Peabody Energy

M365 Governance & AI Readiness Committee

Implementation Guide for Co-Chairs · DeBois Hill & Jennifer Doak
E-Newbold Technologies, Inc. Alan Newbold | developer@e-newbold.com
For Co-Chairs · Committee Activation Guide

Build the Committee. Govern the Content. Earn AI Readiness.

This guide walks DeBois Hill and Jennifer Doak through standing up the M365 Governance & AI Readiness Committee at Peabody Energy. Four digital pillars — Microsoft Teams, Microsoft Fabric, Microsoft Planner, and Teams meeting transcripts — give the committee a connected operating environment with no new headcount and no external consultant dependency.

Alan Newbold | AI Engineering Architect | E-Newbold Technologies, Inc. | alan.newbold@e-newbold.com

4
Pillars
Teams · Fabric · Planner · Transcripts & GSRC continuity
7
Business Steward Areas
Seaborne Met · PRB / U.S. Thermal · Commercial · HSE · Finance · Legal · Logistics
3
Planner Plans
Committee Ops · Audit & Remediation · GSRC Risk & Mitigation
90
Days to Sprint 1
Launch → Baseline Audit → First Critical Remediation

The Five Risks the Committee Closes

Risk 1

AI Oversharing

Copilot surfaces content based on existing permissions. Legacy or accidental access becomes AI-visible access overnight.

Risk 2

Regulatory & Litigation

MSHA, OSMRE, ASIC, SEC — safety, environmental, contract, and disclosure records require retention, classification, and discoverability.

Risk 3

Commercial Confidentiality

Coal supply agreements, pricing models, and quality specs spread across Teams and OneDrive without sensitivity labels.

Risk 4

Operational Decision Risk

Mine plans, production reports, logistics disruption logs in inconsistent locations — wrong-version-of-truth risk for ops.

Risk 5

Executive Visibility

Leadership cannot govern what it cannot inventory, classify, or measure. The committee delivers the evidence base.

Outcome

AI Readiness Gate

BUs that close governance gaps go first for Microsoft 365 Copilot. Governance becomes the path to AI access.

Leadership Ownership Answer

When DeBois and Jennifer present to IT and Executive leadership, this table directly answers the question leadership always asks: "Who owns this and who is accountable?"

Role Responsibility
IT (DeBois + Jennifer) Platform administration, audit execution, Power BI reporting, technical remediation
Business Stewards (7 BU nominees) Content decisions — classification, access approval, archival — within their functional domain
Committee Coordination, risk escalation, scorecard publishing, AI readiness gate management
IT Leadership / CIO Risk dashboard review, investment decisions, remediation priority approval
No new headcount. No external consultant dependency. Starts with the people already in the building who understand the problem.
Section 1

Committee Structure & Charter

Cross-functional accountability body with IT coordination and business steward ownership. Two-tier membership; clear authority model; predictable cadence.

1.1 Charter Elements

Element Recommendation
Name M365 Governance & AI Readiness Committee
Co-Chairs DeBois Hill + Jennifer Doak
Scope SharePoint, Teams, OneDrive, Microsoft Purview, Microsoft 365 Copilot readiness
Meeting Cadence Monthly steering (Tier 1) + quarterly business steward reviews (Tier 1+2)
Authority Recommendations to IT leadership; escalation path to CIO
Reporting Risk dashboard delivered to IT leadership and business leads monthly

1.2 Two-Tier Membership Model

Tier 1 — Core Committee (IT-Led)

  • DeBois Hill — Co-Chair
  • Jennifer Doak — Co-Chair
  • SharePoint / M365 platform admin
  • Microsoft Purview / compliance admin
  • Security / IAM representative

Tier 2 — Business Steward Network

One BU-nominated non-IT steward per area. Accountable for content decisions in their domain — not for IT execution.

Steward Areas — Why Critical

Business Area Steward Role Primary Risk
Seaborne Metallurgical Operations representative Centurion content, mine plans, quality specs — MNPI
PRB / Other U.S. Thermal Operations representative Utility contracts, production reports — contract confidentiality
Commercial & Marketing Contract / pricing owner Highest MNPI & Oversharing Risk
HSE Safety records lead MSHA retention, permit metadata, incident records
Finance & IR Finance records owner Earnings, board materials, MNPI, eDiscovery, legal hold
Legal & Compliance Legal records owner M&A artifacts, litigation holds, contracts, privilege
Logistics Logistics coordinator Vessel charters, rail nominations, disruption logs

1.3 Authority Model

Authority Level Body Responsibility
Platform & Tooling IT (Co-Chairs) Audit execution, Power BI reporting, SharePoint/Purview admin
Content Ownership Business Stewards Classification decisions, access approvals, archival sign-off
Risk Escalation Committee → IT Leadership → CIO Unresolved Critical/High findings beyond steward authority
Investment Decision IT Leadership / CIO Licensing, tool procurement, headcount, remediation capacity

1.4 Motivational Initiative — Three-Angle Framing

Used consistently when DeBois and Jennifer engage business leaders and stewards. Reframes governance from compliance burden to competitive advantage.

