Comprehensive governance framework for Microsoft 365 AI agents in financial services organizations.
This framework provides complete guidance for deploying, governing, and managing Microsoft 365 agents (Copilot Studio, Agent Builder, and related AI services) in regulated financial services environments.
Version: 1.0 Beta (December 2025) Target Audience: Financial Services Organizations (FSI) Regulatory Focus: FINRA, SEC, SOX, GLBA, OCC, Federal Reserve, FDIC, NCUA
To stay current: Star this repository, use Watch β Releases for low-noise update notifications, and share with your compliance team as part of your review.
Scope: This framework is designed for US financial institutions using Microsoft 365 AI agents (Copilot Studio, Agent Builder). Non-US regulations (EU AI Act, GDPR, DORA) and non-M365 AI platforms are out of scope.
Important: This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See Disclaimer for full details.
| Pillar | Controls | Focus | Examples |
|---|---|---|---|
| 1. Security | 19 | Protect data and systems | DLP, Audit, Encryption, MFA, eDiscovery |
| 2. Management | 15 | Govern lifecycle and risk | Change Control, Testing, Model Risk, Environment Routing |
| 3. Reporting | 9 | Monitor and track | Inventory, Usage, Incidents, PPAC, Sentinel |
| 4. SharePoint Mgmt | 5 | SharePoint-specific controls | Access, Retention, External Sharing |
Total: 48 Comprehensive Controls
| Zone | Level | Risk | Data Access | Approval |
|---|---|---|---|---|
| Zone 1: Personal | Low | Individual development | M365 Graph only | Self-service |
| Zone 2: Team | Medium | Departmental agents | Internal data | Manager approval |
| Zone 3: Enterprise | High | Production/customer-facing | Regulated data | Governance committee |
graph LR
subgraph "Zone 1: Personal"
Z1[Individual Use<br/>Self-Service<br/>Low Risk]
end
subgraph "Zone 2: Team"
Z2[Departmental<br/>Manager Approval<br/>Medium Risk]
end
subgraph "Zone 3: Enterprise"
Z3[Production<br/>Committee Approval<br/>High Risk]
end
Z1 -->|Promote| Z2
Z2 -->|Promote| Z3
Z3 -.->|Demote| Z2
Z2 -.->|Demote| Z1
style Z1 fill:#66BB6A,color:#fff
style Z2 fill:#FFA726,color:#fff
style Z3 fill:#EF5350,color:#fff
- Pillar 1: 19 Security Controls (1.1-1.19)
- Pillar 2: 15 Management Controls (2.1-2.15)
- Pillar 3: 9 Reporting Controls (3.1-3.9)
- Pillar 4: 5 SharePoint Controls (4.1-4.5)
Each control includes:
- Overview and regulatory reference
- 3 governance levels (Baseline, Recommended, Regulated)
- Verification and testing procedures
- Implementation guidance
- README.md - This file (overview)
- Zones-Overview.md - Detailed governance zones
- Regulatory-Mappings.md - Regulation-to-control mapping
- Quick-Start-Guide.md - How to use the framework
- Glossary.md - Key terms and definitions
- RACI-Matrix.md - Roles and responsibilities
- Implementation-Checklist.md - Implementation roadmap
- FAQ.md - Frequently asked questions
- CONTROL-INDEX.md - Master index of all controls
- Administrator Excel Templates - Role-specific checklists and dashboards (see Downloads)
- Offline Deliverables - This repository ships web docs + Excel templates only (no Word/PDF document bundle)
- Read Quick Start Guide (10 minutes)
- Review Zones Overview to classify your agents (15 minutes)
- Check Regulatory Mappings for your relevant regulations (10 minutes)
- Use Implementation Checklist for step-by-step guidance
- Reference individual control files for detailed procedures
- Document evidence in your compliance system
- Schedule quarterly reviews
- Use RACI Matrix to assign roles and responsibilities
- Establish governance committee per Zones Overview
- Schedule recurring compliance reviews
- Track incidents and remediation
Each control in this framework follows a consistent documentation structure.
This repo is actively being expanded to include how-to configure guidance (step-by-step portal paths, optional automation, and evidence-grade verification).
