Comprehensive governance framework for Microsoft 365 AI agents in financial services organizations.
This framework provides complete guidance for deploying, governing, and managing Microsoft 365 agents (Copilot Studio, Agent Builder, and related AI services) in regulated financial services environments.
Version: 1.1.4 (January 2026)
Target Audience: Financial Services Organizations (FSI)
Regulatory Focus: FINRA, SEC, SOX, GLBA, OCC, Federal Reserve, FDIC, NCUA
To stay current: Star this repository, use Watch → Releases for low-noise update notifications, and share with your compliance team as part of your review.
Scope: This framework is designed for US financial institutions using Microsoft 365 AI agents (Copilot Studio, Agent Builder). Non-US regulations (EU AI Act, GDPR, DORA) and non-M365 AI platforms are out of scope.
Important: This framework is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See Disclaimer for full details.
| Pillar | Controls | Focus | Examples |
|---|---|---|---|
| 1. Security | 23 | Protect data and systems | DLP, Audit, Encryption, MFA, eDiscovery, Network Isolation, Information Barriers |
| 2. Management | 21 | Govern lifecycle and risk | Change Control, Testing, Model Risk, Multi-Agent Orchestration, HITL Framework |
| 3. Reporting | 10 | Monitor and track | Inventory, Usage, Incidents, PPAC, Sentinel, Hallucination Feedback |
| 4. SharePoint Mgmt | 7 | SharePoint-specific controls | Access, Retention, External Sharing, Grounding Scope, Copilot Data Governance |
Total: 61 Comprehensive Controls
| Zone | Level | Risk | Data Access | Approval |
|---|---|---|---|---|
| Zone 1: Personal | Low | Individual development | M365 Graph only | Self-service |
| Zone 2: Team | Medium | Departmental agents | Internal data | Manager approval |
| Zone 3: Enterprise | High | Production/customer-facing | Regulated data | Governance committee |
```mermaid
graph LR
subgraph "Zone 1: Personal"
Z1[Individual Use]
end
subgraph "Zone 2: Team"
Z2[Departmental Use]
end
subgraph "Zone 3: Enterprise"
Z3[Production Use]
end
Z1 -->|Promote| Z2
Z2 -->|Promote| Z3
Z3 -.->|Demote| Z2
Z2 -.->|Demote| Z1
style Z1 fill:#66BB6A,color:#fff
style Z2 fill:#FFA726,color:#fff
style Z3 fill:#EF5350,color:#fff
```
Strategic governance principles in docs/framework/:
- Executive summary and adoption roadmap
- Governance zones and tiers
- Agent lifecycle management
- Operating model and regulatory framework
Technical specifications in docs/controls/:
- Pillar 1: 23 Security Controls (1.1-1.23)
- Pillar 2: 21 Management Controls (2.1-2.21)
- Pillar 3: 10 Reporting Controls (3.1-3.10)
- Pillar 4: 7 SharePoint Controls (4.1-4.7)
Each control includes:
- Overview and regulatory reference
- 3 governance levels (Baseline, Recommended, Regulated)
- Zone-specific requirements
- Verification and testing procedures
Step-by-step procedures in docs/playbooks/control-implementations/:
- 4 playbooks per control (61 controls × 4 = 244 playbooks)
- Portal walkthrough guides with click-by-click navigation
- PowerShell automation scripts with validation
- Verification testing procedures with evidence checklists
- Troubleshooting guides with common issues and resolutions
- README.md - This file (overview)
- Zones-Overview.md - Detailed governance zones
- Regulatory-Mappings.md - Regulation-to-control mapping
- Quick-Start-Guide.md - How to use the framework
- Glossary.md - Key terms and definitions
- RACI-Matrix.md - Roles and responsibilities
- Implementation-Checklist.md - Implementation roadmap
- FAQ.md - Frequently asked questions
- CONTROL-INDEX.md - Master index of all controls
- Administrator Excel Templates - Role-specific checklists and dashboards (see Downloads)
- Offline Deliverables - This repository ships web docs + Excel templates only (no Word/PDF document bundle)
- Read Quick Start Guide (10 minutes)
- Review Zones Overview to classify your agents (15 minutes)
- Check Regulatory Mappings for your relevant regulations (10 minutes)
- Use Implementation Checklist for step-by-step guidance
- Reference individual control files for detailed procedures
- Document evidence in your compliance system
- Schedule quarterly reviews
- Use RACI Matrix to assign roles and responsibilities
- Establish governance committee per Zones Overview
- Schedule recurring compliance reviews
- Track incidents and remediation
Version 1.1 introduces a three-layer documentation model designed to serve different audiences and use cases:
Purpose: Strategic governance principles and organizational context
Audience: Executives, compliance officers, governance leads
9 comprehensive documents covering:
- Executive summary for leadership buy-in
- Governance zone definitions (Zone 1/2/3)
- 30/60/90-day adoption roadmap
- Agent lifecycle management process
- Operating model with RACI
- Regulatory framework landscape
Start here: Framework Overview
Purpose: Technical control specifications
Audience: Administrators, engineers, security teams
61 detailed controls organized by pillar:
- Pillar 1 - Security: 23 controls (1.1-1.23)
- Pillar 2 - Management: 21 controls (2.1-2.21)
- Pillar 3 - Reporting: 10 controls (3.1-3.10)
- Pillar 4 - SharePoint: 7 controls (4.1-4.7)
Each control follows a 10-section format including objective, regulatory alignment, configuration points, zone-specific requirements, and verification criteria.
