8 min. read<\/p>\n
Sensitive customer data is ending up in public AI tools every day, often without anyone noticing. Microsoft is now building a protective layer directly into the prompt input, and IT managers in the SME sector must decide whether to jump on board or continue improvising.<\/strong><\/p>\n 06.05.2026<\/em><\/p>\n Key Takeaways<\/p>\n Related:<\/span>A2A Protocol 1.2 in production<\/a> \/<\/span> AWS and Google Cloud multicloud preview<\/a><\/p>\n What is Microsoft Intelligent Purview?<\/strong> Microsoft uses the term Intelligent Purview to describe the data and compliance platform that became generally available in May 2026, bundling classification, DLP, posture management, and agent governance into a single console. New features include real-time evaluation of AI prompts and agent responses against Sensitive Information Types, combined with a unified DSPM view of Microsoft 365 and external data sources.<\/p>\n While the headline is Intelligent Purview, the real leverage lies in two individual steps. First: DLP for Microsoft 365 Copilot has been generally available across the board since the end of April 2026, concluding the public preview status from November 2025. Second: May sees the arrival of the new, unified DSPM console alongside the GA of the Agent 365 compliance protection layer. Together, these form what Microsoft is positioning as a central AI security cockpit.<\/p>\n For cloud architects, this is more than just a console refresh. DLP now operates before the model call, rather than just on the storage system. If an employee types a contract clause or a credit card number into a Copilot prompt, the policy blocks the prompt before it reaches the foundation model. This applies to M365 Copilot, Copilot Chat, and, via the inline DLP extension, to custom-built Copilot Studio agents as well.<\/p>\n A small but significant detail: the licensing hurdles are gone. Until December 2025, you needed E5 or a dedicated compliance add-on to activate prompt DLP. With the April rollout, the feature is included in every Copilot license, including E1 and E3 tenants with a Copilot add-on. This changes the negotiation logic with Microsoft, as a frequently used argument for upselling has been removed.<\/p>\n Anyone who has viewed DLP primarily as file classification faces a conceptual problem. A prompt is not a file. It is ephemeral, often lasting less than two seconds, yet it is the exact point where plaintext data can leave the tenant. Three areas are shifting with this new interface.<\/p>\n First, classifier hygiene. Sensitive Information Types are now evaluated within the prompt. Those who have created custom SITs with overly loose regex patterns will trigger an avalanche of false positives in prompt DLP, as employees do not formulate their prompt language with the same control as a saved document. Before rollout, a stress test using the last 1,000 Copilot prompts from the audit logs is essential. Microsoft provides the Activity Explorer and Search-with-AI in Data Security Investigations for this purpose.<\/p>\n Second, the agent inventory. With Agent 365 GA, compliance teams receive a complete list of all Copilot Studio agents in the tenant, including a risk score, for the first time. This list is usually longer than expected. In typical DACH-region tenants with 5,000+ employees, 80 to 200 productive or semi-productive agents often appear. A data class, data source, and DLP profile must be assigned to each agent; otherwise, the tenant-default inheritance logic kicks in, blocking either too much or too little.<\/p>\n Third, the shadow AI layer. Network Data Security has been GA for third-party SASE since November 2025 and in public preview for Microsoft Entra GSA Internet Access. This brings ChatGPT, Claude, Mistral, or self-hosted LLM proxies into the same DSPM dashboard as Copilot. Pulling this lever provides, for the first time, a reliable picture of how many prompts are actually being sent to external models daily. The numbers are regularly uncomfortable.<\/p>\n A full migration to prompt-centric DLP requires more than just setting a policy. The sequence is critical, because a false start in week one will fill the next six weeks with tickets. A realistic roadmap for mid-sized DACH tenants with 2,000 to 10,000 seats.<\/p>\n \n“Sensitive customer data ends up in public AI tools every day without anyone noticing.”\n<\/p><\/blockquote>\n The pipeline is solid, but it has friction points that are often glossed over in roadmap documentation. Here are three examples from production setups that are delaying migration.<\/p>\n What breaks<\/p>\n What holds up<\/p>\n Three tenant profiles derive the clearest added value. Tenants with over 1,000 active Copilot licenses, because daily prompt volumes there reach the five-digit range, making manual audit spot checks hopeless. Regulated industries with DORA, NIS2, or BaFin backgrounds, because the multicloud audit requirement<\/a> remains incomplete without prompt logging. And setups with custom Copilot Studio agents in productive business processes, because a single misclassified response there can trigger a data protection incident.