How to Mitigate Compliance and Security Risks of Microsoft 365 Copilot

• Microsoft 365 Copilot adoption introduces risks across several security and compliance categories.
• Customers must evaluate the risks and their potential mitigations before adopting the Copilot.
• Postponing addressing the risks until after adoption could result in issues such as leaked data and compliance violations.
• Some of the associated risks are mitigated by Microsoft, but customers should validate the company’s claims on how this is done.

Microsoft 365 Copilot (referred to as Copilot throughout this report, although Microsoft offers numerous other Copilots) is an assistance technology that enables Microsoft 365 and Office 365 application users to quickly generate content, find information, and execute tasks using a uniform natural language–based chat UI. (Copilot is licensed as a single add-on across all Microsoft 365 and Office 365 applications.) 

Organizations adopting Copilot should understand the potential risks and possible mitigations in several areas prior to adoption. These areas include data access, leakage, and residency; privacy; intellectual property; and the reliance on potentially incorrect information, all of which can affect an organization’s ability to meet compliance and security obligations.