CopilotGuard
Copilot readiness security assessment
CopilotGuard Readiness Report
A metadata-only assessment of content exposure risks that may become more visible during Microsoft 365 Copilot rollout.
Copilot Readiness Verdict: Not ready
Critical risks must be remediated before broad Copilot rollout.
Executive Summary
The review found 5 critical exposure issues in AgentGuard. These issues indicate that sensitive business content may be easier to discover during a Copilot rollout than leadership would expect. The highest priority is to reduce broad, external, or anonymous access before expanding Copilot usage. Addressing the top findings will lower the chance of confidential information being surfaced to users who should not need it.
Risk Overview
- Critical: 5
- High: 2
- Medium: 3
- Low: 0
Findings by Category
- Anonymous & External Access: 3 findings
- Sensitivity Labelling Gaps: 2 findings
- Broad Access & Permissions: 4 findings
- Content Ownership: 1 finding
Detailed Findings
| Severity | Score | Source | Sensitivity Label | Title | Object Path | Why this matters for Copilot | Evidence Summary | Recommendation |
|---|---|---|---|---|---|---|---|---|
| CRITICAL | 100 | SharePoint | Confidential - Finance | Organization link on seeded finance folder | https://agentguard.sharepoint.com/Shared%20Documents/M365%20Exposure%20Review%20Seed%20-%20Finance%20Payroll%20Board | Broad permissions increase the number of users who may discover this content through Copilot experiences. | Sensitivity label: Confidential - Finance, Principals: Organization view link, Anonymous links: 0, External links: 0, Broad access: 1, Owner status: active | Replace broad sharing links with named finance and executive groups. |
| CRITICAL | 96 | OneDrive | Highly Confidential - Customer Data | OneDrive customer pricing folder is broadly shared | https://agentguard-my.sharepoint.com/personal/john.smith_agentguard_onmicrosoft_com/Documents/M365%20Exposure%20Review%20Seed%20-%20OneDrive%20Customer%20Pricing | Copilot can make already-accessible shared content easier for users to find and reuse. | Sensitivity label: Highly Confidential - Customer Data, Principals: Organization view link, Anonymous links: 0, External links: 0, Broad access: 1, Owner status: active | Move business-critical customer pricing out of personal OneDrive or restrict it to named users. |
| HIGH | 82 | SharePoint | Unknown | Sensitive-looking file has no Purview label | https://agentguard.sharepoint.com/Shared%20Documents/M365%20Exposure%20Review%20Seed%20-%20Finance%20Payroll%20Board/HR%20Salary%20Bonus%20Planning.txt | Without a clear label, reviewers have weaker signals for deciding whether Copilot access is appropriate. | Sensitivity label: Unknown, Principals: Communication site Members, Anonymous links: 0, External links: 0, Broad access: 0, Owner status: active | Apply an appropriate sensitivity label or document why no label is required. |
| MEDIUM | 59 | OneDrive | Confidential | Nested OneDrive file discovered by recursive scan | https://agentguard-my.sharepoint.com/personal/john.smith_agentguard_onmicrosoft_com/Documents/M365%20Exposure%20Review%20Seed%20-%20OneDrive%20Customer%20Pricing/Confidential%20Vendor%20Renewal.txt | Without an accountable owner, risky access may remain in place after the business need has passed. | Sensitivity label: Confidential, Principals: none, Anonymous links: 0, External links: 0, Broad access: 0, Owner status: unknown | Assign an accountable owner and review inherited access. |
Remediation Priority
- Remove anonymous and external sharing links from the highest-risk sensitive locations.
- Replace broad access groups with named business groups for sensitive SharePoint and OneDrive content.
- Apply appropriate sensitivity labels to sensitive-looking content before expanding Copilot access.
- Assign accountable business owners to high-risk locations and confirm access is still required.
- Run the scan again after remediation to confirm exposure has reduced.