Copilot’s Biggest Risk Isn’t Security: It’s Your Information

23 September 2025

In today’s modern workplace, Microsoft Copilot is gaining popularity as a new personal assistant—a must-have service for staff to boost productivity and complete tasks efficiently and effectively.

The problem

Almost all organisations are excited about Copilot and are actively planning how to implement it. As they prepare for this rollout, each organisation puts measures in place to protect its information so that it can deploy Copilot and other AI tools without worrying about data leaks. I come across articles, blog posts, and videos focused on information security, particularly Data Loss Prevention and information classification. Unfortunately, they miss what really lies beneath the surface: the quality of the information itself.

Two Foundations

Copilot is essentially a window into your information, and the quality of the output it generates depends entirely on the quality of the data it can access.
Alongside information protection, organisations should prioritise two areas.

  1. Information Architecture – ensures only relevant, authorised information is visible to the right people at the right time, so Copilot surfaces what’s intended.
  2. Information Governance – content lifecycle management ensures Copilot always provides users with output based on current and accurate information.

One of my engagements involved working with one of the largest mining organisations, which has over 1000 policies, procedures, and manuals covering various mining sites, projects, vendors, vehicles, and machinery. Without clear boundaries, Copilot will blend content from every site the user has access to. The result is contradictory guidance, or a summary of the wrong policy, while the user assumes Copilot only drew on information from the site they are working at.
Poor information architecture, in this case, causes Copilot's output to be based on data from all mining sites, so it returns completely different information about the same policy or procedure depending on what it happened to blend. A well-organised information architecture with proper access permissions is therefore essential for a successful Copilot rollout.

I recently spoke with a sales executive at a large manufacturing organisation, and he shared his disappointing recent experience with Copilot. He was new to the company and needed to respond to a customer's enquiry about a product. He used Copilot to generate detailed information about the product. After reviewing and refining this output, he sent it to the client. Unfortunately, it turned out to be a discontinued product, and he had to apologise to the client for providing outdated information. This issue was due to a lack of information governance in managing the information lifecycle. As soon as data becomes irrelevant or outdated, organisations must archive it so that Copilot does not surface obsolete information.

Such experiences leave users with:

  1. A lack of trust in Copilot, as outdated information can cause poor decisions, errors, or reputational damage.
  2. Time wasted manually verifying everything Copilot generates in order to judge how much of it is actually relevant and current.

So, what does good look like?

Consider the following when deploying Copilot for your organisation:

  1. Develop an Information architecture
    • Review your content and sites and define a proper Information architecture.
    • Define and maintain proper access controls.
  2. Implement Information governance
    • Define Purview retention, disposal, and archiving with review cadences.
    • Automate your content lifecycle and remove outdated or irrelevant data.
  3. Enhance Data classification
    • Use metadata and tagging to find and rank relevant, current files.
    • Keep archived data separate from current resources.
  4. Identify ROT (redundant, obsolete, trivial) information and take the necessary actions.
    • Use AI-powered content analysis tools like Microsoft Document Processing Service, SAM, Knowledge Agent in SharePoint, or third-party tools such as AvePoint to examine content for duplicates, outdated versions, or trivial material.
    • Apply Microsoft Purview retention labels to classify and handle ROT data.
  5. Educate users
    • Educate staff on proper data storage practices and the importance of data hygiene.
    • Promote regular cleaning of personal and shared storage spaces.
  6. Next Steps
    • Include a one-page RACI for content ownership and review cycles.
    • Start with a simple maturity model – As-Is → Structured → Governed → Optimised.
    • Have a 30/60/90-day plan.

Takeaway

Let me leave you with this thought: Perimeter defences matter, but a weak foundation collapses from within.