Skip to content

Control 1.2: Agent Registry and Integrated Apps Management

Overview

Control ID: 1.2 Control Name: Agent Registry and Integrated Apps Management Regulatory Reference: FINRA 4511, SEC Rule 17a-3/4, OCC 2011-12 Setup Time: 1-2 hours (initial); ongoing maintenance

Purpose

A comprehensive agent registry provides the foundational inventory required for AI governance in financial services. Regulators expect firms to know exactly what AI agents are deployed, who owns them, what data they access, and their approval status. This control satisfies:

  • FINRA 4511: Books and records requirements for electronic systems
  • SEC 17a-3/4: Record-keeping for broker-dealers including AI systems
  • OCC 2011-12: Model inventory for AI/ML systems in banks
  • Examination Readiness: Rapid response to regulatory inquiries about AI deployments

Prerequisites

Primary Owner Admin Role: Power Platform Admin Supporting Roles: Dataverse System Admin, Entra App Admin, SharePoint Site Owner

Required Licenses

  • Microsoft 365 E3 or E5 (M365 Admin Center access)
  • Power Platform per-user or per-app license (for Copilot Studio agents)
  • Power Platform Admin Center access

Required Permissions

  • Microsoft 365 Global Administrator or Application Administrator (Integrated Apps)
  • Power Platform System Administrator (Copilot Studio agent inventory)
  • SharePoint Site Owner (for registry SharePoint list)

Dependencies

  • Control 2.1 (Managed Environments): Provides environment structure for agent categorization
  • Control 1.1 (Restrict Publishing): Ensures only approved agents are published

Pre-Setup Checklist

  • [ ] Define agent metadata schema (see below)
  • [ ] Create security groups for registry access
  • [ ] Identify all existing agents across environments
  • [ ] Establish agent naming convention
  • [ ] Create SharePoint site for registry (recommended)

Governance Levels

Baseline (Level 1)

Centralized inventory (spreadsheet or SharePoint list) of agents, updated at least monthly.

Automated registry with ownership, data sources, connectors, approval status; weekly review.

Regulated/High-Risk (Level 4)

Real-time inventory with automated drift detection; daily monitoring for production agents.

Setup & Configuration

Step 1: Create Agent Registry Metadata Schema

Before building the registry, define the required metadata fields for FSI compliance:

Field Name Required Description Example
Agent ID Yes Unique identifier AGT-2025-001
Agent Name Yes Display name Customer Service Bot
Description Yes Purpose and function Handles retail banking inquiries
Owner Yes Responsible individual jane.smith@contoso.com
Business Unit Yes Owning department Retail Banking
Zone Classification Yes Governance zone Tier 3 - Enterprise
Environment Yes Deployment location Production-Enterprise
Data Sources Yes Connected data SharePoint, CRM
Connectors Used Yes External integrations SharePoint, Dataverse
Sensitivity Level Yes Data classification Confidential-FSI
Approval Status Yes Governance approval Approved
Approval Date Yes When approved 2025-01-15
Approver Yes Who approved AI Governance Committee
Review Frequency Yes How often reviewed Quarterly
Last Review Date Yes Most recent review 2025-01-01
Next Review Date Yes Scheduled review 2025-04-01
Risk Rating Yes Risk assessment Medium
Status Yes Current state Active

Step 2: Configure Integrated Apps in M365 Admin Center

Portal Path: Microsoft 365 Admin CenterSettingsIntegrated Apps

  1. Sign in to the Microsoft 365 Admin Center
  2. Navigate to SettingsIntegrated Apps
  3. Review the current list of integrated applications
  4. For each Copilot Studio agent:
  5. Click the agent name to view details
  6. Verify Publisher and Permissions information
  7. Check User access configuration
  8. Note the App ID for registry tracking

Configure User Consent Settings:

  1. Navigate to SettingsOrg settingsServicesUser consent to apps
  2. For FSI environments, set to Do not allow user consent
  3. This ensures all agents must go through IT/Governance approval

