AI Is Creating A Governance Debt Nobody Asked For, Syskit Warns

A Q&A with Microsoft MVP and Co-Founder of Syskit Frane Borozan.

Last updated on May 21, 2026
Written by Joel Witts

Most organizations can tell you how many Microsoft 365 licenses they hold. Far fewer can tell you who has access to what, or whether that access is still justified. This gap has widened over years of cloud migration, self-service provisioning, and rapid collaboration. And for most enterprises, it never made it onto anyone’s risk register.

Now, with AI tools like Microsoft Copilot being rolled out across the enterprise, that gap is becoming impossible to ignore. Copilot inherits every permission ever granted in your organization. That means every overshared folder, every forgotten external link, every permission granted three years ago and never revoked is suddenly queryable by anyone with access.

Frane Borozan is a Microsoft MVP and Co-Founder of Syskit, a governance and security platform built for the Microsoft 365 ecosystem. Borozan has spent over 17 years working with enterprise IT teams on the challenge of managing permissions, access, and compliance at scale, from the early days of on-prem SharePoint to today’s cloud-first, AI-driven workplace.

We spoke to Borozan about why Microsoft 365 governance has become a board-level concern, how AI is amplifying years of unchecked access sprawl, and what security leaders should be prioritizing right now.

Syskit is a governance and security platform built for the Microsoft ecosystem. The company was founded back in 2009 to solve pain points around Microsoft governance. Can you talk about the founding story and what you set out to build?

It’s interesting timing because SharePoint is celebrating its 25th anniversary, and in many ways, our story has grown alongside that evolution.

When we founded Syskit, IT environments were primarily on-prem. Syskit’s co-founder, Toni Frankola, and I were working directly with enterprise customers and seeing the same pattern: environments growing faster than the ability to control them. IT teams lacked visibility. Permissions were layered and inherited in ways that became difficult to untangle. Basic questions like “Who has access to this content?” were surprisingly hard to answer.

Historically, governance was always treated as something you tidy up later. During a migration. Before an audit. After an incident. It was never designed as a continuous, proactive discipline. Then, the shift to the cloud decentralized control, self-service provisioning multiplied workloads and content, and regulatory expectations became almost impossible to implement. Older governance models, often dependent on manual scripts or the expertise of a few individuals, became fragile and unsustainable. They were too technical for business users, so participation was low, and the processes simply couldn’t scale.

We saw this widening gap between complexity and control. 

Image: Syskit’s Dashboard

We didn’t set out to build just another IT platform. We set out to build clarity, visibility, and control in environments that were becoming exponentially more complex. The engineering team at Syskit has always had deep Microsoft expertise. Many of us have spent our careers inside this ecosystem. That matters because Microsoft 365 isn’t a single product; it’s an interconnected platform where permissions, policies, and workloads overlap in complex ways. 

That’s the journey we’ve shared with our customers and our community over the past 17 years.

Today, Microsoft 365 is the backbone of the digital workplace for most enterprises. How should organizations be thinking about governance in their M365 environments?

Microsoft 365 has transformed how organizations collaborate. But that flexibility comes with a governance debt.

The biggest issues we see are data sprawl and oversharing. Enterprises have thousands, sometimes tens of thousands of Teams, SharePoint sites, OneDrives, and sharing links. Most organizations don’t actually know what’s shared, how it’s shared, or with whom.

This is the key point: visibility is the foundation of effective governance. You cannot fix what you cannot see. Many organizations don’t realize how over-provisioned their environments are until they map them. Permissions are particularly difficult because they look different across workloads. SharePoint has one model, Teams layers another on top, and OneDrive introduces external sharing nuances. Without a single, unified picture of access, it’s impossible to manage risk.

It’s important to stress that most oversharing is innocent. Employees collaborate quickly, sending links or adding broad access groups to simplify work. There’s rarely malicious intent. But the cumulative effect is a tenant where sensitive content is exposed far more broadly than leadership realizes. This is how governance debt accumulates: quietly and invisibly, until something surfaces it.

The media often focuses on ransomware or nation-state threats. Those are serious risks. But the internal oversharing problem is far more common, and often just as dangerous.

AI adoption has exploded, especially with Microsoft Copilot. Has AI arrived before most organizations have their governance foundations in place?

AI has absolutely accelerated faster than governance maturity. Boards are under enormous pressure to deploy AI tools like Microsoft Copilot. Nobody wants to be seen as falling behind. So implementation is moving fast.

