Make your Microsoft data safe for AI.
AI reads everything a user can reach. Before you connect Copilot, ChatGPT Enterprise, Claude or any AI to your corporate data, we assess your SharePoint, OneDrive and Microsoft 365 tenant against seven gates and show you exactly what to fix, in what order.
AI does not create new access. It exposes the access you already have.
Microsoft 365 Copilot inherits the permissions of the person using it. ChatGPT Enterprise, Claude and other tools reach the same content through connectors and sync. Any of them can read a SharePoint site, a OneDrive file or a Teams message the user can already reach. Every over-shared site, stale permission and ownerless drive becomes a one-question discovery.
The risk is not the AI. It is turning it on over content that was never governed for AI-scale search. We fix the foundation first, so any AI tool surfaces only what a person is entitled to see.
SharePoint
Sites, sharing links, external access and search exposure across every workspace Copilot can index.
OneDrive
Active and orphaned drives, departed-staff content and links that stay live long after people leave.
AI tools
What Copilot, ChatGPT Enterprise, Claude or a connected tool would surface today, and the controls that keep sensitive content out of their answers.
Purview
Labels, data loss prevention and residency controls that enforce your data protection model inside AI responses.
Seven gates to safe AI.
We reframe Microsoft's own deployment guidance into seven sequential gates, so you track readiness against one model instead of five separate blueprints. Each gate is a readiness domain. We assess it against evidence from your tenant and score it independently. The gates hold whether you enable Copilot, ChatGPT Enterprise, Claude or a connector.
Tenant and identity baseline
Confirm the licensing, identity and network conditions AI needs to operate inside your risk appetite.
We check: licensing, Conditional Access, MFA coverage, guest and B2B model.
Content lifecycle and ownership
Establish that the SharePoint and OneDrive estate is current, owned and governed before AI indexes it.
We check: inactive and ownerless sites, orphaned drives, retention and disposition.
Oversharing remediation
Reduce the surface area AI can ground on by closing broad sharing and search exposure.
We check: Anyone links, default sharing, broad audiences, restricted search.
Data classification and protection
Apply sensitivity labels, encryption and data loss prevention so AI honours your protection model.
We check: label taxonomy, auto-labelling, DLP covering Copilot, encryption.
Interaction guardrails and insider risk
Make AI interactions inherit your data protections, observed for risky use and insider risk.
We check: label inheritance, DSPM for AI, communication compliance, insider risk.
Regulatory, audit and residency
Prove AI operates inside your regulatory, evidentiary and data residency commitments.
We check: audit logging, eDiscovery for prompts, retention for AI, residency.
Adoption, measurement and operations
Confirm the operating model and change capability to turn a rollout into sustained value.
We check: pilot cohort, scenario backlog, dashboards, KPIs, training, reassessment.
Every gate is rated on evidence, not opinion: not started, foundational, operational, optimised. A gate cannot rate above not started without an artefact from your environment.
Three stages of AI. Each one builds on the stage below.
This assessment covers Stage 1, Productivity AI. It is where almost every organisation starts, and the foundation the later stages depend on. Stage 2 and Stage 3 are scoped separately, once your use cases are defined.
Productivity AI (consume)
Copilot, ChatGPT Enterprise or Claude for everyday work: summarise, draft, search. AI runs inside the user's existing identity and permissions. Readiness depends on access, classification and data protection.
Connected AI (integrate)
AI joined to external tools and connectors, where data can move outside the tenant. Adds governance of third-party AI and inspection of data going to and from AI services.
Agentic AI (build)
Custom agents and workflows that act on their own and call other systems, often as non-human identities. Adds identity, lifecycle and monitoring controls for machine actors.
A decision-ready report, not a wall of red.
You get a High-Level Design that names the risk, rates it two ways, and sequences the fix. Every finding carries a risk level, a separate AI deployment impact and a recommended action. You can hand it to your IT team and start Monday.
- ✓An executive summary and seven-gate scorecard your board can read in five minutes.
- ✓Prioritised findings with a risk level and a separate Copilot deployment impact.
- ✓A phased remediation roadmap, from critical fixes to steady-state governance.
- ✓A target architecture for SharePoint, access and Copilot readiness.
Redacted sample. Client, third parties and figures altered. Deep implementation detail held back.
Assess, plan, build and hand over.
The assessment is the first step, not the whole job. It gives you the map. From there we plan the fix with you, build the controls, and hand the operating model back to your team. We reassess on a defined cadence as your estate changes.
Assess
Score the seven gates against evidence from your tenant. Deliver the High-Level Design.
Plan
Sequence the fix into phases, from critical exposure to governance foundation.
Build
Put the access, classification and Copilot controls in place, gate by gate.
Hand over
Return the operating model to your team, with a reassessment cadence to hold the line.
A clear yes, no or not yet on enabling AI, backed by evidence.
The two or three fixes that matter most, named and costed to sequence.
A view of what AI would surface today, before your users find it.
A plan your own IT team can execute, with no lock-in to us.