purview
78 Topics

Compliance Meets AI: Wrapping Up an Incredible Series and Looking Ahead
Over the past six sessions, the Compliance Meets AI webinar series has taken us on a journey through the evolving landscape of compliance, security, and generative AI. From SharePoint advanced management and data security posture for AI to eDiscovery, auditing, and communication compliance, we’ve explored how Microsoft Purview and Copilot can transform governance strategies.

Today’s final session, Deep Dive: Insider Risk for Copilot, was a powerful close to the series. Led by Kevin Uy and supported by our team, we unpacked how Insider Risk Management (IRM) helps organizations detect and mitigate risky behaviors—intentional or accidental—before they become costly incidents.

Key highlights included:
Risky AI Usage Policies: How to monitor prompts and responses for sensitive data exposure across Copilot and third-party AI tools.
Policy Templates & Indicators: Leveraging built-in templates for data leaks, health record misuse, and AI-specific risks.
Integration with DLP: Understanding how IRM complements real-time blocking by providing investigative context.
Adaptive Protection: Moving from passive monitoring to proactive enforcement by linking IRM insights with DLP policies.

If you missed today's session, no worries: you can watch the recording here: https://aka.ms/Compliance-Meets-Ai-Session-Six

We also shared practical tips on policy configuration, threshold tuning, and privacy controls, plus a sneak peek at forensic evidence and case escalation workflows.

Why This Series Matters
Compliance isn’t just about meeting regulatory requirements—it’s about building trust in an era of AI-driven innovation. This series brought together experts and practitioners to demystify complex topics and provide actionable strategies for safeguarding sensitive data while enabling productivity.

What’s Next?
The conversation doesn’t stop here. We’re thrilled to announce that Compliance Meets AI will return in 2026 with new topics, deeper demos, and fresh insights into governance for emerging technologies. Expect sessions on advanced AI risk scenarios, cross-cloud compliance, and automation strategies that redefine security operations. Stay tuned for registration links early next year—and in the meantime, revisit all six recorded sessions here and follow me on LinkedIn for ongoing updates.

Thank you to everyone who joined us for this series. Your engagement and feedback shape what comes next. Here’s to a future where compliance and AI work hand in hand to empower secure innovation.

🚀 Compliance Meets AI: Communication Compliance for Copilot – What You Missed!
Last Friday’s session was a game-changer for anyone looking to keep AI use safe, ethical, and compliant. We didn’t just talk theory—we showed real-world strategies for monitoring Copilot interactions and protecting sensitive data with Microsoft Purview Communication Compliance.

Missed the session? No worries, we have you covered. You can watch it here: https://aka.ms/Compliance-Meets-Ai-Session-Five

🔥 Top Highlights

The Big Picture
Copilot is transforming productivity—but with great power comes great responsibility. Communication Compliance helps you spot risky prompts, prevent data leaks, and enforce ethical AI use across Copilot, Copilot Chat, Agents and Copilot Studio.

Policy Power Moves
Learn how to build smart policies that detect sensitive info like MRNs, credit card numbers, or custom keywords. We explored trainable classifiers for prompt injection attacks and inappropriate content—plus tips for scoping policies to specific teams or roles.

From Alerts to Action
Tag it. Resolve it. Escalate it. Even kick off Power Automate workflows for instant notifications. We showed how to turn alerts into actionable compliance steps that keep your organization secure.

Insights That Matter
Dive into dashboards that reveal top triggered policies, sensitive data trends, and user activity—so you can make informed decisions and strengthen governance.

✅ Next Up: Insider Risk Management for Copilot
📅 Date: 11.7.25
🎤 Host: Kevin Uy
👉 https://aka.ms/ComplianceMeetsAI
Don’t miss this one—we’re taking compliance to the next level!

Compliance Meets AI: Deep Dive into Sensitivity Labels and DLP for Copilot
Last Friday’s session was packed with insights on Data Loss Prevention (DLP) and Sensitivity Labels in Microsoft Purview, and how they integrate with Copilot for M365 to keep your data secure while enabling productivity. If you missed the session, we have you covered: you can watch it here: https://aka.ms/Compliance-Meets-Ai-Session-Three

Key Highlights:
Sensitivity Labels & Copilot: We explored how labels inherit across Copilot-generated content, why label priority matters, and the critical role of extract permissions for Copilot responses.
Endpoint DLP: Ben Perkins walked us through onboarding endpoints, using Purview clients, and applying policies to prevent sensitive data egress to browsers, USB devices, and even generative AI sites.
Policy Design Tips: From inline browser protection to advanced classification scanning, we covered best practices for creating robust DLP rules without sacrificing Copilot’s power.
Licensing & Integration: E5 licensing simplifies DLP coverage across Exchange, SharePoint, OneDrive, Teams, and endpoints—plus integration with Microsoft Defender for Cloud Apps for cloud-based controls.
Upcoming Features: Expect expanded support for sensitive information types in Copilot DLP policies soon, and adaptive protection tied to insider risk levels.

