Skip to content
power-automate governance ai code-review power-platform

AI-Powered Flow Review - Quality Gates Before Production

Pipeline approvals are rubber stamps. Use AI to review Power Automate flow JSON for error handling gaps, hardcoded values, and naming violations.

Alex Pechenizkiy 10 min read
AI-Powered Flow Review - Quality Gates Before Production

“Approved.”

That is the entire review process for most Power Automate deployments. The pipeline sends an approval request. The admin glances at the solution name, confirms they were expecting it, and clicks Approve. Nobody opens the solution. Nobody reads the flow definitions. Nobody checks whether the 12 flows inside have error handling, follow naming conventions, or use the right connectors.

The approval step exists. The review does not. AI-powered flow review changes that by scanning flow JSON for quality issues before promotion.

Flow JSON passing through AI review gate with pass and fail outcomes

What Does AI-Powered Flow Review Actually Do?

AI-powered flow review reads your flow definition JSON and checks it against governance criteria that Solution Checker ignores. It catches missing error handling, hardcoded URLs, default action names, unapproved connectors, and PII in expressions. Think of it as an automated code review for flows instead of a manual one.

The Problem: Pipeline Approvals Are Rubber Stamps

Pipelines in Power Platform give you approval gates through delegated deployments. Solution checker runs automatically and catches structural anti-patterns. But neither of these review what the flow actually does or how it is built.

Solution checker catches structural anti-patterns in solution XML — deprecated APIs, security issues, accessibility violations. See the Pipelines article for the full solution checker configuration by environment type.

What it doesn’t look at: the flow definition JSON inside the solution. That JSON contains the complete blueprint of every flow — triggers, actions, conditions, expressions, connectors, error handling patterns, and hardcoded values.

An admin approving a deployment has no practical way to review all of that manually. A solution with 10 flows might have hundreds of actions across them. The JSON is verbose, nested, and not designed for human reading.

What Solution Checker Catches vs. What It Misses

Check Category Solution Checker AI Flow Review
Deprecated API usage Yes Not needed
Web resource issues Yes Not needed
Plugin/code component issues Yes Not needed
Accessibility violations Yes Not needed
Flow naming conventions No Yes
Missing error handling (Try/Catch scopes) No Yes
Hardcoded values that should be env variables No Yes
Unapproved connector usage No Yes
Variable naming consistency No Yes
Excessive scope nesting depth No Yes
Missing retry policies on HTTP actions No Yes
PII in expressions or hardcoded strings No Yes
Business logic assessment No Partial

Solution checker and AI review are complementary. Solution checker handles the platform-level concerns. AI handles the flow-level quality concerns. Together, they cover significantly more ground than either alone.

The Approach: Export Flow JSON, Run AI Review

Every Power Automate cloud flow has its definition stored in the Dataverse workflow table, in the clientdata column. This column contains a JSON string with the complete flow definition: triggers, actions, expressions, connections, and configuration.

The approach:

  1. Export or read the flow definition JSON
  2. Send it to an AI model with a structured review prompt
  3. Parse the AI response for pass/fail criteria
  4. Attach the review results to the deployment approval

The AI model can be any capable LLM: GPT-4o, Claude, Gemini, or whatever your organization has approved. The review prompt is model-agnostic. What matters is the prompt structure and the pass/fail criteria, not the specific model.

What AI Checks

Here are the quality checks that work well with AI review. Each one is something a human reviewer would check if they had time to read the flow JSON.

1. Naming Convention Compliance

Does the flow name match your organization’s standard? Many teams use a pattern like [Department]-[Process]-[Type] (e.g., “HR-Onboarding-Notification” or “Finance-InvoiceApproval-Automated”).

The AI checks the flow name against the pattern and flags non-conforming names. It also checks internal action names. Default names like “Apply_to_each” and “Condition” are a maintenance nightmare when debugging. Renamed actions like “Loop_through_pending_invoices” and “Check_if_amount_exceeds_threshold” make flows readable.

2. Error Handling Patterns

This is the most impactful check. The AI looks for:

  • Try/Catch scopes. Are critical actions wrapped in a scope with Configure Run After set to handle failures? A flow that calls an external API without error handling will fail silently or crash in a way that nobody notices until the business process breaks.
  • Configure Run After settings. Are there actions configured to run after failure, skipped, or timed out conditions? Or does everything only run on success?
  • Terminate actions. When a flow catches an error, does it terminate with a meaningful error message, or does it just swallow the exception?

3. Hardcoded Values

Environment variables exist for a reason. The AI scans for:

  • URLs that look like environment-specific endpoints (SharePoint site URLs, API base URLs, Dataverse organization URLs)
  • Email addresses hardcoded in send actions
  • File paths or container names
  • API keys or tokens (this is a security finding, not just a quality one)
  • Threshold values that should be configurable

4. Connector Usage

The AI can compare connectors used in the flow against your approved connector list. If someone is using an HTTP connector to call an external API that is not in your DLP policy scope, that is worth flagging. If someone is using a premium connector in what is supposed to be a standard-license solution, that is worth knowing before it hits production.

