Two years ago you were closing a deal and moving fast. A prospect wanted to see three proposals, a rate card, and a couple of case studies, and the quickest way to get them across was to drop everything in a folder, hit share, pick the option that reads "anyone with the link," and paste the link into an email. The deal closed. You never thought about that folder again. It is still there, and the link still works, and anyone who has it, or who was ever forwarded it, can open every file inside without signing in, without a password, without you having any idea they are looking.
That is the quiet cost of the fastest sharing option in Microsoft 365 and Google Workspace. It does exactly what you asked. The problem is that it keeps doing it long after the reason you created it has gone.
The fast option is the one that stays open
When you share a file in OneDrive, SharePoint, or Google Drive, you are choosing between a few kinds of access, and the difference matters far more than it looks at the moment you pick one. Sharing with specific people means only named accounts can open the file, and every open is tied to an identity you can see and revoke. The "anyone with the link" option throws that away. It creates a URL that grants access to whoever holds it, with no login and, on most tenants, no expiry date. The link can be forwarded, pasted into a chat, saved in a browser, or sit in an email thread that gets handed to a new hire at the recipient's company a year from now.
Nobody sets out to build a security hole. They set out to avoid the friction of asking a client to sign in, or of tracking down someone's exact email address, and the anonymous link removes that friction beautifully. Then it accumulates. One founder does it for a proposal, a project lead does it for a shared spreadsheet, someone in finance does it for a document they meant to send to one person, and none of them ever go back to turn the link off because nothing prompts them to. A company of thirty people can rack up thousands of these links over a few years, and almost none of them are still needed.
The reason this rarely surfaces is that oversharing has no symptom. A file that is readable by too many people looks and behaves exactly like a file that is locked down correctly. It opens when you click it. It shows up where you expect. There is no error, no warning, no slow performance, nothing that would ever land it on a to-do list. The exposure only becomes visible when someone outside the company opens something they should never have seen, and by then it is an incident rather than a setting.
The assistant that reads everything at once
For years this sprawl sat there doing very little harm, because finding an overshared file required knowing it existed and having the link. That assumption stopped holding the moment AI assistants arrived inside these platforms.
Microsoft 365 Copilot and Google's Gemini for Workspace answer questions by reading across everything the person asking is allowed to see. Ask Copilot to summarise the company's current pricing and it will search every document that user can reach, including that folder of proposals from two years ago and the rate card nobody remembered was still shared. The assistant does not distinguish between a file someone deliberately gave you and a file you happen to have access to because of a forgotten link or an over-broad permission. It treats reachable and intended as the same thing, because from the system's point of view they always were.
This turns a pile of low-risk clutter into something searchable and instant. An employee who would never have gone hunting through old SharePoint folders can now ask a plain-English question and have the assistant pull the sensitive answer out of a document they were never meant to open. Microsoft took the concern seriously enough to ship a feature called Restricted SharePoint Search, which lets administrators limit what Copilot can reach while they clean up permissions. That feature exists precisely because so many tenants turned on the assistant before anyone had looked at what it could see. Rolling out an AI assistant on top of years of unreviewed sharing is how a firm discovers its oversharing all at once, usually in front of the wrong person.
What the defaults quietly allow
Both platforms ship with sharing settings that lean toward openness, because openness is what makes people productive on day one. On many Microsoft 365 tenants, external sharing is enabled broadly and anonymous links carry no expiration unless an administrator sets one. Google Workspace similarly allows link sharing outside the organisation depending on how the domain was configured, and link expiry is something you turn on rather than something that is on already. Guest accounts add another layer, because a person you invited to one project keeps their access until someone removes it, and that removal rarely happens on its own.
None of these defaults are reckless. They are the vendor betting that most customers value getting started over locking down, a fair bet for a brand-new tenant with nothing sensitive in it. The trouble is that the tenant fills up with client contracts, financials, and confidential proposals over the following years while the settings stay exactly where they were on the first day.
Reining it back in
The fix is a settings review and a cleanup, and neither requires new software. In Microsoft 365, the SharePoint admin center gives you control over external sharing at the tenant and site level, and this is where you can require that anonymous links expire after a set number of days and default new shares to specific people rather than anyone. The admin center also produces a sharing report that lists what is currently shared and how, which is the document to read before you turn on any AI assistant. Sensitivity labels let you mark genuinely confidential material so it cannot be shared externally at all, and reviewing the guest accounts in Entra ID clears out the collaborators who finished their project months ago.
Google Workspace offers the same handholds through the Admin console. You can restrict link sharing so files default to being visible only to named people, set external links to expire, and use the Drive audit log and the security investigation tool to find what has been shared outside the domain. For firms on a Business or Enterprise plan, the data loss prevention rules can stop certain content from being shared externally in the first place, which moves the guardrail earlier in the process where it belongs.
The through line is that identity should decide who reads a file, the same way it should decide who logs in. An anonymous link is the one sharing method that steps around identity entirely, and treating it as the exception rather than the reflex is most of the battle. We made a version of this case about who can log in when we wrote about the app that walks past your MFA; this is the same principle applied to who can read.
Worth an afternoon this week
If your team has been on Microsoft 365 or Google Workspace for more than a year or two, there are almost certainly live links out there that outlived their purpose. Pull the sharing report on whichever platform you run and read it. You will probably find a folder or a file that is open to anyone, that you forgot existed, that should have been closed the week after you sent it. Closing it costs you nothing and removes a door you did not know was standing open. And if you are anywhere near turning on Copilot or Gemini, do this first, because the assistant will find everything that link ever exposed, and it will not wait to be asked twice. Reach out if you want help reading what your tenant is currently sharing with the world.