DSPM is one product now. Here is what actually changed
Microsoft merged DSPM and DSPM for AI into a single solution in May 2026. Where your old workflows went, what is genuinely new, and the setup details that catch people out.
What happened
In May 2026 Microsoft merged Data Security Posture Management and DSPM for AI into a single solution, now generally available. In the Purview portal it sits under Solutions > DSPM.
The old products did not disappear. They were renamed Data Security Posture Management (classic) and DSPM for AI (classic), and both still work. But Microsoft has been clear: new features land in the unified version only. The classics are in maintenance mode.
Two things are still in preview even though the product is GA: partner integrations for non-Microsoft data sources, and the Data Security Posture Agent. Worth knowing before you demo either to stakeholders.
The mental model changed: objectives, not solutions
The old DSPM showed you dashboards organised by Purview solution. The new one is organised around data security objectives - outcome cards like Prevent oversharing of sensitive data, Prevent exfiltration to risky locations, Prevent data exposure in Copilot interactions, and Discover sensitive data in your organisation.
Pick an objective and it walks you through an end-to-end workflow: the relevant mix of Information Protection, DLP, Insider Risk, and eDiscovery, with one-click policies and a prioritised action list tailored to your tenant. Each outcome card shows metrics like policy coverage percentage and risky sharing incidents, so you can track progress without stitching together reports.
This is a genuine improvement for one specific reason: it answers the question practitioners actually get asked. Nobody in leadership asks how your DLP policies are configured. They ask whether sensitive data is leaking. The objectives map to that conversation.
Where your old workflows went
If you used either classic version, the tasks still exist but moved:
One-click default policies (the old DSPM for AI staples) now live under Tasks and actions > Remediation actions. Same policies, new home.
Data risk assessments for oversharing are under Discover > Data risk assessments, with default and custom assessments.
AI activity tracking is under Discover > Activity explorer, with a dedicated AI activities tab showing prompts, responses, and DLP rule matches in AI interactions.
The AI app inventory got promoted. AI observability is now a top-level page covering every AI app and agent active in the last 30 days, including Agent 365 agents, with high-risk counts and sensitive-interaction totals.
Microsoft publishes a full task mapping table for both classics. Search 'Find familiar tasks DSPM' on Learn if something you relied on is not where you expect.
What is genuinely new
Third-party data coverage. Through Microsoft Sentinel data lake plus partner solutions (Varonis, Cyera, BigID, OneTrust), DSPM can now show posture insights for Google Cloud Platform, Snowflake, Databricks, and Salesforce. Still in preview, and it needs the Sentinel integration set up first.
Security Copilot is embedded, and agents can act. Beyond asking natural-language questions about your posture, AI agents can take remediation actions on detected risks: removing public sharing links, applying DLP policies, revoking permissions. You review and approve, and every action is audited. Triage agents also filter DLP and Insider Risk alert queues.
Proactive exfiltration insights. The exfiltration objective can auto-create a Data Security Investigations investigation that refreshes every 24 hours, showing risk counts across five categories without anyone manually building an investigation.
Administrative unit support arrived with GA, bringing parity with the classics for delegated administration.
The details that catch people out
First run is not instant. DSPM prompts you to accept setup tasks on first use, then needs a day or so before real tenant data shows up. Do not open it for the first time in front of an audience.
Permissions: you need Compliance Administrator (the Entra role or the Purview role group). Security Copilot features additionally need the Data Security Viewer role, and Security Copilot itself needs provisioned capacity, which is a separate cost conversation.
The portal has three DSPM entries. DSPM, DSPM (classic), and DSPM for AI (classic). Bookmark the right one and tell your team which is which, because the classics still look alive.
Inactive tenants get paused. If nobody opens DSPM for 60 days, processing of Microsoft 365 data stops to save resources. It resumes automatically when you return, but expect a gap in the data.
Asset explorer's Microsoft coverage is Microsoft 365 only. Azure and Fabric insights come through other routes, and non-Microsoft locations need the partner integrations.
What to actually do with it
DSPM consolidates signals from labels, DLP, and Insider Risk. It is only as good as the foundations underneath it. If your labelling is patchy and your DLP policies are noise, DSPM will faithfully report a mess.
A sensible first month: open DSPM and accept the setup tasks, give it a day, then work through the objectives in the order it ranks them. Run a data risk assessment to find oversharing before Copilot does. Review the AI observability inventory, because the list of AI apps with sensitive interactions in your tenant is usually longer than anyone expects.
Then go back to fundamentals. The objectives will point you at gaps in labelling and DLP coverage, and those are still fixed in the underlying solutions, not in DSPM itself.