Microsoft's AI Stack Decoded, Part 4: The Governance Layer
Why enterprise AI fails without governance. Deep dive into Content Safety, Purview, Defender, and Entra — the layer that unlocks adoption.
The Real Blocker Isn’t Capability
Ask any enterprise AI project why they’re stuck, and you’ll hear:
- “Legal won’t sign off”
- “Compliance needs an audit trail”
- “CISO wants to understand the risk”
- “We can’t put customer data in there”
- “What if the AI says something wrong?”
The technology works. The governance doesn’t exist.
This is why Microsoft’s governance layer matters more than their models. It’s the unlock for enterprise adoption.
This is Part 4 of the Microsoft AI Stack series.
The Four Pillars
Microsoft’s AI governance stack has four components:
| Component | Function |
|---|---|
| Azure AI Content Safety | Real-time content filtering |
| Microsoft Purview | Data governance, lineage, compliance |
| Defender for AI | Threat detection and response |
| Microsoft Entra | Identity for users AND agents |
Each solves a different compliance question.
Azure AI Content Safety
The Problem
Your AI agent could generate harmful, biased, or inappropriate content. Legal wants to know: how do you prevent that?
The Solution
Content Safety analyzes text and images in real-time:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from azure.ai.contentsafety import ContentSafetyClient
from azure.core.credentials import AzureKeyCredential
client = ContentSafetyClient(
endpoint="https://your-resource.cognitiveservices.azure.com",
credential=AzureKeyCredential(api_key)
)
# Check agent response before sending to user
def check_response(agent_response: str) -> str:
result = client.analyze_text(
text=agent_response,
categories=["Hate", "Violence", "SelfHarm", "Sexual"]
)
# Check severity levels (0-6 scale)
if any(cat.severity > 2 for cat in result.categories):
# Log for review
log_blocked_content(agent_response, result)
return "I can't provide that response. Let me try a different approach."
return agent_response
What It Catches
| Category | Examples |
|---|---|
| Hate | Discriminatory language, slurs |
| Violence | Graphic descriptions, threats |
| Self-harm | Dangerous instructions |
| Sexual | Explicit content |
| Jailbreaks | Prompt injection attempts |
| Protected material | Copyrighted content |
Custom Categories
For your specific domain, add custom blocklists:
1
2
3
4
5
6
7
8
9
10
11
# Block competitor mentions in customer-facing agent
client.add_blocklist_items(
blocklist_name="competitors",
items=["CompetitorName", "CompetitorProduct", "alternative vendors"]
)
# Block internal project codenames
client.add_blocklist_items(
blocklist_name="internal",
items=["Project Phoenix", "Operation Bluebird", "Q4 restructure"]
)
Integration with Agent Framework
Content Safety integrates directly as middleware:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
from agent_framework import Agent
from agent_framework.middleware import ContentSafetyMiddleware
agent = client.as_agent(
name="CustomerSupport",
instructions="...",
middleware=[
ContentSafetyMiddleware(
endpoint="https://your-resource.cognitiveservices.azure.com",
block_threshold=2, # 0-6 severity
log_blocked=True
)
]
)
Microsoft Purview
The Problem
- Where did the AI get that information?
- Is it using data it shouldn’t?
- Can we prove compliance to auditors?
The Solution
Purview provides data governance for AI:
Data Lineage: Track where AI training data and RAG sources come from:
1
2
3
Document → SharePoint → AI Search Index → Agent Response
↓
Purview Catalog (metadata, classification, owner)
Sensitivity Labels: AI respects the same labels as your documents:
1
2
3
4
5
6
7
8
9
10
11
12
# AI Search integration with Purview
search_client = SearchClient(
endpoint="https://your-search.search.windows.net",
index_name="documents",
credential=credential
)
# Query automatically filters by user's clearance
results = search_client.search(
query,
filter=f"sensitivity_level le {user.clearance_level}"
)
Audit Logs: Every AI interaction logged:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"timestamp": "2026-04-13T10:23:45Z",
"user": "jsmith@agency.gov",
"agent": "PolicyAdvisor",
"query": "What are the rules for government travel?",
"sources_used": [
"FTR Chapter 301",
"Agency Travel Policy v3.2"
],
"response_snippet": "According to the Federal Travel Regulation...",
"tokens_used": 847,
"content_safety_score": 0,
"session_id": "abc123"
}
Compliance Reports
Generate reports for auditors:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
AI Usage Report - Q1 2026
==========================
Total interactions: 145,000
Unique users: 3,200
Most used agents: PolicyBot (45%), ITHelp (32%), HR Assistant (23%)
Data Sources Accessed:
- SharePoint HR: 34,000 queries
- Policy Database: 28,000 queries
- Public OPM sites: 12,000 queries
Content Safety Blocks: 47 (0.03%)
- Category breakdown: Prompt injection (34), Profanity (8), PII request (5)
Sensitive Data:
- Classified sources accessed: 0
- PII in responses: 0 (filtered)
- FOUO content: 2,340 (authorized users only)
Defender for AI
The Problem
AI systems are a new attack surface. How do you detect threats?
