The Workflow That Worked Perfectly — and Still Broke Security

A security analyst at a large enterprise recently discovered something odd: sensitive HR documents sitting inside a Microsoft Teams channel that hundreds of employees could open. No hacker had broken in. No password had been stolen. The cause was a document-approval automation, built with the help of an AI assistant, that quietly moved files from SharePoint into Teams — and did its job exactly as asked.

A laptop showing a business workflow diagram, highlighting how AI-generated workflows can create security risks in Microsoft 365

That’s the uncomfortable part of this story. The workflow was not broken. It worked. Documents moved, notifications fired, approvals sped up. Nobody had checked what permissions the automation actually held or where the data was allowed to travel — and that gap, not any malfunction, is what created the exposure.

This is becoming a familiar pattern as AI coding assistants make it dramatically easier to build automation inside everyday business tools. The tools aren’t the problem. The problem is that "it works" and "it’s safe" have quietly become two different questions, and most organizations are only answering the first one.

Why Microsoft 365 Is Where This Risk Concentrates

Microsoft 365 is the connective tissue of most modern offices — email, SharePoint document libraries, Teams conversations, OneDrive files, compliance records, and identity data all live there. Power Automate, Microsoft’s workflow-building tool, is designed to stitch these pieces together: pull a file from SharePoint, post it to Teams, email a notification, update a spreadsheet. That connectivity is exactly why it’s useful, and exactly why a careless connection can move sensitive data somewhere it shouldn’t go.

Traditional software development usually passes through peer review, testing, and deployment checks before it reaches production. Microsoft 365 automation frequently skips all of that. Flows and scripts are built by business analysts, admins, and "citizen developers" whose main goal is simply to make a task faster — not to model out who should have access to what.

AI assistants remove the last real barrier to entry. A person no longer needs to understand Microsoft Graph permission scopes, SharePoint inheritance rules, or data-loss-prevention policies to get a working flow. They can describe what they want in plain language and get functioning code back in minutes. That’s genuinely useful for productivity — and it also means many more people, most of whom have never thought about access control, are now capable of deploying automation that touches sensitive company data.

Working vs. Secure Are Not the Same Test

It helps to separate two questions that often get collapsed into one:

Does the automation do what I asked? That’s a functional test — did the file move, did the notification arrive.

Does the automation only touch what it needs to, only move data where it should, and leave a trail someone can review? That’s a security and compliance test — and it’s rarely run at all on everyday workplace automation.

Microsoft’s own documentation on Graph permissions describes exactly this distinction. An app can be granted delegated access, meaning it acts on behalf of a signed-in user and can never see more than that user could already see — or application access, meaning it acts under its own identity and can potentially read or write data across the entire tenant, with no user in the loop at all. Microsoft explicitly recommends the narrowest scope that gets the job done, warning that over-broad permissions increase "exposure to unauthorized and unintended access to data". That is the textbook definition of least privilege: grant only what a task actually requires, nothing more.

The trouble is that broad permissions are often the path of least resistance for generated code. A script that asks for wide, tenant-level read access is simply more likely to run without errors than one scoped tightly to a single SharePoint site or Teams channel. Nobody chooses the broad version out of carelessness — it just works more reliably on the first try, and "it worked" is usually where testing stops.

Where the Damage Actually Happens

Common workflow behavior Why it looks fine The security or compliance gap it creates
Requesting broad Graph permissions to "make sure it works" Automation runs without permission errors Creates a standing privileged pathway; if the account is compromised, exposure is far wider than the task required
Auto-routing files between SharePoint, Teams, Outlook, and OneDrive Speeds up reporting and approvals Can silently send payroll, legal, or customer data to the wrong channel or external mailbox for weeks before anyone notices
AI-generated eDiscovery or audit queries Collects data quickly for a compliance request Can over-collect, miss required evidence, or expose privileged communications
Flow built and deployed by a non-developer in minutes Fast, functional, no bottleneck Skips the review step that traditional code changes usually go through
No central inventory of active flows Each flow looks harmless in isolation Security teams can’t assess risk in workflows they don’t know exist

None of this requires an AI assistant to "go wrong" in any dramatic sense. The assistant does what it’s asked, the same as the developer’s Teams-and-SharePoint flow did. The risk lives in the gap between functional testing and security review — a gap that used to be smaller because building automation required more specialized knowledge, and therefore fewer, more experienced hands.

From Prompt to Blind Spot

It’s worth tracing how an ordinary, well-intentioned request can end up as unmonitored exposure:

flowchart TD
 A[Employee describes task to AI assistant] --> B[AI generates workflow / script]
 B --> C[Functional test only: does it run?]
 C --> D[Deployed to production]
 D --> E[Runs automatically, unreviewed]
 E --> F[Overexposure or compliance drift, unnoticed]

Each step is reasonable on its own. The failure is cumulative: speed at the front end, and no equivalent speed of oversight at the back end. A flow that runs on a schedule doesn’t get tired or hesitant — it keeps moving data exactly as configured until a human notices and intervenes.

Governing the Layer Nobody Watches

Most security teams have matured their control over applications, cloud infrastructure, and identities. Far fewer have equivalent visibility into the automation layer that connects those pieces together — the flows, scripts, and integrations quietly running in the background.

Microsoft’s own Power Platform governance guidance points to the practical levers available: organizing work into separate environments for development, testing, and production; using data policies that keep "business data" connectors separated from open, unrestricted ones; blocking specific connectors tenant-wide; and reviewing audit logs for new flows, permission grants, and unusual data movement. Applied consistently, these controls meaningfully reduce risk — they narrow what a workflow can reach and make silent data drift easier to catch early. They don’t make risk disappear entirely, because governance is only as reliable as its enforcement, and new flows are created faster than most review cycles run.

Banning AI assistants isn’t a realistic response, and neither is blocking automation outright — both are now embedded in how modern work gets done. The more useful shift is treating AI-generated workflows the way mature teams already treat AI-generated code: a draft, not an approved artifact. That means an inventory of what’s running, a habit of asking what permissions a new flow actually needs versus what it was given, and ongoing monitoring rather than a one-time approval.

The Real Question to Ask

The next time someone proudly demos a workflow that "just works," the more useful question isn’t whether it completed the task. It’s whether anyone checked what it can touch, where it can send data, and who would notice if it kept doing that quietly for the next six months. If AI can produce a working automation in minutes, the controls around it need to move at a comparable speed — evaluating access and data flow, not just outcomes. That’s a governance problem with practical answers, not a reason to fear the tools that made building automation so much easier in the first place.

Sources

  1. AI-Generated Workflows Are a Silent Security Disaster
  2. Overview of Microsoft Graph permissions – Microsoft Graph
  3. Security and governance considerations in Power Platform – Power Platform
Scroll to Top