What does your Rovo pre-activation permission audit actually cover?

Hi @Prashanth

This is an excellent point and one that I believe many organizations underestimate when evaluating AI readiness.

In my experience, the biggest risk isn't necessarily sensitive content itself—it's the years of permission drift that accumulate as organizations grow, reorganize, and migrate platforms. By the time Rovo enters the conversation, many teams have never fully audited who can actually see what across Jira and Confluence.

I particularly like your statement that Atlassian Graph indexes the permission reality rather than the permission intention. That's a distinction many administrators miss. Organizations often assume permissions are operating as designed, when in reality inherited groups, legacy project roles, and historical access decisions have created a very different visibility model.

A few patterns I've encountered during governance reviews include:

• "Browse Project" permissions granted to broad authenticated-user groups

• Confluence spaces that were intended for specific teams but remain open to all licensed users

• Legacy migration groups that nobody owns but still provide access

• Project role assignments that have expanded over time without periodic review

• Archived projects and spaces that still contain discoverable information

One recommendation I often make before enabling AI capabilities is to perform access reviews from the perspective of representative user personas rather than administrators. What a project manager, developer, contractor, executive, or support analyst can access is often very different from what administrators believe they can access.

I would also be interested to hear whether anyone has developed a repeatable methodology for validating permission models at scale before a Rovo rollout. As AI adoption increases, permission governance feels less like a security exercise and more like a foundational requirement for successful AI implementation.