SharePoint vs OneDrive for AI - where your files live decides what AI can see

AI doesn’t create new permission problems. It makes your existing ones impossible to ignore. When Copilot or Claude indexes your M365 files, the difference between SharePoint and OneDrive isn’t just a storage question - it determines what AI can see, who it can tell, and what you can’t take back.

The thing is, most companies have years of accumulated sharing decisions buried across hundreds of SharePoint sites. Nobody thought twice about those decisions until AI made every shared file instantly searchable, summarizable, and quotable. That’s the real problem here.

The permission model changes everything for AI

OneDrive is private by default. Your files, your control. When you connect an AI tool, you pick which files it can access. The exposure surface is narrow because you’re making deliberate choices about what to share with the AI agent.

SharePoint works completely differently. Permissions are team-based, role-inherited, and site-scoped. When Copilot gets access to a SharePoint site, it can search across every document in that site that your role permits. Not just the files you care about - everything your account technically has access to. Orchestry’s research on SharePoint permissions and AI security calls this the “blast radius” problem, and it’s spot on.

Here’s the nightmare scenario that keeps showing up. There’s a permission group in M365 called “Everyone Except External Users” - EEEU for short. Sounds reasonable until you realize it includes every guest account, every contractor, every service principal in your tenant. Syskit documented real cases where an HR employee asked Copilot to “summarize Q3 performance” and got back entire company financial data because Finance had accidentally shared a board deck with EEEU months earlier. Nobody noticed. Copilot noticed.

Permission debt compounds like technical debt, but honestly it’s worse. Technical debt you can refactor with code. Permission debt requires human review of every site, every library, every sharing link. You can’t automate that at scale without breaking workflows people depend on. In building Tallyfy, I’ve seen how even simple permission structures get messy fast once real humans start sharing things under deadline pressure - and that’s in a purpose-built workflow tool, not a sprawling document platform.

Why does this matter more now than it did two years ago? Because before AI, a badly shared document just sat there. Someone would have to know it existed, know where to find it, and go look for it. Now AI agents actively crawl and index everything they can reach. The difference between “technically accessible” and “actively surfaced” is the entire ballgame.

What AI actually sees in each platform

Copilot accesses SharePoint through site-level role-based access control. It can search across multiple site collections simultaneously, pulling content from different teams and departments in a single query. If your account has read access to the Finance site, the Legal site, and the Marketing site, Copilot can blend information from all three in one answer. That’s powerful when it works as intended. It’s a disaster when permissions are sloppy.

OneDrive access is fundamentally different. AI tools typically only see files you’ve explicitly selected or shared with the application.

The Claude M365 connector works through read-only, delegated permissions via OAuth 2.0, requiring Entra Global Admin consent before anyone can use it. That’s a proper gate. But it also means one admin decision opens the door for the entire organization, so the decision itself carries real weight. If you’ve already done the work of organizing files for Claude, this becomes less scary because you’ve thought through what should be accessible.

There’s a nasty gap in Copilot Studio that doesn’t get enough attention. When you build custom agents and embed files as knowledge sources, those files get auto-shared with every user of the agent. Access persists even after you revoke the original sharing link. Microsoft has acknowledged this behavior, but it’s still sort of a trap for anyone building internal AI tools quickly without reading the fine print.

Then there’s the departure window. When an employee leaves, their OneDrive enters a 30-93 day retention period. During that window, Copilot can still access and surface content from that departed employee’s files. Sensitive strategy documents, draft communications, salary spreadsheets - all still searchable by AI for months after someone walks out the door.

And it’s not just Microsoft’s own AI. Obsidian Security’s research highlights that third-party apps like ChatGPT, Slack, and ClickUp often request Files.Read.All permissions through OAuth. That single permission scope gives them read access to every file in a user’s OneDrive and SharePoint. When consulting with companies on their AI security posture, this is the elephant in the room that almost nobody has audited properly.

The governance gap nobody talks about

SharePoint Advanced Management introduced several features that sound great on paper. Restricted Content Discovery hides specific content from Copilot’s search results - but it doesn’t actually remove the underlying access. If someone knows the direct URL, they can still get to it. Restricted Access Control locks sites down to specific security groups. Permission State Reports detect broken inheritance across your tenant. AI Insights use semantic policy matching to flag content that might violate your policies.

OneDrive governance is intentionally minimal, and honestly, that’s kind of the point. It’s your personal space. The governance burden is lighter because the sharing model is simpler.

But here’s where things get properly broken. Sensitivity labels applied at the container level - meaning the SharePoint site itself - don’t automatically propagate down to individual files within that site. You can label a site as “Confidential” and the documents inside it won’t inherit that classification. Microsoft’s own internal Copilot governance team defaults everything to “Confidential/Internal Only” labels and uses Graph Data Connect for automated oversharing reports. If Microsoft needs that level of tooling to govern their own tenant, what does that tell you about everyone else?

Knostic’s analysis puts it bluntly - Purview protects files, not AI outputs. Once Copilot reads a confidential document and generates a summary, that summary doesn’t carry the original sensitivity label. The AI output lives in chat history, in emails, in meeting notes, completely detached from the governance that protected the source. Their research found that roughly 8.5% of enterprise prompts risk exposing sensitive information through this gap. Metomic’s deeper analysis of Purview’s limitations confirms this isn’t a configuration problem - it’s an architectural one.

The OWASP Top 10 for Agentic AI lists excessive agency and permission misuse as top-tier risks for exactly this reason. AI agents that operate within broad permission scopes will surface whatever they can find, regardless of whether someone intended for that content to be accessible in that context. The problem isn’t malice. It’s math.

A three-tier strategy that actually works

Rather than trying to fix everything at once - which is basically yak shaving at enterprise scale - a tiered approach lets you match governance intensity to actual risk.

Tier 1 - OneDrive for personal drafts. AI access is none or limited. Governance is light - user-managed, no admin overhead. This is where work-in-progress lives before it’s ready for team consumption. Keep sensitive personal documents here and don’t connect AI tools to this space unless you have a specific reason.

Tier 2 - SharePoint for open projects. AI access is site-level via Copilot, which is fine for collaborative work where the whole team should see everything. Moderate governance with clear site ownership and regular activity monitoring. Review membership quarterly. This is where most day-to-day collaboration happens.

Tier 3 - SharePoint restricted sites. AI access is blocked via Restricted Content Discovery. Heavy governance with Restricted Access Control, conditional access policies, and mandatory sensitivity labels on every document. This tier is for board materials, M&A documents, salary data, legal privileged communications - anything where AI surfacing the wrong content to the wrong person creates real liability.

In advisory work with mid-size companies, I’ve found the practical implementation takes three to four weeks for a 200-person organization. The technology setup is the easy part. Roughly 80% of governance success is non-technical - stakeholder alignment, getting department heads to actually review their site permissions, and integrating the new rules into existing workflows so people don’t just route around them.

For the AI governance framework to hold, it can’t live in a policy document nobody reads. This connects directly to the broader shadow AI problem - if your governance makes legitimate work harder, people will find workarounds. The governance has to be lighter than the pain of non-compliance.

One contrarian view worth noting: some practitioners argue that attempting full governance before delivering any AI value is unrealistic and counterproductive. They suggest using trust models that assess data by lineage, value, and risk rather than trying to classify everything upfront. There’s merit to that. Perfect governance that ships in 2027 is less useful than good-enough governance that ships next month. Mind you, “good enough” still means you’ve at least audited your EEEU exposure and locked down your most sensitive sites.

The question you should be asking isn’t whether AI can access your files. It already can - or it will the moment someone in IT flips the Copilot switch. The real question is whether you know which files AI can see right now, and whether that’s what you actually intended. If you can’t answer that confidently, start with the data access governance report. It takes 30 minutes. What it reveals might take considerably longer to fix - but at least you’ll know where the security threats actually live instead of guessing. And knowing, as they say, is the prerequisite for doing anything useful about data privacy in the age of AI agents.