Microsoft has published a Transparency Note for Copilot for Microsoft 365, warning enterprises to ensure user access rights are correctly managed before rolling out the technology.
Concerns over data governance have held up some Copilot projects as biz customers consider how best to integrate the service into their organizations, and Microsoft's Transparency Note warns that administrators must check user access is configured correctly before rolling anything out.
The note makes it clear: "Copilot for Microsoft 365 only accesses data that an individual user has existing access to, based on, for example, existing Microsoft 365 role-based access controls."
Copilot for Microsoft 365 is an add-on for which Microsoft expects $30 per user per month, with an annual subscription. It uses large language models (LLMs) and integrates data with Microsoft Graph and Microsoft 365 apps and services to summarize, predict, and generate content.
At first glance, the service is innocuous enough. It gets input from a user in an app, such as Word. That user prompt is then parsed to improve the odds of getting something useful out of the service and then sent to the LLM for processing. What comes out of the LLM is post-processed before being returned to the user.
According to Microsoft: "This post-processing includes other grounding calls to Microsoft Graph, responsible AI checks such as content classifiers, security, compliance and privacy checks, and command generation."
In addition to ensuring user access is configured correctly, the Transparency Note warns organizations to consider legal and compliance issues when using the service, particularly in regulated industries.
"Microsoft is examining regulatory requirements that apply to Microsoft as a provider of the technology and addressing them within the product through a process of continuous improvement," the document states.
Then there's the recommendation to allow Copilot for Microsoft 365 to reference web content from Bing to improve "the quality, accuracy, and relevance" of its responses. Allowing Microsoft Graph to be extended with sources like CRM systems, external file repositories, and other organizational data is another recommendation that will require enterprises to take a long, hard look at governance.
Microsoft's Transparency Note for Copilot for Microsoft 365 is a useful document, highlighting that enterprises must consider the implications of deploying the service.
Last month, Jack Berkowitz, chief data officer of Securiti, told us of bigger corporations pausing Copilot deployments because the tool is accessing data and "aggressively summarizing information" that certain employees shouldn't have access to - salaries, for example.
"Now, maybe if you set up a totally clean Microsoft environment from day one, that would be alleviated," he said. "But nobody has that. People have implemented these systems over time, particularly really big companies. And you get these conflicting authorizations or conflicting access to data."
The much-touted productivity gains from the AI service need to be balanced by its risks - even Microsoft notes "users should always take caution and use their best judgment when using outputs from Copilot for Microsoft 365" - and worries over compliance and data governance must be addressed before unleashing the service on an organization. ®
Identity management vendors like Okta see an opening to calm CISOs worried about agents running amok
An attempt to provide vendor-neutral oversight as the agent train barrels on
Trixie may have gone 64-bit for installs, but WMLive still ships an i686-bootable build
Brussels probes whether unpaid web and YouTube content - and rivals' lock-outs - amount to abuse of dominance
Analysts say demand keeps rising despite constraints, shaky returns, and mounting investor nerves
February product launch fails to register, with concerns remaining about integration
Younger finance pros are just as loyal to Microsoft's venerable spreadsheet app as their elders