Discover and manage AI activity by using DSPM for AI (Part 2) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and manage AI activity by using DSPM for AI


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

In Part 1, you learned how Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations discover AI activity, identify sensitive data exposure, detect oversharing, and provide visibility into how AI interacts with Microsoft 365 data.

This section (Part 2) focuses on how DSPM for AI helps administrators manage AI-related risks, integrates with other Microsoft security and compliance services, and supports secure AI adoption.


Security Recommendations Generated by DSPM for AI

One of DSPM for AI’s most valuable capabilities is providing actionable security recommendations rather than simply identifying problems.

After analyzing an organization’s AI environment, DSPM highlights areas that should be improved to reduce the likelihood of accidental data exposure or compliance violations.

Examples of recommendations include:

  • Reduce excessive SharePoint permissions.
  • Apply sensitivity labels to unclassified confidential files.
  • Configure Data Loss Prevention (DLP) policies.
  • Limit external sharing.
  • Protect highly confidential document libraries.
  • Enable auditing for AI-related activities.
  • Improve data governance before expanding AI deployments.

These recommendations help administrators prioritize improvements based on potential business impact and security risk.


Risk Prioritization

Not every security finding represents the same level of risk.

DSPM helps prioritize remediation efforts by evaluating factors such as:

  • Amount of sensitive data exposed
  • Number of users with access
  • Business importance of the data
  • Existing protection mechanisms
  • AI usage patterns
  • Permission inheritance
  • Regulatory implications

This enables administrators to address the highest-risk issues first.

For example:

Risk                                           Priority
Public access to executive financial reports   High
Sensitive HR documents lacking labels          High
Marketing presentations shared internally      Medium
Public training documents                      Low

Discovering AI-Related Data Exposure

Organizations often ask:

“If we enable Microsoft 365 Copilot today, what sensitive information could users potentially discover?”

DSPM helps answer this question.

It analyzes:

  • Existing permissions
  • Data classifications
  • Sharing configurations
  • Microsoft Graph relationships
  • Collaboration patterns

This provides insight into which sensitive data could become more discoverable through AI-assisted searches and summaries.

Remember:

Copilot does not bypass security permissions. It only accesses information that the signed-in user is already authorized to access. DSPM helps identify situations where those permissions may already be too broad.


Remediation Recommendations

After identifying risks, DSPM recommends remediation steps.

Common recommendations include:

Reduce Oversharing

Examples include:

  • Remove unnecessary SharePoint permissions.
  • Restrict Microsoft Teams membership.
  • Remove Everyone access.
  • Limit guest sharing.

Improve Data Classification

Examples include:

  • Apply sensitivity labels.
  • Enable automatic labeling.
  • Use trainable classifiers.
  • Configure sensitive information types.

Better classification improves downstream protections across Microsoft Purview.


Strengthen Data Protection Policies

DSPM may recommend:

  • Creating DLP policies
  • Encrypting confidential documents
  • Restricting downloads
  • Blocking external sharing
  • Applying retention labels

Review AI Access

Administrators may decide to:

  • Limit AI rollout to selected departments
  • Review permissions before enabling Copilot broadly
  • Reduce access to legacy repositories
  • Remove stale user accounts

Integration with Microsoft Purview

DSPM for AI does not operate as an isolated product.

Instead, it complements several Microsoft Purview solutions.

Understanding these relationships is important for the AB-900 exam.


Microsoft Purview Information Protection

Information Protection classifies and protects data.

DSPM benefits from these classifications.

For example:

A document labeled:

  • Highly Confidential
  • Internal Only
  • Financial
  • Legal

helps DSPM understand the sensitivity of AI-accessible content.

Without labels, DSPM has less context when evaluating risk.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents sensitive information from being shared inappropriately.

DSPM identifies potential risks.

DLP helps enforce policies to prevent those risks from becoming incidents.

Example workflow:

  1. DSPM discovers sensitive payroll files.
  2. DLP prevents external sharing.
  3. Organization reduces AI-related exposure.

Microsoft Purview Insider Risk Management

DSPM identifies risky data exposure.

Insider Risk Management identifies risky user behavior.

Together they help answer two different questions:

DSPM asks:

“What sensitive data could AI access?”

Insider Risk asks:

“Is someone attempting to misuse sensitive data?”

These products complement one another.


Microsoft Purview Activity Explorer

Activity Explorer provides visibility into user interactions with sensitive information.

DSPM can use Activity Explorer insights to better understand:

  • Sensitive file access
  • Label usage
  • DLP events
  • Data movement

Administrators gain a clearer understanding of how protected information is being used across Microsoft 365.


Microsoft Purview Compliance Manager

Compliance Manager focuses on regulatory compliance.

DSPM focuses on AI data governance.

Together they help organizations:

  • Reduce compliance risk
  • Improve governance
  • Meet regulatory requirements
  • Protect sensitive information used by AI

Microsoft Defender

Microsoft Defender protects identities, endpoints, applications, and cloud resources.

DSPM complements Defender by focusing specifically on AI-related data risks.

Examples:

Microsoft Defender detects:

  • Malware
  • Credential theft
  • Phishing
  • Device compromise

DSPM identifies:

  • Overshared files
  • AI exposure
  • Sensitive data visibility
  • Permission risks

AI Governance Dashboard

DSPM provides dashboards that help administrators understand their organization’s AI posture.

Typical dashboard information includes:

  • AI adoption trends
  • Sensitive data exposure
  • High-risk repositories
  • Oversharing statistics
  • AI application inventory
  • Policy recommendations
  • Governance posture

Rather than investigating individual files, administrators receive a broad organizational view.


Discovering AI Applications

DSPM helps organizations understand:

  • Which AI tools are in use
  • Which departments use them
  • Adoption trends
  • AI usage over time

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • Supported third-party AI services

This visibility helps organizations establish AI governance policies.


Investigating AI Risks

Administrators typically investigate findings by asking questions such as:

  • Which sensitive files are accessible?
  • Who has access?
  • Why do they have access?
  • Is the data properly labeled?
  • Are permissions appropriate?
  • Is the data externally shared?
  • Should additional protection be applied?

DSPM helps surface this information so administrators can make informed decisions.


Typical Investigation Workflow

A simplified investigation might follow these steps:

Step 1

DSPM identifies an overshared SharePoint site.

Step 2

Administrator reviews permissions.

Step 3

Sensitive files are discovered.

Step 4

Sensitivity labels are applied.

Step 5

Permissions are reduced.

Step 6

DLP policies are enabled.

Step 7

Risk is reduced before broader Copilot deployment.


Best Practices

Organizations implementing Microsoft 365 Copilot should follow several best practices.

Review Permissions Before AI Rollout

Avoid enabling Copilot before understanding existing permissions.


Classify Sensitive Data

Use Microsoft Purview Information Protection to classify important documents.


Apply Least Privilege

Users should only have access to information required for their job.


Reduce Oversharing

Review:

  • SharePoint permissions
  • Teams memberships
  • OneDrive sharing
  • External sharing

Enable DLP

Prevent accidental sharing of confidential information.


Monitor AI Adoption

Understand:

  • Who uses AI
  • Which departments use AI
  • What information AI accesses

Regularly Review Recommendations

DSPM continuously evaluates the environment.

Administrators should regularly review new recommendations as data, permissions, and AI usage evolve.


Licensing Considerations

For the AB-900 exam, you are not expected to memorize licensing details, as licensing can change over time.

However, you should understand these general principles:

  • DSPM for AI is part of the Microsoft Purview family.
  • Advanced governance and AI security capabilities may require appropriate Microsoft licensing.
  • Organizations should verify current licensing requirements before deployment.

Common Exam Scenarios

You may encounter questions like:

Scenario 1

An organization wants to know whether Microsoft 365 Copilot could expose confidential HR documents because of existing permissions.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 2

Administrators want recommendations to reduce AI-related data exposure before deploying Copilot.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 3

Security administrators want visibility into AI adoption across Microsoft 365.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 4

Administrators want to identify overshared SharePoint sites that AI could access.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 5

An organization wants to understand where sensitive information may be exposed through AI.

Relevant technology:

Microsoft Purview DSPM for AI


Common Misconceptions

Misconception 1

DSPM blocks AI prompts.

Incorrect.

DSPM primarily discovers, assesses, and helps reduce AI-related data risks. It is not a prompt-filtering or AI-blocking solution.


Misconception 2

Copilot ignores permissions.

Incorrect.

Copilot always respects the signed-in user’s existing Microsoft 365 permissions.


Misconception 3

DSPM replaces Microsoft Purview DLP.

Incorrect.

DSPM identifies risks, while DLP enforces policies that help prevent inappropriate sharing of sensitive data.


