Control 1.4: Semantic Index Governance — Verification & Testing
Test cases and evidence collection for validating Semantic Index governance controls.
Test Cases
Test 1: Index Scope Configuration Verification
- Objective: Confirm the semantic index scope matches governance-approved configuration
- Steps:
  - Review current index configuration in Microsoft 365 Admin Center
  - Compare against the documented governance decision for content source inclusion
  - Verify that excluded content sources are not being indexed
  - Confirm settings have not been modified since last governance review
- Expected Result: Index scope exactly matches governance-approved configuration
- Evidence: Admin center screenshots and configuration export
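
One way to automate the comparison steps of Test 1 is to diff the content source inventory against the governance-approved scope and flag any drift. This is an added example, not part of the original control documentation or any Microsoft tooling; the CSV column names (`source`, `decision`, `indexed`, `last_modified`), the sample URLs and the review date are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names and URLs are assumptions for this
# example, not a Microsoft 365 export schema.
APPROVED_CSV = """source,decision
https://contoso.example/sites/policies,include
https://contoso.example/sites/research,include
https://contoso.example/sites/hr-cases,exclude
https://contoso.example/sites/legal-holds,exclude
"""
CURRENT_CSV = """source,indexed,last_modified
https://contoso.example/sites/policies/,true,2025-01-10
https://contoso.example/sites/research,false,2025-01-10
https://contoso.example/sites/HR-Cases,true,2025-03-02
https://contoso.example/sites/m-and-a,true,2025-02-20
"""

def _norm(url):
    """Normalise a source URL so case or a trailing slash cannot hide drift."""
    return url.strip().rstrip("/").lower()

def check_scope(approved_csv, current_csv, last_review):
    """Return sorted (source, issue) findings; an empty list means Test 1 passes."""
    approved = {_norm(r["source"]): r["decision"].strip().lower()
                for r in csv.DictReader(io.StringIO(approved_csv))}
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(current_csv)):
        src = _norm(row["source"])
        seen.add(src)
        indexed = row["indexed"].strip().lower() == "true"
        decision = approved.get(src)
        if decision is None and indexed:
            findings.append((src, "indexed without a governance decision"))
        elif decision == "exclude" and indexed:
            findings.append((src, "excluded source is indexed"))
        elif decision == "include" and not indexed:
            findings.append((src, "approved source is not indexed"))
        if date.fromisoformat(row["last_modified"].strip()) > last_review:
            findings.append((src, "changed after last governance review"))
    for src in approved.keys() - seen:
        findings.append((src, "missing from current export"))
    return sorted(findings)

if __name__ == "__main__":
    for source, issue in check_scope(APPROVED_CSV, CURRENT_CSV, date(2025, 1, 31)):
        print(f"{issue}: {source}")
```

The printed findings can be saved alongside the configuration export as evidence for this test.
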
Test 2: Sensitivity Label Enforcement in Index
- Objective: Verify that sensitivity labels affect index behavior as configured
- Steps:
  - Create a test document with a "Highly Confidential" sensitivity label
  - Store the document in a SharePoint site included in the index scope
  - As a user without access to Highly Confidential content, query Copilot for the test document content
  - Verify Copilot does not surface the protected content to the unauthorized user
  - As an authorized user, verify Copilot can surface the content
- Expected Result: Semantic Index respects sensitivity label access controls: authorized users see content, unauthorized users do not
- Evidence: Copilot interaction logs for both authorized and unauthorized test users
Test 3: Content Exclusion Validation
- Objective: Confirm that content sources marked for exclusion are not indexed
- Steps:
  - Identify a content source that was excluded from the semantic index per governance decision
  - Create unique test content in the excluded source
  - Query Copilot using terms from the unique test content
  - Verify Copilot does not return results from the excluded source
- Expected Result: Content from excluded sources does not appear in Copilot responses
- Evidence: Copilot query results showing no references to excluded content
Test 4: Governance Documentation Completeness
- Objective: Verify that all semantic index governance decisions are properly documented
- Steps:
  - Review the index governance policy document
  - Confirm it includes: content source scope decisions, sensitivity label thresholds, user enablement criteria, review cadence
  - Verify governance committee sign-off is current (within the last review period)
  - Check that change history is maintained for all scope modifications
- Expected Result: Complete governance documentation with current approvals
- Evidence: Governance policy document with sign-off records
Evidence Collection
| Evidence Item | Format | Storage Location | Retention |
| --- | --- | --- | --- |
| Index configuration screenshot | PNG/PDF | Compliance evidence repository | 7 years |
| Content source inventory | CSV | Compliance evidence repository | 7 years |
| Sensitivity label access test results | PDF | Compliance evidence repository | 7 years |
| Governance decision documentation | PDF | Governance document repository | 7 years |
| Index scope change history | CSV | Compliance evidence repository | 7 years |
Compliance Mapping
| Regulation | Requirement | How This Control Supports It |
| --- | --- | --- |
| FINRA Rule 3110 | Information access controls | Index governance limits AI access scope to approved content |
| SEC Regulation S-P | Customer information safeguards | Controlling index scope reduces risk of AI accessing protected NPI |
| OCC Heightened Standards | Third-party risk management | Governing AI content access supports compliance with data control standards |
| NIST AI RMF | GOVERN 1.1: AI governance policies | Formal index governance supports compliance with AI governance requirements |