To fully realize the potential of AI, organizations must pair innovation with responsibility and robust data security. This year, the Data Security Index report builds upon the responses of more than 1,700 security leaders to highlight three critical priorities for protecting organizational data and securing AI adoption:

1. Moving from fragmented tools to unified data security.
2. Managing AI-powered productivity securely.
3. Strengthening data security with generative AI itself.

By consolidating solutions for better visibility and governance controls, implementing robust controls processes to protect data in AI-powered workflows, and using generative AI agents and automation to enhance security programs, organizations can build a resilient foundation for their next wave of generative AI-powered productivity and innovation. The result is a future where AI both drives efficiency and acts as a powerful ally in defending against data risk, unlocking growth without compromising protection.

In this article we will delve into some of the Data Security Index report’s key findings that relate to generative AI and how they are being operationalized at Microsoft. The report itself has a much broader focus and depth of insight.

1. From fragmented tools to unified data security

Many organizations still rely on disjointed tools and siloed controls, creating blind spots that hinder the efficacy of security teams. According to the 2026 Data Security Index, decision-makers cite poor integration, lack of a unified view across environments, and disparate dashboards as their top challenges in maintaining proper visibility and governance. These gaps make it harder to connect insights and respond quickly to risks—especially as data volumes and data environment complexity surge. Security leaders simply aren’t getting the oversight they need.

Why it matters
Consolidating tools into integrated platforms improves visibility, governance, and proactive risk management.

To address these challenges, organizations are consolidating tools, investing in unified platforms like Microsoft Purview that bring operations together while improving holistic visibility and control. These integrated solutions frequently outperform fragmented toolsets, enabling better detection and response, streamlined management, and stronger governance.

As organizations adopt new AI-powered technologies, many are also leaning into emerging disciplines like Microsoft Purview Data Security Posture Management (DSPM) to keep pace with evolving risks. Effective DSPM programs help teams identify and prioritize data‑exposure risks, detect access to sensitive information, and enforce consistent controls while reducing complexity through unified visibility. When DSPM provides proactive, continuous oversight, it becomes a critical safeguard—especially as AI‑powered data flows grow more dynamic across core operations.

We’re trying to use fewer vendors. If we need 15 tools, we’d rather not manage 15 vendor solutions. We’d prefer to get that down to five, with each vendor handling three tools.”

—Global information security director in the hospitality and travel industry

2. Managing AI-powered productivity securely

Generative AI is already influencing data security incident patterns: 32% of surveyed organizations’ data security incidents involve the use of generative AI tools. Understandably, surveyed security leaders have responded to this trend rapidly. Nearly half (47%) the security leaders surveyed in the 2026 Data Security Index are implementing generative AI-specific controls—an increase of 8% since the 2025 report. This helps enable innovation through the confident adoption of generative AI apps and agents while maintaining security.

Why it matters
Generative AI boosts productivity and innovation, but both unsanctioned and sanctioned AI tools must be managed. It’s essential to control tool use and monitor how data is accessed and shared with AI.

In the full report, we explore more deeply how AI-powered productivity is changing the risk profile of enterprises. We also explore several mechanisms, both technical and cultural, already helping maintain trust and reduce risk without sacrificing productivity gains or compliance.

3. Strengthening data security with generative AI

The 2026 Data Security Index indicates that 82% of organizations have developed plans to embed generative AI into their data security operations, up from 64% the previous year. From discovering sensitive data and detecting critical risks to investigating and triaging incidents, as well as refining policies, generative AI is being deployed for both proactive and reactive use cases at scale. The report explores how AI is changing the day-to-day operations across security teams, including the emergence of AI-assisted automation and agents.

Our generative AI systems are constantly observing, learning, and making recommendations for modifications with far more data than would be possible with any kind of manual or quasi-manual process.”

—Director of IT in the energy industry

Turning recommendations into action

As organizations confront the challenges of data security in the age of AI, the 2026 Data Security Index report offers three clear imperatives: unifying data security, increasing generative AI oversight, and using AI solutions to improve data security effectiveness.

1. Unified data security requires continuous oversight and coordinated enforcement across your data estate. Achieving this scenario demands mechanisms that can discover, classify, and protect sensitive information at scale while extending safeguards to endpoints and workloads. Microsoft Purview DSPM operationalizes this principle through continuous discovery, classification, and protection of sensitive data across cloud, software as a service (SaaS), and on-premises assets.
2. Responsible AI adoption depends on strict (but dynamic) controls and proactive data risk management. Organizations must enforce automated mechanisms that prevent unauthorized data exposure, monitor for anomalous usage, and guide employees toward sanctioned tools and responsible practices. Microsoft enforces these principles through governance policies supported by Microsoft Purview Data Loss Prevention and Microsoft Defender for Cloud Apps. These solutions detect, prevent, and respond to risky generative AI behaviors that increase the likelihood of data exposure, policy violations, or unsafe outputs, ensuring innovation aligns with security and compliance requirements.
3. Modern security operations benefit from automation that accelerate detection and response alongside strong oversight. AI-powered agents can streamline threat investigation, recommend policies, and reduce manual workload while maintaining human oversight for accountability. We deliver this capability through Microsoft Security Copilot, embedded across Microsoft Sentinel, Microsoft Entra, Microsoft Intune, Microsoft Purview, and Microsoft Defender. These agents automate threat detection, incident investigation, and policy recommendations, enabling faster response and continuous improvement of security posture.

Stay informed, stay productive, stay protected

The insights we’ve covered here only scratch the surface of what the Microsoft Data Security Index reveals.The full report dives deeper into global trends, detailed metrics, and real-world perspectives from security leaders across industries and the globe. It provides specificity and context to help you shape your generative AI strategy with confidence.

If you want to explore the data behind these findings, see how priorities vary by region, and uncover actionable recommendations for secure AI adoption, read the full 2026 Microsoft Data Security Index to access comprehensive research, expert commentary, and practical guidance for building a security-first foundation for innovation.

Learn more

Learn more about the Microsoft Purview unified data security solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post New Microsoft Data Security Index report explores secure AI adoption to protect sensitive data appeared first on Microsoft Security Blog.

The urgency for a unified AI governance strategy is being driven by stricter regulatory demands, the sheer complexity of managing AI systems across multiple AI platforms and multicloud and hybrid environments, and leadership concerns for risk related to negative brand impact. Centralized, end-to-end governance platforms help organizations reduce compliance bottlenecks, lower operational risks, and turn governance into a strategic driver for responsible AI innovation. In today’s landscape, unified AI governance is not just a compliance obligation—it is critical infrastructure for trust, transparency, and sustainable business transformation.

Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI. Drawing from our internal experience in building, securing, and governing AI systems, we translate these learnings directly into our AI management tools and security platform. As a result, customers benefit from features such as transparency notes, fairness analysis, explainability tools, safety guardrails, regulatory compliance assessments, agent identity, data security, vulnerability identification, and protection against cyberthreats like prompt-injection attacks. These tools enable them to develop, secure, and govern AI that aligns with ethical principles and is built to help support compliance with regulatory requirements. By integrating these capabilities, we empower organizations to make ethical decisions and safeguard their business processes throughout the entire AI lifecycle.

Microsoft’s AI Governance capabilities aim to provide integrated and centralized control for observability, management, and security across IT, developer, and security teams, ensuring integrated governance within their existing tools. Microsoft Foundry acts as our main control point for model development, evaluation, deployment, and monitoring, featuring a curated model catalog, machine learning oeprations, robust evaluation, and embedded content safety guardrails. Microsoft Agent 365, which was not yet available at the time of the IDC publication, provides a centralized control plane for IT, helping teams confidently deploy, manage, and secure their agentic AI published through Microsoft 365 Copilot, Microsoft Copilot Studio, and Microsoft Foundry.

