Need support? Helpdesk: (780) 800-5528
Home / Insights & Resources / Connected AI and old permissions

Risk 03 of 13 · AI Risk Series

Connected AIMay 2026 • 8 min read

Connected AI and old permissions: what the assistant can find

The risky moment can look like a manager doing normal work.

Connected AI assistants read business systems through the user's permissions. Years of old SharePoint sites, broad groups, and forgotten access become AI source material.

Where it comes from A connected AI assistant inherits the user's effective permissions across mail, files, sites, and business systems.
What the business loses The ability to keep stale or over-broad access quietly in the background, because the assistant treats all of it as fair game.
What ends it A high-risk permissions cleanup before broad rollout, plus a reporting path when an AI draft surfaces unexpected content.
← Series introduction Article 03 of 13

The risky moment can look like a manager doing normal work.

She asks an AI assistant to help draft a performance review, summarize a client file, prepare a sales update, or find the latest policy language. The assistant is connected to Microsoft 365, the CRM, email, calendar, SharePoint, or another business system. It answers quickly because it can search the business systems the user can already access.

That access is the issue.

Connected AI assistants usually work through the user's existing permissions. They can see what the user can see: current files, old SharePoint sites, shared mailboxes, forgotten folders, broad group memberships, and documents someone was shared into years ago and can still read.

If the business has years of messy permissions, the AI assistant inherits that mess and turns it into drafts, summaries, and answers.

The AI is following the access rules it was given. The problem is that the business may never have checked whether those rules still make sense.

What the risk is

Connected AI means an AI assistant can read business systems directly. Examples include Microsoft 365 Copilot, AI mail and calendar assistants, CRM AI, and "ask your documents" tools that search across company files.

The risk is inherited permissions. The assistant sees what the user is allowed to see, even when that access is accidental, outdated, or too broad.

Most SMB leaders think about AI assistants as if they stay inside the task. If a manager asks for help with HR, the expectation is that the answer will come from HR material. If a salesperson asks about a client, the expectation is that the answer will come from that client file.

Connected AI works from the user's effective access: every site, mailbox, folder, group, shared drive, and business system the user can read.

In a clean environment, that can be powerful. In a typical SMB, permissions have often accumulated for years:

  • A SharePoint site was shared broadly during a rushed project.
  • "Everyone except external users" was added to a folder and never removed.
  • A manager kept access after changing roles.
  • A shared mailbox from 2019 still includes staff who no longer need it.
  • A migrated file share carried old permissions into the new system.
  • A CRM or document-search tool indexes content with an unreviewed permissions model.

The assistant can surface those forgotten access decisions in ordinary work. It may put a compensation detail into a draft, summarize a file the user had forgotten they could read, or pull one client's information into another client's work product.

This is separate from confidential data entering AI. That article is about what happens after confidential data enters an AI vendor's systems. This article is about connected AI reading business systems through permissions the business already has.

How it happens in a normal SMB

A small property management company enables Microsoft 365 Copilot for several managers. The owner wants to start with a practical productivity use case: drafting emails, summarizing Teams threads, finding old policy language, and helping managers prepare staff notes.

One property manager is preparing a quarterly performance review for a coordinator. She asks the assistant to help summarize relevant material from her work files, email, and company documents.

The assistant reads from places the manager can access. That includes her mailbox, team files, company documents, and a leadership SharePoint site she forgot she could read.

Three years earlier, when the company was smaller and moving quickly, someone added broad internal access to the leadership site. The site holds manager bonus planning, draft sale conversations, HR investigation material, and internal strategy documents. Regular staff rarely browsed the site, and it was buried in navigation, so the permission problem sat unnoticed.

The AI assistant retrieves content that matches the user's request from locations the user can access. In the draft performance review, it includes language from an old HR investigation note and a compensation planning spreadsheet that both mention the employee's name. The manager is surprised to learn she has access to either file.

She sends the draft to the coordinator as a "let's discuss" preview.

The coordinator recognizes details that were never part of her review process and asks where they came from. The manager searches for the phrase and finds the HR note and compensation spreadsheet. IT checks the site permissions and discovers the broader problem: the leadership site has been readable to far more staff than intended for years.

The permission problem already existed. The assistant made it visible in a new place.

