Now Reading: The Context Advantage for Autonomous Enterprises
-
01
The Context Advantage for Autonomous Enterprises
1
00:00:00,000 –> 00:00:04,080
Most organizations think their AI rollout failed because the model wasn’t smart enough
2
00:00:04,080 –> 00:00:06,800
or because users don’t know how to prompt.
3
00:00:06,800 –> 00:00:09,360
That’s the comforting story. It’s also wrong.
4
00:00:09,360 –> 00:00:12,880
In enterprises, AI fails because context is fragmented.
5
00:00:12,880 –> 00:00:14,940
Identity doesn’t line up with permissions.
6
00:00:14,940 –> 00:00:17,120
Work artifacts don’t line up with decisions,
7
00:00:17,120 –> 00:00:20,520
and nobody can explain what the system is allowed to treat as evidence.
8
00:00:20,520 –> 00:00:25,000
This episode maps context as architecture, memory, state, learning, and control.
9
00:00:25,000 –> 00:00:26,240
Once you see that substrate,
10
00:00:26,240 –> 00:00:31,200
co-pilot stops looking random and starts behaving exactly like the environment you built for it.
11
00:00:31,200 –> 00:00:34,560
The foundational misunderstanding, co-pilot isn’t the system.
12
00:00:34,560 –> 00:00:38,960
The foundational mistake is treating Microsoft 365 co-pilot as the system.
13
00:00:38,960 –> 00:00:41,160
It isn’t co-pilot is an interaction surface,
14
00:00:41,160 –> 00:00:43,400
a very expensive, very persuasive surface.
15
00:00:43,400 –> 00:00:45,320
But the real system is your tenant.
16
00:00:45,320 –> 00:00:47,120
The identity model, the permission graph,
17
00:00:47,120 –> 00:00:49,360
the documents brawl, the metadata discipline,
18
00:00:49,360 –> 00:00:50,920
the lifecycle policies,
19
00:00:50,920 –> 00:00:54,600
and the connectors you’ve allowed to exist with no consistent ownership.
20
00:00:54,600 –> 00:00:58,240
Co-pilot doesn’t create order. It consumes whatever order you already have.
21
00:00:58,240 –> 00:00:59,720
And if what you have is entropy,
22
00:00:59,720 –> 00:01:02,840
co-pilot operationalizes entropy at conversational speed.
23
00:01:02,840 –> 00:01:06,600
That distinction matters because leadership experiences co-pilot as random.
24
00:01:06,600 –> 00:01:09,360
They ask for an answer and they get something that sounds plausible,
25
00:01:09,360 –> 00:01:12,360
sometimes accurate, sometimes irrelevant, occasionally dangerous.
26
00:01:12,360 –> 00:01:16,440
Then everyone debates whether the AI is ready or whether they need better prompts.
27
00:01:16,440 –> 00:01:19,560
Meanwhile, the underlying reality stays untouched.
28
00:01:19,560 –> 00:01:24,800
The organization is running a probabilistic decision engine on top of a messy evidence substrate.
29
00:01:24,800 –> 00:01:26,240
Here’s the uncomfortable truth.
30
00:01:26,240 –> 00:01:28,560
Generative AI isn’t deterministic.
31
00:01:28,560 –> 00:01:30,000
It doesn’t execute a rule set.
32
00:01:30,000 –> 00:01:33,240
It generates a best-fit response to the context window it’s given.
33
00:01:33,240 –> 00:01:38,000
Using patterns learned from training and whatever enterprise data retrieval supplied at runtime.
34
00:01:38,000 –> 00:01:40,400
When that retrieval brings back conflicting documents,
35
00:01:40,400 –> 00:01:42,880
outdated procedures or half-permission fragments,
36
00:01:42,880 –> 00:01:45,000
the model doesn’t refuse out of professional ethics.
37
00:01:45,000 –> 00:01:47,600
It blends, it averages, it fills gaps.
38
00:01:47,600 –> 00:01:49,760
That’s not a bug, that’s how the mechanism works.
39
00:01:49,760 –> 00:01:52,920
So when executives say, it feels like it makes things up.
40
00:01:52,920 –> 00:01:57,720
What they’re noticing is the collision between deterministic intent and probabilistic generation.
41
00:01:57,720 –> 00:02:02,000
Enterprises are built on intent, approval chains, segregation of duties,
42
00:02:02,000 –> 00:02:04,040
policy statements, audit requirements.
43
00:02:04,040 –> 00:02:08,360
Co-pilot is built on likelihood, which next token best fits the prompt,
44
00:02:08,360 –> 00:02:09,760
plus the retrieved context.
45
00:02:09,760 –> 00:02:13,200
You can’t manage that mismatch with training sessions and prompt libraries.
46
00:02:13,200 –> 00:02:15,880
You manage it by engineering the context substrate,
47
00:02:15,880 –> 00:02:19,440
so the model’s probability space collapses toward your actual truth.
48
00:02:19,440 –> 00:02:22,040
Most feature-led rollouts fail for a simple reason.
49
00:02:22,040 –> 00:02:24,080
They don’t enforce design assumptions.
50
00:02:24,080 –> 00:02:27,440
Co-pilot gets deployed like a productivity feature, licenses assigned,
51
00:02:27,440 –> 00:02:29,960
a few champions trained, a dashboard watched,
52
00:02:29,960 –> 00:02:32,960
and none of the architecture that governs context gets corrected.
53
00:02:32,960 –> 00:02:34,920
SharePoint inheritance remains broken,
54
00:02:34,920 –> 00:02:38,240
sites remain overshared, sensitivity labels remain inconsistent,
55
00:02:38,240 –> 00:02:40,920
teams chats remain the de facto system of record,
56
00:02:40,920 –> 00:02:43,640
a dozen final V7 documents remain authoritative
57
00:02:43,640 –> 00:02:46,200
because nobody has the political energy to delete them.
58
00:02:46,200 –> 00:02:50,760
Then co-pilot gets blame for being inconsistent when it’s faithfully reflecting inconsistent context.
59
00:02:50,760 –> 00:02:54,600
This is why the co-pilot is the strategy narrative collapses at scale.
60
00:02:54,600 –> 00:02:55,800
You can’t scale a surface.
61
00:02:55,800 –> 00:02:57,640
You can only scale the system underneath it,
62
00:02:57,640 –> 00:02:59,360
and that system behaves like capital.
63
00:02:59,360 –> 00:03:00,960
Context is enterprise capital.
64
00:03:00,960 –> 00:03:01,840
It compounds.
65
00:03:01,840 –> 00:03:04,800
When context is structured, fresh, and permission correct,
66
00:03:04,800 –> 00:03:08,600
every workflow built on top of it gets cheaper, faster, and more reliable over time.
67
00:03:08,600 –> 00:03:09,760
Retrieval gets cleaner.
68
00:03:09,760 –> 00:03:11,080
Answers get grounded.
69
00:03:11,080 –> 00:03:15,600
Agents become viable because they can see state evidence and constraints without guessing.
70
00:03:15,600 –> 00:03:18,760
You stop paying people to re-litigate decisions that already happened.
71
00:03:18,760 –> 00:03:19,800
That’s compounding.
72
00:03:19,800 –> 00:03:20,640
Return.
73
00:03:20,640 –> 00:03:22,880
When context is sloppy, context also compounds.
74
00:03:22,880 –> 00:03:25,080
Just in the other direction, you get context rot.
75
00:03:25,080 –> 00:03:26,000
You get permission drift.
76
00:03:26,000 –> 00:03:27,960
You get more duplicated sources of truth.
77
00:03:27,960 –> 00:03:30,600
You get more exceptions, entropy generators,
78
00:03:30,600 –> 00:03:32,400
because people can’t find what they need.
79
00:03:32,400 –> 00:03:37,080
So they recreated, and now co-pilot amplifies the rot because its surfaces and recombines it.
80
00:03:37,080 –> 00:03:42,040
You’ve built an engine that accelerates your existing documentation debt into operational debt.
81
00:03:42,040 –> 00:03:45,680
If this sounds abstract, translate it into a simple system law.
82
00:03:45,680 –> 00:03:50,000
Co-pilot cannot be more reliable than the context boundary it operates inside.
83
00:03:50,000 –> 00:03:53,800
So the only responsible way to talk about high-performance autonomy is to stop asking whether
84
00:03:53,800 –> 00:03:57,720
co-pilot is smart and start asking what substrate you’ve built for it to reason over.
85
00:03:57,720 –> 00:03:59,000
What does it treat as memory?
86
00:03:59,000 –> 00:04:00,440
What does it treat as current state?
87
00:04:00,440 –> 00:04:01,800
What does it treat as evidence?
88
00:04:01,800 –> 00:04:03,160
What does it treat as policy?
89
00:04:03,160 –> 00:04:04,880
And what does it do when those are missing?
90
00:04:04,880 –> 00:04:07,040
In other words, what is the underlying engine?
91
00:04:07,040 –> 00:04:11,760
Because once co-pilot becomes the default interface for work, chat, documents, meetings,
92
00:04:11,760 –> 00:04:15,400
analytics, the tenant becomes an authorization and context compiler.
93
00:04:15,400 –> 00:04:19,400
It continuously decides what a given user at a given moment is allowed to see and which
94
00:04:19,400 –> 00:04:22,680
artifacts are eligible to influence the next answer or action.
95
00:04:22,680 –> 00:04:24,800
That’s the real platform, not the UI.
96
00:04:24,800 –> 00:04:27,440
And if you don’t deliberately design that platform, you still get one.
97
00:04:27,440 –> 00:04:32,000
You just get it by accident assembled from years of drift exceptions and unchecked sharing.
98
00:04:32,000 –> 00:04:37,080
So the conversation shifts, not how do we prompt better instead, how do we architect context
99
00:04:37,080 –> 00:04:39,440
so the system can’t plausibly be wrong?
100
00:04:39,440 –> 00:04:43,160
That’s where this episode goes next, defining context like an architect would so you can actually
101
00:04:43,160 –> 00:04:47,600
build it, govern it and stop mistaking surface polish for system integrity.
102
00:04:47,600 –> 00:04:49,680
Context defined like an architect would.
103
00:04:49,680 –> 00:04:51,960
Context is one of those words that gets used like perfume.
104
00:04:51,960 –> 00:04:52,960
Everybody likes the idea.
105
00:04:52,960 –> 00:04:53,960
Nobody can measure it.
106
00:04:53,960 –> 00:04:56,240
And because nobody can measure it, nobody can govern it.
107
00:04:56,240 –> 00:04:58,560
So define it in architectural terms.
108
00:04:58,560 –> 00:05:01,880
Context is the minimal set of signals required to make a decision correctly.
109
00:05:01,880 –> 00:05:06,560
And the organization rules at a specific moment in time, not all the data, not whatever the
110
00:05:06,560 –> 00:05:12,400
user pays it into chat, not everything the tenant can search minimal required correct time
111
00:05:12,400 –> 00:05:13,400
bound.
112
00:05:13,400 –> 00:05:17,080
That definition forces discipline because it immediately raises the real question, what
113
00:05:17,080 –> 00:05:20,400
signals count and who is accountable for their integrity.
114
00:05:20,400 –> 00:05:23,240
In this ecosystem, context is an engineered bundle.
115
00:05:23,240 –> 00:05:28,920
It’s identity plus permissions plus relationships plus state plus evidence plus freshness.
116
00:05:28,920 –> 00:05:32,640
You’ve any one of those and you don’t get slightly worse answers.
117
00:05:32,640 –> 00:05:34,200
You get a different system.
118
00:05:34,200 –> 00:05:38,680
Identity means who is asking in what role under what device in session conditions.
119
00:05:38,680 –> 00:05:40,920
In entra terms, that’s not just a user object.
120
00:05:40,920 –> 00:05:45,560
It’s the authentication event, the token, the conditional access posture, the group memberships
121
00:05:45,560 –> 00:05:50,240
that haven’t drifted and the entitlements that were supposed to expire, but never did.
122
00:05:50,240 –> 00:05:52,920
Permissions means what that identity can actually see.
123
00:05:52,920 –> 00:05:56,600
And more importantly, what the system believes it can see because copilot doesn’t negotiate
124
00:05:56,600 –> 00:05:57,600
permissions.
125
00:05:57,600 –> 00:05:58,600
It inherits them.
126
00:05:58,600 –> 00:06:01,560
The mission model is sloppy, the AI doesn’t become helpful.
127
00:06:01,560 –> 00:06:04,720
It becomes an oversharing assistant with perfect confidence.
128
00:06:04,720 –> 00:06:08,960
Relationships means the graph of work who works with whom, on what and how recently.
129
00:06:08,960 –> 00:06:11,080
This is the piece enterprises keep ignoring.
130
00:06:11,080 –> 00:06:14,040
They treat relationships as nice to have personalization.
131
00:06:14,040 –> 00:06:16,760
In reality, relationships are relevance rooting.
132
00:06:16,760 –> 00:06:20,280
They tell the system which documents are likely to matter which meetings were decision
133
00:06:20,280 –> 00:06:23,000
points and which people are authority sources.
134
00:06:23,000 –> 00:06:25,080
State means what is happening right now.
135
00:06:25,080 –> 00:06:26,720
Not what happened last quarter.
136
00:06:26,720 –> 00:06:28,200
Not what’s in a PDF.
137
00:06:28,200 –> 00:06:30,160
Not what someone promised in a team’s chat.
138
00:06:30,160 –> 00:06:31,160
Current ownership.
139
00:06:31,160 –> 00:06:32,160
Current status.
140
00:06:32,160 –> 00:06:33,160
Current exceptions.
141
00:06:33,160 –> 00:06:37,560
If state isn’t explicit, the system will reconstruct it from artifacts and it will reconstruct
142
00:06:37,560 –> 00:06:38,560
it badly.
143
00:06:38,560 –> 00:06:41,640
Evidence means the source is eligible to influence the output.
144
00:06:41,640 –> 00:06:44,880
A document isn’t evidence just because it exists in SharePoint.
145
00:06:44,880 –> 00:06:45,880
Evidence has lineage.
146
00:06:45,880 –> 00:06:46,880
It has an owner.
147
00:06:46,880 –> 00:06:47,880
It has a version.
148
00:06:47,880 –> 00:06:50,640
It has a reason it should be trusted over the other six documents that say something similar
149
00:06:50,640 –> 00:06:51,640
but not identical.
150
00:06:51,640 –> 00:06:55,080
Freshness means the time boundary where truth expires.
151
00:06:55,080 –> 00:06:58,360
A policy written two years ago might still be binding or it might be dead.
152
00:06:58,360 –> 00:07:01,960
A procedure from last month might be wrong because the tool changed last week without
153
00:07:01,960 –> 00:07:04,520
freshness context becomes archaeology.
154
00:07:04,520 –> 00:07:07,480
Now draw the line that most organizations refuse to draw.
155
00:07:07,480 –> 00:07:08,760
Data is not context.
156
00:07:08,760 –> 00:07:10,200
Data is raw material.
157
00:07:10,200 –> 00:07:14,400
Context is curated, permission correct, relationship aware, time valid material, assembled
158
00:07:14,400 –> 00:07:15,400
for a decision.
159
00:07:15,400 –> 00:07:19,080
If you feed raw data to an AI and call it context, you’ll get outputs that sound plausible
160
00:07:19,080 –> 00:07:20,080
and fail audits.
161
00:07:20,080 –> 00:07:23,040
This is where context windows and relevance windows show up.
162
00:07:23,040 –> 00:07:27,240
The context window is the technical boundary, what the model can see in the prompt plus
163
00:07:27,240 –> 00:07:28,240
retrieved content.
164
00:07:28,240 –> 00:07:31,560
The relevance window is the governance boundary, what the system is allowed to consider
165
00:07:31,560 –> 00:07:32,560
for this decision.
166
00:07:32,560 –> 00:07:33,560
Those are not the same thing.
167
00:07:33,560 –> 00:07:36,880
You can technically retrieve a thousand chunks of text that does not mean a thousand
168
00:07:36,880 –> 00:07:38,120
chunks are eligible.
169
00:07:38,120 –> 00:07:39,840
Bigger context is not better context.
170
00:07:39,840 –> 00:07:44,120
Bigger context is how you dilute signal, increase hallucination probability and create
171
00:07:44,120 –> 00:07:45,840
the worst kind of failure.
172
00:07:45,840 –> 00:07:49,920
Answers that look grounded because they cite something but the something is irrelevant
173
00:07:49,920 –> 00:07:50,920
or outdated.
174
00:07:50,920 –> 00:07:55,520
So measure context quality like an architect measures any substrate.
175
00:07:55,520 –> 00:07:59,400
Authority does this come from the system of record or from a random copy someone saved
176
00:07:59,400 –> 00:08:01,640
to their desktop and uploaded.
177
00:08:01,640 –> 00:08:05,560
Specificity is this the actual procedure for this business unit or a generic guideline
178
00:08:05,560 –> 00:08:07,240
that was never enforceable?
179
00:08:07,240 –> 00:08:08,240
Timeliness.
180
00:08:08,240 –> 00:08:10,960
Is this still true today in this tenant with today’s controls?
181
00:08:10,960 –> 00:08:11,960
Permission correctness.
182
00:08:11,960 –> 00:08:15,880
Is the system allowed to use it for this user for this purpose right now?
183
00:08:15,880 –> 00:08:18,040
And here’s the subtle one, consistency.
184
00:08:18,040 –> 00:08:22,240
If two sources disagree, your system has a decision problem, not an AI problem.
185
00:08:22,240 –> 00:08:25,800
Either you define precedence or the model will average the conflict into something that
186
00:08:25,800 –> 00:08:26,800
never existed.
187
00:08:26,800 –> 00:08:30,480
Once context is defined this way, copilot’s behavior stops being mysterious.
188
00:08:30,480 –> 00:08:33,560
It becomes a deterministic response to a probabilistic input set.
189
00:08:33,560 –> 00:08:38,720
And if the input set is noisy, stale or permission chaotic, you didn’t deploy intelligence.
190
00:08:38,720 –> 00:08:41,440
You deployed a narrative generator attached to your org chart.
191
00:08:41,440 –> 00:08:43,560
This is also why agente workflows break first.
192
00:08:43,560 –> 00:08:44,880
Agents don’t just answer.
193
00:08:44,880 –> 00:08:48,000
They choose tools, take actions and update state.
194
00:08:48,000 –> 00:08:50,360
That means their context isn’t only what should I say.
195
00:08:50,360 –> 00:08:54,600
It’s what is true, what is allowed, what is relevant and what happens next if I’m wrong.
196
00:08:54,600 –> 00:08:58,240
If you don’t engineer context with those constraints, autonomy doesn’t emerge.
197
00:08:58,240 –> 00:08:59,440
It degrades.
198
00:08:59,440 –> 00:09:00,920
And it degrades fast.
199
00:09:00,920 –> 00:09:02,560
Why agents fail first?
200
00:09:02,560 –> 00:09:05,280
Non-determinism meets enterprise entropy.
201
00:09:05,280 –> 00:09:08,280
Agents fail first because they turn ambiguity into motion.
202
00:09:08,280 –> 00:09:11,200
A chat answer can be wrong and still get politely ignored.
203
00:09:11,200 –> 00:09:15,400
Then agent can be wrong and still create tickets, send mail, change records, provision access
204
00:09:15,400 –> 00:09:18,440
or escalate to the wrong person with the wrong evidence attached.
205
00:09:18,440 –> 00:09:21,400
The enterprise doesn’t experience that as AI being fuzzy.
206
00:09:21,400 –> 00:09:25,520
It experiences it as operational damage with a natural language explanation.
207
00:09:25,520 –> 00:09:28,080
That’s the difference between generation and autonomy.
208
00:09:28,080 –> 00:09:31,320
Non-determinism is tolerable when the system only talks.
209
00:09:31,320 –> 00:09:33,680
It becomes unacceptable when the system acts.
210
00:09:33,680 –> 00:09:37,400
An enterprise environments are engineered to produce ambiguity at scale.
211
00:09:37,400 –> 00:09:40,880
Not because people are careless, but because the platform rewards exceptions.
212
00:09:40,880 –> 00:09:43,640
Every time a team can’t find the right policy, it writes a new one.
213
00:09:43,640 –> 00:09:47,840
Every time a workflow doesn’t fit the tool, someone creates a side channel in teams.
214
00:09:47,840 –> 00:09:52,760
Every time permissions are too strict, access gets broadened, temporarily and never tightened.
215
00:09:52,760 –> 00:09:55,880
Over time these pathways accumulate, agents don’t solve that.
216
00:09:55,880 –> 00:09:57,680
Agents amplify it.
217
00:09:57,680 –> 00:09:59,200
Here’s what most people miss.
218
00:09:59,200 –> 00:10:01,520
Agents don’t just need context to answer questions.
219
00:10:01,520 –> 00:10:03,360
They need context to choose the next step.
220
00:10:03,360 –> 00:10:07,800
Two selection, scope selection, escalation selection and stopping conditions.
221
00:10:07,800 –> 00:10:10,960
If any of those are underspecified, the agent will still move forward because its core
222
00:10:10,960 –> 00:10:12,120
function is completion.
223
00:10:12,120 –> 00:10:15,840
It optimizes for finish the task inside the constraints it can see.
224
00:10:15,840 –> 00:10:20,040
When the constraints are missing, it manufactures constraints out of whatever it retrieved.
225
00:10:20,040 –> 00:10:22,600
That’s where entropy wins.
226
00:10:22,600 –> 00:10:26,160
In practical terms, the first failure mode is wrong tool choice.
227
00:10:26,160 –> 00:10:28,720
The agent sees three pathways.
228
00:10:28,720 –> 00:10:33,320
Update a dataverse record, send an email or open a service now ticket through a connector.
229
00:10:33,320 –> 00:10:38,400
The tenant has no explicit policy that says, “Incidents of type X must go to system Y and only
230
00:10:38,400 –> 00:10:40,200
after evidence Z is attached.”
231
00:10:40,200 –> 00:10:44,360
So the agent picks the tool that looks semantically compatible with the prompt and the retrieved
232
00:10:44,360 –> 00:10:45,360
artifacts.
233
00:10:45,360 –> 00:10:46,760
That’s not intelligence.
234
00:10:46,760 –> 00:10:49,680
That’s pattern matching under incomplete specification.
235
00:10:49,680 –> 00:10:51,440
The second failure mode is wrong scope.
236
00:10:51,440 –> 00:10:54,280
This one is more dangerous because it looks like competence.
237
00:10:54,280 –> 00:10:57,360
The agent gets asked clean up stale vendor records.
238
00:10:57,360 –> 00:11:00,400
It retrieves the procurement SOP that uses the word stale.
239
00:11:00,400 –> 00:11:02,400
But it doesn’t define what stale means.
240
00:11:02,400 –> 00:11:05,960
Last transaction date, contract end date, risk rating or compliance status.
241
00:11:05,960 –> 00:11:08,360
So the agent applies an implicit definition.
242
00:11:08,360 –> 00:11:12,520
When it acts across a data set, larger than anyone expected because nothing in the context
243
00:11:12,520 –> 00:11:14,360
boundary told it where to stop.
244
00:11:14,360 –> 00:11:17,320
This is how you get irreversible work from reversible language.
245
00:11:17,320 –> 00:11:19,720
The third failure mode is wrong escalation.
246
00:11:19,720 –> 00:11:23,000
In a healthy enterprise, escalation is deterministic.
247
00:11:23,000 –> 00:11:24,160
Ownership is known.
248
00:11:24,160 –> 00:11:27,320
Deputies are defined and exceptions root to named roles.
249
00:11:27,320 –> 00:11:30,000
In most enterprises, escalation is social.
250
00:11:30,000 –> 00:11:32,080
Ask the person who usually knows.
251
00:11:32,080 –> 00:11:34,600
Graph relationships can help, but only if you let them.
252
00:11:34,600 –> 00:11:39,680
If you don’t model ownership and decision rights, the agent escalates to whoever appears relevant.
253
00:11:39,680 –> 00:11:41,840
Often the loudest signal, not the correct authority.
254
00:11:41,840 –> 00:11:44,480
And then there’s the failure that governance teams hate most.
255
00:11:44,480 –> 00:11:46,080
Hallucination driven decisions.
256
00:11:46,080 –> 00:11:47,960
This is not the model inventing trivia.
257
00:11:47,960 –> 00:11:52,520
This is the system taking action based on plausible synthesis when evidence is incomplete.
258
00:11:52,520 –> 00:11:57,400
An agent can cite a policy that exists, apply it to a context where it doesn’t, and generate
259
00:11:57,400 –> 00:12:01,800
a recommendation that looks ordered friendly because it contains words like per procedure
260
00:12:01,800 –> 00:12:04,040
and aligned to policy.
261
00:12:04,040 –> 00:12:06,320
Auditors can’t audit vibes.
262
00:12:06,320 –> 00:12:10,520
Auditors ask what evidence drove the decision, who approved it, and what controls prevented
263
00:12:10,520 –> 00:12:12,480
the wrong evidence from being used.
264
00:12:12,480 –> 00:12:16,600
If your agent’s evidence is a blended summary of five half related documents and a meeting
265
00:12:16,600 –> 00:12:19,400
transcript from last year, you don’t have automation.
266
00:12:19,400 –> 00:12:22,120
You have a liability generator with a friendly tone.
267
00:12:22,120 –> 00:12:26,800
So the principle becomes blunt, autonomy requires context discipline, not optimism.
268
00:12:26,800 –> 00:12:30,960
If a workflow cannot state its evidence standards, its scope boundaries, its stopping conditions
269
00:12:30,960 –> 00:12:33,920
and its escalation rules, it is not ready for agents.
270
00:12:33,920 –> 00:12:38,080
Not because the agent is weak, because the enterprise hasn’t defined the decision model the
271
00:12:38,080 –> 00:12:39,840
agent is supposed to obey.
272
00:12:39,840 –> 00:12:43,960
This is also why agent pilots look good in demos and fail in production.
273
00:12:43,960 –> 00:12:47,480
Demo’s are clean, the dataset is curated, the permission model is simplified, the workflow
274
00:12:47,480 –> 00:12:51,040
has an implied owner who happens to be in the room.
275
00:12:51,040 –> 00:12:56,640
Production is adversarial by default, stale docs, conflicting versions, inherited access,
276
00:12:56,640 –> 00:13:01,320
and people who will absolutely ask the agent to do something the policy never anticipated.
277
00:13:01,320 –> 00:13:03,400
Agents don’t break because they’re immature.
278
00:13:03,400 –> 00:13:07,400
They break because the enterprise context substrate is and that brings the conversation to the
279
00:13:07,400 –> 00:13:09,120
practical architecture question.
280
00:13:09,120 –> 00:13:13,480
If agents need disciplined context to act safely, where does that discipline live?
281
00:13:13,480 –> 00:13:17,480
What is the enterprise mechanism that turns scattered work into structured memory?
282
00:13:17,480 –> 00:13:18,640
That’s the next layer.
283
00:13:18,640 –> 00:13:21,680
Graph as organizational memory, not plumbing.
284
00:13:21,680 –> 00:13:24,040
Graph as organizational memory, not plumbing.
285
00:13:24,040 –> 00:13:28,360
Most enterprises already own the hardest part of AI context and they still manage to waste
286
00:13:28,360 –> 00:13:29,360
it.
287
00:13:29,360 –> 00:13:30,840
Microsoft Graph is not a set of APIs.
288
00:13:30,840 –> 00:13:36,000
It is not integration plumbing, architecturally, it’s the closest thing Microsoft 365 has
289
00:13:36,000 –> 00:13:38,120
to an organizational nervous system.
290
00:13:38,120 –> 00:13:42,880
A living map of people, artifacts, interactions, and the signals that connect them.
291
00:13:42,880 –> 00:13:46,920
That distinction matters because memory in an enterprise isn’t where files live, memory
292
00:13:46,920 –> 00:13:50,400
is how the organization refines the truth it already produced.
293
00:13:50,400 –> 00:13:54,400
Graph captures relationships that normal storage can’t, who met what they referenced, who
294
00:13:54,400 –> 00:13:59,320
edited what, which threaded decision came from, which people consistently co-author, and
295
00:13:59,320 –> 00:14:03,280
which documents cluster around a project even when nobody bothered to name them well.
296
00:14:03,280 –> 00:14:06,440
Its relational intelligence and relational intelligence is what makes retrieval feel
297
00:14:06,440 –> 00:14:09,320
like understanding instead of scavenger hunting.
298
00:14:09,320 –> 00:14:13,080
Most organizations treat retrieval like keyword search with better marketing.
299
00:14:13,080 –> 00:14:15,200
That’s why co-pilot feels random.
300
00:14:15,200 –> 00:14:18,400
The system can only retrieve what the organization made retrievable.
301
00:14:18,400 –> 00:14:22,800
And in a tenant with SharePoint sprawl teams as a shadow record system and naming conventions
302
00:14:22,800 –> 00:14:26,760
that died in 2019, keyword search becomes an archaeology exercise.
303
00:14:26,760 –> 00:14:30,600
Graph changes that, but only if you treat it as memory, not as a connector framework.
304
00:14:30,600 –> 00:14:32,080
Here’s the simple version.
305
00:14:32,080 –> 00:14:33,840
Storage holds objects.
306
00:14:33,840 –> 00:14:34,840
Memory holds meaning.
307
00:14:34,840 –> 00:14:36,360
A document library is storage.
308
00:14:36,360 –> 00:14:40,960
It doesn’t know why a file mattered, who trusted it, or which meeting made it binding.
309
00:14:40,960 –> 00:14:44,040
Graph at least conceptually can infer those things through connections.
310
00:14:44,040 –> 00:14:45,600
The meeting where it was discussed.
311
00:14:45,600 –> 00:14:47,040
The people who referenced it.
312
00:14:47,040 –> 00:14:49,200
The tasks that got created after it.
313
00:14:49,200 –> 00:14:53,520
The email thread that escalated because it contradicted another artifact.
314
00:14:53,520 –> 00:14:56,800
That’s why co-pilot consumes relational intelligence isn’t a slogan.
315
00:14:56,800 –> 00:14:58,640
It’s the actual dependency chain.
316
00:14:58,640 –> 00:15:02,960
When co-pilot produces a summary that looks like it understands the politics of a decision,
317
00:15:02,960 –> 00:15:03,960
it’s not psychic.
318
00:15:03,960 –> 00:15:08,160
It’s using the tenant’s relationship signals to decide what evidence is likely to matter
319
00:15:08,160 –> 00:15:10,480
to this user in this moment for this work stream.
320
00:15:10,480 –> 00:15:13,320
But enterprises rarely engineer that layer deliberately.
321
00:15:13,320 –> 00:15:17,800
They let it emerge accidentally from behavior, which means it inherits the same biases and
322
00:15:17,800 –> 00:15:19,280
gaps as the behavior.
323
00:15:19,280 –> 00:15:21,960
The loudest teams create the most artifacts.
324
00:15:21,960 –> 00:15:25,080
The most permissive sites generate the most accessible signals.
325
00:15:25,080 –> 00:15:29,920
The people who refuse to document decisions force the system to reconstruct them from fragments.
