3.3 Prompt Governance and Controls
Key Takeaways
- Prompt governance defines organizational policies for approved Copilot use cases, prohibited data in prompts, and monitoring through Microsoft Purview.
- Users can save, share, schedule, and delete prompts — promoting team consistency without replacing admin-level governance controls.
- Prompt logging captures user prompts and Copilot responses in Purview audit logs for compliance investigation and retention.
- Microsoft Purview AI Hub centralizes visibility into AI-generated content and interactions across Microsoft 365 Copilot.
- Communication Compliance can review Copilot prompts and responses for harassment, discriminatory language, and sensitive data sharing.
Quick Answer: Prompt governance combines user-facing prompt management (save, share, schedule, delete) with admin controls through Microsoft Purview — prompt logging in audit logs, AI Hub visibility, and Communication Compliance policies that review Copilot interactions for policy violations.
Why Prompt Governance Appears on AB-900
Copilot turns natural-language prompts into actions over organizational data. Without governance, employees may paste credentials, PII, trade secrets, or regulated data into chat. AB-900 sits at the intersection of Domain 2 (Purview governance) and Domain 3 (Copilot administration). Prompt questions test user capabilities, compliance tooling, and the difference between personal prompt libraries and enterprise audit capture.
User Prompt Management Capabilities
End users — not just admins — manage prompts within Copilot experiences:
| User Action | Purpose |
|---|---|
| Save | Store effective prompts for personal reuse |
| Share | Distribute proven prompts to colleagues or teams |
| Schedule | Run prompts on a recurring basis |
| Delete | Remove outdated or sensitive prompt templates |
These capabilities promote consistency and reuse of high-quality instructions across a team. Sharing a well-crafted quarterly-report prompt reduces duplicated effort and improves output quality. They do not replace organizational governance — users can still share prompts that violate policy if admin controls are absent.
On the Exam: "Which prompt management actions can users perform?" → Saving, sharing, scheduling, and deleting prompts. Distractors about sensitivity labels, conditional access, or network encryption are wrong — prompts are instructions, not identity policies.
Organizational Prompt Governance
Administrators and compliance teams define prompt governance policies covering:
- Approved use cases — summarizing meetings yes; generating fake invoices no
- Prohibited content in prompts — passwords, API keys, customer SSNs, unreleased financials
- Monitoring and enforcement — Purview audit, Communication Compliance, AI Hub
- Training and prompt libraries — curated, approved templates for common workflows
Prompt governance connects to Microsoft's Responsible AI principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. Admins apply these when deploying Copilot org-wide.
Prompt Logging (Compliance Context)
Prompt logging in governance means the capture of user-submitted prompts and Copilot responses in Microsoft Purview audit logs — not the user's personal Copilot conversation history visible in the app UI.
| Aspect | Detail |
|---|---|
| What is logged | Copilot interaction events — prompts and responses |
| Where to search | Microsoft Purview Audit (Audit Search) |
| Retention | Standard audit: 180 days; Premium: 1 year default, up to 10 years with add-on |
| Who uses it | Compliance admins, eDiscovery, forensic investigation |
Purview Audit (Premium) extends retention and adds intelligent insights for high-value events including Copilot interactions.
Microsoft Purview AI Hub
Microsoft Purview AI Hub is a dedicated compliance workspace that centralizes visibility into AI-generated content and interactions across Microsoft 365 Copilot. Compliance teams use AI Hub to:
- Review prompts and responses flagged for investigation
- Identify policy violations across AI activity
- Govern AI usage from a single location rather than scattered workload logs
AI Hub is a compliance visibility tool. It is not the Copilot Dashboard in Viva Insights (adoption/sentiment) and not Copilot Analytics (usage metrics).
Communication Compliance and Copilot
Microsoft Purview Communication Compliance policies can capture and review Copilot prompts and responses to detect:
- Harassment or threatening language
- Discriminatory content
- Financial regulatory breaches
- Inadvertent sharing of sensitive information types (SSNs, credit cards, health data)
Machine learning classifiers and keyword policies flag content for human reviewer investigation. License assignment anomalies, by contrast, are tracked through M365 admin center billing — not Communication Compliance.
Admin Controls Beyond Purview
Copilot administrators also govern prompts indirectly through:
- Web grounding toggle — limits whether external web data enters the prompt context
- Integrated apps — controls which plugins and connectors extend Copilot actions
- DLP policies — can block or warn when sensitive info types appear in Copilot interactions across Exchange, SharePoint, Teams, and Copilot surfaces
- Sensitivity labels — Copilot respects label policies when generating or referencing content
Worked Scenario: Regulated Industry Prompt Policy
A healthcare organization deploys Copilot. The compliance officer requires:
- Prompt logging enabled via Purview Audit Premium for one-year retention
- Communication Compliance policy scanning Copilot interactions for PHI patterns
- DLP blocking pasting of patient identifiers into Copilot chat
- Web grounding disabled so responses stay within governed tenant data
- Approved prompt library published internally for clinical documentation summaries
The administrator configures org settings and Purview policies; end users consume the shared prompt library. Adoption monitoring confirms usage stays within approved workflows.
Distinguishing Prompt Concepts
| Term | Meaning |
|---|---|
| Prompt management (user) | Save, share, schedule, delete personal/team prompts |
| Prompt governance (org) | Policies, approved use cases, prohibited data types |
| Prompt logging (compliance) | Audit log capture of prompts/responses |
| Grounding | Enriching LLM context with organizational data from Graph — separate from logging |
Common Exam Traps
| Trap | Reality |
|---|---|
| Personal chat history = prompt logging | Logging means audit log capture for compliance |
| AI Hub = adoption dashboard | AI Hub is compliance visibility for AI content |
| Sharing prompts encrypts email | Sharing promotes reuse, not encryption |
| Prompts are conditional access policies | Prompts are Copilot instructions, not Entra policies |
Insider Risk and Copilot Usage Patterns
Microsoft Purview Insider Risk Management can incorporate signals from risky Copilot usage patterns — such as an employee querying unusually broad sensitive content — alongside traditional exfiltration indicators. While prompt governance policies define acceptable behavior upfront, Insider Risk provides detective controls after the fact. AB-900 may present a scenario where both preventive DLP and detective Insider Risk are needed; choose the tool that matches the stem's timing (block vs investigate).
Which prompt management actions can users perform with Copilot prompts?
What does 'prompt logging' mean in Microsoft 365 Copilot governance?
What is the primary purpose of Microsoft Purview AI Hub?
What is the benefit of saving and sharing effective Copilot prompts within a team?