Microsoft has pushed a significant update to its Purview Insider Risk Management suite, giving security teams a long-requested capability: the power to select exactly which AI applications are scanned for risky user prompts and sensitive model responses. The change, which started rolling out in June 2026, marks a pivotal shift from blanket monitoring to granular, app-specific oversight in the age of generative AI.

Insider risk management has become one of the thorniest challenges for enterprises racing to adopt tools like Microsoft 365 Copilot, ChatGPT, and a growing constellation of third‑party AI assistants. Until now, Purview could detect potentially dangerous interactions—such as an employee pasting source code into a chatbot or asking for a summary of confidential financials—but administrators had little control over which applications triggered those alerts. The new update closes that gap.

What Microsoft Purview Insider Risk Management Does

Microsoft Purview Insider Risk Management (IRM) is a compliance solution that uses machine learning and configurable policies to spot risky activities by employees, contractors, and other insiders. It sifts through signals from endpoints, cloud apps, and communication channels to surface behaviors like data exfiltration, unusual file access, and—increasingly—prompt injection or sensitive disclosures involving AI tools.

Organizations deploy IRM to protect intellectual property, enforce compliance with regulations such as GDPR and HIPAA, and reduce the blast radius of accidental or malicious data leaks. The service correlates events from Windows 10 and 11 devices, Microsoft 365 apps, and a variety of connected data sources, building a risk score that triggers alerts or, in some configurations, automated remediation steps.

With the explosion of AI copilots, the attack surface has widened dramatically. An employee who innocently pastes a customer list into a public chatbot can inadvertently expose personal data. A disgruntled worker might use an internal AI summarization tool to siphon sensitive merger documents before leaving the company. IRM’s job is to catch these moments, but without app‑level precision, security teams were drowning in noise.

The June 2026 Update: Selecting AI Applications

The headline feature of this release is an interface within the Purview compliance portal that lets administrators define which AI applications are included—and excluded—from risky prompt and sensitive response detection. Instead of a binary on/off switch for all AI activity, teams can now build a curated list of apps that matter most to their risk posture.

For example, a healthcare organization might want to monitor prompts sent to a patient‑facing chatbot but ignore interactions with a narrowly‑scoped internal HR bot. A financial services firm could focus exclusively on generative AI tools that process unstructured text, while allowing code‑focused assistants to operate without triggering false positives.

The configuration works at two levels: risky prompts and sensitive AI responses. Risky prompts are user queries that contain indicators like PII, credentials, or confidential keywords. Sensitive responses are the AI‑generated outputs that inadvertently echo or expand upon that sensitive data. By decoupling these categories and tying them to specific applications, IRM allows far more nuanced policies.

How It Works Under the Hood

When an organization enables the feature, Purview’s policy engine taps into the same signal‑collection pipeline that monitors endpoints and cloud activities. For each supported AI application—ranging from Microsoft 365 Copilot and Bing Chat Enterprise to select third‑party tools that have integrated with Purview’s API—the system extracts prompts and responses in near real-time.

Administrators navigate to the Insider Risk Management section of the Purview compliance portal, open a policy template (or create a new one), and look for the “AI application filtering” node. There, they see a list of detectable AI apps, each with a toggle to include or exclude it from the policy.

Crucially, the filtering is not all‑or‑nothing. For an included app, admins can further refine monitoring by specifying:
- Data classifications (such as “credit card number” or “project code name”)
- User groups (e.g., only monitor the finance department)
- Contextual thresholds (alert only if a certain volume of sensitive material appears in a short window)

This layered approach means that a company can, for instance, watch for intellectual property leaks in Copilot chats but restrict monitoring to employees in the R&D division, while ignoring HR‑related AI tools entirely.

Why App‑Level Control Matters

Before this update, many security teams faced a dilemma: they could either cast a wide net and suffer alert fatigue, or they could disable AI monitoring altogether and accept the risk. Neither option was tenable as AI adoption accelerated.

“We’ve seen a 400% increase in AI‑related insider risk alerts over the past twelve months,” said a chief information security officer at a Fortune 500 manufacturing firm, speaking on background. “Without the ability to tune which apps we care about, our analysts were spending hours each day chasing down low‑value incidents. This update is finally giving us the scalpel we need.”

The move also aligns with the broader trend of data sovereignty and regulatory compliance. In the European Union, for instance, the EU AI Act introduces tiered obligations for high‑risk AI systems. Organizations that can demonstrate precise monitoring and control over which AI applications handle sensitive data will be in a stronger position to meet those requirements.

Integration with Microsoft 365 Copilot and Beyond

Unsurprisingly, Microsoft 365 Copilot is the first application fully optimized for this new filtering capability. Because Copilot is deeply integrated with the Microsoft Graph, Purview can correlate its queries and responses with user activity across Word, Excel, PowerPoint, Outlook, and Teams. An alert about a risky Copilot prompt can now instantly surface the document, email, or meeting transcript that may have triggered it, along with the exact AI response.

But Microsoft is not limiting the feature to its own ecosystem. The company has been steadily expanding Purview’s support for third‑party AI apps that use the Microsoft Information Protection SDK. Early adopters in the healthcare and legal sectors have already connected custom‑built AI chatbots, enabling them to apply the same insider risk policies across in‑house and Microsoft‑native tools.

“This is about meeting customers where they are,” a Microsoft program manager noted during the technical preview briefing. “We know enterprises aren’t using just one AI tool. They’re using Copilot, they’re using ChatGPT, they may be using a domain‑specific model for contract analysis. With this update, Purview becomes the unifying pane of glass for AI risk, regardless of which app generates the signal.”

Managing Risky Prompts and Sensitive Responses

The dual focus on prompts and responses reflects a nuanced understanding of how AI‑borne risk actually materializes. A risky prompt might not cause immediate damage—especially if the AI model refuses to answer—but it still signals a user’s intent or a gap in training. Conversely, a sensitive response could expose data even if the original prompt was innocuous, because the model drew on contaminated training data or over‑privileged access to internal files.

IRM’s policy templates now include separate severity sliders for “Prompt containing sensitive info” and “Response containing sensitive info.” A SOC manager can decide, for instance, that prompts containing credit card numbers warrant a high‑severity alert and an automatic email to the user’s manager, while responses that merely mention a project code name generate a low‑severity notification to the security team.

These granular controls extend to remediation actions. For severe violations, Purview can be configured to:
- Block the AI application’s network access for that specific user
- Quarantine the user’s device from accessing any AI endpoints
- Trigger an investigation workflow in Microsoft Sentinel or ServiceNow
- Automatically notify the data protection officer

Less severe hits might simply be logged for auditing or aggregated into a weekly risk digest.
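To make the layered policy concrete, the following Python is an added illustration (not Microsoft's code and not a Purview API) that models what the sections above describe: an app include/exclude list, user‑group scoping, data‑classification detectors, a contextual volume threshold per user within a time window, separate severity for prompts versus responses, and a severity‑to‑remediation mapping. The event shape, app names, the classifier rules (including the Luhn check used to avoid flagging arbitrary 16‑digit strings), and the sample events are assumptions constructed for the example.

```python
"""Added example: a toy evaluator for app-scoped AI prompt/response policies.
Everything here (Event shape, app names, classifiers, remediation names) is a
constructed assumption for illustration, not Purview's real data model."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed)
    app: str         # AI application that produced the signal
    user: str
    dept: str        # user group used for scoping
    direction: str   # "prompt" (user -> model) or "response" (model -> user)
    text: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CODENAME_RE = re.compile(r"\bProject\s+[A-Z][a-z]+\b")  # constructed naming convention


def classify(text: str, classifications: set) -> set:
    """Return the subset of requested classifications found in text."""
    hits = set()
    if "credit card number" in classifications:
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.add("credit card number")
    if "project code name" in classifications and CODENAME_RE.search(text):
        hits.add("project code name")
    return hits


@dataclass
class Policy:
    apps: dict                 # app -> {"classifications": set, "groups": set or None}
    threshold: int = 2         # sensitive hits per user inside window before alerting
    window_s: int = 600
    severity: dict = field(default_factory=lambda: {"prompt": "high", "response": "low"})


# Constructed mapping from severity to the kinds of actions the article lists.
REMEDIATION = {"high": ["notify_manager", "open_investigation"], "low": ["log_for_audit"]}


class Evaluator:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.history = defaultdict(deque)  # user -> timestamps of recent hits

    def evaluate(self, ev: Event):
        """Return None when out of scope or below threshold, else an alert dict."""
        scope = self.policy.apps.get(ev.app)
        if scope is None:
            return None                       # app not selected: never inspected
        if scope["groups"] is not None and ev.dept not in scope["groups"]:
            return None                       # user outside the monitored group
        hits = classify(ev.text, scope["classifications"])
        if not hits:
            return None
        q = self.history[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.policy.window_s:
            q.popleft()                       # drop hits outside the window
        if len(q) < self.policy.threshold:
            return None                       # below the contextual threshold
        sev = self.policy.severity[ev.direction]
        return {"user": ev.user, "app": ev.app, "direction": ev.direction,
                "classifications": sorted(hits), "severity": sev,
                "actions": REMEDIATION[sev]}


def run(events, policy: Policy) -> list:
    ev = Evaluator(policy)
    return [a for a in (ev.evaluate(e) for e in events) if a is not None]


POLICY = Policy(apps={
    "Microsoft 365 Copilot": {"classifications": {"credit card number", "project code name"},
                              "groups": {"finance"}},
    # "Internal HR bot" is deliberately absent: excluded from inspection entirely.
})

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    Event(1000, "Microsoft 365 Copilot", "alice", "finance", "prompt", "Refund card 4111 1111 1111 1111"),
    Event(1100, "Microsoft 365 Copilot", "alice", "finance", "prompt", "Also 5555 5555 5555 4444"),
    Event(1200, "Microsoft 365 Copilot", "alice", "finance", "prompt", "And 4012 8888 8888 1881"),
    Event(1300, "Microsoft 365 Copilot", "bob", "finance", "response", "Project Falcon budget is attached"),
    Event(1350, "Microsoft 365 Copilot", "bob", "finance", "response", "Project Falcon ships in Q3"),
    Event(1400, "Internal HR bot", "carol", "finance", "prompt", "My card 4111 1111 1111 1111"),
    Event(1500, "Microsoft 365 Copilot", "dave", "marketing", "prompt", "Card 4111 1111 1111 1111"),
    Event(1600, "Microsoft 365 Copilot", "erin", "finance", "prompt", "Test 1234 5678 9012 3456"),
    Event(5000, "Microsoft 365 Copilot", "alice", "finance", "prompt", "Late 4111 1111 1111 1111"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, POLICY):
        print(alert)
```

Running it produces three alerts: two high‑severity ones for alice once her second and third card‑bearing prompts land inside the window, and one low‑severity one for bob's second response mentioning a code name. Carol's HR‑bot prompt is never inspected because the app is not selected, dave is outside the finance group, erin's digit string fails the Luhn check, and alice's late prompt falls outside the window and so does not reach the threshold on its own.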

Real‑World Impact: Early Feedback

Though the update only reached general availability in June 2026, the private preview that started in late 2025 gave several large enterprises a head start. Their experiences highlight both the promise and the remaining friction points.

A global insurance company used the new filters to restrict AI monitoring to just two applications: its internal claims‑processing bot and Microsoft 365 Copilot. In the first month, the volume of actionable alerts dropped by 65%, while the detection rate for actual data leaks (measured through post‑incident reviews) remained unchanged. “We stopped chasing shadows and started seeing real incidents faster,” the firm’s compliance lead reported.

However, some testers pointed out that configuring the app list requires a thorough inventory of AI tools in use—something many organizations still lack. Shadow IT in AI is rampant; a marketing team might have signed up for a third‑party content generator without IT’s knowledge. If an app isn’t registered in Purview, it won’t appear in the selection list, creating a blind spot.

To address this, Microsoft has beefed up the discovery capabilities of Defender for Cloud Apps, which can now detect and categorize generative AI services based on network traffic analysis. Integrating that discovery data into Purview’s AI app catalog is on the roadmap, but for now, administrators must manually add custom connectors for unsupported tools.

Challenges and Considerations

No security tool is a silver bullet, and the new AI filtering feature has its own set of caveats. Performance overhead is one of the first questions from IT architects. Because prompt and response inspection happens in near real‑time, there is a latency cost. Microsoft says the processing adds less than 200 milliseconds to most interactions, and it offers an asynchronous analysis mode for low‑priority apps to minimize impact. Still, organizations with strict latency SLAs for customer‑facing AI services will need to test carefully.

Privacy is another sensitive dimension. In‑depth monitoring of AI interactions means that Purview is capturing the exact text of what employees type and what the model returns. For countries with strict employee monitoring laws, such as Germany, the feature must be coupled with clear user notice and legal justification. Microsoft provides templates for employee consent notices and recommends deploying the feature in “anonymized” mode for initial tuning, where user identities are hashed until a threshold is exceeded.

False positives remain a stubborn issue. An AI prompt that contains a string resembling a Social Security number might be a false alarm if the employee is testing a data‑masking function. Without careful tuning of sensitive information types and data classifications, the new app‑specific controls could merely shift the noise from one set of applications to another.

The Broader AI Governance Picture

The Purview update is part of a much larger push by Microsoft to position itself as the responsible steward of enterprise AI. In the same timeframe, the company announced expansions to Azure AI Content Safety, deeper integration of Copilot with Purview’s data lifecycle management, and a new “AI governance” dashboard in the Microsoft 365 admin center.

This aligns with what regulators are demanding. The EU AI Act, finalized in 2024, classifies AI systems into risk tiers and mandates rigorous human oversight for high‑risk applications. In the United States, the White House’s Executive Order on AI and subsequent NIST frameworks emphasize real‑time monitoring and access controls for AI models that handle sensitive data. Tools like Purview IRM are Microsoft’s answer to the question, “How do we actually operationalize these principles?”

Analysts see the app‑selection feature as a necessary building block. “You can’t govern what you can’t selectively observe,” said a Gartner analyst during a 2026 Security & Risk Management Summit session. “The ability to scope AI risk monitoring to specific applications resolves a fundamental scalability problem. It’s a prerequisite for any serious AI risk program.”

What’s Next?

The June 2026 release is labeled version 2306 (build 16.0.16501.20000) and rolls out automatically to tenants with an E5 compliance license or the Insider Risk Management add-on. Microsoft’s public roadmap shows several follow‑up items already in development: support for additional AI application categories (including voice‑based assistants), AI‑driven anomaly scoring that learns normal prompt behavior per user, and export of AI‑related risk events to third‑party SIEMs using the Microsoft Graph security API.

Perhaps most intriguing is an experimental feature that will let Purview’s own AI models suggest optimal app‑filter configurations based on an organization’s data sensitivity tags and historical alert patterns. If it works as promised, it could dramatically reduce the upfront tuning effort required and help smaller teams adopt AI governance without deep expertise.

For now, however, the message from Microsoft is clear: AI risk is not a monolithic problem. By giving enterprises the ability to choose which AI applications fall under the insider risk microscope, Purview puts the control back in the hands of security teams—right where it belongs.

Conclusion

The new Microsoft Purview Insider Risk Management update is a critical step toward mature AI governance. It replaces a blunt instrument with a precision tool, allowing organizations to focus their monitoring on the AI applications that pose the greatest threat while dialing down noise from low‑risk tools. As enterprise AI adoption continues its steep climb, capabilities like app‑specific filtering will transition from nice‑to‑have to essential.

Security leaders should begin by auditing their AI landscape, cataloging every tool that employees use for generating, summarizing, or analyzing content. That inventory will feed directly into Purview’s new configuration interface and help shape policies that are both effective and minimally intrusive. The technology is ready; the real work will lie in aligning people, process, and policy to truly tame the age of AI risk.