Forum Widgets
Latest Discussions
Collection Policies for AI Prompts
Hello, my goal is to exclude AI prompts from being logged into Purview and Activity Explorer, or to at least not be shown in Activity Explorer. Specifically, I need Purview to only log (or show in Activity Explorer) prompts and responses involving few Sensitive Info Types (let's say Credit Card Numbers) only. I read that collection policies should achieve this: https://learn.microsoft.com/en-us/purview/collection-policies-solution-overview "Collection policies are an event collection and filtering tool in Microsoft Purview that enables monitoring and classification of events from apps and locations that lay both inside of and beyond your organizations trust boundaries. They let you filter which events from both untrusted and trusted sources are ingested into Purview. Once ingested, that data can be classified and used by various Microsoft Purview signal consuming solutions, such as Microsoft Purview Activity explorer, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, Microsoft Purview Data Lifecycle Management. Collection policies can help you achieve these data security outcomes: Only ingest the events that you want" This sounds great, but the problem I have is actually implementing it. I need all AI apps (starting with Copilot and 365 Copilot) to not log basic prompts without key Sensitive Info Types, but it simply does not work. For testing, my current policy is this: Scope is to 3 classifiers (All Physical Addresses, Country1 Physical Address, Country2 Physical Address) Activities to detect: Text sent to or shared with cloud or AI app; Text received from cloud or AI app Data Sources: Unmanaged cloud apps: Microsoft Copilot; Microsoft Copilot for Microsoft 365 | All unmanaged AI apps Decide whether to capture content from AI interactions: Don't capture content (Capture Content is grayed out unless I select all sensitive info types) Choose how to detect unmanaged cloud apps: Browser and Network Now I would assume with this Collection Policy it would not capture prompts with the specified sensitive info types, but they are captured (AI Interaction activity), just not detected (no SIT attached/no additional Sensitive Info Types activity). Additionally, for testing, I have a Collection Policy with scope set to all Classifiers as I assume this would only ingest prompts with Sensitive information types in them, but this was not the case. Some clarification how this works and how to achieve what I explained previously would be welcome.