This directory contains comprehensive control documentation for the FSI Agent Governance Framework across four pillars. See the Solutions Index for the live catalog of 33 companion solutions aligned to the companion repository inventory.

| Control ID | Control Name | Implementation |
|---|---|---|
| 3.1 | Agent Inventory and Metadata Management | Portal / PowerShell, CD |
| 3.2 | Usage Analytics and Activity Monitoring | Portal, CD, CSA |
| 3.3 | Compliance and Regulatory Reporting | Portal, CD, MTR |
| 3.4 | Incident Reporting and Root Cause Analysis | Portal, Deny Event Correlation |
| 3.5 | Cost Allocation and Budget Tracking | Portal |
| 3.6 | Orphaned Agent Detection and Remediation | Portal / PowerShell |
| 3.7 | PPAC Security Posture Assessment | Portal, Hardening Baseline, ITE, MTR |
| 3.8 | Copilot Hub | Portal, Hardening Baseline, UASD, AAM, ITE, CSI |
| 3.9 | Microsoft Sentinel Integration | Portal / PowerShell, AOF |
| 3.10 | Hallucination Feedback Loop | Portal, HT |
| 3.11 | Centralized Agent Inventory Enforcement | Portal / PowerShell |
| 3.12 | Agent Governance Exception and Override Management | Portal / PowerShell |
| 3.13 | Agent 365 Admin Center Analytics and Reporting | Portal / PowerShell |
| 3.14 | Agent 365 Observability SDK and Custom Agent Telemetry | Portal / PowerShell |

| Control ID | Control Name | Implementation |
|---|---|---|
| 4.1 | SharePoint Information Access Governance (IAG) / Restricted Content Discovery | Portal / PowerShell |
| 4.2 | Site Access Reviews and Certification | Portal |
| 4.3 | Site and Document Retention Management | Portal / PowerShell, AKSS, MTR |
| 4.4 | Guest and External User Access Controls | Portal / PowerShell |
| 4.5 | SharePoint Security and Compliance Monitoring | Portal |
| 4.6 | Grounding Scope Governance | Portal |
| 4.7 | Microsoft 365 Copilot Data Governance | Portal |
| 4.8 | Item-Level Permission Scanning for Agent Knowledge Sources | PowerShell, AKSS |
| 4.9 | Embedded File Content Governance | Portal / PowerShell |

The Implementation column indicates how each control is implemented:

| Reference | Meaning |
|---|---|
| Portal | Configured through Microsoft admin portals (PPAC, Purview, Entra, etc.) |
| PowerShell | Automated via PowerShell cmdlets |
| Solution Link | Deployable automation from FSI-AgentGov-Solutions |

Companion solutions provide deployment documentation, governance scripts, KQL queries, and templates that help operationalize controls at scale. See the Solutions Index for the live catalog of 33 companion solutions.
- Review the Overview - Start with the framework overview to understand the 3 zones and 4 pillars
- Assess Current State - For each control, review your current implementation level (Baseline, Recommended, or Regulated)
- Implement Controls - Follow the implementation guidance in each control file
- Verify & Document - Use the verification steps to confirm implementation and document evidence
- Establish Recurring Reviews - Schedule quarterly reviews to ensure controls remain effective

Each control is documented with three governance levels:
- Baseline: Minimum required implementation
- Recommended: Best practice implementation for Zone 2+ agents
- Regulated/High-Risk: Comprehensive implementation for Zone 3 agents and regulated environments

Focus: Protect data and systems from unauthorized access, misuse, and exploitation.
- Authentication and Authorization
- Data Loss Prevention
- Audit Logging
- Encryption
- Threat Detection
- eDiscovery
- Network Isolation
- Adversarial Input Protection
- Information Barriers
- Step-Up Authentication
- File Upload Governance
- Content Moderation
- Publishing Restrictions
- AI Security Posture Management
- Global Secure Access

Focus: Govern the agent lifecycle, access control, change management, and model risk.
- Managed Environments
- Change Management
- Business Continuity
- Testing & Validation
- Model Risk Management
- Vendor Management
- Training & Supervision
- RAG Source Validation
- Multi-Agent Orchestration
- Conflict of Interest Testing
- Customer AI Disclosure
- Adversarial Testing & Red Teaming
- AI Marketing Claims & Substantiation
- Inactivity Timeout Enforcement
- User Consent & AI Disclosure
- Feature Enablement Governance
- Agent 365 Governance Console
- Entra Agent ID Governance

Focus: Visibility and monitoring of agent activities, performance, and compliance.
- Agent Inventory
- Usage Analytics
- Compliance Reporting
- Incident Management
- Cost Tracking
- Orphaned Agent Detection
- PPAC Security Posture
- Copilot Hub
- Sentinel Integration
- Hallucination Feedback
- Centralized Inventory Enforcement
- Exception & Override Management
- Agent 365 Admin Center Analytics
- Custom Agent Telemetry

Focus: Govern SharePoint content accessed by agents with specific access, retention, and security controls.
- Information Access Governance
- Access Reviews
- Retention Management
- Guest Access Controls
- Security Monitoring
- Grounding Scope Governance
- M365 Copilot Data Governance
- Item-Level Permission Scanning for Agent Knowledge Sources
- Embedded File Content Governance

The framework covers compliance requirements for:
- FINRA: Rules 3110, 4511, 4512, 2111 (Suitability)
- SEC: Rules 17a-3/4, 10b-5, Reg BI, Reg S-P
- SOX: Sections 302, 404 (internal controls and reporting)
- GLBA: Sections 501, 504, 505 (safeguards and privacy)
- OCC: Bulletin 2011-12 and SR 26-2 (formerly SR 11-7) (model risk management)
- Federal Reserve: SR 26-2 (formerly SR 11-7) (model risk, fair lending)

Controls are documented for implementation in three governance zones:
- Zone 1: Personal Productivity - Individual development, low risk
- Zone 2: Team Collaboration - Departmental agents, medium risk
- Zone 3: Enterprise Managed - Organization-wide, high risk, customer-facing

For questions about specific controls or implementation guidance:
- Review the control file for detailed verification steps
- Contact your AI Governance Lead
- Escalate to Compliance Officer for regulatory questions
- Contact your technical implementation team for platform-specific guidance

FSI Agent Governance Framework v1.4.0 - April 2026