Copilot Doesn't Have a Permission Problem. You Do!

Copilot doesn’t have a permission problem - your data does. Fix access, structure, and governance to unlock real AI productivity.

A junior analyst opens Copilot.

Types one sentence. "Summarise what leadership has been discussing about restructuring this quarter."

Twelve seconds later they are reading Board minutes. HR severance models. A draft press release that has not gone out yet.

Nothing was hacked. No policy was broken. Every file Copilot surfaced was already sitting in a SharePoint site that the analyst technically had access to.

That is the moment when most CIOs arrive at the same realisation.

Copilot did not give anyone new permissions. It just made every old permission searchable in plain English.

The mechanic nobody wants to say out loud

Copilot does not elevate access. It inherits it.

It reads what you can read. It writes where you can write. It searches what the Microsoft Graph already indexed for you.

For ten years, "you technically have access but you would never find it" was a working security model. Six clicks deep in a SharePoint site nobody remembers owning was, in practice, invisible.

Copilot just deleted the six clicks.

The numbers your tenant is hiding

I have run this audit across enough tenants this year to stop being surprised.

The pattern is consistent.

  • 802,000. Average number of over-permissioned files per enterprise tenant before a Copilot rollout. Most of them inherited "Everyone except external" from a site template set up in 2019.
  • 12 percent. Share of sensitive documents that carry a sensitivity label. The other 88 percent are invisible to Purview, invisible to DLP, invisible to every guardrail you bought.
  • 60 percent. Share of organisations that reported a Copilot-related data exposure incident within 90 days of broad rollout. Source: their own internal incident reviews, not vendor marketing.
  • EchoLeak. A zero-click prompt injection that bypassed Microsoft's own XPIA classifier and exfiltrated data without the user ever clicking anything. Patched. Still proof.

These are not edge cases. This is the median tenant.

Why the timing matters now

May 1 was Agent 365 GA. April was Entra Agent ID GA. Build 2026 next week will land another wave of agent primitives.

Every one of those agents inherits the same broken permission graph Copilot inherits.

One Copilot user with 802,000 stale permissions is a leak.

One hundred agents acting on behalf of that user is a flood.

The data layer underneath Copilot was already the weakest part of your AI stack. Agents are about to multiply it by the number of automations you deploy.

What changed in the last 30 days

Microsoft quietly stopped calling this a Copilot problem.

The new line, repeated across three product teams now, is "search governance is AI governance." Purview, SharePoint Advanced Management, and Restricted SharePoint Search are being positioned as prerequisites, not add-ons.

Translation: the responsibility is moving back to you.

Microsoft will ship the LLM. You own the permission graph it reads from.

The four moves before your next Copilot expansion

You do not need a new tool. You need to use the ones you already pay for.

1. Run the oversharing report. SharePoint Advanced Management ships it. Most tenants have never opened it. Do it this week.

2. Turn on Restricted SharePoint Search. Limit Copilot's reach to a curated set of sites until your labels catch up. Yes, users will complain. That is the point.

3. Label the top 200 sites, not all of them. 80 percent of the risk lives in 5 percent of the estate. Stop trying to boil the ocean.

4. Pre-stage Agent governance. Entra Agent ID, Conditional Access for Agents, and Agent 365 inventory. Set the policy before the agents arrive. Not after.

None of this is exotic. All of it is uncomfortable.
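To make moves 1 and 2 concrete, here is an added PowerShell example (not part of the original post) using the SharePoint Online Management Shell: it starts the Data Access Governance oversharing report and puts Restricted SharePoint Search in front of Copilot with a curated allowed list. The tenant and site URLs are constructed placeholders, and the report cmdlet's parameters are as I know them from the module and should be confirmed against your installed version.

```powershell
# Added example, not the original post's code. Requires a recent build of
# Microsoft.Online.SharePoint.PowerShell and, for the report, a SharePoint
# Advanced Management license. All URLs below are constructed placeholders.

$AdminUrl = "https://contoso-admin.sharepoint.com"   # placeholder admin URL
Connect-SPOService -Url $AdminUrl

# Move 1: kick off the oversharing (Data Access Governance) report for sites
# reachable by more than 100 users. Parameter names are an assumption from
# my module version; check Get-Help Start-SPODataAccessGovernanceInsight.
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers `
    -Workload SharePoint -ReportType Snapshot -CountOfUsersMoreThan 100

# Report generation is asynchronous; poll status before pulling results.
Get-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers |
    Format-List

# Move 2: Restricted SharePoint Search. While enabled, Copilot and org-wide
# search only reach sites on the allowed list (capped at 100 sites).
$CuratedSites = @(
    "https://contoso.sharepoint.com/sites/policies",      # constructed
    "https://contoso.sharepoint.com/sites/it-knowledge"   # constructed
)

Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $CuratedSites

# Verify: restricted mode is on and every curated site made it onto the list.
# The allowed-list output is flattened to text so the check does not depend
# on the object shape returned by a particular module build.
$mode    = Get-SPOTenantRestrictedSearchMode
$allowed = Get-SPOTenantRestrictedSearchAllowedList | Out-String
$missing = $CuratedSites | Where-Object { $allowed -notmatch [regex]::Escape($_) }

Write-Host "Restricted search mode: $mode"
if ($missing) {
    Write-Warning "Not on allowed list: $($missing -join ', ')"
} else {
    Write-Host "All curated sites are on the allowed list."
}
```

Restricted mode narrows organisation-wide SharePoint search for every user, not only Copilot, which is why the post expects complaints; treat the allowed list as a temporary gate that widens as sites get labelled.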

The executive reality

The Copilot business case was written assuming the data layer was clean.

It is not.

The faster you accept that, the cheaper the next 12 months become. The longer you wait, the more the first incident report writes itself.

Last week I wrote about Foundry Control Plane as the inventory layer for agents.

This week is the data layer Copilot reads from.

Same conversation. Different floor of the same building.

Let's connect

If you are rolling out Copilot to more than 5,000 seats in the next two quarters, the oversharing audit is the cheapest insurance you will buy this year.

Contact us now. A 30-minute conversation usually tells you which of those four moves you are missing.

Written & Reviewed by

Jasjit Chopra

Chief Executive Officer