
At Workplace Ninjas Norway on 27 May 2026, I delivered two sessions focused on AI governance and data security in Microsoft 365, exploring one of the biggest challenges organisations are facing today: how to govern AI safely while protecting sensitive data.
This event brought together Microsoft 365 and security professionals to share practical, real-world guidance, and my sessions focused on two connected themes. The first was how to reduce the risk of data leaking to unsanctioned generative AI apps. The second was how to evaluate AI risk using Microsoft’s Security Dashboard for AI.
Session 1: Preventing Data Leaks to Shadow AI
My first session, Preventing Data Leaks to Shadow AI: Managing Generative AI Apps in Your Organisation, focused on the reality that AI is already being used across many organisations, often without formal approval, governance, or visibility.
The key challenge is not simply that AI tools exist. The challenge is understanding where organisational data is going, which tools are being used, and whether the organisation has the right controls in place.
In this session, I explored a practical model for governing Shadow AI using Microsoft technologies such as Microsoft Defender for Cloud Apps, Microsoft Entra, Microsoft Intune, and Microsoft Purview. I explained how organisations can:
- discover which generative AI applications are in use
- assess which apps create the greatest risk
- decide which tools should be sanctioned, restricted, or blocked
- apply controls to reduce the likelihood of data leakage
A key message throughout the session was that organisations are unlikely to stop users from trying AI tools. Instead, the goal should be to create a governance model that gives visibility, applies controls consistently, and protects sensitive data.
Session 2: Evaluating AI Risk with Microsoft’s Security Dashboard for AI
My second session, Evaluating AI Risk with Microsoft’s Security Dashboard for AI, focused on how organisations can make better decisions about AI risk.
One of the points I wanted to emphasise is that AI risk cannot be assessed by a single score or signal alone. Effective governance requires both observable signals and business context.
In the session, I explained an approach that combines:
- usage: who is using the tool, how often, and how widespread adoption is
- data exposure: whether sensitive information may be involved
- use case: what business problem the AI tool is solving
- vendor risk profile: the provider’s security, compliance, and data handling posture
This is important because not every AI application carries the same level of risk. Some tools may be widely used but lower risk, while others may present significant exposure depending on what data is being shared and how the provider handles it.
The Microsoft Security Dashboard for AI helps organisations move from simple visibility to more structured evaluation. That makes it a valuable starting point for governance discussions, especially when combined with wider Microsoft 365 security and compliance capabilities.
The Practical Model Behind Both Sessions
Across both sessions, I kept coming back to a simple governance principle:
- Control the apps → decide where data can go
- Control the data → decide what data can leave
This is the model I use when helping organisations think about Shadow AI governance in Microsoft 365. App governance and data protection are different control layers, and both are needed. If an organisation only focuses on one, the risk remains.
That is why AI governance was such a useful theme for these sessions at Workplace Ninjas Norway. It created space to talk not just about the technology, but about how organisations can apply a practical and scalable operating model.
Explore More
I cover these topics in more detail in my related blog posts:
- Shadow AI Governance: Why You Must Control AI Data Risk In Microsoft 365
- How To Govern Shadow AI Using Microsoft Purview, Defender And DSPM
If you are working through how to govern AI, reduce data exposure, and protect sensitive information in Microsoft 365, these posts expand on the key ideas from my Workplace Ninjas Norway sessions.
Need help governing AI and protecting your data in Microsoft 365?
If you’re working through these challenges in your organisation, I can help.
Nikki Chapple is a dual Microsoft MVP in Microsoft 365 and Security and a Principal Cloud Architect at CloudWay. She helps organisations secure data, govern AI, and prepare Microsoft 365 environments for Copilot using Microsoft Purview, data security, compliance, and information governance solutions.
Nikki specialises in helping enterprises reduce data exposure, prevent data loss, and manage AI risk across Microsoft 365.
She is co-host of All Things M365 Compliance with Ryan Murphy, sharing practical insights on Microsoft 365 security, compliance, AI governance, and data protection.
