Journals of the Information Entrepreneur - Jacqueline stockwell
Welcome to "The Journals of the Information Entrepreneur"! Hosted by Jacqueline Stockwell, CEO and Founder of Leadership Through Data, this podcast is dedicated to empowering and inspiring information leaders across the globe. Jacqueline shares her expertise in revolutionizing information management training and delivering it in a way that captures the audience's attention and ensures their time is well spent. In each episode, Jacqueline engages with industry experts and thought leaders to discuss the latest trends, challenges, and best practices in information management.
Journals of the Information Entrepreneur - Jacqueline stockwell
042 The AI Readiness Roadmap: Cleaning Your Data House with Purview.
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
How do you keep your company’s information safe in a world full of AI? In this episode, Jacqueline Stockwell talks to Microsoft Purview expert Kunal.
Kunal explains that "Information is Gold," but many companies aren't guarding it the right way. He shares a surprising "spoiler": AI agents can actually be more dangerous to your data security than your own employees.
We talk about:
Smart Tools: How to use Microsoft Purview to automatically protect your files.
Human Behavior: How to spot risky actions before they become big problems.
Handling Change: Why the best technology fails if you don't help your team adapt.
Cleaning Up: How to find and remove old, useless data to lower your risk.
Why listen?If you use Microsoft tools at work or care about data privacy, this episode gives you a simple roadmap to follow.
Guest: Kunal (Microsoft Purview Architect)Host: Jacqueline Stockwell
Keywords: Microsoft Purview, Data Security, AI Risks, Compliance, Simple Tech, Information Management
Hello and welcome to today's show. I'm Jacqueline Stockwell, CEO and founder Leadership Through Data. I inspire and motivate information leaders across the world. Hello and welcome to the show. I'm here today with Canal Kankare. And Canal is a Microsoft Purview Solutions architect and industry thought leader with over 15 years of experience. He's an absolute veteran in information protection space and he's known globally for his technical blogs and his international speaking engagements. Designed and deploys scalable enterprise grade frameworks across the entire purview stack, and he specializes in turning complex compliance requirements into streamlined automated workflows for global organisations. Now, Canal is focused on driving compliance maturity. He aims to move companies beyond basic information security by building long-term strategy roadmaps that align security with his core business goals. Now, Canal, I'm so excited to have you on the show. You're also a trainer for us at Leadership with Data, but you're also a good friend of mine. So it's been too long. We should have found out much earlier. So I appreciate you being with us today. And just to kick us all off, you've helped organizations ranging from 100 to 1000 users. What is the biggest difference in how a scalable framework looks for a global enterprise versus a mid-market company?
SPEAKER_00Okay. Thank you, Jackie. I mean, before I answer this question, thank you for having me here. I know I've been listening to all your previous podcast sessions, roughly 30 minutes each, I guess, and they've all been power-packed. Um, and and you know, very informative. So I would encourage people to go and listen to all the other sessions that you've done in the past as well. There's a lot of information and you've had a variety of speakers. So I think that that adds real value. And coming back to the question that you've asked, yes, I have worked with organizations, you know, with 500 users and also organizations that have 120,000 users plus. Um, and definitely there's a lot of difference, but you know, surprisingly, the biggest difference is not the technical part at all. There are two things that make um, you know, the difference in these purview deployments. One is the impact analysis of um rolling out these purview controls. That makes a difference because you know, in large organizations, it takes a lot of time. So the process is very lengthy. You the sign-off that you get because you have to get approvals from different departments, and large organizations also use a lot of different other tooling mechanisms that they have. So when we do a deployment, you have to do the impact analysis across all the different processes, all the different toolings that they've been using, and which should not break the existing processes that they have. So that's one. The second one is change management and adoption. I think that also makes a lot of difference between a mid-market company and a larger organization. So, for example, in a smaller organization, you would just explain what's happening, you could run a short pilot, and the users adapt quickly because you know the distance between the decision makers and the users is very small in a smaller company. And in large enterprises, adoption is um, you know, is a program in itself. It's not just an announcement that you can make. You're dealing with, you know, multiple regions, you're uh dealing with different regulatory expectations, you have various levels of um um, you know, users with different levels of technical maturity and the user base is is widely varied. So I think that's the difference between when I mean when you deploy for a smaller organization and a larger organization.
