understand dspm module

Author: riswinto

learn-pr/wwl-sci/purview-data-security-posture-management-understand/data-security-objectives.yml

@@ -0,0 +1,2 @@
+Data security objectives as the organizing model
+5

learn-pr/wwl-sci/purview-data-security-posture-management-understand/data-security-posture-ai.yml

@@ -0,0 +1,2 @@
+How AI is used inside DSPM
+4

learn-pr/wwl-sci/purview-data-security-posture-management-understand/evaluate-risk-posture.yml

@@ -0,0 +1,2 @@
+How DSPM evaluates data risk and posture
+5

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/data-security-objectives.md

@@ -0,0 +1,65 @@
+Understanding posture tells you _where_ risk exists. The next challenge is deciding what to do about it.
+
+In complex environments, risk signals don't arrive neatly grouped. They come from different tools, cover different workloads, and vary in urgency. Looking at each signal in isolation makes it hard to decide where to start or how to measure progress.
+
+Data security objectives exist to solve that problem.
+
+## Objectives as outcome-driven workflows
+
+In data security posture management (DSPM), objectives are the primary way risk is organized and addressed. An objective represents a specific outcome related to data security, like reducing oversharing, limiting exposure, or strengthening protection for sensitive data.
+
+Objectives aren't checklists or static views. They function as workflows that connect:
+
+- Assessing current posture
+- Identifying gaps or risks
+- Recommending actions
+- Validating and reporting over time
+
+This structure shifts the focus away from individual settings or alerts and toward measurable improvement.
+
+## How objectives group assessment, action, and reporting
+
+Each objective brings together information that would otherwise be spread across multiple solutions.
+
+Instead of separately reviewing posture insights, policy gaps, and follow-up actions, objectives present these elements in context. You can see:
+
+- why an objective exists
+- what signals are contributing to it
+- which actions are recommended
+- how changes affect posture over time
+
+This grouping reduces the need to manually connect information across tools and makes it easier to understand how individual actions contribute to broader risk reduction.
+
+## Why objectives replace navigating individual solutions
+
+Traditional workflows often require moving between multiple Purview solutions to understand a single risk area. That approach works for targeted tasks, but it doesn’t scale well when risk spans data types, workloads, and usage patterns.
+
+Objectives provide a higher-level entry point by shifting focus:
+
+- From individual tools to outcomes
+- From isolated signals to grouped context
+- From reactive navigation to prioritized action
+
+The underlying solutions are still used to take action. Objectives change how they're navigated and why they're used.
+
+## Tracking progress and improvement over time
+
+Because objectives are tied to posture, they support tracking progress over time rather than validating one-time changes.
+
+As actions are taken and conditions change, objectives reflect whether risk is decreasing, staying the same, or shifting elsewhere. This makes it easier to evaluate whether effort is leading to meaningful improvement or simply addressing symptoms.
+
+Progress is measured through trends and posture signals, not by checking whether a single recommendation was completed.
+
+## Objectives that address AI-related risk
+
+Some objectives explicitly focus on risks introduced or amplified by AI usage. These might relate to exposure through prompts, oversharing in responses, or movement of sensitive data through AI-driven workflows.
+
+These objectives treat AI activity as part of the broader data security landscape. Signals from AI interactions are evaluated alongside more traditional signals, like access and sharing, rather than being handled in isolation.
+
+## Why AI-related objectives aren't separate from data security
+
+AI-related risk doesn't replace existing data risk. It builds on it.
+
+Sensitive data that's poorly classified, widely accessible, or inconsistently protected becomes more exposed when used in AI interactions. Objectives reflect this reality by connecting AI-related signals to the same posture model used for other data risks.
+
+This approach avoids treating AI as a special case. Instead, it reinforces that strong data security fundamentals are what make AI usage safer and more predictable.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/data-security-posture-ai.md

