Control 1.13: Extensibility Readiness (Graph Connectors, Plugins, Declarative Agents)
Control ID: 1.13 Pillar: Readiness & Assessment Regulatory Reference: GLBA §501(b), FFIEC IT Handbook (Information Security Booklet), OCC Bulletin 2023-17 (Third-Party Relationships), Interagency AI Guidance (2023) Last Verified: 2026-05-25 Governance Levels: Baseline / Recommended / Regulated
Scope boundary: FSI-CopilotGov vs FSI-AgentGov
This control governs the Microsoft 365 Copilot surface only — tenant-level configuration, data-source posture, audit/eDiscovery, and admin-managed extensibility. Governance of the agents themselves (Copilot Studio agents, declarative agents, Agent Builder, custom pro-code agents) — including agent registration, risk tiering, environment zoning, model-card review, and lifecycle promotion — lives in the companion FSI-AgentGov framework. See Relationship to FSI-AgentGov for the full boundary map.
Objective
Conduct a pre-deployment assessment for Microsoft 365 Copilot extensibility features -- including Microsoft Graph connectors, Copilot plugins (actions), and declarative agents (including SharePoint declarative agents) -- to evaluate the security, data flow, governance, and compliance implications of extending Copilot's capabilities beyond native M365 functionality. Extensibility features introduce external data sources and third-party code into Copilot's processing pipeline, creating additional risk vectors that must be assessed before deployment in regulated financial services environments.
Why This Matters for FSI
- GLBA §501(b): Extensibility features that bring external data into Copilot's grounding scope or that allow Copilot to take actions in external systems expand the data protection surface area. Safeguards must extend to cover data flows through connectors, plugins, and agents.
- FFIEC IT Handbook (Information Security): Security assessment of new technology components is a core expectation. Each extensibility feature represents a new component in the Copilot architecture that requires security evaluation, including authentication, authorization, data encryption, and input validation.
- OCC Bulletin 2023-17: Third-party plugins and connectors may be developed by vendors outside Microsoft. These relationships create third-party risk that must be managed per OCC expectations.
- Interagency AI Guidance (2023): AI systems that interact with external data sources and take actions based on AI processing require heightened risk assessment, including evaluation of data quality, bias, and operational risk.
- Sarbanes-Oxley §§302/404 (where applicable to ICFR): If extensibility features enable Copilot to interact with financial systems or reporting data through connectors or plugins, the internal control implications must be assessed.
Control Description
Terminology Update (2025)
Microsoft renamed "plugins" to "actions" in 2025. This control uses both terms: "actions" reflects the current product terminology, while "plugins" appears in some admin center UI and documentation references that have not yet been updated.
Copilot Extensibility Architecture
Microsoft 365 Copilot supports three primary extensibility mechanisms:
| Extension Type | Description | Data Flow | Risk Profile |
|---|---|---|---|
| Microsoft Graph Connectors | Ingest external data into Microsoft Graph, making it searchable by Copilot | External system -> Graph connector -> Microsoft Graph -> Copilot | Medium-High: External data enters M365 search and Copilot grounding scope |
| Copilot Plugins (Actions) | Allow Copilot to invoke external APIs to retrieve data or perform actions | Copilot -> Plugin -> External API -> Response back to Copilot | High: Copilot interacts with external systems, potential for data exfiltration or unauthorized actions |
| Declarative Agents | Custom Copilot experiences scoped to specific data sources and instructions | User -> Declarative Agent -> Copilot + scoped data sources | Medium: Custom Copilot experience with potentially expanded or restricted scope |
| SharePoint Declarative Agents | Declarative agents automatically created from SharePoint sites | User -> SharePoint agent -> Copilot + SharePoint site content | Low-Medium: Scoped to specific SharePoint content with site-level permissions |
Graph Connector Assessment
Graph connectors bring external data into the Microsoft 365 search and Copilot grounding scope:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Data inventory | What external data sources are connected or planned for connection via Graph connectors? | Each connector expands Copilot's grounding scope with external data |
| Data classification | What is the sensitivity classification of data flowing through each connector? | External data may include regulated data (customer records, financial data, PII) |
| Access control | How are permissions applied to connector-ingested content? Does it use ACLs from the source system? | Permission model mismatches can create oversharing of external data |
| Data freshness | How frequently is connector data refreshed? What is the latency? | Stale connector data can lead to inaccurate Copilot responses |
| Data quality | What quality controls exist for data ingested through connectors? | Low-quality external data degrades Copilot response quality |
| Connector source | Is the connector Microsoft-built, third-party, or custom-developed? | Third-party and custom connectors require additional security review |
Graph Connector Inventory Template
| Connector | Source System | Data Type | Sensitivity | Permission Model | Refresh Frequency | Connector Provider | Approval Status |
|---|---|---|---|---|---|---|---|
| [Name] | [System] | [Type] | [Level] | [ACL/Group/None] | [Frequency] | [MS/3rd Party/Custom] | [Status] |
Plugin Assessment
Copilot plugins enable external API interactions:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Plugin inventory | What plugins are available, requested, or planned? | Each plugin extends Copilot's capability to interact with external systems |
| Authentication | How does the plugin authenticate to external systems? What credentials are used? | Credential management and authentication security are critical |
| Authorization | What actions can the plugin perform? Read-only or read-write? | Write actions create risk of unauthorized changes in external systems |
| Data flow | What data flows from Copilot to the plugin? What data returns? | Data leaving M365 through plugins may include sensitive information |
| Input validation | Does the plugin validate inputs to prevent injection attacks? | Prompt injection could trigger unintended plugin actions |
| Audit logging | Are plugin invocations logged for audit and compliance purposes? | Regulatory requirements for audit trails extend to AI-initiated actions |
| Plugin source | Is the plugin from Microsoft, a verified publisher, or custom-developed? | Source determines trust level and security review requirements |
Plugin Risk Classification
| Risk Level | Criteria | Approval Requirement |
|---|---|---|
| Low | Read-only access to non-sensitive external data; Microsoft-published plugin | IT admin approval |
| Medium | Read-only access to sensitive external data; verified publisher plugin | IT admin + security review |
| High | Write access to external systems; custom-developed plugin; access to financial systems | IT admin + security review + compliance approval |
| Critical | Write access to financial systems or regulated data; unverified publisher | Full security assessment + compliance review + CISO approval |
Declarative Agent Assessment
Declarative agents create custom Copilot experiences:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Agent inventory | What declarative agents exist or are planned? | Each agent creates a custom Copilot experience with specific scope |
| Scope definition | What data sources does each agent have access to? | Agent scope determines what content it can reference and generate |
| Instructions | What custom instructions are configured for the agent? | Instructions shape agent behavior and may create compliance implications |
| Target audience | Who can access and use each agent? | Agent access should be governed and limited to appropriate populations |
| SharePoint agents | Which SharePoint sites have auto-generated declarative agents? | SharePoint agents inherit site permissions but may make content more discoverable |
| Agent actions | Can the agent invoke plugins or take actions? | Agents with action capabilities inherit plugin risk considerations |
SharePoint Declarative Agent Considerations
SharePoint declarative agents are a specific category that merits focused attention:
| Aspect | Detail | Governance Action |
|---|---|---|
| Auto-creation | SharePoint sites can automatically generate declarative agents | Review which sites have agents enabled; disable where inappropriate |
| Permission inheritance | Agents inherit the SharePoint site's permission model | Sites with oversharing create agents with oversharing |
| Content scope | Agent is scoped to the specific SharePoint site content | Verify that site content is appropriate for AI-powered discovery |
| User access | Users who can access the site can use the agent | Ensure site permissions align with intended agent audience |
| Discoverability | Agents may be discoverable in the Copilot agent catalog | Control catalog visibility for agents on sensitive sites |
Extensibility Governance Framework
1. INVENTORY: Catalog all connectors, plugins, and agents
|
2. CLASSIFY: Assign risk classification per extension
|
3. ASSESS: Conduct security and compliance review per risk level
|
4. APPROVE: Obtain appropriate approvals per risk classification
|
5. DEPLOY: Deploy with configured governance controls
|
6. MONITOR: Ongoing monitoring of extension behavior and data flows
|
7. REVIEW: Periodic re-assessment of extension inventory and risk
Agent 365 Platform Assessment
Organizations should assess readiness for the Agent 365 platform as part of extensibility planning:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Admin access | Which administrators have access to Agent 365? Are roles appropriately scoped? | Overly broad administrative access to the centralized agent platform increases governance risk |
| Inventory baseline | Has the organization established a baseline inventory of agents across all sources (M365, Copilot Studio, third-party)? | Agent 365 consolidates visibility, but organizations should document the initial inventory before governance review begins |
