Elena Canorea
Communications Lead
Intro
The advent of generative AI has opened up a new paradigm in business. Its numerous use cases, the possibilities for process improvement, and greater productivity or employee empowerment have led many companies to implement this technology, but the vast majority are not doing so properly.
As with any evolving technology, the benefits it brings can be affected by the security loopholes it can open if not implemented safely and consciously. Purview plays a key role in enabling the development and implementation of responsible AI at Copilot. Here’s how.
Purview is an end-to-end data asset intelligence solution that assists in the protection and governance of data. It was created with the goal of providing comprehensive capabilities to help enterprises discover, protect, and manage information wherever it resides.
It offers capabilities to catalog, map, and monitor sensitive data across the organization’s entire data landscape. This gives professionals greater visibility and control to assess and mitigate potential ethical risks of AI when building and launching Copilot-powered applications.
Microsoft Purview enables you to manage and protect your data through benefits such as:
Purview’s data catalog maps where personally identifiable data, financial information, health data, and other sensitive data are located in on-premises, multi-cloud, and SaaS environments. This inventory identifies datasets that could lead to bias, fairness, or confidentiality issues if used to train AI models.
In addition, it applies confidentiality tags to correctly label and categorize the identified confidential data, which helps the proper handling of datasets when developing Copilot applications, as well as ensuring that they are anonymized or synthesized if necessary.
In addition, Purview’s data lineage feature provides visibility of upstream data flows from source to consumption. It shows how different data sources are interconnected and used in an organization. Combined with the catalog, it gives development teams complete visibility of data before launching Copilot-enabled applications.
In fact, in production, Purview’s continuous scanning and monitoring capabilities keep the AI data estate under control. Any new sensitive data that appears is immediately flagged through automated classification and tagging. It also features trainable classifiers, enabling customized identification of sensitive data types beyond the default patterns.
By using sample files to train the model, organization-specific data such as product codes, customer IDs, or unique content can be quickly detected to ensure comprehensive data governance across structured, unstructured, and customized data sources. Scanning can trigger notifications to data owners if unwanted data is detected in training, enabling rapid remediation to maintain AI ethics and compliance.
Access control and data governance become even more critical as Copilot or other AI tools become more widely used. However, with the advent of Purview, the risk can be addressed thanks to:
Microsoft 365 Copilot uses existing controls to ensure that data stored in the tenant is never returned to the user or used by a large language model (LLM) if the user does not have access to that data. If the data has your organization’s confidentiality tags applied to the content, there is an additional layer of protection when:
On the other hand, when Microsoft 365 Copilot is used to create new content based on an item that has a confidentiality tag applied to it, the source file’s confidentiality tag is automatically inherited, with the tag’s protection settings.
If multiple files are used to create new content, the confidentiality tag with the highest priority is used for tag inheritance. As with all automatic tagging scenarios, the user can always override and replace an inherited tag (or remove it, if not using mandatory tagging).
Purview’s compliance capabilities can be used with enterprise data protection to support the risk and compliance requirements of Microsoft 365 Copilot and Microsoft Copilot:
For communications compliance, you can analyze user requests and Copilot responses to detect inappropriate or risky interactions or the sharing of sensitive information.
For auditing, details are captured in the unified audit log when users interact with Copilot. Events include how and when users interact with Copilot, where the Microsoft 365 service occurred, and references to files stored in Microsoft 365 that were accessed during the interaction. If these files have a confidentiality tag applied, this is also captured.
For content search, since the user requests Copilot and Copilot’s responses are stored in a user’s mailbox, they can be searched and retrieved when the user’s mailbox is selected as the source of a search query.
Similarly, for eDiscovery, the same query process is used to select mailboxes and retrieve user requests to Copilot and Copilot responses. Once the collection is created and originated in the eDiscovery (Premium) review phase, this data is available to perform all existing review actions. These collections and review sets can be put on hold or exported.
For retention policies that support automatic retention and deletion, user messages and Copilot responses are identified by location Teams chats and Copilot interactions. Existing retention policies previously configured for Teams chats now automatically include user messages and replies to and from Microsoft 365 Copilot and Microsoft Copilot.
As with all retention and hold policies, if more than one policy for the same location is applied to a user, the retention principles resolve conflicts.
The Microsoft Purview AI Centre is in preview, providing easy-to-use graphical tools and reports to quickly gain insight into AI usage within your organization. One-click policies help you protect data and comply with regulatory requirements.
You can use AI Center in conjunction with other Purview functionality to strengthen data security and compliance for Microsoft 365 Copilot and Microsoft Copilot:
This AI Hub provides a central management location to help you quickly secure AI application data and proactively monitor AI usage. You can learn more in this how-to video.
It also offers a set of capabilities so you can safely adopt AI without having to choose between productivity and protection:
To get started, you can use the Microsoft Purview or compliance portal and have the appropriate permissions for compliance management.
