Friday, 12 June 2026

The Foundations of Intelligence: Why Your AI is Only as Good as Your DAMA Score

There is a quiet but critical misconception at the heart of today’s AI boom. Organizations believe they are investing in artificial intelligence. In reality, they are investing in data, and often that data isn’t ready. AI is a sophisticated engine. But it doesn’t run on innovation, hype, or vendor capability. It runs on data. And if that data is incomplete, inconsistent, poorly understood, or ethically questionable, the outcome isn’t just suboptimal; it’s dangerous.

We are starting to see this play out at scale. AI projects stall, models produce biased outputs, and trust erodes. The narrative often focuses on the technology, but the root cause is rarely the model itself. It is almost always the data. Or more precisely: the absence of effective data governance. The uncomfortable truth is this: most AI failures are not AI failures at all. They are data governance failures in disguise. Frameworks like DAMA-DMBOK2 have spent years defining what good looks like in data management. What has changed is not the principles, but the stakes. In a reporting world, weak data might produce a misleading dashboard. In an AI-driven world, it can drive automated decisions at scale. This is why the conversation needs to shift from AI readiness to something far more grounded: data maturity.


The Four DAMA Pillars That Actually Matter for AI

DAMA-DMBOK outlines eleven knowledge areas, but when it comes to AI, four stand out as foundational. These are not optional capabilities. They are prerequisites.

1. Data Quality: Where AI Success Begins (and Ends)

For decades, organizations have lived with the idea of good enough data.

Reports can tolerate missing fields. Dashboards can work around anomalies. Humans are remarkably good at compensating for imperfect information. AI is not. An AI model does not “interpret” data in context—it learns patterns from it. If those patterns are flawed, biased, or inconsistent, the model will embed those flaws into its outputs. Worse, once learned, these patterns are incredibly difficult to remove. Dimensions like accuracy, completeness, and consistency are no longer operational concerns; they are existential ones. The principle of garbage in, garbage out has never been more relevant. Even the most advanced models will produce unreliable results if the data they are trained on is flawed. This is not theoretical. Organizations are already seeing AI initiatives fail due to poor data quality, with research indicating that only a small fraction of companies believe their data is sufficiently ready for AI. Data Quality is not just a pillar. It is the foundation.

2. Metadata Management: The Missing Layer of Intelligence

If data quality determines whether AI works, metadata determines whether it makes sense. Metadata is often misunderstood as technical documentation: schemas, tables, field names. But for AI, it is far more than that. It is context. AI needs to understand:

  • What the data represents (business meaning)
  • Where it came from (lineage)
  • How it should be used (rules, classifications)
  • When it was last updated (timeliness)

Without this context, even the most advanced models become guesswork engines.

This is particularly critical for large language models interacting with enterprise data. These models are powerful, but they struggle with ambiguity and organizational nuance. Without metadata, they cannot distinguish between similar concepts, interpret domain-specific language, or validate the “truth” of a data point. Metadata effectively becomes the translation layer between human intent and machine interpretation. And yet, it is one of the most neglected areas in AI initiatives. Many organizations rush into model development while overlooking metadata strategy, only to discover later that their AI cannot scale beyond experimentation. There is a growing recognition that metadata is not just supportive; it is determinative. Without it, AI initiatives falter, regardless of model sophistication.

3. Data Architecture: Designing for Machines, Not Just Reports

Traditional data architectures were designed for people.

Data warehouses centralised structured data for reporting and dashboards: slow, stable, and human-interpreted. But AI does not consume data in the same way. It requires real-time access, integration across sources, and the ability to handle both structured and unstructured information. This is where modern architectural patterns come into play. Concepts like Data Fabric and Data Mesh, both explored within DAMA, represent a shift from centralisation to connectivity. Instead of moving data into a single repository, these approaches focus on making data accessible, governed, and usable wherever it resides. A data fabric, for example, creates a unified layer across distributed systems, enabling real-time integration and governance without physically moving data. This matters because AI thrives on:

  • Diverse data sources
  • Real-time signals
  • Context-rich environments

Traditional warehouses, designed for retrospective analysis, struggle to meet these demands. Modern architectures are not just technical upgrades; they are enablers of AI capability. If data cannot flow, AI cannot function.

4. Data Security and Ethics: The Line You Cannot Cross

The final pillar is where data governance transitions into AI governance. AI models do not inherently understand privacy, consent, or regulatory boundaries. They will learn from whatever data they are given. If that data includes sensitive, restricted, or biased information, the consequences can be severe. DAMA has long emphasised data security, privacy, and stewardship. In the AI era, these are no longer compliance exercises—they are ethical imperatives. Regulations like GDPR are not just legal constraints; they define the boundaries of what is acceptable in data usage. If an organization does not have clarity over data ownership, access rights, and usage permissions, it cannot claim to be operating ethical AI. More broadly, this is about trust. Without governance, organizations risk:

  • Embedding bias into automated decisions
  • Exposing sensitive data through AI outputs
  • Losing control over how data is used and reused

Strong governance ensures that AI is not only effective, but also accountable, transparent, and fair. 

The Real Question: How AI-Ready Are You?

For the C-suite, the implication is clear.

AI readiness is not about how many models you have deployed. It is not about how advanced your platform is. It is not even about how much data you hold.

It is about how well that data is governed.

Frameworks like DAMA-DMBOK provide a structured way to assess this. They define maturity across areas like quality, metadata, architecture, and security. And that maturity directly correlates to AI risk. If your organization is:

  • Immature in data quality → expect unreliable AI outcomes
  • Weak in metadata → expect confusion and inconsistency
  • Fragmented in architecture → expect scalability issues
  • Unclear on governance → expect ethical and regulatory risk

In other words, your DAMA maturity is your AI readiness. This is not theoretical. Research consistently shows that organizations struggle to make AI work not because of technology limitations, but because they lack the data foundations to support it. 