Start here: Control Index
Purpose: Step-by-step implementation procedures
Audience: Hands-on implementers, auditors
244 implementation playbooks (4 per control):
- Portal Walkthrough - Click-by-click configuration in admin portals
- PowerShell Setup - Automation scripts with validation
- Verification Testing - Test cases, evidence collection, attestation templates
- Troubleshooting - Common issues, resolutions, escalation paths
Start here: Playbooks Overview
```mermaid
graph TD
A[Layer 1: Framework] -->|Defines principles| B[Layer 2: Controls]
B -->|Specifies requirements| C[Layer 3: Playbooks]
C -->|Provides evidence| B
B -->|Validates strategy| A
style A fill:#66BB6A,color:#fff
style B fill:#FFA726,color:#fff
style C fill:#42A5F5,color:#fff
```
Each control in this framework follows a consistent documentation structure.
This repo is actively being expanded to include how-to-configure guidance (step-by-step portal paths, optional automation, and evidence-grade verification).
Use this workflow for implementing controls:
Every control file (1.1-4.7) follows this enhanced structure:
| Section | Purpose |
|---|---|
| Overview | Control ID, name, regulatory references, setup time |
| Prerequisites | Required licenses, admin roles, dependencies |
| Governance Levels | Baseline, Recommended, and Regulated configurations |
| Setup & Configuration | Step-by-step portal navigation and PowerShell scripts |
| Financial Sector Considerations | Regulatory alignment, zone-specific guidance, FSI examples |
| Verification & Testing | Steps to confirm configuration is active |
| Troubleshooting | Common issues and resolutions |
| Additional Resources | Microsoft Learn links and admin portal URLs |
```mermaid
graph LR
A[1. Check Prerequisites] --> B[2. Follow Setup Steps]
B --> C[3. Configure per Zone]
C --> D[4. Verify Configuration]
D --> E[5. Document Evidence]
E --> F[6. Schedule Review]
```
- Check Prerequisites: Verify licenses, admin roles, and dependencies (other controls that must be configured first)
- Follow Setup Steps: Use portal-based or PowerShell configuration methods
- Configure per Zone: Apply settings appropriate for Zone 1, 2, or 3
- Verify Configuration: Execute verification steps to confirm active controls
- Document Evidence: Capture screenshots, export logs, record in compliance system
- Schedule Review: Set quarterly review cadence for control effectiveness
Run these from the repo root (FSI-AgentGov/):
```bash
python scripts/verify_controls.py
python scripts/verify_templates.py
python scripts/verify_excel_templates.py
mkdocs build --strict
```
| Resource | Description | Location |
|---|---|---|
| Control Template | Standard template for control documentation | templates/control-setup-template.md |
| Microsoft Learn URLs | Master list of official documentation | reference/microsoft-learn-urls.md |
| Portal Navigation Paths | Quick reference for admin center navigation | reference/portal-paths-quick-reference.md |
| License Requirements | License mapping for all 61 controls | reference/license-requirements.md |
| FSI Configuration Examples | Bank, broker-dealer, and insurance scenarios | reference/fsi-configuration-examples.md |
These foundation controls should be implemented first as other controls depend on them:
| Priority | Control | Why First |
|---|---|---|
| 1 | 2.1 - Managed Environments | Required for 15+ other controls |
| 2 | 1.7 - Audit Logging | Compliance evidence for all controls |
| 3 | 1.11 - Conditional Access & MFA | Security baseline |
| 4 | 1.5 - DLP & Sensitivity Labels | Data protection foundation |
| 5 | 1.4 - Advanced Connector Policies | Connector governance for agents |
| Portal | URL | Primary Use |
|---|---|---|
| Power Platform Admin Center | admin.powerplatform.microsoft.com | Environments, DLP, connectors |
| Microsoft Purview Portal | compliance.microsoft.com | Audit, DLP, retention |
| Microsoft Entra Admin Center | entra.microsoft.com | Conditional access, MFA, roles |
| SharePoint Admin Center | admin.microsoft.com/sharepoint | SharePoint governance |
| Copilot Studio | copilotstudio.microsoft.com | Agent development |
Regulatory mappings and coverage are maintained in a single canonical table:
Note: Coverage indicates which framework controls address aspects of each regulation. Actual compliance requires implementation, validation, and ongoing maintenance. Consult legal counsel for regulatory interpretation. See Disclaimer.
