Integrate ServiceNow and Microsoft for Success

Mirko Peters | Podcasts


1
00:00:00,000 –> 00:00:03,680
Most organizations still talk about ServiceNow like it’s the ticketing system.

2
00:00:03,680 –> 00:00:04,600
They are wrong.

3
00:00:04,600 –> 00:00:07,200
Ticketing was the entry point, not the destination.

4
00:00:07,200 –> 00:00:09,480
The real enterprise problem isn’t too many tools.

5
00:00:09,480 –> 00:00:14,840
It’s that work has no single state, no owner, and no enforceable path from “someone asked” to

6
00:00:14,840 –> 00:00:15,880
“it’s done.”

7
00:00:15,880 –> 00:00:17,840
Microsoft is where intent shows up.

8
00:00:17,840 –> 00:00:20,200
Chats, emails, meetings, documents.

9
00:00:20,200 –> 00:00:23,080
ServiceNow is where intent becomes execution.

10
00:00:23,080 –> 00:00:26,320
Routing, approvals, evidence, audit.

11
00:00:26,320 –> 00:00:29,440
In the next hour, this will get painfully obvious because workflows

12
00:00:29,440 –> 00:00:30,440
don’t fail in theory.

13
00:00:30,440 –> 00:00:32,400
They fail in your org chart.

14
00:00:32,400 –> 00:00:36,520
The enterprise workflow problem, digitally rich, operationally fragmented.

15
00:00:36,520 –> 00:00:38,080
Enterprises are digitally rich.

16
00:00:38,080 –> 00:00:44,160
They have Microsoft 365, they have an ERP, they have a dozen best of breed tools for security,

17
00:00:44,160 –> 00:00:49,400
HR, facilities, finance, procurement, customer operations, and whatever else someone bought

18
00:00:49,400 –> 00:00:51,400
during the last incident review.

19
00:00:51,400 –> 00:00:55,360
And they’re still operationally fragmented because having systems isn’t the same as having

20
00:00:55,360 –> 00:00:57,360
an operating layer.

21
00:00:57,360 –> 00:01:00,240
What most environments actually have is a collection of queues.

22
00:01:00,240 –> 00:01:05,640
Inboxes, Teams channels, portals, ticket forms, Excel trackers, and shared mailboxes.

23
00:01:05,640 –> 00:01:06,920
Each queue has local truth.

24
00:01:06,920 –> 00:01:08,400
None of them have end to end truth.

25
00:01:08,400 –> 00:01:10,160
That distinction matters.

26
00:01:10,160 –> 00:01:12,000
The typical day looks like this.

27
00:01:12,000 –> 00:01:15,360
Someone starts in Teams or Outlook because that’s where people actually work.

28
00:01:15,360 –> 00:01:19,480
They describe a need: new laptop, new access, purchase approval, urgent security alert,

29
00:01:19,480 –> 00:01:23,200
production outage. Intent is created as a message, not a record.

30
00:01:23,200 –> 00:01:24,880
Then the system forces a context switch.

31
00:01:24,880 –> 00:01:29,040
Go to a portal, find the right form, pick the right category, attach the right screenshot,

32
00:01:29,040 –> 00:01:31,760
retype the same story you already wrote in chat.

33
00:01:31,760 –> 00:01:34,320
Submit, wait, follow up, follow up again.

34
00:01:34,320 –> 00:01:37,520
This is not a user experience problem, it’s an execution model problem.

35
00:01:37,520 –> 00:01:41,160
Every time someone jumps from Teams to a portal to an email thread to a spreadsheet and

36
00:01:41,160 –> 00:01:43,400
back again, the organization is paying a tax.

37
00:01:43,400 –> 00:01:47,320
It’s not just time, it’s loss of state, loss of accountability, and loss of evidence.

38
00:01:47,320 –> 00:01:48,640
People don’t remember what they did.

39
00:01:48,640 –> 00:01:49,920
They remember where they did it.

40
00:01:49,920 –> 00:01:52,920
And that becomes the root cause of “we don’t know what happened.”

41
00:01:52,920 –> 00:01:57,080
The worst part is what happens next, manual handoffs, approvals, escalations, exceptions,

42
00:01:57,080 –> 00:02:00,000
quick favors, side channel decisions in chat.

43
00:02:00,000 –> 00:02:03,400
These are entropy generators. They feel fast in the moment and they’re catastrophic

44
00:02:03,400 –> 00:02:04,400
later.

45
00:02:04,400 –> 00:02:08,640
Because each exception bypasses the thing that makes an enterprise predictable, a controlled

46
00:02:08,640 –> 00:02:13,440
sequence of steps with clear ownership and an ordered trail that survives turnover and

47
00:02:13,440 –> 00:02:14,440
panic.

48
00:02:14,440 –> 00:02:18,040
So you end up with a business that can produce documents, send messages, and host meetings

49
00:02:18,040 –> 00:02:21,480
at industrial scale, but can’t reliably move work across boundaries.

50
00:02:21,480 –> 00:02:24,000
And that’s why visibility fails.

51
00:02:24,000 –> 00:02:25,480
Locally everyone can see their piece.

52
00:02:25,480 –> 00:02:26,920
I sent the email.

53
00:02:26,920 –> 00:02:28,200
I approved in chat.

54
00:02:28,200 –> 00:02:30,000
I deployed the fix.

55
00:02:30,000 –> 00:02:32,000
Procurement is looking at it.

56
00:02:32,000 –> 00:02:33,160
Security said it was fine.

57
00:02:33,160 –> 00:02:34,360
Each team has a story.

58
00:02:34,360 –> 00:02:35,360
End to end.

59
00:02:35,360 –> 00:02:36,360
Nobody has the state machine.

60
00:02:36,360 –> 00:02:39,000
You get status everywhere and progress nowhere.

61
00:02:39,000 –> 00:02:42,160
Now the comfortable objection is, but we have an ERP.

62
00:02:42,160 –> 00:02:43,160
Yes, you do.

63
00:02:43,160 –> 00:02:44,560
It records transactions.

64
00:02:44,560 –> 00:02:45,560
It doesn’t route work.

65
00:02:45,560 –> 00:02:48,640
It’s designed to preserve integrity, not orchestrate humans.

66
00:02:48,640 –> 00:02:50,240
An ERP is a system of record.

67
00:02:50,240 –> 00:02:51,240
That’s not an insult.

68
00:02:51,240 –> 00:02:52,240
That’s the point.

69
00:02:52,240 –> 00:02:55,040
It’s slow by design because correctness matters more than speed.

70
00:02:55,040 –> 00:02:58,080
The next objection is, but we have Microsoft 365.

71
00:02:58,080 –> 00:02:59,080
Yes, you do.

72
00:02:59,080 –> 00:03:02,120
It creates artifacts, emails, documents, meetings, chats, tasks.

73
00:03:02,120 –> 00:03:05,440
It captures intent extremely well, but it doesn’t enforce intent.

74
00:03:05,440 –> 00:03:06,880
It doesn’t guarantee sequence.

75
00:03:06,880 –> 00:03:08,800
It doesn’t decide who owns the next step.

76
00:03:08,800 –> 00:03:10,320
It doesn’t compel evidence.

77
00:03:10,320 –> 00:03:12,680
It’s a productivity surface, not an execution engine.

78
00:03:12,680 –> 00:03:15,680
So organizations try to patch the gap with automation.

79
00:03:15,680 –> 00:03:20,440
They build small flows, post a message, create a task, mirror a notification.

80
00:03:20,440 –> 00:03:24,440
Then those flows multiply, ownership disappears, and governance never shows up.

81
00:03:24,440 –> 00:03:25,960
Shadow automation is not innovation.

82
00:03:25,960 –> 00:03:28,360
It’s integration debt with a friendly UI.

83
00:03:28,360 –> 00:03:31,360
And the longer it runs, the worse it gets.

84
00:03:31,360 –> 00:03:33,800
Connectors get overscoped to make it work.

85
00:03:33,800 –> 00:03:37,360
Service accounts become permanent super-users and nobody remembers why.

86
00:03:37,360 –> 00:03:39,320
This is the foundational mistake.

87
00:03:39,320 –> 00:03:42,160
Treating workflows like a side feature of tools.

88
00:03:42,160 –> 00:03:45,520
Instead of treating workflows as the thing the enterprise runs on, because the enterprise

89
00:03:45,520 –> 00:03:47,000
already runs on workflows.

90
00:03:47,000 –> 00:03:48,800
They’re just undocumented and unowned.

91
00:03:48,800 –> 00:03:50,440
Onboarding isn’t an HR ticket.

92
00:03:50,440 –> 00:03:52,440
It’s a cross-domain supply chain.

93
00:03:52,440 –> 00:03:56,800
Identity, access, hardware, payroll, compliance and training.

94
00:03:56,800 –> 00:03:58,920
Security incident response isn’t a Teams chat.

95
00:03:58,920 –> 00:04:02,480
It’s a controlled sequence of containment actions with approvals and evidence.

96
00:04:02,480 –> 00:04:04,680
Finance approvals aren’t an email thread.

97
00:04:04,680 –> 00:04:08,080
They’re policy enforcement with segregation of duties and auditability.

98
00:04:08,080 –> 00:04:09,840
Major incidents aren’t a war room.

99
00:04:09,840 –> 00:04:13,800
They’re coordinated human communication plus authoritative execution and change control.

100
00:04:13,800 –> 00:04:16,360
So when people say “tool sprawl,” they’re not wrong.

101
00:04:16,360 –> 00:04:19,240
But the real problem is workflow fragmentation.

102
00:04:19,240 –> 00:04:23,520
Work starts in one place, gets decided in another, gets executed in the third and gets documented

103
00:04:23,520 –> 00:04:24,840
maybe in a fourth.

104
00:04:24,840 –> 00:04:27,960
And that is the missing operating layer between people and systems.

105
00:04:27,960 –> 00:04:29,600
It is not optional.

106
00:04:29,600 –> 00:04:35,680
It will exist either by design, with governance or by accident, with entropy.

107
00:04:35,680 –> 00:04:37,760
The foundational misunderstanding.

108
00:04:37,760 –> 00:04:40,720
Tickets track pain, workflows control outcomes.

109
00:04:40,720 –> 00:04:42,200
Here’s what most people miss.

110
00:04:42,200 –> 00:04:43,520
A ticket is not a workflow.

111
00:04:43,520 –> 00:04:45,160
A ticket is a container for pain.

112
00:04:45,160 –> 00:04:48,720
It’s a log entry that says something is wrong or someone wants something.

113
00:04:48,720 –> 00:04:51,120
It’s useful because enterprises need triage.

114
00:04:51,120 –> 00:04:52,120
They need queues.

115
00:04:52,120 –> 00:04:53,120
They need assignment.

116
00:04:53,120 –> 00:04:54,440
They need SLAs.

117
00:04:54,440 –> 00:04:56,600
But tickets don’t control outcomes.

118
00:04:56,600 –> 00:05:00,760
Tickets just describe the problem while humans improvise a path to resolution.

119
00:05:00,760 –> 00:05:02,080
That sounds pedantic.

120
00:05:02,080 –> 00:05:03,080
It isn’t.

121
00:05:03,080 –> 00:05:06,440
Because when an organization believes tickets are the operating model, it starts optimizing

122
00:05:06,440 –> 00:05:07,960
for the wrong things.

123
00:05:07,960 –> 00:05:12,560
Faster logging, better categorization, cleaner fields, nicer dashboards.

124
00:05:12,560 –> 00:05:15,200
Meanwhile, the real failure remains untouched.

125
00:05:15,200 –> 00:05:17,480
Work still moves through side channels.

126
00:05:17,480 –> 00:05:21,200
Approvals still happen in meetings and exceptions still get granted by whoever shouts

127
00:05:21,200 –> 00:05:22,200
loudest in Teams.

128
00:05:22,200 –> 00:05:23,440
A workflow is different.

129
00:05:23,440 –> 00:05:25,080
A workflow is a control system.

130
00:05:25,080 –> 00:05:27,360
It defines sequence, ownership, and evidence.

131
00:05:27,360 –> 00:05:30,160
It makes the path from requested to done repeatable.

132
00:05:30,160 –> 00:05:32,280
It doesn’t just track the thing that happened.

133
00:05:32,280 –> 00:05:34,800
It creates the conditions for the thing to happen predictably.

134
00:05:34,800 –> 00:05:37,160
That’s why “beyond ITSM” is not marketing.

135
00:05:37,160 –> 00:05:38,160
It’s a category shift.

136
00:05:38,160 –> 00:05:42,240
ITSM is the first place most enterprises meet workflow discipline because incidents

137
00:05:42,240 –> 00:05:44,280
and requests force the conversation.

138
00:05:44,280 –> 00:05:49,040
But the minute you cross into cross-domain work and HR, security, finance, facilities,

139
00:05:49,040 –> 00:05:50,760
the ticket model starts lying to you.

140
00:05:50,760 –> 00:05:52,840
Take the three classic ITIL shapes.

141
00:05:52,840 –> 00:05:53,840
Incidents are interruptions.

142
00:05:53,840 –> 00:05:55,960
They demand speed and coordination.

143
00:05:55,960 –> 00:05:57,280
Requests are supply chain.

144
00:05:57,280 –> 00:06:00,360
They need fulfillment, approvals, and inventory-like thinking.

145
00:06:00,360 –> 00:06:01,840
Changes are risk management.

146
00:06:01,840 –> 00:06:04,320
They exist to prevent you from making a bad day worse.

147
00:06:04,320 –> 00:06:07,440
Now watch what happens when you treat all three like a ticket.

148
00:06:07,440 –> 00:06:11,360
You build one intake form, one queue, one set of statuses, and then you rely on humans

149
00:06:11,360 –> 00:06:13,040
to do the orchestration in their heads.

150
00:06:13,040 –> 00:06:14,240
That’s where drift starts.

151
00:06:14,240 –> 00:06:17,240
Because the moment reality gets messy, onboarding a VP,

152
00:06:17,240 –> 00:06:20,640
responding to an incident trying to buy something before quarter end,

153
00:06:20,640 –> 00:06:23,360
the workflow gets replaced by just do it.

154
00:06:23,360 –> 00:06:24,640
Approvals happen in chat.

155
00:06:24,640 –> 00:06:26,640
Access gets granted temporarily.

156
00:06:26,640 –> 00:06:28,200
Procurement bypasses checks.

157
00:06:28,200 –> 00:06:30,400
Security says, “We’ll document later.”

158
00:06:30,400 –> 00:06:31,920
And later never arrives.

159
00:06:31,920 –> 00:06:33,040
That’s the entropy pattern.

160
00:06:33,040 –> 00:06:35,200
A shortcut under pressure becomes the real process.

161
00:06:35,200 –> 00:06:38,160
And this is where cross-domain work breaks ticket thinking completely.

162
00:06:38,160 –> 00:06:41,840
Onboarding is not an HR ticket plus an IT ticket.

163
00:06:41,840 –> 00:06:43,880
It’s one workflow with dependencies.

164
00:06:43,880 –> 00:06:48,160
Hire date triggers identity, identity triggers access, access triggers device provisioning,

165
00:06:48,160 –> 00:06:51,200
device provisioning triggers security baselines, security baselines

166
00:06:51,200 –> 00:06:53,080
trigger compliance confirmations.

167
00:06:53,080 –> 00:06:56,800
If that chain isn’t enforced somewhere, you get chaos disguised as productivity.

168
00:06:56,800 –> 00:07:01,160
Same with access requests, same with procurement, same with security response.

169
00:07:01,160 –> 00:07:03,720
A ticket can sit in a queue and still be open.

170
00:07:03,720 –> 00:07:05,320
That’s fine for pain tracking.

171
00:07:05,320 –> 00:07:07,960
But it tells you nothing about throughput, bottlenecks, or risk.

172
00:07:07,960 –> 00:07:10,680
You can close a ticket and still have the wrong access assigned.

173
00:07:10,680 –> 00:07:14,120
You can resolve an incident and still have the same conditions that caused it.

174
00:07:14,120 –> 00:07:18,600
You can implement a change and have zero evidence for why the blast radius was acceptable.

175
00:07:18,600 –> 00:07:20,120
So the reframe is simple.

176
00:07:20,120 –> 00:07:22,080
Ticketing is a visibility tool.

177
00:07:22,080 –> 00:07:23,560
Workflows are an execution tool.

178
00:07:23,560 –> 00:07:26,560
And the enterprise doesn’t get punished for missing visibility.

179
00:07:26,560 –> 00:07:28,520
It gets punished for missing execution.

180
00:07:28,520 –> 00:07:33,440
Because execution is where risk accumulates, who approved, who changed what, what evidence exists,

181
00:07:33,440 –> 00:07:37,600
what controls were bypassed and what is now permanently true in your environment.

182
00:07:37,600 –> 00:07:39,720
Because someone needed it done.

183
00:07:39,720 –> 00:07:45,720
So when leaders say we need to get beyond ITSM, what they usually mean without having the words for it is,

184
00:07:45,720 –> 00:07:48,320
we need enterprise request fulfillment and orchestration.

185
00:07:48,320 –> 00:07:52,880
We need an operating layer that makes work deterministic even when humans are not.

186
00:07:52,880 –> 00:07:55,520
That’s the platform lens executives actually fund.

187
00:07:55,520 –> 00:07:58,160
Not apps, not tickets, operating layers.

188
00:07:58,160 –> 00:08:01,920
And once you see that, the Microsoft and ServiceNow split stops being confusing.

189
00:08:01,920 –> 00:08:03,200
It becomes obvious.

190
00:08:03,200 –> 00:08:06,680
Platform not product, systems of record versus systems of action.

191
00:08:06,680 –> 00:08:08,720
Executives keep buying platforms.

192
00:08:08,720 –> 00:08:13,000
But most of what gets implemented is still treated like a product, a portal, a ticket form,

193
00:08:13,000 –> 00:08:16,280
a reporting dashboard, an AI add-on, a new license tier.

194
00:08:16,280 –> 00:08:19,880
That’s how you end up with expensive tooling and the same operational outcomes.

195
00:08:19,880 –> 00:08:22,240
The useful lens is older and much less exciting.

196
00:08:22,240 –> 00:08:24,640
System of record versus system of action.

197
00:08:24,640 –> 00:08:27,040
A system of record is where truth lives.

198
00:08:27,040 –> 00:08:30,760
It’s authoritative data, governed fields, auditability and retention.

199
00:08:30,760 –> 00:08:33,720
It’s built to be correct, durable and defensible.

200
00:08:33,720 –> 00:08:35,960
The price of that durability is friction.

201
00:08:35,960 –> 00:08:39,080
Approvals, controls and slower change velocity.

202
00:08:39,080 –> 00:08:41,600
ERP is the obvious example. So is your HRIS.

203
00:08:41,600 –> 00:08:45,240
And yes, ServiceNow can be a system of record for certain operational data too.

204
00:08:45,240 –> 00:08:47,160
A system of action is where work moves.

205
00:08:47,160 –> 00:08:52,720
It routes tasks, enforces sequencing, captures decisions, and produces outcomes with evidence.

206
00:08:52,720 –> 00:08:54,080
It’s designed for throughput.

207
00:08:54,080 –> 00:08:57,840
It has to handle humans, exceptions and time pressure without turning into folklore.

208
00:08:57,840 –> 00:09:01,920
Most organizations try to force their systems of record to behave like systems of action.

209
00:09:01,920 –> 00:09:05,520
They attach a workflow to an ERP transaction and call it orchestration.

210
00:09:05,520 –> 00:09:10,240
Or they treat Microsoft 365 artifacts, emails, Planner tasks, Teams messages, as if they are

211
00:09:10,240 –> 00:09:11,560
a process state.

212
00:09:11,560 –> 00:09:13,080
That mistake doesn’t show up in a demo.

213
00:09:13,080 –> 00:09:15,960
It shows up when the CFO asks who approved this.

214
00:09:15,960 –> 00:09:18,280
And the answer is it was in a chat thread.

215
00:09:18,280 –> 00:09:21,760
Or when security asks who authorized that privilege elevation.

216
00:09:21,760 –> 00:09:23,960
And the answer is we agreed in the war room.

217
00:09:23,960 –> 00:09:25,720
Documents aren’t state. Chat isn’t governance.

218
00:09:25,720 –> 00:09:27,800
A mailbox is not an audit trail.

219
00:09:27,800 –> 00:09:30,600
And here’s the part that makes architects uncomfortable.

220
00:09:30,600 –> 00:09:33,720
A system of action must behave like a state machine.

221
00:09:33,720 –> 00:09:34,720
That’s not a metaphor.

222
00:09:34,720 –> 00:09:35,720
It’s a requirement.

223
00:09:35,720 –> 00:09:39,480
There has to be an authoritative definition of where this work is.

224
00:09:39,480 –> 00:09:40,840
What happens next?

225
00:09:40,840 –> 00:09:42,200
Who can move it?

226
00:09:42,200 –> 00:09:44,920
And what evidence is required to move it?

227
00:09:44,920 –> 00:09:49,120
If the work can progress by someone typing “approved” into Teams, you do not have a state

228
00:09:49,120 –> 00:09:50,120
machine.

229
00:09:50,120 –> 00:09:51,400
You have conditional chaos.

230
00:09:51,400 –> 00:09:55,040
This is why “we have M365” doesn’t solve execution.

231
00:09:55,040 –> 00:09:58,760
Microsoft is exceptional at capturing intent and providing collaboration surfaces.

232
00:09:58,760 –> 00:10:02,760
It is not designed to be the authoritative engine that enforces enterprise sequence,

233
00:10:02,760 –> 00:10:04,560
policy and evidence across domains.

234
00:10:04,560 –> 00:10:07,680
It will happily host the conversation where the bypass decision gets made.

235
00:10:07,680 –> 00:10:09,240
It will not stop you from doing it.

236
00:10:09,240 –> 00:10:12,160
And this is why “we have an ERP” doesn’t solve execution.

237
00:10:12,160 –> 00:10:16,560
ERP will preserve the transaction after the fact. It won’t coordinate the human chain

238
00:10:16,560 –> 00:10:20,640
of approvals, exception handling and downstream tasks that make the transaction legitimate

239
00:10:20,640 –> 00:10:21,640
in the first place.

240
00:10:21,640 –> 00:10:23,640
So enterprises need both layers.

241
00:10:23,640 –> 00:10:25,520
System of record underneath.

242
00:10:25,520 –> 00:10:27,960
Authoritative data, integrity, compliance.

243
00:10:27,960 –> 00:10:32,160
System of action above it: orchestration, routing, enforcement, audit, surface for execution.

244
00:10:32,160 –> 00:10:34,320
The mistake is believing one replaces the other.

245
00:10:34,320 –> 00:10:38,000
It’s also why ServiceNow’s gravity keeps expanding beyond ITSM.

246
00:10:38,000 –> 00:10:39,960
It’s not because IT tickets are exciting.

247
00:10:39,960 –> 00:10:43,280
It’s because the enterprise keeps discovering the same gap.

248
00:10:43,280 –> 00:10:48,160
There is no shared execution layer between “people said a thing” and “systems change the thing.”

249
00:10:48,160 –> 00:10:52,640
ServiceNow fits that gap because it can hold state across domains, tie tasks and approvals

250
00:10:52,640 –> 00:10:55,520
together, enforce policy gates, and produce evidence.

251
00:10:55,520 –> 00:10:59,600
It turns “we should” into “we did,” with a trail you can actually defend.

252
00:10:59,600 –> 00:11:03,240
And Microsoft fits the other half because it owns where humans actually live.

253
00:11:03,240 –> 00:11:08,400
Outlook, SharePoint, Word, meetings, calls. That’s where intent shows up, that’s where decisions

254
00:11:08,400 –> 00:11:11,280
get discussed, that’s where people demand status.

255
00:11:11,280 –> 00:11:15,280
So the correct architecture isn’t ServiceNow versus Microsoft.

256
00:11:15,280 –> 00:11:17,920
It’s a split-brain model by design.

257
00:11:17,920 –> 00:11:19,440
Microsoft is the engagement plane.

258
00:11:19,440 –> 00:11:22,760
Capture intent, collaboration, communication, context.

259
00:11:22,760 –> 00:11:25,000
ServiceNow is the execution plane.

260
00:11:25,000 –> 00:11:27,440
Authoritative state, routing, approvals, evidence.

261
00:11:27,440 –> 00:11:31,040
Once you accept that, the rest of the episode stops sounding like theory.

262
00:11:31,040 –> 00:11:32,360
It becomes an operating pattern.

263
00:11:32,360 –> 00:11:37,680
Now the only question worth asking is what happens when those two planes get stitched together correctly,

264
00:11:37,680 –> 00:11:40,760
without letting governance evaporate?

265
00:11:40,760 –> 00:11:44,200
One sentence each, the Microsoft ServiceNow

266
00:11:44,200 –> 00:11:48,920
power split. ServiceNow in one sentence: it’s the enterprise execution engine, the place

267
00:11:48,920 –> 00:11:52,800
where work becomes a governed state machine, not a conversation.

268
00:11:52,800 –> 00:11:56,840
Microsoft in one sentence: it’s the productivity and intelligence surface.

269
00:11:56,840 –> 00:12:00,440
The place where humans generate intent, context, and pressure. That’s the split and it’s

270
00:12:00,440 –> 00:12:04,520
not philosophical, it’s architectural jurisdiction.

271
00:12:04,520 –> 00:12:09,000
Most organizations keep trying to crown one platform as the single pane of glass.

272
00:12:09,000 –> 00:12:10,400
That instinct is understandable.

273
00:12:10,400 –> 00:12:14,080
It’s also how you end up with a pane of glass full of cracks, because the problem isn’t

274
00:12:14,080 –> 00:12:15,080
visibility.

275
00:12:15,080 –> 00:12:17,200
The problem is ownership of state.

276
00:12:17,200 –> 00:12:21,760
Microsoft owns human behavior: Teams chats, Outlook threads, meetings, documents. That’s

277
00:12:21,760 –> 00:12:23,320
where intent shows up.

278
00:12:23,320 –> 00:12:27,560
ServiceNow owns operational truth, the current state, the next owner, the approvals, the gates

279
00:12:27,560 –> 00:12:28,640
and the evidence.

280
00:12:28,640 –> 00:12:30,640
That’s execution.

281
00:12:30,640 –> 00:12:34,080
So the partnership story becomes obvious when you strip away the press releases.

282
00:12:34,080 –> 00:12:35,600
The goal isn’t to merge products.

283
00:12:35,600 –> 00:12:39,200
The goal is to reduce context switching without collapsing governance.

284
00:12:39,200 –> 00:12:42,080
Teams is where the request starts because that’s where people are.

285
00:12:42,080 –> 00:12:46,480
ServiceNow is where the request stays coherent because that’s where process lives.

286
00:12:46,480 –> 00:12:48,440
Microsoft gives you the easiest place to ask.

287
00:12:48,440 –> 00:12:51,960
ServiceNow gives you the hardest thing to build, an operating layer that keeps working

288
00:12:51,960 –> 00:12:53,520
after the chat scrolls away.

289
00:12:53,520 –> 00:12:55,120
And here’s the uncomfortable truth.

290
00:12:55,120 –> 00:12:58,800
You can’t lose beat point solutions because entropy scales faster than your org chart.

291
00:12:58,800 –> 00:13:02,880
Every time a team solves their problem with a one-off board, a custom form, a flow, or a

292
00:13:02,880 –> 00:13:05,320
mailbox rule, they create a local optimum.

293
00:13:05,320 –> 00:13:06,600
Then another team does the same.

294
00:13:06,600 –> 00:13:10,040
You end up with 50 local optima and one global mess.

295
00:13:10,040 –> 00:13:12,560
Central policy doesn’t fail because people are malicious.

296
00:13:12,560 –> 00:13:15,160
It fails because exceptions accumulate.

297
00:13:15,160 –> 00:13:17,560
This is why the “Microsoft captures intent,

298
00:13:17,560 –> 00:13:19,680
ServiceNow executes intent” line matters.

299
00:13:19,680 –> 00:13:20,680
It’s not a slogan.

300
00:13:20,680 –> 00:13:22,000
It’s an enforcement boundary.

301
00:13:22,000 –> 00:13:27,760
Intent means take human language, human context and human ambiguity and turn it into something

302
00:13:27,760 –> 00:13:29,520
structured enough to act on.

303
00:13:29,520 –> 00:13:34,320
That’s what Copilot is good at inside M365: summarizing, extracting tasks, identifying relevant

304
00:13:34,320 –> 00:13:36,960
files, pulling context from meetings and messages.

305
00:13:36,960 –> 00:13:41,840
It helps humans articulate. Executing intent means take that structured request and push it

306
00:13:41,840 –> 00:13:49,600
through deterministic gates, approvals, routing, SLA timers, risk decisions and auditable outcomes.

307
00:13:49,600 –> 00:13:52,880
That’s what ServiceNow is built to do, own the workflow state, the policy surface and the

308
00:13:52,880 –> 00:13:53,880
evidence trail.

309
00:13:53,880 –> 00:13:55,960
In other words, Microsoft is your front door.

310
00:13:55,960 –> 00:13:57,400
ServiceNow is the factory floor.

311
00:13:57,400 –> 00:14:02,560
You don’t run a factory by letting every employee rewrite the assembly line in chat.

