▲ WORKING PAPER · AI AGENT GOVERNANCE REF AG·2026·07 — COPILOT · BEDROCK · QUICK SUITE
The control-mapping matrix

Platforms ship primitives,
not governance.

The financial-control playbook — least privilege, segregation of duties, audit trails, four-eyes sign-off, kill switches — is a century old. Here it is mapped onto AI agents across three surfaces — Microsoft Copilot, AWS Bedrock and AWS Quick Suite — against DORA, the EU AI Act and ISO 42001. Ten controls. Three surfaces. One column that never fills in.

Tickmarks — how coverage is marked on this paper
Native
The platform gives you this out of the box. Turn it on and it works.
Partial
Present, but configuration-dependent — you must assemble it and prove it holds.
Δ
The gap
Δ is the difference. The platform doesn't do this — you design, run and evidence the control.

Read each row left to right: the classic control it descends from, the native primitive each surface exposes, the obligation it maps to — and the Δ gap, the part no vendor hands you. The primitives are converging fast. The Δ column is the job, and it's the same job on every platform.

Why two AWS columns

On AWS, governance has two faces. Bedrock / AgentCore is the build layer — you write agent code and wire controls from primitives (IAM, Cedar policy, Guardrails). Quick Suite is the buy layer — the packaged agentic workspace where the same controls are admin-configured in a console (custom permissions, S3 ACLs, per-action approvals). Quick Suite runs on Bedrock underneath, so it inherits the foundation but exposes governance very differently — and it's the surface most knowledge-worker deployments actually touch.

