Organizations that manage sensitive data often rely on HITRUST CSF certification to demonstrate security and compliance. Microsoft Copilot, when integrated with Microsoft 365 and Azure services, inherits certain HITRUST controls from the underlying platform. This article explains which HITRUST CSF control domains and requirements are covered through inheritance when you use Copilot. It also clarifies what your organization must still manage directly.
Key Takeaways: Copilot HITRUST CSF Inheritance Scope
- HITRUST CSF v11.0 control domains inherited: Copilot inherits controls from Azure and Microsoft 365 for domains such as Access Control, Audit Logging, and Data Protection.
- Microsoft 365 admin center > Compliance > HITRUST assessment: Use this path to review the inherited control coverage report for Copilot.
- Shared Responsibility Model: Your organization remains responsible for user permissions, data classification, and custom Copilot configurations.
How Copilot Inherits HITRUST CSF Controls
HITRUST CSF is a certifiable framework that combines multiple standards including ISO 27001, NIST, and HIPAA. Microsoft Azure and Microsoft 365 have achieved HITRUST CSF certification at the highest tier, which means many security controls are already in place. Copilot, as a service built on these certified platforms, inherits those controls without requiring your organization to implement them separately. The inheritance covers infrastructure, physical security, network security, and platform-level identity management. However, Copilot-specific features such as grounding data, plugin execution, and user prompts fall under your operational control. Microsoft publishes a Shared Responsibility Matrix for Copilot that maps each control to either Microsoft or the customer. You can access this matrix in the Microsoft 365 admin center under Compliance > HITRUST assessments.
Control Domains Fully Covered by Inheritance
The following HITRUST CSF control domains are fully inherited from Azure and Microsoft 365 for Copilot services:
- Access Control (01.a – 01.f): User authentication, role-based access, and session management are handled by Microsoft Entra ID (formerly Azure Active Directory).
- Audit Logging (02.a – 02.c): All Copilot interactions are logged in the Microsoft 365 Audit Log and Azure Monitor. Retention and tamper protection are inherited.
- Data Protection (05.a – 05.g): Encryption at rest and in transit, key management, and data isolation are provided by Azure Storage and Microsoft 365 data centers.
- Physical Security (07.a – 07.d): Data center access controls, environmental controls, and equipment security are inherited from Azure infrastructure.
- Network Security (09.a – 09.e): Firewalls, network segmentation, and intrusion detection are inherited from the Azure network backbone.
Control Domains Requiring Customer Action
Some HITRUST controls are not fully inherited because they involve user behavior, data classification, or custom configurations. Your organization must address these:
- User Access Reviews (01.g – 01.i): You must regularly review Copilot user permissions and remove inactive accounts.
- Data Classification (05.h – 05.j): You must label sensitive data using Microsoft Purview Information Protection so Copilot respects access policies.
- Third-Party Plugin Management (09.f – 09.g): If you enable third-party plugins for Copilot, you must assess their security posture.
- Incident Response (12.a – 12.c): Your organization must integrate Copilot-related security events into your incident response plan.
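The User Access Reviews item above calls for periodic review of Copilot user permissions and removal of inactive accounts. The following PowerShell script is an added example, not part of this article or of Microsoft's own tooling: it builds a review worksheet of Copilot-licensed users who have not signed in within a threshold, so a reviewer can decide on removals with evidence in hand. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the listed scopes, that the tenant has an Entra ID P1/P2 license (required for sign-in activity data), and that the Copilot SKU's part number contains "COPILOT" (an assumption; pin the exact SkuId from Get-MgSubscribedSku in production). The 90-day threshold is also an assumption; set it from your own policy.

```powershell
# Added example (not from the article): access-review worksheet for Copilot-licensed users.
# Assumes Microsoft.Graph SDK is installed and Entra ID P1/P2 (needed for signInActivity).
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Organization.Read.All"

$inactiveDays = 90                           # assumption: adjust to your access-review policy
$cutoff = (Get-Date).AddDays(-$inactiveDays)

# Assumption: the Copilot SKU part number contains "COPILOT". Confirm with
# Get-MgSubscribedSku and replace the wildcard with the exact SkuId in production.
$copilotSkuIds = Get-MgSubscribedSku |
    Where-Object { $_.SkuPartNumber -like "*COPILOT*" } |
    Select-Object -ExpandProperty SkuId

if (-not $copilotSkuIds) {
    throw "No subscribed SKU matched '*COPILOT*'; check Get-MgSubscribedSku output."
}

# Pull every user with licence and sign-in data in one call.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,assignedLicenses,signInActivity"

$report = foreach ($u in $users) {
    # Keep only users holding a Copilot licence.
    $hasCopilot = $u.AssignedLicenses | Where-Object { $copilotSkuIds -contains $_.SkuId }
    if (-not $hasCopilot) { continue }

    $last = $u.SignInActivity.LastSignInDateTime
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        AccountEnabled    = $u.AccountEnabled
        LastSignIn        = $last
        Finding           = $(
            if ($null -eq $last)    { "Never signed in" }
            elseif ($last -lt $cutoff) { "Inactive > $inactiveDays days" }
            else                    { "Active" }
        )
    }
}

# The script only reports; removal stays a human decision recorded in the review.
$report | Sort-Object Finding, LastSignIn |
    Export-Csv -Path ".\copilot-access-review.csv" -NoTypeInformation
$report | Where-Object Finding -ne "Active" | Format-Table -AutoSize
```

Run it on the schedule your access-review procedure defines and keep the exported CSV with the reviewer's sign-off as evidence for the customer-managed controls in that range; the "Never signed in" rows are usually the first candidates for licence reclamation, while disabled accounts that still hold a licence show up in the AccountEnabled column.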
Steps to Review Copilot HITRUST Coverage in Your Tenant
Follow these steps to verify which HITRUST controls are inherited for Copilot in your Microsoft 365 tenant.
- Open the Microsoft 365 admin center: Sign in with a Global Admin or Compliance Admin account. Navigate to Admin centers > Compliance.
- Go to HITRUST assessments: In the left navigation, expand Assessment and select HITRUST. If you have not started an assessment, click Create assessment and choose the HITRUST CSF v11.0 template.
- Locate the Copilot coverage report: Inside the assessment, look for a section labeled Shared Responsibility Matrix or Service-specific coverage. Click Copilot to view the list of controls that Microsoft manages.
- Export the report: Click Export and choose CSV or PDF. This report lists each control, its status (inherited or customer-managed), and supporting evidence references.
- Map to your own controls: Use the exported report to update your HITRUST documentation. For customer-managed controls, document your own policies and procedures.
Common Misunderstandings About Copilot HITRUST Coverage
Copilot Is Not Independently HITRUST Certified
Some organizations assume that Copilot itself holds a HITRUST certification. This is not accurate. Copilot inherits controls from Azure and Microsoft 365, both of which are HITRUST certified. Your HITRUST assessment must reference the underlying platform certifications rather than a separate Copilot certificate.
Inheritance Does Not Cover Custom Grounding Data
If you connect Copilot to custom data sources such as SharePoint sites, databases, or third-party apps, the security of those sources is your responsibility. HITRUST controls for data at rest in those external systems are not inherited. You must ensure those sources comply with your HITRUST requirements.
Audit Logs for Copilot Prompts Are Your Responsibility
While Microsoft retains audit logs for Copilot interactions, you must configure log retention policies in the Microsoft 365 admin center. The default retention period may not meet HITRUST requirements. Set retention to at least one year for compliance.
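One way to set the one-year retention described above is with an audit log retention policy from Security & Compliance PowerShell. The script below is an added example, not part of this article or of Microsoft's documentation: it creates a twelve-month retention policy scoped to Copilot interaction records if one does not already exist, then lists all retention policies as evidence for the assessment. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role permitted to manage audit retention policies, and that the tenant's audit licensing allows retention beyond the default. The record type name CopilotInteraction is the one Microsoft uses for Copilot activity in the unified audit log; confirm it against the record types available in your tenant before relying on it.

```powershell
# Added example (not from the article): 12-month audit retention for Copilot records.
# Assumes ExchangeOnlineManagement is installed and the account can manage audit policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

$policyName = "Copilot audit - 12 month retention"

# Idempotent: only create the policy if no policy of that name exists yet.
$existing = Get-UnifiedAuditLogRetentionPolicy | Where-Object { $_.Name -eq $policyName }

if (-not $existing) {
    # RecordTypes: CopilotInteraction is the audit record type for Copilot activity
    #              (confirm in your tenant).
    # Priority:    lower numbers win when several policies cover the same records.
    New-UnifiedAuditLogRetentionPolicy `
        -Name $policyName `
        -Description "HITRUST: retain Copilot interaction audit records for at least one year" `
        -RecordTypes CopilotInteraction `
        -RetentionDuration TwelveMonths `
        -Priority 1
    Write-Host "Created retention policy '$policyName'."
}
else {
    Write-Host "Policy '$policyName' already exists; leaving it unchanged."
}

# Evidence for the assessment: every audit retention policy with its duration and scope.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Format-Table -AutoSize
```

Keep the output of the final listing with your HITRUST evidence, and re-run the check after any tenant change that could alter audit policies; a policy that exists but has a lower priority than a conflicting shorter one will not give you the retention you documented.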
| Item | Inherited from Microsoft | Customer-Managed |
|---|---|---|
| Infrastructure security | Azure data centers, physical controls, network security | None |
| User authentication | Azure AD / Microsoft Entra ID | User access reviews, role assignments |
| Data encryption | At rest AES-256, in transit TLS 1.2+ | Customer key management if using BYOK |
| Audit logging | Platform-level logs, 90-day default retention | Log retention policy, log analysis |
| Plugin security | Microsoft-managed plugins only | Third-party plugin vetting |
| Incident response | Microsoft incident notification | Integration with your SOC |
This table summarizes the split between inherited and customer-managed controls for Copilot under HITRUST CSF v11.0. Use it as a starting point for your compliance documentation.
Now that you understand which HITRUST CSF controls Copilot inherits, you can focus your compliance efforts on the areas that require your direct management. Start by reviewing the Shared Responsibility Matrix in the Microsoft 365 admin center. Then update your data classification policies and user access review procedures. For a deeper dive, examine the Azure HITRUST certification report available in the Service Trust Portal.