Microsoft tightens Copilot governance — with caveats
Microsoft added visibility and controls to Microsoft 365 Copilot—new metrics for usage and expanded Purview controls—aiming to give enterprises better governance over workplace AI. But the product will send data outside the EU during peak demand in some cases, and Microsoft is quietly rebranding Copilot features into app-level ‘writing tools,’ which complicates consistent cross-border compliance. (cloudwars.com) (cybernews.com) (windowscentral.com)
Microsoft is giving information technology teams more gauges and more switches for Microsoft 365 Copilot at the exact moment it is also loosening one border rule in Europe. On April 7, Microsoft said it added new security, management, and analytics features for Copilot, including prompt filtering, oversharing remediation, and more admin visibility. (techcommunity.microsoft.com)

The new controls are aimed at a basic enterprise fear: Copilot does not invent access to files, but it can surface whatever a worker already has permission to open. Microsoft’s own deployment guidance now centers on three steps: remediate oversharing, implement guardrails, and meet artificial intelligence regulatory obligations. (techcommunity.microsoft.com 1) (techcommunity.microsoft.com 2)

One of the biggest additions is Microsoft Purview Data Loss Prevention for prompts. That policy engine can now detect sensitive information types in a Copilot prompt and block Copilot from answering or using that prompt for web grounding. (techcommunity.microsoft.com) Microsoft also expanded those Purview rules to web queries in Microsoft 365 Copilot and Copilot Chat. In public preview, an admin can stop a worker from sending sensitive text into a web search while still allowing the answer to use the company’s internal work data. (techcommunity.microsoft.com)

The visibility piece is getting sharper too. Microsoft’s Copilot usage report now tracks enabled users, active users, active user rate, active agent users, and total prompts submitted across 7, 30, 90, or 180 days, with data typically appearing within 72 hours after a given day ends in Coordinated Universal Time. (learn.microsoft.com)

Microsoft is also pushing more of that governance into the same admin screens where companies already manage Microsoft 365. In the Microsoft 365 admin center, artificial intelligence and information technology admins can now see oversharing risks, see how many sensitive Copilot interactions are protected, and turn on Purview Data Loss Prevention for Copilot from that console. (techcommunity.microsoft.com)

Then comes the caveat for Europe. Microsoft’s new “flex routing” setting lets large language model inferencing, which is the step where the model processes a prompt and generates an answer, happen outside the European Union Data Boundary during peak demand. (learn.microsoft.com 1) (learn.microsoft.com 2) Microsoft says stored customer data stays inside the European Union boundary, except for limited pseudonymized data used for security and operations, and says the traffic is encrypted in transit and at rest. But for eligible tenants created after March 25, 2026, flex routing is on by default, which means the “keep it in Europe” story now depends on an admin noticing and changing a setting. (learn.microsoft.com 1) (learn.microsoft.com 2)

At the same time, Microsoft is scattering Copilot-branded behavior into ordinary apps under plainer names. In Notepad, the company now describes Rewrite, Summarize, and Write as built-in artificial intelligence features powered by a cloud service with GPT, and the support page presents them as Notepad tools rather than as one big Copilot product surface. (support.microsoft.com)

That makes governance cleaner in one place and messier in another. A compliance team can now lock down Microsoft 365 Copilot more precisely, but it also has to keep asking which artificial intelligence feature is “Copilot,” which one is just “Write,” and which admin switch controls data movement when the same company is selling all three under different labels. (techcommunity.microsoft.com) (learn.microsoft.com) (support.microsoft.com)