
Phase 0: Governance Setup

Foundation phase for establishing governance structure and core controls (0-60 days).


Overview

Phase 0 establishes the organizational foundation and minimum viable controls needed to enable secure AI agent experimentation while maintaining governance oversight.

Timeline: 0-60 days

Outcome: Governance structure in place, Zone 1 and Zone 2 environments enabled

Prerequisites

Before starting Phase 0, confirm you have the required licenses and admin roles:


Week 1-2: Governance Structure

Identify Key Roles

  • AI Governance Lead — Assign individual with accountability for framework
  • Power Platform Admin — Assign technical lead for platform configuration
  • Compliance Officer liaison — Identify compliance point of contact
  • CISO liaison — Identify security point of contact

Initial Documentation

  • Review FSI Agent Governance Framework documentation
  • Draft governance committee charter (for Zone 3 preparation)
  • Identify existing policies that apply to AI agents
  • Document current state of any existing agents

Kickoff Meeting

Conduct kickoff meeting with key stakeholders:

  • Present framework overview
  • Agree on implementation timeline
  • Assign ownership for Phase 0 tasks
  • Schedule weekly check-ins

Week 3-4: Core Technical Controls

Control 2.1: Managed Environments

Purpose: Enable governance features for Zone 2 environments

Steps:

  1. Navigate to Power Platform Admin Center (PPAC)
  2. Go to Manage > Environments, select the Zone 2 environment row, and choose Edit Managed Environment from the toolbar or the environment ellipsis (...). (Enable Managed Environments)
  3. Toggle Enable Managed Environments on, then select Save. (Enable Managed Environments)
  4. Configure baseline settings

Verification:

  • Managed Environments status shows as enabled
  • Environment details show managed features available

Control 1.1: Restrict Agent Publishing

Purpose: Prevent unauthorized agent deployment

Steps:

  1. Navigate to PPAC > Manage > Environment groups
  2. Create Zone 1 and Zone 2 environment groups
  3. Configure sharing rules:
       • Zone 1: Disabled sharing
       • Zone 2: Controlled sharing
  4. Assign environments to groups

Verification:

  • Attempt to share agent outside policy fails
  • Environment group rules active

Control 1.5: Data Loss Prevention (DLP) Policies

Purpose: Prevent sensitive data from reaching unauthorized connectors

Steps:

  1. Navigate to PPAC > Policies > Data policies
  2. Create baseline DLP policy
  3. Classify connectors:
       • Business (approved)
       • Non-business (restricted)
       • Blocked
  4. Apply to Zone 2 environments

Verification:

  • Attempt to use blocked connector fails
  • Policy shows as active

Control 1.7: Audit Logging (Baseline)

Purpose: Ensure agent activities are recorded

Steps:

  1. Navigate to the Microsoft Purview portal (https://purview.microsoft.com). (Microsoft Purview portal overview)
  2. Open Solutions > Audit (or the Audit card on the home page). (Search the audit log in the Purview portal)
  3. Verify auditing is enabled for Power Platform
  4. Configure retention (30 days for Zone 1, 1 year for Zone 2)

Verification:

  • Test action appears in audit log
  • Retention settings correct

Week 5-6: Environment Setup

Environment Architecture

Create the following environment structure:

Environment       | Zone | Purpose                | Managed?
Personal-[User]   | 1    | Individual development | No
Team-[Department] | 2    | Team collaboration     | Yes
Test              | 2    | Testing and validation | Yes

Environment Groups

Configure environment groups in PPAC:

Zone 1 Group:

  • Sharing: Disabled
  • Channels: Microsoft 365 Copilot Chat only
  • AI features: All allowed (experimental)

Zone 2 Group:

  • Sharing: Controlled (team only)
  • Channels: Teams, SharePoint
  • AI features: Production-ready only
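
The zone baselines above, the Managed? column of the environment table and the retention values from Control 1.7 can be checked mechanically against an environment export. The following is an added example, not part of the framework: the record format, field names, sharing ranking and sample records are constructed assumptions, and the retention figures are treated as minimums.

```python
# Added example. Record fields and sample data are assumptions, not a PPAC export schema.
SHARING_RANK = {"disabled": 0, "controlled": 1, "unrestricted": 2}  # assumed ordering

# Phase 0 baselines from this page; retention treated as a minimum (assumption).
BASELINE = {
    1: {"managed": False, "sharing": "disabled",
        "channels": {"Microsoft 365 Copilot Chat"}, "retention_days": 30},
    2: {"managed": True, "sharing": "controlled",
        "channels": {"Teams", "SharePoint"}, "retention_days": 365},
}

def check_environment(env):
    """Return findings where one environment is weaker than its zone baseline."""
    name, zone = env.get("name", "<unnamed>"), env.get("zone")
    base = BASELINE.get(zone)
    if base is None:
        return [f"{name}: zone {zone!r} has no Phase 0 baseline"]
    findings = []
    if base["managed"] and not env.get("managed", False):
        findings.append("Managed Environments not enabled")
    sharing = env.get("sharing")
    # Unknown or missing sharing values rank highest, so they fail closed.
    if SHARING_RANK.get(sharing, 99) > SHARING_RANK[base["sharing"]]:
        findings.append(f"sharing {sharing!r} is looser than {base['sharing']!r}")
    extra = set(env.get("channels", [])) - base["channels"]
    if extra:
        findings.append(f"channels outside baseline: {sorted(extra)}")
    if env.get("retention_days", 0) < base["retention_days"]:
        findings.append(f"audit retention below {base['retention_days']} days")
    return [f"{name}: {f}" for f in findings]

def check_tenant(envs):
    """Flatten findings for every environment record."""
    return [f for env in envs for f in check_environment(env)]

# Constructed sample records.
SAMPLE = [
    {"name": "Personal-Alice", "zone": 1, "managed": False, "sharing": "disabled",
     "channels": ["Microsoft 365 Copilot Chat"], "retention_days": 30},
    {"name": "Team-Finance", "zone": 2, "managed": False, "sharing": "controlled",
     "channels": ["Teams", "Public website"], "retention_days": 90},
    {"name": "Test", "zone": 2, "managed": True, "sharing": "unrestricted",
     "channels": ["Teams"], "retention_days": 365},
]

if __name__ == "__main__":
    for finding in check_tenant(SAMPLE):
        print(finding)
```

A stricter setting than the baseline (for example a managed Zone 1 environment or longer retention) produces no finding; only weaker settings are reported.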

Control 2.15: Environment Routing

Purpose: Automatically route makers to appropriate environments

Steps:

  1. Navigate to PPAC > Manage > Tenant settings > Environment routing. (Default environment routing)
  2. Set Environment routing to On. (Default environment routing)
  3. Configure routing rules by defining attribute conditions and the target environment. (Default environment routing)
  4. Configure the fallback environment. (Default environment routing)

Verification:

  • New maker lands in correct environment
  • Routing rules active

Week 7-8: Operational Readiness

Control 3.1: Agent Inventory

Purpose: Establish central registry of all agents

Steps:

  1. Create SharePoint list or other tracking mechanism
  2. Define required metadata fields:
       • Agent ID
       • Agent Name
       • Owner
       • Zone
       • Status
       • Creation Date
  3. Document inventory process
  4. Inventory any existing agents

Verification:

  • Inventory accessible to governance team
  • Process documented

Control 2.3: Change Management

Purpose: Establish controlled change process for Zone 2+ agents

Steps:

  1. Document change management workflow
  2. Create change request template
  3. Define approval requirements by zone
  4. Communicate process to makers

Verification:

  • Process documented
  • Template available

Training

  • Complete Power Platform Admin training
  • Review governance framework with compliance team
  • Brief department managers on Zone 2 requirements

First Governance Meeting

Conduct first governance review meeting:

  • Review Phase 0 completion status
  • Discuss any issues encountered
  • Plan Phase 1 priorities
  • Schedule recurring meetings

Phase 0 Completion Checklist

Governance Structure

  • AI Governance Lead assigned
  • Key roles identified
  • Governance committee charter drafted
  • Weekly meetings scheduled

Technical Controls

  • Managed Environments enabled for Zone 2
  • Agent publishing restrictions in place
  • DLP policies configured
  • Audit logging verified

Environments

  • Zone 1 environment group configured
  • Zone 2 environment group configured
  • Environment routing enabled
  • Test environment available

Operations

  • Agent inventory process established
  • Change management process documented
  • Key stakeholders trained

Success Criteria

Phase 0 is complete when:

  1. AI Governance Lead can demonstrate publishing restrictions work
  2. DLP policies prevent unauthorized data flow
  3. Agent inventory process is operational
  4. At least one Zone 2 environment is ready for use
  5. Governance team has completed initial training

Next Phase

Proceed to Phase 1: Minimal Viable Controls to implement production readiness controls.


Updated: May 2026 | Version: v1.6.2 | UI Verification Status: Current