SPEAKER_01Amazing. And I love the fact that you've brought up around about change management because it's huge, and I think a lot of organizations just forget about it. And to actually get a really good successful deployment, change management, um, and I always say it's a process for people, and you can't have a successful deployment without people. So I love that you've spoken about that. I'm always in awe of how much you know about Microsoft 365 canal, and I want to touch a little bit on now policies versus labels debate. So you recently wrote about the um nuances between retention policies and retention labels. So, in a whole tempo environment, how do you decide which one should be the workhorse and which one should be the precision tool?
SPEAKER_00Okay, and and um, you know, it's very interesting that you've asked this question. This particular piece of um article that you talked about, the blog post that I wrote, has recently been also published by I IRMS in their IRMS UK in their January bulletin, 2026 bulletin, which is just last month. And they published the entire uh blog post in their bulletin that they send out to their members. Um I think I think it's kind of a hot topic right now. But you know, I actually don't see this as a t-belt at all. Um in the real world, policies and labels aren't competing, they're kind of complementary. And you know, both are built for the same purpose, which is to decide how long an information lives, right? And when that it should be deleted. So the only difference, of course, I wouldn't get too technical because it's all out there and everyone knows about it. Labels also help you mark the file as a record, which also helps achieve immutability. And then you can, of course, uh dispose information after reviewing it, and you also have the proof of disposition. But then the biggest question is if you would ask me that in the real world, where have I actually implemented retention policies is, you know, when there is a design decision that is being made, which is kind of an enterprise-wide design decision. For example, an organization has made clear that okay, we do not want to keep on-business emails um beyond X years, or we do not want to keep uh uh team shed uh after a couple of years. In that, in those scenarios, retention policies are the best fit, right? You do not want um uh labels uh to be applied to um to a scenario uh where um you know it's it's kind of enterprise-wide. So that's how we've been deploying retention policies. But labels, of course, as you know, are used when there is a regulatory requirement, when the um intent is to prove defensibility, right? And in scenarios where regulatory accounting or accountability really matters. So things like you have records or legal artifacts or content that must be reviewed before it gets deleted. So in those scenarios, you would use labels and policies. Yeah, that's that's how I would.
SPEAKER_01Amazing. Amazing. Thank you. So I want to ask you a question about adaptive scopes. Um, but before you ask the question, what is adaptive scopes?
SPEAKER_00Okay, um, thank you for asking. This is one of my favorite features. You can target locations where you want to apply policies, um, specifically retention policies and records management policies. Okay. So, for example, you want to roll out uh a specific policy to all the sites that belong to you know the finance department. Now, there is a way by which you can tag sites to which business function they belong to. Uh it's something it's called some it's it's called property banks. And by the use of that, you can tag sites that okay, this particular site belongs to finance, this site belongs to HR, etc. etc. And the real problem so was that in in before redactive scopes came in, uh we used to have static scopes where you know you really had to manually list down that okay, sites 1 to 10 are finance, and you had to add them to the policy manually. So each time a new site would get created, you would have to go and edit the policy and then add the site back again, right? And if some site gets deleted, then you would have to remove it. Or if if a site moves from finance to let's say um HR for some reason, then you would have to remove it out of the policy. All that was manual. Or the other thing that I did back then was to write scripts to do it. So what Microsoft did was to automate this entire thing, where you can say that okay, I want to apply a policy to all sites that belong to the finance department. Then that policy could be different from a policy that's applied to the HR sites.
SPEAKER_01Nice, amazing. Thank you for that. So you can only advocate for adaptive scopes as a smart way to automate. From um an architecture just starting out, what is the number one pitfall they'll encounter when trying to move from static scoping?
SPEAKER_00For you know, okay, if someone is just trying to switch from static to adaptive scopes, the first thing that they might miss is to, you know, check the quality of the details available. When I say the quality of the details, those details could be in intra, those details could be, you know, how their sites have been tagged already. Because in most of the organizations where I've seen adaptive scopes fail is because their attribute values are all over the place. Right? For example, some uh people in the organization or some users do not even have a department uh value specified in their intra ID attributes. Or if someone belongs to HR and they suddenly move to let's say sales and marketing for some reason, the the data is still stale, right? It still shows HR for them. So in that case, your adaptive scopes will fail. You need to sort that out first. And if adaptive values or if these attribute values are all over the place, of course, adaptive scopes will fail. And in fact, it will also increase the magnitude of the problem. So yeah, you have to be really careful when you start with adaptive scope.
