Assessment
M365 AI Governance Gap Analysis
A scoped assessment that maps where the chain of custody over corporate data breaks
What We Find
Common chain-of-custody breaks
Illustrative findings from M365 AI governance gap analyses. Actual results vary by environment.
Shadow AI Apps with Mail Access
Third-party AI applications with OAuth consent to read corporate email, granted by individual employees without admin approval, persisting in the tenant until someone revokes them. Chain of custody break: data leaves the authorized boundary through a consent grant IT never reviewed.
Copilot Oversharing via SharePoint
Microsoft 365 Copilot surfacing documents from SharePoint sites with no access restrictions. HR, finance, and legal folders readable by any licensed user through Copilot search. Chain of custody break: the AI surfaces content that permission structures failed to protect.
Unmanaged Devices Accessing AI Services
AI tool sign-ins originating from personal devices with no MDM enrollment. Conditional Access policies that do not distinguish managed from unmanaged device access to AI-connected services. Chain of custody break: corporate data accessed from devices outside organizational control.
No Acceptable Use Policy for AI
No written AI acceptable use policy distributed to employees. No acknowledgment tracking. Chain of custody break: no documented governance standard for employees to follow or auditors to verify.
How It Works
Three steps from posture to report
Read-only, non-invasive, and documented.
Score
Start with our free scorecard to identify your governance posture. 10 questions, 2 minutes. See where the gaps are before we touch the environment.
Map
Read-only Graph API access maps OAuth applications, Copilot licensing, conditional access, and device compliance. We catalog which AI tools have access, which identities authorized it, and where controls break. No agents installed. No disruption.
Document
Receive a comprehensive report with inventory, flow analysis, gap identification, and remediation considerations. Findings mapped to your applicable regulatory framework. A documented record that demonstrates governance diligence.
How we access the environment
Application permissions via app registration in Entra ID. The admin grants access and can revoke it at any time.
We read sign-in logs, consent records, access policies, service principal configurations, and SharePoint permission structures. We do not read email content, files, or chat messages. No software installed on endpoints. No access to network infrastructure.
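As an added illustration of the Map step (not the assessment's own tooling), the script below joins consent grants to service principals and flags every grant carrying a mail scope, recording whether a user or an admin consented. It runs on constructed JSON shaped like the Graph responses from GET /oauth2PermissionGrants and GET /servicePrincipals; the app names, ids and scopes are placeholders, not real tenant values.

```python
import json

# Added example: flag consent grants that give an app mail access and record the
# consent origin. Input is constructed JSON in the shape of the read-only Graph
# endpoints GET /oauth2PermissionGrants and GET /servicePrincipals.

# Delegated scopes that let an app read or send mail on the consenting user's behalf.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadBasic", "Mail.ReadWrite", "Mail.Send"}

# Constructed sample data; identifiers are placeholders, not real tenant values.
SERVICE_PRINCIPALS = json.dumps({"value": [
    {"id": "sp-1", "displayName": "Example Summarizer AI", "publisherName": "Example Vendor"},
    {"id": "sp-2", "displayName": "Corporate Ticketing", "publisherName": "Corp IT"},
]})
GRANTS = json.dumps({"value": [
    # consentType "Principal": one user consented; principalId is that user.
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-42",
     "scope": "openid profile Mail.Read offline_access"},
    # consentType "AllPrincipals": tenant-wide admin consent; principalId is null.
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]})


def find_mail_consents(sp_json, grants_json, mail_scopes=MAIL_SCOPES):
    """Join grants to service principals; return one finding per grant with mail scopes."""
    sps = {sp["id"]: sp for sp in json.loads(sp_json)["value"]}
    findings = []
    for grant in json.loads(grants_json)["value"]:
        granted = set(grant["scope"].split()) & mail_scopes  # scope is space-separated
        if not granted:
            continue
        sp = sps.get(grant["clientId"], {})
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "publisher": sp.get("publisherName", "unknown"),
            "mail_scopes": sorted(granted),
            # "Principal" means an individual user consented without admin review.
            "consent_origin": "user" if grant["consentType"] == "Principal" else "admin",
            "consented_by": grant["principalId"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_mail_consents(SERVICE_PRINCIPALS, GRANTS):
        print(finding)
```

The same join, keyed on consentType and principalId, is what lets an inventory show not just which apps hold mail access but who authorized it.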
Deliverables
What the report includes
AI Tool Inventory
AI applications discovered through Graph API sign-in and consent analysis, including shadow AI. Enterprise apps, third-party integrations, and user-consented applications cataloged with permission scopes and consent origins.
Data Flow Analysis
Where corporate data flows based on permission grants and access patterns for each discovered AI tool. Inferred from consent scopes, sign-in activity, and service principal configurations. Not observed network traffic.
Governance Gap Report
Gaps mapped to the applicable regulatory framework (HIPAA, FINRA, SOC 2, CMMC, or state privacy laws), with risk prioritization and specific remediation steps the IT team can act on immediately.
Executive Summary
Board-ready overview for leadership decision-making. Written so a compliance officer or CFO can understand the findings without technical translation.
Engagement Model
Scoped professional engagement
This is a scoped professional engagement, not a free scan. 2–3 weeks from access to report. Pricing may vary based on environment scope.
The scorecard tells you where to look. The assessment shows you what is there: documented evidence, not opinion.