The Gatepost
Governance Platform

Five integrated modules that enforce, log, and prove AI data governance across your entire Microsoft 365 environment.

01 · Permission Intelligence

Know what your agents can reach before they do.

Gatepost continuously maps every SharePoint, OneDrive, and Teams resource against Microsoft Purview sensitivity labels. It surfaces all service accounts, managed identities, and Entra service principals that have access to sensitive content — before an AI agent inherits that access.

Capabilities

  • Full permission graph across SharePoint Online, OneDrive for Business, and Teams
  • Sensitivity label coverage analysis — unlabeled content flagged as risk
  • Service account and managed identity enumeration
  • Overprivilege scoring against least-privilege AI access baselines
  • Drift detection: alert when new service accounts gain sensitive-data access

The Seven-Step Retrieval Gateway

Every query passes through a deterministic enforcement chain. No retrieval escapes the sequence.

RAG query received
  1. Identity Resolution: resolve the agent's Entra service principal
  2. Policy Lookup: fetch the active policy version for the agent
  3. Request Validation: validate query format and scope
  4. Classification Check: evaluate chunk sensitivity labels
  5. Ceiling Enforcement: block chunks above the agent's ceiling
  6. Audit Log Write: write a tamper-evident retrieval record
  7. Response Release: return compliant chunks to the agent
compliant response released
gatepost · retrieval-audit.log

2026-06-21T09:14:03.221Z retrieval-gateway INFO
agent_id: svc-copilot-finance@contoso.onmicrosoft.com
query: "Q3 board pack sensitivity analysis"
[01] identity_resolution   PASS
[02] policy_lookup         PASS
[03] request_validation    PASS
[04] classification_check  PASS
[05] ceiling_enforcement   BLOCK
[06] audit_log_write       PASS
[07] response_release      PASS
decision: PARTIAL_ALLOW · 11/14 chunks · 3 blocked · 28ms
policy_version: v2.4.1 · log_ref: #82941
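As an added example (not Gatepost's own code), the ceiling-enforcement and audit-write steps behind a PARTIAL_ALLOW record like the one above, run on a constructed batch of 14 chunks. It assumes a tenant-defined ordering of sensitivity labels, a single ceiling label per agent, that unlabeled chunks fail closed, and a SHA-256 hash chain as the tamper-evidence mechanism (the page does not specify its scheme).

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed label ordering; real Purview label names and priorities are tenant-defined.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}


@dataclass
class Chunk:
    chunk_id: str
    label: Optional[str]  # None models unlabeled content, which the page flags as risk


@dataclass
class AuditLog:
    """Hash-chained records: each entry commits to the previous entry's hash (assumed scheme)."""
    prev_hash: str = "0" * 64
    records: list = field(default_factory=list)

    def write(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True)
        h = hashlib.sha256((self.prev_hash + body).encode()).hexdigest()
        self.records.append({"hash": h, "prev": self.prev_hash, **record})
        self.prev_hash = h
        return h

    def verify(self) -> bool:
        """Recompute the chain; any edited field or reordered record breaks it."""
        prev = "0" * 64
        for r in self.records:
            body = json.dumps({k: v for k, v in r.items() if k not in ("hash", "prev")}, sort_keys=True)
            if r["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != r["hash"]:
                return False
            prev = r["hash"]
        return True


def enforce_ceiling(agent_id: str, ceiling: str, chunks: list, log: AuditLog) -> tuple:
    """Steps 5 and 6: keep chunks at or below the agent's ceiling, then write the record.
    Unlabeled chunks are blocked because they cannot be placed under any ceiling."""
    limit = LABEL_RANK[ceiling]
    allowed = [c for c in chunks if c.label in LABEL_RANK and LABEL_RANK[c.label] <= limit]
    blocked = len(chunks) - len(allowed)
    decision = "ALLOW" if blocked == 0 else ("DENY" if not allowed else "PARTIAL_ALLOW")
    log.write({"agent_id": agent_id, "ceiling": ceiling, "decision": decision,
               "allowed": [c.chunk_id for c in allowed], "blocked": blocked})
    return decision, allowed


# Constructed retrieval batch: 14 chunks, 2 above a "Confidential" ceiling plus 1 unlabeled.
SAMPLE = ([Chunk(f"c{i}", "General") for i in range(8)]
          + [Chunk(f"c{i}", "Confidential") for i in range(8, 11)]
          + [Chunk("c11", "Highly Confidential"), Chunk("c12", "Highly Confidential"), Chunk("c13", None)])
```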

Deployed inside your Azure tenant

Gatepost is not a SaaS intermediary. It deploys as Azure resources entirely within your subscription. No data transits Gatepost infrastructure.

  • Gatepost control plane runs in your Azure subscription
  • Audit logs written to your Log Analytics workspace
  • Keys managed in your Azure Key Vault — not ours
  • Identity enforcement via your Entra ID tenant
  • No outbound data paths to Gatepost infrastructure
[Architecture diagram: your Azure tenant contains Entra ID (identity & auth), Microsoft 365 (SharePoint · Teams), Log Analytics (audit trail), AI agents (Copilot · custom), Key Vault (secrets · keys), and the Gatepost Retrieval Gateway (policy · enforce · log). Zero data egress outside the tenant boundary.]