Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Microsoft Purview Insider Risk Management enables organizations to identify, investigate, and respond to potential insider risks across users and agents. As organizations increasingly adopt AI agents, Insider Risk Management provides built-in capabilities to help monitor agent activity and surface risky behaviors that could lead to data exposure, compliance violations, or security concerns.
Before you begin monitoring agents in your organization, you must complete the steps provided in Get started with Insider Risk Management. For information about subscriptions, licensing, and permissions, see Subscriptions and licensing and Permissions in Insider Risk Management.
Risky Agents policy
The Risky Agents (preview) policy provides out-of-the-box coverage for common risk scenarios associated with AI agents. The policy is designed to help surface behaviors that may indicate inappropriate or unsafe agent usage, including situations where agents interact with sensitive data, generate risky outputs, or share information outside organizational boundaries.
By default, the policy detects:
- Risky prompts
- Agents generating sensitive responses
- Agents accessing sensitive data
- Accessing risky websites
These detections help security, compliance, and risk teams gain visibility into how agents are being used and where potential risks may exist.
Supported agents
The Risky Agents (preview) policy supports the following agent types:
- Copilot Studio agents
- Microsoft Foundry agents
- Agents built using the P4AI SDK
Default policy availability and behavior
The Risky Agents (preview) policy is available by default to all organizations with supported licenses. When the service is set up, this policy is automatically present and ready to generate alerts based on observed agent activity.
This default configuration enables organizations to:
- Begin monitoring agent activity immediately.
- Gain early visibility into potential agent-related risks.
- Investigate agent behaviors using established Insider Risk Management workflows.
Customize agent risk monitoring
While the default Risky Agents (preview) policy provides broad coverage for common scenarios, some organizations may require more specific or tailored monitoring.
If the default policy doesn't meet your organizational requirements, you can create a custom Insider Risk Management policy to better align with your risk posture or investigation needs. For more information, see Create a new policy.
Investigate agent-related alerts
When the Risky Agents (preview) policy detects relevant activity, alerts are generated within Insider Risk Management. These alerts can be reviewed and investigated using the standard alert investigation workflow.
Through alert investigation, analysts can:
- Review details of the detected activity.
- Understand the context of agent behavior.
- Determine whether further action is required.
For detailed guidance on reviewing and managing alerts, see Triaging alerts.
Share agent risk with other Microsoft solutions
Agent risk calculated in Microsoft Purview Insider Risk Management is shared with the following solutions: