Oversharing Risks: What Copilot Surfaces

Video Tutorial


Copilot accelerates discovery, which means it can rapidly surface content you already overshared. Learn the most common risk patterns in SharePoint/OneDrive and how to fix them.

Duration: 6:00 | Published: January 14, 2026 | Tags: Security, IT

Overview

When security teams test Copilot, they sometimes get a scare: Copilot summarizes a document they didn’t think anyone could see.

The immediate reaction is often: “Copilot is leaking data!”

But the reality is usually simpler—and harder to fix: “We gave everyone access to that site three years ago and forgot about it.”

This video tackles the problem of Oversharing. We’ll explain why Copilot acts as a spotlight on your permission hygiene, identify the most common bad habits in SharePoint and Teams, and give you a plan to clean it up.

What You’ll Learn

  • The difference between “technical access” and “discoverability”
  • Common oversharing patterns in government agencies
  • A prioritized list of sites to audit before rollout
  • How to talk to leadership about permission hygiene

Script

Hook: “Copilot didn’t leak it—your permissions did”

If Copilot summarizes a sensitive document for a user, the first question isn’t “How did Copilot get it?”

The real question is: “Did that user already have access?”

And 99 times out of 100, the answer is yes. They had access. They just didn’t know it.

Why Copilot surfaces oversharing

Copilot is permission-trimmed. It can only see what the user can see.

The difference is discovery.

Before Copilot, if I wanted to find a sensitive file, I needed to know the site name, browse the folder structure, or guess the right keyword. Security through obscurity often worked—imperfectly.

Copilot changes that. It can connect information across sites. It can answer questions like “What is the budget for Project X?” by finding the one Excel file I technically have access to in a forgotten public folder.

So the takeaway is: Copilot increases the impact of oversharing because it makes overshared content easy to find.

The most common oversharing patterns

Where does this happen? In most agencies, it’s not malicious. It’s usually “mission speed” choices.

Here are the patterns we see most often:

  1. The “Everyone” Group: A site owner wants to share a document quickly, so they add “Everyone except external users” to the site members group. Now the whole agency has access.
  2. The “Public” Team: A Microsoft Team is created as “Public” by default, meaning every file in it is open to the organization.
  3. Legacy Migrations: File shares were lifted and shifted into SharePoint five years ago, carrying over broken or overly permissive ACLs.
  4. External Sharing Links: “Anyone with the link” settings that were never expired or reviewed.

Remediation plan: what to do before broad Copilot rollout

You don’t have to fix the entire ocean. You just need to clean the drinking water.

Focus your remediation on high-risk, high-value areas first:

  • Executive Staff Sites: Ensure the Director’s office isn’t open to the public.
  • HR and Finance: These should be locked down by default.
  • Acquisition and Contracting: Protect sensitive procurement data.

Your action plan is:

  1. Audit these top sites. Check for broad groups like “Everyone” or “All Users.”
  2. Review Sharing Links. Expire old external links.
  3. Use Tools. Microsoft has tools like SharePoint Advanced Management that can generate reports on “overshared sites.” Use them.
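The first two steps of that plan, as an added example in the SharePoint Online Management Shell (this is not a script from the video or from Microsoft). It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the account holds the SharePoint Administrator role; `<tenant>` and the four site URLs are placeholders for your own high-value sites.

```powershell
# Added example, not a script from the video or from Microsoft. Assumes the
# SharePoint Online Management Shell module is installed and you hold the
# SharePoint Administrator role; <tenant> and the site URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Step 1 targets: the high-risk, high-value sites named in the plan (placeholders).
$prioritySites = @(
    "https://<tenant>.sharepoint.com/sites/DirectorsOffice",
    "https://<tenant>.sharepoint.com/sites/HR",
    "https://<tenant>.sharepoint.com/sites/Finance",
    "https://<tenant>.sharepoint.com/sites/Acquisition"
)

# Broad principals as they appear in SharePoint login names:
#   "Everyone except external users" -> c:0-.f|rolemanager|spo-grid-all-users/<tenant id>
#   "Everyone"                       -> c:0(.s|true
# Display-name matches catch custom groups named like "All Users".
$broadPatterns = @("spo-grid-all-users", "c:0(.s|true", "Everyone", "All Users")

$findings = foreach ($site in $prioritySites) {
    foreach ($group in Get-SPOSiteGroup -Site $site) {
        foreach ($member in $group.Users) {
            $hit = $broadPatterns | Where-Object { $member -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{
                    Site   = $site
                    Group  = $group.Title
                    Roles  = ($group.Roles -join ", ")
                    Member = $member
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Step 2: which sites still permit "Anyone with the link" sharing, and whether
# the tenant forces anonymous links to expire at all.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Title, SharingCapability
$tenant = Get-SPOTenant
"RequireAnonymousLinksExpireInDays = $($tenant.RequireAnonymousLinksExpireInDays)"

# Remediation, commented out so the report is reviewed before anything changes:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
# Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/HR" -SharingCapability ExternalUserSharingOnly
```

Get-SPOSiteGroup only lists site-collection groups, so a broad principal granted access directly on a library, folder or item will not show up here; that gap is what the SharePoint Advanced Management oversharing reports mentioned in step 3 are for.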

Close: the sound bite for leadership

Here is the line for your leadership briefing:

Copilot doesn’t break permissions. It makes permissions matter more.

If we fix oversharing now, Copilot becomes safer—and our agency’s data hygiene gets better overall.

Next up, we’ll look at Security Monitoring and what you should be watching in the logs.
