Microsoft Copilot: Establishing governance for responsible AI assistance

8 min read

Months after Microsoft made Copilot available for audiences worldwide, many organizations are already looking into introducing this AI tool for their teams.    

To maximize the benefits of Copilot, however, it is essential to consider governance. When governance is not thought through, chances are that you burn your fingers and your ambitious Copilot project hits the wall. This is precisely what understanding the relevance of Copilot governance helps you avoid.

What is Microsoft 365 Governance? 

M365 governance comprises a set of processes and structures used to manage and control the tenant. In the context of Copilot for Microsoft 365, this means that organizations need to establish policies and automated procedures that control the use of Copilot and ensure it meets the organization's compliance requirements and security standards.

Why is Governance important for Copilot and how can it be implemented? 

Copilot has access to a wide range of data and information, including sensitive company data, thanks to the Microsoft Graph API, access to the Semantic Search Index and its various Copilot extensions. It is therefore important that companies regulate data security, compliance and control before implementing Copilot.

Data security through guidelines 

First, companies must ensure that the data used by Copilot is protected against unauthorised access and any kind of loss or damage. Copilot relies on the existing, already assigned permission structures to function – be it in SharePoint, OneDrive or Microsoft Teams. However, any permission setting, no matter how well designed, is superseded the moment users "share" the file freely. Have you already discovered documents on Delve that should not be visible to you? This is the first litmus test.

Allow me to expand on my point with a simple example: Adele Vance creates sensitive documents about salary increases and reorganisations in a private "Payroll HR" team with very few members.

Then, through ignorance or sabotage, these documents are shared in a public team with many members. By simply copying and pasting the document URL into the chat, the sensitive document becomes accessible to everyone in that chat, who can immediately read the information.



When we ask Copilot about reorganisation initiatives inside the company, salary lists or new CEOs, Copilot indicates that these documents were found but are information protected. Nevertheless, they can be accessed easily by clicking on the footnote.


How Rencore Copilot Dashboard can support you 

The Rencore Governance Copilot Dashboard can help here by listing these sensitive documents.


The report "SharePoint Files shared with everyone in the tenant" (top right) is built as follows in the Report Builder and reads SharePoint file sharing data (it also works at OneDrive level; Teams uses both):


It is important to emphasise here that our efforts should not end at dashboards and reports. Automated processes take the workload off us and make sure that security and compliance-related tasks are not forgotten. As a firm believer in change management, I first recommend proactive communication with users: show them the best practices around governance & Copilot and tell them that they are not yet handling it perfectly. This can also be communicated to an entire team via a Microsoft Teams channel message. Only if the users show no change in behaviour is it advisable to stop the sharing automatically. All three activities can be automated as follows once a threshold value in the reports is reached.
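The following Python script is an added example, not Rencore's or Microsoft's code, showing the logic behind the "files shared with everyone in the tenant" report and the three-step escalation (notify the owner, post to the team channel, stop sharing). It assumes an input shaped like the `permissions` collection Microsoft Graph returns for a driveItem (only the `link.scope` and `id` fields are used); the file paths and permission entries are constructed for this example, and the Adele Vance scenario from above is reused.

```python
"""Detect tenant-wide SharePoint/OneDrive sharing and plan the escalation.

Added example (not Rencore code). Input mimics Microsoft Graph driveItem
permission objects; only `id` and `link.scope` are read. All sample values
below are constructed.
"""

# Link scopes that expose a file beyond named people: "organization" is
# "everyone in the tenant", "anonymous" is "anyone with the link".
BROAD_SCOPES = {"organization", "anonymous"}

# Order of the three automated activities described in the post.
ESCALATION = ("notify_user", "team_channel_message", "remove_sharing")

# Constructed sample: file path -> list of Graph-style permission entries.
SAMPLE_FILES = {
    "Payroll HR/Salary increases 2024.xlsx": [
        {"id": "p1", "roles": ["write"],
         "grantedToV2": {"user": {"displayName": "Adele Vance"}}},
        {"id": "p2", "roles": ["read"],
         "link": {"scope": "organization", "type": "view"}},
    ],
    "Payroll HR/Reorg plan.docx": [
        {"id": "p3", "roles": ["read"],
         "link": {"scope": "anonymous", "type": "view"}},
    ],
    "Marketing/Brand guide.pdf": [
        {"id": "p4", "roles": ["read"],
         "link": {"scope": "users", "type": "view"}},  # specific people only
    ],
}


def broad_share_permissions(permissions):
    """Return the permission entries whose sharing link is tenant-wide or anonymous."""
    return [p for p in permissions if p.get("link", {}).get("scope") in BROAD_SCOPES]


def overshared_files(files):
    """Build the report: file path -> ids of its broad sharing links."""
    report = {}
    for path, permissions in files.items():
        broad = broad_share_permissions(permissions)
        if broad:
            report[path] = [p["id"] for p in broad]
    return report


def next_action(times_flagged):
    """1st finding -> notify owner, 2nd -> Teams channel message, afterwards -> remove sharing."""
    return ESCALATION[min(times_flagged, len(ESCALATION) - 1)]


def plan_actions(files, history, threshold=1):
    """Return ({path: action}, updated history).

    `history` counts how often each file was already flagged in earlier runs.
    Nothing happens unless the report reaches `threshold` overshared files.
    """
    report = overshared_files(files)
    updated = dict(history)
    if len(report) < threshold:
        return {}, updated
    actions = {}
    for path in report:
        actions[path] = next_action(updated.get(path, 0))
        updated[path] = updated.get(path, 0) + 1
    return actions, updated


def remove_broad_links(permissions):
    """Simulate "stop sharing": drop broad links, keep direct grants to named people."""
    return [p for p in permissions if p.get("link", {}).get("scope") not in BROAD_SCOPES]


if __name__ == "__main__":
    history = {}
    for run in range(1, 4):  # three scheduled runs with unchanged behaviour
        actions, history = plan_actions(SAMPLE_FILES, history)
        print(f"run {run}: {actions}")
    for path in overshared_files(SAMPLE_FILES):
        SAMPLE_FILES[path] = remove_broad_links(SAMPLE_FILES[path])
    print("after cleanup:", overshared_files(SAMPLE_FILES))
```

In a real tenant the permission entries would come from Graph and "remove_sharing" would delete the flagged permission ids; the escalation state (`history`) would be persisted between scheduled runs so that a user who keeps re-sharing moves from the friendly notice to the channel message and finally to automatic removal.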


Compliance optimisation with sensitivity labels 

Companies must ensure that the use of Copilot meets all relevant compliance requirements, e.g. the General Data Protection Regulation (GDPR). The portfolio of Microsoft Purview applications is central here, especially data loss prevention (DLP) tools with manual and automatic sensitivity labelling. Reviewing access control lists regularly (access reviews in Entra ID Identity Governance or third-party providers) helps to correct access permissions and memberships in SharePoint, Teams and M365 Groups. It's better to do this quickly and easily once a month than once a year, which can be daunting. Your compliance and security team and, above all, your users will thank you for it.


Cost transparency & control  

Copilot carries a price tag that is often considered not too low. This is where M365 governance solutions help to monitor exactly which users are not using Copilot or which licensed users are "disabled". The actions after these measurements are clear: offer Copilot training courses or "Copilot training snacks" like Pascal Brunner's newsletter to whet the appetite again, and don't be afraid to calculate the ROI. Each department finds its own use cases and specific benefits. The following screenshot shows annual costs for different Copilot licences like Copilot for Microsoft and Copilot for Services. You can also get the same reports for monthly costs or – as mentioned – monthly costs for unused licences.


Visually summarised, the interplay of dashboards, (compliance) reports, inventory of Copilot subscriptions and automation looks like this: 


How to use Microsoft Copilot? 

If your organization is already using Copilot or is planning to do so, then the answer is clear – your organization needs a governance tool. Read more about Copilot governance here and book a free demo to see how our tool can work for you.  

If you want to know more about Copilot, then watch Rencore's on-demand webinar. 