Control
10 controls shown
01
Identity & Least Privilege
classic control — a person gets only the access their role requires. An agent is just a new kind of identity. Treat it the same.
Microsoft Copilot
Each agent gets its own Entra Agent ID — not a shared service account. Scoped via OAuth2 delegated scopes, governed by Conditional Access for agents (network, device, risk) and access packages in Entra ID Governance.
AWS Bedrockbuild
AgentCore Identity binds each agent to an IAM role; Cedar policy at the AgentCore Gateway makes an allow/deny decision on every tool call, outside the model's reasoning.
AWS Quick Suitebuy
Custom permissions at account / role / user levels (user overrides role overrides account) restrict capabilities — Chat Agents, Flows, Actions, Research. S3 knowledge-base document ACLs (ALLOW/DENY) are enforced at query time, so answers include only what the user may see.
maps to
AI Act Art. 26 — use in scope DORA — ICT access mgmt ISO 42001 — access control
ΔThe gap — you own this
Every surface here can scope access. None of them proves it was right. Least privilege as a control means a periodic access recertification, a named owner who attests, and a duty-separation map of which agent may touch which system. That review cadence, and the evidence of it, is yours to build.
Evidence an examiner asks forQuarterly access recertification per agent, signed by a named owner · permission baseline vs. actual configuration diff · the agent-to-system authorization map.
02
Segregation of Duties
classic control — whoever builds a control can't also approve it and monitor it. Four eyes, not one.
Microsoft Copilot
Agent 365 splits the builder (Copilot Studio maker) from the admins (Entra / Purview / Defender) and assigns each agent a human sponsor accountable for it. Onboarding and approval workflows gate deployment.
AWS Bedrockbuild
A multi-account strategy with SCPs separates dev / prod and data-governance accounts; Agent Registry approval workflows gate publication; IAM separates who may publish from who may consume.
AWS Quick Suitebuy
Capability and data access split across account / role / user. Notably, Quick admins don't automatically get rights to manage custom permissions — a deliberate role-separation control. Spaces isolate teams and their data.
maps to
AI Act Art. 14 + 26 DORA — ICT governance roles ISO 42001 — roles & responsibilities
ΔThe gap — you own this
The platforms give you the seams — accounts, roles, sponsors, permission tiers. They don't draw your incompatible-duties map or stop one person holding maker, approver and monitor rights at once. Defining which duties conflict for agents, enforcing it in role design, and evidencing that no single person can build-approve-run an agent unchecked — that's a control you design.
Evidence an examiner asks forThe incompatible-duties matrix for agent roles · an admin-rights extract proving no identity holds maker + approver + monitor · the approval trail for each deployment.
03
Audit Trail & Record-Keeping
classic control — if it isn't logged, it didn't happen. Every consequential action must be attributable and reconstructable.
Microsoft Copilot
Purview audit plus eDiscovery and legal hold over agent interactions; Data Lifecycle Management sets retention; the Agent 365 registry and Defender signals give one activity view across agents.
AWS Bedrockbuild
CloudTrail logs every agent and API action; AgentCore Observability adds tracing and session replay; tag each agent with owner, cost-centre and use-case for attribution.
AWS Quick Suitebuy
Actions are logged through AWS CloudTrail; a built-in monitoring dashboard tracks agent interactions, flow triggers, outcomes and per-user usage for operational oversight.
maps to
AI Act Art. 12 — logging AI Act Art. 19 — log retention DORA — traceability
ΔThe gap — you own this
You get raw logs and a usage dashboard — not an audit file. An examiner doesn't want CloudTrail JSON or a console export; they want evidence that a specific decision was made within policy, by an authorized identity, on the inputs it actually saw. Turning native logs into a retained, tamper-evident, examiner-ready evidence pack — each field mapped to the obligation it satisfies — is the work.
Evidence an examiner asks forOne sampled action reconstructed end-to-end from retained logs (who, what, when, on which inputs) · retention configuration mapped to Art. 12/19 · immutability / tamper-evidence settings.
04
Human Oversight & Sign-Off
classic control — a human approves before the agent does something consequential or irreversible.
Microsoft Copilot
Copilot Studio supports approval steps and human-in-the-loop inside workflows; Apps in agents surface review / approve actions in the conversation; deterministic workflow steps wrap sensitive actions.
AWS Bedrockbuild
Human-in-the-loop is implemented in agent logic; AgentCore Policy can deterministically deny a tool call at the gateway, forcing escalation; approvals also gate the Agent Registry.
AWS Quick Suitebuy
Write-back actions (email, Slack, Salesforce, Jira) require a confirmation step by default; admins configure auto-approval rules per app. The gate is built in at the productivity layer — the one place Quick Suite is stronger out of the box than raw Bedrock.
maps to
AI Act Art. 14 — human oversight DORA — operational control ISO 42001 — operational planning
ΔThe gap — you own this
A confirmation prompt or a deny-rule is not oversight. Oversight means a named human with the authority and the information to intervene, a defined list of which actions need sign-off, and proof the human reviewed rather than rubber-stamped. Setting the consequentiality threshold, deciding which actions get auto-approved, and capturing the sign-off as evidence — yours.
Evidence an examiner asks forThe approved list of gated actions with thresholds · sampled sign-offs with reviewer identity and timestamp · at least one rejected action — a gate that never rejects is a rubber stamp.
05
Kill Switch & Circuit Breaker
classic control — you can stop it. Instantly. On a loop, a budget breach or an anomaly — pull the plug.
Microsoft Copilot
Agent 365 lets admins block an agent or restrict its access; Entra network controls cut off web destinations; Conditional Access can stop issuing tokens at runtime.
AWS Bedrockbuild
AgentCore Policy deny at the gateway halts tool calls outside the model's reasoning; revoke the IAM role; per-session microVM isolation contains and wipes state on termination.
AWS Quick Suitebuy
Disable capabilities at account / role / user via custom permissions — and programmatically (CloudTrail + EventBridge + Lambda) to auto-turn-off AI features across the account; revoke user access; disable a connector's actions.
maps to
AI Act Art. 14 — stop function DORA — resilience ISO 42001 — incident control
ΔThe gap — you own this
The off-switch exists; the runbook doesn't. Who is authorized to pull it, on what trigger, how fast, who gets notified, and how you resume safely — that's a tested operational procedure. An untested kill switch is a button nobody knows when to press. You write it and you rehearse it.
Evidence an examiner asks forThe runbook itself (trigger, authority, notification chain) · a dated kill-switch drill with outcome · measured time-to-halt.
