
Control 3.8a: Generative AI Model Governance for Microsoft 365 Copilot

Control ID: 3.8a
Pillar: Compliance & Audit
Regulatory Reference: SR 26-2 / OCC Bulletin 2026-13 (April 2026 interagency guidance — Copilot excluded as generative AI; this control applies SR 11-7 / OCC Bulletin 2011-12 principles synthesized with NIST AI RMF 1.0 and ISO/IEC 42001 as the most-recent applicable interim framework), NIST AI RMF 1.0, ISO/IEC 42001 (AI Management Systems), Federal Reserve SR 11-7 (interim principles), OCC Bulletin 2011-12 (interim principles)
Last Verified: 2026-05-25
Governance Levels: Baseline / Recommended / Regulated


Why this control exists. On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2 and OCC Bulletin 2026-13, Revised Guidance on Model Risk Management — which superseded SR 11-7 and OCC Bulletin 2011-12 but explicitly excluded generative and agentic AI pending further regulatory consideration. Microsoft 365 Copilot is a generative AI system, so the operative MRM expectations for Copilot remain undefined under the revised interagency framework. Control 3.8 continues to map Copilot to legacy SR 11-7 / OCC Bulletin 2011-12 principles. This Control 3.8a is the forward-looking, generative-AI-specific synthesis pre-committed in v1.5.1: it weaves SR 11-7 / OCC Bulletin 2011-12 principles together with NIST AI RMF 1.0 and ISO/IEC 42001 to provide a defensible interim governance framework for Copilot until the agencies issue genAI-specific guidance. Organizations should monitor agency communications and update their Copilot governance accordingly. Use 3.8 and 3.8a together — 3.8 anchors the institution's existing MRM lineage, and 3.8a operationalizes the genAI overlay.


Objective

Establish a defensible, multi-framework governance model for Microsoft 365 Copilot as a generative AI system, given that SR 26-2 / OCC Bulletin 2026-13 excluded generative and agentic AI from the revised interagency MRM guidance. This control synthesizes legacy SR 11-7 / OCC Bulletin 2011-12 principles (model inventory, validation scope, ongoing monitoring, governance documentation), NIST AI RMF 1.0 functions (Govern, Map, Measure, Manage and the trustworthy-AI characteristics of valid/reliable, safe, secure, accountable, explainable, privacy-enhanced, fair) and ISO/IEC 42001 AI Management System clauses (leadership, planning, support, operation, performance evaluation, improvement) into a single Copilot-specific control. The objective is to help meet supervisory expectations during the SR 26-2 transition period without overstating capabilities of a vendor-provided model. Organizations should verify that the depth of governance scales with their actual Copilot usage scope, institution size, and risk profile, and that Control 3.8 (legacy MRM alignment) and Control 3.8a (genAI overlay) are operated as a single integrated program rather than competing frameworks.

Why This Matters for FSI

Financial institutions face a governance gap in 2026: SR 11-7 / OCC Bulletin 2011-12 are formally superseded for traditional models, the replacement guidance excludes the AI systems most rapidly adopted across the enterprise, and supervisory expectations have not been redefined for generative AI. Examiners are nevertheless asking how institutions govern Microsoft 365 Copilot — at the OCC's Heightened Standards (12 CFR part 30, appendix D) tier, in CCAR/DFAST-relevant business units, and within insurance/wealth advisory subsidiaries.

Three realities shape how this gap should be filled:

  • Copilot is a vendor-provided model. Institutions cannot inspect the underlying model architecture, training data, or fine-tuning regime. Traditional SR 11-7 validation activities (independent re-derivation, sensitivity analysis on parameters, conceptual soundness review of the algorithm) are not available. Governance must therefore focus on usage controls, output monitoring, vendor due diligence, and bounded use cases.
  • No single framework is sufficient. SR 11-7 principles cover lifecycle governance well but predate LLMs. NIST AI RMF 1.0 is purpose-built for AI but is voluntary and not regulatory. ISO/IEC 42001 establishes a management-system spine but does not address financial supervisory expectations. Synthesizing all three helps meet a wider range of examiner questions and produces documentation that aids in demonstrating proportionate, risk-based governance.
  • Proportionality applies. OCC Bulletin 2025-26 community-bank proportionality guidance remains applicable when scoping the depth of MRM activities. A community bank using Copilot for internal productivity has materially different obligations than a large complex banking organization deploying Copilot in client-facing or lending workflows. This control supports compliance with the proportionality principle by tiering activities across Baseline / Recommended / Regulated.

The fair lending and consumer protection dimensions identified in Control 3.8 (ECOA, Fair Housing Act, UDAAP) continue to apply. This control does not replace those obligations; it adds the genAI-specific governance overlay that aids in identifying and managing risks unique to large language models — hallucination, prompt-injection susceptibility, drift across vendor model versions, and output bias that may not be visible in a single sample.

Control Description

Control 3.8a operates as a synthesis overlay on top of Control 3.8. Where 3.8 documents Copilot as a model in the legacy SR 11-7 sense, 3.8a documents how each of the three contributing frameworks is applied, the institution's mapping between them, and the artifacts produced.

Distinguishing Control 3.8 from Control 3.8a

| Dimension | Control 3.8 (legacy MRM alignment) | Control 3.8a (genAI synthesis — this control) |
|---|---|---|
| Anchoring framework | SR 11-7 / OCC Bulletin 2011-12 principles | SR 11-7 + NIST AI RMF 1.0 + ISO/IEC 42001 |
| Regulatory status | Operative interim per SR 26-2 exclusion | Forward-looking synthesis pre-committed in v1.5.1 |
| Primary artifact | Model inventory entry, validation scope, fair-lending monitoring | Cross-framework crosswalk, AI Management System minutes, Measure cadence |
| Examiner audience | OCC / Federal Reserve MRM examiners | OCC / Federal Reserve MRM examiners + AI/technology risk examiners + ISO/IEC 42001 auditors |
| Operational counterpart | Existing MRM governance committee | Sister Solution 20 — Generative AI Model Governance Monitor |

Both controls are required for Regulated-tier institutions; community banks may treat 3.8a Baseline as a lightweight overlay on 3.8 Baseline.

Three-Framework Synthesis

The synthesis is operationalized through a crosswalk that institutions maintain as a living document:

| SR 11-7 / OCC 2011-12 principle | NIST AI RMF 1.0 function | ISO/IEC 42001 clause | Copilot-specific evidence |
|---|---|---|---|
| Model inventory and tiering | Govern (Govern 1.x — policies, roles) | Clause 5 (Leadership), Clause 6 (Planning) | Copilot entry in model inventory, AI policy, accountable owner |
| Conceptual soundness (adapted to vendor) | Map (Map 1.x — context, Map 5.x — impacts) | Clause 6.1 (Risk and opportunity), Annex A controls | Use-case register, Microsoft model cards review, prohibited uses |
| Outcomes analysis / monitoring | Measure (Measure 2.x — trustworthy characteristics) | Clause 9 (Performance evaluation) | Output sampling results, hallucination metrics, bias indicators |
| Ongoing monitoring | Manage (Manage 1.x — risk response) | Clause 8 (Operation), Clause 10 (Improvement) | DSPM for AI dashboards, Insider Risk alerts, change log |
| Governance and documentation | Govern (Govern 4.x — accountability) | Clause 5.3 (Roles), Clause 7 (Support) | Committee minutes, training records, vendor attestations |

Organizations should verify that the crosswalk reflects their actual control inventory and is reviewed at least annually.

Vendor-Model Reality

Because Copilot is delivered by Microsoft as a managed service, several SR 11-7 activities are inherently bounded:

  • Conceptual soundness review is limited to Microsoft's published documentation (model cards, transparency notes, Responsible AI Standard, SOC reports). Institutions should record the documents reviewed, the date of review, and any open questions referred to Microsoft.
  • Independent validation focuses on usage controls and output quality rather than internal architecture. The validation function reviews whether the institution's controls operate as designed, not whether Microsoft's model is internally sound.
  • Benchmarking uses output comparison (Copilot vs. human, Copilot vs. alternative tool, Copilot vs. prior model version) for representative use cases rather than parameter-level analysis.
  • Change management depends on Microsoft's release cadence. Institutions should track Message Center entries, Copilot release notes, and Microsoft's model-version disclosures, and re-validate output quality after material model updates.

This bounded-validation approach is consistent with how vendor models have always been governed under SR 11-7; 3.8a formalizes it for the genAI context and aids in producing examination-ready documentation.

Copilot Surface Coverage

| Copilot Surface | NIST AI RMF Trustworthy Characteristic Focus | ISO/IEC 42001 Clause Focus | Risk Tier |
|---|---|---|---|
| Microsoft 365 Copilot Chat (work) | Valid/reliable, accountable, explainable | Clause 8 (Operation), Clause 9 (Evaluation) | Moderate |
| Word Copilot | Valid/reliable, fair (in customer-facing drafts) | Clause 8, Annex A operational controls | High |
| Excel Copilot | Valid/reliable, accountable | Clause 8, Clause 9 | High |
| Outlook Copilot | Fair, privacy-enhanced, accountable | Clause 8, Clause 9 | High |
| Teams Copilot (meetings, chat recap) | Valid/reliable, privacy-enhanced | Clause 8, Clause 7 (awareness) | Moderate |
| PowerPoint Copilot | Valid/reliable | Clause 8 | Moderate |
| Copilot Pages and Notebooks | Valid/reliable, accountable | Clause 8 | Low–Moderate |
| Researcher and Analyst agents | Valid/reliable, explainable, fair | Clause 8, Clause 9, Annex A | High |
| Copilot Studio agents (declarative) | Accountable, secure, fair | Clause 8, Annex A controls (full suite) | High |
| Third-party model providers (Anthropic as Microsoft subprocessor; xAI as independent provider) | Vendor due diligence overlay; explicit subprocessor and data-boundary review (Anthropic is out of EU Data Boundary scope; xAI processing occurs outside Microsoft-managed environments) | Clause 8 (operational), Clause 5 (leadership), Annex A vendor controls | High |

Coverage applies regardless of Copilot tier (Basic Chat or Premium); Premium adds agent surfaces that warrant elevated NIST AI RMF Manage activity.

Governance Levels

Baseline

Applies to all institutions with Copilot deployed, scaled per OCC Bulletin 2025-26 proportionality. The Baseline tier helps meet minimum supervisory expectations during the SR 26-2 transition period:

  • Register Microsoft 365 Copilot in the enterprise model inventory as a generative AI system, cross-referencing the Control 3.8 inventory entry to avoid duplicate records.
  • Maintain a vendor due diligence package on file, including: Microsoft Responsible AI Standard, applicable Microsoft model cards / transparency notes, Microsoft 365 Copilot data, privacy and security documentation, latest available SOC 2 Type II, and the Microsoft Data Protection Addendum.
  • Document the institution's Copilot-specific AI policy at a minimum NIST AI RMF Govern 1.1 level: scope, accountable owner, prohibited uses, escalation path.
  • Perform basic output sampling (recommended cadence: monthly, ~25 outputs across the highest-risk use cases) and record findings in a tracker.
  • Identify the named accountable owner for Copilot generative AI governance (often the Head of AI Governance or CTO delegate).
  • Confirm Copilot use cases are listed in the institution's AI use-case register with an initial NIST AI RMF Map (context and impact) statement for each.
  • Document the synthesis rationale: which framework drives which obligation, and where the institution is exercising proportionality (citing OCC Bulletin 2025-26 where applicable).
  • Record the date and outcome of the most recent Microsoft Message Center / Copilot release notes review affecting Copilot capabilities.
  • Communicate Copilot's known limitations (hallucination potential, lack of real-time market data, no assurance of factual accuracy) to all licensed users at onboarding and at least annually.
  • Ensure Control 3.8 Baseline activities are also in place — 3.8a Baseline is additive, not a replacement.

Recommended

Applies to mid-size institutions and to community banks that have moved Copilot beyond purely internal productivity. Recommended-tier activities aid in demonstrating a maturing AI Management System aligned to ISO/IEC 42001 expectations:

  • Define the validation scope for Copilot in writing, expressly limited to (a) usage controls and (b) output quality — not internal model architecture, which is Microsoft's responsibility as vendor.
  • Operate a quarterly NIST AI RMF Measure cadence covering the trustworthy-AI characteristics relevant to the institution's Copilot use cases (typically valid/reliable, fair, accountable, privacy-enhanced).
  • Hold quarterly ISO/IEC 42001-aligned management review meetings with documented minutes covering: AI policy effectiveness, results of monitoring and measurement, status of corrective actions, changes in external/internal context, opportunities for improvement.
  • Maintain the three-framework crosswalk (see Control Description) as a living document, reviewed at least semi-annually.
  • Implement structured output monitoring drawing on Microsoft tooling: DSPM for AI (prompt/response inspection, sensitive data exposure events), Purview Audit (interaction logs), Microsoft Defender for Cloud Apps (Copilot anomaly detection), Insider Risk Management risky-AI-usage signals, and Viva Insights Copilot dashboards.
  • Test Copilot outputs for fair-lending and UDAAP risks where Copilot supports lending, deposit-product, or customer-complaint workflows (coordinate with Control 3.8 fair-lending monitoring).
  • Track at minimum: hallucination indicator rate, sensitive-data exposure events per quarter, prompt-injection / jailbreak attempts identified, and material Microsoft model-version changes.
  • Conduct an annual vendor due diligence refresh covering Microsoft's Responsible AI updates, third-party model providers in scope, and any newly disclosed safety reports. The refresh should explicitly cover:
    • Anthropic — Microsoft 365 Copilot subprocessor since January 7, 2026, available across Microsoft 365 Copilot, Researcher, Copilot Studio, Power Platform, Agent Mode in Excel, and Word/Excel/PowerPoint agents. Anthropic models are provided under the Microsoft Product Terms and DPA but are out of scope for the EU Data Boundary and in-country LLM processing commitments, and are on by default for most commercial-cloud customers (excluding EU/EFTA and UK). Document the institution's enable / disable decision and the residency posture for each tenant region.
    • xAI — independent provider (currently scoped to Copilot Studio); processing occurs outside Microsoft-managed environments and is governed by xAI's separate Terms of Service and Data Processing Addendum. The Microsoft Product Terms, DPA, data residency commitments, audit and compliance requirements, SLAs, and Customer Copyright Commitment do not apply to xAI usage. Treat xAI as a discrete vendor under Control 1.10.
  • When agents (Microsoft, partner, or custom) are used to extend Microsoft 365 Copilot, review the agent's privacy statement and terms of use to determine how the agent will handle organizational data; record the review outcome in the vendor due diligence package.
  • Include Copilot generative AI governance in the AI/model risk committee charter and on the standing agenda.
  • Cross-reference and reconcile activities with Control 3.8 Recommended-tier requirements at least annually.

Regulated

Applies to large complex banking organizations, broker-dealers, and registered investment advisers deploying Copilot in client-facing, lending, advisory, or financial-reporting-adjacent workflows. Regulated-tier activities support compliance with examiner expectations across MRM, AI/technology risk, and AI Management System auditors:

  • Conduct an annual comprehensive MRM assessment for Copilot that is cross-walked to all three frameworks (SR 11-7, NIST AI RMF 1.0, ISO/IEC 42001), with explicit gap analysis where the SR 26-2 exclusion creates open questions.
  • Subject the Copilot governance program to independent validation function review, focused on whether usage controls and output monitoring operate as designed (recognizing the bounded validation scope for vendor-provided models).
  • Report Copilot AI governance status to the board (or designated board committee) at least annually, covering risk tier, use-case scope, monitoring results, material vendor changes, and known issues.
  • Operate continuous (or near-continuous) NIST AI RMF Manage activities — incident response runbooks for prompt-injection, data exposure, hallucination-driven customer-facing errors, and material output-quality regressions following Microsoft model updates.
  • Maintain examination-ready documentation packages aligned to OCC Heightened Standards (12 CFR part 30, appendix D) where applicable, organized for reviewer navigation.
  • Apply OCC Bulletin 2025-26 proportionality determinations only where formally documented; large complex banking organizations should not rely on community-bank proportionality.
  • Coordinate with internal audit on at least an annual ISO/IEC 42001 readiness review, even if formal certification is not pursued.
  • Maintain quantitative thresholds for key Copilot risk indicators with documented escalation paths and (where appropriate) automated triggers.
  • Run challenger or benchmark testing at least annually for the highest-risk use cases (e.g., compare Copilot-drafted client communications to human-drafted baselines for tone, accuracy, and fair-lending indicators).
  • Confirm Control 3.8 Regulated-tier activities are fully in place; 3.8a Regulated is the genAI-specific overlay, not a substitute.

Setup & Configuration

Step 1 — Establish the synthesis crosswalk

  1. Convene the AI governance committee (or equivalent) with representation from MRM, compliance, legal, technology risk, and data governance.
  2. Adopt the three-framework crosswalk in this control as the institution's baseline, then adapt it to existing terminology.
  3. Identify the accountable owner for each row of the crosswalk, the evidence repository, and the review cadence.
  4. Document the synthesis rationale and the decision to apply 3.8a as an overlay on 3.8.

Step 2 — Update the model inventory entry

  1. Open the existing Copilot inventory entry created under Control 3.8.
  2. Add fields for: NIST AI RMF function coverage, ISO/IEC 42001 clause references, generative-AI-specific risks (hallucination, prompt injection, drift), and the three-framework crosswalk reference.
  3. Record the SR 26-2 / OCC Bulletin 2026-13 exclusion citation and the institution's decision to apply 3.8a as the interim genAI framework.
  4. Re-confirm the risk tier; institutions deploying Copilot in client-facing or lending workflows should validate that the tier remains appropriate given the genAI-specific risks now explicitly tracked.

Step 3 — Stand up the NIST AI RMF Measure cadence

  1. Define the trustworthy-AI characteristics in scope (typically valid/reliable, fair, accountable, privacy-enhanced; safe and secure overlap with Pillar 2 controls).
  2. For each in-scope characteristic, define at least one quantitative or structured-qualitative indicator, the data source (DSPM for AI, Purview Audit, Communication Compliance results, sampling results), and the cadence.
  3. Schedule the quarterly Measure review and assign the chair.
  4. Define escalation thresholds — what indicator level triggers a Manage activity (corrective action, additional monitoring, use-case suspension).
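
One way to encode the Step 3 indicators and escalation thresholds so that each quarterly Measure review yields a Manage activity, as an added example that is not part of this framework or of Solution 20. The threshold values, the 75-output floor, the record field names, and the data source assigned to prompt-injection attempts are assumptions an institution would replace with its own.

```python
from dataclasses import dataclass
from typing import Optional

# Manage activities named in Step 3, in ascending severity.
ACTIONS = ["none", "additional monitoring", "corrective action", "use-case suspension"]

# Hypothetical thresholds (assumption): lower bounds that trigger, in order,
# additional monitoring, corrective action and use-case suspension.
THRESHOLDS = {
    "hallucination_rate": (0.02, 0.05, 0.10),
    "sensitive_data_exposure_events": (1, 3, 10),
    "prompt_injection_attempts": (5, 20, 50),
}
# Assumed floor: one quarter of the Baseline cadence (~25 outputs per month).
MIN_REVIEWED = 75


@dataclass
class Indicator:
    name: str
    value: Optional[float]  # None means "not measurable this quarter"
    source: str
    action: str
    note: str = ""


def escalate(name, value):
    """Return the most severe Manage activity whose threshold is reached."""
    return ACTIONS[sum(value >= bound for bound in THRESHOLDS[name])]


def hallucination_indicator(samples):
    """Rate of reviewer-confirmed hallucinations among reviewed outputs."""
    reviewed = [s for s in samples if s.get("verdict") in ("ok", "hallucination")]
    if len(reviewed) < MIN_REVIEWED:
        # An under-sampled quarter must not be reported as a reassuring 0%.
        return Indicator("hallucination_rate", None, "sampling results",
                         "additional monitoring",
                         f"{len(reviewed)} reviewed outputs, {MIN_REVIEWED} required")
    rate = sum(s["verdict"] == "hallucination" for s in reviewed) / len(reviewed)
    return Indicator("hallucination_rate", rate, "sampling results",
                     escalate("hallucination_rate", rate))


def count_indicator(name, events, source):
    """Indicator whose value is the number of events recorded in the quarter."""
    return Indicator(name, len(events), source, escalate(name, len(events)))


def quarterly_measure(samples, exposure_events, injection_events):
    """Evaluate all indicators; the overall action is the most severe one."""
    indicators = [
        hallucination_indicator(samples),
        count_indicator("sensitive_data_exposure_events", exposure_events, "DSPM for AI"),
        # Source for this indicator is an assumption; the page does not name one.
        count_indicator("prompt_injection_attempts", injection_events, "Purview Audit"),
    ]
    overall = max((i.action for i in indicators), key=ACTIONS.index)
    return indicators, overall


# Constructed sample quarter (not real data): 80 reviewed outputs, 5 flagged.
SAMPLES = [{"id": n, "verdict": "hallucination" if n < 5 else "ok"} for n in range(80)]
EXPOSURES = [{"id": "exp-1"}, {"id": "exp-2"}]
INJECTIONS = [{"id": f"inj-{n}"} for n in range(4)]

if __name__ == "__main__":
    indicators, overall = quarterly_measure(SAMPLES, EXPOSURES, INJECTIONS)
    for i in indicators:
        print(f"{i.name}: value={i.value} source={i.source} -> {i.action} {i.note}")
    print("overall Manage activity:", overall)
```

A quarter with too few reviewed outputs returns no rate and is escalated to additional monitoring, so a gap in sampling surfaces in the review instead of reading as a clean result.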

Step 4 — Operate ISO/IEC 42001-aligned management reviews

  1. Schedule the quarterly management review meeting and reserve a recurring agenda slot at the AI governance committee.
  2. Use the ISO/IEC 42001 Clause 9.3 inputs as the meeting template: status of actions from previous reviews, changes in external/internal issues relevant to the AI Management System, performance information (monitoring/measurement results, audit results), opportunities for improvement.
  3. Capture minutes, action items, and accountable owners.
  4. Review minutes annually with internal audit.

Step 5 — Operationalize via Solution 20 (Generative AI Model Governance Monitor)

  1. Deploy or align with the sister Solution 20, which provides operational tooling for Copilot generative AI governance — output sampling workflows, NIST AI RMF Measure dashboards, ISO/IEC 42001 management-review packets, and vendor-change tracking.
  2. Confirm that Solution 20 outputs feed the institution's evidence repository for examiner readiness.
  3. Document the Solution 20 → Control 3.8a mapping in the crosswalk.

Step 6 — Vendor due diligence refresh

  1. Refresh the Microsoft vendor file: latest Responsible AI Standard, transparency notes for Copilot surfaces in scope, model cards (including any third-party model cards relevant when Anthropic or xAI models are enabled), SOC 2 Type II, Data Protection Addendum.
  2. Document the date of refresh, reviewer, and any open questions. Capture provider-specific posture: Anthropic (Microsoft subprocessor since Jan 7, 2026; out of scope for EU Data Boundary and in-country LLM processing commitments; on by default outside EU/EFTA/UK) and xAI (independent provider, processing outside Microsoft-managed environments under xAI's separate ToS / DPA; Microsoft data residency commitments and Customer Copyright Commitment do not apply).
  3. Track Microsoft Message Center notices that materially affect Copilot capabilities and re-validate output quality after material model updates, including provider toggle changes (for example, Anthropic default-on enablement waves and Copilot in M365 apps with Anthropic models in EU/EFTA/UK).

Financial Sector Considerations

Examiner Expectations During the SR 26-2 Transition

Banking regulators continue to ask about generative AI governance even though SR 26-2 / OCC Bulletin 2026-13 excluded these systems. Institutions should expect questions about:

  • How the institution determined which framework(s) apply to Copilot in the absence of SR 26-2 coverage.
  • Whether the institution can demonstrate a documented synthesis (rather than ad-hoc references to "AI principles").
  • How vendor-model limitations are reflected in the validation scope and disclosed to senior management.
  • How the institution monitors Microsoft model updates and re-validates after material changes.
  • How Copilot governance interacts with existing MRM (Control 3.8) and AI inventory programs.

A documented three-framework synthesis aids in answering these questions consistently across MRM examiners, AI/technology risk reviewers, and ISO/IEC 42001 auditors.

Proportionality (OCC Bulletin 2025-26) Applied to genAI

Community banks deploying Copilot for internal productivity may apply Baseline-tier 3.8a activities. The proportionality determination should be documented with: institution size, Copilot usage scope, identified genAI-specific risks, citation to OCC Bulletin 2025-26, and a date for re-evaluation. Institutions should verify that the determination is revisited if Copilot usage expands into client-facing, lending, or advisory workflows.

Independent Validation Scope for Vendor-Provided Generative AI

Independent validation under SR 11-7 traditionally inspects internal model architecture; this is not feasible for Copilot. The validation function instead reviews:

  • Whether the institution's Copilot governance controls operate as designed.
  • Whether output monitoring is calibrated to identify hallucination and bias indicators.
  • Whether the vendor due diligence package is current and substantively reviewed.
  • Whether the three-framework synthesis is operating as a coherent program rather than parallel processes.

This scope is consistent with longstanding vendor-model practice and helps meet supervisory expectations during the SR 26-2 transition.

Interaction with Other Frameworks

  • NIST AI RMF 1.0 is voluntary; adoption is by institutional decision and contributes to demonstrating reasoned governance.
  • ISO/IEC 42001 certification is not required by US banking regulators, but operating an aligned AI Management System aids in cross-jurisdictional readiness (UK PRA, EU AI Act high-risk overlay where applicable, APAC supervisory interest).
  • Interagency Guidance on AI (2023) continues to remind institutions that existing risk management frameworks apply to AI; 3.8a operationalizes this reminder for Copilot specifically.

No single control or framework satisfies a regulation in isolation; Control 3.8a is intended to be operated alongside Control 3.8 and the Pillar 1, 2, and 4 controls.

Verification Criteria

| # | Verification Step | Expected Outcome | Tier |
|---|---|---|---|
| 1 | Confirm Copilot is registered in the model inventory with 3.8a-specific fields populated (NIST AI RMF coverage, ISO/IEC 42001 clauses, genAI-specific risks, SR 26-2 exclusion citation) | Inventory entry exists, cross-references Control 3.8, and reflects current tier and accountable owner | Baseline |
| 2 | Verify the vendor due diligence package is on file and dated within the last 12 months | Package contains Microsoft Responsible AI Standard, applicable model cards / transparency notes, SOC 2 Type II, DPA; review date and reviewer recorded | Baseline |
| 3 | Review the three-framework synthesis document | Crosswalk maps SR 11-7 principles, NIST AI RMF functions, and ISO/IEC 42001 clauses to institution evidence; reviewed within last 6–12 months | Baseline → Recommended |
| 4 | Inspect monthly basic output sampling records | Sampling tracker shows ≥ 25 outputs/month across highest-risk use cases with findings logged | Baseline |
| 5 | Verify the institution's Copilot AI policy exists and documents scope, owner, prohibited uses, and escalation path | Policy is approved, version-controlled, and communicated | Baseline |
| 6 | Inspect quarterly NIST AI RMF Measure review records | Each quarterly review covers in-scope trustworthy-AI characteristics with quantitative/structured indicators and escalation thresholds | Recommended |
| 7 | Inspect ISO/IEC 42001-aligned management review minutes | Quarterly minutes cover Clause 9.3 inputs (prior actions, context changes, performance info, improvement opportunities) | Recommended |
| 8 | Verify structured output monitoring is operating across DSPM for AI, Purview Audit, MDA, IRM (risky AI usage), and Viva Insights | Each tool produces evidence reviewed at the documented cadence | Recommended |
| 9 | Verify annual vendor due diligence refresh has occurred | Refresh log shows date, reviewer, open questions, and explicit coverage of Anthropic (subprocessor since Jan 7, 2026; EU Data Boundary / in-country LLM processing exclusion; commercial-cloud default-on outside EU/EFTA/UK) and xAI (independent provider, processed outside Microsoft-managed environments, governed by xAI's separate Terms of Service and DPA), plus a record of agent privacy-statement reviews where third-party agents are in use | Recommended |
| 10 | Inspect annual comprehensive MRM assessment cross-walked to SR 11-7 + NIST AI RMF 1.0 + ISO/IEC 42001 | Assessment exists, includes explicit gap analysis for the SR 26-2 exclusion, and is approved by the AI/model risk committee | Regulated |
| 11 | Confirm independent validation function review of Copilot governance occurred within the last 12 months | Validation report focuses on usage controls and output quality (not internal architecture) and includes findings/recommendations | Regulated |
| 12 | Confirm board or designated board committee reporting on Copilot AI governance occurred within the last 12 months | Board packet includes risk tier, use-case scope, monitoring results, material vendor changes, and known issues | Regulated |

Additional Resources


FSI Copilot Governance Framework v1.4.0 - April 2026