Domain 1 of 3 · Chapter 4 of 4

Responsible AI: Risks and Verification

Three risks that make verification non-optional

Imagine Copilot drafts a customer email that cites a refund policy clause, and the clause sounds exactly right but doesn't exist in any of your company's documents. That is the failure mode every Copilot user has to plan for. Microsoft is direct about it: the responsible-use guidance[1] tells users that outputs may be inaccurate, incomplete, biased, or irrelevant, and that you should review responses and verify they match your expectations before you rely on them. Three named risks drive that advice.

Fabrication (hallucination)

A fabrication is a confident but wrong or invented claim. Microsoft's own term for it is ungrounded content: "content that appears correct but isn't present in source materials." It happens because the underlying large language model is probabilistic, so even when Copilot is grounded in your files it "may include information in its response that isn't present in its input sources." The danger is precisely that it reads as plausible, so a fabricated revenue figure or a made-up policy clause sails past a quick skim.

Prompt injection

Prompt injection is a malicious instruction hidden inside content Copilot references, such as a forwarded email, a shared file, or a web page, that tries to hijack the response. The hidden text isn't your prompt; it's a payload smuggled into the grounding data, which is why Microsoft also calls it an indirect or cross-prompt injection attack. Copilot runs classifiers to detect and block these attempts, but the user-side tell is behavioral: a summary that suddenly instructs you to send a payment, share a file, or click a link is following instructions you never gave. See data-privacy-and-protection for how permissions limit what Copilot can reach in the first place; this subtopic is about recognizing a hijacked answer.

Over-reliance (automation bias)

Over-reliance, also called automation bias, is the human failure of accepting output without checking it. Microsoft defines it plainly: overreliance "happens when users accept incorrect or incomplete AI outputs, mainly because mistakes in AI outputs may be hard to detect," and lists consequences from lost productivity to financial and physical harm. It is the risk that turns a rare fabrication into a shipped mistake, because the safeguard that should have caught it, a human reading the output, was skipped.

Where each risk strikesGrounding datafiles, emails, web pagesCopilot outputthe drafted responseHuman accepts itused in real workPrompt injectionhidden instruction inthe grounding dataFabricationinvented claim not inthe input sourcesOver-relianceaccepting outputwithout checking it
Each named risk strikes a different stage: prompt injection in the grounding data, fabrication in Copilot's output, over-reliance at the human who accepts it.

Two verification steps: citation checks and human review

The exam asks you to select verification steps appropriate to the task, and there are two you need to name. They stack: a citation check confirms the facts, and human review confirms the judgment.

Citation check

When a response is grounded in your work content, Copilot attaches references to the sources. Microsoft built this in for exactly one purpose: "responses in Microsoft 365 Copilot that are based on business documents include references to the sources for users to verify the response and learn more," and users are "advised to check the source materials." A citation check is the concrete act of doing that: open the cited file, page, or email and confirm it actually says what Copilot claims. The reference is a clickable link in the response: in Teams chats, for example, you open the cited source by selecting Sources at the end of a response, which scrolls the thread to the message Copilot used. Two patterns deserve suspicion: a factual claim with no citation, and a citation that, when you open it, doesn't support the claim. Both are the signature of a fabrication.

Human review

Human review means a person validates the output before it is used. Microsoft frames this as human oversight: "AI might still make mistakes … users should review the responses generated by Microsoft 365 Copilot and verify that they match their expectations and requirements." Review is broader than a citation check. It catches problems a citation can't: tone that is wrong for the audience, a recommendation that is technically sourced but bad judgment, an omission, or a bias. For anything consequential, human review is non-negotiable, and Microsoft's mitigation for over-reliance is partly to add disclaimers, but "users should still make sure to review the accuracy of the answers."

Why grounding helps but doesn't replace verification

Grounding a prompt in your documents improves accuracy, and it is Microsoft's main mitigation against ungrounded content. It does not eliminate the need to verify, because even a grounded response "may include information … that isn't present in its input sources." Grounding raises the floor; the citation check and human review still set the ceiling.

Copilot responseread it firstCitation checkopen each cited sourceHuman reviewjudgment, tone,omissionsUse the outputconfirms the factsconfirms the judgment
Citation check then human review: facts first, judgment second, before a Copilot response is used.

Match the rigor of verification to the stakes

Verifying everything to the same depth wastes time; verifying nothing ships mistakes. The rule the exam tests is to match the rigor of verification to the stakes of the task. The more a wrong answer would cost, the more verification it earns.

Use a simple ladder. A low-stakes, reversible task, a personal brainstorm or an internal first draft you will rewrite anyway, needs little more than a quick read. A medium-stakes task, an internal report or a summary others will act on, earns a citation check on the specific claims (numbers, dates, names, quotes). A high-stakes task, anything external, financial, legal, HR, or about a person, earns both a citation check and human review by a person before it is used.

Microsoft sets the top of that ladder explicitly. Its guidance is to "exercise caution and evaluate outcomes when using Microsoft 365 Copilot for consequential decisions or in sensitive domains," naming financial services, healthcare, housing, employment, and legal status as cases that "require particular care." It also warns against high-stakes uses like diagnosing patients or prescribing medication. The throughline: stakes set the floor for how hard you check, and for consequential work a human is always in the loop.

One caution about the ladder: stakes are about the consequences of being wrong, not the length of the output. A one-line figure pasted into a board deck is high-stakes; a long internal brainstorm is not. Judge by where the output goes and what acting on a mistake would cost.

What does a wrong answer cost?judge by stakes, not lengthLowMediumHighReversible, internal draftbrainstorm, throwawayOthers will act on itinternal report, summaryExternal or about a personfinancial, legal, HR, publicQuick readCitation checkCitation check+ human reviewConsequential decisions: a human is always in the loop
Scale verification to stakes; consequential or sensitive-domain work always keeps a human in the loop (Microsoft 365 Copilot application card).

Spotting the risks: exam scenarios

Exam items put you in a business scenario and ask which responsible-AI behavior fits. The right answer is almost always the proportionate verification step, not a platform control. Watch for these patterns.

"Copilot produced a figure / quote / clause not in the source." This is a fabrication (ungrounded content). The fix is a citation check: open the cited source and confirm it. A distractor that says "trust it because Copilot is grounded in your data" is wrong, because grounded responses can still include content not in the sources.

"A summary of a forwarded email tells the user to wire money or share a file." This is prompt injection: a hidden instruction in referenced content trying to hijack the response. The user-facing behavior is to be skeptical of output that acts on instructions you never gave, and to confirm against a trusted source. Do not treat such output as a legitimate task. (Whether Copilot could reach that file is a permissions question, covered in data-privacy-and-protection.)

"The user pasted Copilot's answer straight into a client deliverable." This is over-reliance / automation bias. The correct behavior is human review before the output is used, scaled up because the work is external and high-stakes. "It saved time" is not a defense the exam rewards.

"Which task needs the most verification?" Choose the most consequential one: external, financial, legal, HR, or affecting a person. Microsoft singles out consequential decisions and sensitive domains for extra caution. An internal brainstorm is the least verification-hungry option, and picking it as the high-rigor case is the trap.

"What does a citation in a Copilot response let you do?" Verify the claim by opening the source it points to. A citation is a verification aid, not a guarantee that the surrounding sentence is correct; you still have to open it and read.

A useful frame for the whole subtopic: Copilot is a capable assistant whose work you sign off on. Naming the risk (fabrication, prompt injection, or over-reliance) points you straight at the matching step (citation check, trusted-source cross-check, or human review), and the stakes tell you how hard to apply it.

Name the riskMatching verification stepFabricationconfident but invented claimPrompt injectionhidden instruction in referenced contentOver-relianceaccepting output without checkingCitation checkopen the cited source, confirm itCross-check trusted sourcedistrust output acting on hidden ordersHuman reviewa person validates before use
Name the risk, then apply the matching step: fabrication a citation check, prompt injection a trusted-source cross-check, over-reliance human review (Microsoft 365 Copilot application card).

Three risks, what each looks like, and the verification step that catches it

RiskWhat it looks like in a business scenarioVerification step that catches it
Fabrication (hallucination)A draft cites a Q3 revenue figure or a policy clause that isn't in any of your filesCitation check: open the cited source and confirm it says what Copilot claims
Prompt injectionA summary of a forwarded email suddenly tells you to send a payment or share a file, following hidden instructions you never gaveCross-check against a trusted source; be skeptical of output that acts on instructions from referenced content
Over-reliance (automation bias)Pasting a Copilot answer straight into a client deck without reading it because it sounded rightHuman review: a person validates the output before it is used, scaled to the stakes

Decision tree

What does a wrong answer cost?judge by stakes, not lengthLowMediumHighReversible, internal draft?brainstorm, throwawayOthers will act on it?internal report, summaryExternal or about a person?financial, legal, HR, publicQuick readCitation checkCitation check+ human reviewConsequential decisions: a human is always in the loop

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A fabrication is confident output that isn't grounded in any source

A fabrication, also called a hallucination, is a confident but wrong or invented claim. Microsoft's term for it is ungrounded content: text that appears correct but isn't present in the source materials. It happens because the model is probabilistic, so even a response grounded in your files can include information that isn't in those inputs. The danger is that it reads as plausible, so an invented figure or policy clause survives a quick skim.

Trap Assuming a response grounded in your own documents cannot be fabricated; grounding lowers the risk but Copilot can still add claims not present in the inputs.

20 questions test this
Prompt injection hides a malicious instruction inside content Copilot reads

Prompt injection is a hostile instruction smuggled into content Copilot references, such as a forwarded email, a shared file, or a web page, that tries to hijack the response. Because the payload rides in the grounding data rather than your prompt, it is also called indirect or cross-prompt injection. The user-facing tell is behavioral: output that instructs you to send a payment, share a file, or click a link is acting on orders you never gave.

Trap Treating a Copilot summary's embedded instruction as a legitimate task because Copilot surfaced it; the instruction came from the untrusted content, not from you.

11 questions test this
Over-reliance is accepting AI output without checking it

Over-reliance, also called automation bias, is the human failure of accepting incorrect or incomplete output without verifying it. Microsoft flags it as especially dangerous because mistakes in AI output can be hard to detect, and lists consequences from lost productivity and broken trust to financial and physical harm. It is the failure that turns a rare fabrication into a shipped mistake, because the human check that would have caught it was skipped.

12 questions test this
A citation check means opening the cited source and confirming the claim

A citation check is the act of opening the file, page, or email Copilot cited and confirming it actually says what the response claims. When a response is grounded in work content, Copilot attaches clickable references to the sources precisely so users can verify the response. It is the fastest way to catch a fabrication, because the failure shows up immediately when the source does not contain the claim.

Trap Treating the presence of a citation as proof the claim is correct; a citation only helps if you open it and confirm it supports the sentence.

14 questions test this
Human review means a person validates the output before it is used

Human review, which Microsoft frames as human oversight, is a person checking the output against expectations and requirements before anyone acts on it. It catches problems a citation check cannot: wrong tone for the audience, a sourced but ill-judged recommendation, an omission, or bias. For consequential or external work it is non-negotiable, because the product disclaimers Microsoft adds reduce but do not remove the need to review accuracy.

17 questions test this
Match the rigor of verification to the stakes of the task

Scale how hard you verify to what a wrong answer would cost. A low-stakes reversible draft needs little more than a quick read; medium-stakes work others act on earns a citation check on the specific claims; high-stakes work earns a citation check plus human review. The more a mistake would cost, the more verification it earns, so the stakes set the floor for rigor.

1 question tests this
Stakes are about consequences of being wrong, not output length

Judge stakes by where the output goes and what acting on a mistake would cost, not by how long the text is. A one-line figure pasted into a board deck is high-stakes; a long internal brainstorm is low-stakes. The exam will offer a long but throwaway output as the high-rigor choice to see if you confuse volume with consequence.

Trap Picking the longest output as the one needing the most verification; rigor follows where the output lands and the cost of error, not word count.

Consequential and sensitive-domain work always keeps a human in the loop

Microsoft advises exercising caution and evaluating outcomes when using Copilot for consequential decisions or sensitive domains, naming financial services, healthcare, housing, employment, and legal status as needing particular care. For these, a person must validate the output before it is used, and high-stakes uses like diagnosing patients or prescribing medication are to be avoided. The throughline is that a human stays in the loop wherever a wrong answer carries legal, financial, or personal harm.

2 questions test this
Grounding raises accuracy but does not replace verification

Grounding a prompt in your documents improves accuracy and is Microsoft's main mitigation against ungrounded content, but it does not remove the need to verify, because a grounded response can still include content not present in its input sources. Grounding raises the floor; the citation check and human review still set the ceiling. Lean on grounding to get better drafts, not as a reason to skip checking.

Trap Skipping verification because the prompt was grounded in trusted files; grounding reduces fabrication but cannot guarantee every claim came from the sources.

1 question tests this
A missing or unsupported citation is the signature of a fabrication

Two patterns deserve suspicion in any response: a factual claim with no citation, and a citation that, once opened, does not support the claim. Both are how fabrication shows up in a grounded response. When you spot either, treat the claim as unverified and check it against a trusted source before reusing it.

6 questions test this
The matching verification step depends on which risk you face

Naming the risk points to the step that catches it: a fabrication is caught by a citation check, prompt injection by cross-checking against a trusted source and distrusting output that acts on hidden instructions, and over-reliance by human review before use. On a scenario item, identify the risk first, then choose the proportionate step rather than a generic answer.

1 question tests this
Verify specifics like numbers, dates, names, and quotes against the source

Specifics are where fabrication hides, so check every figure, date, name, and quoted clause against its cited source rather than trusting the surrounding prose. A single wrong number can invalidate a whole document, which is why a citation check focuses on the exact claims an exam question would turn on. The fluent narrative around a figure is no evidence the figure itself is right.

8 questions test this
Treat Copilot output as a draft you still own and sign off on

Microsoft's guidance is to review responses and verify they match your expectations before relying on them, so treat what Copilot returns as a starting point, the way you would treat a first draft from a new colleague. The responsibility for the final content stays with the person who uses it, not the tool that drafted it. This framing is why review is expected even when the output looks finished.

4 questions test this
Output verification is separate from platform data protection

Checking whether a response is accurate and trustworthy is distinct from controlling what data Copilot can reach. Whether Copilot can open a file, and how permissions and sensitivity labels limit what it sees, is data protection, not output verification. On a scenario about a wrong or hijacked answer, the responsible-AI behavior is the verification step, not a permissions or labeling control.

Trap Answering a fabrication or prompt-injection scenario with a permissions or sensitivity-label fix; access controls govern what Copilot can reach, not whether its answer is correct.

Also tested in

References

  1. https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-application-card