GOVERNANCE 09/05/2026 · 6 min · Kamil Juřík

SharePoint Online Governance: why it's required before you switch on the new Copilot

New SharePoint, dual Copilot, Restricted Content Discovery and Authoritative Sites. The May wave of news in Microsoft 365 makes SharePoint Online governance a mandatory prerequisite — not an optional add-on. What specifically to address before you switch the new features on.

A few years ago SharePoint governance was a topic organisations could afford to postpone. Nobody looked into what was sitting in the libraries, “anyone with the link” sharing was only addressed after an incident, and permissions like “Everyone except external users” lay dormant unnoticed. That era is now definitively coming to an end. And the reason has a name: Copilot.

Spring 2026 brought several changes to Microsoft 365 that at first glance seem unrelated. The new SharePoint Experience is rolling out without an opt-out. Microsoft 365 Copilot has been split into Basic and Premium licences. Authoritative Sites are now in the admin centre, and Restricted Content Discovery is moving down to individual sites. Put them next to each other and you’ll see they all address one and the same thing — what Copilot will see when you switch it on inside your organisation.

And if you don’t have an answer to that question, it’s time to start looking for one.

Copilot isn’t the problem. It’s a detector of problems you already had.

Let’s start with what Copilot actually does. It’s not just better search. Copilot actively reads through content the user perceives as “accessible” — that is, anything they have permission to inside the tenant. Which means: team libraries they were added to, sites where they have a member role through some group, documents with sharing links they once clicked from a stranger’s email back in 2022. Plus everything shared “Everyone except external users” inside the organisation — which in most tenants includes tens of thousands of items nobody knows about.

Microsoft says it bluntly in its own internal materials: oversharing is the most frequent cause of Copilot incidents, and according to its own data, 70 to 90 % of enterprise environments have a significant oversharing problem that needs to be resolved before rolling out Copilot.

It’s important to understand that Copilot didn’t create any of these problems. It just made them visible. Previously, employees had to actively search, click and remember where things lived. Copilot does it in a single prompt. And returns it in a tidy summary. Including the salary spreadsheet someone accidentally shared with the whole company in 2023.

What’s specifically changing in Copilot right now

Before we dive into governance, it’s worth knowing what terrain is currently forming. Spring 2026 brought several changes that have a direct security impact:

  • The new SharePoint Experience (GA, May–July 2026). Rollout with no opt-out. The app bar and start page change, AI features and 31 new page templates are added. For users it means new habits. For administrators, it means old training materials are useless from next week.
  • Microsoft 365 Copilot Basic vs. Premium (from 15 April 2026). Full functionality in Word, Excel, PowerPoint and OneNote is reserved for Premium licences. Basic gets only chat. Auditing licence assignments is a job for now, not for when the tickets start arriving.
  • Microsoft 365 E7 and Agent 365 (GA, 1 May 2026). A new licence tier for organisations that want to roll out AI agents at scale. It introduces a unified governance layer for agents — but that layer only works if there’s already governance over the data the agents run on top of.
  • SharePoint Authoritative Sites. In the admin centre you can mark specific sites as the official source of information — corporate news, policies, HR handbooks. Copilot then preferentially uses them when looking for answers. Without this, Copilot “leans” on whatever it finds — and that’s often an old draft, an outdated version or someone else’s note.
  • Restricted Content Discovery (RCD) at site level. A site admin can independently switch on a rule that the site will not appear in Copilot answers or in organisational search at all. Public Preview from March 2026, GA later in the year.
  • Multi-agent orchestration in Copilot Studio (GA). Agents collaborate, share context, drive workflows. Technically it’s wonderful. From a governance perspective it’s a new kind of actor that reaches data outside the standard user perspective.
  • AI Citations Analytics (May 2026). A new page in site usage — it shows how Copilot and agents cite your documents. The first standardised metric for content quality from an AI grounding perspective.

Putting it together: AI in M365 has stopped being an add-on and is becoming an operational layer. And operational layers need rules.

What governance means in the context of Copilot

In conversations with managers I often hear that “governance” sounds like something the compliance department does in a 200-page document. In reality, governance in the context of SharePoint Online is a set of concrete questions that need a written answer:

  1. Who creates new sites and under what rules? If it’s “anyone”, in a year’s time you’ll have 2,000 sites of which 1,200 have no owner.
  2. What does the site lifecycle look like? From creation through inactivity to archiving and deletion. Without it, data keeps piling up that Copilot will index — and you don’t know what’s relevant and what’s debris from a three-year-old reorganisation.
  3. How are permissions and sharing handled? Default sharing-link type, expiration, allowed external domains, “Everyone except external users” on sensitive content. This is not an optional debate. It’s hygiene.
  4. What is your authoritative content and what is a draft? If Copilot has no way of distinguishing “Official HR Policy 2026” from “Draft HR Policy 2022”, it will return a random mix. Authoritative Sites and sensitivity labels are the tools for telling it which is which.
  5. What is sensitive and how is it labelled? Sensitivity labels are not marketing. They are the bridge between permission and classification. Without them, Copilot sees all content equally.
  6. Who approves exceptions, and how? External guests on a sales site, sharing with a competitor’s domain, temporary full access for a partner. Without an approval process, exceptions become the default.

These are not topics for “sometime next year”. They are prerequisites for Copilot to do, in your organisation, what you expect of it — and not to do what you’d rather not see.

Where Microsoft helped: SharePoint Advanced Management

The good news is that Microsoft isn’t waiting for organisations to build their governance manually. SharePoint Advanced Management (SAM) is a set of admin tools that come with every tenant that has at least one Copilot licence. And it contains exactly what you need for Copilot readiness:

  • Data Access Governance reports — an overview of sites that may have overshared content or sensitive documents. The first place to look when you want to know “where to start”.
  • Restricted Access Control (RAC) — a site limited to a specific group of users. It doesn’t matter what others see in a sharing link — they won’t reach it. And Copilot honours that too.
  • Restricted Content Discovery (RCD) — the site doesn’t appear in organisational search or Copilot Chat at all. Good for M&A projects, legal matters, executive materials.
  • Sharing link policies — default link type, expiration, allowed domains. Set it once, applies everywhere.
  • Site lifecycle management — inactive site policy, archive, controlled deletion. Less data = better signal for Copilot.
  • SharePoint Admin Agent — an AI assistant for managing your own tenant. Skills around storage, lifecycle and oversharing management. From an admin productivity standpoint, the novelty of the year.

Bottom line: the tools are there. What’s missing is a systematic approach to deploying them — and, above all, deciding where it has to be done immediately and where it can wait.

Three things worth doing this month

If you’re planning to roll out Copilot, or you’ve already switched it on and want to sleep better, three steps make sense:

1) Run the Data Access Governance report and look at the top 50 sites

Thirty minutes of an administrator’s time and you’ll know where the biggest risk lies. Typically you’ll find sites with thousands of “Everyone except external users” items, sharing links without expiration, externally shared content with sensitive files. That’s your priority list for the next few weeks.

2) Mark authoritative content and consider RCD

Pick 5–10 sites that genuinely are the official source of company information (intranet, HR, IT handbooks, corporate news) and mark them as Authoritative Sites. In parallel, identify 3–5 sites that don’t belong in Copilot at all (M&A, legal, exec) and switch RCD on there.

3) Agree internally who owns governance

Without an owner, governance gets going and then falls apart. In a small organisation it tends to be the IT manager, in a larger one a separate “M365 Governance Lead” role. The important thing is that someone has both the technical configuration and the user-facing communication of the rules in their remit.
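The sharing hygiene from governance question 3 and the RCD part of step 2 can both be set from the SharePoint Online Management Shell. The script below is an added example, not code from the article or from EasyPortal 365; the admin URL, site URLs and partner domain are placeholders, and Authoritative Sites and the Data Access Governance report are left out because the article describes them as admin centre actions.

```powershell
# Added example (not the article's or EasyPortal 365's own code).
# Prerequisite: Install-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# --- 1. Tenant-wide sharing link policy (governance question 3) ---
# Record the current values first so the change is reversible and auditable.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
$before | Format-List

$sharingPolicy = @{
    SharingCapability                 = 'ExternalUserSharingOnly'  # guests must sign in; no "Anyone" links
    DefaultSharingLinkType            = 'Internal'                 # new links default to "people in your organisation"
    RequireAnonymousLinksExpireInDays = 30                         # any remaining anonymous links expire
    SharingDomainRestrictionMode      = 'AllowList'                # external sharing only to listed domains
    SharingAllowedDomainList          = 'partner.example'          # placeholder partner domain
}
Set-SPOTenant @sharingPolicy

# --- 2. Restricted Content Discovery on sites that must not surface in Copilot ---
# Placeholder site URLs standing in for the M&A / legal / exec sites from step 2.
$rcdSites = @(
    'https://contoso.sharepoint.com/sites/ma-project-2026',
    'https://contoso.sharepoint.com/sites/legal-matters'
)
foreach ($url in $rcdSites) {
    # RCD hides the site from organisational search and Copilot Chat; permissions are unchanged.
    Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
}

# Verify and keep the exception list documented alongside the governance owner's records.
foreach ($url in $rcdSites) {
    Get-SPOSite -Identity $url | Select-Object Url, Owner, RestrictContentOrgWideSearch
}
```

Run the first block on its own and review the recorded values before applying the policy, since tightening SharingCapability also affects links already in circulation.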

This isn’t a year-long project. It’s the baseline level on which you gradually build the rest — information architecture, lifecycle, change management, training. But without that baseline, the Copilot news is not an advantage, it’s a risk.

A short EasyPortal 365 perspective

We work on this topic with organisations almost daily. The most common entry point is SharePoint Restart — a two- to three-week audit that maps the state of the environment, permissions, external sharing and risks before AI. The output is a dashboard, a PDF report and a 90-minute workshop with a prioritised plan.

If the audit shows you need a more structured intervention, Governance Setup follows on — a five- to eight-week project in which we set up the governance model, roles, lifecycle, information architecture, data protection and backup rules. The output is a documented standard the environment will be run by.

And for organisations that don’t have their own SharePoint specialists or want a partner for ongoing development, there’s SharePoint Care — continuous care, oversight, evaluation of M365 news and monthly reporting. That’s the most common form of keeping governance alive in practice over the long term.

Takeaways

Spring 2026 in Microsoft 365 isn’t just a collection of news items. It’s the point at which the meaning of “secure SharePoint” is changing. Before Copilot, it was enough that no one had access to sensitive content who shouldn’t. After Copilot, on top of that the content has to be properly labelled, every site has to have a clear owner, unused content has to be archived, and there has to be a difference between an “authoritative” and a “working” version of a document.

Three sentences worth remembering:

  1. Copilot didn’t create any new security holes. It just makes them visible at a speed that takes you by surprise.
  2. Governance is not a document. It’s an operational discipline. If it has no owner and no rhythm, it falls apart.
  3. This year is not a “let’s switch Copilot on sometime” year. It’s a “Copilot is already indexing” year. The question isn’t whether to switch it on, but what it will see once you do.

If you don’t know where to start, or just want to verify whether you’re ready for the May news, get in touch. We’ll set up a 30-minute call, walk through your situation and recommend the first step — be it an audit, a governance setup, or just a short consultation on a specific problem.
