The Hidden Risks of Shared Drive Permissions in Small Firms
Every growing firm ends up with shared drive sprawl. Here are the hidden permission gotchas that lead to leaks — and how to audit them quickly.
Every firm that grows beyond 10 people ends up with shared drive sprawl. SharePoint, Google Drive, OneDrive, Dropbox Business — pick one, it doesn't matter. The permission model breaks in the same ways. Here are the hidden gotchas that cause real leaks.
The inheritance trap
Shared drives use permission inheritance: subfolders inherit permissions from their parents unless you explicitly break the inheritance. This works fine for two levels but breaks down at three or four. People create a subfolder for a sensitive project inside a broadly accessible parent, and forget to restrict the subfolder. Suddenly the whole firm has access to something they shouldn't.
The worst version: someone restricts a parent folder after it already had broad permissions, and the subfolder inheritance gets out of sync in a way that's invisible in the UI.
The link-sharing trap
Most shared drives support "anyone with the link" sharing. It's fast and convenient and horribly dangerous. The link goes out in an email. The email gets forwarded. The forwarded email ends up in an archive. Two years later, a completely unrelated person clicks the link and accesses the file. You had no idea any of this happened.
Some firms try to police link sharing through policy. It doesn't work. If the feature exists and is the fastest way to share a file, people will use it under pressure.
The departed staff trap
When someone leaves the firm, IT typically disables their account. But disabling an account doesn't always remove them from shared drives where they were granted personal access. In some systems, the permission persists as a dangling reference, and if the account is ever re-enabled (or if their email address gets reused), access is restored.
Related: external collaborators. Every time you share a folder with a partner at another firm, that permission persists until you actively revoke it. Most firms never revoke.
The group membership trap
"All staff" is a permission group. So is "Partners." Someone creates a subfolder, grants "All staff" access, and thinks they're making it visible to employees. But "All staff" might include contractors, interns, and in some firms even external consultants on vendor accounts. "Partners" might include a junior partner who joined three months ago and shouldn't have access to the firm's financial data.
The audit approach
The fix is a quarterly access audit. Pull the list of people with access to every sensitive folder. Compare against your current staff list. Revoke everything that doesn't have a current business justification. Document the review so you have evidence if something goes wrong.
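The comparison step of that audit can be scripted. The sketch below is an added example, not code from any shared drive vendor: the CSV columns, the firm domain and the group names are assumptions, and the sample rows are constructed. It flags the link, departed staff, external collaborator, broad group and inheritance cases described above.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not a vendor format.
PERMISSIONS_CSV = """folder,principal,type,inherited
/Clients/Acme/Deal,alice@firm.example,user,no
/Clients/Acme/Deal,bob@firm.example,user,no
/Clients/Acme/Deal,pat@partnerfirm.example,user,no
/Clients/Acme/Deal,All staff,group,yes
/Finance/Payroll,anyone-with-link,link,no
/Finance/Payroll,carol@firm.example,user,no
"""
CURRENT_STAFF = {"alice@firm.example", "carol@firm.example"}  # from HR, lowercased
FIRM_DOMAIN = "firm.example"                                  # assumed firm domain
BROAD_GROUPS = {"All staff", "Partners"}                      # groups needing member review


def audit(permissions_csv, staff, firm_domain, broad_groups):
    """Return (folder, principal, finding) rows that need a justification or a revoke."""
    findings = []
    for row in csv.DictReader(io.StringIO(permissions_csv)):
        folder, principal, kind = row["folder"], row["principal"].strip(), row["type"]
        reasons = []
        if kind == "link":
            reasons.append("anyone-with-link sharing")
        elif kind == "group" and principal in broad_groups:
            reasons.append("broad group: review membership")
        elif kind == "user" and principal.lower() not in staff:
            # Not on the current staff list: separate leavers from outside parties.
            domain = principal.rsplit("@", 1)[-1].lower()
            reasons.append("departed staff" if domain == firm_domain
                           else "external collaborator")
        if row["inherited"] == "yes":
            # Access that arrived via a parent folder, not a deliberate grant.
            reasons.append("inherited from parent folder")
        findings.extend((folder, principal, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for folder, principal, finding in audit(PERMISSIONS_CSV, CURRENT_STAFF,
                                            FIRM_DOMAIN, BROAD_GROUPS):
        print(f"{folder}\t{principal}\t{finding}")
```

Saving the dated output alongside the decision made for each row gives you the documented review.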
For sensitive documents, the better fix is to stop using shared drives for them entirely and move them to a data room with per-document audit trails. Shared drives are fine for internal collaboration; they're the wrong tool for anything that would appear in a regulator's complaint.