Skip to content
AI 08/07/2026 · 8 min · Kamil Juřík

SharePoint Online and AI readiness: the licence takes a day to buy — the ready environment doesn't

AI in SharePoint is no longer an add-on — it's a new layer of the platform. Whether you get there via Copilot, agents or your own AI solution, they all read the same data through the same permissions. Five questions that will test how ready your environment really is.

When organisations talk about “AI readiness” today, the conversation quickly drifts towards licences. How much Copilot costs, who gets it, when we’ll buy it. That’s understandable — a licence is a tangible budget line and can be decided in a single meeting. But that’s exactly why it’s a misleading shortcut. A licence takes a day to buy. An environment in which AI answers correctly and safely can’t be bought in a day — it has to be built.

Summer 2026 has made that difference more visible than ever. AI has stopped being an optional add-on in SharePoint and become part of the platform: the new SharePoint Experience is completing its worldwide rollout and brings AI features directly into the product, Copilot in SharePoint (the successor to last year’s Knowledge Agent) is rolling out in preview, administrators got an AI assistant in the admin centre, and SharePoint Copilot Apps are opening up for developers. The question is no longer whether AI will reach your SharePoint data. The question is: what will it find when it gets there.

How AI reaches SharePoint content

AI readiness is often narrowed down to “Copilot readiness”. That’s just a slice of it. If you look at how AI actually reaches SharePoint content today, you’ll see three broad categories — each with several forms:

  1. AI that Microsoft built into the platform. At the top, Microsoft 365 Copilot with a full licence — chat grounded in your organisation’s data through the semantic index, plus integration in Word, Excel, Outlook and Teams. Alongside it, Copilot Chat, which is now included with a Microsoft 365 subscription: on its own it’s grounded in web data, but pay-as-you-go billing unlocks chat grounded in your work data too. And directly inside SharePoint: Copilot in SharePoint (the Knowledge Agent’s successor), the SharePoint Admin Agent for administrators, and AI insights on top of governance reports. A special chapter is the content AI in SharePoint Premium (formerly Syntex) — it classifies documents and extracts metadata; it doesn’t answer from your content, it enriches it, so it actually helps readiness.
  2. Agents you build on the platform yourself. SharePoint agents — assistants anchored to a specific site or library — and declarative or fully custom agents from Copilot Studio, including multi-agent orchestration. They work both with a full Copilot licence and without one, billed by actual consumption.
  3. AI solutions outside the Copilot ecosystem. Microsoft is progressively opening up interfaces through which AI applications outside Copilot reach SharePoint content — from search APIs with security trimming to the newer Copilot retrieval API. Our own EasyPortal 365 AI Chat belongs to this category: it reads SharePoint through the standard search interface, so it only ever sees what the signed-in user is allowed to see, and it requires no Copilot licences.

The individual routes differ in price, capabilities and rollout speed. But they have one thing in common, and it’s the whole point of this article: they all read the same data and they all respect the same permission model. None of them has any judgement of its own about what is sensitive, what is outdated and what is the official version. All of that they inherit from the state of your environment.

AI is an amplifier of your environment’s state

Here’s something that needs saying bluntly: AI in SharePoint doesn’t create a single new security or quality problem. It only amplifies the ones you already have.

Take a typical tenant that has grown organically for ten years. There are team sites with no owner, documents shared with “Everyone except external users”, “anyone with the link” links created in 2022 and forgotten, three versions of the same policy in different libraries, and hundreds of gigabytes of content from projects that ended long ago. As long as only people moved around that environment, a natural protection applied: finding something you weren’t meant to reach took effort. You had to know where to look.

AI removes that natural barrier. It answers a question in seconds and assembles the answer from everything the person asking technically has access to — regardless of whether anyone knows about that access. Microsoft itself has long identified oversharing — content shared far too broadly — as the number one issue when deploying Copilot and dedicates a separate deployment blueprint to it. And AI has the same effect on quality: give it no signal about what is current and official, and it will happily assemble an answer from a five-year-old draft. No language model, however good, can tell a valid policy from its abandoned copy — unless your environment tells it.

That’s why AI readiness can’t be bought. It can, however, be measured quite precisely.

Five questions that test your readiness

When we assess how ready a customer’s SharePoint is for AI, it always comes down to five questions. They work regardless of which route to AI you choose.

1. Do you know who can actually reach what?

Not “who should be able to” — who can. Those are two different things, and the gap between them is exactly what AI makes visible. Specifically: where organisation-wide sharing is used, how many active “anyone with the link” links exist, which sites have broken permission inheritance, and who has access through groups nobody knows the membership of.

