Published: 9th July 2025

Trust, transparency and governance in the age of AI.

Microsoft 365 Copilot is changing how we work, unlocking new levels of productivity, creativity and efficiency across the digital workplace. But with this potential comes a big question: is your data ready?

That’s exactly what we explored in our recent webinar, featuring Microsoft MVP Nikki Chapple and our very own Mark Thompson. From oversharing risks to shadow AI, they unpacked the reality of Copilot readiness with clarity and confidence.

Here are the key takeaways.

Copilot doesn’t create new risks. It reveals them

One of the biggest myths about Copilot is that it introduces brand-new data security risks. But as Nikki pointed out, “Copilot can only access what you already have access to.” The real issue? Poor governance.

If your SharePoint permissions are wide open, or if Teams sites are set to public by default, Copilot will surface that data, not because it’s snooping, but because your current setup allows it.

Quick tip

Head into your Microsoft 365 admin centre and check whether any sensitive Teams or SharePoint sites are public. You might be surprised!
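One way to run that check from the command line rather than clicking through the admin centre, as an added example that is not part of the webinar or the authors' material: every Teams team and group-connected SharePoint site is backed by a Microsoft 365 Group, and a group whose AccessType is Public is readable by anyone in the tenant, so Copilot can surface its content to anyone. The script assumes the ExchangeOnlineManagement module and an admin account; the list of "sensitive" keywords is a constructed placeholder you would replace with your own.

```powershell
# Added example (not from the webinar): list public Microsoft 365 Groups and flag
# any whose names suggest sensitive content. Requires the ExchangeOnlineManagement
# module and an account with Exchange or Teams admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Assumption: words your organisation treats as sensitive. Adjust to your own context.
$sensitiveKeywords = @('HR', 'Payroll', 'Finance', 'Legal', 'Board', 'Salary')

# AccessType 'Public' means any user in the tenant can join the group and read
# its SharePoint site, which is exactly what Copilot will then be able to surface.
$publicGroups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' }

$report = foreach ($g in $publicGroups) {
    # Whole-word, case-insensitive match so 'HR' does not fire on 'Three'
    $hits = $sensitiveKeywords | Where-Object {
        $g.DisplayName -match ('\b' + [regex]::Escape($_) + '\b')
    }
    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        SharePointSiteUrl = $g.SharePointSiteUrl
        AccessType        = $g.AccessType
        LooksSensitive    = [bool]$hits
        MatchedKeywords   = ($hits -join ', ')
    }
}

# Sensitive-looking public groups first, then everything else
$report | Sort-Object -Property LooksSensitive -Descending | Format-Table -AutoSize

# Hand the list to the site owners, who decide whether the group should become Private
$report | Export-Csv -Path .\public-groups-review.csv -NoTypeInformation
```

Flipping a flagged group to private is a one-liner (`Set-UnifiedGroup -Identity <name> -AccessType Private`), but the decision belongs with the site owner, which is why the script produces a review list rather than changing anything.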

Labels, limits and control

You’ve got more power than you think

Copilot respects your sensitivity labels. When files are tagged with terms like Highly Confidential, it applies those labels to anything it creates or references. You can even block Copilot from accessing labelled content altogether.

Microsoft Purview offers a range of controls, from Data Loss Prevention (DLP) to “Restricted content discovery”, which limits Copilot’s reach to only files you’ve recently interacted with. The key? Start small, label new content and build iteratively.
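As an added example of the "start small" approach (not from the webinar or the authors), the following script fences off a single sensitive site with Restricted Content Discovery and then verifies the change. It assumes the SharePoint Online Management Shell (`Microsoft.Online.SharePoint.PowerShell`), a SharePoint admin account, and the `-RestrictContentOrgWideSearch` parameter as documented for `Set-SPOSite`; the tenant and site URLs are placeholders.

```powershell
# Added example (not from the webinar): apply Restricted Content Discovery to one
# sensitive site, then confirm the setting took effect.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint admin account.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Assumption: the site to exclude. Replace with a real site URL.
$siteUrl = 'https://contoso.sharepoint.com/sites/Payroll'

# Record the current state so the change is reversible and auditable
$before = Get-SPOSite -Identity $siteUrl |
    Select-Object Url, RestrictContentOrgWideSearch

# Users who already have access can still open files directly, but the site's
# content stops appearing in org-wide search and in Copilot responses.
Set-SPOSite -Identity $siteUrl -RestrictContentOrgWideSearch $true

# Verify rather than assume; a silent failure here is worse than an error
$after = Get-SPOSite -Identity $siteUrl |
    Select-Object Url, RestrictContentOrgWideSearch
if (-not $after.RestrictContentOrgWideSearch) {
    throw "Restricted Content Discovery was not applied to $siteUrl"
}

# One-line record to keep alongside the permission review
[pscustomobject]@{
    Site   = $siteUrl
    Before = $before.RestrictContentOrgWideSearch
    After  = $after.RestrictContentOrgWideSearch
}
```

This is deliberately per-site: it buys time to fix the permissions on that site properly (the guardrail Nikki describes) without switching off Copilot for everyone.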

As Nikki said: “It’s not about tackling everything at once. It’s about putting in guardrails for the future and working your way back.”

Doing nothing is a bigger risk

Still holding back on Copilot adoption? You’re not alone. Many organisations hesitate out of caution. But ironically, that caution can create new problems.

78% of employees are already using GenAI tools at work. And if you’re not offering secure, enterprise-ready tools like Copilot, they’ll turn to unsecured alternatives like ChatGPT, Gemini or DeepSeek.

Nikki put it bluntly: “If you’re not blocking other AI tools, it’s not a risk. It’s already an issue.”

So… how do you keep Copilot safe?

  • Use sensitivity labels and DLP to restrict Copilot’s access.
  • Monitor usage through audit logs and Microsoft Purview.
  • Phase your rollout and start with priority sites or users.
  • Use Viva Insights to combine usage data with sentiment.
  • Educate users on risks and raise awareness of shadow IT.
  • Set policies for third-party GenAI usage before bad habits form.

Most importantly, listen. The best prompts aren’t typed; they’re spoken in team meetings, raised in communities or picked up in quiet moments of hesitation.

Final word? It’s too late to wait

If your governance isn’t perfect, that’s okay. Start small. Start now.

As Nikki reminded us, “Copilot doesn’t create new risks. It reveals the ones that are already there. And if it reveals them, you can fix them.”

Need help getting started with Copilot?

Let’s talk about your governance, change plan and adoption journey. Get in touch.