"Peabody is moving toward Microsoft 365 Copilot and AI-assisted workflows. The mines and functions that have clean, classified, well-governed content will be first in line for AI tools. Governance is your path to AI access."

Effect: Reframes governance from compliance burden to competitive advantage for each business unit. BUs compete to pass the AI Readiness Gate.

"We are going to run a baseline audit. Every business unit will see their own risk score — overshared files, missing labels, unlabeled contracts, shadow OneDrive content. The goal is not to penalize anyone. The goal is to fix it together."

Effect: Creates urgency without blame. DeBois and Jennifer own the audit, not a vendor or external auditor. Findings are evidence, not accusations.

"Business stewards are not being asked to become IT admins. They are being asked to own the content in their domain — know what exists, approve who has access, and flag when something should be archived or classified."

Effect: Reasonable ask for a mine operations lead, commercial manager, or safety coordinator. IT executes; stewards decide.

1.5 Meeting Cadence

Cadence Audience Purpose Teams Channel
Monthly Core Committee (Tier 1) Audit status, risk dashboard review, escalation triage Committee Operations
Quarterly Full committee (Tier 1 + Tier 2) BU scorecard review, remediation progress, next-cycle priorities Risk Dashboard & Scorecard
Bi-weekly (Phases 1–2) Audit working group Module/pass execution check-in Audit Execution
Ad hoc CIO / IT Leadership Escalation for critical findings or investment decisions Leadership Briefing
Pillar 1 · Section 2

Microsoft Teams Channel Setup

The committee hub. Private team with channel architecture for core operations, BU steward conversations, GSRC review, and leadership briefings.

2.1 Team Configuration

Element Value
Team Name M365 Governance & AI Readiness Committee
Team Type Private (IT + nominated members only)
Description Cross-BU committee driving M365 content governance and Copilot AI readiness across Peabody Energy
Owners DeBois Hill + Jennifer Doak
Members Tier 1 Core Committee + Tier 2 Business Stewards (7 BU nominees)
Guests None — internal only; no external collaboration on this team
Sensitivity Label Confidential — Internal Use
Channel Creation Restricted to Owners (prevents channel sprawl)

2.2 Channel Architecture

📂M365 Governance & AI Readiness Committee (Private Team) ├── 📢General All members · announcements only ├── 📋Committee Operations Tier 1 · monthly steering ├── 🔍Audit Execution Tier 1 · audit run logs ├── 📊Risk Dashboard & Scorecard All members · Power BI tabs ├── 🛠️Remediation Tracking All members · sprint progress ├── 🔒GSRC Review Tier 1 + escalations · transcripts ├── 🤖AI Readiness Gate All members · gate status per BU ├── 🏢Leadership Briefing Co-Chairs + IT Leadership └── 🔐BU STEWARD CHANNELS (Private per BU) ├── 🏭BU — Seaborne Metallurgical ├── BU — PRB & U.S. Thermal ├── 💼BU — Commercial & Marketing ├── 🦺BU — HSE ├── 💰BU — Finance & IR ├── ⚖️BU — Legal & Compliance └── 🚂BU — Logistics
Channel Purpose Pinned Tabs Post Permission
General Charter, membership roster, initiative announcements Charter (SP page), Member Directory Co-Chairs only
Committee Operations Monthly steering meeting notes, agendas, decisions log Planner (Plan 1), OneNote (Meeting Notes) Core Committee
Audit Execution Module 1–4 status, Pass 1–3 run logs, script issues Planner (Plan 2), Fabric workspace link Core Committee
Risk Dashboard & Scorecard Power BI scorecard publish, BU trends Power BI Page 1, Power BI Page 7 Co-Chairs publish
Remediation Tracking Sprint 1/2/3 progress, steward acknowledgements Planner (Plan 2 — Sprints), Power BI Page 6 All members
GSRC Review GSRC risk log, transcript analysis, mitigation plans OneNote GSRC Register, Planner (Plan 3) Core Committee
AI Readiness Gate Gate 1–4 status per BU, Copilot readiness milestones Power BI Page 7 Co-Chairs post status
Leadership Briefing CIO/IT Leadership decks, exec scorecard, ownership narrative SharePoint leadership deck library Co-Chairs only
BU Private Channels BU-specific findings, steward conversation, remediation decisions Planner (BU tasks), filtered scorecard BU Steward + Core Committee
App Where Pinned Purpose
Planner Committee Operations, Audit Execution, Remediation Tracking, GSRC Review Task boards per workstream
Power BI Risk Dashboard & Scorecard, AI Readiness Gate, Remediation Tracking Live report embedding
OneNote Committee Operations, GSRC Review Meeting notes, GSRC risk register notebook
SharePoint General, Leadership Briefing Committee document library
Microsoft Loop Remediation Tracking Collaborative task lists within channel posts
Approvals GSRC Review Steward sign-off on remediation actions