@@ -0,0 +1,55 @@
+AI plays a supporting role inside data security posture management (DSPM). It doesn't replace human judgment or take action on its own. Its purpose is to help make sense of complex signals at scale.
+
+This distinction matters. Trust in DSPM depends on understanding where AI assists and where control remains firmly with people and policies.
+
+## Where AI fits in DSPM
+
+DSPM uses AI capabilities like Security Copilot and embedded agents to help analyze information that would otherwise be difficult to interpret manually.
+
+These capabilities operate within the context DSPM already provides. They don't introduce new sources of authority or bypass existing controls. Instead, they help surface insights from posture data, objectives, and signals that are already available.
+
+AI is used to support understanding, not to decide outcomes.
+
+## What AI assists with
+
+Within DSPM, AI assists with tasks that benefit from pattern recognition and contextual analysis, including:
+
+- Triage of posture signals and objective-related findings
+- Prioritization of risks based on patterns, trends, and scope
+- Analysis that explains why certain risks surface and how they relate to posture
+
+These capabilities help reduce the time spent interpreting data and connecting signals across tools. They don't change what actions are available or how those actions are taken.
+
+## What AI doesn't do
+
+AI inside DSPM doesn't perform autonomous enforcement.
+
+It doesn't:
+
+- Create or modify policies on its own
+- Block access or take corrective action without approval
+- Replace investigation or enforcement tools
+
+All actions still occur in the appropriate Microsoft Purview solution and follow existing permission models. AI might suggest or explain, but it doesn't execute.
+
+This boundary is intentional and central to how DSPM is designed.
+
+## Approval, auditing, and transparency
+
+Any AI-assisted insight or recommendation is visible and reviewable.
+
+DSPM maintains transparency around:
+
+- How conclusions are formed
+- Which signals contribute to recommendations
+- What actions are suggested versus required
+
+Actions taken in response to DSPM insights are still auditable through the underlying tools. This ensures accountability and supports review, validation, and governance processes.
+
+AI assists with clarity, not control.
+
+## Why trust and control matter
+
+As environments grow more complex, especially with increased AI usage, the volume of signals can overwhelm traditional workflows. AI helps manage that complexity, but only when its role is clearly defined.
+
+DSPM uses AI to support informed decision-making while preserving control, approval, and accountability. This balance allows AI to accelerate understanding without changing who owns risk decisions or how they're enforced.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/evaluate-risk-posture.md

@@ -0,0 +1,60 @@
+Understanding what data security posture management (DSPM) is responsible for is only part of the picture. Risk evaluation depends on how posture is assessed across the environment and how that assessment changes over time.
+
+DSPM doesn't rely on point-in-time checks or one-off scans. It builds its view of risk through continuous discovery and assessment, using signals that already exist across Microsoft Purview.
+
+## Continuous discovery and assessment
+
+Data environments don't stay still. Files are created, shared, moved, and reused. Access changes. New apps appear. AI accelerates all of this.
+
+DSPM accounts for this by continuously assessing where sensitive data exists and how it's being used. Instead of asking whether a scan ran or a policy fired, DSPM looks at what the environment looks like _now_ and how that picture changes over time.
+
+This ongoing assessment is what allows DSPM to surface trends and shifts in exposure, not just isolated findings. Posture reflects patterns and conditions over time, not individual events or momentary findings.
+
+## What "posture" represents in DSPM
+
+In DSPM, posture represents the overall state of data risk and protection across the organization.
+
+Posture isn't a compliance score and it's not a single metric. It's a composite view built from:
+
+- The presence and location of sensitive data
+- How broadly that data is accessible
+- How it's being used
+- Whether protections like labels and policies are applied consistently
+
+This view helps you understand readiness and exposure at a higher level. Instead of reacting to individual events, posture supports decisions about where to focus effort and which risks deserve attention first.
+
+## Metrics, trends, and prioritization
+
+Because DSPM evaluates posture over time, it can surface metrics and trends that aren't visible when working inside individual tools.
+
+These insights help answer questions like:
+
+- Is exposure increasing or decreasing?
+- Are protections improving in high-risk areas?
+- Where are gaps persisting despite existing controls?
+
+DSPM uses these signals to prioritize recommendations and actions. The goal isn't to surface everything that could be improved. The goal is to highlight what matters most based on current risk and potential exposure.
+
+## Coverage gaps and prerequisites
+
+What DSPM can evaluate depends on what's configured in the environment.
+
+If auditing isn't enabled, certain activity signals won't be available. If devices aren't onboarded or policies aren't deployed, coverage will be incomplete. DSPM reflects these gaps clearly so it's apparent where visibility is limited.
+
+This transparency is important. Posture insights are only as complete as the data behind them. DSPM doesn't hide missing coverage or infer what it can't see.
+
+## AI interactions as a signal source
+
+AI interactions introduce a different type of signal into posture evaluation.
+
+Prompts and responses represent data in use, not data sitting at rest. Sensitive information might be shared, summarized, or transformed without creating a traditional file or triggering a familiar workflow. DSPM treats these interactions as signals that contribute to overall posture, not as a separate category of risk.
+
+By including AI activity alongside more traditional signals, DSPM provides a clearer view of how sensitive data is actually being used across the environment.
+
+## Why data in use matters for posture
+
+Focusing only on data at rest leaves gaps in modern environments.
+
+Risk increasingly comes from how data is accessed, shared, and reused, especially through AI-driven experiences. Posture evaluation needs to account for this active use of data, not just where it's stored or how it's labeled.
+
+DSPM incorporates data in use into its posture model to support reasoning about exposure in environments where data is constantly moving and being acted on.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/introduction.md

