What's actually different about Copilot governance in 2026 vs. 2025?

Three things shipped or matured in the past 12 months. Restricted SharePoint Search gives admins a 100-site allowed list that limits Copilot's reach while permissions get cleaned up. Microsoft Purview Data Security Posture Management (DSPM) for AI runs weekly automated risk assessments on the top 100 SharePoint sites and surfaces oversharing as a continuous signal rather than a one-time audit. SharePoint Advanced Management (SAM) added data access governance reports, including a 'Shared with Everyone except external users' report and per-site sharing-link reports. The combined effect is that the manual permission audit is no longer the only option, and audit-driven remediation is now realistic at mid-market budgets.

Should we disable Copilot if oversharing is found?

Almost never. Disabling Copilot after a finding creates three problems: paid licenses go unused, executive sponsors lose confidence in the IT team, and the underlying oversharing is still there for anyone using SharePoint search to find. The better move is to put the affected sites behind Restricted SharePoint Search (which excludes them from Copilot grounding) while remediation runs, deploy Purview sensitivity labels on the top five sensitive content categories, and enable DSPM for AI so the audit trail is continuous. Copilot stays on, the leakage path is closed, and the auditor gets a defensible remediation plan.

Do we need to re-permission 12,000 sites manually?

No. That's the mistake the original 'permission problem' framing pushed people toward, and at mid-market scale (200 to 2,000 seats) it's not feasible. The 2026 approach is targeted: use SAM data access governance reports to identify the 20 to 50 sites that account for most of the oversharing risk, quarantine them with Restricted SharePoint Search, label the top five content categories with Purview sensitivity labels, and let DSPM for AI flag new oversharing as it appears. Four controls, not 40. The remaining sites stay accessible to Copilot under the existing permission graph, with the high-risk surface area pulled out.

What does the 90-day remediation actually cost a 500-seat mid-market shop?

Most of the licensing is already in place if the tenant has Microsoft 365 E5 (Purview DSPM for AI, sensitivity labels, DLP are bundled). SharePoint Advanced Management is the add-on layer; it ships with Microsoft 365 Copilot licenses or as a standalone SKU. Professional services for a 500-seat 90-day rollout typically run $35K to $75K depending on how much label taxonomy work and end-user training is in scope. The compare-against number is the cost of one Copilot-related data incident, which lands six figures once legal and audit time are counted.

What's the auditor going to ask about Copilot data access in a 2026 SOC 2 or HIPAA review?

Four questions, in our experience. (1) Show me the inventory of sites Copilot can read. (2) Show me how sensitive content is identified and labeled. (3) Show me the audit trail of Copilot prompts that touched sensitive data in the last 90 days. (4) Show me the policy that determines who can invoke Copilot from which device. Purview DSPM for AI plus the unified audit log answers (1) and (3). Sensitivity labels plus auto-labeling rules answer (2). Conditional Access policies for Copilot answer (4). If any of those four are missing, expect a finding.

Is this only a problem for healthcare and defense contractors, or does every mid-market shop need to care?

Every shop with a SharePoint estate older than three years has the same underlying tenant sprawl. The regulated verticals (healthcare under HIPAA, defense under CMMC, financial under SOC 2 and GLBA) are the first to feel audit pressure, but state attorneys general in California, Illinois, and Washington have opened AI data-access inquiries that are not industry-specific. Practically, if the company is large enough to license Copilot, it's large enough to need the governance work. The 'we'll worry about it later' position from 2025 has aged into 'the auditor is going to find this' in 2026.

Field notes · 13 min read · May 18, 2026

Copilot Governance, One Year On: a Tenant-Sprawl Reckoning

CMMC Phase 2 enforcement Nov 10, 2026. SOC 2 Type II auditors now ask about AI data access. Copilot prompts leave a queryable audit trail your auditor will pull.

A year ago we wrote about the 12,000-permission problem and warned that mid-market shops needed to clean up SharePoint and OneDrive permissions before turning Copilot on. A meaningful chunk of readers did the work. A larger chunk filed the post under "we'll worry about it later" and shipped Copilot anyway. One year later, in 2026, we're seeing what happened to the second group.

The pattern is consistent. A 750-seat healthcare provider we work with found Copilot returning HR salary documents inside a casual employee query about benefits enrollment. A regional credit union discovered its 2027 finance forecast surfacing in a "summarize this folder" prompt issued by a junior analyst who had no business reading it. A professional services firm watched its M&A working files appear in a project-team chat because a SharePoint site nobody remembered restricting had inherited permissions from a parent collection three migrations ago. None of these were Copilot bugs. All three were tenant sprawl that Copilot finally made visible.

