What every small business owner needs to know — what Copilot accesses, what the real risks are, and how to protect your firm's data.
A quick note before you dive in: the steps in this guide describe settings that exist in Microsoft 365 as of June 2026. Every business environment is different. What works cleanly in one setup can have unintended side effects in another. Before changing any connected experience settings, user permissions, or group policies, have a conversation with your IT department or a qualified IT professional first — they need to verify that any changes are appropriate for your specific environment. Registry edits, permission changes, and network policy modifications especially should never be a solo project and should only be done by an experienced technician. Think of this guide as a way to get informed and start the right conversation in your firm — not a self-service technical manual to work through alone.
Microsoft has begun embedding its artificial intelligence assistant — called Copilot — directly into Microsoft 365 applications including Word, Excel, PowerPoint, and Outlook. This is not a separate product you opt into. Depending on your subscription plan, it may already be installed, active, or in the process of being activated on your computers without a separate notification.
This is not necessarily cause for alarm, but it is cause for awareness. Understanding what Copilot does, how it accesses your data, and what controls are available to you is part of making an informed business decision — not a technical one.
Firms that handle client financial records, bank statements, tax documents, payroll data, or any personally identifiable financial information carry a heightened responsibility. Copilot accesses everything in your Microsoft 365 environment that you have permission to see — including documents, emails, and shared files. In a professional services context, that is a much larger risk surface than in a typical small business. If your firm maintains a Written Information Security Policy (WISP) or makes data privacy representations to clients, those commitments may be affected by AI tools operating in the background of your daily software.
There are two distinct versions of Copilot in Microsoft 365. Understanding the difference matters:
The lighter version now bundled into most Microsoft 365 subscriptions at no additional charge. Functions as an AI assistant inside Word, Excel, PowerPoint, and other apps. Became active for most subscribers during late 2025.
The full-featured version — deeper document drafting, meeting summaries, data analysis, and AI agents that can act on your behalf across applications. Requires a paid license on top of your base subscription.
Copilot is enabled by a broader Microsoft framework called Connected Experiences — cloud-based features that use your document content to power AI suggestions, grammar checks, design recommendations, and live data enrichment. There are three categories, and the distinction matters:
PowerPoint Designer, Editor/grammar AI, Translator, Smart Lookup. These send document content to Microsoft servers for processing. This is the primary privacy concern for businesses handling sensitive data.
Online templates, Insert Online Pictures, weather in Outlook calendar, Excel data types. These pull content in from Microsoft/Bing but do not send your documents out.
LinkedIn integration, Bing-powered features, and third-party add-ons. Separately controlled and lower priority for most firms.
Microsoft states that document content processed by Copilot and Connected Experiences is not used to train its AI models — meaning your business data is not being fed into a public language model. Copilot also operates within your Microsoft 365 tenant, respecting your organization's existing permission and compliance settings.
The independent security community has identified concerns that go beyond data training. The more significant risks are:
If your Microsoft 365 environment contains documents for multiple clients stored in shared or broadly accessible folders, Copilot could potentially surface one client's information while you are working on another's. Client data isolation — keeping each client's files in properly scoped, permission-limited folders — is your most important protection, regardless of whether Copilot is active. If your firm makes written representations to clients about data handling, AI tools operating in the background of your daily software warrant a policy review.
Understanding the risks of embedded AI like Copilot naturally raises a question: is there a safer way to use AI in your business? The answer is yes — and the distinction comes down to one word: deliberate.
Copilot is ambient — it runs in the background of your daily software, sees everything in your environment, and acts on your behalf without you consciously deciding what to share. Tools like Claude and ChatGPT (on the right plan) work differently. You open a session, you decide exactly what context to provide, and nothing happens without your direct input. That fundamental difference changes the security picture entirely.
The three tools your firm is most likely to encounter — Microsoft Copilot, ChatGPT, and Claude — have meaningfully different security profiles depending on the plan. Here is how they compare for professional services use:
For any professional services firm handling client financial data: use deliberate, session-based AI tools on business plans — not embedded ambient AI on personal plans. The monthly cost of a business plan is modest. The cost of a data incident is not.
Not every business needs to take the most restrictive approach. The right decision depends on your industry, your data, and how you use Microsoft 365 today.
| Your Situation | Recommended Action |
|---|---|
| My firm handles highly sensitive client financial data | Turn off ALL content-analyzing connected experiences + disable Copilot explicitly |
| I use AutoSave on OneDrive daily | Turn off ONLY content-analyzing experiences; leave download-online-content ON |
| I use co-authoring / real-time shared editing | Do NOT use the master "turn off all" toggle — use per-category controls instead |
| I want to block Copilot but keep everything else | Disable Copilot in each app directly via File → Account → Privacy |
| I want the most locked-down configuration possible | Disable all connected experiences + Copilot + set diagnostic data to "Neither" in Trust Center |
Before making any changes, confirm which Microsoft 365 plan you are on and whether Copilot is already active.
The steps below are organized from least disruptive to most restrictive. Work through them based on your decision from the framework above. These steps apply to Windows computers running Microsoft 365.
The most targeted option — turns off Copilot specifically without touching other connected experiences like AutoSave. Recommended first step.
Disables AI content-scanning features (Editor AI, Designer, Smart Lookup, Translator) without affecting AutoSave or co-authoring.
If you use the master "turn off ALL connected experiences" toggle rather than the per-category control above, you will lose AutoSave functionality for files stored on OneDrive. There are also reports of the master toggle affecting shared mailbox sync in Outlook Classic. The per-category approach in Step B avoids these side effects. Use the master toggle only if maximum restriction is your priority and you accept the trade-offs.
Disables LinkedIn integration, Bing-powered features, and third-party add-ons. Lower priority for most firms, but appropriate for a fully closed environment.
By default, Microsoft collects usage and diagnostic data from Office applications. You can reduce this to "Required only." Advanced — optional for most firms.
If you manage multiple seats, these settings can be applied organization-wide through the Microsoft 365 Apps Admin Center (config.office.com) using Cloud Policy, which pushes settings to all users automatically. This is the recommended approach for firms with more than one seat — it ensures consistency and prevents individual users from inadvertently re-enabling features. Search for "Allow the use of connected experiences in Office that analyze content" in the Policy Management section.
Regardless of which steps above you take, the following will continue to function normally:
Microsoft updates its 365 applications automatically and has a history of re-introducing features or adjusting default settings through updates. A one-time configuration is not sufficient.
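As an added illustration (not part of the original guide and not Microsoft's code), a technician could run a read-only check like the one below after each Office update to confirm that the connected-experience policy values are still in place. The registry locations and value meanings are assumptions based on Microsoft's published policy documentation and should be verified for your environment; the `$expected` baseline is a hypothetical one matching the "I use AutoSave on OneDrive daily" row of the table above.

```powershell
# Read-only audit of Office connected-experience policy values for the
# current user. It changes nothing. Registry paths and value meanings are
# assumptions taken from Microsoft's policy documentation; verify first.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0\Common\Privacy',  # Cloud Policy
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'         # Group Policy
)

# Hypothetical baseline: content analysis off, everything else left alone
# (null = no requirement). For all four values: 1 = enabled, 2 = disabled.
$expected = [ordered]@{
    usercontentdisabled                = 2      # experiences that analyze content
    downloadcontentdisabled            = $null  # experiences that download online content
    controllerconnectedservicesenabled = $null  # optional connected experiences
    disconnectedstate                  = $null  # master "all connected experiences" switch
}

function Get-PolicyValue {
    param([string[]]$Paths, [string]$Name)
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $path }
        }
    }
    return $null   # not set by policy in either location
}

$report = foreach ($name in $expected.Keys) {
    $hit  = Get-PolicyValue -Paths $roots -Name $name
    $want = $expected[$name]
    if ($null -eq $hit) { $found = 'not set' } else { $found = [string]$hit.Value }
    if ($null -eq $want) { $status = 'info' }
    elseif ($null -ne $hit -and $hit.Value -eq $want) { $status = 'OK' }
    else { $status = 'DRIFT' }
    # The guide warns that the master switch breaks OneDrive AutoSave when off.
    if ($name -eq 'disconnectedstate' -and $null -ne $hit -and $hit.Value -eq 2) {
        $status = 'WARN: master switch off, AutoSave affected'
    }
    [pscustomobject]@{ Setting = $name; Found = $found; Expected = $want; Status = $status }
}
$report | Format-Table -AutoSize
```

A `DRIFT` or `not set` result for a setting you intended to lock down means the policy is not being enforced for that user and the setting can be changed from within the Office apps.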
Turning off Copilot in Microsoft 365 does not mean avoiding AI tools altogether. There is an important difference between an always-on AI embedded in your daily software that has access to everything in your environment, and a deliberate session-based AI tool where you control exactly what information you share. Many professional services firms are finding that a thoughtful, controlled use of AI — where the user decides what context to provide — is both more secure and more effective than ambient AI that operates in the background.