
In our experience, two things are simultaneously true in enterprise Microsoft 365 Copilot deployments in 2026. Adoption is finally scaling at meaningful numbers, and the security conversation around Copilot has split into two distinct workloads. Most enterprises we work with are resourced to handle one of them well and are still building the muscle for the other.
The first workload is the one CISOs have been working on for two years: data oversharing in Copilot responses. Legacy SharePoint permissions, inherited group memberships, and overly permissive sensitivity labels cause Copilot to retrieve content the invoking user did not expect to see. This is a familiar problem with a maturing playbook.
The second workload is newer, and it is what we increasingly hear when talking to security leaders. Employees are now building Copilot agents in Copilot Studio and Microsoft Foundry faster than security teams can review them. Risk has evolved beyond the data retrieved by Copilot to encompass the actions of employee-developed agents, specifically who they act for, the extent of their reach, and their intended purpose.
That expansion changes who needs to be involved, what controls apply, and how quickly security teams need to operate. Recent industry research is consistent with both dynamics running in parallel across most enterprises.
In our view, Microsoft 365 Copilot security work through 2025 concentrated on the data layer. The center of gravity in 2026 is moving to the agent layer, and the data layer has not gone away.
The 2026 Gartner Microsoft 365 and Copilot Survey was conducted with IT leaders responsible for Microsoft 365 from 186 organizations from March through May 2026.
Two findings from that survey, in particular, anchor our perspective. According to Gartner, "fifty-one percent of respondents identified oversharing and data loss as the top barrier to successful Copilot deployment, with more organizations turning to third-party tooling to help manage and govern M365."
On the agent side, according to Gartner:
In our reading of the field, these numbers describe an environment in which both problems are active. Oversharing is not a solved problem in most enterprises. But agent governance is now an urgent one. The implication for security architecture, in our view, is that a Microsoft 365 Copilot security strategy needs to address both layers simultaneously, because the same data oversharing that produces a problematic Copilot response can produce a problematic agent action with broader downstream consequences.
The persistence of oversharing as the dominant Copilot risk is not a surprise to anyone running a Copilot deployment. In our experience, it is a function of three architectural realities that pre-date Copilot by years.
According to Gartner, "fixing oversharing and data exposure is not a one and done activity and requires ongoing management and tooling."
In our customer work, this is the area where the most measurable progress is possible quickly. Culligan, working with Opsin ahead of a broader Copilot rollout, reduced sensitive data exposure in Copilot queries from approximately 80% to under 15% by identifying and remediating the underlying permission and labeling issues before scaling. That kind of reduction is achievable, in our view, but it requires assessing the actual data exposure surface, not the assumed one.
The newer and faster-moving conversation, in our view, is about the agents employees are building on top of Copilot. Copilot Studio is the most visible surface. Microsoft Foundry adds more advanced custom development. Power Apps adds another path. Each surface produces non-human identities that can act on behalf of users, retrieve data through inherited permissions, and trigger downstream effects across the enterprise.
The reason agent governance is moving so quickly up the CISO priority list, in our experience, is that the velocity of agent creation has outpaced the maturity of agent review. A non-technical employee can build a Copilot Studio agent in an afternoon. There is no equivalent gating function in most enterprises today. The result is a population of non-human identities accumulating inside the Microsoft tenant without consistent ownership, scope review, or behavioral observation.
We feel the Gartner survey data is consistent with what we see. According to Gartner, "eighty percent of IT leaders agree or strongly agree that additional governance controls are required before widely deploying Copilot agents. Sixty-eight percent are worried about Copilot agent sprawl."
In practice, the categories of agent governance work we see most often inside Microsoft tenants are: inventorying agents across Copilot Studio, Microsoft Foundry, and Power Apps; assigning ownership to every agent so a human is accountable for its behavior; assessing each agent's data scope based on inherited permissions and connector configuration; and observing what agents are actually doing rather than only what they are configured to do. Together, these tasks are the practical, operational face of agent sprawl.
Microsoft has invested seriously in this layer.
