Enable Microsoft Purview Audit for AI interactions
Implementation Effort: Low – Audit logging is on by default for most Microsoft 365 organizations; verification and enablement require a single PowerShell command or portal action.
User Impact: Low – Audit logging operates transparently; end users are not affected.
Overview
Microsoft Purview Audit captures user and admin activity across Microsoft 365 services, including interactions with AI tools like Microsoft 365 Copilot and third-party generative AI applications accessed through managed browsers. Without audit logging enabled, the organization has no durable record of who interacted with which AI service, what prompts were submitted, what data was referenced, or whether data loss prevention policies were triggered during AI interactions. This gap is not theoretical — it means the organization cannot investigate AI-related incidents, cannot demonstrate compliance with data handling policies, and cannot answer a regulator's question about how sensitive data was used in AI contexts.
Audit logging is enabled by default for enterprise Microsoft 365 organizations, but it is not enabled by default for small and medium business licenses or unmanaged tenants with free trials. The verification step — checking the UnifiedAuditLogIngestionEnabled property in Exchange Online PowerShell — confirms whether audit data is being collected. Once enabled, audit records are retained for 180 days by default, with retention policies configurable per license tier. The audit data feeds into Microsoft Purview DSPM for AI activity explorer, where security teams can review AI-specific events: user interactions with generative AI sites, DLP rule matches during AI interactions, and sensitive information types found in AI prompts or responses.
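The verification step described above can be scripted. The following is an added example, not part of the original page: it reads UnifiedAuditLogIngestionEnabled from an Exchange Online PowerShell session and turns ingestion on only when asked to. The account name, the parameter names and the helper function are assumptions made for illustration.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: verify, and optionally enable, unified audit log ingestion.
# Assumption: admin@contoso.example is a placeholder for an account that is
# allowed to read and change the admin audit log configuration.
param(
    [string]$AdminUpn = 'admin@contoso.example',   # placeholder, replace
    [switch]$EnableIfDisabled                      # hypothetical switch
)

function Get-AuditIngestionState {
    # Query from Exchange Online PowerShell. The same cmdlet in
    # Security & Compliance PowerShell always reports False for this
    # property, even when auditing is on.
    [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

$exitCode = 0
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    $enabled = Get-AuditIngestionState
    Write-Output "UnifiedAuditLogIngestionEnabled = $enabled"

    if (-not $enabled -and $EnableIfDisabled) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        # The change is not instant; Microsoft documents that it can take
        # up to 60 minutes, so re-run this script later to confirm.
        Write-Output 'Enable request submitted; re-check after propagation.'
    }
    elseif (-not $enabled) {
        Write-Warning 'Audit ingestion is OFF: AI interactions are not being recorded.'
        $exitCode = 1   # non-zero so a scheduled check can alert on it
    }
}
finally {
    # Always close the session, including on errors.
    Disconnect-ExchangeOnline -Confirm:$false
}
exit $exitCode
```

Run it without -EnableIfDisabled as a recurring read-only check; a non-zero exit code means audit data is not being collected for the tenant.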
Audit logging supports Verify explicitly by providing the evidentiary record needed to validate that AI interactions comply with organizational data handling policies. It supports Assume breach by ensuring that if an AI-related data exposure occurs, investigators have the audit trail needed to determine scope, timeline, and responsible parties. Without audit logging, AI interactions are invisible to the compliance and security teams, incident investigations lack evidence, and the organization cannot demonstrate governance over its AI usage.