Microsoft 365 Copilot is genuinely useful, and turning it on takes about two minutes. The trouble is that those two minutes can quietly expose years of messy file sharing. Before you flip the switch, it is worth a short, structured tidy-up. Here is the plain-English checklist we run through with clients.
Why Copilot makes governance urgent
Copilot answers questions using the files, emails and chats a person already has permission to see. It does not break any rules or reach into places staff cannot already go. That sounds reassuring, and in a tidy environment it is.
The catch is that most businesses do not have a tidy environment. Over the years, folders get shared “just for now”, links get sent to whole teams, and old documents pile up in places nobody remembers. None of that mattered much when finding a file meant knowing where to look. Copilot changes that. Ask it “what is our highest-paid role?” or “summarise the redundancy plan”, and it will happily surface anything a person can technically reach, in seconds.
So Copilot does not create a new risk. It removes the effort that used to hide an existing one. The good news is that the fix is straightforward, and most businesses find the exercise worthwhile on its own. Work through the checklist below before you roll Copilot out.
The checklist
1. Know where your sensitive data actually lives
You cannot protect what you have not mapped. Spend an hour listing where the genuinely sensitive material sits: payroll and HR records, client contracts, financials, anything with personal information in it. In most small businesses it is a handful of SharePoint sites, a few OneDrive accounts and a shared mailbox or two. Write it down. This list is what the rest of the checklist protects.
2. Fix who can see what
This is the big one. For each of the sensitive locations you just listed, check who actually has access, and confirm it matches who should. The usual problems are:
- Whole-company groups (like “Everyone” or “All Staff”) added to folders that should be restricted
- Former staff or contractors who were never removed
- People who moved teams but kept old access
Tightening this is the single most valuable thing you can do before Copilot goes live, and it is good hygiene regardless.
3. Hunt down over-shared files and links
Separate from folder permissions, individual files often get shared with a link. Those “anyone with the link” links are the quiet danger, because they can sit live for years. Review the sharing links on your sensitive sites, kill the ones that are too broad, and set link sharing to default to “specific people” rather than “anyone” going forward.
4. Label your confidential information
Microsoft 365 lets you apply sensitivity labels (through Microsoft Purview) that mark a document as, say, “Confidential”. Labels do two jobs: they signal to staff how to handle a file, and they let you apply protection such as encryption or blocking Copilot from summarising the most sensitive material. You do not need an elaborate scheme. Even a simple “Confidential” label on your crown-jewel documents is a big step up from nothing.
5. Decide what Copilot should not touch
For a small number of truly sensitive areas, the right answer is to keep them out of Copilot’s reach entirely. Microsoft 365 gives you controls to restrict which sites Copilot can draw on, so board papers, an acquisition folder or sensitive HR cases can be walled off. Decide this deliberately rather than assuming everything is fair game.
6. Set the ground rules for your team
Governance is not only technical. Your people need to know what is and is not okay: which tool to use for what, that Copilot output still needs a human check, and that client or personal data should be handled with care. A short, readable AI use policy does the job. It does not need to be a legal document, just a one-pager everyone actually reads. (We are drafting a fuller guide on what to put in one; in the meantime, keep it simple and specific to how your team works.)
7. Turn on the audit trail and review
Before go-live, make sure you can see how Copilot is being used. Microsoft 365 logs Copilot activity, so you can spot unusual patterns and answer the “who accessed what” question if you ever need to. Then plan a review a month in: check what people are actually doing with it, and tighten anything that looks off.
A sensible rollout order
You do not have to do all seven at once, but the order matters. In practice:
- Map your sensitive data (step 1)
- Fix permissions and over-shared links on those locations (steps 2 and 3)
- Label and, where needed, wall off the most sensitive material (steps 4 and 5)
- Publish a short AI use policy and switch on auditing (steps 6 and 7)
- Turn Copilot on for a small pilot group, then review before you expand
That sequence means the risky stuff is handled before anyone starts asking Copilot questions, and you learn from a small group rather than the whole business at once.
Where this fits
If your team is still deciding whether Copilot is worth it in the first place, start with our companion piece, is Microsoft 365 Copilot worth it for small business?. If the live debate in your office is “Copilot or Claude?”, our guide to which AI is safe for client data covers the privacy side in plain English.
Getting the foundations right, permissions, labels and clear ground rules, is exactly the work we do as part of AI and automation projects, and it leans heavily on solid IT security underneath. Done once, properly, it makes every AI tool you adopt afterwards safer by default.
The bottom line
Copilot is not risky because it is powerful. It is risky when it is switched on over a messy, over-shared environment that nobody has tidied. Spend a day on the checklist above and you turn that risk into an advantage: a business where AI is genuinely useful and under control.
If you would like a hand running through the checklist, tidying your permissions and getting Copilot set up safely, get in touch for a no-pressure chat. We will make sure it is switched on the right way round.
Adam leads the Itopia team in Brisbane, helping professional-services firms get secure, productive and confident with their technology, in plain English.

