Routing complex intents to a specialized sub-agent is an effective agentic design pattern. This approach isolates the computationally expensive "deep reasoning" to a small subset of cases, preventing an increase in overall latency and credit consumption. The primary agent remains fast and concise for voice interactions, while the sub-agent handles the "identity mismatch" complexity. This meets all constraints: voice performance, cost control, compliance (reasoning is contained), and gated write actions (handled by the main agent's logic).

A. This violates the requirements for voice latency to stay under 2 seconds and to minimize credit spend, as deep reasoning is resource-intensive.

B. This violates the requirements for the agent to remain concise and to never read internal reasoning aloud, which is a compliance mandate.

C. This violates the compliance requirement that all write actions must remain approval-gated; auto-running them on fallback would bypass this crucial control.

1. Microsoft Copilot Studio Documentation, "Create and edit topics in your Microsoft Copilot Studio copilot." This document explains topic redirection, which is the mechanism for routing conversations. A complex intent can be a trigger for redirecting to another topic, which can be designed as a specialized "sub-agent." (Section: "Redirect to another topic").

2. Microsoft Copilot Studio Documentation, "Use generative answers in Microsoft Copilot Studio." This explains how generative features can add processing time. The architecture in option D selectively uses such features, aligning with performance best practices. (Section: "How generative answers work").

This design creates a governable and secure agent. Declarative agent instructions (B) allow for behavior to be centrally defined and managed across environments. A Microsoft Graph connector with Access Control List (ACL) trimming (D) securely surfaces existing policy documents without copying data, while respecting user permissions. An action allowlist with an approval policy (F) provides granular control over the agent's capabilities, enforcing separation of duties for high-risk actions as required.

C: Allowing users to override the system prompt would completely undermine central governance and create a significant security vulnerability.

A: Topic-only prompts are insufficient for an extensible agent that must initiate complex, approved actions beyond simple conversation flows.

E: Granting org-wide delegated permissions for any plugin request is a direct violation of the principle of least privilege and is highly insecure.

1. Microsoft 365 Copilot Documentation. (2024). Extend Microsoft Copilot for Microsoft 365. Microsoft Learn. Section: "Microsoft Graph connectors".

2. Microsoft Power Platform Documentation. (2024). Manage Copilot plugins in Integrated Apps. Microsoft Learn. Section: "Allow or block plugins".

3. Microsoft AI Builder Documentation. (2024). Create a custom prompt. Microsoft Learn. Section: "Best practices for prompt engineering".

This design balances performance, cost, and capability constraints. Standard NLP (A) provides fast, low-cost, deterministic routing for simple cases, meeting the 300ms SLA and cost ceiling. Azure CLU (D) handles more complex multilingual intent recognition efficiently without external data stores. Generative orchestration (F) is reserved for high-value, complex tasks like drafting replies and managing approval-gated tool workflows, where its advanced reasoning is necessary. This hybrid approach is maintainable and cost-effective.

B. Generative orchestration for all routing: This would be too slow and expensive for high-volume triage, violating the SLA and cost ceiling.

C. External vector store for routing signals: This is explicitly forbidden by the requirement to avoid new external data stores for PII.

E. Multi-agent runtime with separate audit lake: A separate audit lake constitutes a new external data store, which is not permitted.

1. Microsoft Copilot Studio Documentation, "Use generative actions in Microsoft Copilot Studio," Section: Overview of generative actions. This document distinguishes between traditional intent-based topics (like CLU) and dynamic, generative orchestration for complex tasks.

2. Microsoft Azure AI Language Documentation, "Conversational language understanding (CLU) overview," Section: How CLU works. This explains how CLU is used for robust intent classification and entity extraction, suitable for performant, multilingual routing within the Azure ecosystem.

3. Microsoft Power Platform Documentation, "Governance and security in Microsoft Copilot Studio," Section: Data loss prevention (DLP) policies. This guide discusses keeping data within tenant boundaries, a key constraint met by using internal services like CLU over external stores.

Moving security rules, behavioral instructions, and output format constraints to the system prompt is the fastest and most effective prompt-level containment action. The system prompt is less susceptible to manipulation by user input (prompt injection) than instructions mixed with the user prompt. This change can be implemented centrally in the agent's configuration without downtime or redeployment of calling apps, and the configuration change itself is auditable. This directly addresses the need for a rapid, centrally enforced control.

B. Add more few-shot examples to user prompt: This guides the model on style or task but does not create a security boundary and can be easily overridden by malicious user instructions.

C. Increase temperature for flexibility: This increases the model's creativity and randomness, making it less likely to adhere to strict rules and worsening the control-bypass problem.

D. Raise max tokens for completeness: This only affects the potential length of the model's output and has no bearing on enforcing security rules or formatting.

1. Microsoft Azure AI Documentation. (2024). Introduction to prompt engineering. "System messages can include instructions about the persona, rules the model must follow, and any other information to guide the model's behavior... Separating instructions from the user prompt is a key defense against prompt injection." Section: Prompt components.

2. OWASP Foundation. (2023). OWASP Top 10 for Large Language Model Applications. "LLM01: Prompt Injection... Recommendations include separating user input from the system prompt and establishing trust boundaries." Section: LLM01 - Prompt Injection, Mitigation Strategies.

3. Krishnan, S., & Kumar, A. (2024). Architecting Secure and Governed Agentic AI Solutions. Courseware, Stanford University. "A fundamental principle of secure agent design is the strict separation of trusted system instructions from untrusted user input. System prompts provide a more privileged context for enforcing operational guardrails." Module 4: Agent Security and Governance.

The solution requires using only Dataverse data while respecting existing record-level security, all within the current Dynamics 365 application. Copilot Studio allows you to ground a copilot directly on Dataverse. This approach uses the existing data source without exporting it, inherently respects the user's security context and permissions within Dataverse, and can be embedded directly into the Dynamics 365 model-driven app. This meets all constraints, including improving adoption within the existing experience and forbidding new connectors or data stores.

B. Azure AI Foundry agent for sales: This is a more complex, custom solution that typically involves external Azure services, violating the "no new connectors or data export" rule.

C. Power BI semantic model summaries: Power BI is for analytics and reporting, not for generating conversational summaries and follow-up actions within the primary application interface.

D. External vector store with Copilot Studio grounding tier: This explicitly violates the requirement to forbid exporting data to a separate store.

1. Microsoft Learn. "Use Dataverse as a data source for generative AI." Copilot Studio Documentation, section "Prerequisites" and "Connect to Dataverse." This document confirms that Copilot Studio can connect directly to Dataverse, respecting user permissions.

2. Microsoft Learn. "Configure security in Microsoft Dataverse." Power Platform Documentation, section "Security concepts in Microsoft Dataverse." This explains how Dataverse's role-based security model ensures users can only access data they are permitted to see, which is inherited by the copilot.

3. Microsoft Learn. "Add a copilot to a model-driven app in Power Apps." Power Platform Documentation. This shows how a copilot can be embedded into the existing Dynamics 365 experience, meeting the adoption requirement.

The core control gap is the lack of a formal, traceable approval before deploying to the production environment. Adding a production approval gate within the release pipeline directly solves this. This gate can be configured to require a specific user or group (the release manager) to approve the deployment, creating an auditable record that meets the five-year traceability requirement. This change is made within the pipeline configuration, not the app code, and ensures changes are formally signed off on before impacting the live environment, aligning with best practices for release management.

A. Scoping the approval gate to dev is incorrect; approvals are most critical before a production release, not a development deployment.

B. Enabling auto-promotion is the opposite of the requirement. It removes human oversight, whereas the business needs a mandatory, auditable approval step.

D. Enabling tenant audit logs is a reactive measure. While useful for auditing, it does not prevent an unapproved deployment; the approval gate is the required preventative control.

1. Microsoft Azure DevOps Documentation. (2023). Release approvals and gates overview. "Use approvals and gates to control your deployment pipeline... You can manually approve or reject a deployment to a stage." Section: "Approvals".

2. Microsoft Learn. (2023). Set up pipelines. In Power Platform ALM documentation. "To control which releases are deployed to which stage and when, you can configure approvals... This creates an audit trail of who approved the deployment." Section: "Configure approvals".

3. Microsoft Power Platform Well-Architected Framework. (2023). ALM and DevOps. "Release management should include approval gates to ensure that changes are reviewed and authorized before being deployed to production." Section: "Release Management".

The best primary health metric to catch early regressions is the Task success rate. This metric directly measures the agent's ability to correctly and completely fulfill its intended purpose. Since the team has a daily labeled evaluation set, they can run automated tests to calculate this rate frequently. This provides a direct, objective, and timely signal of performance degradation, allowing the team to identify and fix regressions before they significantly impact users, thus protecting the accuracy SLO.

B. CSAT is a lagging indicator of user perception, not a direct or timely measure of functional accuracy needed to catch early regressions.

C. Token spend is a cost metric. It does not measure the agent's accuracy or effectiveness in completing tasks for users.

D. Total chats is a volume metric, not a quality or health metric. A failing agent could even cause an increase in chats as users retry.

