
AI and Governance Go Hand in Hand: Why Data Governance Must Move in Lockstep with AI Adoption 

Asad Mahmood
11 Jun, 2026

Every executive conversation about AI eventually arrives at the same realization: the technology is the easy part. The hard part is the data underneath it — and the rules, roles, and controls around how that data is used. AI and governance are not two separate programs. They are two sides of the same investment, and they have to move forward together. 

If your data is fragmented, mislabeled, over-shared, or quietly walking out the door through email and external links, AI will not fix any of that. It will amplify it. 

Why This Matters Now

Poor data quality has carried a price tag for years. IBM estimated the U.S. economy alone loses $3.1 trillion annually to bad data (IBM). More recent IBM Institute for Business Value research finds that more than a quarter of organizations now lose over $5 million each year to data quality issues, and 7% report losses above $25 million (IBM IBV). Gartner's current benchmark sits at $12.9 million per year on average per organization — and nearly 60% of companies still do not measure that cost at all (Gartner). 

Inside the analytics function, the numbers tell the same story: data scientists still spend roughly 60% of their time cleaning and organizing data (Figure Eight), and bad data is estimated to consume 20–30% of operating expense (Pragmatic Works). 

Now layer Copilot, Copilot Studio, and a growing portfolio of custom AI agents on top of that foundation. Every gap in classification, ownership, and access becomes a gap in what AI can see, surface, and reuse. Governance is no longer a back-office discipline — it is the control plane for safe AI adoption.  

Data Governance Has Four Jobs

Strong data governance ensures data is:

Without those four, organizations face higher risk, weaker trust in insights, and limited ability to scale AI responsibly.

A Lean Operating Model: Federated Governance with a Central Stewardship Core

In the field, the model that works best is lean federated governance — central standards and stewardship, with ownership distributed to the business domains that actually use the data. It avoids the two failure modes we see most often: IT carrying the entire load, or stewardship that exists in name only.

Each layer and its role:

  • Data & AI Governance Committee: Executive decision-making body. Sets enterprise data and AI strategy, approves KPI standards, owns risk posture, and resolves cross-team disputes. Meets monthly or bi-monthly.

  • Data & AI Governance Working Group: Cross-functional representation from IT, Security, Legal, HR, and the business domains. Drives policies, standards, and definitions and coordinates execution. Meets bi-weekly or monthly.

  • Central Stewardship Core: Day-to-day coordination, RACI maintenance, the business glossary, adoption tracking, and partnership with Compliance on classification and access.

  • Domain Stewards: Finance, PMO, HR, and IT data stewards accountable for classification, quality, access decisions, and acceptable AI usage within their domain.

  • Citizen Developer Community of Practice: Channels bottom-up AI innovation safely; champions training, enablement, and change.

This structure does two things at once: it gives leadership a single accountable forum for AI risk, and it gives the business an operational path to participate without standing up a new bureaucracy.

Put a Stage-Gate on Every AI Use Case 

The fastest way to convert shadow AI into governed AI is a simple, visible intake and stage-gate process. Every Copilot Studio agent, every custom AI solution, every third-party AI tool moves through the same gates before it touches production data: 

[Figure: the AI use-case stage-gate process, ending in post-deploy monitoring]

The point of the process isn't to slow innovation. It's to make sure value, risk, data sensitivity, and ownership are answered before the solution scales. 

Closing the Shadow-AI Gap

Citizen developers are already experimenting. That's a good signal — and a governance risk if it goes unmanaged. We close the gap in three deliberate steps:
  1. Visibility first. Enable Microsoft Purview DSPM for AI to see which users are engaging Copilot and other AI tools, which data sources they are touching, and whether sensitive content is being exposed or summarized. DSPM for AI extends to third-party platforms such as ChatGPT Enterprise and Gemini, Azure AI apps, Entra-registered agents, and browser-based AI activity.

  2. Policy next. Activate the Acceptable Use Policy, Data Classification Policy, DLP and Sharing Policy, Access Control Policy, Incident Response Policy, and AI Risk Management Policy. Move DLP and AI-block policies from simulation into enforcement for Tier 1 data.

  3. Data security last, and continuously. Sensitivity labels, auto-labeling, oversharing audits, Copilot data-access controls, and Purview audit logs are the operational backbone that keeps the policies real.
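One concrete check for step 2 is confirming that no Tier 1 DLP policy is still sitting in test (simulation) mode. The snippet below is an added example, not code from the original post or from HSO; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a Purview compliance admin role, and the policy name at the end is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the account has rights to Security & Compliance PowerShell.
Connect-IPPSSession

# A DLP policy enforces only when Mode is 'Enable'. The Test* modes are
# simulation (alerts and optional notifications, no blocking); 'Disable' is off.
$notEnforced = Get-DlpCompliancePolicy |
    Where-Object { $_.Mode -ne 'Enable' } |
    Select-Object Name, Mode, WhenChanged

if ($notEnforced) {
    Write-Warning "DLP policies still in simulation or disabled:"
    $notEnforced | Format-Table -AutoSize
} else {
    Write-Output "All DLP policies are in enforcement mode."
}

# After review, promote a policy to enforcement. 'Tier1-Copilot-Block' is a
# placeholder name; substitute the policy that covers your Tier 1 classification.
# Set-DlpCompliancePolicy -Identity 'Tier1-Copilot-Block' -Mode Enable
```

Run the query part of this on the same cadence as the governance scorecard, so a policy that was rolled back to test mode during troubleshooting does not quietly stay there.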

Anchor Policies to Recognized Frameworks

Policies don't need to be invented from scratch. The stack we recommend maps directly to NIST AI RMF, NIST CSF, ISO 27001, and GDPR, so internal audit, legal, and external assessors all recognize the controls. A reasonable foundation includes:

  • Acceptable Use Policy for AI and Copilot.

  • Data Classification Policy with explicit handling rules per tier.

  • AI Risk Management Policy covering pre- and post-deployment risk.

  • DLP and Sharing Policy for internal and external data flows.

  • Access Control and Identity Management Policy (least privilege, PIM, MFA, access review cadence).

  • Incident Response Policy with P1–P4 severity, SLAs, and post-incident review.

  • AI Use Case Intake and Governance Policy that formalizes the stage-gate.

  • Data Retention and Lifecycle Policy covering AI interaction logs and audit records.

  • AI Ethics Policy and Third-Party / Vendor Risk Policy as the program matures.

Governance Only Sticks When Leadership Sees It Monthly

A governance program without executive visibility quietly drifts. The fix is a single, one-page executive scorecard reviewed monthly by the Governance Committee. The scorecard we recommend covers four domains:

Each domain and its example KPIs:

  • Copilot Adoption: % of licensed users active this month; 30-day retention rate; average Copilot-enabled apps per active user.

  • Copilot Studio & Agent Governance: % of production agents with full approval; number of shadow agents found in the monthly audit; intake submissions per month.

  • Data Classification & Labeling: overall sensitivity-label coverage; share of Copilot-accessible data that is classified; open critical oversharing findings; business-unit data inventories completed.

  • Risk & Compliance: DLP alerts per 1,000 Copilot interactions; DLP exceptions open for more than 30 days; open high or critical risk items; working group attendance.

A Pragmatic Now–Next–Later Path 

Governance is rarely a single project; it's a phased program. The cleanest sequence we've seen organizations execute is the four-step path below.

The HSO Governance-First Path

If you take one thing from this piece, take this sequence:
  1. Define ownership. Stand up the committee, working group, and stewardship core.

  2. Classify data. Activate sensitivity labels, close oversharing, and align DLP to the classification scheme.

  3. Gate AI use cases. Run every Copilot Studio agent and custom AI solution through intake.

  4. Monitor continuously. One scorecard, one cadence, one accountable forum.

AI is moving faster than most governance programs are built for. The organizations that pull ahead won't be the ones with the most advanced models — they'll be the ones whose governance, security, and data foundations move at the same speed. AI and governance, hand in hand, from day one.

About the Author

Asad Mahmood is a visionary leader in enterprise data transformation with over 25 years of experience driving innovation at the intersection of ERP and AI. As Vice President of Data & AI at HSO, he leads global teams in designing intelligent data platforms that leverage Microsoft Azure, Microsoft Fabric, Copilot, and the Power Platform to drive enterprise transformation. He brings a strategic perspective on how to embed AI and advanced analytics into Microsoft Dynamics 365 and other ERP systems, unlocking business value and accelerating innovation. 
