New research indicates that Microsoft Copilot is interacting with significantly more sensitive data than many organizations are aware of. According to the 2025 Data Risk Report by Concentric AI, Copilot accessed nearly three million confidential records per organization in the first half of this year. This alarming statistic represents about 55% of all files being shared externally across various sectors.
The report, which aggregates data from Concentric AI’s customer base, highlights that confidential company information accounts for the majority of files shared within businesses. On average, 57% of organization-wide shared data contains some form of privileged information, with sectors like financial services and healthcare seeing figures closer to 70%.
Data Oversharing and Security Risks
Organizations are not only sharing sensitive data but are also leaving vast amounts exposed. The report reveals that, on average, two million critical business records per organization were shared without any restrictions. This equates to approximately half of all unrestricted data. Furthermore, over 400,000 records were shared with personal accounts, with more than 60% containing confidential information.
Copilot’s activities contribute to these growing concerns. The average organization engaged in over 3,000 interactions with Copilot, during which sensitive business information could be altered or made vulnerable. This interaction raises critical questions about data management and security as organizations increasingly integrate generative AI into their daily operations.
Data Management Challenges
The research also sheds light on broader data management issues that organizations face. On average, businesses hold approximately 10 million duplicate records, with nearly seven million of these being over a decade old. Additionally, orphaned and inactive user data account for millions more records.
Such challenges, combined with excessive permissions and uncontrolled use of generative AI, heighten the risk of data breaches. Without robust governance measures, organizations may struggle to protect their intellectual property, financial information, and personal data effectively.
The findings from Concentric AI emphasize the urgent need for businesses to reevaluate their data management practices and implement stronger security protocols to safeguard sensitive information as AI technologies continue to evolve.
