4.2.3. Prompt Governance
💡 First Principle: Prompts are the instructions users give to Copilot. When users save, share, or schedule prompts, those prompts become organizational content that can be accessed by others, and they can contain sensitive information, proprietary instructions, or inappropriate content. Prompt governance is about managing prompts as organizational assets.
Prompt management capabilities:
- Saving prompts: users can save prompts they use frequently (stored in their personal prompt library)
- Sharing prompts: users can share prompts with colleagues or publish them to the organization
- Scheduling prompts: prompts can be set to run automatically on a schedule (e.g., generate a weekly status report every Monday)
- Deleting prompts: users can delete their own saved prompts; admins can delete prompts that violate policy
Administrative controls for prompts:
- Admins can view and delete prompts that have been shared at the organizational level
- DLP policies can be configured to flag or block prompts containing sensitive information types
- Prompt history is retained in compliance logs and is accessible via eDiscovery and Activity Explorer
💡 Key Point: Scheduled prompts run with the permissions of the user who created them. If a user schedules a prompt to run every Monday and then leaves the organization, the prompt should be deactivated to prevent orphaned automation.
⚠️ Exam Trap: Saved prompts that users share across the organization are not automatically reviewed for compliance. Without a DLP policy scoped to include Copilot interactions, sensitive information embedded in shared prompts may not trigger any alerts.
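The two governance gaps above (shared prompts that nobody reviews, and scheduled prompts whose owner has left) are the kind of thing an admin would want to sweep for between DLP runs. The following is an added illustration, not part of the study guide and not Microsoft's tooling: a small review script over a constructed export of a prompt library. It assumes a hypothetical record shape (`prompt_id`, `owner`, `text`, `shared`, `scheduled`), a placeholder tenant domain `contoso.example`, and deliberately simplified regular expressions standing in for Purview sensitive information types. It flags shared prompts that name an external recipient or contain a sensitive-looking value, and scheduled prompts whose owner is no longer an active user.

```python
import re
from dataclasses import dataclass

# Assumed tenant domain (placeholder, constructed for this example).
ORG_DOMAIN = "contoso.example"


@dataclass
class Prompt:
    """Hypothetical shape of one exported prompt-library record."""
    prompt_id: str
    owner: str
    text: str
    shared: bool = False
    scheduled: bool = False


# Simplified stand-ins for DLP sensitive information types (constructed, not Purview's own).
SENSITIVE_TYPES = {
    "U.S. Social Security Number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card Number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def external_recipients(text: str, org_domain: str) -> list[str]:
    """Return e-mail addresses mentioned in the prompt that are outside the tenant domain."""
    return [
        addr for addr in EMAIL_RE.findall(text)
        if addr.lower().rsplit("@", 1)[1] != org_domain.lower()
    ]


def sensitive_types_found(text: str) -> list[str]:
    """Names of the sensitive information types whose pattern matches the prompt text."""
    return [name for name, rx in SENSITIVE_TYPES.items() if rx.search(text)]


def review_shared_prompt(p: Prompt, org_domain: str) -> list[str]:
    """Findings for a prompt that has been shared at the organizational level."""
    findings = [f"external recipient: {a}" for a in external_recipients(p.text, org_domain)]
    findings += [f"sensitive information type: {n}" for n in sensitive_types_found(p.text)]
    return findings


def orphaned_schedule(p: Prompt, active_users: set[str]) -> bool:
    """True when a scheduled prompt belongs to a user who is no longer active."""
    return p.scheduled and p.owner.lower() not in {u.lower() for u in active_users}


def review_library(prompts, active_users, org_domain=ORG_DOMAIN) -> dict[str, list[str]]:
    """Map prompt_id -> findings; prompts with nothing to report are omitted."""
    report = {}
    for p in prompts:
        findings = []
        if p.shared:
            findings += review_shared_prompt(p, org_domain)
        if orphaned_schedule(p, active_users):
            findings.append(f"orphaned schedule: owner {p.owner} is no longer active")
        if findings:
            report[p.prompt_id] = findings
    return report


# Constructed sample export; no real tenant data.
SAMPLE_PROMPTS = [
    Prompt("p1", "alice@contoso.example", shared=True,
           text="Summarize all documents in the Executive Leadership SharePoint site "
                "and email the summary to partner@outside.example."),
    Prompt("p2", "bob@contoso.example", scheduled=True,
           text="Generate the weekly status report from the Sales channel."),
    Prompt("p3", "carol@contoso.example", shared=True,
           text="Draft a reply to customer 123-45-6789 about their claim."),
    Prompt("p4", "alice@contoso.example",
           text="Email a meeting recap to dave@contoso.example."),
]
# Constructed directory snapshot: bob has left the organization.
ACTIVE_USERS = {"alice@contoso.example", "carol@contoso.example"}


if __name__ == "__main__":
    for pid, items in review_library(SAMPLE_PROMPTS, ACTIVE_USERS).items():
        print(pid, "->", "; ".join(items))
```

Note that `p4` produces no finding: it is neither shared nor scheduled, so it stays a personal prompt outside the organizational review scope, whereas `p1` is caught purely because it was shared and names a recipient outside the tenant. In a real tenant the sensitive-type matching is what the DLP policy scoped to Copilot interactions does for you; the orphan check is the piece that still needs an offboarding step.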
Reflection Question: A user creates a shared prompt that says "Summarize all documents in the Executive Leadership SharePoint site and email the summary to [external email]." What governance risk does this represent, and what technical control would catch it?