
Control 1.7: SharePoint Advanced Management Readiness for Copilot

Control ID: 1.7
Pillar: Readiness & Assessment
Regulatory Reference: GLBA §501(b), FFIEC IT Examination Handbook (Information Security Booklet)
Last Verified: 2026-06-05
Governance Levels: Baseline / Recommended / Regulated


Objective

Evaluate and deploy SharePoint Advanced Management (SAM) capabilities that provide Copilot-specific governance features including Data Access Governance (DAG) reports, site access reviews, Restricted Content Discovery (RCD), Restricted Access Control (RAC), and site lifecycle management. SAM extends the standard SharePoint admin experience with enterprise-grade governance tools that are critical for managing Copilot's interaction with SharePoint content at scale in regulated financial services environments.


Why This Matters for FSI

  • GLBA §501(b): SAM provides the technical tooling to implement and monitor safeguards for customer information stored in SharePoint. DAG reports identify where customer data may be overshared, giving visibility into who has access to customer information, and Restricted Access Control enforces least-privilege access boundaries; together they directly support the GLBA §501(b) safeguards requirement.
  • FFIEC IT Examination Handbook (Information Security): SAM features align with FFIEC expectations for access control monitoring, data access governance, and lifecycle management of information assets. These are foundational capabilities for technology risk management.
  • Sarbanes-Oxley §§302/404 (where applicable to ICFR): SAM site access reviews support periodic access certification requirements for sites containing financial data, supporting internal control assessment obligations.
  • SEC Regulation S-P: Restricted Content Discovery prevents Copilot from surfacing consumer financial information stored on specific SharePoint sites, supporting privacy safeguards. Restricted Access Control enforces least-privilege access boundaries per SEC Regulation S-P requirements.
  • Data Governance Best Practices: SAM represents Microsoft's enterprise governance layer for SharePoint and is a prerequisite for effective Copilot governance at scale.

Control Description

SAM Licensing Requirements

SharePoint Advanced Management (SAM) is included with Microsoft 365 Copilot licenses at no additional cost, enabling SharePoint Admins to deploy all SAM governance capabilities for Copilot environments (announced at Microsoft Ignite 2024, effective early 2025).

| License | Includes SAM | Notes |
|---|---|---|
| Microsoft 365 E3 | No | SAM available via standalone add-on or Copilot license |
| Microsoft 365 E5 | Partial | E5 licenses provide access to DAG activity reports only (up to 10,000 sites; snapshot reports and remediation actions are not available); full SAM requires the standalone add-on or a Copilot license |
| Microsoft 365 Copilot | Yes | SAM included at no additional cost for Copilot governance (Ignite 2024) |
| SharePoint Advanced Management add-on | Yes | Per-user license for organizations without Copilot licenses (~$3/user/month) |
| Microsoft Syntex (SharePoint Premium) | Yes | Includes SAM capabilities |

Licensing note: Organizations deploying Microsoft 365 Copilot already have access to all SAM governance capabilities and do not need to factor SAM into their Copilot deployment cost model. For SharePoint Admins who do not hold a Copilot license — such as IT staff managing SharePoint governance without using Copilot — the standalone SAM add-on provides equivalent access to SAM features.

SAM Feature Overview for Copilot Governance

SharePoint Advanced Management includes several features directly relevant to Copilot governance:

| SAM Feature | Copilot Governance Use | Availability |
|---|---|---|
| Data Access Governance (DAG) Reports | Identify sites with oversharing, broad access, and sharing patterns that Copilot could exploit | Included with SAM (Copilot license or add-on) |
| Site Access Reviews | Trigger periodic access reviews with site owners to certify that current permissions are appropriate before Copilot deployment | Included with SAM |
| Restricted Content Discovery (RCD) | Exclude specific SharePoint sites from Copilot content discovery while maintaining direct user access | Included with SAM |
| Restricted Access Control (RAC) | Enforce a maximum access boundary on SharePoint sites, limiting access to security group members regardless of sharing links | Included with SAM |
| Site Lifecycle Management | Automate inactive site detection, owner notification, and archival to remove stale content from Copilot's grounding scope | Included with SAM |
| Content Management Assessment | Identify sites with oversized audiences, EEEU usage, broken permission inheritance, and inappropriate sharing patterns that create Copilot oversharing risk | Included with SAM |
| Microsoft 365 Archive | Store inactive but high-value content at a lower cost while preventing Copilot from processing or reasoning over archived sites | Requires M365 Archive add-on |
| Block Download Policy | Prevent file downloads from specific sites. Note: this restricts client-side downloads but does not restrict Copilot's server-side content access — use RCD or RAC to control Copilot access. | Included with SAM |
| Conditional Access for SharePoint Sites | Apply site-level conditional access policies that restrict Copilot access in specific contexts | Included with SAM |
| Change History | Track configuration changes to SharePoint sites for audit trail | Included with SAM |
| Agent Insight Report | Shows which agents access which SharePoint sites and OneDrive locations | Included with SAM (GA) |
| Catalog Management | Auto-groups sites by attributes for targeted governance policies | Included with SAM (GA) |
| SharePoint Admin Agent | AI-powered proactive risk monitoring for SharePoint governance | Included with SAM (GA) |

Agent Insight Report

The Agent Insight Report (GA) provides visibility into which Copilot agents access which SharePoint sites and OneDrive locations, enabling administrators to monitor agent data access patterns and identify potential oversharing risks introduced by agents.

| Aspect | Detail |
|---|---|
| Portal | SharePoint Admin Center > Reports > Agent Insights |
| Coverage | Shows agent-to-site access relationships across SharePoint and OneDrive |
| Time window | Configurable from 1 to 28 days |
| License requirement | Requires Microsoft 365 Copilot license or standalone SAM license |
| Data collection | Must be explicitly enabled; data collection is not retroactive — historical access before enablement is not captured |

FSI relevance: The Agent Insight Report helps institutions identify agents accessing sites containing regulated content (NPI, MNPI, client data) and supports examination readiness by providing documented evidence of agent data access governance.

Catalog Management

Catalog Management automatically groups SharePoint sites by attributes (sensitivity label, sharing posture, department, content type) to enable targeted governance policies at scale.

  • Administrators can create governance rules that apply to site groupings rather than individual sites
  • Supports natural-language admin queries (e.g., "Which sites are overshared?" or "Show me sites without sensitivity labels")
  • Enables bulk governance actions across site categories, reducing administrative overhead for large tenants

FSI relevance: Catalog Management helps institutions apply differentiated governance policies to categories of sites — for example, applying stricter Copilot access controls to all sites categorized as containing client financial data versus general collaboration sites.

SharePoint Admin Agent

The SharePoint Admin Agent (formerly known as the Content Governance Agent) is an AI-powered assistant for SharePoint Admins that provides proactive risk monitoring and governance recommendations. Using the SharePoint Admin Agent requires the SharePoint Advanced Management Administrator role assigned in Microsoft Entra ID.

  • Monitors for inactive sites, ownerless sites, and permission sprawl
  • Surfaces governance alerts and recommended actions within the SharePoint Admin Center
  • Supports natural-language queries for administrative tasks and site governance questions
  • Runs scheduled reports and surfaces information on a scheduled basis to help administrators view site governance status without manual navigation
  • Integrates with SAM capabilities including Data Access Governance reports, site access reviews, and site lifecycle management

Capabilities for Copilot governance:

  • Oversharing detection: Identifies sites with broad access (EEEU, anonymous links) that could expose sensitive content through Copilot grounding
  • Ownerless site identification: Flags sites without designated owners, which may lack governance oversight for Copilot data access
  • Permission sprawl analysis: Detects sites where permissions have drifted from intended configurations, increasing Copilot exposure risk
  • Governance gap alerts: Proactively surfaces sites missing sensitivity labels, lacking access reviews, or with outdated lifecycle status

FSI relevance: The SharePoint Admin Agent aids in identifying governance gaps that could affect Copilot data access — such as ownerless sites with broad sharing that may expose sensitive content through Copilot grounding. Organizations should document reliance on the SharePoint Admin Agent in their governance procedures and verify recommendations before acting on them. See SharePoint Admin Agent documentation for configuration details.

Content Management Assessment

The SAM Content Management Assessment provides a comprehensive scan of SharePoint content governance posture, identifying oversharing vectors that DSPM data risk assessments may not fully cover at the site-structure level:

| Assessment Finding | Description | Copilot Risk |
|---|---|---|
| Oversized audiences | Sites accessible to large groups that effectively grant org-wide access | Copilot can surface content from sites with audiences exceeding intended scope |
| EEEU usage | Sites shared with "Everyone except external users" | EEEU is the primary oversharing vector for Copilot grounding |
| Broken permission inheritance | Libraries or folders where permissions diverge from the parent site | Sensitive content in sub-folders may be accessible to broader audiences than intended |
| Inappropriate sharing | Sites with sharing configurations that exceed organizational policy | Content shared beyond intended boundaries may be surfaced by Copilot |
| Inactive sites | Sites with no recent activity that may contain stale content | Stale content in Copilot grounding reduces response accuracy |
| Ownerless sites | Sites without a designated owner for access governance | No accountable owner to certify Copilot access appropriateness |

FSI relevance: Run the Content Management Assessment before Copilot deployment to establish a baseline of content governance posture. Microsoft's Secure and Govern blueprint recommends running CMA alongside DSPM data risk assessments to identify sites requiring remediation before Copilot can access them. Organizations should schedule CMA runs quarterly and compare results against previous baselines to track governance improvement.

Data Access Governance (DAG) Reports

DAG reports are purpose-built for identifying access risks that Copilot amplifies. Reports are organized into two categories — snapshot reports that capture point-in-time permission state, and activity reports that track potential oversharing activity over the past 28 days.

Snapshot Reports

| Report | What It Shows | Copilot Relevance |
|---|---|---|
| Site permissions across your organization (Recommended) | Point-in-time view of all site permissions across the tenant | Supports pre-deployment Copilot readiness audits; captures full permission state before Copilot go-live |
| Site permissions for users | Per-user view of which sites each user can access and with what permission level | Helps identify users with excessively broad access that Copilot could exploit across workloads |
| Sensitivity label applied to files | Files with and without sensitivity labels applied | Unlabeled files cannot be governed by label-based Copilot DLP controls |

Activity Reports

Activity reports track potential oversharing activities that occurred in the past 28 days:

| Report | What It Shows | Copilot Relevance |
|---|---|---|
| Sharing links | Sites with the most sharing links created (anonymous, company-wide, specific people) during the reporting period | Sharing links are access paths Copilot can traverse; trending link creation highlights emerging oversharing risk |
| Shared with "Everyone except external users" | Sites shared with the EEEU group | EEEU is the #1 oversharing vector for Copilot |

The "Site permissions across your organization" snapshot report is particularly useful for establishing a permission baseline before Copilot deployment and for compliance evidence demonstrating that permissions were reviewed before enabling AI access to SharePoint content. Organizations should schedule snapshot reports quarterly and compare results against previous baselines to track governance improvement.

Site Access Reviews

SAM enables automated site access review workflows:

1. TRIGGER: Admin initiates access review for selected sites
       |
2. NOTIFY: Site owners receive access review request
       |
3. REVIEW: Site owners review and certify current permissions
       |
4. REMEDIATE: Site owners remove inappropriate access
       |
5. CERTIFY: Review completion documented with timestamp
       |
6. REPORT: Admin reviews certification status across all sites

Access review parameters:

| Parameter | Configuration Options |
|---|---|
| Scope | All sites, sites with specific labels, sites above sharing threshold |
| Frequency | One-time, quarterly, semi-annual, annual |
| Reviewer | Site owner (primary), site collection admin (secondary) |
| Escalation | Auto-escalate uncompleted reviews to admin after deadline |
| Auto-remediation | Optionally restrict access on sites with uncompleted reviews |

Restricted Content Discovery (RCD)

RCD is a per-site control that excludes specific SharePoint sites from Copilot content discovery:

| Aspect | RCD Behavior |
|---|---|
| Copilot search | Content on RCD-enabled sites is excluded from Copilot grounding queries |
| Direct access | Users can still navigate directly to the site and access content normally |
| SharePoint search | Content may still appear in direct SharePoint search results (configurable) |
| Scope | Per-site configuration -- applied to individual SharePoint site collections only; cannot be applied to OneDrive sites |
| Use case | Sites containing sensitive data that should not be surfaced by Copilot (e.g., HR data, legal holds, M&A data rooms) |

Configuration path: SharePoint admin center > Sites > Active sites > [site] > Settings > Restricted Content Discovery

OneDrive limitation: RCD applies to SharePoint sites only and cannot be applied to OneDrive sites. Organizations should verify that their Copilot scope governance strategy accounts for this limitation — sensitivity labels, DLP policies, or user-level access controls should be used to govern Copilot access to sensitive OneDrive content.

Restricted Access Control (RAC)

Restricted Access Control is a SAM capability that enforces a maximum access boundary on SharePoint sites, directly supporting oversharing remediation for Copilot governance:

| Aspect | RAC Behavior |
|---|---|
| How it works | Restricts access to a SharePoint site to only members of the site's associated security group, regardless of existing sharing permissions |
| Key distinction | Unlike sharing permissions, which grant additional access, RAC enforces a maximum access boundary -- anyone not in the designated security group cannot access the site even if they have a sharing link |
| Copilot impact | Copilot cannot surface content from a RAC-enabled site to users who are not in the designated security group, even if those users hold a sharing link |
| Scope | Per-site configuration |
| Use case | Sensitive sites that should only be accessible to a defined group — financial model repositories, M&A deal rooms, regulatory examination sites, NPI datastores |

Configuration path: SharePoint admin center > Sites > Active sites > [site] > Settings > Restricted Access Control

RAC is a strong complement to RCD: RCD excludes a site from Copilot discovery, while RAC ensures only authorized users can access the site at all. For sites containing material non-public information (MNPI) or non-public personal information (NPI), both controls should be considered.

Site Lifecycle Management

SAM's site lifecycle management helps reduce Copilot's exposure to stale content:

| Lifecycle Stage | SAM Capability | Copilot Impact |
|---|---|---|
| Active | Site activity monitoring, owner verification | Content available to Copilot within permission scope |
| Inactive detection | Automated detection of sites with no activity for a configurable period | Identifies stale content that may produce outdated Copilot responses |
| Owner notification | Automated email to site owners requesting confirmation of site need | Prompts cleanup of unnecessary content |
| Archival | Move inactive sites to archive state | Archived content removed from active Copilot grounding scope |
| Deletion | Scheduled deletion of confirmed unnecessary sites | Permanent removal from Copilot scope |

Copilot Surface Coverage

| Copilot Surface | SAM Governance Relevance | Key Feature |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | RCD, RAC, and DAG directly govern what Copilot Chat can access in SharePoint |
| SharePoint Copilot | Critical | SAM governs the primary content repository for SharePoint Copilot |
| Teams Copilot | High | Teams-linked SharePoint sites are governed by SAM |
| Word / Excel / PowerPoint | High | Documents stored in SharePoint are subject to SAM governance |
| OneDrive Copilot | Low | SAM primarily governs SharePoint, not OneDrive |
| Outlook Copilot | Low | SAM does not directly govern Exchange content |
| Copilot Pages | Medium | Pages may reference SharePoint content governed by SAM |
| Copilot Notebooks | Medium | Notebooks may reference SharePoint content governed by SAM |
| Loop Copilot | Medium | Loop may reference SharePoint content governed by SAM |
| Viva Copilot | Medium | Viva may surface SharePoint content governed by SAM |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Verify SAM licensing (included with Copilot licenses). Generate DAG snapshot and activity reports to understand current sharing and oversharing posture. Document SAM feature availability and gap analysis. | Minimum awareness of SAM capabilities and current data access posture. Organizations with Copilot licenses already have SAM available -- this tier is about activating and using the baseline reporting capabilities. |
| Recommended | All Baseline requirements plus: enable DAG reporting with monthly review cadence. Configure RCD for sites containing highly sensitive data that should not be in Copilot scope. Deploy RAC on the 10 most sensitive sites (e.g., sites containing NPI, MNPI, or regulatory examination materials). Initiate site access reviews for the top 50 sites with the broadest sharing. Enable site lifecycle management for inactive site detection. | Active use of SAM governance features to manage Copilot's SharePoint interaction at enterprise scale. RAC provides an additional oversharing safeguard beyond sharing permissions alone. |
| Regulated | All Recommended requirements plus: configure quarterly site access reviews for all sites containing regulated data. Enable RCD for all sites that have not passed data hygiene certification. Enable RAC on all sites containing NPI or MNPI with quarterly review of security group membership. Implement automated site lifecycle management with 90-day inactivity detection. Integrate DAG reports into compliance dashboards. Document SAM governance configuration in the regulatory examination file. Establish a SAM configuration change management process. | Comprehensive SAM governance that provides examination-ready data access controls and documented evidence of SharePoint governance for Copilot. |

Setup & Configuration

Step 1: Verify SAM Licensing

Navigate to Microsoft 365 Admin Center > Billing > Licenses and verify:

  • If the organization has Microsoft 365 Copilot licenses, SAM is already included -- no additional purchase is required
  • If the organization does not have Copilot licenses, verify whether the SharePoint Advanced Management add-on is provisioned and assigned to SharePoint Admins

Step 2: Enable and Run DAG Reports

Navigate to SharePoint admin center > Data access governance and:

  1. Snapshot reports: Run the "Site permissions across your organization" report (Recommended) for a point-in-time baseline of all site permissions. Run "Site permissions for users" to identify individual users with excessively broad access. Run "Sensitivity label applied to files" to identify unlabeled files.
  2. Activity reports: Run the "Sharing links" report to identify sites with recent broad sharing activity. Run the "Shared with 'Everyone except external users'" report to identify EEEU sharing patterns.
  3. Review snapshot report results to establish the pre-deployment permission baseline (retain as evidence).
  4. Schedule recurring snapshot reports (quarterly minimum) and activity reports (monthly minimum).

Step 3: Configure Restricted Content Discovery

For sites that should be excluded from Copilot content discovery:

Navigate to SharePoint admin center > Sites > Active Sites > [Select site] > Settings

Enable Restricted Content Discovery for the selected site. Verify that Copilot queries no longer surface content from the site (test with a licensed Copilot user).

Step 4: Configure Restricted Access Control

For sites that require hard access boundaries (not just Copilot exclusion):

Navigate to SharePoint admin center > Sites > Active Sites > [Select site] > Settings > Restricted Access Control

  1. Enable Restricted Access Control for the site
  2. Specify the designated security group whose members are permitted to access the site
  3. Verify that users with existing sharing links who are not in the security group can no longer access the site
  4. Document the RAC configuration and security group membership in governance records
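Steps 3 and 4 above are written for the admin center; the same RCD and RAC settings can be applied in bulk from the SharePoint Online Management Shell, which is how most tenants will handle more than a handful of sites. The script below is an added example and is not part of this framework or of Microsoft's documentation. The admin URL, site URLs and security-group object IDs are placeholders; the parameter names follow the Set-SPOSite documentation for RCD (`-RestrictContentOrgWideSearch`) and RAC (`-RestrictedAccessControl`, `-AddRestrictedAccessControlGroups`), and the readback relies on the matching Get-SPOSite properties being present, which is assumed here.

```powershell
# Added example (not from the framework): apply RCD + RAC to a list of sensitive sites
# and read the settings back for the governance record (Step 4, item 4).
# Assumptions: tenant/site URLs and group IDs are placeholders; cmdlet parameter and
# property names are taken from the Set-SPOSite / Get-SPOSite documentation.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

# RAC must be switched on at tenant level once before per-site RAC takes effect
Set-SPOTenant -EnableRestrictedAccessControl $true

# Constructed inventory: sites classified as NPI/MNPI and the Entra security group
# that defines each site's maximum access boundary (object IDs are placeholders)
$sensitiveSites = @(
    @{ Url = "https://contoso.sharepoint.com/sites/MA-DealRoom";   RacGroupId = "00000000-0000-0000-0000-000000000001" },
    @{ Url = "https://contoso.sharepoint.com/sites/NPI-Datastore"; RacGroupId = "00000000-0000-0000-0000-000000000002" }
)

foreach ($site in $sensitiveSites) {
    # RCD: drop the site from Copilot grounding; users keep direct access to it
    Set-SPOSite -Identity $site.Url -RestrictContentOrgWideSearch $true

    # RAC: hard boundary. Anyone outside the group cannot open the site even with a
    # sharing link. Non-group-connected sites need the boundary group named explicitly.
    Set-SPOSite -Identity $site.Url -RestrictedAccessControl $true
    Set-SPOSite -Identity $site.Url -AddRestrictedAccessControlGroups $site.RacGroupId
}

# Read the effective settings back; keep the CSV with the RAC group membership list
# as the documented configuration required by Step 4
$evidence = foreach ($site in $sensitiveSites) {
    $s = Get-SPOSite -Identity $site.Url -Detailed
    [pscustomobject]@{
        Url        = $s.Url
        RcdEnabled = [bool]$s.RestrictContentOrgWideSearch
        RacEnabled = [bool]$s.RestrictedAccessControl
        RacGroupId = $site.RacGroupId
        CheckedAt  = (Get-Date).ToString("o")
    }
}
$evidence | Format-Table -AutoSize
$evidence | Export-Csv -Path ".\sam-rcd-rac-config.csv" -NoTypeInformation
```

After running it, complete the functional check the framework asks for: have a licensed Copilot user who holds a sharing link but is not in the boundary group confirm that neither Copilot Chat nor direct navigation returns content from the site.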

Step 5: Initiate Site Access Reviews

Navigate to SharePoint admin center > Data access governance > Site access reviews:

  1. Select sites for review (start with sites flagged by DAG reports)
  2. Configure review parameters (scope, deadline, escalation)
  3. Notify site owners
  4. Monitor completion status
  5. Document outcomes

Step 6: Configure Site Lifecycle Management

Navigate to SharePoint admin center > Policies > Site lifecycle management:

  1. Set inactivity detection threshold (e.g., 180 days for Baseline, 90 days for Regulated)
  2. Configure owner notification templates
  3. Set archival automation rules
  4. Define deletion timelines for confirmed unnecessary sites

Financial Sector Considerations

  • SAM Licensing Clarification: Organizations deploying Microsoft 365 Copilot have SAM included in their licensing at no additional cost. SharePoint Admins who do not personally hold a Copilot license should use the standalone SAM add-on to access SAM administration capabilities.
  • RCD for Regulatory Data: Sites containing regulatory examination materials, enforcement actions, consent orders, or examination responses should have RCD enabled to prevent Copilot from surfacing these materials in non-regulatory contexts.
  • RAC for MNPI and NPI Sites: Sites containing material non-public information (M&A deal rooms, pre-announcement financials) or non-public personal information (customer account data, credit files) should have RAC enabled to enforce hard access boundaries. RAC is particularly effective for ensuring that sharing links do not bypass intended access restrictions, per GLBA §501(b) and SEC Regulation S-P requirements.
  • Access Review Regulatory Alignment: SAM site access reviews can serve dual purpose for Sarbanes-Oxley access certification requirements (where applicable to ICFR). Coordinate SAM access reviews with existing SOX compliance calendars to avoid duplicative effort.
  • M&A Data Room Governance: Deal-related SharePoint sites should have both RCD and RAC enabled by default, with DAG reporting used to monitor for permission drift during deal lifecycle. RAC ensures that even if sharing links are inadvertently created during deal activity, access remains bounded to authorized deal team members.
  • Site Lifecycle for Regulatory Retention: Site lifecycle management automation must respect regulatory retention obligations. Configure archival and deletion policies to align with FINRA 4511, SEC 17a-4, and institution-specific retention schedules.
  • DAG Report Distribution: Consider distributing DAG report summaries to first-line risk managers (not just IT) to integrate SharePoint access governance into the institution's three lines of defense model.

Verification Criteria

  1. SAM licensing status has been evaluated and confirmed (included with Copilot licenses; documented)
  2. DAG snapshot and activity reports have been generated and reviewed within the past 30 days
  3. "Site permissions across your organization" snapshot report has been generated as a pre-deployment baseline (documented with date)
  4. DAG report findings have been triaged and assigned for remediation
  5. RCD is enabled for sites containing highly sensitive data that should not be in Copilot scope (Recommended and Regulated levels)
  6. RAC is enabled for sites containing NPI or MNPI with documented security group membership (Recommended and Regulated levels)
  7. Site access reviews have been initiated for sites with broadest sharing (Recommended and Regulated levels)
  8. Site access review completion rates are tracked and reported
  9. Site lifecycle management is configured with appropriate inactivity thresholds (Recommended and Regulated levels)
  10. DAG reporting cadence is established (monthly minimum for Recommended; continuous for Regulated)
  11. SAM configuration (RCD, RAC, lifecycle policies) is documented in the organization's Copilot governance documentation
  12. SAM governance features and their outputs are included in regulatory examination readiness materials (Regulated level)
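Verification criteria 5 and 6, together with the Regulated-level requirement for a quarterly review of RAC security group membership, are easiest to evidence with a scheduled attestation run. The script below is an added example, not part of this framework: it compares each classified site's live RCD/RAC state against the governance record and snapshots the members of the RAC boundary group through Microsoft Graph. The tenant URL, site list and group object IDs are placeholders, and it assumes the SharePoint Online Management Shell and the Microsoft.Graph.Groups module are installed and that Get-SPOSite exposes the `RestrictContentOrgWideSearch`, `RestrictedAccessControl` and `RestrictedAccessControlGroups` properties named in Microsoft's documentation.

```powershell
# Added example (not from the framework): quarterly RCD/RAC coverage attestation for
# sites classified as NPI/MNPI, including a membership snapshot of each RAC boundary group.
# Assumptions: placeholders for tenant/site URLs and group IDs; SPO property names and the
# Graph cmdlets are taken from their respective documentation.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"                 # placeholder
Connect-MgGraph -Scopes "Group.Read.All", "GroupMember.Read.All" -NoWelcome

# Constructed governance record: the state each site is supposed to be in
$expected = @(
    [pscustomobject]@{ Url = "https://contoso.sharepoint.com/sites/MA-DealRoom";   Class = "MNPI"; RacGroupId = "00000000-0000-0000-0000-000000000001" },
    [pscustomobject]@{ Url = "https://contoso.sharepoint.com/sites/NPI-Datastore"; Class = "NPI";  RacGroupId = "00000000-0000-0000-0000-000000000002" }
)

$findings = foreach ($e in $expected) {
    $site = Get-SPOSite -Identity $e.Url -Detailed
    $gaps = @()
    if (-not $site.RestrictContentOrgWideSearch) { $gaps += "RCD off: Copilot can still ground on this site" }
    if (-not $site.RestrictedAccessControl)      { $gaps += "RAC off: sharing links are not bounded" }
    if ($site.RestrictedAccessControlGroups -notcontains $e.RacGroupId) { $gaps += "RAC group differs from governance record" }

    # The boundary group is the full set of people Copilot may serve this site's content to,
    # so its membership is what the quarterly review certifies
    $members = Get-MgGroupMember -GroupId $e.RacGroupId -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }

    [pscustomobject]@{
        Url         = $e.Url
        Class       = $e.Class
        RcdEnabled  = [bool]$site.RestrictContentOrgWideSearch
        RacEnabled  = [bool]$site.RestrictedAccessControl
        MemberCount = @($members).Count
        Members     = (@($members) -join ";")
        Gaps        = ($gaps -join " | ")
        CheckedAt   = (Get-Date).ToString("o")
    }
}

$findings | Format-Table Url, Class, RcdEnabled, RacEnabled, MemberCount, Gaps -AutoSize

# Dated CSV goes into the examination file; a non-zero exit lets the scheduler flag
# that remediation or a membership review is outstanding
$stamp = Get-Date -Format "yyyy-MM-dd"
$findings | Export-Csv -Path ".\sam-attestation-$stamp.csv" -NoTypeInformation
if ($findings | Where-Object { $_.Gaps }) { exit 1 }
```

Running this quarterly and retaining the dated CSV gives the documented evidence that criteria 5, 6 and 11 ask for, and the membership column is the artefact the RAC group owner signs off during the Regulated-level review.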

Additional Resources


FSI Copilot Governance Framework v1.4.0 - April 2026