For years, organisations have treated SharePoint governance as primarily an IT responsibility. Permissions, access reviews, sharing controls, and content ownership have often been managed centrally, with Site Owners playing only a limited role.
That model is now being challenged by AI.
Microsoft Copilot is changing how users interact with content across Microsoft 365. Instead of searching manually through sites, libraries, folders, Teams, emails, and documents, users can now simply ask questions in natural language and receive summarised answers in seconds.
But Copilot does not understand business intent.
It does not know which files are outdated, overshared, sensitive, or inappropriate to surface. It simply works with the access users already have.
That means many organisations are about to discover that their permissions problem was never theoretical. It already exists.
The Risk Was Always There but Copilot Just Makes It Visible
Oversharing in SharePoint is not new.
Broken inheritance, forgotten Anyone links, large SharePoint groups, inactive users retaining access, duplicated content, and poorly managed permissions structures have existed in many environments for years.
Traditionally, those risks were harder to expose. Users needed to know where content lived or actively search for it.
Copilot changes that completely.
Now, a simple prompt such as:
“Summarise our upcoming acquisition plans.”
“Show me discussions about restructuring.”
“What confidential supplier issues are we dealing with?”
…could potentially surface information from locations users technically had access to, even if nobody intended them to see or find it easily.
The uncomfortable truth is that Copilot is not creating the permissions problem. It is revealing the permissions problem.
Why IT Cannot Solve This Alone
One of the biggest challenges organisations face is that IT teams often do not truly know who should have access to business content.
They can manage infrastructure, policies, and platform governance, but they rarely understand the day-to-day context of every department, project, committee, or team.
Site Owners do.
They know:
- Which documents are sensitive
- Which external users should no longer have access
- Which content is outdated
- Which folders should never have been shared broadly
- Which Team or SharePoint site has become unmanaged over time
That is why the governance model must evolve.
Instead of IT attempting to centrally police every permission across Microsoft 365, organisations need to empower Site Owners with the tools, visibility, and responsibility to manage their own environments safely.
IT should provide guardrails and oversight, and Site Owners should manage the permissions on the content.
The Biggest Copilot Readiness Mistake
Many organisations are currently focusing heavily on:
- AI adoption
- Prompt engineering
- Copilot licensing
- Change management
- Productivity gains
But they are skipping the most important question:
“What can Copilot already see?”
If permissions are messy, AI will amplify the problem.
If content is stale, irrelevant, duplicated, or overshared, AI will still consume it.
In many ways, Copilot readiness is actually a governance project.
Common Risks We Demonstrated in the Webinar
During the webinar, we explored several real-world governance risks that organisations commonly discover when reviewing SharePoint permissions and sharing.
These included:
Anyone Links and External Sharing
Sharing links are one of the largest hidden risks in Microsoft 365.
Many organisations have thousands of legacy Anyone links that:
- Never expire
- Are no longer needed
- Provide access outside the organisation
- Are invisible to most Site Owners
Copilot increases the importance of identifying and reviewing these links.
Stale and Outdated Content
Old project documentation, historic HR discussions, abandoned restructuring plans, and irrelevant committee files often remain searchable and accessible for years.
Even if users forget the content exists, Copilot may still surface it.
Excessive Permissions
Over time, users accumulate access through:
- SharePoint Groups
- Microsoft 365 Groups
- Entra Security Groups
- Direct permissions
- Inherited permissions
This creates permission sprawl that becomes extremely difficult to understand without proper reporting and visualisation.
Sensitivity Labels Without Enforcement
Many organisations apply labels inconsistently or fail to educate users on what labels actually mean.
Without strong governance and visibility, sensitive content may still be widely accessible despite classification efforts.
Empowering Site Owners Changes Everything
The organisations that will manage AI risk most effectively are not necessarily the ones with the largest IT departments.
They are the organisations that:
- Empower Site Owners
- Make permissions understandable
- Provide actionable reporting
- Enable safe clean-up activities
- Create accountability close to the business
- Continuously review sharing and access
Governance must become operational and continuous.
Not a once-a-year audit exercise.
Watch the Webinar
In this session, Brett Lonsdale demonstrates:
- Real-world SharePoint governance risks
- How Copilot changes the risk landscape
- Why Site Owners are critical
- Practical approaches to permissions management
- Oversharing and sharing-link visibility
- Copilot readiness strategies
- Governance tooling and reporting demonstrations