A few years ago I watched a brand new Power BI report go live. It looked great, clean, quick, exactly what the business had asked for. Within a day, someone in finance noticed a figure that did not match five years of their own reporting. The number on the new report was wrong, and the problem was ours, not theirs.
What happened next is the part that matters. Word got round, with some more "influential" (loud) persons promotingh it. People stopped trusting the report and believe it or not, pushed back heavy on the platform it sat on. Many drifted back to their old spreadsheets, some built their own shadow versions and the governance effort was dead before it had really started. All that from some initial discrepancies.
That is the thing about trust in a BI platform. First impressions count, and a bad one is a long road back. In the overview of my Power BI User Group Leeds talk I listed trust, security and classification as one of the foundations to establish before moving into self-service, and this blog is that factor up close: how you protect trust, and the two things that hold it up.
A note on scope before we go further. This is a blog about why trust matters and how security and classification protect it, not a step-by-step guide to configuring row-level security or Microsoft Purview. It;s not about getting into the technical details, I have other blogs for that. So, where the mechanics matter, I will point you to the deeper how-to blogs, so this one can stay on the part most people skip, the trust itself.
Summary
Trust is the foundation a Power BI and MS Fabric platform stand on, and it is the one thing you cannot easily rebuild once it is gone. I always tell my clients, first impressions matter! If the business stops believing the numbers, they stop using the platform and no feature wins them back. Security and classification are not separate lectures here, they are how that trust is protected and made visible: security decides who sees what and keeps sensitive data safe, while classification tells people which content they can rely on. Reconcile the numbers before go-live, control access sensibly, and signal what is trusted, and the platform earns its place.
Key takeaways
- A BI platform lives or dies on trust. Get the numbers wrong and you have a lot of making up to do.
- Reconcile your key numbers before go-live, and put a named owner on every important measure.
- Security is part of trust: people need to trust they see what they should, and that sensitive data stays safe when a report is shared or exported.
- Treat tenant settings as guardrails, not a fortress. Lockdown pushes people back to spreadsheets.
- Classification makes trust visible. Endorsements say what is trusted, and sensitivity labels keep that signal attached to the data wherever it travels.
Trust is the hardest thing to rebuild
Most things in a Power BI rollout can be fixed after the fact. A slow report, a clumsy layout, a missing filter, all recoverable. Trust is different and is one of those things we give a lot of attention to in Metis BI. Once people decide the numbers cannot be relied on, they quietly stop using what you built and rarely tell you. They just go back to the spreadsheet they trust.
So trust has to be earned before go-live, and in practice that comes down to two unglamorous habits. First, reconcile your key numbers against a source the business already believes, their existing reporting or the finance figures, before anyone sees the new report. If the new number and the trusted number disagree, you want to find that out now, not in front of the finance director. Second, give every important measure a named owner, someone accountable for what it means and whether it is right. A measure nobody owns is a measure nobody will defend when it gets questioned.
This is the reputational side of trust. Whether the underlying data is accurate is a related but separate question, which I cover in The Hidden Pitfall in Power BI Projects: Why Data Quality is Non-Negotiable. Both matter. This one is about whether the business believes you, which is the part that is hardest to win back.
Security: seeing what you should, and nothing you should not
Security usually gets discussed as a technical checklist, but it belongs in a conversation about trust, because people need to trust two more things: that they can see everything they are entitled to and that they cannot see anything they should not. A leader who stumbles onto another region's salary data loses confidence just as fast as one who finds a wrong number.
It helps to start with three questions: who should be able to use what data, how you handle sharing with external users and what happens when someone shares a report or exports data outside the organisation. Answer those and most of the security model follows.
The principle underneath is least privilege: decide who should see what, then enforce it rather than hope. Power BI gives you a stack of levers for this, multi-factor authentication at the front door, controls for external B2B guest users, and inside the model, row-level security to limit which rows a person sees, with column-level and object-level security where whole fields or tables should be hidden from some users. I am not going to rebuild the how-to here as I said earlier, because I have written it separately. For the details, here are some blogs, see How to Configure Row-Level Security in a Microsoft Fabric Data Warehouse, Masking Data in Power BI for protecting sensitive fields and Share Power BI Reports with External Users for getting external access right. Of course, I have not covered everything in these blgos to do with security, so reach out or book a free consutlation if you or your team more help.
The trap to avoid is treating security as lockdown. I sit in a lot of these meetings, and more often than not it is a room of IT people looking at the platform through an IT lens, asking what they can restrict and lock down. I understand the instinct, but a balance is needed. Tenant settings configured with only restriction in mind quietly become a fortress, and that feels safe right up until it pushes people to work around you, exporting and copying and rebuilding elsewhere, which is less secure, not more. The job is to empower people to operate within the right guardrails, not to wall them in. I made that case in full in Power BI Governance: Balancing Control and Self-Service for Adoption.
Classification: making trust visible
Once the numbers are right and access is controlled, there is still a gap. How does a user know which content to trust? In a busy tenant there might be five reports with similar names, one built properly by the BI team and four put together by well-meaning colleagues. Classification closes that gap by making trust visible, and it has two halves.
Endorsements are the first. Marking a semantic model or report as Promoted or Certified tells users it has been reviewed and can be relied on, so they stop guessing which version is the real one. Certified is the stronger signal, usually reserved for content that has passed a proper review, and it is worth restricting to a named group so the badge keeps its meaning.
Sensitivity labels are the second, configured in Microsoft Purview and applied to your content as Public, Internal, Confidential and so on. The useful part is that the label travels with the content, so when a report is exported to Excel or PDF the classification, and any protection attached to it, goes with it. There is real depth here if you want it, mandatory labelling, inheritance from the data source, and downstream inheritance to new content, but the governance point is simple: endorsements tell people what to trust and labels keep sensitive data marked wherever it ends up.
Before go-live: a short checklist
If you take the practical core of this and nothing else, it is short:
- Reconcile your key numbers against the trusted source, before anyone sees the report.
- Put a named owner on every important measure.
- Apply least-privilege access, and test it with a real user from each audience.
- Endorse the content that has been reviewed, and label anything sensitive.
That handles most of the reputational risk before launch, which is the only point at which it is cheap to handle. If you want a fuller pre-launch list to work from, our Power BI checklist is a good place to start.
How Metis BI helps
Getting trust right before go-live is a large part of what we do on a governance engagement. We reconcile the numbers, agree ownership, and set up the security and classification that protect a platform without strangling it. It tends to help two kinds of organisation: those about to launch something important who want to get it right first time, and those who have already lost a little trust and need to win it back. If that sounds like you, our Power BI and Microsoft Fabric governance assessment is the right place to start.
Security and classification matter, but they are in service of one thing. A BI platform is only as valuable as the trust people place in it, and that trust is built or lost in the details: a number that reconciles, an owner who answers for it, and a label that tells you what you are looking at. Get those right and the platform earns its place. Get the numbers wrong, and winning that trust back is the hardest job you will take on.
This blog builds on the foundations I set out in Power BI Governance: The Foundations Matter More Than Ever, the overview of my Leeds talk on Power BI governance, and sits alongside The MS Fabric & Power BI Deployment Approaches.
.png)



.png)
.png)