With the growing use of user-created agents in SharePoint and Microsoft 365 Copilot Chat, it is imperative that organizations implement robust IT governance controls to ensure proper management, security, and compliance. Although users create the agents, it is the organization’s responsibility to implement IT governance controls to protect its business data.

That said, it is important for users to understand how and why their agents interact with the governance controls put in place by their company. Microsoft 365 Copilot includes tools designed to support governance strategies across a wide range of use cases, including user-created agents in SharePoint and Copilot Chat, as well as advanced agents developed in Copilot Studio. When organizations have the necessary controls in place, as illustrated in the diagram below, they can confidently deploy and manage their AI initiatives.

The Importance of IT Governance Controls
Establishing robust IT governance controls for agents is essential to ensure their secure, compliant, and effective use within organizations. Organizations that implement comprehensive policies, risk management practices, access controls, data management strategies, performance monitoring, and training programs can maximize the benefits of agents while minimizing potential risks in their Microsoft 365 environment. Adhering to best practices and continuously improving governance controls enables organizations to fully leverage these innovative tools and drive success in the modern digital landscape.

When you use an agent, you have access to the sites, pages, and documents included in the agent’s knowledge sources for which you already have permissions. Depending on a user’s Copilot license, their agents may also provide access to Microsoft Graph data, subject to the permissions and configurations defined by the organization. If the user does not have permission to access specific content—even if that content is included in the agent’s knowledge sources—they will not be able to view information from that content in their conversation with the agent.

Implementing IT governance controls for agents is crucial for several reasons:

• Ensuring Compliance: Agents, like any other IT system, must comply with applicable laws, regulations, and industry standards. Effective governance controls help organizations meet these requirements, avoiding legal and financial penalties. For example, compliance with sector-specific regulations such as HIPAA in healthcare is essential. Compliance requirements may vary depending on the industry and applicable regulations.
• Enhancing Security: Security is a major concern in agent deployment. Appropriate governance controls ensure that agents operate in secure environments, protecting sensitive data from unauthorized access and reducing potential threats. For instance, organizations often implement encryption protocols to secure data and prevent breaches.
• Maintaining Quality: Governance controls help maintain the quality and reliability of agents by establishing standards for their development, deployment, and operation. These controls ensure that agents perform as expected and deliver accurate and useful results. For example, regular testing and validation of agent functionalities help maintain high quality standards.
• Promoting Accountability: By defining roles and responsibilities, IT governance controls promote accountability within the organization. This ensures that individuals involved in agent deployment and management understand their duties and can be held accountable for their actions. For example, establishing a clear chain of command and reporting structure within the IT department can strengthen accountability.

---

Key IT Governance Controls for Agents
To establish effective IT governance for agents, organizations should consider implementing the following controls:

• Policy Development: Create comprehensive policies that define the use, management, and security of agents. These policies should cover areas such as data privacy, access control, and compliance with relevant regulations. For example, a policy might require that all data processed by agents be encrypted and securely stored.
• Risk Management: Conduct regular risk assessments to identify potential threats and vulnerabilities related to agents. Implement risk mitigation strategies to address identified risks and ensure agents operate within acceptable risk levels. For example, deploying firewalls and intrusion detection systems can reduce the risk of cyberattacks.
• Access Control: Establish robust access control mechanisms to restrict unauthorized access to agents. Implement role-based access control (RBAC) to ensure that only authorized individuals can deploy, manage, and interact with agents. An example is using multi-factor authentication (MFA) to enhance security.
• Data Management: Implement data management practices that ensure the integrity, confidentiality, and availability of data processed by agents. These practices include data encryption, backup procedures, and recovery protocols. For example, regular backups can prevent data loss in case of system failure.
• Performance Monitoring: Continuously monitor agent performance to ensure they operate efficiently. Use performance indicators and metrics to identify and resolve potential issues. An example is setting up dashboards and alerts to track agent performance in real time.
• Training and Awareness: Provide ongoing training and awareness programs to employees so they understand the importance of IT governance controls and their role in maintaining them. These programs can include training on policy compliance, security practices, and proper agent usage. For example, hosting regular workshops and refresher sessions can help employees stay informed about best practices.

Best Practices for Implementing IT Governance Controls with Agents
To successfully implement IT governance controls for agents, organizations should follow these best practices:

• Engage Stakeholders: Involve key stakeholders, including IT, legal, and compliance teams, in the development and implementation of governance controls. This practice ensures that the controls are comprehensive and meet the needs of all concerned parties. For example, collaborating with the legal team can ensure that policies comply with applicable laws and regulations.
• Establish a Governance Framework: Develop a governance framework that defines the processes, roles, and responsibilities for managing agents. This framework should align with the organization’s goals and priorities. For instance, creating a detailed governance charter can help clarify the scope and structure of the framework.
• Conduct Regular Audits and Reviews: Perform regular audits and reviews of agents and their governance controls to ensure they remain effective and compliant with current standards. Promptly address any identified gaps or deficiencies. For example, annual audits can help identify and resolve compliance issues.
• Continuous Improvement: Adopt a continuous improvement approach to governance controls by regularly updating policies, procedures, and practices based on feedback, industry trends, and emerging threats. For example, incorporating feedback from users and stakeholders can help refine and enhance governance practices.

Next Unit: Module Assessment