IronSights

Microsoft 365 & cloud

Insider Risk Management

A Microsoft Purview capability that uses behavioural analytics to detect and investigate risky activities by current or former employees — such as data exfiltration before resignation, policy violations, and security breaches.

Also known as: insider risk policies, insider risk monitoring

In plain English

Insider Risk Management monitors patterns of behaviour that could indicate an employee is stealing data, violating policies, or acting maliciously. It can correlate signals from HR systems (resignation triggers), file access logs, Teams messages, and email to detect patterns like "downloaded 500 files the week before their last day" — without invasive real-time surveillance.

Full definition

Insider Risk Management is part of Microsoft Purview and uses machine learning to score users' risk level based on sequences of activity. Policies define the indicators to watch, such as a sequence of sensitive file downloads, external email sends, and USB uploads occurring in close proximity.

Privacy is built into the workflow. User identities are anonymised during initial investigation and only de-anonymised by authorised investigators when a case warrants escalation. This balances the need to detect insider threats against employee privacy expectations.
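The trigger-plus-sequence idea and the pseudonymised triage described above, as an added example that is not code from Microsoft Purview or from this glossary. It is a simplified rule rather than the product's machine-learning scoring; the event names, one-hour window, key and `investigator` role are assumptions, and the events are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

PSEUDONYM_KEY = b"constructed-demo-key"   # assumption: held by the case system
WINDOW = timedelta(hours=1)               # assumption: meaning of "close proximity"
TRIGGER = "resignation_submitted"         # HR triggering event (hypothetical name)
EXFIL = {"external_email", "usb_copy"}    # hypothetical indicator names

# Constructed sample events (not real audit data): (timestamp, user, activity)
EVENTS = [
    ("2024-05-01T09:00", "alice", "resignation_submitted"),
    ("2024-05-01T09:30", "bob", "resignation_submitted"),
    ("2024-05-02T10:00", "alice", "sensitive_download"),
    ("2024-05-02T10:20", "alice", "external_email"),
    ("2024-05-02T10:45", "alice", "usb_copy"),
    ("2024-05-02T11:00", "bob", "sensitive_download"),
    ("2024-05-03T08:00", "carol", "sensitive_download"),
    ("2024-05-03T08:10", "carol", "usb_copy"),
    ("2024-05-09T11:00", "bob", "external_email"),
]

def pseudonym(user):
    """Stable alias shown to analysts during initial triage."""
    digest = hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()
    return "AnonUser-" + digest[:8]

def detect(events):
    """Return {alias: exfil steps seen within WINDOW of a download}."""
    alerts, in_scope, last_download = {}, set(), {}
    for ts, user, activity in sorted(events):
        when = datetime.fromisoformat(ts)
        if activity == TRIGGER:
            in_scope.add(user)
        elif user not in in_scope:
            continue  # no triggering event yet: activity is not scored
        elif activity == "sensitive_download":
            last_download[user] = when
        elif activity in EXFIL and user in last_download:
            if when - last_download[user] <= WINDOW:
                alias = pseudonym(user)
                alerts[alias] = alerts.get(alias, 0) + 1
    return alerts

def reveal(alias, role, users):
    """De-anonymise only for an authorised role."""
    if role != "investigator":
        raise PermissionError("role may not de-anonymise")
    return next(u for u in users if pseudonym(u) == alias)
```

Only the user with both a triggering event and a tight download-then-exfiltration sequence is alerted on; the user whose steps are a week apart and the user with no trigger are not.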
