Domain 2: Data Protection & Governance

DSPM for AI & Data Lifecycle

Data Security Posture Management for AI watches how your data is used with Copilot and other AI tools. Data Lifecycle Management controls how long data lives. Both are essential for Copilot governance.

Two critical concepts for the AI era

Simple explanation

DSPM for AI is like a GPS tracker on your data when it travels through AI tools. It shows: “This confidential document was accessed by Copilot 47 times this week by 12 different users.” It helps you answer: “Is our sensitive data being used safely with AI?”

Data Lifecycle Management is like an expiry date on food. Some data must be kept for 7 years (legal records). Some data should be deleted after 90 days (old chat logs). Retention policies automate this — keep what you need, delete what you don’t, and never lose something you’re legally required to keep.

DSPM for AI — governing your AI data

What DSPM for AI shows you

| Insight | Why It Matters |
| --- | --- |
| Which sensitive data AI accesses | Are labelled documents being surfaced by Copilot? |
| Who’s using AI with sensitive data | Are the right people accessing the right data through AI? |
| Unlabelled data being used in AI | Data without sensitivity labels is a blind spot |
| AI interaction volume | How heavily is your org using Copilot with sensitive content? |
| Risky AI patterns | Users prompting Copilot for data they shouldn’t have access to |

Scenario: Northwave discovers AI blind spots

After deploying Copilot, Priya (Compliance) checks DSPM for AI and finds:

  • 2,400 documents accessed by Copilot in the first month
  • 340 of those had sensitivity labels (good — protected)
  • 2,060 had NO labels (bad — blind spot)
  • 15 users used Copilot to access data in SharePoint sites they hadn’t directly visited before

Actions:

  1. Priority: auto-label the 2,060 unlabelled documents (Information Protection)
  2. Review the 15 users’ access patterns — were they accessing data through oversharing?
  3. Set up DSPM alerts for unlabelled data accessed by Copilot
  4. Report to Jordan (CISO) — “Our labelling coverage is only 14%. Copilot exposes the gap.”

Key exam concept: DSPM for AI doesn’t block anything — it provides VISIBILITY. It tells you what’s happening so you can take action with other tools (labels, DLP, permissions). Think of it as the dashboard, not the brakes.

Data Lifecycle Management — retention and deletion

Retention policies vs retention labels

| Feature | Retention Policy | Retention Label |
| --- | --- | --- |
| Scope | Applied to locations (entire mailbox, entire site) | Applied to individual items (specific document, email) |
| How applied | Admin configures for locations | Manual, auto-applied, or recommended |
| Flexibility | Broad — same rules for everything in the location | Granular — different rules per item |
| Use case | Keep all email for 3 years | Keep this specific contract for 10 years |
| Legal hold | Not designed for this | Supports legal holds on specific items |

Retention actions

| Setting | What Happens |
| --- | --- |
| Retain only | Keep data for X period, then do nothing (user can still delete before) |
| Retain then delete | Keep for X period, then auto-delete |
| Delete only | Auto-delete after X period (no retention requirement) |

Scenario: Clearfield Council's retention rules

Clearfield Council has regulatory requirements:

  • Council meeting minutes → retain for 10 years, then delete (retention label, auto-applied to “Council Minutes” library)
  • General email → retain for 3 years, then delete (retention policy on all Exchange mailboxes)
  • Teams chat → retain for 1 year, then delete (retention policy on Teams)
  • Active investigation documents → legal hold, retain indefinitely (retention label, manually applied by legal team)

The key principle: retain what you must, delete what you should, and never lose what you’re legally required to keep.
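
The two location-wide rules and the council-minutes label from the Clearfield scenario, sketched in Security & Compliance PowerShell. This is an added example, not part of the original module: every policy, rule and label name is hypothetical, durations are approximated in days, and a session opened with Connect-IPPSSession is assumed. Publishing or auto-applying the label to the library and the legal-hold label are not shown.

```powershell
# Added example. All names below are hypothetical.
# Assumes Connect-IPPSSession has already been run by an account
# that is allowed to manage retention.

# The module's three retention actions map to these cmdlet values:
#   Retain only        -> Keep
#   Retain then delete -> KeepAndDelete
#   Delete only        -> Delete

# General email: retention POLICY scoped to a location (all Exchange mailboxes),
# retain 3 years (~1095 days), then delete.
New-RetentionCompliancePolicy -Name 'Clearfield Email 3y' -ExchangeLocation All
New-RetentionComplianceRule -Name 'Clearfield Email 3y rule' `
    -Policy 'Clearfield Email 3y' `
    -RetentionDuration 1095 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Teams chat: a second retention POLICY scoped to Teams chats,
# retain 1 year, then delete.
New-RetentionCompliancePolicy -Name 'Clearfield Teams chat 1y' -TeamsChatLocation All
New-RetentionComplianceRule -Name 'Clearfield Teams chat 1y rule' `
    -Policy 'Clearfield Teams chat 1y' `
    -RetentionDuration 365 `
    -RetentionComplianceAction KeepAndDelete

# Council minutes: retention LABEL (item-level), retain 10 years (~3650 days),
# then delete. The label still has to be published or auto-applied to the
# "Council Minutes" library before it takes effect on any item.
New-ComplianceTag -Name 'Council Minutes 10y' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 3650 `
    -RetentionType CreationAgeInDays

# Check that the policies exist and have finished distributing to their locations.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```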

Flashcards

Question

What does DSPM for AI do?

Answer

Discovers and monitors how organisational data interacts with AI tools like Copilot. Shows which sensitive/unlabelled data AI accesses, who's using AI with sensitive data, and risky AI patterns. Provides visibility, not enforcement.

Question

What's the difference between a retention policy and a retention label?

Answer

Retention policy = broad rules applied to locations (entire mailbox, entire site). Retention label = granular rules applied to individual items (specific document, email). Labels also support legal holds.

Question

What are the three retention actions?

Answer

1) Retain only — keep data, user can still delete. 2) Retain then delete — keep for X period, then auto-delete. 3) Delete only — auto-delete after X period, no retention.

Knowledge Check

After deploying Copilot, Northwave finds that 80% of documents accessed by Copilot have no sensitivity labels. Which Purview tool revealed this insight?


Next up: How Copilot Accesses Your Data — the Microsoft Graph connection and why data governance is the foundation of safe Copilot deployment.