Disciplines · 11 · Governance
Purview doesn't write your rules. But it will enforce the ones you do.
Governance is the work of deciding what counts as confidential, who can read it, how long it stays, and what happens when any of those rules get broken. Purview is the mechanism that turns those decisions into enforcement — labels, DLP, and retention working as one program instead of three disconnected features. Most SMBs already own the tool. Almost none of them use it the way it was built to be used. That is the gap we close.
Governance is decisions. Purview is the enforcement.
Data governance is two different things that get confused for each other. One is the work of deciding, in language the business speaks — what we treat as confidential, how long we keep it, who is allowed to see it, and what happens when any of those rules get broken. That work belongs to the people who understand the business's risk appetite, its regulatory exposure, and its client commitments. It doesn't happen in a portal.
The second thing is enforcement — the control plane that makes the decisions real across email, files, Teams, and everywhere else data moves. For organizations in the Microsoft estate, that control plane is Purview. It is almost certainly already in the license. The value isn't in buying it. The value is in configuring it to reflect what the business actually decided.
The two get confused because IT usually gets handed the portal without being handed the decisions. So the defaults get turned on, the policy list looks busy, and the business still can't answer the question a client or a regulator is about to ask. The first conversation we have about governance almost never starts with Purview. It starts with a question the business already half-knew it couldn't answer.
Most SMBs own Purview. Almost none of them use it.
What we most often walk into is a tenant on an E3 or E5 plan, Purview partially switched on by whoever ran the migration, a handful of default sensitivity labels nobody has applied, and a leadership team that assumes the work is done because the tool is there. It isn't. Licensing Purview takes five minutes. Configuring a default label taxonomy takes an afternoon. The work that produces actual governance sits upstream of all of that — in the business deciding what it wants the rules to be, in language those rules can be expressed and enforced in.
The reflex to break is treating Purview as a product you install. It isn't a product in that sense. It's the mechanism that turns a set of business decisions into enforced policy, evidence someone outside the company can read, and a program that survives a question from a regulator, an auditor, or an acquirer. Without the decisions, none of those outcomes arrive. The license just accumulates audit logs nobody reviews.
Every useful governance engagement we've run has started with the same move — pulling the decision work out of the portal and putting it back where it belongs, which is with the people who have the authority to make the calls and the standing to defend them later.
The license is the easy part. The decisions the license is supposed to enforce are the whole program. The stance on governance
Purview is the easy part. Policy in English is the hard part.
Microsoft Purview is a capable, well-documented toolset. A competent administrator can stand up sensitivity labels, retention policies, and data loss prevention rules in a few weeks. The portal isn't the bottleneck. The bottleneck is upstream of the portal — in the work of deciding, in plain English, what your organization considers confidential, how long you're willing to keep things, who is allowed to see what, and what happens when any of those rules get broken.
That decision work isn't a technology problem. It's a leadership problem. It belongs to the people who understand the business's risk tolerance, its regulatory exposure, its client commitments, and its appetite for trade-offs between speed and control. The audience for a governance conversation is the C-suite, whoever owns legal or risk, and the executive who'll sign the next client security questionnaire — not the IT admin who will eventually implement the decisions.
That's also why we start every engagement with a questionnaire rather than a workshop. Twenty minutes of structured questions, completed by the business before we meet, gives us both the shape of the gaps and a clean agenda for the working session that follows. Without the questionnaire, we end up in a room waiting for someone to email the compliance officer and ask whether DLP is turned on. With it, we spend the session on the hard part — turning business intent into policy language that holds up under questioning.
Three Purview workloads that carry the program. They only work together.
Purview has a wide surface. The pieces that do the real governance work for the organizations we help are three — sensitivity labels, data loss prevention, and retention. Each does a different job. They get deployed as one program because each one without the others is incomplete. A label without a DLP policy that acts on it is decoration. A retention rule without a label to target is a blunt instrument. A DLP policy without a classification taxonomy is guesswork dressed up as control.
Sensitivity labels.
Labels are the classification scheme that tells the other two controls what to do. Confidential vs. General. Internal vs. Client-facing. The categories only work when they mean something specific in the business's own language — when every person in sales, finance, and ops understands what the label covers and what the consequence is of applying it. A taxonomy copied from a Microsoft template helps no one. A taxonomy the business wrote lives in every subsequent decision the program makes.
Data loss prevention.
DLP is the wall between sensitive content and the wrong destination. It sees payment card numbers pasted into a Teams chat, client financials attached to a personal email, a labelled contract heading to an external address — and it does what the business asked. Block, warn, audit, notify. The hard part isn't writing the ruleset. It's deciding what the rules are. DLP without a policy authored by the business enforces Microsoft's default idea of sensitivity, not yours.
Retention and lifecycle.
Retention answers the question nobody wants to answer. How long do we keep this, and what happens when the time is up? Most SMBs keep everything forever because deleting feels risky and nobody has the standing to say when something expires. That isn't governance, it's accumulation. A retention program gives every category of content a defensible lifecycle — kept as long as the business or the regulator needs it, released cleanly when that time arrives, provable either way.
The three work because they share a taxonomy and a policy frame. The taxonomy is what the business decides. The frame is what the engagement produces. Neither is something Purview writes for you — and neither is something the portal can compensate for when it's missing.
Governance isn't the work you do for the audit. It's the work that turns the audit into a non-event. On operating under scrutiny
A short arc, in an order that works.
A governance engagement is deliberately compact. Programs that run for a year without producing an enforced policy usually produce neither. The point of the work is to get the posture right quickly, then let the business operate — not to keep ourselves in the room.
The arc is four steps. They happen in order for a reason.
One — the questionnaire. Short, async, completed by the business before we meet. Twenty minutes of structured questions that surface where data actually lives, who has access, what's labelled, what's retained, and which of the existing controls are claimed versus actually enforced. The current state is a fact the business already has. The questionnaire pulls it into a form we can work with.
Two — the working session. Half day or full day, with the people who have the authority to make the calls. We open with a tabletop — three or four realistic scenarios that make the risk visible in the room instead of hypothetical in a briefing. A client asks for their records back. An auditor wants proof of a retention policy. A laptop goes missing. From there we move to the decision work itself — translating business intent into language for labels, DLP, retention, and access.
Three — the remediation and rollout plan. Based on the gaps the questionnaire and tabletop surfaced, a sequenced plan for configuring Purview and rolling out the policies. Quick wins up front. Sensitive workloads sequenced behind so the rollout doesn't itself cause an incident. Realistic dates, not aspirational ones.
Four — deployment and the rhythm. The policies get configured, the labels get applied where they matter, DLP moves from audit mode to enforcement when the business is ready, retention starts running. And a rhythm gets set — a quarterly review that checks what's drifted, what's been triggered, what needs to change. Governance that isn't revisited is governance that will be obsolete by the next audit cycle. This is where we usually stay on as the fractional voice the business doesn't want to hire full-time.
Six ways a governance program hollows out.
The governance programs that fail aren't the ones that never started. They're the ones that launched with the right intent and quietly decayed. These are the six failure modes we look for before we sign off on a program — whether we built it or someone else did.
The quiet failure modes that hollow out a governance program
-
01
SharePoint sites shared with "Everyone"
The most common oversharing pattern is also the most invisible — a site somebody set to "Everyone except external users" during a rushed migration two years ago, now quietly surfacing HR content to the whole company. Nobody remembers doing it. DLP doesn't catch it. The next time Copilot or an auditor looks, it will.
-
02
Sensitivity labels that exist in name only
Many tenants have labels configured but never applied. Labels only constrain anything if the content carries them. A "Confidential" label on one file does nothing for the ten thousand unlabelled files sitting in shared drives alongside it. Auto-labelling, mandatory labelling, and a taxonomy the business understands are what close that gap.
-
03
Draft and superseded content living indefinitely
Old proposals. Pricing from eighteen months ago. Contracts superseded by the version nobody linked back to. Without a retention rule, the stale material stays searchable — and the next auditor, Copilot query, or legal hold treats yesterday's draft as today's record.
-
04
Departed-employee content still accessible
Offboarding is where programs most often leak. An account gets disabled, a mailbox gets converted to shared, OneDrive lingers past the default window, old sharing links still resolve. Months later, content from someone who left in the spring is still being opened by people who never should have had it.
-
05
Policies written but never socialized
A policy the sales team has never heard of isn't a policy, it's a compliance artifact. If the people who touch sensitive content every day can't explain what Confidential means in their own words, the label won't get applied and the control it was meant to trigger won't fire. A short annual session, tailored to the roles that actually handle the data, is what keeps the program from being decorative.
-
06
Nobody has ever walked through a real incident
A subject access request lands in the inbox. A ransomware strain encrypts a file share. A client asks which of their records you hold and where. If the first time anyone has walked through those scenarios is during the live event, the response will be chaotic. One tabletop a year, a quarter before the need, is how a program learns what it's actually capable of.
The configuration is visible. Being answerable is the point.
A governance engagement produces tangible things. A sensitivity label taxonomy written in the business's own language. DLP rules that reflect real risk tolerance instead of Microsoft's defaults. Retention policies the legal contact has actually signed off on. A rollout plan with owners and dates. A tabletop exercise the leadership team has been through, in a room, with the right people watching.
Those things matter. But the outcome the business actually hired us for is less visible. It's the shift in what you can answer, and how quickly. Before the engagement, every data question stalls on the same sentence — "we should probably figure out the governance first." After, it's figured out. A client security questionnaire gets answered in hours instead of a week of fire-drilling. A regulator asking about retention receives a policy, not a scramble. An incident becomes a process with owners, not a conference bridge at midnight.
That is the whole deliverable. The capacity to answer a hard question on a Tuesday afternoon, without turning Wednesday into a bad week. A program that holds up under questioning from outside the company, because everything underneath it was built to be answerable in the first place.
Connected to
Posture & incident response
Security enforces what governance defines. DLP, conditional access, and incident response are two halves of one program.
Microsoft 365 as a workplace
The workplace is where most governable data lives. Labels, DLP, and retention ride on top of it.
AI readiness & Copilot
AI readiness is governance by another name. Copilot reads whatever your labels and permissions let it see.
Three-year direction
A governance program is a strategic commitment, not an audit chore. The roadmap is where the commitment gets made.
Book a call
Audit letter in the inbox?
Or a client demanding SOC 2, a privacy regulator asking questions, a CFO who wants to know why you can't tell them where the customer data lives — or an AI rollout that stopped the moment someone said "wait, who can that read?" Whichever forcing function brought you here, the path forward runs through the same work. Purview configured for the business you actually are, not the one Microsoft assumes you are.
Or reach us directly: info@fouronesixit.ca · (647) 371-0400