The failure path

The failure path looks like this:

Case file Sequence 03 · Connected AI

  1. The business enables connected AI for useful work.

  2. The assistant reads business systems using the user's existing permissions.

  3. The user's access includes old sites, broad groups, shared mailboxes, migrated folders, or content shared too widely.

  4. The user asks a normal question.

  5. The assistant pulls from material outside the user's expected work scope.

  6. The user sends or relies on a draft, answer, or summary that includes unexpected confidential content.

  7. The business discovers that the AI surfaced a permissions problem that had been sitting in the background for years.

The technical point is straightforward: stale permissions are enough for connected AI to surface confidential material.

That distinction matters. If a person has permission to read a file, the assistant may treat that file as fair game for answering the person's question. The sharing decision happened earlier, in the file permissions.

Business consequence

The first consequence is usually internal trust.

In the property management company, staff learn that HR investigation notes and compensation planning material were reachable by more people than intended. The owner now has two problems: the original permissions error and the fact that an AI-generated draft carried that material into an employee conversation.

The business may have to answer hard internal questions:

  • Who could access the leadership site?
  • How long was it open?
  • Did anyone else see manager bonus planning, HR notes, sale discussions, or client-confidential work?
  • Did AI-generated drafts or summaries repeat any of that content?
  • Which sites, mailboxes, or folders have the same problem?

The damage can be immediate. Staff may question whether compensation and HR material are handled carefully. Owners and managers may lose confidence in internal confidentiality. Managers may stop trusting AI drafts, even for safe tasks. If client files are involved, one client's information may appear in another client's draft or summary before anyone outside the firm is involved.

Legal and operational consequences can follow. If a dispute, investigation, legal hold, or acquisition diligence process is underway, the business may need to know what the AI assistant surfaced and to whom. Without useful logs for Copilot or another assistant, the business may have to reconstruct the issue from staff memory and whatever system logs are available.

The commercial problem is the same one that runs through this guide: the business enabled a tool before it understood the control surface underneath it.

Controls that interrupt the failure path

The first control is a high-risk permissions cleanup before broad rollout. Review the places where stale access would hurt most before connected AI starts surfacing them in drafts and summaries.

Start here

  • Identify the systems the assistant will read: SharePoint, OneDrive, Teams, mailboxes, CRM, file shares, or document repositories.
  • Review high-risk locations first: leadership, HR, finance, legal, board, owner, payroll, and client-confidential sites.
  • Remove broad access grants such as "Everyone except external users" where there is no current business need.
  • Clean up old group memberships, shared mailboxes, stale guest access, and role changes.
  • Enable connected AI for a pilot group before wider rollout.
  • Give staff a clear reporting path when an AI draft surfaces content outside the expected work scope.

Add where needed

  • Apply labels and access controls to leadership, HR, finance, legal, and client-confidential sites before AI access is granted.
  • Begin with approved users or roles before broader enablement.
  • Review connected "ask your documents" products before indexing business content, especially if the product keeps its own copy or permissions model.
  • Confirm where AI prompts, responses, citations, and interaction logs are stored and who reviews them.
  • Re-run the permissions review after major staffing changes, system migrations, mergers, or department reorganizations.

For Microsoft 365 environments, ask IT for a practical oversharing review before Copilot is broadly enabled. The exact tooling depends on licensing, but the question is simple: which sites, folders, groups, and mailboxes are too broadly available, and which of those would hurt most if Copilot surfaced them?

The business should treat unexpected AI output as a signal. If the assistant surfaces a document outside the user's expected work scope, report it, identify the source document, and fix the permission that allowed the assistant to retrieve it.

Policy rule this creates

Rule 03 of 13

Connected AI assistants, including Copilot, AI mail and calendar assistants, CRM AI, and "ask your documents" tools, may only be broadly enabled after the business has reviewed and cleaned up high-risk permissions on the systems the assistant will read. Rollout must start with approved users or roles before broader enablement. Leadership, HR, finance, legal, and client-confidential content must have named owners and restricted access before connected AI can retrieve it. Staff must report AI drafts, summaries, or answers that surface content outside the expected work scope.

One of 13 rules for your AI usage policy

The rule above is one of 13 that make up a working AI Usage Policy. The SMB AI Policy Builder walks you through the full set of decisions and produces the policy, working documents, and a 90-day implementation plan.

Launching soon. Join the waitlist to be notified.

Get practical insights like this in your inbox

Occasional articles and updates on technology, risk, operations, and support.