Microsoft 365 Governance Blog | Security & Copilot

Shadow AI Governance: You Can’t Stop AI. But You Can Control the Risk

Posted on 31 May 2026Updated on 31 May 2026by Nikki Chapple

Shadow AI governance is now a critical challenge for organisations.

Shadow AI is already inside your organisation.

Employees are using AI tools every day to summarise documents, improve emails, analyse spreadsheets, generate presentations, and draft proposals. Most are not trying to break policy. They are trying to work faster and smarter.

That is exactly what makes Shadow AI such a serious governance risk.

This is no longer a question of whether AI is being used at work. It is a question of whether your organisation has visibility into which AI tools are in use, what data is being shared, and which controls are in place to reduce risk.

The urgency is real. Microsoft’s 2026 Data Security Index report says that 32% of surveyed organisations’ data security incidents involve the use of generative AI tools, while only 47% of surveyed organisations are implementing controls focused on generative AI workloads. More than 80% of surveyed organisations are implementing or developing Data Security Posture Management strategies to improve visibility and governance.

AI adoption is accelerating.

Governance is still catching up.

This article explains the practical control model I use with organisations to understand Shadow AI risk, improve visibility, and apply effective governance at scale.

How to Govern Shadow AI with Microsoft Purview, Defender and DSPM

Posted on 31 May 2026Updated on 31 May 2026by Nikki Chapple

Most organisations are already dealing with Shadow AI, whether they realise it or not.

Employees are using ChatGPT, Claude, Gemini, AI-powered browser extensions, meeting assistants, coding tools, and countless other generative AI services to work faster.

The challenge is not stopping people from using AI.

The challenge is governing where organisational data goes.

In my previous article, Shadow AI Governance: Why You Must Control AI Data Risk In Microsoft 365 I explained why Shadow AI has become one of the fastest-growing data security challenges facing IT and security teams.

This article focuses on the next question:

How do you actually govern it?

Microsoft recently published a deployment model called Prevent Data Leak To Shadow AI, which combines Microsoft Purview, Microsoft Defender for Cloud Apps, Microsoft Entra, and Microsoft Intune into a unified approach for managing AI risk.

Microsoft’s guidance is excellent.
But in practice, I simplify it into two control layers:

Control the Apps
Control the Data

Everything else supports these two decisions.

Because successful AI governance is not about blocking AI.
It is about enabling AI safely.

You cannot stop users using AI.
But you can control what happens to your data.

How To Apply Container Sensitivity Labels at Scale in Microsoft 365

Posted on 16 May 2026Updated on 31 May 2026by Nikki Chapple

Introduction: Oversharing Does Not Start With Files

How to apply sensitivity labels at scale to existing Microsoft 365 Groups, Microsoft Teams and SharePoint sites is one of the most common follow-up questions I receive when discussing container sensitivity labels.

If your environment only contains a small number of workspaces, applying labels manually is manageable.

However, most organisations operate at scale. Hundreds or even thousands of Microsoft 365 Groups, Microsoft Teams and SharePoint sites already exist.

This is where governance becomes inconsistent and risky.

In this post, I show how to:

✅ Analyse your existing environment
✅ Identify oversharing risk
✅ Apply container sensitivity labels at scale using PowerShell

The goal is not just automation.

It is to apply consistent, risk-based governance and reduce oversharing in Microsoft 365 and Copilot environments.

This approach ensures you can apply container sensitivity labels at scale across existing Microsoft 365 environments in a consistent and controlled way.

How to Deploy Microsoft Purview DLP for Copilot and Generative AI

Posted on 16 May 2026Updated on 20 May 2026by Nikki Chapple

Organisations adopting Microsoft 365 Copilot and generative AI are facing a common challenge. Data is no longer static. It is constantly moving, reused, and now being surfaced and generated by AI.

This changes the risk profile.

The questions I hear most often are:

What are the real data security risks with AI?
Which controls actually make a difference?
How do we deploy them effectively in Microsoft Purview?

This guide builds on my ECS 2026 session and focuses on the controls that provide the greatest practical value. It cuts through the noise and shows how to use Microsoft Purview DLP for Copilot and generative AI, with a practical approach to reducing real-world data leakage risk across both internal and external AI tools.

Container Sensitivity Labels: The Purview “Hack” That Fixes Copilot Oversharing Fast

Posted on 16 May 2026Updated on 31 May 2026by Nikki Chapple

Introduction: Oversharing Starts Before a Single File Exists

Copilot oversharing is one of the most misunderstood risks in Microsoft 365. In reality, it often starts before a single file is uploaded.

