
Making Copilot Agents Work in Regulated Environments

By David Callaghan

Financial services has always walked a balancing act:

Move fast enough to serve customers and markets, but slow down enough to satisfy regulators.

Financial services leaders are being pulled in two directions at once. On the one hand, macro volatility (shifting interest rates, inflation pressures, and an uncertain global economy) is changing customer behaviour, pricing, risk appetite, and market conditions faster than organisations can comfortably absorb. Microsoft’s Financial Services scenario library explicitly frames the industry as being impacted by changing interest rates, inflation, regulatory policies, and the global economy.

On the other hand, scrutiny is rising: regulators and auditors continue to demand stronger controls, clearer evidence trails, and better supervision of how decisions are made and recorded. This is the context behind the growing focus on governance and compliance obligations when deploying tools like Microsoft 365 Copilot in regulated environments. Yet despite both pressures, leadership expectations haven’t softened: firms are still expected to deliver material productivity gains (tangible reductions in effort and cycle time, and measurable improvements in efficiency) while simultaneously modernising operations and compliance, improving analysis, and enhancing customer experience.

AI Agents for Regulated Work

What’s different now is that AI agents can be designed to do regulated work “the right way”: grounded in approved content, permissioned by existing access controls, and measured against governance and operational KPIs. At WM Reply, we see agents as AI assistants on a spectrum, from simple retrieval/Q&A, through task-based process agents, up to autonomous agents with increasingly advanced orchestration. Our delivery model emphasises a lifecycle that runs from grounding data and governance through testing, deployment, monitoring, and continuous improvement.

In this article, I’ll be giving you an analyst-style view of where Copilot Agents solve known financial services problems, how to choose the right “agent flavour,” and how to set them up with controls that make risk teams comfortable. 

Not Just Chat | Why are Agents Showing up in Financial Services Roadmaps? 

The two pressures described above, the need for speed and the need for demonstrable control, recur across financial services transformation programmes, and Copilot Agents map neatly to both: they can retrieve evidence, apply rules and workflows, and route decisions, all while operating within a governed enterprise environment. Microsoft positions Copilot Studio as an end-to-end tool for building copilots and agents and extending Microsoft Copilot with your own data, applications, and automation within the Power Platform ecosystem. 

Choosing the Right Agent Pattern: Lite vs Full and why it Matters in Regulated Teams 

A credible financial services story starts with a deployment and governance model. In this model, we draw a clear line between the following options:

  • Use Agent Builder in Microsoft 365 Copilot to quickly create agents for individuals or small teams using natural language and existing content. 

  • Use Copilot Studio when you need broader deployment, advanced workflows, integrations, and stronger lifecycle management controls.  

In operational terms, Lite (Agent Builder) publishing is controlled via Microsoft 365 admin controls and is effectively Teams-only, while Full (Copilot Studio) uses environment-level controls (DLP, roles, sharing limits, channel restrictions) and supports broader channels depending on policy.  

In practice, this means you should start small and safely with low-complexity Q&A agents, then “graduate” high-value workflows into Copilot Studio, where you can enforce environment strategies, data loss prevention (DLP) policies, and application lifecycle management (ALM). 

High-impact Use Cases and the Agents that Solve Them 

1) Financial Crime (KYC/AML): Triage and evidence packs that reduce cycle time.

The problem here is a well-known one. Teams have been stood up to manage this requirement, yet alert backlogs, inconsistent triage, manual narrative drafting, and duplicated evidence gathering remain. Microsoft’s Scenario Library explicitly calls out reducing false positives in fraud and AML as a key operational and compliance opportunity for agents.  

Agent concept: KYC/AML Case Triage and Evidence Agent 

  • Retrieves: policies, procedures, prior case notes, approved typology guidance from organisational knowledge sources.  

  • Produces: a structured evidence pack (what was checked, which policy thresholds apply, what is missing, and so on) for a human investigator to approve. The agent drafts; the investigator decides. This is the governed, retrieval-first pattern we see in many agents across the industry.  

This aligns with the point McKinsey and others have made: efficiency gains come from addressing fragmented data and manual operating-model inefficiencies. 

2) Regulatory change and compliance: Faster interpretation, safer dissemination 

In financial services, firms face pressure to implement new requirements quickly while maintaining robust recordkeeping and supervisory processes. Industry commentary notes escalating attention on governance and compliance obligations when employees use tools like Microsoft 365 Copilot, or any other AI tool.  

Agent concept: Regulatory Change Interpreter and Control Mapper Agent 

  • Summarises new internal policy updates or regulator circulars stored in approved repositories, drafts internal guidance notes, and produces an “audit-prep checklist.” This directly reflects the scenario library’s depiction of Copilot being used to streamline research and audit preparation in banking compliance work.  

  • Runs inside a controlled environment with logging and governance guardrails. 

3) Client onboarding and suitability: Orchestrate multi-step checks with approvals 

Onboarding is often slowed by document chasing, suitability checks, and multiple sign-offs. A powerful, demonstrable agent capability here is workflow approvals that combine AI decision stages with human oversight. In financial services (particularly wealth and investment advice and portfolio management), firms are required to collect specific client information and make suitable recommendations based on it. The FCA states that firms must obtain the necessary information about the client’s financial situation, objectives, and risk-related factors (risk profile, capacity for loss, knowledge and experience) in order to make a suitable recommendation. 

Microsoft’s Copilot Studio best practice describes multi-stage approvals in agent flows as combining human and AI reviews to accelerate routine requests while keeping oversight for complex decisions. 

Agent concept: Onboarding Orchestrator Agent 

  • Validates completeness of onboarding packs, routes escalations by risk or threshold, and records decisions and rationale as the process progresses. This is an archetypal Copilot Studio use case because it depends on workflow orchestration.   

4) Operations and approvals: Exception handling that cuts “swivel-chair” time 

Exception management and approvals are classic bottlenecks in Financial services operations. Copilot Studio’s agent flows (and approvals features) are explicitly designed to automate structured, repeatable business tasks and streamline approvals. 

Agent concept: Ops Exception Manager Agent 

  • Classifies exceptions, requests missing information, routes approvals, and standardises resolution steps using governed connectors and environment rules.  

5) Executive and strategy insight: Navigator experiences for faster decisions

For leadership teams, the pain point comes from time lost consolidating packs and narratives across multiple sources. A “financial services navigator” that ingests publicly available peer materials (for example, Citi annual report extracts and investor day reports or transcripts) and makes them interrogatable via generative AI is a viable solution.

Agent concept: CFO/COO Navigator Agent 

  • Summarises peer disclosures, drafts discussion briefs, and provides evidence-backed Q&A over approved sources.  

Governance: The non-negotiable layer for Financial Services 

In regulated settings, the “win” isn’t just capability. It’s control, auditability, and reduced leakage risk.

Much of that governance is built into the platform. Copilot Studio’s security and governance controls include data policy (DLP) controls, audit logs, integration with monitoring tooling such as Microsoft Sentinel, sensitivity label visibility for SharePoint sources, and environment routing. Together these give financial services firms the control they need to satisfy regulators without hindering innovation. “Built in” is not the same as “done”, though: each control still has to be configured and scoped to the right environments, and its output retained and reviewed, before it produces the evidence trail a regulator will ask for.  

Two of these controls are especially central: 

1. Data Loss Prevention (DLP) for agents and connectors: Copilot Studio data policies govern how agents connect to data and services and enforce policy in real time. A policy applies only to the environments in its scope, so an environment that no policy covers is the first gap to look for.  

2. Inventory and oversight: the tenant-wide “agent inventory” in the Power Platform admin centre lets you discover and filter agents by owner, creation date, and other attributes. This is useful for support, for preventing orphaned agents (agents whose owner has left or moved on), and for enforcing compliance standards.  
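The DLP control above, and the environment-level controls described earlier under Lite vs Full, only protect an environment that is actually in scope of a policy. The PowerShell below is an added example, not code from the article, from WM Reply or from Microsoft. It reports, per Power Platform environment, whether any DLP policy applies and whether an assumed list of sensitive connectors sits in a Blocked group. It assumes the Microsoft.PowerApps.Administration.PowerShell module, Power Platform administrator rights, and that the objects returned by Get-DlpPolicy expose environmentType, environments and connectorGroups in the shape the DLP SDK documents; the $MustBeBlocked list and the finding labels are illustrative choices, not platform values.

```powershell
# Added example, not code from the article, WM Reply or Microsoft.
# Reports, per Power Platform environment, whether any DLP policy applies and
# whether an assumed list of sensitive connectors sits in a Blocked group.
# Assumptions: Microsoft.PowerApps.Administration.PowerShell is installed, the
# caller is a Power Platform administrator, and Get-DlpPolicy objects expose
# environmentType, environments and connectorGroups as the DLP SDK documents.
# Confirm the shape with `Get-DlpPolicy | ConvertTo-Json -Depth 10` first.

# Connector display names that should be Blocked wherever agents run.
# Illustrative assumption; replace with your own connector standard.
$MustBeBlocked = @('HTTP', 'HTTP Webhook')

Add-PowerAppsAccount   # interactive sign-in; service-principal parameters also exist
$environments = @(Get-AdminPowerAppEnvironment)
$policies     = @(Get-DlpPolicy)

# A DLP policy scopes itself to all environments, to a named list, or to all
# environments except a named list. Anything else is treated as not applying.
function Test-PolicyAppliesToEnvironment {
    param($Policy, [string]$EnvironmentName)
    $named = @($Policy.environments | Where-Object { $_.name -eq $EnvironmentName }).Count -gt 0
    switch ($Policy.environmentType) {
        'AllEnvironments'    { return $true }
        'OnlyEnvironments'   { return $named }
        'ExceptEnvironments' { return -not $named }
        default              { return $false }
    }
}

$report = foreach ($environment in $environments) {
    $applicable = @($policies | Where-Object {
        Test-PolicyAppliesToEnvironment -Policy $_ -EnvironmentName $environment.EnvironmentName
    })

    # Union of every connector that any applicable policy places in a Blocked group.
    $blocked = @()
    foreach ($policy in $applicable) {
        foreach ($group in $policy.connectorGroups) {
            if ($group.classification -eq 'Blocked') {
                $blocked += @($group.connectors | ForEach-Object { $_.name })
            }
        }
    }
    $notBlocked = @($MustBeBlocked | Where-Object { $blocked -notcontains $_ })

    if ($applicable.Count -eq 0)      { $finding = 'NO DLP POLICY' }
    elseif ($notBlocked.Count -gt 0)  { $finding = 'SENSITIVE CONNECTOR NOT BLOCKED' }
    else                              { $finding = 'OK' }

    [pscustomobject]@{
        Environment   = $environment.DisplayName
        EnvironmentId = $environment.EnvironmentName
        Policies      = $applicable.Count
        NotBlocked    = ($notBlocked -join ', ')
        Finding       = $finding
    }
}

# Worst findings first: no policy, then a policy that leaves sensitive connectors open, then OK.
$order = @('NO DLP POLICY', 'SENSITIVE CONNECTOR NOT BLOCKED', 'OK')
$report | Sort-Object { $order.IndexOf($_.Finding) } | Format-Table -AutoSize
```

Run this before an Agent Builder agent is “graduated” into Copilot Studio and keep the output with the release evidence: a “NO DLP POLICY” row is exactly the environment in which a production agent would otherwise connect to anything its maker can reach.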

So, what do you need to have on your delivery checklist?

At a minimum you’ll need Power Platform governance in place and a Centre of Excellence; a DLP strategy and process; ALM best practices defined; licensing management; and a post-launch plan for monitoring agents and basic housekeeping tasks. This alignment is critical in demonstrating that agents are operationalised properly, rather than remaining proof-of-concept exercises.

A Practical Getting Started Blueprint: 

Ultimately, you need measurable outcomes with provable controls to achieve success. Want to learn more? Contact us now.