...
Episode 1

Data Governance in the Age of AI with Microsoft Purview

This episode explores why traditional, policy-driven approaches to data governance are no longer enough in today’s AI-powered enterprise. As sensitive information spreads across cloud platforms, collaboration tools, endpoints, and AI systems, organizations need a smarter, more adaptive way to understand and protect their data.

July 10, 2026
Listen On:
Episode 1
Data Governance in the Age of AI with Microsoft Purview
References
Transcript

Michael Larsen:

Welcome to ThoughtHive. The most valuable insights rarely make headlines. They emerge through experience and the people driving change inside the world’s most influential organizations. In each episode, we sit down with leaders, innovators, and practitioners to explore the ideas, challenges, and lessons shaping the future of business and technology. This is ThoughtHive, where insight meets action.

Matt Heusser:

Welcome to the NuSummit ThoughtHive Podcast. I’m Matt Heusser.

Michael Larsen:

And I am Michael Larsen.

Matt Heusser:

In this episode, we have Gaurav Chhabra, who’s the Vice-President and Global Practice Head for Cybersecurity at NuSummit. Today, we’re going to talk about data governance and protection in this new age of AI, exploring how organizations move beyond traditional compliance to build more adaptive control models. Gaurav, great to have you here.

Gaurav Chhabra:

Thanks, Matt. Thanks, Michael. Thanks for having me here.

Matt Heusser:

Let’s just go ahead and dive into it. For our examples of data governance, we’re going to try to give people concrete reference examples. There are lots of tools. We’re going to talk about Microsoft Purview. What’s really changed in data governance over the past few years?

Gaurav Chhabra:

Well, Matt, I think the biggest shift is wherein the data is no longer sitting where we expect it to. It’s no longer structured. It’s neither centralized nor even fully visible. It’s spread across cloud platforms, collaboration tools, endpoints, and now increasingly feeding into AI systems. Let me give you an example. A client believed that they had strong data controls in place. They had all the policies defined, access reviews happening, all the audits passed, and compliance- all checked. But when we actually looked closer, the data was spread across multiple cloud systems, multiple platforms, multiple collaboration tools, and even the endpoints. More importantly, with the adoption of AI tools, the AI tools had started interacting with their data in ways no one had even imagined. At that point, it became very clear that governance is no longer about what you define. It’s about what is actually happening. And I think that’s the shift we are dealing with today.

Matt Heusser:

So, there’s a strong shift here I’m seeing from defined policies. Anybody can make the policies, adhere to the real behavior of the system. What files can people look at? What files can people download? Where can those files go? Can they be copied? Can they go on a USB stick? Why do you think traditional governance models are struggling to keep up with these new requirements?

Gaurav Chhabra:

Matt, I think the challenge is that traditional governance was designed for a much more predictable environment. Data used to be structured. It used to be centralized. It used to be relatively stable. So, governance models followed the pattern. Policies were defined, controls were applied, and reviews happened periodically. But today I think the data doesn’t behave that way anymore. It’s constantly moving across cloud platforms, collaboration tools, and increasingly through AI systems. And the moment data becomes dynamic, the static governance model starts falling behind. That’s where we see organizations struggling, not because they lack controls, but because those controls are not keeping pace with how the data is actually being used today. What’s needed now is a model that moves with the data, where visibility and controls are continuous.

Michael Larsen:

Okay. So, when an organization, I guess, comes to the realization that they have this problem, they recognize this gap, I guess. What do they need to do? What’s the first practical shift you think they need to make?

Gaurav Chhabra:

Well, the first shift is actually quite simple, but not easy. Moving from an isolated visibility to connected visibility is the ask. Most organizations can see parts of the landscape but not the full picture, and that’s where the issue starts, because governance only becomes effective when discovery, classification, and the access signals start coming together. That’s also where platforms like Microsoft Purview can help. They bring that unified view across the environments, but visibility alone isn’t enough. The real step forward is turning that visibility into action, how controls are applied, who owns what, and how governance actually runs on a day-to-day basis. Otherwise, you end up with insights but not control.

Michael Larsen:

So, this is an area that I have some experience with. I’ve worked with AI governance and, of course, am looking at doing monitoring for models and how you’re able to actually ensure that they’re hitting the notes that they need to. You’re not just, especially in these complex financial systems, you’re not just tracking one model. You might be tracking dozens, hundreds, and you have all these options that are playing with each other and trying to make sure that you’re keeping sensitive data apart from each other, and that you’re updating, and all that goes with that. I guess from this perspective, and especially in the case example we’re looking at, how do you identify those gaps, and what type of gaps do you typically see… if I’m wording that correctly?

