Merge pull request #53321 from riswinto/purview-data-security-posture-management-understand

Purview data security posture management understand

Author: JamesJBarnett

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-understand.md

@@ -4,6 +4,8 @@ For example, an alert might show a file was downloaded. An activity-based invest
 
 A data security investigation exists to close that gap.
 
+
+
 ## How data security investigations differ from activity-based investigation
 
 Traditional security investigation often starts with activity. An alert fires, a user performs an action, or a signal indicates something unusual. From there, the investigation focuses on timelines, indicators, and behavior.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/data-security-objectives.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-posture-management-understand.data-security-objectives
+title: Data security objectives as the organizing model
+metadata:
+  title: Data security objectives as the organizing model
+  description: "Data security objectives as the organizing model"
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/data-security-objectives.md)]

learn-pr/wwl-sci/purview-data-security-posture-management-understand/data-security-posture-ai.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-posture-management-understand.data-security-posture-ai
+title: How AI is used inside DSPM
+metadata:
+  title: How AI is used inside DSPM
+  description: "How AI is used inside DSPM"
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/data-security-posture-ai.md)]

learn-pr/wwl-sci/purview-data-security-posture-management-understand/data-security-workflow-fit.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-posture-management-understand.data-security-workflow-fit
+title: Where DSPM fits in the broader data security workflow
+metadata:
+  title: Where DSPM fits in the broader data security workflow
+  description: "Where DSPM fits in the broader data security workflow"
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/data-security-workflow-fit.md)]

learn-pr/wwl-sci/purview-data-security-posture-management-understand/evaluate-risk-posture.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-posture-management-understand.evaluate-risk-posture
+title: How DSPM evaluates data risk and posture
+metadata:
+  title: How DSPM evaluates data risk and posture
+  description: "How DSPM evaluates data risk and posture"
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/evaluate-risk-posture.md)]

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/data-security-objectives.md

@@ -0,0 +1,67 @@
+Understanding posture tells you _where_ risk exists. The next challenge is deciding what to do about it.
+
+In complex environments, risk signals don't arrive neatly grouped. They come from different tools, cover different workloads, and vary in urgency. Looking at each signal in isolation makes it hard to decide where to start or how to measure progress.
+
+Data security objectives exist to solve that problem.
+
+## Objectives as outcome-driven workflows
+
+In data security posture management (DSPM), objectives are the primary way risk is organized and addressed. An objective represents a specific outcome related to data security, like reducing oversharing, limiting exposure, or strengthening protection for sensitive data.
+
+:::image type="content" source="../media/objectives-as-outcomes.png" border="false" alt-text="Diagram showing objectives progressing through assess, identify, recommend, and validate steps over time." lightbox="../media/objectives-as-outcomes.png":::
+
+Objectives aren’t checklists or static views. They function as workflows that link:
+
+- Assessing current posture
+- Identifying gaps or risks
+- Recommending actions
+- Validating and reporting over time
+
+This structure shifts the focus away from individual settings or alerts and toward measurable improvement.
+
+## How objectives group assessment, action, and reporting
+
+Each objective brings together information that would otherwise be spread across multiple solutions.
+
+Instead of separately reviewing posture insights, policy gaps, and follow-up actions, objectives present these elements in context. You can see:
+
+- why an objective exists
+- what signals are contributing to it
+- which actions are recommended
+- how changes affect posture over time
+
+This grouping reduces the need to manually connect information across tools and makes it easier to understand how individual actions contribute to broader risk reduction.
+
+## Why objectives replace navigating individual solutions
+
+Traditional workflows often require moving between multiple Purview solutions to understand a single risk area. That approach works for targeted tasks, but it doesn’t scale well when risk spans data types, workloads, and usage patterns.
+
+Objectives provide a higher-level entry point by shifting focus:
+
+- From individual tools to outcomes
+- From isolated signals to grouped context
+- From reactive navigation to prioritized action
+
+The underlying solutions are still used to take action. Objectives change how they're navigated and why they're used.
+
+## Tracking progress and improvement over time
+
+Because objectives are tied to posture, they support tracking progress over time rather than validating one-time changes.
+
+As actions are taken and conditions change, objectives reflect whether risk is decreasing, staying the same, or shifting elsewhere. This makes it easier to evaluate whether effort is leading to meaningful improvement or simply addressing symptoms.
+
+Progress is measured through trends and posture signals, not by checking whether a single recommendation was completed.
+
+## Objectives that address AI-related risk
+
+Some objectives explicitly focus on risks introduced or amplified by AI usage. These might relate to exposure through prompts, oversharing in responses, or movement of sensitive data through AI-driven workflows.
+
+These objectives treat AI activity as part of the broader data security landscape. Signals from AI interactions are evaluated alongside more traditional signals, like access and sharing, rather than being handled in isolation.
+
+## Why AI-related objectives aren't separate from data security
+
+AI-related risk doesn't replace existing data risk. It builds on it.
+
+Sensitive data that's poorly classified, widely accessible, or inconsistently protected becomes more exposed when used in AI interactions. Objectives reflect this reality by connecting AI-related signals to the same posture model used for other data risks.
+
+This approach avoids treating AI as a special case. Instead, it reinforces that strong data security fundamentals are what make AI usage safer and more predictable.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/data-security-posture-ai.md

