+44 3301 333 307 magma@magmacloud.co.uk
AI Security & Trust

AI & Microsoft Copilot
Security Services

We secure the AI your organisation is already using — and the AI you're about to adopt. From Copilot readiness and shadow AI discovery to Azure OpenAI guardrails and governance evidence for auditors.

From £TBC — fixed fee, scoped after your Ignite Assessment
The Challenge

AI is already inside your organisation.
The question is whether you know about it.

Microsoft Copilot is live in many UK organisations. Most switched it on before the data governance was ready — and now have an AI assistant that can surface HR files in legal conversations, executive salary data in general searches, and confidential documents across teams that never knew they were over-sharing. Copilot doesn't create these risks. It makes existing permissions problems visible and fast.

The challenge isn't the AI itself. It's the permissions model underneath it, the data classification gaps, the absence of logging, and the lack of policy for what AI tools your people are actually using. Shadow AI — staff using ChatGPT, Claude, Gemini for work tasks — is already inside most organisations. The question is whether you know about it, and whether your sensitive data is leaving with it.

Copilot Readiness

Microsoft Copilot Security Readiness

Copilot for Microsoft 365 is powerful — and it respects your existing permissions model precisely. That's the problem. If your SharePoint is over-shared, your sensitivity labels are missing, and your DLP policies haven't been updated, Copilot will happily surface the wrong data to the wrong people.

Our Copilot readiness assessment checks the security foundations before you go live — or tightens them if you're already live. We focus on data boundary, over-sharing, Purview labelling, and the audit logging that lets you see what Copilot is doing.

What we check
  • SharePoint & OneDrive permissions review
  • Sensitivity label coverage & policy
  • DLP policy extension for AI contexts
  • Copilot interaction logging & audit
  • Guest access and external sharing
  • Teams channel and meeting data exposure
Outcomes
  • Copilot deployed with confidence
  • Data boundary clearly defined
  • Sensitive data not exposed to AI queries
  • Audit trail for compliance and governance
Shadow AI

Shadow AI Discovery & Containment

Your staff are already using AI. ChatGPT, Claude, Gemini, Perplexity, Otter.ai, Grammarly — dozens of AI-powered tools are already inside your organisation, most without IT awareness, none with DLP controls. Sensitive data is leaving, and you can't see it.

We analyse your Defender for Cloud Apps telemetry, network logs, and browser activity to map exactly which AI tools are in use, by whom, and with what frequency. We then help you build a policy framework: sanctioned tools with guardrails, tolerated tools with usage agreements, and blocked tools where the risk is unacceptable.

What we deliver
  • Shadow AI discovery & usage mapping
  • Risk assessment per AI tool
  • Sanctioned / tolerated / blocked policy
  • Defender for Cloud Apps CASB controls
  • Staff guidance & usage agreements
  • Ongoing monitoring configuration
Outcomes
  • Full visibility of AI tool usage
  • Sensitive data not leaving uncontrolled
  • Clear, enforced AI usage policy
  • Staff enabled to use AI safely
AI Workload Security

Securing AI Workloads
(Azure OpenAI & AI Foundry)

If your organisation is building on Azure OpenAI or Microsoft AI Foundry, the security envelope around those workloads needs the same rigour you'd apply to any sensitive application. Public endpoints, overprivileged service accounts, absent audit logging, and no content filtering are common in early-stage AI deployments.

We don't design the AI application — that's your development team or NeuraSec. We make sure the security controls around it are solid: network isolation, identity, logging, guardrails, and detection rules in Sentinel so you know when something unusual is happening.

What we deliver
  • Private networking & no public endpoints
  • Managed identity & Entra ID access
  • Content filtering configuration
  • Prompt injection defence review
  • Audit logging to Microsoft Sentinel
  • Detection rules for anomalous AI usage
Outcomes
  • AI workloads with no public attack surface
  • Full audit trail for every AI interaction
  • Guardrails that catch misuse early
  • Security posture your board can defend
Governance & Compliance

AI Governance Evidence
for Auditors & Regulators

Regulators — FCA, ICO, CQC, sector-specific bodies — are increasingly asking about AI. They want to see more than "we use Copilot responsibly." They want documented evidence: a register of AI use cases, risk assessments, DPIAs, human oversight mechanisms, and audit logs of AI-assisted decisions.

We help you build this evidence base from the ground up — structured around your regulatory obligations, not a generic AI policy template. The output is a governance framework your DPO, legal team, and auditors can work with.

