Nov. 24, 2025

Stop SharePoint Agents From Leaking Your Data (The IT Pro Fix)

Worried your SharePoint or Copilot agent is “hallucinating” data leaks? In this episode, we unpack why that’s almost never the model’s fault and almost always your permissions and scope design. You’ll learn how SharePoint and Microsoft 365 agents actually see your data through Microsoft Graph, why overscoped knowledge sources plus permissive inheritance turn into accidental disclosure at machine speed, and why grounding does not equal a security boundary. We break down a practical mental model for agents – user persona plus retrieval filters, gated by permissions, labels, and Purview DLP – and show exactly how an agent can quietly stitch together truths from adjacent libraries you never properly isolated.

From there, we go deep into the four control planes that stop bleed without killing usefulness: scoping knowledge sources at the library level with strict metadata and multiple narrow, specialized agents instead of one encyclopedic monster; breaking SharePoint inheritance where it matters, replacing “everyone” groups with tightly managed Azure AD role groups, and treating sensitivity labels as policy keys instead of stickers; enforcing approval gates, licensing boundaries, and tenant data policies so random makers can’t spin up shadow agents wired to the wrong content; and finally, wiring Microsoft Purview DLP so it actually blocks agents from processing confidential data, even when users can see it. If you want your Copilot and SharePoint agents to be powerful, safe, and predictable instead of a governance horror story, this episode gives you the exact patterns, policies, and tests to cage them with teeth – not vibes.

Are your SharePoint agents suddenly surfacing answers that feel too honest—or worse, too exposed? It’s probably not “AI being spooky.”
It’s your permissions, scope, and DLP. In this episode, we unpack why SharePoint agents leak data, why it’s almost never “hallucination,” and how to fix it with:

  • Tight knowledge source scoping
  • Permission and inheritance hardening in SharePoint
  • Sensitivity labels + Purview DLP that actually block agents
  • Approval gates for agents, licensing boundaries, and data policies
  • A baseline policy pack you can roll out as an IT admin today

If you’re an M365 admin, SharePoint architect, security engineer, or Copilot / agents owner, this is your practical playbook for stopping AI-driven data leaks before they start.

🔍 Episode Summary

Your SharePoint agent didn’t “leak” data because AI is haunted.
It leaked because you overscoped the agent and left permissions inheritance and DLP in a half-configured state. In this episode, you’ll learn:

  • How SharePoint agents actually see data (Graph + ACLs + labels + DLP)
  • Why grounding does NOT equal security
  • The difference between retrieval filters and permissions boundaries
  • How to scope knowledge like a lawyer writes contracts
  • How to break inheritance the right way and pair it with sensitivity labels
  • How to build DLP patterns that bite, not just log
  • How to use PayG / licensing and approval workflows as hard guardrails
  • How to monitor, audit, and safely rollback when something goes wrong
  • A baseline agent governance pack you can deploy today

This isn’t a hype episode. It’s an IT pro fix for a very real risk.

🧬 Segment 1 – How SharePoint Agents Actually See Your Data

We start by demystifying how agents “see” SharePoint:

  • Agents don’t read your intentions; they read Microsoft Graph
  • Graph is the bloodstream – if ACLs allow access, agents can see it
  • An agent = user persona + retrieval filters
    • Persona = the identity and its permissions
    • Retrieval = which libraries/folders/URLs you pointed at

Key idea: Permissions gate first. Retrieval filters only decide where to look, not what’s allowed. We cover:

  • Why grounding filters relevance but doesn’t shrink legal access
  • How permissions inheritance becomes silent escalation
  • How an overscoped agent “accidentally” pulls HR or Legal content from adjacent libraries
  • Why “it’s just one site root” is the fastest way to disaster

You’ll walk away with a mental model:

  • Gate → Find → Enforce
    • Permissions (ACLs) gate access
    • Retrieval filters help find content
    • Labels + DLP enforce what’s allowed to be processed

Once you understand that stack, the “leak” stops being mystical.

📚 Segment 2 – Control Plane 1: Scope Knowledge Sources Like a Lawyer

Next, we fix the first big mistake: overscoping. We walk through how to design knowledge sources so they cannot wander:

Core Scoping Rules

  • Library-level sources only
    • No site roots
    • No hub-level “everything under here” shortcuts
  • Shallow folder depth, avoid recursive “grab the world” patterns
  • Metadata filters only
    • Only ingest items where Status = Approved, Version = Published, Department = X, etc.
  • Exclude drafts, archives, and “Working” trees
  • No crawling arbitrary internal/external URLs “for context”

The Real-World Pattern

  • Many small, narrow agents → safer and more predictable
  • One giant “encyclopedic” agent → high blast radius

We also cover:

  • Why you should disable general AI knowledge for regulated agents
  • How to use an explicit fallback answer: “I’m not authoritative for that. Here’s what I can answer.”
  • How to test scope using edge-case queries (in-domain vs out-of-domain)

Metrics to track:

  • Answerability – in-domain questions answered from the right library
  • Containment – answers only cite approved sources
  • Silence quality – out-of-domain questions get clean, safe refusals

🔐 Segment 3 – Control Plane 2: Break Inheritance and Label Like You Mean It

Then we tackle the second big weakness: lazy inheritance.

Why Inheritance Is a Problem

  • Site-level inheritance quietly brings in:
    • Everyone / Authenticated Users
    • Old project groups
    • Guests that never got removed
  • Agents respect ACLs, not vibes – if the identity can open a file, it can process it

Permission Hardening Strategy

  • Identify must-isolate libraries: HR, Legal, Finance, R&D, high-risk policies
  • Break inheritance at the library level, not the entire site
  • Replace broad groups with:
    • Azure AD security groups by role
    • Narrow Owners / Members / Readers
    • No “All employees” in sensitive libraries

We define permission tiers:

  • Tier A – Confidential: minimal owners/members, no guests
  • Tier B – Internal-only: department-wide but no external users
  • Tier C – Public-internal: all employees but still no guests

Sensitivity Labels + DLP

We emphasize:

  • Labels are not stickers; they are policy keys
  • Use labels like Confidential – HR, Restricted – Finance, Internal
  • Map labels to real behavior through Purview DLP:
    • Some labels = agents allowed
    • Some labels = agents always blocked, even if the user can view

Example pattern:

  • HR agent runs with a service identity allowed only in HR Policy library
  • Adjacent HR Drafts library uses unique permissions and different labels
  • DLP says:
    • Agent X can process Confidential – HR
    • All other agents get blocked on that label

We show how to:

  • Keep agent identities narrow
  • Avoid “run as current user” for regulated scenarios
  • Separate human visibility from machine processing
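The three layers described in Segments 1 through 3 (permissions gate, retrieval filter, label-driven DLP) and the scope metrics from Segment 2 are easy to reason about once you can run them. The following is an added example written for these show notes, not code from the episode or from Microsoft: every library, group, ACL, label, DLP rule, agent identity and query in it is constructed for illustration, and nothing here calls Microsoft Graph, SharePoint or Purview. It models an overscoped generalist that runs as the invoking user and points at the site root, next to narrow agents that run as service identities, and shows why the leak from an adjacent HR Drafts library is predictable rather than spooky, and how a DLP allow-list on the label stops it even when the human can still read the file.

```python
"""Gate -> Find -> Enforce, modelled in plain Python (constructed example)."""
from dataclasses import dataclass
from typing import Optional

FALLBACK = "I'm not authoritative for that. Here are the approved sources I cover."


@dataclass(frozen=True)
class Doc:
    library: str   # document library the file lives in
    title: str
    label: str     # sensitivity label (constructed names)
    status: str    # metadata column used as a retrieval filter
    text: str


# Constructed content: "HR Policies" and "HR Drafts" are adjacent libraries on
# one site; "Product FAQ" is the library a FAQ agent should be pointed at.
DOCS = [
    Doc("Product FAQ", "Returns", "Internal", "Approved", "Returns accepted within 30 days."),
    Doc("Product FAQ", "Warranty", "Internal", "Draft", "Draft: warranty may extend to 3 years."),
    Doc("HR Policies", "Leave policy", "Confidential – HR", "Approved", "Employees accrue 20 days of leave."),
    Doc("HR Drafts", "Restructure plan", "Confidential – HR", "Draft",
        "Draft: leave accrual drops to 15 days under the restructure."),
]

# Constructed group membership, and ACLs per library. "HR Drafts" still carries
# the site's inherited "All Employees" grant because nobody broke inheritance.
GROUPS = {"All Employees": {"alice", "bob"}, "HR Team": {"bob"}}
ACL = {
    "Product FAQ": {"All Employees", "svc-faq-agent"},
    "HR Policies": {"HR Team", "svc-hr-agent"},
    "HR Drafts": {"HR Team", "All Employees"},
}

# Constructed DLP policy: label -> identities allowed to process it. Any agent
# identity not listed is refused even when it can read the file.
DLP_AGENT_ALLOW = {"Confidential – HR": {"svc-hr-agent"}}


@dataclass(frozen=True)
class Agent:
    name: str
    identity: str                          # persona the agent runs as
    sources: frozenset                     # libraries pointed at; {"*"} = site root
    required_status: Optional[str] = None  # metadata filter such as "Approved"


def principals(identity: str) -> set:
    """Expand an identity into itself plus every group containing it."""
    return {identity} | {g for g, members in GROUPS.items() if identity in members}


def gate(agent: Agent, doc: Doc) -> bool:
    """Layer 1, permissions: can this persona open the file at all?"""
    return bool(principals(agent.identity) & ACL[doc.library])


def in_scope(agent: Agent, doc: Doc) -> bool:
    """Layer 2, retrieval filter: was the agent pointed at this library and metadata?"""
    lib_ok = "*" in agent.sources or doc.library in agent.sources
    meta_ok = agent.required_status is None or doc.status == agent.required_status
    return lib_ok and meta_ok


def relevant(doc: Doc, query: str) -> bool:
    """Toy relevance: any query word appears in the title or text."""
    return bool(set(query.lower().split()) & set((doc.title + " " + doc.text).lower().split()))


def enforce(agent: Agent, doc: Doc, dlp: dict) -> bool:
    """Layer 3, DLP: may this identity process content carrying this label?"""
    allowed = dlp.get(doc.label)
    return allowed is None or agent.identity in allowed


def answer(agent: Agent, query: str, dlp: dict):
    """Run the stack in order; return (cited docs, docs DLP refused to process)."""
    cited, blocked = [], []
    for doc in DOCS:
        if not gate(agent, doc):
            continue                   # invisible to the persona
        if not in_scope(agent, doc) or not relevant(doc, query):
            continue                   # not where the agent was told to look
        if not enforce(agent, doc, dlp):
            blocked.append(doc)        # readable by a human, refused for the agent
            continue
        cited.append(doc)
    return cited, blocked


def evaluate(agent: Agent, cases, dlp: dict) -> dict:
    """Answerability, containment and silence quality over (query, in_domain) cases.
    Approved sources are the agent's declared libraries, so a site-root agent
    can never score as contained."""
    results = {q: answer(agent, q, dlp)[0] for q, _ in cases}
    in_dom = [q for q, ok in cases if ok]
    out_dom = [q for q, ok in cases if not ok]
    answered = [q for q in results if results[q]]
    contained = [all(d.library in agent.sources for d in results[q]) for q in answered]
    return {
        "answerability": sum(bool(results[q]) for q in in_dom) / len(in_dom),
        "containment": sum(contained) / len(contained) if contained else 1.0,
        "silence_quality": sum(not results[q] for q in out_dom) / len(out_dom),
    }


# Constructed agents: one overscoped generalist running as the invoking user,
# two narrow agents each running as a least-privilege service identity.
OVERSCOPED = Agent("company-generalist", "alice", frozenset({"*"}))
FAQ_AGENT = Agent("product-faq", "svc-faq-agent", frozenset({"Product FAQ"}), "Approved")
HR_AGENT = Agent("hr-policy", "svc-hr-agent", frozenset({"HR Policies"}), "Approved")
CASES = [("returns", True), ("leave policy", False)]  # controlled query set for the FAQ agent

if __name__ == "__main__":
    for agent, dlp in ((OVERSCOPED, {}), (OVERSCOPED, DLP_AGENT_ALLOW), (FAQ_AGENT, DLP_AGENT_ALLOW)):
        cited, blocked = answer(agent, "leave policy", dlp)
        print(agent.name, "with DLP" if dlp else "no DLP", [d.title for d in cited] or FALLBACK,
              "blocked:", [d.title for d in blocked])
    print(evaluate(FAQ_AGENT, CASES, DLP_AGENT_ALLOW))
```

Run as-is, the generalist answers a leave question from the draft restructure plan while the DLP dictionary is empty, returns nothing but a blocked entry once the label rule exists, and the FAQ agent scores 1.0 on all three metrics because it cannot even see the HR libraries. Swapping the agent's identity from a service account to a user in "All Employees" is the quickest way to see why "run as whoever invokes me" inherits the sprawl.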

🚦 Segment 4 – Control Plane 3: Approval Gates, PayG & Data Policies

Now we stop shadow agents and random builders from bypassing governance.

Agent Approval Workflow

We design an intake and approval process:

  • No one spins up a SharePoint agent without:
    • Business purpose
    • Owner + support contact
    • Expiration date
    • Exact knowledge source libraries
    • Service identity to run as

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.

Follow us on:
LinkedIn
Substack

Transcript

1
00:00:00,000 --> 00:00:02,600
Your SharePoint agent didn't hallucinate a leak.

2
00:00:02,600 --> 00:00:04,960
You handed it a fire hose and asked for a sip.

3
00:00:04,960 --> 00:00:07,680
Overscoped knowledge sources plus permissive inheritance

4
00:00:07,680 --> 00:00:10,000
equals accidental disclosure at machine speed.

5
00:00:10,000 --> 00:00:11,000
The fix isn't magic.

6
00:00:11,000 --> 00:00:13,280
It's scope discipline, permission hardening,

7
00:00:13,280 --> 00:00:14,600
and DLP with teeth.

8
00:00:14,600 --> 00:00:17,520
Wrapped in a baseline policy pack you can deploy today.

9
00:00:17,520 --> 00:00:19,520
I'll show you how agents actually see data,

10
00:00:19,520 --> 00:00:21,760
why grounding doesn't isolate permissions,

11
00:00:21,760 --> 00:00:25,120
and the exact controls that cage them without killing usefulness.

12
00:00:25,120 --> 00:00:27,280
There's one setting most admins skip,

13
00:00:27,280 --> 00:00:30,400
an approval gate you need, and a DLP pattern that actually

14
00:00:30,400 --> 00:00:31,280
blocks agents.

15
00:00:31,280 --> 00:00:33,320
Let's start with how they see.

16
00:00:33,320 --> 00:00:36,640
Foundation, how SharePoint agents actually see your data,

17
00:00:36,640 --> 00:00:37,960
permissions DNA.

18
00:00:37,960 --> 00:00:38,840
The truth?

19
00:00:38,840 --> 00:00:40,360
Agents don't read your intentions.

20
00:00:40,360 --> 00:00:41,600
They read Microsoft Graph.

21
00:00:41,600 --> 00:00:43,400
Think of Graph as the bloodstream.

22
00:00:43,400 --> 00:00:45,360
If content is accessible through your ACLs,

23
00:00:45,360 --> 00:00:46,720
the agent sees the oxygen.

24
00:00:46,720 --> 00:00:48,320
If you overscope a knowledge source,

25
00:00:48,320 --> 00:00:51,200
you just install the bypass around your carefully labeled

26
00:00:51,200 --> 00:00:51,720
arteries.

27
00:00:51,720 --> 00:00:52,840
Let me translate.

28
00:00:52,840 --> 00:00:55,520
An agent has two big ingredients, a user persona

29
00:00:55,520 --> 00:00:57,080
and retrieval filters.

30
00:00:57,080 --> 00:00:59,480
A persona equals the identity and its permissions

31
00:00:59,480 --> 00:01:03,160
across SharePoint OneDrive and any other connected surfaces.

32
00:01:03,160 --> 00:01:07,400
Retrieval equals what you pointed at, a library, a folder,

33
00:01:07,400 --> 00:01:10,280
a pile of files, or a few URLs.

34
00:01:10,280 --> 00:01:13,200
Most people confuse retrieval filters with security boundaries.

35
00:01:13,200 --> 00:01:14,000
They are not.

36
00:01:14,000 --> 00:01:16,280
Retrieval says search here first.

37
00:01:16,280 --> 00:01:18,160
Permissions say you may enter.

38
00:01:18,160 --> 00:01:21,080
The agent obeys permissions first, retrieval second.

39
00:01:21,080 --> 00:01:23,240
If you remember nothing else, remember that ordering.

40
00:01:23,240 --> 00:01:25,440
Now, sensitivity labels and Purview DLP

41
00:01:25,440 --> 00:01:28,160
sit on top of content like signage and guardrails, labels

42
00:01:28,160 --> 00:01:32,160
classify, DLP enforces behavior when certain content is accessed

43
00:01:32,160 --> 00:01:33,600
or processed.

44
00:01:33,600 --> 00:01:35,440
The thing most people miss is simple.

45
00:01:35,440 --> 00:01:37,240
Grounding does not override rights.

46
00:01:37,240 --> 00:01:38,520
Grounding filters relevance.

47
00:01:38,520 --> 00:01:40,840
It doesn't shrink the agent's legal authority.

48
00:01:40,840 --> 00:01:43,600
So if your agent identity can see multiple adjacent libraries

49
00:01:43,600 --> 00:01:45,280
because you left inheritance intact,

50
00:01:45,280 --> 00:01:48,840
the LLM can and will stitch nearby truths into an answer,

51
00:01:48,840 --> 00:01:51,200
not spooky, predictable.

52
00:01:51,200 --> 00:01:54,040
Permissions inheritance is silent escalation.

53
00:01:54,040 --> 00:01:57,520
You swear a site is internal only, then discover a SharePoint

54
00:01:57,520 --> 00:02:00,480
group includes everyone or authenticated users.

55
00:02:00,480 --> 00:02:02,400
Guests linger, old project groups persist.

56
00:02:02,400 --> 00:02:04,600
The agent respects ACLs, not vibes.

57
00:02:04,600 --> 00:02:06,960
If that identity can open the file in SharePoint,

58
00:02:06,960 --> 00:02:10,000
the agent can process it unless DLP or label policy

59
00:02:10,000 --> 00:02:12,440
combinations explicitly block agent operations.

60
00:02:12,440 --> 00:02:14,440
That's why your single library pilot suddenly

61
00:02:14,440 --> 00:02:17,000
quoted an HR policy from a neighboring library.

62
00:02:17,000 --> 00:02:18,520
You didn't isolate anything.

63
00:02:18,520 --> 00:02:21,840
You suggested a preferred shelf in an unlocked room.

64
00:02:21,840 --> 00:02:23,720
Enter the least-knowledge-necessary model.

65
00:02:23,720 --> 00:02:26,520
Instead of feeding it a site root and hoping relevance saves you,

66
00:02:26,520 --> 00:02:28,800
bind knowledge sources to specific libraries.

67
00:02:28,800 --> 00:02:30,600
Avoid site-level ingestion.

68
00:02:30,600 --> 00:02:32,680
Cap folders, use metadata filters,

69
00:02:32,680 --> 00:02:34,760
so retrieval indexes only the documents

70
00:02:34,760 --> 00:02:36,520
that matter to the agent's mission.

71
00:02:36,520 --> 00:02:38,520
In Copilot Studio and SharePoint agent builders,

72
00:02:38,520 --> 00:02:42,320
you can designate official sources, disable general AI knowledge,

73
00:02:42,320 --> 00:02:44,360
and add fallback responses.

74
00:02:44,360 --> 00:02:47,000
That not authoritative fallback is your seatbelt.

75
00:02:47,000 --> 00:02:49,560
Without it, the model fills gaps with general knowledge

76
00:02:49,560 --> 00:02:51,640
that doesn't honor your compliance posture.

77
00:02:51,640 --> 00:02:52,760
Limits matter too.

78
00:02:52,760 --> 00:02:55,520
Platforms impose practical ceilings on files, folders,

79
00:02:55,520 --> 00:02:57,560
and URLs per knowledge source.

80
00:02:57,560 --> 00:02:58,960
Those aren't just performance notes.

81
00:02:58,960 --> 00:03:00,920
They are guardrails for governance.

82
00:03:00,920 --> 00:03:02,760
When you hit a limit, the wrong instinct

83
00:03:02,760 --> 00:03:05,640
is to widen the scope to a site root just for now.

84
00:03:05,640 --> 00:03:06,720
That's how leaks begin.

85
00:03:06,720 --> 00:03:09,520
The right move is to orchestrate multiple narrow agents,

86
00:03:09,520 --> 00:03:11,360
each with tightly-scoped sources,

87
00:03:11,360 --> 00:03:13,960
rather than one encyclopedic bot with a buffet pass.

88
00:03:13,960 --> 00:03:15,960
Distribute knowledge, keep authority minimal.

89
00:03:15,960 --> 00:03:17,840
Let me back up and give you a mental model

90
00:03:17,840 --> 00:03:19,840
that won't betray you under pressure.

91
00:03:19,840 --> 00:03:22,480
Agent equals user persona plus retrieval filter.

92
00:03:22,480 --> 00:03:24,560
Permissions gate first, retrieval second,

93
00:03:24,560 --> 00:03:26,440
labels describe sensitivity.

94
00:03:26,440 --> 00:03:28,280
DLP decides what actions are allowed

95
00:03:28,280 --> 00:03:29,760
when that sensitivity is present.

96
00:03:29,760 --> 00:03:31,840
Grounding helps the model find the right paragraph.

97
00:03:31,840 --> 00:03:33,520
Permissions decide if it was allowed

98
00:03:33,520 --> 00:03:35,480
to see the paragraph at all.

99
00:03:35,480 --> 00:03:37,160
DLP can still say no processing,

100
00:03:37,160 --> 00:03:39,360
even when both of those say yes.

101
00:03:39,360 --> 00:03:42,760
That stack, gate, find, enforce, keeps your thinking clean.

102
00:03:42,760 --> 00:03:44,680
Consequences of ignoring this: data bleed

103
00:03:44,680 --> 00:03:46,480
that looks like AI being weird,

104
00:03:46,480 --> 00:03:48,560
but is actually your scope design colliding

105
00:03:48,560 --> 00:03:50,280
with permissive inheritance.

106
00:03:50,280 --> 00:03:52,720
Adjacent libraries feel nearby to the model

107
00:03:52,720 --> 00:03:54,920
because they are nearby in your permissions.

108
00:03:54,920 --> 00:03:57,240
And yes, the model will happily stitch truth

109
00:03:57,240 --> 00:03:59,120
across boundaries you never hardened.

110
00:03:59,120 --> 00:04:02,120
Once you internalize the plumbing, everything else clicks.

111
00:04:02,120 --> 00:04:04,160
You stop blaming the LLM for answering,

112
00:04:04,160 --> 00:04:06,720
and you start controlling what it's allowed to consider.

113
00:04:06,720 --> 00:04:08,000
Now that you see the bloodstream

114
00:04:08,000 --> 00:04:10,400
and the spine, Graph, permissions, and retrieval filters,

115
00:04:10,400 --> 00:04:12,800
let's stop the water from crossing rooms.

116
00:04:12,800 --> 00:04:14,240
Scope sources like a contract,

117
00:04:14,240 --> 00:04:16,920
then break inheritance and label like you mean it.

118
00:04:16,920 --> 00:04:18,240
Control plane one.

119
00:04:18,240 --> 00:04:21,160
Scope the knowledge sources like a lawyer reads contracts.

120
00:04:21,160 --> 00:04:22,680
Now we write scope like legal language,

121
00:04:22,680 --> 00:04:25,680
precise, bounded, and utterly intolerant of ambiguity

122
00:04:25,680 --> 00:04:28,080
because broad sources create crosstalk

123
00:04:28,080 --> 00:04:30,800
and the LLM will happily stitch nearby truths

124
00:04:30,800 --> 00:04:33,880
into an answer like a gossip columnist with a long lens.

125
00:04:33,880 --> 00:04:36,880
Here's the scope rule that separates adults from interns,

126
00:04:36,880 --> 00:04:39,680
library-level sources only, not sites,

127
00:04:39,680 --> 00:04:41,480
not everything under this hub.

128
00:04:41,480 --> 00:04:43,960
A single document library per declared purpose.

129
00:04:43,960 --> 00:04:46,440
If the agent exists to answer product FAQs,

130
00:04:46,440 --> 00:04:49,080
it gets the product FAQ library and nothing else.

131
00:04:49,080 --> 00:04:49,920
The truth?

132
00:04:49,920 --> 00:04:52,160
Every extra inch of scope becomes latent risk

133
00:04:52,160 --> 00:04:54,320
the model can activate in milliseconds.

134
00:04:54,320 --> 00:04:56,480
Compare that to the average user's approach.

135
00:04:56,480 --> 00:04:59,040
Point at the site root, add all subfolders,

136
00:04:59,040 --> 00:05:00,680
and hope metadata saves them.

137
00:05:00,680 --> 00:05:01,520
It won't.

138
00:05:01,520 --> 00:05:04,640
Retrieval filters guide search, they don't erect a firewall.

139
00:05:04,640 --> 00:05:07,080
So you structure scope the way a lawyer structures clauses,

140
00:05:07,080 --> 00:05:09,000
specific, exclusive, and testable.

141
00:05:09,000 --> 00:05:11,320
Practical scoping mechanics you'll actually use.

142
00:05:11,320 --> 00:05:12,520
Avoid site roots.

143
00:05:12,520 --> 00:05:15,800
Always specify a concrete library path, cap folder depth.

144
00:05:15,800 --> 00:05:18,560
If you must use folders, freeze it at a shallow level

145
00:05:18,560 --> 00:05:21,520
with no recursive grab bag and force metadata filters,

146
00:05:21,520 --> 00:05:24,080
only ingest items where Status = Approved, Version

147
00:05:24,080 --> 00:05:28,480
= Published, Department = X; no metadata, no ingestion.

148
00:05:28,480 --> 00:05:31,040
Exclude drafts, archives, and working subtrees.

149
00:05:31,040 --> 00:05:33,320
If you can't exclude them, move them out.

150
00:05:33,320 --> 00:05:35,360
Yes, refactor, that's called governance.

151
00:05:35,360 --> 00:05:37,880
Limits reality check, platforms are not infinite buffets.

152
00:05:37,880 --> 00:05:41,160
You've got file counts, folder caps, and URL quotas.

153
00:05:41,160 --> 00:05:44,080
Treat them like speed limits that keep the wheels on.

154
00:05:44,080 --> 00:05:46,480
In Copilot Studio and SharePoint agent builders,

155
00:05:46,480 --> 00:05:49,000
test your practical ceilings before go live.

156
00:05:49,000 --> 00:05:51,240
Create a pilot source with the real distribution.

157
00:05:51,240 --> 00:05:53,960
A few hundred approved PDFs, some DOCX playbooks,

158
00:05:53,960 --> 00:05:56,800
a dozen PPTs. If ingestion slows, times out,

159
00:05:56,800 --> 00:05:59,120
or starts helpfully skipping, you don't expand scope,

160
00:05:59,120 --> 00:06:00,240
you split scope.

161
00:06:00,240 --> 00:06:02,880
One domain per source, one source per agent persona.

162
00:06:02,880 --> 00:06:04,720
This is orchestration, not gluttony.

163
00:06:04,720 --> 00:06:06,200
The shortcut nobody teaches.

164
00:06:06,200 --> 00:06:10,320
Multiple narrow agents beat one encyclopedic monster every time.

165
00:06:10,320 --> 00:06:12,760
Build an HR policy agent, a benefits agent,

166
00:06:12,760 --> 00:06:15,520
a travel agent, each with their own tight library

167
00:06:15,520 --> 00:06:16,560
and enforced filters.

168
00:06:16,560 --> 00:06:18,720
Then if you need a single entry point orchestrate

169
00:06:18,720 --> 00:06:20,320
at the front door with a router agent

170
00:06:20,320 --> 00:06:22,560
that hands queries to the right specialist,

171
00:06:22,560 --> 00:06:24,400
pros do this because it scales governance.

172
00:06:24,400 --> 00:06:27,520
Beginners cram 200 mixed domain files into one agent

173
00:06:27,520 --> 00:06:29,880
and wonder why answers sound like a committee meeting.

174
00:06:29,880 --> 00:06:32,800
Disable general AI knowledge for regulated agents.

175
00:06:32,800 --> 00:06:35,280
If the agent is authoritative for a domain,

176
00:06:35,280 --> 00:06:37,200
it should be silent outside that domain.

177
00:06:37,200 --> 00:06:39,120
That's where fallback answers matter.

178
00:06:39,120 --> 00:06:41,640
Configure a clear humble response.

179
00:06:41,640 --> 00:06:43,280
I'm not authoritative for that.

180
00:06:43,280 --> 00:06:45,480
Here are the approved sources I cover.

181
00:06:45,480 --> 00:06:47,720
The second you let general knowledge fill gaps,

182
00:06:47,720 --> 00:06:49,680
you're back to unverifiable trivia

183
00:06:49,680 --> 00:06:52,280
that ignores your labels and DLP intent.

184
00:06:52,280 --> 00:06:53,640
Curation matters.

185
00:06:53,640 --> 00:06:55,440
Designate official sources.

186
00:06:55,440 --> 00:06:58,400
That means an approval workflow upstream of ingestion,

187
00:06:58,400 --> 00:07:00,880
only add content that's past review, accuracy,

188
00:07:00,880 --> 00:07:03,440
freshness and sensitivity labeling confirmed.

189
00:07:03,440 --> 00:07:05,120
If you can't prove a document's lineage,

190
00:07:05,120 --> 00:07:06,720
it doesn't belong in an agent's mouth.

191
00:07:06,720 --> 00:07:08,440
The model is confident, not correct.

192
00:07:08,440 --> 00:07:09,920
Your curation is the brake.

193
00:07:09,920 --> 00:07:12,960
Common mistakes you will stop making today.

194
00:07:12,960 --> 00:07:15,520
Dumping mixed domains into a single source.

195
00:07:15,520 --> 00:07:18,960
Policies, tech docs, vendor contracts in one heap.

196
00:07:18,960 --> 00:07:20,040
Split them by purpose.

197
00:07:20,040 --> 00:07:22,320
Letting agents crawl arbitrary web URLs?

198
00:07:22,320 --> 00:07:24,680
No, external URLs expand the blast radius

199
00:07:24,680 --> 00:07:26,240
and knee-cap auditability.

200
00:07:26,240 --> 00:07:27,880
Ingesting drafts and chatter files:

201
00:07:27,880 --> 00:07:30,120
the model can't tell half-baked from published

202
00:07:30,120 --> 00:07:33,400
unless you enforce metadata and locations that separate them.

203
00:07:33,400 --> 00:07:35,360
Assuming hidden means protected.

204
00:07:35,360 --> 00:07:36,840
Hidden is a UI choice.

205
00:07:36,840 --> 00:07:38,040
Permissions are the law.

206
00:07:38,040 --> 00:07:40,440
Testing discipline because yes, you actually test scope.

207
00:07:40,440 --> 00:07:43,360
Query the edge cases, ask the agent authoritative questions.

208
00:07:43,360 --> 00:07:45,760
It should answer cold, then bait it with adjacent topics.

209
00:07:45,760 --> 00:07:46,640
It must decline.

210
00:07:46,640 --> 00:07:49,560
If it answers out of domain, your scope or fallback is wrong.

211
00:07:49,560 --> 00:07:52,040
If it refuses in domain, your filters or approvals

212
00:07:52,040 --> 00:07:54,440
are too tight. Tuning is subtraction, not addition.

213
00:07:54,440 --> 00:07:57,640
Remove irrelevant paths, reduce metadata ambiguity,

214
00:07:57,640 --> 00:08:00,440
and keep slicing until the answers are boringly predictable.

215
00:08:00,440 --> 00:08:02,280
And metrics you'll track.

216
00:08:02,280 --> 00:08:04,520
Answerability, percentage of in-domain queries

217
00:08:04,520 --> 00:08:07,000
resolved with citations to the intended library.

218
00:08:07,000 --> 00:08:10,120
Containment, percentage of answers citing only approved sources.

219
00:08:10,120 --> 00:08:13,440
Silence quality, clarity and frequency of the fallback

220
00:08:13,440 --> 00:08:15,120
when asked out of domain.

221
00:08:15,120 --> 00:08:17,400
If you want a mental checkbox before we move on,

222
00:08:17,400 --> 00:08:21,000
library only, shallow folders, strict metadata,

223
00:08:21,000 --> 00:08:24,360
approved only, no general knowledge, multiple narrow agents,

224
00:08:24,360 --> 00:08:26,400
tested limits, measured outcomes.

225
00:08:26,400 --> 00:08:30,120
Once you lock this, everything downstream, permissions, labels,

226
00:08:30,120 --> 00:08:33,600
DLP works with you instead of fighting your overscoped mess.

227
00:08:33,600 --> 00:08:36,360
Now we harden inheritance, so the room itself is locked,

228
00:08:36,360 --> 00:08:38,120
not just the filing cabinet.

229
00:08:38,120 --> 00:08:41,360
Control plane two, break inheritance and label like you mean it.

230
00:08:41,360 --> 00:08:44,000
Scoped knowledge is useless if the doors are wide open.

231
00:08:44,000 --> 00:08:45,800
In SharePoint, inherited permissions

232
00:08:45,800 --> 00:08:48,240
are the hand-me-down sweaters of security.

233
00:08:48,240 --> 00:08:50,640
Ill-fitting, full of holes, and mysteriously good enough

234
00:08:50,640 --> 00:08:52,280
until the cold wind hits.

235
00:08:52,280 --> 00:08:54,560
Agents respect ACLs, not optimism.

236
00:08:54,560 --> 00:08:56,160
So we stop inheritance where it matters.

237
00:08:56,160 --> 00:08:59,080
We assign unique permissions, and we excise the broad groups

238
00:08:59,080 --> 00:09:02,320
that quietly turn internal into internet-adjacent.

239
00:09:02,320 --> 00:09:04,320
Start with the uncomfortable audit.

240
00:09:04,320 --> 00:09:06,480
Pull your sensitive libraries into three buckets.

241
00:09:06,480 --> 00:09:09,120
Must isolate, can share, and unknown.

242
00:09:09,120 --> 00:09:10,280
Unknown is a red flag.

243
00:09:10,280 --> 00:09:12,440
If you can't explain who has access in one sentence,

244
00:09:12,440 --> 00:09:15,160
it belongs in must isolate until proven otherwise.

245
00:09:15,160 --> 00:09:17,680
Then for each must isolate library, break permission

246
00:09:17,680 --> 00:09:18,640
inheritance.

247
00:09:18,640 --> 00:09:21,640
Not at the site, at the library holding the crown jewels.

248
00:09:21,640 --> 00:09:25,040
Breaking inheritance is not a drama, it's adulthood.

249
00:09:25,040 --> 00:09:27,000
You aim for explicit minimum membership,

250
00:09:27,000 --> 00:09:29,480
a small owner's group, a defined members group,

251
00:09:29,480 --> 00:09:31,400
and readers only where business requires.

252
00:09:31,400 --> 00:09:34,200
Now purge the lazy mechanics. Broad groups like Everyone,

253
00:09:34,200 --> 00:09:37,000
Everyone except external users, and Authenticated Users hide inside

254
00:09:37,000 --> 00:09:39,000
SharePoint groups like Matryoshka dolls.

255
00:09:39,000 --> 00:09:42,120
Pull them out, replace them with Azure AD security groups,

256
00:09:42,120 --> 00:09:44,440
mapped to roles you actually manage.

257
00:09:44,440 --> 00:09:46,920
Guests should be exceptional, temporary, and discoverable,

258
00:09:46,920 --> 00:09:49,120
never nested in a SharePoint group that was created

259
00:09:49,120 --> 00:09:51,520
during a project kickoff three years ago.

260
00:09:51,520 --> 00:09:53,920
If the word "all" appears in the group name,

261
00:09:53,920 --> 00:09:56,040
your agent will treat it like a buffet.

262
00:09:56,040 --> 00:09:58,960
Standardize permission tiers so you can reason about them.

263
00:09:58,960 --> 00:10:01,240
Tier A, confidential libraries:

264
00:10:01,240 --> 00:10:04,600
owners and members small, readers

265
00:10:04,600 --> 00:10:07,280
none or narrow, no guests.

266
00:10:07,280 --> 00:10:10,040
Tier B, internal-only libraries:

267
00:10:10,040 --> 00:10:13,080
owners and members managed, readers

268
00:10:13,080 --> 00:10:15,720
department group, no external.

269
00:10:15,720 --> 00:10:18,360
Tier C, public-internal libraries: owners, members,

270
00:10:18,360 --> 00:10:20,760
readers all employees, still no guests.

271
00:10:20,760 --> 00:10:22,840
The model is simple because it needs to be enforced

272
00:10:22,840 --> 00:10:24,680
by humans who get distracted.

273
00:10:24,680 --> 00:10:26,840
Agents will execute whatever you encode,

274
00:10:26,840 --> 00:10:29,480
encode sanity. Enter sensitivity labels.

275
00:10:29,480 --> 00:10:32,040
Labels are not stickers, they are policy keys.

276
00:10:32,040 --> 00:10:35,240
You map confidential, restricted, public, and so on to behaviors.

277
00:10:35,240 --> 00:10:38,520
The trap most admins fall into is letting labels be decorative.

278
00:10:38,520 --> 00:10:39,240
We're done with that.

279
00:10:39,240 --> 00:10:41,000
You align labels with Purview DLP,

280
00:10:41,000 --> 00:10:43,560
so the label means something machines can enforce.

281
00:10:43,560 --> 00:10:47,000
For example, Confidential – HR triggers a DLP policy

282
00:10:47,000 --> 00:10:48,920
that blocks agent processing actions

283
00:10:48,920 --> 00:10:50,680
even when a user can view the file.

284
00:10:50,680 --> 00:10:51,960
Yes, you heard that correctly,

285
00:10:51,960 --> 00:10:53,560
the user can read it in SharePoint,

286
00:10:53,560 --> 00:10:56,120
but the agent gets a no at the processing layer.

287
00:10:56,120 --> 00:10:57,320
That's the game changer.

288
00:10:57,320 --> 00:10:59,960
Labels plus DLP decouple human visibility

289
00:10:59,960 --> 00:11:01,400
from machine automation.

290
00:11:01,400 --> 00:11:02,680
Let's make that concrete.

291
00:11:02,680 --> 00:11:05,880
You've got an HR Policies library labeled Confidential – HR.

292
00:11:05,880 --> 00:11:09,240
An HR agent needs to answer questions from that library.

293
00:11:09,240 --> 00:11:11,880
Good, that agent's identity is granted read access

294
00:11:11,880 --> 00:11:13,640
to that specific library.

295
00:11:13,640 --> 00:11:15,960
Adjacent libraries like HR working drafts

296
00:11:15,960 --> 00:11:17,640
are isolated with unique permissions

297
00:11:17,640 --> 00:11:19,640
the agent identity doesn't have.

298
00:11:19,640 --> 00:11:21,480
Meanwhile, your DLP policy says

299
00:11:21,480 --> 00:11:25,080
if label is Confidential – HR and access attempt

300
00:11:25,080 --> 00:11:29,480
equals agent processing, only allow if agent is in Approved Agents – HR.

301
00:11:29,480 --> 00:11:32,600
Every other agent, including your enthusiastic company knowledge

302
00:11:32,600 --> 00:11:34,360
generalist gets blocked.

303
00:11:34,360 --> 00:11:37,320
This is how you stop crosstalk, even when someone forgets

304
00:11:37,320 --> 00:11:38,920
and gives the wrong agent a look.

305
00:11:38,920 --> 00:11:40,680
What about users who can see too much?

306
00:11:40,680 --> 00:11:42,120
That's the silent escalation.

307
00:11:42,120 --> 00:11:44,280
If you rely only on user visibility,

308
00:11:44,280 --> 00:11:47,960
then any agent acting on behalf of the user inherits the sprawl.

309
00:11:47,960 --> 00:11:49,720
So keep the agent identity narrow.

310
00:11:49,720 --> 00:11:52,280
Don't build agents that run as "whoever invokes me."

311
00:11:52,280 --> 00:11:54,200
Build them to run as a service identity

312
00:11:54,200 --> 00:11:55,560
with least privilege.

313
00:11:55,560 --> 00:11:57,080
Pair that with labels and DLP

314
00:11:57,080 --> 00:11:59,320
so even privileged users can't trick an agent

315
00:11:59,320 --> 00:12:01,240
into processing out of bounds data.

316
00:12:01,240 --> 00:12:03,400
Your layered defense is like a sane adult,

317
00:12:03,400 --> 00:12:05,160
not praying to the settings page.

318
00:12:05,160 --> 00:12:07,160
Common mistakes that ruin this layer.

319
00:12:07,160 --> 00:12:09,880
Assuming hidden equals secure.

320
00:12:09,880 --> 00:12:12,600
Leaving project sites with default inheritance?

321
00:12:12,600 --> 00:12:15,640
Letting guest access persist after the vendor is gone?

322
00:12:15,640 --> 00:12:19,320
And worst, stuffing broad M365 groups into reader

323
00:12:19,320 --> 00:12:20,600
because it was easier.

324
00:12:20,600 --> 00:12:22,840
It's easier right up until your agent stitches a quote

325
00:12:22,840 --> 00:12:24,440
from legal into a sales answer.

326
00:12:24,440 --> 00:12:26,200
Then it's incident response theater.

327
00:12:26,200 --> 00:12:28,360
Implementation rhythm you can repeat:

328
00:12:28,360 --> 00:12:31,320
Isolate the library, replace broad groups with role groups,

329
00:12:31,320 --> 00:12:33,560
assign a service identity to the agent,

330
00:12:33,560 --> 00:12:36,600
apply sensitivity labels at the file and library level,

331
00:12:36,600 --> 00:12:38,520
and bind DLP policies to labels

332
00:12:38,520 --> 00:12:41,480
with explicit agent allow conditions.

333
00:12:41,480 --> 00:12:43,000
Test with a controlled query set,

334
00:12:43,000 --> 00:12:44,920
in-domain allowed, adjacent denied,

335
00:12:44,920 --> 00:12:47,720
labeled but unapproved agent blocked with a clear message.

336
00:12:47,720 --> 00:12:50,360
If any answer escapes, permissions are wrong;

337
00:12:50,360 --> 00:12:53,560
if the agent processes labeled content without being approved,

338
00:12:53,560 --> 00:12:55,240
your DLP mapping is wrong.

339
00:12:55,240 --> 00:12:57,480
Fix the mapping, not the story you tell yourself.

340
00:12:57,480 --> 00:12:59,880
One more nuance, inheritance at the site can remain

341
00:12:59,880 --> 00:13:01,160
for the mundane stuff.

342
00:13:01,160 --> 00:13:02,760
We're not performing open heart surgery

343
00:13:02,760 --> 00:13:04,520
on the cafeteria menu.

344
00:13:04,520 --> 00:13:07,320
Reserve unique permissions for the libraries that feed agents;

345
00:13:07,320 --> 00:13:09,560
that keeps your admin workload sane

346
00:13:09,560 --> 00:13:12,760
while hardening the exact surfaces automation will hit.

347
00:13:12,760 --> 00:13:15,000
Break inheritance, use unique minimal groups,

348
00:13:15,000 --> 00:13:16,760
label like the label controls money

349
00:13:16,760 --> 00:13:18,280
because leaks cost money.

350
00:13:18,280 --> 00:13:21,400
Then, wire labels to DLP so agents follow rules

351
00:13:21,400 --> 00:13:22,600
even when humans forget.

352
00:13:22,600 --> 00:13:24,920
Now the room is locked, not just the filing cabinet.

353
00:13:24,920 --> 00:13:27,640
Control plane three, approval gates,

354
00:13:27,640 --> 00:13:29,960
PAYG licensing boundaries, and data policies.

355
00:13:29,960 --> 00:13:32,280
You've scoped sources and killed lazy inheritance.

356
00:13:32,280 --> 00:13:33,480
Good.

357
00:13:33,480 --> 00:13:34,600
Now gate the front door,

358
00:13:34,600 --> 00:13:37,000
so random enthusiasts don't spin up shadow agents

359
00:13:37,000 --> 00:13:38,600
with helpful access.

360
00:13:38,600 --> 00:13:40,200
If anyone can create an agent,

361
00:13:40,200 --> 00:13:42,440
governance becomes crowdsourced chaos.

362
00:13:42,440 --> 00:13:44,360
The fix is boring and effective.

363
00:13:44,360 --> 00:13:46,680
Approvals, licensing boundaries,

364
00:13:46,680 --> 00:13:48,760
and data policies that act like seatbelts

365
00:13:48,760 --> 00:13:50,360
you can't unbuckle mid-drive.

366
00:13:50,360 --> 00:13:52,760
Start with an approval workflow for agent creation.

367
00:13:52,760 --> 00:13:53,800
No free for all.

368
00:13:53,800 --> 00:13:56,600
New agent requests go to designated approvers.

369
00:13:56,600 --> 00:13:58,760
Think security, compliance, and a business owner

370
00:13:58,760 --> 00:14:00,760
who actually understands the domain.

371
00:14:00,760 --> 00:14:02,520
You enforce naming conventions,

372
00:14:02,520 --> 00:14:03,960
a declared purpose statement,

373
00:14:03,960 --> 00:14:05,080
a documented owner,

374
00:14:05,080 --> 00:14:07,000
a support contact and an expiration date.

375
00:14:07,000 --> 00:14:08,120
No owner, no approval.

376
00:14:08,120 --> 00:14:09,400
No purpose, no approval.

377
00:14:09,400 --> 00:14:11,400
If this sounds pedantic, congratulations,

378
00:14:11,400 --> 00:14:13,400
you're finally doing governance.

379
00:14:13,400 --> 00:14:15,160
Standardize the application form.

380
00:14:15,160 --> 00:14:17,000
Require target audience,

381
00:14:17,000 --> 00:14:18,600
business capability served,

382
00:14:18,600 --> 00:14:21,640
exact knowledge sources with URLs down to library level,

383
00:14:21,640 --> 00:14:22,920
label expectations,

384
00:14:22,920 --> 00:14:24,120
fallback behavior,

385
00:14:24,120 --> 00:14:26,120
not authoritative outside scope,

386
00:14:26,120 --> 00:14:27,880
and the service identity to be used.

387
00:14:27,880 --> 00:14:30,840
Force them to pick from pre-approved templates,

388
00:14:30,840 --> 00:14:34,200
HR Q&A, policy browser, IT KB, and so on,

389
00:14:34,200 --> 00:14:37,080
so you inherit constrained defaults instead of improvisation.

390
00:14:37,080 --> 00:14:38,280
Now licensing boundaries,

391
00:14:38,280 --> 00:14:39,960
you will choose one of two paths:

392
00:14:39,960 --> 00:14:42,360
user-based Microsoft 365 Copilot

393
00:14:42,360 --> 00:14:43,960
or SharePoint pay as you go.

394
00:14:43,960 --> 00:14:44,840
The truth?

395
00:14:44,840 --> 00:14:46,360
Licensing is not a budget line,

396
00:14:46,360 --> 00:14:47,800
it's a control surface.

397
00:14:47,800 --> 00:14:50,200
With user-based Copilot, only licensed users

398
00:14:50,200 --> 00:14:51,640
can use agent features,

399
00:14:51,640 --> 00:14:53,160
which naturally limits sprawl.

400
00:14:53,160 --> 00:14:54,760
With PAYG, you enable consumption

401
00:14:54,760 --> 00:14:56,680
at the tenant or environment level

402
00:14:56,680 --> 00:14:57,640
and centralize billing,

403
00:14:57,640 --> 00:14:58,600
which is flexible,

404
00:14:58,600 --> 00:15:00,600
and if you're careless, an open bar.

405
00:15:00,600 --> 00:15:02,200
So you put fences around it,

406
00:15:02,200 --> 00:15:04,440
separate environments for pilot and production,

407
00:15:04,440 --> 00:15:06,840
PAYG enabled only where finance can see the meter.

408
00:15:06,840 --> 00:15:07,800
Cost alerts tuned,

409
00:15:07,800 --> 00:15:10,360
so a runaway pilot doesn't turn into a poetry slam

410
00:15:10,360 --> 00:15:11,480
for your cloud bill.

411
00:15:11,480 --> 00:15:14,120
Approval policy must capture licensing choice.

412
00:15:14,120 --> 00:15:16,840
If it's PAYG, require a cost center,

413
00:15:16,840 --> 00:15:18,600
an owner who signs for charges,

414
00:15:18,600 --> 00:15:20,200
and an estimated usage profile.

415
00:15:20,200 --> 00:15:21,240
If it's user-based,

416
00:15:21,240 --> 00:15:23,240
require a roster of licensed users

417
00:15:23,240 --> 00:15:24,920
and a plan for off-boarding.

418
00:15:24,920 --> 00:15:25,960
You're not being difficult,

419
00:15:25,960 --> 00:15:28,840
you're preventing the "we didn't know it was on" incident.

420
00:15:28,840 --> 00:15:30,120
Data policies come next,

421
00:15:30,120 --> 00:15:31,720
the rules that keep agents from slurping

422
00:15:31,720 --> 00:15:32,920
from prohibited connectors,

423
00:15:32,920 --> 00:15:34,360
like they're at a smoothie bar.

424
00:15:34,360 --> 00:15:36,680
Use Power Platform tenant-level data policies

425
00:15:36,680 --> 00:15:38,200
to restrict which connectors are allowed

426
00:15:38,200 --> 00:15:40,200
in the same data group as SharePoint.

427
00:15:40,200 --> 00:15:42,280
Regulated agents live in a restricted group

428
00:15:42,280 --> 00:15:44,040
with only Microsoft 365

429
00:15:44,040 --> 00:15:45,960
and approved internal APIs.

430
00:15:45,960 --> 00:15:48,520
No random web, no consumer services, no shadow cells.

431
00:15:48,520 --> 00:15:49,880
If an integration is required,

432
00:15:49,880 --> 00:15:51,160
it goes through review,

433
00:15:51,160 --> 00:15:52,520
gets an enterprise connector,

434
00:15:52,520 --> 00:15:53,960
and lands in the allowed list.

435
00:15:53,960 --> 00:15:55,320
Yes, that takes time.

436
00:15:55,320 --> 00:15:57,240
That's called not violating policy.

437
00:15:57,240 --> 00:15:59,320
Pair those data policies with Purview.

438
00:15:59,320 --> 00:16:01,480
Use Purview to define data boundaries:

439
00:16:01,480 --> 00:16:04,120
locations where sensitive labeled content lives,

440
00:16:04,120 --> 00:16:06,520
exfil paths that are simply not allowed,

441
00:16:06,520 --> 00:16:08,760
and monitoring that flags attempts to bridge groups.

442
00:16:08,760 --> 00:16:10,840
You are building lanes and rumble strips;

443
00:16:10,840 --> 00:16:13,240
the agent can drive quickly inside the lane.

444
00:16:13,240 --> 00:16:15,560
It cannot hop medians into the oncoming traffic

445
00:16:15,560 --> 00:16:16,920
of public endpoints.

446
00:16:16,920 --> 00:16:19,240
Implement agent templates with pre-approved sources.

447
00:16:19,240 --> 00:16:21,400
This is the part everyone skips and then regrets.

448
00:16:21,400 --> 00:16:24,440
Templates bake in disabled general knowledge,

449
00:16:24,440 --> 00:16:26,120
the not authoritative fallback,

450
00:16:26,120 --> 00:16:27,400
library-level sources,

451
00:16:27,400 --> 00:16:28,920
required metadata filters,

452
00:16:28,920 --> 00:16:30,840
and the correct service identity.

453
00:16:30,840 --> 00:16:32,920
Approvers see HR policy template

454
00:16:32,920 --> 00:16:34,680
and know it ships with the right defaults.

455
00:16:34,680 --> 00:16:35,800
Makers fill in the blanks;

456
00:16:35,800 --> 00:16:38,280
they don't reinvent the wheel with square edges.

457
00:16:38,280 --> 00:16:39,720
Common mistakes to stop:

458
00:16:39,720 --> 00:16:42,840
letting pilots spawn in unmanaged sites just for testing,

459
00:16:42,840 --> 00:16:45,320
enabling PG without tagging costs or alerts,

460
00:16:45,320 --> 00:16:47,800
and granting maker roles to anyone with a pulse.

461
00:16:47,800 --> 00:16:49,640
Also, never allow agents to default

462
00:16:49,640 --> 00:16:51,240
to use general knowledge if not found.

463
00:16:51,240 --> 00:16:53,560
That's how you get confident nonsense

464
00:16:53,560 --> 00:16:55,400
wrapped in plausible citations.

465
00:16:55,400 --> 00:16:57,800
Final rhythm: request via template,

466
00:16:57,800 --> 00:17:01,160
review by security/compliance/owner trio,

467
00:17:01,160 --> 00:17:02,920
choose licensing with cost controls,

468
00:17:02,920 --> 00:17:04,760
bind to the restricted data group,

469
00:17:04,760 --> 00:17:06,280
confirm Purview boundaries,

470
00:17:06,280 --> 00:17:07,640
approve with expiration,

471
00:17:07,640 --> 00:17:09,480
and schedule a 90-day renewal.

472
00:17:09,480 --> 00:17:11,400
No renewal, auto disable.

473
00:17:11,400 --> 00:17:14,520
Agents are not immortal, neither are their use cases.

474
00:17:14,520 --> 00:17:16,760
Control plane four,

475
00:17:16,760 --> 00:17:19,000
DLP that actually stops agents.

476
00:17:19,000 --> 00:17:20,600
Purview patterns that bite.

477
00:17:20,600 --> 00:17:22,360
Without real-time enforcement, agents

478
00:17:22,360 --> 00:17:23,880
are just high-speed data couriers.

479
00:17:23,880 --> 00:17:24,920
You need brakes;

480
00:17:24,920 --> 00:17:26,440
enter Purview DLP patterns

481
00:17:26,440 --> 00:17:27,640
that don't just wag a finger,

482
00:17:27,640 --> 00:17:28,520
they block, alert,

483
00:17:28,520 --> 00:17:30,360
and leave a paper trail your auditor can love.

484
00:17:30,360 --> 00:17:31,800
Why this matters.

485
00:17:31,800 --> 00:17:32,920
Agents process content,

486
00:17:32,920 --> 00:17:34,120
not just view it.

487
00:17:34,120 --> 00:17:36,040
Viewing can be permissible for a human.

488
00:17:36,040 --> 00:17:38,600
Automated processing is a different risk class.

489
00:17:38,600 --> 00:17:41,320
The fix is to bind sensitivity and pattern detection

490
00:17:41,320 --> 00:17:44,440
to explicit action blocks for agent contexts.

491
00:17:44,440 --> 00:17:45,560
Here's the spine.

492
00:17:45,560 --> 00:17:49,160
Build policies that target SharePoint locations feeding agents,

493
00:17:49,160 --> 00:17:51,640
match on sensitivity labels and sensitive info types

494
00:17:51,640 --> 00:17:53,800
and set actions to block agent processing,

495
00:17:53,800 --> 00:17:56,760
sharing, or downloading when confidence hits your threshold.

496
00:17:56,760 --> 00:17:58,200
Yes, confidence thresholds,

497
00:17:58,200 --> 00:17:59,960
stop treating them like decor.

498
00:17:59,960 --> 00:18:01,080
For noisy patterns,

499
00:18:01,080 --> 00:18:02,360
like generic PII,

500
00:18:02,360 --> 00:18:05,560
raise confidence and require multiple evidence hits.

501
00:18:05,560 --> 00:18:06,360
For crown jewels,

502
00:18:06,360 --> 00:18:09,560
trade secrets, exact data match of employee IDs,

503
00:18:09,560 --> 00:18:12,520
use high severity with immediate block. Patterns that bite:

504
00:18:12,520 --> 00:18:17,000
Sensitivity labels mapped to agent block unless allow-listed.

505
00:18:17,000 --> 00:18:19,720
Sensitive info types,

506
00:18:19,720 --> 00:18:20,840
financial IDs,

507
00:18:20,840 --> 00:18:22,200
government identifiers,

508
00:18:22,200 --> 00:18:23,240
health terms,

509
00:18:23,240 --> 00:18:24,760
tuned with higher confidence.

510
00:18:24,760 --> 00:18:25,960
Exact data match,

511
00:18:25,960 --> 00:18:27,880
EDM for your real identifiers,

512
00:18:27,880 --> 00:18:29,080
employee numbers,

513
00:18:29,080 --> 00:18:30,360
customer IDs,

514
00:18:30,360 --> 00:18:32,680
so false positives don't drown you.

515
00:18:32,680 --> 00:18:35,240
Keyword dictionaries for proprietary project code names,

516
00:18:35,240 --> 00:18:36,520
low volume, high signal.

517
00:18:36,520 --> 00:18:37,400
Actions that matter:

518
00:18:37,400 --> 00:18:40,120
Block with override disabled for agents.

519
00:18:40,120 --> 00:18:42,200
Humans may justify; agents do not.

520
00:18:42,200 --> 00:18:44,760
Machines don't have business context, they have triggers.

521
00:18:44,760 --> 00:18:47,880
Quarantine or restrict download when triggered by agent workflows.

522
00:18:47,880 --> 00:18:49,320
If the agent can't fetch the file,

523
00:18:49,320 --> 00:18:51,000
it can't hallucinate from it.

524
00:18:51,000 --> 00:18:53,160
Alert to "SecOps" with rich context,

525
00:18:53,160 --> 00:18:56,600
site, library, label, triggering pattern, calling agent identity,

526
00:18:56,600 --> 00:18:59,400
noise reduction so people don't route around controls.

527
00:18:59,400 --> 00:19:01,720
Start in simulation mode in non-production sites.

528
00:19:01,720 --> 00:19:03,880
Tune thresholds until alerts reflect reality,

529
00:19:03,880 --> 00:19:04,840
not fantasy.

530
00:19:04,840 --> 00:19:06,680
Scope tightly to agent libraries first,

531
00:19:06,680 --> 00:19:08,680
expand only after signal is clean,

532
00:19:08,680 --> 00:19:11,160
use combined conditions, label plus sensitive info type,

533
00:19:11,160 --> 00:19:12,760
two locks, one door.

534
00:19:12,760 --> 00:19:14,840
User messaging is not a nicety,

535
00:19:14,840 --> 00:19:17,640
it's the difference between compliance and side channels.

536
00:19:17,640 --> 00:19:19,400
Write clear error text.

537
00:19:19,400 --> 00:19:23,000
This agent is not authorized to process confidential HR content.

538
00:19:23,000 --> 00:19:25,640
Ask the HR agent or request access via process.

539
00:19:25,640 --> 00:19:27,960
You're giving them the right door, not a brick wall.

540
00:19:27,960 --> 00:19:29,160
If you just say blocked,

541
00:19:29,160 --> 00:19:31,080
they'll paste data into Teams.

542
00:19:31,080 --> 00:19:32,360
That's your fault.

543
00:19:32,360 --> 00:19:33,320
Common mistakes:

544
00:19:33,320 --> 00:19:35,240
scoping DLP to Exchange and Teams

545
00:19:35,240 --> 00:19:37,080
because SharePoint policies were noisy.

546
00:19:37,080 --> 00:19:38,840
They were noisy because you didn't tune them.

547
00:19:38,840 --> 00:19:41,000
Also, excluding SharePoint for performance.

548
00:19:41,000 --> 00:19:41,880
Performance of what?

549
00:19:41,880 --> 00:19:43,720
Your next incident response?

550
00:19:43,720 --> 00:19:45,640
Finally, relying only on generic PII types

551
00:19:45,640 --> 00:19:46,760
while ignoring EDM.

552
00:19:46,760 --> 00:19:48,440
You own the exact identifiers.

553
00:19:48,440 --> 00:19:49,480
Use them.

554
00:19:49,480 --> 00:19:50,520
The litmus test.

555
00:19:50,520 --> 00:19:52,840
An out-of-scope agent attempts to answer a question

556
00:19:52,840 --> 00:19:55,080
that requires a confidential labeled file.

557
00:19:55,080 --> 00:19:56,520
Result should be an immediate block,

558
00:19:56,520 --> 00:19:57,720
an instructive message,

559
00:19:57,720 --> 00:20:00,280
and a high severity alert in your pipeline.

560
00:20:00,280 --> 00:20:02,200
If instead you get a confident answer,

561
00:20:02,200 --> 00:20:05,240
your DLP is decorative. Make it teeth, not signage.