Start Here
FSI-AgentGov explains how to govern Microsoft 365 AI agents in regulated financial services environments. It is most useful when your questions are about who can build agents, where they can run, what data and connectors they can use, how they move into production, and what evidence should be retained.
Disclaimer
This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.
Is This the Right Repository?
Use this framework if you are:
- an AI governance lead, Power Platform Admin, compliance lead, security architect, auditor, or business sponsor responsible for Microsoft 365 AI agents
- deploying Copilot Studio, Agent Builder, or related custom agent capabilities at a bank, insurer, broker-dealer, or similar US financial institution
- trying to decide what governance controls should exist before agents move from experimentation into broader use
- looking for a structured path from governance strategy to technical implementation
Start somewhere else if you are:
- governing Microsoft 365 Copilot in Word, Excel, PowerPoint, Outlook, Teams, Copilot Chat, or Copilot Pages -> see FSI-CopilotGov
- looking for prompt engineering guidance or end-user productivity tips
- working outside regulated US financial services
- trying to learn basic product capabilities before thinking about governance -> start with Microsoft Learn
Why FSI-AgentGov Exists
Microsoft product documentation explains how to create and configure agents. It does not provide a complete financial-services-focused operating model for:
- governing who can create, publish, and share agents
- controlling environments, connectors, file handling, and data movement
- scaling controls as agents move from personal experiments to team and enterprise use
- collecting the evidence needed for oversight, audit, examination preparation, and recurring review
FSI-AgentGov packages those decisions into 71 controls, 284 implementation playbooks, and a three-zone governance model so teams can move from ad hoc experimentation to a more structured rollout.
How This Repository Helps a New User
If you are new to the repository, it helps you:
- determine whether an agent belongs in Zone 1, Zone 2, or Zone 3
- identify which foundational controls to implement first
- route to the right framework, control, or playbook page based on your role and scenario
- support risk, compliance, and operational discussions with a common governance reference point
Scenario Guide — Where Should I Go?
| Your Situation | Where to Start |
|---|---|
| "We need to decide whether a new agent belongs in personal, team, or enterprise governance." | Zones and Tiers + Agent Lifecycle |
| "We need to control who can create, publish, or move agents into production." | Control 1.1 - Restrict Agent Publishing + Control 2.1 - Managed Environments + Control 2.15 - Environment Routing |
| "We need to govern connectors, file handling, and data boundaries." | Control 1.4 - Advanced Connector Policies + Control 1.5 - DLP and Sensitivity Labels + Control 1.26 - File Upload Restrictions |
| "We need step-by-step implementation guidance, not just policy statements." | Quick Start Guide + Playbooks Overview + Phase 0: Governance Setup |
| "We need evidence for governance, audit, or compliance review." | Regulatory Framework + Evidence Standards + Audit Readiness Checklist |
| "We are not sure whether AgentGov or CopilotGov is the right starting point." | Relationship to FSI-CopilotGov |
Recommended First 30 Minutes
- Read the Executive Summary to understand the governance problem and the operating model.
- Confirm scope with Relationship to FSI-CopilotGov if your organization also uses Microsoft 365 Copilot.
- Review Zones and Tiers to understand the three-zone classification model.
- Scan the Control Catalog to see the four pillars and foundational controls.
- Open the Quick Start Guide or the Governance Readiness Assessment to turn orientation into an action plan.
How the Repository Is Organized
| Layer | What it answers | Who uses it |
|---|---|---|
| Framework | Why governance matters, how zones work, what regulations apply, and how accountability is structured | Executives, compliance, governance leads |
| Controls | What technical and procedural controls should be in place | Architects, admins, control owners |
| Playbooks | How to implement, verify, and troubleshoot the controls | Hands-on implementers and operations teams |
Next Step
If you want the shortest path from orientation to action, continue to the Quick Start Guide. If you first need to confirm whether this framework or the Copilot framework applies to your scenario, read Relationship to FSI-CopilotGov.