Azure AI Infrastructure Architecture

Mirko Peters · Podcasts


1
00:00:00,000 –> 00:00:02,800
Most organizations are making the same comfortable assumption.

2
00:00:02,800 –> 00:00:05,120
AI is just another workload.

3
00:00:05,120 –> 00:00:07,920
They are wrong. AI isn’t just compute with a different API,

4
00:00:07,920 –> 00:00:10,720
it is an autonomous probabilistic decision engine running

5
00:00:10,720 –> 00:00:13,120
on deterministic infrastructure that was never built

6
00:00:13,120 –> 00:00:14,280
to understand intent.

7
00:00:14,280 –> 00:00:17,040
Azure will let you deploy it fast, scale it globally,

8
00:00:17,040 –> 00:00:18,320
and integrate it everywhere.

9
00:00:18,320 –> 00:00:21,840
Azure will not stop you from building something you can’t control,

10
00:00:21,840 –> 00:00:23,800
explain, afford, or undo.

11
00:00:23,800 –> 00:00:26,000
In this episode, you’re getting a decision framework,

12
00:00:26,000 –> 00:00:29,200
five inevitability scenarios, the board questions that matter,

13
00:00:29,200 –> 00:00:33,320
and a 30-day review agenda to force enforceable constraints.

14
00:00:33,320 –> 00:00:36,000
The dangerous comfort of familiar infrastructure.

15
00:00:36,000 –> 00:00:39,760
The foundational mistake is treating AI as a new kind of application

16
00:00:39,760 –> 00:00:41,800
instead of a new kind of system behavior.

17
00:00:41,800 –> 00:00:45,360
Azure infrastructure and most enterprise cloud architecture

18
00:00:45,360 –> 00:00:48,480
was optimized for a world where systems behave deterministically,

19
00:00:48,480 –> 00:00:51,040
not perfect, not always stable,

20
00:00:51,040 –> 00:00:53,280
but predictable in the way executives care about.

21
00:00:53,280 –> 00:00:55,960
You can reason about inputs, you can bound failures,

22
00:00:55,960 –> 00:00:58,240
and you can attach ownership to actions.

23
00:00:58,240 –> 00:01:01,120
Traditional enterprise systems follow a simple mental model,

24
00:01:01,120 –> 00:01:02,920
inputs go in, outputs come out.

25
00:01:02,920 –> 00:01:05,000
If the outputs are wrong, you debug the logic,

26
00:01:05,000 –> 00:01:07,600
you patch the code and the system stops doing the wrong thing.

27
00:01:07,600 –> 00:01:09,120
That’s determinism as governance.

28
00:01:09,120 –> 00:01:10,640
It’s not about being correct, yeah.

29
00:01:10,640 –> 00:01:11,880
It’s about being repeatable.

30
00:01:11,880 –> 00:01:13,880
Azure is excellent at serving that model.

31
00:01:13,880 –> 00:01:16,760
It was built for workloads with known shapes, web apps,

32
00:01:16,760 –> 00:01:20,520
APIs, batch jobs, data platforms, identity-driven access,

33
00:01:20,520 –> 00:01:21,760
and human-driven change.

34
00:01:21,760 –> 00:01:24,040
It assumes there’s a team behind the system

35
00:01:24,040 –> 00:01:25,920
that understands what it does, why it does it,

36
00:01:25,920 –> 00:01:28,800
and when it should stop. AI breaks those assumptions quietly.

37
00:01:28,800 –> 00:01:31,680
The simple version is AI introduces non-determinism

38
00:01:31,680 –> 00:01:33,480
as a normal operating condition.

39
00:01:33,480 –> 00:01:35,360
The same prompt can produce a different output.

40
00:01:35,360 –> 00:01:37,280
The same workflow can take a different path.

41
00:01:37,280 –> 00:01:40,160
The same request can become a chain of tool calls,

42
00:01:40,160 –> 00:01:43,000
retrieval, summarization, and follow-up decisions

43
00:01:43,000 –> 00:01:44,840
that nobody explicitly coded.

44
00:01:44,840 –> 00:01:47,360
And because it’s autonomous, it doesn’t just answer questions,

45
00:01:47,360 –> 00:01:49,640
it acts, it triggers, it calls other systems,

46
00:01:49,640 –> 00:01:51,480
it generates artifacts that look real.

47
00:01:51,480 –> 00:01:55,280
It makes decisions that feel plausible. That distinction matters.

48
00:01:55,280 –> 00:01:58,040
Most executive teams still hear AI workload

49
00:01:58,040 –> 00:02:01,160
and map it to a familiar category, something IT deploys,

50
00:02:01,160 –> 00:02:05,120
security reviews, finance budgets, and operations monitors.

51
00:02:05,120 –> 00:02:07,320
That model works for deterministic services.

52
00:02:07,320 –> 00:02:09,200
It fails for probabilistic decision engines

53
00:02:09,200 –> 00:02:11,440
because the uncertainty isn’t a defect.

54
00:02:11,440 –> 00:02:12,920
It’s a feature of the system.

55
00:02:12,920 –> 00:02:14,320
Here’s what most people miss.

56
00:02:14,320 –> 00:02:16,160
Azure scales behavior, not meaning.

57
00:02:16,160 –> 00:02:18,320
Autoscale doesn’t know whether a spike is legitimate

58
00:02:18,320 –> 00:02:19,800
demand or a runaway loop.

59
00:02:19,800 –> 00:02:22,200
Retry logic doesn’t know whether a failure is transient

60
00:02:22,200 –> 00:02:24,080
or a signal that an agent is stuck.

61
00:02:24,080 –> 00:02:26,200
Monitoring doesn’t know whether an output is acceptable,

62
00:02:26,200 –> 00:02:27,720
compliant or dangerous.

63
00:02:27,720 –> 00:02:29,760
The platform will do exactly what you told it to do.

64
00:02:29,760 –> 00:02:32,720
Increase capacity, retry operations, continue execution.

65
00:02:32,720 –> 00:02:33,960
That’s not a Microsoft problem.

66
00:02:33,960 –> 00:02:35,320
That’s an infrastructure truth.

67
00:02:35,320 –> 00:02:37,920
Executives like Azure because it makes delivery easier.

68
00:02:37,920 –> 00:02:39,000
That’s the point of cloud.

69
00:02:39,000 –> 00:02:42,840
But if delivery velocity outpaces intent enforcement,

70
00:02:42,840 –> 00:02:44,120
you don’t get innovation.

71
00:02:44,120 –> 00:02:48,320
You get entropy, unowned behavior pathways, cost drift,

72
00:02:48,320 –> 00:02:51,880
and security debt that appears later as mystery incidents.

73
00:02:51,880 –> 00:02:54,240
This is where the conversation has to get uncomfortable

74
00:02:54,240 –> 00:02:56,600
because the failure mode isn’t a model hallucinating.

75
00:02:56,600 –> 00:02:59,000
The failure mode is leadership deploying autonomy

76
00:02:59,000 –> 00:03:01,560
without constraints and then being surprised

77
00:03:01,560 –> 00:03:03,080
when autonomy behaves like autonomy.

78
00:03:03,080 –> 00:03:04,720
The AI system doesn’t need permission

79
00:03:04,720 –> 00:03:05,560
the way humans do.

80
00:03:05,560 –> 00:03:06,840
It needs authority boundaries.

81
00:03:06,840 –> 00:03:07,840
It needs choke points.

82
00:03:07,840 –> 00:03:10,400
It needs hard stops that exist before execution,

83
00:03:10,400 –> 00:03:12,520
not after the monthly spend report.

84
00:03:12,520 –> 00:03:15,000
And in most organizations, those boundaries don’t exist yet.

85
00:03:15,000 –> 00:03:15,840
Why?

86
00:03:15,840 –> 00:03:17,000
Because the old world didn’t require them.

87
00:03:17,000 –> 00:03:18,480
A human initiated the change.

88
00:03:18,480 –> 00:03:19,920
A human clicked the button.

89
00:03:19,920 –> 00:03:21,600
A human approved the workflow.

90
00:03:21,600 –> 00:03:23,560
The accountability chain was implicit.

91
00:03:23,560 –> 00:03:25,720
You could always find the person who caused the action

92
00:03:25,720 –> 00:03:27,400
even if it took a week of log reviews

93
00:03:27,400 –> 00:03:28,920
and uncomfortable meetings.

94
00:03:28,920 –> 00:03:31,080
AI changes the accountability geometry.

95
00:03:31,080 –> 00:03:33,480
Now, a non-human identity can trigger real world actions

96
00:03:33,480 –> 00:03:34,440
at machine speed.

97
00:03:34,440 –> 00:03:36,240
A chain can execute across services.

98
00:03:36,240 –> 00:03:39,760
A helpful assistant can mutate data, send communications,

99
00:03:39,760 –> 00:03:41,800
or create records that become the new truth.

100
00:03:41,800 –> 00:03:44,480
And the logs will faithfully report that an app did it,

101
00:03:44,480 –> 00:03:47,200
which is technically correct and strategically useless.

102
00:03:47,200 –> 00:03:48,280
This isn’t wrong thinking.

103
00:03:48,280 –> 00:03:49,400
It’s outdated thinking.

104
00:03:49,400 –> 00:03:52,120
And AI punishes outdated assumptions faster.

105
00:03:52,120 –> 00:03:53,440
So Act One has one job.

106
00:03:53,440 –> 00:03:55,760
To pull executives away from workload thinking

107
00:03:55,760 –> 00:03:57,160
and towards system thinking.

108
00:03:57,160 –> 00:03:58,560
A workload is something you host.

109
00:03:58,560 –> 00:04:00,520
A decision engine is something you constrain.

110
00:04:00,520 –> 00:04:03,280
If you keep treating AI like another workload,

111
00:04:03,280 –> 00:04:04,720
the outcome is inevitable.

112
00:04:04,720 –> 00:04:07,440
You will scale uncertainty faster than your organization

113
00:04:07,440 –> 00:04:08,200
can govern it.

114
00:04:08,200 –> 00:04:09,960
And you will discover that problem only

115
00:04:09,960 –> 00:04:12,680
after it has already written emails, moved data,

116
00:04:12,680 –> 00:04:14,400
and spent money.

117
00:04:14,400 –> 00:04:17,480
Next, we need to talk about what determinism used to buy you.

118
00:04:17,480 –> 00:04:19,200
Because that’s the part you’re about to lose

119
00:04:19,200 –> 00:04:20,600
without noticing.

120
00:04:20,600 –> 00:04:22,880
What determinism secretly guaranteed.

121
00:04:22,880 –> 00:04:25,520
Determinism was never just an engineering preference.

122
00:04:25,520 –> 00:04:26,920
It was a governance primitive.

123
00:04:26,920 –> 00:04:29,800
It quietly guaranteed four things executives rely on.

124
00:04:29,800 –> 00:04:31,160
Even if they never say the words.

125
00:04:31,160 –> 00:04:34,320
Repeatability, auditability, bounded blast radius,

126
00:04:34,320 –> 00:04:35,400
and recoverability.

127
00:04:35,400 –> 00:04:38,200
Repeatability meant the organization could run a process today

128
00:04:38,200 –> 00:04:39,920
and tomorrow and get the same outcome,

129
00:04:39,920 –> 00:04:41,360
assuming the inputs didn’t change.

130
00:04:41,360 –> 00:04:43,080
That’s what made KPIs meaningful.

131
00:04:43,080 –> 00:04:44,480
That’s what made forecasts possible.

132
00:04:44,480 –> 00:04:46,880
And that’s what let leadership treat technology

133
00:04:46,880 –> 00:04:50,600
as a controllable system instead of a casino with a user interface.

134
00:04:50,600 –> 00:04:52,600
Auditability came from that same property.

135
00:04:52,600 –> 00:04:55,360
If a system is deterministic, logs aren’t just history.

136
00:04:55,360 –> 00:04:56,440
They’re reconstruction.

137
00:04:56,440 –> 00:04:58,640
You can replay the inputs, trace the code path,

138
00:04:58,640 –> 00:05:00,720
and explain why the decision happened.

139
00:05:00,720 –> 00:05:02,440
Auditors don’t actually want dashboards.

140
00:05:02,440 –> 00:05:03,560
They want causal chains.

141
00:05:03,560 –> 00:05:04,760
They want to hear.

142
00:05:04,760 –> 00:05:07,840
Given this input, the system performed this policy evaluation,

143
00:05:07,840 –> 00:05:09,560
triggered this workflow, wrote this record,

144
00:05:09,560 –> 00:05:11,320
and here is who approved the rule.

145
00:05:11,320 –> 00:05:13,280
Determinism made that story possible.

146
00:05:13,280 –> 00:05:15,280
Bounded blast radius was the hidden one.

147
00:05:15,280 –> 00:05:18,040
Deterministic systems fail in predictable ways.

148
00:05:18,040 –> 00:05:21,160
A bug causes the same wrong behavior until fixed.

149
00:05:21,160 –> 00:05:23,080
A dependency outage causes timeouts.

150
00:05:23,080 –> 00:05:24,520
A bad release causes errors.

151
00:05:24,520 –> 00:05:25,760
All painful but legible.

152
00:05:25,760 –> 00:05:28,000
You can isolate a component, disable a feature,

153
00:05:28,000 –> 00:05:30,280
roll back a version, and contain the damage.

154
00:05:30,280 –> 00:05:32,280
The blast radius is a function of architecture

155
00:05:32,280 –> 00:05:34,760
and change control, not the imagination of the system.

156
00:05:34,760 –> 00:05:37,640
Recoverability is what executives assume when they say,

157
00:05:37,640 –> 00:05:38,760
just roll it back.

158
00:05:38,760 –> 00:05:40,840
Traditional systems have rollback semantics

159
00:05:40,840 –> 00:05:43,000
because the state changes are explicit.

160
00:05:43,000 –> 00:05:44,680
Databases have transactions.

161
00:05:44,680 –> 00:05:46,160
Deployments have versions.

162
00:05:46,160 –> 00:05:47,880
Config changes have diffs.

163
00:05:47,880 –> 00:05:51,120
Even when rollback is messy, it exists as a concept

164
00:05:51,120 –> 00:05:52,680
because the system is a sequence

165
00:05:52,680 –> 00:05:54,360
of deterministic state transitions.

166
00:05:54,360 –> 00:05:55,800
Now look at the planning assumptions

167
00:05:55,800 –> 00:05:57,680
most Azure programs were built on.

168
00:05:57,680 –> 00:05:59,720
The first assumption is input to output.

169
00:05:59,720 –> 00:06:01,600
Requests go through known code paths.

170
00:06:01,600 –> 00:06:03,400
The second is scale to cost.

171
00:06:03,400 –> 00:06:05,320
You add instances, you handle more traffic,

172
00:06:05,320 –> 00:06:07,120
you pay more roughly proportionally.

173
00:06:07,120 –> 00:06:09,160
The third is failure to exception.

174
00:06:09,160 –> 00:06:12,560
Errors are anomalies, not a normal part of healthy operation.

175
00:06:12,560 –> 00:06:15,520
That whole model produced a comfortable executive rhythm.

176
00:06:15,520 –> 00:06:19,000
Build, deploy, monitor, optimize, repeat.

177
00:06:19,000 –> 00:06:21,600
And Azure operational tooling supports it extremely well.

178
00:06:21,600 –> 00:06:24,120
You can measure CPU, memory, latency, error rate,

179
00:06:24,120 –> 00:06:26,840
saturation, queue depth. You can attach budgets and alerts,

180
00:06:26,840 –> 00:06:29,760
you can attach ownership to subscriptions and resource groups.

181
00:06:29,760 –> 00:06:32,480
You can run incident reviews and create action items,

182
00:06:32,480 –> 00:06:35,760
but AI removes predictability while leaving the infrastructure

183
00:06:35,760 –> 00:06:37,840
behaving as if predictability still exists.

184
00:06:37,840 –> 00:06:39,640
The output isn’t repeatable in the same way.

185
00:06:39,640 –> 00:06:41,320
The code path isn’t a fixed path.

186
00:06:41,320 –> 00:06:43,080
It’s a set of probabilistic choices,

187
00:06:43,080 –> 00:06:45,400
tool calls, retrieval steps and retries.

188
00:06:45,400 –> 00:06:47,960
The system can behave correctly within its own logic

189
00:06:47,960 –> 00:06:49,720
and still produce an outcome leadership

190
00:06:49,720 –> 00:06:51,920
would consider wrong, risky or unacceptable.

191
00:06:51,920 –> 00:06:54,640
And here’s the real shift executives underestimate.

192
00:06:54,640 –> 00:06:57,800
Operations teams lose causality, not just visibility.

193
00:06:57,800 –> 00:06:59,960
They can see the traces, they can see the calls,

194
00:06:59,960 –> 00:07:01,720
they can see the tokens and the latencies

195
00:07:01,720 –> 00:07:03,520
and the downstream API responses,

196
00:07:03,520 –> 00:07:06,120
but they can’t reliably answer the executive question,

197
00:07:06,120 –> 00:07:07,120
why did it do that?

198
00:07:07,120 –> 00:07:08,600
Because the honest answer becomes

199
00:07:08,600 –> 00:07:10,320
because the model selected that action

200
00:07:10,320 –> 00:07:12,080
as the most probable next step.

201
00:07:12,080 –> 00:07:13,320
That’s not a post-mortem.

202
00:07:13,320 –> 00:07:14,800
That’s a shrug with better logging.

203
00:07:14,800 –> 00:07:17,520
This is why optimize it becomes meaningless.

204
00:07:17,520 –> 00:07:19,960
Optimization assumes a stable system you can tune.

205
00:07:19,960 –> 00:07:22,760
If the system isn’t repeatable, you can’t tune behavior.

206
00:07:22,760 –> 00:07:24,280
You can only shape probabilities

207
00:07:24,280 –> 00:07:26,280
and probabilities are not a governance strategy.

208
00:07:26,280 –> 00:07:27,960
They are a risk acceptance strategy.

209
00:07:27,960 –> 00:07:29,920
So when determinism disappears,

210
00:07:29,920 –> 00:07:32,880
a bunch of executive comfort disappears with it.

211
00:07:32,880 –> 00:07:36,520
Forecasts stop being forecasts, audits stop being explanations

212
00:07:36,520 –> 00:07:39,840
and rollback stops being a lever you can pull with confidence.

213
00:07:39,840 –> 00:07:42,560
That’s not a moral panic, that’s a design reality.

214
00:07:42,560 –> 00:07:44,160
Next we’re going to talk about what happens

215
00:07:44,160 –> 00:07:45,480
when determinism is gone,

216
00:07:45,480 –> 00:07:47,840
but the infrastructure keeps acting like it isn’t

217
00:07:47,840 –> 00:07:51,200
because that’s where the first real failures show up.

218
00:07:51,200 –> 00:07:52,840
Determinism is gone.

219
00:07:52,840 –> 00:07:55,160
Infrastructure still behaves like it isn’t.

220
00:07:55,160 –> 00:07:57,160
Here’s what most organizations do next.

221
00:07:57,160 –> 00:07:59,480
They accept that AI is a little fuzzy,

222
00:07:59,480 –> 00:08:02,240
then they keep the rest of the architecture exactly the same.

223
00:08:02,240 –> 00:08:04,360
Same scaling model, same retry policies,

224
00:08:04,360 –> 00:08:06,480
same incident playbooks, same cost controls,

225
00:08:06,480 –> 00:08:08,960
same monitoring dashboards, same governance cadence

226
00:08:08,960 –> 00:08:10,320
and that’s the failure.

227
00:08:10,320 –> 00:08:12,120
Because when determinism is gone,

228
00:08:12,120 –> 00:08:14,400
the infrastructure doesn’t suddenly become intelligent.

229
00:08:14,400 –> 00:08:16,640
It remains a deterministic acceleration layer.

230
00:08:16,640 –> 00:08:19,360
It will scale, retry, queue and route

231
00:08:19,360 –> 00:08:22,440
with zero awareness of whether the underlying behavior is safe,

232
00:08:22,440 –> 00:08:24,040
meaningful or even coherent.

233
00:08:24,040 –> 00:08:26,680
Probabilistic behavior means the system can be working

234
00:08:26,680 –> 00:08:28,440
while the outcome is unstable.

235
00:08:28,440 –> 00:08:30,440
The same prompt can produce different outputs.

236
00:08:30,440 –> 00:08:32,120
The same agent can take different paths

237
00:08:32,120 –> 00:08:33,680
to satisfy the same goal.

238
00:08:33,680 –> 00:08:35,560
The difference isn’t noise you can ignore.

239
00:08:35,560 –> 00:08:36,880
It’s the operating model.

240
00:08:36,880 –> 00:08:38,560
So the idea of errors changes.

241
00:08:38,560 –> 00:08:41,160
In traditional systems, an error is an anomaly.

242
00:08:41,160 –> 00:08:43,360
An exception thrown, a dependency down,

243
00:08:43,360 –> 00:08:44,880
a timeout, a memory leak.

244
00:08:44,880 –> 00:08:46,760
The system remembers what it was supposed to do,

245
00:08:46,760 –> 00:08:48,560
fails to do it and emits a signal.

246
00:08:48,560 –> 00:08:51,320
In AI systems, a large part of what you will experience

247
00:08:51,320 –> 00:08:53,760
as failure lives in the distribution tails.

248
00:08:53,760 –> 00:08:55,880
The system will do something plausible but wrong.

249
00:08:55,880 –> 00:08:57,480
It will comply with the literal request

250
00:08:57,480 –> 00:08:58,800
while violating intent.

251
00:08:58,800 –> 00:09:02,000
It will follow policy language while breaking policy outcomes.

252
00:09:02,000 –> 00:09:04,960
It will act confidently in ways that are not malicious,

253
00:09:04,960 –> 00:09:06,800
not broken but still unacceptable.

254
00:09:06,800 –> 00:09:09,280
That means your normal guardrails don’t translate.

255
00:09:09,280 –> 00:09:10,840
The most common example is retries.

256
00:09:10,840 –> 00:09:12,640
Retry logic is a rational response

257
00:09:12,640 –> 00:09:15,200
to transient failure in deterministic systems.

258
00:09:15,200 –> 00:09:18,080
A request fails because a dependency was temporarily unavailable

259
00:09:18,080 –> 00:09:19,840
so you back off and try again.

260
00:09:19,840 –> 00:09:22,280
Eventually it works and everyone feels clever.

261
00:09:22,280 –> 00:09:24,440
In probabilistic systems, retries change the meaning

262
00:09:24,440 –> 00:09:25,280
of the system.

263
00:09:25,280 –> 00:09:28,280
If an agent calls a tool, gets an ambiguous response

264
00:09:28,280 –> 00:09:30,360
and retries with slightly different phrasing,

265
00:09:30,360 –> 00:09:33,200
you didn’t just retry, you created a new decision.

266
00:09:33,200 –> 00:09:35,960
And if the agent is orchestrating multiple tools,

267
00:09:35,960 –> 00:09:39,280
search, database queries, ticket updates, email sending,

268
00:09:39,280 –> 00:09:42,320
retries can fork into entirely new execution paths.

269
00:09:42,320 –> 00:09:44,240
Now add Azure’s scaling behaviors,

270
00:09:44,240 –> 00:09:46,680
auto-scale sees pressure and adds capacity,

271
00:09:46,680 –> 00:09:48,720
queues buffer bursts and keep processing,

272
00:09:48,720 –> 00:09:51,760
functions spin up instances, AKS adds nodes,

273
00:09:51,760 –> 00:09:54,040
the platform interprets activity as demand,

274
00:09:54,040 –> 00:09:55,200
not as risk.

275
00:09:55,200 –> 00:09:58,000
It does what it was designed to do, increase throughput.

276
00:09:58,000 –> 00:10:00,040
But in an agentic system, more throughput

277
00:10:00,040 –> 00:10:02,120
can mean more damage per minute.

278
00:10:02,120 –> 00:10:03,880
This is the counterintuitive part.

279
00:10:03,880 –> 00:10:06,320
Deterministic infrastructure patterns can amplify

280
00:10:06,320 –> 00:10:07,680
probabilistic uncertainty.

281
00:10:07,680 –> 00:10:09,840
A runaway loop doesn’t look like a loop at first,

282
00:10:09,840 –> 00:10:12,840
it looks like a busy system, a stuck agent doesn’t look stuck.

283
00:10:12,840 –> 00:10:14,200
It looks active.

284
00:10:14,200 –> 00:10:17,280
A misspecified tool call doesn’t look like a policy violation.

285
00:10:17,280 –> 00:10:20,000
It looks like traffic, so the platform scales it.

286
00:10:20,000 –> 00:10:21,760
And the organization pays for the privilege

287
00:10:21,760 –> 00:10:24,240
of accelerating behavior it did not intend.

288
00:10:24,240 –> 00:10:25,760
Observability doesn’t save you here

289
00:10:25,760 –> 00:10:28,360
because observability measures performance, not meaning.

290
00:10:28,360 –> 00:10:30,120
You’ll have traces, you’ll have spans,

291
00:10:30,120 –> 00:10:32,880
you’ll have token counts, you’ll have latency histograms.

292
00:10:32,880 –> 00:10:35,120
And none of that answers the executive question.

293
00:10:35,120 –> 00:10:37,640
Was the system doing the right thing?

294
00:10:37,640 –> 00:10:40,520
Application Insights can tell you that a call succeeded.

295
00:10:40,520 –> 00:10:42,720
It cannot tell you that the call should not have been made.

296
00:10:42,720 –> 00:10:44,880
Cost management can tell you that spend increased.

297
00:10:44,880 –> 00:10:46,800
It cannot stop spend from occurring.

298
00:10:46,800 –> 00:10:49,920
Security logging can tell you which identity made the call.

299
00:10:49,920 –> 00:10:51,760
It cannot tell you whether that identity

300
00:10:51,760 –> 00:10:54,400
should ever have had the authority to make that class of call.

301
00:10:54,400 –> 00:10:56,440
So the system behaves as designed,

302
00:10:56,440 –> 00:10:58,960
while governance assumes it behaves as understood.

303
00:10:58,960 –> 00:11:01,640
That mismatch is where the second order incidents come from,

304
00:11:01,640 –> 00:11:03,720
the ones that show up as mystery spend,

305
00:11:03,720 –> 00:11:08,000
unexpected downstream changes, odd emails, unusual access.

306
00:11:08,000 –> 00:11:11,040
Or why is this data set suddenly different?

307
00:11:11,040 –> 00:11:12,480
Not because someone attacked you,

308
00:11:12,480 –> 00:11:14,280
because your architecture gave uncertainty

309
00:11:14,280 –> 00:11:16,000
a credit card and an API key.

310
00:11:16,000 –> 00:11:18,200
This is the line executives need to internalize,

311
00:11:18,200 –> 00:11:20,360
because it reframes the entire discussion away

312
00:11:20,360 –> 00:11:23,280
from model quality and towards system control.

313
00:11:23,280 –> 00:11:25,280
Azure can scale uncertainty faster

314
00:11:25,280 –> 00:11:26,920
than your organization can understand it.

315
00:11:26,920 –> 00:11:28,840
If the only thing stopping an agent is an alert,

316
00:11:28,840 –> 00:11:29,920
you are already late.

317
00:11:29,920 –> 00:11:31,680
Alerts are after-the-fact narration.

318
00:11:31,680 –> 00:11:32,720
They are not control.

319
00:11:32,720 –> 00:11:34,560
So in Act 2, the real question isn’t

320
00:11:34,560 –> 00:11:36,320
how do we make the model better?

321
00:11:36,320 –> 00:11:38,360
The real question is, where do you reintroduce

322
00:11:38,360 –> 00:11:39,840
determinism on purpose?

323
00:11:39,840 –> 00:11:40,960
Not inside the model.

324
00:11:40,960 –> 00:11:43,080
At the boundaries, approval gates, hard limits,

325
00:11:43,080 –> 00:11:44,880
deny before execute choke points

326
00:11:44,880 –> 00:11:47,520
and constraints that fire before an action happens.

327
00:11:47,520 –> 00:11:49,680
Not after it becomes an audit artifact.

328
00:11:49,680 –> 00:11:52,040
Next, we’re going to talk about the most sensitive boundary

329
00:11:52,040 –> 00:11:54,040
of all, identity and authority.

330
00:11:54,040 –> 00:11:55,920
Because once an AI system can act,

331
00:11:55,920 –> 00:11:58,120
the question becomes brutally simple.

332
00:11:58,120 –> 00:12:00,360
Who is allowed to act and who gets blamed when it does?

333
00:12:00,360 –> 00:12:04,080
Scenario one: cost blowup via autoscale plus retry.

334
00:12:04,080 –> 00:12:05,960
The first inevitability scenario is cost,

335
00:12:05,960 –> 00:12:08,560
because cost is where Azure’s determinism meets AI’s

336
00:12:08,560 –> 00:12:10,920
uncertainty in the most measurable way.

337
00:12:10,920 –> 00:12:12,600
The pattern looks harmless on a whiteboard.

338
00:12:12,600 –> 00:12:15,720
You put an LLM behind an API, you wire it to a workflow engine,

339
00:12:15,720 –> 00:12:18,160
maybe Azure Functions, maybe AKS, maybe both.

340
00:12:18,160 –> 00:12:19,960
You add reliability with retries.

341
00:12:19,960 –> 00:12:21,560
You add resilience with auto scale.

342
00:12:21,560 –> 00:12:24,080
You add safety with a few guardrails in the prompt,

343
00:12:24,080 –> 00:12:25,200
then you ship it.

344
00:12:25,200 –> 00:12:27,360
And the system behaves exactly as designed.

345
00:12:27,360 –> 00:12:30,000
A user asks for something that triggers a chain,

346
00:12:30,000 –> 00:12:32,840
call the model, retrieve context, call a tool,

347
00:12:32,840 –> 00:12:35,960
call the model again, write output, maybe call another tool.

348
00:12:35,960 –> 00:12:37,200
It’s a normal agent pattern.

349
00:12:37,200 –> 00:12:38,760
The problem isn’t that it’s complex.

350
00:12:38,760 –> 00:12:40,280
The problem is that none of those steps

351
00:12:40,280 –> 00:12:42,000
have a hard financial boundary.

352
00:12:42,000 –> 00:12:45,000
Token billing turns every internal thought into spend.

353
00:12:45,000 –> 00:12:47,960
Context windows turn every extra document into spend.

354
00:12:47,960 –> 00:12:49,960
Tool calls turn every loop into spend.

355
00:12:49,960 –> 00:12:51,920
And when the system gets uncertain,

356
00:12:51,920 –> 00:12:54,880
when a tool times out, when retrieval returns partial results,

357
00:12:54,880 –> 00:12:56,480
when a downstream API limits,

358
00:12:56,480 –> 00:12:58,680
you don’t get one failure, you get a retry storm.

359
00:12:58,680 –> 00:13:01,360
In deterministic systems, retries are a temporary tax.

360
00:13:01,360 –> 00:13:04,680
In probabilistic systems, retries are compounding behavior.

361
00:13:04,680 –> 00:13:06,200
The agent reframes the question.

362
00:13:06,200 –> 00:13:08,320
It tries a different tool, it expands the context.

363
00:13:08,320 –> 00:13:10,240
It asks for more data, it tries again.

364
00:13:10,240 –> 00:13:13,640
And because it’s working, the platform keeps feeding it compute.

365
00:13:13,640 –> 00:13:14,800
Here’s the weird part.

366
00:13:14,800 –> 00:13:16,920
The failure mode often looks like success.

367
00:13:16,920 –> 00:13:20,000
The system is active, CPU is busy, requests are flowing.

368
00:13:20,000 –> 00:13:22,200
Logs are full, the model is returning outputs.

369
00:13:22,200 –> 00:13:24,880
Maybe they’re not good outputs, but they are outputs.

370
00:13:24,880 –> 00:13:26,920
And because you designed for availability,

371
00:13:26,920 –> 00:13:29,080
your infrastructure interprets that as demand.

372
00:13:29,080 –> 00:13:31,960
Azure Functions adds instances, AKS adds nodes.

373
00:13:31,960 –> 00:13:33,440
Queue depth triggers scale.

374
00:13:33,440 –> 00:13:34,960
More workers means more model calls.

375
00:13:34,960 –> 00:13:36,640
More model calls means more tokens.

376
00:13:36,640 –> 00:13:38,360
More tokens means more spend.

377
00:13:38,360 –> 00:13:39,880
This is not a finance surprise.

378
00:13:39,880 –> 00:13:41,240
This is an architectural loop.

379
00:13:41,240 –> 00:13:42,880
Budgets and alerts don’t stop it.

