OneNote: Summary and Q&A in OneNote Mobile with Copilot (iPhone)

🚨 The Signal: Copilot in OneNote mobile now offers AI-generated summaries and Q&A for notes. This introduces new avenues for data exposure and potential for prompt injection, impacting information governance.

The Impact

All users are affected. The security risk is rated high because AI features open new paths for data leakage and prompt injection.

  • End users: Risk of inadvertently exposing sensitive data via Copilot prompts.
  • Security teams: Increased surface area for prompt injection attacks and data exfiltration.
  • Compliance teams: New challenges in monitoring and auditing data processed by AI.
  • Administrators: Need to review and update data governance policies for AI interactions.

The Action

  1. Review and update Microsoft Purview Data Loss Prevention (DLP) policies to include OneNote mobile and Copilot interactions.
  2. Implement Microsoft Entra Conditional Access policies to restrict Copilot access based on device compliance or network location.
  3. Educate users on secure prompting practices and the risks of sharing sensitive information with AI.
  4. Monitor Microsoft Purview Audit logs for unusual Copilot activity in OneNote.
  5. Review Microsoft 365 Copilot data governance settings in the Microsoft 365 admin center.

Domain: Agentic-AI · Impact: high · Workload: M365 Apps