OneNote: Summary and Q&A in OneNote Mobile with Copilot (Android)

🚨 The Signal: Copilot in OneNote Mobile (Android) now offers AI-powered summaries and Q&A. This introduces new avenues for data exposure and potential for prompt injection, increasing the risk of sensitive information leakage from OneNote content.

The Impact

All users are affected, with a high security risk due to the potential for sensitive data exposure via AI summarisation and Q&A.

  • End-users: Risk of inadvertently exposing sensitive data through AI summaries.
  • Security Teams: Increased surface area for data leakage and prompt injection attacks.
  • Admins: Need to review and update data governance policies for AI-generated content.
  • Compliance Teams: New challenges in maintaining data classification and privacy standards.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to include OneNote content and Copilot interactions.
  2. Implement or refine Microsoft Entra Conditional Access policies to restrict Copilot access based on device compliance or location.
  3. Educate users on responsible Copilot use, data classification, and the risks of sharing sensitive information with AI.
  4. Monitor Microsoft 365 audit logs for unusual Copilot activity or data access patterns within OneNote.
  5. Evaluate and update your organisation's AI governance framework to specifically address Copilot in OneNote Mobile.
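For step 4, the following PowerShell is an added example (not from the original advisory) of pulling Copilot interaction records from the Microsoft 365 unified audit log and keeping those raised from OneNote; it assumes the ExchangeOnlineManagement module, an account with audit log read rights, that the `AppHost` value for OneNote contains "OneNote", and that `AccessedResources` entries carry `Name` and `SensitivityLabelId` fields.

```powershell
# Added example: review CopilotInteraction audit records originating from OneNote.
# Assumes the ExchangeOnlineManagement module is installed and the account
# connecting has permission to search the unified audit log.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# RecordType CopilotInteraction covers Copilot prompts and responses across M365 apps.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -ResultSize 5000

$oneNote = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # AppHost names the hosting app; matching on "OneNote" is an assumption.
    if ($data.CopilotEventData.AppHost -like '*OneNote*') {
        $resources = @($data.CopilotEventData.AccessedResources)
        [pscustomobject]@{
            Time        = $r.CreationDate
            User        = $r.UserIds
            AppHost     = $data.CopilotEventData.AppHost
            # Content the response drew on (assumed Name field on each resource).
            Resources   = ($resources | ForEach-Object { $_.Name }) -join '; '
            # Sensitivity labels on that content (assumed SensitivityLabelId field).
            Sensitivity = ($resources | ForEach-Object { $_.SensitivityLabelId } |
                           Where-Object { $_ }) -join '; '
        }
    }
}

# Users with an unusually high interaction count over the window (threshold is illustrative).
$oneNote | Group-Object User | Where-Object { $_.Count -gt 50 } |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Interactions whose grounding content carried a sensitivity label: review against DLP policy.
$oneNote | Where-Object { $_.Sensitivity } |
    Format-Table Time, User, Resources, Sensitivity -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 rows per call; use `-SessionCommand ReturnLargeSet` with paging for larger tenants.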

Domain: Agentic-AI · Impact: high · Workload: M365 Apps