Data governance for small business: why your AI risk is really a permissions problem

By Greg Markowski / Jun 5, 2026 / Cybersecurity & Compliance

Most small businesses we talk to think they have an AI problem. They have a data governance problem wearing an AI costume.

The fear is real enough. Staff are pasting client information into chatbots, Copilot is surfacing files nobody remembers sharing, and the board wants to know who signed off on any of it. The instinct is to write an AI policy. The better move is to fix who can see what, because AI did not create that exposure. It just made it impossible to ignore.

This is the heart of data governance for small business in 2026: the controls that decide which people, and now which AI tools, can reach which information. Get that right and most of your AI risk disappears. Get it wrong and no policy document will save you.

$56,600: Average loss per cyber incident for an Australian small business

1 in 5: Breaches that trace back to excessive access or accidental sharing

0 trust: An AI agent can inherit, but never exceed, the permissions of the person running it

What data governance actually means

Strip away the jargon and data governance answers four questions. What information do we hold? Where does it live? Who is allowed to touch it? And how do we prove all of that when someone asks?

For a 30-person firm that usually means Microsoft 365: SharePoint sites, Teams channels, shared mailboxes, a CRM, and a few line-of-business apps. The problem is rarely that the data is unprotected. It is that permissions have sprawled. A site shared “just for now” three years ago is still open to the whole company. A departed contractor still has a guest account. Finance records sit in a folder marked “everyone”.

That mess was tolerable when only humans clicked through it, because people generally do not go hunting through folders they have no reason to open. AI does not have that restraint.

Why AI turns a permissions mess into a breach

Here is the mechanism that catches businesses out. When you point an AI assistant at your environment, it does not get special powers. It acts as the person using it and can reach exactly what that person can reach. Ask Copilot to summarise everything it knows about a salary review, and if your permissions are loose, it will happily pull pay data the asker was never meant to see.

The AI did nothing wrong. It followed the access rules you set, or failed to set. This is why the industry has stopped treating AI governance as a separate discipline and started describing it as data governance applied to a faster, more thorough user. The login is no longer the only boundary. What a given identity is allowed to reach is the boundary.

So the order of operations matters. You cannot govern AI on top of broken permissions. You fix the foundation first, then layer the AI rules on top. We wrote more about where that foundation stops at the platform edge in our piece on why AI governance has to extend beyond Microsoft 365.

The five controls that do the real work

Frameworks have many pages. The controls that move the needle for a small business are few, and they are the same ones that make AI safe to switch on.

  1. Know what sensitive data you hold. You cannot protect what you have not found. Identify where client records, financial data, and contracts actually live before anything else.
  2. Set access by role, not by habit. People should reach what their job requires and nothing more. This is the core of good access management, and it is the single highest-value cleanup most firms can do.
  3. Close the gaps that accumulate. Remove stale guest accounts, expired sharing links, and “whole company” permissions that were meant to be temporary.
  4. Classify and label. Tag sensitive content so both staff and AI tools know what is confidential. Labels are what let you stop a tool from surfacing the wrong file.
  5. Log and review. Keep a record of who accessed what, and review access on a schedule. When the regulator or your insurer asks, evidence is the difference between a finding and a fine.

Notice that none of those five are AI controls. They are data governance controls. Once they are in place, governing AI is mostly a matter of pointing the tools at data that is already organised and deciding which tools are approved. That is the bridge: do the old discipline properly and the new one becomes manageable. Our guide to AI governance in Australia covers the policy layer that sits on top.
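As an added example (not code from the article or from Epic IT), here is a PowerShell audit for the stale guest accounts named in control 3, whose output doubles as the review evidence control 5 asks for. It assumes the Microsoft.Graph PowerShell SDK with the User.Read.All and AuditLog.Read.All scopes and an Entra ID P1 licence for sign-in data; the 30-day and 90-day thresholds and the sample guests are constructed for illustration.

```powershell
# Added example, not the article's own: flag stale Microsoft 365 guest accounts.
# Assumes the Microsoft.Graph PowerShell SDK. SignInActivity needs the
# AuditLog.Read.All scope and an Entra ID P1 licence; without P1 it comes back
# empty, so read 'Never signed in' as "no sign-in data" in that case.
function Find-StaleGuest {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $InactiveDays   = 90,   # assumed threshold, not from the article
        [int] $UnredeemedDays = 30,   # assumed threshold, not from the article
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Guests) {
        $lastSignIn = $g.SignInActivity.LastSignInDateTime
        $reason = $null
        if ($g.ExternalUserState -eq 'PendingAcceptance' -and
            $g.CreatedDateTime -lt $Now.AddDays(-$UnredeemedDays)) {
            $reason = 'Invitation unredeemed'      # account exists, nobody ever used it
        } elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $Now.AddDays(-$InactiveDays)) {
            $reason = 'Never signed in'
        } elseif ($lastSignIn -and $lastSignIn -lt $Now.AddDays(-$InactiveDays)) {
            $reason = "Inactive since $($lastSignIn.ToString('yyyy-MM-dd'))"
        }
        if ($reason) {
            [pscustomobject]@{
                DisplayName = $g.DisplayName
                Mail        = $g.Mail
                Created     = $g.CreatedDateTime
                LastSignIn  = $lastSignIn
                Reason      = $reason
            }
        }
    }
}

function Get-TenantGuest {
    # Live query: every guest in the tenant with the fields Find-StaleGuest reads.
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity
}

# Constructed sample guests so the logic can be checked without a tenant.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Active Partner'; Mail = 'a@partner.example'; ExternalUserState = 'Accepted'
                       CreatedDateTime = (Get-Date).AddDays(-400); SignInActivity = @{ LastSignInDateTime = (Get-Date).AddDays(-3) } }
    [pscustomobject]@{ DisplayName = 'Old Contractor'; Mail = 'c@contractor.example'; ExternalUserState = 'Accepted'
                       CreatedDateTime = (Get-Date).AddDays(-900); SignInActivity = @{ LastSignInDateTime = (Get-Date).AddDays(-300) } }
    [pscustomobject]@{ DisplayName = 'Never Joined'; Mail = 'n@vendor.example'; ExternalUserState = 'PendingAcceptance'
                       CreatedDateTime = (Get-Date).AddDays(-60); SignInActivity = $null }
)
Find-StaleGuest -Guests $sample | Format-Table -AutoSize   # flags Old Contractor and Never Joined
```

Against a real tenant, `Find-StaleGuest -Guests (Get-TenantGuest) | Export-Csv stale-guests.csv -NoTypeInformation` gives a dated list to review and remove from, and to keep as evidence of the review.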

What this looks like in practice

We typically start with a discovery pass: a map of where sensitive data sits and who can currently reach it. Most businesses are surprised by the answer. From there it is a methodical cleanup of permissions, a sensible labelling scheme, and a review rhythm that keeps the mess from creeping back.

It is not glamorous work and it does not make a good headline. It is also the reason a business can adopt AI with confidence instead of crossing its fingers. The firms getting AI right in Perth are not the ones with the cleverest policy. They are the ones whose cyber security foundations were already in order.

Frequently Asked Questions

What is data governance for a small business?
Data governance is the set of rules and controls that decide what information your business holds, where it lives, who can access it, and how you prove that. For most small businesses it comes down to managing permissions across Microsoft 365 and your key apps so that people, and AI tools, only reach what they should.

How is data governance different from AI governance?
They overlap heavily. AI governance adds rules about acceptable use, approved tools, and human oversight, but the data layer of AI governance is simply data governance: controlling who and what can access which information. An AI assistant inherits the permissions of the person using it, so weak data governance becomes an AI risk automatically.

Why does AI make permission problems worse?
People rarely go looking through files they have no reason to open. AI tools will surface anything the requesting user is allowed to reach, instantly and thoroughly. Loose or stale permissions that went unnoticed for years can suddenly expose sensitive data through a single Copilot prompt.

Where should a business start with data governance?
Start by finding where your sensitive data lives and reviewing who can currently access it. Then tighten access to a role basis, remove stale accounts and sharing links, label confidential content, and set a review schedule. Those steps fix most exposure and make AI adoption far safer.

Not sure who can see what in your business?

We will map where your sensitive data sits and who can reach it, then fix the gaps before AI makes them a problem. Our Perth-based team can help on 1300 EPIC IT.

About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
