Governing AI Shadow IT with the Microsoft Purview Browser Extension

Discover how the Microsoft Purview Browser Extension can help protect sensitive data in AI tools like ChatGPT, without infringing on user privacy.

AI tools like ChatGPT, Bard, and Claude are transforming the workplace. From customer service to content creation, employees are increasingly turning to them as productivity boosters. But with this innovation comes a challenge:

⚠️ How do you protect sensitive company data from being unintentionally exposed, while still enabling the benefits of AI?

The answer: the Microsoft Purview Browser Extension — a lightweight, privacy-first tool that gives organizations visibility and control over browser activity without becoming intrusive. When combined with Endpoint DLP, Insider Risk Management (IRM), and Data Security Posture Management (DSPM) for AI, it provides a powerful way to govern risky behavior, including shadow AI.

This post covers:

  • A four-step guide to using DSPM for AI to monitor and manage risky behavior without compromising privacy
  • What the Purview Browser Extension is and why it matters
  • How it works alongside Endpoint DLP and Insider Risk Management (IRM)

The Risk of AI Shadow IT

Employees are experimenting with GenAI tools in their browsers, often outside IT’s control. This creates blind spots where:

  • Confidential data is pasted into ChatGPT or Bard
  • Sensitive documents are uploaded to personal storage
  • Business information is shared over social media or Gmail
  • Staff visit competitor or job search sites during work

Left unmanaged, this activity increases compliance risks, insider threats, and potential regulatory breaches under GDPR, UK DPA, and emerging frameworks like the EU AI Act.


Meet the Purview Browser Extension

The Purview Browser Extension is a policy-based monitoring tool that integrates directly with Microsoft Purview. Available for Edge, Chrome, and Firefox, it:

  • Works seamlessly with Endpoint DLP and Insider Risk Management
  • Activates only when a user’s action violates policy — protecting privacy
  • Logs activity metadata (e.g., site visited, type of sensitive info, labels applied)
  • Respects compliance boundaries (data residency, RBAC, no eDiscovery exposure)

Think of it like a motion-activated camera: it doesn’t continuously track browsing, but switches on when risky behavior is detected.


What It Monitors (and What It Doesn’t)

When a policy is triggered, it can capture:

  • AI site visited (e.g., ChatGPT, Bard, Claude)
  • Timestamp and frequency of visits
  • Username and IP address
  • DLP matches (sensitive info types, file names, labels)
  • Policy action taken (block, warn, log)

🛑 It never collects:

  • Full browsing history
  • AI prompts or responses
  • File contents, unless tied to a DLP violation

This “privacy by design” approach ensures organizations balance trust with protection.


Why It Matters for Compliance

For IT security, the extension prevents data leakage into unmanaged AI tools.
For compliance teams, it provides audit-ready evidence of how data is shared — without blanket monitoring.
For governance professionals, it reduces uncontrolled data duplication and aligns with regulatory frameworks like ISO 27001, NIST AI RMF, and the EU AI Act.


Four Steps to Governing AI with Purview

To get from risk to control, follow these steps:

Step 1 – Onboard Devices into Microsoft Purview

Extend Purview compliance capabilities to your managed devices. This enables Endpoint DLP and Insider Risk signals. Once onboarded, you can detect when users copy, paste, or upload sensitive data into unapproved AI sites.

[Screenshot: how to onboard devices into Purview]

Step 2 – Enable the Microsoft Purview Browser Extension

Use Intune or another device management tool to push the extension to Edge, Chrome, and Firefox. It applies your Endpoint DLP and IRM policies directly inside the browser, monitoring uploads, form entries, and copy/paste actions.

[Screenshot: how to deploy the Purview Browser Extension for Google Chrome]

Step 3 – Enable DSPM for AI One-Click Policies

Microsoft Purview now includes Data Security Posture Management (DSPM) for AI with pre-built one-click policies. These:

  • Detect sensitive data before it’s shared with AI services
  • Apply AI-optimized DLP and IRM rules automatically
  • Trigger protective actions (block, warn, log) in real time

👉 Important clarification: DSPM for AI monitors metadata and policy matches, not the full content of AI prompts or outputs.

[Screenshot: the DSPM for AI one-click policies]

Step 4 – Monitor AI Activity in DSPM Reports

The Purview dashboard gives visibility into:

  • Frequency of visits to unapproved AI tools
  • Patterns of sensitive data interaction
  • High-risk users identified by Insider Risk signals
  • Policy actions taken across devices and browsers

This insight helps security and compliance teams adapt policies to evolving AI usage.

[Screenshot: DSPM for AI graph of total visits to third-party generative AI apps, as captured by the Microsoft Purview Browser Extension]

Using Activity Explorer, you can drill down further to identify high-risk users based on usage frequency and triggered policy matches, helping security and compliance teams focus investigations where they matter most.
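To make the "motion-activated camera" model concrete, here is an added illustration (not Microsoft's code, and not the extension's real schema or policy engine) of the two behaviours described above: a policy-triggered event produces only the metadata listed under "What It Monitors" and never the prompt text, and those records are then aggregated per user the way the DSPM report and Activity Explorer drill-down are described in Step 4. The site list, the two simplified sensitive-info-type detectors, the field names and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
# Assumed policy config: hypothetical unapproved-site list and two simplified
# detectors standing in for Purview's built-in sensitive info types (SITs).
UNAPPROVED_AI_SITES = {"chat.openai.com", "bard.google.com", "claude.ai"}
SENSITIVE_INFO_TYPES = {
    "UK National Insurance Number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "Credit Card Number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
LOGGED_FIELDS = ("user", "ip", "site", "timestamp")  # metadata that is retained

def evaluate(event):
    """Return None if no policy condition is met, else a metadata-only record.
    'content' (the pasted/uploaded text) is scanned but never copied out."""
    if event["site"] not in UNAPPROVED_AI_SITES:
        return None  # approved site: like the motion camera, nothing switches on
    matched = [n for n, rx in SENSITIVE_INFO_TYPES.items() if rx.search(event["content"])]
    record = {k: event[k] for k in LOGGED_FIELDS}
    record["sensitive_info_types"] = matched
    record["action"] = "block" if matched else "log"  # block the share, or just log the visit
    return record

def summarize(records, visit_threshold=3):
    """Per-user totals as the DSPM report / Activity Explorer drill-down show:
    visits, DLP matches, and a high-risk flag for heavy use or any block."""
    per_user = defaultdict(lambda: {"visits": 0, "dlp_matches": 0, "blocked": 0})
    for r in records:
        u = per_user[r["user"]]
        u["visits"] += 1
        u["dlp_matches"] += len(r["sensitive_info_types"])
        u["blocked"] += int(r["action"] == "block")
    for u in per_user.values():
        u["high_risk"] = u["visits"] >= visit_threshold or u["blocked"] > 0
    return dict(per_user)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "ip": "10.0.0.5", "site": "chat.openai.com",
     "timestamp": "2025-01-06T09:01:00Z", "content": "Summarise: NI number AB123456C"},
    {"user": "alice", "ip": "10.0.0.5", "site": "intranet.example.com",
     "timestamp": "2025-01-06T09:05:00Z", "content": "AB123456C"},  # approved site: never logged
    {"user": "bob", "ip": "10.0.0.7", "site": "claude.ai",
     "timestamp": "2025-01-06T10:00:00Z", "content": "write a haiku about Mondays"},
    {"user": "bob", "ip": "10.0.0.7", "site": "bard.google.com",
     "timestamp": "2025-01-06T11:00:00Z", "content": "draft a polite email"},
]
def run(events=SAMPLE_EVENTS):
    records = [r for r in map(evaluate, events) if r is not None]
    assert all("content" not in r for r in records)  # prompt text is never retained
    return records, summarize(records)
```

In the sample, alice's single blocked share flags her as high risk while bob's two harmless visits stay below the threshold, which is the distinction the Activity Explorer drill-down is meant to surface.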

[Screenshot: an IRM policy match where the Purview Browser Extension detected sensitive data being shared with ChatGPT]

Beyond AI: Other High-Risk Use Cases

While AI tools are the newest shadow IT challenge, the Browser Extension also protects against:

  • Uploading sensitive data to personal apps (e.g., Gmail, Dropbox, Google Drive)
  • Sharing confidential info on public platforms (e.g., LinkedIn, social media)
  • Accessing competitor or recruitment sites during work hours

Privacy and Trust by Design

Microsoft has built the extension with strict privacy safeguards:

  • Event-based monitoring only (no always-on tracking)
  • Data residency respected within your Purview boundaries
  • Role-based access ensures only authorized reviewers can see logs
  • No eDiscovery exposure, keeping captured data out of Content Search

This helps organizations build a culture of trust, focusing on education and prevention rather than punishment.


Final Thoughts

AI tools are quickly becoming the new shadow IT. Without visibility, organizations face data leaks, insider threats, and compliance failures.

The Microsoft Purview Browser Extension, combined with Endpoint DLP, Insider Risk Management, and DSPM for AI, offers a practical, privacy-first way to govern AI usage while supporting compliance with GDPR, UK DPA, ISO 27001, and emerging AI regulations.

💡 Getting Started:

  1. Onboard a pilot group of devices into Purview.
  2. Deploy the Browser Extension via Intune.
  3. Enable one-click DSPM for AI policies.
  4. Review reports and tune policies for your risk profile.

By starting small and scaling gradually, you can safeguard sensitive data, enable responsible AI use, and maintain user trust.


🙋‍♀️ FAQ

What is the Purview Extension?

A lightweight tool integrated with Microsoft Purview’s Endpoint Data Loss Prevention (DLP) and Insider Risk Management (IRM) systems. It monitors specific risky browser activities (like sharing sensitive data with generative AI tools) based on policy triggers—not continuous surveillance.

Does it track my entire browser history?

No. It activates only when a policy condition is met—for example, visiting an unapproved AI site or uploading sensitive data—so regular browsing is not logged.

Does it capture AI tool prompts or responses?

No. The extension logs metadata such as site visited, timestamp, username, and matched policy details, but not any prompt or response text.

Is this a surveillance tool?

No. Designed with privacy by design, it operates only on policy violations, respects data residency, restricts log access by role, and excludes data from eDiscovery. It supports compliance, not surveillance.

Which browsers are supported?

The extension is available for Microsoft Edge, Google Chrome, and Mozilla Firefox.

Can I customize the DSPM for AI one-click policies?

Yes. You can refine the DSPM for AI DLP and IRM rules to meet your organizational needs, for example, thresholds for AI site usage or types of sensitive data to detect.

What licenses are required?

Endpoint DLP and Insider Risk Management features require premium Microsoft Purview licensing (A5/E5). For full details, see Microsoft 365 guidance for security & compliance – Service Descriptions | Microsoft Learn.

Which Gen AI tools does it monitor?

It supports a range of generative AI sites, including ChatGPT, Bard, and Claude, based on Microsoft’s supported AI workload list. See Supported AI sites by Microsoft Purview for data security and compliance protections | Microsoft Learn

What can I see in the DSPM for AI dashboard?

You get a consolidated view of third-party AI usage, including site visits, sensitive data interactions, policy-triggered infractions, and user-risk patterns.

Can the extension help beyond AI tools?

Yes. It also guards against risky behaviors such as sharing internal data on personal cloud apps (like Gmail or Dropbox), social media, or accessing competitor/job-search sites.

What if I only have Business Premium or A3/E3 licensing?

Core reporting on Microsoft Copilot usage may be available, but advanced DSPM for AI features, especially those monitoring third-party AI usage, typically require E5 licensing.

How do I get started?

1. Onboard devices via Intune into Microsoft Purview.
2. Deploy the browser extension on supported browsers.
3. Configure policies (initially in audit-only mode if desired).
4. Use DSPM for AI dashboards and Activity Explorer to monitor and tune policies.


💡 Want More Insights? Stay Updated!

🔐 Stay ahead in Microsoft 365 security, compliance, and governance with expert advice and in-depth discussions.

📺 Watch on YouTube:

All Things M365 Compliance – Dive into the latest discussions on Microsoft Purview, data security, governance, and best practices.

🎧 Listen on Spotify:

All Things M365 Compliance – Your go-to resource for deep dives into Microsoft Purview, DLP, Insider Risk Management, and data protection strategies.

📌 Follow Me for More Insights:

  • 🔹 LinkedIn: Nikki Chapple – Connect for updates, discussions, and articles.
  • 🔹 Bluesky: @nikkichapple – Join the conversation on compliance and data security.
  • 🔹 Twitter/X: @chapplenikki – Stay up-to-date with quick insights on M365 security and governance.

📌 Explore More on My Website:

nikkichapple.com – Discover more blog posts, resources, and stay at the forefront of Microsoft 365 compliance and security trends.

💬 Let’s Connect!

Have questions about Microsoft 365 security or compliance? Reach out to me, share your thoughts, or join the conversation! 🚀
