Forum Discussion
Terribly lost - what are the basic controls here?
I would recommend starting with DSPM to get visibility into the data estate.
DSPM gives you a better starting point by helping identify where sensitive data exists, where it is overshared, which SharePoint/OneDrive locations are risky, what is unlabeled, and what may be exposed to Copilot or other AI experiences. But without a premium license, DSPM features are limited.
With an E3 license, for example, I'll follow these Microsoft-recommended steps.
Remediate Oversharing
1. Identify high-risk sites and content (SharePoint Advanced Management, Purview Content Explorer, DSPM)
3. Apply interim Copilot protections (SharePoint Advanced Management, Purview DLP)
2. Fix access and permissions (SharePoint Advanced Management)
Outcomes:
• High-risk sites are identified, prioritized, and contained
• Copilot exposure is reduced immediately, even before full cleanup
• Foundation is set for durable Guardrails
Setup Guardrails
1. Establish secure defaults (SharePoint Advanced Management, Sensitivity Labels)
2. Establish secure Guardrails (Purview DLP)
3. Continuously Enforce & Optimize Guardrail (Purview DSPM, Purview DLP alerts)
Outcomes:
• Guardrails are enforced by default, not manually remediated
• New content and sites are protected at creation
• Copilot can scale safely without re-introducing Oversharing risk
Meet Regulations
1. Identify and address gaps against Regulations (Purview Compliance Manager)
2. Define Regulatory Requirements (Purview eDiscovery, Purview Data Lifecycle Management)
3. Improve data hygiene (SharePoint Advanced Management, Purview retention labels)
Outcomes:
• AI risks and regulatory gaps are identified and tracked
• Copilot usage is auditable, enforceable, and defensible
• Higher-quality Copilot responses and a reduced Oversharing data surface
https://learn.microsoft.com/en-us/microsoft-365/copilot/configure-secure-governed-data-foundation-microsoft-365-copilot
I hope this helps.