The problem is that AI is being layered on top of environments where governance was never properly implemented in the first place. AI doesn’t magically create new permissions. It inherits the permissions that already exist. This is the critical shift: the governance shortcuts tolerated for the last decade are no longer abstract risks. They are queryable. If your tenant is overshared, AI tools will surface that content to anyone who technically has access, even if that access was granted years ago and forgotten. A user might ask Copilot a question and receive information about leadership discussions, financial projections, or HR investigations, simply because the permissions were never tightened.

There’s a lot of AI enthusiasm in the market, but not enough honest conversation about tackling the information leakage risk that comes with it. AI amplifies existing access issues at machine speed, making strong governance an immediate and critical priority.

For IT leaders reviewing their governance posture in the context of AI, what should they focus on now?

I’d think of it as a logical sequence. It has to start with comprehensive visibility, not just a snapshot, but a real-time understanding of permissions, sharing, and ownership across all your collaboration tools. That visibility lets you understand the potential blast radius of an AI query.

From there, you can begin to identify the specific exposure paths for your most sensitive data. It’s not enough to know a file is sensitive; you have to map exactly how it could be exposed, whether through a direct share, an inherited permission, or a forgotten public link. This is how you move from being reactive to proactive.

All of this work is in service of one goal: ensuring least-privilege access. Whether you’re cleaning up before an AI deployment or remediating after the fact, the process is the same: use what you can now see to systematically remove excessive access. That’s how governance becomes a sustainable, ongoing discipline.

You’ve described governance as “a team game.” How does Syskit Point put that philosophy into practice?

In large organizations, IT teams are small relative to the scale of collaboration. They cannot know the business context behind every file or workspace. Governance works best when responsibilities are shared. With Syskit Point, IT defines policy and maintains oversight, while workspace owners review access and confirm relevance. Tasks such as access recertification are delegated to those who understand the content.

Automation reduces the manual effort. Reviews are triggered systematically, and exceptions are highlighted clearly. We focused on making governance tasks understandable so business stakeholders can act without friction. When governance becomes part of routine operations, risk decreases steadily instead of spiking during audits. We also provide IT teams with dashboards to track how security risks decrease as owners engage in these reviews.

Your customers often operate in highly regulated industries. How does this connect to executive accountability?

Poor governance is a business risk that impacts compliance, brand reputation, and strategic operations. For a long time, it was treated as a purely technical issue, but the introduction of AI has elevated it to a board-level concern. Governance is now a matter of fiduciary responsibility.

Boards and executives are facing three key pressures.

First, data accountability. Organizations must demonstrate who can access sensitive information, why they have access, and whether that access is still justified. This applies across jurisdictions, where data sovereignty and residency obligations may differ.

Second, operational resilience. Regulators increasingly view access governance as part of broader operational risk. Excessive access, unmanaged workspaces, and a lack of ownership are not seen as technical oversights. They are control failures.

Third, AI oversight. As AI systems gain the ability to surface information instantly, the tolerance for uncontrolled data exposure decreases. Executives are expected to show that governance foundations are strong enough to support AI adoption responsibly.

From a leadership perspective, the question is: can you defend your collaboration environment under scrutiny? With Syskit Point, governance moves from a fragmented administrative activity to structured oversight, giving executives clear reporting, documented review cycles, and an auditable trail of decisions. It’s about creating defensibility.

What should regulated organizations look for in an M365 governance platform?

For many smaller environments, native M365 capabilities may be sufficient. The challenge grows with scale and regulatory complexity. Large organizations operate across multiple workloads and jurisdictions, and governance quickly becomes fragmented and inconsistent. That fragmentation creates risk.

Executives should look for centralization and consistency. Governance needs to be visible across the entire collaboration environment, not isolated within individual tools. Depth also matters. Highly regulated organizations require more granular control and stronger documentation. Finally, operational sustainability is key. A governance platform should reduce dependency on individual administrators and replace it with structured, repeatable processes. At scale, governance cannot rely on patchwork solutions; it requires cohesion and clarity.

Looking ahead, what trends should security leaders prepare for?

AI will only accelerate. Organizations already have hundreds of AI agents interacting with corporate data, and most aren’t thinking about how those agents are governed. The role of the Microsoft 365 admin is becoming more security-centric, as governance and security converge into a single discipline.

We’ll also see increasing regulatory pressure, specifically around AI governance, layered on top of existing data protection rules. As environments become more complex, governance will become a strategic differentiator. Organizations that treat governance as an enabler of safe collaboration, rather than a restriction, will move faster and innovate more confidently.



Written by Joel Witts, Content Director

Joel is the Director of Content and a co-founder at Expert Insights, a rapidly growing media company focussed on covering cybersecurity solutions.

He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.

He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.