Microsoft's documentation for Copilot governance has firmed up over 2025 into a clear sequence: enable Microsoft Purview Audit before Copilot activation, configure DLP policies for prompts, apply sensitivity-label inheritance for agent-generated content, and verify that Copilot-specific events (invocations, content sources accessed, outputs generated) are captured in the unified audit log.
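The verification step at the end of that sequence is the one most often skipped, so here is what it looks like in practice. This is an added example, not code from the article or from Microsoft: a PowerShell script that checks whether unified audit log ingestion is enabled and then pulls recent Copilot interaction events to answer "what did Copilot read, and for whom?". It assumes the ExchangeOnlineManagement module, an account holding an audit-log role, the `CopilotInteraction` record type that Microsoft documents for Copilot events, and the `CopilotEventData.AccessedResources` shape of the `AuditData` payload (property names under `CopilotEventData` are assumptions to confirm against your tenant's current schema). The CSV path is a placeholder.

```powershell
# Added example (not from the original article): verify that unified audit
# logging is on and that Copilot interaction events are actually landing in it.
# Assumes the ExchangeOnlineManagement module and an account with an audit-log role.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

# 1. Confirm the unified audit log is ingesting events at all.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF. Enable it before checking Copilot events:"
    Write-Warning "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
    return
}

# 2. Pull Copilot interaction events from the last 24 hours.
#    'CopilotInteraction' is the record type Microsoft documents for Copilot
#    prompts and responses; confirm it against the current audit schema.
$end    = (Get-Date).ToUniversalTime()
$start  = $end.AddHours(-24)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -RecordType CopilotInteraction -ResultSize 5000   # 5000 is the per-call maximum

if (-not $events) {
    Write-Warning "No CopilotInteraction events in the last 24h: either nobody used Copilot, or Copilot auditing is not flowing."
    return
}

# 3. Flatten AuditData so each row is one (user, Copilot host, source read).
#    Property names under CopilotEventData (AppHost, AccessedResources, and the
#    Name/Id/SensitivityLabelId fields of each resource) are assumptions based on
#    the documented schema; adjust if your tenant's payload differs.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $resources = @($d.CopilotEventData.AccessedResources)
    if ($resources.Count -eq 0) { $resources = @($null) }   # keep prompt-only interactions visible
    foreach ($r in $resources) {
        [pscustomobject]@{
            When       = $d.CreationTime
            User       = $d.UserId
            App        = $d.CopilotEventData.AppHost
            Resource   = $r.Name
            ResourceId = $r.Id
            Label      = $r.SensitivityLabelId   # empty => an unlabeled source reached Copilot
        }
    }
}

# 4. Summary per user: unlabeled sources are the rows worth a DLP/labeling review.
$rows | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User          = $_.Name
        ResourceReads = ($_.Group | Where-Object { $_.Resource }).Count
        Unlabeled     = ($_.Group | Where-Object { $_.Resource -and -not $_.Label }).Count
    }
} | Sort-Object Unlabeled -Descending | Format-Table -AutoSize

# 5. Keep the flattened rows as evidence or hand them to the SIEM ingestion path.
$rows | Export-Csv -Path .\copilot-access-24h.csv -NoTypeInformation   # placeholder path
```

Run it once right after Copilot activation and again after a day of real use: an empty result on the second run, with ingestion enabled, means the Copilot audit events are not reaching the unified log and the rest of the governance chain (SIEM forwarding, insider risk, lifecycle controls) has nothing to work from.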
The audit log integration matters because it's where everything else hangs off: SIEM forwarding, insider risk management, data-lifecycle controls, regulator-friendly evidence. Without it, Copilot becomes an opaque productivity tool, useful but unauditable. With it, Copilot is just another well-governed M365 workload.
The operational cost of enabling Purview Audit before Copilot is hours of configuration, not days. The cost of skipping it is discovering, mid-incident, that no one can answer "what did Copilot read, and for whom?". Choose the cheap problem.