SPEAKER_01So let's talk more about purviews.
SPEAKER_00So the inside risk management in purview, Jackie, is that what you asked?
SPEAKER_01Yes. Just a wide summary of what purview is for the listeners that don't know.
SPEAKER_00Okay. So purview is, you know, earlier it was called the compliance center. It is the heart of you know information management, I would say, within the M365 world. So activity and compliance, it's there in purview. So all the workloads like you know, data loss prevention, your retention, records management, your insider risk management, your information barriers, e-discovery, everything is a part of you know the entire purview workload. So the purview workload helps govern and protect information. So all the tooling that's required to, you know, govern protect information sits within purview. And one of the tools, of course, is the insider risk.
SPEAKER_01Implementing insider risk management can be culturally sensitive. How do you advise organizations to balance detecting malicious intent with maintaining employee privacy, especially with purview's uh pseudo-manization features?
SPEAKER_00Okay, now insider risk management has this actually great feature, which is the pseudo-normization feature, right? And one thing to understand when you're starting out with inside or when you're starting with uh insider risk management is that you're chasing risky situations and you're not chasing risky people, right? So by default, you're not looking at, you know, names and faces, you're looking at behaviors, behaviors like you know, large downloads or unusual sharing or access at odd hours. I mean, these are the behaviors that you want to track. And and this particular feature in purview really helps enforce that mindset. And and then the question automatically becomes that, you know, is this activity unusual or dangerous for the business? Or and the question is not who did this. So the moment you start thinking who did this, and I want to really target a specific user, then you are, you know, um risking that privacy violation thing. So the identity ideally should only come into play when there's a clear justified escalation path. So you do not want to unmask your users unless you have, you know, real signal or you have proper approval and you have a documented reason to know who the user is behind that particular, you know, violation. So I I think that's where this particular feature really helps.
SPEAKER_01When you're starting out, you start with that, and then you know, gradually when you have proved that, okay, this was really an activity that needs to be investigated and you really want to involve legal, that's when you want to, you know, find out the name of the Now with the new data security posture management, so DSPM assessments, how should architectures or information managers prioritize remediating overshared items without breaking existence existing business workflows?
SPEAKER_00Uh I I'm glad you asked this question because you know I get this a lot from customers. Because the moment you run assessments, um, DSPM assessment or any assessment that, you know, reveals what is being overshared, um, and usually, more often than not, that report is very huge. Right? We know that people have overshared, we we know permissions are a mess. Um and I think the important piece is how do you then go about remediating for me? The immediate thing would be, you know, to figure out what are the quick weights. So for example, for one organization, we did a similar assessment, and the first thing that we figured out was that okay, there are files that have been sitting in one drive that have been shared using anonymous links outside the organization. Now the problem with that is you will never know who is able to access the file inside or outside the organization for how long, etc. etc. So the first thing that we did was to recommend that we disable that anonymous links feature. And we did that. It was a quick win because we did not have to explain a lot to the users, it was a bare minimum for an organization like that. And then you start looking for, you know, the riskiest locations first. So sites with, you know, external access, sites where you have highly classified information that's sitting in one place. And um you might even have sites uh where you know uh the highly sensitive information that you discover using your assessment um is also revealed in those reports. Um those sites you want to target first, and of course, you may not be able to remediate everything quickly, so prioritization becomes really important. And I would prioritize uh the entire report that comes out of the assessment in this manner.
SPEAKER_01Amazing. Amazing. Uh so let's talk about Copilot. I love Copilot, um, it really helps me with my productivity. Um but there are some other um things that you have to think about uh when you're uh working with copilot. So Microsoft is expanding insider risk management to include AI agents. Do you see AI agents becoming a bigger risk vector for data exfiltration than actual human employees in 2026?
