Enforcing AI Protections for Copilot

DefensX AI Protections are designed to enforce robust commercial data protection over AI tools, ensuring that sensitive information remains secure when organizations and employees utilize generative AI services.

When using generative AI services, such as Microsoft Copilot, it’s crucial to understand how these services manage user and chat data. Microsoft Copilot includes features for commercial data protection. By signing in with a work or school account before using the tool, a green badge is displayed on the screen, indicating that "Commercial data protection applies to this chat."

However, if a user inadvertently uses Copilot or Bing chat without signing in, they risk exposing sensitive information. DefensX AI Protections address this vulnerability by enforcing Microsoft Commercial Data Protections at both the DNS and HTTP request levels. Once enabled, this ensures that no one can interact with Copilot services without proper authentication. This proactive measure prevents accidental data exposure, providing an additional layer of security and peace of mind for organizations.

To prevent eligible users in your organization from accessing Copilot without commercial data protection (formerly Bing Chat) when signed in with their Entra ID, Microsoft supports both DNS redirection and HTTP header injection methods. [https://learn.microsoft.com/en-us/compliance/anz/blueprint-copilot-recconfig#enforce-commercial-data-protection]

In DefensX, both methods are also supported by redirecting the DNS requests with our agent and injecting required HTTP headers through the DefensX browser extensions.

After enforcing commercial data protection both user and organizational data are protected:

Access to Copilot without commercial data protection enforcement:

Access to Copilot after enforcing commercial data protection:

You can enable AI protections with a single click in the DefensX backend. Just navigate to the Settings → AI Protections menu and turn on the feature. After changing this setting, you may need to wait up to 5 minutes for the previously cached responses to expire and the new settings to take effect.