If You’re Worried About Security, Should You Even Be Doing AI?

image

The people most concerned about AI security are often the people who should be using AI first.

That sounds backwards, but hear me out.

I still meet organisations that have effectively banned AI because someone raised concerns about data leakage, privacy, compliance or intellectual property protection.

Meanwhile, staff are already using AI on personal devices, free online tools and consumer accounts completely outside corporate visibility.

That’s not security.

That’s avoidance.

The better question isn’t whether you should use AI.

The real question is whether you’re prepared to manage it properly.

What is AI security, really?

Many people think AI security is about stopping users from accessing AI tools.

I think that’s an outdated view.

AI security is about controlling how organisational data is accessed, processed and governed when AI becomes part of everyday work.

Notice what’s missing?

The AI itself.

The same principles we’ve applied to email, file sharing, Teams, SharePoint and mobile devices now apply to AI. Identity matters. Permissions matter. Data classification matters. Monitoring matters.

The organisations that already have these foundations in place are often much better positioned for AI adoption than they realise.

“Isn’t this just another technology that introduces risk?”

Every technology introduces risk.

Email introduced risk.

Cloud services introduced risk.

Mobile devices introduced risk.

The objective has never been to eliminate risk. The objective has always been to manage it.

Step-by-Step: Preparing Microsoft 365 for AI
Review Your Permissions

Open:

Microsoft 365 Admin Centre > Reports > Usage

and

SharePoint Admin Centre > Active Sites

Look for locations that contain sensitive information and identify who has access.

AI doesn’t magically create new permissions.

It simply makes existing permissions more visible and more useful.

If everyone can access everything today, AI will expose that problem faster.

Check Sharing Settings

Open:

SharePoint Admin Centre > Policies > Sharing

Review whether users can create anonymous sharing links or share broadly outside the organisation.

Many organisations discover their biggest security exposure has nothing to do with AI.

It’s uncontrolled sharing.

Microsoft provides useful guidance in its documentation on https://learn.microsoft.com/sharepoint/modern-experience-sharing-permissionsSharePoint sharing and permissions.

Classify Important Data

Open:

Microsoft Purview Portal > Information Protection

Apply sensitivity labels to important content.

Start simple.

Financial information.

Client information.

HR records.

Commercial agreements.

You don’t need a hundred labels.

You need a handful that people will actually use.

Microsoft provides detailed guidance on https://learn.microsoft.com/purview/sensitivity-labelssensitivity labels.

Configure Data Protection

Open:

Microsoft Purview Portal > Data Loss Prevention

Create policies that prevent sensitive information being shared incorrectly.

Think of this as putting guard rails around the business rather than trying to control every individual action.

A good starting point is Microsoft’s guidance on https://learn.microsoft.com/purview/dlp-learn-about-dlpData Loss Prevention.

Monitor and Improve

Open:

Microsoft Purview Portal > Audit

Review activity regularly.

Look at what users are doing.

Look at sharing behaviour.

Look at data movement.

Security isn’t a project.

It’s an ongoing discipline.

Why this actually changes behaviour

This is where I think many organisations miss the opportunity.

AI doesn’t just increase productivity.

It exposes operational weaknesses.

If permissions are messy, AI highlights it.

If data governance is weak, AI highlights it.

If information is scattered everywhere with no ownership, AI highlights it.

That’s a good thing.

For years, many businesses have accumulated technical debt around information management because users could only find information if they knew exactly where to look.

AI changes that equation.

Suddenly information becomes discoverable.

Suddenly forgotten files become valuable.

Suddenly people start asking questions about why certain information is available to everyone.

Those are all governance conversations that should have happened years ago.

AI isn’t creating new security problems as much as it’s revealing existing ones.

That’s an important distinction.

Visibility drives accountability.

The organisations seeing the best outcomes are not necessarily the ones with the biggest security budgets.

They’re the ones with the best operational habits.

Permissions are reviewed.

Data is classified.

Sharing is controlled.

Access is monitored.

Those practices were valuable before AI.

They’re even more valuable now.

Copilot doesn’t invent information. It works with what you’ve already allowed people to access.

That’s one reason I encourage organisations to start their AI journey even when they have concerns.

The process often becomes a catalyst for improving overall security.

If you’re not showing clients this, you’re leaving value on the table.

Many SMBs have spent years investing in Microsoft 365 security controls they barely use.

AI provides a practical reason to finally turn those investments into operational practices.

Here’s the real win.

