
Control 1.2: SharePoint Oversharing Detection and Remediation (DSPM for AI)

  • Control ID: 1.2
  • Pillar: Readiness & Assessment
  • Regulatory Reference: GLBA 501(b), SEC Regulation S-P (Rule 248.30), FFIEC IT Handbook (Information Security Booklet)
  • Last Verified: 2026-03-22
  • Governance Levels: Baseline / Recommended / Regulated


Objective

Detect, assess, and remediate SharePoint oversharing risks before and during Microsoft 365 Copilot deployment using Microsoft Purview Data Security Posture Management (DSPM). This control addresses the "discovery amplification" risk -- where Copilot's ability to search and synthesize content across a user's entire permission scope transforms latent oversharing issues into active data exposure incidents.

The unified DSPM experience (preview December 2025) merges the classic DSPM and DSPM for AI into a single platform, adding AI observability, item-level remediation, and the Purview Posture Agent across the full range of M365 and Copilot workloads. DSPM is accessible from Microsoft Purview > Data Security Posture Management. Where Microsoft 365 admin-center shortcuts are available, treat them as convenience entry points and verify the current path against the Purview experience before documenting operational procedures.


Why This Matters for FSI

  • GLBA 501(b): Requires financial institutions to protect against unauthorized access to customer financial information. SharePoint sites shared with "Everyone" or "Everyone Except External Users" create access paths that Copilot can exploit to surface non-public personal information (NPI) to users who should not have access.
  • SEC Regulation S-P (Rule 248.30): Requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures addressing administrative, technical, and physical safeguards for customer records and information. Oversharing detection directly supports these technical safeguards.
  • FFIEC IT Handbook (Access Control): Expects institutions to implement the principle of least privilege. Broad SharePoint sharing directly contradicts this principle and creates examination findings.
  • SOX 302/404: Oversharing of financial data and internal controls documentation creates risk that Copilot could surface pre-release financial information or internal audit findings to unauthorized personnel.
  • FINRA Rule 3110: Supervisory systems must account for the risk that Copilot could surface information across supervisory boundaries, potentially creating information barrier violations.

Control Description

Understanding Discovery Amplification

Microsoft 365 Copilot inherits the calling user's permissions and searches across all content that user can access via Microsoft Graph. Before Copilot, a user with overly broad SharePoint permissions might never navigate to or discover sensitive content. With Copilot, a simple natural language query can surface that content instantly.

Discovery amplification refers to this phenomenon: existing permission gaps that were low-risk due to practical obscurity become high-risk when AI-powered search makes all accessible content equally discoverable.

| Pre-Copilot State | Post-Copilot Reality |
|---|---|
| User has access to 500 SharePoint sites but regularly visits 10 | Copilot searches all 500 sites on every query |
| "Everyone" sharing links exist but are rarely clicked | Copilot treats these as valid access paths for grounding |
| Stale project sites with broad permissions sit unused | Copilot can retrieve and cite content from these sites |
| Sensitive files buried in nested folders | Copilot surfaces them based on relevance, not folder depth |

DSPM Capabilities

Microsoft Purview DSPM provides purpose-built tools for detecting and remediating oversharing risks, with the unified experience adding AI-specific capabilities across the full M365 and Copilot surface:

| Capability | Description | Frequency |
|---|---|---|
| Oversharing Assessment | Scans SharePoint sites for content accessible to broad audiences (Everyone, EEEU, large groups) and cross-references with sensitivity labels | On-demand + weekly scheduled |
| Item-Level Remediation | Enables remediation of oversharing at the individual file or item level, not just at the site or library level. Addresses high-priority items without requiring site-wide permission changes. | On-demand |
| AI Observability | Unified view of AI activity across Microsoft 365 Copilot and third-party AI apps, providing a single pane for monitoring what AI tools are accessing and what data they are surfacing | Continuous (near real-time) |
| Activity Explorer for Copilot | Shows Copilot interaction data including which content Copilot accessed, which users triggered access, and which sensitivity labels were on accessed content | Continuous (near real-time) |
| Purview Posture Agent | Natural language search across M365 and Copilot interactions to discover sensitive data exposure without pre-defining sensitive information types. Useful for exploratory data risk investigation. (January 2026 preview) | On-demand |
| Shadow AI Discovery | Detection of unsanctioned AI tool usage integrated into the unified DSPM experience. Surfaces AI apps in use across the organization that are not sanctioned through the Copilot Control System or IT governance processes. | Continuous |
| Data Risk Indicators | Dashboard showing aggregate risk metrics: sites with oversharing, unlabeled sensitive content, content accessed by Copilot with no DLP protection | Continuous |
| Recommendations Engine | Prioritized remediation recommendations based on risk scoring (sensitivity of content x breadth of access x Copilot interaction frequency) | Updated weekly |

Oversharing Risk Categories

| Risk Category | Description | Example | Remediation Approach |
|---|---|---|---|
| Everyone / EEEU Access | Content shared with all internal users via "Everyone" or "Everyone Except External Users" groups | SharePoint site with "Everyone" as a member | Remove broad groups, replace with specific security groups |
| Company-Wide Sharing Links | Content shared via "People in your organization" sharing links | Documents with company-wide links in sensitive libraries | Revoke links, apply sensitivity labels, restrict link creation |
| Anonymous Sharing Links | Content shared via "Anyone with the link" links | Files accessible without authentication | Revoke immediately, audit for data exposure |
| Large Group Membership | Content accessible to groups with >500 members that effectively grant org-wide access | "All Employees" group membership on sensitive sites | Review group necessity, scope to relevant populations |
| Inherited Permissions | Subsites or libraries inheriting permissions from broadly shared parent sites | Sensitive library inheriting site-level "Everyone" permission | Break inheritance, apply targeted permissions |

Remediation Workflow

Detect ──> Triage ──> Remediate ──> Verify ──> Monitor

  1. DETECT: Run DSPM oversharing assessment
  2. TRIAGE: Prioritize findings by sensitivity x access breadth
  3. REMEDIATE: Apply appropriate fix per risk category
  4. VERIFY: Re-scan to confirm remediation effectiveness
  5. MONITOR: Set weekly cadence for ongoing detection
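As an added example (not code from the control document or the FSI-CopilotGov project), the Python below triages a constructed oversharing export into the risk categories in the table above and orders findings by sensitivity x access breadth, using Copilot interaction count as the tie-breaker. The column names and the weights are assumptions, not the real DSPM export schema or scoring.

```python
import csv
import io

# Constructed sample export. The column names are an assumption, not the DSPM
# schema: sharing_principal is the group or link type that grants access.
SAMPLE_EXPORT = """site,library,sharing_principal,principal_size,sensitivity,inherits_from_parent,copilot_interactions_30d
/sites/LoanOps,Credit Files,Everyone Except External Users,0,Highly Confidential,no,42
/sites/Marketing,Assets,People in your organization,0,General,no,5
/sites/DealRoom-Alpha,Diligence,Anyone with the link,0,Highly Confidential,no,3
/sites/Intranet,Policies,All Employees,12000,General,no,120
/sites/Intranet,Audit Findings,All Employees,12000,Confidential,yes,9
/sites/ProjectZeta,Docs,Finance-Analysts,35,Confidential,no,0
"""

LARGE_GROUP = 500  # page: groups with >500 members effectively grant org-wide access
SENSITIVITY = {"General": 1, "Confidential": 2, "Highly Confidential": 3}  # assumed weights
REMEDIATION = {  # remediation approach per category, from the table above
    "Anonymous Sharing Links": "Revoke immediately, audit for data exposure",
    "Everyone / EEEU Access": "Remove broad groups, replace with specific security groups",
    "Company-Wide Sharing Links": "Revoke links, apply sensitivity labels, restrict link creation",
    "Large Group Membership": "Review group necessity, scope to relevant populations",
    "Inherited Permissions": "Break inheritance, apply targeted permissions",
}

def categorize(row):
    """Map one finding to (risk category, access breadth weight); None if not overshared."""
    principal = row["sharing_principal"]
    if principal == "Anyone with the link":
        base, breadth = "Anonymous Sharing Links", 4   # no authentication at all
    elif principal in ("Everyone", "Everyone Except External Users"):
        base, breadth = "Everyone / EEEU Access", 3
    elif principal == "People in your organization":
        base, breadth = "Company-Wide Sharing Links", 3
    elif int(row["principal_size"]) > LARGE_GROUP:
        base, breadth = "Large Group Membership", 3
    else:
        return None, 0  # narrowly scoped access is not an oversharing finding
    # A library that inherits a broad grant from its parent site is the page's
    # "Inherited Permissions" category: breadth is unchanged, the fix differs.
    if row["inherits_from_parent"] == "yes":
        return "Inherited Permissions", breadth
    return base, breadth

def triage(export_csv):
    """Return findings sorted by sensitivity x access breadth, then Copilot use."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        category, breadth = categorize(row)
        if category is None:
            continue
        score = SENSITIVITY[row["sensitivity"]] * breadth
        findings.append({"site": row["site"], "library": row["library"],
                         "category": category, "score": score,
                         "copilot_interactions_30d": int(row["copilot_interactions_30d"]),
                         "remediation": REMEDIATION[category]})
    findings.sort(key=lambda f: (f["score"], f["copilot_interactions_30d"]), reverse=True)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['score']:>2}  {f['site']}/{f['library']}: {f['category']} -> {f['remediation']}")
```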

Remediation Actions by Type

| Action | When to Use | Impact |
|---|---|---|
| Restrict access | Remove broad groups (Everyone, EEEU) from site/library permissions | Users lose access -- coordinate with site owners |
| Apply sensitivity labels | Label content to enable DLP policies that prevent Copilot from processing | Copilot respects label-based DLP restrictions |
| Remove sharing links | Revoke company-wide or anonymous sharing links | Existing links stop working -- communicate to affected users |
| Enable Restricted Content Discovery | Use SAM to prevent Copilot from discovering content on specific sites | Content remains accessible directly but is excluded from Copilot grounding |
| Relocate content | Move sensitive content to properly governed sites with appropriate permissions | Content available in correct governance context |
| Archive content | Move stale content to archive with restricted access | Removes from active Copilot grounding scope |

Copilot Surface Coverage

| Copilot Surface | Oversharing Risk Level | Why |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Cross-workload search surfaces all overshared content |
| SharePoint Copilot | Critical | Directly queries SharePoint content and respects site-level permissions |
| Teams Copilot | High | Accesses files shared in channels, which may link to overshared SharePoint sites |
| Word / Excel / PowerPoint | High | "Draft from" and "Reference" features pull from accessible SharePoint content |
| Outlook Copilot | Medium | May reference SharePoint content linked in email threads |
| OneDrive Copilot | Medium | OneDrive-specific, but shared folders create similar risks |
| Copilot Pages | High | AI-generated pages may incorporate overshared content into new collaborative artifacts |
| Loop Copilot | Medium | Loop components can reference SharePoint content |
| Viva Engage Copilot | Low | Limited SharePoint content retrieval in social context |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Enable the unified DSPM experience. Run oversharing assessment. Review and triage top 20 highest-risk sites. Remediate sites with "Everyone" or anonymous access containing sensitive information types. Establish monthly assessment cadence. Enable Shadow AI discovery to identify unsanctioned AI tools. | Addresses the most critical oversharing risks that could result in immediate regulatory exposure when Copilot is enabled. Shadow AI visibility is minimum viable governance for Copilot rollouts. |
| Recommended | All Baseline requirements plus: remediate top 50 oversharing sites. Establish weekly DSPM assessment cadence. Configure AI observability for continuous monitoring across Copilot and third-party AI apps. Configure Purview Posture Agent for exploratory data risk investigation. Implement automated alerts for new oversharing detections. Document remediation actions and outcomes. | Provides ongoing oversharing governance with AI-specific visibility. Purview Posture Agent enables compliance teams to investigate data risks without requiring pre-defined SITs. |
| Regulated | All Recommended requirements plus: remediate all flagged oversharing sites before Copilot enablement. Use item-level remediation for high-priority oversharing findings without disrupting site access. Implement continuous DSPM monitoring with SOC/compliance team integration. Enable full AI observability alerting for Copilot interaction anomalies. Establish formal oversharing incident response procedures. Maintain remediation evidence for regulatory examination. Conduct quarterly independent review of DSPM findings. | Comprehensive oversharing governance that supports compliance with GLBA, SEC Reg S-P, and FFIEC expectations for access control and data protection. Item-level remediation enables surgical remediation without business disruption, supporting faster compliance timelines. |

Setup & Configuration

Step 1: Access DSPM

The unified DSPM experience is accessible from two paths:

  • Full DSPM: Microsoft Purview > Data Security Posture Management
  • Copilot security quick access: Microsoft 365 Admin Center > Copilot > Overview > Security tab (provides access to the default DLP policy, Shadow AI findings, and Copilot-specific security actions)

Ensure DSPM is activated for your tenant from the Purview path.

Prerequisites:

  • Microsoft 365 E5 Compliance or Microsoft Purview add-on license
  • Purview Compliance Administrator or equivalent role
  • SharePoint Advanced Management license (recommended for full DAG integration)

Step 2: Run Initial Oversharing Assessment

From the DSPM dashboard:

  1. Select Oversharing assessment from the left navigation
  2. Choose scope: All sites or specific site collections
  3. Run assessment (initial scan may take several hours for large tenants)
  4. Review results organized by risk severity
  5. Use item-level remediation for high-priority findings to address individual files without requiring site-wide permission changes

Step 3: Configure AI Observability and Shadow AI Detection

From the DSPM dashboard:

  1. Navigate to the AI observability section to enable the unified view of AI activity across Microsoft 365 Copilot and any third-party AI apps in use
  2. Review Shadow AI discovery findings to identify unsanctioned AI tools being used in the organization
  3. Configure alerts for Shadow AI detections to notify the governance team when new unsanctioned AI apps are detected

Step 4: Investigate with the Purview Posture Agent

Navigate to Microsoft Purview > Data Security Posture Management and access the Purview Posture Agent (January 2026 preview). Use natural language queries to investigate data exposure across M365 and Copilot interactions without requiring pre-defined sensitive information types. Example queries:

  • "Show me files accessed by Copilot in the last 30 days that may contain financial data"
  • "Which SharePoint sites have sensitive content accessible to users who don't have Copilot licenses"

Step 5: Configure Assessment Schedule

Set recurring assessments:

  • Baseline: Monthly automated assessment
  • Recommended: Weekly automated assessment
  • Regulated: Continuous monitoring with weekly formal review

Step 6: Set Up Activity Explorer Monitoring

Navigate to Microsoft Purview > Data Security Posture Management > Activity Explorer to monitor:

  • Copilot interactions with SharePoint content
  • Content accessed by Copilot that has sensitivity labels
  • Content accessed by Copilot that matches sensitive information types
  • Access patterns across user populations

Step 7: Configure Remediation Workflows

For each oversharing finding, determine the appropriate remediation action and track execution:

  • Assign site owner for remediation
  • Set remediation deadline based on risk severity
  • For critical items, use item-level remediation to address specific files immediately
  • Verify remediation through re-scan
  • Document action taken and outcome


Financial Sector Considerations

  • Non-Public Personal Information (NPI): Under GLBA, financial institutions must protect NPI. Run DSPM assessments with particular attention to sites containing customer account information, loan documents, credit reports, and financial statements. Oversharing of NPI-containing sites is a high-severity finding.
  • Chinese Wall / Information Barrier Risk: Investment banking, research, and trading operations that maintain information barriers must assess whether SharePoint oversharing could allow Copilot to bridge these barriers. Cross-reference DSPM findings with information barrier policies (see Control 2.x).
  • Merger & Acquisition Data Rooms: Deal-related SharePoint sites often have broad internal sharing for project teams. Assess whether these sites could expose material non-public information (MNPI) through Copilot queries by non-deal-team members.
  • Regulatory Examination Files: Maintain DSPM assessment reports, remediation logs, and verification records in your regulatory examination file. Demonstrating systematic oversharing detection and remediation supports favorable examination outcomes.
  • Third-Party / Vendor Content: Financial institutions often share SharePoint sites with external partners (auditors, consultants, regulators). Review external sharing configurations alongside internal oversharing to ensure Copilot does not surface content from externally shared sites inappropriately.
  • Dual-Registration Considerations: Entities registered with both FINRA and SEC (or state regulators) should map oversharing findings to each applicable regulatory requirement to ensure comprehensive coverage.

Verification Criteria

  1. The unified DSPM experience is activated and accessible from Microsoft Purview > Data Security Posture Management
  2. Initial oversharing assessment has been run across all in-scope SharePoint site collections
  3. Oversharing findings have been triaged and prioritized by risk severity (sensitivity x access breadth)
  4. Remediation actions have been completed for the appropriate number of sites per governance level (top 20 / top 50 / all flagged)
  5. Item-level remediation has been used for critical oversharing findings at the Regulated tier
  6. No sites containing sensitive information types have "Everyone," "Everyone Except External Users," or anonymous sharing links (Regulated level)
  7. AI observability is configured and providing unified visibility across Copilot and any third-party AI apps
  8. Shadow AI discovery is enabled and governance team is reviewing unsanctioned AI tool findings
  9. Purview Posture Agent has been used to conduct at least one exploratory data risk investigation (Recommended and Regulated levels)
  10. Activity Explorer for Copilot interactions is configured and being reviewed at the specified cadence
  11. Recurring assessment schedule is configured (monthly / weekly / continuous per governance level)
  12. Automated alerts are configured for new oversharing detections and Shadow AI discoveries (Recommended and Regulated levels)
  13. Remediation actions are documented with timestamps, responsible parties, and verification dates
  14. Assessment reports and remediation logs are retained per the organization's document retention policy and accessible for regulatory examination

Item-Level Oversharing Remediation (Solution 16)

While DSPM and Data Access Governance provide site-level oversharing detection, Microsoft 365 Copilot surfaces content at the individual file level — meaning a properly locked-down site can still contain individual files with unique permissions that expose sensitive content through Copilot queries. Solution 16 from FSI-CopilotGov-Solutions extends the oversharing detection in this control to the item level.

How Solution 16 Extends This Control

| Capability | DSPM (This Control) | Solution 16 Extension |
|---|---|---|
| Scope | Site collection level | Individual file and folder level |
| Detection | Sites shared with Everyone/EEEU/large groups | Files with unique permissions differing from parent (broken inheritance) |
| Risk scoring | Site-level risk score | Item-level risk score (sensitivity × access breadth × permission delta) |
| Remediation | Site-level permission changes | Item-level permission restoration, inheritance repair |
| Cadence | Weekly/monthly site assessment | Monthly item scan (HIGH-risk sites weekly at Regulated tier) |

When to Deploy Solution 16

Deploy Solution 16 after completing initial DSPM oversharing remediation through this control (1.2). The recommended sequence:

  1. Complete DSPM site-level oversharing assessment (this control)
  2. Remediate top site-level oversharing findings
  3. Deploy Solution 16 for item-level scanning on remediated sites
  4. Identify uniquely permissioned items that site-level remediation missed
  5. Remediate item-level findings through approval workflow

For full implementation details, see Control 1.14: Item-Level Permission Scanning.


Automating Access Reviews for High-Risk Sites (Solution 18)

DSPM identifies high-risk SharePoint sites through oversharing assessments and risk scoring, but does not automatically create access reviews to validate that current access is still appropriate. Solution 18 from FSI-CopilotGov-Solutions bridges this gap by reading DSPM risk scores and automatically creating Entra ID Access Reviews for high-risk sites.

The Gap Solution 18 Addresses

| Process Step | Native DSPM | With Solution 18 |
|---|---|---|
| Risk identification | ✅ Identifies oversharing risk | ✅ Reads DSPM risk scores |
| Access review creation | ❌ Manual process required | ✅ Auto-creates Entra ID Access Reviews |
| Review scope | N/A | Scoped to users with access to HIGH/CRITICAL risk sites |
| Review cadence | N/A | Configurable (quarterly for HIGH, monthly for CRITICAL) |
| Remediation | Manual remediation | Access Reviews revoke access upon reviewer denial |
| Audit trail | DSPM assessment logs | DSPM logs + Entra ID Access Review completion records |

How Solution 18 Works

  1. Reads DSPM risk scores for all assessed SharePoint sites
  2. Filters sites at or above the configured risk threshold (HIGH or CRITICAL)
  3. Creates Entra ID Access Reviews scoped to users with access to each flagged site
  4. Configures review parameters: reviewer assignment (site owner + compliance delegate), review cadence, auto-apply of denied access
  5. Tracks completion and generates compliance evidence
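The five steps above, as an added example that is not Solution 18's own code: constructed DSPM-style risk tiers are filtered at the configured threshold, one review definition is planned per flagged site with the cadence and reviewer assignment stated above, and a completion record is produced for evidence. The input rows, the review dictionary shape and the compliance delegate address are assumptions for this example, not the DSPM export schema or the Entra ID Access Reviews API.

```python
from datetime import date

# Constructed DSPM-style risk output: site, risk tier, group holding site access, site owner.
SAMPLE_RISK_SCORES = [
    {"site": "/sites/LoanOps", "risk": "CRITICAL", "site_group": "LoanOps Members", "owner": "j.doe@example.com"},
    {"site": "/sites/Intranet", "risk": "HIGH", "site_group": "Intranet Members", "owner": "a.lee@example.com"},
    {"site": "/sites/Marketing", "risk": "MEDIUM", "site_group": "Marketing Members", "owner": "m.ray@example.com"},
    {"site": "/sites/ProjectZeta", "risk": "LOW", "site_group": "Zeta Members", "owner": "k.ito@example.com"},
]

RISK_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
CADENCE_MONTHS = {"HIGH": 3, "CRITICAL": 1}          # quarterly for HIGH, monthly for CRITICAL
COMPLIANCE_DELEGATE = "compliance-reviews@example.com"  # assumed delegate reviewer

def sites_at_or_above(scores, threshold):
    """Step 2: keep sites whose risk tier is at or above the configured threshold."""
    if threshold not in CADENCE_MONTHS:
        raise ValueError("threshold must be HIGH or CRITICAL")
    floor = RISK_ORDER.index(threshold)
    return [s for s in scores if RISK_ORDER.index(s["risk"]) >= floor]

def build_review(site, start=date(2026, 4, 1)):
    """Steps 3-4: one recurring review per flagged site, scoped to the group holding access."""
    return {
        "displayName": f"DSPM oversharing review: {site['site']} ({site['risk']})",
        "scope_group": site["site_group"],                   # users with access to the site
        "reviewers": [site["owner"], COMPLIANCE_DELEGATE],   # site owner + compliance delegate
        "recurrence_months": CADENCE_MONTHS[site["risk"]],
        "start_date": start.isoformat(),
        "auto_apply_decisions": True,                        # denied access is revoked on completion
    }

def plan_reviews(scores, threshold="HIGH"):
    """Return a review definition for every site at or above the threshold."""
    return [build_review(s) for s in sites_at_or_above(scores, threshold)]

def completion_evidence(review, decisions):
    """Step 5: summarise one review instance; decisions map user -> 'Approve' or 'Deny'."""
    denied = [user for user, decision in decisions.items() if decision == "Deny"]
    return {
        "review": review["displayName"],
        "approved": len(decisions) - len(denied),
        "denied": len(denied),
        # Access is removed only when the review was configured to auto-apply decisions.
        "revoked": denied if review["auto_apply_decisions"] else [],
    }

if __name__ == "__main__":
    for r in plan_reviews(SAMPLE_RISK_SCORES):
        print(r["displayName"], "- every", r["recurrence_months"], "month(s)")
```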

Regulatory Value

For financial institutions subject to GLBA and FFIEC access control expectations, the combination of DSPM risk identification (this control) with automated access reviews (Solution 18) supports the continuous monitoring of access controls that regulators expect. Organizations should verify that review configurations meet their specific regulatory obligations.

Note: Solution 18 uses representative sample data for DSPM risk score integration. Organizations should validate risk score thresholds against their DSPM deployment before production use.


FSI Copilot Governance Framework v1.2.1 - March 2026