# Control Catalog

The FSI Copilot Governance Framework contains 56 controls organized across four lifecycle-based pillars, providing comprehensive governance coverage for Microsoft 365 Copilot in US financial services.

## Control Index

### Pillar 1: Readiness & Assessment (15 Controls)

Pre-deployment data hygiene, oversharing detection, permission audits, and license planning.

| ID | Control | Governance Level |
|---|---|---|
| 1.1 | Copilot Readiness Assessment and Data Hygiene | Baseline |
| 1.2 | SharePoint Oversharing Detection and Remediation (DSPM for AI) | Baseline |
| 1.3 | Restricted SharePoint Search Configuration | Recommended |
| 1.4 | Semantic Index Governance and Scope Control | Recommended |
| 1.5 | Sensitivity Label Taxonomy Review for Copilot | Baseline |
| 1.6 | Permission Model Audit | Baseline |
| 1.7 | SharePoint Advanced Management Readiness for Copilot | Recommended |
| 1.8 | Information Architecture Review | Recommended |
| 1.9 | License Planning and Copilot Assignment Strategy | Baseline |
| 1.10 | Vendor Risk Management for Microsoft AI Services | Regulated |
| 1.11 | Organizational Change Management and Adoption Planning | Baseline |
| 1.12 | Training and Awareness Program | Baseline |
| 1.13 | Extensibility Readiness | Recommended |
| 1.14 | Item-Level Permission Scanning | Recommended |
| 1.15 | SharePoint Permissions Drift Detection | Recommended |

### Pillar 2: Security & Protection (15 Controls)

DLP, sensitivity labels, conditional access, encryption, information barriers, and Defender integration.

| ID | Control | Governance Level |
|---|---|---|
| 2.1 | DLP Policies for M365 Copilot Interactions | Baseline |
| 2.2 | Sensitivity Labels and Copilot Content Classification | Baseline |
| 2.3 | Conditional Access Policies for Copilot Workloads | Recommended |
| 2.4 | Information Barriers for Copilot (Chinese Wall) | Regulated |
| 2.5 | Data Minimization and Grounding Scope | Recommended |
| 2.6 | Copilot Web Search and Web Grounding Controls | Baseline |
| 2.7 | Data Residency and Cross-Border Data Flow Governance | Regulated |
| 2.8 | Encryption (Data in Transit and at Rest) | Baseline |
| 2.9 | Defender for Cloud Apps — Copilot Session Controls | Recommended |
| 2.10 | Insider Risk Detection for Copilot Usage Patterns | Recommended |
| 2.11 | Copilot Pages Security and Sharing Controls | Baseline |
| 2.12 | External Sharing and Guest Access Governance | Baseline |
| 2.13 | Plugin and Graph Connector Security Governance | Recommended |
| 2.14 | Declarative Agents from SharePoint — Creation and Sharing Governance | Recommended |
| 2.15 | Network Security and Private Connectivity | Regulated |

### Pillar 3: Compliance & Audit (13 Controls)

Audit logging, retention, eDiscovery, communication compliance, and regulatory reporting.

| ID | Control | Governance Level |
|---|---|---|
| 3.1 | Copilot Interaction Audit Logging | Baseline |
| 3.2 | Data Retention Policies for Copilot Interactions | Baseline |
| 3.3 | eDiscovery for Copilot-Generated Content | Recommended |
| 3.4 | Communication Compliance Monitoring | Recommended |
| 3.5 | FINRA Rule 2210 Compliance for Copilot-Drafted Communications | Regulated |
| 3.6 | Supervision and Oversight (FINRA Rule 3110 / SEC Reg BI) | Regulated |
| 3.7 | Regulatory Reporting | Recommended |
| 3.8 | Model Risk Management Alignment (OCC 2011-12 / SR 11-7) | Regulated |
| 3.9 | AI Disclosure, Transparency, and SEC Marketing Rule | Recommended |
| 3.10 | SEC Reg S-P — Privacy of Consumer Financial Information | Regulated |
| 3.11 | Record Keeping and Books-and-Records Compliance | Baseline |
| 3.12 | Evidence Collection and Audit Attestation | Recommended |
| 3.13 | FFIEC IT Examination Handbook Alignment | Regulated |

### Pillar 4: Operations & Monitoring (13 Controls)

Feature management, per-app toggles, usage analytics, cost tracking, and incident response.

| ID | Control | Governance Level |
|---|---|---|
| 4.1 | Copilot Admin Settings and Feature Management | Baseline |
| 4.2 | Copilot in Teams Meetings Governance | Recommended |
| 4.3 | Copilot in Teams Phone and Queues Governance | Recommended |
| 4.4 | Copilot in Viva Suite Governance | Recommended |
| 4.5 | Copilot Usage Analytics and Adoption Reporting | Baseline |
| 4.6 | Microsoft Viva Insights — Copilot Impact Measurement | Recommended |
| 4.7 | Copilot Feedback and Telemetry Data Governance | Recommended |
| 4.8 | Cost Allocation and License Optimization | Baseline |
| 4.9 | Incident Reporting and Root Cause Analysis | Baseline |
| 4.10 | Business Continuity and Disaster Recovery for Copilot Dependency | Recommended |
| 4.11 | Microsoft Sentinel Integration for Copilot Events | Regulated |
| 4.12 | Change Management for Copilot Feature Rollouts | Baseline |
| 4.13 | Copilot Extensibility Governance | Recommended |

## Control Statistics

| Pillar | Controls | Baseline | Recommended | Regulated |
|---|---|---|---|---|
| 1. Readiness & Assessment | 15 | 7 | 7 | 1 |
| 2. Security & Protection | 15 | 6 | 6 | 3 |
| 3. Compliance & Audit | 13 | 3 | 5 | 5 |
| 4. Operations & Monitoring | 13 | 5 | 7 | 1 |
| Total | 56 | 21 | 25 | 10 |

## How to Use This Catalog

- Identify your governance level — See Governance Fundamentals to determine if your organization needs Baseline, Recommended, or Regulated controls
- Start with Pillar 1 — Complete readiness assessments before enabling Copilot
- Implement by priority — Within each pillar, Baseline controls should be implemented first
- Use playbooks — Each control has 4 implementation playbooks (portal walkthrough, PowerShell, verification, troubleshooting)

FSI Copilot Governance Framework v1.2.1 - March 2026