Sensitivity Labels and Copilot: Why Enforcement Matters More Than Configuration
85% of organizations have sensitivity labels configured. Fewer than 15% have them enforced. That gap is where Copilot data exposure happens.
85% of organizations have sensitivity labels configured. Fewer than 15% have them enforced. That gap is where Copilot data exposure happens. A label that users can ignore — or that does not cover legacy content — provides zero protection. Only labels backed by Azure Rights Management encryption restrict Copilot from including content in its output.
Key Facts
- Configuration means labels exist and are published. Enforcement means users must apply them and legacy content is retroactively covered.
- Only encryption-backed sensitivity labels restrict Copilot access. Labels with content marking only (headers, footers, watermarks) do not restrict Copilot.
- Target label adoption rate before Copilot goes live: 80%+ of sensitive content covered by enforced labels.
- Auto-labeling has two modes: client-side (applies during document creation) and service-side (scans existing content at rest).
- Label downgrade prevention stops users from reducing a label's protection without a justification recorded in the audit log.
The Enforcement Gap That Exposes Your Data to Copilot
Quick Answer: Sensitivity labels protect data from Copilot only when they are applied to documents. They are not protected just by being configured in the Microsoft Purview portal.
Many organizations complete label configuration. This includes:
- Creating the taxonomy
- Defining protection actions
- Publishing to users
Many organizations believe their data is secure. However, in the average enterprise tenant, fewer than 15% of documents have sensitivity labels applied. This indicates that 85% of documents do not have protection from label-based policies.
As a result:
- Copilot can access unprotected documents.
- Any user with the right permissions can view these documents.
To close the enforcement gap, organizations should implement:
- Auto-labeling
- Mandatory labeling policies
- Downgrade prevention
- Retroactive labeling of legacy content
Microsoft's documentation sees sensitivity label deployment as a straightforward configuration task. This involves:
- Creating labels
- Defining protection actions
- Publishing to users
- Enabling auto-labeling
However, the documentation does not stress that configuration is only the beginning of the process.
The true measure of label effectiveness is enforcement. This refers to the percentage of content in your tenant that has labels applied and protection policies that actively control access.
Before Copilot, the enforcement gap created a compliance risk. Now, with Copilot, it introduces a data exposure risk. Copilot queries include:
- All documents
- Emails
- Teams messages that a user can access
If 85% of your content lacks a sensitivity label, then:
- 85% of your content has no label-based protection.
- This increases the risk of Copilot revealing sensitive information in responses.
- It also affects summaries and generated documents.
EPC Group has audited sensitivity label deployment in 700+ Microsoft 365 tenants. The pattern is consistent: label configuration is complete, but label enforcement is minimal. This guide explains why the gap exists, what Copilot does with labeled vs. unlabeled content, and how to close the enforcement gap before deploying Copilot. If you need a comprehensive assessment, start with EPC Group's 47-Point Copilot & M365 Security Review.
Labels Configured vs. Labels Enforced
It is important to understand the difference between configuration and enforcement when deploying sensitivity labels. Microsoft's admin portal can make these concepts unclear. A green checkmark next to “Sensitivity Labels” in the Purview compliance portal indicates that labels are configured and published. However, this does not mean they are applied to content.
Configuration (What Most Organizations Complete)
- Label taxonomy created (Public, Internal, Confidential, Highly Confidential)
- Protection actions defined (encryption, watermarks, headers/footers)
- Labels published to users via label policies
- Auto-labeling rules defined in the portal
- Admin documentation completed
Enforcement (What Most Organizations Skip)
- Auto-labeling policies deployed and actively scanning content
- Mandatory labeling enabled — users cannot save without a label
- Legacy content retroactively labeled via bulk operations
- Label adoption measured and tracked (target: 80%+)
- Downgrade prevention policies enforced
The Numbers: EPC Group has conducted over 700 tenant audits. The average enforcement rate for sensitivity labels is 12%. This means that 88% of content in a typical enterprise tenant lacks a sensitivity label.
