Pillar 4: SharePoint Controls

Govern content access, site lifecycle, and external sharing within SharePoint as a knowledge source for AI agents.

Overview

Pillar 4 addresses SharePoint-specific governance requirements when SharePoint serves as a knowledge source for Microsoft 365 Copilot and Copilot Studio agents. These 5 controls ensure that agents only access authorized content, site permissions are regularly reviewed, retention policies are enforced, and external sharing is appropriately restricted—critical for preventing unauthorized disclosure of sensitive financial information.

Primary Regulatory Alignment: GLBA 501(b) (safeguards), SEC 17a-4 (records retention), FINRA 4511 (recordkeeping)

Key Considerations:

  • Information Access Governance (IAG): Control which SharePoint sites and content agents can access
  • Oversharing Prevention: Prevent agents from surfacing content users shouldn't see
  • External Sharing: Restrict agent access to externally shared content
  • Retention Compliance: Ensure SharePoint content meets regulatory retention requirements

Controls