The organisations that approach AI through a security lens often end up improving both.

They strengthen governance, improve data quality, reduce risk and gain productivity at the same time.

Not because AI solved the problem.

Because AI forced them to look at the problem.

Security shouldn’t stop your AI journey.

Security should shape it.

When done properly, AI isn’t the risk.

The absence of governance is the risk.

Before You Buy Microsoft 365 Copilot, Clean Up Your Tenant First

image

One of the biggest mistakes I continue to see with Microsoft 365 Copilot is treating the licence purchase as the project.

It’s not.

The licence is the easy part. The hard part is making sure the information Copilot can access is actually worth finding.

Copilot doesn’t create information. It exposes what already exists.

If your tenant is messy, overshared and unmanaged, Copilot simply helps users find the mess faster.

What is Microsoft 365 Copilot readiness, really?

Most people think readiness is about licences, supported apps and technical prerequisites.

That’s not readiness. That’s procurement.

Real readiness means asking whether your Microsoft 365 environment contains information that is organised, secured and governed well enough for AI to work across it. Microsoft talks about defining your strategy, protecting sensitive data and checking readiness before rollout in its Microsoft 365 Copilot rollout guidance.

Copilot works across the data users already have access to. That should make every MSP pause.

Because if users already have access to content they shouldn’t, Copilot won’t politely ignore it. It will work with the permissions you’ve given it.

Step-by-Step: Review your tenant before assigning licences
Audit SharePoint permissions

Start with SharePoint.

This is where a lot of the Copilot value lives, and it’s also where many of the surprises hide.

Review high-value sites, external sharing, broad groups, anonymous links and old project workspaces. Microsoft has specific guidance around building a secure and governed data foundation for Copilot, including oversharing remediation and guardrails.

Notice what’s missing?

Most SMB tenants have never had a proper SharePoint permissions review.

Review OneDrive ownership

Every OneDrive is effectively a knowledge repository.

Look for departed staff, abandoned content, sensitive folders and business-critical files that only one person controls.

Copilot won’t know whether that file belongs in a managed SharePoint library instead. It will simply see information the user can access.

Clean up Teams sprawl

Open the Teams admin centre and look at inactive teams, duplicated teams and channels nobody owns.

If humans can’t tell which Team contains the source of truth, don’t expect Copilot to magically understand your operating model.

“We thought Copilot was giving bad answers.”

In many cases, the tenant was giving bad data.

Review sensitivity labels

If you use Microsoft Purview, check whether sensitivity labels exist, whether they’re published to the right users and whether people understand them.

Sensitivity labels are not decoration. They classify and can protect organisational data across Microsoft 365, as Microsoft explains in its sensitivity labels documentation.

Keep labels simple.

A label nobody understands is just another button nobody presses.

Check retention and stale content

Old content is not harmless just because storage is cheap.

Review retention policies, old libraries, archived Teams and documents that should no longer be active reference material.

Copilot can make stale content visible again.

That’s not intelligence. That’s exposure.

Validate identity and device controls

Before assigning Copilot licences, review MFA, Conditional Access, privileged accounts and device compliance.

This is where SMBs often underinvest.

They buy the AI licence, but the tenant still has weak identity hygiene and unmanaged devices.

That’s backwards.

Decide how you’ll measure usage

Don’t wait until renewal time to ask whether Copilot is working.

Set expectations early. The Microsoft 365 admin centre includes a Microsoft 365 Copilot usage report for adoption and usage metrics.

That matters because licence assignment is not adoption.

A user having Copilot and a user changing the way they work are two different things.

Why this actually changes behaviour

Here’s the real win.

A Copilot readiness review improves the tenant even before you assign the first paid licence.

Permissions get cleaned up.

Teams become easier to navigate.

Content ownership improves.

Old information gets archived.

Security conversations become practical instead of theoretical.

Copilot doesn’t get tired. Use that.

But don’t ask it to compensate for years of neglected governance.

The best Copilot deployments I’ve seen don’t start with a licence order. They start with a conversation about data, access and outcomes.

My recommendation?

Treat Copilot readiness as an MSP service, not a pre-sales checklist.

If you’re not showing clients what Copilot might expose before they pay for it, you’re leaving value on the table.

Microsoft 365 Copilot isn’t there to fix a messy tenant.

It’s there to make a well-run tenant dramatically more useful.

CIA Brief 20260704

image

Here’s a quick roundup of the Microsoft, security and AI news I’ve been tracking this week across the Patron and AI communities. As always, I’ve skipped the noise — videos, chatter and repeats — and kept only what actually matters for MSPs and SMBs.

Security

Microsoft 365 & Windows

Cloud & AI

As always, the challenge isn’t finding information — it’s focusing on what actually matters.

After hours

Above the Cloud: Building Data Centers in Space – Richard Campbell – https://www.youtube.com/watch?v=eo7MEPgWGic

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Creating a Digital Twin of Your Business

image

When most people hear “digital twin”, they picture an engineer running a virtual copy of a jet engine, or watching a simulated factory floor hum along on a screen. It sounds like something built for heavy industry, a long way from a business that runs on email, spreadsheets and the occasional frantic search through old files. I’ve come to think the idea fits an ordinary organisation just as well — and that most of us are far closer to having one than we’d assume. The raw material is already sitting there. We’ve just never thought of it in those terms.

A digital twin of a business isn’t a 3D model. It’s a living representation of how your organisation actually thinks: the decisions it has made, the reasons behind them, the way a job quietly moves from one person to the next. That knowledge already exists. The problem is that it’s scattered. Some of it sits in SharePoint, some in a Teams thread nobody has opened in a year, some buried in a colleague’s sent items — and an uncomfortable amount lives only inside one person’s head.

You already own the knowledge

A while back I watched someone spend half a morning answering a question their business had already answered twice. The work existed. It simply couldn’t be found quickly enough, so they built it again from nothing. That’s the everyday cost of not having a twin you can talk to. You’re not short of information. You’re short of a way to ask your own business what it already knows.

This is where Copilot starts to shift things. Connected across your Microsoft 365 tenant, it lets you put a question in plain language and pulls the thread together for you. Ask why a particular client moved onto a different plan, and Copilot can surface the Outlook email where it was decided, the meeting where it was thrashed out, and the document that recorded the outcome. A new staff member can ask it how something is normally done and get an answer drawn from real history, not folklore. You stop hunting for a file and start interrogating your own past.

The twin is only as good as what you feed it

This is where most businesses come undone. If a decision gets made on a phone call and never written down, the twin can’t see it. If the reasoning lives only in someone’s memory, it isn’t in the model. So the habit worth building is unglamorous but powerful: put decisions somewhere Copilot can reach. Keep the Teams meeting recap instead of letting it disappear. Write the why into the document, not just the what. Treat a SharePoint page or a Loop component as the place your thinking genuinely lives, rather than a tidy-up job for later.

None of that is technical work. It’s a discipline — choosing to treat your own knowledge as something worth keeping, instead of something you’ll cobble back together under pressure when you next need it.

What it actually buys you

I don’t think the goal is a perfect replica. No model captures everything, and you wouldn’t want one that tried. But a business that can answer its own questions — one that remembers why it did things — moves faster and argues less. It brings new people up to speed sooner. It stops relitigating decisions that were settled months ago.

The pieces are already sitting in your tenant, waiting to be connected. What I’m watching now is which businesses bother to feed the twin, and which keep solving the same problem every Tuesday morning, none the wiser for having solved it before.

CIAOPS Need to Know Microsoft 365 Webinar – July

laptop-eyes-technology-computer_thumb

Now in our tenth year!

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Why Your Microsoft 365 Is Still a Mess (Even with AI).

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

July Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2607 )

The details are:

CIAOPS Need to Know Webinar – July 2026
Friday 31st of July 2026
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Youtube channel.

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

CIAOPS AI Dojo 14

image

What’s the session about?

This month we will be focusing on new Copilot Cowork features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

  • IT administrators and support staff
  • Business owners
  • People looking to get more done with Microsoft 365
  • Anyone looking to automate their daily grind

Save the Date

Date: Friday the 31st of July 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

Register Now

The AI Toolkit Monetization Strategy: Building Enterprise Value with Microsoft Technologies

image

I’ll start with something that won’t win me any friends at the next AI meetup: owning the cleverest AI tool in the room won’t make you a cent. Not the model, not the agent, not the prompt you spent a weekend perfecting. I’ve watched a lot of people fall in love with the technology and then wonder why the invoices aren’t getting any bigger. The uncomfortable truth is that nobody pays for tools. They pay for problems disappearing.