06
Data Governance & Residency
classic control — know what data it can touch, where that data lives, and stop sensitive data leaving.
Microsoft Copilot
Purview DLP, sensitivity-label propagation and DSPM for AI observability; external content kept out of Copilot; data stays in tenant, with Customer Lockbox over access.
AWS Bedrockbuild
Bedrock Guardrails sensitive-information filters redact PII in inputs and outputs; KMS encryption; residency by region; cross-account guardrails enforce org-wide.
AWS Quick Suitebuy
S3 document-level ACLs enforced at query time and carried into Quick Flows at runtime; IAM controls which buckets feed knowledge bases; runs in your AWS account and region, inheriting AWS data controls.
maps to
AI Act Art. 10 — data governance GDPR DORA — data protection
ΔThe gap — you own this
For a Luxembourg PSF the live question isn't "is there DLP" — it's where the inference runs, who the processor is, and whether that satisfies professional secrecy and EU data-residency rules. That's a data-flow map, a processor assessment and a residency decision per use case — a governance judgement no ACL or toggle can make for you.
Evidence an examiner asks forThe data-flow map per use case · processor and sub-processor assessment · the residency decision record · one ACL test showing a denied query.
07
Input / Output & Adversarial Robustness
classic control — validate what goes in and what comes out. Assume someone will try to trick it.
Microsoft Copilot
Defender blocks prompt-injection and malicious-prompt attacks before they act; Entra network controls filter risky file movement; content controls sit on agent I/O.
AWS Bedrockbuild
Bedrock Guardrails: content filters, denied topics, prompt-attack detection, Automated Reasoning checks against hallucination and contextual grounding for RAG; Guardrails for Code adds prompt-leakage detection.
AWS Quick Suitebuy
Agents carry personas and behaviour guidelines for consistent, compliant responses; inference runs on Bedrock-hosted models (Claude / Nova) with their built-in safety. Granular guardrail thresholds and injection testing are less exposed than configuring raw Bedrock directly.
maps to
AI Act Art. 15 — accuracy & cybersecurity DORA — resilience testing ISO 42001 — AI risk treatment
ΔThe gap — you own this
Vendors give probabilistic filters with vendor-set thresholds. Your risk appetite sets the thresholds, your red-team finds the injection paths specific to your data and tools, and your test evidence shows the controls hold. Filters are a capability; a tested robustness posture mapped to Art. 15 is a control. You run the attack-and-defend and keep the proof.
Evidence an examiner asks forThe injection / red-team test plan and results · threshold configuration tied to stated risk appetite · retest evidence after each material change.
08
Change & Version Management
classic control — no change to a production control without review, versioning and a rollback path. Models, prompts and tools are all changes.
Microsoft Copilot
Power Platform ALM (dev / test / prod environments, solutions) and versioning of Copilot Studio agents; Advanced Connector Policies re-validate at runtime; federated connectors carry a review window before reaching users.
AWS Bedrockbuild
Treat every agent, tool and memory config as a versioned, deployable artifact with its own repo and CI/CD; tool manifests carry compliance metadata; Application Inference Profiles pin model access.
AWS Quick Suitebuy
Controlled feature rollout — enable capabilities gradually per account / role / user group for staged testing before broad release, applied consistently across accounts via APIs. Formal versioning and rollback of agents is lighter than Bedrock's artifact + CI/CD model.
maps to
AI Act Art. 9 + 72 — change & monitoring DORA — change management ISO 42001 — lifecycle
ΔThe gap — you own this
The platforms give you the mechanics of versioning and staged rollout. Change governance — a change-advisory step for a model swap, an impact assessment when a prompt changes, the rule that a tool can't reach prod without sign-off, the link from each change to who approved it — is process you impose on top. A model silently updated underneath you is a change you have to detect and attest.
Evidence an examiner asks forA change log linking every model, prompt and tool change to its approval · one sampled impact assessment · rollback evidence.
09
Monitoring, Evaluation & Cost Control
classic control — watch it in production. Detect drift and anomalies. Don't let cost or behaviour run away.
Microsoft Copilot
Agent 365 risk flags from Defender / Entra / Purview signals; Viva Insights and the usage estimator track Copilot-credit spend; a 30-day DSPM view of AI activity.
AWS Bedrockbuild
AgentCore Evaluations continuously scores live traffic (correctness, tool-selection, harmfulness) with CloudWatch alerting; cost allocation by IAM role via CUR 2.0; per-session spend limits.
AWS Quick Suitebuy
A usage dashboard and analytics over agent interactions, flows and outcomes; agent-hours metered per second for cost control. Continuous automated quality scoring (as in AgentCore Evaluations) isn't built in — you'd add your own evaluation.
maps to
AI Act Art. 72 — post-market monitoring DORA — monitoring ISO 42001 — performance evaluation
ΔThe gap — you own this
Platforms score (or surface) quality and usage; they don't define acceptable. What's your minimum pass bar, which breach triggers which response, who owns the alert, and how findings feed back into the risk assessment — that's a monitoring control, not a dashboard. You set the thresholds and own the loop that closes when they're crossed.
Evidence an examiner asks forDocumented thresholds with named alert owners · one alert-to-action trail · review minutes feeding results back into the risk assessment.
10
Risk Classification & System Register
classic control — you can't govern what you haven't listed. Every system on the register, tiered by risk, with an owner.
Microsoft Copilot
The Agent 365 registry is a single inventory of every agent — owner, activity, health — with multi-cloud registry sync (including Bedrock) in preview.
AWS Bedrockbuild
Agent Registry (preview) catalogues agents, tools and MCP servers across clouds with ownership, approval workflows and CloudTrail audit.
AWS Quick Suitebuy
Agents, Spaces and assets are inventoried in the Manage Quick Suite console with ownership and permissions; Quick Suite agents can also surface in cross-cloud registries (e.g. Agent 365 sync). Risk-tier classification itself isn't a platform feature.
maps to
AI Act Art. 9 + risk tiering AI Act Art. 49 — registration DORA — ICT asset register
ΔThe gap — you own this
A platform registry lists agents; it doesn't classify them. Deciding each agent's EU AI Act risk tier, recording purpose, owner, legal basis and the controls that apply, and keeping that register current as the Act phases in — high-risk duties land Dec 2027 / Aug 2028 — is an AI-system register you maintain. The inventory is the input; the classification is the control.
Evidence an examiner asks forThe register itself, with tiering rationale per agent · review-cadence evidence · the reclassification trigger list.
The pattern

The native columns fill in. The Δ column never empties.

Run down the matrix and the trend is unmistakable: Microsoft and AWS are racing to ship the primitives — identity, logging, guardrails, kill switches, registries — and most rows are already green. The two AWS surfaces even differ in where the green sits: Bedrock leads on evaluation and deterministic policy, Quick Suite leads on built-in approvals and console-driven permissions. That's the easy part, and the vendors will keep winning it. But on every single row, the Δ gap is the same shape: the classification, the thresholds, the sign-offs, the evidence, the runbooks. None of that is in the box, and it's identical whether you run Copilot, Bedrock, Quick Suite, or all three.

And notice what 2026 did: every major vendor now ships a named governance control plane — Agent 365, AI Control Tower, Agent Fabric, Agent Gateway. Governance became the product pitch itself. Yet none of them classify your agents, set your thresholds, or sign your attestations. The green filling in faster isn't the thesis weakening — it's the thesis compounding.

That's the whole thesis. Because the gap is portable, the skill that closes it is portable too — and a risk manager who can translate a control framework into evidence a regulator accepts is worth more than any one platform's feature list. The tool is a commodity. The control is the craft.

If you're posting this — one row per post
  1. Open with the classic control — the century-old version everyone in finance already trusts.
  2. Show the surfaces side by side — proof you know what each platform ships in 2026, and where Quick Suite and Bedrock part ways.
  3. Land on the Δ gap — the part no vendor hands you. That's the hook, and the reason they need someone like you.
Next working paper
What changes in your RCM when an agent runs the process
Before/after risk & control matrix · one simulated agent run · autumn 2026 · iddi-labs.com