After reading that disabling an account is not governance, many partners reach a familiar conclusion:
“Fine—but our real risk is legacy file shares.”
That conclusion is understandable.
It is also incomplete.
File shares are not inherently unsafe.
They are governance-neutral.
And neutrality, in regulated environments, is where risk quietly accumulates.
The File Share Misdiagnosis
File shares are often blamed for:
Overexposure
Inconsistent access
Poor audit outcomes
Confidentiality concerns
As a result, many firms assume:
“If we move to the cloud, this problem goes away”
“If we modernize the platform, access improves”
“If we adopt newer tools, governance follows”
But the issue is not where the files live.
The issue is how access decisions are made—and whether they are ever revisited.
How Access Actually Gets Granted
In most firms, file share access follows a predictable pattern:
A new hire joins
They are added to a department or role group
That group has access to broad folders
Subfolders represent matters, clients, or case types
Access is inherited automatically
This model optimizes for speed and convenience.
It does not optimize for confidentiality boundaries.
Over time:
People accumulate access
Matters close but permissions persist
Temporary access becomes permanent
No one remembers why access exists
Nothing breaks.
Nothing alerts.
Nothing forces reconsideration.
This is how drift begins.
Example:
An attorney leaves the employment practice group to join litigation. Her file share access remains unchanged—she can still see active employment cases she is no longer working on. A year later, one of those cases involves her new client’s competitor. The conflict is never flagged because access was never tied to the matter lifecycle. The exposure existed silently.
Drift Is Not Negligence
It is important to be clear:
Most access drift is not caused by carelessness or bad intent.
It is caused by:
Reasonable operational decisions
Time pressure
Staff turnover
Lack of ownership
Absence of lifecycle triggers
No one explicitly decides:
“This person should still see this case five years later.”
It simply never gets undone.
Why File Shares Make Drift Easy
File shares are built around structure, not context.
They understand:
Folders
Paths
Permissions
Groups
They do not understand:
Matters
Ethical walls
Case closure
Client sensitivity
Professional obligation
As a result:
Access decisions are decoupled from legal reality
The system cannot enforce intent
Everything depends on memory and process
And memory is not a control.
The Quiet Risk This Creates
The risk is not that “everyone can see everything.”
The risk is subtler—and more dangerous:
People can see things they should not need
Exposure exists without awareness
Violations occur without intent
Proof becomes impossible later
When challenged, firms discover they cannot confidently answer:
Who had access to this matter?
Why did they have it?
When should it have ended?
Was it reviewed?
The firm may believe it is compliant—until asked to prove it.
Why This Rarely Surfaces Internally
Access drift is invisible because:
There is no immediate harm
No alerts fire
No systems complain
No one complains
Clients assume confidentiality.
Partners assume controls.
Staff assume access is appropriate.
Until one of three events occurs:
An audit
A dispute
A transaction or investigation
Only then does the question arise:
“Who could see this?”
And only then does the gap become obvious.
Why “We’ll Clean It Up Later” Doesn’t Work
Some firms acknowledge drift and plan to address it periodically.
In practice, this fails because:
There is no authoritative baseline
Reviewing permissions is manual and disruptive
No one owns the decision
Business operations resist friction
Without governance, cleanup becomes:
Expensive
Incomplete
Short-lived
The system returns to drift as soon as attention shifts elsewhere.
The Real Issue Is Not File Shares
This is the critical reframing:
File shares do not fail firms.
Governance absence does.
If you move files to:
A newer server
A different platform
A cloud drive
A SaaS tool
Without changing how access is governed, the same drift reappears—often faster.
Modern tools amplify both good governance and bad discipline.
What Governance Would Change (Conceptually)
Governance introduces three missing elements:
Intent
Access is granted for a reason, not by inheritance.
Scope
Access aligns to matters, not departments.
Lifecycle
Access ends when the work ends—not when someone remembers.
File shares cannot enforce these on their own.
Neither can cloud platforms—without governance layered on top.
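To make the three elements concrete, here is an added example (not from the original article or from BeCloud) of access records that carry a reason, a matter, and a review date, with a check that flags grants that have drifted. The record fields, user names, matter IDs, and the 365-day review interval are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Matter:
    matter_id: str
    team: frozenset                      # people currently staffed on the matter
    closed_on: Optional[date] = None     # None while the matter is open

@dataclass(frozen=True)
class Grant:
    user: str
    matter_id: str
    reason: str                          # intent; "" means inherited, reason unknown
    last_reviewed: Optional[date] = None

def drift_findings(grants, matters, today, review_days=365):
    """Return (user, matter_id, issue) for every grant that fails a check."""
    findings = []
    for g in grants:
        m = matters[g.matter_id]
        if not g.reason.strip():
            findings.append((g.user, g.matter_id, "intent: no recorded reason"))
        if g.user not in m.team:
            findings.append((g.user, g.matter_id, "scope: not on matter team"))
        if m.closed_on is not None and m.closed_on <= today:
            findings.append((g.user, g.matter_id, "lifecycle: matter closed"))
        if g.last_reviewed is None or (today - g.last_reviewed).days > review_days:
            findings.append((g.user, g.matter_id, "review: overdue or never done"))
    return findings

# Constructed sample data: a.reyes moved from employment to litigation,
# but her inherited access to an employment matter was never removed.
MATTERS = {
    "EMP-0142": Matter("EMP-0142", frozenset({"b.ortiz"})),
    "LIT-0310": Matter("LIT-0310", frozenset({"a.reyes", "c.lund"})),
    "EMP-0007": Matter("EMP-0007", frozenset({"b.ortiz"}), closed_on=date(2020, 3, 1)),
}
GRANTS = [
    Grant("a.reyes", "EMP-0142", "", None),
    Grant("a.reyes", "LIT-0310", "staffed as associate", date(2025, 1, 10)),
    Grant("b.ortiz", "EMP-0142", "lead attorney", date(2025, 1, 10)),
    Grant("b.ortiz", "EMP-0007", "lead attorney", date(2019, 6, 1)),
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for user, matter, issue in drift_findings(GRANTS, MATTERS, TODAY):
        print(f"{user:8} {matter:9} {issue}")
```

The same records answer the four questions a firm is asked under challenge: who had access, why, when it should have ended, and whether it was reviewed.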
Why This Matters to Partners
Partners often assume file access is an IT issue—administrative housekeeping delegated to others.
In reality, access control decisions:
Define ethical exposure
Shape client trust
Influence liability
Affect valuation
Determine audit outcomes
They are governance decisions—whether the firm treats them that way or not.
The Takeaway
File shares are not outdated villains.
They are mirrors.
They reflect:
How deliberately a firm manages access
Whether confidentiality is enforced or assumed
Whether governance exists beyond policy documents
If access is drifting today, it is not because of the file share.
It is because no system exists to stop it.
Where This Leads Next
In the next article, we will examine why:
Cloud platforms
Legal SaaS tools
Identity-based access systems
Do not automatically solve this problem—and can sometimes make it worse without governance.
For now, the conclusion is simple:
Changing platforms does not change outcomes unless governance changes with it.
About the Author
James Phipps is CEO of BeCloud, an advisory firm specializing in governance frameworks for compliance-intensive organizations. BeCloud works with legal services organizations, healthcare providers, and professional services firms to design infrastructure where security and compliance are embedded by design rather than retrofitted after deployment.