Governance Policy for the Committee Team

  • Channel creation: Restricted to team Owners (DeBois + Jennifer) — prevents channel sprawl
  • Guest access: Disabled at the team level — no external collaboration
  • Sensitivity label: "Confidential — Internal" applied to team and all SharePoint storage
  • Retention label: "Governance Committee Records — 7 Year Retain" via Purview auto-labeling
  • Recording & transcription: Always ON for all channel meetings
  • External sharing: Disabled on the backing SharePoint site
  • BU private channels: Visible only to BU Steward + Core Committee — protects per-BU findings
  • Membership review: Quarterly Entra ID access review on the team's membership group
Pillar 2 · Section 3

Microsoft Fabric Workspace

The audit and reporting engine. Lakehouse-backed Dataflows execute the four audit modules and three passes; semantic model drives seven Power BI report pages embedded into Teams.

3.1 Workspace Configuration

Element Specification
Workspace Name Peabody Energy — M365 Governance Audit
Workspace Type Premium Per User (PPU) or Fabric Capacity F-SKU
Admin DeBois Hill, Jennifer Doak
Contributor SharePoint / M365 platform admin
Viewer Core Committee members
Sensitivity Label Confidential — Internal Use
Auth Model Azure AD App Registration · certificate credential · app-only · read-only scopes

3.2 Workspace Items

🟦PEABODY ENERGY — M365 GOVERNANCE AUDIT (Fabric Workspace) ├── 📦LAKEHOUSE: GovernanceAuditLakehouse │ ├── /raw/ API response JSON (SP REST + Graph) │ ├── /silver/ cleaned, typed, deduplicated │ └── /gold/ star schema fact/dim tables ├── 🔄DATAFLOWS GEN2 (8) │ ├── DF_Module1_SiteDiscovery │ ├── DF_Module2_LibraryProfiler │ ├── DF_Module3_UserPermissions │ ├── DF_Module4_ClassificationGaps │ ├── DF_Pass1_LibrarySurface │ ├── DF_Pass2_BrokenInheritance │ ├── DF_Pass3_SharingLinkResolution │ └── DF_OneDriveShadowContent ├── 📓NOTEBOOKS (optional, large tenants) │ ├── NB_AuditOrchestrator.ipynb │ ├── NB_RiskScoring.ipynb │ └── NB_ScorecardSnapshot.ipynb ├── 📊SEMANTIC MODEL: GovernanceAudit_SemanticModel │ ├── 5 Fact Tables │ ├── 7 Dim Tables │ └── DAX: Risk Scores, Gate Status, Trend, Steward Ack └── 📄POWER BI REPORTS (7 pages) ├── Page 1 — Executive Governance Summary ├── Page 2 — Site Health Matrix ├── Page 3 — External & Anonymous Sharing ├── Page 4 — OneDrive Shadow Content ├── Page 5 — Broken Inheritance Drill ├── Page 6 — Remediation Tracker └── Page 7 — AI Readiness Gate Dashboard (NEW)
Dataflow Source Output Fact/Dim
DF_Module1_SiteDiscovery SharePoint REST /_api/site, /_api/web FactSiteInventory · DimSite
DF_Module2_LibraryProfiler SharePoint REST /_api/web/lists FactLibraryClassification
DF_Module3_UserPermissions SharePoint REST /_api/web/roleassignments + Entra ID FactItemPermissions · DimUser
DF_Module4_ClassificationGaps Purview labels + joins from Modules 1–3 FactLibraryClassification (gap fields)
DF_Pass1_LibrarySurface Item-level REST scan (priority libraries) FactItemPermissions (item rows)
DF_Pass2_BrokenInheritance Items where HasUniqueRoleAssignments=true FactItemPermissions (broken flag)
DF_Pass3_SharingLinkResolution Graph /drives/{id}/items/{id}/permissions FactExternalShares
DF_OneDriveShadowContent Graph /users/{id}/drive · priority roles first FactOneDriveShadowContent
Execution order: Modules 1 → 2 → 3 → 4, then Passes 1 → 2 → 3, then OneDrive scan. Orchestrate via Fabric Data Pipeline (preferred) or NB_AuditOrchestrator.ipynb.

Fact Tables (5)

Fact Table Grain Source Dataflow
FactSiteInventory One row per site collection DF_Module1
FactLibraryClassification One row per library DF_Module2 + DF_Module4
FactItemPermissions One row per item with unique ACL DF_Module3 + DF_Pass2
FactExternalShares One row per sharing link DF_Pass3
FactOneDriveShadowContent One row per OneDrive file scanned DF_OneDriveShadowContent

Dimension Tables (7)

Dim Table Purpose
DimSite Site metadata, hub association, owner count
DimUser Entra ID user attributes, guest flag, BU mapping
DimBusinessUnit 7 BU steward areas + Corporate
DimMine 12+ Peabody operations (NARM, Centurion, Wilpinjong, etc.)
DimSensitivityLabel Purview label catalog (Public → MNPI Restricted)
DimRiskTier Critical / High / Medium / Low
DimDate Standard date dim for trend analysis

Page 7 — AI Readiness Gate Dashboard NEW

New report page added to support the committee's AI Readiness Gate methodology. Embedded into Teams "AI Readiness Gate" channel as the primary tab.