It begins when Microsoft Teams, SharePoint sites, and Microsoft 365 Groups are created using generic tenant-wide defaults.

In an AI-enabled world, those overly permissive defaults become significantly more dangerous because Microsoft 365 Copilot operates within existing permissions.

Copilot does not create access.

It reveals it.

How to Configure Container Sensitivity Labels in Microsoft Purview (Step-by-Step)

Posted on 15 May 2026Updated on 16 May 2026by Nikki Chapple

Microsoft Purview container sensitivity labels allow organisations to apply consistent, risk-based collaboration and access controls across Microsoft Teams, Microsoft 365 Groups, and SharePoint sites without relying on manual decisions at the point of creation.

Instead of users or administrators deciding security settings each time a workspace is created, container sensitivity labels enforce governance automatically based on collaboration risk.

This is one of the most effective ways to reduce Microsoft 365 Copilot oversharing risk because Copilot surfaces only what users already have access to.

If access controls are overly broad, AI exposure becomes overly broad.

This guide focuses specifically on implementation:

✅ How to configure Microsoft Purview container sensitivity labels
✅ How to apply risk-based collaboration controls
✅ How to govern guest access and sharing consistently
✅ How to integrate with Microsoft Entra Conditional Access
✅ How to operationalise secure-by-default collaboration governance

Why Ex‑Employee OneDrive Data Never Dies in Microsoft 365 (and How to Fix It)

Posted on 8 February 2026Updated on 16 May 2026by Nikki Chapple

Ex-employee OneDrive retention is no longer primarily a licensing problem. Since January 2025, Microsoft has reduced one of the biggest historical causes of indefinite OneDrive retention. However, many organisations are still retaining former employees’ OneDrive data for years, sometimes indefinitely.

The reason is governance design.

This article explains how identity lifecycle, OneDrive service behaviour, and Microsoft 365 retention (via Microsoft Purview) interact today; why ex‑employee OneDrive data can still persist indefinitely; and how to design retention so every leaver’s OneDrive reaches a predictable, auditable end‑of‑life.

👉 Read the full guide to understand why ex‑employee OneDrive data can still be retained forever, and how to fix it.

Do You Really Need More SharePoint Storage? Here’s How to Optimize Instead.

Posted on 30 September 2025Updated on 16 May 2026by Nikki Chapple

Many organizations reach their SharePoint storage limits and assume the only solution is to purchase additional storage. In most cases, you can avoid extra costs by optimizing what you already have. This article explains how to reduce storage consumption by managing file version history, governing site lifecycle, and leveraging Microsoft 365 Archive for inactive content. Keeping your environment lean not only saves money but also improves Microsoft 365 Copilot quality by decreasing ROT (redundant, obsolete, trivial) data that clutters search and AI responses. By applying these measures, you can control costs, enhance compliance, and improve user experience without unnecessary spending.

Why Microsoft 365 Copilot Data Readiness Matters

Posted on 11 September 2025Updated on 16 May 2026by Nikki Chapple

Microsoft 365 Copilot Data Readiness is essential for secure and effective AI adoption. Copilot is transforming the way we work by boosting productivity, creativity, and efficiency across Microsoft 365. But here is the challenge: Copilot surfaces what users already have access to. If your data governance is not in order, sensitive information could be exposed.

So, the big question is:
Is your data ready for Microsoft 365 Copilot?

I recently joined Mark Thompson from The Inform Team for a webinar on this topic. We explored how Copilot interacts with your Microsoft 365 environment, the risks of oversharing, and how to build a secure, governed foundation for responsible AI adoption.

🎥 Watch the full webinar: YouTube Recording

Mastering Records Management in Microsoft Purview: A Practical Guide for AI-Ready Governance

Posted on 9 September 2025Updated on 16 May 2026by Nikki Chapple

Microsoft Purview Records Management has become a critical priority for organizations adopting AI tools like Microsoft 365 Copilot. Because Copilot surfaces everything a user can access, including redundant, obsolete, and trivial (ROT) data, weak governance now directly translates into productivity loss, compliance risks, and potential legal exposure.

In a recent episode of All Things M365 Compliance, I joined Ryan John Murphy and Susan Lamb, Principal Data Governance SME at Infotechtion and former global records management lead at Shell, to explore how Microsoft Purview has evolved and what practical steps organizations must take to clean up their data estate.