Merge pull request #53360 from MicrosoftDocs/main

Auto Publish – main to live - 2026-02-05 18:00 UTC

Author: learn-build-service-prod[bot]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.introduction
+title: "Introduction"
+metadata:
+  title: "Introduction"
+  description: "Introduction."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/2-discover-classify-ai-infrastructure-assets.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.discover-classify-ai-infrastructure-assets
+title: "Discover and classify AI infrastructure assets"
+metadata:
+  title: "Discover and classify AI infrastructure assets"
+  description: "Discover and classify AI infrastructure assets."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/2-discover-classify-ai-infrastructure-assets.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/3-implement-azure-policy-guardrails-workloads.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.implement-azure-policy-guardrails-workloads
+title: "Implement Azure Policy guardrails for AI workloads"
+metadata:
+  title: "Implement Azure Policy guardrails for AI workloads"
+  description: "Implement Azure Policy guardrails for AI workloads."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 11
+content: |
+  [!include[](includes/3-implement-azure-policy-guardrails-workloads.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/4-establish-data-lineage-track-pipelines.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.establish-data-lineage-track-pipelines
+title: "Establish data lineage tracking for AI pipelines Azure Policy guardrails for AI workloads"
+metadata:
+  title: "Establish data lineage tracking for AI pipelines Azure Policy guardrails for AI workloads"
+  description: "Establish data lineage tracking for AI pipelines Azure Policy guardrails for AI workloads."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 10
+content: |
+  [!include[](includes/4-establish-data-lineage-track-pipelines.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/5-exercise-configure-governance-ai-deployment.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.exercise-configure-governance-ai-deployment
+title: "Enable threat protection for AI services"
+metadata:
+  title: "Enable threat protection for AI services"
+  description: "Enable threat protection for AI services."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 18
+content: |
+  [!include[](includes/5-exercise-configure-governance-ai-deployment.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/6-knowledge-check.yml

@@ -0,0 +1,48 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.knowledge-check
+title: "Module assessment"
+metadata:
+  title: "Knowledge check"
+  description: "Knowledge check"
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  module_assessment: true
+durationInMinutes: 6
+content: "Choose the best response for each of the following questions."
+quiz:
+  questions:
+  - content: "Your data science team trained an Azure Machine Learning model using a dataset that Purview classified as **Internal Use Only**. After deployment, Purview's automated classification detects that the source dataset now contains customer email addresses, upgrading the classification to **Confidential - personal data**. What governance action should you take first?"
+    choices:
+    - content: "Review lineage in Purview to identify all models trained from this dataset, verify that deployed endpoints use private network access, and flag models for security review to confirm access controls match the upgraded sensitivity level."
+      isCorrect: true
+      explanation: "Purview lineage identifies affected models so you can validate that existing security controls (private endpoints, access policies) match the elevated sensitivity. Security review confirms whether current protections suffice or require enhancement before taking disruptive action."
+    - content: "Immediately delete all models trained from this dataset and redeploy them after removing personal data from the training data, as any model exposure represents a compliance violation requiring immediate remediation."
+      isCorrect: false
+      explanation: "Immediate deletion disrupts production without assessing actual risk—existing controls mayovide adequate protection for the upgraded classification. Downgrading classification ignores the discovered personal data and creates compliance risk by misrepresenting the data's true sensitivity level."
+    - content: "Change the Purview classification back to **Internal Use Only** since the model was trained before the personal data was discovered, maintaining the original classification to avoid disrupting production services."
+      isCorrect: false
+      explanation: "Immediate deletion disrupts production without assessing actual risk—existing controls mayovide adequate protection for the upgraded classification. Downgrading classification ignores the discovered personal data and creates compliance risk by misrepresenting the data's true sensitivity level."
+  - content: "You need to deploy an Azure Policy that enforces encryption with customer-managed keys for all Azure Machine Learning workspaces. Development teams report this requirement slows their experimentation because provisioning Key Vault and keys adds 15-20 minutes to workspace setup. Which policy enforcement strategy balances governance requirements with developer productivity?"
+    choices:
+    - content: "Assign the policy with DeployIfNotExists effect at the management group level, configuring automatic Key Vault and key provisioning so encryption is enforced transparently without manual developer configuration steps."
+      isCorrect: false
+      explanation: "DeployIfNotExists with automatic Key Vault provisioning still adds 15-20 minutes regardless of automation, and may create cost concerns with numerous test Key Vaults. Exemptions eliminate protection during development when data leaks often occur through experiment artifacts, creating unnecessary risk that staged enforcement avoids."
+    - content: "Assign the policy with Audit effect to development subscriptions and Deny effect to production subscriptions, allowing developers to experiment freely while enforcing strict encryption controls before production deployment."
+      isCorrect: true
+      explanation: "Different policy effects for different environments balance security with productivity—Audit provides visibility in development without blocking work, while Deny enforces compliance in production where customer data risk is highest."
+    - content: "Create a policy exemption for all development workspaces to eliminate the encryption requirement during experimentation, then require manual security review and encryption enablement before promoting workspaces to production."
+      isCorrect: false
+      explanation: "DeployIfNotExists with automatic Key Vault provisioning still adds 15-20 minutes regardless of automation, and may create cost concerns with numerous test Key Vaults. Exemptions eliminate protection during development when data leaks often occur through experiment artifacts, creating unnecessary risk that staged enforcement avoids."
+  - content: "Your compliance team asks for a report showing which customer records influenced predictions made by your fraud detection model during August 2024. You need to provide this audit trail within 48 hours. Which Microsoft Purview capability enables you to meet this requirement efficiently?"
+    choices:
+    - content: "Use Purview's data lineage viewer to trace the model's inference endpoint back through registered model versions to the specific training dataset version used during August retraining, then query that dataset's lineage to identify source customer records."
+      isCorrect: true
+      explanation: "Purview lineage automatically captures version-specific relationships between inference endpoints, models, training datasets, and source records, letting you trace backwards from predictions to input data within minutes rather than days."
+    - content: "Generate a Purview Data Catalog export showing all assets classified as **Confidential - Customer Data** and manually filter by creation dates in August, assuming these represent the records used for model training that month."
+      isCorrect: false
+      explanation: "Catalog exports show asset inventory but not data flow relationships, requiring manual correlation that takes days and introduces human error. Audit logs capture execution events but not data lineage—knowing a training job ran doesn't reveal which specific records it consumed without querying lineage metadata."
+    - content: "Configure Purview audit logs to track all Azure Machine Learning training job executions during August, then contact data scientists to manually document which customer records they included in training datasets for that period."
+      isCorrect: false
+      explanation: "Catalog exports show asset inventory but not data flow relationships, requiring manual correlation that takes days and introduces human error. Audit logs capture execution events but not data lineage—knowing a training job ran doesn't reveal which specific records it consumed without querying lineage metadata."

