Microsoft 365 Copilot is genuinely useful. It's also, by design, an agent that sees everything its calling user has permission to see. In a SharePoint environment that's been accumulating files since 2017 with permissive defaults, that's usually a lot more than the user knows they have access to.
Microsoft's own guidance is unambiguous: enable Microsoft Purview Audit before Copilot activation. Use Purview to apply sensitivity labels. Use Conditional Access and Restricted Search to scope what Copilot can pull from. Set up Insider Risk Management for AI-specific scenarios.
The failure mode is not subtle: a finance assistant asks Copilot "summarise the latest exec compensation discussions" and gets a confident, well-formatted answer pulled from a folder no one realised was open to everyone. That's not a Copilot bug. It's a permissions hangover that was already there — Copilot just made it visible.
Governance is the work. Purview is the tooling. Both before Copilot, not after.
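The "before Copilot, not after" checks above, as an added PowerShell example that is not part of the original post: it verifies unified audit logging, turns on Restricted SharePoint Search with a curated allowed list, and then reviews the Copilot interaction records that auditing produces. It assumes the Exchange Online Management module and the SharePoint Online Management Shell are installed and the caller holds the relevant admin roles; the tenant name and allowed-site URL are placeholders.

```powershell
# Added example (not from the original post). Assumes the Exchange Online
# Management module and the SharePoint Online Management Shell are installed
# and that the caller holds the relevant admin roles.
$TenantName   = 'contoso'   # placeholder: your tenant name
$AllowedSites = @("https://$TenantName.sharepoint.com/sites/FinanceApproved")  # placeholder: curated sites

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Purview unified audit log must be on before Copilot is enabled, or the
#    first weeks of Copilot prompts and retrievals are simply never recorded.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is OFF. Enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit logging: enabled'
}

# 2. Restricted SharePoint Search: until the permissions hangover is cleaned up,
#    Copilot and org-wide search only surface content from the allowed list.
#    (The cmdlet's return value is assumed to be the mode name as a string.)
$mode = [string](Get-SPOTenantRestrictedSearchMode)
if ($mode -ne 'Enabled') {
    Write-Warning "Restricted search mode is '$mode'. Enabling it."
    Set-SPOTenantRestrictedSearchMode -Mode Enabled
}
Add-SPOTenantRestrictedSearchAllowedList -SitesList $AllowedSites
Write-Host 'Current allowed list:'
Get-SPOTenantRestrictedSearchAllowedList

# 3. Once auditing is on, Copilot prompts and responses land in the unified
#    audit log as their own record type. Reviewing them is how you spot the
#    "summarise exec compensation" case before it becomes an incident.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType CopilotInteraction -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Run the audit check first; the Restricted Search step is a containment measure that buys time for the permissions review, not a replacement for it.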
