FSI Agent Governance Framework - Control Index
Complete Control Reference (48 Controls)
This directory contains comprehensive control documentation for the FSI Agent Governance Framework across four pillars.
Pillar 1: Security Controls (19 Controls)
Pillar 2: Management Controls (15 Controls)
Pillar 3: Agent Reporting (9 Controls)
Pillar 4: SharePoint Advanced Management (5 Controls)
How to Use This Framework
- Review the Overview - Start with the framework overview to understand the 3 zones and 4 pillars
- Assess Current State - For each control, review your current implementation level (Baseline, Recommended, or Regulated)
- Implement Controls - Follow the implementation guidance in each control file
- Verify & Document - Use the verification steps to confirm implementation and document evidence
- Establish Recurring Reviews - Schedule quarterly reviews to ensure controls remain effective
Governance Levels
Each control is documented with three governance levels:
- Baseline: Minimum required implementation
- Recommended: Best practice implementation for Zone 2+ agents
- Regulated/High-Risk: Comprehensive implementation for Zone 3 agents and regulated environments
Pillar Descriptions
Pillar 1: Security Controls (19 Controls)
Focus: Protect data and systems from unauthorized access, misuse, and exploitation.
- Authentication and Authorization
- Data Loss Prevention
- Audit Logging
- Encryption
- Threat Detection
- eDiscovery
Pillar 2: Management Controls (15 Controls)
Focus: Govern the agent lifecycle, access control, change management, and model risk.
- Managed Environments
- Change Management
- Business Continuity
- Testing & Validation
- Model Risk Management
- Vendor Management
- Training & Supervision
Pillar 3: Agent Reporting (9 Controls)
Focus: Visibility and monitoring of agent activities, performance, and compliance.
- Agent Inventory
- Usage Analytics
- Compliance Reporting
- Incident Management
- Cost Tracking
- Orphaned Agent Detection
- PPAC Security Posture
- Copilot Hub
- Sentinel Integration
Pillar 4: SharePoint Advanced Management (5 Controls)
Focus: Govern SharePoint content accessed by agents with specific access, retention, and security controls.
- Information Access Governance
- Access Reviews
- Retention Management
- Guest Access Controls
- Security Monitoring
Regulatory Alignment
The framework covers compliance requirements for:
- FINRA: Rules 3110, 4511, 4512 + Regulatory Notice 25-07
- SEC: Rules 17a-3/4, 10b-5, Reg BI, Reg S-P
- SOX: Sections 302, 404 (internal controls and reporting)
- GLBA: Sections 501, 504, 505 (safeguards and privacy)
- OCC: Bulletin 2011-12 and SR 11-7 (model risk management)
- Federal Reserve: SR 11-7 (model risk, fair lending)
Governance Zones
Controls are documented for implementation in three governance zones:
- Zone 1: Personal Productivity - Individual development, low risk
- Zone 2: Team Collaboration - Departmental agents, medium risk
- Zone 3: Enterprise Managed - Organization-wide, high risk, customer-facing
Questions & Support
For questions about specific controls or implementation guidance:
- Review the control file for detailed verification steps
- Contact your AI Governance Lead
- Escalate to Compliance Officer for regulatory questions
- Contact your technical implementation team for platform-specific guidance
FSI Agent Governance Framework Beta - December 2025