| Telemetry readiness | Is the organization prepared to monitor agent usage analytics (sessions, active users, exception rates)? | Agent 365 telemetry signals support operational governance but require defined review cadences and escalation procedures |
| Policy alignment | Do existing agent governance policies cover the full scope of agents visible in Agent 365? | Policies written for M365-only agents may not address Copilot Studio or third-party agents now visible in the consolidated registry |
| Management rules | Has the organization defined Agent 365 management rules (auto-block unapproved publishers, ownership requirements, lifecycle policies)? | Management rules enforce governance at scale — without them, agent sprawl bypasses manual review processes |
| Security templates | Has the organization evaluated Agent 365 security templates for consistent policy application? | Security templates provide baseline agent configurations (allowed knowledge sources, action permissions, sharing scope) that support examination-ready evidence of standardized governance |
| Agent Map | Has the organization reviewed the Agent Map for cross-agent dependency and knowledge-source visibility? | Agent Map surfaces which agents share knowledge sources and which are orphaned — gaps here create blind spots in governance coverage |
| Ownerless agent remediation | Does the organization have a process for reassigning ownerless agents discovered in Agent 365? | Ownerless agents lack governance accountability; Agent 365 can surface these, but reassignment requires a defined workflow |
Frontier Agent Governance (Researcher and Analyst)
Microsoft's Researcher and Analyst capabilities are first-party experiences within the core M365 Copilot Chat surface. They use multi-step reasoning, autonomous web research, and data analysis workflows that differ from standard Copilot interactions. Because they are not Registry-managed agents, they require a distinct governance approach:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Access scoping | Which user populations have access to Researcher and Analyst? Is access limited to approved roles? | Researcher and Analyst provide capabilities (autonomous multi-step research, code execution) that may not be appropriate for all user populations |
| Supervisory alignment | Are Researcher and Analyst interactions captured in the same supervisory workflows as standard Copilot usage? | FINRA Rule 3110 supervisory systems and WSPs must cover all AI-assisted interactions; Researcher and Analyst must not create a supervisory blind spot |
| Data access scope | Does Researcher's web research capability introduce unvetted external data into regulated workflows? Does Analyst have access to data sets containing NPI or MNPI? | Researcher can pull external web content into Copilot responses; Analyst can process uploaded data — both expand the data surface beyond standard Copilot grounding |
| Exception handling | If the organization blocks Researcher or Analyst for general users, is there a documented exception process for approved business functions (e.g., equity research, compliance monitoring)? | Blanket blocking may impair legitimate business use; documented exceptions with business justification support examination readiness |
| Agent 365 mapping | Are Researcher and Analyst documented in the agent governance inventory even though they are not Registry-managed agents? | Agent 365 surfaces these as Copilot Chat capabilities, not installable agents — organizations should document them separately in their governance framework to avoid an inventory gap |
Entra Agent ID Readiness
Organizations should assess readiness for Entra Agent ID — the capability that assigns unique Entra identities to Copilot agents:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Identity governance | Does the existing identity governance framework accommodate non-human identities for agents? | Agent identities should be managed with the same rigor as service principals and managed identities |
| Conditional Access | Have Conditional Access policies been reviewed to account for agent identities? | Agents may be subject to or exempt from policies designed for human users — this should be an explicit decision |
| Audit integration | Are Entra sign-in and audit logs monitored for agent identity activity? | Agent identity events appear alongside human user events and require filtering and review procedures |
| Lifecycle management | Is there a process for provisioning, reviewing, and deprovisioning agent identities? | Orphaned agent identities create security risk similar to orphaned user or service accounts |
Third-Party Model Provider Readiness
Some agents and extensibility components may use third-party model providers (non-Microsoft LLM inference services). Organizations should assess readiness for this risk:
| Assessment Area | Key Questions | Risk Consideration |
|---|---|---|
| Data residency | Where does inference processing occur? Does the model provider's data processing location comply with organizational and regulatory data residency requirements? | Third-party inference may process data outside the M365 compliance boundary and outside approved geographic regions |
| Model governance | What model governance, versioning, and change control does the provider maintain? | Model updates by the provider may change behavior, introduce bias, or affect output quality without notice |