380
00:13:42,880 –> 00:13:44,480
They narrate it, they tell you,

381
00:13:44,480 –> 00:13:46,280
after the system has already executed,

382
00:13:46,280 –> 00:13:48,760
that it executed a lot. That’s useful for post-mortems

383
00:13:48,760 –> 00:13:49,760
and chargeback politics.

384
00:13:49,760 –> 00:13:51,520
It is useless for prevention.

385
00:13:51,520 –> 00:13:53,920
And executives keep making the same mistake here.

386
00:13:53,920 –> 00:13:56,520
They treat spend as an outcome to be reported,

387
00:13:56,520 –> 00:13:58,320
not authority to be constrained.

388
00:13:58,320 –> 00:14:00,200
The question is not, did we set up budgets?

389
00:14:00,200 –> 00:14:01,760
The question is, where is the hard stop

390
00:14:01,760 –> 00:14:03,320
before the call executes?

391
00:14:03,320 –> 00:14:04,720
Where does a request get denied

392
00:14:04,720 –> 00:14:06,560
because it exceeds a cost class?

393
00:14:06,560 –> 00:14:08,440
Where does a tool call require an approval

394
00:14:08,440 –> 00:14:09,800
because it changes state?

395
00:14:09,800 –> 00:14:11,760
Where does the agent hit a deterministic ceiling

396
00:14:11,760 –> 00:14:14,800
and stop instead of escalating into a larger context window

397
00:14:14,800 –> 00:14:17,360
and a more expensive model because it feels uncertain?

398
00:14:17,360 –> 00:14:18,960
If you can’t point to that choke point,

399
00:14:18,960 –> 00:14:20,520
then your cost control is theater.

400
00:14:20,520 –> 00:14:23,160
It exists in dashboards, not in the execution path.

401
00:14:23,160 –> 00:14:25,920
Now zoom out to why this scenario shows up first.

402
00:14:25,920 –> 00:14:28,120
Cost is the reminder that AI systems

403
00:14:28,120 –> 00:14:30,920
don’t just generate text, they generate transactions.

404
00:14:30,920 –> 00:14:33,200
Every helpful loop is a billing event,

405
00:14:33,200 –> 00:14:34,880
every retry is a multiplier.

406
00:14:34,880 –> 00:14:37,120
And your infrastructure is optimized to keep going,

407
00:14:37,120 –> 00:14:39,320
not to ask whether continuing makes sense.

408
00:14:39,320 –> 00:14:41,800
So you get the executive version of the incident,

409
00:14:41,800 –> 00:14:44,680
the bill spikes, the team explains token usage,

410
00:14:44,680 –> 00:14:46,360
everyone argues about tagging

411
00:14:46,360 –> 00:14:49,840
and the action item becomes improved prompt efficiency.

412
00:14:49,840 –> 00:14:51,520
That’s outdated thinking.

413
00:14:51,520 –> 00:14:54,800
Prompt efficiency is optimization. This problem is authority.

414
00:14:54,800 –> 00:14:57,720
If you discover your AI cost problem at the end of the month,

415
00:14:57,720 –> 00:14:59,640
the architecture already failed.

416
00:14:59,640 –> 00:15:02,120
Cost needs a deny before execute boundary,

417
00:15:02,120 –> 00:15:04,760
the same way security needs a deny before access boundary.

418
00:15:04,760 –> 00:15:06,200
Anything else is reporting.

419
00:15:06,200 –> 00:15:08,080
Next we’re going to make this explicit.

420
00:15:08,080 –> 00:15:10,960
Cost isn’t a finance problem that IT can monitor.

421
00:15:10,960 –> 00:15:12,440
Cost is the first system to fail

422
00:15:12,440 –> 00:15:14,040
because it’s the first system you refuse

423
00:15:14,040 –> 00:15:16,280
to put under deterministic control.

424
00:15:16,280 –> 00:15:18,240
Cost is the first system to fail.

425
00:15:18,240 –> 00:15:20,600
Cost fails first because it’s the first constraint

426
00:15:20,600 –> 00:15:22,960
most organizations refuse to enforce at runtime.

427
00:15:22,960 –> 00:15:25,040
They treat cost as a reporting artifact.

428
00:15:25,040 –> 00:15:28,320
Budgets, alerts, chargeback tags, monthly variance meetings,

429
00:15:28,320 –> 00:15:30,520
that was tolerable when workloads were deterministic

430
00:15:30,520 –> 00:15:31,360
and bounded.

431
00:15:31,360 –> 00:15:34,040
You could predict usage, you could map spend to capacity

432
00:15:34,040 –> 00:15:36,600
and surprise meant someone deployed something dumb.

433
00:15:36,600 –> 00:15:39,280
AI doesn’t surprise you because someone made a mistake.

434
00:15:39,280 –> 00:15:42,720
AI surprises you because the system is allowed to explore.

435
00:15:42,720 –> 00:15:45,120
Token-based billing makes thinking billable.

436
00:15:45,120 –> 00:15:48,080
Context windows make being thorough, billable.

437
00:15:48,080 –> 00:15:50,400
Multi-agent patterns make coordination billable,

438
00:15:50,400 –> 00:15:52,360
tool calls make action billable

439
00:15:52,360 –> 00:15:54,680
and the very behavior you want from an agent

440
00:15:54,680 –> 00:15:56,880
iterating until it’s confident produces

441
00:15:56,880 –> 00:15:58,840
the exact spend profile you didn’t model.

442
00:15:58,840 –> 00:16:01,040
This is why the cost curve stops being linear.

443
00:16:01,040 –> 00:16:04,120
In traditional infrastructure, scale is roughly proportional.

444
00:16:04,120 –> 00:16:06,840
More users means more requests, which means more compute,

445
00:16:06,840 –> 00:16:08,200
which means more cost.

446
00:16:08,200 –> 00:16:10,240
There are spikes but you can reason about them.

447
00:16:10,240 –> 00:16:11,640
You have a capacity model.

448
00:16:11,640 –> 00:16:14,520
In agentic systems, scale becomes combinatorial.

449
00:16:14,520 –> 00:16:16,840
One user request can trigger many model calls.

450
00:16:16,840 –> 00:16:18,560
One model call can trigger retrieval

451
00:16:18,560 –> 00:16:20,080
which triggers more model calls.

452
00:16:20,080 –> 00:16:22,720
One tool call can fail and trigger retries

453
00:16:22,720 –> 00:16:25,800
which triggers new prompts, which triggers larger context,

454
00:16:25,800 –> 00:16:27,760
which triggers higher token consumption.

455
00:16:27,760 –> 00:16:30,160
The spend isn’t tied to how many users.

456
00:16:30,160 –> 00:16:32,560
It’s tied to how much autonomy you gave the system

457
00:16:32,560 –> 00:16:33,760
to keep trying.

458
00:16:33,760 –> 00:16:36,400
And here’s the part executives consistently miss.

459
00:16:36,400 –> 00:16:39,520
Infrastructure utilization is no longer your cost proxy.

460
00:16:39,520 –> 00:16:41,640
You can have a system that looks healthy

461
00:16:41,640 –> 00:16:43,880
from a compute perspective and still burns money

462
00:16:43,880 –> 00:16:46,040
because the expensive part is the model consumption,

463
00:16:46,040 –> 00:16:47,120
not your CPU.

464
00:16:47,120 –> 00:16:49,040
Conversely, you can optimize your cluster

465
00:16:49,040 –> 00:16:51,240
and still have runaway spend because the real bill

466
00:16:51,240 –> 00:16:53,320
is tokens and model routing decisions.

467
00:16:53,320 –> 00:16:55,400
So the executive metric has to change.

468
00:16:55,400 –> 00:16:57,600
Cost per resource is an infrastructure metric.

469
00:16:57,600 –> 00:16:59,920
Cost per outcome is an architecture metric.

470
00:16:59,920 –> 00:17:01,800
If you can’t describe the unit of value

471
00:17:01,800 –> 00:17:03,680
the system produces, resolved ticket,

472
00:17:03,680 –> 00:17:06,880
completed order, validated document, approved workflow,

473
00:17:06,880 –> 00:17:08,920
then you can’t constrain cost meaningfully.

474
00:17:08,920 –> 00:17:10,120
You’re budgeting in the dark

475
00:17:10,120 –> 00:17:12,320
and congratulating yourself for having a dashboard.

476
00:17:12,320 –> 00:17:15,520
Preventive cost governance in AI has exactly one purpose.

477
00:17:15,520 –> 00:17:17,840
Put hard limits in the execution path.

478
00:17:17,840 –> 00:17:20,560
Not suggestions, not alerts, hard limits.

479
00:17:20,560 –> 00:17:23,320
That usually means cost classes, gold, silver, bronze.

480
00:17:23,320 –> 00:17:25,320
You define what each class is allowed to do

481
00:17:25,320 –> 00:17:26,360
before it does it.

482
00:17:26,360 –> 00:17:30,200
Model family, context window size, maximum tokens,

483
00:17:30,200 –> 00:17:32,120
tool permissions, and whether it’s allowed

484
00:17:32,120 –> 00:17:33,960
to use agentic loops at all.

485
00:17:33,960 –> 00:17:36,880
Gold means expensive models and broader context,

486
00:17:36,880 –> 00:17:38,720
but only for outcomes worth paying for.

487
00:17:38,720 –> 00:17:40,280
Silver means constrained context

488
00:17:40,280 –> 00:17:42,280
and cheaper models with tighter caps.

489
00:17:42,280 –> 00:17:44,360
Bronze means no autonomy.

490
00:17:44,360 –> 00:17:48,080
Cheap classification, extraction, routing, nothing more.

491
00:17:48,080 –> 00:17:49,680
This isn’t a FinOps maturity project.

492
00:17:49,680 –> 00:17:50,520
This is architecture.

493
00:17:50,520 –> 00:17:53,320
The system should refuse to execute a gold class action

494
00:17:53,320 –> 00:17:55,560
unless it can justify being in that class.

495
00:17:55,560 –> 00:17:57,280
And you don’t get that by buying a tool.

496
00:17:57,280 –> 00:17:59,200
You get it by building a deterministic gate,

497
00:17:59,200 –> 00:18:01,520
a pre-call estimator that predicts token usage

498
00:18:01,520 –> 00:18:04,200
and enforces ceilings, a router that selects models

499
00:18:04,200 –> 00:18:06,960
intentionally and a hard stop when the agent exceeds

500
00:18:06,960 –> 00:18:09,040
its budgeted attempt count.

501
00:18:09,040 –> 00:18:10,720
Azure’s native cost tooling mostly

502
00:18:10,720 –> 00:18:12,680
lives on the visibility side of the line.

503
00:18:12,680 –> 00:18:14,560
It can show you spend trends and anomalies.

504
00:18:14,560 –> 00:18:16,640
It can alert you, but that’s after execution.

505
00:18:16,640 –> 00:18:19,360
Governance requires authority before execution.

506
00:18:19,360 –> 00:18:21,040
So if leadership wants cost stability,

507
00:18:21,040 –> 00:18:23,680
the question to ask isn’t, do we have budgets?

508
00:18:23,680 –> 00:18:25,600
It’s, where is the governor?

509
00:18:25,600 –> 00:18:28,160
Where does the system get denied automatically

510
00:18:28,160 –> 00:18:30,800
at runtime because it exceeded its allowed cost boundary

511
00:18:30,800 –> 00:18:31,800
for that class of outcome?

512
00:18:31,800 –> 00:18:33,480
If that boundary doesn’t exist,

513
00:18:33,480 –> 00:18:36,240
then the organization is operating a probabilistic spend engine

514
00:18:36,240 –> 00:18:38,920
and pretending it’s running a deterministic workload.

515
00:18:38,920 –> 00:18:41,320
There’s also an uncomfortable executive decision here.

516
00:18:41,320 –> 00:18:43,040
Sometimes you buy predictability.

517
00:18:43,040 –> 00:18:45,440
Provisioned capacity can stabilize unit costs

518
00:18:45,440 –> 00:18:46,560
for steady workloads.

519
00:18:46,560 –> 00:18:48,840
Batching can reduce cost for non-urgent work.

520
00:18:48,840 –> 00:18:51,680
Caching can avoid repeated calls for repeated questions.

521
00:18:51,680 –> 00:18:53,200
Those are practical levers.

522
00:18:53,200 –> 00:18:55,360
But none of them matter if you haven’t first decided

523
00:18:55,360 –> 00:18:57,600
what outcomes deserve expensive intelligence.

524
00:18:57,600 –> 00:18:59,720
Because the real failure is not overspend.

525
00:18:59,720 –> 00:19:02,120
The real failure is the absence of intent encoded

526
00:19:02,120 –> 00:19:02,960
as constraint.

527
00:19:02,960 –> 00:19:04,280
And that’s why cost fails first.

528
00:19:04,280 –> 00:19:05,680
It’s the earliest cleanest signal

529
00:19:05,680 –> 00:19:07,560
that you built autonomy without boundaries.

530
00:19:07,560 –> 00:19:09,640
Next, the conversation moves from spend authority

531
00:19:09,640 –> 00:19:12,280
to action authority because once an agent can spend,

532
00:19:12,280 –> 00:19:13,280
it can also do.

533
00:19:13,280 –> 00:19:15,880
Identity, authority, and autonomous action.

534
00:19:15,880 –> 00:19:18,000
Now the conversation moves from spend authority

535
00:19:18,000 –> 00:19:19,000
to action authority.

536
00:19:19,000 –> 00:19:21,800
And this is where most organizations quietly lose the plot.

537
00:19:21,800 –> 00:19:23,640
Because identity in Azure was designed

538
00:19:23,640 –> 00:19:26,160
for two kinds of actors, humans and applications,

539
00:19:26,160 –> 00:19:28,720
humans authenticate and make decisions.

540
00:19:28,720 –> 00:19:30,880
Applications execute predefined logic.

541
00:19:30,880 –> 00:19:32,600
Even when applications are complex,

542
00:19:32,600 –> 00:19:34,440
the assumption is still deterministic.

543
00:19:34,440 –> 00:19:36,200
The app does what it was written to do

544
00:19:36,200 –> 00:19:38,200
and accountability traces back to a team

545
00:19:38,200 –> 00:19:39,440
and a change record.

546
00:19:39,440 –> 00:19:41,080
Agentic AI breaks that split.

547
00:19:41,080 –> 00:19:42,720
An agent isn’t just executing logic.

548
00:19:42,720 –> 00:19:44,200
It’s selecting actions.

549
00:19:44,200 –> 00:19:47,200
It’s deciding which tool to call, which data to retrieve,

550
00:19:47,200 –> 00:19:49,320
which system to update and when to stop.

551
00:19:49,320 –> 00:19:51,800
That makes it a decision maker, not just a runner.

552
00:19:51,800 –> 00:19:53,560
And the moment you let a decision maker act

553
00:19:53,560 –> 00:19:56,760
with machine speed, identity stops being access plumbing

554
00:19:56,760 –> 00:20:00,160
and becomes the accountability boundary of your enterprise.

555
00:20:00,160 –> 00:20:02,360
Here’s the foundational misunderstanding.

556
00:20:02,360 –> 00:20:05,520
Organizations think identity answers, who are you?

557
00:20:05,520 –> 00:20:07,560
For autonomous systems, the harder question is,

558
00:20:07,560 –> 00:20:09,120
who is allowed to decide?

559
00:20:09,120 –> 00:20:11,720
A managed identity or service principal

560
00:20:11,720 –> 00:20:15,080
can authenticate perfectly and still be the wrong instrument.

561
00:20:15,080 –> 00:20:16,800
It proves the token is valid.

562
00:20:16,800 –> 00:20:18,680
It does not prove the action was intended.

563
00:20:18,680 –> 00:20:20,320
So you get the familiar pattern.

564
00:20:20,320 –> 00:20:22,680
A team needs an agent to do useful work.

565
00:20:22,680 –> 00:20:24,200
They give it a managed identity.

566
00:20:24,200 –> 00:20:27,040
They grant it permissions to the target systems and they ship.

567
00:20:27,040 –> 00:20:27,880
The system works.

568
00:20:27,880 –> 00:20:29,440
And now you have a non-human actor

569
00:20:29,440 –> 00:20:31,680
with standing privileges executing decisions

570
00:20:31,680 –> 00:20:34,240
you did not explicitly model inside blast radii

571
00:20:34,240 –> 00:20:35,960
you did not formally accept.

