Using Compliance Manager with Copilot
A practical walkthrough of using Microsoft Purview Compliance Manager to manage Copilot-related compliance work. We'll cover how to translate Copilot security and privacy documentation into assessments, track improvement actions, and produce a status view that's useful for ATO and leadership updates.
Overview
Copilot readiness isn’t one decision. It’s a set of controls, evidence, and ongoing actions that span identity, data governance, auditing, and retention. For government agencies in GCC, GCC High, and DoD environments, you need a structured way to track what’s done versus what’s next.
Microsoft Purview Compliance Manager gives you a control and assessment workflow that’s designed for exactly this kind of work. It helps you translate compliance requirements into trackable improvement actions, attach evidence, and produce reportable status views.
This video walks through how to use Compliance Manager as your system of record for Copilot compliance work. You’ll learn how to build assessments that reflect your compliance baseline, track improvement actions with measurable outcomes, and report progress to leadership and auditors.
What You’ll Learn
- What Compliance Manager Is: A control-tracking workflow inside Purview for managing compliance assessments
- Building Assessments: How to structure a Copilot-focused assessment using your existing frameworks
- Tracking Actions and Evidence: How to assign owners, define “done,” and attach compliance evidence
- Reporting Status: How to create a simple status story for leadership and ATO documentation
Script
Hook: turn Copilot compliance into a trackable plan
Copilot readiness isn’t one decision. It’s a set of controls, evidence, and ongoing actions.
When leadership asks, “Are we ready for Copilot?” they’re really asking: Do we have the right identity controls? Are our data governance policies in place? Can we audit and monitor what’s happening? Do we have evidence?
That’s not a yes-or-no answer. That’s a project with multiple workstreams, multiple owners, and a need for ongoing tracking.
Compliance Manager helps you keep that work structured and reportable. It doesn’t replace your ATO process. It helps you manage the work that feeds it.
Let’s walk through how to use it.
What Compliance Manager is
Compliance Manager is a control and assessment workflow inside Microsoft Purview.
It’s built around a simple idea: you pick a compliance framework, like NIST 800-53 or FedRAMP, and Compliance Manager maps that framework to specific improvement actions. Each action has an owner, a due date, and a place to attach evidence.
You’re not just checking boxes. You’re tracking real work. You’re documenting outcomes. You’re creating a reportable view of where you are and what’s left to do.
And here’s the key thing to understand: Compliance Manager doesn’t replace your ATO process. It doesn’t generate your System Security Plan. It doesn’t submit anything to your authorizing official.
What it does is help you manage the work that feeds those processes. It gives you a structured way to track actions, store evidence, and report progress. That’s valuable when you’re trying to bring something as complex as Copilot through an authorization process.
Build a Copilot-focused assessment approach
So how do you use Compliance Manager for Copilot readiness?
Start by building an assessment. An assessment is just a collection of controls and improvement actions you’re tracking together.
Start from your baseline. If you’re already tracking NIST 800-53, FedRAMP, or CMMC, start there. Don’t reinvent the wheel. Use the framework your agency already recognizes.
Then add Copilot-specific focus areas. You’re not creating a new control set. You’re filtering existing controls to focus on what matters most for Copilot.
Here’s what that looks like.
First, data handling and privacy commitments. What does Copilot do with your data? Where’s it stored? What are Microsoft’s commitments? You need actions that document answers and attach evidence.
Second, identity and session controls. Who can use Copilot? From what devices? With what authentication? You need actions that verify Conditional Access policies, device compliance, and MFA enforcement.
Third, information governance. That’s sensitivity labels, DLP policies, and retention policies. Copilot respects these controls, but you configure them. You need actions proving they’re in place and working.
Fourth, auditing and monitoring. You need audit logging turned on, retention policies that keep logs long enough, and actions showing you’ve tested coverage and can retrieve Copilot activity when needed.
For each focus area, create or filter to the relevant improvement actions, and assign an owner and due date to each. That’s your roadmap.
Track improvement actions and evidence
Now let’s talk about how to track the actual work.
Each improvement action has a lifecycle: not implemented, planned, in progress, then implemented with evidence attached.
But here’s the thing: “done” has to mean something measurable. You can’t just say, “We have a DLP policy.” You have to say, “We have a DLP policy that covers these workloads, blocks these actions, and we’ve tested it.”
That level of specificity makes an improvement action defensible for an ATO or audit.
So for each action, define what “done” looks like, then attach evidence that proves you got there.
Here’s what recommended evidence looks like for Copilot.
For identity controls, attach Conditional Access policy exports showing which users are in scope, what device compliance requirements apply, and what session controls are enforced.
For DLP and sensitivity labels, attach policy configurations showing which labels are published, which DLP rules apply to Copilot workloads, and what actions are blocked or audited.
For audit log coverage, attach test results. Show you can query Copilot activity in the audit log, that retention keeps those logs long enough, and that you can investigate when needed.
For retention and eDiscovery, attach validation showing how Copilot interactions fit your records schedules and that legal holds can capture Copilot data when required.
This is not theoretical. This is, “Here’s the policy, here’s the test, here’s the result.” That’s what goes into Compliance Manager as evidence and what you’ll pull when auditors ask for proof.
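As an added example that is not part of the original script, here is how the audit-log coverage evidence above can be produced rather than described: the query pulls Copilot interaction records from the unified audit log over the window you claim retention covers, summarizes what an auditor wants to see, and writes both the summary and the raw records to files you can attach to the improvement action. It assumes the ExchangeOnlineManagement module, an account holding an audit-reading role, and a GCC High tenant (the ExchangeEnvironmentName value and the 180-day window are assumptions; adjust both to your environment).

```powershell
# Added example, not from the original page. Assumes the ExchangeOnlineManagement module
# and an account with an audit-reading role (e.g. View-Only Audit Logs).
Import-Module ExchangeOnlineManagement
# Assumed GCC High tenant; omit -ExchangeEnvironmentName for commercial or GCC tenants.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

# The window you claim retention covers. 180 days is a constructed sample value.
$RetentionDays = 180
$EndDate   = Get-Date
$StartDate = $EndDate.AddDays(-$RetentionDays)

# Page through all records. "CopilotInteraction" is the unified audit log record type
# for Microsoft 365 Copilot activity; ReturnLargeSet pages 5000 records per call.
$SessionId = "copilot-evidence-" + (Get-Date -Format yyyyMMddHHmmss)
$Records = @()
do {
    $Batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -RecordType CopilotInteraction -SessionId $SessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($Batch) { $Records += $Batch }
} while ($Batch -and $Batch.Count -eq 5000)

# Evidence an auditor wants: records exist, who generated them, and how far back
# the oldest retained record reaches relative to the claimed window.
$Oldest = ($Records | Sort-Object CreationDate | Select-Object -First 1).CreationDate
# Heuristic: coverage holds if the oldest record sits within a week of the window start.
# No records at all is inconclusive (no activity or no retention), so it reports $false.
$Covered = $false
if ($Oldest) { $Covered = $Oldest -le $StartDate.AddDays(7) }

$Summary = [pscustomobject]@{
    QueryWindowStart = $StartDate
    QueryWindowEnd   = $EndDate
    RecordCount      = $Records.Count
    DistinctUsers    = ($Records.UserIds | Sort-Object -Unique).Count
    OldestRecord     = $Oldest
    RetentionCovered = $Covered
}
$Summary | Format-List

# Write summary and raw records; attach both to the Compliance Manager action.
$Stamp = Get-Date -Format yyyyMMdd
$Records | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path ".\copilot-audit-evidence-$Stamp.csv" -NoTypeInformation
$Summary | ConvertTo-Json | Set-Content -Path ".\copilot-audit-summary-$Stamp.json"
```

Run it on a schedule and keep each dated output; the series of summaries is the evidence that retention keeps Copilot activity retrievable over time, not just on the day of the audit.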
Reporting: how to brief leadership and auditors
So you’ve built your assessment. You’ve tracked your actions. You’ve attached evidence. Now you need to report status.
Compliance Manager gives you a few different views for this.
You’ve got a compliance score. That’s a rollup number that shows how much of your planned work is complete. It’s useful as a high-level indicator, but don’t over-rely on it. The real value is in the detail.
You’ve got a list of improvement actions filtered by status. You can show leadership what’s implemented, what’s in progress, and what’s not started. That’s your simple status story.
Here’s how to structure that story for a briefing.
Start with what controls are implemented. “We have Conditional Access policies enforcing device compliance and MFA for all Copilot users. We have DLP policies blocking external sharing of sensitive content. We have audit logging configured and tested.”
Then talk about what risks remain. “We’re still implementing sensitivity label enforcement for all pilot users. That’s due next week. We’re still finalizing our retention policy for Copilot chat data. That’s due in two weeks.”
Then close with what’s next and when. “Our remaining actions are scheduled through the end of the month. We’ll have a full compliance posture ready for the ATO package by March 1st.”
That’s a defensible, accurate, and reportable status update. And you can pull it straight from Compliance Manager.
Close: keep it alive post-rollout
One last thing: Compliance Manager isn’t just for the initial ATO.
Compliance is ongoing. Copilot evolves. Microsoft adds new features. Your agency makes new risk decisions. Your threat model changes.
Use Compliance Manager to track that drift. When a new Copilot feature lands, create a new improvement action. When an audit finding comes back, track the remediation. When a policy needs updating, document it and attach the new evidence.
Compliance Manager is your system of record. Keep it current, and it’ll keep you ready for the next audit, the next ATO review, or the next leadership question.
Sources & References
- Microsoft Purview Compliance Manager — Compliance Manager overview and capabilities
- Compliance Manager Assessments — How assessments work, including actions, scoring, and tracking
- Copilot AI Security — Copilot security model and control areas used to define assessment scope