
Copilot Governance · 18 April 2026 · 3 min read

Can You Use Microsoft Copilot with Client Data? A Practical Governance Guide

Can you use Microsoft Copilot with client data? Yes, but only inside clear governance, approved tools and a review process built around risk levels.

Author: FiveForward
TL;DR
  • Client data can be used with Copilot only inside clear governance, approved tools and the right Microsoft 365 permissions.
  • Copilot should not be used to bypass access controls or replace professional review.
  • The practical work is permissions, labels, user guidance, review standards and a clear rule for what must stay out of AI tools.

Can you use Microsoft Copilot with client data? Many firms want the efficiency but pause when client confidentiality is involved. That hesitation is healthy. Client work carries duties of confidentiality, accuracy and professional judgement. AI does not remove those duties.

The practical question is not “is client data allowed or forbidden?” The better question is: under what conditions can our people use Copilot safely and usefully?

Start with the approved environment

There is a major difference between using an approved Microsoft 365 Copilot environment and pasting confidential material into an unmanaged public AI tool.

Microsoft 365 Copilot is designed to work inside the Microsoft 365 service boundary and respect the signed-in user’s permissions. That matters. It means governance starts with your tenant, your licences, your security settings and your access model.

Even then, the tool is only as safe as the environment around it. If permissions are too broad, if old client files are exposed, or if staff are unclear about what they can use, the risk is not solved by the Copilot licence.

Permissions are the first control

Copilot does not grant anyone new access, but it makes everything a user can already reach much easier to find. That is useful when permissions are right and uncomfortable when they are not: an over-shared client site that nobody happened to browse before will now surface in answers to an ordinary question.

Before encouraging client-data use, review:

  • SharePoint and Teams permissions for client matter or project areas.
  • Guest access and external sharing.
  • Old folders that still contain sensitive material.
  • Whether leavers and role changes are handled properly.
  • Whether staff can access client files outside their remit.
  • Whether sensitive information is labelled and protected.

This is not just IT hygiene. It is AI readiness.
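As an added example (not code from the original article or from FiveForward), the review points above translate into a first-pass, read-only audit in PowerShell using the SharePoint Online Management Shell, the Microsoft Graph PowerShell SDK and Security & Compliance PowerShell. The tenant admin URL, the client site URL and the 365-day staleness threshold are placeholders and assumptions; substitute your own. The script reports findings for a person to review and changes nothing.

```powershell
# Added example, not from the original article. Assumptions: placeholder URLs
# below are replaced with your tenant's, you hold SharePoint Administrator and
# a directory read role, and the modules are installed:
#   Install-Module Microsoft.Online.SharePoint.PowerShell
#   Install-Module Microsoft.Graph
#   Install-Module ExchangeOnlineManagement

$AdminUrl   = 'https://contoso-admin.sharepoint.com'                     # placeholder
$ClientSite = 'https://contoso.sharepoint.com/sites/ClientMatter-Example' # placeholder
$StaleDays  = 365                                                         # assumption: "old" = untouched for a year

Connect-SPOService -Url $AdminUrl
Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All' -NoWelcome

# 1. Tenant-wide external sharing posture. 'ExternalUserSharingOnly' and
#    'ExternalUserAndGuestSharing' both let a share link create new guest access;
#    'ExistingExternalUserSharingOnly' limits sharing to guests you already invited.
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# 2. Per-site sharing and stale content. Sites that allow external sharing, or
#    whose content has not changed in $StaleDays days, are the ones to review
#    before Copilot starts surfacing them in answers.
$sites = Get-SPOSite -Limit All |
    Select-Object Url, Title, SharingCapability, LastContentModifiedDate

'--- Sites with external sharing enabled ---'
$sites | Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Format-Table Url, SharingCapability -AutoSize

'--- Sites not modified in the last {0} days ---' -f $StaleDays
$sites | Where-Object { $_.LastContentModifiedDate -lt (Get-Date).AddDays(-$StaleDays) } |
    Format-Table Url, LastContentModifiedDate -AutoSize

# 3. Who can see one client matter site. The 'spo-grid-all-users' claim is the
#    "Everyone except external users" group, the classic over-share that Copilot
#    makes visible; '#ext#' in a login name marks a guest account.
'--- Broad or external principals on {0} ---' -f $ClientSite
Get-SPOUser -Site $ClientSite -Limit All |
    Where-Object { $_.LoginName -like '*spo-grid-all-users*' -or $_.LoginName -like '*#ext#*' } |
    Format-Table DisplayName, LoginName, IsSiteAdmin -AutoSize

# 4. Guest accounts, and disabled accounts (leavers) still present in the directory.
'--- Guest accounts ---'
Get-MgUser -Filter "userType eq 'Guest'" -All -Property DisplayName,Mail,CreatedDateTime |
    Format-Table DisplayName, Mail, CreatedDateTime -AutoSize

'--- Disabled accounts still in the directory ---'
Get-MgUser -Filter "accountEnabled eq false" -All -Property DisplayName,UserPrincipalName |
    Format-Table DisplayName, UserPrincipalName -AutoSize

# 5. Sensitivity labels actually published in the tenant. An empty list means
#    "labelled and protected" is not yet something staff can do.
Connect-IPPSSession
'--- Sensitivity labels ---'
Get-Label | Select-Object DisplayName, ContentType
```

Each section answers one bullet in the list above; sites with "Everyone except external users" on a client matter, guests with no obvious owner, and disabled accounts that were never removed from site groups are the findings that most often need fixing before a Copilot rollout. Treat the output as a worklist for the site owners, not as a report to file.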

Give staff clear rules

Policies are often too abstract. Staff need rules they can remember while doing the work.

For example:

  • Use only approved AI tools for client work.
  • Do not paste confidential data into personal or public AI accounts.
  • Do not ask Copilot to summarise material you should not be able to access.
  • Treat Copilot output as a draft or assistant, not advice.
  • Check facts, numbers, dates and legal or financial interpretations.
  • Escalate anything involving highly sensitive data, regulated advice or unusual client instructions.

The aim is not to frighten people away from Copilot. It is to make safe use normal.

Separate drafting from deciding

Copilot is often useful for first-pass work: summarising a call, turning notes into a follow-up email, rephrasing a client explanation, creating an internal briefing or preparing a meeting agenda.

It should not be treated as the decision-maker. A professional still needs to review what goes to the client. That review should cover accuracy, completeness, tone, confidentiality and whether the output reflects the firm’s standards.

This is especially important in accountancy, legal, consultancy, financial advice and HR contexts, where a polished but wrong answer can be worse than a rough draft.

The same review habit sits behind Copilot for accountancy firms, Copilot for law firms and any later move into Microsoft Copilot agents.

Create use cases by risk level

Not every use case carries the same risk. A practical rollout can start with lower-risk tasks before moving into more sensitive workflows.

Lower-risk examples might include internal meeting summaries, non-confidential templates, drafting a structure for an agenda or turning public guidance into a plain-English explainer.

Medium-risk examples might include summarising client meeting notes, drafting follow-up emails or preparing internal reports using client information.

Higher-risk examples might include regulated advice, legal interpretation, complex tax matters, disciplinary cases or anything involving special category data. These need stronger controls and senior review.

Make review standards explicit

“Check the output” is too vague. Tell staff what checking means:

  • Verify facts against the source.
  • Check names, dates, figures and obligations.
  • Remove information the recipient should not see.
  • Adjust tone to match the client relationship.
  • Confirm that the output does not overstate certainty.
  • Keep records where the workflow requires them.

This turns responsible use into a practical habit.

What safe client-data use looks like

You can get real value from Copilot in client work, but only when governance is concrete. Start with permissions, approved tools, risk-based use cases and clear human review.

For a practical adoption route, the anonymised accountancy Copilot adoption case study shows how a firm can start with lower-risk client workflows before considering agents or automation.

The safest organisations are not the ones that simply ban everything. They are the ones that make good use easy and risky use hard.


Common questions

Questions about using Microsoft Copilot with client data

Can Copilot see all client data in Microsoft 365?
Microsoft 365 Copilot should be scoped to what the signed-in user is already permitted to access. That makes your existing permissions extremely important.
Can staff paste client data into any AI tool?
No. Staff should use only approved tools and follow the organisation's data rules. Public or personal AI tools are usually not appropriate for confidential client work.
Does Copilot remove the need for human review?
No. Client-facing output still needs professional review for accuracy, tone, confidentiality and regulatory obligations.