Financial services didn’t get cautious by accident. Banks, insurers, and capital markets firms have learned—repeatedly—that the fastest way to turn a promising innovation into a headline is to let it outrun governance.
GenAI is no different. In most institutions, the gap isn’t “we don’t have models.” The gap is that we don’t have a trusted, permission-aware way to ground agents on enterprise knowledge—without quietly bypassing entitlements, data classifications, and audit expectations.
In this post, I’ll lay out what Azure Foundry IQ (Microsoft’s current naming is Foundry IQ inside Microsoft Foundry, formerly Azure AI Foundry) actually is, why it should matter to CTOs, CROs, and CISOs, and how its value shows up in business outcomes, business risk avoided, and compliance risk—specifically in Financial Services.
The core problem in financial services: agents are only as safe as their “knowledge plumbing”
If you’ve watched a bank attempt to scale GenAI beyond pilots, you’ve probably seen some version of this pattern:
An internal assistant starts as a simple RAG proof-of-concept. Then a second team builds a different pipeline. Then a third team ships “the same thing” with slightly different retrieval logic, different chunking, different indexing schedules, different access trimming, and different interpretations of what “confidential” means.
In a regulated industry, that duplication isn’t just wasteful—it’s dangerous:
- A customer-facing workflow can “hallucinate” policy or product terms and create conduct risk.
- A staff assistant can leak nonpublic information across lines of business if retrieval isn’t permission-trimmed.
- An examiner can ask, “Where did that answer come from?” and the team can’t produce a defensible trail.
Foundry IQ matters because it is Microsoft’s attempt to make the knowledge layer a first-class, reusable, governed component—rather than bespoke glue code hidden inside each assistant.
What Azure Foundry IQ is—without the marketing haze
Foundry IQ (preview) is a way to build a configurable, multi-source knowledge base that agents can call to retrieve grounded content, enforce user permissions, and return results with citations. Multiple agents can share the same knowledge base.
Under the hood, it’s built on Azure AI Search knowledge bases and its agentic retrieval engine. In practice, that means Foundry IQ is not “a model.” It’s the retrieval and governance layer that sits between your agents and the sprawling reality of enterprise content.
A few features that are especially relevant in financial services:
- Multi-source grounding: knowledge bases can connect to indexed or remote sources such as Azure Blob Storage, OneLake, SharePoint, and the public web (via Bing grounding).
- Agentic retrieval: the retrieval engine can plan queries, select sources, run parallel searches, and iterate when results aren’t good enough—so the agent gets better context without brute-force token waste.
- Quality uplift (measured): Evaluations where knowledge bases using query planning and reflective search show an average 36% improvement in answer score versus “traditional RAG” approaches that brute-force across sources. That’s not a guarantee for your corpus—but it’s a meaningful directional signal for enterprise-scale retrieval.
- Permission-aware retrieval: it can synchronize document-level ACLs, honor Microsoft Purview sensitivity labels, and enforce permissions at query time by running queries under the caller’s Microsoft Entra identity.
That last bullet is where the conversation becomes very real for the CTO, CRO, and CISO—because it’s exactly where most “DIY RAG” implementations quietly fall apart in regulated environments.
Why the CTO should care: faster delivery, less reinvention, and a cleaner path to ROI
CTOs don’t need another GenAI pilot. They need a platform pattern that scales across lines of business without turning into a retrieval “tower of Babel.”
Foundry IQ’s CTO-value is straightforward: standardize the knowledge layer so teams can ship agents faster and with fewer bespoke retrieval decisions. The product framing emphasizes reusable knowledge bases, automated indexing pipelines, and built-in security/identity/policy—exactly the parts that bog teams down when every project rebuilds the same plumbing.
Where the business value shows up:
- Speed to delivery: “point-and-click” or programmatic setup of knowledge bases that multiple agents can reuse reduces lead time for the 10th agent you build (the one that finally matters).
- Better outcomes per token: retrieval that plans, selects, and iterates is designed to avoid brute-force searching across everything—which is often how costs spiral in early deployments.
- Architectural leverage: when retrieval behavior and knowledge-source configuration live in a shared knowledge base, you can improve answer quality and governance in one place instead of refactoring every agent separately.
For financial services, the hidden CTO win is organizational: Foundry IQ creates a plausible boundary between “agent experience” and “knowledge governance.” That separation is often the difference between experimentation and an operating model.
(And yes: it’s in public preview, so CTOs should treat it as a strategic direction and an adoption target—not as a blanket green light for production workloads. That nuance matters.)
Why the CRO should care: fewer avoidable losses, fewer “AI incidents,” and better control of model risk
Chief Risk Officers live in the world of second-order effects: small flaws that scale into large losses. GenAI risk in financial services rarely starts as “the model is evil.” It starts as the model is confidently wrong or the system answered with information the user should never have seen.
Foundry IQ helps reduce those failure modes in three ways that map cleanly to CRO concerns:
Grounding with citations creates controllability. If the agent can return extractive content with citations, risk teams can test whether answers map back to approved sources (policies, procedures, disclosures, product documentation). That’s a different posture than “trust the model.”
Better retrieval lowers operational risk. The improvements from query planning and reflective search are not just “nice UX.” They reduce the chance that an agent misses the one clause in a policy that flips the decision. In banking, that is the difference between a clean process and a control failure.
