May 5, 2026

Invisible until it matters

Data Series
| Part
3

Reading time:

4 min read

Governance doesn’t look like anything when it works. The audit is a calendar item. Five questions governance answers before anyone has to ask.

Author

Dimitri Phalen is the marketing lead at ISM who prefers plain language over big claims. For years, he’s worked behind the scenes, translating messy, complex IT problems into something teams can actually use. If something sounds like it was written by someone with not enough coffee, who’s been sitting too close to the delivery team for too long, that’s probably his fault.

At the University of Waterloo’s Cybersecurity and Privacy Institute, researchers needed audit trails and data controls across cloud and on-premises environments without slowing down their timelines. A Kyndryl-led engagement using Microsoft Purview automated sensitive data discovery, classification, encryption, and access policies. Researchers got clearer audit trails and stronger controls. Nothing slowed down.

That’s governance when it works. It doesn’t look like anything. The audit is a calendar item. The classification happens automatically. The access question has an answer before anyone asks it. Nobody holds a meeting about governance because governance is already running inside the pipeline.

Most organisations are not there. Most organisations have governance on a slide, referenced in a policy binder, enforced by nobody in particular.

The policy didn’t keep up. The behaviour didn’t wait.

KPMG’s 2025 research on the Canadian public sector found that fewer than 1 in 4 public sector organisations have formally adopted AI. Nearly half of public servants are already using AI tools at work, many on publicly available platforms (KPMG, March 2026). That’s not an AI problem. That’s a governance gap. The policy was still being drafted in Ottawa while the behaviour was already running in every regional office from Victoria to St. John’s.

In Canada, where PIPEDA, PHIPA, Quebec’s Law 25, and sector-specific mandates all apply simultaneously, governance is a legal and operational necessity. Not a project you run once. A discipline you maintain.

Five questions governance answers before anyone has to ask

Who owns this data? When something goes wrong, the first question isn’t “how do we fix it?” It’s “whose problem is this?” If the answer takes more than one phone call, nobody owns it. Governance assigns ownership to datasets, not job titles. The owner can say yes, say no, and explain why to an auditor without checking with 3 other departments.

Who approved this access, and is it still valid? Access exceptions accumulate like geological layers. Someone needed a permission 2 years ago, got it, changed roles, and the permission stayed. Multiply that across an organisation and you get an attack surface nobody designed and nobody reviews. Governance builds expiry into access. Review cycles that actually happen. Logs that match reality.

What happens when this person leaves? If a departure triggers a scramble to figure out which systems they had access to and which processes depended on their institutional knowledge, that’s not a handoff. That’s a discovery exercise with a salary attached. Governance documents the dependencies before the resignation letter.

Can we prove what we told the auditor? Gary’s team ran through last quarter’s audit in 2 days. The lineage was in the pipeline. The classifications were in Purview. The access logs matched the policy. The auditor left early. That’s the boring version. The interesting version involves a war room, 4 weeks of retroactive evidence assembly, and a compliance team that aged visibly. Governance makes the boring version possible.

Is this data trustworthy enough to feed a model? AI doesn’t care about your governance maturity. It will train on whatever you give it. Inconsistent, unclassified, sourced from a system that 3 teams use differently: the outputs will reflect every one of those problems. Governance is how data gets consistent enough and traceable enough that AI outputs become decisions people act on instead of suggestions they ignore.

Governance that sticks is governance that ships with the work

Microsoft Purview handles the mapping: metadata, sensitivity levels, ownership, from day one. Not a one-time project somebody adds to a Gantt chart and forgets. An ongoing discipline that updates when the environment changes, which in most organisations is constantly.

Embed governance into operations: cataloguing, access control, data quality workflows, project planning. Not an annual policy review that lives in a SharePoint folder and gets dusted off when the auditor calls.

Wire in the enforcement layer: Microsoft Sentinel for real-time policy enforcement and anomaly detection, Entra ID for identity governance, Defender for threat response. The tools exist. The intent to connect them to the governance framework is the part most organisations skip.

Generate the evidence as work happens. Automated lineage, precise classifications, complete visibility. Audits become routine reviews. Not firefights.

Where this leads

Governance decides the rules. Security enforces them. The data doesn’t care about your firewall covers the architecture that makes governance enforceable.

Governance without a catalogue is policy without evidence. You can’t protect what you can’t find covers the visibility layer governance depends on.

And if your AI initiative is waiting on governance to clear legal and procurement, the AI Readiness service is built around making that happen faster.

Want to understand how we work?

Every conversation starts with your environment. Not our product list.

Get in touch
ArrowArrow

It's not about the technology, or the processes. It's about your clients, your users, and the hard won trust you've built. Every team here keeps that at heart.

Mobile CTA