Microsoft's positioning of Copilot has been consistent and honest: Copilot respects the access controls you already have in place. What Microsoft does not say, because it cannot, is that almost no UK organisation has the access controls it thinks it has.
The Copilot readiness conversation is, in practice, a data discovery and permissions remediation conversation wearing an AI hat. The firms that go through this process discover things they did not know about their own SharePoint and OneDrive, and after a fortnight of cleanup end up with a markedly more defensible tenant. The firms that skip the conversation tend to make the same discoveries after the pilot opens, one prompt at a time.
The Copilot-specific risk profile
Three patterns drive Copilot risk:
Over-permissive SharePoint sites. Sites created years ago for one purpose, then opened up to "Everyone except external users" because someone needed a file urgently and it was easier to share the site than to share the file. The site now contains documents nobody remembers, readable by people nobody intended, and Copilot will draw on all of them whenever any of those people asks a question they happen to answer.
OneDrive sprawl. Personal OneDrives that have accumulated documents shared internally for collaboration. Each share grants access. The shares are never revoked. Years later, a Copilot prompt about "our pricing strategy" surfaces a 2022 commercial draft that was shared through a "people in your organisation" link so one reviewer could read it; the reviewer left in 2023, the link is still live, and any current user who asks the right question can now read the draft.
Teams chat history. Years of internal messages, often containing commercially sensitive context, now surfaced by Copilot to every member of those chats and channels, including people added long after the messages were written. Chat history is regularly the most surprising surface in a Copilot pre-rollout assessment.
In each case, the issue is not Copilot. The issue is that Copilot makes pre-existing permission sprawl visible — visible to the user, visible to the auditor, visible to the regulator.
The pre-rollout checklist Microsoft doesn't put in the deck
Microsoft's Copilot adoption playbooks are competent, but they understandably focus on adoption. They are less explicit on what should happen before adoption begins:
- Audit existing SharePoint site sharing: which sites are open to "Everyone" or "Everyone except external users", and is that intentional?
- Audit OneDrive sharing: which documents are shared more widely than their original purpose required, and which organisation-wide sharing links are still live?
- Apply sensitivity labels at scale across Tier 2 and Tier 3 content.
- Configure Copilot's content boundaries against the sensitivity-labelled corpus.
- Define the pilot cohort and the data they will be allowed to access.
- Configure DLP policies that operate on Copilot interactions, not just classic file movement.
- Enable comprehensive audit logging — and confirm retention meets your audit cadence.
- Train the pilot cohort on the policy you have just put in place.
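As an added example (not code from the original page, and not Microsoft's), the first, third and seventh items on that list can be swept from the SharePoint Online Management Shell and Exchange Online PowerShell before the pilot opens. The tenant name, report path and seven-day audit window are assumptions; the two login-name strings are the well-known claims of the "Everyone" and "Everyone except external users" principals, and the `CopilotInteraction` record type is the name under which Copilot activity is logged at the time of writing (treat it as an assumption if your tenant shows a different name).

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement
<#
  Added example, not code from the original page or from Microsoft.
  Pre-rollout sweep for three checklist items:
    1. sites whose groups contain an organisation-wide principal,
    2. sites that carry no sensitivity label,
    3. whether unified audit ingestion is on and Copilot events are arriving.
  Assumptions: tenant name 'contoso', report path, 7-day audit window.
#>
param(
    [string]$Tenant    = 'contoso',                 # assumed tenant name
    [string]$Report    = '.\copilot-preflight.csv', # assumed output path
    [int]   $AuditDays = 7
)

# Well-known login names of the organisation-wide SharePoint principals.
$EveryoneClaim     = 'c:0(.s|true'                             # "Everyone" (guests included)
$EveryoneExtPrefix = 'c:0-.f|rolemanager|spo-grid-all-users/'  # "Everyone except external users"

function Test-OrgWidePrincipal {
    param([string]$LoginName)
    ($LoginName -eq $EveryoneClaim) -or $LoginName.StartsWith($EveryoneExtPrefix)
}

Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

# Get-SPOSite -Limit All returns a trimmed object, so each site is re-read by
# identity to populate SensitivityLabel. Personal (OneDrive) sites are excluded
# by default; add -IncludePersonalSite $true to sweep them as well.
$findings = foreach ($summary in Get-SPOSite -Limit All) {
    $site = Get-SPOSite -Identity $summary.Url

    # Site groups (Owners/Members/Visitors and custom) that contain an org-wide
    # principal, with the permission level each group carries.
    $openGroups = @(foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        $wide = @($group.Users | Where-Object { Test-OrgWidePrincipal $_ })
        if ($wide.Count -gt 0) { '{0} [{1}]' -f $group.Title, ($group.Roles -join ',') }
    })

    [pscustomobject]@{
        Url               = $site.Url
        Title             = $site.Title
        OpenToOrg         = ($openGroups.Count -gt 0)
        OpenGroups        = ($openGroups -join '; ')
        SensitivityLabel  = $site.SensitivityLabel        # label GUID; empty when unlabelled
        SharingCapability = $site.SharingCapability
        LastModified      = $site.LastContentModifiedDate
    }
}

$findings | Export-Csv -Path $Report -NoTypeInformation

# Triage: readable by every user and carrying no label goes first in the queue,
# oldest content first, because that is where the forgotten documents live.
$findings |
    Where-Object { $_.OpenToOrg -and [string]::IsNullOrEmpty($_.SensitivityLabel) } |
    Sort-Object LastModified |
    Format-Table Url, OpenGroups, LastModified -AutoSize

# Audit logging: confirm ingestion is enabled, then (once the pilot is live)
# confirm Copilot interactions are actually landing in the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false
$auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$copilotEvents = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$AuditDays) `
    -EndDate (Get-Date) -RecordType CopilotInteraction -ResultSize 5000)
"Unified audit ingestion enabled: $auditOn; Copilot interactions in last $AuditDays days: $($copilotEvents.Count)"
```

The CSV is the starting point for the remediation list, not the end of it: a site can be open to the organisation through an item-level sharing link rather than a site group, which this sweep does not see, and a labelled site is only as protected as the label's configured behaviour. While a flagged site is being cleaned up, tenants that have Restricted Content Discovery can keep it out of Copilot's reach with `Set-SPOSite -Identity <url> -RestrictContentOrgWideSearch $true` (stated as an assumption about that feature's availability on your tenant), which is a stopgap rather than a substitute for fixing the permissions.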
None of these is esoteric. All of them are skipped in at least one rollout in five.
What "Copilot data discovery" looks like
A typical Copilot data discovery engagement runs four to six weeks for a mid-sized organisation. The output: a map of every site, library, drive, and channel that Copilot will be able to read, classified by sensitivity, with remediation actions for the over-shared corpus and a configured DLP policy preventing the worst leaks.
Most organisations expect to remediate around 5% of their corpus. Most actually remediate 15–25%. The gap is the unknown unknowns surfaced by the assessment itself.
How the scorecard fits
The Arx Certa AI Readiness Scorecard covers Copilot readiness inside its broader five-dimension model. For a Copilot-specific pre-rollout review, the most relevant dimensions are Security (the SharePoint and OneDrive permissions baseline), Data (sensitivity classification and DLP), and Governance (the policy framework that makes Copilot usage defensible).
A scorecard band of "Operational" or higher generally indicates a Copilot rollout that will not surface surprises. A band below that indicates pre-rollout work needs to happen before the pilot opens up.
What "ready" looks like for Copilot
A Copilot-ready tenant has four properties:
- Sensitivity labelling is real and applied at scale, not aspirational.
- Site, library, and OneDrive sharing reflects current organisational intent, not historical accident.
- DLP policies operate on AI-mediated content, not just classic flows.
- Audit logging covers Copilot interactions with the same retention and accessibility as other tenant audit data.
Most organisations get to those properties through a sequenced six-to-twelve-week programme. The scorecard tells you where to start.
Test your Copilot readiness in 4 minutes
Twelve questions weighted toward the security, data, and governance dimensions that determine whether your Copilot rollout will surface surprises. The personalised report covers the SharePoint and OneDrive cleanup most tenants need first.
Get your AI readiness score →