For the past two years, most conversations about AI in business have centred on what it can do: drafting content, summarising meetings, surfacing data, automating workflows.
The governance question, specifically what happens to your data when AI touches it, has tended to come second. That’s changing, and a cluster of updates from Microsoft and Anthropic in the last fortnight signals just how quickly.
Microsoft Purview’s new Data Security Posture Management (DSPM) experience is now generally available. Anthropic has connected Claude directly to Microsoft Purview through a dedicated Compliance API.
Microsoft has introduced Windows 365 for Agents, a managed cloud environment for running AI agents under your organisation’s existing policies and identity controls. Each of these is useful on its own. Together, they represent a meaningful shift in how Australian businesses can govern AI tools across their environment, not just the Microsoft ones.
If you’ve been watching AI adoption move faster than your security and compliance team can keep up with, this is the update worth understanding before your next decision.
Microsoft Purview DSPM: Visibility Before Control
One View of Where Your Sensitive Data Actually Lives
Data Security Posture Management sounds technical, but the core idea is straightforward. DSPM gives your security team a single, unified view of where sensitive data sits across your environment, how exposed it is, and what needs to be addressed.
Before DSPM, most businesses had to run separate processes to discover data, classify it, assess risk, and take action. Now those four steps sit inside one connected workflow in Microsoft Purview, which means fewer gaps and faster response when something needs attention.
For businesses running AI tools across Microsoft 365, this is where DSPM becomes particularly relevant. Copilot, AI agents built in Copilot Studio, and third-party tools like Claude can all access data that sits in your Microsoft environment.
DSPM gives you a clear picture of what’s reachable and what level of risk that represents, before an issue surfaces rather than after.
A Clearer Picture for Leadership Conversations
Your security and IT team can move from “we think our data is secure” to “here’s exactly where the risk is and here’s what we’ve done about it.” That shift matters for audit, for compliance, and for the conversations your board and leadership team are increasingly being asked to have about AI risk.
If your Purview configuration hasn’t been reviewed since before AI was part of your workflows, that’s the right place to start. A lot has changed in twelve months, and configuration that was fit for purpose then may not reflect your environment today.
The Claude Compliance API: Governance That Follows the Tool
What This Integration Actually Does
Anthropic has released a Claude Compliance API that connects Claude’s platform to a range of security and compliance tools, and Microsoft Purview is one of them.
For businesses using Claude Enterprise or running Claude through the API, this means conversation content, uploaded files, project activity, and admin actions can now flow directly into Purview and be monitored alongside your existing Microsoft 365 data.
In practice, your compliance team no longer needs to chase Claude activity separately. It sits inside the same governance environment as everything else. That matters because most businesses aren’t using one AI tool. They’re using several, and the risk often sits in the gaps between them.
A Direct Concern for Australian Businesses
Australia’s Privacy Act requires that personal data is only accessible to authorised people for authorised purposes. If your team is uploading documents or entering prompts into Claude that contain personal or commercially sensitive information, you need visibility into that activity and controls around it.
The Purview integration closes that gap for Claude users. Using multiple AI platforms isn’t inherently a risk. Not governing them is.
This is the same principle at the heart of the governance gap that catches many businesses off guard: AI doesn’t create poor data hygiene, it just moves through it faster and at greater scale than any person could.
The Claude Compliance API integration extends that governance logic beyond the Microsoft ecosystem, which is where most real-world AI environments now operate.
Windows 365 for Agents: A Managed Workspace for AI Agents
What This Is and Why It Matters Now
AI agents are automated tools that take action across your business systems: checking stock levels, drafting reports, updating CRM records, sending notifications, and more.
If you’ve been following the shift toward agentic AI, you’ll know these aren’t future-state scenarios. As explored in the piece on the agentic system of work, businesses are already running them in production, and the question of governance is now urgent.
The challenge until recently has been that if an agent can act across your systems, the controls around what it can do, where it can go, and who authorised it weren’t always clearly defined. Windows 365 for Agents addresses this directly.
It gives AI agents a managed Cloud PC environment to run in, governed by your organisational policies and identity controls. Think of it as giving your AI agents a secure, monitored workspace in the same way you’d give a new employee a company device rather than letting them work from a personal laptop with no oversight.
Questions Worth Raising With Your Team
If your business is already running AI agents through Copilot Studio or is planning to build them, a few questions are worth raising now:
Are your agents running under a named identity? Microsoft Entra Agent ID gives each agent a managed identity that ties directly into your access controls. Without it, agents may be acting with limited visibility.
