Part 4: The Azure AI Foundry Operating Model - Roles & Responsibilities

Part 4 of 13: The Azure AI Foundry Operating Model - Roles & Responsibilities

Published by: Azure User Group Nepal
Series: Enterprise AI Governance, Security & Infrastructure with Azure AI Foundry


Introduction

You've learned the architecture (Part 1), security controls (Part 2), and governance framework (Part 3). Now comes the organizational question: Who does what?

In a traditional IT environment, the IT team does everything. But Azure AI Foundry requires a distributed operating model where different teams own different responsibilities. The IT team owns the Hub. The business unit owns the Project. The data team owns the Connections. Without clear role definitions, you get confusion: duplicate work, conflicting decisions, accountability gaps.

Your retail company has multiple teams: IT, HR, Data, Security, Compliance. Each team needs to understand its role in the Azure AI Foundry operating model, the responsibilities that come with it, and how it interacts with the other teams.

This post explains how to build an operating model for Azure AI Foundry.

What you'll learn in this post:

  • The key roles in Azure AI Foundry
  • The responsibilities of each role
  • How roles interact with each other
  • How to assign roles in your organization
  • How to manage role transitions

Prerequisites: Parts 1-3 (Architecture, Security, Governance)

Complexity Level: Low-Medium


The Five Key Roles in Azure AI Foundry

The Azure AI Foundry operating model has five key roles:

Role 1: Hub Admin

Hub Admin is responsible for the Hub—the central governance and security boundary.

Hub Admin responsibilities:

  • Create and manage the Hub
  • Define Hub-level policies (data residency, encryption, audit)
  • Approve Project creation requests
  • Manage Hub security (network, identity, encryption)
  • Manage Hub audit logs
  • Manage Hub costs
  • Manage Hub compliance

Hub Admin skills required:

  • Azure infrastructure knowledge
  • Security and compliance knowledge
  • Governance and policy knowledge
  • Project management skills

In your retail scenario:

  • Hub Admin: IT Director or Cloud Architect
  • Hub Admin team: 2-3 people (IT team)
  • Hub Admin responsibilities:
    • Create the Hub in Azure
    • Define data residency policy (EU data in EU, US data in US)
    • Define encryption policy (all data encrypted with CMK)
    • Define network policy (all services use Private Endpoints)
    • Approve Project creation requests from business units
    • Manage Hub security controls
    • Monitor Hub audit logs for compliance violations
    • Manage Hub costs and budgets

Role 2: Project Owner

Project Owner is responsible for a specific Project—an isolated workspace for a specific AI initiative.

Project Owner responsibilities:

  • Create and manage the Project
  • Define Project-level policies
  • Add/remove team members
  • Manage Project data
  • Request production deployment
  • Manage Project budget
  • Manage Project compliance

Project Owner skills required:

  • Business domain knowledge
  • Project management skills
  • Data governance knowledge
  • Compliance knowledge

In your retail scenario:

  • Project Owner: HR Lead or Business Unit Manager
  • Project Owner team: 1-2 people (business unit)
  • Project Owner responsibilities:
    • Create the chatbot Project within the Hub
    • Define Project data (HR knowledge base, IT support docs)
    • Add team members (Data Scientists, ML Engineers, Reviewers)
    • Request production deployment
    • Manage Project budget ($10,000/month)
    • Ensure Project complies with GDPR and PCI-DSS
    • Monitor Project performance and costs

Role 3: Data Team

Data Team is responsible for Connections—secure access to external services.

Data Team responsibilities:

  • Create and manage Connections
  • Manage credentials (store in Key Vault)
  • Control access to Connections
  • Manage data access
  • Manage data quality
  • Manage data governance

Data Team skills required:

  • Data engineering knowledge
  • Security and compliance knowledge
  • Data governance knowledge
  • SQL/Python knowledge

In your retail scenario:

  • Data Team: Data Engineer or Data Architect
  • Data Team size: 2-3 people (data team)
  • Data Team responsibilities:
    • Create Connection to Azure OpenAI
    • Create Connection to HR system
    • Create Connection to Data Lake
    • Manage credentials in Key Vault
    • Control who can use each Connection
    • Ensure data quality
    • Ensure data governance compliance

Role 4: Data Scientist / ML Engineer

Data Scientist / ML Engineer is responsible for developing AI models.

Data Scientist / ML Engineer responsibilities:

  • Develop models
  • Train models
  • Test models
  • Deploy models to staging
  • Request production deployment
  • Monitor model performance

Data Scientist / ML Engineer skills required:

  • Machine learning knowledge
  • Python/R knowledge
  • Data analysis knowledge
  • Model development knowledge

In your retail scenario:

  • Data Scientist: 2-3 people (project team)
  • Data Scientist responsibilities:
    • Develop chatbot model
    • Train model on HR knowledge base
    • Test model in dev environment
    • Deploy model to staging environment
    • Request production deployment
    • Monitor model performance in production

Role 5: Security Reviewer

Security Reviewer is responsible for reviewing and approving production deployments.

Security Reviewer responsibilities:

  • Review production deployment requests
  • Verify security controls
  • Verify compliance controls
  • Approve/reject production deployment
  • Investigate security incidents
  • Manage security exceptions

Security Reviewer skills required:

  • Security knowledge
  • Compliance knowledge
  • Risk assessment knowledge
  • Incident response knowledge

In your retail scenario:

  • Security Reviewer: Security Architect or Security Lead
  • Security Reviewer team: 1-2 people (security team)
  • Security Reviewer responsibilities:
    • Review chatbot production deployment request
    • Verify network security controls
    • Verify identity security controls
    • Verify encryption controls
    • Verify audit logging controls
    • Approve production deployment
    • Investigate any security incidents

RACI Matrix

Here's a RACI matrix showing who is Responsible, Accountable, Consulted, and Informed for key activities:

Activity                  Hub Admin   Project Owner   Data Team   Data Scientist   Security Reviewer
Create Hub                R/A         I               I           I                C
Create Project            C           R/A             I           I                C
Create Connection         C           I               R/A         C                C
Add team member           I           R/A             I           I                I
Develop model             I           C               C           R/A              I
Train model               I           C               C           R/A              I
Deploy to staging         I           C               C           R/A              I
Request prod deployment   I           R/A             I           C                C
Approve prod deployment   I           I               I           I                R/A
Manage Hub security       R/A         I               C           I                C
Manage Project data       I           R/A             C           C                I
Manage Connections        I           I               R/A         C                C
Monitor audit logs        R/A         C               I           I                C
Investigate incidents     C           I               C           I                R/A

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed


Terraform Implementation Approach

To implement the operating model, you'll use Terraform to create RBAC role assignments:

# Hub Admin role: Owner on the Hub (the governance boundary).
# Each principal is an Entra ID (Azure AD) security group managed with the
# azuread provider, so joiners and leavers are handled by group membership
# rather than by editing role assignments (a user-assigned managed identity
# is a workload identity, not a container for people).
resource "azurerm_role_assignment" "hub_admin" {
  scope                = azurerm_machine_learning_workspace.hub.id
  role_definition_name = "Owner"
  principal_id         = azuread_group.hub_admin.object_id
}

# Project Owner role: Contributor scoped to the Project workspace, not the Hub,
# so the business unit cannot change Hub-level policy. Assumes the Project
# workspace is defined as azurerm_machine_learning_workspace.project.
resource "azurerm_role_assignment" "project_owner" {
  scope                = azurerm_machine_learning_workspace.project.id
  role_definition_name = "Contributor"
  principal_id         = azuread_group.project_owner.object_id
}

# Data Team role: Key Vault Administrator on the Hub's Key Vault, where
# Connection credentials are stored. No workspace role is granted here.
resource "azurerm_role_assignment" "data_team" {
  scope                = azurerm_key_vault.hub_kv.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = azuread_group.data_team.object_id
}

# Data Scientist role: Contributor on the Project workspace only, which is
# enough to develop, train and deploy to staging within that Project.
resource "azurerm_role_assignment" "data_scientist" {
  scope                = azurerm_machine_learning_workspace.project.id
  role_definition_name = "Contributor"
  principal_id         = azuread_group.data_scientist.object_id
}

# Security Reviewer role: Reader on the Hub. Read access is all that is needed
# to verify network, identity, encryption and audit controls; the approve/reject
# decision itself is recorded in the deployment workflow, not granted via RBAC.
resource "azurerm_role_assignment" "security_reviewer" {
  scope                = azurerm_machine_learning_workspace.hub.id
  role_definition_name = "Reader"
  principal_id         = azuread_group.security_reviewer.object_id
}

What this does:

  • Assigns Hub Admin role (Owner) to IT team
  • Assigns Project Owner role (Contributor) to business unit
  • Assigns Data Team role (Key Vault Administrator) to data team
  • Assigns Data Scientist role (Contributor) to data scientists
  • Assigns Security Reviewer role (Reader) to security team

For complete Terraform code with all parameters, see:


Compliance & Governance Implications

This operating model enables compliance:

GDPR Compliance

  • Hub Admin ensures data residency (EU data in EU)
  • Project Owner ensures data governance
  • Data Team ensures data access control
  • Security Reviewer ensures compliance controls

PCI-DSS Compliance

  • Hub Admin ensures encryption controls
  • Data Team ensures credential management
  • Security Reviewer ensures access controls
  • Data Scientist ensures secure model development

SOC 2 Type II Compliance

  • Hub Admin ensures audit logging
  • Security Reviewer ensures incident response
  • Data Team ensures change management
  • Project Owner ensures access control

Operational Considerations

Role Transitions

When someone leaves or changes roles:

  1. Offboarding:
    • Remove from Azure AD group
    • Remove RBAC role assignments
    • Revoke access to Connections
    • Review audit logs for the account's final activity
  2. Onboarding:
    • Add to Azure AD group
    • Assign RBAC role assignments
    • Grant access to Connections
    • Provide role documentation

Role Conflicts

Avoid conflicts of interest:

  • Hub Admin should not be Project Owner (separation of duties)
  • Data Team should not be Security Reviewer (separation of duties)
  • Data Scientist should not be Security Reviewer (separation of duties)
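Both the offboarding steps and the separation-of-duties rules above can be checked mechanically before a group change is applied. The block below is an added example, not code from this post or the series; the group memberships, role assignments and scope strings in it are constructed sample data, and the check treats a direct (non-group) role assignment as something offboarding must revoke explicitly because leaving a group does not remove it.

```python
# Role pairs one person must never hold at the same time (the Role Conflicts list).
SOD_CONFLICTS = (
    ("Hub Admin", "Project Owner"),
    ("Data Team", "Security Reviewer"),
    ("Data Scientist", "Security Reviewer"),
)

# Constructed sample data: one Entra ID (Azure AD) group per role -> its members.
GROUP_MEMBERS = {
    "Hub Admin": {"alice@example.com"},
    "Project Owner": {"bob@example.com", "alice@example.com"},
    "Data Team": {"carol@example.com"},
    "Data Scientist": {"dave@example.com"},
    "Security Reviewer": {"erin@example.com", "carol@example.com"},
}

# Constructed sample data: RBAC assignments as rows like `az role assignment list`
# returns. A direct user assignment bypasses the group model and is not revoked
# by removing the user from a group, so offboarding must delete it explicitly.
ROLE_ASSIGNMENTS = [
    {"principal": "Data Scientist", "role": "Contributor", "scope": "/hubs/retail-hub/projects/chatbot"},
    {"principal": "dave@example.com", "role": "Contributor", "scope": "/hubs/retail-hub"},
]


def roles_of(user, groups=GROUP_MEMBERS):
    """Roles a user holds through group membership."""
    return {role for role, members in groups.items() if user in members}


def sod_violations(groups=GROUP_MEMBERS):
    """Return (user, role_a, role_b) for every conflicting pair a single user holds."""
    users = set().union(*groups.values())
    found = []
    for user in sorted(users):
        held = roles_of(user, groups)
        found += [(user, a, b) for a, b in SOD_CONFLICTS if a in held and b in held]
    return found


def offboarding_plan(user, groups=GROUP_MEMBERS, assignments=ROLE_ASSIGNMENTS):
    """Offboarding steps 1-2: groups to remove the user from, plus the direct
    assignments that group removal alone would leave in place."""
    return {
        "remove_from_groups": sorted(roles_of(user, groups)),
        "revoke_direct_assignments": [a for a in assignments if a["principal"] == user],
    }
```

Run against a real tenant by replacing the two constructed dictionaries with exports of group membership and `az role assignment list` output; a non-empty `sod_violations()` result should block the change.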

Role Escalation

For urgent decisions:

  • Project Owner can escalate to Hub Admin
  • Data Scientist can escalate to Project Owner
  • Data Team can escalate to Hub Admin
  • Security Reviewer can escalate to Security Lead

Conclusion & Next Steps

You now understand the five key roles in Azure AI Foundry:

  • Hub Admin: Manages the Hub
  • Project Owner: Manages the Project
  • Data Team: Manages Connections
  • Data Scientist / ML Engineer: Develops models
  • Security Reviewer: Reviews and approves deployments

This operating model enables clear accountability, efficient decision-making, and compliance.

In Part 5, we'll dive deeper into the landing zone: how to deploy the Hub and Projects securely.

Next steps:

  1. Identify who will fill each role in your organization
  2. Define role responsibilities in your organization
  3. Create Azure AD groups for each role
  4. Assign RBAC roles using Terraform
  5. Document role transitions and escalation paths
  6. Read Part 5 to understand landing zone deployment

Relevant Azure documentation:


Connect & Questions

Want to discuss Azure AI Foundry operating models, share feedback, or ask questions?

Reach out on X (Twitter) @sakaldeep

Or connect with me on LinkedIn: https://www.linkedin.com/in/sakaldeep/

I look forward to connecting with fellow cloud professionals and learners.