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/7-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.apply-governance-controls-ai-ready-workloads.summary
+title: "Summary"
+metadata:
+  title: "Summary"
+  description: "Summary."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/includes/1-introduction.md

@@ -0,0 +1,23 @@
+Your organization deployed Azure OpenAI Service across three business units, each team spinning up models independently. Within weeks, your compliance officer discovers training datasets containing customer personal data scattered across storage accounts in five different regions—some outside approved jurisdictions. Meanwhile, your security team can't answer an Audit (Standard) question: which production applications consume which AI models, and who approved those connections?
+
+This scenario reflects a common challenge as organizations scale AI workloads. Without governance controls, AI infrastructure becomes a compliance uncertainty. Training datasets multiply across environments without classification. Model deployments bypass network security policies. Data lineage remains invisible, making regulatory audits time-consuming and error-prone. As AI adoption accelerates, these gaps create measurable risk: organizations face potential regulatory fines, data breaches exposing sensitive training data, and operational overhead managing access controls across hundreds of AI resources.
+
+Microsoft Purview and Azure Policy provide a unified governance framework that addresses these challenges head-on. Purview automatically discovers AI assets across your Azure environment, classifies sensitive data, and traces lineage from source datasets through model training to inference endpoints. Azure Policy enforces guardrails that prevent noncompliant deployments before they reach production. Together, these services transform AI governance from reactive firefighting into proactive risk management.
+
+In this module, you implement governance controls for a multi-region AI deployment. You configure Purview to discover and classify Azure OpenAI Service and Azure Machine Learning resources, deploy policy guardrails that enforce data residency and encryption requirements, establish data lineage tracking for training pipelines, and monitor compliance using audit logs and reports. By the end, you have a repeatable framework for governing AI infrastructure that reduces compliance risk while enabling innovation.
+
+## Learning objectives
+
+By the end of this module, you're able to:
+
+- Configure Microsoft Purview to discover and classify AI infrastructure assets
+- Implement Azure Policy guardrails for AI resource provisioning and management
+- Establish data lineage tracking for AI training datasets and model outputs
+- Monitor AI workload compliance using Microsoft Purview audit logs and reports
+- Design access controls that protect AI models and sensitive training data
+
+## Prerequisites
+
+- Familiarity with Azure fundamentals and resource management
+- Basic understanding of AI and machine learning concepts
+- Experience with Microsoft Entra ID (formerly Azure Active Directory) for identity management

learn-pr/wwl-azure/apply-governance-controls-ai-ready-workloads/includes/2-discover-classify-ai-infrastructure-assets.md