Deeply embedded security systems are integral to Microsoft’s AI governance solution. Integrations with Microsoft Purview provide real-time data security, compliance, and governance tools, while Microsoft Entra provides agent identity and controls to manage agent sprawl and prevent unauthorized access to confidential resources. Microsoft Defender offers AI-specific posture management, threat detection, and runtime protection. Microsoft Purview Compliance Manager automates adherence to more than 100 regulatory frameworks. Granular audit logging and automated documentation bolster regulatory and forensic capabilities, enabling organizations in regulated industries to innovate with AI while maintaining oversight, secure collaboration, and consistent policy enforcement.

Guidance for security and governance leaders and CISOs

To empower organizations in advancing their AI transformation initiatives, it is crucial to focus on the following priorities for establishing a secure, well-governed, and scalable AI framework. The guidance below provides Microsoft’s recommendations for fulfilling these best practices:

We believe we are differentiated in the AI governance space by delivering a unified, end-to-end platform that embeds responsible AI principles and robust security at every layer—from agents and applications to underlying infrastructure. Through native integration of Microsoft Foundry, Microsoft Agent 365, Purview, Entra, and Defender, organizations benefit from centralized oversight and observability across the layers of the organization with consistent protection and operationalized compliance across the AI lifecycle. Our comprehensive approach removes disparate and disconnected tooling, enabling organizations to build trustworthy, transparent, and secure AI solutions that can start secure and stay secure. We believe this approach uniquely differentiates Microsoft as a leader in operationalizing responsible, secure, and auditable AI at scale.

Strengthen your security strategy with Microsoft AI governance solutions

Agentic and generative AI are reshaping business processes, creating a new frontier for security and governance. Organizations that act early and prioritize governance best practices—unified governance platforms, build-in responsible AI tooling, and integrated security—will be best positioned to innovate confidently and maintain trust.

Microsoft approaches AI governance with a commitment to embedding responsible practices and robust security at every layer of the AI ecosystem. Our AI governance and security solutions empower customers with built-in transparency, fairness, and compliance tools throughout engineering and operations. We believe this approach allows organizations to benefit from centralized oversight, enforce policies consistently across the entire AI lifecycle, and achieve audit readiness—even in the rapidly changing landscape of generative and agentic AI.

Explore more

• Read the IDC MarketScape excerpt.
• Learn more about AI Security, Governance and Compliance.
• Read our latest Security for AI blog to learn more about our latest capabilities

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms appeared first on Microsoft Security Blog.

Figure 1: KuppingerCole Generative AI Defense Leadership Compass chart highlighting Microsoft as the top Overall Leader, with other vendors including Palo Alto Networks, Cisco, F5, NeuralTrust, IBM, and others positioned as challengers or followers.

At Microsoft, our approach to Generative AI Defense is grounded in a simple principle: security is a core primitive which must be embedded everywhere – across AI apps, agents, platforms, and infrastructure. Microsoft delivers this through a comprehensive and integrated approach that provides visibility, protection, and governance across the full AI stack.

Our capabilities and controls help organizations address the most pressing challenges CISOs and security leaders face as AI adoption accelerates. We protect against agent sprawl and resource access with identity-first controls like Entra Agent ID and lifecycle governance, alongside network-layer controls that surface hidden shadow AI risks.  We prevent sensitive data leaks with Microsoft Purview’s real-time data loss prevention, classification, and inference safeguards. We defend against new AI threats and vulnerabilities with Microsoft Defender’s runtime protection, posture management, and AI-driven red teaming. Finally, we help organizations stay in compliance with evolving AI regulations with built-in support for frameworks like the EU AI Act, NIST AI RMF, and ISO 42001, so teams can confidently innovate while meeting governance requirements. Foundational security is also built into Microsoft 365 Copilot and Microsoft Foundry, with identity controls, data safeguards, threat protection, and compliance integrated from the start.

Guidance for Security Leaders and CISOs

For CISOs enabling their organizations to accelerate their AI transformation journeys, the following priorities are essential to building a secure, governed, and scalable AI foundation.  This guidance reflects a combination of key recommendations from KuppingerCole and Microsoft’s perspective on how we deliver on those recommendations:

What differentiates Microsoft is the comprehensive set of security capabilities woven into the Microsoft AI agents, apps, and platform. Shared capabilities across Microsoft Entra, Purview, and Defender deliver consistent protection for IT, developers, and security teams, while tools such as Microsoft Agent 365, Foundry Control Plane, and Security Dashboard for AI integrate security and observability directly where AI applications and agents are built, deployed, and governed. Together, these capabilities, including our latest capabilities from Ignite, help organizations deploy AI securely, reduce operational complexity, and strengthen trust across their environment.

Closing Thoughts

Agentic AI is transforming how organizations work, and with that shift comes a new security frontier. As AI becomes embedded across business processes, taking a proactive approach to defense-in-depth, governance, and integrated AI security is essential. Organizations that act early will be better positioned to innovate confidently and maintain trust.

At Microsoft, we recognize that securing AI requires purpose-built, enterprise-ready protection. With Microsoft Security for AI, organizations can safeguard sensitive data, protect against emerging AI threats, detect and remediate vulnerabilities, maintain compliance with evolving regulations, and strengthen trust as AI adoption accelerates. In this rapidly evolving landscape, AI defense is not optional, it is foundational to protecting innovation and ensuring enterprise readiness.

Explore more

• Read the full KuppingerCole Leadership Compass on Generative AI Defense (GAD)
• Learn more about Security for AI
• Read our latest Security for AI blog to learn more about our latest capabilities
• Visit the Microsoft Security site for the latest innovations.

Updated Dec 15, 2025

Version 1.0

The post Microsoft named an overall leader in KuppingerCole Leadership Compass for Generative AI Defense appeared first on Microsoft Security Blog.

A recent Total Economic Impact™ (TEI) of Microsoft Purview study by Forrester Consulting, commissioned by Microsoft, offers valuable insights into how organizations are modernizing their data protection strategies.¹ The study covers the tangible benefits of unifying data security, data governance, and data compliance under a single platform—an approach exemplified by Microsoft Purview.

Why data security is a strategic imperative

In an era where data is the lifeblood of digital operations, the importance of securing that data cannot be overstated. Organizations are increasingly reliant on data to drive decision-making, customer engagement, and innovation. However, this reliance also makes them prime targets for cyberattacks, insider threats, and accidental data leaks. The complexity of hybrid and multi-cloud environments further complicates visibility and control, making a unified data security strategy essential.

Moreover, regulatory bodies around the world are tightening data protection laws, such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Non-compliance can result in hefty fines and reputational damage. For organizations, this means that data security is not just a technical requirement but a business-critical function that supports organizational resilience and trust.

The composite organization in the study faces a 70% annual likelihood of experiencing a data breach, with potential costs exceeding $3.3 million. Yet many enterprises still operate with fragmented tools, manual processes, and limited visibility into where sensitive data resides or how it’s accessed. This lack of visibility increases the risk of insider threats, non-compliance, and operational inefficiencies.

For organizations, this means more time spent reacting to incidents, less time proactively managing risk, and slower access to trusted data, hindering digital transformation.

Key areas of impact

These areas of impact are not isolated; they are interconnected and reinforce one another. For example, improved data classification enhances both breach prevention and compliance automation. Similarly, streamlined investigations reduce the time to respond to incidents, which in turn minimizes potential damage and supports regulatory reporting requirements.