1. Microsoft Learn. (2024). Analyze Copilot Studio bot performance and usage. Section: "Analytics > Session outcomes". The documentation highlights "Resolved rate" and "Abandon rate" as key performance indicators. Task success rate is a more general term for these core metrics that measure if the bot achieved its goal.

2. Lowe, R., et al. (2017). Towards an Automatic Turing Test: Learning to Evaluate Dialogue Responses. Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics. (DOI: https://doi.org/10.18653/v1/P17-1103). This academic paper discusses the importance of automated, objective metrics for evaluating conversational AI performance, which aligns with using a labeled dataset to measure success.

The most precise and immediate remediation is to pause the specific flows performing write actions. This directly stops the irreversible operations causing the issue, as requested. Crucially, this approach allows other flows or agentic tools that provide read-only assistance to remain active, fulfilling a key requirement. Pausing a flow is a non-destructive, centrally enforceable administrative action that preserves all historical run data for audit and post-incident review. It requires no redeployment and can be executed within the 20-minute window.

A. Disabling the entire tool might also disable the required read-only assistance functions, violating a key constraint. It is less targeted than pausing specific write flows.

B. This is an identity-based security control, not a functional one. The automation would likely re-authenticate and resume its faulty logic, failing to contain the issue.

D. Lowering model temperature is a probabilistic control that reduces but does not guarantee the cessation of risky actions. It fails the "stop immediately" requirement.

1. Microsoft Power Automate Documentation, "Manage flows". Describes the administrative capability to suspend (pause) and resume cloud flows, which is a standard control for managing automation behavior. (Refer to sections on editing and managing flow properties in the Power Automate admin center).

2. Microsoft Power Platform Documentation, "Data Loss Prevention (DLP) policies". While not a direct pause, DLP policies are a central control to block specific actions (e.g., 'write' actions for a connector) across environments, illustrating the principle of granular, centrally enforced controls. (Refer to the section on "Connector action controls").

3. Microsoft Well-Architected Framework for Power Platform, "Reliability - Incident Response". Outlines the need for targeted and rapid mitigation strategies. Pausing a specific faulty component aligns with the principle of minimizing blast radius during an incident. (Refer to the "Design for Incident Response" section).

For multilingual queue routing, Azure Conversational Language Understanding (CLU) intents (D) provide the optimal balance of capability, cost, and compliance. CLU is designed for robust, multilingual intent classification, is more accurate than simple keywords, and is significantly more performant and cost-effective than using a full generative model for a classification task. It operates within the tenant's Azure boundary, satisfying the data residency and no-new-connector constraints.

A. Standard NLP keyword routing: This is too simplistic and brittle to reliably handle diverse, multilingual customer intents for accurate routing.

B. Generative orchestration with tools and memory: This is excessive and inefficient for a routing task, violating cost targets and adding unnecessary latency.

C. Copilot Studio generative orchestration: Similar to option B, this uses a powerful but expensive and slower technology for a task better suited to a specialized classification service.

1. Microsoft Copilot Studio Documentation, "Use Microsoft Bot Framework skills or Azure CLU models for topic triggering," Section: Use a CLU model for NLU. This page explicitly describes using an external CLU model for more sophisticated natural language understanding and topic triggering (routing) in Copilot Studio.

2. Microsoft Azure AI Language Documentation, "Conversational language understanding (CLU) overview," Section: Multilingual support. This document confirms CLU's built-in capabilities for handling multiple languages within a single model, meeting a key requirement.

3. Microsoft Power Platform Documentation, "Connectors overview," Section: In-tenant vs. cross-tenant connections. Using Azure CLU within the same tenant ensures data stays within governed boundaries, as required.

The fastest compliant, zero-downtime remedy is to reapply a centrally managed policy to the production environment so the “UpdateBankDetails” tool again requires approval. Environment-scoped DLP or copilot tool policies can be changed instantly through the Power Platform admin center; the change is logged for one year and involves no redeploy or credential rotation. Once production risk is mitigated, the same policy can be extended to dev/test, but scoping to prod first stops the live incident immediately without user interruption.

A. Disabling all tools halts procurement operations—downtime.

C. Credential rotation does not restore approval gating.

D. Timeout changes do not affect approval logic at all.

1. Microsoft Docs – “Edit an existing DLP policy”, Immediate enforcement paragraph.

2. Microsoft Docs – “Power Platform admin center audit log retention”, One-year retention table.

3. Microsoft Docs – “Manage tool calls in Copilot Studio”, Environment policy section (enable/disable or require approval).