Microsoft Copilot (Microsoft 365): Show more results in Copilot Chat
🚨 The Signal: Copilot Chat now retrieves more search results (emails, meetings, files) on demand. This increases the potential exposure of sensitive information if underlying data permissions are not strictly controlled, impacting data governance and compliance.
The Impact
All users are affected: Copilot's enhanced retrieval capabilities increase the risk of inadvertent sensitive data exposure.
- End users: Increased risk of inadvertently accessing or sharing sensitive data.
- Security teams: Heightened need to audit and enforce data access policies.
- Data owners: Greater responsibility to ensure correct permissions on all M365 content.
- Compliance officers: Potential for non-compliance with data handling regulations due to broader data access.
The Action
- Review and enforce Microsoft Purview Data Loss Prevention (DLP) policies for Copilot interactions.
- Audit SharePoint Online and OneDrive for Business site permissions and sharing settings to ensure least privilege.
- Implement or refine sensitivity labels in Microsoft Purview to classify and protect sensitive information.
- Educate users on responsible Copilot usage and the implications of 'show me more' for data exposure.
- Monitor Copilot activity logs for unusual data access patterns or sensitive information retrieval.
Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview