The Oversharing Problem Copilot Didn't Create — It Just Exposed

Microsoft Copilot doesn't create new permissions. It doesn't bypass access controls or hack into documents employees aren't allowed to see. What it does is remove the friction of finding things. And that distinction is everything.

Before Copilot, an overshared HR policy sitting in a SharePoint site nobody visited stayed quiet. Nobody knew it was there. Nobody searched for it. The security risk existed, but it was effectively dormant — buried under years of file sprawl and organizational inertia.

Now, any employee with a Copilot license can ask "what's the vacation policy?" and Copilot will surface that document from wherever it lives, regardless of whether it was ever meant to be broadly accessible. It respects the permissions as configured — and that's precisely the problem. The permissions were wrong to begin with.

Microsoft reports that on average 16% of business-critical organizational data is overshared, with approximately 802,000 files per organization at risk. While those files were protected by nothing more than obscurity, the exposure was theoretical. Copilot makes it real and instantaneous.

Three Categories of Pre-Flight Work

When we prepare a client for Copilot deployment, the work falls into three categories. None of them are optional. All of them take longer than clients expect.

1. SharePoint Permission Archaeology

The first job is understanding what your SharePoint environment actually looks like, not what it was supposed to look like. Most organizations have years of permission drift: sites shared with "Everyone," "Everyone except external users" grants that nobody ever removed, org-wide sharing links created for one-time convenience that became permanent, and content inherited from organizational restructurings that left permissions pointing at ghost groups.

The remediation process is methodical: enumerate every broad sharing grant across the entire tenant, triage by content sensitivity, then either remove the grant, quarantine the content, or explicitly confirm the access is intentional. We run this before a single Copilot license is provisioned. No exceptions.
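The enumeration step above, as an added example that is not code from the original article: a tenant-wide sweep for broad grants with the SharePoint Online Management Shell. It assumes you hold the SharePoint Administrator role, have already run Connect-SPOService against your admin URL, and that "contoso" stands in for your tenant name. It relies on two things that are stable in SharePoint Online: the well-known claim strings for "Everyone" and "Everyone except external users", and the fact that sharing links are materialised as site groups named SharingLinks.<itemId>.<Kind>.<linkId>, where <Kind> tells you the audience.

```powershell
# Added example (not from the original article): tenant-wide sweep for broad
# grants using the SharePoint Online Management Shell. Assumes the SharePoint
# Administrator role and a prior
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com
# ("contoso" is a placeholder tenant). Emits one row per broad grant for triage.

# Well-known claim identities. The EEEU claim embeds the tenant ID, so match its prefix.
$EveryoneClaim = 'c:0(.s|true'                              # "Everyone"
$EeeuPrefix    = 'c:0-.f|rolemanager|spo-grid-all-users/'   # "Everyone except external users"

# Sharing links are materialised as site groups named
# SharingLinks.<itemId>.<Kind>.<linkId>; <Kind> (AnonymousView, AnonymousEdit,
# OrganizationView, OrganizationEdit, Flexible) identifies the audience.
$LinkGroupPattern = '^SharingLinks\.[0-9a-fA-F-]+\.(?<Kind>[A-Za-z]+)\.'

function New-Finding($Site, $Group, $GrantType, $Severity) {
    [pscustomobject]@{
        SiteUrl   = $Site.Url
        Template  = $Site.Template
        GrantType = $GrantType
        Group     = $Group.Title
        Roles     = (@($Group.Roles) -join ';')
        Severity  = $Severity
    }
}

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $groups = Get-SPOSiteGroup -Site $site.Url
    } catch {
        Write-Warning "Skipping $($site.Url): $($_.Exception.Message)"
        continue
    }
    foreach ($g in $groups) {
        # Direct "Everyone"-style claims added as members of a site group
        foreach ($u in @($g.Users)) {
            if ($u -eq $EveryoneClaim) {
                New-Finding $site $g 'Everyone' 'High'
            } elseif ($u -and $u.StartsWith($EeeuPrefix)) {
                New-Finding $site $g 'EveryoneExceptExternal' 'High'
            }
        }
        # Sharing-link groups: Anonymous* is an "Anyone" link, Organization* is org-wide
        if ($g.Title -match $LinkGroupPattern) {
            $kind = $Matches['Kind']
            if ($kind -like 'Anonymous*') {
                New-Finding $site $g "SharingLink:$kind" 'Critical'   # no sign-in required
            } elseif ($kind -like 'Organization*') {
                New-Finding $site $g "SharingLink:$kind" 'High'       # everyone in the tenant
            }
            # Flexible (specific-people) links are deliberately left out of the triage list
        }
    }
}

$findings | Sort-Object Severity, SiteUrl |
    Export-Csv -Path .\broad-grants.csv -NoTypeInformation

# Headline for the triage meeting: how many grants of each type across the tenant
$findings | Group-Object GrantType | Select-Object Name, Count | Format-Table -AutoSize
```

The CSV is the triage worklist: each row gets one of the three outcomes the text describes (remove the grant, quarantine the site, or record that the access is intentional). The sweep deliberately stops at site groups; item-level unique permissions on individual files and folders are not visible here and still need the admin center reports.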

2. Sensitivity Label Deployment

Permission cleanup handles the access layer. Sensitivity labels handle the classification layer. Documents containing PII, financial data, attorney-client communications, HR records, or any content subject to regulatory requirements need labels that tell the Microsoft Purview stack exactly how to treat them. That includes Copilot: when a label applies encryption, Copilot honours its usage rights, so a user who lacks the EXTRACT right on a document will not get Copilot answers grounded on it, and a label is also the selector for a Copilot-specific DLP policy (Step 5 below).

Auto-labeling policies, applied through Purview, can scan existing content and apply labels based on detected data types. This is the difference between relying on employees to remember to label things and having the system label things for them. It's not perfect, but it's dramatically better than no labeling at all.

3. Restricted Content Discovery (RCD)

Restricted Content Discovery is the bridge control: for SharePoint sites you cannot fully remediate before the Copilot rollout deadline, RCD keeps a site's content out of Copilot's grounding and out of tenant-wide search while you continue the cleanup work. It's a per-site flag, not a tenant-wide suspension, and it changes nobody's permissions: users who already have access can still open the files directly, and Copilot can still work on a file a user has open in front of them. Think of it as a quarantine zone: you get Copilot running for the business while you clean up the problem sites in parallel.

RCD is not a permanent solution. It's a sequencing tool. Every site in RCD should have a remediation timeline attached to it.
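Applying RCD with a remediation owner and deadline per site, as an added example that is not code from the original article. It assumes Connect-SPOService has been run against the admin URL, that the tenant holds the SharePoint Advanced Management licence RCD requires, and that RCD is exposed as the RestrictContentOrgWideSearch site property in the current SharePoint Online Management Shell. The quarantine list is constructed sample data.

```powershell
# Added example (not from the original article): put sites that cannot be
# remediated before go-live into Restricted Content Discovery and keep an owner
# and deadline against each one. Assumes Connect-SPOService to the admin URL.
# The quarantine list below is constructed sample data; keep the real one in
# source control so the deadlines are reviewed, not forgotten.
$quarantine = @'
SiteUrl,Owner,Deadline
https://contoso.sharepoint.com/sites/HR-Archive,hr-ops@contoso.com,2026-03-31
https://contoso.sharepoint.com/sites/Finance-Legacy,finance-it@contoso.com,2026-04-15
'@ | ConvertFrom-Csv

foreach ($row in $quarantine) {
    # RCD is the RestrictContentOrgWideSearch site property: the site's content
    # is withheld from Copilot grounding and tenant-wide search, but nobody's
    # permissions change, so the cleanup still has to happen.
    Set-SPOSite -Identity $row.SiteUrl -RestrictContentOrgWideSearch $true
}

# Verify the flag actually took on every quarantined site and track the clock
$status = foreach ($row in $quarantine) {
    $site = Get-SPOSite -Identity $row.SiteUrl
    [pscustomobject]@{
        SiteUrl    = $row.SiteUrl
        Restricted = [bool]$site.RestrictContentOrgWideSearch
        Owner      = $row.Owner
        Deadline   = [datetime]$row.Deadline
        DaysLeft   = ([datetime]$row.Deadline - (Get-Date).Date).Days
    }
}
$status | Format-Table -AutoSize

# Anything not flagged, or past its deadline, is a go-live blocker, not a footnote
$status | Where-Object { -not $_.Restricted -or $_.DaysLeft -lt 0 }

# Exit path once a site is clean: clear the flag and drop it from the list
# Set-SPOSite -Identity https://contoso.sharepoint.com/sites/HR-Archive -RestrictContentOrgWideSearch $false
```

Run the verification loop on a schedule, not once: a site whose flag was cleared early by a well-meaning site owner is back in Copilot's index the same day.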

The 12-Step Pre-Flight Checklist

Here is the exact checklist we run before enabling Copilot for any client. Each step exists because we've seen what happens when it's skipped.

  1. Run SharePoint permission reports. Pull site-level and item-level permissions across the entire tenant. Use the Data access governance reports in the SharePoint admin center (part of SharePoint Advanced Management) for the "Everyone except external users" and sharing-link views, and the Microsoft 365 Assessment Tool for full coverage.
  2. Audit all "Anyone" and org-wide sharing links. Enumerate every link that allows access without sign-in ("Anyone") or grants access to the entire organization ("People in your organization"). Document the business justification for each one that remains; delete the rest, and consider tightening the tenant-level sharing capability so new "Anyone" links cannot be created.
  3. Apply sensitivity labels to the top five content categories. Identify the highest-risk content types in your organization (HR, finance, legal, executive, regulated data) and deploy labels with appropriate protection settings. Start with auto-labeling for existing content.
  4. Enable Restricted Content Discovery on high-risk sites. Sites that contain sensitive content that cannot be fully remediated before go-live get RCD applied. Every site gets a remediation owner and a deadline.
  5. Deploy DLP policies for Copilot. Purview Data Loss Prevention has a Microsoft 365 Copilot location. A policy scoped to it, with the condition that content carries one of your high-sensitivity labels, excludes that content from Copilot processing: Copilot will not summarize it or use it to ground a response, even for users who can open the file. It does not redact output after the fact; it keeps labeled content out of the answer entirely. This step is frequently missed.
  6. Configure unified audit logging. Confirm that auditing is on in Purview and that Copilot interactions are being recorded (they appear in the unified audit log with record type CopilotInteraction, including which resources Copilot accessed to ground each response). You need a record of what Copilot surfaced, to whom, and when. This is your forensic baseline.
  7. Deploy Copilot to a pilot group of 5–10 users first. Do not license the organization. Pick a representative cross-section of roles and give them Copilot for two to three weeks before broader rollout.
  8. Run a tabletop exercise: ask Copilot something you shouldn't know. This is not optional. Have someone ask Copilot about salary data, personnel decisions, M&A discussions, or any category of information that should be restricted. Document what it surfaces. The exercise almost always finds something worth fixing.
  9. Review audit logs from the pilot. After two weeks of pilot usage, pull Copilot audit logs and look for anomalous data access — content surfaced from sites that weren't expected to be in scope, or sensitive data types appearing in responses.
  10. Update the Acceptable Use Policy. Employees need written guidance on what Copilot should and should not be used for, how to handle AI-generated outputs that contain sensitive information, and the policy on using Copilot for content involving third-party confidential information.
  11. Train all end users before licensing. Not a one-paragraph email. A structured training session covering what Copilot can access, what the AUP requires, how to report unexpected data exposure, and what responsible Copilot use looks like for their role.
  12. License the organization. Only after completing the above eleven steps. Not before.
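Steps 6 and 9 together, as an added example that is not code from the original article: pull two weeks of Copilot interactions from the unified audit log with Exchange Online PowerShell and flag responses grounded on content outside the pilot's expected sites, or on labeled content. It assumes Connect-ExchangeOnline has been run with an account holding the View-Only Audit Logs role, that "contoso" and the two site URLs are placeholders, and that records follow the documented CopilotInteraction schema (AuditData.CopilotEventData.AccessedResources entries carrying Name, SiteUrl and SensitivityLabelId). Inspect one raw record from your own tenant before trusting the field names.

```powershell
# Added example (not from the original article): review the Copilot audit trail
# from the pilot. Assumes Connect-ExchangeOnline and the View-Only Audit Logs
# role. Field names below follow the documented CopilotInteraction schema;
# verify against a raw record ($records[0].AuditData) in your tenant first.
$expectedSites = @(
    'https://contoso.sharepoint.com/sites/PilotTeam',
    'https://contoso.sharepoint.com/sites/CompanyWiki'
)

# Page through the log; ReturnLargeSet needs a stable SessionId across calls
$start     = (Get-Date).AddDays(-14)
$end       = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -gt 0)

$flags = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    foreach ($res in @($data.CopilotEventData.AccessedResources)) {
        $site    = [string]$res.SiteUrl
        $inScope = $false
        foreach ($s in $expectedSites) { if ($site -like "$s*") { $inScope = $true } }
        $reasons = @()
        if ($site -and -not $inScope) { $reasons += 'OutOfScopeSite' }   # grounded on a site nobody expected
        if ($res.SensitivityLabelId)  { $reasons += 'LabeledSource' }    # labeled content reached a response
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                When     = $r.CreationDate
                User     = $r.UserIds
                AppHost  = $data.CopilotEventData.AppHost
                Resource = $res.Name
                SiteUrl  = $site
                LabelId  = $res.SensitivityLabelId
                Reason   = ($reasons -join ',')
            }
        }
    }
}

$flags | Sort-Object When | Export-Csv -Path .\copilot-pilot-flags.csv -NoTypeInformation

# Which sites and labels keep showing up is the remediation priority list
$flags | Group-Object Reason, SiteUrl | Select-Object Name, Count | Sort-Object Count -Descending
```

Every OutOfScopeSite row is a site the permission sweep either missed or triaged as acceptable; every LabeledSource row is a test of whether the Step 5 DLP policy is actually scoped to that label. Resolve the label IDs with Get-Label in Security & Compliance PowerShell if you want names rather than GUIDs in the report.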

We don't skip the pilot step. In every deployment, the tabletop exercise finds at least one thing the permission cleanup missed. Usually more than one.

The Label Inheritance Problem

There is one technical behavior that surprises clients more than any other during Copilot deployments, and it creates real compliance exposure if left unaddressed.

A Copilot Chat response does not carry the sensitivity label of the documents it was grounded on. Copilot honours a label's usage rights when deciding whether it may read a document, and the chat cites the labeled sources, but the generated text itself is unlabeled. If Copilot reads a document labeled Confidential and generates a summary, the source is protected. The summary is not.

This means an employee can ask Copilot to summarize a confidential document, paste the output into an email, and send it externally without any label-based DLP policy triggering, because the pasted text carries no classification. A content-based rule (one that matches on sensitive information types such as account numbers) can still catch it; a rule keyed to the Confidential label cannot.

Microsoft's Purview DLP for Copilot, which reached general availability in 2026, closes this gap from the other side: a policy scoped to the Microsoft 365 Copilot location can exclude content carrying specified sensitivity labels from Copilot processing, so the unlabeled summary is never generated in the first place. It must be configured explicitly; an out-of-box Copilot deployment does not enable it. Our pre-flight checklist includes DLP policy configuration for Copilot at Step 5 because it's not a nice-to-have. It's the control that makes sensitivity labels meaningful in a Copilot environment.

If You've Already Deployed Copilot

If you've already enabled Copilot licenses across your organization without completing a pre-flight process, you're not necessarily in a crisis — but you have an unknown risk surface. The overshared content is there. Copilot can reach it. You may not know what's been surfaced already.

The right response is not to disable Copilot. It's to run the pre-flight checklist retroactively, starting with the permission audit and the tabletop exercise. Understanding your actual exposure is always better than not knowing.

We run Copilot Readiness Assessments as a standalone engagement for exactly this scenario: organizations that have already deployed, organizations that are weeks away from go-live, and organizations that want to understand what a Copilot rollout would expose before they commit. The engagement requires two hours of tenant access and produces a one-page findings report. No sales pitch. No retainer required. You get the report and decide what to do with it.

If you're about to click "Assign Copilot License" — or you already did — reach out. We'll tell you what we find.