AI assistant — not human

Data leaks + departing employees + policy violations + IP theft + healthcare-specific. Fixed-fee tiers.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Microsoft Purview Insider Risk Management detects risky user behavior via ML + rules + user context. 6 risk categories: data leaks, departing employees, priority users, security violations, healthcare-specific, custom. 6 policy templates. Signals: file activity + email + communications + access patterns + HR events + security. HR integration: Workday native + Power Automate custom + manual CSV. Alert-to-resolution: alert → review → case → investigation → action → closure. Compliance frameworks satisfied: HIPAA + SOC 2 + SEC 17a-4 + FINRA + NIST 800-171 + CMMC L2-3 + EU AI Act. EPC Group tiers: Readiness $25K + Foundation $75K + Advanced $75K + Managed Service $10K-$25K/mo.
Microsoft Purview Insider Risk Management (IRM) detects + investigates + acts on risky user behavior inside your Microsoft 365 tenant. Six risk categories: (1) Data leaks — content shared with unauthorized destinations. (2) Data theft by departing employees — abnormal downloads before termination. (3) Priority user data leaks — VIPs, executives, high-privilege accounts. (4) Security policy violations — Defender alerts + Conditional Access failures. (5) Healthcare-specific — PHI access anomalies. (6) Custom policies — organization-specific patterns. IRM uses ML + rules + user context. Integrates with Purview Communication Compliance + Insider Risk analytics.
IRM signal categories: (1) File activity — download volume, external sharing, printing, USB copy, cloud upload. (2) Email — auto-forward to personal, large attachments to external, sensitive-labeled sends. (3) Communications — code of conduct violations, harassment, threatening language (via Communication Compliance). (4) Access patterns — after-hours activity, unusual location, dormant-account reactivation. (5) HR events — resignation, PIP, termination trigger elevated monitoring. (6) Security events — Defender alerts, sign-in risk, malicious file. Signals combined via risk scoring — no single signal triggers action; pattern matters.
Purview IRM ships with 6 policy templates: (1) Data leaks — detects abnormal data movement. (2) Data leaks by priority users — same as above for VIPs. (3) Data theft by departing users — elevated monitoring for known departing employees. (4) Security policy violations — Defender + Conditional Access signals. (5) Healthcare-specific — PHI-related anomalies. (6) Physical asset theft — building access + IT ticket integration. Custom policies: build using signal library + risk-scoring rules. EPC Group typical deployment starts with 3 templates + 2-3 custom policies tuned to industry. Timeline: 6-8 weeks for baseline + tuning.
IRM integrates with HR system (Workday, SAP SuccessFactors, custom HRIS, or Microsoft Entra) to detect: (1) Resignation notification — elevate monitoring 30/60/90 days pre-departure. (2) Termination event — automated policy hold + evidence preservation. (3) PIP (Performance Improvement Plan) — heightened attention. (4) Role change — updated risk baseline. (5) Reorganization — team-level monitoring adjustment. HR connector implementation: (1) Native — Workday HR connector (preview). (2) Custom — Power Automate flow from HR system to Purview API. (3) Manual — HR uploads CSV of departing employee list. EPC Group IRM engagements include HR integration design + implementation.
IRM alert-to-resolution workflow: (1) Alert triggered — ML/rule combination generates alert with risk score. (2) Analyst review — assigned analyst reviews alert + user context + activity timeline. (3) Case creation — if warranted, create case with evidence preservation. (4) Investigation — analyst reviews content + interviews with legal + HR. (5) Action — depending on findings: dismiss, coaching, HR escalation, legal escalation, employment action. (6) Case closure — with documented rationale + evidence archive. Timeline for baseline IRM to alert: signal collection 1-2 weeks after policy enabling; refined alerts 4-8 weeks after tuning; steady-state 8-12 weeks. False positive rate targets: under 20% after tuning.
IRM satisfies specific requirements from: (1) HIPAA — audit + monitoring of PHI access. (2) SOC 2 — access + activity monitoring for customer data. (3) SEC 17a-4 — supervisory monitoring for broker-dealers (via Communication Compliance). (4) FINRA Rule 3110 — supervisory system for financial services. (5) NIST 800-171 3.14.3 (System + Information Integrity — monitoring). (6) CMMC 2.0 Level 2-3 — insider threat program. (7) EU AI Act — human oversight of high-risk AI. (8) State privacy — reasonable safeguards. EPC Group IRM engagements include compliance framework mapping.
EPC Group IRM methodology: (1) IRM Readiness ($25K, 3 weeks) — HR system inventory + policy scope + compliance mapping. (2) IRM Foundation ($75K, 8 weeks) — 3 policy templates + HR connector + analyst training + baseline tuning. (3) Advanced IRM ($75K, 8 weeks) — 2-3 custom policies + industry-specific tuning + Priority User protection + Communication Compliance integration. (4) Ongoing IRM Managed Service ($10K-$25K/month) — analyst support + policy tuning + case review + quarterly compliance reporting. (5) Incident Investigation Support (project-based) — deep-dive investigations for material incidents. All led by senior compliance architect with insider threat specialization.
$25K/3wk HR inventory + policy scope + compliance mapping. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day