
Starting Wherever We Are: Why Data-Centric Security Doesn't Require Perfect Classification

The Myth of "We're Not Ready"
Every enterprise is somewhere different on the governance spectrum. Some have invested years in labels, built classification taxonomies, and trained their workforce. Others have nothing: no labels, no sensitivity markings, sharing blocked by default, and a 10-step manual process every time an engineer needs to get a file to a supplier.
Both are ready for Data-Centric Security. They just start in different places.
The single biggest misconception we encounter is that organizations need their data classification house in perfect order before they can enforce policy on external collaboration. That belief keeps enterprises stuck in a painful status quo: manual processes that create bottlenecks and risk exposure simultaneously. Security teams can't answer the most basic questions: Who are our top external recipients? If a third party is breached, what data do they have? How fast can we revoke access after a compromise?
Traditional governance approaches stall in policy nuance. The taxonomy needs refinement, legal hasn't signed off on the markings, business units can't agree on definitions. Meanwhile, data keeps flowing out through attachments, ad-hoc links, and guest accounts with no controls and no visibility.
The truth is the opposite of what most organizations assume: Data-Centric Security is how we build classification maturity, not what we do after we’ve achieved it. Controls must lead.
The Signal Spectrum is Wide, and That's OK
When we engage with global enterprises, we see the full range of signal maturity. Some have rich attribute stores connected to HR systems, export control license databases, and real-time risk scores. Others have a SharePoint environment where no site has ever been labeled.
The number of signals available today determines where we start, not whether we can start. Every enterprise has some context available to make better policy decisions than "block everything" or "allow everything." The question is which signals to activate first and how to layer in more over time.
This is why we think about DCS adoption as a journey with distinct phases, not a binary switch.
Start With the "Standard 4": A Baseline That Works Everywhere
For organizations with no existing classification, four levels are enough to unlock meaningful policy enforcement immediately. We call it the "Standard 4," and it maps classification directly to containment behavior, because a label without a corresponding control is just metadata.
- Non-Business covers public data and non-proprietary information. Open access, standard logging.
- General Business is the default label for internal communications and standard operational documents. External users must authenticate via OTP or SSO, and no file attachment is sent; only a link. Downloads are allowed but audited.
- Sensitive covers confidential data, PII, financial reports, and strategic planning. Files render in a secure browser viewer only, copy/paste is disabled, and downloads are blocked.
- Highly Sensitive is reserved for crown jewels, such as intellectual property, M&A data, and legal privilege. This triggers approval workflows, session watermarking on screen, granular audit capturing time-per-page viewing, and strictly blocked downloads and printing.
The power of this model is simplicity. Set General Business as the default so every document has some classification from day one. Then let the containment policies do the heavy lifting. Users don't need to become classification experts; they need guardrails that activate automatically based on the context that already exists.
This baseline works across industries. A defense contractor can layer CUI and ITAR as sub-labels under Highly Sensitive after the foundation is running. A healthcare organization can add PHI and Clinical Trial Data. A financial services firm can overlay MNPI and PCI. The Standard 4 isn't the final destination; it's the launch pad that gets controls operational while the organization matures.
Crawl, Walk, Run: A Maturity Model That Meets Us Where We Are
Before DCS: The Status Quo Nobody Wants
No policy signals. Sharing blocked by default. Knowledge workers navigating multi-day approval chains. People find workarounds, shadow IT thrives, and governance is fragmented. Outlook has different rules than SharePoint, which has different rules than Teams, creating gaps that attackers and accidents exploit equally.
Governance is a barrier. It slows the business without meaningfully reducing risk.
Crawl: No Labels, No Problem
The first phase requires no labels, no taxonomy, and no change management. It requires one thing: a conversation with the business about where sensitive data lives.
Most organizations already know which SharePoint sites contain crown jewels: the export-controlled engineering library, the M&A deal room, the clinical trial repository. That institutional knowledge is enough to deploy data-centric controls directly to those sites. Containment policies activate at the site level: external sharing governed through secure links instead of attachments, browser-only viewing for sensitive sites, download restrictions, and continuous access enforcement.
This is the fastest path to value. No user behavior changes. No training rollout. No waiting for legal to finalize a classification taxonomy. The business identifies the sites that matter, IT deploys controls to those specific sites, and governance goes live. Within weeks, the organization has visibility into who is accessing what, external collaboration governed by policy rather than blocked by default, and the ability to revoke access instantly if a third party is compromised.
The tradeoff is that every site requires manual provisioning. IT decides which sites get controls and configures policies individually. For a handful of high-value sites, that's perfectly manageable. But as adoption grows and the business wants broader coverage, that per-site model becomes a bottleneck, which is exactly what drives the transition to Walk.
Walk: Let Labels Drive Policy
The shift from Crawl to Walk isn't about adding more sites; it's about changing what drives policy enforcement. Instead of IT manually provisioning controls on individual sites, the organization deploys the Standard 4 labels in Microsoft Purview and attaches containment policies to the labels themselves.
This is the critical inflection point. Once policies follow labels rather than sites, enforcement scales automatically. Apply a Sensitive label to a SharePoint site and the corresponding containment controls activate without IT configuring anything. As the organization matures and extends labels from sites down to individual files and emails, policies inherit and adapt at every level. A Sensitive document shared via Outlook triggers the same containment behavior as a Sensitive SharePoint site, because the policy is bound to the label, not the container.
We built our Rapid Control Accelerator specifically for this transition: a 90-day engagement designed to move an organization from per-site controls to label-driven enforcement across Outlook, SharePoint, Teams, and OneDrive.
The first four weeks focus on foundation: deploy the Standard 4 labels in Purview and apply site-level classification across the environment. The next four weeks shift to intelligence: identify three to five crown jewel data types with the business and deploy trainable classifiers to detect them automatically. The final four weeks extend classification to the file and email level: set General Business as the default label, introduce sensitivity labeling into user workflows, and deploy analytics dashboards that finally answer those unanswerable questions.
This phased approach eases the business into classification gradually. Site-level labels run quietly in the background while users experience better, faster external collaboration. By the time file-level labeling arrives, the organization already understands the Standard 4 framework and has seen the value of data-centric controls firsthand. Adoption becomes a natural extension rather than a disruptive mandate.
Run: Layer In Attributes and Automate Classification
With standard classification labels operational at both the site and file level, the final phase combines richer context with automated intelligence to reach full maturity.
Attribute-Based Access Control (ABAC) connects signals like user citizenship, department, export control license status, or risk score to the policy engine. Enforcement decisions evolve from "Is this site Sensitive?" to "Is this site Sensitive and is this recipient a US Person and do they have an active export license?" The specific attributes vary by industry. Defense organizations connect to US Person status, clearance, and export licensing. Healthcare pulls in HIPAA training and BAA status. Financial services integrates deal team membership and OFAC sanctions screening. In every case, the classification-based containment policies remain the foundation, and attributes add precision on top.
Simultaneously, trained classifiers identify crown jewels, such as proprietary part numbers, controlled technical data, and PII, without relying on humans to tag every document. Labels plus attributes plus classifiers give coverage across the entire ecosystem, including Copilot interactions and PLM systems.
At this stage, governance is fully continuous. Classification happens automatically. Enforcement happens at both share and access time. Observability spans every channel with full attribute context logged for every access decision: not just who accessed what, but why the policy permitted or denied it. For regulated industries, this is the difference between "we have logs" and "we can prove demonstrable least-privilege with continuous enforcement."
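As an added example (not the author's or any vendor's code), here is the Standard 4 containment mapping from earlier on this page combined with the attribute checks and decision logging described in this section, as a small Python policy engine: the containment profile is bound to the label rather than the container, an unlabeled item falls back to General Business, ABAC rules gate Sensitive and Highly Sensitive recipients, and every decision carries the reasons an audit trail needs. The control field names and the attribute names (us_person, export_license, risk_score) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed containment profiles for the "Standard 4" labels described on
# this page. Field names are illustrative, not a Purview or vendor schema.
STANDARD_4 = {
    "Non-Business":     dict(auth=False, link_only=False, browser_only=False, download=True,  copy_paste=True,  watermark=False, approval=False, printing=True),
    "General Business": dict(auth=True,  link_only=True,  browser_only=False, download=True,  copy_paste=True,  watermark=False, approval=False, printing=True),
    "Sensitive":        dict(auth=True,  link_only=True,  browser_only=True,  download=False, copy_paste=False, watermark=False, approval=False, printing=True),
    "Highly Sensitive": dict(auth=True,  link_only=True,  browser_only=True,  download=False, copy_paste=False, watermark=True,  approval=True,  printing=False),
}
DEFAULT_LABEL = "General Business"  # every unlabeled item gets some classification

# ABAC rules layered on top of the label: (label, attribute check, requirement text).
# Attribute names are assumptions for this example; a missing attribute fails closed.
ABAC_RULES: list[tuple[str, Callable[[dict], bool], str]] = [
    ("Highly Sensitive", lambda a: a.get("us_person") is True,
     "recipient must be a US Person"),
    ("Highly Sensitive", lambda a: a.get("export_license") == "active",
     "recipient needs an active export license"),
    ("Sensitive", lambda a: a.get("risk_score", 100) < 70,
     "recipient risk score must be below 70"),
]

@dataclass
class Decision:
    label: str
    allowed: bool
    controls: dict          # empty when access is denied
    reasons: list = field(default_factory=list)  # the "why" for the audit log

def evaluate(label: Optional[str], recipient_attrs: dict) -> Decision:
    """Decide containment for one share or access event. Because policy is
    bound to the label, the same call serves a site, a file or an email."""
    if label in STANDARD_4:
        effective, reasons = label, [f"label={label}"]
    else:
        effective, reasons = DEFAULT_LABEL, [f"label={DEFAULT_LABEL} (default, none set)"]
    allowed = True
    for rule_label, check, requirement in ABAC_RULES:
        if rule_label != effective:
            continue
        if check(recipient_attrs):
            reasons.append(f"satisfied: {requirement}")
        else:
            allowed = False
            reasons.append(f"denied: {requirement}")
    controls = dict(STANDARD_4[effective]) if allowed else {}
    return Decision(effective, allowed, controls, reasons)
```

The returned reasons list is what distinguishes "we have logs" from being able to show why a given recipient was permitted or denied.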
And critically, this is the governance foundation for AI, because if we can't control what data humans access, we certainly can't control what data AI agents surface.
Why This Matters Now
Organizations without Data-Centric Security face a compounding problem as AI accelerates. Enforcement is disconnected across applications. Controls are siloed. Observability is decentralized. This was manageable (barely) when humans were the only actors. It is unmanageable when AI copilots can traverse every file, site, and conversation in seconds.
Data-Centric Security, even at the Crawl phase with just the Standard 4, establishes the unified policy layer, centralized observability, and contextual signal architecture that AI governance demands. Organizations that start now are building the foundation. Organizations that wait for perfect classification are building technical debt.
The Bottom Line
We don't need perfect data classification to start enforcing policy on external collaboration. We need four classification levels, site labels, and a policy engine that maps them to containment controls. That's enough to get operational in 90 days, with continuous enforcement across every M365 channel, a unified audit trail, and data that never leaves the organization’s tenant.
Start where we are. Deploy the Standard 4. Enforce on what is known today. Layer in attributes and industry overlays as systems mature. Automate classification when ready. Each phase delivers immediate value while building toward the next.
The enterprises that get this right aren't the ones with the most sophisticated taxonomies on day one. They're the ones that stopped waiting and started enforcing.