Microsoft tightens Copilot governance

Microsoft is changing the part of Copilot that corporate buyers actually care about: not the chatbot demo, but the controls behind it. In an April 7 post, Microsoft said new Microsoft 365 Copilot updates are focused on security, management, analytics, and governance for information technology and security teams. (techcommunity.microsoft.com) One new control sits inside Microsoft Purview, Microsoft’s compliance and data-governance system. Microsoft said administrators can now use Data Loss Prevention rules to block prompts that contain sensitive information, so Copilot will not answer with that data or send it into web-grounded responses. (techcommunity.microsoft.com) Microsoft also expanded those rules to web search. In public preview, administrators can stop sensitive prompts from being used for web queries while still allowing responses to draw on a company’s internal Work IQ context inside Microsoft 365 Copilot and agents published through Copilot Studio. (techcommunity.microsoft.com, (microsoft.com)) The other problem Microsoft is targeting is oversharing, which is what happens when old SharePoint permissions quietly expose files to more people than intended. Microsoft said Purview and SharePoint controls can now identify overshared content and let administrators remediate or disable overshared links in bulk. (techcommunity.microsoft.com, (learn.microsoft.com)) That matters because Microsoft is asking companies to let Copilot work across email, documents, meetings, and internal sites all at once. In Microsoft’s March 9 Wave 3 announcement, the company said Microsoft 365 Copilot is moving toward longer-running, multi-step work that can reason across tools and files over minutes or hours, not just one prompt at a time. (microsoft.com) When an assistant can roam across a company’s files, measurement becomes a buying requirement, not a nice extra. Microsoft’s Copilot Control System now describes three pillars—security and governance, management controls, and measurement and reporting—and Microsoft’s latest update adds more visibility for administrators inside the Microsoft 365 admin center. (learn.microsoft.com, (techcommunity.microsoft.com)) At the same time, Microsoft had to clean up a very public contradiction in Copilot’s legal wording. TechCrunch reported on April 5 that Microsoft’s terms, last updated on October 24, 2025, said Copilot was “for entertainment purposes only,” and Microsoft said that text was legacy language that would be changed in the next update. (techcrunch.com) That clause looked especially awkward because Microsoft has spent the past year pitching Copilot as a paid work tool for Word, Excel, Outlook, Teams, and custom agents. A product sold for drafting documents, searching company files, and running multi-step office work cannot sound, in its own terms, like a toy left over from Bing chat. (microsoft.com, (techcrunch.com)) Microsoft is also changing how the Copilot brand shows up on Windows. In a March 4 Windows Insider update, Microsoft said the Copilot app now opens links in a side pane inside the app, saves those tabs with the conversation, and may pull back some features while it iterates before general availability. (blogs.windows.com) Put together, the pattern is clear in Microsoft’s own language: Copilot is becoming less of a single floating assistant and more of a set of controlled tools embedded inside specific work surfaces. Microsoft’s March 9 post said Wave 3 is about intelligence plus trust inside “the apps you already know,” and the April 7 update filled in the trust part with guardrails, reports, and cleanup tools. (microsoft.com, (techcommunity.microsoft.com))