The three tiers your firm already has — enforced.
Your data classification policy names the tiers. The Data Sovereignty Rules Framework turns each tier into a running rule: which AI models may see it, where it may travel, and what happens the moment a prompt tries to cross the line.
One sovereignty rule per tier
Financial firms classify data in remarkably consistent ways. We adopted the industry's standard three tiers — then gave each one a technical rule the platform enforces on every prompt.
Public / Low Sensitivity
Marketing materials, published research, general product information, press releases.
- Broadly available — no confidentiality requirements
- Basic integrity controls to prevent unauthorized edits
- Shareable externally without approval
- Models
- Any approved model — frontier models included
- Data path
- May leave your environment on approved routes
- Controls
- Integrity checks and standard logging
Internal / Confidential
Internal reports, non-public business strategy, vendor contracts, aggregated (non-identifiable) client data.
- Employees and authorized contractors only — role-based access
- Encryption at rest and in transit, access logging
- Need-to-know sharing across departments
- Models
- Powerful models on governed, org-approved routes only
- Data path
- Org-controlled, logged, compliance-reportable calls
- Controls
- Identity-bound access, DLP screening, full audit trail
Highly Restricted / Regulated
Customer PII, transaction records, trading algorithms, KYC/AML data, material non-public information (MNPI).
- Strict least-privilege access with information barriers
- Strong encryption, continuous monitoring, DLP tooling
- Governed by GLBA, SEC/FINRA rules, Reg S-P, CCPA/CPRA
- Models
- In-tenant Azure models or local models on your hardware only
- Data path
- Prompts physically cannot reach external endpoints
- Controls
- Circuit breakers, dual-layer DLP, immutable audit trails
A practical note on Tier 3.
Many firms split Tier 3 into “Restricted” and “Highly Restricted” — MNPI carries insider-trading risk while PII carries identity-theft risk, and the failure modes differ. The framework supports as many tiers as your policy defines; three is simply where most firms start. Your compliance and legal teams map the tiers to the statutes that apply to your license type and jurisdiction — the framework makes their mapping enforceable.
What happens when someone hits Enter
The framework isn't a quarterly review. It runs in the request path — four checks between a keystroke and a model.
Classify
The assistant, its connectors, and the data involved establish which tier the interaction touches — inherited from your existing labels and permissions.
Route
The sovereignty policy selects the allowed destination: frontier models for Tier 1, governed routes for Tier 2, in-tenant or local models for Tier 3.
Enforce
DLP and Generative Rules screen the content itself. Circuit breakers stand ready to interrupt or constrain the interaction if conditions trip.
Record
The full decision — user, tier, model, route, outcome — lands in an immutable audit trail your compliance team can search and report on.
The enforcement stack behind the rules
Six technical controls make the tiers real. None of them depend on people remembering the policy.
Assistants carry the rules
Each assistant is built for a job and carries the tier rules for that job. A trading-desk assistant and a marketing assistant get different models, different data, different boundaries — by default.
Connectors honor permissions
Connectors decide what data an assistant can reach. They honor your existing access controls and sensitivity labels, so the AI only ever sees what the authenticated person already can.
Sovereignty policy checks every prompt
Set the rule once per tier: which models, for which teams, with which data. Every prompt is evaluated against that policy before anything moves — not reviewed after the fact.
Dual-layer protection watches content
Deterministic DLP pattern matching catches SSNs, account numbers, and sensitive data patterns. AI-powered Generative Rules catch the behavioral cases regex can't.
Circuit breakers act in real time
When defined conditions are met, enforcement can interrupt, constrain, or stop an interaction as it happens — a technical control, not a policy reminder.
Immutable audit trails record it all
Who asked what, which model answered, which tier the data belonged to, what the policy decided. Answer regulators with evidence rather than assertions.
The framework builds on our Data Sovereignty architecture — the whole platform runs inside your own cloud. See also Transparency & Audit Trails and Governance & Compliance.
We didn't invent a new taxonomy
The framework applies the same tiered-sensitivity and AI-data-control principles Microsoft documents for Purview and Entra — extended across every model and every assistant, not just Microsoft 365 Copilot.
Same tiered-sensitivity shape
Our three tiers mirror the sensitivity label taxonomy Microsoft recommends in Purview — Public, General, Confidential, Highly Confidential — collapsed to the tiers most regulated firms already run.
Microsoft Learn — Default sensitivity labels and policiesSame idea as DSPM for AI, generalized
Microsoft's own answer to “should AI see this data?” is Purview DSPM for AI, which can block Microsoft 365 Copilot from processing content carrying certain sensitivity labels. Our Tier 3 rule applies that logic to every model and every assistant — not just Copilot.
Microsoft Learn — Purview DSPM for AIIdentity-bound access, not a new model
Every assistant acts through the user's own Microsoft Entra ID, honoring the verify-explicitly and least-privilege principles Microsoft documents as the identity pillar of Zero Trust.
Microsoft Learn — Identity, the first pillar of Zero TrustAudit trails in the same spirit as Purview
Microsoft's Purview audit logs capture every Copilot and AI-application interaction — who, when, what was touched. Our immutable audit trail holds every model and assistant to that same evidentiary standard.
Microsoft Learn — Audit logs for Copilot and AI applicationsNote: Microsoft also uses “sovereignty” to describe Microsoft Sovereign Cloud, its data-residency and operational-sovereignty offering for governments and regulated industries. That's a different, broader layer — infrastructure and residency. This framework operates one level up: which model may see which tier of data, enforced on every prompt, regardless of where your infrastructure sits.
Regulators are asking the enforcement question
The SEC's amended Reg S-P is in full effect as of June 2026, and examiners increasingly ask not whether your safeguards exist on paper, but whether they operate when AI touches customer information.
A tiered framework that routes by sensitivity, blocks by policy, and logs immutably answers that question with a report — not a story.
Explore Reg S-P readinessReg S-P & SEC/FINRA rules
Safeguards and incident response for customer information — the primary driver for broker-dealers and advisers.
GLBA & state privacy laws
Gramm-Leach-Bliley and CCPA/CPRA-style statutes govern PII handling, breach notification, and retention.
MNPI & information barriers
Insider-trading exposure demands barriers between desks — a different failure mode than identity theft, with different controls.
See your tiers as running policy
Bring your firm's classification policy. We'll walk through how each tier becomes an enforced sovereignty rule inside your own environment.
Read the thinking behind the framework: How We See Data Privacy Protections