Visual Purpose
Gate Status Matrix (BU × Gate) 4 gates × 7 BUs · Pass / Progress / Not Started / Blocked pills
Gate % Complete by BU Stacked bar — % of items meeting each gate criteria per BU
Blockers List Top blockers preventing gate advancement (Steward decision pending, IT action pending, license gap)
Trend — Gate Advancement Over Time Monthly line chart of BUs passed per gate
"First in Line for Copilot" leaderboard Ranked BU list — gamified motivational visual

Teams Integration Points

Teams Channel Embedded Power BI Method
Audit Execution Fabric workspace link (full) Website tab
Risk Dashboard & Scorecard Page 1 (Exec Summary), Page 7 (AI Gate) Power BI tab
Remediation Tracking Page 6 (Remediation Tracker) Power BI tab
AI Readiness Gate Page 7 (AI Gate Dashboard) Power BI tab
BU Private Channels Page 2 filtered (RLS by BU) Power BI tab + RLS role
RLS: Page 2 (Site Health Matrix) uses Power BI Row-Level Security so each BU steward sees only their BU when accessing the report from their private channel.
Pillar 3 · Section 4

Microsoft Planner — 3 Plans

Three Planner plans, each pinned in its primary Teams channel. Buckets organize work; tasks track ownership and due dates; labels surface risk tier and action type.

4.1 Plans Overview

Plan 1 — Committee Operations

Charter, membership, meeting prep, decisions log, stakeholder engagement

Plan 2 — Audit & Remediation

Module/Pass execution buckets + Remediation Sprints 1/2/3 + AI Gate validation

Plan 3 — GSRC Risk & Mitigation

Living risk register: active, in-progress, mitigated, escalated, closed, watchlist

4.2 Plan Details

Buckets

Bucket Purpose Primary Owner
Charter & Governance Charter finalization, steward nomination, membership Both Co-Chairs
Meeting Preparation Agenda, pre-read, scorecard distribution Co-Chairs (alternating)
Decisions & Actions Log Post-meeting action capture, decision ratification Committee Secretary
Stakeholder Engagement Leadership briefing prep, CIO deck Co-Chairs
Continuous Improvement Retrospectives, process changes, cadence adjustments Co-Chairs

Sample Tasks — Charter & Governance Bucket

Task Assigned Due Labels
Draft Governance Committee Charter v1.0 DeBois Hill Day 10 High Priority
Circulate Charter for Tier 1 review Jennifer Doak Day 15 Charter
Ratify Charter in first committee meeting Both Co-Chairs Day 20 Meeting
Send steward nomination request to 7 BU leads Jennifer Doak Day 14 High Priority
Confirm all 7 steward nominations received DeBois Hill Day 28 Membership
Onboard confirmed stewards to Teams team M365 Admin Day 30 IT Action

Buckets — Audit + Remediation Sprints

Bucket Sprint Phase Owner
Module 1 — Site Discovery Days 1–30 DeBois Hill
Module 2 — Library Profiler Days 31–60 IT Admin
Module 3 — User & Permission Auditor Days 31–60 DeBois Hill
Module 4 — Classification Gap Reporter Days 45–60 Jennifer Doak
Pass 1 — Library Surface Scan Days 31–45 IT Admin
Pass 2 — Broken Inheritance Scan Days 45–60 IT Admin
Pass 3 — Sharing Link Resolution Days 50–60 DeBois Hill
OneDrive Shadow Content Scan Days 55–65 IT Admin
Remediation Sprint 1 — CRITICAL Days 61–90 Stewards (decide) + IT (execute)
Remediation Sprint 2 — HIGH Days 91–150 Stewards + IT
Remediation Sprint 3 — MEDIUM Days 151–240 Stewards + IT
AI Readiness Gate Validation Rolling Jennifer Doak

Sample Tasks — Sprint 1 (CRITICAL)

Task Assigned Due Labels
Remove anonymous sharing links — Commercial pricing library M365 Admin Day 70 Critical IT Action
Apply MNPI sensitivity label to Finance board materials Finance Steward → M365 Admin Day 75 Critical Steward Decision
Assign 2nd site owner — Commercial Hub (currently 0) DeBois Hill Day 65 Critical IT Action
Revoke zombie sharing grants — Legal M&A folder (8 found) M365 Admin Day 68 Critical IT Action
Acknowledge HSE findings — steward sign-off HSE Steward Day 72 High Steward Decision

