In many real-world enterprise scenarios, Dynamics 365 forms display data that comes from external systems (such as ERPs, registries, or national data providers). These fields are intentionally read-only to prevent user edits — often due to compliance, governance, or integration logic.

However, the Copilot Form Fill Assistant currently allows users to insert suggested values into these read-only fields, even if they are disabled or locked on the form. This bypasses the UI-level protection configured by system administrators and creates a potential security and data integrity risk.

The issue is not just usability — it's about respecting control design:

• If a field is disabled, it should not be modifiable by Copilot or any other automation unless explicitly permitted.
• Organizations rely on field locking to enforce data boundaries.
• This behavior breaks the principle of front-end enforcement and could lead to unauthorized modifications.

🔒 Suggested improvements:

• Copilot should never override a disabled or locked field, unless the platform administrator configures an explicit override rule.
• A Power Platform setting should allow admins to control:
• Whether Copilot can write to fields.
• Which fields are allowed to receive AI-suggested input.
• Whether Copilot respects the editable state of controls.

This is not only a UX issue, but a compliance concern for regulated environments.