Forum Discussion
I just want to secure AI. DLP vs Info Protection vs DSPM vs Governance vs...
Microsoft Purview can feel complex.
If you are looking at controls to minimise oversharing with Microsoft 365 Copilot and Copilot Chat then it depends on what licensing you have. Note that this applies to the enterprise versions, not the consumer Copilot.
The options are:
Available for all licences:
- Block content with sensitive data being shared with Copilot. Sensitive data is either the out-of-the-box Sensitive Information Types Microsoft has defined, such as IT credentials, credit card data, etc., or your own custom SIT.
If you have E5 compliance or the Purview add-on for Business Premium, then you get additional functionality:
- Block content labelled with Purview sensitivity labels being uploaded or referenced by Copilot
- Block sensitive content based on SITs or labelled content being shared with third-party or consumer Gen AI apps in the browser
I have just written a blog on How to Deploy Microsoft Purview DLP for Copilot and Generative AI: Deploy Microsoft Purview DLP for Copilot Security
Microsoft references
Learn about the default DLP policy for Microsoft 365 Copilot location | Microsoft Learn (available with all licences)
https://learn.microsoft.com/en-us/purview/dlp-microsoft365-copilot-location-learn-about
Reach out if you need more information
nikkichapple looking through a slideshow you made available on this subject. In one of the early slides, you recommend DSPM as a 'one-click' setup for default AI data protection. Do you still recommend this? Does this implement DLP / sensitivity policies?
- cder, Jun 02, 2026, MCT
Microsoft Purview is a comprehensive set of solutions that helps organizations govern, protect, and manage data wherever it lives. It includes more than a dozen capabilities organized around data security, data governance, and data compliance.
It can definitely be frustrating when getting started, especially if you try to follow the documentation directly from the portal. A good approach is to clearly identify the risks you want to mitigate, then map those risks to the appropriate Purview solutions.
Since your goal is to secure Copilot, I would suggest starting with DSPM as an entry point, then following the recommendations listed in the objectives page. This should also help guide your roadmap.
In addition to what nikkichapple already shared, I would recommend reviewing:
- The Oversharing Blueprint, which outlines the essential steps for establishing a secure and governed foundation for Copilot by remediating oversharing, implementing reliable guardrails, and supporting AI-related regulatory obligations. https://learn.microsoft.com/en-us/microsoft-365/copilot/secure-govern-copilot-foundational-deployment-guidance
- This Microsoft Purview blog on addressing oversharing risk: https://techcommunity.microsoft.com/blog/microsoft-purview-blog/from-oversharing-to-enforcement-a-practical-guide-to-ai-data-security-with-micro/4513727
- The official Microsoft Purview documentation: https://learn.microsoft.com/en-us/purview/purview