Microsoft 365 Copilot, Generative AI Tools, and AI Governance

Microsoft 365 Copilot, the rapid rise of Generative AI Tools and their Marketplaces, and the urgent need to implement AI Governance Programs.

Generative AI (gen AI) is a branch of artificial intelligence that uses deep learning and large language models to create original and creative content such as art, music, and text. Gen AI tools have become increasingly popular and accessible in recent years, thanks to advances in natural language processing, computer vision, and generative adversarial networks. Some of the most well-known examples of gen AI tools are Midjourney, DALL-E, and ChatGPT.

According to a McKinsey Global Survey on the current state of AI, one-third of the respondents say their organizations are using gen AI tools regularly in at least one business function. This is a remarkable growth rate, considering many of these tools were launched less than a year ago. The survey also found that 79 percent of all respondents have had at least some exposure to gen AI, either for work or outside of work.

The survey also revealed that gen AI has captured interest across regions, industries, and seniority levels and that 40 percent of respondents say their organizations will increase their investment in AI overall because of advances in gen AI.

Leading the way in this trend, Microsoft announced Microsoft 365 Copilot, its new AI-powered productivity tool, back on March 16, 2023, and only recently made it available for purchase to its enterprise customers, on November 1, 2023.

This tool uses large language models (LLMs) together with the implementing organization's own data, drawn from the enterprise customer's SharePoint repository when fully integrated, to create original and creative content based on the user's input and the organization's knowledge base. When fully integrated, it can work alongside popular Microsoft 365 apps such as Word, Excel, PowerPoint, Outlook, Teams, and more. Microsoft 365 Copilot therefore aims to help users save time, improve their writing, and generate new ideas.

“Copilot, can you create a new PowerPoint presentation based on the notes you took from yesterday's Teams meeting and on the template we created a month ago?” “Immediately, your Highness.” Summarizing emails, answering questions, and improving productivity across Microsoft 365 apps: a dream come true!

However, the rapid rise of gen AI also poses significant challenges and risks for society, such as ethical, legal, and social implications. For example, gen AI tools can be used to create fake or misleading content, such as deepfakes, that can harm individuals or groups, or influence public opinion.

At the business level, gen AI tools can also raise questions about intellectual property rights, data privacy, confidentiality, and ethics.

Therefore, rapidly developing and implementing AI governance programs is essential to ensure the responsible and beneficial use of gen AI tools in any organization.

AI governance programs are frameworks and mechanisms that can guide the development, deployment, and oversight of AI systems in an organization. AI governance programs can involve various stakeholders, such as governments, regulators, industry, academia, civil society, and users. They can adopt multiple approaches, such as laws, policies, standards, codes of conduct, and best practices.

In this article, we will analyze Microsoft 365 Copilot from the perspective of a high-level AI governance framework. This is, by no means, the only way to analyze a tool, but it certainly has been my approach when making recommendations to my clients.

[Image: an abstract oil painting of what generative AI looks like, according to Midjourney, in black, blue, and gold on a white canvas.]

Preliminary Considerations of a High-level AI Analysis Framework

When assessing a new AI tool in the context of potential implementation in a business environment (this could be extended to public organizations as well), it’s vital to consider four main elements:

1. Data Input

Understanding the nature, extent, and sensitivity of the data that will be provided to the tool is paramount. This includes evaluating whether the data is confidential, proprietary, personal, or otherwise sensitive, and how deep the tool's access to the organization's data will be.

Data sensitivity will affect the level of risk and liability associated with using the AI tool, as well as the degree of protection and security required for the data. For example, if the data contains personal information, such as names, addresses, or health records, the AI tool must comply, and allow its users to comply, with the relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Data sensitivity can also influence the trust and confidence of the users and customers of the AI tool, as they may have different expectations and preferences regarding how their data is handled and used.
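To make this concrete, here is a minimal Python sketch of the kind of sensitivity gate an organization might place in front of an AI tool before any document leaves its perimeter. The sensitivity labels, the policy threshold, and the document structure are all hypothetical illustrations, not any vendor's actual mechanism:

```python
from enum import Enum

class Sensitivity(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3
    PERSONAL = 4  # names, addresses, health records, etc.

# Hypothetical policy: the highest sensitivity level the AI tool is cleared for.
MAX_ALLOWED = Sensitivity.INTERNAL

def cleared_for_ai_tool(document: dict) -> bool:
    """Return True only if this document may be shared with the AI tool."""
    # Unlabeled documents fail closed: treat them as the most sensitive class.
    label = document.get("sensitivity", Sensitivity.PERSONAL)
    return label.value <= MAX_ALLOWED.value

doc = {"name": "q3-financials.xlsx", "sensitivity": Sensitivity.CONFIDENTIAL}
print(cleared_for_ai_tool(doc))  # False: confidential data stays out of the tool
```

The key design choice in a gate like this is the fail-closed default: data whose sensitivity is unknown is withheld rather than shared.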

2. Data Appropriation

It’s essential to determine what data is to be provided to the tool and how user data is utilized, especially concerning model training. Ensuring data isn’t used beyond its intended purpose is key to maintaining trust and privacy. Data appropriation refers to the process of obtaining, using, and sharing data for specific purposes, such as developing, improving, or testing an AI tool. Data appropriation can raise issues such as data ownership, consent, fairness, and accountability.

For example, if the AI tool uses user data to train its model, the customers should be informed and given the option to opt in to or out of the data collection and usage. Data appropriation can also affect the quality and performance of the AI tool, as the data should be relevant, representative, and accurate for the intended task and domain.

In the world of software, it is not uncommon for users' anonymized usage data to be used to improve a product. Still, more and more gen AI vendors now expressly commit not to use customers' actual input data to train their models. This, in part, alleviates concerns regarding the security and confidentiality of organizational data.
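As a rough illustration of what honoring such a commitment can look like in practice, here is a minimal sketch of a consent check applied before any user input is retained for product improvement. The consent registry, function name, and record format are hypothetical:

```python
# Hypothetical consent registry: user -> opted in to product-improvement analytics?
user_consents = {
    "alice@example.com": True,
    "bob@example.com": False,
}

def collect_for_improvement(user_id: str, prompt: str, corpus: list) -> None:
    """Retain a user's (anonymized) input only if they explicitly opted in."""
    if user_consents.get(user_id, False):  # unknown users default to "no"
        corpus.append({"user": "anonymized", "text": prompt})

training_corpus: list = []
collect_for_improvement("alice@example.com", "Draft a project summary...", training_corpus)
collect_for_improvement("bob@example.com", "Confidential merger notes...", training_corpus)
print(len(training_corpus))  # 1: only the opted-in user's input was kept
```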

3. Usage Restrictions

Assessing the tool's limitations or restrictions in light of the intended customer use is critical. This ensures the tool aligns with user expectations and legal guidelines, for example regarding the creation of a potentially competing product, a usage restriction common to almost any software. Usage restrictions refer to the boundaries and conditions that apply to the use of an AI tool (or any software, for that matter), such as the scope, context, and duration of the use. Usage restrictions can help prevent or mitigate the potential harms and risks of using the AI tool, such as misuse, abuse, or unintended consequences.

4. Responsibility for Output Data

Identifying who bears responsibility for the data outputted by the tool is essential. This aspect covers data accuracy, privacy, and legal compliance issues. Responsibility for output data refers to allocating and distributing duties and obligations for the data produced, modified, or influenced by the AI tool.

For example, if the AI tool outputs data that breaches a third party's intellectual property rights, or that is inaccurate, misleading, or harmful, the responsibility for correcting, deleting, or compensating for the data should be clearly defined and assigned. Clear responsibility for output data can also enhance the transparency and accountability of the AI tool, as the data should be traceable, auditable, and explainable.

Overview Analysis of Microsoft 365 Copilot

Microsoft 365 Copilot shows excellent promise. As a matter of fact, I would love to try it out myself with all the legal templates I could feed it, but I digress. Here is an overview analysis based on the four factors identified above:

1. Data Input

Microsoft 365 Copilot potentially accesses sensitive corporate data stored on SharePoint, but its access is limited to the permissions the requesting user actually holds in the repository. This can include personal, proprietary, and confidential information. That being said, despite the potentially very sensitive information being shared, chances are an implementing organization is already sharing all of this information with Microsoft through its use of the Microsoft ecosystem.

More importantly, Microsoft, a pioneer in cybersecurity and privacy, already has an extensive compliance program to help any subscribing organization comply with the requirements of its applicable jurisdiction. You can find more information about this here.

2. Data Appropriation

While the tool does not use data for training purposes, user interactions are stored. In Microsoft’s words:

“The stored data includes the user’s prompt, how Copilot responded, and information used to ground Copilot’s response. For example, this stored data provides users with chat history in Microsoft 365 Chat and meetings in Microsoft Teams. This data is stored in alignment with contractual commitments with your organization’s other content in Microsoft 365. The data is encrypted while it’s stored and isn’t used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365.”

That being said, the organization's Microsoft 365 admins can submit a support ticket to request that such data be deleted.

3. Intended Usage

Your organization will most likely intend to use Microsoft 365 Copilot to improve productivity, not to develop a competing product. Chances are this will be an easy evaluation to make, but it should still be part of an analysis grid to ensure that the business objectives and the license restrictions are aligned.

4. Responsibility and Indemnity

Microsoft now provides indemnification against copyright infringement for output data, which is a significant step in reassuring organizations about using Microsoft 365 Copilot. This does not mean an organization should use whatever the tool outputs without looking at it. Still, it certainly brings some level of comfort when using gen AI tools to produce lines of code, strings of words, or images that could belong to another. Organizations should still internally review Microsoft 365 Copilot's outputs for inaccurate, harmful, or unethical content.

Primary Risks Associated with Microsoft 365 Copilot

From my analysis and as openly described by Microsoft here, the two primary risk categories associated with Microsoft 365 Copilot are:

1. Permission Management

Access to data in Microsoft 365 Copilot depends on user permissions. It's crucial to ensure that potential users of Copilot (or any other AI tool) are categorized within a permission system before integration. An insufficient permission management system could allow an AI tool to access sensitive personal data that it has no business touching.

Permission management refers to the process of granting, revoking, and monitoring the access rights and privileges of users to data and resources. Permission management can affect the security and privacy of the data, as well as the accountability and compliance of the users. For example, if the users of Copilot have different roles and responsibilities within the organization, such as managers, employees, or contractors, they should have different levels of access and control over the data, such as read-only, edit, or delete. Permission management can also help prevent or mitigate the potential harms and risks of using Copilot, such as data leakage, unauthorized access, or misuse.
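The core idea, that an AI assistant should never see more than the user it acts for, can be sketched in a few lines. The access-control list below is a deliberately simplified, hypothetical stand-in for SharePoint's real permission system, not a description of how Copilot is actually implemented:

```python
# Hypothetical, deliberately simplified ACL: document -> users allowed to read it.
acl = {
    "hr/salaries.xlsx": {"hr-manager"},
    "wiki/onboarding.docx": {"hr-manager", "employee", "contractor"},
}

def assistant_readable_docs(user: str) -> list:
    """An AI assistant acting on behalf of `user` may only ground its answers
    in documents that `user` could already open directly."""
    return [doc for doc, readers in acl.items() if user in readers]

print(assistant_readable_docs("employee"))
# ['wiki/onboarding.docx'] -- the salary file never enters the assistant's context
```

The practical lesson is that the assistant's reach is only as tight as the underlying ACL: if permissions are over-broad before integration, the AI tool inherits that over-breadth.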

2. Marketplaces and Plugin Integration

With the announcement of Microsoft Copilot Studio and the integration with OpenAI's GPTs, a marketplace will inevitably emerge, allowing developers to offer, and organizations to shop for, custom-built applications and integrations with other tools.

Plugin integration can enhance the performance and usability of the tool, as well as the customization and personalization of the user experience. For example, if the users of Copilot want to add more capabilities or options to the tool, such as giving access to third-party software for accounting, sentiment analysis, or plagiarism detection, they can install and use the plugins that offer these services. However, plugin integration can also raise additional legal issues.

The availability of additional plugins through a marketplace introduces the risk of additional terms, conditions, and privacy policies, which should all be thoroughly reviewed before integration to ensure compliance is maintained throughout the whole chain of tools.

AI Governance Programs as a Risk Mitigation Tool

With the rapid growth of gen AI tools and associated plugins, businesses should, at a minimum, rapidly establish an internal AI Governance Policy.

Such a policy should, among other things, outline the process for reviewing new tools and user permissions before any integration. This process should involve evaluating the potential benefits and risks of using the new tools and plugins, such as their impact on data security, privacy, quality, and compliance. It should also involve assigning and monitoring the access rights and privileges of the users of the new tools and plugins, including their roles, responsibilities, and accountability, to minimize any unauthorized access by the tools implemented.
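One lightweight way to operationalize such a review process is to capture the four factors discussed in this article as a structured intake record that must be completed and signed off before a tool or plugin is enabled. The sketch below is illustrative only; the field names and the sign-off rule are assumptions, not an established standard:

```python
from dataclasses import dataclass, field

@dataclass
class AIToolReview:
    """Illustrative intake record for reviewing a new AI tool or plugin."""
    tool_name: str
    data_input: str             # what data the tool can access, and how sensitive
    data_appropriation: str     # whether inputs are stored or used for training
    usage_restrictions: str     # license limits relevant to the intended use
    output_responsibility: str  # who answers for inaccurate or infringing output
    approvals: list = field(default_factory=list)

    def is_cleared(self) -> bool:
        # Hypothetical rule: both legal and security must sign off.
        return {"legal", "security"} <= set(self.approvals)

review = AIToolReview(
    tool_name="Example Copilot plugin",
    data_input="Read-only access to public product documentation",
    data_appropriation="Prompts stored 30 days; not used for model training",
    usage_restrictions="Internal productivity use only",
    output_responsibility="Vendor indemnifies copyright; we review accuracy",
    approvals=["legal", "security"],
)
print(review.is_cleared())  # True: both required sign-offs are present
```

Even a simple record like this forces the reviewer to answer the four questions explicitly, and leaves an audit trail of who approved what and when.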

In conclusion, while Microsoft 365 Copilot and other generative AI tools present several advantages, it's imperative to approach their integration with caution, focusing on data sensitivity, appropriate use, and robust permission management. Establishing a clear governance policy can mitigate risks and ensure a secure, compliant use of AI tools in the corporate environment.

For more information, don’t hesitate to Contact Me!