AI-Powered Internal Request Automation

The most important architectural decision: Power Automate runs first. Regex, keyword matching, and business rules resolve obvious requests in milliseconds at zero LLM cost. AI only activates when rules cannot match. This separates mature engineering from junior automation.

Internal policies change constantly. Fine-tuning embeds knowledge into the model — requiring retraining on every policy change. With RAG, update the document, the system immediately answers with the new version. Also enables citable sources for SOX audits.

Copilot Studio, Power Automate, Dataverse, Azure OpenAI, and Entra ID fit the existing environment — governance is built-in, identity and audit come standard. A custom Python stack would require building security and audit from scratch: wrong trade-off in a regulated environment.

Sensitive categories (financial data access, credentials, compliance requests) always route to human review regardless of confidence score. In a regulated environment, confident-and-wrong is the most expensive failure mode.

This architecture is not a one-time bot. The pipeline, governance layers, and logging become a reusable template. Every future agent uses the same foundation — security gate, audit trail, confidence routing — without rebuilding from scratch.

Every action is tied to a verified Entra ID identity. Every step — who asked, what was retrieved, who approved, when — is logged to Dataverse with timestamps. Audit trail begins before any processing, not after. An auditor can answer any question from the log.