AI governance gap exposes sensitive Microsoft 365 data: report

‘Every oversharing group and forgotten permission is one Copilot prompt away from becoming a real incident’

Nearly one in three organisations in the U.S., Canada and Europe using AI in Microsoft 365 have experienced an AI‑driven data exposure incident, exposing HR records and other sensitive information, according to a report.

Overall, 93% of organisations have fully or partially deployed Microsoft 365 Copilot, reports ShareGate.

The same proportion of IT leaders say their Microsoft 365 governance framework is ready to support AI responsibly, that their IT team has the skills and tools to address AI‑related governance issues, and that Copilot’s access reflects appropriate permissions.

Exposure incidents and data types

At the same time, 29% of organisations reported that AI tools have already surfaced sensitive internal data they should not have been able to access, according to ShareGate’s survey of more than 850 IT and security leaders across the United States, Canada, the United Kingdom, France, Germany, the Netherlands and Ireland. A further 8% said they did not know whether such incidents had occurred.

ShareGate states: “Here are two stats that should make you uncomfortable: 93% of IT leaders say they’re confident their Microsoft 365 governance is ready for AI, but 29% of those same organizations report that AI tools have already surfaced sensitive data that shouldn’t have been accessible. Another 8% said they didn’t know.”

The exposed information includes:

  • customer records (36%)
  • sensitive internal documents (31%)
  • personal data and personally identifiable information (30%)
  • HR records (30%)
  • financial data (25%)
  • proprietary intellectual property (21%)

The company wrote: “These aren’t obscure edge cases. This is the stuff that’s supposed to be locked down. Contracts. Employee records. Strategic plans. Customer lists.”

ShareGate said the incidents often stem from long‑standing permission settings rather than new security failures. “In most cases, nobody broke any rules to access it. The permissions were already there. Copilot just followed them,” the company reported.

Recently, Canada Life confirmed a cyber incident that exposed the personal information of up to 70,000 people, most of them employees covered under a large corporate group benefits and retirement plan.

Visibility and governance gaps

Benjamin Niaulin, vice‑president of product at ShareGate, said the introduction of AI is revealing existing weaknesses. “AI and Copilot didn’t create the governance problem. They exposed it,” he said. “IT teams have been papering over fragmented tools and blind spots for years. Now every oversharing group and forgotten permission is one Copilot prompt away from becoming a real incident. You can’t govern what you can’t see, and right now, most teams can’t see it.”

In its blog on the survey, ShareGate concluded that “the gap isn’t about competence. It’s about visibility. Most teams are confident because they’ve done the work they know about. The problem is the work they don’t know about—the forgotten shares, the inherited permissions, the content that’s technically accessible but practically invisible.”

Most organisations have taken some steps to prepare for AI, the research shows. ShareGate reported that 86% of respondents conducted a content clean‑up in preparation for AI deployment. However, only about half completed an organisation‑wide review of content and permissions.

Workload, automation and ROI

“Only half of respondents did a full content and permissions cleanup before deploying AI,” ShareGate stated. “Partial cleanups leave gaps. And AI doesn’t respect rollout phases. It indexes everything it can see.”
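To make the mechanism concrete (the assistant adds no access of its own but reads with the user's existing permissions, so a clean-up that stops at the parent leaves inherited and forgotten grants reachable), here is an added Python example that is not ShareGate's or Microsoft's code. The inventory, group memberships and classification labels are constructed, and the audit logic is an assumed model of such a review, not a real tenant API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Tenant-wide groups: a grant to one of these is the "oversharing group" in the report.
BROAD_GROUPS = {"Everyone", "Everyone except external users", "All Company"}

@dataclass
class Item:
    path: str
    label: str                              # classification, e.g. "HR", "Customer"
    grants: Set[str]                        # principals granted read access directly
    inherits_from: Optional[str] = None     # parent path when permissions are inherited

# Constructed inventory: one forgotten direct share and one sensitive file that
# silently inherits a site-wide grant from its parent.
INVENTORY: Dict[str, Item] = {i.path: i for i in [
    Item("/sites/HR", "HR", {"HR-Team"}),
    Item("/sites/HR/salaries.xlsx", "HR", set(), "/sites/HR"),
    Item("/sites/Projects", "General", {"All Company"}),
    Item("/sites/Projects/customer-list.xlsx", "Customer", set(), "/sites/Projects"),
    Item("/sites/Finance", "Financial", {"Finance"}),
    Item("/sites/Finance/budget-2024.xlsx", "Financial", {"Finance", "Everyone except external users"}),
]}
# Constructed group memberships; a user's principals are derived from these.
GROUPS: Dict[str, Set[str]] = {
    "HR-Team": {"alice"}, "Finance": {"bob"},
    "All Company": {"alice", "bob", "carol"},
    "Everyone except external users": {"alice", "bob", "carol"},
}

def effective_grants(inv: Dict[str, Item], path: str) -> Set[str]:
    """Union of direct grants along the inheritance chain up to the site root."""
    item = inv[path]
    grants = set(item.grants)
    while item.inherits_from:
        item = inv[item.inherits_from]
        grants |= item.grants
    return grants

def visible_to(inv, groups, user: str) -> List[str]:
    """Everything a prompt from `user` could surface: the user's identity plus groups."""
    principals = {user} | {g for g, members in groups.items() if user in members}
    return sorted(p for p in inv if effective_grants(inv, p) & principals)

def oversharing_findings(inv, sensitive: Set[str]) -> List[Tuple[str, str, List[str], str]]:
    """Sensitive items reachable via a broad group: 'direct' (forgotten share) or 'inherited'."""
    out = []
    for path, item in inv.items():
        broad = effective_grants(inv, path) & BROAD_GROUPS
        if item.label in sensitive and broad:
            via = "direct" if item.grants & BROAD_GROUPS else "inherited"
            out.append((path, item.label, sorted(broad), via))
    return out
```

Running `oversharing_findings(INVENTORY, {"HR", "Customer", "Financial"})` flags the customer list (inherited from a site shared with All Company) and the budget file (a direct, forgotten share), while the HR site is clean; a review scoped only to site roots would have missed the first.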

Governance workloads have risen as AI adoption has increased. According to ShareGate, 71% of respondents said their governance workload has grown since enabling AI tools, with nearly a quarter saying it has increased significantly. Only 37% described their governance as highly automated and continuously monitored, while 26% reported “operationalised” governance with consistent enforcement; the remainder rely largely on manual or reactive processes. “Manual governance doesn’t scale. Not when AI is surfacing risks faster than your team can review them,” ShareGate wrote.

The survey also links governance to AI return on investment. ShareGate found that 51% of respondents cited cost visibility and 47% cited governance complexity as barriers to measuring AI ROI. In total, 78% said governance activities directly affect their organisation’s confidence in AI investments. The company reported that 49% of organisations say AI‑related costs account for 11% or more of their IT budget, noting: “That’s real money. And without governance clarity, it’s money without a measurable return.”

On ownership, 48% of organisations reported having a clearly defined AI governance owner with formal policies and consistent enforcement, 26% said they have an owner but varying enforcement by department, and the rest indicated shared ownership or none. “No owner means no accountability,” ShareGate wrote. “And no accountability means no one to champion the business case.”

The modern workday has extended far beyond regular working hours, according to previous findings from Microsoft, which described the result as employees' new "infinite workday".

Also, looking at “trillions of globally aggregated and anonymized Microsoft 365 productivity signals,” a previous report breaks down a typical day of Microsoft 365 global users based on productivity data and various market surveys, including 1,000 full-time users in Canada. It found that 48% of workers and 52% of leaders feel work is “chaotic and fragmented”.
