Microsoft Purview Information Protection: Sensitivity Labels, Auto-Labeling, and Encryption

An enterprise deploys Purview sensitivity labels. The IT team creates a taxonomy: Public, Internal, Confidential, Highly Confidential, plus sub-labels for each business unit. The taxonomy has 23 label options. Users see a dropdown with 23 choices every time they create or save a document. Within two weeks, the pattern is clear — users select 'Internal' for everything regardless of content because it's the middle option and nothing bad seems to happen. The labeling program produces coverage metrics (95% of documents labeled) but no protection (95% of documents have the wrong label). The CISO reviews and realizes the taxonomy was designed by IT without user research, the labels don't match how people think about data sensitivity, and the enforcement policies are either too aggressive (blocking legitimate work) or too permissive (allowing everything through). The program is technically deployed but functionally useless.

Information protection that works starts with taxonomy design that matches how the organization actually handles sensitive data — not how IT categorizes it. Three to five sensitivity levels maximum, with names users recognize from their daily work. Auto-labeling policies that classify the obvious cases (documents containing credit card numbers, health records, financial statements) without user intervention. Recommended labeling for the ambiguous cases with the user training that explains why it matters. Mandatory labeling for the document types where classification is non-negotiable. Encryption and access restrictions applied through labels so protection follows the document outside the organization. With the adoption measurement that shows actual classification accuracy — not just label coverage. Done with this discipline, information protection works. Done as an IT project without user research, it produces metrics that mask failure.