Control 2.14: Declarative and SharePoint Agents Governance — Troubleshooting
Common issues and resolution steps for declarative, SharePoint-backed, and Registry-governed agent security.
Common Issues
Issue 1: Users Creating Agents Without Governance Approval
- Symptoms: Declarative agents discovered in the tenant without governance approval or documentation
- Root Cause: Agent creation restrictions may not be properly configured, or users may have found alternative creation paths.
- Resolution:
- Review agent settings in Admin Center > Agents > Settings
- Restrict creation to approved security groups
- Audit existing agents and require retroactive governance approval
- Set up monitoring (Script 3) to detect new agent creation
Issue 2: Agent Accessing Overshared Source Content
- Symptoms: A declarative agent returns sensitive content that the querying user should not have access to
- Root Cause: The agent's source SharePoint site has oversharing — content is accessible to more users than intended.
- Resolution:
- Immediately restrict the source site sharing settings
- Run an oversharing assessment (Control 1.2) on the source site
- Remediate permissions before re-enabling the agent
- Consider suspending the agent until remediation is complete
Issue 3: Agent Providing Inaccurate or Stale Responses
- Symptoms: Agent responses reference outdated content or provide incorrect information
- Root Cause: Source content may be outdated, or the semantic index may not have processed recent updates to the source site.
- Resolution:
- Verify source content is current and accurately maintained
- Request a re-index of the source site if recent updates are not reflected
- Add content freshness indicators to the agent description
- Establish a content review cadence for agent source sites
Issue 4: Agent Governance Process Slowing Deployment
- Symptoms: Business teams report agent approval takes too long
- Root Cause: Governance process may be overly complex for low-risk agents.
- Resolution:
- Create tiered governance based on data sensitivity and audience scope
- Fast-track agents referencing already-approved, properly governed sites
- Pre-approve common agent patterns with standardized templates
- Define clear SLAs for governance review
Diagnostic Steps
- Check agent inventory: Review Admin Center > Agents > All agents / Registry
- Verify source security: Run Script 2 on agent data sources
- Review creation policies: Verify agent creation restrictions in admin settings
- Monitor activity: Run Script 3 for recent agent events
- Test agent scope: Query the agent to verify content boundaries
Escalation
| Severity | Condition | Escalation Path |
|---|---|---|
| Low | Governance process improvement needed | Governance team |
| Medium | Unauthorized agent creation detected | Security Operations for review |
| High | Agent exposing sensitive content | Security Operations and site owner |
| Critical | Regulated data exposed through ungoverned agent | CISO and Compliance Officer immediately |
Related Resources
- Portal Walkthrough — Agent governance configuration
- PowerShell Setup — Agent management scripts
- Verification & Testing — Governance validation