# Data Leakage Prevention in AI Contexts

**Category:** AI Security Engineering

**Last updated:** 2026-05 | Verified: MCP 2026-05

**Audience:** Enterprise AI architects and security teams

## Overview

Data leakage prevention (DLP) in an AI context covers protection against unintended or malicious exposure of sensitive information through AI models, prompts and responses. This document covers the Microsoft platform's tools and patterns for preventing data leakage in three critical layers: prompt context isolation, model extraction defense, and membership inference protection.

**Key risks:**

- **Prompt-based leakage:** Users inject sensitive information into prompts, which is then processed or stored without control
- **Model extraction:** Attackers use API access to reverse-engineer proprietary models
- **Membership inference:** Attackers infer whether specific data was in the training set
- **Cache leakage:** Sensitive information is exposed via shared caches or prompt history
- **Response leakage:** AI models disclose PII, IP or confidential data in their answers

## 1. Prompt Context Isolation

### 1.1 Microsoft Purview DLP for Microsoft 365 Copilot

**Concept:** Prevent Copilot from processing sensitive prompts in real time by blocking prompts that contain sensitive information types (SITs).

**Capabilities:**

- **Prompt scanning:** Deep content inspection of user prompts before processing
- **Sensitive information type (SIT) detection:** Detection of credit card numbers, national identity numbers, passport numbers, etc.
- **Real-time blocking:** Prevents Copilot from returning an answer when the prompt contains sensitive data
- **Web search blocking:** Blocks use of sensitive data in both internal and external web searches

**Policy configuration:**

```powershell
# Example: block Norwegian national identity numbers and credit card numbers in Copilot prompts
New-DlpCompliancePolicy `
    -Name "Copilot Prompt Protection" `
    -Comment "Prevents sensitive data in prompts" `
    -Locations "[{\"Workload\":\"Applications\",\"Location\":\"470f2276-e011-4e9d-a6ec-20768be3a4b0\",\"Inclusions\":[{Type:\"Tenant\", Identity:\"All\"}]}]" `
    -EnforcementPlanes @("CopilotExperiences") `
    -Mode Enable

New-DlpComplianceRule `
    -Name "Block Norway SSN in Prompts" `
    -Policy "Copilot Prompt Protection" `
    -ContentContainsSensitiveInformation @{Name="Norway National Identity Number"; MinCount="1"} `
    -RestrictAccess @(@{setting="ProcessingPrompts";value="Block"}) `
    -NotifyUser Owner `
    -NotifyPolicyTipDisplayOption "Dialog"
```

**Supported locations:** *(Verified MCP 2026-04)*

- Microsoft 365 Copilot and Copilot Chat (including pre-built agents)
- Copilot in Word, Excel, PowerPoint
- The policy location is only available in the **Custom** policy template
- All other locations in the policy are disabled when this location is selected

**Limitations:**

- "Content contains sensitive info types" and "Content contains sensitivity labels" cannot be combined in the same rule
- Policy updates take up to 4 hours to take effect
- Admin units are not supported
- DLP cannot scan the content of files uploaded directly in prompts; only the prompt text itself is evaluated *(Verified MCP 2026-04)*

**User experience:** When a user tries to send a prompt containing a blocked SIT, this message is shown: *"The request can't be completed because it contains sensitive information that the organization has blocked Microsoft 365 Copilot from using."*

### 1.2 Sensitivity Label-based Blocking

**Concept:** Prevent Copilot from processing files and emails with specific sensitivity labels in response summaries.

**Use case example:** The organization has the labels "Highly Confidential", "Confidential", "Internal", "Public" and "Personal". It wants to exclude "Personal" and "Highly Confidential" from Copilot processing to meet GDPR and compliance requirements.

```powershell
# Get label GUIDs
Get-Label | Format-List Priority,ContentType,Name,DisplayName,Identity,Guid

$guidHighlyConfidential = "e222b65a-b3a8-46ec-ae12-00c2c91b71c0"
$guidPersonal = "d4f28ae4-9c5e-4e7f-bf4a-5e3d6f1a7c8b"
$loc = "[{\"Workload\":\"Applications\",\"Location\":\"470f2276-e011-4e9d-a6ec-20768be3a4b0\",\"Inclusions\":[{Type:\"Tenant\", Identity:\"All\"}]}]"

New-DLPCompliancePolicy -Name "Copilot Sensitivity Label Policy" -Locations $loc -EnforcementPlanes @("CopilotExperiences")

# Advanced rule: match content carrying either of the two labels
$advRule = @{
    "Version" = "1.0"
    "Condition" = @{
        "Operator" = "And"
        "SubConditions" = @(
            @{
                "ConditionName" = "ContentContainsSensitiveInformation"
                "Value" = @(
                    @{
                        "groups" = @(
                            @{
                                "Operator" = "Or"
                                "labels" = @(
                                    @{name = $guidHighlyConfidential; type = "Sensitivity"},
                                    @{name = $guidPersonal; type = "Sensitivity"}
                                )
                                "name" = "Default"
                            }
                        )
                    }
                )
            }
        )
    }
} | ConvertTo-Json -Depth 100

New-DLPComplianceRule -Name "Exclude Confidential Content" -Policy "Copilot Sensitivity Label Policy" -AdvancedRule $advRule -RestrictAccess @(@{setting="ExcludeContentProcessing";value="Block"})
```

**Supported file types:** *(Verified MCP 2026-04)*

- File items (stored and actively open): Word (.docx/.docm), Excel (.xlsx/.xlsm/.xlsb), PowerPoint (.pptx/.ppsx), and PDF files (when PDF support is enabled)
- Emails sent on or after January 1, 2025
- Only files in SharePoint Online and OneDrive for Business
- Labels with user-defined permissions are now supported for search, DLP and eDiscovery (newly uploaded/edited files only)

**Limitations:**

- Calendar invites are not supported
- When a file with a blocked label is open in Word/Excel/PowerPoint, skills are disabled in those apps

**Result:** Identified items are still shown in citations, but their content is not used in the response or accessed by Copilot.

## 2. Model Extraction Defense

### 2.1 Outbound URL Restriction (Azure AI Services DLP)

**Concept:** Restrict which outbound URLs Azure OpenAI and Azure AI Services can reach, so that models cannot exfiltrate data or leak model weights to unauthorized endpoints.

**Risk reduction:**

- Prevents model extraction via API calls to attacker-controlled servers
- Blocks data exfiltration via tool calls or plugin interactions
- Reduces supply chain risk by allowlisting only trusted endpoints

**Configuration (Azure CLI):**

```bash
# Enable restrictOutboundNetworkAccess together with the FQDN allowlist
az rest -m patch \
  -u "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.CognitiveServices/accounts/{account-name}?api-version=2024-10-01" \
  -b '{"properties": {"restrictOutboundNetworkAccess": true, "allowedFqdnList": ["contoso.com", "api.trustedpartner.com"]}}'
```

**Configuration (PowerShell):**

```powershell
$patchParams = @{
    ResourceGroupName    = 'myresourcegroup'
    ResourceProviderName = 'Microsoft.CognitiveServices'
    ResourceType         = 'accounts'
    Name                 = 'myaccount'
    ApiVersion           = '2024-10-01'
    Payload              = '{"properties": {"restrictOutboundNetworkAccess": true, "allowedFqdnList": ["contoso.com", "api.trustedpartner.com"]}}'
    Method               = 'PATCH'
}
Invoke-AzRestMethod @patchParams
```

**Key details:**

- Maximum 1000 URLs in `allowedFqdnList`
- Supports fully qualified domain names (FQDN)
- Takes up to 15 minutes before an updated list takes effect

**Supported services:**

- Azure OpenAI
- Azure AI Foundry (Foundry-based projects)
- Azure Vision
- Content Moderator
- Custom Vision
- Face API
- Document Intelligence
- Speech Services
- QnA Maker

### 2.2 Network Security Perimeter (NSP)

**Concept:** Implement a network security perimeter to restrict inbound and outbound access to Azure OpenAI and Foundry-based projects.
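The prompt-scanning decision from section 1.1 (block when at least `MinCount` matches of a SIT are present, then show the policy tip) is easy to reason about once you see it as code. The following is an added example, not Purview code: it uses two hypothetical detectors, a Luhn-validated card number and a checksum-validated Norwegian national identity number, and a constructed prompt. Purview's own SIT definitions, confidence levels and pattern sets are richer than this; the point is the shape of the check.

```python
"""Prompt pre-screening for sensitive information types (SITs).

Added example, not Purview code. Detector regexes, checksum logic and the
sample prompt are constructed for the demo; real SIT definitions differ.
"""
import re
from dataclasses import dataclass

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Norwegian national identity number: exactly 11 digits (DDMMYYIIIKK)
NO_ID_CANDIDATE = re.compile(r"(?<!\d)\d{11}(?!\d)")

POLICY_TIP = ("The request can't be completed because it contains sensitive "
              "information that the organization has blocked Microsoft 365 Copilot from using.")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
_K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def _control_digit(digits: str, weights) -> int:
    """Mod-11 control digit; 11 maps to 0, 10 means no valid digit exists."""
    r = 11 - (sum(int(d) * w for d, w in zip(digits, weights)) % 11)
    return 0 if r == 11 else r


def norwegian_id_ok(digits: str) -> bool:
    """Validate both control digits of a Norwegian national identity number."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    k1 = _control_digit(digits[:9], _K1_WEIGHTS)
    if k1 == 10 or k1 != int(digits[9]):
        return False
    k2 = _control_digit(digits[:10], _K2_WEIGHTS)
    return k2 != 10 and k2 == int(digits[10])


@dataclass(frozen=True)
class Match:
    sit: str        # SIT name, mirroring the DLP rule's ContentContainsSensitiveInformation
    redacted: str   # value as it may appear in an audit log: never the full secret


def find_sits(text: str) -> list:
    """Return validated SIT matches; candidates failing their checksum are ignored (fewer false positives)."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(Match("Credit Card Number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in NO_ID_CANDIDATE.finditer(text):
        if norwegian_id_ok(m.group()):
            found.append(Match("Norway National Identity Number", m.group()[:6] + "*****"))
    return found


def evaluate_prompt(text: str, min_count: int = 1) -> dict:
    """Apply the rule: Block when at least min_count SIT matches are present, otherwise Allow."""
    matches = find_sits(text)
    blocked = len(matches) >= min_count
    return {
        "action": "Block" if blocked else "Allow",
        "matches": matches,
        "policy_tip": POLICY_TIP if blocked else None,
    }


if __name__ == "__main__":
    # Constructed prompt: a Luhn-valid test card number and a checksum-valid, synthetic identity number
    prompt = "Summarise my case: card 4111 1111 1111 1111, ID 01019012480"
    print(evaluate_prompt(prompt))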

**Implementation:**

- [Add network security perimeter to Azure OpenAI](https://learn.microsoft.com/en-us/azure/ai-foundry/openai/how-to/network-security-perimeter)
- [Add Foundry to a network security perimeter](https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/add-foundry-to-network-security-perimeter)

**Combine with:**

- Azure Private Link for network-level data isolation
- Azure RBAC for workload and user group access control
- Microsoft Entra ID for centralized authentication

### 2.3 Model Integrity Monitoring

**Concept:** Detect model drift and unauthorized modifications that may indicate extraction attempts or supply chain compromise.

**Approach:**

- **Digital signatures:** Verify model files with hash verification
- **Versioning:** Store models in Azure Blob Storage with versioning enabled
- **Audit trails:** Log all model-related activities (registration, deployment, access) in Azure Monitor
- **Automated scanning:** Integrate security validation pipelines that scan for embedded backdoors

**Azure Machine Learning Model Registry:**

```bash
# Example: register a model in the centralized registry with provenance tags
az ml model register \
  --name "my-verified-model" \
  --model-path "azureml://..." \
  --description "Verified model with signature" \
  --tags "verified=true" "hash=sha256:abc123..."
```

**Monitoring:**

```kusto
// Azure Monitor KQL: detect model downloads by identities outside the authorized set
AzureDiagnostics
| where ResourceType == "MICROSOFT.MACHINELEARNINGSERVICES/WORKSPACES"
| where OperationName == "ModelDownload"
| where Identity_claim_upn_s !in ("authorized-user@contoso.com")
| project TimeGenerated, Identity_claim_upn_s, ResourceId, OperationName
```

## 3. Membership Inference Protection

### 3.1 Differential Privacy

**Concept:** Apply differential privacy techniques so that attackers cannot infer whether specific data points were in the training set.

**Microsoft SmartNoise:** Microsoft co-developed SmartNoise, an open-source differential privacy system.
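The epsilon trade-off in this section is concrete once the mechanism is written out: for a mean over values clamped to a known range, one record can move the result by at most `(upper - lower) / n`, and the Laplace noise scale is that sensitivity divided by epsilon, so halving epsilon doubles the noise. The block below is an added example and not SmartNoise code; it implements the Laplace mechanism for a bounded mean with a simple privacy-budget ledger (sequential composition is an assumption chosen for clarity; SmartNoise's accountant is more sophisticated). The ages are constructed sample data.

```python
"""Laplace mechanism for a bounded mean, with a privacy-budget ledger.

Added example, not SmartNoise code. Budget accounting uses plain sequential
composition (an assumption for clarity); the data are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class PrivacyBudget:
    """Cumulative epsilon spent against one dataset; refuses queries once the budget is used up."""
    epsilon_total: float
    epsilon_spent: float = 0.0

    def charge(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.epsilon_spent + epsilon > self.epsilon_total + 1e-12:
            raise RuntimeError(
                f"privacy budget exhausted: spent {self.epsilon_spent:.3f} of {self.epsilon_total:.3f}")
        self.epsilon_spent += epsilon


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverse-CDF sampling."""
    u = rng.uniform(-0.5 + 1e-12, 0.5 - 1e-12)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def mean_sensitivity(lower: float, upper: float, n: int) -> float:
    """Largest change one record can cause to the clamped mean."""
    return (upper - lower) / n


def clamped_mean(values, lower: float, upper: float) -> float:
    clamped = [min(max(float(v), lower), upper) for v in values]
    return sum(clamped) / len(clamped)


def private_mean(values, lower: float, upper: float, epsilon: float,
                 budget: PrivacyBudget, rng: random.Random) -> float:
    """epsilon-DP estimate of the mean: clamp (bounds sensitivity), charge budget, add Laplace noise."""
    if not values:
        raise ValueError("empty dataset")
    budget.charge(epsilon)
    scale = mean_sensitivity(lower, upper, len(values)) / epsilon
    return clamped_mean(values, lower, upper) + laplace_sample(scale, rng)


if __name__ == "__main__":
    rng = random.Random(7)
    ages = [rng.randint(18, 90) for _ in range(1000)]   # constructed sample
    budget = PrivacyBudget(epsilon_total=1.0)
    print("exact   :", round(clamped_mean(ages, 18, 90), 2))
    for eps in (0.5, 0.5):                                # two queries use the whole budget
        print(f"eps={eps}:", round(private_mean(ages, 18, 90, eps, budget, rng), 2),
              "noise scale", round(mean_sensitivity(18, 90, len(ages)) / eps, 4))
    try:
        private_mean(ages, 18, 90, 0.1, budget, rng)
    except RuntimeError as exc:
        print("third query refused:", exc)
```

Two things the paragraph alone does not show: clamping is what makes the guarantee hold (an unbounded outlier would otherwise have unbounded influence, which is exactly what a membership-inference attacker exploits), and the budget is a shared resource across all queries on the dataset, so it must be tracked centrally rather than per call.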
**Repository:** [https://github.com/opendifferentialprivacy/smartnoise-core](https://github.com/opendifferentialprivacy/smartnoise-core)

**Use cases:**

- Fine-tuning on sensitive datasets (healthcare, financial)
- Training custom models on data containing PII
- Compliance with GDPR Article 25 (data protection by design)

**Integration with Azure Machine Learning:**

```python
# Module paths below are those of the opendp-smartnoise 0.2.x releases (assumed; newer
# releases ship the same classes under the snsql package)
from opendp.smartnoise.sql import PandasReader, PrivateReader
from opendp.smartnoise.sql.privacy import Privacy
from opendp.smartnoise.metadata import CollectionMetadata
import pandas as pd

# Load the sensitive data and the metadata describing its schema and value bounds
# (file names are placeholders)
df = pd.read_csv("sensitive_data.csv")
metadata = CollectionMetadata.from_file("sensitive_data.yaml")
reader = PandasReader(df, metadata)

# Apply differential privacy to the query: epsilon = 1.0 is the per-query budget
private_reader = PrivateReader(reader, metadata, privacy=Privacy(epsilon=1.0))
result = private_reader.execute("SELECT AVG(age) FROM data")
```

**Privacy budget management:**

- Epsilon (ε): Lower value = higher privacy, lower accuracy
- Delta (δ): Probability of a privacy breach
- Recommendation: ε ≤ 1.0 for high-sensitivity data

### 3.2 Encryption at Rest & In Transit

**Data at rest:**

- **FIPS 140-2 compliant 256-bit AES encryption** for all Azure OpenAI data
- **Customer-Managed Keys (CMK)** via Azure Key Vault for fine-tuned models and training data
- **Microsoft-managed keys** as the default (transparent encryption)

**Data in transit:**

- **TLS encryption** for all traffic between Databricks and model partners
- **Zero data retention endpoints** for partner-powered AI assistive features
- **Azure Private Link** for network-level isolation

**CMK configuration:**

```bash
# Enable a customer-managed key for Azure OpenAI
az cognitiveservices account update \
  --name myopenai \
  --resource-group myresourcegroup \
  --encryption KeyVaultKeyId=https://myvault.vault.azure.net/keys/mykey/version
```

**Key rotation:**

- Rotate keys on a defined schedule or on suspected key compromise
- Audit key usage via Azure Key Vault diagnostics

### 3.3 Training Data Provenance

**Concept:** Maintain non-repudiable data provenance records to verify that only authorized data was used in training.
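Sections 2.3 and 3.3 both rest on the same primitive: a record that binds the hashes of a model and its training inputs to an approval, such that later tampering with any artifact or with the record itself is detectable. The following is an added example and not Azure ML or Confidential AI code. It uses a keyed HMAC as a stand-in for the signature, which gives tamper evidence to anyone holding the key but not non-repudiation; for that, the record would be signed with an asymmetric key or produced inside an attested TEE as section 3.3 describes. File names, contents and the key are constructed for the demo.

```python
"""Hash-based integrity and provenance record for a model and its training data.

Added example, not Azure ML or Confidential AI code. HMAC stands in for a real
signature (assumption); artifacts and key are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large model weights do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(record: dict) -> bytes:
    # Sorted keys and no whitespace: the same record always produces the same bytes to sign
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _mac(record: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def build_record(model_path: str, data_paths, approved_by: str, key: bytes) -> dict:
    """Bind the model hash, the training-data hashes and the approver into one protected record."""
    record = {
        "created_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "approved_by": approved_by,
        "model": {"path": os.path.basename(model_path), "sha256": sha256_file(model_path)},
        "training_data": [{"path": os.path.basename(p), "sha256": sha256_file(p)}
                          for p in sorted(data_paths)],
    }
    return {"record": record, "mac": _mac(record, key)}


def verify(signed: dict, key: bytes, paths_by_name: dict) -> list:
    """Return a list of problems; empty means the record and every artifact check out."""
    problems = []
    if not hmac.compare_digest(_mac(signed["record"], key), signed["mac"]):
        # Nothing inside the record can be trusted if the record itself was altered
        return ["record MAC mismatch: provenance record altered or wrong key"]
    rec = signed["record"]
    for entry in [rec["model"]] + rec["training_data"]:
        path = paths_by_name.get(entry["path"])
        if path is None:
            problems.append(f"missing artifact: {entry['path']}")
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch for {entry['path']}")
    return problems


def demo() -> list:
    """Build a record over constructed files, then tamper with the model and re-verify."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as d:
        model = os.path.join(d, "model.bin")
        data = [os.path.join(d, "train_a.csv"), os.path.join(d, "train_b.csv")]
        for p, content in zip([model] + data, [b"weights", b"a,b\n1,2\n", b"a,b\n3,4\n"]):
            with open(p, "wb") as f:
                f.write(content)
        paths = {os.path.basename(p): p for p in [model] + data}
        signed = build_record(model, data, "ml-reviewer@contoso.com", key)
        before = verify(signed, key, paths)
        with open(model, "ab") as f:
            f.write(b"extra")            # simulate an unauthorized modification
        after = verify(signed, key, paths)
        return [before, after]


if __name__ == "__main__":
    print(demo())
```

Note the ordering inside `verify`: the record's own MAC is checked first and the function returns immediately on failure, because a forged record could carry hashes that match forged artifacts. That check, not the per-file hashing, is what a tampering attempt on the registry has to defeat.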
**Confidential AI with Azure Confidential Computing:**

- **Attestation:** Data providers authorize use of datasets for specific tasks (verified by attestation)
- **Confidential training:** Data remains protected in use via Trusted Execution Environments (TEEs)
- **Provenance records:** Generate non-repudiable logs of data/model lineage

**Usage:**

- Medical diagnosis models (HIPAA compliance)
- Financial risk assessment (SOX, PCI-DSS)
- Business analysis involving corporate IP

## 4. DLP Policy Enforcement Across AI Workloads

### 4.1 Multi-Layered Content Filtering

**Concept:** Implement filtering in three layers: input, internal processing, output.

**Layer 1: Input filtering**

- **Azure AI Content Safety (Prompt Shield):** Scan user inputs for attack patterns (hate speech, violence, adversarial inputs)
- **Azure API Management:** Enforce rate-limiting, schema validation, authentication policies
- **Data format validation:** Reject malformed inputs

**Layer 2: Internal processing validation**

- **Azure Machine Learning model monitoring:** Track intermediate outputs, detect anomalies during inference
- **Azure Defender for Cloud:** Scan runtime environments for adversarial behavior
- **Robustness testing:** Validate behavior under adversarial conditions

**Layer 3: Output filtering**

- **Azure AI Content Safety:** Block harmful responses (bias, non-compliant content)
- **Validation logic:** Cross-check outputs against organizational policies via Azure Functions
- **Logging:** Log all inputs/outputs in Azure Monitor for traceability

**Example architecture:**

```
User Prompt
    ↓
[Azure API Management] → Rate-limit, Auth, Schema Validation
    ↓
[Prompt Shield] → Detect malicious patterns
    ↓
[Azure OpenAI] → Process prompt
    ↓
[AML Model Monitoring] → Detect anomalies
    ↓
[Content Safety Output Filter] → Block harmful content
    ↓
[Azure Functions Validator] → Cross-check policies
    ↓
[Azure Monitor] → Log interaction
    ↓
Response to User
```

### 4.2 Endpoint DLP for Third-Party AI

**Concept:** Prevent sensitive data leakage to third-party generative AI sites (ChatGPT, Claude, etc.) via browser-based interactions.

**Microsoft Purview Endpoint DLP:**

- **Windows onboarding:** Onboard Windows computers to Microsoft Purview
- **Policy enforcement:** Block or warn users when pasting sensitive information into third-party AI sites
- **Supported actions:** Block paste, block upload, warn with override

**Example:** A user tries to paste a credit card number into ChatGPT → Purview Endpoint DLP blocks the action or shows a warning.

**Configuration:**

```powershell
# Endpoint DLP policies target the Devices location, not Exchange
New-DlpCompliancePolicy -Name "Block AI Site Data Leak" -EndpointDlpLocation All

# The generative-AI sites themselves are defined as a sensitive service domain group
# in the DLP settings of the Purview portal; the rule below applies the device restriction.
# Restriction setting names vary by release; confirm with Get-Help New-DlpComplianceRule.
New-DlpComplianceRule `
    -Name "Block Credit Card to ChatGPT" `
    -Policy "Block AI Site Data Leak" `
    -ContentContainsSensitiveInformation @{Name="Credit Card Number"; MinCount="1"} `
    -EndpointDlpRestrictions @(@{Setting="CopyPaste"; Value="Block"}) `
    -NotifyUser Owner
```

**Supported platforms:** Windows computers with the Endpoint DLP agent installed.

### 4.3 Insider Risk Management for AI Interactions

**Concept:** Detect risky AI use via machine learning-based anomaly detection.

**Microsoft Purview Insider Risk Management:**

- **Risky interaction detection:** Attempted prompt injection, use of sensitive data
- **Adaptive protection:** Block high-risk users from accessing sensitive content via Copilot
- **Alerts:** Real-time alerts for policy violations

**Policy templates:**

- "DSPM for AI - Detect risky AI usage"
- "DSPM for AI - Unethical behavior in AI apps"
- "DSPM for AI - Protect sensitive data from Copilot processing"

**One-click policies from DSPM for AI (classic):** Enabled via Microsoft Purview portal → DSPM for AI → Recommendations.

## 5. Cache Security Management

### 5.1 Prompt History Isolation

**Concept:** Prevent shared caches or prompt history from exposing sensitive information across users or sessions.
**Microsoft 365 Copilot:**

- **User context isolation:** Prompts run in the security context of the user who initiates the prompt
- **Permission enforcement:** Users only see items they have permissions to
- **No cross-user cache leakage:** Copilot does not share data between users

### 5.2 Azure OpenAI Prompt Caching

**Concept:** Azure OpenAI does not support persistent prompt caching across users. Each API call is stateless (unless conversation history is sent explicitly in the request).

**Security:**

- **Stateless API:** No automatic sharing of prompts between users
- **Token usage logging:** Log all token usage for audit purposes
- **Customer-controlled retention:** Customers control retention of conversation history

### 5.3 Databricks Assistant Cache Protection

**DatabricksIQ Trust & Safety:**

- **No training on user data:** Databricks does not train foundation models on data submitted to the features
- **No cross-customer data sharing:** Data is not used to generate suggestions for other customers
- **Zero data retention (model partners):** Partner-powered AI features use zero data retention endpoints
- **Data residency controls:** DatabricksIQ-powered features comply with data residency boundaries (Geos)
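The cache leakage risk in this section is easiest to see with the leaky and the isolated design side by side. Below is an added example, not Copilot or Azure OpenAI code: a custom AI application that caches prompt/response pairs keyed by prompt text alone will hand one user's response to any other user who types the same prompt, while a cache keyed by (tenant, user, prompt hash) with a retention TTL does not. The clock is injectable so that expiry is deterministic; prompts and responses are constructed.

```python
"""Prompt/response cache scoping: the leaky design beside the isolated one.

Added example, not Copilot or Azure OpenAI code. Sample prompts and
responses are constructed; an injectable clock makes TTL purging deterministic.
"""
import hashlib
import time


class NaivePromptCache:
    """Keyed by prompt text only: the 'before' design that leaks across users."""

    def __init__(self):
        self._store = {}

    def get(self, prompt: str):
        return self._store.get(prompt)

    def put(self, prompt: str, response: str) -> None:
        self._store[prompt] = response


class ScopedPromptCache:
    """Keyed by (tenant, user, prompt hash) with a TTL: no entry is reachable from another identity."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store = {}   # key -> (response, expiry timestamp)

    @staticmethod
    def _key(tenant: str, user: str, prompt: str) -> tuple:
        # Hashing the prompt keeps the raw text out of the key space (and out of key dumps)
        digest = hashlib.sha256(prompt.encode("utf-8")).hexdigest()
        return (tenant, user, digest)

    def get(self, tenant: str, user: str, prompt: str):
        key = self._key(tenant, user, prompt)
        entry = self._store.get(key)
        if entry is None:
            return None
        response, expires_at = entry
        if self.clock() >= expires_at:      # expired: treat as a miss and drop it
            del self._store[key]
            return None
        return response

    def put(self, tenant: str, user: str, prompt: str, response: str) -> None:
        self._store[self._key(tenant, user, prompt)] = (response, self.clock() + self.ttl)

    def purge_expired(self) -> int:
        """Retention job: remove every expired entry and report how many were dropped."""
        now = self.clock()
        expired = [k for k, (_, exp) in self._store.items() if now >= exp]
        for k in expired:
            del self._store[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._store)


if __name__ == "__main__":
    prompt = "Summarise my latest payslip"
    alice_response = "Alice: net pay 45,000 NOK in April"   # constructed

    leaky = NaivePromptCache()
    leaky.put(prompt, alice_response)
    print("naive cache, Bob asks the same question:", leaky.get(prompt))   # Alice's data

    scoped = ScopedPromptCache(ttl_seconds=300)
    scoped.put("contoso", "alice", prompt, alice_response)
    print("scoped cache, Bob asks the same question:", scoped.get("contoso", "bob", prompt))   # None
```

The same keying rule applies to semantic caches (keyed by embedding similarity rather than exact text), where the leak is harder to spot because two different users' prompts only need to be similar, not identical, to collide.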
## 6. Practical Architecture Patterns

### 6.1 Defense-in-Depth for AI Leakage Prevention

**Layer 1: Network isolation**

- Azure Private Link
- Network Security Perimeter
- VNet integration

**Layer 2: Identity & Access** *(Verified MCP 2026-04)*

- Microsoft Entra ID RBAC
- Managed Identity (for secure authentication without stored credentials — per CAF Secure AI)
- Separation of duties (developers, reviewers, operators)
- Virtual networks for isolating AI communication channels

**Layer 3: Data protection**

- Microsoft Purview DLP (prompt + file/email blocking)
- Sensitivity labels (automatic inheritance)
- Data classification (PII, financial, IP)

**Layer 4: Model security**

- Model registry with approval workflows
- Automated security scanning (hash verification, backdoor detection)
- Version control in Azure Storage with versioning

**Layer 5: Runtime protection**

- Azure AI Content Safety (Prompt Shield + Output Filter)
- Azure Defender for AI Services (threat detection)
- AML Model Monitoring (drift detection, anomaly detection)

**Layer 6: Audit & Compliance**

- Microsoft Purview Audit (unified audit log for AI activities)
- Azure Monitor (centralized logging)
- Activity explorer (DSPM for AI)

### 6.2 Azure OpenAI + Purview DLP Reference Architecture

```
┌────────────────────────────────────────────────────────────┐
│ User (M365 Copilot)                                        │
└────────────────────────────────────────────────────────────┘
                              ↓
┌────────────────────────────────────────────────────────────┐
│ Microsoft Purview DLP Policy Engine                        │
│ - Scan prompt for SITs (credit card, SSN, etc.)            │
│ - Check file sensitivity labels                            │
│ - Block processing if policy match                         │
└────────────────────────────────────────────────────────────┘
                              ↓ (if allowed)
┌────────────────────────────────────────────────────────────┐
│ Microsoft 365 Copilot                                      │
│ - Entra ID RBAC (user context isolation)                   │
│ - Grounding on SharePoint/OneDrive (permission-enforced)   │
└────────────────────────────────────────────────────────────┘
                              ↓
┌────────────────────────────────────────────────────────────┐
│ Azure OpenAI Service                                       │
│ - Private endpoint (NSP)                                   │
│ - Outbound URL restriction (DLP)                           │
│ - CMK encryption at rest                                   │
│ - TLS in transit                                           │
└────────────────────────────────────────────────────────────┘
                              ↓
┌────────────────────────────────────────────────────────────┐
│ Azure AI Content Safety                                    │
│ - Output filter (harmful content)                          │
│ - Validation against org policies                          │
└────────────────────────────────────────────────────────────┘
                              ↓
┌────────────────────────────────────────────────────────────┐
│ Microsoft Purview Audit                                    │
│ - Log prompt, response, referenced files                   │
│ - Activity explorer (DSPM for AI)                          │
└────────────────────────────────────────────────────────────┘
```

### 6.3 Enterprise AI Gateway Pattern

**Concept:** Centralize all AI traffic through Azure API Management as an AI Gateway. Azure API Management can now also secure Model Context Protocol (MCP) server endpoints. *(Verified MCP 2026-04)*

**Benefits:**

- **Unified security policies:** Enforce authentication, DLP and rate-limiting in one place
- **Traffic monitoring:** Log all API usage for audit
- **Cost control:** Track token usage per team/project
- **Model versioning:** Route requests to different model versions based on policy
- **MCP endpoint security:** Deploy Azure API Management to secure MCP server endpoints (new capability) *(Verified MCP 2026-04)*

**Architecture:**

```
Applications
    ↓
[Azure API Management (AI Gateway)]
  - Entra ID authentication
  - Rate-limiting (TPM, RPM)
  - DLP policy enforcement (allowedFqdnList check)
  - Token usage logging
    ↓
[Azure OpenAI] or [Custom Models] or [Copilot Studio]
```

**Configuration:**

```bash
# Deploy API Management with a system-assigned managed identity
az apim create \
  --name myaigateway \
  --resource-group myresourcegroup \
  --publisher-email admin@contoso.com \
  --publisher-name Contoso \
  --sku-name Developer \
  --enable-managed-identity true

# Expose Azure OpenAI behind the gateway; Entra ID authentication and
# rate-limiting are then applied as APIM policies on this API
az apim api create \
  --resource-group myresourcegroup \
  --service-name myaigateway \
  --api-id openai-api \
  --path "/openai" \
  --display-name "Azure OpenAI Gateway" \
  --service-url "https://myopenai.openai.azure.com" \
  --protocols https \
  --subscription-required true
```
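The gateway diagram above lists three enforcement points (RPM/TPM rate-limiting, an `allowedFqdnList`-style egress check on tool calls, token usage logging) without showing how they interact. The block below is an added example, not Azure API Management code: a small policy object that a custom gateway could apply before forwarding a request. Assumptions: 60-second sliding windows for both limits; a tool-call host must match an allowed FQDN exactly (subdomains are not implied, which is the stricter reading of section 2.1's list); token counts come from the request and response metadata. The clock is injectable and all callers and URLs are constructed.

```python
"""AI gateway policy checks: per-caller RPM/TPM limits, egress allowlist, usage log.

Added example, not Azure API Management code. Window length, exact-host
matching and the sample callers/URLs are assumptions for the demo.
"""
import collections
import json
import time
from urllib.parse import urlsplit

WINDOW_SECONDS = 60.0


class AIGatewayPolicy:
    def __init__(self, rpm_limit: int, tpm_limit: int, allowed_fqdns, clock=time.monotonic):
        self.rpm_limit = rpm_limit
        self.tpm_limit = tpm_limit
        self.allowed = {f.lower().rstrip(".") for f in allowed_fqdns}
        self.clock = clock
        self._requests = collections.defaultdict(collections.deque)   # caller -> deque[(ts, 1)]
        self._tokens = collections.defaultdict(collections.deque)     # caller -> deque[(ts, tokens)]
        self.audit_log = []                                           # JSON lines, one per decision

    @staticmethod
    def _prune(dq, now: float) -> None:
        while dq and now - dq[0][0] >= WINDOW_SECONDS:
            dq.popleft()

    def tokens_last_window(self, caller: str) -> int:
        dq = self._tokens[caller]
        self._prune(dq, self.clock())
        return sum(t for _, t in dq)

    def admit(self, caller: str, prompt_tokens: int) -> str:
        """Decide on an inbound request: 'allow', 'deny:rpm' or 'deny:tpm'."""
        now = self.clock()
        reqs = self._requests[caller]
        self._prune(reqs, now)
        used = self.tokens_last_window(caller)
        if len(reqs) >= self.rpm_limit:
            decision = "deny:rpm"
        elif used + prompt_tokens > self.tpm_limit:
            decision = "deny:tpm"
        else:
            decision = "allow"
            reqs.append((now, 1))
            self._tokens[caller].append((now, prompt_tokens))
        self._log(caller, "request", decision, prompt_tokens)
        return decision

    def record_completion(self, caller: str, completion_tokens: int) -> None:
        """Completion tokens count against the same TPM window as prompt tokens."""
        self._tokens[caller].append((self.clock(), completion_tokens))
        self._log(caller, "completion", "allow", completion_tokens)

    def tool_call_allowed(self, caller: str, url: str) -> bool:
        """Egress check for tool/plugin calls: the host must be on the allowlist exactly."""
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        ok = host in self.allowed
        self._log(caller, "tool_call", "allow" if ok else "deny:egress", 0, host=host)
        return ok

    def _log(self, caller, event, decision, tokens, **extra) -> None:
        entry = {"ts": round(self.clock(), 3), "caller": caller, "event": event,
                 "decision": decision, "tokens": tokens, **extra}
        self.audit_log.append(json.dumps(entry, sort_keys=True))


if __name__ == "__main__":
    gw = AIGatewayPolicy(rpm_limit=3, tpm_limit=1000,
                         allowed_fqdns=["contoso.com", "api.trustedpartner.com"])
    for _ in range(4):
        print(gw.admit("team-finance", 100))        # allow, allow, allow, deny:rpm
    print(gw.tool_call_allowed("team-finance", "https://api.trustedpartner.com/v1/lookup"))          # True
    print(gw.tool_call_allowed("team-finance", "https://api.trustedpartner.com.example.net/v1/x"))   # False
    print("\n".join(gw.audit_log))
```

The denial of the look-alike host `api.trustedpartner.com.example.net` is the reason exact matching was chosen: suffix or substring matching on the allowlist would accept it. Every decision, including denials, goes into the usage log, because the denied requests are the ones an investigation needs most.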
## 7. Compliance & Audit

### 7.1 Unified Audit Log for AI Activities

**Microsoft Purview Audit:**

- **Captured events:** Prompts, responses, referenced files, sensitivity labels
- **Context:** User, timestamp, service, files accessed
- **Retention:** Configurable (90 days to 10 years)

**Query AI activities:**

```powershell
# Search the unified audit log for Copilot activities in the last 7 days
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "CopilotInteraction"
```

**Activity Explorer (DSPM for AI):**

- Visual dashboard for AI interactions
- Filter by user, sensitivity label, SIT, time range
- Export for compliance reporting

### 7.2 Data Security Posture Management (DSPM) for AI

**Capabilities:**

- **Data risk assessments:** Identify oversharing risks
- **Recommendations:** "Protect your data from potential oversharing risks"
- **One-click policies:** Deploy DLP policies directly from recommendations
- **Compliance Manager integration:** Map controls to regulatory templates (GDPR, HIPAA, etc.)

**Rollout:**

- **DSPM for AI (classic):** Generally available
- **DSPM (preview):** New version with an enhanced AI activities tab

### 7.3 Regulatory Compliance Mapping

| Regulation | Relevant DLP Controls | Microsoft Purview Tools |
|------------|----------------------|-------------------------|
| **GDPR Art. 25** | Data protection by design, minimize data processing | Sensitivity labels, DLP for Copilot, Differential Privacy |
| **HIPAA** | Protect PHI in AI interactions | DLP rules for PHI SITs, CMK encryption, Confidential AI |
| **PCI-DSS** | Protect cardholder data | DLP rules for credit card SITs, Outbound URL restriction |
| **SOX** | Protect financial records | Sensitivity labels (Highly Confidential), Audit logs |
| **CCPA** | Protect consumer personal data | DLP rules for California SITs, Data residency controls |
| **AI Act (EU)** | Risk management, transparency | DSPM for AI, Audit logs, Model provenance |
## 8. Tooling & Automation

### 8.1 PowerShell Module: ExchangePowerShell

**Key cmdlets:**

- `New-DlpCompliancePolicy`: Create a DLP policy
- `New-DlpComplianceRule`: Add a rule to a policy
- `Get-DlpCompliancePolicy`: List policies
- `Set-DlpPolicy`: Update an existing policy
- `Get-Label`: List sensitivity labels with GUIDs

**Install:**

```powershell
Install-Module -Name ExchangeOnlineManagement
Connect-IPPSSession
```

### 8.2 Azure CLI Extensions

```bash
# Cognitive Services DLP
az cognitiveservices account show -g myresourcegroup -n myaccount
az rest -m patch -u /subscriptions/.../accounts/myaccount?api-version=2024-10-01 -b '{...}'

# Monitor AI activities
az monitor activity-log list --resource-group myresourcegroup --resource-type "Microsoft.CognitiveServices/accounts"
```

### 8.3 GitHub Samples

**Microsoft Purview API integration:**

- **Sample:** [serverless-chat-langchainjs-purview](https://github.com/Azure-Samples/serverless-chat-langchainjs-purview)
- **Use case:** Integrate an Entra-registered AI app with Purview APIs for DLP enforcement

**Counterfit (AI security testing):**

- **Repository:** [https://github.com/Azure/counterfit/](https://github.com/Azure/counterfit/)
- **Use case:** Simulate cyberattacks against AI systems to validate DLP controls

**PyRIT (Python Risk Identification Toolkit):**

- **Repository:** [https://azure.github.io/PyRIT/](https://azure.github.io/PyRIT/)
- **Use case:** Red teaming of AI systems for prompt injection, jailbreak and data exfiltration testing
## 9. Monitoring & Detection

### 9.1 Microsoft Defender for AI Services

**Capabilities:**

- **AI threat protection:** Detect prompt injection, model manipulation, jailbreak attempts
- **Continuous monitoring:** Monitor model inference, API calls, plugin interactions
- **Integration:** Azure Sentinel for SIEM correlation with MITRE ATLAS and OWASP LLM Top 10

**Deployment:**

```bash
# Defender plans are enabled per subscription (no resource group scope)
az security pricing create \
  --name "AI" \
  --tier "Standard"
```

### 9.2 Anomaly Detection for AI Workloads

**Azure AI Anomaly Detector:**

- **Metrics:** API request patterns, model confidence scores, token usage
- **Alerts:** Unusual spikes in API calls, unexpected model outputs, irregular data access

**KQL query for anomaly detection:**

```kusto
AzureDiagnostics
| where ResourceType == "MICROSOFT.COGNITIVESERVICES/ACCOUNTS"
| where OperationName == "Inference"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), CallerIpAddress
| where RequestCount > 1000 // Threshold
| project TimeGenerated, CallerIpAddress, RequestCount
```

### 9.3 Alerting & Incident Response

**Azure Monitor Alerts:**

```bash
az monitor metrics alert create \
  --name "High Token Usage Alert" \
  --resource-group myresourcegroup \
  --scopes "/subscriptions/.../providers/Microsoft.CognitiveServices/accounts/myopenai" \
  --condition "total TokensUsed > 100000" \
  --window-size 5m \
  --evaluation-frequency 1m \
  --action-group "/subscriptions/.../actionGroups/ai-security-team"
```

**Incident response workflow:**

1. **Alert triggered** (e.g., suspected data exfiltration)
2. **Azure Sentinel** → Correlate with threat intelligence
3. **Purview Audit** → Retrieve prompt/response logs
4. **Block user** → Via Adaptive Protection (Insider Risk Management)
5. **Rotate keys** → If API key compromise is suspected
6. **Post-incident review** → Update DLP policies
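The KQL query in 9.2 uses a static threshold, which is simple but either misses a quiet extraction campaign from a low-volume caller or pages on a busy legitimate integration. The block below is an added example, not the Azure Monitor query: it reproduces the same hourly count per caller in Python over constructed diagnostic records, applies the static threshold, and adds a per-caller robust baseline (median + k·MAD over that caller's hourly buckets) that flags a spike relative to the caller's own history. Field names mimic `AzureDiagnostics` and are assumed; IP addresses are documentation ranges.

```python
"""Hourly request-rate anomaly detection over AI diagnostic logs.

Added example, not the Azure Monitor KQL. Log records are constructed JSON
lines with assumed AzureDiagnostics-style field names.
"""
import json
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

HOUR_FORMAT = "%Y-%m-%dT%H:00Z"


def constructed_sample_log() -> list:
    """Three callers over three hours; one caller spikes in the third hour (constructed data)."""
    base = datetime(2026, 5, 4, 8, 0, tzinfo=timezone.utc)
    profile = {"203.0.113.10": [5, 5, 40], "198.51.100.7": [5, 4, 6], "192.0.2.25": [3, 3, 2]}
    lines = []
    for ip, per_hour in profile.items():
        for hour, n in enumerate(per_hour):
            for i in range(n):
                ts = base + timedelta(hours=hour, minutes=i)
                lines.append(json.dumps({
                    "TimeGenerated": ts.isoformat(),
                    "ResourceType": "MICROSOFT.COGNITIVESERVICES/ACCOUNTS",
                    "OperationName": "Inference",
                    "CallerIpAddress": ip,
                }))
    return lines


def hourly_counts(lines) -> Counter:
    """Equivalent of `summarize RequestCount = count() by bin(TimeGenerated, 1h), CallerIpAddress`."""
    counts = Counter()
    for line in lines:
        r = json.loads(line)
        if r.get("ResourceType") != "MICROSOFT.COGNITIVESERVICES/ACCOUNTS":
            continue
        if r.get("OperationName") != "Inference":
            continue
        bucket = datetime.fromisoformat(r["TimeGenerated"]).strftime(HOUR_FORMAT)
        counts[(bucket, r["CallerIpAddress"])] += 1
    return counts


def flag_static(counts: Counter, threshold: int) -> list:
    """The KQL's `where RequestCount > threshold`, as (hour, caller, count) tuples."""
    return sorted((hour, ip, c) for (hour, ip), c in counts.items() if c > threshold)


def flag_robust(counts: Counter, k: float = 3.0, min_mad: float = 1.0) -> list:
    """Flag buckets above the caller's own median + k*MAD (MAD floored so a flat history still alerts)."""
    per_caller = defaultdict(list)
    for (hour, ip), c in counts.items():
        per_caller[ip].append((hour, c))
    flagged = []
    for ip, buckets in per_caller.items():
        values = [c for _, c in buckets]
        if len(values) < 3:                       # too little history for a baseline
            continue
        med = statistics.median(values)
        mad = max(statistics.median(abs(v - med) for v in values), min_mad)
        limit = med + k * mad
        flagged.extend((hour, ip, c, limit) for hour, c in buckets if c > limit)
    return sorted(flagged)


if __name__ == "__main__":
    counts = hourly_counts(constructed_sample_log())
    print("static  (>1000):", flag_static(counts, 1000))   # nothing: threshold too high for this tenant
    print("static  (>20):  ", flag_static(counts, 20))
    print("robust  (k=3):  ", flag_robust(counts))
```

With the page's threshold of 1000 the constructed spike is invisible, while the robust baseline flags it without any tuning; in practice both are worth running, the static rule as a hard ceiling and the baseline as the per-caller signal.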
## 10. Recommendations for Cosmo Skyberg

### For Azure OpenAI

1. **Always enable outbound URL restriction** (`restrictOutboundNetworkAccess: true`) with allowlisted FQDNs
2. **Use Private Link + NSP** for production deployments
3. **Enable CMK encryption** when fine-tuning on sensitive data
4. **Log all API calls** to Azure Monitor with a minimum of 90 days retention

### For Microsoft 365 Copilot

1. **Deploy DLP policies for prompts** (SIT detection) and files/emails (sensitivity labels)
2. **Combine with Sensitivity Labels** — auto-classify data, inherit protection
3. **Enable Insider Risk Management** for risky AI interaction detection
4. **Use DSPM for AI** for continuous posture assessment

### For Custom AI Applications

1. **Implement an AI Gateway** (Azure API Management) for unified security
2. **Multi-layered content filtering** (input → processing → output)
3. **Integrate Purview APIs** for DLP enforcement in custom apps
4. **Red team regularly** with PyRIT, Counterfit, Azure AI Red Teaming Agent

### For Compliance & Audit

1. **Enable the Unified Audit Log** for all AI services
2. **Map DLP policies to regulations** (GDPR, HIPAA, PCI-DSS, etc.)
3. **Use Activity Explorer** for visual analysis of AI interactions
4. **Document decisions** in ADRs when choosing a DLP strategy

### Security Checklist

- [ ] Outbound URL restriction enabled on Azure OpenAI?
- [ ] DLP policy for Copilot prompts (SITs) deployed?
- [ ] DLP policy for Copilot files/emails (sensitivity labels) deployed?
- [ ] Private Link + NSP configured?
- [ ] CMK encryption enabled for fine-tuned models?
- [ ] Unified Audit Log enabled (90+ days retention)?
- [ ] Insider Risk Management policies active?
- [ ] AI Gateway (APIM) deployed with rate-limiting + auth?
- [ ] Multi-layered content filtering (Azure AI Content Safety)?
- [ ] Red teaming plan established (quarterly)?
- [ ] Incident response runbook documented?
## For Cosmo Skyberg

**When to use this:**

- A customer asks "how do we prevent data leakage in AI solutions"
- Compliance requirements (GDPR, HIPAA) demand DLP for AI workloads
- A security assessment reveals risk of prompt injection or model extraction
- An enterprise AI deployment needs a defense-in-depth strategy

**Practical approach:**

1. **Start with a risk assessment:** Which data is most sensitive? Which leakage vectors are most likely?
2. **Prioritize quick wins:** Deploy Microsoft Purview DLP for Copilot (prompts + files) — gives immediate risk reduction
3. **Build layer by layer:** Network isolation → Data protection → Model security → Runtime monitoring
4. **Automate enforcement:** Use one-click policies from DSPM for AI
5. **Validate with red teaming:** Run PyRIT/Counterfit before production rollout

**Combine with other knowledge files:**

- `prompt-injection-defense-mechanisms.md` — for input validation strategies
- `jailbreak-prevention-strategies.md` — for output filtering and behavioral controls
- `ai-threat-modeling.md` — for systematic risk identification
- `rag-security-patterns.md` — for grounding data protection (when it exists)
- `azure-ai-services/document-intelligence-security.md` — for PII redaction in documents (when it exists)

**Typical architecture recommendation:**

> "To protect against data leakage I recommend a multi-layered approach:
> 1. **Prompt level:** Microsoft Purview DLP to block sensitive SITs in Copilot prompts.
> 2. **Model level:** Outbound URL restriction on Azure OpenAI + Private Link for network isolation.
> 3. **Output level:** Azure AI Content Safety to filter harmful/non-compliant responses.
> 4. **Audit level:** Unified Audit Log + DSPM for AI for continuous monitoring.
> This gives defense-in-depth with preventive, detective and corrective controls."
**Microsoft Learn sources:**

- [Microsoft Purview DLP for Copilot](https://learn.microsoft.com/en-us/purview/dlp-microsoft365-copilot-location-learn-about)
- [Azure AI Services DLP](https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-data-loss-prevention)
- [Secure AI (Cloud Adoption Framework)](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/ai/secure) — Verified MCP 2026-04: confirms the use of Microsoft Purview DLP for AI workflows, content filtering to prevent sensitive information leakage, and Purview Insider Risk Management for detecting prompt-based data exfiltration and identifying risky AI behavior.
- [Artificial Intelligence Security (MCSB)](https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-v2-artificial-intelligence-security)
- [Confidential AI](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-ai)