Hi @Cochran, Joel ,
We could not prevent internal sharing based on different departmental groups.
Per my research, we do have some methods to limit sharing in Microsoft 365, however, this does not apply to your situation.
Take conditional access as an example, organizations can select a group that contains all members of the HR department when an HR app is selected as the cloud app in conditional access, then block or grant access to them, even though you share with them, they will be blocked via this policy.
And this is based on different cloud apps, in your case, we only need one cloud app: SharePoint.
Therefore this is not for you, in short, it is necessary to check file permissions and remove unwanted groups manually.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.