Microsoft’s Copilot has faced significant security failures, having ignored sensitivity labels for confidential emails on two separate occasions within eight months, impacting organizations like the U.K.’s National Health Service. According to a report by BleepingComputer, the latest incident began on January 21, 2026, and lasted four weeks, during which no security tool flagged the breach. This follows a critical vulnerability known as “EchoLeak,” which allowed a malicious email to exfiltrate data without any user action, highlighting a design flaw in how AI systems handle trusted and untrusted data. A survey by Cybersecurity Insiders revealed that 47% of Chief Information Security Officers have witnessed AI agents exhibiting unauthorized behavior.
Why do we care?
EchoLeak demonstrated that Copilot cannot reliably distinguish between a trusted instruction and an attacker-controlled instruction embedded in an email. That’s an architectural enforcement failure. Eight months later, Copilot ignores sensitivity labels for four weeks in production, affecting the NHS, and no security tool flags it. Both incidents stem from the same root cause: Copilot aggregates across permission boundaries without an AI-specific enforcement layer.
MSPs who sold Copilot into regulated environments based on Microsoft’s compliance marketing are now holding a tool with two documented control failures and a monitoring stack that demonstrably cannot detect those failures in real time.
The bad decision here is waiting for Microsoft’s patch and moving on. AI inference operating outside the classification enforcement plane isn’t fixed with a patch; it requires an architectural rebuild Microsoft hasn’t announced. If you can’t document how AI access is enforced, monitored, and contractually scoped, you shouldn’t be selling it into regulated environments.

