ai-assisted

Purview Is the Gatekeeper Your Fabric Agents Need

Building an AI Governance Playbook Around Agentic Analytics Engineering

Frank Garofalo

Frank Garofalo

4 min read
Purview Is the Gatekeeper Your Fabric Agents Need

Agentic analytics is not a tooling rollout. It is a decision-rights problem disguised as productivity.

In Microsoft-heavy estates, the hardest part is not getting agents to work. It is deciding when they are allowed to act on trusted data.

That is why I think the common framing is wrong. If an agent can query, join, transform, summarize, or publish enterprise data, it is doing analytics engineering. It should inherit analytics governance, not bypass it.

Microsoft’s stack already points in this direction. Azure Architecture Center treats AI systems as architecture. Purview treats governance, security, and compliance as control planes. Fabric makes agentic capability easier to distribute across data workflows. The implication is clear: this is an operating model problem, not a feature rollout.

Start with ownership

Before you discuss copilots, define who owns what.

At minimum, name five owners:

  1. Data product owner — source suitability, business meaning, downstream use
  2. Platform owner — workspaces, deployment paths, runtime controls
  3. Governance owner — catalog standards, lineage expectations, stewardship
  4. Security owner — identity, access, connectors, monitoring, response
  5. Agent or app owner — tools, instructions, grounding scope, production behavior

Then define what each role can approve:

  • Source onboarding
  • Transformation logic changes
  • Semantic model publication
  • Agent tool access
  • Production deployment

My hard rule: no agent should cross domain boundaries by default, even inside one Fabric tenant or OneLake estate. Shared storage is not shared authority.

A practical standard is simple: agents may observe broadly in sandbox contexts, but they may only act inside named domains with accountable owners.

Why this matters

The blast radius has changed.

Classic self-service BI mostly stopped at exploration. Agentic systems can chain tools, modify transformations, invoke workflows, and publish outputs with much less friction.

That creates ordinary but expensive failure modes:

  • Silent schema drift that gets “worked around”
  • KPI rewrites without business approval
  • Lineage gaps no one can explain later
  • Over-broad workspace access across domains
  • Connector sprawl that opens exfiltration paths
  • Polished low-confidence outputs that get operationalized

One retailer I worked with learned this the hard way. A 40-person data team used an internal assistant to rewrite KPI logic against a trusted semantic model. The model was not the issue. The issue was that nobody could say who had authority to approve the new business definition before it reached an executive dashboard. The result was a delayed leadership report and a governance escalation over conflicting margin definitions.

That is the real risk: automated action without clear decision rights.

Three controls that matter most

If you are building a playbook for data leaders, focus on three things first.

1. Ownership boundaries

Every trusted dataset, semantic model, and agent-enabled workflow needs an accountable owner.

2. Lineage

If a transformation or answer cannot be traced, it should not be trusted in production.

For agentic analytics, lineage should cover:

  • Source data used
  • Transformation steps applied
  • Semantic layer involved
  • Tool calls invoked
  • Publication target
  • Grounding assets where relevant

This is where Purview matters. If the business consumes the output as trusted data, traceability is not optional.

3. Approval gates

Experimentation and production are not the same thing.

For experimentation, optimize for speed:

  • Narrow datasets
  • Synthetic or masked data where possible
  • Time-boxed sandboxes
  • Human review before publication
  • No autonomous write-back into trusted assets

For production, require gates:

  • Transformation changes need approval
  • Semantic changes need approval
  • New connectors need approval
  • Agent action enablement needs approval
  • Deployment needs approval

Every gate should answer three questions:

  1. What changed?
  2. Who approved it?
  3. What downstream assets are affected?

Make the controls operational

Governance fails when it lives in slide decks instead of delivery paths.

In Microsoft-heavy environments, I would operationalize controls through Fabric workspace classification, connector allowlists, Entra ID role checks, and Purview-backed lineage expectations.

Here is a simple Microsoft-specific example of the mindset:

# Deployment guardrails for workspace classification, approvals, and connector allowlist
$workspace = @{ Name = "prod-analytics"; Classification = "Confidential" }
$asset = @{ Name = "agent-kpi-model"; RequiredApprovals = 2; ReceivedApprovals = 2 }
$connectors = @("SqlServer", "FabricLakehouse")
$allowlist = @("SqlServer", "FabricLakehouse", "KeyVault")

if ($workspace.Classification -notin @("Internal", "Confidential")) { throw "Workspace classification not allowed." }
if ($asset.ReceivedApprovals -lt $asset.RequiredApprovals) { throw "Required approvals missing." }
if (@($connectors | Where-Object { $_ -notin $allowlist }).Count -gt 0) { throw "Connector allowlist violation." }

"Promotion approved for $($asset.Name) in $($workspace.Name)"

The point is not the script. The point is the pattern: promotion depends on explicit checks for workspace trust level, approvals, and allowed connectors.

That is what good governance looks like in practice.

A 90-day control stack

If I were standing this up this quarter, I would not start with autonomous actions. I would start with controlled reads, visible lineage, and deployment guardrails.

My first 90 days would look like this:

Put in place now

  • Architecture patterns from Microsoft’s Architecture Center
  • Least-privilege access for agent tools and connectors
  • Purview-backed catalog and lineage expectations
  • ALM controls for agents, connectors, actions, and data assets
  • Monitoring and incident response for agent-enabled workflows
  • Role-based readiness across governance, platform, and engineering teams

Allow first

  • Read-only grounded assistants over curated datasets
  • Agent-assisted SQL or code generation through existing review pipelines
  • Metadata discovery and lineage-assisted impact analysis
  • Natural language querying over curated semantic models

Delay on purpose

  • Autonomous write-back
  • Cross-domain joins by default
  • Connector sprawl
  • Production remediation actions
  • Unreviewed publication into trusted BI assets

The stance

Trust must be earned before agents are allowed to act on enterprise data.

So if you are a CDO, platform leader, or security leader, define four non-negotiables now:

  • Ownership
  • Lineage
  • Approval gates
  • Environment-specific permissions

This is not a vendor feature comparison. It is an operating model decision.

The teams that get this right will move faster later because they will not spend next year unwinding semantic drift, unauthorized transformations, and untraceable outputs.

Rate your approval-gate maturity from 1 to 5, and name the one control you still do not have in production.

#EnterpriseAI #DataGovernance #MicrosoftFabric

Sources & References

  1. Azure Architecture Center - Azure Architecture Center
  2. Microsoft Purview
  3. Developing in Agentic AI Systems Part 1 of 2 - Training
  4. Agent Framework documentation
  5. Azure developer documentation
  6. Study guide for Exam AB-100: Agentic AI Business Solutions Architect
  7. Course AB-100T00-A: Architecting agentic AI business solutions - Training
  8. Overview of Copilot in Fabric - Microsoft Fabric
  9. Security hub - Security
  10. Microsoft Learn for Organizations

Try it yourself

Run this tutorial as a Jupyter notebook: Download runbook.ipynb (30 cells, 25 KB).

Read more

Link copied