Think about a carpenter for a moment. A carpenter doesn’t get wealthy selling you a single hammer off the back of the ute. They get paid because they walk onto a site, look at a house that needs building or a roof that’s letting the rain in, and they know exactly which tool to reach for and when. The hammer matters, but only because of the hand holding it and the job it’s pointed at. That’s the mindset I think anyone serious about AI needs to adopt — and if your organisation already lives inside the Microsoft cloud, you’ve quietly been handed a very good toolkit. Most people just haven’t worked out how to pick it up.

The hammer: Copilot and Azure OpenAI

The language model is your hammer. It’s the tool you swing by hand, and it’s genuinely powerful — but it does what you tell it, no more. In the Microsoft world that’s Microsoft Copilot sitting across your Outlook, Word and Teams, with Azure OpenAI underneath when you need to build something bespoke.

Here’s where most people get it wrong: they treat Copilot like a fancier search box. They type a vague half-question, get a vague half-answer, and conclude the whole thing is overhyped. The people getting real value approach it with a bit of discipline. The way I think about it is four steps — mission, ask, parameters, shape.

Start with the mission: the business outcome, not the chore. Don’t ask Copilot to “find me some leads.” Tell it you need thirty new enterprise clients this quarter to hit a revenue target. Then comes the ask — one sharp, specific request, like pulling together forty qualified IT directors in healthcare with their contact details. Then parameters — the context and the guardrails. This is where Copilot in Microsoft 365 earns its keep, because you can point it straight at the files in your SharePoint or OneDrive so it’s reasoning over your data, not a guess about the world. A tip I lean on constantly: dictate your context rather than typing it. The voice option in Copilot lets you talk through the background in thirty seconds, and you talk far faster than you type. Finally, shape — tell it the format you want. A clean table, a CSV you can drop into Excel, a tight bulleted summary. Stop reformatting things by hand like it’s 2015.

The screwdriver: Power Automate

A hammer needs a fresh swing every single time. The moment you find yourself doing the same AI-assisted task over and over, you’ve outgrown it. That’s when you reach for the screwdriver — automation — and in the Microsoft stack that’s Power Automate with AI Builder doing the heavy lifting.

The shift here is subtle but enormous. Instead of opening Copilot every morning to run the same prompt, you build a flow once and let it run on a schedule or off a trigger, quietly, in the cloud, forever.

Not everything deserves a flow, though, and this is where people burn weeks they’ll never get back. I run three quick tests before building anything. Is it repetitive — happening at least weekly, ideally daily? Is it rule-based, with predictable inputs and a predictable result? And does it actually pay back — does the time saved over a year dwarf the time spent building it? Don’t spend sixty hours constructing a flow that rescues someone two minutes a week. That’s not automation, that’s a hobby.

A example I like: a sales call recording lands in a Teams channel. Power Automate sees it, AI Builder pulls the transcript, reads the sentiment, drops the action items straight into Dynamics 365, and posts a tidy weekly summary back into the leadership channel in Teams. Nobody touched it. That’s the screwdriver doing its job.

The power drill: Copilot Studio

Then there are the jobs where you don’t want to define the steps at all — you just want the outcome. That’s the power drill, and Microsoft’s answer is Copilot Studio, where you build agents that handle whole processes on their own.

With the hammer and the screwdriver, you’re still drawing the map. With an agent, you describe the destination and let it find its own way through the subsystems. The trick to doing this without disaster is what I’d call staying on the loop rather than in it. Pick a genuinely meaty workflow — vendor onboarding end to end, say, from reading the invoice email, to cross-checking your Dataverse tables, to running compliance, to setting up billing. Then, and this is the hard part, don’t keep grabbing the wheel. Let it run.

Two habits make this safe. First, have agents check each other — a builder agent in Copilot Studio writes a script, and a separate reviewing agent picks it apart for security gaps before anything reaches a human. Second, watch for drift. An agent grinding away over hours or days can slowly lose the plot, so your role becomes the manager who inspects, resets the context when it wanders, and keeps it pointed at the goal.

The orchestrator gets paid

Here’s the part that actually moves the money. Owning these three tools doesn’t make you rich. Conducting them does. The orchestrator is the one who looks at a bleaking supply chain or a drowning support desk and reaches across the whole Microsoft AI toolkit — Copilot, Power Automate, Copilot Studio — to make the pain stop.

Your clients don’t lie awake wondering whether you used GPT-4o through Azure or a Copilot Studio agent. They lie awake about their costs. Solve that, and the technology underneath becomes a footnote. Problems are where the value lives.

