Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
In today’s rapidly evolving landscape of generative and agentic artificial intelligence, such as Microsoft 365 Copilot, businesses are not just transforming operations but also facing new cybersecurity challenges. While these tools can streamline processes and access information, they can also exacerbate existing security risks, particularly concerning data governance. One significant issue is internal oversharing—when employees have more access to information than they truly need. This oversight can lead to serious vulnerabilities and exposure of sensitive data.
It’s common for oversharing to arise from simple configuration issues rather than malicious intent. Organizations might set site privacy settings that allow access to everyone in the company, or they might forget to implement proper sensitivity labels for certain files. Default sharing options often bypass more secure settings, and broken permission inheritance could mean that the rights set at the site level don’t reflect the permissions needed at the file or folder levels.
To combat these concerns, organizations are encouraged to transition from reactive oversight to proactive governance. This approach ensures that all data feeds into AI systems are well-managed, labeled, and securely handled. The article proposes a structured framework for governing tools like Copilot, primarily emphasizing the use of Microsoft Purview and SharePoint Advanced Management (SAM).
To begin with, addressing the governance of data access is paramount. As Gartner warns, a staggering percentage of companies might not fully realize the benefits of their AI investments due to poorly organized data frameworks. This governance should focus on controlling the environments from which AI gathers data. A phased strategy recommended by Microsoft includes: **Pilot, Deploy, and Operate**.
First, organizations can initiate a pilot program, deploying Copilot to a select group of users with access to key low-risk sites. This stage is essential for understanding how well the permissions work and identifying any oversharing that may occur before scaling up across the organization.
The next phase involves deploying Copilot organization-wide while remediating any oversharing risks encountered. During this step, it’s vital to leverage the native tools available for securing sensitive data and enforcing privacy labels to ensure robust protection is in place.
Finally, establishing ongoing governance through automated policies and regular monitoring is crucial. This will help to ensure that as collaboration increases, AI access remains aligned with both business objectives and security standards.
For organizations utilizing SharePoint, understanding the governance controls offered by SAM is critical. SharePoint serves as a central hub for file sharing across various platforms, including Teams and OneDrive. Actions within SharePoint dictate what Copilot and agents can summarize or present to users. SAM plays a key role in helping administrators manage their SharePoint environments effectively.
Key features of SAM include content management assessments which provide insights into misconfigurations and permission issues across vast SharePoint sites. Site lifecycle management helps identify sites that are inactive or lack proper ownership, enabling administrators to take corrective actions, such as archiving or marking them as read-only. Additionally, permission state reports allow for customizable evaluations of site permissions, uncovering risks associated with oversharing.
A restricted access control feature enables administrators to promptly lock down access to specifically defined users, ensuring rapid response to suspicious activity. Meanwhile, restricted content discovery allows organizations to quickly block certain SharePoint sites from being accessed by Copilot or agents, thereby enhancing data security.
Microsoft Purview takes this a step further by offering a suite of protective and reactive measures across all Microsoft applications. With Purview, organizations can enforce protections and monitor potential data exposures tied to AI usage. The platform’s Data Security Posture Management (DSPM) for AI can guide security teams in identifying risks and assessing how tools like Copilot and agents are leveraged.
Data Risk Assessments within DSPM for AI run regularly on high-traffic SharePoint sites, searching for sensitive files and exposing potential sharing risks. Custom assessments can also be conducted for specific teams or projects, providing comprehensive insights into the overall risk landscape.
Once high-risk sites have been identified, organizations gain access to targeted remediation suggestions, allowing them to take immediate action to restore security protocols. Preventing unnecessary AI and agent access to sensitive files is one action. Additionally, organizations can use SharePoint’s Restricted Content Discovery feature for entire sites temporarily, allowing time for proper remediation processes.
Data lifecycle policies also help tame the sprawl of sensitive information by automating the deletion of outdated or rarely modified files, refining the risk landscape.
With these governance strategies in place, organizations can secure their data and leverage AI tools like Copilot effectively, turning potential liabilities into valuable assets and fostering a culture of security-aware innovation.
Source: