
Two years into the enterprise AI rollout, most organizations still cannot answer a basic question. Which of their data is allowed to be processed by an LLM, and which is not?

Access controls tell you who can open a file. Sensitivity labels tell you how it is protected at rest and in transit. Neither answers whether the document should ever be retrieved by Microsoft 365 Copilot, grounded into a Microsoft Copilot Studio agent, indexed by a Microsoft Foundry workload, or pasted into ChatGPT.

That gap is the real story behind every risk article published in the last twelve months.


The Landscape

Two Conversations, A Shared Blind Spot

Most AI security content right now sits in one of two camps. Camp one is secure Microsoft 365 Copilot, covering Microsoft Purview sensitivity labels, DSPM for AI, DLP for Microsoft 365 Copilot prompts, and the Microsoft enterprise story. Camp two is secure shadow AI, covering Microsoft Edge for Business blocking ChatGPT and Gemini, browser-level prompt inspection, and third-party SaaS controls. Both are necessary. Neither is sufficient.

Both camps share an assumption the 2026 landscape stresses. They assume the unit of control is the AI surface. Block the prompt at the browser. Block the retrieval at Copilot. Block the upload at the SaaS gateway. That logic works when you can predict where AI will appear. In 2026, you cannot. Every productivity tool, every IDE, every SaaS application is shipping its own assistant or agent. Microsoft 365 E7 and Agent 365 both became generally available on May 1, expanding the surface where tenant data can be grounded into autonomous agents. The governance capabilities exist; the question is whether organizations have configured them to cover this new surface.

Figure 1: The AI control surface fragments by channel. Each surface today requires its own policy console, scope definition, and enforcement model.

The Gap

Why AI Eligibility Belongs at the Data Layer

The control that is missing is data-layer policy that travels with the document and is enforced by every AI surface that touches it. Not “this file is confidential,” which Purview already does well. Something more specific. This file is not eligible for LLM ingestion.

That label needs to mean the same thing whether a user invokes Copilot, an agent grounds on a Microsoft SharePoint library, a Microsoft Foundry pipeline indexes a Microsoft Graph endpoint, or a developer pastes contents into ChatGPT. Today, each of those channels is governed separately. Each has a different policy console, a different enforcement model, and a different failure mode when the policy is missing or stale.

Most customers have invested heavily in Purview, but they haven’t extended their taxonomy to cover AI eligibility. The result is correctly labeled data flowing into AI surfaces nobody intended.

Dominick Paynter, Cloud Security Architect, Armor

What It Looks Like

What the Gap Looks Like in Practice

A draft acquisition memo lives in a SharePoint library scoped to the corporate development team. It is labeled “Confidential, Internal.” Sensitivity-label-based DLP prevents external sharing. It is also fully retrievable by any Copilot agent the corp dev team builds in Copilot Studio, because no policy says otherwise.

A source code repository is mirrored to a SharePoint folder for cross-team access. Edge for Business blocks pasting from that folder into ChatGPT. The same repository is indexed by an internal Microsoft Foundry RAG pipeline, with no equivalent control.

A customer contact list is correctly classified as PII for compliance purposes. The classification governs export, retention, and access. It does not govern AI eligibility, because AI eligibility is not a dimension the labeling taxonomy was designed to express.

In all three cases, the data has a label. The label is doing work for traditional controls. It is not doing work for AI exposure, because the policy authors never had a reason to add that dimension.

Current Capabilities

What Microsoft Purview Does Today, and the Next Step

Microsoft has been closing pieces of this gap:

  • Sensitivity-label-based file blocking prevents Copilot from using labeled files in responses.
  • SIT-based prompt blocking detects sensitive information in user prompts before Copilot responds.
  • DLP for Copilot Studio agents extends inline controls to custom agents.
  • Edge for Business blocks sensitive paste into third-party AI.
  • DSPM for AI surfaces overshare risk and agent inventory.

These are real and substantive controls, and Microsoft continues to expand them. The opportunity for security teams is to add a unifying dimension on top: AI eligibility as a label property that drives every channel from a single taxonomy, rather than authoring each control in isolation. The labels themselves are already channel-agnostic; the next step is making the enforcement coordinated.

Most organizations haven’t taken the next maturity step: treating AI eligibility as a label dimension itself, and driving every Purview control from that dimension rather than from independent rules.

The Proposal

Eligibility as a Label Dimension

Extend your labeling taxonomy to include an explicit AI eligibility tier. Then map every Purview control, including Copilot, Copilot Studio, Microsoft Foundry, and Edge for Business, to that tier rather than authoring each in isolation.

Three tiers usually cover it.

Eligible

Retrievable, summarizable, groundable in AI workflows. No restriction.

  • Copilot
  • Copilot Studio
  • AI Foundry
  • Third-party AI

Eligible with Attribution

Processible, but must surface source in output. Logged for review.

  • Copilot with citation
  • Copilot Studio audited
  • AI Foundry logged
  • Third-party AI blocked

Restricted from AI

Not ingestible by any AI surface, internal or external.

  • Copilot blocked
  • Copilot Studio blocked
  • AI Foundry blocked
  • Third-party AI blocked
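
The tier mapping above can be turned into a drift audit. The following is an added example, not Armor's or Microsoft's code: it derives the expected action per channel from each label's tier and reports every channel whose independently authored rule is weaker. The channel keys, action names, rule shape, and the labels other than "Confidential, Internal" are constructed for illustration and are not Purview settings.

```python
from collections import namedtuple
CHANNELS = ("copilot", "copilot_studio", "foundry", "third_party_ai")
# Expected action per channel for each tier, taken from the three tiers above.
TIER_POLICY = {
    "eligible": dict.fromkeys(CHANNELS, "allow"),
    "eligible_with_attribution": {
        "copilot": "allow_with_citation", "copilot_studio": "allow_audited",
        "foundry": "allow_logged", "third_party_ai": "block"},
    "restricted_from_ai": dict.fromkeys(CHANNELS, "block"),
}
# Ordering used to decide whether a configured action is weaker than required.
STRICTNESS = {"allow": 0, "allow_with_citation": 1, "allow_audited": 1,
              "allow_logged": 1, "block": 2}

Finding = namedtuple("Finding", "label channel expected configured untiered")

def audit(label_tiers, channel_rules):
    """Return each (label, channel) whose rule is weaker than the tier requires."""
    findings = []
    for label, tier in label_tiers.items():
        untiered = tier not in TIER_POLICY
        # Fail closed: a label with no AI tier is audited as restricted.
        policy = TIER_POLICY["restricted_from_ai" if untiered else tier]
        for channel in CHANNELS:
            # No rule in a channel's console means the channel allows the data.
            configured = channel_rules.get(channel, {}).get(label, "allow")
            if STRICTNESS.get(configured, 0) < STRICTNESS[policy[channel]]:
                findings.append(Finding(label, channel, policy[channel],
                                        configured, untiered))
    return findings

# Constructed sample: the three cases described earlier, plus one attributed label.
LABEL_TIERS = {
    "Confidential, Internal": "restricted_from_ai",   # acquisition memo
    "Source Code": "restricted_from_ai",              # mirrored repository
    "PII": None,                                      # classified, no AI tier
    "General": "eligible_with_attribution",
}
# Constructed per-channel rules, authored independently as each console would be.
CHANNEL_RULES = {
    "copilot": {"Confidential, Internal": "block", "Source Code": "block",
                "General": "allow_with_citation"},
    "copilot_studio": {"Source Code": "block", "General": "allow_audited"},
    "foundry": {"Confidential, Internal": "block"},
    "third_party_ai": {"Confidential, Internal": "block", "Source Code": "block",
                       "PII": "block", "General": "block"},
}

if __name__ == "__main__":
    print(*audit(LABEL_TIERS, CHANNEL_RULES), sep="\n")
```

With this sample, the memo label is exposed only through Copilot Studio and the source code label only through Foundry, while the label with no tier is reported on every channel that lacks an explicit block.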

Residual Risk

Where This Leaves the Threat Layer

Even with disciplined classification, gaps remain. New AI surfaces appear faster than policies can be authored. Labels are imperfect. Users override defaults. Agents reach data through indirect paths nobody anticipated. An attacker on a compromised identity will exercise AI surfaces in ways that look subtly different from a legitimate user, pulling broader context, asking unusual aggregation questions, grounding agents on data the user has access to but rarely touches.

That is the residual risk that detection has to cover. Anomalies in how labeled data is accessed, by whom, and through what AI surface are some of the earliest signals that a control has failed or an identity has been compromised. Purview generates that telemetry. The work is in correlating it with endpoint, identity, and network signal in real time.
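
One way to express the signal described above, as an added example rather than Armor's detection logic: build a per-identity baseline of resources reached through AI surfaces, then flag a review window dominated by labeled resources that identity rarely or never touched. The event fields, thresholds, users, and file paths are constructed and do not reflect Purview's audit schema.

```python
from collections import Counter, defaultdict

def ev(user, surface, label, resource):
    # Constructed event shape; real audit records use their own field names.
    return {"user": user, "surface": surface, "label": label, "resource": resource}

def build_baseline(history):
    """Per identity, count how often each resource was reached through AI."""
    seen = defaultdict(Counter)
    for e in history:
        seen[e["user"]][e["resource"]] += 1
    return seen

def score_window(window, baseline, rare_below=2, min_resources=4, ratio=0.6):
    """Alert on identities whose AI-mediated access in the window is mostly
    labeled resources they rarely or never touched in the baseline period."""
    per_user = defaultdict(list)
    for e in window:
        per_user[e["user"]].append(e)
    alerts = []
    for user, events in per_user.items():
        resources = {e["resource"] for e in events}
        known = baseline.get(user, Counter())  # unseen identity: everything is rare
        rare = {r for r in resources if known[r] < rare_below}
        if len(resources) >= min_resources and len(rare) / len(resources) >= ratio:
            alerts.append({
                "user": user,
                "rare_resources": sorted(rare),
                "labels": sorted({e["label"] for e in events if e["resource"] in rare}),
                "surfaces": sorted({e["surface"] for e in events}),
            })
    return alerts

# Constructed sample data: weeks of routine use, then one review window.
HISTORY = ([ev("alice", "copilot", "General", f"sales/q{n % 2}.docx") for n in range(10)]
           + [ev("bob", "copilot", "General", f"eng/spec{n % 3}.docx") for n in range(12)])
WINDOW = [
    ev("alice", "copilot", "General", "sales/q0.docx"),
    ev("alice", "copilot", "General", "sales/q1.docx"),
    ev("alice", "copilot", "General", "sales/forecast.docx"),
    ev("alice", "copilot", "General", "sales/plan.docx"),
    ev("bob", "copilot", "General", "eng/spec0.docx"),
    ev("bob", "copilot_studio", "Confidential, Internal", "corpdev/memo.docx"),
    ev("bob", "copilot_studio", "Confidential, Internal", "corpdev/model.xlsx"),
    ev("bob", "copilot_studio", "PII", "crm/contacts.xlsx"),
    ev("bob", "foundry", "Source Code", "repo/auth.py"),
]

if __name__ == "__main__":
    print(score_window(WINDOW, build_baseline(HISTORY)))
```

An identity with no baseline is flagged as soon as it reaches the minimum resource count, so new joiners and new agents need a separate allowance or a warm-up period.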

What We Do

Where Armor Fits

Purview governs the data layer. Armor works on both sides of it.

Armor’s Professional Services team helps organizations design AI eligibility taxonomies, map them to Purview labels and policies, and apply them consistently across Copilot, Copilot Studio, Microsoft Foundry, and third-party AI surfaces. The output is a labeling model the security team can defend in front of an auditor, a board, or a regulator, and a Purview configuration that enforces it.

Armor MDR ingests Purview DLP alerts, sensitivity-label violations, and DSPM signals through our integration with Microsoft’s unified SecOps platform (Microsoft Sentinel in the Microsoft Defender portal). When a label is missing, when a policy fails, when an agent reaches data it should not, the SOC sees it and investigates before the customer does.

The right combination of preparation, scoping, and inheritance can compress the timeline dramatically.

Schedule a Microsoft AI Security Review

We will map your current Purview labeling taxonomy against the AI surfaces in your environment and identify where eligibility gaps exist.


About Armor

Armor is a global leader in cloud-native managed detection and response. Trusted by over 1,700 organizations across 40 countries, Armor delivers cybersecurity, compliance consulting, and 24/7 managed defense built for transparency, speed, and results. By combining human expertise with AI-driven precision, Armor safeguards critical environments to outpace evolving threats and build lasting resilience. For more information visit our website, follow us on LinkedIn, or request a free Cyber Resilience assessment.