IM BLOG: When Easy Becomes Risk: Governing Information in an AI-Enabled Workplace

Microsoft 365 has become the default work environment for many organisations. It is familiar, accessible and deeply embedded in day-to-day business activity. At the same time, AI capabilities are being layered into that environment at speed, promising productivity gains and new ways of working. On the surface this looks like progress made simple.

However, the reality is more complicated. Convenience, accessibility and speed are precisely the conditions under which information governance fails if it is not deliberately designed in. In an AI-enabled Microsoft 365 environment the question is no longer whether information can be found or shared, but whether it should be and under what conditions.

The ASAP problem: when everything must be accessible

One of the defining tensions in modern information environments is the push to make content accessible as soon as possible. Productivity, collaboration and responsiveness are rewarded, while friction is seen as inefficiency. In an AI context, this pressure intensifies. AI tools work best when they can see more information, not less.

This creates what might be called an ASAP problem: accessibility, speed and productivity are prioritised, often ahead of security, privacy and accountability. Instead of information that should no longer exist being restricted or protected it is left broadly available because that is the easiest path operationally.

When something goes wrong, the response is often to look for an individual error, the person who overshared, the team that stored content in the wrong place, the system that was misconfigured. These are symptoms of a deeper design problem. Information environments that rely on perfect user behaviour are not governance frameworks; they are risk engines.

Information management didn’t disappear, it resurfaced

There has been a long-running narrative that modern platforms made information management less relevant. Search would solve classification. Storage would solve retention. Automation would solve compliance. AI has exposed how fragile those assumptions were – and still are.

In an AI-enabled environment, unmanaged content does not just sit quietly in the background. It is surfaced, summarised, correlated and reused. Content that should have been disposed of, protected or contextualised becomes active again, sometimes in ways that were never anticipated.

This is why information management is experiencing a resurgence. Not because the principles changed but because the consequences of ignoring them are now immediate and visible. AI does not tolerate ambiguity well. It highlights whatever structure, or lack of structure, already exists.

Structure is not about control, it is about safety

A recurring theme in modern Microsoft 365 environments is the absence of reliable structure at scale. Content lives across OneDrive, Teams, SharePoint sites, email and legacy repositories, often with inconsistent metadata, retention and access controls. From a user perspective, this feels flexible. From a governance perspective, it is opaque.

Records and information managers understand that structure is not about limiting work; it is about making safe behaviour the default. Structured workspaces, consistent metadata and inherited controls reduce the need for constant decision-making by users. When the right thing is also the easy thing, compliance becomes sustainable rather than aspirational.

This matters even more in an AI context. AI systems draw heavily on structured signals (labels, metadata, permissions, retention rules) to determine what content can be accessed and how it is used. Where those signals are weak or inconsistent, AI cannot distinguish between content that is private, restricted, sensitive or out of date. Governance failures become automated.

The quiet risk of information hoarding disposal

Most organisations keep far more information than they need. Some of this is deliberate caution, much of it is inertia. Disposal is uncomfortable, especially in environments where information is distributed and ownership is unclear. The result is information hoarding disguised as risk management.

In an AI-enabled environment, hoarding becomes a liability. The more information retained without purpose, the larger the surface area for privacy breaches, inappropriate access and misuse. AI systems trained or assisted by that content inherit its risk profile.

Systematic disposal is therefore no longer just a cost-management exercise. It is a privacy and AI risk control. Records and information managers are uniquely placed to make that case, because they can connect retention decisions to real exposure rather than abstract policy. Modern platforms such as Microsoft 365 now make systematic, defensible disposal achievable at scale.

Guardrails, not heroics

A consistent message emerging from modern governance practice is that guardrails matter more than heroics. Expecting users to remember what is sensitive, what is restricted and what should not be used by AI is unrealistic at scale. Governance has to be embedded into the environment itself.

Signals such as sensitivity labels, metadata and clearly defined exclusions (not for AI, restricted, private) are how organisations teach systems and people what not to touch. This is not about blocking innovation, it is about directing it responsibly.

The emphasis has shifted. The work is less about enforcing rules after the fact and more about shaping environments so that compliance is the default state. That is a design challenge as much as a policy one.

The limits of platforms and the role of judgement

Microsoft 365 and its associated compliance tools are powerful but they are not neutral. Pattern-based retention, complex configuration options and gaps in user-level governance all require careful oversight. Without informed judgement, configuration complexity can itself become a source of risk.

This is where records and information management expertise remains essential. Platform capabilities do not replace professional judgement, they depend on it. Decisions about classification, retention, disposal and access cannot be fully automated without context. Someone still has to decide what matters, what is sensitive and what should no longer exist.

As AI becomes more embedded in everyday work that judgement becomes more visible and more valuable.

Asking better questions, earlier

One of the most practical shifts records and information managers can make is to change the questions they ask. Not can we do this in Microsoft 365?, but should we and under what conditions?. Not is AI enabled?, but what information will it be able to access and why?.

These are governance questions not technical ones. They require an understanding of business purpose, legal obligations, privacy expectations and organisational risk appetite. They also require confidence to engage with IT and digital teams as peers not downstream implementers.

The real work of making it easy

The promise of modern platforms is that they make work easier. The risk is assuming that ease and safety are the same thing. In an AI world, they are not.

The real work for records and information managers is not resisting change but shaping it, ensuring that simplicity does not come at the cost of accountability. That means designing environments where structure is invisible but effective, where disposal is routine rather than exceptional and where AI operates within clearly defined boundaries.

Information governance in a Microsoft 365 world is no longer about locking things down. It is about making responsible use scalable.

This blog is based on the RIMPA Live 2025 presentation Content Management and Compliance Made easy in Microsoft 365 for an AI World by Andrew MacKenzie  

Meet your blog author:

 

Andrew Mackenzie, Modern Work, Security and Governance Lead, Professional Advantage

Andrew has over 25 years experience in helping business's optimise IT operations, increase staff productivity, improve governance and reduce risk for better business outcomes.