Microsoft’s Copilot has been found to access nearly three million sensitive data records per organization, according to a recent report from Concentric AI. This alarming statistic highlights the extent to which organizations may be inadvertently sharing confidential information. The study, part of the 2025 Data Risk Report, indicates that around 55% of all files shared externally are classified as sensitive.

The findings are based on aggregated data from various sectors, including technology, healthcare, government, and financial services. They reveal that a significant portion of shared data contains privileged information. On average, 57% of all organization-wide shared data included some form of confidential content. In sectors like financial services and healthcare, this figure rose to approximately 70%.

A particularly concerning trend is the lack of restrictions on critical business records. The report indicates that, on average, organizations shared two million critical records without limitations. This unrestricted sharing accounted for nearly half of all exposed data. Moreover, more than 400,000 records were shared with personal accounts, with over 60% of these containing confidential information.

Risks Associated with Copilot Interactions

The report highlights the growing risk associated with the use of Microsoft Copilot. Organizations reported an average of over 3,000 interactions with Copilot, during which sensitive business information could potentially be modified or exposed. This raises concerns about insider risks, especially as surveys indicate that 50% of employees have excessive privileged access.

The increasing integration of Generative AI (GenAI) into daily operations also exacerbates these risks. The study underscores broader data management issues, including the presence of duplicate, stale, and orphaned records. On average, organizations in the survey maintained around 10 million duplicate records and nearly seven million records older than a decade. Orphaned and inactive user data accounted for millions more.

The Need for Stronger Governance

These findings illustrate the potential vulnerabilities enterprises face in securing valuable data. According to Concentric AI, the combination of oversharing, excessive permissions, and uncontrolled GenAI use significantly heightens risk. Without stronger governance measures, organizations may struggle to protect their intellectual property, financial information, and personal data.

As businesses increasingly rely on AI technologies like Microsoft Copilot, ensuring robust data protection strategies becomes paramount. Organizations must address both their data management practices and the inherent risks associated with AI integration to safeguard sensitive information effectively.