Answer box
Microsoft 365 Copilot and ChatGPT Enterprise both promise enterprise-grade AI without the data exposure of consumer chatbots — and both deliver, partially. They leak differently. Copilot's leaks are mostly internal — it surfaces files and data users have permission to see but shouldn't, because the underlying M365 permissions were never tight enough. ChatGPT Enterprise's leaks are mostly external — employees paste sensitive data into prompts, attach files with classified content, or use connected tools that expose data to the model provider. Both require dedicated prompt DLP and response inspection layered on top of the vendor controls. This guide is the side-by-side teardown of each leak profile and the specific controls that close them.
Why this comparison matters
Microsoft 365 Copilot and ChatGPT Enterprise are now the two most-deployed enterprise AI products. By the end of 2026, most Fortune 1000 enterprises will run both. The two products solve overlapping problems with very different architectures — and very different leak profiles. Most CISOs we talk to treat them as equivalent risks. They are not.
Microsoft itself published Copilot readiness guidance acknowledging that Copilot does not break your permissions model — it exposes the one you already had. OpenAI publishes a similar acknowledgment for ChatGPT Enterprise: data sent through prompts is governed by the customer's controls, not OpenAI's. In both cases, the vendor draws a line at the platform's edge. Everything beyond that line is the CISO's job.
Below is what that job actually looks like.
Where Microsoft 365 Copilot leaks
Copilot's threat model is inward-facing. It is a search and reasoning layer on top of your existing M365 tenant. It only ever surfaces content the user is already authorized to see. That sounds safe — until you remember the typical M365 permissions hygiene.
Leak class 1 — Permissions oversharing
The single largest source of Copilot incidents. Users have access to documents, sites, and OneDrive folders they shouldn't, because the tenant accumulated "Everyone except external users" ACLs, broken inheritance, and forgotten "shared with my team" links over a decade.
Pre-Copilot, the oversharing was latent. Users had access in theory but never browsed there. Copilot operationalizes the access — a single prompt now returns information from every document the user was technically permitted to see.
Common scenarios:
- HR documents shared with "Everyone in the company" appear in answers to "what's our parental leave policy" — including draft policies, exec compensation discussions, or PIP templates.
- M&A working folders left at default permissions surface in answers to seemingly innocent queries.
- SharePoint sites for finance, legal, or strategy created with permissive defaults get summarized in Teams answers.
Leak class 2 — Plugin and connector exfiltration
Copilot connects to third-party connectors and Graph plugins. Each adds a data path out of the tenant. Permissions granted to plugins are often broader than the user understands. A "marketing analytics" plugin granted Files.Read.All can read across the tenant.
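A review of plugin and connector grants for this leak class can start from the delegated permission grants in the tenant. The sketch below is an added example, not Microsoft's or AccuroAI's code: it assumes grant records shaped like Microsoft Graph oauth2PermissionGrant objects, and the sample records and the choice of which scopes count as broad are constructed for illustration.

```python
# Added example; records mimic Microsoft Graph oauth2PermissionGrant objects.
# All ids and grants below are constructed sample data.

# Assumption: delegated scopes treated as "broad" for this review.
BROAD_SCOPES = {
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.Read.All",
}

SAMPLE_GRANTS = [
    {"clientId": "sp-marketing-analytics", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.Read.All"},
    {"clientId": "sp-calendar-helper", "consentType": "Principal",
     "principalId": "user-0042", "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-notes-sync", "consentType": "Principal",
     "principalId": "user-0007", "scope": "Sites.ReadWrite.All offline_access"},
]


def audit_grants(grants, broad_scopes=BROAD_SCOPES):
    """Return findings for grants that include a broad scope, worst first."""
    findings = []
    for grant in grants:
        scopes = set((grant.get("scope") or "").split())
        risky = sorted(scopes & broad_scopes)
        if not risky:
            continue
        # AllPrincipals = consent given once on behalf of every user.
        org_wide = grant.get("consentType") == "AllPrincipals"
        findings.append({
            "clientId": grant["clientId"],
            "risky_scopes": risky,
            "org_wide_consent": org_wide,
            "severity": "high" if org_wide else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["clientId"]))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```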
Leak class 3 — Prompt and response logging
Copilot's prompts and responses are logged. By default, they are retained per Microsoft Purview policy. If your audit team doesn't have Purview AI Hub configured, those interactions are still happening and being retained somewhere — they're just not visible to you.
Leak class 4 — Sensitivity label inheritance failures
Copilot is supposed to inherit sensitivity labels and propagate them to generated outputs. In practice, labels are applied inconsistently, mixed-source outputs sometimes lose their highest label, and downstream actions (Teams paste, email send) sometimes drop the label entirely.
Leak class 5 — Chat and email content reuse
Copilot reads chat and email history to answer queries. A confidential thread between two executives becomes context for a third executive's prompt if they were copied on the chain. Most "M365 oversharing" diagnostic tools focus on files; chat oversharing is structurally less audited.
Where ChatGPT Enterprise leaks
ChatGPT Enterprise's threat model is outward-facing. The product itself is well-designed — SSO, SCIM, no training on customer data by default, enterprise-grade logging. The leaks come from how employees use it.
Leak class 1 — Direct prompt paste
The dominant pattern. An employee pastes a customer support transcript, a financial spreadsheet, a code file, or a contract into the chat. The data leaves the corporate boundary even though ChatGPT Enterprise doesn't train on it — because the data is now in OpenAI's compute path, logged in your tenant, and outside your DLP's normal flow.
Surveys consistently find 1 in 3 employees paste sensitive data into LLMs weekly. ChatGPT Enterprise doesn't fix that; it just gives the practice a corporate license.
Leak class 2 — File upload and connector breadth
ChatGPT's enterprise file upload + connector model lets users attach files or connect their own GitHub, Google Drive, and SharePoint. The connectors are scoped to the user — which means the connector has access to anything the user has access to. The same oversharing problem as Copilot, applied to OpenAI's context window.
Leak class 3 — GPT custom-action data flow
Custom GPTs can be configured to call external APIs. An employee builds a "research assistant" that calls a third-party data provider — and now data routed through that GPT also routes through the external API. Few enterprises track the data-flow surface of custom GPTs.
Leak class 4 — Prompt history shadow
ChatGPT Enterprise logs prompts to your tenant. If those logs are not pulled into your SIEM and inspected, you have a parallel record of sensitive prompts no human reviews. Compliance teams have started asking what's in this log; most enterprises cannot answer.
Leak class 5 — Cross-employee context bleed
ChatGPT memory features, if enabled, can create cross-session context that surfaces information from prior conversations to current users. Memory is supposed to be per-user — but configuration errors and shared-account misuse have produced incidents.
Side-by-side risk comparison
| Risk dimension | Microsoft 365 Copilot | ChatGPT Enterprise |
|---|---|---|
| Data boundary | Stays inside tenant; leaks are internal exposure | Crosses to OpenAI; leaks are external exposure |
| Primary leak vector | Permissions oversharing | Direct prompt paste |
| Vendor control coverage | Identity, audit (with Purview), sensitivity labels | SSO, SCIM, no-training, audit logs |
| CISO control coverage | Permissions remediation, sensitivity labels, plugin governance | Prompt DLP, file inspection, connector allowlist |
| Hardest leak to detect | Sensitivity-label inheritance failure | Custom GPT external API exfiltration |
| Auditor's first question | "What does the tenant actually share?" | "What's in the prompt logs?" |
| Time to first incident | Days after rollout, almost always permissions-driven | Days after rollout, almost always paste-driven |
Both products are safer than the consumer alternatives users would otherwise reach for. Neither is a complete control on its own.
The control layer that plugs both
Five controls cover the bulk of both leak profiles. None of them is in either vendor product by default.
Control 1 — Inline prompt inspection
Every prompt to either platform passes through inspection before reaching the model. PII, PHI, source code, secrets, financial data, M&A keywords, customer identifiers — all detected and redacted before the prompt leaves the corporate trust boundary.
For Copilot, this catches prompts that would surface oversharing patterns ("summarize the latest PIP templates"). For ChatGPT, it catches the paste-into-chat pattern that drives most incidents.
Control 2 — Response inspection
Every model response passes through inspection before reaching the user. Sensitive data the model surfaced from connectors, files, or permissions oversharing is redacted with audit logging.
This is the structural defense against Copilot oversharing — the user might be technically permitted to see the document, but the response inspection enforces policy, not just permissions.
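Controls 1 and 2 can share one inspection routine applied in both directions. The following is an added example, not AccuroAI's or either vendor's implementation: the detector patterns, placeholder format, and sample strings are assumptions chosen for illustration, and the card detector uses a Luhn checksum so that ordinary digit runs such as order numbers are not redacted.

```python
import re

# Illustrative detector set (an assumption, not a vendor rule pack).
DETECTORS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "CARD_NUMBER": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

# Constructed samples: a test card number and AWS's documentation key id.
SAMPLE_PROMPT = ("Customer jane.doe@example.com paid with 4111 1111 1111 1111, "
                 "order 1234567890123.")
SAMPLE_RESPONSE = "The deploy script uses AKIAIOSFODNN7EXAMPLE as the key id."


def luhn_ok(candidate):
    """Checksum test that separates card numbers from other digit runs."""
    total = 0
    digits = [int(c) for c in candidate if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_text(text, direction):
    """Redact detector hits; return (redacted_text, audit_findings)."""
    hits = []
    for kind, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            if kind == "CARD_NUMBER" and not luhn_ok(m.group()):
                continue
            hits.append((m.start(), m.end(), kind))
    out, pos, findings = [], 0, []
    for start, end, kind in sorted(hits):
        if start < pos:  # overlaps an earlier hit that was already redacted
            continue
        out += [text[pos:start], f"[REDACTED:{kind}]"]
        # The audit record keeps type and position, never the raw value.
        findings.append({"direction": direction, "type": kind,
                         "start": start, "length": end - start})
        pos = end
    out.append(text[pos:])
    return "".join(out), findings
```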
Control 3 — Connector and plugin governance
A signed allowlist of approved connectors, plugins, and custom GPTs. Anything else is denied at runtime. Connector data flows are documented in the AI Bill of Materials.
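A deny-by-default check against a signed allowlist, as an added example that is not the platform's own code. It assumes HMAC-SHA256 as a stand-in for the signature scheme (a deployment would more likely use an asymmetric signature so the runtime holds no signing key), and the connector ids, scope names, and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key and entries. HMAC-SHA256 stands in for the signature
# scheme (an assumption): it needs only the standard library.
DEMO_KEY = b"constructed-demo-key"
ENTRIES = [
    {"id": "crm-connector", "scopes": ["read:contacts"]},
    {"id": "wiki-connector", "scopes": ["read:pages", "read:files"]},
]


class AllowlistError(Exception):
    """Raised when the allowlist fails signature verification."""


def sign_allowlist(entries, key):
    # Canonical JSON so the same entries always produce the same MAC.
    body = json.dumps(sorted(entries, key=lambda e: e["id"]),
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def load_allowlist(document, key):
    """Verify the signature before trusting any entry."""
    expected = sign_allowlist(document["entries"], key)
    if not hmac.compare_digest(expected, str(document.get("signature", ""))):
        raise AllowlistError("allowlist signature mismatch")
    return {e["id"]: set(e["scopes"]) for e in document["entries"]}


def authorize(allowlist, connector_id, requested_scopes):
    """Deny by default: unknown connectors and unapproved scopes both fail."""
    approved = allowlist.get(connector_id)
    if approved is None:
        return False, "connector not on allowlist"
    extra = sorted(set(requested_scopes) - approved)
    if extra:
        return False, "scopes not approved: " + ", ".join(extra)
    return True, "approved"
```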
Control 4 — Sensitivity propagation
Sensitivity labels are read at prompt time and applied to responses. Mixed-source responses receive the highest label of any source. Downstream actions (paste, send) respect the label.
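The propagation rule above, and the inheritance failures described under Copilot leak class 4, can be expressed as a small policy function. This is an added example rather than Purview's or AccuroAI's logic: the label taxonomy, the action ceilings, and the choice to treat unlabeled or unrecognized sources as the highest label are assumptions.

```python
# Assumed label taxonomy (lowest to highest) and downstream-action policy.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]
RANK = {name: rank for rank, name in enumerate(LABEL_ORDER)}
ACTION_CEILING = {"teams_paste": "Confidential", "external_email": "General"}


def response_label(source_labels, default="General"):
    """Label for a generated answer: the highest label among its sources."""
    if not source_labels:
        return default  # nothing retrieved, fall back to the default label
    top = 0
    for label in source_labels:
        # Fail closed: an unlabeled or unrecognized source counts as highest,
        # so a missing label can never lower the label on the output.
        top = max(top, RANK.get(label, len(LABEL_ORDER) - 1))
    return LABEL_ORDER[top]


def action_allowed(action, label):
    """Allow a downstream action only at or below its label ceiling."""
    ceiling = ACTION_CEILING.get(action)
    if ceiling is None or label not in RANK:
        return False  # unknown action or label: deny
    return RANK[label] <= RANK[ceiling]


if __name__ == "__main__":
    label = response_label(["General", "Highly Confidential", "Public"])
    print(label, action_allowed("teams_paste", label))
```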
Control 5 — Unified audit
Every prompt and response — Copilot, ChatGPT Enterprise, Claude Enterprise, Gemini Workspace — flows into a single audit store with consistent schema. This is what makes incident response and compliance evidence possible. Without it, you have four separate audit silos and four separate stories to tell auditors.
What Microsoft and OpenAI give you, and what they don't
It is worth being explicit about the vendor split, because both vendors are doing real work — just not all of it.
Microsoft Purview AI Hub gives you sensitivity labels, prompt and response logging, and a basic DLP layer over Copilot interactions. It does not solve the underlying permissions oversharing. It does not extend to ChatGPT Enterprise, Claude, or Gemini. It is most effective if your tenant is Purview-native; otherwise the coverage is partial.
OpenAI's ChatGPT Enterprise controls give you SSO, SCIM, audit logs, no-training-on-data, and admin controls over connectors. They do not inspect prompt content for sensitive data. They do not inspect responses. They do not extend to Microsoft Copilot, Claude, or Gemini.
If you stop at vendor-native controls, you have two strong baselines and four gaps: prompt content inspection, response inspection, connector governance, and unified audit. Those four gaps are exactly what dedicated AI control planes — AccuroAI included — fill.
Practical rollout plan
A 60-day plan that covers both products in parallel:
| Week | Copilot side | ChatGPT Enterprise side |
|---|---|---|
| 1 | Run an oversharing scan on the M365 tenant | Inventory custom GPTs and connectors |
| 2 | Enable Purview AI Hub if not already; pipe logs to SIEM | Enable prompt + response inspection |
| 3 | Apply sensitivity labels to top 100 most-accessed sites | Deploy paste-pattern DLP rules |
| 4 | Remediate top 20 oversharing findings | Audit external connector data flows |
| 5 | Deploy response inspection over Copilot answers | Deploy response inspection over ChatGPT |
| 6 | Test sensitivity-label propagation end-to-end | Lock down custom GPT external actions |
| 7 | Tabletop: M&A document surfaces in HR answer | Tabletop: customer data pasted into prompt |
| 8 | Sign off on unified audit; brief AI risk committee | Sign off on unified audit; brief AI risk committee |
At week 8 you should be able to answer the auditor's first questions on both platforms with evidence.
What this looks like on the AccuroAI platform
AccuroAI's Protect layer applies Controls 1, 2, and 4 to Copilot, ChatGPT Enterprise, Claude Enterprise, Gemini Workspace, Perplexity, and any model behind a custom GPT or MCP server, with a single policy engine and unified audit log. The Govern layer applies Control 3. Customers running both Copilot and ChatGPT Enterprise typically deploy AccuroAI between users and both platforms because the alternative is operating two parallel control stacks.
We cover the Copilot and ChatGPT Enterprise integrations directly on the product page: Data Security for AI — Microsoft Copilot and Data Security for AI — ChatGPT.
FAQ
Is ChatGPT Enterprise more or less secure than Microsoft 365 Copilot? Neither is more or less secure in the abstract. They have different leak profiles and require different controls. Copilot's risk is internal oversharing; ChatGPT Enterprise's risk is external exfiltration via prompts and connectors. A complete program addresses both.
Does Microsoft Purview AI Hub cover ChatGPT Enterprise? Limited and indirect coverage. Purview can apply some endpoint and browser DLP to ChatGPT usage, but it does not natively inspect ChatGPT Enterprise prompts or responses at the platform level. Enterprises running both typically use a dedicated AI control plane for unified coverage.
Does ChatGPT Enterprise's "no training on data" guarantee mean my data is safe? No. It means OpenAI will not use your data to train its public models. Your data still passes through OpenAI's infrastructure, is logged in your tenant, and can be exposed by prompt-paste, connector configurations, or custom GPT actions. Vendor data-handling guarantees and enterprise DLP are separate concerns.
Which platform should I roll out first? Whichever your business demands faster. From a security standpoint, the controls overlap heavily — the same prompt DLP, response inspection, and audit pipeline work for both. Build them once and apply to both.
How do I detect Copilot oversharing without a full M365 permissions audit? Run sample prompts known to surface oversharing patterns (HR policies, exec compensation, M&A keywords). The results tell you where to focus the audit. AccuroAI runs this as part of pilots.
Sources: Microsoft Copilot readiness guidance (Microsoft Learn), OpenAI ChatGPT Enterprise security documentation, WitnessAI on Copilot risks, Nightfall AI on Glean + Claude data flow.