1. Data breach prevention and risk reduction

The 2025 Forrester TEI study of Purview found that organizations achieved a 30% reduction in the likelihood of data breaches by implementing fine-tuned data loss prevention (DLP) policies and gaining visibility into sensitive data across clouds, devices, and applications. This translated into more than $225,000 in annual savings from avoided security incidents and regulatory fines.

Purview helps us determine our data loss prevention (DLP) rules. Now we get alerts to any possible threats to data loss for our privileged information.

—Interviewee, Global Risk and Compliance Director, Food Processing Organization

2. Streamlined security investigations

Security teams reduced investigation time by 75%, freeing up resources to focus on higher-value tasks. With centralized audit logs, automated alerts, and machine learning-informed policies, teams could detect and respond to cyberthreats faster and more effectively.

With Purview, we get alerts for those types of activities so my team and I are notified and can investigate them further.

—Chief Commercial Officer, Financial Services

3. User productivity gains

Users saved 75% of the time previously spent searching for and classifying data. With automated data classification and centralized access, employees could find the data they needed without relying on manual tagging or risking non-compliance.

Compliance teams benefit from simplification of previously manual data classification, compliance, and audit tasks.

4. Compliance automation and audit readiness

Compliance teams reduced manual effort by 60%, thanks to tools that automated classification, retention, and audit workflows. This not only improved regulatory compliance but also elevated the role of compliance from a cost center to a strategic enabler of business agility.

Our records and information management team has gone from being stuck in the corner to now where we get invited to strategic planning meetings.

—Records and Information Management Lead, Government

5. Legacy cost avoidance

By consolidating data security and governance tools, organizations eliminated redundant systems and infrastructure, saving nearly $500,000 over three years. This simplification also reduced IT complexity and improved system interoperability.

Cultural and strategic benefits

Organizations interviewed in the study also reported a cultural shift where data security became a shared responsibility rather than a siloed function. This cultural evolution is critical in fostering a proactive security posture. Employees began to see themselves as stewards of data, leading to more mindful data handling practices and fewer accidental breaches.

Strategically, this shift enabled security and compliance teams to participate in broader business planning. Their insights into data usage and risk became valuable inputs for product development, customer engagement strategies, and operational improvements.

Beyond the numbers, organizations reported a shift in culture and strategy. Security and compliance teams became more integrated with business units. Users became more engaged in protecting data. And leadership gained confidence in their ability to support innovation without compromising security.

The role of unified information governance

Unified information governance simplifies the management of data across its lifecycle—from creation and storage to sharing and deletion. It ensures that policies are consistently applied, reducing the risk of human error and policy drift. This consistency is particularly important in large organizations with diverse teams and global operations.

By integrating governance with security and compliance, organizations can create a more agile data environment. This agility supports faster innovation cycles, as teams can access the data they need without compromising on security or compliance.

A key takeaway from the Total Economic Impact™ (TEI) study is the importance of unified information governance. By consolidating data classification, access control, and compliance monitoring into a single platform, organizations can reduce risk, improve efficiency, and unlock new business value.

Solutions like Microsoft Purview exemplify this unified approach. While not the only option, it demonstrates how integrating data security, compliance, and governance into a single ecosystem can yield measurable business outcomes into a single ecosystem can yield measurable business outcomes.

Next steps for your organization

If you’re looking to modernize your data security and governance strategy, here are three actionable steps:

1. Protect and govern your data estate: Conduct a thorough assessment of your current data landscape to identify and classify sensitive data across your organization.
2. Safeguard your data for AI innovation: Protect sensitive data used in all applications by implementing encryption and rights management controls.
3. Support compliance and regulatory requirements: Stay up to date with evolving regulatory requirements. Microsoft Purview Compliance Manager helps you to stay current with regulations and certifications, and reporting to auditors.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

*Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders. Results are for a composite organization based on interviewed customers.  

¹The financial results calculated in the Benefits and Costs sections can be used to determine the return on investment (ROI), net present value (NPV), and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.  

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.  

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. Present value (PV) calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.  

The post Microsoft Purview delivered 30% reduction in data breach likelihood appeared first on Microsoft Security Blog.

Secure and govern AI apps built with the DeepSeek R1 model on Azure AI Foundry and GitHub 

Develop with trustworthy AI 

Last week, we announced DeepSeek R1’s availability on Azure AI Foundry and GitHub, joining a diverse portfolio of more than 1,800 models.   

Customers today are building production-ready AI applications with Azure AI Foundry, while accounting for their varying security, safety, and privacy requirements. Similar to other models provided in Azure AI Foundry, DeepSeek R1 has undergone rigorous red teaming and safety evaluations, including automated assessments of model behavior and extensive security reviews to mitigate potential risks. Microsoft’s hosting safeguards for AI models are designed to keep customer data within Azure’s secure boundaries. 

With Azure AI Content Safety, built-in content filtering is available by default to help detect and block malicious, harmful, or ungrounded content, with opt-out options for flexibility. Additionally, the safety evaluation system allows customers to efficiently test their applications before deployment. These safeguards help Azure AI Foundry provide a secure, compliant, and responsible environment for enterprises to confidently build and deploy AI solutions. See Azure AI Foundry and GitHub for more details.

Start with Security Posture Management

AI workloads introduce new cyberattack surfaces and vulnerabilities, especially when developers leverage open-source resources. Therefore, it’s critical to start with security posture management, to discover all AI inventories, such as models, orchestrators, grounding data sources, and the direct and indirect risks around these components. When developers build AI workloads with DeepSeek R1 or other AI models, Microsoft Defender for Cloud’s AI security posture management capabilities can help security teams gain visibility into AI workloads, discover AI cyberattack surfaces and vulnerabilities, detect cyberattack paths that can be exploited by bad actors, and get recommendations to proactively strengthen their security posture against cyberthreats.

By mapping out AI workloads and synthesizing security insights such as identity risks, sensitive data, and internet exposure, Defender for Cloud continuously surfaces contextualized security issues and suggests risk-based security recommendations tailored to prioritize critical gaps across your AI workloads. Relevant security recommendations also appear within the Azure AI resource itself in the Azure portal. This provides developers or workload owners with direct access to recommendations and helps them remediate cyberthreats faster. 

Safeguard DeepSeek R1 AI workloads with cyberthreat protection

While having a strong security posture reduces the risk of cyberattacks, the complex and dynamic nature of AI requires active monitoring in runtime as well. No AI model is exempt from malicious activity and can be vulnerable to prompt injection cyberattacks and other cyberthreats. Monitoring the latest models is critical to ensuring your AI applications are protected.

Integrated with Azure AI Foundry, Defender for Cloud continuously monitors your DeepSeek AI applications for unusual and harmful activity, correlates findings, and enriches security alerts with supporting evidence. This provides your security operations center (SOC) analysts with alerts on active cyberthreats such as jailbreak cyberattacks, credential theft, and sensitive data leaks. For example, when a prompt injection cyberattack occurs, Azure AI Content Safety prompt shields can block it in real-time. The alert is then sent to Microsoft Defender for Cloud, where the incident is enriched with Microsoft Threat Intelligence, helping SOC analysts understand user behaviors with visibility into supporting evidence, such as IP address, model deployment details, and suspicious user prompts that triggered the alert. 

Additionally, these alerts integrate with Microsoft Defender XDR, allowing security teams to centralize AI workload alerts into correlated incidents to understand the full scope of a cyberattack, including malicious activities related to their generative AI applications. 