Can you see what each agent is accessing? Defender for Endpoint’s new Agent 365 connector lets your security team monitor AI agent activity through Microsoft Sentinel as part of standard security operations.
Are your Purview policies scoped to include agent activity? The extension of Insider Risk Management to AI agents means you can now set policies that flag or block unusual agent behaviour, not just unusual user behaviour.
How These Three Updates Connect
A Security Architecture Built for How AI Works Now
These three updates, DSPM in Purview, the Claude Compliance API, and Windows 365 for Agents, aren’t separate announcements.
They’re part of the same direction. Microsoft and Anthropic are both moving toward a model where AI tools can be used confidently, at scale, across a business, because the governance infrastructure underneath them has grown to match.
The architecture that makes this work is built on three connected layers. Microsoft Purview sets the rules: what data can be accessed, by whom, and what sensitivity levels apply. Microsoft Defender watches for anything that breaks those rules and responds in near real-time, including unusual behaviour from AI agents.
Microsoft Entra confirms identity: who or what is making a request, and whether that access is appropriate. When these three work together, and when tools like Claude are connected through the Compliance API, you get a complete view across your AI environment.
That’s meaningful for a business leader who wants to move quickly on AI without carrying unnecessary risk.
Practical Starting Points
You don’t need to be across every technical detail to make progress here. Most Microsoft 365 businesses already have access to Purview, Defender, and Entra. For many, the gap isn’t access. It’s configuration and knowing what to prioritise.
Ask your IT team if your Purview DSPM experience has been reviewed recently. If it hasn’t, schedule that conversation. The goal is a clear picture of where your sensitive data sits and what AI tools can currently reach it.
If your business uses Claude, ask whether the Compliance API has been connected to Purview. It’s available now for Claude Enterprise and Claude API customers, and your compliance team will want it in place.
If you’re building or running AI agents, confirm they have managed identities through Entra Agent ID. This is the identity and access foundation that everything else builds on.
Review whether Purview’s Insider Risk policies have been extended to include AI agent activity. This is a recent capability that many businesses haven’t yet switched on.
These steps are part of a structured review rather than a large project, but they do need a clear owner and a plan to work through them.
If you want to understand where your business currently stands and what the practical path forward looks like, reach out.
It’s the kind of conversation we have regularly with business leaders, and a clear picture of your current position is always the best place to start.
About the Author
Carlos Garcia is the Founder and Managing Director of CG TECH, where he leads enterprise digital transformation projects across Australia.
With deep experience in business process automation, Microsoft 365, and AI-powered workplace solutions, Carlos has helped businesses in government, healthcare, and enterprise sectors streamline workflows and improve efficiency.
He holds Microsoft certifications in Power Platform and Azure and regularly shares practical guidance on Copilot readiness, data strategy, and AI adoption.
For the past two years, most conversations about AI in business have centred on what it can do: drafting content, summarising meetings, surfacing data, automating workflows.
The governance question, specifically what happens to your data when AI touches it, has tended to come second. That’s changing, and a cluster of updates from Microsoft and Anthropic in the last fortnight signals just how quickly.
Microsoft Purview’s new Data Security Posture Management (DSPM) experience is now generally available. Anthropic has connected Claude directly to Microsoft Purview through a dedicated Compliance API.
Microsoft has introduced Windows 365 for Agents, a managed cloud environment for running AI agents under your organisation’s existing policies and identity controls. Each of these is useful on its own. Together, they represent a meaningful shift in how Australian businesses can govern AI tools across their environment, not just the Microsoft ones.
If you’ve been watching AI adoption move faster than your security and compliance team can keep up with, this is the update worth understanding before your next decision.
Microsoft Purview DSPM: Visibility Before Control
One View of Where Your Sensitive Data Actually Lives
Data Security Posture Management sounds technical, but the core idea is straightforward. DSPM gives your security team a single, unified view of where sensitive data sits across your environment, how exposed it is, and what needs to be addressed.
Before DSPM, most businesses had to run separate processes to discover data, classify it, assess risk, and take action. Now those four steps sit inside one connected workflow in Microsoft Purview, which means fewer gaps and faster response when something needs attention.
For businesses running AI tools across Microsoft 365, this is where DSPM becomes particularly relevant. Copilot, AI agents built in Copilot Studio, and third-party tools like Claude can all access data that sits in your Microsoft environment.
DSPM gives you a clear picture of what’s reachable and what level of risk that represents, before an issue surfaces rather than after.
A Clearer Picture for Leadership Conversations
Your security and IT team can move from “we think our data is secure” to “here’s exactly where the risk is and here’s what we’ve done about it.” That shift matters for audit, for compliance, and for the conversations your board and leadership team are increasingly being asked to have about AI risk.
