Microsoft 365 Copilot doesn’t read the internet version of your tenant. It reads the real one — the same one your engineers, attorneys, and product leads see, with the same permissions, the same broken inheritance, the same ten-year-old “Everyone except external users” ACLs that nobody has audited since the site was spun up. That is precisely the problem. Copilot is not a new attack surface so much as a ruthless auditor of the one you already have. Anything a user can technically reach, Copilot can surface, summarize, and recompose into a single tidy answer. For an organization’s Secret Squirrel content, patents in prosecution, trademark strategy, source code and architecture, copyrighted works, and above all trade secrets, that risk is acute.
It is also a legal risk of a particular kind. Trade secret status under the Defend Trade Secrets Act and the Uniform Trade Secrets Act requires the owner to take “reasonable measures” to maintain secrecy. A tenant in which Copilot routinely summarizes trade secret documents into responses for users who have no legitimate need to see them is a tenant whose counsel will have a hard time arguing that reasonable measures were taken. The controls in this guide are not just governance hygiene; they are part of the evidentiary record for preserving IP rights.
This guide is a technical playbook for keeping Secret Squirrel content out of Copilot’s grounding set in SharePoint and OneDrive. It is organized around a layered defense model: classify the data, lock the container, scope what Copilot and enterprise search can even see, restrict what encrypted content Copilot is permitted to process, and monitor continuously with DSPM for AI. None of these layers is sufficient on its own. Together, they form a defensible posture — and a defensible record.
How Copilot actually grounds on SharePoint content
Before choosing controls, understand the retrieval path. Copilot’s SharePoint grounding runs through three layers:
1. The user’s delegated permissions: Copilot inherits the identity of the prompting user and honors SharePoint/OneDrive ACLs via security trimming. If the user cannot open the file in a browser, Copilot cannot ground on it. This is the single most important control — and the single most overstated one, because “cannot open” is a lower bar than most organizations realize once you count Everyone Except External Users (EEEU), broad-scope sharing links, group nesting, and site-level membership that accumulated during a decade of cross-team R&D collaboration.
2. **The Microsoft Graph semantic index.** Graph maintains a per-tenant semantic index of content and activity signals that Copilot uses to retrieve candidate documents. Items the user has permission to see are candidates for grounding; items they do not are excluded at query time.
3. **Grounding and response composition.** Copilot retrieves top candidates, passes relevant chunks to the LLM as grounding context, and composes an answer. If a document carries a sensitivity label with usage rights that deny EXTRACT, Copilot will not include its content in the composed answer even if the user has VIEW access.
Two implications matter for IP:
– **Security trimming is necessary but not sufficient.** An engineer who legitimately has read access to an R&D SharePoint site — because somebody once added “Platform Engineering” to the site’s Members group “temporarily” — will have that content grounded into answers about “what is our approach to [X]” or “summarize the roadmap” without any deliberate request for trade secret material. The cross-domain query is how the leak happens.
– **Encryption with usage rights is a hard stop.** A label that withholds EXTRACT from a given user prevents Copilot from composing content from that file into a response, even when Copilot can locate it. For trade secrets this is structurally the right posture: a broad “can read” audience combined with a narrow “can have Copilot synthesize” audience.
The goal of the control stack below is to reduce the candidate set Copilot can retrieve from (RAC, RCD, RSS), make the items that remain unusable when retrieved (sensitivity labels with usage rights), prevent items from being processed at all for labeled content (DLP for Copilot), and give you telemetry to prove it (DSPM for AI, Purview Audit).
## The layered model at a glance
