","reconcile-2026W15.json"],
  "regulator_mappings": ["FINRA-4511","SEC-17a-4","SOX-302","SOX-404","NYDFS-500"]
}
```
3.5 Sample FAIL evidence record
```json
{
  "control_id": "3.6", "namespace": "RECONCILE", "criterion": "VC-2", "zone": "3",
  "subject_id": "reconcile-2026W14", "subject_type": "reconciliation",
  "status": "FAIL",
  "assertion": "Card count (12) and register category-1 count (10) diverge by 2; missing entries: agent-aaaa, agent-bbbb.",
  "observed_value": { "card_count": 12, "register_count": 10, "missing_from_register": ["agent-aaaa","agent-bbbb"] },
  "remediation_ref": "TRG-RECONCILE-01",
  "regulator_mappings": ["FINRA-4511","SEC-17a-4","SOX-404"]
}
```
3.6 Examiner artifact
| Item | Value |
|---|---|
| Filename | reconcile-{YYYYWww}-{runId}.json plus PNG + CSV snapshots of the card |
| Retention | 6 years WORM (matches the "weekly Ownerless Agents card snapshot" line of Control 3.6 Evidence and Retention) |
| Signing | Counter-signed by AI Governance Lead at §14 pack assembly |
3.7 Zone thresholds
| Zone | PASS | WARN | FAIL |
|---|---|---|---|
| 3 | Variance = 0; or variance fully substantiated within 24h | Variance > 0 substantiated within 72h | Any uncompensated variance > 24h, or missing snapshot |
| 2 | Variance ≤ 5% substantiated within 7d | Variance ≤ 10% substantiated within 14d | Variance > 10% or unsubstantiated |
| 1 | Variance ≤ 10% substantiated within 14d | Variance ≤ 20% substantiated within 30d | Variance > 20% or unsubstantiated |
3.8 Regulator mapping
FINRA-4511, SEC-17a-3, SEC-17a-4, SOX-302, SOX-404, NYDFS-500, OCC-2011-12. Reconciliation parity is the inventory-completeness test that examiners use to confirm books-and-records integrity for AI-enabled business activity.
§4 TERMINAL — SLA Adherence & Archive/Delete Approval (VC-3, VC-5)
4.1 Criterion mapping
This namespace evidences two Verification Criteria:
- VC-3 — SLA adherence. Remediation is completed within the per-category, per-zone SLA defined in Control 3.6 §Detection Signal Sources. Zone 3 SLA attainment must be ≥95% on a rolling 90-day window.
- VC-5 — Archive/delete approval. Every Zone 3 archive or delete action carries dual approval (AI Governance Lead + Compliance Officer for delete), an ITSM reference, and evidence that the retention-label state of the agent's records is preserved (≥6Y WORM, deletion locked) before the agent object is removed.
4.2 Pre-conditions
- DETECT and RECONCILE have PASS for the cycle under review.
- Orphan register exposes each category's remediation timeline (`firstDetectedAt`, `terminalAt`, `terminalKind`, `approverIds[]`, `itsmRef`).
- Purview retention labels are applied to the orphan's records (Dataverse tables, SharePoint sites, Teams messages) per the firm's records schedule.
4.3 Detection Signal Sources — SLA reference
Reproduced from Control 3.6 §Detection Signal Sources. Dates are the maximum elapsed calendar time from first-detected to terminal state (reassigned, archived, or deleted).
| # | Category | Z3 SLA | Z2 SLA | Z1 SLA |
|---|---|---|---|---|
| 1 | Ownerless (narrow) | 7d | 14d | 30d |
| 2 | Sponsor-departed | real-time / 24h | 10 bd | 10 bd |
| 3 | Maker-departed | 7d | 14d | 30d |
| 4 | Environment-owner departed | 3d | 7d | 14d |
| 5 | SharePoint agent — author disabled | 7d | 14d | 30d |
| 6 | Environment deleted | 3d | 3d | 7d |
| 7 | Inactivity | 30d | 60d | 90d |
| 8 | License expired | 7d | 14d | 30d |
| 9 | Broken connector | 14d | 30d | 30d |
| 10 | Shadow agent | 7d | 14d | 30d |
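The table mixes units: most cells are calendar days, but the Zone 2 and Zone 1 SLAs for category 2 are ten business days, which a plain `TimeSpan` comparison of `terminalAt - firstDetectedAt` cannot express. The following is an added example, not the sister Setup's `Get-Agt36SlaTable`, that encodes the table as written and resolves each cell to a concrete deadline; the function names, the register-row shape (`AgentId`, `Category`, `Zone`, `FirstDetectedAt`, `TerminalAt`, as used in §4.4), and the holiday list are assumptions, and all sample rows and dates are constructed.

```powershell
# Added example (not the sister Setup's Get-Agt36SlaTable): §4.3 as data, plus a
# deadline resolver that handles the business-day cells. Holidays are a constructed,
# hypothetical list; substitute the firm's own calendar.
$script:Agt36SlaSpec = @{
    # category = @(Z3, Z2, Z1); 'Nh' hours, 'Nd' calendar days, 'Nbd' business days
    1  = @('7d',  '14d',  '30d')
    2  = @('24h', '10bd', '10bd')   # Z3 "real-time / 24h" is enforced as 24 h
    3  = @('7d',  '14d',  '30d')
    4  = @('3d',  '7d',   '14d')
    5  = @('7d',  '14d',  '30d')
    6  = @('3d',  '3d',   '7d')
    7  = @('30d', '60d',  '90d')
    8  = @('7d',  '14d',  '30d')
    9  = @('14d', '30d',  '30d')
    10 = @('7d',  '14d',  '30d')
}

function Get-Agt36SlaDeadline {
    [CmdletBinding()]
    [OutputType([datetime])]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 10)][int] $Category,
        [Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]  $Zone,
        [Parameter(Mandatory)][datetime]                  $FirstDetectedAt,
        [datetime[]]                                      $Holidays = @()
    )
    $spec = $script:Agt36SlaSpec[$Category][3 - $Zone]   # Z3 -> index 0, Z2 -> 1, Z1 -> 2
    if ($spec -match '^(\d+)(h|d|bd)$') { $n = [int]$Matches[1]; $unit = $Matches[2] }
    else { throw "Unparseable SLA spec '$spec' for category $Category zone $Zone" }

    $start = $FirstDetectedAt.ToUniversalTime()
    if ($unit -eq 'h') { return $start.AddHours($n) }
    if ($unit -eq 'd') { return $start.AddDays($n) }

    # Business days: walk forward one calendar day at a time, counting only Monday..Friday
    # dates not on the holiday list. Time of day is preserved (a 02:00Z detection has a
    # 02:00Z deadline), so the comparison in Test-Agt36SlaMet stays exact.
    $holidaySet = [System.Collections.Generic.HashSet[datetime]]::new()
    foreach ($h in $Holidays) { [void]$holidaySet.Add($h.Date) }
    $d = $start
    $remaining = $n
    while ($remaining -gt 0) {
        $d = $d.AddDays(1)
        $isWeekend = $d.DayOfWeek -in @([DayOfWeek]::Saturday, [DayOfWeek]::Sunday)
        if (-not $isWeekend -and -not $holidaySet.Contains($d.Date)) { $remaining-- }
    }
    return $d
}

function Test-Agt36SlaMet {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject] $Entry,   # orphan register row
        [datetime[]] $Holidays = @()
    )
    process {
        $deadline = Get-Agt36SlaDeadline -Category $Entry.Category -Zone $Entry.Zone -FirstDetectedAt $Entry.FirstDetectedAt -Holidays $Holidays
        [pscustomobject]@{
            AgentId  = $Entry.AgentId
            Category = $Entry.Category
            Zone     = $Entry.Zone
            Deadline = $deadline.ToString('o')
            Met      = ($Entry.TerminalAt.ToUniversalTime() -le $deadline)
        }
    }
}

# Constructed register rows (hypothetical IDs and dates). 2026-04-10 is a Friday; the
# hypothetical holiday on Friday 2026-04-17 pushes the 10-business-day deadline from
# Friday 2026-04-24 to Monday 2026-04-27, so agent-0001 meets it and agent-0002 does not.
$holidays = @([datetime]'2026-04-17')
$rows = @(
    [pscustomobject]@{ AgentId = 'agent-0001'; Category = 2; Zone = 2; FirstDetectedAt = [datetime]'2026-04-10T02:00:00Z'; TerminalAt = [datetime]'2026-04-24T18:00:00Z' }
    [pscustomobject]@{ AgentId = 'agent-0002'; Category = 2; Zone = 2; FirstDetectedAt = [datetime]'2026-04-10T02:00:00Z'; TerminalAt = [datetime]'2026-04-28T09:00:00Z' }
    [pscustomobject]@{ AgentId = 'agent-0003'; Category = 1; Zone = 3; FirstDetectedAt = [datetime]'2026-04-09T02:00:00Z'; TerminalAt = [datetime]'2026-04-14T18:03:00Z' }
)
$rows | Test-Agt36SlaMet -Holidays $holidays | Format-Table
```

Whether a business-day SLA counts the detection day itself, and which holiday calendar applies to a multi-jurisdiction firm, are decisions the written supervisory procedures should state explicitly; whichever convention is chosen, encode it once here so the §4.4 attainment percentages and the examiner's manual recount agree.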
4.4 Pester suite
```powershell
Describe "AGT36-TERMINAL-SLA" -Tag 'Control3.6','VC-3' {
    BeforeAll {
        # Values are compared as TimeSpans. Note that the "10 bd" business-day cells for
        # category 2 (Z2/Z1) cannot be expressed as a fixed TimeSpan; Get-Agt36SlaTable must
        # resolve those per entry rather than returning a constant.
        $script:Sla    = Get-Agt36SlaTable
        $script:Closed = @(Get-Agt36OrphanRegister -Status 'terminal' -LookbackDays 90)
    }
    Context "Zone 3 — ≥95% on 90-day rolling window" {
        It "per-category Z3 SLA attainment is ≥95%" {
            foreach ($cat in 1..10) {
                $set = @($script:Closed | Where-Object { $_.Zone -eq 3 -and $_.Category -eq $cat })
                if ($set.Count -eq 0) { continue }
                $met = @($set | Where-Object { ($_.TerminalAt - $_.FirstDetectedAt) -le $script:Sla["Z3-$cat"] })
                ($met.Count / $set.Count) | Should -BeGreaterOrEqual 0.95 -Because "Z3 category $cat"
            }
        }
    }
    Context "Zone 2 — ≥90% rolling" {
        It "per-category Z2 SLA attainment is ≥90%" {
            foreach ($cat in 1..10) {
                $set = @($script:Closed | Where-Object { $_.Zone -eq 2 -and $_.Category -eq $cat })
                if ($set.Count -eq 0) { continue }
                $met = @($set | Where-Object { ($_.TerminalAt - $_.FirstDetectedAt) -le $script:Sla["Z2-$cat"] })
                ($met.Count / $set.Count) | Should -BeGreaterOrEqual 0.90 -Because "Z2 category $cat"
            }
        }
    }
    Context "Zone 1 — ≥80% rolling" {
        It "per-category Z1 SLA attainment is ≥80%" {
            foreach ($cat in 1..10) {
                $set = @($script:Closed | Where-Object { $_.Zone -eq 1 -and $_.Category -eq $cat })
                if ($set.Count -eq 0) { continue }
                $met = @($set | Where-Object { ($_.TerminalAt - $_.FirstDetectedAt) -le $script:Sla["Z1-$cat"] })
                ($met.Count / $set.Count) | Should -BeGreaterOrEqual 0.80 -Because "Z1 category $cat"
            }
        }
    }
}

Describe "AGT36-TERMINAL-DELETE" -Tag 'Control3.6','VC-5' {
    BeforeAll {
        $script:Deletes = @(Get-Agt36OrphanRegister -Status 'terminal' -TerminalKind 'delete' -LookbackDays 90)
        $script:Z3Deletes = @($script:Deletes | Where-Object Zone -eq 3)
    }
    Context "Zone 3 delete approvals" {
        It "every Z3 delete carries dual approval from AI Governance Lead AND Compliance Officer" {
            foreach ($d in $script:Z3Deletes) {
                $approvers = @($d.Approvers)
                $approvers.Role | Should -Contain 'AI Governance Lead'
                $approvers.Role | Should -Contain 'Compliance Officer'
                $approvers.Count | Should -BeGreaterOrEqual 2
                # Dual control means two distinct people, not one person holding both roles.
                @($approvers | Select-Object -ExpandProperty Upn -Unique).Count | Should -Be $approvers.Count
            }
        }
        It "every Z3 delete references a closed ITSM change ticket" {
            foreach ($d in $script:Z3Deletes) {
                $d.ItsmRef | Should -Match '^(SNOW|JIRA|CHG)-\d+$'
                $d.ItsmTicketState | Should -BeIn @('Closed','Resolved','Implemented')
            }
        }
        It "retention label on the agent's records is ≥6Y WORM and deletion-locked" {
            foreach ($d in $script:Z3Deletes) {
                $d.RetentionLabel.RetentionDurationDays | Should -BeGreaterOrEqual 2190
                $d.RetentionLabel.IsDeletionLocked | Should -BeTrue
                $d.RetentionLabel.BehaviorDuringRetentionPeriod | Should -BeIn @('retainAsRecord','retainAsRegulatoryRecord')
            }
        }
    }
    Context "Zone 3 archive approvals" {
        It "every Z3 archive carries at least AI Governance Lead approval" {
            foreach ($a in @(Get-Agt36OrphanRegister -Status 'terminal' -TerminalKind 'archive' -Zone 3 -LookbackDays 90)) {
                @($a.Approvers).Role | Should -Contain 'AI Governance Lead'
                $a.ItsmRef | Should -Match '^(SNOW|JIRA|CHG)-\d+$'
            }
        }
    }
}
```
4.5 Sample PASS evidence record (delete)
```json
{
  "control_id": "3.6", "namespace": "TERMINAL", "criterion": "VC-5", "zone": "3",
  "subject_id": "agent-1e2f3a4b", "subject_type": "remediation_ticket",
  "status": "PASS",
  "assertion": "Z3 delete approved by AI Governance Lead AND Compliance Officer; ITSM CHG-44821 Closed; retention label 10Y WORM deletion-locked.",
  "observed_value": {
    "terminal_kind": "delete",
    "approvers": [
      { "role": "AI Governance Lead", "upn": "jane.doe@contoso.com", "approved_at": "2026-04-14T16:02:11Z" },
      { "role": "Compliance Officer", "upn": "carlos.k@contoso.com", "approved_at": "2026-04-14T16:11:44Z" }
    ],
    "itsm_ref": "CHG-44821", "itsm_state": "Closed",
    "retention_label": { "name": "FSI-Records-10Y-WORM", "retention_days": 3650, "deletion_locked": true, "behavior": "retainAsRegulatoryRecord" },
    "category": 1, "first_detected_at": "2026-04-09T02:00:00Z", "terminal_at": "2026-04-14T18:03:00Z", "elapsed_days": 5.7
  },
  "evidence_artifacts": ["terminal-agent-1e2f3a4b.json","approval-CHG-44821.pdf","retention-label-FSI-Records-10Y-WORM.json"],
  "regulator_mappings": ["FINRA-3110","FINRA-4511","SEC-17a-4","SOX-302","SOX-404","GLBA-501b","NYDFS-500"]
}
```
4.6 Sample FAIL evidence record
{
"control_id": "3.6", "namespace": "TERMINAL", "criterion": "VC-5", "zone": "3",
"subject_id": "agent-9c8d7e6f", "subject_type": "remediation_ticket",
"status": "FAIL",
"assertion": "Z3 delete carries only one approver (AI Governance Lead); Compliance Officer approval missing; dual-control violated.",
"observed_value": { "approvers": [ { "role": "AI Governance Lead", "upn": "jane.doe@contoso.com" } ], "terminal_kind": "delete" },
"remediation_ref": "TRG-TERMINAL-03",
"regulator_mappings": ["FINRA-3110","SEC-17a-4","SOX-404"]
}
4.7 Examiner artifact
| Item | Value |
|---|---|
| Filename | terminal-{agentId}.json plus approval-{itsmRef}.pdf and retention-label export |
| Retention | 6 years WORM (remediation-ticket and approval-artifact rows of Evidence and Retention) |
| Signing | ITSM approval PDF (system signature) + AI Governance Lead pack counter-signature |
4.8 Zone thresholds
| Zone | PASS (VC-3) | PASS (VC-5 delete) |
|---|---|---|
| 3 | ≥95% SLA attainment per category | Dual approval (AI Governance Lead + Compliance Officer), ITSM Closed, retention ≥6Y WORM locked |
| 2 | ≥90% SLA attainment per category | Single approval (AI Governance Lead) + ITSM |
| 1 | ≥80% SLA attainment per category | Single approval + ITSM |
4.9 Regulator mapping
FINRA-3110 (supports registered-principal supervisory review — does not replace it), FINRA-4511, FINRA-25-07, SEC-17a-3, SEC-17a-4, SOX-302, SOX-404, GLBA-501b, OCC-2011-12, FED-SR-11-7, NYDFS-500.
§5 REASSIGN — Reassignment Integrity (VC-4)
5.1 Criterion mapping
VC-4: "On a sample of at least ten reassignments per quarter, the new owner meets all prerequisites (license, environment membership, maker / admin role) and the full set of agent permissions and metadata transferred atomically before the old accountability was severed." This is the regulator's favourite integrity test because it prevents a permissions-gap window and preserves books-and-records custody.
5.2 Pre-conditions
- DETECT, RECONCILE, and TERMINAL (reassign kind) have PASS status for the period.
- Sample frame: all Z3 reassignments in the quarter; if >10, sample 10 at random with reproducible seed; if <10, sample all.
- Pre/post snapshots captured by the orchestrator at T-0 (before reassign) and T+1 (after reassign).
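Worked example, added to this playbook and not part of its Get-Agt36* tooling: the four VC-4 checks evaluated directly against a T-0 / T+1 snapshot pair, so a reader can see what "permission gap", "metadata drift" and "atomicity breach" look like as data. The snapshot shape (PermissionSet, Metadata, NewOwnerAcceptedAt, OldOwnerRemovedAt) and the sample values are assumptions constructed for the example.

```powershell
# Added example, not part of the playbook: evaluates one reassignment from its
# T-0 and T+1 snapshots. The snapshot shape is an assumption; the function is not
# one of the playbook's Get-Agt36* cmdlets.
function Test-ReassignmentIntegrity {
    param(
        [Parameter(Mandatory)] [hashtable] $Before,   # T-0 snapshot
        [Parameter(Mandatory)] [hashtable] $After,    # T+1 snapshot
        [string[]] $IgnoreFields = @('owner', 'modifiedBy', 'modifiedOn')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Check 1: every permission granted at T-0 must still be present at T+1 (no gap window).
    $dropped = @($Before.PermissionSet | Where-Object { $_ -notin $After.PermissionSet })
    if ($dropped.Count -gt 0) { $findings.Add("permissions dropped: $($dropped -join ', ')") }

    # Check 2: metadata is identical apart from the owner and audit fields.
    foreach ($k in $Before.Metadata.Keys) {
        if ($k -in $IgnoreFields) { continue }
        if ($Before.Metadata[$k] -ne $After.Metadata[$k]) {
            $findings.Add("metadata '$k' changed: '$($Before.Metadata[$k])' -> '$($After.Metadata[$k])'")
        }
    }
    foreach ($k in $After.Metadata.Keys) {
        if ($k -notin $IgnoreFields -and -not $Before.Metadata.ContainsKey($k)) {
            $findings.Add("metadata '$k' appeared after reassign")
        }
    }

    # Check 3: the new owner accepted before the old owner's accountability was severed.
    if ($After.NewOwnerAcceptedAt -gt $After.OldOwnerRemovedAt) {
        $findings.Add("atomicity breach: old owner removed $($After.OldOwnerRemovedAt.ToString('o')) before acceptance $($After.NewOwnerAcceptedAt.ToString('o'))")
    }

    # Check 4: the owner field actually moved to a different principal.
    if ($Before.Metadata['owner'] -eq $After.Metadata['owner']) {
        $findings.Add('owner field unchanged; reassignment did not take effect')
    }

    [pscustomobject]@{
        AgentId  = $Before.AgentId
        Status   = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
        Findings = $findings.ToArray()
    }
}

# Constructed snapshots: one clean reassignment, and one that dropped a permission
# and removed the old owner before the new owner had accepted.
$cleanBefore = @{
    AgentId       = 'agent-4a5b6c7d'
    PermissionSet = @('connector:sharepoint:read', 'connector:dataverse:rw', 'env:maker')
    Metadata      = @{ owner = 'departed.user@contoso.com'; displayName = 'Claims Triage'; environment = 'env-fin-prod'; modifiedOn = '2026-03-01T08:00:00Z' }
}
$cleanAfter = @{
    AgentId            = 'agent-4a5b6c7d'
    PermissionSet      = @('connector:sharepoint:read', 'connector:dataverse:rw', 'env:maker')
    Metadata           = @{ owner = 'lin.zhou@contoso.com'; displayName = 'Claims Triage'; environment = 'env-fin-prod'; modifiedOn = '2026-03-12T14:02:14Z' }
    NewOwnerAcceptedAt = [datetimeoffset]'2026-03-12T14:02:10Z'
    OldOwnerRemovedAt  = [datetimeoffset]'2026-03-12T14:02:14Z'
}
$badBefore = @{
    AgentId       = 'agent-8e9f0a1b'
    PermissionSet = @('connector:sharepoint:read', 'connector:dataverse:rw')
    Metadata      = @{ owner = 'departed.user@contoso.com'; displayName = 'Trade Recap'; environment = 'env-fin-prod' }
}
$badAfter = @{
    AgentId            = 'agent-8e9f0a1b'
    PermissionSet      = @('connector:sharepoint:read')
    Metadata           = @{ owner = 'a.b@contoso.com'; displayName = 'Trade Recap'; environment = 'env-fin-prod' }
    NewOwnerAcceptedAt = [datetimeoffset]'2026-03-13T09:30:00Z'
    OldOwnerRemovedAt  = [datetimeoffset]'2026-03-13T09:00:00Z'
}

Test-ReassignmentIntegrity -Before $cleanBefore -After $cleanAfter
Test-ReassignmentIntegrity -Before $badBefore  -After $badAfter
```

The second call is the shape of the 5.5 FAIL record: the Findings array is what the assertion string and observed_value are built from, and the ordering check is the one that distinguishes a "permissions-gap window" from a merely incomplete transfer.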
5.3 Pester suite
Describe "AGT36-REASSIGN" -Tag 'Control3.6','VC-4' {
BeforeAll {
$script:Sample = Get-Agt36ReassignmentSample -QuarterId (Get-Agt36Quarter) -MinSize 10
}
Context "New-owner prerequisites" {
It "new owner holds the required license" {
foreach ($r in $script:Sample) {
$r.NewOwner.Licenses | Should -Contain (Get-Agt36Config).RequiredOwnerLicenseSku
}
}
It "new owner is a member of the agent's Power Platform environment" {
foreach ($r in $script:Sample) {
$r.NewOwner.EnvironmentRoles[$r.EnvironmentId] | Should -BeIn @('EnvironmentMaker','EnvironmentAdmin','SystemAdministrator')
}
}
It "new owner is a distinct security principal from the departed owner" {
foreach ($r in $script:Sample) {
$r.NewOwner.ObjectId | Should -Not -Be $r.OldOwner.ObjectId
$r.NewOwner.UserType | Should -Be 'Member'
}
}
It "new owner is not a distribution list or shared mailbox" {
foreach ($r in $script:Sample) {
$r.NewOwner.PrincipalType | Should -BeIn @('User','Group:Security','ServicePrincipal:ManagedIdentity')
if ($r.NewOwner.PrincipalType -eq 'Group:Security') {
$r.NewOwner.IsAssignableToRole | Should -BeTrue
$r.NewOwner.IsMailEnabled | Should -BeFalse
}
}
}
}
Context "Permission and metadata transfer integrity" {
It "all agent permissions present at T-0 are present at T+1 on the new owner" {
foreach ($r in $script:Sample) {
$missing = Compare-Object $r.Before.PermissionSet $r.After.PermissionSet -PassThru |
Where-Object SideIndicator -eq '<='
$missing | Should -BeNullOrEmpty
}
}
It "agent metadata (display name, description, environment, connection refs) is byte-identical except the owner field" {
foreach ($r in $script:Sample) {
$diff = Compare-Agt36AgentMetadata -Before $r.Before.Metadata -After $r.After.Metadata -IgnoreFields 'owner','modifiedBy','modifiedOn'
$diff | Should -BeNullOrEmpty
}
}
It "old owner accountability is severed only after new owner accepts" {
foreach ($r in $script:Sample) {
$r.NewOwner.AcceptedAt | Should -BeLessOrEqual $r.OldOwner.RemovedAt
}
}
}
}
5.4 Sample PASS evidence record
{
"control_id": "3.6", "namespace": "REASSIGN", "criterion": "VC-4", "zone": "3",
"subject_id": "agent-4a5b6c7d", "subject_type": "reassignment",
"status": "PASS",
"assertion": "New owner Lin Zhou has license, env-maker role, accepted at 2026-03-12T14:02Z; permission set and metadata identical pre/post.",
"observed_value": {
"old_owner_upn": "departed.user@contoso.com",
"new_owner_upn": "lin.zhou@contoso.com",
"new_owner_accepted_at": "2026-03-12T14:02:10Z",
"old_owner_removed_at": "2026-03-12T14:02:14Z",
"permission_delta": [],
"metadata_delta_ignoring_owner": []
},
"evidence_artifacts": ["reassign-agent-4a5b6c7d.json","reassign-agent-4a5b6c7d-before.json","reassign-agent-4a5b6c7d-after.json"],
"regulator_mappings": ["FINRA-3110","FINRA-4511","SEC-17a-4","SOX-404","GLBA-501b","NYDFS-500"]
}
5.5 Sample FAIL evidence record
{
"control_id": "3.6", "namespace": "REASSIGN", "criterion": "VC-4", "zone": "3",
"subject_id": "agent-8e9f0a1b", "subject_type": "reassignment",
"status": "FAIL",
"assertion": "New owner lacks required Power Platform per-user license; reassignment committed without prerequisite.",
"observed_value": { "new_owner_upn":"a.b@contoso.com", "missing_license":"POWERAUTOMATE_ATTENDED_RPA" },
"remediation_ref": "TRG-REASSIGN-01",
"regulator_mappings": ["FINRA-4511","SOX-404","NYDFS-500"]
}
5.6 Examiner artifact
| Item | Value |
|---|---|
| Filename | reassign-{agentId}.json, plus before.json / after.json snapshots |
| Retention | 6 years WORM (sponsor/owner reassignment approval row of Evidence and Retention) |
| Signing | Power Platform Admin performs; AI Governance Lead counter-signs at pack assembly |
5.7 Zone thresholds
| Zone | PASS | WARN | FAIL |
|---|---|---|---|
| 3 | 10/10 sample passes all four checks | 9/10 with a documented corrective action | ≤8/10 or any atomicity breach |
| 2 | 8/10 sample passes | 7/10 with corrective action | ≤6/10 |
| 1 | 7/10 sample passes | 6/10 with corrective action | ≤5/10 |
5.8 Regulator mapping
FINRA-3110, FINRA-4511, FINRA-25-07, SEC-17a-4, SOX-302, SOX-404, GLBA-501b, OCC-2011-12, NYDFS-500.
§6 HR — HR Connector Feed Integrity (Supporting)
6.1 Criterion mapping
Supporting evidence for VC-1 / VC-3: the orphan detector cannot detect sponsor-departed, maker-departed, or environment-owner-departed orphans without a healthy HR connector providing employeeLeaveDateTime, employeeHireDate, employeeId, and termination event signals to Microsoft Entra. A broken or stale HR feed silently breaks four of the ten Detection Signal Sources.
6.2 Pre-conditions
- Entra Identity Governance Admin can read /identityGovernance/workflowsHrSync/connectors.
- HR connector has been configured per Control 3.5 (Identity Lifecycle for Agent Sponsors and Makers).
6.3 Pester suite
Describe "AGT36-HR" -Tag 'Control3.6','Supporting' {
BeforeAll {
$script:Connectors = Get-Agt36HrConnector
}
Context "Connector health and freshness" {
It "at least one HR connector is in Healthy state" {
($script:Connectors | Where-Object Status -eq 'Healthy').Count | Should -BeGreaterOrEqual 1
}
It "last successful sync is within the tenant freshness SLA" {
foreach ($c in $script:Connectors) {
((Get-Date).ToUniversalTime() - $c.LastSuccessfulSyncUtc).TotalHours | Should -BeLessOrEqual 24
}
}
It "employeeLeaveDateTime attribute is mapped and populated for ≥98% of leavers in last 30 days" {
$leavers = Get-Agt36HrLeaver -LookbackDays 30
$populated = $leavers | Where-Object { $_.EmployeeLeaveDateTime -ne $null }
($populated.Count / [math]::Max(1,$leavers.Count)) | Should -BeGreaterOrEqual 0.98
}
}
Context "Cascading impact on Detection Signal Sources" {
It "every leaver in last 30 days surfaces as a sponsor / maker / owner departure event when applicable" {
foreach ($l in (Get-Agt36HrLeaver -LookbackDays 30)) {
$cascade = Get-Agt36DepartureCascade -PrincipalId $l.PrincipalId
$cascade.Detected | Should -BeTrue -Because "leaver $($l.Upn) must be reflected in detection signals"
}
}
}
}
6.4 Sample PASS evidence record
{
"control_id": "3.6", "namespace": "HR", "criterion": "supporting", "zone": "all",
"subject_id": "hr-connector-workday-prod", "subject_type": "hr_feed",
"status": "PASS",
"assertion": "Workday HR connector Healthy, last sync 2h22m ago, 99.4% of last-30-day leavers carry employeeLeaveDateTime.",
"observed_value": { "status":"Healthy", "last_sync_age_minutes":142, "leavers_with_leave_date_pct":0.994, "leavers_count":491 },
"evidence_artifacts": ["hr-feed-2026W15.json"],
"regulator_mappings": ["FINRA-4511","SEC-17a-4","SOX-404","GLBA-501b","NYDFS-500"]
}
6.5 Sample FAIL evidence record
{
"control_id":"3.6","namespace":"HR","criterion":"supporting","zone":"all",
"subject_id":"hr-connector-workday-prod","subject_type":"hr_feed",
"status":"FAIL",
"assertion":"HR connector last successful sync is 38h ago — exceeds 24h freshness SLA. Sponsor/maker departure cascade is at risk.",
"observed_value":{"status":"Degraded","last_sync_age_minutes":2280},
"remediation_ref":"TRG-HR-01",
"regulator_mappings":["FINRA-4511","SOX-404","NYDFS-500"]
}
6.6 Examiner artifact, thresholds, regulators
| Item | Value |
|---|---|
| Retention | 1 year operational + roll-up summary in 6Y attestation pack |
| Z3 PASS | Healthy + ≤24h sync age + ≥98% leave-date populated |
| Z2/Z1 PASS | Healthy + ≤72h sync age + ≥95% leave-date populated |
| Regulators | FINRA-4511, SEC-17a-4, SOX-404, GLBA-501b, NYDFS-500, FFIEC-MGMT |
§7 SPONSOR — Entra Agent ID Sponsor-Departure Cascade
7.1 Criterion mapping
Supporting evidence for VC-1 (Detection Signal Source #2) and VC-3 (real-time / 24h Z3 SLA): when a registered sponsor departs, every Entra Agent ID for which they were named sponsor must be (a) detected within 24h on Z3, (b) routed to a sponsor-task in the Entra Agent ID surface for re-sponsorship or terminal action, and (c) reflected in the orphan register as category-2.
7.2 Pre-conditions
- HR namespace PASS (else cascade evidence is unreliable).
- Entra Agent ID Admin can read /identityGovernance/agentSponsorships and /identityGovernance/agentSponsorTasks.
- Sponsor-task workflow has SLA timer configured per zone.
7.3 Pester suite
Describe "AGT36-SPONSOR" -Tag 'Control3.6','Supporting','VC-1','VC-3' {
BeforeAll {
$script:Departed = Get-Agt36DepartedSponsor -LookbackDays 30
}
Context "Cascade completeness" {
It "every agent with a departed sponsor surfaces as a category-2 orphan within 24h (Z3)" {
foreach ($s in $script:Departed) {
foreach ($agent in $s.SponsoredAgents | Where-Object Zone -eq 3) {
$reg = Get-Agt36OrphanRegisterEntry -AgentId $agent.AgentId
$reg.Category | Should -Be 2
($reg.FirstDetectedAt - $s.LeaveDateTime).TotalHours | Should -BeLessOrEqual 24
}
}
}
It "every cascade-detected agent has an Entra Agent ID sponsor-task created" {
foreach ($s in $script:Departed) {
foreach ($agent in $s.SponsoredAgents) {
$task = Get-Agt36SponsorTask -AgentId $agent.AgentId
$task | Should -Not -BeNullOrEmpty
$task.State | Should -BeIn @('open','assigned','resolved','escalated')
}
}
}
}
Context "Multi-agent cascade integrity" {
It "no Z3 sponsor-departure leaves a sponsored agent undetected after 24h" {
$stragglers = Get-Agt36SponsorCascadeStraggler -Zone 3 -OlderThanHours 24
$stragglers | Should -BeNullOrEmpty
}
}
}
7.4 Sample PASS / FAIL evidence
{
"control_id":"3.6","namespace":"SPONSOR","criterion":"VC-1+VC-3","zone":"3",
"subject_id":"sponsor-departure-jdoe","subject_type":"sponsor_task",
"status":"PASS",
"assertion":"Sponsor jdoe@contoso.com left 2026-04-09T17:02Z; all 7 Z3-sponsored agents detected and sponsor-tasked within 24h.",
"observed_value":{"sponsored_agent_count":7,"detected_within_24h":7,"max_detection_lag_hours":3.4},
"evidence_artifacts":["sponsor-departure-jdoe.json"],
"regulator_mappings":["FINRA-3110","FINRA-4511","FINRA-25-07","SEC-17a-4","SOX-404","NYDFS-500"]
}
{
"control_id":"3.6","namespace":"SPONSOR","criterion":"VC-1+VC-3","zone":"3",
"subject_id":"sponsor-departure-msmith","subject_type":"sponsor_task",
"status":"FAIL",
"assertion":"3 of 5 Z3-sponsored agents not detected after 26h; cascade integrity broken.",
"observed_value":{"sponsored_agent_count":5,"detected_within_24h":2,"undetected_after_24h":3},
"remediation_ref":"TRG-SPONSOR-01",
"regulator_mappings":["FINRA-3110","SOX-404","NYDFS-500"]
}
7.5 Thresholds & regulators
Z3: 100% cascade within 24h. Z2: ≥95% within 10 business days. Z1: ≥90% within 10 business days. Regulators: FINRA-3110 (supports), FINRA-4511, FINRA-25-07, SEC-17a-4, SOX-302, SOX-404, NYDFS-500.
§8 BULK — Bulk-Reassign Safety Gates
8.1 Criterion mapping
Supporting — protects the integrity of REASSIGN (§5) when remediations are batched. A poorly-gated bulk reassignment can silently transfer custody of dozens of agents to a single principal who lacks proper licensing, can over-apply to false positives (DL-owned agents that are not in fact orphans), and can race the SLA window.
8.2 Pre-conditions
- Bulk-reassign tooling runs in dry-run by default; -Commit requires an explicit AI Governance Lead approval ticket.
- Exclusion list maintained for non-orphan ownership patterns: distribution-list-owned agents, role-assignable security-group-owned agents, managed-identity-owned agents.
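Worked example, added here and not the playbook's bulk-reassign tooling: how the dry-run / commit pairing and the exclusion list in the pre-conditions above can be enforced as code. It hashes a canonical (sorted, de-duplicated) agent-ID list so the 8.3 suite's scope-hash comparison cannot be defeated by query ordering, applies the three non-orphan ownership patterns, and gates the commit on the hash, the 24h pairing window and a closed approval ticket. PrincipalType values are the playbook's vocabulary; the function names, the run-record fields, the candidate list and the AGV-0000 ticket are constructed placeholders.

```powershell
# Added example, not the playbook's tooling. Run records and agents are constructed.
function Get-BulkScopeHash {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $AgentIds)
    # Sort + unique first so the same agent set hashes identically regardless of query order.
    $canonical = ($AgentIds | Sort-Object -Unique) -join "`n"
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($canonical))
        ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
    } finally { $sha.Dispose() }
}

function Select-BulkReassignScope {
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Candidates)
    $inScope  = [System.Collections.Generic.List[object]]::new()
    $excluded = [System.Collections.Generic.List[object]]::new()
    foreach ($c in $Candidates) {
        $o = $c.Owner
        # Ownership patterns that are not orphans and must never enter a commit scope.
        $nonOrphan = ($o.PrincipalType -eq 'Group:Distribution') -or
                     ($o.PrincipalType -eq 'ServicePrincipal:ManagedIdentity') -or
                     ($o.PrincipalType -eq 'Group:Security' -and $o.IsAssignableToRole)
        if ($nonOrphan) { $excluded.Add($c) } else { $inScope.Add($c) }
    }
    [pscustomobject]@{
        InScope     = $inScope.ToArray()
        Excluded    = $excluded.ToArray()
        ScopeSha256 = Get-BulkScopeHash -AgentIds @($inScope | Select-Object -ExpandProperty AgentId)
    }
}

function Test-BulkCommitGate {
    param([Parameter(Mandatory)] $DryRun, [Parameter(Mandatory)] $Commit, [int] $MaxPairingHours = 24)
    $reasons = @()
    if ($Commit.ScopeSha256 -ne $DryRun.ScopeSha256) { $reasons += 'scope hash differs from paired dry-run' }
    if (($Commit.StartedAt - $DryRun.StartedAt).TotalHours -gt $MaxPairingHours) { $reasons += "paired dry-run older than ${MaxPairingHours}h" }
    if ($Commit.ApprovalTicket -notmatch '^(SNOW|JIRA|AGV)-\d+$') { $reasons += 'approval ticket missing or malformed' }
    if ($Commit.ApprovalTicketState -notin @('Closed', 'Resolved', 'Implemented')) { $reasons += 'approval ticket not closed' }
    [pscustomobject]@{ Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed candidate list: two genuine orphans plus the three excluded ownership patterns.
$candidates = @(
    [pscustomobject]@{ AgentId = 'agent-0001'; Owner = @{ PrincipalType = 'User'; ObjectId = 'deleted-u1' } }
    [pscustomobject]@{ AgentId = 'agent-0002'; Owner = @{ PrincipalType = 'User'; ObjectId = 'deleted-u2' } }
    [pscustomobject]@{ AgentId = 'agent-0003'; Owner = @{ PrincipalType = 'Group:Distribution' } }
    [pscustomobject]@{ AgentId = 'agent-0004'; Owner = @{ PrincipalType = 'ServicePrincipal:ManagedIdentity' } }
    [pscustomobject]@{ AgentId = 'agent-0005'; Owner = @{ PrincipalType = 'Group:Security'; IsAssignableToRole = $true } }
)
$scope = Select-BulkReassignScope -Candidates $candidates

# Commit paired with a dry-run of the same scope, inside the pairing window, with a closed ticket.
$dryRun = [pscustomobject]@{ Mode = 'DryRun'; ScopeSha256 = $scope.ScopeSha256; StartedAt = [datetimeoffset]'2026-04-10T09:00:00Z' }
$commit = [pscustomobject]@{
    Mode = 'Commit'; ScopeSha256 = $scope.ScopeSha256; StartedAt = [datetimeoffset]'2026-04-10T15:30:00Z'
    ApprovalTicket = 'AGV-0000'; ApprovalTicketState = 'Closed'   # placeholder ticket id
}
Test-BulkCommitGate -DryRun $dryRun -Commit $commit

# Same commit, but with an excluded DL-owned agent re-added to the scope after the dry-run.
$widened = $commit.PSObject.Copy()
$widened.ScopeSha256 = Get-BulkScopeHash -AgentIds @('agent-0001', 'agent-0002', 'agent-0003')
Test-BulkCommitGate -DryRun $dryRun -Commit $widened
```

The widened commit is the Scenario D case from §14: the exclusion filter keeps the DL-owned agent out of the dry-run scope, and any later widening changes the scope hash, so the commit gate refuses it before a false positive is committed.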
8.3 Pester suite
Describe "AGT36-BULK" -Tag 'Control3.6','Supporting' {
BeforeAll {
$script:Runs = Get-Agt36BulkReassignRun -LookbackDays 90
}
Context "Safety gates on every commit" {
It "every -Commit run has a paired -DryRun within the prior 24h with identical scope hash" {
foreach ($r in $script:Runs | Where-Object Mode -eq 'Commit') {
$r.PairedDryRunId | Should -Not -BeNullOrEmpty
$r.PairedDryRunScopeSha256 | Should -Be $r.ScopeSha256
($r.StartedAt - $r.PairedDryRunStartedAt).TotalHours | Should -BeLessOrEqual 24
}
}
It "every -Commit run cites a closed AI-Governance approval ticket" {
foreach ($r in $script:Runs | Where-Object Mode -eq 'Commit') {
$r.ApprovalTicket | Should -Match '^(SNOW|JIRA|AGV)-\d+$'
$r.ApprovalTicketState | Should -BeIn @('Closed','Resolved','Implemented')
}
}
It "exclusion list is applied; no DL-owned, MI-owned, or role-assignable group-owned agent is in the commit scope" {
foreach ($r in $script:Runs | Where-Object Mode -eq 'Commit') {
$excluded = $r.ExpandedScope | Where-Object {
$_.Owner.PrincipalType -eq 'Group:Distribution' -or
$_.Owner.PrincipalType -eq 'ServicePrincipal:ManagedIdentity' -or
($_.Owner.PrincipalType -eq 'Group:Security' -and $_.Owner.IsAssignableToRole)
}
$excluded | Should -BeNullOrEmpty
}
}
It "post-run false-positive rate is ≤1%" {
foreach ($r in $script:Runs | Where-Object Mode -eq 'Commit') {
($r.FalsePositives.Count / [math]::Max(1,$r.CommittedCount)) | Should -BeLessOrEqual 0.01
}
}
}
}
8.4 Sample evidence
{
"control_id":"3.6","namespace":"BULK","criterion":"supporting","zone":"all",
"subject_id":"bulk-run-2026Q1-04","subject_type":"reassignment",
"status":"PASS",
"assertion":"Bulk reassign 47 agents committed under AGV-1244; dry-run paired; exclusions applied; 0 false positives.",
"observed_value":{"committed":47,"false_positives":0,"approval_ticket":"AGV-1244","dry_run_id":"bulk-run-2026Q1-04-dry"},
"evidence_artifacts":["bulk-run-2026Q1-04.json","bulk-run-2026Q1-04-dry.json","approval-AGV-1244.pdf"],
"regulator_mappings":["FINRA-4511","SEC-17a-4","SOX-404","NYDFS-500","OCC-2011-12"]
}
8.5 Thresholds & regulators
Z3: false-positive rate ≤1%, dual-control on every commit, dry-run pairing. Z2: ≤2%. Z1: ≤5%. Regulators: FINRA-4511, SEC-17a-4, SOX-404, OCC-2011-12, NYDFS-500.
§9 SOV — Sovereign-Cloud Compensating Control
9.1 Criterion mapping
VC-6. As of April 2026, Microsoft has not announced general availability of the Microsoft 365 Agent 365 Ownerless Agents card or of Entra Agent ID lifecycle workflows in GCC, GCC High, or DoD. Sovereign tenants therefore rely on a manual quarterly reconciliation worksheet, dual-signed by the AI Governance Lead and the Compliance Officer, that recomputes every category-1 entry from raw Graph and Power Platform queries. This is a compensating control — not a substitute for the commercial-cloud automation. Re-verify Microsoft Learn at each quarterly cycle for parity announcements.
9.2 GCC / GCC High / DoD bootstrap
Run Test-Agt36SovereignTenant (§0.4). When is_sovereign=$true, every automated It in §2–§8 and §10–§12 emits a SKIPPED evidence record with remediation_ref="see §9 SOV". The SOV namespace is the only namespace that produces a substantive PASS for sovereign tenants.
9.3 Manual worksheet inputs
The worksheet is a versioned, locked template (SOV-Reconcile-3.6-{YYYY}Q{N}.xlsx) with the following sheets:
- Sources — Graph and Power Platform query exports (CSV) with run timestamps and SHA-256.
- Category-1 (Ownerless) — synthesized list of agents whose owner principal is unset or deleted.
- Category-2 through 10 — one sheet per Detection Signal Source; each row carries detection date, category, zone, and proposed remediation.
- Reconcile — formula sheet that compares the synthesized list to the orphan register.
- Variance — substantiation memo per variance.
- Sign-off — dual signatures (AI Governance Lead + Compliance Officer), capture date, hash of all preceding sheets.
9.4 Manual procedure (quarterly)
- Capture sources. Power Platform Admin runs Get-AdminPowerApp, Get-AdminPowerAppEnvironment, and the maker / connector exports; AI Administrator runs the agent-inventory Graph query (/beta/agentGovernance/agents if available, else /beta/applications filtered to agent-bearing app templates); Entra Identity Governance Admin exports HR-driven leaver list; SharePoint Admin exports SharePoint-agent author state.
- Compute category-1. Join exports on owner principal; the synthesized count is the category-1 ground truth for the quarter.
- Compare to register. Reconcile sheet computes variance per category; every nonzero variance gets a substantiation memo on the Variance sheet.
- Sign. AI Governance Lead and Compliance Officer sign on the Sign-off sheet. The worksheet is exported to PDF, hashed, and locked.
- Persist. PDF + XLSX + raw CSVs assembled into the §14 evidence pack; retention label FSI-Records-6Y-WORM, deletion locked.
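Worked example, added here and not the playbook's locked worksheet: the Sources, Category-1 and Reconcile steps of the quarterly procedure above as a script over the raw CSV exports, so the "join on owner principal" and the variance computation are explicit rather than spreadsheet formulas. The three exports, their column names and the "owner not in directory export" rule are constructed assumptions; a real export from the Graph and Power Platform queries will carry different columns.

```powershell
# Added example, not the playbook's worksheet. All exports below are constructed.
$agentsCsv = @'
AgentId,DisplayName,OwnerObjectId,Zone
agent-001,Claims Triage,u-100,3
agent-002,KYC Summariser,u-200,3
agent-003,Ledger Helper,,3
agent-004,Branch FAQ,u-300,2
agent-005,Trade Recap,u-400,3
'@
$usersCsv = @'
ObjectId,Upn,AccountState
u-100,alice@contoso.gov,active
u-200,bob@contoso.gov,deleted
u-300,carol@contoso.gov,active
'@
# u-400 is absent from the directory export: the owner object can no longer be resolved.
$registerCsv = @'
AgentId,Category,Zone
agent-002,1,3
agent-003,1,3
'@

function Get-TextSha256 {
    param([Parameter(Mandatory)] [string] $Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)))).Replace('-', '').ToLowerInvariant() }
    finally { $sha.Dispose() }
}

# Sources sheet: one manifest row per export with row count, capture timestamp and SHA-256.
function Get-SourceManifest {
    param([Parameter(Mandatory)] [hashtable] $Exports)   # export name -> CSV text
    foreach ($name in ($Exports.Keys | Sort-Object)) {
        [pscustomobject]@{
            Source        = $name
            Rows          = @($Exports[$name] | ConvertFrom-Csv).Count
            Sha256        = Get-TextSha256 -Text $Exports[$name]
            CapturedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Category-1 sheet: owner principal unset, deleted, or not resolvable in the directory export.
function Get-Category1Agents {
    param([Parameter(Mandatory)] [object[]] $Agents, [Parameter(Mandatory)] [object[]] $Users)
    $isActive = @{}
    foreach ($u in $Users) { $isActive[$u.ObjectId] = ($u.AccountState -eq 'active') }
    foreach ($a in $Agents) {
        $reason = if ([string]::IsNullOrWhiteSpace($a.OwnerObjectId)) { 'owner unset' }
                  elseif (-not $isActive.ContainsKey($a.OwnerObjectId)) { 'owner not in directory export' }
                  elseif (-not $isActive[$a.OwnerObjectId]) { 'owner deleted' }
                  else { $null }
        if ($reason) { [pscustomobject]@{ AgentId = $a.AgentId; Zone = [int]$a.Zone; Reason = $reason } }
    }
}

# Reconcile sheet: synthesized count vs register count, plus the agent-level differences
# that a nonzero variance has to be substantiated against on the Variance sheet.
function Compare-Category1Register {
    param([AllowEmptyCollection()] [object[]] $Synthesized, [AllowEmptyCollection()] [object[]] $Register)
    $synthIds = @($Synthesized | Select-Object -ExpandProperty AgentId)
    $regIds   = @($Register | Where-Object Category -eq 1 | Select-Object -ExpandProperty AgentId)
    [pscustomobject]@{
        SynthCat1Count      = $synthIds.Count
        RegisterCat1Count   = $regIds.Count
        Variance            = $synthIds.Count - $regIds.Count
        MissingFromRegister = @($synthIds | Where-Object { $_ -notin $regIds })
        NotInSynthesized    = @($regIds | Where-Object { $_ -notin $synthIds })
        MemoRequired        = ($synthIds.Count -ne $regIds.Count)
    }
}

$manifest = Get-SourceManifest -Exports @{ 'raw-graph-agents' = $agentsCsv; 'raw-dir-users' = $usersCsv; 'register-cat1' = $registerCsv }
$cat1     = Get-Category1Agents -Agents ($agentsCsv | ConvertFrom-Csv) -Users ($usersCsv | ConvertFrom-Csv)
$recon    = Compare-Category1Register -Synthesized $cat1 -Register ($registerCsv | ConvertFrom-Csv)
$manifest | Format-Table
$cat1     | Format-Table
$recon    | Format-List
```

With this data the synthesized set has three category-1 agents against two in the register, so MemoRequired is true and MissingFromRegister names the agent the Variance sheet must explain. The manifest hashes are what the 9.5 evidence record's raw-*.csv artifacts and worksheet_sha256 are meant to chain back to.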
9.5 Sample SOV evidence record
{
"control_id":"3.6","namespace":"SOV","criterion":"VC-6","zone":"3",
"cloud":"GCCH",
"subject_id":"sov-reconcile-2026Q1","subject_type":"manual_attestation",
"status":"PASS",
"assertion":"Quarterly manual reconciliation completed; category-1 synthesized count (24) matches register (24); variance 0; dual signatures captured.",
"observed_value":{
"synth_cat1_count":24,"register_cat1_count":24,"variance":0,
"signed_by":[
{"role":"AI Governance Lead","upn":"jane.doe@contoso.gov","signed_at":"2026-04-15T18:11:02Z"},
{"role":"Compliance Officer", "upn":"carlos.k@contoso.gov","signed_at":"2026-04-15T18:14:48Z"}
],
"worksheet_sha256":"e7d4…","worksheet_pdf_sha256":"71aa…"
},
"evidence_artifacts":[
"SOV-Reconcile-3.6-2026Q1.xlsx","SOV-Reconcile-3.6-2026Q1.pdf",
"raw-graph-agents-2026Q1.csv","raw-pp-apps-2026Q1.csv","raw-hr-leavers-2026Q1.csv"
],
"regulator_mappings":["FINRA-3110","FINRA-4511","FINRA-25-07","SEC-17a-4","SOX-302","SOX-404","NYDFS-500","FED-SR-11-7","OCC-2011-12"]
}
9.6 Pester wrapper for SOV (light-touch)
Describe "AGT36-SOV" -Tag 'Control3.6','VC-6' {
BeforeDiscovery {
# Evaluated at discovery time so the -Skip condition is known before the tests are scheduled;
# Set-ItResult is only valid inside an It block and cannot skip tests from BeforeAll.
$IsSovereign = [bool](Test-Agt36SovereignTenant).is_sovereign
}
Context "Sovereign worksheet (skipped on commercial cloud — automated namespaces apply)" -Skip:(-not $IsSovereign) {
BeforeAll {
$script:Wk = Get-Agt36SovereignWorksheet -QuarterId (Get-Agt36Quarter)
}
It "current quarter's worksheet exists and is hash-locked" {
$script:Wk | Should -Not -BeNullOrEmpty
$script:Wk.WorksheetSha256 | Should -Not -BeNullOrEmpty
$script:Wk.PdfSha256 | Should -Not -BeNullOrEmpty
}
It "worksheet carries dual signatures from AI Governance Lead and Compliance Officer" {
($script:Wk.Signers.Role | Sort-Object -Unique) | Should -Contain 'AI Governance Lead'
($script:Wk.Signers.Role | Sort-Object -Unique) | Should -Contain 'Compliance Officer'
}
It "variance is documented when nonzero" {
if ($script:Wk.Variance -gt 0) { $script:Wk.SubstantiationMemoUri | Should -Not -BeNullOrEmpty }
}
}
}
9.7 Examiner narrative
"Microsoft 365 Agent 365's Ownerless Agents card and Entra Agent ID lifecycle workflows are not generally available in GCC / GCC High / DoD as of the verification date (April 2026). To compensate, we perform a quarterly manual reconciliation that recomputes the category-1 ownerless set from raw Graph and Power Platform queries, dual-signed by the AI Governance Lead and the Compliance Officer, and retained for 6 years WORM. We re-verify Microsoft Learn each quarter for parity announcements and are prepared to retire the manual worksheet within one cycle of GA."
§10 SIEM — Detection/Remediation Event Forwarding
10.1 Criterion mapping
Supporting — the orphan register and the detection / remediation event streams must forward to the enterprise SIEM with 6-year retention so that examiners can reconstruct any cycle, sponsor departure, or delete decision independently of the Microsoft tenant.
10.2 Pester suite
Describe "AGT36-SIEM" -Tag 'Control3.6','Supporting' {
BeforeAll {
$script:Streams = Get-Agt36SiemStream
}
Context "Stream registration and health" {
It "detection-run and remediation-ticket streams are registered and active" {
$script:Streams.Name | Should -Contain 'agt36-detection-run'
$script:Streams.Name | Should -Contain 'agt36-remediation-ticket'
$script:Streams.Name | Should -Contain 'agt36-approval-artifact'
foreach ($s in $script:Streams) { $s.State | Should -Be 'Active' }
}
It "each stream declares ≥6-year retention" {
foreach ($s in $script:Streams) { $s.RetentionDays | Should -BeGreaterOrEqual 2190 }
}
It "each stream has produced events in the last 7 days" {
foreach ($s in $script:Streams) { $s.LastEventAgeHours | Should -BeLessOrEqual 168 }
}
}
Context "End-to-end trace" {
It "a sample detection cycle from the last 30 days is present in SIEM with matching run-bundle hash" {
$sample = Get-Agt36DetectionCycle -LookbackDays 30 | Get-Random -Count 1
$siem = Get-Agt36SiemEvent -Stream 'agt36-detection-run' -CorrelationId $sample.CycleId
$siem.RunBundleSha256 | Should -Be $sample.RunLogBundleSha256
}
}
}
10.3 Sample evidence
{
"control_id":"3.6","namespace":"SIEM","criterion":"supporting","zone":"all",
"subject_id":"siem-streams","subject_type":"detection_run",
"status":"PASS",
"assertion":"All three required streams Active, ≥6Y retention, sample cycle hash matches end-to-end.",
"observed_value":{"streams":["agt36-detection-run","agt36-remediation-ticket","agt36-approval-artifact"],"retention_days":2555,"sample_corr_match":true},
"regulator_mappings":["FINRA-4511","SEC-17a-4","SOX-404","NYDFS-500"]
}
10.4 Thresholds & regulators
Z3/Z2/Z1 share the same PASS: all three streams Active, ≥6Y retention, last-event age ≤168h, sample-cycle hash match. Regulators: FINRA-4511, SEC-17a-3, SEC-17a-4, SOX-404, NYDFS-500, OCC-2011-12, FFIEC-MGMT.
§11 RETAIN — Purview Retention Enforcement (VC-7)
11.1 Criterion mapping
VC-7: "The orphan register, all weekly card snapshots, detection-run bundles, remediation tickets, approval artifacts, quarterly attestation PDFs, and sovereign reconciliation worksheets are bound to a Purview retention label with retention ≥6 years, deletion-locked, and verified each month."
11.2 Pester suite
Describe "AGT36-RETAIN" -Tag 'Control3.6','VC-7' {
BeforeDiscovery {
# Pester 5 generates It blocks at discovery time, before BeforeAll runs, so the
# artifact-class list must be defined here; a list populated in BeforeAll yields no tests.
$Artifacts = @(
'orphan-register','ownerless-card-snapshot','detection-run-log',
'remediation-ticket','approval-artifact','quarterly-attestation','sovereign-reconciliation'
)
}
BeforeAll {
$script:Labels = Get-Agt36RetentionLabelBinding
}
Context "Per-artifact retention binding" {
It "<_> is bound to a ≥6Y deletion-locked retention label" -ForEach $Artifacts {
$b = $script:Labels | Where-Object ArtifactClass -eq $_
$b | Should -Not -BeNullOrEmpty
$b.RetentionDays | Should -BeGreaterOrEqual 2190
$b.IsDeletionLocked | Should -BeTrue
$b.Behavior | Should -BeIn @('retainAsRecord','retainAsRegulatoryRecord')
}
}
}
11.3 Sample evidence
{
"control_id":"3.6","namespace":"RETAIN","criterion":"VC-7","zone":"all",
"subject_id":"purview-binding-2026-04","subject_type":"retention_label",
"status":"PASS",
"assertion":"All 7 artifact classes bound to FSI-Records-6Y-WORM; deletion-locked; retainAsRegulatoryRecord.",
"observed_value":{"artifact_count":7,"retention_days_min":2190,"all_deletion_locked":true},
"regulator_mappings":["FINRA-4511","SEC-17a-4","SOX-302","SOX-404","CFTC-1.31","NYDFS-500"]
}
11.4 Thresholds & regulators
Z3/Z2/Z1: all 7 artifact classes bound, ≥6Y, deletion-locked, behaviour retainAsRecord or retainAsRegulatoryRecord. Any unbound artifact class is a FAIL at any zone. Regulators: FINRA-4511, SEC-17a-3, SEC-17a-4, SOX-302, SOX-404, CFTC-1.31, NYDFS-500, OCC-2011-12.
§12 PREVENT — Pre-Orphan Prevention Rate (VC-8)
12.1 Criterion mapping
VC-8: "Each quarter, measure the pre-orphan prevention rate — the proportion of agents created in the quarter whose ownership / sponsorship was kept current (no orphan event in the quarter of creation plus one) — and track year-over-year trend."
12.2 Formula
pre_orphan_prevention_rate(Q) =
1 - ( orphan_events_in(Q, Q+1) for agents created in Q
÷ agents_created_in(Q) )
Computed per zone, reported at quarterly governance review.
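Worked example, added here and not the playbook's Get-Agt36PreventionMetric: the 12.2 formula computed per zone from an agent-creation list and an orphan-event list, including the Q+1 window with year rollover and the year-over-year comparison the 12.3 suite performs against PriorYearRate - 0.02. Both input lists, their field names and the quarter-id format YYYYQn are constructed assumptions.

```powershell
# Added example, not the playbook's metric cmdlet. Inputs below are constructed.
function Get-QuarterId {
    param([Parameter(Mandatory)] [datetime] $Date)
    "{0}Q{1}" -f $Date.Year, [math]::Ceiling($Date.Month / 3)
}

function Get-NextQuarterId {
    param([Parameter(Mandatory)] [string] $QuarterId)
    if ($QuarterId -notmatch '^(\d{4})Q([1-4])$') { throw "Unrecognised quarter id '$QuarterId'" }
    $y = [int]$Matches[1]; $q = [int]$Matches[2]
    if ($q -eq 4) { "{0}Q1" -f ($y + 1) } else { "{0}Q{1}" -f $y, ($q + 1) }
}

function Get-PreOrphanPreventionRate {
    param(
        [Parameter(Mandatory)] [string] $QuarterId,
        [Parameter(Mandatory)] [object[]] $Agents,          # AgentId, Zone, CreatedAt
        [AllowEmptyCollection()] [object[]] $OrphanEvents   # AgentId, DetectedAt
    )
    $window = @($QuarterId, (Get-NextQuarterId -QuarterId $QuarterId))   # Q and Q+1
    foreach ($zone in ($Agents | Select-Object -ExpandProperty Zone -Unique | Sort-Object)) {
        $created = @($Agents | Where-Object { $_.Zone -eq $zone -and (Get-QuarterId -Date $_.CreatedAt) -eq $QuarterId })
        if ($created.Count -eq 0) { continue }   # rate is undefined when nothing was created in Q
        $createdIds = @($created | Select-Object -ExpandProperty AgentId)
        # Orphan events are counted as events (per the formula), restricted to agents created in Q
        # and to detections falling in Q or Q+1.
        $events = @($OrphanEvents | Where-Object { $_.AgentId -in $createdIds -and (Get-QuarterId -Date $_.DetectedAt) -in $window })
        [pscustomobject]@{
            Zone          = $zone
            Quarter       = $QuarterId
            AgentsCreated = $created.Count
            OrphanEvents  = $events.Count
            Rate          = [math]::Round(1 - ($events.Count / $created.Count), 3)
        }
    }
}

# Constructed input: cohorts created in 2025Q1, 2025Q4 and 2026Q1, and the orphan events raised against them.
$agents = @(
    [pscustomobject]@{ AgentId = 'agent-a';   Zone = 3; CreatedAt = [datetime]'2026-01-14' }
    [pscustomobject]@{ AgentId = 'agent-b';   Zone = 3; CreatedAt = [datetime]'2026-02-02' }
    [pscustomobject]@{ AgentId = 'agent-c';   Zone = 3; CreatedAt = [datetime]'2026-03-09' }
    [pscustomobject]@{ AgentId = 'agent-d';   Zone = 3; CreatedAt = [datetime]'2026-03-30' }
    [pscustomobject]@{ AgentId = 'agent-e';   Zone = 2; CreatedAt = [datetime]'2026-02-17' }
    [pscustomobject]@{ AgentId = 'agent-f';   Zone = 2; CreatedAt = [datetime]'2026-03-21' }
    [pscustomobject]@{ AgentId = 'agent-old'; Zone = 3; CreatedAt = [datetime]'2025-11-05' }
    [pscustomobject]@{ AgentId = 'agent-p1';  Zone = 3; CreatedAt = [datetime]'2025-01-20' }
    [pscustomobject]@{ AgentId = 'agent-p2';  Zone = 3; CreatedAt = [datetime]'2025-02-11' }
    [pscustomobject]@{ AgentId = 'agent-p3';  Zone = 3; CreatedAt = [datetime]'2025-03-03' }
)
$events = @(
    [pscustomobject]@{ AgentId = 'agent-a';   DetectedAt = [datetime]'2026-04-20' }   # Q+1 of 2026Q1: counts
    [pscustomobject]@{ AgentId = 'agent-b';   DetectedAt = [datetime]'2026-11-02' }   # beyond Q+1: does not count
    [pscustomobject]@{ AgentId = 'agent-old'; DetectedAt = [datetime]'2026-02-11' }   # created in 2025Q4: not in the 2026Q1 cohort
    [pscustomobject]@{ AgentId = 'agent-p2';  DetectedAt = [datetime]'2025-05-06' }   # Q+1 of 2025Q1: counts for the prior-year cohort
)

$current = Get-PreOrphanPreventionRate -QuarterId '2026Q1' -Agents $agents -OrphanEvents $events
$prior   = Get-PreOrphanPreventionRate -QuarterId '2025Q1' -Agents $agents -OrphanEvents $events

# YoY comparison per zone, mirroring the suite's "≥ prior year quarter - 0.02" check.
foreach ($m in $current) {
    $p = $prior | Where-Object Zone -eq $m.Zone
    [pscustomobject]@{
        Zone          = $m.Zone
        Rate          = $m.Rate
        PriorYearRate = $p.Rate
        NonRegressive = ($null -eq $p -or $m.Rate -ge ($p.Rate - 0.02))
    }
}
```

A zone with no creations in Q is omitted rather than reported as 1.0, so an empty cohort cannot inflate the roll-up; if the register records more than one event per agent the event count can exceed the cohort size, which is why the 12.4 record reports both agents_created and orphan_events_same_or_next_quarter alongside the rate.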
12.3 Pester suite
Describe "AGT36-PREVENT" -Tag 'Control3.6','VC-8' {
BeforeAll {
$script:Metrics = Get-Agt36PreventionMetric -QuarterId (Get-Agt36Quarter) -IncludeYoY
}
Context "Zone 3 target" {
It "Z3 pre-orphan prevention rate ≥ 0.95" {
($script:Metrics | Where-Object Zone -eq 3).Rate | Should -BeGreaterOrEqual 0.95
}
It "Z3 YoY trend is non-regressive (≥ prior year quarter - 0.02)" {
$m = $script:Metrics | Where-Object Zone -eq 3
$m.Rate | Should -BeGreaterOrEqual ($m.PriorYearRate - 0.02)
}
}
Context "Zone 2 target" {
It "Z2 pre-orphan prevention rate ≥ 0.90" {
($script:Metrics | Where-Object Zone -eq 2).Rate | Should -BeGreaterOrEqual 0.90
}
}
Context "Zone 1 target" {
It "Z1 pre-orphan prevention rate ≥ 0.80" {
($script:Metrics | Where-Object Zone -eq 1).Rate | Should -BeGreaterOrEqual 0.80
}
}
}
12.4 Sample evidence
{
"control_id":"3.6","namespace":"PREVENT","criterion":"VC-8","zone":"3",
"subject_id":"prevention-2026Q1","subject_type":"attestation",
"status":"PASS",
"assertion":"Z3 pre-orphan prevention rate 0.972 in 2026Q1 (prior year 0.963); trend non-regressive.",
"observed_value":{
"agents_created":358,"orphan_events_same_or_next_quarter":10,"rate":0.972,
"prior_year_rate":0.963,"yoy_delta":0.009,
"z2_rate":0.921,"z1_rate":0.831
},
"regulator_mappings":["FINRA-25-07","SOX-404","FED-SR-11-7","NYDFS-500","OCC-2011-12"]
}
12.5 Thresholds & regulators
| Zone | PASS | WARN | FAIL |
|---|---|---|---|
| 3 | ≥0.95 and non-regressive YoY | 0.90–0.95 | <0.90 or regression >0.02 |
| 2 | ≥0.90 | 0.85–0.90 | <0.85 |
| 1 | ≥0.80 | 0.75–0.80 | <0.75 |
Regulators: FINRA-25-07 (periodic monitoring of generative-AI supervisory program effectiveness), SOX-404, FED-SR-11-7, NYDFS-500, OCC-2011-12, FFIEC-MGMT.
§13 Manual Verification Procedures
Automation cannot cover every assertion. The following are performed manually each quarter and captured as PDF manual-attestation evidence records.
13.1 Supervisory review walkthrough (FINRA 3110)
Performer: AI Governance Lead in the presence of a registered principal (for firms to which FINRA 3110 applies). Procedure:
- Pick three Z3 orphan events closed in the quarter — one category-1, one category-2, one category-7.
- For each, walk the registered principal through: detection date, cascade path (if any), approvals, reassignment or terminal, retention binding, SIEM trace.
- Record principal's signed acknowledgement that the evidence supports supervisory review per the firm's written supervisory procedures.
- This walkthrough supports, but does not replace, the registered-principal supervisory review under FINRA Rule 3110; the firm's WSPs remain authoritative.
13.2 Shadow-agent sweep review (category 10)
Shadow-agent detection (Detection Signal Source #10) is the most error-prone source because it relies on pattern-matching naming conventions, connector usage, and Dataverse table heuristics. Each quarter, the AI Governance Lead reviews a 5-agent sample of category-10 detections with the Power Platform Admin to confirm true positives and to capture learnings into detector rules.
13.3 Litigation-hold interaction check
Every quarter, confirm with the Purview Compliance Admin that no orphan register entry or related record has been moved to a terminal-delete state while under a legal or litigation hold. Any conflict is a cycle-stopping FAIL and routes to legal.
13.4 Microsoft Learn parity re-verification
Re-read the current Microsoft Learn documentation for the Agent 365 Ownerless Agents card, Entra Agent ID lifecycle workflows, and Power Platform maker-departure telemetry. Note any new zone or sovereign-cloud availability. Any material change triggers an update to this playbook and to Control 3.6.
§14 Examiner-Facing Test Scenarios
Each scenario is an end-to-end narrative with expected evidence. Examiners frequently ask for these during SOX walkthroughs, FINRA sweeps, NYDFS audits, and Fed SR 11-7 reviews.
Scenario A — M&A divestiture / mass-RIF orphan wave
Trigger: 340 leavers in a single day from a divested business unit. Expected evidence:
- HR namespace shows the leaver batch ingested within 24h with employeeLeaveDateTime populated (§6).
- SPONSOR namespace shows cascade tasks generated for every sponsored agent (§7).
- DETECT namespace shows category-2 spike in the weekly cycle (§2).
- RECONCILE namespace shows card-vs-register parity maintained or variance substantiated (§3).
- TERMINAL namespace shows Z3 remediation within SLA for the category-2 wave (§4).
- BULK namespace shows any bulk reassign passed all safety gates (§8).
- Quarterly attestation (§18) includes a narrative note on the M&A event.
Scenario B — Examiner pulls orphan register during a SIEM outage window
Trigger: Examiner asks for every orphan event for calendar week W when the SIEM forwarder had a 12-hour outage. Expected evidence:
- Orphan register itself (Dataverse / SharePoint) is primary source of truth and is WORM.
- Detection-run bundles (§2) are persisted independently of SIEM.
- SIEM outage ticket referenced with remediation — gap window is disclosed, not hidden.
- §18 attestation lines up register events with detection-bundle hashes for the affected window.
Scenario C — Sponsor-departure cascade (one sponsor, many agents)
Trigger: Registered sponsor for 12 Z3 agents departs on a Friday evening. Expected evidence:
- SPONSOR namespace produces 12 sponsor-tasks within 24h.
- DETECT surfaces 12 category-2 entries in the next cycle.
- REASSIGN namespace (sampled) shows new sponsors meet all prerequisites (§5).
- TERMINAL SLA for category-2 (24h Z3) is attained or substantiated.
- Registered-principal supervisory walkthrough under §13.1 is performed for at least one of the 12 agents.
Scenario D — Bulk reassign over-applied to DL-owned false positives
Trigger: An over-inclusive bulk reassign attempts to transfer ownership from a distribution-list-owned Teams agent (which is not orphaned). Expected evidence:
- BULK namespace (§8) shows exclusion list caught the DL-owner; commit was blocked.
- If any DL-owner slipped through, it is listed in FalsePositives and routed to §15 triage TRG-BULK-02.
- AI Governance Lead approval ticket captures the corrective scope-reduction.
Scenario E — Sovereign manual quarterly reconciliation
Trigger: GCC High tenant — quarterly SOV namespace produces evidence (§9). Expected evidence:
- `SOV-Reconcile-3.6-{YYYY}Q{N}.xlsx` + PDF with dual signatures.
- Raw CSV exports with SHA-256 manifests.
- Variance substantiation memos (if any).
- Skipped evidence records for §2–§8, §10–§12 referencing §9 SOV.
Scenario F — SOX zero-orphan attestation evidence pack
Trigger: SOX 404 cycle requires a zero-orphan attestation for Z3 financial-reporting-relevant agents. Expected evidence:
- Full DETECT + RECONCILE + TERMINAL + RETAIN + PREVENT PASS for the relevant Z3 scope.
- §16 pack manifest with SHA-256 for every artifact.
- §18 signatures (Preparer / Validator / Compliance).
- PREVENT rate ≥0.95 with non-regressive YoY.
Scenario G — Litigation hold preventing terminal delete
Trigger: An agent meets category-1 terminal-delete criteria but is under legal hold. Expected evidence:
- TERMINAL delete suite (§4) shows the attempted delete was blocked by the Purview legal-hold check.
- Manual verification §13.3 captures the legal-hold interaction and the documented decision to retain.
- Orphan register entry transitions to `terminal-held-for-legal`, not `terminal-deleted`.
§15 Failure Triage Matrix
Triage IDs are referenced from FAIL evidence records via `remediation_ref`. Each entry includes the likely root cause, first-responder role, first actions, and the sibling playbook to consult.
| ID | Namespace | Symptom | Likely cause | First responder | First actions | See |
|---|---|---|---|---|---|---|
| TRG-DETECT-01 | DETECT | Cycle did not run | Orchestrator disabled, expired service-principal credential | AI Administrator | Re-enable schedule, rotate SP credential, rerun cycle, document gap | powershell-setup.md |
| TRG-DETECT-02 | DETECT | Cycle ran but < 10 sources | Connector throttled, Graph 429, missing module | AI Administrator | Back-off+retry, pin module versions, rerun within 24h | troubleshooting.md |
| TRG-DETECT-03 | DETECT | Signature missing or invalid | Key vault access revoked, key rotated without pin update | AI Administrator | Restore access, update thumbprint pin in Agt36Config.psd1, re-sign | powershell-setup.md |
| TRG-RECONCILE-01 | RECONCILE | Card count ≠ register count | Category-1 write lag, filter bug, excluded tenant partition | AI Governance Lead | Capture substantiation memo, open corrective ticket, rerun reconcile | portal-walkthrough.md |
| TRG-TERMINAL-01 | TERMINAL | SLA attainment below Z3 95% | Approval backlog, stale queue, on-call gap | AI Governance Lead | Escalate backlog, add Compliance Officer approval slot, reassign remediator | portal-walkthrough.md |
| TRG-TERMINAL-02 | TERMINAL | Retention label missing on terminal | Label policy drifted, new workload unbound | Purview Compliance Admin | Re-apply label, confirm deletion lock, rerun RETAIN suite | troubleshooting.md |
| TRG-TERMINAL-03 | TERMINAL | Z3 delete with single approver | Dual-control bypassed, role spoof | Compliance Officer | Halt delete, investigate override, escalate per incident-response plan | Control 2.8 |
| TRG-REASSIGN-01 | REASSIGN | New owner lacks license / env role | Pre-check skipped, stale cache | Power Platform Admin | Revert reassign, provision license, rerun | powershell-setup.md |
| TRG-REASSIGN-02 | REASSIGN | Permission delta non-empty | Transfer tool bug, race | Power Platform Admin | Replay transfer from before.json, open vendor ticket | troubleshooting.md |
| TRG-HR-01 | HR | Connector stale > 24h | Cert expiry, source-system outage | Entra Identity Governance Admin | Rotate cert, engage HRIS vendor, rerun provisioning | Control 3.5 |
| TRG-HR-02 | HR | employeeLeaveDateTime missing | Attribute mapping drift | Entra Identity Governance Admin | Fix mapping, backfill, re-run HR suite | Control 3.5 |
| TRG-SPONSOR-01 | SPONSOR | Cascade incomplete after 24h Z3 | Workflow disabled, SLA timer drift | Entra Agent ID Admin | Re-enable workflow, recompute cascade, document gap | powershell-setup.md |
| TRG-BULK-01 | BULK | Commit without dry-run pairing | Operator bypass | AI Governance Lead | Halt bulk tooling, require approval ticket, add guardrail in CLI | Control 2.8 |
| TRG-BULK-02 | BULK | DL/MI/role-group owner in scope | Exclusion list drifted | Power Platform Admin | Restore exclusion list, remove false positives, replay | troubleshooting.md |
| TRG-SOV-01 | SOV | Worksheet missing signature | Counter-signer on leave | AI Governance Lead | Route to backup signer per succession plan, document lag | portal-walkthrough.md |
| TRG-SIEM-01 | SIEM | Stream inactive or retention < 6Y | Forwarder misconfig, policy drift | Purview Compliance Admin | Reconfigure forwarder, rebind retention, open gap ticket | Control 3.2 |
| TRG-RETAIN-01 | RETAIN | Artifact class unbound to label | New artifact class introduced without label | Purview Compliance Admin | Bind label, rerun RETAIN, backfill prior artifacts if possible | Control 2.3 |
| TRG-PREVENT-01 | PREVENT | Rate below zone target | Detection/remediation drift causing repeat orphans | AI Governance Lead | Root-cause analysis, update governance playbook, report to steering | Control 1.2 |
§16 Evidence Pack Assembly and Signing
16.1 Pack contents (mirrors Control 3.6 §Evidence and Retention)
The quarterly evidence pack for Control 3.6 contains:
- Orphan register export (CSV + PDF) — system of record, all open and closed events in the quarter.
- Weekly Ownerless Agents card snapshot (PNG + CSV) — one per week; sovereign tenants substitute SOV worksheet.
- Detection-run bundles (JSON + detached signatures) — one per cycle, one per zone.
- Remediation tickets (PDF export from ITSM) — one per closed terminal.
- Sponsor / owner reassignment approval artifacts (PDF) — sample-per-quarter, plus all Z3.
- Quarterly governance attestation PDF (§19 template output, dual-signed).
- Sovereign-cloud reconciliation worksheet (XLSX + PDF, dual-signed) — sovereign tenants only.
- Pack manifest (`manifest.json`) with SHA-256 for every artifact and a top-level manifest hash.
- Pack signature (`manifest.sig`) — detached X.509 signature by AI Governance Lead; second detached signature by Compliance Officer.
All items carry the Purview retention label FSI-Records-6Y-WORM (or the firm's equivalent ≥6Y regulatory-record label), deletion-locked.
16.2 Pack assembly procedure
```powershell
function New-Agt36EvidencePack {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $QuarterId,        # e.g. 2026Q1
        [Parameter(Mandatory)] [string] $RunId,
        [Parameter(Mandatory)] [string] $DestinationRoot
    )
    $pack = Join-Path $DestinationRoot "AGT36-$QuarterId-$RunId"
    New-Item -Path $pack -ItemType Directory -Force | Out-Null

    # 1. Validate every evidence record against the canonical schema; abort on the first failure.
    Get-ChildItem $script:EvidenceRoot -Filter '*.json' | ForEach-Object {
        if (-not (Test-Agt36EvidenceSchema -Path $_.FullName)) {
            throw "Schema validation failed for $($_.Name); pack assembly aborted."
        }
    }

    # 2. Copy each artifact into the pack and hash the copy (the bytes the examiner receives).
    $manifest = @()
    foreach ($art in Get-Agt36PackArtifact -QuarterId $QuarterId) {
        $dest = Join-Path $pack (Split-Path $art.Path -Leaf)
        Copy-Item $art.Path -Destination $dest
        $manifest += [pscustomobject]@{
            name        = Split-Path $dest -Leaf
            kind        = $art.Kind
            sha256      = (Get-FileHash $dest -Algorithm SHA256).Hash
            produced_at = $art.ProducedAt
            namespace   = $art.Namespace
        }
    }

    # 3. Write the manifest sorted by name so an independent re-run reproduces the same
    #    top-level hash (§19 reproducibility metric). @() keeps a single entry as a JSON array.
    $manifestPath = Join-Path $pack 'manifest.json'
    ConvertTo-Json -InputObject @($manifest | Sort-Object name) -Depth 6 |
        Set-Content -Path $manifestPath -Encoding UTF8
    $topHash = (Get-FileHash $manifestPath -Algorithm SHA256).Hash
    Set-Content -Path (Join-Path $pack 'manifest.sha256') -Value $topHash -Encoding ASCII

    # 4. Detached signatures: AI Governance Lead first, Compliance Officer second.
    Invoke-Agt36Sign -PackRoot $pack -Signer 'AI Governance Lead'
    Invoke-Agt36Sign -PackRoot $pack -Signer 'Compliance Officer'

    # 5. Bind the WORM retention label with deletion lock on the destination location.
    Set-Agt36PurviewLabel -Path $pack -LabelName 'FSI-Records-6Y-WORM' -DeletionLock
    return $pack
}
```
16.3 Schema validation helper
```powershell
function Test-Agt36EvidenceSchema {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Unparseable JSON is a schema failure for the record, not a terminating error for the caller.
    try { $r = Get-Content $Path -Raw | ConvertFrom-Json }
    catch { return $false }

    $required = @(
        'control_id','run_id','namespace','criterion','zone','subject_id','subject_type',
        'status','assertion','evidence_artifacts','regulator_mappings','schema_version'
    )
    # -notcontains behaves the same whether the property list holds one name or many.
    foreach ($k in $required) { if ($r.PSObject.Properties.Name -notcontains $k) { return $false } }

    if ($r.control_id -ne '3.6') { return $false }
    if ($r.status -notin 'PASS','WARN','FAIL','SKIPPED','ERROR') { return $false }
    # Every non-PASS record must point at a §15 triage entry.
    if ($r.status -ne 'PASS' -and -not $r.remediation_ref) { return $false }
    return $true
}
```
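An independent pack verifier, added here as an example and not part of the Agt36 module: it re-derives every SHA-256 listed in `manifest.json`, recomputes the top-level hash recorded in `manifest.sha256`, and applies the same record rules as `Test-Agt36EvidenceSchema`, so the §17 Validator can reproduce the pack from the artifacts alone with tooling separate from the Preparer's. The manifest field names follow `New-Agt36EvidencePack`; the `kind` value `evidence-record`, the sample records, the register export and the placeholder signature file are constructed assumptions.

```python
"""Independent verifier for a Control 3.6 evidence pack (added example, not Agt36 code)."""
import hashlib
import json
import tempfile
from pathlib import Path

REQUIRED_FIELDS = ("control_id", "run_id", "namespace", "criterion", "zone",
                   "subject_id", "subject_type", "status", "assertion",
                   "evidence_artifacts", "regulator_mappings", "schema_version")
VALID_STATUS = {"PASS", "WARN", "FAIL", "SKIPPED", "ERROR"}
UNLISTED_OK = {"manifest.json", "manifest.sha256"}  # plus any *.sig detached signature


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()  # Get-FileHash emits upper-case hex


def validate_evidence_record(rec: dict) -> list:
    """Same rules as Test-Agt36EvidenceSchema; returns violations (empty list == valid)."""
    problems = [f"missing field {k}" for k in REQUIRED_FIELDS if k not in rec]
    if rec.get("control_id") != "3.6":
        problems.append("control_id is not 3.6")
    if rec.get("status") not in VALID_STATUS:
        problems.append(f"invalid status {rec.get('status')!r}")
    elif rec["status"] != "PASS" and not rec.get("remediation_ref"):
        problems.append("non-PASS record lacks remediation_ref")
    return problems


def verify_pack(pack: Path) -> dict:
    """Return {"ok": bool, "findings": [...]}; no findings means the pack reproduces."""
    findings = []
    manifest_path = pack / "manifest.json"
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    if isinstance(manifest, dict):  # single-entry manifest serialised as an object
        manifest = [manifest]
    recorded_top = (pack / "manifest.sha256").read_text(encoding="ascii").strip().upper()
    if sha256_file(manifest_path) != recorded_top:
        findings.append("top-level manifest hash mismatch")
    listed = set()
    for entry in manifest:
        name = entry["name"]
        listed.add(name)
        art = pack / name
        if not art.is_file():
            findings.append(f"artifact listed but missing: {name}")
            continue
        if sha256_file(art) != str(entry.get("sha256", "")).upper():
            findings.append(f"hash mismatch: {name}")
        if entry.get("kind") == "evidence-record":  # assumed kind value for schema-checked files
            findings += [f"{name}: {p}" for p in
                         validate_evidence_record(json.loads(art.read_text(encoding="utf-8")))]
    for f in pack.iterdir():  # everything in the pack is either listed or pack plumbing
        if f.name not in listed and f.name not in UNLISTED_OK and f.suffix != ".sig":
            findings.append(f"unlisted artifact: {f.name}")
    return {"ok": not findings, "findings": findings}


def build_sample_pack(root: Path) -> Path:
    """Construct a small pack in the layout New-Agt36EvidencePack produces (sample data)."""
    pack = root / "AGT36-2026Q1-SAMPLE"
    pack.mkdir()
    base = {"control_id": "3.6", "run_id": "SAMPLE", "zone": "Z3", "subject_type": "agent",
            "assertion": "constructed", "evidence_artifacts": [], "schema_version": "1",
            "regulator_mappings": ["FINRA-3110"], "criterion": "VC-1"}
    records = {
        "DETECT-pass.json": {**base, "namespace": "DETECT", "subject_id": "agt-1", "status": "PASS"},
        "DETECT-fail.json": {**base, "namespace": "DETECT", "subject_id": "agt-2",
                             "status": "FAIL", "remediation_ref": "TRG-DETECT-02"},
    }
    for name, rec in records.items():
        (pack / name).write_text(json.dumps(rec), encoding="utf-8")
    (pack / "orphan-register.csv").write_text("event_id,state\n1,terminal-deleted\n", encoding="utf-8")
    manifest = sorted(
        [{"name": n, "kind": "evidence-record" if n.endswith(".json") else "register-export",
          "sha256": sha256_file(pack / n)} for n in [*records, "orphan-register.csv"]],
        key=lambda e: e["name"])
    (pack / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    (pack / "manifest.sha256").write_text(sha256_file(pack / "manifest.json") + "\n", encoding="ascii")
    (pack / "manifest.sig").write_bytes(b"<detached signature placeholder>")
    return pack


def demo() -> tuple:
    """Verify a clean pack, then the same pack after one register row is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        pack = build_sample_pack(Path(tmp))
        clean = verify_pack(pack)
        (pack / "orphan-register.csv").write_text("event_id,state\n1,open\n", encoding="utf-8")
        tampered = verify_pack(pack)
    return clean, tampered


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result))
```

A clean pack yields an empty findings list; changing one byte of any listed artifact, or of the manifest itself, surfaces as a named finding rather than a silent pass. This is the check behind the §19 "pack assembly reproducibility" metric, and it deliberately does not verify `manifest.sig`, which stays with the X.509 tooling that produced it.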
§17 Sign-off Workflow
17.1 Three-signature chain
| Signatory | Role | Responsibility |
|---|---|---|
| Preparer | AI Administrator or Power Platform Admin (per namespace) | Runs the Pester suites, produces raw evidence records, runs Test-Agt36EvidenceSchema on every record. |
| Validator | Entra Global Reader (or a second, independent AI Administrator) | Independently re-runs a 10% sample of the suites and confirms evidence records match. Privileged-role separation required — must not share standing roles with Preparer. |
| Compliance | Compliance Officer + AI Governance Lead | Counter-sign pack manifest; confirm retention binding; confirm cross-control dependency status; confirm no litigation-hold conflicts. |
17.2 Separation of duties
- No single principal may hold Preparer and Validator on the same cycle.
- No single principal may hold Validator and Compliance on the same cycle.
- Standing privileged-role overlap between Preparer / Validator / Compliance is a cycle-stopping FAIL (see §15 → TRG-TERMINAL-03, TRG-BULK-01). Verify via Control 2.8 Access Governance for Agent Admin Roles.
17.3 Sign-off artifact
`signoff-AGT36-<QuarterId>-<RunId>.json`
```json
{
  "pack_root": "AGT36-2026Q1-AGT36-20260415-093012-a1b2c3d4",
  "preparer": { "upn":"ai.administrator@contoso.com", "signed_at":"2026-04-16T14:00:00Z", "sig_sha256":"…" },
  "validator": { "upn":"globalreader@contoso.com", "signed_at":"2026-04-16T16:12:00Z", "sig_sha256":"…", "sample_pct":0.10, "reruns_passed":true },
  "compliance":[
    { "role":"AI Governance Lead", "upn":"jane.doe@contoso.com", "signed_at":"2026-04-17T10:04:00Z", "sig_sha256":"…" },
    { "role":"Compliance Officer", "upn":"carlos.k@contoso.com", "signed_at":"2026-04-17T11:02:00Z", "sig_sha256":"…" }
  ],
  "regulator_mappings":["FINRA-3110","FINRA-4511","FINRA-25-07","SEC-17a-3","SEC-17a-4","SOX-302","SOX-404","GLBA-501b","OCC-2011-12","FED-SR-11-7","CFTC-1.31","NYDFS-500"]
}
```
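A machine check of the §17.2 separation-of-duties rules against a sign-off artifact in the layout above, added here as an example and not part of the project's tooling. It takes the signoff JSON plus a map of each signer's standing privileged roles; the role map below is constructed (in practice the Validator would take it from the Control 2.8 access review), and the rule that each stage signs no earlier than the stage before it is an assumption drawn from the Preparer, Validator, Compliance chain.

```python
"""Separation-of-duties check for a Control 3.6 sign-off artifact (added example)."""
from datetime import datetime

REQUIRED_COMPLIANCE_ROLES = {"AI Governance Lead", "Compliance Officer"}
MIN_VALIDATOR_SAMPLE = 0.10  # §17.1: Validator independently re-runs a 10% sample

# Constructed sample in the layout of signoff-AGT36-<QuarterId>-<RunId>.json
SAMPLE_SIGNOFF = {
    "pack_root": "AGT36-2026Q1-SAMPLE",
    "preparer": {"upn": "ai.administrator@contoso.com", "signed_at": "2026-04-16T14:00:00Z"},
    "validator": {"upn": "globalreader@contoso.com", "signed_at": "2026-04-16T16:12:00Z",
                  "sample_pct": 0.10, "reruns_passed": True},
    "compliance": [
        {"role": "AI Governance Lead", "upn": "jane.doe@contoso.com", "signed_at": "2026-04-17T10:04:00Z"},
        {"role": "Compliance Officer", "upn": "carlos.k@contoso.com", "signed_at": "2026-04-17T11:02:00Z"},
    ],
}
# Constructed standing-role map (what a Control 2.8 access review would export)
STANDING_ROLES = {
    "ai.administrator@contoso.com": {"AI Administrator"},
    "globalreader@contoso.com": {"Entra Global Reader"},
    "jane.doe@contoso.com": {"AI Governance Lead"},
    "carlos.k@contoso.com": {"Compliance Officer"},
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_signoff(signoff: dict, standing_roles: dict) -> list:
    """Return the list of §17 violations; an empty list means the chain is acceptable."""
    findings = []
    prep, val, comp = signoff["preparer"], signoff["validator"], signoff["compliance"]
    comp_upns = {c["upn"] for c in comp}

    # §17.2: no single principal across adjacent stages
    if prep["upn"] == val["upn"]:
        findings.append("Preparer and Validator are the same principal")
    if val["upn"] in comp_upns:
        findings.append("Validator also signs as Compliance")

    # §17.2: standing privileged-role overlap between any two stages is cycle-stopping
    stages = {"Preparer": {prep["upn"]}, "Validator": {val["upn"]}, "Compliance": comp_upns}
    roles = {s: set().union(*(set(standing_roles.get(u, ())) for u in upns))
             for s, upns in stages.items()}
    names = list(stages)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            shared = roles[a] & roles[b]
            if shared:
                findings.append(f"FAIL: {a} and {b} share standing role(s) {sorted(shared)}")

    # §17.1: Validator sample size and re-run outcome
    if val.get("sample_pct", 0) < MIN_VALIDATOR_SAMPLE or not val.get("reruns_passed"):
        findings.append("Validator sample below 10% or re-runs did not pass")

    # §17.1: both counter-signers must be present
    missing = REQUIRED_COMPLIANCE_ROLES - {c["role"] for c in comp}
    if missing:
        findings.append(f"missing Compliance signature(s): {sorted(missing)}")

    # Assumed chain order: Validator after Preparer, each Compliance signer after Validator
    t_prep, t_val = _ts(prep["signed_at"]), _ts(val["signed_at"])
    if t_val < t_prep:
        findings.append("Validator signed before Preparer")
    for c in comp:
        if _ts(c["signed_at"]) < t_val:
            findings.append(f"{c['role']} signed before Validator")
    return findings


if __name__ == "__main__":
    print(check_signoff(SAMPLE_SIGNOFF, STANDING_ROLES) or "no findings")
```

Any finding that starts with `FAIL:` corresponds to the cycle-stopping condition in §17.2 and should be routed to the Control 2.8 review before the pack is counter-signed; the remaining findings are chain defects that block sign-off until corrected.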
§18 Quarterly Attestation Template
The quarterly attestation is the pack's cover document. It restates the hedged language of §Document Conventions, summarises per-namespace status, restates per-zone threshold attainment, discloses every WARN / FAIL with its remediation pointer, and captures the dual signatures that bind the quarter.
# Control 3.6 — Quarterly Governance Attestation — {Tenant} — {QuarterId}
**Framework version:** v1.4
**Control:** 3.6 Orphaned Agent Detection and Remediation
**Cloud:** {Commercial / GCC / GCCH / DoD}
**Cycle dates:** {start} – {end}
**Pack root:** AGT36-{QuarterId}-{RunId}
**Pack manifest SHA-256:** {hash}
## Statement
This attestation supports compliance with FINRA 3110, 4511, and Notice 25-07, SEC Rules 17a-3 / 17a-4, SOX 302 / 404, GLBA §501(b), OCC Bulletin 2011-12, Fed SR 11-7, CFTC 1.31, and NYDFS Part 500. A clean attestation **does not guarantee** compliance, **does not replace** the firm's written supervisory procedures, and **supports — does not replace — registered-principal supervisory review under FINRA Rule 3110**.
## Namespace Summary
| § | Namespace | Criterion | Z3 | Z2 | Z1 | Status | WARN/FAIL refs |
|---|---|---|---|---|---|---|---|
| 2 | DETECT | VC-1 | ✓ | ✓ | ✓ | PASS | — |
| 3 | RECONCILE | VC-2 | ✓ | ✓ | ✓ | PASS | — |
| 4 | TERMINAL | VC-3, VC-5 | ✓ | ✓ | ✓ | PASS | — |
| 5 | REASSIGN | VC-4 | ✓ | ✓ | ✓ | PASS | — |
| 6 | HR | supporting | ✓ | ✓ | ✓ | PASS | — |
| 7 | SPONSOR | supporting | ✓ | ✓ | ✓ | PASS | — |
| 8 | BULK | supporting | ✓ | ✓ | ✓ | PASS | — |
| 9 | SOV | VC-6 | n/a | n/a | n/a | n/a (Commercial) | — |
| 10 | SIEM | supporting | ✓ | ✓ | ✓ | PASS | — |
| 11 | RETAIN | VC-7 | ✓ | ✓ | ✓ | PASS | — |
| 12 | PREVENT | VC-8 | ✓ | ✓ | ✓ | PASS | — |
## Metrics
- **Pre-orphan prevention rate** (VC-8): Z3 = 0.972 (YoY Δ +0.009), Z2 = 0.921, Z1 = 0.831.
- **SLA attainment** (VC-3, Z3, 90-day rolling): per-category range 96.8% – 100%.
- **Reconciliation variance** (VC-2): 0 unsubstantiated variances; 2 substantiated and remediated.
## Disclosures
{WARN or FAIL narratives with pointers to §15 triage}
## Cross-control status
- [Control 1.2](../../../controls/pillar-1-security/1.2-agent-registry-and-integrated-apps-management.md): current-cycle inventory attestation: {status}
- [Control 2.3](../../../controls/pillar-1-security/1.9-data-retention-and-deletion-policies.md): records retention alignment: {status}
- [Control 2.8](../../../controls/pillar-2-management/2.8-access-control-and-segregation-of-duties.md): admin-role access review: {status}
- [Control 2.25](../2.25/verification-testing.md) — agent identity lifecycle: {status}
- [Control 2.26](../2.26/verification-testing.md) — sponsor lifecycle: {status}
- [Control 3.1](../../../controls/pillar-3-reporting/3.1-agent-inventory-and-metadata-management.md) — inventory reporting: {status}
- [Control 3.2](../../../controls/pillar-3-reporting/3.9-microsoft-sentinel-integration.md) — SIEM integration: {status}
- [Control 3.5](../../../controls/pillar-2-management/2.26-entra-agent-id-identity-governance.md) — sponsor/maker lifecycle: {status}
- [Control 3.13](../../../controls/pillar-3-reporting/3.13-agent-365-admin-center-analytics.md) — Agent 365 analytics: {status}
## Signatures
| Role | Name | UPN | Signed (UTC) | Sig SHA-256 |
|---|---|---|---|---|
| Preparer (AI Administrator) | | | | |
| Validator (Entra Global Reader) | | | | |
| AI Governance Lead | | | | |
| Compliance Officer | | | | |
§19 Continuous-Improvement Metrics
Beyond VC-8 (prevention rate), the program tracks:
| Metric | Formula | Target | Trend |
|---|---|---|---|
| Detection-run availability | successful cycles ÷ scheduled cycles (90d) | ≥99.5% Z3 | monthly |
| Mean time to detect (MTTD) | firstDetectedAt - triggeringEventAt median, per category | see Detection Signal Sources table | monthly |
| Mean time to remediate (MTTR) | terminalAt - firstDetectedAt median, per category+zone | ≤ SLA × 0.7 | monthly |
| Reassignment success-rate | REASSIGN PASS ÷ REASSIGN sample | ≥0.95 Z3 | quarterly |
| Variance substantiation time | hours from variance to signed memo | ≤24h Z3 | quarterly |
| Shadow-agent false-positive rate | category-10 FPs ÷ category-10 detections | ≤5% | quarterly |
| Pack assembly reproducibility | independent re-run produces identical manifest hash | 100% | per pack |
| Sovereign manual-worksheet lag | days from quarter-end to signed worksheet | ≤15 days | quarterly |
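The availability, MTTD and MTTR formulas from the table above, worked through over a constructed orphan-register extract. This is an added example, not project code: the timestamp field names are the ones the table uses, the row layout is an assumption, the category-2 Z3 SLA of 24h is the value stated in §14, and the Z2 SLA is a placeholder.

```python
"""§19 metric formulas over a constructed orphan-register extract (added example)."""
from datetime import datetime
from statistics import median

SLA_HOURS = {("2", "Z3"): 24.0,   # category-2 Z3 SLA stated in this playbook
             ("2", "Z2"): 72.0}   # placeholder assumption for illustration
MTTR_TARGET_FACTOR = 0.7          # table target: MTTR ≤ SLA × 0.7
AVAILABILITY_TARGET_Z3 = 0.995    # table target: ≥99.5% Z3 over 90 days

# Constructed register rows; terminalAt is None while an event is still open
REGISTER = [
    {"event_id": "E1", "category": "2", "zone": "Z3", "triggeringEventAt": "2026-03-06T18:00:00Z",
     "firstDetectedAt": "2026-03-06T20:00:00Z", "terminalAt": "2026-03-07T10:00:00Z"},
    {"event_id": "E2", "category": "2", "zone": "Z3", "triggeringEventAt": "2026-03-06T18:00:00Z",
     "firstDetectedAt": "2026-03-06T21:00:00Z", "terminalAt": "2026-03-07T13:00:00Z"},
    {"event_id": "E3", "category": "2", "zone": "Z3", "triggeringEventAt": "2026-03-06T18:00:00Z",
     "firstDetectedAt": "2026-03-06T19:00:00Z", "terminalAt": "2026-03-07T12:00:00Z"},
    {"event_id": "E4", "category": "2", "zone": "Z2", "triggeringEventAt": "2026-03-06T18:00:00Z",
     "firstDetectedAt": "2026-03-07T06:00:00Z", "terminalAt": None},
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _hours(start: str, end: str) -> float:
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def mttd_hours(rows: list) -> dict:
    """Median of firstDetectedAt - triggeringEventAt per category, in hours."""
    by_cat = {}
    for r in rows:
        by_cat.setdefault(r["category"], []).append(_hours(r["triggeringEventAt"], r["firstDetectedAt"]))
    return {c: median(v) for c, v in by_cat.items()}


def mttr_hours(rows: list) -> dict:
    """Median of terminalAt - firstDetectedAt per (category, zone); open events are excluded."""
    by_key = {}
    for r in rows:
        if r["terminalAt"] is None:
            continue
        by_key.setdefault((r["category"], r["zone"]), []).append(_hours(r["firstDetectedAt"], r["terminalAt"]))
    return {k: median(v) for k, v in by_key.items()}


def mttr_against_target(rows: list) -> dict:
    """(median_h, target_h, met) for each (category, zone) that has a known SLA."""
    out = {}
    for key, med in mttr_hours(rows).items():
        if key in SLA_HOURS:
            target = SLA_HOURS[key] * MTTR_TARGET_FACTOR
            out[key] = (med, round(target, 2), med <= target)
    return out


def detection_run_availability(scheduled: int, successful: int) -> tuple:
    """successful ÷ scheduled cycles over the 90-day window, with the Z3 target check."""
    if scheduled <= 0:
        raise ValueError("no scheduled cycles in window")
    rate = successful / scheduled
    return (round(rate, 4), rate >= AVAILABILITY_TARGET_Z3)


if __name__ == "__main__":
    print("MTTD", mttd_hours(REGISTER))
    print("MTTR vs target", mttr_against_target(REGISTER))
    print("availability", detection_run_availability(13, 12))
```

With a weekly cycle (§2) a 90-day window holds about 13 scheduled runs, so a single missed cycle already breaches the 99.5% Z3 target; the open event E4 is counted in MTTD but not in MTTR, which is what keeps a long-open orphan from masquerading as a fast remediation.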
19.1 YoY trend table
| Quarter | Z3 Prevention rate | Z3 SLA attainment | Reconcile variance (uncompensated) | Notes |
|---|---|---|---|---|
| 2025Q1 | 0.954 | 94.1% | 1 | baseline |
| 2025Q2 | 0.961 | 95.3% | 0 | |
| 2025Q3 | 0.958 | 96.0% | 0 | |
| 2025Q4 | 0.963 | 96.4% | 0 | |
| 2026Q1 | 0.972 | 97.2% | 0 | |
§20 Cross-Control Verification Dependencies
Control 3.6 does not stand alone. Evidence from the following controls must be in PASS state for the 3.6 attestation to be defensible:
| Dependency | Why it matters for 3.6 |
|---|---|
| Control 1.2 Agent Inventory and Classification | Defines the universe against which orphans are computed; without 1.2 the denominator is unknown. |
| Control 2.3 Records Retention and eDiscovery | Provides the FSI-Records-6Y-WORM retention label used throughout §4, §11, §14. |
| Control 2.8 Access Governance for Agent Admin Roles | Enforces PIM and dual-control used in §4 TERMINAL-DELETE, §8 BULK, §17 sign-off. |
| Control 2.25 Agent Identity Lifecycle | Provides the identity-object lifecycle signals that feed DETECT sources 1, 3, 4, 8. |
| Control 2.26 Sponsor Lifecycle | Provides sponsor-departure signal for DETECT source 2 and §7 SPONSOR. |
| Control 3.1 Agent Inventory Reporting | Provides the reconciled inventory view used in §3 RECONCILE. |
| Control 3.2 Audit Logging and SIEM Integration | Provides SIEM forwarding and retention verified in §10. |
| Control 3.5 Identity Lifecycle for Agent Sponsors and Makers | Provides HR connector and mover/leaver signal verified in §6 HR. |
| Control 3.13 Agent 365 Admin Center Analytics | Provides the Ownerless Agents card surface reconciled in §3. |
If any dependency is in WARN or FAIL for the quarter, the 3.6 attestation must disclose it on the §18 attestation under "Cross-control status" and reference the owning control's triage.
§21 References
21.1 Source control document
- Control 3.6 — Orphaned Agent Detection and Remediation
- Detection Signal Sources
- Evidence and Retention
- Verification Criteria
21.2 Sibling playbooks
21.3 Peer verification playbooks
- Control 1.2 verification-testing
- Control 2.25 verification-testing
- Control 2.26 verification-testing
- Control 3.1 verification-testing
21.4 Regulatory sources
- FINRA Rule 3110 (Supervision) — finra.org/rules/3110
- FINRA Rule 4511 (Books and Records) — finra.org/rules/4511
- FINRA Regulatory Notice 25-07 (Generative-AI Supervision)
- SEC Rule 17a-3 (Records to be Made)
- SEC Rule 17a-4 (Records Retention; WORM)
- Sarbanes-Oxley Act §302, §404
- Gramm-Leach-Bliley Act §501(b)
- OCC Bulletin 2011-12 (Third-Party / Technology Risk)
- Federal Reserve SR 11-7 (Model Risk Management)
- CFTC Regulation 1.31 (Recordkeeping)
- NYDFS 23 NYCRR Part 500 (Cybersecurity)
- FFIEC IT Examination Handbook — Management booklet
21.5 Microsoft Learn (re-verify each cycle)
- Microsoft 365 Agent 365 admin center — Ownerless Agents card
- Microsoft Entra Agent ID — sponsor lifecycle workflows
- Microsoft Purview records management — retention labels and regulatory records
- Microsoft Power Platform — environment and maker ownership management
- Microsoft Graph `/beta/agentGovernance` namespace
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current