Last updated June 12, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Copilot Readiness Score
Is Your Microsoft 365 Tenant Copilot-Ready?
Ten yes/no/maybe questions across four dimensions: data governance, identity hygiene, permissions and oversharing, and adoption/operations. Output: a tenant readiness tier, dimension-level breakdown, and a recommended program timeline. Built from EPC Group's 100+ enterprise Copilot deployments. Five minutes.
- 1. Data Governance
  Microsoft Purview sensitivity labels are deployed and applied to documents and emails across the tenant.
  Copilot inherits labels — unlabeled regulated content becomes a Copilot grounding risk.
- 2. Data Governance
  Purview DLP policies actively block inappropriate sharing of PHI / PII / financial data / regulated content.
  DLP is what stops Copilot from surfacing or generating regulated content to the wrong users.
- 3. Data Governance
  You have completed a SharePoint and OneDrive oversharing audit in the past 12 months and remediated tenant-wide "Everyone except external" permissions.
  Copilot surfaces what it sees. Tenant-wide shares = tenant-wide Copilot exposure.
- 4. Identity Hygiene
  Phishing-resistant MFA (FIDO2 / Windows Hello for Business / passkeys) is enforced for all users with a Copilot license — not just SMS or Authenticator push.
  Copilot agent identity sprawl makes phishing-resistant MFA non-negotiable.
- 5. Identity Hygiene
  Entra ID Conditional Access policies cover Copilot endpoints (Microsoft 365 Copilot, Copilot Studio, agent identity service principals).
  Without Conditional Access, Copilot is reachable from any device and any network.
- 6. Permissions & Oversharing
  There are zero remaining "Everyone in the organization" sharing links on SharePoint sites containing HR, finance, legal, or M&A content.
  This is the single most common Copilot incident pattern.
- 7. Permissions & Oversharing
  Every site with regulated content has at least one sensitivity label (Confidential, Highly Confidential, or industry-specific) applied at the site level.
  Site-level labels propagate to all content and shape Copilot grounding scope.
- 8. Permissions & Oversharing
  SharePoint Restricted Access Control or Restricted Content Discovery is configured for sites containing the most sensitive data so Copilot cannot index those sites.
  RAC and RCD are the Copilot scope-limit controls Microsoft added in 2024 specifically for this risk.
- 9. Adoption & Operations
  There is a named single accountable owner (CAIO / CIO / CISO designate) for Copilot governance with budget authority and a decision charter.
  Diffused ownership = no owner = no governance.
- 10. Adoption & Operations
  Audit log retention is configured for 6+ years (HIPAA / FINRA / SEC 17a-4 / GxP / FedRAMP minimum) and Copilot interactions are captured in Purview Audit Premium.
  Without long-term audit, regulators cannot reconstruct what Copilot did.
What the score actually measures
Most Microsoft Copilot incidents are governance incidents — they look like AI incidents because Copilot surfaces the data. The actual root causes are well-understood: an unremediated SharePoint share, a missing sensitivity label, a Conditional Access gap, a service-principal grant that nobody owns. The scorecard measures the four foundations that prevent these incidents.
Data Governance (3 questions, 12 points)
Microsoft Purview sensitivity labels deployed and applied. Purview DLP actively blocking inappropriate sharing. SharePoint and OneDrive oversharing audit completed in the past 12 months with remediation. See the Purview checklist playbook.
Identity Hygiene (2 questions, 8 points)
Phishing-resistant MFA enforced (FIDO2 / Windows Hello / passkeys) — not just SMS or push. Entra ID Conditional Access covering Copilot endpoints, Copilot Studio, agent service principals.
Permissions & Oversharing (3 questions, 12 points)
Zero remaining "Everyone in the organization" shares on HR / finance / legal / M&A SharePoint sites. Site-level sensitivity labels on every site with regulated content. SharePoint Restricted Access Control or Restricted Content Discovery configured for the most sensitive sites so Copilot cannot index them.
Adoption & Operations (2 questions, 8 points)
Named single accountable owner (CAIO / CIO / CISO designate) with budget authority and decision charter. Audit log retention configured for 6+ years (regulatory minimum) with Copilot interactions captured in Purview Audit Premium.
Tier interpretation
- Production-Ready (36-40): Deploy now. Quarterly governance reviews.
- Conditionally Ready (28-35): 90-day Copilot Readiness Remediation. Pilot low-risk cohorts during remediation.
- Foundation Needed (18-27): 180-day Copilot Readiness Program. Do not roll out broadly until foundations are in place.
- Not Ready (0-17): 6-12 month foundational program. Halt Copilot procurement until governance foundations exist.
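The Permissions & Oversharing checks above and the tier table are easy to work through in code, so here is an added example (not EPC Group's scorecard or tooling) that derives the answers to questions 6, 7 and 8 from a site inventory and then computes the dimension breakdown, total and tier. It assumes a site inventory exported from the tenant (a constructed sample is embedded), treats every regulated-category site as in scope for Restricted Access Control / Restricted Content Discovery (the page says "most sensitive", which is narrower), and assigns 4 points per "yes", 2 per "maybe" and 0 per "no" (the page gives 4 points per question but not the partial-credit value). Everything else, including the `Site` class, the `contoso` URLs and the manual answers, is constructed for illustration.

```python
"""Copilot readiness scorecard, worked through in code.

Added example, not EPC Group's scorecard or tooling. Assumptions:
  - a site inventory exported from the tenant (constructed sample below);
  - every regulated-category site is in scope for RAC / RCD (the page says
    "most sensitive"; this is a simplification);
  - 4 points per "yes", 2 per "maybe", 0 per "no" (the "maybe" weight is
    not stated on the page).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Site:
    url: str
    categories: Set[str]        # content categories; empty set for general content
    site_label: Optional[str]   # site-level sensitivity label, None if unlabeled
    everyone_links: int         # live "Everyone in the organization" sharing links
    restricted: bool            # Restricted Access Control or Restricted Content Discovery on


# Categories the page names for question 6 (HR, finance, legal, M&A).
REGULATED = {"hr", "finance", "legal", "m&a"}

# Constructed sample inventory; not real tenant data.
INVENTORY: List[Site] = [
    Site("https://contoso.sharepoint.com/sites/hr", {"hr"}, "Highly Confidential", 0, True),
    Site("https://contoso.sharepoint.com/sites/ma-deals", {"m&a", "legal"}, None, 3, False),
    Site("https://contoso.sharepoint.com/sites/finance", {"finance"}, "Confidential", 1, False),
    Site("https://contoso.sharepoint.com/sites/intranet", set(), None, 12, False),
]

DIMENSIONS: Dict[str, List[int]] = {
    "Data Governance": [1, 2, 3],
    "Identity Hygiene": [4, 5],
    "Permissions & Oversharing": [6, 7, 8],
    "Adoption & Operations": [9, 10],
}
POINTS = {"yes": 4, "maybe": 2, "no": 0}   # "maybe" weight is an assumption
TIERS: List[Tuple[int, str]] = [            # (floor, tier) from the page's tier interpretation
    (36, "Production-Ready"),
    (28, "Conditionally Ready"),
    (18, "Foundation Needed"),
    (0, "Not Ready"),
]

# Questions that still need a human answer (process and identity questions); constructed sample.
MANUAL_ANSWERS = {1: "yes", 2: "maybe", 3: "yes", 4: "yes", 5: "yes", 9: "no", 10: "maybe"}


def permissions_findings(inventory: List[Site]) -> Dict[str, List[str]]:
    """Evidence for questions 6-8 from the inventory, plus tenant-wide link count for question 3."""
    regulated = [s for s in inventory if s.categories & REGULATED]
    return {
        "q6_everyone_links": [s.url for s in regulated if s.everyone_links > 0],
        "q7_missing_site_label": [s.url for s in regulated if s.site_label is None],
        "q8_not_restricted": [s.url for s in regulated if not s.restricted],
        # Question 3 is tenant-wide: every site counts, not only regulated ones.
        "tenant_wide_everyone_links": [s.url for s in inventory if s.everyone_links > 0],
    }


def answers_from_findings(findings: Dict[str, List[str]]) -> Dict[int, str]:
    """Questions 6-8 are 'yes' only when the corresponding finding list is empty."""
    return {
        6: "yes" if not findings["q6_everyone_links"] else "no",
        7: "yes" if not findings["q7_missing_site_label"] else "no",
        8: "yes" if not findings["q8_not_restricted"] else "no",
    }


def score(answers: Dict[int, str]) -> Tuple[int, str, Dict[str, int]]:
    """Total, tier and per-dimension breakdown for a full set of ten answers."""
    missing = set(range(1, 11)) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    breakdown = {dim: sum(POINTS[answers[q]] for q in qs) for dim, qs in DIMENSIONS.items()}
    total = sum(breakdown.values())
    tier = next(name for floor, name in TIERS if total >= floor)
    return total, tier, breakdown


def assess(inventory: List[Site], manual: Dict[int, str]) -> dict:
    """Combine inventory-derived answers with manual ones and score the tenant."""
    findings = permissions_findings(inventory)
    answers = {**manual, **answers_from_findings(findings)}
    total, tier, breakdown = score(answers)
    return {"total": total, "tier": tier, "breakdown": breakdown, "findings": findings}


if __name__ == "__main__":
    result = assess(INVENTORY, MANUAL_ANSWERS)
    print(f"{result['tier']} ({result['total']}/40)")
    for dim, pts in result["breakdown"].items():
        print(f"  {dim}: {pts}")
    for key, urls in result["findings"].items():
        if urls:
            print(f"  {key}: {', '.join(urls)}")
```

With the sample inventory the tenant scores 20 (Foundation Needed): the intranet site's 12 "Everyone" links do not count against question 6 because that question is scoped to HR / finance / legal / M&A sites, but they do appear in the tenant-wide list that question 3's remediation covers, which is why the two questions are kept separate.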
Where this connects
- Microsoft Copilot Consulting — parent practice.
- AI ROI Assessment — 30-day productized economic assessment.
- Microsoft Purview Consulting — classification + DLP foundation.
- AI Identity Security — non-human identity governance.
- Copilot-Ready Data Governance: The Purview Checklist.
- Microsoft Copilot ROI Measurement Tier System.
- Shadow AI Identity Blind Spot.
- The EPC Group Lifecycle.
Want a senior architect to walk through your score?
30-minute call. Honest read on your tier, the highest-leverage remediation steps, and whether you need a 90 / 180 / 365-day program. No deck.
