The decision to grant a language model read access to a corporate information graph is not a feature upgrade—it is a fundamental redefinition of the system's attack surface. When Microsoft embedded generative AI into Microsoft 365 Copilot, it implicitly connected every document, email, and permission relationship to an interpreter that cannot, in general, be constrained to output only permissible inferences. This gap between can read and should not reveal is not a bug awaiting a patch; it is an architectural property that must be made explicit and systematically governed.
The vulnerability designated CVE-2026-45497 and CVE-2026-42824, dubbed "SearchLeak," made this gap starkly visible 3,6,7,8,9,20. Attackers exploited parameter-to-prompt injection to extract two-factor authentication codes and sensitive email contents. The mechanism was not exotic: it relied on the system's failure to distinguish between a legitimate query and a crafted input that recontextualized internal data into an exfiltration prompt. Separately, researchers demonstrated that simple markup language formatting or HTML tags could bypass the guardrails intended to prevent such misuse 20. The immediate exploit has been patched 4, but the underlying problem persists: Copilot acts as a privilege-amplifying oracle, scaling the consequences of pre-existing permission oversharing 22,23,24. A misconfigured access control list that once meant an errant spreadsheet might be glimpsed by a colleague now means that spreadsheet's contents can be synthesized into a conversation by an autonomous agent, potentially in response to a third party.
The Logic of the Exposure
What makes this exposure structurally concerning is not the sophistication of the attack but the weakness of the specification. A system that can access all data a user can access, and that is asked to satisfy open-ended natural-language requests, cannot be made secure merely by adding pattern-matching guardrails. That approach attempts to filter a Turing-complete interaction layer with heuristics—an approach that will always admit adversarial inputs. The requirement to prevent data exfiltration, if taken literally, is undecidable in the general case: there is no procedure that can examine an arbitrary prompt and definitively determine whether the resulting output contains information that the caller is not authorized to know, without access to a formal model of the confidentiality policy and the data graph. The SearchLeak incident is a concrete demonstration of this boundary.
The Governance Response: Toward Computable Guardrails
In the wake of the disclosure, Microsoft leaned on Microsoft Purview, sensitivity labels, and a setting called BlockContentAnalysisServices to give administrators granular control over what AI agents can ingest 1,5,17,18,19,21. This is a necessary move, but it reveals the deeper challenge: governance itself must become a computable layer, not merely a policy document. A sensitivity label attached to a document is a claim; whether the label accurately reflects the document's contents and the organization's actual confidentiality requirements is a separate, and often undecidable, problem.
Consider a scenario: An employee drafts a contract that references a client's proprietary pricing table. The document is stored in a SharePoint folder that inherits generous permissions. The author never applies a sensitivity label. Copilot, when asked to summarize recent contract activity, faithfully incorporates the pricing data into its response. No rule was broken, yet the organization has leaked a trade secret. The system followed its specification precisely; the specification was simply incomplete. This is not a failure of compliance; it is a failure to formalize what confidential means in a way that can be automatically verified across a dynamic information environment.
The Undecidability at the Core
We can frame the problem more sharply: Given a data graph, a set of access control rules, and a natural-language request, determine whether any permissible response from Copilot contains a statement that, if disclosed, would violate the spirit of the organization's data handling policy. This problem is not merely difficult; it is formally undecidable in the general case for any sufficiently expressive language model environment. The practical consequence is that enterprise security for agentic AI will always be an approximation—a set of invariants we can prove and a set of residual risks we must monitor. The value of Purview and sensitivity labels lies in how well they shrink that residual into a known, manageable residue.
Implications for Enterprise Security Monitoring
Microsoft’s announcement that Agentic Mode will become the default in Word, Excel, and PowerPoint transforms this from a disclosure risk into an action risk 2. A Copilot that not only reads your emails but drafts replies and schedules meetings on your behalf is a Copilot that can exfiltrate data by composing actions, not just text. The SearchLeak exploit showed how a 2FA code could be stolen via prompt injection; an agentic variant might forward attachments or modify routing rules, all while operating within its granted permissions.
An enterprise monitoring strategy for such a system must move beyond static permission checks to behavior verification. The necessary invariants need to be specified: “Copilot must never include an authentication token in an outgoing message,” “Copilot must not access documents labeled Finance-Secure in the context of responding to external domains,” and so on. These are high-level constraints that must be compiled down to runtime checks—a task that resembles the specification of a security automaton more than a compliance checklist. Without this, the first indication of a breach will be a query result that should never have been generated.
The Scale of Exposure
The NHS England deployment of 500,000 Copilot licenses provides a sobering scale reference 11,12,14. In an environment where even a 1% misconfiguration rate implies thousands of data objects accessible in unintended ways, the amplification effect is non-linear. The same integration that can save 43 minutes of administrative time per day 10,13,15,16 can also propagate a single permission error into systemic oversharing. The governance bottleneck, therefore, is not merely a technical inconvenience; it is the primary determinant of whether large-scale agentic AI deployments will be economically rational given the liability they introduce.
The Next Question
The patch for CVE-2026-45497 closes one adversary path, but it does not—cannot—close the class of vulnerabilities that arise when a language model is placed inside the trust boundary. The honest next step for enterprise security teams is to ask: What would my current Copilot deployment produce if a regulator demanded a full causal explanation of every data disclosure made by the AI in the last quarter? For most organizations, the answer is not a set of logs but an uncomfortable silence. Building an infrastructure that can answer that question precisely—that can produce an auditable, mathematically coherent account of which data was accessed, transformed, and exposed—is the difference between trusting Copilot and merely hoping it is secure. The capability is no longer a nice-to-have; it is a necessary condition for any compliance regime that takes its own requirements seriously.
