How to discover and protect activity in Copilot and other generative AI apps in Microsoft Purview

Microsoft MVP Jasper Oosterveld on getting started with Microsoft Purview Data Security Posture Management (DSPM) for AI.

If you’ve been keeping up, you know I’m all about sharing straight-up insights that fortify your Microsoft 365 environment. 

I’ve put that same straightforward approach to a variety of articles covering Microsoft Purview’s features and how IT folks can use them to support security, governance, and compliance efforts.  

Now, with generative AI and Copilot for Microsoft 365 ushering in a new era of interactions, concerns about data protection are understandably on the rise. Some organizations are pausing or even putting the brakes on AI because they’re worried about not having enough visibility and control over their data.  

Let’s move on to the latest installment.

What is Data Security Posture Management for AI?

DSPM for AI in the Microsoft Purview portal acts as a control center where you can secure data for AI applications and keep an eye on how AI is being used. It supports apps like Microsoft Copilot for Microsoft 365 and AI tools from other providers.  

The DSPM for AI Hub integrates with various Purview features, including: 

• Sensitivity labels and content encrypted by Microsoft Purview Information Protection

• Data classification

• Customer Key

• Communication compliance

• Auditing

• Content search

• eDiscovery

• Retention and deletion

• Customer Lockbox

The hub offers the following capabilities to help organizations adopt AI securely: 

• Insights and analytics to track AI activity  

• Ready-to-use policies to protect data and prevent data loss in AI prompts

• Compliance controls to apply the best practices for handling data and storing policies

For supported generative AI sites like ChatGPT, check out Microsoft’s list of supported AI sites by Microsoft Purview Data Security Posture Management for AI.

How to get started with Microsoft Purview Data Security Posture Management for AI  

Depending on the portal you’re using, navigate to the following locations to start using the DSPM for AI hub: 

• Sign in to the Microsoft Purview portal or the Microsoft Purview compliance portal

• Select DSPM for AI hub (preview)

• Click on the Analytics tab

Our next stop is the Get started menu:

Before diving into the DSPM for AI hub, I recommend following each of those actions (Activate Microsoft Purview Audit, Install Microsoft Purview browser extension, and so on). Select each one to get more information and take action according to your AI security requirements. For example, selecting Extend your insights for data discovery will allow you to create policies:

When you click on the Create policies button, Microsoft automatically creates connected Copilot policies for you so you can get up and running quickly.  

By the way, you can also find those policies in related Microsoft Purview services. For example, Microsoft Purview Data Loss Prevention receives a policy from the “Get started” menu:

Of course, this only works when you have the correct Microsoft Purview licenses.  

Once you’re done in the “Get started” menu, it’s time to let the DSPM for AI hub analyze your Microsoft 365 environment for at least 24 hours.  

Analyze AI data

The main menu of the Microsoft Purview DSPM for AI hub gives you insights, such as AI interactions involving sensitive information:

To monitor the interactions with other generative AI apps, you need to onboard your organizational devices.  

View your policies

Microsoft Purview policies related to monitoring Copilot for Microsoft 365 and third-party generative AI apps are displayed in the policy section:

You can quickly change any policy by clicking on the title and the “Edit policy in solution” button:

Monitor AI activities

The activity explorer has been around the Microsoft Purview block for years. The DSPM for AI Hub provides an out-of-the-box integration with AI interactions:

In the activity explorer, you can focus on specific AI interactions that need attention. For example, you can review interactions involving sensitive information types:

Use data risk assessments

With data assessments, you can identify potential oversharing risks in your organization. They also provide fixes to limit access to sensitive data.

Here's what the default and automatic assessment looks like:

Each site provides additional details:

That’s it for now! It’s still in the testing phase so Microsoft may retract or modify certain features. No licenses needed for now, but don’t get too comfy; that’ll change when the preview ends.  

Check out the official Microsoft documentation to learn more about Microsoft Purview DSPM for AI.