Is Microsoft Copilot safe for law firms?

Microsoft Copilot promises real productivity gains for fee-earners — but for a firm handling privileged, confidential client data, 'is it safe?' is the right first question. Here's an honest answer.

The short answer

Microsoft Copilot can be safe for a law firm — but only if your Microsoft 365 environment is configured correctly first. Out of the box, Copilot inherits whatever permissions and sharing already exist in your tenant. If your data governance is weak, Copilot doesn't create a new risk so much as expose an existing one, quickly and at scale. The work that makes Copilot safe is the same work that should already be protecting your client data.

How Copilot actually works

Microsoft 365 Copilot sits on top of your existing tenant — your SharePoint, OneDrive, Teams and Exchange data — and uses the Microsoft Graph to find and reason over content the user already has permission to see. Crucially, it operates inside your tenant's compliance boundary, and Microsoft states it does not use your business data to train its underlying foundation models.

The key phrase is "content the user already has permission to see". Copilot does not bypass permissions — but it does make it trivially easy for a fee-earner to surface anything they can technically access, just by asking a question in plain English.

The real risk: oversharing

In most firms, the genuine danger isn't Microsoft's AI — it's years of accumulated oversharing. "Share with everyone", broad Teams membership, legacy SharePoint permissions and forgotten external guests mean staff can usually reach far more than partners assume. Copilot turns that latent problem into an immediate one:

None of these are Copilot faults — they're pre-existing governance gaps. But Copilot finds them faster than any auditor would.

What "doing it properly" looks like

We always do the data governance work before switching Copilot on:

We align the controls with NCSC guidance on cloud and data security, so your COLP (Compliance Officer for Legal Practice) can evidence the decision rather than just hope for the best.

Copilot, the SRA and your obligations

Using AI doesn't change your duties of confidentiality, competence and supervision. You remain responsible for the work product, for protecting client information, and for being able to explain your technology choices. That's why we treat a Copilot rollout as a governance project with an IT component — not an IT project with a governance footnote. If you want the wider regulatory context, see our guide to SRA and Lexcel IT requirements.

How Genmar helps

We've prepared and rolled out Copilot for firms ranging from five to over a hundred fee-earners, always governance-first. We audit your tenant, fix the oversharing, configure the controls, run a pilot and train your people — so you get the productivity benefit without handing your AI assistant the keys to everything. This guide is part of our wider work on IT, cybersecurity and AI for UK law firms.

Frequently asked questions

It can be, but only if your Microsoft 365 tenant is configured correctly first. Copilot respects the existing permissions in your tenant, so if files and mailboxes are over-shared, Copilot will surface privileged or confidential content to people who shouldn't see it. The safety of Copilot is really a question about the state of your data governance. Once sharing is audited, permissions are tightened, sensitivity labels and retention are applied and risky defaults are disabled, Copilot can be rolled out safely to partners and fee-earners.

Microsoft 365 Copilot operates within your tenant's compliance boundary and Microsoft states that it does not use your business data to train the underlying foundation models. That said, your obligations under client confidentiality and UK GDPR don't disappear — you still need to control who can access what, keep records of your decisions, and be able to explain your approach to clients and your regulator if asked.

Oversharing. Years of 'share with everyone in the firm' SharePoint and Teams permissions mean most firms have far more open access than partners realise. Copilot makes that latent problem visible and fast — a fee-earner can ask a plain-English question and Copilot will happily pull from anything they technically have access to. The fix is a permissions and information-governance clean-up before, not after, you switch Copilot on.

Do the governance work first: audit sharing and external access, tighten permissions to least-privilege, apply sensitivity labels and retention policies, and disable risky defaults. Then pilot Copilot with a small group, give fee-earners clear guidance on what is and isn't appropriate for client matters, and document the decisions so your COLP can evidence them. We align this with NCSC cloud and data-security guidance so the rollout is defensible.
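The "audit sharing and external access" and "disable risky defaults" steps above, together with the oversharing risk described in the earlier answer, as an added example that is not Genmar's own tooling: a read-only PowerShell script using Microsoft's SharePoint Online Management Shell module that inventories the tenant-wide and per-site sharing settings most likely to feed Copilot with over-shared content, and writes a CSV a COLP can keep as evidence. It assumes the module is installed and you hold the SharePoint administrator role; "contoso" is a placeholder tenant name, and the finding descriptions and the `-Remediate` switch are this example's own conventions.

```powershell
# Added example, not Genmar's code. Read-only oversharing audit ahead of a
# Copilot rollout, using the SharePoint Online Management Shell module.
# Assumes: module installed, SharePoint administrator role, and 'contoso' is
# a placeholder for your tenant name. Nothing is changed unless -Remediate
# is supplied, and even then only tenant-wide defaults are touched.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
param(
    [string]$Tenant = 'contoso',                               # placeholder
    [string]$ReportPath = '.\copilot-oversharing-audit.csv',
    [switch]$Remediate
)

Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Scope, [string]$Setting, $Value, [string]$Risk) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = "$Value"; Risk = $Risk })
}

# 1. Tenant-wide defaults. Each one widens the audience that ordinary sharing
#    actions reach, and therefore what Copilot can draw on for a given user.
$t = Get-SPOTenant
if ($t.ShowEveryoneExceptExternalUsersClaim) {
    Add-Finding 'Tenant' 'ShowEveryoneExceptExternalUsersClaim' $true `
        'People picker offers "Everyone except external users"; the usual source of firm-wide access'
}
if ($t.ShowEveryoneClaim) { Add-Finding 'Tenant' 'ShowEveryoneClaim' $true 'People picker offers "Everyone", which includes guests' }
if ($t.ShowAllUsersClaim) { Add-Finding 'Tenant' 'ShowAllUsersClaim' $true 'People picker offers "All Users" claim groups' }
if ($t.DefaultSharingLinkType -ne 'Direct') {
    Add-Finding 'Tenant' 'DefaultSharingLinkType' $t.DefaultSharingLinkType 'New links default to a broad audience instead of named people'
}
if ($t.DefaultLinkPermission -eq 'Edit') {
    Add-Finding 'Tenant' 'DefaultLinkPermission' 'Edit' 'New links grant edit rather than view'
}
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Add-Finding 'Tenant' 'SharingCapability' $t.SharingCapability 'Anonymous "anyone" links are permitted tenant-wide'
}

# 2. Per-site posture: external sharing, guests who still hold access, and site
#    groups that contain the tenant-wide claim groups. The login-name fragments
#    matched below are the ones SharePoint uses for "Everyone except external
#    users" (spo-grid-all-users) and "Everyone" (c:0(.s|true).
foreach ($site in Get-SPOSite -Limit All) {
    if ($site.SharingCapability -ne 'Disabled') {
        Add-Finding $site.Url 'SharingCapability' $site.SharingCapability 'Site allows sharing outside the firm'
    }
    $guests = @(Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50 -ErrorAction SilentlyContinue)
    if ($guests.Count -gt 0) {
        Add-Finding $site.Url 'ExternalUsers' $guests.Count 'Guest accounts retain access; check each matter still needs them'
    }
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        $broad = @($group.Users | Where-Object { $_ -match 'spo-grid-all-users' -or $_ -match 'c:0\(\.s\|true' })
        if ($broad.Count -gt 0) {
            Add-Finding $site.Url "Group: $($group.Title)" ($group.Roles -join ',') 'Group includes Everyone / Everyone-except-external-users'
        }
    }
}

# 3. Evidence for the COLP: one CSV row per finding, plus a console summary.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} findings written to {1}" -f $findings.Count, $ReportPath)
$findings | Group-Object Setting | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# 4. Optional remediation of the tenant-wide defaults only. Site-level fixes
#    (removing claim groups, disabling sharing on a site, removing guests) are
#    deliberately left to a person who knows the matters involved.
if ($Remediate) {
    Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false `
                  -ShowEveryoneClaim $false `
                  -ShowAllUsersClaim $false `
                  -DefaultSharingLinkType Direct `
                  -DefaultLinkPermission View
    Write-Host 'Tenant sharing defaults tightened; re-run without -Remediate to confirm.'
}
```

Run it once without `-Remediate` and keep the CSV with the rollout decision record; the per-site rows are the list to work through with the partners who own those matters before any pilot group is given Copilot. Re-running after the clean-up gives a before-and-after pair that evidences the "tighten permissions" step rather than asserting it.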

Sources: NCSC small organisations guide

Thinking about Copilot? Let's get the governance right first.

Book a 30-minute call with James, Genmar's Managing Director. No deck, no hard sell — just honest advice for your firm.
