AI’s rapid adoption has made data governance a first‑order security priority. In Microsoft 365, assistants like Copilot can surface any file a user can technically access, which turns broad or stale permissions into instant findings. Before enabling Copilot at scale, enterprises should understand where sensitive data lives, who can reach it, and how usage will be monitored.
This Q&A breaks down what large enterprises must understand to deploy AI safely. We explore the key layers of the AI stack, the blockers that prevent secure rollouts, the risks that matter most today, how to reduce AI access to sensitive information, and how to detect unusual or concerning behaviour as assistants and agents query your environment.
What parts of the AI stack should enterprises secure?
Enterprise AI spans user chatbots, autonomous agents that can act across systems, and the model and data infrastructure that powers them. Each layer changes who can touch sensitive data and how actions are executed, so controls must be tailored to the layer. This layered view helps you prioritise identity, access, logging, and governance where they matter most.
We really need to break this down into three distinct sections. So if we think about the first domain, you know, these AI chatbots and chat, you know, Microsoft 365 Copilot, ChatGPT, Google Gemini, I would say that that's for large measure, most accessible to users. But these are the tools that are designed to enhance user productivity, and they're assisting with various tasks like answering questions and generating insights. And one of the things that these distinct copilots, depending on how they're designed, have an impact on is risk. And risk based on, you know, we're interacting with a copilot, and that copilot can go and respond and pull sensitive data from our organization if our sensitive data is a part of that corpus. And so that is something that is the most tangible. You know, as we continue down this spectrum here, you know, and this is going now to get into the AI agents. So, you know, these AI agents are a little bit more on the service base. Right? So unlike the simple chatbots, the AI agents are advanced AI systems. They're designed to autonomously perform tasks. They're the smart assistants. They're understanding our goals. They're planning and executing and even interacting with other applications. So, you know, one of these things when we start to separate that, this is more of the autonomous AI functionality that exists. Now when we get to the final piece here, and that's the AI infrastructure. And this includes cloud platforms like Microsoft Azure OpenAI, Amazon Bedrock, Google Vertex. And these platforms really provide that foundation for building and training and deploying the AI models.
Key points:
- Chatbots can surface any data a user already has access to, which exposes the risk of over‑permissive access.
- Agents plan and act across applications, increasing potential impact without tight guardrails and roles.
- Infrastructure platforms require strong identity, data, and platform controls across model training and deployment.
What is stopping organizations from safely deploying AI?
Boards hesitate on rolling out AI tools when visibility, policy maturity, and operational readiness are unclear. Capability may exist, but confidence lags in data governance, prompt monitoring, and staffing to watch AI usage. Delay creates a vacuum that users fill with unsanctioned tools, expanding your exposure and compliance risk.
There are organizations that were very well intended on rolling out Copilot and rolling out AI, writ large across their organization wherever they could find opportunity and where the solutions kinda fit the needs of their user base. And a lot of times, those organizations were struggling to get complete buy in from the board, from their CIO, from their CISO, and everybody involved, to roll out Copilot because there were just concerns about data risk and data governance. And it's not because they didn't have potentially solutions that they could use. It's just they lacked that confidence and also visibility into what they had currently in their stack and then also to what they could possibly look to deploy within their environment to protect that data. And so you see these statistics. This is a report that Gartner put out literally this month. Forty seven percent of IT leaders reported that they were either not confident or have no confidence at all in the organization's ability to manage security and access risk associated with Copilot. And that's not because they didn't have possibly the right technology. It's, they maybe didn't have the right policies even, like, documentation. You know, we don't wanna necessarily knock on a particular technology or stack. But, you know, in many cases, it was documentation. It was, you know, policies and procedures. You having the right people in place to do monitoring because you can have the right technology and the right solutions, but, potentially, maybe you don't have the right staffing and the right skill sets to monitor AI user behavior and prompting and also maybe even back end if you're doing, you know, pro code versus low code AI development like the right hand side of your slide previously, Scott. And so, nevertheless, we even have, a webinar, shameless plug, we have a webinar coming up soon. I believe the title of that webinar is going beyond the Copilot pilot, the CISO's perspective.
So that's, I think, in March next month. So check that out. I think Haley or somebody may be dropping the link to that in chat. We'll be talking a little bit about this. The reason I'm also taking a quick tangent in talking about this, not only just to shamelessly plug an upcoming webinar while we're on a webinar. The other thing is, one of the risks that we don't really get into entirely in this slide where and what we're gonna talk about today is shadow AI. So, essentially, if your organization isn't able to get over the hurdle or get over the hump and roll out AI solutions for your user base, there is an additional risk that they're going to then pursue other AI applications that are not sanctioned by you potentially. Now, of course, there's technologies and things like that to prevent those users from going out and downloading a particular application on their mobile device or their other endpoints. But, nevertheless, your users may continue to explore that if they don't have good, safe, and secure options that you provide them. And so there's this kind of risk. DeepSeek is probably one of the most noteworthy instances of this that most recently came out and got pretty viral, both from the press and the media, but also from downloads. And so, nevertheless, this is why this stuff is important.
Key points:
- 47% of IT leaders report they are not very confident or have no confidence in their ability to manage Microsoft 365 Copilot security and access risks. According to Gartner, “How to Secure and Govern Microsoft 365 Copilot at Scale,” January 2025.
- Confidence drops when policies, documentation, and prompt‑layer monitoring are immature or untested.
- Skills gaps and limited resourcing to monitor AI usage are common blockers for CISOs and CIOs.
- Shadow AI adoption increases when secure enterprise options are slow to launch, creating ungoverned data flows.
What AI risks matter most for large organisations today?
First one right out the gate. It's relatively self explanatory, but this is users being able to use the AI applications that you have deployed within your environment that are tapping into sensitive data that you hold. And, being able to prompt engineer their way into sensitive information, whether maliciously or haphazardly. One of the two. They're able to basically get in and see things that they're not supposed to. This is something that was one of the very first things that were concerns of customers when I was at Microsoft, and it still continues to be a concern today. And it's, again, not because maybe they don't have the right technologies in place. It's just it's something that they haven't looked at. And in many organizations where we do data risk assessments, DRAs, we see customers time and time again that find out in those DRAs that they have sensitive information that potentially is exposed in one way or another. And as we continue to adopt other AI solutions within the organization that are looking at not just maybe your Microsoft 365 tenant, and maybe it's information in your Azure environment, other databases, etcetera. This is gonna be important that we continue to look at and manage how AI solutions are looking at data, and then if we give that access for the model to look at that data, how are we governing which users can access that AI solution, and on and on we go. So there's multiple layers, defense in depth, when it comes to rolling out these AI solutions to prevent data
Key points:
- AI assistants can return files from SharePoint, OneDrive, Exchange, and Teams if those stores are broadly shared or unlabeled. Labels and DLP help, but unknown or unclassified data often remains exposed.
- Limit which users can query AI against which repositories. Reduce exposure at the data layer first so assistants cannot surface high‑risk content by default.
- Prompt injection and jailbreaking allow users to manipulate model behaviour to bypass safeguards and retrieve sensitive information. Monitor prompt patterns for repeated re‑phrasing.
- Model poisoning, training on sensitive data, and exposed datasets require identity, DSPM, and UEBA across data lakes and pipelines to protect integrity and confidentiality.
- Map controls to NIST AI RMF and NIST CSF Detect functions to monitor prompt activity and backend usage, meet policy expectations, and brief the board with confidence.
How can we reduce AI access to sensitive data?
Copilot aggregates across multiple Microsoft 365 stores, so any over‑permissive access multiplies. Labels and DLP help, but much sensitive content remains unlabelled or broadly shared. Shrink exposure by reducing who can use AI against which repositories and by fixing data‑layer overexposure first.
Blast radius exploitation. So this is one of those situations where, yes, you've already given access to the AI solution to sensitive information, but maybe you don't have currently the right safeguards to prevent the leakage of that particular sensitive information. So AI in this case or Copilot in this case, I'll use Copilot as an example. Copilot is not just looking at SharePoint files. It's looking at items in personal OneDrive storage. It's looking at email traffic and attachments in emails. It's looking at Teams chat and files shared within Teams. And so there are a lot of places that sensitive information can be exposed to Copilot, and also Copilot can create sensitive information. Now granted, if you have potentially all of your files and sensitive information labeled and encrypted using MIP information protection and you have DLP policies in place, there's a lot of work you can do to potentially prevent a user from, you know, maybe creating multiple assets from a Copilot prompt. So giving it sensitive information, and then it like a file, and then it spitting out other sensitive information, and maybe that label's gonna follow it. And so there's some safeguards that you can do and put into place. But in many cases, there's a lot of files within email and SharePoint, etcetera, that go unlabeled and possibly unclassified and possibly unnoticed. And so it's very important to have a full scope of your Microsoft 365 tenant if we're just talking about Copilot. Obviously, as we get into Salesforce and some other data resources, then, you know, the blast radius continues to expand, in those different cloud environments, in those different applications, in those different platforms,
Key points:
- AI tools span SharePoint, OneDrive, email, and Teams, so mis‑scoped access spreads quickly.
- Labels and DLP do not protect unknown or unclassified data.
- Limit AI feature entitlement and narrow the data in scope to cut risk fast.
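To make the blast‑radius idea measurable, here is an added example (not Varonis code, and not a Microsoft API) that models what the points above describe: Copilot can return anything a user can technically read, so the set of sensitive items reachable by a given user, or by an org‑wide principal, is the exposure to shrink before rollout. The inventory, group membership map, label names and the "All Company" group are constructed sample data; a real run would load them from a permissions and classification export. It also shows why a content scan matters alongside labels: the unlabeled payroll file is only caught because the scan flagged it.

```python
"""Estimate the Copilot "blast radius" of overexposed sensitive data.

Constructed sample data: the inventory, group map and label names below are
invented for the example. A real run would load them from a permissions and
classification export instead.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Org-wide principals. "Everyone except external users" is a real SharePoint
# claim; "All Company" stands in for any tenant-wide group (constructed).
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users", "All Company"}
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}


@dataclass
class Item:
    path: str                           # sp:/ od:/ teams:/ ex:/ prefixes mark the store
    readers: Set[str]                   # users or groups with read access
    label: str = ""                     # sensitivity label, "" if unlabeled
    classified_sensitive: bool = False  # a content scan found sensitive data


# Constructed group membership (group -> members).
GROUPS: Dict[str, Set[str]] = {
    "Finance": {"alice@example.com", "bob@example.com"},
    "All Company": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "Everyone except external users": {"alice@example.com", "bob@example.com", "carol@example.com"},
}

# Constructed inventory spanning SharePoint, OneDrive, Teams and Exchange.
INVENTORY: List[Item] = [
    Item("sp:/sites/Finance/Q3-forecast.xlsx", {"Finance"}, "Confidential", True),
    Item("sp:/sites/HR/payroll-2024.xlsx", {"Everyone except external users"}, "", True),
    Item("od:/users/carol/notes.docx", {"carol@example.com"}, "", False),
    Item("teams:/Legal/nda-acme.pdf", {"All Company"}, "Highly Confidential", True),
    Item("ex:/bob/inbox/offer-letter.pdf", {"bob@example.com"}, "", True),
]


def is_sensitive(item: Item) -> bool:
    """Labeled sensitive OR flagged by a scan: the scan catches unlabeled data."""
    return item.label in SENSITIVE_LABELS or item.classified_sensitive


def expand(principals: Iterable[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Resolve groups (including nested ones) down to individual users."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = list(principals)
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            users.add(p)
    return users


def reachable_by(user: str, inventory: List[Item], groups: Dict[str, Set[str]]) -> List[str]:
    """Sensitive items Copilot could return to `user`: that user's blast radius."""
    return sorted(i.path for i in inventory
                  if is_sensitive(i) and user in expand(i.readers, groups))


def overexposed(inventory: List[Item]) -> List[str]:
    """Sensitive items readable through an org-wide principal."""
    return sorted(i.path for i in inventory
                  if is_sensitive(i) and i.readers & BROAD_PRINCIPALS)


def unlabeled_sensitive(inventory: List[Item]) -> List[str]:
    """Sensitive content with no label, which label-based DLP cannot see."""
    return sorted(i.path for i in inventory if i.classified_sensitive and not i.label)


def per_user_exposure(inventory: List[Item], groups: Dict[str, Set[str]]) -> Dict[str, int]:
    """How many sensitive items each user could pull through Copilot."""
    everyone = expand({p for i in inventory for p in i.readers}, groups)
    return {u: len(reachable_by(u, inventory, groups)) for u in sorted(everyone)}


def remove_broad_access(inventory: List[Item]) -> List[Item]:
    """Simulate the pre-rollout fix: strip org-wide principals from sensitive items."""
    return [Item(i.path,
                 i.readers - BROAD_PRINCIPALS if is_sensitive(i) else set(i.readers),
                 i.label, i.classified_sensitive) for i in inventory]


if __name__ == "__main__":
    print("overexposed:", overexposed(INVENTORY))
    print("unlabeled but sensitive:", unlabeled_sensitive(INVENTORY))
    print("per-user blast radius:", per_user_exposure(INVENTORY, GROUPS))
    print("after remediation:", per_user_exposure(remove_broad_access(INVENTORY), GROUPS))
```

Running it on the sample data shows carol, who has no business role on any of the sensitive files, still reaching two of them purely through org‑wide groups, and that count dropping to zero once those principals are removed. The remediation step deliberately leaves the affected items with no readers at all rather than guessing a replacement group; re‑granting access is a decision for the data owner.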
How can we limit our risk of a data breach when adopting Microsoft Copilot?
Microsoft Copilot amplifies any existing overexposure in your Microsoft 365 environment. Because Copilot returns anything a user can technically access, even if that access was never intended, sensitive data can be surfaced instantly through natural‑language prompts. The most effective way to reduce breach risk is to shrink overexposed data access before rollout and continuously monitor Copilot interactions so unusual or high‑risk retrievals are caught early.
So when Copilot, you know, has come out, you know, this was basically just taking what we knew as an organization as a data governance issue and threw gas on that fire. You know? Because at the end of the day, when Copilot is being utilized, the user is going to have a prompt, be able to work with that prompt, ask for specific data, and anything they had access to, they were going to have returned to them. In a lot of cases, most people don't know what they have access to. And as a security leader and practitioner and someone that cares about data security, if you took any user out of their seat and put a bad actor in there, would we be comfortable with everything that they had access to? Would we even know everything they have access to? So not only that, you know, we have to put some sense on that risk of data exposure, unauthorized data detection, and access, but we have to consider the likelihood now with the Copilot engine behind it is that that user is not going to have to take time, energy and effort to get to that data. It's going to happen almost immediately. So we need to understand and monitor on Copilot, you know, activity. And that's something that we're providing as well as because of the full activity log and being able to audit all user interactions, we can provide alerts on abnormal interactions, and we can identify if someone is doing some active searching for sensitive data in their environment.
Key points:
- Copilot aggregates across SharePoint, OneDrive, Teams, and Exchange, so any broad or stale permissions become a direct path to sensitive data retrieval.
- Reducing overexposed access before Copilot rollout is the single biggest way to prevent AI‑driven breach impact.
- Monitoring Copilot activity helps detect unusual queries, sensitive‑file retrievals, or signals of account compromise.
- Limiting which users can query Copilot — and which repositories it can access — significantly shrinks breach blast radius.
- Ongoing least privilege enforcement ensures today’s safer access state does not drift as data “moves like water.”
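The monitoring point above, and the earlier advice to watch prompt patterns for repeated re‑phrasing, can be turned into concrete detection logic. The following is an added example, not Varonis code and not the Microsoft 365 audit schema: the record layout (ts, user, prompt, resources[].path, resources[].label) is a constructed simplification of a Copilot interaction audit event, and the thresholds are constructed baselines rather than recommended values. It raises two alerts from the same export: a user restating near‑identical prompts (token‑set Jaccard similarity against their earlier prompts), and a user pulling an unusual number of distinct labeled‑sensitive files within a short window.

```python
"""Flag unusual Copilot activity from an audit-log export.

Constructed sample data and schema: the JSON lines below imitate the shape of
a Copilot interaction audit record but are invented for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}
REPHRASE_SIMILARITY = 0.5            # Jaccard score that counts as "the same question again"
REPHRASE_COUNT = 2                   # restatements of an earlier prompt before we alert
RETRIEVAL_WINDOW = timedelta(minutes=10)
RETRIEVAL_LIMIT = 3                  # distinct sensitive files per window (constructed baseline)
STOPWORDS = {"the", "a", "an", "me", "from", "what", "does", "say", "about", "show", "list", "of"}

# Constructed sample export (JSON lines). dave restates the payroll question three
# ways, then pulls four labeled-sensitive files in four minutes.
SAMPLE_LOG = '''
{"ts":"2025-03-03T09:00:00Z","user":"alice@example.com","prompt":"summarise the Q3 forecast","resources":[{"path":"sp:/sites/Finance/Q3-forecast.xlsx","label":"Confidential"}]}
{"ts":"2025-03-03T09:01:00Z","user":"dave@example.com","prompt":"show me the payroll spreadsheet","resources":[]}
{"ts":"2025-03-03T09:01:30Z","user":"dave@example.com","prompt":"list salaries from the payroll spreadsheet","resources":[]}
{"ts":"2025-03-03T09:02:00Z","user":"dave@example.com","prompt":"what does the payroll spreadsheet say about salaries","resources":[{"path":"sp:/sites/HR/payroll-2024.xlsx","label":""}]}
{"ts":"2025-03-03T09:03:00Z","user":"dave@example.com","prompt":"find executive offer letters","resources":[{"path":"ex:/bob/inbox/offer-letter.pdf","label":"Confidential"}]}
{"ts":"2025-03-03T09:04:00Z","user":"dave@example.com","prompt":"find the acme nda","resources":[{"path":"teams:/Legal/nda-acme.pdf","label":"Highly Confidential"}]}
{"ts":"2025-03-03T09:05:00Z","user":"dave@example.com","prompt":"merger terms","resources":[{"path":"sp:/sites/Legal/merger-terms.docx","label":"Highly Confidential"}]}
{"ts":"2025-03-03T09:06:00Z","user":"dave@example.com","prompt":"board minutes","resources":[{"path":"sp:/sites/Exec/board-minutes.docx","label":"Confidential"}]}
'''


def tokens(prompt: str) -> Set[str]:
    """Lower-cased content words of a prompt, with filler words removed."""
    return {w for w in re.findall(r"[a-z0-9]+", prompt.lower()) if w not in STOPWORDS}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def parse(log: str) -> List[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in log.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def rephrasing_users(events: List[dict]) -> Dict[str, int]:
    """Users whose prompts restate an earlier prompt at least REPHRASE_COUNT times."""
    by_user: Dict[str, List[Set[str]]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(tokens(e["prompt"]))
    hits = {}
    for user, prompts in by_user.items():
        restated = sum(
            1 for i, p in enumerate(prompts)
            if any(jaccard(p, q) >= REPHRASE_SIMILARITY for q in prompts[:i])
        )
        if restated >= REPHRASE_COUNT:
            hits[user] = restated
    return hits


def retrieval_bursts(events: List[dict]) -> Dict[str, int]:
    """Users who pulled more than RETRIEVAL_LIMIT distinct sensitive files in one window."""
    pulls: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:  # events are time-ordered, so each user's list is too
        for r in e["resources"]:
            if r["label"] in SENSITIVE_LABELS:
                pulls[e["user"]].append((e["ts"], r["path"]))
    hits = {}
    for user, items in pulls.items():
        worst = 0
        for i, (start, _) in enumerate(items):  # slide a window from each pull
            in_window = {p for t, p in items[i:] if t - start <= RETRIEVAL_WINDOW}
            worst = max(worst, len(in_window))
        if worst > RETRIEVAL_LIMIT:
            hits[user] = worst
    return hits


def alerts(log: str) -> List[Tuple[str, str, int]]:
    """(user, alert_kind, score) for every signal found in the export."""
    events = parse(log)
    out = [(u, "prompt_rephrasing", n) for u, n in rephrasing_users(events).items()]
    out += [(u, "sensitive_retrieval_burst", n) for u, n in retrieval_bursts(events).items()]
    return sorted(out)


if __name__ == "__main__":
    for user, kind, score in alerts(SAMPLE_LOG):
        print(f"{user}: {kind} (score {score})")
```

Note that the unlabeled payroll file is invisible to the retrieval‑burst rule because it carries no label, which is exactly the gap the earlier sections describe; in practice the detector would join the audit export against a classification inventory rather than trusting labels alone. Thresholds like these should be tuned against a baseline of normal Copilot usage in your tenant before they feed an alert queue.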
Strengthening your defences
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.