TL;DR
- Agentic AI is AI that acts, not just answers - it reads, writes, and takes steps on your behalf.
- Every weak permission, orphaned site, and overshared library becomes a new attack surface.
- The risk isn’t the AI. It’s the permissions you already have, now queried at machine speed.
- A single user with ‘Everyone except external’ access can surface years of buried content through an agent.
- Foundations first: inheritance, labels, guest access, group ownership. Fix those before you fund agents.
- Start with a permissions and oversharing review - six gates, one weekend of findings.
Agentic AI sounds like a buzzword. It isn’t. It’s AI that takes actions on your behalf - reading documents, drafting emails, updating records, chaining tasks together without a human in the middle of every step.
That changes the security conversation. A chatbot that answers questions is one thing. An agent that can open a thousand files, summarise them, and email the result is something else entirely. Your permissions model is about to be stress-tested like never before.
Why agentic AI changes the permissions game
Think of your tenant as a very large library. For years, the only people browsing the shelves were humans - slow, distracted, usually looking for one specific book. Oversharing existed, but nobody had the time to exploit it.
An agent is a librarian who never sleeps, reads at machine speed, and follows every reference. If a finance folder is open to ‘Everyone except external users’, the agent will find it. If a decade-old HR site still has a broken inheritance, the agent will cheerfully surface it in a summary.
Spoiler: the AI isn’t doing anything wrong. It’s doing exactly what your permissions allow. The problem is that your permissions were written for slow humans, not fast agents.
The new attack surface: it’s your existing sprawl
When security leaders talk about agentic AI risk, they tend to focus on the model itself - prompt injection, hallucinated actions, runaway loops. Those are real. But the bigger exposure for most M365 tenants is far more boring: sprawl.
- Sites created for a project three years ago, still with company-wide read access.
- Libraries where someone broke inheritance once and never restored it.
- Guest users are invited to one file, still sitting in the group.
- Sensitivity labels configured but never applied, so nothing gets protected downstream.
- M365 group owners who left the organisation, leaving groups effectively unowned.
None of these are new problems. Agents just make them visible - and queryable - at scale.
What ‘governance’ means in the agent era
Governance has been a tired word for a while. Let’s unpack it.
In the agent era, governance is three practical things: knowing what exists, knowing who can see it, and knowing what’s sensitive. That’s it.
If you can answer those three questions for every site, library, and Team in your tenant, you’re ready to introduce agents. If you can’t, you’re not - and bolting on an AI policy on top of a shaky permissions model is like putting a smart lock on a door with no frame.
The good news: you don’t need a twelve-month transformation programme. You need a tight, repeatable review of the six gates that matter most. Foundations first. Always.
The quiet risk: oversharing by default
Microsoft’s default behaviour has improved, but a lot of tenants still carry the legacy of loose settings from earlier years. ‘Everyone except external users’ is the classic one - technically scoped, practically wide open. Most staff never realise a document is exposed to thousands of colleagues until an agent surfaces it in a summary for someone who shouldn’t have seen it.
The bottom line? Agents don’t leak data. Your permissions do. Agents speed up the discovery.
Mini-template: Agent Readiness - 6 permissions gates
Run through these six gates before you pilot any agent on top of SharePoint, Teams, or OneDrive content.
- Site permissions inheritance - confirm every site inherits from a known parent, or document why it doesn’t.
- Broken inheritance at library and folder level - list every exception and assign a reviewer.
- External sharing - check tenant, site, and link-level settings; disable ‘Anyone’ links where not needed.
- Sensitivity labels - confirm labels exist, are published, and are applied (manual or auto) to your top-risk content.
- M365 group owner hygiene - every group needs at least two active owners; remove ex-staff and orphaned owners.
- Guest access review - run a quarterly review of guests in groups and sites; remove anyone inactive for 90 days.
Most orgs miss this
The assumption that ‘Copilot only shows people what they already have access to’ is technically true and practically misleading. Most users have access to far more than they realise - often thousands of items they could technically open but would never find by browsing.
An agent finds them in seconds. So, the real question isn’t ‘what can Copilot see?‘ It’s ‘what can your average user already over-access, and are you comfortable with a machine surfacing all of it?‘
3 questions worth asking
If you answered yes to any of these, let’s have a chat.
- Do you know how many of your SharePoint sites are shared with ‘Everyone except external users’?
- Can you name the owner of every M365 group in your tenant - and confirm they still work there?
- If a senior leader asked an agent to summarise ‘everything sensitive about Project X’, would you be comfortable with what it surfaces?
So… what now?
Agentic AI isn’t a reason to panic. It’s a reason to finish the housekeeping you’ve been meaning to do anyway. Tidy the permissions, label the sensitive stuff, check your group owners, and you’ll be in a far better place to say yes to agents when the business asks. Foundations first. Then the fun stuff.
Take our free quiz to see how ready your SharePoint is for Copilot. You’ll receive a prioritised list of action items.
About the Author - Rachel Harnott
FAQs
Isn’t this just a Copilot problem?
No. Copilot is the most visible agent right now, but any tool that reads across your tenant - third-party AI, Power Platform agents, custom bots - runs on the same permissions. Fix the foundations once and every agent benefits.
We have sensitivity labels configured. Are we covered?
Configured isn’t the same as applied. Check how many documents actually carry a label. If most content is unlabelled, your downstream protections (DLP, encryption, access control) won’t trigger.
How long does a permissions review actually take?
For a mid-sized tenant, a focused review of the top-risk sites takes one to two weeks. A full audit takes longer, but you don’t need a full audit to start - prioritise by business sensitivity and recent activity.
Do we need to turn off external sharing?
Usually not. Blunt lockdowns push people to workarounds. Better: tighten defaults, require expiry on guest links, and review guests quarterly. Practical beats paranoid.
Who owns this - IT, security, or the business?
All three. IT owns the settings, security owns the policy, and the business owns the content. A governance group with one person from each is enough to start.
Sources
Configure a secure and governed foundation for Microsoft 365 Copilot https://learn.microsoft.com/en-us/microsoft-365/copilot/configure-secure-governed-data-foundation-microsoft-365-copilot
Secure & Governed Data Foundation for Microsoft 365 Copilot — Foundational Deployment Blueprint
Governance and security for AI agents across the organisation https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ai-agents/governance-security-across-organization
Manage ownerless Microsoft 365 groups and teams https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/ownerless-groups-teams
Manage guest access with access https://learn.microsoft.com/en-us/entra/id-governance/manage-guest-access-with-access-reviews