Misconception 4

DSPM replaces Microsoft Defender.

Incorrect.

Defender focuses on threats and attacks, whereas DSPM focuses on AI-related data exposure and governance.


Misconception 5

DSPM automatically fixes security issues.

Incorrect.

DSPM provides visibility, recommendations, and guidance. Administrators remain responsible for implementing changes such as adjusting permissions, applying labels, or configuring policies.


AB-900 Exam Tips

Focus on these key concepts:

  • Microsoft Purview DSPM for AI is an AI governance and visibility solution.
  • It helps organizations discover AI usage, identify sensitive data exposure, and reduce AI-related risks.
  • DSPM does not bypass or modify Microsoft 365 permissions.
  • It works alongside Information Protection, DLP, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • One of its primary goals is to identify oversharing before it becomes a business risk.
  • DSPM provides recommendations, not automatic remediation.
  • It supports organizations throughout the AI adoption lifecycle by helping them continuously improve their security posture.

Chapter Summary

Microsoft Purview DSPM for AI enables organizations to adopt AI confidently by providing visibility into how AI interacts with organizational data. It discovers AI usage, inventories AI applications, identifies oversharing, evaluates sensitive data exposure, and recommends actions to strengthen governance.

Rather than replacing existing Microsoft Purview or Microsoft Defender capabilities, DSPM for AI enhances them by adding AI-specific insights. It integrates with Information Protection, Data Loss Prevention, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender to create a comprehensive approach to AI governance.

For the AB-900 exam, remember that DSPM for AI is fundamentally about discovering, assessing, and managing AI-related data risks. It helps administrators understand where AI could expose sensitive information due to existing permissions and governance gaps, enabling organizations to improve their security posture before and during Microsoft 365 Copilot deployment.


Practice Exam Questions


Question 1

A company plans to deploy Microsoft 365 Copilot across all departments. Before deployment, administrators want to determine whether confidential documents are overly accessible due to existing SharePoint permissions.

Which Microsoft solution should they use?

A. Microsoft Entra Domain Services

B. Microsoft Defender for Endpoint

C. Microsoft Intune

D. Microsoft Purview Data Security Posture Management (DSPM) for AI

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI helps organizations discover overshared content, evaluate AI-related data exposure, and identify permission risks before deploying AI solutions such as Microsoft 365 Copilot.

  • D is correct because DSPM for AI analyzes permissions and identifies AI-related security risks.
  • A is incorrect because Entra Domain Services provides managed domain services rather than AI governance.
  • B is incorrect because Defender for Endpoint protects devices.
  • C is incorrect because Intune manages devices and applications.

Question 2

An administrator wants to understand which departments are actively using Microsoft 365 Copilot and other approved AI applications.

Which capability best addresses this requirement?

A. Microsoft Purview Information Protection

B. Microsoft Purview DSPM for AI

C. Microsoft Defender for Cloud Apps

D. Microsoft Entra Conditional Access

Correct Answer: B

Explanation

DSPM for AI provides visibility into AI adoption, AI application inventory, and usage trends across the organization.

  • B is correct because DSPM for AI discovers AI activity and AI adoption.
  • A is incorrect because Information Protection classifies and protects data rather than reporting AI adoption.
  • C is incorrect because Defender for Cloud Apps monitors cloud applications but is not specifically designed for AI governance.
  • D is incorrect because Conditional Access controls authentication conditions.

Question 3

Which statement best describes how Microsoft 365 Copilot accesses organizational data?

A. It bypasses Microsoft 365 permissions when generating responses.

B. It can access all documents stored in Microsoft 365 regardless of permissions.

C. It only accesses content the signed-in user is already authorized to access.

D. It only accesses files created after Copilot was enabled.

Correct Answer: C

Explanation

Copilot respects existing Microsoft 365 permissions. It never bypasses authorization.

  • C is correct because Copilot only retrieves content the current user can already access.
  • A and B incorrectly imply that Copilot ignores permissions.
  • D is incorrect because file creation date is irrelevant.

Question 4

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Prevent all AI-generated responses

B. Replace Microsoft Defender

C. Automatically encrypt all Microsoft 365 data

D. Discover AI activity and identify AI-related data risks

Correct Answer: D

Explanation

DSPM for AI provides visibility into AI usage and helps identify governance and security risks.

  • D is correct because discovering AI activity and assessing AI-related risks are its primary objectives.
  • A, B, and C describe capabilities DSPM does not provide.