572
00:20:35,960 –> 00:20:37,200
That distinction matters.

573
00:20:37,600 –> 00:20:39,560
When a human acts, you can revoke the human.

574
00:20:39,560 –> 00:20:40,800
You can discipline the human.

575
00:20:40,800 –> 00:20:42,080
You can retrain the human.

576
00:20:42,080 –> 00:20:44,120
You can put approvals in front of the human.

577
00:20:44,120 –> 00:20:46,120
Humans are governable because their intent

578
00:20:46,120 –> 00:20:48,520
can be constrained socially and contractually.

579
00:20:48,520 –> 00:20:51,840
When an agent acts, you can’t retrain accountability.

580
00:20:51,840 –> 00:20:54,840
You only have three levers, its identity, its permissions

581
00:20:54,840 –> 00:20:56,360
and the enforcement points that sit

582
00:20:56,360 –> 00:20:57,960
between the agent and the action.

583
00:20:57,960 –> 00:21:00,160
And here’s the failure mode executives don’t anticipate

584
00:21:00,160 –> 00:21:02,520
if the agent acts correctly and causes damage.

585
00:21:02,520 –> 00:21:03,400
What do you revoke?

586
00:21:03,400 –> 00:21:04,920
Do you revoke the managed identity?

587
00:21:04,920 –> 00:21:05,600
Great.

588
00:21:05,600 –> 00:21:08,920
You just broke every workflow that identity was quietly used for

589
00:21:08,920 –> 00:21:11,400
because it was never scoped to agent decisions.

590
00:21:11,400 –> 00:21:13,680
It was scoped to make the system work.

591
00:21:13,680 –> 00:21:16,040
Do you keep the identity and reduce permissions?

592
00:21:16,040 –> 00:21:16,880
Also great.

593
00:21:16,880 –> 00:21:19,760
Now you’re debugging production by subtracting permissions

594
00:21:19,760 –> 00:21:21,560
until the incident stops, which means

595
00:21:21,560 –> 00:21:23,920
you’re discovering your intended authorization model

596
00:21:23,920 –> 00:21:25,880
after the system has already executed.

597
00:21:25,880 –> 00:21:26,960
Do you add more monitoring?

598
00:21:26,960 –> 00:21:29,080
Fine, monitoring can tell you what happened.

599
00:21:29,080 –> 00:21:31,840
It cannot change the fact that the system was allowed to do it.

600
00:21:31,840 –> 00:21:34,560
This is why agent identity is not just an IAM issue.

601
00:21:34,560 –> 00:21:36,040
It’s an authority architecture issue.

602
00:21:36,040 –> 00:21:39,040
Microsoft is acknowledging that reality in the platform itself.

603
00:21:39,040 –> 00:21:41,880
The emergence of first class agent identity concepts in Entra

604
00:21:41,880 –> 00:21:44,200
exists because the old model, service principals

605
00:21:44,200 –> 00:21:46,000
as stand-ins for decision makers,

606
00:21:46,000 –> 00:21:47,760
doesn’t describe what’s happening anymore.

607
00:21:47,760 –> 00:21:51,240
The platform is trying to put a name on a new type of actor,

608
00:21:51,240 –> 00:21:53,120
something that authenticates like an app

609
00:21:53,120 –> 00:21:54,840
but behaves like an operator.

610
00:21:54,840 –> 00:21:56,800
But the existence of a new identity type

611
00:21:56,800 –> 00:21:58,480
doesn’t solve the core problem.

612
00:21:58,480 –> 00:22:00,440
The core problem is intent attribution.

613
00:22:00,440 –> 00:22:02,280
Your logs can say an app called Graph,

614
00:22:02,280 –> 00:22:04,600
a managed identity called a storage API,

615
00:22:04,600 –> 00:22:07,840
an agent executed a tool, a function wrote to a database.

616
00:22:07,840 –> 00:22:09,040
That is technically correct.

617
00:22:09,040 –> 00:22:11,400
It is strategically useless if you can’t answer,

618
00:22:11,400 –> 00:22:13,440
which decision pathway caused that action

619
00:22:13,440 –> 00:22:14,800
under which approved business rule

620
00:22:14,800 –> 00:22:16,520
with which explicit constraints.

621
00:22:16,520 –> 00:22:18,680
Executives should treat non-human identities

622
00:22:18,680 –> 00:22:20,320
as entropy generators.

623
00:22:20,320 –> 00:22:22,640
Every exception created to make it work

624
00:22:22,640 –> 00:22:25,320
accumulates privileges, expands blast radius,

625
00:22:25,320 –> 00:22:27,360
and erodes least privilege over time.

626
00:22:27,360 –> 00:22:29,280
This isn’t because teams are careless.

627
00:22:29,280 –> 00:22:32,320
It’s because delivery pressure beats governance

628
00:22:32,320 –> 00:22:34,840
unless governance is enforced by design.

629
00:22:34,840 –> 00:22:37,400
So the architecture mandate is simple and brutal.

630
00:22:37,400 –> 00:22:40,480
Separate identity for execution from identity for decision.

631
00:22:40,480 –> 00:22:42,120
Execution identities should be scoped

632
00:22:42,120 –> 00:22:44,240
to narrow deterministic operations.

633
00:22:44,240 –> 00:22:45,600
Decision identities,

634
00:22:45,600 –> 00:22:48,480
agents, should be forced through choke points.

635
00:22:48,480 –> 00:22:50,960
Gateways, approval services, policy engines,

636
00:22:50,960 –> 00:22:52,560
and explicit allow/deny checks

637
00:22:52,560 –> 00:22:54,680
before state changing actions occur.

638
00:22:54,680 –> 00:22:56,200
If the agent can send an email,

639
00:22:56,200 –> 00:22:59,120
create a ticket, modify a record, or trigger a payment,

640
00:22:59,120 –> 00:23:01,240
that action must have a deterministic gate,

641
00:23:01,240 –> 00:23:03,480
not a prompt, not a guideline, a gate.

642
00:23:03,480 –> 00:23:05,440
Because once you let autonomous systems act

643
00:23:05,440 –> 00:23:08,360
inside your environment, identity is no longer a sign-in problem.

644
00:23:08,360 –> 00:23:10,040
It’s your last enforceable boundary

645
00:23:10,040 –> 00:23:13,520
between helpful automation and unknown authority.

646
00:23:13,520 –> 00:23:16,160
Next, we move into the second inevitability scenario.

647
00:23:16,160 –> 00:23:18,680
Agents triggering downstream systems politely,

648
00:23:18,680 –> 00:23:20,160
correctly, and destructively.

649
00:23:20,160 –> 00:23:21,480
Because that’s what autonomy does

650
00:23:21,480 –> 00:23:24,160
when you forget to define where it must stop.

651
00:23:24,160 –> 00:23:26,400
Agent misfire triggering downstream systems.

652
00:23:26,400 –> 00:23:28,280
Scenario two is where the organization learns

653
00:23:28,280 –> 00:23:31,000
the difference between automation and authority.

654
00:23:31,000 –> 00:23:32,240
The pattern is always the same.

655
00:23:32,240 –> 00:23:34,440
An agent gets tools, the tools are convenient.

656
00:23:34,440 –> 00:23:36,080
The tools make the demo work.

657
00:23:36,080 –> 00:23:37,600
The tool permissions are approved

658
00:23:37,600 –> 00:23:39,240
because the use case was approved.

659
00:23:39,240 –> 00:23:41,000
And then the agent does something

660
00:23:41,000 –> 00:23:43,000
that is perfectly consistent with the workflow,

661
00:23:43,000 –> 00:23:45,040
perfectly consistent with the permissions,

662
00:23:45,040 –> 00:23:47,200
and completely inconsistent with what leadership

663
00:23:47,200 –> 00:23:48,840
would call acceptable business behavior.

664
00:23:48,840 –> 00:23:50,720
This is not a hallucination problem.

665
00:23:50,720 –> 00:23:52,040
This is a boundary problem.

666
00:23:52,040 –> 00:23:53,720
Take the common architecture.

667
00:23:53,720 –> 00:23:56,120
An agent sits behind a chat interface,

668
00:23:56,120 –> 00:23:57,600
or inside an internal app,

669
00:23:57,600 –> 00:23:59,960
and it can call downstream systems through APIs.

670
00:23:59,960 –> 00:24:03,480
Logic Apps, Power Automate, line-of-business APIs,

671
00:24:03,480 –> 00:24:07,200
ITSM systems, email, calendar, data stores.

672
00:24:07,200 –> 00:24:09,720
Sometimes it can even create or modify tickets,

673
00:24:09,720 –> 00:24:12,760
users, entitlements, or records.

674
00:24:12,760 –> 00:24:14,520
The intent is usually reasonable.

675
00:24:14,520 –> 00:24:17,160
Let the agent help by taking actions for the user.

676
00:24:17,160 –> 00:24:19,160
But what actually happens is the system learns

677
00:24:19,160 –> 00:24:23,160
that help equals execute, so it executes.

678
00:24:23,160 –> 00:24:25,520
A user says, can you cancel my order?

679
00:24:25,520 –> 00:24:27,040
The agent calls the order API.

680
00:24:27,040 –> 00:24:29,560
A user says, email the customer with an update.

681
00:24:29,560 –> 00:24:30,800
The agent sends the email.

682
00:24:30,800 –> 00:24:32,400
A user says, clean up this data set.

683
00:24:32,400 –> 00:24:35,200
The agent writes transformations back into the lake.

684
00:24:35,200 –> 00:24:37,080
A user says, disable that account.

685
00:24:37,080 –> 00:24:38,800
The agent calls an identity endpoint.

686
00:24:38,800 –> 00:24:40,720
The organization thinks this is productivity.

687
00:24:40,720 –> 00:24:42,400
It is until the action is wrong.

688
00:24:42,400 –> 00:24:44,440
And the counter intuitive part is that the action

689
00:24:44,440 –> 00:24:46,160
can be wrong without being incorrect,

690
00:24:46,160 –> 00:24:49,120
because the agent can be correct in the narrow technical sense.

691
00:24:49,120 –> 00:24:50,760
It followed the user’s text.

692
00:24:50,760 –> 00:24:52,000
It used the right API.

693
00:24:52,000 –> 00:24:53,480
It received a 200 OK.

694
00:24:53,480 –> 00:24:54,480
It wrote the record.

695
00:24:54,480 –> 00:24:55,840
It worked.

696
00:24:55,840 –> 00:24:57,560
But the action can still be a business failure,

697
00:24:57,560 –> 00:24:59,720
because the system executed without consent,

698
00:24:59,720 –> 00:25:01,880
without confirmation, without context,

699
00:25:01,880 –> 00:25:04,440
and without a deterministic rule that says,

700
00:25:04,440 –> 00:25:07,080
this class of action requires a human gate.

701
00:25:07,080 –> 00:25:09,280
This is where executives keep confusing two approvals.

702
00:25:09,280 –> 00:25:10,680
They approved the use case.

703
00:25:10,680 –> 00:25:13,160
They did not approve every possible execution path

704
00:25:13,160 –> 00:25:15,240
the agent will take inside that use case.

705
00:25:15,240 –> 00:25:16,440
Those are not the same thing.

706
00:25:16,440 –> 00:25:19,360
A traditional system has a narrow execution surface.

707
00:25:19,360 –> 00:25:22,240
An agentic system has an expanding execution surface,

708
00:25:22,240 –> 00:25:25,080
because every new tool is a new way to affect the enterprise.

709
00:25:25,080 –> 00:25:27,240
The moment you attach a tool that mutates state,

710
00:25:27,240 –> 00:25:29,320
you have created an irreversible pathway.

711
00:25:29,320 –> 00:25:31,320
And irreversible pathways are where governance

712
00:25:31,320 –> 00:25:33,960
must be enforced before execution, not after.

713
00:25:33,960 –> 00:25:35,680
The failure mode usually looks polite.

714
00:25:35,680 –> 00:25:36,880
It doesn’t look like an attacker.

715
00:25:36,880 –> 00:25:39,360
It looks like a helpful system being proactive.

716
00:25:39,360 –> 00:25:41,360
It sends an email that should have been reviewed.

717
00:25:41,360 –> 00:25:43,400
It closes a ticket that should have stayed open.

718
00:25:43,400 –> 00:25:46,160
It updates a record that should have required a second approval.

719
00:25:46,160 –> 00:25:47,880
It triggers a workflow that should only

720
00:25:47,880 –> 00:25:49,320
run in a specific context.

721
00:25:49,320 –> 00:25:52,320
Then leadership gets the post-incident briefing.

722
00:25:52,320 –> 00:25:53,920
The engineering team explains the agent

723
00:25:53,920 –> 00:25:55,240
did what it was allowed to do.

724
00:25:55,240 –> 00:25:58,120
Security points out the permissions were technically correct.

725
00:25:58,120 –> 00:25:59,360
Operations shows the logs.

726
00:25:59,360 –> 00:26:02,160
And everyone is frustrated because the system wasn’t broken.

727
00:26:02,160 –> 00:26:03,560
It behaved exactly as designed.

728
00:26:03,560 –> 00:26:06,280
That’s the executive failure exposed in this scenario.

729
00:26:06,280 –> 00:26:09,360
Correct execution against incorrect authority boundaries.

730
00:26:09,360 –> 00:26:10,920
So the question C-level should ask

731
00:26:10,920 –> 00:26:14,360
isn’t, did we secure the model or did we validate the prompt?

732
00:26:14,360 –> 00:26:17,240
The question is, where are the choke points before execution?

733
00:26:17,240 –> 00:26:20,160
Where does the agent get stopped and forced to ask for confirmation?

734
00:26:20,160 –> 00:26:22,240
Where does it get forced into a two-step commit?

735
00:26:22,240 –> 00:26:23,240
Where does it get denied?

736
00:26:23,240 –> 00:26:26,160
Because the action crosses a boundary, financial impact,

737
00:26:26,160 –> 00:26:30,240
legal impact, customer impact, data mutation, identity change.

738
00:26:30,240 –> 00:26:32,840
If the only boundary you have is the tool permission itself,

739
00:26:32,840 –> 00:26:33,840
you’ve already lost.

740
00:26:33,840 –> 00:26:35,560
Because tool permission is binary.

741
00:26:35,560 –> 00:26:37,360
It’s can call or can’t call.

742
00:26:37,360 –> 00:26:38,880
Authority is contextual.

743
00:26:38,880 –> 00:26:40,680
It’s can call under these conditions

744
00:26:40,680 –> 00:26:42,480
with these limits, with this approval,

745
00:26:42,480 –> 00:26:44,960
with this audit trail, with this rollback plan.

746
00:26:44,960 –> 00:26:46,320
And yes, rollback plan.

747
00:26:46,320 –> 00:26:48,240
Because the real damage in scenario two

748
00:26:48,240 –> 00:26:49,400
isn’t only the action.

749
00:26:49,400 –> 00:26:50,640
It’s the irreversibility.

750
00:26:50,640 –> 00:26:52,200
An email cannot be unsent.

751
00:26:52,200 –> 00:26:54,360
A customer notification cannot be unread.

752
00:26:54,360 –> 00:26:56,400
A record mutation becomes the new truth.

753
00:26:56,400 –> 00:26:58,440
A workflow triggered in the wrong order

754
00:26:58,440 –> 00:27:01,840
becomes a process violation that looks like compliance failure.

755
00:27:01,840 –> 00:27:03,680
So if an agent can trigger real systems,

756
00:27:03,680 –> 00:27:06,960
you need explicit architecture for consent and containment.

757
00:27:06,960 –> 00:27:09,120
Gateways that enforce allow and deny.

758
00:27:09,120 –> 00:27:12,200
Approval services that create deterministic pauses

759
00:27:12,200 –> 00:27:15,160
and a classification of actions by blast radius.

760
00:27:15,160 –> 00:27:16,760
Some actions are safe to automate.

761
00:27:16,760 –> 00:27:18,480
Some actions must never be autonomous.

762
00:27:18,480 –> 00:27:20,240
And leadership has to decide which is which,

763
00:27:20,240 –> 00:27:23,200
because engineering will always default toward make it work.

764
00:27:23,200 –> 00:27:25,000
That’s what delivery pressure creates.

765
00:27:25,000 –> 00:27:27,320
Scenario two ends with a simple reality.

766
00:27:27,320 –> 00:27:29,840
The agent didn’t misfire because it was dumb.