Ben’s live demo showcased real-world configurations, including auto-labeling, simulation mode, and advanced rule tuning. The Q&A touched on practical challenges like encrypted PDFs, trainable classifiers, and overlapping policies with MDCA.

What’s Next?
Don’t miss our next session on Retention and Unified Audit Logs—critical for compliance and Copilot investigations. We’ll also dive into eDiscovery strategies.
📅 Next Session: Friday, October 24
🕛 Time: Noon Eastern
✅ Register here: Compliance Meets Ai: Microsoft Purview in the Age of Ai | Microsoft Community Hub

Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
Optimized deployment leverages advanced compliance and automation capabilities available in Microsoft 365 E5. This episode outlines how E5 customers can proactively secure data and enhance Copilot performance.

Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
In regulated industries, internal oversharing can compromise data integrity and Copilot effectiveness. This episode defines what “Foundational” means for Microsoft 365 E3 customers and outlines actionable steps to mitigate oversharing risks during Copilot deployment.

Microsoft Purview - Compliance Score (Part 1) - Overview
Blog Series
Part 1 - Microsoft Purview - Compliance Score (Part 1) - Overview
Part 2 - Microsoft Purview - Compliance Score (Part 2) - Sample Assessment Scoring
Part 3 - Microsoft Purview - Compliance Score (Part 3) - HITRUST
Part 4 - Microsoft Purview - Compliance Score (Part 4) - HIPAA / HITECH
Part 5 - Microsoft Purview - Compliance Score (Part 5) - GDPR
Part 6 - Microsoft Purview - Compliance Score (Part 6) - CCPA
Part 7 - Microsoft Purview - Compliance Score (Part 7) - Data Protection Baseline
Part 8 - Microsoft Purview - Compliance Score (Part 8) - ARMA GARP
Part 9 - Microsoft Purview - Compliance Score (Part 9) - NIST Privacy Framework
Part 10 - Microsoft Purview - Compliance Score (Part 10) - ISO 15489

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
This blog series is aimed at Security and Compliance officers who need to understand how the Microsoft Purview Compliance Manager assessments can help them meet their regulatory and certification needs.
Document Scope
This document will be covering:
the goal of this blog series
discussing Compliance Manager assessments at a high level and how to leverage them to meet a business need such as HIPAA, GDPR, CCPA, NIST, etc.

Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
Compliance Manager (configuration)
Data Classification
Information Protection
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Microsoft Cloud App Security (MCAS)
Information Barriers
Communications Compliance
Licensing
For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

We will not be walking through the HITRUST assessment step-by-step. For more information on running an assessment in Compliance Manager, you should reference the corresponding documentation listed in the Appendix and Links section below. You can also find a blog series covering how to do this and how to run other Purview functions at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Overview of Document
We will be walking through:
the goal of this blog series
Compliance Manager and What it does
Compliance Score
Compliance Manager – finding applicable Microsoft Solutions

Use Case
Using Compliance Manager assessments to meet government regulations or industry certifications.

Definitions
Actions – the things that need to be done to mark a Control as completed and
Assessments – these help you implement data protection controls specified by compliance, security, privacy, and data protection standards, regulations, and laws. Assessments include actions that have been taken by Microsoft to protect your data, and they're completed when you take action to implement the controls included in the assessment.
Assessment Templates – these templates track compliance with over 300 industry and government regulations around the world.
Compliance Score – Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. You receive an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.
Controls – the various requirements in your tenant that must be met to meet a part of an assessment
Control Family – a grouping of Controls
Microsoft Actions – These are actions that Microsoft has performed inside of your tenant to help it meet a specific assessment.
Progress – each assessment has a progress chart to help you visualize the progress you are making to meet the requirements of the assessment
Your Improvement Actions – These are actions that you and your organization must perform to meet a specific assessment.
Regulations – the regulations or standards pertaining to the action
(Microsoft) Solutions – the solution where you can go to perform the action
Action Types – indicates whether the improvement action is technical, meaning it can be implemented within a solution or product, or non-technical, which would be implemented outside of a technical solution
Group – the group to which you assigned the action
Categories – the related data protection category (such as, protect information, manage devices, etc.)
Notes
None

Pre-requisites
You should have a basic understanding of Compliance Manager and how it works. You can find this information in the blog named “Paint By Numbers” and the official Microsoft documentation found at docs.microsoft.com. You can find links to these in the section below labeled Appendix and Links.

