Control 1.5: Data Loss Prevention (DLP) and Sensitivity Labels
Control ID: 1.5
Pillar: Security
Regulatory Reference: FINRA 4511, SEC Reg S-P, GLBA 501(b), SOX 404
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03
Agent 365 Architecture Update
Agent 365 enables cross-platform DLP enforcement via Purview integration, applying consistent data loss prevention policies across Copilot Studio, Agent Builder, and Microsoft Foundry agents. This addresses the current gap where per-platform DLP policies do not apply uniformly. See Unified Agent Governance for cross-platform DLP architecture details.
Objective
Prevent sensitive financial data from unauthorized exposure through AI agents by implementing DLP policies that detect and block sensitive information in agent knowledge sources, user prompts, and agent responses. Combined with sensitivity labels, this provides comprehensive data protection for Microsoft 365 Copilot and Copilot Studio agents.
Why This Matters for FSI
- FINRA 4511: Requires protection of customer records - DLP blocks customer PII in AI responses
- SEC Reg S-P: Privacy protection - sensitivity labels on customer data control AI access
- GLBA 501(b): Safeguard customer information - DLP helps prevent exposure of financial account numbers
- SOX 404: IT controls for data protection - audit logging of all DLP events
- FFIEC Guidelines: Data classification - label-based access control for AI agents
Control Description
DLP policies protect sensitive information from unauthorized exposure through AI agents. When combined with sensitivity labels, DLP provides comprehensive data protection across Microsoft 365 Copilot, Copilot Studio agents, and other AI applications. Integration with DSPM for AI enables oversharing detection and AI-specific policy enforcement.
Evolving Capability: Microsoft Purview DSPM for AI is an actively developing feature set. Monitor Microsoft Learn documentation for new capabilities and changes to existing functionality.
Mandatory DLP Enforcement (Since Early 2025)
Data policy enforcement is now in effect for all tenants. Organizations cannot opt out of DLP enforcement for Copilot Studio agents. DLP policies configured in Power Platform Admin Center are automatically enforced on all agents within the policy scope. Any agents that previously operated without DLP constraints are now subject to existing tenant policies.
Enforcement Timeline (per MC973179):
| Phase | Date | Status | Impact |
|---|---|---|---|
| Soft-Enabled | January 2025 | Complete | Audit-only; no blocking |
| Enabled | February 2025 | Complete | Full enforcement begins |
| Complete | March 2025 | Complete | All tenants enforcing |
11 Virtual Governance Connectors: DLP enforcement includes virtual governance connectors for AI capabilities:
- AI Builder (GPT, Document Processing)
- Copilot Studio (Topics, Skills, Knowledge)
- HTTP connectors (with and without Entra auth)
- Direct Line channels
Organizations should review existing DLP policies to ensure AI-related connectors are appropriately classified in Business, Non-Business, or Blocked categories.
| Capability | Description |
|---|---|
| AI-aware DLP policies | Policies targeting AI applications to prevent sensitive data exposure |
| Sensitivity label enforcement | Block or warn based on content classification labels |
| Oversharing assessment | Identify data exposure risks in agent knowledge sources |
| Channel control | DLP controls which publishing channels agents can use |
| DSPM integration | Unified AI data protection and visibility |
| HTTP endpoint filtering | Block or allow external HTTP calls based on URL patterns |
DLP Deny Event Visibility
DLP deny events for Copilot Studio agent actions may not consistently appear in Defender advanced hunting. Organizations should verify DLP enforcement through Power Platform Admin Center analytics and Purview audit logs in addition to Defender-based monitoring.
Copilot Studio DLP Connector Categories
DLP policies can control the following connector categories for Copilot Studio agents:
| Category | Connectors | FSI Governance Notes |
|---|---|---|
| Knowledge Sources | SharePoint, OneDrive, Dataverse, Public websites, Uploaded documents | Zone 3: Restrict to approved SharePoint sites only |
| Channels | Microsoft Teams, Direct Line, Facebook, SharePoint, WhatsApp, Custom website | Zone 2-3: Block social media channels (Facebook, WhatsApp) |
| Actions | HTTP with Microsoft Entra, HTTP webhook, Premium connectors | Zone 3: Require connector-level approval |
| AI Services | Azure OpenAI, AI Builder | Apply tenant-wide policies |
Virtual Governance Connectors
GA Feature
Virtual governance connectors are generally available as of Q1 2025. These connectors enable centralized DLP policy enforcement across all Copilot Studio AI capabilities.
Power Platform DLP policies enforce data protection through 11 virtual governance connectors for AI capabilities. These connectors control access to AI services, knowledge sources, and publishing channels:
| Connector | Status | Description | Zone 1-2 Recommendation | Zone 3 Recommendation |
|---|---|---|---|---|
| AI Builder (GPT) | GA | Controls access to GPT models via AI Builder for text generation and analysis | Business | Business (with usage monitoring) |
| AI Builder (Document Processing) | GA | Controls access to AI Builder document understanding and form processing capabilities | Business | Business (monitor for sensitive content) |
| Copilot Studio Topics | GA | Controls creation and editing of conversational topics within Copilot Studio agents | Business | Business |
| Copilot Studio Skills | GA | Controls integration of Power Automate flows and custom actions as agent skills | Business | Business (require flow approval) |
| Copilot Studio Knowledge | GA | Controls agent access to knowledge sources (SharePoint, websites, Dataverse, uploaded files) | Business | Business (only after Control 1.3 implemented) |
| HTTP with Microsoft Entra ID | GA | Controls authenticated HTTP calls to external APIs using Entra ID authentication | Business or Non-Business | Business (with endpoint filtering) |
| HTTP Webhook | GA | Controls unauthenticated HTTP webhook calls to external endpoints | Non-Business or Blocked | Blocked (data exfiltration risk) |
| Direct Line | GA | Controls agent publishing via Direct Line API for custom web chat and applications | Business | Business |
| Microsoft Teams Channel | GA | Controls agent publishing to Microsoft Teams as a bot | Business | Business |
| SharePoint Channel | GA | Controls agent embedding in SharePoint sites | Business or Non-Business | Non-Business or Blocked (require approval) |
| Custom Website Channel | GA | Controls agent publishing to external websites via embed code | Non-Business or Blocked | Blocked (security review required) |
Configuration: All connectors are classified via Power Platform Admin Center > Policies > Data policies > [Policy Name] > Connectors tab. Classifications apply to all environments within the DLP policy scope.
Zone-Specific Virtual Connector Configuration
The following table provides comprehensive zone-specific recommendations for financial services organizations:
| Zone | Configuration Approach | Rationale |
|---|---|---|
| Zone 1 (Personal Productivity) | Allow most connectors as Business; block social channels (Facebook, WhatsApp) | Enable self-service agent development while helping prevent external data sharing |
| Zone 2 (Team Collaboration) | Business classification for core capabilities; block HTTP Webhook and Custom Website; restrict social channels | Balance team collaboration needs with controlled external access |
| Zone 3 (Enterprise Managed) | Strict Business-only for approved connectors; block all unauthenticated external access; require endpoint filtering for HTTP with Entra ID | Highest security posture for customer-facing and regulated agents |
Per-Connector Zone 3 Governance:
| Connector | Zone 3 Classification | Governance Control |
|---|---|---|
| AI Builder (GPT) | Business | Required for generative AI; monitor via Control 3.1 (Usage Dashboards) |
| AI Builder (Document Processing) | Business | Document processing capability; log all document uploads |
| Copilot Studio Topics | Business | Core agent functionality; no restrictions |
| Copilot Studio Skills | Business | Power Automate integration; require flow approval per Control 2.2 |
| Copilot Studio Knowledge | Business | Prerequisites: Control 1.3 (SharePoint Governance), Control 4.1 (IAG/RCD) must be implemented first |
| HTTP with Microsoft Entra ID | Business | Required: HTTP endpoint filtering (allow list only); see below for FSI patterns |
| HTTP Webhook | Blocked | Unauthenticated HTTP poses data exfiltration risk; use Entra-authenticated alternative |
| Direct Line | Business | Required for web chat deployment; monitor via Control 3.3 (Conversation Transcripts) |
| Microsoft Teams Channel | Business | Primary publishing channel for internal agents |
| SharePoint Channel | Non-Business or Blocked | Require security review before enabling; embedding poses XSS risk |
| Custom Website Channel | Blocked | External publishing requires comprehensive security review and penetration testing |
FSI Governance Recommendations:
- Prerequisite Controls: Before classifying Copilot Studio Knowledge as Business, implement Control 1.3 (SharePoint Content Governance) and Control 4.1 (Information Access Governance) to prevent agents from grounding on unauthorized content
- HTTP Connector Strategy: Zone 3 agents should use HTTP with Microsoft Entra ID only (never HTTP Webhook); configure endpoint filtering with allow list of approved internal APIs and regulatory data sources
- Channel Publishing: For customer-facing agents, approve only Microsoft Teams Channel and Direct Line; block Custom Website and SharePoint channels until publishing strategy undergoes change control approval
- Separation of Duties: DLP policy changes for Zone 3 environments should require dual approval (Power Platform Admin + AI Governance Lead) per Control 2.3 (Change Management and Release Planning)
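A small audit of a Zone 3 policy against the per-connector table above, as an added example (not the project's or Microsoft's code). It assumes a constructed policy export: a mapping of explicitly classified connector names to their group, plus the policy's default group, which unclassified connectors inherit; the control numbers and prerequisite rules are the ones this page states.

```python
"""Audit a Power Platform DLP policy's virtual governance connector
classifications against the Zone 3 expectations on this page.

Added example. The policy export shape is constructed: explicitly
classified connectors live under "connectors"; anything missing there
inherits "default_group", which is how a freshly added connector lands
in a policy nobody has reviewed.
"""

# Acceptable Zone 3 classifications, one entry per virtual governance connector.
ZONE3_EXPECTED = {
    "AI Builder (GPT)": {"Business"},
    "AI Builder (Document Processing)": {"Business"},
    "Copilot Studio Topics": {"Business"},
    "Copilot Studio Skills": {"Business"},
    "Copilot Studio Knowledge": {"Business"},
    "HTTP with Microsoft Entra ID": {"Business"},
    "HTTP Webhook": {"Blocked"},
    "Direct Line": {"Business"},
    "Microsoft Teams Channel": {"Business"},
    "SharePoint Channel": {"Non-Business", "Blocked"},
    "Custom Website Channel": {"Blocked"},
}

KNOWLEDGE_PREREQS = {"1.3", "4.1"}  # SharePoint governance and IAG must come first


def audit_zone3(policy, implemented_controls):
    """Return findings as strings; an empty list means the policy matches the table."""
    findings = []
    explicit = policy["connectors"]
    for connector, acceptable in ZONE3_EXPECTED.items():
        implicit = connector not in explicit
        actual = policy["default_group"] if implicit else explicit[connector]
        note = " via default group" if implicit else ""
        if actual not in acceptable:
            findings.append(f"{connector}: {actual}{note}; expected {' or '.join(sorted(acceptable))}")
        elif implicit:
            findings.append(f"{connector}: {actual}{note}; classify explicitly so a default-group change cannot alter it")
    if explicit.get("Copilot Studio Knowledge") == "Business":
        missing = KNOWLEDGE_PREREQS - set(implemented_controls)
        if missing:
            findings.append(f"Copilot Studio Knowledge: Business requires Control {', '.join(sorted(missing))} first")
    if explicit.get("HTTP with Microsoft Entra ID") == "Business" and not policy.get("endpoint_filtering_allow_list"):
        findings.append("HTTP with Microsoft Entra ID: Business without an endpoint filtering allow list")
    return findings


# Constructed export of a drifted Zone 3 policy: HTTP Webhook left open,
# Direct Line and SharePoint Channel never classified, no endpoint filtering.
SAMPLE_POLICY = {
    "name": "Zone3-CustomerFacing",
    "default_group": "Non-Business",
    "connectors": {
        "AI Builder (GPT)": "Business",
        "AI Builder (Document Processing)": "Business",
        "Copilot Studio Topics": "Business",
        "Copilot Studio Skills": "Business",
        "Copilot Studio Knowledge": "Business",
        "HTTP with Microsoft Entra ID": "Business",
        "HTTP Webhook": "Business",
        "Microsoft Teams Channel": "Business",
        "Custom Website Channel": "Blocked",
    },
    "endpoint_filtering_allow_list": [],
}

if __name__ == "__main__":
    for finding in audit_zone3(SAMPLE_POLICY, {"1.3"}):
        print(finding)
```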
HTTP Endpoint Filtering
For agents that call external APIs via the "HTTP with Microsoft Entra ID" connector, DLP policies can enforce URL-based filtering. This capability helps support FINRA 4511 (helping prevent unauthorized data sharing via external API calls), GLBA 501(b) (controlling external access paths to customer information), and SOX 404 (documenting IT controls over external integrations).
Configuration: Power Platform Admin Center > Policies > Data policies > [Policy Name] > Connectors > HTTP with Microsoft Entra ID > Configure connector > Endpoint filtering.
| Filter Type | How It Works | When to Use |
|---|---|---|
| Allow list | Only specified URL patterns permitted; all others blocked | Zone 3 environments (default deny approach) |
| Block list | Specified URL patterns blocked; all others allowed | Zone 1-2 environments (block known risky endpoints) |
| Pattern matching | Wildcards (*) and domain patterns for flexible matching | Both modes; enables domain-level or path-level control |
Common FSI Endpoint Patterns
URLs below are illustrative patterns for endpoint filtering configuration — replace with your organization's actual domains.
The following table provides FSI-specific endpoint patterns for HTTP endpoint filtering allow lists:
| Pattern | Purpose | Example URLs | Allow/Block |
|---|---|---|---|
| `*.internal.example.com` | Internal corporate APIs | `https://api.internal.example.com/customer` | Allow (Zone 3) |
| `*.example.com` | Corporate domain APIs | `https://api.example.com/*` | Allow (Zone 3) |
| `https://api.sec.gov/*` | SEC EDGAR API for regulatory filings | `https://api.sec.gov/submissions/` | Allow (Zone 2-3) |
| `https://api.finra.org/*` | FINRA regulatory data APIs | `https://api.finra.org/data/` | Allow (Zone 2-3) |
| `https://www.ffiec.gov/*` | FFIEC Central Data Repository | `https://www.ffiec.gov/nicpubweb/` | Allow (Zone 2-3) |
| `https://data.treasury.gov/*` | U.S. Treasury data feeds | `https://data.treasury.gov/datasets/` | Allow (Zone 2-3) |
| `*.marketdata.example.com` | Approved market data vendors (Bloomberg, Refinitiv) | `https://api.marketdata.example.com/v2/` | Allow (Zone 2-3, with vendor approval) |
| `https://*.social-network.example.com/*` | Social media APIs (LinkedIn, Twitter, Facebook) | `https://api.twitter.com/2/tweets` | Block (Zone 2-3) |
| `https://*.file-sharing.example.com/*` | Consumer file sharing (Dropbox, Box personal) | `https://api.dropbox.com/2/files/` | Block (Zone 3) |
| `https://api.*.free-tier.example.com/*` | Free-tier external APIs (no SLA, no BAA) | Various | Block (Zone 3) |
| `http://*` (non-HTTPS) | Unencrypted HTTP endpoints | Any non-HTTPS URL | Block (all zones) |
Zone-Specific Filtering Strategies:
- Zone 1: Use block list mode; block social media APIs, consumer file sharing, and unencrypted HTTP
- Zone 2: Use allow list or block list depending on agent scope; document approved external endpoints in agent registration
- Zone 3: Use allow list mode exclusively; explicitly permit only internal APIs and approved regulatory data sources
Banking System API Patterns:
For internal banking systems, common patterns to allow in Zone 3:
```text
*.internal.example.com              # Internal domain (all subdomains)
api.example.com                     # Primary API gateway
*.core-banking-system.local         # On-premises core banking APIs
https://api.partner.example.com/*   # Approved partner bank APIs (with BAA)
```
Regulatory Data Source Patterns:
For agents that need access to regulatory data:
```text
https://api.sec.gov/*               # SEC EDGAR API
https://api.finra.org/*             # FINRA regulatory APIs
https://www.ffiec.gov/*             # FFIEC data repository
https://data.treasury.gov/*         # U.S. Treasury data feeds
https://www.federalreserve.gov/*    # Federal Reserve data
```
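The allow-list and block-list semantics described in this section, as an added example (not the page's code and not Power Platform's own matching engine). It assumes the illustrative example.com / .local patterns above and approximates wildcard matching: `*` inside a host stops at `/`, `*` inside a path matches the rest of the path, and a bare host pattern is compared with the parsed host only.

```python
"""Offline evaluator for HTTP endpoint-filtering pattern lists.

Added example. It approximates the documented semantics (allow list =
default deny, block list = default allow, non-HTTPS blocked in every
zone) so a proposed pattern list can be reviewed before it is entered
under Configure connector > Endpoint filtering.
"""
import re
from urllib.parse import urlsplit

# Zone 3 allow list from the Banking System and Regulatory Data Source patterns.
ZONE3_ALLOW = [
    "*.internal.example.com",
    "api.example.com",
    "*.core-banking-system.local",
    "https://api.partner.example.com/*",
    "https://api.sec.gov/*",
    "https://api.finra.org/*",
    "https://www.ffiec.gov/*",
    "https://data.treasury.gov/*",
    "https://www.federalreserve.gov/*",
]

# Zone 1 block list from the Block rows of the Common FSI Endpoint Patterns table.
ZONE1_BLOCK = [
    "https://*.social-network.example.com/*",
    "https://*.file-sharing.example.com/*",
    "https://api.*.free-tier.example.com/*",
]


def _glob(text: str, star: str) -> str:
    """Escape a pattern fragment, then turn each '*' into the given regex."""
    return re.escape(text).replace(r"\*", star)


def pattern_matches(pattern: str, url: str) -> bool:
    """True if the URL satisfies one pattern.

    Userinfo, port and query string are discarded before matching, so a
    trusted host name hidden in "user@" or "?ref=" never satisfies an
    allow pattern. Bare host patterns are compared with the host alone.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if "://" in pattern:
        pscheme, rest = pattern.split("://", 1)
        phost, _, ppath = rest.partition("/")
        regex = rf"^{re.escape(pscheme)}://{_glob(phost, '[^/]*')}/{_glob(ppath, '.*')}$"
        return re.match(regex, f"{scheme}://{host}{path}", re.IGNORECASE) is not None
    return re.match(rf"^{_glob(pattern, '[^/]*')}$", host, re.IGNORECASE) is not None


def evaluate(url: str, mode: str, allow=(), block=()) -> tuple:
    """Apply a zone's filter mode and return (decision, reason)."""
    if urlsplit(url).scheme.lower() != "https":
        return "block", "non-HTTPS endpoint; blocked in all zones"
    if mode == "allow":                      # Zone 3: default deny
        for p in allow:
            if pattern_matches(p, url):
                return "allow", f"matched allow pattern {p}"
        return "block", "no allow-list pattern matched (default deny)"
    if mode == "block":                      # Zone 1: default allow
        for p in block:
            if pattern_matches(p, url):
                return "block", f"matched block pattern {p}"
        return "allow", "no block-list pattern matched (default allow)"
    raise ValueError(f"unknown filter mode {mode!r}")


def zone3(url: str) -> str:
    return evaluate(url, "allow", allow=ZONE3_ALLOW)[0]


def zone1(url: str) -> str:
    return evaluate(url, "block", block=ZONE1_BLOCK)[0]
```

The same vendor URL that Zone 1 lets through by default is denied in Zone 3, which is the practical difference between the two modes.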
Zone 3 Best Practice
For customer-facing agents, configure HTTP endpoint filtering to allow only pre-approved external APIs. Combine with network isolation (Control 1.20) for defense in depth. Document all allowed external endpoints in your IT change control system per Control 2.3 (Change Management and Release Planning).
Market Data Vendor APIs
If agents require access to market data provider APIs (Bloomberg, Refinitiv, etc.), verify that:
- A Business Associate Agreement (BAA) or data processing agreement is in place
- The vendor API supports audit logging of all data access
- API credentials are stored in Azure Key Vault (Control 1.15)
- API access is limited to specific agents via endpoint filtering
Document vendor API approvals in your third-party risk management system per Control 2.7 (Vendor and Third-Party Risk Management).
Regulatory Mapping: Virtual connector governance and HTTP endpoint filtering help support FINRA 4511 (helping prevent unauthorized data sharing by controlling external API access paths and publishing channels), GLBA 501(b) (safeguarding customer information access by restricting knowledge sources and blocking unauthenticated connectors), and SOX 404 (documenting IT controls over AI data flows by enforcing DLP policy classification for all 11 virtual governance connectors).
DLP for Copilot Prompts (Public Preview)
Public Preview - November 2025
DLP for Copilot prompts is in Public Preview as of November 2025. Feature availability and functionality may change before general availability.
A new DLP capability allows organizations to block sensitive information from being processed in Microsoft 365 Copilot and Copilot Chat prompts. This is distinct from DLP for files and email.
| Aspect | DLP for Copilot Prompts | DLP for Files/Email |
|---|---|---|
| Scope | User prompts to M365 Copilot and Copilot Chat | Documents, emails, messages |
| License | Included with M365 Copilot/Copilot Chat (no additional cost) | Requires A5/E5 or E5 Compliance |
| Location | "Microsoft 365 Copilot and Copilot Chat" in DLP policy | Standard file/email locations |
| Action | Blocks prompt containing sensitive data | Block, notify, or warn |
Key Characteristics:
- Available to all Microsoft 365 Copilot and Copilot Chat users at no additional license cost
- Helps prevent sensitive data (SSN, account numbers, etc.) from being submitted in AI prompts
- Uses existing Sensitive Information Types (SITs) from your DLP configuration
- Complements (does not replace) document/email DLP policies
FSI Use Case: Block users from pasting customer account numbers, SSNs, or other regulated PII directly into Copilot prompts, even when the source document itself allows access.
Key Configuration Points
- Configure DLP policies with AI locations (Microsoft 365 Copilot, Copilot Studio)
- Create sensitivity label taxonomy (Public, Internal, Confidential, Highly Confidential)
- Implement SITs for financial data (SSN, ABA routing, account numbers) per Control 1.13
- Configure label-based DLP rules to block Highly Confidential content from agents
- Use channel DLP to control where Copilot Studio agents can publish
- Enable DSPM for AI integration for oversharing assessments
- Start policies in "Test with notifications" before enforcement
- Block SITs in Copilot prompts (Preview): DLP policies can detect and block sensitive information types entered directly into Copilot prompts, helping prevent users from pasting account numbers, SSNs, or other regulated data into AI interactions
Block Labeled Files from Copilot Processing (GA)
DLP policies can now block Microsoft 365 Copilot from processing files with specific sensitivity labels. When configured, Copilot cannot summarize, reference, or generate content from files bearing the designated labels — even if the user has access. Configure via Purview DLP with the Microsoft 365 Copilot (preview) location and the Block Copilot from processing action. This supports compliance with GLBA 501(b) data protection requirements for highly confidential content.
Automated Validation: Deny Event Correlation Report
For aggregated DLP violation reporting correlating deny events across Purview Audit, DLP, and Application Insights with anomaly detection and zone-based alerting, see the Deny Event Correlation Report solution.
Capabilities:
- Multi-source deny event extraction (RAI telemetry, Purview Audit, Purview DLP)
- Daily correlation engine with 7-day trend analysis and volume anomaly detection
- Zone-based alerting with Teams adaptive cards and email notifications
- Dataverse persistence with zone-based retention (90d/365d/730d)
- SHA-256 integrity-hashed evidence export with regulatory alignment mapping
Deployable Solution: deny-event-correlation-report provides PowerShell extraction scripts, Dataverse infrastructure, Power Automate orchestration flow, and evidence export pipeline.
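A sketch of the correlation, 7-day anomaly and integrity-hash mechanics listed above, as an added example (not the deny-event-correlation-report solution's own code). Event field names, the three-source sample records and the 7-day baseline counts are constructed; the real sources have their own schemas.

```python
"""Correlate DLP deny events from several sources, flag per-zone volume
anomalies against a 7-day baseline, and hash the evidence export.

Added example with constructed data. Field names ("source", "zone",
"agent", "event_id", "day") are this example's own.
"""
import hashlib
import json
import statistics
from collections import Counter

TODAY = "2026-02-03"   # constructed report date


def _ev(source, zone, agent, event_id, day=TODAY):
    return {"source": source, "zone": zone, "agent": agent,
            "event_id": event_id, "day": day}


# Constructed raw records: 9 Zone 3 denies, each reported by both Purview
# Audit and Purview DLP, plus 5 Zone 2 denies seen only in RAI telemetry.
RAW_EVENTS = (
    [_ev("PurviewAudit", 3, "agent-kyc-01", f"evt-{i}") for i in range(9)]
    + [_ev("PurviewDLP", 3, "agent-kyc-01", f"evt-{i}") for i in range(9)]
    + [_ev("RAI", 2, "agent-team-07", f"evt-{i}") for i in range(5)]
)

# Constructed per-zone daily deny counts for the 7 preceding days.
BASELINE = {3: [2, 3, 2, 4, 3, 2, 3], 2: [5, 4, 6, 5, 4, 5, 6]}


def correlate(events):
    """Collapse the same deny reported by several sources into one record."""
    merged = {}
    for e in events:
        key = (e["day"], e["zone"], e["agent"], e["event_id"])
        merged.setdefault(key, set()).add(e["source"])
    return merged


def is_anomalous(baseline, today_count, sigma=2.0, floor=5):
    """Alert when today exceeds mean + sigma*stdev of the 7-day baseline.
    The floor keeps a tiny baseline (3 denies against 2) from paging anyone."""
    threshold = statistics.mean(baseline) + sigma * statistics.pstdev(baseline)
    return today_count > max(floor, threshold)


def build_report(raw_events, baseline, day=TODAY):
    """Daily correlation result: counts per zone, baseline and anomaly flag."""
    merged = correlate(raw_events)
    per_zone = Counter(zone for (d, zone, _, _) in merged if d == day)
    zones = {}
    for zone, history in sorted(baseline.items()):
        count = per_zone.get(zone, 0)
        zones[f"zone{zone}"] = {"deny_count": count, "baseline_7d": history,
                                "anomalous": is_anomalous(history, count)}
    return {"report_date": day, "raw_records": len(raw_events),
            "correlated_events": len(merged), "zones": zones}


def export_evidence(report):
    """Canonical JSON plus its SHA-256, so the export can be integrity-checked later."""
    blob = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return blob, hashlib.sha256(blob).hexdigest()
```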
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline DLP policies; avoid scope beyond user's own data | Low friction while maintaining safety |
| Zone 2 (Team) | DLP with label conditions; identified owner and approval trail | Shared agents increase blast radius |
| Zone 3 (Enterprise) | Strictest DLP with mandatory labels; block mode enforcement | Highest audit/regulatory risk |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview Compliance Admin | Create and manage DLP policies; configure DLP locations for AI workloads |
| Purview Info Protection Admin | Manage sensitivity labels and taxonomy |
| Power Platform Admin | Configure Power Platform DLP policies and virtual governance connector classification |
| AI Administrator | Manage Copilot connector delegation, AI-specific DLP policy scoping, and Copilot data protection settings |
| Purview Data Security AI Admin | Configure Purview DSPM for AI policies and AI data security posture assessments (new role) |
| Entra Security Admin | View DLP reports and alerts; investigate DLP violations |
| AI Governance Lead | Agent data protection strategy; approve HTTP endpoint filtering allow lists |
Related Controls
| Control | Relationship |
|---|---|
| 1.6 - DSPM for AI | AI monitoring and assessment |
| 1.13 - Sensitive Information Types | SITs power DLP detection |
| 1.3 - SharePoint Content Governance | Knowledge source protection |
| 4.1 - SharePoint IAG | Content discovery controls |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- DLP policies include AI locations (Microsoft 365 Copilot, Copilot Studio)
- Sensitivity labels are created and published to appropriate users
- Label-based DLP rules block Highly Confidential content from agents
- SITs are validated and detecting sensitive content (per Control 1.13)
- Test prompts with sensitive data trigger expected DLP actions
- DLP events appear in Microsoft Purview Audit logs
Additional Resources
- Microsoft Learn: DLP for Microsoft 365 Copilot
- Microsoft Learn: Create and Deploy DLP Policies
- Microsoft Learn: Sensitivity Labels Overview
- Microsoft Learn: DSPM for AI Overview
- Microsoft Learn: DLP PowerShell Cmdlets
Agent Essentials (Preview)
Note: The following resources are preview documentation and may change.
- Microsoft Learn: Agent Deployment Checklist (Preview) - Category 7 covers data security and compliance requirements for agent deployments
Agent 365 DLP Configuration (Preview)
Note: The following guidance applies to Blueprint-registered agents using the Agent 365 SDK.
Agent 365 SDK-built agents require additional DLP considerations beyond standard Copilot Studio policies:
| Configuration Area | Requirement | Implementation |
|---|---|---|
| Blueprint DLP Enforcement | DLP policies must be evaluated at Blueprint registration | Configure DLP location to include Agent 365 workloads |
| SDK Prompt/Response Classification | Agent 365 SDK telemetry enables data classification | Enable DSPM for AI integration with Observability SDK |
| Multi-turn Context Protection | Prevent sensitive data aggregation across conversation turns | Configure DLP rules with conversation-level scope |
Agent 365 DLP Policy Scope:
- At Registration - DLP policies evaluate agent manifest and declared data sources
- At Runtime - DLP evaluates prompts and responses via SDK telemetry integration
- At Promotion - DLP compliance verified before Blueprint phase transitions
Configuration Steps:
- In Microsoft Purview > DLP > Create policy
- Select Microsoft 365 Copilot location (includes Agent 365 workloads)
- Configure conditions for financial SITs (account numbers, SSN, ABA routing)
- Set action to Block for Zone 3 agents, Warn for Zone 2
- Enable Extended telemetry to capture Agent 365 SDK events
For Blueprint-specific data governance guidance, see Control 1.6 - DSPM for AI.
Updated: February 2026 | Version: v1.3 | UI Verification Status: Current