← Back to blog
EN | NO
AI Implementation 6 min read

Why Microsoft Copilot Isn't Working – and What You Need to Have in Place

Uros Vujic 7. april 2026

"We paid for Copilot. It doesn't work."

That's the sentence we hear most often when speaking with Norwegian SME leaders who have tried Microsoft Copilot.

Not that the tool is poor. Not that the technology fails. But that the answers are imprecise, nobody actually uses it, and it doesn't save the time they were promised.

The problem is almost never Copilot. The problem is what is – or isn't – in place around it.

Copilot is a mirror tool. It reflects the structure of your organisation. If your data is orderly, access is clearly defined, and you have a grounded AI policy – Copilot works. If not, it gives you chaos back. Just faster.

The Three Most Common Reasons Microsoft Copilot Doesn't Work

1. Your data isn't ready

Copilot pulls information from SharePoint, Teams, email, and OneNote. That sounds promising – but only if the content is structured and up to date.

In most Norwegian SMEs the reality is different: outdated files that are never deleted, documents scattered across local drives and private email folders, and SharePoint structures nobody bothers to maintain. Copilot reads all of this equally. It cannot distinguish between a current contract and an outdated version from three years ago.

The result? Answers that are uncertain, imprecise, or outright wrong. And employees who stop trusting the tool after the first week.

What needs to be in place: A clean and consistent information architecture in Microsoft 365. Clear rules for what is stored, where it is stored, and who is responsible for keeping it current.

2. Access management isn't set up correctly

Copilot gives users access to – and answers based on – all the information they already have access to in Microsoft 365. That means if a salesperson has overly broad access, Copilot will surface data they should never have seen. And if a manager has too narrow access, Copilot will give incomplete answers even when the information exists.

This isn't just a usability problem. It's a GDPR problem. It's an AI Act problem. And it's a trust problem – internally and externally.

We see this in almost every organisation that hasn't actively worked on RBAC (role-based access control): permissions set up years ago, nobody has cleaned them up, and employees have access to far more than they need day-to-day.

What needs to be in place: A reviewed and documented RBAC setup. The right person should have access to the right information – no more, no less. This is the foundational work that makes Copilot safe and useful.

3. Nobody has explained what Copilot is – and isn't

Many businesses roll out Copilot without training. Licences are activated and employees are left to their own devices.

The problem is that Copilot requires a new way of working. You need to learn to ask good questions. You need to understand that Copilot isn't a search engine – it's an assistant that reasons. And you need to know what not to put in: national ID numbers, sensitive client data, trade secrets.

Without training and guidelines, one of two things happens: either nobody uses it, or someone uses it in ways that create problems.

What needs to be in place: An AI policy that explains approved tools, permitted use, and what should never be fed in. And at least one half-day of training that makes employees confident – not paranoid.

Checklist: Are You Ready for Copilot?

Go through these questions internally. If you answer no to more than two, you're probably not ready yet – and Copilot will disappoint.

  • Do we know which files and folders in SharePoint are current and active?
  • Have we cleaned up outdated documents in the past 12 months?
  • Is it defined who has access to what – and is it documented?
  • Do we have an AI policy that employees have read and understood?
  • Do employees know what they should never type into Copilot?
  • Is there one person internally who owns AI use and can answer questions?

Zero no answers? You're probably ready. Get in touch and we'll confirm it.

Three or more? The foundational work is missing – not the licence.

What Does the AI Act Say About This?

The EU AI Act came into force in 2024 and applies to anyone using AI tools that process personal data or take part in decision-making processes. That includes Microsoft Copilot.

As a Norwegian business you are already subject to GDPR. The AI Act adds requirements for transparency and traceability: you must be able to document which AI systems you use, for what purpose, and how decisions are made. High-risk systems – such as AI in recruitment – require additional documentation.

That sounds heavy. But in practice it comes down to two things: have an AI policy, and have your access management in order. Both are things you should have in place anyway to use Copilot sensibly.

Read more about what the EU AI Act means for Norwegian SMBs.

What IT Buddy Does About This

Our role is to do the foundational work – so that Copilot can actually deliver on its promise.

In practice that means:

AI Ready Assessment — We review data architecture, access management, and existing use of Microsoft 365. You receive a concrete report: what is ready, what is missing, and what you should address first.

RBAC Setup — We configure role-based access control so Copilot gives the right information to the right person – and nobody else.

AI Policy — We develop a practical policy tailored to your business. Employees know what they can use Copilot for, and what they should never put in.

Training — A half-day workshop where employees learn to use Copilot effectively and responsibly.

An example from our practice: A Norwegian recruitment firm was spending 122 hours per hire on manual CV screening and candidate follow-up. After we laid the foundational structure and introduced AI-supported recruitment, that dropped to 23 hours. A documented time saving of 83 per cent.

It wasn't Copilot alone that delivered that. It was the structure around it.

Read more about what AI Governance actually is – and why it's a leadership responsibility.

You're Already Paying for the Licence

Many Norwegian businesses have Copilot included in their Microsoft 365 agreement, or have paid for licences that go unused. That's money out the window – not because Copilot doesn't work, but because the foundation hasn't been laid.

Setting up the foundational structure doesn't take months. It takes weeks. And it's far cheaper than continuing to pay for a tool nobody trusts.

Not sure whether you're ready for Copilot? We do a quick review of your data architecture and access management – and give you a concrete answer.

Book a free review →

Read also: How to Implement AI in Your Business – a Practical Guide for Norwegian SMBs

UV

Uros Vujic

Daglig leder, IT Buddy AS

Uros hjelper norske SMB-er med å innføre AI på en kontrollert og bærekraftig måte. Bakgrunn fra IT-infrastruktur i bank og finans, med spesialisering i AI governance, RBAC og GDPR-compliant implementering.

Ready for the next step?

Take our AI Ready assessment and find out where your business stands.

Take AI Ready Assessment