Microsoft Copilot (Microsoft 365): Copilot Memory
🚨 The Signal: Microsoft 365 Copilot now retains conversation memory, custom instructions, and Microsoft Graph insights to personalize responses. Users control their own memory; the feature enables tailored assistance but increases data exposure risk.
The Impact
All Copilot users are affected, with a moderate security risk due to increased data persistence and potential for sensitive information retention.
- End-users: Risk of sensitive data being retained in Copilot memory.
- Security Teams: Increased scope for data governance and e-discovery.
- Privacy Officers: New considerations for user consent and data retention policies.
- Compliance Teams: Potential for non-compliance with data handling regulations.
The Action
- Review and update data retention policies for Copilot interactions.
- Communicate to users how Copilot memory works and their control options.
- Monitor Copilot usage for sensitive data exposure via Purview Audit logs.
- Educate users on responsible use of Copilot with sensitive information.
- Consider implementing Microsoft Purview Data Loss Prevention (DLP) policies for Copilot.
Domain: Agentic-AI · Impact: medium · Workload: Other