Microsoft Copilot (Microsoft 365): Copilot Prompt Gallery - Company-wide prompt publishing

🚨 The Signal: Organisations can now publish custom Copilot prompt galleries tenant-wide. This centralises prompt management, but a published prompt is trusted content that every user can run with one click, so an unvetted or malicious prompt becomes a distribution channel for prompt injection and for steering Copilot into surfacing sensitive data.

The Impact

All users in the tenant are affected, and the security risk is high: a poorly designed or malicious published prompt can embed injected instructions or nudge Copilot into pulling sensitive content into outputs that are then shared onward. Copilot still honours the invoking user's existing permissions, so the exposure is of data the user can already reach, but at tenant scale and without the user having authored the prompt.

  • End Users: Risk of data exposure if prompts are not vetted.
  • Security Team: Increased attack surface for prompt injection.
  • Admins: New responsibility for prompt governance and review.
  • Compliance Officers: Need to update acceptable use policies for AI.

The Action

  1. Define a clear policy for who may create and publish prompts, and for what data classes a published prompt may reference.
  2. Establish a review and approval workflow for all published prompts, with a named owner and a reviewer who checks the prompt text for embedded instructions before it goes live.
  3. Educate users on secure prompting practices and data handling, including not pasting sensitive content into prompts that will be published or shared.
  4. Monitor Copilot usage for unusual prompt patterns or data access, and alert on newly published or modified prompts.
  5. Regularly audit published prompts for compliance and security, and retire prompts that no longer have an owner.

Domain: Agentic-AI · Impact: high · Workload: Other