Microsoft Purview · DSPM (Preview)
AI Administrator (DSPM)
[Preview] Entra ID role providing view-only access to AI-related data in DSPM (Preview) including AI observability, AI activities, AI objectives, and AI-related risk patterns. New role introduced with the unified DSPM experience.
Scope: View-only access to AI-related DSPM (Preview) data only. Cannot view non-AI data security information, cannot create policies or complete actions.
Permissions
- AI Observability - View Apps and agents page showing AI app usage including Agent 365
- AI Activities - View events in Activity Explorer AI activities tab
- AI Objectives - View AI-related data security objectives (e.g., prevent exfiltration to AI apps)
- AI Reports - View AI-related graphs and metrics from the Reports page
- AI Risk Patterns - View AI-related risk patterns and posture trends
- Recommendations - View all recommendation cards including AI recommendations
- Recommendation Status - View completion status of recommendation cards (excludes Unethical Behavior card)
- Data Risk Assessments - View existing data risk assessments
- Setup Steps - View getting started step completion status (excludes Audit and Extend Insights)
- Policy List - Cannot view Information Protection policies (unlike Security Reader)
Common use cases
- AI governance teams monitoring organizational AI adoption and risk
- AI Administrator designated by organization to oversee Copilot and third-party AI usage
- Executive leadership tracking AI-related data security for board reporting
- Privacy officers monitoring AI interactions with sensitive data at scale
- IT leadership understanding which AI apps (Copilot, ChatGPT, Gemini) are being used
- Risk management teams assessing AI-specific data oversharing risk
- Security consultants evaluating AI security posture and policy coverage
- Compliance officers monitoring AI app usage for regulatory requirements (GDPR, HIPAA)
Best practices
- Use for dedicated AI governance roles that do not need broader data security visibility
- Monitor AI observability page regularly for new AI apps and agent activity
- Review AI activities in Activity Explorer to identify risky AI usage patterns
- Track AI-related objective progress for overall AI security posture
- Coordinate with DSPM Full Access holders for policy creation based on AI insights
- Generate AI-focused reports for AI governance committee or board presentations
- Use data risk assessments to understand AI oversharing risk before Copilot deployment
- Compare AI Administrator view with Security Reader view to understand scope differences
Security considerations
- Read-only access to AI data only - minimal privacy impact, scoped to AI activities
- Cannot create policies, complete actions, or modify any settings
- Cannot view non-AI Activity Explorer events or non-AI security data
- Cannot view Information Protection policies (unlike Security Reader)
- Cannot view Unethical Behavior recommendation card completion status
- Safe role for AI governance teams and external AI security consultants
- AI observability data shows organizational AI adoption - may be business-sensitive
- This is an Entra ID role - supports PIM for just-in-time activation
Common questions
When should I assign the AI Administrator (DSPM) role?
Assign AI Administrator (DSPM) when you need to: AI governance teams monitoring organizational AI adoption and risk; AI Administrator designated by organization to oversee Copilot and third-party AI usage; Executive leadership tracking AI-related data security for board reporting; Privacy officers monitoring AI interactions with sensitive data at scale; and IT leadership understanding which AI apps (Copilot, ChatGPT, Gemini) are being used. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the AI Administrator (DSPM) role do?
The AI Administrator (DSPM) role grants permissions including: AI Observability - View Apps and agents page showing AI app usage including Agent 365; AI Activities - View events in Activity Explorer AI activities tab; AI Objectives - View AI-related data security objectives (e.g., prevent exfiltration to AI apps); AI Reports - View AI-related graphs and metrics from the Reports page; AI Risk Patterns - View AI-related risk patterns and posture trends; and Recommendations - View all recommendation cards including AI recommendations. See the Permissions section above for the full list.
What are the security risks of the AI Administrator (DSPM) role?
Key considerations when assigning AI Administrator (DSPM): Read-only access to AI data only - minimal privacy impact, scoped to AI activities; Cannot create policies, complete actions, or modify any settings; Cannot view non-AI Activity Explorer events or non-AI security data; and Cannot view Information Protection policies (unlike Security Reader). Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.