Control 1.13: Extensibility Readiness (Graph Connectors, Plugins, Declarative Agents)
Control ID: 1.13
Pillar: Readiness & Assessment
Regulatory Reference: GLBA 501(b), FFIEC IT Handbook (Information Security Booklet), OCC Bulletin 2013-29 (Third-Party Relationships), Interagency AI Guidance (2023)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Conduct a pre-deployment assessment for Microsoft 365 Copilot extensibility features -- including Microsoft Graph connectors, Copilot plugins (actions), and declarative agents (including SharePoint declarative agents) -- to evaluate the security, data flow, governance, and compliance implications of extending Copilot's capabilities beyond native M365 functionality. Extensibility features introduce external data sources and third-party code into Copilot's processing pipeline, creating additional risk vectors that must be assessed before deployment in regulated financial services environments.
Why This Matters for FSI
- GLBA 501(b): Extensibility features that bring external data into Copilot's grounding scope or that allow Copilot to take actions in external systems expand the data protection surface area. Safeguards must extend to cover data flows through connectors, plugins, and agents.
- FFIEC IT Handbook (Information Security): Security assessment of new technology components is a core expectation. Each extensibility feature represents a new component in the Copilot architecture that requires security evaluation, including authentication, authorization, data encryption, and input validation.
- OCC Bulletin 2013-29: Third-party plugins and connectors may be developed by vendors outside Microsoft. These relationships create third-party risk that must be managed per OCC expectations.
- Interagency AI Guidance (2023): AI systems that interact with external data sources and take actions based on AI processing require heightened risk assessment, including evaluation of data quality, bias, and operational risk.
- SOX 302/404: If extensibility features enable Copilot to interact with financial systems or reporting data through connectors or plugins, the internal control implications must be assessed.
Control Description
Copilot Extensibility Architecture
Microsoft 365 Copilot supports three primary extensibility mechanisms, with SharePoint declarative agents treated separately below because they are created from site content rather than from a manifest:
| Extension Type | Description | Data Flow | Risk Profile |
|---|---|---|---|
| Microsoft Graph Connectors | Ingest external data into Microsoft Graph, making it searchable by Copilot | External system -> Graph connector -> Microsoft Graph -> Copilot | Medium-High: External data enters M365 search and Copilot grounding scope |
| Copilot Plugins (Actions) | Allow Copilot to invoke external APIs to retrieve data or perform actions | Copilot -> Plugin -> External API -> Response back to Copilot | High: Copilot interacts with external systems, potential for data exfiltration or unauthorized actions |
| Declarative Agents | Custom Copilot experiences scoped to specific data sources and instructions | User -> Declarative Agent -> Copilot + scoped data sources | Medium: Custom Copilot experience with potentially expanded or restricted scope |
| SharePoint Declarative Agents | Declarative agents automatically created from SharePoint sites | User -> SharePoint agent -> Copilot + SharePoint site content | Low-Medium: Scoped to specific SharePoint content with site-level permissions |
Graph Connector Assessment
Graph connectors bring external data into the Microsoft 365 search and Copilot grounding scope:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Data inventory | What external data sources are connected or planned for connection via Graph connectors? | Each connector expands Copilot's grounding scope with external data |
| Data classification | What is the sensitivity classification of data flowing through each connector? | External data may include regulated data (customer records, financial data, PII) |
| Access control | How are permissions applied to connector-ingested content? Does it use ACLs from the source system? | Permission model mismatches can create oversharing of external data |
| Data freshness | How frequently is connector data refreshed? What is the latency? | Stale connector data can lead to inaccurate Copilot responses |
| Data quality | What quality controls exist for data ingested through connectors? | Low-quality external data degrades Copilot response quality |
| Connector source | Is the connector Microsoft-built, third-party, or custom-developed? | Third-party and custom connectors require additional security review |
Graph Connector Inventory Template
| Connector | Source System | Data Type | Sensitivity | Permission Model | Refresh Frequency | Connector Provider | Approval Status |
|---|---|---|---|---|---|---|---|
| [Name] | [System] | [Type] | [Level] | [ACL/Group/None] | [Frequency] | [MS/3rd Party/Custom] | [Status] |
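As an added example, not part of this control and not Microsoft code, the script below fills the inventory template from the Graph externalConnection list and checks the Permission Model column against a sample of the items each connector submits: an item whose grant ACL is `everyone` or `everyoneExceptGuests` is visible tenant-wide regardless of the source system's permissions. It assumes the externalConnection shape (`id`, `name`, `state`) and the externalItem `acl` entries (`type`, `value`, `accessType`); the connections, items, provider, refresh and sensitivity values are constructed, and the sensitivity label vocabulary is an assumption.

```python
"""Graph connector inventory with a permission-model check.

Added example for this control, not Microsoft code. Assumes the Microsoft Graph
externalConnection shape (id, name, state) and the externalItem acl entries
(type, value, accessType) that connector code submits with each item. All data
below is constructed; the provider, refresh and sensitivity lookups stand in for
columns the assessor records by hand because the API does not carry them.
"""

BROAD_ACL_TYPES = {"everyone", "everyoneExceptGuests"}
SENSITIVE_MARKERS = ("Confidential", "NPI", "Restricted")  # assumption: label vocabulary

# Constructed: what GET /external/connections returns for this tenant
CONNECTIONS = [
    {"id": "crmAccounts", "name": "CRM Accounts", "state": "ready"},
    {"id": "hrPolicies", "name": "HR Policy Library", "state": "ready"},
    {"id": "legacyWiki", "name": "Legacy Wiki", "state": "draft"},
]

# Constructed: a sample of items as each connector submits them (the acl is set by connector code)
ITEMS = {
    "crmAccounts": [
        {"id": "acct-1", "acl": [{"type": "group", "value": "00000000-0000-0000-0000-000000000001", "accessType": "grant"}]},
        {"id": "acct-2", "acl": [{"type": "everyone", "value": "everyone", "accessType": "grant"}]},
    ],
    "hrPolicies": [
        {"id": "pol-1", "acl": [{"type": "everyoneExceptGuests", "value": "everyoneExceptGuests", "accessType": "grant"}]},
    ],
    "legacyWiki": [],
}

# Constructed: assessor-supplied columns
PROVIDER = {"crmAccounts": "Custom", "hrPolicies": "MS", "legacyWiki": "3rd Party"}
SENSITIVITY = {"crmAccounts": "Confidential - NPI", "hrPolicies": "Internal", "legacyWiki": "Unclassified"}
REFRESH = {"crmAccounts": "15 min", "hrPolicies": "Daily", "legacyWiki": "Weekly"}


def permission_model(items):
    """Return (label, share of sampled items granted tenant-wide)."""
    if not items:
        return "None (no items sampled)", 0.0
    broad = 0
    for item in items:
        grants = [a for a in item.get("acl", []) if a.get("accessType") == "grant"]
        if any(a.get("type") in BROAD_ACL_TYPES for a in grants):
            broad += 1
    share = broad / len(items)
    label = "ACL" if share == 0 else ("Tenant-wide" if share == 1 else "Mixed")
    return label, share


def build_inventory(connections, items, provider, sensitivity, refresh):
    """One row per connector in the shape of the inventory template, plus findings."""
    rows = []
    for conn in connections:
        cid = conn["id"]
        label, share = permission_model(items.get(cid, []))
        sens = sensitivity.get(cid, "Unclassified")
        findings = []
        if share > 0 and any(m in sens for m in SENSITIVE_MARKERS):
            findings.append(f"{share:.0%} of sampled items granted tenant-wide on {sens} data")
        if conn.get("state") != "ready":
            findings.append(f"connection state is {conn.get('state')}, not ready")
        if not items.get(cid):
            findings.append("no items sampled; permission model unverified")
        rows.append({
            "connector": conn["name"], "source_system": cid, "sensitivity": sens,
            "permission_model": label, "refresh": refresh.get(cid, "?"),
            "provider": provider.get(cid, "?"),
            "approval": "Blocked" if findings else "Pending review",
            "findings": findings,
        })
    return rows


def to_markdown(rows):
    """Render the rows as the inventory template table."""
    lines = ["| Connector | Source System | Sensitivity | Permission Model | Refresh | Provider | Approval | Findings |",
             "|---" * 8 + "|"]
    for r in rows:
        cells = [r["connector"], r["source_system"], r["sensitivity"], r["permission_model"],
                 r["refresh"], r["provider"], r["approval"], "; ".join(r["findings"]) or "-"]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(build_inventory(CONNECTIONS, ITEMS, PROVIDER, SENSITIVITY, REFRESH)))
```

The "Blocked" approval status is the script's own convention: any finding stops the connector until an assessor clears it. The crmAccounts row is the case the Access control question is aimed at: the source system has per-account permissions, but one of two sampled items was ingested with `everyone`, so NPI is reachable by any user who asks Copilot the right question.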
Plugin Assessment
Copilot plugins enable external API interactions:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Plugin inventory | What plugins are available, requested, or planned? | Each plugin extends Copilot's capability to interact with external systems |
| Authentication | How does the plugin authenticate to external systems? What credentials are used? | Credential management and authentication security are critical |
| Authorization | What actions can the plugin perform? Read-only or read-write? | Write actions create risk of unauthorized changes in external systems |
| Data flow | What data flows from Copilot to the plugin? What data returns? | Data leaving M365 through plugins may include sensitive information |
| Input validation | Does the plugin validate the parameters Copilot passes to it, server-side, rather than trusting them? | Indirect prompt injection (instructions hidden in a document, email, or connector item that Copilot grounds on) can cause Copilot to call the plugin with attacker-chosen parameters; the plugin cannot assume a human composed the request |
| Audit logging | Are plugin invocations logged for audit and compliance purposes? | Regulatory requirements for audit trails extend to AI-initiated actions |
| Plugin source | Is the plugin from Microsoft, a verified publisher, or custom-developed? | Source determines trust level and security review requirements |
Plugin Risk Classification
| Risk Level | Criteria | Approval Requirement |
|---|---|---|
| Low | Read-only access to non-sensitive external data; Microsoft-published plugin | IT admin approval |
| Medium | Read-only access to sensitive external data; verified publisher plugin | IT admin + security review |
| High | Write access to external systems; custom-developed plugin; access to financial systems | IT admin + security review + compliance approval |
| Critical | Write access to financial systems or regulated data; unverified publisher | Full security assessment + compliance review + CISO approval |
Declarative Agent Assessment
Declarative agents create custom Copilot experiences:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Agent inventory | What declarative agents exist or are planned? | Each agent creates a custom Copilot experience with specific scope |
| Scope definition | What data sources does each agent have access to? | Agent scope determines what content it can reference and generate |
| Instructions | What custom instructions are configured for the agent? | Instructions shape agent behavior and may create compliance implications |
| Target audience | Who can access and use each agent? | Agent access should be governed and limited to appropriate populations |
| SharePoint agents | Which SharePoint sites have auto-generated declarative agents? | SharePoint agents inherit site permissions but may make content more discoverable |
| Agent actions | Can the agent invoke plugins or take actions? | Agents with action capabilities inherit plugin risk considerations |
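As an added example that serves both the Plugin Risk Classification table and the Declarative Agent Assessment above, the script below applies the table's criteria to an API plugin manifest and the OpenAPI document it references (which functions are exposed, which are write operations, how the runtime authenticates), then reads a declarative agent manifest to answer the scope, web-search and action questions, with the agent inheriting the highest classification among the plugins it can call. It is not Microsoft code: the manifest field names it reads are the author's reading of the API plugin and declarative-agent manifest schemas, the financial-keyword heuristic is an assumption, and all three manifests are constructed.

```python
"""Classify Copilot API plugins and declarative agents from their manifests.

Added example for this control, not Microsoft code. Assumed shapes: API plugin
manifest (functions[].name, runtimes[].auth.type), the OpenAPI document it points
at (paths -> method -> operationId), declarative agent manifest
(capabilities[].name, actions[].file). Every manifest below is constructed.
"""
import json
from typing import Any

LEVELS = ["Low", "Medium", "High", "Critical"]
WRITE_METHODS = {"post", "put", "patch", "delete"}
# Assumption: keywords this institution treats as financial-system indicators
FINANCIAL_HINTS = ("trade", "order", "ledger", "payment", "portfolio", "settlement")


def plugin_risk(manifest: dict[str, Any], openapi: dict[str, Any],
                publisher: str, data_sensitivity: str) -> dict[str, Any]:
    """Apply the Plugin Risk Classification table. publisher: microsoft | verified |
    custom | unverified; data_sensitivity: non-sensitive | sensitive."""
    exposed = {f["name"] for f in manifest.get("functions", [])}
    read_ops, write_ops = [], []
    for path, ops in openapi.get("paths", {}).items():
        for method, op in ops.items():
            if op.get("operationId") not in exposed:
                continue  # in the spec, but not a function Copilot is given
            bucket = write_ops if method.lower() in WRITE_METHODS else read_ops
            bucket.append(f"{method.upper()} {path}")
    financial = any(h in json.dumps(openapi).lower() for h in FINANCIAL_HINTS)
    auth_types = {r.get("auth", {}).get("type", "None") for r in manifest.get("runtimes", [])}

    if publisher == "unverified" or (write_ops and financial):
        level = "Critical"
    elif write_ops or publisher == "custom" or financial:
        level = "High"
    elif data_sensitivity == "sensitive" or publisher == "verified":
        level = "Medium"
    else:
        level = "Low"

    findings = []
    if "None" in auth_types:
        findings.append("a runtime declares auth type None: the API is called without credentials")
    if write_ops:
        findings.append("write operations reachable from Copilot: " + ", ".join(write_ops))
    return {"name": manifest.get("name_for_human"), "level": level, "read": read_ops,
            "write": write_ops, "auth": sorted(auth_types), "findings": findings}


def agent_scope(agent: dict[str, Any], plugin_levels: dict[str, str]) -> dict[str, Any]:
    """Answer the Declarative Agent Assessment questions. plugin_levels maps each
    actions[].file to its plugin_risk() level; an unassessed plugin counts as High."""
    caps = {c["name"]: c for c in agent.get("capabilities", [])}
    sp = caps.get("OneDriveAndSharePoint", {})
    sp_urls = [i["url"] for i in sp.get("items_by_url", [])]
    sp_unscoped = "OneDriveAndSharePoint" in caps and not sp_urls and not sp.get("items_by_sharepoint_ids")
    connections = [c["connection_id"] for c in caps.get("GraphConnectors", {}).get("connections", [])]
    gc_unscoped = "GraphConnectors" in caps and not connections
    actions = [a["file"] for a in agent.get("actions", [])]
    inherited = max((plugin_levels.get(a, "High") for a in actions), key=LEVELS.index, default="Low")

    findings = []
    if sp_unscoped:
        findings.append("OneDriveAndSharePoint with no item scope: every site the user can read is in scope")
    if gc_unscoped:
        findings.append("GraphConnectors with no connection list: all connector content is in scope")
    if "WebSearch" in caps:
        findings.append("WebSearch enabled: responses may be grounded on public web content")
    if actions:
        findings.append(f"agent can invoke {len(actions)} plugin(s); inherits {inherited} plugin risk")
    return {"name": agent.get("name"), "sharepoint_urls": sp_urls, "sharepoint_unscoped": sp_unscoped,
            "connections": connections, "web_search": "WebSearch" in caps, "actions": actions,
            "inherited_plugin_level": inherited, "findings": findings}


# Constructed sample manifests (no real product or tenant)
ORDER_DESK_PLUGIN = {
    "schema_version": "v2.1", "name_for_human": "Order Desk",
    "functions": [{"name": "listOrders"}, {"name": "createOrder"}],
    "runtimes": [{"type": "OpenApi", "auth": {"type": "OAuthPluginVault"},
                  "spec": {"url": "order-desk-openapi.json"}, "run_for_functions": ["listOrders", "createOrder"]}],
}
ORDER_DESK_OPENAPI = {"paths": {
    "/orders": {"get": {"operationId": "listOrders"}, "post": {"operationId": "createOrder"}},
    "/orders/{id}": {"delete": {"operationId": "cancelOrder"}},  # in the spec, not exposed
}}
POLICY_PLUGIN = {
    "schema_version": "v2.1", "name_for_human": "Policy Lookup",
    "functions": [{"name": "searchPolicies"}],
    "runtimes": [{"type": "OpenApi", "auth": {"type": "None"}, "spec": {"url": "policy-openapi.json"}}],
}
POLICY_OPENAPI = {"paths": {"/policies": {"get": {"operationId": "searchPolicies"}}}}
DESK_AGENT = {
    "version": "v1.0", "name": "Desk Assistant",
    "capabilities": [{"name": "WebSearch"}, {"name": "OneDriveAndSharePoint"},
                     {"name": "GraphConnectors", "connections": [{"connection_id": "crmAccounts"}]}],
    "actions": [{"id": "orderDesk", "file": "order-desk-plugin.json"}],
}

if __name__ == "__main__":
    order = plugin_risk(ORDER_DESK_PLUGIN, ORDER_DESK_OPENAPI, "custom", "sensitive")
    policy = plugin_risk(POLICY_PLUGIN, POLICY_OPENAPI, "verified", "non-sensitive")
    print(json.dumps([order, policy, agent_scope(DESK_AGENT, {"order-desk-plugin.json": order["level"]})], indent=2))
```

Two details matter in practice. The OpenAPI document usually describes more operations than the plugin exposes, so the classification is driven by the `functions` list rather than by the whole spec; and an agent with an `OneDriveAndSharePoint` capability that carries no `items_by_url` or `items_by_sharepoint_ids` is not "scoped to a site" at all, it can reach whatever the calling user can already read.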
SharePoint Declarative Agent Considerations
SharePoint declarative agents are a specific category that merits focused attention:
| Aspect | Detail | Governance Action |
|---|---|---|
| Auto-creation | SharePoint sites can automatically generate declarative agents | Review which sites have agents enabled; disable where inappropriate |
| Permission inheritance | Agents inherit the SharePoint site's permission model | Sites with oversharing create agents with oversharing |
| Content scope | Agent is scoped to the specific SharePoint site content | Verify that site content is appropriate for AI-powered discovery |
| User access | Users who can access the site can use the agent | Ensure site permissions align with intended agent audience |
| Discoverability | Agents may be discoverable in the Copilot agent catalog | Control catalog visibility for agents on sensitive sites |
Extensibility Governance Framework
1. INVENTORY: Catalog all connectors, plugins, and agents
2. CLASSIFY: Assign risk classification per extension
3. ASSESS: Conduct security and compliance review per risk level
4. APPROVE: Obtain appropriate approvals per risk classification
5. DEPLOY: Deploy with configured governance controls
6. MONITOR: Ongoing monitoring of extension behavior and data flows
7. REVIEW: Periodic re-assessment of extension inventory and risk, feeding back into step 1
Copilot Surface Coverage
| Copilot Surface | Extensibility Relevance | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Primary surface where Graph connector data, plugins, and agents are invoked |
| SharePoint Copilot | High | SharePoint declarative agents create site-scoped Copilot experiences |
| Teams Copilot | High | Plugins and agents can be invoked from Teams conversations |
| Word / Excel / PowerPoint | Medium | Graph connector data may surface in document generation; some plugins may be available |
| Outlook Copilot | Medium | Plugins for CRM and other systems may integrate with Outlook Copilot |
| Copilot Pages | Medium | Pages may reference content from Graph connectors |
| Loop Copilot | Low | Limited extensibility surface |
| OneDrive Copilot | Low | Limited extensibility surface |
| Viva Copilot | Medium | Viva-specific connectors and plugins |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Inventory existing Graph connectors. Review Copilot plugin availability settings in M365 Admin Center. Assess whether SharePoint declarative agents are enabled and on which sites. Document extensibility posture. Disable extensibility features that have not been assessed. | Minimum awareness of extensibility landscape and proactive disabling of unassessed features to reduce risk. |
| Recommended | All Baseline requirements plus: implement plugin approval process with risk classification. Conduct security review for all active Graph connectors. Assess data flows for each connector and plugin. Configure SharePoint agent governance (enable/disable per site based on content sensitivity). Establish extensibility change management process. Monitor connector and plugin usage through admin reports. | Structured governance of Copilot extensibility with security review, approval workflows, and ongoing monitoring. |
| Regulated | All Recommended requirements plus: conduct full security assessment for all extensions including custom-developed connectors and plugins. Implement formal change control for extensibility deployments. Include extensibility in vendor risk management for third-party providers (see Control 1.10). Require compliance sign-off for plugins with write access to external systems. Maintain extensibility governance documentation in regulatory examination file. Conduct quarterly extensibility inventory review. Include extensibility risk in AI governance reporting. | Comprehensive extensibility governance with formal security assessment, compliance oversight, and examination readiness documentation. |
Setup & Configuration
Step 1: Review Extensibility Settings
Navigate to Microsoft 365 Admin Center > Settings > Copilot and review:
- Plugin availability settings (which plugins are enabled/disabled)
- Graph connector status (which connectors are active)
- Integrated apps settings (which apps can interact with Copilot)
Step 2: Inventory Graph Connectors
Navigate to Microsoft 365 Admin Center > Settings > Search & intelligence > Data sources to review:
- Active Graph connectors
- Connector source (Microsoft, third-party, custom)
- Data source connections
- Item count per connector
- Permission configuration per connector
Step 3: Configure Plugin Governance
In Microsoft 365 Admin Center > Settings > Copilot > Plugins:
- Review available plugins
- Enable/disable plugins based on risk classification
- Configure user assignment (which users can access which plugins)
- Set approval requirements for new plugin requests
Step 4: Configure SharePoint Agent Governance
Navigate to SharePoint Admin Center > Settings and review:
- SharePoint declarative agent settings (tenant-level enable/disable)
- Per-site agent configuration
- Agent catalog visibility settings
For sites containing sensitive content:
- Disable declarative agent creation
- Or enable with enhanced monitoring
Step 5: Establish Approval and Change Management
Document and implement:
- Extension request and approval workflow
- Risk classification criteria and corresponding approval authorities
- Security review requirements per risk level
- Change management process for new extension deployments
- Periodic review cadence for extension inventory
Financial Sector Considerations
- CRM Connector Risk: Many financial institutions consider connecting CRM systems (Salesforce, Dynamics) to Copilot via Graph connectors. This brings client data directly into Copilot's grounding scope. Assess the implications of CRM data in Copilot responses, particularly for institutions subject to SEC Reg S-P and GLBA NPI protections.
- Trading System Integration: Plugins or connectors that interact with trading platforms, order management systems, or portfolio management tools introduce the risk that Copilot could initiate or influence trades. Implement strict controls around any extensibility that touches trading infrastructure.
- Regulatory Filing Systems: Connectors to regulatory filing systems (EDGAR, FINRA Gateway, regulatory reporting platforms) should be evaluated carefully. Copilot grounding on regulatory filing data could create disclosure risks.
- Third-Party Plugin Vendors: Plugins developed by third parties create vendor risk relationships that must be managed per OCC 2013-29 and the institution's third-party risk framework. Include plugin vendors in the vendor risk inventory.
- Custom Development Security: Custom-developed Graph connectors and plugins must undergo the institution's software development security review process (SDLC security), including code review, vulnerability assessment, and penetration testing.
- Data Sovereignty for Connectors: Graph connectors may ingest data from systems hosted in different geographic locations. Verify that connector data flows comply with data sovereignty and data residency requirements.
- Information Barrier Interaction: Assess how Graph connector data and plugin responses interact with Microsoft Purview information barriers. External data brought into the Graph may not be segmented by information barrier policies.
Verification Criteria
- Inventory of all active Graph connectors has been completed with data source, sensitivity classification, and permission model documented
- Plugin availability settings have been reviewed and non-assessed plugins disabled
- SharePoint declarative agent configuration has been reviewed and agents disabled on sites containing sensitive data (unless specifically approved)
- Plugin approval process has been established with risk classification criteria (Recommended and Regulated levels)
- Security review has been conducted for all active Graph connectors (Recommended and Regulated levels)
- Data flow assessment has been completed for each active connector and plugin, documenting what data enters and leaves M365 (Recommended and Regulated levels)
- Compliance sign-off has been obtained for plugins with write access to external systems (Regulated level)
- Third-party extension providers are included in the vendor risk inventory (Regulated level)
- Extensibility change management process is documented and being followed
- Extensibility governance documentation is maintained and accessible for regulatory examination (Regulated level)
Additional Resources
- Microsoft Learn: Microsoft Graph connectors overview
- Microsoft Learn: Copilot plugins overview
- Microsoft Learn: Declarative agents overview
- Microsoft Learn: Manage plugins for Copilot
- Microsoft Learn: SharePoint agents
- OCC Bulletin 2013-29: Third-Party Relationships
- Related Controls: 1.10 Vendor Risk Management, 1.1 Copilot Readiness Assessment, 1.4 Semantic Index Governance, 2.13 Plugin & Connector Security, 4.13 Extensibility Governance
- Playbooks: Playbook 1.13.1 (Graph Connector Inventory and Assessment), Playbook 1.13.2 (Plugin Risk Classification and Approval Workflow), Playbook 1.13.3 (Declarative Agent Governance Configuration), Playbook 1.13.4 (Extensibility Security Review Checklist)
FSI Copilot Governance Framework v1.2.1 - March 2026