Risk and Compliance topics

Organisational vs model-level AI governance — where's the real gap?

MarcusHall — Sat, 28 Mar 2026 18:14:11 GMT

Most AI governance conversations I'm seeing focus on model-level controls, like bias testing and prompt

injection defence. These matter enormously for individual AI systems.

But I'd argue the bigger gap is one level up: the organisational governance layer. Having the policies,

accountability structures, risk frameworks, and oversight mechanisms to govern AI use at enterprise scale. Who is accountable for

AI-related decisions? Where is sensitive data being processed? What AI tools are actually being used across the business?

Forrester research indicates 60% of organisations still lack a formal AI governance framework. Meanwhile, the EU AI Act reaches

full compliance obligations in August 2026, and ISO/IEC 42001 is gaining traction as the certifiable benchmark for AI management

systems.

Microsoft is building strong technical solutions for the model-level challenge, Purview for data governance, Entra Agent ID, Defender for threat protection, Compliance Manager for regulatory mapping. But in my experience, organisations that jump straight to configuring technical controls without first understanding their organisational maturity end up with tools deployed but governance gaps unchanged.

Are we solving the right problem first?

Inbound Screening & PCI-DSS

scarbini — Mon, 22 Sep 2025 10:27:38 GMT

PCI-DSS frowns on having credit card numbers and related information in systems not otherwise in scope. Yet we sometimes have law enforcement asking for us for researching by these very terms; they send these sometimes via E-mail. I wonder therefore whether Exchange can screen using DLP policies, with the intent of adding controls, such as masking or adding "no forwarding, no printing," and so on. Possible? Advisable?

STALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information

sergioandreslq — Fri, 19 Sep 2025 16:03:45 GMT

Hello team,

In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc.
the users reject to delete those emails as they may needs for reference.
i.e.:
Use case: HR needs to keep sensitive email as reference if end-user update life insurance beneficiaries, this email must be kept as evidence of the user's request update. this kind of emails can't be removed.

However, this emails without protection in the user's mailbox is only meat for the attackers.

unfortunately, we can`t protect existing emails with auto-labeling.

So, what is the best practice to take backup emails, secure the emails and remove those from un-secure storage like user`s mailbox.

This case apply almost 100% to any organization, this is a problem for everyone.

------------------------------------------------------------------------------------------------------------------------------------------
My approach:
eDiscovery download all sensitive emails discovered.
Apply label using AIP UL client to the download *.msg which put the files *.pfile

Create folder in HR user's OneDrive which the email will be removed.
If the user needs to search for any email's metadata, he can search directly, or if they need to search using email's content, he manually should remove sensitivity label to all items inside the folder.

After the search content in *.msg, the user should apply protection again.

Fallback: If the user forget protect the sensitive emails, the idea is to run schedule script to check for *msg, if found, it will apply label using PS.

I want to check any other approach best practice is recommended?

Backup & Setup

Global Admin (GA) prepares local backup: export saved as native *.msg files.

Create & Secure the Evidence Folder

GA connects to user’s OneDrive.
GA creates folder: ArchivedSensitiveEmails.
GA applies retention label (Record) to folder → prevents rename/move
GA breaks inheritance → only the OneDrive owner (Edit)

Upload & Protect

GA uploads the backup emails (*.msg) into the new folder.
GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward.
Now all items are protected as *.msg.pfile.

User Workflow (On-Demand Search)

User may remove protection on a file/folder to perform keyword search on native .msg.
User is required to reapply protection after finishing the search (via Purview client).

Automatic Weekly Enforcement

Scheduled PowerShell job runs weekly across all OneDrives.
Script scans ArchivedSensitiveEmails folder for unprotected .msg.
If found → automatically applies encryption using the GA’s published sensitivity label.
Access rights: only the OneDrive owner (Viewer) — optional HR group can also be added.
Script deletes original .msg after creating .msg.pfile to enforce security.
CSV log maintained for audit of actions (protected, skipped, errors).

------------------------------------------------------------------------------------------------------------------------------------------
So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?

Deep Dive: Insider Risk Management in Microsoft Purview

Perparim_Abdullahu — Tue, 26 Aug 2025 02:12:45 GMT

Hi everyone

I recently explored the Insider Risk Management (IRM) workflow in Microsoft Purview and how it connects across governance, compliance, and security. This end-to-end process helps organizations detect risky activities, triage alerts, investigate incidents, and take corrective action.

Key Phases in the IRM Workflow:

Policy: Define rules to detect both accidental (data spillage) and malicious risks (IP theft, fraud, insider trading).
Alerts: Generate alerts when policies are violated.
Triage: Prioritize and classify alerts by severity.
Investigate: Use dashboards, Content Explorer, and Activity Explorer to dig into context.
Action: Take remediation steps such as user training, legal escalation, or SIEM integration.

Key takeaways from my lab:

Transparency is essential (balancing privacy vs. protection).
Integration across Microsoft 365 apps makes IRM policies actionable.
Defender + Purview together unify detection + governance for insider risk.

This was part of my ongoing security lab series.
Curious to hear from the community — how are you applying Insider Risk Management in your environments or labs?

eDiscovery is NOT working correctly with KeyQL Sensitive Type

sergioandreslq — Fri, 06 Jun 2025 18:51:47 GMT

Hello team,

I am running in eDiscovery using KeyQL or Query builder data at REST in EXO (Stale emails) that contain sensitive Info like: Canada Social Insurance number.

The query run correctly, however, the output statistics pull out other type of sensitive Info, this means that the eDiscovery is not discovering what is was requested in the KeyQL query.

Canada Social Insurance Number a2f29c85-ecb8-4514-a610-364790c0773e

KeyQL Query: (SensitiveType:a2f29c85-ecb8-4514-a610-364790c0773e|1..|85..100) AND Date>2025-01-01

Please see the output of the Query:

In addition with this problem, Why we can't delete the stale emails using as condition the "Sensitive info", so, If I need to delete the emails before 2020 with "Canada Social Insurance number", how can I do it?
It will be almost impossible if the cybersecurity team needs to do with the end-user email by email?

Best regards,

Microsoft Risky Business or Community?

ALeCroy0720 — Sun, 11 May 2025 21:53:55 GMT

Verifying every access measure....

Zero Trust Architecture

Identity & Access Management - How does Zero Trust enhance identity protection through tools like Microsoft Entra ID (formerly Azure AD)?

Threat Detection & Response - How does Zero Trust integrate with Microsoft Defender and Sentinel to provide real-time threat detection and response?

This is to implement every access measure that I have permission to provide.

Insights

MarcP61 — Wed, 12 Mar 2025 13:41:25 GMT

"Hey everyone, I’d love to get your insights on managing risks and compliance effectively. What do you see as the key steps in ensuring a strong risk management and compliance framework? How do you approach identifying, assessing, and mitigating risks in your areas?"