@@ -0,0 +1,55 @@
+AI plays a supporting role inside data security posture management (DSPM). It doesn't replace human judgment or take action on its own. Its purpose is to help make sense of complex signals at scale.
+
+This distinction matters. Trust in DSPM depends on understanding where AI assists and where control remains firmly with people and policies.
+
+## Where AI fits in DSPM
+
+DSPM uses AI capabilities like Security Copilot and embedded agents to help analyze information that would otherwise be difficult to interpret manually.
+
+These capabilities operate within DSPM’s posture and objectives, rather than alongside them. They don't introduce new sources of authority or bypass existing controls. Instead, they help surface insights from posture data, objectives, and signals that are already available.
+
+AI is used to support understanding, not to decide outcomes.
+
+## What AI assists with
+
+Within DSPM, AI assists with tasks that benefit from pattern recognition and contextual analysis, including:
+
+- Triage of posture signals and objective-related findings
+- Prioritization of risks based on patterns, trends, and scope
+- Analysis that explains why certain risks surface and how they relate to posture
+
+These capabilities reduce the time spent interpreting data and connecting signals across tools. They don't change what actions are available or how those actions are taken.
+
+## What AI doesn't do
+
+AI inside DSPM doesn't perform autonomous enforcement.
+
+It doesn't:
+
+- Create or modify policies on its own
+- Block access or take corrective action without approval
+- Replace investigation or enforcement tools
+
+All actions still occur in the appropriate Microsoft Purview solution and follow existing permission models. AI might suggest or explain, but it doesn't execute.
+
+This boundary is intentional and central to how DSPM is designed.
+
+## Approval, auditing, and transparency
+
+Any AI-assisted insight or recommendation is visible and reviewable.
+
+DSPM maintains transparency around:
+
+- How conclusions are formed
+- Which signals contribute to recommendations
+- What actions are suggested versus required
+
+Actions taken in response to DSPM insights are still auditable through the underlying tools. This ensures accountability and supports review, validation, and governance processes.
+
+AI assists with clarity, not control.
+
+## Why trust and control matter
+
+As environments grow more complex, especially with increased AI usage, the volume of signals can overwhelm traditional workflows. AI helps manage that complexity, but only when its role is clearly defined.
+
+DSPM uses AI to support informed decision-making while preserving control, approval, and accountability. This balance allows AI to accelerate understanding without changing who owns risk decisions or how they're enforced.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/data-security-workflow-fit.md