5. Variable Naming Consistency

Flow variables should follow a consistent pattern. Some teams use camelCase, others use PascalCase, others use snake_case. The AI checks whether variables within a single flow use a consistent convention and flags inconsistencies.

6. Scope Nesting Depth

Deeply nested scopes (a condition inside a loop inside a scope inside a condition inside a scope) are a maintenance red flag. More than 3-4 levels deep and the flow becomes nearly impossible to debug in the designer. The AI counts nesting depth and flags flows that exceed a threshold.

7. Missing Retry Policies on HTTP Actions

HTTP actions calling external services should have retry policies configured. The default behavior is to fail on the first error. A transient 429 (rate limit) or 503 (service unavailable) should trigger a retry, not a flow failure. The AI checks whether HTTP actions have explicit retry policies set.

8. PII Detection

The AI scans expressions and hardcoded strings for patterns that look like personally identifiable information: email addresses, phone numbers, social security numbers, or other sensitive data embedded in the flow definition. These should never be hardcoded - they should come from Dataverse records or secure inputs.

The Review Prompt Template

Here is a generic prompt template that works with any AI model. Adapt it to your organization’s specific standards.

You are reviewing a Power Automate cloud flow definition for quality and
governance compliance before production deployment.

FLOW JSON:
[paste flow clientdata JSON here]

Review the flow against these criteria and provide a structured assessment:

1. NAMING: Does the flow name follow the pattern [Dept]-[Process]-[Type]?
   Are internal actions renamed from defaults?

2. ERROR HANDLING: Are critical actions (HTTP calls, external connectors,
   data operations) wrapped in Try/Catch scopes? Are Configure Run After
   settings used for failure paths?

3. HARDCODED VALUES: Are there URLs, email addresses, file paths, API keys,
   or environment-specific values hardcoded instead of using environment
   variables or configuration?

4. CONNECTORS: List all connectors used. Flag any HTTP or custom connector
   calls to external services.

5. VARIABLES: Are variable names consistent in convention?

6. NESTING DEPTH: What is the maximum scope nesting depth? Flag if > 4.

7. RETRY POLICIES: Do HTTP actions have explicit retry policies configured?

8. PII: Are there patterns resembling PII in expressions or hardcoded strings?

For each criterion, respond with:
- PASS / WARN / FAIL
- Brief explanation
- Specific location in the flow (action name) if applicable

End with an overall assessment: APPROVE / REVIEW NEEDED / BLOCK

Pass/Fail Criteria

Not every finding should block a deployment. Define a clear severity model:

Severity Action Examples
BLOCK Deployment cannot proceed until fixed PII in hardcoded strings, API keys in expressions, no error handling on financial data operations
WARN Deployment proceeds, findings logged for follow-up Default action names, missing retry policies, hardcoded non-sensitive URLs
INFO No action required, improvement suggestion only Naming convention minor deviations, deeply nested but functionally correct scopes

Start conservative. In the first month, set everything to WARN and collect data on what the AI flags. Review the findings with your team. Then promote the most critical patterns to BLOCK once you have confidence in the detection accuracy.

Integration Options

Option 1: Manual Review Before Approval

The simplest approach. Before approving a deployment in Pipelines, the admin:

  1. Exports the solution or reads the flow JSON from Dataverse
  2. Pastes it into an AI chat (or uses a dedicated review tool)
  3. Reviews the AI output
  4. Makes the approval decision based on findings

No automation. No integration. Works today with any AI tool you have access to. Good for getting started and calibrating your criteria.

Option 2: Semi-Automated via Power Automate

Build a cloud flow in the pipelines host environment:

  1. 1

    Trigger on OnApprovalStarted

    The same trigger used for delegated deployment approvals. When a deployment request comes in, your flow starts.

  2. 2

    Read flow definitions from the solution

    Query the Dataverse workflow table in the source environment for flows in the deploying solution. Read the clientdata column for each flow.

  3. 3

    Send to AI for review

    Use an HTTP action to call your AI service (Azure OpenAI, any other provider). Include the flow JSON and your review prompt.

  4. 4

    Parse the response

    Extract the overall assessment (APPROVE / REVIEW NEEDED / BLOCK) and individual findings from the AI response.

  5. 5

    Route based on results

    If APPROVE: send approval to the admin with AI review summary attached. If REVIEW NEEDED: send to admin with findings highlighted. If BLOCK: auto-reject with detailed findings, or flag for senior review.

  6. 6

    Store results

    Save the review results in a Dataverse table linked to the deployment record. This creates an audit trail of what was reviewed and what was found.