Final Thought: The Age of Data Governance Has Arrived

We are entering a phase where data governance is no longer a background function. It is becoming the defining capability of successful AI organizations. The companies that succeed with AI will not be those with the most advanced models. They will be those with the most disciplined data practices, those who understand that intelligence is not created by algorithms, but enabled by trust in data. AI is not a shortcut around governance. It is the ultimate test of it.

Wednesday, 10 June 2026

Microsoft Purview May 2026 Announcements Explained

May 2026 was one of the most important release moments for Microsoft Purview in recent years. It marked a clear shift from foundational governance tooling into operational, AI-era data governance at scale. Here is a quick summary of which tools reached General Availability (GA).


AI governance and security

  • Data security and compliance protections for Microsoft Agent 365 (GA)
  • Expanded Purview capabilities to govern AI activity, including agent-based workloads and AI interactions 

Data governance (data quality maturity)

  • Standalone data asset data quality scans (GA) 
  • Incremental data quality scans (GA)
  • Configurable data quality thresholds (GA) 

Data security posture management (DSPM)

  • New unified Data Security Posture Management experience (GA rollout in May 2026)

These weren’t just feature updates. Microsoft has effectively:
  • Turned Purview into the control plane for AI governance
  • Matured data quality into an operational, measurable discipline
  • Shifted data security from reactive controls to proactive posture management

The conversation has now switched from talking about implementing governance to talking about running governance continuously. This places governance in the age of AI. The most significant announcement in May wasn’t a single feature but the integration of Purview with Microsoft Agent 365.

At GA, this introduces:

  • Centralised visibility of AI agents interacting with enterprise data
  • Data loss prevention and sensitivity enforcement applied to AI usage
  • Auditability and compliance over AI-driven actions 

This is a fundamental shift. Previously, governance focused on:

  • Data at rest
  • Data in motion
  • Human access patterns

Now, governance must deal with:

  • Autonomous agents accessing and acting on data
  • AI-generated outputs and derived data
  • Decisions made without direct human interaction

Purview is now positioned to govern these.

Data Quality

The data governance updates might look incremental, but they are actually significant. With May’s GA releases:

  • Data quality can be measured continuously (incremental scans)
  • Thresholds can be defined and enforced consistently
  • Data assets can be assessed independently at scale 

This moves data quality from periodic profiling exercises to always-on monitoring aligned to business expectations. For organizations, this means:

  • Data quality becomes a control, not an insight
  • Ownership becomes enforceable (through thresholds)
  • Governance shifts closer to operational accountability

This aligns strongly with what many frameworks (DAMA, DCAM) have always pushed: that data quality must be actively managed and not passively reported.

Data Security Posture Management (DSPM)

The new DSPM experience reaching GA is arguably the most strategic element of the May release. It introduced:

  • Unified visibility across traditional and AI-driven data environments
  • Risk-driven prioritisation of data security issues
  • Guided workflows to turn insights into action

It also extends beyond Microsoft-native data with integration with third-party data sources and tools and a single view of sensitive data across the estate. This matters because most organizations struggle with:

  • Fragmented visibility
  • Too many alerts, not enough prioritisation
  • Governance that stops at reporting

DSPM changes the conversation to: what matters most, and what do we fix first? There was a subtle but important shift: governance of everything, not just Microsoft.

Another key theme in May’s updates was expanding governance beyond Microsoft workloads. Examples include:

  • Visibility into third-party AI tools and environments 
  • Integration across broader ecosystems and data sources 

This is critical for real-world governance because the reality is:

  • Data does not live in one platform
  • AI is not limited to one vendor
  • Risk spans the entire digital estate

Purview is increasingly positioned as the normalising layer across that complexity. For organizations like those in housing, local government, or financial services (your typical audience), these updates directly address four growing risks:

1. AI adoption without governance

Agents and copilots are being deployed faster than policies can keep up.

→ Purview now provides policy enforcement and visibility at the AI layer.

2. Lack of data ownership and accountability

Data quality issues remain hidden until failure.

→ Thresholds and continuous scanning make ownership measurable.

3. Fragmented security controls

Tools exist, but there is no unified posture view.

→ DSPM provides a single, prioritised risk lens.

4. Increasing regulatory pressure

Frameworks are evolving faster than implementation capability.

→ Purview now supports continuous compliance monitoring, not point-in-time audit.

The strategic takeaway is a clear direction from Microsoft: governance is no longer a framework or a project. It is an always-on operational capability. Purview is evolving into:
  • The execution layer for governance
  • The control point for AI and data risk
  • The bridge between business intent and technical enforcement

For organizations, the implication is equally clear:

  • Governance must move from design to operation
  • Ownership must move from assumed to measurable
  • Risk must move from identified to actively managed

The organizations that succeed with these updates won’t be the ones that deploy Purview fastest. They’ll be the ones that:
  • Define clear ownership and accountability first
  • Align governance to business outcomes, not tools
  • Use Purview to operationalise, not define their governance model

These announcements reinforce that technology does not create governance. It makes it visible and enforces it.

Reference

What's new in Microsoft Purview | Microsoft Learn

Saturday, 6 June 2026

Microsoft Project Solara A New Category: Agent‑First Devices Built for the Enterprise

Project Solara introduces a hardware and software ecosystem where AI agents become the primary interface, not applications. Microsoft demonstrated two reference devices:

  • A desk companion that authenticates via facial recognition and acts as a gateway to cloud‑based Windows 365.  
  • An AI‑powered corporate badge with a touchscreen, fingerprint sensor, microphone array, and side‑facing camera enabling hands‑free documentation, contextual capture, and workflow automation.

These devices run on the Microsoft Device Ecosystem Platform (MDEP), an enterprise‑grade OS built on the Android Open Source Project, managed through Intune and secured with Entra ID.

This is not consumer hardware. It is a deliberate move to support industry‑specific workflows in healthcare, retail, logistics, and field operations, with organizations like CVS Health, Levi’s, Target, and AccuWeather already exploring pilots.

