SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 3: Manage Risks, Alerts, and Activities Premium ⏱ ~12 min read

DSPM for AI: Policies & Monitoring

Configure DSPM for AI policies to track how AI services interact with your sensitive data. Monitor AI activity, detect anomalies, and ensure your data security posture stays strong as AI adoption grows.

From setup to ongoing governance

☕ Simple explanation

Setting up DSPM is like installing security cameras. Configuring policies and monitoring is like actually watching the footage and setting up motion alerts.

In the previous module, you prepared your environment for AI. Now you create policies that define what to watch for, and use monitoring dashboards to track how AI interacts with your sensitive data day to day. You want to know: What sensitive data is AI accessing? Are there anomalies? Are oversharing patterns emerging?

DSPM for AI policies define the monitoring and detection rules for AI data interactions. They specify which AI services to monitor, what activities to track, and what thresholds trigger alerts. The monitoring dashboard provides real-time and historical views of AI activity — prompts processed, sensitive data referenced, oversharing detected, and recommendations generated. Together, policies and monitoring create a continuous governance loop for AI data security.

DSPM for AI policies

What policies monitor

| Policy Focus | What It Tracks |
|---|---|
| AI interactions with sensitive data | When Copilot or other AI services access, summarise, or reference content matching SITs |
| Oversharing in AI context | When AI surfaces broadly shared content that may not be appropriate |
| Unprotected sensitive data | When AI accesses sensitive content without sensitivity labels or encryption |
| Anomalous AI usage | Unusual patterns — sudden spikes in AI queries about sensitive topics |

Configuring a DSPM for AI policy

| Step | What You Configure |
|---|---|
| 1. Policy scope | Which AI services to monitor — Microsoft 365 Copilot, Azure AI services, third-party AI |
| 2. Data conditions | Which sensitive data types to watch — specific SITs, sensitivity labels, or all sensitive content |
| 3. Activity types | Which AI activities to track — prompts, responses, file references, summarisation |
| 4. Alerts and thresholds | When to generate alerts — volume thresholds, anomaly detection, specific pattern matches |
| 5. Recommendations | Enable actionable recommendations for improving data posture |

Policy types

Different policy types address different AI data risks

| Policy Type | What It Does | Use Case |
|---|---|---|
| Oversharing detection | Identifies content accessible by AI due to broad permissions | Pre-Copilot deployment assessment and ongoing monitoring |
| Sensitive data in AI | Monitors when AI accesses content matching specific SITs | Track AI interaction with financial data, patient records, or PII |
| Unlabelled content risk | Flags sensitive content without labels that AI could surface | Identify gaps in your labeling coverage |
| Anomalous AI usage | Detects unusual spikes or patterns in AI data access | Catch potential misuse or compromised accounts using AI |

Monitoring AI activities

The DSPM for AI dashboard

The dashboard provides a central view of AI data security:

| Dashboard Section | What It Shows |
|---|---|
| Overview | Summary of AI data risks — total sensitive items accessible, oversharing count, unlabelled content |
| Recommendations | Actionable steps to improve posture — fix permissions, apply labels, configure policies |
| Data assessments | Deep-dive into specific risk areas — which sites, which data types, which users |
| Activity monitoring | Timeline of AI interactions with sensitive data |
| Reports | Exportable reports for compliance teams and auditors |

Key metrics to track

| Metric | What It Tells You | Target |
|---|---|---|
| Sensitive items accessible by AI | Volume of sensitive data AI can surface | Decreasing over time as you remediate |
| Overshared files | Files with broad permissions containing sensitive data | Near zero before AI deployment |
| Unlabelled sensitive content | Sensitive items without labels | Decreasing — auto-labeling should close gaps |
| AI interaction volume | How actively AI services are being used with sensitive content | Baseline tracking — spikes may indicate misuse |
| Recommendations completion | Percentage of DSPM recommendations addressed | 100% for critical items |

Recommendations workflow

DSPM for AI generates recommendations based on its assessment:

| Recommendation Type | Example | Priority |
|---|---|---|
| Fix oversharing | “Remove ‘Everyone’ access from site containing 340 source code files” | High |
| Apply labels | “8,500 documents contain PII but have no sensitivity label — configure auto-labeling” | High |
| Remove stale access | “45 sites have access for former employees — review and revoke” | Medium |
| Configure DLP | “No DLP policy monitors AI interactions with financial data — create one” | Medium |
| Enable audit | “Audit logging is not capturing AI activities — enable Copilot audit events” | High |

💡 Scenario: Marcus monitors AI at NovaTech

Three months after deploying Copilot, Marcus reviews the DSPM dashboard:

Good news:

  • Overshared files dropped from 12,000 to 200 (pre-deployment remediation worked)
  • 95% of sensitive documents now have labels (auto-labeling closed the gap)

Concerns:

  • 3 users are making unusually high volumes of AI queries about “client contracts” and “pricing” — DSPM flagged this as anomalous
  • 500 new files were created without labels in the last month (new employees not trained on labeling)

Actions:

  • Investigate the 3 users via Insider Risk Management
  • Configure auto-labeling for the new document library
  • Update the mandatory labeling policy to cover new user segments
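
An independent cross-check for the anomalous-usage signal in the scenario above, as an added example (not part of the original guide, and not how DSPM for AI computes its anomalies). It assumes AI interaction records have been exported as (user, topic) pairs; the record layout, user names, counts and thresholds are constructed for illustration.

```python
from collections import Counter
from statistics import mean, median, pstdev

SENSITIVE_TOPICS = {"client contracts", "pricing"}  # topics from the scenario

def build_sample():
    """Constructed one-month sample of (user, topic) AI query records."""
    rows = []
    for i in range(9):  # nine typical users: 2-4 sensitive queries each
        rows += [(f"user{i}@novatech.example", "pricing")] * (2 + i % 3)
    # Heavy but non-sensitive usage must not count towards the signal.
    rows += [("user0@novatech.example", "holiday policy")] * 40
    for name, n in (("ana", 38), ("raj", 45), ("lee", 52)):  # three heavy users
        rows += [(f"{name}@novatech.example", "client contracts")] * n
    return rows

def sensitive_counts(rows, topics=SENSITIVE_TOPICS):
    """Per-user count of queries that touch a sensitive topic."""
    return Counter(user for user, topic in rows if topic in topics)

def flag_mean_sigma(rows, k=3.0):
    """Naive baseline: mean + k standard deviations. The outliers inflate
    both statistics, so they can hide themselves (masking)."""
    counts = sensitive_counts(rows)
    values = list(counts.values())
    limit = mean(values) + k * pstdev(values)
    return {u: c for u, c in counts.items() if c > limit}

def flag_median_mad(rows, k=5.0, floor=10):
    """Robust baseline: median + k * MAD, with an absolute floor so that a
    very quiet population does not flag trivially small counts."""
    counts = sensitive_counts(rows)
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero-width band
    limit = max(med + k * mad, floor)
    return {u: c for u, c in counts.items() if c > limit}

if __name__ == "__main__":
    sample = build_sample()
    print("mean + 3 sigma :", flag_mean_sigma(sample))
    print("median + 5 MAD :", flag_median_mad(sample))
```

On this sample the mean-based rule flags nobody, because the three heavy users pull the mean and standard deviation up with them, while the median-based rule isolates exactly those three.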

Monitoring for Azure AI services

DSPM for AI extends beyond Microsoft 365 Copilot to Azure AI services:

| Azure AI Scope | What It Monitors |
|---|---|
| Azure OpenAI Service | Prompts and responses processed by your Azure OpenAI deployments |
| Azure AI Foundry | AI apps and agents built on the Foundry platform |
| Custom AI apps | Applications using Azure AI services that process your organisation’s data |

To capture these signals:

  1. Connect Azure subscriptions to DSPM for AI
  2. Enable prompt and response logging in your Azure AI deployments
  3. Configure policies to monitor for sensitive data in AI prompts and responses

💡 Exam tip: DSPM for AI monitoring scope

The exam may ask what DSPM for AI can monitor. Key scopes:

  • Microsoft 365 Copilot — prompts, responses, file references, meeting summaries
  • Azure AI services — Azure OpenAI, Foundry, custom apps (requires Azure subscription connection)
  • Third-party AI — limited, primarily through DLP and sensitivity labels

DSPM for AI is NOT a real-time blocking tool. It monitors, assesses, and recommends. Blocking is done by DLP policies and sensitivity labels, which DSPM helps you configure correctly.

Question

What are the four main DSPM for AI policy types?

Answer

1. Oversharing detection — finds broadly shared content AI could surface. 2. Sensitive data in AI — monitors AI access to SIT-matching content. 3. Unlabelled content risk — flags sensitive content without labels. 4. Anomalous AI usage — detects unusual patterns in AI data access.

Question

What is the key difference between DSPM for AI and DLP?

Answer

DSPM for AI assesses, monitors, and recommends — it identifies data security risks in AI environments and suggests fixes. DLP enforces — it blocks, warns, or audits when sensitive data is shared. DSPM tells you what to fix. DLP prevents the exposure. They work together.

Question

Can DSPM for AI monitor Azure AI services in addition to Microsoft 365 Copilot?

Answer

Yes. DSPM for AI can monitor Azure OpenAI Service, Azure AI Foundry, and custom AI apps — but this requires connecting your Azure subscriptions and enabling prompt/response logging. This extends data security monitoring beyond M365 Copilot to enterprise AI applications.

Knowledge Check

Marcus at NovaTech sees a DSPM recommendation: '8,500 documents contain PII but have no sensitivity label.' What should he do to address this at scale?

Knowledge Check

DSPM for AI flags that 3 NovaTech users are making abnormally high volumes of AI queries about 'client contracts' and 'pricing data'. What should Marcus investigate and how?

🎉 Congratulations — you’ve completed all 25 modules of the SC-401 study guide!

You’ve covered:

  • Domain 1: Classification, sensitivity labels, encryption, and on-premises protection
  • Domain 2: DLP policies, endpoint DLP, and data retention lifecycle
  • Domain 3: Insider Risk Management, Adaptive Protection, audit, alerts, and DSPM for AI

Ready to test your knowledge? Head to the SC-401 Practice Questions when available.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.