Secure and govern the use of the DeepSeek app

In addition to the DeepSeek R1 model, DeepSeek also provides a consumer app hosted on its local servers, where data collection and cybersecurity practices may not align with your organizational requirements, as is often the case with consumer-focused apps. This underscores the risks organizations face if employees and partners introduce unsanctioned AI apps leading to potential data leaks and policy violations. Microsoft Security provides capabilities to discover the use of third-party AI applications in your organization and provides controls for protecting and governing their use.

Secure and gain visibility into DeepSeek app usage 

Microsoft Defender for Cloud Apps provides ready-to-use risk assessments for more than 850 Generative AI apps, and the list of apps is updated continuously as new ones become popular. This means that you can discover the use of these Generative AI apps in your organization, including the DeepSeek app, assess their security, compliance, and legal risks, and set up controls accordingly. For example, for high-risk AI apps, security teams can tag them as unsanctioned apps and block user’s access to the apps outright.

Comprehensive data security 

In addition, Microsoft Purview Data Security Posture Management (DSPM) for AI provides visibility into data security and compliance risks, such as sensitive data in user prompts and non-compliant usage, and recommends controls to mitigate the risks. For example, the reports in DSPM for AI can offer insights on the type of sensitive data being pasted to Generative AI consumer apps, including the DeepSeek consumer app, so data security teams can create and fine-tune their data security policies to protect that data and prevent data leaks. 

Prevent sensitive data leaks and exfiltration  

The leakage of organizational data is among the top concerns for security leaders regarding AI usage, highlighting the importance for organizations to implement controls that prevent users from sharing sensitive information with external third-party AI applications.

Microsoft Purview Data Loss Prevention (DLP) enables you to prevent users from pasting sensitive data or uploading files containing sensitive content into Generative AI apps from supported browsers. Your DLP policy can also adapt to insider risk levels, applying stronger restrictions to users that are categorized as ‘elevated risk’ and less stringent restrictions for those categorized as ‘low-risk’. For example, elevated-risk users are restricted from pasting sensitive data into AI applications, while low-risk users can continue their productivity uninterrupted. By leveraging these capabilities, you can safeguard your sensitive data from potential risks from using external third-party AI applications. Security admins can then investigate these data security risks and perform insider risk investigations within Purview. These same data security risks are surfaced in Defender XDR for holistic investigations.

This is a quick overview of some of the capabilities to help you secure and govern AI apps that you build on Azure AI Foundry and GitHub, as well as AI apps that users in your organization use. We hope you find this useful!

To learn more and to get started with securing your AI apps, take a look at the additional resources below:  

• AI security posture management in Microsoft Defender for Cloud 
• Threat protection for AI workloads in Microsoft Defender for Cloud
• Get visibility into your DeepSeek use with Defender for Cloud Apps 
• Microsoft Purview data security and compliance protections for generative AI apps 

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Securing DeepSeek and other AI systems with Microsoft Security appeared first on Microsoft Security Blog.

Historically, organizations have relied on the traditional approach to data security and governance, largely involving stitching together fragmented solutions. According to Gartner®, “75% of security leaders are actively pursuing a security vendor consolidation strategy as of 2022.”² Consolidation, however, is no easy feat. In a recent study, more than 95% of security leaders acknowledge that unifying the handling of data security, compliance, and privacy across teams and tools is both a priority and a challenge.³ These approaches often fall short because of duplicate data, redundant alerts, and siloed investigations, ultimately leading to increased data risks. Over time, this approach has been increasingly difficult for organizations to maintain.

Unify how you protect and govern your data with Microsoft Purview

Unlike traditional data security and governance strategies that require disparate solutions to achieve comprehensive data protection, Microsoft Purview is purpose-built to unify data security, governance, and compliance into a single platform experience. This integration aims to reduce complexity, simplify management, and mitigate risk, while helping enhance efficiency across teams to support a culture of collaboration. With Microsoft Purview you can:

• Enable comprehensive data protection.
• Support compliance and regulatory requirements.
• Help safeguard AI Innovation.

What’s new in Microsoft Purview?

To meet our growing customer needs, the team has been delivering a lot of innovation at a rapid pace. In this blog, we’re excited to recap all the new capabilities we announced at Microsoft Ignite last month.

Enable comprehensive data protection

Microsoft Purview enables you to discover, secure, and govern data across Microsoft and third-party sources. Today, Microsoft Purview delivers rich data security capabilities through Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, and Microsoft Purview Insider Risk Management, enhanced with AI-powered Adaptive Protection. To drive AI transformation, you need to build and maintain a strong data foundation, categorized by data that is not just secured but also governed. Microsoft Purview also addresses your data governance needs with the newly reimagined Microsoft Purview Unified Catalog. These data security and data governance products leverage shared capabilities such as a common data catalog, connectors, classifications, and audit logs—helping reduce inconsistencies, inefficiencies, and exposure gaps, commonly experienced by using disparate tools.

Introducing Microsoft Purview Data Security Posture Management

Microsoft Purview Data Security Posture Management (DSPM) provides visibility into data security risks and recommends controls to protect that data. DSPM provides contextual insights, usage analysis, and continuous risk assessments of your data, helping you mitigate risks and enhance data security. With DSPM, you get a shared understanding of key risks through a series of reports that correlate insights across location and type of sensitive data, risky user activities, and common exfiltration channels. In addition, DSPM provides actionable, scenario-based recommendations for detection and protection policies. For example, DSPM can help you create an Insider Risk Management policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a data loss prevention (DLP) policy to block that exfiltration at the same time.

DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users so show the effectiveness of your data security policies over time. And finally, DSPM leverages the power of generative AI through its deep integration with Microsoft Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations—all in natural language.

With DSPM, you can easily identify possible labeling and policy gaps such as unlabeled content and users that aren’t scoped in a DLP policy, unusual patterns and activities that might indicate potential risks, as well as opportunities to adapt and strengthen your data security program.

Figure 1. DSPM overview page provides centralized visibility across data, users, and activities, as well as access to reports.

Learn more about this announcement in the Data Security Posture Management blog.

Increasing data security and security operations center integration

Understanding data and user context is vital for improving security operations and prioritizing investigations, especially when sensitive data is at stake. By integrating insights such as data classification, access controls, and user activity into the security operations center (SOC) experience, organizations can better assess the impact of security incidents, reduce false alerts, and enhance containment efforts. In addition to the already present DLP alerts in the Microsoft Defender XDR incident investigation and data security remediation actions enabled directly from Defender XDR, we’ve also added Insider Risk Management context to the user entity page to provide a more comprehensive view of user activities.

With Microsoft Purview’s latest integration with Microsoft Defender, now in preview, you get insider risk alerts in Defender XDR and can correlate them with incidents. This gives you critical user context for your security investigations. SOC teams can now better distinguish internal incidents from external cyberattacks and refine their response strategies. For more complex analysis to identify risks such as attack patterns, we are integrating insider risk signals into Defender XDR’s Advanced Hunting, giving you deeper insights and allowing you to improve your policies in partnership with data security teams. Together, these advancements allow your organization to stay ahead of evolving cyberthreats, providing a collaborative and data-driven approach to security.

Learn more about this announcement in the Purview Insider Risk Management blog.

Protecting data and preventing sensitive data loss

As AI generates new data in unprecedented volumes, the need to secure that data and prevent the loss of sensitive information has become even more crucial. Our new DLP capabilities help you effectively investigate DLP incidents, fortify existing protections, and refine your overall DLP program. You can now customize Purview DLP to the established processes of your organization with the Microsoft Power Automate connector in preview. This lets you automate and customize your DLP policy actions through Power Automate workflows to integrate your DLP incidents into new or established IT, security, and business operations workflows, like stakeholder awareness or incident remediation.