Step 3: Create SharePoint Registry List

Recommended: Create a SharePoint list for centralized agent tracking

Portal Path: SharePoint Admin Center or SharePoint site

  1. Create a new SharePoint site or use existing governance site
  2. Create a new list named AI Agent Registry
  3. Add columns matching the metadata schema from Step 1
  4. Configure views:
  5. All Agents: Complete inventory
  6. Active Agents: Status = Active
  7. Pending Review: Next Review Date <= Today + 30 days
  8. By Zone: Grouped by Zone Classification
  9. By Business Unit: Grouped by Business Unit
  10. Set permissions:
  11. Full Control: AI Governance Team
  12. Contribute: Agent Owners (their items only)
  13. Read: Compliance, Audit, Security Teams

Step 4: Discover Existing Agents

Portal Path: Power Platform Admin CenterEnvironments

  1. For each environment:
  2. Click the environment name
  3. Navigate to ResourcesPower Apps or Copilot Studio agents
  4. Export the list of all applications/agents
  5. Document each agent's:
  6. Name and ID
  7. Owner (Created By)
  8. Last Modified Date
  9. Connectors used (visible in app details)

Using Copilot Studio:

  1. Navigate to Copilot Studio
  2. Select each environment from the environment picker
  3. Review Copilots list
  4. Click each agent to view:
  5. Topics and Knowledge sources
  6. Channels published to
  7. Analytics and usage data

Step 5: Configure Agent Publishing Requirements

Portal Path: Power Platform Admin Center → PoliciesPublishing

Ensure all new agents must be registered before publishing:

  1. Navigate to Environments → Select production environment
  2. Go to SettingsFeatures
  3. Under AI-generated content:
  4. Enable Require admin approval for publishing
  5. Document the approval workflow:
  6. Agent must be registered in SharePoint list
  7. Zone classification must be assigned
  8. Risk assessment must be completed
  9. Approval documented before publishing enabled

Step 6: Set Up Automated Inventory Refresh

Option A: Power Automate Flow

Create a scheduled flow to refresh the registry:

  1. Navigate to Power Automate
  2. Create a Scheduled cloud flow
  3. Set schedule: Weekly (or daily for Tier 3)
  4. Add actions:
  5. Connect to Power Platform Admin connector
  6. List all apps in target environments
  7. Compare with SharePoint registry
  8. Flag new unregistered agents
  9. Send notification email for discrepancies

Option B: PowerShell Scheduled Task

# See PowerShell Configuration section below

PowerShell Configuration

# Agent Registry Automation Script
# Requires: Power Platform Admin PowerShell module

# Install required module
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force

# Connect to Power Platform
Add-PowerAppsAccount

# Get all Copilot Studio agents across environments
$AllEnvironments = Get-AdminPowerAppEnvironment
$AgentInventory = @()

foreach ($Env in $AllEnvironments) {
    Write-Host "Scanning environment: $($Env.DisplayName)" -ForegroundColor Cyan

    # Get Canvas Apps (includes Copilot Studio agents)
    $Apps = Get-AdminPowerApp -EnvironmentName $Env.EnvironmentName

    foreach ($App in $Apps) {
        $AgentInventory += [PSCustomObject]@{
            AgentName = $App.DisplayName
            AgentID = $App.AppName
            Environment = $Env.DisplayName
            EnvironmentID = $Env.EnvironmentName
            Owner = $App.Owner.displayName
            OwnerEmail = $App.Owner.email
            CreatedTime = $App.CreatedTime
            LastModifiedTime = $App.LastModifiedTime
            AppType = $App.AppType
        }
    }
}

# Export to CSV
$ExportPath = "C:\Governance\AgentInventory-$(Get-Date -Format 'yyyyMMdd').csv"
$AgentInventory | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Exported $($AgentInventory.Count) agents to $ExportPath" -ForegroundColor Green