Permission-aware answers reduce conduct and confidentiality risk. In financial services, “unauthorized disclosure” isn’t theoretical—think Chinese wall constraints, restricted lists, insider risk, and cross-LOB segmentation. Foundry IQ’s emphasis on ACL synchronization, Purview label enforcement, and Entra identity-based queries goes directly at that problem.
If you want a familiar risk-language mapping: this is an enabler for stronger governance around AI behaviors that fall under model risk management expectations (e.g., the long-standing SR 11-7 guidance that emphasizes robust development, validation, and governance for models used in decision-making). Whether your agents are “models” in the classic sense or not, regulators tend to care about impact and control.
This is where risk management becomes practical: not “ban AI,” but “make its knowledge path testable and policy-aligned.”
Why the CISO should care: the difference between “RAG” and data exfiltration-as-a-feature
Most security leaders are not worried about the agent being creative. They’re worried about it being helpful in exactly the wrong way.
A typical failure pattern: someone builds a RAG layer that uses a privileged service account to index content, and then the assistant starts answering questions that cross entitlements because the retrieval layer is not enforcing the end-user’s identity.
Foundry IQ is explicitly positioned to avoid that trap:
- It can synchronize document-level ACLs and apply query-time trimming aligned with each user’s permissions.
- It can honor Microsoft Purview sensitivity labels, with labels extracted during indexing and enforced at query time.
- It can run queries under the caller’s Microsoft Entra identity for end-to-end permission enforcement.
For CISOs in financial services, this is the heart of it:
You don’t get to call an AI assistant “internal” if it can surface restricted information to the wrong employee.
Purview integration is especially relevant because classification and protection are already part of many financial institutions’ control environments. Microsoft’s guidance for Purview notes that RAG-based apps using AI Search can honor sensitivity labels similarly to Microsoft 365 Copilot, including enforcement behavior for protected/encrypted items based on user rights.
This is why Foundry IQ is not just an “AI feature.” It’s part of a larger security story around governed retrieval in the era of agents—squarely in cybersecurity and AI territory.
Compliance risk: where Foundry IQ can reduce friction with regulators (and where it won’t)
It’s tempting to talk about compliance as if tools “make you compliant.” They don’t.
But tools absolutely influence whether compliance is plausible at scale.
Here are three compliance lenses where Foundry IQ’s design choices line up well for financial services:
Access controls and audit expectations
Regulations and supervisory expectations consistently emphasize access control, least privilege, and auditability. As one concrete example, NYDFS 23 NYCRR 500 includes requirements around access privileges and audit trails.
Foundry IQ’s emphasis on permission trimming, Entra identity-based queries, and label-aware retrieval supports the spirit of those expectations—especially when your alternative is a bespoke RAG service with unclear entitlement handling.
Privacy and safeguarding obligations
In the U.S., financial institutions operate under a patchwork of privacy and safeguarding expectations (GLBA-related obligations, SEC Regulation S‑P for many market participants, and FINRA guidance reinforcing customer information protection).
The compliance risk isn’t only “a breach happened.” It’s also that your controls cannot convincingly demonstrate that sensitive data is accessed and disclosed appropriately. Permission-aware grounding and label enforcement are directly relevant control mechanisms in that context.
Operational resilience and third-party risk
In the EU, DORA has been in application since January 17, 2025, strengthening expectations around ICT risk management and resilience for financial entities.
Foundry IQ does not “solve DORA.” But it sits in the zone DORA cares about: operational discipline for critical systems, governance for technology dependencies, and a defensible approach to how AI-enabled processes interact with sensitive enterprise data.
And as the EU AI Act becomes fully applicable on August 2, 2026 (with earlier obligations already phased in), financial services firms operating globally will increasingly be expected to explain how AI systems are governed, controlled, and monitored—not just how impressive they are.
A pragmatic adoption posture for financial services leaders
Because Foundry IQ is public preview today, the best approach is to treat it as both:
- a near-term way to improve pilots and internal assistants, and
- a directional architectural pattern for scaled agent deployments.
A sensible financial services path looks like this:
Start with internal use cases where the value is high and blast radius is bounded (operations, engineering, policy navigation, incident response). Use the knowledge base as a controlled asset: curate sources, validate outputs, and measure retrieval quality—not just model fluency.
At the same time, make governance explicit: align to a risk framework (many teams use NIST’s AI RMF as a shared vocabulary for trustworthy AI outcomes), and map controls to your existing security and compliance regime.
This is the work that turns “we experimented with GenAI” into “we operate AI safely.”
The takeaway: Foundry IQ is less about smarter agents—and more about safer scaling
Let’s recap what we covered.
Foundry IQ matters in financial services because it targets the real bottleneck: governed, permission-aware access to enterprise knowledge. For the CTO, it offers standardization and reuse that improves time-to-value. For the CRO, it reduces avoidable loss pathways by grounding answers with citations and improving retrieval quality. For the CISO, it directly addresses the “RAG bypassed our entitlements” failure mode through identity- and label-aware enforcement.
If you’re leading technology, risk, or security in a bank, insurer, or broker-dealer, the question isn’t whether you will deploy agents. It’s whether your agents will be built on knowledge plumbing you can defend—under audit, under exam, and under pressure.
That’s why Azure Foundry IQ should be on the C‑suite radar.
