- Confidential company information accounts for most data being shared across industries
- Copilot accessed millions of business records and thousands of interactions per organization
- Duplicate, stale, and orphaned records compound oversharing risks and weaken enterprise data protection
Microsoft Copilot is interacting with more sensitive data than many organizations realize, new research has warned.
Concentric AI’s 2025 Data Risk Report found Copilot accessed almost three million confidential records per organization in the first half of this year alone.
For context, that figure represents roughly 55% of all files being shared externally.
Major risks
The findings are based on aggregated data from Concentric AI customers across industries including technology, healthcare, government, and financial services.
The report noted confidential company information makes up the majority of files being shared across businesses.
On average, 57% of organization-wide shared data contained some form of privileged information. In financial services and healthcare that figure was closer to 70%.
Organizations are also leaving large amounts of data exposed.
An average of two million critical business records per organization were shared with no restrictions, working out to about half of unrestricted data overall.
More than 400,000 records on average were shared with personal accounts, and over 60% of those included confidential information.
Copilot activity is adding to these worries. The report found organizations averaged more than 3,000 interactions with Copilot, during which sensitive business information could potentially be modified or exposed.
This all illustrates the risk enterprises face when securing valuable data as GenAI becomes further integrated into daily operations.
The report also pointed to broader data management problems, including duplicate, stale, and orphaned records.
Organizations in the survey sample held an average of 10 million duplicate data records and nearly seven million older than 10 years. Orphaned and inactive user data accounted for millions more.
Oversharing, excessive permissions and uncontrolled GenAI use combine to increase risk, and without stronger governance, Concentric AI says organizations could struggle to protect intellectual property, financial information and personal data.