Loyens & Loeff, a leading Benelux law firm, has become one of the first in the highly regulated legal industry to deploy generative AI at scale, rolling out Microsoft 365 Copilot to all 1,600 employees. The firm coupled the AI assistant with a rigorous governance framework built on Microsoft Purview, Defender for Cloud, and SharePoint Advanced Management, proving that even the most risk-averse sectors can harness large language models without compromising client confidentiality or regulatory compliance.

The deployment, which also included issuing Surface Laptop 7 devices to staff, marks a significant milestone for AI adoption in legal and tax advisory work. By embedding Copilot into daily workflows, Loyens & Loeff aims to boost efficiency in document drafting, legal research, email summarization, and meeting recaps, while the layered security and compliance controls ensure sensitive data never leaves the firm’s tenant or falls prey to improper access.

The Firm and the Bet on Productive AI

Loyens & Loeff is a full-service law firm with offices in the Netherlands, Belgium, Luxembourg, Switzerland, and key financial centers including London and New York. Known for its integrated tax and legal advice, the firm handles highly confidential M&A transactions, cross-border structuring, and litigation for multinational clients. In recent years, partners recognized that generative AI could give the firm an edge in a competitive market where billable hours are under pressure and clients demand faster turnaround.

Early in 2024, the firm’s innovation team began piloting Microsoft 365 Copilot. Unlike consumer-facing AI tools, Copilot is grounded in the user’s own Microsoft 365 data—emails, documents, meetings, and chats—and promises to keep that data within the organization’s compliance boundary. That architectural commitment was crucial for Loyens & Loeff, where client privilege and GDPR compliance are non-negotiable. The pilot quickly demonstrated that Copilot could cut the time to produce first drafts of contracts by 40% and automate the summarization of deposition transcripts and email threads, freeing lawyers for higher-value analysis.

The Governance Stack: Purview, Defender, and SharePoint Advanced Management

Regulatory compliance in legal work goes far beyond data residency. Loyens & Loeff needed to ensure that Copilot did not inadvertently surface privileged documents to the wrong person, that internal ethical walls between practice groups were respected, and that any AI-generated content was auditable. The firm built its governance backbone using three Microsoft services working in tandem.

Microsoft Purview provided the data classification and labeling engine. Sensitive documents—such as those covered by attorney-client privilege, containing personal data, or related to specific client matters—are automatically labeled using trainable classifiers and sensitive info types. These labels then govern what Copilot can index and surface. For example, a lawyer in the tax practice querying Copilot about a merger will not see results from the corporate litigation team’s privileged documents, even if both are stored in SharePoint. Purview’s Data Loss Prevention (DLP) policies also block Copilot from including protected content in generated outputs, such as draft emails or Word documents, if doing so would violate labeling rules.

Microsoft Defender for Cloud Apps (part of the broader Defender suite) extends these protections to the SaaS layer. The firm configured session policies to monitor and control how Copilot interacts with data across Microsoft 365. Anomalous usage patterns, such as a user suddenly querying large volumes of financial documents outside their normal scope, trigger alerts and can automatically restrict access until a security analyst reviews the activity. Defender for Cloud Apps also enforces the firm’s Conditional Access policies, ensuring that Copilot is only accessible from managed, compliant devices—a key consideration given the issuance of new Surface Laptop 7 hardware.

Perhaps the most critical piece for fine-grained control was SharePoint Advanced Management (SAM). Standard SharePoint permissions alone are insufficient for an AI that can interpret and cross-reference content at scale. SAM’s advanced access policies allow Loyens & Loeff to restrict Copilot’s search scope to specific site collections or even libraries. This ensures that highly confidential client data stored in locked-down document libraries is completely invisible to Copilot, regardless of a user’s individual permissions. Additionally, SAM’s data access governance reports help the IT team audit exactly which sites and content Copilot has indexed, providing the transparency that partners and clients demand.

Hardware That Enables the Experience: Surface Laptop 7

Copilot in Microsoft 365 runs in the cloud, but the firm wanted a device that would natively complement the AI experience. Loyens & Loeff chose the Surface Laptop 7, the first Copilot+ PC from Microsoft, for its rollout. These ARM-based devices feature a dedicated neural processing unit (NPU) capable of 45 TOPS, which accelerates local AI tasks such as real-time captioning, Windows Studio Effects during Teams calls, and on-device recall features in a secure manner.

For a law firm, the business-grade security of Surface devices was a major factor. The Laptop 7 comes with firmware-level protections and ships with Windows 11 Secured-core PC certification. When combined with Defender for Endpoint and the firm’s mobile device management through Intune, every device acts as a hardened endpoint. The NPU also offloads AI workloads from the CPU and GPU, preserving battery life for lawyers who are often in court or traveling between client offices. During the deployment, IT pushed pre-configured policies that restrict Copilot access to the managed browser and Microsoft 365 apps, ensuring that AI interactions occur only within the secured ecosystem.

