Control 2.10: Insider Risk Detection for Copilot Usage — Verification & Testing

Test cases and evidence collection for validating insider risk detection for Copilot and agent activity.

Test Cases

Objective: Confirm insider risk policies for Copilot are active and processing
Steps:
Navigate to Microsoft Purview > Insider Risk Management > Policies
Verify Copilot-related policies show "Active" status
Run Script 1 to confirm policy configuration
Check that policy indicators include both Copilot-specific signals and AI usage indicators
Expected Result: All configured insider risk policies are active with AI usage indicators enabled
Evidence: Policy status screenshot and PowerShell output

Objective: Confirm the Risky Agents policy is active and covers all deployed agents
Steps:
Navigate to Microsoft Purview > Insider Risk Management > Policies
Locate the auto-deployed Risky Agents policy
Verify the policy scope includes all deployed Copilot Studio and Azure AI Foundry agents
Confirm alert routing is configured to reach both compliance and agent deployment owners
Review the policy thresholds for FSI appropriateness
Expected Result: Risky Agents policy is active, scoped correctly, and alert routing is configured
Evidence: Policy configuration screenshot; alert routing configuration

Objective: Verify AI usage indicators are active and producing signals
Steps:
Navigate to Microsoft Purview > Insider Risk Management > Settings > Policy indicators
Confirm AI usage indicator category is enabled
Generate above-normal Copilot and agent activity volume with a test account
Wait for the processing cycle (24-48 hours)
Check the test user's risk timeline for AI usage indicator signals
Expected Result: AI usage indicators appear in the risk timeline for elevated-activity accounts
Evidence: IRM risk timeline showing AI usage indicator signals

Objective: Confirm data risk graphs are available and integrated into investigation procedures
Steps:
Navigate to Microsoft Purview > Insider Risk Management > Investigations
Access the Data risk graphs view
Select a time window and verify graph data is loading
Confirm the graph includes Copilot and agent interaction data
Verify investigators know to include graph review in the standard investigation procedure
Expected Result: Data risk graphs accessible and displaying Copilot/agent interaction data
Evidence: Screenshot of data risk graph showing activity data

Objective: Verify the Triage Agent is functioning and producing useful context summaries
Steps:
Navigate to Microsoft Purview > Insider Risk Management > Alerts
Select an active alert and review the Triage Agent context summary
Verify the summary includes: activity type detected, data involved, user risk history context
Confirm the alert severity categorization is reasonable
For Regulated tier: verify that the human-in-the-loop workflow requires investigator confirmation before alert dismissal
Expected Result: Triage Agent produces actionable context summaries; severity categorizations are appropriate
Evidence: Screenshot of Triage Agent context summary for an active alert

Objective: Verify the alert triage process functions correctly
Steps:
Identify an active insider risk alert (or create one via testing)
Verify the alert is routed to the assigned investigator
Complete the triage workflow: review Triage Agent context, classify, and take action
For agent risk alerts: verify routing reaches both compliance and agent deployment owners
Verify the triage is documented in the case management system
Expected Result: Alert is triaged per the documented workflow with Triage Agent context reviewed
Evidence: Completed triage record with investigator actions

Evidence Item	Format	Storage Location	Retention
Insider risk policy configuration	PDF	Compliance evidence repository	7 years
Risky Agents policy configuration	PDF	Compliance evidence repository	7 years
AI usage indicator configuration	Screenshot	Compliance evidence repository	7 years
Triage Agent model inventory entry	PDF	Model risk management repository	7 years
Alert and triage records	PDF	Compliance evidence repository	7 years
Usage anomaly reports	CSV	Compliance evidence repository	7 years
Privacy control verification	Screenshot	Compliance evidence repository	7 years
Data risk graph samples	Screenshot	Compliance evidence repository	7 years

Regulation	Requirement	How This Control Supports It
FINRA Rule 3110	Supervisory systems	Insider risk detection supports compliance with supervisory monitoring requirements; Risky Agents addresses the 2026 FINRA Oversight Report requirement for AI agent supervisory controls
FINRA Rule 3120	Testing supervisory procedures	IRM alert generation and investigation workflow provide testable supervisory procedures for Copilot and agent oversight
FINRA 2026 Oversight Report (GenAI)	Agentic AI supervisory controls	Risky Agents policy and AI usage indicators directly address FINRA's 2026 requirement for supervisory systems covering AI workflow engines
OCC Bulletin 2025-26	Model risk management	IRM Triage Agent documented as model per SR 11-7; proportionate AI-assisted governance
SEC Regulation S-P	Safeguards for customer data	Detecting data theft patterns helps meet customer data protection obligations
GLBA 501(b)	Monitoring and testing safeguards	IRM provides ongoing monitoring evidence and quarterly testing capability
Bank Secrecy Act	Suspicious activity monitoring	Copilot and agent usage monitoring supports compliance with suspicious activity reporting
NIST CSF	DE.AE-1 Anomaly detection	Insider risk supports compliance with anomaly detection requirements