Governance for AI Agents
Design governance frameworks for agent registration, approval workflows, data residency compliance, and access controls on grounding data and model tuning.
Governance is the guardrails, not the brakes
Imagine a city with no building codes. Anyone can build anything, anywhere, with any materials. Some buildings will be great. Some will collapse. Nobody knows which buildings exist or who is responsible for them.
AI governance is like building codes for agents. You register every agent (know what exists). You require approvals based on risk (high-risk agents get more scrutiny). You enforce data residency (data stays where the law says it must). You control who can change the knowledge and tuning data that shapes agent behaviour.
Good governance enables AI adoption: it removes the fear that blocks deployment.
The four governance pillars
| Pillar | Purpose | Key Design Decisions |
|---|---|---|
| Agent registry | Central catalogue of all agents in the organisation | What metadata to capture (owner, purpose, data access, risk level, deployment status). Where to host the registry. How to enforce registration. |
| Approval workflows | Risk-based review gates before agents reach production | How many tiers (typically 3). Who approves at each tier. What evidence is required (impact assessment, security review, legal review). |
| Data residency | Ensuring data stays where regulatory and policy requirements demand | Which regulations apply (GDPR, APRA, HIPAA). Where model inference happens (inference = data processing). Cross-border data movement controls. |
| Access controls on data | Controlling who can modify grounding data and model tuning data | Role-based access to knowledge sources. Approval for training data changes. Audit trail for all data modifications. |
Agent registry
Every agent in the organisation should be registered in a central catalogue. The registry answers fundamental questions: what agents exist, who owns them, what data do they access, and what risk do they pose.
| Registry Field | Purpose | Example |
|---|---|---|
| Agent name | Unique identifier | "Vanguard Financial Advisory Agent" |
| Owner | Accountable person or team | Dev Patel, AI Platform Team |
| Purpose | What the agent does | "Provides portfolio summaries and market insights to wealth clients" |
| Platform | Where the agent is built | Copilot Studio, Foundry, D365 built-in |
| Data sources | What data the agent accesses | D365 Finance (client portfolios), SharePoint (market research), Bloomberg API |
| Risk level | Classified risk tier | High: accesses financial data and provides advisory content |
| Deployment status | Current state | Production since 2025-03-15 |
| Last review date | When governance review last occurred | 2025-09-01 |
Approval workflows
Not every agent needs the same level of scrutiny. Risk-based tiers keep governance proportionate:
| Tier | Risk Level | Approval Process | Examples |
|---|---|---|---|
| Tier 1 (Low) | No sensitive data, no customer-facing output | Auto-approve with registration | Internal FAQ bot, meeting scheduler |
| Tier 2 (Medium) | Accesses business data or produces customer-visible content | Manager approval plus security review | Sales assistant, HR policy bot |
| Tier 3 (High) | Accesses sensitive/regulated data or makes decisions with business impact | Security review, legal review, executive sponsor, responsible AI assessment | Financial advisory agent, clinical decision support, credit risk agent |
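The registry fields and the three approval tiers above fit together as one record type: the metadata the registry captures is what decides the tier, and the tier decides which approvals must exist before the agent may reach production. The following is an added example (not code from the course or from any Microsoft product) showing that link; the data-classification labels, the `makes_decisions` flag and the approval names are assumptions made for the example, and the two sample agents are constructed from the page's own examples.

```python
"""Agent registry record with risk-tier classification and a production gate.
Added example; the field names and approval labels are assumptions, not a product schema."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Tier(Enum):
    LOW = 1      # auto-approve with registration
    MEDIUM = 2   # manager approval plus security review
    HIGH = 3     # security, legal, executive sponsor, responsible AI assessment


# Evidence required at each tier, mirroring the page's three-tier table.
REQUIRED_APPROVALS = {
    Tier.LOW: ["registration"],
    Tier.MEDIUM: ["registration", "manager", "security_review"],
    Tier.HIGH: ["registration", "security_review", "legal_review",
                "executive_sponsor", "responsible_ai_assessment"],
}

# Constructed classification labels that make an agent "sensitive/regulated" (Tier 3).
SENSITIVE_CLASSES = {"financial", "health", "pii", "regulated"}


@dataclass
class AgentRecord:
    name: str
    owner: str
    purpose: str
    platform: str
    data_sources: list[str]
    data_classes: set[str]            # classification of the data accessed, e.g. {"financial"}
    customer_facing: bool             # produces customer-visible output
    makes_decisions: bool             # makes decisions with business impact
    deployment_status: str = "draft"
    last_review: date | None = None
    approvals: set[str] = field(default_factory=set)

    def tier(self) -> Tier:
        """Classify from the registry metadata, following the tier table's criteria."""
        if self.data_classes & SENSITIVE_CLASSES or self.makes_decisions:
            return Tier.HIGH
        if self.data_classes or self.customer_facing:
            return Tier.MEDIUM
        return Tier.LOW

    def missing_approvals(self) -> list[str]:
        return [a for a in REQUIRED_APPROVALS[self.tier()] if a not in self.approvals]

    def validate(self) -> list[str]:
        """Return registration problems; an empty list means the record is complete."""
        problems = []
        for name in ("name", "owner", "purpose", "platform"):
            if not getattr(self, name).strip():
                problems.append(f"missing {name}")
        if not self.data_sources:
            problems.append("no data sources declared")
        if self.deployment_status == "production" and self.missing_approvals():
            problems.append("in production without approvals: "
                            + ", ".join(self.missing_approvals()))
        return problems


def production_gate(agent: AgentRecord) -> bool:
    """True only when the record is complete and every approval for its tier is present."""
    return agent.validate() == [] and agent.missing_approvals() == []


# Constructed sample records based on the page's examples.
vanguard_advisor = AgentRecord(
    name="Vanguard Financial Advisory Agent",
    owner="Dev Patel, AI Platform Team",
    purpose="Provides portfolio summaries and market insights to wealth clients",
    platform="Copilot Studio",
    data_sources=["D365 Finance", "SharePoint market research", "Bloomberg API"],
    data_classes={"financial"},
    customer_facing=True,
    makes_decisions=False,
    approvals={"registration", "security_review"},
)
faq_bot = AgentRecord(
    name="Internal FAQ bot", owner="IT Service Desk",
    purpose="Answers internal IT questions", platform="Copilot Studio",
    data_sources=["IT knowledge base"], data_classes=set(),
    customer_facing=False, makes_decisions=False, approvals={"registration"},
)

if __name__ == "__main__":
    for agent in (vanguard_advisor, faq_bot):
        print(agent.name, agent.tier().name, "gate:", production_gate(agent),
              "missing:", agent.missing_approvals())
```

The gate is deliberately derived from the record rather than from a free-text "risk level" field: if a team later adds a financial data source to a registered Tier 1 agent, the tier and the required approvals change with it.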
Data residency and movement compliance
Data residency is about WHERE data is stored AND processed. For AI, model inference counts as data processing.
- Storage residency: where is the data at rest? Dataverse, Azure storage, SharePoint each have a geographic configuration.
- Processing residency: where does the model run inference? If your data is in Australia but the model endpoint is in the US, the data crosses borders during inference.
- Transit controls: how is data protected in motion between regions? Encryption in transit, VPN tunnels, private connectivity.
- Regulatory mapping: which regulations apply? GDPR (EU), APRA (Australia), HIPAA (US health), CCPA (California), PIPL (China). Each has specific data residency requirements.
Design pattern for keeping data in-region:
- Deploy model endpoints in the same region as the data
- Use Standard or Data Zone deployment types; Global deployment types may process data outside your selected region
- Use Azure regions that support the required AI services
- Configure Dataverse environments with the correct geographic region
- Use Azure Private Link to keep traffic off the public internet
- Audit data movement with Microsoft Purview
Important caveat: Deploying an Azure resource in a specific region does not automatically guarantee data residency. For Foundry/OpenAI deployments, Global and Data Zone deployment types can process prompts and responses outside the single region. Always verify the deployment type supports your residency requirements.
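The design pattern and the caveat above amount to a checklist that can be evaluated against an architecture before it is approved: every data store must sit in the required geography, the inference endpoint must sit there too (inference is processing), the deployment type must actually bind processing to that region, and traffic should stay on private connectivity. The check below is an added example, not a Microsoft tool; the region-to-geography map is a constructed subset, the deployment-type semantics follow the caveat on this page, and the two architectures it evaluates are constructed from the exam scenario later on this page (Dataverse in Australia East, endpoint in US West 2).

```python
"""Residency check for an AI architecture: data at rest, inference location,
deployment type and transit path. Added example; region map is a constructed subset."""
from dataclasses import dataclass
from enum import Enum

# Constructed mapping of region name to geography (real Azure has many more regions).
REGION_GEOGRAPHY = {
    "australiaeast": "Australia",
    "australiasoutheast": "Australia",
    "westus2": "United States",
    "eastus": "United States",
    "westeurope": "Europe",
    "northeurope": "Europe",
}


class DeploymentType(Enum):
    STANDARD = "Standard"    # processing bound to the deployment's own region
    DATA_ZONE = "DataZone"   # processing bound to a data zone, not a single region
    GLOBAL = "Global"        # processing may happen outside the selected region


@dataclass
class DataStore:
    name: str
    region: str


@dataclass
class ModelEndpoint:
    name: str
    region: str
    deployment_type: DeploymentType


@dataclass
class Finding:
    severity: str   # "high" blocks approval; "medium"/"low" require follow-up
    message: str


def check_residency(stores, endpoint, required_geography, private_link):
    """Return findings for every way the architecture can move data across the boundary."""
    findings = []
    # 1. Storage residency: each store must be at rest inside the required geography.
    for store in stores:
        geo = REGION_GEOGRAPHY.get(store.region)
        if geo != required_geography:
            findings.append(Finding("high", f"{store.name} is at rest in {store.region} "
                                            f"({geo}), outside {required_geography}"))
    # 2. Processing residency: the inference endpoint is where prompts are processed.
    ep_geo = REGION_GEOGRAPHY.get(endpoint.region)
    if ep_geo != required_geography:
        findings.append(Finding("high", f"inference endpoint {endpoint.name} is in "
                                        f"{endpoint.region} ({ep_geo}); prompts cross the "
                                        f"{required_geography} boundary on every call"))
    # 3. Deployment type: region placement alone does not guarantee in-region processing.
    if endpoint.deployment_type is DeploymentType.GLOBAL:
        findings.append(Finding("high", "Global deployment type may process prompts and "
                                        "responses outside the selected region"))
    elif endpoint.deployment_type is DeploymentType.DATA_ZONE:
        findings.append(Finding("medium", "Data Zone deployment type processes within a data "
                                          "zone, not a single region; confirm the zone "
                                          "satisfies the residency requirement"))
    # 4. Transit: without private connectivity, traffic between services uses the public internet.
    if not private_link:
        findings.append(Finding("low", "no Private Link; inter-service traffic transits "
                                       "the public internet"))
    return findings


def is_compliant(findings):
    return not any(f.severity == "high" for f in findings)


# Constructed architectures from the exam scenario on this page.
DATAVERSE_AU = [DataStore("Dataverse", "australiaeast")]
US_ENDPOINT = ModelEndpoint("foundry-gpt", "westus2", DeploymentType.STANDARD)
AU_ENDPOINT = ModelEndpoint("foundry-gpt", "australiaeast", DeploymentType.STANDARD)
AU_GLOBAL_ENDPOINT = ModelEndpoint("foundry-gpt", "australiaeast", DeploymentType.GLOBAL)

if __name__ == "__main__":
    for label, ep in (("US endpoint", US_ENDPOINT), ("AU standard", AU_ENDPOINT),
                      ("AU global", AU_GLOBAL_ENDPOINT)):
        findings = check_residency(DATAVERSE_AU, ep, "Australia", private_link=True)
        print(label, "compliant" if is_compliant(findings) else "NOT compliant")
        for f in findings:
            print("  ", f.severity, f.message)
```

The third case is the one the caveat is about: the endpoint is deployed in Australia East, the data never leaves Australia at rest, and the design still fails because a Global deployment type does not bind processing to the region.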
Access controls on grounding data and model tuning
The data that feeds agents and models is just as sensitive as the output. Controlling who can modify it is critical:
- Knowledge source access: who can add, update, or remove documents from an agent's knowledge base? A malicious or accidental change to knowledge sources can completely alter agent behaviour.
- Training data access: who can modify the datasets used to fine-tune models? Unauthorised training data changes can introduce bias or degrade quality.
- Model tuning access: who can change prompt templates, system messages, or fine-tuning parameters? These directly control model behaviour.
- Audit trail: every change to grounding data, training data, and tuning parameters must be logged with who, what, when, and why.
Scenario: Yuki designs Vanguard's AI governance framework
Yuki Tanaka (compliance officer at Vanguard Financial Group) designs the enterprise AI governance framework:
Agent registry: Hosted in a dedicated SharePoint list with Power Automate workflows for registration. Every new agent must be registered before development begins. The registry feeds a Power BI dashboard for executive visibility.
3-tier approval process:
- Tier 1 (low risk): IT self-service. Auto-approved upon registration. Example: internal IT help desk bot.
- Tier 2 (medium risk): Requires approval from the business unit head and a security checklist review. Example: customer service Copilot customisation.
- Tier 3 (high risk): Full review: security assessment by Marcus's team, legal review for regulatory compliance, executive sponsor sign-off, responsible AI impact assessment. Example: financial advisory agent, credit risk model.
Data residency for APRA compliance:
- All Vanguard customer data must be processed within Australia
- Yuki verifies that D365 Finance runs in the Australia East Azure region
- The Foundry model endpoint is deployed in Australia East
- SharePoint knowledge sources are in the Australia geography
- Azure Private Link ensures data never transits the public internet between services
Access controls:
- Knowledge source updates require approval from the content owner plus the compliance team
- Training data changes require approval from the data steward plus the model owner
- Prompt template changes require approval from the AI Platform team lead
- All changes logged in an immutable audit trail (Azure Immutable Blob Storage)
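The access-control section above and Yuki's scenario describe the same mechanism from two angles: a change to a knowledge source, training dataset or prompt template is applied only once the roles named in the policy have signed off, and every attempt, including rejected ones, lands in an audit record with who, what, when and why. The following is an added example (not the course's or Microsoft's code) that enforces Yuki's approval matrix and writes a hash-chained audit trail; the role names, the asset identifiers and the SharePoint path are constructed for the example, and the hash chain is an assumption about how tamper-evidence might be implemented, standing in for the immutable blob storage the scenario uses.

```python
"""Approval-gated changes to grounding data with a tamper-evident audit trail.
Added example; role labels and asset ids are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Approval matrix from Yuki's scenario (role labels are assumptions for this example).
REQUIRED_APPROVERS = {
    "knowledge_source": {"content_owner", "compliance"},
    "training_data": {"data_steward", "model_owner"},
    "prompt_template": {"ai_platform_lead"},
}

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each record carries the hash of the previous one,
    so editing or deleting any earlier record breaks verification."""

    def __init__(self):
        self.records = []

    def append(self, record: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {**record, "prev_hash": prev}
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self.records.append(body)
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class ChangeRejected(Exception):
    pass


def apply_change(asset_type, asset_id, actor, roles_signed_off, reason, trail, when=None):
    """Apply a change only if every required role has signed off; log either outcome."""
    when = when or datetime.now(timezone.utc).isoformat()
    missing = REQUIRED_APPROVERS[asset_type] - set(roles_signed_off)
    entry = {"asset_type": asset_type, "asset": asset_id, "who": actor,
             "when": when, "why": reason, "approvals": sorted(roles_signed_off)}
    if missing:
        # The rejected attempt is logged too: it is the signal for a missing-control alert.
        trail.append({**entry, "what": "change rejected",
                      "missing_approvals": sorted(missing)})
        raise ChangeRejected(f"{asset_type} {asset_id}: missing {sorted(missing)}")
    return trail.append({**entry, "what": "change applied"})


if __name__ == "__main__":
    trail = AuditTrail()
    doc = "sharepoint://market-research/q3-outlook.pdf"   # constructed asset id
    try:   # the unreviewed update from the knowledge-check scenario
        apply_change("knowledge_source", doc, "data.engineer", [], "add Q3 research", trail)
    except ChangeRejected as exc:
        print("blocked:", exc)
    apply_change("knowledge_source", doc, "data.engineer",
                 ["content_owner", "compliance"], "add Q3 research (reviewed)", trail)
    print("chain valid:", trail.verify(), "records:", len(trail.records))
```

The chain makes tampering detectable, not impossible: anyone who can rewrite the whole log can rebuild every hash. That is why the scenario stores the trail in immutable (write-once) storage; the chain then lets a reviewer prove that what they are reading is exactly what was written.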
Exam tip: data residency is about processing, not just storage
This is a frequently tested concept:
- Data at rest in Australia does not satisfy residency requirements if the model endpoint is in the US. Inference is processing. Processing must also be in-region.
- Cross-border data movement happens any time data leaves a geographic boundary, even temporarily during an API call to a model endpoint.
- The exam may describe a scenario where data is stored locally but the AI service is in another region. The correct answer involves deploying the AI service in the same region as the data.
- Microsoft 365 data residency is separate from Azure data residency. Know which services respect M365 geographic boundaries and which require separate Azure region selection.
Knowledge check
Yuki discovers that a team has deployed a Copilot Studio agent to production without going through the governance process. The agent accesses customer financial data. What is the most appropriate first action?
An architect designs a solution where customer data is stored in Dataverse (Australia East) but the Foundry model endpoint is deployed in US West 2 because it offers newer GPU instances. The solution serves Australian financial services clients regulated by APRA. What is the problem?
A data engineer updates the knowledge sources for a financial advisory agent by adding new market research documents to the agent's SharePoint library. No one reviews the change. Two days later, the agent starts giving inaccurate investment guidance. What governance control was missing?
Next up: Prompt Security: analysing AI vulnerabilities including prompt injection, data poisoning, and model extraction, and the mitigations that defend against them.