
Control 1.15: SharePoint Permissions Drift Detection

Control ID: 1.15
Pillar: Readiness & Assessment
Regulatory Reference: GLBA §314.4(c), SEC Rule 17a-4, SEC Rule 17a-4(f), FFIEC IT Handbook (Access Controls, Change Management), NIST SP 800-53 (CM-3, SI-7, AC-6)
Last Verified: 2026-03-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Detect and remediate permissions drift from established baselines in SharePoint Online environments before and during Microsoft 365 Copilot deployment. Permissions drift — the gradual, often unnoticed expansion of access rights over time — creates a growing attack surface that Copilot amplifies by making all accessible content instantly discoverable through natural language queries. This control establishes baseline permission snapshots and continuous monitoring to identify unauthorized or unintended permission changes that could expand Copilot's data surface beyond approved boundaries.


Why This Matters for FSI

  • GLBA §314.4(c): Requires financial institutions to detect and respond to unauthorized access to customer information. Permissions drift creates gradual access expansion that may go undetected by periodic audits but becomes immediately exploitable by Copilot.
  • SEC Rule 17a-4: Records access controls must be verifiable. Baseline/drift comparison provides auditable evidence of permission state over time, supporting access accountability.
  • SEC Rule 17a-4(f): Requires that electronic records systems maintain integrity and prevent unauthorized alteration. Permissions drift monitoring extends this integrity concept to access control configurations.
  • FFIEC IT Handbook (Access Controls): Expects institutions to monitor access controls for unauthorized changes. Drift detection automates this monitoring requirement.
  • FFIEC IT Handbook (Change Management): Expects formal change control for IT configuration changes. Permissions changes outside approved change windows represent unauthorized configuration drift.
  • NIST SP 800-53 CM-3: Configuration change control requires monitoring systems for unauthorized configuration changes. Permissions are a critical configuration element.
  • NIST SP 800-53 SI-7: Software, firmware, and information integrity extends to ensuring permission configurations haven't been altered from approved baselines.
  • NIST SP 800-53 AC-6: Least privilege requires ongoing verification that access rights haven't expanded beyond what's authorized.
  • SOX 302/404: Changes to access controls on financial systems and documents must be tracked and authorized. Drift detection supports this continuous monitoring obligation.

Control Description

Understanding Permissions Drift

Permissions drift is the gradual, often unintended expansion of access permissions over time through:

| Drift Type | Description | Copilot Impact |
| --- | --- | --- |
| Organic drift | Users added to groups, sharing links created, permissions granted for ad-hoc collaboration that are never revoked | Copilot's grounding scope expands silently as more users gain access to more content |
| Administrative drift | IT or site administrators making permission changes outside the change management process | Authorized but untracked changes create gaps between documented and actual access |
| Inherited drift | Changes to parent site/library permissions propagating to child items | A single parent-level change can dramatically expand Copilot access across thousands of items |
| Group membership drift | Security group membership changes that indirectly expand SharePoint access | Adding users to groups grants SharePoint access without any SharePoint-specific audit trail |
| Lifecycle drift | Permissions accumulated through role changes, project assignments, and team transfers without corresponding removal | Users accumulate access over their tenure, creating a broad Copilot grounding scope |

Why Periodic Audits Are Not Sufficient

| Approach | Detection Latency | Copilot Risk |
| --- | --- | --- |
| Annual access review | Up to 12 months | Copilot can surface drifted content for an entire year before detection |
| Quarterly permission audit | Up to 3 months | Still leaves a significant window of undetected access expansion |
| Continuous drift detection (this control) | Hours to days | Minimizes the window during which drifted permissions can be exploited by Copilot |

Drift Detection Approach

  1. Baseline Establishment: Capture a comprehensive snapshot of SharePoint permissions across all in-scope sites using New-PermissionsBaseline.ps1 (FSI-CopilotGov-Solutions Solution 17). The baseline records:
     • Site collection permissions (owners, members, visitors)
     • Library and list-level permissions
     • Uniquely permissioned items (from Control 1.14 if deployed)
     • Sharing links (types and targets)
     • Security group memberships relevant to SharePoint access
     • Timestamp and approval reference for baseline capture

  2. Drift Scanning: Schedule Invoke-DriftScan.ps1 to compare current permissions against the established baseline, detecting:
     • New users or groups added to sites
     • Permission level changes (e.g., from Read to Edit)
     • New sharing links created
     • Broken inheritance (new uniquely permissioned items)
     • Removed restrictions (permissions broadened)
     • Group membership changes affecting SharePoint access

  3. Drift Classification: Categorize detected drift by severity:

     | Severity | Criteria | Response SLA |
     | --- | --- | --- |
     | CRITICAL | "Everyone" or "EEEU" added to any site; permissions changed on MNPI/NPI sites | 4 hours |
     | HIGH | New sharing links on Confidential content; significant group membership expansion | 24 hours |
     | MEDIUM | New users added to sites with sensitive content; permission level upgrades | 5 business days |
     | LOW | Minor group changes; permissions on non-sensitive sites | Next scheduled review |

  4. Auto-Revert Policy: Configure auto-revert-policy.json with approval gates:
     • CRITICAL drift: Auto-revert with immediate notification to CISO and site owner (post-revert approval)
     • HIGH drift: Alert with 24-hour revert countdown (approval gate to cancel revert)
     • MEDIUM drift: Alert only, manual remediation required
     • LOW drift: Logged and reported in next scheduled review
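The four steps above, worked through as an added PowerShell example. This is not Solution 17's own Invoke-DriftScan.ps1 or its baseline format: the snapshot layout (Principals, SharingLinks, Groups, UniquePermissionItems per site), the site URLs, principal names, link ids and the in-script stand-in for auto-revert-policy.json are all constructed here for illustration. It diffs a baseline snapshot against a current snapshot, emits one finding per detected change, classifies each with the severity criteria from the table, and attaches the auto-revert action and SLA for that severity.

```powershell
# Added example, not Solution 17's own Invoke-DriftScan.ps1: diff a baseline snapshot
# against a current snapshot, classify each finding with the control's severity
# criteria and look up the auto-revert action. The snapshot layout, site URLs,
# principals and link ids are constructed for illustration.

# Constructed approved baseline and current snapshots, one entry per site
$baselineJson = @'
{ "CapturedAt": "2026-01-15T09:00:00Z", "ApprovalRef": "CHG-PLACEHOLDER", "Sites": [
  { "Url": "https://contoso.sharepoint.com/sites/Research", "Sensitivity": "MNPI",
    "Principals": [ { "Name": "Research Analysts", "Role": "Read" }, { "Name": "alice@contoso.com", "Role": "Edit" } ],
    "SharingLinks": [], "Groups": [ { "Name": "Research Analysts", "MemberCount": 14 } ], "UniquePermissionItems": 2 },
  { "Url": "https://contoso.sharepoint.com/sites/Deals", "Sensitivity": "Confidential",
    "Principals": [ { "Name": "Deal Team", "Role": "Edit" } ],
    "SharingLinks": [], "Groups": [ { "Name": "Deal Team", "MemberCount": 10 } ], "UniquePermissionItems": 0 },
  { "Url": "https://contoso.sharepoint.com/sites/Marketing", "Sensitivity": "General",
    "Principals": [ { "Name": "Marketing Team", "Role": "Edit" } ],
    "SharingLinks": [], "Groups": [ { "Name": "Marketing Team", "MemberCount": 25 } ], "UniquePermissionItems": 0 } ] }
'@
$currentJson = @'
{ "CapturedAt": "2026-03-17T02:00:00Z", "Sites": [
  { "Url": "https://contoso.sharepoint.com/sites/Research", "Sensitivity": "MNPI",
    "Principals": [ { "Name": "Research Analysts", "Role": "Read" }, { "Name": "alice@contoso.com", "Role": "Full Control" },
                    { "Name": "Everyone except external users", "Role": "Read" } ],
    "SharingLinks": [], "Groups": [ { "Name": "Research Analysts", "MemberCount": 14 } ], "UniquePermissionItems": 5 },
  { "Url": "https://contoso.sharepoint.com/sites/Deals", "Sensitivity": "Confidential",
    "Principals": [ { "Name": "Deal Team", "Role": "Edit" }, { "Name": "bob@contoso.com", "Role": "Read" } ],
    "SharingLinks": [ { "Id": "link-7731", "Scope": "Organization" } ],
    "Groups": [ { "Name": "Deal Team", "MemberCount": 72 } ], "UniquePermissionItems": 0 },
  { "Url": "https://contoso.sharepoint.com/sites/Marketing", "Sensitivity": "General",
    "Principals": [ { "Name": "Marketing Team", "Role": "Edit" }, { "Name": "carol@contoso.com", "Role": "Read" } ],
    "SharingLinks": [], "Groups": [ { "Name": "Marketing Team", "MemberCount": 27 } ], "UniquePermissionItems": 0 } ] }
'@

$roleRank = @{ 'Read' = 1; 'Contribute' = 2; 'Edit' = 3; 'Full Control' = 4 }   # broader access = higher rank
$broadPrincipals = @('Everyone', 'Everyone except external users')              # "Everyone" / EEEU

# In-script stand-in for auto-revert-policy.json (the real file's schema is not shown on this page)
$autoRevertPolicy = @{
    CRITICAL = @{ Action = 'AutoRevert';           Sla = '4 hours' }                # post-revert CISO/site owner approval
    HIGH     = @{ Action = 'AlertRevertCountdown'; Sla = '24 hours' }               # approval gate can cancel the revert
    MEDIUM   = @{ Action = 'AlertOnly';            Sla = '5 business days' }        # manual remediation required
    LOW      = @{ Action = 'LogOnly';              Sla = 'Next scheduled review' }
}

function New-Finding($Type, $Subject, $Detail, $Delta = 0) {
    [pscustomobject]@{ Type = $Type; Subject = $Subject; Detail = $Detail; Delta = $Delta }
}

function Get-DriftSeverity {
    param($Finding, [string]$Sensitivity)
    # First matching rule wins, most severe first (mirrors the classification table)
    if ($Finding.Type -eq 'PrincipalAdded' -and $Finding.Subject -in $broadPrincipals) { return 'CRITICAL' }
    if ($Sensitivity -in @('MNPI', 'NPI')) { return 'CRITICAL' }               # any change on MNPI/NPI sites
    if ($Finding.Type -eq 'SharingLinkAdded' -and $Sensitivity -eq 'Confidential') { return 'HIGH' }
    if ($Finding.Type -eq 'GroupExpanded' -and $Finding.Delta -gt 50) { return 'HIGH' }
    if ($Finding.Type -eq 'PermissionUpgraded') { return 'MEDIUM' }
    if ($Finding.Type -eq 'PrincipalAdded' -and $Sensitivity -eq 'Confidential') { return 'MEDIUM' }
    return 'LOW'
}

function Compare-SitePermissions {
    param($BaseSite, $CurrentSite)
    $findings = @()
    $before = @{}; foreach ($p in @($BaseSite.Principals)) { $before[$p.Name] = $p.Role }
    foreach ($p in @($CurrentSite.Principals)) {
        if (-not $before.ContainsKey($p.Name)) { $findings += New-Finding 'PrincipalAdded' $p.Name $p.Role }
        elseif ($roleRank[$p.Role] -gt $roleRank[$before[$p.Name]]) {
            $findings += New-Finding 'PermissionUpgraded' $p.Name "$($before[$p.Name]) -> $($p.Role)"
        }
    }
    $oldLinks = @($BaseSite.SharingLinks | ForEach-Object { $_.Id })
    foreach ($l in @($CurrentSite.SharingLinks)) {
        if ($l.Id -notin $oldLinks) { $findings += New-Finding 'SharingLinkAdded' $l.Id "scope: $($l.Scope)" }
    }
    $oldGroups = @{}; foreach ($g in @($BaseSite.Groups)) { $oldGroups[$g.Name] = $g.MemberCount }
    foreach ($g in @($CurrentSite.Groups)) {
        $delta = $g.MemberCount - $oldGroups[$g.Name]                      # a group new since baseline counts in full
        if ($delta -gt 0) { $findings += New-Finding 'GroupExpanded' $g.Name "$($oldGroups[$g.Name]) -> $($g.MemberCount) members" $delta }
    }
    if ($CurrentSite.UniquePermissionItems -gt $BaseSite.UniquePermissionItems) {
        $findings += New-Finding 'InheritanceBroken' 'library items' "$($BaseSite.UniquePermissionItems) -> $($CurrentSite.UniquePermissionItems) uniquely permissioned"
    }
    return $findings
}

function Invoke-DriftComparison {
    param([string]$BaselineJson, [string]$CurrentJson)
    $baseSites = @{}; foreach ($s in @(($BaselineJson | ConvertFrom-Json).Sites)) { $baseSites[$s.Url] = $s }
    $results = @()
    foreach ($site in @(($CurrentJson | ConvertFrom-Json).Sites)) {
        if (-not $baseSites.ContainsKey($site.Url)) {
            # A site with no approved baseline cannot be compared; do not silently skip it
            Write-Warning "$($site.Url) has no approved baseline; capture and approve one before scanning"; continue
        }
        foreach ($f in @(Compare-SitePermissions -BaseSite $baseSites[$site.Url] -CurrentSite $site)) {
            $sev = Get-DriftSeverity -Finding $f -Sensitivity $site.Sensitivity
            $results += [pscustomobject]@{ Site = $site.Url.Split('/')[-1]; Type = $f.Type; Subject = $f.Subject
                                           Detail = $f.Detail; Severity = $sev; Action = $autoRevertPolicy[$sev].Action
                                           Sla = $autoRevertPolicy[$sev].Sla }
        }
    }
    return $results
}

Invoke-DriftComparison -BaselineJson $baselineJson -CurrentJson $currentJson | Format-Table -AutoSize
```

On the constructed input this yields eight findings: three CRITICAL on the MNPI site (EEEU added, alice upgraded from Edit to Full Control, inheritance broken on three more items), two HIGH on the Confidential site (new organization-scope sharing link, Deal Team grown by 62 members), one MEDIUM (bob added to the Confidential site) and two LOW on the General site. The Research findings that would otherwise be MEDIUM or LOW are promoted to CRITICAL because every permission change on an MNPI/NPI site is CRITICAL under the table, which is why the sensitivity rule sits second in Get-DriftSeverity. A site present in the current scan but absent from the baseline is reported rather than skipped, since an unbaselined site is itself a gap in coverage. The live scripts read permissions through the SharePoint Online Management Shell or Graph rather than from embedded JSON; only the comparison and classification logic is shown here.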

Evidence Retention

| Element | Retention Period | Requirement |
| --- | --- | --- |
| Baseline snapshots | 7 years | SEC 17a-4 |
| Drift scan results | 7 years | SEC 17a-4 |
| Remediation/revert records | 7 years | SEC 17a-4 |
| Approval gate decisions | 7 years | SEC 17a-4 |
| Configuration change logs | 7 years | SEC 17a-4(f) |

Remediation Playbook

| Element | Detail |
| --- | --- |
| Trigger | Drift scan detects permissions changes exceeding severity threshold |
| Owner | SharePoint Admin (execution), Compliance team (oversight) |
| RACI | R: SharePoint Admin, A: CISO/Compliance Lead, C: Site Owner/Business Unit, I: Internal Audit |
| Approval Gate SLAs | CRITICAL: Auto-revert, post-revert CISO approval within 4 hours. HIGH: Revert approval within 24 hours. MEDIUM: Remediation plan within 5 business days. |
| Escalation | CRITICAL drift unremediated after 4 hours → CISO + CRO notification. HIGH drift after 24 hours → CISO notification. |

Reference: FSI-CopilotGov-Solutions Solution 17 provides baseline capture, drift scanning, and auto-revert scripts.


Copilot Surface Coverage

| Copilot Surface | Drift Risk Level | Notes |
| --- | --- | --- |
| Microsoft 365 Copilot Chat | Critical | Cross-workload search means any permission drift immediately expands Copilot's grounding scope |
| SharePoint Copilot | Critical | Directly affected by SharePoint permission changes |
| Teams Copilot | High | Teams-linked SharePoint sites are subject to drift from Teams channel management |
| Word / Excel / PowerPoint | High | Permission drift on document libraries directly affects what Copilot can reference |
| Outlook Copilot | Medium | Indirectly affected through SharePoint-linked content in emails |
| OneDrive Copilot | Medium | OneDrive sharing changes represent a form of permissions drift |
| Copilot Pages | High | Pages referencing drifted content inherit the expanded access |
| Loop Copilot | Medium | Loop components linked to SharePoint may be affected by drift |

Governance Levels

| Level | Requirement | Rationale |
| --- | --- | --- |
| Baseline | Establish initial permissions baseline for top 20 sites by risk score. Run quarterly drift scans. Review and remediate CRITICAL drift findings. Document baseline and drift scan results. | Minimum viable drift detection on the highest-risk sites, providing a foundation for continuous monitoring. |
| Recommended | All Baseline requirements plus: expand baseline to all sites in Copilot scope. Implement monthly drift scans with bi-weekly scans on HIGH-risk sites. Configure automated alerts for CRITICAL and HIGH severity drift. Implement approval workflow for drift remediation. Integrate drift findings with DSPM reporting. Retain evidence per organizational policy. | Systematic drift detection across the Copilot scope with automated alerting and remediation workflows. |
| Regulated | All Recommended requirements plus: weekly drift scanning across all sites. Auto-revert policy configured for CRITICAL drift with CISO approval gate. Dual approval for HIGH drift remediation. Integration with compliance reporting and SOC alerting. Quarterly independent review of baseline accuracy. 7-year evidence retention per SEC 17a-4. Include drift reports in regulatory examination evidence package. | Comprehensive permissions drift governance that supports compliance with GLBA, SEC, and FFIEC change management and access control expectations. |

Setup & Configuration

Step 1: Establish Prerequisites

Verify:

  • SharePoint Online Management Shell access
  • Microsoft Graph API permissions (Sites.Read.All minimum; Sites.ReadWrite.All for auto-revert)
  • Solution 02 (site inventory) deployed (prerequisite)
  • Control 1.2 (DSPM oversharing assessment) completed

Step 2: Capture Initial Baseline (Solution 17)

Deploy FSI-CopilotGov-Solutions Solution 17. Run New-PermissionsBaseline.ps1:

  • Scope: Start with top 20 sites by DSPM risk score (Baseline), expand to all Copilot-scoped sites (Recommended/Regulated)
  • Capture: Site permissions, library permissions, sharing links, group memberships
  • Store: Baseline JSON files with timestamp and approval reference
  • Approval: Baseline must be reviewed and approved by site owner and Compliance Lead

Step 3: Configure Drift Scanning

Schedule Invoke-DriftScan.ps1:

  • Quarterly for Baseline, monthly for Recommended, weekly for Regulated
  • Configure comparison parameters (what constitutes "drift" vs. "approved change")
  • Integration with change management system to exclude pre-approved changes
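The third bullet, excluding pre-approved changes, is the part of Step 3 most often implemented loosely (for example by trusting the admin account that made the change). The added PowerShell example below, which is not part of Solution 17, reconciles drift findings against exported change records the way the Change Window Enforcement consideration later on this page describes: a change is excluded only when it falls inside an approved window for the approved site and principal, regardless of who made it. The record shapes, ticket placeholders, timestamps and names are constructed for illustration.

```powershell
# Added example, not part of Solution 17: reconcile drift findings with approved change
# records so that only changes made inside an approved window, on the approved site and
# principal, are excluded from the drift report. Record shapes, ticket numbers,
# timestamps and principals are constructed for illustration.

# Constructed approved-change records, as exported from the change management system
$approvedChanges = @(
    [pscustomobject]@{ Ticket = 'CHG-PLACEHOLDER-1'; Site = 'Deals'; Principal = 'bob@contoso.com'
                       WindowStart = [datetimeoffset]'2026-03-10T18:00:00Z'; WindowEnd = [datetimeoffset]'2026-03-10T20:00:00Z' }
)

# Constructed drift findings; ChangedAt and Actor come from the audit log entry for each change
$driftFindings = @(
    [pscustomobject]@{ Site = 'Deals';    Type = 'PrincipalAdded';     Subject = 'bob@contoso.com';  Actor = 'spadmin@contoso.com'; ChangedAt = [datetimeoffset]'2026-03-10T18:45:00Z' }
    [pscustomobject]@{ Site = 'Deals';    Type = 'PrincipalAdded';     Subject = 'dave@contoso.com'; Actor = 'spadmin@contoso.com'; ChangedAt = [datetimeoffset]'2026-03-10T18:50:00Z' }
    [pscustomobject]@{ Site = 'Deals';    Type = 'PermissionUpgraded'; Subject = 'bob@contoso.com';  Actor = 'spadmin@contoso.com'; ChangedAt = [datetimeoffset]'2026-03-11T09:05:00Z' }
    [pscustomobject]@{ Site = 'Research'; Type = 'PrincipalAdded';     Subject = 'Everyone except external users'; Actor = 'owner@contoso.com'; ChangedAt = [datetimeoffset]'2026-03-12T14:20:00Z' }
    [pscustomobject]@{ Site = 'Research'; Type = 'SharingLinkAdded';   Subject = 'link-9912';        Actor = 'owner@contoso.com';   ChangedAt = $null }
)

function Resolve-ApprovedChange {
    param($Finding, $Changes)
    # Fail closed: a finding whose change time is unknown cannot be matched to any window
    if ($null -eq $Finding.ChangedAt) { return $null }
    foreach ($c in $Changes) {
        # The actor is deliberately not part of the decision: an admin working outside the window is still drift
        if ($c.Site -eq $Finding.Site -and $c.Principal -eq $Finding.Subject -and
            $Finding.ChangedAt -ge $c.WindowStart -and $Finding.ChangedAt -le $c.WindowEnd) { return $c.Ticket }
    }
    return $null
}

function Get-DriftDisposition {
    param($Findings, $Changes)
    foreach ($f in $Findings) {
        $ticket = Resolve-ApprovedChange -Finding $f -Changes $Changes
        $disposition = if ($ticket) { 'ApprovedChange' } else { 'UnauthorizedDrift' }
        [pscustomobject]@{ Site = $f.Site; Type = $f.Type; Subject = $f.Subject; Actor = $f.Actor
                           ChangedAt = $f.ChangedAt; Disposition = $disposition; Ticket = $ticket }
    }
}

$report = Get-DriftDisposition -Findings $driftFindings -Changes $approvedChanges
$report | Format-Table Site, Type, Subject, Actor, Disposition, Ticket -AutoSize
# Both dispositions are retained as evidence; only UnauthorizedDrift proceeds to severity classification
($report | Where-Object Disposition -eq 'UnauthorizedDrift').Count
```

Of the five constructed findings only the first is excluded: it is the approved principal on the approved site inside the window. The second is inside the window but for a principal the ticket did not cover, the third is the right principal a day later, the fourth has no ticket at all, and the fifth has no change timestamp and so cannot be proven approved. All four are reported as unauthorized drift, including those made by the same admin account that performed the approved change. Keep both the approved and unauthorized rows in the evidence store; the approval match itself is part of the audit trail the Evidence Retention table expects.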

Step 4: Configure Drift Classification Thresholds

Define severity thresholds in scan configuration:

  • CRITICAL: "Everyone"/"EEEU" additions, changes on MNPI/NPI sites
  • HIGH: New sharing links on Confidential content, group expansion >50 members
  • MEDIUM: New user additions to sensitive sites, permission level changes
  • LOW: Minor changes on non-sensitive sites

Step 5: Configure Auto-Revert Policy (Regulated)

For Regulated governance level, configure auto-revert-policy.json:

  • Define which drift types trigger auto-revert
  • Configure approval gates and SLAs
  • Set notification targets (CISO, site owners, compliance team)
  • Define rollback procedures if auto-revert causes business disruption

Step 6: Configure Evidence Retention

Set up evidence storage:

  • Baseline files, drift reports, remediation records → secure compliance repository
  • Retention period: 7 years for regulated entities (SEC 17a-4)
  • Include in regulatory examination file

Step 7: Integrate with Compliance Reporting

Configure drift detection reporting:

  • Dashboard for real-time drift status across monitored sites
  • Weekly summary reports for governance team
  • Monthly executive summary for CISO/CRO
  • Quarterly evidence package for regulatory examination file

Financial Sector Considerations

  • NPI Access Drift: Under GLBA, even small permission changes on sites containing customer financial information (NPI) may create regulatory exposure. Drift detection should flag ANY permission change on NPI-classified sites as HIGH or CRITICAL severity.
  • Information Barrier Integrity: Permissions drift that crosses information barrier boundaries (e.g., a research analyst gaining access to investment banking content) represents both a regulatory violation and a Copilot risk. Integrate drift detection with information barrier monitoring.
  • Change Window Enforcement: Financial institutions with formal change management processes should configure drift detection to flag any permission change outside approved change windows as unauthorized drift, regardless of who made the change.
  • M&A Deal Lifecycle: Post-deal, data room permissions often drift as teams wind down but access is not revoked. Configure accelerated drift scanning during and after deal lifecycle events.
  • Examination Evidence: Regulators increasingly expect continuous monitoring evidence, not just point-in-time audits. Drift detection reports provide the continuous monitoring evidence that supports favorable examination outcomes.
  • Third-Party Access Drift: Monitor for drift in permissions granted to external parties (auditors, consultants, regulators). External access that expands beyond approved scope creates both security and regulatory risk.

Verification Criteria

  1. Initial permissions baseline has been established for all in-scope sites per governance level
  2. Baseline has been reviewed and approved by site owners and Compliance Lead
  3. Drift scanning is deployed and running at the configured cadence (quarterly / monthly / weekly)
  4. Drift classification thresholds are configured and documented
  5. All CRITICAL drift findings have been remediated or reverted within SLA (4 hours)
  6. All HIGH drift findings have been remediated within SLA (24 hours)
  7. Approval workflow is operational for drift remediation decisions
  8. Auto-revert policy is configured and tested (Regulated level)
  9. Evidence retention is configured with 7-year retention for regulated entities per SEC 17a-4
  10. Drift detection reports are integrated into compliance reporting and accessible for regulatory examination
  11. Quarterly baseline accuracy review has been conducted (Regulated level)
  12. Drift detection findings are correlated with DSPM oversharing assessments (Control 1.2) for comprehensive access risk visibility

FSI Copilot Governance Framework v1.2.1 - March 2026