Microsoft Purview · DSPM (Preview)

AI Administrator (DSPM)

[Preview] Entra ID role providing view-only access to AI-related data in DSPM (Preview), including AI observability, AI activities, AI objectives, and AI-related risk patterns. This is a new role introduced with the unified DSPM experience.

Scope: View-only access to AI-related DSPM (Preview) data only. Cannot view non-AI data security information, cannot create policies or complete actions.

Permissions

  • AI Observability - View Apps and agents page showing AI app usage including Agent 365
  • AI Activities - View events in Activity Explorer AI activities tab
  • AI Objectives - View AI-related data security objectives (e.g., prevent exfiltration to AI apps)
  • AI Reports - View AI-related graphs and metrics from the Reports page
  • AI Risk Patterns - View AI-related risk patterns and posture trends
  • Recommendations - View all recommendation cards including AI recommendations
  • Recommendation Status - View completion status of recommendation cards (excludes Unethical Behavior card)
  • Data Risk Assessments - View existing data risk assessments
  • Setup Steps - View getting started step completion status (excludes Audit and Extend Insights)
  • Policy List - Cannot view Information Protection policies (unlike Security Reader)

Common use cases

  • AI governance teams monitoring organizational AI adoption and risk
  • AI Administrator designated by the organization to oversee Copilot and third-party AI usage
  • Executive leadership tracking AI-related data security for board reporting
  • Privacy officers monitoring AI interactions with sensitive data at scale
  • IT leadership understanding which AI apps (Copilot, ChatGPT, Gemini) are being used
  • Risk management teams assessing AI-specific data oversharing risk
  • Security consultants evaluating AI security posture and policy coverage
  • Compliance officers monitoring AI app usage for regulatory requirements (GDPR, HIPAA)

Best practices

  • Use for dedicated AI governance roles that do not need broader data security visibility
  • Monitor the AI observability page regularly for new AI apps and agent activity
  • Review AI activities in Activity Explorer to identify risky AI usage patterns
  • Track AI-related objective progress for overall AI security posture
  • Coordinate with DSPM Full Access holders for policy creation based on AI insights
  • Generate AI-focused reports for AI governance committee or board presentations
  • Use data risk assessments to understand AI oversharing risk before Copilot deployment
  • Compare the AI Administrator view with the Security Reader view to understand scope differences

Security considerations

  • Read-only access to AI data only - minimal privacy impact, scoped to AI activities
  • Cannot create policies, complete actions, or modify any settings
  • Cannot view non-AI Activity Explorer events or non-AI security data
  • Cannot view Information Protection policies (unlike Security Reader)
  • Cannot view Unethical Behavior recommendation card completion status
  • Safe role for AI governance teams and external AI security consultants
  • AI observability data shows organizational AI adoption - may be business-sensitive
  • This is an Entra ID role - supports PIM for just-in-time activation
