Exposure & Access Control

Practice — 02

Exposure & Access Control

Every \”share with everyone\” link, every legacy permission, every site that outlived its project is standing exposure. We withdraw it — methodically, measurably, and without bringing collaboration to a halt.

What the practice delivers

Oversharing, withdrawn

Anonymous links, organisation-wide grants and stale guest access are found, triaged by sensitivity, and revoked in controlled waves — with owners informed and exceptions documented.

Permissions, rationalised

Access is rebuilt around roles and business purpose rather than accumulated history. Site and container owners get a model they can actually maintain.

Protection where it counts

Sensitivity labels, encryption and loss-prevention policies applied in proportion to consequence — strict where data is regulated, light where friction would only breed workarounds.

Exposure as a metric

A standing exposure index your risk committee can watch fall, month on month — and see immediately when a migration or reorganisation pushes it back up.

Signals you need this practice

  • A Copilot pilot surfaced documents that made someone in the room go quiet.
  • Nobody can say, with evidence, who outside the firm can currently reach client data.
  • Access reviews exist on paper and are theatre in practice.
  • Your last penetration test found the front door locked and the filing cabinets open.

See your exposure index

A two-week assessment produces your first exposure index and the ten remediations that will move it furthest.

Shopping Basket