Why Project Solara Matters for Data Governance

Solara is not just a hardware announcement; it is a governance milestone.

1. Identity‑bound, policy‑driven access
Every Solara device authenticates through Entra ID and Windows Hello for Business, ensuring that AI agents operate within role‑based access controls and enterprise identity boundaries. 

2. Intune‑managed, enterprise‑grade device compliance
Because Solara devices are managed through Microsoft Intune, organizations can enforce:
  • Configuration baselines  
  • Conditional access  
  • Device compliance policies  
  • Remote wipe and lifecycle controls

This brings agent‑first devices into the same governance perimeter as laptops, mobiles, and IoT endpoints.

3. Cloud‑centric intelligence, not local models
Solara devices intentionally do not run local AI models. All intelligence lives in Azure, reducing:

  • Data residency risk  
  • Model drift  
  • Shadow AI  
  • Unmonitored local inference  

This architecture aligns with enterprise governance expectations for centralised oversight and auditability. 

Responsible AI: Embedded in the Platform’s Design

While Microsoft has not yet published a standalone Responsible AI standard for Solara, the announcement and technical framing clearly align with Microsoft’s broader Responsible AI commitments.

1. Privacy‑first hardware controls
Solara devices include physical privacy features, such as hardware microphone mute switches. 

2. Context‑aware, role‑aligned agent behaviour
In healthcare demonstrations, agents adapt to the user’s role and workflow, supporting documentation, scanning medications, and verifying patient data. This reflects principles of:
  • Human‑centred design  
  • Transparency  
  • Safety in high‑risk environments

3. Multi‑Agent, Open Ecosystem, not a single black box
Solara is explicitly designed as an open multi‑agent system, allowing organisations to integrate their own agents via:
  • Copilot Studio  
  • Microsoft 365 Agents SDK  
  • Azure Agent Framework

This reduces vendor lock‑in and supports accountability, traceability, and custom governance controls.

What This Means for Organisations

Project Solara signals a future where AI is:
  • Ambient: present in every workflow
  • Contextual: aware of environment and role
  • Governed: bound by enterprise identity, policy, and compliance
  • Responsible: designed with privacy and safety in mind

For data governance and responsible AI leaders, Solara represents the next frontier: governing AI not just in software, but in physical devices that operate across the enterprise landscape.

This is the beginning of a new category of agent‑first hardware, and it will reshape how organisations design, deploy, and govern AI at scale.

Friday, 5 June 2026

Seen but Not Heard: The Age of Data Governance

There’s a phrase I remember being told as a child: “seen but not heard.”

At the time, it meant quiet compliance. Something present, something acknowledged, but not something that shaped the room or influenced what happened next. Strangely, that’s exactly how organizations have treated data governance for years. It has always been there, in the background. Policies exist, frameworks have been written, roles have been defined. If you look hard enough, every organization can point to where governance sits. It is visible. It is documented. It is technically present, but it hasn’t truly been heard. It hasn’t influenced how systems are designed, how teams deliver, or how decisions are made in the way it should. Instead, governance has often been something that follows behind delivery as a correction, a control, a necessary inconvenience once the “real work” has already been done. That made sense once, but it doesn’t any longer.



What has changed is not governance itself; it is the world around it. We now operate in organizations where data is not a by-product of activity; it is the thing everything depends on. Strategy is built on it, operations are driven by it, and increasingly, decisions are delegated to systems that rely entirely on it. There is no part of a modern organization that sits outside of data anymore, and yet governance is still too often treated as if it does. That tension is becoming impossible to ignore, because when every system depends on data, every issue becomes a governance issue. When numbers do not align between reports, when teams cannot agree on definitions, when ownership is unclear, when trust in outputs begins to erode, these are not technical failures in isolation. They are symptoms of something deeper: a lack of embedded governance. You can see this play out repeatedly. Organizations invest in platforms, they modernise architectures, they implement analytics solutions, they adopt AI. Each initiative is presented as progress, and in isolation, it often is. But without governance woven into the fabric of these initiatives, complexity accumulates rather than resolves. Data spreads, inconsistency grows, and the ability to explain or trust what is being produced gradually diminishes. Governance, in those moments, has been seen, but it was never allowed to shape the outcome.

The emergence of AI has brought this reality into sharper focus. For years, organizations could tolerate a degree of inconsistency in their data. It caused frustration, inefficiency, and occasionally risk, but it remained manageable. AI does not allow for that tolerance. It amplifies whatever it is given. Good data becomes insight at scale. Poor data becomes risk at scale. There is no neutral outcome. The old saying “garbage in, garbage out” still applies, but it now applies faster, at greater scale, and with far more impact than before. When decisions begin to be influenced or even made by systems fed on ungoverned data, the consequences are no longer contained within individual processes. They affect entire organizations. At that point, governance is no longer a supporting capability. It becomes the condition for whether anything works at all.

This is why the idea that governance can be added later no longer holds. It is not something that can sit alongside delivery or follow it. Governance determines what “good” looks like before anything is built. It defines ownership, establishes meaning, sets expectations, and ensures consistency. Without it, delivery moves forward, but coherence does not, and that is the subtle but critical shift that is still being missed. We are not entering a stage where governance becomes more important as a standalone discipline. We are entering a stage where governance becomes inseparable from everything else. It is not another workstream to manage; it is part of how every workstream operates. Every technology solution carries assumptions about data. Every integration defines how data flows. Every report reflects decisions about meaning, quality, and trust. Every AI model relies on choices about what data is used and how it is interpreted. In all of these cases, governance is already present. The difference is whether it has been made explicit, intentional, and embedded, or whether it remains invisible until it fails.

One of the reasons organizations struggle with this shift is that governance has historically been framed in the wrong way. It has been positioned as a control mechanism, something that restricts or slows progress. It has been documented extensively, but lived infrequently. It has often been assigned to a function rather than understood as a shared organizational responsibility. As a result, it has been treated as optional in practice, even when it is mandatory in principle. But when governance is embedded properly, it does not slow organizations down. It removes uncertainty. It allows decisions to be made with confidence because there is clarity around ownership, meaning, and quality. It reduces rework because expectations are clear from the outset. It enables innovation because it provides the guardrails that make experimentation safe. In other words, it makes progress sustainable.

The irony is that most organizations are already feeling the consequences of not doing this, even if they do not describe it in those terms. The questions that surface in meetings, about which version of the truth to trust, about who is responsible for a dataset, about whether something can be used safely or compliantly, are all governance questions. They just are not recognised as such, and because they are not recognised, they are not addressed systematically. Instead, they are solved locally, temporarily, repeatedly. Governance remains visible in theory, but unheard in practice.

We are now at a point where that is no longer viable. If data is the thing that everything depends on, then governance must be the thing that everything contains. Not as an overlay, not as an afterthought, but as a standard, embedded part of how organizations operate. This is the age of data governance — not because governance is new, but because the absence of it is no longer survivable. The organizations that recognise this will not be the ones with the most advanced tools or the largest data estates. They will be the ones that understand their data well enough to trust it, control it, and use it consistently across every part of the business. They will be the ones that stop simply seeing data governance, and finally start listening to what it has been telling them all along.

Thursday, 4 June 2026

The Reality of Compliance in the Age of AI



Compliance used to be retrospective. Policies were written, audits were conducted and evidence was gathered after the fact to demonstrate that controls had been followed. That approach is no longer sufficient. AI has introduced a level of complexity where decisions are made faster, data is reused in ways that are difficult to track, and accountability becomes harder to define. Compliance cannot keep up if it remains a reactive process. It has to become something that is designed into how organizations operate.

The problem beneath the surface

Most organizations still treat compliance as a separate function. A team that interprets regulation. A set of policies that sit alongside operations. A series of controls that are checked periodically. But the real challenge is not understanding regulation. It is applying it consistently across processes, systems, and increasingly, AI-driven outcomes.

  • What data can be used for training
  • How decisions are explained
  • Where sensitive information is retained or deleted

These are operational questions, not just compliance ones.

Where Purview comes in

Purview Compliance capabilities focus on managing these challenges in a structured way. Data lifecycle management defines how long data should exist and when it should be removed. Records management strengthens that by applying legal and regulatory context. Compliance Manager provides a framework to track controls and measure progress against requirements. More recently, these capabilities are being used to address AI-related concerns. Understanding data usage, managing retention, and demonstrating control are all foundational to responsible AI. The technology does not replace compliance thinking. It enables it to be applied consistently.

The technical layer that matters

Retention labels and policies are often seen as administrative tools. In reality, they directly influence how data is stored, preserved, or deleted across workloads. Records management introduces immutability and defensibility. Compliance Manager maps controls to regulatory standards, providing visibility into gaps and progress. These are not isolated features. They form a system where compliance is codified into policies that operate at scale.

Why this matters now

Regulation is evolving. The EU AI Act, data protection laws, and industry-specific requirements are all pushing organizations towards greater accountability. At the same time, AI is accelerating how data is used. This creates a tension. Organizations want to move quickly, but also need to demonstrate control. Manual processes cannot bridge that gap. Compliance has to become embedded. It has to operate continuously, not periodically.

The reality

In the age of AI, compliance is no longer about proving that controls exist. It is about proving that they are applied, monitored, and effective in a constantly changing environment. Purview provides the mechanisms to do this, but like governance and security, it depends on how it is used. Policies must reflect real business requirements. Controls must be implemented consistently. Ownership must be clear. Otherwise, compliance remains a reporting exercise rather than a capability.

References and learning

https://learn.microsoft.com/en-us/purview/compliance
https://learn.microsoft.com/en-us/purview/data-lifecycle-management-overview

Microsoft Announces Scout: An Always‑On Autonomous Agent for Work

Microsoft has unveiled Scout, its first Autopilot agent, an always‑on, autonomous digital assistant designed to work across Microsoft 365, proactively coordinating tasks, managing workflows, and keeping work moving even when you’re not in the loop. What makes Scout different is its ability to operate with its own identity, act within organisational policies, and build long‑term context through WorkIQ, learning how you work and what matters most. But beneath the excitement, there’s a deeper story for those of us working in data governance and Responsible AI.

Where Scout Meets Data Governance

Microsoft has been explicit: Scout is built with enterprise‑grade security, policy enforcement, and auditability from day one. Key governance‑aligned capabilities include:

  • Policy‑constrained identity: Scout acts only within the permissions and boundaries your organisation sets.
  • Execution containers & OS‑level sandboxing: reducing risk when agents access files, run code, or interact with networks.
  • Continuous policy conformance checks: every action is validated against organisational guidelines, producing an audit trail.

This is a significant shift: AI agents are no longer “black boxes” running in user sessions; they’re governed, monitored, and contained as first‑class enterprise actors.

Responsible AI: Built Into the Foundation

Microsoft has also published Responsible AI documentation for Scout, reinforcing that it is part of a broader commitment to safe, transparent, and accountable AI systems. 

Highlights include:
  • Responsible AI FAQs explaining how Scout works, what data it accesses, and how system owners can shape behaviour.  
  • Tiered permission systems for file access, shell commands, and browser automation.  
  • Human‑in‑the‑loop expectations and environmental considerations for deployment.

This aligns Scout with Microsoft’s AI principles of fairness, reliability, safety, privacy, security, inclusiveness, transparency, and accountability.

Why This Matters

For organisations already investing in data governance, AI assurance, and operational Responsible AI, Scout represents a new category of enterprise agent:
  • Autonomous enough to reduce coordination overhead  
  • Governed enough to meet compliance and risk expectations  
  • Context‑aware enough to become a durable part of the digital workforce

This is the moment where AI agents stop being assistants and start becoming accountable digital colleagues, operating within the same governance frameworks as humans and systems.

Wednesday, 3 June 2026

Microsoft Build 2026: The Moment Governance Became the Bottleneck, Not Innovation

If last year’s narrative was about what AI can do, Microsoft Build 2026 marked a noticeable shift: the conversation has moved firmly to what organizations must control.

Across two days of announcements, Microsoft made one thing clear. The next phase of enterprise AI will not be defined by better models or more copilots. It will be defined by whether organizations can operationalise data readiness, governance, and trust at scale.

And that is where the most important announcements sit.

From “AI Features” to “AI Systems That Act”

The headline innovation at Build wasn’t just new models; it was the emergence of autonomous AI agents as first-class enterprise actors.

Microsoft introduced Scout, an always-on AI agent capable of continuously operating across enterprise systems, taking actions rather than waiting for prompts.
This marks a fundamental shift from assistive AI to operational AI: software that executes tasks, interacts with systems, and makes decisions within workflows.

But this also introduces a new governance reality.

When AI moves from generating content to acting on behalf of a business, the questions change:

  • Who is accountable for the action?
  • What data did the agent access?
  • What policies constrained its behaviour?

Microsoft’s answer is not a single tool but an emerging governance architecture for agents.

Governance Is Now Part of the Platform (Not an Add-On)

Across the announcements, governance was not positioned as a compliance afterthought. It was embedded into the core platform.

Three developments stand out.

Agent identity, control, and auditability

Agents are now designed with their own identities, permissions, and audit trails, essentially becoming governed entities within enterprise systems.
This is a critical shift: governance is no longer about users accessing data, but about non-human actors operating within policy boundaries. 

The rise of the agent control plane

With capabilities such as Agent 365 and broader governance frameworks, Microsoft is building what can only be described as a control layer for AI agents, covering access control, visibility, monitoring, and compliance.

This moves governance from static policies to continuous oversight of autonomous systems.

Built-in safety, evaluation, and testing

The introduction of evaluation frameworks like ASSERT (for testing AI behaviour against policy expectations) signals a shift toward engineering governance into the development lifecycle itself. 

This aligns closely with emerging standards (ISO/IEC 42001, EU AI Act), where governance is expected to be designed, evidenced, and tested, not assumed.

Data Governance Quietly Took Centre Stage

While the headlines focused on models and agents, the more important story sits underneath: data is now the limiting factor for AI.

Microsoft’s investment in Fabric, including a GPU-accelerated data warehouse positioned as an execution layer for AI workloads, reflects a deeper truth: organisations don’t lack AI capability, they lack AI-ready data environments.

This reinforces a theme many of us have been seeing on the ground:

The challenge is no longer "can we use AI?"
It is "can we trust the data, control its usage, and scale it responsibly?"

Even outside the keynote announcements, updates across Microsoft Purview continue to evolve around:

  • data quality management,
  • data loss prevention for AI interactions,
  • and governance across expanding AI estates. 

Taken together, this signals a more mature positioning: data governance is not supporting AI, it is enabling it.

A New Stack: AI, Data, and Governance as One System

Perhaps the most important architectural shift is how Microsoft is framing the AI stack.

At Build 2026, governance was explicitly treated as a foundational layer alongside compute, models, and tools. 

This is subtle but significant.

Previously, governance sat outside the stack:

  • something imposed after deployment,
  • owned by risk or compliance functions,
  • often disconnected from engineering.

Now, governance is:

  • integrated into runtime environments,
  • embedded in agent frameworks,
  • and enforced through platform capabilities.

This is a move toward operational governance, not theoretical governance.

What This Means for Businesses

For organizations, these announcements are less about new features and more about a change in expectations.

AI adoption will be constrained by governance maturity

The organizations that succeed will not necessarily be those with the most advanced models but those with:

  • clear data ownership,
  • defined policies for AI usage,
  • and the ability to monitor and control AI behaviour continuously.

Governance becomes a cross-functional discipline

AI governance can no longer sit solely with data teams or compliance functions. It now spans:

  • data governance,
  • security,
  • enterprise architecture,
  • and operational risk.

Tools alone will not solve the problem

While Microsoft is building an increasingly comprehensive governance ecosystem, the platform assumes something critical:

Organisations already understand their data, risks, and policies.

In reality, many do not.

This is where the gap, and the opportunity, sits.

The Real Announcement wasn’t a Product

If you step back, the most important announcement at Build 2026 wasn’t a model, a Copilot update, or even an agent.

It was a shift in narrative.

Microsoft is signaling that:

  • AI is no longer experimental.
  • Agents will become embedded in everyday business operations.
  • And governance is now the primary barrier to scale.

In other words, we’ve moved from the innovation phase of AI to the industrialisation phase.

And industrialisation always introduces the same question:

How do you scale safely, consistently, and with accountability?

That is not a tooling question. It is a Data and AI governance question.


Tuesday, 2 June 2026

The Reality of Data Security in M365 (Purview Protection)



Data security has traditionally been viewed as a problem of access. Who can see what. Who can download it. Who can share it. In a world of structured systems and defined boundaries, that was enough. That world no longer exists. Data in M365 is fluid. It moves between emails, Teams chats, SharePoint sites, and endpoints. It is copied, embedded, summarised, and now increasingly, generated by AI. The idea that you can secure it by controlling entry points alone is no longer realistic. Data security has shifted from protecting locations to protecting the data itself.

The problem organizations are actually facing

Most organizations believe they have data security in place because they have policies, but when you look closer, those policies are often disconnected from how data is used in practice. Labels are defined but not applied consistently. Data loss prevention rules exist but generate noise rather than insight. Users find workarounds because controls are either too restrictive or not aligned to real workflows. The result is a false sense of security. Controls exist, but coverage is inconsistent. Risks are identified, but not prioritised. Sensitive data continues to move, often without visibility.

What Purview is doing differently

Purview Protection capabilities bring together several controls that are often treated separately. Information Protection classifies and labels data, ideally at creation. Data Loss Prevention applies policies to control how that data moves. Insider Risk adds behavioural context, identifying patterns that indicate potential misuse or compromise. Individually, these are familiar concepts. Together, they form a model where protection is persistent and data-centric. Classification stays with the data. Policies follow it across services. Signals from usage and behaviour start to inform risk in real time. It is not just about blocking actions. It is about understanding how data is used and where risk actually exists.

The technical reality that matters

There is a level of technical depth that is often overlooked. Sensitivity labels are not just tags. They drive encryption, access control, and downstream policy enforcement. DLP is not just rule matching. It combines classification, conditions, and contextual signals. Insider Risk does not operate in isolation. It correlates activity across multiple workloads. These capabilities rely on integration. They rely on consistency. They rely on governance decisions being made upfront. Without that, the tooling becomes fragmented. With it, you start to see a unified security posture that is driven by data, not systems.

Why this matters now

The introduction of AI into everyday tools has changed the risk landscape. Content can be summarised, transformed, and shared at scale. Sensitive information can surface in places it was never intended to be. Traditional controls do not always detect these patterns because they were not designed for this level of fluidity. This is where data-centric security becomes essential. Not as an additional layer, but as the foundation for allowing organizations to use these tools with confidence.

The reality

Security is no longer about stopping access. It is about enabling the right use of data while reducing risk. Purview provides the controls to do this, but only when it is implemented as part of a coherent approach. Labels, policies, and signals must align. Business context must inform technical controls. Otherwise, organizations end up with visibility but no clarity, and policies but no control.

References and learning

https://learn.microsoft.com/en-us/purview/information-protection
https://learn.microsoft.com/en-us/training/paths/implement-data-loss-prevention/

A holistic view of how Microsoft Purview connects to other tools in Microsoft Purview.



Monday, 1 June 2026

The Reality of Data Governance in 2026 (Purview Governance)

There is still a belief that data governance is something you implement. A programme. A tool. A project that runs for twelve months, delivers a catalogue, assigns a few owners, and quietly dissolves once the funding runs out. In 2026, that belief is not just outdated. It is actively holding organizations back. Data governance has become something else entirely. It is no longer a layer that sits on top of data. It is the condition that determines whether organizations can operate, scale, or even trust what they know. The shift is subtle, but critical. Governance is no longer about control. It is about confidence at scale.


A different kind of problem

Most organizations are not struggling because they do not have governance tools. They are struggling because they do not have governance embedded into the way data is created, moved, and used. The result is predictable. Data exists, but ownership does not. Definitions are documented, but not agreed. Catalogues are populated, but not used. And AI initiatives start with optimism and quickly run into questions no one can answer.

  • What does this dataset actually represent?
  • Who is accountable for its quality?
  • Can we trust it enough to base decisions on it?

These are not technical questions. They are governance failures.

Where Purview actually fits

Microsoft Purview, particularly the governance capabilities, is often positioned as a catalogue. A place to discover and classify data. That framing is too narrow. At its core, Purview Governance is about creating visibility, accountability, and context across the data estate. Scanning brings assets into view. Classification starts to describe them. Business glossaries and domains begin to connect them to meaning. But the technology alone does not create governance. It exposes the gaps. If there is no ownership model, the catalogue becomes a list. If definitions are not agreed, the glossary becomes a dictionary with multiple interpretations. If governance is not embedded in delivery, the platform reflects fragmentation rather than resolving it. Used properly, Purview forces the right conversations. It highlights where business ownership is missing. It shows where critical data is unmanaged. It provides a structure to align people, process and technology.

Why this matters now

The pressure is not coming from governance programmes. It is coming from AI. Organizations are trying to move faster. They are trying to reuse data, combine it, expose it to models and automation. What they are discovering is that speed without control creates risk, and control without clarity creates friction. This is where governance has to evolve. Not as a retrospective exercise, but as something that is designed into the operating model from the start. Purview becomes valuable at that point, not because it catalogues data, but because it supports a model where governance is continuous, visible, and owned by the business.

The reality

In 2026, organizations that treat governance as optional will struggle to scale anything that depends on data. Those that embed it will not talk about governance as a separate function. It will simply be part of how they manage their products, their processes, and increasingly, their AI. The technology is ready. The frameworks are well understood. The challenge is no longer knowing what to do. It is choosing to do it properly.

References and learning

https://learn.microsoft.com/en-us/purview/data-governance
https://learn.microsoft.com/en-us/training/paths/manage-data-estate-purview/

For all 3 areas, see the full realities of data governance, data security and data compliance.



Sunday, 31 May 2026

When AI Becomes an Employee, Governance Becomes Strategy

Two recent pieces got me thinking about where AI is really heading:

👉 AI in the agentic workplace (WEF)
👉 AI is becoming the new employee

Both challenge a core assumption many organisations are still holding on to:

AI is no longer just a tool.
It’s becoming part of the workforce.

The WEF describes AI as a new colleague, embedded into workflows, reshaping how work is done and how organisations are structured. The AI as employee view goes further, positioning agents as digital workers that can own tasks, make decisions, and contribute to outcomes. There is a gap I don’t see enough people talking about: are we accelerating adoption faster than we are defining governance?

If AI starts to behave like a workforce participant, then the questions shift:

  • What data is it allowed to access and under what controls?
  • How do we ensure decisions are explainable, auditable, and fair?
  • Who is accountable when an AI employee gets it wrong?
  • How do we assign roles, permissions, and boundaries to non-human actors?

This is where data governance and Responsible AI stop being supporting disciplines and become the foundation of the operating model. Because the future isn’t just AI-enabled teams, it’s human + AI workforce design:

  • AI agents operating across governed data domains
  • Decisions driven by data that must be trusted, lineage-tracked, and policy-controlled
  • Hybrid teams where accountability, not just capability, must be clearly defined

And this is the real shift:

  • From AI as capability → AI as organisational entity
  • From model governance → workforce governance
  • From policies on paper → operationalised controls across data, AI, and people

The organisations that get ahead won’t be the ones who deploy the most AI. They’ll be the ones who:

  • Treat AI access to data as a governed privilege, not an entitlement
  • Design AI roles with the same rigour as human roles
  • Embed responsible AI principles into day-to-day execution, not just frameworks

Because if AI is becoming the new employee, then governance is no longer optional. It’s how you stay in control.


