Microsoft Purview · DSPM (Preview)

Data Security AI Admin (Preview)

[Preview] Edit DLP policies related to Copilot and view AI content in the unified DSPM (Preview). Cannot read prompts and responses of AI interactions. Role group: Data Security AI Admins.

Scope: DLP policy editing for Copilot workloads plus AI content viewing in DSPM (Preview). Does not include prompt/response viewing or non-AI DLP policy editing.

Permissions

  • Copilot DLP - Edit Data Loss Prevention policies related to Copilot location
  • AI Content Viewing - View AI content in Data Security Posture Management (preview)
  • AI Activity Explorer - View AI-related events in Activity Explorer
  • AI Observability - View Apps and agents page for AI app usage monitoring
  • AI Reports - View AI-related reports and metrics
  • AI Recommendations - View and act on AI-related recommendation cards
  • Data Risk Assessments - View data risk assessments for AI readiness
  • DLP Configuration - Manage DLP policies specifically for Copilot and AI workloads
  • Cannot Read Prompts - Does NOT have access to read prompts/responses of AI interactions

Common use cases

  • Security engineers creating DLP policies specifically for Copilot interactions
  • Compliance team members managing AI-specific data loss prevention controls
  • AI governance teams needing to create DLP protections for AI apps without broader DLP access
  • Security administrators configuring Copilot DLP to prevent sensitive data in AI prompts
  • IT security staff implementing AI-specific data protection policies
  • Organizations wanting targeted DLP administration for AI workloads only

Best practices

  • Use this role for targeted AI DLP administration without granting full DLP Compliance Management
  • Start DLP policies for Copilot in test/simulation mode before enforcement
  • Coordinate with broader DLP team to ensure AI policies align with organizational DLP strategy
  • Monitor AI Activity Explorer events to validate DLP policy effectiveness
  • Review data risk assessments to identify oversharing before applying Copilot DLP
  • Use recommendations to guide policy creation for AI workloads
  • Document AI DLP policy decisions for audit trail and compliance evidence
  • Test policies with pilot user groups before organization-wide rollout

Security considerations

  • Can edit DLP policies for Copilot - changes affect AI data protection for entire organization
  • Cannot read AI prompts/responses - reduced privacy exposure compared to Content Viewer
  • DLP policy changes for Copilot can impact user productivity - test thoroughly
  • Scoped to AI/Copilot DLP only - cannot edit broader DLP policies
  • AI content viewing shows aggregate data without individual prompt/response access
  • Safe for security engineers who need AI DLP configuration without investigation access
  • Monitor Copilot DLP policy changes through audit logs

Common questions

When should I assign the Data Security AI Admin (Preview) role?

Assign Data Security AI Admin (Preview) when you need to: Security engineers creating DLP policies specifically for Copilot interactions; Compliance team members managing AI-specific data loss prevention controls; AI governance teams needing to create DLP protections for AI apps without broader DLP access; Security administrators configuring Copilot DLP to prevent sensitive data in AI prompts; and IT security staff implementing AI-specific data protection policies. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Data Security AI Admin (Preview) role do?

The Data Security AI Admin (Preview) role grants permissions including: Copilot DLP - Edit Data Loss Prevention policies related to Copilot location; AI Content Viewing - View AI content in Data Security Posture Management (preview); AI Activity Explorer - View AI-related events in Activity Explorer; AI Observability - View Apps and agents page for AI app usage monitoring; AI Reports - View AI-related reports and metrics; and AI Recommendations - View and act on AI-related recommendation cards. See the Permissions section above for the full list.

What are the security risks of the Data Security AI Admin (Preview) role?

Key considerations when assigning Data Security AI Admin (Preview): Can edit DLP policies for Copilot - changes affect AI data protection for entire organization; Cannot read AI prompts/responses - reduced privacy exposure compared to Content Viewer; DLP policy changes for Copilot can impact user productivity - test thoroughly; and Scoped to AI/Copilot DLP only - cannot edit broader DLP policies. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →