Control 4.8: Item-Level Permission Scanning for Agent Knowledge Sources
Control ID: 4.8
Pillar: SharePoint
Regulatory Reference: GLBA §314.4(c)(3), SEC Rule 17a-4, NIST AI RMF, SR 11-7
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Require item-level permission scanning of all SharePoint libraries connected as knowledge sources to Copilot Studio agents before deployment and on a recurring cadence. This control addresses the amplified data exposure risk that occurs when an AI agent actively retrieves and returns document content to users — making overshared items in knowledge source libraries an active threat rather than a passive risk.
Why This Matters for FSI
- GLBA §314.4(c)(3): Requires access controls limiting access to customer information to authorized users only — AI agents accessing customer data files through knowledge sources must be scoped to prevent unauthorized disclosure
- SEC Rule 17a-4: Electronic records access must be documented and controlled — agent access to broker-dealer records through SharePoint knowledge sources requires audit trail and permission validation
- FFIEC AI/ML Risk Management: Emerging guidance on AI system access to regulated data identifies knowledge source scoping as a key control for managing data exposure through AI retrieval
- NIST AI RMF (GOVERN 1.2, MANAGE 2.2): AI system access controls and risk monitoring require organizations to validate that AI agents access only authorized content at the item level
- NIST SP 800-53 (AC-3, AC-6): Access Enforcement and Least Privilege principles require that file-level permissions in agent knowledge sources align with the agent's intended audience
- SR 11-7 (Model Risk Management): Data governance requirements applicable to AI models using SharePoint as a data source — item-level permissions in knowledge sources must be validated to support model data integrity
Automation Available
Companion automation for this control is available in the FSI-AgentGov-Solutions repository: agent-knowledge-source-scanner (Get-KnowledgeSourceItemPermissions.ps1). This script scans SharePoint libraries connected as agent knowledge sources and reports item-level permission risks.
Control Description
This control establishes mandatory item-level permission scanning for SharePoint libraries connected as knowledge sources to Copilot Studio agents. It addresses a specific and amplified risk: when an AI agent is connected to a SharePoint library, it actively retrieves and returns document content in response to user queries. Item-level oversharing in a knowledge source library is not a passive risk — the agent will surface it.
Quick Reference
| Attribute | Value |
|---|---|
| Control ID | 4.8 |
| Pillar | Pillar 4 — SharePoint |
| Priority | CRITICAL |
| Copilot Agent Risk Level | HIGH |
| Automation | Available (agent-knowledge-source-scanner) |
| Pre-Deployment Gate | Yes — agents must not go to production with CRITICAL items in knowledge sources |
Distinction from Related Controls
| Control | Scope | This Control (4.8) |
|---|---|---|
| 4.1 — IAG/RCD/RSS | Site-level access governance; excludes entire sites from AI grounding | Scans individual files and folders within agent-connected libraries |
| 4.5 — Security Monitoring | Tenant-wide security monitoring and DSPM; site/container-level risk scoring | Goes deeper to individual file and folder permissions within agent-connected libraries |
| 4.6 — Grounding Scope | Controls which sites are indexed for AI grounding via RCD/RSS/DLP | Validates item-level permissions within libraries already approved for grounding |
Microsoft Platform Behavior to Account For
Per current Microsoft Learn guidance (April 2026), Copilot Studio knowledge sources have platform behaviors that materially affect this control's risk model. Organizations should design scanning logic and remediation playbooks with these behaviors in mind:
| Platform Behavior | Implication for Control 4.8 |
|---|---|
| Items labeled Confidential or Highly Confidential are not indexed by Copilot Studio knowledge sources | A correctly labeled file should not be retrieved by the agent. CRITICAL findings most often indicate mislabeling, missing labels, or label removal — not active retrieval. Scan logic should treat unlabeled or under-labeled sensitive content as the dominant exposure path. |
| Agent responses that use SharePoint as a knowledge source are not included in Copilot Studio conversation transcripts | Examination evidence for agent-served content cannot rely on transcript review alone. Item-level scan output and SharePoint audit logs help support SEC Rule 17a-4 record-keeping where agent transcripts are incomplete. |
| SharePoint unstructured-data knowledge source limits: 1,000 files, 50 folders, 10 layers of subfolders, 512 MB per file | A library exceeding these limits may have content that is silently not indexed. Inventory the full library — unindexed items remain a sharing risk and may become indexed if limits change or content is moved. |
| Sensitivity-label sync to SharePoint item metadata can take up to 24 hours | A scan run immediately after labeling or remediation may report stale state. Verification scans should run after the sync window. |
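The limits and the sync window in the table above can be checked against a full library inventory before a scan result is trusted. The following is an added example, not code from the agent-knowledge-source-scanner; the record fields (Path, IsFolder, SizeBytes, LabelChangedUtc), the function name, and the way folder depth is counted are assumptions.

```powershell
# Added example. Field names (Path, IsFolder, SizeBytes, LabelChangedUtc) are hypothetical;
# the limits and the 24-hour sync window are the values stated in the table above.
$Limits     = @{ Files = 1000; Folders = 50; Depth = 10; FileBytes = 512MB }
$SyncWindow = [timespan]::FromHours(24)

function Get-KnowledgeSourceCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,   # one record per file or folder
        [datetime] $ScanTimeUtc = [datetime]::UtcNow
    )
    $files   = @($Inventory | Where-Object { -not $_.IsFolder })
    $folders = @($Inventory | Where-Object { $_.IsFolder })
    # Assumption: depth = folder segments below the library root ("A/B/C" is depth 3)
    $maxDepth = [int]($folders | ForEach-Object { ($_.Path -split '/').Count } |
                      Measure-Object -Maximum).Maximum
    $oversize = @($files | Where-Object { $_.SizeBytes -gt $Limits.FileBytes })
    # Label changes inside the sync window may not be reflected in item metadata yet
    $stale = @($files | Where-Object {
        $_.LabelChangedUtc -and ($ScanTimeUtc - $_.LabelChangedUtc) -lt $SyncWindow })

    [pscustomobject]@{
        FileCount       = $files.Count
        FolderCount     = $folders.Count
        MaxDepth        = $maxDepth
        ExceedsLimits   = $files.Count -gt $Limits.Files -or $folders.Count -gt $Limits.Folders -or
                          $maxDepth -gt $Limits.Depth -or $oversize.Count -gt 0
        OversizeFiles   = $oversize.Path      # may be silently unindexed, still a sharing risk
        RescanAfterSync = $stale.Path         # verify again once the sync window has passed
    }
}

# Constructed inventory: 1,001 small files, one 600 MB file, one file relabeled 2 hours before the scan
$now = [datetime]::UtcNow
$inv = @(
    1..1001 | ForEach-Object {
        [pscustomobject]@{ Path = "Policies/doc$_.docx"; IsFolder = $false; SizeBytes = 40KB; LabelChangedUtc = $null } }
    [pscustomobject]@{ Path = 'Policies'; IsFolder = $true; SizeBytes = 0; LabelChangedUtc = $null }
    [pscustomobject]@{ Path = 'Policies/archive.zip'; IsFolder = $false; SizeBytes = 600MB; LabelChangedUtc = $null }
    [pscustomobject]@{ Path = 'Policies/kyc-notes.docx'; IsFolder = $false; SizeBytes = 90KB; LabelChangedUtc = $now.AddHours(-2) }
)
Get-KnowledgeSourceCoverage -Inventory $inv -ScanTimeUtc $now | Format-List
```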
How Agent Knowledge Sources Amplify Risk
AI agents connected to SharePoint knowledge sources create a fundamentally different risk profile than standard SharePoint access:
| Standard SharePoint Access | Agent Knowledge Source Access |
|---|---|
| User must navigate to the file | Agent proactively retrieves relevant content |
| Overshared content may remain undiscovered | Agent surfaces overshared content in direct response to queries |
| Risk is limited to users who find the file | Risk extends to all users who can interact with the agent |
| Discovery depends on user knowledge of location | Discovery is driven by semantic relevance — any related query may surface content |
Scanning Requirements
Organizations must scan all SharePoint libraries connected as agent knowledge sources at the item level:
- Before agent deployment — pre-deployment gate requirement
- Monthly thereafter — on all agent-connected libraries
- On-demand — when SharePoint Admin alerts on new sharing activity in an agent-connected library
Risk Classification
Scan output classifies items by risk level based on sensitivity labels and permission scope:
| Risk Level | Criteria | Required Action | SLA |
|---|---|---|---|
| CRITICAL | Confidential/Highly Confidential items accessible outside agent user group | Disconnect agent knowledge source OR restrict item permissions before re-enabling | 4 hours |
| HIGH | Items with Anyone links or external user access | Remove Anyone links and external user access; log evidence | 24 hours |
| MEDIUM | Items shared with broad internal groups (e.g., EEEU) beyond agent audience | Review and restrict to agent user group | 5 business days |
| LOW | Items with appropriate permissions aligned to agent audience | Document in scan report; no action required | Next scheduled review |
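The classification table and the pre-deployment gate can be expressed as a small rule set evaluated in order of severity. This is an added example, not the logic of Get-KnowledgeSourceItemPermissions.ps1; the record fields, the group name sg-wealth-advisors, the LabelReview flag, and the treatment of any non-audience internal principal as MEDIUM are assumptions.

```powershell
# Added example. Record fields and group names are hypothetical, not the scanner's output schema.
$AgentAudience   = @('sg-wealth-advisors')   # constructed agent user group
$SensitiveLabels = @('Confidential', 'Highly Confidential')
$Sla = @{ CRITICAL = '4 hours'; HIGH = '24 hours'; MEDIUM = '5 business days'; LOW = 'Next scheduled review' }

function Get-ItemRisk {
    param([Parameter(Mandatory)] $Item)
    # Principals on the item that are not part of the agent's intended audience
    $outside = @($Item.Principals | Where-Object { $_ -notin $AgentAudience })
    $linkOrExternal = $Item.HasAnyoneLink -or $Item.HasExternalUser
    $beyondAudience = $linkOrExternal -or $outside.Count -gt 0

    # Highest applicable level wins, so a Confidential file with an Anyone link is CRITICAL
    if ($Item.Label -in $SensitiveLabels -and $beyondAudience) { return 'CRITICAL' }
    if ($linkOrExternal)      { return 'HIGH' }
    # Assumption: any internal principal outside the audience (EEEU included) counts as MEDIUM
    if ($outside.Count -gt 0) { return 'MEDIUM' }
    return 'LOW'
}

function Test-DeploymentGate {
    param([Parameter(Mandatory)] [object[]] $Items)
    $findings = foreach ($i in $Items) {
        $risk = Get-ItemRisk -Item $i
        [pscustomobject]@{
            Path = $i.Path; Risk = $risk; SLA = $Sla[$risk]
            # Unlabeled and exposed: candidate for mislabeling review (added convention)
            LabelReview = ((-not $i.Label) -and ($risk -ne 'LOW'))
        }
    }
    # Gate rule from this control: no CRITICAL items may remain in the library
    [pscustomobject]@{ Deployable = -not ($findings.Risk -contains 'CRITICAL'); Findings = $findings }
}

# Constructed scan records, one per risk level
$scan = @(
    [pscustomobject]@{ Path = 'Clients/statements-2025.xlsx'; Label = 'Confidential'; HasAnyoneLink = $false; HasExternalUser = $false
                       Principals = @('sg-wealth-advisors', 'Everyone except external users') }
    [pscustomobject]@{ Path = 'Clients/onboarding-notes.docx'; Label = $null; HasAnyoneLink = $true; HasExternalUser = $false
                       Principals = @('sg-wealth-advisors') }
    [pscustomobject]@{ Path = 'Guides/fee-schedule.pdf'; Label = 'General'; HasAnyoneLink = $false; HasExternalUser = $false
                       Principals = @('Everyone except external users') }
    [pscustomobject]@{ Path = 'Guides/product-faq.docx'; Label = 'General'; HasAnyoneLink = $false; HasExternalUser = $false
                       Principals = @('sg-wealth-advisors') }
)
$gate = Test-DeploymentGate -Items $scan
$gate.Findings | Format-Table -AutoSize
if (-not $gate.Deployable) { Write-Warning 'Gate failed: CRITICAL items present in knowledge source library' }
```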
Key Configuration Points
- Identify all SharePoint libraries connected to each deployed Copilot Studio agent (from agent definition or via agent-knowledge-source-scanner site-level output)
- Run Get-KnowledgeSourceItemPermissions.ps1 against each identified library before agent deployment
- Configure config/item-scope-config.json to match organizational sensitivity label taxonomy
- Establish CRITICAL/HIGH item remediation workflow with defined SLAs (4 hours / 24 hours)
- Configure pre-deployment gate: agents must not go to production if CRITICAL items exist in knowledge source libraries
- Schedule monthly recurring scans on all agent-connected libraries
- Feed item-level scan output into compliance-dashboard for unified governance view
- Retain item-level scan output for 7 years to support regulatory examination response
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Recommended item-level scan before deployment; quarterly recurring scan; document scan results | Personal agents have limited audience but still retrieve content actively |
| Zone 2 (Team) | Required item-level scan before deployment; monthly recurring scan; remediate HIGH and CRITICAL within SLA | Team agents share content across groups; oversharing risk scales with audience |
| Zone 3 (Enterprise) | Mandatory pre-deployment gate; monthly recurring scan; all CRITICAL items block deployment; integration with compliance dashboard; full evidence retention | Enterprise agents have broadest audience and highest regulatory exposure |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| AI Governance Lead | Define scanning policy, review scan results, enforce pre-deployment gate, approve remediation actions |
| SharePoint Admin | Execute item-level scans, configure scan scope, remediate permission findings |
| CISO | Accountable for overall agent data protection posture; approve risk acceptance for deferred remediation |
| Compliance Officer | Review scan evidence for regulatory examination readiness; validate 7-year retention compliance |
| Agent Owner | Informed of scan results affecting their agents; provide business context for remediation prioritization |
Related Controls
| Control | Relationship |
|---|---|
| 4.1 - Information Access Governance | Prerequisite: RAC/RCD/RSS must be configured before item-level scanning adds meaningful value |
| 4.2 - Site Access Reviews | Complementary: site-level access reviews identify broad permission issues; item-level scanning validates individual file permissions |
| 4.5 - Security & Compliance Monitoring | Prerequisite: DSPM must be enabled for container-level risk scoring; item-level scanning extends coverage to individual files |
| 4.6 - Grounding Scope Governance | Complementary: grounding scope controls which sites are indexed; item-level scanning validates permissions within indexed sites |
| 4.7 - M365 Copilot Data Governance | Complementary: M365 Copilot governance addresses broad Copilot data access; this control targets Copilot Studio agent knowledge sources specifically |
| 1.3 - SharePoint Content Governance | Foundation: base SharePoint permission model; item-level scanning validates permissions in agent-connected libraries |
| 1.5 - DLP and Sensitivity Labels | Complementary: sensitivity labels inform risk classification; DLP policies enforce content protection |
| 1.6 - DSPM for AI | Complementary: DSPM provides tenant-wide AI risk posture; item-level scanning provides targeted knowledge source assessment |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- All SharePoint libraries connected as agent knowledge sources are identified and documented
- Item-level permission scan has been executed against every agent knowledge source library
- CRITICAL risk items (Confidential/Highly Confidential with oversharing) are identified and remediated or agent is disconnected within 4-hour SLA
- HIGH risk items (Anyone links, external access) are remediated within 24-hour SLA
- Pre-deployment gate is enforced: no agent deploys to production with CRITICAL items in knowledge sources
- Monthly recurring scan schedule is configured and executing
- Scan output CSV is retained for 7 years with compliance evidence chain
- config/item-scope-config.json matches organizational sensitivity label taxonomy
- Scan results are integrated into compliance dashboard for unified governance view
- Remediation actions are logged with evidence for regulatory examination response
Additional Resources
- Microsoft Copilot Studio knowledge sources
- Copilot Studio SharePoint knowledge source
- Copilot Studio requirements and quotas (SharePoint limits)
- SharePoint item-level permissions
- Microsoft Purview DSPM for AI
- NIST AI Risk Management Framework
- FFIEC IT Examination Handbook
- FSI-AgentGov-Solutions: agent-knowledge-source-scanner
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current