767
00:27:29,840 –> 00:27:32,200
It misfired because you gave it authority

768
00:27:32,200 –> 00:27:33,080
you didn’t define.

769
00:27:33,080 –> 00:27:34,240
Next, the problem gets worse.

770
00:27:34,240 –> 00:27:36,120
Because once you have autonomous action,

771
00:27:36,120 –> 00:27:38,200
you need to answer the question nobody wants to answer

772
00:27:38,200 –> 00:27:39,280
during an incident.

773
00:27:39,280 –> 00:27:41,280
Who exactly owns that action?

774
00:27:41,280 –> 00:27:43,760
The identity gap for non-human actors.

775
00:27:43,760 –> 00:27:45,880
Scenario three is where identity stops being

776
00:27:45,880 –> 00:27:48,880
a control plane service and becomes a liability register.

777
00:27:48,880 –> 00:27:51,040
Most organizations already have the pattern.

778
00:27:51,040 –> 00:27:54,280
Non-human work gets done through managed identities

779
00:27:54,280 –> 00:27:55,440
and service principals.

780
00:27:55,440 –> 00:27:56,320
They’re stable.

781
00:27:56,320 –> 00:27:57,520
They’re automatable.

782
00:27:57,520 –> 00:27:58,880
They don’t take vacations.

783
00:27:58,880 –> 00:28:00,480
And on paper, they fit the old model.

784
00:28:00,480 –> 00:28:03,400
An application identity executes deterministic code.

785
00:28:03,400 –> 00:28:04,520
Agents don’t fit that model.

786
00:28:04,520 –> 00:28:06,120
So what happens is predictable.

787
00:28:06,120 –> 00:28:07,720
Teams stand up an agent.

788
00:28:07,720 –> 00:28:10,320
They need it to call storage, search, mail, tickets,

789
00:28:10,320 –> 00:28:12,400
or line-of-business APIs.

790
00:28:12,400 –> 00:28:14,560
And they strap a managed identity or service

791
00:28:14,560 –> 00:28:16,120
principal onto it like a badge.

792
00:28:16,120 –> 00:28:16,880
Now it can act.

793
00:28:16,880 –> 00:28:19,120
That badge becomes the stand-in for decision making.

794
00:28:19,120 –> 00:28:22,000
And the moment you do that, your audit trail collapses.

795
00:28:22,000 –> 00:28:24,760
The logs don’t say the agent decided to do this

796
00:28:24,760 –> 00:28:27,360
because it interpreted the user intent this way.

797
00:28:27,360 –> 00:28:30,080
The logs say this app identity called this API.

798
00:28:30,080 –> 00:28:31,160
That’s accurate and useless.

799
00:28:31,160 –> 00:28:33,920
And it tells you who executed, not who decided.

800
00:28:33,920 –> 00:28:35,800
In an incident, that distinction

801
00:28:35,800 –> 00:28:38,120
is the difference between containment and theater.

802
00:28:38,120 –> 00:28:39,680
Now add the revocation problem.

803
00:28:39,680 –> 00:28:42,880
In a clean world, you revoke the identity and the risk stops.

804
00:28:42,880 –> 00:28:44,840
In the real world, revoking that identity

805
00:28:44,840 –> 00:28:48,280
breaks production processes that quietly accumulated around it.

806
00:28:48,280 –> 00:28:50,640
Because once an identity exists and works,

807
00:28:50,640 –> 00:28:51,680
teams reuse it.

808
00:28:51,680 –> 00:28:53,240
They attach it to new workflows.

809
00:28:53,240 –> 00:28:54,120
They add exceptions.

810
00:28:54,120 –> 00:28:56,520
They broaden permissions to just get it done.

811
00:28:56,520 –> 00:28:58,440
Those exceptions are not misconfigurations.

812
00:28:58,440 –> 00:29:00,000
They are entropy generators.

813
00:29:00,000 –> 00:29:02,920
So when the agent misbehaves, you face an executive grade

814
00:29:02,920 –> 00:29:04,720
trade-off that shouldn’t exist.

815
00:29:04,720 –> 00:29:07,440
Break the business to stop the risk or keep the business

816
00:29:07,440 –> 00:29:09,080
running and keep the risk alive.

817
00:29:09,080 –> 00:29:10,600
That’s what identity debt looks like.

818
00:29:10,600 –> 00:29:12,360
There’s also a segregation problem.

819
00:29:12,360 –> 00:29:13,440
And it’s more subtle.

820
00:29:13,440 –> 00:29:15,640
Least privilege works when people believe permissions

821
00:29:15,640 –> 00:29:17,160
are expensive to grant.

822
00:29:17,160 –> 00:29:19,240
Agent projects make permissions feel cheap

823
00:29:19,240 –> 00:29:22,360
because the friction is in delivery, not in governance.

824
00:29:22,360 –> 00:29:24,120
Someone needs the demo to work, so they

825
00:29:24,120 –> 00:29:27,560
grant the identity broad access temporarily.

826
00:29:27,560 –> 00:29:29,200
Temporary access is a fairy tale.

827
00:29:29,200 –> 00:29:30,400
It never gets removed.

828
00:29:30,400 –> 00:29:32,080
It becomes part of the system’s shape.

829
00:29:32,080 –> 00:29:33,880
Over time, policy drift turns IAM

830
00:29:33,880 –> 00:29:36,720
into a probabilistic security model, mostly constrained,

831
00:29:36,720 –> 00:29:38,560
occasionally broad, full of exceptions,

832
00:29:38,560 –> 00:29:40,240
and governed by tribal knowledge.

833
00:29:40,240 –> 00:29:42,400
The organization believes it has least privilege

834
00:29:42,400 –> 00:29:43,840
because it has RBAC.

835
00:29:43,840 –> 00:29:45,880
But RBAC with exceptions isn’t least privilege.

836
00:29:45,880 –> 00:29:47,200
It’s conditional chaos.

837
00:29:47,200 –> 00:29:49,560
And once you attach that chaos to an autonomous system,

838
00:29:49,560 –> 00:29:52,440
you stop governing access and start gambling on outcomes.

839
00:29:52,440 –> 00:29:53,960
Here’s the uncomfortable truth.

840
00:29:53,960 –> 00:29:56,600
Agent identity needs its own accountability model.

841
00:29:56,600 –> 00:29:59,960
Execution identities are for predictable, narrow operations.

842
00:29:59,960 –> 00:30:02,520
Agents require identities that encode

843
00:30:02,520 –> 00:30:05,320
what they are allowed to decide, not just what they are

844
00:30:05,320 –> 00:30:06,040
allowed to call.

845
00:30:06,040 –> 00:30:09,560
That means scoping by action classes, not just by resource.

846
00:30:09,560 –> 00:30:11,160
Read is not the same as write.

847
00:30:11,160 –> 00:30:12,520
Write is not the same as delete.

848
00:30:12,520 –> 00:30:14,280
Notify is not the same as transact.

849
00:30:14,280 –> 00:30:16,680
Identity change is not the same as ticket update.

850
00:30:16,680 –> 00:30:18,840
If those distinctions aren’t explicit,

851
00:30:18,840 –> 00:30:21,360
the identity becomes a universal remote control

852
00:30:21,360 –> 00:30:22,480
with one button.

853
00:30:22,480 –> 00:30:23,120
Allow.

854
00:30:23,120 –> 00:30:25,440
And yes, Microsoft is moving in this direction

855
00:30:25,440 –> 00:30:28,160
with first-class agent identity concepts in Entra.

856
00:30:28,160 –> 00:30:29,840
That doesn’t magically fix governance.

857
00:30:29,840 –> 00:30:31,720
It’s evidence that the platform is acknowledging

858
00:30:31,720 –> 00:30:32,800
the underlying mismatch.

859
00:30:32,800 –> 00:30:34,600
The system had to invent a new actor type

860
00:30:34,600 –> 00:30:37,000
because the old one couldn’t carry accountability.

861
00:30:37,000 –> 00:30:38,720
But the real fix is still yours.

862
00:30:38,720 –> 00:30:41,040
You need to be able to answer in plain language

863
00:30:41,040 –> 00:30:42,200
during an incident.

864
00:30:42,200 –> 00:30:43,480
What do we revoke?

865
00:30:43,480 –> 00:30:45,760
And what business process stops when we revoke it?

866
00:30:45,760 –> 00:30:48,320
If you can’t answer that, you don’t have controlled autonomy,

867
00:30:48,320 –> 00:30:49,760
you have disguised privilege.

868
00:30:49,760 –> 00:30:52,680
So scenario three ends with a simple executive rule.

869
00:30:52,680 –> 00:30:56,320
Every non-human identity must map to an owned blast radius,

870
00:30:56,320 –> 00:30:58,400
a named owner, a defined set of actions,

871
00:30:58,400 –> 00:31:01,600
a clear revocation path, and an enforced separation

872
00:31:01,600 –> 00:31:03,800
between this identity runs code

873
00:31:03,800 –> 00:31:05,520
and this identity makes decisions.

874
00:31:05,520 –> 00:31:07,720
If you don’t do that, the incident won’t be the agent

875
00:31:07,720 –> 00:31:09,120
did something.

876
00:31:09,120 –> 00:31:11,680
The incident will be, we don’t know which identity to kill

877
00:31:11,680 –> 00:31:13,840
without killing ourselves.

878
00:31:13,840 –> 00:31:16,520
Next, we move to a more permanent problem than identity,

879
00:31:16,520 –> 00:31:17,400
gravity.

880
00:31:17,400 –> 00:31:20,680
Because once your data models and agents start binding together,

881
00:31:20,680 –> 00:31:22,720
the organization doesn’t just lose control,

882
00:31:22,720 –> 00:31:24,640
it loses the ability to leave.

883
00:31:24,640 –> 00:31:28,240
Data gravity becomes AI gravity, lock-in accelerates.

884
00:31:28,240 –> 00:31:30,360
Now we get to the part nobody budgets for,

885
00:31:30,360 –> 00:31:32,120
because it doesn’t show up as a line item

886
00:31:32,120 –> 00:31:34,400
until it’s too late, gravity.

887
00:31:34,400 –> 00:31:37,240
Most executives understand data gravity in the abstract.

888
00:31:37,240 –> 00:31:39,480
The data gets big, moving it gets expensive,

889
00:31:39,480 –> 00:31:41,120
so applications move closer to it.

890
00:31:41,120 –> 00:31:42,880
That was already true in the cloud era,

891
00:31:42,880 –> 00:31:45,760
but AI changes the direction and the speed of gravity,

892
00:31:45,760 –> 00:31:49,800
because AI doesn’t just sit near data, AI shapes data.

893
00:31:49,800 –> 00:31:53,240
And once AI starts shaping data, what becomes hard to move

894
00:31:53,240 –> 00:31:56,040
isn’t just the storage, it’s the meaning.

895
00:31:56,040 –> 00:31:59,160
Traditional data platforms create lock-in through format,

896
00:31:59,160 –> 00:32:01,160
pipelines, and operational muscle memory.

897
00:32:01,160 –> 00:32:02,800
That’s inconvenient, but survivable.

898
00:32:02,800 –> 00:32:03,880
You can rewrite pipelines.

899
00:32:03,880 –> 00:32:04,920
You can migrate tables.

900
00:32:04,920 –> 00:32:06,400
You can re-platform compute.

901
00:32:06,400 –> 00:32:08,360
It hurts, but it’s mostly engineering.

902
00:32:08,360 –> 00:32:09,800
AI lock-in is different.

903
00:32:09,800 –> 00:32:12,440
AI lock-in is when the organization’s knowledge,

904
00:32:12,440 –> 00:32:14,840
workflows, and decisions become platform-shaped.

905
00:32:14,840 –> 00:32:16,200
Here’s the mechanical reason.

906
00:32:16,200 –> 00:32:18,640
Modern AI systems don’t just query data.

907
00:32:18,640 –> 00:32:21,880
They create intermediate artifacts that become dependencies.

908
00:32:21,880 –> 00:32:23,920
Embeddings, vector indexes, retrieval layers,

909
00:32:23,920 –> 00:32:26,080
conversation histories, evaluation data sets,

910
00:32:26,080 –> 00:32:28,400
agent policies, tool schemas, prompt templates,

911
00:32:28,400 –> 00:32:30,720
routing logic, and safety filters.

912
00:32:30,720 –> 00:32:32,680
None of these are just configuration.

913
00:32:32,680 –> 00:32:34,360
They are the behavior of your system,

914
00:32:34,360 –> 00:32:35,200
and they accumulate.

915
00:32:35,200 –> 00:32:37,520
In other words, the architecture grows a second brain,

916
00:32:37,520 –> 00:32:39,360
and that second brain is rarely portable

917
00:32:39,360 –> 00:32:42,400
because it’s deeply tied to the services that host it.

918
00:32:42,400 –> 00:32:44,440
Azure amplifies this because it is very good

919
00:32:44,440 –> 00:32:47,600
at making the AI stack feel like one coherent surface.

920
00:32:47,600 –> 00:32:49,320
Data lives in Azure native patterns.

921
00:32:49,320 –> 00:32:51,640
Knowledge gets grounded through managed retrieval.

922
00:32:51,640 –> 00:32:54,000
Pipelines connect to managed model endpoints.

923
00:32:54,000 –> 00:32:56,080
Monitoring flows into platform observability.

924
00:32:56,080 –> 00:32:58,880
Identity hooks into Entra, governance hooks into Purview.

925
00:32:58,880 –> 00:33:00,000
Everything is composable.

926
00:33:00,000 –> 00:33:01,400
Everything is productive.

927
00:33:01,400 –> 00:33:04,080
And every connection you add becomes one more dependency

928
00:33:04,080 –> 00:33:05,840
chain you’ll have to unwind later.

929
00:33:05,840 –> 00:33:07,160
This is the uncomfortable truth.

930
00:33:07,160 –> 00:33:09,280
Lock-in doesn’t arrive as a big decision.

931
00:33:09,280 –> 00:33:11,800
It arrives as a thousand small integrations

932
00:33:11,800 –> 00:33:15,240
that nobody wants to delete once the productivity narrative starts.

933
00:33:15,240 –> 00:33:18,680
And AI creates political lock-in faster than data platforms

934
00:33:18,680 –> 00:33:21,440
ever did because AI produces visible wins.

935
00:33:21,440 –> 00:33:24,040
It summarizes, it drafts, it answers, it automates.

936
00:33:24,040 –> 00:33:26,160
People build workflows around it immediately.

937
00:33:26,160 –> 00:33:28,560
You don’t just migrate an application at that point.

938
00:33:28,560 –> 00:33:30,080
You migrate an organization’s habits.

939
00:33:30,080 –> 00:33:32,920
Now add the shift from data gravity to AI gravity.

940
00:33:32,920 –> 00:33:34,800
In the old model, data attracted apps.

941
00:33:34,800 –> 00:33:37,560
In the new model, models and agents attract everything else.

942
00:33:37,560 –> 00:33:40,320
Data organization, pipeline design, governance models,

943
00:33:40,320 –> 00:33:41,480
and business process shape.

944
00:33:41,480 –> 00:33:43,280
Because once you build an agent that depends

945
00:33:43,280 –> 00:33:45,960
on a specific retrieval strategy, specific embeddings,

946
00:33:45,960 –> 00:33:48,480
specific indexes, and specific tool contracts,

947
00:33:48,480 –> 00:33:51,600
those components stop being implementation details.

948
00:33:51,600 –> 00:33:52,760
They become the system.

949
00:33:52,760 –> 00:33:54,920
And the system stops being explainable outside

950
00:33:54,920 –> 00:33:56,480
its native platform context.

951
00:33:56,480 –> 00:33:58,440
This is why AI lock-in isn’t about APIs.

952
00:33:58,440 –> 00:34:01,120
It’s about dependency chains you can no longer reason about.

953
00:34:01,120 –> 00:34:03,000
The reason executives should care is simple.

954
00:34:03,000 –> 00:34:05,080
Optionality is a form of risk control.

955
00:34:05,080 –> 00:34:07,080
If you can’t exit, you can’t negotiate.

956
00:34:07,080 –> 00:34:09,080
If you can’t unwind, you can’t correct course.

957
00:34:09,080 –> 00:34:11,600
If you can’t move, a future regulatory requirement

958
00:34:11,600 –> 00:34:12,480
becomes a crisis.

959
00:34:12,480 –> 00:34:14,800
If you can’t reproduce your agent behavior elsewhere,

960
00:34:14,800 –> 00:34:16,160
you don’t have portability.

961
00:34:16,160 –> 00:34:17,760
You have captivity with a roadmap.

962
00:34:17,760 –> 00:34:19,520
So the architectural decision in this act

963
00:34:19,520 –> 00:34:21,640
isn’t, should we use Azure Data Services

964
00:34:21,640 –> 00:34:23,040
or should we use a lakehouse?

965
00:34:23,040 –> 00:34:26,080
The decision is, what must remain portable by design?

966
00:34:26,080 –> 00:34:28,920
Some assets should be treated as portable on day one.

967
00:34:28,920 –> 00:34:31,300
Raw data, core business definitions,

968
00:34:31,300 –> 00:34:33,720
critical decision logs, evaluation data sets,

969
00:34:33,720 –> 00:34:35,240
and the policy layer that determines

970
00:34:35,240 –> 00:34:37,320
what actions an agent is allowed to take.

971
00:34:37,320 –> 00:34:38,760
Those are the things you will need

972
00:34:38,760 –> 00:34:41,680
if you ever have to reconstitute trust somewhere else.

973
00:34:41,680 –> 00:34:44,240
And some assets will be allowed to be platform-shaped,

974
00:34:44,240 –> 00:34:47,320
convenience indexes, transient caches, accelerators,

975
00:34:47,320 –> 00:34:48,880
and non-critical automations.

976
00:34:48,880 –> 00:34:51,560
But you need to label that distinction intentionally

977
00:34:51,560 –> 00:34:53,680
because Azure will not label it for you.

978
00:34:53,680 –> 00:34:55,680
The platform will happily let you bind your business

979
00:34:55,680 –> 00:34:57,440
semantics into managed services

980
00:34:57,440 –> 00:34:59,320
until the only way to reproduce outcomes

981
00:34:59,320 –> 00:35:00,760
is to stay where you are.

982
00:35:00,760 –> 00:35:03,680
So Act Five lands on a simple executive posture.

983
00:35:03,680 –> 00:35:06,560
Velocity versus optionality is a choice you make once

984
00:35:06,560 –> 00:35:07,960
then pay for forever.

985
00:35:07,960 –> 00:35:09,680
If leadership doesn’t explicitly decide

986
00:35:09,680 –> 00:35:12,280
which parts of the AI system must remain portable,

987
00:35:12,280 –> 00:35:13,880
the system will decide for you

988
00:35:13,880 –> 00:35:17,040
and it will decide in the direction of maximum coupling.

989
00:35:17,040 –> 00:35:20,160
Unplanned Lock-In via Data plus Model plus agent dependency

990
00:35:20,160 –> 00:35:20,880
chains.

991
00:35:20,880 –> 00:35:23,120
Scenario four is the lock-in you didn’t choose on paper,

992
00:35:23,120 –> 00:35:24,960
but you absolutely chose in behavior.

993
00:35:24,960 –> 00:35:26,280
It starts innocently.

994
00:35:26,280 –> 00:35:27,920
We’ll put our data in the lakehouse,

995
00:35:27,920 –> 00:35:31,000
then we’ll add embeddings so the assistant can find answers,

996
00:35:31,000 –> 00:35:34,160
then we’ll orchestrate a few agents so it can take actions,

997
00:35:34,160 –> 00:35:36,960
then we’ll connect it to Microsoft 365

998
00:35:36,960 –> 00:35:38,840
and our line of business systems because that’s where

999
00:35:38,840 –> 00:35:39,880
the work is.

1000
00:35:39,880 –> 00:35:42,040
And somewhere around that fourth, then,

1001
00:35:42,040 –> 00:35:44,280
the organization crosses a line it doesn’t recognize

1002
00:35:44,280 –> 00:35:46,720
at the time because the lock-in isn’t a service,

1003
00:35:46,720 –> 00:35:47,600
it’s the chain.

1004
00:35:47,600 –> 00:35:50,880
OneLake or any lakehouse pattern is not by itself the trap.

1005
00:35:50,880 –> 00:35:53,920
The trap is what happens after you bind three things together,

1006
00:35:53,920 –> 00:35:56,960
the data plane, the reasoning plane and the execution plane.

1007
00:35:56,960 –> 00:35:58,520
The data plane is where facts live,

1008
00:35:58,520 –> 00:36:00,880
the reasoning plane is where meaning gets inferred,

1009
00:36:00,880 –> 00:36:03,120
the execution plane is where actions happen.

1010
00:36:03,120 –> 00:36:04,560
When those three are tightly coupled,

1011
00:36:04,560 –> 00:36:06,960
you’ve built something that looks like an application

1012
00:36:06,960 –> 00:36:08,720
but behaves like a small platform.

1013
00:36:08,720 –> 00:36:11,480
That distinction matters because platforms don’t migrate.

1014
00:36:11,480 –> 00:36:13,600
They metastasize.

1015
00:36:13,600 –> 00:36:16,600
Here’s the irreversible step most executives miss.

1016
00:36:16,600 –> 00:36:19,400
The moment AI-generated transformations and enrichments

1017
00:36:19,400 –> 00:36:21,520
become accepted as the source of truth.

1018
00:36:21,520 –> 00:36:23,640
Not the raw data, the enriched data,

1019
00:36:23,640 –> 00:36:25,640
the summarized data, the classified data,

1020
00:36:25,640 –> 00:36:28,280
the extracted entities, the inferred relationships,

1021
00:36:28,280 –> 00:36:30,800
the “this looks right” artifacts that show up in dashboards

1022
00:36:30,800 –> 00:36:32,800
and reports and tickets and emails,

1023
00:36:32,800 –> 00:36:34,520
those outputs start driving decisions,

1024
00:36:34,520 –> 00:36:36,840
then people stop asking where they came from,

1025
00:36:36,840 –> 00:36:38,960
then they become operational reality.

1026
00:36:38,960 –> 00:36:41,680
And once the organization treats AI-shaped outputs

1027
00:36:41,680 –> 00:36:44,640
as authoritative, you can’t just move the data later.

1028
00:36:44,640 –> 00:36:47,040
You would have to reproduce the behavior that shaped it,

1029
00:36:47,040 –> 00:36:48,600
now add embeddings and retrieval.

1030
00:36:48,600 –> 00:36:50,560
Embeddings aren’t just indexes.

1031
00:36:50,560 –> 00:36:54,440
They are interpretations of your data encoded into a vector space.

1032
00:36:54,440 –> 00:36:56,240
If you rebuild them with a different model,

1033
00:36:56,240 –> 00:36:58,800
a different tokenizer, a different chunking strategy,

1034
00:36:58,800 –> 00:37:01,800
or even different normalization, retrieval changes,

1035
00:37:01,800 –> 00:37:04,640
answer quality changes, agent decisions change.

1036
00:37:04,640 –> 00:37:06,640
That means the knowledge your organization thinks

1037
00:37:06,640 –> 00:37:08,640
it has embedded becomes platform-shaped,

1038
00:37:08,640 –> 00:37:10,480
not because Microsoft wants it to be,

1039
00:37:10,480 –> 00:37:12,120
because the semantics are now a product

1040
00:37:12,120 –> 00:37:15,480
of the full chain, not the raw data, then add orchestration.

1041
00:37:15,480 –> 00:37:17,840
As soon as you orchestrate multi-agent flows,

1042
00:37:17,840 –> 00:37:21,120
researcher, writer, reviewer, sender, whatever your enterprise

1043
00:37:21,120 –> 00:37:23,800
version is, you’ve created a behavior graph.

1044
00:37:23,800 –> 00:37:26,440
That graph isn’t documented in architecture diagrams.

1045
00:37:26,440 –> 00:37:29,880
It’s encoded in prompts, tool schemas, evaluation thresholds,

1046
00:37:29,880 –> 00:37:32,080
routing rules, and a pile of small exceptions

1047
00:37:32,080 –> 00:37:33,640
that got added to make it work.

1048
00:37:33,640 –> 00:37:36,800
Over time, nobody can reason about the system end to end.

1049
00:37:36,800 –> 00:37:38,720
They can only reason about components.

1050
00:37:38,720 –> 00:37:39,960
That’s the hidden lock-in.

1051
00:37:39,960 –> 00:37:41,960
Dependency chains you can’t reason about

1052
00:37:41,960 –> 00:37:43,320
can’t be rewritten safely.

1053
00:37:43,320 –> 00:37:46,160
So when leadership eventually asks, can we move this?

1054
00:37:46,160 –> 00:37:47,600
The honest answer becomes,

1055
00:37:47,600 –> 00:37:48,680
we can move the data.

1056
00:37:48,680 –> 00:37:50,880
We can’t reproduce the outcomes without rebuilding

1057
00:37:50,880 –> 00:37:52,600
the entire decision-and-action system.

1058
00:37:52,600 –> 00:37:55,160
That’s not migration, that’s reinvention under pressure.

1059
00:37:55,160 –> 00:37:57,560
And the worst part is that reversal becomes politically

1060
00:37:57,560 –> 00:37:59,920
impossible, because by then, the productivity narrative

1061
00:37:59,920 –> 00:38:01,200
has already won.

1062
00:38:01,200 –> 00:38:03,120
The AI system is saving time.

1063
00:38:03,120 –> 00:38:04,240
Teams rely on it.

1064
00:38:04,240 –> 00:38:05,800
Executives have told the board about it.

1065
00:38:05,800 –> 00:38:07,880
People have built KPIs around it.

1066
00:38:07,880 –> 00:38:10,400
There are head-count plans that assume it exists.

1067
00:38:10,400 –> 00:38:12,400
And when you propose decoupling or redesigning,

1068
00:38:12,400 –> 00:38:13,840
it sounds like sabotage.

1069
00:38:13,840 –> 00:38:16,160
So the organization keeps stacking more dependencies

1070
00:38:16,160 –> 00:38:17,320
on the same chain.

1071
00:38:17,320 –> 00:38:20,000
This scenario exposes the executive failure mode.

1072
00:38:20,000 –> 00:38:22,640
Short-term velocity traded for long-term optionality

1073
00:38:22,640 –> 00:38:23,960
without naming the trade.

1074
00:38:23,960 –> 00:38:26,320
The architectural question isn’t, are we locked in?

1075
00:38:26,320 –> 00:38:27,280
That’s too late.

1076
00:38:27,280 –> 00:38:29,920
The question is, what must remain portable by design,

1077
00:38:29,920 –> 00:38:32,280
even if everything else becomes convenient?

1078
00:38:32,280 –> 00:38:33,600
That typically means four things.

1079
00:38:33,600 –> 00:38:36,080
First, raw data, preserved, immutable,

1080
00:38:36,080 –> 00:38:38,240
and accessible outside the AI layer.

1081
00:38:38,240 –> 00:38:40,480
Second, the policy layer, the explicit rules

1082
00:38:40,480 –> 00:38:42,800
that define what the agent is allowed to do.

1083
00:38:42,800 –> 00:38:45,400
Third, the decision log, the trace of why actions

1084
00:38:45,400 –> 00:38:48,160
happened in business terms, not just API calls.

1085
00:38:48,160 –> 00:38:50,480
Fourth, the evaluation set, the test

1086
00:38:50,480 –> 00:38:52,280
that defined good enough behavior.

1087
00:38:52,280 –> 00:38:55,200
So you can validate a new stack if you ever have to rebuild.

1088
00:38:55,200 –> 00:38:57,520
If you don’t preserve those as portable assets,

1089
00:38:57,520 –> 00:38:58,680
you’re not buying a platform.

1090
00:38:58,680 –> 00:39:00,560
You’re buying a dependency you can’t unwind.

1091
00:39:00,560 –> 00:39:02,840
And Azure will not warn you when you cross that line,

1092
00:39:02,840 –> 00:39:05,520
it will simply keep making the chain easier to extend.

1093
00:39:05,520 –> 00:39:07,760
Governance after the fact is not governance.

1094
00:39:07,760 –> 00:39:09,760
This is where most enterprises comfort themselves

1095
00:39:09,760 –> 00:39:10,520
with dashboards.

1096
00:39:10,520 –> 00:39:13,040
They have logs, they have lineage, they have workbooks,

1097
00:39:13,040 –> 00:39:15,640
they have incident post-mortems with clean timelines

1098
00:39:15,640 –> 00:39:16,720
and lots of screenshots.

1099
00:39:16,720 –> 00:39:20,160
They can explain what happened in exquisite technical detail.

1100
00:39:20,160 –> 00:39:21,280
And none of that is governance.

1101
00:39:21,280 –> 00:39:23,040
Governance is not visibility.

1102
00:39:23,040 –> 00:39:24,480
Governance is authority.

1103
00:39:24,480 –> 00:39:26,320
Visibility tells you what the system did.

1104
00:39:26,320 –> 00:39:28,560
Authority decides what the system is allowed to do.

1105
00:39:28,560 –> 00:39:30,760
That distinction matters because AI doesn’t wait

1106
00:39:30,760 –> 00:39:32,280
for humans to catch up.

1107
00:39:32,280 –> 00:39:34,440
Agentic systems execute at compute speed

1108
00:39:34,440 –> 00:39:37,200
and your governance model still executes at meeting speed.

1109
00:39:37,200 –> 00:39:40,040
That time mismatch is not a process problem you can fix

1110
00:39:40,040 –> 00:39:41,080
with better calendars.

1111
00:39:41,080 –> 00:39:42,280
It’s an architectural gap.

1112
00:39:42,280 –> 00:39:44,280
Most organizations build cloud governance

1113
00:39:44,280 –> 00:39:45,400
around three assumptions.

1114
00:39:45,400 –> 00:39:48,080
Humans deploy changes, humans approve access

1115
00:39:48,080 –> 00:39:49,640
and humans review outcomes.

1116
00:39:49,640 –> 00:39:51,360
So the control loop looks like this.

1117
00:39:51,360 –> 00:39:55,080
Ship something, observe it, detect drift, meet about drift,

1118
00:39:55,080 –> 00:39:56,960
create tickets, then maybe fix drift.

1119
00:39:56,960 –> 00:39:58,440
That works when drift happens slowly

1120
00:39:58,440 –> 00:40:00,280
and the system isn’t acting autonomously.

1121
00:40:00,280 –> 00:40:03,080
In AI systems, drift can happen inside a single session.

1122
00:40:03,080 –> 00:40:04,640
An agent can pull new context,

1123
00:40:04,640 –> 00:40:06,400
reinterpret intent, call a different tool

1124
00:40:06,400 –> 00:40:08,800
and mutate data before anyone has a chance

1125
00:40:08,800 –> 00:40:09,800
to review anything.

1126
00:40:09,800 –> 00:40:11,760
The operational reality becomes

1127
00:40:11,760 –> 00:40:14,120
the organization can explain harm after the fact

1128
00:40:14,120 –> 00:40:16,880
but it can’t prevent recurrence at the moment it matters.

1129
00:40:16,880 –> 00:40:19,080
And auditors don’t care that you can explain harm.

1130
00:40:19,080 –> 00:40:20,600
They care that you can prevent it.

1131
00:40:20,600 –> 00:40:22,880
This is where executives confuse compliance artifacts

1132
00:40:22,880 –> 00:40:24,480
with control plane design.

1133
00:40:24,480 –> 00:40:26,200
Lineage is useful, logs are useful.

1134
00:40:26,200 –> 00:40:27,760
They help you reconstruct history

1135
00:40:27,760 –> 00:40:29,760
but they don’t stop a bad action from executing.

1136
00:40:29,760 –> 00:40:31,400
They don’t stop a sensitive data set

1137
00:40:31,400 –> 00:40:33,120
from being copied into the wrong place.

1138
00:40:33,120 –> 00:40:35,440
They don’t stop an agent from emailing a customer

1139
00:40:35,440 –> 00:40:36,360
with the wrong language.

1140
00:40:36,360 –> 00:40:39,200
They don’t stop a runaway loop from consuming tokens

1141
00:40:39,200 –> 00:40:41,000
and cash. So governance has to move closer

1142
00:40:41,000 –> 00:40:42,280
to the execution path,

1143
00:40:42,280 –> 00:40:44,600
not as a new committee, as choke points.

1144
00:40:44,600 –> 00:40:49,880
A choke point is a pre-execution enforcement mechanism

1145
00:40:49,880 –> 00:40:52,560
that can say no, not log it, not alert it,

1146
00:40:52,560 –> 00:40:54,040
not review it later.

