Secure the AI ecosystem


Security is foundational to any successful AI initiative, especially in the public sector. Government organizations manage highly sensitive personal data, operate critical infrastructure, and are held to the highest standards of accountability. When AI adoption outpaces security planning, the risks extend beyond systems and data to public trust itself.

Confidence—not capability—is the primary barrier to AI adoption in government. Leaders must trust that AI systems handle data responsibly, operate within defined policy boundaries, and can be governed effectively over time. Yet that confidence gap remains significant. In a global Capgemini Research Institute study, 79% of public sector organizations identified data security as a major barrier to AI implementation, underscoring how foundational security concerns shape adoption decisions.

At the same time, organizations recognize that more work is needed. Research highlighted by Frontier Enterprise shows that 92% of public sector leaders believe their organizations must do more to secure generative AI models and applications, reinforcing that security and governance are still evolving alongside innovation.

This lack of confidence has real-world implications for adoption at scale. Gartner projects that fewer than 25% of government organizations will deliver generative AI–enabled citizen-facing services by 2027, with fear of public failure and lack of trust cited as key barriers.

Together, these insights point to a clear conclusion: security can't be an afterthought. It must be designed into every stage of the AI lifecycle—from data access and model development to deployment, monitoring, and governance. For public sector organizations, building secure, trusted AI systems isn’t just a technical requirement—it’s essential to maintaining public confidence and unlocking the full value of agentic AI.

Note

The accompanying video for this unit introduces the four-step security framework (Prepare, Discover, Protect, Govern) and provides an overview of the Microsoft tools that support each step. This unit goes deeper into each concept and explains how the tools work in practice for public sector organizations.

The three core concerns

Public sector leaders consistently identify three priorities when evaluating AI adoption for their organizations:

Data privacy

Data privacy refers to the protection of personal and sensitive information that AI systems access and process. AI agents often interact with citizen records, case histories, health data, and other protected information. Without proper controls, agents might expose data to unauthorized users, retain information beyond permitted periods, or transfer data across jurisdictions in ways that violate applicable regulations.

Data privacy requirements for AI systems include:

  • Controlling what data an agent can access and what it retains after an interaction
  • Ensuring citizen data is processed only for its explicitly stated and authorized purpose
  • Supporting data subject rights, such as access, correction, deletion, and portability of personal information
  • Complying with applicable regulations including GDPR, national data protection laws, and region-specific requirements such as FedRAMP in the United States

Governance

Governance refers to the policies, processes, and accountability structures that ensure AI systems are used lawfully, ethically, and consistently with organizational policy. Good governance answers practical questions: Who authorized this agent? What data can it access? Who reviews its outputs? How are errors or misuse detected and addressed? Who is accountable when something goes wrong?

Governance practices for AI include:

  • Defining and enforcing acceptable use policies for AI agents across the organization
  • Maintaining a current inventory of AI systems in use, including who owns each and what it can access
  • Establishing clear accountability for each deployed agent, including who is responsible for its outputs and behavior
  • Monitoring AI behavior against policy requirements on an ongoing basis, not just at the time of deployment

Safeguards

Safeguards are the technical and procedural controls that prevent AI systems from being misused, manipulated, or compromised. AI-specific threats are distinct from traditional cybersecurity threats and require specialized protections. The threats include:

  • Prompt injection attacks: Attempts by malicious actors to override an agent’s instructions by embedding misleading content in inputs the agent processes, causing it to take unintended actions
  • Data poisoning: Corrupting the information an agent relies on (for example, by inserting false content into a document repository the agent uses as a knowledge source)
  • Model abuse: Using an agent in ways that violate policy, drain organizational resources, or generate harmful outputs

Safeguards include input and output filtering, rate limiting and anomaly detection, strict access controls, and human review checkpoints for high-risk decisions.

The four-step security framework

Microsoft recommends a four-step approach to securing AI adoption in public sector environments. These steps work together to build a comprehensive security posture from initial preparation through ongoing governance.

Step 1: Prepare

Preparing the environment means establishing the security foundations that AI adoption will build on. The core strategy is Zero Trust, a security model that assumes no user, device, or system is inherently trusted, and that access must be continuously verified.

Preparing for secure AI adoption means:

  • Implementing strong identity verification for everyone who interacts with AI tools, using multi-factor authentication and risk-based access policies
  • Applying least-privilege access so agents and users can access only what their specific role and task require
  • Establishing device health and compliance requirements before granting access to AI tools and data
  • Documenting planned AI deployments: what systems will be used, who will interact with them, and what data they will access

Step 2: Discover

Discovery is about gaining visibility into AI usage across the organization. Before risks can be managed, they need to be known. Many organizations find that AI tools have been adopted informally—sometimes referred to as “shadow AI”—before formal governance processes are in place. Discovery addresses this by building a clear picture of:

  • What AI systems and agents are in use across the organization, including those not formally sanctioned
  • What data those systems can access and what they do with it
  • Who is interacting with AI tools and in what ways
  • Where sensitive data flows through AI workflows and whether those flows comply with policy
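One concrete way to build that picture is at the network edge. The following Python script is an added example, not part of this unit and not Microsoft tooling: it runs over constructed web-proxy log lines, matches each request against a hypothetical catalogue of AI service hostnames (under the reserved .example domain), separates sanctioned from unsanctioned services, and reports which users are sending data to unvetted AI tools. The log format, hostnames, and sanctioned/unsanctioned labels are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed line format:
# "<timestamp> <user> <method> <url> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
2025-01-15T09:12:04Z alice POST https://copilot.sanctioned.example/api/chat 2048
2025-01-15T09:13:10Z bob POST https://chat.unvetted-ai.example/v1/complete 4096
2025-01-15T09:14:02Z bob POST https://chat.unvetted-ai.example/v1/complete 1500
2025-01-15T09:15:30Z carol GET https://intranet.agency.example/policies 300
2025-01-15T09:16:11Z dave POST https://api.freetranscribe.example/upload 900
this line is malformed
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")

# Hypothetical catalogue an administrator maintains: AI service hostname -> sanctioned?
# Hosts not listed here are ignored; the catalogue is the discovery baseline.
AI_SERVICE_CATALOGUE = {
    "copilot.sanctioned.example": True,
    "chat.unvetted-ai.example": False,
    "api.freetranscribe.example": False,
}


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname
    rec["bytes"] = int(rec["bytes"])
    return rec


def discover_ai_usage(log_text):
    """Aggregate requests and bytes sent per (user, host) for catalogued AI services.

    Returns (usage, skipped_lines) where usage maps (user, host) to
    {"requests": n, "bytes_sent": b, "sanctioned": bool}.
    """
    usage = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        sanctioned = AI_SERVICE_CATALOGUE.get(rec["host"])
        if sanctioned is None:    # not an AI service we track
            continue
        key = (rec["user"], rec["host"])
        entry = usage.setdefault(key, {"requests": 0, "bytes_sent": 0, "sanctioned": sanctioned})
        entry["requests"] += 1
        entry["bytes_sent"] += rec["bytes"]
    return usage, skipped


def shadow_ai_findings(usage, byte_threshold=1024):
    """List users sending data to unsanctioned AI services, highest volume first."""
    findings = [
        {"user": user, "host": host, "requests": e["requests"], "bytes_sent": e["bytes_sent"],
         "exceeds_threshold": e["bytes_sent"] >= byte_threshold}
        for (user, host), e in usage.items()
        if not e["sanctioned"]
    ]
    return sorted(findings, key=lambda f: f["bytes_sent"], reverse=True)


if __name__ == "__main__":
    usage, skipped = discover_ai_usage(SAMPLE_PROXY_LOG)
    print(f"skipped {skipped} malformed line(s)")
    for f in shadow_ai_findings(usage):
        print(f)
```

The byte threshold is what turns raw usage into a governance finding: a single request to an unvetted service is a policy question, while sustained uploads above the threshold are the cases to triage first. In practice the catalogue would be fed from a maintained list of AI endpoints rather than hard-coded.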

Step 3: Protect

Protection focuses on preventing data exposure, reducing attack surfaces, and detecting and responding to AI-specific threats. As agents become more capable and more connected to sensitive systems, the protection layer becomes increasingly critical.

Protection measures include:

  • Data loss prevention policies that prevent agents from exposing classified, protected, or sensitive information in responses or outputs
  • Prompt injection detection to identify and block attempts to manipulate agent behavior through malicious inputs
  • Monitoring for unusual patterns of data access or agent activity that might indicate compromise or misuse
  • Guardrails within AI systems that prevent agents from acting outside their defined scope, even if instructed to do so
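The safeguards named in the Safeguards section (input and output filtering, rate limiting, strict access controls, human review checkpoints) and the protection measures above are easier to reason about as one enforcement path around every agent tool call. The following Python is an added example, not code from this unit or from any Microsoft product: a hypothetical agent definition fixes the tools the agent may call and which of them need a human checkpoint; a sliding-window rate limiter throttles each principal; an output filter redacts constructed sensitive-data patterns; and every decision is returned as an audit record. The agent name, tool names, DLP patterns, and the tool output passed in are all constructed.

```python
import re
from collections import deque

# Hypothetical agent scope: the only tools it may call (defined scope / least privilege)
# and the subset whose results go to a human before release.
AGENT_SCOPE = {
    "benefits-assistant": {
        "allowed_tools": {"lookup_case_status", "draft_reply"},
        "human_review_tools": {"draft_reply"},
    }
}

# Output DLP: constructed patterns standing in for sensitive information types.
DLP_PATTERNS = {
    "national-id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}


class RateLimiter:
    """Sliding-window limit per principal: at most `limit` calls in any `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._calls = {}

    def allow(self, principal, now):
        q = self._calls.setdefault(principal, deque())
        while q and now - q[0] >= self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def redact_output(text):
    """Replace sensitive matches with labelled placeholders; return (clean_text, types_found)."""
    found = []
    for label, pattern in DLP_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[REDACTED {label}]", text)
    return text, found


def guard_tool_call(agent, principal, tool, raw_output, limiter, now):
    """Apply the safeguards in order and return an audit record of the outcome.

    Order matters: scope is checked before anything else, so an instruction that
    names an out-of-scope tool is refused regardless of who or what requested it.
    """
    record = {"agent": agent, "principal": principal, "tool": tool,
              "decision": None, "dlp_hits": [], "needs_human_review": False}
    scope = AGENT_SCOPE.get(agent)
    if scope is None or tool not in scope["allowed_tools"]:
        record["decision"] = "blocked:out-of-scope"
        return record
    if not limiter.allow(principal, now):
        record["decision"] = "blocked:rate-limited"
        return record
    clean, hits = redact_output(raw_output)   # raw_output stands in for the tool's result
    record["dlp_hits"] = hits
    record["output"] = clean
    record["needs_human_review"] = tool in scope["human_review_tools"]
    record["decision"] = "pending-review" if record["needs_human_review"] else "allowed"
    return record


if __name__ == "__main__":
    limiter = RateLimiter(limit=2, window_s=60)
    print(guard_tool_call("benefits-assistant", "alice", "delete_case", "", limiter, 0.0))
    print(guard_tool_call("benefits-assistant", "alice", "draft_reply",
                          "Reply to 123-45-6789 at a.b@agency.example", limiter, 1.0))
```

The audit record is the artefact the Govern step consumes later: it captures the principal, the tool, the DLP types that fired (not the redacted values themselves), and whether a human reviewer still has to approve the output. Pattern-based redaction is a backstop; in a production deployment the sensitive information types would come from the classification service rather than regexes.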

Step 4: Govern

Governance is the ongoing work of ensuring AI systems remain compliant with policy and regulatory requirements over time. This isn’t a one-time setup; AI systems evolve, policies change, and new risks emerge. Governance must be continuous.

Governance activities include:

  • Auditing AI decisions and outputs for compliance, accuracy, and potential bias
  • Enforcing data retention and deletion policies for AI-generated content and interaction logs
  • Maintaining documentation of AI system configurations and recording changes over time
  • Supporting regulatory reporting and demonstrating accountability to oversight bodies and the public

Microsoft tools for securing AI

Several Microsoft tools support the four-step framework. Most public sector organizations will use them in combination to build a comprehensive security posture for their AI environments.

Microsoft Entra

Microsoft Entra is Microsoft’s identity and access management platform and the foundation of Zero Trust security for AI environments. In the context of AI adoption, Entra:

  • Verifies the identity of everyone accessing AI tools, using multi-factor authentication and continuous risk assessment
  • Implements conditional access policies that evaluate user identity, device health, location, and risk level before granting access to AI systems and data
  • Enforces least-privilege access so agents and users can access only the resources their specific role and task require
  • Provides a unified policy engine for managing access across Microsoft 365, Azure, and connected third-party systems

Microsoft Entra supports the Prepare and Protect steps of the framework.
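To make the Prepare step and the Entra capabilities above concrete, here is an added Python example of a small Conditional Access-style policy decision point. It is not Microsoft Entra code and not from this unit; it only combines the signals the text names (multi-factor authentication, sign-in risk, device compliance, and a role-based least-privilege map) into one allow/deny decision with reasons suitable for an audit trail. The roles, resource names, and risk levels are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt with the signals the policy evaluates (constructed shape)."""
    user: str
    roles: frozenset[str]
    mfa_satisfied: bool
    device_compliant: bool
    risk_level: str          # "low" | "medium" | "high"
    resource: str
    action: str


# Hypothetical least-privilege role map: role -> allowed (resource, action) pairs.
ROLE_PERMISSIONS = {
    "caseworker": {("case-records", "read"), ("copilot-agent", "invoke")},
    "agent-admin": {("copilot-agent", "invoke"), ("copilot-agent", "configure")},
}

# Resources the policy treats as sensitive: a compliant device is required to reach them.
SENSITIVE_RESOURCES = {"case-records", "copilot-agent"}


def evaluate_access(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). All checks run so the record explains every denial cause."""
    reasons = []
    # 1. Identity: multi-factor authentication is required on every request (Zero Trust).
    if not req.mfa_satisfied:
        reasons.append("mfa-required")
    # 2. Risk-based policy: a high-risk sign-in is blocked outright.
    if req.risk_level == "high":
        reasons.append("high-risk-sign-in")
    # 3. Device health: sensitive resources need a compliant device.
    if req.resource in SENSITIVE_RESOURCES and not req.device_compliant:
        reasons.append("device-not-compliant")
    # 4. Least privilege: the (resource, action) pair must be granted by some role the user holds.
    allowed_pairs = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in allowed_pairs:
        reasons.append("not-in-role")
    return (not reasons, reasons)


if __name__ == "__main__":
    req = AccessRequest("alice", frozenset({"caseworker"}), True, False, "low", "case-records", "read")
    print(evaluate_access(req))
```

The decision is deny-by-default: an empty role set or an unknown role yields no permissions, and every failing signal is recorded rather than stopping at the first one, which is what an access review needs when reconstructing why a request to an AI tool was refused.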

Microsoft Purview

Microsoft Purview is Microsoft’s data governance and compliance platform. For organizations deploying AI, Purview:

  • Discovers and classifies sensitive data across Microsoft 365 and connected systems, providing visibility into what AI agents can access and how data flows through AI workflows
  • Applies data security policies to generative AI applications, including Microsoft 365 Copilot and custom agents built with Copilot Studio
  • Tracks data lineage and access history to support audit and compliance requirements
  • Manages data subject rights requests related to AI processing—such as access, correction, or deletion under GDPR
  • Monitors AI interactions for potential compliance violations through its Data Security Posture Management (DSPM) for AI capability

Microsoft Purview supports the Discover and Govern steps of the framework.

Microsoft Defender

Microsoft Defender provides threat detection and response capabilities specifically extended to AI workloads. For public sector organizations deploying agents, Defender:

  • Discovers AI workloads across the organization and maintains an AI Bill of Materials (BOM)—a complete, auditable inventory of AI systems, models, and their connections
  • Assesses the security posture of AI deployments, including identity configuration, data exposure risks, and internet-facing vulnerabilities
  • Detects and responds to AI-specific threats at runtime, including prompt injection attacks, sensitive data leaks, data poisoning attempts, and denial-of-service patterns
  • Integrates AI security alerts into the Microsoft Defender XDR platform for centralized detection and response alongside broader security operations

Microsoft Defender supports the Protect step of the framework.

Microsoft Priva

Microsoft Priva focuses specifically on privacy risk management—the intersection of data protection and AI governance. Priva:

  • Continuously evaluates personal data in Microsoft 365 for privacy risks, including overexposure, unauthorized data transfers, and retention policy violations
  • Automates the management of data subject rights requests—such as access, correction, and deletion requests under GDPR and similar regulations—at scale
  • Provides visibility into where personal data is being processed within AI workflows, helping organizations identify where privacy policies need to be applied or updated

Microsoft Priva supports the Govern step of the framework.

Azure AI Foundry

Beyond its role as a development platform, Azure AI Foundry provides built-in governance and safety capabilities for AI systems:

  • Content filtering and prompt shields that detect and block harmful, policy-violating, or manipulative inputs and outputs before they reach users or systems
  • Risk assessment tools that evaluate AI models and deployments for potential harms before and after they go live
  • Monitoring and observability dashboards that provide visibility into agent behavior, decision patterns, and usage over time
  • Integration with Microsoft Purview and Microsoft Defender for end-to-end AI security coverage

Azure AI Foundry supports the Discover, Protect, and Govern steps of the framework.

Azure portal

The Azure portal provides centralized configuration and monitoring for AI workloads deployed in Azure. It gives IT administrators a single location to:

  • Configure and manage access policies for Azure AI services and resources
  • Monitor usage, performance, and cost across AI deployments
  • Set organizational guardrails for AI model deployment, including which models and configurations are permitted
  • Maintain audit logs that support compliance reporting and internal accountability processes

The Azure portal supports the Prepare and Govern steps of the framework.

This table summarizes key information about these tools.

Microsoft Entra
  Key capabilities: Identity and access management, Zero Trust, multi-factor authentication, continuous risk assessment, Conditional Access, least-privilege access, unified policy engine
  AI adoption functions: Verifies identity, implements Conditional Access, enforces least-privilege access, manages access across Microsoft 365, Azure, and third-party systems
  Framework steps supported: Prepare, Protect

Microsoft Purview
  Key capabilities: Data governance, compliance, sensitive data discovery and classification, data security policies, data lineage, audit, data subject rights, DSPM for AI
  AI adoption functions: Discovers and classifies sensitive data, applies security policies, tracks data lineage and access history, manages data subject rights, monitors AI interactions
  Framework steps supported: Discover, Govern

Microsoft Defender
  Key capabilities: Threat detection and response for AI, AI BOM, security posture assessment, runtime threat detection, XDR integration
  AI adoption functions: Discovers AI workloads, maintains AI BOM, assesses security posture, detects and responds to AI-specific threats, integrates alerts into XDR
  Framework steps supported: Protect

Microsoft Priva
  Key capabilities: Privacy risk management, personal data evaluation, automated data subject rights, visibility into AI processing
  AI adoption functions: Evaluates personal data for privacy risks, automates rights requests, provides visibility into data processing in AI workflows
  Framework steps supported: Govern

Azure AI Foundry
  Key capabilities: Governance and safety for AI, content filtering, prompt shields, risk assessment tools, monitoring dashboards, integration with Purview and Defender
  AI adoption functions: Content filtering and prompt shields, risk assessment, monitoring and observability, integration for end-to-end security
  Framework steps supported: Discover, Protect, Govern

Azure portal
  Key capabilities: Centralized configuration and monitoring, access policy management, usage, performance, and cost monitoring, guardrails, audit logs
  AI adoption functions: Configures and manages access policies, monitors AI deployments, sets guardrails, maintains audit logs
  Framework steps supported: Prepare, Govern

Tip

Organizations don’t need to implement all of these tools at once. A practical starting point is to establish identity controls through Microsoft Entra and data visibility through Microsoft Purview. From there, add protection and governance capabilities as the AI footprint grows.

Resources