Microsoft Copilot (Microsoft 365): Copilot extensibility – Embedded Knowledge capability support for declarative agents.
🚨 The Signal: Developers can now embed documents (PDF, Word, PowerPoint) directly into Copilot declarative agents for enhanced grounding. This expands agent knowledge sources and increases the potential for data exposure if the embedded content is not properly governed.
The Impact
Embedding documents in Copilot agents creates new risks of sensitive data exposure for developers, security teams, data owners and compliance officers.
- Developers: Can inadvertently embed sensitive data into agents.
- Security Teams: Must monitor and audit agent knowledge sources for compliance.
- Data Owners: Risk of their sensitive documents being exposed via agents.
- Compliance Officers: Increased complexity in demonstrating data protection for AI.
The Action
- Establish clear data classification and handling policies for Copilot agent knowledge.
- Implement data loss prevention (DLP) policies to prevent embedding of sensitive data into agents.
- Conduct regular security audits of Copilot agent configurations and embedded knowledge sources.
- Educate developers on secure coding practices for AI agents and data governance principles.
- Review and update existing information security policies to explicitly cover AI agent data handling.
Domain: Agentic-AI · Impact: high · Workload: Other