1147
00:40:54,040 –> 00:40:57,720
EGIA is key, so Netinthe art, no.

1148
00:40:57,720 –> 00:41:00,720
In a deterministic system, you already have these.

1149
00:41:00,720 –> 00:41:03,560
Transaction constraints, schema enforcement,

1150
00:41:03,560 –> 00:41:06,440
network segmentation, privileged access workflows.

1151
00:41:06,440 –> 00:41:07,960
They are boring and they are effective

1152
00:41:07,960 –> 00:41:09,320
because they fail closed.

1153
00:41:09,320 –> 00:41:11,240
AI systems need the same kind of boredom.

1154
00:41:11,240 –> 00:41:13,080
They need deterministic boundaries around

1155
00:41:13,080 –> 00:41:14,280
probabilistic decisions.

1156
00:41:14,280 –> 00:41:16,400
That means you define classes of actions

1157
00:41:16,400 –> 00:41:18,200
and you put gates in front of those classes.

1158
00:41:18,200 –> 00:41:21,240
State changes need gates, data mutation needs gates,

1159
00:41:21,240 –> 00:41:25,000
identity changes need gates, external communications needs gates,

1160
00:41:25,000 –> 00:41:26,760
spend above a threshold needs gates,

1161
00:41:26,760 –> 00:41:28,480
anything irreversible needs gates.

1162
00:41:28,480 –> 00:41:30,200
And gate doesn’t mean a policy document.

1163
00:41:30,200 –> 00:41:32,800
It means a system component, API gateways,

1164
00:41:32,800 –> 00:41:35,560
tool brokers, approval services, allow lists,

1165
00:41:35,560 –> 00:41:38,040
deny rules and explicit human in the loop steps

1166
00:41:38,040 –> 00:41:39,680
for defined categories of action.

1167
00:41:39,680 –> 00:41:40,560
Here’s the problem.

1168
00:41:40,560 –> 00:41:42,280
Most Azure governance tools were built

1169
00:41:42,280 –> 00:41:44,120
to manage posture, not behavior.

1170
00:41:44,120 –> 00:41:47,560
Azure Policy can restrict deployments and enforce configurations.

1171
00:41:47,560 –> 00:41:49,920
Defender can detect threats and raise alerts,

1172
00:41:49,920 –> 00:41:52,440
Purview can classify data, show lineage,

1173
00:41:52,440 –> 00:41:53,720
and help with investigations.

1174
00:41:53,720 –> 00:41:55,400
These are strong capabilities,

1175
00:41:55,400 –> 00:41:57,800
but they do not, by default, evaluate the meaning

1176
00:41:57,800 –> 00:41:59,840
of an agent’s next action in real time

1177
00:41:59,840 –> 00:42:01,320
and deny it before execution.

1178
00:42:01,320 –> 00:42:04,680
So if leadership asks, can Azure governance stop an AI system?

1179
00:42:04,680 –> 00:42:07,800
The honest answer is it can often explain it.

1180
00:42:07,800 –> 00:42:10,480
It can sometimes constrain the environment around it.

1181
00:42:10,480 –> 00:42:12,680
It rarely stops behavior inside the loop

1182
00:42:12,680 –> 00:42:15,200
unless you deliberately design enforcement into the loop.

1183
00:42:15,200 –> 00:42:17,360
That’s why observability isn’t authority.

1184
00:42:17,360 –> 00:42:20,320
Observability is narration, authority is prevention.

1185
00:42:20,320 –> 00:42:21,960
And if your governance story depends on,

1186
00:42:21,960 –> 00:42:23,480
we’ll see it in the logs.

1187
00:42:23,480 –> 00:42:25,240
You have already accepted that the first time

1188
00:42:25,240 –> 00:42:28,120
you learn about a harmful action is after it happened.

1189
00:42:28,120 –> 00:42:29,480
That is not a governance model.

1190
00:42:29,480 –> 00:42:30,720
That is a forensic model.

1191
00:42:30,720 –> 00:42:33,400
So the executive mandate in this act is simple.

1192
00:42:33,400 –> 00:42:35,560
Move governance from after-the-fact review

1193
00:42:35,560 –> 00:42:37,280
to deny-before-execute control,

1194
00:42:37,280 –> 00:42:38,920
put enforcement into the control plane,

1195
00:42:38,920 –> 00:42:40,320
not into the slide deck.

1196
00:42:40,320 –> 00:42:42,640
Because AI doesn’t require better dashboards,

1197
00:42:42,640 –> 00:42:45,560
it requires fewer permissions, fewer autonomous paths,

1198
00:42:45,560 –> 00:42:47,720
and more deterministic refusal points.

1199
00:42:47,720 –> 00:42:49,280
Next is the uncomfortable part.

1200
00:42:49,280 –> 00:42:51,760
What happens when you don’t build those refusal points?

1201
00:42:51,760 –> 00:42:53,240
And an audit forces you to admit

1202
00:42:53,240 –> 00:42:55,560
that your governance program can describe the system

1203
00:42:55,560 –> 00:42:57,280
but cannot stop it.

1204
00:42:57,280 –> 00:42:59,640
Governance misdiscovered during audit.

1205
00:42:59,640 –> 00:43:02,040
Scenario five is where the organization

1206
00:43:02,040 –> 00:43:05,320
discovers the difference between, we can show you what happened,

1207
00:43:05,320 –> 00:43:08,000
and we can prove it couldn’t happen again.

1208
00:43:08,000 –> 00:43:09,520
It doesn’t start with an outage.

1209
00:43:09,520 –> 00:43:11,440
It starts with a request, an auditor,

1210
00:43:11,440 –> 00:43:14,000
an internal risk committee, a regulator,

1211
00:43:14,000 –> 00:43:16,880
sometimes a major customer doing due diligence.

1212
00:43:16,880 –> 00:43:18,440
They ask for a simple thing.

1213
00:43:18,440 –> 00:43:21,080
Evidence that the organization prevents certain classes

1214
00:43:21,080 –> 00:43:24,360
of AI-driven actions, not detects them, prevents them.

1215
00:43:24,360 –> 00:43:27,040
And this is where the comfort of dashboards collapses.

1216
00:43:27,040 –> 00:43:29,760
Because the organization usually responds with what it has.

1217
00:43:29,760 –> 00:43:32,520
Logs, lineage, traces, and policy documents,

1218
00:43:32,520 –> 00:43:34,160
it can show that actions were recorded.

1219
00:43:34,160 –> 00:43:35,520
It can show who authenticated.

1220
00:43:35,520 –> 00:43:36,840
It can show where data moved.

1221
00:43:36,840 –> 00:43:39,760
It can even show that content filters flagged things sometimes.

1222
00:43:39,760 –> 00:43:42,600
But the question the auditor keeps asking in different words

1223
00:43:42,600 –> 00:43:44,000
is brutally narrow.

1224
00:43:44,000 –> 00:43:47,160
Where is the control that stops the action before it executes?

1225
00:43:47,160 –> 00:43:49,760
If the answer is, we would have seen it and responded.

1226
00:43:49,760 –> 00:43:50,840
That’s not a control.

1227
00:43:50,840 –> 00:43:53,040
That’s a hope backed by incident management.

1228
00:43:53,040 –> 00:43:54,240
Audits don’t reward hope.

1229
00:43:54,240 –> 00:43:56,040
They reward enforced constraints.

1230
00:43:56,040 –> 00:43:57,720
This is the moment executives realize

1231
00:43:57,720 –> 00:44:00,160
that governance latency is not just inconvenient.

1232
00:44:00,160 –> 00:44:01,360
It is disqualifying.

1233
00:44:01,360 –> 00:44:04,000
Your governance process might operate on daily reviews.

1234
00:44:04,000 –> 00:44:05,560
Weekly meetings, monthly access,

1235
00:44:05,560 –> 00:44:07,800
certifications, quarterly risk reporting,

1236
00:44:07,800 –> 00:44:09,560
agentic systems operate on seconds.

1237
00:44:09,560 –> 00:44:11,400
So you end up with an uncomfortable exchange.

1238
00:44:11,400 –> 00:44:13,920
The auditor says, show me how you prevent an agent

1239
00:44:13,920 –> 00:44:16,840
from sending regulated data to an external party.

1240
00:44:16,840 –> 00:44:20,240
The team says, we have DLP, we have logs, we have Purview labels,

1241
00:44:20,240 –> 00:44:22,200
and we monitor exfiltration.

1242
00:44:22,200 –> 00:44:24,200
The auditor says, that describes detection.

1243
00:44:24,200 –> 00:44:26,280
Where is the pre-execution deny?

1244
00:44:26,280 –> 00:44:29,120
Or the auditor asks, show me that an autonomous system cannot

1245
00:44:29,120 –> 00:44:31,920
modify a system of record without explicit approval.

1246
00:44:31,920 –> 00:44:34,520
And the organization replies, only specific identities

1247
00:44:34,520 –> 00:44:36,880
have access and we have change management.

1248
00:44:36,880 –> 00:44:39,120
And the auditor says, the identity did have access.

1249
00:44:39,120 –> 00:44:40,360
The change did occur.

1250
00:44:40,360 –> 00:44:42,040
How do you stop it next time at runtime

1251
00:44:42,040 –> 00:44:44,120
without relying on a human noticing?

1252
00:44:44,120 –> 00:44:47,280
This is why governance treated as observability fails audits

1253
00:44:47,280 –> 00:44:48,760
because you can explain the harm,

1254
00:44:48,760 –> 00:44:50,920
but you can’t demonstrate that the system will refuse

1255
00:44:50,920 –> 00:44:52,760
the same action under the same conditions.

1256
00:44:52,760 –> 00:44:55,040
And AI makes this worse because same conditions

1257
00:44:55,040 –> 00:44:56,440
doesn’t mean the same output.

1258
00:44:56,440 –> 00:44:58,000
The agent can take a different path

1259
00:44:58,000 –> 00:44:59,800
and still reach the same harmful end state.

1260
00:44:59,800 –> 00:45:02,160
So auditors stop caring about your intentions

1261
00:45:02,160 –> 00:45:04,600
and start caring about your enforcement surface.

1262
00:45:04,600 –> 00:45:06,400
The real failure mode in this scenario

1263
00:45:06,400 –> 00:45:09,520
is that the organization cannot produce a deterministic answer

1264
00:45:09,520 –> 00:45:10,720
to a deterministic question.

1265
00:45:10,720 –> 00:45:12,440
It cannot point to a choke point.

1266
00:45:12,440 –> 00:45:14,400
It cannot show a deny rule firing.

1267
00:45:14,400 –> 00:45:17,200
It cannot show a mandatory approval gate being invoked.

1268
00:45:17,200 –> 00:45:18,880
It can only show retrospective artifacts.

1269
00:45:18,880 –> 00:45:20,160
And here’s the political problem.

1270
00:45:20,160 –> 00:45:22,600
The organization is usually proud of those artifacts.

1271
00:45:22,600 –> 00:45:24,840
It invested in logging, it invested in dashboards,

1272
00:45:24,840 –> 00:45:26,440
it invested in governance tooling,

1273
00:45:26,440 –> 00:45:28,840
it created policies and training and committee structures.

1274
00:45:28,840 –> 00:45:30,360
So when the audit exposes the gap,

1275
00:45:30,360 –> 00:45:32,280
leadership hears it as we did nothing.

1276
00:45:32,280 –> 00:45:34,200
Even though what it really means is we did things

1277
00:45:34,200 –> 00:45:36,280
that don’t control execution.

1278
00:45:36,280 –> 00:45:38,360
The audit outcome is predictable.

1279
00:45:38,360 –> 00:45:40,520
Findings that read like missing controls,

1280
00:45:40,520 –> 00:45:41,760
not missing visibility,

1281
00:45:41,760 –> 00:45:43,880
not enough separation between agent identities

1282
00:45:43,880 –> 00:45:46,200
and execution permissions, no hard stop

1283
00:45:46,200 –> 00:45:48,240
on certain categories of tool calls,

1284
00:45:48,240 –> 00:45:50,760
no enforced human approval for state mutation

1285
00:45:50,760 –> 00:45:53,280
in defined systems, no runtime constraint

1286
00:45:53,280 –> 00:45:55,720
on cost and consumption for autonomous loops,

1287
00:45:55,720 –> 00:45:58,000
no clear evidence that data cannot be copied

1288
00:45:58,000 –> 00:46:01,120
or transformed outside defined boundaries.

1289
00:46:01,120 –> 00:46:03,640
And the painful part is that none of these are bugs.

1290
00:46:03,640 –> 00:46:05,160
They’re design omissions.

1291
00:46:05,160 –> 00:46:07,320
They are the inevitable result of treating governance

1292
00:46:07,320 –> 00:46:10,280
as something you layer on top of the system after it works.

1293
00:46:10,280 –> 00:46:13,440
Auditors don’t care that you can explain why it happened.

1294
00:46:13,440 –> 00:46:16,160
They care that you can guarantee where it cannot happen.

1295
00:46:16,160 –> 00:46:18,520
So the executive question that closes this scenario

1296
00:46:18,520 –> 00:46:19,720
is the only one that matters.

1297
00:46:19,720 –> 00:46:22,080
Where is enforcement guaranteed pre-execution?

1298
00:46:22,080 –> 00:46:25,040
If the answer is our people, that is not a guarantee.

1299
00:46:25,040 –> 00:46:27,640
If the answer is a review meeting, that is not a guarantee.

1300
00:46:27,640 –> 00:46:30,640
If the answer is we’ll detect it, that is not a guarantee.

1301
00:46:30,640 –> 00:46:34,080
A guarantee is a component that denies before execute.

1302
00:46:34,080 –> 00:46:36,880
And until leadership demands that as a design property,

1303
00:46:36,880 –> 00:46:39,120
every audit will be the same story.

1304
00:46:39,120 –> 00:46:41,560
Confident visibility, weak authority,

1305
00:46:41,560 –> 00:46:43,200
and a system that can act faster

1306
00:46:43,200 –> 00:46:45,840
than the organization can govern it well.

1307
00:46:45,840 –> 00:46:48,680
The executive architecture questions that actually matter.

1308
00:46:48,680 –> 00:46:50,960
Audit surfaced the absence of enforcement,

1309
00:46:50,960 –> 00:46:53,320
incident surfaced the absence of boundaries,

1310
00:46:53,320 –> 00:46:55,800
cost overruns surfaced the absence of intent.

1311
00:46:55,800 –> 00:46:58,240
And every one of those shows up downstream

1312
00:46:58,240 –> 00:47:00,040
when the organization is already committed.

1313
00:47:00,040 –> 00:47:02,160
So Act VII is where leadership stops asking

1314
00:47:02,160 –> 00:47:04,760
for status updates and starts asking architecture questions

1315
00:47:04,760 –> 00:47:06,760
that force ownership, not checklists.

1316
00:47:06,760 –> 00:47:07,880
Checklists get delegated.

1317
00:47:07,880 –> 00:47:10,000
These are questions that make the room uncomfortable

1318
00:47:10,000 –> 00:47:12,040
because the answers are either we don’t know

1319
00:47:12,040 –> 00:47:13,200
or we don’t control it.

1320
00:47:13,200 –> 00:47:15,160
Here’s the framing executives should adopt.

1321
00:47:15,160 –> 00:47:17,680
AI systems are distributed decision engines

1322
00:47:17,680 –> 00:47:20,320
operating inside a deterministic control plane.

1323
00:47:20,320 –> 00:47:22,480
If leadership does not explicitly constrain

1324
00:47:22,480 –> 00:47:25,440
decision authority, the platform will operationalize

1325
00:47:25,440 –> 00:47:27,000
whatever permissions exist.

1326
00:47:27,000 –> 00:47:29,600
That means every serious question starts with where.

1327
00:47:29,600 –> 00:47:30,680
Where can the system act?

1328
00:47:30,680 –> 00:47:31,680
Where can it spend?

1329
00:47:31,680 –> 00:47:33,680
Where can it move or transform data?

1330
00:47:33,680 –> 00:47:35,680
Where can it trigger downstream systems?

1331
00:47:35,680 –> 00:47:38,160
And where does enforcement happen before execution?

1332
00:47:38,160 –> 00:47:39,600
Start with action authority.

1333
00:47:39,600 –> 00:47:41,360
Because action is where harm becomes real.

1334
00:47:41,360 –> 00:47:43,840
Where can an agent execute a state changing action

1335
00:47:43,840 –> 00:47:44,880
without a human gate?

