Governance, Risk and Compliance

AI is turning overshared data into a major security risk

Digital warning sign on circuit board with glitch effect. Alert system error, data breach, cybersecurity threat, urgent issue notification. Red warning light indicates critical danger.

COMMENTARY: In every organization there is someone on the security team, often the CISO, who knows exactly how bad the data exposure situation is. They have been trying to get this fixed for months, sometimes years. The reason it has not been fixed is rarely technical: by the time a business case gets approved, the problem has gotten larger.

Policy is not practice

Every framework your organization has aligned to (NIST CSF, ISO 27001, SOC 2 Type II) and every privacy regulation that applies to you includes the same operational requirement: manage access to personal and sensitive data on an ongoing basis.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Your policies say you do this. Your auditors are told you do this. The reality is different, not because your teams are failing, but because this work is not happening continuously and at scale. That gap is real, and it compounds every day.

How oversharing accumulates

Research consistently shows the majority of organizations have sensitive files exposed to far more employees than intended in their cloud collaboration environments. Over time, thousands of small decisions (a file shared too broadly, a link that was never revoked) accumulate silently.

IT teams can see the problem, but cannot fix it at scale because they lack the business context to know which shares are still legitimate. Only the person who created the share knows that. So the work does not get done, and the risk compounds.

AI just eliminated your last line of defense

For years, there was a quiet form of protection built into the chaos: sheer volume. The fact that sensitive files were buried across millions of folders made it statistically unlikely that any one person would stumble across them. That was not real governance, but it was something.

AI productivity tools have eliminated it. Copilots, AI agents, and autonomous tools connected to your cloud collaboration environment inherit whatever access conditions already exist. Every salary file, every board document, every contract that was overshared and never reviewed is now instantly discoverable, summarizable, and actionable. A single compromised account, combined with AI-powered tooling, can mine years of collaboration data in minutes.

The personal stakes are higher than most CISOs realize

Regulators are no longer asking whether you have good intentions. Under GDPR, penalties can reach four percent of global turnover. HIPAA enforcement has pivoted toward access governance, with OCR settlements routinely citing inadequate access controls. NYDFS Part 500 now requires the CISO to file an annual attestation of material compliance in their own name.


Related reading:


In 2023, the SEC charged a sitting CISO personally, and not the organization, for allegedly misleading investors about the company’s cybersecurity posture. The security community has been absorbing that signal ever since: if you are the person responsible for data protection controls, and those controls are not actually operating, your personal exposure does not end where the company’s begins.

There is also a quieter risk that boards rarely see: Directors & Officers insurance was designed to protect named officers of the company. CISOs often fall into coverage gaps that carve out regulatory fines or personal enforcement actions. The people most exposed when controls fail are frequently the least insured against that exposure.

What actually moves this forward

The pattern is consistent across organizations of every size. Security teams recognize the problem quickly. The delay is not technical; it is the process: business case, budget justification, procurement, competing priorities. While that deliberation runs its course, employees are creating new shares and new access that no one will review.

Three things tend to actually move this forward. First, framing the problem in board language: not “overshared files” but “personal attestation risk” and “AI-amplified exposure.” Second, tying it to a compliance deadline or renewal event that has a real date attached. Third, demonstrating that the remediation burden can be distributed — that the people who created the sharing conditions are also the ones best positioned to resolve them, with the right tooling and guidance.

The organizations that close this gap fastest are the ones that stop treating access governance as a transformation project and start treating it as an operational discipline — something that happens continuously, at the employee level, with real metrics to show the board.

The question is no longer whether the organization can afford to act. It is what each month of inaction adds to the remediation bill and to the personal exposure of the person who will sign the next compliance attestation.

Guillaume Brault

Guillaume Brault is a Microsoft cloud and infrastructure advisor at Mondata, a Canadian cybersecurity firm. He works with organizations to assess and reduce data exposure risk in Microsoft 365 environments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds