
Copilot Inherits Your Security. Until It Doesn’t.

Why some Microsoft 365 Copilot agents inherit your user security, some only partly do, and some don’t at all, and why that difference matters

Key Takeaways

  • The popular advice that “Copilot just inherits your existing security” is true, but only for the basic Copilot experience most people picture.
  • As Copilot agents get more capable and more independent, that inheritance weakens in a predictable order, and for some agents it disappears entirely.
  • There are three tiers: agents that inherit your security fully, agents that inherit it but cost you some control, and agents that do not inherit it at all.
  • The single most useful governance question is not “is Copilot secure.” It is “which tier is this agent in.”
  • A lot of the security you need is already in Microsoft’s own stack, but not all of it, and the observability gaps are real.

It Depends

In consulting, the best and the worst answer you can give someone is the same two words: it depends. The phrase is so overused that some of us, myself included, will laugh out loud when a technical question gets answered that way. But the uncomfortable truth is that in almost every complicated technical conversation, it really does depend. What it depends on changes from one situation to the next, and Copilot security is no different.

Microsoft’s documentation tells you that Copilot inherits your security. Your existing security posture is extended into Copilot. Your content stays encrypted at rest and in transit, the same as the rest of Microsoft 365. Copilot reads data as the signed-in user, so it can only see what that user can already see. Microsoft even names the rule: “no new privileges.” You will hear AI consultants go a step further and call Copilot the safest AI platform for users, precisely because of that default inheritance.

All of that is true, and it is genuinely reassuring. But here is how “it depends” extends to Copilot security. Copilot does not always inherit your security posture. Sometimes it inherits it completely. Sometimes it only partially inherits it. And sometimes it does not inherit it at all. The good news is that which one you get is not random. It follows a predictable order, and once you can see the order, you can govern it.

Three Tiers of Inheritance

Forget the marketing names for a moment and sort every agent by one question: how much of your existing user security does it actually inherit. Three tiers fall out.

Tier 1: Inherits Fully

This is Copilot as most people imagine it.

  • Everyday Copilot in chat and inside Word, Outlook, Excel, and Teams. It has no identity of its own. It acts purely as the signed-in user and can only reach what that user can reach.
  • User-built lite agents that your employees create with simple tools like Agent Builder. These still run on the user’s permissions, so the “no new privileges” rule still holds.

For this tier, the inheritance story is the whole story. The only real exposure is one you created yourself: oversharing. And this is where a hard security principle applies. Security through obscurity is no security at all. Something is not secure because it is difficult to find. A file buried in a SharePoint site nobody visits is not protected by being buried; it is only protected by the permissions on it. If a confidential document is technically open to people who should never see it, it was never secure. Copilot did not create that gap. It just removed the obscurity that was hiding it and made it easy to find on demand.

Tier 2: Inherits, but You Lose Some Control

Here the clean guarantee starts to soften.

This tier is Microsoft’s own built-in agents, the ones that go beyond simple answers. Some can draft and send mail, schedule, or create documents on a user’s behalf. The newer frontier agents Microsoft is shipping go further still, and increasingly they ask the user to grant permissions before they will act. That consent moment is the tell. The agent still runs as the user, so it inherits the access boundary, but the user is now extending it new capabilities, and most users will click Allow without reading what they just authorized.

What you lose in this tier is control over the agent itself. Some of these agents cannot be fully scoped or switched off through normal admin settings, so you inherit Microsoft’s identity model without inheriting full authority over the agent. Tier 2 still lives inside Microsoft, so you are not flying blind, but “Copilot only sees what the user sees” is no longer a complete description of what is happening.

Tier 3: Does Not Inherit at All

This is where the comforting story breaks completely. These agents do not ride a user’s identity. They have their own, which means inheritance is off the table. What changes inside this tier is how easy each one is to govern.

Copilot Studio custom agents that your team builds for specific jobs. This is the most manageable risk in the tier, but it is still a risk. Instead of quietly riding a user’s identity, a Studio agent gets its own principal in Entra, and with it its own scope of permissions. Far too often those permissions are over-scoped, so the agent can reach more than any single person was ever meant to. The saving grace is that the principal is right there in Entra where you can see it, scope it, and review it. The risk is real, but it is governable, as long as someone actually does the governing.

Third-party agents connected through a consent prompt. A vendor’s agent is granted access to your environment, and its model, memory, and logs live in the vendor’s cloud. The moment data is retrieved, it has left your security boundary. What happens to it next is governed by your contract with that vendor, not by your Microsoft 365 controls.

Shadow AI. Locally installed agentic tools and unsanctioned consumer AI that nobody approved. No identity in your environment, no consent record, no audit trail. There is no inheritance here because there is nothing to inherit from, and nothing to govern because you cannot govern what you cannot see. This is the highest-risk corner of the tier precisely because it is invisible.

If you apply the “Copilot just inherits your security” assumption to anything in this tier, you have made a mistake. These agents inherit none of it. Some are easy to control once you know they exist. Some you cannot control at all.

Why the Detail Matters

This is why “it depends” matters. Inheritance is strongest at the top and gone by the bottom, and your ability to see and control these agents follows the same curve. Risk runs in the opposite direction. The agents you can govern best were already the safest, and the agents that inherit the least are the hardest to even find.

That is why the blanket reassurance is dangerous. “Copilot inherits your security” is solid advice for Tier 1, partial advice for Tier 2, and flatly wrong for Tier 3. Same product, three different answers, which is exactly why the honest response to “is Copilot secure” is the one consultants lean on: “it depends.” The gap is not theoretical; researchers have already shown that an attacker can hide instructions inside ordinary content that Copilot is asked to read, then use Copilot to leak data, without the user clicking anything. Inheritance does not stop that, because the attacker never needed new permissions; they simply borrowed the user’s.

You Already Own Most of the Fix

Here is the encouraging part. A lot of the security you need for this is already sitting in Microsoft’s own stack, waiting to be turned on and pointed at the right tier.

  • For Tier 1, fix oversharing first. Find and clean up overshared content before agents can surface it, and keep sensitive sites out of Copilot’s reach. This is the highest-value step you can take, and it is the one that closes the security-through-obscurity gap for good.
  • For Tier 2, understand what you are consenting to. Know what Microsoft’s built-in agents can do, watch what permissions users are granting them, and know which ones you can scope or disable and which ones you cannot.
  • For Tier 3, govern the principals and find the shadows. Scope Studio agent identities to least privilege and review them on a schedule, make admin approval the only path for a third-party agent to get in, and use discovery tooling to surface the unsanctioned AI already running on your network.

Across all three, keep the basics strong. Conditional Access, multifactor authentication, compliant devices, and good audit logging are the foundation everything else inherits from.
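The tier question and the per-tier checks above can be run over an agent inventory. The following is an added example, not code from this article or from Microsoft; the record fields, the permission list and the 90-day review interval are assumptions, and the inventory is constructed.

```python
from datetime import date

# Assumptions: record fields, the permission list and the 90-day review
# interval are illustrative, not a Microsoft export format or recommendation.
TENANT_WIDE = {"Sites.Read.All", "Sites.ReadWrite.All", "Files.ReadWrite.All",
               "Mail.Send", "Directory.Read.All"}
REVIEW_DAYS = 90

def triage(agent, today):
    """Return (tier, findings) using the article's question: whose identity?"""
    identity = agent["identity"]          # "user", "own_principal" or "none"
    findings = []
    if identity == "user":
        grants = agent.get("user_granted", [])
        if not grants:
            return 1, ["exposure is whatever the user can already reach: check oversharing"]
        return 2, [f"user consented to: {', '.join(sorted(grants))}"]
    if identity == "none":
        return 3, ["no principal, consent record or audit trail: discovery tooling only"]
    # Own principal: inheritance no longer applies, so check the principal itself.
    broad = sorted(set(agent.get("app_permissions", [])) & TENANT_WIDE)
    if broad:
        findings.append(f"tenant-wide permissions: {', '.join(broad)}")
    if agent.get("publisher") == "third_party" and not agent.get("admin_approved"):
        findings.append("third-party agent admitted without admin approval")
    reviewed = agent.get("last_review")
    if reviewed is None or (today - reviewed).days > REVIEW_DAYS:
        findings.append("principal review overdue")
    return 3, findings

# Constructed sample inventory (no real tenant data).
INVENTORY = [
    {"name": "Copilot in Word", "identity": "user"},
    {"name": "Built-in scheduling agent", "identity": "user",
     "user_granted": ["send mail", "create meetings"]},
    {"name": "HR Studio agent", "identity": "own_principal", "publisher": "internal",
     "app_permissions": ["Sites.ReadWrite.All", "User.Read"],
     "last_review": date(2025, 1, 10)},
    {"name": "Vendor notes agent", "identity": "own_principal",
     "publisher": "third_party", "admin_approved": False,
     "app_permissions": ["Files.ReadWrite.All"], "last_review": None},
    {"name": "Desktop agent found on endpoint", "identity": "none"},
]

def report(inventory, today):
    """Sort highest tier first so the least-inherited agents lead the list."""
    rows = [(a["name"], *triage(a, today)) for a in inventory]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for name, tier, findings in report(INVENTORY, date(2025, 6, 1)):
        print(f"Tier {tier}  {name}: {'; '.join(findings) or 'no findings'}")
```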

But be honest about the ceiling. Microsoft’s stack does not cover one hundred percent of this, and it does not pretend to. There are real observability gaps, especially once data leaves through a third-party agent or a shadow tool, where your visibility drops to almost nothing. The right move is not to assume the platform has it handled. It is to treat those gaps as named risks you either close with added tooling and process or formally accept, with your eyes open.

The Bottom Line: Microsoft Deferred the Decision to You

Copilot is not secure or insecure on its own. Microsoft made a deliberate choice to defer Copilot’s security to the security posture already in your environment. That is what inheritance really means. If your environment is secure, Copilot will be secure. If your environment is not secure, Copilot will not make it worse, but it will expose the risks you already had, faster and at scale.

So the honest answer to whether Copilot inherits your security is the one we started with. It depends. It depends on which agent you are talking about, and it depends on the state of the environment underneath it. Some agents inherit your security completely. Some inherit it but cost you control. Some inherit nothing at all. Knowing which is which, and getting your environment in order underneath all of them, is the whole job.

Ready to Find Out Which Tier Your Agents Are In?

Before you scale Copilot, you need a clear picture of what is running and how much of your security it actually inherits. PSM’s experts can help you:

  • Inventory the Copilot and agent types active in your environment
  • Find and remediate the oversharing Copilot would otherwise expose
  • Build a practical governance roadmap that fits your licensing

Let’s talk about governing AI before it governs itself. Contact us to book your Microsoft 365 Copilot readiness assessment today.

 
