The oversharing audit most firms skip before rollout, and why it is the whole job.
The oversharing audit most firms skip before rollout, and why it is the whole job.
The most common misconception about Microsoft 365 Copilot is that it introduces a new data exposure risk. It does not. Copilot honors existing permissions. It will never show a user a document they could not already open.
That reassurance is technically correct and practically useless, because it contains the actual problem inside it.
For twenty years, your permissions have been protected by obscurity. The compensation model sits in a SharePoint site that inherited "Everyone except external users" from a template nobody read. Legally, technically, permissions-wise: half the firm can open it. Practically, nobody ever has, because nobody knew it existed and SharePoint search is bad enough that nobody found it.
Copilot is not bad at search.
Ask it "what is the bonus structure for the research team" and it will do exactly what it was built to do. It will find the file the user was always allowed to read, and summarize it for them in a sentence.
Nothing was breached. Nothing was misconfigured on the day of the query. The permissions were wrong for years, and Copilot is the first system competent enough to notice.
This is the work we do before a single Copilot license is assigned.
EEEU is the default that quietly does the most damage. It appears when someone creates a site from a template, when a Team is made public, and in a dozen other places. Find every instance. For each one, decide whether "literally every employee" is the intended audience. In our experience, for a firm with market-sensitive content, it almost never is.
"Anyone with the link" links do not expire by default unless you configure expiry. Every one of these is a live URL sitting in an email thread, a Slack export, or a personal note. Inventory them. Kill the ones that have outlived their purpose. Set a default expiry so this problem does not regrow.
Every firm has them: sites created for a deal, a vendor evaluation, a project that ended in 2023. The owner has left. The content is still indexed and still permissioned. These are pure liability. Archive or delete.
Users treat OneDrive as a private drive. It is not, the moment they share a folder with a colleague and forget. Copilot reads a user's own OneDrive as a first-class source. Run the sharing reports.
Private channels have their own SharePoint site with its own permissions, and those permissions drift. Shared channels can include external tenants. Both need explicit review, and neither is visible from the places most admins look.
Data Access Governance reports in the SharePoint admin center are where you start. They surface sharing links, EEEU grants, and sensitivity label coverage across sites. Free, and most firms have never opened them.
Restricted SharePoint Search is the pragmatic stopgap. It lets you allowlist a limited set of sites that Copilot may search, so you can roll out to a pilot group before you have finished remediating the whole tenant. It is a tourniquet, not a treatment. Firms that turn it on and stop have not solved anything; they have deferred it.
SharePoint Advanced Management buys you site access reviews (push remediation to the site owner rather than doing it centrally, which is the only way this scales), inactive site policies, and richer governance reporting. It is a separate license. For a tenant of any real size, it pays for itself in engineer-hours.
Purview sensitivity labels are the durable answer. Label the content, let the label carry encryption and usage rights, and the protection travels with the file rather than depending on where it happens to sit. Copilot honors labels, and DLP policies for Copilot let you stop labeled content from being used in responses at all.
Labeling is the slowest item on this list and the only one that survives contact with the next reorganization.
Weeks 1 to 2: measure. Run the governance reports. Do not remediate yet. You need to know the size of the problem before you commit to a timeline, and the number is usually larger than the sponsor expects.
Weeks 3 to 6: remediate the top of the list. Not everything. The sites with the most sensitive content and the widest permissions. This is a ranked exercise, not an exhaustive one, and pretending otherwise is how these projects stall.
Weeks 5 to 8: label the crown jewels. Research, positions, LP communications, compensation, legal. Not the whole tenant. The categories where exposure is not survivable.
Week 8: pilot. Ten to twenty users, Restricted SharePoint Search on, audit logging verified, a named person reading the Copilot interaction logs in Purview.
Week 12 onward: widen. Turn off the restriction as remediation catches up.
Worth saying plainly, because the vendor pitch obscures it. Copilot's return in a professional-services or investment firm is not "AI transformation." It is concentrated in a handful of unglamorous places:
If the buying case rests on anything more visionary than that, it will not survive its first quarterly review.
The Copilot readiness project is not a Copilot project. It is the SharePoint permissions cleanup that has been deferred every year since the tenant was created, wearing a new name that finally got it funded.
Some firms find that deflating. We think it is the best argument for doing it. You were going to have to fix this eventually, in the worst case after an incident and under counsel. Doing it now, with a productivity payoff at the end instead of a breach notification, is the good version.
Planning a Copilot Rollout?
KYA Consulting runs tenant, identity, and permissions reviews ahead of Copilot rollouts for firms where discretion is non-negotiable. If you want to know what Copilot would surface in your tenant today, get in touch.
Get in Touch