Microsoft 365 Copilot: Tackling Oversharing Risks with New Governance Features

  • Thread Author
Microsoft is making significant strides to address a growing concern for enterprise users of its Microsoft 365 Copilot: inadvertent "oversharing" of sensitive company data. Debuting at Microsoft's Ignite 2024 event, new features targeting data governance and security are aimed at taming the risks attached to this AI-driven assistant. While the promise of streamlined work and unparalleled access to organizational knowledge makes tools like Copilot very enticing, many companies have halted or delayed deployments due to fears surrounding unauthorized data access.
Let’s dive into the crux of this issue and explore how Microsoft plans to keep data governance nightmares at bay.

The Problem: Generative AI’s Double-Edged Sword​

At its best, M365 Copilot leverages generative AI to simplify workflows by surfacing relevant documents, email content, Teams discussions, and organizational files to users with context-specific precision. But therein lies the catch: the assistant operates by analyzing oceans of corporate data, and without proper safeguards, it could inadvertently deliver sensitive files to unauthorized eyes.
Here are a few real-world scenarios where Copilot’s efficiency turned problematic:
  • Unintended Disclosures: Employees unknowingly viewed payroll details, confidential legal documents, or strategic plans that were accidentally available for Autosuggestions.
  • Mismanaged Permissions: SharePoint or OneDrive setups with lax access controls ("public" versus "private" permissions) allowed unintentional data exposure.
  • Sensitivity Labels Ignored: A lack of sensitivity tags rendered sensitive files indistinguishable from benign documents within Copilot's requests.
Such issues stem from structural and operational oversights, including default settings that prioritize ease of collaboration while inadvertently compromising data exclusivity.

Microsoft’s Enhanced Toolkit Against Oversharing​

1. Upgraded SharePoint Advanced Management (SAM) for Oversharing Fixes

Microsoft’s first order of business is drastically tightening SharePoint’s governance tools. Previously a SharePoint Premium add-on, SAM will now provide:
  • Permission Reports: Real-time status updates can highlight "overshared" sites or files.
  • Access Reviews: Notifications will push site administrators to evaluate active permissions and make corrective adjustments.
  • Restricted Content Discovery: Admins can completely block Copilot from accessing data within flagged SharePoint sites. Regular users retain access, but the AI is kept out.
Interestingly, while SAM tools usually come with an extra cost ($3/user per month), these will be available to all Copilot subscribers for free starting in early 2025.

2. Purview: The Powerhouse of Data Governance

Purview, Microsoft’s data governance suite, takes center stage in this fight. New features designed specifically for Copilot include:
  • Oversharing Assessments: Purview’s AI scans SharePoint and OneDrive files for overly permissive access and flags their exposure risk.
  • Data Loss Prevention (DLP): Organizations can now set sensitivity-based exclusion criteria, barring specific documents from being processed by Copilot.
  • Insider Risk Management for AI: A clever mechanism under deployment, it detects suspicious behavior like employees using prompts involving sensitive keywords or attempting to retrieve restricted data within the AI system.
Notably, the Purview updates are considered premium features (available through Microsoft’s E5 subscriptions). This division ensures enterprises serious about safeguarding data can onboard advanced tools while maintaining scalability.

3. Blueprints for Rollout Governance

To ease the adoption process, Microsoft has launched deployment "blueprints." These are detailed guides tailored to three stages:
  • Pilot Testing: Ensure small-scale testing uses minimally sensitive data pools.
  • Full Deployment: Deploy secure configurations.
  • Ongoing Maintenance: Periodically monitor for policy drift or potential oversights.
Organizations can choose from basic or "optimized" paths depending on their governance needs and Microsoft Purview license.

Challenges to Adoption: Why Data Governance Isn’t Plug-and-Play​

The biggest hurdle? Implementing these governance models across multi-departmental setups overflowing with legacy SharePoint archives and inconsistent permissions. Here’s why:
  1. File Volume Chaos: Some organizations store millions of files, making manual reviews impractical without advanced automation.
  2. User Awareness Gaps: Many employees, comfortable sharing files for collaboration, haven’t been educated on access hierarchies.
  3. Cost Scenarios: Adding tools like Purview stretches budgets in environments already managing escalating IT expenditures.
A study conducted by Gartner revealed that 40% of businesses delayed M365 Copilot rollouts due to governance concerns. Alarmingly, the same survey found that nearly two-thirds of firms found securing generative AI deployments to be resource-draining.
Even with Microsoft's robust tools, InfoSec professionals must grapple with follow-up challenges: ensuring file owners apply the correct security labels and training employees on avoiding unsafe storage practices.

Innovations Born of Competition: Third-Party Tools Jump Into the Fray​

Notably, Microsoft is far from alone in this ecosystem. Third-party vendors like Varonis and Syskit are developing standalone solutions that integrate with M365 specifically to address oversharing risks. These firms provide their own nuanced versions of permission diagnostics, user auditing, and sensitivity-aware access restrictions.
For businesses whose workflows span hybrid setups (involving Google Workspace or Slack connectors alongside Microsoft), these tools often provide broader compatibility.

So, What Does This Mean for the Everyday User?​

Let’s reframe the impact through an approachable lens: Imagine a scenario at your workplace. You innocently ask Copilot to “summarize recent company announcements.” Voila—minutes later, it produces announcements…plus salary figures inadvertently buried inside an innocuous document. That’s the nightmare everyone is racing to prevent, and thankfully, the newest upgrades drastically reduce that risk.
For employees, expect to:
  1. Adapt Quickly: Recognize which files can safely be included in prompts without triggering alarms (or summoning the wrath of your DLP officer).
  2. Retrain Permissions Logic: Watch for notifications requesting periodic file or site permissions revisions.
  3. Carry Awareness: Before hitting "upload" on SharePoint or OneDrive, verify that unnecessary sharing permissions aren't enabled by default.

Long-Term Implications for Microsoft and Beyond​

Microsoft’s rollout of Copilot governance features is one chapter in a larger story about reconciling generative AI promise with security priorities. Many expect rival platforms—Amazon’s Bedrock or Google Workspace’s Duet AI—to encounter similar dilemmas as their AI assistants reach enterprise readiness.
For now, Microsoft is capitalizing on both its multi-billion-dollar cloud ecosystem and a growing trend: nearly 25% of surveyed firms have upgraded to Microsoft Purview services to futureproof AI deployments.
From an industry perspective, these developments will almost certainly reshape Total Cost of Ownership (TCO) calculations for AI tools:
  • Organizations will weigh Copilot's ability to boost worker productivity against required infrastructure and governance investments.
  • Meanwhile, employees will increasingly evaluate their own habits to avoid unintentional leaks or compliance violations.

The Verdict: Progress, Not Perfection​

Microsoft’s willingness to clamp down on Copilot oversharing deserves recognition. The challenges of generative AI governance represent uncharted waters, yet tools like SharePoint's interconnected SAM and Purview promise smoother sailing for enterprise adopters.
Ultimately, the fate of AI in the workplace will depend on how successfully designers (and users) tame rogue systems. Until then, deploying Copilot might feel less like plugging in a new assistant and more like babysitting a hyper-curious intern who occasionally stumbles upon classified secrets.

Source: Computerworld Microsoft moves to stop M365 Copilot from ‘oversharing’ data
 


Back
Top