Stop sharing files with users in organization who dont have access to site

Hi

We are using SharePoint online, and have setup a Site with security groups, from Active Directory, to allow only those access to the site.

This works fine.

Following an audit, we wanted to test 2 scenarios:

  1. Could a user share a document externally (e.g. [email protected])
    Pass - no issues.

  2. Could a user share a document internally to someone who does not have access to the site. (accident/error/malice etc)
    This Failed.

It appears that if "Mary Smith" does not exist in the Security Group, she can still be given access to view that document but not access to the view the Full Site.

Is there a way to stop this so that only users who have access to the site, can be shared documents with only those users?