1336
00:47:44,880 –> 00:47:47,160
Not where does it usually get reviewed?

1337
00:47:47,160 –> 00:47:49,040
Where can it execute right now?

1338
00:47:49,040 –> 00:47:50,120
In production.

1339
00:47:50,120 –> 00:47:53,840
At 2am, with a valid token and a plausible reason.

1340
00:47:53,840 –> 00:47:55,640
List the actions that matter.

1341
00:47:55,640 –> 00:47:57,480
Send external communications?

1342
00:47:57,480 –> 00:47:59,920
Modify systems of record, approve workflows,

1343
00:47:59,920 –> 00:48:02,680
disable accounts, change entitlements, trigger payments,

1344
00:48:02,680 –> 00:48:05,000
or initiate irreversible processes.

1345
00:48:05,000 –> 00:48:06,960
Then ask the only follow-up that matters.

1346
00:48:06,960 –> 00:48:09,840
For each of those actions, what is the deterministic choke

1347
00:48:09,840 –> 00:48:11,000
point that can deny it?

1348
00:48:11,000 –> 00:48:13,560
If the answer is the agent’s instructions,

1349
00:48:13,560 –> 00:48:15,000
that is not a choke point.

1350
00:48:15,000 –> 00:48:16,280
Prompts are not controls.

1351
00:48:16,280 –> 00:48:17,640
They’re preferences.

1352
00:48:17,640 –> 00:48:19,800
If the answer is, we’ll see it in the logs

1353
00:48:19,800 –> 00:48:21,120
that is not a choke point.

1354
00:48:21,120 –> 00:48:22,240
That’s narration.

1355
00:48:22,240 –> 00:48:24,160
Next is spend authority.

1356
00:48:24,160 –> 00:48:27,080
Because spend is just action expressed as money.

1357
00:48:27,080 –> 00:48:29,800
Where can an AI system incur cost without a hard stop?

1358
00:48:29,800 –> 00:48:31,040
Not do we have budgets?

1359
00:48:31,040 –> 00:48:32,360
Budgets are alerts.

1360
00:48:32,360 –> 00:48:34,320
This is about pre-execution refusal.

1361
00:48:34,320 –> 00:48:35,560
Where does a request get denied?

1362
00:48:35,560 –> 00:48:37,240
Because it exceeds a cost class.

1363
00:48:37,240 –> 00:48:38,160
Where is the call blocked?

1364
00:48:38,160 –> 00:48:39,600
Because it would exceed max tokens,

1365
00:48:39,600 –> 00:48:42,080
exceed a retry ceiling, exceed a tool call quota,

1366
00:48:42,080 –> 00:48:45,120
or route to a premium model without justification.

1367
00:48:45,120 –> 00:48:46,880
If leadership can’t point to that governor,

1368
00:48:46,880 –> 00:48:48,960
then finance is funding an autonomous loop

1369
00:48:48,960 –> 00:48:50,320
and calling it innovation.

1370
00:48:50,320 –> 00:48:52,840
Third is data mutation and data copying,

1371
00:48:52,840 –> 00:48:55,000
because data is the slowest moving asset

1372
00:48:55,000 –> 00:48:57,040
and the easiest to damage permanently.

1373
00:48:57,040 –> 00:49:00,240
Where can AI copy sensitive data into a new location

1374
00:49:00,240 –> 00:49:02,320
or transform it into a new truth?

1375
00:49:02,320 –> 00:49:05,240
Without a reversible workflow, this includes embeddings,

1376
00:49:05,240 –> 00:49:08,160
summaries, extracted entities, and enriched data sets

1377
00:49:08,160 –> 00:49:09,720
that start driving decisions.

1378
00:49:09,720 –> 00:49:12,360
Executives should force a simple classification.

1379
00:49:12,360 –> 00:49:15,080
Which data sets are allowed to be mutated by AI

1380
00:49:15,080 –> 00:49:17,920
and which data sets are write-protected by design?

1381
00:49:17,920 –> 00:49:19,880
If the answer is we have Purview labels,

1382
00:49:19,880 –> 00:49:21,400
that’s a classification mechanism.

1383
00:49:21,400 –> 00:49:23,480
It is not enforcement unless it blocks the action.

1384
00:49:23,480 –> 00:49:25,080
Fourth is downstream triggering

1385
00:49:25,080 –> 00:49:28,240
because the blast radius is rarely inside the AI system.

1386
00:49:28,240 –> 00:49:31,040
It’s in what the AI system can cause other systems to do.

1387
00:49:31,040 –> 00:49:33,280
Where can an agent trigger external workflows?

1388
00:49:33,280 –> 00:49:35,960
Where can it call Logic Apps, Power Automate flows,

1389
00:49:35,960 –> 00:49:38,720
ITSM actions, email sending, ticket closure,

1390
00:49:38,720 –> 00:49:40,840
user provisioning, or order modification?

1391
00:49:40,840 –> 00:49:43,680
Then ask the ownership question most teams avoid.

1392
00:49:43,680 –> 00:49:45,200
For each downstream trigger,

1393
00:49:45,200 –> 00:49:47,280
who is accountable for the business impact

1394
00:49:47,280 –> 00:49:48,840
of that automation path?

1395
00:49:48,840 –> 00:49:50,520
Not the team that built the agent.

1396
00:49:50,520 –> 00:49:52,600
The executive owner who accepts the risk

1397
00:49:52,600 –> 00:49:54,920
of autonomous execution in that pathway

1398
00:49:54,920 –> 00:49:56,640
because without named ownership,

1399
00:49:56,640 –> 00:49:58,880
every incident becomes a routing exercise.

1400
00:49:58,880 –> 00:50:01,800
Security blames engineering, engineering blames product,

1401
00:50:01,800 –> 00:50:05,200
product blames the model, and leadership learns nothing.

1402
00:50:05,200 –> 00:50:07,640
Fifth is identity because identity is the last

1403
00:50:07,640 –> 00:50:10,520
enforceable boundary between autonomy and chaos.

1404
00:50:10,520 –> 00:50:12,960
Which non-human identities represent decision-making

1405
00:50:12,960 –> 00:50:14,240
not just execution?

1406
00:50:14,240 –> 00:50:16,480
If the organization answers service principals,

1407
00:50:16,480 –> 00:50:17,640
that’s the old world.

1408
00:50:17,640 –> 00:50:20,440
That’s execution identity pretending to be authority.

1409
00:50:20,440 –> 00:50:22,760
Then ask if we revoke that identity today?

1410
00:50:22,760 –> 00:50:23,600
What breaks?

1411
00:50:23,600 –> 00:50:24,840
If revocation breaks the business,

1412
00:50:24,840 –> 00:50:26,640
you don’t have identity governance,

1413
00:50:26,640 –> 00:50:28,160
you have identity dependency.

1414
00:50:28,160 –> 00:50:29,840
And finally, the question that collapses

1415
00:50:29,840 –> 00:50:31,920
all the others into a leadership posture.

1416
00:50:31,920 –> 00:50:34,360
Where must we reintroduce determinism on purpose,

1417
00:50:34,360 –> 00:50:37,000
not inside the model, at the boundaries?

1418
00:50:37,000 –> 00:50:39,160
Which classes of actions are forbidden by default

1419
00:50:39,160 –> 00:50:40,800
and only granted explicitly?

1420
00:50:40,800 –> 00:50:43,440
Because this is what executives actually control,

1421
00:50:43,440 –> 00:50:45,480
the default posture of the enterprise.

1422
00:50:45,480 –> 00:50:47,440
If leadership makes autonomy the default,

1423
00:50:47,440 –> 00:50:49,280
the organization will spend the next two years

1424
00:50:49,280 –> 00:50:51,440
adding constraints in the middle of incidents.

1425
00:50:51,440 –> 00:50:53,560
If leadership makes determinism the default

1426
00:50:53,560 –> 00:50:55,120
at defined choke points,

1427
00:50:55,120 –> 00:50:57,360
then autonomy becomes a controlled capability

1428
00:50:57,360 –> 00:50:59,000
rather than a spreading condition.

1429
00:50:59,000 –> 00:51:01,160
This is what AI readiness actually means,

1430
00:51:01,160 –> 00:51:04,120
not more pilots, not more dashboards.

1431
00:51:04,120 –> 00:51:06,480
A control plane that refuses unsafe outcomes

1432
00:51:06,480 –> 00:51:08,600
before they become explainable tragedies,

1433
00:51:08,600 –> 00:51:09,360
let alone.

1434
00:51:09,360 –> 00:51:11,480
The 30-day architectural review agenda,

1435
00:51:11,480 –> 00:51:13,640
plus AI red team framing.

1436
00:51:13,640 –> 00:51:15,520
If Act VII gave you the questions,

1437
00:51:15,520 –> 00:51:17,360
this section gives you the mandate.

1438
00:51:17,360 –> 00:51:19,680
Not a transformation program, not a backlog,

1439
00:51:19,680 –> 00:51:22,080
a 30-day review that produces one artifact,

1440
00:51:22,080 –> 00:51:24,920
a constraint map owned by an executive, not a team.

1441
00:51:24,920 –> 00:51:26,920
Week one is autonomous execution paths.

1442
00:51:26,920 –> 00:51:29,280
Map every place AI can initiate action

1443
00:51:29,280 –> 00:51:30,840
without a human gate.

1444
00:51:30,840 –> 00:51:34,120
Not where AI exists, where AI can cause state change,

1445
00:51:34,120 –> 00:51:36,880
include every tool, every connector, every downstream API,

1446
00:51:36,880 –> 00:51:38,040
every workflow trigger.

1447
00:51:38,040 –> 00:51:39,720
If you don’t know, that’s the point.

1448
00:51:39,720 –> 00:51:41,480
Discovery is the first control.

1449
00:51:41,480 –> 00:51:44,480
The output of week one is a list of autonomous pathways,

1450
00:51:44,480 –> 00:51:46,240
each tagged by blast radius,

1451
00:51:46,240 –> 00:51:50,400
financial, customer, legal, data integrity, identity.

1452
00:51:50,400 –> 00:51:52,280
Week two is uncontrolled cost pathways.

1453
00:51:52,280 –> 00:51:54,240
Map where spend can occur without a hard stop,

1454
00:51:54,240 –> 00:51:57,040
that means every model call path, every retry path,

1455
00:51:57,040 –> 00:51:59,320
every agent loop, every retrieval expansion,

1456
00:51:59,320 –> 00:52:01,440
every routing decision to a premium model.

1457
00:52:01,440 –> 00:52:03,240
You’re not asking finance for reports.

1458
00:52:03,240 –> 00:52:05,480
You’re asking engineering to show where denial occurs

1459
00:52:05,480 –> 00:52:06,440
before execution.

1460
00:52:06,440 –> 00:52:08,400
If the only answer is budgets and alerts,

1461
00:52:08,400 –> 00:52:09,960
mark it as uncontrolled.

1462
00:52:09,960 –> 00:52:13,120
The output of week two is the cost authority map,

1463
00:52:13,120 –> 00:52:15,400
where the system can spend, who owns it,

1464
00:52:15,400 –> 00:52:16,880
and what enforces ceilings.

1465
00:52:16,880 –> 00:52:19,080
Week three is non-human identity reality.

1466
00:52:19,080 –> 00:52:21,440
Inventory service principals, managed identities,

1467
00:52:21,440 –> 00:52:23,240
and any agent identity constructs,

1468
00:52:23,240 –> 00:52:24,760
then map who they can impersonate,

1469
00:52:24,760 –> 00:52:27,400
what they can touch, and what breaks if they’re revoked.

1470
00:52:27,400 –> 00:52:30,120
That last part matters because revocation is your emergency brake.

1471
00:52:30,120 –> 00:52:32,200
If revocation breaks core processes,

1472
00:52:32,200 –> 00:52:34,760
the identity is not governed, it is embedded.

1473
00:52:34,760 –> 00:52:37,640
The output of week three is an accountability map.

1474
00:52:37,640 –> 00:52:40,480
Each non-human identity tied to an owner,

1475
00:52:40,480 –> 00:52:41,800
a defined action scope,

1476
00:52:41,800 –> 00:52:44,040
and a revocation plan that doesn’t require an incident

1477
00:52:44,040 –> 00:52:45,080
to discover.

1478
00:52:45,080 –> 00:52:47,040
Week four is deny-before-execute gaps.

1479
00:52:47,040 –> 00:52:49,160
This is where governance stops being a slide

1480
00:52:49,160 –> 00:52:50,600
and becomes a system.

1481
00:52:50,600 –> 00:52:53,160
For every high-risk path from weeks one through three,

1482
00:52:53,160 –> 00:52:54,680
identify the missing choke point.

1483
00:52:54,680 –> 00:52:56,640
Where would you put the gate that can say no?

1484
00:52:56,640 –> 00:52:59,680
API gateway, tool broker, approval service,

1485
00:52:59,680 –> 00:53:02,440
allow list, quota, policy engine, human in loop,

1486
00:53:02,440 –> 00:53:04,160
the implementation details vary.

1487
00:53:04,160 –> 00:53:05,160
The principle doesn’t.

1488
00:53:05,160 –> 00:53:07,960
If the path can execute without a deterministic refusal point,

1489
00:53:07,960 –> 00:53:08,880
it is not governed.

1490
00:53:08,880 –> 00:53:11,280
The output of week four is the enforcement gap list,

1491
00:53:11,280 –> 00:53:13,160
prioritized by irreversible harm.

1492
00:53:13,160 –> 00:53:14,960
Now layer on the red team framing,

1493
00:53:14,960 –> 00:53:17,080
because polite failure is the default mode

1494
00:53:17,080 –> 00:53:18,040
of agentic systems.

1495
00:53:18,040 –> 00:53:19,440
You are not looking for attackers,

1496
00:53:19,440 –> 00:53:22,120
you are looking for correct behavior that still harms you.

1497
00:53:22,120 –> 00:53:23,400
Ask three questions.

1498
00:53:23,400 –> 00:53:25,240
How would this system fail politely?

1499
00:53:25,240 –> 00:53:28,120
Where could it behave correctly and still cause business damage?

1500
00:53:28,120 –> 00:53:30,600
Where would you only learn about the failure later?

1501
00:53:30,600 –> 00:53:33,400
Then run those questions against your constraint map.

1502
00:53:33,400 –> 00:53:36,960
Every polite failure should point to a missing gate,

1503
00:53:36,960 –> 00:53:38,800
a place where the system should have been forced

1504
00:53:38,800 –> 00:53:40,680
to stop and ask or denied outright,

1505
00:53:40,680 –> 00:53:42,920
and don’t turn this into a hundred action items.

1506
00:53:42,920 –> 00:53:45,600
Executives love to outsource discomfort into backlogs.

1507
00:53:45,600 –> 00:53:47,120
Backlogs are how risk survives.

1508
00:53:47,120 –> 00:53:49,400
The only acceptable output is a single map

1509
00:53:49,400 –> 00:53:52,120
with named owners and explicit constraints.

1510
00:53:52,120 –> 00:53:54,880
Plus the decision log, what is forbidden by default,

1511
00:53:54,880 –> 00:53:56,280
what is allowed with gates,

1512
00:53:56,280 –> 00:53:58,000
and what is never autonomous.

1513
00:53:58,000 –> 00:53:59,200
That’s the real shift.

1514
00:53:59,200 –> 00:54:01,240
You are not building an AI project.

1515
00:54:01,240 –> 00:54:03,600
You are defining what kinds of autonomy

1516
00:54:03,600 –> 00:54:05,840
your enterprise will tolerate.

1517
00:54:05,840 –> 00:54:06,880
Conclusion.

1518
00:54:06,880 –> 00:54:09,920
Azure won’t stop you from building the uncontrollable system.

1519
00:54:09,920 –> 00:54:11,800
AI doesn’t need smarter models.

1520
00:54:11,800 –> 00:54:13,720
It needs leadership that turns intent

1521
00:54:13,720 –> 00:54:16,600
into enforced constraints before execution.

1522
00:54:16,600 –> 00:54:17,960
If this framing is useful,

1523
00:54:17,960 –> 00:54:19,920
subscribe and listen to the next episode

1524
00:54:19,920 –> 00:54:23,880
on designing choke points, cost governors, tool brokers,

1525
00:54:23,880 –> 00:54:26,120
and deny-by-default patterns that keep

1526
00:54:26,120 –> 00:54:28,560
agentic systems controllable as they scale.




