These days, you can’t escape AI. While AI offers many opportunities for businesses, it also raises plenty of questions. For instance, how can you manage the usage of ChatGPT, Copilot or Gemini by employees? And how do you ensure that company data isn’t being unintentionally shared with certain AI models, especially with the rapid growth of available AI language models? Data Security Posture Management can help you with this, and not only for Copilot.
As an organization, your data is stored in various locations—such as OneDrive, Teams, and SharePoint—but potentially also in places you aren’t even aware of. How do you handle employees using files and data in tools like ChatGPT or Microsoft Copilot? During Ignite 2024 I was excited to see how Microsoft Purview could help answer these questions. Since then, I’ve tested it myself. Spoiler: you can get started with it very quickly.
Data Security Posture Management (DSPM) gives organizations visibility into how employees handle (sensitive) data and provides the tools to take action. For example, if you use data classification for your files, DSPM allows you to see in one overview where sensitive data is being used, helping you prevent it from being unexpectedly shared with AI tools.
The best part? DSPM works for monitoring your data’s use with third-party AI tools - not just in Microsoft Copilot - but also in tools like ChatGPT and Google Gemini!
Data Security Posture Management can track how employees interact with AI within your organization. It provides insights into whether sensitive data is uploaded or pasted into AI prompts and whether confidential company information is shared with tools like Copilot and other AI apps. With this information, you can take appropriate action to protect your data.
The good news is that DSPM can be implemented quite easily, even if you’re not currently using Microsoft Purview. Purview comes with built-in sensitivity labels that automatically detect sensitive data in your Microsoft 365 environment, such as social security numbers, credit card details, or other Personally Identifiable Information (PII). Even if you haven’t created custom classifications, Purview can already provide basic insights into your data’s use in AI models.
Once DSPM is activated (details on how to do this are shared later), it takes some time for reports to reflect actual usage. When the data starts coming in, you’ll see a clear overview of AI usage within your organization. For example, you can monitor which AI applications employees are using and how often.
You’ll also gain visibility into data usage within SharePoint and the sensitivity of that data. The example below shows labeled and unlabeled information on a SharePoint site, highlighting which files contain sensitive information with Data Assessments.
Additional features become available over time, such as weekly reports on AI usage by employees and the ability to take action on potential risks.
Getting started with DSPM in Microsoft Purview is straightforward. Here’s what you need to do:
Auditing is enabled by default for new Microsoft tenants. However, if you’ve disabled it or your tenant hasn’t activated this feature yet, you can enable it as follows:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
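The check-then-enable sequence around that command, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account is permitted to change the audit configuration; `admin@contoso.example` is a placeholder.

```powershell
# Added example, not from the original article.
# Assumptions: ExchangeOnlineManagement module is installed; the account may
# change audit configuration; admin@contoso.example is a placeholder UPN.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

try {
    # Read the current state from Exchange Online PowerShell. The same cmdlet
    # run in Security & Compliance PowerShell always reports False for this
    # property, so a check there is not a reliable signal.
    $before = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    if ($before) {
        Write-Output 'Unified audit log ingestion is already enabled. No change made.'
    }
    else {
        # Same command as in the article, only run when it is actually needed.
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

        # Re-read the setting so the change is recorded in the session output.
        $after = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
        Write-Output "UnifiedAuditLogIngestionEnabled: before=$before after=$after"
        Write-Output 'Allow up to 60 minutes for the change to take effect.'
    }
}
finally {
    # Always close the session, also when one of the cmdlets above fails.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Activity that took place while auditing was disabled is not in the audit log, so DSPM reporting only covers usage from the moment ingestion is on.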
For Microsoft Copilot, each employee needs a specific Copilot license assigned to use it inside your organization. However, because Copilot is billed per user, and employees may also be using third-party AI tools (e.g., ChatGPT or Google Gemini), additional setup is required. To gain visibility into these third-party tools, you need to install the Purview Browser Extension and onboard devices into Purview.
Edge users: The Purview Browser Extension is already built into Microsoft Edge and will be activated with the DLP policies in your organization.
Browsers like Chrome or Firefox: You need to deploy the Purview Browser Extensions, as these are not managed browsers. You can deploy them with, for example, Intune.
If your devices are not yet managed, they must first be onboarded. Onboarding allows Purview to monitor and detect when sensitive data is shared or used. Since this article focuses on DSPM for AI, onboarding is essential to track user activities in third-party AI applications.
Device onboarding can be managed using tools like Microsoft Intune. You can find an overview of onboarding options here: Onboard Windows devices into Microsoft 365 overview | Microsoft Learn.
Once auditing, the browser extension, and Endpoint DLP are enabled, you can start creating policies to monitor and manage AI usage in your organization. For example:
Microsoft offers several pre-defined policies in the Recommendations tab of Purview. These include policies that can be implemented directly in your tenant, as well as additional assessments and insights into how AI is being used within your organization:
For me, it took about one day before data actually started appearing in Purview.
I’m genuinely excited about the enhanced capabilities of Microsoft Purview regarding AI! As AI becomes increasingly standard in our daily lives, it’s crucial to think about how employees interact with company data in this evolving landscape. AI can’t be ignored, and banning it from your organization isn’t an option. DSPM for AI provides the extra layer of control organizations need to protect their data.
What do you think? Are you as excited as I am?
If you want more information about Microsoft Data Security Posture Management and how to get started with it, refer to the following documentation:
Hi, I'm Ziggy Itjoejaree. I work as a Modern Workplace Engineer and have a big interest in Microsoft Purview, Data, AI and compliancy. In my daily job, I am mostly helping customers transform and migrate to a Cloud work environment.
Nice article! Can we start with DSPM without having labeling turned on in our organization?
Hi Ree,
You can use DSPM without labeling, as you can also use the built-in sensitive info types in Purview. However, to get all of the benefits with DLP or Insider Risk Management, scoped labeling and classification in your tenant would be my advice. But you can use DSPM right away and later dive into the use of labeling.
Thanks. And can I also use it without E5?
Hi Ree,
No. DSPM is part of E5 for Compliancy. However, you can start a free trial if you haven't had one before.