A worked example of the assessment output. It covers making SharePoint, OneDrive and the Microsoft 365 tenant safe before enabling any AI over corporate data: Microsoft 365 Copilot, ChatGPT Enterprise, Claude, Gemini and connected AI tools. Client and data removed.
The full deliverable runs to roughly 67 pages. This sample reproduces the executive and findings sections in full and abridges the design and build sections. Sections marked abridged are shortened or redacted here.
The organisation runs three Microsoft 365 tenants across its home region and two international regions. A data discovery exercise combining Microsoft administrative exports and data security posture management found that all three tenants carry material data governance risk, with several findings severe enough to block the planned rollout of AI over corporate data.
The risk is not any single AI product. It is enabling AI of any kind, Copilot, ChatGPT Enterprise, Claude or a connector that syncs SharePoint and OneDrive, over content never governed for AI-scale search. Copilot grounds on the tenant and inherits each user's permissions. Third-party AI reaches the same content through connectors. Both surface whatever a user can already reach. Across roughly 46,000 indexable locations, access has grown without governance, and one of seven gates is met.
Every finding is rated two ways. Risk level is the severity against the organisation's data and operational risk. Deployment impact is the effect on enabling AI. A finding can be high risk without blocking AI, and can block AI without being the highest severity. The two are reported independently so remediation and release decisions stay separate.
| Risk level | Meaning | AI impact | Meaning |
|---|---|---|---|
| Critical | Immediate exposure of sensitive data or privileged access. Fix inside 14 days. | Blocked | AI cannot be recommended until fixed. The gate cannot clear. |
| High | Material exposure of data or configuration. Fix inside 30 to 60 days. | Conditional | May proceed only with compensating controls and a fix commitment. |
| Moderate | Localised gap contained to a specific scope. Fix this quarter. | Watch | Monitor during rollout. Does not prevent it. |
| Low | Limited exposure. Handle in standard governance cycles. | No impact | Does not affect the AI decision. |
| Finding area | Current state | Risk | AI |
|---|---|---|---|
| Indexable content | ~18,500 SharePoint sites and ~27,500 OneDrive accounts. No ownership or classification model across either. | High | Conditional |
| Orphaned OneDrive | ~13,200 of ~24,000 drives in the largest tenant have no owner. Departed-staff content stays searchable. | Critical | Blocked |
| Unauthenticated links | ~16,800 Anyone links across ~290 sites. No sign-in required. | Critical | Blocked |
| Data residency | ~40 findings where home-region data is stored outside the region. | Critical | Blocked |
| Privileged app | A third-party management app holds tenant-wide full control across all tenants. | Critical | Conditional |
| Sensitivity labels | Around 3 percent site coverage. Purview cannot constrain what AI grounds on. | High | Conditional |
AI does not create new access. It makes existing exposure instant. Every finding above exists today through normal access. Point Copilot, ChatGPT Enterprise or Claude at this estate and any user reaches it in one question, at scale.
AI adoption moves through three stages. Each adds capability and risk, and each depends on the stage below it.
| Stage | What it is | New risk |
|---|---|---|
| 1 · Productivity AI (consume) | AI assistants over your own content: Microsoft 365 Copilot, and ChatGPT Enterprise or Claude connected to SharePoint and OneDrive. | Oversharing, unclassified sensitive data, ownerless content surfaced in AI answers. |
| 2 · Connected AI (integrate) | AI joined to external tools and connectors, where data moves outside the tenant. | Data egress to third-party AI, shadow AI, connectors with excessive scope, loss of residency control. |
| 3 · Agentic AI (build) | Custom agents and workflows that act on their own and call other systems. | Non-human identities with broad standing access, no MFA anchor, prompt injection, unmonitored activity. |
This assessment covers Stage 1 readiness: whether AI can be enabled safely over corporate data for productivity use across the estate. Stage 2 and Stage 3 controls depend on the specific AI tools and use cases the business intends to pursue and are scoped separately. The seven gates apply whether the AI is Microsoft 365 Copilot grounding on the tenant, or a third-party tool reaching the same content through a connector.
Findings are based on data exported from SharePoint Online and OneDrive together with data security posture management findings. Controls that depend on Entra ID or Conditional Access could not be independently verified and are recorded on the basis of information provided by the client. Microsoft reports give a point-in-time view. Posture management adds correlations a point-in-time export cannot. At the time of writing, a first pass had scanned a fraction of the estate.
This deliverable defines the target and the sequence. Execution and remediation stay with the client, or with Cornerstone under a separate build engagement. There is no obligation to Cornerstone to act on it.
Three discrete Microsoft 365 tenants with no cross-tenant federation. Combined AI indexing surface is roughly 46,000 locations.
| Tenant | SharePoint sites | OneDrive | Notes |
|---|---|---|---|
| Home region | ~1,600 | ~2,600 | Deepest-scanned. Highest record exposure by volume. |
| Region NA (largest) | ~16,300 | ~24,000 | ~13,200 orphaned OneDrive (~430 TB). Highest sharing risk. |
| Region EU (smallest) | ~30 | ~190 | Small footprint, same absence of governance controls. |
| Exposure | Volume | Audience | Priority |
|---|---|---|---|
| Anyone links (unauthenticated) | ~16,800 | Anyone with the URL. No sign-in. Includes anonymous internet users. | Critical |
| All-internal-users permission | ~1,800 sites | Every licensed internal user, without explicit assignment. | High |
| Orphaned OneDrive accounts | ~13,200 | Departed owners. Existing sharing links stay live. | High |
| Single high-risk collaboration site | ~410,000 | Guest permission rows on one site. Highest single concentration. | Critical |
| Third-party firm access | ~9,500 rows | External identities scoped to specific files. Requires review and scoping. | High |
A third-party SharePoint management application holds tenant-wide full control across all three tenants. A single compromise of that identity bypasses every site-level control in the design. The fix is not to remove the app but to harden the identity: workload Conditional Access, credential rotation on a set cadence, restricted network egress and quarterly attestation of continued need.
Findings from direct review of SharePoint admin centre configuration, independent of the data-level findings. Abridged here to the highest-severity items.
| Finding | Current state | AI impact | Risk |
|---|---|---|---|
| Default sharing link inherits Anyone | New sites create Anyone links by default. | Every new workspace inherits exposure at creation. AI surfaces it to anyone with the URL. | Critical |
| No sensitivity labels on groups or Teams | Container labelling absent across reviewed groups. | No container-level protection. AI cannot tell sensitive from public. | Critical |
| Site lifecycle management off | No inactive, ownership or attestation policies. | Departed projects and dissolved teams stay indexed indefinitely. | High |
| No domain allowlist for external sharing | Sharing permitted to any external domain. | Sensitive material can leave the tenant with no approval or detection. | High |
| Content discovery unrestricted on sensitive sites | Restrict content discovery off on reviewed sites. | Confidential sites surface in org-wide search and AI to users with no business need. | High |
Not everything is a gap. The following were confirmed correct at org level and require no immediate change, subject to a site-level check during remediation:
Org-level settings establish the ceiling, not the floor. Each is confirmed again at site level during the audit, because a site can override the tenant default.
Posture management scans data at rest across the estate and classifies it, finding correlations a configuration export cannot. Figures below are illustrative.
| Severity | Findings | Records at risk | Primary category |
|---|---|---|---|
| Critical | ~60 | ~5,900,000 | Missing labels, residency violations |
| High | ~300 | Not quantified | Oversharing, unclassified PII |
| Medium | ~90 | Not quantified | External access, stale permissions |
| Low | ~50 | — | Hygiene, minor drift |
| Category | What it is | Impact on AI |
|---|---|---|
| Missing sensitivity labels | Largest set. Spans PII, financial records, contracts. | Purview cannot enforce protection or constrain grounding. Sensitive content is indistinguishable from public in AI answers. |
| Home-region residency violations | ~40 findings. Home-region data held outside the region. | A potential regulatory matter requiring review before relocation. |
| Oversharing and access drift | Members and guests hold access beyond current role. | AI surfaces out-of-role content to those users at scale. |
| Stale and orphaned content | Inactive sites and departed-staff drives. | Content stays discoverable with no disposition workflow. |
| Insider risk indicators | Anomalous access and bulk-download signals. | Behavioural risk compounds once AI is live. |
The aggregate record count is the primary measure of exposure. Reduction is the explicit success metric for Phase 1 and Phase 2. Enabling AI amplifies the consequence of every record left exposed.
Seven foundational gates must be satisfied before AI can be recommended over corporate data. The gates hold whether the AI is Copilot, ChatGPT Enterprise, Claude or a connector. Each is scored on evidence. One gate is met. Six remain open, three of them critical.