The good news is that Microsoft's governance toolset shipped a generation of capability between mid-2025 and Q1 2026 that didn't exist when the original post ran. Restricted SharePoint Search, Purview Data Security Posture Management (DSPM) for AI, SharePoint Advanced Management oversharing reports, and the Purview AI Hub are now real. The remediation playbook is correspondingly different. This post is the 2026 follow-up, the field-note version of what we're actually doing in 90-day engagements right now.

The one-year reckoning

The shops that ignored the 2025 warning fall into three clusters in 2026. The first is the "no incident yet, but the auditor is asking" cluster. Their SOC 2 Type II renewal questionnaire added a section on AI data access controls. Their HIPAA risk assessor wants to know how Copilot prompts are logged. Their cyber insurance renewal added an AI exclusion that doesn't apply if controls are documented. They're not bleeding; they're on the clock.

The second cluster is the "small incident, big quiet" group. A Copilot prompt surfaced something it shouldn't. Someone in HR or legal noticed. There's no breach notification obligation (the data didn't leave the tenant) but there's an internal trust problem and a CIO who's now nervous about the next prompt. The remediation budget is unlocked but the political capital is thin.

The third cluster is the "we shut Copilot off" group. After an incident or a near-miss, the company revoked licenses across the board. The licenses are still being paid. The Copilot rollout is on the executive team's list of failed initiatives. The CIO needs a path back to "on" without re-litigating the original decision.

All three clusters share the same underlying remediation. The difference is how much political surface area is left to operate in.

The mental model update for 2026: Copilot didn't create the oversharing. Copilot made the oversharing legible to users who would never have found it through SharePoint search. The remediation is permission and label hygiene at mid-market scale, not a Copilot configuration change.

Why tenant sprawl was the upstream cause

Permission rot in 2026 mid-market SharePoint estates is overwhelmingly the residue of migrations done between 2017 and 2022. The pattern looks like this. A file server got lifted to SharePoint with inherited NTFS-style permissions translated mechanically into SharePoint groups. An M365 Group was created for every Teams channel spun up during the 2020 to 2021 remote-work surge, with no naming convention and no owner lifecycle. OneDrive "share with anyone in the company" became the default workaround when permissions broke. Ex-employee personal folders accumulated, often containing the only copy of a working document that the team forgot to migrate.

None of that is a Copilot problem. It's a "we did the migration but we didn't do the cleanup" problem. The failure mode in 2025 was that everyone knew the cleanup was overdue and nobody had the budget or political will to do it as a standalone project. The failure mode in 2026 is that the auditor and the AI now both have visibility into it.

What Microsoft actually shipped between mid-2025 and early 2026

Four capabilities matured to the point of being useful in mid-market budgets. They overlap in coverage but each answers a different question.

Restricted SharePoint Search

The most useful immediate control. Restricted SharePoint Search lets a SharePoint admin define an allowed list of up to 100 sites (hub sites count as one and pull their subsites for free) that are visible to organization-wide search and to Copilot grounding. Sites outside the list still exist; users with explicit permissions can still access them directly. They're just excluded from search and Copilot's "what does my organization know about X" pattern. Microsoft positions it as a temporary measure while permissions get rationalized. In practice, "temporary" runs six to nine months for a mid-market shop, which is the right amount of time to do the cleanup properly.

Microsoft Purview DSPM for AI

Data Security Posture Management for AI is the continuous-monitoring layer. It runs an automated weekly data risk assessment on the top 100 SharePoint sites by usage in the tenant, surfaces oversharing patterns, and flags prompt-and-response activity where Copilot touched labeled or sensitive content. Critically, DSPM for AI is bundled into Microsoft 365 E5, which means most mid-market shops with Copilot deployed already have the license entitlement.

SharePoint Advanced Management

SharePoint Advanced Management (SAM) is the admin reporting layer. The data access governance (DAG) reports are the part that matters for Copilot prep: permission state reports across sites and OneDrive, sharing-link reports identifying the sites with the most freshly created Anyone or company-wide links, and the "Shared with Everyone except external users" report that catches the broad-internal-exposure pattern that drives most Copilot incidents. SAM ships included with Microsoft 365 Copilot licenses and is available as a standalone SKU otherwise.

Sensitivity labels with Copilot integration

Purview sensitivity labels aren't new, but the Copilot integration matured significantly. Copilot now displays sensitivity labels for citations in its responses, inherits the highest-priority label from grounding data, and refuses to summarize encrypted content unless the requesting user has EXTRACT and VIEW usage rights. One caveat that bites mid-market shops: labels applied to containers (groups and sites) are not inherited by items inside the container. That means a "Confidential" label on a SharePoint site doesn't propagate to the documents in it. Auto-labeling rules at the content level are still required for actual document-level protection.

The Purview AI Hub

The Purview AI Hub aggregates the auditing surface. Copilot prompts and responses are captured in the unified audit log, accessible through Activity Explorer in DSPM for AI, with role-based access controls that separate "see that a prompt happened" from "read the prompt content." The hub also surfaces ready-to-use DLP policies for the Copilot location, which is the surface where a prompt is treated as a potential exfiltration channel.

The 90-day remediation playbook

This is the version we run for mid-market clients in the 200 to 2,000 seat band. Four controls, not 40. No enterprise overhead. Designed to be done by a 200-seat IT team with senior consulting support, not by a standalone CISO office with 12 analysts.

Weeks 1 to 2: Inventory and triage

Run the SAM data access governance reports across the tenant. Pull the "Shared with Everyone except external users" report, the sharing-links report, and the permission state report.
Inventory M365 groups with external members and active guest accounts. Cross-reference against last sign-in.
Pull the top 100 sites by usage from the SharePoint admin center. This is the cohort DSPM for AI will auto-assess weekly; the cleanup priority follows that list.
Identify the top 20 highest-risk sites by combining usage, permission breadth, and presence of obviously sensitive content categories (HR, finance, legal, M&A, intellectual property).

Weeks 3 to 4: Quarantine

Configure Restricted SharePoint Search with an initial allowed list of sites that have been validated as safe for Copilot grounding. The top 20 high-risk sites identified in weeks 1 to 2 stay off the allowed list during remediation. Communicate the change to site owners and the executive sponsor before activation so that the Copilot user base understands why certain queries are returning narrower results.

Weeks 5 to 8: Label the sensitive five

Deploy Purview sensitivity labels for the top five content categories. The list is consistent across most mid-market clients: HR (compensation, performance, severance), finance (forecasts, board materials), legal (contracts, litigation hold), M&A (working files, term sheets), and intellectual property (product roadmap, customer lists, source assets). Use auto-labeling rules where the content matches durable signals (file names with "salary," presence of compensation numeric patterns, files in known HR libraries) and manual labeling for the rest.

Weeks 9 to 12: Monitor and retrain

Enable Purview DSPM for AI in full collection mode. Configure DLP policies for the Microsoft 365 Copilot location to flag prompts that touch labeled-sensitive content. Build a query-pattern review cadence (weekly for the first 60 days, monthly thereafter). Retrain Copilot users on what the labels mean and how to respond when Copilot returns a labeled citation. Move quarantined sites off Restricted SharePoint Search's exclusion list as their permissions are rationalized.

The four-control summary table

Control	What it does	Where it lives	License entitlement
Restricted SharePoint Search	100-site allowed list that bounds Copilot grounding while permissions get cleaned up	SharePoint admin center	Bundled with M365 Copilot
SAM oversharing reports	Identifies the 20 to 50 sites that drive most of the oversharing risk	SharePoint Advanced Management	Bundled with M365 Copilot or standalone SKU
Purview sensitivity labels + auto-labeling	Document-level classification on the top five sensitive content categories	Microsoft Purview portal	Microsoft 365 E5 / E5 Compliance
Purview DSPM for AI	Weekly automated risk assessment + Copilot prompt audit trail	Microsoft Purview portal (DSPM for AI)	Microsoft 365 E5 / E5 Compliance

Field notes: a 220-seat aerospace supplier

Anonymized engagement summary. A 220-seat aerospace supplier had Microsoft 365 GCC High with Copilot deployed to roughly 60 power users. During an internal audit, the compliance officer typed a procurement-related query into Copilot and received a summary that included unredacted contract values from a supplier negotiation that was supposed to be restricted to the procurement team. The site holding the contracts was a 2019-era SharePoint library that had been migrated from a file server with inherited "domain users read" permissions, and the permission inheritance had never been broken.

The engagement ran six weeks. Week 1, we ran SAM reports and identified the contracts library plus 14 other sites with similar inheritance patterns. Weeks 2 to 3, all 15 sites went onto the Restricted SharePoint Search exclusion list. Weeks 3 to 5, Purview sensitivity labels were applied to ITAR-flagged content categories with auto-labeling rules tied to ITAR designators in file names and document properties. Week 6, DSPM for AI was enabled with weekly review.

Outcome: Copilot stayed on for the 60-user power-user group. The audit finding closed with a documented remediation plan. No PHI or ITAR re-exposure has occurred in the eight months since. The compliance officer can now demonstrate continuous monitoring to the third-party assessor on demand.

What not to do

Don't disable Copilot

The political cost of an executive-visible Copilot rollback is worse than the original incident in most mid-market shops. Once licenses are revoked, getting them re-issued requires the same executive sponsor to re-fund a program they just watched fail. The work to bring Copilot back online is the same work that would have prevented the incident, only now it has to be done under a credibility deficit.