Buckets — Living GSRC Risk Register

Bucket Purpose
Active GSRC Risks Open risks from audit findings or meeting transcripts; not yet mitigated
Mitigation In Progress Risks with assigned mitigation task and owner
Mitigated — Pending Validation Remediation complete; awaiting re-scan confirmation
Closed Risks Validated mitigated; retained for audit trail
Escalated to Leadership Risks exceeding committee authority; CIO/IT leadership decision
Watch List Low-probability, high-impact risks to monitor across cycles

GSRC Categories — Tagging Taxonomy

Code Category Peabody Examples
G Governance Orphaned sites, no owners, missing CTs, scorecard gaps
S Security Anonymous sharing, zombie grants, broken inheritance, guest sprawl
R Risk AI oversharing, MNPI exposure, operational decision gaps
C Compliance Missing retention/sensitivity labels, eDiscovery gaps, legal hold

Plan 2 Label Color Taxonomy

Label Meaning
🔴 Critical Critical risk tier · immediate action
🟠 High High risk tier · 30-day remediation SLA
🟡 Medium Medium risk tier · 90-day remediation SLA
🟢 Completed Verified remediated or gate passed
🔵 IT Action Technical execution required by IT
🟣 Steward Decision Requires business steward approval or decision

GSRC Risk Card Template

Every GSRC risk in Plan 3 follows this card structure. Use as a copy-paste template when creating new Planner tasks.

GSRC-007 — Anonymous Sharing Link on Centurion HCC Quality Specs

Risk CategoryAI Oversharing + Commercial Confidentiality Risk TierCritical GSRC CodeS R Discovery SourcePass 3 — Sharing Link Resolution scan, 2026-05-15 Affected Assetsites/CenturionMet/Shared Documents/QualitySpecs/HCC_2026.xlsx ExposureAnonymous link created 2024-11-12 · no expiry · externally accessible Business ImpactCompetitor access to quality differentiation specs + AI oversharing to internal users without commercial need-to-know Steward (decide)Seaborne Met steward — by Day 65 IT Owner (execute)DeBois Hill — revoke link on steward approval Mitigation Plan1. Revoke anonymous link · 2. Replace with named-user share if external party legitimate · 3. Apply "Confidential — Commercial" sensitivity label
☐ Steward acknowledged (Day 65)
☐ Steward decision recorded in GSRC Review channel (Day 70)
☐ Link revoked by IT (Day 72)
☐ Sensitivity label applied (Day 75)
☐ Re-scan Pass 3 confirms resolution (Day 85)
☐ Card moved to Mitigated — Pending Validation
Critical Steward Decision IT Action S R
Pillar 4 · Section 5

Meeting Transcripts & GSRC Continuity

Closes the loop between monthly cadences. Every committee meeting produces a transcript; Copilot generates a summary; Co-Chairs extract GSRC risks into Planner and update the OneNote register — within 48 hours.

5.1 Meeting Recording & Transcript Configuration

Setting Recommendation
Recording Always ON — auto-record all committee meetings
Transcription Always ON — live transcript enabled
Storage Teams channel Files tab (not individual OneDrive)
Sensitivity Label Auto-applied "Confidential — Internal" via Purview
Retention Label "Governance Committee Records — 7 Year Retain"
Access Restricted to committee members (private channel storage)
Copilot Summary Generated at meeting end · reviewed by Co-Chair

5.2 GSRC Extraction Workflow — From Transcript to Planner

The continuity mechanism between meetings. Ensures no risk or mitigation decision discussed verbally is lost before the next meeting.

1

Transcript Auto-Saved

Teams saves .vtt transcript to GSRC Review > Files within 24 hours of meeting end. Recording .mp4 stored alongside.

2

Copilot Meeting Summary

Microsoft Copilot generates: meeting summary, action item list with suggested assignees, unanswered questions / follow-ups. Co-Chair reviews and posts summary to GSRC Review channel.

3

GSRC Risk Extraction Within 48 hrs

Co-Chair reviews summary + transcript and identifies: new risks → create Planner task in "Active GSRC Risks"; mitigation updates → update existing card; escalations → move to "Escalated" + post Leadership Briefing; closed risks → move to "Closed" with evidence.

4

OneNote Risk Register Update

Update GSRC OneNote notebook in GSRC Review channel: running register, meeting-by-meeting risk delta (new / updated / closed), mitigation evidence links (Planner card → re-scan result).

5

Continuity Briefing Post

48 hrs before next meeting, Co-Chair posts to GSRC Review: open GSRC count by tier; risks added since last meeting; mitigations completed; escalations pending leadership response; agenda items prioritized by risk delta.

5.3 GSRC OneNote Risk Register Structure

M365 Governance & AI Readiness — GSRC Risk Register ├── 📑 Risk Register (Master) │ └── Page: All Open Risks · Risk ID, Tier, BU, Category, Owner, Status ├── 📑 Meeting Transcripts & Summaries │ ├── Page: 2026-05-15 Monthly Steering — Summary + Actions │ └── Page per meeting: transcript link + Copilot summary paste ├── 📑 Mitigation Evidence │ └── Page per closed risk: GSRC-001 ... GSRC-nnn │ — before state · action · re-scan result · closed date ├── 📑 Escalation Log │ └── Page: Risks escalated to CIO/IT Leadership with decision record └── 📑 GSRC Risk Trend Analysis └── Page: Monthly count trend · new / mitigated / open by tier

5.4 Cadence Workflow Summary

Meeting Type Frequency Channel Planner Active Transcript → GSRC
Monthly Steering Monthly Committee Operations Plan 1 + Plan 3 Yes · 48h extraction
Quarterly BU Steward Review Quarterly Risk Dashboard & Scorecard Plan 2 — Sprints Yes · BU action extraction
Audit Execution Check-In Bi-weekly (Phases 1–2) Audit Execution Plan 2 — Modules Optional · summary post
Leadership Briefing Pre-CIO presentation Leadership Briefing Plan 1 — Stakeholder Yes · Escalation Log
GSRC Escalation Review Ad hoc — Critical findings GSRC Review Plan 3 — Escalated Mandatory
Section 6

30/60/90-Day Implementation Timeline

Three phases from launch through first remediation sprint. Week-by-week actions tied to owners.

1

Week 1 — Provision Digital Environment

Create Teams team + channels · provision Fabric workspace · connect app-only auth · create 3 Planner plans · create GSRC OneNote notebook. Owners: DeBois (Teams + Fabric), Jennifer (Planner + OneNote).

2

Week 2 — Charter & Steward Nomination

Draft Committee Charter; post to General channel · send steward nomination request to 7 BU leads · publish initiative announcement to Tier 1 members. Owners: Both Co-Chairs.

3

Week 3 — Onboard Stewards · First Audit Run

Onboard confirmed stewards to Teams team and BU private channels · run Module 1 (Site Discovery) Dataflow · validate first lakehouse data load. Owners: M365 Admin, DeBois.

4

Week 4 — First Committee Meeting

Hold first monthly steering meeting · record + transcribe · Copilot summary · extract initial GSRC items to Planner Plan 3. Ratify Charter v1.0. Owners: Both Co-Chairs.

5

Weeks 5–6 — Modules 2–4 Execution

Run DF_Module2 (Library Profiler), DF_Module3 (User & Permissions), DF_Module4 (Classification Gaps). Validate row counts. Owner: DeBois Hill.

6

Weeks 6–7 — Passes 1, 2, 3 + OneDrive Scan

Item-level surface scan · broken inheritance scan · sharing link resolution via Graph · OneDrive shadow content scan (priority roles: Commercial, Finance, Legal). Owners: IT Admin + DeBois.

7

Week 8 — First BU Scorecard Published

Publish Power BI Page 1 (Exec Summary) and Page 7 (AI Readiness Gate) to Risk Dashboard channel · distribute BU-specific findings to private channels via RLS-filtered Page 2 · populate Plan 3 GSRC register with audit-identified risks. Owner: Jennifer Doak.

8

End of Week 8 — Quarterly BU Steward Review

First full-committee quarterly review · BU stewards walk through their scorecard · agree Sprint 1 priorities. Record + transcribe · 48h GSRC extraction. Owners: Both Co-Chairs.

9

Weeks 9–10 — Sprint 1 Critical Remediation

All CRITICAL items active in Plan 2 — Sprint 1 bucket: anonymous link removal, MNPI sensitivity labeling, orphan-site owner assignment, zombie grant revocation. Owners: Stewards decide, IT executes.

10

Week 11 — GSRC Workflow Steady-State

GSRC extraction workflow operational after each monthly meeting · OneNote register kept current · Planner cards moved through buckets as risks progress. Owner: DeBois Hill.

11

Week 12 — First AI Readiness Gate Assessments

Publish first Gate 1 (Inventory) and Gate 2 (Classification) status per BU on Page 7 · BUs that pass gates publicly recognized in AI Readiness Gate channel. Owner: Jennifer Doak.

12

End of Day 90 — Leadership Briefing

CIO presentation using first 90-day evidence base · ownership answer narrative · risk dashboard walk-through · investment ask if licensing gaps blocking remediation. Owners: Both Co-Chairs.

90-Day Success Targets: Teams team active with all stewards onboarded · Fabric running all modules + passes · first BU scorecard published · ≥10 GSRC risk cards in Plan 3 · all CRITICAL findings have owners · first transcript through GSRC workflow · zero anonymous sharing links remain · ≥2 BUs at Gate 1 passed.
Section 7

AI Readiness Gate Tracker

Four gates control when each BU is authorized for Microsoft 365 Copilot deployment. Governance becomes the BU's path to AI access.

