February 21, 2026

Your Sensitivity Labels Aren't Ready for Copilot. Here's How We Know.

Microsoft Security · JP Bourget · February 20, 2026 · 8 min read

Somewhere in your Microsoft 365 tenant right now, there are four sensitivity labels that somebody created eighteen months ago: Public, Internal, Confidential, Highly Confidential. They were published to "All Users." An email went out explaining them. Nobody read it.

Today, roughly 3–5% of your documents have a label. The ones that do were labeled by the same handful of people who actually care about data classification — probably someone in compliance and someone in IT security. The rest of your organization has been happily ignoring the sensitivity button in the ribbon since it appeared.

This was an acceptable state of affairs. Not great, but acceptable. Unlabeled data was still findable, but finding it required knowing where to look. A user had to navigate to the right SharePoint site, have the right permissions, and know the right folder structure. The barrier to stumbling into sensitive data was friction, and friction was doing the job your labels weren't.

Copilot just removed all the friction.

The Math Changed

When you deploy M365 Copilot, every licensed user gets an AI assistant that searches across all content they have access to via the Microsoft Graph. It doesn't navigate folder structures. It doesn't need to know which SharePoint site the board materials live in. A user types "show me our Q3 acquisition targets" and Copilot surfaces every matching document their permissions allow — classified or not, governed or not.

Here's the part that keeps CISOs up at night: Copilot doesn't make new access decisions. It inherits your existing permissions. Every overshared site, every stale guest account, every "Everyone except external users" sharing link is now instantly searchable through natural language. The data was always exposed. Copilot just made it trivially easy to find.

Labels are the mechanism that tells the rest of Purview — DLP policies, encryption, Copilot-specific DLP controls — how to treat content. Without labels, you have no classification layer. Without a classification layer, DLP has nothing to reference. And without DLP, Copilot has no guardrails.

What's Actually Broken in Most Tenants

We run Copilot Readiness Assessments across 7 security domains and 27 control points. Domain 1 is Data Security & Governance — sensitivity labels, DLP, and data classification. It's the domain with the lowest average maturity score, and it isn't close. Here's what we see in nearly every engagement:

[Infographic: Copilot Readiness Assessment, Domain 1 findings]

Labels exist but aren't mandatory. If users can skip labeling, they will. This isn't a training problem. It's a configuration problem. Mandatory labeling is a policy setting that takes five minutes to enable. Without it, you'll never get above 10% label coverage.

No default label. Every new document should start with a classification. Set "Internal" as the default. A document that starts classified and gets reclassified is infinitely better than a document that starts with nothing and stays that way forever.

Container labels aren't deployed. This is the biggest miss. Container labels apply to SharePoint sites, Teams, and Microsoft 365 Groups — they enforce private access, control guest sharing, and can set a default file label for everything created inside the container. Most organizations have file-level labels configured but zero container labels. That means every SharePoint site is governed by whatever sharing settings someone picked when they created it three years ago.

Auto-labeling isn't turned on. Manual labeling gets you to 80% coverage on a good day. Auto-labeling — which scans for sensitive information types, trainable classifiers, and custom patterns — closes the gap. It requires E5-tier licensing (full M365 E5, E5 Compliance add-on, or E5 Information Protection & Governance add-on), and most organizations that have it don't use it.

Labels don't enforce anything. A "Confidential" label that doesn't encrypt, doesn't restrict sharing, and doesn't trigger DLP policies isn't a security control. It's a sticker. Every label above "Internal" should have at least one enforcement action attached to it.
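The five findings above can be checked from PowerShell rather than clicking through the Purview portal. The script below is an added, read-only audit written for this section; it is not Blue Cycle's assessment tooling or anything from the original post. It assumes you have already run Connect-IPPSSession (ExchangeOnlineManagement module) and Connect-SPOService (Microsoft.Online.SharePoint.PowerShell). The policy setting keys it reads (mandatory, defaultlabelid, siteandgroupmandatory) are an assumption about what Get-LabelPolicy lists in its Settings property; confirm them on one policy with `Get-LabelPolicy | Format-List Settings` before trusting the output. Encryption is used as the one enforcement action visible directly on a label object, so a label that only drives DLP will still show up here and needs a manual check.

```powershell
# Added example: read-only audit of the Domain 1 findings. Not the post's or Blue Cycle's code.
# Requires an existing Connect-IPPSSession and Connect-SPOService session.
# ASSUMPTION: setting key names (mandatory, defaultlabelid, siteandgroupmandatory) match
# the keys your tenant shows in Get-LabelPolicy's Settings property.

function ConvertTo-SettingsTable {
    # Get-LabelPolicy exposes Settings as "[key, value]" entries; flatten them to a hashtable
    param([object[]]$Settings)
    $table = @{}
    foreach ($entry in $Settings) {
        if ("$entry" -match '^\[(?<key>[^,]+),\s*(?<value>.*)\]$') {
            $table[$matches.key.Trim().ToLower()] = $matches.value.Trim()
        }
    }
    return $table
}

$findings = [System.Collections.Generic.List[string]]::new()

# Findings 1 and 2: mandatory labeling and a default label on every published policy
foreach ($policy in Get-LabelPolicy) {
    $s = ConvertTo-SettingsTable -Settings $policy.Settings
    if ($s['mandatory'] -ne 'true') {
        $findings.Add("Policy '$($policy.Name)': mandatory labeling is OFF")
    }
    if (-not $s['defaultlabelid']) {
        $findings.Add("Policy '$($policy.Name)': no default file/email label")
    }
    if ($s['siteandgroupmandatory'] -ne 'true') {
        $findings.Add("Policy '$($policy.Name)': container (site/group) labeling is not mandatory")
    }
}

# Finding 5: every label ranked above 'Internal' should enforce something.
# Higher Priority = more sensitive, so skip Internal and anything below it.
$labels   = Get-Label
$internal = $labels | Where-Object { $_.Name -eq 'Internal' }
foreach ($label in $labels) {
    if ($null -ne $internal -and $label.Priority -le $internal.Priority) { continue }
    if (-not $label.EncryptionEnabled) {
        $findings.Add("Label '$($label.Name)' (priority $($label.Priority)) does not encrypt; verify it drives at least one DLP policy")
    }
}

# Finding 3: container label coverage across SharePoint sites.
# SensitivityLabel holds the label GUID when a container label is applied, otherwise it is empty.
$sites   = @(Get-SPOSite -Limit All)
$labeled = @($sites | Where-Object { -not [string]::IsNullOrEmpty($_.SensitivityLabel) })
$pct     = if ($sites.Count -gt 0) { [math]::Round(100 * $labeled.Count / $sites.Count, 1) } else { 0 }
$findings.Add("Container labels: $($labeled.Count) of $($sites.Count) sites labeled ($pct%)")

# Finding 4: auto-labeling policies, and whether any is still stuck in simulation
$auto = @(Get-AutoSensitivityLabelPolicy)
if ($auto.Count -eq 0) {
    $findings.Add('Auto-labeling: no policies exist')
} else {
    foreach ($p in $auto) {
        $findings.Add("Auto-labeling policy '$($p.Name)': Mode=$($p.Mode)")
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it weekly and diff the output; the container-coverage line and the auto-labeling Mode values are the two numbers that change fastest once remediation starts.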

The Fix Is Boring and It Works

The remediation isn't complicated. It's just methodical:

[Infographic: Sensitivity Label Remediation, the fix in 6 steps over 3–6 weeks (Blue Cycle Organize / Transform / Accelerate framework)]

1. Simplify the taxonomy. Four to six top-level labels. Microsoft's default ships with five. If yours needs a decision tree to navigate, rebuild it.

2. Enable default + mandatory labeling. Default label: Internal. Mandatory labeling: on for everyone. This single change will take you from 5% coverage to 70%+ within weeks.

3. Deploy container labels. Label your SharePoint sites and Teams. Enforce private access on anything containing sensitive data. Set default file labels for sensitive containers.

4. Turn on auto-labeling in simulation mode. Start with high-confidence SITs — credit card numbers, SSNs, account numbers. Review simulation results. Enforce when accuracy is acceptable.

5. Build DLP policies that reference your labels. Block external sharing of "Highly Confidential." Alert on "Confidential" documents being downloaded to unmanaged devices. This is where labels become enforcement.

6. Measure with Content Explorer and Activity Explorer. Track label coverage weekly. Watch for downgrade activity. Report to leadership monthly. A label program nobody measures is a label program that dies.
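Steps 2 through 6 above map onto Security & Compliance PowerShell and the SharePoint Online management shell. What follows is an added example written for this post, not Blue Cycle's deployment script; it assumes an existing Connect-IPPSSession and Connect-SPOService session, a label policy named Global that publishes the four-label taxonomy from the opening paragraph, and a placeholder site URL. Two things are assumptions to confirm against Microsoft Learn before running: that Mandatory and DefaultLabelId are accepted as -AdvancedSettings keys on Set-LabelPolicy, and the labels= hashtable shape inside the DLP condition. Both the auto-labeling policy and the DLP policy are created in their test modes, which is the simulation-first ordering step 4 describes.

```powershell
# Added example: steps 2-6 of the remediation as PowerShell. Not the post's or Blue Cycle's code.
# Requires Connect-IPPSSession and Connect-SPOService. 'Global' and the site URL are placeholders.
# ASSUMPTIONS: Mandatory/DefaultLabelId as -AdvancedSettings keys; labels= shape in the DLP rule.

# Step 2: default label 'Internal', mandatory labeling, and justification on downgrade
$internal = Get-Label -Identity 'Internal'
Set-LabelPolicy -Identity 'Global' -AdvancedSettings @{
    DefaultLabelId                = $internal.Guid
    Mandatory                     = 'true'
    RequireDowngradeJustification = 'true'
}

# Step 3: turn 'Highly Confidential' into a container label that forces private sites with
# no guest access, then apply it to a site (placeholder URL)
Set-Label -Identity 'Highly Confidential' `
    -ContentType 'File, Email, Site, UnifiedGroup' `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false
$hc = Get-Label -Identity 'Highly Confidential'
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/board-placeholder' -SensitivityLabel $hc.Guid

# Step 4: auto-labeling in simulation mode (TestWithoutNotifications) on high-confidence SITs
New-AutoSensitivityLabelPolicy -Name 'AutoLabel-HC-Financial' `
    -ApplySensitivityLabel 'Highly Confidential' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Name 'HC-CreditCard-SSN' -Policy 'AutoLabel-HC-Financial' `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    )
# Only after the simulation results look accurate:
# Set-AutoSensitivityLabelPolicy -Identity 'AutoLabel-HC-Financial' -Mode Enable

# Step 5: DLP keyed on the label: block 'Highly Confidential' shared outside the organization.
# Starts in TestWithNotifications; switch to Enable with Set-DlpCompliancePolicy once tuned.
New-DlpCompliancePolicy -Name 'DLP-HC-NoExternalSharing' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications
New-DlpComplianceRule -Name 'Block-HC-External' -Policy 'DLP-HC-NoExternalSharing' `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(@{ operator = 'Or'; name = 'HC'
                        labels = @(@{ name = 'Highly Confidential'; type = 'Sensitivity' }) })
    } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier

# Step 6: the container-side coverage number for the weekly report
# (file-level coverage still comes from Content Explorer)
$sites   = @(Get-SPOSite -Limit All)
$labeled = @($sites | Where-Object { -not [string]::IsNullOrEmpty($_.SensitivityLabel) })
"{0} of {1} sites carry a container label" -f $labeled.Count, $sites.Count
```

The order matters: the label has to exist and be published before the auto-labeling policy can reference it by name, and the DLP rule is only meaningful once the label is actually being applied, which is why steps 2 and 3 come first.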

None of this is new technology. None of it requires a six-month project. The typical timeline for a full sensitivity label deployment — from taxonomy design through auto-labeling enforcement — is three to six weeks. The problem has never been the technology. It's that nobody prioritized it until Copilot made the consequences of unlabeled data impossible to ignore.

The Copilot Angle Is Your Executive Buy-In

If you've been trying to get budget and attention for data classification and failing, Copilot is your leverage. Executives who yawn at "data classification maturity improvement" will pay very close attention when the message is "without this, Copilot will show every employee your M&A documents, compensation data, and board presentations."

That's not hypothetical. That's what the assessment finds. Every time.

Blue Cycle holds the Microsoft Information Protection & Governance specialization and runs Copilot Readiness Assessments across 7 security domains and 27 control points. If you're deploying Copilot — or if your labels aren't doing their job — book an assessment and find out exactly where the gaps are before Copilot finds them for you.
