DSPM for AI - Part 2: Data Risk Assessment
Deploying sensitivity labels, DLP, and retention is a strong start — but it doesn’t answer the bigger question: where is your sensitive data actually stored, and how is it being shared?
That’s where Data Risk Assessment in DSPM for AI comes in. It gives you visibility into oversharing, unlabeled files, and high-risk sites, so you can close the gaps before Copilot makes use of them.
Real-world scenario: HR file in the wrong place
An HR document containing employee PII is accidentally stored in a Team that’s open to “Everyone in the organization.”
- The risk: If Copilot queries that Team, sensitive HR data could be surfaced in a prompt response.
- How DSPM helps: The Data Risk Assessment flags the oversharing, shows the affected site, and allows IT to remediate access or apply the correct sensitivity label.
Running a Data Risk Assessment
Here’s how to enable and use the default assessment:
- Go to the Microsoft Purview portal → Solutions → DSPM for AI → Risk Assessment
- Enable the assessment (runtime up to 72 hours for first scan)
- Results are updated weekly, based on the top 100 most active SharePoint sites (30-day lookback limit)
- View findings in the portal or export for review

What the results show
The assessment gives you an overview of:
- Total items scanned
- How many items are labeled
- Sharing patterns (Anyone, Internal, Specific People, External)
- A list of SharePoint sites involved
This summary gives you a quick understanding of how well your environment is aligned with your sensitivity labeling and DLP strategy.
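As an added example (not part of the original post and not Microsoft tooling), this Python script ranks sites from an exported result set using the dimensions listed above: labeled versus total items and the four sharing patterns. The column names, thresholds, and sample rows are assumptions constructed for illustration; map them to the columns in your own export.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example,
# not the Purview export schema; map them to the columns in your own export.
SAMPLE_EXPORT = """site,total_items,labeled_items,anyone,internal,specific_people,external
https://contoso.example/sites/HR,1200,300,4,850,40,6
https://contoso.example/sites/Finance,900,810,0,20,300,2
https://contoso.example/sites/Marketing,5000,500,120,3000,50,400
https://contoso.example/sites/Legal,400,400,0,0,25,0
https://contoso.example/sites/Archive,0,0,0,0,0,0
"""

def triage(export_text, max_unlabeled=0.5, max_internal=0.5):
    """Return flagged sites, most urgent first, with the reasons for each."""
    flagged = []
    for row in csv.DictReader(io.StringIO(export_text)):
        total = int(row["total_items"])
        if total == 0:  # nothing scanned yet, so no ratio can be computed
            continue
        unlabeled = total - int(row["labeled_items"])
        anyone, external = int(row["anyone"]), int(row["external"])
        internal = int(row["internal"])
        reasons = []
        if unlabeled / total > max_unlabeled:
            reasons.append(f"{unlabeled / total:.0%} of items unlabeled")
        if anyone:
            reasons.append(f"{anyone} items shared with Anyone")
        if external:
            reasons.append(f"{external} items shared externally")
        if internal / total > max_internal:
            reasons.append(f"{internal / total:.0%} of items shared internally")
        if reasons:
            flagged.append({"site": row["site"], "unlabeled": unlabeled,
                            "reasons": reasons})
    # More independent findings first, then the larger unlabeled backlog.
    flagged.sort(key=lambda f: (-len(f["reasons"]), -f["unlabeled"]))
    return flagged

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding["site"], "->", "; ".join(finding["reasons"]))
```

Sites with no findings (fully labeled, shared only with specific people) and sites with nothing scanned are left out of the result, so the output is a remediation queue rather than a full inventory.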

Site-level details
When you expand a specific site in the Data Risk Assessment, DSPM for AI provides detailed information and remediation options across four panes:
Overview
Shows the same results as the general assessment, but scoped to the selected site.
- Useful for validating whether the risks are concentrated or spread out

Identify
Use On-demand classification to scan for sensitive information types or custom classifiers.
- Note: This is a pay-as-you-go feature. It identifies sensitive data but does not apply labels.
- Helpful if you need to understand newly created data types or business-specific classifications.

On-demand classification scans allow you to classify data at rest — outside of the normal flow where classification only happens on new or modified items.
This is particularly useful when you introduce new classifiers or sensitive information types that need to be applied retroactively to existing data, without waiting for the standard labeling workflow.
The scan provides an estimate so you know the approximate cost upfront.

Protect
Provides options to secure the data in the site:
- Restrict Copilot access by sensitivity label (recommended)
- Restrict all items (not recommended, only blocks indexing)
- Apply a default sensitivity label for a document library (e.g., HR site = Confidential)
- Apply a default label per user, so that every user has a specific label assigned by default when they open a document.
- Enable auto-labeling policies (requires Purview Content Explorer/Viewer permissions)
- Apply a SharePoint site sensitivity label (controls site access, not file content)
- Review unused files and apply retention policies

Monitor
Allows you to monitor and review access to the site:
- Start a SharePoint site access review
- Or run an access review through Entra ID for broader control

Wrap-up
Data Risk Assessments move DSPM for AI from policy setup to visibility. They show you where sensitive data is overshared, unlabeled, or exposed — and provide clear options for remediation.
With this in place, you’re not just assuming your data is protected — you have evidence and insights to back it up.