By Noeleen Schenk |

December 15, 2023

What is Microsoft Copilot?

Embracing innovative technologies like Microsoft 365 Copilot and Generative AI marks a significant leap in how we interact with data.  These AI-driven advancements hold immense potential, reshaping workflows and enhancing productivity. However, amid this rapid technological evolution, the imperative for stringent information governance becomes apparent.

Copilot is one of Microsoft’s AI assistant tools that combines Large Language Models (LLMs) with organisations’ content in the Microsoft Graph and the Microsoft 365 apps to increase users’ productivity.

Consistent themes are emerging from organisations who are testing Copilot as well as software development houses, who are designing solutions to enhance its potential.

This blog aims to explore why information governance holds crucial significance in today’s technological landscape, especially in light of recent advancements like Microsoft Copilot and Generative AI. We will also highlight some of the potential information risks.

Microsoft copilot

Are we ready for Copilot?

We recently attended an event hosted by the Information and Records Management Society (IRMS) which focused on Copilot’s readiness for meeting organisations’ requirements, including privacy and security. Vivek Bhatt, CTO at Infotechtion, shared insights from his team’s own experience of testing Copilot in M365, as well as collaborating with other companies.  At a separate event, we heard from the Product Manager and Engineering Team Lead at Syskit, a software company for Microsoft 365 management and governance, who discussed ways to secure and govern Copilot for Microsoft 365.

Challenges and opportunities

The adoption and utilisation of Copilot can amplify prevailing information and governance challenges, emphasising the importance for organisations to proactively manage their governance risks.

Beyond the actors that traditionally play a part in information governance (e.g., Information Management, IT, Security, Legal), embracing products such as Microsoft Copilot presents an opportunity to engage users in security and governance, where historically these protocols have often been perceived as barriers. With effective change management, users are more likely to buy-in to the notion of managing information so that they can leverage the benefits of Generative AI.

Key information risks

The majority of information risks relating to the adoption of Microsoft Copilot fall broadly into two categories: security risk and data quality.

User requests can be generated from a number of different applications, e.g., Word, Excel, SharePoint, and Teams, then Copilot will use data from the organisations’ Microsoft tenant (set of services assigned to your organisation) to enrich the request before it goes to an LLM, and then via Microsoft Graph before returning a response. LLMs reside beyond the tenant boundary so do not have access to data within the boundary but do receive some data. This means that without sufficient controls in place there is a risk of sensitive information leaving your tenant.

Continuing the theme of security, Copilot can access sharing links, so where users have chosen to share a link with everyone in an organisation, as opposed to restricting access to an individual or group, Copilot could surface material which was not previously visible to someone.  Lack of data protection controls, including sensitivity labels, can exacerbate this issue. Similarly, public Teams sites should also be taken into consideration as Copilot can access those too.

Low quality input yields low quality output, so organisations need to ensure their data is current, accurate, relevant, complete, and void of ROT (Redundant, Outdated, or Trivial content.) Implementing lifecycle management, including sensitivity labels and retention rules, can help mitigate risks around data quality and ensure that Copilot returns meaningful results.

Generative AI is helping us create more content, but without sufficient controls and a governance framework in place, it will become increasingly challenging to manage.

Echoing these sentiments, Lisa Heneghan, KPMG’s Global Chief Digital Officer, noted that it “isn’t just about using technology, it is also about the policies you put in place to encourage ways of working.” Lisa also highlights the importance of having a clear and curated information architecture to ensure the integrity of the data, and setting appropriate permissions which is imperative for creating a secure environment. KPMG was among the limited number of global organisations granted early access to Microsoft 365 Copilot, during which time 300 professionals from selected functions across the organisation tested the technology.

A new frontier in data-driven innovation

The advent of Microsoft Copilot and Generative AI presents a new frontier in data-driven innovation. However, the true key to unlocking their potential lies not just in their capabilities but in the implementation of robust information governance practice. As echoed by industry experts and affirmed through recent experiences, embracing information governance in not merely a choice but a necessity in harnessing the true power of these technological advancements.  It’s in this strategic alignment between cutting-edge technology and meticulous governance that organisations will thrive in the AI-driven era.

Metataxis helps organisations address their information governance challenges, particularly in M365, which will prepare our clients well to embrace Copilot. We have extensive experience in developing information governance frameworks, access models and devising strategies how M365 functionality can be best used.

If you would like to learn more, simply get in touch today