Control 4.6: Grounding Scope Governance
Control ID: 4.6
Pillar: SharePoint
Regulatory Reference: SEC 17a-3/4, GLBA 501(b), FINRA 4511, FINRA 25-07, SOX 302/404, OCC 2011-12
Last UI Verified: March 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Govern which SharePoint content is included in the Microsoft 365 Semantic Index for AI agent grounding. This control restricts agent access to authorized content and helps prevent inadvertent exposure of draft documents, archived materials, or content not intended for AI consumption.
Why This Matters for FSI
- SEC 17a-3/4: Helps restrict agent access to finalized records, not draft or incomplete documents
- GLBA 501(b): Controls agent data access scope to protect customer information
- FINRA 4511, FINRA 25-07: Helps prevent agents from citing draft or unverified documents in responses
- SOX 302/404: Documents data governance decisions as part of internal controls
- OCC 2011-12: Supports agent grounding on accurate, quality-controlled data
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control establishes policies for controlling which SharePoint content is indexed and available for AI agent grounding through the Microsoft 365 Semantic Index.
| Capability | Description |
|---|---|
| Site Exclusion | Exclude entire SharePoint sites from Semantic Index via Restricted Content Discovery |
| Content Type Filtering | Exclude Draft, Archived, or Personal content categories |
| CopilotReady Tagging | Positive governance with explicit approval for indexing |
| Metadata-Based Rules | Use site metadata to control index inclusion |
| Restricted Search | Positive governance with allowed site list for AI grounding (up to 100 sites) |
| Audit and Monitoring | Track what content is indexed and accessed |
Restricted SharePoint Search (RSS)
GA Feature — short-term remediation control, not a security boundary
Restricted SharePoint Search is generally available for Microsoft 365 Copilot customers. Microsoft positions RSS as a short-term measure to limit overshare exposure during a permission-remediation window — not as a long-term Zone 3 governance posture. Use it as a stop-gap while you remediate site permissions, sensitivity labeling, and DLP coverage. Configure via Set-SPOTenantRestrictedSearchMode, Add-SPOTenantRestrictedSearchAllowedListSites, and Get-SPOTenantRestrictedSearchAllowedList (verify exact cmdlet names with Get-Command -Module Microsoft.Online.SharePoint.PowerShell -Name *RestrictedSearch* against the latest SPO Management Shell).
SAM Licensing Included with Copilot
SharePoint Advanced Management (SAM) features used in this control (RCD, Restricted SharePoint Search, Data Access Governance reports) are included with Microsoft 365 Copilot licenses, and SAM is also available as a standalone purchase. The only SAM feature requiring a separate add-on is Restricted Site Creation.
Restricted SharePoint Search (RSS) implements an allowed-list model for SharePoint sites surfaced to tenant-wide search and Copilot — up to 100 sites maximum. Unlike Restricted Content Discovery (RCD) which excludes specific sites, RSS scopes the tenant search corpus to approved sites only.
Restricted SharePoint Search vs. Restricted Content Discovery
| Approach | Model | Scope | Use Case |
|---|---|---|---|
| Restricted Content Discovery (RCD) | Exclusion list (block specific sites) | Unlimited exclusions | Surgically exclude high-risk sites |
| Restricted SharePoint Search (RSS) | Allowed list (permit specific sites only) | Up to 100 sites | Short-term overshare remediation while permissions are cleaned up |
For FSI organizations, do not treat RSS as the long-term Zone 3 control. Use it during a remediation window and transition to the layered model: SharePoint permissions hygiene + sensitivity labels + DLP + Purview DSPM for AI + RCD on highest-risk sites.
What RSS actually does (and does not do)
When RSS is enabled, the allowed list scopes which SharePoint sites surface in tenant-wide search and in Copilot Business Chat / agentic experiences as the primary corpus.
RSS is NOT a security boundary
Per Microsoft's product guidance, RSS does not change SharePoint permissions and does not guarantee that only allowed-list sites appear in Copilot results. Even with RSS enabled, Copilot can surface content from sites that are NOT on the allowed list when:
- The user recently accessed the site or its files
- The site or file was shared with the user in Teams or Outlook
- The user owns the content
This recent-interaction / sharing / ownership carve-out is the single most important caveat for FSI compliance officers. Do not represent RSS to auditors as enforcing record-isolation under SEC 17a-4 or FINRA 4511.
| Agent Type | Effect of RSS | Configuration |
|---|---|---|
| M365 Copilot | Allowed-list scopes the primary corpus (subject to the recent-interaction carve-out above) | SharePoint Admin Center / Set-SPOTenantRestrictedSearchMode |
| Copilot Studio (SharePoint knowledge) | Inherits tenant RSS setting (subject to the same carve-out) | Inherits tenant setting |
| Agent Builder declarative agents | Allowed-list scopes the primary corpus (subject to the same carve-out) | SharePoint Admin Center |
Key implications:
- The 100-site limit forces curation of high-value, approved content
- RSS is complementary to — not a substitute for — DLP policies, sensitivity labels, and SharePoint permissions
- Plan an RSS exit strategy: enable to limit overshare during remediation, then disable once the layered controls are in place
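The allowed-list curation described above, as an added example (not code from the framework or from Microsoft docs); it assumes an active Connect-SPOService session in the SharePoint Online Management Shell, and the cmdlet names follow current Microsoft Learn documentation, so re-verify them with Get-Command as the control text advises. The site URLs are constructed placeholders.

```powershell
# Added example: RSS allowed-list management with a hard guard on the 100-site cap.
# Assumes Connect-SPOService has already been run by a SharePoint Admin.
$RssSiteCap = 100   # product limit stated in this control

# Constructed nomination list: only sites that passed compliance review belong here.
$ApprovedSites = @(
    'https://contoso.sharepoint.com/sites/policies-final',
    'https://contoso.sharepoint.com/sites/fsi-regulatory-library'
)

function Get-RssCapacity {
    # Returns the sites currently on the allowed list and how many slots remain.
    $current = @(Get-SPOTenantRestrictedSearchAllowedList |
                 ForEach-Object { $_.ToString().TrimEnd('/') })
    [pscustomobject]@{
        InUse     = $current.Count
        Remaining = $RssSiteCap - $current.Count
        Sites     = $current
    }
}

function Add-ApprovedRssSites {
    param([string[]] $Sites)
    $cap = Get-RssCapacity
    # Normalise and skip anything already listed so re-runs are idempotent.
    $existing = $cap.Sites | ForEach-Object { $_.ToLowerInvariant() }
    $new = @($Sites | ForEach-Object { $_.TrimEnd('/') } |
             Where-Object { $existing -notcontains $_.ToLowerInvariant() })
    if ($new.Count -eq 0) { Write-Host 'Nothing to add.'; return }
    if ($new.Count -gt $cap.Remaining) {
        throw "Adding $($new.Count) site(s) would exceed the $RssSiteCap-site cap " +
              "($($cap.Remaining) slot(s) left). Send the nominations back for review."
    }
    # -SitesList is the documented parameter name; verify against your module version.
    Add-SPOTenantRestrictedSearchAllowedList -SitesList $new
    Write-Host "Added $($new.Count) site(s); $($cap.Remaining - $new.Count) slot(s) remain."
}

# 1. Enable RSS for the remediation window, then load the approved list.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-ApprovedRssSites -Sites $ApprovedSites

# 2. Record the resulting state for the control evidence file.
Get-SPOTenantRestrictedSearchMode
Get-RssCapacity | Select-Object InUse, Remaining

# 3. Exit strategy: once permissions, labels and DLP are in place, turn RSS off.
# Set-SPOTenantRestrictedSearchMode -Mode Disabled
```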
RCD License Prerequisite
Restricted Content Discovery (RCD) requires the tenant to have access to SharePoint Advanced Management (SAM). This is satisfied by either (a) at least one user assigned a Microsoft 365 Copilot license, or (b) a standalone SharePoint Advanced Management license. The administrator running configuration cmdlets must hold the SharePoint Admin role. Verify license posture before enablement: see RCD licensing and SAM overview.
Sovereign Cloud and Preview Notice
Restricted Content Discovery, Restricted SharePoint Search, and SharePoint Advanced Management roll out to GCC, GCC High, and DoD on a delayed cadence vs. commercial. Verify feature availability via the Microsoft 365 Roadmap and tenant Message Center for your cloud before committing to a control posture. The Copilot Studio connector payload limit in GCC is 450 KB (vs. 5 MB in commercial), which constrains DLP/connector policy design for grounding-related flows.
SharePoint Restricted Search (RSS) implements a positive governance model for controlling which content AI agents can access for grounding. Unlike Restricted Content Discovery (RCD) which excludes specific sites, Restricted Search allows ONLY approved sites — up to 100 maximum.
100-Site Allowed List Governance
Restricted Search enforces a maximum of 100 SharePoint sites in the allowed list. Organizations must establish a governance process for managing this limited capacity:
Site Selection Criteria:
| Criterion | Zone 3 Guidance | Rationale |
|---|---|---|
| Content ownership | Clearly identified content owner | Accountability |
| Sensitivity labeling | All content labeled | Data classification |
| Access review | Quarterly access review completed | Permission hygiene |
| Content currency | Content updated within 12 months | Data quality |
| Regulatory clearance | Compliance officer approved for AI access | Regulatory alignment |
Governance Process:
- Site nomination — Content owners nominate sites with business justification
- Compliance review — Compliance officer verifies regulatory suitability
- Security assessment — Security team confirms labeling and access controls
- Approval workflow — AI Governance Lead approves addition to allowed list
- Quarterly review — Reassess all 100 sites for continued relevance
Organizations approaching the 100-site limit should prioritize authoritative, frequently accessed, compliance-approved content sources.
Prepare Now: Restricted Search Readiness
Organizations can prepare for Restricted Search implementation today:
- Audit current SharePoint site inventory for AI-relevant content
- Identify candidate sites for the 100-site allowed list based on selection criteria
- Review sensitivity labeling coverage on candidate sites (ensure all content labeled)
- Establish site nomination and approval workflow with documented decision criteria
- Document current search scopes and Copilot grounding behavior (baseline)
- Train SharePoint admins on Restricted Search configuration and PowerShell cmdlets
Regulatory Mapping: Restricted SharePoint Search helps support SEC 17a-3/4 (limiting which records AI agents primarily surface), GLBA 501(b) (narrowing the AI agent data surface area), FINRA 4511 and FINRA Regulatory Notice 25-07 (helping limit agent citations to approved, finalized documents — subject to the recent-interaction carve-out documented above), and OCC 2011-12 (data quality for AI-grounded responses). RSS alone does not constitute a record-isolation boundary.
Key Configuration Points
- RCD prerequisite: Confirm SAM access via Copilot license assignment (≥ 1 user) or standalone SAM license before enabling RCD
- Enable Restricted Content Discovery (RCD) on sensitive sites
- Use Restricted SharePoint Search (RSS) as a short-term overshare-remediation control during permission cleanup; do not represent it as a long-term security boundary
- Exclude sites with "draft", "archive", or "test" in the URL where business risk warrants
- RCD cannot be applied to OneDrive sites; personal OneDrive remains accessible to that user's own Copilot experiences
- Implement CopilotReady metadata for positive governance (explicit opt-in) where the firm has tooling to enforce it
- Document grounding scope decisions for compliance
- Establish quarterly review process for grounding scope
RCD Scope Clarification
Restricted Content Discovery (RCD) affects tenant-wide search (SharePoint home, Office.com, Bing) and Microsoft 365 Copilot Discovery scenarios (including Business Chat). RCD does NOT affect: (a) data-in-use Copilot experiences such as "summarize this document" in Word/PowerPoint, (b) site-context search, (c) Microsoft 365 Feed and Recommendations, or (d) Purview eDiscovery and autolabeling. For data-in-use protection, combine RCD with permissions, sensitivity labels, and DLP (see Control 1.5).
Avoid Overuse of RCD
Microsoft advises against applying RCD to more sites than necessary. Excessive use degrades search quality and Copilot effectiveness across the tenant. Use RCD surgically for highly sensitive sites and rely on permissions-based access controls as the primary governance mechanism.
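A surgical RCD enablement with read-back verification, as an added example (not code from the framework or from Microsoft docs). It assumes the SharePoint Online Management Shell, an active Connect-SPOService session held by a SharePoint Admin, and SAM access; the site list and the overuse threshold are constructed placeholders, not product limits.

```powershell
# Added example: enable RCD on a short nominated list, guard against overuse,
# and verify the flag actually took effect before recording evidence.
# Constructed nominations: highest-risk sites only.
$RcdNominations = @(
    'https://contoso.sharepoint.com/sites/ma-deal-room',
    'https://contoso.sharepoint.com/sites/hr-investigations'
)
# Illustrative governance threshold (not a product limit): RCD should stay
# surgical because broad use degrades tenant search and Copilot quality.
$RcdMaxSites = 25

function Set-SiteRcd {
    param([string] $Url, [bool] $Enabled = $true)
    # Get-SPOSite -Identity throws if the site does not exist, which is the
    # behaviour we want: a typo must not silently become a no-op.
    $null = Get-SPOSite -Identity $Url
    Set-SPOSite -Identity $Url -RestrictContentOrgWideSearch $Enabled
    # Read the value back rather than trusting the call: without SAM access
    # the setting can remain unchanged without an obvious error.
    $after = (Get-SPOSite -Identity $Url).RestrictContentOrgWideSearch
    [pscustomobject]@{
        Url       = $Url
        Requested = $Enabled
        Effective = $after
        Verified  = ($after -eq $Enabled)
    }
}

if ($RcdNominations.Count -gt $RcdMaxSites) {
    throw "RCD nomination list has $($RcdNominations.Count) sites (> $RcdMaxSites). " +
          "Prefer permissions-based controls; re-check the nominations."
}

$results = foreach ($url in $RcdNominations) { Set-SiteRcd -Url $url -Enabled $true }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Verified })
if ($failed.Count -gt 0) {
    Write-Warning "RCD not effective on $($failed.Count) site(s); confirm SAM licensing and the SharePoint Admin role."
}

# Evidence: the tenant-wide RCD report is asynchronous. Start it now and
# collect it later with Get-SPORestrictedContentDiscoverabilityReport.
Start-SPORestrictedContentDiscoverabilityReport
```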
Technical Implementation Notes
DLP Policy Enforcement for Knowledge Sources
Power Platform DLP policies can govern Copilot Studio knowledge sources via the connector(s) that surface SharePoint and OneDrive grounding. This enables policy-based control over which SharePoint sites agents can use for grounding.
Connector Naming — Verify in PPAC Before Authoring Policy
Connector naming for Copilot Studio knowledge sources has changed across H2-2025 / H1-2026. In PPAC > Data policies > Add connectors, search for "Copilot Studio" and select the connector(s) governing SharePoint/OneDrive knowledge sources for your tenant. Confirm the exact connector identifier before authoring the policy. If your tenant does not show a knowledge-source-specific connector, fall back to the connector classification reference: Power Platform DLP connector classification.
Configuration Steps:
- Power Platform Admin Center > Data Policies > Create new policy
- Add the verified Copilot Studio knowledge-source connector(s) for SharePoint and OneDrive
- Configure endpoint filtering to allow or deny specific SharePoint site URLs
- Apply policy to target environments and confirm enforcement at maker time
Note: DLP enforcement must be enabled at the environment level. Makers typically receive feedback when attempting to add blocked knowledge sources, but enforcement messaging in Copilot Studio has shown latency historically; verify in your tenant.
Endpoint Filtering
Endpoint filtering allows granular control over specific SharePoint URLs:
- Allowlist: Only specified SharePoint sites can be used as knowledge sources
- Blocklist: Specific sites (HR, Legal, M&A) are blocked from agent access
- Pattern Matching: Use wildcards to allow/block site collections (e.g., contoso.sharepoint.com/sites/hr-*)
Technical Limits for Copilot Studio Knowledge Sources
Limits below are extracted from the Microsoft Learn Copilot Studio quotas reference. Re-verify before large-scale deployment, as Microsoft updates this page frequently.
| Limit | Value |
|---|---|
| File upload size (file knowledge source) | 512 MB |
| Files uploaded (file knowledge source) | 500 — does NOT apply to SharePoint as a knowledge source |
| SharePoint file size (with Copilot license + Tenant graph grounding) | Up to 200 MB |
| SharePoint file size (without Copilot license in same tenant) | Generative answers limited to files under 7 MB |
| Connector payload (commercial cloud) | 5 MB |
| Connector payload (GCC) | 450 KB |
| Skills per agent | 100 |
| Topics per agent (Dataverse env) | 1,000 |
| Trigger phrases per topic | 200 |
For folder/depth/batch/source-count limits, sync frequencies, and any limit not listed above, verify directly against the Learn quotas page for your cloud and tenant configuration.
Sovereign Cloud Considerations
Verify the following before deploying in GCC, GCC High, or DoD tenants:
- Copilot Studio connector payload limit: 450 KB in GCC (vs. 5 MB in commercial). This constrains DLP/connector policy design.
- RCD, RSS, and SAM availability: Rollout in gov clouds typically lags commercial. Verify feature availability via the Microsoft 365 Roadmap and tenant Message Center before committing to a control posture.
- Microsoft 365 Copilot availability in gov clouds: Subject to separate regulatory and contractual constraints; confirm with the Microsoft Federal account team for GCC High / DoD scenarios.
- PowerShell endpoints: Use `Connect-SPOService -Region` for ITAR/Germany variants; `Connect-PnPOnline -AzureEnvironment USGovernment | USGovernmentHigh | USGovernmentDoD`; Microsoft.PowerApps.Administration with `-Endpoint usgov | usgovhigh | dod`.
Grounding-Leak Incident Handling
When agent grounding surfaces content to an unauthorized user (out-of-scope SharePoint site, mis-scoped knowledge source, RSS allowed-list error, or RCD silently having no effect because the license prerequisite was not met), treat it as a reportable event:
| Trigger | Reporting obligation |
|---|---|
| Nonpublic Information disclosed to unauthorized internal/external user | NY DFS Part 500 §500.17(a) — 72-hour Cybersecurity Event notification (regulated entities) |
| Customer financial information disclosed | SEC Regulation S-P §248.30(a)(4) — customer notification per amended notification rules |
| Disclosure involving registered representatives or member firm activities | FINRA Rule 4530(b) — quarterly reporting; FINRA Regulatory Notice 25-07 oversight |
| Audit-relevant grounding-scope change | SEC 17a-4 / SOX 302/404 — preserve evidence per retention policy |
Wire grounding-scope alerts into the audit and incident pipeline (see Control 1.7 — Comprehensive Audit Logging and the AI Incident Response Playbook).
Supported Content Types
- Modern SharePoint pages (classic ASPX pages are NOT indexed for Copilot grounding)
- File types: DOC/DOCX, PPT/PPTX, PDF, XLS/XLSX
- Sensitivity labels alone do not exclude content from the search index. Use Purview DSPM for AI policies (or label-based "exclude from Copilot processing" rules) to gate Copilot use of labeled content
- Password-protected documents cannot be indexed
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Personal OneDrive excluded by default; document personal site policy | Personal agents access only individual user content |
| Zone 2 (Team) | Exclude draft/archive sites; implement CopilotReady tagging; monthly review | Team agents need controlled access to shared content |
| Zone 3 (Enterprise) | Explicit approval required for indexing; sensitivity label integration; quarterly attestation | Enterprise agents require strictest content governance |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure site exclusions via RCD |
| AI Governance Lead | Define grounding scope policy and approve changes |
| Compliance Officer | Review regulatory requirements for content access |
| Content Owners | Certify sites as CopilotReady |
Related Controls
| Control | Relationship |
|---|---|
| 4.1 - Information Access Governance | Complementary: RCD excludes sites, Restricted Search allows sites |
| 1.5 - DLP and Sensitivity Labels | Content classification for grounding decisions |
| 1.14 - Data Minimization | Scope control principles |
| 2.16 - RAG Source Integrity | Knowledge source approval |
| 4.8 - Item-Level Permission Scanning | Item-level permission validation within grounding-approved libraries |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- SAM access is in place via either ≥ 1 Copilot license assignment OR a standalone SAM license; SharePoint Admin role assigned to operators
- Site inventory is completed with Copilot exclusion status documented
- `Get-SPOSite -Identity <url> | Select RestrictContentOrgWideSearch` returns `True` for each intended RCD-protected site
- `Start-SPORestrictedContentDiscoverabilityReport` evidence is captured and retained per retention policy
- Audit-log events for RCD enable/disable and RSS allowed-list changes are captured in the SIEM/UAL pipeline
- Power Platform DLP enforcement validated at the environment scope: maker attempt to add a blocked SharePoint URL as a Copilot Studio knowledge source is rejected
- Negative test executed: a user with recent interaction on a now-restricted site verifies the carve-out is observed and operationally understood (RSS not represented as record-isolation)
- Copilot query against an RCD-excluded site does not return content in tenant-wide search / Business Chat; query against an approved site returns content appropriately
- GCC tenants additionally verify the 450 KB connector payload limit in any DLP-affected flows
- Quarterly review process is established and documented; allowed-list nominations have separation-of-duties between content owner, compliance, security, and AI Governance Lead
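A quarterly attestation script that turns the RCD and RSS verification points above into pass/fail evidence, as an added example (not code from the framework or from Microsoft docs). It assumes an active Connect-SPOService session in the SharePoint Online Management Shell; the evidence path and the expected-site registers are constructed placeholders that would normally come from the approved nomination records.

```powershell
# Added example: collect grounding-scope evidence for the control file.
$EvidenceDir      = 'C:\Evidence\Control-4.6'          # placeholder path
$Stamp            = Get-Date -Format 'yyyyMMdd-HHmmss'
$ExpectedRcdSites = @('https://contoso.sharepoint.com/sites/ma-deal-room')       # constructed
$ExpectedRssSites = @('https://contoso.sharepoint.com/sites/policies-final')     # constructed
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

function Test-GroundingScope {
    # Returns one row per check; Pass=$false rows become findings.
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Pass, $Detail)
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # 1. RCD must be effective on every site the register says is protected.
    foreach ($url in $ExpectedRcdSites) {
        $flag = (Get-SPOSite -Identity $url).RestrictContentOrgWideSearch
        & $add "RCD effective: $url" ($flag -eq $true) "RestrictContentOrgWideSearch=$flag"
    }

    # 2. RSS mode is recorded (enabled only during a remediation window).
    $mode = Get-SPOTenantRestrictedSearchMode
    & $add 'RSS mode recorded' $true "$mode"

    # 3. Allowed list: within the 100-site cap and identical to the approved register.
    $allowed = @(Get-SPOTenantRestrictedSearchAllowedList |
                 ForEach-Object { $_.ToString().TrimEnd('/').ToLowerInvariant() })
    $expected = @($ExpectedRssSites | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() })
    & $add 'RSS allowed-list within 100-site cap' ($allowed.Count -le 100) "count=$($allowed.Count)"
    $unapproved = @($allowed  | Where-Object { $expected -notcontains $_ })
    $missing    = @($expected | Where-Object { $allowed  -notcontains $_ })
    & $add 'RSS allowed-list has no unapproved sites' ($unapproved.Count -eq 0) ($unapproved -join ';')
    & $add 'RSS allowed-list contains all approved sites' ($missing.Count -eq 0) ($missing -join ';')

    $findings
}

$report = Test-GroundingScope
$report | Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir "grounding-scope-$Stamp.csv")
$report | Format-Table -AutoSize

$failures = @($report | Where-Object { -not $_.Pass })
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) grounding-scope check(s) failed; raise a finding and retain the CSV."
}
```

Pair the CSV with the asynchronous RCD report (Get-SPORestrictedContentDiscoverabilityReport) and the SIEM/UAL extract for the same period to complete the evidence set.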
Additional Resources
- Microsoft 365 Copilot data, privacy, and security
- Restrict Discovery of SharePoint Sites and Content
- Microsoft Learn: Restricted SharePoint Search
- Data Access Governance Reports
- SharePoint Advanced Management overview
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current (AI Council Review 9)