SignalStackDev 2 hours ago

The retrofitting problem is real, but there's a more specific design failure worth naming: the data flows in the wrong direction.

In traditional access control, the pattern is: user requests data -> permissions checked -> data returned or denied. The model never sees unauthorized data.

With Copilot and most LLM agents today, the pattern is: user asks question -> model retrieves broadly -> sensitivity label checked as a filter -> model generates answer. The label-checking happens after the data is already in the model's context.

That's the bug waiting to happen, label system or not. You can't reliably instruct a model to 'ignore what you just read.'

The pattern that actually works - and I've had to build this explicitly for agent pipelines - is pre-retrieval filtering. The model emits a structured query (what it needs), that query gets evaluated against a permission layer before anything comes back, and only permitted content enters the context window. The model architecturally can't see what it's not allowed to see.

The DLP label approach is trying to solve a retrieval problem with a generation-time filter. It's a category error, and it'll keep producing bugs like this one regardless of how good the label detection gets.
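The two patterns the comment contrasts, as an added example that is not part of the comment or any product it mentions. The document store, the label scheme, the principals and the "model" are all constructed; the toy model deliberately uses everything in its context window regardless of instructions, which stands in for the unreliable "ignore what you just read" behaviour the comment describes. The permission layer also fails closed on an unlabelled document, the kind of gap a retrofitted label system tends to have.

```python
"""Added example, not part of the comment above: the two retrieval patterns
it contrasts, with a constructed document store and a toy stand-in for the
model. Labels, principals and documents are all made up."""
from dataclasses import dataclass

# Sensitivity labels, least to most restrictive (constructed scheme).
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    label: str
    text: str


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str  # highest label this principal may read


@dataclass(frozen=True)
class StructuredQuery:
    """What the model says it needs; the permission layer evaluates this."""
    requester: Principal
    keyword: str


# Constructed corpus standing in for a tenant's indexed documents. The last
# one carries no recognised label at all, a common gap in retrofitted labelling.
CORPUS = [
    Document("d1", "public", "Q3 launch: public roadmap notes"),
    Document("d2", "internal", "Q3 launch: internal staffing plan"),
    Document("d3", "confidential", "Q3 launch: unannounced acquisition target"),
    Document("d4", "", "Q3 launch: unlabelled draft of the press release"),
]


def is_permitted(principal: Principal, doc: Document) -> bool:
    """Permission layer. Unknown or missing labels fail closed."""
    doc_rank = LABEL_RANK.get(doc.label)
    user_rank = LABEL_RANK.get(principal.clearance)
    if doc_rank is None or user_rank is None:
        return False
    return doc_rank <= user_rank


def toy_model(context: list[Document], instruction: str) -> str:
    """Stand-in for generation. It ignores `instruction` and draws on
    everything in its context, modelling the point that a model cannot be
    relied on to 'ignore what it just read'."""
    return "; ".join(d.text for d in context)


def post_retrieval_pipeline(q: StructuredQuery) -> tuple[list[str], str]:
    """Retrieve broadly, then apply the label check as a generation-time
    filter (here, as an instruction). Returns (ids in context, answer)."""
    context = [d for d in CORPUS if q.keyword in d.text]  # everything that matches
    allowed = [d.doc_id for d in context if is_permitted(q.requester, d)]
    instruction = f"Only use documents {allowed}; ignore the rest."
    return [d.doc_id for d in context], toy_model(context, instruction)


def pre_retrieval_pipeline(q: StructuredQuery) -> tuple[list[str], str]:
    """Evaluate the structured query against the permission layer first;
    only permitted documents are ever placed in the context window."""
    permitted = [d for d in CORPUS if is_permitted(q.requester, d)]
    context = [d for d in permitted if q.keyword in d.text]
    return [d.doc_id for d in context], toy_model(context, "")


if __name__ == "__main__":
    q = StructuredQuery(Principal("alice", "internal"), "Q3 launch")
    for name, pipeline in (("post", post_retrieval_pipeline), ("pre", pre_retrieval_pipeline)):
        ids, answer = pipeline(q)
        print(f"{name}-retrieval filter: context={ids}\n  answer={answer}")
```

Running it with the "internal" principal shows the difference the comment is making: the post-retrieval pipeline puts `d3` and the unlabelled `d4` into the context before any check runs, and the answer reflects that; the pre-retrieval pipeline's context only ever contains `d1` and `d2`, so no amount of model misbehaviour can surface the confidential or unlabelled text. The useful audit question for a real pipeline is therefore not "was the filter applied?" but "what was in the context window when generation started?".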