AboutExpertiseWorkBlogCredentialsContact
← Back to the blog Governance & security

What to put in order before switching Copilot on

Copilot does not create permission problems. It makes the ones already there findable, and you no longer need to know what you are looking for.

pH7x Systems® · · 2 min read

An organisation decides to try Copilot. It buys a few licences, enables one user, and within the first week somebody asks the assistant an innocent question and gets back a salary document they were never meant to see.

The usual reaction is to blame the tool. The tool did nothing wrong. It respected exactly the permissions that existed. The problem is that nobody had looked at them in eight years.

Copilot is a mirror, not a door

This is the one thing to understand before anything else: Copilot gives access to nothing the user did not already have access to. It merely makes that access usable.

Before, a badly shared file in a forgotten library was technically reachable but practically invisible. Nobody knew it existed, nobody searched for it, nobody stumbled into it. Copilot searches. And it finds.

What was a theoretical risk becomes a real incident, and it becomes one at scale: whoever has a licence now has something searching on their behalf, and you no longer need to know what you are looking for in order to find it.

What gets fixed first

Oversharing. "Anyone in the organisation" links scattered across years of hurried work. Libraries with broken permission inheritance and nobody left who remembers why. Orphaned sites whose owner left the company in 2019.

Sensitivity and classification. If nothing is labelled, nothing can be protected differently. Salary information, health data, contracts: all carry the same weight in the system's eyes, which is to say none.

Lifecycle. Sites that no longer serve anyone are not harmless. They are surface. A dead site is still indexed, still searchable, and still holds whatever was put there in 2017.

The right order is boring, and it is the one that works

First assess what exists. Then fix what is wrong. Only then switch on Copilot, and to a small group, so you can see what surfaces. Never the other way round.

The temptation is to invert it, because switching on is fast and tidying up is slow. But switching on first means the first incident will be discovered by a user, not by you. And a first incident discovered by a user is not a technical problem. It is a trust problem, and those cost far more.

What you gain by doing this properly

It is not only about avoiding the incident. An organisation with tidy permissions, classified information and owned sites works better with or without Copilot. Governance work is never wasted.

Copilot is simply the reason that finally convinces the board to pay for it.

Keep reading