Engagement Tiers
Monthly governance retainer: 40-60 hrs senior architect time. Ongoing operations + escalations + policy updates + monthly review.
Quarterly engagement: Project-based remediation sprints. Pick 2-3 domains per quarter to advance.
Annual governance program: Dedicated team. Monthly reviews + adoption + Copilot enablement + executive QBR.
The 8 Governance Domains
1. Site provisioning + decommission policies: Auto-classification, owner approval, 90-day inactivity archive policy.
2. Permission model: Closed by default, request access workflow, no broken inheritance.
3. Content lifecycle: Purview retention labels per content type + jurisdiction.
4. Sensitivity labels: Autolabeling for regulated content, Copilot guardrails, DLP.
5. External sharing tier: Per-site tier (not tenant-wide), exception approval workflow.
6. Copilot readiness: Oversharing remediation, restricted search, DLP for Copilot.
7. Site review cadence: Quarterly owner attestation, site review, role changes.
8. Adoption metrics + reporting: Viva Insights + Page Analytics, executive reporting.
FAQ
What is SharePoint governance consulting (ongoing) vs a one-time health check?
A SharePoint Governance Health Check is a 3-week productized assessment that produces a maturity report + 90-day remediation plan. SharePoint Governance Consulting is the ongoing engagement that DELIVERS the remediation and operates governance as a managed service. Most clients start with the Health Check, then engage EPC Group for 6-24 months of governance consulting to execute the roadmap and operate steady-state.
What does ongoing SharePoint governance cover?
8 domains: (1) Site provisioning + decommission policies, (2) Permission model (closed default, request access workflow), (3) Content lifecycle (Purview retention labels), (4) Sensitivity labels (autolabeling for regulated content), (5) External sharing tier (per-site policy), (6) Copilot readiness (oversharing remediation, sensitivity cascade), (7) Site review cadence (quarterly owner attestation), (8) Adoption metrics + reporting.
How is this engagement structured?
Three tiers: (a) Monthly governance retainer ($8K-$15K/month, 40-60 hrs senior architect time, ongoing operations), (b) Quarterly engagement ($25K-$45K/quarter, project-based remediation sprints), (c) Annual governance program ($120K-$240K/year, dedicated team, includes monthly reviews + adoption coaching + Copilot enablement).
When do we need SharePoint governance consulting?
Indicators: (1) Tenant has 5+ years of SharePoint history without formal governance, (2) Microsoft 365 Copilot rollout planned in next 12 months, (3) Regulatory exam or audit upcoming (HIPAA, SOC 2, FedRAMP), (4) Oversharing or external sharing incident, (5) Migration from on-prem to SharePoint Online recently completed, (6) Multi-tenant or M&A creating governance drift.
Do you provide governance for Microsoft Teams + OneDrive too?
Yes. SharePoint governance in 2026 IS Microsoft 365 governance because Teams sits on SharePoint (Teams files = SharePoint sites) and OneDrive shares the same Purview/Entra/Defender controls. EPC Group governance engagements cover SharePoint sites + Teams + OneDrive + Loop + Lists as a unified workload.
How does governance enable Microsoft 365 Copilot?
Copilot grounds responses on Microsoft Graph content (SharePoint + OneDrive + Teams + Email + Loop). Without governance, Copilot answers draw on overshared content: employees see salary tables, M&A docs, and executive plans they should not. EPC Group governance engagements include the Copilot-required prerequisites: (1) Oversharing remediation, (2) Sensitivity label cascade with autolabeling, (3) Restricted SharePoint Search for sensitive sites, (4) Purview DLP for Copilot, (5) Copilot prompt audit trail review cadence.
What roles do you fill in an ongoing governance engagement?
EPC Group delivery model: (1) Senior SharePoint Architect (governance design + escalations), (2) Junior consultant (implementation work, policy authoring, audit reports), (3) Quarterly Executive Review with Errin O'Connor or named principal. Client provides: SharePoint admin (1.0 FTE), security stakeholder (0.25 FTE), compliance stakeholder (0.25 FTE).
How do you measure governance success?
Quarterly governance scorecard: (1) % sites with active owner (target 95%+), (2) % sites with sensitivity label coverage (target 80%+ regulated content), (3) Number of orphaned permissions (target 0 net-new per quarter), (4) External sharing exception count, (5) Site review attestation rate, (6) Copilot prompt audit findings (target zero exposed sensitive content), (7) Adoption: Viva Insights + Page Analytics engagement metrics.
Can we do governance ourselves with internal staff?
Some organizations succeed with internal governance staffing. Requires: (a) Senior SharePoint admin with governance experience, (b) Dedicated compliance + security partnership, (c) Executive sponsor with mandate to enforce, (d) Microsoft Purview + Defender + Entra licensing. EPC Group accelerates startup (6-12 months) and provides expertise depth most internal teams lack. Many clients combine internal team + EPC Group fractional architect (lower retainer tier).
Why EPC Group?
29 years SharePoint consulting (since SharePoint 2003 beta team). Errin O'Connor authored 4 Microsoft Press books including SharePoint inside-out and migration volumes. EPC Group is a Microsoft Solutions Partner with all six designations under the Microsoft AI Cloud Partner Program. Hundreds of governance engagements delivered, including HIPAA + FedRAMP environments. Errin coined "SharePoint is the biggest Swiss Army knife in the world" (Infonomics, Jan/Feb 2009).
29 years SharePoint governance. Hundreds of Fortune 500 engagements.