Microsoft’s Copilot trust test: Zero findings, more models, wider oversight

Microsoft 365 Copilot and Copilot Chat (Copilot) have been recertified under ISO/IEC 42001:2023 by an independent auditor for the second consecutive year. Copilot first received ISO 42001 certification in March 2025. This year’s recertification recorded zero non-conformities and zero improvement observations, making it the second consecutive audit with no findings.

The certification evaluates the AI management system in areas including governance, risk assessment, data management, transparency, human oversight, and supplier management.

Microsoft 365 Copilot is an AI assistant integrated into Microsoft 365 apps that helps users write, summarize, analyze information, and complete everyday work tasks. Through Copilot Chat, users can ask questions, generate content, and work with web or business data in a conversational interface.

Changes since the first certification

The model portfolio expanded to support a multi-model, multi-provider approach, with GPT-5 as the default model and Anthropic Claude models available as an additional option. Before integration, third-party model providers undergo security and privacy reviews. Enterprise customers have administrative controls to enable or disable third-party models.

Microsoft streamlined the responsible AI assessment workflow by consolidating review steps and reducing duplicated effort while maintaining oversight requirements. The company added a structured harm-identification capability to strengthen pre-release risk evaluation and introduced a risk-tiered review model that aligns senior oversight with higher-impact AI systems and features.

Copilot Studio was added to the governance framework, expanding coverage from two AI systems to three under a single certified management system.

How Microsoft applies AI to governance

Microsoft uses AI internally to support responsible AI governance. AI agents assist engineering teams with assessments and review processes, while human reviewers make final decisions. Product teams working on Microsoft 365 Copilot use these tools as part of their governance workflow.

The company says its governance and security approach has supported adoption in regulated industries including finance, legal services, and government. Organizations deploying Copilot at scale have identified data protection, compliance controls, transparency, and human oversight as key requirements for enterprise AI use.

“Our commitment is to evolve the AI management system with the technology. As Microsoft 365 Copilot continues to add agentic capabilities and expand multi-model support, the governance framework will scale accordingly. ISO 42001 recertification is not a destination; it is the annual proof point of continuous improvement,” Oliver Bell, General Manager, M365 GRC, Privacy & Regulatory Compliance at Microsoft, explained.
