SharePoint Advanced Management & Data Access Governance: Preparing SharePoint for the AI Era

As organisations adopt Microsoft 365 Copilot, governance has become more important than ever. In this second article of my SharePoint Permissions series, I explore how SharePoint Advanced Management and Data Access Governance help organisations understand ownership, reduce oversharing, improve access reviews, and build confidence that the right people have access to the right information in an AI-powered workplace.

By Brett Lonsdale, Microsoft 365 MVP & Founder of Lightning Tools

Last week I published the first article in this permissions series, Copilot Doesn’t Create Your Permissions Problem. It Reveals It. The message was simple: Copilot isn’t breaking SharePoint security. It simply works with the permissions you’ve already configured. If someone has access to information today, Copilot can potentially use that information to answer their questions tomorrow.

That leads to the next question.

How do you actually govern SharePoint in an AI-powered organisation?

The arrival of Microsoft 365 Copilot hasn’t created a new security problem, but it has raised the importance of information governance higher than I’ve ever seen before. The organisations that will get the greatest value from Copilot won’t necessarily be those with the best prompts. They’ll be the organisations that understand their data, know who owns it, regularly review access, and have confidence that the right people can see the right information.

This is exactly where SharePoint Advanced Management becomes so important.

SharePoint Advanced Management isn’t another administration tool

When Microsoft introduced SharePoint Advanced Management, many people looked at it as another collection of administration reports.

I think that’s missing the point. To me, SharePoint Advanced Management is less about administering SharePoint and more about understanding organisational exposure.

The questions it helps answer are the questions every organisation should already be asking:

  • Who owns this site?
  • Who currently has access?
  • Should they still have access?
  • Is this site still active?
  • Is it being shared appropriately?
  • Is this information still relevant?
  • Would I be comfortable if Copilot surfaced this content tomorrow morning?

That’s a very different conversation from simply managing permissions.

Data Access Governance is about confidence

One of the areas in SharePoint Advanced Management is Data Access Governance.

I like that term because it moves the conversation away from technology and towards accountability.

Good governance isn’t about locking SharePoint down. It isn’t about preventing collaboration. It certainly isn’t about making users submit support tickets every time they need access to something.

Good governance is about confidence.

  • Confidence that the people who need access have it.
  • Confidence that people who shouldn’t have access don’t.
  • Confidence that sensitive information isn’t unintentionally exposed.
  • And confidence that AI is grounding its responses in content that should genuinely be available.

The biggest governance question isn’t “Who has access?”

It’s “Who owns the data?”

One of the most common things I’ve seen over the years is a SharePoint site with no real owner.

  • The original project manager has left.
  • The Team is still active.
  • Guests are still members.
  • Nobody knows whether the documents are current.
  • Nobody reviews permissions because nobody feels responsible.

The permissions themselves may be technically correct, but governance has failed because ownership has disappeared.

That’s why I think one of the most valuable capabilities within SharePoint Advanced Management is its focus on Site Reviews.

A site review isn’t simply asking whether a site should exist.

It’s asking whether somebody in the business is still prepared to take responsibility for it.

During a review I would expect the Site Owner to ask questions such as:

  • Is this site still being used?
  • Does it still need external sharing?
  • Are all the current members still involved?
  • Does this information still have business value?
  • Could Copilot surface something here that should have been archived?

Those are governance conversations, not technical ones.

(Screenshot: Site Access Reviews)

Oversharing rarely happens overnight

When people hear the word “oversharing” they often imagine somebody making a catastrophic mistake.

In reality, that’s rarely what happens.

Oversharing usually grows slowly.

  • A contractor is added to a Team.
  • A project runs six months longer than expected.
  • Someone creates an organisation-wide sharing link because it’s easier.
  • A Microsoft 365 Group gains another department.
  • Nobody removes the guests when the project finishes.

Individually, none of these decisions feel particularly risky.

Collectively, these seemingly small decisions create an environment where information is far more widely available than anyone ever intended. This is where SharePoint Advanced Management’s Oversharing insights become particularly valuable. Rather than waiting for an incident or an awkward Copilot response to expose a problem, they help administrators identify gradually increasing exposure before it becomes a genuine risk.