DLP policy insights in Security Copilot, also in preview, summarize existing DLP policies in natural language and helps you understand any gaps in policy coverage across your environment. This makes it easier for you to quickly and easily understand the full breadth of DLP policy coverage across your organization and address gaps in protection. We are also enhancing DLP protections on endpoints by expanding our file type coverage from more than 40 to more than 110 file types. Users can also now store and view full files on Windows devices as evidence for forensic investigations using Microsoft-managed storage. With the Microsoft-managed option, your admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. Finally, you can now enforce blanket protections on file types that cannot currently be scanned or classified by endpoint DLP, such as blocking copy to removable media for all computer-aided design (CAD) files regardless of those files’ contents. This helps ensure that the diverse range of file types found in your environment are still protected even if they cannot currently be scanned and classified by Microsoft Purview endpoint DLP. 

Learn more about these announcements in our Microsoft Purview Data Loss Prevention blog.

Microsoft Purview Data Governance innovations to drive greater business value

Research indicates that data practitioners spend 80% of their time finding, cleaning, and organizing data, leaving only 20% of time to process and analyze it.⁴ To simplify the data governance practice in the age of AI, the Microsoft Purview Unified Catalog is a comprehensive enterprise catalog that automatically inventories and tags your organization’s critical data assets. This gives your business users the ability to search for specific business data when building analytics reports or AI models. The Unified Catalog gives you visibility and confidence in your data across your disparate data sources and local catalogs with built-in data quality management and end-to-end lineage. You can integrate metadata from diverse catalogs such as Fabric OneLake, Databricks Unity, and Snowflake Polaris, into a unified catalog for all your data stewards, data owners, and business users.

Now in preview, Unified Catalog provides deeper data quality through a new scan engine that supports open standard file and table formats for big data platforms, including Microsoft Fabric, Databricks Unity Catalog, Snowflake, Google Big Query, and Amazon S3. This new scan engine enables rich data quality management at the asset level for improved data quality management at the asset level for overall improved data quality health. Lastly, Microsoft Purview Analytics in OneLake (preview) allows you to extract tenant-specific metadata from the Unified Catalog and export it directly into OneLake. You can then use Microsoft Power BI to analyze the metadata to further understand and report on your data’s quality and lineage.

Learn more about these announcements in our Microsoft Purview Data Governance blog.

Support compliance and regulatory requirements

As regulatory requirements evolve with the proliferation of AI, it is more critical than ever for businesses to keep compliance and privacy top of mind. However, adhering to requirements is becoming increasingly complex, while consequences for non-compliance are growing more severe. Microsoft Purview empowers you to address regulatory demands and comply with corporate policies by offering compliance and privacy controls that are both scalable and adaptable to changing needs.

New templates in Compliance Manager to help simplify compliance

Microsoft Purview Compliance Manager provides insights into your organization’s compliance status through compliance templates and provides suggested actions and next steps to help you along your compliance journey. Compliance Manager continues to add new templates to help you address new and evolving regulations, including templates for the European Union AI Act (EUAI Act), NIST 2 AI, ISO 42001, ISO 23894, Digital Operations Resiliency Act (DORA), and additional industry and regional regulations. Compliance Manager now includes historical records that help track your organization’s compliance and provides actionable next steps to understand how new regulations or policies affect your compliance score over time. In addition, you can now leverage custom templates to address both regulatory and your organization’s specific policies and preferences.

Figure 2. EUAI Act Assessment in Compliance Manager.

Learn more about this announcement in the Microsoft Purview Compliance Manager blog.

New Microsoft Purview controls for ChatGPT Enterprise with integration with OpenAI for improved compliance

Microsoft Purview now integrates with ChatGPT Enterprise, allowing you to gain visibility and govern the prompts and responses of your ChatGPT Enterprise interactions. This integration, currently in preview, includes Microsoft Purview Audit for auditing ChatGPT Enterprise interactions, Microsoft Purview Data Lifecycle Management for enabling retention and deletion policies, Microsoft Purview Communication Compliance to proactively detect regulatory and corporate policy violations, and Microsoft Purview eDiscovery to streamline legal investigations.

Learn more about all these announcements in our Security for AI blog.   

Microsoft Purview is built to help safeguard AI Innovation

With the rapid adoption of AI, new vulnerabilities have emerged, highlighting the need for strong data security and governance of AI workloads. Microsoft Purview is built to secure and govern data related to pre-built and custom-built AI apps.

Introducing Microsoft Data Security Posture Management for AI (DSPM for AI)

Security teams often find themselves in the dark when it comes to data security and compliance risks associated with AI usage. Without proper visibility, organizations often struggle to safeguard their AI assets effectively. DSPM for AI, now generally available, gives you visibility through a centralized dashboard and reports, enables you to proactively discover and manage your AI-related data risks, such as sensitive data in user prompts, and gives you actionable recommendations and real-time insights to respond effectively to security incidents.

Microsoft Purview controls for Microsoft 365 Copilot help prevent data oversharing

Data oversharing occurs when users have access to more data than necessary for their job duties. Organizations need effective data security controls to help mitigate this risk. At Microsoft Ignite we announced a number of new Microsoft Purview capabilities in preview to prevent data oversharing in Microsoft 365 Copilot.

Data oversharing assessments: Discover data that is at risk of oversharing by scanning files containing sensitive data, identifying risky data sources such as SharePoint sites with overly permissive user access, and by providing recommendations such as auto-labeling policies and default labels to prevent sensitive data from being overshared. The oversharing assessment report can identify unlabeled files accessed by users before deploying Copilot or can be run post-deployment to identify sensitive data referenced in Copilot responses. 

Label-based permissions: Microsoft 365 Copilot honors permissions based on sensitivity labels assigned by Microsoft Purview when referencing sensitive documents.

Purview DLP for Microsoft 365 Copilot: You can create DLP policies to exclude documents with specified sensitivity labels from being processed, summarized, or used in responses in Microsoft 365 Copilot, preventing sensitive data from being inadvertently overshared.

New Microsoft Purview capabilities to detect risky activities in Microsoft 365 Copilot

Security teams need ways to detect risky use of AI applications like deliberate or accidental access to sensitive data, jailbreaks, and copyright violations. Insider Risk Management and Communication Compliance now provide risky AI usage indicators, a policy template, and an analytics report in preview to help detect and investigate the risky use of AI. These new capabilities not only help detect risky activities and prompts but also integrate with Microsoft Defender XDR, enabling your security teams to investigate new AI-related risks holistically alongside other risks, such as identity risks through Microsoft Entra and data oversharing and data loss risks through Purview DLP.

New Microsoft Purview capabilities for agents built with Microsoft Copilot Studio

When new and citizen developers are building low code or no-code AI, they often lack security expertise and tools to enable security and compliance controls. Microsoft Purview now provides data controls for agents built in Copilot Studio to enable low code and no-code developers to build more secure agents. For example, when an agent built with Copilot Studio accesses sensitive data, it will recognize and honor the sensitivity labels of the data being accessed. Microsoft Purview will also protect sensitive data generated by the agent through label inheritance and will enforce label permissions, ensuring only authorized users have access.

Data security admins also get visibility into the sensitivity of data in user prompts and agent responses within DSPM for AI. Moreover, Microsoft Purview will enable you to detect anomalous user activity and risky or non-compliant AI use and apply retention or deletion policies on your agent prompts and responses. These new controls give you visibility and and insights into risks for your agents built with Copilot Studio, strengthening your data security posture.

Learn more about all these announcements in our Security for AI blog.   

Unified solutions that empower your organization

As you navigate the complexities of AI proliferation, regulatory requirements, and security threats, we are excited to innovate, invest in, and expand the capabilities of Microsoft Purview to address your most pressing data security, governance, and compliance challenges.

Get started with Microsoft Purview today

To get started, we invite you to try Microsoft Purview free and to learn more about Microsoft Purview today.

• Read the Data Security Index report.
• Read our new whitepaper: Accelerating AI transformation by prioritizing security, a path to implementing effective security for AI that enables innovation.
• Watch Microsoft Purview sessions from Microsoft Ignite.
• Try Microsoft Purview for free.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹Microsoft internal research, May 2023. 

²Gartner, Innovation Insight for Security Platforms, Peter Firstbrook, Craig Lawson. October 16, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. 

³Microsoft internal research, August 2024. 

⁴Overcoming the 80/20 Rule in Data Science, Pragmatic Institute.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

84% of surveyed organizations want to feel more confident about managing and discovering data input into AI apps and tools. This report includes research to provide you with the actionable industry-agnostic insights and guidance to better secure your data used by your generative AI applications. 

Microsoft Data Security Index

Gain deeper insights about generative AI and its influence on data security.

Discover more

In 2023, we commissioned our first independent research that surveyed more than 800 data security professionals to help business leaders develop their data security strategies. This year, we expanded the survey to 1,300 security professionals to uncover new learnings on data security and AI practices.   

Some of the top-level insights from our expanded research are:  

1. The data security landscape remains fractured across traditional and new risks due to AI.
2. User adoption of generative AI increases the risk and exposure of sensitive data.
3. Decision-makers are optimistic about AI’s potential to boost their data security effectiveness.

The data security landscape remains fractured across traditional and new risks

On average, organizations are juggling 12 different data security solutions, creating complexity that increases their vulnerability. This is especially true for the largest organizations: On average, medium enterprises use nine tools, large enterprises use 11, and extra-large enterprises use 14. In addition, 21% of decision-makers cite the lack of consolidated and comprehensive visibility caused by disparate tools as their biggest challenge and risk.

Fragmented solutions make it difficult to understand data security posture since data is isolated and disparate workflows could limit comprehensive visibility into potential risks. When tools don’t integrate, data security teams have to build processes to correlate data and establish a cohesive view of risks, which can lead to blind spots and make it challenging to detect and mitigate risks effectively.

As a result, the data also shows a strong correlation between the number of data security tools used and the frequency of data security incidents. In 2024, organizations using more data security tools (11 or more) experienced an average of 202 data security incidents, compared to 139 incidents for those with 10 or fewer tools.

In addition, a growing area of concern is the rise in data security incidents from the use of AI applications, which nearly doubled from 27% in 2023 to 40% in 2024. Attacks from the use of AI apps not only expose sensitive data but also compromise the functionality of the AI systems themselves, further complicating an already fractured data security landscape.

In short, there’s an increasingly urgent need for more integrated and cohesive data security strategies that can address both traditional and emerging risks linked to the use of AI tools.

Adoption of generative AI increases the risk and exposure of sensitive data

User adoption of generative AI increases the risk and exposure of sensitive data. As AI becomes more embedded in daily operations, organizations recognize the need for stronger protection. 96% of companies surveyed admitted that they harbored some level of reservation about employee use of generative AI. However, 93% of companies also reported that they had taken proactive action and were at some stage of either developing or implementing new controls around employee use of generative AI.  

Unauthorized AI applications can access and misuse data, leading to potential breaches. The use of these unauthorized AI applications often occurs with employees logging in with personal credentials or using personal devices for work-related tasks. On average, 65% of organizations admit that their employees are using unsanctioned AI apps.

Given these concerns, it is important for organizations to implement the right data security controls and to mitigate these risks and ensure that AI tools are used responsibly. Currently, 43% of companies are focused on preventing sensitive data from being uploaded into AI apps, while another 42% are logging all activities and content within these apps for potential investigations or incident response. Similarly, 42% are blocking user access to unauthorized tools, and an equal percentage are investing in employee training on secure AI use.

To implement the right data security controls, customers need to increase their visibility of their AI application usage as well as the data that is flowing through those applications. In addition, they need a way to assess the risk levels of emerging generative AI applications and be able to apply conditional access policies to those applications based on a user’s risk levels.

Finally, they need to be able to access audit logs and generate reports to help them assess their overall risk levels as well as provide transparency and reporting for regulatory compliance.

AI’s potential to boost data security effectiveness

Traditional data security measures often struggle to keep up with the sheer volume of data generated in today’s digital landscape. AI, however, can sift through this data, identifying patterns and anomalies that might indicate a security threat. Regardless of where they are in their generative AI adoption journeys, organizations that have implemented AI-enabled data security solutions often gain both increased visibility across their digital estates and increased capacity to process and analyze incidents as they are detected.

77% of organizations believe that AI will accelerate their ability to discover unprotected sensitive data, detect anomalous activity, and automatically protect at-risk data. 76% believe AI will improve the accuracy of their data security strategies, and an overwhelming 93% are at least planning to use AI for data security.

Organizations already using AI as part of their data security operations also report fewer alerts. On average, organizations using AI security tools receive 47 alerts per day, compared to an average 79 alerts among those that have yet to implement similar AI solutions.

AI’s ability to analyze vast amounts of data, detect anomalies, and respond to threats in real-time offers a promising avenue for strengthening data security. This optimism is also driving investments in AI-powered data security solutions, which are expected to play a pivotal role in future security strategies.

As we look to the future, customers are looking for ways to streamline how they discover and label sensitive data, provide more effective and accurate alerts, simplify investigations, make recommendations to better secure their data environments, and ultimately reduce the number of data security incidents.

Final thoughts 

So, what can be made of this new generative AI revolution, especially as it pertains to data security? For those beginning their adoption roadmap or looking for ways to improve, here are three broadly applicable recommendations:  

• Hedge against data security incidents by adopting an integrated platform.
• Adopt controls for employee use of generative AI that won’t impact productivity. 
• Uplevel your data security strategy with help from AI.

Gain deeper insights about generative AI and its influence on data security by exploring Data Security Index: Trends, insights, and strategies to keep your data secure and navigate generative AI. There you’ll also find in-depth sentiment analysis from participating data security professionals, providing even more insight into common thought processes around generative AI adoption. For further reading, you can also check out the Data Security as a Foundation for Secure AI Adoption white paper. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post Microsoft Data Security Index annual report highlights evolving generative AI security needs appeared first on Microsoft Security Blog.

Data security as a foundation for secure AI adoption

Learn the four steps organizations can take to prepare their data for AI.

Get the whitepaper

Preparing data for AI adoption

In a recent survey on the state of generative AI, business leaders expressed optimism on the potential of AI, but shared their struggle to gain full visibility into their AI programs—creating data security and compliance risks.² 58% of organizations surveyed expressed concern about the unsanctioned use of generative AI at their companies, and the general lack of visibility into it. And 93% of leaders report heightened concern about shadow AI—unsanctioned or undetected AI usage by employees.³ Our whitepaper walks through four key steps organizations can take to prepare their data for AI and includes a detailed checklist at each stage. The stages include knowing your data, governing your data, protecting your data, and preventing data loss. Taking these steps and understanding how to prepare your data properly for AI tools can help mitigate leader concerns and decrease data risk.

Choosing which AI to deploy

Once you secure your data and prepare to deploy AI, how do you decide which generative AI application is best for your organization? For many customers, choosing AI that integrates with their existing Microsoft 365 apps helps maintain security and maximize their current technology investments.

