Control 1.24: Defender AI Security Posture Management (AI-SPM)
Control ID: 1.24 | Pillar: Security | Regulatory Reference: OCC 2011-12, Fed SR 11-7, FFIEC CAT, GLBA 501(b) | Last UI Verified: February 2026 | Governance Levels: Baseline / Recommended / Regulated | Last Verified: 2026-02-03
Agent 365 Architecture Update
The Agent 365 security posture dashboard integrates with Microsoft Defender, providing centralized visibility into agent security risks across platforms. See Unified Agent Governance for the security posture management architecture.
Objective
Implement Microsoft Defender for Cloud AI Security Posture Management (AI-SPM) to gain comprehensive visibility into multi-cloud AI security posture, identify attack paths targeting AI workloads, and maintain an AI Bill of Materials (AI BOM) for agent discovery and risk assessment across Azure, AWS, and GCP environments.
Why This Matters for FSI
- OCC 2011-12: Model risk management requires understanding of AI system attack surfaces and vulnerabilities
- Fed SR 11-7: Effective challenge of AI models requires visibility into security posture and risk factors
- FFIEC CAT: Cybersecurity assessment requires comprehensive inventory and risk evaluation of AI assets
- GLBA 501(b): Safeguards rule requires understanding of AI-related threats to customer information
- NYDFS Part 500: Requires risk-based cybersecurity program including AI-enabled threat assessment
Control Description
Defender AI-SPM provides multi-cloud AI security posture management capabilities that complement Microsoft Purview DSPM for AI. While DSPM for AI (Control 1.6) focuses on data security and compliance within Microsoft 365, AI-SPM addresses the broader attack surface and vulnerability management for AI workloads across cloud platforms.
Relationship to DSPM for AI: AI-SPM and DSPM for AI serve complementary purposes. DSPM for AI monitors how AI applications interact with organizational data (data-centric). AI-SPM identifies vulnerabilities, attack paths, and security misconfigurations in AI infrastructure (security-centric). Organizations using both M365 Copilot/Copilot Studio and Azure AI services should implement both controls.
| Capability | Description |
|---|---|
| Agent discovery | Automatically discovers AI agents across Microsoft Foundry, Copilot Studio, and multi-cloud environments |
| AI Bill of Materials (AI BOM) | Inventories AI components, models, SDKs, and dependencies |
| Attack path analysis | Identifies exploitable paths to AI workloads and sensitive data |
| Risk factors | Assesses indirect prompt injection, data exfiltration, and other AI-specific risks |
| Security recommendations | Provides prioritized remediation guidance for AI security gaps |
| Multi-cloud support | Extends visibility to AWS Bedrock, GCP Vertex AI, and other cloud AI services |
Recent Enhancements (2025-2026)
| Enhancement | Release | Description |
|---|---|---|
| GCP Vertex AI Support | GA November 2025 | Full posture management for Google Cloud Vertex AI workloads |
| Agent-Specific Recommendations | January 2026 | Targeted security recommendations for Copilot Studio and Agent 365 SDK agents |
| Attack Path Expansion | January 2026 | New AI-specific attack path scenarios including indirect prompt injection chains |
| Agent 365 SDK Discovery | Preview | Blueprint-registered agent inventory and risk assessment |
AI-SPM vs. DSPM for AI Comparison
| Feature | Defender AI-SPM | Purview DSPM for AI |
|---|---|---|
| Primary Focus | Attack surface & vulnerabilities | Data security & compliance |
| Scope | Multi-cloud (Azure, AWS, GCP) | Microsoft 365 AI applications |
| Key Capabilities | Attack path analysis, AI BOM | Oversharing assessment, activity monitoring |
| Discovery | Agent inventory & infrastructure | AI interaction monitoring |
| Risk Assessment | Security misconfigurations | Sensitive data exposure |
| FSI Control | Control 1.24 | Control 1.6 |
AI Threat Protection Alerts (GA)
Microsoft Defender now generates specific threat alerts for AI workloads:
| Alert Type | Description |
|---|---|
| Jailbreak attempt | Detects prompt injection attempts to bypass agent guardrails |
| Prompt leak | Detects attempts to extract system prompts or instructions |
| Phishing via AI | Detects agents being used to generate phishing content |
| ASCII smuggling | Detects Unicode/ASCII encoding attacks in agent interactions |
| Reconnaissance | Detects systematic probing of agent capabilities and data access |
These alerts integrate with Microsoft Sentinel and the Defender XDR incident queue for unified security operations.
- Copilot Studio and Foundry agent alerts (Preview): Defender can now generate threat alerts specific to Copilot Studio and Microsoft Foundry agents, including alerts for agents discovered in the tenant that haven't been registered in the governance framework
- Defender for Cloud Apps discovery (Preview): Copilot Studio agents can be discovered and monitored through Microsoft Defender for Cloud Apps, providing shadow agent discovery capabilities for agents that may have been created without governance oversight
Key Configuration Points
- Enable Defender for Cloud with AI-SPM plan on Azure subscriptions hosting AI workloads
- Configure multi-cloud connectors for AWS and GCP AI services (if applicable)
- Enable AI workload discovery for Microsoft Foundry and Copilot Studio environments
- Configure attack path analysis with AI-specific scenarios enabled
- Set up security recommendations filtering for AI/ML workloads
- Integrate with Microsoft Sentinel for AI security alerting
- Configure risk factor thresholds aligned with zone requirements
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Monthly AI-SPM dashboard review; discovery enabled | Baseline visibility for all AI agents |
| Zone 2 (Team) | Weekly posture review; attack path remediation within 14 days | Shared agents require consistent security posture |
| Zone 3 (Enterprise) | Daily posture review; critical risk remediation within 72 hours; continuous attack path monitoring | Customer-facing agents require highest security |
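
The review cadences and remediation deadlines in this table can be checked mechanically when collecting evidence. The following Python sketch is an added example, not part of the framework's playbooks or of Defender for Cloud. The record fields, the finding kinds `attack_path` and `critical_risk`, and the reading of monthly/weekly/daily as 31/7/1 days are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Limits from the Zone-Specific Requirements table. Treating the monthly /
# weekly / daily review cadence as 31 / 7 / 1 days is an assumption.
ZONE_POLICY = {
    1: {"review": timedelta(days=31), "remediate": {}},
    2: {"review": timedelta(days=7),
        "remediate": {"attack_path": timedelta(days=14)}},
    3: {"review": timedelta(days=1),
        "remediate": {"critical_risk": timedelta(hours=72)}},
}

def parse(ts):
    """Parse a naive ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def evaluate(findings, last_reviews, now):
    """Return sorted (zone, item, reason) tuples for every missed requirement."""
    violations = []
    for zone, policy in ZONE_POLICY.items():
        reviewed = last_reviews.get(zone)
        if reviewed is None or now - parse(reviewed) > policy["review"]:
            violations.append((zone, "posture-review", "review overdue"))
    for f in findings:
        limit = ZONE_POLICY[f["zone"]]["remediate"].get(f["kind"])
        if limit is None:
            continue  # the table sets no remediation deadline for this case
        closed = parse(f["resolved"]) if f["resolved"] else now
        if closed - parse(f["opened"]) > limit:
            reason = "resolved late" if f["resolved"] else "open past deadline"
            violations.append((f["zone"], f["id"], reason))
    return sorted(violations)

# Constructed sample records; field names are hypothetical, not an export schema.
NOW = parse("2026-02-10T12:00:00")
LAST_REVIEWS = {1: "2026-01-20T09:00:00", 2: "2026-02-01T09:00:00",
                3: "2026-02-10T08:00:00"}
FIELDS = ("id", "zone", "kind", "opened", "resolved")
FINDINGS = [dict(zip(FIELDS, row)) for row in [
    ("F-001", 2, "attack_path", "2026-01-20T10:00:00", None),
    ("F-002", 2, "attack_path", "2026-02-01T10:00:00", "2026-02-05T10:00:00"),
    ("F-003", 3, "critical_risk", "2026-02-06T08:00:00", "2026-02-09T10:00:00"),
    ("F-004", 3, "critical_risk", "2026-02-09T00:00:00", None),
    ("F-005", 1, "attack_path", "2026-01-01T00:00:00", None),
]]

if __name__ == "__main__":
    print(*evaluate(FINDINGS, LAST_REVIEWS, NOW), sep="\n")
```

A finding resolved after its deadline is still reported, so the output can serve as evidence of missed deadlines as well as a list of open work.
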
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Entra Security Admin | Enable AI-SPM, configure connectors, manage recommendations |
| Cloud Security Architect | Review attack paths, prioritize remediation |
| AI Governance Lead | Align AI-SPM findings with governance requirements |
| SOC Analyst | Monitor AI security alerts and investigate incidents |
Related Controls
| Control | Relationship |
|---|---|
| 1.6 - DSPM for AI | Complementary data-centric AI monitoring |
| 1.8 - Runtime Protection | Runtime threat detection for agents |
| 3.7 - PPAC Security Posture | Power Platform security posture assessment |
| 3.1 - Agent Inventory | Agent inventory management |
| 3.9 - Sentinel Integration | SIEM integration for AI security events |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- AI-SPM is enabled in Defender for Cloud for all subscriptions hosting AI workloads
- AI workload discovery is active and agents are inventoried
- Attack paths targeting AI workloads are identified and triaged
- Risk factors (prompt injection, data exfiltration) are assessed
- Security recommendations for AI workloads are reviewed weekly (Zone 2) or daily (Zone 3)
- Multi-cloud connectors are configured for non-Azure AI services (if applicable)
Additional Resources
- Microsoft Learn: AI security posture management
- Microsoft Learn: Defender for Cloud overview
- Microsoft Learn: Attack path analysis
- Microsoft Learn: Multi-cloud security
- Microsoft Learn: Security recommendations
FSI Scope Note
Power Platform Focus: While AI-SPM provides valuable multi-cloud visibility, this framework primarily targets Power Platform and Microsoft 365 AI governance. Organizations should implement AI-SPM when:
- AI agents call Azure AI services (Azure OpenAI, Cognitive Services)
- Custom agents are built with Microsoft Foundry
- Multi-cloud AI workloads exist alongside Copilot Studio agents
For organizations exclusively using Copilot Studio without Azure AI integration, Control 1.6 (DSPM for AI) and Control 3.7 (PPAC Security Posture) may provide sufficient coverage.
Complement with Defender for AI Services (GA)
Defender for AI Services provides runtime threat protection as a complement to AI-SPM's posture management. While AI-SPM identifies misconfigurations and attack paths (proactive), Defender for AI Services detects and blocks threats during agent execution (reactive). Organizations should implement both for defense-in-depth coverage. See Microsoft Learn: Defender for AI Services for details.
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current