312
00:14:02,560 –> 00:14:05,880
Now the integration implication is where most teams get themselves into trouble.

313
00:14:05,880 –> 00:14:09,040
They hear integrated experience and assume one tool.

314
00:14:09,040 –> 00:14:12,120
What they should hear is one experience, two authorities.

315
00:14:12,120 –> 00:14:16,840
Surface ServiceNow records in Teams, reduce context switching, but keep workflow state authoritative

316
00:14:16,840 –> 00:14:20,320
in ServiceNow or you’re back to screenshots and social approvals.

317
00:14:20,320 –> 00:14:24,000
And yes, AI can answer questions, that’s useful, but answers aren’t outcomes.

318
00:14:24,000 –> 00:14:25,960
AI without workflows creates noise.

319
00:14:25,960 –> 00:14:28,120
AI inside workflows creates outcomes.

320
00:14:28,120 –> 00:14:32,000
So the power play here isn’t that Microsoft and ServiceNow both have assistants.

321
00:14:32,000 –> 00:14:35,400
The power play is that they’re competing for the operating layer and the only sustainable

322
00:14:35,400 –> 00:14:39,680
design is to keep engagement and execution separate, then stitch them together with explicit

323
00:14:39,680 –> 00:14:41,000
controls.

324
00:14:41,000 –> 00:14:44,600
Because if you let the engagement layer write directly into execution without guardrails,

325
00:14:44,600 –> 00:14:45,760
you don’t get automation.

326
00:14:45,760 –> 00:14:52,360
You get accelerated entropy. The operating layer pattern: events, workflows, decisions,

327
00:14:52,360 –> 00:14:53,360
outcomes.

328
00:14:53,360 –> 00:14:57,680
If you want a simple model that explains why “we have all the tools” still produces chaos,

329
00:14:57,680 –> 00:15:02,040
it’s this chain, events, workflows, decisions, outcomes.

330
00:15:02,040 –> 00:15:06,280
Most enterprises are drowning in events, improvising workflows, outsourcing decisions to side

331
00:15:06,280 –> 00:15:11,440
channels, and then acting surprised when outcomes are inconsistent. The operating layer exists

332
00:15:11,440 –> 00:15:14,680
to make that chain deterministic. Start with events.

333
00:15:14,680 –> 00:15:18,200
An event is anything that says something changed and work should happen.

334
00:15:18,200 –> 00:15:22,640
A new hire date in the HR system, a security alert from Defender, a manager asking for budget

335
00:15:22,640 –> 00:15:27,160
approval in Teams, a CI pipeline failing, an Intune device going non-compliant. Even a

336
00:15:27,160 –> 00:15:31,680
human sentence like, “Can you get me access by Friday?” is an event, just unstructured.

337
00:15:31,680 –> 00:15:33,240
The problem isn’t that events are missing.

338
00:15:33,240 –> 00:15:36,160
The problem is that events don’t map cleanly to execution.

339
00:15:36,160 –> 00:15:40,520
They land in inboxes, chats and dashboards, and then humans translate them into work by

340
00:15:40,520 –> 00:15:41,520
hand.

341
00:15:41,520 –> 00:15:46,360
This translation is where meaning gets lost, urgency gets distorted, and risk gets ignored.

342
00:15:46,360 –> 00:15:48,120
It’s also where you get the classic failure.

343
00:15:48,120 –> 00:15:51,360
The event is seen, discussed, and then nobody owns the next step.

344
00:15:51,360 –> 00:15:54,200
So the operating layer does something boring and essential.

345
00:15:54,200 –> 00:15:56,280
It converts events into workflows.

346
00:15:56,280 –> 00:15:57,920
A workflow is not a diagram.

347
00:15:57,920 –> 00:16:02,800
It’s an executable state machine: steps, dependencies, ownership, time boundaries, and evidence

348
00:16:02,800 –> 00:16:03,800
requirements.

349
00:16:03,800 –> 00:16:07,840
It turns “we should” into “the system will not proceed until.”

350
00:16:07,840 –> 00:16:10,240
This is where the enterprise stops lying to itself.

351
00:16:10,240 –> 00:16:13,360
Because the system can either enforce sequence or it can’t.

352
00:16:13,360 –> 00:16:17,720
And if it can’t, your process is just people with good intentions and bad memory.

353
00:16:17,720 –> 00:16:19,560
Workflows are also where entropy hides.

354
00:16:19,560 –> 00:16:22,120
Approvals are the obvious example, not because approvals are virtuous.

355
00:16:22,120 –> 00:16:23,120
They’re not.

356
00:16:23,120 –> 00:16:25,640
They’re expensive, but approvals are where policy meets pressure.

357
00:16:25,640 –> 00:16:28,520
If approvals happen in the workflow, you get traceability.

358
00:16:28,520 –> 00:16:31,320
If approvals happen in chat, you get plausible deniability.

359
00:16:31,320 –> 00:16:34,040
Next, decisions.

360
00:16:34,040 –> 00:16:36,120
Decisions are not the same as workflow steps.

361
00:16:36,120 –> 00:16:39,320
A workflow step is, request manager approval.

362
00:16:39,320 –> 00:16:45,080
A decision is, is this request eligible under policy and low risk enough to approve?

363
00:16:45,080 –> 00:16:49,560
Enterprises keep trying to remove decisions from the system because decisions create friction.

364
00:16:49,560 –> 00:16:52,000
Then they wonder why risk explodes.

365
00:16:52,000 –> 00:16:53,560
Decisions are where governance lives.

366
00:16:53,560 –> 00:16:58,360
Segregation of duties, entitlement boundaries, finance thresholds, change risk scoring, exception

367
00:16:58,360 –> 00:17:00,560
handling, in practical terms.

368
00:17:00,560 –> 00:17:05,080
It’s the difference between deterministic security and probabilistic security.

369
00:17:05,080 –> 00:17:09,160
Deterministic security says, if these conditions are true, the system allows the action and

370
00:17:09,160 –> 00:17:10,800
we can prove it later.

371
00:17:10,800 –> 00:17:14,920
Probabilistic security says, someone said it was fine in a meeting and hopefully that person

372
00:17:14,920 –> 00:17:16,920
still works here during the audit.

373
00:17:16,920 –> 00:17:18,240
That distinction matters.

374
00:17:18,240 –> 00:17:21,000
And this is where identity becomes the enforcement boundary.

375
00:17:21,000 –> 00:17:22,560
Entra ID doesn’t just authenticate.

376
00:17:22,560 –> 00:17:26,800
It defines who the actor is, what roles they have, what conditional access gates apply,

377
00:17:26,800 –> 00:17:30,680
and when you use it correctly, what the blast radius of a bad decision can be.

378
00:17:30,680 –> 00:17:34,520
When you don’t anchor decisions to identity, you end up anchoring them to social authority.

379
00:17:34,520 –> 00:17:36,800
That means the loudest person wins.

380
00:17:36,800 –> 00:17:39,800
Finally, outcomes.

381
00:17:39,800 –> 00:17:41,960
Outcomes aren’t ticket closed.

382
00:17:41,960 –> 00:17:44,000
Outcomes are fulfillment completed.

383
00:17:44,000 –> 00:17:47,840
Access provisioned with evidence, containment executed with approval trail, procurement

384
00:17:47,840 –> 00:17:50,120
posted with policy intact.

385
00:17:50,120 –> 00:17:52,880
Change deployed with rollback path documented.

386
00:17:52,880 –> 00:17:57,440
Outcomes are measurable cycle time, measurable compliance, and measurable throughput.

387
00:17:57,440 –> 00:17:59,480
Here’s the hard reality.

388
00:17:59,480 –> 00:18:01,160
Enterprises don’t fail at planning.

389
00:18:01,160 –> 00:18:02,800
They fail at execution throughput.

390
00:18:02,800 –> 00:18:06,200
They fail because work spends its life in the gaps.

391
00:18:06,200 –> 00:18:09,800
Between systems, between teams, between we agreed and we did.

392
00:18:09,800 –> 00:18:14,280
The operating layer closes those gaps by keeping state authoritative and transitions controlled.

393
00:18:14,280 –> 00:18:16,680
Now AI shows up and tries to be helpful.

394
00:18:16,680 –> 00:18:18,120
Copilot can summarize events.

395
00:18:18,120 –> 00:18:19,680
It can even propose next steps.

396
00:18:19,680 –> 00:18:23,080
Now Assist can pull ServiceNow context and suggest actions.

397
00:18:23,080 –> 00:18:24,320
Useful.

398
00:18:24,320 –> 00:18:28,200
But the operating layer has one law you don’t get to negotiate.

399
00:18:28,200 –> 00:18:30,200
Read can be fast and forgiving.

400
00:18:30,200 –> 00:18:31,840
Write must be governed.

401
00:18:31,840 –> 00:18:36,440
So AI belongs at the event and decision edges interpreting intent, proposing actions,

402
00:18:36,440 –> 00:18:37,440
ranking urgency.

403
00:18:37,440 –> 00:18:40,560
But outcomes still require workflows, approvals, and audit trails.

404
00:18:40,560 –> 00:18:44,760
Otherwise you’ve automated the weakest part of the system, human improvisation.

405
00:18:44,760 –> 00:18:47,560
And that’s how you get what everyone is quietly building right now.

406
00:18:47,560 –> 00:18:48,560
Accelerated entropy.

407
00:18:48,560 –> 00:18:54,240
Scenario one, employee onboarding, HR plus IT plus security without email chains.

408
00:18:54,240 –> 00:18:58,760
Onboarding is the cleanest way to expose enterprise reality because it looks simple until you try

409
00:18:58,760 –> 00:19:00,400
to execute it at scale.

410
00:19:00,400 –> 00:19:05,200
New hire equals laptop, accounts, access, maybe a badge, maybe training, maybe a regulated

411
00:19:05,200 –> 00:19:09,520
role that needs extra approvals, everyone nods, everyone agrees it should be repeatable.

412
00:19:09,520 –> 00:19:10,920
Then it hits the org chart.

413
00:19:10,920 –> 00:19:12,680
Work starts where humans live.

414
00:19:12,680 –> 00:19:14,080
Outlook and Teams.

415
00:19:14,080 –> 00:19:17,320
A hiring manager forwards an offer email, HR posts a note.

416
00:19:17,320 –> 00:19:20,280
Someone drops “start date is Monday” into a chat.

417
00:19:20,280 –> 00:19:22,320
Intent exists loudly in human language.

418
00:19:22,320 –> 00:19:23,320
It is not yet work.

419
00:19:23,320 –> 00:19:25,200
It’s just pressure with a calendar attached.

420
00:19:25,200 –> 00:19:30,520
In a 50,000 person global enterprise, the first failure mode shows up immediately.

421
00:19:30,520 –> 00:19:32,520
There is no single owner of the end to end state.

422
00:19:32,520 –> 00:19:37,520
HR owns the employee record, IT owns devices and accounts, security owns access boundaries,

423
00:19:37,520 –> 00:19:41,920
facilities owns physical access, finance owns cost centers, legal might care.

424
00:19:41,920 –> 00:19:43,560
Compliance definitely cares.

425
00:19:43,560 –> 00:19:45,560
So what actually happens is predictable.

426
00:19:45,560 –> 00:19:48,320
People create a chain of messages and call it a process.

427
00:19:48,320 –> 00:19:50,120
One email thread becomes the system.

428
00:19:50,120 –> 00:19:51,960
A Teams chat becomes the handoff.

429
00:19:51,960 –> 00:19:54,320
A spreadsheet becomes the tracker.

430
00:19:54,320 –> 00:19:58,800
And the only reason it works at all is because a few humans remember the tribal sequence.

431
00:19:58,800 –> 00:19:59,800
Until they don’t.

432
00:19:59,800 –> 00:20:03,960
This is where the Microsoft and ServiceNow split becomes useful instead of political.

433
00:20:03,960 –> 00:20:07,560
Microsoft is where the request is born because that’s where the manager already is.

434
00:20:07,560 –> 00:20:11,760
And Copilot can help at that exact moment in a way that’s actually valuable.

435
00:20:11,760 –> 00:20:13,360
Extract what matters.

436
00:20:13,360 –> 00:20:18,600
Start date, location, role, manager, department, cost center, whether the person is internal,

437
00:20:18,600 –> 00:20:21,840
contractor or vendor, and whether they’re joining a regulated function.

438
00:20:21,840 –> 00:20:25,680
It’s data capture and normalization, turning a messy message into structured facts. But capturing

439
00:20:25,680 –> 00:20:26,880
intent isn’t the win.

440
00:20:26,880 –> 00:20:30,800
The win is what happens after that when the workflow has to survive the weekend.

441
00:20:30,800 –> 00:20:32,880
ServiceNow has to own the authoritative state.

442
00:20:32,880 –> 00:20:36,200
The onboarding case, its tasks, its dependencies and its gates.

443
00:20:36,200 –> 00:20:38,360
HR triggers the joiner event.

444
00:20:38,360 –> 00:20:40,120
ServiceNow generates the work.

445
00:20:40,120 –> 00:20:44,520
Device requests, identity provisioning, mailbox creation, baseline access, application

446
00:20:44,520 –> 00:20:48,760
entitlements, security training, and whatever region-specific requirements exist.

447
00:20:48,760 –> 00:20:51,680
And every task has an owner, not a someone.

448
00:20:51,680 –> 00:20:57,160
An assignment group, a queue, an SLA and escalation rules that don’t rely on a helpful person noticing

449
00:20:57,160 –> 00:20:58,160
the message.

450
00:20:58,160 –> 00:21:00,160
Here’s what most people miss.

451
00:21:00,160 –> 00:21:01,560
Identity is not a task.

452
00:21:01,560 –> 00:21:03,240
Identity is the enforcement boundary.

453
00:21:03,240 –> 00:21:08,040
In onboarding, Entra ID is where the organization decides what the new hire is allowed to become.

454
00:21:08,040 –> 00:21:12,200
It’s the difference between “they should have access to these apps” and “they do.”

455
00:21:12,200 –> 00:21:15,920
That means entitlements and group membership can’t be granted through side chats.

456
00:21:15,920 –> 00:21:18,000
They have to be routed, approved, and auditable.

457
00:21:18,000 –> 00:21:19,360
So the right pattern is boring.

458
00:21:19,360 –> 00:21:20,960
The manager asks in Teams.

459
00:21:20,960 –> 00:21:22,640
The workflow runs in ServiceNow.

460
00:21:22,640 –> 00:21:24,360
Identity changes happen under control.

461
00:21:24,360 –> 00:21:28,760
If the organization needs privileged access, the workflow has to force explicit approvals

462
00:21:28,760 –> 00:21:29,760
and time boundaries.

463
00:21:29,760 –> 00:21:31,400
No permanent temporary access.

464
00:21:31,400 –> 00:21:32,400
No informal.

465
00:21:32,400 –> 00:21:33,400
I’ll remove it later.

466
00:21:33,400 –> 00:21:36,360
The system either expires access automatically, or it doesn’t.

467
00:21:36,360 –> 00:21:38,240
And if it doesn’t, you didn’t onboard someone.

468
00:21:38,240 –> 00:21:39,920
You created future incident fuel.

469
00:21:39,920 –> 00:21:43,640
Now let’s talk about where it breaks today because this is where executives recognize

470
00:21:43,640 –> 00:21:44,640
themselves.

471
00:21:44,640 –> 00:21:47,960
First, approvals happen in email or chat because it feels faster.

472
00:21:47,960 –> 00:21:50,240
That means the approval isn’t linked to the action.

473
00:21:50,240 –> 00:21:54,320
During an audit, you can’t prove who approved what, only that people talked about it.

474
00:21:54,320 –> 00:21:56,440
Second, exceptions become the default.

475
00:21:56,440 –> 00:21:57,440
Just give them access.

476
00:21:57,440 –> 00:21:58,440
They start tomorrow.

477
00:21:58,440 –> 00:21:59,800
Then tomorrow becomes six months.

478
00:21:59,800 –> 00:22:03,400
Then the person changes roles and keeps the old access because nobody owns deprovisioning

479
00:22:03,400 –> 00:22:04,800
across domains.

480
00:22:04,800 –> 00:22:05,800
Third, visibility is fake.

481
00:22:05,800 –> 00:22:09,280
HR says the hire is complete because the HR tasks are complete.

482
00:22:09,280 –> 00:22:11,280
IT says the laptop shipped.

483
00:22:11,280 –> 00:22:12,680
Security says training is assigned.

484
00:22:12,680 –> 00:22:14,720
The new hire says they can’t do their job.

485
00:22:14,720 –> 00:22:16,240
Every system is locally correct.

486
00:22:16,240 –> 00:22:17,280
End to end, it’s a failure.

487
00:22:17,280 –> 00:22:19,320
So what does good look like in this scenario?

488
00:22:19,320 –> 00:22:23,600
It looks like one request thread in Teams that never pretends to be the authoritative state.

489
00:22:23,600 –> 00:22:24,600
It’s just the interface.

490
00:22:24,600 –> 00:22:27,800
The same conversation can surface a ServiceNow card.

491
00:22:27,800 –> 00:22:31,640
Onboarding case created, current status, blockers, and next steps.

492
00:22:31,640 –> 00:22:33,880
The manager can ask, “What’s holding this up?”

493
00:22:33,880 –> 00:22:37,320
And get an answer that’s derived from workflow state, not someone’s memory.

494
00:22:37,320 –> 00:22:39,600
It also means controlled exception handling.

495
00:22:39,600 –> 00:22:43,680
If someone needs early access, the workflow captures it as an exception with a reason,

496
00:22:43,680 –> 00:22:46,840
an approver, a time limit, and a logged change.

497
00:22:46,840 –> 00:22:47,840
Exceptions aren’t forbidden.

498
00:22:47,840 –> 00:22:49,560
They’re recorded and constrained.

499
00:22:49,560 –> 00:22:50,720
That’s entropy management.

500
00:22:50,720 –> 00:22:54,120
And the real payoff is off-boarding, even though nobody wants to talk about it during

501
00:22:54,120 –> 00:22:55,120
onboarding.

502
00:22:55,120 –> 00:22:58,600
If you build onboarding as a governed state machine, you can build off-boarding as the

503
00:22:58,600 –> 00:23:00,920
inverse workflow with the same discipline.

504
00:23:00,920 –> 00:23:05,640
That’s how you stop orphaned access from becoming a security incident with a press release

505
00:23:05,640 –> 00:23:06,640
attached.

506
00:23:06,640 –> 00:23:09,320
Onboarding is the happy path, but it’s still a stress test.

507
00:23:09,320 –> 00:23:13,400
It forces you to decide where intent lives, where execution lives, and whether identity

508
00:23:13,400 –> 00:23:16,800
is controlled by policy or by social urgency.

509
00:23:16,800 –> 00:23:19,200
Next, the stress test becomes explicit.

510
00:23:19,200 –> 00:23:23,640
Security incident response where everyone wants speed and governance is always later.

511
00:23:23,640 –> 00:23:29,280
Scenario 2: security incident response, collaboration in Teams, execution in workflows.

512
00:23:29,280 –> 00:23:33,280
Security incident response is where every nice process dies, because under pressure people

513
00:23:33,280 –> 00:23:34,280
don’t follow policy.

514
00:23:34,280 –> 00:23:35,280
They follow urgency.

515
00:23:35,280 –> 00:23:37,000
They spin up a Teams war room.

516
00:23:37,000 –> 00:23:41,880
Tag everyone they can think of and start trading theories, screenshots, and half-finished conclusions.

517
00:23:41,880 –> 00:23:43,440
And that part is fine.

518
00:23:43,440 –> 00:23:44,680
Collaboration is supposed to be messy.

519
00:23:44,680 –> 00:23:48,000
The failure happens when the messy part becomes the control system.

520
00:23:48,000 –> 00:23:51,560
In a regulated enterprise, the first question isn’t, can we fix it?

521
00:23:51,560 –> 00:23:55,040
It’s who is allowed to do what and who approved it?

522
00:23:55,040 –> 00:24:00,120
Containment actions change reality, disabling accounts, revoking sessions, isolating devices,

523
00:24:00,120 –> 00:24:04,200
blocking IPs, rotating secrets, pulling logs, escalating privileges.

524
00:24:04,200 –> 00:24:05,520
Those aren’t chat decisions.

525
00:24:05,520 –> 00:24:07,800
Those are governed operations with blast radius.

526
00:24:07,800 –> 00:24:09,840
So here’s the pattern that actually works.

527
00:24:09,840 –> 00:24:14,040
The alert surfaces in Microsoft, but the execution runs in ServiceNow.

528
00:24:14,040 –> 00:24:18,480
The alert might come from Defender, Sentinel, a SOC tool or a third party platform.

529
00:24:18,480 –> 00:24:19,480
Where does it land?

530
00:24:19,480 –> 00:24:20,480
Teams.

531
00:24:20,480 –> 00:24:21,480
Because that’s where humans are.

532
00:24:21,480 –> 00:24:23,000
And that’s where humans coordinate.

533
00:24:23,000 –> 00:24:26,840
You want the incident channel, the pinned context, the running timeline, the stakeholders,

534
00:24:26,840 –> 00:24:29,600
the communications lead, the who’s on point assignments.

535
00:24:29,600 –> 00:24:32,720
Microsoft is the engagement plane doing exactly what it’s built to do.

536
00:24:32,720 –> 00:24:36,040
But the moment you start taking action, the system needs an execution plane.

537
00:24:36,040 –> 00:24:37,040
ServiceNow

538
00:24:37,040 –> 00:24:41,680
owns the security incident record, the workflow state, the tasking, the evidence capture,

539
00:24:41,680 –> 00:24:44,000
and the approvals that you can defend later.

540
00:24:44,000 –> 00:24:46,440
The triage isn’t just “we think it’s phishing.”

541
00:24:46,440 –> 00:24:50,560
It’s classification, severity, assignment, SLA triggers, and a controlled flow that can

542
00:24:50,560 –> 00:24:51,960
survive shift changes.

543
00:24:51,960 –> 00:24:54,960
Because the incident doesn’t care that the night team is different people.

544
00:24:54,960 –> 00:24:57,760
This is where the “Microsoft captures intent,

545
00:24:57,760 –> 00:25:01,360
ServiceNow executes intent” split becomes operational.

546
00:25:01,360 –> 00:25:04,240
In Teams, someone says, we need to disable this account now.

547
00:25:04,240 –> 00:25:06,320
It’s actively exfiltrating.

548
00:25:06,320 –> 00:25:07,680
That sentence is intent.

549
00:25:07,680 –> 00:25:09,320
It’s also a liability.

550
00:25:09,320 –> 00:25:13,600
In a mature model, that intent becomes an action request, a workflow step in ServiceNow

551
00:25:13,600 –> 00:25:20,000
that says disable account X with an approver, a reason, a timestamp, and a recorded outcome.

552
00:25:20,000 –> 00:25:24,480
If the organization uses privileged identity management, the workflow drives that elevation

553
00:25:24,480 –> 00:25:25,920
through controlled gates.

554
00:25:25,920 –> 00:25:30,760
If it doesn’t, the workflow at least forces a documented approval and ties it to the change.

555
00:25:30,760 –> 00:25:35,160
Because the ugly truth is this, the fastest way to create security debt is to let containment

556
00:25:35,160 –> 00:25:37,000
happen through informal authority.

557
00:25:37,000 –> 00:25:38,520
The other failure mode is evidence.

558
00:25:38,520 –> 00:25:41,520
In a security incident, evidence isn’t nice to have.

559
00:25:41,520 –> 00:25:44,840
It’s the difference between a controllable incident and an audit nightmare.

560
00:25:44,840 –> 00:25:46,520
Teams conversations don’t give you evidence.

561
00:25:46,520 –> 00:25:48,000
They give you a transcript.

562
00:25:48,000 –> 00:25:49,920
ServiceNow can force evidence.

563
00:25:49,920 –> 00:25:56,200
Log links, indicators, containment actions, impacted assets, who approved, what was changed

564
00:25:56,200 –> 00:25:57,400
and when.

565
00:25:57,400 –> 00:25:59,680
Nobody likes documentation in the middle of a fire.

566
00:25:59,680 –> 00:26:02,880
That’s why it has to be baked into the workflow, not left to human discipline.

567
00:26:02,880 –> 00:26:06,720
Now layer in AI because this is where everyone gets confused and starts building the wrong

568
00:26:06,720 –> 00:26:07,720
thing.

569
00:26:07,720 –> 00:26:11,320
Copilot is great at summarizing Teams threads, pulling key decisions, finding the file

570
00:26:11,320 –> 00:26:16,000
that contains the indicator list and generating a draft comms update.

571
00:26:16,000 –> 00:26:19,000
That’s real value because it reduces cognitive load.

572
00:26:19,000 –> 00:26:23,080
But Copilot doesn’t get to execute containment just because it can write a confident paragraph.

573
00:26:23,080 –> 00:26:25,680
Now Assist is great at the ServiceNow side.

574
00:26:25,680 –> 00:26:30,160
Summarizing case history, suggesting related incidents, pulling knowledge articles, proposing

575
00:26:30,160 –> 00:26:34,880
next actions based on prior patterns and helping agents write resolution notes.

576
00:26:34,880 –> 00:26:38,120
That’s useful because it speeds decisions inside the execution plane.

577
00:26:38,120 –> 00:26:42,480
And here’s the law: AI can propose, workflows decide. Read operations can be fast; write

578
00:26:42,480 –> 00:26:43,880
operations must be governed.

579
00:26:43,880 –> 00:26:49,040
So the correct flow is AI accelerates triage and decision making, but execution remains

580
00:26:49,040 –> 00:26:50,040
deterministic.

581
00:26:50,040 –> 00:26:55,200
If you let an AI agent just take care of it, you’ve replaced human improvisation with probabilistic

582
00:26:55,200 –> 00:26:57,040
improvisation at machine speed.

583
00:26:57,040 –> 00:26:58,040
That’s not automation.

584
00:26:58,040 –> 00:27:02,200
That’s a faster incident. In the composite enterprise, 50k employees, multiple regions,

585
00:27:02,200 –> 00:27:03,200
heavy regulation.

586
00:27:03,200 –> 00:27:05,520
This also becomes a communications problem.

587
00:27:05,520 –> 00:27:10,440
The war room needs an external narrative leadership updates, customer comms, legal review and

588
00:27:10,440 –> 00:27:11,920
operational timelines.

589
00:27:11,920 –> 00:27:15,920
Teams is still the best place to coordinate that, but ServiceNow needs to remain the authoritative

590
00:27:15,920 –> 00:27:18,040
timeline for what was actually done.

591
00:27:18,040 –> 00:27:22,600
Otherwise the post-incident review becomes a debate about whose memory is correct.

592
00:27:22,600 –> 00:27:27,200
So good in this scenario looks like teams for coordination and shared awareness.

593
00:27:27,200 –> 00:27:30,920
ServiceNow for triage, assignment, approvals, evidence and outcome tracking. Identity as

594
00:27:30,920 –> 00:27:33,360
the enforcement boundary for privileged actions.

595
00:27:33,360 –> 00:27:38,160
AI as an accelerant inside the guardrails, not a replacement for them. And the payoff is

596
00:27:38,160 –> 00:27:39,160
measurable.

597
00:27:39,160 –> 00:27:43,600
Lower decision latency, fewer manual handoffs, cleaner audit trails and fewer temporary access

598
00:27:43,600 –> 00:27:46,280
grants that survive into the next quarter.

599
00:27:46,280 –> 00:27:47,120
Reflection pause.

600
00:27:47,120 –> 00:27:50,400
If you’re listening to this and thinking, yes, this sounds familiar, that’s the point.

601
00:27:50,400 –> 00:27:51,720
None of this is hypothetical.

602
00:27:51,720 –> 00:27:54,320
This is how your organization already works, just without an owner.

603
00:27:54,320 –> 00:27:58,560
Now take that same discipline and move it out of the SOC and into finance where pressure

604
00:27:58,560 –> 00:28:01,800
comes from quarter end instead of attackers.

605
00:28:01,800 –> 00:28:06,480
Scenario three: finance approvals, procure to pay without policy erosion.

606
00:28:06,480 –> 00:28:10,240
Finance is where people finally admit they don’t want better collaboration.

607
00:28:10,240 –> 00:28:13,560
They want enforceable policy because the failure mode isn’t that nobody can request

608
00:28:13,560 –> 00:28:14,560
spend.

609
00:28:14,560 –> 00:28:18,440
The failure mode is that spend gets approved in the least defensible place possible.

610
00:28:18,440 –> 00:28:22,800
An email thread, a Teams message or a hallway conversation that later becomes we all

611
00:28:22,800 –> 00:28:23,800
agreed.

612
00:28:23,800 –> 00:28:27,600
Procure to pay is basically the same pattern as onboarding and security response just

613
00:28:27,600 –> 00:28:28,600
with different nouns.

614
00:28:28,600 –> 00:28:31,600
The work starts in Microsoft because that’s where the pressure lives.

615
00:28:31,600 –> 00:28:34,920
Someone forwards a vendor quote. Someone tags a finance lead in Teams.

616
00:28:34,920 –> 00:28:36,400
Can we get this approved today?

617
00:28:36,400 –> 00:28:37,400
Quarter end.

618
00:28:37,400 –> 00:28:39,480
Someone drops a spreadsheet link and asks for a thumbs up.

619
00:28:39,480 –> 00:28:40,480
That’s intent.

620
00:28:40,480 –> 00:28:44,040
And it’s also the beginning of policy erosion because finance policy doesn’t fail through

621
00:28:44,040 –> 00:28:45,040
malice.

622
00:28:45,040 –> 00:28:46,040
It fails through impatience.

623
00:28:46,040 –> 00:28:47,640
Approvals get rushed.

624
00:28:47,640 –> 00:28:49,520
Thresholds get ignored.

625
00:28:49,520 –> 00:28:52,960
Segregation of duties becomes, can you just approve it for me?

626
00:28:52,960 –> 00:28:56,760
And once the organization proves it can bypass controls when it’s inconvenient, it will

627
00:28:56,760 –> 00:28:57,760
keep doing it.

628
00:28:57,760 –> 00:28:58,760
That’s not culture.

629
00:28:58,760 –> 00:29:00,120
That’s system behavior.

630
00:29:00,120 –> 00:29:04,320
So in the composite enterprise, 50K employees, regulated industry, the operating layer has

631
00:29:04,320 –> 00:29:05,840
to be explicit.

632
00:29:05,840 –> 00:29:09,600
Microsoft captures the request and the context, but ServiceNow enforces the gates that

633
00:29:09,600 –> 00:29:11,520
make the request legitimate.

634
00:29:11,520 –> 00:29:13,440
The way it usually breaks is almost boring.

635
00:29:13,440 –> 00:29:14,840
A request lands in Teams.

636
00:29:14,840 –> 00:29:16,160
The approver is on mobile.

637
00:29:16,160 –> 00:29:19,760
They reply approved because it’s faster than opening the portal.

638
00:29:19,760 –> 00:29:23,840
Someone screenshots that message and attaches it to something maybe.

639
00:29:23,840 –> 00:29:26,520
Then procurement moves forward because we have approval.

640
00:29:26,520 –> 00:29:31,520
The ERP eventually records the transaction because that’s what ERPs do, but the ERP doesn’t

641
00:29:31,520 –> 00:29:33,080
know whether the approval met policy.

642
00:29:33,080 –> 00:29:35,080
It just knows the transaction exists.

643
00:29:35,080 –> 00:29:39,320
And when audit time arrives, the organization tries to reconstruct governance from scattered

644
00:29:39,320 –> 00:29:40,320
artifacts.

645
00:29:40,320 –> 00:29:42,720
An email, a Teams thread, a PDF, a memory.

646
00:29:42,720 –> 00:29:43,880
That’s not an audit trail.

647
00:29:43,880 –> 00:29:45,120
That’s archaeology.

648
00:29:45,120 –> 00:29:49,280
So what does good look like without turning finance into a bureaucratic museum exhibit?

649
00:29:49,280 –> 00:29:51,640
Good looks like letting Teams stay the front door.

650
00:29:51,640 –> 00:29:53,960
Let the requests start where people already work.

651
00:29:53,960 –> 00:29:58,520
Let Copilot help translate the messy human ask into structured fields.

652
00:29:58,520 –> 00:30:02,920
Vendor, amount, cost center, description, urgency, whether it’s capex or opex and which

653
00:30:02,920 –> 00:30:03,920
policy applies.

654
00:30:03,920 –> 00:30:05,520
That’s intent capture.

655
00:30:05,520 –> 00:30:10,720
But the moment the request becomes real money, execution moves to a workflow state machine.

656
00:30:10,720 –> 00:30:14,840
ServiceNow owns the approval workflow because it can enforce sequence, thresholds and separation

657
00:30:14,840 –> 00:30:15,840
of duties.

658
00:30:15,840 –> 00:30:17,240
It can route automatically.

659
00:30:17,240 –> 00:30:21,160
Manager approval under one threshold, finance approval under another, security review

660
00:30:21,160 –> 00:30:25,920
if it touches a risky vendor category, procurement review if a preferred vendor exists, legal

661
00:30:25,920 –> 00:30:27,920
review if contract terms trigger it.

662
00:30:27,920 –> 00:30:29,120
The point isn’t complexity.

663
00:30:29,120 –> 00:30:32,400
The point is enforceable branching with an auditable why.

664
00:30:32,400 –> 00:30:34,720
And the ERP stays exactly where it belongs.

665
00:30:34,720 –> 00:30:35,800
The system of record.

666
00:30:35,800 –> 00:30:37,160
It posts the purchase order.

667
00:30:37,160 –> 00:30:38,160
It pays the invoice.

668
00:30:38,160 –> 00:30:39,800
It preserves the financial truth.

669
00:30:39,800 –> 00:30:42,240
ServiceNow sits above it as the system of action.

670
00:30:42,240 –> 00:30:46,120
It orchestrates the human chain that makes the transaction acceptable, then hands the result

671
00:30:46,120 –> 00:30:48,400
to the ERP with evidence attached.

672
00:30:48,400 –> 00:30:52,120
This is also where executives finally see the cost of quick exceptions.

673
00:30:52,120 –> 00:30:55,160
Every exception to approval policy is an entropy generator.

674
00:30:55,160 –> 00:30:56,160
It feels like speed.

675
00:30:56,160 –> 00:30:57,960
It actually creates ambiguity.

676
00:30:57,960 –> 00:31:01,120
And ambiguity is what auditors charge for, not emotionally.

677
00:31:01,120 –> 00:31:05,200
Financially, in time, remediation and the constant tax of controls that nobody trusts.

678
00:31:05,200 –> 00:31:09,960
So the real value proposition in finance isn’t faster approvals as a vanity metric.

679
00:31:09,960 –> 00:31:12,040
It’s consistent enforcement under pressure.

680
00:31:12,040 –> 00:31:15,920
Because quarter end is basically a recurring incident, except it’s self-inflicted and everyone

681
00:31:15,920 –> 00:31:16,920
pretends it’s normal.

682
00:31:16,920 –> 00:31:18,600
Now the integration pattern matters.

683
00:31:18,600 –> 00:31:23,320
If all you do is surface finance requests inside Teams as read-only cards, you reduce context

684
00:31:23,320 –> 00:31:26,240
switching but you haven’t stopped bypass behavior.

685
00:31:26,240 –> 00:31:28,360
People still approve in chat because it’s convenient.

686
00:31:28,360 –> 00:31:29,640
Retrieval doesn’t fix execution.

687
00:31:29,640 –> 00:31:32,920
So the operating layer has to support actual actions under control.

688
00:31:32,920 –> 00:31:36,560
Approvers can approve from within Teams, but the approval must be written into the ServiceNow

689
00:31:36,560 –> 00:31:40,560
workflow state, tied to identity and locked as a structured decision.

690
00:31:40,560 –> 00:31:44,000
Not as a message, not as a reaction icon, as a control transition.

691
00:31:44,000 –> 00:31:49,000
And because finance is a write-heavy domain, approvals, routing, updates, the read fast,

692
00:31:49,000 –> 00:31:51,160
write governed rule becomes non-negotiable.

693
00:31:51,160 –> 00:31:53,880
You start with assisted drafting and summarization, sure.

694
00:31:53,880 –> 00:31:55,800
But you keep writes supervised and auditable.

695
00:31:55,800 –> 00:31:58,720
Otherwise you’ve just built a faster way to create non-compliance.

696
00:31:58,720 –> 00:32:01,640
If you want the executive version of this scenario, it’s simple.

697
00:32:01,640 –> 00:32:03,640
Microsoft is where spend pressure gets expressed.

698
00:32:03,640 –> 00:32:05,880
ServiceNow is where spend policy gets enforced.

699
00:32:05,880 –> 00:32:07,600
ERP is where spend gets recorded.

700
00:32:07,600 –> 00:32:11,880
When those three roles stay clean, cycle time improves, audit findings drop and nobody

701
00:32:11,880 –> 00:32:13,600
has to ask who approved this.

702
00:32:13,600 –> 00:32:17,800
Like it’s a mystery novel. And once finance works this way, it becomes impossible to keep pretending

703
00:32:17,800 –> 00:32:19,720
ServiceNow is just IT.

704
00:32:19,720 –> 00:32:21,280
It’s the enterprise execution layer.

705
00:32:21,280 –> 00:32:25,840
Next, take the same pattern back to the place most organizations think they understand.

706
00:32:25,840 –> 00:32:30,480
The major incident war room, where Teams feels like the whole story, until change control

707
00:32:30,480 –> 00:32:31,720
shows up.

708
00:32:31,720 –> 00:32:36,880
Scenario 4, major IT incident plus change, the war room versus the control system.

709
00:32:36,880 –> 00:32:40,800
Major incidents are where organizations confuse adrenaline with control.

710
00:32:40,800 –> 00:32:44,880
The war room spins up in Teams because that’s where humans can coordinate at speed.

711
00:32:44,880 –> 00:32:48,680
Voice, chat, screen shares, a running narrative and the one thing people actually need in the

712
00:32:48,680 –> 00:32:50,080
first 10 minutes.

713
00:32:50,080 –> 00:32:51,600
Shared situational awareness.

714
00:32:51,600 –> 00:32:52,840
Who’s on? What’s impacted?

715
00:32:52,840 –> 00:32:53,920
What’s the latest signal?

716
00:32:53,920 –> 00:32:54,920
What are we trying next?

717
00:32:54,920 –> 00:32:55,920
Teams is perfect for that.

718
00:32:55,920 –> 00:33:00,040
It’s also the place where most enterprises accidentally move change control into a chat

719
00:33:00,040 –> 00:33:01,880
thread and call it agility.

720
00:33:01,880 –> 00:33:03,360
Here’s the uncomfortable truth.

721
00:33:03,360 –> 00:33:06,320
A major incident is not just fix it fast.

722
00:33:06,320 –> 00:33:09,200
It’s fix it fast without making the blast radius worse.

723
00:33:09,200 –> 00:33:13,560
The only mechanism enterprises have for controlling blast radius is change management.

724
00:33:13,560 –> 00:33:15,480
Not because CAB meetings are fun.

725
00:33:15,480 –> 00:33:17,440
Because production doesn’t care about feelings.

726
00:33:17,440 –> 00:33:20,960
So this scenario is the cleanest proof of the split brain model.

727
00:33:20,960 –> 00:33:22,240
Teams is the war room.

728
00:33:22,240 –> 00:33:23,600
ServiceNow is the control system.

729
00:33:23,600 –> 00:33:27,720
In the composite enterprise, a major incident usually starts with a flood of symptoms.

730
00:33:27,720 –> 00:33:28,720
Users can’t log in.

731
00:33:28,720 –> 00:33:29,720
An API is timing out.

732
00:33:29,720 –> 00:33:33,600
A region is degraded or a minor change from earlier in the day quietly becomes the root

733
00:33:33,600 –> 00:33:35,480
cause of a widespread outage.

734
00:33:35,480 –> 00:33:38,240
The first job is triage and comms. That belongs in Microsoft.

735
00:33:38,240 –> 00:33:42,400
You want incident channels, stakeholder comms and the ability to brief leadership without

736
00:33:42,400 –> 00:33:43,800
digging through 10 portals.

737
00:33:43,800 –> 00:33:46,760
But the second job, the dangerous one, is execution.

738
00:33:46,760 –> 00:33:52,160
Execution is: assign tasks with owners and time boundaries, coordinate remediation steps,

739
00:33:52,160 –> 00:33:57,120
create emergency changes, capture approvals, record what was done, and preserve enough evidence

740
00:33:57,120 –> 00:34:00,240
that the post-incident review isn’t a religious argument.

741
00:34:00,240 –> 00:34:02,240
That work needs an authoritative state machine.

742
00:34:02,240 –> 00:34:03,880
This is where ServiceNow earns its keep.

743
00:34:03,880 –> 00:34:05,600
A Teams war room can tell a story.

744
00:34:05,600 –> 00:34:06,600
It cannot enforce one.

745
00:34:06,600 –> 00:34:09,720
A Teams thread can say “we agreed to reboot the database.”

746
00:34:09,720 –> 00:34:14,440
It cannot prove who authorized it, whether the rollback plan existed, or whether that reboot

747
00:34:14,440 –> 00:34:16,520
was part of a controlled change sequence.

748
00:34:16,520 –> 00:34:19,400
And in a regulated environment, “we agreed” is not governance.

749
00:34:19,400 –> 00:34:20,400
It’s a liability.

750
00:34:20,400 –> 00:34:22,720
So the right design is boring and strict.

751
00:34:22,720 –> 00:34:25,480
The major incident record lives in ServiceNow.

752
00:34:25,480 –> 00:34:30,480
It owns the timeline, the tasks, the comms artifacts, and the dependency map between actions.

753
00:34:30,480 –> 00:34:35,840
The Teams channel is linked to the major incident record, not treated as a parallel universe.

754
00:34:35,840 –> 00:34:37,440
And the problem happens in Teams.

755
00:34:37,440 –> 00:34:38,760
Authority stays in ServiceNow.

756
00:34:38,760 –> 00:34:42,600
Now the part that always collapses under pressure: emergency change. In the war room, someone

757
00:34:42,600 –> 00:34:45,240
says, “we need to push a config change right now.”

758
00:34:45,240 –> 00:34:47,640
Another person says, “just do it, we’ll backfill later.”

759
00:34:47,640 –> 00:34:51,400
And this is exactly how temporary bypass becomes permanent policy decay.

760
00:34:51,400 –> 00:34:52,920
Because the bypass isn’t the outage.

761
00:34:52,920 –> 00:34:54,440
The bypass is the future outage.

762
00:34:54,440 –> 00:34:58,440
If you let major incidents teach your teams that controls are optional, you don’t get

763
00:34:58,440 –> 00:34:59,640
faster recovery.

764
00:34:59,640 –> 00:35:01,160
You get repeatable chaos.

765
00:35:01,160 –> 00:35:05,560
So emergency change has to be a first-class workflow, not an apology.

766
00:35:05,560 –> 00:35:06,680
ServiceNow can do that.

767
00:35:06,680 –> 00:35:10,360
Create the emergency change record as part of the major incident workflow.

768
00:35:10,360 –> 00:35:12,720
Enforce the minimum approvals required.

769
00:35:12,720 –> 00:35:14,840
Capture the reason for urgency.

770
00:35:14,840 –> 00:35:16,520
Link the impacted services.

771
00:35:16,520 –> 00:35:19,400
And record the implementation and rollback steps.

772
00:35:19,400 –> 00:35:23,000
It can keep the blast radius bounded even when humans are improvising.

773
00:35:23,000 –> 00:35:24,000
And yes, it adds friction.

774
00:35:24,000 –> 00:35:25,000
That’s the point.

775
00:35:25,000 –> 00:35:29,200
Friction is what turns “someone pushed the thing” into “the organization can defend why it pushed

776
00:35:29,200 –> 00:35:30,200
the thing.”

777
00:35:30,200 –> 00:35:34,080
This is also where “good” looks counterintuitive to Teams-first organizations.

778
00:35:34,080 –> 00:35:36,520
It does not mean forcing everyone out of Teams.

779
00:35:36,520 –> 00:35:40,840
Good means letting Teams be the interface while refusing to let it become the system of record

780
00:35:40,840 –> 00:35:42,040
for execution.

781
00:35:42,040 –> 00:35:46,440
The incident commander can run comms in Teams, but the tasks are created, owned and closed

782
00:35:46,440 –> 00:35:47,440
in ServiceNow.

783
00:35:47,440 –> 00:35:50,760
The approvals can be surfaced in Teams, but the approval state must be written to the

784
00:35:50,760 –> 00:35:53,520
change record, tied to identity, with an audit trail.

785
00:35:53,520 –> 00:35:56,160
This is where AI tempts people into the wrong move.

786
00:35:56,160 –> 00:35:58,960
Copilot can summarize the war room and draft status updates.

787
00:35:58,960 –> 00:35:59,960
Great.

788
00:35:59,960 –> 00:36:04,600
Now Assist can generate post-incident review drafts and resolution notes. Also useful. But

789
00:36:04,600 –> 00:36:09,280
AI cannot be allowed to convert “we think” into “we changed” without controls, because write

790
00:36:09,280 –> 00:36:11,560
operations are blast radius multipliers.

791
00:36:11,560 –> 00:36:14,400
So the measurable outcome isn’t, we had a great war room.

792
00:36:14,400 –> 00:36:17,840
It’s, did the incident produce a clean authoritative timeline?

793
00:36:17,840 –> 00:36:19,160
Did every action have an owner?

794
00:36:19,160 –> 00:36:22,080
Did emergency changes have approvals and rollback paths?

795
00:36:22,080 –> 00:36:27,200
Did the organization avoid creating new security and compliance debt while restoring service?

796
00:36:27,200 –> 00:36:28,760
Teams makes the war room fast.

797
00:36:28,760 –> 00:36:30,800
ServiceNow makes the recovery defensible.

798
00:36:30,800 –> 00:36:33,920
And if those two responsibilities blur, you don’t get resilience.

799
00:36:33,920 –> 00:36:36,320
You get a group chat with production permissions.

800
00:36:36,320 –> 00:36:37,320
Integration.

801
00:36:37,320 –> 00:36:38,320
Reality.

802
00:36:38,320 –> 00:36:39,800
Connectors give answers.

803
00:36:39,800 –> 00:36:40,960
Orchestration gets outcomes.

804
00:36:40,960 –> 00:36:44,640
Now take those four scenarios and ask the only question that matters once you leave

805
00:36:44,640 –> 00:36:45,640
the whiteboard.

806
00:36:45,640 –> 00:36:49,840
How do these two worlds actually connect without creating a new category of failure?

807
00:36:49,840 –> 00:36:52,520
Because integration gets marketed like it’s a single thing.

808
00:36:52,520 –> 00:36:53,520
It isn’t.

809
00:36:53,520 –> 00:36:57,500
In practice, there are two modes and confusing them is how organizations end up with a shiny

810
00:36:57,500 –> 00:36:59,500
demo and unchanged throughput.

811
00:36:59,500 –> 00:37:03,660
Mode one is read. Mode two is write. Read integration is about answers.

812
00:37:03,660 –> 00:37:06,740
It’s search, indexing, summaries and quick lookups.

813
00:37:06,740 –> 00:37:08,260
Microsoft has a clean story here.

814
00:37:08,260 –> 00:37:12,660
Microsoft Graph Connectors can index ServiceNow content, so Copilot can retrieve it in

815
00:37:12,660 –> 00:37:14,340
the flow of work.

816
00:37:14,340 –> 00:37:16,820
Incidents, knowledge articles, catalog items.

817
00:37:16,820 –> 00:37:18,500
Those are common connector patterns.

818
00:37:18,500 –> 00:37:22,660
People ask in Teams, Copilot answers with the relevant ServiceNow context, and nobody

819
00:37:22,660 –> 00:37:26,340
has to alt-tab into another portal just to find a link. That is real value.

820
00:37:26,340 –> 00:37:27,780
But it is not orchestration.

821
00:37:27,780 –> 00:37:28,780
It’s an information plane.

822
00:37:28,780 –> 00:37:30,340
It reduces context switching.

823
00:37:30,340 –> 00:37:31,780
It reduces time to knowledge.

824
00:37:31,780 –> 00:37:36,900
It reduces the “where do I even find this” friction that burns hours across large companies.

825
00:37:36,900 –> 00:37:40,300
And for early adoption, read-only is politically easy.

826
00:37:40,300 –> 00:37:45,220
Lower risk, minimal change control, fewer permission arguments and far less blast radius if

827
00:37:45,220 –> 00:37:46,660
something is mis-scoped.

828
00:37:46,660 –> 00:37:50,580
This is why read-only wins first, because everyone can agree that finding answers faster

829
00:37:50,580 –> 00:37:55,060
is good, and almost nobody wants to be the executive who approved letting an AI write

830
00:37:55,060 –> 00:37:56,740
to production systems.

831
00:37:56,740 –> 00:37:58,620
Now mode two, write integration.

832
00:37:58,620 –> 00:38:02,820
Write integration is about outcomes, creating the request, updating the record, approving

833
00:38:02,820 –> 00:38:07,220
the step, executing the workflow transition, triggering the containment task, posting the

834
00:38:07,220 –> 00:38:10,620
approval decision, calling the API that changes reality.

835
00:38:10,620 –> 00:38:14,860
Write is orchestration, and orchestration is where governance lives or dies.

836
00:38:14,860 –> 00:38:18,780
Microsoft’s path to write typically runs through controlled action frameworks.

837
00:38:18,780 –> 00:38:23,860
Copilot Studio connectors, approved plugins, explicit API calls, and tooling that can be

838
00:38:23,860 –> 00:38:25,620
governed and monitored.

839
00:38:25,620 –> 00:38:28,060
ServiceNow’s side runs through its workflow engine.

840
00:38:28,060 –> 00:38:32,260
Flow Designer, Integration Hub, approval engines, and the record state machine that actually

841
00:38:32,260 –> 00:38:33,260
owns the process.

842
00:38:33,260 –> 00:38:35,220
The architectural point is simple.

843
00:38:35,220 –> 00:38:36,940
Connectors can tell you what’s happening.

844
00:38:36,940 –> 00:38:38,260
Orchestration makes something happen.

845
00:38:38,260 –> 00:38:41,540
If you stop at read integration, you’ll build what looks like progress, but behaves like

846
00:38:41,540 –> 00:38:42,540
theater.

847
00:38:42,540 –> 00:38:44,860
Copilot can summarize an incident. Great.

848
00:38:44,860 –> 00:38:49,140
Someone still has to open ServiceNow, create tasks, chase approvals and record evidence.

849
00:38:49,140 –> 00:38:51,140
Copilot can find the right knowledge article.

850
00:38:51,140 –> 00:38:52,140
Great.

851
00:38:52,140 –> 00:38:55,580
First, to execute the onboarding workflow and enforce identity gates.

852
00:38:55,580 –> 00:38:57,860
Retrieval without execution is just faster browsing.

853
00:38:57,860 –> 00:39:02,380
This is the line where most enterprises get stuck, because moving from read to write forces

854
00:39:02,380 –> 00:39:04,420
three ugly conversations.

855
00:39:04,420 –> 00:39:07,820
First, permissions. Read can tolerate broad access patterns; write cannot.

856
00:39:07,820 –> 00:39:11,540
When you let something create or update records, you are delegating authority.

857
00:39:11,540 –> 00:39:15,340
And authority needs least privilege, explicit scope, and revocation paths.

858
00:39:15,340 –> 00:39:19,180
Otherwise the integration account becomes a permanent super user, and you’ve created a

859
00:39:19,180 –> 00:39:21,340
bot-shaped insider threat.

860
00:39:21,340 –> 00:39:22,340
You need audit.

861
00:39:22,340 –> 00:39:26,300
If a workflow step gets approved from Teams, you need to know who approved it, under what

862
00:39:26,300 –> 00:39:29,860
identity, with what context, and what record state changed as a result.

863
00:39:29,860 –> 00:39:34,740
If you can’t prove that, you didn’t automate approvals, you created an un-auditable bypass

864
00:39:34,740 –> 00:39:36,340
with a nicer interface.

865
00:39:36,340 –> 00:39:38,980
Third, change control and blast radius.

866
00:39:38,980 –> 00:39:41,900
Read failures are annoying, write failures are incidents.

867
00:39:41,900 –> 00:39:45,420
The moment actions can be triggered from the engagement layer, you need to think like

868
00:39:45,420 –> 00:39:46,820
an architect.

869
00:39:46,820 –> 00:39:51,300
How do you limit scope, monitor behavior, roll back mistakes, and keep the system

870
00:39:51,300 –> 00:39:52,300
deterministic?

871
00:39:52,300 –> 00:39:55,060
So the same operating stance is phased.

872
00:39:55,060 –> 00:39:59,300
Start with search and read only surfaces to reduce context switching and prove adoption.

873
00:39:59,300 –> 00:40:04,780
Clean up knowledge hygiene because AI search will amplify whatever mess you already have.

874
00:40:04,780 –> 00:40:09,300
Then graduate to governed actions, a limited set of requests, updates, and approvals where

875
00:40:09,300 –> 00:40:12,700
workflow state remains authoritative in ServiceNow.

876
00:40:12,700 –> 00:40:16,820
Writes are supervised at first because supervised writes are entropy control.

877
00:40:16,820 –> 00:40:19,580
Only then do you talk about agentic execution.

878
00:40:19,580 –> 00:40:22,980
Those agents that can write without guardrails aren’t helpful.

879
00:40:22,980 –> 00:40:24,460
They are probabilistic operators.

880
00:40:24,460 –> 00:40:28,060
The integration reality stripped of the sales gloss is this.

881
00:40:28,060 –> 00:40:31,660
Microsoft can be the best front end your enterprise has ever had.

882
00:40:31,660 –> 00:40:35,340
ServiceNow has to remain the execution engine your enterprise can defend.

883
00:40:35,340 –> 00:40:39,700
If you can’t separate answering from acting, you will automate, but you’ll automate the

884
00:40:39,700 –> 00:40:41,900
wrong thing.

885
00:40:41,900 –> 00:40:45,660
Copilot plus Now Assist: two brains, two jurisdictions.

886
00:40:45,660 –> 00:40:49,860
Now we get to the part everyone wants to skip to: Copilot and Now Assist. Two assistants,

887
00:40:49,860 –> 00:40:53,820
two brands, two demos where someone types a sentence and the system politely pretends

888
00:40:53,820 –> 00:40:55,620
enterprise execution is simple.

889
00:40:55,620 –> 00:40:56,700
Here’s the correct framing.

890
00:40:56,700 –> 00:40:58,940
These are two brains with two jurisdictions.

891
00:40:58,940 –> 00:41:03,460
And if you don’t define jurisdiction, you get a constitutional crisis at scale.

892
00:41:03,460 –> 00:41:06,580
Copilot’s jurisdiction is the Microsoft productivity estate.

893
00:41:06,580 –> 00:41:10,740
It understands meetings, mail, chats, files, calendars, and the messy human context that

894
00:41:10,740 –> 00:41:12,500
lives inside M365.

895
00:41:12,500 –> 00:41:16,380
It’s good at turning unstructured intent into something coherent.

896
00:41:16,380 –> 00:41:20,380
Summaries, action items, drafts, and “what did we decide in that meeting?”

897
00:41:20,380 –> 00:41:22,300
It reduces the cost of thinking and searching.

898
00:41:22,300 –> 00:41:25,780
Now Assist’s jurisdiction is ServiceNow operational reality.

899
00:41:25,780 –> 00:41:30,620
It understands records, workflows, knowledge bases, catalog items, case history, assignment

900
00:41:30,620 –> 00:41:34,100
groups, SLAs and the governed state machine that actually moves work.

901
00:41:34,100 –> 00:41:37,940
It’s good at turning operational context into controlled next steps.

902
00:41:37,940 –> 00:41:43,180
Occasion, routing, suggested actions, response drafting, and workflow aware assistance for agents.

903
00:41:43,180 –> 00:41:47,100
So if you want a single sentence that doesn’t lie: Copilot is fluent in human context.

904
00:41:47,100 –> 00:41:49,260
Now Assist is fluent in operational state.

905
00:41:49,260 –> 00:41:52,700
That’s why two assistants is not redundancy, it’s separation of concerns.

906
00:41:52,700 –> 00:41:55,140
But it’s also where organizations make a classic mistake.

907
00:41:55,140 –> 00:41:58,100
They assume the assistant that can talk should also be allowed to write.

908
00:41:58,100 –> 00:42:02,380
That’s how you get AI actions that are really just permission drift wearing a lab coat.

909
00:42:02,380 –> 00:42:05,900
The integration pattern that actually survives audit is a handoff model.

910
00:42:05,900 –> 00:42:08,660
It operates in Teams as the engagement surface.

911
00:42:08,660 –> 00:42:13,660
It captures the request in human terms, pulls relevant Microsoft context, and then hands

912
00:42:13,660 –> 00:42:17,100
off to ServiceNow when the next step requires workflow state.

913
00:42:17,100 –> 00:42:20,820
That handoff can look like a ServiceNow card, a linked record, or a guided request flow

914
00:42:20,820 –> 00:42:23,980
that lands inside the ServiceNow workflow engine.

915
00:42:23,980 –> 00:42:26,060
Now Assist does the inverse when needed.

916
00:42:26,060 –> 00:42:30,820
From inside ServiceNow it can call Microsoft context to help with communication artifacts,

917
00:42:30,820 –> 00:42:35,820
drafting an incident update email, generating a PowerPoint summary for leadership, or pulling

918
00:42:35,820 –> 00:42:37,700
relevant meeting notes.

919
00:42:37,700 –> 00:42:42,580
Without pretending that the Microsoft artifact is the authoritative record of the incident.

920
00:42:42,580 –> 00:42:44,940
This is not one AI to rule them all.

921
00:42:44,940 –> 00:42:46,660
It’s two assistants that delegate properly.

922
00:42:46,660 –> 00:42:50,460
Now the hidden complexity is not the models, it’s grounding and permissions.

923
00:42:50,460 –> 00:42:53,540
Grounding is the question of what the assistant is allowed to know.

924
00:42:53,540 –> 00:42:56,060
And what sources it uses to generate an answer.

925
00:42:56,060 –> 00:43:00,220
Copilot is grounded in Microsoft Graph, and whatever your tenant exposes through permissions

926
00:43:00,220 –> 00:43:01,220
and connectors.

927
00:43:01,220 –> 00:43:03,020
Now Assist is grounded in ServiceNow

928
00:43:03,020 –> 00:43:07,620
records and knowledge sources governed by ServiceNow access controls and user criteria.

929
00:43:07,620 –> 00:43:12,820
If you blur those boundaries, you get confident nonsense or worse, confident data leakage.

930
00:43:12,820 –> 00:43:14,060
Permissions are the harder landmine.

931
00:43:14,060 –> 00:43:18,220
Copilot can only act within the permissions of the user and the configured connectors.

932
00:43:18,220 –> 00:43:19,540
Same story with Now Assist.

933
00:43:19,540 –> 00:43:23,380
That sounds comforting until someone fixes a failing integration by giving the connector

934
00:43:23,380 –> 00:43:24,700
account broad access.

935
00:43:24,700 –> 00:43:26,340
Then it works, then nobody reduces it.

936
00:43:26,340 –> 00:43:29,740
Then you’ve created a silent super user that will outlive the project.

937
00:43:29,740 –> 00:43:32,540
That’s not misconfiguration, that’s design omission.

938
00:43:32,540 –> 00:43:35,740
This is where jurisdiction becomes a security control, not a diagram.

939
00:43:35,740 –> 00:43:40,060
The assistants can only be as safe as the identity and authorization model they operate under.

940
00:43:40,060 –> 00:43:42,500
And that brings you right back to the operating layer law.

941
00:43:42,500 –> 00:43:44,780
Read can be generous, write must be governed.

942
00:43:44,780 –> 00:43:46,260
So a sane design looks like this.

943
00:43:46,260 –> 00:43:50,580
Copilot can read ServiceNow context through connectors and summarize it for the user in Teams,

944
00:43:50,580 –> 00:43:52,460
low blast radius, high adoption.

945
00:43:52,460 –> 00:43:57,380
When the user wants to do something, create a request, approve a change, trigger containment.

946
00:43:57,380 –> 00:44:02,460
The system routes that into ServiceNow as a workflow step with explicit identity, logging

947
00:44:02,460 –> 00:44:03,980
and approval state.

948
00:44:03,980 –> 00:44:06,380
Writes are either supervised or constrained by policy.

949
00:44:06,380 –> 00:44:09,420
And if someone wants fully agentic behavior, “just take care of it,”

950
00:44:09,420 –> 00:44:10,860
the answer is still no.

951
00:44:10,860 –> 00:44:15,100
Not because AI is bad, because enterprises run on constrained authority, not vibes.

952
00:44:15,100 –> 00:44:18,220
So the power play isn’t Microsoft versus ServiceNow assistants.

953
00:44:18,220 –> 00:44:21,740
The power play is who owns the next step when the assistant finishes talking.

954
00:44:21,740 –> 00:44:26,620
If Copilot closes a conversation but no workflow changes state, you created a nicer chat experience.

955
00:44:26,620 –> 00:44:31,060
If Now Assist proposes an action, but it can’t execute it under governance, you created

956
00:44:31,060 –> 00:44:32,340
better suggestions.

957
00:44:32,340 –> 00:44:36,660
The operating layer only exists when the state machine moves with evidence, two brains,

958
00:44:36,660 –> 00:44:38,140
two jurisdictions.

959
00:44:38,140 –> 00:44:42,220
And one non-negotiable boundary, the assistant can speak anywhere, but it can only write

960
00:44:42,220 –> 00:44:43,940
where you can audit it.

961
00:44:43,940 –> 00:44:49,380
AI changes who executes work, deterministic workflows versus probabilistic agents.

962
00:44:49,380 –> 00:44:53,940
Now the uncomfortable part, AI doesn’t just change how work is requested, it changes who

963
00:44:53,940 –> 00:44:55,220
is executing work.

964
00:44:55,220 –> 00:44:59,660
And enterprises are about to learn the difference between deterministic systems and probabilistic

965
00:44:59,660 –> 00:45:00,660
ones the hard way.

966
00:45:00,660 –> 00:45:03,220
A deterministic workflow is boring on purpose.

967
00:45:03,220 –> 00:45:06,220
Given the same inputs, it produces the same outcome.

968
00:45:06,220 –> 00:45:11,820
Same routing, same approvals, same evidence requirements, same SLA timers, same escalation

969
00:45:11,820 –> 00:45:12,820
paths.

970
00:45:12,820 –> 00:45:14,260
It behaves like an authorization compiler.

971
00:45:14,260 –> 00:45:17,700
You feed it policy and state and it decides what’s allowed next.

972
00:45:17,700 –> 00:45:19,420
A probabilistic agent is different.

973
00:45:19,420 –> 00:45:23,780
It interprets, it guesses, it ranks options, it can be right for the wrong reasons and

974
00:45:23,780 –> 00:45:25,540
it can be wrong with high confidence.

975
00:45:25,540 –> 00:45:26,540
That’s not a flaw.

976
00:45:26,540 –> 00:45:28,260
That’s the nature of LLM-based systems.

977
00:45:28,260 –> 00:45:31,220
They generate plausible output, not guaranteed truth.

978
00:45:31,220 –> 00:45:34,260
So the enterprise decision isn’t AI or workflows.

979
00:45:34,260 –> 00:45:38,100
It’s where does probabilistic behavior belong and where is it forbidden?

980
00:45:38,100 –> 00:45:41,300
AI belongs at the edges of the operating layer.

981
00:45:41,300 –> 00:45:46,180
Intake, summarization, classification suggestions, prioritization and drafting.

982
00:45:46,180 –> 00:45:49,500
It belongs anywhere the primary job is to reduce human cognitive load.

983
00:45:49,500 –> 00:45:53,620
AI does not belong as an unconstrained writer into your execution plane.

984
00:45:53,620 –> 00:45:56,740
Because once an agent can write, it can create state transitions.

985
00:45:56,740 –> 00:46:00,940
It can approve, it can provision access, it can close an incident, it can trigger containment,

986
00:46:00,940 –> 00:46:04,940
it can move money, it can change reality and that’s the exact moment your organization

987
00:46:04,940 –> 00:46:06,580
stops being deterministic.

988
00:46:06,580 –> 00:46:08,220
You become probabilistic by design.

989
00:46:08,220 –> 00:46:11,180
This is why human in the loop isn’t a temporary phase.

990
00:46:11,180 –> 00:46:14,700
It’s the only sustainable operating model for write operations at scale.

991
00:46:14,700 –> 00:46:17,020
Read operations can move autonomous earlier.

992
00:46:17,020 –> 00:46:22,260
Let the assistant fetch records, summarize threads, draft responses and propose the next step.

993
00:46:22,260 –> 00:46:24,220
Read failures are annoying but survivable.

994
00:46:24,220 –> 00:46:26,260
They create confusion, not catastrophe.

995
00:46:26,260 –> 00:46:28,500
Write operations must start supervised.

996
00:46:28,500 –> 00:46:32,140
Every write needs an approval boundary, a logged identity and a rollback story.

997
00:46:32,140 –> 00:46:36,220
Not because compliance people are mean, because entropy is real and write access is the fastest

998
00:46:36,220 –> 00:46:37,540
way to manufacture it.

999
00:46:37,540 –> 00:46:42,620
So the pattern is simple, AI proposes, a workflow enforces, a human authorizes, the system

1000
00:46:42,620 –> 00:46:43,620
records.

1001
00:46:43,620 –> 00:46:45,980
Over time some writes can become more autonomous.

1002
00:46:45,980 –> 00:46:51,020
But only when you can prove that the action is low risk, reversible and observable.

1003
00:46:51,020 –> 00:46:53,620
That’s not optimism, that’s engineering discipline.

1004
00:46:53,620 –> 00:46:55,820
And this is where governance beats model quality.

1005
00:46:55,820 –> 00:46:57,980
People keep asking, is the model good enough?

1006
00:46:57,980 –> 00:46:59,700
Wrong question, models will improve.

1007
00:46:59,700 –> 00:47:01,180
Your governance won’t fix itself.

1008
00:47:01,180 –> 00:47:05,060
If you don’t build the guard rails now, you’ll just accelerate your existing dysfunction

1009
00:47:05,060 –> 00:47:06,060
later.

1010
00:47:06,060 –> 00:47:10,380
Governance means, least privilege for connectors and agents, explicit scopes, approval gates

1011
00:47:10,380 –> 00:47:13,820
for state changes and audit trails that survive executive turnover.

1012
00:47:13,820 –> 00:47:17,060
It also means you can answer the only question auditors care about.

1013
00:47:17,060 –> 00:47:19,900
Who did what, under what authority and why?

1014
00:47:19,900 –> 00:47:23,060
Rollback paths matter here more than anyone wants to admit.

1015
00:47:23,060 –> 00:47:27,300
If an agent creates a ServiceNow change record and schedules work, can you stop it?

1016
00:47:27,300 –> 00:47:29,980
If it grants access, can you revoke it automatically?

1017
00:47:29,980 –> 00:47:33,980
If it updates a security incident, can you reconstruct the exact sequence of actions without

1018
00:47:33,980 –> 00:47:35,220
relying on chat logs?

1019
00:47:35,220 –> 00:47:36,820
If you can’t, you don’t have automation.

1020
00:47:36,820 –> 00:47:38,940
You have accelerated risk.

1021
00:47:38,940 –> 00:47:42,140
This is why “AI inside workflows creates outcomes”

1022
00:47:42,140 –> 00:47:45,100
isn’t a motivational line, it’s an architectural constraint.

1023
00:47:45,100 –> 00:47:49,180
AI should live inside the workflow state machine, not beside it.

1024
00:47:49,180 –> 00:47:51,420
The workflow provides determinism.

1025
00:47:51,420 –> 00:47:54,140
Steps, gates, evidence and ownership.

1026
00:47:54,140 –> 00:47:58,180
AI provides judgment support: summarize, recommend and draft.

1027
00:47:58,180 –> 00:48:01,100
Together you get throughput without losing control.

1028
00:48:01,100 –> 00:48:04,260
Without the workflow, AI becomes a noise generator.

1029
00:48:04,260 –> 00:48:09,220
More suggestions, more messages, more help and no authoritative state change.

1030
00:48:09,220 –> 00:48:11,460
People feel busy, nothing finishes.

1031
00:48:11,460 –> 00:48:14,860
And when AI does start finishing things without workflows, it finishes them in whatever

1032
00:48:14,860 –> 00:48:16,740
way seems plausible at the time.

1033
00:48:16,740 –> 00:48:18,580
That’s conditional chaos with better grammar.

1034
00:48:18,580 –> 00:48:22,940
So the strategic move for the enterprise isn’t to chase fully autonomous agents.

1035
00:48:22,940 –> 00:48:27,780
The strategic move is to redesign execution so that autonomy is a controlled gradient.

1036
00:48:27,780 –> 00:48:32,540
Read-first autonomy, supervised writes, then selective automation where risk is bounded.

1037
00:48:32,540 –> 00:48:36,100
The system doesn’t care about your intent, it only respects what you enforce.

1038
00:48:36,100 –> 00:48:40,180
Failure modes: workflow entropy, shadow automation and permission drift.

1039
00:48:40,180 –> 00:48:44,060
Every integration story sounds clean until it hits the three forces that always win in

1040
00:48:44,060 –> 00:48:45,460
the real enterprise.

1041
00:48:45,460 –> 00:48:47,700
Urgency, convenience and forgetting.

1042
00:48:47,700 –> 00:48:50,980
Those forces don’t break platforms, they break your assumptions.

1043
00:48:50,980 –> 00:48:53,020
And they always express themselves the same way.

1044
00:48:53,020 –> 00:48:55,900
Workflow entropy, shadow automation and permission drift.

1045
00:48:55,900 –> 00:48:58,220
Workflow entropy is the quiet killer.

1046
00:48:58,220 –> 00:49:00,100
It starts as a temporary exception.

1047
00:49:00,100 –> 00:49:01,540
A manager needs access today.

1048
00:49:01,540 –> 00:49:05,660
A procurement approval gets rushed because quarter end, a change gets pushed without the

1049
00:49:05,660 –> 00:49:08,020
formal step because the outage clock is running.

1050
00:49:08,020 –> 00:49:09,820
Nobody thinks they’re undermining governance.

1051
00:49:09,820 –> 00:49:11,420
They think they’re being helpful.

1052
00:49:11,420 –> 00:49:13,820
Then that exception becomes the actual process.

1053
00:49:13,820 –> 00:49:17,260
Not because anyone chose it but because the exception path is faster than the policy

1054
00:49:17,260 –> 00:49:18,260
path.

1055
00:49:18,260 –> 00:49:21,460
People route around friction the same way water routes around rocks.

1056
00:49:21,460 –> 00:49:26,500
Over time your documented workflow becomes ceremonial and your real workflow becomes DM the

1057
00:49:26,500 –> 00:49:28,740
right person, get a thumbs up, move on.

1058
00:49:28,740 –> 00:49:33,220
That’s why conditional access exceptions, emergency approvals and bypass routes are entropy

1059
00:49:33,220 –> 00:49:34,220
generators.

1060
00:49:34,220 –> 00:49:35,460
They don’t just create one gap.

1061
00:49:35,460 –> 00:49:38,980
They teach the organization that state transitions are optional.

1062
00:49:38,980 –> 00:49:43,020
Once state transitions are optional, your system of action becomes a logging tool.

1063
00:49:43,020 –> 00:49:46,100
It records the mess after the fact. It doesn’t control it.

1064
00:49:46,100 –> 00:49:48,220
The second failure mode is shadow automation.

1065
00:49:48,220 –> 00:49:51,340
This is where Teams and Power Automate become a parallel universe.

1066
00:49:51,340 –> 00:49:55,140
Someone builds a flow that posts a message to a channel when an email arrives.

1067
00:49:55,140 –> 00:49:58,260
Someone builds a form that creates a task list in Planner.

1068
00:49:58,260 –> 00:50:01,020
Someone wires up approvals in chat because it’s just easier.

1069
00:50:01,020 –> 00:50:02,180
And on day one it works.

1070
00:50:02,180 –> 00:50:03,180
Of course it works.

1071
00:50:03,180 –> 00:50:04,860
Local automation always works locally.

1072
00:50:04,860 –> 00:50:07,940
The problem is what it displaces, governed orchestration.

1073
00:50:07,940 –> 00:50:09,940
Shadow automation doesn’t fail because it’s malicious.

1074
00:50:09,940 –> 00:50:11,420
It fails because it’s unowned.

1075
00:50:11,420 –> 00:50:14,820
No life cycle, no audit story, no defined blast radius.

1076
00:50:14,820 –> 00:50:19,420
The builder leaves, the flow keeps running and the next incident response includes:

1077
00:50:19,420 –> 00:50:22,820
“Nobody knows what triggers this but it’s been doing it for months.”

1078
00:50:22,820 –> 00:50:26,100
That’s what happens when you treat the engagement plane as the execution plane.

1079
00:50:26,100 –> 00:50:30,340
Now the third failure mode is the one that makes security teams tired: permission drift.

1080
00:50:30,340 –> 00:50:35,340
Integrations require permissions, AI assistants require permissions, connectors require permissions.

1081
00:50:35,340 –> 00:50:39,380
And when something fails during setup, the quickest fix is always the same.

1082
00:50:39,380 –> 00:50:40,700
Just give it more access.

1083
00:50:40,700 –> 00:50:43,900
So you create an integration account, you grant broad Graph permissions,

1084
00:50:43,900 –> 00:50:47,540
you grant broad ServiceNow roles, you get the demo working, everyone claps,

1085
00:50:47,540 –> 00:50:49,780
then nobody goes back and reduces scope.

1086
00:50:49,780 –> 00:50:52,620
Six months later that account has more access than most humans.

1087
00:50:52,620 –> 00:50:56,900
It’s a permanent super user with no human manager, no quarterly access review,

1088
00:50:56,900 –> 00:50:59,300
and no business owner who can explain why it exists.

1089
00:50:59,300 –> 00:51:02,860
That’s not misconfiguration, that’s architectural erosion.

1090
00:51:02,860 –> 00:51:04,820
And permission drift doesn’t stay in one place.

1091
00:51:04,820 –> 00:51:05,540
It spreads.

1092
00:51:05,540 –> 00:51:08,540
A second connector gets deployed and reuses the same account.

1093
00:51:08,540 –> 00:51:09,860
A third flow depends on it.

1094
00:51:09,860 –> 00:51:12,940
Now you can’t fix it without breaking business critical automation.

1095
00:51:12,940 –> 00:51:15,820
That’s how security debt becomes operational dependency.

1096
00:51:15,820 –> 00:51:16,820
Here’s the weird part.

1097
00:51:16,820 –> 00:51:19,500
AI accelerates all three failure modes.

1098
00:51:19,500 –> 00:51:24,300
Workflow entropy gets faster because AI makes it easier to justify exceptions.

1099
00:51:24,300 –> 00:51:25,900
Copilot says it’s low risk.

1100
00:51:25,900 –> 00:51:31,700
Shadow automation gets faster because AI makes it easier to build flows without understanding the governance model.

1101
00:51:31,700 –> 00:51:35,340
Permission drift gets faster because agents that can act need permissions

1102
00:51:35,340 –> 00:51:37,620
and people will overscope them to avoid friction.

1103
00:51:37,620 –> 00:51:40,140
That’s why AI without workflows creates noise.

1104
00:51:40,140 –> 00:51:42,380
But AI with bad workflows creates damage.

1105
00:51:42,380 –> 00:51:44,500
So the prevention strategy is not a checklist.

1106
00:51:44,500 –> 00:51:46,060
It’s an operating stance you enforce.

1107
00:51:46,060 –> 00:51:48,540
First, treat exceptions as first class objects.

1108
00:51:48,540 –> 00:51:52,940
If someone needs a bypass, capture it as an exception in the workflow with a reason,

1109
00:51:52,940 –> 00:51:54,980
an approver, and an expiration.

1110
00:51:54,980 –> 00:51:56,900
No expiration means it’s not an exception.

1111
00:51:56,900 –> 00:51:58,500
It’s a hidden policy change.

1112
00:51:58,500 –> 00:52:02,100
Second, treat automations as production assets.

1113
00:52:02,100 –> 00:52:06,020
If it can write, it needs ownership, life cycle management, and controls.

1114
00:52:06,020 –> 00:52:07,580
Otherwise, it’s a ghost system.

1115
00:52:07,580 –> 00:52:10,780
Third, treat permissions as temporary until proven otherwise.

1116
00:52:10,780 –> 00:52:12,300
Least privilege is not a principle.

1117
00:52:12,300 –> 00:52:13,620
It’s entropy management.

1118
00:52:13,620 –> 00:52:17,540
If you don’t continuously pull scope back, it will only expand.

1119
00:52:17,540 –> 00:52:19,580
The workflow first operating model,

1120
00:52:19,580 –> 00:52:21,820
re-platform execution in phases.

1121
00:52:21,820 –> 00:52:24,660
So if the diagnosis is workflow fragmentation,

1122
00:52:24,660 –> 00:52:26,820
the treatment isn’t buy more apps.

1123
00:52:26,820 –> 00:52:30,180
It’s re-platforming execution, not migrating tickets,

1124
00:52:30,180 –> 00:52:32,020
not rolling out another chatbot,

1125
00:52:32,020 –> 00:52:34,060
re-platforming the operating layer,

1126
00:52:34,060 –> 00:52:37,500
where work starts, how it moves, who can change state,

1127
00:52:37,500 –> 00:52:40,060
and how the organization proves what happened later.

1128
00:52:40,060 –> 00:52:43,140
And the first step is the one everyone skips because it’s not glamorous.

1129
00:52:43,140 –> 00:52:44,340
Mapping execution.

1130
00:52:44,340 –> 00:52:46,340
Not process mapping as a PowerPoint hobby.

1131
00:52:46,340 –> 00:52:47,420
Execution mapping.

1132
00:52:47,420 –> 00:52:48,900
Where does work actually begin?

1133
00:52:48,900 –> 00:52:50,300
What are the real approval gates?

1134
00:52:50,300 –> 00:52:51,500
What systems change state?

1135
00:52:51,500 –> 00:52:54,500
And what metrics define done across domains?

1136
00:52:54,500 –> 00:52:57,100
If you can’t draw the end-to-end chain for onboarding,

1137
00:52:57,100 –> 00:53:00,180
incident containment, finance approvals, and emergency change,

1138
00:53:00,180 –> 00:53:01,300
you don’t have processes.

1139
00:53:01,300 –> 00:53:02,060
You have traditions.

1140
00:53:02,060 –> 00:53:04,380
Now the split of ownership is non-negotiable.

1141
00:53:04,380 –> 00:53:07,500
ServiceNow owns workflow state, routing, audit, enforcement.

1142
00:53:07,500 –> 00:53:10,540
Microsoft owns collaboration, content, intent capture,

1143
00:53:10,540 –> 00:53:12,140
and the surfaces where humans live.

1144
00:53:12,140 –> 00:53:13,180
This is not a preference.

1145
00:53:13,180 –> 00:53:15,220
It’s how you prevent authority drift.

1146
00:53:15,220 –> 00:53:17,620
Because the moment Teams becomes the authoritative system

1147
00:53:17,620 –> 00:53:21,220
for approvals or changes, you’ve turned chat into a control plane.

1148
00:53:21,220 –> 00:53:22,540
And chat is not a control plane.

1149
00:53:22,540 –> 00:53:23,460
It is not.

1150
00:53:23,460 –> 00:53:25,860
So the operating model is phased because enterprises

1151
00:53:25,860 –> 00:53:27,580
don’t change in one cutover.

1152
00:53:27,580 –> 00:53:29,420
They degrade and improve in gradients.

1153
00:53:29,420 –> 00:53:31,380
Phase one is about reducing context switching

1154
00:53:31,380 –> 00:53:32,740
without moving authority.

1155
00:53:32,740 –> 00:53:35,100
This is where you embed ServiceNow into Teams,

1156
00:53:35,100 –> 00:53:37,100
service records, and use search connectors

1157
00:53:37,100 –> 00:53:39,860
so people can find knowledge, incidents, and catalog items

1158
00:53:39,860 –> 00:53:41,060
from where they already work.

1159
00:53:41,060 –> 00:53:42,620
It’s intentionally read heavy.

1160
00:53:42,620 –> 00:53:44,780
The goal is adoption and friction removal.

1161
00:53:44,780 –> 00:53:45,940
Fewer portals.

1162
00:53:45,940 –> 00:53:47,300
Fewer “where do I do this?”

1163
00:53:47,300 –> 00:53:49,860
Fewer screenshots as status updates.

1164
00:53:49,860 –> 00:53:52,060
But it’s also where you clean your knowledge hygiene.

1165
00:53:52,060 –> 00:53:54,700
Because AI search will amplify whatever mess you’ve allowed

1166
00:53:54,700 –> 00:53:55,420
to accumulate.

1167
00:53:55,420 –> 00:53:58,340
If the knowledge base is stale, your new AI assistant

1168
00:53:58,340 –> 00:54:01,020
will simply produce confident stale answers at scale.

1169
00:54:01,020 –> 00:54:02,060
That’s not transformation.

1170
00:54:02,060 –> 00:54:04,420
That’s automated misinformation.

1171
00:54:04,420 –> 00:54:06,300
Phase two is governed actions.

1172
00:54:06,300 –> 00:54:09,660
This is where you stop pretending that retrieval equals execution.

1173
00:54:09,660 –> 00:54:11,260
Pick a small set of write paths that

1174
00:54:11,260 –> 00:54:12,940
map cleanly to workflows.

1175
00:54:12,940 –> 00:54:15,340
Submit a catalog request, update an incident,

1176
00:54:15,340 –> 00:54:18,100
approve a step, escalate a case, open a change.

1177
00:54:18,100 –> 00:54:20,300
Then make those writes flow through ServiceNow

1178
00:54:20,300 –> 00:54:22,180
as authoritative state transitions.

1179
00:54:22,180 –> 00:54:24,020
The user can click Approve in Teams.

1180
00:54:24,020 –> 00:54:24,700
Fine.

1181
00:54:24,700 –> 00:54:27,180
But the approval must land as a workflow transition

1182
00:54:27,180 –> 00:54:29,180
in ServiceNow, tied to identity,

1183
00:54:29,180 –> 00:54:30,860
logged, and constrained by policy.

1184
00:54:30,860 –> 00:54:32,780
The engagement plane can host the button.

1185
00:54:32,780 –> 00:54:34,460
The execution plane owns the truth.

1186
00:54:34,460 –> 00:54:36,900
This is also where you enforce least privilege, like you mean it.

1187
00:54:36,900 –> 00:54:39,180
Integration accounts don’t get broad access

1188
00:54:39,180 –> 00:54:40,660
because someone had a demo deadline.

1189
00:54:40,660 –> 00:54:43,780
Agents don’t get write scope just because it’s easier.

1190
00:54:43,780 –> 00:54:45,860
Every connector and assistant gets scoped

1191
00:54:45,860 –> 00:54:47,820
to the minimum set of actions required.

1192
00:54:47,820 –> 00:54:50,620
And it gets reviewed like any other privileged identity.

1193
00:54:50,620 –> 00:54:52,580
Because permissions are not a set-up step.

1194
00:54:52,580 –> 00:54:54,100
They are an operational liability.

1195
00:54:54,100 –> 00:54:56,220
Phase three is agentic execution.

1196
00:54:56,220 –> 00:54:57,940
And it’s where most organizations rush

1197
00:54:57,940 –> 00:54:59,660
because the demos look magical.

1198
00:54:59,660 –> 00:55:01,260
But agentic execution only works

1199
00:55:01,260 –> 00:55:02,940
when two conditions are already true.

1200
00:55:02,940 –> 00:55:04,500
The workflow state machine is clean

1201
00:55:04,500 –> 00:55:06,140
and the right controls are enforceable.

1202
00:55:06,140 –> 00:55:07,620
Otherwise, you’re not deploying agents.

1203
00:55:07,620 –> 00:55:09,340
You’re deploying entropy accelerators.

1204
00:55:09,340 –> 00:55:10,380
So the rule is simple.

1205
00:55:10,380 –> 00:55:12,500
Autonomous reads can expand quickly.

1206
00:55:12,500 –> 00:55:14,460
Supervised writes expand slowly.

1207
00:55:14,460 –> 00:55:16,700
And only after you’ve proven that an action is low risk,

1208
00:55:16,700 –> 00:55:19,220
reversible and observable does it earn more autonomy.

1209
00:55:19,220 –> 00:55:22,060
This is also where observability stops being optional.

1210
00:55:22,060 –> 00:55:24,420
If an agent can propose actions, you need to see what it

1211
00:55:24,420 –> 00:55:26,660
proposed, what was approved, what it executed,

1212
00:55:26,660 –> 00:55:27,900
and what changed as a result.

1213
00:55:27,900 –> 00:55:30,540
You need traceability across Microsoft and ServiceNow,

1214
00:55:30,540 –> 00:55:33,260
the intent source, the workflow state and the outcome record.

1215
00:55:33,260 –> 00:55:35,780
If you can’t reconstruct the chain, you have no governance.

1216
00:55:35,780 –> 00:55:37,020
You have vibes.

1217
00:55:37,020 –> 00:55:38,580
And the biggest architectural discipline

1218
00:55:38,580 –> 00:55:39,980
in this whole model is rollback.

1219
00:55:39,980 –> 00:55:43,140
Workflows without rollback are just scripted confidence.

1220
00:55:43,140 –> 00:55:46,340
Every write path needs an undo story: revoke access,

1221
00:55:46,340 –> 00:55:49,820
cancel procurement, roll back a change, reopen the incident,

1222
00:55:49,820 –> 00:55:50,980
restore the prior state.

1223
00:55:50,980 –> 00:55:53,700
Otherwise, your automation becomes a one-way door.

1224
00:55:53,700 –> 00:55:56,580
And one-way doors are how incidents become outages.

1225
00:55:56,580 –> 00:55:58,420
So the workflow first operating model

1226
00:55:58,420 –> 00:56:00,900
is basically enterprise humility formalized,

1227
00:56:00,900 –> 00:56:04,300
humans generate intent in Microsoft, systems execute intent

1228
00:56:04,300 –> 00:56:07,020
in ServiceNow, AI accelerates the edges, not the center,

1229
00:56:07,020 –> 00:56:08,740
and control is what survives pressure.

1230
00:56:08,740 –> 00:56:11,820
That’s the point, not convenience, not novelty.

1231
00:56:11,820 –> 00:56:14,380
Control that still works when people are tired, urgent,

1232
00:56:14,380 –> 00:56:15,700
and improvising.

1233
00:56:15,700 –> 00:56:18,660
Execution throughput is the actual power play.

1234
00:56:18,660 –> 00:56:21,500
The power play isn’t Copilot versus Now Assist.

1235
00:56:21,500 –> 00:56:23,140
It’s building an operating layer

1236
00:56:23,140 –> 00:56:26,300
where intent becomes governed execution every time.

1237
00:56:26,300 –> 00:56:29,220
If you want the next episode, it’s on where governance fails first,

1238
00:56:29,220 –> 00:56:32,540
identity connectors or quick exceptions that become policy.

1239
00:56:32,540 –> 00:56:34,740
Subscribe and watch that one next.




