Securing Microsoft Copilot: How to maintain governance and protect your data

Posted by Adam Blackwell on Mar 4, 2025 09:00:00 AM

In the short time since it entered general availability in 2024, Microsoft Copilot has had a profound impact on business IT. But while Copilot and other AI assistants can offer huge productivity gains, they do require in-depth strategic planning, proactive management, and effective end user enablement to maximise gains while reducing risks to data protection and governance.  

The governance challenge 

Research from Microsoft shows that 75% of users are already utilising AI in their day-to-day workflows but, of these, 78% are taking a “bring your own AI” approach, using personal tools rather than assistants that have been authorised by the business. Because these tools sit outside the organisation as shadow IT, it is near impossible for IT teams to monitor them or to prevent inadvertent data leakage. This creates a significant security risk, especially when users ignore best practice and paste potentially confidential data, including company names and other identifiable information, into them. 

While corporate-sanctioned AI assistants help to negate this issue to an extent, they come with their own data protection concerns. Microsoft 365 Copilot, for example, operates inside the organisation’s own tenant, surfacing information and documents as users need them, based on each user’s individual permissions. This is a huge productivity benefit, as users can search for and quickly pull together information from multiple sources without having to scour the environment themselves.  

But without proper governance and data protection measures in place, this can be a double-edged sword. Many environments – especially those in large enterprises – rely on security through obscurity, and the idea that users are less likely to stumble upon sensitive information if they don’t know it’s there in the first place. Copilot removes that protection. It does respect permissions, but it will surface anything the user is already permitted to read, so content that was overshared (a finance library open to “Everyone except external users”, for instance) goes from merely reachable to actively discoverable, and any user can end up with potentially confidential data in a summary or answer. 

Copilot also lacks a human’s discretion. A user can recognise and avoid a suspicious attachment or embedded link; Copilot may reproduce that same link in an email summary, lending it a veneer of legitimacy and prompting the user to click and compromise their device. Any Copilot deployment therefore needs to be carefully controlled, using security tools to limit the data it can reach and to ensure it does not amplify cyber risks that already exist in the environment. 

Immediate protection measures 

Fortunately, the controls for these problems are already available to most businesses using Copilot for Microsoft 365. Microsoft 365 Business Premium bundles a set of security products that, while not Copilot-specific, can be used to limit what Copilot can reach and what users can do with its output: 

Microsoft Entra ID P1 (formerly Azure Active Directory) adds Conditional Access, which lets you require multi-factor authentication (MFA) and compliant devices for user sign-ins, limiting an attacker’s ability to get into the environment with compromised credentials. When using the free, browser-based version of Microsoft Copilot, signing in with an Entra ID work account also activates enterprise data protection, under which prompts and responses are not used to train the model, closing down one route to accidental data exposure. 

Microsoft Intune P1 serves a similar purpose on the device side, providing mobile device management (MDM) and app protection policies that keep business data inside managed apps and can block users from leaking confidential information via screenshots, copy-and-paste or unauthorised apps. 

Microsoft Defender for Business strengthens endpoint security with enterprise-grade protection: next-generation antivirus plus endpoint detection and response, so threats can be detected and responded to automatically in real time. 

Microsoft Defender for Office 365 P1 is a cloud-based service providing advanced protection for your organisation’s email and collaboration tools, using technology such as Safe Links (time-of-click URL checking) and Safe Attachments (sandbox detonation of attachments), which mitigate the risk from malicious links or files that Copilot inadvertently surfaces. 

Microsoft Purview offers the all-important ability to classify and label sensitive data. At the level included in Business Premium, labelling is manual (users apply sensitivity labels themselves), but it remains a critical control over what Copilot can and cannot access: where a label applies encryption, Copilot will only summarise or reuse the content if the user holds the EXTRACT usage right. Because the label travels with the content, this enforces governance at the data level, not just on the documents that happen to contain it. 

Independently of licensing, organisations can also enable Restricted SharePoint Search, which confines organisation-wide search, and therefore what Copilot can ground its answers on, to an allow list of up to 100 SharePoint sites (plus the user’s own OneDrive and files they have recently used). It is a useful stop-gap while oversharing is being cleaned up, but it hides overshared content rather than fixing the permissions behind it, and Microsoft positions it as a temporary measure that it has announced plans to retire. 
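As an added example (not from the original post), the following PowerShell enables Restricted SharePoint Search and scopes it to a curated allow list. It assumes the SharePoint Online Management Shell is installed and that the account used holds the SharePoint administrator role; the tenant admin URL and the two site URLs are hypothetical placeholders.

```powershell
# Added example: enable Restricted SharePoint Search with an explicit allow list.
# Assumptions: SharePoint Online Management Shell installed, SharePoint admin
# account, and hypothetical tenant/site URLs (replace with your own).
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant

# Sites that are known to be well-governed and safe to expose to
# organisation-wide search and Copilot (hypothetical URLs).
$allowedSites = @(
    "https://contoso.sharepoint.com/sites/CompanyPolicies",
    "https://contoso.sharepoint.com/sites/ITKnowledgeBase"
)

# Record the current state before changing anything.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList

# Turn on restricted mode. From this point, org-wide search and Copilot only
# return content from allow-listed sites, the user's own OneDrive, and files
# the user has recently worked with; everything else is no longer discoverable
# through search (its permissions are unchanged, so it is still reachable by URL).
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Add the curated sites. The allow list is capped at 100 sites.
Add-SPOTenantRestrictedSearchAllowedList -SitesList $allowedSites

# Verify the change took effect.
Get-SPOTenantRestrictedSearchMode          # expect: Enabled
Get-SPOTenantRestrictedSearchAllowedList   # expect: the two URLs above

# To roll back while oversharing is remediated:
# Remove-SPOTenantRestrictedSearchAllowedList -SitesList $allowedSites
# Set-SPOTenantRestrictedSearchMode -Mode Disabled
```

Run the two Get- cmdlets first and keep their output; it is the evidence you need to reverse the change cleanly, and it makes clear that enabling restricted mode changes only discoverability, not who can open what.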

Establishing advanced security architecture 

While Business Premium’s features offer a core set of security tools that let organisations use Microsoft 365 Copilot without compromising on data protection, there are further steps that can be taken to strengthen security and reduce the administrative burden. Microsoft Purview is central to these – the Purview P2 licence tier allows automatic detection and labelling of sensitive information. 

This means that Purview’s built-in sensitive information types and trainable classifiers can automatically label confidential content such as payment card details or sensitive IP without any manual categorisation. Auto-labelling policies can be run in simulation mode first, so matches can be reviewed for false positives before any label is applied. 

Copilot is also designed to work with Purview’s sensitivity labels. One of Copilot for Microsoft 365’s main use cases is generating new documents from existing files – if any of those source files carries a sensitivity label, the new content inherits the highest-priority (most restrictive) label among them, so the protections that label carries, such as encryption and DLP rules, follow the data rather than being lost when it is reused. 
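As an added example (not from the original post), this PowerShell creates a Purview auto-labelling policy of the kind described above, starting in simulation mode. It assumes the ExchangeOnlineManagement module, a Compliance Administrator role, a licence that includes automatic labelling (this is the E5 / E5 Compliance tier, not Business Premium), and an existing sensitivity label; the label name and policy name are hypothetical.

```powershell
# Added example: auto-label content containing payment data, in simulation first.
# Assumptions: ExchangeOnlineManagement module installed, compliance admin
# account, auto-labelling licensed, and an existing label named as below.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Auto-label payment data"   # hypothetical policy name
$labelName  = "Confidential - Finance"    # hypothetical existing sensitivity label

# Policy: where to look. TestWithoutNotifications applies nothing yet; it only
# records what would have been labelled so the matches can be reviewed.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# Rule: what to look for. Built-in sensitive information types; the array means
# "any of these", each needing at least one match.
New-AutoSensitivityLabelRule -Policy $policyName `
    -Name "Payment card or IBAN present" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    ) `
    -Workload SharePoint, OneDriveForBusiness, Exchange

# Confirm the policy is in simulation mode.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, ApplySensitivityLabel

# After reviewing the simulation results in the Purview portal and tuning the
# rule, switch the policy on:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Leaving the policy in simulation for a week or two before enabling it is the practical check: a label that applies encryption to a false positive will lock legitimate users (and Copilot) out of that file, and that is far easier to catch in the simulation report than after the fact.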

Outside of Purview, SharePoint Advanced Management also supports data protection and governance. It identifies inactive SharePoint sites, reports on and manages permissions and oversharing, and lets you enforce site-level conditional access (for example, requiring a stronger authentication context before a sensitive site opens), protecting data both from inadvertent exposure through Copilot and from genuine insider threats. 
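As an added example (not from the original post), the following PowerShell does a manual version of the inactive-site review described above: it lists sites untouched for six months, writes a report for owners, and, once the report has been signed off, stops external sharing and hides those sites from org-wide search and Copilot. It assumes the SharePoint Online Management Shell and a SharePoint administrator account; the tenant URL is hypothetical, and the -RestrictContentOrgWideSearch switch is a SharePoint Advanced Management feature that is assumed to be licensed in your tenant.

```powershell
# Added example: find stale SharePoint sites and tighten them before Copilot
# surfaces their contents. Assumptions: SharePoint Online Management Shell,
# SharePoint admin account, hypothetical tenant URL, SharePoint Advanced
# Management licensed (needed for -RestrictContentOrgWideSearch).
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed tenant

$staleBefore = (Get-Date).AddMonths(-6)
$dryRun      = $true   # set to $false only after the report has been reviewed

# All team/communication sites (OneDrive personal sites excluded) with no
# content changes since the cut-off date.
$stale = Get-SPOSite -Limit All -IncludePersonalSite $false |
    Where-Object { $_.LastContentModifiedDate -lt $staleBefore }

# Report first: site owners must confirm a site is really dead before it is
# restricted, otherwise you will break a quiet-but-live process.
$stale |
    Select-Object Url, Title, LastContentModifiedDate, SharingCapability, StorageUsageCurrent |
    Sort-Object LastContentModifiedDate |
    Export-Csv -Path ".\stale-sites.csv" -NoTypeInformation

foreach ($site in $stale) {
    if ($dryRun) {
        Write-Host "Would restrict $($site.Url) (last modified $($site.LastContentModifiedDate))"
        continue
    }
    # Stop any further external sharing from the site.
    Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    # Hide the site's content from organisation-wide search and Copilot until
    # its owner has reviewed the permissions. Existing members can still open it.
    Set-SPOSite -Identity $site.Url -RestrictContentOrgWideSearch $true
}
```

The dry-run default is deliberate: the same loop with $dryRun set to $false is the enforcement step, so the only thing that changes between review and action is one variable, not the logic that decided which sites are affected.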

Conclusion

If you’re preparing to deploy Microsoft 365 Copilot or have already dived in and need to retroactively secure your data, we can help. Starting with a Copilot Optimisation Assessment, we can walk you through your deployment, ensuring governance and data protection at every step of the way. Get in touch with the team today to find out more.

About the Author

Adam Blackwell is a Microsoft Solutions Specialist at FluidOne Business IT, based in our Sheffield office. Adam has seven years' experience in the IT industry, with over five years advising customers on how to utilise Microsoft platforms and solutions to drive digital transformation and foster a culture of collaboration and innovation.

Adam's expertise lies in empowering organisations by facilitating the effective adoption of scalable, cloud-ready Microsoft 365 technologies through advice, solutions, workshops, and services.