Ratings are evidence-based. A gate cannot rate above not started without an artefact from the environment. The scale runs not started, foundational, operational, optimised. The model is re-applied on a defined cadence after rollout, quarterly for the first year, then six-monthly.
One gate is met and several controls were confirmed sound. The scorecard tells you where to spend effort and where you are already in good shape, not that everything is broken.
Seven principles govern every design decision in the full document. They are derived from Cornerstone data management practice and adapted to the client estate.
A findings list closes today's gaps. Principles stop them reopening. Every rule in the design traces back to one of these seven, so the estate stays safe for AI as it grows.
The full document turns these principles into a target architecture: SharePoint information architecture, folder taxonomy and metadata, the group model, the access and permission model, data ownership, external sharing, governance, and the Purview design. The next pages show the shape of that design. The controlled vocabularies, naming conventions and configuration values are provided in the engagement, against your own estate.
A hub-and-site model organised by business unit and region. Hubs provide navigation, aggregated news and search scope. Content lives in associated member sites. Every site is classified into one of three tiers at creation.
| Tier | Content | Sharing restriction | Review |
|---|---|---|---|
| Tier 1 · Governed | Permanent, sensitive or regulated content | No Anyone links. Authenticated users only. Guest access by approval. | Quarterly |
| Tier 2 · Project | Time-bound project sites, moderate sensitivity | Authenticated users. Controlled guest access by invitation. | Semi-annual |
| Tier 3 · Archive | Expired or read-only sites, retained for record | Read-only. No new sharing. Removed from hub navigation. | Annual |
A three-layer folder model (header, sub-function, working) applies to governed sites, with access assigned by group at each layer. Four group types carry access: site permission groups, role groups, team groups and data owner groups. Site and group names follow a fixed pattern by region, business unit and access level.
| Element | Pattern (shape only) |
|---|---|
| Site name | [Region]-[Business unit]-[Site] |
| Site permission group | [Prefix]-[Region]-[Business unit]-[Site]-[Access] |
| Data owner group | [Prefix]-[Region]-[Site] |
Three permission levels, granted only through groups. Groups nest so that access is managed in one place and follows the joiner, mover, leaver lifecycle.
| Level | Granted to | Basis |
|---|---|---|
| Read | Default for members via role or team group | Standing, reviewed on cadence |
| Contribute | Working members of a site | By data owner approval |
| Full control | Site owners only, by exception | Named, attested quarterly |
Every site has a named data owner, accountable for content, access decisions and quarterly review. Ownership is tracked centrally through a dedicated group, not held in a person's head. Access reviews run quarterly for Tier 1, semi-annually for Tier 2.
Anyone links are removed and replaced with specific-person links. A domain allowlist limits external sharing to approved partners. Guest accounts carry expiry and periodic re-attestation. External sharing capability is restricted to an approved security group.
A standing operating model keeps the estate safe after remediation: defined governance roles, a site lifecycle from request to archive, a disposition workflow for orphaned drives, and a governance calendar of recurring reviews. Policy is monitored continuously by posture management, with drift routed back to the owner.
Access control, ownership, sharing and governance are one system. Fix them together and AI inherits a clean estate. Fix them in isolation and exposure returns within a quarter.
Microsoft native tooling enforces. Posture management discovers and monitors at a breadth native tooling does not reach. The design uses both, each for what it does best.
| Outcome | Microsoft native | Posture management (DSPM) |
|---|---|---|
| Discovery across the estate | Within Microsoft 365 | Across clouds, databases and file shares too |
| Classification at scale | Label-driven, needs coverage | Automated classification of unlabelled data |
| Enforcement for AI | Labels, DLP, Copilot controls | Feeds classification into native enforcement |
| Drift monitoring | Point-in-time | Continuous, with alerting |
The full document specifies the label taxonomy, auto-labelling logic, retention and a data loss prevention design that covers AI locations, sequenced so labels reach coverage before enforcement is switched on. Labels are what let any AI honour the client's protection model, so this design is the hinge of the whole programme.
The gates clear in a set order. Identity and residency first, then oversharing and lifecycle, then classification and data loss prevention, then guardrails and operations. Enabling AI, of any kind, follows the clearance of the critical and high gates.
| Stage | Scenario | Prevented by |
|---|---|---|
| 1 · Productivity | A user asks an AI tool to summarise a topic. A broadly shared confidential document appears. The exposure existed already; AI made it instant. | Access control, labels, DLP (G3, G4) |
| 1 · Productivity | An AI answer surfaces personal or financial data from an ownerless site with no label. | Classification, DLP, ownership (G2, G4) |
| 2 · Connected | Staff paste client data into a public AI tool, or a connector syncs content to a third-party AI outside residency. | Shadow AI discovery, guardrails, DLP to AI (G5) |
| 3 · Agentic | An over-permissioned agent reaches and moves data at machine speed with no user to challenge it. | Non-human identity governance (forward scope) |
Where the business chooses to proceed ahead of a gate, the residual risk is named, owned and time-bound. The report does not hide a decision to accept risk. It documents it.
The full document carries the settings reference and the step-by-step remediation the client's administrators execute. Sections 19 and 20 are the runnable core and are the most heavily abridged in this sample.
A single illustrative line, to show the format:
| Setting | Target (Tier 1) | Where |
|---|---|---|
| Default sharing link type | Specific people | Site sharing settings |
The fix is sequenced into four phases across a year. Each phase maps to the gates it clears.
Revoke or convert unauthenticated links on the highest-risk sites. Lock down org-level sharing. Harden the privileged management identity. Begin residency remediation. Clears the path on G3 and G6.
Assign owners and the data-owner model. Deploy the label taxonomy and auto-labelling. Introduce guest expiry and site lifecycle policies. Builds G2 and G4.
Roll out the target SharePoint and access architecture. Activate data loss prevention once label coverage is sufficient. Stand up insider risk and posture management for AI. Builds G4 and G5.
Pilot AI with a defined cohort and scenario backlog. Establish measurement, an AI council and a reassessment cadence. Builds G7.
| Activity | Cornerstone | Client IT | Client business | Tooling |
|---|---|---|---|---|
| Assessment and design | R / A | C | I | C |
| Remediation execution | C | R / A | C | R |
| Data owner decisions | I | C | R / A | I |
| Ongoing monitoring | I | A | I | R |
| Item | Note | Likelihood |
|---|---|---|
| Link revocation at scale | Bulk revocation can disrupt business-critical sharing. Analyse and communicate first. | High |
| Residency remediation | May carry legal and contractual implications. Engage legal before moving data. | Medium |
| Privileged app dependency | Management app may run scheduled jobs. Confirm minimum permissions before change. | High |
| Attribute data quality | Inconsistent directory attributes reduce automated group accuracy. Audit before build. | Medium |
Adoption depends on people, not only controls. The full plan covers governance fundamentals for all staff, data owner responsibilities, administrator workshops, posture management operations, and safe AI use for the pilot cohort, each tied to the phase it supports.
A: regional data summary. B: AI readiness checklist. C and D: naming references. E: the seven-gate model. F: glossary. G: the stage model. The seven-gate model in Appendix E is the assessment method itself, reproduced below.
| Gate | Readiness domain | Purpose |
|---|---|---|
| G1 | Tenant and identity baseline | Licensing, identity and network conditions AI needs to operate in your risk appetite. |
| G2 | Content lifecycle and ownership | Current, owned and governed content before any AI indexes it. |
| G3 | Oversharing remediation | Reduce the surface area AI can ground on. |
| G4 | Data classification and protection | Labels, encryption and DLP so AI honours your protection model. |
| G5 | Interaction guardrails and insider risk | AI interactions inherit protection and are observed for risky use. |
| G6 | Regulatory, audit and residency | AI operates inside regulatory, evidentiary and residency commitments. |
| G7 | Adoption, measurement and operations | The operating model to turn a rollout into sustained value. |
This sample reproduces the findings and the shape of the design and roadmap. The detail that lets your team build is delivered in your own engagement, against your own data. Held back here:
A findings list tells you that you have a problem. A design tells you exactly how to fix it, in your environment, in the right order, with the controls named and the owners assigned. It applies whether the AI you enable is Microsoft 365 Copilot, ChatGPT Enterprise, Claude, Gemini or a connector that syncs your data. The sample proves the output is clear and actionable. The engagement gives you the build.
Book an AI readiness assessment and we will score your seven gates against your own tenant, then hand you a report like this one, unredacted, for your estate. Visit cornerstonecyber.com.au or contact the team.
This document is an anonymised, illustrative sample. It does not describe any identifiable organisation. Figures have been altered and are not real measurements. Prepared by Cornerstone Cyber.