Control 1.1: Copilot Readiness Assessment and Data Hygiene
- Control ID: 1.1
- Pillar: Readiness & Assessment
- Regulatory Reference: GLBA 501(b), FFIEC IT Handbook (Information Security Booklet), Interagency AI Guidance (2023)
- Last Verified: 2026-02-17
- Governance Levels: Baseline / Recommended / Regulated
Objective
Conduct a comprehensive pre-deployment assessment of the organization's data environment to identify and remediate data hygiene issues before enabling Microsoft 365 Copilot. This control supports compliance with regulatory expectations that financial institutions evaluate the risk posture of new technology deployments, including understanding where sensitive data resides, who has access to it, and whether existing classification and permission models are sufficient for AI-assisted data retrieval.
Why This Matters for FSI
- GLBA 501(b): Requires financial institutions to develop, implement, and maintain a comprehensive information security program. Pre-deployment assessment of data hygiene directly supports this obligation by identifying gaps in data protection before Copilot amplifies access patterns.
- FFIEC IT Handbook (Information Security Booklet): Expects risk assessments for new technology deployments, including evaluation of how the technology interacts with existing data stores and access models.
- Interagency AI Guidance (2023), Section III: Calls for institutions to assess AI-related risks as part of existing risk management frameworks, including data quality, data governance, and access control adequacy.
- SOX 302/404: Internal control assessments must account for AI tools that may surface or generate content used in financial reporting workflows.
- OCC Bulletin 2013-29: Third-party risk management expectations require assessment of how vendor AI services interact with institutional data.
Control Description
The Copilot Readiness Assessment evaluates four key dimensions of data hygiene before Copilot is enabled for any user group:
Assessment Dimensions
| Dimension | What It Evaluates | Key Risk if Unaddressed |
|---|---|---|
| Data Classification Maturity | Whether sensitivity labels are applied consistently across M365 content | Copilot may surface unclassified sensitive data (PII, NPI, trade secrets) to unauthorized users |
| Permission Sprawl Analysis | Breadth of user access across SharePoint, OneDrive, Exchange, Teams | Copilot inherits all user permissions -- overly broad access means overly broad AI retrieval |
| Stale Content Identification | Volume and risk profile of outdated, orphaned, or obsolete content | Copilot may generate responses based on outdated policies, superseded procedures, or archived data |
| Sensitive Data Inventory | Location and volume of sensitive data types (SSN, account numbers, PII) | Copilot could surface regulated data in responses without proper DLP controls in place |
Assessment Tools and Data Sources
| Tool | Purpose | Admin Portal |
|---|---|---|
| Microsoft 365 Copilot Optimization Assessment | Pre-deployment network readiness, Office update channel compliance, and app compatibility validation | Microsoft 365 Admin Center > Health > Copilot readiness |
| Microsoft Purview DSPM for AI | AI-specific readiness reports, oversharing detection, sensitivity label coverage analysis | Microsoft Purview > Data Security Posture Management |
| SharePoint Advanced Management (SAM) | Data Access Governance (DAG) reports, site access reviews, sharing analytics | SharePoint Admin Center > Data access governance |
| Microsoft Purview Data Map | Automated data discovery and classification scanning across M365 workloads | Microsoft Purview governance portal > Data Map |
| Microsoft Purview Content Explorer | Browse and audit actual content matched by sensitive information types | Microsoft Purview > Information Protection > Content Explorer |
| Microsoft Graph API | Programmatic access to permission models, sharing links, and group memberships | Microsoft Graph Explorer or custom scripts |
Readiness Scoring Model
Organizations should develop a readiness score based on quantifiable metrics:
| Metric | Target (Baseline) | Target (Recommended) | Target (Regulated) |
|---|---|---|---|
| Sensitivity label coverage | >50% of documents | >75% of documents | >90% of documents |
| Sites with oversharing findings | Reviewed top 20 | Remediated top 50 | Remediated all flagged |
| Stale content (>2 years, no access) | Identified | Archived or deleted | Archived with retention policy |
| Sensitive data types inventoried | Top 5 SIT types | All standard SITs | Custom SITs for institution |
| Permission audit coverage | SharePoint only | SharePoint + OneDrive + Teams | All M365 workloads + Graph API |
| Office update channel compliance | >80% on Current Channel or Monthly Enterprise Channel | >95% on Current or Monthly Enterprise Channel | 100% enforced via Intune or Group Policy |
Assessment Workflow
- Scope Definition: Identify which M365 workloads and user populations are in scope for initial Copilot deployment
- Optimization Assessment: Run the Microsoft 365 Copilot Optimization Assessment from Microsoft 365 Admin Center > Health > Copilot readiness. This Microsoft-provided tool evaluates network readiness (bandwidth, latency, proxy compatibility), Office update channel compliance, and app compatibility against Copilot requirements. Per FFIEC IT Examination Handbook (Information Security Booklet), risk assessments for new technology deployments must include infrastructure readiness evaluation.
- Update Channel Validation: Confirm that endpoints in the Copilot rollout scope are on Current Channel or Monthly Enterprise Channel. Semi-Annual Enterprise Channel does not receive Copilot feature updates and is not supported for Copilot deployment.
- Data Discovery: Run Microsoft Purview data classification scans across in-scope workloads
- Permission Analysis: Generate DAG reports from SharePoint Advanced Management and export sharing link inventory
- Stale Content Review: Identify content with no access activity in 12+ months using SharePoint site analytics
- Sensitive Data Mapping: Use Content Explorer and sensitive information type (SIT) matches to map regulated data locations
- Gap Analysis: Compare current state against target readiness scores for the intended governance level
- Remediation Plan: Develop prioritized remediation plan addressing highest-risk findings first
- Stakeholder Report: Present readiness assessment findings to compliance, legal, and IT leadership
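The Readiness Scoring Model table and the Gap Analysis step both amount to the same computation: compare measured values against the targets for the intended governance level and list the metrics that fall short. The script below is an added example, not the framework's Playbook 1.1.3 template. The thresholds are transcribed from the scoring table; the metric names, the sample measurements, and the assumption that each qualitative column reads as an ordinal maturity ladder (so "meets or exceeds" is a rank comparison) are the example's own.

```powershell
# Added example: gap analysis against the Readiness Scoring Model targets.
# Assumption: each qualitative column in the table is a maturity ladder, so a
# measured state passes when it sits at or above the target rung.
$Ladder = @{
    Oversharing     = @('None', 'Reviewed top 20', 'Remediated top 50', 'Remediated all flagged')
    StaleContent    = @('None', 'Identified', 'Archived or deleted', 'Archived with retention policy')
    SitInventory    = @('None', 'Top 5 SIT types', 'All standard SITs', 'Custom SITs for institution')
    PermissionAudit = @('None', 'SharePoint only', 'SharePoint + OneDrive + Teams', 'All M365 workloads + Graph API')
}

# Targets transcribed from the scoring table. Percentages are minimums;
# PolicyEnforced reflects the Regulated requirement that channel compliance be
# enforced via Intune or Group Policy rather than merely measured.
$Targets = @{
    Baseline    = @{ LabelCoveragePct = 50; Oversharing = 'Reviewed top 20';        StaleContent = 'Identified';
                     SitInventory = 'Top 5 SIT types';             PermissionAudit = 'SharePoint only';
                     UpdateChannelPct = 80;  PolicyEnforced = $false }
    Recommended = @{ LabelCoveragePct = 75; Oversharing = 'Remediated top 50';      StaleContent = 'Archived or deleted';
                     SitInventory = 'All standard SITs';           PermissionAudit = 'SharePoint + OneDrive + Teams';
                     UpdateChannelPct = 95;  PolicyEnforced = $false }
    Regulated   = @{ LabelCoveragePct = 90; Oversharing = 'Remediated all flagged'; StaleContent = 'Archived with retention policy';
                     SitInventory = 'Custom SITs for institution'; PermissionAudit = 'All M365 workloads + Graph API';
                     UpdateChannelPct = 100; PolicyEnforced = $true }
}

function Get-LadderRank([string]$Metric, [string]$Value) {
    # Position of a qualitative state on its ladder; unknown states are an input error.
    $rank = [array]::IndexOf($Ladder[$Metric], $Value)
    if ($rank -lt 0) { throw "Unknown $Metric state '$Value'" }
    return $rank
}

function Test-CopilotReadiness {
    param(
        [Parameter(Mandatory)][hashtable]$Measured,
        [ValidateSet('Baseline', 'Recommended', 'Regulated')][string]$Level = 'Baseline'
    )
    $t = $Targets[$Level]
    $results = @()
    # Percentage metrics pass when the measured value meets or exceeds the target.
    foreach ($m in 'LabelCoveragePct', 'UpdateChannelPct') {
        $results += [pscustomobject]@{ Metric = $m; Measured = $Measured[$m]; Target = ">=$($t[$m])"; Pass = ($Measured[$m] -ge $t[$m]) }
    }
    # Ordinal metrics pass when the measured rung is at or above the target rung.
    foreach ($m in $Ladder.Keys) {
        $pass = (Get-LadderRank $m $Measured[$m]) -ge (Get-LadderRank $m $t[$m])
        $results += [pscustomobject]@{ Metric = $m; Measured = $Measured[$m]; Target = $t[$m]; Pass = $pass }
    }
    # Regulated additionally requires policy enforcement of the update channel.
    if ($t.PolicyEnforced) {
        $results += [pscustomobject]@{ Metric = 'UpdateChannelPolicyEnforced'; Measured = [bool]$Measured.PolicyEnforced; Target = $true; Pass = [bool]$Measured.PolicyEnforced }
    }
    $gaps = @($results | Where-Object { -not $_.Pass } | Select-Object -ExpandProperty Metric)
    return [pscustomobject]@{ Level = $Level; Ready = ($gaps.Count -eq 0); Gaps = $gaps; Detail = $results }
}

# Constructed sample measurements for one in-scope user population (not real tenant data).
$sample = @{
    LabelCoveragePct = 78
    Oversharing      = 'Remediated top 50'
    StaleContent     = 'Identified'
    SitInventory     = 'All standard SITs'
    PermissionAudit  = 'SharePoint + OneDrive + Teams'
    UpdateChannelPct = 96
    PolicyEnforced   = $false
}

foreach ($level in 'Baseline', 'Recommended', 'Regulated') {
    $r = Test-CopilotReadiness -Measured $sample -Level $level
    '{0}: {1}' -f $level, $(if ($r.Ready) { 'READY' } else { 'GAPS: ' + ($r.Gaps -join ', ') })
}
```

With the sample figures the population is ready at Baseline, falls short of Recommended only on stale content (identified but not yet archived or deleted), and has several gaps at Regulated; the `Detail` property carries the per-metric rows that a remediation plan and the scoring worksheet would be built from. Because the ladders and targets live in one place, a future revision of the table changes data rather than logic.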
Copilot Surface Coverage
This control applies to readiness assessment for all Copilot surfaces, as data hygiene issues affect every surface where Copilot retrieves content:
| Copilot Surface | Relevance | Assessment Focus |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Searches across all M365 data -- broadest exposure surface |
| Word / Excel / PowerPoint | High | Document-level content retrieval and generation |
| Outlook | High | Email content, attachment access, calendar data |
| Teams | High | Chat history, channel files, meeting transcripts |
| SharePoint | Critical | Document libraries, site content, metadata |
| OneDrive | High | Personal files that may contain sensitive data |
| Loop / Whiteboard | Medium | Collaborative content with potentially broad sharing |
| Viva (Insights, Engage) | Medium | Organizational analytics and communications data |
| Copilot Pages | High | AI-generated collaborative artifacts with sharing |
| Extensibility (Plugins, Graph connectors) | High | External data brought into Copilot grounding scope |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Conduct readiness assessment using DSPM for AI reports and SharePoint DAG reports. Run Optimization Assessment to validate infrastructure readiness. Confirm >80% of in-scope endpoints are on Current Channel or Monthly Enterprise Channel. Review top 20 sites for oversharing. Document findings and present to IT leadership. | Minimum due diligence before enabling Copilot for any user group. Addresses immediate, high-visibility risks including infrastructure gaps that block Copilot feature delivery. |
| Recommended | All Baseline requirements plus: comprehensive permission audit across SharePoint, OneDrive, and Teams. Remediate top 50 oversharing sites. Achieve >75% sensitivity label coverage for in-scope content. Achieve >95% update channel compliance for in-scope endpoints. Develop remediation roadmap with timelines. | Addresses broader data hygiene risks and demonstrates proactive governance to regulators. Ensures Copilot feature parity across the in-scope user population. |
| Regulated | All Recommended requirements plus: full permission audit across all M365 workloads including Exchange and Graph API permissions. Remediate all flagged oversharing sites. Achieve >90% label coverage. Enforce 100% update channel compliance via policy (Intune or Group Policy). Engage internal audit or compliance for independent validation of readiness assessment. Document assessment in regulatory examination file. | Comprehensive, examination-ready posture that supports compliance with GLBA, FFIEC, and interagency guidance expectations. Policy-enforced update channel compliance ensures no endpoint delivers degraded Copilot features due to stale Office versions. |
Setup & Configuration
Step 1: Run the Optimization Assessment
Navigate to Microsoft 365 Admin Center > Health > Copilot readiness to access the Microsoft 365 Copilot Optimization Assessment. This tool evaluates:
- Network readiness: Bandwidth, latency, and proxy/firewall compatibility with Copilot service endpoints
- Office update channel compliance: Percentage of endpoints on Current Channel or Monthly Enterprise Channel (required for Copilot features)
- App compatibility: Identification of Office add-ins or applications with known Copilot compatibility issues
Address any infrastructure findings from the Optimization Assessment before proceeding with Copilot license assignment.
Step 2: Enable DSPM for AI
Navigate to Microsoft Purview > Data Security Posture Management to access readiness dashboards and AI-specific reports.
Key reports to review:
- Data oversharing assessment: Identifies sites and content with broad access that Copilot could surface
- Sensitivity label coverage: Shows percentage of content with applied labels vs. unlabeled content
- Copilot interaction insights: After initial deployment, shows what content Copilot is accessing
Step 3: Run SharePoint Data Access Governance Reports
Navigate to SharePoint Admin Center > Data access governance and generate reports for:
- Sites with broad sharing (Everyone, Everyone Except External Users)
- Sites with sensitivity labels applied
- Sites with sharing links (company-wide, anyone links)
Step 4: Content Explorer Analysis
Navigate to Microsoft Purview > Information Protection > Content Explorer and review:
- Volume of content matching sensitive information types (SSN, credit card, bank account)
- Distribution of sensitive content across SharePoint sites, OneDrive accounts, and Exchange mailboxes
- Content with no sensitivity labels applied
Step 5: Permission Audit via PowerShell
Use SharePoint Online Management Shell and Microsoft Graph PowerShell SDK to export detailed permission reports:
```powershell
# Key audit areas (refer to Playbook 1.1.2 for full scripts):
# - SharePoint site collection permissions
# - Sharing link inventory (anonymous, company-wide, specific people)
# - Microsoft 365 Group memberships tied to Teams and SharePoint
# - OneDrive sharing configuration per user
# - Exchange mailbox delegation and folder permissions
```
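The following script is an added example of the first and third audit areas (site collection permissions and Microsoft 365 Group membership), together with the stale-content signal from the Assessment Workflow; it is not the framework's Playbook 1.1.2 script. It assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell SDK modules are installed, that the caller holds SharePoint Administrator rights, and that `<tenant>` is replaced with the institution's tenant name. The two login-name prefixes used to recognise the "Everyone" and "Everyone except external users" claims in site group membership are an assumption of the example and should be confirmed against a known site before the output is relied on.

```powershell
# Added example: broad-access and public-group inventory for the permission audit.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module Microsoft.Graph.Groups

# <tenant> is a placeholder for the institution's tenant name.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
Connect-MgGraph -Scopes 'Group.Read.All', 'GroupMember.Read.All'

# Assumption: these login-name prefixes identify the two tenant-wide claims that,
# when present in a site group, give every internal user the group's role.
$BroadClaims = @{
    'c:0(.s|true'                           = 'Everyone'
    'c:0-.f|rolemanager|spo-grid-all-users' = 'Everyone except external users'
}

function Get-BroadAccessFindings {
    param([int]$StaleMonths = 12)   # matches the workflow's 12+ month stale threshold
    $cutoff = (Get-Date).AddMonths(-$StaleMonths)
    foreach ($site in Get-SPOSite -Limit All) {
        try { $groups = Get-SPOSiteGroup -Site $site.Url } catch { continue }  # skip templates without SP groups
        foreach ($g in $groups) {
            foreach ($member in $g.Users) {
                foreach ($prefix in $BroadClaims.Keys) {
                    if ($member.StartsWith($prefix)) {
                        [pscustomobject]@{
                            SiteUrl             = $site.Url
                            Group               = $g.Title
                            Roles               = ($g.Roles -join ';')
                            BroadClaim          = $BroadClaims[$prefix]
                            SharingCapability   = $site.SharingCapability
                            LastContentModified = $site.LastContentModifiedDate
                            Stale               = ($site.LastContentModifiedDate -lt $cutoff)
                        }
                    }
                }
            }
        }
    }
}

function Get-PublicGroupInventory {
    # Public Microsoft 365 Groups (the ones backing Teams and group-connected sites)
    # can be joined by any internal user, so their content is effectively tenant-wide.
    Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All -Property Id,DisplayName,Visibility,Mail |
        Where-Object { $_.Visibility -eq 'Public' } |
        ForEach-Object {
            $members = Get-MgGroupMember -GroupId $_.Id -All
            [pscustomobject]@{
                GroupId     = $_.Id
                DisplayName = $_.DisplayName
                Mail        = $_.Mail
                MemberCount = @($members).Count
            }
        }
}

# Export dated CSVs so the artifacts can be retained with the assessment report.
$stamp = Get-Date -Format 'yyyyMMdd'
Get-BroadAccessFindings   | Export-Csv -Path ".\BroadAccess-$stamp.csv"  -NoTypeInformation
Get-PublicGroupInventory  | Export-Csv -Path ".\PublicGroups-$stamp.csv" -NoTypeInformation
```

Rows where `Stale` is true and a broad claim holds a contributing role are the highest-priority remediation candidates: Copilot can retrieve that content for every user, and the content is old enough that its accuracy is doubtful. Sharing-link inventory, OneDrive configuration and Exchange delegation need the workload-specific cmdlets listed in the audit areas above and are not covered here.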
Step 6: Document and Report
Compile findings into a Copilot Readiness Assessment Report. Document data hygiene findings, oversharing risks identified, remediation actions taken, and residual risk assessment.
Financial Sector Considerations
- Examination Readiness: Maintain the readiness assessment report in your regulatory examination file. FFIEC examiners and FINRA auditors increasingly ask about AI governance during examinations, and demonstrating pre-deployment due diligence is a strong indicator of mature risk management.
- Customer Data Sensitivity: Financial institutions hold particularly sensitive customer data (NPI under GLBA, account information, transaction histories). The readiness assessment should pay special attention to the location and accessibility of this data across M365 workloads.
- Multi-Entity Considerations: Broker-dealers, banks, and insurance subsidiaries within a holding company may each have distinct regulatory obligations. Readiness assessments should be scoped per legal entity where regulatory regimes differ.
- Board Reporting: For institutions where AI adoption is a board-level initiative, readiness assessment findings should be summarized for board risk committee reporting. Consider including readiness scores in existing technology risk dashboards.
- Merger and Acquisition Risk: Institutions that have recently completed M&A activity should pay particular attention to data hygiene in environments inherited from acquired entities, where permission models and classification practices may differ significantly.
- Regulatory Change Velocity: The regulatory landscape for AI in financial services is evolving rapidly. Build readiness assessment processes that can be repeated as new regulatory guidance emerges, not just at initial deployment.
Verification Criteria
- Microsoft 365 Copilot Optimization Assessment has been run and infrastructure findings (network, update channel, app compatibility) have been reviewed and addressed
- Office update channel compliance has been measured and meets the target for the organization's governance level (>80% Baseline / >95% Recommended / 100% policy-enforced for Regulated)
- DSPM for AI reports have been generated and reviewed by designated personnel within the past 30 days
- SharePoint Data Access Governance reports have been run for all in-scope site collections
- Content Explorer analysis has identified and documented the location and volume of sensitive information types across M365 workloads
- Permission audit has been completed for all workloads at the appropriate governance level (SharePoint minimum; all workloads for Regulated)
- Readiness scoring model has been applied and current scores documented
- Gap analysis comparing current state to target governance level has been completed
- Remediation plan with prioritized actions and timelines has been developed and approved by appropriate stakeholders
- Readiness assessment findings have been presented to IT leadership and compliance (Baseline) or documented in regulatory examination file (Regulated)
- Assessment artifacts (reports, exports, scoring worksheets) are retained per the organization's document retention policy
- Re-assessment cadence has been established (quarterly recommended; semi-annual minimum)
Additional Resources
- Microsoft Learn: Data Security Posture Management for AI
- Microsoft Learn: SharePoint Data Access Governance reports
- Microsoft Learn: Content Explorer
- FFIEC IT Examination Handbook - Information Security
- Interagency Guidance on AI (2023)
- Related Controls: 1.2 SharePoint Oversharing Detection, 1.5 Sensitivity Label Taxonomy Review, 1.6 Permission Model Audit, 3.1 Copilot Audit Logging, 4.1 Admin Settings & Feature Management
- Playbooks: Playbook 1.1.1 (DSPM for AI Setup), Playbook 1.1.2 (Permission Audit Scripts), Playbook 1.1.3 (Readiness Scoring Template), Playbook 1.1.4 (Remediation Prioritization)
FSI Copilot Governance Framework v1.2.1 - March 2026