Copilot for Microsoft 365 is integrated into Microsoft 365 apps so that it understands a user’s work context, is grounded in Microsoft Graph to provide more personalized and relevant responses, and can connect to business data sources to reason over all of user’s enterprise data. Copilot inherits Microsoft 365 controls and commitments, such as access permissions, as well as data commitments and controls for the European Union Data Boundary, providing customers with comprehensive enterprise data protection. And with Microsoft Purview, Copilot customers receive real-time data security and compliance controls seamlessly integrated into their organization’s Microsoft 365 deployment.

Secure and govern usage of Copilot for Microsoft 365

As organizations deploy Copilot and other generative AI applications, they want to get ahead of the inherent risks of data being shared with generative AI applications—including data oversharing, data leakage, and non-compliant use of generative AI apps. In the whitepaper, we walk through the steps you can take to discover and protect your organization data as it interacts with AI, then how to govern usage of Copilot once it is deployed. Many organizations also choose to add Microsoft Purview, which provides value like Microsoft Purview AI Hub to help you gain visibility into how your organization is already using AI, including insights into sensitive data being shared with AI applications. The whitepaper shares more detail on the AI Hub interface, its capabilities, and insights into the risks identified by Microsoft Purview. It also shows how you can protect sensitive data throughout its AI journey, with information on sensitivity labeling, data security controls, and data loss prevention capabilities.

The whitepaper also details how your organization can prioritize compliance obligations with Microsoft Purview, assess your compliance with existing AI regulations, and conduct legal investigations for incidents where AI interactions were involved.

Gain the confidence to innovate with AI, securely

Implementing the strategies described in our whitepaper—Data security as a foundation for secure AI adoption—can help give your organization the confidence to explore new avenues and opportunities with AI while protecting and governing your data to minimize security risks and stay ahead of compliance obligations.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

¹PwC AI Analysis—Sizing the Prize, PwC.

²The 2023 State of Generative AI Survey, Portal26.

³As Companies Eye Generative AI to Improve Productivity and Growth, Two-thirds Admit to GenAI-related Security or Misuse Incident in the Last Year, Yahoo.

The post New Microsoft whitepaper shares how to prepare your data for secure AI adoption appeared first on Microsoft Security Blog.

This week, we are thrilled to announce the expansion of the Microsoft Priva family of products. Microsoft Priva was introduced in 2021 to help organizations navigate the complex world of privacy operations. The expansion of Microsoft Priva brings automated capabilities to help organizations meet adapting privacy requirements related to personal data.

Microsoft Priva

Protect personal data, automate risk mitigation, and manage subject rights requests at scale.

Explore product family

“Understanding and managing privacy is crucial for our clients. Exponential flows of sensitive data and emerging technologies such as generative AI have amplified the need for a strong privacy solution; we are confident in Microsoft’s vision to take on this challenge with Microsoft Priva. The richness of data and activities in Microsoft 365 and Priva’s ability to monitor and action on related workflows allows for a proactive approach to privacy. This capability aligns with our commitment to privacy and data protection, reinforcing our partnership with Microsoft to serve our global clients with solutions that address their privacy management needs.”

—Jon Kessler, Vice President, Information Governance, Epiq Legal Solutions

What will the Priva family address?

In today’s digital landscape, people’s awareness of data privacy has surged to unprecedented levels. Individuals are increasingly aware of the intricate web of data points that define their online existence and how their data is collected and used. This has prompted a collective call for the safeguarding of personal information from unwarranted intrusions and establishing ways for people to take control of their personal data. The public has become more discerning about the need for stringent measures to protect their sensitive data and keep it private. The heightened awareness surrounding individual data privacy rights is not merely a fleeting trend—it’s a fundamental shift in the way society perceives and values the sanctity of personal information.

In response to this evolving landscape, the need to build and maintain customer trust has never been more pronounced. Privacy solutions have emerged to empower organizations to establish transparent and ethical data practices. Building customer trust is about a commitment to empowering individuals to have control over their own data.

Robust privacy solutions are essential for regulatory adherence and in cultivating a culture of transparency, accountability, and respect for user privacy. By embracing more robust privacy solutions, organizations not only fortify their defenses, but they also embark on a journey to forge enduring relationships with their customers—relationships based on mutual trust and data integrity. Beyond regulatory compliance, organizations should use transparent data practices to gain deeper insights into customer preferences, behaviors, and trends. This managed data can become a strategic asset—enabling more informed decision-making, delivering targeted marketing to customers who’ve consent to receive it, and developing personalized services. Prioritizing privacy is not just a legal necessity but a pathway to extracting meaningful and sustainable value from the wealth of data at an organization’s disposal.

Microsoft Priva is here to help your organization meet privacy and compliance requirements

Organizations must mitigate risk for privacy non-compliance and be ready for new and emerging regulations. They need an end-to-end solution that helps them oversee and establish privacy protocols across their entire organization. Microsoft Priva solutions support privacy operations across entire data estates—paving quick and cost-effective paths to meet privacy regulations and avoid the risks of non-compliance. With the Microsoft Priva family, organizations can automate the management, definition, and tracking of privacy procedures at scale to ensure personal data stays private, secure, and compliant with regulations. Let’s take a quick look at each member of the family.

Microsoft Priva Privacy Assessments

Build the foundation of your privacy posture with Microsoft Priva Privacy Assessments—a solution that automates the discovery, documentation, and evaluation of personal data use across your entire data estate. Automate privacy assessments and build a complete compliance record for the responsible use of personal data. Embed your custom privacy risk framework into each assessment to programmatically identify the factors contributing to privacy risk. Lower organizational risk and build trust with your data subjects. Priva Privacy Assessments help at any stage of the privacy journey, enabling you to fully utilize your company’s data while ensuring its proper use.

Key features

• Automate the creation of privacy assessments: Discover and document personal data usage across your data estate through easily created custom assessments.
• Monitor personal data usage: Automate monitoring for changes in data processing activities that require privacy compliance actions.
• Evaluate privacy risks: Design a personalized privacy risk framework and use automated risk analysis based on the data usage information obtained from a privacy assessment.

Microsoft Priva Privacy Risk Management

Microsoft Priva Privacy Risk Management is here to empower you to simplify the identification of unstructured personal data usage. Priva Privacy Risk Management enables you to automate risk mitigation through easily definable policies that conform to your specific needs. It can also help you build a privacy-resilient workplace by identifying personal data and critical privacy risks around it, automating risk mitigation to prevent privacy incidents, and empowering employees to make smart data handling decisions.

Key features

• Identify personal data and critical privacy risks: Gain visibility into your personal data and associated privacy risks arising from overexposure, hoarding, and transfers with automated data discovery, user mapping intelligence, and correlated signals.
• Automate risk mitigation and prevent privacy incidents: Effectively mitigate privacy risks and prevent privacy incidents with automated policies and recommended user actions.
• Empower employees to make smart data handling decisions: Foster a proactive privacy culture by increasing awareness of and accountability towards privacy risks without hindering employee productivity.

Microsoft Priva Tracker Scanning

With data privacy regulation laws surrounding tracking technologies continuously evolving—and fines for non-compliance exponentially increasing—organizations need a platform that enables them to avoid risk and standardize tracking compliance at scale. Microsoft Priva Tracker Scanning empowers organizations to automate the discovery and categorization of tracking technologies—including cookies, pixels, and beacons—across all their websites. With Priva Tracker Scanning, organizations can remediate risks for tracker non-compliance, effectively monitor website compliance, and easily address compliance issues. Priva Tracker Scanning enables your organization to embolden your privacy posture for maximum control and visibility.