| Data handling | Does the model provider use customer data for training, fine-tuning, or improvement? | Data handling terms for third-party providers may differ from Microsoft's no-training commitment |
| Contractual coverage | Are third-party model providers covered under existing vendor risk management and third-party agreements? | OCC Bulletin 2023-17 expectations apply to AI model providers that process regulated data |
| Audit and logging | Does the third-party provider support audit logging and evidence production for regulatory examination? | Regulatory expectations for audit trails extend to all AI processing components, including external inference |
Copilot Surface Coverage
| Copilot Surface | Extensibility Relevance | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Primary surface where Graph connector data, plugins, and agents are invoked |
| SharePoint Copilot | High | SharePoint declarative agents create site-scoped Copilot experiences |
| Teams Copilot | High | Plugins and agents can be invoked from Teams conversations |
| Word / Excel / PowerPoint | Medium | Graph connector data may surface in document generation; some plugins may be available |
| Outlook Copilot | Medium | Plugins for CRM and other systems may integrate with Outlook Copilot |
| Copilot Pages | Medium | Pages may reference content from Graph connectors |
| Copilot Notebooks | Medium | notebooks may reference content from Graph connectors |
| Loop Copilot | Low | Limited extensibility surface |
| OneDrive Copilot | Low | Limited extensibility surface |
| Viva Copilot | Medium | Viva-specific connectors and plugins |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Inventory existing Graph connectors. Review Copilot plugin availability settings in M365 Admin Center. Assess whether SharePoint declarative agents are enabled and on which sites. Document extensibility posture. Disable extensibility features that have not been assessed. | Minimum awareness of extensibility landscape and proactive disabling of unassessed features to reduce risk. |
| Recommended | All Baseline requirements plus: implement plugin approval process with risk classification. Conduct security review for all active Graph connectors. Assess data flows for each connector and plugin. Configure SharePoint agent governance (enable/disable per site based on content sensitivity). Establish extensibility change management process. Monitor connector and plugin usage through admin reports. | Structured governance of Copilot extensibility with security review, approval workflows, and ongoing monitoring. |
| Regulated | All Recommended requirements plus: conduct full security assessment for all extensions including custom-developed connectors and plugins. Implement formal change control for extensibility deployments. Include extensibility in vendor risk management for third-party providers (see Control 1.10). Require compliance sign-off for plugins with write access to external systems. Maintain extensibility governance documentation in regulatory examination file. Conduct quarterly extensibility inventory review. Include extensibility risk in AI governance reporting. | Comprehensive extensibility governance with formal security assessment, compliance oversight, and examination readiness documentation. |
Setup & Configuration
Step 1: Review Extensibility Settings
Navigate to Microsoft 365 Admin Center > Settings > Copilot and review:
- Plugin availability settings (which plugins are enabled/disabled)
- Graph connector status (which connectors are active)
- Integrated apps settings (which apps can interact with Copilot)
Step 2: Inventory Graph Connectors
Navigate to Microsoft 365 Admin Center > Settings > Search & intelligence > Data sources to review:
- Active Graph connectors
- Connector source (Microsoft, third-party, custom)
- Data source connections
- Item count per connector
- Permission configuration per connector
Step 3: Configure Plugin Governance
In Microsoft 365 Admin Center > Copilot > Agents & connectors:
- Review available plugins
- Enable/disable plugins based on risk classification
- Configure user assignment (which users can access which plugins)
- Set approval requirements for new plugin requests
Step 4: Configure SharePoint Agent Governance
Navigate to SharePoint admin center > Settings and review:
- SharePoint declarative agent settings (tenant-level enable/disable)
- Per-site agent configuration
- Agent catalog visibility settings
For sites containing sensitive content: - Disable declarative agent creation - Or enable with enhanced monitoring
Step 5: Establish Approval and Change Management
Document and implement:
- Extension request and approval workflow
- Risk classification criteria and corresponding approval authorities
- Security review requirements per risk level
- Change management process for new extension deployments
- Periodic review cadence for extension inventory
Financial Sector Considerations
- CRM Connector Risk: Many financial institutions consider connecting CRM systems (Salesforce, Dynamics) to Copilot via Graph connectors. This brings client data directly into Copilot's grounding scope. Assess the implications of CRM data in Copilot responses, particularly for institutions subject to SEC Reg S-P and GLBA NPI protections.
