
1
00:00:00,000 –> 00:00:02,000
Shadow IT didn’t die, it learned to automate.
2
00:00:02,000 –> 00:00:04,500
Your helpful agents are quietly moving data
3
00:00:04,500 –> 00:00:06,200
like interns with keys to the vault.
4
00:00:06,200 –> 00:00:08,920
You think Purview, Entra and Copilot Studio have you covered?
5
00:00:08,920 –> 00:00:11,240
Sure, so is wet cardboard in the rain.
6
00:00:11,240 –> 00:00:12,400
I’m going to argue both sides.
7
00:00:12,400 –> 00:00:14,080
Agents as real productivity wins,
8
00:00:14,080 –> 00:00:15,680
and agents as governance sinkholes.
9
00:00:15,680 –> 00:00:17,200
Then I’ll hand you a reference architecture
10
00:00:17,200 –> 00:00:20,080
and a blunt risk scoring rubric you can deploy this month.
11
00:00:20,080 –> 00:00:21,920
Stay to the end for the single policy map
12
00:00:21,920 –> 00:00:24,280
that cuts agent blast radius by half.
13
00:00:24,280 –> 00:00:27,160
Let’s define the mess before we argue about how to survive it.
14
00:00:28,120 –> 00:00:30,560
The mess: how agents become shadow
15
00:00:30,560 –> 00:00:31,720
IT 2.0.
16
00:00:31,720 –> 00:00:32,560
Here’s the mess.
17
00:00:32,560 –> 00:00:33,880
Speed without structure.
18
00:00:33,880 –> 00:00:35,560
IT backlogs stretch for quarters.
19
00:00:35,560 –> 00:00:37,200
The business wants results by Friday,
20
00:00:37,200 –> 00:00:39,040
so people build bots that talk to everything.
21
00:00:39,040 –> 00:00:40,640
But they aren’t malicious, they’re tired.
22
00:00:40,640 –> 00:00:43,840
So they stitch Copilot Studio bots to Power Automate flows,
23
00:00:43,840 –> 00:00:45,400
sprinkle generous Graph permissions,
24
00:00:45,400 –> 00:00:46,920
and connect to five data sources
25
00:00:46,920 –> 00:00:48,440
with three connectors and a prayer.
26
00:00:48,440 –> 00:00:49,800
Now, what are we actually dealing with?
27
00:00:49,800 –> 00:00:52,000
Copilot Studio bots that run actions,
28
00:00:52,000 –> 00:00:53,720
scrape SharePoint, ping Dataverse,
29
00:00:53,720 –> 00:00:55,200
and call external APIs.
30
00:00:55,200 –> 00:00:57,480
Power Automate flows that impersonate users
31
00:00:57,480 –> 00:00:58,920
or run as service principals
32
00:00:58,920 –> 00:01:01,760
with temporary elevated rights that never get revoked.
33
00:01:01,760 –> 00:01:04,240
Graph delegated permissions set to read all the things
34
00:01:04,240 –> 00:01:06,680
because the least-privilege version took an extra hour.
35
00:01:06,680 –> 00:01:09,120
That hour gets cut and your tenant becomes a buffet.
36
00:01:09,120 –> 00:01:10,520
Unmanaged vectors are everywhere.
37
00:01:10,520 –> 00:01:13,520
Browser-based tools running in Edge and Chrome.
38
00:01:13,520 –> 00:01:16,880
MCP bridges pulling in third-party agents from Jira or GitHub.
39
00:01:16,880 –> 00:01:18,240
SaaS agents you’ve never heard of
40
00:01:18,240 –> 00:01:20,040
because they live in someone’s browser tab
41
00:01:20,040 –> 00:01:22,120
and don’t show up on your legacy allow lists.
42
00:01:22,120 –> 00:01:24,080
Traditional app control sees installers.
43
00:01:24,080 –> 00:01:24,960
These don’t install.
44
00:01:24,960 –> 00:01:27,880
They exfiltrate by form field, upload dialog, or paste.
45
00:01:27,880 –> 00:01:29,760
Data exfil paths are boringly simple.
46
00:01:29,760 –> 00:01:31,480
Copy paste to a web LLM.
47
00:01:31,480 –> 00:01:34,560
File uploads to “summarize this” with internal forecasts
48
00:01:34,560 –> 00:01:36,560
and HR data riding shotgun.
49
00:01:36,560 –> 00:01:38,640
Worse, agents summarize shadow data
50
00:01:38,640 –> 00:01:41,280
you overshared in SharePoint and OneDrive years ago.
51
00:01:41,280 –> 00:01:43,040
Those “everyone with the link” folders
52
00:01:43,040 –> 00:01:44,240
that never got cleaned up.
53
00:01:44,240 –> 00:01:47,200
Copilot is very good at finding the stuff you forgot you exposed.
54
00:01:47,200 –> 00:01:49,880
The attack surface balloons. Agents run with broad Graph scopes,
55
00:01:49,880 –> 00:01:52,600
no human sponsor, no access reviews, no lifecycle.
56
00:01:52,600 –> 00:01:54,480
There’s no audit trail for half the steps
57
00:01:54,480 –> 00:01:56,920
because third-party connectors mask the destination.
58
00:01:56,920 –> 00:01:57,880
When something goes wrong,
59
00:01:57,880 –> 00:02:00,040
you’re chasing breadcrumbs across five systems
60
00:02:00,040 –> 00:02:01,760
that log differently or not at all.
61
00:02:01,760 –> 00:02:03,160
Cost, you already feel it.
62
00:02:03,160 –> 00:02:06,280
Shadow IT eats 30%, 40% of spend in large enterprises
63
00:02:06,280 –> 00:02:08,360
and breaches involving shadow data cost more
64
00:02:08,360 –> 00:02:09,520
and take longer to contain.
65
00:02:09,520 –> 00:02:10,520
But that’s not theoretical.
66
00:02:10,520 –> 00:02:11,760
That’s what happens when you discover
67
00:02:11,760 –> 00:02:13,720
the blast radius after the blast.
68
00:02:13,720 –> 00:02:15,600
You lose time mapping who had access,
69
00:02:15,600 –> 00:02:18,360
who granted it and which agent pulled what from where.
70
00:02:18,360 –> 00:02:19,480
Stakes are simple.
71
00:02:19,480 –> 00:02:22,040
Without identity, DLP and least privilege,
72
00:02:22,040 –> 00:02:24,200
agents become autonomous smuggling tunnels.
73
00:02:24,200 –> 00:02:26,120
You think, but it’s internal.
74
00:02:26,120 –> 00:02:26,960
Except it isn’t.
75
00:02:26,960 –> 00:02:28,960
Not when a browser session pushes labeled data
76
00:02:28,960 –> 00:02:31,400
to a public endpoint with no control in the middle.
77
00:02:31,400 –> 00:02:34,080
And yes, you can paste block with Purview DLP
78
00:02:34,080 –> 00:02:35,440
on endpoints and browsers,
79
00:02:35,440 –> 00:02:36,880
but only if you actually turn it on
80
00:02:36,880 –> 00:02:38,800
and scope the policies to AI domains.
81
00:02:38,800 –> 00:02:39,880
Most of you haven’t.
82
00:02:39,880 –> 00:02:40,720
Let me ground this.
83
00:02:40,720 –> 00:02:43,720
You’ve got a Power Automate flow created by a project manager.
84
00:02:43,720 –> 00:02:46,440
It uses delegated Graph to read all user calendars
85
00:02:46,440 –> 00:02:48,000
just to find meeting windows.
86
00:02:48,000 –> 00:02:50,120
Then someone adds a step to export results
87
00:02:50,120 –> 00:02:52,520
to a third-party scheduling bot via webhook.
