AI governance fails when a broad policy statement is mistaken for an enforced control. A Fabric agent can query sensitive data, generate a narrative, and expose a derived fact through an interaction that crosses Fabric, Purview, identity, licensing, and retention boundaries. Each boundary needs an owner, current support status, test, and investigation path.

Datrick converts the governance program into a control-and-evidence matrix for the agents actually deployed. AI can accelerate inventory, sensitive-data discovery, policy mapping, test generation, event correlation, and finding classification. Security owners approve policy; deterministic fixtures and observed Purview evidence prove whether the control works.

Can you reconstruct who asked a Fabric agent what, which data it used, what it returned, and which policy applied? Start with one sensitive agent workflow.

Inventory agents and resolve the current support matrix

Inventory Fabric Data Agents, Operations Agents, Copilot experiences, Copilot Studio or Foundry integrations, owners, creators, workspaces, connected sources, users, actions, business purposes, sensitive domains, and external dependencies. Record whether the agent is development, pilot, or production and whether it handles regulated, confidential, customer, employee, credential, or operational data.

Map each agent to Microsoft's current Purview support matrix. Do not transfer capabilities from one agent type to another. Microsoft documents data classification and compliance coverage for Copilot in Fabric agents, while other agent families can have broader information-protection combinations. Confirm auditing, enterprise data governance prerequisites, licenses, pay-as-you-go billing, admin roles, regions, retention locations, and preview status in the target tenant.

Control domainAssessment evidenceDecision
Agent inventoryAgent type, item ID, owner, creator, purpose, environment, users, sources, actions, sharing, and lifecycle.Is every active agent accountable and approved for its data?
Grounding-data postureFabric workspaces and items, sensitive information, labels, oversharing, public or external access, stale data, and remediation.Is the source suitable for AI use before interaction controls?
Interaction protectionSupported classification, labels, DLP, policy tips, restrictions, blocked behavior, and agent-specific limitations.Which controls are enforced, observed only, unsupported, or unlicensed?
Risk monitoringDSPM dashboards, AI observability, unusual access, oversharing, exfiltration, Insider Risk indicators, alerts, and triage.Can security distinguish expected use from risky agent behavior?
Compliance evidenceAudit events, activity explorer, retention, eDiscovery, legal hold, content location, timestamps, actor, agent, and export.Can an investigator reconstruct the interaction under policy?
AdministrationPurview roles, Fabric admin, enterprise data governance, registered app, service principal, billing, least privilege, and separation of duties.Are prerequisites sustainable without excessive administrator access?
OperationsPolicy ownership, exceptions, review cadence, incidents, change approval, regression tests, product updates, and evidence retention.Will governance remain effective after the assessment?

Reduce grounding-data risk before monitoring prompts

Classify the workspaces and items agents use. Identify sensitive information, missing labels, broad workspace roles, direct shares, external access, stale content, unknown owners, shortcuts, exports, and ungoverned copies. DSPM and Fabric data risk assessments can help prioritize exposure, but findings require owner validation and remediation evidence.

Apply the durable control closest to the data: remove unnecessary access, correct groups, use effective RLS and CLS, label supported items, constrain sharing, retire stale data, and define authoritative sources. An interaction policy cannot compensate for a grounding source already available to an overprivileged user.

Define expected and prohibited AI interactions

Build a risk taxonomy for each agent: direct sensitive detail, restricted entity lookup, prohibited aggregation, small-cell inference, source combination, secrets, personal data, regulated data, cross-region access, unusual volume, repeated probing, prompt injection, unsupported action, and data exfiltration. Define expected control, telemetry, owner, severity, and response for each scenario.

Where DLP or interaction controls are supported, test the exact policy condition and action. Where only classification or audit is supported, label it as detective rather than preventive. Document unsupported controls and add compensating source-access, application, approval, or monitoring measures. Avoid language that implies Purview blocks every unsafe answer.

Make retention and investigation operational

Decide which AI interactions must be retained, for how long, under which policy, and for which legal or regulatory purpose. Verify supported content locations and agent types. Test eDiscovery search and export with representative actor, agent, date, prompt topic, and source. Confirm who can view sensitive interaction content and maintain separation between platform administrators and investigators.

Create an incident workflow from alert or report to triage, evidence preservation, access review, agent stop, source containment, user investigation, policy correction, regression test, and closure. Connect Purview evidence with Fabric item, identity, query, source, and agent configuration records.