The SharePoint admin centre has Data Access Governance reports for this today — including an overview of sites with content shared to the whole organisation and sharing-link activity. The newer Content Management Assessment wraps it all into a guided evaluation with recommendations that can be re-run every 30 days to track the trend.

2. Does your environment know what’s sensitive?

Permissions say who can reach content. They say nothing about what that content is. A contract, a salary statement and a Christmas party invitation can sit in the same library with the same rights — and to AI they are equals until classification tells them apart.

The practical tool is sensitivity labels: classification labels that travel with the document and that further protections attach to — encryption, blocking external sharing, exclusion from AI answers via DLP policies. The key is to set up auto-labelling, because nobody is going to label thousands of existing documents by hand.

3. Is the content AI finds the right content?

This is the most underestimated pillar. AI answers from what exists — and in an environment that has grown for ten years, what exists is mostly clutter. Inactive sites, documents named “final_v3_REALLY_final”, copies of copies. Every outdated document that doesn’t need to exist is a candidate for a wrong answer.

The remedy is content lifecycle: policies for inactive sites, archiving (archived content disappears from AI answers but stays retrievable for compliance), retention policies for controlled deletion. Less clutter means measurably better answers — this is the one place where AI quality can literally be “bought” with a clean-up.

4. Can AI tell what’s official?

When a user asks about the current travel policy, the answer should come from the HR site, not from a working copy in a project team site. AI can’t tell the difference on its own — it needs a signal. In SharePoint that signal comes from marking authoritative sources, a well-thought-out information architecture and metadata. And the other way round: sites that have no business appearing in AI answers (legal matters, M&A, board materials) can be deliberately excluded from AI search via Restricted Content Discovery — without changing anyone’s permissions.

5. Who owns it and how is it measured?

The four previous points are not a project that finishes one day. They are operational disciplines — and without an owner, every one of them falls apart within a year. Someone has to have it in their job description that governance reports actually get read, that the assessment gets repeated, that site-creation rules apply to new teams too, and that exceptions get approved. In a smaller organisation that tends to be the IT manager; in a larger one it’s a dedicated responsibility. Without it, AI readiness remains a one-off clean-up nobody will recognise a year later.

What you can get done this month

None of the above requires a year-long project. A sensible first month looks like this:

  1. Run the assessment or the Data Access Governance reports and look at the results for your most used sites. Within an hour you know where the biggest risk sits — typically organisation-wide sharing where it has no business being.
  2. Tighten the default sharing settings. Default link type set to “specific people”, link expiration, restrictions on “anyone with the link”. One change in the admin centre that slows down new oversharing from tomorrow onwards.
  3. Take the sites that don’t belong in AI out of its reach. Identify the 3–5 sites with the most sensitive agenda and switch on Restricted Content Discovery for them.
  4. Mark your authoritative content. Pick the sites that are the official source of company information — intranet, HR, policies — and make sure they are marked as authoritative and kept up to date.
  5. Name an owner. One sentence in a role description that decides whether, a year from now, your environment will be in a better or worse state than today.

And where do licences fit in?

Deliberately only now. Some of the tools mentioned are part of SharePoint itself; others (Data Access Governance in full scope, Restricted Content Discovery, lifecycle policies, the assessment) belong to SharePoint Advanced Management, which a tenant gets today with Copilot licences, and classification with DLP requires the corresponding Microsoft Purview plan. We took the licensing puzzle apart in a separate article.

The essential point, though, is that readiness is not a reward for buying a licence. Even if you decide not to roll out full Copilot and take a different route to AI — through pay-as-you-go agents, or through a custom or partner solution such as our AI Chat — the five questions above apply unchanged. AI that respects permissions is exactly as safe as those permissions are healthy. And AI that answers from your content is exactly as good as that content is.

What to take away

  1. In SharePoint, AI is a layer of the platform, not a feature you switch on. There’s more than one route to it — but they all read the same data through the same permissions.
  2. AI doesn’t create new problems, it amplifies existing ones. Oversharing, clutter and missing classification were a problem before AI. With AI they’re visible from the first prompt.
  3. AI readiness isn’t measured in licences, it’s measured by the state of your environment. And that can be established within an hour — the reports are already in your admin centre.

This article was created in collaboration between EasyPortal 365 and Aricoma Enterprise Applications, an authorised EasyPortal 365 partner. Both teams help organisations prepare their Microsoft 365 environment for a safe AI rollout — from audit and governance to ongoing operations. If you’d like to check where your environment stands, get in touch — a 30-minute conversation over your reports is the fastest way to find out.

In the next part we’ll get practical: how the Content Management Assessment works step by step, how to read its results, and which findings to tackle first.

SHARE ARTICLE