88
00:02:52,520 –> 00:02:53,800
Logging on the third-party side?
89
00:02:53,800 –> 00:02:54,640
None you can see.
90
00:02:54,640 –> 00:02:55,480
Sponsor for the flow?
91
00:02:55,480 –> 00:02:57,120
That manager left last quarter.
92
00:02:57,120 –> 00:02:59,800
The flow still runs, still reads, still posts.
93
00:02:59,800 –> 00:03:01,880
Congratulations, you’ve built a ghost service account
94
00:03:01,880 –> 00:03:03,160
that never sleeps.
95
00:03:03,160 –> 00:03:04,560
Now here’s where most people mess up.
96
00:03:04,560 –> 00:03:06,960
They think “Entra conditional access for humans”
97
00:03:06,960 –> 00:03:08,240
equals coverage for agents.
98
00:03:08,240 –> 00:03:10,520
It doesn’t, unless the agent has its own identity.
99
00:03:10,520 –> 00:03:11,920
If the bot runs as a human,
100
00:03:11,920 –> 00:03:13,760
your policies think it’s Linda from Finance
101
00:03:13,760 –> 00:03:16,360
at 2 a.m. from an unmanaged device in another country.
102
00:03:16,360 –> 00:03:17,600
Linda’s definitely asleep.
103
00:03:17,600 –> 00:03:19,160
The agent isn’t.
104
00:03:19,160 –> 00:03:20,840
Once you nail that, everything else clicks.
105
00:03:20,840 –> 00:03:23,080
Give every agent its own Entra agent ID
106
00:03:23,080 –> 00:03:26,000
or you can’t isolate it, monitor it or kill it fast.
107
00:03:26,000 –> 00:03:28,040
Label your data in SharePoint and OneDrive
108
00:03:28,040 –> 00:03:30,120
so Purview DLP can actually recognize it
109
00:03:30,120 –> 00:03:31,440
at the clipboard and browser.
110
00:03:31,440 –> 00:03:33,240
Use app roles over delegated Graph
111
00:03:33,240 –> 00:03:35,400
and scope SharePoint access to specific sites.
112
00:03:35,400 –> 00:03:36,440
Not the tenant.
113
00:03:36,440 –> 00:03:39,240
If you remember nothing else, identity, labels,
114
00:03:39,240 –> 00:03:42,720
least privilege, without those you’re doing security theater.
115
00:03:42,720 –> 00:03:45,160
The game changer nobody talks about is runtime visibility.
116
00:03:45,160 –> 00:03:46,880
If you can’t see where the agent is calling,
117
00:03:46,880 –> 00:03:49,600
URLs, APIs, MCP servers, you can’t stop exfiltration,
118
00:03:49,600 –> 00:03:51,360
you can only write a post-mortem.
119
00:03:51,360 –> 00:03:53,200
Global Secure Access gives you that view.
120
00:03:53,200 –> 00:03:56,320
Start with logging only so you don’t break the fragile toys.
121
00:03:56,320 –> 00:03:59,040
Then move to allow lists when you see the patterns
122
00:03:59,040 –> 00:04:02,280
and boom, now you have a map instead of a rumor.
123
00:04:02,280 –> 00:04:04,640
The case for agents and where they actually shine.
124
00:04:04,640 –> 00:04:05,960
Okay, sunshine time.
125
00:04:05,960 –> 00:04:08,320
Agents do crush toil when you set the table right.
126
00:04:08,320 –> 00:04:11,400
Query, summarize, act without a human babysitting every click.
127
00:04:11,400 –> 00:04:14,400
Ops clears tickets, finance closes books, HR processes
128
00:04:14,400 –> 00:04:17,160
onboarding, support triages noise.
129
00:04:17,160 –> 00:04:18,880
You get hours back, not because magic,
130
00:04:18,880 –> 00:04:21,840
but because the repetitive glue work gets handled by something
131
00:04:21,840 –> 00:04:22,920
that never takes lunch.
132
00:04:22,920 –> 00:04:24,680
The thing most people miss is scope.
133
00:04:24,680 –> 00:04:27,160
Narrow beats broad, event-driven beats roaming.
134
00:04:27,160 –> 00:04:29,320
When an agent wakes on a clear trigger,
135
00:04:29,320 –> 00:04:32,920
it touches labeled data and holds only the rights it needs.
136
00:04:32,920 –> 00:04:34,640
It’s fast and boring in the best way.
137
00:04:34,640 –> 00:04:36,680
That’s where you want it, predictably boring.
138
00:04:36,680 –> 00:04:38,400
Work IQ and grounding help here.
139
00:04:38,400 –> 00:04:40,680
Keep answers inside the user’s permission boundary
140
00:04:40,680 –> 00:04:43,280
anchored to your tenant’s data, not the open web.
141
00:04:43,280 –> 00:04:45,320
Now you’re not spraying prompts at random models.
142
00:04:45,320 –> 00:04:47,120
You’re asking, “Within what I’m allowed to see,
143
00:04:47,120 –> 00:04:48,640
what’s the right next action?”
144
00:04:48,640 –> 00:04:50,400
That’s safer and it’s faster because you’re not
145
00:04:50,400 –> 00:04:52,280
hauling the whole internet into the room.
146
00:04:52,280 –> 00:04:54,080
Entra agent ID is the quiet hero.
147
00:04:54,080 –> 00:04:55,760
Give each agent a unique identity
148
00:04:55,760 –> 00:04:57,920
that buys you conditional access, risk detection,
149
00:04:57,920 –> 00:04:58,760
and a kill switch.
150
00:04:58,760 –> 00:05:01,240
You tie the identity to a blueprint, same class of agent,
151
00:05:01,240 –> 00:05:02,400
same guardrails.
152
00:05:02,400 –> 00:05:04,920
If the sales follow-up agent starts behaving like a raccoon
153
00:05:04,920 –> 00:05:07,280
in a data center, identity protection flags it.
154
00:05:07,280 –> 00:05:08,840
You can quarantine that one identity
155
00:05:08,840 –> 00:05:10,760
without grounding the whole team.
156
00:05:10,760 –> 00:05:12,480
Purview is your bouncer.
157
00:05:12,480 –> 00:05:16,320
Labels and DLP across M365 apps, endpoints, and browsers
158
00:05:16,320 –> 00:05:18,680
mean sensitive data stays fenced even when someone tries
159
00:05:18,680 –> 00:05:21,200
to paste it into a chat box just to check wording.
160
00:05:21,200 –> 00:05:23,520
And the coachable DLP messages do more than block.
161
00:05:23,520 –> 00:05:26,320
They teach the user why it’s blocked and how to do it right.
162
00:05:26,320 –> 00:05:28,000
Less whack-a-mole, more habit-building.
163
00:05:28,000 –> 00:05:30,600
Power Automate isn’t the enemy when it’s governed.
164
00:05:30,600 –> 00:05:34,080
Use approvals, environment DLP, and solution-aware connectors.
165
00:05:34,080 –> 00:05:37,280
That means dev and prod are separate rooms with separate keys.
166
00:05:37,280 –> 00:05:39,000
The same flow promoted as a solution
167
00:05:39,000 –> 00:05:41,400
inherits the right policies instead of quietly gaining
168
00:05:41,400 –> 00:05:43,120
rights like a souvenir magnet collection.
169
00:05:43,120 –> 00:05:45,280
Now let me show you exactly how this clicks in practice.
170
00:05:45,280 –> 00:05:48,240
Take a finance-close agent. Trigger: when a labeled invoice
171
00:05:48,240 –> 00:05:51,040
arrives in a designated SharePoint library.
172
00:05:51,040 –> 00:05:53,880
What it needs: read on that site, write to a review list,
173
00:05:53,880 –> 00:05:56,040
post to a Teams channel. Identity:
174
00:05:56,040 –> 00:05:59,160
Entra agent ID under the finance intake blueprint.
175
00:05:59,160 –> 00:06:01,280
Access: app roles over delegated Graph,
176
00:06:01,280 –> 00:06:04,120
site-scoped permissions only. Guardrails:
177
00:06:04,120 –> 00:06:07,600
Purview blocks uploads of labeled data to AI domains,
178
00:06:07,600 –> 00:06:09,960
endpoints enforce paste blocks.
179
00:06:09,960 –> 00:06:12,760
Network: Global Secure Access in logging mode for a week,
180
00:06:12,760 –> 00:06:15,200
then allow list the few APIs it actually calls.
181
00:06:15,200 –> 00:06:16,960
Common mistakes to avoid:
182
00:06:16,960 –> 00:06:19,720
Letting the agent use a human’s delegated scope,
183
00:06:19,720 –> 00:06:21,080
“just to test.”
184
00:06:21,080 –> 00:06:23,360
Skipping labels because “we’ll tag later,”
185
00:06:23,360 –> 00:06:26,240
and wiring a connector to an opaque third-party endpoint
186
00:06:26,240 –> 00:06:27,560
you can’t audit.
187
00:06:27,560 –> 00:06:30,440
Also, don’t let dev agents live forever in prod,
188
00:06:30,440 –> 00:06:32,520
promote the solution, retire the prototype,
189
00:06:32,520 –> 00:06:33,520
keep the identity.
190
00:06:33,520 –> 00:06:36,320
A quick win you can ship this week, pick one support queue.
191
00:06:36,320 –> 00:06:38,360
Build a Copilot Studio bot that pulls
192
00:06:38,360 –> 00:06:41,200
from a labeled knowledge base, answers within the user’s
193
00:06:41,200 –> 00:06:43,640
rights and escalates with a Power Automate flow
194
00:06:43,640 –> 00:06:44,920
that logs every step.
195
00:06:44,920 –> 00:06:47,040
Give it an agent ID, apply conditional access
196
00:06:47,040 –> 00:06:51,040
to compliant devices and turn on DLP coaching for AI sites.
197
00:06:51,040 –> 00:06:53,120
You’ll cut first response time and sleep better
198
00:06:53,120 –> 00:06:55,280
because the blast radius is measured.
199
00:06:55,280 –> 00:06:58,920
Bottom line, agents work when identity, data classification,
200
00:06:58,920 –> 00:07:00,640
and runtime policies move together.
201
00:07:00,640 –> 00:07:02,760
Do that and they stop feeling like shadow IT
202
00:07:02,760 –> 00:07:05,120
and start behaving like reliable junior staff
203
00:07:05,120 –> 00:07:06,360
except they don’t quit.
204
00:07:06,360 –> 00:07:09,040
The case against agents: where it breaks in the real world.
205
00:07:09,040 –> 00:07:10,240
Now for the hailstorm.
206
00:07:10,240 –> 00:07:12,280
Identity drift is the first failure.
207
00:07:12,280 –> 00:07:14,920
Someone just tests a bot with their own creds.
208
00:07:14,920 –> 00:07:15,680
Then they leave.
209
00:07:15,680 –> 00:07:18,400
The bot keeps those rights like a raccoon hoarding shiny things.
210
00:07:18,400 –> 00:07:21,160
No sponsor, no access reviews, no rotation,
211
00:07:21,160 –> 00:07:23,000
and no way to prove who approved what.
212
00:07:23,000 –> 00:07:24,840
You can’t quarantine Karen’s calendar bot
213
00:07:24,840 –> 00:07:26,280
when it’s impersonating Karen.
214
00:07:26,280 –> 00:07:27,600
You can only disable Karen.
215
00:07:27,600 –> 00:07:29,360
That breaks work so nobody does it.
216
00:07:29,360 –> 00:07:30,480
And the ghost keeps walking.
217
00:07:30,480 –> 00:07:32,760
Scope creep is next. Delegated Graph is easier,
218
00:07:32,760 –> 00:07:35,760
so folks grant Mail.Read, Files.Read.All,
219
00:07:35,760 –> 00:07:38,080
Sites.Read.All, and User.ReadBasic.All
220
00:07:38,080 –> 00:07:39,640
because a connector complained once.
221
00:07:39,640 –> 00:07:41,800
Sure, so is leaving the server room door wedged open
222
00:07:41,800 –> 00:07:42,440
with a chair.
223
00:07:42,440 –> 00:07:44,480
App roles with resource scoping take thought.
224
00:07:44,480 –> 00:07:46,240
Delegated is one click and a shrug.
225
00:07:46,240 –> 00:07:47,000
The result?
226
00:07:47,000 –> 00:07:48,520
Agents that can sweep through SharePoint
227
00:07:48,520 –> 00:07:51,240
like a Roomba with a crowbar, touching sites they never needed.
228
00:07:51,240 –> 00:07:53,800
Shadow data turns mild errors into messes.
229
00:07:53,800 –> 00:07:55,280
Overshared HR folders.
230
00:07:55,280 –> 00:07:57,040
Finance archives from a migration
231
00:07:57,040 –> 00:07:58,840
that never got permissions fixed.
232
00:07:58,840 –> 00:08:00,760
Copilot, doing exactly what you asked,
233
00:08:00,760 –> 00:08:02,840
helpfully surfaces relevant files.
234
00:08:02,840 –> 00:08:05,120
The agent outputs summaries that leak context
235
00:08:05,120 –> 00:08:06,560
no one realized was exposed.
236
00:08:06,560 –> 00:08:08,400
You don’t see a download, so it slips past alarms.
237
00:08:08,400 –> 00:08:10,080
But the summaries carry the same damage.
238
00:08:10,080 –> 00:08:13,000
It’s leakage by inference. DLP gaps are the quiet killers.
239
00:08:13,000 –> 00:08:14,960
Labels aren’t applied or they’re inconsistent.
240
00:08:14,960 –> 00:08:18,560
Endpoint and browser DLP policies aren’t scoped to AI domains.
241
00:08:18,560 –> 00:08:20,400
Unmanaged browsers bypass everything.
242
00:08:20,400 –> 00:08:22,960
Users copy text into a web prompt, get blocked in Edge,
243
00:08:22,960 –> 00:08:25,240
then open Chrome personal, and try again.
244
00:08:25,240 –> 00:08:27,760
Policy says don’t, the browser says sure.
245
00:08:27,760 –> 00:08:29,520
If your controls don’t meet people
246
00:08:29,520 –> 00:08:31,800
where they actually work, your controls are theater.
247
00:08:31,800 –> 00:08:33,520
Monitoring blind spots finish the job.
248
00:08:33,520 –> 00:08:35,560
Third-party steps mask destinations.
249
00:08:35,560 –> 00:08:36,720
Webhook is all you get.
250
00:08:36,720 –> 00:08:37,720
No URL in the log.
251
00:08:37,720 –> 00:08:40,160
MCP bridges route calls through a server you didn’t allow
252
00:08:40,160 –> 00:08:43,760
list. Zero network inspection, so you’re blind to the egress.
253
00:08:43,760 –> 00:08:46,520
You’re left correlating Graph activity with guest timestamps
254
00:08:46,520 –> 00:08:48,320
and hoping your SIEM found a breadcrumb
255
00:08:48,320 –> 00:08:50,240
that wasn’t overwritten by the verbose debug
256
00:08:50,240 –> 00:08:51,960
from something chatty.
