Purview can block sensitive data in AI prompts: turn it on before Copilot rollout

🚨 The Signal: Microsoft Purview can block sensitive data -- including credit card numbers and personal data -- from being pasted into Microsoft 365 Copilot and third-party AI apps. Endpoint DLP enforces this at the browser. Without it, staff can leak regulated data into AI prompts in seconds.

The Impact

Generative AI amplifies oversharing; Purview controls let you warn on or block sensitive data entering prompts, and show where it is already happening.

  • Purview / compliance admins: configure DLP for AI before broad Copilot rollout.
  • End users: pasting regulated data into AI tools can be warned or hard-blocked.
  • Data owners: oversharing risk is amplified because AI can surface labelled content to anyone who can already access it.
  • Risk: PII and financial data leaking into third-party LLMs (ChatGPT, Gemini, DeepSeek).

The Action

  1. In the Microsoft Purview portal, open Data Security Posture Management (DSPM) for AI to discover AI usage.
  2. Onboard Windows devices to Purview, then create an Endpoint DLP policy that blocks sensitive info types on generative-AI sites.
  3. Enable sensitivity labels for SharePoint and OneDrive so Copilot honours the EXTRACT usage right.
  4. Switch on the Insider Risk Management Risky AI usage policy template to detect prompt injection and protected-material access.
  5. Enable Audit and Communication Compliance for Copilot prompts and responses.

Domain: Purview · Impact: high · Workload: Microsoft Purview