What we deliver
  • AI use case register
  • Risk assessment per use case
  • Data Protection Impact Assessments
  • AI policy & responsible use framework
  • Human oversight controls & evidence
  • Audit log strategy & retention
Outcomes
  • Regulator-ready AI governance evidence
  • DPO and legal team aligned
  • Auditable decisions and oversight
  • EU AI Act and ICO readiness posture
Full AI Security Service

Everything We Deliver

What we deliver
  • Microsoft Copilot readiness assessment
  • Shadow AI discovery & containment
  • AI governance & policy framework
  • Data boundary & over-sharing controls
  • Purview labelling pre-flight for AI
  • DLP policy extension for AI contexts
  • Azure OpenAI & AI Foundry security review
  • Prompt injection risk assessment
  • AI workload audit logging to Sentinel
  • Risk & trust review for AI use cases
  • Responsible AI principles & sign-off
  • Regulatory evidence pack
Outcomes you can measure
  • Copilot deployed with clear data boundaries
  • Shadow AI visible, governed, and controlled
  • Sensitive data not exposed to AI tools
  • Clear AI use policies for your people
  • Auditable evidence of responsible AI
  • Regulator-ready governance documentation
  • AI workloads with full security controls

Building an AI strategy or rolling out Copilot?

That's our sister company, NeuraSec — AI delivery consultants for organisations of 200–5,000 staff. They handle strategy, governance, Copilot programme architecture, and Microsoft Fabric data foundations. We make what they build secure. One family, two distinct specialisms.

How It's Delivered

The Magma Cloud Lifecycle

AI security is not a one-time project. We work through all six phases — from initial governance assessment through to ongoing monitoring and assurance.

01
Strategy

AI security roadmap & governance design

02
Assess

Copilot readiness & shadow AI discovery

03
Implement

Controls, policy, and guardrails

04
Optimise

Tighten as AI adoption grows

05
Manage

Ongoing monitoring & shadow AI detection

06
Assure

Governance evidence & regulatory readiness

Related Security Services
Common Questions

Frequently Asked Questions

Safe to deploy once you've done the groundwork: data classification and labelling, permissions review, over-sharing remediation, DLP policy extension, and audit logging configured. Without this preparation, Copilot is a powerful tool that amplifies whatever data governance problems you already had — it doesn't create them, but it makes them move much faster.

Shadow AI is AI tools your staff are already using without IT or security awareness — ChatGPT, Claude, Gemini, Perplexity, Otter.ai, and dozens of others. The risk isn't the tool itself; it's sensitive data (client names, financial figures, unreleased plans, regulated personal data) being entered into external AI services with no oversight, no DLP controls, and no data residency guarantee. Most organisations have 8–15 shadow AI tools in active use before they start looking.

We analyse Microsoft Defender for Cloud Apps logs, network traffic patterns, and browser activity data to build a picture of which AI services are in active use, by which users, and with what frequency. We then help you build a policy framework: sanctioned tools with guardrails, tolerated tools with usage agreements, and blocked tools where the risk is unacceptable. Ongoing monitoring is then configured so you can detect new shadow AI tools as they appear.

Magma Cloud secures AI: we make sure the AI tools your organisation uses — Copilot, Azure OpenAI, third-party services — don't leak data, breach regulations, or surface the wrong information to the wrong people. NeuraSec delivers AI: they handle the strategy, governance frameworks, Copilot programme architecture, and Microsoft Fabric data foundations for organisations adopting AI. We make what they build secure. Same founding team, two distinct specialisms.

Regulators — FCA, ICO, CQC, and sector-specific bodies — increasingly want to see: a register of AI use cases, a risk assessment per use case, documented Data Protection Impact Assessments (DPIAs), human oversight mechanisms, and logs of AI-assisted decisions. The EU AI Act adds additional obligations for high-risk AI systems. We help you build this evidence base structured around your specific regulatory obligations, not a generic policy template.

We configure the security controls around Azure OpenAI: private networking so there are no public endpoints, managed identity authentication instead of shared API keys, Entra ID access control with least-privilege RBAC, content filtering to prevent misuse, prompt injection defences, audit logging of all interactions to Microsoft Sentinel, and detection rules so unusual usage triggers an alert. We don't design the AI application — that's your development team or NeuraSec. We make sure the security envelope around it is solid.

Start with a Free
Ignite Assessment

The Ignite Assessment

A free 30-minute call with a senior security architect. You leave with: a quick-look read of your current AI security posture, the top three risks we'd tackle first — whether that's Copilot data exposure, shadow AI, or missing governance — and a clear view of whether and how we can help.

  • Free — no charge, no catch
  • 30 minutes with a senior architect
  • AI-specific, not generic advice
  • No obligation to proceed
AI Security Specialists

Book Your
Ignite Assessment

Whether you're about to roll out Copilot, already live with AI tools, or trying to get shadow AI under control — we'll tell you honestly what we see and what we'd do first.

Book Ignite Assessment