added md files

Author: DivyaGundreddy

learn-pr/wwl-azure/explore-ai-governance-ai-ready-infrastructure/includes/2-microsoft-foundry-governance-capability.md

@@ -0,0 +1,44 @@
+## Microsoft Foundry's role in AI infrastructure governance
+
+When you deploy AI workloads across Azure OpenAI, Azure Machine Learning, and Cognitive Services, you create a distributed infrastructure that spans multiple subscriptions, regions, and resource groups. Without centralized governance, each team manages policies independently, leading to inconsistent security controls, fragmented cost tracking, and compliance gaps that auditors discover only during reviews. Microsoft Foundry addresses this by offering a single governance layer that works with Azure Policy, Microsoft Purview, and Azure Monitor to apply controls automatically across all AI resources.
+
+Microsoft Foundry lets you define governance boundaries at the management group or subscription level and automatically enforce policies across your entire resource hierarchy. Centralized controls for tagging, regional restrictions, and responsible AI ensure every AI deployment is compliant before provisioning, while providing real-time visibility into cost, metadata, and compliance.
+
+With Microsoft Foundry, you can:
+- Define governance policies once and apply them consistently through inheritance across all subscriptions and resources  
+- Enforce tagging, regional limits, and responsible AI controls automatically for all AI deployments, regardless of how they’re created  
+- Gain continuous, real-time insight into resource usage, costs, and compliance without manual inventory tracking
+
+
+## Policy enforcement for AI workloads
+
+
+Microsoft Foundry extends Azure Policy by providing prebuilt templates designed specifically for governing AI infrastructure. These templates help ensure governance and compliance requirements are enforced automatically before any AI resource is deployed.  
+- Common scenarios include mandatory tags for cost center tracking, restricting AI service deployments to approved regions for data residency compliance, and limiting SKU selections to control costs.  
+- Foundry also enforces responsible AI configurations, such as content filtering and abuse monitoring, and evaluates all applicable policies whenever an AI engineer attempts a deployment.
+
+Microsoft Foundry also streamlines policy enforcement by preventing noncompliant resources from ever reaching production. This proactive approach reduces manual effort and eliminates the need for later remediation.  
+- For example, instead of manually defining a **CostCenter** tagging rule per subscription, you select a prebuilt tagging policy template, specify the required tags, and assign it at the management group level.  
+- Any Azure OpenAI deployment missing the **CostCenter** tag fails immediately with a clear error message, avoiding downstream fixes during monthly governance audits.
+
+
+## Resource organization and cost management
+
+Foundry uses Azure's resource hierarchy—management groups, subscriptions, resource groups—to organize AI workloads by business domain, project, or compliance boundary. This hierarchical structure becomes powerful when combined with budget controls and spending limits. You can assign a monthly budget to a resource group containing a specific AI project, configure alerts when spending reaches 80% and 100% of the threshold, and optionally block new deployments once the budget is exhausted. This prevents the scenario described in the introduction, where unmonitored AI experimentation leads to unexpected charges.
+
+At the same time, Foundry integrates cost data with resource tagging, enabling you to generate chargeback reports that show exactly which department, project, or cost center consumed AI resources during a billing period. Organizations using this capability report 25-30% reduction in unplanned AI infrastructure spending because teams gain visibility into their consumption patterns and adjust usage proactively. Your finance team receives automated reports showing AI costs by business unit, while project managers see real-time spending trends in the Foundry dashboard, creating accountability without manual cost tracking.
+
+:::image type="content" source="../media/resource-hierarchy-management-group.png" alt-text="Diagram showing how Microsoft Foundry integrates cost data with resource tagging.":::
+
+## Compliance tracking and audit readiness
+
+Microsoft Foundry maintains detailed audit logs for every governance decision: policy evaluations, resource deployments, configuration changes, and access requests. These logs integrate with Microsoft Purview to provide compliance dashboards aligned with regulatory frameworks like ISO 27001, and SOC 2. When auditors request evidence that your organization enforces data residency requirements, you export a Foundry compliance report showing all AI deployments, their regions, the policies that governed their placement, and any exceptions granted through documented approval workflows.
+
+This automated evidence collection transforms compliance from a quarterly burden into a continuous process. Instead of spending weeks reconstructing resource inventories and policy enforcement records, your compliance officer generates current reports on demand. Organizations using Foundry's compliance features complete regulatory reviews 60% faster because the audit trail exists automatically, validated through policy enforcement rather than self-reported by engineering teams. Building on this foundation, you're ready to explore how to configure specific governance policies that balance innovation velocity with the control requirements your organization demands.
+
+
+:::image type="content" source="../media/microsoft-foundry-governance-flow.png" alt-text="Diagram with Microsoft Foundry at the center connecting to four governance pillars.":::
+
+*Microsoft Foundry governance architecture showing integration with Azure Policy, resource hierarchy, cost controls, and Microsoft Purview*
+
+

