Control 2.4: Information Barriers for Copilot (Chinese Wall)

Control ID: 2.4
Pillar: Security & Protection
Regulatory Reference: SEC Rule 10b-5, FINRA 5280, Chinese Wall Requirements
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Deploy Microsoft Purview Information Barriers (IB) to enforce regulatory Chinese Wall requirements within Microsoft 365 Copilot. Information barriers help prevent Copilot from surfacing content across organizational segments that must remain separated — such as investment banking and research, proprietary trading and client advisory, or merging entities during M&A transactions. This control is critical for firms subject to SEC and FINRA requirements regarding material non-public information (MNPI) and trading ahead of research.


Why This Matters for FSI

  • SEC Rule 10b-5 prohibits fraud and manipulation in connection with securities transactions — inadequate information barriers that allow Copilot to surface MNPI to public-side employees could facilitate insider trading violations
  • FINRA Rule 5280 prohibits trading ahead of research reports — information barriers must prevent Copilot from providing research department content to trading desk personnel
  • FINRA Rule 2241 (Equity Research) and Rule 2242 (Debt Research) require structural protections between research and investment banking — Copilot must respect these boundaries when generating content or answering queries
  • SEC Regulation AC requires analyst certifications and independence — Copilot must not blend investment banking content into research analyst workflows
  • Chinese Wall doctrine (recognized by SEC, FINRA, and courts) requires firms to establish, maintain, and enforce policies and procedures designed to prevent the misuse of MNPI — Copilot's cross-workload search capability makes this control essential
  • DOJ/SEC Enforcement Actions have targeted firms with inadequate information barriers — AI tools that bypass barriers represent a new enforcement risk vector

Control Description

Microsoft Purview Information Barriers restrict communication and collaboration between defined user segments within M365. When applied to Copilot workloads, information barriers:

  1. Prevent Microsoft 365 Copilot Chat from searching across barrier-separated segments
  2. Block Copilot from referencing files owned by barrier-separated users
  3. Restrict Teams Copilot from summarizing conversations that span barrier boundaries
  4. Prevent SharePoint agent access to sites owned by barrier-separated segments

FSI Information Barrier Segments

| Segment | Description | Wall Type | Separated From |
|---|---|---|---|
| Investment Banking | M&A advisory, capital markets, underwriting | Permanent | Research, Trading |
| Equity Research | Equity analyst coverage | Permanent | Investment Banking, Trading |
| Debt/Fixed Income Research | Fixed income analyst coverage | Permanent | Investment Banking |
| Proprietary Trading | Firm proprietary trading desks | Permanent | Research, Investment Banking |
| Client Advisory | Wealth management, financial advisory | Situational | Investment Banking (deal-specific) |
| Compliance/Legal | Regulatory, legal, compliance | Supervisory | None (supervisory override) |
| Retail Banking | Consumer banking operations | Permanent | Investment Banking |
| M&A Deal Teams | Transaction-specific teams | Temporary | All non-deal personnel |

Barrier Types and Copilot Impact

| Barrier Type | Duration | Copilot Impact | Example |
|---|---|---|---|
| Permanent | Ongoing | Copilot Chat cannot search across segments; Copilot cannot reference cross-segment files | Research vs. Investment Banking |
| Temporary (Deal-Specific) | Duration of transaction | Additional barrier restricting deal team content from non-deal personnel | M&A target information |
| Situational | Activated/deactivated as needed | Client advisory restricted from specific IB deal information | Wealth client also an M&A target |
| Supervisory | Ongoing with override | Compliance can access all segments for supervisory purposes | Compliance monitoring |

Microsoft 365 Copilot Chat Cross-Workload Search Implications

Microsoft 365 Copilot Chat performs a cross-workload search when answering user queries. Without information barriers, a single Copilot Chat prompt could retrieve:

Copilot Chat Query: "What's the latest on Acme Corp?"
         │
    ┌────┴─────────────────────────────────────┐
    │            Without Barriers              │
    ├──────────────────────────────────────────┤
    │ SharePoint: M&A deal room documents (IB) │
    │ Exchange: Research analyst emails        │
    │ Teams: Trading desk conversations        │
    │ OneDrive: Client advisory presentations  │
    └──────────────────────────────────────────┘
                    ⚠ VIOLATION

    ┌──────────────────────────────────────────┐
    │            With Barriers                 │
    ├──────────────────────────────────────────┤
    │ Only content from user's own segment     │
    │ + content from non-restricted segments   │
    └──────────────────────────────────────────┘
                    ✓ COMPLIANT

Information Barrier Policy Architecture

Segment Definition (Entra ID attributes)
              │
    IB Policy (Block/Allow rules)
              │
    ┌─────────┴──────────┐
    │                    │
  M365 Workloads    Copilot Service
    │                    │
    ├─ Teams Chat        ├─ Copilot Chat Search
    ├─ SharePoint        ├─ File Grounding
    ├─ OneDrive          ├─ Meeting Summary
    └─ Exchange          └─ Email Drafting

Copilot Surface Coverage

| M365 Application | IB Enforced | Cross-Segment Search Blocked | Notes |
|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Critical — searches all workloads |
| Word | Yes | Yes | Copilot cannot reference cross-segment files |
| Excel | Yes | Yes | Data analysis limited to own segment |
| PowerPoint | Yes | Yes | Presentation generation limited |
| Outlook | Yes | Yes | Email summarization respects barriers |
| Teams Copilot (meeting summaries, chat) | Yes | Yes | Standard Teams IB applies to meeting summaries and chat Copilot |
| Channel Agent in Teams | No | No | Documented limitation: Information Barriers are not supported for Channel Agent. Channel Agent may return content that crosses IB boundaries. See compensating controls below. |
| OneNote | Yes | Yes | Note summarization limited |
| Loop | Yes | Yes | Collaborative content restricted |
| Copilot Pages | Yes | Yes | Pages cannot combine cross-segment content |
| SharePoint (Agents) | Yes | Yes | SharePoint agents scoped to segment-accessible sites |

Channel Agent IB Limitation and Compensating Controls

Channel Agent in Teams does not support Information Barriers. This is a documented platform limitation: unlike standard Copilot Chat and Teams Copilot features, Channel Agent is not subject to IB policy enforcement and may return content that crosses information barrier boundaries.

FSI regulatory impact: Per SEC Rule 10b-5 and FINRA Rules 5280, 2241, and 2242, firms must maintain Chinese Wall procedures that prevent the misuse of material non-public information (MNPI). A Channel Agent deployed in a Teams channel that includes members from barrier-separated segments (e.g., Investment Banking and Research) could surface MNPI across the barrier without policy enforcement. This limitation must be documented in the firm's supervisory procedures and information barrier policies.

Required compensating controls:

  1. Restrict Channel Agent deployment to homogeneous segments. Do not deploy Channel Agent in any Teams channel where members from IB-separated segments are present. Before deploying a Channel Agent, audit the channel's membership to confirm all members belong to a single IB segment or are in non-restricted segments.

  2. Apply sensitivity labels to IB-affected channel content. Sensitivity labels with DLP policies can prevent Channel Agent from processing or surfacing labeled content. Label content in channels where IB-separated users are present with appropriate sensitivity labels and configure DLP policies to block Copilot from referencing labeled content.

  3. Monitor Channel Agent activity via DSPM for AI. Configure DSPM for AI monitoring on Channel Agent interactions in channels adjacent to IB segments. Anomalous cross-segment content surfacing via Channel Agent should generate alerts for compliance review.

  4. Document in supervisory procedures. The Channel Agent IB limitation and the firm's compensating controls must be documented in supervisory procedures, information barrier policies, and (for Regulated level) in the regulatory examination package.
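
The membership audit in compensating control 1 can be scripted. The following is an added example, not part of the original control text or any Microsoft tooling: the function name, variables, users and channels are hypothetical and the data is constructed. It assumes that a member with no segment assignment should block deployment until reviewed.

```powershell
# Constructed sample data. In a tenant, fill $segmentOf from each user's IB
# segment assignment and $blocked from the SegmentsBlocked list of each policy.
$segmentOf = @{
  'alice@contoso.example' = 'InvestmentBanking'
  'bob@contoso.example'   = 'EquityResearch'
  'carol@contoso.example' = 'InvestmentBanking'
  'dave@contoso.example'  = 'Compliance'
}
$blocked = @{
  'InvestmentBanking' = @('EquityResearch', 'DebtResearch', 'Trading')
  'EquityResearch'    = @('InvestmentBanking', 'Trading')
}
$channels = @(
  [pscustomobject]@{ Team = 'Deal Desk'; Channel = 'General'
    Members = @('alice@contoso.example', 'carol@contoso.example', 'dave@contoso.example') }
  [pscustomobject]@{ Team = 'Sector Coverage'; Channel = 'Energy'
    Members = @('alice@contoso.example', 'bob@contoso.example', 'erin@contoso.example') }
)

# Hypothetical helper: decides whether a Channel Agent may be deployed in a channel
function Test-ChannelAgentEligibility {
  param($Channel, [hashtable]$SegmentOf, [hashtable]$Blocked)
  # Members with no segment cannot be shown to be on the right side of the wall
  $unassigned = @($Channel.Members | Where-Object { -not $SegmentOf.ContainsKey($_) })
  $segments = @($Channel.Members | Where-Object { $SegmentOf.ContainsKey($_) } |
    ForEach-Object { $SegmentOf[$_] } | Sort-Object -Unique)
  $conflicts = foreach ($a in $segments) {
    foreach ($b in $segments) {
      # A block in either direction is a conflict; -lt reports each pair once
      if ($a -lt $b -and (($Blocked[$a] -contains $b) -or ($Blocked[$b] -contains $a))) {
        "$a <-> $b"
      }
    }
  }
  [pscustomobject]@{
    Team         = $Channel.Team
    Channel      = $Channel.Channel
    Segments     = $segments -join ', '
    Conflicts    = @($conflicts) -join '; '
    Unassigned   = $unassigned -join ', '
    AgentAllowed = (-not $conflicts) -and ($unassigned.Count -eq 0)
  }
}

$channels | ForEach-Object { Test-ChannelAgentEligibility $_ $segmentOf $blocked } | Format-List
```

Members of segments with no block relationship, such as Compliance in the sample, do not count as a conflict, which matches the "non-restricted segments" allowance in control 1.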


Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Define organizational segments based on department attribute; create block policies between Investment Banking and Research; enable information barriers for Teams, SharePoint, and OneDrive; verify Copilot Chat respects barriers; disable Channel Agent in Teams channels where IB-separated users are members | Minimum Chinese Wall implementation — addresses the most critical regulatory separation requirements including the Channel Agent IB limitation |
| Recommended | Add Trading segment separation; implement temporary deal-specific barriers; enable barriers for all M365 workloads; quarterly barrier validation testing; compliance review of barrier configurations; integrate barrier events with audit logging; deploy Channel Agent only in homogeneous-segment channels with documented segment membership audits; apply sensitivity labels to IB-adjacent channel content as compensating control | Comprehensive barrier strategy suitable for multi-service financial firms with investment banking, research, and trading operations, with Channel Agent compensating controls in place |
| Regulated | All segments defined and enforced; automated barrier provisioning for new deals; real-time monitoring of barrier breach attempts; annual barrier effectiveness audit by compliance; supervisory access documented and reviewed quarterly; barrier configurations included in regulatory examination packages; Channel Agent IB limitation documented in supervisory procedures (per SEC Rule 10b-5 and FINRA Rules 5280, 2241, 2242); DSPM for AI monitoring configured for all Channel Agent deployments; Channel Agent prohibited in any channel with mixed IB-segment membership | Full Chinese Wall implementation for large, diversified financial institutions subject to frequent SEC/FINRA examinations. The Channel Agent limitation and compensating controls must appear in the examination package. |

Setup & Configuration

Step 1: Define User Segments

Portal: Microsoft Purview > Information barriers > Segments

  1. Create segments based on Entra ID user attributes (typically Department or custom attributes)
  2. Ensure all Copilot-licensed users are assigned to exactly one segment
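  3. Verify segment membership accuracy with business stakeholders

# Connect to Security & Compliance PowerShell
# (Connect-IPPSSession ships in the ExchangeOnlineManagement module)
Connect-IPPSSession

# Create segment definitions
New-OrganizationSegment -Name "InvestmentBanking" `
  -UserGroupFilter "Department -eq 'Investment Banking'"

New-OrganizationSegment -Name "EquityResearch" `
  -UserGroupFilter "Department -eq 'Equity Research'"

New-OrganizationSegment -Name "Trading" `
  -UserGroupFilter "Department -eq 'Proprietary Trading'"

# DebtResearch is referenced by the Step 2 policies, so it must exist first.
# The Department value here is an assumption; use the value in your directory.
New-OrganizationSegment -Name "DebtResearch" `
  -UserGroupFilter "Department -eq 'Debt Research'"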

Step 2: Create Information Barrier Policies

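# A segment can have only one policy assigned, and a block policy applies in
# one direction only. Each segment therefore gets a single policy listing every
# segment it is blocked from, and each block is mirrored from the other side.

# Investment Banking: blocked from Research and Trading
New-InformationBarrierPolicy -Name "IB-Research-Trading-Block" `
  -AssignedSegment "InvestmentBanking" `
  -SegmentsBlocked "EquityResearch","DebtResearch","Trading" `
  -State Active

# Trading: blocked from Research and Investment Banking
New-InformationBarrierPolicy -Name "Trading-Research-IB-Block" `
  -AssignedSegment "Trading" `
  -SegmentsBlocked "EquityResearch","DebtResearch","InvestmentBanking" `
  -State Active

# Equity Research: mirror of the two policies above
New-InformationBarrierPolicy -Name "EquityResearch-IB-Trading-Block" `
  -AssignedSegment "EquityResearch" `
  -SegmentsBlocked "InvestmentBanking","Trading" `
  -State Active

# Debt Research: mirror of the two policies above
New-InformationBarrierPolicy -Name "DebtResearch-IB-Trading-Block" `
  -AssignedSegment "DebtResearch" `
  -SegmentsBlocked "InvestmentBanking","Trading" `
  -State Active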
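
A policy set can be checked for structural gaps before it is applied in Step 3. The following is an added example, not part of the original control or Microsoft's tooling: the function name is hypothetical, and the sample objects are constructed with deliberate gaps, using fields that mirror the Step 2 parameters. It relies on two properties of information barrier policies: a segment holds one policy, and a block is one-directional.

```powershell
# Constructed sample: fields mirror the Step 2 parameters; the gaps are deliberate.
$segments = 'InvestmentBanking', 'EquityResearch', 'DebtResearch', 'Trading'
$policies = @(
  [pscustomobject]@{ Name = 'IB-Block'; AssignedSegment = 'InvestmentBanking'
    SegmentsBlocked = @('EquityResearch', 'DebtResearch', 'Trading') }
  [pscustomobject]@{ Name = 'Trading-Block'; AssignedSegment = 'Trading'
    SegmentsBlocked = @('EquityResearch', 'InvestmentBanking') }
  [pscustomobject]@{ Name = 'Trading-Block2'; AssignedSegment = 'Trading'
    SegmentsBlocked = @('DebtResearch') }
  [pscustomobject]@{ Name = 'Research-Block'; AssignedSegment = 'EquityResearch'
    SegmentsBlocked = @('InvestmentBanking') }
)

# Hypothetical helper: emits one finding object per structural problem
function Get-BarrierPolicyFinding {
  param([object[]]$Policies, [string[]]$Segments)

  # Directed block edges, written "from>to", across all policies
  $edges = foreach ($p in $Policies) {
    foreach ($t in $p.SegmentsBlocked) { "$($p.AssignedSegment)>$t" }
  }

  # 1. More than one policy assigned to the same segment
  $Policies | Group-Object AssignedSegment | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{ Issue = 'MultiplePolicies'
      Detail = "$($_.Name): $($_.Group.Name -join ', ')" }
  }

  # 2. Policy refers to a segment that has not been defined
  foreach ($p in $Policies) {
    foreach ($s in @($p.AssignedSegment) + $p.SegmentsBlocked) {
      if ($Segments -notcontains $s) {
        [pscustomobject]@{ Issue = 'UnknownSegment'; Detail = "$($p.Name): $s" }
      }
    }
  }

  # 3. Block that is not mirrored from the other side
  foreach ($e in ($edges | Sort-Object -Unique)) {
    $from, $to = $e -split '>'
    if ($edges -notcontains "$to>$from") {
      [pscustomobject]@{ Issue = 'OneWayBlock'
        Detail = "$from blocks $to, but $to does not block $from" }
    }
  }
}

Get-BarrierPolicyFinding -Policies $policies -Segments $segments | Format-Table -AutoSize -Wrap
```

An empty result means the set is structurally consistent; it does not show that the segments match the firm's actual wall design, which still needs the compliance review described under Governance Levels.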

Step 3: Apply Barrier Policies

# Start policy application (this processes all policies)
Start-InformationBarrierPoliciesApplication

# Check application status
Get-InformationBarrierPoliciesApplicationStatus

Step 4: Enable Information Barriers for SharePoint and OneDrive

Portal: SharePoint Admin Center > Settings > Information barriers

  1. Enable information barriers for SharePoint
  2. Enable information barriers for OneDrive
  3. Apply IB mode to sites: "Owner Moderated" or "Implicit" based on firm requirements

Step 5: Verify Copilot Barrier Enforcement

  1. Sign in as an Investment Banking user
  2. Open Copilot Chat and query for content that should be restricted (e.g., research reports)
  3. Verify that Copilot does not return results from barrier-separated segments
  4. Repeat for other segment combinations

Step 6: Configure Deal-Specific Temporary Barriers

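# Create temporary deal team segment
New-OrganizationSegment -Name "ProjectAlpha-DealTeam" `
  -UserGroupFilter "CustomAttribute1 -eq 'ProjectAlpha'"

# Create barrier blocking non-deal personnel.
# The ClientAdvisory and RetailBanking segments must already exist, and their
# own policies need ProjectAlpha-DealTeam added to SegmentsBlocked so the
# block holds in both directions.
New-InformationBarrierPolicy -Name "ProjectAlpha-Barrier" `
  -AssignedSegment "ProjectAlpha-DealTeam" `
  -SegmentsBlocked "ClientAdvisory","RetailBanking" `
  -State Active

# New or changed policies take effect only after application is run again
Start-InformationBarrierPoliciesApplication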

Financial Sector Considerations

  • Broker-Dealer Operations: The Chinese Wall between investment banking and research is the most examined information barrier in securities regulation. Copilot must not allow research analysts to access investment banking deal content or vice versa. Examiners will specifically test whether AI tools respect these boundaries.
  • Multi-Service Financial Institutions: Firms operating across banking, insurance, and securities face the most complex barrier requirements. Each line of business may require separation from multiple other segments, creating a matrix of barrier policies.
  • Deal-Specific Barriers: M&A transactions require temporary barriers that restrict deal information to authorized deal team members. These barriers must be provisioned rapidly (within hours of deal engagement) and decommissioned cleanly after transaction close. Copilot must respect these temporary barriers immediately upon activation.
  • Supervisory Access: Compliance and legal functions typically need supervisory access across all segments for monitoring purposes. Information barriers support this through allow policies that permit one-way or bidirectional access for supervisory segments. Document the business justification for all supervisory access exceptions.
  • Wall-Crossing Procedures: When employees are temporarily "brought over the wall" for a transaction, their information barrier segment assignment must be updated and Copilot access adjusted accordingly. Establish a documented wall-crossing procedure that includes Copilot access considerations.
  • Private-Side vs. Public-Side: Financial firms distinguish between private-side (access to MNPI) and public-side (no MNPI access) roles. Information barriers should align precisely with the firm's private-side/public-side designation. Any misalignment creates regulatory risk.
  • Examination History: SEC and FINRA have brought enforcement actions against firms with inadequate information barriers. AI tools that access data across organizational boundaries represent a heightened enforcement risk. Maintain detailed evidence of barrier effectiveness testing.

Verification Criteria

  1. Segment Assignment: Verify that all Copilot-licensed users are assigned to appropriate organizational segments with no gaps or misassignments
  2. Policy Application Status: Confirm all information barrier policies show "Active" and "Applied" status
  3. Copilot Chat Barrier Enforcement: As an Investment Banking user, query Copilot Chat for research content — confirm no cross-segment results are returned
  4. File Grounding Restriction: Attempt to reference a Research segment file in Copilot while signed in as an Investment Banking user — confirm Copilot cannot access the file
  5. Teams Copilot Barrier Enforcement: Verify that Teams Copilot meeting summaries do not include content from barrier-separated participants
  6. Channel Agent IB Gap Documentation: Confirm that Channel Agent deployments are documented with IB segment membership audits for each channel; confirm no Channel Agents are deployed in channels with mixed IB-segment membership; confirm the Channel Agent IB limitation is documented in supervisory procedures
  7. Channel Agent Compensating Controls: Verify that sensitivity labels are applied to content in channels where Channel Agent is deployed adjacent to IB segments; confirm DSPM for AI monitoring is configured for Channel Agent activity
  8. SharePoint IB Mode: Confirm SharePoint sites have appropriate IB modes applied and that Copilot in SharePoint respects barrier boundaries
  9. Temporary Barrier Activation: Create a test temporary barrier and verify Copilot enforcement within 1 hour of policy application
  10. Supervisory Access: Verify that Compliance segment users can access content across barriers as designed, and that access is logged
  11. Barrier Event Audit Logs: Confirm that information barrier policy match events appear in the Unified Audit Log
  12. Periodic Validation: Confirm quarterly barrier validation testing is scheduled, documented, and reviewed by compliance

Additional Resources