Security internals: identity, network, access, data

One major aspect of platform governance is data protection and risk mitigation. As more code is AI-generated, getting the security policies and configuration right is essential to prevent data leaking into the wrong hands. Power Platform has the controls, but they're scattered across different layers - network isolation, identity, access control, encryption.

We'll start with authentication fundamentals in Power Apps, Power Automate and Copilot Studio (on-behalf-of (OBO) token flows, service principal client credentials), showing the right identity patterns and the bad ones to avoid, such as handing out service account credentials or letting vendors use privileged identities.

Then we'll go through each security layer in turn. Identity and access: Entra ID fundamentals, Power Platform management roles, PIM for just-in-time access, Managed Identities, Conditional Access. Network isolation: VNet integration with subnet delegation and private endpoints when compliance demands it. Boundary protection: IP firewall, tenant isolation, cookie binding, CSP headers, app access control with audit-mode discovery. Data protection: Customer-Managed Keys for key ownership.

Application-layer controls in Dataverse: security roles with privilege depth, automated assignment through Entra ID groups, Modernized Business Units, Access Teams, Column-Level Security, Hierarchy Security, Purview labels. For Copilot Studio: the same network isolation patterns applied to knowledge sources and MCP servers.

The goal is understanding which controls address your actual risks, how to configure them, what the trade-offs are, and when they're worth the overhead.

Tomas Prokop

Microsoft MVP / Power Platform Architect

Prague, Czechia
