Project to Platform: How Oreta Helps Customers Operate Cloud, Security & AI at Scale

Most technology work starts as a project — move this workload, deploy that security tool, migrate this tenant, configure that policy, enable this new capability for the business. 

Projects matter. They create movement. They get things delivered. But the real value usually comes after the project. 

In Oreta’s experience, that is the part organisations often struggle with. 

Cloud gets deployed, but governance does not keep up. Security tools get switched on, but no one has time to tune them properly. Microsoft 365 grows quickly, but data becomes overshared. AI gets introduced, but the organisation is not fully sure what information it can see, summarise, or expose. 

This is why the shift from project to platform matters. 

Only 8% of organisations globally qualify as highly cloud-mature, yet those organisations are 62% more likely to say their cloud strategy has helped them achieve their business goals. (HashiCorp / Forrester, 2024) 

Project vs. Platform: What’s the Difference? 

A project delivers an outcome, it is temporary, goal-oriented, and has a specific scope. 

A platform creates an ongoing capability, it is long-term, value-generating, and requires dedicated resources and operational ownership. 

The gap between the two is where most organisations lose momentum. A successful project deployment is not the same as a successfully operated environment. Tools that are installed but not governed, monitored, or maintained become liabilities rather than assets. 

82% of cloud configuration errors originate from manual setup or oversight — not from vendors. (DataStackHub, 2025–2026) 

And the numbers reinforce this. More than 60% of organisations reported security incidents specifically tied to public cloud usage in 2024 — a figure that increased 10% year-over-year. When cloud environments grow without corresponding operational discipline, that gap becomes a material risk. 

The Gap Oreta Helps Close 

There is a meaningful difference between enabling Microsoft Copilot and being ready for AI across your data, identity, and access controls. There is a meaningful difference between standing up Microsoft Defender and building a useful detection and response function. 

That is the space Oreta helps customers move into. 

It is not just about standing up the technology. It is about helping organisations make the technology useful, secure, and sustainable. 

The Modern Microsoft Environment Is Deeply Connected 

The modern Microsoft environment does not operate in silos. Entra controls identity. Intune manages device trust. Defender protects endpoints, identities, email, and cloud workloads. Sentinel brings security signals together. Purview helps govern sensitive information. Copilot and AI services then sit across that entire environment — and rely on the quality of those foundations. 

If the foundations are strong, AI and automation become easier to adopt. 

If the foundations are weak, AI tends to expose the gaps. 

85% of organisations are now using some form of AI in their cloud environments. Yet only 20% of firms feel confident securing generative AI deployments. (Wiz Research, 2025; TotalAssure, 2025) 

That confidence gap is not surprising. AI systems require access to vast datasets, which raises data security and compliance challenges that organisations simply have not had to manage at scale before. Organisations with comprehensive AI governance policies are nearly twice as likely to report confident AI adoption — but only about one in four organisations currently has comprehensive governance in place. 

The Oversharing Problem: Why Data Governance Comes Before Copilot 

One of the most common blockers we see before Copilot deployments is oversharing. Copilot does not bypass permissions, it operates within whatever access the user already has. If SharePoint sites are misconfigured, if files are shared too broadly, or if sensitivity labels have not been applied, Copilot will surface that content. 

A Gartner survey found that data oversharing caused 40% of M365 Copilot rollouts to be delayed by three months or more, while 64% of IT leaders said information governance required significant time and resources to manage during Copilot deployments. (Gartner, 2024) 

Research from Concentric AI found that 16% of an organisation’s business-critical data is overshared, with an average of 802,000 files at risk per organisation. (Concentric AI, 2025–2026) 

This is why using Microsoft Purview to baseline sensitive data exposure before rolling out Copilot is not an optional step, it is foundational. The same applies to identity hygiene, Conditional Access policies, and ensuring that the permission graph reflects how data should actually be accessed, not just how it has accumulated over years of organic collaboration. 

Cloud, Security, and AI Cannot Be Treated as Separate Conversations 

A customer might start with a security uplift, but the real issue may be identity hygiene. Another customer might want Copilot but first needs to understand oversharing in SharePoint and Teams. Another might be moving workloads to Azure, but needs better backup, monitoring, cost control, and operational ownership before the platform can scale. 

These are not separate conversations. They are all connected. 

59% of organisations identify insecure identities and risky permissions as the top security risk to their cloud infrastructure. (Cloud Security Alliance, 2025) 

63% of breached organisations lacked AI governance policies. Among those with policies, fewer than half had approval processes for AI deployments, and 61% lacked the technology to enforce them. (IBM, 2025) 

Identity is the common thread. Whether the risk sits in cloud misconfiguration, Copilot oversharing, Defender alert fatigue, or AI access controls — poor identity and permissions hygiene amplifies every other risk across the environment. 

