Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.2. DLP Alerts, Activity Explorer, and DSPM for AI

šŸ’” First Principle: When something goes wrong with data ā€” a policy violation, a suspicious action, an AI interaction with sensitive content ā€” you need tools to detect it in near real time and build an audit trail. DLP alerts, Activity Explorer, and DSPM for AI are the operational monitoring layer of Purview.

DLP alerts: When a DLP policy match occurs and the policy is configured to alert, an alert appears in the Microsoft Purview compliance portal. Administrators can review the alert, see the content that triggered it, and decide whether to escalate or dismiss. DLP alerts feed into the broader incident management workflow.

Activity Explorer: A timeline view of data-related user activity across M365. You can see:

  • When sensitivity labels were applied, changed, or removed from content
  • When DLP policies were triggered (and whether users overrode them)
  • When sensitive files were accessed, downloaded, moved, or shared
  • Who performed each action and from which device

Activity Explorer is your audit trail for data governance. If a user claims they didn't share a sensitive file externally, Activity Explorer shows the truth.

DSPM for AI (Data Security Posture Management for AI):
  • Microsoft's newest governance capability, purpose-built for AI risks
  • Surfaces AI-related data activity: what data Copilot accessed, which sensitive files were referenced in Copilot prompts, which users are generating high volumes of AI interactions with sensitive content
  • Identifies oversharing risks that Copilot is likely to expose
  • Recommends remediation actions (fix permissions, apply labels, create DLP policies for AI)

šŸ’” Key Point: DSPM for AI is a discovery and reporting tool, not a blocking tool. It shows you what's happening; DLP policies and permissions changes are what you do about it.

āš ļø Exam Trap: Activity Explorer shows activity after the fact ā€” it's forensic, not preventive. To prevent a sensitive action, use DLP. To see what happened after the fact, use Activity Explorer.

Reflection Question: After deploying Copilot, your security team wants to know which sensitive files are being referenced in user prompts. Which Microsoft Purview feature should they use, and what follow-up actions might it recommend?

Alvin Varughese
Written byAlvin Varughese
Founderā€¢15 professional certifications