Configure DSPM for AI
Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations secure AI interactions, track AI-generated content, and enforce compliance policies. To use DSPM for AI effectively, organizations need to configure key settings, enable monitoring, and apply security controls.
Prerequisites
Before configuring DSPM for AI, check that your environment meets these requirements:
- Check permissions: Your account needs appropriate permissions in Microsoft Entra or Microsoft Purview, such as Compliance Administrator or a related role with compliance management permissions.
- Verify Microsoft Purview Audit is enabled: Auditing is on by default for new tenants, but it's a good idea to verify.
- Assign Copilot Licenses: Users should be assigned Microsoft 365 Copilot licenses for activity tracking.
- Onboard Devices to Microsoft Purview: Devices need to be onboarded to Microsoft Purview to track AI interactions.
- Install the Microsoft Purview Browser Extension: The Microsoft Purview browser extension is required to monitor non-Microsoft AI site visits.
Steps to configure DSPM for AI
After completing the prerequisites, configure DSPM for AI in Microsoft Purview. This process includes enabling built-in policies, running data assessments, and verifying that AI-related security controls are in place.
Step 1: Set up DSPM for AI
1. Sign in to the Microsoft Purview portal.
2. Navigate to Solutions > DSPM for AI.
3. From the Overview page, go to Get started to complete the required setup tasks.
4. Verify that Microsoft Purview Audit is enabled to track AI interactions.
5. Install the Microsoft Purview browser extension to detect AI-related activity.
6. Onboard devices to Microsoft Purview to monitor AI interactions.
7. Enable Extend your insights for data discovery to create policies that detect risky AI usage, track AI site visits, and identify when users paste sensitive data into AI apps.
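The audit verification in this step can also be done from Exchange Online PowerShell. The script below is an added example, not part of the original guidance: it checks that unified audit log ingestion is on and then confirms that Copilot interaction records are actually arriving. The admin account name and the seven-day lookback are assumptions.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: verify the Microsoft Purview Audit prerequisite and confirm
# that Copilot interactions are reaching the unified audit log.
param(
    [string]$AdminUpn     = 'admin@contoso.example',  # placeholder account (assumption)
    [int]   $LookbackDays = 7                         # assumed review window
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Run this against Exchange Online PowerShell. The same cmdlet in
    # Security & Compliance PowerShell always reports False for this property.
    $auditConfig = Get-AdminAuditLogConfig
    if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is OFF; AI interactions are not being recorded.'
        Write-Warning 'Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
        return
    }
    Write-Output 'Unified audit log ingestion is enabled.'

    # Look for recent Copilot interaction records in the lookback window (UTC).
    $end     = (Get-Date).ToUniversalTime()
    $start   = $end.AddDays(-$LookbackDays)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                   -RecordType CopilotInteraction -ResultSize 100

    if (-not $records) {
        # Empty results usually mean no licensed user has used Copilot yet,
        # or the records have not finished processing.
        Write-Warning "No CopilotInteraction records found in the last $LookbackDays days."
    }
    else {
        # Summarize which users generated records, most active first.
        $records |
            Group-Object -Property UserIds |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Name, Count
    }
}
finally {
    # Always close the session, including on the early return above.
    Disconnect-ExchangeOnline -Confirm:$false
}
```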
Step 2: Review and configure recommendations and policies
Microsoft Purview provides AI security recommendations that help organizations protect sensitive data and monitor AI interactions. These recommendations include preconfigured policies (one-click policies) or suggested actions that require manual review.
How to use recommendations
1. Go to Recommendations in the Microsoft Purview portal.
2. Review the available AI security recommendations and their status.
3. Select a recommendation to:
   - Create a policy: Instantly apply a one-click policy with built-in security settings.
   - View the recommendation: Assess and manually take action based on guidance.
Note
Recommendations that provide one-click policies include a Create policy button, while manual recommendations require reviewing and taking action based on the provided guidance.
Types of AI security recommendations
Recommendations are grouped into categories such as Data Security, Data Discovery, or AI Regulations. When selecting a recommendation, DSPM for AI provides either:
- A preconfigured policy that can be activated immediately (one-click policy)
- Guidance on security measures that require manual implementation
Recommendations in DSPM for AI:
Recommendation | Type | Description |
---|---|---|
Fortify your data security | Data security | Uses Adaptive Protection to apply a block-with-override rule for high-risk users interacting with AI sites. |
Control unethical behavior in AI | Insight into communications | Creates a policy to detect unethical behavior in Microsoft 365 Copilot. Alerts are generated in Communication Compliance. |
Guided assistance to AI regulations | AI regulations | Provides guidance on regulatory compliance for AI interactions. |
Protect sensitive data referenced in Copilot responses | Data security | Runs a data assessment to identify oversharing risks in Copilot interactions. |
Discover and govern interactions with ChatGPT Enterprise AI (Preview) | Data discovery | Requires setting up a connector in Purview to track ChatGPT Enterprise interactions. |
Protect sensitive data referenced in Microsoft 365 Copilot (Preview) | Data security | Creates a data loss prevention policy to prevent Copilot from processing labeled content. |
Protect your data from potential oversharing risks | Data security | Provides insights into oversharing risks based on a weekly scan. |
Use Copilot to improve your data security posture (Preview) | Data security | Uses Security Copilot to investigate alerts and analyze security risks. |
Information Protection Policy for Sensitivity Labels | Data security | Sets up default sensitivity labels to preserve document access rights and protect Copilot output. |
Understand recommendation status
Each recommendation falls into one of three categories:
- Not Started: Recommendations that haven't been acted on.
- Dismissed: Recommendations that were reviewed but not applied.
- Completed: Recommendations that have been fully implemented.
Policy activation timeline
Policies take up to 24 hours to take effect. Once activated, they track AI interactions based on configured rules, with results appearing in DSPM reports and Activity Explorer after data processing. Deleted policies remain visible with a PendingDeletion status until fully removed.
After configuring DSPM for AI, use Microsoft Purview reports and data assessments to evaluate AI interactions and identify potential risks. Reports provide insights into policy enforcement, AI data exposure, and compliance status, while data assessments help detect oversharing risks before they affect security.