257
00:08:51,960 –> 00:08:53,480
Lifecycle chaos ties it together.
258
00:08:53,480 –> 00:08:56,280
Dev agents get copied into prod with temporary elevated rights.
259
00:08:56,280 –> 00:08:58,560
Temporary becomes until after the quarter, which
260
00:08:58,560 –> 00:08:59,560
becomes forever.
261
00:08:59,560 –> 00:09:02,440
No deprovision path, no owner SLA, no access reviews.
262
00:09:02,440 –> 00:09:04,280
Zombie flows chug along at 2 a.m.
263
00:09:04,280 –> 00:09:06,720
failing silently until a rate limit trips and support
264
00:09:06,720 –> 00:09:08,760
gets paged for mystery they didn’t create.
265
00:09:08,760 –> 00:09:11,480
Outcome, longer time to detect, longer to contain,
266
00:09:11,480 –> 00:09:13,920
compliance violations, duplicate spend, and cleanup
267
00:09:13,920 –> 00:09:15,880
that feels like rewiring a rack while it’s powered.
268
00:09:15,880 –> 00:09:18,920
IBM and others have shown shadow data breaches cost more
269
00:09:18,920 –> 00:09:20,080
and drag on longer.
270
00:09:20,080 –> 00:09:20,880
You know why now?
271
00:09:20,880 –> 00:09:22,040
You can’t fix what you can’t see,
272
00:09:22,040 –> 00:09:23,920
and you can’t see what you never registered.
273
00:09:23,920 –> 00:09:25,240
Common mistake I still see.
274
00:09:25,240 –> 00:09:27,480
Believing tenant-wide conditional access quietly
275
00:09:27,480 –> 00:09:29,120
wraps agents running as humans.
276
00:09:29,120 –> 00:09:30,920
It doesn’t protect what it can’t identify.
277
00:09:30,920 –> 00:09:32,920
Another: trusting connector defaults.
278
00:09:32,920 –> 00:09:35,120
Enterprise connector does not mean least privilege.
279
00:09:35,120 –> 00:09:36,920
It means works out of the box.
280
00:09:36,920 –> 00:09:38,800
Out of the box is also how everything escapes.
281
00:09:38,800 –> 00:09:40,320
So what actually reduces pain?
282
00:09:40,320 –> 00:09:43,480
Give every agent an Entra agent ID and attach it to a blueprint
283
00:09:43,480 –> 00:09:46,000
that buys you sponsor, kill switch, access reviews,
284
00:09:46,000 –> 00:09:47,960
and conditional access per kind.
285
00:09:47,960 –> 00:09:49,920
Replace delegated graph with app roles.
286
00:09:49,920 –> 00:09:52,640
Scope SharePoint access to named sites.
287
00:09:52,640 –> 00:09:54,880
Turn on Purview auto-labeling so data isn’t
288
00:09:54,880 –> 00:09:56,600
maybe sensitive in someone’s head.
289
00:09:56,600 –> 00:09:58,880
It’s tagged at rest and enforced at runtime.
290
00:09:58,880 –> 00:10:00,480
Push DLP to endpoints and browsers
291
00:10:00,480 –> 00:10:02,680
with paste and upload rules for AI domains.
292
00:10:02,680 –> 00:10:04,560
Start Global Secure Access in audit mode,
293
00:10:04,560 –> 00:10:06,480
collect a week of URL and API calls,
294
00:10:06,480 –> 00:10:08,640
and then allow list the handful that matter.
295
00:10:08,640 –> 00:10:10,280
You’ll break less and see more.
296
00:10:10,280 –> 00:10:12,520
Let me anchor this with a tiny pressure test.
297
00:10:12,520 –> 00:10:15,520
A support triage agent needs mailbox access.
298
00:10:15,520 –> 00:10:18,080
Delegated Mail.Read turns into tenant mail crawl.
299
00:10:18,080 –> 00:10:19,560
Instead, assign app role Mail.Read
300
00:10:19,560 –> 00:10:21,080
for a shared mailbox only,
301
00:10:21,080 –> 00:10:23,640
constrained by conditional access to compliant devices,
302
00:10:23,640 –> 00:10:25,280
and log every graph call.
303
00:10:25,280 –> 00:10:27,680
Pair that with a DLP policy that blocks labeled data
304
00:10:27,680 –> 00:10:29,200
from leaving via browser forms.
305
00:10:29,200 –> 00:10:30,640
Same outcome for the business.
306
00:10:30,640 –> 00:10:32,200
Massive reduction in blast radius.
307
00:10:32,200 –> 00:10:34,640
Not perfect, but now you can prove who approved it,
308
00:10:34,640 –> 00:10:36,240
what it can touch and where it talks.
309
00:10:36,240 –> 00:10:39,320
That’s the difference between an incident and an anecdote.
310
00:10:39,320 –> 00:10:43,040
Reference architecture: governed agents on Microsoft 365.
311
00:10:43,040 –> 00:10:44,600
Architecture is the skeleton.
312
00:10:44,600 –> 00:10:46,040
We’re going to bolt on enough bones
313
00:10:46,040 –> 00:10:49,840
that the thing stands up without duct tape. Identity first.
314
00:10:49,840 –> 00:10:51,880
Every agent gets an Entra agent ID.
315
00:10:51,880 –> 00:10:54,240
No shared identities, no “runs as Linda.”
316
00:10:54,240 –> 00:10:57,200
You create a blueprint per agent type: intake bot,
317
00:10:57,200 –> 00:10:59,520
triage bot, finance close bot.
318
00:10:59,520 –> 00:11:01,720
The blueprint captures sponsor, required app roles,
319
00:11:01,720 –> 00:11:04,280
allowed connectors, network profile and review cadence.
320
00:11:04,280 –> 00:11:05,480
If you remember nothing else,
321
00:11:05,480 –> 00:11:07,120
blueprints give you herd control.
322
00:11:07,120 –> 00:11:10,000
You can quarantine a kind, not chase one-off snowflakes.
323
00:11:10,000 –> 00:11:11,320
Sponsors aren’t decoration.
324
00:11:11,320 –> 00:11:13,960
The sponsor is accountable for scope, access reviews,
325
00:11:13,960 –> 00:11:15,040
and deprovisioning.
326
00:11:15,040 –> 00:11:17,560
If the sponsor leaves, lifecycle policy disables the agent.
327
00:11:17,560 –> 00:11:19,000
No sponsor, no agent.
328
00:11:19,000 –> 00:11:20,760
That single rule kills half your zombies.
329
00:11:20,760 –> 00:11:22,680
Conditional access ties to the blueprint:
330
00:11:22,680 –> 00:11:24,160
require compliant runtime,
331
00:11:24,160 –> 00:11:26,480
restrict by trusted locations, block high-risk
332
00:11:26,480 –> 00:11:28,480
sign-ins and enforce sign-in frequency.
333
00:11:28,480 –> 00:11:31,000
For headless agents, use managed identities where possible.
334
00:11:31,000 –> 00:11:33,560
For anything that needs a token from outside Azure,
335
00:11:33,560 –> 00:11:36,320
use federated credentials with narrow trust.
336
00:11:36,320 –> 00:11:38,800
If identity protection flags risky behavior,
337
00:11:38,800 –> 00:11:40,920
quarantine that agent identity automatically
338
00:11:40,920 –> 00:11:42,120
and page the sponsor.
339
00:11:42,120 –> 00:11:43,720
Least privilege is non-negotiable.
340
00:11:43,720 –> 00:11:46,720
Favour Graph application roles over delegated scopes.
