Catalight Foundation
Eighteen departments migrated onto a governed M365 environment with content lifecycle management designed for sensitive health data.
Read the Catalight Foundation story Microsoft 365 Optimization · Healthcare
Healthcare professional society · National scope
A secure route to AI readiness. Built on a cleaner Microsoft 365 estate.
A Purview-piloted, Teams-standardized foundation ready for Copilot.
The situation
The situation we walked into.
The American College of Radiology had been on Microsoft 365 since the Covid shift to remote work, but the way the environment had been adopted under pressure was now a liability. Personal OneDrive storage had become the default for collaborative content. Network drives still held much of what staff produced day-to-day. The Information Risk Management group could see the path to Copilot but not how to get the data layer ready for it. The question driving the engagement was specific: what does ACR need to do, in what order, so that document retention, collaboration, and AI tooling all work together without compromising the information risk posture.
What we did
What we did.
We started with a structured discovery to map the current state. We catalogued where collaborative content actually lived, where governance was thin, and where the gap between policy and practice was widest. Personal OneDrive usage and legacy network drives surfaced quickly as the two most consequential issues. Both were obstacles to a defensible AI rollout.
We made the case for going back to basics with the Microsoft 365 estate before adding new tooling. The technology haircut, named explicitly in the recommendations. We reviewed and culled unused SharePoint sites. We moved collaboration off OneDrive and into Teams and SharePoint where it belonged. We reduced the number and complexity of existing teams and channels and introduced naming conventions that made the environment legible to anyone navigating it for the first time. We wrote guidelines for consistent file storage, labeling, and organization that the IRM and IT teams could enforce.
For the legacy file shares, we proposed a structured migration. Pilot departments selected for immediate Purview retention needs. Migration support staff with the right administrative access. An appropriate migration tool and process. Pre-migration consultations, post-migration training, and follow-up to address the friction that inevitably surfaces. We wanted minimal disruption and durable habits, which meant the migration could not just be a technical lift.
The Purview pilot was the centerpiece. We piloted information protection and data loss prevention tools, including sensitivity labels and auto-detection of sensitive information types, with end users in selected departments. We wanted to know whether the tools would land in real workflows before we recommended an org-wide deployment. They did. Pilot users found the prompts useful for raising awareness of how they were handling sensitive information.
Alongside the rollout we outlined optimal settings for SharePoint, OneDrive, and Teams: permissions structures, dynamic membership, policies for site creation and external sharing, guidelines for team and channel creation that prevent sprawl. The implementation plan is the bridge from pilot to org-wide.
What changed
What changed.
ACR now has a streamlined Microsoft 365 environment ready to support advanced tooling, including Microsoft Purview and Microsoft 365 Copilot. The pilot departments transitioned successfully to the new content management practices and are the template for the broader rollout. The ACR compliance and IT teams have the documented implementation plan they need to extend the work across the organization without us. The information risk posture is materially stronger than it was at the start of the engagement, and the staff using the pilot environment are reporting the tools as useful, not punitive.
The human moment
Ideal State’s approach to optimizing Teams and SharePoint, combined with their guidance on aligning Purview capabilities to our policies and user needs, is positioning us to take full advantage of AI-driven tools in the near future.Dan Reardon, Chief Compliance Officer, American College of Radiology
What sticks
What sticks.
The implementation plan we left behind is the document the ACR compliance and IT teams are working from now. The pilot departments are the proof-of-concept that the broader rollout is patterned after. The naming conventions, the Teams and SharePoint configurations, the Purview sensitivity labels, and the file storage guidelines are all documented and owned internally. ACR’s compliance team has the rhythm and the language to make governance decisions on its own as new content classes and new tools enter the environment. The work compounds because the ACR team can extend it.
Lessons we carried forward
Lessons we carried forward.
The ACR engagement clarified how we sequence Purview rollouts in regulated environments. The instinct of most organizations is to deploy sensitivity labels and data loss prevention policies broadly and fast. The instinct gets the technical change in place quickly and the cultural change wrong. We now pilot every Purview deployment with the user group that will produce the most signal first, then refine the labels and the notifications before expanding. The ACR Information Risk Management team helped us see how much that initial pilot shapes the durability of the rollout that follows.
Connect with us
Need a defensible route to Copilot?
ACR started with a discovery call about information risk and ended with a Purview pilot and a cleaner Microsoft 365 estate. A 30-minute conversation with one of our co-founders is a useful place to start if you are working through the same set of questions. No deck. No consultant-speak. No pressure.
Or take the free AI Readiness Assessment first.