Service 03
Copilot can see more than you think.
AI assistants inherit every permission a user already has. In most tenants that includes years of over-broad sharing nobody noticed, because until now nobody could search for it in plain English.
Why this comes before deployment, not after
A permission audit before you switch Copilot on costs far less than an exposure afterward. The reason is simple: Copilot does not break permissions, it obeys them. If a salary spreadsheet was shared with "everyone in the organization" in 2021 and forgotten, it was technically open the whole time. Nobody found it because nobody thought to search. Natural language search removes that accident of obscurity.
What the audit covers
The audit covers four layers: where content is over-shared, what is sensitive enough to need labeling, what should be blocked from leaving, and what your staff are allowed to do with AI tools in the first place.
- Permission exposure. SharePoint, OneDrive, and Teams reviewed for organization-wide links, anonymous links, and stale external guests.
- Sensitivity labeling. Microsoft Purview labels applied to the categories that matter, with automatic labeling where the pattern is reliable.
- Data loss prevention. Policies that stop the specific things you care about leaving, tested against real files instead of theory.
- Acceptable-use policy. A written, readable AI policy your staff can follow, covering what may be pasted into which tools.
- Shadow AI discovery. Which unapproved AI tools are already in use, found through DNS and tenant telemetry.
What it costs
AI governance audits start at $2,500 as a fixed fee. Larger or messier tenants cost more, and we tell you which you are before starting, not after. Remediation is quoted separately once we know the size of the problem, because quoting cleanup before measuring it is guesswork dressed as a proposal.
The insurance angle worth knowing
Several major carriers added AI exclusions to standard technology errors and omissions policies during 2026. If your business is deploying AI tools, it is worth confirming in writing whether your own policy still responds. We are not insurance advisors and will not pretend to be, but we will tell you what we see, and a documented governance position helps that conversation.
Questions
Common questions
Why does Copilot need a security review before deployment?
Copilot surfaces any content a user already has permission to open. Most tenants have accumulated years of over-broad sharing that went unnoticed because nobody searched for it. Natural language search makes that content easy to find, so the permission review should happen first.
What does an AI governance audit cost?
Audits start at $2,500 as a fixed fee. Remediation is quoted separately after the audit, once the scope of cleanup is actually known.
Do we need Microsoft Purview licensing?
Sensitivity labeling and basic DLP are included in Microsoft 365 Business Premium and E3. Advanced capabilities need additional licensing, and we will tell you whether you need it before you buy it.
What is shadow AI?
Shadow AI is any AI tool your staff use without approval, typically free consumer chatbots. The risk is company data pasted into a service with no agreement covering it. Discovery finds what is already in use so policy can be realistic.
Can you write our AI acceptable-use policy?
Yes, and it is included in the audit. It is written to be read by staff, not filed by legal, because a policy nobody reads changes no behavior.
Also from Kildaris
Next step
Thirty minutes, and you will know where you stand.
No pitch deck. We look at what you are running, tell you what we would do first, and you decide whether that is worth paying for.