Control 1.9: License Planning and Copilot Assignment Strategy
Control ID: 1.9
Pillar: Readiness & Assessment
Regulatory Reference: GLBA 501(b), FFIEC IT Handbook (IT Operations), SOX 302/404
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Develop a comprehensive license planning strategy for Microsoft 365 Copilot deployment that addresses Copilot license types, prerequisite license requirements, add-on licensing for governance tooling (Microsoft Purview, Microsoft Defender, SharePoint Advanced Management), phased rollout assignment strategies, and cost optimization. Proper license planning supports compliance by ensuring that governance controls can be activated for all Copilot users and that deployment is managed through a controlled, phased approach rather than uncontrolled proliferation.
Why This Matters for FSI
- GLBA 501(b): Governance tooling (Purview, Defender, SAM) required to implement GLBA safeguards for Copilot-processed data depends on specific license entitlements. Deploying Copilot without the prerequisite governance licenses creates a safeguard gap.
- FFIEC IT Handbook (IT Operations): Effective IT operations management includes capacity planning and resource allocation for new technology deployments. License planning is a critical component of Copilot deployment operations.
- SOX 302/404: Uncontrolled Copilot deployment (assigning licenses without governance readiness) could introduce AI-generated content into financial reporting workflows without appropriate controls. Phased assignment strategy supports controlled deployment.
- Cost Management: Financial institutions have fiduciary responsibilities that extend to technology spending. Copilot licensing represents significant per-user cost that must be justified against productivity and governance investment.
- Regulatory Expectations for AI Governance Tooling: Deploying AI capabilities without the corresponding governance tooling (audit logging, DLP, information protection) would not meet regulatory expectations for AI risk management.
Control Description
Microsoft 365 Copilot License Landscape
| License Type | Description | Commercial / Billing Model | Key Capabilities |
|---|---|---|---|
| Microsoft 365 Copilot | Full Copilot experience across M365 apps | Per-user add-on license | Copilot in Word, Excel, PPT, Outlook, Teams, Microsoft 365 Copilot Chat, Pages |
| Microsoft 365 Copilot (Frontline add-on) | Microsoft 365 Copilot as an add-on for F1/F3 users | Per-user add-on to F1/F3 base licenses | Copilot available for frontline workers on F1 or F3 base licenses; feature availability should be tested for specific FSI workflows before broad deployment |
| Microsoft Copilot (free) | Basic Copilot chat without M365 grounding | Included service | Web-grounded chat only; no M365 data access |
| Microsoft 365 Copilot Chat (pay-as-you-go) | Microsoft 365 Copilot Chat with Microsoft Graph grounding and metered access | Usage-based billing through a connected billing policy and Azure meter | Copilot Chat with Graph grounding for approved users or groups without assigning full Microsoft 365 Copilot seats |
Frontline SKU Availability
Microsoft 365 Copilot is available as an add-on for Frontline Worker licenses (F1 and F3), extending Copilot access to frontline banking and operations staff who may not have E3/E5 licenses.
FSI frontline use cases: Branch tellers using Copilot for customer inquiry assistance, operations center staff using Copilot for process documentation lookup, and compliance staff on frontline licenses accessing Copilot for policy reference. Per the SEC 2026 Division of Examinations Priorities (November 17, 2025), examiners are focused on AI use in internal processes and back-office operations — Frontline SKU deployment brings additional internal operations under AI governance scope.
Important note on feature availability: Do not assume feature parity between F1/F3 Copilot and E3/E5 Copilot; feature constraints for Frontline SKUs are not fully documented. Test feature availability for the specific FSI workflows in scope before broad deployment.
Governance considerations for Frontline Copilot: Frontline workers accessing Copilot are subject to the same information protection, DLP, and information barrier policies as E3/E5 users. Ensure governance controls (Purview, Defender) are appropriately scoped to cover Frontline-licensed users.
Pay-As-You-Go (PAYG) Copilot Chat
Microsoft 365 Copilot pay-as-you-go is now administered through billing policies. Administrators create a billing policy tied to an Azure subscription and a responsible set of users or groups, optionally add a budget and email notifications, and then connect that policy to supported services such as Microsoft 365 Copilot Chat. PAYG is disabled by default until a billing policy is connected to a service.
FSI applications for PAYG: Approved pilot programs, occasional users in lower-risk functions, seasonal or project-based access patterns, and bounded populations where the institution wants to observe usage before assigning full seats.
Governance considerations for PAYG:
- Use Billing > Pay-as-you-go services to define billing policies and connect them to approved services.
- Assign a cost-center owner to each billing policy and document the users or groups it covers.
- Configure a budget limit and email notifications for each active billing policy.
- Review costs in M365 Admin Center > Cost Management and Microsoft Cost Management.
- Review Settings > Org settings > Self-service trials and purchases separately, because self-service is managed per product, not through a single tenant-wide off switch.
- PAYG users remain subject to the same information barrier, DLP, and sensitivity label controls as seat-licensed users.
Prerequisite License Requirements
Microsoft 365 Copilot requires one of the following base licenses:
| Base License | Copilot Eligible | Key Governance Tools Included |
|---|---|---|
| Microsoft 365 E5 | Yes | Purview (full), Defender (full), eDiscovery (Premium), Audit (Premium) |
| Microsoft 365 E3 | Yes | Purview (basic), Defender (basic), eDiscovery (Standard), Audit (Standard) |
| Office 365 E3/E5 | Yes | Limited governance tools -- add-ons required |
| Microsoft 365 Business Premium | Yes | Basic governance tools |
| Microsoft 365 Business Standard | Yes | Minimal governance tools -- significant add-ons required |
| Microsoft 365 F1 | Yes (add-on) | Limited governance tools — Copilot add-on available for eligible frontline SKUs |
| Microsoft 365 F3 | Yes (add-on) | Limited governance tools — Copilot add-on available for eligible frontline SKUs |
Add-On License Requirements for Governance
| Add-On License | Purpose | Required For | When Needed |
|---|---|---|---|
| Microsoft Purview Compliance Manager | Compliance assessment and score | Control 1.1 Readiness Assessment | All governance levels |
| Microsoft Purview DSPM for AI | AI-specific data security posture | Control 1.2 Oversharing Detection | Recommended and Regulated |
| SharePoint Advanced Management | DAG reports, RCD, site access reviews | Controls 1.3, 1.7 | Recommended and Regulated |
| Microsoft 365 E5 Compliance | Advanced compliance features (if on E3) | DLP, eDiscovery Premium, Audit Premium, Communication Compliance | Regulated |
| Microsoft 365 E5 Security | Advanced security features (if on E3) | Defender for Office 365 P2, Defender for Cloud Apps | Recommended and Regulated |
| Microsoft Entra ID P2 | Conditional access, Identity Protection, access reviews | Pillar 2 Security Controls | Recommended and Regulated |
| Microsoft Defender for Cloud Apps | Shadow IT detection, session controls | Pillar 2 Security Controls | Recommended and Regulated |
| Microsoft Purview Audit (Premium) | Extended audit log retention, crucial events | Pillar 3 Audit Controls | Regulated |
| Microsoft Purview eDiscovery (Premium) | Advanced eDiscovery with AI capabilities | Pillar 3 Compliance Controls | Regulated |
Phased Rollout Assignment Strategy
Financial institutions should deploy Copilot in controlled phases rather than organization-wide simultaneously:
| Phase | Target Population | Duration | Purpose |
|---|---|---|---|
| Phase 0: Governance Foundation | IT administrators and compliance team only | 2-4 weeks | Configure and validate governance controls before any business user access |
| Phase 1: Pilot | 50-100 users from low-risk departments (e.g., IT, HR operations) | 4-6 weeks | Validate Copilot behavior, test governance controls, gather initial feedback |
| Phase 2: Early Adopters | 200-500 users from moderate-risk departments (e.g., operations, project management) | 4-8 weeks | Expand testing, refine governance based on Phase 1 findings |
| Phase 3: Broad Deployment | Remaining eligible users across the organization | Rolling | Full deployment with established governance, monitoring, and support |
| Phase 4: Regulated Functions | Compliance, trading, wealth management, investment banking | Ongoing assessment | Deploy only after information barriers, DLP, and supervision controls are fully validated |
Assignment Strategy Considerations
| Consideration | Recommendation | Rationale |
|---|---|---|
| Department-based assignment | Assign by department in phased waves | Allows governance controls to be validated per department's data sensitivity profile |
| Role-based assignment | Consider user role when prioritizing assignment | Executives, client-facing roles, and financial reporting roles have higher governance requirements |
| Geography-based assignment | Consider regulatory jurisdictions | Different jurisdictions may have distinct AI governance requirements |
| Governance readiness gating | Do not assign Copilot to users until their primary data stores pass readiness assessment | Prevents Copilot from accessing unvetted content |
| License reclamation | Implement 90-day usage review to reclaim unused licenses | Cost optimization -- reassign licenses from inactive users |
Cost Optimization Strategies
| Strategy | Approach | Potential Savings |
|---|---|---|
| Phased deployment | Deploy incrementally rather than purchasing all licenses upfront | Defer costs until governance readiness is confirmed |
| Usage-based reclamation | Monitor adoption metrics and reclaim licenses from non-active users after 90 days | 10-20% license cost reduction based on typical adoption curves |
| Role-based tiering | Assign full M365 Copilot to regular or high-dependency users; use PAYG Copilot Chat for approved occasional users; use the Frontline add-on for F1/F3 workers who need Copilot access | Provides flexibility for large populations with different usage patterns when backed by billing-policy governance |
| PAYG for pilots and seasonal access | Use PAYG for approved pilot or seasonal populations through billing policies, then review observed usage before converting frequent users to full seats | Reduces upfront commitment during pilots and supports right-sizing before wider rollout |
| Frontline SKU for branch staff | Extend Copilot to frontline workers (tellers, branch operations) at the F1/F3 base license tier with the $30 Copilot add-on rather than upgrading all frontline workers to E3 | Lower per-user cost for frontline populations; maintains governance coverage without full enterprise SKU upgrades |
| E3 + add-ons vs. E5 evaluation | Compare cost of E3 + individual compliance add-ons vs. E5 upgrade | May save costs for organizations that need only specific compliance features |
| Annual commitment negotiation | Negotiate multi-year agreements with Microsoft for volume discounts | Enterprise agreement savings |
Copilot Surface Coverage
License planning affects all Copilot surfaces uniformly, since the full Microsoft 365 Copilot license enables every surface; only Microsoft 365 Copilot Chat is also reachable without a full seat:
| Copilot Surface | License Required | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | M365 Copilot or Copilot Chat | Full M365 Copilot recommended for grounding quality |
| Word Copilot | M365 Copilot | Requires full Copilot license |
| Excel Copilot | M365 Copilot | Requires full Copilot license |
| PowerPoint Copilot | M365 Copilot | Requires full Copilot license |
| Outlook Copilot | M365 Copilot | Requires full Copilot license |
| Teams Copilot | M365 Copilot | Requires full Copilot license |
| SharePoint Copilot | M365 Copilot | Available on SharePoint sites |
| OneDrive Copilot | M365 Copilot | Requires full Copilot license |
| Copilot Pages | M365 Copilot | Requires full Copilot license |
| Loop Copilot | M365 Copilot | Requires full Copilot license |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Document Copilot license types and quantities needed, including Frontline (F1/F3) add-on and PAYG options. Identify prerequisite license requirements (E3/E5/F1/F3 base). Confirm governance add-on availability. Develop the initial rollout plan. Establish license assignment approval process. If PAYG is used, define the billing policy owner, covered users or groups, connected service, and budget notifications. Review self-service trials and purchases for Copilot-related products. | Minimum planning to ensure controlled deployment with basic governance tooling and explicit commercial controls in place. |
| Recommended | All Baseline requirements plus: complete governance add-on license analysis (Purview, SAM, Defender). Develop the full phased rollout plan with department prioritization including Frontline populations. Implement governance readiness gating for license assignment. Establish a 90-day usage review and reclamation process. Document the license strategy and cost model. For PAYG: use distinct billing policies by department or scenario, review Cost Management monthly, and reserve full seats for regular or higher-dependency users. | Comprehensive license planning that helps align governance tooling, adoption strategy, and cost management across E3/E5 and Frontline license tiers. |
| Regulated | All Recommended requirements plus: ensure E5 Compliance and E5 Security add-ons (or E5 base) for users in regulated functions as appropriate. Validate that all governance controls from Pillars 1-4 have required license dependencies met. Obtain compliance team sign-off on the license strategy. Document license governance in the regulatory examination file. Conduct annual license strategy review. Limit PAYG to documented lower-risk or bounded scenarios with monthly billing policy review and exception evidence. | Full governance tooling coverage for regulated deployments with examination-ready documentation and tighter oversight of metered access paths. |
Setup & Configuration
Step 1: Inventory Current Licenses
Navigate to Microsoft 365 Admin Center > Billing > Licenses and document:
- Current base license distribution (E3, E5, Business Premium)
- Current compliance and security add-on licenses
- Available license capacity for Copilot assignment
Step 2: Identify License Gaps
Compare current license inventory against requirements:
| Governance Control | Required License | Current Status | Gap |
|---|---|---|---|
| DSPM for AI | E5 Compliance or Purview add-on | [Current] | [Gap] |
| SharePoint Advanced Management | SAM add-on | [Current] | [Gap] |
| Advanced Audit | E5 Compliance or Audit Premium add-on | [Current] | [Gap] |
| eDiscovery Premium | E5 Compliance or eDiscovery add-on | [Current] | [Gap] |
| Defender for Cloud Apps | E5 Security or MDCA add-on | [Current] | [Gap] |
| Conditional Access (advanced) | Entra ID P2 | [Current] | [Gap] |
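The inventory in Step 1 and the gap table in Step 2 can be produced from the tenant rather than by hand. The following PowerShell script is an added example, not part of the framework or a Microsoft tool: it takes the subscribed-SKU list (from `Get-MgSubscribedSku` in the Microsoft Graph PowerShell SDK, or a constructed sample for an offline run), computes available seats per SKU, and reports, per governance control, whether the tenant holds an acceptable SKU and whether enough seats remain for the next rollout phase. The SKU part numbers in `$RequiredSkus` are assumptions based on commonly observed values and must be verified against your own `Get-MgSubscribedSku` output; the SharePoint Advanced Management entry is a placeholder.

```powershell
# Added example (not part of the framework): license inventory and gap analysis
# for Steps 1 and 2 of Control 1.9.
# Assumptions: Microsoft Graph PowerShell SDK installed; Organization.Read.All
# consented for a live run. SKU part numbers below are assumed and must be
# verified in the tenant; the SAM entry is an obvious placeholder.

# Acceptable SKUs per governance control, keyed by the control they unlock.
$RequiredSkus = [ordered]@{
    'Copilot seats (Microsoft 365 Copilot)'             = @('Microsoft_365_Copilot')
    'DSPM for AI / Audit Premium / eDiscovery Premium'  = @('SPE_E5', 'INFORMATION_PROTECTION_COMPLIANCE')
    'Defender for Cloud Apps'                           = @('SPE_E5', 'IDENTITY_THREAT_PROTECTION', 'ADALLOM_STANDALONE')
    'Conditional Access (advanced, Entra ID P2)'        = @('SPE_E5', 'AAD_PREMIUM_P2')
    'SharePoint Advanced Management'                    = @('SAM_SKU_PART_NUMBER_PLACEHOLDER')  # verify in tenant
}

function Get-CopilotLicenseGap {
    param(
        # Objects shaped like Get-MgSubscribedSku output:
        # SkuPartNumber, ConsumedUnits, PrepaidUnits.Enabled
        [Parameter(Mandatory)] [object[]] $Skus,
        # Size of the population in the next rollout phase (see the phase table)
        [Parameter(Mandatory)] [int] $PlannedUsers,
        [System.Collections.IDictionary] $Required = $RequiredSkus
    )
    # Index the tenant's SKUs by part number with remaining capacity.
    $bySku = @{}
    foreach ($s in $Skus) {
        $enabled  = [int]$s.PrepaidUnits.Enabled
        $consumed = [int]$s.ConsumedUnits
        $bySku[$s.SkuPartNumber] = [pscustomobject]@{
            Enabled = $enabled; Consumed = $consumed; Available = $enabled - $consumed
        }
    }
    foreach ($entry in $Required.GetEnumerator()) {
        $owned = @($entry.Value | Where-Object { $bySku.ContainsKey($_) })
        $available = ($owned | ForEach-Object { $bySku[$_].Available } | Measure-Object -Sum).Sum
        if (-not $available) { $available = 0 }
        # Gap verdict: no acceptable SKU at all, not enough seats, or OK.
        $gap = if ($owned.Count -eq 0)            { 'NOT LICENSED' }
               elseif ($available -lt $PlannedUsers) { "SHORT by $($PlannedUsers - $available)" }
               else                                  { 'OK' }
        [pscustomobject]@{
            Control        = $entry.Key
            AcceptableSkus = ($entry.Value -join ', ')
            OwnedSkus      = ($owned -join ', ')
            AvailableSeats = $available
            Gap            = $gap
        }
    }
}

# Constructed sample resembling Get-MgSubscribedSku output, so the script runs offline.
$SampleSkus = @(
    [pscustomobject]@{ SkuPartNumber = 'SPE_E3';                ConsumedUnits = 4800; PrepaidUnits = @{ Enabled = 5000 } },
    [pscustomobject]@{ SkuPartNumber = 'AAD_PREMIUM_P2';        ConsumedUnits = 300;  PrepaidUnits = @{ Enabled = 500 } },
    [pscustomobject]@{ SkuPartNumber = 'Microsoft_365_Copilot'; ConsumedUnits = 40;   PrepaidUnits = @{ Enabled = 100 } }
)
# Phase 2 (Early Adopters) plans 200-500 users; 300 is used here.
Get-CopilotLicenseGap -Skus $SampleSkus -PlannedUsers 300 | Format-Table -AutoSize

# Live tenant run (uncomment):
# Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome
# Get-CopilotLicenseGap -Skus (Get-MgSubscribedSku) -PlannedUsers 300 |
#     Export-Csv .\copilot-license-gap.csv -NoTypeInformation
```

With the constructed sample (an E3 tenant with Entra ID P2 and 100 Copilot seats), the report shows Copilot seats short by 240, Entra ID P2 short by 100, and the E5-only governance controls as not licensed, which is exactly the gap column the Step 2 table asks for. Keep the exported CSV as the evidence for the "license gap analysis has been completed" verification criterion.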
Step 3: Develop Rollout Plan
Create a phased rollout plan with specific:
- User populations per phase
- Target dates per phase
- Governance prerequisites per phase (which controls must be active)
- Success criteria for advancing to the next phase
Step 4: Configure License Assignment
Navigate to Microsoft 365 Admin Center > Users > Active users, or use PowerShell or group-based licensing:
- Create security groups for each deployment phase
- Assign Copilot licenses to groups (not individuals) for easier management
- Use group-based licensing in Entra ID for automated assignment
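The group-based pattern above can be set up and checked from PowerShell. The script below is an added example, not part of the framework or a Microsoft-provided script: it creates one security group per rollout phase, attaches the Microsoft 365 Copilot SKU to each group with `Set-MgGroupLicense` so that members inherit the seat, and then lists users whose inherited assignment is in an error state (typically because the prerequisite base license from the table above is missing). Group-based licensing needs a tenant entitlement that includes it (Microsoft Entra ID P1 or above). The group names and the SKU part number `Microsoft_365_Copilot` are this example's assumptions; verify the part number against your tenant.

```powershell
# Added example (not part of the framework): phase groups with group-based
# Copilot licensing and an assignment-error check for Step 4 of Control 1.9.
# Assumptions: Microsoft Graph PowerShell SDK; group-based licensing entitlement
# (Entra ID P1 or above); Copilot SKU part number 'Microsoft_365_Copilot'
# (verify in tenant); group names are this example's choice.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'User.Read.All' -NoWelcome

$copilotSku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'Microsoft_365_Copilot'
if (-not $copilotSku) { throw 'Microsoft 365 Copilot SKU not found in tenant; complete Step 2 first.' }

# One security group per phase in the rollout table; Phase 4 stays empty until
# information barriers, DLP and supervision controls are validated.
$phaseGroups = @(
    'LIC-Copilot-Phase0-GovernanceFoundation',
    'LIC-Copilot-Phase1-Pilot',
    'LIC-Copilot-Phase2-EarlyAdopters',
    'LIC-Copilot-Phase3-Broad',
    'LIC-Copilot-Phase4-Regulated'
)

foreach ($name in $phaseGroups) {
    # Reuse an existing group so the script is safe to re-run.
    $group = Get-MgGroup -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $group) {
        $group = New-MgGroup -DisplayName $name -MailEnabled:$false -SecurityEnabled:$true `
                    -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
                    -Description 'Copilot rollout phase group; seats are inherited from this group (Control 1.9).'
    }
    # Attach the Copilot SKU to the group: adding a member assigns the seat,
    # removing the member reclaims it (used later for the 90-day review).
    Set-MgGroupLicense -GroupId $group.Id `
        -AddLicenses @(@{ SkuId = $copilotSku.SkuId }) `
        -RemoveLicenses @() | Out-Null
    Write-Host "Copilot SKU attached to $name ($($group.Id))"
}

# Surface users whose group-inherited Copilot assignment did not become Active.
# licenseAssignmentStates carries per-SKU state and error text; a missing
# prerequisite base license is the usual cause. Scans all users, so on a large
# tenant run it after membership changes rather than interactively.
$copilotSkuId = $copilotSku.SkuId
$errorUsers = Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates |
    Where-Object {
        @($_.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $copilotSkuId -and $_.State -ne 'Active' }).Count -gt 0
    } |
    Select-Object UserPrincipalName,
        @{ n = 'State'; e = { ($_.LicenseAssignmentStates | Where-Object SkuId -eq $copilotSkuId).State } },
        @{ n = 'Error'; e = { ($_.LicenseAssignmentStates | Where-Object SkuId -eq $copilotSkuId).Error } }

$errorUsers | Format-Table -AutoSize
```

Populate a phase by adding members to its group only after that phase's governance prerequisites are active (the readiness gating row in the assignment table); users never receive a seat directly, so the group membership list doubles as the assignment record for examiners.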
Step 4b: Configure PAYG Billing and Self-Service Controls
If PAYG is in scope:
- Open Microsoft 365 Admin Center > Billing > Pay-as-you-go services.
- Create or review the billing policy tied to the correct Azure subscription.
- Add the approved users or groups to the billing policy and record the responsible cost owner.
- Add a budget limit and email notifications to the billing policy.
- Connect the billing policy to the approved service, such as Microsoft 365 Copilot Chat.
- Review Settings > Org settings > Self-service trials and purchases and document the per-product self-service status for Microsoft 365 Copilot and related products.
Step 5: Establish Monitoring and Reclamation
Configure usage monitoring:
- Microsoft 365 Admin Center > Reports > Usage for Copilot adoption metrics
- Viva Insights for detailed Copilot usage patterns
- Set a 90-day review cadence for license utilization
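The 90-day reclamation review described in Step 5 and in the assignment and cost tables can be scripted against the usage export. The following PowerShell is an added example, not part of the framework or a Microsoft tool: it classifies each licensed user as keep or reclaim, applying a grace period so that seats assigned less than 90 days ago are not reclaimed before the user has had a full review window, and optionally releases reclaimed seats by removing the user from the phase licensing group (with group-based licensing, that is what frees the seat). The CSV column names (`UserPrincipalName`, `AssignedDate`, `LastCopilotActivityDate`) and the group name are this example's assumptions; the admin-center export uses its own column names, which you map when loading it.

```powershell
# Added example (not part of the framework): 90-day Copilot license utilization
# review and optional reclamation for Step 5 of Control 1.9.
# Assumptions: usage data is a CSV with UserPrincipalName, AssignedDate and
# LastCopilotActivityDate columns (map the real export's columns to these);
# the phase group name is this example's choice; Graph SDK for the apply step.

function Get-CopilotReclamationCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $UsageRows,
        [int]      $ReviewDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$ReviewDays)
    foreach ($row in $UsageRows) {
        $assigned = [datetime]$row.AssignedDate
        $last = if ([string]::IsNullOrWhiteSpace($row.LastCopilotActivityDate)) { $null }
                else { [datetime]$row.LastCopilotActivityDate }
        # Grace period: a seat assigned inside the window has not had 90 days to be used.
        $decision = if ($assigned -gt $cutoff) { 'Keep (within grace period)' }
                    elseif ($null -eq $last)   { 'Reclaim (never used)' }
                    elseif ($last -lt $cutoff) { "Reclaim (inactive > $ReviewDays days)" }
                    else                       { 'Keep (active)' }
        [pscustomobject]@{
            UserPrincipalName = $row.UserPrincipalName
            AssignedDate      = $assigned.ToString('yyyy-MM-dd')
            LastActivity      = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
            Decision          = $decision
        }
    }
}

# Constructed sample export (offline run); AsOf is fixed so the result is reproducible.
$SampleUsage = @'
UserPrincipalName,AssignedDate,LastCopilotActivityDate
teller1@contoso.example,2025-10-01,2026-02-10
analyst2@contoso.example,2025-09-15,2025-10-20
newhire3@contoso.example,2026-01-20,
ops4@contoso.example,2025-08-01,
'@ | ConvertFrom-Csv

$review = Get-CopilotReclamationCandidates -UsageRows $SampleUsage -AsOf ([datetime]'2026-02-17')
$review | Format-Table -AutoSize
# Expected: teller1 Keep (active); analyst2 Reclaim (inactive); newhire3 Keep
# (grace period); ops4 Reclaim (never used).

# Optional enforcement: remove reclaim candidates from the phase licensing group
# so the inherited seat is released. Supports -WhatIf for a dry run; keep the
# review object as the 90-day review evidence.
function Invoke-CopilotLicenseReclamation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Review,
        [Parameter(Mandatory)] [string]   $GroupName
    )
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
    if (-not $group) { throw "Group $GroupName not found" }
    foreach ($r in ($Review | Where-Object Decision -like 'Reclaim*')) {
        $user = Get-MgUser -Filter "userPrincipalName eq '$($r.UserPrincipalName)'" | Select-Object -First 1
        if ($user -and $PSCmdlet.ShouldProcess($r.UserPrincipalName, "Remove from $GroupName")) {
            Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $user.Id
        }
    }
}
# Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome
# Invoke-CopilotLicenseReclamation -Review $review -GroupName 'LIC-Copilot-Phase1-Pilot' -WhatIf
```

Run the review on the 90-day cadence, export `$review` alongside the date it was produced, and only then run the reclamation with `-WhatIf` removed; the pair of files is the utilization monitoring evidence the Recommended and Regulated levels call for.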
Financial Sector Considerations
- Budget Justification: Financial institutions require detailed cost-benefit analysis for technology investments. Build the Copilot license business case around productivity gains weighed against license costs and governance investment. PAYG and Frontline options can broaden access, but only when billing-policy ownership and self-service controls are documented.
- Regulatory Function Licensing: Compliance, legal, and audit functions may need Copilot licenses for governance testing and monitoring even if they are not primary productivity users. Budget for governance team licenses separately from business user licenses.
- Governance Tooling as Non-Negotiable: For regulated financial institutions, governance add-on licenses (Purview, Defender, SAM) should be treated as mandatory prerequisites, not optional enhancements. Deploying Copilot without governance tooling creates regulatory risk. This applies equally to Frontline and PAYG users — the billing model does not change the governance obligation.
- Frontline AI Governance Scope: The SEC 2026 Division of Examinations Priorities (November 17, 2025) specifically focuses on AI in internal processes and back-office operations. Organizations deploying Copilot to frontline workers (branch tellers, operations center personnel) bring these users' AI interactions under the AI governance scope that examiners will scrutinize. Ensure information barriers, DLP policies, and audit logging cover Frontline-licensed Copilot users.
- PAYG Compliance Obligations: PAYG Copilot Chat users are subject to the same compliance obligations as per-seat users. Establish governance policies for PAYG before enabling access and review billing policy coverage regularly.
- Per-Entity License Management: Multi-entity financial organizations may need separate license strategies per entity based on distinct regulatory requirements and data sensitivity profiles. Separate billing policies can help align PAYG tracking to entity-level cost ownership and reporting.
- Vendor Contract Review: Copilot licensing terms, data processing commitments, and service level agreements should be reviewed by legal and procurement in alignment with Control 1.10 (Vendor Risk Management). PAYG introduces Azure-backed billing administration alongside Microsoft 365 licensing terms, so both commercial paths should be reviewed.
- Examination Readiness: Document the license strategy and governance tooling rationale in a format suitable for regulatory examination. Examiners may ask about the relationship between AI deployment and governance tool investment. Document the governance coverage for all Copilot billing models (per-seat, Frontline add-on, PAYG).
Verification Criteria
- Current license inventory has been documented including base licenses and compliance/security add-ons
- License gap analysis has been completed comparing current state to governance requirements per control
- Prerequisite base license requirements for Copilot are confirmed met for target user populations, including Frontline (F1/F3) user populations where applicable
- Governance add-on license requirements are identified and procurement plan is in place
- Phased rollout plan is documented with specific user populations, dates, and governance prerequisites per phase; Frontline user populations are explicitly included or excluded with documented rationale
- License assignment uses group-based licensing (security groups) rather than individual assignment
- Governance readiness gating criteria are defined for each phase (Recommended and Regulated levels)
- License usage monitoring is configured with 90-day review cadence (Recommended and Regulated levels)
- If PAYG Copilot Chat is in use: the billing policy is connected to the approved service, covered users or groups are documented, budget notifications are configured, and monthly cost review evidence is retained
- License strategy has been reviewed and approved by appropriate stakeholders (IT, finance, compliance)
- License governance documentation is maintained and accessible for regulatory examination (Regulated level), including coverage for Frontline and PAYG billing models
Additional Resources
- Microsoft Learn: Microsoft 365 Copilot requirements
- Microsoft Learn: Microsoft 365 Copilot licensing
- Microsoft Learn: Microsoft 365 Frontline Worker licensing
- Microsoft Learn: Microsoft 365 Copilot pay-as-you-go overview
- Microsoft Learn: Manage self-service purchases and trials (for admins)
- Microsoft Learn: Group-based licensing in Microsoft Entra ID
- Microsoft Learn: Microsoft 365 usage analytics
- Microsoft Learn: Microsoft Viva Insights Copilot Dashboard
- Related Controls: 1.1 Copilot Readiness Assessment, 1.10 Vendor Risk Management, 1.7 SharePoint Advanced Management, 4.8 Cost Allocation
- Playbooks: Playbook 1.9.1 (License Inventory and Gap Analysis), Playbook 1.9.2 (Phased Rollout Planning Template), Playbook 1.9.3 (Group-Based License Assignment), Playbook 1.9.4 (License Utilization Monitoring)
FSI Copilot Governance Framework v1.2.1 - March 2026