Updates across all 5 skills: ms-ai-advisor, ms-ai-engineering, ms-ai-governance, ms-ai-security, ms-ai-infrastructure.
Key changes:
- Language Services (Custom Text Classification, Text Analytics, QnA): retirement warning 2029-03-31, migration guides to Foundry/GPT-4o
- Agentic Retrieval: 50M free reasoning tokens/month (Public Preview)
- Computer Use: Claude Sonnet 4.5 (preview) + OpenAI CUA models
- Agent Registry: Risks column (M365 E7), user-shared/org-published types
- Declarative agents: schema v1.5 → v1.6, Store validation requirements
- MLflow 3: 13 built-in LLM judges, production monitoring, Genie Code
- AG-UI HITL: ApprovalRequiredAIFunction (C#) + @tool(approval_mode) (Python)
- Entra ID Ignite 2025: Agent ID Admin/Developer RBAC roles, Conditional Access
- Security Copilot: 400 SCU/month per 1000 M365 E5 licenses, auto-provisioned
- Fast Transcription API: phrase lists, 14-language multi-lingual transcription
- Azure Monitor Workbooks: Bicep support, RBAC specifics
- Power Platform Copilot: data residency (Norway/Europe → EU DB, Bing → USA)
- RAG security-rbac: 4-approach table (GA + 3 preview access control methods)
- IaC MLOps: Well-Architected OE:05 principles, Bicep/Terraform patterns
- Translator: image file batch translation Preview (JPEG/PNG/BMP/WebP)
All 106 files: Last updated 2026-04 | Verified: MCP 2026-04
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Data Leakage Prevention in AI Contexts
Category: AI Security Engineering | Last updated: 2026-04 | Verified: MCP 2026-04 | Target audience: Enterprise AI architects and security teams
Overview
Data leakage prevention (DLP) in an AI context covers protection against unintended or malicious exposure of sensitive information through AI models, prompts, and responses. This document covers the Microsoft platform's tools and patterns for preventing data leakage in three critical layers: prompt context isolation, model extraction defense, and membership inference protection.
Key risks:
- Prompt-based leakage: Users inject sensitive information into prompts that is then processed or stored without control
- Model extraction: Attackers use API access to reverse-engineer proprietary models
- Membership inference: Attackers deduce whether specific data was in the training set
- Cache leakage: Sensitive information is exposed via shared caches or prompt history
- Response leakage: AI models reveal PII, IP, or confidential data in answers
1. Prompt Context Isolation
1.1 Microsoft Purview DLP for Microsoft 365 Copilot
Concept: Prevent Copilot from processing sensitive prompts in real time by blocking prompts that contain sensitive information types (SITs).
Capabilities:
- Prompt scanning: Deep content inspection of user prompts before processing
- Sensitive information type (SIT) detection: Detection of credit card numbers, national identity numbers, passport numbers, etc.
- Real-time blocking: Prevents Copilot from returning an answer when the prompt contains sensitive data
- Web search blocking: Blocks use of sensitive data in both internal and external web searches
Policy configuration:
# Example: block Norwegian national identity numbers in Copilot prompts (add a second rule with the "Credit Card Number" SIT to cover card numbers)
New-DlpCompliancePolicy `
-Name "Copilot Prompt Protection" `
-Comment "Prevents sensitive data in prompts" `
-Locations "[{\"Workload\":\"Applications\",\"Location\":\"470f2276-e011-4e9d-a6ec-20768be3a4b0\",\"Inclusions\":[{Type:\"Tenant\", Identity:\"All\"}]}]" `
-EnforcementPlanes @("CopilotExperiences") `
-Mode Enable
New-DlpComplianceRule `
-Name "Block Norway SSN in Prompts" `
-Policy "Copilot Prompt Protection" `
-ContentContainsSensitiveInformation @{Name="Norway National Identity Number"; MinCount="1"} `
-RestrictAccess @(@{setting="ProcessingPrompts";value="Block"}) `
-NotifyUser Owner `
-NotifyPolicyTipDisplayOption "Dialog"
Supported locations: (Verified MCP 2026-04)
- Microsoft 365 Copilot and Copilot Chat (including pre-built agents)
- Copilot in Word, Excel, PowerPoint
- The policy location is only available in the Custom policy template
- All other locations in the policy are disabled when this location is selected
Limitations:
- "Content contains sensitive info types" and "Content contains sensitivity labels" cannot be combined in the same rule
- Policy updates take up to 4 hours to take effect
- Admin units are not supported
- DLP cannot scan the content of files uploaded directly in prompts; only the prompt text itself is evaluated (Verified MCP 2026-04)
User experience: When a user tries to send a prompt containing a blocked SIT, the following message is shown: "The request can't be completed because it contains sensitive information that the organization has blocked Microsoft 365 Copilot from using."
1.2 Sensitivity Label-basert Blocking
Concept: Prevent Copilot from processing files and emails with specific sensitivity labels in response summaries.
Use case example: The organization has the labels "Highly Confidential", "Confidential", "Internal", "Public", and "Personal". It wants to exclude "Personal" and "Highly Confidential" from Copilot processing to meet GDPR and compliance requirements.
# Get the label GUIDs
Get-Label | Format-List Priority,ContentType,Name,DisplayName,Identity,Guid
$guidHighlyConfidential = "e222b65a-b3a8-46ec-ae12-00c2c91b71c0"
$guidPersonal = "d4f28ae4-9c5e-4e7f-bf4a-5e3d6f1a7c8b"
$loc = "[{\"Workload\":\"Applications\",\"Location\":\"470f2276-e011-4e9d-a6ec-20768be3a4b0\",\"Inclusions\":[{Type:\"Tenant\", Identity:\"All\"}]}]"
New-DLPCompliancePolicy -Name "Copilot Sensitivity Label Policy" -Locations $loc -EnforcementPlanes @("CopilotExperiences")
$advRule = @{
"Version" = "1.0"
"Condition" = @{
"Operator" = "And"
"SubConditions" = @(
@{
"ConditionName" = "ContentContainsSensitiveInformation"
"Value" = @(
@{
"groups" = @(
@{
"Operator" = "Or"
"labels" = @(
@{name = $guidHighlyConfidential; type = "Sensitivity"},
@{name = $guidPersonal; type = "Sensitivity"}
)
"name" = "Default"
}
)
}
)
}
)
}
} | ConvertTo-Json -Depth 100
New-DLPComplianceRule -Name "Exclude Confidential Content" -Policy "Copilot Sensitivity Label Policy" -AdvancedRule $advRule -RestrictAccess @(@{setting="ExcludeContentProcessing";value="Block"})
Supported file types: (Verified MCP 2026-04)
- File items (stored and actively open): Word (.docx/.docm), Excel (.xlsx/.xlsm/.xlsb), PowerPoint (.pptx/.ppsx), and PDF files (when PDF support is enabled)
- Emails sent on or after January 1, 2025
- Only files in SharePoint Online and OneDrive for Business
- Labels with user-defined permissions are now supported for search, DLP and eDiscovery (newly uploaded/edited files only)
Limitations:
- Calendar invites are not supported
- When a file with a blocked label is open in Word/Excel/PowerPoint, the Copilot skills in those apps are disabled
Result: Identified items are still shown in citations, but their content is not used in the response or accessed by Copilot.
2. Model Extraction Defense
2.1 Outbound URL Restriction (Azure AI Services DLP)
Concept: Restrict which outbound URLs Azure OpenAI and Azure AI Services can access, to prevent models from exfiltrating data or leaking model weights to unauthorized endpoints.
Risk reduction:
- Prevents model extraction via API calls to attacker-controlled servers
- Blocks data exfiltration via tool calls or plugin interactions
- Reduces supply chain risk by allow-listing only trusted endpoints
Configuration (Azure CLI):
# Enable restrictOutboundNetworkAccess
az rest -m patch \
-u /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.CognitiveServices/accounts/{account-name}?api-version=2024-10-01 \
-b '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "contoso.com", "api.trustedpartner.com" ] }}'
Configuration (PowerShell):
$patchParams = @{
ResourceGroupName = 'myresourcegroup'
ResourceProviderName = 'Microsoft.CognitiveServices'
ResourceType = 'accounts'
Name = 'myaccount'
ApiVersion = '2024-10-01'
Payload = '{"properties": { "restrictOutboundNetworkAccess": true, "allowedFqdnList": [ "contoso.com", "api.trustedpartner.com" ] }}'
Method = 'PATCH'
}
Invoke-AzRestMethod @patchParams
Important details:
- Maximum of 1000 URLs in allowedFqdnList
- Supports fully qualified domain names (FQDN)
- Takes up to 15 minutes for an updated list to take effect
Supported services:
- Azure OpenAI
- Azure AI Foundry (Foundry-based projects)
- Azure Vision
- Content Moderator
- Custom Vision
- Face API
- Document Intelligence
- Speech Services
- QnA Maker
2.2 Network Security Perimeter (NSP)
Concept: Implement a network security perimeter to restrict inbound and outbound access to Azure OpenAI and Foundry-based projects.
Implementation: combine the perimeter with:
- Azure Private Link for network-level data isolation
- Azure RBAC for workload and user group access control
- Microsoft Entra ID for centralized authentication
2.3 Model Integrity Monitoring
Concept: Detect model drift and unauthorized modifications that may indicate extraction attempts or supply chain compromise.
Approach:
- Digital signatures: Verify model files with hash verification
- Versioning: Store models in Azure Blob Storage with versioning enabled
- Audit trails: Log all model-related activities (registration, deployment, access) in Azure Monitor
- Automated scanning: Integrate security validation pipelines that scan for embedded backdoors
Azure Machine Learning Model Registry:
# Example: register a verified model in the centralized model registry (access governed by RBAC)
az ml model register \
--name "my-verified-model" \
--model-path "azureml://..." \
--description "Verified model with signature" \
--tags "verified=true" "hash=sha256:abc123..."
Monitoring:
// Azure Monitor KQL: Detect unauthorized model access
AzureDiagnostics
| where ResourceType == "MICROSOFT.MACHINELEARNINGSERVICES/WORKSPACES"
| where OperationName == "ModelDownload"
| where Identity_claim_upn_s !in ("authorized-user@contoso.com")
| project TimeGenerated, Identity_claim_upn_s, ResourceId, OperationName
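As an added illustration of the hash verification step (example code, not from this page, Azure ML or Microsoft): the digest is computed from the reviewed artifact at registration, stored in the same `hash=sha256:...` tag form the register command above uses, and re-checked before deployment so a modified file is refused. File names, the tag layout and the constructed scenario are assumptions.

```python
"""Added example: verify model artifacts against the digest recorded at registration."""
import hashlib
import hmac
import os
import re
import tempfile

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def sha256_bytes(data: bytes) -> str:
    """Digest in the 'sha256:<hex>' form used by the registry tag."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB model weights never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return "sha256:" + h.hexdigest()


def register_tags(path: str) -> dict:
    """Tags to attach at registration time: the digest of the reviewed artifact."""
    return {"verified": "true", "hash": sha256_file(path)}


def verify_artifact(path: str, tags: dict) -> tuple:
    """Deployment gate: the artifact must match the registered digest exactly.
    Returns (ok, reason) so the caller can log the reason in Azure Monitor."""
    recorded = tags.get("hash", "")
    if tags.get("verified") != "true":
        return False, "artifact was never marked verified"
    if not DIGEST_RE.match(recorded):
        return False, f"malformed digest tag: {recorded!r}"
    actual = sha256_file(path)
    # Constant-time comparison; both strings have the same fixed length here.
    if not hmac.compare_digest(actual, recorded):
        return False, f"digest mismatch: registered {recorded[:19]}..., got {actual[:19]}..."
    return True, "digest matches registered artifact"


def run_demo() -> dict:
    """Constructed scenario: clean artifact, tampered copy, bad tag, unverified tag."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model = os.path.join(tmp, "model.bin")
        with open(model, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed model weights")  # constructed content
        tags = register_tags(model)
        results["clean"] = verify_artifact(model, tags)[0]
        # Tampering after registration: a single appended byte changes the digest.
        with open(model, "ab") as f:
            f.write(b"\x01")
        results["tampered"] = verify_artifact(model, tags)[0]
        # A tag that is not a full digest must be rejected, never treated as a match.
        results["bad_tag"] = verify_artifact(model, {"verified": "true", "hash": "sha256:abc123"})[0]
        results["unverified"] = verify_artifact(model, {"hash": tags["hash"]})[0]
    return results


if __name__ == "__main__":
    print(run_demo())
```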
3. Membership Inference Protection
3.1 Differential Privacy
Concept: Apply differential privacy techniques to prevent attackers from deducing whether specific data points were in the training set.
Microsoft SmartNoise: Microsoft co-developed SmartNoise, an open-source differential privacy system.
Repository: https://github.com/opendifferentialprivacy/smartnoise-core
Use cases:
- Fine-tuning on sensitive datasets (healthcare, financial)
- Training custom models on PII
- Compliance with GDPR Article 25 (data protection by design)
Integration with Azure Machine Learning:
from opendp.smartnoise.sql import PandasReader, PrivateReader
from opendp.smartnoise.metadata import CollectionMetadata
import pandas as pd
# Load sensitive data
df = pd.read_csv("sensitive_data.csv")
# Metadata (table name, column types and value bounds) drives the sensitivity calculation;
# the YAML file is assumed to describe a table named "data" with a bounded "age" column
metadata = CollectionMetadata.from_file("sensitive_data.yaml")
reader = PandasReader(df, metadata)
# Apply differential privacy to the query: epsilon = 1.0 is spent per execute() call
private_reader = PrivateReader(reader, metadata, epsilon=1.0)
result = private_reader.execute("SELECT AVG(age) FROM data")
Privacy budget management:
- Epsilon (ε): Lower value = higher privacy, lower accuracy
- Delta (δ): Probability of a privacy breach
- Recommendation: ε ≤ 1.0 for high-sensitivity data
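To make the ε budget concrete, here is an added example (not from this page or SmartNoise) of the Laplace mechanism with a budget tracker under sequential composition: each query spends part of the total ε, and a query that would exceed it is refused rather than answered. The sensitivity bounds, the constructed ages and the 1.0 budget are assumptions.

```python
"""Added example: Laplace mechanism plus a per-dataset privacy budget."""
import math
import random
from dataclasses import dataclass, field


class BudgetExhausted(Exception):
    """A query would push cumulative epsilon past the allowed budget."""


@dataclass
class PrivacyBudget:
    """Cumulative epsilon under basic sequential composition: spend adds up linearly."""
    total_epsilon: float
    spent: float = 0.0
    history: list = field(default_factory=list)

    @property
    def remaining(self) -> float:
        return self.total_epsilon - self.spent

    def charge(self, epsilon: float, label: str) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total_epsilon + 1e-12:
            raise BudgetExhausted(
                f"{label}: needs {epsilon}, only {self.remaining:.3f} of {self.total_epsilon} left")
        self.spent += epsilon
        self.history.append((label, epsilon))


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a demo run is reproducible (use SystemRandom in production)."""
    return random.Random(seed)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF; scale = sensitivity / epsilon."""
    u = rng.random() - 0.5            # in [-0.5, 0.5)
    u = max(u, -0.5 + 1e-12)          # keep the log argument strictly positive
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(values, predicate, epsilon, budget, rng) -> float:
    """Noisy count: one record changes a count by at most 1, so sensitivity is 1."""
    budget.charge(epsilon, "count")
    true_count = sum(1 for v in values if predicate(v))
    return true_count + laplace_noise(1.0 / epsilon, rng)


def private_mean(values, lower, upper, epsilon, budget, rng) -> float:
    """Noisy mean of values clamped to [lower, upper]; epsilon is split between
    the sum (sensitivity upper - lower) and the count (sensitivity 1)."""
    budget.charge(epsilon, "mean")
    half = epsilon / 2.0
    clamped = [min(max(v, lower), upper) for v in values]
    noisy_sum = sum(clamped) + laplace_noise((upper - lower) / half, rng)
    noisy_n = len(clamped) + laplace_noise(1.0 / half, rng)
    return noisy_sum / max(noisy_n, 1.0)


def run_demo(total_epsilon: float = 1.0, seed: int = 7) -> dict:
    """Constructed patient ages; total budget 1.0 matches the recommendation above."""
    rng = make_rng(seed)
    ages = [34, 41, 29, 58, 63, 47, 52, 38, 71, 45]   # constructed sample, not real data
    budget = PrivacyBudget(total_epsilon)
    out = {
        "mean_age": private_mean(ages, 0, 120, 0.5, budget, rng),
        "over_50": private_count(ages, lambda a: a > 50, 0.4, budget, rng),
    }
    try:  # third query needs 0.2 but only 0.1 remains: refused, not silently answered
        private_count(ages, lambda a: a < 30, 0.2, budget, rng)
        out["third_query"] = "answered"
    except BudgetExhausted:
        out["third_query"] = "refused"
    out["spent"] = round(budget.spent, 6)
    return out


if __name__ == "__main__":
    print(run_demo())
```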
3.2 Encryption at Rest & In Transit
Data at rest:
- FIPS 140-2 compliant 256-bit AES encryption for all Azure OpenAI data
- Customer-managed keys (CMK) via Azure Key Vault for fine-tuned models and training data
- Microsoft-managed keys by default (transparent encryption)
Data in transit:
- TLS encryption for all traffic between Databricks and model partners
- Zero data retention endpoints for partner-powered AI assistive features
- Azure Private Link for network-level isolation
CMK configuration:
# Enable customer-managed key for Azure OpenAI
az cognitiveservices account update \
--name myopenai \
--resource-group myresourcegroup \
--encryption KeyVaultKeyId=https://myvault.vault.azure.net/keys/mykey/version
Key rotation:
- Rotate keys on a defined schedule or upon key compromise
- Audit key usage via Azure Key Vault diagnostics
3.3 Training Data Provenance
Concept: Maintain non-repudiable data provenance records to verify that only authorized data was used in training.
Confidential AI with Azure Confidential Computing:
- Attestation: Data providers authorize use of datasets for specific tasks (verified by attestation)
- Confidential training: Data remains protected in use via Trusted Execution Environments (TEEs)
- Provenance records: Generate non-repudiable logs of data/model lineage
Use cases:
- Medical diagnosis models (HIPAA compliance)
- Financial risk assessment (SOX, PCI-DSS)
- Business analysis involving corporate IP
4. DLP Policy Enforcement Across AI Workloads
4.1 Multi-Layered Content Filtering
Concept: Implement filtering in three layers: input, internal processing, output.
Layer 1: Input filtering
- Azure AI Content Safety (Prompt Shield): Scan user inputs for attack patterns (hate speech, violence, adversarial inputs)
- Azure API Management: Enforce rate-limiting, schema validation, authentication policies
- Data format validation: Reject malformed inputs
Layer 2: Internal processing validation
- Azure Machine Learning model monitoring: Track intermediate outputs, detect anomalies during inference
- Azure Defender for Cloud: Scan runtime environments for adversarial behavior
- Robustness testing: Validate behavior under adversarial conditions
Layer 3: Output filtering
- Azure AI Content Safety: Block harmful responses (bias, non-compliant content)
- Validation logic: Cross-check outputs against organizational policies via Azure Functions
- Logging: Log all inputs/outputs in Azure Monitor for traceability
Example architecture:
User Prompt
↓
[Azure API Management] → Rate-limit, Auth, Schema Validation
↓
[Prompt Shield] → Detect malicious patterns
↓
[Azure OpenAI] → Process prompt
↓
[AML Model Monitoring] → Detect anomalies
↓
[Content Safety Output Filter] → Block harmful content
↓
[Azure Functions Validator] → Cross-check policies
↓
[Azure Monitor] → Log interaction
↓
Response to User
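For the input and output stages of the pipeline above, and the SIT detection described in section 1.1, here is an added example (not from this page or Microsoft Purview) of a minimal DLP filter: regex candidates are confirmed with the Luhn check for Credit Card Number and the mod-11 check digits for Norway National Identity Number, a prompt is blocked once a SIT reaches MinCount, and a response is redacted. The regexes, the Match structure and the constructed sample inputs are assumptions.

```python
"""Added example: input blocking and output redaction for two SITs used in this document."""
import re
from dataclasses import dataclass

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
FNR_RE = re.compile(r"\b\d{11}\b")                   # Norwegian fødselsnummer: DDMMYYIIIKK
BLOCK_MESSAGE = ("The request can't be completed because it contains sensitive "
                 "information that the organization has blocked Microsoft 365 Copilot from using.")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fnr_valid(digits: str) -> bool:
    """Norwegian national identity number: two mod-11 check digits over the leading digits."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    d = [int(c) for c in digits]
    w1 = [3, 7, 6, 1, 8, 9, 4, 5, 2]
    w2 = [5, 4, 3, 2, 7, 6, 5, 4, 3, 2]
    k1 = 11 - (sum(a * b for a, b in zip(d[:9], w1)) % 11)
    k1 = 0 if k1 == 11 else k1
    if k1 == 10 or k1 != d[9]:       # remainder 10 means no valid number exists
        return False
    k2 = 11 - (sum(a * b for a, b in zip(d[:10], w2)) % 11)
    k2 = 0 if k2 == 11 else k2
    return k2 != 10 and k2 == d[10]


@dataclass(frozen=True)
class Match:
    sit: str
    span: tuple
    text: str


def find_sensitive(text: str) -> list:
    """Validated SIT matches only: a regex hit is not enough, the checksum must pass."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append(Match("Credit Card Number", m.span(), m.group()))
    for m in FNR_RE.finditer(text):
        if fnr_valid(m.group()):
            found.append(Match("Norway National Identity Number", m.span(), m.group()))
    return sorted(found, key=lambda x: x.span)


def evaluate_prompt(prompt: str, min_count: int = 1) -> dict:
    """Layer 1 (input): block when any SIT reaches min_count, like the Purview rule's MinCount."""
    per_sit = {}
    for m in find_sensitive(prompt):
        per_sit[m.sit] = per_sit.get(m.sit, 0) + 1
    blocked = any(n >= min_count for n in per_sit.values())
    return {"action": "Block" if blocked else "Allow",
            "sits": sorted(per_sit),
            "message": BLOCK_MESSAGE if blocked else ""}


def redact_response(response: str) -> str:
    """Layer 3 (output): mask validated SITs in model output before it reaches the user."""
    out = response
    for m in reversed(find_sensitive(response)):   # right to left keeps earlier spans valid
        out = out[:m.span[0]] + f"[REDACTED {m.sit}]" + out[m.span[1]:]
    return out
```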
4.2 Endpoint DLP for Third-Party AI
Konsept: Prevent sensitive data leakage to third-party generative AI sites (ChatGPT, Claude, etc.) via browser-based interactions.
Microsoft Purview Endpoint DLP:
- Windows onboarding: Onboard Windows computers to Microsoft Purview
- Policy enforcement: Block or warn users when pasting sensitive information into third-party AI sites
- Supported actions: Block paste, block upload, warn with override
Example: A user tries to paste a credit card number into ChatGPT; Purview Endpoint DLP blocks the action or shows a warning.
Configuration:
# Endpoint DLP policies target onboarded devices, so the policy location is EndpointDlpLocation, not an Exchange location
New-DlpCompliancePolicy -Name "Block AI Site Data Leak" -EndpointDlpLocation All
# Device-side paste/upload restrictions are configured with the rule's -EndpointDlpRestrictions settings;
# -BlockAccess applies to Exchange/SharePoint/OneDrive content
New-DlpComplianceRule `
-Name "Block Credit Card to ChatGPT" `
-Policy "Block AI Site Data Leak" `
-ContentContainsSensitiveInformation @{Name="Credit Card Number"; MinCount="1"} `
-BlockAccess $true `
-NotifyUser Owner
Supported platforms: Windows computers with the Endpoint DLP agent installed.
4.3 Insider Risk Management for AI Interactions
Konsept: Detect risky AI use via machine learning-based anomaly detection.
Microsoft Purview Insider Risk Management:
- Risky interaction detection: Attempted prompt injection, use of sensitive data
- Adaptive protection: Block high-risk users from accessing sensitive content via Copilot
- Alerts: Real-time alerts for policy violations
Policy templates:
- "DSPM for AI - Detect risky AI usage"
- "DSPM for AI - Unethical behavior in AI apps"
- "DSPM for AI - Protect sensitive data from Copilot processing"
One-click policies from DSPM for AI (classic):
# Enabled via Microsoft Purview portal → DSPM for AI → Recommendations
5. Cache Security Management
5.1 Prompt History Isolation
Concept: Prevent shared caches or prompt history from exposing sensitive information across users or sessions.
Microsoft 365 Copilot:
- User context isolation: Prompts run in the security context of the user who initiates the prompt
- Permission enforcement: Users only see items they have permissions to
- No cross-user cache leakage: Copilot does not share data between users
5.2 Azure OpenAI Prompt Caching
Concept: Azure OpenAI does not support persistent prompt caching across users. Each API call is stateless (unless conversation history is explicitly sent in the request).
Security:
- Stateless API: No automatic sharing of prompts between users
- Token usage logging: Log all token usage for audit purposes
- Customer-controlled retention: Customers control retention of conversation history
5.3 Databricks Assistant Cache Protection
DatabricksIQ Trust & Safety:
- No training on user data: Databricks does not train foundation models on data submitted to its features
- No cross-customer data sharing: Data is not used to generate suggestions for other customers
- Zero data retention (model partners): Partner-powered AI features use zero data retention endpoints
- Data residency controls: DatabricksIQ-powered features comply with data residency boundaries (Geos)
6. Practical Architecture Patterns
6.1 Defense-in-Depth for AI Leakage Prevention
Layer 1: Network isolation
- Azure Private Link
- Network Security Perimeter
- VNet integration
Layer 2: Identity & Access (Verified MCP 2026-04)
- Microsoft Entra ID RBAC
- Managed Identity (for secure authentication without stored credentials, per CAF Secure AI)
- Separation of duties (developers, reviewers, operators)
- Virtual networks for isolating AI communication channels
Layer 3: Data protection
- Microsoft Purview DLP (prompt + file/email blocking)
- Sensitivity labels (automatic inheritance)
- Data classification (PII, financial, IP)
Layer 4: Model security
- Model registry with approval workflows
- Automated security scanning (hash verification, backdoor detection)
- Version control in Azure Storage with versioning
Layer 5: Runtime protection
- Azure AI Content Safety (Prompt Shield + Output Filter)
- Azure Defender for AI Services (threat detection)
- AML Model Monitoring (drift detection, anomaly detection)
Layer 6: Audit & Compliance
- Microsoft Purview Audit (unified audit log for AI activities)
- Azure Monitor (centralized logging)
- Activity explorer (DSPM for AI)
6.2 Azure OpenAI + Purview DLP Reference Architecture
┌─────────────────────────────────────────────────────────────────┐
│ User (M365 Copilot) │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Microsoft Purview DLP Policy Engine │
│ - Scan prompt for SITs (credit card, SSN, etc.) │
│ - Check file sensitivity labels │
│ - Block processing if policy match │
└─────────────────────────────────────────────────────────────────┘
↓ (if allowed)
┌─────────────────────────────────────────────────────────────────┐
│ Microsoft 365 Copilot │
│ - Entra ID RBAC (user context isolation) │
│ - Grounding on SharePoint/OneDrive (permission-enforced) │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Azure OpenAI Service │
│ - Private endpoint (NSP) │
│ - Outbound URL restriction (DLP) │
│ - CMK encryption at rest │
│ - TLS in transit │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Azure AI Content Safety │
│ - Output filter (harmful content) │
│ - Validation against org policies │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ Microsoft Purview Audit │
│ - Log prompt, response, referenced files │
│ - Activity explorer (DSPM for AI) │
└─────────────────────────────────────────────────────────────────┘
6.3 Enterprise AI Gateway Pattern
Concept: Centralize all AI traffic through Azure API Management acting as an AI Gateway. Azure API Management can now also secure Model Context Protocol (MCP) server endpoints. (Verified MCP 2026-04)
Benefits:
- Unified security policies: Enforce authentication, DLP, rate-limiting in one place
- Traffic monitoring: Log all API usage for audit
- Cost control: Track token usage per team/project
- Model versioning: Route requests to different model versions based on policy
- MCP endpoint security: Deploy Azure API Management to secure MCP server endpoints (new capability) (Verified MCP 2026-04)
Architecture:
Applications
↓
[Azure API Management (AI Gateway)]
- Entra ID authentication
- Rate-limiting (TPM, RPM)
- DLP policy enforcement (allowedFqdnList check)
- Token usage logging
↓
[Azure OpenAI] or [Custom Models] or [Copilot Studio]
Configuration:
# Deploy API Management with a system-assigned managed identity
az apim create \
--name myaigateway \
--resource-group myresourcegroup \
--publisher-email admin@contoso.com \
--publisher-name Contoso \
--sku-name Developer \
--enable-managed-identity true
# Expose Azure OpenAI through the gateway as a subscription-protected API
# (Entra ID authentication is then enforced with a validate-jwt policy on this API)
az apim api create \
--resource-group myresourcegroup \
--service-name myaigateway \
--api-id openai-api \
--path "/openai" \
--display-name "Azure OpenAI Gateway" \
--service-url "https://myopenai.openai.azure.com" \
--protocols https \
--subscription-required true
7. Compliance & Audit
7.1 Unified Audit Log for AI Activities
Microsoft Purview Audit:
- Captured events: Prompts, responses, referenced files, sensitivity labels
- Context: User, timestamp, service, files accessed
- Retention: Configurable (90 days to 10 years)
Query AI activities:
# Search unified audit log for Copilot activities
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "CopilotInteraction"
Activity Explorer (DSPM for AI):
- Visual dashboard for AI interactions
- Filter by user, sensitivity label, SIT, time range
- Export for compliance reporting
7.2 Data Security Posture Management (DSPM) for AI
Capabilities:
- Data risk assessments: Identify oversharing risks
- Recommendations: "Protect your data from potential oversharing risks"
- One-click policies: Deploy DLP policies directly from recommendations
- Compliance Manager integration: Map controls to regulatory templates (GDPR, HIPAA, etc.)
Rollout:
- DSPM for AI (classic): Generally available
- DSPM (preview): New version med enhanced AI activities tab
7.3 Regulatory Compliance Mapping
| Regulation | Relevant DLP Controls | Microsoft Purview Tools |
|---|---|---|
| GDPR Art. 25 | Data protection by design, minimize data processing | Sensitivity labels, DLP for Copilot, Differential Privacy |
| HIPAA | Protect PHI in AI interactions | DLP rules for PHI SITs, CMK encryption, Confidential AI |
| PCI-DSS | Protect cardholder data | DLP rules for credit card SITs, Outbound URL restriction |
| SOX | Protect financial records | Sensitivity labels (Highly Confidential), Audit logs |
| CCPA | Protect consumer personal data | DLP rules for California SITs, Data residency controls |
| AI Act (EU) | Risk management, transparency | DSPM for AI, Audit logs, Model provenance |
8. Tooling & Automation
8.1 PowerShell Module: ExchangePowerShell
Key cmdlets:
- New-DlpCompliancePolicy: Create a DLP policy
- New-DlpComplianceRule: Add a rule to a policy
- Get-DlpCompliancePolicy: List policies
- Set-DlpCompliancePolicy: Update an existing policy
- Get-Label: List sensitivity labels with GUIDs
Install:
Install-Module -Name ExchangeOnlineManagement
Connect-IPPSSession
8.2 Azure CLI Extensions
# Cognitive Services DLP
az cognitiveservices account show -g myresourcegroup -n myaccount
az rest -m patch -u /subscriptions/.../accounts/myaccount?api-version=2024-10-01 -b '{...}'
# Monitor AI activities
az monitor activity-log list --resource-group myresourcegroup --resource-type "Microsoft.CognitiveServices/accounts"
8.3 GitHub Samples
Microsoft Purview API integration:
- Sample: serverless-chat-langchainjs-purview
- Use case: Integrate an Entra-registered AI app with Purview APIs for DLP enforcement
Counterfit (AI security testing):
- Repository: https://github.com/Azure/counterfit/
- Use case: Simulate attacks against AI systems to validate DLP controls
PyRIT (Python Risk Identification Toolkit):
- Repository: https://azure.github.io/PyRIT/
- Use case: Red teaming of AI systems for prompt injection, jailbreak, and data exfiltration testing
9. Monitoring & Detection
9.1 Microsoft Defender for AI Services
Capabilities:
- AI threat protection: Detect prompt injection, model manipulation, jailbreak attempts
- Continuous monitoring: Monitor model inference, API calls, plugin interactions
- Integration: Azure Sentinel for SIEM correlation with MITRE ATLAS and OWASP LLM Top 10
Deployment:
# Defender plans are enabled per subscription, so the command takes no resource group
az security pricing create \
--name "AI" \
--tier "Standard"
9.2 Anomaly Detection for AI Workloads
Azure AI Anomaly Detector:
- Metrics: API request patterns, model confidence scores, token usage
- Alerts: Unusual spikes in API calls, unexpected model outputs, irregular data access
KQL query for anomaly detection:
AzureDiagnostics
| where ResourceType == "MICROSOFT.COGNITIVESERVICES/ACCOUNTS"
| where OperationName == "Inference"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), CallerIpAddress
| where RequestCount > 1000 // Threshold
| project TimeGenerated, CallerIpAddress, RequestCount
9.3 Alerting & Incident Response
Azure Monitor Alerts:
az monitor metrics alert create \
--name "High Token Usage Alert" \
--resource-group myresourcegroup \
--scopes "/subscriptions/.../providers/Microsoft.CognitiveServices/accounts/myopenai" \
--condition "total TokensUsed > 100000" \
--window-size 5m \
--evaluation-frequency 1m \
--action-group "/subscriptions/.../actionGroups/ai-security-team"
Incident response workflow:
- Alert triggered (e.g., suspected data exfiltration)
- Azure Sentinel → Correlate with threat intelligence
- Purview Audit → Retrieve prompt/response logs
- Block user → Via Adaptive Protection (Insider Risk Management)
- Rotate keys → If API key compromise suspected
- Post-incident review → Update DLP policies
10. Recommendations for Cosmo Skyberg
For Azure OpenAI
- Always enable outbound URL restriction (restrictOutboundNetworkAccess: true) with allow-listed FQDNs
- Use Private Link + NSP for production deployments
- Enable CMK encryption when fine-tuning on sensitive data
- Log all API calls to Azure Monitor with a minimum of 90 days retention
For Microsoft 365 Copilot
- Deploy DLP policies for prompts (SIT detection) and files/emails (sensitivity labels)
- Combine with sensitivity labels: auto-classify data, inherit protection
- Enable Insider Risk Management for risky AI interaction detection
- Use DSPM for AI for continuous posture assessment
For Custom AI Applications
- Implement an AI Gateway (Azure API Management) for unified security
- Multi-layered content filtering (input → processing → output)
- Integrate Purview APIs for DLP enforcement in custom apps
- Red team regularly with PyRIT, Counterfit, Azure AI Red Teaming Agent
For Compliance & Audit
- Enable the Unified Audit Log for all AI services
- Map DLP policies to regulations (GDPR, HIPAA, PCI-DSS, etc.)
- Use Activity Explorer for visual analysis of AI interactions
- Document decisions in ADRs when choosing a DLP strategy
Security Checklist
- Outbound URL restriction enabled på Azure OpenAI?
- DLP policy for Copilot prompts (SITs) deployed?
- DLP policy for Copilot files/emails (sensitivity labels) deployed?
- Private Link + NSP configured?
- CMK encryption enabled for fine-tuned models?
- Unified Audit Log enabled (90+ days retention)?
- Insider Risk Management policies active?
- AI Gateway (APIM) deployed with rate-limiting + auth?
- Multi-layered content filtering (Azure AI Content Safety)?
- Red teaming plan established (quarterly)?
- Incident response runbook documented?
For Cosmo Skyberg
When to use this:
- A customer asks "how do we prevent data leakage in AI solutions"
- Compliance requirements (GDPR, HIPAA) demand DLP for AI workloads
- A security assessment reveals risk of prompt injection or model extraction
- An enterprise AI deployment needs a defense-in-depth strategy
Practical approach:
- Start with a risk assessment: Which data is most sensitive? Which leakage vectors are most likely?
- Prioritize quick wins: Deploy Microsoft Purview DLP for Copilot (prompts + files) for immediate risk reduction
- Build layer by layer: Network isolation → Data protection → Model security → Runtime monitoring
- Automate enforcement: Use one-click policies from DSPM for AI
- Validate with red teaming: Run PyRIT/Counterfit before production rollout
Combine with other knowledge files:
- prompt-injection-defense-mechanisms.md: For input validation strategies
- jailbreak-prevention-strategies.md: For output filtering and behavioral controls
- ai-threat-modeling.md: For systematic risk identification
- rag-security-patterns.md: For grounding data protection (when available)
- azure-ai-services/document-intelligence-security.md: For PII redaction in documents (when available)
Typical architecture recommendation:
"To protect against data leakage I recommend a multi-layered approach:
- Prompt level: Microsoft Purview DLP to block sensitive SITs in Copilot prompts.
- Model level: Outbound URL restriction on Azure OpenAI + Private Link for network isolation.
- Output level: Azure AI Content Safety to filter harmful/non-compliant responses.
- Audit level: Unified Audit Log + DSPM for AI for continuous monitoring. This gives defense-in-depth with preventive, detective, and corrective controls."
Microsoft Learn sources:
- Microsoft Purview DLP for Copilot
- Azure AI Services DLP
- Secure AI (Cloud Adoption Framework) (Verified MCP 2026-04: confirms the use of Microsoft Purview DLP for AI workflows, content filtering to prevent sensitive information leakage, and Purview Insider Risk Management for detecting prompt-based data exfiltration and identifying risky AI behavior)
- Artificial Intelligence Security (MCSB)
- Confidential AI