Tirion M365 Company Brain Architecture

M365 Company Brain Architecture

An architecture model for organizations that want to use Microsoft 365 knowledge without ignoring permissions, stale sources or unsupported answers.

Framework overview

An M365 Company Brain is not just a chatbot over SharePoint. It needs curated sources, permission hygiene, sensitivity, metadata, secure retrieval, source-backed answers, refusal behavior, evaluation and operations.

Architecture model

The Secure Knowledge Architecture

The framework starts with sources rather than the model: who owns them, who may read them, how fresh they are, which answer may be created and when the system must refuse.

01 Source Governance

Sources are limited, assigned to owners and enriched with validity, sensitivity and system-of-record metadata.

02 Permission-aware Retrieval

Answers respect permissions at query time or in the index and stay source-backed.

03 Operational Feedback

Freshness, wrong answers, access reviews, retention and incidents are treated as operations processes.

Scorecard logic

Each dimension is scored from 0 to 3. A Company Brain is reliable only when sources, rights, metadata, answer behavior and operations are clarified together.

30 to 36 points

Company Brain production-ready for the defined scope.

23 to 29 points

Pilot-ready with limited sources.

16 to 22 points

Preparation phase: curate permissions and sources.

0 to 15 points

Do not index. Repair governance first.

Readiness dimensions (each scored 0-3)

  • Source Ownership: Does every knowledge source have a business owner?
  • Permission Hygiene: Are SharePoint, Teams and Drive permissions cleaned up and group-based?
  • Sensitivity: Are confidential, personal and regulated contents marked?
  • Ingest Scope: Is it clear which sources enter phase 1 and which do not?
  • Metadata Quality: Are URL, owner, date, system of record and validity stored?
  • Freshness: Are freshness rules and stale-source handling defined?
  • Retrieval Security: Are permissions respected at query time or in the index?
  • Source-backed Answers: Are sources, citations and uncertainty visible in the answer?
  • Refusal Behavior: Does the system refuse when sources are missing or contradictory?
  • Evaluation: Are test questions, gold answers, negative tests and review available?
  • Feedback Loop: Can users report wrong, stale or missing answers?
  • Operations: Are monitoring, audit, incident, retention and deletion processes defined?

Hard stop criteria

  • SharePoint or Teams permissions are unclear at broad scale.
  • Answers can appear without sources.
  • No deletion or retention logic.
  • External actions are coupled with knowledge access without a permission model.
  • No process for confidential, personal or regulated data.

Short checklist

  • Phase-1 sources deliberately limited.
  • Owner, URL, date, sensitivity and system of record captured for each source.
  • Permissions, guests and shared links checked.
  • Source requirement and not_enough_sources behavior defined.
  • Prompt injection and RAG poisoning tested.
  • Feedback, freshness report, access review and incident process available.

Where to use this framework

Prepare a Company Brain pilot

Cut the first source scope so rights and quality remain testable.

Make M365 knowledge usable for operations

Connect SharePoint, Teams and Drive with owners, metadata and source-backed answers.

Define safe answer boundaries

Specify when the system answers, answers with uncertainty or refuses.

Executive FAQ

Author: Tirion
Reviewed by: Tirion M365 Company Brain Architecture

Why is SharePoint search not enough?

A Company Brain creates, summarizes and prioritizes answers. That requires source-backed answers, permission handling and refusal behavior.

Which sources should be indexed first?

Only limited phase-1 sources with an owner, clear validity, cleaned permissions and known use case.

What does not_enough_sources mean?

The system refuses or marks uncertainty when source coverage is not sufficient or contradictory.
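The retrieval behavior described under 02 Permission-aware Retrieval, Freshness, Retrieval Security and Refusal Behavior, and the not_enough_sources answer above, as an added worked example (not code from Tirion or from Microsoft 365). The corpus, users, URLs, owners and policy statements are constructed; the freshness limit, relevance floor and contradiction check are assumptions of this example. A real deployment would trim permissions from the caller's token or an ACL-aware index rather than from an in-memory list.

```python
"""Permission-aware retrieval with source-backed answers and refusal.

Added example, not Tirion's or Microsoft's code. Everything below is
constructed: the corpus, the groups, the users and the policy statements.
"""
from dataclasses import dataclass
from datetime import date

MAX_AGE_DAYS = 365   # assumed freshness rule: older sources are treated as stale
MIN_OVERLAP = 2      # assumed relevance floor: fewer shared terms is not a source
TOP_K = 3
TODAY = date(2024, 6, 1)   # fixed "now" so the example is reproducible


@dataclass(frozen=True)
class Source:
    url: str
    owner: str
    updated: date
    system_of_record: bool
    sensitivity: str         # "internal" | "confidential"
    read_groups: frozenset   # group-based access, never per-user grants
    topic: str               # what the document asserts about
    statement: str           # the asserted fact (constructed)
    text: str


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def src(url, owner, y, m, d, sor, sens, groups, topic, statement, text):
    return Source(url, owner, date(y, m, d), sor, sens, frozenset(groups),
                  topic, statement, text)


# Constructed corpus with hypothetical URLs and owners.
CORPUS = [
    src("https://contoso.example/sites/finance/expense-policy-2024", "finance-lead",
        2024, 3, 1, True, "internal", ["all-staff"],
        "expense-limit", "75 EUR", "Expense limit per meal is 75 EUR"),
    src("https://contoso.example/sites/finance/expense-policy-2021", "finance-lead",
        2021, 1, 10, False, "internal", ["all-staff"],
        "expense-limit", "50 EUR", "Expense limit per meal is 50 EUR"),   # stale
    src("https://contoso.example/sites/hr/salary-bands", "hr-lead",
        2024, 5, 2, True, "confidential", ["hr"],
        "salary-band-5", "band E", "Salary band for grade 5 is band E"),
    src("https://contoso.example/sites/hr/remote-work-policy", "hr-lead",
        2024, 4, 15, True, "internal", ["all-staff"],
        "remote-work", "3 days per week", "Remote work is allowed 3 days per week"),
    src("https://contoso.example/teams/sales/remote-work-faq", "sales-lead",
        2024, 5, 20, False, "internal", ["all-staff"],
        "remote-work", "2 days per week", "Remote work is allowed 2 days per week"),
]

STAFF = User("alice", frozenset({"all-staff"}))
HR_USER = User("carol", frozenset({"all-staff", "hr"}))
GUEST = User("bob", frozenset({"guests"}))


def visible_sources(user, corpus):
    """Permission trimming at query time: unreadable documents are never ranked."""
    return [s for s in corpus if s.read_groups & user.groups]


def fresh_sources(sources, today, max_age_days=MAX_AGE_DAYS):
    """Freshness rule: drop sources older than the allowed age."""
    return [s for s in sources if (today - s.updated).days <= max_age_days]


def retrieve(query, user, corpus, today, k=TOP_K):
    """Rank only fresh, readable sources by term overlap with the query."""
    terms = set(query.lower().split())
    scored = []
    for s in fresh_sources(visible_sources(user, corpus), today):
        overlap = len(terms & set(s.text.lower().split()))
        if overlap >= MIN_OVERLAP:
            scored.append((overlap, s))
    scored.sort(key=lambda pair: (-pair[0], pair[1].url))
    return [s for _, s in scored[:k]]


def cite(s):
    """Citation metadata the user sees next to the answer."""
    return {"url": s.url, "owner": s.owner, "updated": s.updated.isoformat(),
            "system_of_record": s.system_of_record}


def answer(query, user, corpus=CORPUS, today=TODAY):
    """Source-backed answer, or a refusal when coverage is missing or contradictory."""
    hits = retrieve(query, user, corpus, today)
    if not hits:
        # Same response whether nothing exists or nothing is readable, so the
        # refusal does not confirm the existence of a document the user may not see.
        return {"status": "not_enough_sources", "citations": []}
    citations = [cite(s) for s in hits]
    by_topic = {}
    for s in hits:
        by_topic.setdefault(s.topic, set()).add(s.statement)
    if any(len(stmts) > 1 for stmts in by_topic.values()):
        return {"status": "contradictory_sources", "citations": citations}
    best = hits[0]
    return {"status": "answered", "answer": best.statement,
            "uncertainty": "low" if best.system_of_record else "medium",
            "citations": citations}


if __name__ == "__main__":
    for user, q in [(STAFF, "expense limit per meal"), (GUEST, "expense limit per meal"),
                    (STAFF, "salary band for grade 5"), (HR_USER, "salary band for grade 5"),
                    (STAFF, "remote work days per week")]:
        print(user.name, "|", q, "->", answer(q, user))
```

The stale 2021 expense policy is dropped by the freshness rule before ranking, so it cannot contradict the current one; the two fresh remote-work documents disagree and the system refuses with both citations instead of picking one. Trimming by group membership happens before ranking, and a missing source and an unreadable source produce the same not_enough_sources status.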

Start now

Need this translated into a real decision?

Use the score to identify the strongest AI, cloud or governance leakage before choosing a next step.