7.1 Gate Criteria

Gate Criteria Measurement Source
Gate 1 — Inventory ≥95% of known SharePoint sites inventoried and hub-associated Module 1 scorecard
Gate 2 — Classification ≥80% of document libraries have enterprise content types and base columns applied Module 2 + Module 4
Gate 3 — Access Hygiene Zero anonymous links · zero zombie external grants · all sites ≥2 owners Module 3 + Pass 3
Gate 4 — Labeling ≥90% of library content has sensitivity labels · all MNPI/legal labeled Critical or Restricted Purview label coverage

7.2 Per-BU Gate Status — Sample Snapshot

This is the live data shown on Power BI Page 7. Updated nightly via the Fabric semantic model refresh.

Business Unit Gate 1 Gate 2 Gate 3 Gate 4 Copilot Eligible
HSE Passed Passed Passed 90% Imminent
PRB / U.S. Thermal Passed 80% 2 grants 75% In Progress
Seaborne Metallurgical 67% 60% 3 anon Blocked
Commercial & Marketing 50% 0% 5 anon Blocked
Finance & IR Not Started
Legal & Compliance Not Started
Logistics Not Started

7.3 Per-BU Gate Detail

  • Gate 1 ✓ All 3 HSE sites inventoried and hub-associated
  • Gate 2 ✓ 90% of HSE libraries have enterprise content types (Incident, Permit, Inspection)
  • Gate 3 ✓ Zero anonymous links · all sites have multiple owners
  • Gate 4 ⏱ 90% sensitivity labeled — final 10% is the 2024 incident archive · steward decision pending on retention category

Action to gate eligibility: HSE Steward to approve archive retention label by next monthly meeting.

  • Gate 1 ⏱ 2 of 4 Commercial sites inventoried · 2 hub-association pending
  • Gate 2 ✗ Pricing model libraries have no enterprise content types · base columns missing
  • Gate 3 ✗ 5 anonymous sharing links on coal supply agreement libraries — all CRITICAL Sprint 1 items
  • Gate 4 ✗ Zero MNPI labels applied to commercial pricing folders

Action to gate eligibility: Sprint 1 critical remediation must close all 5 anonymous links · Commercial Steward must approve MNPI labeling rollout · ETA Day 90.

  • Gate 1 ⏱ 4 of 6 sites inventoried · Centurion project sites still being mapped
  • Gate 2 ⏱ 60% libraries have CTs · Quality Specs library missing enterprise CT
  • Gate 3 ✗ 3 anonymous links on Centurion HCC quality specs (GSRC-007 through GSRC-009)
  • Gate 4 ⏱ Sensitivity labeling not yet rolled out

Action to gate eligibility: Seaborne Met Steward to approve link revocation by Day 65 · Quality Specs library CT rollout in Sprint 2.

  • Gate 1 ✓ All 3 PRB sites inventoried (NARM, Caballo, Rawhide)
  • Gate 2 ⏱ 80% libraries with CTs · Utility Contract library needs schema update
  • Gate 3 ⏱ 2 stale external grants to retired BNSF logistics contacts · pending steward approval to revoke
  • Gate 4 ⏱ 75% sensitivity labels applied · Mining Reclamation library remaining

Action to gate eligibility: PRB Steward to approve revocation of 2 stale grants and complete Reclamation library labeling · ETA Day 110.

🤖Motivational lever: Page 7 is the most powerful artifact the committee owns. Publish gate advancement publicly in the AI Readiness Gate channel — celebrate BUs that pass gates, name the blockers (without blame) for those that haven't. Healthy peer pressure replaces top-down enforcement.
Section 8

Master Implementation Checklist

Track every implementation task. Progress persists in your browser via local storage. Click checkboxes; reopen the page anytime to resume.

