Microsoft Security Community Blog

Introducing a faster, more intelligent, end-to-end insider risk investigation experience

MSlotwinski, Microsoft
Feb 26, 2026

Modern insider risk investigations succeed or fail based on how quickly teams can move from signal to clarity. That’s why the latest Microsoft Purview Insider Risk Management (IRM) investigation enhancements are designed as a progressive three-step acceleration model: AI‑driven prioritization first, followed by faster validation and easier escalation.

Step 1: Accelerate triage with the newly enhanced Data Security Triage Agent

The first and most impactful speed improvement happens before analysts even begin reviewing individual activities.

The newly enhanced Data Security Triage Agent acts as the front door to investigations, helping teams immediately understand who and what matters most. Instead of manually reviewing raw alerts, the Data Security Triage Agent provides analysts with:

  • Prioritized alerts based on meaningful user and activity risk
  • Behavioral risk patterns that summarize activity into clear investigative themes
  • Critical user context, such as role, employment status (including last working date), and prior alert history, surfaced upfront to inform urgency and scope

To make these insights even more actionable, we’re now adding an advanced AI reasoning layer that enables deeper, multi-step analysis across these data signals. This new reasoning layer analyzes the massive quantity of logs received each day to better identify risk patterns within IRM alerts. This further improves analysts’ ability to focus attention where risk is most likely, rather than spending time assembling context across multiple views.

Launch details:

  • Public Preview: March 2026
  • Roadmap ID: 557683

Figure 1: Microsoft Purview Insider Risk Management Alerts page showing a prioritized list of insider risk alerts. The view highlights AI‑generated risk summaries, behavioral patterns, and user context such as role, employment status, and prior alerts to help analysts focus on high‑risk activity.

Don't have the Data Security Triage Agent deployed yet?

Navigate to Purview's Agent tab and turn on the Data Security Triage Agent in Insider Risk Management. Analysts and investigators can also access the Data Security Triage Agent from the Triage Agent toggle in the Alerts tab of Insider Risk Management. To help teams get started more quickly, Security Copilot is being made available to all Microsoft 365 E5 customers. Rollout has already begun and will continue over the coming months for all Microsoft 365 E5 customers; customers will receive advance notice before activation.

Step 2: Validate risk instantly with content preview in Activity Explorer

Once activity is identified, the next question is immediate and practical: “Is this activity actually risky for our business?”

With content preview in Activity Explorer, investigators can validate risk the moment suspicious activity appears, without creating a case or waiting for content to be downloaded. Supported file and message content can be previewed inline, allowing analysts to:

  • Confirm whether sensitive data is present
  • Identify false positives early
  • Decide whether escalation is warranted

This turns Activity Explorer into a true triage surface, enabling fast, informed decisions before committing to a full investigation workflow.

Launch details:

  • Public preview: April 2026
  • Roadmap ID: 557189

Figure 2: Activity Explorer displaying a table of file activities with inline content preview. A document preview pane shows file contents and metadata, allowing investigators to quickly assess whether accessed content contains sensitive business information.

Step 3: Escalate immediately by creating cases without content download

When risk is confirmed, speed matters.

With the ability to create cases without content download enabled, teams no longer have to wait for content collection before taking action. Analysts can immediately:

  • Create and escalate a case
  • Assign ownership and measure progress
  • Begin coordination with investigators, legal, or HR

Content download can be enabled later while the case remains active, allowing teams to maintain momentum while deciding whether deeper evidence review is required. This also enables scale: up to 2,000 active cases are supported, while content access is prioritized for the subset of investigations that truly need it.

Launch details:

  • Public preview: March 2026
  • Roadmap ID: 554940

Figure 3: Microsoft Purview Insider Risk Management dashboard showing alerts for a single user with options to create and manage investigation cases. The interface illustrates case creation and escalation without requiring content download.

The enhanced Insider Risk Management investigation experience isn’t about doing more—it’s about moving faster with confidence.

By combining AI‑driven prioritization, early risk validation, and easier escalations with these new enhancements, teams can move from signal to action without losing momentum.

Privacy Statement:

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Updated Feb 25, 2026
Version 1.0