341
00:11:46,720 –> 00:11:49,400
If the agent needs SharePoint, grant site-scoped permissions
342
00:11:49,400 –> 00:11:51,480
to named sites only. For Exchange,
343
00:11:51,480 –> 00:11:53,680
assign access to specific shared mailboxes
344
00:11:53,680 –> 00:11:56,000
or resource mailboxes, not tenant-wide
345
00:11:56,000 –> 00:11:56,520
Mail.Read.
346
00:11:56,520 –> 00:11:59,040
For Teams, scope channels explicitly.
347
00:11:59,040 –> 00:12:01,240
Treat .All permissions like a fire extinguisher:
348
00:12:01,240 –> 00:12:03,560
break glass, document, expire.
349
00:12:03,560 –> 00:12:06,320
Per-connector access packages control the rest of the sprawl.
350
00:12:06,320 –> 00:12:08,160
If the blueprint says it can call Dataverse
351
00:12:08,160 –> 00:12:10,080
and a specific external API, that’s it.
352
00:12:10,080 –> 00:12:12,280
Anything else gets blocked at the connector policy level.
353
00:12:12,280 –> 00:12:13,720
Opaque webhooks don’t qualify.
354
00:12:13,720 –> 00:12:16,000
You either log the destination URL API
355
00:12:16,000 –> 00:12:17,160
or you don’t connect it.
356
00:12:17,160 –> 00:12:18,120
Data layer next.
357
00:12:18,120 –> 00:12:20,600
Purview auto-labeling runs across SharePoint and OneDrive,
358
00:12:20,600 –> 00:12:22,800
so sensitive files aren’t a guessing game.
359
00:12:22,800 –> 00:12:24,600
Sensitivity labels travel with the file
360
00:12:24,600 –> 00:12:26,480
and enforce encryption where needed.
361
00:12:26,480 –> 00:12:29,040
You block unlabeled uploads to AI chat endpoints
362
00:12:29,040 –> 00:12:30,640
at the browser and endpoint level.
363
00:12:30,640 –> 00:12:33,680
If it’s unlabeled, it stays inside until it’s tagged.
364
00:12:33,680 –> 00:12:36,720
This pushes the work to where it belongs, close to the data.
365
00:12:36,720 –> 00:12:38,080
DLP is your runtime bouncer.
366
00:12:38,080 –> 00:12:40,240
Deploy endpoint DLP to Windows and macOS.
367
00:12:40,240 –> 00:12:42,800
Extend to Edge and Chrome with paste and upload rules
368
00:12:42,800 –> 00:12:45,800
targeted at AI domains and generic chat sites.
369
00:12:45,800 –> 00:12:48,400
Use coachable messages so users learn the boundary
370
00:12:48,400 –> 00:12:50,040
instead of just slamming into it.
371
00:12:50,040 –> 00:12:52,560
Tie DLP incidents to insider risk policies
372
00:12:52,560 –> 00:12:54,080
that look for repeated violations
373
00:12:54,080 –> 00:12:56,920
or odd spikes in copy export behavior.
374
00:12:56,920 –> 00:12:59,040
Environment design in Power Platform matters.
375
00:12:59,040 –> 00:13:00,680
Put dev in one managed environment,
376
00:13:00,680 –> 00:13:02,200
test in another, prod alone.
377
00:13:02,200 –> 00:13:03,800
Apply data loss prevention policies
378
00:13:03,800 –> 00:13:06,000
so risky connectors don’t exist in prod.
379
00:13:06,000 –> 00:13:07,800
Solution segmentation forces promotion
380
00:13:07,800 –> 00:13:09,880
with reviews, versioning and rollbacks.
381
00:13:09,880 –> 00:13:11,320
Flows and bots in prod originate
382
00:13:11,320 –> 00:13:14,160
from solutions, not from random personal workspaces.
383
00:13:14,160 –> 00:13:15,880
Monitoring and audit aren’t optional.
384
00:13:15,880 –> 00:13:18,440
Turn on sign-in logs and audit logs for agent identities.
385
00:13:18,440 –> 00:13:19,520
Export to your SIEM,
386
00:13:19,520 –> 00:13:21,880
baseline normal Graph call patterns for each blueprint,
387
00:13:21,880 –> 00:13:23,520
alert on high-volume reads,
388
00:13:23,520 –> 00:13:25,560
wide enumerations and cross-tenant calls.
389
00:13:25,560 –> 00:13:27,280
If you can’t describe what normal looks like,
390
00:13:27,280 –> 00:13:29,320
you won’t spot weird until it burns.
391
00:13:29,320 –> 00:13:31,160
Network guardrails close the loop.
392
00:13:31,160 –> 00:13:33,480
Route agent egress through Global Secure Access.
393
00:13:33,480 –> 00:13:36,000
Start in logging only to map URLs and APIs.
394
00:13:36,000 –> 00:13:37,560
Add MCP server allow lists
395
00:13:37,560 –> 00:13:40,200
so agents can only talk to approved brokers.
396
00:13:40,200 –> 00:13:41,880
Create policies that quarantine
397
00:13:41,880 –> 00:13:43,880
when an agent reaches unknown destinations
398
00:13:43,880 –> 00:13:45,680
or tries to exfiltrate labelled content.
399
00:13:45,680 –> 00:13:48,240
You want line of sight from identity to packet.
400
00:13:48,240 –> 00:13:50,160
Here’s the mental model: identity is who,
401
00:13:50,160 –> 00:13:52,400
permissions are what, Purview is what kind.
402
00:13:52,400 –> 00:13:53,560
DLP is how it moves.
403
00:13:53,560 –> 00:13:57,120
Network is where. Blueprint stitches them into a single fabric
404
00:13:57,120 –> 00:13:58,120
you can actually operate.
405
00:13:58,120 –> 00:13:59,960
Let me show you a reference instantiation
406
00:13:59,960 –> 00:14:01,880
for a support triage agent.
407
00:14:01,880 –> 00:14:04,160
Blueprint: support triage v1. Sponsor:
408
00:14:04,160 –> 00:14:07,040
support ops manager. Reviews: quarterly. Identity:
409
00:14:07,040 –> 00:14:09,080
Entra agent ID with managed identity,
410
00:14:09,080 –> 00:14:11,200
conditional access requires compliant runtime
411
00:14:11,200 –> 00:14:12,480
and trusted network.
412
00:14:12,480 –> 00:14:13,640
Permissions?
413
00:14:13,640 –> 00:14:16,360
Graph app roles for reading a shared mailbox,
414
00:14:16,360 –> 00:14:19,200
site-scoped SharePoint read on KB published,
415
00:14:19,200 –> 00:14:21,680
Teams send message to support escalations.
416
00:14:21,680 –> 00:14:23,840
Connectors: Dataverse allowed, external webhook
417
00:14:23,840 –> 00:14:26,240
blocked unless destination is registered and audited.
418
00:14:26,240 –> 00:14:28,920
Data layer: KB is labelled internal,
419
00:14:28,920 –> 00:14:31,720
case exports labelled confidential support.
420
00:14:31,720 –> 00:14:33,880
DLP: endpoint and browser block
421
00:14:33,880 –> 00:14:37,920
paste/upload of labelled data to AI chat domains,
422
00:14:37,920 –> 00:14:40,560
coach messages enabled. Network:
423
00:14:40,560 –> 00:14:42,800
Global Secure Access logs, week one,
424
00:14:42,800 –> 00:14:45,120
allow list Graph, SharePoint, Teams,
425
00:14:45,120 –> 00:14:48,840
Dataverse, registered MCP servers; alert on unknown egress.
426
00:14:48,840 –> 00:14:50,840
Monitoring: SIEM alerts on mailbox
427
00:14:50,840 –> 00:14:54,360
read bursts and SharePoint enumerations beyond KB scope.
428
00:14:54,360 –> 00:14:57,040
Lifecycle: disable on sponsor departure,
429
00:14:57,040 –> 00:15:00,080
access reviews every quarter, solution promotion gates,
430
00:15:00,080 –> 00:15:01,600
rollback plan documented.
431
00:15:01,600 –> 00:15:04,080
Now the finance equivalent swaps mail for document libraries
432
00:15:04,080 –> 00:15:05,960
and adds encryption-required labels.
433
00:15:05,960 –> 00:15:08,080
Same pattern, different bones. Common pitfalls
434
00:15:08,080 –> 00:15:11,040
to avoid in this architecture: leaving delegated permissions
435
00:15:11,040 –> 00:15:13,280
in “just for testing”, forgetting to register
436
00:15:13,280 –> 00:15:16,240
third party destinations and skipping auto labeling
437
00:15:16,240 –> 00:15:18,520
because the library only has invoices.
438
00:15:18,520 –> 00:15:21,360
It doesn’t. It has whatever migrated last summer at 3 a.m.
439
00:15:21,360 –> 00:15:23,000
You don’t need perfection on day one.
440
00:15:23,000 –> 00:15:25,480
stand up blueprints for your top three agent types,
441
00:15:25,480 –> 00:15:28,640
issue identities, apply baseline conditional access,
442
00:15:28,640 –> 00:15:30,680
turn on auto labeling for the loudest libraries,
443
00:15:30,680 –> 00:15:32,360
push DLP to endpoints and browsers
444
00:15:32,360 –> 00:15:35,360
with AI domain controls, put network in audit mode,
445
00:15:35,360 –> 00:15:38,280
after a week you’ll have enough signal to tighten safely.
446
00:15:38,280 –> 00:15:40,120
Do this and agents stop being tunnels.
447
00:15:40,120 –> 00:15:42,600
They become lanes with speed limits, cameras and brakes,
448
00:15:42,600 –> 00:15:44,120
not glamorous, but you’ll sleep.
449
00:15:44,120 –> 00:15:46,320
Operational playbook: policies, auditing
450
00:15:46,320 –> 00:15:48,280
and incident flow. Operations keep
451
00:15:48,280 –> 00:15:49,560
the skeleton upright.
452
00:15:49,560 –> 00:15:51,960
Start with discovery, use Defender for Cloud Apps
453
00:15:51,960 –> 00:15:55,280
to inventory AI usage from network logs and endpoint agents.
454
00:15:55,280 –> 00:15:56,840
Build a simple registry: name,
455
00:15:56,840 –> 00:15:59,600
Entra agent ID, blueprint, sponsor, connectors,
456
00:15:59,600 –> 00:16:02,200
Graph scopes, data touchpoints, egress profile.
457
00:16:02,200 –> 00:16:04,880
Reconcile weekly. Anything without an agent ID
458
00:16:04,880 –> 00:16:07,360
gets flagged as a shadow agent and put in isolation
459
00:16:07,360 –> 00:16:08,760
until it’s registered or killed.
460
00:16:08,760 –> 00:16:11,280
Policy map next. Decide who can create agents,
461
00:16:11,280 –> 00:16:13,480
which blueprints exist, which connectors are allowed
462
00:16:13,480 –> 00:16:15,600
and which Graph scopes are banned outright.
463
00:16:15,600 –> 00:16:17,240
Publish it where people can see it,
464
00:16:17,240 –> 00:16:19,000
if someone needs a banned scope,
465
00:16:19,000 –> 00:16:22,160
they submit an exception with expiry and a rollback plan.
466
00:16:22,160 –> 00:16:23,000
Sure, it’s annoying.
467
00:16:23,000 –> 00:16:24,680
So is breach cleanup at 3 a.m.
468
00:16:24,680 –> 00:16:26,880
Audit baselines are non-negotiable,
469
00:16:26,880 –> 00:16:28,560
turn on sign-in and activity logs
470
00:16:28,560 –> 00:16:31,160
for every agent identity, export to your SIEM.
471
00:16:31,160 –> 00:16:34,040
Baseline normal: average Graph calls per hour,
472
00:16:34,040 –> 00:16:36,000
typical SharePoint sites, expected mailboxes,
473
00:16:36,000 –> 00:16:38,400
usual MCP servers, alert on high volume reads,
474
00:16:38,400 –> 00:16:40,880
site enumerations outside scope, cross tenant calls
475
00:16:40,880 –> 00:16:42,080
and unknown destinations.
476
00:16:42,080 –> 00:16:44,600
If you don’t define normal, weird will look normal
477
00:16:44,600 –> 00:16:45,840
until it hurts.
478
00:16:45,840 –> 00:16:48,920
Change control: peer review flows and bots before promotion.
479
00:16:48,920 –> 00:16:52,360
Solutions only in prod, version tag and keep a rollback artifact.
480
00:16:52,360 –> 00:16:54,080
Tie promotions to blueprint checks:
481
00:16:54,080 –> 00:16:55,960
are permissions still least privileged?
482
00:16:55,960 –> 00:16:57,600
Are destinations still allow listed?
483
00:16:57,600 –> 00:16:59,600
Sponsor signs off, you want friction here.
484
00:16:59,600 –> 00:17:02,280
It saves you from “we’ll fix it later”, which you won’t.
485
00:17:02,280 –> 00:17:04,400
Deprovisioning is a workflow, not a hope.
486
00:17:04,400 –> 00:17:06,320
Life cycle automation disables agents
487
00:17:06,320 –> 00:17:09,600
when the sponsor departs or on inactivity thresholds.
488
00:17:09,600 –> 00:17:11,680
Quarterly access reviews force the question,
489
00:17:11,680 –> 00:17:13,800
does this agent still need these rights?
490
00:17:13,800 –> 00:17:15,240
If the answer is we don’t know,
491
00:17:15,240 –> 00:17:16,960
the correct action is no.
492
00:17:16,960 –> 00:17:18,680
Incident path needs muscle memory.
493
00:17:18,680 –> 00:17:21,760
Trigger: DLP hit, SIEM anomaly or risky agent flag.
494
00:17:21,760 –> 00:17:24,640
First, IRM triage: is it a pattern or a one-off?
495
00:17:24,640 –> 00:17:25,800
Then risky agent review.
496
00:17:25,800 –> 00:17:27,200
Confirm compromise or dismiss.
497
00:17:27,200 –> 00:17:29,560
If risky, isolate by conditional access,
498
00:17:29,560 –> 00:17:31,920
block sign-ins or restrict to a staging network,
499
00:17:31,920 –> 00:17:34,800
purge or reissue credentials, rotate keys,
500
00:17:34,800 –> 00:17:36,680
revoke consent grants.
501
00:17:36,680 –> 00:17:39,160
Pull a short post-mortem within 48 hours.
502
00:17:39,160 –> 00:17:42,080
Root cause, controls that failed, blueprint changes required.
503
00:17:42,080 –> 00:17:43,600
Hygiene sprints keep rot down.
504
00:17:43,600 –> 00:17:46,640
Monthly: hunt shadow data in SharePoint, OneDrive,
505
00:17:46,640 –> 00:17:48,560
fix oversharing, kill zombie flows,
506
00:17:48,560 –> 00:17:50,640
retire duplicate agents doing the same job,
507
00:17:50,640 –> 00:17:52,360
recertify permissions on your top agents.
508
00:17:52,360 –> 00:17:53,280
Yes, it’s tedious.
