SUMMITGUARD

Sample Copilot Control-Gap Report Excerpt

This sample shows the kind of output a Copilot readiness review can produce.

It is illustrative only. It is not a real client report, qualified advice, certification, penetration test, or Microsoft 365 implementation plan.


Executive Summary Example

The firm is preparing to expand Microsoft 365 Copilot beyond a small pilot group.

Supplied evidence shows useful governance foundations, but several content locations appear to rely on broad inherited permissions. That creates a risk that Copilot-enabled users may summarise client or internal material outside the intended matter team.

The recommended decision is to proceed with a controlled pilot only after high-risk repositories are reviewed, approved Copilot use cases are defined, and staff guidance is updated.


Sample Finding 1: Matter Site Permission Inheritance

Risk rating: High

Observation: Sample matter sites appear to inherit permissions from broader practice-area groups. This may allow users outside the active matter team to access documents that Copilot could summarise.

Why it matters: Copilot does not need a breach to expose information. If a user can access a document, Copilot may be able to reason across it for that user.

Evidence reviewed: Supplied SharePoint permission export, sample matter-site screenshots, stakeholder interview with IT lead.

Recommended action: Identify high-sensitivity matter sites, break inappropriate inheritance where needed, confirm ownership, and review access before pilot expansion.
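The following script is an added example written for this page; it is not SummitGuard's tooling, not a real client export, and the column names, site paths, group names and user names are constructed for illustration. It models the point in Finding 1: Copilot's reach for a user is exactly the set of content that user can already open, so a matter site that inherits permissions from a practice-wide group is readable by (and summarisable for) everyone in that group. The script walks an assumed permission-export layout (one row per site, with an inherits_from column for inheriting sites), expands groups to people, flags inheriting matter sites, and then shows how breaking inheritance narrows a user's reach.

```python
import csv
import io

# Constructed stand-in for a SharePoint permission export (assumed columns).
# One row per site; a site that inherits lists its parent and no principal.
PERMISSION_EXPORT = """\
site,inherits_from,principal,role
/sites/practice-litigation,,Litigation-All,Read
/sites/practice-litigation/matter-1042,/sites/practice-litigation,,
/sites/practice-litigation/matter-1043,,Matter-1043-Team,Contribute
/sites/practice-corporate,,Corporate-All,Read
/sites/practice-corporate/matter-2201,/sites/practice-corporate,,
"""

# Constructed group membership (in practice sourced from Entra ID / M365 groups).
GROUP_MEMBERS = {
    "Litigation-All": {"alice", "bob", "carol", "dave"},
    "Matter-1043-Team": {"alice", "carol"},
    "Matter-1042-Team": {"dave"},
    "Corporate-All": {"bob", "erin", "frank"},
}


def parse_export(text):
    """Build {site: {"parent": str | None, "principals": {principal: role}}}."""
    sites = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = sites.setdefault(row["site"], {"parent": None, "principals": {}})
        if row["inherits_from"]:
            entry["parent"] = row["inherits_from"]
        if row["principal"]:
            entry["principals"][row["principal"]] = row["role"]
    return sites


def effective_principals(sites, site):
    """Follow the inheritance chain up to the first site with its own ACL."""
    seen = set()
    while sites[site]["parent"] and site not in seen:
        seen.add(site)
        site = sites[site]["parent"]
    return sites[site]["principals"]


def effective_users(sites, groups, site):
    """Expand groups to people: everyone who can open content on the site."""
    users = set()
    for principal in effective_principals(sites, site):
        users |= groups.get(principal, {principal})  # unknown principal = a user
    return users


def copilot_reach(sites, groups, user):
    """Sites whose content Copilot could draw on when answering this user:
    no more and no less than the sites the user can already access."""
    return {s for s in sites if user in effective_users(sites, groups, s)}


def flag_inherited_matter_sites(sites, groups):
    """Matter sites that inherit from a parent, with the principals and the
    number of people that inheritance exposes their content to."""
    findings = []
    for site, entry in sites.items():
        if "/matter-" not in site or entry["parent"] is None:
            continue
        findings.append({
            "site": site,
            "inherits_from": entry["parent"],
            "principals": sorted(effective_principals(sites, site)),
            "user_count": len(effective_users(sites, groups, site)),
        })
    return sorted(findings, key=lambda f: -f["user_count"])


def break_inheritance(sites, site, principals):
    """Model the remediation: give one site its own ACL. Returns a new mapping
    so the before/after reach can be compared side by side."""
    fixed = {s: {"parent": e["parent"], "principals": dict(e["principals"])}
             for s, e in sites.items()}
    fixed[site] = {"parent": None, "principals": dict(principals)}
    return fixed


if __name__ == "__main__":
    sites = parse_export(PERMISSION_EXPORT)
    for f in flag_inherited_matter_sites(sites, GROUP_MEMBERS):
        print(f"{f['site']} inherits from {f['inherits_from']}: "
              f"{f['user_count']} users via {f['principals']}")
    print("bob before:", sorted(copilot_reach(sites, GROUP_MEMBERS, "bob")))
    fixed = break_inheritance(sites, "/sites/practice-litigation/matter-1042",
                              {"Matter-1042-Team": "Contribute"})
    print("bob after: ", sorted(copilot_reach(fixed, GROUP_MEMBERS, "bob")))
```

Run against a real export, the same approach turns "appears to inherit from broader groups" into a per-site count of who can actually reach the matter content, which is the evidence a review needs before deciding which sites to fix first. The before/after reach for a single user is also a useful artefact for the risk register: it documents what the remediation changed.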


Sample Finding 2: AI Acceptable-Use Rules Are Not Matter-Aware

Risk rating: Medium

Observation: The firm has draft AI guidance, but it does not distinguish between internal productivity use and client or matter-related use.

Why it matters: Lawyers and support staff need practical rules about when Copilot can summarise, draft, or analyse client material, and when partner approval or human review is required.

Evidence reviewed: Draft AI policy, pilot briefing note, interview with risk/compliance owner.

Recommended action: Add matter-aware examples, prohibited data rules, review requirements, and an escalation pathway for uncertain use cases.


Sample Finding 3: No Single Copilot Risk Register

Risk rating: Medium

Observation: Copilot risks are discussed across IT, risk, and leadership, but there is no single record of risks, owners, controls, and residual decisions.

Why it matters: Without a risk register, the firm may repeat decisions informally and lose evidence of why rollout was approved or delayed.

Evidence reviewed: Steering notes, rollout plan, interview notes.

Recommended action: Create a Copilot risk register covering data exposure, confidentiality, review quality, staff behaviour, vendor dependency, incident response, and ownership.


Sample 30/60/90-Day Roadmap

First 30 days
- Confirm pilot scope and approved use cases
- Review high-risk SharePoint and Teams locations
- Create a Copilot risk register
- Update AI acceptable-use guidance for matter-related work

Days 31-60
- Remediate high-priority permission issues through the IT or MSP owner
- Brief pilot users and partners on prohibited and restricted use
- Define exception and incident reporting process
- Review evidence with leadership before wider rollout

Days 61-90
- Expand pilot only where controls are evidenced
- Establish a periodic access-review cadence
- Update roadmap based on pilot findings
- Prepare leadership summary for partner or board review


Use This Sample To Judge Fit

If your firm needs this kind of evidence before Copilot rollout, see the Copilot Readiness Review for Law Firms.

Common questions

Is this a real client report?

No. It is an illustrative sample only. It shows the format and decision logic without using client data.

Does a control-gap report prove Copilot is safe?

No. It identifies readiness gaps, evidence reviewed, assumptions, and practical next steps before wider adoption.

Who is the report written for?

It is written for risk and compliance partners, managing partners, CIO or IT leads, MSPs, and leadership groups that need a practical decision view.

Does Summit Guard perform remediation?

The initial review does not include hands-on Microsoft 365 remediation. Findings can be handed to internal IT or an MSP for implementation planning.
