io4 Technologies

Secure your data before Copilot: the new Purview DSPM, a how-to for SMBs

The new Microsoft Purview DSPM has been live since May 2026. How to use it to rein in oversharing before you roll out Copilot in an SMB.

By Jordane Dours, 2026-06-17

Before you turn Copilot on, fix the problem nobody is looking at: oversharing

Turning on Microsoft 365 Copilot takes five minutes. The catch is that Copilot inherits the user's permissions exactly — and reads everything that user is allowed to see, including what they should never see. In most of the estates we audit at io4, years of "quick" SharePoint shares, folders opened to "the whole organization," and forgotten public links have created massive oversharing that nobody noticed, because nobody was actively trying to exploit it. Copilot finds it in a single prompt.

That is exactly what the new DSPM (Data Security Posture Management) experience in Microsoft Purview is built to address — generally available worldwide since May 2026. Before you roll out Copilot in your SMB, this is the tool that tells you where your sensitive data lives, who can reach it, and what Copilot is likely to surface on day one.

Why Copilot turns oversharing into an immediate risk

Oversharing isn't new. What's new is how fast an AI assistant makes it exploitable. Before Copilot, a poorly shared payroll document was theoretically accessible, but you still had to know it existed and where it sat. With Copilot, an employee who asks "what are the leadership team's salaries?" gets the answer if the file is within their access scope — without ever opening SharePoint.

Microsoft puts it plainly: generative AI amplifies the oversharing problem because it proactively and instantly surfaces content that is stale, over-permissioned, or ungoverned. For a Québec SMB, the stakes are twofold: an operational risk (internal leak of HR, financial, or contractual information) and a Law 25 compliance risk, since overexposed personal information becomes readable by employees who have no reason to access it.

What the new DSPM experience changes

DSPM already existed, but as two separate tools: DSPM "classic" for traditional data, and DSPM for AI for AI apps. The new experience, announced in the message center under reference MC1191257 (roadmap 532728), unifies the two into a single console, with three concrete additions.

First, outcome-based security objectives: instead of a raw list of alerts, Purview offers guided journeys like "Prevent data exposure in Copilot" or "Prevent oversharing of sensitive data," turning a finding into a prioritized action plan.

Second, built-in Security Copilot agents that automate triage and policy management — useful for an SMB without a full-time dedicated security team. Finally, coverage that extends beyond Microsoft (third-party signals from partners like BigID, Cyera, OneTrust, Varonis) and an extension of risk assessments to Microsoft Fabric, with direct remediation actions.

The concrete weapon: the Data Risk Assessment

The genuinely useful core of DSPM for an SMB is the data risk assessment. Purview automatically runs a default assessment every week across the 100 most-used SharePoint sites in your tenant. The report shows you — with no long project or heavy configuration — which sites hold sensitive data, which files are overshared, and through which links.

Above all, it comes with bulk remediation: you can select multiple overexposed sharing links across your SharePoint sites at once and disable them in a single operation. In practical terms, that's what lets you move from "we know we have a problem" to "we've reduced the exposure surface" in one working session, rather than reviewing permissions file by file.

This is exactly the reflex we apply everywhere at io4, on Azure costs as much as on security posture: you only fix well what you've first measured. DSPM finally brings that measurement to the data side.

The sequence to follow before turning Copilot on

Rolling out Copilot properly isn't about turning it on and then watching. It's about framing the data first. The sequence we recommend to our SMB clients comes in four steps:

  • Measure: run DSPM and its risk assessment to map where sensitive data lives and where oversharing concentrates. Nothing else until that snapshot is taken.
  • Label: apply Purview sensitivity labels (Confidential, HR, Financial…) to the content you need to protect, so protections follow the file rather than the location.
  • Remediate: use bulk remediation to disable overshared links and close off "whole-organization" access on sensitive sites, before Copilot can reach them.
  • Deploy then monitor: enable Copilot on a controlled scope, and keep DSPM in continuous monitoring to catch new oversharing cases as they appear.
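
To make the Measure and Remediate steps concrete, here is an added example (not code from this article or from Microsoft Purview) that ranks broad sharing links in an exported inventory so the riskiest ones are disabled first. The permission entries follow the Microsoft Graph permission resource (link.scope of anonymous, organization or users); the inventory shape (site, path, label), the scoring weights and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Link scopes as defined on the Microsoft Graph "permission" resource (link.scope).
# Weights are an assumption: a public link outranks a whole-organization link.
BROAD_SCOPES = {"anonymous": 3, "organization": 2}
# Label names taken from the article's examples; replace with your own taxonomy.
SENSITIVE_LABELS = {"Confidential", "HR", "Financial"}

def overshared(items):
    """Return (site, path, scope, label, score) for every broad link, highest risk first."""
    findings = []
    for item in items:
        label = item.get("label")
        for perm in item.get("permissions", []):
            scope = (perm.get("link") or {}).get("scope")
            if scope not in BROAD_SCOPES:
                continue  # direct grants and "users"-scoped links are not flagged here
            score = BROAD_SCOPES[scope] * (2 if label in SENSITIVE_LABELS else 1)
            findings.append((item["site"], item["path"], scope, label, score))
    return sorted(findings, key=lambda f: (-f[4], f[0], f[1]))

def site_totals(findings):
    """Sum scores per site to decide where remediation starts."""
    totals = defaultdict(int)
    for site, _, _, _, score in findings:
        totals[site] += score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample inventory (not real tenant data).
SAMPLE = [
    {"site": "HR", "path": "/Payroll/salaries-2026.xlsx", "label": "HR",
     "permissions": [{"id": "p1", "roles": ["read"], "link": {"scope": "organization", "type": "view"}}]},
    {"site": "Finance", "path": "/Budget/forecast.xlsx", "label": "Financial",
     "permissions": [{"id": "p2", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}}]},
    {"site": "Marketing", "path": "/Brochure.pdf", "label": None,
     "permissions": [{"id": "p3", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}}]},
    {"site": "HR", "path": "/Policies/handbook.docx", "label": None,
     "permissions": [{"id": "p4", "roles": ["write"], "grantedToV2": {"user": {"displayName": "A. Example"}}},
                     {"id": "p5", "roles": ["read"], "link": {"scope": "users", "type": "view"}}]},
]

if __name__ == "__main__":
    found = overshared(SAMPLE)
    for row in found:
        print(row)
    print(site_totals(found))
```

Unlabelled files still appear in the ranking with a lower score, which is why the Label step comes before Remediate: without labels, a payroll file behind a public link scores the same as a brochure.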

A governance building block, not a magic licence

DSPM is a powerful visibility and remediation tool, but it replaces neither a Copilot usage policy nor real access governance. Sensitivity labels, SharePoint permission cleanup, and user training remain the underlying work. DSPM makes that work measurable and prioritizable — it doesn't do it for you.

On licensing, full access to DSPM for AI capabilities and advanced remediation relies on Microsoft Purview and, depending on the feature, on Microsoft 365 licensing prerequisites (often E5 or compliance add-ons). That's a point to validate against your actual estate before building the plan, not a detail to discover mid-course.

Bottom line: visibility before activation

The new Purview DSPM lands at the right time: for the first time, it gives SMBs a simple way to see their data exposure before opening Copilot to everyone. The mistake to avoid is treating data security as a "later" step — because with Copilot, "later" is measured in days before the first incident.

If you want to know what Copilot would surface in your tenant today, talk to an io4 expert. We run the DSPM assessment, the SharePoint access cleanup, and the Copilot governance rollout with the same method we use across the rest of your Microsoft environment: visibility first, deployment second.
