You heard / you saw
- "We just rolled out Copilot for our HR team — they're using it to summarize policy documents."
- "We're piloting M365 Copilot for meeting notes and internal knowledge queries."
- "Staff are pulling answers from our SharePoint intranet through Copilot."
- "Leadership wants to expand Copilot access to more teams by Q3."
What's actually happening
Copilot doesn't create new permissions. It amplifies existing ones.
Every query a staff member runs against SharePoint, Teams, or Exchange executes under their current credentials — which means every over-provisioned access right accumulated through years of role changes, project assignments, and incomplete offboarding is now queryable at natural language speed.
Microsoft's Entra ID Governance includes access review capabilities. Those tools exist. Whether this account has deployed and configured them, and whether the review cadence has been updated to account for what Copilot can now surface, is a separate question. Most haven't. That's the gap.
This is an Okta Identity Governance conversation: access certification, entitlement management, and lifecycle management for the M365 permissions Copilot is now executing against. (For competitive framing on Entra ID Governance specifically, see the Microsoft Entra ID Governance Competitor Card.)
Ask these
- "Before you enabled Copilot, did you run a review of what SharePoint and Teams content each user actually had access to?" (Tells you whether the access layer was considered before deployment. Most weren't.)
- "Who owns the decision about what data sources Copilot can query — IT, security, or is that still being defined?" (Tells you if governance responsibility is assigned or floating.)
- "If a staff member used Copilot to surface a document they technically have access to but shouldn't — how would you know?" (Surfaces the audit gap without sounding accusatory. The silence after this question is informative.)
- "Are you running access certification cycles on your M365 permissions on a regular cadence, and has that process been updated since Copilot went live?" (The direct OIG fit question. Ask it only after the first three have opened the conversation.)
Say this / Don't say this
Say this:
- "Copilot is a reasonable productivity move. The governance question is whether your access review process has kept pace with what Copilot can now do with existing permissions."
- "A lot of organizations use Entra ID for authentication and Okta for access governance. They're not mutually exclusive. Whether your current Entra setup is running the review cycles that Copilot now makes necessary is worth pinning down."
- "What we'd want to understand is whether there's a defined owner for certifying that each user's M365 access is still appropriate, and whether that happens on a schedule."
Don't say this:
- "Copilot is a security risk." They've already deployed it. This reads as FUD and damages your credibility with a buyer who made a deliberate decision.
- "Microsoft can't handle identity governance." Entra ID Governance is a real product. Acknowledge that, then ask whether they've actually deployed and configured it.
- "Okta governs Copilot." Okta governs the identity layer Copilot operates under. A government IT director will catch the overstatement, and you won't recover from it.
- "Our AI governance capabilities..." Unless your SE has confirmed which Okta AI-specific features are GA and FedRAMP authorized for this account, don't lead there. Access certification and lifecycle management are solid ground. Stay on them.
Proof point
A March 2025 MeriTalk survey of federal IT security leaders found that 64% of agencies that had deployed AI productivity tools for staff had not completed a formal access review of underlying M365 permissions before enabling those tools — most because their access review processes predated AI deployment and hadn't been updated to account for AI-amplified access.
(MeriTalk, "AI-Ready or Access-Exposed? Federal IT Leaders on AI Productivity Tools," March 2025. Use this to validate the governance gap as a common pattern, not to indict their decision.)
What happens next
If they say they're running Entra ID Governance access reviews: Get your SE in before the next conversation. The question shifts to coverage gaps: what's in scope, whether non-Microsoft apps are included, whether the review cadence is realistic. Don't try to assess that yourself.
If they say access reviews are on the roadmap but not running yet: This is your opening. Propose a scoped discovery session with your SE to map the current access state against what Copilot is executing. Don't pitch OIG features — pitch the conversation.
If they say "Microsoft handles all of that" without specifics: Ask which Entra ID Governance features are actually active. If they can't answer, that's the gap. If they answer in detail, treat it as the SE handoff signal above.
Disqualification signal: They have a running access certification program, a defined cadence, a named owner, and they can describe how Copilot access is scoped. This is a well-governed shop. The Okta conversation shifts to hybrid environment coverage and non-Microsoft app governance, not gap-filling. Note it and move on.