# Compare with registered agents (from SharePoint list export)
$RegisteredAgents = Import-Csv "C:\Governance\RegisteredAgents.csv"
$RegisteredIDs = $RegisteredAgents.AgentID

$UnregisteredAgents = $AgentInventory | Where-Object { $_.AgentID -notin $RegisteredIDs }

if ($UnregisteredAgents.Count -gt 0) {
    Write-Host "WARNING: Found $($UnregisteredAgents.Count) unregistered agents!" -ForegroundColor Red
    $UnregisteredAgents | Format-Table AgentName, Owner, Environment

    # Send alert email
    $EmailBody = "The following agents are not registered in the AI Agent Registry:`n`n"
    $EmailBody += ($UnregisteredAgents | ForEach-Object { "- $($_.AgentName) in $($_.Environment) (Owner: $($_.Owner))" }) -join "`n"

    # Requires Exchange Online connection
    # Send-MailMessage -To "ai-governance@contoso.com" -Subject "Unregistered Agents Detected" -Body $EmailBody
}

# Get Integrated Apps from M365 (Graph API)
# Requires Microsoft.Graph module
Install-Module Microsoft.Graph -Force
Connect-MgGraph -Scopes "Application.Read.All"

$IntegratedApps = Get-MgServicePrincipal -Filter "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')" -All
$IntegratedApps | Select-Object DisplayName, AppId, PublisherName, CreatedDateTime |
    Export-Csv "C:\Governance\IntegratedApps-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Generate Registry Report
$ReportPath = "C:\Governance\AgentRegistryReport-$(Get-Date -Format 'yyyyMMdd').html"
$HTML = @"
<!DOCTYPE html>
<html>
<head>
    <title>Agent Registry Report - $(Get-Date -Format 'yyyy-MM-dd')</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        table { border-collapse: collapse; width: 100%; }
        th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
        th { background-color: #0078d4; color: white; }
        tr:nth-child(even) { background-color: #f2f2f2; }
        .warning { background-color: #fff3cd; }
        .error { background-color: #f8d7da; }
    </style>
</head>
<body>
    <h1>AI Agent Registry Report</h1>
    <p>Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm')</p>
    <h2>Summary</h2>
    <ul>
        <li>Total Agents Discovered: $($AgentInventory.Count)</li>
        <li>Registered Agents: $($RegisteredAgents.Count)</li>
        <li>Unregistered Agents: $($UnregisteredAgents.Count)</li>
    </ul>
</body>
</html>
"@
$HTML | Out-File $ReportPath
Write-Host "Report generated: $ReportPath" -ForegroundColor Green

Financial Sector Considerations

Regulatory Alignment

Regulation Registry Requirement
FINRA 4511 Maintain books and records for all electronic tools including AI agents
SEC 17a-3 Record-keeping for customer interaction systems
SEC 17a-4 Retention of system records for 3-6 years
OCC 2011-12 Model inventory for all AI/ML systems
Fed SR 11-7 Comprehensive inventory of models with risk ratings

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Registry Update Frequency: Monthly
Metadata Required: Basic (Name, Owner, Zone, Status)
Approval Level: Automatic (self-service with guardrails)
Risk Assessment: Not required
Retention: 1 year after decommission

Zone 2 (Team Collaboration)

Registry Update Frequency: Weekly
Metadata Required: Full metadata schema
Approval Level: Team lead + IT approval
Risk Assessment: Simplified checklist
Retention: 3 years after decommission

Zone 3 (Enterprise Managed)

Registry Update Frequency: Real-time (automated)
Metadata Required: Full metadata + audit trail
Approval Level: AI Governance Committee
Risk Assessment: Full risk assessment document
Retention: 7 years after decommission (SEC 17a-4)

FSI Configuration Example: Regional Bank

Scenario: A regional bank with 50+ Copilot Studio agents across retail, commercial, and wealth divisions.

