
Saying yes to AI, without opening the door to shadow AI.
Purview controls what the data is. Defender for Cloud Apps controls where it's allowed to go. Neither closes the loop on its own — together, they're the clearest answer most tenants have to the governance question AI now makes urgent.
The data plane and the app plane are different problems.
Purview handles what the data is. Defender for Cloud Apps handles where it's allowed to go. Both are needed the moment staff start pasting things into AI tools outside your tenancy — which is already happening.
Defender for Cloud Apps — the app plane
A concrete example, start to finish.
A sensitivity-labelled document. A user opens ChatGPT and tries to paste it in. Here's what happens when the tandem is live — and why neither product can do it alone.
- Step 01
A document is labelled
Either by a user, or automatically by a Purview trained classifier — "Confidential · Client" sits in the document header and the file's metadata.
- Step 02
A user opens ChatGPT
Browser session, personal account, no tenant involvement. The kind of shadow-AI use most tenants can't see happening today.
- Step 03
The session is inspected
Defender for Cloud Apps reverse-proxies the session, reads the Purview label as the paste happens, and matches it against policy.
- Step 04
The upload is blocked
User sees a tenant-branded message explaining why. The paste doesn't reach ChatGPT's context window. Everything else in the session continues normally.
- Step 05
The audit trail is written
Who tried to upload what, when, to which AI app, and what policy caught it — filed alongside the rest of your security telemetry, ready for the regulator.
Four capabilities, one posture.
Shadow AI discovery
Defender for Cloud Apps scores 800+ generative AI apps on data handling, compliance posture and residency. An ongoing telemetry loop, not a one-off audit — new apps are surfaced the week they hit your network.
Label-aware session control
Purview sensitivity labels travel into session policies, so confidential content can be blocked from upload to ChatGPT, Claude, Gemini, Copilot and the long tail of consumer AI tools — without blocking the apps outright.
OAuth & app-consent governance
See which AI tools have been granted tenant-level permissions by staff via OAuth, score them on risk, and revoke or gate the ones that shouldn't be there. The bit most tenants have never audited.
Regulator-ready audit trail
Every block, every allow, every consent revocation — timestamped, attributed, exportable. The defensible answer when the auditor asks how AI is controlled.
It's rarely a standalone engagement.
The tandem gets designed, deployed and maintained alongside the rest of the consultancy practice — not in isolation.
Copilot readiness
The readiness review picks up Defender for Cloud Apps alongside Purview in the tenancy audit — so the go / no-go recommendation accounts for both planes.
Data governance
The governance sprint designs and rolls out the sensitivity labels that session policies then consume. The two programmes share a taxonomy by design.
Permissions & identity hygiene
OAuth consent governance sits naturally alongside the Entra and Conditional Access work. AI-tool tenant consents are audited in the same pass.
Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme. Code is continuously scanned for quality and security with Aikido, with independent QA and penetration testing by Zoonou available where engagements call for it, and hosted on our own Nutanix / Fortinet platform — continuously pen-tested, current-version, UK-based. See secure development for the full picture.
Start with a readiness review.
We'll show you what your tenancy looks like to an LLM today — and what the tandem would block tomorrow.