
Microsoft Purview Compliance Manager Templates Reference

Purpose: This reference summarises the Microsoft Purview Compliance Manager assessment template catalog as it pertains to US financial services governance of Microsoft 365 AI agents. Compliance Manager is a Microsoft Purview surface that ships a library of 360+ regulatory and standards templates that customers can use to map their own controls to a specific framework, run improvement actions, and produce examiner-ready evidence.

Scope reminder. Compliance Manager (CM) is a template / control-mapping surface. It is distinct from the Microsoft Service Trust Portal (STP), which is the vendor attestation / audit-report repository — see the Service Trust Portal Attestation Evidence Guide for how Microsoft's own attestations (SOC 2 Type 2, ISO 27001/27017/27018/27701/42001, FedRAMP, etc.) are surfaced for examiner / vendor risk-management evidence.

Relationship to the framework. Compliance Manager templates are an input to the framework's regulatory mapping (see regulatory-mappings.md) and an output destination for evidence collected via the controls in this catalog. The framework does not depend on Compliance Manager; it is one of several optional implementation surfaces, and Sentinel (Control 3.9), Purview Audit (Control 1.7) and the Automated Assessment Engine are alternative or complementary paths.


Catalog Snapshot

Microsoft maintains the canonical and current list at Microsoft Learn — Compliance Manager templates list. As of the framework's last verification, the catalog includes 360+ templates across the following families:

| Family | Representative templates relevant to US FSI |
|---|---|
| US federal financial regulation | FFIEC IT Examination Handbook, GLBA (Gramm-Leach-Bliley Act), Sarbanes-Oxley (SOX), Federal Reserve Supervisory Letter Fed SR 26-2 (formerly SR 11-7) (Model Risk), OCC Bulletin 2026-13 (formerly OCC Bulletin 2011-12) (Technology Risk Management), Dodd-Frank elements |
| US sector / SRO | FINRA recordkeeping and supervision frameworks, SEC Rule 17a-3/17a-4 recordkeeping, CFTC Part 1.31 |
| US state financial regulation | NYDFS 23 NYCRR Part 500 (Cybersecurity), CCPA / CPRA (California Privacy), New York Privacy frameworks |
| US security & privacy frameworks | NIST 800-53 Rev 5, NIST 800-171, NIST CSF 2.0, NIST AI Risk Management Framework, FedRAMP Moderate/High, CMMC Level 2 |
| International standards | ISO/IEC 27001, ISO/IEC 27017 (cloud-services profile), ISO/IEC 27018, ISO/IEC 27701, ISO/IEC 42001 (AI Management Systems) |
| Healthcare / privacy | HIPAA / HITECH, GDPR (EU), PIPEDA (Canada), LGPD (Brazil) |
| Payments / industry | PCI DSS v4.0, SWIFT Customer Security Programme |
| AI-specific | EU AI Act, NIST AI RMF 1.0, ISO/IEC 42001:2023 |
| Audit / attestation overlays | SOC 2 Trust Services Criteria, SOC 1 (SSAE-18), AICPA Service Organization Controls overlays |

Source of truth: Always re-verify the current template list and version tags at Microsoft Learn — Compliance Manager templates list. Microsoft adds and deprecates templates on its own cadence; this file is a navigational summary, not an authoritative catalog.


Entitlement Requirements

Compliance Manager is part of Microsoft Purview. The free tier surfaces the Microsoft Data Protection Baseline template only. Premium templates require additional entitlements:

| Template family | Minimum entitlement |
|---|---|
| Microsoft Data Protection Baseline | Any Microsoft 365 / Office 365 commercial subscription (free) |
| Premium templates (FFIEC, GLBA, SOX, NIST 800-53, ISO 27001, SOC 2, PCI DSS, HIPAA, EU AI Act, ISO/IEC 42001, etc.) | Microsoft 365 E5 / A5 / G5 Compliance, Microsoft 365 E5 / A5 / G5 Information Protection & Governance, or Microsoft 365 E5 / A5 / G5 Risk Management & Privacy |
| Industry-specific overlays (some Microsoft 365 industry templates) | May require add-on packs or industry-specific licensing; verify per template |

Licensing caveat. Microsoft licensing changes regularly. Always re-verify against the current Microsoft 365 Comparison Table and Microsoft 365 Service Description for Compliance Manager before quoting an entitlement to a customer.