Prove controls with a matched evidence suite

Test familyRepresentative testRequired evidence
DiscoveryKnown sensitive items, labeled and unlabeled copies, broad shares, external access, stale sources, and agent-connected workspaces.Assessment finding, scope, classification, exposure, owner, recommendation, and post-remediation result.
Allowed interactionAuthorized user asks an approved question against an approved source and receives permitted detail.Actor, agent, source, prompt/response event, policy result, query outcome, and retention record.
Restricted interactionUser requests prohibited rows, columns, identity, inference, aggregate, secret, or external-domain information.Expected prevention or detection, observed answer, alert, classification, audit event, and leakage score.
Risk patternRepeated probing, unusual volume, broad enumeration, off-hours access, export sequence, or cross-agent data collection.DSPM or Insider Risk signal where supported, correlated activity, severity, owner, and triage outcome.
ComplianceSearch, retain, hold, export, or delete a representative supported AI interaction under policy.Content location, timestamps, custodian, policy, search result, chain of custody, and authorized access.
Change regressionAgent source, sharing, label, DLP, retention, user role, product version, license, or billing configuration changes.Before/after event and enforcement behavior, approval, exception, and rollback or remediation.

Use unique canary values so prohibited disclosures are unambiguous. Record control latency: some posture and risk surfaces are not real-time, and Microsoft documents collection or assessment delays. Define whether each use case needs immediate prevention, near-real-time alerting, periodic posture review, or retrospective investigation.

Run a three-to-five-week governance assessment

  1. Select in-scope Fabric agents, sensitive domains, workspaces, users, owners, policies, legal requirements, and production decisions.
  2. Inventory grounding sources, effective access, labels, sharing, agent configurations, prompts and responses, actions, and existing Purview controls.
  3. Resolve the current Microsoft support, preview, license, billing, role, auditing, and enterprise-data-governance requirements for each capability.
  4. Run grounding-data risk assessment and validate sensitive information, labels, oversharing, external access, stale data, and ownership findings.
  5. Build allowed, prohibited, risky, retention, eDiscovery, and change-regression scenarios with deterministic expected outcomes.
  6. Execute tests, inspect Purview and Fabric evidence, classify prevention versus detection, and document unsupported or unproven controls.
  7. Deliver the agent register, control matrix, finding register, evidence pack, remediation backlog, investigation runbook, ownership model, and go/hold/stop recommendation.

Frequently asked questions

Can Microsoft Purview govern Fabric AI agents?

Microsoft documents Purview security and compliance support for Copilot in Fabric agents, including data classification for supported AI interactions and compliance-management capabilities. Fabric guidance also describes risk discovery in prompts and responses, audit coverage, and applicability of retention and eDiscovery. Exact support depends on the agent, interaction, workload, license, billing, and feature status, so validate the current matrix in the target tenant.

What should a Fabric AI agent governance assessment cover?

The assessment should cover agent and owner inventory, grounding sources, sensitive-data classification, effective access, prompt and response audit, oversharing and exfiltration scenarios, applicable DLP and insider-risk controls, retention, eDiscovery, investigation workflow, administrator permissions, licensing, pay-as-you-go requirements, evidence quality, and operational ownership.

Does Purview DLP apply to every Fabric AI agent interaction?

No universal assumption is safe. Microsoft publishes a support matrix by AI app and agent type, and individual Purview capabilities can differ. Copilot in Fabric agent information-protection coverage is documented differently from some Copilot Studio, Foundry, or Entra-registered agents. Confirm support for the exact agent, data source, prompt, response, action, policy, and license before treating DLP as an enforced control.

Can Purview audit Fabric AI agent prompts and responses?

Microsoft Fabric and Purview guidance describes audit and risk-discovery coverage for supported Fabric Copilot and agent interactions, with retention and eDiscovery applicability to supported AI-generated content. Test representative interactions and verify the event, actor, agent, source, timestamps, prompt or response evidence, policy result, retention behavior, and investigation permissions.

How long does a Microsoft Purview Fabric AI governance assessment take?

A focused assessment can often be completed in three to five weeks for a defined set of Fabric agents, workspaces, sensitive domains, policies, and investigation scenarios. More time is needed when Purview prerequisites, enterprise data governance, auditing, billing, labels, DLP, retention, or ownership are not yet established.

Official implementation references

Start with one Fabric agent that touches sensitive or regulated data. Datrick can map the support matrix, test the controls, validate investigation evidence, and produce a prioritized governance plan.