There’s a pattern we see in many new prospects or customers interested in rolling out AI. They’ve bought the licences. They’ve seen the demos. They’re ready to roll out Copilot or connect ChatGPT to their SharePoint. And then we ask a question that slows everything down: “What’s your data governance like?”
Generative AI tools like Microsoft 365 Copilot don’t create intelligence out of thin air. They work by reading your organisation’s data: your emails, your documents, your SharePoint sites, your Teams conversations. If that data is well-organised, properly labelled, and sensibly permissioned, AI becomes genuinely powerful. If it’s a mess, AI just makes the mess faster and more visible.
Without data governance, AI amplifies risk.
With proper data governance, AI amplifies opportunity.
We’ve seen Copilot surface confidential documents to people who had no idea they had access. We’ve seen it pull outdated policies from SharePoint libraries that should have been archived years ago. We’ve seen it generate confident-sounding summaries from files that were wrong. None of that is AI’s fault. It’s a data governance problem.
Here are five things worth getting right.
1. Clean up your SharePoint permissions
This is the big one, and it’s where most organisations have the most technical debt. Over the years, SharePoint permissions accumulate like that drawer in your kitchen where you throw all your junk. Someone needed access to a site for a project three years ago and still has it. A team site was set up with “everyone except external users” as the default, and nobody ever tightened it. Files get shared with broad groups because it was easier than figuring out the right permission level.
None of this matters much when humans are browsing SharePoint manually, because people tend to stay in their lane. It’s not ideal, but it exists.
But AI doesn’t have lanes. Copilot will search across every SharePoint site and document library that a user has access to. If your permissions are too broad, the AI will happily surface things people were never meant to see.
What to do: Run a SharePoint access review. Identify sites and libraries with overly broad permissions (particularly “Everyone” or “Everyone except external users” groups). Tighten sharing defaults to “specific people” rather than “anyone with the link.”
2. Archive or delete what you don’t need
Most organisations are sitting on years of outdated content: old project files, superseded policies, draft documents that were never finalised, duplicate copies scattered across personal OneDrives and team sites. This isn’t just a storage problem. It’s an AI quality problem.
When Copilot generates a summary or answers a question, it draws from everything it can access. If your SharePoint contains three versions of the same policy document from 2019, 2022, and 2025, there’s no guarantee AI will pick the right one. It might blend all three. It might confidently cite the outdated version.
What to do: Implement a retention policy. Microsoft 365 has built-in retention labels and policies that can automatically archive or delete content after a set period. Start with the obvious: project sites for completed projects should be archived. Documents older than your retention schedule should be reviewed. If nobody has opened a file in three years, it probably doesn’t need to be in the AI’s search scope.
3. Label your sensitive data
Sensitivity labels in Microsoft 365 tell AI (and your users) what’s confidential and what isn’t. Without them, Copilot treats every document the same. A board paper gets the same handling as a team lunch menu.
This matters because AI tools can pull content from sensitive documents into less-sensitive contexts. Someone asks Copilot to summarise their recent emails, and suddenly a snippet from a confidential restructuring plan appears in a summary that gets pasted into a Teams chat. The information wasn’t “leaked” in the traditional sense, but it moved somewhere it shouldn’t have.
What to do: Set up Microsoft Purview sensitivity labels if you haven’t already. Start simple: Confidential, Internal, and Public is enough for most organisations. Apply them to your most sensitive content first (finance, HR, legal, board materials) and then expand. Make sure the EXTRACT usage right is enabled on your labels, otherwise Copilot won’t be able to access encrypted content at all, which creates its own problems.
4. Get your naming and structure right
This sounds basic, but it makes a real difference to AI quality. If your SharePoint is a maze of sites called things like “Team Site 1,” “New Project,” and “Misc Documents,” the AI has very little context to work with. It doesn’t know which site belongs to which team, what a document is about from its filename, or where to look first.
Good information architecture helps AI give better answers because it has more context to draw on. A document called “Q1-2026-Revenue-Forecast-Final.xlsx” in a site called “Finance – Reporting” is far more useful to AI than “Copy of Sheet1 (2).xlsx” in “John’s Files.”
What to do: Agree on naming conventions for sites, libraries, and key document types. Use metadata (columns in SharePoint) rather than folder structures where possible, as AI works better with tagged content than deeply nested folders. Review your site structure and consolidate where you can. This doesn’t need to be a massive project; even tidying the top 10 most-used sites makes a noticeable difference.
5. Decide who owns what
Data governance ultimately comes down to ownership. Someone needs to be responsible for each SharePoint site, each data source, each set of permissions. Without clear ownership, nobody archives old content, nobody reviews access, nobody updates labels, and the whole thing quietly degrades.
This is the step most organisations skip because it feels like bureaucracy. But without it, the other four steps don’t stick. You clean up permissions today, and six months from now they’ve drifted back to where they were.
What to do: Assign a site owner to every SharePoint site in your tenant. Make it part of their role, not an afterthought. Set up a quarterly access review cycle where owners confirm that permissions are still appropriate. Use Microsoft 365 groups to manage access rather than individual user permissions, as they’re much easier to maintain. And if you don’t have the internal capacity to manage this on an ongoing basis, that’s exactly the kind of thing an MSP can take off your plate.
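One way to turn the checks from steps 1, 2, 3 and 5 into a repeatable review, as an added example rather than the author's own tooling: it assumes item-level permissions have been exported to CSV, and the column names, sample rows and finding codes are constructed for illustration, not a Microsoft export format.

```python
import csv
import io
from datetime import date

# Constructed sample; column names are assumptions, not a Microsoft export format.
SAMPLE_EXPORT = """\
site,owner,item,granted_to,link_scope,label,last_opened
Finance - Reporting,a.reid,Q1-2026-Revenue-Forecast-Final.xlsx,Finance Team,specific,Confidential,2026-01-12
Finance - Reporting,a.reid,Board-Paper.docx,Everyone except external users,organization,Confidential,2025-11-03
Team Site 1,,Copy of Sheet1 (2).xlsx,Everyone,anyone,,2019-06-30
Team Site 1,,Project-Plan.docx,Project Alpha Members,specific,Internal,2021-02-14
HR - Policies,m.grant,Leave-Policy-2025.docx,HR Team,specific,Internal,2025-09-01
"""

BROAD_GROUPS = {"everyone", "everyone except external users"}
STALE_AFTER_DAYS = 3 * 365  # "nobody has opened a file in three years"


def review(export_text, today):
    """Map each site to the sorted finding codes raised by its rows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        site = findings.setdefault(row["site"], set())
        broad = row["granted_to"].strip().lower() in BROAD_GROUPS
        label = row["label"].strip()
        if broad:
            site.add("broad-group")            # step 1: overly broad permissions
        if row["link_scope"].strip().lower() == "anyone":
            site.add("anyone-link")            # step 1: sharing default too open
        if (today - date.fromisoformat(row["last_opened"])).days > STALE_AFTER_DAYS:
            site.add("stale")                  # step 2: archive or delete candidate
        if not label:
            site.add("unlabelled")             # step 3: no sensitivity label
        elif broad and label == "Confidential":
            site.add("confidential-exposed")   # steps 1+3: labelled but wide open
        if not row["owner"].strip():
            site.add("no-owner")               # step 5: nobody accountable
    return {name: sorted(codes) for name, codes in findings.items()}


def worklist(findings):
    """Sites that need attention, most findings first, then by name."""
    flagged = [name for name, codes in findings.items() if codes]
    return sorted(flagged, key=lambda name: (-len(findings[name]), name))


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT, date(2026, 3, 1))
    for name in worklist(result):
        print(f"{name}: {', '.join(result[name])}")
```

The "confidential-exposed" code is the combination to fix first: a sensitivity label on its own does not narrow who Copilot can surface the file to if the grant is still tenant-wide.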
The bottom line
AI readiness isn’t about buying the right licence. It’s about making sure the data AI will work with is accurate, well-organised, properly classified, and appropriately secured. Get these five things right, and your AI tools will be dramatically more useful from day one. Skip them, and you’re essentially giving a very fast, very confident assistant access to a filing system that nobody has tidied since 2018.
If you’re planning an AI rollout, or you’ve already started one and the results aren’t what you expected, your data governance is almost certainly the reason. We help businesses across Moray, the Highlands, and the Isle of Man get their Microsoft 365 environments in shape before, during, and after AI deployment.




