Microsoft Purview a Unified Platform

Modern organizations no longer struggle with a lack of data  they struggle with lack of control, visibility, and trust in that data. Data now spans SaaS platforms, cloud analytics services, collaboration tools, AI systems, and on‑prem environments. At the same time, regulatory pressure, security risk, and AI‑driven data reuse continue to increase.

Microsoft Purview addresses this challenge by providing a single, integrated data governance, security, and compliance control plane across the enterprise. Rather than deploying disconnected tools for cataloguing, classification, protection, policy enforcement, investigation, and audit, Purview enables organizations to manage the entire data lifecycle consistently  from discovery and understanding, through protection and monitoring, to legal and regulatory response.

From an executive perspective, the value of Purview is not its individual features, but its ability to:

• Reduce risk through centralised visibility
• Enable scale through automation and policy‑driven controls
• Support innovation and AI adoption without losing governance
• Provide defensible evidence for regulators, auditors, and boards

Thus Purview allows organizations to move faster with data, safely and to do so using native tooling already embedded across Microsoft 365, Azure, Fabric, and the broader cloud estate. I wanted to share a current state of the tools as there have been many changes of the last couple of years.

Microsoft Purview – Data Governance Tools

The purpose is to understand, trust, and responsibly reuse data across the enterprise. Microsoft Purview’s data governance capabilities focus on metadata, not the data itself. They provide a federated governance model that enables central standards while allowing data ownership to remain close to the business. These are core tools required for AI success.

Data Map

The Data Map scans and inventories data assets across Azure, Microsoft 365, on‑premises systems, and supported multi‑cloud platforms. It captures technical metadata, classifications, and relationships without copying underlying data. From a technical standpoint, the Data Map:

• Maintains a continuously updated inventory of data assets
• Supports automated classification during scan operations
• Acts as the backbone for lineage, catalog, and insight services

Unified Catalog

The Unified Catalog is the business‑facing layer of Purview data governance. It allows users to search, understand, and request access to data using business language rather than technical system names. Key technical capabilities include:

• Metadata curation and endorsement workflows
• Business glossary alignment
• Ownership and stewardship assignment
• Data quality and health indicators

The catalog does not grant data access itself it integrates with platform security controls to ensure governance without breaking separation of duties.

Data Lineage

Purview lineage provides end‑to‑end visibility of data flows, showing how data moves from source systems through transformations to consumption layers such as analytics or AI models. Technically, this supports:

• Impact analysis for change management
• Root‑cause analysis for data quality issues
• Explainability for analytics and AI outcomes

Microsoft Purview – Data Security Tools

There purpose is to help protect sensitive data dynamically, wherever it lives or moves. Microsoft Purview data security solutions are designed around the principle that data protection must follow the data, not rely solely on perimeter security.

Information Protection

Information Protection enables classification and protection through sensitivity labels that persist with the data. From a technical perspective:

• Labels can trigger encryption, access restrictions, and visual markings
• Labels are consistently enforced across Microsoft 365 services
• Labels integrate downstream with DLP, Insider Risk, and eDiscovery

Sensitivity labels act as the policy anchor for most Purview controls.

Data Loss Prevention (DLP)

Purview DLP enforces policy‑based controls to prevent accidental or intentional leakage of sensitive data across:

• Email and collaboration tools
• Endpoints and browsers
• Cloud applications and AI experiences

DLP evaluates content, user context, and activity in real time to determine policy actions.

Insider Risk Management

This capability correlates user behaviour, activity signals, and data sensitivity to identify potential internal risks. Technically, it:

• Analyses sequences of risky actions rather than single events
• Integrates with Information Protection and DLP signals
• Supports adaptive policy enforcement

Data Security Posture Management (DSPM)

DSPM provides aggregated, AI‑driven visibility into data risk across the estate, including traditional workloads and AI applications. It enables:

• Discovery of unknown or unmanaged sensitive data
• Policy coverage gap analysis
• Prioritised remediation recommendations

Microsoft Purview – Data Compliance Tools

The purpose is to meet legal, regulatory, and internal policy obligations with defensible controls. Purview’s compliance capabilities focus on evidence, monitoring, and response, rather than prevention alone.

Compliance Manager

Compliance Manager maps regulatory requirements (e.g. GDPR, ISO, industry standards) to technical and organizational controls. From a technical view:

• Controls link to implemented Purview configurations
• Evidence can be centrally tracked and reported
• Progress scoring supports audit readiness

Audit

The unified audit log captures user and admin activities across Microsoft services, providing the foundation for investigations and compliance reporting. It supports:

• Forensic investigation
• Long‑term retention of activity records
• Correlation with security and compliance incidents

eDiscovery (Standard & Premium)

eDiscovery enables legal teams to identify, preserve, collect, and review data associated with legal or internal investigations. Technically, it integrates:

• Sensitivity labels and retention policies
• Advanced search and review workflows
• Role‑based access for legal operations

Records & Data Lifecycle Management

These tools manage data retention, deletion, and record declaration based on business, legal, and regulatory requirements. They ensure:

• Defensible retention policies
• Automated disposition
• Reduced data sprawl and risk surface

Microsoft Purview is a data control framework that underpins modern analytics, AI, and digital transformation initiatives. When implemented correctly, Purview allows organizations to:

• Govern data without slowing delivery
• Secure data without blocking productivity
• Prove compliance without manual evidence gathering

That combination visibility, control, and defensibility at scale is why organizations choose an integrated platform rather than isolated tools. Microsoft documentation and architecture descriptions can be found at learn.microsoft.com

Operationalising Responsible AI: What Microsoft’s Approach Reveals

Responsible AI has become one of those phrases that organisations like to reference but rarely operationalise. It appears in strategy decks, risk registers, and conference panels, yet the practical mechanisms that make it real are often missing.  

Microsoft’s recent article on its internal responsible‑AI approach is useful not because it offers something radically new, but because it demonstrates what it looks like when a large organisation treats responsible AI as a discipline rather than a marketing narrative.

Below are the core lessons worth thinking about especially if you’re trying to move your organisation from aspiration to implementation.

1. Responsible AI is an organisational discipline, not a technical feature

The most important message is also the simplest: responsible AI only works when it is treated as a governing framework that shapes how AI is designed, deployed, and monitored.   This is not a “nice to have”. It is not a late‑stage review. It is not a compliance tick‑box.  It is a structural commitment that defines how decisions are made, how risks are surfaced, and how accountability is distributed. If organisations are still treating responsible AI as a technical add‑on, you will not scale safely.

2. A central authority is essential for coherence

Microsoft’s Office of Responsible AI functions as a single point of truth. It sets policy, interprets standards, and ensures that teams are aligned.  This matters because without a central authority, governance fragments. Different teams make different assumptions. Risk becomes inconsistent. Decisions become harder to audit. A central function does not need to be large, but it does need to be authoritative. It needs the mandate to say “no”, “not yet”, or “not like this”.

3. Distributed oversight is the only scalable model

A central team cannot carry the entire burden. Microsoft’s model. A senior council supported by a network of responsible‑AI champions is the only realistic way to scale oversight across a complex organisation. This mirrors how other disciplines have matured:  

- data protection officers and privacy champions  

- security teams supported by local security leads  

- governance functions with embedded practitioners  

The pattern is consistent with central clarity and distributed execution. If you want responsible AI to work, you need people embedded in delivery teams who understand the risks and know how to escalate them.

4. A unified workflow is the backbone of responsible AI operations

One of the most practical elements of Microsoft’s approach is its internal workflow tool. Every AI project is logged, assessed, and reviewed through a single structured process. This creates:  

- traceability  

- auditability  

- consistent risk categorisation  

- clear escalation routes  

- visibility across the portfolio  

Most organisations underestimate how much risk comes from fragmentation. If you don’t know what AI systems exist, you can’t govern them. A unified workflow is not optional. It is foundational.

5. Culture and process design matter more than tooling

The article makes a point that resonates strongly with anyone who has worked in governance, the tools support the work, but they do not define it. If you don’t have:  

- clear expectations  

- shared language  

- leadership commitment  

- a culture that values scrutiny  

no tool will save you. Responsible AI succeeds when the organisation behaves as if it matters — not when it installs a dashboard.

Thrre are some actionable steps for organisations to take to build their own responsible AI capability. These are the practical takeaways that any organisation can adopt immediately.

1. Start with a written standard

Define what “good” looks like. Set mandatory requirements. Clarify what triggers deeper review. This becomes your anchor.

2. Build a network of responsible AI practitioners. Identify people with the right instincts, governance‑minded, risk‑aware, delivery‑literate. Train them and Empower them.

3. Design the assessment process before you build tooling. Clarify the workflow:  

- What must every project declare?  

- Who reviews what?  

- How are risks escalated?  

Only then should you build or buy tools.

4. Integrate responsible AI checkpoints into delivery. Move away from late‑stage reviews. Embed assessments into initiation, design, and release readiness.

5. Treat bias detection and data quality as non‑negotiable. Bias is rarely intentional; it is inherited. Build structured checks into your evaluation pipeline.

6. Assign responsibility for monitoring regulatory change. Someone needs to track global AI regulation and translate it into internal practice. This prevents compliance surprises.

7. Use the open resources already available

Microsoft’s Responsible AI Toolbox, Human‑AI Experience guidance, and impact‑assessment templates provide a strong foundation. Use them to accelerate maturity.

Responsible AI is not about slowing innovation. It is about enabling it safely, predictably, and sustainably.  The organisations that will thrive in the next decade are those that treat responsible AI as a discipline with structure, clarity, and accountability, rather than a slogan.

Read more here.

Data Governance explained

I had a very fun packed day in Manchester a few weeks ago talking on my favourite topic Data Governance, AI Governance and Microsoft Purview. Watch my recording here to help you get started.

Inside Microsoft’s Responsible AI Framework: What Matters for Data Governance

Microsoft’s updated Responsible AI framework represents a significant evolution in how organisations are expected to approach AI oversight. While the principles themselves, fairness, reliability, safety, privacy, inclusiveness, transparency, and accountability are familiar, the operational expectations behind them have deepened. This isn’t a philosophical document; it’s a practical guide for embedding responsibility into the lifecycle of AI systems.

For data governance leaders, the most important shift is the emphasis on traceability. The framework makes it clear that organisations must be able to explain how data flows into models, how those models behave, and how decisions are made. This requires robust lineage, versioning, and monitoring. Without these, transparency becomes impossible.

Another critical element is human oversight. The framework reinforces that AI should augment, not replace, human judgement. This means governance must ensure that humans remain in the loop for high‑impact decisions, and that they have the context needed to interpret model outputs. Oversight is not a checkbox, it is a design requirement.

The framework also highlights the importance of data quality and representativeness. Poor data leads to poor models, and poor models lead to poor outcomes. Governance must ensure that training data is accurate, relevant, and free from harmful bias. This is where stewardship, classification, and quality controls become essential.

Finally, the framework calls for ongoing monitoring, not one‑time validation. Models evolve, data changes, and risks shift. Governance must be continuous, adaptive, and embedded into operational workflows.

The Microsoft Responsible AI Standard

Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platform

Tracing my career journey though my blog

I was looking at my blog stats this morning and was really interested to see the geographical spread. I started writing my blog in 2011 and it has been read by 1.18m. I wanted to record all the technical tips I found and technology advancements which were useful to me and might be of use to help others. I started writing on SQL Server and the blog has migrated with me throughout my career through architecture, my PhD research and over the last few years I have been mostly writing on Data Governance, Microsoft Purview, AI Governance and Microsoft Fabric. 

I asked Copilot to share some interesting thoughts about my journey for my blog and here is what it thought.

Your blog reveals a journey defined by intellectual curiosity, data‑driven leadership, and a distinctive narrative voice. Here are five evidence‑based, genuinely interesting aspects of that journey.

1. You frame data leadership as a process of unlearning, not just learning

Your post “What data leaders must unlearn to lead in the Age of AI” argues that modern leadership requires shedding outdated assumptions, such as believing governance slows innovation or that documentation equals understanding. This reframing positions you as a thought leader challenging entrenched industry norms. 

2. You consistently connect research, industry practice, and philosophical curiosity

Your blog tagline “Chaos, complexity, curiosity and database systems” captures a rare blend: deep technical expertise paired with a reflective, almost philosophical lens on data systems. This fusion shapes your writing style and differentiates your professional voice. 

3. You document the shift from AI experimentation to AI industrialisation with governance at the centre

In your coverage of the Gartner Data & Analytics Summit, you highlight how governance has moved from a compliance checkbox to the engine of AI ROI. This shows your role as an interpreter of industry change, translating large‑scale trends into practical insights for practitioners. 

4. Your journey is grounded in both academic achievement and community leadership

Across external references, you are consistently described as a Microsoft Data Platform MVP, a PhD researcher recognised with the AOUG Will Swann Award, and a founder/organiser of Data Toboggan. This positions your blog as the narrative thread connecting your academic, professional, and community contributions. 

5. Your posts reveal a long‑standing commitment to making governance practical, accessible, and embedded

Whether discussing AI oversight, lineage, behavioural metadata, or Purview governance models, your writing emphasises practical implementation over theory. You repeatedly advocate for governance that is embedded, automated, and literacy‑driven, showing a consistent philosophy across years of posts. 

SQLBits 2026 Day 1

 SQLBits in Wales is happening this week. We have held the conference at the ICC before so all very familiar.  The keynote was introduced by Simon Sabin before it moved into an in-depth session on the future of Microsoft One SQL—from on-premises to Azure and into Microsoft Fabric. It delved into the unified, AI-ready relational database that powers modernization and next-gen AI apps. SQL  delivers consistency, performance, and some innovative features. The speakers in the keynote were Bob Ward, Anna Hoffman, Priya Sathy, Shiva Gurumurthy.

Data and AI is changing the world. It is the fuel that powers AI.  Microsoft SQL is one consistent SQL for the era of AI. It is

enterprise ready, has evolved over the decades to an industry leading scalable, dynamic platform with high availability and  best in class price performance. 

The keynote delved into migrate and modernize , the need for cloud native AI apps and the need for unified data platforms. 

Highlights of new features 

Azure SQL Server Managed Instance GA

SQL Server 2025 on Azure Virtual Machine GA

Azure Accelerate for Databases announced

aka.ms/modernizedatabases

Azure SQL Database Hyperscale GA you only pay for cores and storage and no license fee.

Mirroring from Microsoft SQL to Fabric GA

SQL Database in Fabric GA

Database Hub in Fabric was announced with fleet management,  observability and database agents.

The depth and breadth of SQL Server has grown substantially over the years and supports many engine types for holistic use. The engines being graph, vector,  columnar, document, spatial, key value, hierarchical, in memory and ledger.

Many sessions today delved into SQL migrations in various forms. There was a fun session talking about Databricks vs Fabric. There are many differences and business needs and business technology stack skills in house often influence the choice of technology.

The Azure SQL Server Hyperscale session talked about Hyperscale which is about the architecture design,  not the engine. It is truly a distributed , cloud native architecture  with boundless storage that grows automatically with elastic compute at two speed. It uses SQL Server as caches.

More sessions for day 2 tomorrow. 

GRAICE Foundation Training Principles of Responsible AI Governance

I am pleased to share I have completed the GRAICE Foundation Training Principles of Responsible AI Governance and am certified for foundational competency in GRACIE, Humanity's Operating System for AI. 

GRAICE is a robust governance operating system geared toward instilling confidence and accountability in AI systems on a global scale. It has 6 foundational values, 7 operational pillars and a 3 teir assurance model.