DLP Policy - DSPM Block sensitive info from AI sites
Hey Bosanac89,
Your upload blocking works but paste doesn't, and that points to a specific gap in how you've scoped the rule.
Paste to Browser does not follow the global Service Domain list under Endpoint Settings. Microsoft documents this. It only honors Sensitive Service Domain Groups configured directly on the rule itself, under "Service domain and browser activities" > "Paste to supported browsers." If your AI sites group is only set at the global endpoint settings level and not attached inside the rule at that specific action, your custom rule will never match PasteToBrowser events. That's exactly why you keep seeing the JIT Fallback Allow Rule instead of your configured rule.
Second thing to check: Paste to Browser does not support advanced classification. It evaluates clipboard content locally, not through the cloud classification service. Standard pattern-based SITs like Credit Card and SSN should still detect, but if your rule conditions include trainable classifiers or exact data match alongside the SITs, paste events won't match.
Also try switching the paste action to "Block with override" instead of silent "Block." Multiple community threads confirm the override variant enforces more reliably for clipboard operations because it triggers a user-facing prompt. Silent block for paste has inconsistent enforcement.
One more variable since you're testing on a Parallels VM: if you're copying test data from macOS and pasting into Edge inside the Windows guest, the clipboard handoff between host and guest can bypass the Endpoint DLP interception point. Copy your test SIT payloads from Notepad or Word inside the VM to eliminate that.
Give the policy an hour to sync after changes, then retest. You should see your custom rule name in Activity Explorer instead of the fallback.
Please mark as solution if you find this helpful. It helps others in the community find the solution quickly. 🖖
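An added example, not part of the reply above: a small Python triage of an Activity Explorer export for the retest step, which skips events logged inside the one-hour sync window and reports whether later PasteToBrowser events matched the custom rule or the JIT Fallback Allow Rule. The column names, the rule name "Block AI sites", the domain and the sample rows are constructed assumptions, not a documented export schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

FALLBACK_RULE = "JIT Fallback Allow Rule"   # rule name quoted in the reply
PASTE_ACTIVITY = "PasteToBrowser"           # event name quoted in the reply
SYNC_WINDOW = timedelta(hours=1)            # "give the policy an hour to sync"

# Constructed sample rows. Column names are assumptions, not a documented
# Activity Explorer export schema; rename them to match your own export.
SAMPLE_EXPORT = """Happened,Activity,RuleName,TargetDomain
2024-05-01T09:10:00,PasteToBrowser,JIT Fallback Allow Rule,ai.example
2024-05-01T09:40:00,FileUploadedToCloud,Block AI sites,ai.example
2024-05-01T10:45:00,PasteToBrowser,JIT Fallback Allow Rule,ai.example
2024-05-01T11:05:00,PasteToBrowser,Block AI sites,ai.example
"""

def triage_paste_events(export_text, policy_changed_at, custom_rule):
    """Count paste events by outcome, ignoring those inside the sync window."""
    effective_from = policy_changed_at + SYNC_WINDOW
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Activity"] != PASTE_ACTIVITY:
            continue  # only paste events are in question here
        happened = datetime.fromisoformat(row["Happened"])
        if happened < effective_from:
            counts["ignored_pre_sync"] += 1
        elif row["RuleName"] == custom_rule:
            counts["custom_rule"] += 1
        elif row["RuleName"] == FALLBACK_RULE:
            counts["fallback"] += 1
        else:
            counts["other_rule"] += 1
    return counts

def verdict(counts):
    """Turn the counts into a retest conclusion."""
    if counts["fallback"]:
        return "paste still hits fallback: check the group is attached on the rule's paste action"
    if counts["custom_rule"]:
        return "custom rule is matching paste events"
    return "no post-sync paste events: retest after the sync window"

if __name__ == "__main__":
    changed = datetime(2024, 5, 1, 9, 30)  # constructed policy-change time
    result = triage_paste_events(SAMPLE_EXPORT, changed, "Block AI sites")
    print(dict(result), "->", verdict(result))
```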