Microsoft Copilot is a powerful tool to drive productivity and data analysis. It’s the shiny new object, and it’s easy to turn it on without engaging in Copilot training or consulting.
Unfortunately, we often see teams use the tool for a few weeks, then move on. This happens when an organization doesn’t fully understand what’s required to launch Copilot successfully.
Luckily, it’s easy to avoid this situation (or fix it if you’re already there). It’s all about understanding the prerequisites for launching Copilot.
Here are 10 requirements for implementing this incredible tool.
1. Build consensus among senior leadership
Launching Microsoft Copilot is not just an IT exercise. The AI tool has robust capabilities in two main areas:
- Increasing productivity by empowering your team to draft emails and documents, writing code snippets, and so on.
- Handling complex automation and data analysis.
Clearly, Copilot can drive efficiency in all parts of the organization. Implementing the tool has implications for data handling, permissions, and security in all departments. Copilot also touches on the question of company culture. How does AI best fit into your identity as an organization?
For all these reasons, it’s essential to build consensus among senior leadership before you launch Copilot. You want to have a well-defined answer when someone asks, “Why should we use AI?” That answer shouldn’t be generic. It should be articulated within the context of your unique processes, challenges, and opportunities. Getting this answer requires dialogue across the senior leadership team.
2. Review data sources that you want Copilot to access
Most organizations don’t go through a data readiness assessment before implementing Copilot. Yet this exercise is an essential prerequisite. It allows you to do several things:
- Identify your current data sources.
- Identify non-consolidated data storage procedures, such as using Microsoft SharePoint alongside Google Drive or Dropbox.
- Define your ideal state and identify the final data sources that you want Copilot to access.
- Review the data quality of those sources.
Once you have a picture of your current data landscape and where you want to go, you can start taking action to prepare for Copilot—which leads to the next requirement.
3. Consolidate, streamline, and clean up cloud data sources
If your internal data is spread out across services like SharePoint, Google Drive, and Dropbox, it’s very difficult to control it programmatically. To avoid this issue, you should use only one major cloud storage service. If you’re a Microsoft shop, you should use SharePoint and OneDrive exclusively. If you’re a Google shop, stick with Google Drive, and so on.
Of course, the source of your data isn’t the only thing to clean up. You want your data itself to be clean and properly structured. Copilot has powerful semantic search capabilities that allow it to understand context and meaning, but it can’t perform miracles. If you have bad data or structural inconsistencies, these issues will affect the quality and usefulness of Copilot’s output.
To eliminate these issues, you want to enrich and enhance your data with important context.
This matters less in things like Word documents or emails. But as you start using Copilot’s analytical capabilities in Excel and other systems, it will be very important that you have the right kinds of metadata in place to allow Copilot to make these inferences.
4. Review user permissions surrounding your data
Cleaning up and consolidating your data is a huge step. But it doesn’t cover all your Copilot requirements.
If your user permissions haven’t been implemented and maintained with care, your employees may have access to sensitive internal information that’s not related to their role. This matters less when the user doesn’t know those files exist, let alone how to access them. But it can become an issue with Copilot. The AI tool can include sensitive internal data in its output, so long as the user has permission to view that data.
For example, a team member in customer service may have access to company financial documents. No one intended to give them access—it was merely an oversight in how your users are configured. This customer service rep has never seen these financial documents and won’t go looking for them. But if the rep enters the right prompt, Copilot may show them that information because they’re technically allowed to see it.
The solution here is to audit your user permissions and make sure everyone has the appropriate access. You may be surprised at what you find—but it’s much better to catch it now, before you launch Copilot.
Once you have your permissions squared away, you can turn to one of the most critical Copilot prerequisites.
5. Implement data governance through DLP (data loss prevention)
Data landscapes have changed dramatically in the age of cloud systems. Data no longer lives behind the firewall alone. It lives in SaaS applications, different sources of cloud storage, and in any local systems that you may still have. It’s a broad set of data, and that fact creates a greater opportunity to lose or compromise that data.
Unfortunately, using the wrong AI tool can cause data leakage. ChatGPT is built to learn continually from the data that users enter in prompts. This means that any data entered in a prompt can appear in the tool’s output—for any user.
The good news is that Microsoft Copilot is secure by default. Microsoft explains it this way:
“Microsoft doesn’t use customers’ data to train LLMs. We believe the customers’ data is their data, aligned to the Microsoft’s data privacy policy… Prompts, responses, and data accessed through Microsoft 365 Graph and Microsoft services aren’t used to train Copilot capabilities in Dynamics 365 and Power Platform for use by other customers. The foundation models aren’t improved through your usage. This means your data is accessible only by authorized users within your organization unless you explicitly consent to other access or use.”
Learn more here: Microsoft Copilot vs. ChatGPT.
While Microsoft doesn’t use your data to train Copilot, it’s important to understand that Copilot does require a strategy to prevent data loss. Today’s complex environments—with numerous SaaS tools and different cloud systems—still require a careful approach to data security.
