Shadow AI · Tool risk profile

Microsoft 365 Copilot.

by Microsoft · native suite · Verified April 19, 2026


Base risk: 2.0 / 5 (scale: Low, Medium, High, Critical)

Microsoft 365 Copilot runs inside your tenant under M365 commercial data protections — no training on prompts, EU Data Boundary support, full Entra ID and Purview integration. The risk is downstream: Copilot can now retrieve any document the requesting user can already access, so weak SharePoint permission hygiene becomes a much louder problem.

Tier comparison

Same logo. Very different risks.

Tier                 Risk   Trains on inputs   Retention   SSO   Admin controls
Free                 low    No                 0 days      No    No
Paid · consumer      low    No                 90 days     Yes   Yes
Enterprise · team    low    No                 90 days     Yes   Yes

No alternatives flagged for this tool yet. The research team adds them as safer drop-in replacements surface in the registry.

FAQ

Questions teams ask about Microsoft 365 Copilot.

Does Copilot for M365 use my data to train OpenAI?

No. Microsoft contractually excludes training and operates Copilot inside the M365 commercial trust boundary.

What new risk does Copilot create that we did not have before?

Discovery. Copilot exposes every document a user already had permission to but had not actually opened, surfacing weak permission hygiene that previously went unnoticed.

Audit your shadow AI

Is Microsoft 365 Copilot live in your org alongside tools IT doesn’t know about?

Run a free 12-minute audit to surface every shadow AI tool on your network, score the risk, and walk away with a block-list your IT team can import.

Buzzi.ai publishes tool risk profiles for informational purposes only. Always validate terms with the vendor before operational decisions.