Copilot is brilliant at surfacing the information you need, but it’s just as good at surfacing the information you didn’t know was shared. In today’s world of fast collaboration, old files, loose permissions, and “just‑quickly” shared folders can quietly create a perfect storm of accidental exposure. Copilot doesn’t guess, hack, or bypass security. It simply uses what it’s allowed to see, and if your organization has overshared content, Copilot will shine a very bright light on it.

In this blog, we’ll unpack the hidden dangers of oversharing in Microsoft 365, how accidental discovery happens, and why good permission hygiene is now non‑negotiable. If Copilot is the engine powering your productivity, your permissions are the brakes, and you really want those working.

I’m always amused when organisations express fear about adopting Copilot. It instantly transports me back to the Delve days, when people nearly fainted at the sight of documents they didn’t realise were visible to others. It was funny then, but the underlying issue hasn’t changed. Employees were never properly trained, organisations didn’t take information governance seriously, and now those old habits have become a much bigger problem. Copilot isn’t the risk, the oversharing is.

What is “oversharing”?

In Microsoft 365, the situation I’m describing is commonly referred to as oversharing: content is shared more broadly than intended (often via “Everyone/Everyone Except External Users,” public sites, permissive links, or broken inheritance), so Copilot and Microsoft Search surface it to users who technically have access but shouldn’t. Microsoft guidance and many governance resources use the term oversharing explicitly and provide controls to mitigate it (e.g., Restricted Content Discovery/Restricted SharePoint Search, Purview DSPM, DLP, sensitivity labels, and SharePoint Advanced Management).

If you’re documenting it internally, you’ll also see it described as “accidental discovery” or “over‑permissioned content”, but oversharing is the primary Microsoft-aligned term and the one used across Copilot deployment guidance.

Why it happens (typical causes):

  • Public/organizational‑wide sites or groups; “Everyone except external users” on sites.
  • Broad sharing links (e.g., “Anyone” or “People in your organization”).
  • Broken permission inheritance; stale guest access; missing sensitivity labels.

Some Examples:

1. Sharing Entire Folders Instead of a Single File

Many users click Share → Copy link on a folder instead of the specific file inside it.

What goes wrong:
When a whole folder is shared, every current and future file in that folder becomes visible to the recipient, sometimes hundreds of documents the user never intended to share.

Why Copilot surfaces it:
If someone has access, Copilot assumes it’s intentional and can reference or summarise that content.

2. Using “Anyone with the link” (Anonymous) Sharing

This is the simplest link type, so people choose it out of convenience.

Risks:

  • Anyone who gets the link can open it
  • Links can be forwarded
  • Users forget they used this setting
  • Content becomes impossible to track

Result:
Content is effectively exposed to the world, and Copilot treats it as legitimate access for anyone who receives the link.

3. Oversharing at the Parent Level (Teams & SharePoint)

Users commonly overshare by giving people access at a library, site, or Team level “just to make the problem go away.”

Example:
Someone can’t open a file → user grants access to the entire library out of frustration.

Impact:
Huge volumes of content become accessible without anyone realising.

Copilot effect:
Everything in that parent container instantly becomes discoverable.

4. “Shared with Everyone” or Old Legacy Permissions

Some older SharePoint setups still have libraries or folders shared with:

  • Everyone
  • Everyone except external users
  • All staff

These are permissions left over from the early Office 365 days, and they’re a minefield.

Copilot sees all of it.

5. Incorrect Guest Access

Users often share content with external guests:

  • Without limiting access
  • Without expiry dates
  • Without tracking who has what
  • Without blocking downloads

Guests then have ongoing access to confidential material.

Copilot isn’t the problem, your guests are.

6. Storing Sensitive Content in Public/General Channels

In Microsoft Teams:

  • Public Teams are open to the entire organisation
  • Users mistake visibility for security
  • Sensitive files get saved in the General channel “just to keep it somewhere”

Once it’s there, it’s accessible to hundreds or thousands of employees.

Yes, Copilot will happily surface it.

7. Misunderstanding OneDrive “Shared” vs “Private”

Users think OneDrive is always private.
It isn’t.

They share:

  • A single file
  • Then a folder
  • Then a parent folder
  • Then forget what they shared

OneDrive becomes a spiderweb of accidentally shared content.

Copilot respects those permissions, too.

8. Using “Send a Copy” Instead of “Share a Link”

Users download a file and email it to someone else, who then uploads it somewhere less secure.

Now multiple unmanaged copies of the same document exist across the tenant.

Result:
Copilot finds versions the user didn’t even know were out there.

9. No Concept of “Permission Hygiene”

Most employees don’t clean up old sharing.
Access often remains open:

  • After a project ends
  • After a user leaves the company
  • After contractors finish work
  • After emergencies (“Just give them access for now!”)

Years later, Copilot sees everything they still have access to.
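
To make the patterns above concrete, here is an added example (not from Microsoft or any tool's own code) that flags several of them in a permissions export. The rows and the column names (Path, ItemType, Principal, PrincipalType, LinkType, Expires) are constructed for illustration; map them to whatever your own sharing or permissions report provides.

```powershell
# Constructed sample rows; the schema is an assumption made for this example.
$rows = @'
Path,ItemType,Principal,PrincipalType,LinkType,Expires
/sites/HR/Shared Documents,Library,Everyone except external users,Group,,
/sites/Finance/Shared Documents/Budget,Folder,,Link,Anyone,
/sites/Projects/Apollo/Plan.docx,File,jane@contoso.com,Internal,,
/sites/Projects/Apollo,Site,partner@fabrikam.com,Guest,,
/sites/Projects/Apollo/Specs,Folder,vendor@fabrikam.com,Guest,,2030-01-31
/sites/Sales/Shared Documents/Deck.pptx,File,,Link,Organization,
'@ | ConvertFrom-Csv

# Broad principals named in example 4; containers whose grants cascade (examples 1 and 3).
$broadPrincipals = 'Everyone', 'Everyone except external users', 'All staff'
$containers      = 'Site', 'Library', 'Folder'

function Find-Oversharing {
    param([Parameter(Mandatory)] [object[]] $Rows)

    foreach ($r in $Rows) {
        $findings = @()

        if ($broadPrincipals -contains $r.Principal) { $findings += 'Broad group grant' }
        if ($r.LinkType -eq 'Anyone')                { $findings += 'Anonymous link' }
        if ($r.LinkType -eq 'Organization')          { $findings += 'Organisation-wide link' }
        if ($r.PrincipalType -eq 'Guest' -and -not $r.Expires) {
            $findings += 'Guest access without expiry'
        }

        # A risky grant on a container also covers every current and future item inside it.
        if ($findings -and $containers -contains $r.ItemType) {
            $findings += "Granted at $($r.ItemType) level"
        }

        if ($findings) {
            [pscustomobject]@{ Path = $r.Path; Findings = $findings -join '; ' }
        }
    }
}

Find-Oversharing -Rows $rows | Format-Table -AutoSize -Wrap
```

The direct grant to a named internal user and the guest grant with an expiry date pass through unflagged; everything else is a candidate for review before Copilot is rolled out.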


My Top Tips for avoiding / fixing this:

  • Train employees on sharing links and how to manage permissions
  • Train employees on managing the members on their Microsoft Teams
  • Change the default sharing links on the tenant
  • Remove “Anyone” from the sharing link options
  • Get the experts in to help with Microsoft Purview / Zero Trust. Reach out to Alistair Pugin and Donavan Schaper.
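
The two tenant-level tips above (change the default sharing link, remove “Anyone”) map to SharePoint Online Management Shell settings. This is an added example, not part of the original post; the admin URL is a placeholder and the 90-day guest expiry is an assumed value, included because missing expiry dates are called out under guest access.

```powershell
# Requires the SharePoint Online Management Shell and a SharePoint admin role.
# Placeholder URL: replace 'contoso' with your own tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Record the current values first so the change can be reviewed and reverted.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, ExternalUserExpirationRequired, ExternalUserExpireInDays

# Weak combination (for comparison): "Anyone" links allowed and offered by default.
#   SharingCapability      = ExternalUserAndGuestSharing
#   DefaultSharingLinkType = AnonymousAccess

# Corrected: guests must authenticate, so "Anyone" is no longer a link option,
# and the Share dialog defaults to a view-only link for specific people.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Guest access expires unless a site owner extends it (90 days is an assumed value).
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90
```

These settings change what users can create from now on; sharing that already exists on sites and in OneDrive still needs to be reviewed and cleaned up.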

With great power comes great responsibility. Copilot is by far the best gift you can give to your employees, but there’s some work to do.


Stay awesome, keep learning, help others.