Here's a sentence that has launched a thousand panicked IT meetings: Microsoft 365 Copilot surfaced a document nobody realised was shared. The instinct is to blame Copilot. The truth is harder. Copilot didn't create an oversharing problem, it made an existing one visible, at AI speed.
The uncomfortable truth
As Microsoft itself puts it, Copilot exposes data organisations didn't realise was overshared, not because it does anything wrong, but because it surfaces what users already had access to. The permissions were always too broad. Copilot just made that impossible to ignore. Microsoft's own guidance on mitigating oversharing to govern Copilot and agents is essential reading.
The four oversharing patterns
Almost every oversharing incident traces back to one of four patterns:
- "Everyone except external users" groups applied far too broadly, effectively making content org-wide.
- Broken permission inheritance, where a site or library quietly lost its intended access controls.
- Anonymous or organisation-wide sharing links created "just to make it easy," then forgotten.
- Legacy "All Employees" security groups that grant access nobody has reviewed in years.
If any of those sound familiar, and they will, that's exactly what Copilot will surface. Understanding how SharePoint permissions actually work is the foundation for fixing them.
Restricted Content Discovery
Restricted Content Discovery (RCD) is Microsoft's targeted control for this. When you enable RCD on a site, its content stops appearing in organisation-wide search and Copilot experiences unless a user has recently interacted with it, reducing accidental discovery while you evaluate and fix the underlying permissions. Think of it as a temporary safety curtain, not a permanent fix, but a genuinely useful one while you clean up.
SharePoint Advanced Management
SharePoint Advanced Management (SAM) is the visibility-and-control layer that makes remediation manageable at scale. It helps administrators identify risky sharing patterns, prioritise which sites to review, oversee lifecycle, and apply temporary discovery controls while deeper cleanup proceeds. Microsoft's Get ready for Copilot with SharePoint Advanced Management guide is the canonical reference.
A practical remediation plan
You don't fix oversharing by panicking or by locking everything down. You do it in order. First, use SAM reports to find your highest-risk sites, over-broad groups, anonymous links, broken inheritance. Second, apply RCD to the riskiest sites to buy time. Third, remediate the real permissions: replace broad groups with scoped ones, restore inheritance, revoke stale links. Fourth, apply sensitivity labels so protection is consistent going forward. This is the same discipline behind deploying Copilot safely.
Worried about what Copilot might surface?
A 30-minute call and a permissions review will tell you where your real exposure is, before Copilot finds it for you.
Book a free strategy call →Fix the cause, not the symptom
RCD and SAM are excellent tools, but they manage the symptom. The cause is permissions that were too broad long before Copilot existed. The organisations that handle AI well are the ones that treat this as what it is, a governance and permissions cleanup, and do it properly. Copilot just gave you the deadline you'd been putting off.
Ready to get more from SharePoint and Microsoft 365?
Every engagement starts with understanding your specific situation. One expert, on strategy and in the build.
Book a Free Strategy Call →