Gaurav Chhabra:

No, you’re absolutely right, Michael. Now, in most of the cases, the assumption is we know our data, but when you actually start asking simple questions, things take a turn. Most organizations don’t fully know what sensitive data they have, where it exists, who has access to it, and how it has been used over time. So, governance becomes reactive. Something goes wrong, and then you trace it back. But the nature of risk has changed. Today, it’s not just about data leakages; it’s about unintended exposure, misuse, and even intelligent inference through AI. So, the issue isn’t always security failing. It’s visibility never being complete to begin with. And in an AI-driven environment, that becomes much more critical. And this is usually where a deeper realization sets in. Most organizations don’t lack capability. They have discovery, they have classification, they have access controls, but those pieces operate in isolation.

And when they don’t connect, you don’t get governance. You get fragmented signals, which then impacts decision-making. Because leaders are effectively working with partial visibility, seeing pieces of the risk, not the whole picture. At that point, it stops being a control problem; it becomes a clarity problem. The real shift happens when those pieces start coming together, and governance begins to operate as a connected system because, without that, you are just reacting to a risk and not managing it.

Matt Heusser:

So now we’ve listed some gaps. We have to address them. What does a better approach look like to do that in practice? Whatever we’re doing before wasn’t working optimally. How do we do better?

Gaurav Chhabra:

Again, very good question, Matt. So, what we need to do today is to break it down into three things. There are platforms available in the market like Purview today, which could help us do a lot of AI security and data governance. But to begin with, I think the first is the continuous discovery and classification. You just cannot rely on periodic scans anymore. Why? The data is constantly being created, it’s being shared, and it’s being duplicated. Classification needs to go beyond the keywords. It has to understand the context, what that data represents, and how sensitive it is really. The second thing, which is very important, is, again, the context of their visibility. They’ve been talking about visibility all day long. It’s not enough to know something is sensitive. We need to understand how it is being accessed. Is it a normal access? Is it excessive? Is it happening from an unusual location?

Is there a pattern to it? Because risk today is often behavioral, not structural. And finally, I think the most important thing where the organizations fall short today is the enforcement, especially policy enforcement. A lot of governance programs start by defining policies, but real governance is when the systems can prevent risky actions, trigger alerts, or even take corrective steps in real time. And that’s the shift from documentation to active control.

Michael Larsen:

So, I guess another question that would be important to throw in here is, of course, again, because of the fact that you have heterogeneous systems, you may have cloud-based systems, you may have on- premise systems, you may have multiple databases that you have to effectively communicate with each other and make sure that the AI agents that you’re working with are aware of where everything is and are being protected from sharing things that they shouldn’t. I guess this seems like it’s got lots of places where failures could be catastrophic, to put it bluntly. Where would something like this typically fall apart? I guess what I’m asking is, how would you temper this, and how would you mitigate some of these risks?

Gaurav Chhabra:

Well, Michael, interestingly, this will definitely not be at the strategy level. It has to be the execution. Most organizations understand what needs to be done, but where it breaks is stitching everything together. What we often see is that the capability exists, the tool exists, but they’re fragmented. Different data sources, different systems, different policies. What tends to work better is when governance is treated as an operating layer, something that connects discovery, classification, monitoring, and response, because otherwise you’re solving parts of the problem and not the problem itself. And this is really where execution becomes the difference because governance at scale isn’t just about enabling capability, it’s about sustaining it. What that means is governance cannot be treated like a one-time initiative. It has to operate more like a system, something that runs continuously and adapts as data changes, and that’s where many organizations struggle. Capabilities get introduced, but they’re not fully embedded.

Ownership isn’t always clear. Processes are loosely defined, and monitoring becomes periodic instead of continuous. So over time, even strong controls start weakening. What works better is when governance becomes part of how the organization operates with clear ownership across security, data, and business teams, because governance doesn’t sit in one function; it cuts across all of them. And when that alignment comes together, you start seeing a shift. Risks are identified earlier, decisions are made with more context, and controls evolve with the data. That’s when the organizations move from reacting to risk to anticipating it.

Michael Larsen:

So, I guess the next thing that I would love to know is, we’ve already talked about, “Where does this fall apart?” And I think many of the people who are here listening are going to probably want to get a better feel as to how you’re actually dealing with this, or under what circumstances might this become a reality. Do you have an example that we might be able to kind of riff on and play around with for a bit?

Gaurav Chhabra:

Absolutely. We have been doing this for a lot of our customers, and most of the organizations tend to fall apart when we talk about what needs to be done. They know they have solutions; they have platforms in place. There was this customer of mine that had all the bills and visits. They have all the number of tools that they wanted to have in there to strengthen the security portion of their organization, but different systems, different data storage, and different rules, but they did not have a unified view. So, every time, when there was a requirement for them to understand and tie things together to come out with the exact compliance status, or there was a need for them to understand what the exact risk was that they’re trying to mitigate, or they would want to prioritize the risk that they should be mitigating in the first place.

They did not have that single view. So what they should have been doing is they should have been focusing on bringing all those things together, bring them together into an operating layer where they connect the discovery, they disconnect the classification of the data, the monitoring, the response of whatever activities, solutions that they have because they were trying to solve parts of the problem but not the problem itself.

Matt Heusser:

Let’s talk in a little more detail. Say, for instance, a typical company, they’ve got SQL Server, they’ve got Snowflake, they’ve got Databricks, they’ve got SharePoint, they’ve got Salesforce. They may have some data in the cloud through some third-party app. They may have, I don’t know, Jira or something. We’re using Purview. Purview is going to scan the data, identify it, give it context and meaning. How else is AI changing this? Is this making it easier because now it can use large language models to generate insight into data, meaning into data, or is it harder because now any marketing intern can go write their own applications?

Gaurav Chhabra:

What we are trying to say or understand is how AI is actually playing their role while we do all of that, what we have been doing all this while. While AI has been brought into picture, it is kind of playing two roles. It is increasing the complexity, more data accesses, more data usages, faster decision cycles, but on the other side, it’s also enabling smarter governance. Unlike earlier, we can now detect unusual patterns faster, refine classification over time, and identify potential risk before they even materialize. So what we are doing today is we are moving towards what I would call an adaptive governance, where systems are not just enforcing rules, but learning and improving too.

Michael Larsen:

Okay. So, to make it a point that Microsoft Purview is a platform that you’ve utilized for this. So how would an organization actually use Purview to enable this? How do organizations actually use this, I guess, is really trying to get at.

Gaurav Chhabra:

Well, you rightly picked up the clues. We are definitely talking about Microsoft Purview being one of the enablers for whatever governance AI security that we are speaking about. Now, what this platform does is it helps us, or it enables us to discover the data across different data environments. It helps us with intelligent classification. It gives us visibility into the access patterns, and it also helps us with policy enforcement. But more importantly, it gives the organization a single control plane for governance, which is what’s really needed at scale today.

Matt Heusser:

Okay. So we like to do our final thought. I’ll throw one out to both Gaurav and Michael. Gaurav, what should leaders be focusing on right now? We’ve covered a whole lot of different technologies, tools, and processes. Where do we start?

Gaurav Chhabra:

We should start with the visibility, as always. So we should start with the visibility, not to try and solve everything at once, understand the high-risk data, build controls around it, and evolve from there. So, we are moving towards what I would call an adapted governance, where systems are not just enforcing rules, but learning and improving. And when you combine that with the right implementation approach and the operating model, that’s when the governance actually starts working, not just existing. Organizations begin to recognize that governance is not just about control; it’s about consistency, consistency in how data is understood. Access is managed, and risk is evaluated, and achieving that at a scale requires two things: a platform layer and a strong operating model around it. In our experience at NuSummit, that’s where the real transformation happens. When governance becomes part of how the organization operates, and not just a checkpoint.

And once that foundation is in place, that’s when the platform actually starts delivering at scale.

Matt Heusser:

Okay. Thank you. And Michael, I’m going to give one to you. Where can people go to learn more about this?

Michael Larsen:

Well, of course, they actually have a repository for all the information that we’re talking about here. There are insights, AMAs, customer stories, et cetera. We will make sure that those details are in the show notes. And with that, we want to say thank you to everybody for joining us for NuSummit’s ThoughtHive Podcast. We look forward to talking with you very soon on topics that are pressing and interesting, especially in this wild and crazy AI world. Thanks for joining us.

Matt Heusser:

Thanks, everybody.

Gaurav Chhabra:

Thanks, everyone.

Michael Larsen:

You’ve been listening to ThoughtHive, a platform built for those who lead. For more conversations, expert perspectives, and practical insights on enterprise transformation, visit ThoughtHive by NuSummit. Thanks for listening. We’ll see you in the next conversation.

Share On Twitter
Share On Linkedin
Contact us
Hide Buttons