Control 4.5: SharePoint Security and Compliance Monitoring
Control ID: 4.5
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, FINRA 3110, FINRA RN 24-09, SEC 17a-3/4
Last UI Verified: May 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Monitor SharePoint security posture, agent activity, and compliance status so that AI agents accessing SharePoint-based knowledge sources can be observed against established governance boundaries. Configure alert policies that aim to surface high-severity policy violations within published Microsoft service targets (typically minutes to a few hours; alert latency is not contractually guaranteed) to support timely identification of unauthorized access patterns and compliance gaps.
Why This Matters for FSI
- FINRA 4511 / RN 24-09 / Rule 3110: Agent insights provide an audit trail of AI access to records (Rule 4511); continuous monitoring enables supervisory oversight under FINRA Rule 3110 and the generative-AI guidance in FINRA Regulatory Notice 24-09. (FINRA RN 25-07 is a monitored RFC on workplace modernization that touches AI-generated communications recordkeeping; it is not yet adopted. See framework/regulatory-framework.md.)
- SEC 17a-4: Data access reports verify content remains accessible for examination
- GLBA 501(b): Dashboard monitoring identifies security risks; agent access reports track customer data access
- SOX 404: Reports provide evidence for control testing; continuous monitoring validates control operation
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control provides visibility into how AI agents interact with SharePoint content, enabling proactive identification of security risks and compliance gaps before they become incidents.
| Capability | Description |
|---|---|
| Agent Insights | Monitor AI agent activity across SharePoint and OneDrive |
| Data Access Governance | Comprehensive reports on permissions and sharing |
| Dashboard Monitoring | At-a-glance metrics on SharePoint Admin Center home |
| Advanced Management | M365 Copilot readiness and content management assessments |
| Audit Logging | Track file access, modifications, and sharing events |
Key Configuration Points
- Assign SharePoint Admin role to monitoring personnel
- Enable SharePoint Advanced Management for Agent insights
- Configure a baseline for Data access governance reports
- Run Advanced management assessments quarterly
- Establish monitoring cadence by zone (daily/weekly/monthly)
- Integrate with Microsoft Sentinel for Zone 3 real-time monitoring
Technical Implementation Notes
Agent Insights (November 2025)
Requires: SharePoint Advanced Management (SAM). As of January 2025, SAM capabilities are included with every Microsoft 365 Copilot license; standalone SAM SKUs remain available for tenants that need SAM without Copilot. Feature GA as of November 2025; verify availability in your tenant via SharePoint Admin Center > Reports > Agent insights. Base licensing requires Office 365 E3/E5/A5 or Microsoft 365 E1/E3/E5/A5, plus either standalone SAM or at least one Microsoft 365 Copilot license assigned in the tenant. Confirm current licensing terms on the Microsoft 365 admin center "Your products" page before relying on SAM features.
Agent insights provides tenant-wide visibility into SharePoint agent activity:
| Metric | Description | Governance Use |
|---|---|---|
| Agents Created per Site | Count of agents using site as knowledge source | Identify high-activity sites |
| Agents Actively Used per Site | Count of agents with recent usage | Prioritize monitoring |
| RCD Status | Sites with Restricted Content Discovery enabled | Verify exclusion compliance |
| RAC Status | Sites with Restricted Access Control enabled | Verify information barriers |
Access agent insights via SharePoint Admin Center > Reports > Agent insights, or export to CSV for analysis in Power BI.
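As an added example (not part of this framework's playbooks or of Microsoft's tooling), the following Python sketch checks an exported Agent insights CSV against a governance register to verify RCD and RAC status and to rank high-activity sites. The column names, the register sets, the activity threshold and the sample rows are assumptions constructed for illustration; adjust them to the actual export.

```python
import csv
import io

# Constructed export. The column names are assumptions for this example,
# not the report's documented schema; adjust them to match your CSV.
CONSTRUCTED_EXPORT = """\
Site URL,Agents created,Agents actively used,RCD enabled,RAC enabled
https://contoso.sharepoint.com/sites/research,6,4,No,No
https://contoso.sharepoint.com/sites/hr-cases,2,1,No,Yes
https://contoso.sharepoint.com/sites/legal-hold,0,0,Yes,Yes
https://contoso.sharepoint.com/sites/m-and-a,1,0,Yes,No
https://contoso.sharepoint.com/sites/trading-desk,3,3,Yes,Yes
"""
BASE = "https://contoso.sharepoint.com/sites/"
# Hypothetical governance register: sites that policy says must carry each control.
MUST_HAVE_RCD = {BASE + s for s in ("hr-cases", "legal-hold", "m-and-a")}
MUST_HAVE_RAC = {BASE + s for s in ("m-and-a", "trading-desk")}


def review_agent_insights(csv_text, must_rcd, must_rac, busy_threshold=3):
    """Return (site, finding) pairs for rows that need governance follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        site = row["Site URL"].strip().rstrip("/").lower()
        created = int(row["Agents created"] or 0)
        active = int(row["Agents actively used"] or 0)
        rcd = row["RCD enabled"].strip().lower() == "yes"
        rac = row["RAC enabled"].strip().lower() == "yes"
        if site in must_rcd and not rcd:
            findings.append((site, "RCD_MISSING"))
        if site in must_rcd and created > 0:
            # Policy question for review, not a statement about what RCD blocks.
            findings.append((site, "AGENTS_ON_EXCLUDED_SITE"))
        if site in must_rac and not rac:
            findings.append((site, "RAC_MISSING"))
        if active >= busy_threshold:
            findings.append((site, "HIGH_AGENT_ACTIVITY"))
    return findings


def missing_from_export(csv_text, register):
    """Register sites absent from the export cannot be verified at all."""
    seen = {r["Site URL"].strip().rstrip("/").lower()
            for r in csv.DictReader(io.StringIO(csv_text))}
    return sorted(register - seen)


if __name__ == "__main__":
    for site, finding in review_agent_insights(CONSTRUCTED_EXPORT, MUST_HAVE_RCD, MUST_HAVE_RAC):
        print(f"{finding:26} {site}")
```

Retain the findings list alongside the raw export so that each review cycle leaves dated evidence of what was checked.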
SharePoint Admin Agent
Microsoft's primary AI-assisted SharePoint governance tool is the SharePoint Admin Agent — an AI-powered governance experience that helps administrators assess and remediate content-related risks across SharePoint and OneDrive using natural-language queries. It consolidates capabilities that were previously discussed in pre-GA materials under names such as "Content Governance Agent" (the Microsoft Learn URL slug content-governance-agent now resolves to the SharePoint Admin Agent page).
Capabilities (combined administrative + content-governance queries):
- Query site permissions, sharing settings, and policy compliance in natural language
- Identify sites requiring governance attention (oversharing, stale content, orphaned ownership)
- Analyze content usage patterns and surface retention-policy and labeling recommendations
- Identify stale or orphaned content across sites
- Generate guided remediation actions and reports from natural-language requests
Open the SharePoint Admin Agent from any of the following surfaces:
- SharePoint admin center: select the Copilot button in the admin center UI
- Microsoft 365 Copilot app: expand Agents and search for "SharePoint Admin Agent"
- Microsoft Teams: open Apps and search for "SharePoint Admin Agent"
See What is the SharePoint Admin Agent? for the current capability set and access prerequisites.
Site Permissions for Users Report (December 2025)
This new Data access governance (DAG) report lists all SharePoint and OneDrive sites a specified user can access, enabling:
- Pre-Copilot deployment permission audits for pilot users
- Investigation of potential data exposure scope
- Access certification evidence for compliance
DSPM Item-Level Remediation (December 2025)
Data Security Posture Management supports item-level oversharing assessment and per-item remediation through custom data risk assessments with item-level scanning enabled (requires a registered Entra application for one-time authentication):
- Discovery: Identify potentially overshared files (with anonymous or organization-wide sharing links) within scanned SharePoint sites — see the "Potentially overshared items" tab in the assessment results
- Per-item remediation actions:
  - Resolve — mark as not at risk
  - Apply sensitivity label — for unlabeled or under-labeled items
  - Notify — email the site owner (notification template not customizable)
  - Remove sharing link — removes the specific sharing link on the item (use sparingly; site owner must replace with a less permissive link for authorized users)
- Export: Export results to Excel, CSV, JSON, or TSV for compliance evidence
Limits (Microsoft 365):
- Maximum 10 SharePoint sites per item-level scan (custom assessment)
- OneDrive is not supported for item-level scanning
- Maximum 200,000 items per location (file counts may be approximate above 100,000 per location)
For broader coverage across Zone 3 enterprise estates, schedule repeated assessments rotating across site sets, or use the companion agent-knowledge-source-scanner. See Prevent oversharing with data risk assessments from DSPM.
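One way to plan the rotating assessments described above, as an added example that is not the framework's scanner or a Microsoft tool: it splits a site inventory into batches of at most 10 SharePoint sites, sets OneDrive sites aside as unsupported, and flags sites near or over the per-location item limits. The inventory keys (`url`, `items`, `agents`), the agent-count ordering and the sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

MAX_SITES_PER_SCAN = 10            # limit stated above: sites per item-level scan
MAX_ITEMS_PER_LOCATION = 200_000   # limit stated above: items per location
APPROX_COUNT_ABOVE = 100_000       # counts may be approximate above this


def is_onedrive(url):
    """OneDrive sites are served from the tenant's '-my.sharepoint.com' host."""
    return (urlparse(url).hostname or "").lower().endswith("-my.sharepoint.com")


def plan_item_level_scans(sites):
    """Split an inventory into scan batches that respect the item-level limits.

    `sites` holds dicts with hypothetical keys: url, items (estimated item
    count) and agents (agents using the site as a knowledge source).
    """
    plan = {"batches": [], "unsupported": [], "over_limit": [], "approximate": []}
    eligible, seen = [], set()
    for s in sites:
        url = s["url"].rstrip("/").lower()
        if url in seen:            # same site listed twice in the inventory
            continue
        seen.add(url)
        if is_onedrive(url):       # not supported for item-level scanning
            plan["unsupported"].append(url)
            continue
        if s["items"] > MAX_ITEMS_PER_LOCATION:
            plan["over_limit"].append(url)     # flag for manual follow-up
        elif s["items"] > APPROX_COUNT_ABOVE:
            plan["approximate"].append(url)    # treat reported counts as estimates
        eligible.append((-s["agents"], url))   # most agent-heavy sites first
    urls = [u for _, u in sorted(eligible)]
    plan["batches"] = [urls[i:i + MAX_SITES_PER_SCAN]
                       for i in range(0, len(urls), MAX_SITES_PER_SCAN)]
    return plan


def constructed_sites():
    """Constructed inventory: 23 team sites, one OneDrive site, one duplicate."""
    base = "https://contoso.sharepoint.com/sites/"
    sites = [{"url": f"{base}team{i:02d}", "items": 9_000 * i, "agents": i % 5}
             for i in range(1, 24)]
    sites.append({"url": "https://contoso-my.sharepoint.com/personal/a_user",
                  "items": 500, "agents": 0})
    sites.append({"url": f"{base}TEAM01/", "items": 9_000, "agents": 1})
    return sites
```

Each batch maps to one custom assessment; sites in `unsupported` and `over_limit` need a different coverage path and should be recorded as known gaps in the monitoring evidence.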
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Monthly Agent insights review; weekly dashboard review | Low risk; basic awareness sufficient |
| Zone 2 (Team) | Weekly Agent access review; monthly data access reports; alert on high severity | Shared agents need consistent monitoring |
| Zone 3 (Enterprise) | Daily monitoring; SIEM integration; automated response; SOC alerting | Highest risk; continuous visibility required |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Report configuration, dashboard review, and site-level monitoring settings |
| Entra Security Admin | Defender XDR and alert policy configuration; review of high-severity SharePoint alerts |
| SOC Analyst | Continuous monitoring of SIEM-forwarded events and incident triage (Zone 3) |
| Purview Audit Reader | Unified audit log search and evidence export |
| AI Governance Lead | Agent access review and governance policy enforcement |
| Compliance Officer | Regulatory evidence collection and audit support |
Related Controls
| Control | Relationship |
|---|---|
| 1.7 - Audit Logging | Audit logs complement SharePoint monitoring |
| 3.1 - Agent Inventory | Agent insights feeds inventory |
| 3.9 - Sentinel Integration | SIEM integration for SharePoint events |
| 4.1 - Information Access Governance | Monitoring identifies content requiring restrictions |
| 4.7 - M365 Copilot Data Governance | M365 Copilot governance drives monitoring requirements |
| 4.8 - Item-Level Permission Scanning | Item-level scanning extends monitoring to individual files in agent knowledge sources |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- SharePoint Admin Center Home dashboard displays current metrics
- Agent insights reports show agent inventory and access patterns
- Data access governance reports generate successfully
- Advanced management assessments complete without errors
- Unified audit logging is enabled and returning results
- SharePoint audit events are retained for the full SEC 17a-4 / FINRA 4511 retention period (typically 6 years for broker-dealers) via a Purview audit retention policy; Standard audit (180-day default) and Premium audit (1-year default) baselines are insufficient on their own
- Alert policies for high-severity SharePoint and agent events are configured, with documented expected latency tied to Microsoft published service targets (rather than a fixed local SLA)
- Monitoring cadence is documented and followed
- Alert response targets met: organization-defined triage and remediation SLAs (e.g., review high-severity alerts within 4 hours, remediate within 24 hours) are documented and tracked
Additional Resources
- Agent insights in SharePoint
- Data access governance reports
- SharePoint Advanced Management overview
- Microsoft Purview Audit overview
- Manage audit log retention policies
- SharePoint Admin agent overview
Updated: June 2026 | Version: v1.6.2 | UI Verification Status: Current