Each control is documented with 4 maturity levels:
- Level 0: Not implemented
- Level 1: Baseline (minimal compliance)
- Level 2-3: Recommended (best practices)
- Level 4: Regulated/High-Risk (comprehensive)
- Assess - Current state vs. required level
- Implement - Follow control guidance
- Verify - Use verification procedures
- Document - Record evidence for audit
- Review - Schedule recurring reviews (quarterly)
Key roles from RACI Matrix:
| Role | Responsibility |
|---|---|
| AI Governance Lead | Framework oversight, policy decisions |
| Compliance Officer | Regulatory alignment, audit coordination |
| CISO | Security policy, threat response |
| Power Platform Admin | Technical implementation, environments |
| Internal Audit | Independent control testing |
Typical 8-week rollout:
- Phase 1 (Weeks 1-2): Regulatory Compliance Baseline (11 tasks)
- Phase 2 (Weeks 3-4): Security Enhancements (10 tasks)
- Phase 3 (Weeks 5-6): Advanced Governance (8 tasks)
- Phase 4 (Weeks 7-8): Finalization & Operationalization (9 tasks)
See Implementation Checklist for detailed tasks.
- "How do I get started?" → Read Quick Start Guide
- "What's my governance zone?" → See Zones Overview
- "Which controls apply to my regulation?" → Check Regulatory Mappings
- "Who does what?" → Review RACI Matrix
- "What does this term mean?" → Look up Glossary
- "How do I implement this?" → Use Implementation Checklist
- "Common questions?" → See FAQ
- Reference individual control files (1.1-4.7)
- Each control includes step-by-step verification procedures
- Contact your Power Platform Admin for platform-specific setup
- Review Regulatory Mappings for regulation-to-control alignment
- Contact your Compliance Officer for regulatory interpretation
- Escalate to General Counsel for legal questions
This framework is designed for continuous evolution:
- Quarterly Reviews: Assess control effectiveness
- Annual Updates: Incorporate regulatory changes and Microsoft updates
- Version History: Track changes and improvements
- Feedback Loop: Gather input from governance team
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.1.4 | Jan 2026 | Microsoft Audit Reporting Tools integration (AI-in-One Dashboard, PAX) | FSI Governance Team |
| 1.1.3 | Jan 2026 | Deep review & enhancements, Microsoft Learn URLs expansion (159 URLs) | FSI Governance Team |
| 1.1.2 | Jan 2026 | NIST AI RMF crosswalk accuracy corrections | FSI Governance Team |
| 1.1.1 | Jan 2026 | Researcher gap analysis response, Control 2.21 (AI Marketing Claims) | FSI Governance Team |
| 1.1 | Jan 2026 | Three-layer documentation architecture, 244 playbooks, framework layer | FSI Governance Team |
| 1.0 | Jan 2026 | Added evaluation gates, adversarial testing, multi-agent governance, RACI templates | FSI Governance Team |
| 1.0 Beta | Dec 2025 | Enhanced with DSPM, bias testing, runtime protection, FINRA Notice 25-07 alignment | FSI Governance Team |
| 0.9 | Oct 2025 | Initial Internal Draft | FSI Governance Team |
This framework is provided for use by financial services organizations. Modify as needed for your organization's specific requirements.
See Disclaimer.
- Review the Quick Start Guide
- Assess your current state against the framework
- Implement using the step-by-step guidance
- Document evidence for audit compliance
- Review quarterly and update as regulations change
FSI Agent Governance Framework v1.1.4 - January 2026
Comprehensive governance for Microsoft 365 agents in financial services