Copilot vs ChatGPT under the EU AI Act: why “compliant by design” changes your risk and governance workload

EPISODE · Oct 17, 2025 · 22 MIN

from M365.FM - Modern work, security, and productivity with Microsoft 365 · host Mirko Peters - Founder of m365.fm, m365.show and m365con.net

Everyone thinks AI compliance is Microsoft’s problem. In this episode of M365.fm, Mirko Peters explains why the EU AI Act actually splits obligations across the whole AI supply chain—providers like Microsoft, yes, but also deployers like you when you roll out tools such as Copilot or ChatGPT into real business workflows. He shows how one HR experiment with ChatGPT or Copilot for candidate screening can instantly put your organization into “high‑risk” territory, triggering documentation, monitoring, transparency, and human‑oversight requirements backed by fines of up to 7% of global revenue.

Mirko walks through the AI Act’s four‑step risk ladder—unacceptable, high, limited, minimal—and makes it brutally clear that risk is defined by use case and context, not by how friendly the tool looks. A generic chatbot writing social posts may be minimal risk, but wire the same engine into hiring, compliance reporting, or credit decisions and it jumps into high‑risk classification with a full compliance checklist attached. You do not get to argue your way down the ladder; certain use cases, like automated CV screening or biometric ID, are pre‑stamped as high‑risk by the law itself.

From there, he contrasts Copilot and ChatGPT as two very different starting points under the Act. Copilot arrives embedded in Microsoft 365, running on Azure OpenAI inside the Microsoft service boundary with an EU Data Boundary, established security certifications, and clear commitments that your prompts and responses are not used to train Microsoft’s foundation models. In practice, that means governance is built into the furniture: Purview handles classification and retention, the Trust Center documents residency and safeguards, and Microsoft exposes transparency notes and responsible‑AI tooling so you can show auditors your control surface instead of waving at a black box.

ChatGPT, by contrast, lands as a highly flexible general‑purpose model with minimal enterprise scaffolding by default. In its consumer form it sits in the “limited risk” bucket, fine for casual use but requiring you to build your own residency guarantees, logging, access controls, and documentation once you embed it into HR, finance, or other sensitive workflows. Mirko describes this as “flexibility plus bureaucratic headache”: every powerful new use case you create with ChatGPT in a regulated environment becomes a compliance project you have to design, document, and defend—largely from scratch.

Throughout the episode, Mirko’s core message is that “compliant by design” is not a magical exemption, but a meaningful head start. Choosing Copilot means starting with guardrails aligned to the AI Act’s expectations, but you still have to classify your use cases, configure Purview and RBAC correctly, and monitor real deployment risk. Choosing bare ChatGPT for enterprise use gives you amazing capabilities with almost no built‑in regulatory scaffolding—which is fine for experiments, but dangerous if you confuse “it works” with “it’s ready for an audit.”

WHAT YOU WILL LEARN

- How the EU AI Act splits obligations between providers and deployers, including you.
- How the AI risk ladder (unacceptable, high, limited, minimal) really drives your compliance burden.
- Why the same model can be minimal risk in one context and high‑risk in another.
- How Copilot’s enterprise design (EU Data Boundary, Purview, Trust Center) gives it a compliance head start.
- Why using ChatGPT in regulated workflows demands extra governance, documentation, and legal work from your side.

THE CORE INSIGHT

“Compliant by design” does not mean “Microsoft takes all the blame.” The EU AI Act expects you to understand where your AI use cases sit on the risk ladder and to pick tools that either arrive with guardrails—like Copilot—or accept that with raw models like ChatGPT, you are personally signing up to build that compliance scaffolding yourself.

WHO THIS EPISODE IS FOR

This episode is ideal for CIOs, CISOs, legal, and compliance teams evaluating Copilot and ChatGPT under the EU AI Act. It is especially valuable if internal stakeholders keep asking “Isn’t this Microsoft’s problem?” and you need a clear, non‑hyped way to explain shared responsibility, risk classification, and why tool choice changes how heavy your compliance workload will feel.

ABOUT THE HOST

Mirko Peters is a Microsoft 365 and governance consultant helping organizations deploy AI tools like Copilot inside strict regulatory environments without drowning in paperwork. Through M365.fm, he turns dense regulation—GDPR, the EU AI Act, and Microsoft’s Product Terms—into practical architectures, decision frameworks, and communication language that technical and legal teams can use together instead of talking past each other.

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.