Control 4.5: SharePoint Security and Compliance Monitoring
Control ID: 4.5
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, FINRA 25-07, SEC 17a-3/4
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Monitor SharePoint security posture, agent activity, and compliance status so that AI agents accessing SharePoint-based knowledge sources can be observed against established governance boundaries. Configure alert policies that aim to surface high-severity policy violations within published Microsoft service targets (typically minutes to a few hours; alert latency is not contractually guaranteed) to support timely identification of unauthorized access patterns and compliance gaps.
Why This Matters for FSI
- FINRA 4511, FINRA 25-07: Agent insights provide an audit trail of AI access to records; continuous monitoring enables supervisory oversight
- SEC 17a-4: Data access reports verify content remains accessible for examination
- GLBA 501(b): Dashboard monitoring identifies security risks; agent access reports track customer data access
- SOX 404: Reports provide evidence for control testing; continuous monitoring validates control operation
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control provides visibility into how AI agents interact with SharePoint content, enabling proactive identification of security risks and compliance gaps before they become incidents.
| Capability | Description |
|---|---|
| Agent Insights | Monitor AI agent activity across SharePoint and OneDrive |
| Data Access Governance | Comprehensive reports on permissions and sharing |
| Dashboard Monitoring | At-a-glance metrics on SharePoint Admin Center home |
| Advanced Management | M365 Copilot readiness and content management assessments |
| Audit Logging | Track file access, modifications, and sharing events |
Key Configuration Points
- Assign the SharePoint Admin role to monitoring personnel
- Enable SharePoint Advanced Management for Agent insights
- Configure a baseline for Data access governance reports
- Run Advanced management assessments quarterly
- Establish monitoring cadence by zone (daily/weekly/monthly)
- Integrate with Microsoft Sentinel for Zone 3 real-time monitoring
Technical Implementation Notes
Agent Insights (November 2025)
Requires: SharePoint Advanced Management (SAM). As of January 2025, SAM capabilities are included with every Microsoft 365 Copilot license; standalone SAM SKUs remain available for tenants that need SAM without Copilot. Feature GA as of November 2025; verify availability in your tenant via SharePoint Admin Center > Reports > Agent insights. Base licensing requires Office 365 E3/E5/A5 or Microsoft 365 E1/E3/E5/A5, plus either standalone SAM or at least one Microsoft 365 Copilot license assigned in the tenant. Confirm current licensing terms on the Microsoft 365 admin center "Your products" page before relying on SAM features.
Agent insights provides tenant-wide visibility into SharePoint agent activity:
| Metric | Description | Governance Use |
|---|---|---|
| Agents Created per Site | Count of agents using site as knowledge source | Identify high-activity sites |
| Agents Actively Used per Site | Count of agents with recent usage | Prioritize monitoring |
| RCD Status | Sites with Restricted Content Discovery enabled | Verify exclusion compliance |
| RAC Status | Sites with Restricted Access Control enabled | Verify information barriers |
Access agent insights via SharePoint Admin Center > Reports > Agent insights, or export to CSV for analysis in Power BI.
SharePoint Admin Agent vs. Content Governance Agent
Microsoft has released two AI-assisted SharePoint governance tools with distinct purposes:
| Agent | Release | Purpose | Access |
|---|---|---|---|
| SharePoint Admin Agent | GA November 2025 | Administrative queries (permissions, sharing, compliance) | SharePoint Admin Center > Home |
| Content Governance Agent | Preview (limited availability) | Content lifecycle management, retention recommendations | SharePoint Admin Center > Content Services |
SharePoint Admin Agent (GA November 2025):
- Query site permissions, sharing settings, and policy compliance in natural language
- Identify sites requiring governance attention
- Generate reports based on natural language requests
- Access via SharePoint Admin Center > Home > "Ask a question about SharePoint"
Content Governance Agent (Preview):
- Analyze content usage patterns for retention policy recommendations
- Identify stale or orphaned content across sites
- Recommend labeling strategies based on content characteristics
- Note: Preview availability may be limited; verify tenant eligibility
Site Permissions for Users Report (December 2025)
This new Data access governance (DAG) report lists all SharePoint and OneDrive sites a specified user can access, enabling:
- Pre-Copilot deployment permission audits for pilot users
- Investigation of potential data exposure scope
- Access certification evidence for compliance
DSPM Item-Level Remediation (November 2025)
Data Security Posture Management now supports item-level risk assessment and bulk remediation:
- Identify overshared files and folders (not just sites)
- Bulk disable anonymous and organization-wide sharing links
- Generate remediation reports for compliance evidence
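The following added example (not part of this control or its playbooks) joins an Agent insights CSV export with unified audit log sharing events to find agent knowledge-source sites where anonymous or organization-wide links were created. The CSV column names, the reduced audit record shape, the sample data, and the severity rule are assumptions made for illustration; `AnonymousLinkCreated` and `CompanyLinkCreated` are the audit operation names SharePoint records for these link types.

```python
import csv
import io
from collections import Counter, defaultdict

# Audit operations that create links reachable beyond named users.
BROAD_LINK_OPS = {"AnonymousLinkCreated": "anonymous",
                  "CompanyLinkCreated": "organization-wide"}
# Constructed Agent insights export; column names are assumed, not the real schema.
AGENT_INSIGHTS_CSV = """SiteUrl,AgentsCreated,AgentsActivelyUsed,RcdEnabled
https://contoso.example/sites/research,4,3,False
https://contoso.example/sites/hr,2,1,True
https://contoso.example/sites/archive,1,0,False
"""
# Constructed audit records, already parsed and reduced to the fields read here.
AUDIT_RECORDS = [
    {"Operation": "AnonymousLinkCreated", "SiteUrl": "https://contoso.example/sites/Research/", "SourceFileName": "q1-model.xlsx"},
    {"Operation": "CompanyLinkCreated", "SiteUrl": "https://contoso.example/sites/research", "SourceFileName": "q1-model.xlsx"},
    {"Operation": "CompanyLinkCreated", "SiteUrl": "https://contoso.example/sites/hr/", "SourceFileName": "comp-bands.docx"},
    {"Operation": "FileAccessed", "SiteUrl": "https://contoso.example/sites/archive/", "SourceFileName": "old.pdf"},
    {"Operation": "AnonymousLinkCreated", "SiteUrl": "https://contoso.example/sites/marketing/", "SourceFileName": "flyer.pdf"},
]

def norm(url):
    """Compare site URLs case-insensitively and without a trailing slash."""
    return url.rstrip("/").lower()

def load_agent_sites(csv_text):
    """Index the export by normalized site URL."""
    return {norm(r["SiteUrl"]): {"created": int(r["AgentsCreated"]),
                                 "active": int(r["AgentsActivelyUsed"]),
                                 "rcd": r["RcdEnabled"].strip().lower() == "true"}
            for r in csv.DictReader(io.StringIO(csv_text))}

def broad_link_findings(sites, records):
    """Return one finding per agent knowledge-source site with broad sharing links."""
    links = defaultdict(Counter)
    for rec in records:
        kind = BROAD_LINK_OPS.get(rec.get("Operation"))
        site = norm(rec.get("SiteUrl", ""))
        if kind and site in sites and sites[site]["created"] > 0:
            links[site][kind] += 1
    findings = []
    for site, counts in sorted(links.items()):
        # Assumed rule: agents in active use and no RCD exclusion is the worst case.
        severity = "high" if sites[site]["active"] > 0 and not sites[site]["rcd"] else "medium"
        findings.append({"site": site, "severity": severity, "links": dict(counts)})
    return findings

if __name__ == "__main__":
    print(broad_link_findings(load_agent_sites(AGENT_INSIGHTS_CSV), AUDIT_RECORDS))
```

Sites that appear in the audit data but not in the Agent insights export (the marketing site in the sample) are skipped, because no agent uses them as a knowledge source.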
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Monthly Agent insights review; weekly dashboard review | Low risk; basic awareness sufficient |
| Zone 2 (Team) | Weekly Agent access review; monthly data access reports; alert on high severity | Shared agents need consistent monitoring |
| Zone 3 (Enterprise) | Daily monitoring; SIEM integration; automated response; SOC alerting | Highest risk; continuous visibility required |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Report configuration, dashboard review, and site-level monitoring settings |
| Entra Security Admin | Defender XDR and alert policy configuration; review of high-severity SharePoint alerts |
| SOC Analyst | Continuous monitoring of SIEM-forwarded events and incident triage (Zone 3) |
| Purview Audit Reader | Unified audit log search and evidence export |
| AI Governance Lead | Agent access review and governance policy enforcement |
| Compliance Officer | Regulatory evidence collection and audit support |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit logs complement SharePoint monitoring |
| 3.1 - Agent Inventory | Agent insights feeds inventory |
| 3.9 - Sentinel Integration | SIEM integration for SharePoint events |
| 4.1 - Information Access Governance | Monitoring identifies content requiring restrictions |
| 4.7 - M365 Copilot Data Governance | M365 Copilot governance drives monitoring requirements |
| 4.8 - Item-Level Permission Scanning | Item-level scanning extends monitoring to individual files in agent knowledge sources |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- SharePoint Admin Center Home dashboard displays current metrics
- Agent insights reports show agent inventory and access patterns
- Data access governance reports generate successfully
- Advanced management assessments complete without errors
- Unified audit logging is enabled and returning results
- SharePoint audit events are retained for the full SEC 17a-4 / FINRA 4511 retention period (typically 6 years for broker-dealers) via a Purview audit retention policy; Standard audit (180-day default) and Premium audit (1-year default) baselines are insufficient on their own
- Alert policies for high-severity SharePoint and agent events are configured, with documented expected latency tied to Microsoft published service targets (rather than a fixed local SLA)
- Monitoring cadence is documented and followed
- Alert response targets met: organization-defined triage and remediation SLAs (e.g., review high-severity alerts within 4 hours, remediate within 24 hours) are documented and tracked
Additional Resources
- Agent insights in SharePoint
- Data access governance reports
- SharePoint Advanced Management overview
- Microsoft Purview Audit overview
- Manage audit log retention policies
- SharePoint Admin agent overview
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current