66% of companies have cloud data open to anonymous users (Varonis, 2025)

Enterprise AI search answers from every file a user can technically reach, including thousands nobody remembers sharing.

what it is

Microsoft 365 Copilot, Google Gemini for Workspace, and similar enterprise AI assistants ground their answers in the files, mail, and chats the asking user has access to. They respect permissions precisely. The problem is what those permissions actually are.

In most environments, years of "share with everyone in the company," anyone-with-the-link shortcuts, and inherited folder rights mean people can technically reach far more than anyone intends. Before AI, that excess was theoretical: nobody browsed ten thousand files they had no reason to open. An AI assistant does exactly that, on every prompt. A salary sheet shared org-wide in 2022 becomes a one-line answer to "what does our leadership earn" in 2026.

The accurate framing matters: the assistant reveals what was always reachable, and the permissions, granted years earlier, define what that is.

why it accumulates

Sharing is easy and unsharing has no trigger. People share to the whole company because picking individuals is slow. Folders inherit permissions nobody re-checks. Links created for one meeting live forever. Each act is reasonable; nothing ever reverses any of them.

The numbers are what you would expect. Concentric AI's 2H 2025 Data Risk Report found Copilot touching nearly three million sensitive records per organization in six months, and Varonis's 2025 State of Data Security report found 99% of organizations had sensitive data exposed to AI tools. Microsoft's own deployment guidance includes a dedicated "blueprint for oversharing": the vendor expects you to clean permissions before switching the assistant on.

what it costs you

The day-one risk is internal exposure: HR files, payroll, M&A material, and board documents surfacing in answers to employees who had latent access. That is a privacy incident and often a GDPR matter, even though no attacker was involved.

The day-two risk is that an attacker who compromises one account inherits the same AI-powered search across everything that account can reach. The assistant becomes the fastest data-discovery tool the intruder never had to install.

And there is a rollout cost: companies that discover the problem mid-deployment pause the project, which wastes licenses and stalls the productivity case the purchase was made on.

what works

Cleanup yields the most when it starts wide. Org-wide links, "everyone" groups, and anyone-with-the-link files are the highest-yield targets, and both the Google and Microsoft admin consoles can report them directly. Most exposed files trace back to a handful of broadly shared folders whose permissions everything beneath them inherits, so re-permissioning one folder fixes thousands of files at a stroke. The crown jewels work in the opposite direction: HR, finance, legal, and customer-data locations get explicit, short access lists and monitored paths, whatever the rest of the estate does.

The test-account pilot is the cheapest oversharing report available. A standard-permissions account gets the assistant and asks it the awkward questions: salaries, terminations, passwords, the unannounced deal. Whatever it answers is what any employee could find, and the transcript doubles as a cleanup priority list. The same logic extends to the identity layer, because a leaver's lingering account or an over-broad group inherits exactly the same AI-powered reach; dormant accounts and group memberships belong in the same review as the file shares.

What keeps the estate clean afterward is making unsharing routine. Quarterly reviews of external and org-wide shares, plus expiry dates on links where the platform supports them, give sharing the reversal trigger it never naturally has.
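The cleanup logic above (attribute every broadly shared file to the folder where the grant was actually made, treat crown-jewel locations separately, and hunt for links that will never expire on their own) can be run over a permission export. The block below is an added example, not the page's or either vendor's code; it assumes a flat CSV export with one row per item carrying its most permissive grant, and the rows in it are constructed. Real rows would come from the Microsoft 365 or Google Workspace admin reports the text mentions.

```python
"""Rank the root causes of broad sharing in a permission inventory.

Added example, not the vendor's or this page's own code. It assumes a
flat export with one row per file or folder carrying the most permissive
grant on that item: path, scope, whether the grant is inherited from a
parent folder, and the link expiry date if one is set. The rows below
are constructed for illustration.
"""
import csv
import io
from collections import Counter
from posixpath import dirname

# Scopes that count as broad: the whole tenant, or anyone holding the link.
BROAD_SCOPES = {"org_wide", "anyone_with_link"}

# Crown-jewel roots (assumed layout): any broad grant under these is a finding.
CROWN_JEWEL_ROOTS = ("/Shared/HR", "/Shared/Finance", "/Shared/Legal", "/Shared/Customers")

# Constructed inventory. inherited=y means the grant came from an ancestor folder.
SAMPLE_INVENTORY = """\
path,scope,inherited,expires
/Shared/Sales,org_wide,n,
/Shared/Sales/2022/targets.xlsx,org_wide,y,
/Shared/Sales/2022/pipeline.xlsx,org_wide,y,
/Shared/Sales/2023/pipeline.xlsx,org_wide,y,
/Shared/Marketing/launch.pptx,anyone_with_link,n,2025-06-30
/Shared/Marketing/brand.zip,anyone_with_link,n,
/Shared/HR,specific_people,n,
/Shared/HR/payroll/salaries_2022.xlsx,org_wide,n,
/Shared/Engineering,specific_people,n,
/Shared/Engineering/design.docx,specific_people,y,
"""


def parse_inventory(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": r["path"],
            "scope": r["scope"],
            "inherited": r["inherited"] == "y",
            "expires": r["expires"] or None,
        })
    return rows


def grant_source(path, direct_paths):
    """Walk up from an inherited grant to the nearest ancestor holding a direct grant."""
    p = dirname(path)
    while p and p != "/":
        if p in direct_paths:
            return p
        p = dirname(p)
    return "(no recorded grant source)"


def rank_sources(rows):
    """Return [(folder_or_file, items_exposed)] sorted by items exposed, descending.

    Every broadly shared item is attributed to the place the grant was made,
    so one re-permissioning action is listed once with its full blast radius.
    """
    direct_paths = {r["path"] for r in rows if not r["inherited"]}
    exposed = Counter()
    for r in rows:
        if r["scope"] not in BROAD_SCOPES:
            continue
        src = grant_source(r["path"], direct_paths) if r["inherited"] else r["path"]
        exposed[src] += 1
    return sorted(exposed.items(), key=lambda kv: (-kv[1], kv[0]))


def under_root(path, root):
    """True if path is the root itself or lies beneath it (no prefix false positives)."""
    return path == root or path.startswith(root + "/")


def crown_jewel_findings(rows):
    """Broad grants inside locations that should only ever have explicit short lists."""
    return [r["path"] for r in rows
            if r["scope"] in BROAD_SCOPES
            and any(under_root(r["path"], root) for root in CROWN_JEWEL_ROOTS)]


def links_without_expiry(rows):
    """Anyone-with-the-link grants that will never reverse on their own."""
    return [r["path"] for r in rows
            if r["scope"] == "anyone_with_link" and r["expires"] is None]


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    print("cleanup priority (items exposed, source):")
    for src, n in rank_sources(inventory):
        print(f"  {n:5d}  {src}")
    print("crown-jewel findings:", crown_jewel_findings(inventory))
    print("links with no expiry:", links_without_expiry(inventory))
```

On the constructed rows the ranking puts the org-wide grant on `/Shared/Sales` first with four items behind it, which is the "one folder fixes thousands of files" effect in miniature; the payroll sheet ranks low by count but is surfaced separately because it sits under a crown-jewel root, and the brand archive appears as a link with no expiry even though nothing about its contents is sensitive.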

let's start with a conversation

Most first conversations start with not quite knowing what you have or where to begin. That's normal, and it's exactly where we're useful.

Tell us what prompted this. An upcoming audit, an incident, a client's security questionnaire, or just a sense that things have gotten messy.

We'll take it from there.

Julian Machowski
Head of Technical Sales
+48 783 762 997
julian@unshadowit.com