AI assistant — not human

The 8 non-negotiable requirements. Purview stack. Compliance framework mapping. Fixed-fee accelerator tiers.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
Eight non-negotiable data governance requirements before Copilot: sensitivity label taxonomy, auto-labeling PII/PHI/PCI/MNPI, DLP across all workloads, Purview data lineage baseline, retention policies, data classification standards, BYOAI policy, Compliance Manager framework mapping. Microsoft Purview is the unified governance platform. Timeline: 12-20 weeks zero-baseline; 8-14 weeks partial baseline; 4-8 weeks mature program. Compliance frameworks satisfied: HIPAA / SOC 2 / NIST 800-171 / FedRAMP / EU AI Act / state privacy. EPC Group Data Governance Accelerator: $95K/8wk. Full Enterprise Governance: $200K-$400K/16-24wk.
Eight non-negotiable requirements: (1) Sensitivity label taxonomy (Confidential / Highly Confidential / Internal / Public). (2) Auto-labeling policies for PII / PHI / PCI / MNPI patterns. (3) DLP policies covering Exchange + SharePoint + OneDrive + Teams. (4) Purview data lineage baseline (know where data comes from + goes to). (5) Retention policies enforced (legally-required retention preserved). (6) Data classification standards documented + trained. (7) BYOAI policy (approved-tool list + prohibited list). (8) Compliance Manager baseline mapped to your primary framework (HIPAA / SOC 2 / FedRAMP). Missing any of these creates measurable Copilot exposure risk.
Copilot respects sensitivity labels — labeled Confidential+ content is protected from being surfaced to users without proper permissions + is watermarked in Copilot responses. Without a sensitivity label baseline: (1) All content is treated as equally accessible. (2) No downstream DLP + Endpoint DLP + Cloud App Governance controls. (3) No provable audit trail for regulatory compliance. (4) No differentiation between "employee benefits FAQ" and "employee salaries." EPC Group deploys sensitivity label taxonomy (4-tier: Highly Confidential / Confidential / Internal / Public) + auto-labeling for known sensitive patterns as Phase 1 of every Copilot Readiness engagement.
Microsoft Purview is the unified data governance + compliance platform that spans: (1) Information Protection — sensitivity labels + auto-classification + encryption. (2) DLP — data loss prevention across Exchange + SharePoint + OneDrive + Teams + Endpoint + Cloud Apps. (3) Insider Risk Management — detect risky user behavior. (4) Communication Compliance — monitor communications for compliance violations. (5) eDiscovery — legal hold + investigation. (6) Compliance Manager — control mapping + audit evidence. (7) Data Governance — Purview Data Map + Data Catalog for lineage + discovery. Purview is licensed as part of Microsoft 365 E5 + Compliance add-ons. Enterprise Copilot deployment requires Purview foundation.
Timeline depends on maturity + tenant complexity: (1) Zero-baseline enterprise — 12-20 weeks to establish all 8 requirements. (2) Some Purview foundation exists — 8-14 weeks to close remaining gaps. (3) Mature Purview + governance program — 4-8 weeks to add Copilot-specific controls (BYOAI + Insider Risk tuned for AI). Phases: (1) Discovery + design (2-4 weeks). (2) Sensitivity label taxonomy + rollout (4-6 weeks). (3) DLP baseline + tuning (3-5 weeks). (4) Insider Risk + Communication Compliance (3-5 weeks). (5) BYOAI policy + enforcement (2-3 weeks). (6) Compliance Manager mapping (2-4 weeks).
Six frameworks that Copilot data governance satisfies: (1) HIPAA Security Rule — technical safeguards for PHI + audit trails + access controls. (2) SOC 2 Type II — access + change management + monitoring. (3) NIST 800-171 — CUI protection for federal contractors. (4) FedRAMP Moderate / High — federal compliance. (5) EU AI Act — transparency + accountability for high-risk AI. (6) State privacy laws (CCPA / CPRA / CTDPA / VCDPA) — consumer data protection. EPC Group Copilot Readiness engagements include Compliance Manager mapping to your primary framework so the same work satisfies both Copilot readiness AND compliance audit.
EPC Group Data Governance Accelerator ($95K, 8 weeks) delivers Copilot-ready data governance foundation: (1) Sensitivity label taxonomy design + rollout to top 500 sites. (2) DLP baseline across Exchange + SharePoint + OneDrive + Teams for PHI/PII/PCI/MNPI patterns. (3) Purview Data Lineage baseline (Data Map + Catalog). (4) Insider Risk Management deployment with AI-tuned policies. (5) BYOAI policy + approved-tool list draft. (6) Compliance Manager baseline mapped to your primary framework. Prerequisite: Microsoft 365 E5 + Compliance license (or E5 + Insider Risk add-on). Fits alongside Copilot Readiness Assessment.
EPC Group governance portfolio: (1) Copilot Readiness Assessment ($25K, 3 weeks) — 12-gap audit identifies governance gaps + roadmap. (2) Data Governance Accelerator ($95K, 8 weeks) — establishes 8 requirements above. (3) Full Enterprise Governance ($200K-$400K, 16-24 weeks) — Data Governance Accelerator + advanced Insider Risk + Communication Compliance + eDiscovery Premium + Compliance Manager full mapping + ongoing governance runbook. (4) Ongoing Governance Retainer ($15K-$25K/month) — quarterly reviews + policy updates + new-feature evaluation + user education. All led by senior compliance architect + regulated-industry specialist.
$95K/8wk sensitivity labels + DLP + Purview + BYOAI. Fits alongside Copilot Readiness. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day