Where Project Thinking Falls Short 

A project might get the tool deployed. 

A platform approach asks better questions: 

1. Who owns it? 
2. How is it monitored? 
3. What happens when something breaks? 
4. How are risks reported? 
5. How does the business know it is getting value? 
6. How does it improve over time? 

 These are operational questions, not project questions. And they are the questions that determine whether technology investments actually deliver sustained value to the business. 

Among highly cloud-mature organisations, 89% report their cloud strategy has helped them achieve their business goals, compared to just 55% of low-maturity organisations. (HashiCorp / Forrester, 2024) 

Connecting the Dots: The Oreta Approach 

For Oreta, the value is in helping customers connect the dots. Not just “here is your cloud environment” or “here is your security tool”, but “here is how this becomes an operating model you can actually run.” 

In practice, that might mean: 

1. Designing the right Microsoft security architecture for your environment 
2. Helping operational teams understand what to do with Defender alerts 
3. Building executive reporting that gives leaders meaningful visibility into risk 
4. Using Purview to baseline sensitive data exposure before rolling out Copilot 
5. Aligning cloud, endpoint, and identity decisions so the environment is easier to secure and operate 
6. Establishing ongoing governance that grows with your organisation rather than falling behind it 

  The outcome is not more complexity. 

The outcome should be clarity. 

A good platform gives the business confidence. It gives IT teams structure. It gives security teams visibility. It gives leaders a better understanding of risk. And it gives the organisation a stronger foundation for whatever comes next — whether that is AI adoption, regulatory pressure, cyber resilience, or continued cloud growth. 

The Organisations That Will Win Are the Ones That Operate Well 

The organisations that will get the most value from cloud, security, and AI are not the ones that simply deploy the most tools. 

They are the ones that can operate them well. 

AI adoption is accelerating faster than governance frameworks can keep pace. Security threats are compressing the window between compromise and impact. Cloud environments are becoming more complex and more interconnected. The gap between “deployed” and “operating well” has never been more consequential. 

Oreta helps organisations close that gap — turning cloud, security, governance, and AI from a collection of projects into a repeatable, operational capability. 

Key Takeaway 

Technology projects are important, but they are only the starting point. The real maturity comes when organisations turn cloud, security, governance, and AI into repeatable, operational capability and when they have the right partner to help them get there. 

References 

1. Cloud Security Alliance. (2025). The state of cloud and AI security 2025. https://cloudsecurityalliance.org/artifacts/the-state-of-cloud-and-ai-security-2025 
2. Cloud Security Alliance & Google Cloud. (2025, December 18). Governance maturity is strongest predictor of AI readiness. https://cloudsecurityalliance.org/press-releases/2025/12/18/csa-and-google-cloud-study-finds-governance-maturity-is-strongest-predictor-of-ai-readiness 
3. Concentric AI. (2025–2026). Microsoft Copilot security: Risks, controls & best practices. https://concentric.ai/too-much-access-microsoft-copilot-data-risks-explained/ 
4. DataStackHub. (2025–2026). 50 cloud misconfiguration statistics for 2025–2026. https://www.datastackhub.com/insights/cloud-misconfiguration-statistics/ 
5. Gartner. (2024). Cited in: Novet, J. Microsoft moves to stop M365 Copilot from ‘oversharing’ data. Computerworld. https://www.computerworld.com/article/3616459/microsoft-moves-to-stop-m365-copilot-from-oversharing-data.html 
6. HashiCorp & Forrester Consulting. (2024). 2024 HashiCorp state of cloud strategy survey. https://www.hashicorp.com/en/state-of-the-cloud 
7. IBM. (2025). Cost of a data breach report 2025. Cited in: The Network Installers. (2026). 35+ cloud security statistics, data & trends for 2026. https://thenetworkinstallers.com/blog/cloud-security-statistics/ 
8. Microsoft. (2025, November 18). Mitigate oversharing to govern Microsoft 365 Copilot and agents. Microsoft Community Hub. https://techcommunity.microsoft.com/blog/microsoft365copilotblog/mitigate-oversharing-to-govern-microsoft-365-copilot-and-agents/4448744 
9. TotalAssure. (2025, January). AI cybersecurity statistics in 2025: Comprehensive data on threats, detection, and defense. https://www.totalassure.com/blog/ai-cybersecurity-stats-2025 
10. Wiz Research. (2025). The state of AI in the cloud 2025. https://www.wiz.io/reports/the-state-of-ai-in-the-cloud-2025