Introducing Security for AI Copilots in SaaS Apps

The Risks of Uncontrolled Copilot Rollout

As a result of these SharePoint data security governance challenges, many organizations are left with a tough choice: either turn off Copilot access entirely or face the insider risk of employees gaining unauthorized access to sensitive data.

But the risks don’t end there. Beyond insider threats, there’s also the danger of data exfiltration. Employees may inadvertently share sensitive information externally or copy it to unsecured locations. Even more concerning, attackers could compromise an employee’s identity, gaining access to Copilot and using it for larger reconnaissance attacks.

Gartner has predicted that by April 2025, Copilot will be involved in a major data breach. On top of security concerns, organizations also face compliance risks—especially when employees can access each other’s personal data, potentially leading to significant regulatory fines.

So, how can you safely adopt Copilot while mitigating these risks?

6-Step Approach to Enable Safe Use of Copilot with Microsoft SharePoint

At Securiti AI, we believe in enabling AI innovation while keeping your data secure. Here’s how we help you safely adopt Copilot by automating SharePoint data security and governance through our six-step framework:

1) Identify & Remediate Risky and Unintended Access Permissions

The most complex data risk that organizations using Microsoft Copilot must address is ‘unintended entitlements.’ Within SharePoint, granting incorrect permissions can result in unintended exposure of sensitive data between team members. Microsoft Copilot amplifies this risk by making it easier to analyze information available through these access permissions. To mitigate this, organizations need to continuously uncover and fix such risky entitlement combinations. This requires a systematic detection and remediation program.

Securiti’s powerful Data Command Graph simplifies the process of identifying ‘risky combinations’ of file and folder permissions using graph rules. The Data Command Graph provides the relationship context of each file, its sensitivity, individual and group user permissions, and regulatory constructs. It allows you to simply create graph rules, generate findings, and assign them to the right teams for remediation. For example, it’s easy to configure a rule to detect users outside of HR and Finance who have access to files with sensitive compensation information owned by those departments.

You can instantly find users, groups and the specific permissions they have to access sites or files as well as leverage advanced metadata data such as ownership information to identify entitlements that must be fixed to establish least-privileged access controls like restricting access to files with high-sensitivity data labels.

2) Leverage Copilot Native Security Controls

You can configure Microsoft Copilot to avoid files with certain labels when generating answers, but applying these labels at scale and with accuracy is a challenge. Even Microsoft’s native tools struggle to scale and offer limited flexibility.

Securiti’s powerful Data Command Graph provides ultimate flexibility to label files with precision and at scale based on a variety of attributes such as data classification, file types, content profile, ownership, location, security posture, regulations, age and more, For instance, you can label files containing intellectual property data as “Confidential”. Once these labels are applied, you can then instruct Copilot to exclude files labeled “Confidential” when responding to user queries. This ensures that you fully leverage Copilot’s native security controls to protect your company’s sensitive data.

3) Prioritize Sensitive Data Risks

Misconfigurations in Microsoft SharePoint can expose sensitive data that Microsoft Copilot might use to generate answers, leading to significant data leaks and breaches. 

Securiti helps you prioritize toxic or risky combinations where sensitive data is shared too broadly within the organization or is accessible externally by non-employees.

The built-in, AI-powered data classification accurately identifies hundreds of types of sensitive data elements, including proprietary documents like financial reports, company secrets, and strategic plans. Securiti also analyzes the configuration posture of Microsoft SharePoint, detecting files and folders that are shared too broadly or exposed externally. With Securiti’s out-of-the-box risky-combination rules powered by the Data Command Graph, you can quickly prioritize and prevent exposure of sensitive data through Microsoft Copilot.

4) Automatically Assess SharePoint Security Posture

Securiti automatically reviews your SharePoint security settings to ensure proper configurations, such as preventing files in new sites from being accessible to external users by default. Companies should also ensure that Microsoft Copilot adheres to native security best practices. 

5) Automatically Remediate Access Issues

Securiti automatically notifies SharePoint site and file owners of misconfigured access, enabling them to quickly fix security posture and access issues—without disrupting employees’ access to critical data they need. Solution enables you to scope your Sharepoint remediation policy to specific findings such as those related to critical sites or files containing sensitive information to make it manageable for site owners to address the issues then need to fix. Notifications can be routed to ticketing systems such ServiceNow or Jira as well as messaging options such as Slack or Email, thus enabling users to prioritize remediations as a part of their daily administrative tasks.

6) Minimize Obsolete and Rotten Data

Obsolete and rotten data in Microsoft Sharepoint is not only a data security or privacy risk, but can also hamper the accuracy and freshness of answers provided by Microsoft Copilot. As employees would increasingly rely on Copilot, the impact of such answers can be significant. 

Securiti provides advanced capabilities to find duplicate and near-duplicate files.  Also, graph rules can be configured using Data Command Graph to find obsolete files based on various attributes such as file content, age of files, access and modification patterns, file ownership, etc.

Additionally, with Securiti’s labeling policies, you can automatically label these files to ensure Microsoft Copilot excludes them when generating answers.