The Solution
Defender for AI monitors your AI workloads:
Threat Detection:
- Prompt injection attempts
- Data exfiltration via AI
- Unusual usage patterns
- Jailbreak attempts
- Credential stuffing via AI
Alert Example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
🚨 ALERT: Potential Prompt Injection Attack
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Severity: High
Time: 2026-04-13 14:32:00 UTC
User: external_contractor@vendor.com
Agent: DocumentAnalyzer
Details:
User submitted 47 queries in 3 minutes containing:
- System prompt extraction attempts
- "Ignore previous instructions" patterns
- Base64 encoded payloads
Action Taken:
- Session terminated
- User flagged for review
- IP temporarily blocked
Recommended:
- Review user access
- Check for data exfiltration
- Update prompt hardening
Integration with SIEM: Defender alerts flow to your existing security tools:
- Microsoft Sentinel
- Splunk
- Chronicle
- Any SIEM via webhook
Red Team Your Agents
Defender includes red team tools:
1
2
3
4
5
6
# Run adversarial testing against your agent
az defender ai red-team \
--agent-endpoint https://your-agent.azurewebsites.net \
--attack-categories "prompt-injection,data-extraction,jailbreak" \
--report-format html \
--output red-team-report.html
Report shows:
- Vulnerabilities found
- Successful attack vectors
- Recommended mitigations
Microsoft Entra
The Problem
Who can use the AI? What can they do? And here’s the new one: what can the AI agent itself do?
The Solution
User Identity: Standard Entra authentication for users:
1
2
3
4
5
6
7
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
agent = client.as_agent(..., credential=credential)
# User's identity flows through to agent
# Agent only accesses data user is authorized for
Agent Identity: This is new. Agents themselves get identities:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
"displayName": "HR Benefits Agent",
"appId": "12345678-...",
"servicePrincipalType": "Agent",
"permissions": [
"SharePoint.Read.HR",
"Dataverse.Read.Employees",
"ServiceNow.Create.Tickets"
],
"restrictions": {
"maxTokensPerHour": 100000,
"allowedUsers": ["@agency.gov"],
"blockedActions": ["delete", "export-bulk"]
}
}
Why Agent Identity Matters:
- Audit trail — Know which agent did what
- Least privilege — Agents only have permissions they need
- Revocation — Disable a compromised agent instantly
- Billing — Track costs per agent
Conditional Access for Agents:
1
2
3
4
5
6
Policy: Restrict HR Agent to Internal Network
Applies to: HR Benefits Agent (service principal)
Conditions:
- Location: NOT Corporate Network
- Time: Outside 6am-8pm EST
Action: Block
Putting It Together
Here’s a compliant AI architecture:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
┌─────────────────────────────────────────────────────────────┐
│ User Request │
│ "What's my leave balance?" │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Entra Authentication │
│ User: jsmith@agency.gov │
│ Groups: AllEmployees, HRSelfService │
│ Clearance: Unclassified │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Content Safety (Input) │
│ Check for: PII requests, prompt injection, harmful content │
│ Result: PASS │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ HR Agent (Agent Identity) │
│ Permissions: HR.Read, Leave.Read │
│ Accesses: Employee leave balance (filtered by user) │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Purview (Data Governance) │
│ Log: Query, sources accessed, response metadata │
│ Verify: User authorized for this data │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Content Safety (Output) │
│ Check for: PII in response, harmful content │
│ Result: PASS │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Defender (Monitoring) │
│ Log: Normal interaction, no anomalies │
│ Status: OK │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Response to User │
│ "Your current leave balance is 120 hours of annual leave │
│ and 80 hours of sick leave." │
└─────────────────────────────────────────────────────────────┘
Every step logged. Every access controlled. Auditable end-to-end.
Compliance Frameworks
This stack maps to common frameworks:
| Requirement | Microsoft Component |
|---|---|
| FedRAMP | Azure Government + Purview |
| HIPAA | Content Safety (PHI filtering) + Purview (audit) |
| SOC 2 | Defender (monitoring) + Entra (access control) |
| GDPR | Purview (data lineage) + Content Safety (PII) |
| NIST 800-53 | Full stack coverage |
The Unlock
Here’s what changes when you have governance:
Before: “We can’t deploy AI because compliance won’t approve it.”
After: “Compliance approved our AI deployment. Here’s the audit trail, here’s the content filtering, here’s the access control. It meets the same standards as our other systems.”
Governance isn’t a blocker. It’s the unlock.
What’s Next
That’s the governance layer. In Part 5, we’ll put it all together with Multi-Agent Workflows — orchestrating multiple agents for complex processes with human-in-the-loop approval.
This is Part 4 of the “Microsoft AI Stack Decoded” series. Part 1 covers the full platform. Part 2 covers Agent Framework. Part 3 covers Copilot Studio.