Implementation and Change Management

Rolling out AI to 1,600 lawyers, tax advisors, and support staff required more than technology. Loyens & Loeff’s IT and professional development teams collaborated on a phased introduction. First, practice group leaders received Copilot and underwent “train the trainer” sessions. These early adopters created use-case libraries for their colleagues, demonstrating how to prompt Copilot to draft a non-disclosure agreement, summarize a 50-page due diligence report, or outline a legal memo. The firm also issued guidelines on responsible AI use, clarifying that Copilot is an assistant—all output must be verified by a qualified professional—and that it must never be used to generate final client advice without human review.

Feedback from the pilot shaped the governance policies. Lawyers raised concerns about the “black box” nature of AI responses. In response, IT enabled Copilot’s grounding citations, which show users the source document each fact or passage comes from. Combined with Purview’s labeling, this creates a transparent audit trail. The firm also integrated Copilot with its existing matter management system, so when a lawyer drafts an email about a particular client matter, Copilot can reference only the documents and emails tagged with that matter number—another safeguard against mixing data.

Results and Efficiencies Gained

Three months after the full rollout, Loyens & Loeff reports measurable gains. Internal surveys show that 78% of professionals say Copilot saves them at least 30 minutes per day, primarily through email triage and document summarization. The corporate M&A team reduced the time to compile first drafts of transaction documents by an average of 35%. The tax practice, which deals with voluminous legislative updates, uses Copilot to summarize new regulations and compare them against existing ones, a process that previously consumed hours of junior associate time.

Crucially, the governance framework has held up under real-world pressure. Microsoft Purview has blocked over 1,200 instances in which Copilot attempted to include restricted content in generated outputs, according to the firm’s internal security team. Defender for Cloud Apps flagged two incidents of abnormal query patterns that turned out to be well-intentioned but overly broad searches by new associates—both were resolved without data leakage. SharePoint Advanced Management’s scoping prevented any accidental exposure of special committee documents that were unsearchable by design.

Clients have reacted positively, too. Loyens & Loeff proactively informed its top clients about the AI adoption and the safeguards in place. A senior partner noted, “When a client hears that we use AI, their first question is about confidentiality. Being able to walk them through Purview labels, SAM restrictions, and the fact that their data stays in our tenant—that builds trust.” Several clients have since asked the firm to share its governance blueprint for their own legal departments.

Broader Implications for Regulated Industries

Loyens & Loeff’s success provides a template for other firms and regulated entities, from accounting to healthcare, that have hesitated to deploy generative AI due to compliance fears. The key takeaway is that governance must be architected before the AI is turned on. Off-the-shelf Copilot without Purview’s sensitivity labels or SAM’s access restrictions would be a non-starter for any organization bound by professional secrecy or data protection laws.

Microsoft has been aggressively positioning its governance stack as the differentiator for enterprise AI, and this deployment lends credence to that pitch. The tight integration among Purview, Defender, and SharePoint Advanced Management creates a control plane that can adapt to different regulatory frameworks, whether GDPR in Europe, the SEC’s cybersecurity rules in the US, or professional codes of conduct. For Microsoft’s partners, the blueprint also opens a lucrative services opportunity in AI governance consulting.

Challenges and Continuing Vigilance

Despite the smooth rollout, Loyens & Loeff acknowledges that AI governance is not a one-time setup. The firm must continuously update its sensitivity labels as new client matters are opened and old ones closed. The explosion of Copilot-generated content—draft emails, meeting notes, document versions—requires careful data lifecycle management to avoid sprawl and rising storage costs. SharePoint Advanced Management’s reporting is now part of the IT team’s weekly routine, and the firm is exploring Microsoft’s new AI-powered data governance tools, such as those in Purview that can retrospectively identify overshared content.

Training remains an ongoing effort. Some senior partners are still reluctant to trust AI-generated drafts, preferring to dictate to assistants. The innovation team is working on personalized coaching to show reluctant users how to validate Copilot’s output efficiently, emphasizing that the goal is augmentation, not replacement.

The Road Ahead

Loyens & Loeff plans to expand its AI use beyond Copilot’s current capabilities. The firm is testing Microsoft Copilot Studio to build custom AI agents that can answer questions based on proprietary legal knowledge bases, such as prior transaction structures or internal legal opinions. These agents will be governed by the same Purview labels and SAM restrictions, demonstrating how the governance foundation scales to custom AI solutions.

The firm is also contributing feedback to Microsoft on features legal professionals need most, such as better handling of local court formatting requirements, more transparent reasoning for legal summaries, and integration with third-party legal research platforms like Westlaw and LexisNexis. Microsoft’s evolving Copilot platform, with its promise of third-party skill plugins, may eventually address some of these needs.

For the wider Windows community, Loyens & Loeff’s deployment validates the Copilot+ PC category as more than a consumer gimmick. The combination of Surface Laptop 7 hardware and the Microsoft 365 Copilot software, wrapped in a defense-in-depth compliance strategy, shows that the modern PC can be a secure AI portal even in the most sensitive professions.