What AI compliance asks of you now
AI compliance has shifted from principles to obligations. Several frameworks now set expectations for how organizations govern, document, and secure the AI they build and deploy. The common thread is the same one Siemserva applies to the rest of Microsoft 365: know what you have, control who and what it can reach, and prove it.
A risk-based law for AI systems placed on the EU market, with obligations that scale by risk tier and phase in over time. It pushes organizations toward inventory, risk classification, documentation, and human oversight of AI.
A voluntary US framework built around Govern, Map, Measure, and Manage. It is widely used as a practical structure for managing AI risk, including for generative AI.
The first management-system standard for AI, the AI equivalent of an ISO 27001 style program: policies, roles, controls, and continual improvement for responsible AI.
A practical catalog of the most common risks in LLM and agent applications, prompt injection, excessive agency, sensitive data exposure, that maps directly to controls you can enforce.
Microsoft's own guidance and Copilot governance controls, content filtering, data boundaries, and admin settings, set the baseline for AI deployed inside Microsoft 365.
The common thread
Inventory your AI, apply least privilege, keep a human in the loop, filter content, monitor, and test. These are configuration and posture questions, which is exactly what Siemserva assesses.
Frameworks evolve and obligations vary by jurisdiction and risk tier. Treat this as orientation, not legal advice, and confirm specifics with your compliance team.
AI compliance does not stand alone, and neither does Siemserva
An AI agent's risk is the risk of the identity it runs as, the data it can reach, and the tenant around it. Siemserva goes wall to wall across the Microsoft 365 stack, and treats Copilot and AI agents as part of that surface, not a separate afterthought.
Entra ID identity
MFA, Conditional Access, PIM, risky users, break-glass, FIDO2, OAuth and app credentials. 200+ checks.
Intune devices
Compliance and configuration policies, BitLocker, ASR, antivirus, firewall, update rings. 190+ checks.
Exchange & email
Anti-phishing, anti-malware, anti-spam, and Safe Links protection.
SharePoint & OneDrive
Sharing, access, and admin settings that quietly expose data.
Teams
Meeting, messaging, and external-access posture.
Purview
Sensitivity labels, retention, DLP, and unified audit log health.
Azure & subscriptions
Subscription role definitions and Azure RBAC assignments.
Copilot & AI
Copilot and AI agent configuration, the new attack surface.
How Siemserva checks your Microsoft AI agents
Siemserva assesses Microsoft Copilot and AI agent configuration against seven AI security controls, drawn from the same risk themes the frameworks above describe. It also discovers the agent identities living in your tenant and surfaces Copilot usage, so the agents nobody registered as a risk still show up.
Approved models
Whether AI usage is restricted to an approved, governed set of models rather than anything a user can wire up.
Multi-layered content filtering
Whether content filtering and data-loss controls are layered around AI inputs and outputs, not left to the model alone.
Safety meta-prompts
Whether system-level safety instructions constrain agent behavior and resist prompt injection.
Least privilege for agent functions
Whether agent identities and the functions they call are scoped tightly, so an agent cannot reach more than it should.
Human in the loop
Whether high-impact agent actions keep a person in the decision, rather than acting fully autonomously.
Monitoring and detection
Whether AI and agent activity is logged and monitored so misuse and anomalies can be detected.
Continuous red team
Whether AI agents are tested adversarially on an ongoing basis, not assessed once and forgotten.
Agent identities and Copilot usage
Alongside the seven controls, Siemserva surfaces the agent identities (app registrations and service principals) in your tenant and Copilot usage, tied back to the identity and privileged-access findings around them.
Microsoft's AI governance surface is still maturing, and not every setting is exposed through an API yet. Where a control cannot be read directly, Siemserva emits clear, advisory guidance so an operator can verify it, rather than pretending a gap does not exist. As Microsoft exposes more, Siemserva deepens these checks.
See what a full check finds, free, two ways
No tenant access required. Both run on a rich, realistic simulation so you can learn what a thorough Microsoft 365 security check looks like, what Siemserva surfaces, and what other tools miss.
Advanced Microsoft 365 Security Simulator
Explore the full dashboard, findings, AI analysis, and reports against a realistic demo tenant. Run siemserva demo dashboard after install, no key needed, or ask for a free key to go further.
The game: You v. Claude
Learn Microsoft 365 security by playing. A conversational quiz on real findings with Claude, five skill levels, and override moments when you catch the AI. Genuinely fun, genuinely educational.
Play the gameReady to check your own tenant?
When you want to run the check against your real Microsoft 365 environment, request a key and scan in minutes. No agents, no cloud, Windows and Mac. 501(c)(3) nonprofits get the full version free.
Drive it from the full Senserva UI, or entirely from Claude via MCP, your choice, over the same data.
Get a keyFrequently asked
Is the Microsoft 365 security check free?
You can explore a full check for free on our advanced simulation, and in the game, with no tenant access required. That is the best way to learn what a thorough check looks like and what Siemserva finds. To run the check against your own Microsoft 365 tenant you use a license key; 501(c)(3) nonprofits get the full version free.
How do I check my Microsoft 365 security settings?
Install Siemserva, run the advanced simulation to see how it works, then point it at your tenant with a key. It reads your configuration across Entra ID, Intune, Exchange, SharePoint, Teams, OneDrive, and Purview, ranks the findings by Severity, maps them to compliance controls, and gives you a validated remediation for each.
How is this different from Microsoft Secure Score?
Secure Score gives you a number. A Siemserva check gives you the specific misconfigurations behind it, ranked by Severity, each with the underlying evidence, the control it maps to, and a fix, across far more than Secure Score covers, with an AI interface on top.
Do I need to install an agent or connect to the cloud?
No agents and no cloud service. Siemserva runs on Windows or Mac and reads your tenant through Microsoft's APIs. The simulation needs nothing but the download.
Does Siemserva check Microsoft Copilot and AI agents today?
Yes. Siemserva assesses Copilot and AI agent configuration against seven AI security controls: approved models, multi-layered content filtering, safety meta-prompts, least privilege for agent functions, human in the loop, monitoring and detection, and continuous red team. It also discovers agent identities in your tenant and surfaces Copilot usage. Where a setting is not yet exposed by Microsoft's APIs, Siemserva gives clear advisory guidance to verify it.
Does Siemserva make me compliant with the EU AI Act or ISO 42001?
No single tool makes you compliant on its own, and AI obligations vary by jurisdiction and risk tier. Siemserva helps with the technical posture side: it assesses the AI and agent configuration in your Microsoft 365 tenant, ranks the gaps, and gives you evidence and validated remediation you can take into a broader compliance program. Confirm legal specifics with your compliance team.
Why treat AI agents as part of Microsoft 365 security, not separately?
Because an agent's risk is the risk of the identity it runs as and the data it can reach. An over-permissioned agent identity is an Entra ID problem; an agent reaching sensitive content is a Purview problem. Siemserva already assesses those layers, so it checks AI agents in the same context as the rest of the tenant rather than in isolation.
Helpful links
Authoritative references on AI compliance frameworks and Microsoft AI governance. Each opens in a new tab.
The European Commission's regulatory framework for AI, including risk tiers and obligations.
The Govern, Map, Measure, and Manage framework for AI risk, including generative AI.
The international management-system standard for artificial intelligence.
The OWASP GenAI Security Project's catalog of the most common LLM and agent risks.
CISA's Secure Cloud Business Applications baselines for Microsoft 365.
Microsoft's responsible AI principles, standards, and governance resources.
Microsoft Purview controls for data security and compliance of AI, including Copilot.
How Microsoft 365 Copilot handles data, privacy, and tenant boundaries.