3.3 Prompt Governance and Controls

Key Takeaways

  • Prompt governance defines organizational policies for approved Copilot use cases, prohibited data in prompts, and monitoring through Microsoft Purview.
  • Users can save, share, schedule, and delete prompts — promoting team consistency without replacing admin-level governance controls.
  • Prompt logging captures user prompts and Copilot responses in Purview audit logs for compliance investigation and retention.
  • Microsoft Purview AI Hub centralizes visibility into AI-generated content and interactions across Microsoft 365 Copilot.
  • Communication Compliance can review Copilot prompts and responses for harassment, discriminatory language, and sensitive data sharing.
Last updated: July 2026

Quick Answer: Prompt governance combines user-facing prompt management (save, share, schedule, delete) with admin controls through Microsoft Purview — prompt logging in audit logs, AI Hub visibility, and Communication Compliance policies that review Copilot interactions for policy violations.

Why Prompt Governance Appears on AB-900

Copilot turns natural-language prompts into actions over organizational data. Without governance, employees may paste credentials, PII, trade secrets, or regulated data into chat. AB-900 sits at the intersection of Domain 2 (Purview governance) and Domain 3 (Copilot administration). Prompt questions test user capabilities, compliance tooling, and the difference between personal prompt libraries and enterprise audit capture.

User Prompt Management Capabilities

End users — not just admins — manage prompts within Copilot experiences:

User ActionPurpose
SaveStore effective prompts for personal reuse
ShareDistribute proven prompts to colleagues or teams
ScheduleRun prompts on a recurring basis
DeleteRemove outdated or sensitive prompt templates

These capabilities promote consistency and reuse of high-quality instructions across a team. Sharing a well-crafted quarterly-report prompt reduces duplicated effort and improves output quality. They do not replace organizational governance — users can still share prompts that violate policy if admin controls are absent.

On the Exam: "Which prompt management actions can users perform?"Saving, sharing, scheduling, and deleting prompts. Distractors about sensitivity labels, conditional access, or network encryption are wrong — prompts are instructions, not identity policies.

Organizational Prompt Governance

Administrators and compliance teams define prompt governance policies covering:

  1. Approved use cases — summarizing meetings yes; generating fake invoices no
  2. Prohibited content in prompts — passwords, API keys, customer SSNs, unreleased financials
  3. Monitoring and enforcement — Purview audit, Communication Compliance, AI Hub
  4. Training and prompt libraries — curated, approved templates for common workflows

Prompt governance connects to Microsoft's Responsible AI principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. Admins apply these when deploying Copilot org-wide.

Prompt Logging (Compliance Context)

Prompt logging in governance means the capture of user-submitted prompts and Copilot responses in Microsoft Purview audit logs — not the user's personal Copilot conversation history visible in the app UI.

AspectDetail
What is loggedCopilot interaction events — prompts and responses
Where to searchMicrosoft Purview Audit (Audit Search)
RetentionStandard audit: 180 days; Premium: 1 year default, up to 10 years with add-on
Who uses itCompliance admins, eDiscovery, forensic investigation

Purview Audit (Premium) extends retention and adds intelligent insights for high-value events including Copilot interactions.

Microsoft Purview AI Hub

Microsoft Purview AI Hub is a dedicated compliance workspace that centralizes visibility into AI-generated content and interactions across Microsoft 365 Copilot. Compliance teams use AI Hub to:

  • Review prompts and responses flagged for investigation
  • Identify policy violations across AI activity
  • Govern AI usage from a single location rather than scattered workload logs

AI Hub is a compliance visibility tool. It is not the Copilot Dashboard in Viva Insights (adoption/sentiment) and not Copilot Analytics (usage metrics).

Communication Compliance and Copilot

Microsoft Purview Communication Compliance policies can capture and review Copilot prompts and responses to detect:

  • Harassment or threatening language
  • Discriminatory content
  • Financial regulatory breaches
  • Inadvertent sharing of sensitive information types (SSNs, credit cards, health data)

Machine learning classifiers and keyword policies flag content for human reviewer investigation. License assignment anomalies, by contrast, are tracked through M365 admin center billing — not Communication Compliance.

Admin Controls Beyond Purview

Copilot administrators also govern prompts indirectly through:

  • Web grounding toggle — limits whether external web data enters the prompt context
  • Integrated apps — controls which plugins and connectors extend Copilot actions
  • DLP policies — can block or warn when sensitive info types appear in Copilot interactions across Exchange, SharePoint, Teams, and Copilot surfaces
  • Sensitivity labels — Copilot respects label policies when generating or referencing content

Worked Scenario: Regulated Industry Prompt Policy

A healthcare organization deploys Copilot. The compliance officer requires:

  1. Prompt logging enabled via Purview Audit Premium for one-year retention
  2. Communication Compliance policy scanning Copilot interactions for PHI patterns
  3. DLP blocking pasting of patient identifiers into Copilot chat
  4. Web grounding disabled so responses stay within governed tenant data
  5. Approved prompt library published internally for clinical documentation summaries

The administrator configures org settings and Purview policies; end users consume the shared prompt library. Adoption monitoring confirms usage stays within approved workflows.

Distinguishing Prompt Concepts

TermMeaning
Prompt management (user)Save, share, schedule, delete personal/team prompts
Prompt governance (org)Policies, approved use cases, prohibited data types
Prompt logging (compliance)Audit log capture of prompts/responses
GroundingEnriching LLM context with organizational data from Graph — separate from logging

Common Exam Traps

TrapReality
Personal chat history = prompt loggingLogging means audit log capture for compliance
AI Hub = adoption dashboardAI Hub is compliance visibility for AI content
Sharing prompts encrypts emailSharing promotes reuse, not encryption
Prompts are conditional access policiesPrompts are Copilot instructions, not Entra policies

Insider Risk and Copilot Usage Patterns

Microsoft Purview Insider Risk Management can incorporate signals from risky Copilot usage patterns — such as an employee querying unusually broad sensitive content — alongside traditional exfiltration indicators. While prompt governance policies define acceptable behavior upfront, Insider Risk provides detective controls after the fact. AB-900 may present a scenario where both preventive DLP and detective Insider Risk are needed; choose the tool that matches the stem's timing (block vs investigate).

Test Your Knowledge

Which prompt management actions can users perform with Copilot prompts?

A
B
C
D
Test Your Knowledge

What does 'prompt logging' mean in Microsoft 365 Copilot governance?

A
B
C
D
Test Your Knowledge

What is the primary purpose of Microsoft Purview AI Hub?

A
B
C
D
Test Your Knowledge

What is the benefit of saving and sharing effective Copilot prompts within a team?

A
B
C
D