For organizations that use auto-labeling, the enforcement rate rises to 35-45%. Despite this, much content is still unprotected.
To achieve an enforcement rate of over 80%, organizations need to implement:
- Mandatory labeling policies
- Retroactive labeling campaigns
What Copilot Does with Labeled Content
Copilot works with sensitivity labels according to the protection actions assigned to each label. Understanding this interaction is crucial. This knowledge allows you to evaluate whether your current label deployment effectively protects content from exposure caused by Copilot.
Labeled + Encrypted
Copilot cannot access content encrypted with sensitivity label-based encryption unless the querying user has the decryption rights defined in the label policy. This is the strongest protection. If a document is labeled "Highly Confidential" with encryption restricting access to the Legal department, Copilot will not surface this content to users outside Legal — even if the underlying SharePoint permissions would allow access.
Labeled + Access Restricted (No Encryption)
Labels with access restrictions but without encryption provide partial protection. Copilot respects DLP policies tied to labels, but without encryption, the content is still accessible to users with underlying permissions. A label that says "Confidential — Do Not Share" without encryption is an advisory — Copilot may still surface it.
Labeled + Content Marking Only
Labels that only apply headers, footers, or watermarks provide zero protection from Copilot. These are visual indicators for human readers. Copilot ignores content markings entirely. A watermark reading "CONFIDENTIAL" on a Word document does not prevent Copilot from including that document in search results or generated content.
Unlabeled Content
Content with no sensitivity label has no label-based protection. Copilot treats it the same as Public content — accessible to any user with underlying permissions. This is the 85% of content in most tenants: financial records, HR documents, legal contracts, strategic plans — all searchable by Copilot with no sensitivity classification.
Key Takeaway: Only labels that include encryption offer reliable protection for Copilot. Labels with access restrictions, but no encryption, provide partial DLP-based protection. Labels that only mark content do not protect against Copilot at all. Unlabeled content is completely unprotected.
If your label taxonomy does not include encryption for Confidential and Highly Confidential labels, your labels are not effectively protecting content from Copilot.
The Enforcement Gap: Why It Exists and Why It Matters
The enforcement gap is not caused by a technology failure; it is an operational failure. The technology is effective and includes features like:
- Labels
- Encryption
- Auto-labeling
- Mandatory labeling
These features work as intended. However, the gap occurs because most organizations focus only on configuration and do not fully implement enforcement.
Legacy Content Problem
Organizations with 5-15 years of SharePoint and OneDrive content have millions of documents that predate sensitivity label deployment. These documents were created, shared, and stored without any classification system. Auto-labeling can address some of this retroactively, but most auto-labeling deployments are limited in scope (covering only specific sensitive information types) and capacity (processing limits on bulk operations).
User Adoption Failure
Without mandatory labeling policies, label application depends on user behavior. Users are not trained on when to apply labels, do not understand the label taxonomy, or skip labeling because it adds friction to their workflow. The result: new documents are created daily without labels, expanding the enforcement gap even as auto-labeling addresses legacy content.
Auto-Labeling Scope Limitations
Auto-labeling policies rely on sensitive information type detection — pattern matching for Social Security numbers, credit card numbers, medical terms, and similar identifiable data. But much sensitive content does not contain detectable patterns: strategic plans, competitive analyses, merger discussions, internal investigations. These documents require manual labeling or custom trainable classifiers, which most organizations have not deployed.
No Measurement or Accountability
Most organizations do not track label enforcement metrics. They know labels are configured but have no dashboard showing what percentage of content is labeled, what percentage is unlabeled, or how the enforcement rate is trending over time. Without measurement, there is no accountability and no improvement. The enforcement gap persists indefinitely.
Auto-Labeling for Copilot Protection
Auto-labeling is the most effective mechanism for closing the enforcement gap at scale. It operates in two modes, and both are essential for comprehensive Copilot protection.
Client-Side Auto-Labeling
Operates within Office applications (Word, Excel, PowerPoint, Outlook). Detects sensitive information types as users create or edit content and either recommends or automatically applies a sensitivity label.
- Protects new content at creation time
- Real-time detection and labeling
- User-visible (builds awareness)
- Does not address legacy content
- Users can dismiss recommendations
Service-Side Auto-Labeling
Our services operate at the level of SharePoint, OneDrive, and Exchange. We scan both content at rest, which includes existing documents, and content in transit, such as new uploads.
We apply labels based on the detection of sensitive information types.
- Addresses legacy content retroactively
- Operates automatically (no user action)
- Covers SharePoint, OneDrive, Exchange
- Limited to detectable SITs (pattern-based)
- Processing time for large volumes
EPC Group Recommendation: We recommend using both client-side and service-side auto-labeling together. Client-side auto-labeling stops new unlabeled content from being created. Service-side auto-labeling helps manage the existing content backlog.
Begin with high-confidence sensitive information types, such as:
- Exact data match for employee IDs
- Account numbers
- Medical record numbers
After validating accuracy, expand to medium-confidence patterns. The goal is to achieve 80%+ label coverage within 90 days of deployment.
Label Priority and Downgrade Prevention
Labels can still be compromised if users can downgrade or remove them. To maintain label effectiveness, two key mechanisms are in place:
- Label priority ordering
- Downgrade prevention
These mechanisms help ensure that labels stay effective over time.
Label Priority Order (Highest to Lowest)
Downgrade Prevention Settings
Configure your label policy to prevent users from lowering label protection. This step is vital for Copilot environments. A single label downgrade can allow a document to be accessed by all Copilot queries within the organization.
- Require justification for label downgrade: Users must provide a business reason when changing from a higher to a lower sensitivity level. Justifications are logged and auditable.
- Require justification for label removal: Users must explain why they are removing a label entirely. This prevents accidental or intentional removal of protection.
- Block downgrade of Highly Confidential: The most sensitive content cannot be relabeled without administrator approval, preventing users from circumventing protection on the most critical documents.
- Audit all label changes: Every label application, change, and removal is logged in Purview Activity Explorer, providing a compliance trail for label governance.
Testing Label Effectiveness for Copilot
Deploying labels without testing their effectiveness against Copilot is unwise. It is similar to installing a firewall without verifying its rules.
You need to confirm that labels work as intended when Copilot searches for content across your tenant.
Create Controlled Test Content
Build test documents at each sensitivity level containing identifiable content (not real data). Place them in a controlled SharePoint site with defined permissions.
Apply Labels with Known Protection Actions
Apply each sensitivity label to the test documents. Verify encryption is active on Confidential and Highly Confidential documents. Confirm DLP policies are associated with each label level.
Test as Authorized User
Sign in as a user who has access to all sensitivity levels. Query Copilot with prompts designed to surface test content. Verify that labeled and encrypted content is accessible (confirming labels do not over-block authorized access).
Test as Unauthorized User
Sign in as a user who should NOT have access to Highly Confidential content. Query Copilot with the same prompts. Verify that encrypted Highly Confidential content is NOT surfaced. This confirms label-based encryption is functioning.
Test Unlabeled Content Exposure
Create identical test documents without labels. Verify that Copilot CAN access them for all users with underlying permissions. This proves that labels are the differentiator — not permissions alone.
Document and Remediate
Record test results in a matrix. Any failure (Copilot surfacing restricted content to unauthorized users, or blocking authorized users from accessible content) indicates a label configuration or enforcement issue that must be resolved before Copilot deployment.
Frequently Asked Questions
Do sensitivity labels protect data from Copilot?
Sensitivity labels protect data from Copilot only when they are enforced — meaning actually applied to documents, not just configured in the Microsoft Purview portal. A configured label that has not been applied to a document provides zero protection. Copilot accesses content based on user permissions and treats unlabeled content as general-access material. If a document containing financial forecasts, HR records, or legal strategies has no sensitivity label applied, Copilot will surface it to any user who has permission to the SharePoint site, OneDrive folder, or Teams channel where it resides. The critical distinction: configuration creates the label taxonomy and defines protection actions (encryption, access restrictions, watermarks). Enforcement means labels are actually applied to content — either manually by users, automatically by auto-labeling policies, or mandatorily through labeling requirements.
What is the difference between configuring and enforcing sensitivity labels?
Configuration is the administrative act of creating sensitivity labels in the Microsoft Purview portal: defining the label hierarchy (Public, Internal, Confidential, Highly Confidential), assigning protection actions to each label (encryption, content marking, access restrictions), and publishing labels to users through label policies. This is a one-time setup that takes 1-2 days. Enforcement is the operational reality of labels being applied to actual content across your tenant. Enforcement requires: auto-labeling policies that scan existing and new content for sensitive information types, mandatory labeling policies that prevent users from saving documents without a label, default labels that automatically apply a baseline classification, and retroactive labeling campaigns for legacy content. In most organizations, configuration is 100% complete but enforcement covers fewer than 15% of documents.
How do I measure sensitivity label adoption in my tenant?
Microsoft Purview provides sensitivity label analytics through the Purview compliance portal under Data Classification > Overview. Key metrics to track: total documents labeled vs. total documents in tenant (your enforcement percentage), label distribution (how many documents at each sensitivity level), auto-label vs. manual label ratio (indicates whether users are actually applying labels or relying on automation), unlabeled document count by location (SharePoint sites, OneDrive accounts, Exchange mailboxes), and label changes over time (trend showing whether adoption is increasing or stagnating). You can also use Microsoft Graph API reports to extract label analytics programmatically. EPC Group considers 80% label coverage the minimum threshold for Copilot deployment — most organizations are below 15% when they first engage us.
What happens when Copilot accesses unlabeled content?
When Copilot accesses unlabeled content, it treats the content as accessible to anyone with the underlying permissions — no encryption, no access restriction, no DLP policy enforcement based on sensitivity. Copilot will include unlabeled content in search results, summaries, and generated responses without any sensitivity classification. This means a Copilot-generated executive summary could combine data from a labeled Confidential document (which has encryption and access controls) with data from unlabeled documents containing equally sensitive information (which have no protection). The resulting output inherits no label from the unlabeled sources, creating a document that contains sensitive data with no classification or protection. This is the fundamental enforcement gap: labels only protect content they are applied to.
How does auto-labeling work for Copilot protection?
Auto-labeling uses Microsoft Purview sensitive information types (SITs) to automatically detect and classify content. There are two modes: client-side auto-labeling recommends or automatically applies labels in Office apps as users create or edit documents. Service-side auto-labeling scans content at rest in SharePoint, OneDrive, and Exchange, applying labels to existing documents that match configured rules. For Copilot protection, service-side auto-labeling is critical because it addresses the legacy content problem — millions of documents created before labels existed. Configure auto-labeling rules for sensitive information types relevant to your organization: Social Security numbers, credit card numbers, medical record numbers, financial account numbers, and custom SITs for proprietary data. EPC Group recommends starting with high-confidence SITs (exact match) and expanding to medium-confidence patterns after validating accuracy.
Can users downgrade sensitivity labels on documents?
By default, Microsoft Purview allows users to change or remove sensitivity labels on documents they own or have edit permissions for. This creates a significant Copilot risk: a user could downgrade a Highly Confidential document to Internal or Public, removing encryption and access restrictions, making the content broadly accessible to Copilot queries across the organization. Label downgrade prevention is configured in label policies: require justification for label changes (users must provide a reason for downgrading), require justification for label removal, and optionally block label downgrade entirely. EPC Group recommends requiring justification for all downgrades and blocking removal of Highly Confidential labels without admin approval. The justification log is auditable through Purview Activity Explorer, providing a compliance trail for label changes.
How do I test whether sensitivity labels are actually protecting content from Copilot?
Testing label effectiveness for Copilot requires a systematic approach: 1) Create test documents at each sensitivity level in a controlled SharePoint site. 2) Apply sensitivity labels with known protection actions (encryption, access restrictions). 3) Sign in as a user who should NOT have access to Highly Confidential content. 4) Query Copilot with prompts designed to surface the test documents ("summarize the financial forecast" or "what are the Q4 projections"). 5) Verify that Copilot respects the label-based restrictions — Highly Confidential documents should not appear in results for users without appropriate clearance. 6) Test with unlabeled documents containing similar content to confirm Copilot CAN access them (proving labels are the differentiator). 7) Document results in a test matrix. EPC Group performs this testing as part of every 47-Point Assessment, using controlled test data to validate that labels are functioning as expected.
Close the Enforcement Gap Before Deploying Copilot
EPC Group offers Copilot and M365 Tenant Security Reviews for businesses across all sectors. We have secured over 700 tenants and have 29 years of experience with Microsoft.
Our goal is to identify what Copilot can access that it should not.
Our 47-Point Assessment measures your actual label enforcement rate — not just configuration status — and provides a prioritized remediation roadmap to achieve 80%+ coverage before Copilot deployment.
Sensitivity Labels and Copilot: Why Enforcement Matters More Than Configuration
85% of organizations have sensitivity labels set up. However, fewer than 15% have these labels enforced. This gap leads to data exposure with Copilot.
Labels that users can ignore, or those that do not cover legacy content, offer no protection. Only labels supported by Azure Rights Management encryption can prevent Copilot from including content in its output.
Key facts
- Configuration means labels exist and are published. Enforcement means users must apply them and legacy content is retroactively covered.
- Only encryption-backed sensitivity labels restrict Copilot access. Labels with content marking only (headers, footers, watermarks) do not restrict Copilot.
- Target label adoption rate before Copilot goes live: 80%+ of sensitive content covered by enforced labels.
- Auto-labeling has two modes: client-side (applies during document creation) and service-side (scans existing content at rest).
- Label downgrade prevention stops users from reducing a label's protection without a justification recorded in the audit log.
Configuration vs Enforcement: The Critical Difference
Configuration (What Most Organizations Have Completed)
- Label taxonomy created (Public, Internal, Confidential, Highly Confidential)
- Protection actions defined (encryption, watermarks, headers/footers)
- Labels published to users via label policies
- Auto-labeling rules defined in the Purview portal
- Admin documentation completed
Enforcement (What Most Organizations Have Not Done)
- Auto-labeling policies deployed and actively scanning content
- Mandatory labeling enabled — users cannot save without selecting a label
- Legacy content retroactively labeled via bulk auto-labeling operations
- Label adoption rate measured and tracked (target: 80%+)
- Downgrade prevention policies enforced with justification required
What Copilot Does with Labeled Content
Label protection level determines whether Copilot can access content. Only encryption blocks Copilot. Everything else is advisory.
Labeled with Encryption (Azure Rights Management)
Copilot can access content only if the user has decryption rights. If the user lacks these rights, the content will not be included in Copilot's response. This is the only label type that restricts Copilot.
Labeled with Access Restrictions but No Encryption
Copilot can access and include this content in responses. The label restricts manual actions (downloading, printing, forwarding) but does not block Copilot queries.
Labeled with Content Marking Only
Headers, footers, and watermarks are visual indicators only. Copilot ignores them entirely. The label does not restrict data access in any way.
Unlabeled Content
Copilot treats unlabeled content the same as content labeled "Public." It is fully accessible and includable in any response.
The Enforcement Gap: Why It Exists
Legacy Content Problem
Many organizations have documents that were created before any labeling policy was in place. Auto-labeling only applies to new content published to users. As a result, legacy content remains unlabeled and fully accessible to Copilot.
User Adoption Failure
Users can dismiss or ignore label prompts if mandatory labeling is not enforced. In most tenants, applying labels is optional.
Copilot searches through content, even if users have not labeled it.
Auto-Labeling Scope Limitations
Client-side auto-labeling happens when documents are created. Users must have a current Office client to use this feature. On the other hand, service-side auto-labeling works in the background. Most organizations enable it only for Exchange. They often do not enable it for SharePoint and OneDrive, where many sensitive files are stored.
