Control 4.4: Copilot in Viva Suite Governance — Verification & Testing

Test cases and evidence collection procedures for Copilot governance across the Microsoft Viva suite.

Test Cases

Objective: Verify that Copilot Chat usage analytics are available in Viva Insights and respect privacy thresholds
Steps:
Navigate to the Viva Insights Advanced portal at insights.viva.office.com.
Access Analyst Workbench > Copilot Dashboard and verify the Copilot Chat usage metrics tab is present.
Confirm that department-level Copilot Chat adoption data is visible and shows aggregated metrics (not individual query content).
Verify that departments with fewer users than the configured minimum group size show suppressed (no data) rather than individual-level data.
Run Script 1 from the PowerShell Setup guide and confirm output matches the Viva Insights portal display.
Expected Result: Copilot Chat insights are available at department level, individual query data is not accessible, and small departments are appropriately suppressed.
Evidence: Screenshots of the Copilot Dashboard with department adoption data; Script 1 output CSV.

Objective: Verify that Viva Engage content surfacing in Teams is captured by retention and compliance policies
Steps:
Identify a Viva Engage community that is connected to a Teams channel via the Engage-to-Teams integration.
Post a test message in the Engage community using Copilot-assisted drafting.
Verify the message appears in the connected Teams channel.
In Microsoft Purview > eDiscovery, search for the test message using both Yammer and Teams location filters — confirm it appears in both locations.
Run Script 4 from the PowerShell Setup guide and confirm retention policies exist for both Yammer and Teams locations.
Expected Result: Engage content surfacing in Teams is captured by the organization's Teams retention policies and communication compliance policies.
Evidence: eDiscovery search results showing message in both locations; Script 4 retention policy validation output.

Objective: Verify that Copilot-assisted Viva Engage posts are captured by communication compliance
Steps:
Use Copilot to draft a Viva Engage post as a test user.
Publish the post to a monitored community.
Verify the post appears in the Communication compliance review queue if it matches policy conditions.
Confirm the post metadata identifies it as Copilot-assisted.
Expected Result: Copilot-assisted Engage posts are captured by communication compliance policies.
Evidence: Communication compliance review queue showing the Engage post.

Objective: Confirm that Copilot AI recommendations do not bypass mandatory compliance training
Steps:
Verify mandatory compliance training courses are configured in Viva Learning.
Use Copilot to request learning recommendations.
Confirm Copilot recommendations supplement but do not replace mandatory training.
Verify completion tracking for mandatory training is independent of AI recommendations.
Expected Result: Mandatory compliance training integrity is maintained alongside Copilot recommendations.
Evidence: Training completion reports showing mandatory courses are tracked independently.

Objective: Validate that Copilot in Viva Goals respects organizational data boundaries
Steps:
Create test goals in Viva Goals at different organizational levels.
Use Copilot to request goal suggestions and progress analysis.
Verify that Copilot only references data the user is authorized to access.
Confirm that confidential executive goals are not surfaced to unauthorized users.
Expected Result: Copilot respects organizational hierarchies and access controls in Viva Goals.
Evidence: Test results showing data boundary enforcement.

Objective: Verify that Copilot respects sensitivity labels when surfacing content in Viva Connections
Steps:
Create test news articles with different sensitivity labels.
Access Viva Connections as a user and use Copilot to search for news.
Verify that highly sensitive content is not surfaced to users without appropriate permissions.
Confirm sensitivity label visual markings appear on surfaced content.
Expected Result: Sensitivity labels are respected and content access is appropriately controlled.
Evidence: Screenshots showing sensitivity-appropriate content surfacing.

Evidence Item	Source	Format	Retention
Copilot Chat insights data availability	Viva Insights portal + Script 1	Screenshot + CSV	With control documentation
Engage-to-Teams retention coverage	Purview eDiscovery + Script 4	Screenshot + Script output	With control documentation
Engage compliance test	Communication compliance	Screenshot	With control documentation
Learning compliance report	Viva Learning	CSV	With control documentation
Goals access test results	Viva Goals	Screenshot	With control documentation
Connections sensitivity test	Viva Connections	Screenshot	With control documentation

Regulation	Requirement	How This Control Helps
FINRA 3110	Supervision of internal communications	Supports monitoring of AI-assisted Viva Engage communications, including content surfacing through Teams integration
FFIEC Management Booklet, Section II.C	IT risk monitoring — technology usage pattern oversight	Copilot Chat analytics in Viva Insights directly fulfills this monitoring expectation
SOX 404	Internal controls	Supports governance of AI tools affecting business processes
EEOC AI Guidance	Non-discriminatory use of AI analytics	Privacy-protected Copilot Chat analytics ensure individual query data is not used for employment decisions