SPEAKER_00Well, one thing is that when whenever Microsoft makes huge investments into a specific technology, which is co-pilot in this instance, you know, there are always risks of information leakage. And especially with um now, you know, earlier when we used to do purview before the copilot era and before the entire AI, generative AI era as well, we have always focused on humans, right? We've always focused on humans making mistakes, they send the wrong file, they click the wrong link. But you know, it has always been episodic. It's it's never been, you know, very rampant. Because when a human does it, there's always a friction, there's always a hesitation, right? Or they do it by mistake. Now, with AI agents, that friction disappears, right? The agent can, you know, query, summarize, export that data to hundreds of sources and all that within seconds and minutes. So if you do not manage your permissions tightly before even rolling out co-pilot, um, you know, your blast radius is very huge. So by 2026, uh at least by the end of 2026, I would see that um AI agents become a bigger, you know, vector for these unintended data exposure than humans because you know, of course, they will the scale at which the AI agents can operate, right? That's going to be indefinitely greater than what humans can do. So if your governance and your risk controls aren't ready for that velocity, um you won't be able to catch that problem until it's already happened. So that's why, you know, when Microsoft announced that various Furview workloads will start including AI agents as a as a as a location to target, I think it that was essential, it was required. And um, you know, it will start forcing organizations to think in terms of behaviors at scale, right? It was not just like we are just watching this particular person. The earlier organizations start treating AI agents as actors in the risk model, the better positioned they will be to, you know, stop exfiltration before it becomes true.
SPEAKER_01Yeah. And the big thing that I have can now is that everyone's talking about AI and they're talking about the tech, but they're not actually talking about all the stuff that AI runs off, which is information. And if us as information managers, records managers, kind of information leaders aren't there to be able to support the business to do the tech, then you're going to end up in a right mess. But still, nobody's still talking about what we do as a profession, which I find highly frustrating. Um, because actually, you know, it's rubbish in, rubbish out, or the saying goes, isn't it? That you can't, you know, and then you're opening your information to security issues and information is gold. Why aren't, oh, why aren't information leaders golden? You know, we should be golden nuggets in every organization.
SPEAKER_00No, I completely agree. I think um AI readiness is going to be a topic that, you know, information leaders um or CESOs of the organization will have to start thinking about before they start deploying these controls within the organization.
SPEAKER_01Yeah, a thousand percent. And I think it just needs to go up higher, it needs to go up to government, and everybody needs to be talking about it, and that's my mission anyway.
SPEAKER_00We are just we are just one breach away before that happens.
SPEAKER_01Uh so just to touch a little bit more on purview. So, how does Purview Architect keep a repeatable framework for becoming obsolete when Microsoft releases major roadmaps at which update every few weeks or every few days or every few hours Microsoft puts an update in?
SPEAKER_00Oh my god, this is a real problem for even you know for consultants like us because every day there's something new. There is something new that Microsoft is rolling out within the entire Microsoft team. I think purview seems to be the biggest, hottest piece. And there is always a new feature. Either they rename things or, you know, they just move things around. And the simplest way to tackle this, this is the one thing that I tell before we start an engagement, is that we will never build, you know, the blueprint or the framework based on configurations or buttons. So we will not look at features and then derive this is what we want, right? We will look at the real use cases first, what an organization wants in terms of use cases. Let's leave the tech aside. We do not want to look at the tech. It could be purview, it could be something else later on. But what what does the what are the actual use cases for the organization? What are the design principles that we want to adhere to? I mean, it could be purview, it could be some other tool as well, but the principles should remain the same, right? Those could be the sharing principles, those those could be our retention principles or any of those. And then you know, you start breaking down, breaking them down into use cases, and then you you know write what is the acceptance criteria for each of that. When do we consider this use case dissolved or solved? So once you have that list, that becomes your fundamental base. And and these are the things that do not change, right? The technology changes, yes, your buttons might go, or that particular toggle in that particular portal might move here and there, it could be renamed. So, you know, if your entire framework depends on this kind of there's a toggle here in the portal, and we turned it on, that framework will have a very short shelf life. So Microsoft will move that toggle, rename it, replace it, and your design will break. So you don't do that, you stick to fundamentals and you answer some fundamental questions. And you know, you should be asking when a new feature gets released later on. The question should be very simple. Does this feature help us enforce the same principle in a better way? And an example of that was all always adaptive scopes, right? The principle was always the same that we want to automate. We do not want to go and you know add sites manually to the policies. So we started writing scripts. That was one technical way to achieve that. But then Microsoft rolled out adaptive scopes, which was a technical feature, but you know, the principle still remained the same that we want to roll out this particular determination to all finance sites. So that's one. The other thing I also do is I, of course, have worked with, you know, many of my technical colleagues as well and mentored them. So I asked these architects, you know, to write down why they made a specific decision and not just how. So architects or technical people usually focus on, you know, how that particular feature was configured, and that's what is there in the design document. But when we deploy Perview, it's not like any other software. You also need to write down what made you, you know, arrive at that decision. Why has a policy been configured in a specific manner? That's really important because when a new admin comes in later on and looks at the policy and asks, why is this so strict? The answer should not be because that was the only or that's how the portal worked back then. The answer should be because this data carries, you know, more regulatory risk or something along those lines. So the interface will change, that's guaranteed. But the reasoning behind your governance blueprint should not change.
