Product · 8 April 2026 · 7 min read

The hidden cost of unmanaged SharePoint

SharePoint sprawl rarely shows up as a line item. It shows up as slow projects, exposed data, and a Copilot rollout that has to be paused.

SharePoint Online is the quiet workhorse of most UK businesses. It's where contracts live, where teams share working drafts, and where finance keeps the spreadsheets nobody wants to mention out loud. It also tends to be where governance goes to die, slowly, between Teams migrations and a long string of half-finished tidy-up projects.

Unmanaged SharePoint doesn't break in obvious ways. It costs you in quieter ones, and those costs compound until they finally surface as a paused programme or a near-miss.

Where the cost shows up

The first cost is time. People can't find what they need. They ask in Teams, they reattach old versions, they email PDFs to themselves. A search experience that doesn't return useful results trains everyone to bypass the system, which means even the documents that are well-organised stop being trusted.

The second cost is exposure. Sensitive documents drift into 'Everyone' or 'Everyone except external users' permissions, often because someone wanted a quick share with a colleague and never tightened it. Across thousands of sites, that adds up to a lot of material that's technically accessible to everyone in the tenant and, in practice, easy to surface with any half-decent search tool.

The third cost is downstream. Any AI tool plugged into the tenant - Copilot, Glean, Mendable, your own RAG pipeline - immediately surfaces what it can see. The third one is what stops Copilot rollouts. The first two are what stop everything else.

How it gets this way

SharePoint sprawl is not the result of carelessness. It's the result of a sensible default behaviour stretched over years. Every Team creates a site. Every project creates a Team. Every department has its 'just for us' area that's somehow open to half the company. Nobody is responsible for the steady accumulation, so nobody acts.

By the time leadership notices, the tenant has tens of thousands of files, thousands of sites, and a permissions model that even the IT team finds hard to explain.

Where to start

A useful first pass is small and concrete. A permissions and oversharing audit on the top 50 sites by activity. A clean information architecture for the top five most-used sites. A lifecycle policy that automatically retires sites that haven't been touched in two years, with a grace period and an owner notification.
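As an added example (not code from this article's author), the following Python runs the first-pass oversharing audit and the two-year lifecycle rule over a constructed site inventory. The record fields, the 30-day grace period and matching broad principals by display name are assumptions; a real inventory would come from the tenant's own admin exports.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Broad principals named in the article, matched by display name (assumption).
BROAD = {"everyone", "everyone except external users"}
ROLE_RANK = {"Full Control": 0, "Edit": 1, "Read": 2}  # widest access first

@dataclass
class Site:  # hypothetical record shape for a tenant inventory export
    url: str
    owner: str
    actions_90d: int                 # activity measure used for ranking
    last_activity: date
    grants: list = field(default_factory=list)   # (principal, path, role)
    owner_notified: Optional[date] = None

def oversharing_findings(sites, top_n=50):
    """Broad grants on the top_n most active sites, widest role first."""
    ranked = sorted(sites, key=lambda s: s.actions_90d, reverse=True)[:top_n]
    found = [(s.url, path, principal, role, s.owner)
             for s in ranked for principal, path, role in s.grants
             if principal.strip().lower() in BROAD]
    return sorted(found, key=lambda f: ROLE_RANK.get(f[3], 3))

def lifecycle_action(site, today, idle_days=730, grace_days=30):
    """Next step for one site: keep, notify_owner, in_grace or retire."""
    if (today - site.last_activity).days < idle_days:
        return "keep"            # recent activity cancels a pending retirement
    if site.owner_notified is None or site.owner_notified < site.last_activity:
        return "notify_owner"    # idle and the owner has not been told yet
    if (today - site.owner_notified).days < grace_days:
        return "in_grace"
    return "retire"

# Constructed sample inventory (not real tenant data).
TODAY = date(2026, 4, 8)
SITES = [
    Site("https://contoso.example/sites/finance", "fin-lead@contoso.example", 4200,
         date(2026, 4, 1), [("Everyone except external users", "/Budgets", "Edit"),
                            ("Finance Members", "/", "Edit")]),
    Site("https://contoso.example/sites/hr", "hr-lead@contoso.example", 900,
         date(2026, 3, 30), [("Everyone", "/Policies", "Read")]),
    Site("https://contoso.example/sites/project-2019", "pm@contoso.example", 0,
         date(2023, 1, 10), [("Everyone", "/", "Full Control")]),
    Site("https://contoso.example/sites/old-intranet", "it@contoso.example", 0,
         date(2022, 6, 1), [], owner_notified=date(2026, 2, 1)),
    Site("https://contoso.example/sites/archive-sales", "sales@contoso.example", 1,
         date(2023, 5, 1), [], owner_notified=date(2026, 3, 20)),
]
```

With `top_n=2` the idle project site's tenant-wide Full Control grant is out of scope for the audit, which is why the lifecycle rule runs over every site rather than only the busiest ones.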

After that, sensitivity labels and DLP policies for the categories of document you genuinely care about: contracts, financials, HR records, customer data. Not everything. Just the categories that would actually hurt if they leaked.

None of it is glamorous. All of it pays back, and most of it can be done quietly in the background without disrupting the business.

What 'good' looks like a year in

A well-managed SharePoint estate has a small set of well-known parent sites, a sensible naming convention, sensitivity labels applied to high-risk content, retention policies that actually retire things, and an owner per site who gets a quarterly nudge to confirm membership.

It also has a measurable trend: fewer 'Everyone' shares, fewer abandoned sites, faster search results, and fewer incidents that begin with someone finding a document they shouldn't have been able to find.

The honest test

If you turned on Copilot tomorrow and asked it to summarise 'everything we know about our biggest customer', would the answer be useful and safe? Useful means the right documents come up. Safe means the wrong ones don't.

Most tenants fail that test today. The work to pass it is finite, it is unglamorous, and it pays back the day the next AI feature ships - because it's the same work underneath every one of them.

Who owns the cleanup

The most common reason SharePoint cleanup stalls is that nobody owns it. IT inherited the platform but doesn't own the content. The business owns the content but doesn't own the platform. The result is a permanent stalemate where everyone agrees something should happen and nobody does it.

Mature setups name an information governance lead, even part-time, who chairs a quarterly review of sites, owners and access. The role doesn't need to be senior; it needs to be persistent. A junior person with twenty per cent of their time on this, backed by a sponsor at the leadership table, will outperform any one-off cleanup project.

Once the role exists, the rest of the work compounds. Site owners get nudged, abandoned content gets retired, oversharing gets caught, and the platform stops drifting. That's the difference between a one-off tidy-up and a healthy estate.

A final practical note. Many firms get stuck because they imagine the cleanup as one enormous project. It doesn't have to be. Pick the top ten sites by activity, do the work properly there, and let the pattern propagate.

Six months of small, deliberate weekly improvements outperforms a six-week project every time. The platform is forgiving of incremental work and unforgiving of one-off pushes that aren't sustained.
