Module 06 — Protection & Enforcement

Non-Standard Policy Development

AI-assisted SIT engineering · Single-prompt lifecycle · PowerShell automation · Power Automate approval gates

What Is Non-Standard Policy Development?

Non-Standard Policy Development (NSPD) is the engineering discipline for creating Microsoft Purview sensitive information types (SITs), DLP rules, and DLP policies for operational artifacts that built-in SITs cannot reliably detect — documents such as subpoenas, internal investigations, personnel actions, governance markings, and other intent-bearing content.

Where standard DLP relies on structured PII patterns (credit card numbers, SSNs), NSPD targets meaning and intent: a subpoena is dangerous not because of the numbers it contains, but because of what it is. The NSPD framework uses the SitPak 2026 methodology to build context-rich, interpretable detection that dramatically reduces false positives and surfaces actionable telemetry directly in Activity Explorer.

Single-prompt model: The entire pipeline — baseline extraction, discovery, SIT engineering, rule design, policy deployment, and approval routing — is triggered from one structured domain instruction such as: "Non-Standard Policy Development today: Legal."
End-to-End Pipeline
01 Domain Intake: Structured prompt defines domain, mode, locations, and deployment target
02 Baseline Extract: Export current SITs, DLP policies, rules, and configs via PowerShell
03 File Discovery: Filename-pattern corpus harvest for candidate content identification
04 Content Analysis: AI mines anchors, dictionaries, facets, and suppressor patterns
05 SIT Engineering: Generate or modify XML rule packages for discovery and production SITs
06 Rule & Policy: Create or update DLP rules and policies scoped to target workloads
07 Approval Gate: Power Automate routes manifest for Legal / Compliance / Security review
08 Deploy & Tune: Deploy in Test mode, validate telemetry, promote to enforcement
Automation Architecture
🤖 AI Agent — Analysis & Authoring
Parses domain intent. Compares current and desired state. Mines corpus features. Proposes SIT dictionaries, regex, proximity, and confidence settings. Emits XML rule packages, PowerShell scripts, and approval manifests.
Domain parsing · Baseline comparison · SIT authoring · XML generation · PS1 script generation
Power Automate — Approval & Orchestration
Receives AI-generated deployment manifest. Routes approval to Legal / Compliance / Security stakeholders. Records approver identity and timestamps. Triggers PowerShell execution after approval. Writes change metadata to audit log.
Gate 1: Discovery auth · Gate 2: Test deploy · Gate 3: Enforcement · Audit logging
💻 PowerShell — Execution Plane
Connects to Purview via Connect-IPPSSession. Exports baseline state. Imports or updates SIT rule packages. Creates or updates DLP policies and rules. Runs in TestWithNotifications mode by default until Gate 3 approval.
Connect-IPPSSession · Get-DlpCompliancePolicy · New-DlpSensitiveInformationTypeRulePackage · New-DlpCompliancePolicy · New-DlpComplianceRule
🛡️ Microsoft Purview — Control Plane
Stores and syncs DLP policies, SITs, and rules. Enforces controls on Exchange, SharePoint, OneDrive, Teams, endpoints, and Copilot. Surfaces telemetry in Activity Explorer for validation and tuning.
Custom SIT Rule Packages · DLP Policies & Rules · Activity Explorer · TestWithNotifications mode
Thematic Domain Packs (NSSITPak)
Each domain pack is an independent v2 Packed SitPak — a single custom SIT containing all primary elements, supporting dictionaries, and risk facets for that domain. Complex and Simple variants are available. Hybrid filename detection rules are supported at the DLP policy level during the discovery phase.
🔐 Security-Complex / Simple

Detects sensitive internal security investigation and incident documents. Targets content describing active investigations, damage assessments, and threats — not generic security policy documentation.

Sub-Topics Covered
  • Internal Investigation
  • Damage Assessment
  • Threat of Violence
  • Breach Impact Assessment
  • Insider Threat Reports
Hybrid Filename Discovery Patterns
internal-investigation*.pdf  ·  damage-assessment*.docx  ·  threat-of-violence*.msg
breach-impact*.pdf  ·  incident-report*.docx  ·  insider-threat*.pdf
👥 HR-Complex / Simple

Detects sensitive HR investigation and disciplinary documents. Distinguishes actual active investigations from routine HR policy communications, training documents, or process guides.

Sub-Topics Covered
  • HR Investigation
  • Employee Investigation
  • Harassment Investigation
  • Workplace Investigation
  • Disciplinary Actions
Hybrid Filename Discovery Patterns
HR-investigation*.pdf  ·  employee-investigation*.docx  ·  harassment-investigation*.pdf
workplace-investigation*.docx  ·  disciplinary*.pdf
🏛️ Governance-Complex / Simple

Detects controlled unclassified information (CUI) and TLP-marked documents. Targets the presence of formal governance markings and their accompanying authorization and handling instructions.

Sub-Topics Covered
  • CUI (Controlled Unclassified Information)
  • TLP:RED
  • TLP:AMBER
  • Official Use Only
Hybrid Filename Discovery Patterns
CUI*.pdf  ·  CUI-marked*.docx  ·  TLP-RED*.pdf  ·  TLP-AMBER*.docx
controlled-unclassified*.pdf  ·  official-use-only*.docx
SitPak 2026 Methodology
v1 — Discrete SitPak

Multiple individual SITs combined at the policy layer. Each facet is a separate SIT with its own Activity Explorer entry. Maximum telemetry granularity. Best for stable, well-defined identifiers (CCN, banking, driver's license).

  • Very high telemetry detail per facet
  • Higher administrative overhead
  • Multiple SIT objects to manage
v2 — Packed SitPak (2026)

Single custom SIT with multiple internal patterns. All primary, dictionary, and facet logic is encapsulated. Lower overhead. Best for non-standard document-class artifacts like subpoenas, investigations, CUI, and TLP markings.

  • Single SIT object — easier to manage
  • Lower administrative overhead
  • Facets internal to patterns (less granular telemetry)
Key principle: SitPaks are a methodology, not an object type. v1 and v2 coexist. v1 for standard PII. v2 for non-standard operational artifacts. Both are valid and supported.
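As an added example (not part of the module and not code from any NSSITPak release), the shape of a v2 Packed SitPak rule package built as a PowerShell here-string and imported: one Entity whose two Patterns are the facets, sharing two constructed keyword dictionaries. The "Legal-Complex" name, the terms and the publisher are hypothetical; it assumes an open Connect-IPPSSession and that no package of this name exists yet.

```powershell
$packId, $pubId, $entityId = 1..3 | ForEach-Object { [guid]::NewGuid() }  # fresh ids for this package
$rulePack = @"
<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$pubId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Example Org (hypothetical)</PublisherName>
        <Name>Legal-Complex Rule Pack</Name>
        <Description>v2 Packed SitPak: one SIT, several facets</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- One SIT; each Pattern is a facet at its own confidence level -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="85"> <!-- primary anchor plus a supporting term within 300 characters -->
        <IdMatch idRef="Keyword_LegalAnchor"/>
        <Match idRef="Keyword_LegalSupport"/>
      </Pattern>
      <Pattern confidenceLevel="65"> <!-- primary anchor alone -->
        <IdMatch idRef="Keyword_LegalAnchor"/>
      </Pattern>
    </Entity>
    <Keyword id="Keyword_LegalAnchor">
      <Group matchStyle="word">
        <Term caseSensitive="false">subpoena</Term>
        <Term caseSensitive="false">search warrant</Term>
      </Group>
    </Keyword>
    <Keyword id="Keyword_LegalSupport">
      <Group matchStyle="word">
        <Term caseSensitive="false">duces tecum</Term>
        <Term caseSensitive="false">you are hereby commanded</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Legal-Complex</Name>
        <Description default="true" langcode="en-us">Legal process documents</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
# Import; -FileData takes the raw bytes (UTF8.GetBytes adds no BOM, so the XML declaration stays first)
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.Text.Encoding]::UTF8.GetBytes($rulePack))
```

Keep the generated GUIDs together with the versioned XML: a later Set-DlpSensitiveInformationTypeRulePackage is matched on the RulePack id, and the Resource idRef must equal the Entity id.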
Detection Performance Comparison
Method                           True Positives   False Positives   Undetermined   Triage Time
Built-in Single SIT              47%              34%               18%            Minutes per event
v1/v2 SitPak (Multi-Dictionary)  87%              0.08%             0.02%          Seconds per event
Evidence Scoring Model

Before converting content analysis into Purview objects, the AI agent scores candidate evidence to determine where each finding should go — SIT, dictionary, facet, exception, or rejection. This model is an engineering aid, not a Purview-native object.

R = (P × 40) + (S × 25) + (F × 20) − (X × 35)

  P = Primary Anchor
  S = Supporting Evidence
  F = Facet Evidence
  X = Suppressor (subtracted)
  R = Total Relevance Score

High R → primary SIT  ·  Medium R → supporting dictionary  ·  Low R with context → facet  ·  Negative R → exception rule
Single-Prompt Contract

The AI agent operates from a structured prompt manifest. The operator provides a domain declaration; the agent executes all downstream pipeline steps and emits the full artifact bundle.

Objective: Non-Standard Policy Development
Domain: Legal
Mode: ExtractCurrent, ModifyCurrent, CreateNovel
Discovery: Enable filename-assisted discovery
Production: Content-dominant detection only
Outputs:
  1. Current-state extraction and comparison
  2. Candidate discovery corpus summary
  3. Proposed dictionaries, facets, and SIT patterns
  4. XML rule package changes
  5. DLP policy/rule deployment script
  6. Power Automate approval payload
  7. Test plan, rollback plan, and version notes
Locations: Exchange, SharePoint, OneDrive, Teams
DeploymentMode: TestWithNotifications
ApprovalRequired: Yes
Three-Gate Approval Model
Gate 1 — Discovery Authorization
Allows broad discovery and telemetry collection. Filename-assisted patterns. Simulation only. No enforcement. Routes to Security and Compliance for approval.
Gate 2 — Test Deployment Approval
Deploys SIT package and DLP policy in TestWithNotifications mode. Users see policy tips but no blocking. Telemetry is reviewed against baseline. Routes to Legal, Compliance, and Security for approval.
Gate 3 — Enforcement Approval
Promotes policy to active enforcement (block/restrict). Requires validated false-positive rate, documented rollback plan, and approval from Legal, Security, and Compliance leadership. Change control record created.
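Gate 2 and Gate 3 as PowerShell, added here as an example that is not the module's own script: the policy starts in TestWithNotifications and is switched to Enable only after the preconditions the gate model names are checked. The policy and SIT names, the 0.01 acceptance threshold, the three-approver check, and the assumption that the validated false-positive rate is supplied by the operator from the Activity Explorer review are all hypothetical; it assumes an open Connect-IPPSSession.

```powershell
function New-NspTestPolicy {
    param([string]$Policy = 'Legal-NSP', [string]$Sit = 'Legal-Complex')
    # Gate 2: policy tips only, no blocking; scoped to the four workloads in the manifest
    New-DlpCompliancePolicy -Name $Policy -Mode TestWithNotifications `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All
    New-DlpComplianceRule -Name "$Policy-Rule" -Policy $Policy -NotifyUser Owner `
        -ContentContainsSensitiveInformation @{Name = $Sit; minCount = '1'; minConfidence = '75'}
}

function Invoke-Gate3Promotion {
    param(
        [Parameter(Mandatory)][string]$Policy,
        [Parameter(Mandatory)][double]$ValidatedFalsePositiveRate, # from the Activity Explorer review
        [Parameter(Mandatory)][string]$RollbackXmlPath,            # pre-import SIT export
        [Parameter(Mandatory)][string[]]$Approvers,                # Legal, Security, Compliance leads
        [double]$MaxFalsePositiveRate = 0.01                       # hypothetical acceptance threshold
    )
    # Gate 3 preconditions: validated FP rate, documented rollback artifact, three sign-offs
    if ($ValidatedFalsePositiveRate -gt $MaxFalsePositiveRate) {
        throw "FP rate $ValidatedFalsePositiveRate exceeds $MaxFalsePositiveRate; policy stays in test mode"
    }
    if (-not (Test-Path $RollbackXmlPath)) { throw "Rollback artifact missing: $RollbackXmlPath" }
    if ($Approvers.Count -lt 3) { throw "Gate 3 needs Legal, Security and Compliance sign-off" }

    # Promote: the rule now blocks, and the policy leaves test mode
    Set-DlpComplianceRule -Identity "$Policy-Rule" -BlockAccess $true
    Set-DlpCompliancePolicy -Identity $Policy -Mode Enable -Comment "Gate 3 approved by $($Approvers -join ', ')"
    # Change control record, returned to the caller for the audit log
    [pscustomobject]@{ Policy = $Policy; Mode = 'Enable'; FpRate = $ValidatedFalsePositiveRate;
                       Approvers = $Approvers; RollbackXml = $RollbackXmlPath; When = Get-Date }
}

function Undo-Gate3Promotion {
    param([Parameter(Mandatory)][string]$Policy)
    # Policy-level rollback: back to tips only; the SIT itself is restored from the saved XML
    Set-DlpComplianceRule -Identity "$Policy-Rule" -BlockAccess $false
    Set-DlpCompliancePolicy -Identity $Policy -Mode TestWithNotifications
}
```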
PowerShell Reference
🔌 Connect
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@yourtenant.onmicrosoft.com
📤 Export Baseline
Get-DlpCompliancePolicy | ConvertTo-Json -Depth 100
Get-DlpSensitiveInformationTypeRulePackage
Get-DlpSensitiveInformationType
📥 Import New SIT Package
# ReadAllBytes resolves a relative path against the process working directory, not $PWD; prefer a full path
New-DlpSensitiveInformationTypeRulePackage `
  -FileData ([System.IO.File]::ReadAllBytes('Legal-Complex.xml'))
🔄 Update Existing SIT
Set-DlpSensitiveInformationTypeRulePackage `
  -FileData ([System.IO.File]::ReadAllBytes('Legal-Complex-v2.xml'))
🏗️ Create DLP Policy
New-DlpCompliancePolicy -Name "Legal-NSP" `
  -Mode TestWithNotifications `
  -ExchangeLocation All -SharePointLocation All
📋 Create DLP Rule
New-DlpComplianceRule -Name "Legal-Rule" `
  -Policy "Legal-NSP" `
  -ContentContainsSensitiveInformation @{Name="Legal-Complex"; minConfidence=75}
Rollback procedure: Before any SIT import or update, export the existing rule package using Get-DlpSensitiveInformationTypeRulePackage and save to a versioned XML file. This is the rollback artifact.
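The rollback procedure as a script, added as an example (not the module's own code): export the live rule package to a timestamped XML file before updating it, and fall back to a first-time import when no package of that name exists. The rule pack name and the paths are hypothetical; it assumes an open Connect-IPPSSession.

```powershell
param(
    [string]$RulePackName = 'Legal-Complex Rule Pack',      # the <Name> inside the rule package XML
    [string]$NewXmlPath   = 'C:\SitPak\Legal-Complex-v2.xml',
    [string]$RollbackDir  = 'C:\SitPak\rollback'
)
New-Item -ItemType Directory -Path $RollbackDir -Force | Out-Null

# Look up the live package by name; nothing returned means this is a first import
$existing = Get-DlpSensitiveInformationTypeRulePackage -Identity $RulePackName -ErrorAction SilentlyContinue

if ($existing) {
    # Rollback artifact: the live rule collection, written byte-for-byte to a versioned file
    $stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
    $rollbackPath = Join-Path $RollbackDir "$RulePackName-$stamp.xml"
    [System.IO.File]::WriteAllBytes($rollbackPath, $existing.SerializedClassificationRuleCollection)
    Write-Host "Rollback artifact: $rollbackPath"

    # Update in place; the package is matched on the RulePack id inside the XML
    Set-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($NewXmlPath))
} else {
    New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($NewXmlPath))
}

# To roll back, re-import the saved bytes:
#   Set-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($rollbackPath))
```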
Governance Checklist
Per-SIT record
  • Owner (person, not team)
  • Domain (Legal / Security / HR / Governance)
  • Version and creation date
  • Source corpus reference (where discovery candidates came from)
  • Approval record (Gate 1, 2, 3 sign-offs)
  • Test status (discovery / test / enforcement)
  • Rollback XML (pre-import baseline export)
  • Retirement criteria (what triggers deprecation)
Per-DLP-policy record
  • Named owner
  • Scope rationale (why these workloads, not others)
  • Mode documented (Test / Audit / Enforce) and date of each promotion
  • Exception rules for known-good content
  • Linked SIT(s) with version references
  • Test period minimum: one full week before notifications, two weeks before enforcement
  • False positive rate baseline before enforcement promotion
Quarterly review
  • Export current DLP policy and SIT baseline — compare to last quarter's snapshot
  • Review Activity Explorer for each active domain SitPak — check TP/FP rates
  • Update SIT dictionaries for new vocabulary (agency names, form numbers, terminology changes)
  • Review exception lists — remove stale suppressors, add new known-good patterns
  • Review ownership assignments — confirm owners are still active and responsible
  • Simulate upcoming SIT changes in Test mode before promoting
CNC Data Security Platform · Module 06

Non-Standard Policy Development

AI-assisted SIT engineering · Single-prompt lifecycle · PowerShell automation · Power Automate approval gates · SitPak 2026
What Is NSPD?

Purpose

Engineering discipline for creating SITs, DLP rules, and policies for operational artifacts that built-in SITs cannot reliably detect — subpoenas, investigations, CUI, TLP markings. Targets meaning and intent, not just patterns.

Single-Prompt Model

One domain instruction ("Legal") drives the full pipeline: baseline extract → file discovery → content analysis → SIT engineering → rule design → approval → deploy → tune.

8-Step Pipeline

01 Intake: Domain, mode, locations, deployment target
02 Baseline: Export SITs, policies, rules via PowerShell
03 Discovery: Filename patterns harvest candidate corpus
04 Analysis: AI mines anchors, dicts, facets, suppressors
05 SIT Eng.: XML rule packages for discovery + production
06 Rule/Policy: DLP rules and policies scoped to workloads
07 Approval: 3-gate Power Automate governance routing
08 Deploy: Test mode → validate telemetry → enforce

Four Domain Packs (NSSITPak)

⚖️ Legal

  • Subpoena
  • Search Warrant
  • LE Inquiry
  • Preservation Req.

🔐 Security

  • Internal Investigation
  • Damage Assessment
  • Threat of Violence

👥 HR

  • HR Investigation
  • Employee Investigation
  • Disciplinary

🏛️ Governance

  • CUI
  • TLP:RED
  • TLP:AMBER
  • Official Use Only
SitPak Performance vs. Built-In SITs

Built-in Single SIT

True Positives: 47% · False Positives: 34% · Triage: minutes per event

v1/v2 SitPak Multi-Dictionary

True Positives: 87% · False Positives: 0.08% · Triage: seconds per event

References:
  • learn.microsoft.com/en-us/purview/sit-create-a-custom-sensitive-information-type-in-scc-powershell
  • learn.microsoft.com/en-us/purview/sit-sensitive-information-type-learn-about
  • learn.microsoft.com/en-us/power-automate/modern-approvals