This matters so much because AI has fundamentally changed how people discover information. In the past, users generally needed to know where content lived before they could search for it. They might have navigated to a Team, searched a specific site, or relied on someone pointing them in the right direction. Copilot changes that completely by connecting information across Microsoft 365 and surfacing it through natural language questions, often without the user needing to know where the content is stored.

(Screenshot: Oversharing Insights)

Old content deserves attention too

One feature I particularly like within SharePoint Advanced Management is its focus on inactive sites. It’s easy to assume that if nobody is actively visiting a site anymore, it doesn’t really matter. Unfortunately, that’s not how Microsoft Search—or Copilot—works. If the content still exists and users still have permission to access it, then it remains discoverable and can potentially contribute to AI responses.

That doesn’t mean every inactive site should be deleted. Far from it. Many organisations have legitimate reasons to retain historical project sites for compliance, legal or business purposes. However, every inactive site deserves a conscious decision. Should it be archived? Does it still have the right owner? Are the permissions still appropriate? Does it still need external users? Is there any value in keeping it available, or has it simply become digital clutter?

One of the biggest governance challenges I see is that organisations are very good at creating collaboration spaces, but much less disciplined about retiring them. Over time, those abandoned Teams and SharePoint sites quietly accumulate, along with years of documents, permissions and external sharing that nobody has reviewed. SharePoint Advanced Management helps shine a light on these forgotten areas, allowing administrators and Site Owners to make informed decisions rather than leaving them to become part of Copilot’s knowledge base by default.

(Screenshot: Inactive Sites)

External sharing should be reviewed, not feared

External collaboration has become a normal part of doing business. Whether it’s working with suppliers, consultants, customers or project partners, sharing information outside the organisation is no longer the exception—it’s often essential. The objective shouldn’t be to eliminate external sharing, but to make sure it remains appropriate throughout the lifetime of the collaboration.

The problem is that external access often outlives the reason it was granted. Projects come to an end, contracts expire, people move to different organisations, yet guest accounts and sharing links frequently remain in place simply because nobody remembers to review them. Over time, these small oversights accumulate and gradually increase the organisation’s exposure.

This is another area where I think SharePoint Advanced Management adds real value. Rather than treating external sharing as a one-time configuration decision, it encourages organisations to make it part of an ongoing governance process. External access should be reviewed regularly, challenged where necessary, and removed when it no longer serves a business purpose. Like permissions in general, governance works best when it’s continuous, not something that’s only revisited during an annual audit or after a security incident.

(Screenshot: External Sharing Insights)

Access Reviews are business decisions

One of the biggest mindset shifts I see organisations needing to make is around Site Access Reviews. For years, reviewing permissions has often been viewed as an IT responsibility, but I’m not convinced it ever really was. IT can provide the tools, policies and governance framework, but it can’t realistically decide who should have access to sensitive business information. It doesn’t know whether someone in HR should still be able to view redundancy planning documents, whether a finance user still needs access to next year’s budget, or whether someone should remain part of a confidential acquisition project.

Those decisions belong with the people who understand the information and the business context. That’s why I think Site Access Reviews are such an important capability. They allow organisations to push access decisions back to business owners, department managers and project leads, while IT retains oversight of the governance process. In my view, that’s exactly how modern governance should work. IT provides the framework and the automation, while the business provides the judgement. That partnership becomes even more important in the age of AI, because the quality of your governance is ultimately determined by the quality of the decisions behind it.

Sensitivity Labels provide context

Sensitivity Labels are often thought of as compliance features, but I think that’s a little too simplistic. In reality, they provide valuable context about the information an organisation holds and how it should be treated. They help users understand the sensitivity of the content they’re working with, enable administrators to apply consistent protection policies automatically, and ensure that information is handled appropriately throughout its lifecycle.

In Microsoft 365, that protection extends beyond individual documents. Sensitivity Labels can also be applied to SharePoint sites, Microsoft Teams and Microsoft 365 Groups, helping to control settings such as privacy, external sharing and unmanaged device access. Rather than relying on users to remember the rules every time they create a collaboration space, organisations can embed those rules into the environment from the outset.

As organisations adopt AI, I think these labels become even more valuable. They don’t just help meet compliance requirements; they help establish the context around the information itself. A document or site labelled Highly Confidential isn’t simply another piece of content—it represents information that deserves additional protection and more careful governance. When combined with good permissions, regular access reviews and sensible sharing policies, Sensitivity Labels become another important part of building confidence that the right information is available to the right people, and only the right people.

(Screenshot: Sensitivity Labels)

SharePoint governance isn’t about restricting collaboration

Whenever I present on SharePoint permissions, someone inevitably asks whether the answer is simply to become more restrictive. My answer is almost always the same: no. The goal isn’t to stop collaboration; it’s to make collaboration intentional.

Microsoft 365 is built around people working together. Teams should collaborate, departments should share knowledge, and external partners should be included when it makes business sense. The challenge isn’t collaboration itself—it’s ensuring that access remains appropriate as projects evolve, people move roles, and organisations change over time.

That’s why I believe every permission, every guest account and every sharing link should exist because somebody has consciously decided it still serves a business purpose, not simply because it was granted several years ago and never reviewed. Good governance isn’t about saying “no” more often; it’s about making better-informed decisions.

That’s the real value I see in SharePoint Advanced Management. It shifts the conversation away from reactive administration—only looking at permissions when something goes wrong—and towards continuous governance. By providing visibility into ownership, oversharing, external collaboration and inactive content, it gives organisations the information they need to make those decisions proactively, building a Microsoft 365 environment that is both collaborative and trustworthy in the age of AI.

Five recommendations for every SharePoint Administrator

If you’re wondering where to begin, these would be my priorities.

  1. Establish clear ownership. Every SharePoint site and Microsoft Team should have an engaged business owner.
  2. Make Site Reviews part of your governance process. Governance should be continuous, not something that only happens before an audit.
  3. Use Oversharing Insights proactively. Don’t wait for a security incident to discover overly exposed content.
  4. Build Access Reviews into normal business operations. Permissions naturally drift over time. Reviewing them should become routine.
  5. Treat AI readiness as a governance programme rather than a Copilot project. Clean permissions, good ownership and sensible lifecycle management benefit every Microsoft 365 deployment, regardless of whether Copilot is enabled today.

Final thoughts

One thing I’d like to make clear is that I don’t see SharePoint Advanced Management as a tool that makes SharePoint more secure. SharePoint has always had a robust permissions model. What SharePoint Advanced Management does is give organisations far greater visibility into how that security model is actually being used. It helps answer the questions that matter: Who owns this information? Who has access to it? Has that access been reviewed recently? Has oversharing gradually crept into the environment? And are we comfortable with what Copilot could potentially discover?

In many ways, that’s the biggest challenge organisations face today. AI hasn’t changed the underlying permissions model, but it has fundamentally changed how information is discovered. Content that once sat quietly in an old project site or forgotten Team can now become part of a natural language conversation if users still have permission to access it. That’s why governance has moved from being an occasional administrative task to an ongoing business responsibility.

I believe the organisations that get the most value from Microsoft 365 Copilot won’t necessarily be those with the biggest AI budgets or the cleverest prompts. They’ll be the ones that understand their information estate, have clear ownership, review access regularly and treat governance as a continuous process rather than a once-a-year exercise.

Ultimately, that’s what SharePoint Advanced Management is really about. It’s not about restricting collaboration or making SharePoint harder to use. It’s about giving organisations the visibility they need to collaborate with confidence, knowing that the right people have access to the right information, at the right time. In the age of AI, I think that’s one of the most important investments any Microsoft 365 organisation can make.

This article is part two of my SharePoint Permissions series. In the next article, I’ll explore why Site Owners have become one of the most important people in a successful Microsoft 365 governance strategy, and the practical steps they can take to reduce oversharing without restricting collaboration.
