One of the harder questions for Copilot governance has always been: how do you control what users ask Copilot about? Sensitivity labels on the source content help, but they're upstream. Conditional Access helps with who can use Copilot, but it's binary. The missing piece has been prompt-level controls.

Microsoft's Purview DLP capabilities have been progressively extended through 2025–26 to support exactly this. Policies can now flag prompts containing specific content types (credit-card numbers, identifiers, project codenames), restrict Copilot from generating responses involving particular sensitivity classifications, and surface high-risk prompt activity to compliance reviewers.

This isn't a complete answer to AI governance — nothing is, yet — but it's a meaningful control surface that didn't exist a year ago. For organisations rolling out Copilot to broader user populations, prompt-level DLP belongs in the design from day one.

What it means for your business: Purview DLP now extends to Copilot prompts. If you're rolling out Copilot beyond a pilot group, design the prompt-level policies in; don't bolt them on later.
Source & reference: Microsoft Learn, "Use Microsoft Purview to manage data security & compliance for Copilot"