Data Security & AI Report – September 2025

Introduction

Last year, I started sending a quarterly internal data security report on behalf of the Dutch solution engineering team. It proved helpful for spreading messages on key focus areas in the data security space, but I’ve realized these reports belong outside Microsoft as well.

Compared to any previous year, customer asks around data security have exploded, driven of course by the rise of AI. Legendary financial analyst Mary Meeker captured this in her May 2025 report on AI, where she used the word unprecedented more than 50 times. One striking use of the word to me was her coverage on mass tech adoption cycles: in the US each major technology wave - PCs, desktops, mobile, now AI - reached 50% household adoption in half the time of the previous wave. This time AI household adoption is projected to take as short as 3 years, which is sure to disrupt every (big) company’s long term planning efforts. It’s no wonder why our customers and partners want more frequent, high-quality broad-based insights to keep up. Perhaps I can add value as a curator.

For the first time, I’ll publish this kind of report publicly before resharing internally. Just as DJs became cultural curators during the digital music explosion, I see newsletters and reports playing a similar role in today’s content explosion, hopefully helping you dodge a lot of AI slop along the way

---

Security for AI: Microsoft’s Focus Areas

In the Netherlands, we recently delivered several Innovation Hub sessions with financial services customers to map out secure AI deployment strategies. These sessions target the Frontier Firms of tomorrow: organizations that can harness intelligence on tap to keep pace with business demands moving faster than human capacity.

The feedback was great. Here’s the PowerPoint material so you can jumpstart your own journey.

Overview: Security for AI – Intro – Sept 2025.pptx

• What it covers: Why agentic AI changes the threat landscape; risks across data, identity, threats, and regulations; Microsoft’s Zero Trust for AI approach.

• Framework: Prepare → Discover → Protect → Govern.

• Why it matters: Provides executives and technical teams with a shared mental model before diving into details.

1. Data Leakage & Inaccuracy: Security for AI 1 – Data Leakage and Inaccuracy – Sept 2025.pptx

• What it covers: Guardrails to prevent sensitive data loss and improve AI output quality. Covers access cleanup, sensitivity labels, DLP, AI usage discovery, and runtime checks.

• Why it matters: Provides concrete steps you can implement quickly to reduce oversharing, prevent exfiltration, and curb hallucinations.

2. Emerging Threats & Vulnerabilities: Security for AI 2 – Emerging AI threats and vulnerabilities – Sept 2025.pptx

• What it covers: New attack vectors (prompt injection, model theft, data poisoning, plugin flaws). Demonstrates AI red teaming, posture management, and runtime protections.

• Why it matters: Gives security architects and SOC leads actionable monitoring and incident response strategies.

3. Agent Sprawl & Risks: Security for AI 3 – Agent sprawl and risks – Sept 2025.pptx

• What it covers: How to manage the explosion of AI agents. Entra Agent IDs, least-privilege access, and monitoring of agent behaviours.

• Why it matters: Prevents “shadow agents,” compliance gaps, and risky automation—treating agents like digital employees with proper identity and access controls.

4. Compliance: Security for AI 4 – Compliance – Sept 2025.pptx

• What it covers: Aligning AI use with regulations like the EU AI Act, ISO/IEC 42001, and NIST AI RMF. Shows how Microsoft Purview, Defender, and other tools provide audit-ready evidence.

• Why it matters: Translates policy into proof, helping organizations stay compliant without stalling innovation.

Thanks to Tina Ying and her team for developing these resources, and to Dennis van de Laar, Charlotte van Beijsterveld and Alaa Riahi (among others) for organizing excellent Innovation Hub sessions where we could explore the relevance of these themes with customers.

---

Upcoming Events (ordered by Date)

• Microsoft AI Learning Month - from all of September 2025

  • For catering to different languages & regions in Europe, see country focused AI Learning Months and Weeks here: AI Learning | Empower Tomorrow’s Innovators

• Data Security in the Age of AI - Thursday, September 11, 2025, 11:00 AM – 12:00 PM CET - Part of AI Learning Month – presented by Ellen van Meurs & Jan Willem Roks

• The Zero Trust Workout Plan: Build AI-Ready Data Security. No Matter What Shape You’re In. Monday, September 15, 18:00 - 19:00 PM CET - presented by me.

  • Hosted by Justine Wolters and Anna Bordioug who created The International Data Security User Group to unite professionals around the world on Microsoft Purview and data security

• Copilot Als Collega - AI in Diesnt van de Public Sector (Dutch - In Person) - Monday 29 september 2025, 9:00 a.m. – 4:30 p.m

  • Presented by Jet de Ranitz, Linda Durand, Sjoerd Koolen and Mark Hoskam

• Microsoft Secure, October 1, 2025 -Explore the latest solutions that can help you protect your data, cloud, and AI investments with an AI-first, end-to-end platform

• Microsoft Ignite, November 18 - 20, 2025 - where you’ll hear the latest about all our enterprise products and platforms - intended for IT pros, developers, architects, and business/technical decision-makers

---

Executing Microsoft Blueprints for Data Security

For those tackling compliance and secure-by-design, good to remind you that Microsoft has developed Secure by Default with Purview blueprint, that includes a high level activities and presentations, downloadable here:

• PDF - https://aka.ms/PurviewDeploymentModels/SecureByDefault-pdf,

• PowerPoint - https://aka.ms/PurviewDeploymentModels/SecureByDefault-pptx,

Detailed guide - Secure by Default with Purview - Introduction to secure by default with Microsoft Purview | Microsoft Learn

Patrick Murray has launched a fantastic video series explaining and demoing this blueprint. Find the videos here:

• Secure by default with Microsoft Purview - Introduction

• Secure by default - Phase 1 - Foundation

• Secure by default - Phase 2 - Managed

Additional blueprints for specific data security use cases:

• Microsoft 365 Copilot blueprint for oversharing | Microsoft Learn

• Introduction to preventing data leakage to shadow AI | Microsoft Learn

Thanks to Maxime Bombardier, Sopie Ke and others for toiling away at these blueprints.

---

Deep Dives (Videos, Podcasts and Blogs)

Your #MicrosoftPurview L400 on Steroids — A great set of level 400 videos from Ray Reyes, showing how Purview data security capabilities work in practice. Watch on LinkedIn: Your #MicrosoftPurview L400 on steroid | LinkedIn

All Things M365 Compliance - Ryan John Murphy and Nikki Chapple host a pod/vodcast tackling customer and SME topics in security and compliance

• Watch on YouTube: All Things M365 Compliance - YouTube

• Listen on Spotify: All Things M365 Compliance | Podcast on Spotify

Hack the Hoax Podcast (Summer Specials)- Hosted by Ellen van Meurs and Jan Willem Roks, featuring Dutch customers at an Executive Briefing Centre (EBC) in Redmond, Seattle. These episodes explore how Purview product leaders see the future of data security, and how customers experienced the EBC

• Leadership perspectives: Hack the Hoax Summer Special #1, featuring Rudra Mitra, Maithili Dandige, Marguerite Cole, Aashish Ramdas, and Herain Oberoi.

• Customer feedback (in Dutch): Hack the Hoax with EBC participants, featuring Hans den Dunnen and Ton Sundermeijer.

Also thanks to Anela Jaganjac for her behind-the-scenes work in organizing the Dutch multi-customer EBC session.

---

Tell me what you think! At Microsoft we focus heavily on execution, but without customer and partner input, execution can easily become just a collection of hammers looking for nails. Your feedback ensures these resources truly address real-world business problems.