Document Trust You Can Prove: Versions, Approvals, and Policy Read Acknowledgements

Webinar Wrap Up 

If your organisation runs on SharePoint, you’ve probably had that small moment of panic when someone asks a deceptively simple question: “Can you prove this is the version we approved?”  

In our latest webinar, Document Trust You Can Prove, WebVine’s Head of Product & Delivery, James Dellow, walked through exactly how to close that gap. Covering the three things that tend to break first in real environments: versions, approvals, and policy reads. 

You can watch the full recording below. If you’d rather read, scroll past the video and we’ve summarised all the key takeaways for you. 

The big message: trust is proven, not promised 

Here’s the line that framed the whole session. SharePoint already gives you versioning, check-in/out, and retention. And yet none of those things actually tell you: 

“This is the version that was formally approved on this date, and is the version of record.” 

The features are switched on. The proof is still missing.  

That gap matters more than ever, because the same documents now feed Copilot, retention policies, and audits.  

As James put it: generative answers are only as defensible as the documents they’re built from. 

The good news? Document trust isn’t a feature you flip on.  

It’s a layer you build. And it’s very achievable on the SharePoint and Microsoft 365 foundation you already have, especially when it’s set up as a well-structured SharePoint intranet. 

Document trust is a layer, not a feature 

James described trust as three layers stacked on top of each other, and the order matters: 

1. Foundation: Information Architecture. Sites, libraries, content types, metadata. Nothing trustworthy lives without it. Think of it as the building’s floor plan: get it wrong and every room above is harder to use. 

1. Today’s focus: Controlled Documents. Versions, approvals, and policy reads, captured against an information architecture you can rely on. 

1. What it unlocks: Gen AI and Data Governance. Copilot grounding, Purview retention, Restricted Content Discovery. These only work properly when the layers below them are sound. 

In other words: document hygiene has quietly become an AI-readiness conversation. You can’t bolt trustworthy AI onto messy content and hope for the best. 

The three pillars of document trust 

Everything in the session sat inside three pillars. Here’s what each one looks like in practice. 

Pillar 1: Versions you can defend 

We’ve all met the dreaded OneDrive folder: with multiple versions of the same file. 

Versioning is enabled, retention is on, and yet the only honest answer to “which one was approved?” is a shrug. 

The fix is a simple, defensible lifecycle categories: 

• Draft: editing in the open, no claims. 

• Approved: captured against a specific version, by a named approver. 

• Published: becomes the version of record (the one Copilot grounds against). 

• Superseded: retired automatically when the next approved version lands. 

In practice: a multi-site diocese.  

A diocese had thousands of documents scattered across sites with no single source of truth. So no one could say for certain which version was the real one.  

WebVine stepped in to bring order to the chaos, building a controlled document structure on Injio Docs. 

Here’s what we put in place: 

• A controlled migration of ~2,500 documents: lifted out of scattered folders and into a single, structured home where every document has a defined place. 

• A three-library model (Working → Published → Archive): drafts live in Working, the live version of record sits in Published, and superseded versions retire cleanly into Archive. 

• Extended major/minor version control in the published libraries: so every change is tracked as a meaningful revision, not just an anonymous save. 

The outcome wasn’t “we have versions”, SharePoint always had those. It was that every document now has one defensible version of record, and everyone knows exactly where it lives. 

Pillar 2: Approvals you can prove 

Where do approvals usually live? Reply-all email chains nobody can find six months later. Teams 1:1s that vanish when someone leaves. Workflow output no one can decode under audit pressure. Or worst of all… In someone’s head, the most expensive single point of failure in any organisation. 

The pattern that works is a structured approval record that captures exactly what an auditor asks for:  

• the approver 

• their role at the time 

• the date 

• the version approved 

• trigger for the next review 

Captured once. Searchable forever. 

In practice: a multi-site diocese.  

A diocese came to us with approvals scattered across email threads and people’s memories, and no reliable way to prove who signed off on what. So WebVine designed and delivered a structured approvals process for them, built on Injio Docs. 

Here’s what we put in place: 

• Multi-level approval workflows by document type: single-level for lighter documents, two-level for the ones that needed extra rigour, so each document got exactly the sign-off it required. 

• Read-only lock during approval: once a document entered the approval flow, it was locked, so nothing could shift underneath the approver while they reviewed it. 

• Approval history captured against the specific version: every sign-off recorded by a named person, against the exact version they approved, ready to stand up under audit. 

• Automatic PDF on publish: the approved version was auto-converted to a PDF version of record, so the final document couldn’t be quietly edited after the fact. 

The result?  

When someone asks “who approved this, and on which version?”, the answer lives in the record. Not in a reply-all chain. The team estimates this approach removed roughly 60% of the manual approval steps and saves on the order of ten hours a month, time that goes straight back into the work that matters. 

