Control 2.11: Copilot Pages Security and Sharing Controls
- Control ID: 2.11
- Pillar: Security & Protection
- Regulatory Reference: GLBA 501(b), FINRA 4511
- Last Verified: 2026-03-22
- Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance controls for Copilot Pages and Copilot Notebooks as AI-generated collaboration surfaces in Microsoft 365. This control covers Cloud Policy decisions, storage in SharePoint Embedded, sharing restrictions, sensitivity labeling, retention, eDiscovery, and offboarding procedures so that Pages-related content is governed consistently with broader financial services data protection and records management expectations.
Why This Matters for FSI
- GLBA 501(b) requires safeguards for customer information. Copilot Pages can aggregate content from multiple regulated sources into a new shareable artifact, which increases the need for clear creation, sharing, and retention controls.
- FINRA Rule 4511 requires firms to preserve books and records that may include Copilot-generated summaries, working notes, or collaboration artifacts if they relate to firm business.
- SEC 17a-3/4 may apply when Pages document advisory activity, investment research, client service workflows, or draft communications that become part of the business record.
- SOX Section 404 internal control expectations extend to new collaboration surfaces that can contain financial reporting support material or control evidence.
- Information Barriers limitations matter in broker-dealer and banking environments because Copilot Pages and Copilot Notebooks use SharePoint Embedded storage, where Information Barriers are not currently supported.
Control Description
Copilot Pages (.page files) and Copilot Notebooks are stored in a single user-owned SharePoint Embedded container that is also used by Loop My workspace. They are not stored in the user's OneDrive in the traditional sense, even though the container follows a lifecycle similar to OneDrive cleanup after user departure.
Creation and use are governed through Microsoft 365 Cloud Policy, while retention, eDiscovery, sensitivity labels, and DLP rely on SharePoint and Purview controls that apply to SharePoint Embedded content.
Copilot Pages Data Flow
```text
User interacts with Copilot Chat or a supported Copilot surface
        |
        v
Copilot generates content
        |
        v
User selects "Create Page" or adds content to a Notebook
        |
        v
+-----------------------------------------------+
| SharePoint Embedded user-owned container      |
|                                               |
| - Created when policy allows Pages/Notebooks  |
| - Shared platform with Loop My workspace      |
| - Governed by SharePoint/Purview controls     |
| - Discoverable through eDiscovery             |
| - Retained through All SharePoint Sites scope |
+------------------------+----------------------+
                         |
                +--------+--------+
                |                 |
            Private          Shared internally
           by default       with approved users
```
Pages Security Controls
| Control Area | Description | Configuration Location |
|---|---|---|
| Creation and use | Allow or block creation of Copilot Pages and Copilot Notebooks | Microsoft 365 Cloud Policy (config.office.com) |
| Code previews | Allow or block code previews in Copilot Chat and Pages | Microsoft 365 Cloud Policy |
| Storage administration | View and manage user-owned SharePoint Embedded containers | SharePoint Admin Center / SharePoint PowerShell |
| Sharing scope | Control whether collaboration is limited to named internal users | SharePoint sharing controls, Loop component settings, supported app sharing behavior |
| Sensitivity labels | Apply or auto-apply labels to Pages content | Microsoft Purview > Information Protection |
| DLP | Detect sensitive content and show policy tips for Pages content | Microsoft Purview > Data loss prevention |
| Retention | Apply lifecycle controls to SharePoint Embedded content | Microsoft Purview > Data Lifecycle Management > All SharePoint Sites |
| eDiscovery / legal hold | Search, review, export, and preserve content | Microsoft Purview eDiscovery; manual container hold workflow |
| Information barriers | Document unsupported scenarios and compensating controls | Governance decision; disable Pages/Notebooks where IB is required |
Storage and Lifecycle Considerations
| Scenario | Current Behavior | Governance Implication |
|---|---|---|
| User creates first Page or Notebook | A SharePoint Embedded container can be created for that user if policy allows | Creation policy should be intentional and scoped to approved users |
| Loop disabled but Pages enabled | Pages can still create the shared user-owned container | Review Loop and Pages policies together |
| Pages disabled but Loop enabled | The shared container can still exist because Loop can create it | Do not assume blocking Pages removes the container |
| User departure | Container follows OneDrive-like cleanup schedule; there is no manager handoff workflow | Preservation steps should happen before cleanup windows expire |
| Legal hold | Supported, but the container must be added manually per user | Litigation response playbooks should include manual container targeting |
| Information barriers required | Not supported for SharePoint Embedded content | Disable or tightly scope Pages/Notebooks for IB-sensitive populations |
Pages Sharing Guidance
| Sharing Pattern | FSI Guidance | Notes |
|---|---|---|
| Creator-only / specific people | Preferred | Best fit for early rollout and regulated teams |
| Broad internal sharing | Review before enabling | Validate audience, purpose, and downstream recordkeeping obligations |
| Interactive sharing through Loop-enabled apps | Review carefully | Sharing behavior depends on Loop components being enabled in the Microsoft 365 ecosystem |
| Guest / external sharing | Avoid for regulated content | Product capabilities continue to evolve; validate exact behavior in your tenant before permitting any external scenario |
Copilot Surface Coverage
| M365 Application | Creates Pages | Accesses Pages | Governance Notes |
|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Primary creation surface |
| Teams | Yes | Yes | Pages can be shared in supported chat experiences |
| SharePoint agents | Yes | Yes | Agent responses can generate or reference Pages |
| Loop app | Yes | Yes | Shares the same SharePoint Embedded storage substrate |
| Copilot Notebooks | Related | Yes | Uses the same user-owned container model |
| Word / Excel / PowerPoint / Outlook | No | Indirect | Content may flow into Pages, but creation is centered on Copilot/Loop experiences |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Scope Cloud Policy for who can create and view Copilot Pages and Copilot Notebooks; document SharePoint Embedded storage behavior; restrict sharing to named internal users where possible; cover Pages with SharePoint retention and DLP policies; document manual legal hold process | Minimum viable governance for introducing Pages without treating them as unmanaged scratch space |
| Recommended | All Baseline requirements plus: create separate policy scopes for approved business groups; decide whether code previews are allowed; test sensitivity labels, DLP, and eDiscovery on Pages content; add quarterly review of Pages sharing and usage; document offboarding preservation workflow | Balanced production governance for most FSI deployments |
| Regulated | All Recommended requirements plus: disable Pages/Notebooks for populations that require Information Barriers; require compliance review before enabling broad sharing; include Pages/Notebooks in records management procedures and examination evidence packs; perform annual control validation against SharePoint Embedded limitations | Stronger posture for environments with heightened supervision, records, or segmentation requirements |
Setup & Configuration
Step 1: Configure Creation and Use Policy
Portal: Microsoft 365 Cloud Policy service
Path: https://config.office.com > Customization > Policy Management
- Create or edit a policy that scopes approved users or groups.
- Configure the "Create and view Copilot Pages and Copilot Notebooks" policy.
- For Baseline and Recommended tiers, scope the policy to approved security or dynamic groups instead of enabling it broadly by default.
- Document the policy owner, target groups, and business justification.
Step 2: Configure Code Preview Policy
Portal: Microsoft 365 Cloud Policy service
Path: https://config.office.com > Customization > Policy Management
- Review the "Enable code previews for AI-generated content in Microsoft 365 Copilot Chat and Copilot Pages" policy.
- Disable it unless there is a documented need for code-preview workflows.
- If enabled, include code preview usage in secure development and data handling guidance.
Step 3: Review Storage and Container Visibility
Portal: SharePoint Admin Center / SharePoint PowerShell
- Confirm administrators can locate user-owned SharePoint Embedded containers for Pages/Notebooks.
- Document how orphaned or ownerless containers are identified and escalated.
- Record cleanup timing for departing users so evidence preservation occurs before container deletion.
Step 4: Apply Sensitivity Labels and DLP
Portal: Microsoft Purview
- Publish sensitivity labels appropriate for Pages content.
- Test whether Pages that contain regulated material trigger the expected DLP policy tips and actions.
- Document whether manual labeling, auto-labeling, or default labeling is required for your environment.
Step 5: Configure Retention
Portal: Microsoft Purview > Data lifecycle management > Retention policies
- Include All SharePoint Sites in the relevant retention policy scope so SharePoint Embedded content is covered.
- Verify Pages and Notebooks are included in records management decisions for regulated business content.
- Document any exceptions for ephemeral collaboration content and validate those exceptions with records management counsel.
Step 6: Configure eDiscovery and Legal Hold Procedures
Portal: Microsoft Purview > eDiscovery
- Test search and export of .page content.
- Document the manual step required to add the user's container to a legal hold workflow.
- Validate that your eDiscovery team knows how to find SharePoint Embedded-backed Pages content during examinations or litigation.
Step 7: Document Unsupported and High-Risk Scenarios
- Identify populations that depend on Information Barriers or other unsupported controls.
- Disable or tightly scope Pages/Notebooks for those users.
- Add Pages/Notebooks to offboarding, investigation, and incident response procedures.
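The following script is an added example, not part of the original control or of Microsoft's documentation, covering the PowerShell side of Step 3 (locating user-owned SharePoint Embedded containers and flagging ownerless ones) and Step 6 (manually adding a departing user's container to a legal hold). It assumes the SharePoint Online Management Shell and Security & Compliance (Exchange Online) modules are installed, that the tenant admin URL, case name and container URL are placeholders you replace, and that the owning application ID shown is the one Microsoft documents for Loop; confirm it in your tenant with Get-SPOApplication.

```powershell
# Added example: inventory the SharePoint Embedded containers that back
# Copilot Pages / Loop My workspace, flag containers with no Owner, and place
# one container on legal hold. Tenant URL, case name and container URL are
# placeholders; the owning application ID is Loop's documented ID (verify it
# with Get-SPOApplication before relying on it).
param(
    [string]$TenantAdminUrl  = "https://contoso-admin.sharepoint.com",   # placeholder
    [string]$LoopOwningAppId = "a187e399-0c36-4b98-8f04-1edc167a0996",  # verify in tenant
    [string]$InventoryCsv    = ".\copilot-pages-containers.csv"
)

Connect-SPOService -Url $TenantAdminUrl

# Step 3: list containers for the owning application, then fetch each detail
# record so the Owners role assignment is visible. Get-SPOContainer returns a
# first page of results; use -Paged / -PagingToken for large tenants.
$inventory = Get-SPOContainer -OwningApplicationId $LoopOwningAppId |
    ForEach-Object {
        $detail = Get-SPOContainer -Identity $_.ContainerId
        [pscustomobject]@{
            ContainerId   = $detail.ContainerId
            ContainerName = $detail.ContainerName
            Owners        = ($detail.Owners -join ';')
            Ownerless     = (-not $detail.Owners)   # orphaned container: escalate
        }
    }

$inventory | Export-Csv -Path $InventoryCsv -NoTypeInformation
$inventory | Where-Object Ownerless | ForEach-Object {
    Write-Warning "Ownerless container: $($_.ContainerId) ($($_.ContainerName))"
}

# Step 6: holds are applied per container and must be added manually. The URL
# below is a placeholder for the container's site URL from its detail record.
$containerUrl = "https://contoso.sharepoint.com/contentstorage/<container-site-id>"   # placeholder

Connect-IPPSSession
$case = New-ComplianceCase -Name "Offboarding hold - departing user (placeholder)"
$policyName = "$($case.Name) - Pages container"
New-CaseHoldPolicy -Name $policyName -Case $case.Identity -SharePointLocation $containerUrl
# No -ContentMatchQuery: hold everything in the container until the case closes.
New-CaseHoldRule -Name "$policyName - all content" -Policy $policyName
```

Run the inventory portion on a schedule so the exported CSV doubles as examination evidence that Step 3 is performed; the hold portion belongs in the offboarding and litigation playbooks referenced by Steps 6 and 7.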
Financial Sector Considerations
- Record-keeping classification: Organizations should determine which Copilot Pages constitute books and records under FINRA Rule 4511 or SEC Rule 17a-4 based on business use, not file type alone.
- Information Barriers limitation: Because SharePoint Embedded content doesn't currently support Information Barriers, broker-dealers and firms with strict MNPI segmentation should treat Pages enablement as an explicit governance decision, not a default feature rollout.
- Departing employee workflow: There is no manager takeover workflow for the user's container. Offboarding procedures should include retention, export, or eDiscovery preservation steps before the SharePoint Embedded container reaches cleanup deadlines.
- Manual legal hold step: Legal hold can support Pages content, but the team should verify the manual container-targeting step is reflected in litigation procedures.
- Training: Users should understand that Copilot Pages are governed business content. They are not outside the firm's retention, discovery, or supervisory scope simply because they originate from a Copilot interaction.
Verification Criteria
- Creation policy scoped: Verify the Cloud Policy "Create and view Copilot Pages and Copilot Notebooks" is applied to the intended users or groups only.
- Code preview decision documented: Confirm the code preview policy is either disabled or enabled with documented business justification.
- Storage visibility confirmed: Verify administrators can identify user-owned SharePoint Embedded containers for Pages/Notebooks.
- Sharing posture validated: Create a test Page and confirm sharing behavior matches the firm's approved model.
- Sensitivity and DLP controls tested: Confirm Pages content can be labeled and that DLP policies detect test sensitive data.
- Retention coverage verified: Confirm relevant retention policies covering All SharePoint Sites apply to Pages/Notebooks content.
- eDiscovery search tested: Run an eDiscovery test for Pages content and verify results can be reviewed and exported.
- Legal hold workflow documented: Confirm the team can manually target the user's container for hold when required.
- IB exception handling documented: Verify high-segmentation populations are either excluded from Pages/Notebooks or have compensating controls documented.
- Offboarding procedure updated: Confirm user departure procedures address preservation of Pages/Notebooks content before cleanup windows expire.
Additional Resources
- Manage Copilot Pages and Copilot Notebooks in your organization
- Overview of Copilot Pages and Copilot Notebooks storage
- Summary of governance, lifecycle, and compliance capabilities
- Managing SharePoint Embedded containers for Copilot content
- Sensitivity labels for Loop components and Copilot Pages
- Related Controls: 2.2 Sensitivity Labels, 2.12 External Sharing, 3.2 Data Retention Policies, 3.3 eDiscovery Copilot Content
- Playbooks: 2.11 Portal Walkthrough, 2.11 Verification & Testing