After auditing Notion workspaces for dozens of VC teams and startups, I've discovered that almost no one has a data governance plan. And the ones who think they do? They're usually not following it.

This isn't sexy work. It doesn't screenshot well. Nobody's posting "just set up cascading permissions" on LinkedIn. But this is where real risk lives—and where Notion consultants can deliver massive value.

Connect your email, and you’ll instantly get a CRM with enriched customer insights and a platform that grows with your business.

With AI at the core, Attio lets you:

Join industry leaders like Granola, Taskrabbit, Flatfile and more.

👉 Try Attio Pro for free

Here's the pattern I see over and over: teams are excited about workflows, databases, and automations.

They want deal flow trackers, project management systems, and AI integrations.

Governance?

That's the thing they'll "figure out later."

The problem is, "later" usually comes after something goes wrong.

Governance feels like overhead rather than value. There's no immediate visible benefit, no dopamine hit from checking it off the list.

Nobody's asking for it until something breaks. It requires uncomfortable conversationdis about access and trust—conversations most teams would rather avoid. And here's the kicker: Notion's default settings are permissive by design. Everything "just works" until it doesn't.

I've walked into workspaces where confidential pitch decks were shared with the entire company by default.

Team members had created shadow Notion workspaces, inviting colleagues to individual pages without any oversight. Deal data and startup financials were being uploaded into personal AI tool accounts. Everyone had "Full Access," meaning any team member could invite people outside the organization without approval.

One VC firm I worked with had no idea where their data was living. It was impossible to audit or track. That's a governance nightmare—and it's far more common than anyone wants to admit.

Let's be clear about what's actually at stake.

Confidential data could get into the wrong hands. Deal memos, financials, internal strategy docs, founder information—shared with the wrong person or exported without anyone knowing.

One bad share can unravel years of trust. I've seen it happen, and the fallout is never pretty.

Then there's the AI variable.

You're uploading data to third-party tools, and it's not always clear whether those tools are training on your data. Most free AI tools don't have enterprise-grade data retention policies. Your sensitive information could be feeding models you have no control over, models that might surface your confidential information to other users down the line.

And perhaps most concerning: it's nearly impossible to maintain a secure, private workspace if there's little to no visibility into what workflows actually look like. Shadow tools proliferate. Personal accounts get used for work. Unapproved integrations multiply. You can't govern what you can't see.

The risk isn't theoretical. It's happening right now, in workspaces that look perfectly organized on the surface.

Here's what's changed in the past year: AI tools have made data governance urgent in a way it never was before.

This isn’t a warning to avoid AI tools. I want teams to leverage the latest and greatest AI tools and features. The productivity gains are real, and the competitive advantage is significant. But they need to do it in a controlled way, with clear boundaries and explicit policies.

If your team doesn't have clear guidelines on what data can be shared where, employees will figure it out themselves. They'll copy sensitive information into ChatGPT prompts on personal accounts. They'll use whatever AI tool is convenient without thinking about where that data goes or how long it's retained. They'll paste confidential LP information into AI assistants to help draft an email. They'll share founders' financials across multiple unmonitored platforms to generate a quick analysis.

The intention is never malicious. People are just trying to work faster, to be more productive, to deliver better results. But without a governance framework, they're creating invisible risk—risk that compounds with every copy-paste, every shared prompt, every "helpful" AI interaction.

Here's the honest truth: most teams haven't prioritized governance work. Which is exactly why it's valuable.

For workspace admins and Notion consultants working with VCs, startups, or any team handling confidential data, governance represents a massive opportunity. Governance audits can be a standalone project or a natural add-on to system builds.

It positions you as a strategic partner, not just someone who builds pretty databases. More importantly, it solves a real problem that teams often don't know they have until you show them.

Governance work also requires ongoing review. Unlike a one-time database build, governance isn't one-and-done. It requires periodic reviews, updates as the team grows, adjustments as new tools enter the stack. For consultants, that's recurring revenue and long-term relationships. For internal admins, that's sustained impact and job security.

For organizations, the value is immediate and tangible. A governance review reveals hidden risks before they become crises—before the confidential deal memo ends up in the wrong inbox, before the LP data gets scraped into an AI training set. Clear permission structures actually save time in the long run, eliminating the constant stream of access requests and reducing the mistakes that come from unclear boundaries. And perhaps most importantly, it builds confidence that sensitive information is protected, which matters enormously when you're handling other people's money and trust.

The teams that need this most are often the ones who haven't thought about it. Whether you're an internal admin or an external consultant, that's your opening.

Here's a quick gut-check for your workspace. If you can't confidently answer "yes" to these, you've got work to do:

Want the full breakdown? Get the complete Data Governance Checklist with detailed questions, red flags, and implementation steps:

👉 Download the Free Governance Checklist Template

The pushback I hear most often: "This sounds like bureaucracy that will slow us down."

Here's the reframe: clear governance actually speeds things up.

When everyone knows where information lives, what can be shared and with whom, and who to ask when there's a question, you eliminate the constant back-and-forth of access requests. You eliminate the duplicate documents created "just in case" because someone wasn't sure if they'd lose access. You eliminate the anxiety about whether something should or shouldn't be shared, which leads to either over-sharing or information hoarding—both of which slow teams down.

This approach is deliberately pragmatic. Start with an audit using the framework above, which usually takes a few hours and reveals patterns immediately. Then identify the highest-risk gaps—the things that could cause a crisis tomorrow if left unaddressed. Permission defaults get fixed first because this has the biggest immediate impact with the least effort.

Next, I create simple, written guidelines. I'm talking one page, not a policy manual. Something that fits on a single Notion page that people will actually read. These guidelines cover the basics: who can invite guests, what information can be shared externally, which AI tools are approved for what types of data, and who to ask if you're unsure.

Then comes the critical step: assign a governance owner. This is someone internal who will maintain the system, field questions, conduct periodic reviews, and update guidelines as the team and tools evolve. Without this owner, governance becomes another abandoned initiative.

Finally, schedule quarterly reviews. Fifteen minutes every three months to check for drift, update the team on any changes, and address emerging issues before they become crises.

Every successful governance implementation I've seen has one thing in common: someone internal owns it.

This person doesn't need to be technical. They don't need to be a Notion expert or understand database relations. What they need is to care about the problem, to have authority to make decisions, to be willing to have uncomfortable conversations when guidelines aren't being followed, and to follow up consistently.

I've seen governance initiatives fail in organizations with all the right tools, perfect documentation, and clear policies. The reason? No one owned it. No one was responsible for noticing when a new team member was granted Full Access by default. No one checked whether guests were being removed after projects ended. No one updated the AI policy when a new tool entered the stack.

Without this owner, governance becomes another abandoned initiative. The cost isn't just the wasted effort of setting it up—it's the erosion of trust in future process improvements. If you roll out governance with fanfare and it falls apart in three months, good luck getting people to take the next initiative seriously.

Whether you're a startup founder realizing you have no idea who can see your cap table, a VC partner wondering where your deal data is actually living, or a Notion consultant looking for ways to deliver more strategic value—governance is the work that prevents crises.

It's not glamorous. It won't generate the engagement that a beautiful dashboard screenshot will. But the teams that take it seriously sleep better at night. They move faster because they're not paralyzed by uncertainty. They build trust with LPs, with founders, with each other.

Two questions to ask yourself:

If the answer to either is "no" or "I'm not sure"—that's where to start. Not next quarter, not after the next fundraise, not when you have more bandwidth. Start now, while the stakes are still manageable.

Until next time,
Dave

ps. if you’ve noticed a different look, it’s because we’ve moved to Beehiiv!