Transparent control of authorizations and data access is a central component of AI Act preparation. Microsoft Copilot accesses company data in M365 (SharePoint, Teams, OneDrive, Outlook, etc.) – often including content that users did not want to share.
Companies should therefore check the following at an early stage:

  • Which data sources can Copilot read or search?
  • Is sensitive data (e.g. HR, finances, contracts) technically protected or excluded?
  • Are there roles and groups with overly broad access?

You can find a practical checklist and concrete to-do list for setting up, checking and securing Copilot access in our blog article: Microsoft Copilot – To-do list for authorizations and accesses