- Trading System Integration: Plugins or connectors that interact with trading platforms, order management systems, or portfolio management tools introduce the risk that Copilot could initiate or influence trades. Implement strict controls around any extensibility that touches trading infrastructure.
- Regulatory Filing Systems: Connectors to regulatory filing systems (EDGAR, FINRA Gateway, regulatory reporting platforms) should be evaluated carefully. Copilot grounding on regulatory filing data could create disclosure risks.
- Third-Party Plugin Vendors: Plugins developed by third parties create vendor risk relationships that must be managed per OCC Bulletin 2023-17 and the institution's third-party risk framework. Include plugin vendors in the vendor risk inventory.
- Custom Development Security: Custom-developed Graph connectors and plugins must undergo the institution's software development security review process (SDLC security), including code review, vulnerability assessment, and penetration testing.
- Data Sovereignty for Connectors: Graph connectors may ingest data from systems hosted in different geographic locations. Verify that connector data flows comply with data sovereignty and data residency requirements.
- Information Barrier Interaction: Assess how Graph connector data and plugin responses interact with Microsoft Purview information barriers. External data brought into the Graph may not be segmented by information barrier policies.
- Agent Approval Workflows: Microsoft introduced request/approval workflows for agent deployment in the M365 Admin Center (August 2025). FSI organizations should configure these workflows to require formal approval before agents are deployed to production user populations. This supports examination readiness by creating an audit trail of agent deployment decisions.
- Power Platform Inventory (GA March 2026): The Power Platform Inventory now provides a unified view across agents, apps, flows, and environments. For organizations using the companion FSI-AgentGov framework for Copilot Studio governance, Power Platform Inventory serves as an operational governance surface for cross-platform agent discovery and management.
Verification Criteria
- Inventory of all active Graph connectors has been completed with data source, sensitivity classification, and permission model documented
- Plugin availability settings have been reviewed and non-assessed plugins disabled
- SharePoint declarative agent configuration has been reviewed and agents disabled on sites containing sensitive data (unless specifically approved)
- Plugin approval process has been established with risk classification criteria (Recommended and Regulated levels)
- Security review has been conducted for all active Graph connectors (Recommended and Regulated levels)
- Data flow assessment has been completed for each active connector and plugin, documenting what data enters and leaves M365 (Recommended and Regulated levels)
- Compliance sign-off has been obtained for plugins with write access to external systems (Regulated level)
- Third-party extension providers are included in the vendor risk inventory (Regulated level)
- Extensibility change management process is documented and being followed
- Extensibility governance documentation is maintained and accessible for regulatory examination (Regulated level)
Additional Resources
- Microsoft Learn: Microsoft Graph connectors overview
- Microsoft Learn: Copilot plugins overview
- Microsoft Learn: Declarative agents overview
- Microsoft Learn: Manage plugins for Copilot
- Microsoft Learn: Get ready for Copilot with SharePoint Advanced Management
- OCC Bulletin 2023-17: Third-Party Relationships
- Related Controls: 1.10 Vendor Risk Management, 1.1 Copilot Readiness Assessment, 1.4 Semantic Index Governance, 2.13 Plugin & Connector Security, 4.13 Extensibility Governance
- Playbooks: Portal Walkthrough, PowerShell Setup, Verification & Testing, Troubleshooting
FSI Copilot Governance Framework v1.4.0 - April 2026