How to stop SharePoint from leaking everything to Copilot

Copilot only surfaces content the user already had access to. The problem is that 'already had access to' is doing far more work in that sentence than it sounds.

The reassurance that doesn't reassure

Every Microsoft 365 Copilot deployment conversation eventually arrives at the same statement, usually delivered briskly by someone from IT: don't worry, Copilot only surfaces content the user already has access to. Technically, that's correct. Practically, it's the start of the problem rather than the end of it.

Most large organisations have spent fifteen years building up a SharePoint estate that nobody fully understands. Sites get inherited from people who've left. Permissions get widened just to make it easier this once. Documents get shared with Everyone except external users because someone in 2017 didn't know what else to click. The contents of that estate were technically accessible to everyone in the company already — but the only thing standing between technically accessible and anyone could find it was the fact that nobody could possibly search through it all.

Copilot can search through it all. That's the bit nobody warns you about until your CFO sees salary information appear in a polite drafting suggestion.

What Microsoft has built to deal with this

Three pieces of the M365 governance stack matter here, and they've matured significantly across 2025 and into 2026. They sit at different levels of the problem.

1. Visibility — Data Access Governance reports and DSPM for AI

SharePoint Advanced Management (SAM) is now included with every Microsoft 365 Copilot licence, having previously been a separate add-on. The single most useful thing it ships is Data Access Governance reports — a set of dashboards that surface oversharing baselines: which sites have the most unique permissions, which contain sensitive content, which are accessible to Everyone except external users (the most common silent leak), and which haven't been touched in years.

Sitting alongside it is Microsoft Purview's DSPM for AI — Data Security Posture Management — which gives you visibility into prompts, responses and sensitive-data interactions across Copilot and other generative AI tools. Together they answer the two questions every CISO eventually asks: what's exposed, and what's actually being touched.

2. Protection — sensitivity labels, RAC, and Restricted Content Discovery

Once you can see the problem, you have three tools to limit the blast radius.

Sensitivity labels, applied via Microsoft Purview Information Protection, are honoured by Copilot — labelled content surfaced in a response retains its highest sensitivity label, including any encryption.

Restricted Access Control (RAC) policies let you say only members of group X can access this site at all, regardless of any older sharing decisions buried in its history.

Restricted Content Discovery (RCD) is the most underused of the three. It excludes specific sites from Copilot and search entirely, even for users who have technical access. Use it on the half-dozen sites you're not yet ready to clean up — HR, Legal, M&A — and you've taken the most likely embarrassments off the table while you do the broader work.

3. Monitoring — Insider Risk Management for AI

Microsoft Purview now includes Insider Risk Management policies for risky AI usage — detecting when employees paste sensitive data into Copilot or third-party AI tools, and when sensitive content is being surfaced repeatedly to users who probably shouldn't be touching it. It's the safety net under the safety net.

The order to do it in

If you're starting cold, the deployment pattern that works in practice is:

  1. Run the Data Access Governance reports. You will be unhappy with what you see. That's the point.
  2. Apply RCD to the obvious time-bombs — HR, Legal, Finance, M&A — even if you haven't classified anything inside them yet. This is your fast-acting brake.
  3. Roll out sensitivity labels to the documents that matter most. Default labels for new content first; bulk classification for old content second.
  4. Turn on DSPM for AI and Insider Risk so you can see what's actually being touched.
  5. Close the Everyone except external users sharing loopholes systematically. SAM gives you the sites; the rest is a project, not a button.
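As an added example (not code from the original post), here is how step 2, the RCD "fast-acting brake", looks when scripted with the SharePoint Online Management Shell so it is applied consistently and verified rather than clicked through site by site. The tenant and site URLs are placeholders; it assumes the `-RestrictContentOrgWideSearch` switch and matching site property that SAM exposes for Restricted Content Discovery.

```powershell
# Added example, not from the post: apply Restricted Content Discovery (RCD) to a
# short list of high-risk sites, read the setting back, and keep an audit trail.
# TENANT and the site URLs are placeholders; replace them with your own.
Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl   = 'https://TENANT-admin.sharepoint.com'    # placeholder tenant admin URL
$brakeSites = @(                                        # constructed list: HR, Legal, Finance, M&A
    'https://TENANT.sharepoint.com/sites/HR',
    'https://TENANT.sharepoint.com/sites/Legal',
    'https://TENANT.sharepoint.com/sites/Finance',
    'https://TENANT.sharepoint.com/sites/MandA'
)

Connect-SPOService -Url $adminUrl

$results = foreach ($url in $brakeSites) {
    try {
        $before = Get-SPOSite -Identity $url -Detailed
        if (-not $before.RestrictContentOrgWideSearch) {
            # RCD leaves existing permissions untouched: people with access can still
            # open the site by link, but Copilot and tenant-wide search stop surfacing it.
            Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
        }
        # Read the property back instead of trusting that the call took effect.
        $after = Get-SPOSite -Identity $url -Detailed
        [pscustomobject]@{
            Site   = $url
            WasSet = [bool]$before.RestrictContentOrgWideSearch
            NowSet = [bool]$after.RestrictContentOrgWideSearch
            Status = if ($after.RestrictContentOrgWideSearch) { 'restricted' } else { 'FAILED' }
        }
    }
    catch {
        [pscustomobject]@{ Site = $url; WasSet = $null; NowSet = $null
                           Status = "ERROR: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize
# Audit trail: which sites the brake was applied to, and when.
$results | Export-Csv -Path ".\rcd-brake-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Anything that is not 'restricted' needs a human look before you tell users it is covered.
$results | Where-Object { $_.Status -ne 'restricted' }

Disconnect-SPOService
```

RCD only hides the sites from Copilot and search; it does not fix the underlying sharing, so step 5 still has to happen.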

The training conversation this enables

The interesting thing about doing this work is that it changes the conversation you can have with users. Most early Copilot training avoids data security entirely — it's awkward, it spooks people, it slows down adoption. Once your governance estate is healthy, you can be more open with users: Copilot can see your team's content. Here's what we've put in place so it doesn't see what it shouldn't. Here's what to do if it surfaces something odd.

That's a far better message than don't worry about it, and it's the only message that holds up after the first uncomfortable surfacing.