<\/p>\n Anyone ignoring this setup will be operating with a structural blind spot in 2026. Data classes protected in storage are flowing into third-party models via prompts. External audit readiness may remain formally established, but in practice, it is becoming increasingly porous.<\/p>\n A second observation from the pilot tenants: friction does not primarily stem from the technology, but from the question of ownership. Each agent requires a clear owner, a clear data class scope, and a clear decommissioning date. These are three fields in an inventory that remain unmaintained in most setups. Microsoft provides the data structure and telemetry, but maintenance remains the responsibility of your own architecture function. Those who start the inventory in an Excel list and migrate it to a CMDB after three months will move significantly faster than a team waiting for a complete tooling solution.<\/p>\n And one final note on reporting. DSPM posture reports provide a decent initial audit view but are only conditionally suitable for external auditors. Anyone needing to document for DORA, NIS2, or a BaFin audit should mirror the telemetry into their own logging pipeline early on\u2014most easily via Microsoft Sentinel with a two-year retention period. The audit trail in Purview itself defaults to 180 days, which is sufficient for internal reviews but not for regulated industries.<\/p>\n And yes, I was skeptical at first. A central console that combines storage DLP, prompt DLP, agent inventory, and shadow AI into one dashboard sounds like classic marketing fluff. After three weeks of testing in a pilot tenant, my skepticism has diminished. The telemetry is consistent, the policies take effect as documented, and the false-positive rate is manageable if your SIT hygiene is on point. The leverage lies in the tenant setup, not the tool.<\/p>\n A separate policy is mandatory. While DLP-for-Copilot uses the same Sensitive Information Types, the location selection is independent. A policy without an explicitly activated Copilot location will not take effect at the prompt layer, even if the same classification has long been active in storage.<\/p>\n<\/details>\n Agents on Microsoft Foundry are captured via the Risky-Agents policy in Insider Risk Management, which has been in preview since November 2025. External frameworks like LangGraph or n8n are not covered; here, only network data security capture via edge traffic, combined with manual CMDB maintenance for owners and data classes, will help.<\/p>\n<\/details>\n For DLP-for-Copilot, any Copilot license will suffice starting in April 2026; this applies to E1, E3, and E5. Agent 365 is licensed independently, costing between 15 and 30 USD per agent slot per month, depending on the tenant. DSPM for AI in the new version is available in the E5 compliance bundle and via pay-as-you-go.<\/p>\n<\/details>\n Microsoft 365 Copilot has been storing prompt and response data in the audit log since its GA in early 2024. Those wishing to audit data retrospectively can load it via Search-with-AI in Data Security Investigations and scan it against SIT classes. Retention is based on the configured audit policy, i.e., the standard 180 days or up to ten years with premium eDiscovery.<\/p>\n<\/details>\n Not directly. Purview DLP operates at the Microsoft 365 layer, i.e., Copilot, Copilot Studio agents, and Agent 365. For AWS Bedrock and Google Vertex, the protection point remains either in the application layer of your own software or in the network data security hop if requests run through a controlled edge. Microsoft will not provide native platform symmetry in 2026.<\/p>\n<\/details>\n About the author<\/p>\n Adrian Garcia-Kunz<\/strong> is a Web Developer at Evernine. He reads release notes for breakfast and monitors the intersection between cloud platforms, frontend architecture, and the question of what a new feature actually costs a tenant before it goes live.<\/p>\n<\/div>\n More from the MBF Media Network<\/p>\n A2A Protocol 1.2: What DACH cloud architects need to change in Istio now<\/a><\/p>\n<\/div>\n\n
What has really changed in May 2026<\/h2>\n
Three architectural points where teams must now catch up<\/h2>\n
What a 60-day activation looks like in practice<\/h2>\n
What holds up, what breaks in the tenant<\/h2>\n
\n
\n
Where the effort is truly worth it<\/h2>\n
Frequently Asked Questions<\/h2>\n
Is an existing DLP policy on SharePoint and Exchange sufficient, or must a new policy be created for Copilot?<\/strong><\/summary>\n
How can agents outside of Copilot Studio be added to the DSPM inventory?<\/strong><\/summary>\n
Which license does an E3 tenant require for full functionality?<\/strong><\/summary>\n
What happens to historical prompt logs from before the rollout?<\/strong><\/summary>\n
How can prompt DLP be mapped in a multicloud strategy using AWS Bedrock or Google Vertex AI?<\/strong><\/summary>\n