Key features

• Register and scan web domains: Automate scans for various forms of trackers—empowering you to quickly identify and categorize all tracking technologies on your websites.
• Evaluate and manage web trackers: Use flexible scan configurations to easily identify missing compliance elements across your websites.
• Streamline compliance reporting: Scan for areas of non-compliance and monitor compliance issues throughout the lifecycle of websites.

Microsoft Priva Consent Management

Gain better value from your user-consented data and meet today’s most challenging data privacy regulations with an approach to streamlining consent management and consented data usage. Built by harnessing Microsoft’s extensive experience and expertise in privacy operations, Microsoft Priva Consent Management provides a solution for bolstering your organization’s personal data consent management and publishing capabilities in a simplified and streamlined manner.

Key features

• Create customizable and regulatory-compliant consent models: Quickly author dynamic consent models using prebuilt templates for easy deployment.
• Streamline the deployment of consent models: Use a centralized process to publish consent models at scale to multiple regions.
• Organization specific layouts: Create on-brand layouts for consent models that conform to changing business needs.

Microsoft Priva Subject Rights Requests

With personal data often distributed across multiple environments, organizations need a solution that enables them to fulfill and manage subject rights requests across their entire data estate for maximum visibility. Crafted from Microsoft’s extensive experience and expertise in data privacy operations, Microsoft Priva Subject Rights Requests is a next-generation privacy solution that enables organizations to automate the fulfillment of subject rights requests across their on-premises, hybrid, and multicloud environments. With Priva Subject Rights Request, organizations can manage the access, deletion, and export of subject rights requests across their entire data landscape. to help build trust with customers.

Key features

• Efficiently manage subject rights requests: Streamline the fulfillment of subject rights request tasks using configurable settings within your workflows, providing end-to-end oversight of subject rights request operations.
• Discover personal data across various data types and locations: Discover and manage subject rights requests across multicloud data estates, including Microsoft Azure, Microsoft 365, and third-party data sources like Amazon Web Services, Google Cloud Platform, and more.
• Create low-code data agents to automate task fulfillment: Create low-code agents to automatically find and fulfill personal data requests using Microsoft Power Automate.

Learn more about new Priva capabilities at the IAPP Global Privacy Summit

From April 2 to 5, 2024, the world’s largest forum for exploring privacy and data protection law, regulation, policy, management, and operations takes place in Washington, D.C. The International Association of Privacy Professionals (IAPP) Summit is a key event for information privacy professionals to learn about innovative solutions and expand your privacy and data protection network. Microsoft will have a strong presence with a spotlight feature, breakout sessions, and networking events. Check the agenda for times and locations for these events and more:

Spotlight stage: Microsoft Priva Privacy—Paul Brightmore, Head of Product for Microsoft Privacy, and Terrell Cox, Vice President (VP) of Privacy Engineering at Microsoft, will be featured on the spotlight stage sharing about Microsoft Priva privacy solutions.

Breakout session: Managing Privacy at Scale—Explore how large organizations keep pace with today’s privacy obligations, share strategies and tools available to manage privacy at scale, and share updates on the latest privacy governance tools. Get insight into the emerging role of AI in managing privacy.

Mainstage session: Regulator’s Agenda—Shifting Priorities and Practices—Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, moderates this discussion where you’ll learn the top priorities of privacy authorities, understand how AI governance factors into the Data Protection Authorities’ 2024 plans, and review lessons learned from recent privacy enforcement actions.

VIP reception—Microsoft is hosting this event to bring privacy experts together on April 3, 2024. This event promises an engaging showcase of Priva demonstrations, enriching conversations, and valuable insights within the field of privacy. 

CDT Spring Fling—Microsoft is the lead sponsor of this reception organized in partnership with the Center for Democracy in Technology. The event includes a panel discussion on AI as a catalyst for ushering in the next era of data governance. Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, will be speaking on this panel.

LGBTQ+ Allies After Party—Registration and tickets are required in advance for this Wednesday, April 3, 2024, afterparty at Pitchers. We hope to see you there.

Optimize your privacy operations today, and streamline compliance adherence

Thanks for taking the time to get to know the members of the Microsoft Priva suite of products. We’re so excited to continue to be your trusted partner in helping you meet your privacy and compliance regulations. Please check in on the Priva family from time to time to stay informed about our products.

Interested in learning more now? Head over to the Microsoft Priva homepage. To get a deeper dive into our product capabilities, read our Tech Community post or watch our video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft Priva announces new solutions to help modernize your privacy program appeared first on Microsoft Security Blog.

NIS2 key features 

As we take a closer look at the key features of NIS2, we see the new directive includes risk assessments, multifactor authentication, security procedures for employees with access to sensitive data, and more. NIS2 also includes requirements around supply chain security, incident management, and business recovery plans. In total, the comprehensive framework ups the bar from previous requirements to bring: 

• Stronger requirements and more affected sectors.
• A focus on securing business continuity—including supply chain security.
• Improved and streamlined reporting obligations.
• More serious repercussions—including fines and legal liability for management.
• Localized enforcement in all EU Member States. 

Preparing for NIS2 may take considerable effort for organizations still working through digital transformation. But it doesn’t have to be overwhelming. 

NIS2 guiding principles guide

Get started on your transformation with three guiding principles for preparing for NIS2.

Download the guide today

Proactive defense: The future of cloud security

At Microsoft, our approach to NIS2 readiness is a blend of technical insight, innovative strategies, and deep legal understanding. We’re dedicated to nurturing a security-first mindset—one that’s ingrained in every aspect of our operations and resonates with the tech community’s ethos. Our strategy for NIS2 compliance addresses the full range of risks associated with cloud technology. And we’re committed to ensuring that Microsoft’s cloud services set the benchmark for regulatory compliance and cybersecurity excellence in the tech world. Now more than ever, cloud technology is integral to business operations. With NIS2, organizations are facing a fresh set of security protocols, risk management strategies, and incident response tactics. Microsoft cloud security management tools are designed to tackle these challenges head-on, helping to ensure a secure digital environment for our community.  

NIS2 compliance aligns to the same Zero Trust principles addressed by Microsoft Security solutions, which can help provide a solid wall of protection against cyberthreats across any organization’s entire attack surface. If your security posture is aligned with Zero Trust, you’re well positioned to assess and help assure your organization’s compliance with NIS2. 

For effective cybersecurity, it takes a fully integrated approach to protection and streamlined threat investigation and response. Microsoft Security solutions provide just that, with: 

• Microsoft Sentinel – Gain visibility and manage threats across your entire digital estate with a modern security information and event management (SIEM). 
• Microsoft XDR – Stop attacks and coordinate response across assets with extended detection and response (XDR) built into Microsoft 365 and Azure. 
• Microsoft Defender Threat Intelligence – Expose and eliminate modern threats using dynamic cyberthreat intelligence. 

Next steps for navigating new regulatory terrain 

The introduction of NIS2 is reshaping the cybersecurity landscape. We’re at the forefront of this transformation, equipping tech professionals—especially Chief Information Security Officers and their teams—with the knowledge and tools to excel in this new regulatory environment. To take the next step for NIS2 in your organization, download our NIS2 guiding principles guide or reach out to your Microsoft account team to learn more. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Explore data security resources and trends

Gain insights into the latest data security advancements, including expert guidance, best practices, trends, and solutions.

Get started

The post Navigating NIS2 requirements with Microsoft Security solutions appeared first on Microsoft Security Blog.