Registry Structure:

  1. SharePoint Site: AIGovernance.sharepoint.com/sites/AgentRegistry

  2. Lists Created:

  3. AgentMasterRegistry - Primary inventory
  4. AgentApprovals - Approval workflow tracking
  5. AgentReviews - Periodic review documentation

  6. AgentIncidents - Issue/incident tracking

  7. Views Configured:

  8. Customer-Facing Agents (Tier 3)
  9. Internal Tools (Tier 1-2)
  10. Pending Quarterly Review
  11. By Line of Business

  12. Recently Modified

  13. Automation:

  14. Power Automate flow scans environments weekly
  15. Email alert for unregistered agents within 24 hours
  16. Quarterly review reminders 30 days in advance

  17. Automatic status change to "Review Overdue" if missed

  18. Reporting:

  19. Weekly summary to IT leadership
  20. Monthly report to Risk Committee
  21. Quarterly full inventory to Compliance
  22. Annual attestation for regulatory examination

Verification & Testing

Verification Steps

  1. Confirm Registry is Complete:
  2. Navigate to SharePoint registry list
  3. Compare count with Power Platform discovery

  4. EXPECTED: All agents in environments appear in registry

  5. Verify Integrated Apps Visibility:

  6. M365 Admin Center → Settings → Integrated Apps
  7. Confirm all published Copilot Studio agents appear

  8. EXPECTED: Complete list with user access details

  9. Test Discovery Automation:

  10. Create a test agent in sandbox environment
  11. Wait for automated scan to run
  12. Check for alert notification

  13. EXPECTED: Unregistered agent flagged within scheduled interval

  14. Validate Metadata Completeness:

  15. Select 5 random agents from registry
  16. Verify all required fields are populated

  17. EXPECTED: 100% field completion for Tier 2-3 agents

  18. Confirm Approval Workflow:

  19. Attempt to publish agent without registration
  20. EXPECTED: Blocked or flagged per approval policy

Verification Evidence

  • [ ] Screenshot: SharePoint registry list with sample entries
  • [ ] Export: Full agent inventory CSV
  • [ ] Screenshot: Integrated Apps configuration
  • [ ] Documentation: Metadata schema and naming convention
  • [ ] Export: Approval workflow documentation
  • [ ] Log: Automated discovery scan results

Troubleshooting & Validation

Issue: Agents Not Appearing in Integrated Apps

Symptoms: Published Copilot Studio agents don't show in M365 Admin Center

Solutions:

  1. Verify agent is published (not just created)
  2. Check that the agent is published to a Teams channel
  3. Wait 24 hours for sync (can take time)
  4. Verify agent is in a Managed Environment
  5. Check if app registration was created in Entra ID

Issue: PowerShell Discovery Missing Agents

Symptoms: Script doesn't find all known agents

Solutions:

  1. Verify account has Power Platform Admin role
  2. Check all environments are accessible (not blocked by tenant isolation)
  3. Run discovery for each environment individually to identify gaps
  4. Some agent types may require different API calls

Issue: Registry Drift - Mismatches Between Registry and Actual

Symptoms: Registry shows different agents than discovery

Solutions:

  1. Implement more frequent automated scans
  2. Add workflow to require registry update before publishing
  3. Enable Power Platform audit logging to track changes
  4. Create reconciliation report for weekly review

Issue: Orphaned Agents (Owner Left Organization)

Symptoms: Agent owner email is invalid/disabled

Solutions:

  1. Query Entra ID to identify orphaned agent owners
  2. Establish ownership transfer process in offboarding
  3. Assign backup owners for all Tier 3 agents
  4. Flag orphaned agents for immediate reassignment

Additional Resources

Control Relationship
Control 1.1 Publishing restrictions ensure registry compliance
Control 2.1 Environment structure informs zone classification
Control 3.1 Registry feeds inventory reporting
Control 3.6 Registry enables orphan detection

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead: Registry policy and metadata standards
  • Compliance Officer: Regulatory requirements and retention
  • IT Operations: Technical setup and automation
  • Power Platform Admin: Environment and agent management

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification