Copilot Readiness Checklist: 47 Enterprise Questions

Category 1: Identity and Access Management (10 Questions)

Copilot respects your existing Microsoft 365 permissions. If permissions are wrong, Copilot answers will expose the wrong data to the wrong people.

1. Are all Entra ID groups reviewed and current? Stale groups with former employees or incorrect members give Copilot access to data those users should not see.
2. Is guest access scoped and audited? External guests with broad SharePoint access will have those same permissions reflected in Copilot responses.
3. Are shared mailboxes properly permissioned? Copilot can surface shared mailbox content to anyone with delegate access.
4. Is Conditional Access configured for Copilot? You should be able to restrict Copilot access by device compliance, location, and risk level.
5. Are service accounts excluded from Copilot licensing? Service accounts with broad permissions should never have Copilot enabled.
6. Is Privileged Identity Management (PIM) active for admin roles? Admins with standing access have Copilot access to everything they can see.
7. Are access reviews scheduled in Entra ID Governance? Quarterly access reviews catch permission drift before Copilot surfaces it.
8. Is multi-factor authentication enforced for all Copilot users? Copilot amplifies the damage of compromised accounts.
9. Are dynamic groups used where appropriate? Dynamic groups based on attributes reduce manual group management errors.
10. Is the Entra ID sign-in log monitored for anomalies? Unusual Copilot query patterns can indicate account compromise or data exfiltration attempts.

Category 2: Data Access and Governance (12 Questions)

This is the highest-risk category. Most Copilot incidents trace back to overshared data, not Copilot bugs.

11. Have you audited SharePoint site permissions for “Everyone except external users”? This is the number one Copilot data exposure vector. Remove it from every site that contains sensitive content.
12. Are SharePoint sites classified by sensitivity? Sites should be labeled as Public, Internal, Confidential, or Highly Confidential with corresponding access controls.
13. Is OneDrive sharing restricted to appropriate levels? Users sharing files via “Anyone with the link” creates Copilot-accessible content with no access boundaries.
14. Are Microsoft Purview sensitivity labels deployed? Sensitivity labels enable Copilot to respect data classification in its responses.
15. Is Data Loss Prevention (DLP) configured for sensitive content types? DLP policies prevent Copilot from including credit card numbers, SSNs, or other PII in responses.
16. Are Teams channels and chats governed? Copilot can access Teams messages the user has access to, including channels with broad membership.
17. Is there a data retention policy in place? Stale data from 5+ years ago should not be surfacing in Copilot responses if it is no longer relevant.
18. Are file shares migrated to SharePoint with proper permissions? On-premises file shares migrated with inherited permissions often carry permission bloat.
19. Is there a process to review Copilot-surfaced content for accuracy? Copilot can generate plausible but incorrect answers. Users need guidance on verification.
20. Are Power BI datasets governed with row-level security? Power BI Copilot will respect RLS, but only if it is configured.
21. Is Microsoft Graph API access audited? Third-party apps with Graph API permissions can access the same data Copilot uses.
22. Are sensitivity labels auto-applied to high-risk content? Auto-labeling catches sensitive documents that users forget to classify manually.

Category 3: Compliance and Regulatory (8 Questions)

For organizations in regulated industries, Copilot compliance is non-negotiable.

23. Does your Copilot deployment meet data residency requirements? Copilot processes data in the region of your Microsoft 365 tenant, but verify this against your specific regulatory requirements.
24. Is there an AI acceptable use policy? Employees need clear guidance on what they can and cannot ask Copilot, especially regarding customer data.
25. Are Copilot interactions logged for audit purposes? Microsoft Purview Audit logs Copilot interactions, but it must be enabled and retained per your compliance requirements.
26. Is there a process for responding to Copilot-related data incidents? If Copilot surfaces data it should not, there must be an incident response procedure.
27. Are legal hold and eDiscovery processes updated for Copilot? Copilot interactions are discoverable and may be subject to legal hold.
28. Is there board-level awareness of AI risk? Boards increasingly require disclosure of AI deployments and associated risks.
29. Are vendor AI agreements reviewed? Microsoft's data processing terms for Copilot should be reviewed by legal counsel.
30. Is there a process for AI impact assessments? Regulated industries may require formal impact assessments before deploying AI that processes PII or PHI.

Category 4: Infrastructure and Technical (7 Questions)

31. Are Microsoft 365 licenses at E3 or E5? Copilot for Microsoft 365 requires E3/E5, Business Standard, or Business Premium as a prerequisite.
32. Is the Microsoft 365 tenant on the latest update channel? Copilot features require Current Channel or Monthly Enterprise Channel for Office apps.
33. Is network bandwidth sufficient for Copilot traffic? Copilot adds API traffic to Microsoft 365 services. Large-scale deployments should validate network capacity.
34. Are Microsoft 365 Apps (desktop) deployed and current? Copilot requires Microsoft 365 Apps (not Office 2019/2021) on supported versions.
35. Is the Microsoft 365 admin center Copilot dashboard configured? The dashboard provides adoption metrics, query volume, and user satisfaction data.
36. Are semantic index settings reviewed? The semantic index powers Copilot's understanding of your organizational data. Verify it is indexing the right content.
37. Is Microsoft Teams on the new client? Copilot in Teams requires the new Teams client (Teams 2.1+), not the classic client.

Category 5: Change Management and Adoption (10 Questions)

Technology readiness without organizational readiness produces expensive shelfware.

38. Is there executive sponsorship for the Copilot deployment? A named C-level sponsor who uses Copilot publicly accelerates adoption.
39. Are department-specific use cases documented? “Use Copilot” is not a use case. “Use Copilot to draft client proposals from previous SOWs” is.
40. Is there a Copilot champion network? 1 champion per 50-100 users, trained ahead of rollout, providing peer support.
41. Are role-specific prompt libraries created? Pre-written prompts for sales, HR, finance, legal, and engineering dramatically accelerate time-to-value.
42. Is there a training plan by role? Executives need 30-minute sessions. Power users need 2-hour workshops. IT admins need governance training.
43. Are success metrics defined before deployment? Time saved per user, meeting summary adoption, email draft acceptance rate, and help desk ticket reduction.
44. Is there a feedback mechanism for Copilot issues? A Teams channel or form where users report inaccurate or inappropriate Copilot responses.
45. Is there a communication plan? Users should know what Copilot is, what it can access, what it cannot do, and where to get help.
46. Are there guidelines for Copilot use with customer data? Employees need clear rules about using Copilot to draft customer-facing communications.
47. Is there a plan to measure and communicate ROI? Monthly adoption reports showing time saved, productivity gains, and user satisfaction justify continued investment.

How EPC Group Runs the Assessment

This self-assessment checklist gives you a directional score. EPC Group's formal Copilot Readiness Assessment ($15,000 fixed fee) validates each item with technical evidence:

• Automated scanning of Entra ID groups, SharePoint permissions, and sharing links using PowerShell and Graph API.
• Purview configuration audit verifying sensitivity labels, DLP policies, and retention policies are properly deployed.
• Simulated Copilot queries testing whether sensitive data surfaces for users who should not see it.
• Compliance mapping against HIPAA, SOC 2, GDPR, or FedRAMP requirements specific to your industry.
• Scored report with red/yellow/green status per item and a prioritized 30-60-90 day remediation roadmap.

Our vCAIO engagement includes ongoing readiness monitoring as your tenant evolves, ensuring Copilot governance keeps pace with organizational changes.

Frequently Asked Questions