Mapping Common FSI Templates to Framework Controls

The table below maps the most frequently requested Compliance Manager templates to the FSI Agent Governance controls that contribute evidence to those templates' control mappings. The framework's Regulatory Mappings reference carries the full crosswalk; the table here is a quick orientation for compliance officers deciding which controls to prioritise when standing up a Compliance Manager assessment.

| Compliance Manager template | Primary framework controls contributing evidence | Supporting framework controls |
|---|---|---|
| FFIEC IT Examination Handbook | 1.7 Audit Logging, 2.1 Managed Environments, 2.6 Model Risk Management, 2.7 Vendor Risk | 1.5 DLP, 1.15 Encryption, 3.1 Agent Inventory |
| GLBA 501(b) Safeguards Rule | 1.5 DLP, 1.13 SITs, 1.15 Encryption, 2.1 Managed Environments (Customer Lockbox sub-section) | 1.7 Audit, 2.7 Vendor Risk |
| Sarbanes-Oxley (SOX) §302 / §404 | 2.1 Managed Environments, 2.3 Change Management, 2.8 Segregation of Duties, 2.12 Supervision (FINRA 3110) | 1.7 Audit, 3.1 Agent Inventory |
| Federal Reserve SR 26-2 (formerly SR 11-7) (Model Risk) | 2.6 Model Risk Management, 2.11 Bias / Fairness Testing, 2.7 Vendor Risk | 3.1 Agent Inventory |
| OCC Bulletin 2026-13 (formerly OCC Bulletin 2011-12) | 2.6 Model Risk Management, 2.7 Vendor Risk | 3.1 Agent Inventory |
| NYDFS 23 NYCRR 500 | 1.7 Audit, 1.15 Encryption, 2.1 Managed Environments (Customer Lockbox sub-section), 3.9 Sentinel | 1.5 DLP, 2.7 Vendor Risk |
| NIST 800-53 Rev 5 | All Pillar 1 (Security) and Pillar 3 (Reporting) controls contribute | Consult regulatory-mappings.md for the full crosswalk |
| NIST AI Risk Management Framework | 2.6 Model Risk Management, 2.11 Bias / Fairness, 1.21 Prompt Injection / RAI; see nist-ai-rmf-crosswalk.md for the 67/72 subcategory mapping | All controls contribute via the crosswalk |
| ISO/IEC 27001 + 27017 + 27018 + 27701 | 1.5 DLP, 1.7 Audit, 1.15 Encryption, 2.1 Managed Environments, 2.7 Vendor Risk | All other Pillar 1 / 2 controls |
| ISO/IEC 42001:2023 (AI Management Systems) | 2.6 Model Risk, 2.11 Bias / Fairness, 3.1 Agent Inventory | All Pillar 2 (Management) controls |
| SOC 2 Trust Services Criteria | 1.7 Audit, 1.15 Encryption, 2.1 Managed Environments, 2.8 Segregation of Duties | All Pillar 1 / 2 controls; note that Microsoft's own SOC 2 attestation is sourced from STP per the Service Trust Portal Attestation Guide |
| PCI DSS v4.0 | 1.5 DLP, 1.13 SITs, 1.15 Encryption, 2.7 Vendor Risk | 1.7 Audit |
| HIPAA / HITECH | 1.5 DLP, 1.13 SITs, 1.15 Encryption | Mostly out of scope for FSI agents; included where the firm operates an integrated wealth/insurance/health business |
| EU AI Act | 2.6 Model Risk, 2.11 Bias / Fairness, 2.7 Vendor Risk, 3.1 Agent Inventory | Applicable where the firm operates an EU subsidiary or services EU customers; combine with the regulatory-mappings.md EU section |

Implementation Notes

  • Pre-built improvement actions. Each Compliance Manager template ships with Microsoft-recommended improvement actions (technical and operational) pre-mapped to its control framework. Customers should treat these as a starting point, not a finished assessment — many recommended actions require organisation-specific evidence and approval workflows that the framework's Implementation Playbooks supply.
  • Customer actions vs Microsoft actions. Compliance Manager distinguishes customer-managed improvement actions (the firm's responsibility) from Microsoft-managed actions (Microsoft's own controls, validated via the Service Trust Portal attestations referenced in the Service Trust Portal Attestation Evidence Guide). FSI compliance officers should pull both classes when assembling examiner evidence packs.
  • Evidence retention. Compliance Manager retains assessment evidence per the firm's Microsoft 365 retention policies. For examiner-grade retention (FINRA 4511 / SEC 17a-4 / CFTC 1.31), pair Compliance Manager evidence exports with the records-retention pattern in Control 1.7.
  • Automation interplay. The framework's Automated Assessment Engine and Honest Coverage Matrix operate independently of Compliance Manager. They emit JSON/Markdown evidence that maps to the same controls, but they do not write into Compliance Manager. Where the firm wants a single dashboard, the Solutions Index catalogues integration patterns.


Microsoft Learn Sources


Updated: May 2026 | Version: v1.6.2 | Verification Status: Current