Forum Discussion
DSPM for AI - Block sensitive info from AI apps in Edge
This is still very new in Purview, so you are not alone in finding it tricky. The “DSPM for AI – Block sensitive info from AI apps in Edge” rule relies on several moving parts working together:
First, the machine must be onboarded to Purview with the Microsoft Purview extension for Edge installed and active, and the user must be signed in with their Entra ID account. Second, you need a Data Loss Prevention (DLP) policy in Purview that targets explicitly “Microsoft Edge for Business” under the cloud apps selector. Within that DLP policy, you add your sensitive information types or trainable classifiers, set the action to block, and choose the AI app category (this is what covers ChatGPT, Copilot, Gemini, etc., when accessed via Edge). Third, confirm that device compliance telemetry is flowing; in the Purview compliance portal under Activity explorer you should start to see events from Edge once the extension is properly enforced.
When the rule does trigger, the end user experience is similar to other DLP enforcement in Edge. Suppose a user tries to paste or type a credit card number or other sensitive string into the AI app prompt. In that case, Edge intercepts it and shows a toast-style notification that “This content is blocked by your organization’s data loss prevention policy.” The text will not be submitted to the AI service. If you configure user overrides, the user can provide a justification and proceed; otherwise, the prompt is blocked.
If you are not seeing triggers, check three things: that your SIT definitions match the test data (use the “Test” function in the Purview compliance portal to validate), that your policy is scoped to the correct users and to “Microsoft Edge for Business,” and that the devices are running the latest Edge build with the Purview extension visible in the browser. Also note that it can take several hours for a new DLP policy to propagate to endpoints.
So the expected experience is a block notification in the browser itself, not a silent failure of the AI prompt.
Hit like if you found this approach helpful.
Hi Ankit,
Thank you for your response. Devices are onboarded to Purview, browser extension deployed, SITs tested in Purview, and I see the data in Activity explorer, for visiting the Generative AI sites and also when DLP policy gets matched for the Endpoint DLP rules.
For Edge, do you mind clarifying what you mean by "you need a Data Loss Prevention (DLP) policy in Purview that targets explicitly “Microsoft Edge for Business” under the cloud apps selector" in your previous message?
The DLP policy for Edge was created from DSPM for AI recommendations initially, but I tried creating a new one and here is what I see below. Is this what you are referring to? Or where is the selection you are referring to for Edge for Business?
Thanks!