@@ -0,0 +1,73 @@
+Data security posture management (DSPM) isn't designed to replace existing security tools. It helps decide how and when those tools should be used.
+
+Throughout the data security lifecycle, different solutions serve different purposes. DSPM sits upstream of that work. It helps identify where risk is concentrated so follow-up actions are intentional, not reactive.
+
+## DSPM and data loss prevention
+
+Data loss prevention (DLP) is where controls are defined and enforced. Policies determine what actions are allowed, blocked, or audited.
+
+DSPM doesn’t create or enforce DLP policies. Instead, it helps surface where sensitive data is most exposed, where protections are inconsistent, or where existing controls might not be sufficient. These insights can inform decisions about creating new policies, refining scope, or adjusting actions.
+
+In practice:
+
+- DSPM helps identify where DLP effort will have the most effect
+- DLP enforces controls based on those decisions
+
+## DSPM and Insider Risk Management
+
+Insider Risk Management focuses on detecting and analyzing risky patterns of behavior.
+
+DSPM complements this by highlighting data-related conditions that might increase insider risk, like broad access to sensitive information or repeated exposure across workloads. When posture insights suggest elevated risk, Insider Risk Management provides the tools to investigate behavior in more detail.
+
+In practice:
+
+- DSPM highlights conditions that increase risk
+- Insider Risk Management supports behavioral analysis
+
+## DSPM and Audit
+
+Audit provides the evidence layer for data activity. It records what happened, when it happened, and who was involved.
+
+DSPM relies on audit signals to understand how data is being used over time. When posture insights raise questions, audit data supports validation and follow-up by providing the underlying activity context.
+
+In practice:
+
+- DSPM helps decide what to look for
+- Audit shows what actually occurred
+
+## DSPM and data security investigations
+
+Data security investigations bring together evidence, context, and analysis when a deeper review is needed.
+
+DSPM doesn’t replace investigations or manage cases. It helps justify when an investigation is warranted by identifying patterns, trends, or exposure that go beyond isolated events.
+
+When posture insights indicate sustained or elevated risk, investigations provide the structured environment to examine data, activity, and outcomes more closely.
+
+In practice:
+
+- DSPM helps justify when an investigation is needed
+- Investigations provide structured, case-based analysis
+
+## When DSPM insights justify deeper investigation
+
+Not every posture finding requires immediate action. Some indicate emerging risk, others reflect known conditions that are already being addressed.
+
+DSPM helps differentiate between:
+
+- Isolated findings and broader patterns
+- Temporary conditions and sustained exposure
+- Low-priority gaps and high-risk areas
+
+This context helps determine when to adjust controls, when to monitor trends, and when to escalate into investigation or enforcement workflows.
+
+## Why DSPM is a starting point, not an end state
+
+DSPM is designed to guide action, not complete it.
+
+:::image type="content" source="../media/data-security-posture-lifecycle.png" border="false" alt-text="Diagram showing posture insights leading to protections, activity review, and outcome validation that refine posture over time." lightbox="../media/data-security-posture-lifecycle.png":::
+
+It brings visibility, prioritization, and context together so decisions about data security are informed and focused. The actual work of enforcing policies, investigating activity, and validating outcomes still happens in the appropriate tools.
+
+By starting with posture, data security work becomes more intentional. Effort is directed where it matters most. Actions across DLP, Insider Risk Management, audit, and investigations stay aligned to real risk.
+
+This is how DSPM closes the loop.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/evaluate-risk-posture.md