learn-pr/wwl-azure/explore-ai-governance-ai-ready-infrastructure/includes/3-configure-governance-policy-workloads.md

@@ -0,0 +1,58 @@
+## Selecting the right governance policies
+
+Now that you understand how Microsoft Foundry integrates governance capabilities, you need to decide which policies your organization should implement and how strictly to enforce them. This decision balances three competing priorities: enabling rapid AI experimentation, maintaining compliance with regulatory requirements, and controlling infrastructure costs. Your approach varies depending on whether you're governing a development sandbox where teams test new models, a staging environment where solutions undergo validation, or a production deployment serving customers.
+
+Start by identifying your organization's non-negotiable requirements—policies you must enforce immediately because they address legal obligations or critical security controls. Data residency regulations typically fall into this category: if your organization operates in the European Union and must comply with regulations, you need policies that prevent AI deployments in non-EU regions from day one. Similarly, if your security team mandates content filtering for all customer-facing AI endpoints, that policy should block noncompliant deployments rather than merely auditing them. With these critical policies defined, you can then layer on cost controls and operational standards that you initially enforce through audit mode, giving teams visibility into compliance status before switching to deny mode.
+
+## Resource tagging for governance and cost allocation
+
+
+Resource tagging is the foundation of effective AI infrastructure governance because it enables both policy enforcement and financial accountability. By requiring specific tags on every AI deployment—such as **CostCenter**, **Owner**, **Environment**, and **Project**—you create standardized metadata that supports multiple governance objectives at once. These tags ensure AI resources are traceable, auditable, and manageable across finance, operations, and compliance functions.
+
+- **CostCenter** tags enable finance teams to generate chargeback and showback reports that clearly attribute AI spending to the correct department  
+- **Owner** tags allow operations teams to quickly identify the responsible individual when issues such as Azure OpenAI throttling or quota limits occur  
+- **Environment** tags help compliance teams distinguish between production workloads requiring strict controls and development environments that need greater flexibility  
+
+
+Microsoft Foundry enforces these tagging requirements through Azure Policy using deny mode, preventing resource creation when required tags are missing. This approach embeds governance directly into the deployment process rather than relying on retroactive audits. When an engineer attempts to deploy an AI resource without mandatory tags, the deployment is blocked with immediate, actionable feedback.
+
+- Azure Policy evaluates resource creation requests and denies deployments that don't include required tags such as **CostCenter**, **Owner**, or **Environment**  
+- Engineers receive immediate error messages (for example, *"Deployment blocked: Resource missing required tag ‘CostCenter’"*), creating a built‑in learning moment  
+- This enforcement model prevents untagged AI resources from entering the environment, reducing inventory sprawl and avoiding governance gaps discovered only during quarterly reviews  
+
+
+## Regional restrictions and data residency
+
+Regulatory frameworks like HIPAA and various national data protection laws often mandate that certain data remain within specific geographic boundaries. Microsoft Foundry implements these requirements through regional restriction policies that define approved Azure regions for AI workload deployment. Unlike resource tagging, which you might initially enforce through audit mode, regional restrictions typically use deny mode from implementation because data residency violations create legal liability that justifies strict enforcement.
+
+When you configure a regional restriction policy in Foundry, you specify the allowed regions based on your compliance requirements and assign the policy at the management group level so it applies to all subscriptions your AI teams use. For a multinational organization, this might mean creating separate management groups for different geographic regions: one for EU operations restricted to West Europe and North Europe, another for US operations allowed to use East US and West US, and a third for Asia-Pacific workloads permitted in Southeast Asia and Australia East. This approach ensures that teams in each region can work efficiently within their approved boundaries while preventing cross-region deployments that would violate data residency requirements.
+
+:::image type="content" source="../media/regulatory-frameworks-national-data-protection.png" alt-text="Diagram showing how Microsoft Foundry implements  requirements through regional restriction policies.":::
+
+## SKU limitations and cost controls
+
