MSP AI Resource Hub GOVERNANCE SERIES
DATA MAP Vol. 7 · v1.0 · 2026

AI Data Map & Permissions Review

Living inventory of SharePoint sites, Teams, OneDrive patterns, and shared mailboxes that Copilot and AI tools will search and summarize. Records access levels, sharing settings, remediation status, and review sign-off dates.

SOC 2 CC6.1 · SOC 2 CC6.6 · SOC 2 CC6.7 · COPILOT READINESS · QUARTERLY REVIEW · SIGN-OFF REQUIRED

DOCUMENT OWNER: IT / Security + Risk Owner
FIRST REVIEW DATE:
NEXT REVIEW DUE:
VERSION: 1.0
REVIEW CYCLE: Quarterly

01 Purpose

Copilot and AI tools respect permissions — but only if permissions are correct. This document is the answer to the question every auditor asks before a Copilot deployment: do you know where your sensitive data lives and who can access it?

The goal is not a perfect inventory of every file. It is a documented, reviewed, and signed-off map of the highest-risk and highest-activity repositories that AI tools will search. A completed, dated, signed copy of this document is auditable evidence for SOC 2 CC6.1 and CC6.6, and directly supports Copilot readiness.

HOW TO USE THIS DOCUMENT: Work through each section and fill in what you find. You do not need to complete everything in one session. The sign-off in Section 08 is what converts this from a working draft into auditable evidence — do not sign off until the remediation items in Section 07 are either resolved or have an owner and due date assigned.

02 Inventory Summary

TOTAL REPOSITORIES: 0
NEED REMEDIATION: 0
UNDER REVIEW: 0
CLEAN / CONFIRMED: 0

PRIORITY ORDER FOR REVIEW: Start with HR, Finance, Legal, and Executive sites — these carry the highest risk if overshared. Then move to any site labeled "shared" or "general" with broad membership. OneDrive with high external share counts is the most common blind spot. Shared mailboxes with broad access are often forgotten entirely.

03 SharePoint Sites

Document your top SharePoint sites by activity and risk. Focus on the 20 highest-activity or highest-sensitivity sites first. Use the SharePoint Admin Center (Active Sites report) to identify sites by storage, page views, or sharing activity.

SITE NAME | URL / PATH | CONTENT TYPE | ACCESS LEVEL | EXTERNAL SHARING | SENSITIVITY LABEL | RISK | STATUS

04 Teams & Channels

Document Teams with broad membership, external guests, or sensitive channel content. Copilot summarizes Teams conversations — membership hygiene here directly affects what AI can surface to which users.

TEAM NAME | MEMBERSHIP COUNT | GUESTS PRESENT | CHANNEL CONTENT TYPE | SENSITIVITY LABEL | RISK | STATUS

05 OneDrive Sharing Patterns

Identify the users with the highest external share counts in OneDrive. Use the SharePoint Admin Center Reports section — OneDrive usage and sharing reports — to pull the top 20 sharers. Look specifically for "anyone with link" shares that have no expiration date.

COMMON BLIND SPOT: OneDrive is where most oversharing actually lives. A single "anyone with link" share that was created three years ago and never expired is exactly what Copilot will surface to any user with access to that file. Run the sharing report before declaring this section clean.

USER / ACCOUNT | ROLE / DEPT | EXTERNAL SHARES (COUNT) | ANYONE-WITH-LINK SHARES | OLDEST SHARE DATE | STATUS

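One way to turn an exported sharing report into the rows of the table above, flagging "anyone with link" shares that have no expiration date. This is an added example, not part of the original template: the CSV column names, the `link_scope` values, and the status rule are assumptions, and the sample data is constructed, so map them to whatever your actual export contains.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample of a sharing-report export. The column names and the
# link_scope values (anonymous = "anyone with link", external = named guest,
# organization = internal) are assumptions, not a real Microsoft 365 schema.
SAMPLE_REPORT = """owner,item_path,link_scope,created,expires
alice@example.com,/Budget/FY23.xlsx,anonymous,2022-03-14,
alice@example.com,/Budget/FY24.xlsx,anonymous,2025-11-02,2026-02-01
alice@example.com,/Vendors/quote.pdf,external,2024-06-30,
bob@example.com,/HR/offer-letter.docx,anonymous,2023-01-09,
bob@example.com,/Notes/standup.docx,organization,2025-09-01,
carol@example.com,/Legal/nda.pdf,external,2025-05-20,2025-12-31
"""

def summarize_shares(report_csv, top_n=20):
    """Return one row per user, shaped like the Section 05 table."""
    users = defaultdict(lambda: {"external": 0, "anyone": 0,
                                 "anyone_no_expiry": 0, "oldest": None})
    for row in csv.DictReader(io.StringIO(report_csv)):
        scope = row["link_scope"].strip().lower()
        if scope not in ("anonymous", "external"):
            continue  # internal-only links are outside this section
        entry = users[row["owner"].strip().lower()]
        entry["external"] += 1
        created = date.fromisoformat(row["created"].strip())
        if entry["oldest"] is None or created < entry["oldest"]:
            entry["oldest"] = created
        if scope == "anonymous":
            entry["anyone"] += 1
            if not (row["expires"] or "").strip():
                entry["anyone_no_expiry"] += 1  # open link that never expires
    rows = []
    for user, e in users.items():
        # Assumed rule: any non-expiring anonymous link needs remediation.
        status = "NEED REMEDIATION" if e["anyone_no_expiry"] else "UNDER REVIEW"
        rows.append({"user": user, "external_shares": e["external"],
                     "anyone_with_link": e["anyone"],
                     "anyone_no_expiry": e["anyone_no_expiry"],
                     "oldest_share": e["oldest"].isoformat(), "status": status})
    # Highest external share count first, oldest share as the tie-breaker.
    rows.sort(key=lambda r: (-r["external_shares"], r["oldest_share"]))
    return rows[:top_n]

if __name__ == "__main__":
    for r in summarize_shares(SAMPLE_REPORT):
        print(r)
```

Rows with a non-zero `anyone_no_expiry` count are the ones to carry into the Section 07 remediation log with an owner and due date.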
06 Shared Mailboxes & Distribution Groups

Shared mailboxes with broad access are frequently overlooked. Copilot can summarize shared mailbox content for anyone who has access — including anyone who was added years ago and never removed. Document and review all shared mailboxes with access broader than 5 members.

MAILBOX NAME | EMAIL ADDRESS | CONTENT TYPE | MEMBER COUNT | LAST ACCESS REVIEWED | STATUS

07 Remediation Log

Log every oversharing issue identified, who owns the remediation, and when it was resolved. This is the evidence that permissions cleanup actually happened — not just that problems were noted.

REPOSITORY / ITEM | ISSUE IDENTIFIED | OWNER | DUE DATE | RESOLVED DATE | STATUS

08 Review Sign-Off

Sign off on this review only when the inventory is complete, remediation items have owners and due dates, and the summary reflects the current state of the environment. A dated, signed sign-off converts this working document into auditable evidence.

QUARTERLY SIGN-OFF — REQUIRED
Data Map & Permissions Review — Completion Record
✓ SIGN-OFF RECORDED — This review is now auditable evidence for SOC 2 CC6.1 and CC6.6. Wire to SharePoint Data Map Reviews list in Phase 1 for persistent storage.