Microsoft has begun rolling out prompt-level Data Loss Prevention (DLP) for Microsoft 365 Copilot to its government cloud environments, finally giving public sector organizations automated tools to stop sensitive or classified data from reaching generative AI. The expansion, confirmed in a recent Microsoft advisory, covers GCC, GCC High, and DoD tenants—clouds that handle everything from controlled unclassified information (CUI) to national security secrets.

What Changed

Until now, government cloud customers using Microsoft 365 Copilot couldn’t inspect or block what users typed into the AI assistant at the prompt level. Commercial tenants have had this capability since early 2024, but the government clouds—subject to stricter compliance certifications and isolated infrastructure—lagged behind.

That changes today. Purview DLP policies can now evaluate user prompts before they’re sent to the large language model. If a prompt contains a credit card number, a passport identifier, or a keyword tied to a classified project, the policy can block the submission outright, audit it silently, or show a policy tip warning the user. The same controls work for published Copilot Studio agents, so custom AI bots inside a government agency are covered too.

Key details:
- The feature uses the existing Purview DLP policy engine. Admins don’t need to learn a new console.
- Over 300 pre-built sensitive information types are available, plus custom trainable classifiers.
- Actions include block, block with override, and audit-only.
- Policy tips can educate users in real time, e.g., “Don’t paste contract numbers into Copilot.”
- Responses generated by Copilot are also scanned; if the model regurgitates sensitive data, a DLP policy can catch it.

What It Means for You

For Government IT and Compliance Admins

You finally have a lever to control the surge of unsanctioned AI use. Copilot is often turned on by default in M365 suites, and without prompt-level DLP, users could inadvertently paste CUI, ITAR data, or even classified information into a chat window. Now you can enforce policies that mirror your existing DLP rules for email and documents. This closes a blind spot that auditors and agency CISOs have been worried about since Copilot launched.

Practical impact:
- You can create a single DLP policy that covers Exchange, SharePoint, Teams, and Copilot prompts, reducing management overhead.
- DoD tenants gain protection at DISA IL5 and IL6 impact levels, where data spillage can carry severe consequences.
- Audit logs capture every blocked prompt, giving you the evidence you need for compliance reporting.

For End Users in Government Agencies

Your workflow might hiccup the first time a policy tip pops up. But this isn’t about spying—it’s about keeping you from making a career-ending mistake. If you routinely handle project names, budget codes, or personnel records, expect to see reminders that Copilot isn’t a safe place for that data. In most cases, you’ll still be able to proceed after acknowledging the tip, but if the data is extremely sensitive, the prompt will be blocked entirely.

For Copilot Studio Developers

Every published agent now inherits the organization’s DLP posture. If you built a bot that processes grant applications, for example, a prompt DLP policy that catches Social Security numbers will automatically apply to agent interactions. You don’t need to change a single line of code, but you should test your agents to ensure policy tips or blocks don’t disrupt the user experience unexpectedly.

How We Got Here

The road to government cloud parity has been methodical. Microsoft first announced general availability of Purview DLP for Copilot prompts in the commercial cloud in February 2024, following a private preview that started in late 2023. At the time, the company promised government cloud support “in the coming months,” but the reality took longer because each environment—GCC, GCC High, and DoD—requires separate authorization and certification.

This milestone didn’t happen in a vacuum. Government agencies have been racing to adopt generative AI while simultaneously building guardrails. A December 2024 memo from the Department of Defense’s Chief Digital and AI Office emphasized the need for “prompt-level inspection” and “real-time data classification enforcement” before services like Copilot could be widely deployed. Purview DLP for prompts directly addresses those requirements.

The delay also reflected the complexity of government cloud isolation. Copilot in GCC High and DoD runs on Azure Government infrastructure, which uses separate authentication endpoints and data boundaries. Integrating Purview’s classification engine—which must scan prompts in transit without storing them—required architectural work that couldn’t simply be copied from the public cloud.

What to Do Now

If you administer a GCC, GCC High, or DoD tenant, here’s where to start:

  1. Verify availability: Check your Purview compliance portal (compliance.microsoft.com) under Data loss prevention > Policies. If you see “Microsoft 365 Copilot” as a location option when creating a new policy, the rollout has reached your tenant. Microsoft says the feature is rolling out automatically; no opt-in is required, but it can take a few weeks to reach all tenants.

  2. Review existing DLP policies: Your current DLP rules likely target Exchange, SharePoint, and Teams. Consider whether they should also cover Copilot. For highly sensitive data types (e.g., ITAR-related keyword dictionaries), you may want a separate, stricter policy just for AI channels.

  3. Start with audit mode: Before blocking prompts, run a policy in “audit” mode for one to two weeks. Purview will log every prompt that matches the rule without interrupting users. This shows you the real volume and types of sensitive data people are trying to feed Copilot—often an eye-opening exercise.

  4. Customize policy tips: The default tip says something generic like “Your prompt contains sensitive info.” Replace it with agency-specific guidance, such as “Pasting CUI into Copilot is prohibited per DoDI 5200.01. Use your secure enclave instead.” Policy tips are your best training tool.

  5. Educate users before you block: A sudden block can frustrate employees who rely on Copilot for summarization or drafting. Send a communication that explains:
    - Why DLP is being extended to AI prompts
    - What kinds of data are restricted
    - Where to get approval for exceptions if needed

  6. Test with Copilot Studio agents: If your agency builds custom agents, coordinate with developers to test DLP behavior. Some agent prompts might be auto-generated from databases; make sure those aren’t inadvertently blocked by a keyword rule.

What’s Next

Microsoft isn’t stopping at prompt-level DLP. The company’s AI governance roadmap—laid out at its 2025 Government Leaders Summit—includes end-user-driven risk labeling, where users can flag AI responses as inappropriate, and tighter integration with Azure’s content safety classifiers. Even more important for government customers, Microsoft is pursuing FedRAMP High and DISA IL6 provisional authorizations for Copilot itself, which would allow DoD agencies to use it with top-secret data if the rest of the security stack aligns.

In the immediate term, expect refinements. The initial rollout supports the most common sensitive info types, but niche government schemas—like CAGE codes or weapon system identifiers—may require custom classifiers. And while the DLP engine can scan prompts in English, Spanish, French, and a handful of other languages, agencies working in less common languages will need to train their own models or rely on Microsoft’s forthcoming multilingual expansion.

For the hundreds of thousands of federal, state, and local government employees already using Microsoft 365 Copilot, prompt-level DLP transforms the AI from a potential data leak vector into a tool that can be used with confidence. The compliance gap is closing—and with it, one of the biggest barriers to AI adoption in the public sector.