DataBlocks journal day 2 – Governance!

From the start, we treated governance as a must-have. Since our solution combines AI agents, Power Platform, and a Minecraft integration, we needed clear boundaries around risk, permissions, and visibility. Here's what we've implemented so far:

1. Environment Strategy: Risk-Based Zoning

We defined five environment groups, organized into three zones by risk and usage pattern (Green, Yellow, and Red with separate DEV, TEST, and PROD environments):

  • Green Zone
    Intended for low-risk experimentation and learning.
    Very limited permissions, no sharing of agents, and a minimal connector set.
  • Yellow Zone
    Used for POCs and internal, departmental agents.
    Agents can be shared and published, but usage is limited to smaller audiences and a controlled set of connectors.
  • Red Zone – DEV / TEST / PROD
    These environments are considered high risk by design. They allow broader permissions, richer connector access, and agents or apps that may be used by a large number of users.

2. DLP Policies Aligned to Risk

Each zone has its own Data Loss Prevention (DLP) policy, aligned with the intended risk level.

  • Green Zone DLP
    • Very limited connectors
    • Designed to prevent accidental data exposure
  • Yellow Zone DLP
    • Supports publishing to Teams and M365 Copilot
    • Expanded connector set
    • Intended for controlled internal use and experimentation
  • Red Zone DLP
    • Broad sharing allowed across the organization
    • Expanded connector availability, enabled on demand
    • Intended for production-grade solutions

3. Red Zone Configuration for the Minecraft Integration

Our Minecraft integration is hosted in the Red Zone, as expected for a solution with real-time interaction, agents, and external APIs. Through the Red Zone DLP policy, we explicitly enabled the following connectors:

  • DocumentCorePack (Dataverse / mscrm)
    Used for storing game sessions, players, and state.
  • Direct Line channel in Copilot Studio
    Required to develop our Bot Framework skill and connect it to agents using Direct Line.
  • Public website knowledge sources in Copilot Studio
    Used to retrieve Minecraft commands and related data from public sources.

Nothing is enabled by default; connectors are enabled on demand, and only after a risk assessment.

4. Visibility and Risk Detection with DSPM for AI

We use DSPM for AI to maintain an overview of all agents in the environment.

This allows us to:

  • Identify risky agents
  • Detect risky behaviors
  • Understand where agents are shared and how they’re being used

This gives us governance at the agent level, not just at the environment level.

5. Access Controls and AI Specific Policies

Using Global Secure Access, we collect traffic logs related to agent activity and outbound requests. This allows us to:

  • Configure alerts
  • Enforce allowed or blocked web destinations
  • Detect unusual or unexpected traffic patterns

6. Auditing and Bot Activity Tracking

Audit logging is enabled, and bot activity logs are available. We've already identified and extracted key governance events, such as:

  • Bot created or deleted
  • Bot published
  • Bot shared
  • Authentication mechanism updated (one of the most critical signals)
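As an added example (our own illustration, not the DataBlocks team's code and not a Microsoft tool), here is a small triage script that turns the event list above into severity-rated findings and also flags the sequence a reviewer cares about most: an agent being published shortly after its authentication mechanism was changed. The operation names, the record fields, the one-hour window, and the sample export are all assumptions constructed for the example; they are not the Purview audit export schema, so map them to the operation names your tenant actually emits.

```python
"""Triage of Copilot Studio governance events from an audit export.

Added example, not the DataBlocks team's code. Record layout and operation
names are ASSUMED, modelled on the event list in this journal entry; they
are not the Microsoft Purview export schema.
"""
import json
from datetime import datetime, timedelta

# Severity per governance event (assumed operation names). An authentication
# change is critical because it changes who can reach the agent at all.
SEVERITY = {
    "BotCreated": "low",
    "BotDeleted": "medium",
    "BotPublished": "medium",
    "BotShared": "medium",
    "BotAuthenticationUpdated": "critical",
}

# A publish this soon after an auth change deserves a human look
# (window chosen for the example, not a Microsoft default).
PUBLISH_AFTER_AUTH_WINDOW = timedelta(hours=1)


def load_events(export_text):
    """Parse a newline-delimited JSON export into events sorted by time."""
    events = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return one finding per governance event, plus a correlation finding
    when a bot is published within the window after its auth was updated."""
    findings = []
    last_auth_change = {}  # bot id -> timestamp of the latest auth update
    for event in events:
        op = event["Operation"]
        if op not in SEVERITY:  # conversation transcripts etc. are ignored
            continue
        bot = event["BotId"]
        findings.append({
            "bot": bot, "user": event["UserId"], "operation": op,
            "severity": SEVERITY[op], "time": event["CreationTime"],
        })
        if op == "BotAuthenticationUpdated":
            last_auth_change[bot] = event["ts"]
        elif op == "BotPublished":
            changed = last_auth_change.get(bot)
            if changed is not None and event["ts"] - changed <= PUBLISH_AFTER_AUTH_WINDOW:
                findings.append({
                    "bot": bot, "user": event["UserId"],
                    "operation": "PublishAfterAuthChange",
                    "severity": "critical", "time": event["CreationTime"],
                })
    return findings


def count_by_severity(findings):
    """Summarize findings as {severity: count}."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


# Constructed sample export (not real tenant data, not the Purview format).
SAMPLE_EXPORT = """
{"CreationTime": "2026-01-22T09:00:00", "UserId": "alice@example.test", "Operation": "BotCreated", "BotId": "bot-minecraft"}
{"CreationTime": "2026-01-22T09:05:00", "UserId": "alice@example.test", "Operation": "BotShared", "BotId": "bot-minecraft"}
{"CreationTime": "2026-01-22T10:00:00", "UserId": "bob@example.test", "Operation": "BotAuthenticationUpdated", "BotId": "bot-minecraft"}
{"CreationTime": "2026-01-22T10:20:00", "UserId": "bob@example.test", "Operation": "BotPublished", "BotId": "bot-minecraft"}
{"CreationTime": "2026-01-22T11:00:00", "UserId": "alice@example.test", "Operation": "BotPublished", "BotId": "bot-helpdesk"}
{"CreationTime": "2026-01-22T11:30:00", "UserId": "alice@example.test", "Operation": "ConversationTranscript", "BotId": "bot-helpdesk"}
"""

if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE_EXPORT)):
        print(f"[{finding['severity']:8}] {finding['time']} {finding['bot']} "
              f"{finding['operation']} by {finding['user']}")
```

Run on the sample, the script produces five plain findings and one correlation finding: the Minecraft bot's publish twenty minutes after bob changed its authentication is reported as critical, while the helpdesk bot's publish with no preceding auth change stays at medium. Feeding a real export only requires mapping the operation names and timestamp field to what your tenant logs.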

There are many interesting tools here to explore and test! We're looking forward to seeing new features and the results from the reports and insights.

You can find our GitHub repo here: https://github.com/bricenocar/acdc2026

#Sharing is Caring

Stay tuned!