A sensitivity label isn't a sticker. It's a gate.
A sensitivity label looks like a tag: a coloured word in the corner of a document telling people how careful to be. In a Copilot tenant, that mental model is expensive. The label isn't a description of your content; it's the gate that decides, mechanically, what every AI in your tenant is allowed to read.
What a label actually does
Two gates stack here. Copilot gets no god's-eye view of your tenant — it reasons only over content the signed-in user is already authorised to open (Microsoft Learn). And where a label applies encryption, that user must hold the EXTRACT and VIEW usage rights before Copilot can process the content at all (Microsoft Learn).
So the label's protection settings aren't sitting next to the access decision. Through the rights they grant, they are the decision the AI obeys.
"Encrypted" is not the same as "locked out"
Here's the misread I hear most: we encrypt our confidential content, so Copilot can't use it. Not quite — the lever isn't encryption, it's who the label grants rights to.
Microsoft's own Secure by Default deployment model sets the default label for files to one called Confidential\All Employees, which encrypts the content and grants every employee Co-Author rights (Microsoft Learn). The content is encrypted, and Copilot reads it without a problem, because every signed-in user already holds the rights it needs. Encrypted is not the opposite of usable.
One taxonomy, three outcomes — and only one variable
From a single label family you can produce three completely different results for the AI:
- Grant the rights to all employees, and the AI reads the content freely.
- Scope the grant to a handful of named people, and the AI reads it only for them.
- Reach for Double Key Encryption — where you hold a key Microsoft never sees — and the AI can never touch it. Microsoft positions DKE for roughly the top 5% of data, the crown jewels (Microsoft Learn).
The classification name on the front didn't change between those three outcomes. The usage-rights grant did. That grant is your access-control plane; the name is almost incidental.
Why label design is AI access-control design
If the grant is the gate, every label you create is a read-boundary for every agent you deploy.
Design your labels as sensitivity adjectives — Internal, Confidential, Secret — and you'll fuse classification with access by accident, scoping the rights tighter every time a new team wants its own flavour. Design them as access decisions — who should be able to read this, and therefore what the AI can read — and the question "what can Copilot see in this content?" finally has an answer you can point at.
Agents break harder than people do
Copilot acts as the signed-in user, so it inherits that human's permissions. Agents are more brittle against label settings than people are: Copilot agents can't read files protected with user-defined label permissions (the "Let users assign permissions" encryption option) at all (Microsoft Learn).
And there's a tenant-level switch underneath all of this. When sensitivity labels aren't enabled for SharePoint and OneDrive, the encrypted content Copilot and agents can reach is limited to data in use in Office apps on Windows (Microsoft Learn). A label configuration you set with humans in mind can wall your agents out without anyone noticing.
Worked example: is this even switched on — and how to switch it
That last limit only bites when labels aren't enabled for SharePoint and OneDrive — and that's opt-in, not on by default.
How to check: in the Microsoft Purview portal, go to Solutions → Information Protection → Sensitivity labels. If you still see a banner offering to turn on processing of Office Online content, it's off. Once it's on, that banner disappears when the page refreshes.
How to turn it on: as a global administrator, click Turn on now (it takes about 15 minutes to apply), or run it from the SharePoint Online Management Shell:
Set-SPOTenant -EnableAIPIntegration $true

It's a tenant configuration, not a separate licence: if you're already using sensitivity labels, this is a switch, not a purchase (Microsoft Learn). Until it's on, every encrypting label in your taxonomy is effectively invisible to agents, no matter how generously you granted the usage rights.
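Putting the two halves of the argument together, the usage-rights grant as the gate (the three outcomes above) and the tenant switch that sits underneath it, here is an added audit script. It is example code written for this page, not Microsoft's and not from the original article. It assumes that Get-Label (Security & Compliance PowerShell, ExchangeOnlineManagement module) exposes EncryptionEnabled, EncryptionProtectionType, EncryptionDoubleKeyEncryptionUrl and EncryptionRightsDefinitions, the last in the "identity:RIGHT,RIGHT;identity2:RIGHT" form that Set-Label accepts, and that Get-SPOTenant reports EnableAIPIntegration. The sample labels, the contoso.com identities and the admin URL are constructed; check the property names against your own tenant before trusting the live run.

```powershell
# Added example, not code from the original article or from Microsoft.
# Classifies each label by what Copilot and Copilot agents can read, applying
# the rules the article sets out: the usage-rights grant is the gate, DKE is a
# hard stop, user-defined permissions shut agents out, and encrypted content is
# reachable only from Office on Windows until labels are enabled for
# SharePoint and OneDrive.
#
# Assumptions (hypothetical until verified in your tenant):
#  - Get-Label exposes EncryptionEnabled, EncryptionProtectionType ('Template' or
#    'UserDefined'), EncryptionDoubleKeyEncryptionUrl and EncryptionRightsDefinitions
#    ("identity:RIGHT,RIGHT;identity2:RIGHT", as used with Set-Label).
#  - Get-SPOTenant / Set-SPOTenant -EnableAIPIntegration (SharePoint Online Management Shell).

function Get-CopilotReadability {
    param(
        [Parameter(Mandatory)] [psobject] $Label,
        [bool] $SpoLabelsEnabled = $true
    )
    $result = [ordered]@{ Label = $Label.Name; Copilot = ''; Agents = ''; Why = '' }

    if (-not $Label.EncryptionEnabled) {
        $result.Copilot = 'Reads'; $result.Agents = 'Read'
        $result.Why = 'No encryption; only the user''s normal file permissions apply'
        return [pscustomobject]$result
    }
    if ($Label.EncryptionDoubleKeyEncryptionUrl) {
        $result.Copilot = 'Never'; $result.Agents = 'Never'
        $result.Why = 'Double Key Encryption; Microsoft never holds the second key'
        return [pscustomobject]$result
    }
    if (-not $SpoLabelsEnabled) {
        $result.Copilot = 'Office on Windows only'; $result.Agents = 'Office on Windows only'
        $result.Why = 'Labels not enabled for SharePoint/OneDrive (Set-SPOTenant -EnableAIPIntegration $true)'
        return [pscustomobject]$result
    }
    if ($Label.EncryptionProtectionType -eq 'UserDefined') {
        $result.Copilot = 'Only for users the author granted rights to'; $result.Agents = 'Never'
        $result.Why = 'User-defined permissions; agents cannot read these files at all'
        return [pscustomobject]$result
    }

    # Parse the grant. OWNER (Full Control) implies every right; any other
    # identity needs both VIEW and EXTRACT before Copilot can process the content.
    $readers = @()
    foreach ($entry in @($Label.EncryptionRightsDefinitions -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $identity, $rightList = $entry -split ':', 2
        if ($null -eq $rightList) { continue }
        $rights = @($rightList -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() })
        $canRead = ($rights -contains 'OWNER') -or (($rights -contains 'VIEW') -and ($rights -contains 'EXTRACT'))
        if ($canRead) { $readers += $identity.Trim() }
    }
    if ($readers.Count -eq 0) {
        $result.Copilot = 'Never'; $result.Agents = 'Never'
        $result.Why = 'Encrypted, but no identity in the grant holds both VIEW and EXTRACT'
    } else {
        $result.Copilot = "For: $($readers -join ', ')"; $result.Agents = $result.Copilot
        $result.Why = 'Encrypted; readable exactly for the identities the grant covers'
    }
    return [pscustomobject]$result
}

# Constructed sample labels (no real tenant); identities and the DKE URL are hypothetical.
$coAuthor = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$sampleLabels = @(
    [pscustomobject]@{ Name = 'General'; EncryptionEnabled = $false }
    [pscustomobject]@{ Name = 'Confidential\All Employees'; EncryptionEnabled = $true; EncryptionProtectionType = 'Template'
                       EncryptionDoubleKeyEncryptionUrl = $null; EncryptionRightsDefinitions = "contoso.com:$coAuthor" }
    [pscustomobject]@{ Name = 'Confidential\Finance Only'; EncryptionEnabled = $true; EncryptionProtectionType = 'Template'
                       EncryptionDoubleKeyEncryptionUrl = $null; EncryptionRightsDefinitions = "finance@contoso.com:$coAuthor;legal@contoso.com:VIEW" }
    [pscustomobject]@{ Name = 'Highly Confidential\Author Decides'; EncryptionEnabled = $true; EncryptionProtectionType = 'UserDefined'
                       EncryptionDoubleKeyEncryptionUrl = $null; EncryptionRightsDefinitions = $null }
    [pscustomobject]@{ Name = 'Highly Confidential\DKE'; EncryptionEnabled = $true; EncryptionProtectionType = 'Template'
                       EncryptionDoubleKeyEncryptionUrl = 'https://dke.contoso.example/key'; EncryptionRightsDefinitions = "contoso.com:$coAuthor" }
)

'--- Labels enabled for SharePoint and OneDrive ---'
$sampleLabels | ForEach-Object { Get-CopilotReadability -Label $_ -SpoLabelsEnabled $true } | Format-Table -AutoSize -Wrap
'--- Switch off: every encrypting label collapses to Office-on-Windows only ---'
$sampleLabels | ForEach-Object { Get-CopilotReadability -Label $_ -SpoLabelsEnabled $false } | Format-Table -AutoSize -Wrap

# Live run against your own tenant (uncomment after connecting; the admin URL is hypothetical):
# Connect-IPPSSession
# Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
# $spoOn = [bool](Get-SPOTenant).EnableAIPIntegration
# if (-not $spoOn) { Set-SPOTenant -EnableAIPIntegration $true }   # same switch as "Turn on now"; allow ~15 minutes
# Get-Label | ForEach-Object { Get-CopilotReadability -Label $_ -SpoLabelsEnabled $spoOn } | Format-Table -AutoSize -Wrap
```

The offline run reproduces the three outcomes from the label family above: the all-employees grant reads for everyone, the Finance grant reads only for the finance identity (Legal's VIEW-only entry fails the EXTRACT check), and the DKE label never reads. The second pass shows the tenant switch overriding all of that, which is the point of the check-and-enable step just described. Treat the live section as a starting point only; confirm the property names and the rights-string format against Get-Label output in your tenant before acting on its verdicts.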