Implementation Progress

Total Tasks
0
Completed
0
% Complete
0%
01
Create Teams team — "M365 Governance & AI Readiness Committee"
Private · DeBois + Jennifer as Owners · sensitivity label "Confidential — Internal"
02
Create all 8 standard channels
General, Committee Operations, Audit Execution, Risk Dashboard, Remediation Tracking, GSRC Review, AI Readiness Gate, Leadership Briefing
03
Create 7 BU private channels
One per steward area · BU Steward + Core Committee membership only
04
Configure team governance policies
Channel creation = Owners only · guests disabled · auto-record + transcribe ON · external sharing OFF on backing site
05
Provision Fabric workspace — "Peabody Energy — M365 Governance Audit"
Premium PPU or Fabric F-SKU · DeBois + Jennifer as Admin
06
Create Azure AD app registration with certificate credential
App-only · scopes: Sites.Read.All, Files.Read.All, User.Read.All · grant tenant consent
07
Connect Fabric workspace to M365 tenant via app-only auth
08
Create GovernanceAuditLakehouse with raw / silver / gold zones
09
Create 3 Planner plans
Plan 1 Committee Ops · Plan 2 Audit & Remediation · Plan 3 GSRC Risk · pin to respective Teams channels
10
Build all bucket structures across 3 plans
Plan 1: 5 buckets · Plan 2: 12 buckets · Plan 3: 6 buckets
11
Configure label color taxonomy in Plan 2
Critical · High · Medium · Completed · IT Action · Steward Decision
12
Create GSRC OneNote notebook in GSRC Review channel
5 sections: Risk Register · Transcripts & Summaries · Mitigation Evidence · Escalation Log · Trend Analysis
13
Pin apps to channels per pinning matrix
Planner · Power BI · OneNote · SharePoint · Loop · Approvals
14
Configure Purview retention label "Governance Committee Records — 7 Year"
Auto-apply to Teams team backing SharePoint site
15
Draft Governance Committee Charter v1.0
Name · scope · co-chair roles · membership tiers · cadence · authority · escalation path
16
Post Charter to General channel for Tier 1 review
17
Send steward nomination request to all 7 BU leads
Brief email or Forms template · include role description and time commitment
18
Confirm all 7 steward nominations received
Seaborne Met · PRB · Commercial · HSE · Finance · Legal · Logistics
19
Onboard confirmed stewards to Teams team
Add to Tier 2 membership group · invite to BU private channel
20
Conduct steward orientation session
Walk through scorecard concept · GSRC workflow · accountability model
21
Hold first monthly steering meeting (Tier 1)
Record + transcribe · ratify Charter v1.0 · agree audit kickoff
22
Post first Copilot meeting summary to GSRC Review channel
23
Build & execute DF_Module1_SiteDiscovery
Output FactSiteInventory · validate row counts
24
Build & execute DF_Module2_LibraryProfiler
Output FactLibraryClassification · CT presence + base column check
25
Build & execute DF_Module3_UserPermissions
Site users + role assignments + guest detection
26
Build & execute DF_Module4_ClassificationGaps
Join Modules 1–3 with Purview labels
27
Execute DF_Pass1_LibrarySurface
Item-level scan on priority libraries
28
Execute DF_Pass2_BrokenInheritance
HasUniqueRoleAssignments=true · capture broken-ACL items
29
Execute DF_Pass3_SharingLinkResolution via Graph
Detect anonymous links, zombie grants, external domain shares
30
Execute DF_OneDriveShadowContent for priority roles
Commercial · Finance · Legal first; org-wide in baseline pass
31
Build semantic model — fact + dim tables, relationships, DAX
32
Build Power BI Pages 1–7
Including new Page 7 — AI Readiness Gate Dashboard
33
Configure RLS roles — BU Owner, IT Admin, Executive, Legal & Compliance
Map to Entra ID groups · test "View as Role"
34
Embed Power BI tabs into Teams channels
Page 1+7 → Risk Dashboard · Page 6 → Remediation Tracking · Page 7 → AI Readiness Gate · Page 2 (RLS) → BU private channels
35
Publish first per-BU scorecard to Risk Dashboard channel
36
Distribute BU-specific findings to private channels (RLS-filtered)
37
Populate Plan 3 GSRC register with audit-identified risks
Use risk card template · tag G/S/R/C codes · assign tier and owner
38
Publish initial Gate 1 + Gate 2 status per BU on Page 7
39
Hold first Quarterly BU Steward Review
All Tier 1 + Tier 2 · record + transcribe · agree Sprint 1 priorities
40
Run GSRC extraction workflow on quarterly meeting transcript
48-hour SLA · update Plan 3 + OneNote register
41
Activate all CRITICAL items in Plan 2 — Sprint 1 bucket
42
Steward acknowledgement of all CRITICAL findings (5-day SLA)
43
Remove all anonymous sharing links on Commercial, Legal, Finance content
44
Apply MNPI sensitivity labels — Finance board materials, M&A artifacts
45
Assign 2nd site owner to all orphaned sites
46
Revoke all zombie external sharing grants
Guest accounts no longer active in Entra ID
47
Re-run Pass 3 to validate critical sharing links closed
48
Move closed risks in Plan 3 to "Mitigated — Pending Validation" then "Closed"
49
Update OneNote Mitigation Evidence section with closure records
50
Validate Gate 1 (Inventory) per BU — ≥95% threshold
51
Validate Gate 2 (Classification) per BU — ≥80% threshold
52
Validate Gate 3 (Access Hygiene) per BU — zero anonymous + multi-owner sites
53
Validate Gate 4 (Labeling) per BU — ≥90% sensitivity coverage
54
Publicly recognize first-passing BUs in AI Readiness Gate channel
Healthy peer pressure · motivational reward
55
Prepare Leadership Briefing deck with 90-day evidence base
Use ownership answer narrative: IT = platform · Stewards = content · Committee = coordination · Leadership = dashboard
56
Conduct CIO / IT Leadership briefing
Investment ask if licensing gaps blocking remediation · approve Sprint 2 priorities
Press Ctrl + K anytime to open search