The M365 Copilot Problem nobody prepared for

Copilot Just Shows You What Was Already Broken
Most M365 Copilot rollouts are stalling. And it's not the AI.
The question nobody asked first
"We're rolling out Copilot to 500 people next month."
I hear this a lot. And my first question is always the same.
Did you audit your SharePoint permissions first?
Usually, the answer is no. Sometimes it's "we're working on it." Occasionally someone says yes — then pauses when I ask about OneDrive. And Teams.
Look. Microsoft 365 Copilot is genuinely impressive. It can summarize documents, draft emails, find information across your tenant. Real time savings for real people.
But it does all of this using your existing permissions.
And for most organizations? Those permissions are a mess.
What's actually happening
Copilot shows you what was already broken.
Years of "just share it with everyone." Permission inheritance that nobody cleaned up. Sensitive documents sitting in folders that technically half the company can access — they just never thought to look there.
Until now.
With Copilot, people ask natural language questions and get answers from across SharePoint, OneDrive, Teams, email. If they technically have access to something, Copilot will surface it.
This is working as designed. That's the uncomfortable part.
"Technically has access" and "should have access" — those are often very different things. And nobody wanted to deal with it. Until an AI made it impossible to ignore.
HR documents showing up in marketing queries. Board materials appearing in junior employee searches. Salary information, client contracts, M&A discussions. All technically accessible. Now easily discoverable.
IT and security teams are calling this the "oversharing problem." And it's stalling rollouts everywhere.
What the numbers say
Gartner surveyed organizations deploying M365 Copilot in 2025. The findings are... not great.
64% said information governance and security risks required "significantly more time and resources than expected."
Only 6% had finished pilots and were planning large-scale deployment.
Only 1% had completed deployment to all eligible workers.
Nearly half rated Copilot as "some value, shows promise." Which is corporate-speak for lukewarm.
And Microsoft's own CVP of Modern Work, Jared Spataro, acknowledged the challenge at a Goldman Sachs conference: "It is hard to make the ROI argument for it... We feel good about it, but it is hard."
I'm not trying to pile on here. The technology works. The data hygiene doesn't.
Why this keeps happening
A few patterns I keep seeing.
Nobody owns permissions across everything. SharePoint has an admin. Teams has an admin. OneDrive is managed by each user, so nobody reviews it at all. But who owns the holistic view of "who can access what"? Usually nobody.
"It's always been like this." Permission sprawl builds slowly. Every "just share it with the team" decision. Every inherited permission from a folder structure created in 2019. Every guest access link that was never revoked. It accumulates invisibly — until an AI makes it visible.
Governance feels like a blocker. When leadership is excited about AI productivity gains, asking for 3-6 months of cleanup work is a hard sell. It feels like bureaucracy.
But honestly? It might be the only thing that makes this work long-term.
Vendors don't emphasize the prerequisites. This isn't unique to Microsoft. Most AI vendors emphasize what their tool can do, not the organizational readiness required to do it safely. The sales motion is about capabilities. The implementation reality is about governance.
What I'd do before any broad rollout
If you're planning a Copilot deployment in Q1 or beyond, here's where I'd start.
Map where sensitive data actually lives. Not where you think it lives. Where it actually lives. Microsoft Purview's sensitive information types and content explorer can help here, but the key is visibility first. You can't protect what you can't find.
Audit permission inheritance. This is the unglamorous work that prevents most oversharing incidents. Go through SharePoint sites and document libraries. Check who has access and why, and look specifically for grants to "Everyone" or "Everyone except external users", for "Anyone with the link" sharing links, and for site groups whose membership is effectively the whole tenant. Break inheritance where it doesn't make sense. Remove access that was granted "temporarily" three years ago.
Implement sensitivity labels. Labels let you classify documents by sensitivity and control what Copilot can do with them. The control comes from the label's settings, not its name: if the label applies encryption and a user lacks the Extract usage right, Copilot will not use that file's content in a response for that user, and a Purview DLP policy can exclude files carrying a given label from Copilot processing altogether. This is your safety net for the stuff that absolutely shouldn't surface unexpectedly.
Pilot with IT and security first. Don't start with executives or power users. Start with the people who know where the bodies are buried. They'll find the permission gaps, the unexpected access patterns, the documents that shouldn't be discoverable. Better they find these issues than your CEO finding board materials in a Copilot summary.
Train on responsible use, not just prompting. Most Copilot training focuses on "how to write good prompts." That's useful, but it misses the point. People need to understand what Copilot can access, what it might surface, and what to do when something shows up unexpectedly.
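What the permission audit step looks like in practice, as an added example that is not part of the original post: a read-only PnP.PowerShell script that walks every SharePoint Online site, records which document libraries have broken inheritance, and flags any grant (directly or through a SharePoint group) to the tenant-wide principals "Everyone" and "Everyone except external users", plus sites that still allow "Anyone" links. It assumes the PnP.PowerShell module, a SharePoint administrator role, and an Entra app registration for sign-in; $AdminUrl, $ClientId and $ReportPath are placeholders you supply. The two login-name prefixes are SharePoint's own claims encoding for those principals.

```powershell
<#
  Added example: audit SharePoint Online for broken inheritance and tenant-wide grants.
  Assumes PnP.PowerShell and an app registration (placeholder $ClientId). Read-only.
#>
param(
    [Parameter(Mandatory)][string] $AdminUrl,   # e.g. https://contoso-admin.sharepoint.com (placeholder)
    [Parameter(Mandatory)][string] $ClientId,   # Entra app registration PnP signs in with (assumed)
    [string] $ReportPath = '.\copilot-oversharing-audit.csv'
)

# Login-name prefixes SharePoint uses for "the whole tenant". These are the grants
# Copilot turns from theoretical into discoverable.
$BroadPrefixes = @(
    'c:0(.s|true',                              # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users'     # Everyone except external users (tenant id follows)
)

function Test-BroadPrincipal {
    param([string] $LoginName)
    foreach ($prefix in $BroadPrefixes) {
        if ($LoginName.StartsWith($prefix)) { return $true }
    }
    return $false
}

function Add-Finding {
    param($Findings, [string] $Site, [string] $Scope, [string] $Principal, [string] $Level, [string] $Issue)
    $Findings.Add([pscustomobject]@{ Site = $Site; Scope = $Scope; Principal = $Principal; Level = $Level; Issue = $Issue })
}

# Walks the role assignments of a securable object (web or list) and records
# every tenant-wide principal, including ones hidden inside a SharePoint group.
function Find-BroadGrant {
    param($Findings, [string] $Site, [string] $Scope, $Securable)
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        # "Limited Access" is bookkeeping SharePoint adds for parents of unique items, not a real grant.
        $levels = @($ra.RoleDefinitionBindings | Where-Object { $_.Name -notmatch 'Limited Access' } | ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }
        $principals = @($ra.Member)
        if ($ra.Member.PrincipalType -eq 'SharePointGroup') {
            # "Everyone" is frequently a member of "<Site> Members" rather than granted directly.
            $principals += @(Get-PnPGroupMember -Group $ra.Member.Title)
        }
        foreach ($p in $principals) {
            if ($null -eq $p) { continue }
            if (Test-BroadPrincipal $p.LoginName) {
                $via = if ($p -ne $ra.Member) { " (via group '$($ra.Member.Title)')" } else { '' }
                Add-Finding -Findings $Findings -Site $Site -Scope $Scope -Principal "$($p.Title)$via" `
                            -Level ($levels -join ',') -Issue 'Tenant-wide principal'
            }
        }
    }
}

$findings = [System.Collections.Generic.List[object]]::new()

Connect-PnPOnline -Url $AdminUrl -ClientId $ClientId -Interactive
# Personal (OneDrive) sites are per-user; audit them separately with -IncludeOneDriveSites.
$sites = Get-PnPTenantSite | Where-Object { $_.Template -notlike 'SPSPERS*' }

foreach ($site in $sites) {
    # "Anyone" links are the ones that outlive their purpose and never get revoked.
    if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        Add-Finding -Findings $findings -Site $site.Url -Scope 'Site' -Principal '(anonymous link)' -Level 'n/a' -Issue 'Anyone links enabled'
    }
    # The cached token is reused, so this does not re-prompt; for unattended runs use certificate auth instead.
    Connect-PnPOnline -Url $site.Url -ClientId $ClientId -Interactive
    Find-BroadGrant -Findings $findings -Site $site.Url -Scope 'Web' -Securable (Get-PnPWeb)

    # BaseTemplate 101 = document library; hidden system lists are skipped.
    foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden -and $_.BaseTemplate -eq 101 })) {
        if (-not (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments)) { continue }
        $scope = "Library: $($list.Title)"
        Add-Finding -Findings $findings -Site $site.Url -Scope $scope -Principal '-' -Level '-' -Issue 'Inheritance broken'
        Find-BroadGrant -Findings $findings -Site $site.Url -Scope $scope -Securable $list
    }
}

$findings | Sort-Object Site, Scope | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} findings written to {1}" -f $findings.Count, $ReportPath
```

The report gives you the list to work through before the pilot: every "Inheritance broken" row is a library whose permissions were decided by hand at some point and may have drifted, and every "Tenant-wide principal" row is content Copilot will happily return to anyone who asks the right question. Item-level unique permissions (individual files and folders) follow the same pattern with Get-PnPListItem and HasUniqueRoleAssignments, at the cost of many more round trips.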
The uncomfortable part
Distributing licenses is not enablement.
A successful rollout isn't measured by seats activated. It's measured by whether people are still using it — productively and safely — six months later.
The organizations I've seen do this well treat the governance work as part of the value. They use the Copilot deployment as a forcing function to finally clean up years of permission sprawl. They come out the other side with better data hygiene, clearer access policies, and an AI tool that actually works as intended.
Maybe I'm being harsh. But I've seen too many "successful" rollouts turn into security fire drills within weeks.
Where this leaves us
Copilot is basically a stress test for your data governance.
It will find every permission gap, every overshared folder, every access decision that seemed fine at the time but really wasn't.
You can discover these issues proactively, on your timeline, with a controlled pilot.
Or you can discover them when someone asks Copilot a question and gets an answer they really shouldn't have.
I'm not sure there's a shortcut here. Governance feels like a blocker. But it might be the only thing that makes this actually work.
If you're planning a Copilot rollout and want to talk through what we've learned, reach out. Happy to share the pre-flight checklist we use with clients.
