Updated: October 2, 2025
CTO Talk: Compliance in the World of AI: Are You Ready?
By Barry Briggs
Compliance covers an ever-increasing, absolutely mandatory spectrum of activities, processes, and technologies with which your enterprise must concern itself.
The Compliance Imperative
Why compliance? Well, to start with, the penalties for noncompliance today can be severe. Just to note a few:
- Violations of the General Data Protection Regulation (GDPR) can mount as high as 4% of your company’s annual revenue. (Yes, GDPR is a European regulation, but if you do business in Europe, then you’re affected. And many countries and US states have followed suit with similar regulations.) Just ask Meta, hit with a €1.2b fine in 2023.
- Violations of the CAN-SPAM Act, which regulates unwanted email (all those opt-out and unsubscribe links you see at the bottom of marketing emails are there in response to CAN-SPAM), can reach over $50,000 per email.
- Violations of federal banking laws, such as anti-money laundering (AML) monitoring, have resulted in fines in the billions of dollars.
Fact: Compliance Has to Compete
Today’s CIO has to juggle numerous competing priorities, from adopting disruptive technologies like AI, to cybersecurity, maintenance (usually a huge and necessary part of any IT budget), technical debt, incremental feature improvements (like those in Power BI) and so on. Increasingly, however, regulatory compliance plays a role in every single IT expenditure and priority.
As AI becomes a key and pervasive mandate through nearly every enterprise, it opens up huge new risk areas for the compliance professional.
AI Changes Everything: Or Does It?
Recently I spoke with a senior compliance manager in one of the world’s top consulting organizations. When I asked how AI changes his job, his answer surprised me. “At one level,” he said, “AI changes nothing.”

He explained that the basic principles of compliance haven’t changed. Organizations must define a company-wide strategy for compliance by understanding which regulations and standards apply, who is accountable, and the tools and processes by which compliance will be assured; then continuously monitor activities to prevent intentional or inadvertent violations; and react to both internal activities (such as copying a sensitive file to a USB stick) and external requests (such as eDiscovery or a GDPR Subject Rights Request).
He went on to say, however, that AI increases the surface area that the compliance professional must manage and oversee. It’s certainly possible for individuals to use AI for (for example):
- Asking Copilot investment advice – and possibly (intentionally or not), pursuing insider trading;
- Finding inadequately protected sensitive data and exfiltrating it;
- Instigating discriminatory hiring practices with biased AI screening;
- Infringing on copyrights and/or plagiarizing;
- Violating patient, user, or employee privacy;
And so on. Many of these can happen even with the best of intentions so it’s key to develop comprehensive training and processes and use technologies to prevent them.
That’s where Microsoft Purview comes in.
Is Purview a Compliance Panacea?
Purview is Microsoft’s umbrella brand for a variety of risk and compliance related services, grouped and shown below. But not even all these varied capabilities suffice for the compliance professional.

There are two reasons Purview alone isn’t enough:
- You’ll need more than just Microsoft Purview services for compliance: you’ll need Entra, to manage user identities and access; Defender, for security incident management; Priva, for privacy management; and Azure services for roles and permissions. You might also need to access specific services via their own portal, such as Fabric, for application-specific, fine-grained controls.
- No doubt there are industry-specific regulations which apply to your organization for which you’ll need third-party tools. For example, banks and financial services institutions are required to maintain certain cash reserves; healthcare firms must have and maintain Business Associate Agreements (BAAs) with vendors; and so on.
Purview’s Expanded Purview Means You Need E5
All that said, Microsoft has made tremendous investments in Purview over the past few years; its capabilities have grown significantly and there’s lots that both use and address AI in the enterprise. But – there’s an essential truth here – effective compliance at the enterprise level pretty much requires a Microsoft 365 E5 license. Microsoft’s advances and innovations come at a cost – and, sorry to say, you’ll probably need them.
Here are a few examples:
The Compliance Manager runs “assessments” against over 300 international regulations and provides a score and suggested actions for improvement. But E3 only assesses against a generic, Microsoft-supplied amalgam of various regulations – a sort of least common denominator. If you want assessments against specific regulations – like PCI-DSS or the EU’s AI Act, or any others – you’ll need E5.
Information Protection, aka data classification, lets you assign labels to your content – a foundational part of data governance. But if you need to do it at scale – and who doesn’t – across SharePoint libraries, or by using AI to classify, you’ll need E5. Similar restrictions apply to classification’s cousin, Data Lifecycle Management, which provides data retention capabilities. (Pro tip: remember that classification and retention are separate services.)
Similarly, Purview’s eDiscovery service offers features like reconstructing Teams conversations and accessing Microsoft 365 Copilot interactions – only in E5. Core features are offered in E3: but make sure your legal and compliance teams think they’re sufficient. They’re probably not.
Insider Risk Management – only available in E5 – helps organizations detect risky behavior, be it malicious or unintentional, such as IP theft or regulatory violations.
However, one piece of good news is that Purview’s new Data Security Posture Management (DSPM) for AI is available in lower tiers of Purview.

Think of DSPM for AI as a dashboard consolidating information from across the organization. You can use it to monitor AI usage, including with third party sites like ChatGPT and Claude; to see where sensitive data was accessed by AI tools; and to see where “risky” chats might be happening. It’s useful – and commendable – that this is available to non-E5 organizations.
Gotchas and Other Things to Know
While, as we’ve said, the principles of compliance haven’t changed, AI expands the surface area that compliance managers and tools have to monitor. There are a few things you should remember:
- Purview’s services are impressive. But they’re next to useless unless your employees have been trained, both in the importance of compliance and in the necessity of using the tools.
- AI eats data everywhere it finds it. It’s vitally important to protect your data estate as I described in my data governance video.
- To get the most from Purview, you’ll need E5. But remember a key Directions on Microsoft maxim: everybody who benefits from an E5 license must have one.
- For many of its services, Purview scans Microsoft 365 data and makes decisions – whether content violates regulations, whether an activity suggests risky behavior, and so on. Beware, however, of false positives.
Finally, as I’ve noted, remember that Purview is only one of likely many tools you’ll use for compliance. (In a recent webinar, I polled the audience and found over half used five or more compliance technologies.)
Disagree? Think I should comply with shorter blogs? Drop me a line at bbriggs@directionsonmicrosoft.com!