Microsoft Copilot (Microsoft 365): Copilot uses enterprise assets hosted on SharePoint OAL or Templafy when creating a slide

🚨 The Signal: Copilot can now use images from SharePoint Organization Asset Libraries or Templafy to create slides. This expands Copilot's access to internal content, increasing the risk of sensitive data exposure if asset libraries are not properly secured.

The Impact

All users of Copilot are affected. The security risk is inadvertent exposure of sensitive or unapproved organisational assets.

  • Security Teams: Increased risk of data leakage from improperly secured asset libraries.
  • Content Owners: Risk of unapproved or sensitive images being used in Copilot-generated content.
  • End Users: Potential for accidental inclusion of restricted assets in presentations.
  • Compliance Teams: New considerations for data governance and classification of organisational assets.

The Action

  1. Review permissions on all SharePoint Organization Asset Libraries (OALs) to ensure least privilege.
  2. Implement or refine data classification labels for all assets stored in OALs and Templafy.
  3. Educate users on responsible use of Copilot and the implications of using organisational assets.
  4. Monitor Copilot usage logs for unusual access patterns to OALs or Templafy-connected assets.
  5. Establish clear guidelines for what content is permissible in OALs for Copilot consumption.
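
For step 1, the following added example (not part of the original advisory and not Microsoft tooling) triages a permissions export for OALs and flags assignments that need a manual least-privilege decision. The CSV layout, library names and accounts are constructed for illustration; the permission level names and the `#EXT#` guest marker are standard SharePoint and Entra ID conventions.

```python
import csv
import io

# SharePoint permission levels that allow adding or changing library content.
WRITE_LEVELS = {"Full Control", "Design", "Edit", "Contribute"}
# Built-in principals that cover (nearly) the whole tenant.
BROAD_PRINCIPALS = {"everyone", "everyone except external users"}

# Constructed sample export; the column layout is an assumption of this example.
SAMPLE_EXPORT = """library,principal,login,level
Brand Images,Everyone except external users,spo-grid-all-users,Read
Brand Images,Brand Team,brand-team@contoso.example,Edit
Event Photos,Everyone except external users,spo-grid-all-users,Contribute
Event Photos,Agency Guest,designer_agency.example#EXT#@contoso.example,Read
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_assignments(rows):
    """Return (library, principal, finding) tuples that need a manual decision."""
    findings = []
    for row in rows:
        library, principal = row["library"].strip(), row["principal"].strip()
        broad = principal.lower() in BROAD_PRINCIPALS
        writes = row["level"].strip() in WRITE_LEVELS
        if broad and writes:
            # Anyone in the tenant can add images that then become reusable assets.
            findings.append((library, principal, "broad-write"))
        elif broad:
            # Expected for an OAL, but the contents must then be approved for all users.
            findings.append((library, principal, "broad-read"))
        if "#ext#" in row["login"].lower():
            # Guest accounts carry #EXT# in their user principal name.
            findings.append((library, principal, "guest-access"))
    return findings


if __name__ == "__main__":
    for library, principal, finding in review_assignments(load_rows(SAMPLE_EXPORT)):
        print(f"{finding:12} {library}: {principal}")
```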

Domain: Agentic-AI · Impact: high · Workload: SharePoint