Microsoft 365 Enterprise Blog | Updates, News & Insights

SharePoint AI agent governance: Why the gap already existed

Written by Liz Stanton | Jun 8, 2026 6:29:50 PM

In the 2025 Gartner Microsoft 365 and Copilot Survey, only 14% of organizations agreed they have the right governance structures in place to manage AI agents, and 70% were worried about agent sprawl.

Orchestry has been named in the 2026 Gartner® Close the AI Agent Governance Gap in Microsoft SharePoint With 5 Practical Steps report.

Why the AI agent governance gap already existed

SharePoint-based AI agents don't generate their own knowledge. They draw from the site content you've connected them to: documents, pages, and libraries that already exist in your tenant.

That makes them useful, and it makes governance a precondition rather than something you layer on afterward.

Connect an agent to a workspace with stale documentation and it surfaces outdated information as current. Connect it to one with overshared permissions and it makes those files accessible to anyone asking questions of it. Your existing governance posture is your AI agent governance posture. The agent inherits it.

AI doesn't create the debt. It just makes the cost of carrying it impossible to ignore.

The delegation problem behind SharePoint governance

Most M365 governance structures put IT at the center: IT owns the policies, the reviews, and the remediation. At small scale, that works.

It stops working somewhere around the 200-workspace mark, often earlier. At that point, the volume of decisions that need to happen across the tenant is simply too large for a central team: which sites are still active, who owns them now, whether the permissions set up at launch still reflect who should have access.

The people closest to the content are site owners, team leads, and department admins. They know what's current, what's shared with the wrong people, who the active owners are. But without prompts, tools, or explicit accountability structures, that knowledge doesn't translate into governance action.

The problem is structural: governance execution was never distributed to the people with the context to carry it out.

Based on Orchestry data, 67% of workspaces are inactive on average when organizations first connect to the platform. That's not a statistic about a governance failure that just happened. It's the accumulated result of decisions that were never made.

What makes a SharePoint workspace trustworthy for Copilot

Before you connect a SharePoint site to an AI agent, or allow Copilot to surface its content, ask yourself: would you trust a new employee to draw conclusions from whatever they find in this site?

Most admins already know the sites they'd say no to. The project workspace with a year-old status document still listed as current. The department site where a contractor's permissions were never cleaned up after they left. The team with no active owner since the lead moved roles six months ago.

Each of those scenarios represents a governance problem that predates Copilot. When an AI agent uses the workspace as a knowledge source, it inherits all of it. For a closer look at how Copilot specifically exposes broken permission structures, see our post on Microsoft 365 broken permissions and Copilot risks.

None of this is AI-specific. These are the conditions a well-run M365 tenant maintains on a regular cadence, regardless of whether AI is in the picture.

Orchestry's Workspace Review automates that cadence. It surfaces workspaces where content hasn't been updated and flags ownership gaps and risky sharing links inside the review itself. The process is backed by tenant-wide insights that flag broken inheritance, exposed folders, and oversharing patterns, and it routes the work to the site owners responsible for resolving it.

Why M365 governance can't scale from IT alone

Microsoft's native admin center gives you visibility across the tenant. You can see which sites are active, which have external users, which haven't been modified in months. That visibility is real and useful.

What it doesn't give you is workflow. Knowing that 400 workspaces have unreviewed permissions doesn't tell you who should review them, or give those people a mechanism to act. The information stays in IT; there's no mechanism to distribute the execution.

Gartner states: "Bolster AI governance by redefining the site-owner role as a frontline AI steward. Empower them to manage the life cycle of agents in SharePoint, ensure data quality and monitor permissions." That redefinition only becomes operational, though, when site owners have tooling that makes the new accountability executable.

Orchestry routes governance execution to site owners automatically. IT configures the criteria: which workspaces get reviewed, on what schedule, with what thresholds. Site owners receive tasks and act on them without needing admin center access or scripting knowledge.

Governance decisions happen at the workspace level, made by the people with the context to make them, at a scale IT couldn't sustain from the center.

What AI-ready SharePoint governance looks like in practice

The organizations that can confidently deploy AI agents across SharePoint have one thing in common: the underlying workspace hygiene was already there.

Workspaces were created through a process that assigned ownership from day one. Inactive sites get identified and resolved before their content goes stale, not discovered after an AI agent has already surfaced a two-year-old policy as current guidance. Permissions are reviewed on a cadence that reflects how access shifts in your organization, not just when something goes wrong. Sharing links get the same treatment: external shares that outlived their purpose get flagged and removed before an agent surfaces the files behind them.

Orchestry's lifecycle management handles the operational layer: provisioning templates that enforce ownership at creation, activity monitoring that flags workspaces that have crossed the inactivity threshold, and archiving workflows that pull at-risk workspaces out of Copilot's reach before their content surfaces in an answer.

When Orchestry archives a workspace, it sets the SharePoint site's search visibility to off and applies a read-only lock. These are the signals Microsoft 365 Copilot follows for what to include in its grounding. On Microsoft's next index refresh, the workspace stops surfacing in Copilot answers. For tenants with Microsoft 365 Archive licensed, the same policy can invoke Microsoft's native archive action, moving the site to a no-access state that Microsoft excludes from the Copilot semantic index entirely.

Combined with Workspace Review, lifecycle management creates a closed loop: governance tasks surface, route to the right owners, get resolved, and the tenant stays in a state where AI agents can be trusted to use what they find. For more on how SharePoint agents use site content and how to govern them once they're active, see our post on Microsoft Copilot agents: what they are and how to manage them.

As Gartner notes: "Increased reliance on AI agents that interact with and reason over SharePoint content, changes SharePoint from a simple content repository to an active knowledge layer, which IT cannot manage alone. The urgency to rethink governance becomes critical. Organizations that do not shift SharePoint site owners to AI stewards increase the risk of data exposure and compliance failures."

If you want to see where your tenant stands on the governance conditions AI agents depend on, Orchestry's Workspace Review gives you a live picture of what needs attention, then routes the work to the right people to act on it. To see what that looks like in your own environment, start a trial or book a walkthrough.

Gartner Objectivity Disclaimer

Source: Gartner, "Close the AI Agent Governance Gap in Microsoft SharePoint With 5 Practical Steps," Melinda Morales, 7 May 2026. Gartner is a trademark of Gartner, Inc. and/or its affiliates.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner's business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.