In our view, the native stack is the right foundation for most Microsoft-heavy environments.
Yet, in our experience, security teams add third-party capability in three key situations:
The first of these is the most common.
According to Gartner, "among organizations deploying M365 Copilot, 66% are deploying at least two other EAIAs as well, signaling a clear preference for a multivendor approach. Indeed, Microsoft can no longer assume that its M365 installed base will automatically translate into Copilot adoption."
In our view, a Microsoft-only governance strategy produces a Microsoft-only view of risk, and most enterprises now operate well past that boundary. We feel Gartner data points to a parallel rise in third-party adoption. According to Gartner, "forty-nine percent of the survey respondents now use these tools to help manage and govern M365, up from 40% in 2025."
Opsin was named in Gartner's Microsoft 365 Copilot and Agents: Assessing Impact and Value in 2026 research as an M365 governance vendor providing Copilot agent discovery, inventory, and remediation functionality.
In our view, that focus reflects the work we are most invested in right now. Our approach centers on what we call the dynamic contextual layer, which connects identity, data, and model behavior in one view across sanctioned Microsoft AI deployments.
In a Microsoft environment, that means we:
The same contextual layer extends across the rest of the agent estate, including ChatGPT Enterprise, Claude, and Google Gemini. In our experience, mixed agent estates are now the default rather than the exception, and coverage that stops at the Microsoft tenant boundary will produce a view of risk that stops there too.
In our view, Microsoft 365 Copilot security is becoming a two-layer discipline.
The enterprises moving fastest, in our experience, are the ones that have stopped treating these as separate projects. The same identity, data, and behavioral context that addresses Copilot oversharing also addresses Copilot Studio agent governance, because the underlying questions are the same: who is acting, on what data, with what scope, and is the behavior aligned with what the enterprise actually expects? Building that view once and applying it across both layers is what makes a Microsoft 365 Copilot security program sustainable as the agent estate grows.
For cybersecurity leaders, the practical question is no longer whether to invest in Microsoft 365 Copilot governance. The data on third-party adoption shows the investment is already happening. The question, in our view, is whether the governance model can keep pace with what employees are building on top of Copilot every week.
Gartner, Microsoft 365 Copilot and Agents: Assessing Impact and Value in 2026, Max Goss, Olga Martí, Craig Roth, Sebastian Kempf, Leonard Marshall, 9 June 2026.
GARTNER is a trademark of Gartner, Inc. and/or its affiliates.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
According to Gartner June 2026 research, Microsoft 365 Copilot and Agents: Assessing Impact and Value in 2026, "fifty-one percent of respondents identified oversharing and data loss as the top barrier to successful Copilot deployment, with more organizations turning to third-party tooling to help manage and govern M365." The same Gartner survey reflects a parallel concern about Copilot agents: "eighty percent of IT leaders agree or strongly agree that additional governance controls are required before widely deploying Copilot agents."
In our experience, the rate at which employees create Copilot agents has outpaced the rate at which security teams can review them. Copilot Studio and Microsoft Foundry make it possible for non-technical users to build and deploy agents in an afternoon, which creates a population of non-human identities accumulating inside the Microsoft tenant without consistent ownership, scope review, or behavioral observation.
Microsoft Entra, Purview, Defender, and the Microsoft Agent 365 control plane (currently in preview) cover essential capabilities including agent identity, conditional access, data security posture management for agents, sensitivity label enforcement, and anomaly detection. The most common gaps we see in the field are fragmentation across Microsoft surfaces, no coverage for non-Microsoft agents, and limited ability to correlate identity, data, and observed behavior in one view.
In our view, CISOs should treat Microsoft 365 Copilot security as a two-layer discipline. The data layer (oversharing, sensitivity, retrieval) has maturing remediation playbooks. The agent layer (inventory, ownership, scope, behavior) is the layer that needs design work in most enterprises today. Build a view of identity, data, and behavior that applies across both layers, and design it so it extends to ChatGPT Enterprise, Claude, Google Gemini, and custom agents as adoption grows.