Microsoft Copilot for Engineering Firms: Why the Mid-Tier Gets It Wrong (and the Top Tier Already Figured It Out)

TL;DR

  • The top tier didn't win at Copilot by buying more licences. Firms like Arup, Aurecon and GHD publicly run AI strategy and governance functions. They did the unglamorous data-hygiene work before switching anything on.
  • Copilot inherits your permissions; it doesn't fix them. If your SharePoint access has been messy since 2018, AI will faithfully surface that mess to whoever asks. It's not misbehaving; it's trusting permissions set when you were half the size.
  • The real barrier isn't the licence. It's governance done before deployment. Gartner and MIT both point to data and governance, not model quality, as the reason most GenAI rollouts stall.
  • You don't need an in-house AI team to get this right. You need the same three things such a team would give you: a permissions and oversharing assessment, a sensitivity-labelling design, and a prioritised roadmap.
  • An AI Readiness Discovery and Roadmap is the peer review for your AI rollout. You wouldn't issue a structural drawing without one. Same logic.

The uncomfortable truth about why the big firms look so far ahead with AI

Here's the thing nobody says out loud at the industry conference: the top-tier engineering firms aren't beating you at AI because they bought better software. They bought the same Microsoft 365 Copilot you can buy. Same licence, same price per seat, same Microsoft.

What they have that you don't is a team whose actual job is to make sure the AI is safe to switch on. Arup publishes a formal AI policy with named executive governance. Aurecon markets in-house digital and innovation capability. GHD runs "GHD Digital" with public responsible-AI positioning. These aren't side projects. They're institutionalised functions with budgets and headcount.

So, when a tier-1 firm rolls out AI, there's a group of people who have already asked the awkward question: "When we turn this on, what is it going to show people that it shouldn't?"

Most mid-tier firms don't have that group. And that's a feature, not a flaw. A standing AI governance team is a real cost: headcount, salaries, a department that exists to write policy. Tier-one firms carry that overhead because at their scale they have to. Most likely you don't. You're leaner, you move faster, and importantly, you don't need a six-figure internal function sitting on the payroll to get this right. What you need isn't the org chart. It's the outcome that org chart produces. And that's a far smaller, far cheaper thing to put in place.

But here's the catch: Copilot doesn't wait for the governance to be done. It switches on, works beautifully, and every so often surfaces something it shouldn't: a salary spreadsheet, a half-finished tender, last month's board pack. Nothing breaks, no alarm sounds, so it feels fine. Right up until it isn't. That's the trap with skipping the cheap, one-off step: you don't find out you needed it until after you didn't do it.

AI isn't a search engine. It's a brilliant new grad with full network access.

We use this line a lot because it's the most relatable description we've found.

A search engine finds what you tell it to look for. A brilliant, eager new graduate with access to your entire network reads everything they're allowed to read, and then helpfully summarises it for whoever asks. Including the draft tender you haven't submitted, the unrevised report from three years ago, and the salary spreadsheet that drifted into a project folder by accident.

That's Copilot. It doesn't break your permissions. It inherits them. Microsoft's own documentation is explicit: Copilot "can only summarize or reference content that the user is authorized to access." Which sounds reassuring, until you remember who's actually authorised to access what in your SharePoint right now.

If a Project Engineer can technically open a folder they were added to in 2019 and forgot about, Copilot treats that as fair game. Every "Everyone except external users" share, every broken permission inheritance, every guest sub-consultant still on a project group. All of it becomes instantly, conversationally queryable.

The risk was always there. AI just makes it ask-and-answerable in plain English.

Why "just buy the licences" is the wrong instinct

When AI hits the executive agenda, the reflex is to treat it as procurement. Licences, rollout, training, done. That's the visible, billable, easy-to-approve part.

But the licence is the cheap bit. The expensive, invisible bit is the data-hygiene and governance work underneath it. And that's exactly what the data shows firms skip:

  • Gartner predicts at least 30% of GenAI projects get abandoned after proof of concept: citing poor data quality, weak risk controls and unclear value, not bad technology.
  • It also forecasts 60% of AI projects will be abandoned through 2026 for lack of AI-ready data, with 63% of organisations unsure they have the right data practices for AI.
  • MIT's NANDA study found 95% of enterprise GenAI pilots delivered zero return, and concluded the divide "does not seem to be driven by model quality."

The pattern is hard to miss: none of these failures are about the AI being bad. They're about the ground underneath it not being ready. That's why top-tier firms built governance functions instead of just buying seats.

And for engineering firms, the stakes are sharper.

Your SharePoint doesn't hold generic corporate fluff. It holds competitor-sensitive tenders, document-controlled drawings, draft expert opinions and client IP you're contractually and professionally obliged to protect. Both Engineers Australia's and Engineering New Zealand's codes of ethics require you to keep client information confidential. "We turned on AI, and it surfaced a confidential report to the wrong client" is not a sentence you want to explain to a standards board.

You wouldn't release a structural drawing without a peer review. Don't release AI without one either.

The mid-tier's structural advantage (yes, you have one)

Here's the genuinely good news, and it's the part that gets missed.

You don't need to build a permanent in-house AI strategy team to get the same outcome.

Building one is slow and expensive. You'd be hiring for SharePoint architecture, Purview, sensitivity-label design and Entra ID governance, which is a niche, costly skill set to keep on the payroll for what is mostly an up-front project.

The tier-1 firms built the team because they're big enough to keep it busy. The mid-tier's structural advantage is that you can borrow the same capability without the headcount cost. A specialist partner who does this work has designed it dozens of times, and already knows what "good" looks like for an engineering firm specifically.

That's the honest pitch for what the WebVine team does. We're not engineering experts. We've never designed a structural wall, and we won't pretend to. What we know deeply is Microsoft 365 governance: SharePoint architecture, sensitivity labels, DLP, retention, Entra ID. And how to apply it to the specific work product engineering firms create. Your AI strategy and implementation team, on demand, for the months you actually need one.

Three things an AI Readiness Discovery and Roadmap gives you that an enterprise AI team would

Strip a tier-1 firm's AI governance function down to what it delivers before a Copilot rollout, and you get three things. A good readiness assessment gives you the same three.

1. A clear picture of what Copilot will surface. Before it surfaces it.

An oversharing and permissions audit: where access has crept too wide, which sites carry "Everyone"-style shares, which libraries have broken inheritance, which external guests are still lingering on closed projects.

This is the "what will the new grad read?" check. The highest-value thing an internal AI team does. And the one almost nobody does for themselves, because the tooling throws up more findings than anyone can triage without a method.

2. A sensitivity-labelling design built for engineering work.

Not Microsoft's generic example labels. A label set tuned to your content: tenders, draft expert opinions, document-controlled deliverables, employee files. Done right, labels travel with the file and Copilot respects them, so "Highly Confidential — Project Team Only" stays inside the project team no matter where someone stumbles across it.

It's your biggest lever, and the easiest one to get wrong, which is why having it designed by someone who's done it twenty times beats doing it once yourself, under pressure.

3. A prioritised roadmap to execute.

Not a 4,000-line report that gets shelved. A ranked plan: highest-risk exposures first (tenders, expert opinions, HR, financials), then the structural fixes, the rest in parallel. The goal is a defensible baseline you can switch Copilot on against.

That's the whole game. The top tier built these three things in-house. You can buy them as a fixed, time-boxed engagement instead. No standing AI department required.
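As an added illustration (not WebVine's tooling, and not Microsoft's), here is a triage of a constructed SharePoint permissions export that applies the audit and roadmap logic above: flag broad shares, broken inheritance and guests lingering on closed projects, rank them by the roadmap's content categories, and show which sites Copilot would be allowed to draw on for a given user, since it inherits these grants unchanged. The category weights, the `#EXT#` guest naming convention, the `Grant` record shape and the sample grants are all assumptions.

```python
from dataclasses import dataclass

# Content categories from the roadmap, highest risk first (weights are an assumption).
CATEGORY_WEIGHT = {"tender": 5, "expert_opinion": 5, "hr": 4, "financial": 4, "drawing": 2, "general": 1}
BROAD_GROUPS = {"Everyone", "Everyone except external users"}

@dataclass(frozen=True)
class Grant:
    site: str           # site or library path
    principal: str      # user, group, or guest (assumed convention: guest UPNs end in #EXT#)
    category: str       # content category of the library
    project_open: bool  # project still active?
    unique_perms: bool  # inheritance broken on this library?

def exposure(g):
    """(exposure weight, reason) for one grant; weight 0 means nothing to fix."""
    if g.principal in BROAD_GROUPS:
        return 3, "broad share"
    if g.principal.endswith("#EXT#") and not g.project_open:
        return 3, "guest lingering on closed project"
    if g.unique_perms:
        return 1, "broken inheritance"
    return 0, ""

def rank_findings(grants):
    """Ranked remediation list: score = category weight x exposure weight, highest first."""
    scored = []
    for g in grants:
        w, reason = exposure(g)
        if w:
            scored.append((CATEGORY_WEIGHT.get(g.category, 1) * w, g.site, g.principal, reason))
    return sorted(scored, reverse=True)

def copilot_can_surface(grants, user, user_groups, is_guest=False):
    """Sites Copilot could draw on for `user`: exactly what the existing grants allow."""
    visible = set()
    for g in grants:
        if g.principal == user or g.principal in user_groups or g.principal == "Everyone":
            visible.add(g.site)
        elif g.principal == "Everyone except external users" and not is_guest:
            visible.add(g.site)
    return sorted(visible)

# Constructed sample export, not a real tenant.
SAMPLE = [
    Grant("/sites/Tenders-2025/Drafts", "Everyone except external users", "tender", True, False),
    Grant("/sites/HR/Salaries", "Everyone", "hr", True, True),
    Grant("/sites/Proj-4412/Deliverables", "surveyor_partner.com#EXT#", "drawing", False, False),
    Grant("/sites/Proj-5100/Expert", "Proj-5100 Members", "expert_opinion", True, True),
    Grant("/sites/Intranet/News", "Everyone", "general", True, False),
]
```

Running `copilot_can_surface` for the lingering guest shows the difference between "Everyone" and "Everyone except external users": the HR library is reachable to the guest, the tender drafts are not.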

Not sure where you stand?

Start with our free "Is your SharePoint ready for Copilot?" check. A tool for a first look at your biggest exposure points.

Or just reach out to us and we'll walk you through what a readiness assessment would surface for your firm. That's the part the tier-one firms pay a full-time team for. You can have a conversation.

FAQs

Will Copilot work without doing any of this first?

Yes. And that's exactly the trap. It'll switch on and give people genuinely useful answers. It'll also, occasionally, surface something it shouldn't. The useful answers are immediate and visible; the exposure is silent until someone notices. "It works" and "it's safe" are not the same milestone.

We're mid-tier. Isn't AI governance overkill for a firm our size?

The governance effort scales to your environment; the exposure doesn't. A 300-person firm holds the same categories of sensitive content as a 3,000-person firm: tenders, expert opinions, client IP, salaries. You don't need a permanent team. You need the up-front work done once, properly.

Isn't this just a security audit or our Microsoft Secure Score?

No. A security audit asks "can someone break in?" A readiness assessment asks a different question: "when we switch AI on, what will it surface to the wrong internal person?" Your Secure Score can look healthy while your Copilot exposure is wide open. They're measuring different things.

Do we need to have bought Copilot licences before we start?

No. In fact, doing the readiness work first is the point. It's cheaper to fix the ground than to roll back a rollout. You can assess and remediate, then licence with confidence.

How long does implementation take?

Once you have your assessment and roadmap, implementation typically runs two to six months for a firm. Longer if sensitivity labels and DLP are new ground, since the oversharing scan alone can run a month before remediation even begins. A structured assessment compresses the diagnostic and design into a fixed, pragmatic, time-boxed engagement, with a roadmap your team executes afterwards.

What about our external collaborators: sub-consultants, surveyors, peer reviewers?

External access is legitimate and necessary; unmanaged external access is the problem. The goal is a known list of guests, each with a documented project scope and an off-boarding trigger when the project closes. The oversharing scan is where this gets surfaced.

Will sensitivity labels slow our engineers down?

Done well, barely. Auto-labelling does most of the work, and people only label the exceptions. Done badly, they'll be the most-complained-about thing you've ever rolled out. The design step matters far more than the technology, which is the whole argument for getting it designed properly the first time.

Sources

  1. Microsoft Learn — Microsoft 365 Copilot data protection architecture (Copilot honours existing access; EXTRACT/VIEW rights) — https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-architecture-data-protection-auditing
  2. Microsoft Learn — Copilot Control System: security and governance (use SharePoint Advanced Management + Purview to assess oversharing) — https://learn.microsoft.com/en-us/microsoft-365/copilot/copilot-control-system/security-governance
  3. Gartner — Lack of AI-Ready Data Puts AI Projects at Risk (60% abandoned without AI-ready data through 2026; 63% lack the practices) — https://www.gartner.com/en/newsroom/press-releases/2025-02-26-lack-of-ai-ready-data-puts-ai-projects-at-risk
  4. Gartner — 30% of GenAI Projects Abandoned After Proof of Concept by End-2025 — https://www.gartner.com/en/newsroom/press-releases/2024-07-29-gartner-predicts-30-percent-of-generative-ai-projects-will-be-abandoned-after-proof-of-concept-by-end-of-2025
  5. MIT Project NANDA — The GenAI Divide: State of AI in Business 2025 (95% zero return; barrier is integration, not model quality) — https://mlq.ai/media/quarterly_decks/v0.1_State_of_AI_in_Business_2025_Report.pdf
  6. Microsoft — 2025 Work Trend Index Annual Report — https://www.microsoft.com/en-us/worklab/work-trend-index
  7. Engineers Australia — Code of Ethics and Guidelines on Professional Conduct — https://www.engineersaustralia.org.au
  8. Engineering New Zealand — Code of Ethical Conduct — https://www.engineeringnz.org
  9. Arup — AI policy / responsible AI — https://www.arup.com
  10. GHD — GHD Digital — https://www.ghd.com