AI and Copilot

Is your organisation ready for Microsoft Copilot?

13/03/2026 13 min read Michael Mardahl · Microsoft MVP

Copilot licences are easy to buy. The hard part is making sure your data is accessible in the right way, governance is in place, and users are genuinely ready to use it effectively.

Copilot licences can be purchased in an afternoon. That does not mean the organisation is ready to get value from them. Microsoft Copilot for Microsoft 365 is not a standalone AI tool sitting beside your existing estate. It works on top of your Microsoft 365 environment, your permissions model, your content hygiene and your day-to-day working patterns. In practice, readiness is as much an information governance question as it is a licensing question.

That is why two organisations with the same licence mix can have completely different outcomes. One sees fast value in Outlook, Teams and Word. The other gets hesitant users, security concerns and weak adoption after the first burst of curiosity. Microsoft describes the underlying model clearly in Microsoft 365 Copilot architecture: large language models work together with Microsoft Graph and the access controls that already exist inside your tenant. That architecture is exactly why readiness matters.

Readiness means being able to answer the uncomfortable questions

A useful Copilot readiness assessment is not a vague maturity exercise. It should tell you whether you can answer six practical questions without hand-waving:

  1. Which users should get Copilot first, and why them?
  2. What information can those users already reach in SharePoint, OneDrive, Teams and Exchange?
  3. Is the content that matters actually stored in Microsoft 365, or is it still fragmented across local drives, file shares and unmanaged attachments?
  4. Do you have enough governance to deal with confidential data, oversharing and unclear ownership?
  5. Have you defined what success looks like for a pilot?
  6. Who will own adoption once the technical enablement is finished?

If those answers are still fuzzy, the organisation is not fully ready. That does not mean you need a six-month programme before doing anything. It means licence assignment should not be mistaken for implementation.

Licences are the entry ticket, not the business case

The formal requirements are straightforward. Microsoft documents the supported licence baselines and platform prerequisites in Microsoft 365 Copilot requirements. Most organisations can work through that part quickly. The harder part comes after eligibility, when you discover that a user can technically receive Copilot but still lacks the content foundation needed for useful output.

Copilot does not create value from empty context. If a user keeps core documents on a local desktop, if project collaboration happens outside Teams, or if mailbox data only captures part of the real customer conversation, then the AI layer has less to work with. The result is not impressive productivity. It is thin context wrapped in a confident interface.

This is where business cases often become unrealistic. People calculate savings from drafting emails or summarising meetings, but they underestimate the operational work required to make those scenarios reliable. Readiness is what turns a licence line item into something users can trust.

The biggest readiness risk is not the model. It is your existing access model

Copilot works within the permissions a user already has. That is a strength because it aligns with Microsoft 365 security boundaries. It is also the most important readiness risk because Copilot makes existing governance problems visible very quickly.

If an employee can already read a SharePoint library they should never have had access to, Copilot can also use that content in answers and summaries. Copilot is not creating a new exposure in that scenario. It is surfacing a problem that was already there. Microsoft’s guidance on Manage SharePoint site permissions is a practical place to start if you need to review broad or inherited access.

Data quality matters just as much as permissions. Copilot can work across messy content, but the quality of the output is limited by the quality of the underlying information. The same patterns show up again and again:

  • Multiple copies of the same file across different libraries
  • Old presentations that still look current
  • Project sites with no clear owner
  • Important decisions buried in ad hoc Teams conversations
  • Document structures that made sense three reorganisations ago

When users say Copilot feels inconsistent, that often means the information estate was already inconsistent for humans. Copilot just exposes the issue faster.

SharePoint, OneDrive and Exchange are the real platform prerequisites

Readiness discussions often stay too abstract. In practice, they almost always come back to the same three workloads: SharePoint, OneDrive and Exchange Online. Microsoft makes that dependency clear in Microsoft 365 Copilot setup. If those services are only partially adopted, Copilot value will also be partial.

SharePoint

For most organisations, SharePoint is where shared working knowledge should live. Before a pilot, you should be able to answer a few very basic questions with confidence:

  • Are the key sites and libraries still active and owned?
  • Is access assigned through groups where possible rather than ad hoc per-user permissions?
  • Are there libraries with broad all-company access that no longer make business sense?
  • Do you know which locations hold HR, finance, contract or board material?

If the answer is no to several of those, your first Copilot challenge is not adoption. It is control.

OneDrive

OneDrive is not just a sync destination in the Copilot conversation. It forms part of each user’s working context. If OneDrive is not properly provisioned, not actively used, or only used as an occasional dumping ground while real work still happens locally, Copilot becomes weaker at helping with drafting, summarisation and retrieval.

A common mistake is assuming OneDrive adoption exists because the service is licensed. That is not the same as day-to-day usage. Readiness is about behavioural reality, not entitlement.

Exchange Online

Exchange Online matters for Outlook scenarios, meeting context and the broader signals Copilot uses across mail and calendar data. Hybrid mail environments may be manageable operationally, but they often introduce uneven Copilot experiences. If mailboxes, delegates, calendar visibility or mailbox placement differ across users, the rollout will not feel consistent.

Meeting value depends on culture as much as technology. If you expect strong outcomes from Teams meeting summaries, action items and follow-up, then your transcription, recording and meeting hygiene practices need to support that expectation. Otherwise you are paying for a feature the organisation is not actually prepared to use.

Governance before pilot does not need to be perfect, but it does need to be real

Some organisations delay Copilot because they assume governance must be fully mature before they start. Others rush into broad activation without deciding how confidential material should be labelled, shared or reviewed. Both extremes are costly.

The better approach is to establish a workable baseline before the pilot and then use pilot findings to prioritise the next wave of improvements. Microsoft has relevant guidance in AI in Microsoft Purview, and for document controls specifically, Sensitivity labels for files in SharePoint and OneDrive is directly relevant.

A sensible minimum baseline before the first pilot usually looks like this:

  • The most sensitive SharePoint access patterns have been reviewed for obvious oversharing
  • You know which document categories are genuinely confidential
  • There is at least a simple rule set for how sensitive content is handled and labelled
  • The sites and libraries used by pilot users have named owners
  • Security and compliance stakeholders understand the pilot scope
  • There is a clear path for escalation if users surface accidental access or problematic content

That is usually enough to start responsibly. Not because everything is solved, but because the pilot can now generate useful learning without creating unnecessary avoidable risk.

A good pilot is small enough to learn from and broad enough to be credible

The most common pilot mistake is choosing too few, too similar users, or trying to activate half the company at once. Both approaches generate poor evidence.

A strong pilot usually includes 10 to 25 people across several roles. Not just IT. Not just senior leadership. Not just the most enthusiastic AI users. If the pilot group does not reflect real work, you will learn very little about what broad adoption will actually require.

A practical starting mix often includes:

  • One or two leaders with heavy meeting loads
  • Knowledge workers who spend significant time in Word and Outlook
  • Users with intensive Teams collaboration
  • A document-heavy function such as sales, HR or delivery
  • An IT or governance representative who can track support and risk patterns

The success criteria should also stay grounded. A pilot is not successful because people say the demos were impressive. It is successful when you can answer practical questions such as:

  • How many users are actively using Copilot every week?
  • Which three scenarios create measurable time savings?
  • Where do users become uncertain about data sources or permissions?
  • Which prompts actually work for each role?
  • Which work patterns are changing, and which are not?

For telemetry, Microsoft 365 Copilot usage reports are useful. They tell you whether features are being used. They do not tell you whether users trust the output or whether the chosen scenarios were the right ones in the first place.

Adoption is rarely automatic, even when the setup is technically correct

A lot of organisations expect Copilot to spread through the business on its own because the value looks obvious in demos. That is rarely how it plays out. The first month often looks uneven, with a handful of highly active users and a larger group of light or inconsistent usage.

That is normal. The real question is not whether 100 percent of the pilot uses Copilot after two weeks. The real question is whether the right roles are using it for the right work and seeing reliable value. In many organisations, 30 to 50 percent meaningful usage in the first month is already a healthy signal. When the rollout includes role-based scenarios, internal champions and management support, adoption usually becomes more durable after 60 to 90 days.

That only happens if expectations are realistic. Copilot does not remove the need for judgement, review or data awareness. Users need to learn how to ask better and how to verify better. If enablement stops at showing where the button is in Word or Outlook, the value will be shallow.

The blockers are usually predictable

When Copilot projects stall, it is rarely because activation itself is difficult. The blockers are usually familiar:

  • SharePoint permissions are too broad, and no one wants to proceed before cleanup starts
  • OneDrive is technically available but not consistently adopted
  • Exchange is hybrid or configured unevenly across user groups
  • Important business content still lives outside Microsoft 365
  • No one in the business owns the pilot outcomes
  • Users receive licences without concrete scenarios, prompts or week-one tasks

The good news is that most of these issues are manageable without turning the entire organisation upside down. You do not need a perfect transformation programme. You need an honest view of what is missing and an order of operations that reduces risk first.

A realistic Copilot readiness checklist

Use this checklist as a practical temperature check before buying broadly:

  1. Have you identified the first users and their key scenarios?
  2. Does the pilot group’s document work primarily live in SharePoint or OneDrive?
  3. Are pilot mailboxes and calendars in Exchange Online?
  4. Have you reviewed your most sensitive SharePoint locations for broad access?
  5. Do you know which kinds of data should not circulate through ordinary sharing patterns?
  6. Do you have at least a basic approach to labelling or handling confidential documents?
  7. Are the sites and libraries used by the pilot clearly owned?
  8. Have you defined what success looks like after 30 and 60 days?
  9. Do you have one owner in the business and one owner in IT for follow-up?
  10. Have users been given concrete Copilot tasks for week one?
  11. Do you have a response path if Copilot exposes unintended data access?
  12. Do you already know how licences will be expanded, reassigned or stopped after the pilot?

A simple rule of thumb:

  • 10 to 12 yes answers: you are likely ready for a controlled pilot
  • 7 to 9 yes answers: you can start, but should expect targeted remediation in parallel
  • 0 to 6 yes answers: focus on the Microsoft 365 foundation before broad Copilot rollout

What this means for your organisation

Copilot readiness is really a maturity test of your Microsoft 365 environment. Not because everything has to be perfect, but because Copilot will only be as useful as your data quality, permissions model and working habits allow. That is why the best next question is rarely how fast you can buy licences for everyone. It is how fast you can run an honest pilot with the right foundations in place.

At inciro, we typically help with three things: readiness assessment, targeted governance cleanup and a pilot design that produces usable answers rather than optimistic slides. In most cases, that is enough to separate genuine value from wishful thinking.

Book a strategic conversation — we will assess your Microsoft 365 environment and tell you plainly whether you are ready for Copilot, or what needs to be fixed first.

Book a strategic conversation

Related service

Need help with this?

If this topic is relevant in your Microsoft environment, we are happy to have a concrete conversation about sensible next steps.

Copilot