Copilot Data Exposure: Why 93% Confidence Hides a Real Risk

The Announcement

A new survey of 851 IT leaders across seven countries has put a sharp number on one of enterprise AI’s most uncomfortable contradictions. Conducted by a Microsoft 365 governance vendor, the study finds that 93% of respondents say their governance framework is ready to support AI responsibly, yet 29% of those same organizations have already experienced incidents where AI tools surfaced sensitive data that shouldn’t have been accessible. Another 8% weren’t sure. The exposed content spans contracts, employee records, strategic plans, and customer lists. With Copilot deployed in 93% of surveyed environments, the gap between declared readiness and operational reality is no longer theoretical.

Our Analysis

The Confidence Gap Is a Visibility Problem, Not a Competence Problem

The 93%/29% split deserves to be read carefully. These aren’t organizations that skipped governance planning. Most have done permission reviews, established policies, and deployed Copilot through IT-sanctioned channels. The problem is that their confidence is calibrated to the work they’ve already done, not the exposure they can’t see.

Oversharing in Microsoft 365 environments is almost always the product of entropy. Permissions inherited across reorganizations. SharePoint sites that outlived their projects. Guest access granted for a vendor engagement and never revoked. In a pre-AI environment, this accumulated quietly. A forgotten “anyone with the link” share was a theoretical risk that rarely materialized, because humans don’t manually trawl through thousands of documents looking for sensitive content. Copilot does, in seconds, at the direction of any user who happens to have inherited the wrong access level.

This is the core dynamic the survey exposes: AI didn’t create the oversharing problem. It industrialized it. The organizations reporting incidents aren’t necessarily the ones with worse governance cultures. They may simply be the ones where Copilot found the exposure first.

What ITDMs Need to Understand About the ROI Calculus

The financial framing in this survey is telling. Forty-nine percent of organizations report that AI-related costs are consuming 11% or more of their IT budget. Yet 51% say cost visibility is their primary barrier to measuring AI ROI, and 47% cite governance complexity as a close second. That’s a meaningful share of budget spent on capabilities that leadership can’t yet quantify.

Seventy-eight percent of respondents connect governance quality directly to organizational confidence in AI investments. That linkage matters. If the next budget cycle includes a Copilot expansion or a broader Microsoft 365 Copilot rollout, the governance story has to hold up. A 29% incident rate doesn’t hold up. It invites scrutiny, compresses timelines, and gives skeptical stakeholders the evidence they need to delay or defund expansion.

ECI Research’s analysis of enterprise FinOps maturity found that organizations with the highest FinOps maturity are distinguished not by the most advanced tools, but by the most integrated teams. The same principle applies to AI governance. The organizations avoiding Copilot data exposure aren’t necessarily running the most sophisticated access control platforms. They’re the ones where IT, security, and data governance work from a shared accountability model rather than siloed checklists. This survey’s finding that only 48% have a clearly defined AI governance owner with consistent enforcement is the structural problem underneath the incident numbers.

What Developers and Platform Teams Need to Act On

For developers and platform engineers, the practical implication is that permissions hygiene is now a release-readiness consideration, not just an IT ops concern. If your organization is building applications that integrate with Microsoft 365 data through Copilot or the Graph API, the access surface of those integrations is a security boundary, full stop.

The survey shows that only 51% of organizations completed an organization-wide content cleanup before deploying Copilot. The other 35% did departmental cleanups, and the remainder did nothing. Partial cleanup creates a class of production environments where the blast radius of a misconfigured permission isn’t bounded to the department that got cleaned up. It extends to everything still indexed.

ECI Research’s 2025 Application Development survey found that 83.8% of respondents use code scan tools during CI/CD processes. That level of adoption reflects a mature understanding that automated scanning during the pipeline is cheaper and more reliable than catching issues in production. The same logic should be applied to permissions and data governance in AI-enabled environments: continuous automated monitoring before and after deployment, not periodic manual reviews.

Only 37% of surveyed organizations describe their governance as highly automated and continuously monitored. The remaining 63% are operating a manual or reactive model in an environment where AI creates and surfaces exposure faster than any manual review cycle can track.
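One way to turn the "continuous automated monitoring" point into a concrete check is to audit a flattened permissions inventory for the three entropy patterns described earlier (anonymous links on sensitive content, guest grants that were never revoked, organization-wide shares on sites that outlived their projects). This is an added example, not code from the article or from any governance vendor; the inventory records, their field names, and the thresholds are constructed here and stand in for whatever permissions export your own tooling produces.

```python
from datetime import date

# Constructed inventory (assumption): one row per grant, flattened from a
# SharePoint/OneDrive permissions export. Field names are illustrative only.
INVENTORY = [
    {"site": "Finance", "item": "customer-list.xlsx", "label": "Confidential",
     "scope": "anonymous", "grantee": None, "granted": "2023-02-10",
     "site_last_activity": "2025-05-01"},
    {"site": "Legal", "item": "vendor-contract.docx", "label": "Confidential",
     "scope": "guest", "grantee": "ext-vendor@example.com", "granted": "2022-11-03",
     "site_last_activity": "2025-05-01"},
    {"site": "Project-Atlas", "item": "strategy-2023.pptx", "label": "Internal",
     "scope": "organization", "grantee": None, "granted": "2023-01-15",
     "site_last_activity": "2023-06-30"},
    {"site": "HR", "item": "handbook.pdf", "label": "Public",
     "scope": "anonymous", "grantee": None, "granted": "2024-09-01",
     "site_last_activity": "2025-05-01"},
]

SENSITIVE = {"Confidential", "Highly Confidential"}
GUEST_MAX_DAYS = 180    # guest grants older than this without review are flagged
STALE_SITE_DAYS = 365   # no site activity for this long: the project has outlived it


def audit(records, today_iso):
    """Return one finding per oversharing pattern detected in the inventory.
    Copilot honours exactly these grants, so each finding is content Copilot can
    surface to that grantee in seconds. `today_iso` fixes the reference date so
    the check is reproducible in a scheduled pipeline run."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in records:
        granted = date.fromisoformat(r["granted"])
        last_activity = date.fromisoformat(r["site_last_activity"])
        if r["scope"] == "anonymous" and r["label"] in SENSITIVE:
            findings.append({"kind": "anonymous-link-on-sensitive",
                             "site": r["site"], "item": r["item"]})
        if r["scope"] == "guest" and (today - granted).days > GUEST_MAX_DAYS:
            findings.append({"kind": "stale-guest-grant", "site": r["site"],
                             "item": r["item"], "grantee": r["grantee"]})
        if r["scope"] == "organization" and (today - last_activity).days > STALE_SITE_DAYS:
            findings.append({"kind": "org-wide-share-on-stale-site",
                             "site": r["site"], "item": r["item"]})
    return findings


def summarize(findings):
    """Count findings by kind; a non-empty result should fail the release gate."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit(INVENTORY, "2025-06-01"):
        print(finding)
```

Run on a schedule (and as a pre-deployment gate), the same function that flags the Finance anonymous link today will also catch the Legal guest grant once it crosses the age threshold, which is the difference between a one-time cleanup and continuous monitoring.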

Looking Ahead

Governance Will Become a Copilot Procurement Criterion

Over the next 12 to 18 months, expect enterprise procurement criteria for Copilot expansions and renewals to increasingly include governance readiness benchmarks. The 78% of respondents who already connect governance to AI investment confidence are, in effect, setting up a demand signal. CISOs and data protection officers who have experienced even one Copilot-related exposure incident are unlikely to approve expanded licensing without documented evidence of remediation.

This will accelerate consolidation in the Microsoft 365 governance tooling market. Organizations running a patchwork of periodic reviews and departmental cleanups will face pressure from both legal and procurement to move toward continuously monitored, auditable governance postures. ECI Research’s analysis of the cloud market found that the average enterprise now uses more than two public cloud platforms, with Kubernetes, Snowflake, and GenAI often coexisting across a patchwork of teams, workloads, and tools. Add Copilot to that picture, and the governance surface area compounds. Organizations that treat Microsoft 365 governance as isolated from their broader cloud and AI governance strategy will find themselves managing incidents across multiple exposure vectors simultaneously.

The Organizational Model Matters More Than the Tooling Tier

The organizations that close this gap fastest won’t necessarily be the ones with the most sophisticated platforms. They’ll be the ones that appoint clear ownership, implement continuous monitoring as a baseline, and treat permissions cleanup as an ongoing operational practice rather than a one-time pre-deployment project. The survey’s data on governance workload increasing for 71% of organizations after AI deployment confirms what most experienced practitioners already know: AI governance is not a project with an end date. It’s an operational discipline. The teams that build it into their operating model now will spend less on incident remediation, have more defensible ROI numbers, and face fewer uncomfortable conversations with leadership and regulators in the years ahead.

Authors

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.

  • Sam Weston

    With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.