Microsoft Copilot (Microsoft 365): Copilot uses enterprise assets hosted on SharePoint OAL when creating presentations with Copilot

🚨 The Signal: Copilot can now use images from SharePoint Organization Asset Libraries (OALs) to create presentations. This expands Copilot's access to internal visual assets, increasing the risk of sensitive image exposure if OALs are not properly secured.

The Impact

Content creators and security teams are affected; there is a risk of inadvertent exposure of sensitive organizational images.

  • Content creators: May inadvertently include sensitive images if OALs are not curated.
  • Security teams: Increased scope for data loss prevention and access control monitoring.
  • Compliance officers: Need to verify OAL content aligns with data classification policies.
  • IT administrators: Must ensure OAL permissions are strictly managed and reviewed.

The Action

  1. Review all existing SharePoint Organization Asset Libraries for sensitive or unapproved content.
  2. Implement strict access controls (e.g., Entra ID groups) for who can upload and manage OAL content.
  3. Use Microsoft Purview Data Loss Prevention (DLP) policies to scan OALs for sensitive information.
  4. Educate users on appropriate content for OALs and the implications of Copilot's access.
  5. Regularly audit OAL content and permissions to ensure ongoing compliance and security.
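One way to carry out steps 1 and 5 together, as an added PowerShell example that is not part of the original advisory: enumerate the Organization Asset Libraries Copilot can now draw from, then list every site group that can add or change files in them and flag groups that include broad principals. It assumes the SharePoint Online Management Shell, a `<tenant>` placeholder, and the property names shown in the documented `Get-SPOOrgAssetsLibrary` output.

```powershell
# Added example (not from the original advisory): audit which Organization Asset
# Libraries exist and who can change their content, since Copilot will reuse it.
# Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint Administrator.
# Replace <tenant> with your tenant name.
# Assumption: OAL objects expose LibraryUrl, DisplayName and OrgAssetType as in the
# documented cmdlet output; adjust the property names if your module version differs.

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Roles that allow adding or replacing files (what Copilot will later pick up).
$writeRoles = @('Full Control', 'Design', 'Edit', 'Contribute')

# Broad principals that should not hold write rights on a brand library
# (display names plus the claim-encoded forms of "Everyone" and
# "Everyone except external users" that appear in group membership).
$broadPrincipals = @('Everyone', 'c:0(.s|true', 'spo-grid-all-users', 'All Users')

$findings = foreach ($lib in (Get-SPOOrgAssetsLibrary).Libraries) {
    # Assumption: the library lives in the root site or a /sites or /teams site
    # collection; trim the URL to that site collection for site-level cmdlets.
    $siteUrl = [regex]::Match($lib.LibraryUrl, '^https://[^/]+(/(sites|teams)/[^/]+)?').Value
    $site = Get-SPOSite -Identity $siteUrl

    foreach ($group in Get-SPOSiteGroup -Site $siteUrl) {
        $canWrite = @($group.Roles | Where-Object { $writeRoles -contains $_ }).Count -gt 0
        if (-not $canWrite) { continue }

        $hasBroadMember = @($group.Users | Where-Object {
            $user = $_
            ($broadPrincipals | Where-Object { $user -like "*$_*" }).Count -gt 0
        }).Count -gt 0

        [pscustomobject]@{
            Library         = $lib.DisplayName
            LibraryUrl      = $lib.LibraryUrl
            AssetType       = $lib.OrgAssetType
            Group           = $group.Title
            Roles           = ($group.Roles -join ', ')
            MemberCount     = @($group.Users).Count
            BroadAccess     = $hasBroadMember
            ExternalSharing = $site.SharingCapability
        }
    }
}

# Review BroadAccess = True and any non-Disabled ExternalSharing first.
$findings | Sort-Object BroadAccess -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path ".\oal-permission-audit.csv" -NoTypeInformation
```

Schedule the script to run on the cadence chosen for step 5 and diff the CSV against the previous run to catch newly granted write access.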

Domain: SharePoint · Impact: high · Workload: SharePoint