
AI agents in Copilot Studio and Azure AI Foundry operate autonomously — without anyone monitoring every step. Microsoft Purview Insider Risk Management now extends to agents: behavioural analytics, agent inventory, and DLP policies for autonomous workflows. What can you do with it and how do you get started?
Organisations are increasingly deploying AI agents via Copilot Studio, Azure AI Foundry, and the Agent 365 environment. These agents operate largely autonomously: they retrieve data from SharePoint, process emails, generate reports, and make decisions based on instructions set up weeks earlier. That is exactly the strength of agents — but it is also the point where traditional risk management falls short. Who monitors what an agent does when no one is actively watching?
Microsoft Purview Insider Risk Management now officially extends to AI agents. General availability began in mid-June 2026, giving IT teams structured visibility into agent behaviour and the risks that come with it for the first time.
An employee who sends sensitive files to an external email address has been detected by Insider Risk Management for years. But an agent doing the same thing — autonomously, at greater scale, without a direct human action at every step — falls outside the visibility of traditional monitoring tools.
Agents act on instructions and workflows created by a human, but execute those without continuous supervision. That creates a new attack surface: a poorly configured agent, or one whose instruction set has been altered by someone with unwanted intentions, can access, copy, or forward large amounts of sensitive data in a short time. Examples that surface in practice: a Copilot Studio agent that downgrades sensitivity labels on documents before delivering them to an external system, an agent that requests more user data than its workflow requires, or an agent that carries out actions outside the normal business hours of the organisation.
Microsoft Purview extends its existing IRM functionality — built over years to detect risky human activity — to agent identities. The same behavioural analytics principles are applied, but now to agents that have been given their own identity through Entra ID.
Concretely, the system detects patterns such as: lowering a sensitivity label on a document followed by forwarding it to an external destination, access to files outside the normal scope of an agent's workflow, an unusually high volume of file actions within a short timeframe, and communication with external endpoints not included in the expected agent configuration. Monitoring is active for agents running on Copilot Studio, Azure AI Foundry, and Agent 365. The detection logic distinguishes incidental deviations from structural patterns that point to misconfiguration or abuse. When a pattern exceeds the configured threshold, an alert appears in the IRM work queue for the security team.
Beyond detecting specific risk events, Purview also provides a broader observability layer through Data Security Posture Management for AI. Administrators receive an inventory of all active agents in the tenant, with a risk score and posture indicators for each agent.
This is an overview that is currently missing in most organisations. Agents are built by project teams, divisions, or individual employees via Copilot Studio, and the central IT department often lacks a complete picture of which agents are active, which data sources they query, and what permissions they hold. The inventory function makes this visible. Per agent you see which data sources are used, which sensitivity labels were present on the accessed data, which users activated the agent, and whether any active DLP policy matches have been recorded.
An important consideration when configuring IRM for agents is the role structure around access to agent interaction content. By default, administrators in the Purview portal see metadata about agent activities: timestamp, files involved, the user who activated the agent, and any policy match.
The actual content of an agent prompt or response — the literal text of what the agent processed and returned — is only visible to users holding the Content Explorer Content Viewer role or the Data Security AI Content Viewer role. These roles must be explicitly assigned and are not included in Global Administrator rights by default. This is a deliberate design choice to prevent too many administrators from having unrestricted access to sensitive business communications. It requires IT teams to decide in advance who may access this type of data and to document that decision in the organisation's AI governance policy.
Alongside the detective function of Insider Risk Management, Purview offers a preventive layer via DLP policies that have been extended to AI interactions. You configure policies that evaluate the content of user input or agent prompts and take action the moment sensitive information types are recognised.
In practice, this means you can configure an agent not to respond when a prompt contains a social security number, bank account details, or medical terminology. The agent is blocked or sends a policy notification, depending on the configured action. This is a layer on top of the normal permission structure: an agent with read access to a mailbox can still be stopped by DLP if the data it queries contains classified information. The combination of permission control, DLP, and IRM provides a layered security structure that fits the way agents operate autonomously.
First, take inventory. Use Purview DSPM for AI to get a complete overview of all agents active in your tenant. This overview reveals which agents are operating outside the officially approved scope — for many IT teams, this turns out to be a surprising finding.
Second, check licensing. IRM for agents requires a licence covering Insider Risk Management, typically Microsoft 365 E5 Compliance or the standalone IRM add-on. Verify whether your current licence level includes this before starting configuration.
Third, configure agent policies. Start with the most critical detection patterns: label downgrades followed by exfiltration, unusually high data volumes, and access outside normal business hours. Set thresholds that reflect the normal behaviour in your specific environment.
Fourth, assign the right roles. Determine who within your IT or security team may view actual prompt content and explicitly assign the relevant Purview roles. Document this as part of your organisation's AI governance policy so that, in the event of an incident, there is no ambiguity about who has authority and who bears responsibility.
Want help configuring Purview for your agent environment, setting up DLP policies for AI applications, or running an agent inventory in your tenant? Zarioh helps IT teams build a layered security structure for autonomous AI. Contact us for a no-obligation conversation.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security

Security

Security