MICROSOFT 365 COPILOT: Data Readiness Checklist
In-depth research report for building a data readiness & governance checklist before AI integration (updated per Microsoft documentation as of 2026-03-24)
1. Executive Summary
Microsoft 365 Copilot (and related experiences such as Copilot Chat, Copilot Studio agents, and Graph/Copilot connectors) does not grant new access rights: it runs inside the Microsoft 365 service boundary and retrieves content through Microsoft Graph with security trimming, so the data it can reach is always bounded by what the signed-in user is already permitted to see. The risk of a “catastrophic internal data leak” therefore does not come from Copilot itself but from pre-existing exposure that Copilot makes fast and easy to find:
- Oversharing and permission sprawl (overly broad site and library permissions, misconfigured sharing defaults, “Anyone” links, grants to “Everyone except external users” or “Everyone”, stale sites with no owner).
- Uncontrolled extensibility (agents, connectors, APIs) that brings external or poorly permissioned content into the grounding scope.
- Lack of monitoring and auditing, so that prompts, responses, and the files they touched cannot be reconstructed after the fact.
A file that one misconfigured link exposed to the whole tenant used to sit unnoticed; with Copilot it is one natural-language question away. Copilot amplifies the discoverability of such content rather than creating the exposure.
From a “data readiness” perspective, an effective checklist should follow three pillars:
- Pillar 1: Data & Access Readiness (data/permission hygiene) — reduce oversharing, standardize sharing, ensure site ownership, content lifecycle, and least-privilege permission models.
- Pillar 2: “AI-Aware” Technical Controls (Purview/Entra/Defender) — DLP policies scoped to the Copilot/Copilot Chat location, Sensitivity Labels with encryption and usage rights (Copilot can only summarize or reuse label-encrypted content when the user holds at least the EXTRACT right, not merely VIEW), unified Audit logging of Copilot interactions, eDiscovery/retention for prompts and responses, DSPM for AI, Communication Compliance, and Insider Risk Management with Adaptive Protection.
- Pillar 3: Extended Governance & Secure Operations (agents/connectors/web grounding + IR) — agent governance, connector controls (ACL/security trimming), block connectors/HTTP in Copilot Studio, web search governance, and incident response processes.
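The oversharing sources named in the risk list above and in Pillar 1 (“Anyone” links, org-wide default sharing links, the “Everyone except external users” claim) are all tenant-level SharePoint settings that can be audited before Copilot is switched on. The script below is an added example written for this report, not Microsoft's code or part of the original checklist; it uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOTenant, Set-SPOTenant, Get-SPOSite). The admin URL is a placeholder, and the “target” values reflect Microsoft's Copilot oversharing guidance (specific-people links by default, no anonymous links) rather than a setting the page itself mandates.

```powershell
# Added example (not from the original report): report, and optionally tighten, the tenant-wide
# SharePoint/OneDrive sharing settings that most often feed Copilot oversharing.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # placeholder tenant admin URL
    [switch]$Remediate                                              # report-only unless supplied
)

Connect-SPOService -Url $AdminUrl
$t = Get-SPOTenant

# One row per setting: is the current value weak, what we would set instead, and why it matters for Copilot.
$checks = @(
    [pscustomobject]@{
        Setting = 'SharingCapability'
        Weak    = ("$($t.SharingCapability)" -eq 'ExternalUserAndGuestSharing')
        Target  = 'ExternalUserSharingOnly'
        Why     = '"Anyone" links are unauthenticated; no label, DLP or audit control can identify who holds them.'
    }
    [pscustomobject]@{
        Setting = 'DefaultSharingLinkType'
        Weak    = ("$($t.DefaultSharingLinkType)" -in @('AnonymousAccess', 'Internal'))
        Target  = 'Direct'
        Why     = 'Org-wide "People in your organization" default links make every casual share visible to every Copilot user.'
    }
    [pscustomobject]@{
        Setting = 'DefaultLinkPermission'
        Weak    = ("$($t.DefaultLinkPermission)" -eq 'Edit')
        Target  = 'View'
        Why     = 'Edit by default widens the blast radius of any link that was already too broad.'
    }
    [pscustomobject]@{
        Setting = 'ShowEveryoneExceptExternalUsersClaim'
        Weak    = [bool]$t.ShowEveryoneExceptExternalUsersClaim
        Target  = $false
        Why     = 'Hiding the claim in the people picker prevents new "Everyone except external users" grants.'
    }
    [pscustomobject]@{
        Setting = 'ShowEveryoneClaim'
        Weak    = [bool]$t.ShowEveryoneClaim
        Target  = $false
        Why     = 'Same for the legacy "Everyone" claim.'
    }
)

$findings = $checks | Where-Object Weak
Write-Host "Tenant-level findings: $($findings.Count)"
$findings | Format-Table Setting, Target, Why -AutoSize -Wrap

# Per-site view: the tenant setting is the ceiling, but sites still configured for Anyone links
# are where existing anonymous links live and should be reviewed with their owners first.
Get-SPOSite -Limit All |
    Where-Object { "$($_.SharingCapability)" -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Format-Table -AutoSize

if ($Remediate -and $findings) {
    # Hardened baseline: authenticated sharing only, specific-people links by default,
    # view-only default permission, and both everyone-style claims hidden.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -DefaultSharingLinkType Direct `
                  -DefaultLinkPermission View `
                  -ShowEveryoneExceptExternalUsersClaim $false `
                  -ShowEveryoneClaim $false
}
```

Run it without -Remediate first. Moving SharingCapability away from ExternalUserAndGuestSharing invalidates every existing “Anyone” link in the tenant, and hiding the claims does not remove grants already made to “Everyone except external users”; those existing grants still have to be found per site (Pillar 1 remediation, for example via SharePoint Advanced Management reports or Purview DSPM for AI) and removed before the assumption “Copilot only sees what the user should see” actually holds.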