AI Governance for Power BI, Fabric, and Copilot: 100-Control Framework for Regulated Industries

TL;DR

• AI governance for Microsoft analytical platforms in 2026 must satisfy multiple converging frameworks: NIST AI Risk Management Framework, EU AI Act, sector-specific regulations (HIPAA, SR 11-7, FedRAMP), and Microsoft's own Responsible AI Standard. The frameworks overlap substantially but are not identical.
• The 100-control framework EPC Group has developed maps each AI-touching capability in Power BI, Microsoft Fabric, and Microsoft Copilot to specific controls across the relevant frameworks. The result: a single control catalog that satisfies multiple framework requirements with one operational discipline.
• The framework spans six control domains: data governance, model governance, deployment governance, operational governance, audit and evidence, and incident response. Each domain has 15–20 controls.
• For healthcare (HIPAA), the framework adds PHI handling, BAA validation, and clinical-safety overlays. For financial services (SR 11-7), the framework adds model risk management integration. For federal (FedRAMP), the framework adds NIST 800-53 mapping and ATO documentation.
• This guide details the framework, the control catalog, the implementation pattern, and the EPC Group methodology refined across substantial regulated-industry AI governance deployments.

Executive Summary

The AI governance challenge for enterprises running Power BI, Microsoft Fabric, and Microsoft Copilot in 2026 is not a lack of frameworks — it is too many frameworks. NIST AI RMF defines a process. The EU AI Act defines obligations. HIPAA Privacy Rule sets PHI handling expectations that apply when AI processes PHI. SR 11-7 sets model risk management expectations for banks. FedRAMP sets baseline expectations for federal-sector AI. Microsoft's Responsible AI Standard sets vendor expectations. Each framework has its own vocabulary, its own control taxonomy, and its own audit expectations.

For a healthcare CIO governing AI use, a bank's model risk function, or a federal agency CISO, the question is not "which framework do I follow?" but "how do I satisfy all of them efficiently?"

EPC Group's 100-control framework is the answer. It maps each AI capability in Power BI, Microsoft Fabric, and Copilot to specific controls across the relevant frameworks. A single control implementation produces evidence that satisfies multiple framework requirements. The control catalog is the master document that compliance, security, and AI governance functions reference.

This guide details the framework structure, the control domains, the regulatory-overlay mappings, and the implementation pattern.

Why a 100-Control Framework

The number is not arbitrary. After mapping all relevant frameworks against the AI surface in Microsoft analytical platforms, the consolidated control catalog lands at approximately 100 controls with reasonable granularity. Fewer controls would over-aggregate and miss specific requirements; more controls would over-decompose and become operationally unmanageable.

The 100 controls cover six domains:

Domain	Control count	Focus
Data governance	18	Data quality, sensitivity, lineage, lifecycle for AI training and inference
Model governance	22	Model development, validation, version control, deprecation
Deployment governance	14	Production deployment, rollback, monitoring
Operational governance	16	Day-to-day operations, capacity, performance
Audit and evidence	17	Audit logging, evidence retention, periodic review
Incident response	13	Incident detection, response, learning

The exact control list is customer-specific (depending on which frameworks apply to the customer's regulatory scope), but the structure is consistent.

The Six Control Domains

Domain 1: Data Governance (18 controls)

The data feeding AI models in Power BI, Fabric, and Copilot must be governed against:

• Data classification and sensitivity labeling.
• Data quality controls (completeness, accuracy, freshness).
• Data lineage from source to AI consumption.
• Data minimization (collect and retain only what's needed).
• Data retention and deletion patterns.
• PHI/PII handling for regulated data.
• Cross-border data transfer controls (for EU AI Act and GDPR alignment).
• Data subject rights handling.

Representative controls:

• DG-01: Every dataset feeding a production AI model has a documented data quality assessment.
• DG-07: Sensitivity labels are applied to all data assets in the analytical platform within 7 days of creation.
• DG-14: Data lineage from source to AI consumption is documented in Microsoft Purview.

Domain 2: Model Governance (22 controls)

The AI models themselves (in Power BI, this is largely Microsoft Copilot's underlying models; in Fabric, this includes both Copilot and custom AI built on Azure ML or Fabric Data Science):

• Model inventory and classification.
• Model development discipline (training data, validation methodology).
• Model approval workflow.
• Model performance monitoring.
• Model drift detection.
• Model deprecation and retirement.
• Fairness and bias assessment.
• Explainability (where the framework requires it).

For Microsoft Copilot specifically, the model is provided by Microsoft. The customer's governance focuses on:

• Acceptable use definitions for the Copilot capability.
• Synonyms and description overrides (the Copilot Tooling Format) being reviewed before production deployment.
• Output review patterns for high-stakes use cases.

Representative controls:

• MG-04: Every AI use case in the enterprise has a documented model card or equivalent describing purpose, training data scope, and known limitations.
• MG-11: Copilot synonym changes go through code review with both technical and business approval.
• MG-18: Model performance is reviewed quarterly for production AI use cases.

