When shadow AI comes up in a CISO or IT director meeting, the first response is often some version of: “We already have Purview for that.”
It’s a reasonable assumption. Microsoft Purview is a mature, well-integrated data governance and DLP platform. If you’re on Microsoft 365, you’re probably already using parts of it. It handles data classification, sensitivity labels, data loss prevention policies, and compliance workflows across the Microsoft ecosystem — and it does all of that well.
The problem is that AI prompts are not files. They are not emails. They are not documents in SharePoint. Purview was built to govern data stored in and moving through Microsoft’s services. Its visibility into what your employees type into ChatGPT or paste into Claude depends on a managed endpoint running Microsoft’s browser extension, and it has no visibility at all into what an AI agent submits to a model API on their behalf.
This article is for the security leader who has Purview deployed and wants to understand, specifically, where the coverage ends when it comes to AI.
What Microsoft Purview actually does well
Before describing the gap, it’s worth being precise about what Purview covers — because the strengths are real.
Data classification and sensitivity labels: Purview’s Information Protection module lets you classify content across Microsoft 365 — documents, emails, Teams messages, SharePoint files — and apply sensitivity labels that control what happens to that content (encryption, access restriction, retention rules). For organizations that live in M365, this is powerful.
Data loss prevention for Microsoft channels: Purview DLP policies can detect and block the transfer of sensitive content across Microsoft channels: email attachments, SharePoint uploads, Teams messages, OneDrive sync. Endpoint DLP extends this to onboarded Windows and macOS devices, where it can restrict copying, printing, and uploading of files that contain sensitive content. If an employee tries to email a document containing PII or a credit card number, Purview can catch it.
Compliance and audit for Microsoft activities: Purview’s Compliance Manager and Audit features give security teams visibility into M365 user activity and help meet regulatory requirements tied to Microsoft-managed data.
Records management and retention: For organizations under regulatory retention requirements (financial services, healthcare, legal), Purview’s Records Management module handles policy-based retention and disposition across M365 content.
If your primary security concern is data moving through Microsoft’s own infrastructure — SharePoint, Exchange, OneDrive, Teams — Purview is the right tool.
Where Purview ends and the AI gap begins
The gap is not a flaw in Purview. It is a scope boundary. Purview was designed to govern data within and between Microsoft services. The AI activity happening in your organization mostly falls outside that scope.
ChatGPT, Claude, Gemini — and every non-Microsoft AI tool
When your employee opens a browser and goes to chat.openai.com, they are operating outside the Microsoft 365 data path. No sensitivity label and no M365 DLP policy applies to the text in that prompt box. If they paste in client contract language, source code, or confidential financial data, none of the M365 workloads Purview classifies ever see it.
The same is true for Claude.ai, Google Gemini, Perplexity, and every other web-based AI tool your employees use. These are HTTPS sessions to external domains. Purview’s M365 DLP operates on Microsoft-controlled data paths, not on arbitrary web traffic to third-party AI providers.
Purview does reach part of this traffic, but only on managed endpoints. Endpoint DLP can restrict pasting sensitive content into the browser for a configured list of service domains, and Purview’s Data Security Posture Management for AI relies on the Microsoft Purview browser extension to record and police prompts sent to sites such as ChatGPT. That coverage requires an onboarded device, a supported browser, and the extension installed and enforced. Unmanaged and personal devices, mobile apps, native desktop AI clients, and direct API calls fall outside it, and that is the scope boundary this article is about: it is not a setting you can flip, because the platform has no hook into those channels.
Copilot for Microsoft 365 — partially covered, with important limits
Microsoft Copilot for M365 operates within the M365 perimeter, so Purview policies apply to the content it reaches. Copilot honors sensitivity labels: it only surfaces content the user already has access to under the label’s permissions, and its responses inherit the label of the most sensitive source they draw on. A DLP policy scoped to the Microsoft 365 Copilot location can exclude content carrying specified sensitivity labels from Copilot’s processing altogether.
But the coverage is not complete. Copilot interactions are written to the unified audit log as CopilotInteraction events, which record who prompted, when, from which app, and which resources Copilot accessed to build the response, and the prompts and responses themselves are retained in the user’s mailbox where eDiscovery and retention policies can reach them. What you do not get is the prompt and response text in the audit record itself, a DLP-style policy decision on the prompt text before it is processed, or any record of what the employee did with the output once it left Copilot. Compliance visibility into Copilot activity is improving with each Microsoft release, but as of 2026, prompt-level audit and enforcement for Copilot are not equivalent to what Purview provides for email and file transfers.
Additionally, Copilot for M365 does not govern the non-Microsoft AI tools your employees also use — and in most organizations, those are the majority of AI usage.
AI agents and autonomous workflows
AI agents — systems that use an LLM to plan and execute multi-step tasks, call APIs, read and write data — operate at the API layer. They make HTTP requests to AI provider APIs, not file transfers through Microsoft channels. Purview has no visibility into what data an AI agent submits to an external model, what the model returns, or what the agent does with that output.
For organizations beginning to deploy AI agents in production workflows (coding assistants, document review agents, customer-facing chatbots), this is a significant gap. The agent may be calling OpenAI’s API with data from your internal systems — and none of that traffic passes through any Purview-governed channel.
The prompt is the exposure event
The reason this gap matters is that the AI prompt is the data exposure event. It is not a file leaving your network. It is not an email going to an unauthorized recipient. It is text that an employee typed into a box or that an agent constructed programmatically — text that may include client names, contract terms, financial projections, source code, or PII — transmitted directly to a third-party model provider that is not party to your data agreements with your clients.
Purview’s DLP engine is excellent at catching sensitive content in files and structured data flows. It was not designed to inspect the content of prompts submitted to external AI APIs. That is a different problem requiring a different control.
What a complete AI governance layer needs
Purview covers the Microsoft perimeter. The rest of AI governance — which in most organizations is most of the problem — requires a purpose-built AI control layer.
Specifically, a complete AI governance stack for an organization using M365 alongside external AI tools needs:
Prompt-level inspection across all surfaces. Not just Microsoft channels — every browser session, desktop application, and API call where an employee or agent submits content to an AI model. This requires a control that understands AI prompt traffic, not just file transfers and email headers.
Cross-provider governance. A single policy that applies consistently whether an employee is using Copilot, ChatGPT, Claude, or a custom model via API. Purview governs Microsoft; you need something that governs everything else.
Agent runtime controls. For AI agents calling external APIs on behalf of users, you need tool-call-level inspection — what API was called, with what data, with what outcome — not just network-level logging.
A prompt-level audit trail. An append-only, tamper-evident record of what was submitted to which model, by whom, when, and under which policy decision. This is the evidence that answers vendor questionnaires, auditor requests, and regulatory reviews that Purview alone cannot produce for AI activity outside M365.
The practical picture: Purview plus an AI gateway
For most M365 organizations, the right answer is not “replace Purview.” Purview is doing real work on your M365 data — keep it. The gap is specifically the AI layer: the browser, desktop, and API channels through which your employees and agents are interacting with external AI providers.
The practical architecture is a purpose-built AI gateway that sits in front of those channels — inspecting prompts, enforcing your data classification policy, producing the audit trail — while Purview continues to govern your M365 data flows. The two work in parallel; they are not substitutes.
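What the policy core of such a gateway looks like, covering the four requirements listed under “What a complete AI governance layer needs” and the Purview-plus-gateway arrangement above: the following is an added illustration written for this article, not Microsoft Purview, Qadar AI Shield, or any vendor’s code. The detector patterns, the policy table, the provider and model names, and the sample traffic are all constructed assumptions; a production gateway would sit behind a forward proxy or SDK and use a far richer classifier.

```python
# Policy core of an AI gateway: inspect content bound for any AI provider, apply one
# cross-provider policy, and append a hash-chained audit record. Added illustration for
# this article, not Microsoft Purview or Qadar AI Shield code; patterns, policy table and
# sample traffic are constructed assumptions.
from __future__ import annotations
import hashlib, json, re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Detectors (constructed and deliberately small; a real gateway uses a fuller classifier)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")                        # 13-16 digits
SECRET_RE = re.compile(r"\b(?:sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b")  # API-key shapes
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# One policy, applied identically whether the destination is Copilot, ChatGPT, Claude,
# Gemini or a raw API call made by an agent. Category names are the keys.
POLICY = {"secret": "block", "payment_card": "block", "email": "redact"}
ACTION_RANK = {"allow": 0, "redact": 1, "block": 2}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random digit run is not reported as a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch) * 2 if i % 2 == parity else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text: str) -> dict[str, list[str]]:
    """Return findings grouped by policy category."""
    found: dict[str, list[str]] = {}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            found.setdefault("payment_card", []).append(m.group())
    for m in SECRET_RE.finditer(text):
        found.setdefault("secret", []).append(m.group())
    for m in EMAIL_RE.finditer(text):
        found.setdefault("email", []).append(m.group())
    return found

def digest(obj: dict) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass
class AuditLog:
    """Append-only log; every entry commits to the hash of the entry before it."""
    entries: list[dict] = field(default_factory=list)

    def append(self, body: dict) -> dict:
        entry = {"prev": self.entries[-1]["hash"] if self.entries else "0" * 64, **body}
        entry["hash"] = digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def submit(log: AuditLog, *, user: str, provider: str, model: str, channel: str,
           content: str, tool: str | None = None) -> tuple[str, str | None]:
    """Gateway decision for one prompt or agent tool call: inspect, apply POLICY, log.
    Returns (action, content to forward), with None when the submission is blocked."""
    found = classify(content)
    action = max((POLICY.get(c, "allow") for c in found), key=ACTION_RANK.get, default="allow")
    forwarded: str | None = content
    if action == "block":
        forwarded = None
    else:
        for cat, hits in found.items():
            if POLICY.get(cat) == "redact":
                for h in hits:
                    forwarded = forwarded.replace(h, f"[REDACTED:{cat}]")
    # The record carries counts and a content hash, never the sensitive text itself.
    log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                "provider": provider, "model": model, "channel": channel, "tool": tool,
                "action": action, "findings": {c: len(h) for c, h in found.items()},
                "content_sha256": hashlib.sha256(content.encode()).hexdigest()})
    return action, forwarded

def demo() -> tuple[AuditLog, list[tuple[str, str | None]]]:
    """Constructed traffic: browser prompt, desktop prompt, agent tool call, Copilot prompt."""
    log = AuditLog()
    results = [
        submit(log, user="alice", provider="openai", model="gpt-4o", channel="browser",
               content="Summarise: client card 4111 1111 1111 1111 was charged twice"),
        submit(log, user="bob", provider="anthropic", model="claude", channel="desktop",
               content="Draft a reply to jane.doe@example.com about the renewal"),
        submit(log, user="svc-agent", provider="openai", model="gpt-4o", channel="api",
               tool="read_file", content="cfg: AKIAABCDEFGHIJKLMNOP, order 1234 5678 9012 3456"),
        submit(log, user="carol", provider="copilot", model="m365", channel="browser",
               content="What is our Q3 hiring plan?"),
    ]
    return log, results

if __name__ == "__main__":
    log, results = demo()
    for entry, (action, fwd) in zip(log.entries, results):
        print(entry["user"], entry["provider"], entry["channel"], action, fwd)
    print("audit chain intact:", log.verify())
```

Three design points carry over to any real deployment. The same POLICY table decides for the browser prompt, the desktop prompt, the agent’s tool call, and the Copilot prompt, which is what cross-provider governance means in practice. The Luhn check is why the agent’s “order 1234 5678 9012 3456” is not treated as a card number while alice’s PAN is, so the gateway blocks on evidence rather than on any sixteen-digit run. And the audit record stores counts, the policy decision, and a hash of the submitted text rather than the text itself, so the trail that answers an auditor is not a second copy of the data you were trying to keep out of the model; if a reviewer needs the original, the hash lets you prove which stored prompt the record refers to.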
If you are getting “we already have Purview” in internal conversations about AI governance, the right response is: “Purview covers our M365 files and email, what Copilot can reach, and managed browsers where the extension is enforced. It does not cover unmanaged devices, native AI desktop apps, or what our agents submit to the OpenAI API. We need both.”
That is a specific, accurate, and auditable claim. And it is a much better answer than discovering the gap when a client questionnaire arrives or an audit starts.
Qadar AI Shield is purpose-built for the AI governance gap: prompt inspection, cross-provider policy enforcement, and a tamper-evident audit trail across browser, desktop, mobile, and agentic AI activity. It complements your existing Microsoft Purview deployment rather than replacing it. See how it works.