Microsoft Copilot (Microsoft 365): Drafting on a selection includes being able to reference files, emails, and meetings
🚨 The Signal: Copilot can now reference selected document content alongside files, emails, and meetings for drafting. This increases the potential for sensitive data exposure if users are not trained on responsible AI use and data handling.
The Impact
All users are affected: Copilot's enhanced referencing capabilities increase the risk of inadvertent sensitive data exposure.
- End users: Risk of oversharing sensitive data in Copilot-generated content.
- Security teams: Increased monitoring complexity for data leakage via Copilot.
- Data owners: Potential for unauthorized access to sensitive information.
- Compliance officers: Challenges in demonstrating adherence to data protection policies.
The Action
- Review and update existing data loss prevention (DLP) policies to specifically address Copilot interactions and content generation.
- Implement or reinforce sensitivity labels on all sensitive documents, emails, and meeting transcripts.
- Conduct mandatory user training on responsible AI use, data classification, and the implications of Copilot's enhanced referencing.
- Monitor Microsoft Purview Audit logs for Copilot activities involving sensitive data.
- Evaluate Microsoft Purview Communication Compliance policies for potential Copilot-related data leakage.
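One way to act on the audit-log monitoring item above, as an added example that is not Microsoft's code or part of the original notice: a triage pass over exported audit records that reports every Copilot interaction referencing a resource with a watched sensitivity label. The field names (`Operation`, `CopilotEventData`, `AccessedResources`, `SensitivityLabelId`, `AppHost`) are assumed from the CopilotInteraction audit schema and should be checked against a real export; the label GUIDs, users and records are constructed.

```python
import json

# Constructed placeholders: sensitivity label GUIDs this tenant wants to watch.
WATCHED_LABELS = {
    "11111111-1111-1111-1111-111111111111": "Confidential",
    "22222222-2222-2222-2222-222222222222": "Highly Confidential",
}

# Constructed AuditData records, one JSON object per line. Field names are
# assumed from the CopilotInteraction audit schema; check them against an export.
SAMPLE_EXPORT = "\n".join([
    '{"Operation":"CopilotInteraction","UserId":"alice@example.com",'
    '"CopilotEventData":{"AppHost":"Word","AccessedResources":['
    '{"Type":"File","Name":"Q4-forecast.xlsx",'
    '"SensitivityLabelId":"22222222-2222-2222-2222-222222222222"},'
    '{"Type":"EmailMessage","Name":"RE: lunch"}]}}',
    '{"Operation":"CopilotInteraction","UserId":"bob@example.com",'
    '"CopilotEventData":{"AppHost":"Teams","AccessedResources":[]}}',
    '{"Operation":"FileAccessed","UserId":"bob@example.com"}',
    '{"Operation":"CopilotInteraction","UserId":"carol@exam',  # truncated row
    '{"Operation":"CopilotInteraction","UserId":"carol@example.com",'
    '"CopilotEventData":{"AppHost":"Outlook","AccessedResources":['
    '{"Type":"TeamsMeeting","Name":"Board prep",'
    '"SensitivityLabelId":"11111111-1111-1111-1111-111111111111"}]}}',
])

def flag_labeled_references(export_text, watched=WATCHED_LABELS):
    """Return one finding per watched-label resource referenced by Copilot."""
    findings = []
    for lineno, line in enumerate(export_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # JSONDecodeError is a ValueError subclass
            # Surface damaged rows so they are reviewed rather than silently lost.
            findings.append({"line": lineno, "error": "unparseable record"})
            continue
        if rec.get("Operation") != "CopilotInteraction":
            continue  # other workloads are out of scope for this check
        data = rec.get("CopilotEventData") or {}
        for res in data.get("AccessedResources") or []:
            label = watched.get(res.get("SensitivityLabelId"))
            if label:
                findings.append({"line": lineno, "user": rec.get("UserId"),
                                 "app": data.get("AppHost"), "type": res.get("Type"),
                                 "resource": res.get("Name"), "label": label})
    return findings
```

Unlabeled resources never appear in the output, so the check is only as complete as the labeling coverage called for in the second action item.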
Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview