Microsoft's positioning of Copilot has been consistent and honest: Copilot respects the access controls you already have in place. What Microsoft does not say, because it cannot, is that almost no UK organisation has the access controls they think they have.
The Copilot readiness conversation is, in practice, a data discovery and permissions remediation conversation wearing an AI hat. The firms that go through this process discover things they did not know about their own SharePoint and OneDrive — and after a fortnight of cleanup, end up with a markedly more defensible tenant. The firms that skip the conversation often find out the hard way.
The Copilot-specific risk profile
Three patterns drive Copilot risk:
Over-permissive SharePoint sites. Sites created years ago for one purpose, then opened up to "everyone" because someone needed a file urgently and it was easier to share the site than to share the file. The site now contains documents nobody remembers, accessible to people nobody intends.
OneDrive sprawl. Personal OneDrives that have accumulated documents shared internally for collaboration. Each share grants access, and the shares are never revoked. Years later, a Copilot prompt asks about "our pricing strategy" and surfaces a 2022 commercial draft that was shared with a colleague who has long since moved to another team, and who can now retrieve it without ever opening OneDrive.
Teams chat history. Years of internal messages, often containing commercially sensitive context, now searchable by Copilot for every participant in those chats and every member of those channels. Chat history is regularly the most surprising surface in a Copilot pre-rollout assessment.
In each case, the issue is not Copilot. The issue is that Copilot makes pre-existing permission sprawl visible — visible to the user, visible to the auditor, visible to the regulator.
The pre-rollout checklist Microsoft doesn't put in the deck
Microsoft's Copilot adoption playbooks are competent, but they understandably focus on adoption. They are less explicit on what should happen before adoption begins:
- Audit existing SharePoint site sharing — which sites are open to "everyone in the organisation", and is that intentional?
- Audit OneDrive sharing — which documents are shared more widely than their original purpose required?
- Apply sensitivity labels at scale across Tier 2 and Tier 3 content.
- Configure Copilot's content boundaries against the sensitivity-labelled corpus: for example, labels that apply encryption without granting the EXTRACT usage right keep that content out of Copilot responses, and Restricted SharePoint Search can hold back unreviewed sites while cleanup is still in progress.
- Define the pilot cohort and the data they will be allowed to access.
- Configure DLP policies that operate on Copilot interactions, not just classic file movement.
- Enable comprehensive audit logging — and confirm retention meets your audit cadence.
- Train the pilot cohort on the policy you have just put in place.
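The first two checklist items can be scripted rather than eyeballed in the admin centre. The PowerShell below is an added example written for this page, not Microsoft's or Arx Certa's tooling; it assumes the SharePoint Online Management Shell, an account holding the SharePoint Administrator role, and a hypothetical tenant named contoso (change $AdminUrl). It walks every SharePoint site and every OneDrive and reports any site group or direct grant that contains the tenant-wide "Everyone" or "Everyone except external users" principals, which is exactly the "opened up to everyone" pattern described above, and which is what Copilot will quietly honour.

```powershell
# Added example for this page (not Microsoft's or Arx Certa's tooling).
# Assumes: SharePoint Online Management Shell installed, a SharePoint
# Administrator account, and a tenant named "contoso" (hypothetical).
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

param(
    [string]$AdminUrl   = 'https://contoso-admin.sharepoint.com',
    [string]$ReportPath = '.\tenant-wide-grants.csv'
)

Connect-SPOService -Url $AdminUrl

# Claim prefixes SharePoint uses for its two tenant-wide principals.
# Matching on the prefix avoids hard-coding the tenant ID that follows it.
$Claims = @{
    'c:0(.s|true'        = 'Everyone'                        # includes guests where external sharing allows it
    'spo-grid-all-users' = 'Everyone except external users'  # every licensed internal account
}

function Get-TenantWideGrant {
    param([Parameter(Mandatory)] $Site)

    # Grants made through site groups (Owners/Members/Visitors and any custom groups)
    foreach ($g in (Get-SPOSiteGroup -Site $Site.Url)) {
        foreach ($login in $g.Users) {
            foreach ($claim in $Claims.Keys) {
                if ($login -like "*$claim*") {
                    [pscustomobject]@{
                        SiteUrl           = $Site.Url
                        IsOneDrive        = ($Site.Template -like 'SPSPERS*')
                        Grant             = $Claims[$claim]
                        Via               = "group: $($g.Title)"
                        Roles             = ($g.Roles -join ';')
                        SharingCapability = $Site.SharingCapability
                        LastContentChange = $Site.LastContentModifiedDate
                    }
                }
            }
        }
    }

    # Tenant-wide principals that sit in the site's user list with no group membership:
    # candidate direct grants, to be confirmed on the site permissions page.
    foreach ($u in (Get-SPOUser -Site $Site.Url -Limit All)) {
        foreach ($claim in $Claims.Keys) {
            if ($u.LoginName -like "*$claim*" -and -not $u.Groups) {
                [pscustomobject]@{
                    SiteUrl           = $Site.Url
                    IsOneDrive        = ($Site.Template -like 'SPSPERS*')
                    Grant             = $Claims[$claim]
                    Via               = 'direct'
                    Roles             = ''
                    SharingCapability = $Site.SharingCapability
                    LastContentChange = $Site.LastContentModifiedDate
                }
            }
        }
    }
}

# -Limit All is required when -IncludePersonalSite pulls OneDrive sites into the list
$sites = Get-SPOSite -Limit All -IncludePersonalSite $true

$findings = foreach ($s in $sites) {
    try   { Get-TenantWideGrant -Site $s }
    catch { Write-Warning "Skipped $($s.Url): $($_.Exception.Message)" }  # usually: not a site collection admin on that OneDrive
}

$findings | Sort-Object IsOneDrive, SiteUrl |
    Export-Csv -Path $ReportPath -NoTypeInformation

'{0} tenant-wide grant(s) across {1} site(s); report written to {2}' -f @($findings).Count, @($sites).Count, $ReportPath
```

Two caveats when reading the output. Sites that were opened up years ago tend to have an old LastContentChange and a Members or Visitors group containing "Everyone except external users"; those are the cheap wins, because nobody is actively using them. The script only sees site-level grants: "People in your organisation" sharing links on individual files and folders are not group members and do not appear here, so the OneDrive half of the audit also needs the sharing-links reports in the SharePoint admin centre (or a Graph-based crawl of item permissions) before the picture is complete.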
None of these are esoteric. Each of them is skipped in at least one rollout in five.
What "Copilot data discovery" looks like
A typical Copilot data discovery engagement runs four to six weeks for a mid-sized organisation. The output: a map of every site, library, drive, and channel that Copilot will be able to read, classified by sensitivity, with remediation actions for the over-shared corpus and a configured DLP policy preventing the worst leaks.
Most organisations expect to remediate around 5% of their corpus. Most actually remediate 15–25%. The gap is the unknown unknowns surfaced by the assessment itself.
How the scorecard fits
The Arx Certa AI Readiness Scorecard covers Copilot readiness inside its broader five-dimension model. For a Copilot-specific pre-rollout review, the most relevant dimensions are Security (the SharePoint and OneDrive permissions baseline), Data (sensitivity classification and DLP), and Governance (the policy framework that makes Copilot usage defensible).
A scorecard band of "Operational" or higher generally indicates a Copilot rollout that will not surface surprises. A band below that indicates pre-rollout work needs to happen before the pilot opens up.
What "ready" looks like for Copilot
A Copilot-ready tenant has four properties:
- Sensitivity labelling is real and applied at scale, not aspirational.
- Site, library, and OneDrive sharing reflects current organisational intent, not historical accident.
- DLP policies operate on AI-mediated content, not just classic flows.
- Audit logging covers Copilot interactions with the same retention and accessibility as other tenant audit data.
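The fourth property is checkable before the pilot opens. The PowerShell below is an added example written for this page, not Microsoft's or Arx Certa's tooling; it assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role in Exchange Online and a compliance role in Purview, a hypothetical twelve-month retention baseline for the rest of the tenant's audit data, and that the tenant is licensed for custom audit retention policies (Audit Premium). It confirms that Copilot prompts are landing in the unified audit log as CopilotInteraction records, unpacks which sites Copilot read for each prompt, and creates a matching retention policy if none covers that record type. The JSON field names used for the unpacking follow the published CopilotInteraction schema but should be treated as an assumption until checked against a real record in your tenant.

```powershell
# Added example for this page (not Microsoft's or Arx Certa's tooling).
# Assumes: ExchangeOnlineManagement module; an account with the Audit Logs role
# (Exchange Online) and a compliance role (Purview); Audit Premium licensing for
# custom retention; a 12-month retention baseline (hypothetical target).
#Requires -Modules ExchangeOnlineManagement

param(
    [int]$LookbackDays   = 7,
    [string]$ReportPath  = '.\copilot-interactions.csv'
)

Connect-ExchangeOnline   # Search-UnifiedAuditLog, Get-AdminAuditLogConfig
Connect-IPPSSession      # *-UnifiedAuditLogRetentionPolicy live on the Security & Compliance endpoint

# 0. Is unified audit logging switched on at all?
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is disabled; nothing below will return data until it is enabled.'
}

# 1. Are Copilot prompts actually being recorded? (First page only; use -SessionId to page beyond 5000.)
$end    = Get-Date
$start  = $end.AddDays(-$LookbackDays)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType CopilotInteraction -ResultSize 5000 -SessionCommand ReturnLargeSet

if (-not $events) {
    Write-Warning "No CopilotInteraction records in the last $LookbackDays days: either nobody has used Copilot yet, or the pilot cohort is not licensed."
}

# 2. Unpack each record: who prompted, from which app, and which sites Copilot read.
#    Field names follow the published CopilotInteraction schema (CopilotEventData.AppHost,
#    CopilotEventData.AccessedResources[].SiteUrl); assumption, verify against a real record.
$rows = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time          = $e.CreationDate
        User          = $e.UserIds
        App           = $data.CopilotEventData.AppHost
        SitesRead     = (($data.CopilotEventData.AccessedResources | ForEach-Object { $_.SiteUrl } | Sort-Object -Unique) -join ';')
        ResourceCount = @($data.CopilotEventData.AccessedResources).Count
    }
}
$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# Which sites appear most often in Copilot answers? Cross-check this list against the
# over-sharing report: a site that is both open to everyone and frequently read is the
# first thing to fix.
$rows | ForEach-Object { $_.SitesRead -split ';' } | Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

# 3. Does Copilot audit data get the same retention as the rest of the tenant?
#    Without an explicit policy most record types fall back to the tenant default
#    (180 days on current licensing), which is shorter than many audit cadences.
$copilotPolicy = Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.RecordTypes -contains 'CopilotInteraction' } |
    Select-Object -First 1

if (-not $copilotPolicy) {
    New-UnifiedAuditLogRetentionPolicy -Name 'Copilot interactions - 12 months' `
        -Description 'Align CopilotInteraction records with the tenant audit retention baseline' `
        -RecordTypes CopilotInteraction -RetentionDuration TwelveMonths -Priority 10
} else {
    "Existing policy '$($copilotPolicy.Name)' retains CopilotInteraction for $($copilotPolicy.RetentionDuration)"
}
```

Run step 1 against the pilot cohort in its first week: if the CSV is empty while people are demonstrably using Copilot, the logging gap is a blocker for the rollout, not a detail to tidy up later. The per-site tally in step 2 is also the quickest way to show a board which over-shared sites Copilot is actually drawing on, rather than which ones are merely open.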
Most organisations get to those properties through a sequenced six-to-twelve-week programme. The scorecard tells you where to start.
Frequently asked
What is a Microsoft Copilot readiness assessment?
A pre-rollout review of whether your Microsoft 365 tenant is in a state where deploying Copilot will land safely. The assessment covers SharePoint and OneDrive permissions, sensitivity labelling, DLP policy coverage, audit logging, and the governance policy under which Copilot operates. The Arx Certa scorecard's Copilot lens is the 4-minute free version.
Does Copilot really read everything you have access to?
Yes — Copilot respects existing access controls, which is what makes it powerful and risky in the same sentence. If a SharePoint site, OneDrive document, or Teams chat is accessible to a user, Copilot can summarise, query, and surface its contents in response to that user's prompts. The hard part of pre-rollout work is finding out what your users actually have access to today versus what you think they have.
How do I prepare SharePoint and OneDrive before Copilot rollout?
Four steps. Audit site sharing — which sites are open to "everyone in the organisation" and is that intentional. Audit OneDrive sharing — which documents are shared more widely than their original purpose required. Apply sensitivity labels at scale to Tier 2 and Tier 3 content. Configure DLP policies that operate on Copilot interactions, not just classic file movement. The readiness assessment surfaces which of these are most urgent.
What's the difference between a Copilot pilot and a Copilot rollout?
A pilot is a contained group with a defined data scope and a defined success metric, typically running 4–6 weeks. A rollout extends Copilot across the organisation. Most failed Copilot deployments are pilots that became rollouts without the data and governance work in between. The scorecard tells you whether the pilot you're planning is the right shape, or whether pre-rollout work needs to come first.
Does the Arx Certa scorecard work for Copilot-specific readiness?
The five-dimension model maps cleanly. Governance covers the AI policy under which Copilot operates. Data covers sensitivity classification and DLP. Infrastructure covers tenant configuration and conditional access. Security covers the M365 baseline applied to the Copilot surface. Use case covers what you're rolling Copilot out to do, with what success metric. A score of "Operational" or higher is typically a green light for Copilot rollout; below that, pre-rollout work needs to happen.
Related Arx Certa services
If the readiness gaps the scorecard surfaces for your business need outside help to close, these are the engagement types we run for UK firms:
- AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping for UK businesses adopting AI safely.
- Cybersecurity — the security overlay AI use requires, including UK GDPR, NCSC alignment, vendor risk assessment, and audit-readiness.
- Database — the data foundations work AI projects depend on. Most AI pilots fail because of the data underneath, not the model.
- Infrastructure — cloud, identity, network and integration foundations that need to be in place before production AI deployment.
Test your Copilot readiness in 4 minutes
Twelve questions weighted toward the security, data, and governance dimensions that determine whether your Copilot rollout will surface surprises. Personalised report covers the SharePoint and OneDrive cleanup most tenants need first.
Get your AI readiness score →