In episode 5 of GrailCast Live, DataGrail CEO Daniel Barber sat down with Michael Moore, Vice President & Head of Legal at Glean Technologies, to discuss what it actually takes to govern data access in an AI-powered workplace. Glean builds enterprise search and AI tools, giving Moore a front-row seat to how organizations of every size are wrestling with the same core problem: how do you let AI help your people work smarter without exposing data they should never see?
The conversation covered a lot of ground. Here are the frameworks and practical principles that stood out.
Listen to Michael’s full conversation with Daniel Barber on GrailCast Live.
Clean the house before you invite guests
Moore’s most memorable analogy: deploying an AI tool across an enterprise without auditing your permissions first is like inviting the whole family over for the holidays before making the kids clean up. The mess was always there. AI just moves through it faster.
In most large organizations, permissions have accumulated over years. Employees come and go, service accounts stay open, file-sharing settings go unreviewed. IT teams know about roughly 13% of the cloud apps employees actually use. The rest exists as shadow IT, invisible and unmanaged.
Before rolling out any AI-powered search or knowledge tool, Moore recommends a permissions audit across every system that will be connected. The goal is simple: the data an employee can access through an AI tool should match exactly what they could access without it. No more.
This work also pays off as a security measure. Overly broad permissions are not just a privacy risk. They are a lateral movement risk if a bad actor ever gets inside the perimeter.
Assign ownership before deployment. IT handles system access, HR reviews HR data permissions, Finance locks down financial systems. Document what you find, remediate what needs fixing, and set a cadence to repeat the process.
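The parity rule above (an AI tool should expose exactly what the source system already allows, and no more) can be checked mechanically. The following is an added example, not code from Glean, DataGrail or the episode; the ACL maps, principal names, paths and owner routing are constructed assumptions standing in for exports from your own systems.

```python
# Constructed sample data; names and paths are illustrative only.
ACTIVE_PRINCIPALS = {"alice", "bob"}  # current employees and owned service accounts
OWNER_BY_PREFIX = {"hr/": "HR", "fin/": "Finance"}  # anything else is routed to IT

SOURCE_ACL = {  # who the source system itself lets read each document
    "eng/design.md": {"alice", "bob"},
    "hr/salaries.xlsx": {"alice"},
    "fin/forecast.xlsx": {"carol", "svc-export"},
}
AI_INDEX_ACL = {  # who the AI connector would serve each document to
    "eng/design.md": {"alice", "bob"},
    "eng/old-roadmap.md": {"alice"},        # deleted at source, still indexed
    "hr/salaries.xlsx": {"alice", "bob"},   # connector flattened a group
    "fin/forecast.xlsx": {"carol", "svc-export"},
}

def owner_for(doc):
    """Route a finding to the team that owns remediation for that data."""
    for prefix, owner in OWNER_BY_PREFIX.items():
        if doc.startswith(prefix):
            return owner
    return "IT"

def audit(source_acl, ai_acl, active):
    """Return (owner, doc, kind, principals) findings, sorted by document."""
    findings = []
    for doc in sorted(set(source_acl) | set(ai_acl)):
        src = source_acl.get(doc, set())
        ai = ai_acl.get(doc, set())
        # Parity check: the AI layer must never grant more than the source.
        extra = ai - src
        if extra:
            findings.append((owner_for(doc), doc, "ai_overexposure", sorted(extra)))
        # Accumulated access: departed users or unowned service accounts.
        stale = (src | ai) - active
        if stale:
            findings.append((owner_for(doc), doc, "stale_principal", sorted(stale)))
    return findings

if __name__ == "__main__":
    for finding in audit(SOURCE_ACL, AI_INDEX_ACL, ACTIVE_PRINCIPALS):
        print(finding)
```

Running the same check on a schedule, and diffing its findings against the previous run, gives the repeatable cadence described above.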
The velocity problem
Privacy and security teams have historically run quarterly or annual access audits. That cadence made sense when humans were the ones finding and using sensitive information. AI changes the math. What used to take days or weeks to surface can now happen in milliseconds.
This is the core tension Moore describes with privacy teams and AI: the instinct to protect often translates to blocking, slowing, or limiting AI adoption. That instinct is not wrong. But in a competitive environment where peer organizations are moving fast, blanket restrictions can become a business liability.
Moore’s recommendation is to resolve this tension through an AI governance committee that brings the right stakeholders together: legal, privacy, security, and the business units whose data is in scope. The committee does not need to approve every use case. It needs to make deliberate, documented decisions about which data categories are cleared for AI access and in what sequence.
Stage your rollout by data sensitivity. Code repositories and product documentation carry relatively low privacy risk and are a reasonable starting point. HR and financial data come later, with tighter scoping and more rigorous review.
A human must be in the loop
The EU AI Act is explicit: for any decision that is consequential to the rights or freedoms of a natural person, a human must be involved. Moore is candid that the current pace of agentic AI deployment is outrunning this requirement in a lot of organizations.
The solution is not to slow down AI. It is to design human checkpoints into the workflow deliberately. For enterprise AI tools specifically, that means building guardrails at the tool level (query restrictions, access boundaries, audit logging) and at the process level (escalation paths, review steps for high-stakes outputs).
If something goes wrong, a regulator will ask what controls you had in place, who oversaw them, and whether there was a process for escalation. Having that documentation is not bureaucracy. It is risk management.
Before deploying an AI tool with access to sensitive data, document your control points. What queries are blocked or flagged? Who reviews exceptions? How are outputs logged and explainable? If you cannot answer these questions, your governance framework is not ready for production.
High-quality context produces high-quality outputs
The technical observation at the center of Moore’s view on enterprise AI is simple: context is everything. The same model will produce radically different outputs depending on the quality and relevance of the data it can access.
Garbage in, garbage out has always been true. The difference with AI is that garbage now produces confident-sounding, well-formatted garbage, which is harder to catch than obvious errors. Organizations that invest in clean, authoritative, well-governed data will get meaningfully better AI outputs than those that feed models everything indiscriminately.
This is also one of the stronger arguments for maintaining a rigorous data map before deploying AI across your tech stack. If you do not know what data you have, where it lives, and how it is classified, you cannot make good decisions about what AI should and should not access.
Data quality and AI governance are not separate workstreams. A complete, accurate data map is the foundation that makes responsible AI deployment possible. DataGrail’s Live Data Map gives privacy and security teams continuous visibility into where personal data lives across their entire system landscape, including the third-party SaaS tools that tend to accumulate outside of IT’s line of sight.
The future of work is role-fluid
Moore closed with an observation about the future of work that is worth sitting with. As AI tools blur the lines between architect, product manager, and software engineer, the individuals who learn to use them well will expand their scope considerably. The people who do not will find their roles narrowing.
This shift is not just about productivity. It is about governance. When individual contributors have significantly more capability, the importance of clear guardrails, good judgment, and ethical frameworks scales up proportionally. The tools can do more. So can the mistakes.
The organizations that get this right will be the ones that invest in both sides of that equation: AI tools with real governance built in, and people who are trained to use them thoughtfully.