Challenge: Copilot Exposed a Long-Standing Oversharing Problem
Culligan, a global leader in water treatment and delivery services, has grown rapidly through acquisitions. With each new acquisition came another layer of unstructured data─adding to a tangled web of document shares, outdated permissions, and inconsistent governance.
The initial test of Microsoft Copilot seemed promising─until users began surfacing sensitive documents they shouldn’t have had access to. “Although people were using it for the right reasons,” Amir recalled, “some were just curious─testing what else they could find.”
That curiosity uncovered a larger problem: a lack of governance and visibility across SharePoint and Microsoft 365. Decades of decentralized site creation, legacy permissioning, and permissive policies on sharing data had left sensitive business data overexposed.
Impact: Uncontrolled Access = Hidden Risk
The Copilot pilot highlighted governance challenges common in growing, distributed enterprises:
- Employees creating public SharePoint sites by default
- Lack of centralized policy enforcement or permission reviews on data created
- Cultural habits of over-permissioning (“just give them full access so they won’t call IT”)
Solution: Oversharing detection and remediation with Opsin Security
Culligan partnered with Opsin Security to rapidly assess and remediate oversharing risks. Opsin’s platform mapped sensitive data exposures and access patterns across the company’s M365 ecosystem─focusing on what Copilot (and users) could see.
More importantly, Opsin helped Culligan put guardrails in place before the rollout:
AI Proactive Risk Assessment
Opsin performed a proactive risk assessment to identify high-risk SharePoint and OneDrive locations where sensitive data─especially PII and financial documents─could be unintentionally exposed to GenAI tools like Copilot.
Issue-Specific Remediation Guidance
Provided actionable workflows both for IT/security teams and for business units. Opsin enabled remediation to be either centrally executed or delegated to site owners and department heads through shareable, step-by-step instructions─empowering teams to “own the risk” and fix issues without overwhelming IT.
Continuous Oversight of AI Activity
Monitored Copilot usage patterns in real time to detect behaviors that could pose insider threats or result in unintentional data leakage─alerting teams to violations of Culligan’s data security policy.
AI Policy Enforcement Through Existing Security Stack
Culligan used Opsin’s insights─specifically around which sensitive data and query patterns were flowing through Microsoft Copilot─to inform and implement CASB and DLP rules in their existing security infrastructure. This allows the organization to proactively block categories of sensitive data from being shared at scale and operationalize their AI usage policy across the enterprise.
Results: Confidence to Scale AI
With Opsin, Culligan was able to safely expand its Copilot rollout─while reducing the burden on central security and IT teams:
- Sensitive data returned in Copilot queries dropped from 80% to under 15%
- Culligan safely scaled Copilot to a broad user base that is growing on a daily basis─with confidence in policy enforcement and risk visibility
- Decentralized remediation workflows enabled SharePoint site owners and business teams to take ownership, saving valuable time for security and IT
- Established a company-wide AI usage policy and monitoring framework to govern safe AI use now and in future tools