Control 4.5: Copilot Usage Analytics and Adoption Reporting
Control ID: 4.5 Pillar: Operations & Monitoring Regulatory Reference: SOX Section 404 (Control Effectiveness Monitoring), FFIEC IT Examination Handbook, GLBA 501(b) Last Verified: 2026-03-22 Governance Levels: Baseline / Recommended / Regulated
Objective
Implement structured monitoring and reporting for Microsoft 365 Copilot adoption, usage, and related agent activity so the organization can measure control effectiveness, detect unusual usage patterns, support license and spend decisions, and provide examination-ready evidence of ongoing AI governance.
Why This Matters for FSI
Usage analytics are a governance control, not just an adoption dashboard. Financial institutions are expected to monitor whether technology controls are operating as intended and whether AI use remains aligned with approved business scope. If Copilot usage expands faster than supervisory coverage, training, or monitoring, the institution can create gaps that are difficult to explain during examinations.
Usage reporting also supports:
- SOX Section 404 evidence that monitored controls continue to operate
- FINRA supervisory adequacy reviews for channels where Copilot assists communication or research workflows
- FFIEC proportionality expectations by showing where AI usage is concentrated
- budget stewardship for per-seat and PAYG usage models
Disclaimer
This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.
Control Description
Microsoft's current Copilot Analytics model spans several connected reporting surfaces rather than a single report:
| Analytics Surface | Primary Path | Governance Value |
|---|---|---|
| Copilot overview | M365 Admin Center > Copilot > Overview | Readiness, adoption signals, recommended actions, security links |
| Copilot usage reports | M365 Admin Center > Reports > Usage > Microsoft 365 Copilot | Tenant-wide usage, active users, workload adoption, and license utilization context |
| Copilot Dashboard (Adoption) | Viva Insights > Copilot Dashboard | Organizational adoption trends and feature engagement |
| Copilot Dashboard (Impact) | Viva Insights > Copilot Dashboard | Assisted work patterns and productivity-oriented measures |
| Business Impact reporting | Viva Insights / Copilot Analytics experience | Connects adoption and impact measures to business outcomes and executive reporting |
| Agent Overview | M365 Admin Center > Agents > Overview | Active users, total sessions, exception rate, and runtime for governed agent use |
Core Analytics Dimensions
| Dimension | Example Measures | Governance Question |
|---|---|---|
| Readiness | Licenses assigned, enabled user groups, recommended actions | Is rollout aligned with the approved deployment plan? |
| Adoption | Active users, returning users, feature usage by workload | Are approved users actually using Copilot as expected? |
| Impact | Assisted time, meeting/email/document support signals | Is the organization seeing measurable benefit from the deployment? |
| Risk and supervision | Usage concentration, after-hours usage, heavy usage in regulated populations | Do monitoring and supervisory controls remain proportional to use? |
| Agent operations | Active users, sessions, exception rate, ownerless agents | Are agents governed as they scale? |
Department and Role Segmentation
Usage should be segmented in ways that matter for FSI oversight:
| Segmentation | Purpose |
|---|---|
| Department / business unit | Compare operations, finance, legal, compliance, research, and frontline usage patterns |
| Role type | Distinguish regulated functions from lower-risk internal populations |
| Geography | Support jurisdiction-specific governance or data-residency reviews |
| License or billing model | Compare full Microsoft 365 Copilot seats to PAYG usage patterns |
| Agent-enabled vs. chat-only populations | Detect where agent governance demands more oversight |
Copilot Surface Coverage
| Surface | Analytics Available | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | Full | Core adoption and workload activity metrics |
| Teams meetings and chat | Full | Usage should be reviewed alongside supervision and meeting controls |
| Outlook | Full | Useful for communication-channel adoption tracking |
| Word / Excel / PowerPoint | Full | Supports business-case and training analysis |
| Copilot Pages / Notebooks | Partial | Review with SharePoint governance and collaboration controls |
| Agents | Growing / operational | Review through Agent Overview and Registry in addition to general Copilot analytics |
Governance Levels
Baseline
- Review M365 Copilot usage reports monthly
- Compare assigned licenses to active usage
- Document which administrators and analysts can access usage data
- Produce a quarterly summary for the governance committee
- Include agent metrics if the tenant has agents enabled
Recommended
- Segment usage by department, risk tier, and billing model
- Create anomaly thresholds for spikes, drops, and concentrated usage
- Correlate communication-channel adoption with supervisory capacity
- Combine native Microsoft reports with a governance dashboard for leadership
- Include agent adoption and exception metrics in the same reporting cycle
Regulated
- Include Copilot usage analytics in examination and SOX evidence packages where relevant
- Present quarterly AI usage reporting to a board, technology, or risk committee
- Archive governance reports according to the firm's evidence-retention standards
- Document methodology, data sources, and material assumptions for auditor review
- Track exceptions, overrides, or special-population enablement separately
Setup & Configuration
Step 1: Enable and Review Native Reports
- Open M365 Admin Center > Copilot > Overview.
- Open Reports > Usage > Microsoft 365 Copilot.
- Confirm the organization can view recent usage, adoption, and license-related signals.
Step 2: Assign Reporting Access
Define who can access which reporting surfaces:
| Surface | Typical Role |
|---|---|
| Copilot overview and usage reports | AI Administrator, Reports Reader, Global Reader (read-only scenarios) |
| Viva Insights Copilot Dashboard | Viva Insights Analyst or approved analytics role |
| Agent Overview | AI Administrator, Global Reader (read-only review) |
Step 3: Establish Reporting Cadence
| Report | Frequency | Audience |
|---|---|---|
| Operational usage summary | Monthly | IT Operations / Copilot program team |
| Department adoption report | Monthly | Business owners and governance leads |
| Supervisory capacity comparison | Quarterly | Compliance / supervisory leadership |
| Executive AI usage summary | Quarterly | Technology or risk committee |
Step 4: Configure Anomaly Thresholds
Define review triggers such as:
- sudden department-level usage spikes
- unexpected after-hours usage in high-risk teams
- high license assignment with low activation
- agent session growth without corresponding governance review
Step 5: Build the Governance Dashboard
Use native reports as the foundation and add curated dashboards or exports where needed. The Microsoft Open-Source Copilot Analytics Tools playbook can support readiness, usage, impact, and audit reporting if your team needs more tailored views.
Financial Sector Considerations
Supervisory adequacy: If Copilot usage in regulated communication channels grows materially, the institution should evaluate whether communication review and audit sampling remain proportional.
Spend accountability: Usage analytics should inform both seat-license optimization and PAYG billing policy reviews. A governance program that measures usage but ignores cost ownership is incomplete.
Examination readiness: Regulators increasingly ask how AI tools are used in practice, not just which policies exist. Trend reporting and decision logs help show that governance is active.
Agent sprawl visibility: Agents should not be reported separately from the rest of the Copilot governance story. Agent adoption, exception rates, and ownerless agents should be visible alongside core Copilot metrics.
Verification Criteria
| # | Verification Step | Expected Result |
|---|---|---|
| 1 | Access Copilot usage reports | Reports are accessible and populated |
| 2 | Review latest monthly usage summary | Summary exists and is current |
| 3 | Verify report access roles | Only designated personnel have access |
| 4 | Confirm segmentation is available or documented | Department/risk-based reporting exists |
| 5 | Review anomaly thresholds | Thresholds are defined and used |
| 6 | Confirm governance committee reporting | Periodic reporting is delivered to the intended audience |
| 7 | Review agent metrics if agents are enabled | Agent Overview data is incorporated into operational reporting |
| 8 | Confirm archival of reports | Governance reports are retained per policy |
Additional Resources
- Microsoft 365 activity reports
- Microsoft 365 Copilot usage report
- Microsoft 365 Usage Analytics
- Microsoft Adoption Score
- Agent 365 Overview in the Microsoft 365 admin center
- Microsoft Open-Source Copilot Analytics Tools - Companion repositories from Analytics Hub for readiness, usage, impact, and audit reporting
- SOX Section 404 - Internal Control Assessment
- FFIEC IT Examination Handbook - Audit
- Related Controls: 4.6 Viva Insights Measurement, 4.8 Cost Allocation, 3.1 Audit Logging, 4.4 Viva Suite Governance, 4.13 Extensibility Governance
FSI Copilot Governance Framework v1.2.1 - March 2026