Skip to content
Hidden In NumbersHidden In NumbersAI-Powered Document Intelligence
All posts
compliance

Scope Overreach: How 'All,' 'Any,' and 'Every' Create Unintended Obligations

Ibrahim ArbiJuly 9, 2026 8 min read

The words "all," "any," "every," and "none" are among the most powerful in legal and policy writing. They are also among the most dangerous, because they are frequently written with a narrower intention than they express.

What is scope overreach?

Scope overreach occurs when the stated scope of an obligation, restriction, or claim is broader than the drafter intended — or broader than can reasonably be fulfilled. The most common markers are absolute quantifiers:

  • "All data will be encrypted at all times"
  • "Any employee may request a review"
  • "Every incident must be reported within 24 hours"
  • "The vendor will provide support for all versions of the software"
  • "None of the limitations in this agreement apply to indemnity claims"

Each of these may accurately represent a genuine obligation. Or each may be an absolute statement that was written for rhetorical effect and that exceeds what was actually intended or is operationally achievable.

The legal significance of absolute language

Courts interpret absolute language literally. "All data" means all data — not all sensitive data, not all data in the primary system, not all data above a certain size. If the contract says "all data," the obligation is as broad as the English language permits.

This creates two classes of problem. First, parties may be in breach of obligations they never intended to assume. An organisation that commits to encrypting "all data at all times" and later experiences an audit finding that data in a legacy archive was not encrypted has breached the contract — regardless of whether anyone ever expected that archive to be covered.

Second, absolute obligations can be used strategically against the party that drafted them. A counterparty looking to exit a contract will search for technical breaches of absolute obligations. Broad language creates more opportunities.

Operational consequences of scope overreach in policies

Internal policies suffer from scope overreach in a different way. A policy that says "all incidents must be reported within 24 hours" creates a compliance obligation that may be impossible to meet in practice. If incidents are discovered over weekends, if the reporting system is unavailable, or if the definition of "incident" is broader than anyone anticipated, the policy creates a permanent state of non-compliance.

This is not a theoretical risk. Regulatory enforcement actions have been triggered by organisations whose own policies stated a standard they could not demonstrate having met.

Identifying scope overreach

Automated detection flags absolute quantifiers — all, any, every, none, always, never, at all times, without exception — in the context of obligations and restrictions. Each instance is a candidate for review.

The review question is: does this absolute language represent the actual intended obligation, and is that obligation achievable?

How to rewrite overreaching scope

The goal is to match the stated scope to the actual obligation. This usually involves one of three moves:

**Adding specificity.** "All data" → "all data classified as Confidential or Restricted under the organisation's data classification policy." The obligation is the same in practice but clearly bounded.

**Adding conditions.** "All incidents must be reported within 24 hours" → "All confirmed incidents must be reported within 24 business hours of confirmation." The 24-hour clock starts at a defined point and excludes non-business hours.

**Limiting the absolute.** "The vendor will provide support for all versions of the software" → "The vendor will provide support for the two most recent major versions of the software." The obligation is real but finite.

Each rewrite requires a decision about what the obligation actually is. That decision — made explicitly during drafting — is far less costly than making it during a dispute.

A note on intentional absolutes

Not all absolute language is an error. Some obligations genuinely are absolute. "The vendor will not share confidential information with any third party" may be exactly right. The test is not whether absolute language exists, but whether each instance was chosen deliberately and accurately reflects the intended obligation.

A systematic review ensures that every absolute is intentional, every broad obligation is achievable, and every quantifier matches the actual scope of what was meant.

Try it on your own document

Scan a Document
Hidden Signal Engine™ Online

Discover What Your Documents Are Hiding

AI-powered document intelligence that uncovers contradictions, anomalies, missing references, and hidden patterns — in seconds.