Employees rarely wait for a formal AI rollout. If ChatGPT, Claude, Gemini, or a niche AI assistant helps them summarize a contract or rewrite a customer email faster, someone is probably already using it.
That speed is useful. The risk is that the prompt may include customer records, source code, HR data, financial forecasts, or regulated information that your organization never meant to send to an unmanaged AI service. Microsoft calls this problem out directly in its shadow AI deployment guidance: before blocking anything, you need to discover which AI apps are being used, who uses them, and whether sensitive data is involved.
The good news? If your organization already uses Microsoft 365 security and compliance tooling, you do not have to start from scratch. Microsoft Purview and Microsoft Defender for Cloud Apps can help you discover shadow AI usage, classify the data flowing into AI tools, apply data loss prevention (DLP), and keep audit evidence for compliance.
In this tutorial, you will build a practical shadow AI governance workflow using Microsoft Purview and Defender for Cloud Apps.
Prerequisites
To follow along, you will need:
-
A Microsoft 365 tenant with Microsoft Purview access.
-
Microsoft Defender for Cloud Apps enabled.
-
Permissions to manage Defender for Cloud Apps discovery and Microsoft Purview DLP policies.
-
Endpoint onboarding for devices you want to protect with Endpoint DLP.
-
Microsoft Purview Audit enabled. Microsoft notes that audit is on by default for new tenants, but verify your tenant before relying on it.
-
A short list of AI apps your organization wants to allow, review, or block.
1. Start with an AI app inventory
Do not begin shadow AI governance by blocking every AI website you can name. That approach usually creates two problems: users find workarounds, and security teams lose visibility.
Start by discovering what is actually happening.
-
Open the Microsoft Defender portal.
-
Go to Cloud Apps —> Cloud Discovery —> Discovered apps.
-
Filter the app catalog by App category —> Generative AI.
-
Review the discovered AI apps, users, IP addresses, upload/download volume, and risk scores.
-
Export or document the top apps by traffic, user count, and risk.

Defender for Cloud Apps assigns risk information to discovered cloud apps, which helps you avoid treating every AI app the same way. A consumer AI chatbot used by 400 employees is a different risk than a vendor-approved AI service used by one department under contract.
As you review each app, place it into one of three buckets:
-
Sanctioned — approved for business use.
-
Unsanctioned — not approved and should be blocked or restricted.
-
Needs review — requires legal, security, procurement, or data protection review before a decision.
This simple classification becomes the backbone of your AI governance program.
2. Tag AI apps as sanctioned or unsanctioned
Once you have an inventory, tag apps in Defender for Cloud Apps.
-
In Defender for Cloud Apps, open the app page for an AI service you reviewed.
-
Choose whether to tag the app as Sanctioned or Unsanctioned.
-
Repeat the process for your highest-risk and highest-volume AI apps first.
-
Revisit the Needs review bucket weekly until each app has an owner and a decision.

Tagging is not just documentation. Microsoft Defender for Cloud Apps cloud discovery policies can use governance actions such as tagging an app as unsanctioned. Microsoft documentation also notes that access can be automatically blocked when a matching policy tags an app as unsanctioned, and secure web gateway integrations can extend those blocking controls.
A good first policy is a high-risk AI discovery policy:
-
Policy type: App discovery policy.
-
Category: Generative AI.
-
Risk score: Low enough to catch questionable apps, but not so broad that every app triggers noise.
-
Usage threshold: Start with high-volume or newly discovered apps.
-
Governance action: Alert the security team or tag as unsanctioned after review.
3. Use Purview to understand what data is at risk
Knowing that users visit AI tools is helpful. Knowing whether they share sensitive data is much more useful.
Microsoft Purview brings information protection and compliance controls into AI governance. Microsoft’s Purview AI documentation describes support across areas such as sensitivity labels, data classification, DLP, Insider Risk Management, Audit, Communication Compliance, eDiscovery, Data Lifecycle Management, and Compliance Manager for supported AI interactions.
Start in Microsoft Purview with data classification:
-
Open the Microsoft Purview portal.
-
Go to Data classification and review built-in sensitive information types.
-
Confirm that common regulated data types are enabled or available, such as credit card numbers, government IDs, health information, and financial identifiers.
-
Create custom sensitive information types for business-specific data, such as customer account numbers, project code names, or internal contract IDs.
-
Review existing sensitivity labels and confirm that high-value content has labels such as Confidential, Highly Confidential, or Regulated.

This step matters because Purview DLP policies can use sensitive information types and sensitivity labels to detect risky AI interactions. If the sensitive data is not classified or labeled, your DLP rules will be weaker.
4. Create an Endpoint DLP policy for AI websites
Now that you know which AI apps exist and what data matters, create a DLP policy that watches for sensitive information being pasted or uploaded to AI tools.
In Microsoft Purview:
-
Go to Data Loss Prevention —> Policies.
-
Create a new policy or copy an existing policy template.
-
Choose the appropriate location. For browser and device activity, use Devices where Endpoint DLP is supported.
-
Add conditions for sensitive information types or sensitivity labels.
-
Add actions for risky activity, such as blocking copy/paste, upload to cloud services, or copying to the clipboard for AI application websites.
-
Start the policy in simulation or test mode.
-
Review alerts and activity before enforcing a block.

