TL;DR: Microsoft 365 Copilot was found accessing confidential emails in Outlook Sent and Draft folders that users had marked restricted, with the issue patched on February 20 after appearing in late 2025, according to Swarmnetics. The problem is not just a product bug but a governance failure: once an AI system can see sensitive content, access scope, metadata handling, and retention assumptions all need explicit control.
NHIMG editorial — based on content published by Swarmnetics: "Agentic" AI Tools Continue to Struggle as Copilot Helps Itself to Confidential Emails
Questions worth separating out
Q: How should security teams govern data access for agentic AI workflows?
A: Security teams should treat data access as part of the agent’s decision boundary, not as a separate storage problem.
Q: Why do confidential labels often fail to contain AI access risk?
A: Because labels only work if the enforcement layer applies them consistently across every path the AI can use.
Q: What breaks when AI assistants retain summaries of confidential content?
A: The programme loses control over derivative data.
Practitioner guidance
- Map AI tools to delegated identity scope Inventory every mailbox, document, and workflow permission granted to AI assistants, then compare that scope with the data they actually touch during normal use.
- Enforce object-level sensitivity controls Validate that confidential labels are enforced at the object or record level, not only through folder placement or client-side UI rules.
- Treat AI outputs as governed derivatives Classify summaries, prompt history, and cached references as controlled data with retention and access rules.
What's in the full analysis
Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:
- The exact Outlook folder behaviour that caused confidential items in Sent and Draft to remain accessible to Copilot.
- The vendor's stated privacy and retention handling for Microsoft 365 data, including what is and is not used for training.
- The patch timing and product-specific workflow details practitioners would need to validate their own controls.
- The practical implications for businesses deciding whether to limit AI access to sensitive mailboxes and similar content.
👉 Read Swarmnetics's analysis of Copilot accessing confidential emails →
Copilot confidential email access: are agentic AI controls keeping up?
Explore further
Agentic AI policy gaps are now an identity governance problem, not just an AI safety issue. When a tool can read sensitive content and produce new artefacts from it, it is operating as a non-human identity with delegated authority. That means IAM, PAM, and data governance all need to participate in the control model. The practitioner conclusion is straightforward: if the AI can access it, summarise it, or store it, then it is in scope for identity governance.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an AI agent accesses sensitive data it was not meant to use?
A: Accountability sits with the team that approved the agent, its connectors, and its policy boundaries, not with the runtime behaviour alone. Organisations need ownership for intent, permissions, monitoring, and validation so they can prove whether the agent stayed inside its approved purpose. Without that, audit and regulatory response become retrospective guesswork.
👉 Read our full editorial: Copilot email access shows the AI governance gap in agentic tools