Control 4.4: Copilot in Viva Suite Governance
Control ID: 4.4
Pillar: Operations & Monitoring
Regulatory Reference: GLBA 501(b), Labor Regulations (FLSA, State Privacy Laws), EEOC Guidance on AI, FFIEC
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish governance controls for Microsoft 365 Copilot across the Viva suite -- including Viva Insights, Viva Engage, Viva Learning, Viva Pulse, and Viva Goals -- to address employee privacy protections, data aggregation limits, manager access boundaries, and appropriate use of AI-driven workforce analytics within regulated financial services environments.
Why This Matters for FSI
The Microsoft Viva suite with Copilot capabilities introduces AI-powered workforce analytics, engagement tools, and productivity insights into the financial services workplace. While these tools offer operational value, they create governance challenges at the intersection of employee privacy, labor law, data protection, and regulatory expectations.
GLBA 501(b) requires financial institutions to protect customer information, but Viva suite governance primarily addresses a different dimension: employee data protection. Financial regulators increasingly expect that institutions demonstrate responsible use of AI in employment-related decisions. The EEOC has issued guidance on AI and automated systems in employment decisions, noting that AI tools that affect hiring, promotion, or performance evaluation may implicate Title VII and other employment discrimination statutes.
For financial services specifically:
- Viva Insights aggregates employee productivity data that could, if misused, support discriminatory management practices or create a hostile surveillance environment. Privacy controls and data aggregation minimums are critical.
- Viva Engage serves as an internal social platform where employees may discuss market views, client situations, or compliance concerns. Copilot-generated content in Engage communities could create recordkeeping obligations if substantive business discussions occur.
- Viva Learning tracks employee training completions, which for FINRA-registered representatives includes required continuing education and firm element training.
- Viva Pulse collects employee feedback that may include commentary on compliance culture, ethical concerns, or management practices -- content that could be relevant in regulatory investigations.
- Viva Goals tracks organizational objectives that may include compliance targets, risk metrics, or regulatory program milestones.
Disclaimer
This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.
Control Description
Viva Insights Copilot Governance
Copilot in Viva Insights provides AI-generated productivity analysis and recommendations:
| Feature | Description | Privacy Control |
|---|---|---|
| Personal Insights | Individual productivity patterns and suggestions | Visible only to the individual employee |
| Manager Insights | Team-level aggregated productivity data | Minimum group size of 10 (configurable higher) |
| Leader Insights | Organization-wide trends and patterns | Aggregated data only; no individual identification |
| Advanced Analytics | Custom analysis of work patterns | Requires Viva Insights Analyst role; data access agreements |
| Copilot Dashboard | AI impact measurement and adoption analytics | See Control 4.6 for detailed governance |
| Copilot Chat Insights | Analytics for Microsoft 365 Copilot Chat usage patterns across the organization | Aggregated to groups meeting the configured minimum; individual queries never visible |
Copilot Chat Analytics in Viva Insights
Viva Insights now provides analytics specifically for Microsoft 365 Copilot Chat usage patterns. These Copilot Chat insights deliver organizational visibility into how the workforce is engaging with AI-assisted work, including:
- Adoption metrics: Copilot Chat adoption rates by department and role, showing which organizational units are actively using Copilot Chat versus those with low engagement
- Interaction frequency: Average Copilot Chat interactions per user per week, enabling trend analysis over time
- Productivity correlation: Copilot Chat usage correlation with productivity metrics such as meeting reduction and document creation time
- Topic clustering: Anonymized clustering of Copilot Chat query themes, showing how the organization uses Copilot Chat at a categorical level without exposing individual query content
Privacy controls for Copilot Chat insights are consistent with Viva Insights' existing privacy architecture: all Copilot Chat usage data is aggregated to groups meeting the configured minimum group size (default 10, recommended 25 for FSI environments), individual query content is never visible to managers or administrators, and opt-out mechanisms apply equally to Copilot Chat analytics.
From an FSI governance perspective, Copilot Chat usage analytics provide evidence of AI governance effectiveness for internal audit and regulatory examination. Copilot Chat adoption and utilization reporting directly supports the FFIEC IT Examination Handbook expectation that institutions monitor technology usage patterns as part of IT risk management. Unusual usage patterns — such as elevated overnight Copilot Chat activity or query clustering around sensitive topics — can be flagged for compliance review when the Regulated tier monitoring configuration is in place.
Privacy protections for Viva Insights:
- Minimum Aggregation Group Size: Default is 10 people; financial institutions should consider increasing to 25 for sensitive departments
- Opt-Out: Employees can opt out of Viva Insights personal features, including Copilot Chat analytics
- Data Exclusions: Specific users or groups can be excluded from organizational analytics
- Attribute Controls: Limit which HR attributes (department, level, location) are available for analysis
- Data Retention: Insights data is retained for a configurable period; default is 12 months of historical data
- Individual Query Protection: Copilot Chat usage data is presented only in aggregated, de-identified form; individual query content is not accessible through Viva Insights
Viva Engage Copilot Governance
Copilot in Viva Engage assists with community management and content creation:
| Feature | Governance Concern |
|---|---|
| Post Drafting | AI-generated content in internal social channels may contain inaccurate statements |
| Community Summaries | Summaries of community discussions may miss context or nuance |
| Answers in Viva | AI-sourced answers from organizational knowledge; accuracy and authority concerns |
| Leadership Communications | AI-assisted executive messaging; authenticity and attribution |
| Engage-to-Teams Integration | Engage community discussions surfacing in Teams channels extend compliance perimeter to Teams policies |
For regulated firms, Viva Engage discussions that involve substantive business content (market commentary, product recommendations, client discussions) may constitute business communications subject to recordkeeping and supervisory review requirements.
Engage-to-Teams Integration and Compliance Perimeter
Microsoft has deepened the integration between Viva Engage and Teams, allowing Engage community discussions to surface directly in Teams channels. When Copilot assists in Engage conversations that surface in Teams, the content becomes subject to Teams retention and compliance policies in addition to any Engage/Yammer-specific policies.
This integration has a significant governance implication: Engage conversations about business topics that surface in Teams are captured by Teams retention policies and Communication Compliance policies. The result is a broader compliance perimeter for Copilot-assisted Engage content — content that previously may have been captured only under Yammer/Engage policies is now also governed by the firm's Teams compliance infrastructure.
For FSI firms: if Engage communities include discussions of market views, investment strategies, or client matters, the Engage-to-Teams integration means those conversations are automatically covered by the firm's Teams compliance infrastructure. This is a net positive for recordkeeping compliance — the same retention schedules and supervisory review workflows that apply to Teams communications will capture Engage content that surfaces in Teams channels, reducing the risk of recordkeeping gaps across communication platforms.
Viva Learning Copilot Governance
Copilot in Viva Learning provides AI-driven training recommendations:
| Feature | Governance Concern |
|---|---|
| Course Recommendations | Recommendations should align with regulatory training requirements |
| Learning Summaries | AI-generated course summaries should not substitute for actual completion |
| Skills Mapping | AI-derived skills assessments should not be sole input for employment decisions |
| Compliance Training Tracking | FINRA CE/FE tracking must use authoritative systems, not Copilot summaries |
Viva Pulse Copilot Governance
Copilot in Viva Pulse assists with employee feedback collection:
| Feature | Governance Concern |
|---|---|
| Survey Generation | AI-generated survey questions should be reviewed for bias and appropriateness |
| Response Analysis | Aggregation minimums must be enforced to protect individual anonymity |
| Trend Identification | AI-identified trends should be validated before management action |
| Confidentiality | Employee feedback must remain confidential per organizational commitments |
Viva Goals Copilot Governance
Copilot in Viva Goals assists with OKR tracking:
| Feature | Governance Concern |
|---|---|
| Goal Suggestions | AI-suggested goals should align with regulatory obligations |
| Progress Summaries | AI-generated progress reports should be verified for accuracy |
| Alignment Mapping | Cross-team goal alignment should respect information barriers |
Copilot Surface Coverage
| Surface | Coverage | Notes |
|---|---|---|
| Viva Insights - Personal | Full | Individual-only; privacy by design |
| Viva Insights - Manager | Full | Aggregation minimums enforced |
| Viva Insights - Leader | Full | Organization-level only |
| Viva Insights - Copilot Chat Analytics | Full | Aggregated Copilot Chat usage by department; individual queries never visible |
| Viva Engage - Communities | Full | Post creation, summaries, answers |
| Viva Engage - Teams Integration | Full | Engage content surfacing in Teams subject to Teams retention and Communication Compliance |
| Viva Learning - Recommendations | Full | Course suggestions and summaries |
| Viva Pulse - Surveys | Full | Survey creation and analysis |
| Viva Goals - OKRs | Full | Goal tracking and progress reporting |
Governance Levels
Administration Limitation
All Viva Copilot feature toggles are portal-only — no PowerShell cmdlets are available for any Viva app Copilot feature controls. All configuration is performed through M365 Admin Center > Viva > [app name].
Baseline
- Configure Viva Insights minimum aggregation group size — default is 10; FSI recommended minimum is 10–25 for regulated departments. Differential privacy is applied to aggregated analytics. Portal: M365 Admin Center > Viva > Viva Insights > Settings
- Document which Viva suite features have Copilot enabled and for which user groups — per-app Copilot capabilities:

| Viva App | Copilot Features | Portal Path | UAL AppHost |
|---|---|---|---|
| Insights | Copilot Dashboard, meeting effectiveness, productivity recommendations | M365 Admin Center > Viva > Viva Insights | — |
| Engage | Post drafting, thread summarization, community Q&A | M365 Admin Center > Viva > Viva Engage | VivaEngage |
| Learning | AI-recommended learning paths, natural language search (no generative content) | M365 Admin Center > Viva > Viva Learning | — |
| Goals | OKR drafting assistance, progress summarization | M365 Admin Center > Viva > Viva Goals | VivaGoals |
| Pulse | Survey question generation, response theme summarization | M365 Admin Center > Viva > Viva Pulse | VivaPulse |

- Establish employee notification and opt-out procedures for Viva Insights — personal insights are private to the individual by default; manager/leader insights use aggregated data only
- Enable Copilot Chat usage reporting in Viva Insights to establish baseline adoption visibility — Dashboard: `insights.viva.cloud.microsoft` > Copilot Dashboard; Graph API: `GET /reports/microsoft365CopilotUsageSummary(period='D30')`
- Verify that Viva Engage retention policies align with communication recordkeeping requirements — Viva Engage Copilot interactions log under `AppHost=VivaEngage` in the UAL; Communication Compliance policies must reference "Viva Engage" as the location (not legacy "Yammer")
- Confirm that Viva Learning Copilot recommendations do not replace authoritative compliance training systems — Viva Learning provides AI learning paths but no generative content creation
- Restrict manager access to Viva Insights organizational data based on reporting hierarchy; configure executive exclusions via M365 Admin Center > Viva > Viva Insights
- Verify Engage-to-Teams integration status and confirm Teams retention policies extend to surfaced Engage content
Recommended
- Exclude sensitive departments (legal, compliance, HR, internal audit) from Viva Insights organizational analytics — configure tenant admin exclusions to remove specific users (e.g., executives) from Insights analysis
- Configure department-level Copilot Chat analytics dashboards in Viva Insights to monitor adoption and usage trends by business unit — Dashboard: `insights.viva.cloud.microsoft` > Copilot Dashboard
- Configure information barriers for Viva Engage communities that discuss regulated topics
- Implement content moderation for Viva Engage communities where AI-generated content is enabled
- Establish guidelines for when Copilot-generated content in Viva Engage constitutes a business communication — Engage content is subject to Communication Compliance policies that include the "Viva Engage" location
- Confirm Communication Compliance policies cover Engage content that surfaces in Teams channels via the Engage-to-Teams integration
- Review and approve AI-generated Viva Pulse survey questions before distribution — Portal: M365 Admin Center > Viva > Viva Pulse (`AppHost=VivaPulse`)
- Integrate Viva Learning completion data with the firm's regulatory training tracking system
Regulated
- Include Viva Engage content in communication surveillance scope for communities discussing regulated topics — verify Communication Compliance policies reference "Viva Engage" location
- Integrate Copilot Chat usage data from Viva Insights with compliance monitoring workflows, including alerts for unusual patterns such as elevated off-hours activity or query clustering around sensitive topics — use Graph API `GET /reports/microsoft365CopilotUsageSummary(period='D30')` for programmatic monitoring
- Implement data access agreements for any use of Viva Insights advanced analytics — requires Viva Insights Analyst role and data access agreements
- Conduct annual privacy impact assessment for Viva suite AI features, including Copilot Chat usage analytics — verify differential privacy settings and minimum group size thresholds (recommended 10–25 for FSI)
- Require compliance review of Viva Goals objectives that reference regulatory programs — OKR drafting uses Copilot (`AppHost=VivaGoals`)
- Establish employee data protection committee oversight of Viva Insights configuration including Copilot Chat analytics scope
- Document and restrict which HR attributes are available in Viva Insights organizational analytics
- Maintain audit log of all administrative changes to Viva suite Copilot settings — note: all Viva Copilot toggles are portal-only; document changes manually or via screenshot evidence
Setup & Configuration
Step 1: Configure Viva Insights Privacy Settings
Navigate to Viva Insights Admin Settings (via M365 Admin Center or Viva Insights Admin Portal):
- Set minimum aggregation group size:
  - Default: 10
  - Recommended for FSI: 25
  - For highly sensitive departments: consider exclusion entirely
- Configure opt-out settings:
  - Enable employee opt-out for personal insights
  - Document the opt-out process and communicate to employees
- Define data exclusions:
  - Exclude executive leadership from organizational analytics (to protect sensitive calendar data)
  - Exclude legal, compliance, and internal audit teams
- Set HR attribute availability:
  - Limit to department, location, and level
  - Exclude compensation, performance rating, and personal demographic data
Step 1b: Configure Copilot Chat Analytics in Viva Insights
Navigate to Viva Insights Admin Settings > Advanced Insights > Copilot analytics:
- Enable Copilot Chat usage reporting (requires Viva Insights P2 license or Viva Suite):
  - Toggle Copilot Chat usage reporting to On
  - Confirm minimum aggregation group size applies to Copilot Chat data (inherits from Step 1 configuration)
- Configure analytics scope:
  - Select which organizational attributes to include in Copilot Chat dashboards (recommend: department and role level only)
  - Confirm that individual-level Copilot Chat data is not exposed to analyst queries
- Set up department-level dashboards (Recommended tier):
  - Create analyst assignments for business unit leaders to view their department's Copilot Chat analytics
  - Configure refresh frequency (typically weekly)
- Configure compliance monitoring triggers (Regulated tier):
  - Establish baseline usage patterns and set anomaly detection parameters
  - Define alert thresholds for unusual Copilot Chat activity patterns (e.g., off-hours spikes exceeding 2x baseline)
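The aggregation minimum from Step 1 and the off-hours spike rule from Step 1b, worked through as an added example (not Microsoft code, and not a model of any Viva Insights export format): it consumes already-aggregated hourly interaction counts per department, reports only departments whose headcount meets the minimum group size, and flags a department when its current-week off-hours share exceeds twice its baseline. The record shape, the 07:00-20:00 business-hours window, the 20-event floor that stops tiny counts producing huge ratios, and the sample headcounts and counts are all constructed assumptions. The same logic serves the Regulated-tier bullet on alerting for elevated off-hours activity.

```python
"""Privacy-preserving aggregation and off-hours spike check for Copilot Chat usage.

Added example. Inputs are already aggregated counts (no user identifiers), matching
the page's rule that individual queries are never visible. Record shape, hour
window and thresholds below are assumptions, not Viva Insights settings."""
from __future__ import annotations

from dataclasses import dataclass

MIN_GROUP_SIZE = 25          # FSI-recommended aggregation minimum from this control
BUSINESS_HOURS = range(7, 20)  # local hours treated as business hours (assumption)
SPIKE_MULTIPLIER = 2.0       # Step 1b: flag off-hours share above 2x baseline
MIN_OFF_HOURS_EVENTS = 20    # floor so a handful of events cannot trigger an alert (assumption)


@dataclass(frozen=True)
class UsageRecord:
    """One aggregated bucket: interaction count for a department, week and hour of day."""
    department: str
    week: int
    hour: int
    interactions: int


@dataclass(frozen=True)
class SpikeResult:
    baseline_share: float
    current_share: float
    current_off_hours: int
    flagged: bool


def reportable_groups(headcounts: dict[str, int], min_size: int = MIN_GROUP_SIZE) -> tuple[set[str], set[str]]:
    """Split departments into those meeting the aggregation minimum and those suppressed.
    Suppressed groups are dropped outright: folding them into an 'Other' bucket that is
    itself below min_size would still single out small teams."""
    ok = {dept for dept, n in headcounts.items() if n >= min_size}
    return ok, set(headcounts) - ok


def _split_counts(records: list[UsageRecord], department: str, weeks: set[int]) -> tuple[int, int]:
    """Return (off_hours, business_hours) interaction totals for one department and week set."""
    off = business = 0
    for r in records:
        if r.department != department or r.week not in weeks:
            continue
        if r.hour in BUSINESS_HOURS:
            business += r.interactions
        else:
            off += r.interactions
    return off, business


def off_hours_share(records: list[UsageRecord], department: str, weeks: set[int]) -> float:
    """Fraction of a department's interactions that fall outside business hours (0.0 if none)."""
    off, business = _split_counts(records, department, weeks)
    total = off + business
    return off / total if total else 0.0


def flag_off_hours_spikes(records: list[UsageRecord], headcounts: dict[str, int],
                          baseline_weeks, current_week: int) -> dict[str, SpikeResult]:
    """Compare each reportable department's current off-hours share against its baseline.
    A zero baseline is handled without division: any current share is 'greater than 2x 0',
    so the event floor is what keeps such departments from alerting on noise."""
    reportable, _ = reportable_groups(headcounts)
    results: dict[str, SpikeResult] = {}
    for dept in sorted(reportable):
        base = off_hours_share(records, dept, set(baseline_weeks))
        cur = off_hours_share(records, dept, {current_week})
        cur_off, _ = _split_counts(records, dept, {current_week})
        flagged = cur_off >= MIN_OFF_HOURS_EVENTS and cur > SPIKE_MULTIPLIER * base
        results[dept] = SpikeResult(base, cur, cur_off, flagged)
    return results


def _make_week(dept: str, week: int, business_rate: int, off_rate: int) -> list[UsageRecord]:
    """Constructed data helper: a flat hourly profile for one department-week."""
    return [UsageRecord(dept, week, h, business_rate if h in BUSINESS_HOURS else off_rate)
            for h in range(24)]


# Constructed sample: weeks 1-4 are baseline, week 5 is the current week.
SAMPLE_HEADCOUNTS = {"Trading": 40, "Research": 30, "Operations": 60, "Compliance": 8, "Legal": 12}
SAMPLE_RECORDS = (
    [r for w in range(1, 5) for r in _make_week("Trading", w, 50, 2)] + _make_week("Trading", 5, 50, 6)
    + [r for w in range(1, 6) for r in _make_week("Research", w, 30, 3)]
    + [r for w in range(1, 5) for r in _make_week("Operations", w, 80, 0)] + _make_week("Operations", 5, 80, 1)
    + [r for w in range(1, 6) for r in _make_week("Compliance", w, 10, 1)]
    + [r for w in range(1, 6) for r in _make_week("Legal", w, 10, 1)]
)

if __name__ == "__main__":
    _, suppressed = reportable_groups(SAMPLE_HEADCOUNTS)
    print("suppressed (below minimum group size):", sorted(suppressed))
    for dept, res in flag_off_hours_spikes(SAMPLE_RECORDS, SAMPLE_HEADCOUNTS, range(1, 5), 5).items():
        print(f"{dept}: baseline {res.baseline_share:.3f}, current {res.current_share:.3f}, "
              f"off-hours events {res.current_off_hours}, flagged={res.flagged}")
```

In the constructed data Trading's off-hours share roughly triples and is flagged; Research is unchanged; Operations goes from zero to a few off-hours events and stays under the event floor; Compliance and Legal never appear in the output because their headcount is below the minimum group size, which is the behaviour an analyst should expect from the Step 1 configuration.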
Step 2: Configure Viva Engage Governance
- Community Classification: Apply sensitivity labels to Viva Engage communities that discuss regulated topics
- Copilot Controls: Determine which communities allow Copilot-assisted posting
- Retention: Configure retention policies for Viva Engage content:
  - Navigate to Microsoft Purview > Data Lifecycle Management
  - Create retention policy for Yammer/Viva Engage messages
  - Set retention period per recordkeeping requirements
- Engage-to-Teams Integration: Verify and configure the compliance perimeter for Engage content that surfaces in Teams:
  - Confirm Viva Engage communities are connected to Teams channels via the Engage-to-Teams integration
  - In Microsoft Purview > Communication Compliance, verify policies include both Yammer/Viva Engage and Teams locations to capture content regardless of where it appears
  - In Microsoft Purview > Data Lifecycle Management, verify Teams retention policies have a scope that covers Teams channels receiving Engage content
- Moderation: Assign moderators to communities where AI-generated content is permitted
Step 3: Configure Viva Learning Integration
- Verify that the firm's compliance training platform is the system of record for regulatory training
- Configure Viva Learning to surface compliance training recommendations but not replace mandatory assignment workflows
- Document that Copilot-generated learning summaries do not constitute proof of training completion
- For FINRA firms: confirm that continuing education (CE) and firm element (FE) training completions are tracked through the firm's official CE/FE system, not Viva Learning
Step 4: Configure Viva Pulse Privacy
- Set minimum response thresholds for Viva Pulse surveys (recommend minimum 10 responses)
- Configure anonymity settings to prevent identification of individual respondents
- Establish review process for AI-generated survey questions before distribution
- Document data retention for Viva Pulse responses
Financial Sector Considerations
Copilot Chat Analytics and Regulatory Monitoring: The FFIEC IT Examination Handbook (Management Booklet, Section II.C) expects institutions to monitor technology usage patterns as part of IT risk management. Viva Insights Copilot Chat analytics directly support this expectation by providing aggregated, privacy-preserving visibility into AI tool adoption across the organization. Compliance and audit teams can use Copilot Chat usage data to demonstrate AI governance effectiveness during regulatory examinations.
Employee Surveillance Boundaries: Financial regulators expect that employee monitoring is conducted for legitimate supervisory and compliance purposes. Using Viva Insights data for performance management decisions -- particularly termination or promotion -- without appropriate safeguards could expose the institution to employment law claims. Establish clear policies on how Viva Insights data can and cannot be used. This applies equally to Copilot Chat usage analytics — the data may show which employees use AI tools heavily, but individual usage data must not be used for performance evaluation purposes.
Registered Representative Considerations: FINRA-registered individuals have specific continuing education requirements. While Viva Learning can supplement training discovery, it should not replace the firm's CRD-integrated training management system. Training completions tracked only in Viva Learning may not satisfy regulatory requirements.
Whistleblower Protections: Viva Pulse surveys and Viva Engage discussions may surface employee concerns about compliance violations, unethical conduct, or regulatory issues. These communications may be protected under whistleblower statutes (Dodd-Frank, SOX). The firm should avoid using Copilot analytics on feedback channels in ways that could identify or retaliate against whistleblowers.
Labor Law Considerations: Some jurisdictions have enacted employee monitoring notification laws. If the firm uses Viva Insights organizational analytics, employees may need to be notified about the nature and scope of productivity monitoring. Consult employment counsel regarding notification obligations.
Manager Insights Limits: Copilot-generated manager insights about team productivity should not be the sole basis for performance evaluations. Financial regulators have expressed concern about AI-driven employment decisions that lack human oversight and transparency.
Verification Criteria
| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Review Viva Insights aggregation minimum settings | Minimum set to 25 or higher for regulated departments |
| 2 | Verify employee opt-out process is documented and communicated | Opt-out instructions published and accessible |
| 3 | Confirm excluded groups in Viva Insights admin settings | Legal, compliance, HR, internal audit excluded from org analytics |
| 4 | Confirm Copilot Chat usage reporting is active in Viva Insights | Copilot Chat adoption and usage metrics visible at department level |
| 5 | Review Viva Engage retention policies | Retention policies applied to Viva Engage content |
| 6 | Verify Engage-to-Teams integration compliance coverage | Teams Communication Compliance policies confirmed to capture surfaced Engage content |
| 7 | Verify Viva Learning is not sole tracking system for regulatory training | Official CE/FE systems remain system of record |
| 8 | Confirm Viva Pulse anonymity settings | Minimum response threshold enforced; anonymity maintained |
| 9 | Review HR attribute configuration in Viva Insights | Only approved attributes available for analysis |
| 10 | Confirm annual privacy impact assessment (Regulated) | Assessment completed within past 12 months |
Additional Resources
- Microsoft Viva Insights - Privacy and Data Protection
- Viva Insights Admin Settings
- Microsoft Viva Engage Overview
- Microsoft Viva Learning
- Microsoft Viva Pulse
- EEOC Guidance on AI in Employment
Related Controls: 4.5 Usage Analytics, 4.6 Viva Insights Measurement, 4.1 Admin Settings and Feature Management, 3.10 SEC Reg S-P Privacy
FSI Copilot Governance Framework v1.2.1 - March 2026