Most Copilot pilots we see stall for the same reason: the tooling works, but people don't trust what it returns. That's almost never a model problem. It's a permissions problem.
Copilot inherits whatever access a user already has. So if your SharePoint and Teams permissions are loose, Copilot will happily surface a draft acquisition memo to someone in the post room. Tighten nothing, and the rollout dies on the first embarrassing answer.
Three things that need to be true first
Before you buy a single seat, three things need to hold:
- Permissions reflect reality — oversharing is audited and cleaned up, not assumed away.
- Sensitive content is labelled — so Copilot can be told what it may never repeat.
- A retention and POPIA position exists — because "the AI said it" is not a defence to the Regulator.
Copilot exposes the problem you already had
Copilot doesn't create a governance problem. It exposes the one you already had. The productivity gains are real — but they land on a clean data foundation, not a hopeful one.
Get the data estate right first. Everything useful about Copilot depends on it.