+Azure AI services offer multiple pricing tiers and model versions with dramatically different cost profiles. A GPT-4 deployment with high token throughput can consume thousands of dollars weekly, while a GPT-3.5 instance with moderate throughput might cost a few hundred. Microsoft Foundry helps you manage this cost variability through SKU limitation policies that restrict which service tiers and model versions teams can deploy. However, unlike data residency policies that require immediate strict enforcement, SKU limitations benefit from a phased approach that starts with visibility before imposing restrictions.
+
+Begin by implementing SKU policies in audit mode, which logs when teams deploy premium AI services but doesn't block the deployments. This audit period—typically 30 to 60 days—reveals your organization's actual usage patterns: which teams need GPT-4 for production customer interactions versus those using it for development experimentation, which projects justify high-throughput instances based on user demand, and which deployments could use lower-cost alternatives without impacting results. With this baseline established, you transition the policy to deny mode for development and staging environments, requiring teams to submit exception requests that justify premium SKUs for nonproduction use. Production environments might maintain more flexible SKU policies but pair them with budget alerts that notify project managers when spending approaches approved thresholds.
+
+## Responsible AI guardrails
+
+Microsoft Foundry integrates responsible AI controls that help organizations deploy AI systems safely and ethically. These guardrails include content filtering that blocks harmful outputs, abuse monitoring that detects unusual usage patterns suggesting misuse, prompt injection protection that prevents attacks manipulating model behavior, and data logging requirements that maintain audit trails for investigation when issues occur. The appropriate enforcement approach for these controls varies by environment and use case.
+
+For production AI endpoints serving customers, responsible AI guardrails should use deny mode because the reputational and legal risks of deploying an unprotected AI system outweigh any innovation velocity gains. Your policy might require that all customer-facing Azure OpenAI deployments enable content filtering for hate speech, violence, and self-harm at medium or high sensitivity levels. You might allow development and staging environments to operate in audit mode, giving data scientists flexibility to test content filtering configurations and understand how different sensitivity levels impact their specific use cases. A tiered approach balances safety in production with the experimentation necessary to optimize responsible AI settings before customer exposure.
+
+## Policy inheritance and scope management
+
+Microsoft Foundry uses Azure's resource hierarchy to simplify policy management through inheritance. When you assign a policy at the management group level, all subscriptions and resource groups beneath that management group inherit the policy automatically. This inheritance model means you configure governance requirements once at the appropriate organizational level, then allow exceptions only through documented exclusion processes that maintain your audit trail.
+
+:::image type="content" source="../media/policies-assigned-management-group-level-cascade.png" alt-text="Diagram showing how policies assigned at management group level cascade to subscriptions, resource groups, and individual AI resources.":::
+
+Consider how this works in practice for a large organization with multiple business units. You create a root management group representing your entire organization and assign core policies that apply universally: required resource tagging, responsible AI guardrails for production, and broad regional restrictions based on your global compliance posture. Beneath this root, you create management groups for each business unit—Sales, Marketing, Engineering—and assign unit-specific policies like budget limits reflecting each unit's AI investment approval. Individual subscriptions inherit both the organization-wide policies and their business unit policies, creating a layered governance framework that enforces consistent standards while accommodating unit-specific requirements. When an AI engineer deploys a resource, Foundry evaluates the complete policy stack from root to subscription, denying the deployment if any policy reports a violation.
+
+With this understanding of policy types, enforcement modes, and inheritance patterns, you're ready to implement governance controls in a hands-on exercise that demonstrates how these concepts work together to balance AI innovation with organizational requirements.
+
+:::image type="content" source="../media/policy-evaluation-flow-deploy-services.png" alt-text="Diagram showing an AI engineer requesting an Azure OpenAI deployment through Microsoft Foundry.":::
+
+*Policy evaluation flow when deploying AI resources through Microsoft Foundry, showing approval and denial paths*
+
+