Practice — 02
Exposure & Access Control
Every \”share with everyone\” link, every legacy permission, every site that outlived its project is standing exposure. We withdraw it — methodically, measurably, and without bringing collaboration to a halt.
What the practice delivers
Oversharing, withdrawn
Anonymous links, organisation-wide grants and stale guest access are found, triaged by sensitivity, and revoked in controlled waves — with owners informed and exceptions documented.
Permissions, rationalised
Access is rebuilt around roles and business purpose rather than accumulated history. Site and container owners get a model they can actually maintain.
Protection where it counts
Sensitivity labels, encryption and loss-prevention policies applied in proportion to consequence — strict where data is regulated, light where friction would only breed workarounds.
Exposure as a metric
A standing exposure index your risk committee can watch fall, month on month — and see immediately when a migration or reorganisation pushes it back up.
Signals you need this practice
- A Copilot pilot surfaced documents that made someone in the room go quiet.
- Nobody can say, with evidence, who outside the firm can currently reach client data.
- Access reviews exist on paper and are theatre in practice.
- Your last penetration test found the front door locked and the filing cabinets open.
See your exposure index
A two-week assessment produces your first exposure index and the ten remediations that will move it furthest.
