The risky moment can look like a manager doing normal work.
She asks an AI assistant to help draft a performance review, summarize a client file, prepare a sales update, or find the latest policy language. The assistant is connected to Microsoft 365, the CRM, email, calendar, SharePoint, or another business system. It answers quickly because it can search the business systems the user can already access.
That access is the issue.
Connected AI assistants usually work through the user's existing permissions. They can see what the user can see: current files, old SharePoint sites, shared mailboxes, forgotten folders, broad group memberships, and documents someone was shared into years ago and can still read.
If the business has years of messy permissions, the AI assistant inherits that mess and turns it into drafts, summaries, and answers.
The AI is following the access rules it was given. The problem is that the business may never have checked whether those rules still make sense.
What the risk is
Connected AI means an AI assistant can read business systems directly. Examples include Microsoft 365 Copilot, AI mail and calendar assistants, CRM AI, and "ask your documents" tools that search across company files.
The risk is inherited permissions. The assistant sees what the user is allowed to see, even when that access is accidental, outdated, or too broad.
Most SMB leaders think about AI assistants as if they stay inside the task. If a manager asks for help with HR, the expectation is that the answer will come from HR material. If a salesperson asks about a client, the expectation is that the answer will come from that client file.
Connected AI works from the user's effective access: every site, mailbox, folder, group, shared drive, and business system the user can read.
In a clean environment, that can be powerful. In a typical SMB, permissions have often accumulated for years:
- A SharePoint site was shared broadly during a rushed project.
- "Everyone except external users" was added to a folder and never removed.
- A manager kept access after changing roles.
- A shared mailbox from 2019 still includes staff who no longer need it.
- A migrated file share carried old permissions into the new system.
- A CRM or document-search tool indexes content with an unreviewed permissions model.
The assistant can surface those forgotten access decisions in ordinary work. It may put a compensation detail into a draft, summarize a file the user had forgotten they could read, or pull one client's information into another client's work product.
This is separate from the risk of confidential data entering AI. The article on that topic is about what happens after confidential data enters an AI vendor's systems. This article is about connected AI reading business systems through permissions the business already has.
How it happens in a normal SMB
A small property management company enables Microsoft 365 Copilot for several managers. The owner wants to start with a practical productivity use case: drafting emails, summarizing Teams threads, finding old policy language, and helping managers prepare staff notes.
One property manager is preparing a quarterly performance review for a coordinator. She asks the assistant to help summarize relevant material from her work files, email, and company documents.
The assistant reads from places the manager can access. That includes her mailbox, team files, company documents, and a leadership SharePoint site she forgot she could read.
Three years earlier, when the company was smaller and moving quickly, someone added broad internal access to the leadership site. The site holds manager bonus planning, draft sale conversations, HR investigation material, and internal strategy documents. Regular staff rarely browsed the site, and it was buried in navigation, so the permission problem sat unnoticed.
The AI assistant retrieves content that matches the user's request from locations the user can access. In the draft performance review, it includes language from an old HR investigation note and a compensation planning spreadsheet that both mention the employee's name. The manager is surprised to learn she has access to either file.
The coordinator recognizes details that were never part of her review process and asks where they came from. The manager searches for the phrase and finds the HR note and compensation spreadsheet. IT checks the site permissions and discovers the broader problem: the leadership site has been readable to far more staff than intended for years.
The permission problem already existed. The assistant made it visible in a new place.
The failure path
The failure path looks like this:
- The business enables connected AI for useful work.
- The assistant reads business systems using the user's existing permissions.
- The user's access includes old sites, broad groups, shared mailboxes, migrated folders, or content shared too widely.
- The user asks a normal question.
- The assistant pulls from material outside the user's expected work scope.
- The user sends or relies on a draft, answer, or summary that includes unexpected confidential content.
- The business discovers that the AI surfaced a permissions problem that had been sitting in the background for years.
The technical point is straightforward: stale permissions are enough for connected AI to surface confidential material.
That distinction matters. If a person has permission to read a file, the assistant may treat that file as fair game for answering the person's question. The sharing decision happened earlier, in the file permissions.
Business consequence
The first consequence is usually internal trust.
In the property management company, staff learn that HR investigation notes and compensation planning material were reachable by more people than intended. The owner now has two problems: the original permissions error and the fact that an AI-generated draft carried that material into an employee conversation.
The business may have to answer hard internal questions:
- Who could access the leadership site?
- How long was it open?
- Did anyone else see manager bonus planning, HR notes, sale discussions, or client-confidential work?
- Did AI-generated drafts or summaries repeat any of that content?
- Which sites, mailboxes, or folders have the same problem?
The damage can be immediate. Staff may question whether compensation and HR material are handled carefully. Owners and managers may lose confidence in internal confidentiality. Managers may stop trusting AI drafts, even for safe tasks. If client files are involved, one client's information may appear in another client's draft or summary before anyone outside the firm is involved.
Legal and operational consequences can follow. If a dispute, investigation, legal hold, or acquisition diligence process is underway, the business may need to know what the AI assistant surfaced and to whom. Without useful logs for Copilot or another assistant, the business may have to reconstruct the issue from staff memory and whatever system logs are available.
The commercial problem is the same one that runs through this guide: the business enabled a tool before it understood the control surface underneath it.
Controls that interrupt the failure path
The first control is a high-risk permissions cleanup before broad rollout. Review the places where stale access would hurt most before connected AI starts surfacing them in drafts and summaries.
Start here
- Identify the systems the assistant will read: SharePoint, OneDrive, Teams, mailboxes, CRM, file shares, or document repositories.
- Review high-risk locations first: leadership, HR, finance, legal, board, owner, payroll, and client-confidential sites.
- Remove broad access grants such as "Everyone except external users" where there is no current business need.
- Clean up old group memberships, shared mailboxes, stale guest access, and role changes.
- Enable connected AI for a pilot group before wider rollout.
- Give staff a clear reporting path when an AI draft surfaces content outside the expected work scope.
Add where needed
- Apply labels and access controls to leadership, HR, finance, legal, and client-confidential sites before AI access is granted.
- Begin with approved users or roles before broader enablement.
- Review connected "ask your documents" products before indexing business content, especially if the product keeps its own copy or permissions model.
- Confirm where AI prompts, responses, citations, and interaction logs are stored and who reviews them.
- Re-run the permissions review after major staffing changes, system migrations, mergers, or department reorganizations.
For Microsoft 365 environments, ask IT for a practical oversharing review before Copilot is broadly enabled. The exact tooling depends on licensing, but the question is simple: which sites, folders, groups, and mailboxes are too broadly available, and which of those would hurt most if Copilot surfaced them?
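The oversharing question can be worked through on a permissions export. The following Python example is added here for illustration; it is not part of the original article and is not Microsoft tooling. It expands grants into each user's effective access, then flags high-risk locations that carry a tenant-wide grant or that fall outside a user's expected scope. The CSV columns, location names, users, group memberships, and the keyword match on location names are all constructed assumptions.

```python
import csv
import io
import re

# Constructed sample export, not real tenant data; the column names are assumptions.
GRANTS_CSV = """location,principal,principal_type
Leadership Site,Everyone except external users,group
Leadership Site,owner@example.test,user
HR Investigations,HR Team,group
Property Ops,Property Managers,group
Payroll Mailbox,Finance Team,group
Payroll Mailbox,pm1@example.test,user
Client - Maple Court,Property Managers,group
"""
GRANTS = list(csv.DictReader(io.StringIO(GRANTS_CSV)))
# Constructed directory data: internal users and group membership.
INTERNAL_USERS = {"owner@example.test", "hr1@example.test", "fin1@example.test",
                  "pm1@example.test", "pm2@example.test"}
MEMBERS = {"HR Team": {"hr1@example.test"}, "Finance Team": {"fin1@example.test"},
           "Property Managers": {"pm1@example.test", "pm2@example.test"}}
BROAD = {"everyone", "everyone except external users"}
# High-risk categories named in the article, matched as whole words in the location name.
HIGH_RISK = {"leadership", "hr", "finance", "legal", "board", "owner", "payroll", "client"}

def is_high_risk(location):
    return bool(HIGH_RISK & set(re.findall(r"[a-z]+", location.lower())))

def readers(grant):
    """Expand one grant into the set of internal users it lets read the location."""
    if grant["principal_type"] == "user":
        return {grant["principal"]}
    if grant["principal"].lower() in BROAD:
        return set(INTERNAL_USERS)
    return set(MEMBERS.get(grant["principal"], ()))

def broad_high_risk(grants):
    """High-risk locations carrying a tenant-wide grant: the first cleanup targets."""
    return sorted({g["location"] for g in grants
                   if g["principal"].lower() in BROAD and is_high_risk(g["location"])})

def effective_access(grants, user):
    """Every location the user can read, which is what the assistant can read for them."""
    return {g["location"] for g in grants if user in readers(g)}

def out_of_scope(grants, user, expected):
    """High-risk locations the user can read but that are outside their expected scope."""
    return sorted(loc for loc in effective_access(grants, user) - set(expected)
                  if is_high_risk(loc))

if __name__ == "__main__":
    print("Broad grants on high-risk locations:", broad_high_risk(GRANTS))
    print("pm1 unexpected reach:", out_of_scope(
        GRANTS, "pm1@example.test", {"Property Ops", "Client - Maple Court"}))
```

The per-user output is also a way to choose pilot participants: users with the longest out-of-scope list are the ones whose prompts will exercise stale access first.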
The business should treat unexpected AI output as a signal. If the assistant surfaces a document outside the user's expected work scope, report it, identify the source document, and fix the permission that allowed the assistant to retrieve it.
Policy rule this creates
Rule 03 of 13
Connected AI assistants, including Copilot, AI mail and calendar assistants, CRM AI, and "ask your documents" tools, may only be broadly enabled after the business has reviewed and cleaned up high-risk permissions on the systems the assistant will read. Rollout must start with approved users or roles before broader enablement. Leadership, HR, finance, legal, and client-confidential content must have named owners and restricted access before connected AI can retrieve it. Staff must report AI drafts, summaries, or answers that surface content outside the expected work scope.
Common questions about connected AI and permissions
The questions that come up most often when a business considers turning on a connected AI assistant like Copilot.
If we turn on Copilot, will it surface files staff forgot they had access to?
Connected AI assistants like Copilot read business systems through each user's existing permissions, including access the user may have forgotten about. The assistant treats every site, mailbox, folder, and document the user can read as fair game for answering the user's question. In a business with several years of accumulated access (old SharePoint sites, broad group memberships, shared mailboxes, migrated folders), the assistant will surface content the user never thinks about during normal work. That includes leadership material, HR notes, compensation planning, and client files that were shared more broadly than intended.
Does connected AI bypass the permissions we already have set up?
Connected AI assistants do not bypass permissions. They inherit them. The assistant retrieves content from the systems the user can already access, using the same permissions model that controls files, sites, mailboxes, and records in those systems. What changes is visibility: material that has been technically accessible for years but rarely browsed becomes easy to find when the assistant searches across everything at once. The fix is not to lock down the AI assistant but to clean up the permissions the assistant is reading through. Locking down the assistant without fixing the upstream permissions leaves the same access problem in place for any other tool, search query, or staff member who happens to look.
How do I find out where our permissions are too broad before turning Copilot on?
Start by asking IT or an MSP for an oversharing review on the systems Copilot will read, focused on the highest-risk locations first: leadership, HR, finance, legal, board, owner, payroll, and client-confidential sites. Microsoft 365 includes oversharing reports and access reviews at most business tiers, and IT or the business's MSP can run them before broad Copilot rollout. The questions that matter are which sites have 'Everyone except external users' or large internal groups attached, which shared mailboxes still include people who no longer need them, and which old SharePoint sites contain confidential material with broad access. A focused pass on the top five high-risk locations is usually a few days of IT or MSP work, while a full tenant cleanup can take several weeks depending on the size of the environment and how much old content needs to be reviewed.
Is permissions cleanup really necessary for a small business?
Smaller and newer businesses are not automatically lower risk for connected AI oversharing. In some ways the opposite: small businesses often skip formal permissions discipline in the early years, share broadly so people can get things done, and end up with 'Everyone' or 'Everyone except external users' attached to sites that have since accumulated sensitive content. The cleanup work for a small business is usually smaller in scope than for an enterprise, but the highest-risk locations (leadership, HR, finance, and client files) need the same review before connected AI starts reading through them.
Can we just turn Copilot on for a few people first and see what happens?
A pilot is the right instinct, but the pilot needs to include the high-risk users, not avoid them. Many businesses pilot Copilot with a few cooperative staff in low-sensitivity roles, see no problems, and conclude that broader rollout is safe. The surfacing problem only shows up when the assistant runs through the permissions of someone who happens to have stale access to leadership, HR, finance, legal, or client-confidential material. A useful pilot includes one or two people from each high-risk function and gives them prompts that touch the kinds of work where unexpected surfacing would hurt most. The pilot's purpose is to find out what the business's permissions actually look like when Copilot starts using them.
Can I block connected AI from reading specific sites or folders?
Microsoft 365 supports several controls that restrict what Copilot can read, including sensitivity labels, restricted SharePoint sites, and Copilot-specific exclusion settings on certain plans. Other connected AI products and 'ask your documents' tools vary widely. Some let administrators exclude specific data sources, while others read whatever the user can read with no per-source control. Before broad rollout, the business should confirm which exclusion controls the chosen tool actually supports and configure them for the highest-risk locations. The brake pedal for Microsoft Copilot helps with specific sites and folders, but the underlying permissions issue remains visible to staff, search, and any other tool the business adds later.
What should staff do when an AI draft includes something they didn't expect to see?
Treat the unexpected content as a signal that a permission needs to change, not as a personal mistake. The immediate steps are simple: do not send the draft, note the source document or system the AI assistant pulled the content from, and report the incident to IT or the policy owner. The business uses the report to find the underlying access problem, fix the permission, and check whether other staff have similar exposure. Staff need a clear and blame-free reporting path, because the alternative is that they quietly delete the surprising content from the draft, send the cleaned-up version, and the permission gap stays open for the next user.
Does this apply to Google Workspace AI, CRM AI, and other 'ask your documents' tools, or just Microsoft Copilot?
The permissions-inheritance pattern applies to any connected AI that reads business systems through user accounts. That includes Gemini in Google Workspace, AI features built into CRMs that index company records, AI assistants in document management or knowledge tools, and third-party 'ask your documents' products. The platform and the specific access model change, but the underlying problem does not. Each product needs its own version of the same questions: which systems does this AI read, whose permissions does it inherit, where is the content over-shared, and what exclusion controls does the product support? A business that has done the cleanup for Microsoft Copilot still needs to repeat the review for each additional connected AI tool.
We already enabled Copilot. What should we check now?
Treat the existing Copilot rollout as evidence-gathering rather than starting over. First, ask staff whether they have seen AI drafts, summaries, or answers that included content outside their expected work scope, and make the question easy to answer honestly. Second, review Copilot's available audit and activity logs to see which sites and document types it has been retrieving from and for which users. Third, run the same oversharing review on the high-risk locations (leadership, HR, finance, legal, client) and tighten access before more staff are granted Copilot. The work is the same as a pre-rollout cleanup; the difference is that the business now has live data about where the problems actually are.
One of 13 rules for your AI usage policy
The rule above is one of 13 that make up a working AI Usage Policy. The SMB AI Policy Builder walks you through the full set of decisions and produces the policy, working documents, and a 90-day implementation plan.