Why Banks Need a Copilot Use Case Risk Matrix
Microsoft provides a scenario library for financial services Copilot use cases (Microsoft Adoption Library, 2025), but it does not include risk classification. Consulting partners publish use case lists without regulatory risk assessment. Banks deploying Copilot without a risk-rated use case framework cannot demonstrate which workflows are approved, which require controls, and which are prohibited under their regulatory obligations.
The consequences are tangible. 57% of financial services employees share customer data with AI tools without authorization (Microsoft, 2025). Without a formal use case governance framework, shadow usage expands organically as employees discover Copilot capabilities. Compliance teams lose visibility, and the bank cannot demonstrate supervisory compliance to FINRA, SEC, or EU AI Act examiners.
This matrix classifies every banking Copilot use case by risk level, maps it to the applicable regulations, and specifies the controls required for approved deployment. It covers M365 Copilot, Copilot Studio agents, Power Automate flows, and Copilot for Finance agents.
How Should Banks Classify Copilot Use Case Risk?
Every Copilot use case should be evaluated across six dimensions before deployment. The combination of these dimensions determines the risk classification and the controls required.
1. What data does the use case access? Public, internal, confidential, or restricted
2. Which regulations apply? FINRA, SEC, EU AI Act, SOX, BSA/AML, PCI-DSS
3. Does output reach clients or affect client outcomes?
4. Does output inform material business or financial decisions?
5. Can errors be corrected before harm occurs?
6. Can the Copilot interaction be fully reconstructed for regulatory review?
Risk Classification Levels
Four risk levels define the governance requirements for each use case. Every new Copilot workflow must be classified before deployment to production.
Low risk: Internal operations with no client data and no regulated output. Required controls: standard M365 permissions and audit logging. Approval: department head. Examples: internal meeting summarization, policy document search, project planning
Medium risk: Client-adjacent workflows with regulated data types that require review. Required controls: sensitivity labels, DLP policies, supervisory review. Approval: compliance officer. Examples: client email drafting, financial report assistance, KYC document review
High risk: Direct regulatory implications with client-facing output. Required controls: human oversight, model validation, restricted access. Approval: Chief Compliance Officer plus Legal. Examples: financial modeling assistance, audit workpaper preparation
Prohibited: Regulatory prohibition or unacceptable risk. Required controls: block via DLP, information barriers, conditional access. Not permitted under any circumstances. Examples: automated investment recommendations, SAR processing, cross-barrier information retrieval, PCI data processing
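The six dimensions and four levels above can be turned into a repeatable classification step. The following is an added example, not code from the page or from Microsoft; the page names the dimensions and the levels but does not say how they combine, so the combination rules, the workflow category tags checked against the hard-block list, and the dimension values given to the sample use cases are all assumptions made here for illustration.

```python
"""Six-dimension risk classifier for a Copilot use case (added example, not from the page).

The scoring rules below are an assumption: the page names the six dimensions and
the four levels but does not state how the dimensions combine.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    PROHIBITED = 4


DATA_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Workflow categories the matrix prohibits outright, whatever the other dimensions say
# (tag names are assumed).
HARD_BLOCKS = {
    "automated_investment_recommendation",
    "sar_processing",
    "cross_barrier_retrieval",
    "pci_data_processing",
    "automated_credit_decision",
}

# Required controls and approver per level, taken from the four risk level definitions.
CONTROLS = {
    Risk.LOW: ("standard M365 permissions, audit logging", "department head"),
    Risk.MEDIUM: ("sensitivity labels, DLP policies, supervisory review", "compliance officer"),
    Risk.HIGH: ("human oversight, model validation, restricted access", "Chief Compliance Officer plus Legal"),
    Risk.PROHIBITED: ("block via DLP, information barriers, conditional access", "not permitted"),
}


@dataclass(frozen=True)
class UseCase:
    name: str
    data_class: str                          # dimension 1: public | internal | confidential | restricted
    regulations: frozenset = frozenset()     # dimension 2: e.g. {"FINRA", "SOX", "BSA/AML"}
    client_facing: bool = False              # dimension 3: output reaches clients or affects client outcomes
    material_decision: bool = False          # dimension 4: output informs material business/financial decisions
    correctable: bool = True                 # dimension 5: errors can be caught before harm occurs
    reconstructible: bool = True             # dimension 6: interaction can be fully reconstructed for review
    categories: frozenset = frozenset()      # workflow category tags checked against HARD_BLOCKS (assumed)


def classify(uc: UseCase) -> Risk:
    """Combine the six dimensions into one of the four levels (assumed rules)."""
    if uc.data_class not in DATA_RANK:
        raise ValueError(f"unknown data class: {uc.data_class!r}")
    # Regulatory prohibition, or restricted data feeding an uncorrectable material decision.
    if uc.categories & HARD_BLOCKS:
        return Risk.PROHIBITED
    if uc.data_class == "restricted" and uc.material_decision and not uc.correctable:
        return Risk.PROHIBITED
    if (uc.client_facing and uc.material_decision) or uc.data_class == "restricted" or not uc.correctable:
        level = Risk.HIGH
    elif (DATA_RANK[uc.data_class] >= DATA_RANK["confidential"] or uc.regulations
          or uc.client_facing or uc.material_decision):
        level = Risk.MEDIUM
    else:
        level = Risk.LOW
    # If the interaction cannot be reconstructed, the bank cannot evidence supervision
    # to examiners: escalate one level (assumed rule, fail closed).
    if not uc.reconstructible:
        level = Risk(min(level + 1, Risk.PROHIBITED))
    return level


def decision(uc: UseCase) -> dict:
    """Risk level plus the controls and approver the matrix requires for that level."""
    level = classify(uc)
    controls, approver = CONTROLS[level]
    return {"use_case": uc.name, "risk": level.name, "controls": controls, "approver": approver}


# Sample use cases named in the matrix; the dimension values are assumed for illustration.
SAMPLES = [
    UseCase("internal meeting summarization", "internal"),
    UseCase("KYC document review", "confidential", frozenset({"BSA/AML"})),
    UseCase("audit workpaper preparation", "confidential", frozenset({"SOX"}),
            client_facing=True, material_decision=True),
    UseCase("automated credit decisioning", "restricted", frozenset({"ECOA"}),
            client_facing=True, material_decision=True, correctable=False,
            categories=frozenset({"automated_credit_decision"})),
    UseCase("branch meeting notes via unaudited channel", "internal", reconstructible=False),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decision(sample))
```

The last sample shows the effect of dimension 6: a workflow that would otherwise be low risk is escalated because its interactions cannot be reconstructed for an examiner, which is the same reason shadow usage is a compliance problem rather than only a data problem.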
Complete Use Case Risk Matrix
The matrix below maps every banking Copilot use case to its risk classification. Use this as a quick reference during deployment planning and quarterly governance reviews.
Use Case | Division | Risk Level
Customer email summarization | Retail Banking | Low
Branch meeting notes | Retail Banking | Low
Internal pitch deck creation | Investment Banking | Low
Regulatory change monitoring | Compliance & Legal | Low
Policy document search | Compliance & Legal | Low
Loan documentation drafting | Retail Banking | Medium
Customer complaint analysis | Retail Banking | Medium
KYC document review | Retail Banking | Medium
Deal team collaboration notes | Investment Banking | Medium
Financial modeling assistance | Investment Banking | Medium
Client meeting preparation | Wealth Management | Medium
Portfolio performance summaries | Wealth Management | Medium
Estate planning document review | Wealth Management | Medium
Contract review assistance | Compliance & Legal | Medium
Variance analysis for financial reporting | Compliance & Legal | Medium
Anomaly detection for fraud monitoring | Compliance & Legal | Medium
Variance analysis agent | Agents | Medium
Anomaly detection agent | Agents | Medium
Invoice processing agent | Agents | Medium
Collection prioritization agent | Agents | Medium
Autonomous workflow agent | Agents | High
Automated credit decisioning | Retail Banking | Prohibited
Cross-division research queries | Investment Banking | Prohibited
MNPI-adjacent document queries | Investment Banking | Prohibited
Investment recommendation drafting | Wealth Management | Prohibited
SAR preparation or review | Compliance & Legal | Prohibited
Whistleblower investigation support | Compliance & Legal | Prohibited
Retail Banking Use Cases
Retail banking has the broadest range of Copilot use cases, spanning from low-risk internal operations to prohibited automated credit decisioning.
Customer email summarization: Low risk. Key regulation: FINRA 3110. Controls: audit logging, retention policy
Branch meeting notes: Low risk. No specific regulation. Controls: standard permissions
Loan documentation drafting: Medium risk. Key regulations: Fair Lending Act, ECOA. Controls: human review required, bias assessment before deployment
Customer complaint analysis: Medium risk. Key regulations: CFPB, UDAAP. Controls: sensitivity labels, audit trail
KYC document review: Medium risk. Key regulation: BSA/AML. Controls: compliance team oversight. Copilot assists analysis but does not make disposition decisions
Automated credit decisioning: Prohibited. Key regulations: EU AI Act Annex III, ECOA. Copilot output must not serve as the sole basis for credit decisions
Investment Banking Use Cases
Investment banking use cases carry elevated risk due to information barrier requirements and material non-public information (MNPI) exposure.
Internal pitch deck creation: Low risk. Controls: information barriers must be active before use; content stays within the division
Deal team collaboration notes: Medium risk. Key regulations: SEC, FINRA. Controls: barrier enforcement, restricted sharing, audit logging
Financial modeling assistance: Medium risk. Key regulations: SOX 302/906. Controls: human validation required, model risk review per SR 11-7
Cross-division research queries: Prohibited. Key regulation: information barrier requirements. Channel Agent must be disabled for barrier-restricted divisions
MNPI-adjacent document queries: Prohibited. Key regulation: SEC insider trading rules. Controls: DLP block with Restricted sensitivity label
Wealth Management Use Cases
Wealth management sits at the intersection of client relationship management and regulatory compliance. Every client-facing Copilot output requires supervisory review.
Client meeting preparation: Medium risk. Key regulations: FINRA 3110, suitability rules. Controls: supervisory review of any content used in client meetings
Portfolio performance summaries: Medium risk. Key regulations: FINRA 2210, SOX. Controls: human validation of all financial figures. Copilot output cannot serve as official performance reporting
Estate planning document review: Medium risk. Key regulations: state fiduciary laws. Controls: attorney review required for all outputs
Investment recommendation drafting: Prohibited. Key regulations: FINRA suitability, Regulation Best Interest. Copilot cannot function as a recommendation engine. LGT (private banking) reduced contract review time from 4 hours to 30 minutes with proper controls (Microsoft, 2025), but recommendations require human judgment
Compliance, Legal, and Finance Department Use Cases
Compliance and legal departments benefit significantly from Copilot but face the highest concentration of prohibited use cases.
Regulatory change monitoring: Low risk. Controls: validation against primary source documents before action
Policy document search: Low risk. Controls: standard permissions, audit trail
Contract review assistance: Medium risk. Controls: attorney review required. LGT demonstrated a reduction from 4 hours to 30 minutes for contract review (Microsoft, 2025)
SAR preparation or review: Prohibited. Key regulation: BSA/AML 31 USC 5318(g)(2). Complete Copilot block required on all SAR-related content
Whistleblower investigation support: Prohibited. Key regulations: Dodd-Frank, SOX. Confidentiality requirements prevent Copilot access
Variance analysis for financial reporting: Medium risk. Key regulation: SOX. Controls: controller review and audit trail required if output enters financial statements
Anomaly detection for fraud monitoring: Medium risk. Controls: AML team oversight, model validation. Copilot assists pattern identification but does not make investigation decisions
Copilot Studio Agent and Finance Agent Governance
Copilot Studio agents and Copilot for Finance agents (GA October 2025) create a new governance category. Each agent requires independent risk classification because agents can take autonomous actions, connect to external systems, and chain with other agents, creating compounding risk that must be assessed as a system rather than per agent.
Gartner predicts that by 2028, approximately 33% of enterprise applications will feature agentic AI (Gartner, 2025). Banks must establish agent governance processes now to avoid agent sprawl and uncontrolled risk exposure.
Variance analysis agent: Medium risk. SOX implications if output enters financial statements. Controls: controller review, audit trail
Anomaly detection agent: Medium risk. False positive/negative impact on investigations. Controls: AML team oversight, model validation per SR 11-7
Invoice processing agent: Medium risk. Financial record integrity concerns. Controls: approval gates, reconciliation checks
Collection prioritization agent: Medium risk. Fair Lending and UDAAP exposure if customer-facing. Controls: compliance review, bias assessment
Autonomous workflow agent: High risk. Unsupervised actions on financial systems. Controls: human approval gates required for all actions, comprehensive action logging
Copilot Studio agents: Risk varies by scope. Unscoped data access and prompt injection are the primary concerns. Controls: per-agent risk assessment, mandatory authentication via DLP policy, connector allowlisting
Use Case Approval Process
Banks should implement a formal five-step approval process for all new Copilot use cases. Shadow use cases discovered through Purview audit logs should be routed through the same process retroactively.
1. Request: Business unit submits a use case description with the data types involved, intended output, and target user population
2. Classification: Compliance team classifies the risk level using the six assessment dimensions. Medium and high-risk use cases require documented justification
3. Controls Design: For medium-risk use cases, specify the required sensitivity labels, DLP policies, supervisory review cadence, and audit trail configuration
4. Pilot Validation: Limited deployment with enhanced monitoring for 30-60 days before department-wide rollout
5. Ongoing Review: Quarterly re-certification of all approved use cases. Regulatory changes may reclassify existing use cases. Purview audit logs reviewed monthly for usage patterns outside the approved inventory
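The monthly audit log review in the last step, and the retroactive routing of shadow use cases mentioned at the start of this process, both need a concrete check of Copilot activity against the approved inventory. The following is an added example written for this page, not code from the page, from Microsoft, or from Purview. The audit records are constructed and deliberately simplified (a real Purview CopilotInteraction record carries more fields and different naming), and the user directory, the per-division approved inventory, and the label names are all assumptions; the reason codes are invented labels for the findings.

```python
"""Monthly Purview audit log review for Copilot usage outside the approved use case
inventory (added example, not the page's, Microsoft's or Purview's code).

Record shape, directory and inventory are constructed and simplified; real Purview
CopilotInteraction records carry more fields and differ in naming.
"""
from collections import Counter

# Constructed sample audit records (simplified, assumed shape).
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2025-11-03T09:12:41", "UserId": "analyst1@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Outlook", "AccessedResources": [
         {"Name": "client-thread.eml", "SensitivityLabel": "Confidential", "OwnerDivision": "Retail Banking"}]}},
    {"CreationTime": "2025-11-03T10:02:07", "UserId": "banker1@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Teams", "AccessedResources": [
         {"Name": "deal-notes.docx", "SensitivityLabel": "Confidential", "OwnerDivision": "Investment Banking"}]}},
    {"CreationTime": "2025-11-04T15:44:19", "UserId": "banker1@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Teams", "AccessedResources": [
         {"Name": "research-note.docx", "SensitivityLabel": "Confidential", "OwnerDivision": "Research"}]}},
    {"CreationTime": "2025-11-05T08:30:55", "UserId": "analyst2@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Word", "AccessedResources": [
         {"Name": "sar-draft.docx", "SensitivityLabel": "Restricted - SAR", "OwnerDivision": "Compliance & Legal"}]}},
    {"CreationTime": "2025-11-06T11:15:02", "UserId": "analyst1@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Excel", "AccessedResources": [
         {"Name": "branch-notes.docx", "SensitivityLabel": "Internal", "OwnerDivision": "Retail Banking"}]}},
    {"CreationTime": "2025-11-06T11:16:40", "UserId": "analyst1@bank.example",
     "Operation": "FileAccessed", "ObjectId": "branch-notes.docx"},
    {"CreationTime": "2025-11-07T13:01:11", "UserId": "contractor@vendor.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Word", "AccessedResources": []}},
    {"CreationTime": "2025-11-07T16:20:33", "UserId": "analyst2@bank.example",
     "Operation": "CopilotInteraction",
     "CopilotEventData": {"AppHost": "Word", "AccessedResources": [
         {"Name": "vendor-contract.pdf", "OwnerDivision": "Compliance & Legal"}]}},
]

LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}

# Constructed directory lookup: user -> division.
DIRECTORY = {
    "analyst1@bank.example": "Retail Banking",
    "banker1@bank.example": "Investment Banking",
    "analyst2@bank.example": "Compliance & Legal",
}

# Constructed approved inventory per division: which Copilot hosts have an approved use
# case and the highest sensitivity label an approved use case may touch. "barrier" marks
# a division behind an information barrier.
APPROVED = {
    "Retail Banking": {"hosts": {"Outlook", "Teams", "Word"}, "max_label": "Confidential"},
    "Investment Banking": {"hosts": {"PowerPoint", "Teams"}, "max_label": "Confidential", "barrier": True},
    "Compliance & Legal": {"hosts": {"Word", "SharePoint"}, "max_label": "Confidential"},
}

# Content the matrix blocks outright (SAR material, MNPI); label names are assumed.
BLOCKED_LABELS = {"Restricted - SAR", "Restricted - MNPI"}


def review(records, directory=DIRECTORY, approved=APPROVED):
    """Return one finding per observation that falls outside the approved inventory."""
    findings = []

    def flag(rec, reason, detail):
        findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "reason": reason, "detail": detail})

    for rec in records:
        if rec.get("Operation") != "CopilotInteraction":
            continue  # only Copilot interactions are in scope for this review
        division = directory.get(rec["UserId"])
        event = rec.get("CopilotEventData", {})
        host = event.get("AppHost", "unknown")
        if division is None:
            flag(rec, "UNKNOWN_USER", host)
            continue
        policy = approved.get(division)
        if policy is None:
            flag(rec, "DIVISION_NOT_IN_INVENTORY", division)
            continue
        if host not in policy["hosts"]:
            flag(rec, "HOST_NOT_APPROVED", f"{host} for {division}")
        max_rank = LABEL_RANK[policy["max_label"]]
        for res in event.get("AccessedResources", []):
            label = res.get("SensitivityLabel", "Unlabeled")
            name = res.get("Name", "?")
            if label in BLOCKED_LABELS:
                flag(rec, "BLOCKED_CONTENT", f"{name} ({label})")
            elif LABEL_RANK.get(label, LABEL_RANK["Restricted"]) > max_rank:
                # Missing or unknown labels are treated as Restricted: fail closed.
                flag(rec, "LABEL_ABOVE_APPROVAL", f"{name} ({label})")
            owner = res.get("OwnerDivision")
            if policy.get("barrier") and owner is not None and owner != division:
                flag(rec, "CROSS_BARRIER_ACCESS", f"{name} owned by {owner}")
    return findings


def summarize(findings):
    """Count findings by reason code for the monthly governance report."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    results = review(SAMPLE_AUDIT_LOG)
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```

Each finding maps back to the matrix: HOST_NOT_APPROVED is a candidate shadow use case to route through the request step, BLOCKED_CONTENT and CROSS_BARRIER_ACCESS indicate that a prohibited-level control (DLP block, information barrier) did not hold and warrant an incident review rather than a use case request, and LABEL_ABOVE_APPROVAL on an unlabeled resource usually points at a labelling gap rather than at the user.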