@@ -0,0 +1,34 @@
+Before you can govern AI infrastructure, you need visibility into what exists across your Azure environment. Consider a scenario where your data science teams have deployed Azure OpenAI Service instances, Azure Machine Learning workspaces, and storage accounts for training datasets across multiple subscriptions. Without a centralized catalog, your governance team can't answer fundamental questions: How many AI models are running in production? Which datasets contain regulated data? Who owns each resource?
+
+Microsoft Purview Data Map solves this discovery challenge by automatically scanning your Azure subscriptions and cataloging AI resources. Unlike manual inventory spreadsheets that become outdated within days, Purview maintains a real-time catalog that reflects your actual environment. The Data Map discovers four critical categories of AI assets: Azure OpenAI Service deployments, Azure Machine Learning models and endpoints, training datasets in storage accounts, and inference pipelines. Each discovered asset appears in Purview's unified catalog with metadata including resource location, creation date, and ownership information.
+
+## Automated discovery process
+
+Purview's discovery engine integrates with Azure Resource Graph to enumerate AI resources across subscriptions you specify during setup. When you register an Azure subscription as a data source in Purview, the scanner queries Resource Graph APIs to identify Azure OpenAI Service instances, Azure Machine Learning workspaces, and storage accounts tagged for AI workloads. This automated approach eliminates the manual effort of tracking resources across environments. The scanner runs on a schedule you configure—typically daily for production environments—ensuring your catalog stays current as teams deploy new models or decommission old ones.
+
+Once discovered, each asset requires classification to support governance decisions. With this foundation of discovery in place, you need a systematic approach to categorizing the sensitivity of your AI resources and the data they process.
+
+## Classification schemas and sensitivity labeling
+
+Purview applies classification rules to AI assets using built-in and custom schemas that identify sensitive data patterns. For training datasets stored in Azure Data Lake Storage or Blob Storage, Purview's automated classification engine scans file contents looking for patterns that match regulatory categories: credit card numbers, social security identifiers, healthcare records, or personal data. When the classifier detects sensitive patterns, it applies appropriate labels automatically—eliminating the manual review burden that slows governance initiatives.
+
+Building on automated classification, you can integrate information protection sensitivity labels that propagate throughout the AI lifecycle. Suppose your organization defines a "Confidential - Customer Data" label for datasets containing personal data. When Purview classifies a training dataset with this label, the protection follows the data through transformation pipelines. The Azure Machine Learning model trained on that dataset inherits the sensitivity label, as does the inference endpoint that serves predictions. This cascading protection ensures governance controls remain consistent from source data to production deployment.
+
+At the same time, you maintain flexibility for AI assets that require manual classification decisions. Custom classification rules let you define business-specific patterns—for example, identifying proprietary product designs or internal financial forecasts in training data. You create these rules using regular expressions or keyword matching, then assign them to scan policies that target specific storage accounts or resource groups. This becomes especially important when your organization's data sensitivity extends beyond regulatory categories into competitive intellectual property.
+
+:::image type="content" source="../media/confidential-sensitivity-label-applied-train-dataset.png" alt-text="Diagram showing how a Confidential sensitivity label applied to a training dataset automatically propagates to derived models during training.":::
+
+## Integration with governance workflows
+
+The classified asset catalog becomes the foundation for downstream governance capabilities. With assets discovered and labeled, you can enforce access controls based on sensitivity. For example, your policy might restrict "Highly Confidential" AI models to private network access only, preventing public internet exposure. Purview's integration with Azure role-based access control (RBAC) lets you map sensitivity labels to permission requirements: data scientists can read training datasets labeled "Internal Use Only," while only designated model reviewers can access "Confidential" model artifacts.
+
+Consider what happens when a new data scientist joins your team. Without Purview classification, they might accidentally use a dataset containing customer personal data for an experimental model, creating compliance risk. With classification in place, the dataset's "Confidential" label triggers an approval workflow before granting access. The data scientist submits a justification, their manager approves, and Purview logs the decision for audit purposes. This automated governance reduces security team workload by 40-60% compared to manual access request processing.
+
+Now that you understand how Purview discovers and classifies AI assets, you're ready to explore how Azure Policy enforces guardrails that prevent noncompliant deployments before they reach production. The combination of asset visibility and proactive policy enforcement creates a defense-in-depth governance strategy.
+
+:::image type="content" source="../media/microsoft-purview-data-map.png" alt-text="Diagram showing Azure subscriptions feeding into Microsoft Purview Data Map through Azure Resource Graph.":::
+
+*Microsoft Purview Data Map discovering and cataloging AI assets across Azure environments with automated classification and sensitivity labeling*
+
+
+