Microsoft Copilot (Microsoft 365): Copilot uses enterprise assets hosted on SharePoint OAL or Templafy when creating a slide

🚨 The Signal: Copilot for Microsoft 365 can now pull images from SharePoint Organization Asset Libraries (OALs) or from Templafy when it creates slides. Every image in those libraries becomes candidate content for a generated deck, so an OAL that holds unapproved, stale or sensitive images is now a data-exposure path. Note that an OAL site is, by design, readable by everyone in the tenant; the effective controls are therefore what gets published to the library and who can publish to it, not per-item read permissions.

The Impact

Every user who works with Copilot is affected: a generated deck can now carry any image the connected libraries hold, including assets that were uploaded but never approved for organization-wide use.

  • End Users: Risk of inadvertently including sensitive or unapproved images in Copilot-generated content, often without noticing where the image came from.
  • Security Teams: A new egress path for library contents. Because an OAL must be readable tenant-wide, the controls that matter are contributor and owner membership and library curation, not finer read permissions.
  • Admins: Review existing SharePoint OAL and Templafy configurations for who can add or change content and for what is actually published.
  • Compliance Teams: New considerations for the classification, and where applicable the data residency, of assets that Copilot may reuse.

The Action

  1. Inventory all SharePoint Organization Asset Libraries (Get-SPOOrgAssetsLibrary) and review who can add or change content in each; keep contributor and owner membership to the approved brand or content team, and deregister any library that does not hold assets intended for organization-wide use.
  2. Verify that sensitivity labels are applied to the assets in each OAL and that nothing classified above the level appropriate for tenant-wide visibility remains in a library.
  3. Audit Templafy connectors and configurations so that only approved content sources are reachable by Copilot.
  4. Implement or reinforce data loss prevention (DLP) policies that detect and block external sharing of Copilot-generated documents containing sensitive content.
  5. Educate users on responsible use of Copilot with organizational assets and on checking the provenance of images in generated content before sharing it.
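The inventory and permission review in steps 1 and 2 can be scripted. The following is an added example and is not part of the original advisory or of Microsoft's documentation. It assumes the SharePoint Online Management Shell module and a SharePoint Administrator account; the admin URL is a placeholder, the set of permission levels treated as "write" and the absolute form of the LibraryUrl property are assumptions to confirm against your tenant. For each registered OAL it lists the site groups, their permission levels, and flags the one configuration that should never appear on an OAL: a tenant-wide principal ("Everyone" or "Everyone except external users") holding a write-capable permission level.

```powershell
# Added example (not from the original advisory). Assumes Microsoft.Online.SharePoint.PowerShell
# and a SharePoint Administrator account. Placeholder tenant URL below.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder: your -admin URL

# Permission levels that let a principal add or change assets Copilot can pull into slides.
# (Assumption: default permission level names; add any custom ones your tenant uses.)
$WriteRoles = @('Full Control', 'Design', 'Edit', 'Contribute')

# Claim prefixes for tenant-wide principals: "Everyone" and "Everyone except external users".
$TenantWideClaims = @('c:0(.s|true', 'c:0-.f|rolemanager|spo-grid-all-users/')

function Get-SiteUrlFromLibraryUrl {
    param([string]$LibraryUrl)
    # Assumes an absolute URL such as https://contoso.sharepoint.com/sites/brand/Assets and keeps
    # the host plus an optional /sites/<name> or /teams/<name> segment (root-site libraries work too).
    if ($LibraryUrl -match '^(https://[^/]+(?:/(?:sites|teams)/[^/]+)?)') { return $Matches[1] }
    throw "Unexpected LibraryUrl format: $LibraryUrl"
}

# Get-SPOOrgAssetsLibrary returns the registered libraries; OrgAssetsLibraries/LibraryUrl are the
# property names observed in the cmdlet output (assumption: verify with Format-List * if it differs).
$libraries = (Get-SPOOrgAssetsLibrary).OrgAssetsLibraries

$report = foreach ($lib in $libraries) {
    $siteUrl = Get-SiteUrlFromLibraryUrl -LibraryUrl $lib.LibraryUrl

    foreach ($group in Get-SPOSiteGroup -Site $siteUrl) {
        # Does this group carry a permission level that allows writing to the library?
        $hasWrite = $false
        foreach ($role in $group.Roles) { if ($WriteRoles -contains $role) { $hasWrite = $true } }

        # Does the group contain a tenant-wide principal? (Expected in Visitors with Read only.)
        $tenantWide = $false
        foreach ($u in $group.Users) {
            foreach ($claim in $TenantWideClaims) { if ($u.StartsWith($claim)) { $tenantWide = $true } }
        }

        if ($hasWrite -and $tenantWide) { $finding = 'EVERYONE CAN WRITE - fix now' }
        elseif ($hasWrite)              { $finding = 'write access - review members' }
        else                            { $finding = 'read only (expected for an OAL)' }

        [pscustomobject]@{
            Library    = $lib.LibraryUrl
            Site       = $siteUrl
            Group      = $group.Title
            Roles      = ($group.Roles -join ', ')
            Members    = @($group.Users).Count
            TenantWide = $tenantWide
            Finding    = $finding
        }
    }
}

$report | Sort-Object Finding, Site, Group | Format-Table -AutoSize
$report | Export-Csv -Path .\oal-permissions.csv -NoTypeInformation
```

Run it from an account that is a SharePoint Administrator; `Get-SPOSiteGroup` needs admin rights on each asset site. Rows marked "read only" are the normal state of an OAL, since the site must be readable tenant-wide for the library to function; the rows to act on are any with a write-capable role, and especially any flagged as tenant-wide writable, because every image added there becomes available to Copilot for everyone's slides.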

Domain: Agentic-AI · Impact: high · Workload: SharePoint