509
00:17:53,280 –> 00:17:55,320
Back in my day, we defragged disks and prayed,
510
00:17:55,320 –> 00:17:56,160
this is better.
511
00:17:56,160 –> 00:17:57,160
One micro story.
512
00:17:57,160 –> 00:17:59,960
Last quarter, a team temporarily allowed a webhook
513
00:17:59,960 –> 00:18:01,760
to an opaque third-party endpoint.
514
00:18:01,760 –> 00:18:04,720
No URL logging. A week later, mailbox reads spike that night.
515
00:18:04,720 –> 00:18:07,080
SIEM lit up, we couldn’t trace the egress cleanly.
516
00:18:07,080 –> 00:18:09,720
We tightened connectors, forced destination registration
517
00:18:09,720 –> 00:18:11,760
and added MCP allow lists.
518
00:18:11,760 –> 00:18:12,680
Problem stopped.
519
00:18:12,680 –> 00:18:14,680
Proof that logging only first, then allow lists
520
00:18:14,680 –> 00:18:16,760
keeps the toys working while you build a map.
521
00:18:16,760 –> 00:18:19,840
Risk scoring rubric: prioritize what to fix first.
522
00:18:19,840 –> 00:18:22,280
Now you need a scoreboard. Six inputs: identity,
523
00:18:22,280 –> 00:18:24,840
data, permissions, network, monitoring, lifecycle,
524
00:18:24,840 –> 00:18:27,680
zero to five each. Add them up, fix by heat. Identity:
525
00:18:27,680 –> 00:18:30,320
start at zero, add one if it uses Entra agent ID,
526
00:18:30,320 –> 00:18:32,960
add one for a blueprint, add one for conditional access,
527
00:18:32,960 –> 00:18:36,160
add one for a named sponsor, add one for periodic access reviews.
528
00:18:36,160 –> 00:18:37,840
Shared creds or runs as human,
529
00:18:37,840 –> 00:18:39,560
that’s zero and it jumps the queue.
530
00:18:39,560 –> 00:18:42,640
Data: start at zero, add two if sources are labeled
531
00:18:42,640 –> 00:18:46,120
with Purview, add one if endpoint and browser DLP are deployed,
532
00:18:46,120 –> 00:18:48,880
add one if uploads to AI chat domains are blocked,
533
00:18:48,880 –> 00:18:51,760
add one if Copilot processing guardrails are enabled.
534
00:18:51,760 –> 00:18:54,080
Unlabeled sources keep you in the danger bucket.
535
00:18:54,080 –> 00:18:57,640
Permissions: start at zero, add two if Graph app roles are used,
536
00:18:57,640 –> 00:18:59,400
add one for site resource scoping,
537
00:18:59,400 –> 00:19:01,080
add one for per connector least privilege,
538
00:19:01,080 –> 00:19:02,760
add one for periodic recertification
539
00:19:02,760 –> 00:19:04,320
with expiry on exceptions.
540
00:19:04,320 –> 00:19:07,040
Delegated all anywhere, lose your weekend.
541
00:19:07,040 –> 00:19:09,960
Network: start at zero, add two if Global Secure Access
542
00:19:09,960 –> 00:19:12,600
governs agent traffic, add one for MCP allow lists,
543
00:19:12,600 –> 00:19:15,960
add one for URL/API auditing, add one for anomaly alerts
544
00:19:15,960 –> 00:19:18,920
on unknown egress. Unknown egress equals unknown risk,
545
00:19:18,920 –> 00:19:21,720
which equals priority one. Monitoring: start at zero,
546
00:19:21,720 –> 00:19:25,400
add two if logs export to SIEM, add one for a risky agent report
547
00:19:25,400 –> 00:19:28,320
review cadence, add one for insider risk policies tied
548
00:19:28,320 –> 00:19:31,560
to AI events, add one if the incident playbook has been tested
549
00:19:31,560 –> 00:19:33,840
in the last quarter. No logs, no help.
550
00:19:33,840 –> 00:19:37,280
Lifecycle: start at zero, add one for blueprint lifecycle controls,
551
00:19:37,280 –> 00:19:40,600
add one for sponsor SLA, add one for automated deprovisioning
552
00:19:40,600 –> 00:19:42,520
on inactivity or sponsor departure,
553
00:19:42,520 –> 00:19:45,400
add one for change control, add one for zombie detection jobs.
554
00:19:45,400 –> 00:19:47,800
If you don’t turn things off, they’ll turn on you.
555
00:19:47,800 –> 00:19:49,880
Triage bands: eight, high risk, fix now;
556
00:19:49,880 –> 00:19:53,920
9–16 medium, 30-day sprint; 17–25 low, quarterly;
557
00:19:53,920 –> 00:19:56,040
26–30 model agents, template these.
558
00:19:56,040 –> 00:19:58,960
Run this on your top 10 agents this week. Then weaponize it:
559
00:19:58,960 –> 00:20:01,720
make the score visible next to each agent in the registry,
560
00:20:01,720 –> 00:20:03,680
you’ll get fewer arguments and faster fixes.
561
00:20:03,680 –> 00:20:06,720
Sure, people love arguing numbers and the meeting,
562
00:20:06,720 –> 00:20:08,520
Counterpoints and rebuttals:
563
00:20:08,520 –> 00:20:11,560
the debate you’ll have in the room. “We’ll innovate slower.”
564
00:20:11,560 –> 00:20:13,640
Sure, you’ll also recover slower from a breach.
565
00:20:13,640 –> 00:20:15,480
The trick isn’t a brake, it’s lanes.
566
00:20:15,480 –> 00:20:18,600
Blueprints and managed environments give you pre-approved patterns.
567
00:20:18,600 –> 00:20:21,160
Builders pick a blueprint, get the right identity,
568
00:20:21,160 –> 00:20:23,320
least privilege scopes, allowed connectors
569
00:20:23,320 –> 00:20:24,920
and a sponsor in 10 minutes.
570
00:20:24,920 –> 00:20:27,280
That’s faster than a ticket ping pong with security.
571
00:20:27,280 –> 00:20:29,840
If speed matters, remove bespoke reviews
572
00:20:29,840 –> 00:20:31,320
and standardize the boring parts.
573
00:20:31,320 –> 00:20:34,680
You’ll ship faster because you stopped re-arguing first principles.
574
00:20:34,680 –> 00:20:37,200
“Purview labels slow collaboration.” They slow leaks.
575
00:20:37,200 –> 00:20:39,000
Auto labeling does the heavy lifting
576
00:20:39,000 –> 00:20:42,640
and coachable DLP messages teach users the boundary in the moment.
577
00:20:42,640 –> 00:20:44,640
People learn faster when the tool says
578
00:20:44,640 –> 00:20:46,680
“you can share this inside, not outside”,
579
00:20:46,680 –> 00:20:47,880
right where they’re working.
580
00:20:47,880 –> 00:20:50,600
Back in my day, we sent policy PDFs no one read.
581
00:20:50,600 –> 00:20:52,120
Now the policy shows up when it matters
582
00:20:52,120 –> 00:20:53,880
and quietly fixes habits.
583
00:20:53,880 –> 00:20:55,440
“Delegated Graph is simpler.”
584
00:20:55,440 –> 00:20:58,360
So is propping the data center door open with a trash can.
585
00:20:58,360 –> 00:21:00,520
Delegated turns every agent into the user
586
00:21:00,520 –> 00:21:03,160
it borrowed. App roles take an extra beat to set up,
587
00:21:03,160 –> 00:21:05,880
but you get scope you can prove and a blast radius you can measure.
