RBD. Framework Brief — Summer 2026
Governance Architecture · Companion to the Research Brief

A Decision System for Copilot in Regulated Industries

Microsoft 365 Copilot makes permissions consequential at machine speed. Organizations that govern it with an acceptable-use policy will fail the audit they are trying to avoid. This brief defines the governance architecture: six decision nodes, a risk classification structure, and a three-phase implementation sequence.

Megan C. Starkey | Summer 2026 | RBD. Intelligence Center
01 — The Governance Gap

The Evidence Points to the Same Conclusion

The research brief documents the exposure in detail. The summary that justifies this framework is three numbers.

90%
of sensitive cloud data is open and accessible to AI tools in the typical organization
1 in 10
organizations have applied sensitivity labels to their regulated files
$7.42M
average cost of a healthcare data breach — the costliest sector for the 14th consecutive year

The common factor in all three numbers is the permission state the tool discovered and made searchable at scale. Copilot inherits the access controls already in the tenant, and in most organizations those controls have accumulated years of over-permissioned defaults, stale accounts, and unlabeled regulated data.

An acceptable-use policy addresses behavior. It does not address the structural condition that makes behavior consequential: an unlabeled, over-permissioned tenant with a tool that answers any authorized question at machine speed. The governance problem is architectural, and it requires an architectural response.

02 — Governance Architecture

The Six Nodes of an Adaptive AI Governance System

RBD.’s Band 4 Adaptive Governance framework maps six decision nodes to the Copilot deployment problem. Each node owns a discrete set of decisions. Together, they replace the policy document with an operating system.

The framework is drawn from The Intelligence Organization™ (Megan C. Starkey, 2026), where Band 4 Adaptive Governance is modeled on the architecture of an immune system: a distributed network built to detect threats at the perimeter, adapt to conditions it has never seen before, build memory from each response, and defend without waiting for central authorization. The version below is calibrated to the M365 Copilot deployment question for mid-market and non-profit organizations in healthcare and financial services.

Node 01
Decision Node

Owns approval authority for AI use cases, access-control changes, and policy exceptions. This is the seat that says yes or no — and is accountable if the answer was wrong.

Copilot: authorizes new agent deployments, approves Tier 1 use cases, and signs off on exceptions to the risk classification policy.
Node 02
Committee Node

Owns cross-functional review of proposed use cases. Resolves competing priorities between productivity goals, legal obligations, and access restriction requirements.

Copilot: reviews proposals that span legal, compliance, IT, and business units; escalates to the Decision Node when a use case crosses tiers or requires policy change.
Node 03
Security Node

Owns access controls, identity lifecycle management, and breach response. The technical execution arm of the governance system — configures what the policy prescribes.

Copilot: runs permission audits, configures sensitivity label enforcement and DLP policies, manages ghost account remediation, and owns Restricted Content Discovery settings.
Node 04
Portfolio Node

Owns the registry of authorized AI use cases. Tracks what is approved, what is pending review, and what is denied — and prevents unauthorized use cases from running in parallel.

Copilot: maintains the approved-use register by tier; tracks all Copilot Studio agent deployments; surfaces the registry to the Committee and Decision nodes for review cycles.
Node 05
Compliance Node

Owns regulatory controls, records retention obligations, and audit readiness. The node that answers the regulator’s question about what the organization knew and when.

Copilot: HIPAA minimum-necessary and BAA compliance, financial services retention under 17a-4 and FINRA 4511, classification of AI-generated content as business records, and regulatory change monitoring.
Node 06
Alignment Node

Owns continuous governance review and adaptation. As AI capabilities expand and regulations evolve, the Alignment Node ensures the governance system keeps pace with the environment it governs.

Copilot: quarterly review of agent proliferation, policy updates as Microsoft releases new Copilot capabilities, alignment between current governance posture and regulatory developments.

The six nodes do not require six separate people or six separate functions. In a mid-market organization, several nodes may be held by the same individual or team. What matters is that each node’s decision authority is named, documented, and reviewed on a defined cadence. Anonymous governance — where no one is accountable for a decision — is not a governance system; it is a liability gap.

03 — Risk Classification

Three Tiers, Three Sets of Rules

Sensitivity labeling tied to risk-tiered access is the single most powerful control available for M365 Copilot — and the capability nine organizations in ten have not deployed. Without a classification architecture, every prompt is treated identically: Copilot returns whatever is accessible, regardless of how sensitive the content is.

The three-tier structure below applies to both healthcare organizations under HIPAA and financial services organizations under GLBA and SEC recordkeeping requirements. Organizations subject to both regulatory frameworks (common in behavioral health and mission-driven financial services organizations) should apply the more restrictive tier to any data that touches both.

Tier Data Types Copilot Access Rule Decision Authority Review Cadence
Tier 1
High
PHI, customer financial records, M&A-sensitive, executive communications, attorney-client privileged Restricted. Requires sensitivity label and DLP enforcement. Copilot and agents cannot surface in response to broad or cross-departmental prompts. AI-generated content classified as a business record. Decision Node + Compliance Node dual approval. Any new use case or agent accessing Tier 1 data requires explicit authorization. Quarterly minimum. New agent deployments require pre-approval before activation.
Tier 2
Medium
Cross-department internal-sensitive, legal documents, financial reports, HR records, board materials Controlled. Sensitivity label required. DLP monitoring active. Visible to explicitly permitted users only; Copilot respects existing access boundaries. Committee Node review required for new use cases. Escalates to Decision Node when a proposed use case would modify access boundaries. Semi-annual. Spot check after each major Microsoft Copilot feature release.
Tier 3
Low
Non-sensitive productivity content, public-facing materials, general operational documents with no regulated data Standard. Baseline Copilot access. Sensitivity label recommended but not required for every file. DLP monitoring passive. Portfolio Node maintains the approved-use registry. No case-by-case approval required for standard use. Annual. Reviewed during the Alignment Node’s standing governance cycle.

The full Decision Rights Matrix — which maps each node’s approval authority by tier, escalation path, and required documentation — is delivered as part of a governance engagement. The table above defines the architecture; the matrix defines the operating procedures.

04 — Implementation Sequence

Three Phases, Overlapping Timeline

Most organizations do not need to pause Copilot deployment to begin governance. Phases 2 and 3 can run in parallel, and much of Phase 1 uses tooling already included in Microsoft 365. The sequence below assumes Copilot is already licensed or actively under evaluation.

Phase 01 Permission Audit Weeks 1–3
  • Run Data Access Governance reports in the Microsoft 365 Admin Center to produce a baseline inventory of over-shared sites and files
  • Identify SharePoint sites shared with “Everyone,” “Everyone except external users,” or via anonymous sharing links
  • Export the list of accounts that have not authenticated in 90+ days but retain active access; prioritize for remediation
  • Inventory SharePoint sites and OneDrive folders that contain regulated data (PHI, customer financial records) but carry no sensitivity label
  • Enable Restricted SharePoint Search as a temporary throttle while Phase 2 and 3 work is underway — and set a target date for removing it
Phase 02 Classification Weeks 2–8
  • Define your three-tier data classification schema using the tier structure in Section 03; document the schema formally as a policy artifact
  • Deploy sensitivity labels for each tier in Microsoft Purview; align label names to the tier schema (not to internal abbreviations auditors will not recognize)
  • Apply Tier 1 labels to PHI-containing SharePoint sites, shared mailboxes, and OneDrive folders; prioritize breadth over perfection in the initial sweep
  • Configure DLP policies to enforce label-based access restrictions within Copilot and Copilot Studio agents
  • Enable Restricted Content Discovery for all Tier 1 sites; verify that Copilot does not surface Tier 1 content in response to broad test prompts before removing the Phase 1 RSS throttle
Phase 03 Governance Standup Weeks 4–10
  • Assign named owners for each of the six governance nodes; document the assignments and distribute to legal, compliance, IT, and executive leadership
  • Define the decision rights matrix: who approves new use cases at each tier, what documentation is required, and what the escalation path is when a use case crosses tiers
  • Build the AI use case registry (Portfolio Node): an approved list, a pending list, and a denied list, with the rationale documented for each
  • Establish records retention rules for AI-generated content that may constitute a business record under HIPAA, 17a-4, FINRA 4511, or applicable state law
  • Circulate the Acceptable Use Policy as a companion artifact to the governance system — written against the tier structure, not as a standalone document
  • Schedule the first quarterly governance review (Alignment Node): current agent inventory, new use cases since last review, regulatory developments, policy gaps
Framework note: The six governance nodes, risk classification structure, and decision rights architecture derive from RBD.’s Band 4 Adaptive Governance framework, documented in The Intelligence Organization (Megan C. Starkey, 2026, patent pending). The implementation sequence above is adapted for M365 Copilot deployment in regulated industries. Full node operating definitions, the Decision Rights Matrix, escalation paths, and AI Acceptable Use Policy template are delivered under engagement.

The architecture is defined. The implementation requires an owner.

RBD. designs and stands up the Adaptive Governance operating model — node assignments, decision rights matrix, risk classification, AI use policy, and the first governance review cycle — for regulated mid-market and non-profit organizations deploying Microsoft 365 Copilot. If the framework above matches what you need to build, we should talk.

Schedule a Governance Assessment