Microsoft has shipped a major round of governance and security updates for its Purview platform inside Fabric, putting automated data protection, loss prevention, and insider risk detection directly into the analytics and AI workflow. Announced at the European Fabric Community Conference in Vienna on September 16, the release marks general availability for information protection labels on Fabric items, data loss prevention (DLP) for structured data in OneLake, insider risk indicators for Power BI, and compliance controls for Copilot in Power BI. Simultaneously, Microsoft opened previews for AI‑focused data risk assessments and deeper metadata in the unified catalog.
The package is aimed squarely at enterprises that want to feed AI models with trustworthy data without sacrificing security. By embedding Purview’s capabilities into the same management plane as Fabric, Microsoft is making it easier for organizations to discover overshared data, prevent accidental leaks, and audit AI interactions—all from a single console.
What just shipped: The concrete updates
Fabric security gets labels, DLP, and insider risk monitoring
The most immediately impactful changes are the general‑availability milestones. Three sets of controls now operate natively on Fabric items:
- Information Protection sensitivity labels can be applied manually to Fabric artifacts, and access controls automatically follow the label’s policy. A compliance admin can, for example, mark a Power BI report “Confidential – Finance” and have row‑level security or sharing restrictions enforce that classification everywhere the data travels.
- DLP for structured data in OneLake now fires policy tips—and can block actions—when sensitive data types are detected inside lakehouse tables or other structured assets. This means a DLP rule that looks for credit card numbers will trigger not just on a file upload but on a column in a SQL endpoint or a Fabric notebook output.
- Insider Risk Management indicators for Power BI feed user activities (view, download, export, sensitivity‑label changes) into the same risk‑scoring engine that already monitors email, SharePoint, and Teams. A security analyst can now correlate a Power BI export with a suspicious sign‑in and a large file download to build a single risk case.
AI‑specific posture management and Copilot oversight
Recognizing that generative AI creates new leak vectors, Microsoft is expanding its Data Security Posture Management for AI (DSPM) toolkit. A new Data Risk Assessment for Fabric—currently in preview—automatically scans the 100 most‑accessed Fabric workspaces and flags overshared dashboards, reports, and top‑touched items. The assessment appears inside the Purview posture dashboard, alongside existing checks for overshared M365 content and Azure data sources.
Copilot in Power BI is also now under explicit governance. The GA controls let organizations:
- Discover when sensitive data appears in Copilot prompts or responses.
- Apply audit, eDiscovery, and retention policies to Copilot interactions.
- Detect non‑compliant usage, such as a user pasting a full customer list into a prompt, and surface the event with risk details.
Catalog gains granularity and quality signals
On the governance side, the Unified Catalog—the search and discovery layer for the entire Fabric estate—is picking up three preview capabilities:
- Sub‑item metadata for lakehouses: users can now see table, column, and file‑level metadata, making it far easier to find a specific column without opening the dataset.
- Custom business attributes: data stewards can tag assets with business‑specific labels (e.g., “GDPR‑Article‑9” or “Marketing‑Qualified”) that appear in search and lineage views, so analysts speak the same language as the data owners.
- Published error records in OneLake: when a data quality check fails, the malformed rows are written to a dedicated location inside OneLake. This lets data engineers troubleshoot directly in the Fabric environment rather than switching to a separate quality tool.
What this means for you
For enterprise security and compliance teams
The biggest operational win is consolidation. Instead of toggling between a DLP dashboard for email, a separate tool for cloud app security, and yet another for insider risk, teams can now manage Fabric protection in the same Purview console. Labels set on Fabric items inherit protection policies that also cover M365 files and Azure databases, reducing the chance of a policy gap when data moves between services.
That said, the full feature set requires appropriate licensing. Many advanced Purview capabilities—comprehensive DSPM, advanced DLP, Insider Risk Management—are bundled with E5 or equivalent premium suites. Organizations should inventory which subsets of these controls they already own and factor in any needed SKU upgrades before rolling out new policies.
For data engineers, analysts, and AI builders
The catalog and quality updates directly address a common frustration: finding trustworthy data for a model or report. With sub‑item metadata, a data scientist can search for a column name across all lakehouses and immediately see its schema and business attributes. Published error records let engineers correct bad rows at the source, rather than having to remember which separate data‑quality tool flagged a problem three days ago.
The Copilot controls also introduce a new layer of responsibility. Analysts who use Power BI Copilot to generate DAX queries or summarize reports should be aware that their prompt history is now discoverable by compliance teams. That’s good for the organization, but it means prompt hygiene becomes a real operational practice—no more pasting sensitive free‑text into a chat box.
