
Microsoft Copilot inherits your access - including the files you forgot you could open

Copilot does not break permissions - it respects them perfectly. That is the problem. It makes every overshared folder, every stale 'anyone with the link', and every forgotten access right instantly findable by asking a question in plain English.


Quick answer

Microsoft 365 Copilot is built on Microsoft's enterprise commitments: it does not train foundation models on your tenant data, and it only surfaces content a user already has permission to open. The risk is exactly that last point. Copilot inherits each user's access, so years of oversharing - broad links, broken permission inheritance, stale rights - becomes instantly discoverable by typing a question. The exposure is not a Copilot bug; it is your existing permissions, made searchable.

1. Copilot only surfaces data a user can already access - the risk is pre-existing oversharing becoming discoverable

2. Restricted SharePoint Search is a temporary throttle, not a security boundary, per Microsoft

3. Microsoft does not train foundation models on tenant prompts, responses, or Graph data

4. Flex routing can send Copilot's processing outside the EU Data Boundary at peak load unless you turn it off

5. There are three different 'Copilots' with completely different data protections

An analyst at a mid-sized firm types a simple question into Microsoft 365 Copilot: "What's the latest on the leadership reorg?" Copilot answers helpfully, summarising a draft plan, complete with names, proposed redundancies, and severance figures.

The analyst was never meant to see that document. But two years ago, someone saved it to a SharePoint site that had been shared with "everyone except external users," and the permission was never revisited. Technically, the analyst always had access. They just never knew the file existed - until Copilot made it findable by answering a question in plain English.

Nothing was hacked. No permission was broken. Copilot did exactly what Microsoft designed it to do: it inherited the user's access and made it searchable. And that is the whole privacy story of Copilot at work.

Is Microsoft 365 Copilot safe for business data?

As a platform, yes - and Microsoft's commitments here are genuinely strong. Microsoft 365 Copilot does not use your prompts, responses, or Microsoft Graph data to train its foundation models. Processing stays within the Microsoft 365 service boundary, and it only ever returns data the asking user already has permission to open.

That last guarantee is also the catch. Copilot inherits each person's access exactly. So if your organisation has years of accumulated oversharing - broad sharing links, broken permission inheritance, sites opened to "everyone," files dropped in the wrong place - Copilot does not create new exposure, but it removes the obscurity that was quietly protecting you. What used to require knowing a file existed and hunting for it now takes one well-phrased question.

The risk in Copilot is not the AI. It is your permissions, made instantly legible.

How Copilot handles your data

There is not one Copilot. There are three, with very different protections.

| | Free Copilot (consumer) | Copilot Chat (work) | Microsoft 365 Copilot (add-on) |
|---|---|---|---|
| Sign-in | Personal / none | Work account | Work account |
| Enterprise data protection | No | Yes | Yes |
| Trains foundation models on your data | Possible | No | No |
| Access to your email/files/Teams | No | Limited (uploads, on-screen) | Full, via Microsoft Graph |
| The "inherits your access" risk | No | Limited | Yes |

Free consumer Copilot (copilot.microsoft.com, no work sign-in) grounds on the public web and has no enterprise data protection. It is not for work data - this is the version the US House of Representatives blocked for staff.

Microsoft 365 Copilot Chat, used signed in with a work account, runs under enterprise data protection but does not automatically reach across your mailbox and Graph.

Microsoft 365 Copilot (the paid add-on) is the one with full Microsoft Graph access - email, files, calendar, Teams, SharePoint - and it is the version where the oversharing problem lives.

On data residency, Microsoft 365 Copilot is an EU Data Boundary service and stored data stays in the EU. But "flex routing" can let LLM processing happen in the US, Canada, or Australia during peak demand, and it defaults on for newer tenants. Some Anthropic-model paths and Bing web queries also sit outside the EU boundary. Stored data stays in the EU; processing may not, unless you intervene.

The biggest privacy risks in Copilot

1. Oversharing made searchable

The headline risk. A payroll file on an overshared site, a board pack in an open Teams channel, an HR letter in a misconfigured library - all already accessible to more people than intended, all now one question away. Copilot does not widen access; it makes existing over-access usable.

2. Stale and inherited permissions

People change roles, projects end, contractors leave - and their access often lingers. Copilot draws on whatever each user can still reach today, including rights that should have been removed months ago.

3. The "which Copilot" mistake

An employee who uses free consumer Copilot on a work task, signed in with a personal account, gets none of the enterprise protections. The same prompt in signed-in Copilot Chat is governed; in consumer Copilot it is not. Most users cannot tell which one they are in.

4. Prompt injection reaching governed data

In 2025, researchers demonstrated "EchoLeak" (CVE-2025-32711), a zero-click flaw where a crafted email could make Copilot pull internal data and exfiltrate it - no clicking required. Microsoft patched it server-side before any known abuse, but it proved that prompt injection reaches enterprise Copilot, precisely because Copilot's scope is everything the victim can access.

5. Hallucinated personal data

Copilot can generate confident, inaccurate statements about real, identifiable people. Under GDPR, inaccurate personal data is itself a data-quality issue - and a Dutch sector DPIA flagged exactly this as a residual risk.

6. Processing leaving the EU at peak

With flex routing on by default for newer tenants, Copilot's LLM processing can temporarily leave the EU Data Boundary. For organisations with strict EU-residency requirements, that is a decision to make deliberately, not inherit.

Each of these has caused real hesitation in organisations that assumed "it's Microsoft, it's fine."

What is actually at stake: consequences

Under GDPR, surfacing personal data to someone who should not have it - salaries, health information, a disciplinary file - can be a personal data breach even though no attacker was involved and no permission was technically broken. If there is risk to people's rights and freedoms, the organisation must notify its supervisory authority within 72 hours.

Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability rests with the organisation as controller. Beyond the regulator, internal oversharing surfaced by Copilot - an employee reading colleagues' salaries or a reorg plan - creates trust and HR damage that is immediate and hard to contain.

The uncomfortable part: a flawless contract with Microsoft offers no defence when the exposure was your own permissions, made searchable.

Verified incidents

March 2024 - US House of Representatives blocks Copilot

The Office of the Chief Administrative Officer declared the commercial version of Microsoft Copilot "unauthorized for House use," citing the risk of leaking House data to non-approved cloud services, and said it would evaluate the government edition later. It targeted the consumer-grade version, not enterprise M365 Copilot - but it set the tone for enterprise caution. Source: Axios, March 2024.

December 2024 to 2025 - SURF Copilot DPIA (Netherlands)

SURF, the Dutch education and research collaboration, published a Data Protection Impact Assessment on Microsoft 365 Copilot in December 2024 finding four high privacy risks and advising institutions not to use it for the time being. After Microsoft changes, a September 2025 update downgraded the risks to "amber," leaving two residual concerns: inaccurate personal data generated about real people, and an 18-month retention period for pseudonymised metadata. Source: SURF, 2024-2025.

June 2025 - EchoLeak (CVE-2025-32711)

Aim Labs disclosed a zero-click prompt-injection flaw in Microsoft 365 Copilot, rated critical (CVSS 9.3), that could exfiltrate internal data without user interaction. Microsoft fixed it server-side in May 2025 and reported no evidence of exploitation in the wild. Source: BleepingComputer / The Hacker News, June 2025.

The thread across these is not a single failure. It is a tool whose power - reaching everything a user can access - is also its largest privacy surface.

Settings that help

1. Find and fix oversharing with SharePoint Advanced Management

Use Data Access Governance and permission-state reports to locate broken inheritance, "everyone" links, and overshared sites - then remediate. This is the actual fix, included with Microsoft 365 Copilot.

2. Apply Microsoft Purview sensitivity labels

Labels that apply encryption are honoured by Copilot - it returns content only if the user has the rights to extract it. Labelling coverage is the dependency: an unlabeled overshared file is still fair game.

3. Configure Purview DLP for Copilot

DLP for the Microsoft 365 Copilot location can exclude sensitivity-labelled content from being processed in Copilot interactions.

4. Use Restricted SharePoint Search - but only temporarily

RSS can throttle Copilot discovery to an allow-list of up to 100 sites while you remediate. Microsoft is explicit that it is not a security boundary, does not change permissions, and is a short-term stopgap.

5. Turn off flex routing if you need strict EU processing

Microsoft 365 admin center > Copilot > Settings > flex routing > "Do not allow flex routing" keeps LLM processing inside the EU Data Boundary.

6. Scope or remove Copilot licences

Disable Copilot per user via licence removal or Integrated Apps to limit the blast radius during a phased rollout.

Steps verified in June 2026; Microsoft reorganises the Copilot control surface frequently, so menu labels shift.
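To make settings 1 and 2 concrete, here is an added example (not Microsoft tooling and not code from this article) that triages a permission export for the indicators named above: "everyone" grants, "anyone" links, broken inheritance, stale access, and missing sensitivity labels. The CSV columns, the 365-day staleness threshold, and the scoring weights are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not a Microsoft report schema.
REPORT = """site,path,principal,link_scope,inherits,label,last_used
HR,/Reorg/draft-plan.docx,Everyone except external users,,no,,2023-02-10
Finance,/Payroll/2024.xlsx,Everyone,,yes,Confidential,2024-11-02
Sales,/Decks/q3.pptx,,Anyone,no,,2025-01-15
Legal,/Contracts/acme.pdf,j.doe@example.com,,no,Confidential,2022-06-30
Eng,/Wiki/setup.md,Eng Members,,yes,,2025-05-20
"""

BROAD_PRINCIPALS = {"everyone", "everyone except external users"}
STALE_AFTER_DAYS = 365  # assumed review threshold


def findings(row, today):
    """Return the oversharing indicators that apply to one report row."""
    out = []
    if row["principal"].strip().lower() in BROAD_PRINCIPALS:
        out.append("broad-group")
    if row["link_scope"].strip().lower() == "anyone":
        out.append("anyone-link")
    if row["inherits"].strip().lower() == "no":
        out.append("broken-inheritance")
    if (today - date.fromisoformat(row["last_used"])).days > STALE_AFTER_DAYS:
        out.append("stale-access")
    return out


def triage(report_csv, today):
    """Rank items for remediation: widest reach first, unlabeled before labelled."""
    ranked = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        hits = findings(row, today)
        if not hits:
            continue
        wide = "broad-group" in hits or "anyone-link" in hits
        unlabeled = not row["label"].strip()
        # Assumed weights: wide reach counts most; no label means nothing else gates the file.
        score = 2 * wide + unlabeled + 0.5 * len(hits)
        ranked.append((score, row["path"], hits))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, path, hits in triage(REPORT, date(2025, 6, 1)):
        print(f"{score:>4} {path:<28} {', '.join(hits)}")
```

The unlabeled reorg draft shared with "Everyone except external users" ranks first, ahead of the labelled payroll file, which mirrors the point that labelling coverage is the dependency.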

What settings do not solve

Settings govern what Microsoft does with your data and how widely Copilot searches. They do not fix the permissions underneath, and they do not decide what an employee types into the prompt.

No toggle un-shares the folder that was opened to "everyone" three years ago. No data-residency setting removes a client's account number that someone pasted into a Copilot prompt to "summarise this." The two failure modes Copilot amplifies - overshared content and over-shared prompts - are both human decisions that a configuration screen cannot reach.

That is the gap: between the access an organisation has accumulated and the content a person is about to type.

How BeeSensible helps before you send

BeeSensible checks personal data in browser text fields - including the Copilot prompt - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a prompt, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.


Message content is not stored. The user makes every decision.

For Copilot, this covers the prompt side of the risk - the client name beside an account number, the patient identifier pasted in to "draft a summary." It does not fix oversharing or your permission model; those are essential, separate, governance work. It keeps the person typing aware of what is about to leave the keyboard, while there is still time to change it.

Copilot's strength is that it reaches everything you can access. That is also why it deserves a governed rollout: fix the permissions so Copilot has nothing it shouldn't surface, and keep awareness at the prompt so it receives nothing it shouldn't. The platform is Microsoft's to secure; the access and the typing are yours.

FAQ

Common questions

Is Microsoft 365 Copilot safe for business data?

Microsoft 365 Copilot is covered by Microsoft's enterprise data protection: it does not train foundation models on your tenant data and only returns content the user already has permission to open. It is safe as a platform, but it amplifies any existing oversharing in SharePoint and OneDrive. The work is on your side: fix broad permissions and stale access before a broad rollout, because Copilot makes all of it findable in seconds.

Can Copilot show an employee data they shouldn't see?

Copilot only surfaces content a user already has at least view permission to. It does not grant new access. But if a file was overshared - for example a payroll spreadsheet on a site open to 'everyone except external users' - that employee could already open it, and Copilot now makes it trivially discoverable by asking a question instead of hunting through folders. The fix is correcting the permissions, not the AI.

Does Microsoft train its AI on Copilot prompts?

Microsoft states that prompts, responses, and data accessed through Microsoft Graph are not used to train the foundation large language models behind Microsoft 365 Copilot. Processing stays within the Microsoft 365 service boundary using Azure OpenAI, and abuse-monitoring human review is opted out for Copilot. This is a contractual enterprise commitment, distinct from consumer Copilot.

Does Copilot keep my data inside the EU?

Microsoft 365 Copilot is an EU Data Boundary service and stored data stays in the EU. However, 'flex routing' can allow LLM processing to occur outside the EU Data Boundary - in the US, Canada, or Australia - during peak demand, and it is on by default for newer tenants. Some Anthropic-model paths and web queries are also carve-outs. Administrators who need strict EU processing should turn flex routing off.

What is the difference between the free Copilot and Microsoft 365 Copilot?

Free consumer Copilot (no work sign-in) has no enterprise data protection and should not be used for work data - it is the version the US House of Representatives blocked for staff. Microsoft 365 Copilot Chat (signed in with a work account) and the paid Microsoft 365 Copilot add-on both have enterprise data protection; only the paid add-on has full access to your Microsoft Graph - email, files, Teams, SharePoint.

How do we stop Copilot from exposing overshared files?

Use SharePoint Advanced Management to find oversharing (broken inheritance, broad links, 'everyone' access), apply Microsoft Purview sensitivity labels so encrypted items are excluded, and configure Purview DLP for Copilot. Restricted SharePoint Search can throttle discovery temporarily while you remediate, but Microsoft is explicit that it is not a security boundary.
