The brief
Our customer, a City-based financial advisory firm, operates in a highly regulated, data‑sensitive environment. Client confidentiality, controlled access to information and auditability are critical to their operations. The organisation wanted to understand how Microsoft 365 Copilot could be adopted without increasing regulatory or data‑leakage risk.
The client wanted us to assess their SharePoint and Microsoft 365 readiness for Copilot, focusing on whether Copilot could be enabled safely and compliantly, rather than simply whether it was technically available.
Intersys was asked to:
- Identify risks where Copilot could surface sensitive financial or client data
- Assess governance, permissions and data structures Copilot would rely on
- Provide actionable recommendations to improve security and compliance before rollout
Project delivery
We proposed a detailed review of the client’s SharePoint Estate and MS365 environment
1. SharePoint and Microsoft 365 environment
We conducted a detailed review of the client’s SharePoint estate, including:
- Site structure across client, audit and internal portals
- Public vs private sites and Teams
- Storage usage and unmanaged or stale content
This was done specifically to understand what information Copilot would be able to surface once enabled.
2. Permissions and access controls
A core finding was the extensive use of explicit, folder‑level permissions, which are difficult to manage and audit at scale. This was highlighted as a material Copilot risk because Copilot will surface content based on existing access rights.
Our recommendations were:
- Move from explicit permissions to group‑based access models
- Align permission management with Entra ID / Microsoft 365 Admin Centre for auditability
3. External sharing and unmanaged access
The assessment identified risks associated with:
- External sharing configurations
- Sharing links that could expose sensitive financial data
- Internal users with active accounts but no licences or sign‑in restrictions
These issues were flagged as particularly important in a financial services regulatory context, where unauthorised data access could lead to compliance breaches.
4. Data governance and sensitivity labelling
The project reviewed:
- Use (and gaps) in sensitivity labels
- The presence of stale or poorly governed content
- Whether data classification was sufficient for Copilot‑driven discovery
Our findings reinforced that Copilot does not determine what is compliant or appropriate. It relies entirely on existing governance.
Copilot‑specific findings
Our assessment explicitly linked Microsoft Copilot behaviour to the client’s existing controls, concluding that:
- Copilot could inadvertently expose sensitive client or financial information if permissions were not remediated
- Technical readiness alone was insufficient without governance and staff awareness
- Training and controlled rollout were essential to reduce misuse and shadow‑AI behaviour
What we delivered
Our assessment produced a formal Copilot Readiness Audit, including:
- An executive summary tailored to financial‑services leadership
- Clear findings and prioritised recommendations
- Practical remediation guidance aligned to security and compliance best practice.
Benefits
Our assessment went beyond mere licensing or feature enablement. It mapped our client’s plans for adopting Copilot directly to financial‑services regulatory risk and provided evidence‑based recommendations that compliance, risk, and IT teams could act on.
