Control 4.1: SharePoint Information Access Governance (IAG) / Restricted Content Discovery

Control ID: 4.1 Pillar: SharePoint Regulatory Reference: GLBA 501(b), GLBA §§521-523, SEC Reg S-P, FINRA 4511 Last UI Verified: February 2026 Governance Levels: Baseline / Recommended / Regulated Last Verified: 2026-02-03


Objective

Control which SharePoint sites and content Microsoft 365 Copilot and AI agents can access. Verify that Copilot queries against RCD-protected sites return no results, even when users have permission to view the content directly.


Why This Matters for FSI

  • GLBA 501(b): Requires safeguards for customer nonpublic personal information (NPI); IAG restricts AI from surfacing NPI from restricted sites
  • SEC Reg S-P: Mandates protection of customer information; controls AI access to customer data repositories
  • FINRA 4511: Books and records integrity requirements; maintains governance over AI content access
  • SOX 302: Internal controls over financial reporting; restricts agent access to financial reporting sites
  • Information Barriers: Enables "ethical walls" required by FSI regulations to separate business units (M&A, trading, research)
  • GLBA §§521-523:[^1] Prohibits obtaining customer information through false pretenses (pretexting); IAG controls help demonstrate that AI agents access only legitimately authorized content

[^1]: GLBA §§521-523 (15 USC 6821-6823) address pretexting — obtaining customer information under false pretenses. While primarily a prohibition rather than a safeguard requirement, IAG controls help demonstrate that AI agents are not circumventing access controls to obtain customer information inappropriately.


Control Description

Licensing Prerequisites

This control requires SharePoint Advanced Management (SAM) capabilities. SAM features (including RCD, RSS, RAC, and Data Access Governance reports) are now included with Microsoft 365 Copilot licenses — no separate add-on purchase is required for Copilot-licensed organizations. The only SAM feature requiring a separate add-on is Restricted Site Creation. Organizations without Copilot licenses still require the standalone SAM add-on.

This control establishes governance over SharePoint content accessibility to Microsoft 365 Copilot and AI agents. SharePoint Information Access Governance provides multiple mechanisms to control what content AI can access:

Restricted Content Discovery (RCD) is a block-list approach where administrators specify sites to exclude from Copilot. This is ideal for mature deployments with good data hygiene.

Restricted SharePoint Search (RSS) is an allow-list approach where only explicitly approved sites are accessible to Copilot. This Zero Trust model is recommended for initial Copilot deployments.

Verify Current RSS Site Limit

The 100-site limit referenced below was current as of January 2026. Microsoft may update this limit — verify the current value at Restricted SharePoint Search documentation before implementation.

Current documented limit: Up to 100 sites can be added to the RSS allowlist.

Restricted Access Control (RAC) enables ethical walls by limiting site access to specific security groups regardless of individual sharing permissions, ideal for M&A deal rooms, trading desk separation, and regulatory examination sites.

The control is designed to prevent AI agents from surfacing sensitive content inappropriately, even when users have legitimate access to it.


Key Configuration Points

  • Enable Restricted Content Discovery (RCD) for all enterprise-managed and regulated sites containing sensitive data
  • Consider Restricted SharePoint Search (RSS) allow-list approach for initial Copilot deployments (Zero Trust)
  • Configure Restricted Access Control (RAC) for information barrier scenarios (M&A, trading, research separation)
  • Run Data Access Governance reports to identify oversharing risks before Copilot deployment
  • Document all restricted sites with business justification and review schedule
  • RCD delegation with justification logging (GA): SharePoint site administrators can now manage RCD settings for their sites when delegated by tenant administrators. When site admins enable or disable RCD, they must provide a justification, which is captured in the audit log for compliance tracking
  • RCD audit events: All RCD state changes (enable, disable, justification records) are captured as SharePoint audit events, supporting FINRA 4511 recordkeeping requirements and providing evidence trails for compliance audits
  • Restricted Access Control (RAC) enhancements: RAC now supports up to 10 security groups per site (expanded from previous limits), providing more granular access control. Use Start-SPORestrictedAccessForSitesInsights PowerShell cmdlet to generate reports on RAC-protected site access patterns

Technical Implementation Notes

RCD Reindexing Latency

When RCD is enabled on a site, SharePoint must reindex every file in the site to update the Semantic Index. This process may take several hours for large sites with thousands of documents. Plan RCD enablement during maintenance windows and verify restriction effectiveness after reindexing completes.

Site Administrator Control (January 2026)

As of January 2026, site collection administrators can enable or disable RCD for their own sites without requiring SharePoint tenant administrator intervention. This enables a distributed governance model where site owners can protect sensitive content while maintaining central oversight through tenant-level monitoring and DAG reports.

Recent Interaction Discovery Exception

Users who have recently interacted with content (viewed, edited, or shared) may still discover that content through Microsoft 365 Copilot even when RCD is enabled on the site. RCD primarily prevents org-wide discovery scenarios (SharePoint home, Office.com, Bing) but does not override a user's individual interaction history.


Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Baseline tenant-wide IAG settings; document exceptions | Reduces personal use risk while keeping friction low |
| Zone 2 (Team) | Apply RCD for shared agent knowledge sources; require owner approval | Shared agents increase data exposure; consistent controls needed |
| Zone 3 (Enterprise) | Mandatory RCD for all regulated sites; RAC for information barriers; quarterly review | Highest regulatory risk; strictest content governance required |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure RCD/RSS/RAC settings, run Data Access Governance reports |
| SharePoint Site Collection Admin | Manage site-specific access restrictions |
| Compliance Officer | Approve restriction configurations, review audit logs |
| AI Governance Lead | Define policies for content accessibility to agents |

| Control | Relationship |
|---|---|
| 1.3 - SharePoint Content Governance | Foundation for SharePoint permissions; IAG builds on base security |
| 1.5 - DLP and Sensitivity Labels | Labels can trigger automatic content restrictions |
| 1.6 - DSPM for AI | AI access monitoring and oversharing assessment |
| 1.14 - Data Minimization | Complementary scope control principles |
| 4.2 - Site Access Reviews | Periodic reviews of restricted sites |
| 4.6 - Grounding Scope Governance | Controls Semantic Index content inclusion |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. All regulated/enterprise-managed sites have RCD enabled (RestrictContentOrgWideSearch = true)
  2. Microsoft 365 Copilot does NOT return content from restricted sites when queried
  3. Test RCD enforcement: Query Copilot for content from a sample restricted site and verify that no results are returned
  4. RAC-protected sites deny access to users outside authorized security groups
  5. Audit logs capture all IAG setting changes with user, timestamp, and site details
  6. Quarterly review of restricted sites list is documented
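The following SharePoint Online Management Shell script is an added example (not part of this control page or of Microsoft's documentation) that automates verification criterion 1 and the RCD item in Key Configuration Points: it checks `RestrictContentOrgWideSearch` on every regulated site, optionally enables RCD where it is missing, and exports the result as review evidence. The admin URL, tenant name and site list are placeholders to replace with your own.

```powershell
# Added example: audit (and optionally remediate) RCD state across regulated sites.
# Assumptions: <tenant> is a placeholder; the site list is a constructed sample.
#Requires -Modules Microsoft.Online.SharePoint.PowerShell

param(
    [string]$AdminUrl = 'https://<tenant>-admin.sharepoint.com',   # placeholder
    [string[]]$RegulatedSites = @(                                 # constructed sample list
        'https://<tenant>.sharepoint.com/sites/FinancialReporting',
        'https://<tenant>.sharepoint.com/sites/MandA-DealRoom',
        'https://<tenant>.sharepoint.com/sites/CustomerNPI'
    ),
    [switch]$Remediate                                             # enable RCD where missing
)

Connect-SPOService -Url $AdminUrl

$findings = foreach ($url in $RegulatedSites) {
    $checked = (Get-Date).ToString('o')
    try {
        $site = Get-SPOSite -Identity $url
        $rcd  = [bool]$site.RestrictContentOrgWideSearch
        if ($rcd) {
            $action = 'Compliant'
        } elseif ($Remediate) {
            # Enabling RCD triggers a full reindex of the site; allow hours for large
            # sites before re-testing Copilot queries against it (criterion 3).
            Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
            $action = 'Enabled RCD'
        } else {
            $action = 'GAP: RCD disabled'
        }
        [pscustomobject]@{ Site = $url; RcdEnabled = $rcd; Action = $action; Checked = $checked }
    } catch {
        # An unreachable or deleted site is itself a finding for the quarterly review.
        [pscustomobject]@{ Site = $url; RcdEnabled = $null
                           Action = "ERROR: $($_.Exception.Message)"; Checked = $checked }
    }
}

$findings | Format-Table -AutoSize

# Export as evidence for the documented quarterly review (criterion 6).
$findings | Export-Csv -Path ".\rcd-evidence-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Non-zero exit code when any regulated site is not compliant, for use in scheduled checks.
$gaps = @($findings | Where-Object { $_.Action -ne 'Compliant' }).Count
exit ([int]($gaps -gt 0))
```

Run without `-Remediate` first to produce a read-only report; only a SharePoint Admin should run it with `-Remediate`, and the resulting RCD state changes will appear in the SharePoint audit log as described above.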

Additional Resources


Implementation Note

Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.

Updated: February 2026 | Version: v1.2 | UI Verification Status: Current