Microsoft Copilot Bypassed DLP Sensitivity Labels Twice in Eight Months

Summary

VentureBeat reported on February 20, 2026, that Microsoft Copilot for Microsoft 365 had bypassed data loss prevention (DLP) sensitivity label controls on two separate occasions in the eight months prior — and that neither incident was detected by organizational DLP stacks until disclosed by Microsoft. The incidents involved Copilot's ability to summarize and surface content from emails and documents classified as "Confidential" or higher under Microsoft Information Protection labeling, despite p