
Control 4.5: SharePoint Security and Compliance Monitoring

Control ID: 4.5 | Pillar: SharePoint | Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-3/4 | Last UI Verified: January 2026 | Governance Levels: Baseline / Recommended / Regulated | Last Verified: 2026-02-03


Objective

Monitor SharePoint security posture, agent activity, and compliance status to ensure AI agents accessing SharePoint-based knowledge sources operate within established governance boundaries. Verify security alerts are generated within 15 minutes of policy violations to enable timely identification of unauthorized access patterns and compliance gaps.


Why This Matters for FSI

  • FINRA 4511: Agent insights provide audit trail of AI access to records; continuous monitoring enables supervisory oversight
  • SEC 17a-4: Data access reports verify content remains accessible for examination
  • GLBA 501(b): Dashboard monitoring identifies security risks; agent access reports track customer data access
  • SOX 404: Reports provide evidence for control testing; continuous monitoring validates control operation

Control Description

This control provides visibility into how AI agents interact with SharePoint content, enabling proactive identification of security risks and compliance gaps before they become incidents.

| Capability | Description |
|---|---|
| Agent Insights | Monitor AI agent activity across SharePoint and OneDrive |
| Data Access Governance | Comprehensive reports on permissions and sharing |
| Dashboard Monitoring | At-a-glance metrics on SharePoint Admin Center home |
| Advanced Management | M365 Copilot readiness and content management assessments |
| Audit Logging | Track file access, modifications, and sharing events |

Key Configuration Points

  • Assign SharePoint Admin role to monitoring personnel
  • Enable SharePoint Advanced Management for Agent insights
  • Configure a baseline for Data access governance reports
  • Run Advanced management assessments quarterly
  • Establish monitoring cadence by zone (daily/weekly/monthly)
  • Integrate with Microsoft Sentinel for Zone 3 real-time monitoring

Technical Implementation Notes

Agent Insights (November 2025)

Requires: SharePoint Advanced Management (SAM) license. Feature GA as of November 2025; verify availability in your tenant via SharePoint Admin Center > Reports > Agent insights.

Agent Insights provides tenant-wide visibility into SharePoint agent activity:

| Metric | Description | Governance Use |
|---|---|---|
| Agents Created per Site | Count of agents using site as knowledge source | Identify high-activity sites |
| Agents Actively Used per Site | Count of agents with recent usage | Prioritize monitoring |
| RCD Status | Sites with Restricted Content Discovery enabled | Verify exclusion compliance |
| RAC Status | Sites with Restricted Access Control enabled | Verify information barriers |

Access Agent Insights via SharePoint Admin Center > Reports > Agent insights, or export to CSV for analysis in Power BI.
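One way to triage the CSV export against a governance baseline, shown as an added example that is not part of the original control or any Microsoft tooling. The column names (`SiteUrl`, `AgentsCreated`, `AgentsActivelyUsed`, `RCDEnabled`, `RACEnabled`), the site URLs and the `REQUIRED` baseline are assumptions constructed for illustration; map them to the headers in your own export.

```python
import csv
import io

# Constructed sample of an Agent insights CSV export. Column names are
# assumptions for this example; map them to the headers in your own export.
SAMPLE_EXPORT = """SiteUrl,AgentsCreated,AgentsActivelyUsed,RCDEnabled,RACEnabled
https://contoso.example/sites/wealth-clients,6,4,No,Yes
https://contoso.example/sites/hr-casefiles,2,0,No,No
https://contoso.example/sites/research,9,7,Yes,Yes
https://contoso.example/sites/marketing,3,3,No,No
"""

# Constructed governance baseline: controls each site is required to carry.
REQUIRED = {
    "https://contoso.example/sites/wealth-clients": {"RCD", "RAC"},
    "https://contoso.example/sites/hr-casefiles": {"RCD", "RAC"},
    "https://contoso.example/sites/research": {"RAC"},
}

STATUS_COLUMNS = {"RCD": "RCDEnabled", "RAC": "RACEnabled"}


def norm(url):
    """Compare site URLs case-insensitively and without a trailing slash."""
    return url.strip().rstrip("/").lower()


def is_enabled(value):
    """Treat common truthy spellings in the export as 'enabled'."""
    return (value or "").strip().lower() in {"yes", "true", "enabled", "1"}


def find_gaps(export_text, required):
    """Return baseline sites whose RCD/RAC status is missing, busiest first."""
    baseline = {norm(u): set(c) for u, c in required.items()}
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        site = norm(row["SiteUrl"])
        seen.add(site)
        have = {c for c, col in STATUS_COLUMNS.items() if is_enabled(row.get(col))}
        missing = baseline.get(site, set()) - have
        if missing:
            active = int(row.get("AgentsActivelyUsed") or 0)
            findings.append({"site": site, "missing": sorted(missing), "active_agents": active})
    # A baseline site absent from the export cannot be verified; report it too.
    for site in sorted(set(baseline) - seen):
        findings.append({"site": site, "missing": ["NOT_IN_EXPORT"], "active_agents": 0})
    return sorted(findings, key=lambda f: (-f["active_agents"], f["site"]))
```

Sorting by actively used agents puts the sites where a missing restriction has the most live agent traffic at the top of the review queue.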

SharePoint Admin Agent vs. Content Governance Agent

Microsoft has released two AI-assisted SharePoint governance tools with distinct purposes:

| Agent | Release | Purpose | Access |
|---|---|---|---|
| SharePoint Admin Agent | GA November 2025 | Administrative queries (permissions, sharing, compliance) | SharePoint Admin Center > Home |
| Content Governance Agent | Preview (limited availability) | Content lifecycle management, retention recommendations | SharePoint Admin Center > Content Services |

SharePoint Admin Agent (GA November 2025):

  • Query site permissions, sharing settings, and policy compliance in natural language
  • Identify sites requiring governance attention
  • Generate reports based on natural language requests
  • Access via SharePoint Admin Center > Home > "Ask a question about SharePoint"

Content Governance Agent (Preview):

  • Analyze content usage patterns for retention policy recommendations
  • Identify stale or orphaned content across sites
  • Recommend labeling strategies based on content characteristics
  • Note: Preview availability may be limited; verify tenant eligibility

Site Permissions for Users Report (December 2025)

This new DAG report lists all SharePoint and OneDrive sites a specified user can access, enabling:

  • Pre-Copilot deployment permission audits for pilot users
  • Investigation of potential data exposure scope
  • Access certification evidence for compliance

DSPM Item-Level Remediation (November 2025)

Data Security Posture Management now supports item-level risk assessment and bulk remediation:

  • Identify overshared files and folders (not just sites)
  • Bulk disable anonymous and organization-wide sharing links
  • Generate remediation reports for compliance evidence

Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Monthly Agent insights review; weekly dashboard review | Low risk; basic awareness sufficient |
| Zone 2 (Team) | Weekly Agent access review; monthly data access reports; alert on high severity | Shared agents need consistent monitoring |
| Zone 3 (Enterprise) | Daily monitoring; SIEM integration; automated response; SOC alerting | Highest risk; continuous visibility required |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| SharePoint Admin | Report configuration and site settings |
| Security Operations | Threat monitoring and incident response |
| AI Governance Lead | Agent access review and policy enforcement |
| Compliance Team | Regulatory evidence and audit support |

| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit logs complement SharePoint monitoring |
| 3.1 - Agent Inventory | Agent insights feeds inventory |
| 3.9 - Sentinel Integration | SIEM integration for SharePoint events |
| 4.1 - Information Access Governance | Monitoring identifies content requiring restrictions |
| 4.7 - M365 Copilot Data Governance | M365 Copilot governance drives monitoring requirements |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. SharePoint Admin Center Home dashboard displays current metrics
  2. Agent insights reports show agent inventory and access patterns
  3. Data access governance reports generate successfully
  4. Advanced management assessments complete without errors
  5. Unified audit logging is enabled and returning results
  6. Monitoring cadence is documented and followed
  7. Alert response targets met: Review alerts within 4 hours, remediate within 24 hours
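A sketch of how the timing targets in this control (alert within 15 minutes of a violation, review within 4 hours, remediate within 24 hours) could be tested against alert records. This is an added example, not part of the original control. The record fields, alert IDs and timestamps are constructed, and measuring the 24-hour remediation window from alert generation is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Targets stated in this control.
ALERT_TARGET = timedelta(minutes=15)    # policy violation -> alert generated
REVIEW_TARGET = timedelta(hours=4)      # alert generated -> alert reviewed
REMEDIATE_TARGET = timedelta(hours=24)  # alert generated -> remediated (assumed start point)

# Constructed evaluation time and alert records (UTC, ISO 8601).
# None means the step has not happened yet.
AS_OF = datetime(2026, 2, 3, 12, 30, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"id": "A-1", "violation": "2026-02-02T09:00:00Z", "alerted": "2026-02-02T09:06:00Z",
     "reviewed": "2026-02-02T11:30:00Z", "remediated": "2026-02-02T20:00:00Z"},
    {"id": "A-2", "violation": "2026-02-02T10:00:00Z", "alerted": "2026-02-02T10:40:00Z",
     "reviewed": "2026-02-02T12:00:00Z", "remediated": None},
    {"id": "A-3", "violation": "2026-02-03T08:00:00Z", "alerted": "2026-02-03T08:10:00Z",
     "reviewed": None, "remediated": None},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; pass None through for open steps."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def breaches(alert, now):
    """List the targets this alert missed; open steps are measured up to `now`."""
    violation, alerted = parse_ts(alert["violation"]), parse_ts(alert["alerted"])
    reviewed, remediated = parse_ts(alert["reviewed"]), parse_ts(alert["remediated"])
    missed = []
    if alerted - violation > ALERT_TARGET:
        missed.append("alert_latency")
    # An unreviewed or unremediated alert breaches once its age passes the target.
    if (reviewed or now) - alerted > REVIEW_TARGET:
        missed.append("review")
    if (remediated or now) - alerted > REMEDIATE_TARGET:
        missed.append("remediation")
    return missed


def evidence_report(alerts, now):
    """Map alert id -> missed targets, keeping only alerts with at least one miss."""
    report = {a["id"]: breaches(a, now) for a in alerts}
    return {alert_id: missed for alert_id, missed in report.items() if missed}
```

Counting still-open alerts against the evaluation time keeps an alert that nobody has picked up from passing the check simply because it has no review timestamp.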

Additional Resources


Updated: February 2026 | Version: v1.2 | UI Verification Status: Current