Open
This PR adds comprehensive Azure Policy governance for Azure Machine Learning and AI Foundry resources.
Policy categories:
- Network Security: Disable public access, require private endpoints, VNet integration
- Identity Management: Disable local auth, require Azure AD/Entra ID
- Data Protection: Customer-managed key (CMK) encryption
- Model Governance: Restrict deployments to approved AI models
- Logging: Enable diagnostic logging for AI services
Files added:
- ai-governance.bicep: Main deployment file (subscription scope)
- ai-governance.bicepparam: Parameters for customization
- modules/ai-policy-initiative.bicep: Policy initiative definition
- modules/ai-policies.bicep: Individual policy assignments
- POLICIES.md: Documentation of all controls
Pull request overview
Adds subscription-scoped Azure Policy governance for AI resources (Azure ML + AI Foundry) and updates networking to better align with landing zone controls.
Changes:
- Introduces AI governance initiative + assignment templates and a parameter file for effect configuration.
- Enhances VNet deployment with optional DDoS protection and enforces NSG association for the PE subnet.
- Updates infra docs to describe the new AI governance capabilities.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| infra/vnet.bicep | Adds optional DDoS plan support, NSG creation/association, and outputs for integration. |
| infra/modules/ai-policy-initiative.bicep | Creates a custom policy initiative grouping built-in AI governance policies. |
| infra/modules/ai-policies.bicep | Adds individual policy assignments (resource-group oriented) with configurable enforcement toggles. |
| infra/config.json | Updates Foundry naming defaults. |
| infra/ai-governance.bicepparam | Adds a parameter set to drive policy effects and allowed model IDs. |
| infra/ai-governance.bicep | Deploys the initiative and assigns it at subscription scope with environment-based enforcement mode. |
| infra/README.md | Documents how to deploy and configure AI governance policies. |
| infra/POLICIES.md | Adds detailed policy documentation, categories, and deployment guidance. |
Contributor
will approve and fix the stuff it found in my code.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>