Microsoft 365 Copilot in the enterprise: the governance audit nobody does

Microsoft 365 Copilot reveals the oversharing accumulated in your tenant and makes it actionable at organisation scale within weeks. Why the prior Microsoft Purview audit changes everything, and how to run it. For CTOs, DPOs and CISOs at French mid-market companies deploying or having deployed Copilot.

Transparency note. This article is written in line with IgnitionAI's editorial policy. Claims about the technical workings of Microsoft 365 Copilot and Microsoft Purview link to the official Microsoft Learn documentation with a link and date of access. The audit durations and costs cited are tagged IgnitionAI estimate with their observation basis. The opening scenario is a case reconstructed from several IgnitionAI engagements 2024-2025; no client is identifiable.

The typical scenario

A French organisation deploys Microsoft 365 Copilot company-wide on a collective license. The project is led by IT, presented as a productivity toolset augmented by AI. The internal pitch describes Copilot as a contextual assistant: it queries each user's document perimeter — Outlook emails, SharePoint and OneDrive files, Teams conversations, calendars — and generates answers tailored to their work context.

The technical deployment goes without a hitch. Licenses are distributed in waves. User training goes well. The first usage feedback is enthusiastic: Copilot summarises Teams meetings, drafts emails, extracts information from long memos in seconds.

A few weeks later, a report surfaces through an unexpected channel. An employee from an operational department, with no finance or HR clearance, asks Copilot about a routine business topic. The answer cites, with sources, passages from documents they would never have discovered through normal navigation. Depending on the engagement context, it might be a preparatory note for the compensation committee, a still-confidential acquisition project, or a lawyer's letter about an ongoing labour dispute.

No attack, no hack, no prompt injection. Copilot worked exactly as designed: querying the Microsoft Graph semantic index while respecting the technical permissions in force in the tenant. Microsoft documents this behaviour precisely: "Microsoft 365 Copilot only surfaces organizational data to which individual users have at least view permissions" (Microsoft Learn, Data, Privacy, and Security for Microsoft 365 Copilot, accessed 24 May 2026).

The problem lies in the definition of the word "permissions". The technical permissions in force go well beyond the permissions the business owners thought they had set up. This gap stayed invisible while no tool made it actionable at organisation scale.

The project is frozen pending a full audit. The DPO informs the CNIL. Executive leadership requests a status review of all AI systems in production. IgnitionAI estimate: across five post-incident Microsoft Purview audits run in 2024 and 2025, the typical cost of remediation after this kind of incident lands between €60,000 and €120,000 with two to four months of delay on the original project. Compare with a prior audit of six to ten weeks for an equivalent budget spread across the original deployment schedule.

Microsoft acknowledges it itself

The official Microsoft Learn documentation addresses the topic head-on and offers a dedicated technical stack to respond to it.

On the Microsoft Purview page for generative-AI apps: "Because of the power and speed AI can proactively surface content, generative AI amplifies the problem and risk of oversharing or leaking data" (Microsoft Learn, Microsoft Purview data security and compliance protections for generative AI apps, accessed 24 May 2026).

On the Restricted SharePoint Search page, in an "Important" box: "Restricted SharePoint Search is designed as a short-term solution to allow time for your organization's administrators to thoroughly review and audit site and file permissions, but it's not intended or scalable for long-term use" (Microsoft Learn, Restricted SharePoint Search, accessed 24 May 2026).

This second quote is particularly telling. Microsoft shipped a feature explicitly labelled as a temporary patch, pending administrators auditing and fixing the underlying permissions. The vendor implicitly acknowledges that most tenants aren't ready for Copilot as they are configured.

Microsoft even provides the canonical example in the Restricted SharePoint Search documentation. The scenario of marketing specialist Alex Wilber at Contoso Electronics literally describes the case: a budgeting site with "important business information" of which "most people don't know about this site, so the site owner hasn't set up proper permissions". When Alex asks Copilot, "Copilot gets information from the budgeting site". It's exactly the scenario described at the opening of this article, written by Microsoft to explain why Restricted SharePoint Search is necessary.

How Copilot accesses your tenant's data

Understanding the access mechanics helps understand where the risk sits.

Microsoft 365 Copilot orchestrates three components: one or more large language models (LLMs) hosted on Azure OpenAI Service, the organisational content accessible via Microsoft Graph, and the Microsoft 365 productivity applications (Word, Excel, PowerPoint, Outlook, Teams, etc.) the user works in.

The accessible organisational content includes, by default: "user documents, emails, calendar, chats, meetings, and contacts" (Microsoft Learn, Microsoft 365 Copilot privacy). Access goes through the Semantic Index of Microsoft Graph, which "honors the user identity-based access boundary so that the grounding process only accesses content that the current user is authorized to access".

Three operational consequences stem from this design.

First, Copilot relies strictly on the permissions defined at the level of the underlying Microsoft 365 services: SharePoint, OneDrive, Teams, Exchange. If those permissions are poorly scoped, Copilot exposes the corresponding content. If they're correctly scoped, Copilot respects the boundary.

Second, the data accessible to a user via Copilot can be much broader than what they usually consult. A file the user has theoretical read access to but has never opened can appear in a Copilot answer. This is precisely what makes pre-existing oversharing suddenly visible.

Third, prompts and responses are stored in the Microsoft 365 tenant and don't leave the EU Data Boundary perimeter for European customers. LLM processing stays within the Azure OpenAI perimeter. Prompts and responses aren't used to train the foundation models. Since 7 January 2026, Anthropic is a subprocessor for Microsoft 365 Copilot — its models, however, fall outside the EU Data Boundary perimeter (Microsoft Learn, Anthropic as a subprocessor for Microsoft Online Services).

The three main sources of oversharing

The experience of audits run since 2024 brings out three sources that recur in almost all audited organisations.

SharePoint sites open by default

During historical migrations from network shares (often carried out between 2017 and 2022), many organisations created SharePoint sites with the "Everyone in the organisation" option. This option, simple to enable, quickly replicated the "everyone sees" behaviour of the old SMB shares.

The business owner doesn't know their site is "public" at organisation scale, because they only see the users who actually consult the site (few by nature). Users don't discover it through normal navigation either, because it doesn't appear in their followed sites. But the Microsoft Graph semantic index indexes it in full.

OneDrive sharing links that are never revoked

OneDrive lets you generate "anyone with the link", "everyone in your organisation" or "specific people" sharing links. The observed pattern: "everyone in the organisation" links generated occasionally to make it easier to share a document with a group not identified in advance, and never revoked afterwards.

These links materialise permanent read access at organisation scale. When the underlying content has since become sensitive (an HR file initially shared broadly and then enriched with named data, a strategic project that has become confidential), the access is no longer aligned with the actual sensitivity.

Teams attachments stored in SharePoint

Attachments to Teams conversations are stored in underlying SharePoint libraries. For private chats, storage is OneDrive and stays compartmentalised. For Teams channels, storage is in the team's SharePoint site, and the channel's permissions apply.

On "General" channels of a team open to a whole division (a frequent case for teams used for cross-cutting sharing), any attached document becomes indexable for the hundreds or thousands of division members. The employee who shares a sensitive file in a general channel doesn't realise they are making this file accessible to Copilot for all channel members.

The Microsoft Purview stack to govern Copilot

Microsoft offers a complete stack of Purview products to address this topic (Microsoft Learn, Microsoft Purview for generative AI apps). Four components matter most in practice.

Data Security Posture Management for AI (DSPM for AI). A central dashboard to visualise Copilot and other AI applications' usage in the organisation, identify risky interactions, and apply controls with personalised recommendations. Microsoft describes it as the "front door to discover, secure, and apply compliance controls for AI usage across your enterprise". It's the recommended entry point for a Copilot governance audit.

Sensitivity Labels. Sensitivity labels applied to Office documents and emails, with the option to include encryption and usage restrictions. For Copilot, the effect is twofold: the document's sensitivity is visible in the generated answer, and usage-rights restrictions (notably the absence of the EXTRACT right) prevent Copilot from returning the content. Explicit Microsoft recommendation: enable sensitivity labels for SharePoint and OneDrive before deployment.

Data Loss Prevention (DLP). Deep content inspection to identify sensitive elements (payment-card numbers, national IDs, medical data, intellectual property) and apply protection policies. Covers the Microsoft 365 services and, via Endpoint DLP, onboarded Windows workstations (for example to block copy-paste to third-party GenAI sites such as public ChatGPT).

Audit and eDiscovery. All Copilot interactions (user prompts and generated responses) are logged in the Unified Audit Log with references to the consulted files and the associated sensitivity labels. eDiscovery allows these interactions to be retrieved and exported for legal or disciplinary needs.

To these four components are added Insider Risk Management (a pre-defined Risky AI usage policy to detect prompt injections and unauthorized access attempts), Communication Compliance (detection of violations in AI interactions), Data Lifecycle Management (retention policies on Copilot conversations) and Compliance Manager (templates to assess compliance with AI regulations, including the AI Act).
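The audit trail described above only helps if someone actually reads it. The following Python script is an added example (not Microsoft's or IgnitionAI's code) of the kind of pass a steering committee could run over an export of Unified Audit Log CopilotInteraction records: it flags responses grounded on a resource carrying a Confidential or Secret label for an account outside a cleared list, and resources that carry no label at all (candidates for the labelling batches). The record layout (Operation, UserId, CreationTime, CopilotEventData.AccessedResources with Name, Id, Type and SensitivityLabelId) follows the CopilotInteraction audit schema as we read it and should be checked against records exported from your own tenant; the label GUIDs, accounts, file names and the four-level grid are constructed placeholders.

```python
import json

# Constructed placeholders: label GUID -> (label name, rank) for a four-level grid.
LABELS = {
    "11111111-1111-1111-1111-111111111111": ("Public", 0),
    "22222222-2222-2222-2222-222222222222": ("Internal", 1),
    "33333333-3333-3333-3333-333333333333": ("Confidential", 2),
    "44444444-4444-4444-4444-444444444444": ("Secret", 3),
}

# Constructed placeholders: accounts cleared for Confidential/Secret material.
CLEARED_USERS = {"cfo@contoso.com", "hrdirector@contoso.com"}

# Constructed sample export: one audit record per line, in the shape of the
# AuditData JSON returned by Search-UnifiedAuditLog (assumed layout).
SAMPLE_EXPORT = """
{"CreationTime": "2026-05-20T09:14:02", "Operation": "CopilotInteraction", "Workload": "Copilot", "UserId": "ops.user@contoso.com", "CopilotEventData": {"AppHost": "BizChat", "AccessedResources": [{"Name": "comp-committee-prep.docx", "Id": "https://contoso.sharepoint.com/sites/Budget/Shared%20Documents/comp-committee-prep.docx", "Type": "Document", "SensitivityLabelId": "33333333-3333-3333-3333-333333333333"}]}}
{"CreationTime": "2026-05-20T10:02:41", "Operation": "CopilotInteraction", "Workload": "Copilot", "UserId": "cfo@contoso.com", "CopilotEventData": {"AppHost": "Word", "AccessedResources": [{"Name": "comp-committee-prep.docx", "Id": "https://contoso.sharepoint.com/sites/Budget/Shared%20Documents/comp-committee-prep.docx", "Type": "Document", "SensitivityLabelId": "33333333-3333-3333-3333-333333333333"}]}}
{"CreationTime": "2026-05-21T08:30:00", "Operation": "CopilotInteraction", "Workload": "Copilot", "UserId": "ops.user@contoso.com", "CopilotEventData": {"AppHost": "Teams", "AccessedResources": [{"Name": "team-offsite.pptx", "Id": "https://contoso.sharepoint.com/sites/Migrated-FileShare/Shared%20Documents/team-offsite.pptx", "Type": "Document"}, {"Name": "onboarding-guide.docx", "Id": "https://contoso.sharepoint.com/sites/HR/Shared%20Documents/onboarding-guide.docx", "Type": "Document", "SensitivityLabelId": "22222222-2222-2222-2222-222222222222"}]}}
{"CreationTime": "2026-05-21T08:31:10", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "ops.user@contoso.com", "ObjectId": "https://contoso.sharepoint.com/sites/HR/Shared%20Documents/onboarding-guide.docx"}
"""


def parse_export(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_interactions(records, cleared_users=CLEARED_USERS, min_rank=2):
    """Return one finding per accessed resource that is unlabelled, carries an
    unknown label, or carries a label at or above min_rank for a user who is
    not on the cleared list. Non-Copilot operations are ignored."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "CopilotInteraction":
            continue
        user = rec["UserId"].lower()
        for res in rec.get("CopilotEventData", {}).get("AccessedResources", []):
            label_id = res.get("SensitivityLabelId")
            if label_id is None:
                kind, label = "unlabelled_resource", None
            elif label_id not in LABELS:
                kind, label = "unknown_label", label_id
            else:
                label, rank = LABELS[label_id]
                if rank < min_rank or user in cleared_users:
                    continue  # below threshold, or the user is cleared
                kind = "sensitive_without_clearance"
            findings.append({"when": rec["CreationTime"], "user": user,
                             "resource": res["Id"], "label": label, "kind": kind})
    return findings


def by_user(findings):
    """Group finding kinds by account for the steering-committee review."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["user"], []).append(f["kind"])
    return grouped


if __name__ == "__main__":
    for f in flag_interactions(parse_export(SAMPLE_EXPORT)):
        print(f["when"], f["user"], f["kind"], f["label"], f["resource"])
```

On the constructed sample the CFO's access to the Confidential document is not reported, while the operational user's access to the same document and to an unlabelled file both are; the SharePoint FileAccessed record is skipped because this pass only looks at Copilot groundings. Replace the label map and cleared list with the values of your own tenant and classification grid before using it on a real export.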

The Copilot governance audit, in six weeks

IgnitionAI estimate based on five Purview audit engagements run in 2024-2025 at French mid-market companies of 500 to 5,000 employees.

Weeks 1 and 2, Initial mapping. Enabling DSPM for AI on the tenant. Identifying existing Teams, SharePoint sites and OneDrive libraries. Inventory of sites with the "everyone in the organisation" option via SharePoint Advanced Management. Inventory of active OneDrive sharing links (filter those generated more than six months ago). A first DSPM report identifying the risk zones.

Weeks 3 and 4, Defining the classification policy. Defining the business sensitivity grid (Public, Internal, Confidential, Secret), often four levels. Mapping to Microsoft Purview Sensitivity Labels. Defining the associated protection policies (encryption, limited usage rights, mandatory labels on certain containers). Validation by the legal committee and the DPO. Creating the labels in the tenant.

Weeks 5 and 6, Applying and enabling the controls. Applying labels by priority batches (legal, HR, finance, leadership-committee spaces first). Enabling DLP policies on sensitive content. If needed to save time, enabling Restricted SharePoint Search as a temporary measure to limit Copilot to validated sites. Configuring the continuous-monitoring dashboard in DSPM for AI.

Beyond week 6. A monthly Copilot steering committee during the first six months post-deployment, led by a designated lead (typically DPO or CISO), with representation from the main business departments. Reviewing reported cases, adjusting labels, gradually disabling Restricted SharePoint Search as permissions are actually cleaned up.
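As an added illustration of the weeks 1 and 2 inventory (and of the first two oversharing sources described earlier, organisation-wide SharePoint sites and stale OneDrive links), the Python script below triages a permission export offline. It is not IgnitionAI's or Microsoft's code. The live inventory itself would be run with the SharePoint Online or PnP PowerShell modules or the Microsoft Graph API; this script only consumes their output. The two claim identifiers it matches, `c:0(.s|true` ("Everyone") and the `c:0-.f|rolemanager|spo-grid-all-users` prefix ("Everyone except external users"), are real SharePoint claims; `roles` and `link.scope` are real fields of Microsoft Graph driveItem permission objects. Everything else (the site list, the `item` and `created` columns, the six-month threshold of 183 days, the audit date) is constructed for the example.

```python
from datetime import date

# Real SharePoint claim identifiers for the two organisation-wide principals.
EVERYONE_CLAIM = "c:0(.s|true"                                             # "Everyone"
EVERYONE_EXCEPT_EXTERNAL_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users"  # "Everyone except external users"

# Constructed: the date the inventory was taken.
AUDIT_DATE = date(2026, 5, 24)

# Constructed sample: site URL -> login names found in the site's user list.
SITE_MEMBERS = {
    "https://contoso.sharepoint.com/sites/Budget": [
        "i:0#.f|membership|alex@contoso.com",
        "c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000",
    ],
    "https://contoso.sharepoint.com/sites/LegalCases": [
        "i:0#.f|membership|counsel@contoso.com",
    ],
    "https://contoso.sharepoint.com/sites/Migrated-FileShare": [
        "c:0(.s|true",
    ],
}

# Constructed sample: OneDrive sharing links in the shape of Microsoft Graph
# driveItem permission objects. "roles" and "link.scope" are real Graph
# fields; "item" and "created" are assumed columns of the export (Graph
# permission objects carry no creation date of their own).
SHARING_LINKS = [
    {"item": "/personal/alex/Documents/comp-committee-prep.docx",
     "roles": ["read"], "link": {"scope": "organization", "type": "view"},
     "created": "2023-11-02"},
    {"item": "/personal/alex/Documents/team-offsite.pptx",
     "roles": ["read"], "link": {"scope": "organization", "type": "view"},
     "created": "2026-04-20"},
    {"item": "/personal/sam/Documents/supplier-contract.pdf",
     "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"},
     "created": "2025-01-15"},
    {"item": "/personal/sam/Documents/notes.txt",
     "roles": ["read"], "link": {"scope": "users", "type": "view"},
     "created": "2022-06-01"},
]


def org_wide_principals(login_names):
    """Return the organisation-wide claims present in a list of login names."""
    return [n for n in login_names
            if n == EVERYONE_CLAIM or n.startswith(EVERYONE_EXCEPT_EXTERNAL_PREFIX)]


def find_open_sites(site_members):
    """Sites whose membership includes "Everyone" or "Everyone except external users"."""
    open_sites = {}
    for url, members in site_members.items():
        claims = org_wide_principals(members)
        if claims:
            open_sites[url] = claims
    return open_sites


def triage_links(permissions, today, max_age_days=183):
    """Classify sharing links: anonymous links and organisation-wide links older
    than max_age_days are marked for revocation, recent organisation-wide links
    for review; "specific people" links (scope "users") are left alone."""
    findings = []
    for perm in permissions:
        scope = perm["link"]["scope"]
        age = (today - date.fromisoformat(perm["created"])).days
        if scope == "anonymous":
            action = "revoke"
        elif scope == "organization":
            action = "revoke" if age > max_age_days else "review"
        else:
            continue
        findings.append({"item": perm["item"], "scope": scope,
                         "age_days": age, "action": action})
    # Revocations first, oldest links first within each group.
    return sorted(findings, key=lambda f: (f["action"] != "revoke", -f["age_days"]))


if __name__ == "__main__":
    for url, claims in find_open_sites(SITE_MEMBERS).items():
        print("open site:", url, claims)
    for f in triage_links(SHARING_LINKS, AUDIT_DATE):
        print(f"{f['action']:6} {f['scope']:12} {f['age_days']:4}d {f['item']}")
```

On the constructed sample the migrated file-share site and the budget site come out as open to the whole organisation (the legal site does not), and the triage lists the two-and-a-half-year-old organisation-wide link and the anonymous edit link for revocation before the month-old link that only needs review. The same ordering (oldest, broadest access first) is what feeds the priority batches of weeks 5 and 6.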

IgnitionAI estimate: typical budget for this full audit at a 500-to-5,000-person mid-market company: between €35,000 and €80,000 depending on the volume of SharePoint sites to analyse and the number of active OneDrive libraries. This can be reduced to a two-week "flash audit" for around €15,000 if the goal is only to produce a status review and set priorities, with no application phase.

AI Act and GDPR specifics for Copilot

Microsoft 365 Copilot falls into the "limited risk" category within the meaning of Article 50 of Regulation (EU) 2024/1689 on artificial intelligence. The main obligations applicable to Copilot and its agents are transparency about the AI nature of the system (Copilot explicitly presents itself as an AI assistant) and the marking of generated content. These obligations apply from 2 August 2026.

The use of Copilot by deployers (your organisation) nonetheless remains subject to the regulation's cross-cutting obligations, notably Article 4 on the AI literacy of employees (applicable since 2 February 2025).

On the GDPR side, two dimensions structure compliance.

The perimeter of the data processed. By construction, Copilot processes personal data present in the tenant (email content, Teams conversations, named files). The organisation remains the controller within the meaning of Article 4 of Regulation (EU) 2016/679. Microsoft is the processor within the meaning of Article 28. A Microsoft DPA is included in the standard Microsoft 365 contractual terms.

The right to erasure (GDPR Article 17). A user's Copilot interactions (prompts and responses) are stored in their "Copilot activity history" accessible via the My Account portal. The user can delete them themselves. For erasure needs at the request of an external data subject or a former employee, the Purview eDiscovery tools allow targeted search and deletion.

Note: Microsoft 365 Copilot holds GDPR, ISO 27001, HIPAA and ISO/IEC 42001 certifications (Microsoft Learn, Microsoft 365 Copilot privacy, section Meeting regulatory compliance requirements). The ISO 42001 certification is particularly significant: it's the first international standard dedicated to AI management systems, and its adoption by Microsoft accelerates its establishment as the reference standard for organisations using Copilot.

Recommendation by organisational maturity

All the recommendations that follow are IgnitionAI estimates based on our 2024-2025 engagements.

Organisation pre-Copilot deployment

Start the Purview audit before signing the license. The audit and remediation phase takes six to ten weeks at a reasonable pace. Build this lead time into the deployment schedule rather than trying to negotiate it down. The cost is around one to three times lower than post-incident remediation.

Organisation mid-Copilot deployment

Freeze the new license waves pending a two-week flash audit. Enable Restricted SharePoint Search as a precautionary measure during the audit. Immediately set up a Copilot steering committee including the DPO, the CISO and a business lead per department.

Organisation with Copilot deployed without a prior audit

Immediately launch a full DSPM for AI audit. Enable Insider Risk Management in parallel with the Risky AI usage template to detect anomalous uses during the audit period. Communicate to users about the "compliance phase" without interrupting Copilot use, unless a concrete incident has already been reported.

Conclusion

Microsoft 365 Copilot turns a latent problem — the oversharing accumulated in the Microsoft 365 tenant over the years — into an actionable problem at organisation scale within a few weeks.

The gap between the speed of Copilot deployment (a few technical days) and the time needed for a prior governance audit (six to ten weeks) is the main operational trap. Organisations that skip the audit to meet the original schedule then pay for that shortcut three times over in post-incident remediation, plus an unquantifiable reputational cost if the incident gets out.

Microsoft offers a complete stack of Purview tools to address the topic, and publicly acknowledges in its own documentation that most tenants aren't ready for Copilot as they are configured. The Restricted SharePoint Search feature is explicitly labelled by Microsoft as a temporary patch pending a proper permissions audit.

The right reflex: treat the Copilot deployment as a governance and compliance project. The Copilot steering committee must bring together the DPO, the CISO and a business lead per major department. Its first meeting takes place before the license is signed.

Methodology and sources

Microsoft technical sources (accessed 24 May 2026)

Regulatory sources (accessed 24 May 2026)

  • Regulation (EU) 2024/1689 of 13 June 2024 (AI Act, amended by the Digital Omnibus of 7 May 2026), official EUR-Lex version. Articles cited: 4 (AI literacy), 50 (transparency for limited-risk systems), 99 (penalties).
  • Regulation (EU) 2016/679 of 27 April 2016 (GDPR), official EUR-Lex version. Articles cited: 4 (definitions), 17 (right to erasure), 28 (processor).

Standards mentioned

IgnitionAI estimates

The duration and cost ranges cited in the article rest on five Microsoft Purview audit engagements run in 2024-2025 at French mid-market companies of 500 to 5,000 employees (industry, B2B services, public sector, insurance). The orders of magnitude can vary by ±30% depending on the volume of SharePoint sites and organisational complexity. A specific scoping is needed to price a real initiative.

Limitations and invitations to verify

  • Microsoft Purview features evolve rapidly. The commercial names, the interface and the exact capabilities may have changed since the access date indicated.
  • The opening scenario is a case reconstructed from several IgnitionAI engagements. No client is identifiable. The precise details (type of document cited, sector, size) vary from one real case to another.
  • This article does not constitute legal advice. The regulatory compliance of a Copilot deployment must be validated case by case with your DPO, your legal department and your external counsel.

Correction policy

If you identify a factual error, a source that has become outdated or a recent Microsoft change not taken into account, report it via the dedicated form on our editorial policy. The correction procedure applies within 5 business days.

Last source review

24 May 2026. This article is part of our January annual review.


This article is part of our approach to AI governance at IgnitionAI. For a Microsoft Purview audit of your Microsoft 365 tenant before or after a Copilot deployment, tell us about your project. Our page dedicated to AI governance details our full approach. See also our article on access control in an enterprise RAG which addresses the technical dimension of this topic beyond the Microsoft perimeter.
