Purview DPSM for AI collection policies disabled but still collecting AI Interactions

Question

Hello.

The "One-click" DPSM for AI collection policies where created and then promptly disabled. Yet we are still collecting AI interaction events within the "Activity Explorer". The events have AI prompts and responses. Should this be happening even though we disabled the collection policies? If so how do we stop collection?

Answer 1

Hi Ryan Chaney,
You’re right that simply toggling a one-click DPSM for AI collection policy off doesn’t necessarily stop all AI interaction events from showing up in Activity Explorer. Here’s why, and what you can do to fully stop collection:

1. Two different pipelines feed AI interactions into Purview’s Activity Explorer • Microsoft 365 Copilot & Copilot Chat → these events come from the unified Office 365 audit log (which Purview pulls for “AI interaction” events). Disabling a DSPM collection policy has no effect here. • Copilot in Fabric/Security Copilot & third-party AI apps → these events require an active DSPM collection policy with “capture content” selected.
2. What you’re likely seeing • Copilot events from the audit log (prompts + responses) because Copilot auditing is still turned on in your tenant. • Pending entries from the DPSM collection policy you disabled (policies go into “PendingDeletion” first and can take up to an hour or more to fully drop off).
3. How to stop collection completely a. Turn off Copilot auditing in the Microsoft Purview Compliance portal
   1. Go to Compliance center → Audit (preview)
   2. Under “Copilot & generative AI” auditing, switch it OFF
   3. Wait ~24 hours for changes to propagate and new audit-log pulls to stop
   b. Remove or edit your DSPM collection policies for non-Copilot AI apps
   1. In Purview portal → Policies → select the DSPM policy (for example, “DSPM for AI – Capture interactions for Copilot experiences” or “Detect sensitive info shared with AI via network”)
   2. Either delete it (wait for PendingDeletion to clear) or edit and uncheck “Capture content for AI interactions”
   3. Confirm status under Policies that it’s fully deleted or content capture is disabled

After both steps, you shouldn’t see any new AI interaction entries in Activity Explorer. Existing historical events will remain viewable until you purge or let them age out.

Follow-up questions to nail down your scenario:

1. Are the AI interaction events you’re seeing tagged as Copilot/Copilot Chat versus non-Copilot AI apps?
2. Which exact DSPM policies did you disable (policy names) and how long ago?
3. Have you turned off Copilot auditing in the Compliance portal already, or is that still on?

Hope this helps!

—Your Azure Purview Support Team

Reference documentation

1. DSPM for AI considerations (collection policies & activity explorer events): https://learn.microsoft.com/purview/dspm-for-ai-considerations?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#one-click-policies-from-data-security-posture-management-for-ai
2. Collection policies overview (capture content setting): https://learn.microsoft.com/purview/collection-policies-solution-overview#content-capture-for-ai-interactions
3. Audit (preview) Copilot settings in Compliance center: https://learn.microsoft.com/microsoft-365/compliance/audit/generative-ai-audit?view=o365-worldwide

Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

Please do not forget to "Accept Answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

Answer 2

AI interaction events with prompts and responses can still appear in Activity explorer even after disabling DSPM for AI one-click collection policies, because:

1. Other data sources can still feed AI interactions
   • For Microsoft 365 Copilot and Microsoft 365 Copilot Chat, AI interaction events (including prompts and responses) are written to the unified audit log when auditing is turned on, independent of collection policies.
   • For Entra-registered and Enterprise AI apps, prompts and responses are also captured in the unified audit log and surfaced into Activity explorer.
   • DSPM for AI then reads these events into Activity explorer, so disabling collection policies alone does not stop all AI interaction logging.
2. Collection policies control what is collected from certain sources, not all AI logging
   • Collection policies primarily affect device and network/browser-based collection and, when enabled, can add content capture for AI interactions from Copilot experiences, Enterprise AI, and unmanaged AI apps.
   • When content capture is not enabled, events are still logged, but content is limited to sensitive information types rather than full prompts and responses.

To reduce or stop collection of AI prompts and responses, use these levers (depending on which AI apps are in use):

1. For Copilot experiences and Microsoft 365 services
   • Prompts and responses for Microsoft 365 Copilot and Microsoft 365 Copilot Chat require auditing to be turned on. To stop capturing prompts and responses for these workloads, auditing for those activities must be disabled at the tenant level. (Note: this affects broader compliance/audit coverage and should be evaluated with security/compliance stakeholders.)
2. For collection policies that are still influencing AI content capture
   • Verify that no active collection policy has Content capture for AI interactions enabled for:
     • Copilot experiences
     • Enterprise AI
     • Unmanaged cloud apps categorized as generative AI
     • All unmanaged AI apps adaptive app scope
   • If any such policy is still enabled, either:
     • Disable the policy, or
     • Edit the policy and turn off Content capture for AI interactions, and/or change the Content contains classifiers condition so it is not set to All (required for AI content capture).
3. For device and browser/network-based collection
   • If Always audit file activity for devices is enabled, device activities are collected by default. To reduce AI-related collection coming from devices:
     • Either disable Always audit file activity for devices, or
     • Keep it enabled but ensure no collection policy scoped to devices is configured to capture AI interactions/content.
4. Confirm in Activity explorer
   • After adjusting auditing and collection policies, use Activity explorer in DSPM for AI to validate:
     • Whether AI interaction events are still being generated.
     • Whether prompts and responses are still visible, or only sensitive info type hits are shown.

In summary, disabling the one-click DSPM for AI collection policies alone does not guarantee that AI interactions (with prompts and responses) stop appearing, because these events can originate from the unified audit log and other Purview data sources. Stopping or minimizing collection requires adjusting tenant auditing for AI workloads and ensuring no active collection policy is configured with AI content capture.

---

References:

• Considerations for DSPM for AI to manage data security and compliance protections for AI interactions - (classic)
• Collection Policies solution overview
• Collection policy reference
• Considerations for Microsoft Purview Data Security Posture Management
• Learn about Data Security Posture Management for AI - (classic)
• Use Microsoft Purview to manage data security & compliance for Entra-registered AI apps
• Manage generative AI apps for your organization
• Test Purview Configuration