Implement Data Access Governance by starting with getting good visibility of data access: who has access to any information, who gave it to them, when and why they got it, should they still have access, and what else can they access.
From a list of who can access a file, you must be sure that everyone should actually have access. Who is the one person who shouldn’t be there, and how are you going to spot them?
There are thousands or millions of files, and many are sensitive. So, you need visibility of access across everything, and a way to actually consider all that access once you can see it.