
Discover and manage AI activity by using DSPM for AI (Part 2) (AB-900 Exam Prep)

This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Discover and manage AI activity by using DSPM for AI


Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

In Part 1, you learned how Microsoft Purview Data Security Posture Management (DSPM) for AI helps organizations discover AI activity, identify sensitive data exposure, detect oversharing, and provide visibility into how AI interacts with Microsoft 365 data.

This section (Part 2) focuses on how DSPM for AI helps administrators manage AI-related risks, integrates with other Microsoft security and compliance services, and supports secure AI adoption.


Security Recommendations Generated by DSPM for AI

One of DSPM for AI’s most valuable capabilities is providing actionable security recommendations rather than simply identifying problems.

After analyzing an organization’s AI environment, DSPM highlights areas that should be improved to reduce the likelihood of accidental data exposure or compliance violations.

Examples of recommendations include:

  • Reduce excessive SharePoint permissions.
  • Apply sensitivity labels to unclassified confidential files.
  • Configure Data Loss Prevention (DLP) policies.
  • Limit external sharing.
  • Protect highly confidential document libraries.
  • Enable auditing for AI-related activities.
  • Improve data governance before expanding AI deployments.

These recommendations help administrators prioritize improvements based on potential business impact and security risk.


Risk Prioritization

Not every security finding represents the same level of risk.

DSPM helps prioritize remediation efforts by evaluating factors such as:

  • Amount of sensitive data exposed
  • Number of users with access
  • Business importance of the data
  • Existing protection mechanisms
  • AI usage patterns
  • Permission inheritance
  • Regulatory implications

This enables administrators to address the highest-risk issues first.

For example:

Risk | Priority
Public access to executive financial reports | High
Sensitive HR documents lacking labels | High
Marketing presentations shared internally | Medium
Public training documents | Low

Discovering AI-Related Data Exposure

Organizations often ask:

“If we enable Microsoft 365 Copilot today, what sensitive information could users potentially discover?”

DSPM helps answer this question.

It analyzes:

  • Existing permissions
  • Data classifications
  • Sharing configurations
  • Microsoft Graph relationships
  • Collaboration patterns

This provides insight into which sensitive data could become more discoverable through AI-assisted searches and summaries.

Remember:

Copilot does not bypass security permissions. It only accesses information that the signed-in user is already authorized to access. DSPM helps identify situations where those permissions may already be too broad.


Remediation Recommendations

After identifying risks, DSPM recommends remediation steps.

Common recommendations include:

Reduce Oversharing

Examples include:

  • Remove unnecessary SharePoint permissions.
  • Restrict Microsoft Teams membership.
  • Remove Everyone access.
  • Limit guest sharing.

Improve Data Classification

Examples include:

  • Apply sensitivity labels.
  • Enable automatic labeling.
  • Use trainable classifiers.
  • Configure sensitive information types.

Better classification improves downstream protections across Microsoft Purview.


Strengthen Data Protection Policies

DSPM may recommend:

  • Creating DLP policies
  • Encrypting confidential documents
  • Restricting downloads
  • Blocking external sharing
  • Applying retention labels

Review AI Access

Administrators may decide to:

  • Limit AI rollout to selected departments
  • Review permissions before enabling Copilot broadly
  • Reduce access to legacy repositories
  • Remove stale user accounts

Integration with Microsoft Purview

DSPM for AI does not operate as an isolated product.

Instead, it complements several Microsoft Purview solutions.

Understanding these relationships is important for the AB-900 exam.


Microsoft Purview Information Protection

Information Protection classifies and protects data.

DSPM benefits from these classifications.

For example:

A document labeled:

  • Highly Confidential
  • Internal Only
  • Financial
  • Legal

helps DSPM understand the sensitivity of AI-accessible content.

Without labels, DSPM has less context when evaluating risk.


Microsoft Purview Data Loss Prevention (DLP)

DLP prevents sensitive information from being shared inappropriately.

DSPM identifies potential risks.

DLP helps enforce policies to prevent those risks from becoming incidents.

Example workflow:

  1. DSPM discovers sensitive payroll files.
  2. DLP prevents external sharing.
  3. Organization reduces AI-related exposure.

Microsoft Purview Insider Risk Management

DSPM identifies risky data exposure.

Insider Risk Management identifies risky user behavior.

Together they help answer two different questions:

DSPM asks:

“What sensitive data could AI access?”

Insider Risk asks:

“Is someone attempting to misuse sensitive data?”

These products complement one another.


Microsoft Purview Activity Explorer

Activity Explorer provides visibility into user interactions with sensitive information.

DSPM can use Activity Explorer insights to better understand:

  • Sensitive file access
  • Label usage
  • DLP events
  • Data movement

Administrators gain a clearer understanding of how protected information is being used across Microsoft 365.


Microsoft Purview Compliance Manager

Compliance Manager focuses on regulatory compliance.

DSPM focuses on AI data governance.

Together they help organizations:

  • Reduce compliance risk
  • Improve governance
  • Meet regulatory requirements
  • Protect sensitive information used by AI

Microsoft Defender

Microsoft Defender protects identities, endpoints, applications, and cloud resources.

DSPM complements Defender by focusing specifically on AI-related data risks.

Examples:

Microsoft Defender detects:

  • Malware
  • Credential theft
  • Phishing
  • Device compromise

DSPM identifies:

  • Overshared files
  • AI exposure
  • Sensitive data visibility
  • Permission risks

AI Governance Dashboard

DSPM provides dashboards that help administrators understand their organization’s AI posture.

Typical dashboard information includes:

  • AI adoption trends
  • Sensitive data exposure
  • High-risk repositories
  • Oversharing statistics
  • AI application inventory
  • Policy recommendations
  • Governance posture

Rather than investigating individual files, administrators receive a broad organizational view.


Discovering AI Applications

DSPM helps organizations understand:

  • Which AI tools are in use
  • Which departments use them
  • Adoption trends
  • AI usage over time

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • Supported third-party AI services

This visibility helps organizations establish AI governance policies.


Investigating AI Risks

Administrators typically investigate findings by asking questions such as:

  • Which sensitive files are accessible?
  • Who has access?
  • Why do they have access?
  • Is the data properly labeled?
  • Are permissions appropriate?
  • Is the data externally shared?
  • Should additional protection be applied?

DSPM helps surface this information so administrators can make informed decisions.


Typical Investigation Workflow

A simplified investigation might follow these steps:

  1. DSPM identifies an overshared SharePoint site.
  2. Administrator reviews permissions.
  3. Sensitive files are discovered.
  4. Sensitivity labels are applied.
  5. Permissions are reduced.
  6. DLP policies are enabled.
  7. Risk is reduced before broader Copilot deployment.


Best Practices

Organizations implementing Microsoft 365 Copilot should follow several best practices.

Review Permissions Before AI Rollout

Avoid enabling Copilot before understanding existing permissions.


Classify Sensitive Data

Use Microsoft Purview Information Protection to classify important documents.


Apply Least Privilege

Users should only have access to information required for their job.


Reduce Oversharing

Review:

  • SharePoint permissions
  • Teams memberships
  • OneDrive sharing
  • External sharing

Enable DLP

Prevent accidental sharing of confidential information.


Monitor AI Adoption

Understand:

  • Who uses AI
  • Which departments use AI
  • What information AI accesses

Regularly Review Recommendations

DSPM continuously evaluates the environment.

Administrators should regularly review new recommendations as data, permissions, and AI usage evolve.


Licensing Considerations

For the AB-900 exam, you are not expected to memorize licensing details, as licensing can change over time.

However, you should understand these general principles:

  • DSPM for AI is part of the Microsoft Purview family.
  • Advanced governance and AI security capabilities may require appropriate Microsoft licensing.
  • Organizations should verify current licensing requirements before deployment.

Common Exam Scenarios

You may encounter questions like:

Scenario 1

An organization wants to know whether Microsoft 365 Copilot could expose confidential HR documents because of existing permissions.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 2

Administrators want recommendations to reduce AI-related data exposure before deploying Copilot.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 3

Security administrators want visibility into AI adoption across Microsoft 365.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 4

Administrators want to identify overshared SharePoint sites that AI could access.

Relevant technology:

Microsoft Purview DSPM for AI


Scenario 5

An organization wants to understand where sensitive information may be exposed through AI.

Relevant technology:

Microsoft Purview DSPM for AI


Common Misconceptions

Misconception 1

DSPM blocks AI prompts.

Incorrect.

DSPM primarily discovers, assesses, and helps reduce AI-related data risks. It is not a prompt-filtering or AI-blocking solution.


Misconception 2

Copilot ignores permissions.

Incorrect.

Copilot always respects the signed-in user’s existing Microsoft 365 permissions.


Misconception 3

DSPM replaces Microsoft Purview DLP.

Incorrect.

DSPM identifies risks, while DLP enforces policies that help prevent inappropriate sharing of sensitive data.


Misconception 4

DSPM replaces Microsoft Defender.

Incorrect.

Defender focuses on threats and attacks, whereas DSPM focuses on AI-related data exposure and governance.


Misconception 5

DSPM automatically fixes security issues.

Incorrect.

DSPM provides visibility, recommendations, and guidance. Administrators remain responsible for implementing changes such as adjusting permissions, applying labels, or configuring policies.


AB-900 Exam Tips

Focus on these key concepts:

  • Microsoft Purview DSPM for AI is an AI governance and visibility solution.
  • It helps organizations discover AI usage, identify sensitive data exposure, and reduce AI-related risks.
  • DSPM does not bypass or modify Microsoft 365 permissions.
  • It works alongside Information Protection, DLP, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • One of its primary goals is to identify oversharing before it becomes a business risk.
  • DSPM provides recommendations, not automatic remediation.
  • It supports organizations throughout the AI adoption lifecycle by helping them continuously improve their security posture.

Chapter Summary

Microsoft Purview DSPM for AI enables organizations to adopt AI confidently by providing visibility into how AI interacts with organizational data. It discovers AI usage, inventories AI applications, identifies oversharing, evaluates sensitive data exposure, and recommends actions to strengthen governance.

Rather than replacing existing Microsoft Purview or Microsoft Defender capabilities, DSPM for AI enhances them by adding AI-specific insights. It integrates with Information Protection, Data Loss Prevention, Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender to create a comprehensive approach to AI governance.

For the AB-900 exam, remember that DSPM for AI is fundamentally about discovering, assessing, and managing AI-related data risks. It helps administrators understand where AI could expose sensitive information due to existing permissions and governance gaps, enabling organizations to improve their security posture before and during Microsoft 365 Copilot deployment.


Practice Exam Questions


Question 1

A company plans to deploy Microsoft 365 Copilot across all departments. Before deployment, administrators want to determine whether confidential documents are overly accessible due to existing SharePoint permissions.

Which Microsoft solution should they use?

A. Microsoft Entra Domain Services

B. Microsoft Defender for Endpoint

C. Microsoft Intune

D. Microsoft Purview Data Security Posture Management (DSPM) for AI

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI helps organizations discover overshared content, evaluate AI-related data exposure, and identify permission risks before deploying AI solutions such as Microsoft 365 Copilot.

  • D is correct because DSPM for AI analyzes permissions and identifies AI-related security risks.
  • B is incorrect because Defender for Endpoint protects devices.
  • C is incorrect because Intune manages devices and applications.
  • A is incorrect because Entra Domain Services provides managed domain services rather than AI governance.

Question 2

An administrator wants to understand which departments are actively using Microsoft 365 Copilot and other approved AI applications.

Which capability best addresses this requirement?

A. Microsoft Purview Information Protection

B. Microsoft Purview DSPM for AI

C. Microsoft Defender for Cloud Apps

D. Microsoft Entra Conditional Access

Correct Answer: B

Explanation

DSPM for AI provides visibility into AI adoption, AI application inventory, and usage trends across the organization.

  • B is correct because DSPM for AI discovers AI activity and AI adoption.
  • A classifies and protects data.
  • C monitors cloud applications but is not specifically designed for AI governance.
  • D controls authentication conditions.

Question 3

Which statement best describes how Microsoft 365 Copilot accesses organizational data?

A. It bypasses Microsoft 365 permissions when generating responses.

B. It can access all documents stored in Microsoft 365 regardless of permissions.

C. It only accesses content the signed-in user is already authorized to access.

D. It only accesses files created after Copilot was enabled.

Correct Answer: C

Explanation

Copilot respects existing Microsoft 365 permissions. It never bypasses authorization.

  • C is correct because Copilot only retrieves content the current user can already access.
  • A and B incorrectly imply that Copilot ignores permissions.
  • D is incorrect because file creation date is irrelevant.

Question 4

What is the primary purpose of Microsoft Purview DSPM for AI?

A. Prevent all AI-generated responses

B. Replace Microsoft Defender

C. Automatically encrypt all Microsoft 365 data

D. Discover AI activity and identify AI-related data risks

Correct Answer: D

Explanation

DSPM for AI provides visibility into AI usage and helps identify governance and security risks.

  • D is correct because discovering AI activity and assessing AI-related risks are its primary objectives.
  • A, B, and C describe capabilities DSPM does not provide.

Question 5

An organization discovers that hundreds of employees can access executive financial reports because of inherited SharePoint permissions.

What type of risk has DSPM for AI identified?

A. Malware infection

B. Oversharing

C. Identity synchronization failure

D. Device compliance failure

Correct Answer: B

Explanation

Oversharing occurs when users have broader access to information than intended.

  • B is correct because excessive permissions increase AI-related exposure.
  • A, C, and D are unrelated to data governance.

Question 6

Which Microsoft technology provides much of the contextual relationship information that helps DSPM for AI understand user access to Microsoft 365 content?

A. Microsoft SQL Server

B. Microsoft Defender XDR

C. Microsoft Graph

D. Azure Kubernetes Service

Correct Answer: C

Explanation

Microsoft Graph provides relationships between users, files, emails, Teams, SharePoint, and other Microsoft 365 resources.

  • C is correct because DSPM uses Microsoft Graph signals to understand data access.
  • The remaining options do not provide organizational relationship data.

Question 7

Which Microsoft Purview solution works alongside DSPM for AI by preventing inappropriate sharing of sensitive information?

A. Microsoft Purview Data Loss Prevention (DLP)

B. Microsoft Entra ID Protection

C. Microsoft Intune

D. Windows Autopilot

Correct Answer: A

Explanation

DLP enforces policies that prevent sensitive information from being shared improperly.

  • A is correct because DLP complements DSPM by enforcing protection policies.
  • B, C, and D serve different purposes.

Question 8

An administrator wants recommendations for reducing AI-related security risks before expanding Microsoft 365 Copilot deployment.

What should they use?

A. Microsoft Defender Antivirus

B. Microsoft Purview DSPM for AI

C. Exchange Online Protection

D. Microsoft Entra Connect

Correct Answer: B

Explanation

DSPM for AI evaluates AI-related risks and recommends improvements such as reducing oversharing, improving data classification, and strengthening governance.

  • B is correct because providing security recommendations is one of its core capabilities.
  • The other products address different areas of Microsoft security.

Question 9

Which action would most effectively reduce AI-related data exposure identified by DSPM for AI?

A. Disable Microsoft Teams

B. Increase mailbox quotas

C. Review permissions and apply sensitivity labels to confidential data

D. Upgrade Windows devices

Correct Answer: C

Explanation

Reducing excessive permissions and properly classifying sensitive information significantly reduces AI-related exposure.

  • C is correct because both permission management and data classification are recommended remediation actions.
  • A, B, and D do not directly address AI governance.

Question 10

Which statement best summarizes Microsoft’s approach to AI governance with DSPM for AI?

A. DSPM automatically blocks all AI interactions involving confidential information.

B. DSPM replaces Microsoft Purview Information Protection.

C. DSPM eliminates the need for Microsoft Defender.

D. DSPM provides visibility, identifies risks, and recommends actions that help organizations securely adopt AI.

Correct Answer: D

Explanation

Microsoft Purview DSPM for AI is designed to improve organizational AI security posture by discovering AI usage, identifying risks, and recommending governance improvements.

  • D is correct because it accurately reflects the purpose of DSPM for AI.
  • A is incorrect because DSPM is primarily a discovery and governance solution rather than an AI-blocking mechanism.
  • B is incorrect because Information Protection remains responsible for classifying and protecting data.
  • C is incorrect because Microsoft Defender continues to provide threat protection; DSPM for AI complements it rather than replacing it.

Key Takeaways for the AB-900 Exam

After studying this topic, you should be able to:

  • Explain the purpose of Microsoft Purview DSPM for AI.
  • Describe how DSPM for AI helps organizations discover and govern AI activity.
  • Understand that Microsoft 365 Copilot always respects existing user permissions.
  • Explain the concept of oversharing and why it is a significant AI-related risk.
  • Describe how Microsoft Graph provides context that enables DSPM for AI to evaluate data access.
  • Identify how DSPM for AI integrates with Microsoft Purview Information Protection, Data Loss Prevention (DLP), Insider Risk Management, Activity Explorer, Compliance Manager, and Microsoft Defender.
  • Recognize that DSPM for AI provides visibility, risk assessment, and recommendations, but administrators remain responsible for implementing remediation actions.
  • Apply DSPM for AI concepts to common AB-900 scenario-based questions involving Microsoft 365 Copilot deployments and AI governance.

These concepts form an important part of the “Identify data protection and governance risks for Microsoft 365 and Copilot” objective and are frequently tested through scenario-based questions that assess your understanding of secure AI adoption and governance.



Discover and Manage AI activity by using DSPM for AI (Part 1) (AB-900 Exam Prep)


Introduction

As organizations increasingly adopt AI-powered tools such as Microsoft 365 Copilot, administrators face a new challenge: understanding how AI accesses, processes, and exposes organizational data. Traditional security tools focus on protecting users, devices, and data, but AI introduces new considerations. AI assistants can summarize documents, answer questions, generate reports, and analyze data from across an organization’s Microsoft 365 environment. If permissions are overly broad or sensitive information is poorly governed, AI can unintentionally surface information to users who already have access but should not necessarily see it in a summarized or easily discoverable form.

To address these challenges, Microsoft introduced Microsoft Purview Data Security Posture Management (DSPM) for AI, a solution designed to help organizations discover AI usage, identify potential security risks, understand data exposure, and strengthen governance before and during AI adoption.

For the AB-900 exam, you are not expected to configure DSPM for AI. Instead, you should understand:

  • What DSPM for AI is
  • Why organizations use it
  • How it discovers AI activity
  • How it helps identify risks
  • How it integrates with Microsoft Purview
  • The types of recommendations it provides

What Is Microsoft Purview DSPM for AI?

Microsoft Purview DSPM for AI is a governance and security solution that provides visibility into how artificial intelligence applications interact with organizational data.

Rather than preventing AI usage, DSPM for AI helps administrators answer important questions such as:

  • Which AI applications are employees using?
  • What sensitive information is being accessed?
  • Are AI tools exposing confidential content?
  • Are permissions overly broad?
  • Are Microsoft 365 Copilot users accessing highly sensitive data?
  • Where should security controls be strengthened?

Think of DSPM for AI as a risk discovery and governance solution specifically designed for AI workloads.


What Does “Data Security Posture Management” Mean?

The term Data Security Posture Management (DSPM) refers to continuously evaluating an organization’s data environment to identify security weaknesses before they become incidents.

DSPM focuses on questions such as:

  • Where is sensitive data stored?
  • Who has access?
  • Is the data properly classified?
  • Are security policies protecting it?
  • Could AI expose it more easily?

When AI is introduced, DSPM expands these questions to include:

  • Which AI tools are interacting with company data?
  • Which users are using AI?
  • What content is AI accessing?
  • Could AI reveal confidential information?
  • Are there oversharing risks?

Rather than reacting after a breach occurs, DSPM promotes proactive risk management.


Why Organizations Need DSPM for AI

Many organizations begin using AI before fully understanding their existing data environment.

Common issues include:

  • Excessive file permissions
  • Sensitive documents shared too broadly
  • Unlabeled confidential data
  • Legacy SharePoint permissions
  • Public Teams channels
  • Old collaboration sites
  • Inactive security policies

Without visibility into these issues, AI may legitimately retrieve information based on existing permissions, even though administrators were unaware those permissions existed.

DSPM for AI helps organizations discover these weaknesses before they become security problems.


Core Capabilities of DSPM for AI

Microsoft Purview DSPM for AI provides several major capabilities.

1. Discover AI Usage

DSPM identifies where AI is being used throughout the organization.

Examples include:

  • Microsoft 365 Copilot
  • Microsoft Copilot Chat
  • AI-enabled Microsoft services
  • Supported third-party AI applications

Administrators gain visibility into:

  • AI adoption
  • AI usage trends
  • Departments using AI
  • Types of AI interactions

This helps organizations understand how quickly AI is being adopted.


2. Discover Sensitive Data Exposure

DSPM evaluates whether AI has access to sensitive organizational data.

Examples include:

  • Financial reports
  • HR records
  • Customer information
  • Legal documents
  • Intellectual property
  • Healthcare information
  • Personally identifiable information (PII)

The solution identifies locations where sensitive information may be accessible through AI.


3. Identify Oversharing Risks

One of the most important concepts for the AB-900 exam is oversharing.

Oversharing occurs when users have legitimate permissions to data that administrators did not intend them to have.

For example:

  • A confidential SharePoint library inherits incorrect permissions.
  • Hundreds of employees can read executive documents.
  • Microsoft 365 Copilot can summarize those documents for anyone with existing access.

The problem is not Copilot.

The problem is the underlying permissions.

DSPM helps identify these situations.
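
The oversharing scenario above as a small model, added here as an illustration (not code from the original post, and not how DSPM for AI is implemented). It resolves inherited permissions, shows that permission-trimmed retrieval still surfaces the executive document, and shows the effect of breaking inheritance; every site, group, file name, label and threshold is a constructed assumption.

```python
"""Toy model of oversharing through inherited permissions (constructed data only)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical directory: "Everyone" stands in for a tenant-wide group.
GROUPS = {
    "Everyone": {f"user{i}" for i in range(300)} | {"cfo", "ceo"},
    "Executives": {"cfo", "ceo"},
}


@dataclass
class Node:
    """A site, library or document in a permission tree."""
    name: str
    parent: Optional["Node"] = None
    grants: set = field(default_factory=set)  # groups granted read at this level
    inherits: bool = True                     # False = unique permissions
    label: Optional[str] = None               # sensitivity label, if any


def effective_groups(node):
    """Collect grants walking up the tree until inheritance is broken."""
    groups = set()
    while node is not None:
        groups |= node.grants
        if not node.inherits:
            break
        node = node.parent
    return groups


def readers(node):
    """Every user who can read the node through any effective group."""
    users = set()
    for group in effective_groups(node):
        users |= GROUPS[group]
    return users


def retrieve_for(user, documents):
    """Permission-trimmed retrieval: only what the user can already read."""
    return [d.name for d in documents if user in readers(d)]


def oversharing_findings(documents, sensitive_labels, max_readers):
    """Labelled-sensitive documents readable by more users than intended."""
    hits = [(d.name, len(readers(d)), sorted(effective_groups(d)))
            for d in documents
            if d.label in sensitive_labels and len(readers(d)) > max_readers]
    return sorted(hits, key=lambda h: -h[1])


def unlabeled_broad(documents, max_readers):
    """Broadly readable documents with no label: sensitivity is unknown."""
    return sorted(d.name for d in documents
                  if d.label is None and len(readers(d)) > max_readers)


def build_sample():
    """Constructed tenant: an executive library that wrongly inherits site access."""
    site = Node("Intranet", grants={"Everyone"})
    exec_library = Node("Executive Reports", parent=site, grants={"Executives"})
    general = Node("General", parent=site)
    docs = [
        Node("Q3-board-forecast.xlsx", parent=exec_library,
             label="Highly Confidential"),
        Node("Payroll-export.csv", parent=exec_library),  # sensitive but unlabeled
        Node("Holiday-schedule.docx", parent=general),
    ]
    return {"exec_library": exec_library, "docs": docs}


if __name__ == "__main__":
    sample = build_sample()
    docs = sample["docs"]
    print("user7 can retrieve:", retrieve_for("user7", docs))
    print("findings:", oversharing_findings(docs, {"Highly Confidential"}, 25))
    print("unlabeled and broad:", unlabeled_broad(docs, 25))
    sample["exec_library"].inherits = False  # remediation: unique permissions
    print("after fix, user7 can retrieve:", retrieve_for("user7", docs))
```

The unlabeled payroll export never appears in the labelled findings even though it sits in the same overshared library, which is why classification and permission review go together.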


4. Inventory AI Applications

Organizations often have many AI applications in use.

DSPM helps administrators discover:

  • Approved AI tools
  • Newly adopted AI tools
  • Shadow AI applications
  • AI usage across departments

This visibility supports governance decisions.


5. Monitor AI Interactions

DSPM can provide insights into how AI interacts with organizational content.

Examples include:

  • Documents accessed
  • Sensitive data locations
  • AI usage frequency
  • Common AI workflows
  • Business units using AI

Administrators gain a better understanding of AI usage patterns without reading users’ private prompts or monitoring employee productivity.


How DSPM for AI Discovers AI Activity

DSPM analyzes signals across Microsoft 365 services to understand AI usage.

These signals may include:

  • User activity
  • Data access
  • File classifications
  • Permissions
  • Labels
  • Microsoft Graph relationships
  • Microsoft Purview metadata

Rather than simply counting AI prompts, DSPM builds a broader picture of how AI interacts with organizational data.


Microsoft Graph’s Role

One important concept for the AB-900 exam is understanding the relationship between Microsoft Graph and DSPM.

Microsoft Graph acts as the intelligence layer connecting Microsoft 365 services.

DSPM uses Microsoft Graph signals to understand:

  • Which files users can access
  • Collaboration relationships
  • SharePoint permissions
  • Teams memberships
  • OneDrive access
  • Email relationships
  • Microsoft 365 activity

This allows DSPM to identify situations where AI could expose sensitive information because users already possess excessive permissions.


Data Sources Evaluated by DSPM

DSPM evaluates multiple Microsoft 365 services.

Examples include:

SharePoint Online

  • Sensitive document libraries
  • Overshared sites
  • Confidential folders
  • File permissions

OneDrive

  • Shared personal files
  • External sharing
  • Sensitive documents
  • Personal work data

Microsoft Teams

  • Shared files
  • Team memberships
  • Collaboration spaces
  • Shared conversations

Exchange Online

  • Email data
  • Mailbox access
  • Shared mailboxes
  • Sensitive communications

Microsoft 365 Copilot

DSPM evaluates how Copilot interacts with organizational data by examining:

  • Available permissions
  • Data sources
  • Sensitive information exposure
  • Governance controls

Types of Risks DSPM Can Identify

DSPM helps identify a variety of AI-related risks.

Overshared Content

Examples include:

  • Everyone can access HR documents.
  • Finance reports are visible to the entire company.
  • Sensitive SharePoint sites inherit incorrect permissions.

Sensitive Information Exposure

Examples include:

  • Credit card numbers
  • Passport numbers
  • Social Security numbers
  • Customer records
  • Healthcare data
  • Intellectual property

Excessive Permissions

Users frequently accumulate permissions over time.

DSPM identifies situations where users have access to more information than necessary.

This supports the principle of least privilege.


Unclassified Sensitive Data

Organizations often possess sensitive information that has never been classified.

DSPM can identify repositories containing:

  • Unlabeled confidential documents
  • Sensitive spreadsheets
  • Legal contracts
  • Financial reports

This allows administrators to apply Microsoft Purview Information Protection labels.


Shadow AI

Shadow AI refers to employees using AI tools that have not been approved by the organization.

Examples might include:

  • Public AI chat services
  • AI writing assistants
  • AI coding assistants
  • AI document summarizers

DSPM helps organizations understand where unmanaged AI usage exists so appropriate governance decisions can be made.


Key Exam Tips

For the AB-900 exam, remember these important points:

  • DSPM for AI is primarily a visibility and governance solution, not an AI blocking solution.
  • It helps organizations discover, understand, and reduce AI-related risks.
  • It identifies oversharing, sensitive data exposure, and permission issues.
  • DSPM works closely with other Microsoft Purview solutions to improve an organization’s overall AI security posture.
  • Microsoft Graph provides much of the contextual information that enables DSPM to evaluate AI data access and potential risks.
  • The goal is not to restrict productive AI use, but to ensure that AI operates within an organization’s existing security, compliance, and governance framework.