This is why we recommend implementing a solution for DLP (data loss prevention) as a prerequisite to your Copilot rollout. In fact, we consider DLP an essential requirement in a safe Copilot implementation.
DLP offers several critical benefits:
- It provides software and processes for safeguarding sensitive data against unauthorized access.
- It helps prevent against unintended deletion of data.
- It allows us to label data with metadata that indicates sensitivity levels. (Note that Copilot will honor those sensitivity labels if they’re properly implemented.)
- It helps us comply with cybersecurity regulation.
If you’re launching Copilot, we can assume you’re a Microsoft shop. That means you should consider using Microsoft Purview. Microsoft’s DLP solution is actively updated and released on a continual basis, and it includes an AI hub. This hub not only tracks the usage of Copilot in your organization, but it includes plugins that allow you to control and monitor AI usage in third-party tools.
Purview also eliminates some manual work that’s usually associated with DLP. On its own, Purview can start to identify PII (personally identifiable information) and other types of data that require a higher sensitivity classification before you launch Copilot. And with Purview in place, you can identify and manage these risks over time.
Hint: If you don’t have enough resources to handle this, a partner like Corsica Technologies can help. We implement and manage DLP solutions as part of our managed services packages.
6. Use your DLP solution to put a compliance framework in place
A DLP solution can do more than classify data and prevent its loss. It can help you implement a compliance framework so you take proactive control of your data.
A compliance framework puts structure to the management of your data health. It empowers you to move from ad hoc actions to a proactive approach. This helps ensure that your data isn’t healthy only on the day you launch Copilot. It equips you to manage and maintain good data health indefinitely—which is a critical requirement for the ongoing use of Copilot.
7. Establish monitoring and system logs
This requirement is really a subset of establishing a compliance framework. However, it’s worth calling out on its own because it’s such an important prerequisite for launching Copilot.
You want to configure your DLP solution to monitor your data usage and create system logs. This might sound like a SIEM solution from 5-10 years ago, but it’s actually a much different process today. Without DLP, you don’t have a centralized location where you (or your managed services provider) can monitor the exfiltration of your data.
This exfiltration could happen on a mobile device or in a third-party application that you don’t even know your team is using. Leveraging the tool and its plugins can help your MSP watch the movement of your data from various systems. This way, you can profile and understand where that data is going.
8. Establish your organization’s AI policies
Every organization should have a policy for AI use. You want to be proactive here, determining what’s acceptable and communicating it to employees, so everyone is on the same page.
There are two things to cover here:
- Acceptable use of AI within your organization. How does it fit into your values and culture?
- Where are we using AI in customer interaction? What should we disclose about that? (More on this in #9 below)
You can download our Generative AI Policy Template to get a jump on defining your policies. While the template is a great start, it’s also helpful to see real AI policy documents and understand what other organizations are doing. Just contact us if you’d like to get some perspective on how to develop these documents.
9. Determine what you’ll disclose to customers
Depending on how you plan to use AI, you may or may not want to disclose these policies to customers. As of this writing, there is no legal requirement in the US to disclose AI usage publicly, but we should expect that legislation to come along eventually. It makes sense to start developing a healthy public posture on how your company uses AI.
If AI is beneficial to your customers, or if it helps you differentiate from the competition, there may be a business advantage to communicating your use of AI. The specifics will depend on your exact use case and the needs of your customers.
In some cases, it may be distracting to customers to receive lots of information about your use of AI. If the technology is being used behind the scenes, or if it has no impact on customer experience, you may want to consider whether disclosure is necessary at this time. Either way, you should still plan for the day when disclosure is required by law.
10. Establish fun, informative Copilot training for employees
Ultimately, you want to equip your team to use Copilot effectively. That will require more than simply turning the tool on and letting people know about it.
This is one of the biggest gaps we see when companies come to us for help with Copilot requirements. Without dedicated training, their team has a limited understanding of what Copilot can actually do. This leads to unrealized productivity gains.
For example, your finance and accounting team needs interactive training that shows them how to use Copilot for financial analysis.
Likewise, your customer service team needs help using Copilot on the front lines of customer engagement.
In every department, Copilot offers unique benefits—but your team won’t know about them without proper Copilot training. This is the last piece of the puzzle, but it’s no less important than the other prerequisites.
Moving forward: Covering all Copilot requirements
There’s a lot to do to ensure you realize the full power of Copilot. If your IT team already has their hands full—or if you don’t have an IT team—it’s time to bring in a partner.
Here at Corsica Technologies, our Microsoft specialists offer deep experience in data management and cybersecurity as well Copilot consulting and implementation. Reach out to us today, and let’s fulfill your requirements for launching Copilot.
Ready to prepare for Copilot?
Reach out to schedule a consultation with our Microsoft Copilot specialists.