References

https://www.weforum.org/stories/2026/01/ai-agentic-workplace-human-resources/
https://open.substack.com/pub/nidgguy/p/ai-is-becoming-the-new-employee?utm_campaign=post-expanded-share&utm_medium=web


Monday, 18 May 2026

Governing the agents not just the AI

The current wave of agentic AI is not just another iteration of automation, it is a shift from models that advise to systems that act. In the Fortune piece summarised via Yale Insights, the central risk is not capability but placement: where agents are deployed in the business and how close they operate to customers, decisions and trust. The “proximity framework” highlights that the closer an agent gets to irreversible, customer-facing decisions, the greater the governance burden becomes, with failures having disproportionate reputational impact. What is emerging consistently across follow-on work in banking, healthcare, retail and supply chain is that governance is lagging deployment, with organizations actively running agents across operations while still relying on fragmented or incomplete control models. This reinforces a point often made in governance conversations: the problem is no longer whether AI works, but whether organizations can safely operationalise decision rights at scale.

When you bring data governance into this, the conversation sharpens significantly. Multiple recent articles move beyond model governance and focus specifically on how agents access and use data, often autonomously and continuously. Agent Access Management reframes governance as a data problem, not just identity, because agents inherit permissions dynamically across APIs, workflows and services, often without visibility into what they can actually reach. Traditional access governance breaks here because it assumes static roles and human review cycles, whereas agents operate continuously and at machine speed, creating access patterns that are technically authorised but contextually inappropriate. This is why newer guidance emphasises data-aware controls, real-time monitoring and understanding not just who the agent is, but what data it is using and why. It aligns strongly with emerging audit expectations, where organizations must evidence which agents exist, what data they access, and how decisions are controlled and explained. 

What is becoming clear across the literature is that governance for agents is not an extension of traditional AI governance, it is a redesign of enterprise control models. Firms like IBM and McKinsey point out that governance needs to move from validating outputs to controlling actions, defining scope, ownership and accountability for autonomous decision-making. At the same time, platform and vendor ecosystems are converging on concepts like control planes, agent registries and data-centric governance layers to ensure visibility and enforce policy at runtime. The consistent thread across all of this is that trust in agentic AI is not built at the model layer, it is built at the data access and execution layer. That is where governance now has to operate, and it is where most organisations are still weakest. 

References

Fortune / Yale source 

Supporting governance and agentic AI articles

Agent governance frameworks and operating model shifts

Data access governance and agent-specific governance

Audit, compliance and enterprise deployment considerations

Thursday, 14 May 2026

From governance frameworks to enforceable control capabilities

For many organizations, the challenge is not a lack of data governance frameworks, but a gap between principles and practice. Discussions around Microsoft Purview often focus on individual features, while governance frameworks such as DAMA, ISO, or emerging AI regulations describe what should exist at a conceptual level. What organizations actually need is a capability‑led view: a clear map that shows which governance needs exist, how those needs are implemented through concrete Purview capabilities, and where accountability typically sits across the business. This capability perspective bridges strategy, regulation, and day‑to‑day delivery, turning governance intent into enforceable, operational controls.

The difference in views:

  • Most Purview discussions list features.
  • Most governance frameworks describe principles.

What organizations actually need is a capability map showing:

  • Which governance need exists
  • Which Purview capability supports it
  • Who typically owns it

This table‑driven view bridges strategy, regulation, and day‑to‑day operations.

Microsoft Purview Capability Mapping Table

| Governance Capability | Purview Tooling | Primary Framework Alignment | Typical Accountable Role |
|---|---|---|---|
| Enterprise data discovery | Data Map | DAMA – Metadata Mgmt | Data Governance Office |
| Business data understanding | Unified Catalog | DAMA – Data Governance | Data Owners / Stewards |
| Metadata management | Unified Catalog | DAMA / ISO 38505 | Data Governance |
| Data lineage | Lineage | DAMA / AI Act Art.10 | Data Engineering |
| Data quality signals | Data Estate Insights | DAMA / ISO 8000 | Data Quality Lead |
| Sensitive data classification | Information Protection | ISO / AI Act | Security & Privacy |
| Persistent protection | Sensitivity Labels | ISO / GDPR / AI Act | Security |
| Data loss prevention | DLP | ISO / Regulatory | Security Operations |
| Insider risk monitoring | Insider Risk Mgmt | ISO accountability | Security & HR |
| AI data risk visibility | DSPM | AI Act | Security & Governance |
| Audit logging | Audit | ISO / AI Act | Legal & Compliance |
| Regulatory control mapping | Compliance Manager | ISO / AI Act | Risk & Compliance |
| Legal investigations | eDiscovery | ISO / Regulatory | Legal |
| Retention & disposal | Records Mgmt | ISO / GDPR | Information Management |

Why this matters for AI governance

The AI Act does not introduce new governance concepts, it enforces existing ones at AI scale.

Purview’s strength is that:

  • The same sensitivity labels used in email
  • Also govern datasets
  • Also constrain AI interactions
  • Also support legal discovery

This continuity is exactly what auditors and regulators expect.

Common implementation mistakes to avoid

  • Treating Purview as a security tool
  • Treating governance as policy documentation
  • Treating AI governance as separate

Treat governance as a cross‑functional operating model and use Purview as the control fabric beneath it. Think of:

  • Frameworks that define intent.
  • Regulation that demands proof.
  • Tools that deliver evidence.

Microsoft Purview sits at the intersection, not as a framework replacement, but as the mechanism that allows modern data governance to function at scale.

