There’s a question I ask organisations early in every data security engagement: can you tell me, right now, where your sensitive data lives, who can access it, and whether any risky behaviour is happening around it?
In almost every engagement I’ve led, organisations struggle to answer all three and often rely on manual reporting that’s already out of date.
That gap between what organisations think their data estate looks like and what it actually looks like is where significant risk quietly accumulates. It’s the gap that data security posture management (DSPM) is designed to close. The best thing about DSPM is that it works to keep that gap closed not just periodically, but continuously.
In this blog, we examine why organisations struggle to secure data they cannot see, and how continuous data security helps close the gap between assumed and actual risk.
Five years ago, a lot of data risk lived inside systems with relatively predictable perimeters. Today, data is created, shared, synced and copied across collaboration tools, SaaS platforms, personal devices, synced folders, browser sessions and AI-enabled workflows. This often happens simultaneously and often without anyone tracking the movement.
In one afternoon, a file shared in SharePoint can get synced to a laptop, emailed as an attachment, pasted into a Teams conversation, and referenced in a Copilot query. The new exposure points are less about perimeter compromise and more about oversharing, unmanaged storage, stale identities, external collaboration links and AI-accessible content. In AI-enabled environments, that same exposure can be surfaced and amplified in seconds.
You can see how a quarterly audit just doesn’t cut it as a risk management strategy.
In a healthy hybrid environment, you can see where your data is, what it is, and how it’s handled. It’s classified and governed, with a current view of sensitive data, clear ownership, and the right protections in place. Access stays at least privilege, activity is monitored, and issues are addressed through repeatable remediation.
Microsoft Purview’s DSPM capability provides exactly this: a centralised view that tracks sensitive assets, user activity, trends and recommendations, updated continuously rather than on a reporting cycle. It quickly answers practical questions about where sensitive data lives, who can access it, and what risky behaviour is occurring around it.
If an organisation currently depends on manual work or periodic exports to address these questions, then the posture is already falling behind the environment it’s meant to protect.
When I ask security leaders what keeps them awake at night, they tend to worry less about known risks and more about what sits outside their line of sight. The most alarming finding in a DSPM assessment is usually unknown exposure rather than exposed data. It’s sensitive content sitting in places the business didn’t expect, with permissions broader than anyone intended.
Role creep is a good example. Access builds up over time through projects, Teams, SharePoint sites and group membership, and when the work ends, that access often stays in place because no one is clearly responsible for removing it. Multiply that pattern across hundreds of users over several years and you end up with an access model that no longer reflects reality. You also get an incident response capability that can’t trust the access model when it matters most.
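The role-creep pattern above is easy to state and hard to see without a current view of entitlements. The following script is an added illustration, not Purview's logic or any Data#3 tooling: it takes a constructed set of access grants (user, resource, the project that justified the grant, when that project ended, and when the user last used the access), flags grants whose justification has expired or that have gone unused, and summarises per user how much of their accumulated access is still defensible. The 90-day inactivity threshold and the sample dates are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample entitlements (not real data). Each grant records who has
# access to what, why it was granted, when the justifying project ended
# (None = ongoing), and when the user last touched the resource (None = never).
GRANTS = [
    {"user": "alice", "resource": "SharePoint: Project-Apollo", "reason": "Project Apollo",
     "project_end": date(2023, 6, 30), "last_used": date(2023, 7, 2)},
    {"user": "alice", "resource": "Teams: Finance-Reporting", "reason": "Finance team",
     "project_end": None, "last_used": date(2025, 1, 10)},
    {"user": "bob", "resource": "SharePoint: Project-Apollo", "reason": "Project Apollo",
     "project_end": date(2023, 6, 30), "last_used": date(2024, 12, 1)},
    {"user": "carol", "resource": "SharePoint: HR-Records", "reason": "HR onboarding 2022",
     "project_end": date(2022, 3, 1), "last_used": None},
]

# Assumed review threshold: access unused for longer than this is treated as inactive.
STALE_AFTER = timedelta(days=90)

# Fixed "today" so the example is reproducible; a real review would use date.today().
TODAY = date(2025, 2, 1)


def classify_grant(grant, today):
    """Return the list of reasons a grant needs review (empty list = still justified).

    Two independent signals are checked:
      - the project that justified the grant has ended ("justification expired");
      - the access has never been exercised, or not within STALE_AFTER ("never used"/"inactive").
    A grant can carry both reasons, which is the strongest removal candidate.
    """
    reasons = []
    if grant["project_end"] is not None and grant["project_end"] < today:
        reasons.append("justification expired")
    if grant["last_used"] is None:
        reasons.append("never used")
    elif today - grant["last_used"] > STALE_AFTER:
        reasons.append("inactive")
    return reasons


def review_access(grants, today):
    """Return every grant that has at least one review reason, with the reasons attached."""
    findings = []
    for grant in grants:
        reasons = classify_grant(grant, today)
        if reasons:
            findings.append({**grant, "reasons": reasons})
    return findings


def summarise(grants, today):
    """Per-user count of total grants versus grants flagged for review.

    The gap between the two numbers is the accumulated access that no longer
    reflects the user's current work; it is what an incident responder cannot trust.
    """
    summary = {}
    for grant in grants:
        entry = summary.setdefault(grant["user"], {"total": 0, "flagged": 0})
        entry["total"] += 1
        if classify_grant(grant, today):
            entry["flagged"] += 1
    return summary


if __name__ == "__main__":
    for finding in review_access(GRANTS, TODAY):
        print(f"{finding['user']:6} {finding['resource']:30} {', '.join(finding['reasons'])}")
    for user, counts in summarise(GRANTS, TODAY).items():
        print(f"{user}: {counts['flagged']} of {counts['total']} grants need review")
```

The two signals deliberately stay separate: Bob's Apollo access is still in use but its justification ended eighteen months ago, which is a case for reassigning ownership rather than silently removing access, while Carol's never-used HR grant has no owner who can argue for keeping it. A continuous posture tool applies this kind of rule over live entitlement and activity data rather than a snapshot.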
The consequence is broader than audit pain. The combination of overexposed data, stale access and unclear ownership is what turns a minor misconfiguration into a reportable breach, regulatory exposure, or an AI-driven data leakage event. Critically, ownership of sensitive data must be clearly defined, because without it, governance and remediation efforts quickly stall. Your controls should follow your data. DSPM works as a continuous architectural control, not a quarterly audit, which gives teams ongoing visibility into sensitive data, how it’s exposed, and what needs attention, so issues can be addressed before they turn into incidents.
One concern I hear regularly is that continuous monitoring means continuous alerts. Security teams are already stretched, and the prospect of adding yet another feed of low-context notifications is understandably unappealing.
The answer is to treat DSPM as a prioritisation engine rather than a firehose. Purview’s DSPM model is built around analytics, trends and actionable recommendations, so attention stays on the highest‑risk data, the most excessive permissions and the most meaningful activity patterns. When it’s working well, the result is fewer alerts and clearer actions. That might be a data loss prevention policy to stop sensitive data being exfiltrated, a lifecycle action to remove content that no longer has value, or a sensitivity label applied to data that has been sitting unprotected.
Critically, those recommendations don’t stay inside Purview. DSPM findings flow into Microsoft Sentinel for correlation with broader threat telemetry, surface in Defender XDR’s unified incident queue and can be queried through Security Copilot. This gives security professionals data context alongside threat context when they need it most.
Data#3 not only deploys Purview but operationalises it, bringing the advisory expertise to establish the ownership, governance workflows, and remediation pathways that persist beyond initial configuration.
There is an important distinction to make here: Microsoft secures the platform and infrastructure, while the responsibility for how data is classified, who can access it, how long it is retained and how AI tools are scoped sits with the customer. The gap between what Purview can do out of the box and what most organisations have configured is where most data risk lives, and where Data#3 adds value.
Our advisory and architecture-led approach to DSPM begins with the workload that carries the highest concentration of sensitive and collaborative data, which for most organisations is Microsoft 365. That gives immediate visibility into file sharing, oversharing, stale permissions and user activity across the core collaboration layer. From there, coverage expands into additional SaaS and cloud workloads as the operating model matures.
The result is a data estate that can answer the three questions I listed at the beginning of this article: where is the sensitive data, who can access it, and what risky behaviour is happening around it. And it can answer them not just once a quarter, but at any given time.
If your organisation can’t confidently say where sensitive data resides, who can access it, and what is happening around it in real time, it’s already operating with risk.
A structured starting point is essential. The Data#3 Data Security Envisioning Workshop is designed to help organisations establish this baseline and define a practical roadmap to continuous data security.
Contact a Data#3 Microsoft Security Specialist about your environment today.