Insider Risk and Communication Compliance
Key Takeaways
- Insider Risk Management (IRM) uses behavioral analytics and signals — including unusual Microsoft 365 Copilot retrieval patterns — to score users who may exfiltrate data or violate policy.
- IRM flags risk and may trigger Adaptive Protection; it does not automatically revoke Copilot licenses or permanently block access.
- Communication Compliance monitors email, Teams, and Copilot prompts/responses for harassment, threats, regulatory language violations, and sensitive data sharing.
- Microsoft Purview AI Hub centralizes compliance review of AI interactions; Communication Compliance is the policy engine that detects violations within those interactions.
- eDiscovery searches and exports content for legal matters; Communication Compliance proactively detects ongoing policy violations — different jobs on the exam.
Quick Answer: Insider Risk Management (IRM) scores risky user behavior using signals that can include unusual Copilot data retrieval. Communication Compliance reviews Copilot prompts and responses for harassment, regulatory violations, and sensitive data sharing. AI Hub centralizes AI compliance review.
Why These Tools Matter for Copilot
Generative AI changes insider threat patterns. An employee can exfiltrate intellectual property by asking Copilot to "summarize all merger documents I can access" instead of downloading files to a USB drive. AB-900 tests whether you know which Purview solution detects that behavior versus which solution reviews the actual prompt text for harassment or regulatory breaches.
Insider Risk Management (IRM)
Insider Risk Management is a Microsoft Purview solution that identifies potentially risky insider activity using analytics across Microsoft 365 signals:
- Unusual downloads or SharePoint access spikes.
- Use of personal email to send corporate attachments.
- Microsoft 365 Copilot activity — abnormal volumes of sensitive queries or broad data retrieval patterns.
- Security policy violations and HR-triggered events (resignation, performance improvement).
IRM builds user risk scores and surfaces cases for investigation by compliance or security teams. It is predictive and behavioral — not a real-time content filter.
What IRM Does NOT Do (Exam Traps)
| Wrong answer pattern | Reality |
|---|---|
| Automatically revokes Copilot licenses | Admins remediate manually after investigation |
| Permanently blocks Copilot for risky users | Adaptive Protection may tighten DLP; blocking requires separate action |
| Reports usage to external regulators | Internal compliance workflow only |
| Replaces DLP | Complements DLP via Adaptive Protection |
On the Exam: Copilot activity is a signal feeding risk scores — not an automatic enforcement hammer.
IRM Policy Templates and Triggers
IRM ships policy templates aligned to scenarios AB-900 references:
| Template focus | Example trigger |
|---|---|
| Data theft by departing users | Spike in downloads + resignation date |
| Data leaks | Sensitive data sent to external recipients |
| Security policy violations | Repeated DLP overrides |
| Risky AI usage | Copilot queries retrieving unusual sensitive content volumes |
Administrators scope policies to users, groups, or adaptive scopes, then assign priority content (crown-jewel SharePoint sites) for heightened monitoring.
Communication Compliance
Communication Compliance monitors communications content — including Microsoft 365 Copilot prompts and responses — against organizational policies. It uses:
- Keyword and phrase policies — match prohibited language.
- Trainable classifiers — detect bullying, discrimination, or threats.
- Sensitive information types — flag PCI or PHI shared in Copilot chat.
- Regulatory compliance templates — financial services language indicative of market manipulation or insider trading.
Flagged items land in a reviewer queue where compliance officers assess severity, escalate, or dismiss false positives.
Copilot-Specific Detection Examples
Communication Compliance can capture interactions where a user:
- Pastes credentials or API keys into a Copilot prompt.
- Uses harassing language in Teams Copilot chat.
- Requests help drafting content that violates financial conduct rules.
This is content inspection — distinct from IRM's behavioral scoring. A user might score low risk behaviorally but still trigger Communication Compliance with one egregious prompt.
AI Hub vs Communication Compliance vs IRM
| Tool | Primary question it answers |
|---|---|
| AI Hub | "What is happening across our AI tools in one compliance workspace?" |
| Communication Compliance | "Did this prompt or response violate our communication policies?" |
| Insider Risk Management | "Is this user's overall behavior pattern risky over time?" |
| eDiscovery | "Preserve and export content for legal investigation?" |
Microsoft Purview AI Hub is the centralized compliance workspace for governing AI-generated content and interactions across Microsoft 365 Copilot. It gives compliance officers visibility to review prompts, responses, and policy violations in one place. Communication Compliance supplies many of the underlying detection policies; AI Hub aggregates the compliance story for AI.
Common Trap: Viva Insights Copilot Dashboard shows adoption and sentiment — not DLP violations or regulatory prompt review. Purview Audit stores forensic logs — AI Hub is the officer's operational workspace.
Adaptive Protection Bridge
When IRM elevates a user's risk level, Adaptive Protection can automatically enforce stricter DLP actions for that individual. Copilot retrieval spikes might raise risk → DLP blocks additional sensitive exports → investigator reviews IRM case. Know the chain: IRM signal → risk score → Adaptive Protection → tighter DLP.
Worked Scenario: Departing Employee
A product manager submits resignation. HR adds a resignation date to the HR connector (where licensed). IRM's departing-user policy detects:
- 300% increase in SharePoint downloads over seven days.
- Copilot queries summarizing "all roadmap documents for Product X."
- Emails with attachments to a personal Gmail address.
The correct admin interpretation for AB-900: IRM surfaces a case for investigation. The admin should not assume IRM already revoked Copilot. Next steps might include legal hold, DLP block, or account suspension — manual actions.
Separately, if the employee's Copilot prompt contained discriminatory language, Communication Compliance — not IRM — flags that content for reviewers.
Privacy and Licensing Notes
IRM and Communication Compliance require appropriate Microsoft 365 E5 Compliance (or equivalent) licensing. AB-900 may reference E5 vs E3 at a high level: E3 lacks several advanced compliance analytics needed for comprehensive Copilot governance.
Privacy officers should know IRM uses pseudonymization options and role-based access so investigators see only what their role permits.
Study Checklist
- Explain how IRM uses Copilot activity as a behavioral signal.
- List content types Communication Compliance monitors, including Copilot.
- Contrast AI Hub, Communication Compliance, IRM, and eDiscovery.
- Describe the IRM → Adaptive Protection → DLP chain.
- Identify what IRM does not automatically do to Copilot access.
How does Microsoft Purview Insider Risk Management use Copilot activity signals?
What can Communication Compliance policies detect in Microsoft 365 Copilot interactions?
Which Microsoft Purview feature provides a centralized workspace for compliance officers to review and govern Copilot AI interactions?