Question 5

An organization discovers that hundreds of employees can access executive financial reports because of inherited SharePoint permissions.

What type of risk has DSPM for AI identified?

A. Malware infection

B. Oversharing

C. Identity synchronization failure

D. Device compliance failure

Correct Answer: B

Explanation

Oversharing occurs when users have broader access to information than intended.

  • B is correct because excessive permissions increase AI-related exposure.
  • A, C, and D are unrelated to data governance.

Question 6

Which Microsoft technology provides much of the contextual relationship information that helps DSPM for AI understand user access to Microsoft 365 content?

A. Microsoft SQL Server

B. Microsoft Defender XDR

C. Microsoft Graph

D. Azure Kubernetes Service

Correct Answer: C

Explanation

Microsoft Graph provides relationships between users, files, emails, Teams, SharePoint, and other Microsoft 365 resources.

  • C is correct because DSPM uses Microsoft Graph signals to understand data access.
  • The remaining options do not provide organizational relationship data.

Question 7

Which Microsoft Purview solution works alongside DSPM for AI by preventing inappropriate sharing of sensitive information?

A. Microsoft Purview Data Loss Prevention (DLP)

B. Microsoft Entra ID Protection

C. Microsoft Intune

D. Windows Autopilot

Correct Answer: A

Explanation

DLP enforces policies that prevent sensitive information from being shared improperly.

  • A is correct because DLP complements DSPM by enforcing protection policies.
  • B, C, and D serve different purposes.

Question 8

An administrator wants recommendations for reducing AI-related security risks before expanding Microsoft 365 Copilot deployment.

What should they use?

A. Microsoft Defender Antivirus

B. Microsoft Purview DSPM for AI

C. Exchange Online Protection

D. Microsoft Entra Connect

Correct Answer: B

Explanation

DSPM for AI evaluates AI-related risks and recommends improvements such as reducing oversharing, improving data classification, and strengthening governance.

  • B is correct because providing security recommendations is one of its core capabilities.
  • The other products address different areas of Microsoft security.

Question 9

Which action would most effectively reduce AI-related data exposure identified by DSPM for AI?

A. Disable Microsoft Teams

B. Increase mailbox quotas

C. Review permissions and apply sensitivity labels to confidential data

D. Upgrade Windows devices

Correct Answer: C

Explanation

Reducing excessive permissions and properly classifying sensitive information significantly reduces AI-related exposure.

  • C is correct because both permission management and data classification are recommended remediation actions.
  • A, B, and D do not directly address AI governance.

Question 10

Which statement best summarizes Microsoft’s approach to AI governance with DSPM for AI?

A. DSPM automatically blocks all AI interactions involving confidential information.

B. DSPM replaces Microsoft Purview Information Protection.

C. DSPM eliminates the need for Microsoft Defender.

D. DSPM provides visibility, identifies risks, and recommends actions that help organizations securely adopt AI.

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI is designed to improve organizational AI security posture by discovering AI usage, identifying risks, and recommending governance improvements.

  • D is correct because it accurately reflects the purpose of DSPM for AI.
  • A is incorrect because DSPM is primarily a discovery and governance solution rather than an AI-blocking mechanism.
  • B is incorrect because Information Protection remains responsible for classifying and protecting data.
  • C is incorrect because Microsoft Defender continues to provide threat protection; DSPM for AI complements it rather than replacing it.

Key Takeaways for the AB-900 Exam

After studying this topic, you should be able to:

  • Explain the purpose of Microsoft Purview DSPM for AI.
  • Describe how DSPM for AI helps organizations discover and govern AI activity.
  • Understand that Microsoft 365 Copilot always respects existing user permissions.
  • Explain the concept of oversharing and why it is a significant AI-related risk.
  • Describe how Microsoft Graph provides context that enables DSPM for AI to evaluate data access.
  • Identify how DSPM for AI integrates with Microsoft Purview Information Protection, Data Loss Prevention (DLP), Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • Recognize that DSPM for AI provides visibility, risk assessment, and recommendations, but administrators remain responsible for implementing remediation actions.
  • Apply DSPM for AI concepts to common AB-900 scenario-based questions involving Microsoft 365 Copilot deployments and AI governance.

These concepts form an important part of the “Identify data protection and governance risks for Microsoft 365 and Copilot” objective and are frequently tested through scenario-based questions that assess your understanding of secure AI adoption and governance.