So the real shift isn’t learning another tool. It’s moving from doing the work to directing it. Step back, find the problem worth solving, and orchestrate the kit you already own.

Outlook Draft Instructions vs Microsoft 365 Copilot Personalization — what’s the difference and which takes priority?

image

I see a lot of people trying out Microsoft 365 Copilot for Outlook, then asking why the emails it drafts don’t sound like them. Many end up manually tweaking every email Copilot writes, thinking it’s unavoidable.

“Why does Copilot always add ‘I hope you’re well’? I’m spending more time editing than drafting!”

Sound familiar? That’s not a failure of Copilot. That’s a missed opportunity. If you keep re-teaching Copilot your style every time you use it, you’re doing it wrong. The solution: set up the right instructions once, so Copilot learns how you want your emails written from the start.

What are Outlook Draft Instructions and Copilot Personalization, really?

Think of them as layers of guidance for Copilot. Outlook Draft Instructions are your email-specific preferences stored in Outlook. They’re all about how your email drafts should look: friendly vs formal tone, how long or detailed to make messages, whether to use bullet points, how to greet people, the sign-off you prefer—basically, how to sound like you in email (https://support.microsoft.com/outlook/copilot-outlook/ask-copilot-to-make-email-drafts-sound-like-you).

By contrast, Microsoft 365 Copilot Personalization is your global Copilot profile—the custom instructions and memory that apply across all Copilot experiences in Microsoft 365 (Word, Outlook, Teams, etc.), not just email. These personalization settings let Copilot know your role, typical audience, and general communication style so it can tailor any response, in any app, closer to what you need (Customize how Microsoft 365 Copilot responds to you).

Put simply: Draft Instructions tell Copilot how to handle your emails, while Copilot Personalization defines how Copilot behaves everywhere. And there’s no mystery about which one takes priority. When you click Draft with Copilot in Outlook, here’s the order in which Copilot follows your instructions:

  • Your prompt (highest priority): Anything you explicitly ask for (tone, style, language, etc.) in the prompt overrides everything else.

  • Outlook Draft Instructions: Your app-specific email defaults; used whenever your prompt doesn’t override them.

  • Global Copilot Personalization: Your general preferences fill any gaps not covered by your prompt or Outlook’s instructions.

  • Organizational policies: These always apply for compliance and safety (e.g. Data Loss Prevention (DLP) blocking sensitive info) but they don’t affect writing style.
Step-by-Step: Fine-tune Copilot for your email style
Open Outlook’s Copilot Draft Instructions

To set this up, you’ll need the new Outlook (or Outlook on the web) since the feature isn’t in classic Outlook’s UI. In the new Outlook on Windows or web, click the Copilot icon in the compose window. From the dropdown, select Settings, then click Draft Instructions.

Add your email style preferences

Turn on Use custom instructions when drafting email. Now type a short description of how you want Copilot to draft your emails. Be specific about tone, structure, greetings, and sign-offs. Do you prefer concise messages or detailed ones? Formal language or a friendly vibe? For example, you might write:

Use a friendly tone.
Start each email with "Hi [Name],".
Avoid corporate jargon and fluff.
Sign off with "Thanks, [Your Name]".

Notice what’s missing? We didn’t mention anything about length or level of detail in those instructions. That’s on purpose – if you leave something out here, Copilot will fall back to your global Personalization settings to fill in the blanks.

Set global Copilot Personalization

Next, open your Microsoft 365 Copilot settings (for example, in the Copilot Chat app or via the Copilot sidebar in any Office app). Go to Settings and select Personalization. Under Custom instructions, add broad guidance about yourself and your style that should apply everywhere. Tell it who you are and how you like your output across Microsoft 365. For instance, “I’m a small business owner writing for busy clients, so keep everything concise and professional.” Save your instructions.

Why this changes how you email

Once you’ve set up these preferences, you’ll stop fighting with Copilot’s tone and phrasing. Instead of manually fixing greetings or trimming fluff each time, you get drafts that fit your style on the first try. It’s like hiring an assistant who already knows your voice—from day one.

Better yet, showing your clients how to configure these settings is an easy win. It reduces their frustration with generic AI output, boosts their trust in Copilot, and makes you look like a trusted advisor. If you’re not helping them set their Copilot’s style, you’re leaving a lot of value on the table.

Copilot’s drafting preferences aren’t about adding complexity – they’re there to remove it.

Set them up once, and you can stop rewriting Copilot’s emails and start reaping the benefits of an AI that truly sounds like you.