Blog 3 min lezen
Oversharing: the biggest risk in a Copilot rollout (and how to fix it)
Copilot doesn't leak data — it surfaces what has been shared too widely for years. Here's how to map oversharing and fix it before you go live.
- Security
- SharePoint
- Governance
In nearly every Copilot readiness scan we run, we find the same thing: documents that are open to the entire organisation when that was never the intention. Draft budgets, reorganisation plans, a folder full of CVs. Nobody ever found them, so nobody noticed. Until Copilot arrived — because Copilot does find them. Let's be clear about what is happening here: Copilot does not leak data and it does not bypass permissions. It answers questions within the access a user already has. The problem is that, in many organisations, that access is set far too broadly.
How oversharing happens
Oversharing is rarely down to bad intent. It's the team site that was set to "everyone except external users" when it was created, simply because that was the easy option. The sharing link that was set to "everyone in the organisation". The project folder that nobody ever looked at again once the work was done. For years, the practical security control was that nobody could find it — security by obscurity. An AI assistant that searches semantically across everything you have access to puts a definitive end to that.
The step-by-step plan: from insight to cleaned up
Microsoft has a clear approach for this, and we follow it in a sharpened form. Step one: map the hundred most-used SharePoint sites and assess, site by site, whether the access is correct. Step two: run the permission reports from SharePoint Advanced Management and set them alongside the oversharing signals from Microsoft Purview. Step three: disable organisation-wide sharing groups such as "everyone except external users" as the default. Step four: have site owners confirm for themselves, through access reviews, who genuinely needs access — IT cannot make that call on their behalf. Step five: protect the truly sensitive content with sensitivity labels and, where necessary, restrict access at site level.
For organisations that want to get started quickly without spending months cleaning up first, there is an interim solution: Restricted SharePoint Search. It lets you temporarily limit Copilot to an approved list of sites while you bring the rest of the environment up to standard. Think of it as a bandage — useful, but no substitute for genuine clean-up.
Keeping sensitive sites out of Copilot
Some content you simply don't want appearing in AI answers at all, not even for people who do have access — think of payroll administration or live legal cases. That is possible: with DLP policies in Purview based on labels, or by removing a SharePoint site from the search index. Bear in mind that the latter option also removes the site from ordinary search; it is a deliberate trade-off between findability and sensitivity.
What this delivers — even without Copilot
The honest truth: every organisation should have done this clean-up anyway. Overly broad access is a risk even without AI — for data breaches, for compliance, for the GDPR. Copilot is mainly the trigger that makes the problem urgent and frees up the budget. So organisations that get their permission structure in order reap the rewards twice over: a secure Copilot rollout and a demonstrably better-managed information estate.
And there is reassurance for anyone now thinking this means months of delay: in practice, a focused approach — the most-used sites first, the rest in phases — gets you to the point where a pilot group can safely start within a few weeks.
Want to know where your environment stands?
Our Copilot Readiness Scan maps oversharing, your permission structure and data quality, and delivers a concrete step-by-step plan — including what must be done before go-live and what can be phased. Book a no-obligation introductory call and we'll explain exactly how the scan works.