Overview of this blog series
This blog will review specific Microsoft Compliance Manager Assessments and how they relate to Microsoft Purview solutions. Here is a list of the specific assessments:
HITRUST for Microsoft 365
HIPAA/HITECH for Microsoft 365
GDPR for Microsoft 365
California Consumer Privacy Act (CCPA) for Microsoft 365
Data Protection Baseline for Microsoft 365
This is not meant to be an exhaustive list as there are 700+ assessments in Compliance Manager as of the writing of this blog.

Overview of Compliance Manager and What it does
Here is the official answer as listed in docs.microsoft.com:
“Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal that helps you manage your organization’s compliance requirements with greater ease and convenience. Compliance Manager can help you throughout your compliance journey, from taking inventory of your data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.”

Compliance Manager – What does it scan and track?
Each assessment in Microsoft Purview Compliance Manager tracks all the regulatory/certification requirements relative to your Microsoft 365/Office 365 environment. Here is a visualization on how this scanning and tracking works.

Compliance Score
Here is the official definition as found in docs.microsoft.com. The URL can be found in the Appendix and Links section below.
“Compliance Manager awards you points for completing improvement actions taken to comply with a regulation, standard, or policy, and combines those points into an overall compliance score. Each action has a different impact on your score depending on the potential risks involved. Your compliance score can help prioritize which action to focus on to improve your overall compliance posture. Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.”

Compliance Manager – Finding Applicable Microsoft Solutions
Built into Compliance Manager is a way to review which Microsoft Solutions will be applicable to each certification/regulation along with the Compliance Score that each of these solutions will bring to your organization.

Go to Compliance Manager -> Solutions
Here you will see all the Microsoft solutions that are applicable to the assessments you have run.
On the right-hand side, click Filters
You can filter these solutions based on various criteria:
Regulations – the regulations or standards pertaining to the action
(Microsoft) Solutions – the solution where you can go to perform the action
Action Types – indicates whether the improvement action is technical, meaning it can be implemented within a solution or product, or non-technical, which would be implemented outside of a technical solution
Group – the group to which you assigned the action
Categories – the related data protection category (such as, protect information, manage devices, etc.)

You can filter on any of these criteria, but we will choose Regulation -> Data Protection Baseline for the purposes of this blog. This will narrow ALL Microsoft Solutions down to just the ones relevant to a particular Assessment/Regulation/Certification.

You can narrow this further by Categories. Here I will select the categories relevant to Purview/Compliance workloads: Discover and Respond, Govern information, Manage compliance, Privacy Management, and Protect information.
For now, we will not run any other filters inside the Compliance Manager -> Solutions section.

Returning to the Solutions page, we will now look at the two columns relevant to your Compliance Score: Current score contribution and Potential score remaining. These will allow you to know which Microsoft Solutions will provide the most value to meeting your regulation/certification needs.

We are now done with looking at the Compliance Manager – Solutions page.

Microsoft Managed Scoring
Compliance Manager keeps track of both 1) the organization's responsibilities (i.e. your organization) and 2) Microsoft’s responsibilities, as they pertain to each assessment, and then maps a score to those responsibilities.

Here is an example of where you would find both of these scores in a Compliance Manager assessment that I have already run. I have gone to Compliance Manager -> Assessment -> HITRUST. Then go to the Progress tab on the right side to find the Your points achieved score and the Microsoft managed points achieved score.

Thank Yous
Before finishing this overview, I want to thank the members of the Microsoft Health Life Sciences Purview Technical Specialist (HLS Purview TS) team for their assistance in creating, researching and developing this blog series. This includes, but is not limited to: Erfan Setork, Ken Sicinski, and Chad Lightfoot.
Appendix and Links
Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Build and manage assessments in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
About the Microsoft Purview Compliance Manager premium assessment trial - Microsoft Purview (compliance) | Microsoft Docs
Microsoft Purview Compliance Manager alerts and alert policies - Microsoft Purview (compliance) | Microsoft Docs
Get started with Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Docs
Compliance score calculation - Microsoft Purview (compliance) | Microsoft Learn
Working with improvement actions in Microsoft Purview Compliance Manager - Microsoft Purview (compliance) | Microsoft Learn
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.