Unit 8 Module 11

pablorodMS · web-flow · commit 903c142f6a35 · 2026-02-18T13:08:34.000-06:00
diff --git a/learn-pr/wwl/design-responsible-ai-security-governance-risk-management-compliance/includes/8-design-access-controls-ground-data-model-tune.md b/learn-pr/wwl/design-responsible-ai-security-governance-risk-management-compliance/includes/8-design-access-controls-ground-data-model-tune.md
@@ -10,116 +10,88 @@ Grounding data is the authoritative information used to produce reliable model r
 
 ### Key Design Principles
 
-**Least privilege by default** - Allow the minimum necessary access for each role, agent, model, or service.
+- **Least privilege by default:** Allow the minimum necessary access for each role, agent, model, or service.
 
-**Rolealigned data partitions** - Separate grounding data by function (e.g., customer support, finance, engineering).
+- **Rolealigned data partitions:** Separate grounding data by function (e.g., customer support, finance, engineering).
 
-**Clear ownership and stewardship** - Assign accountable stakeholders who govern quality and security of each data domain.
+- **Clear ownership and stewardship:** Assign accountable stakeholders who govern quality and security of each data domain.
 
-**Auditability** - All access events and data retrieval operations must be logged and reviewable.
+- **Auditability:** All access events and data retrieval operations must be logged and reviewable.
 
-### Recommended Architecture Visual (TextBased)
+### Recommended Architecture
 
-[User / Agent Identity]
-
-        │
-
- RBAC / Managed Identity
-
-        │
-
-[Grounding Data Gateway]
-
-  │     │      │
-
-Finance HR  Product Docs
-
-  │     │      │
-
-  Enforced Access Boundaries
+:::image type="content" source="../media/recommended-architecture.png" alt-text="Recommended Architecture Diagram.":::
 
 ## 2. Securing Grounding Data Retrieval Workflows
 
 AI systems retrieve grounding data during search, retrievalaugmented generation (RAG), or context assembly. Each retrieval mechanism must enforce:
 
-**Connectorlevel authorization** restricting which data types the model can query
-
-**Structured query filtering** preventing models from accessing disallowed fields
+- **Connectorlevel authorization:** restricting which data types the model can query
 
-**DLP and sensitivity labeling** applied across all data stores
+- **Structured query filtering:** preventing models from accessing disallowed fields
 
-**Regionaligned access rules** ensuring data residency adherence
+- **DLP and sensitivity labeling:** applied across all data stores
 
-**Professional Visual: Retrieval Access Flow**
+- **Regionaligned access rules:** ensuring data residency adherence
 
-Prompt → Policy Check → Search Index → Sanitization Layer → Model Context Injection
+- **Retrieval Access Flow:** Prompt → Policy Check → Search Index → Sanitization Layer → Model Context Injection
 
 ## 3. Access Controls for Model Tuning
 
 Modeltuning operations—evaluation, supervised finetuning, or reinforcement learning—require elevated permissions. These processes must be insulated from production operations.
 
 ### Model Tuning Access Requirements
 
-Segregated environments for **development, evaluation, and production**
-
-Approval workflows for introducing new training datasets
-
-Verified data lineage and documentation of tuning datasets
-
-Security scanning of all tuning inputs
-
-Restricted ability to promote new tuned models into production
-
-### Model Tuning Role Matrix (TextBased)
+- Segregated environments for **development, evaluation, and production**
 
-Role                 | Permissions
+- Approval workflows for introducing new training datasets
 
-------------------------------------------------------
+- Verified data lineage and documentation of tuning datasets
 
-ML Engineer          | View training data, run tuning jobs
+- Security scanning of all tuning inputs
 
-Solution Architect   | Approve datasets, review tuning results
+- Restricted ability to promote new tuned models into production
 
-Security Admin       | Validate compliance, enforce policies
+### Model Tuning Role Matrix
 
-Ops Engineer         | Deploy approved tuned models
+:::image type="content" source="../media/model-tuning-role-matrix.png" alt-text="Model Tuning Role Matrix.":::
 
 ## 4. Designing Guardrails for Grounding Data and Tuning Inputs
 
 Guardrails protect both users and the system by preventing unsafe or noncompliant data from influencing model behavior.
 
 ### Examples of Guardrails
 
-Blocklists for prohibited document types
+- Blocklists for prohibited document types
 
-Sanitization pipelines removing PII or contractual data
+- Sanitization pipelines removing PII or contractual data
 
-Automated reviews validating safety and policy alignment
+- Automated reviews validating safety and policy alignment
 
-Alerting and anomaly detection for unusual data access or tuning patterns
+- Alerting and anomaly detection for unusual data access or tuning patterns
 
-### Visual: Guardrail Enforcement Model
+### Guardrail Enforcement Model
 
-[Raw Data] → [Validation Rules] → [Sanitization] → [Approved Dataset]
+:::image type="content" source="../media/guardrail-enforcement-model.png" alt-text="Guardrail Enforcement Model.":::
 
 ## 5. Operational Monitoring and Compliance Enforcement
 
 Continuous monitoring ensures access controls work as intended.
 
 ### Operational Controls
 
-Logging for prompt activity, tuning actions, and retrievalbased access
+- Logging for prompt activity, tuning actions, and retrievalbased access
 
-Periodic reviews of RBAC assignments
+- Periodic reviews of RBAC assignments
 
-Automated anomaly alerts for abnormal retrieval patterns
+- Automated anomaly alerts for abnormal retrieval patterns
 
-Governance dashboards tracking how grounding data is used
+- Governance dashboards tracking how grounding data is used
 
 ## References
 
-[https://learn.microsoft.com/en-us/training/modules/embrace-responsible-ai-principles-practices/7-put-responsible-ai-frameworks](/training/modules/embrace-responsible-ai-principles-practices/7-put-responsible-ai-frameworks)
+- [https://learn.microsoft.com/en-us/training/modules/embrace-responsible-ai-principles-practices/7-put-responsible-ai-frameworks](/training/modules/embrace-responsible-ai-principles-practices/7-put-responsible-ai-frameworks)
 
-[https://learn.microsoft.com/en-us/training/modules/build-copilot-ai-studio/3-search-data](/training/modules/build-copilot-ai-studio/3-search-data)
+- [https://learn.microsoft.com/en-us/training/modules/build-copilot-ai-studio/3-search-data](/training/modules/build-copilot-ai-studio/3-search-data)
 
-[https://learn.microsoft.com/en-us/azure/well-architected/ai/grounding-data-design](/azure/well-architected/ai/grounding-data-design)
+- [https://learn.microsoft.com/en-us/azure/well-architected/ai/grounding-data-design](/azure/well-architected/ai/grounding-data-design)
