Control 1.6: Microsoft Purview DSPM for AI

Control ID: 1.6
Pillar: Security
Regulatory Reference: FINRA Rule 3110, FINRA 25-07, SEC Reg S-P, SEC AI priorities, GLBA 501(b), SOX 302
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated


Naming History

This capability was originally launched as AI Hub in Microsoft Purview, then renamed to Data Security Posture Management for AI (DSPM for AI) in late 2024. As of April 2026 it is labeled "DSPM for AI (classic)" in the portal, while the new unified DSPM (preview) experience (consolidating DSPM and DSPM for AI) is rolling out per MC1191257 with GA expected in May 2026. Older Microsoft Learn URLs and admin search results may still surface "AI Hub" — treat them as DSPM for AI. Portal navigation: Microsoft Purview > Solutions > DSPM for AI (classic) (commercial portal https://purview.microsoft.com).

Sovereign Cloud Availability (April 2026)

DSPM for AI is GA in Commercial and GCC (https://purview.microsoft.com) and in GCC High and DoD (https://purview.microsoft.us) as of May 2025. Feature parity is partial: the unified DSPM (preview) is commercial-first; Insider Risk Management dependencies (Adaptive Protection, the IRM-backed one-click templates) are not available in US Government clouds at parity — verify against your tenant's cloud before relying on those capabilities.

Agent 365 Architecture Update

Agent 365 integrates with Microsoft Purview DSPM to provide security posture visibility across all agent types, extending current DSPM coverage beyond individual platforms. See Unified Agent Governance for security posture integration details.

Objective

Implement Data Security Posture Management for AI to gain visibility into how Microsoft 365 Copilot, Copilot Studio agents, and other AI applications interact with organizational data within configured scopes. DSPM for AI is the primary Purview surface for AI risk surfacing, providing monitoring, one-click policy templates, weekly risk assessment of in-scope SharePoint sites, and reporting that helps support FSI supervisory and recordkeeping obligations.


Why This Matters for FSI

  • FINRA Rule 3110 / 25-07: Activity Explorer surfaces in-scope agent interactions and helps support AI supervisory review; FINRA 25-07 extends supervisory expectations to AI systems. DSPM is a detection surface, not the books-and-records system of record — pair with Audit Premium retention (Control 1.7).
  • SEC Reg S-P (2024 amendments §248.30(a)(4)): DSPM sensitive-interaction alerts can aid in detecting events that may trigger the amended customer-notification timeline. Reportability remains a Compliance/Legal determination.
  • SEC AI examination priorities: Reports help support transparency in AI-assisted activity by inventorying configured-scope interactions.
  • GLBA 501(b): Oversharing assessments and sensitive-info detection help identify potential customer-information exposure to AI.
  • SOX 302/404: Policy enforcement and Activity Explorer evidence support internal-controls-over-financial-reporting where AI assists FR-relevant processes.
  • OCC 2011-12 / Fed SR 11-7: Data risk assessments and per-agent risk signals support model risk management and ongoing monitoring; pair with Control 2.13.
  • Interagency Guidance on Third-Party Relationships (OCC/FRB/FDIC, 2023-17/SR 23-4/FIL-29-2023): DSPM extended insights for ChatGPT Enterprise, Gemini, Foundry, and Entra-registered AI apps help support the ongoing monitoring phase only; due diligence and contracting remain manual.
  • NY DFS Part 500 (23 NYCRR 500): Loss of DSPM telemetry on a Zone 3 workload may be a 72-hour reportability trigger — see troubleshooting playbook.

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

DSPM for AI provides comprehensive visibility into AI interactions across Microsoft 365 Copilot, Copilot Studio agents, and third-party AI applications. It helps organizations discover sensitive data exposure, monitor AI usage patterns, and implement protective policies.

Evolving Capability: Microsoft Purview DSPM for AI is an actively developing feature set. Monitor Microsoft Learn documentation for new capabilities and changes to existing functionality.

| Capability | Description |
| --- | --- |
| AI interaction monitoring | Track configured-scope Copilot and agent interactions surfaced via the Unified Audit Log (CopilotInteraction record type); long-term retention requires Audit Premium (Control 1.7) |
| Sensitive data detection | Identify sensitive info in AI prompts and responses |
| Recommendations | Guided security improvements with prioritized actions |
| Policy integration | Unified view of DLP, Insider Risk, Communication Compliance policies |
| Oversharing assessment | Identify and remediate data exposure risks |
| Activity explorer | Detailed interaction logs for investigation and compliance |

Security Event Consistency

DSPM Activity Explorer completeness may be affected when ingesting Defender agent activity events. Blocked prompt events from Copilot Studio agents may not consistently appear in Defender advanced hunting, which can affect the completeness of activity data surfaced in DSPM. Monitor Microsoft updates on Defender event consistency for Copilot Studio agents.

Supported AI Workloads

DSPM for AI monitors the following AI applications and workloads:

| Workload | Coverage | Notes |
| --- | --- | --- |
| Microsoft 365 Copilot | Full | Embedded Copilot in Word, Excel, PowerPoint, Outlook, Teams |
| Copilot Studio agents | Full | Custom agents published to Microsoft 365 |
| Agent Builder agents | Full | Declarative agents created in Agent Builder |
| ChatGPT Enterprise | Extended | Requires browser extension and extended insights |
| Google Gemini | Extended | Requires browser extension and extended insights |
| Entra-registered apps with Purview SDK | Extended | Custom apps using Microsoft Purview SDK for data classification |
| Third-party AI apps | Extended | Apps integrated via Purview SDK or browser extension |
| Microsoft Foundry | Extended | Microsoft Foundry workloads registered via Purview SDK integration |

Extended Insights Configuration

To monitor third-party AI applications (ChatGPT Enterprise, Gemini, custom apps), complete the "Extended Insights" step in the DSPM for AI Get Started wizard. This requires deploying the Microsoft Purview Browser Extension to managed devices.

Weekly Risk Assessments

DSPM for AI includes automated weekly risk assessments to identify data exposure risks in SharePoint sites accessed by AI agents. These assessments provide comprehensive visibility into oversharing, sensitivity label coverage, and data access patterns.

Default Weekly Risk Assessment — Top-100 Coverage Caveat

DSPM for AI's Default Weekly Assessment scans only the top 100 SharePoint sites by usage. For Zone 3 tenants (typically far more than 100 sites), sites 101+ are not assessed by the default — they require manual custom assessments. Maintain an inventory of in-scope Zone 3 sites and schedule custom assessments for everything outside the top 100.

| Feature | Status | Description | Configuration |
| --- | --- | --- | --- |
| Default Weekly Assessment | GA | Automated weekly scan of top 100 SharePoint sites by usage; does not cover sites 101+ | Purview > DSPM for AI > Data risk assessments |
| Custom Site Assessment | GA | On-demand assessment for specific sites (required for any site outside top 100) | Purview > DSPM for AI > New Assessment |
| Sensitivity Label Detection | GA | Identifies unlabeled or mislabeled content in AI-accessible sites | Integrated with assessment results |
| Oversharing Detection | GA | Identifies sites with broad sharing permissions accessible by AI | Assessment > Protect tab |
| Unified DSPM Experience | Preview (May 2026 GA expected per MC1191257) | Consolidation of DSPM and DSPM for AI — see Enhanced DSPM AI Observability subsection below | Check Message Center for current rollout status |

Preview — GA Expected May 2026

The Unified DSPM experience will consolidate DSPM and DSPM for AI into a single Purview experience. Check Microsoft Message Center for the latest rollout timeline.

Assessment Schedule Details (per Microsoft Learn — dspm-for-ai-considerations):

  • Default Assessment: Runs weekly for the top 100 SharePoint sites by usage. Sites outside the top 100 require custom assessments.
  • Initial delay: Allow up to 4 days before first results display (per Learn).
  • Wait time for updates: Allow at least 48 hours after assessment completion before results refresh.
  • Policy propagation: New DSPM/DLP policies can take up to 24 hours to surface in reports; DLP for Microsoft 365 Copilot location changes can take up to 4 hours.
  • Custom assessments: Must be triggered manually for in-scope sites beyond the top 100 — track these in a CAB-approved assessment register.

Dashboard Guidance:

The DSPM for AI dashboard provides four tabs for comprehensive risk visibility:

| Tab | Purpose | Key Metrics | FSI Action |
| --- | --- | --- | --- |
| Overview | Summary insights per site/workspace | Sites scanned, sensitive items found, risk score | Weekly executive review |
| Identify | Data scanned vs. not scanned for SITs | Coverage percentage, unscanned volumes | Prioritize unscanned high-risk sites |
| Protect | Oversharing remediation options | Sites with org-wide sharing, external sharing | Remediate within 14-day SLA (Zone 3) |
| Monitor | Sharing breakdown by access type | Specific people, external, organization-wide, group-based | Track sharing trends month-over-month |

Remediation Workflows:

When DSPM assessments identify data exposure risks, implement remediation workflows appropriate to your governance zone:

  1. Oversharing Remediation: Restrict broad sharing permissions on flagged sites
       • Review sites with organization-wide or external sharing in Protect tab
       • Update SharePoint site permissions to restrict access
       • Apply sharing policy restrictions at site or tenant level
       • Document remediation actions in compliance tracking system

  2. Label Remediation: Apply sensitivity labels to unlabeled content in AI-accessible locations
       • Review unlabeled volumes in Identify tab
       • Apply auto-labeling policies for high-volume content
       • Conduct manual labeling for sensitive content requiring review
       • Track labeling coverage improvements month-over-month

Zone-Specific Remediation SLAs:

| Zone | Remediation SLA | Escalation |
| --- | --- | --- |
| Zone 1 | 30 days | AI Governance Lead |
| Zone 2 | 14 days | Compliance Officer |
| Zone 3 | 7 days | CISO + Compliance Officer |

Enhanced DSPM AI Observability

Preview Feature

The unified DSPM experience consolidating DSPM and DSPM for AI is in preview. GA rollout expected May 2026 (per MC1191257). Check Message Center for current rollout status. Feature availability and UI may change before general availability.

The unified DSPM experience represents Microsoft's evolution toward a single pane of glass for data security posture management across all data types, including AI-specific interactions. Enhanced DSPM AI Observability capabilities provide deeper visibility into agent risk profiles, advanced activity filtering, and unified dashboards that help FSI organizations meet comprehensive monitoring requirements.

Key Characteristics:

  • Consolidated Experience: Single Purview interface combining traditional DSPM (data security across all locations) with DSPM for AI (agent-specific monitoring)
  • Agent Risk Observability: Per-agent risk scoring based on data sensitivity, access patterns, and policy violations
  • Enhanced Activity Explorer: Improved filtering, search capabilities, and export functionality for AI-specific event investigation
  • Unified Dashboard: Comprehensive data security posture view eliminating the need to navigate between separate DSPM and DSPM for AI interfaces
  • Data Classification Insights: Enhanced visibility into how AI agents interact with classified data, including unlabeled content detection and sensitivity mismatch identification

FSI Use Case: Organizations subject to FINRA Rule 3110 supervision requirements benefit from centralized agent risk dashboards that surface high-risk agents immediately, enabling prioritized review workflows. The unified experience streamlines compliance reporting by consolidating AI and non-AI data security metrics into a single export.

Enhanced DSPM AI Observability Capabilities:

| Capability | Classic DSPM for AI | Unified DSPM Experience (Preview) | FSI Benefit |
| --- | --- | --- | --- |
| Agent Risk Dashboards | Basic usage metrics per agent | Per-agent risk scores with contributing factors (data sensitivity, access patterns, policy violations) | Prioritized supervision of high-risk agents for FINRA 3110 compliance |
| Activity Explorer | Standard filtering by agent, user, timeframe | Enhanced filters with advanced search, multi-dimensional correlation, improved export | Faster investigation for SEC exam responses and OCC audit trails |
| Data Classification Visibility | Sensitivity label detection in weekly assessments | Real-time classification insights showing agent interactions with labeled/unlabeled data | Proactive detection of GLBA 501(b) customer information exposure before weekly assessment cycle |
| Dashboard Experience | Separate DSPM and DSPM for AI dashboards | Single unified dashboard with drill-down from overall posture to AI-specific risks | Simplified executive reporting and reduced admin overhead |
| Remediation Workflows | Manual correlation between DSPM findings and AI activity | Integrated remediation with direct links from agent risk findings to relevant policy controls | Faster response to data exposure incidents, supporting SOX 302 internal control requirements |

Prepare Now — Pre-GA Configuration Steps:

Organizations can prepare for the unified DSPM experience migration before general availability:

  1. Verify Current DSPM for AI Configuration: Complete all four Get Started steps (Audit, Browser Extension, Device Onboarding, Extended Insights) to ensure baseline coverage
  2. Review and Remediate Findings: Address current weekly risk assessment findings and oversharing issues to establish a clean baseline before unified experience migration
  3. Document Activity Explorer Filters: Export current saved searches and filter configurations from classic DSPM for AI Activity Explorer for recreation in unified experience
  4. Enable Extended Insights for Third-Party AI: If monitoring ChatGPT Enterprise, Gemini, or other third-party AI apps, ensure extended insights are configured to maintain visibility post-migration
  5. Prepare for Unified Dashboard Migration: Ensure all data sources (SharePoint, OneDrive, Exchange, Teams) are connected to DSPM to enable comprehensive unified dashboard visibility
  6. Review Current Reporting Cadence: Document existing DSPM for AI review schedules (daily Activity Explorer checks for Zone 3, weekly report reviews for Zone 2) to maintain continuity post-migration

Regulatory Mapping: Enhanced DSPM AI Observability capabilities help support FINRA Rule 3110 supervision requirements through comprehensive AI interaction monitoring and per-agent risk scoring. The unified experience aids in meeting SEC AI priorities for transparent agent data access reporting. OCC 2011-12 model risk management benefits from continuous agent risk assessment and classification insights that detect scope drift and excessive data access patterns.


Prerequisites & Licensing

DSPM for AI surfacing depends on a stack of licenses, billing modes, device-onboarding, and browser configuration. An "E5 or E5 Compliance" check alone is not sufficient.

| Requirement | Applies To | Source |
| --- | --- | --- |
| Microsoft 365 E5 or Microsoft 365 E5 Compliance or Microsoft Purview Suite per monitored user | All DSPM for AI capabilities | Learn: ai-microsoft-purview |
| Microsoft 365 Copilot per-user license | Visibility of M365 Copilot interactions in Activity Explorer | Learn: dspm-for-ai-considerations |
| Microsoft Purview pay-as-you-go (PAYG) billing linked to an Azure subscription | Coverage of non-Microsoft AI apps (ChatGPT Enterprise, Gemini, Foundry, Other) | Learn: dspm-for-ai-considerations |
| Audit (Premium) entitlement | Long-term CopilotInteraction retention beyond ~180 days; required for FSI 6-year evidence — see Control 1.7 | Learn: audit-premium |
| Microsoft Defender for Endpoint or standalone Purview device onboarding | Endpoint-derived AI signals from managed Windows/Mac devices | Learn: device-onboarding-overview |
| Microsoft Edge configuration policy (NOT browser extension) | Edge integration for AI/DLP signal capture | Learn: microsoft-edge-dlp-purview-configuration |
| Microsoft Purview browser extension for Chrome/Firefox (Windows-only) | Third-party AI visit detection on non-Edge browsers; also required for endpoint DLP on Windows + Chrome | Learn: dlp-chrome-firefox-extension |
| Microsoft Purview SDK integration | Entra-registered custom AI apps and Foundry workloads | Learn: purview-sdk |
| Microsoft Purview enterprise data governance | Copilot in Fabric and Security Copilot monitoring | Learn: data-governance |

Administrative Units Restriction

DSPM for AI does not support administrative units for one-click policy creation as of April 2026 (per Learn data-security-posture-management-considerations). Restricted admins scoped to an AU cannot create one-click DSPM/DLP/IRM policies. Plan for tenant-scoped admin coverage of these workflows.

One-Click Policy Templates (DSPM for AI Policies pane)

The DSPM for AI Policies pane surfaces named one-click templates that land in different underlying solutions and require different role groups. Each template's prerequisites must be met independently.

Template (as displayed in portal) Underlying solution Role required to create Default scope Zone 1 Zone 2 Zone 3
Detect risky AI usage in apps Insider Risk Management IRM role group All users Optional Recommended Required
Detect risky interactions in AI apps Insider Risk Management (Risky AI usage) IRM role group All users Recommended Required
Detect sensitive info shared with AI via network Endpoint DLP DLP Compliance Admin All managed devices Optional Required Required
Secure interactions for Microsoft Copilot experiences Collection / DLP for Copilot location DLP Compliance Admin M365 Copilot users Recommended Required
Capture interactions for Copilot experiences Collection policy (content capture) Compliance Admin M365 Copilot users Required Required
Capture interactions for enterprise AI apps Collection policy (content capture) Compliance Admin PAYG-billed AI apps Optional Required
Discover and govern interactions with ChatGPT Enterprise AI Collection policy + extended insights Compliance Admin ChatGPT Enterprise tenant Optional Conditional*
Secure data in Azure AI apps and agents DLP / Purview SDK DLP Compliance Admin Azure AI / Foundry apps Optional Conditional*

*Conditional = required if the workload is in scope for the tenant.

Content capture caveat: Templates with "Capture" in the name require content capture to be explicitly enabled — without it, Activity Explorer rows appear but prompt/response content is not stored.


Key Configuration Points

DSPM for AI Naming Update (2025)

The original DSPM for AI capability is now labeled "DSPM for AI (classic)" in the Microsoft Purview portal. A new unified Data Security Posture Management experience is in preview, providing expanded capabilities including AI observability, data security objectives, posture reports, and the Purview Posture Agent. This control currently documents DSPM for AI (classic) capabilities. The framework will incorporate the unified DSPM experience as it reaches general availability.

  • Complete all 4 Get Started steps in DSPM for AI (classic): Audit, Browser Extension, Device Onboarding, Extended Insights
  • Review and implement high-priority recommendations
  • Enable AI-specific DLP policies visible in DSPM for AI (classic) Policies view
  • Configure Activity explorer filters for enterprise agent monitoring
  • Monitor weekly risk assessment results in DSPM for AI (classic) dashboard
  • Review all four dashboard tabs (Overview, Identify, Protect, Monitor) for risk insights
  • Configure remediation workflows for oversharing findings
  • Set up assessment notification alerts for new findings
  • Run custom assessments for high-priority sites beyond top 100
  • Enable Insider Risk Management for Zone 2-3 agents
  • Export Activity explorer data for compliance evidence
  • Monitor unified DSPM experience preview for GA migration readiness (May 2026)

e-Discovery and Examination Readiness

  • Configure Purview eDiscovery (Premium) to include AI interaction audit records in legal hold and search scopes
  • DSPM Activity Explorer is a detection/triage UI, not the long-term system of record. Native Activity Explorer historical view is limited (~30 days in current UI; see Learn data-classification-activity-explorer). Durable evidence for FINRA 4511 / SEC 17a-4(f) lives in the Unified Audit Log under Audit Premium retention (Control 1.7) — pair the two surfaces; do not substitute one for the other.
  • Maintain quarterly evidence packages for regulatory examinations: Activity Explorer exports (with SHA-256 sidecars), oversharing assessment summaries with remediation status, policy configuration snapshots (JSON), and agent inventory cross-referenced with DSPM monitoring scope

Zone-Specific Requirements

| Zone | Requirement | Rationale |
| --- | --- | --- |
| Zone 1 (Personal) | Monthly dashboard review; basic monitoring | Low risk, reduced friction |
| Zone 2 (Team) | Weekly report review; DLP + DSPM policies enabled | Shared agents require consistent controls |
| Zone 3 (Enterprise) | Daily Activity explorer review; all policy types enabled; 6-year retention via Audit Premium retention policies + scheduled SIEM export (see Control 1.7) | Highest audit/regulatory risk |

Roles & Responsibilities

Per Microsoft Learn (ai-microsoft-purview-permissions), DSPM for AI access is granted by specific role groups. Several common admin roles do not grant DSPM for AI access — verify role assignment per action.

| Role | Responsibility | Notes |
| --- | --- | --- |
| Microsoft Purview Compliance Admin (role group) | Full DSPM for AI configuration, recommendations, custom assessments | Cannot complete "Activate Audit" Get Started step; cannot create IRM-backed templates |
| Entra Compliance Admin | Equivalent to Purview Compliance Admin for DSPM for AI; alternative path | Least-privilege alternative to Global Admin |
| Entra Global Admin | Full DSPM for AI access (all Get Started steps) | Use sparingly — least-privilege guidance prefers Compliance Admin |
| Exchange Organization Management (or Exchange Compliance/Records Management) | Required to complete the Activate Audit Get Started step | Audit ingestion is per-tenant default since 2023 — verify state before mutating |
| Insider Risk Management (role group) | Required to create / view / manage IRM-backed templates ("Detect risky AI usage", "Risky AI usage") | Not available in US Government clouds at parity |
| Communication Compliance (role group) | Required for Communication Compliance one-click templates | Cross-link Control 1.10 |
| Purview Security Reader | View-only access to DSPM for AI dashboards | View-only |
| Purview Data Security AI Viewer | View-only DSPM for AI metadata | View-only |
| Purview Data Security AI Content Viewer | View-only DSPM for AI prompt/response content in Activity Explorer | Required for content review during examination — assign sparingly with tenure-based reviews |
| Entra AI Administrator (role) | View AI-related compliance metadata | View-only; Entra role, not a Purview role |
| AI Governance Lead | Overall AI governance strategy | Role definition is organizational (RACI-driven), not a tenant role |

| Control | Relationship |
| --- | --- |
| 1.5 - DLP and Sensitivity Labels | Data protection policies integrated in DSPM |
| 1.7 - Audit Logging | Required dependency; provides activity data |
| 1.8 - Runtime Protection and External Threat Detection | Defender for Cloud Apps agent activity events flow to DSPM Activity Explorer |
| 1.12 - Insider Risk Detection | Risk management integration |
| 1.10 - Communication Compliance | Content monitoring integration |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying (deterministic — generate a known interaction and assert specific event counts/contents, not portal-presence):

  1. DSPM for AI is accessible at https://purview.microsoft.com (or purview.microsoft.us for GCC High/DoD) and the four Get Started steps show completed with the appropriate role group recorded for each step
  2. Audit ingestion is True when checked from Exchange Online PowerShell (Connect-ExchangeOnline, then Get-AdminAuditLogConfig); see Control 1.7 — value from Security & Compliance PowerShell is unreliable
  3. License entitlement test: every monitored user carries M365 Copilot SKU (Graph Get-MgUserLicenseDetail); PAYG billing is enabled where non-Microsoft AI apps are in scope
  4. Each enabled one-click policy template is recorded with: template name, underlying solution, mode, scope, exclusions, content-capture state
  5. Generate a known Copilot prompt from a named licensed user at a known UTC timestamp; after documented wait window, query Activity Explorer with explicit filters and assert event count ≥ 1 with matching user / app / activity (silent-zero-row test)
  6. Weekly risk assessments are running for the top 100 sites; in-scope Zone 3 sites outside the top 100 are inventoried in the custom-assessment register
  7. Sensitivity-label propagation test: label a source doc → invoke Copilot summarization → confirm response carries label / inherits restriction
  8. Negative test set: unauthorized role, paused policy, missing browser extension on a managed Windows endpoint, unlicensed Copilot user, restricted-AU admin
  9. Oversharing remediation tickets are tracked and closed within Zone-specific SLA (Zone 3: 7 days)
  10. Evidence pack for the run includes Activity Explorer CSV + assessment PDF + policy snapshot JSON, each with a .sha256 sidecar, stored in immutable storage with retention label aligned to Control 1.7
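
Steps 5 and 10 can be checked mechanically once the exports are on disk. The following Python is an added example, not part of the framework's own tooling: it writes and verifies `.sha256` sidecars for an evidence pack and runs the silent-zero-row assertion over an Activity Explorer CSV export. The file names, CSV column names, activity value, and sample rows are constructed assumptions; map them to the headers of your actual export.

```python
import csv
import hashlib
import hmac
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def write_sidecar(path: Path) -> Path:
    """Write '<file>.sha256' in sha256sum format next to an evidence file."""
    sidecar = path.with_name(path.name + ".sha256")
    sidecar.write_text(f"{sha256_of(path)}  {path.name}\n", encoding="utf-8")
    return sidecar


def sidecar_ok(path: Path) -> bool:
    """True only if the sidecar exists and matches the file's current hash."""
    sidecar = path.with_name(path.name + ".sha256")
    if not sidecar.is_file():
        return False
    fields = sidecar.read_text(encoding="utf-8").split()
    return bool(fields) and hmac.compare_digest(fields[0].lower(), sha256_of(path))


def matching_events(csv_path, user, app, activity, sent_at, tolerance):
    """Rows for the known test prompt. Column names are assumed, not Purview's."""
    hits = []
    with csv_path.open(newline="", encoding="utf-8-sig") as fh:
        for row in csv.DictReader(fh):
            when = datetime.fromisoformat(row["TimestampUtc"].replace("Z", "+00:00"))
            if (row["User"].lower() == user.lower()
                    and row["App"] == app
                    and row["Activity"] == activity
                    and abs(when - sent_at) <= tolerance):
                hits.append(row)
    return hits


def check_run(pack: Path, csv_name: str, **known) -> dict:
    """Fail on any unhashed or altered file, or on zero matching events."""
    files = [p for p in sorted(pack.iterdir()) if p.suffix != ".sha256"]
    bad = [p.name for p in files if not sidecar_ok(p)]
    count = len(matching_events(pack / csv_name, **known))
    return {"bad_sidecars": bad, "event_count": count,
            "passed": not bad and count >= 1}


def build_sample_pack(pack: Path) -> None:
    """Constructed evidence files standing in for real exports."""
    (pack / "activity_explorer.csv").write_text(
        "TimestampUtc,User,App,Activity\n"
        "2026-04-14T13:05:22Z,tester@contoso.example,Microsoft 365 Copilot,AI interaction\n"
        "2026-04-14T16:40:00Z,other@contoso.example,Microsoft 365 Copilot,AI interaction\n",
        encoding="utf-8")
    (pack / "assessment.pdf").write_bytes(b"%PDF-1.7 constructed placeholder\n")
    (pack / "policy_snapshot.json").write_text(
        json.dumps({"template": "Capture interactions for Copilot experiences",
                    "contentCapture": True}), encoding="utf-8")
    for p in list(pack.iterdir()):
        write_sidecar(p)


# The known interaction from step 5: named user, app, activity, UTC send time.
KNOWN = dict(user="tester@contoso.example", app="Microsoft 365 Copilot",
             activity="AI interaction",
             sent_at=datetime(2026, 4, 14, 13, 5, tzinfo=timezone.utc),
             tolerance=timedelta(minutes=5))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pack = Path(tmp)
        build_sample_pack(pack)
        print(check_run(pack, "activity_explorer.csv", **KNOWN))
```

Run the check only after the documented wait window has elapsed; a zero count before then reflects ingestion latency rather than a coverage gap.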

Additional Resources

Agent Essentials

Note: Agent governance features in the M365 Admin Center are rolling out progressively. Verify feature availability in your tenant.

Agent 365 Blueprint Data Governance (Preview)

Note: The following guidance applies to Blueprint-registered agents using the Agent 365 SDK.

DSPM for AI provides enhanced visibility into Agent 365 Blueprint-registered agents through integration with the Observability SDK. This enables comprehensive data governance across the agent lifecycle.

Blueprint → DSPM Data Flow:

Agent 365 SDK → Observability SDK → Application Insights → DSPM Activity Explorer
     ↓                                      ↓
Blueprint Metadata              Prompt/Response Telemetry
(data sources, permissions)     (sensitive data detection)

| DSPM Capability | Agent 365 Integration | FSI Benefit |
| --- | --- | --- |
| Activity Explorer | Ingests Agent 365 telemetry via Observability SDK | Complete audit trail of agent interactions |
| Oversharing Assessment | Evaluates Blueprint-declared data sources | Identifies excessive data access at registration |
| Sensitive Data Detection | Analyzes SDK-captured prompts/responses | Detects NPI exposure in agent conversations |
| Policy Recommendations | Includes Agent 365-specific guidance | Tailored DLP/IRM recommendations for agents |

Blueprint-Specific Data Classification Requirements:

  1. Data Source Declaration - Blueprint registration requires explicit declaration of data sources
  2. Permission Scope Validation - DSPM evaluates whether declared permissions match data sensitivity
  3. Runtime Monitoring - Observability SDK telemetry feeds DSPM for continuous data access monitoring

Configuration for Agent 365:

  1. Enable DSPM for AI extended insights (Get Started > Extended Insights)
  2. Configure Application Insights integration for Agent 365 SDK agents
  3. Create Activity Explorer filter for ApplicationId matching Agent 365 workloads
  4. Run oversharing assessment including Blueprint-registered agent data sources
  5. Review recommendations for Agent 365-specific data protection policies

Zone-Specific DSPM Requirements for Agent 365:

| Zone | Requirement |
| --- | --- |
| Zone 1 | DSPM monitoring optional for personal agents |
| Zone 2 | DSPM Activity Explorer review weekly; Blueprint data source validation |
| Zone 3 | Daily DSPM review required; Oversharing assessment before Blueprint promotion |

For DLP policy configuration specific to Agent 365, see Control 1.5 - DLP and Sensitivity Labels.


Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current