Control 2.1: DLP Policies for M365 Copilot Interactions
Control ID: 2.1
Pillar: Security & Protection
Regulatory Reference: FINRA 4511, SEC Reg S-P, GLBA 501(b), SOX 404
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Deploy Data Loss Prevention (DLP) policies that specifically target the Microsoft 365 Copilot location to detect and block sensitive financial data in user prompts, Copilot-generated responses, and files referenced during Copilot grounding. This control supports compliance with GLBA safeguard requirements and helps prevent the unauthorized exposure of personally identifiable information (PII), account numbers, and other regulated data types through AI-assisted interactions.
Why This Matters for FSI
- GLBA 501(b) requires financial institutions to implement administrative, technical, and physical safeguards to protect customer information — Copilot interactions represent a new vector for potential data exposure that must be governed
- SEC Reg S-P (17 CFR Section 248), amended effective December 3, 2025 (larger entities) mandates policies and procedures to safeguard customer records and information — DLP for Copilot helps prevent sensitive customer data from being surfaced in AI-generated responses shared beyond intended audiences, and the SIT-based prompt blocking type directly addresses the requirement that customer information safeguards cover AI interaction surfaces
- FINRA Rule 4511 requires firms to make and preserve books and records — DLP policy match events create an auditable record of when sensitive data was detected in Copilot interactions
- SOX Section 404 requires adequate internal controls over financial reporting — DLP policies help prevent material non-public information (MNPI) from leaking through AI-generated summaries or drafts
- FFIEC IT Examination Handbook expects institutions to identify and protect sensitive data across all processing channels, including AI-assisted workflows
Control Description
Microsoft Purview DLP includes Microsoft 365 Copilot as a dedicated location in DLP policy configuration. Administrators can create two architecturally distinct policy types that govern different enforcement points in the Copilot interaction chain. These policy types address fundamentally different risk vectors and must be configured as separate policies — they cannot be merged into a single policy.
DLP Policy Type 1: Label-Based Response Blocking
Configured in the Microsoft 365 Copilot DLP policy location. When a user's Copilot prompt causes grounding against a file or email that carries a sensitivity label matching the policy condition, Copilot is blocked from including that content in its response.
- Enforcement point: Copilot's response generation (grounding phase)
- What is scanned: Files and emails referenced during Copilot's retrieval
- Primary use: Prevent Copilot from surfacing labeled content to users who should not receive it via AI
- FSI application: Block Copilot from including MNPI-labeled documents in responses to users on the public side of an information wall; prevent Highly Confidential regulatory materials from being surfaced through Copilot summarization
DLP Policy Type 2: SIT-Based Prompt Blocking
A distinct policy type that scans the user's prompt itself for sensitive information types before Copilot processes the request. When a user types sensitive data directly into a Copilot prompt (for example, pastes credit card numbers or SSNs), Copilot is blocked from responding, including blocking grounding via Microsoft Graph or web search.
- Enforcement point: The user's prompt (before Copilot processes it)
- What is scanned: The text the user types into Copilot
- Primary use: Prevent users from inadvertently submitting sensitive data to Copilot
- FSI application: Per SEC Regulation S-P (17 CFR Section 248), amended effective December 3, 2025 for larger entities, customer information safeguards must cover AI interaction surfaces — SIT-based prompt blocking addresses this requirement by preventing customer account numbers, SSNs, and other regulated data from entering the Copilot processing chain
These two policy types cannot be merged into a single policy — they are configured separately in Microsoft Purview and address different risk vectors.
Policy Type Comparison
| Aspect | Label-Based Response Blocking | SIT-Based Prompt Blocking |
|---|---|---|
| Enforcement point | Copilot response (grounding phase) | User prompt (before processing) |
| What is scanned | Files and emails referenced by Copilot | The text the user types into Copilot |
| Trigger | Sensitivity label on source content | SIT pattern match in prompt text |
| Can be combined with the other type | No — separate policy required | No — separate policy required |
| FSI use | Block AI surfacing of labeled NPI/MNPI | Block users pasting account numbers, SSNs into prompts |
| Configured via | Purview DLP > Create policy > Copilot location | Purview DLP > Create policy > Copilot location |
Default DLP Policy for Copilot
Microsoft deploys a default DLP policy for Copilot in simulation mode (GA January 2026, MC1182689). This is the SIT-based prompt blocking type. The default policy detects sensitive information in Copilot prompts and runs in simulation mode — audit only, no blocking — to provide visibility without disrupting users during initial deployment.
- Access path: Microsoft 365 Admin Center > Copilot > Overview > Security tab, or Microsoft Purview > Data loss prevention > Policies
- Default behavior: Simulation mode — matches are logged but not blocked
- When to act: Review the default policy simulation results before enabling enforcement; tune SIT confidence levels based on observed false positive rates
Edge Browser DLP for Copilot
DLP policies now extend to Copilot interactions within Microsoft Edge, preventing sensitive data from being submitted through browser-based Copilot interfaces (GA September 2025). Edge browser DLP catches interactions through the browser that the native M365 app DLP location may not cover.
- How it works: Edge browser DLP applies policy evaluation to Copilot interactions at m365copilot.com and other Copilot web surfaces accessed through Edge
- Complement to app DLP: The native Copilot location in Purview DLP covers Copilot within M365 apps (Word, Teams, Outlook, etc.); Edge DLP extends coverage to browser-based access
- Configuration: Enable through Microsoft Purview > Data loss prevention > Endpoint DLP settings, with Edge configured as a monitored browser
DLP Policy Components for Copilot
| Component | Description | FSI Application |
|---|---|---|
| Copilot Location | Dedicated DLP location targeting all Copilot interactions | Apply FSI-specific SIT detection to all AI interactions |
| Sensitive Information Types (SITs) | Built-in and custom pattern matching for regulated data | Detect SSNs, account numbers, ABA routing numbers, SWIFT codes |
| Sensitivity Label Conditions | DLP rules triggered by document labels | Block Copilot from processing "Highly Confidential" labeled content (Type 1) |
| Policy Tips | Real-time user notifications when DLP triggers | Educate users about data handling during Copilot use |
| Block Actions | Prevent Copilot from processing or returning matched content | Hard-block MNPI and customer PII in Copilot responses or prompts |
FSI-Specific Sensitive Information Types
| SIT Name | Pattern | Confidence Level | Example |
|---|---|---|---|
| US Social Security Number | \d{3}-\d{2}-\d{4} | High | 123-45-6789 |
| ABA Routing Number | \d{9} with check digit validation | High | 021000021 |
| Credit Card Number | Luhn-validated 13-19 digit patterns | High | 4111-1111-1111-1111 |
| US Bank Account Number | 8-17 digit patterns with context keywords | Medium | Account: 12345678901 |
| SWIFT/BIC Code | [A-Z]{4}[A-Z]{2}[A-Z0-9]{2}([A-Z0-9]{3})? | High | BOFAUS3N |
| CUSIP Number | [A-Z0-9]{6}[A-Z0-9]{2}[0-9] | Medium | 037833100 |
| ISIN Number | [A-Z]{2}[A-Z0-9]{9}[0-9] | Medium | US0378331005 |
| FINRA CRD Number | Custom SIT with CRD context keywords | Medium | CRD# 12345 |
| Material Non-Public Information | Custom keyword dictionary + context | Medium | "insider", "material", "non-public" |
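As an added example (not Microsoft Purview code and not part of this control), the following Python approximates what the SIT-based prompt blocking policy evaluates: it applies the patterns from the table above, the check-digit validation the table names (ABA, Luhn, CUSIP and ISIN check digits), and a keyword-proximity requirement for the Medium-confidence SITs. The 300-character window, the keyword lists, the span-claiming order and the sample prompt are assumptions; Purview's real SIT engine is configured in the portal and is not reproduced here.

```python
import re

def luhn_ok(digits):
    # Luhn mod-10 check over a digit string (credit cards, ISIN).
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 else d
    return total % 10 == 0

def aba_ok(n):
    # ABA routing check digit: weights 3,7,1 repeating, weighted sum mod 10 == 0.
    return sum(int(c) * w for c, w in zip(n, [3, 7, 1] * 3)) % 10 == 0

def cusip_ok(s):
    # CUSIP check digit: A=10..Z=35, double every second value, sum the digits mod 10.
    total = 0
    for i, ch in enumerate(s[:8]):
        v = (int(ch) if ch.isdigit() else ord(ch) - 55) * (2 if i % 2 else 1)
        total += v // 10 + v % 10
    return (10 - total % 10) % 10 == int(s[8])

def isin_ok(s):
    # ISIN check digit: expand letters to two-digit values (A=10), then Luhn the result.
    return luhn_ok("".join(str(ord(c) - 55) if c.isalpha() else c for c in s))

# (name, regex, validator, confidence, required context keywords). High-confidence
# SITs come first so they claim a span before a looser Medium-confidence pattern can.
SITS = [
    ("US Social Security Number", r"\b\d{3}-\d{2}-\d{4}\b", None, "High", ()),
    ("ABA Routing Number", r"\b\d{9}\b", aba_ok, "High", ()),
    ("Credit Card Number", r"\b\d(?:[ -]?\d){12,18}\b",
     lambda t: luhn_ok(re.sub(r"\D", "", t)), "High", ()),
    ("SWIFT/BIC Code", r"\b[A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?\b", None, "High", ()),
    ("CUSIP Number", r"\b[A-Z0-9]{6}[A-Z0-9]{2}[0-9]\b", cusip_ok, "Medium", ("cusip",)),
    ("ISIN Number", r"\b[A-Z]{2}[A-Z0-9]{9}[0-9]\b", isin_ok, "Medium", ("isin",)),
    ("US Bank Account Number", r"\b\d{8,17}\b", None, "Medium", ("account", "acct")),
]
PROXIMITY = 300  # assumed keyword window (characters) on either side of a match

def scan_prompt(text):
    # Return (sit_name, matched_text, confidence) for each validated, unclaimed hit.
    hits, claimed = [], []
    for name, pattern, validator, confidence, keywords in SITS:
        for m in re.finditer(pattern, text):
            if any(m.start() < e and s < m.end() for s, e in claimed):
                continue  # e.g. 021000021 also passes the CUSIP check; ABA already owns it
            if validator and not validator(m.group()):
                continue  # shape matched but the check digit did not: likely false positive
            window = text[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY].lower()
            if keywords and not any(k in window for k in keywords):
                continue  # Medium-confidence SITs need a supporting keyword nearby
            claimed.append((m.start(), m.end()))
            hits.append((name, m.group(), confidence))
    return hits

# Constructed prompt; every value is a well-known example/test number, not real data.
SAMPLE_PROMPT = ("Summarize the wire for client SSN 123-45-6789, card 4111-1111-1111-1111, "
                 "routing 021000021, account 12345678901. Positions: CUSIP 037833100, "
                 "ISIN US0378331005, settle via BOFAUS3N.")
```

Running scan_prompt over SAMPLE_PROMPT returns seven hits, one per SIT, and a 9-digit value that fails its check digit is dropped rather than reported.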
DLP for Copilot Architecture
```
User Prompt ────────────────────────────────────────────────→ Copilot Service
     │                                                            │
     ▼                                                            ▼
SIT-Based Prompt Blocking (Type 2)                   Label-Based Response Blocking (Type 1)
Scans the prompt itself for SIT patterns             Scans referenced files/emails for labels
     │                                                            │
     ├── No SIT match → Copilot processes                         ├── No HC label → Copilot returns content
     └── SIT match → Block + Audit Log                            └── HC label found → Block + Audit Log

Edge Browser DLP (September 2025)
Applied to Copilot interactions via Microsoft Edge browser
Extends coverage to browser-based Copilot surfaces (m365copilot.com)
```
Integration with DSPM for AI
Data Security Posture Management (DSPM) for AI in Microsoft Purview provides visibility into how sensitive data flows through Copilot. When combined with DLP policies, DSPM enables:
- Real-time dashboards showing DLP policy matches across Copilot interactions (both policy types)
- Identification of users who frequently trigger DLP policies in Copilot
- Trend analysis of sensitive data exposure attempts through AI interactions
- Risk scoring for Copilot usage patterns based on data sensitivity
- Accessible from: Microsoft Purview > Data Security Posture Management, or MAC > Copilot > Overview > Security tab
Copilot Surface Coverage
| M365 Application | DLP for Prompts | DLP for Responses | DLP for Referenced Files | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Yes | Primary concern — accesses all workloads |
| Word | Yes | Yes | Yes | Document drafting and summarization |
| Excel | Yes | Yes | Yes | Formula generation, data analysis |
| PowerPoint | Yes | Yes | Yes | Presentation generation |
| Outlook | Yes | Yes | Yes | Email drafting and summarization |
| Teams | Yes | Yes | Yes | Meeting summaries, chat interactions |
| OneNote | Yes | Yes | Yes | Note summarization |
| Loop | Yes | Yes | Yes | Collaborative content generation |
| Copilot Pages | Yes | Yes | Yes | New collaboration surface |
| SharePoint (Agents) | Yes | Yes | Yes | Declarative agent interactions |
| Edge Browser (Copilot web) | Yes | Yes | Yes | Edge DLP (GA September 2025) — browser-based access |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Enable the default DLP policy for Copilot (SIT-based, simulation mode); enable at least one label-based DLP policy with US PII SITs (SSN, credit card) in audit-only mode; review simulation matches weekly | Provides visibility across both policy types without blocking — suitable for initial deployment to understand data flow patterns |
| Recommended | Enable both DLP policy types with enforcement: label-based blocking for Highly Confidential content; SIT-based prompt blocking for high-confidence matches (SSN, account numbers, ABA routing); enable Edge browser DLP; add MNPI keyword dictionary; enable policy tips for medium-confidence matches; transition default policy from simulation to enforcement after tuning | Balances user productivity with data protection — appropriate for most FSI firms after initial monitoring period |
| Regulated | Both policy types enforced with custom FSI SITs (CUSIP, ISIN, CRD, SWIFT); Edge DLP mandatory with Endpoint DLP for complete browser and device coverage; no simulation mode — all policies in enforcement; label-based blocking applied to all Confidential and above sub-labels; DLP incident review within 4 hours; DSPM for AI dashboards reviewed weekly by compliance | Comprehensive protection for firms subject to frequent examinations or handling highest-sensitivity data |
Setup & Configuration
Step 1: Navigate to DLP Policy Creation
Portal: Microsoft Purview Compliance Portal > Data loss prevention > Policies > Create policy
Alternative: Microsoft 365 Admin Center > Copilot > Overview > Security tab (for accessing the default Copilot DLP policy)
Step 2: Create a Label-Based Response Blocking Policy (Type 1)
- Select Custom policy in the policy creation wizard
- In the "Choose locations to apply the policy" step, enable Microsoft 365 Copilot
- Optionally scope to specific users or groups for phased rollout
- Keep other locations (Exchange, SharePoint, OneDrive, Teams) enabled for comprehensive coverage
- Add rule condition: "Content contains sensitivity label = Highly Confidential"
- Action: Block Copilot from processing the content
- Policy tip: "This document is classified as Highly Confidential and cannot be processed by Copilot"
Step 3: Create a SIT-Based Prompt Blocking Policy (Type 2)
This is a separate policy from Type 1 — configure it independently in Purview DLP:
- Create a new DLP policy targeting the Microsoft 365 Copilot location
- Add rule conditions for FSI SITs:
  - U.S. Social Security Number (SSN)
  - Credit Card Number
  - U.S. Bank Account Number
  - ABA Routing Number
- Action: Block Copilot from responding to the prompt
- Policy tip: Notify the user that their prompt contains sensitive information
Step 4: Review and Configure the Default DLP Policy
- Access via: MAC > Copilot > Overview > Security tab, or Purview > DLP > Policies
- The default policy runs in simulation mode — review match data before enabling enforcement
- Tune SIT confidence levels based on observed false positive rates
- Enable enforcement after validation period (minimum 2 weeks of simulation data)
Step 5: Configure Edge Browser DLP
- In Microsoft Purview > Data loss prevention > Endpoint DLP settings
- Enable Microsoft Edge as a monitored browser for DLP enforcement
- Ensure the Endpoint DLP policies include the Copilot web surface conditions
- Verify Edge browser version meets minimum requirements for DLP policy enforcement
Step 6: Configure Sensitive Information Types
- Select built-in SITs for US financial data:
  - U.S. Social Security Number (SSN)
  - Credit Card Number
  - U.S. Bank Account Number
  - ABA Routing Number
- Add custom SITs for FSI-specific patterns:
  - CUSIP Numbers
  - ISIN Numbers
  - MNPI keyword dictionaries
Step 7: Set Policy Actions
| Match Confidence | Baseline Action | Recommended Action | Regulated Action |
|---|---|---|---|
| High (>85%) | Audit | Block + notify user | Block + notify user + alert compliance |
| Medium (65-85%) | Audit | Warn (policy tip) | Block + notify user |
| Low (40-65%) | No action | Audit | Warn (policy tip) |
Step 8: Configure Alerts and Notifications
- Set up alert policies for DLP matches in Copilot
- Route high-severity alerts to the compliance team distribution group
- Configure incident reports with matched content samples (for authorized reviewers only)
- Set escalation timeline: 4 hours for high-severity, 24 hours for medium-severity
Key PowerShell Commands
```powershell
# Connect to Security & Compliance PowerShell
Connect-IPPSSession

# View existing DLP policies targeting Copilot
Get-DlpCompliancePolicy | Where-Object { $_.Workload -match "Copilot" }

# View DLP policy rules and their SIT configurations
Get-DlpComplianceRule -Policy "FSI Copilot DLP Policy"

# Export DLP match report for Copilot location
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "DlpRuleMatch" -ResultSize 5000 | Export-Csv "CopilotDLPMatches.csv"
```
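The simulation-mode review in Step 4 and the weekly match review in the Baseline level need the exported DlpRuleMatch events turned into per-user counts and per-SIT confidence buckets. The Python below is an added example, not Microsoft code: it reads a CSV shaped like the Search-UnifiedAuditLog export above, keeps only Copilot workload events, and buckets each match using the Step 7 thresholds. The nested AuditData field names follow the Management Activity API DLP schema as assumed here, the Copilot workload value is assumed to contain "Copilot", and the sample rows are constructed; verify both against a real export before relying on this.

```python
import csv
import io
import json
from collections import Counter, defaultdict

def _audit_row(user, workload, sit, confidence):
    # Constructed DlpRuleMatch record. The nested AuditData layout follows the Office 365
    # Management Activity API DLP schema as assumed here; verify it against a real export.
    data = {"Operation": "DlpRuleMatch", "Workload": workload, "UserId": user,
            "PolicyDetails": [{"PolicyName": "FSI Copilot DLP Policy", "Rules": [{
                "RuleName": "Detect " + sit, "ConditionsMatched": {"SensitiveInformation": [
                    {"SensitiveInformationTypeName": sit, "Confidence": confidence, "Count": 1}]}}]}]}
    return [user, "DlpRuleMatch", json.dumps(data)]

def build_sample_csv():
    # Mimics the columns of a Search-UnifiedAuditLog | Export-Csv file that this script reads.
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["UserIds", "Operations", "AuditData"])
    for row in [
        _audit_row("alice@example.com", "Copilot", "U.S. Social Security Number (SSN)", 85),
        _audit_row("alice@example.com", "Copilot", "U.S. Social Security Number (SSN)", 95),
        _audit_row("alice@example.com", "Copilot", "CUSIP Number", 70),
        _audit_row("bob@example.com", "Copilot", "ABA Routing Number", 90),
        _audit_row("bob@example.com", "Exchange", "Credit Card Number", 95),  # not a Copilot event
        _audit_row("carol@example.com", "Copilot", "CUSIP Number", 50),
    ]:
        w.writerow(row)
    return buf.getvalue()

def confidence_bucket(confidence):
    # Buckets from the Step 7 action table: High >85, Medium 65-85, Low below that.
    return "High" if confidence > 85 else "Medium" if confidence >= 65 else "Low"

def summarize_copilot_matches(csv_text):
    # Return (matches per user, {SIT: Counter of confidence buckets}) for Copilot events only.
    by_user, by_sit = Counter(), defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        # Workload is assumed to carry the Copilot identifier the verification criteria mention.
        if data.get("Operation") != "DlpRuleMatch" or "Copilot" not in data.get("Workload", ""):
            continue
        for policy in data.get("PolicyDetails", []):
            for rule in policy.get("Rules", []):
                for si in rule.get("ConditionsMatched", {}).get("SensitiveInformation", []):
                    by_user[data["UserId"]] += si.get("Count", 1)
                    by_sit[si["SensitiveInformationTypeName"]][confidence_bucket(si["Confidence"])] += 1
    return by_user, by_sit

def frequent_users(by_user, threshold=2):
    # Users at or above the threshold are the "frequent trigger" population DSPM for AI highlights.
    return sorted(u for u, n in by_user.items() if n >= threshold)
```

A SIT whose matches cluster in the Low and Medium buckets (CUSIP in the sample) is the first candidate for confidence tuning before the default policy leaves simulation mode.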
Financial Sector Considerations
- Broker-Dealers: Deploy both DLP policy types. The label-based type should include MNPI keyword dictionaries aligned with the firm's restricted list — preventing Copilot from surfacing MNPI content in responses. The SIT-based prompt blocking type catches registered representatives who inadvertently paste client account details or position data into Copilot prompts.
- Registered Investment Advisers: Client portfolio details (account numbers, holdings, performance data) must be protected when Copilot summarizes or generates documents. Custom SITs for portfolio identifiers support the SIT-based prompt blocking policy; label-based DLP prevents Copilot from summarizing labeled client files for unauthorized users.
- Banking (Commercial/Retail): Loan application data (SSN, income, credit scores) processed through Copilot must trigger DLP policies. The SIT-based prompt blocking type prevents bank employees from pasting SSNs or account numbers into Copilot queries; label-based blocking prevents Copilot from surfacing loan files labeled Highly Confidential.
- Insurance Carriers: Protected health information (PHI) that intersects with insurance claims processing requires DLP rules aligned with both GLBA and HIPAA where applicable.
- Examination Readiness: During FINRA or SEC examinations, regulators may ask to see DLP policy configuration and match statistics for AI-assisted tools. Maintain documented evidence of both policy types — their deployment dates, configuration, and match histories demonstrate proactive risk management across both the prompt and response enforcement points.
- DSPM for AI Reports: Use DSPM for AI dashboards to generate examination-ready reports showing how sensitive data is governed across Copilot interactions. These reports can demonstrate proactive risk management to examiners.
- Cross-Workload Considerations: Microsoft 365 Copilot Chat searches across all workloads. A single Copilot Chat prompt may retrieve content from SharePoint, OneDrive, Exchange, and Teams simultaneously — label-based DLP policies must account for this cross-workload grounding behavior.
Verification Criteria
- Two DLP Policy Types Deployed: Confirm at least one label-based response blocking policy and one SIT-based prompt blocking policy exist with the Microsoft 365 Copilot location enabled — verify in Microsoft Purview > DLP > Policies
- Default Policy Status: Locate the Microsoft-deployed default DLP policy in simulation mode; review match statistics; document whether enforcement has been enabled
- SIT Coverage: Verify that FSI-relevant SITs (SSN, ABA routing, account numbers, credit card numbers) are included in the SIT-based prompt blocking policy
- Label-Based Blocking: Upload a test document labeled "Highly Confidential" to SharePoint, then attempt to reference it via Copilot — confirm Copilot is blocked from processing
- SIT Prompt Blocking: Submit a test prompt containing a test SSN pattern (000-00-0000) directly to Copilot — confirm the SIT-based policy triggers (audit event or block) based on governance level
- Edge DLP Coverage: Verify that DLP policies extend to Copilot interactions accessed via Microsoft Edge browser
- Alert Routing: Verify that DLP match alerts for Copilot interactions are routed to the designated compliance team mailbox or SIEM
- Audit Log Entries: Confirm DLP match events appear in the Unified Audit Log with the "DlpRuleMatch" operation and Copilot workload identifier
- DSPM Dashboard: Verify that DSPM for AI shows Copilot DLP policy match data for both policy types and that dashboards are accessible to compliance reviewers
- Policy Tip Display: Confirm that users see policy tips when medium-confidence SIT matches occur during Copilot interactions
- Custom SIT Accuracy: Validate that custom FSI SITs (CUSIP, ISIN, CRD) correctly match intended patterns and do not produce excessive false positives (target <5% false positive rate)
- Periodic Review Evidence: Confirm that DLP policy review cadence is documented (quarterly at minimum) and that review records are retained
Additional Resources
- Microsoft Purview DLP for Microsoft 365 Copilot
- Create Custom Sensitive Information Types
- DSPM for AI Overview
- DLP Policy Tips Reference
- GLBA Safeguards Rule — FTC
- Related Controls: 2.2 Sensitivity Labels, 2.4 Information Barriers, 2.10 Insider Risk Detection, 3.10 SEC Reg S-P Privacy, 3.4 Communication Compliance
- Playbooks: DLP for Copilot Configuration Playbook, Custom SIT Creation Playbook, DSPM for AI Dashboard Playbook