Copilot’s governance push

Microsoft is finally adding the part big companies care about most: a paper trail for artificial intelligence work. In new April 7 updates, Microsoft said administrators can now see more of how Microsoft 365 Copilot is used, what risks it creates, and where to turn on protections inside the Microsoft 365 admin center. (techcommunity.microsoft.com) That sounds dry until you remember what Copilot actually does. It reads across a company’s Microsoft 365 files, emails, meetings, and chats to answer questions, so one careless prompt can pull in the wrong spreadsheet as easily as the right one. (learn.microsoft.com) For information technology teams, “governance” mostly means knowing who used the tool, what kind of data was involved, and whether company rules were enforced. Microsoft’s own admin documentation says Copilot reporting now spans the Microsoft 365 admin center, Viva Insights analytics, Microsoft Purview audit logs, and Copilot Studio analytics. (learn.microsoft.com) The new push is centered on Microsoft Purview, which is the company’s compliance and data-control layer. Microsoft says Purview can classify data, apply sensitivity labels, run audits, enforce data loss prevention, support eDiscovery, and surface artificial intelligence risks through Data Security Posture Management. (learn.microsoft.com) One of the new controls blocks sensitive information before it ever becomes a prompt. Microsoft said Data Loss Prevention for Microsoft 365 Copilot is now generally available, letting administrators detect sensitive information types and stop Copilot from responding to those prompts or using them for web grounding. (techcommunity.microsoft.com) Another control goes after a quieter problem: oversharing. Microsoft said Purview can now bulk-remediate or disable overshared SharePoint links at scale, which matters because Copilot can only be as safe as the files and permissions it is allowed to see. (techcommunity.microsoft.com) Microsoft is also making the usage side easier to measure, not just the risk side. Its reporting guide says administrators can track adoption and basic usage in the Microsoft 365 admin center, while Viva Insights adds a Copilot Dashboard and analyst tools for deeper reporting. (learn.microsoft.com) That measurement problem has been hanging over Copilot for months. On Microsoft’s January 28, 2026 earnings call, the company said it had 15 million paid Microsoft 365 Copilot seats and more than 450 million Microsoft 365 commercial seats overall, which means the paid add-on was still attached to only about 3% of the base. (microsoft.com) (cnbc.com) So this is Microsoft moving Copilot from demo mode to budget-review mode. If a chief information officer can show which teams use Copilot, which prompts were protected, which files were overshared, and which policies blocked risky behavior, the renewal conversation starts to look less like hype and more like software procurement. (learn.microsoft.com) (techcommunity.microsoft.com) Microsoft is not selling a chatbot anymore. It is selling an audited employee that lives inside Word, Outlook, Teams, and SharePoint, and audited employees are much easier for regulated companies to keep. (learn.microsoft.com)