Pillar 3: Policy reads you can evidence 

This is the one that completes the picture, and it’s especially critical in regulated sectors like healthcare and government.  

“We sent the all-staff email” is not proof. Read receipts are unreliable and don’t show which version someone read. Page views aren’t acknowledgement. Signed PDFs are a paper-trail nightmare to keep current. LMS attestation captures the tick but is detached from the policy itself. 

The pattern that stands up: 

1. Targeted distribution: assigned by group or role. The right people, not “everyone”. 

1. Individual confirmation: each person attests to a specific version on a specific date. 

1. Auto re-attestation: when the policy changes, the loop reopens automatically. 

In practice: a healthcare provider. 

This is the one that completes the picture. Our client, a healthcare provider running clinical services across several centres, needed to prove that the right people had read the right policies, not just hope they had. 

 WebVine delivered that confidence using Injio’s Read & Acknowledge, and it’s live in their environment today. Not sitting on a roadmap. 

Here’s what we put in place: 

• A Policies & Procedures Hub for ~800 controlled documents: a single, structured home for every policy across the organisation, covering around 175 authorised users across multiple centres. 

• Targeted distribution by group and role: policies go to the right people, not “everyone”, so staff only see what’s relevant to them. 

• Per-version individual confirmation: each person attests to a specific version on a specific date, with every acknowledgement evidenced, tracked, and reportable. 

The result? 

 When a regulator or auditor asks “show me that every clinician acknowledged the current infection-control policy,” that’s a report, not a scramble. 

What’s new in the SharePoint world 

James closed with a short list worth getting ahead of: 

• Purview retention enhancements: sharper, more granular controls for records teams. Worth a fresh look at your retention strategy. 

• Restricted Content Discovery (M365): lets you stop Copilot grounding against the wrong content. Pairs naturally with a clean version of record. 

• SharePoint Advanced Management: site lifecycle, conditional access, and oversharing controls. The bits worth turning on first. 

The key takeaway 

If there’s one thing to carry out of this session, it’s this: trust is a layer you build, not a feature you switch on.  

Get your information architecture right, control your documents properly, and the harder stuff (audits, compliance, and AI) stops feeling like a leap and starts feeling like a natural next step. 

Ready to see document trust in action? 

Everything James covered (versions you can defend, approvals you can prove, and policy reads you can evidence) is built into Injio Docs. If you’d like to see how it works on your own content, book a walkthrough with our team. 

Frequently asked questions 

Doesn’t SharePoint already do version control, approvals, and policy acknowledgements out of the box?  

Partly. SharePoint gives you versioning, check-in/out, retention, and basic approval flows. What it doesn’t give you natively is the proof layer. A clear version of record, an audit-ready approval history tied to a specific version, and per-person, per-version read evidence. That’s the gap this webinar focuses on closing with Injio Docs. 

What’s the difference between the “latest version” and the “version of record”?  

The latest version is simply whatever was saved most recently. It might be a half-finished draft.  

The version of record is the one that was formally approved and published, and it’s the one your policies, audits, and AI should all point to. Knowing the difference is the whole game. 

Why does document trust matter for Copilot and AI readiness?  

Copilot grounds its answers in your existing content and respects your existing permissions. If your content is duplicated, outdated, or unapproved, Copilot will reflect that, quickly and visibly.  

Clean versions, clear approvals, and correct classification make AI answers far more defensible. 

Aren’t email read receipts enough to prove someone read a policy?  

Unfortunately, no.  

Read receipts are unreliable, easy to dismiss, and don’t tell you which version of a policy someone read. Genuine evidence means an individual confirming a specific version on a specific date, and re-confirming when that policy changes. 

Do we need to fix our information architecture before any of this works?  

In most cases, yes. At least the foundations.  

Versions, approvals, and policy reads all plug into your underlying structure of sites, libraries, content types, and metadata. The stronger that foundation, the more reliable everything built on top of it becomes. 

What is Restricted Content Discovery?  

It’s a Microsoft 365 capability that helps prevent Copilot from surfacing or grounding against content it shouldn’t. It works best when your content is correctly classified and you already have a clean version of record to rely on. 

About the presenter: James Dellow 

James Dellow is Head of Product & Delivery at WebVine, the Sydney-based digital transformation consultancy behind Injio.  

James and the WebVine team specialise in SharePoint, Microsoft Copilot, and the wider Microsoft 365 platform. Helping organisations turn everyday tools into trustworthy, well-governed digital workplaces. 

A recognised thought leader in the SharePoint and intranet space, James focuses on the practical side of document trust and AI readiness: designing controlled-document patterns, approval workflows, and policy-acknowledgement solutions that hold up under real audit pressure. His approach is refreshingly down-to-earth: start with solid foundations, build trust as a layer, and make SharePoint genuinely easy for the people who use it every day.