Before AI can work for government agencies, your data needs to work for AI. Key insights from our roundtable at the Government Innovation Showcase Victoria.
A question is surfacing in almost every government IT conversation right now. Not which AI tools to adopt, but whether the data those tools will run on is actually ready for them.
This year, Professional Advantage joined the Government Innovation Showcase Victoria for the first time, an event that brought together public sector executives, digital and data leaders, and technologists to explore what's working now and what's needed next. Professional Advantage hosted a roundtable on Content Management and Compliance in an AI-Powered World, drawing IT leaders from across Victorian government agencies. What emerged was a candid picture of where most organisations actually stand.
Over the last 18 months, a clear directional shift has emerged across government. The aspiration is increasingly simple to articulate: one place to file, one place to find things.
Microsoft 365, already embedded in most agencies through Teams, SharePoint, and OneDrive, has become the common consolidation target. The appeal is logical. It's familiar to staff, already funded in most licensing arrangements, and has a maturing compliance platform in Purview covering data loss prevention, sensitivity labelling, retention management, and insider risk.
But as any IT leader who has tried to operationalise this vision will attest, there is a significant distance between a consolidation strategy on paper and one that works at scale, for real users, in real workflows.
The Government Sector’s Challenge Nobody Talks About Enough
The roundtable surfaced a set of challenges that will resonate with anyone navigating this terrain.
Legacy data does not retrofit itself.
Applying metadata, retention schedules, and sensitivity classifications to years, sometimes decades, of unstructured content sitting in file shares and legacy systems is enormously complex. The content does not just need to be migrated; it needs to be understood, classified, and in many cases, disposed of. That last part is where most organisations get stuck.
Compliance and collaboration pull in opposite directions.
The same data that compliance teams want locked down is often the data that operational teams need to share quickly across agencies. The tension between data protection and data sharing is real, and it cannot be resolved by policy statements alone. It has to be designed for.
Microsoft alone does not close all the gaps.
Purview has improved considerably, but challenges remain around compliant content disposal, the ability for business users to self-manage workspaces, and achieving consistent governance at scale, particularly across organisations with varying licensing tiers (E3, E5, Purview Suite and so on).
User behaviour is the hardest variable to control.
This insight from the roundtable is worth pausing on, because it reframes the entire problem:
The most important thing you can do to achieve compliant content management is to make it easy for people to do the right thing.
Technology platforms can be configured correctly, but if the compliant path is also the difficult path, people will find workarounds. Every time. This is not a criticism of government staff. It's a fundamental truth about human behaviour that information management systems have to be designed around, not against. It must be designed in a way where the path of least resistance for staff (the fastest, most intuitive way to do their job) is also the compliant way.
Content classification, sensitivity labelling, and retention tagging should not be decisions that end users have to make in the moment. If they are, compliance will be inconsistent. The system has to carry that cognitive load so that people can focus on their actual work.
And why does this matter more than ever?
AI, whether that’s Microsoft 365 Copilot, emerging agent capabilities, or broader AI tooling, is about to apply a search-on-steroids capability across your organisation’s entire data estate. It will surface content, synthesise it, and present it to staff and potentially to the public, at a speed and scale that no manual process can keep up with.
The age-old principle of garbage in, garbage out applies here with particular force. If your data estate contains records that should have been disposed of years ago, AI will find them and potentially surface them. If sensitive information lacks the labels that would tell AI how it should be treated, AI cannot be expected to make that judgment itself. It is not yet capable of doing so reliably.
The Privacy Act is explicit: data that no longer needs to be retained must be deleted promptly. A data breach involving records that are five, ten, or fifteen years old does not just create legal exposure. It creates a public trust problem that is very difficult to recover from.
Structuring Your Data Estate for an AI-Powered Future
The practical implication for IT leaders is this: AI readiness is not primarily about which AI tools you adopt. It is a question of how well-structured, well-labelled, and well-governed your content is before those tools are turned on. That means:
- Treating disposal as a first-order priority.
Organisations that invest in systematic, compliant content disposal now are reducing risk and improving AI quality simultaneously. Retention schedules that exist only on paper need to be operationalised in your content management platform. - Investing in classification and labelling at scale.
Sensitivity labels and content classifications are not just compliance overhead. They are the metadata layer that allows AI to understand what it can and cannot do with a given piece of information. Without them, AI operates blind. - Designing for ease, not just capability.
The best governance framework in the world fails if your staff work around it. The user experience of content management – how easy it is to save a document in the right place with the right metadata – matters as much as the policy framework behind it. - Enabling self-service governance through trusted roles.
One practical constraint in many organisations is that workspace creation and permissions management fall entirely on IT. This creates bottlenecks and shadow IT as business units find faster workarounds. Enabling business users to manage their own workspaces within defined guardrails (without requiring IT intervention for every change) is a meaningful unlock for both productivity and compliance.
From Copilot to Agents: The Stakes Are Getting Higher
One development discussed at the roundtable that IT leaders should closely track is Microsoft's move toward what it calls Agent 365, a new tier of AI capability that becomes generally available in May 2026 as part of the Microsoft 365 E7 suite.
Unlike Copilot, which responds to queries, agents are persistent, contextual AI workers designed to perform specific business functions – monitoring, acting, escalating, and collaborating, not just answering questions. This represents a genuine shift from asking AI questions to running AI-powered operations.
That distinction matters enormously for information governance. An AI that answers a question occasionally is one thing. An AI agent that is continuously operating across your data, making decisions and triggering actions, amplifies both the opportunity and the risk. The quality of your data governance determines which of those it primarily does.
Conclusion
The roundtable made clear that virtually every government organisation is at a different point in this journey. Some are further along with Microsoft 365 adoption. Some are still untangling file shares. Some are actively wrestling with Purview configuration. None of the challenges presented was unusual, and none were insurmountable.
The organisations making real headway are not necessarily the ones with the biggest budgets or the most technical expertise. More often, they are the ones who stopped treating compliance as a layer on top of how people work and started designing it into the flow of daily work itself.
That shift in thinking is harder than it sounds. But it's the right one.
And it matters now because AI does not wait for your governance to catch up. Once it is running across your data estate, it moves fast: surfacing, synthesising, acting. If the foundations are not there, you will feel it quickly. If they are, that is when AI actually starts delivering on its promise.
