All insights
AlignMicrosoft 365Compliance

Your staff are already using AI. For a HIPAA-regulated org, governed Copilot beats banning it.

When staff paste protected health information into public chatbots, you can't ban your way out; a governed Microsoft 365 Copilot keeps the data in your tenant.

Wired CIOApril 16, 2026
The short version
  • For a HIPAA-regulated org the real exposure isn't the locked-down system of record but staff pasting client names, diagnoses, or case notes into consumer chatbots to work faster.
  • Standardizing on Microsoft 365 Copilot keeps data inside your tenant under your agreements and respects each user's existing permissions, so it only sees what they're allowed to see.
  • Lockdown and enablement are one motion: stand up the governed tool while using Intune device policies and web filtering to block consumer chatbots on company hardware.
  • Copilot respecting permissions is only as good as your permissions, so cleaning up oversharing is part of the project, and adoption work like pilots and training is the real effort.
Bottom line: Shadow AI is a tooling gap, not a discipline problem, so give people a governed Copilot, block the risky alternatives, and fix permissions so the safe tool stays safe.

This spring, the leadership team at a care nonprofit that handles protected health information named a worry we hear more and more: their staff have started pasting client details into public AI chatbots to save time, and a training memo won't reliably stop it. "We'd like a backstop so we don't have leaks of confidential data," one of them said. That instinct, a backstop rather than a ban, is exactly right.

The risk isn't your core system

For a HIPAA-regulated organization (HIPAA being the federal health-privacy law), the obvious worry is the system of record, the case-management or health-records platform. But that's usually already locked down. The real exposure is what happens outside it: a well-meaning employee pasting a client name, a diagnosis, or case notes into a consumer chatbot to draft a letter faster.

You cannot ban your way out of this. Tell people not to use AI and they'll use it quietly, because it helps them do their jobs. A memo is not a control.

Displace the shadow, don't just forbid it

The move that works is to give people a sanctioned tool they actually want, then close the side doors. Standardizing on Microsoft 365 Copilot does two things at once: it keeps the data inside your tenant under your agreements, and it respects the permissions your staff already have, so it only sees what each person is allowed to see.

Lockdown and Enablement Together

Lockdown and enablement are one motion, not two. You stand up the governed tool people want, and at the same time you use device policies and web filtering to block the consumer chatbots on company hardware. Demand gets redirected to the safe option instead of going underground.

The layered version of that lockdown: remove local admin rights, push device policies through Intune, filter the web to block consumer AI sites, and encrypt the laptops so data on a lost device is safe.

Two things people underestimate

First, Copilot respecting permissions is only as good as your permissions. If your SharePoint is overshared, Copilot will faithfully surface things people shouldn't see. Cleaning up access is part of the project, not an afterthought.

Second, a Copilot license that just sits on the desktop delivers nothing. Adoption is the real work: start with a pilot group, build a few role-specific use cases, train the trainers, and show people what good looks like.

The takeaway

Shadow AI is not a discipline problem, it's a tooling gap. People reach for public chatbots because they're useful and available. Give them something equally useful that keeps the data where it belongs, block the risky alternatives, and fix your permissions so the safe tool stays safe. That's a backstop you can actually rely on.

If your team is already using AI in ways that make you nervous, you're not behind, you're normal, and there's a governed path. Let's talk it through.

Filed under
Compliance
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…