Microsoft’s shadow AI guidance recommends running DLP controls in simulation first to understand impact.
A practical first rule might be:
- If a user attempts to paste content containing credit card numbers, government IDs, or a Highly Confidential sensitivity label into a generative AI website, show a policy tip and block the action.
A layered approach gives users a chance to correct mistakes without making security the department of “no.”
5. Handle sanctioned AI differently from unsanctioned AI
Shadow AI governance is not only about blocking bad tools. It is also about making approved tools safer.
For unsanctioned AI apps, use Defender for Cloud Apps, Microsoft Entra, Intune, and network controls to restrict access based on your environment. For example, you might block access at the secure web gateway, prevent installation of unapproved desktop apps with Intune, or restrict OAuth consent for risky apps.
For sanctioned AI apps, keep access available but protect the data:
-
Require users to authenticate with corporate identities where possible.
-
Prefer enterprise versions of AI tools with contractual data protections.
-
Apply Purview DLP to prompts, uploads, and copy/paste events.
-
Monitor for unusual usage patterns in Defender for Cloud Apps.
-
Use labels and access controls so Copilot and other AI experiences do not summarize data users should not access.

This is where Copilot data governance becomes especially important. Microsoft Purview’s AI documentation notes that supported AI apps use existing controls so data stored in your tenant is not returned to a user if the user does not have access to that data. In other words, permissions, sensitivity labels, and DLP still matter. Copilot does not fix oversharing in SharePoint or OneDrive; it can make oversharing easier to notice.
6. Turn AI usage into auditable evidence
AI compliance in 2026 is not just about preventing leakage. You also need to prove that controls exist and that incidents can be investigated.
Use Microsoft Purview to retain and investigate AI-related activity:
-
Verify Microsoft Purview Audit is capturing AI interactions supported by your licenses and configuration.
-
Use Communication Compliance to detect inappropriate or policy-violating prompts where supported.
-
Use Data Lifecycle Management retention policies for AI interaction locations where applicable.
-
Use eDiscovery to preserve, search, review, and export AI prompts and responses during investigations.
-
Use Insider Risk Management and Adaptive Protection for elevated-risk users when your organization has the licensing and governance process to support it.

These controls help answer the questions auditors and leadership will ask:
-
Which AI apps are being used?
-
Who is using them?
-
Was sensitive data shared?
-
Was the app approved?
-
Was the user warned or blocked?
-
Can legal or compliance teams preserve the interaction if needed?
7. Build the operating model
Tools are only half of shadow AI governance. The other half is a repeatable operating model.
Use this lightweight framework:
| Area | Owner | Cadence | Output |
|---|---|---|---|
| AI app discovery | Security operations | Weekly | New and high-risk AI apps |
| App approval | Security, legal, procurement | Biweekly | Sanctioned/unsanctioned decision |
| Data classification | Data owners | Monthly | Updated labels and sensitive information types |
| DLP tuning | Security engineering | Weekly during rollout, monthly after | Reduced false positives and stronger blocks |
| Compliance review | Compliance/legal | Monthly or quarterly | Audit, retention, and investigation evidence |
The goal is not to eliminate AI usage. The goal is to move AI usage from unmanaged to governed.
Wrapping Up
Shadow AI is not going away. Employees will continue to use AI tools because they save time, and business teams will continue to demand faster access to AI-assisted workflows.
Microsoft Purview and Defender for Cloud Apps give you a practical way to manage that reality. Use Defender for Cloud Apps to discover generative AI apps, tag them as sanctioned or unsanctioned, and create discovery policies. Use Purview to classify sensitive data, apply Endpoint DLP to AI websites, audit AI interactions, and retain evidence for compliance.
Start with visibility. Then protect sensitive data. Then enforce access decisions. That sequence gives your users room to adopt AI safely while giving security and compliance teams the control they need.
Sources
-
https://learn.microsoft.com/en-us/purview/deploymentmodels/depmod-data-leak-shadow-ai-step1
-
https://learn.microsoft.com/en-us/purview/deploymentmodels/depmod-data-leak-shadow-ai-step2
-
https://learn.microsoft.com/en-us/purview/deploymentmodels/depmod-data-leak-shadow-ai-step3
-
https://learn.microsoft.com/en-us/purview/deploymentmodels/depmod-data-leak-shadow-ai-step4
-
https://learn.microsoft.com/en-us/purview/ai-microsoft-purview
-
https://learn.microsoft.com/en-us/purview/ai-other-apps
-
https://learn.microsoft.com/en-us/defender-cloud-apps/discovered-apps
-
https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
-
https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp