Why 80% of Microsoft 365 Tenants Aren't Ready for Copilot

Based on 700+ tenant audits, EPC Group has identified the 5 reasons most organizations fail Copilot readiness — and the 10-question self-assessment to evaluate your own.

The 80% Problem: Data from 700+ Tenant Audits

Quick Answer: Most Microsoft 365 tenants are not ready for Copilot because they were designed for human access patterns, not AI-assisted search. Over 5-15 years of operation, tenants accumulate overshared permissions, unlabeled documents, stale guest accounts, and insufficient DLP policies. These issues were manageable when data discovery required manual browsing. Copilot eliminates that friction, making every permission gap and governance failure instantly exploitable. Based on EPC Group's 700+ tenant audits, 80% of organizations have at least 3 of the 5 critical readiness gaps that create data exposure risk when Copilot is enabled.

EPC Group has audited Microsoft 365 tenants for 29 years — first for SharePoint governance, then for cloud migration readiness, and now for Copilot security. The patterns we see are remarkably consistent across industries, tenant sizes, and geographic regions. The 80% figure is not an estimate — it is derived from actual assessment data across 700+ engagements.

The good news: every readiness gap has a known fix. The bad news: most organizations do not know they have the gaps until after Copilot surfaces sensitive data to the wrong people. This guide presents the 5 most common reasons tenants fail readiness, a 10-question self-assessment checklist, and the path from “not ready” to “Copilot-secure” in 10-12 weeks.

If you want the definitive answer for your specific tenant, start with EPC Group's 47-Point Copilot & M365 Security Review — a 2-week assessment that evaluates 47 specific security checkpoints and delivers a prioritized remediation roadmap.

1. Overshared Permissions

Affects 73% of tenants

The Problem

SharePoint sites and OneDrive folders with overly broad access — "Everyone except external users" permissions, broken inheritance creating permission mazes, and Teams channels with membership far exceeding the audience for the content they contain.

What the Data Shows

Average enterprise tenant: 2,400 SharePoint sites. Average with overshared permissions: 340 sites (14%). Average containing sensitive data with overshared access: 67 sites. That is 67 sites where Copilot can surface sensitive financial, HR, legal, or strategic content to any employee who asks.

How to Fix It

SharePoint permission audit using PowerShell or ShareGate. Remove "Everyone" and "Everyone except external users" from all sites with sensitive content. Review and repair broken inheritance. Right-size Teams channel membership.
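
A way to triage the output of such a permission audit, as an added example that is not EPC Group's tooling. It assumes the audit was exported to CSV with the hypothetical columns shown, one row per permission entry on the site root or on an object with unique permissions; the sample rows and tenant ID are constructed.

```python
import csv
import io
from collections import defaultdict

# SharePoint Online claim login names for the two broad principals.
EVERYONE = "c:0(.s|true"
EEEU_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"  # followed by the tenant id

# Constructed sample export (hypothetical column layout, placeholder tenant id).
# SensitiveItems = sensitive items governed by that object's permission set.
SAMPLE_EXPORT = """SiteUrl,ObjectPath,UniquePermissions,PrincipalLogin,Role,SensitiveItems
https://tenant.example/sites/finance,/,False,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,Read,0
https://tenant.example/sites/finance,/Forecasts,True,i:0#.f|membership|cfo@tenant.example,Full Control,42
https://tenant.example/sites/hr,/,False,i:0#.f|membership|hr-lead@tenant.example,Full Control,10
https://tenant.example/sites/hr,/Shared/Comp,True,c:0(.s|true,Read,7
https://tenant.example/sites/hr,/Shared/Comp,True,i:0#.f|membership|hr-lead@tenant.example,Edit,7
https://tenant.example/sites/intranet,/,False,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,Read,0
https://tenant.example/sites/legal,/,False,i:0#.f|membership|counsel@tenant.example,Full Control,30
"""

def broad_principal(login):
    """Name the broad principal a login represents, or None."""
    login = login.strip().lower()
    if login == EVERYONE:
        return "Everyone"
    if login.startswith(EEEU_PREFIX):
        return "Everyone except external users"
    return None

def audit(export_text):
    """Group entries per securable object, then roll findings up per site."""
    objects = defaultdict(lambda: {"broad": set(), "sensitive": 0, "unique": False})
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = objects[(row["SiteUrl"], row["ObjectPath"])]
        obj["unique"] = row["UniquePermissions"].strip().lower() == "true"
        obj["sensitive"] = int(row["SensitiveItems"])  # same value on every row of an object
        kind = broad_principal(row["PrincipalLogin"])
        if kind:
            obj["broad"].add(kind)

    sites = defaultdict(lambda: {"overshared_objects": [],
                                 "exposed_sensitive_items": 0,
                                 "broken_inheritance": 0})
    for (site, path), obj in objects.items():
        entry = sites[site]
        if obj["unique"] and path != "/":
            entry["broken_inheritance"] += 1
        if obj["broad"]:
            # Only items under a broadly shared object count as exposed; a folder
            # with its own restricted permissions is not exposed by the site root.
            entry["overshared_objects"].append(path)
            entry["exposed_sensitive_items"] += obj["sensitive"]
    return dict(sites)

def summarize(findings):
    """Produce the three counts the audit should be able to report."""
    overshared = sorted(s for s, f in findings.items() if f["overshared_objects"])
    sensitive = sorted(s for s in overshared
                       if findings[s]["exposed_sensitive_items"] > 0)
    return {"sites": len(findings), "overshared": overshared,
            "overshared_sensitive": sensitive}

if __name__ == "__main__":
    print(summarize(audit(SAMPLE_EXPORT)))
```

In the sample, broken inheritance cuts both ways: it shields the finance forecasts from the broadly shared site root, and it is also how the HR compensation folder ended up open to "Everyone".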

2. Sensitivity Labels Not Enforced

Affects 85% of tenants

The Problem

Sensitivity labels are configured in the Purview portal but not applied to actual content. Auto-labeling is either not deployed or limited in scope. Mandatory labeling is not enabled. Legacy content is completely unlabeled.

What the Data Shows

Average label enforcement rate across EPC Group audits: 12%. That means 88% of documents in the typical tenant have no sensitivity label. These documents have no label-based encryption, no label-based DLP protection, and no label-based access restrictions. Copilot treats them all as general-access content.

How to Fix It

Deploy service-side auto-labeling for SharePoint and OneDrive. Enable mandatory labeling to prevent new unlabeled content. Run retroactive labeling campaigns for high-value legacy content. Target: 80%+ label coverage before Copilot deployment.

3. DLP Gaps for Copilot

Affects 68% of tenants

The Problem

Existing DLP policies cover traditional scenarios (email attachments, SharePoint downloads) but do not address Copilot-specific risks: content aggregation from multiple sensitivity levels, Copilot-generated documents inheriting no label, and meeting summaries containing sensitive discussion points.

What the Data Shows

An executive asks Copilot to draft a quarterly review. Copilot pulls financial data (Confidential), HR data (Confidential-HR), and strategy notes (Highly Confidential) into a single Word document. The document has no sensitivity label. The executive shares it in a Teams chat with 15 people, 5 of whom do not have Highly Confidential clearance. Existing DLP policies catch none of this.

How to Fix It

Extend DLP policies to cover Copilot-generated content in all M365 applications. Configure DLP rules that detect cross-classification aggregation. Enable mandatory sensitivity labeling for all new documents to catch Copilot-generated content. Monitor Copilot usage logs for queries spanning multiple sensitivity levels.
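
The usage-log monitoring described above, sketched as an added example that is not EPC Group's or Microsoft's code. The JSON record layout is a simplified, hypothetical one (not the Purview audit schema), the log lines are constructed, and the label ranking is an assumption built from the labels in the scenario.

```python
import json

# Assumed label priority. The three confidential labels come from the scenario
# above; "General" and unlabeled (None) are added for contrast.
LABEL_RANK = {None: 0, "General": 1, "Confidential": 2,
              "Confidential-HR": 2, "Highly Confidential": 3}
SENSITIVE_FLOOR = 2  # rank at or above which a label counts as sensitive

# Constructed sample records, one Copilot interaction per line.
SAMPLE_LOG = """\
{"id":"i-1","user":"exec@tenant.example","app":"Word","sources":[{"url":"/sites/finance/q3.xlsx","label":"Confidential"},{"url":"/sites/hr/headcount.docx","label":"Confidential-HR"},{"url":"/sites/strategy/notes.docx","label":"Highly Confidential"}],"output_label":null}
{"id":"i-2","user":"analyst@tenant.example","app":"Excel","sources":[{"url":"/sites/intranet/holidays.xlsx","label":"General"}],"output_label":"General"}
{"id":"i-3","user":"hr-lead@tenant.example","app":"Word","sources":[{"url":"/sites/hr/a.docx","label":"Confidential-HR"},{"url":"/sites/hr/b.docx","label":"Confidential-HR"}],"output_label":"Confidential-HR"}
{"id":"i-4","user":"pm@tenant.example","app":"Teams","sources":[{"url":"/meetings/board-transcript","label":"Highly Confidential"}],"output_label":null}
"""

def rank(label):
    # Unknown labels fail closed: treat them as the most sensitive rank.
    return LABEL_RANK.get(label, max(LABEL_RANK.values()))

def evaluate(record):
    """Return the findings raised by one interaction record."""
    source_labels = [s.get("label") for s in record["sources"]]
    sensitive = {l for l in source_labels if rank(l) >= SENSITIVE_FLOOR}
    findings = []
    # Content from two or more distinct sensitive labels combined in one answer.
    if len(sensitive) >= 2:
        findings.append("cross_classification")
    # Generated output labeled lower than its most sensitive source
    # (an unlabeled output ranks 0, so it always trips this for sensitive input).
    highest = max((rank(l) for l in source_labels), default=0)
    if highest >= SENSITIVE_FLOOR and rank(record.get("output_label")) < highest:
        findings.append("output_below_source")
    return findings

def detect(log_text):
    """Map interaction id -> findings for every record that raises any."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = evaluate(record)
        if findings:
            flagged[record["id"]] = findings
    return flagged

if __name__ == "__main__":
    for interaction, findings in detect(SAMPLE_LOG).items():
        print(interaction, findings)
```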

4. Identity and Access Issues

Affects 80% of tenants

The Problem

No Conditional Access policies governing Copilot access from unmanaged devices or untrusted locations. No MFA requirement for M365 apps. Stale guest accounts with residual permissions. No device compliance requirements for Copilot-enabled applications.

What the Data Shows

An employee's password is compromised in a phishing attack. Without MFA, the attacker logs into M365 from a personal device in another country. Using Copilot, they query "show me financial forecasts," "summarize executive compensation," and "what are the acquisition targets." In 10 minutes, they extract more sensitive data than a traditional attack would yield in days.

How to Fix It

Deploy the 5 essential Conditional Access policies: compliant device, block unmanaged, MFA, location-based restrictions, and session controls. Clean up stale guest accounts. Implement quarterly access reviews for all external and privileged accounts.

5. Governance Gaps

Affects 75% of tenants

The Problem

No Teams meeting recording policies differentiating sensitive from standard meetings. No Copilot usage monitoring or audit logging. No data classification program for legacy content. No Copilot-specific incident response procedures.

What the Data Shows

A healthcare organization records clinical case conferences in a Teams channel accessible to 200 staff. Board meetings use the same default recording policy as daily standups. When Copilot is enabled, any employee can ask about patient discussions, executive decisions, or legal strategy from meeting transcripts — all discoverable via Copilot with zero additional security controls.

How to Fix It

Create tiered meeting policies (Standard, Sensitive, Highly Sensitive). Deploy Copilot usage monitoring and alerting. Establish a data classification program for legacy content. Develop Copilot-specific incident response procedures including data exposure notification protocols.

10-Question Self-Assessment Checklist

Answer these 10 questions honestly. If you answer “No” or “Don't know” to 3 or more, your tenant is not ready for Copilot. If you answer “No” to 5 or more, deploying Copilot creates significant data exposure risk.

1. Can you report the exact number of SharePoint sites with "Everyone" or "Everyone except external users" access?
   Red flag answer: No / Don't know

2. What percentage of your documents have sensitivity labels applied?
   Red flag answer: Below 50% or unknown

3. Do you have Conditional Access policies requiring compliant devices for all M365 apps?
   Red flag answer: No

4. Do you require MFA for all M365 application access (not just admin accounts)?
   Red flag answer: No

5. Have you audited guest accounts in the last 90 days?
   Red flag answer: No

6. Do you have separate Teams meeting policies for board, legal, and HR meetings?
   Red flag answer: No

7. Are DLP policies configured to cover Copilot-generated content?
   Red flag answer: No / Don't know

8. Can you identify all SharePoint sites with broken permission inheritance?
   Red flag answer: No / Don't know

9. Is auto-labeling deployed for SharePoint and OneDrive (not just Exchange)?
   Red flag answer: No

10. Do you have Copilot usage monitoring and alerting configured?
    Red flag answer: No

Scoring

  • 0-2 red flags: Your tenant has strong governance foundations. A focused Copilot readiness review (1 week) should confirm readiness.
  • 3-5 red flags: Your tenant has gaps that need remediation before Copilot deployment. Estimated timeline: 6-8 weeks of remediation after assessment.
  • 6-8 red flags: Your tenant has significant readiness gaps. Copilot deployment without remediation will create data exposure incidents. Estimated timeline: 10-12 weeks.
  • 9-10 red flags: Your tenant requires comprehensive governance overhaul before Copilot. Estimated timeline: 16-20 weeks.

The Cost of Deploying Copilot Before the Tenant Is Ready

Data Exposure Incidents

$50K-$250K per incident

Incident response, legal review, notification, and remediation. HIPAA fines: up to $50K per violation. SOC 2 audit failures can cost $100K+ in re-certification.

Copilot Rollback

$30K-$100K waste

Disabling Copilot tenant-wide wastes license investment ($30/user/month), disrupts productive users, and requires re-deployment after remediation. Average rollback duration: 8-12 weeks.

Trust and Adoption

Incalculable

Internal data exposure erodes employee trust in IT. "Copilot showed me my manager's salary" becomes organizational folklore. Future technology deployments face resistance and skepticism.

The ROI of Readiness: EPC Group's 47-Point Assessment costs $15,000. The average data exposure incident costs $50,000-$250,000. The assessment pays for itself if it prevents a single incident — and it typically identifies 15-25 issues across the 47 checkpoints. The question is not whether your tenant has gaps. The question is whether you discover them before or after Copilot does.

EPC Group's 2-Week Copilot Readiness Assessment

The 47-Point Assessment is a structured 2-week engagement that evaluates your tenant's Copilot readiness across 6 security domains. Every checkpoint receives a Pass/Fail/Partial rating with specific remediation steps and effort estimates.

  • Identity & Access (8 checkpoints): MFA, Conditional Access, PIM, risk policies, break-glass, guest access, stale accounts, admin roles
  • Email Security (7 checkpoints): SPF, DKIM, DMARC, anti-phishing, safe attachments, safe links, mail flow rules
  • Data Protection (9 checkpoints): Sensitivity labels, auto-labeling, DLP, information barriers, retention, eDiscovery, encryption
  • Endpoint Management (7 checkpoints): Device compliance, app protection, updates, BitLocker, Defender, attack surface reduction
  • Compliance & Governance (8 checkpoints): Audit logging, compliance score, insider risk, communication compliance, records, lifecycle
  • Copilot & AI Readiness (8 checkpoints): Permission analysis, data exposure modeling, meeting policies, Copilot DLP, usage monitoring

Assessment Deliverables

  • 40+ page assessment report with Pass/Fail/Partial per checkpoint
  • Prioritized 30/60/90 day remediation roadmap
  • Effort estimates for each remediation task (hours, resources, complexity)
  • SharePoint permission inheritance analysis across all sites
  • Sensitivity label enforcement measurement and gap analysis
  • Copilot data exposure modeling (what Copilot can access that it should not)
  • Executive summary for CIO/CISO presentation

Case Study: Financial Services Firm (8,000 Employees)

Before Assessment

  • 2,400 SharePoint sites, 340 overshared
  • 8% sensitivity label enforcement
  • 4,200 guest accounts (1,100 stale)
  • No Conditional Access for M365 apps
  • Single default meeting policy for all meetings
  • 9 out of 10 self-assessment red flags

After 12-Week Remediation

  • 340 overshared sites remediated to least-privilege
  • 82% sensitivity label enforcement (auto-labeling + mandatory)
  • 1,100 stale guest accounts removed, 90-day expiration policy
  • 5 Conditional Access policies deployed and enforced
  • 3-tier meeting policy (Standard, Sensitive, Highly Sensitive)
  • Copilot deployed to 2,000 users with zero data exposure incidents

Frequently Asked Questions

Why aren't most Microsoft 365 tenants ready for Copilot?

Most Microsoft 365 tenants are not ready for Copilot because they were built for human access patterns, not AI-assisted search. Over 5-15 years of operation, tenants accumulate overshared SharePoint sites, broken permission inheritance, unlabeled documents, inactive guest accounts, and insufficient DLP policies. These issues were manageable when data exposure required a user to know where to look and manually browse to the content. Copilot eliminates this friction — it can search, summarize, and aggregate content across the entire tenant in seconds. The security model that was "good enough" for manual access is fundamentally insufficient for AI-assisted access. Based on EPC Group's 700+ tenant audits, 80% of organizations have at least 3 of the 5 critical readiness gaps.

What are the 5 reasons Microsoft 365 tenants fail Copilot readiness?

The 5 most common reasons are: 1) Overshared permissions — SharePoint sites, OneDrive folders, and Teams channels with broad access that gives Copilot reach into sensitive content. 2) Sensitivity labels not enforced — labels are configured but fewer than 15% of documents have labels applied, leaving 85% of content unprotected. 3) DLP gaps for Copilot — existing DLP policies do not cover Copilot-generated content or cross-source data aggregation. 4) Identity and access issues — no Conditional Access policies governing Copilot access, stale guest accounts, no device compliance requirements. 5) Governance gaps — no meeting recording policies, no Copilot usage monitoring, no data classification for legacy content. Each gap independently creates data exposure risk. Combined, they make Copilot deployment a security incident waiting to happen.

How do I know if my Microsoft 365 tenant is ready for Copilot?

Use this quick self-assessment: 1) Can you report the exact number of SharePoint sites with "Everyone" or "Everyone except external users" access? 2) What percentage of your documents have sensitivity labels applied (not just configured)? 3) Do you have Conditional Access policies requiring compliant devices and MFA for all M365 apps? 4) Have you audited guest accounts in the last 90 days? 5) Do you have separate Teams meeting policies for sensitive meetings? If you answered "no" or "I don't know" to 3 or more questions, your tenant is not ready for Copilot. EPC Group's 47-Point Assessment provides a comprehensive readiness evaluation with specific remediation steps.

What is the cost of deploying Copilot before the tenant is ready?

The cost of premature Copilot deployment manifests in three areas: 1) Data exposure incidents — when Copilot surfaces sensitive content to unauthorized users, the organization faces incident response costs ($50,000-$250,000 per incident), legal review, and potential regulatory fines. For HIPAA violations, fines range from $100 to $50,000 per violation with an annual maximum of $1.5 million per violation category. 2) Rollback costs — organizations that deploy Copilot and discover data exposure issues often have to disable Copilot tenant-wide while they remediate, wasting the license investment and disrupting users who were productively using the tool. 3) Reputation and trust — internal data exposure incidents erode employee trust in IT and create resistance to future technology deployments. The $15,000 investment in a pre-deployment assessment is trivial compared to any of these costs.

How long does it take to make a Microsoft 365 tenant Copilot-ready?

Timeline depends on the starting state of the tenant. EPC Group's typical engagement: Week 1-2: Assessment (47-Point Security Review to identify all gaps). Week 3-4: Quick wins (fix overshared permissions, enable mandatory labeling, deploy Conditional Access policies). Week 5-8: Remediation (auto-labeling deployment, DLP policy updates, meeting policy configuration, guest access cleanup). Week 9-10: Validation (test Copilot in controlled environment with test data, verify label enforcement, validate Conditional Access policies). Week 11-12: Controlled deployment (enable Copilot for pilot group, monitor for data exposure, adjust policies). Total: 10-12 weeks for a typical enterprise tenant. Organizations with severe permission sprawl or minimal existing governance may need 16-20 weeks.

What does EPC Group's 2-Week Assessment cover?

EPC Group's 2-Week Copilot & M365 Security Assessment evaluates 47 specific security checkpoints across 6 domains: Identity & Access (8 points — MFA, Conditional Access, PIM, risk policies, break-glass accounts, guest access, stale accounts, admin role review). Email Security (7 points — SPF, DKIM, DMARC, anti-phishing, safe attachments, safe links, mail flow rules). Data Protection (9 points — sensitivity labels, auto-labeling, DLP policies, information barriers, retention policies, eDiscovery readiness, encryption). Endpoint Management (7 points — device compliance, app protection, update management, BitLocker, Defender for Endpoint, attack surface reduction). Compliance & Governance (8 points — audit logging, compliance score, insider risk, communication compliance, records management, data lifecycle). Copilot & AI Readiness (8 points — permission analysis, Copilot data exposure modeling, meeting policy review, Copilot-specific DLP, usage monitoring). Deliverable: 40+ page report with Pass/Fail per checkpoint and prioritized 30/60/90 day remediation roadmap. Cost: $15,000.

Can I deploy Copilot to a subset of users while preparing the full tenant?

Yes, but with important caveats. Copilot licenses can be assigned to specific users, and only licensed users can use Copilot features. However, Copilot still accesses content based on the licensed user's permissions — not the content creator's license status. If a Copilot-licensed user has access to broadly shared SharePoint sites, they can query all content in those sites regardless of whether the content owners have Copilot licenses. A phased deployment should: 1) Start with users who have well-governed data access (not executives with broad permissions). 2) Deploy Conditional Access policies before enabling any Copilot licenses. 3) Fix the most critical permission issues first (overshared sites with sensitive content). 4) Monitor Copilot usage logs during the pilot to identify unexpected data access patterns. 5) Expand only after the 47-point assessment identifies and remediates all critical gaps.

Find Out If Your Tenant Is Ready — Before Copilot Does

EPC Group performs Copilot & M365 Tenant Security Reviews for enterprises across all industries. With 700+ tenants secured and 29 years of Microsoft expertise, we identify exactly what Copilot can access that it shouldn't.

Our 47-Point Assessment takes 2 weeks. Remediation takes 10-12 weeks. The alternative — deploying Copilot unprepared — takes one incident to regret. Start with the assessment and get the full picture.
