There's a pattern emerging in conversations with South Australian businesses right now. Someone in leadership has decided it's time to roll out Microsoft 365 Copilot. Licences are either purchased or on order. There's genuine enthusiasm. And then someone asks a question that stops the project in its tracks: "Wait, what data can Copilot actually see?"
That question matters more than most organisations realise. And Microsoft, to their credit, has built a tool specifically designed to answer it before you flip the switch on AI. It's called Data Security Posture Management for AI (DSPM for AI), and it's part of the Microsoft Purview compliance suite. If you're planning to deploy Copilot or any other AI tool against your Microsoft 365 data, running DSPM for AI first isn't optional. It's the responsible thing to do.
What Microsoft DSPM for AI Actually Is
Microsoft Purview DSPM for AI is a set of capabilities within the Purview compliance portal that gives you visibility into how AI tools interact with your organisational data. Think of it as a readiness diagnostic. It scans your environment, surfaces potential risks, and tells you what needs to be addressed before your AI deployment goes live.
Specifically, DSPM for AI does four things:
- Data discovery: It identifies where sensitive data lives across your Microsoft 365 environment (SharePoint, OneDrive, Teams, Exchange), including data that may have been sitting there for years without anyone paying close attention to it.
- Sensitivity labelling: It connects with Microsoft Purview Information Protection to assess whether your data has appropriate sensitivity labels applied, and highlights content that's unlabelled or miscategorised.
- Oversharing detection: It identifies files and sites that are accessible to far more people than they should be, such as content shared with "everyone in the organisation" or with open external sharing links that nobody has thought to revoke.
- Copilot readiness reporting: It generates reports that give you a clear picture of your data security posture specifically in the context of AI tool deployment, including recommended remediations.
It doesn't block AI. It doesn't slow your deployment down arbitrarily. It gives you the information you need to make an informed decision about what's safe to proceed with and what needs to be cleaned up first.
The Data Oversharing Problem Is Real, and Most Businesses Have It
Here's an uncomfortable truth: most organisations have years of poorly governed data sitting in their Microsoft 365 environment. Files shared broadly during a project that was never tidied up afterwards. SharePoint sites that were set to "everyone in the organisation" during a rollout and never revisited. Documents containing salary information, HR records, or commercially sensitive details that technically anyone with a company login can access.
In a world without AI, this is a manageable problem. Not ideal, but manageable, because employees generally only find files if they're explicitly looking for them, and most people aren't rummaging through every SharePoint site in the organisation.
Copilot changes that calculus entirely. When a staff member asks Copilot "What are the salaries of our senior team?" or "What were the commercial terms in our last tender submission?", Copilot will search everything that user has access to and synthesise an answer. If the permissions haven't been correctly configured, if those documents are accessible to that user even though they shouldn't be, Copilot will surface that information, fluently, in a direct response.
This isn't a bug. It's Copilot working exactly as designed. The problem is the data governance posture that existed before Copilot arrived. DSPM for AI is the tool that makes those issues visible before they become incidents.
Why This Connects Directly to AI Readiness
We talk a lot about AI readiness: technology fit, licence management, user adoption. The data security dimension is what carries the most direct risk, and it's the one that gets addressed last. You can train your team on how to prompt Copilot and configure your licences correctly, but if the underlying data environment isn't governed, the AI will surface whatever's there, including things that were never meant to be broadly accessible.
DSPM for AI is what moves an AI deployment from aspiration to something defensible. It shifts the conversation from "we think our permissions are okay" to "here is a report showing exactly which content is overexposed, and here is our remediation plan". That's the difference between an AI deployment done properly and one that creates a headline-worthy incident six months later.
The Australian Privacy Law Angle
Australian organisations subject to the Privacy Act 1988, and the Notifiable Data Breaches scheme under Part IIIC, should be paying close attention here. The NDB scheme requires organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. AI-driven oversharing scenarios could plausibly create exactly that kind of breach.
Beyond the breach notification question, the Privacy Act requires entities to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Deploying a powerful AI tool against an ungoverned data estate, without first assessing the data security posture, is difficult to characterise as a reasonable step. DSPM for AI is part of how you demonstrate that you've done the governance work.
This isn't hypothetical. As AI adoption accelerates across Australian business, regulators are going to start asking harder questions about what due diligence organisations undertook before deploying AI tools against personal data. A documented DSPM assessment, remediation plan, and ongoing monitoring posture gives you something concrete to point to, evidence you did the governance work before something went wrong, not after.
What Adelaide and SA Businesses Should Do Right Now
If you're planning an AI deployment, whether that's Copilot, a third-party AI tool integrated with Microsoft 365, or anything else that will access your organisational data, here's the practical sequence we recommend:
- Run a DSPM for AI assessment. Use the Microsoft Purview portal to generate a current-state view of your data security posture. Understand what's exposed, what's unlabelled, and what needs immediate attention.
- Review and remediate oversharing. Work through the oversharing findings systematically. This typically means reviewing broad sharing permissions on SharePoint sites, removing stale external sharing links, and tightening "everyone" access grants that shouldn't be that broad.
- Apply sensitivity labels to key content. Prioritise your highest-risk content categories: HR files, financial records, board papers, commercially sensitive documents. Ensure they carry appropriate sensitivity labels that will influence how Copilot handles and presents that information.
- Then deploy AI, with ongoing monitoring in place. DSPM for AI isn't a one-time exercise. It's an ongoing monitoring capability. Once your AI tools are live, you want continuous visibility into how they're interacting with your data, not just a snapshot taken at deployment time.
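To make the review-and-remediate steps concrete, here is an added example (not Microsoft's tooling and not a Purview export format) that ranks overshared items in a constructed permissions inventory and lists what a given user can reach. The schema, label names, scoring weights and stale-link threshold are all assumptions made for illustration.

```python
from datetime import date

# Principals meaning "every signed-in user" (assumed values in the export).
ORG_WIDE = {"Everyone", "Everyone except external users"}
# Label names and the stale-link threshold are assumptions for this example.
HIGH_RISK_LABELS = {"Confidential", "Highly Confidential"}
STALE_LINK_DAYS = 180

# Constructed inventory; the schema is hypothetical, not a Purview export format.
INVENTORY = [
    {"path": "/sites/HR/Salaries-2024.xlsx", "label": "Highly Confidential",
     "grants": {"HR Team", "Everyone except external users"}, "link": None},
    {"path": "/sites/Bids/Tender-Terms.docx", "label": None,
     "grants": {"Bids Team"}, "link": "anonymous",
     "link_created": date(2023, 1, 10)},
    {"path": "/sites/Intranet/Holiday-Calendar.pdf", "label": "General",
     "grants": {"Everyone except external users"}, "link": None},
    {"path": "/sites/Finance/Board-Pack.pdf", "label": "Confidential",
     "grants": {"Board"}, "link": None},
]

def findings(item, today):
    """Return (score, reasons) describing how overexposed one item is."""
    created = item.get("link_created")
    link_age = (today - created).days if created else 0
    org_wide = bool(item["grants"] & ORG_WIDE)
    checks = [
        (org_wide and item["label"] in HIGH_RISK_LABELS, 5,
         "high-risk label with org-wide access"),
        (item["label"] is None, 2, "no sensitivity label"),
        (item["link"] == "anonymous", 3, "anonymous sharing link"),
        (link_age > STALE_LINK_DAYS, 1, "stale sharing link"),
    ]
    hits = [(weight, why) for hit, weight, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(inventory, today):
    """Items needing remediation as (path, score, reasons), worst first."""
    rows = [(i["path"], *findings(i, today)) for i in inventory]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])

def reachable(inventory, memberships):
    """Paths a user can open through group or org-wide grants, i.e. what an
    assistant grounded in that user's access can draw on."""
    principals = set(memberships) | ORG_WIDE
    return sorted(i["path"] for i in inventory if i["grants"] & principals)

if __name__ == "__main__":
    for path, score, reasons in triage(INVENTORY, date(2025, 1, 1)):
        print(score, path, "; ".join(reasons))
```

Calling reachable(INVENTORY, []) for a user with no group memberships still returns the salary spreadsheet, which is the exposure the oversharing review is meant to close before Copilot is switched on.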
My Take: AI Governance Is Now a Pre-Requisite
I've been doing AI strategy work with South Australian businesses for several years, and the conversation has changed significantly in the past twelve months. The businesses getting this right treat AI governance as a foundation requirement, something you sort out before the AI goes live. Not a compliance checkbox to tick once the tool is already running.
Microsoft DSPM for AI is the most practical tool currently available for getting that foundation right in a Microsoft 365 environment. It's not perfect, no tool is, but it gives you visibility, it integrates with the rest of the Purview stack, and it's purpose-built for exactly the situation most Australian businesses find themselves in: years of accumulated data, imperfect governance, and a new generation of AI tools that will surface all of it.
If you're serious about AI readiness, and you want to deploy Microsoft 365 Copilot in a way that's defensible to your leadership team, your clients, and if necessary your regulator, start with DSPM for AI. Not as an afterthought. Before you go live.
