Control 1.6: Microsoft Purview: DSPM for AI

Overview

Control ID: 1.6
Control Name: Microsoft Purview: DSPM for AI
Regulatory Reference: FINRA Notice 25-07, SEC AI priorities, GLBA 501(a), SOX 302
Setup Time: 2-4 hours


Purpose

Implement Data Security Posture Management for AI to gain comprehensive visibility into how Microsoft 365 Copilot, Copilot Studio agents, and other AI applications interact with organizational data. DSPM for AI is the central hub for AI governance, providing monitoring, policy management, risk assessment, and compliance reporting for financial services organizations.


Description

Data Security Posture Management (DSPM) for AI provides comprehensive visibility into AI interactions across Microsoft 365 Copilot, Copilot Studio agents, and other AI applications. DSPM for AI helps organizations discover sensitive data exposure, monitor AI usage patterns, and implement protective policies.

See DSPM for AI for detailed capabilities.


Key Capabilities

Capability | Description | FSI Relevance
AI interaction monitoring | Track all Microsoft 365 Copilot and agent interactions | Complete visibility
Sensitive data detection | Identify sensitive info in AI prompts/responses | Data protection
Recommendations | Guided security improvements | Compliance posture
Policy integration | DLP, Insider Risk, Communication Compliance | Unified governance
Oversharing assessment | Identify data exposure risks | Risk mitigation

Scope (US-only)

This control is implemented for US-only operations:

  • Tenant and data boundary: Use a tenant configuration and data locations that keep content and compliance data within the United States (including any applicable tenant geography/data residency configuration you have enabled).
  • Operational boundary: Configure DSPM for AI and supporting policies for US supervisory expectations. If your tenant is multi-geo, document how US-only scope is enforced (which geographies/workloads are in scope and how cross-geo access is governed).
  • Evidence boundary: Store exported reports, screenshots, and audit exports in a US-only evidence repository with access controls and retention aligned to your recordkeeping requirements.

Prerequisites

Primary Owner Admin Role: Purview Compliance Admin
Supporting Roles: None

Licenses Required

License | Purpose | Required For
Microsoft 365 E5 | Full DSPM capabilities | All governance levels
Microsoft 365 E5 Compliance | Standalone compliance | Alternative to E5
Microsoft Purview Data Loss Prevention | DLP integration | Level 2+
Microsoft 365 Copilot | AI interactions to monitor | Monitoring scope

Permissions Required

Role | Purpose | Assignment Method
Compliance Administrator | Full DSPM access | Entra ID
Security Administrator | View reports and policies | Entra ID
Insider Risk Management Admin | IRM integration | Purview RBAC
Privacy Management Admin | Privacy features | Purview RBAC

Dependencies

Dependency | Description | Verification
Control 1.7: Audit Logging | Unified audit logging enabled and ingesting | Purview Audit is enabled; recent events present
Microsoft 365 Copilot deployment | AI users to monitor | Verify license assignment
Browser extension (optional) | Third-party AI monitoring | Endpoint Manager deployment
Control 1.5: DLP and Sensitivity Labels | DLP policies and labels support "protect what Copilot can access" | DLP policies exist and are in intended mode; labels applied to sensitive content

If you cannot see DSPM for AI in the Purview portal navigation, validate licensing and role assignment first (see Troubleshooting).

Pre-Setup Checklist

  • [ ] E5 or E5 Compliance licenses active
  • [ ] Purview portal access verified
  • [ ] Unified audit logging enabled
  • [ ] Microsoft 365 Copilot deployed to users
  • [ ] Compliance Administrator role assigned
  • [ ] Agent inventory available (from Control 3.1)

Governance Levels

Level 1 - Baseline

Requirement | Configuration
DSPM access | DSPM for AI portal accessible
Basic setup | Complete Get Started steps 1 and 4
Review frequency | Monthly dashboard review

Minimum requirements:

  • Activate Microsoft Purview Audit
  • Review Overview dashboard monthly
  • Document any sensitive data exposure

Requirement | Configuration
Full setup | All 4 Get Started steps completed
Recommendations | Address high-priority recommendations
Policies | DLP and DSPM policies enabled
Reports | Weekly report review

FSI recommendations:

  • Complete all setup steps including browser extension
  • Enable Communication Compliance for agent interactions
  • Weekly review of sensitive interactions reports
  • Implement top recommendations

Level 4 - Regulated/High-Risk

Requirement | Configuration
Comprehensive monitoring | All policy types enabled
Risk assessments | Regular oversharing assessments
Activity review | Daily Activity explorer review for Tier 3 (enterprise managed)
Integration | Insider Risk Management enabled
Evidence retention | Export and retain activity logs

FSI requirements:

  • All Insider Risk Management policies active
  • Custom data risk assessments for customer data
  • Daily review of Tier 3 (enterprise managed) agent interactions
  • Integration with SOC for alert escalation
  • Quarterly compliance reporting from DSPM

Setup & Configuration

DSPM for AI Navigation

The Microsoft Purview portal UI changes frequently. As of Dec 2025, common navigation patterns include:

  1. Open Microsoft Purview
  2. In the left navigation, locate Solutions (or expand the nav if collapsed)
  3. Select DSPM for AI
  4. Use the DSPM sub-pages: Overview, Recommendations, Reports, Policies, Activity explorer, Data risk assessments

Evidence tip (UI): capture a screenshot showing the left navigation with DSPM for AI selected and the tenant name visible.

Accessing DSPM for AI

  1. Open Microsoft Purview
  2. Navigate to DSPM for AI in left navigation
  3. Select the appropriate sub-page

DSPM for AI Sub-Pages

Page | Purpose | Key Features
Overview | Dashboard and quick start | Get started steps, metrics, recommendations
Recommendations | Security improvement guidance | Prioritized actions, completion tracking
Reports | AI activity analytics | Interactions, sensitive data, insider risk
Policies | Policy management | DLP, DSPM, IRM, Communication Compliance
Activity explorer | Detailed interaction logs | Filters, export, investigation
Data risk assessments | Oversharing detection | Custom assessments, remediation

Get Started Setup

The Overview page provides four required setup steps:

Step | Task | Description | Time
1 | Activate Microsoft Purview Audit | Get insights into user interactions with Microsoft 365 Copilot experiences and agents | 7 min
2 | Install Microsoft Purview browser extension | Detect risky user activity and get insights into user interactions with other AI apps | 1 hour
3 | Onboard devices to Microsoft Purview | Prevent sensitive data from leaking to other AI apps | 1 hour
4 | Extend your insights for data discovery | Discover sensitive data in user interactions with other AI apps | 10 min

FSI Recommendation

Complete all four setup steps to enable comprehensive AI monitoring across Microsoft and third-party AI applications.

Step 1 (Required): Activate Microsoft Purview Audit (dependency alignment with Control 1.7)

DSPM for AI relies on audit signals. For evidence-grade implementation:

  1. In Purview → DSPM for AI → Overview, open the Get started card.
  2. Select Activate Microsoft Purview Audit and complete the guided workflow.
  3. In Purview → Audit, confirm audit is enabled and that recent events are present.

Verification artifacts (minimum):

  • Screenshot: DSPM Get started shows Step 1 completed
  • Screenshot: Purview Audit page indicates logging is enabled
  • Export (or screenshot): a small sample of audit results demonstrating recent activity exists (redact as needed)

Steps 2–4 expand coverage to other AI apps. If your US-only scope disallows monitoring certain endpoints or browsers, document the exception, the rationale, and what coverage remains.


Overview Dashboard

View Options

View | Coverage
All AI apps | Microsoft 365 Copilot, Copilot Studio, third-party AI
Microsoft 365 Copilot | M365 Copilot interactions only

Dashboard Sections

Recommendations:

  • "Fortify your data security" - Data protection actions
  • "Get guided assistance to AI regulations" - ISO 42001, NIST AI RMF compliance

Reports:

  • Total interactions over time (Microsoft 365 Copilot and agents)
  • Sensitive interactions per AI app (pie chart by sensitive info type)

Metrics:

  • Interactions with sensitive data (last 30 days)
  • Activity counts by AI application

Recommendations

Recommendation Tracking

Status | Description
Not Started | Actions pending implementation
Dismissed | Actions marked as not applicable
Completed | Actions successfully implemented

Recommendation Types

Type | Examples
Data security | Protect sensitive data in Microsoft 365 Copilot responses, Safeguard Microsoft 365 Copilot interactions
AI regulations | Guided assistance to AI regulations (ISO 42001, NIST AI RMF)
Data discovery | Discover and govern ChatGPT Enterprise AI interactions
Insider risk management | Detect risky interactions in AI apps

Key Recommendations for FSI

Recommendation | Priority | FSI Impact
Protect sensitive data referenced in Microsoft 365 Copilot and agent responses | High | Customer data protection
Detect risky interactions in AI apps | High | Insider threat detection
Protect items with sensitivity labels from Microsoft 365 Copilot | High | Classification enforcement
Secure interactions from enterprise AI apps | Medium | Third-party AI governance

Reports

Report Filters

Filter | Options
Copilot experiences & agents | Microsoft 365 Copilot, Copilot Studio agents
Enterprise AI apps | ChatGPT Enterprise, other corporate AI
Other AI apps | Consumer AI applications

Report Sections

Activity:

  • Total interactions over time (trend chart)
  • Interaction counts by AI application

Data:

  • Sensitive interactions per AI app
  • Top unethical AI interactions
  • Sensitive interactions by department
  • Top sensitivity labels referenced in Microsoft 365 Copilot and agents

User:

  • Insider risk severity (by risk level)
  • Insider risk severity per AI app
  • Potential risky AI usage

Policies

DSPM for AI policies integrate with multiple Microsoft Purview solutions:

Policy Types

Solution | Purpose | Example Policies
Data Loss Prevention | Prevent sensitive data exposure | Detect sensitive info added to AI sites
DSPM for AI | AI-specific protections | Detect sensitive info shared in AI prompts in Edge
Insider Risk Management | Risky behavior detection | Risky AI usage, Data theft by departing users
Communication Compliance | Content monitoring | Unethical behavior in AI apps, M365 Copilot interactions

Policy Management

  1. Navigate to DSPM for AI → Policies
  2. View policies grouped by solution type
  3. Check status (On/Off) for each policy
  4. Review last modified date and owner

Policy configuration (evidence-grade) — align with Control 1.5 (DLP)

Use DSPM for AI to confirm your DLP baseline is reducing exposure in AI usage:

  1. Go to DSPM for AI → Policies → Data Loss Prevention.
  2. Identify the DLP policies that apply to the data sources Microsoft 365 Copilot and agents can reach (commonly SharePoint, OneDrive, Teams).
  3. Confirm policy Mode aligns with your governance level (e.g., test vs enforced) and that user scoping matches your intended AI rollout groups.
  4. If you use sensitivity labels, confirm labeled content is covered by DLP conditions/actions that enforce your desired behavior when content is accessed or shared.

Verification artifacts (recommended):

  • Screenshot: the relevant DLP policies as displayed in DSPM for AI → Policies (showing status and last modified)
  • Screenshot (or export): DLP policy details page showing scope and mode (redact names if needed)
  • Link evidence: cross-reference your Control 1.5 implementation record (policy name, purpose, owner, change ticket)

Evidence-grade interaction review (Reports + Activity explorer)

To produce audit-ready evidence of AI usage and sensitive data exposure:

  1. Go to DSPM for AI → Reports and select a timeframe that matches your evidence window (e.g., last 7/30 days).
  2. Capture the following minimum views for your evidence pack:
    • Total interactions trend
    • Sensitive interactions summary (by AI app and sensitive info type)
  3. Go to DSPM for AI → Activity explorer:
    • Filter AI app category to Copilot experiences & agents
    • Filter Activity type to AI Interaction (and/or sensitive info type activity as needed)
    • Optionally filter by Agent name for Tier 3 (enterprise managed) agents in scope
  4. Use Export to produce a CSV for your evidence repository.

Verification artifacts (minimum):

  • Screenshot: Reports page with filters visible
  • Export: Activity explorer CSV (stored US-only) + evidence log entry (date, scope, exporter)
  • Screenshot: Activity explorer filters showing scoping (date range, AI app category, and agent filter if used)
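The review above ends with an Activity explorer CSV export and an evidence log entry. The following PowerShell function is an added example (not from the original page and not Microsoft's code) that turns such an export into that log entry: it scopes the rows to Copilot experiences & agents (optionally to named Tier 3 agents), summarises sensitive interactions by app and sensitive info type, derives the evidence window from the data, and records the file's SHA-256 hash, scope and exporter. It assumes the CSV headers match the Activity explorer column names listed later in this control; the sample export embedded below is constructed, not real tenant data.

```powershell
# Added example: build an evidence log entry from an Activity explorer CSV export.
# Assumption: CSV headers match the Activity explorer column names (Activity type,
# Timestamp (UTC), AI app category, App, Agent name, User participant,
# Sensitive info type, Sensitivity label). Adjust the names if your export differs.

function New-DspmEvidenceEntry {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,       # Activity explorer CSV export
        [Parameter(Mandatory)] [string] $EvidenceLogPath,  # evidence log (CSV, appended to)
        [string[]] $AgentNames = @(),                      # Tier 3 agents in scope (optional)
        [string]   $Exporter   = $env:USERNAME             # who produced the export
    )

    $rows = Import-Csv -Path $ExportPath

    # Scope to Copilot experiences & agents, then to named agents when given
    $inScope = @($rows | Where-Object { $_.'AI app category' -eq 'Copilot experiences & agents' })
    if ($AgentNames.Count -gt 0) {
        $inScope = @($inScope | Where-Object { $AgentNames -contains $_.'Agent name' })
    }

    # Sensitive interactions are the rows where a sensitive info type was detected
    $sensitive = @($inScope | Where-Object { -not [string]::IsNullOrWhiteSpace($_.'Sensitive info type') })
    $summary = $sensitive |
        Group-Object -Property App, 'Sensitive info type' |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }

    # Evidence window comes from the data itself, not from the reviewer's memory
    $stamps = $inScope |
        ForEach-Object { [datetime]::Parse($_.'Timestamp (UTC)', [cultureinfo]::InvariantCulture) } |
        Sort-Object
    $scope = 'Copilot experiences & agents'
    if ($AgentNames.Count -gt 0) { $scope += '; agents: ' + ($AgentNames -join ';') }

    $entry = [PSCustomObject]@{
        RecordedAtUtc      = (Get-Date).ToUniversalTime().ToString('u')
        Exporter           = $Exporter
        ExportFile         = (Resolve-Path -Path $ExportPath).Path
        ExportSha256       = (Get-FileHash -Path $ExportPath -Algorithm SHA256).Hash  # integrity of the retained file
        Scope              = $scope
        WindowStartUtc     = if ($stamps) { $stamps[0].ToString('u') }  else { '' }
        WindowEndUtc       = if ($stamps) { $stamps[-1].ToString('u') } else { '' }
        InteractionCount   = $inScope.Count
        SensitiveCount     = $sensitive.Count
        SensitiveByAppType = ($summary -join '; ')
    }
    $entry | Export-Csv -Path $EvidenceLogPath -NoTypeInformation -Append
    return $entry
}

# Constructed sample export (not real tenant data) so the function can be exercised offline
$sample = @'
Activity type,Timestamp (UTC),AI app category,App,App accessed in,Agent name,User participant,Sensitive info type,Web searched,Sensitivity label
AI Interaction,2025-12-01 14:03:22,Copilot experiences & agents,Copilot Studio,Teams,Loan Advisor,user1@contoso.com,U.S. Social Security Number (SSN),No,Confidential
AI Interaction,2025-12-01 15:10:05,Copilot experiences & agents,Microsoft 365 Copilot,Word,,user2@contoso.com,,No,
AI Interaction,2025-12-02 09:41:17,Copilot experiences & agents,Copilot Studio,Teams,Loan Advisor,user3@contoso.com,Credit Card Number,No,Highly Confidential
AI Interaction,2025-12-02 11:00:00,Enterprise AI apps,ChatGPT Enterprise,Edge,,user1@contoso.com,Credit Card Number,Yes,
'@
$exportPath = Join-Path ([IO.Path]::GetTempPath()) 'activity-explorer-sample.csv'
$logPath    = Join-Path ([IO.Path]::GetTempPath()) 'dspm-evidence-log.csv'
Set-Content -Path $exportPath -Value $sample -Encoding UTF8

# Tier 3 scope: only the "Loan Advisor" agent; expect 2 interactions, both sensitive
New-DspmEvidenceEntry -ExportPath $exportPath -EvidenceLogPath $logPath `
    -AgentNames 'Loan Advisor' -Exporter 'compliance.analyst' | Format-List
```

Store the export and the evidence log together in the US-only evidence repository; the recorded hash lets a later reviewer confirm the retained CSV is the one that was logged.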

FSI Policy Recommendations

Tier | Recommended Policies
Tier 1 (personal productivity) | Basic DLP policies
Tier 2 (team collaboration) | DLP + DSPM for AI + Communication Compliance
Tier 3 (enterprise managed) | All policy types enabled + Insider Risk Management

Activity Explorer

Overview

Activity explorer provides detailed logs of AI interactions for investigation and compliance:

Description: "Review AI activity including AI interactions (prompts and responses), activity with sensitive info types, and more."

Available Filters

Filter | Purpose
Timestamp | Date range selection
Activity type | AI Interaction, Sensitive info types
AI app category | Copilot experiences & agents, Enterprise AI, Other
App | Specific application (Copilot Studio, M365 apps)
App accessed in | Access context
Agent name | Specific agent identifier
User participant | User who performed the interaction
Sensitive info type | Types of sensitive data detected
Web searched | Whether web search was used
Sensitivity label | Applied sensitivity labels

Activity Columns

Column | Description
Activity type | AI Interaction or Sensitive info types
Timestamp (UTC) | When the activity occurred
AI app category | Category of AI application
App | Specific application name
App accessed in | Access context
Agent name | Name of the agent involved
User participant | User who performed the action
Sensitive info type | Detected sensitive information
Web searched | Yes/No
Sensitivity label | Applied label

Export Capability

  • Export activity data for compliance documentation
  • Use for regulatory examination evidence
  • Support incident investigations

Data Risk Assessments

Oversharing Prevention

Data risk assessments help identify and remediate oversharing risks:

Tabs: Microsoft 365 | Fabric

Three-Step Process

Step | Action | Description
1. Identify | Review assessments | Weekly results from default assessment or custom assessments
2. Protect | Apply controls | Limit Copilot access to sensitive data, apply labels and retention
3. Monitor | Ongoing review | SharePoint site and access reviews for permissions

Oversharing assessment (evidence-grade) — what to run and what to keep

For US-only implementations, oversharing evidence should demonstrate (a) the assessment ran successfully, (b) overshared items were identified (or confirmed minimal), and (c) remediation was tracked.

  1. Navigate to DSPM for AI → Data risk assessments.
  2. Run the default assessment (if available) for the defined scope and wait for completion.
  3. Review results and record:
    • Assessment name
    • Scope (sites/users/data sources included)
    • Run timestamp and completion timestamp
    • Overshared items count and severity (if shown)
  4. Create a remediation record that ties findings to corrective actions (e.g., SharePoint permission cleanup, label application, DLP policy tightening).

Verification artifacts (minimum):

  • Screenshot: assessment list showing status and completion time
  • Screenshot: results summary showing overshared items count
  • Change evidence: ticket(s) or work items for remediation, including before/after access state where feasible

Custom Assessments (Preview)

Create targeted assessments for specific data sources:

  1. Navigate to DSPM for AI → Data risk assessments
  2. Click + Create custom assessment
  3. Define data sources and users to assess
  4. Review results for overshared items
  5. Take remediation actions

Assessment tracking: Name, Status, Started on, Completed on, Results expiry, Overshared items count


PowerShell Configuration

Enable Unified Audit Logging

# Connect to Security & Compliance PowerShell (requires the ExchangeOnlineManagement module)
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Enable unified audit logging (required for DSPM)
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Verify audit logging is enabled
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Search for Copilot-related audit events (the same $startDate/$endDate are reused by the blocks below)
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# Note: audit schemas/record types can change. If your tenant does not support a specific
# RecordType (such as CopilotInteraction), remove it and filter using Operations/AuditData.

# Get recent audit events (filter as needed). 5000 is the per-call maximum; use the
# -SessionId/-SessionCommand parameters to page through larger result sets.
$copilotEvents = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -ResultSize 5000

$copilotEvents = $copilotEvents | Where-Object {
    $_.Operations -match 'Copilot|AI' -or $_.AuditData -match 'Copilot'
}

# Export results for analysis
$copilotEvents | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path "Copilot-Audit-Events.csv" -NoTypeInformation

# Parse and display recent AI interactions (AuditData is a JSON string)
foreach ($event in $copilotEvents | Select-Object -First 10) {
    $data = $event.AuditData | ConvertFrom-Json
    Write-Host "User: $($event.UserIds) - App: $($data.Application) - Time: $($event.CreationDate)"
}

Export DSPM Activity Data

# Search for specific sensitive information in AI interactions
$sensitiveSearch = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -ResultSize 5000

# Filter for events with sensitive data
$sensitiveEvents = $sensitiveSearch | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    if ($data.SensitiveInfoTypes) {
        [PSCustomObject]@{
            Date = $_.CreationDate
            User = $_.UserIds
            SensitiveTypes = ($data.SensitiveInfoTypes -join ", ")
            Application = $data.Application
        }
    }
}

$sensitiveEvents | Export-Csv -Path "DSPM-Sensitive-Events.csv" -NoTypeInformation

Verify Policy Status

# Get DLP policies that are enforced (Mode "Enable"); test-mode policies are excluded here
Get-DlpCompliancePolicy | Where-Object { $_.Mode -eq "Enable" } |
    Select-Object Name, Mode, Enabled, WhenCreated |
    Format-Table

# Get Communication Compliance policies
# Note: Limited PowerShell support - use Purview portal for full management

# Check retention policies that may affect AI data
# Note: the retention duration is a property of the policy's rule, not of the policy object
Get-RetentionCompliancePolicy | Where-Object { $_.Enabled -eq $true } |
    Select-Object Name, Mode, Enabled |
    Format-Table

Get-RetentionComplianceRule |
    Select-Object Name, RetentionDuration, RetentionComplianceAction |
    Format-Table

Audit Administrator Access to DSPM

# Track who has accessed DSPM for AI
$dspmAccess = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -Operations "PageViewed" -ResultSize 1000

$dspmPageViews = $dspmAccess | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    if ($data.ObjectId -match "DSPM|ai-microsoft-purview") {
        [PSCustomObject]@{
            Date = $_.CreationDate
            User = $_.UserIds
            Page = $data.ObjectId
        }
    }
}

$dspmPageViews | Export-Csv -Path "DSPM-Admin-Access.csv" -NoTypeInformation

Financial Sector Considerations

Regulatory Mapping

Regulation | DSPM for AI Requirement | Control Implementation
FINRA 25-07 | AI supervision and monitoring | Activity explorer for agent interactions
SEC AI priorities | Transparency in AI-assisted decisions | Reports → Sensitive interactions
GLBA 501(a) | Protection of customer information | Oversharing assessments
SOX 302 | Internal controls over AI systems | Policy enforcement and audit trail
OCC 2011-12 | Model risk management | Data risk assessments

Zone-Specific DSPM Configuration

Tier | Monitoring Level | Review Frequency | Alert Threshold | Evidence Retention
Tier 1 (personal productivity) | Basic | Monthly | High risk only | 90 days
Tier 2 (team collaboration) | Enhanced | Weekly | Medium + High | 1 year
Tier 3 (enterprise managed) | Comprehensive | Daily | All sensitive | 6 years (per FINRA 4511)

FSI-Specific Recommendations Priority

DSPM Recommendation | FSI Priority | Implementation
Enable Insider Risk Management | Critical | Required for Tier 2–3 (team collaboration–enterprise managed)
Configure Communication Compliance | Critical | Required for Tier 3 (enterprise managed)
Deploy browser extension | High | Capture third-party AI use
Enable DLP for AI | Critical | Required for all zones
Run oversharing assessment | High | Monthly for customer data

FSI Example: DSPM Dashboard Configuration

Organization: Regional Investment Bank
DSPM Configuration:
  Overview:
    - Get Started: All 4 steps completed
    - Key metrics monitored:
      - Total AI interactions (trending)
      - Sensitive data exposure events (zero tolerance)
      - Recommendation completion rate (>90%)

  Reports:
    - "Interactions" reviewed: Daily for Tier 3 (enterprise managed)
    - "Sensitive AI interactions" reviewed: Real-time alerts
    - "Data oversharing" reviewed: Weekly

  Policies Enabled:
    - DLP for Copilot: Block mode
    - Insider Risk: Data theft template active
    - Communication Compliance: Regulatory template

  Custom Assessments:
    - Customer Data Sites: Weekly scan
    - Trading Data SharePoint: Daily scan
    - Agent Knowledge Sources: Bi-weekly scan

Regulatory Context

Primary Regulations: FINRA Notice 25-07, SEC AI priorities, GLBA 501(a), SOX 302

Regulation | DSPM for AI Support
FINRA 25-07 | AI supervision and monitoring requirements
SEC AI priorities | Transparency in AI-assisted decisions
GLBA 501(a) | Protection of customer information in AI
SOX 302 | Internal controls over AI systems

AI Regulation Compliance

DSPM for AI provides guided assistance for:

  • ISO 42001 - AI Management System standard
  • NIST AI RMF - AI Risk Management Framework

Examination Considerations

Regulators may request:

  • AI interaction logs and audit trails
  • Sensitive data exposure reports
  • Policy configuration evidence
  • Risk assessment results
  • Remediation action documentation

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of Microsoft Purview: DSPM for AI controls that impact tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for Microsoft Purview: DSPM for AI controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Step | Action | Expected Result
1 | Navigate to purview.microsoft.com → DSPM for AI | Dashboard displayed
2 | Check Get Started completion | All steps show completed
3 | Review Recommendations | Actions tracked with status
4 | Access Reports | Interaction data visible
5 | Check Policies | Required policies enabled
6 | Open Activity explorer | AI interactions logged
7 | Review Data risk assessments | Assessment capability available

Troubleshooting & Validation

Issue: DSPM Dashboard Shows No AI Interactions

Symptoms: Overview displays zero interactions despite active Copilot usage

Solutions:

  1. Verify unified audit logging is enabled (Get Started step 1)
  2. Check that users have Microsoft 365 Copilot licenses assigned
  3. Wait 24-48 hours for initial data population
  4. Verify date range filter in reports
  5. Confirm users are actually using Copilot features

Issue: Browser Extension Not Capturing Third-Party AI

Symptoms: ChatGPT, Claude, other AI usage not appearing in reports

Solutions:

  1. Verify extension deployment via Intune/Endpoint Manager
  2. Check extension is enabled in user browsers
  3. Confirm AI domains are in the monitored list
  4. Verify users are signed in to browser with work account
  5. Check extension version is current

Issue: Recommendations Not Updating

Symptoms: Completed actions still show as pending in Recommendations

Solutions:

  1. Manually mark recommendation as complete if action was taken
  2. Refresh the browser/dashboard
  3. Wait for sync (can take up to 24 hours)
  4. Verify the action was fully completed in source system
  5. Contact Microsoft support if stuck for >48 hours

Issue: Activity Explorer Missing Expected Events

Symptoms: Known AI interactions not appearing in Activity explorer

Solutions:

  1. Adjust date range filter to include event timeframe
  2. Check filter settings (user, app, activity type)
  3. Verify audit retention policy hasn't deleted events
  4. Confirm user/app is in scope for monitoring
  5. Export all data and search manually if needed

Issue: Oversharing Assessment Returns Errors

Symptoms: Data risk assessment fails or shows errors

Solutions:

  1. Verify SharePoint sites are accessible
  2. Check permissions to run assessments
  3. Ensure sites aren't in a locked/read-only state
  4. Reduce scope and retry with smaller site set
  5. Check service health for Purview/SharePoint issues

Additional Resources

Control | Relationship
Control 1.5: DLP and Sensitivity Labels | Data protection policies
Control 1.7: Audit Logging | Activity logging
Control 1.12: Insider Risk Detection | Risk management
Control 1.10: Communication Compliance | Content monitoring

Support & Questions

For implementation support or questions about this control, contact:

  • Microsoft Purview Administrator: DSPM configuration
  • Security Operations: Alert monitoring and escalation
  • Compliance Officer: Regulatory reporting requirements
  • AI Governance Lead: Overall AI governance strategy

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification