EPC Group, a Houston-based consulting firm, introduced a seven-layer governed AI framework for Microsoft environments on May 27, 2026. The methodology stitches together Microsoft Purview, Fabric, Power BI, and Copilot to give enterprises a ready-made control plane for responsible AI adoption—aiming to close the governance gap that has left many organizations uneasy about deploying generative AI at scale.
The Framework’s Blueprint: Seven Layers That Bridge Tools and Policy
Announced at the firm’s Houston headquarters, the "Governed AI on Microsoft Framework" is a consulting engagement model, not a standalone software product. It layers existing Microsoft security and compliance capabilities into a coherent operational plan. While EPC Group hasn’t published an exhaustive technical breakdown, the layers map closely to the data lifecycle challenges that surface when Copilot for Microsoft 365 sifts through SharePoint sites, Teams chats, and email.
- Layer 1 – Sensitive Data Discovery: Using Microsoft Purview Information Protection and Data Loss Prevention, the methodology scans structured and unstructured data across the tenant to locate sensitive information—financial records, PII, trade secrets—before Copilot can surface it.
- Layer 2 – Classification and Labeling: Automated and manual labeling ensures that documents, emails, and conversations carry machine-readable sensitivity tags. This step leans on Purview’s trainable classifiers and sensitivity label automation.
- Layer 3 – Access Review and Least Privilege: The framework audits SharePoint permissions, Microsoft 365 Groups, Teams membership, and OneDrive sharing links to enforce a least-privilege model, preventing Copilot from surfacing content a user shouldn’t see.
- Layer 4 – Policy Definition in Purview: Data loss prevention policies, information barriers, and communication compliance rules are aligned to the organization’s regulatory obligations. Policies govern what Copilot can and cannot summarize or generate.
- Layer 5 – Fabric and Power BI Lineage Controls: For organizations that rely on Microsoft Fabric and Power BI semantic models, this layer applies tenant-level settings to restrict Copilot’s access to sensitive analytical data. It also maps data lineage so that Copilot’s outputs can be traced back to source assets.
- Layer 6 – Real-Time Monitoring and Alerts: Using Microsoft Defender for Cloud Apps, Purview Activity Explorer, and Microsoft Sentinel, the framework sets up playbooks that detect anomalous Copilot interactions—such as a user repeatedly querying for salary data—and triggers automated responses.
- Layer 7 – User Enablement and Feedback Loops: The human layer includes tailored training, a champion program, and a feedback mechanism where end users flag inaccurate or oversharing Copilot responses. Those signals feed back into policy tuning.
EPC Group pitches the framework as a way to move from ad hoc fear to a governed Copilot rollout in weeks rather than months. The announcement specifically calls out healthcare, financial services, and public sector organizations as early candidates, given their strict compliance requirements.
What It Means for Different Audiences
For IT Administrators and Security Teams
The framework validates what many admins already suspected: Copilot readiness isn’t a one-and-done config switch. It’s a layered overhaul that starts with data hygiene. If your organization rushed to turn on Copilot, chances are oversharing findings from Purview have already landed in your inbox. This methodology gives you a structured way to triage and remediate—without having to design the program from scratch.
Practical take: Even if you don’t hire EPC Group, the seven-layer stack serves as a self-assessment checklist. Start by running the content explorer in Purview to understand what Copilot can see, then prioritize cleaning up legacy permissions in SharePoint and Teams.
For Business Decision-Makers and Line-of-Business Owners
The framework connects the dots between compliance theater and tangible risk reduction. A health system CEO, for instance, can see that Layer 4 policies will block Copilot from summarizing a patient’s medical record during a Teams meeting if that record lacks proper consent labels. This isn’t about locking down innovation; it’s about building guardrails that make innovation defensible.
For Power Users and Early Adopters
Power users who’ve been testing Copilot in Excel or Word will feel the downstream effects. When the framework is in place, they may encounter fewer “I can’t generate that because of a sensitivity label” interruptions, because label inheritance and default policies will be sorted beforehand. But they’ll also need to participate in Layer 7’s feedback loop, flagging errors that refine the models.
For Home Users
This framework targets enterprise tenants. Home and small business users on Microsoft 365 Family or Business Basic won’t directly engage with a seven-layer consulting project. However, the principles—label your sensitive files, audit who has access—are equally relevant for anyone using Copilot Pro or the free Copilot in Windows. If you store tax documents in OneDrive, applying a sensitivity label manually can prevent them from being summarized unintentionally.
How We Got Here: The Copilot Governance Gap
When Microsoft launched Copilot for Microsoft 365 in November 2023, the productivity promise was immense. But within weeks, reports surfaced of users discovering that Copilot could surface confidential emails, HR documents, and salary spreadsheets that had been left with overly broad sharing permissions. The problem wasn’t a software bug; it was a data governance shortfall. Microsoft responded with a series of tools: SharePoint Advanced Management, restricted access control for SharePoint sites, and tighter integration between Copilot and Purview sensitivity labels.
Yet, assembling those tools into a coherent defense-in-depth strategy remained a consultant’s domain. In 2024, Microsoft published its own guidance, “Securing Microsoft 365 Copilot: Data Protection and Compliance,” but business leaders complained it read like a 200-page white paper, not a deployable plan. Independent consultancies began filling the void. EPC Group’s announcement is the latest—and most holistic—attempt to package a full Copilot control plane.
The timing of the May 27, 2026 release aligns with a wave of regulatory moves. The EU AI Act’s high-risk AI obligations took effect earlier that year, and U.S. agencies have tightened procurement rules requiring documented AI governance frameworks. For organizations already steeped in Microsoft 365 E5 licensing, a framework that leverages existing investments in Purview and Defender is a pragmatic sales pitch.
What to Do Now: An Actionable Five-Step Plan
Whether or not you engage EPC Group, the framework’s logic can jumpstart your own Copilot governance. Here’s a step-by-step path that mirrors the methodology.
Step 1: Inventory Copilot-Accessible Data Sources
Log into the Microsoft Purview compliance portal and run the Content Explorer report. Filter by sensitive info types relevant to your industry—HIPAA, PCI-DSS, GDPR, or custom trainable classifiers. Take note of locations (SharePoint sites, Teams, OneDrive) with the highest density of unlabeled or overexposed files.
Step 2: Remediate Legacy Permissions
Use the SharePoint Admin Center’s “Recent permission changes” report and the “Sites with most external sharing” dashboard. For Teams, review team membership and guest access. Implement “Restricted SharePoint Search” (still in preview as of May 2026) to limit what Copilot can index during the transition.
Step 3: Apply Sensitivity Labels with Auto-Labeling
Turn on Purview’s auto-labeling for known sensitive patterns. Start with a pilot of the “Confidential” and “Highly Confidential” labels, and monitor label adoption. Ensure that “Encrypt” and “Content marking” are configured for the most sensitive labels, as Copilot respects these protections.
Step 4: Configure Copilot-Specific DLP Policies
In Purview, define DLP policies that target Copilot interactions. For example, prevent copying or summarizing content that contains “Employee ID” combined with “Salary” in Teams channels where external guests are present. Make use of Purview’s “Adaptive protection” to apply differentiated policies based on user risk level.
Step 5: Enable Audit Logging and Alerting
Switch on Microsoft 365 unified audit logs if you haven’t already. Create alerts in Sentinel or Defender for Cloud Apps that fire when a user runs a high volume of Copilot prompts against protected repositories in a short window. Feed these alerts into your SOC’s standard runbook.
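The burst alert in Step 5 (and the Layer 6 scenario of a user repeatedly querying sensitive data) can be prototyped offline before it is turned into a Sentinel or Defender for Cloud Apps rule. The following Python script is an added example, not code from the article or from EPC Group: it runs a per-user sliding-window count over constructed log lines shaped loosely like unified audit log CopilotInteraction records. The field names (CreationTime, UserId, Operation, AccessedResources, SensitivityLabel), the label names, and the threshold of five protected prompts in ten minutes are assumptions made for this example and should be checked against the schema your tenant actually exports.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Labels whose presence on an accessed resource marks a prompt as "protected".
# Label names are an assumption for this example.
PROTECTED_LABELS = {"Confidential", "Highly Confidential"}
THRESHOLD = 5                    # protected prompts by one user ...
WINDOW = timedelta(minutes=10)   # ... inside this window raise an alert

# CONSTRUCTED sample records, one JSON object per line, shaped loosely like
# unified-audit-log CopilotInteraction entries. Field names are assumptions.
# The 7th line is deliberately malformed and one record is out of time order.
SAMPLE_LOG = """\
{"CreationTime":"2026-05-27T09:00:00Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Highly Confidential"}]}
{"CreationTime":"2026-05-27T09:01:30Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Highly Confidential"}]}
{"CreationTime":"2026-05-27T09:02:00Z","UserId":"bob@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/Marketing","SensitivityLabel":"General"}]}
{"CreationTime":"2026-05-27T09:03:10Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Confidential"}]}
{"CreationTime":"2026-05-27T09:04:00Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[]}
{"CreationTime":"2026-05-27T09:05:45Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Highly Confidential"}]}
this line is not JSON and must be skipped rather than crash the detector
{"CreationTime":"2026-05-27T09:07:20Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/Finance","SensitivityLabel":"Confidential"}]}
{"CreationTime":"2026-05-27T09:30:00Z","UserId":"bob@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Confidential"}]}
{"CreationTime":"2026-05-27T09:08:00Z","UserId":"alice@contoso.example","Operation":"CopilotInteraction","AccessedResources":[{"SiteUrl":"https://contoso.example/sites/HR","SensitivityLabel":"Confidential"}]}
"""


def parse_records(text):
    """Parse one JSON record per line. Lines that are not valid JSON or lack the
    fields we need are skipped (logged exports are rarely pristine). Records are
    returned sorted by CreationTime so the sliding window sees them in order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["CreationTime"].replace("Z", "+00:00"))
            user = rec["UserId"]
        except (ValueError, KeyError, TypeError):
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)
        records.append((ts, user, rec))
    records.sort(key=lambda r: r[0])
    return records


def touches_protected(rec, labels=PROTECTED_LABELS):
    """True if any resource Copilot read for this prompt carries a protected label."""
    return any(isinstance(r, dict) and r.get("SensitivityLabel") in labels
               for r in rec.get("AccessedResources", []))


def detect_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Per-user sliding-window count of prompts that touched protected content.
    Returns one alert per burst as (user, first_ts, last_ts, count), fired the
    moment the count first reaches the threshold; later prompts in the same
    burst do not re-fire until the window has drained below the threshold."""
    recent = defaultdict(deque)
    alerts = []
    for ts, user, rec in parse_records(text):
        if rec.get("Operation") != "CopilotInteraction" or not touches_protected(rec):
            continue
        q = recent[user]
        q.append(ts)
        while q and q[0] < ts - window:   # drop prompts older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((user, q[0], ts, len(q)))
    return alerts


if __name__ == "__main__":
    for user, first, last, count in detect_bursts(SAMPLE_LOG):
        # This is the shape you would hand to the SOC runbook or a SOAR playbook.
        print(json.dumps({"alert": "copilot_protected_burst", "user": user,
                          "count": count, "first": first.isoformat(),
                          "last": last.isoformat()}))
```

On the constructed data only alice trips the detector: six of her prompts touched labeled HR or Finance content, the fifth arriving at 09:07:20, so one alert covers the burst starting at 09:00:00; bob's single labeled prompt and the unlabeled prompts are ignored. Tune the threshold and window against a baseline of normal usage before wiring the rule into Sentinel, otherwise a legitimate analyst working through a labeled document set will page the SOC.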
For organizations that lack the in-house bandwidth, EPC Group’s framework could trim the implementation to a focused 6–8 week project. The company says its governance-as-a-service retainer then provides ongoing tuning.
Outlook: The Next Phase of the Control Plane
EPC Group’s framework enters a market where AI governance is quickly becoming table stakes. Microsoft is expected to deepen native governance controls in Purview—auto-labeling policies that dynamically adjust based on content risk, and tighter integration between Copilot and compliance boundaries (formerly information barriers). The framework’s real test will be whether it can adapt when those native tools ship.
Watch for Microsoft’s Copilot Governance dashboard, reportedly in private preview, which may mirror some of the monitoring layers EPC Group has built with Sentinel and Defender. When that dashboard goes public, frameworks like this one will either become streamlined complements or face redundancy. Either way, the days of treating Copilot governance as an afterthought are over.