The question of what your Microsoft 365 data can actually reach is one many businesses haven’t fully mapped yet, and DSPM is the tool that makes that mapping practical.
If your Purview configuration hasn’t been reviewed since before AI was part of your workflows, that’s the right place to start. A lot has changed in twelve months, and configuration that was fit for purpose then may not reflect your environment today.
The Claude Compliance API: Governance That Follows the Tool
What This Integration Actually Does
Anthropic has released a Claude Compliance API that connects Claude’s platform to a range of security and compliance tools, and Microsoft Purview is one of them.
For businesses using Claude Enterprise or running Claude through the API, this means conversation content, uploaded files, project activity, and admin actions can now flow directly into Purview and be monitored alongside your existing Microsoft 365 data.
In practice, your compliance team no longer needs to chase Claude activity separately. It sits inside the same governance environment as everything else. That matters because most businesses aren’t using one AI tool. They’re using several, and the risk often sits in the gaps between them.
A Direct Concern for Australian Businesses
Australia’s Privacy Act requires that personal data is only accessible to authorised people for authorised purposes. If your team is uploading documents or entering prompts into Claude that contain personal or commercially sensitive information, you need visibility into that activity and controls around it.
The Purview integration closes that gap for Claude users. Using multiple AI platforms isn’t inherently a risk. Not governing them is.
This is the same principle at the heart of the governance gap that catches many businesses off guard: AI doesn’t create poor data hygiene, it just moves through it faster and at greater scale than any person could.
The Claude Compliance API integration extends that governance logic beyond the Microsoft ecosystem, which is where most real-world AI environments now operate.
Windows 365 for Agents: A Managed Workspace for AI Agents
What This Is and Why It Matters Now
AI agents are automated tools that take action across your business systems: checking stock levels, drafting reports, updating CRM records, sending notifications, and more.
If you’ve been following the shift toward agentic AI, you’ll know these aren’t future-state scenarios. As explored in the piece on the agentic system of work, businesses are already running them in production, and the question of governance is now urgent.
The challenge until recently has been that if an agent can act across your systems, the controls around what it can do, where it can go, and who authorised it weren’t always clearly defined. Windows 365 for Agents addresses this directly.
It gives AI agents a managed Cloud PC environment to run in, governed by your organisational policies and identity controls. Think of it as giving your AI agents a secure, monitored workspace in the same way you’d give a new employee a company device rather than letting them work from a personal laptop with no oversight.
Questions Worth Raising With Your Team
If your business is already running AI agents through Copilot Studio or is planning to build them, a few questions are worth raising now:
How These Three Updates Connect
A Security Architecture Built for How AI Works Now
These three updates, DSPM in Purview, the Claude Compliance API, and Windows 365 for Agents, aren’t separate announcements.
They’re part of the same direction. Microsoft and Anthropic are both moving toward a model where AI tools can be used confidently, at scale, across a business, because the governance infrastructure underneath them has grown to match.
The architecture that makes this work is built on three connected layers. Microsoft Purview sets the rules: what data can be accessed, by whom, and what sensitivity levels apply. Microsoft Defender watches for anything that breaks those rules and responds in near real-time, including unusual behaviour from AI agents.
Microsoft Entra confirms identity: who or what is making a request, and whether that access is appropriate. When these three work together, and when tools like Claude are connected through the Compliance API, you get a complete view across your AI environment.
That’s meaningful for a business leader who wants to move quickly on AI without carrying unnecessary risk.
Practical Starting Points
You don’t need to be across every technical detail to make progress here. Most Microsoft 365 businesses already have access to Purview, Defender, and Entra. For many, the gap isn’t access. It’s configuration and knowing what to prioritise.
These steps are part of a structured review rather than a large project, but they do need a clear owner and a plan to work through them.
If you want to understand where your business currently stands and what the practical path forward looks like, reach out.
It’s the kind of conversation we have regularly with business leaders, and a clear picture of your current position is always the best place to start.
About the Author
Carlos Garcia is the Founder and Managing Director of CG TECH, where he leads enterprise digital transformation projects across Australia.
With deep experience in business process automation, Microsoft 365, and AI-powered workplace solutions, Carlos has helped businesses in government, healthcare, and enterprise sectors streamline workflows and improve efficiency.
He holds Microsoft certifications in Power Platform and Azure and regularly shares practical guidance on Copilot readiness, data strategy, and AI adoption.
Sources
Recent Posts
Popular Categories
Archives