588
00:21:05,880 –> 00:21:07,880
If your exception really needs all,
589
00:21:07,880 –> 00:21:09,680
put an expiry on it and log the calls.
590
00:21:09,680 –> 00:21:11,360
If it’s permanent, it wasn’t an exception.
591
00:21:11,360 –> 00:21:12,800
It was laziness.
592
00:21:12,800 –> 00:21:14,960
“Network inspection breaks agents.”
593
00:21:14,960 –> 00:21:17,880
Start in logging-only. One week of Global Secure Access
594
00:21:17,880 –> 00:21:20,480
telemetry gives you the URL and API map.
595
00:21:20,480 –> 00:21:22,040
Then allow list the five destinations
596
00:21:22,040 –> 00:21:23,840
that matter and quarantine the unknowns.
597
00:21:23,840 –> 00:21:26,160
If an agent shatters because it needed mystery egress,
598
00:21:26,160 –> 00:21:27,600
that wasn’t a reliable agent,
599
00:21:27,600 –> 00:21:29,880
it was a duct tape macro with better marketing.
600
00:21:29,880 –> 00:21:31,200
“We can’t staff this.”
601
00:21:31,200 –> 00:21:33,080
You can’t staff bespoke chaos either.
602
00:21:33,080 –> 00:21:34,400
Shift left with blueprints,
603
00:21:34,400 –> 00:21:37,240
environment DLP and periodic access reviews.
604
00:21:37,240 –> 00:21:39,440
Sponsors carry ownership, security supplies
605
00:21:39,440 –> 00:21:41,080
guardrails, not babysitting.
606
00:21:41,080 –> 00:21:43,160
The registry and risk scores cut the noise,
607
00:21:43,160 –> 00:21:46,000
so your team chases hotspots, not vibes.
608
00:21:46,000 –> 00:21:47,680
This is the difference between mowing the lawn
609
00:21:47,680 –> 00:21:49,560
and hunting for snakes in tall grass.
610
00:21:49,560 –> 00:21:51,320
“Third-party agents won’t integrate.”
611
00:21:51,320 –> 00:21:52,560
Then they don’t run in prod.
612
00:21:52,560 –> 00:21:54,040
Registry first or isolation.
613
00:21:54,040 –> 00:21:55,400
If they want access to your data,
614
00:21:55,400 –> 00:21:58,200
they get an Entra agent ID, show destinations
615
00:21:58,200 –> 00:22:00,360
and accept your DLP and network rules.
616
00:22:00,360 –> 00:22:02,640
If they can’t, fine: segment them on a sandbox
617
00:22:02,640 –> 00:22:05,440
with no sensitive sources and no outbound to unknowns.
618
00:22:05,440 –> 00:22:07,080
Interoperability doesn’t mean no rules,
619
00:22:07,080 –> 00:22:10,040
it means clear terms. “Multi-tenant makes it impossible.”
620
00:22:10,040 –> 00:22:12,520
It makes it annoying. Consolidate where you can.
621
00:22:12,520 –> 00:22:14,520
Where you can’t, mirror the blueprints,
622
00:22:14,520 –> 00:22:17,200
centralize logs and enforce cross-tenant boundaries.
623
00:22:17,200 –> 00:22:18,880
The hard part is agreeing on the patterns,
624
00:22:18,880 –> 00:22:20,160
not copy-pasting them.
625
00:22:20,160 –> 00:22:22,080
One set of templates, many tenants.
626
00:22:22,080 –> 00:22:24,240
You’ve done worse with Exchange resource forests,
627
00:22:24,240 –> 00:22:25,920
this is just JSON and patience.
628
00:22:25,920 –> 00:22:27,840
“Users will route around controls.”
629
00:22:27,840 –> 00:22:29,960
Some will. That’s why endpoint and browser DLP
630
00:22:29,960 –> 00:22:31,920
sit where they work, not where you wish they worked.
631
00:22:31,920 –> 00:22:33,600
Coachable messages reduce rebellion
632
00:22:33,600 –> 00:22:36,040
because they explain the why and offer the alternative.
633
00:22:36,040 –> 00:22:37,600
And yes, you still need consequences.
634
00:22:37,600 –> 00:22:39,640
Policy without enforcement is a screensaver.
635
00:22:39,640 –> 00:22:43,320
“Agent 365 will solve it for us.” Helpful, not magic.
636
00:22:43,320 –> 00:22:46,240
A control plane with no labeled data, no least privilege
637
00:22:46,240 –> 00:22:49,480
and no network signal is a shiny dashboard of bad defaults.
638
00:22:49,480 –> 00:22:51,520
Use Agent 365 as the pane of glass
639
00:22:51,520 –> 00:22:53,600
after you’ve set identity, labels and DLP.
640
00:22:53,600 –> 00:22:56,520
Observability without opinionated guardrails is just a mirror.
641
00:22:56,520 –> 00:22:59,480
“Can we just trust Copilot to respect permissions?”
642
00:22:59,480 –> 00:23:00,720
It already does, that’s the point.
643
00:23:00,720 –> 00:23:02,400
The mess isn’t Copilot misbehaving,
644
00:23:02,400 –> 00:23:04,480
it’s your overshared data and sloppy scopes.
645
00:23:04,480 –> 00:23:06,640
Fix those and the answers stay inside the lines,
646
00:23:06,640 –> 00:23:08,840
don’t fix them and Copilot will faithfully surface
647
00:23:08,840 –> 00:23:10,480
whatever you left lying around.
648
00:23:10,480 –> 00:23:12,520
“Won’t policies kill the small wins?”
649
00:23:12,520 –> 00:23:15,720
Not if you separate dev and prod and give dev an on-ramp.
650
00:23:15,720 –> 00:23:18,480
Managed environments with relaxed connectors in dev,
651
00:23:18,480 –> 00:23:20,640
tighter in test, locked in prod.
652
00:23:20,640 –> 00:23:23,080
Promotion forces the conversation before the mess hits
653
00:23:23,080 –> 00:23:24,920
real data. Builders still build,
654
00:23:24,920 –> 00:23:28,000
you just stop letting prototypes become production by inertia.
655
00:23:28,000 –> 00:23:31,760
Final push: every objection boils down to fear of friction.
656
00:23:31,760 –> 00:23:33,200
Add smart friction upfront,
657
00:23:33,200 –> 00:23:35,000
blueprints, labels, scoped permissions,
658
00:23:35,000 –> 00:23:37,000
and you remove catastrophic friction later:
659
00:23:37,000 –> 00:23:38,440
incidents, audits, rework.
660
00:23:38,440 –> 00:23:39,760
you choose where to feel the pain,
661
00:23:39,760 –> 00:23:41,400
pick predictable and shorter than…
662
00:23:41,400 –> 00:23:43,200
Key takeaway: agents aren’t the threat,
663
00:23:43,200 –> 00:23:46,040
unaccountable access is, and identity, labels
664
00:23:46,040 –> 00:23:47,880
and least privilege are the three bolts
665
00:23:47,880 –> 00:23:49,920
that stop the wheels coming off.
666
00:23:49,920 –> 00:23:52,560
Do this next: stand up your first three blueprints,
667
00:23:52,560 –> 00:23:55,200
push DLP to endpoints and browsers
668
00:23:55,200 –> 00:23:56,960
and run the risk scoring rubric
669
00:23:56,960 –> 00:23:59,000
on your top 10 agents this week.
670
00:23:59,000 –> 00:24:00,920
Want the policy map and the scoring template?
671
00:24:00,920 –> 00:24:02,760
Subscribe and catch the next episode.
672
00:24:02,760 –> 00:24:05,140
I’ll tear down a real agent and rebuild it the right way.