With its end-to-end visibility of sensitive data, automated insights, and policy enforcement, Purview is indispensable for the ethical and secure use of Copilot. With its capabilities to bring together Defender, Sentinel, Intune, and Entra in a single dashboard, it enables professionals to assess AI risks early, design appropriate controls, and maintain responsible oversight after implementation.
Purview will therefore help you ensure that Copilot respects your organizational values, regulations, and ethical AI best practices. This, in turn, will result in increased trust with customers, as well as the transparency and governance of data assets necessary for ethical and compliant innovation.
Plain Concepts’ security team is ready to help you implement Microsoft Purview into your enterprise security strategy, covering information protection, unified data governance, intelligent lifecycle management, internal risk management, auditing, compliance management, and NIS2. Don’t wait any longer contact our experts and transform the way you work securely!
Elena Canorea
Communications Lead
Cookie | Duration | Description |
---|---|---|
__cfduid | 1 year | The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. |
__cfduid | 29 days 23 hours 59 minutes | The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. |
__cfduid | 1 year | The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. |
__cfduid | 29 days 23 hours 59 minutes | The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information. |
_ga | 1 year | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
_ga | 1 year | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
_ga | 1 year | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
_ga | 1 year | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
_gat_UA-326213-2 | 1 year | No description |
_gat_UA-326213-2 | 1 year | No description |
_gat_UA-326213-2 | 1 year | No description |
_gat_UA-326213-2 | 1 year | No description |
_gid | 1 year | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form. |
_gid | 1 year | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form. |
_gid | 1 year | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form. |
_gid | 1 year | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form. |
attributionCookie | session | No description |
cookielawinfo-checkbox-analytics | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category . |
cookielawinfo-checkbox-necessary | 1 year | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-necessary | 1 year | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-non-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary". |
cookielawinfo-checkbox-non-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary". |
cookielawinfo-checkbox-non-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary". |
cookielawinfo-checkbox-non-necessary | 1 year | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary". |
cookielawinfo-checkbox-performance | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance". |
cppro-ft | 1 year | No description |
cppro-ft | 7 years 1 months 12 days 23 hours 59 minutes | No description |
cppro-ft | 7 years 1 months 12 days 23 hours 59 minutes | No description |
cppro-ft | 1 year | No description |
cppro-ft-style | 1 year | No description |
cppro-ft-style | 1 year | No description |
cppro-ft-style | session | No description |
cppro-ft-style | session | No description |
cppro-ft-style-temp | 23 hours 59 minutes | No description |
cppro-ft-style-temp | 23 hours 59 minutes | No description |
cppro-ft-style-temp | 23 hours 59 minutes | No description |
cppro-ft-style-temp | 1 year | No description |
i18n | 10 years | No description available. |
IE-jwt | 62 years 6 months 9 days 9 hours | No description |
IE-LANG_CODE | 62 years 6 months 9 days 9 hours | No description |
IE-set_country | 62 years 6 months 9 days 9 hours | No description |
JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
viewed_cookie_policy | 1 year | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
viewed_cookie_policy | 1 year | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
wmc | 9 years 11 months 30 days 11 hours 59 minutes | No description |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
sp_landing | 1 day | The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content. |
sp_t | 1 year | The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content. |
Cookie | Duration | Description |
---|---|---|
_hjAbsoluteSessionInProgress | 1 year | No description |
_hjAbsoluteSessionInProgress | 1 year | No description |
_hjAbsoluteSessionInProgress | 1 year | No description |
_hjAbsoluteSessionInProgress | 1 year | No description |
_hjFirstSeen | 29 minutes | No description |
_hjFirstSeen | 29 minutes | No description |
_hjFirstSeen | 29 minutes | No description |
_hjFirstSeen | 1 year | No description |
_hjid | 11 months 29 days 23 hours 59 minutes | This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
_hjid | 11 months 29 days 23 hours 59 minutes | This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
_hjid | 1 year | This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
_hjid | 1 year | This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID. |
_hjIncludedInPageviewSample | 1 year | No description |
_hjIncludedInPageviewSample | 1 year | No description |
_hjIncludedInPageviewSample | 1 year | No description |
_hjIncludedInPageviewSample | 1 year | No description |
_hjSession_1776154 | session | No description |
_hjSessionUser_1776154 | session | No description |
_hjTLDTest | 1 year | No description |
_hjTLDTest | 1 year | No description |
_hjTLDTest | session | No description |
_hjTLDTest | session | No description |
_lfa_test_cookie_stored | past | No description |
Cookie | Duration | Description |
---|---|---|
loglevel | never | No description available. |
prism_90878714 | 1 month | No description |
redirectFacebook | 2 minutes | No description |
YSC | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt-remote-device-id | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt.innertube::nextId | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |