Microsoft confirmed a bug in CW1226324 allowed Copilot Chat to read and summarize confidential emails for weeks, bypassing data loss prevention and affecting Sent Items and Drafts labeled confidential.

A fix began rolling out in mid-February 2026, but deployment is staggered and has not yet reached all affected customers.

Microsoft did not disclose how many organizations are affected or provide a full remediation timeline, and the incident is classified as an advisory.

Industry context notes AI’s growing role and rising concerns about privacy and trust in AI-powered tools for professional workflows.

EU policymakers have long urged stronger data guardrails for AI, with incidents like this fueling debate on tech sovereignty and dependence on foreign vendors.

Experts warn that rapid AI feature releases create inherent risks, suggesting governance and feature-toggle controls are essential to mitigate harm.

The rollout of fixes is expected to continue for weeks, urging governance and careful monitoring of AI deployments.

Enterprise implications include extended remediation timelines, the need to audit logs for data exposure, and heightened regulatory scrutiny across finance, healthcare, and government sectors.

Concerns include the risk of sensitive data being transmitted to external servers and potential use of submitted data to improve AI models.

Practical guidance for businesses includes ensuring correct Microsoft 365 permissions, enabling audit logs, training employees on responsible AI use, and involving security teams before expanding Copilot deployment.

Administrators should ensure Copilot updates are installed, review DLP policies and access logs for unusual activity, temporarily restrict Copilot for highly sensitive communications, and update employee training on AI data handling.

The incident prompts organizations to reassess AI deployments, tighten guardrails around confidential content, and question vendor disclosures on how AI systems access and handle sensitive information.