Don't try to re-permission 12,000 sites manually

The original 2025 framing pushed people toward a permission audit at the scale of the entire tenant. At mid-market budgets, that's a non-starter. The 2026 approach is to target the 20 to 50 sites that account for most of the risk and let Restricted SharePoint Search hold the line on the rest. The remaining sites get cleaned up opportunistically as part of normal SharePoint admin work, not as a dedicated $200K project.

Don't buy a separate DLP tool when Purview is already in your E5

The third-party data security tools that pitch into Copilot oversharing conversations have legitimate capability, but most mid-market shops with Copilot already have Microsoft 365 E5 or E5 Compliance, which bundles Purview DSPM for AI, sensitivity labels, and DLP for the Copilot location. The marginal value of a third-party tool over the bundled Microsoft capability is usually not worth the integration cost at this size. Re-evaluate at 5,000+ seats.

Don't wait for the auditor to find it

The audit finding pattern in 2026 is consistent. The auditor pulls Copilot prompts from the unified audit log, correlates them against known sensitive document libraries, and asks the IT team to demonstrate the classification and access controls that gated the prompt. If the controls aren't in place, the finding writes itself. The remediation cost is unchanged whether it's done proactively or in response to a finding; the political cost is much higher in the second case.

The 30-second version: Copilot didn't break governance. Copilot made existing tenant sprawl legible to non-technical users. The fix in 2026 is four controls (Restricted SharePoint Search, SAM oversharing reports, Purview sensitivity labels, DSPM for AI) deployed over 90 days, using licensing most mid-market shops already pay for. Copilot stays on. The audit trail becomes continuous. The "we'll worry about it later" position from 2025 is no longer available.

Why this is suddenly urgent in 2026

Four 2026 signals turned Copilot governance from a "should do" into a "must do" for mid-market shops.

CMMC Phase 2 enforcement begins November 10, 2026. Defense contractors handling Controlled Unclassified Information lose the self-attestation option for Level 2 contracts; third-party C3PAO assessment becomes mandatory by default. Copilot access to CUI-bearing SharePoint sites without documented controls is a Level 2 finding.
HHS HIPAA AI-specific guidance is expected in H2 2026. The Office for Civil Rights signaled throughout 2025 that AI-specific guidance under the HIPAA Security Rule was in development. The early indicators point at access controls, audit logging of AI interactions with PHI, and documented risk analysis. Healthcare organizations running Copilot without DSPM for AI logging will be on the wrong side of the guidance the moment it lands.
SOC 2 Type II auditors added AI data access controls to standard questionnaires. The Trust Services Criteria didn't change, but the way auditors apply CC6 (Logical and Physical Access) and CC7 (System Operations) now routinely includes AI access patterns. We're seeing this consistently in 2026 Type II renewals.
State attorneys general in California, Illinois, and Washington opened AI data-leak inquiries. The questions are exploratory, not enforcement, but the precedent is set. Companies that can demonstrate DSPM for AI logging and sensitivity-label coverage are off the inquiry list quickly. Companies that can't are not.

The NIST AI Risk Management Framework (AI RMF 1.0) and its Generative AI Profile are increasingly cited in audit working papers as the reference for "reasonable AI governance" even where they're not formally adopted. The GOVERN-MAP-MEASURE-MANAGE structure maps cleanly onto the four-control playbook above; auditors are starting to expect that mapping in writing.

What this looks like for the regulated verticals

Healthcare clients in particular need the healthcare-specific framing on top of the general playbook. PHI gets a higher-sensitivity label tier, auto-labeling rules tied to MRN and ICD-10 patterns, and DSPM for AI policy rules that flag Copilot prompts touching PHI for separate review. The sister post on the Microsoft BAA and Copilot covers the contractual layer; this post is the operational layer.

Defense contractors running Copilot in GCC High have a narrower governance surface (GCC High has its own feature lag relative to commercial) but the four-control playbook adapts. The GCC High before CMMC Phase 2 post covers the tenant-level move; this post covers the Copilot governance overlay.

Tying it back to the original migration

Most of the tenant sprawl that drives the 2026 Copilot governance work is residue from M365 migration decisions made in 2017 to 2022. If the original migration didn't include permission rationalization and label deployment as a workstream, the cleanup is happening now whether it's scoped as Copilot prep or not. The Microsoft 365 migration practice at Pro IT NW now includes governance as a default workstream for exactly this reason; the cost of inserting governance into a migration is a fraction of the cost of retrofitting it three years later under audit pressure.

Sources and further reading

Pro IT NW does senior-led Microsoft project work. Vendor-neutral. Labor-only. The Copilot governance 90-day engagement is a fixed-scope follow-on to the 2-week readiness assessment, and is available as a Microsoft Marketplace consulting offer.

Written by the team at Pro IT NW · Senior-led Microsoft project consultancy · Seattle / USA-wide.

Share on LinkedIn Follow Pro IT NW