Domain 3: Deployment Governance (14 controls)

Moving AI capabilities from development to production:

• Pre-deployment review (technical + business + compliance).
• Phased rollout patterns (pilot → expanded pilot → broad rollout).
• Rollback procedures.
• Production change management.
• Communication to affected users.

Representative controls:

• DepG-02: No production AI capability is enabled tenant-wide without a documented pilot phase of at least 4 weeks.
• DepG-09: Production AI changes flow through the standard change management process with documented approval chain.

Domain 4: Operational Governance (16 controls)

Day-to-day operation of the AI capabilities:

• Capacity planning for AI workloads.
• Performance monitoring.
• Cost monitoring and chargeback.
• User access management.
• Sensitivity-label gating verification.
• Prompt-injection mitigation.

Representative controls:

• OG-03: Copilot capacity consumption is monitored daily with alerts on anomalous patterns.
• OG-08: Sensitivity-label coverage is audited monthly with remediation of any gaps within 14 days.

Domain 5: Audit and Evidence (17 controls)

Producing evidence for regulatory frameworks:

• Audit log routing to a SIEM (Microsoft Sentinel typical).
• Audit log retention per regulatory requirement.
• Audit log integrity verification.
• Periodic audit log review.
• Evidence packaging for annual audits.

Representative controls:

• AE-01: All Copilot interactions are captured in audit logs routed to the centralized SIEM.
• AE-09: Audit logs are retained per the longest applicable regulatory requirement (typically 6 years for HIPAA, 7 years for SOX).
• AE-15: Evidence packages for annual audits are produced 60 days before audit start.

Domain 6: Incident Response (13 controls)

Handling AI-related incidents:

• Incident detection patterns.
• Response procedures.
• Communication patterns.
• Lessons-learned integration.
• Regulatory notification (where required).

Representative controls:

• IR-03: AI incidents (including Copilot incidents) are categorized using a documented severity model.
• IR-08: Lessons learned from AI incidents are integrated into the control catalog within 30 days.

Regulatory Framework Overlays

NIST AI Risk Management Framework

NIST AI RMF defines a process for managing AI risk through Govern, Map, Measure, and Manage functions. The 100-control framework maps each control to one or more NIST AI RMF functions, providing the structured implementation of the NIST process.

EU AI Act

The EU AI Act introduces obligations based on AI system risk classification. The 100-control framework includes a classification process for each AI use case (mapping to High Risk, Limited Risk, Minimal Risk per the Act's structure) and the corresponding control implementations.

For enterprises operating in the EU or processing EU resident data, the Act's obligations apply. The framework's data-governance and audit-and-evidence domains carry most of the Act's specific requirements.

HIPAA

HIPAA's Privacy Rule and Security Rule apply when AI processes PHI. The framework adds healthcare-specific overlay controls:

• BAA validation for AI services.
• De-identification patterns where PHI is not required.
• Clinical safety considerations for AI surfaces touching clinical decisions.
• Workforce training including AI-specific content.

SR 11-7 (Federal Reserve)

For banks, SR 11-7 establishes model risk management expectations. The framework's model governance domain implements SR 11-7's documentation, validation, and effective challenge requirements.

FedRAMP

For federal-sector enterprises, FedRAMP authorization sets baseline expectations. The framework's controls map to NIST 800-53 control families relevant to AI use.

Microsoft Responsible AI Standard

Microsoft's Responsible AI Standard sets expectations for both Microsoft's own AI development and Microsoft's customers using Microsoft AI services. The framework's data and model governance domains align with the Standard's principles.

Implementation Pattern

For a Fortune 500 regulated-industry enterprise implementing the 100-control framework, EPC Group's standard pattern:

Weeks 1–4: Scoping and customization.

• Regulatory framework scoping (which frameworks apply).
• Control catalog customization for the customer's specific scope.
• Gap analysis against current state.
• Implementation roadmap.

Weeks 5–12: Foundation controls.

• Data governance controls implementation.
• Audit log routing setup.
• Sensitivity labeling baseline.
• Microsoft Purview policy deployment.

Weeks 13–18: Model governance controls.

• AI use case inventory.
• Model approval workflow.
• Copilot Tooling Format population and review process.

Weeks 19–22: Deployment and operational controls.

• Change management integration.
• Operational monitoring setup.
• Capacity planning for AI workloads.

Weeks 23–26: Audit and incident response.

• Audit log review procedures.
• Evidence packaging templates.
• Incident response procedures and tabletop exercises.

Weeks 27–30: Validation and handover.

• Internal validation against framework.
• Auditor walkthrough preparation.
• Documentation handover.
• Sustainment model operational.

The 30-week pattern is for a substantial Fortune 500 implementation. Smaller enterprises run shorter.

Common Pitfalls

Across AI governance implementations:

1. Treating AI governance as compliance overhead. Well-designed AI governance enables faster, safer AI adoption — not slower.
2. Implementing controls without underlying tooling. A control that says "audit logs reviewed monthly" without a SIEM to support it is theater.
3. Single-framework focus. Implementing for HIPAA only, then discovering EU AI Act applies, then discovering NIST AI RMF expected.
4. Treating Copilot as a special case. Copilot is one AI capability among many; the governance pattern should cover all.
5. Under-investing in audit log retention. Long-retention audit logs are expensive but non-negotiable for regulatory frameworks.
6. Not refreshing the control catalog. Regulations evolve; the catalog must evolve with them.

Frequently Asked Questions

What is the 100-control framework for AI governance?

EPC Group's 100-control framework is a consolidated control catalog mapping AI governance requirements from NIST AI RMF, EU AI Act, HIPAA, SR 11-7, FedRAMP, and Microsoft's Responsible AI Standard onto a single operational discipline for Power BI, Microsoft Fabric, and Microsoft Copilot deployments.

Which regulatory frameworks does the framework satisfy?

The framework is designed to satisfy NIST AI RMF, EU AI Act, HIPAA Privacy and Security Rules, SR 11-7 (Federal Reserve model risk management), FedRAMP, and Microsoft Responsible AI Standard. The specific framework subset depends on the customer's regulatory scope.

How does the framework address Microsoft Copilot specifically?

Copilot is treated as one AI capability within the broader analytical platform. Controls in data governance, model governance, deployment governance, operational governance, audit and evidence, and incident response all apply to Copilot. The Copilot Tooling Format ("Prep Data for AI") fits into the model governance domain.

How does the framework address Microsoft Fabric AI features?

Fabric AI features (Copilot in Fabric, AI Skills, Data Science workloads) are covered by the framework's model governance and deployment governance domains. Custom AI built on Fabric (using Azure ML or Fabric Data Science) carries additional model development controls.

What is the difference between the framework and Microsoft's Responsible AI Standard?

Microsoft's Responsible AI Standard sets vendor-level principles. EPC Group's framework operationalizes those principles within the enterprise context and adds the multi-framework compliance mappings the Standard does not provide.

How does the framework support SR 11-7 model risk management for banks?

The model governance domain implements SR 11-7's expectations: model inventory, documented model development and validation, effective challenge through independent validation, periodic review, and tiered model risk classification.

Does the framework address the EU AI Act?

Yes. The framework includes the EU AI Act's risk classification process and the controls associated with each risk tier. For high-risk AI use cases under the Act, the framework's control implementation produces the documentation the Act requires.

How long does framework implementation take?

For a Fortune 500 regulated-industry enterprise, the typical implementation is 30 weeks. Smaller enterprises or narrower regulatory scope can complete in 16–20 weeks.

What tools does the framework require?

Microsoft Purview for data classification and audit logging. Microsoft Sentinel for SIEM and audit log analysis. Microsoft Defender for Cloud for additional security controls. Microsoft Entra ID for identity. The specific configuration depends on the customer's framework subset.

How does the framework handle AI use cases that span multiple business units?

Each AI use case has a designated owner (typically the business unit deriving the primary value) and a governance review chain that includes affected business units. The framework's deployment governance domain includes the cross-organizational review process.

Does the framework include explainability requirements?

For high-stakes AI use cases (under the EU AI Act's High Risk classification, or under SR 11-7's higher model risk tiers), the framework includes explainability controls. For Microsoft Copilot in Power BI specifically, the explainability is provided by the underlying model architecture; the framework adds the audit trail.

How does the framework address AI ethics?

The framework's data and model governance domains include fairness assessments, bias detection patterns, and harm mitigation. Microsoft's Responsible AI Standard provides the principles; the framework provides the operational implementation.

Can the framework be implemented incrementally?

Yes. The standard implementation pattern sequences the six domains across 30 weeks. Customers with existing partial implementations can map current state against the framework and prioritize gap remediation.

How does EPC Group support AI governance implementations?

EPC Group works with Fortune 500 regulated-industry enterprises on AI governance for Microsoft analytical platforms. The standard engagement is 30 weeks. Our consultants — including Microsoft Press bestselling author Errin O'Connor — bring direct experience across substantial AI governance implementations in healthcare, financial services, and federal sectors.

What is the typical cost of AI governance implementation?

Cost depends on enterprise scope, regulatory framework set, and existing governance maturity. The dominant cost components are control implementation (the engineering work), tooling licensing (Purview, Sentinel, Defender), and ongoing operational discipline. Detailed cost modeling is part of the scoping phase.

Next Steps

If your enterprise is implementing AI governance for Microsoft analytical platforms, the practical next steps:

1. Inventory current AI use cases across the enterprise.
2. Scope the applicable regulatory frameworks.
3. Run a gap analysis against the 100-control framework.
4. Prioritize gap remediation by risk impact.
5. Engage a partner with deep AI governance experience to compress the planning timeline.

EPC Group has 29 years of enterprise Microsoft consulting experience and is Microsoft Solutions Partner with the core designations. We were historically the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Our consultants — including Microsoft Press bestselling author Errin O'Connor — bring direct AI governance experience across substantial regulated-industry deployments. To discuss your AI governance implementation, contact EPC Group for a 30-minute discovery call.