PolicyBot in Microsoft Word
PolicyBot is the InPolicy reviewer for Microsoft 365 Word documents. Share any .docx with policybot@inpolicy.ai as an Editor (or Reviewer — see permission levels), and within about a minute it will:
- Leave a summary comment at the top of the document listing each policy that was flagged, and a closing paragraph telling you how to verify PolicyBot’s access has been removed.
- Add anchored comments on text that may violate a policy, with clickable links back to the policy detail page.
- Inject tracked changes that suggest redactions and rewrites — accept or reject them one click at a time.
- Remove the file from its OneDrive Shared with me view when it’s done.
If you’ve used PolicyBot for Google Docs, this is the same flow. PolicyBot opens the document in Word for the web and streams annotations one at a time: the doc-top summary lands first, then each anchored comment, then any tracked-change rewrites. Expect a total wait of roughly 30–90 seconds depending on how many violations were flagged.
Sharing a .docx with PolicyBot
The recommended path is to have your Microsoft 365 admin invite PolicyBot as a tenant guest once. After that, sharing works the same as sharing with any internal colleague.
Option A: Invite PolicyBot as a tenant guest (recommended)
A one-time admin action that gives PolicyBot a proper, auditable identity in your tenant. Subsequent shares require no admin involvement.
- In Entra admin center → Users → New guest user.
- Email: policybot@inpolicy.ai. Display name: PolicyBot. Send the invitation.
- PolicyBot accepts within a few minutes.
Option B: Ad-hoc external share
If your tenant policy doesn’t allow guest invitations, ad-hoc external sharing works too, provided your tenant allows sharing with inpolicy.ai-domain users (most do by default).
Day-to-day sharing
Once setup is done (either path above), every user follows the same flow:
- Open the .docx in Word for the web or the Word desktop app.
- Click Share in the top-right.
- Add policybot@inpolicy.ai with Can edit (or Can review — see below).
- Click Send.
That’s it — PolicyBot picks up the share and posts its summary within about a minute.
Permission levels: Can edit vs Can review
Word comments are stored inside the .docx package itself (in contrast to Google Docs, where comments are a separate metadata layer). PolicyBot needs write access to inject them.
- Can edit (recommended): always works. PolicyBot uses tracked changes for any rewrites, so accepting or rejecting its suggestions stays in your hands.
- Can review (when available): the Microsoft equivalent of Google’s “Commenter” — PolicyBot can add comments and tracked changes but cannot directly edit the document. Equivalent in behaviour to what we produce; available on newer M365 tenants.
- Can view: PolicyBot will not be able to write back annotations and the share will surface as an error.
If you’re not sure which is enabled on your tenant, Can edit is the safe default.
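Because comments and tracked changes live inside the .docx package, you can audit exactly what a given author wrote into a file after a review. The following is an added example, not InPolicy code: it reads the standard WordprocessingML parts `word/comments.xml` and `word/document.xml`, and it assumes PolicyBot's annotations carry the author name `PolicyBot`; the sample package is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
Q = "{" + W + "}"  # qualified-name prefix for ElementTree

def _text(el, tag):
    return "".join(t.text or "" for t in el.iter(Q + tag))

def annotations_by_author(docx_bytes, author):
    """List comments and tracked changes attributed to `author` in a .docx."""
    found = {"comments": [], "insertions": [], "deletions": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        # Comments are a separate part of the package, not the body.
        if "word/comments.xml" in pkg.namelist():
            root = ET.fromstring(pkg.read("word/comments.xml"))
            for c in root.iter(Q + "comment"):
                if c.get(Q + "author") == author:
                    found["comments"].append(_text(c, "t"))
        # Tracked changes wrap runs in w:ins / w:del inside the body.
        body = ET.fromstring(pkg.read("word/document.xml"))
        for tag, text_tag, key in (("ins", "t", "insertions"),
                                   ("del", "delText", "deletions")):
            for el in body.iter(Q + tag):
                if el.get(Q + "author") == author:
                    found[key].append(_text(el, text_tag))
    return found

def build_sample_docx():
    """Constructed two-part package; a real .docx carries more parts."""
    ns = f'xmlns:w="{W}"'
    comments = (
        f'<w:comments {ns}>'
        '<w:comment w:id="0" w:author="PolicyBot"><w:p><w:r>'
        '<w:t>WARNING: roadmap disclosed.</w:t></w:r></w:p></w:comment>'
        '<w:comment w:id="1" w:author="Alice"><w:p><w:r>'
        '<w:t>Looks fine to me.</w:t></w:r></w:p></w:comment></w:comments>')
    document = (
        f'<w:document {ns}><w:body><w:p><w:r><w:t>Launch is planned for </w:t></w:r>'
        '<w:del w:id="2" w:author="PolicyBot"><w:r><w:delText>Q3</w:delText></w:r></w:del>'
        '<w:ins w:id="3" w:author="PolicyBot"><w:r><w:t>[redacted]</w:t></w:r></w:ins>'
        '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/comments.xml", comments)
        pkg.writestr("word/document.xml", document)
    return buf.getvalue()

if __name__ == "__main__":
    print(annotations_by_author(build_sample_docx(), "PolicyBot"))
```

Run it against a downloaded copy of a reviewed file to confirm that the only edits attributed to the bot are comments and tracked changes you can accept or reject.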
What the summary comment tells you
Every reviewed document gets a top-of-document summary comment from PolicyBot, anchored to the document’s title or first paragraph. The exact text depends on what we found when we looked you up:
| What we found | What the summary says |
|---|---|
| No InPolicy account for your company | PolicyBot didn’t find an account on your email’s domain and sends you to inpolicy.ai to sign up (the first user at every company is free). |
| Company has an account but you don’t | PolicyBot tells you the admin email to contact for access. |
| Your account exists but has no policies | PolicyBot tells you to reach out to help@inpolicy.ai to get a role on a Policy Area. |
| Reviewed, no violations found | PolicyBot confirms it ran against the policies you have access to and nothing crossed the confidence threshold. |
| Reviewed, violations found | PolicyBot lists each finding with policy name, severity, AI confidence, and a link to the policy, anchored to the relevant text below. |
In every case, the summary ends with PolicyBot’s closing paragraph asking you to verify removal via Share → Manage Access. PolicyBot removes the document from its own Shared with me view automatically; the manual verification is a defense-in-depth step.
Reading the per-violation comments
Each anchored comment ends with the actual rule and the metadata so you can size up the finding without leaving the doc:
WARNING: This passage discloses an internal product roadmap to an external recipient.
— “No internal product roadmaps may be shared with external parties without explicit VP approval.” High severity · 87% confidence · https://app.inpolicy.ai/policies/conf-roadmap-1
For tracked-change fixes, the change itself is the explanation — accept it to apply the redaction or rewrite, reject it to keep the original.
The fields:
- Quoted rule — the exact policy text that flagged the passage.
- Severity — Minor, Low, Medium, High, or Critical. Set per policy by your admin or Policy Lead.
- Confidence — how sure PolicyBot’s model is, from 0–100%. Each policy has a configurable threshold; below it, PolicyBot stays silent.
- Policy link — opens the policy detail page in InPolicy so you can read the full policy, severity rationale, and any examples. Renders as a clickable hyperlink inside the comment.
Removing PolicyBot’s access manually
PolicyBot removes the file from its own Shared with me view when it finishes a review. As a defense-in-depth measure, you can also verify or manually revoke access:
- Open the file in Word for the web.
- Click Share (top-right) → Manage Access.
- Find policybot@inpolicy.ai in the people list.
- Click the dropdown next to PolicyBot and select Remove direct access.
Re-sharing the file (with Can edit or Can review) busts our review cache, so the next review picks up your latest changes even if the document body hasn’t changed since last time.
Re-sharing won’t duplicate prior comments. Before posting, PolicyBot checks the document for its own open comments and skips any whose anchored passage and policy match a comment that’s still live. Resolved comments don’t count — if a finding is still relevant, PolicyBot re-flags it.
Privacy
PolicyBot only sees the documents you explicitly share with it. It uses the same policy-evaluation infrastructure as the rest of InPolicy and does not store your document contents past the review window. See Privacy & data handling for the full data-handling policy.