Option 3: Pre-Export Gate

Use the pre-export extension point in Pipelines. Before the solution is even exported from dev, run the AI review against the current flow definitions. If the review finds BLOCK-level issues, reject the pre-export step and send the findings back to the maker with specific guidance on what to fix.

This is the fastest feedback loop. The maker gets the review results before anyone else is involved.

Limitations

Be honest about what AI review cannot do.

It does not understand your business logic. The AI can tell you that a flow is missing error handling. It cannot tell you whether the flow’s business logic is correct. “Send invoice reminder after 30 days” vs “send invoice reminder after 60 days” is a business decision, not a quality issue.

False positives on complex expressions. Some flows legitimately need deeply nested scopes or complex expressions. The AI may flag these as warnings when they are actually well-structured for the use case. This is why WARN exists as a severity. Let humans override.

Token limits on large flows. A single flow definition can be 50,000+ tokens. If the flow is very large, you may need to chunk the JSON or focus the review on specific sections (error handling patterns, connector usage) rather than the entire definition.

It does not replace human judgment. AI review catches patterns. It does not understand organizational context or regulatory requirements. Treat AI findings as input to a human decision, not as the decision itself.

Consistency varies between runs. Mitigate this by using structured output formats, explicit criteria, and a clear severity model.

Storing Review Results

Every review should be documented. Create a custom Dataverse table with: Solution Name, Flow Name, Review Date, AI Model Used, Overall Assessment (Approve / Review Needed / Block), Findings JSON, Reviewer Override, and Override Justification. Link it to the deployment stage run record.

Attach the review summary to the pipeline approval as documentation. When auditors ask “how do you review flows before production?”, you point to this table.

What This Looks Like in Practice

A maker submits a deployment request for a solution containing 5 cloud flows. The pre-export gate triggers and sends each flow definition to the AI service.

Results: Flow 1 and 3 pass. Flow 2 gets a WARN for default action names. Flow 4 gets a BLOCK - SharePoint site URL hardcoded instead of using an environment variable. Flow 5 gets a WARN for deep nesting.

The pre-export step is rejected. The maker gets specific findings: “Flow 4 has a hardcoded SharePoint URL on the ‘Get_Items’ action. Replace with environment variable SiteUrl before resubmitting.”

Maker fixes Flow 4, resubmits. Second review passes. The admin sees the AI review summary attached to the approval request. One click to approve with confidence. Total added time: 2-3 minutes.

Getting Started Today

You do not need to build the full automated pipeline integration on day one. Start here:

  1. 1

    Pick 5 production flows to review manually

    Export their definitions from Dataverse. Paste the JSON into any AI chat with the review prompt template above. See what comes back.

  2. 2

    Calibrate your criteria

    Review the findings. Which ones are genuinely useful? Which are noise? Adjust the prompt and severity levels based on what you learn.

  3. 3

    Define your pass/fail model

    Decide what blocks a deployment vs. what generates a warning. Get buy-in from your governance team.

  4. 4

    Automate the review in a cloud flow

    Build the Power Automate flow that reads flow JSON and calls the AI service. Start with a manual trigger before wiring it into Pipelines.

  5. 5

    Integrate with your pipeline approval process

    Connect the review flow to your OnApprovalStarted or pre-export gate. Attach results to the approval request.

The AI review does not need to be perfect to be valuable. Even catching a fraction of quality issues before production is better than catching none. Refine the prompt over time. Add checks specific to your patterns. Let the review criteria evolve with your organization’s maturity.

Power Automate Governance - The Enterprise Playbook

This article is part of a 10-part series:

  1. Naming Conventions That Scale
  2. Environment Strategy - Dev Test Prod
  3. Solution-Aware Flows
  4. Flow Inventory
  5. Pipelines - Dev to Prod
  6. CoE Starter Kit
  7. AI-Powered Flow Review
  8. Versioning and Source Control
  9. The Governance Repo
  10. Weekly Governance Digest

AZ365.ai - Azure and AI insights for architects building on Microsoft. Follow Alex on LinkedIn for architecture deep dives.

Stay in the loop

Get new posts delivered to your inbox. No spam, unsubscribe anytime.

Related articles

The 10-Minute Build: How Specs and AI Produced 14 Power Automate Flows

Power Automate flows built by AI in 10 minutes -- but only because two years of governance made specs machine-readable. The full architecture story.

Spec-Driven Power Platform: The Complete Series

7 articles on building Power Automate flows with specs, governance, and AI. From tag-based architecture to solution packaging to honest AI collaboration.

What AI Gets Wrong About Power Platform (And Why That Is the Point)

AI made three Power Automate architecture mistakes in 10 minutes. After correction, it delivered 14 production-ready flows. Here is the real pattern.