“Agentic” AI Tools Continue to Struggle as Copilot Helps Itself to Confidential Emails

February 27, 2026


Another day, another story about agentic AI tools overstepping their bounds. This time it’s Microsoft’s Copilot for 365 business customers, which has been found accessing confidential emails it is not supposed to and creating summaries of them.

This single issue may not be all that bad, at least if Microsoft’s privacy statements are to be believed; as the company notes, the summaries of the confidential emails were likely not exposed to anyone who did not already have access. Continual stories of AI tools going rogue are not inspiring confidence in the early wave of the agentic AI revolution, however, and businesses are grappling with potential exposure to training models and other internal systems that are not necessarily visible.

Confidential emails in Outlook for desktop folders impacted

The issue is with Microsoft 365 Copilot’s “Work Tab” chat feature for business customers. Users are able to label confidential emails, which should then restrict Copilot from accessing them when asked to create summaries. In practice, the AI tool reliably did that only with emails sitting in the inbox. Those in the Outlook “Sent” or “Draft” folders were fair game due to some sort of programming oversight. The issue was likely present from sometime in late 2025 to February 20, when Microsoft issued a patch.

Microsoft has downplayed the issue, claiming that the summaries would not be visible to someone who did not already have access to the confidential emails. That may be true, but the broader concern is what happens to this sort of private business data when AI tools get ahold of it. Microsoft assures customers that it does not use data from 365 for training, but in the same privacy statement also indicates that it saves at least some of it on its own servers for other purposes.

Agentic AI is supposed to be the next big thing in the business world, but a long series of missteps of this type is definitely hampering adoption. Popular tools have been caught autonomously doing everything from deleting user code, to deleting the contents of email inboxes, even to giving away crypto when (rather foolishly) given access to wallets.

This has already made agentic AI tools “non grata” at some companies until they show substantially more stability and security-by-design, mirroring the early days of financial firms and other industries banning ChatGPT and similar tools as a precaution. At minimum, their level of access to sensitive information and potentially destructive functions is being carefully limited (which to some degree also restricts their utility). Microsoft already seems to have seen which way the wind is blowing on this, starting off 2026 by backpedaling on the “AI everywhere” plans for Windows that it announced just several months ago.

Breakneck pace of AI tool development prompts caution

While agentic AI tools are developing and offering genuinely useful services in a very short period of time, this case (among many others) serves as a reminder to proceed with great caution. There is always the risk of something splashy happening like confidential emails being exposed or inboxes being trashed by a “helpful” AI, but an even more subtle and common risk is personal and confidential data making its way into an AI training or reference collection even when the company offers assurances that this does not happen.

This also means more employee training. Just as employees may have been turning a corner in things like password hygiene and recognizing phishing attempts, a whole new world of AI expectations and handling has to be taught to them. Organizations must consider not just what data the AI might ingest, but what metadata it has attached to it. Ultimately this case demonstrates that while AI tools are far from being autonomous thinking creatures, they are already being treated as such and given the reins accordingly, and assurances about their safety often rely on them making the right decision (which they may not). In addition to employee training, AI safety countermeasures are likely going to be needed going forward to counteract this possibility.