@@ -0,0 +1,56 @@
+In many environments, data security work is driven by individual tools. Data loss prevention (DLP) policies are configured, alerts are reviewed, users are investigated, and sensitivity labels are applied. Each task is valid on its own.
+
+The challenge is that these tasks don't always answer a more basic question: _where is the organization most exposed right now, and why?_
+
+Data security posture management (DSPM) exists to answer that question. It focuses on understanding risk before it turns into an incident. Instead of starting with alerts or investigations, it starts with visibility and context.
+
+## From tool-centric work to data-centric thinking
+
+Tool-centric security focuses on what each solution can do. Data-centric security focuses on the data itself.
+
+Instead of asking whether a policy exists or whether an alert fired, posture management looks at conditions that increase risk. That includes where sensitive data lives, how widely it's shared, how it's being used, and whether protections are applied consistently. The goal isn't to replace day-to-day security work. The goal is to help you decide where that work matters most.
+
+Microsoft Purview Data Security Posture Management, or DSPM, applies this model to data across the organization.
+
+## The four questions DSPM is designed to answer
+
+At its core, DSPM is built around four questions that need to be answered to support informed decisions:
+
+- _What data exists_
+- _Where it resides_
+- _Who can access it_
+- _How it's protected_
+
+These questions sound simple, but answering them consistently across workloads, users, and AI interactions is hard. Data moves. Access changes. New tools and apps appear. AI accelerates all of this.
+
+DSPM brings these questions together in one place so you can reason about exposure and risk across the environment, not just inside a single tool.
+
+## How DSPM builds its view of posture
+
+DSPM doesn't inspect data or user behavior on its own. It aggregates signals from other Microsoft Purview solutions that already do that work.
+
+Those signals come from areas like:
+
+- **Data Loss Prevention**, which detects risky data handling
+- **Information Protection**, which shows how data is classified and labeled
+- **Insider Risk Management**, which highlights risky patterns and behaviors
+- **Audit and activity data**, which provide evidence of how data is used
+- **Investigation tools**, which add context when deeper review is needed
+
+DSPM brings these signals together to show patterns, trends, and gaps. This is what "posture" represents in practice. It's a way to understand overall exposure and readiness, not a single event or misconfiguration.
+
+## What DSPM does and doesn't do
+
+DSPM informs and guides. It doesn't enforce policies, block actions, or replace investigation tools.
+
+When DSPM highlights a risk, the response still happens in the appropriate solution. A DLP policy is created or adjusted in DLP. A case is investigated using audit or investigation tools. DSPM helps determine _what_ to address and _why_, but it doesn't take control away from the underlying tools.
+
+Keeping this boundary clear is important. DSPM is a starting point for action, not the place where all actions happen.
+
+## How AI changes data security posture
+
+AI changes how data moves through an organization. Prompts, responses, summaries, and agent workflows create new paths for sensitive information to be shared, reused, or exposed. This activity is often distributed across users, apps, and services, which makes risk harder to see when you look at tools in isolation.
+
+In these environments, posture matters more than individual alerts. You need to understand patterns like oversharing, repeated exposure, or gaps in protection before those patterns lead to incidents. DSPM treats AI interactions as another signal source, not a separate problem to solve in isolation.
+
+By focusing on posture, DSPM helps organizations stay ahead of risk in environments where data is constantly in use, not just sitting at rest.

learn-pr/wwl-sci/purview-data-security-posture-management-understand/includes/summary.md

@@ -0,0 +1,53 @@
+### YamlMime:Module
+uid: learn.wwl.purview-data-security-posture-management-understand
+metadata:
+  title: Understand Data Security Investigations
+  description: Understand Data Security Investigations.
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: module
+  ai-usage: ai-assisted
+  ms.service: purview
+title: Understand Data Security Investigations
+summary: |
+  Data security investigations help organizations understand data risk beyond activity alone. This module focuses on the concepts that define data security investigations, how they differ from alerts and audit, and when deeper, data-focused investigation adds value to security decisions.
+abstract: |
+  In this module you learn to:
+  - Explain what a data security investigation is and what it's designed to address
+  - Describe why data security investigations are needed alongside alerts, cases, and audit
+  - Distinguish between reactive and proactive investigation approaches
+  - Recognize what data security investigations are and are not designed to replace
+  - Identify when deeper investigation adds value and when simpler paths are sufficient
+  - Understand how data security investigations fit into broader Microsoft security workflows
+
+prerequisites: |
+  - Familiarity with basic security investigation concepts
+  - General awareness of Microsoft security and data protection tools
+
+iconUrl: /training/achievements/generic-badge.svg
+levels:
+- intermediate
+roles:
+- administrator
+- risk-practitioner
+products:
+- m365
+- microsoft-purview
+subjects:
+- threat-protection
+- security
+units:
+- learn.wwl.purview-data-security-posture-management-understand.introduction
+- learn.wwl.purview-data-security-posture-management-understand.understand-data-security-posture-management
+- learn.wwl.purview-data-security-posture-management-understand.evaluate-risk-posture
+- learn.wwl.purview-data-security-posture-management-understand.data-security-objectives
+- learn.wwl.purview-data-security-posture-management-understand.data-security-posture-ai
+
+
+
+
+- learn.wwl.purview-data-security-posture-management-understand.knowledge-check
+- learn.wwl.purview-data-security-posture-management-understand.summary
+badge:
+  uid: learn.wwl.purview-data-security-posture-management-understand.badge