
Purview Governs Your Microsoft AI. What Governs Everything Else?


Microsoft Purview is a serious governance platform. It captures Copilot prompts and responses, maps them to sensitivity labels, applies DLP policies, retains audit logs, and produces EU AI Act-aligned compliance reports. For enterprises running Microsoft AI workloads, it is the right tool.

The problem is the word "Microsoft."

What Purview actually covers

Purview governs AI interactions from Microsoft 365 Copilot, Copilot Studio agents, Azure OpenAI applications, and Microsoft Foundry deployments. It connects directly to Microsoft's tenant infrastructure, which gives it genuine depth: prompt-level logging, grounding source tracking, user-level risk scoring, and integration with Compliance Manager's EU AI Act assessment template.

That is a real compliance capability. For the Microsoft stack, it is close to what the EU AI Act Article 26 requires from deployers.

What Purview cannot reach

The average enterprise in 2026 runs 6-8 AI vendors simultaneously. Purview covers at most 2-3 of them.

What falls outside Purview's governance boundary:

  • Anthropic Claude direct — claude.ai subscriptions, API integrations, Claude Code
  • Google Gemini direct — Gemini for Workspace, Vertex AI deployments outside Azure
  • AWS Bedrock — Claude on Bedrock, Llama on Bedrock, Titan, Mistral via Bedrock
  • IBM Watsonx — Granite models, Watsonx.ai API
  • xAI Grok — SuperGrok, Grok Business
  • Meta Llama — self-hosted, via Groq, via Together.ai

Every one of these is a separate GPAI provider, and each carries its own separate set of Article 26 deployer obligations. None of them flows into Purview's audit trail. None of them appears in Compliance Manager's EU AI Act assessment.

Why this is an Article 26 problem

Article 26 of the EU AI Act requires deployers of high-risk AI systems to:

  • Maintain an inventory of every high-risk use case
  • Assign human oversight with documented competence and authority
  • Retain automated logs for at least six months
  • Complete a Fundamental Rights Impact Assessment before first deployment
  • Notify affected workers
  • Ensure transparency disclosures are live for affected persons

These obligations apply per vendor, per use case. An enterprise using Claude for CV screening and Copilot for the same use case has two separate sets of Article 26 obligations — not one. Purview handles the Copilot side. Nothing handles the Claude side.

The compliance gap in practice

Consider a financial services firm running:

  • M365 Copilot for document drafting → Purview covers this
  • GitHub Copilot for code review → Purview covers this (Microsoft umbrella)
  • Claude direct for credit assessment → no governance tooling
  • AWS Bedrock (Llama) for loan document processing → no governance tooling
  • Grok for market analysis → no governance tooling

Three of five vendors are ungoverned from an Article 26 perspective. If credit assessment or loan processing is classified as Annex III high-risk — which both are, under the essential services domain — the firm has compliance exposure on every use case running outside the Microsoft stack.

The GPAI compliance layer underneath

Before you can close your Article 26 evidence pack, you need to understand your vendors' own GPAI obligations. This is where the gaps deepen.

Microsoft, Google, Anthropic, IBM, and Mistral all signed the GPAI Code of Practice in full — which means their compliance documentation is available and their transparency obligations are being met. For enterprises deploying these vendors, the upstream documentation gap is closed.

Two vendors are different:

xAI Grok signed only the Safety and Security chapter. The Transparency and Copyright chapters — required under Article 53 for all GPAI providers — are being demonstrated via "alternative adequate means" that the EU AI Office will evaluate case by case. Enterprises deploying Grok in Annex III use cases need to request xAI's alternative compliance documentation directly and store it in their Article 26 evidence pack.

Meta Llama refused to sign any chapter of the GPAI Code of Practice. This places Llama under enhanced scrutiny from the EU AI Office. For enterprises deploying Llama, there is zero upstream compliance documentation from the provider — the full Article 26 evidence burden falls on the deployer.

One important distinction: Llama deployed via AWS Bedrock sits under Amazon's Code of Practice (CoP) signatory umbrella. Self-hosted Llama does not. The same model, two completely different compliance postures.

What the Purview gap means for your August 2 deadline

For enterprises relying on Purview as their EU AI Act compliance solution, the coverage looks complete from inside the Microsoft admin console. From an auditor's perspective, it is not.

The Article 26 evidence pack your legal team will need to produce covers every high-risk AI use case — not just the ones running through Microsoft infrastructure. The gap between what Purview captures and what the regulation requires is where most enterprise compliance programs are currently exposed.

The practical question before August 2 is not "do we have Purview?" It is "what governs the other four vendors?"


See your organization's AI spend data

PromptKing connects to your AI vendors and surfaces exactly this analysis — for your seats, your vendors, your budget.