For Windows‑centric shops and mixed‑estate organizations
If your enterprise runs mostly on Microsoft 365, Power BI, and Fabric, these updates deliver an out‑of‑the‑box governance lift with minimal integration work. However, the picture is more complex for firms that also run Snowflake, Databricks, or third‑party BI tools alongside Fabric. While Purview can scan many external sources, the tight enforcement features—label inheritance, DLP blocking on structured data, Insider Risk signals from Power BI—apply only inside the Microsoft ecosystem. In a hybrid estate, teams will need to decide whether to extend Fabric as the primary data plane or invest in bridging controls that connect Purview alerts to non‑Microsoft tools.
How we got here: the risk that forced these updates
Fabric’s architecture—a single storage layer (OneLake) and a set of integrated experiences for analytics and AI—was designed to simplify data management. That same consolidation, however, concentrates risk. When sensitive data sits in one logical lake, a misconfigured sharing link or an over‑permissioned workspace can expose it to far more consumers, including AI models.
Microsoft internalized this reality as it built Copilot into Power BI. In early 2024, the company began rolling out basic Purview integrations—labeling for Power BI datasets, DLP for some Fabric artifacts—but the coverage was fragmented. Meanwhile, industry data amplified the urgency. A widely cited 2025 study by Varonis, a security vendor, found that roughly 99% of sampled organizations had sensitive data exposed to AI‑capable tools due to permissive access controls. While that figure reflects a specific methodology and shouldn’t be interpreted as an absolute measure for every company, it underscores a hard truth: the “security by obscurity” of buried files no longer works when AI can surface anything that is readable.
The FabCon 2025 updates represent Microsoft’s answer to close that window. By bringing labels, DLP, insider risk, and DSPM into a single plane for Fabric, the company is betting that integrated governance will become a competitive advantage—especially for enterprises that are already deep in the Microsoft stack and want to turn on AI safely.
What to do now: a phased action plan
Organizations shouldn’t try to enable every new control on day one. A staged rollout reduces policy fatigue and keeps users from abandoning governed tools for unmanaged consumer AI.
1. Scan your top‑used content
Activate the default Data Risk Assessment for Fabric (preview). It will run against the 100 most‑accessed workspaces and surface overshared dashboards and reports. Use the results to compile a priority remediation list before you touch any controls.
2. Pilot sensitive labels
Pick two or three well‑defined data domains—HR, finance, intellectual property—and apply Information Protection labels to their Fabric items. Test label‑driven access restrictions in a dev or test workspace first. Once you confirm that downstream processes (scheduled refreshes, embedded reports) still work, expand to production.
3. Tune DLP in monitor mode
Create DLP policies for structured data in OneLake but keep them in “alert only” mode initially. Let the policy tips fire for a week, review false positives with business owners, and adjust detection rules before turning on blocking. A policy that flags every salary column may cause more harm than good if it blocks legitimate financial reporting.
4. Wire up Insider Risk signals
Add the new Power BI indicators to existing data‑theft and data‑leak policies. Because Insider Risk Management already correlates signals from other Microsoft services, you’re likely to see a rise in alerts. Design a clear triage process: automated off‑hours alerts get immediate review; low‑severity signals (e.g., a single export) are batched for weekly audit.
5. Govern Copilot with education, not just technology
Even with the new audit and detection controls, the easiest way to prevent sensitive data from entering a Copilot prompt is to teach users what not to paste. Publish a one‑page Copilot usage policy, illustrate risky prompts in training, and make the prompt‑log audit visible to teams so they understand the oversight exists. The Purview controls give you the logs; the behavioral change still depends on people.
What to watch next
The FabCon announcements are a meaningful step, but they are unlikely to be the final word. Three indicators will determine how far these capabilities go in practice:
- Customer adoption velocity: Will enterprises flip the switch on DLP and DSPM en masse, or will adoption be limited to the most regulated sectors? Early public case studies will reveal whether the integrated model actually reduces overhead.
- Licensing clarity: Microsoft has historically tied advanced Purview features to top‑tier bundles. Transparent, predictable pricing for the Fabric‑specific controls could accelerate mid‑market adoption; a confusing matrix could leave valuable tools on the table.
- Multi‑cloud coverage: For organizations that can’t move everything to Fabric, Purview’s ability to govern data in Snowflake, Databricks, or S3 buckets will be a litmus test. Microsoft’s track record here is improving, but gaps remain.
The AI‑data risk equation isn’t going away. With these updates, Microsoft has given Fabric customers a direct way to manage it—and a reason to pay attention to governance before, not after, an AI‑fueled data leak makes headlines.