@@ -0,0 +1,60 @@
+Understanding what data security posture management (DSPM) is responsible for is only part of the picture. Risk evaluation depends on how posture is assessed across the environment and how that assessment changes over time.
+
+DSPM doesn't rely on point-in-time checks or one-off scans. It builds its view of risk through continuous discovery and assessment, using signals that already exist across Microsoft Purview.
+
+## Continuous discovery and assessment
+
+Data environments don't stay still. Files are created, shared, moved, and reused. Access changes. New apps appear. AI accelerates all of this.
+
+DSPM continuously assesses where sensitive data exists and how it’s being used. Instead of asking whether a scan ran or a policy fired, DSPM looks at what the environment looks like _now_ and how that picture changes over time.
+
+This ongoing assessment is what allows DSPM to surface trends and shifts in exposure, not just isolated findings. Posture reflects patterns and conditions over time, not individual events or momentary findings.
+
+## What "posture" represents in DSPM
+
+In DSPM, posture represents the overall state of data risk and protection across the organization.
+
+Posture isn't a compliance score and it's not a single metric. It's a composite view built from:
+
+- The presence and location of sensitive data
+- How broadly that data is accessible
+- How it's being used
+- Whether protections like labels and policies are applied consistently
+
+This view helps you understand readiness and exposure at a higher level. Instead of reacting to individual events, posture supports decisions about where to focus effort and which risks deserve attention first.
+
+## Metrics, trends, and prioritization
+
+Because DSPM evaluates posture over time, it can surface metrics and trends that aren't visible when working inside individual tools.
+
+These insights help answer questions like:
+
+- Is exposure increasing or decreasing?
+- Are protections improving in high-risk areas?
+- Where are gaps persisting despite existing controls?
+
+DSPM uses these signals to prioritize recommendations and actions. The goal isn't to surface everything that could be improved. The goal is to highlight what matters most based on current risk and potential exposure.
+
+## Coverage gaps and prerequisites
+
+What DSPM can evaluate depends on what's configured in the environment.
+
+If auditing isn't enabled, certain activity signals won't be available. If devices aren't onboarded or policies aren't deployed, coverage will be incomplete. DSPM reflects these gaps clearly so it's apparent where visibility is limited.
+
+This transparency is important. Posture insights are only as complete as the data behind them. DSPM doesn't hide missing coverage or infer what it can't see.
+
+## AI interactions as a signal source
+
+AI interactions introduce a different type of signal into posture evaluation.
+
+Prompts and responses represent data in use, not data sitting at rest. Sensitive information might be shared, summarized, or transformed without creating a traditional file or triggering a familiar workflow. DSPM treats these interactions as signals that contribute to overall posture, not as a separate category of risk.
+
+By including AI activity alongside more traditional signals, DSPM provides a clearer view of how sensitive data is actually being used across the environment.
+
+## Why data in use matters for posture
+
+Focusing only on data at rest leaves gaps in modern environments.
+
+Risk increasingly comes from how data is accessed, shared, and reused, especially through AI-driven experiences. Posture evaluation needs to account for this active use of data, not just where it's stored or how it's labeled.
+
+DSPM incorporates data in use into its posture model to support reasoning about exposure in environments where data is constantly moving and being acted on.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/introduction.md

@@ -0,0 +1,15 @@
+Data security work often starts in the middle. Teams respond to alerts, investigate activity, and adjust policies based on what surfaces in individual tools. What's harder to answer is a more basic question: **where is the organization most exposed right now, and why**.
+
+When sensitive data is spread across workloads, widely accessible, or actively used through AI-driven experiences, isolated signals don't provide enough context to guide decisions. Without a clear view of posture, teams might spend effort in the wrong places or react to symptoms instead of underlying risk.
+
+Data security posture management exists to solve this problem. It helps teams understand where sensitive data exists, how it’s being used, and how consistently it's protected. This context helps direct effort intentionally before configuring controls or launching investigations.
+
+## Learning objectives
+
+By the end of this module, you'll be able to:
+
+- Explain what data security posture management is and the problem it addresses
+- Describe how posture is evaluated over time
+- Explain how data security objectives organize risk into outcomes
+- Describe the role of AI in data security posture management
+- Explain how data security posture management fits with data loss prevention (DLP), Insider Risk Management, audit, and investigations