Copilot Doesn’t Create Your Permissions Problem. It Reveals It.

As organisations embrace Microsoft Copilot and AI, permissions management has become more important than ever. The challenge isn't that Copilot creates new security risks—it simply shines a brighter light on the permissions, sharing links, and access decisions that already exist within your Microsoft 365 environment. In this first article of our governance series, I explore the roles of Site Owners and SharePoint Administrators, the risks of oversharing, and how tools such as SharePoint Advanced Management, Data Access Governance, Access Reviews, sharing controls, and sensitivity labels can help organisations prepare for the age of AI.

Part 1: Understanding Access in the Age of AI

By Brett Lonsdale, Microsoft MVP, CEO & Founder of Lightning Tools

Last week, I had the opportunity to present a session at ThriveConf Slovenia titled SharePoint Permissions in the Age of AI and Copilot. It was a topic that generated a lot of discussion because, wherever I go at the moment, organisations are asking similar questions. They want to understand how AI, Copilot, and the emerging world of agents will impact their Microsoft 365 environments. They are excited about the productivity gains and the opportunities that AI presents, but they are also concerned about security, governance, and who can access what.

Throughout the session, I kept returning to the same message. Copilot does not create a permissions problem. It simply reveals the permissions problem that already exists.

That might sound like a subtle distinction, but it is an important one. Copilot can only work with the information users already have access to. If a user can access a document today, Copilot can potentially discover, summarise, and reference that content tomorrow. The challenge is not that Copilot suddenly exposes information; the challenge is that many organisations have accumulated years of permissions decisions that have never been revisited.

As the World Cup gets underway, it feels like a fitting analogy. Every football team wants to focus on scoring goals. That’s the exciting part. Nobody buys a ticket hoping to watch a team defend for ninety minutes. Yet tournaments are often won by teams that are organised defensively. They understand their weaknesses, they close the gaps, and they make it difficult for mistakes to be exploited.

Microsoft 365 is becoming much the same. Organisations are understandably focused on the attacking opportunities presented by AI, automation, and Copilot. However, before embracing those opportunities, it is worth taking a close look at the defensive side of the game. Permissions management may not be the most glamorous topic in Microsoft 365, but it has become one of the most important.

One of the reasons this conversation resonates with so many organisations is that most tenants already have some degree of oversharing. In my experience, this rarely happens because someone deliberately set out to expose sensitive information. More often, it is the result of years of perfectly reasonable business decisions. A supplier needed access to a project site. A department shared a folder with a wider audience. A Team was created for a short-term initiative and then forgotten. A migration brought across legacy permissions. Individually, none of these decisions seem problematic. Over time, however, they accumulate and create an environment where people can access information they probably no longer need.

When organisations begin investigating permissions, they often discover familiar patterns. Sites that still use “Everyone Except External Users”. Old Teams that haven’t been reviewed for years. Sharing links that were created for a specific purpose and never removed. Libraries with broken inheritance. Microsoft 365 Groups that have grown significantly beyond their original audience. None of these issues are new, but AI is making them far more visible.

A common misconception is that permissions management is purely an IT responsibility. In reality, successful governance requires a partnership between Site Owners and SharePoint Administrators. During my session, I made a point that seemed to resonate strongly with the audience. A SharePoint Administrator cannot possibly know that an HR Manager has accidentally shared a document discussing redundancies with everyone in the organisation. The administrator manages the platform, but they do not necessarily understand the business context behind every document, folder, or site.

This is why Site Owners play such a critical role. They are closest to the content and the people using it. They understand which projects are active, which external users are still engaged, and which information is commercially sensitive. SharePoint provides a number of tools that help Site Owners manage access, including Manage Access, site sharing settings, and sharing link controls. The challenge is that many Site Owners only engage with these tools when a user requests access or a problem arises. Permissions management is often treated as a one-time task rather than an ongoing responsibility.

At the same time, SharePoint Administrators are responsible for the wider governance framework. Their role is to establish guardrails that allow collaboration to happen safely and consistently across the organisation. Microsoft has introduced a growing set of capabilities to support this, including SharePoint Advanced Management (SAM), Data Access Governance (DAG), Microsoft Purview, Site Access Reviews, and the SharePoint Admin Agent. Together, these tools provide administrators with greater visibility into oversharing, ownership issues, inactive sites, external access, and other governance risks that would be almost impossible to identify manually at scale.

One area that deserves particular attention is sharing links. Many organisations spend considerable time reviewing group memberships while overlooking the sharing links that have accumulated over the years. In practice, these links are often where some of the biggest surprises are discovered. Files that were shared years ago may still be accessible today. Temporary access may have become permanent access. Links intended for a small audience may have reached a much wider one. As organisations prepare for Copilot and AI, sharing links need to be viewed as an integral part of their permissions strategy.
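As an added example (not from the original article or from any Microsoft tool), the patterns described above, broad "Everyone except external users" grants, access that has not been reviewed, and sharing links that were never removed, can be triaged from a permissions export. The CSV column names, the sample rows, and the 365-day threshold are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names and values are hypothetical,
# not the schema of any Microsoft 365 report.
SAMPLE_EXPORT = """site,item,grant_type,principal,link_scope,created,expires,last_review
/sites/HR,Redundancy-plan.docx,link,,organization,2021-03-02,,
/sites/HR,Policies,group,Everyone except external users,,2019-06-11,,2020-01-15
/sites/ProjectX,Specs,link,,specific_people,2025-01-10,2025-07-10,
/sites/ProjectX,Budget.xlsx,link,,anyone,2022-09-30,,
/sites/Finance,Invoices,group,Finance Members,,2024-02-01,,2025-03-01
"""

BROAD_PRINCIPALS = {"everyone", "everyone except external users"}
BROAD_LINK_SCOPES = {"anyone", "organization"}

def parse_date(value):
    return date.fromisoformat(value) if value else None

def triage(export_text, today, stale_days=365):
    """Return (site, item, reasons) for every grant a Site Owner should revisit."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        created = parse_date(row["created"])
        expires = parse_date(row["expires"])
        reviewed = parse_date(row["last_review"])
        if row["grant_type"] == "group":
            if row["principal"].strip().lower() in BROAD_PRINCIPALS:
                reasons.append("broad_group")
            # Never reviewed, or reviewed too long ago, counts as overdue.
            if reviewed is None or (today - reviewed).days > stale_days:
                reasons.append("review_overdue")
        elif row["grant_type"] == "link":
            if row["link_scope"] in BROAD_LINK_SCOPES:
                reasons.append("broad_link")
            if expires is None:
                reasons.append("no_expiry")
                # Temporary access that quietly became permanent.
                if created and (today - created).days > stale_days:
                    reasons.append("stale_link")
        if reasons:
            findings.append((row["site"], row["item"], reasons))
    return findings

if __name__ == "__main__":
    for site, item, reasons in triage(SAMPLE_EXPORT, date(2025, 6, 1)):
        print(f"{site}/{item}: {', '.join(reasons)}")
```

The output is a review queue for Site Owners rather than a verdict: only someone who knows the business context can say whether a flagged grant is still needed.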

Sensitivity labels also have an increasingly important role to play. Permissions determine who can access content, but sensitivity labels provide an additional layer of protection around the content itself. They help organisations classify information, control sharing, apply protection, and reduce the likelihood of sensitive data being exposed inappropriately. As AI becomes more deeply integrated into everyday work, the combination of well-managed permissions and effective information protection will become increasingly important.

The good news is that organisations do not need to solve everything overnight. The first step is simply understanding where you are today. Who has access to your sites? How often are permissions reviewed? Are sharing links being monitored? Do Site Owners understand their responsibilities? Are governance tools such as SharePoint Advanced Management and Data Access Governance being used effectively?

These are the questions organisations should be asking before they focus on AI readiness.

This article is the first in a series where I will explore these topics in much greater depth. Over the coming weeks, I will take a closer look at SharePoint Advanced Management, Data Access Governance, Site Access Reviews, Sensitivity Labels, Sharing Links, and the practical steps both Site Owners and Administrators can take to improve governance across Microsoft 365.

I am genuinely excited about what Copilot and AI can bring to the Microsoft ecosystem. However, the organisations that will achieve the greatest success are not necessarily those that deploy AI first. They will be the organisations that understand their data, their permissions, and their governance responsibilities before they do.

After all, if you would be uncomfortable hearing Copilot summarise a document, it is probably worth reviewing who currently has access to it.

Ready to Set Your Microsoft 365 Goals?

As part of our World Cup campaign, we are inviting organisations to share their Microsoft 365 goals and register for our upcoming webinar series. Whether your focus is governance, Copilot readiness, permissions management, InfoPath migration, forms, or automation, we’d love to hear what you’re aiming to achieve and help you get there.

Submit your goals, register for an upcoming webinar, and follow this series as we explore the practical side of Microsoft 365 governance in the age of AI.