Use this workflow for implementing controls:
Every control file (1.1-4.5) follows this enhanced structure:
| Section | Purpose |
|---|---|
| Overview | Control ID, name, regulatory references, setup time |
| Prerequisites | Required licenses, admin roles, dependencies |
| Governance Levels | Baseline, Recommended, and Regulated configurations |
| Setup & Configuration | Step-by-step portal navigation and PowerShell scripts |
| Financial Sector Considerations | Regulatory alignment, zone-specific guidance, FSI examples |
| Verification & Testing | Steps to confirm configuration is active |
| Troubleshooting | Common issues and resolutions |
| Additional Resources | Microsoft Learn links and admin portal URLs |
graph LR
A[1. Check Prerequisites] --> B[2. Follow Setup Steps]
B --> C[3. Configure per Zone]
C --> D[4. Verify Configuration]
D --> E[5. Document Evidence]
E --> F[6. Schedule Review]
- Check Prerequisites: Verify licenses, admin roles, and dependencies (other controls that must be configured first)
- Follow Setup Steps: Use portal-based or PowerShell configuration methods
- Configure per Zone: Apply settings appropriate for Zone 1, 2, or 3
- Verify Configuration: Execute verification steps to confirm active controls
- Document Evidence: Capture screenshots, export logs, record in compliance system
- Schedule Review: Set quarterly review cadence for control effectiveness
Run these from the repo root (FSI-AgentGov/):
python scripts\verify_controls.pypython scripts\verify_templates.pypython scripts\audit_controls_zone_hygiene.pymkdocs build --strict
| Resource | Description | Location |
|---|---|---|
| Control Template | Standard template for control documentation | templates/control-setup-template.md |
| Microsoft Learn URLs | Master list of official documentation | reference/microsoft-learn-urls.md |
| Portal Navigation Paths | Quick reference for admin center navigation | reference/portal-paths-quick-reference.md |
| License Requirements | License mapping for all 48 controls | reference/license-requirements.md |
| FSI Configuration Examples | Bank, broker-dealer, and insurance scenarios | reference/fsi-configuration-examples.md |
These foundation controls should be implemented first as other controls depend on them:
| Priority | Control | Why First |
|---|---|---|
| 1 | 2.1 - Managed Environments | Required for 15+ other controls |
| 2 | 1.7 - Audit Logging | Compliance evidence for all controls |
| 3 | 1.11 - Conditional Access & MFA | Security baseline |
| 4 | 1.5 - DLP & Sensitivity Labels | Data protection foundation |
| 5 | 1.4 - Advanced Connector Policies | Connector governance for agents |
| Portal | URL | Primary Use |
|---|---|---|
| Power Platform Admin Center | admin.powerplatform.microsoft.com | Environments, DLP, connectors |
| Microsoft Purview Portal | compliance.microsoft.com | Audit, DLP, retention |
| Microsoft Entra Admin Center | entra.microsoft.com | Conditional access, MFA, roles |
| SharePoint Admin Center | admin.microsoft.com/sharepoint | SharePoint governance |
| Copilot Studio | copilotstudio.microsoft.com | Agent development |
Regulatory mappings and coverage are maintained in a single canonical table:
Note: Coverage indicates which framework controls address aspects of each regulation. Actual compliance requires implementation, validation, and ongoing maintenance. Consult legal counsel for regulatory interpretation. See Disclaimer.
Each control is documented with 4 maturity levels:
- Level 0: Not implemented
- Level 1: Baseline (minimal compliance)
- Level 2-3: Recommended (best practices)
- Level 4: Regulated/High-Risk (comprehensive)
- Assess - Current state vs. required level
- Implement - Follow control guidance
- Verify - Use verification procedures
- Document - Record evidence for audit
- Review - Schedule recurring reviews (quarterly)
Key roles from RACI Matrix:
| Role | Responsibility |
|---|---|
| AI Governance Lead | Framework oversight, policy decisions |
| Compliance Officer | Regulatory alignment, audit coordination |
| CISO | Security policy, threat response |
| Power Platform Admin | Technical implementation, environments |
| Internal Audit | Independent control testing |
Typical 8-week rollout:
- Phase 1 (Weeks 1-2): Regulatory Compliance Baseline (11 tasks)
- Phase 2 (Weeks 3-4): Security Enhancements (10 tasks)
- Phase 3 (Weeks 5-6): Advanced Governance (8 tasks)
- Phase 4 (Weeks 7-8): Finalization & Operationalization (9 tasks)
See Implementation Checklist for detailed tasks.
- "How do I get started?" β Read Quick Start Guide
- "What's my governance zone?" β See Zones Overview
- "Which controls apply to my regulation?" β Check Regulatory Mappings
- "Who does what?" β Review RACI Matrix
- "What does this term mean?" β Look up Glossary
- "How do I implement this?" β Use Implementation Checklist
- "Common questions?" β See FAQ
- Reference individual control files (1.1-4.5)
- Each control includes step-by-step verification procedures
- Contact your Power Platform Admin for platform-specific setup
- Review Regulatory Mappings for regulation-to-control alignment
- Contact your Compliance Officer for regulatory interpretation
- Escalate to General Counsel for legal questions
This framework is designed for continuous evolution:
- Quarterly Reviews: Assess control effectiveness
- Annual Updates: Incorporate regulatory changes and Microsoft updates
- Version History: Track changes and improvements
- Feedback Loop: Gather input from governance team
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 Beta | Dec 2025 | Enhanced with AI data governance (DSPM), bias testing, runtime protection, FINRA Notice 25-07 alignment | FSI Governance Team |
| 0.9 | Oct 2025 | Initial Internal Draft | FSI Governance Team |
This framework is provided for use by financial services organizations. Modify as needed for your organization's specific requirements.
See Disclaimer.
- Review the Quick Start Guide
- Assess your current state against the framework
- Implement using the step-by-step guidance
- Document evidence for audit compliance
- Review quarterly and update as regulations change
FSI Agent Governance Framework v1.0 Beta - December 2025
Comprehensive governance for Microsoft 365 agents in financial services