Wednesday, 13 May 2026

Microsoft's Agentic Transformation Patterns Playbook.

Microsoft has released an Agentic Transformation Patterns Playbook.


The Agentic Transformation Patterns Playbook: A practical guide to choosing, scaling, and operating AI agents across your organization. It helps with understanding the landscape and identifying patterns. It is a well-defined playbook on how to progress well with agentic AI.

The Agentic Transformation Patterns Playbook sets out practical patterns for moving from isolated AI experiments to governed, enterprise‑scale AI agents that can plan, act, and collaborate across systems. Its core message is that agentic AI is not a tooling challenge but an operating‑model shift, requiring clear accountability, proportionate governance, and risk‑based controls as autonomy increases. Used well, the patterns help organisations scale AI safely by design, embedding oversight, auditability, and human control without slowing down adoption.

The maturity model shared helps prioritize action by looking at AI Strategy & Experience, Business Strategy, AI Governance & Security, Technology & Data, and Organization & Culture. These capability drivers are:

  • AI Strategy & Experience: How deliberately you plan, invest in, and evolve AI across the organization
  • Business Strategy: How deeply AI is integrated into business processes and outcome measurement
  • AI Governance & Security: How well you manage risk, compliance, monitoring, and responsible AI
  • Technology & Data: How mature your platforms, architecture, data quality, and telemetry are
  • Organization & Culture: How effectively you enable adoption, build skills, and foster AI-positive culture

The maturity model is described at: https://aka.ms/AgentMaturityModel

The Agentic Center of Excellence (CoE) has 4 functions: governs, enables, optimizes and scales. Governs has release gates to ensure nothing goes to production without review. The audit logs take on a key governance role, tracking who built and approved an agent and what it does. A set of 6 roles is identified that must work together to scale agents. Compliance is continuous and is not a one-time check. An important message: Won't let anyone ship until governance is 'complete.' Governance is never complete.

The Agentic CoE adds agent-specific capabilities to existing governance, Security & Compliance, Cloud/IT Governance, Low Code/Power Platform CoE, Microsoft 365 Governance and Responsible AI Council. It does not replace what works; it fills the gaps that agents create (ownership, lifecycle, decision rights, monitoring).



Saturday, 9 May 2026

How Data Governance Frameworks Converge

From DAMA to ISO to the EU AI Act, it is important to understand how data governance frameworks converge and how Microsoft Purview operationalises them. Organizations rarely struggle because they lack frameworks. They struggle because frameworks remain theoretical while data, AI and regulation operate at scale.

DAMA‑DMBOK, ISO data governance standards, and the EU AI Act all address the same core problem from different angles:

  • DAMA defines what good data management looks like
  • ISO defines how governance should be assured and audited
  • The AI Act defines where governance becomes legally mandatory

Understanding where these overlap and how tooling like Microsoft Purview can operationalise them is now essential for any organization deploying analytics, automation, or AI in production.

DAMA‑DMBOK: The authoritative body of knowledge

DAMA‑DMBOK is a vendor‑neutral reference framework that defines data management as an enterprise capability, with Data Governance at its core. It establishes what must exist, without prescribing technology. [dama.org]

Key DAMA governance expectations

  • Ownership and accountability for data assets
  • Enterprise metadata and lineage
  • Data quality management
  • Security, privacy, and ethical data use
  • Stewardship and domain governance

Critically, DAMA positions metadata, lineage, and quality as foundational: the same elements now required by AI regulation and ISO assurance.

ISO standards: Governing data as an accountable asset

ISO standards translate governance principles into assurable controls.

Key standards relevant to data & AI governance

  • ISO/IEC 38505‑1: Governance of data within IT governance
  • ISO 8000: Data quality management
  • ISO/IEC 25642: Data collaboration and controlled data reuse

ISO explicitly frames data as a managed, governed organizational asset that should consider value, risk, and compliance. 

Where DAMA explains what to govern, ISO defines:

  • Who is accountable
  • How governance is monitored
  • How conformance is evidenced

This distinction becomes critical for regulatory audits.

The EU AI Act is when governance becomes mandatory

The EU AI Act, particularly Article 10, legally mandates data governance for high‑risk AI systems. 

Article 10 explicitly requires:

  • Documented data sources and provenance
  • Training, validation, and test data quality controls
  • Bias detection and mitigation
  • Dataset representativeness and contextual relevance
  • Ongoing governance across the AI lifecycle

In effect, the AI Act codifies long‑standing DAMA and ISO principles into law. Non‑compliance now carries legal, financial, and reputational risk.

There is an update to the EU AI Act: EU leaders have agreed to amendments. It is hoped that the official regulation will be passed before 2 August 2026. A delay of the enforcement date for high-risk AI systems has been shared: from 2 August 2026 to 2 December 2027 for AI systems listed in Annex III, and to 2 August 2028 for AI systems covered by Annex I.

Where the frameworks align

| Governance Concern | DAMA‑DMBOK | ISO | EU AI Act |
|---|---|---|---|
| Data ownership & accountability | | | |
| Metadata & lineage | | | ✔ (Article 10) |
| Data quality management | | ✔ (ISO 8000) | |
| Bias & ethical use | Emerging | Partial | ✔ Explicit |
| Audit & assurance | Indirect | ✔ Core | ✔ Mandatory |
| Lifecycle governance | | | |

This convergence means organizations no longer need separate governance programs, they need one operating model that satisfies all three.

Where Microsoft Purview fits

Microsoft Purview does not replace DAMA, ISO, or the AI Act. It operationalises them.

Purview provides:

  • Metadata capture and lineage at scale
  • Policy‑driven classification and protection
  • Evidence‑based compliance reporting
  • Continuous monitoring across data and AI usage

This allows governance teams to move from declared compliance to demonstrable control.

DAMA tells you what good looks like. ISO tells auditors how you prove it. The AI Act tells regulators what you must do. The future of data governance is not choosing between these, it is designing one governance model that satisfies all three.