No Measurement or Accountability
Without tracking label adoption rates in Purview, organizations do not know how much of their sensitive content is unlabeled. The gap grows silently until Copilot surfaces it.
Auto-Labeling for Copilot Protection
Client-Side Auto-Labeling
Applies labels automatically when users create or edit documents in Office applications. The label is suggested or applied based on content detection rules. Best for new content going forward.
- Configure rules in Microsoft Purview: Information Protection → Auto-labeling policies.
- Define sensitive information types (SSN, credit card, MRN, ICD codes, financial terms).
- Set action: recommend label (user sees prompt) or apply label automatically.
- Scope to specific SharePoint sites, OneDrive accounts, or all locations.
Service-Side Auto-Labeling
Scans existing content at rest across SharePoint, OneDrive, and Exchange. Applies labels retroactively to legacy content. This is the mechanism that closes the legacy content gap for Copilot.
- Run a simulation first — service-side auto-labeling shows what would be labeled before committing.
- Review simulation results in Purview before activating enforcement mode.
- Prioritize SharePoint sites with the highest concentration of sensitive content.
- Monitor labeling progress daily — large SharePoint environments can take weeks to scan fully.
Label Priority and Downgrade Prevention
Label Priority Order (Highest to Lowest)
- Highly Confidential — All Employees (encryption + access restricted to all employees)
- Highly Confidential — Specific People (encryption + access restricted to named individuals)
- Confidential — All Employees
- Confidential — Specific People
- Internal
- Public
Downgrade Prevention Settings
- Require users to provide a business justification when reducing a label's protection level.
- Log all downgrade actions to the Purview audit log.
- Alert compliance teams when Highly Confidential content is downgraded to Internal or Public.
Testing Label Effectiveness for Copilot
Six-Step Testing Process
- Step 1: Create controlled test documents with known sensitive content (synthetic SSNs, test MRNs).
- Step 2: Apply labels with known protection actions — encryption for one set, content marking only for another.
- Step 3: Test as an authorized user — confirm Copilot returns encrypted-label content correctly.
- Step 4: Test as an unauthorized user — confirm Copilot excludes encrypted-label content from responses.
- Step 5: Test unlabeled content — confirm Copilot returns it freely (as expected — this validates the gap you need to close).
- Step 6: Document findings and remediate: apply labels to any content that should restrict Copilot but currently does not.
Frequently Asked Questions
Do sensitivity labels protect data from Copilot?
Only labels supported by Azure Rights Management encryption can restrict Copilot access. Labels that only mark content, such as headers, footers, or watermarks, do not block Copilot.
A label that is configured but not enforced, or one that does not cover legacy content, offers no protection.
What is the difference between configuring and enforcing sensitivity labels?
Configuration involves creating labels and making them available to users. Enforcement requires users to apply these labels, a process known as mandatory labeling. Auto-labeling assists in managing legacy content, and organizations frequently measure and track adoption rates. However, many organizations primarily focus on configuration.
How do I measure sensitivity label adoption in my tenant?
In Microsoft Purview, go to Information Protection and select Label activity. This section shows the number of labeled and unlabeled files by location.
You can also use Content Explorer to see labeled content. This feature allows you to filter by location and label type.
The goal is to cover 80% or more of sensitive content before Copilot launches.
What happens when Copilot accesses unlabeled content?
Copilot treats unlabeled content as Public, which makes it fully accessible. This content is included in responses without restrictions. As a result, there is a notable legacy content gap.
Years of sensitive unlabeled documents are available to any user with a Copilot license.
How do I test whether sensitivity labels are actually protecting content from Copilot?
Create test documents that contain known synthetic sensitive data. Apply labels that have different protection levels. Then, test Copilot queries as both authorized and unauthorized users.
Encryption-backed labels should block unauthorized access. However, content-marking labels will not.
Close the Enforcement Gap Before Deploying Copilot
EPC Group measures label adoption, deploys auto-labeling, and validates protection effectiveness before any Copilot license is assigned. Call (888) 381-9725 or schedule a sensitivity label enforcement review.