Playbook
We have sensitive content everywhere and no consistent classification
A CISO is preparing for an audit and discovers the organisation has no consistent way of identifying its sensitive content. M&A documents, customer PII, and HR records live in SharePoint and OneDrive with no labels and no DLP coverage. The CISO has six months to demonstrate a defensible classification baseline.
Trigger — Audit prep; no consistent content classification.
Good outcome — Sensitivity label taxonomy live, DLP policies on key surfaces, automatic classification in pilot.