Copilot Security Checklist: 25 Pre-Deployment Controls

Review all site-level and library-level permissions. Remove "Everyone" and "Everyone except external users" access from sensitive libraries.

Audit group-based access to ensure users only belong to groups relevant to their role. Remove stale memberships from departed or transferred employees.

Configure role-based access controls (RBAC) aligned with job functions. Limit Copilot data access to content users genuinely need for their work.

Require MFA for Copilot access. Restrict Copilot usage to managed devices and compliant locations based on organizational risk tolerance.

Schedule quarterly access reviews for sensitive SharePoint sites, Microsoft Teams, and Microsoft 365 Groups to prevent permission drift.

Configure Microsoft Purview sensitivity labels (e.g., Public, Internal, Confidential, Highly Confidential) and apply default labels to SharePoint libraries.

Configure auto-labeling rules using sensitive information types (SITs) to detect and label PII, PHI, financial data, and other regulated content automatically.

Run Content Explorer and Activity Explorer in Microsoft Purview to identify unlabeled sensitive content. Prioritize high-risk libraries for manual classification.

Set container-level labels on SharePoint sites and Teams so files inherit the classification of their parent container by default.

Verify that sensitivity labels properly restrict Copilot from surfacing Highly Confidential content to users without appropriate clearance.

Create DLP policies detecting SSN, credit card numbers, health records, and custom SITs specific to your organization. Block or warn on sharing.

Extend DLP policies to Microsoft Teams to prevent sensitive data exposure in chat messages and channel conversations accessed by Copilot.

Deploy endpoint DLP to monitor and restrict sensitive data in Copilot-generated content on managed devices.

Build custom SITs and DLP policies for regulated data types specific to your industry (e.g., HIPAA identifiers, ITAR markings, SOX financial controls).

Ensure Microsoft 365 Unified Audit Log is enabled and configured with appropriate retention (minimum 90 days, 365 days recommended for regulated industries).

Monitor CopilotInteraction audit events including prompts, responses, data sources accessed, and files referenced in Copilot outputs.

Create alert policies for unusual patterns: bulk data access, off-hours queries against sensitive libraries, or repeated failed access attempts through Copilot.

Export Copilot audit data to your SIEM (Sentinel, Splunk, etc.) for correlation with other security events and automated incident response.

Apply retention labels to Copilot-generated content matching your organizational retention schedule. Ensure AI outputs are subject to legal hold capabilities.

Verify that Copilot interactions and AI-generated content are discoverable through Microsoft Purview eDiscovery for legal and regulatory inquiries.

For financial services and legal organizations, configure Information Barriers to prevent Copilot from crossing ethical walls between departments.

Create a formal Copilot Acceptable Use Policy covering permitted use cases, prohibited activities, data handling expectations, and incident reporting procedures.

For GDPR-subject organizations, complete a DPIA documenting Copilot data processing activities, legal basis, risks, and mitigation measures.

Create role-specific training covering proper Copilot usage, data handling expectations, prompt best practices, and how to report security concerns.

Form a cross-functional governance committee (IT, Legal, Compliance, HR) to oversee Copilot policies, review incidents, and approve expansion.