Microsoft’s Copilot and other AI models introduce new security, privacy and compliance risks. If these models aren’t adequately secured, organizations risk being the next headline, from data breaches to violating privacy regulations. 

The risks of AI Copilots are not just theoretical — real-world incidents have already demonstrated the dangers of ungoverned AI adoption. Recently, Microsoft’s Copilot AI assistant exposed the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent, and, ironically, Microsoft. Additionally, in 2023, Microsoft AI leaked 38TB of confidential data by misconfiguring access controls on GitHub. 

These real-world incidents serve as a stark warning about the risks posed by overexposed data and inadequate governance. 

Open System vs. Closed-Loop AI Model 

Before discussing how to safely secure AI models, we need to understand what it means when talking about whether an AI model is an open system or a closed loop.  

A closed-loop AI model allows enterprises to train AI models only on their data within their Azure environment. A closed loop minimizes the risk of the AI sharing sensitive data across customers or geolocations.  

However, AI models like Copilot and ChatGPT aren’t closed-loop models and continuously learn and update their responses based on user prompts and data from the internet. While there are many benefits to open AI models, they also introduce the risks mentioned above. Organizations can ensure they are adopting AI safely if they implement a multi-layered approach to security and governance.  

A Multi-Layered Approach to Generative AI Security 

You can’t protect what you don’t know. The first step to getting your organization ready for AI is the ability to classify and tag all the data that lives in your systems, including what’s sensitive, confidential, or fit for AI consumption. Without proper classification and tagging, AI – like Microsoft Copilot –  may process and expose data that should remain confidential. Organizations must implement governance measures such as: 

• Conduct comprehensive data risk assessments across platforms like OneDrive, SharePoint and Teams 

• Label and tag sensitive, critical, or regulated data to identify data safe for AI to train on (or restricted) 

• Establish automated policies to flag or remediate policy violations before they escalate 

• Delete duplicate, redundant and obsolete data from data stores that are used to train AI 

• Lock down AI access permissions to access data that has been designated and validated as safe for AI use 

Once organizations establish visibility over their data, the next crucial step is controlling access. As witnessed from the GitHub data exposure mentioned above, even tagged and classified data can still be a risk if we don’t restrict access to the type of data fed into an AI model.  

Security leaders need to be able to track which datasets are being used to train AI models and audit AI-generated outputs for potential compliance violations. Without successfully implementing strong AI data management measures, organizations risk violating GDPR, CCPA, or other privacy regulations.  

These regulatory violations lead to fines levied against the organizations and could damage the organization’s brand and loss of consumer trust. That’s why organizations need to make sure that privacy is built into the foundation of their AI security and governance strategy to avoid inadvertently breaching regulatory obligations. 

AI Data Security and Governance in the AI Era 

The AI-driven digital transformation is here, and it requires a new mindset for security and compliance. Organizations that fail to implement strong governance measures risk exposing their most valuable asset — data. Now is the time for IT leaders to enforce AI security policies and ensure that generative AI is leveraged safely and responsibly.