Governed grounding
Grounding means answering a question using your organization's own documents instead of only the model's general knowledge. ThreatLens grounds answers in your Microsoft 365 content — and governs every step.
How it works
- Retrieve. When a user attaches a file (or enables a knowledge source), ThreatLens fetches matching documents from the connected source — OneDrive or SharePoint.
- Access-trim, fail-closed. It checks each document against the requesting user's permissions and keeps only what they're allowed to see. If permissions can't be confirmed, the document is dropped — the default is deny.
- Apply DLP. Every retrieved document runs through data-leak protection and the policy matrix, exactly like typed content — redacted, routed, or blocked as needed.
- Ground. The permitted, governed content is used to answer, with citations back to the source.
A pasted figure and an attached document are held to the same standard. Grounding doesn't open a side door around your policy.
Access-trimming matters
Two people can attach the same file and get different results: each only ever grounds on the documents they personally have permission to access. ThreatLens never widens a user's reach — it mirrors your existing access controls and fails closed on any doubt.
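The fail-closed access-trim step described above, sketched as an added example; this is not ThreatLens code. `check_permission`, the ACL data and the document names are hypothetical and constructed, standing in for a real permission lookup against the connected source.

```python
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"

class PermissionLookupError(Exception):
    """Raised when the permission source cannot give an answer."""

# Constructed ACL data: document id -> users with read access.
SAMPLE_ACL = {
    "finance/q3-forecast.xlsx": {"alice"},
    "hr/handbook.docx": {"alice", "bob"},
}
# Constructed: documents whose permission lookup fails (e.g. a timeout).
UNREACHABLE = {"legal/contract-draft.docx"}

def check_permission(user, doc_id):
    """Hypothetical lookup standing in for the source's permission API."""
    if doc_id in UNREACHABLE:
        raise PermissionLookupError(f"lookup failed for {doc_id}")
    readers = SAMPLE_ACL.get(doc_id)
    if readers is None:
        return None  # no ACL record: permission state is unknown
    return Verdict.ALLOW if user in readers else Verdict.DENY

def access_trim(user, doc_ids, lookup=check_permission):
    """Keep only documents with an explicit ALLOW; drop everything else."""
    kept, dropped = [], []
    for doc_id in doc_ids:
        try:
            verdict = lookup(user, doc_id)
        except Exception as exc:  # fail closed on any lookup error
            dropped.append((doc_id, f"unconfirmed: {type(exc).__name__}"))
            continue
        if verdict is Verdict.ALLOW:
            kept.append(doc_id)
        elif verdict is Verdict.DENY:
            dropped.append((doc_id, "denied"))
        else:  # None or any unexpected value is treated as deny
            dropped.append((doc_id, "unconfirmed: no verdict"))
    return kept, dropped

# Constructed retrieval result: the same four documents for every user.
RETRIEVED = ["finance/q3-forecast.xlsx", "hr/handbook.docx",
             "legal/contract-draft.docx", "misc/untracked.txt"]
```

The dropped list carries a reason per document, so an audit log can distinguish an explicit deny from a permission state that could not be confirmed.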
The file picker
Users attach specific files with the M365 source picker in the composer — choose a source, pick a file, and it grounds only that file. This keeps retrieval scoped and predictable.
Governed grounding supports OneDrive and SharePoint today. Grounding from Teams and Outlook, and using Microsoft Purview sensitivity labels as a governance signal, are on the roadmap.