Copilot DLP Policies: The CISO’s Configuration Guide

Copilot DLP policies are Data Loss Prevention rules configured in Microsoft Purview that specifically monitor and control how Microsoft 365 Copilot interacts with sensitive data. Unlike traditional DLP that tracks file movement across endpoints and email, Copilot DLP must address a fundamentally different threat model: an AI assistant that aggregates fragments from dozens of documents into a single response, potentially combining information in ways that exceed the sensitivity of any individual source.

This guide walks CISOs and security teams through the complete configuration process for Copilot DLP, from understanding why traditional approaches fall short to deploying prompt-level enforcement and Communication Compliance monitoring.

Why Traditional DLP Fails for Copilot

Traditional DLP was designed for a world where data moves in predictable patterns: a user downloads a file, attaches it to an email, or shares it externally. DLP policies intercept these movements and enforce rules. The data stays in recognizable containers — files, messages, uploads — that DLP can inspect.

Copilot breaks this model. When a user asks Copilot to “summarize the key financial terms from our recent client negotiations,” the AI does not move a file. Instead, it reads across every document, email, and Teams message the user has access to, extracts relevant fragments, and synthesizes them into a new response. That response may contain salary figures from HR documents, deal terms from legal contracts, and revenue projections from finance spreadsheets — none of which were individually flagged by traditional DLP because no file was moved.

The aggregation problem is the core challenge. A Copilot response can be more sensitive than any of its source documents individually, because it combines information that was intentionally siloed across different departments and access boundaries.

The Three Layers of Copilot DLP

Effective Copilot data protection requires three enforcement layers working together. No single layer is sufficient.

Layer 1: Endpoint DLP (Pre-Copilot)

Endpoint DLP remains the first line of defense. Before Copilot ever processes a query, endpoint DLP policies should already be controlling how sensitive files are accessed, modified, and shared on managed devices. This layer prevents sensitive content from being in locations where Copilot can access it in the first place.

Key endpoint DLP configurations for Copilot readiness:

• Block copy-to-clipboard for documents with Highly Confidential sensitivity labels
• Restrict printing and screen capture for regulated content
• Audit access to sensitive file locations that Copilot could reference
• Configure sensitivity label inheritance so new documents created from sensitive sources carry the parent label

Layer 2: Communication DLP (Copilot Interactions)

Microsoft Purview Communication Compliance extends to Copilot interactions. This layer monitors what Copilot says in its responses and flags interactions that contain sensitive information patterns.

Configuration steps for Communication Compliance with Copilot:

1. Navigate to Microsoft Purview Compliance Portal → Communication Compliance
2. Create a new policy selecting “Microsoft 365 Copilot” as the monitored channel
3. Define detection conditions using sensitive information types (SSN, credit card, health records)
4. Configure the review workflow — assign compliance reviewers who will investigate flagged interactions
5. Set severity levels: informational for low-risk matches, high for regulated data types
6. Enable automated alerts to the security operations team for critical matches

Layer 3: Prompt-Level DLP (2026 Addition)

Prompt-level DLP evaluates the user’s input to Copilot — not just the response. This is the newest enforcement layer, introduced in 2026, and it addresses a gap that the first two layers could not cover: users deliberately or inadvertently requesting sensitive information through carefully constructed prompts.

Prompt-level DLP can detect and block queries such as:

• Requests for employee compensation data across departments
• Queries that attempt to access content outside the user’s normal working scope
• Prompts that reference specific regulated data categories (patient health information, student education records)
• Patterns indicating prompt engineering attempts to bypass content restrictions

Configuring Sensitive Information Types for Copilot

Microsoft Purview includes over 300 built-in sensitive information types (SITs), but effective Copilot DLP requires selecting and customizing the right set for your organization. The most impactful SITs for Copilot governance fall into four categories:

Financial data: Credit card numbers, bank account numbers, SWIFT codes, ABA routing numbers. These appear frequently in Copilot responses when users query across financial documents and emails.

Personal identifiers: Social Security numbers, passport numbers, driver’s license numbers, national ID numbers. Copilot can inadvertently surface these from HR documents, benefits enrollment forms, and employee communications.

Health information: ICD-10 codes, drug names in clinical context, patient identifiers. Critical for healthcare organizations or any company with employee health programs.

Custom SITs: Create organization-specific patterns for internal project codenames, unreleased product names, M&A target company names, and other proprietary identifiers that standard SITs will not catch.

Restricted SharePoint Search: The Nuclear Option

Restricted SharePoint Search (RSS) is the most powerful — and most blunt — Copilot control available. When enabled, RSS limits Copilot’s grounding to only the SharePoint site collections you explicitly allow. Everything else is invisible to Copilot regardless of user permissions.

RSS is appropriate when:

• Your sensitivity label coverage is below 80% and you cannot wait for full deployment
• Specific site collections contain regulated data that must never appear in Copilot responses
• You are in the initial deployment phase and want to limit Copilot’s scope while building confidence

RSS configuration:

1. Access the SharePoint Admin Center → Settings → Restricted SharePoint Search
2. Enable the feature and add site collections to the allowed list
3. Copilot will only ground responses using content from allowed sites
4. Review and expand the allowed list quarterly as governance matures

DLP Policy Templates for Regulated Industries

Financial Services Template

Monitor for: credit card numbers, bank account numbers, financial statement fragments, insider trading keywords, material non-public information patterns. Block: Copilot responses containing more than 2 financial identifiers in a single response. Alert: compliance team on any Copilot interaction referencing M&A codenames or unreleased earnings data.

Healthcare Template

Monitor for: patient names with medical record numbers, ICD-10 codes, drug prescriptions, PHI combinations (name + diagnosis + date). Block: any Copilot response containing a complete PHI record as defined by HIPAA. Alert: privacy officer on any Copilot interaction in clinical departments that references patient data.

Legal Template

Monitor for: attorney-client privilege markers, litigation hold references, settlement amounts, opposing counsel communications. Block: Copilot from synthesizing across matters that should be ethically walled. Alert: general counsel on any Copilot interaction that crosses matter boundaries.

Testing and Deployment Workflow

Never deploy Copilot DLP policies directly to enforcement mode. The recommended workflow:

1. Week 1-2: Deploy all policies in audit-only mode. Copilot continues to function normally, but every policy match is logged
2. Week 3: Review audit logs. Identify false positives and adjust detection thresholds
3. Week 4: Conduct tabletop exercise with sample Copilot interactions that should trigger each policy
4. Week 5: Move low-risk policies (informational alerts) to enforcement mode
5. Week 6: Move high-risk policies (blocking rules) to enforcement mode with override justification required
6. Ongoing: Monthly policy review cycle. Adjust as Copilot capabilities expand and new sensitive data patterns emerge

Measuring DLP Effectiveness for Copilot

Track these metrics monthly to assess whether your Copilot DLP policies are working:

• Policy match rate: Number of Copilot interactions flagged per 1,000 total interactions. Baseline this in audit mode, then track post-enforcement
• False positive rate: Percentage of flagged interactions that reviewers classify as non-issues. Target below 15%
• Sensitive data exposure incidents: Confirmed cases where Copilot surfaced protected data to unauthorized users. Target zero
• Mean time to investigation: Average time from DLP alert to completed compliance review
• User override rate: Percentage of blocked interactions where users request and receive an override. High rates suggest policies are too aggressive

Frequently Asked Questions