SPEAKER_01Amazing. Thank you. Um, and last question. So if you could add one feature to Microsoft Purview that doesn't exist yet, what would it be?
SPEAKER_00A bit difficult to answer because you know there are plenty that I could ask for. But you know, the one that sits right at the top of my list, and I always think about it as because, and in fact, I've you know many a times thought about developing my own product, solve that particular problem. So the problem is that I want or or the one thing that I want for you to tell me with confidence is that which data is wrong, which data is redundant, obsolete, and trivial, and it is safe to remove. Now, this comes up all the time with especially with large customers, right? For example, one of the organizations that we work with, 300,000 SharePoint sites, billions of files, information in SharePoint in in petabytes, SharePoint and OneDrive in petabytes. And their ask was very simple. We want to label everything, right? We want to apply a sensitivity label to all our files. And we're talking about billions of files, right? At that scale, these limits don't really help you, the limits that Microsoft has. And I usually push back with the basic question I mean, why are we even spending effort on governing data that shouldn't exist in the first place? So, in many cases, that data is useless. And what we did was we did a sample, uh, you know, we took 100 sites and we found out that you only need to really label 30% of the data, and 70% is something that does not have any business value. And in fact, you shouldn't be even be holding that data because it's increasing your legal and regulatory risk. So, one thing that Purview does not have now is how to identify that sort of data that does not have any business value. So, and in fact, with the advancements that we now have in AI, we have uh, you know, duplicate detection, duplicate files, you have behavior-based signals. We are well past the point where all of this should be, you know, guesswork. In law in large organizations today, it is really a guesswork, right? Nobody is able to identify what is rot and what is information of honey. So purview should be able to say that these files haven't been accessed or they are duplicates and they don't carry any business value, and there's no real regulatory or legal reason for you to keep them. And then you know, let us design the policies to remove that data, of course, with audit and proof. Now there are the benefits are threefold, right? One, the entire purview scales better, as I told you, less things to label, less things to govern. So all your uh the technology starts working, right? One second, the biggest problem right now that large customers are facing is storage. So you save real money on storage, and the third is of course the the thing that we've been talking about, Jackie, which is co-pilot, you know, becomes dramatically safer because you know it's it will start reasoning over current and relevant data and it's not looking at any 10-year-old junk. Um, because if co-pilot has access even to that 10-year-old junk data, it's going to include that in the results if it's relevant. All in all, governance governance is isn't just about you know protecting data. Sometimes, you know, it's about having the discipline to even get rid of information, and I think that's what most of the customers make.
SPEAKER_01Amazing. Thank you so much. Um, that's been absolutely sensational. How can listeners reach out to you if they want to know any more?
SPEAKER_00Uh of course I'm on LinkedIn. Um, I have my own uh blog that I run, which is kksimprevise.com. All the data is all the information about me is there on the blog. And of course, I'm on LinkedIn as well. And Jackie, if if someone reaches out to you, yeah, please share my contact details, you'll know better.
SPEAKER_01A hundred percent. And you can also be seen on any leadership through data course. Um so thank you so much for your time, Canal. It's been absolutely sensational.
SPEAKER_00Oh, thank you. The pleasure is all mine, Jackie. It's fantastic doing this with you. Thank you.
SPEAKER_01Thank you for listening to the journals of the information entrepreneur with me, Jacqueline Stockwell. I hope you found this episode inspiring and helpful and have some takeaway tips that can be useful to you. If you liked this episode, please like, review, and share it with your friends. Your support helps us reach more information leaders to stay inspired and listen to great content. Want to test out your strengths and weaknesses and measure it against our empowered framework? Please complete the scorecard. It's a great way to improve and evaluate your skills. You can find the scorecard at the end of the description of this podcast. Stay tuned for a new podcast every Thursday and remember to be bold, be brave, and be beautiful.