We’re encountering significant challenges in assessing and managing the legal and data privacy risks associated with the Microsoft Copilot suite (Copilot for M365, Copilot Studio, Copilot Chat, Agents, etc.). Key concerns include: - The complexity and legal ambiguity of Microsoft’s online-only terms and documentation - Frequent updates to terms without clear versioning or notifications - Limited transparency around how user and organizational data is processed, stored, and used by Copilot services Has anyone developed effective strategies or governance practices to keep up with these evolving risks? How are you keeping legal, security, and procurement teams informed and aligned as Microsoft continues to expand and modify these offerings?

As Data is next protection critical objective for every public sector initiative. All Cloud Service provider doesn't align to Sovereignty Data Principle and GDPR 100 % Compliance

We had a lot of problems with Microsoft copilot for O365 because it pulls in all the content in all the Microsoft tools.   I read something on Gartner I think that said 10% of all documents pulled in will be sensitive that should not be shared with the person accessing it.  It was painful working with Microsoft because they really didn't think this through and were pushing the tool hard.  Our SharePoint is very large and has millions of documents, ultimately they offered an option where we could limit the search in SharePoint to 100 sites which reduced our risk a lot.  Ultimately I don't think its a very good tool, people are using it but so far its value is not equivalent to the risk.

Not here. We've halted our deployment of any Copilot products for this exact reason. We are focusing on replacing its use with other Gen AI tools that present fewer risks. 

Yeah, we’re in the same boat. Honestly, the pace at which Microsoft updates their Copilot terms without proper versioning or clear comms is a real challenge. What worked for us was setting up a biweekly sync between legal, IT security, and procurement just to stay on top of any changes and translate that into internal risk registers. We also created a lightweight governance checklist that flags any new service being rolled out, and we push Microsoft to give us written clarifications during QBRs. It’s not perfect, but it helps us stay somewhat sane while Copilot keeps evolving.