TL;DR: The FTC is investigating Microsoft for bundling its AI assistant Copilot into enterprise software suites like Office 365. The issue: AI tools are being deployed into organizations without anyone making a deliberate decision to adopt them. That creates ungoverned AI usage at scale. This probe signals a new era of AI enforcement where the distribution model matters as much as the technology itself.
The AI That Nobody Decided to Deploy
Sometime in 2024, Microsoft Copilot started appearing inside Office 365 applications. It showed up in Word. In Excel. In Outlook. In Teams. One day it wasn't there. The next day it was, sitting in the toolbar, ready to process whatever data employees fed into it.
No one in your organization made a deliberate decision to deploy an AI assistant. No one conducted a risk assessment. No one reviewed the data handling practices. No one established usage policies. No one asked IT or legal or compliance whether this was appropriate.
The AI just appeared. And employees started using it. Because of course they did. It was right there. It was helpful. It made their work faster. Why wouldn't they?
The FTC noticed.
What the FTC Is Actually Investigating
The Federal Trade Commission's probe into Microsoft isn't about whether Copilot works well or whether it's a good product. The investigation focuses on the bundling mechanism itself.
When Microsoft bundles Copilot into software suites that businesses already depend on, it creates a dynamic where AI adoption happens by default, not by decision. The typical enterprise procurement process (identify need, evaluate vendors, assess risks, approve deployment, train users) gets bypassed entirely.
The FTC's concern breaks down into several threads:
Unfair competitive practices. Bundling AI into a dominant software suite (Office 365 has over 400 million commercial users) makes it nearly impossible for competing AI products to get a fair evaluation. Why would a company evaluate standalone AI assistants when one comes pre-installed in the software they're already paying for?
Consumer protection. Enterprise customers purchased Office 365 for email, documents, and spreadsheets. AI capabilities were added later. The nature of the product changed after the purchase decision was made. Employees may not understand they're interacting with AI when they use features that are seamlessly integrated into familiar tools.
Data practices. When Copilot is embedded in Outlook, it can access email content, calendar data, contact information, and attachments. When it's in Word, it can access document content and revision history. When it's in Teams, it can access meeting transcripts and chat logs. The scope of data accessible to the AI expands with every integration point, and most organizations haven't assessed the implications.
Why This Matters Beyond Microsoft
This probe is bigger than one company. It establishes a principle: the way AI tools are distributed to end users is a regulatory concern.
Consider the parallel to the browser wars of the late 1990s. Microsoft bundled Internet Explorer with Windows, which led to one of the most significant antitrust cases in technology history. The issue wasn't that Internet Explorer was a bad browser. The issue was that bundling it with the dominant operating system gave it an unfair distribution advantage and denied consumers a genuine choice.
Copilot bundled with Office 365 is the AI version of IE bundled with Windows. The distribution mechanism creates adoption without deliberation.
And Microsoft isn't the only company doing this. Google is embedding Gemini into Workspace. Salesforce is embedding Einstein AI into its CRM. Adobe is embedding Firefly into Creative Cloud. Every major enterprise software vendor is racing to embed AI into existing products.
If the FTC establishes that AI bundling raises consumer protection or competition concerns, the implications ripple across the entire enterprise software industry.
The Shadow AI Problem This Creates
From a governance perspective, the bundling problem is devastating.
Companies that have carefully built AI governance frameworks (approved tool lists, data classification systems, usage policies) suddenly discover that AI capabilities were deployed into their environment without going through any of those processes.
Consider a financial services company that spent six months building an AI governance framework. They evaluated specific AI tools for specific use cases. They conducted risk assessments. They built audit trails. They trained their teams.
Then Microsoft pushes a Copilot update and every employee with an Office 365 license suddenly has an AI assistant that can access their email, documents, and meetings. None of that went through the governance framework. None of it was risk-assessed. None of it was covered by the usage policy because the policy was written for tools that employees deliberately choose to use, not tools that appear in their toolbar overnight.
This is shadow AI at a scale that's difficult to comprehend. We're talking about millions of enterprise users who have AI capabilities they didn't ask for, processing data that was never classified for AI consumption, in workflows that were never assessed for AI risk.
The Data Flow Nobody Mapped
When your employee opens a Word document and asks Copilot to summarize it, where does the data go?
This isn't a rhetorical question. The answer depends on your organization's Microsoft tenant configuration, your data residency settings, your AI service agreements, and the specific Copilot feature being used. In many configurations, the document content is processed by Microsoft's AI infrastructure, which may be hosted in data centers outside your jurisdiction.
For companies subject to data localization requirements (healthcare organizations with HIPAA obligations, financial institutions with regulatory data residency rules, any organization handling EU citizen data under GDPR), this creates an unassessed compliance risk.
The data flow was designed for email and document storage. AI processing was layered on top. The compliance implications of that additional processing layer were not assessed because nobody decided to add AI to the workflow. It was added for them.
What Your Organization Should Do
1. Assess Your Current Exposure
Check your Microsoft 365 admin center. Determine which Copilot features are enabled for your organization. You may find that AI capabilities are active that nobody explicitly turned on.
The same audit should cover every enterprise software suite in your environment: Google Workspace, Salesforce, Adobe, ServiceNow. Check for AI features that were activated by default or through vendor updates.
2. Make Deliberate Decisions
For each bundled AI capability, make a conscious yes/no decision. Should this be active? Has it been risk-assessed? Does it comply with your data governance policies? Is your team trained on appropriate use?
"It was on by default" is not a governance posture.
3. Configure, Don't Just Accept Defaults
Most bundled AI features can be configured at the admin level. You can disable Copilot for specific user groups, restrict which data sources it can access, and control which features are available.
Use these controls. The default configuration is optimized for Microsoft's business objectives (maximum adoption), not for your compliance objectives.
4. Update Your Governance Framework
If your AI governance framework only covers tools that employees deliberately adopt, it has a massive blind spot. Update it to include vendor-embedded AI capabilities. Your approved tool list should include a section for "AI features within approved platforms" with separate assessments for each.
5. Talk to Your Vendors
Engage your Microsoft (or Google, or Salesforce) account team directly. Ask specific questions:
- What AI features are currently active in our environment?
- What data do these features process?
- Where is that data processed?
- What opt-out mechanisms are available?
- What data processing agreements cover AI-specific processing?
Document the answers. If the account team can't answer these questions, escalate.
Where This Is Heading
The FTC probe is the first shot in what will be an extended regulatory engagement with AI bundling practices. Whether it results in formal enforcement action, a consent decree, or just increased scrutiny, the signal is clear: regulators are paying attention to how AI reaches end users, not just what AI does.
For business leaders, the takeaway is straightforward. You are responsible for every AI tool in your environment, including the ones you didn't choose to deploy. Vendor defaults are not your governance policy. Bundled features are not pre-approved.
Every AI capability in your organization needs a deliberate, documented decision behind it. If that decision hasn't been made, make it now. Before a regulator makes it for you.
Kaizen AI Lab helps organizations audit their AI footprint (including vendor-bundled capabilities) and build governance frameworks that account for the full scope of AI deployment.