326
00:15:29,920 –> 00:15:34,080
Graph becomes a mirror of organizational habits and mirrors aren’t governance.
327
00:15:34,080 –> 00:15:37,880
So the question becomes what does it mean to engineer graph as organizational memory?
328
00:15:37,880 –> 00:15:41,560
It means you stop treating graph as an output and start treating it as a design input.
329
00:15:41,560 –> 00:15:45,240
You decide which work products are authoritative and make them easy to identify.
330
00:15:45,240 –> 00:15:49,160
Not by telling people to be disciplined, but by structuring where decisions land.
331
00:15:49,160 –> 00:15:52,600
You decide which meetings are decision points and ensure transcripts and artifacts are
332
00:15:52,600 –> 00:15:55,120
stored in predictable locations with predictable access.
333
00:15:55,120 –> 00:15:58,880
You decide which conversations are ephemeral and which are records.
334
00:15:58,880 –> 00:16:03,080
And you create the conditions where the relational signals are high quality because graph doesn’t
335
00:16:03,080 –> 00:16:04,080
create meaning.
336
00:16:04,080 –> 00:16:07,000
It indexes the trail your organization leaves.
337
00:16:07,000 –> 00:16:10,240
If the trail is incoherent, memory retrieval becomes probabilistic.
338
00:16:10,240 –> 00:16:13,120
If the trail is coherent, memory retrieval becomes repeatable.
339
00:16:13,120 –> 00:16:14,760
That’s the entire autonomy game.
340
00:16:14,760 –> 00:16:18,720
This is also where organizational memory stops being a soft concept and becomes an
341
00:16:18,720 –> 00:16:20,240
operational one.
342
00:16:20,240 –> 00:16:24,280
In a high performance enterprise, the system can answer what was decided when by whom with
343
00:16:24,280 –> 00:16:28,840
what evidence and what changed since then, not because someone wrote a perfect document,
344
00:16:28,840 –> 00:16:32,800
because the architecture made it easier to produce structured traces than to produce chaos.
345
00:16:32,800 –> 00:16:34,440
Now connect this back to agents.
346
00:16:34,440 –> 00:16:36,680
Agents don’t just need the latest document.
347
00:16:36,680 –> 00:16:37,960
They need the work graph.
348
00:16:37,960 –> 00:16:41,520
The relationships that indicate which sources are binding, which are drafts, which are
349
00:16:41,520 –> 00:16:45,360
stale and which are politically sensitive but operationally critical.
350
00:16:45,360 –> 00:16:49,240
They need to know the difference between a random file that matches a query and the file
351
00:16:49,240 –> 00:16:53,360
that drove the last two escalations and got referenced in the quarterly review.
352
00:16:53,360 –> 00:16:56,600
That’s why graph as memory is the substrate for autonomy.
353
00:16:56,600 –> 00:16:57,600
But here’s the catch.
354
00:16:57,600 –> 00:16:59,360
Memory is useless if it can’t be trusted.
355
00:16:59,360 –> 00:17:02,800
And in Microsoft 365, trust collapses the moment permissions drift.
356
00:17:02,800 –> 00:17:06,920
If the system can retrieve the right artifact but expose it to the wrong identity, you don’t
357
00:17:06,920 –> 00:17:07,920
have intelligence.
358
00:17:07,920 –> 00:17:09,240
You have automated disclosure.
359
00:17:09,240 –> 00:17:13,360
So the next layer is the one everyone postpones until it becomes a headline.
360
00:17:13,360 –> 00:17:15,280
Permissions are the context compiler.
361
00:17:15,280 –> 00:17:21,200
Most organizations talk about permissions like they’re a compliance chore, a checkbox, a
362
00:17:21,200 –> 00:17:24,200
quarterly attestation exercise that nobody believes in.
363
00:17:24,200 –> 00:17:26,800
In reality, permissions are the context compiler.
364
00:17:26,800 –> 00:17:31,000
They decide what evidence is even eligible to exist inside the AI’s world for a given
365
00:17:31,000 –> 00:17:32,440
user and a given workflow.
366
00:17:32,440 –> 00:17:34,680
That means permissions don’t just control access.
367
00:17:34,680 –> 00:17:35,720
They shape intelligence.
368
00:17:35,720 –> 00:17:40,680
They determine whether co-pilot and agents operate on signal or noise, on truth or on accidental
369
00:17:40,680 –> 00:17:41,680
exposure.
370
00:17:41,680 –> 00:17:43,200
And co-pilot doesn’t fix your permissions.
371
00:17:43,200 –> 00:17:45,160
It industrializes them.
372
00:17:45,160 –> 00:17:47,680
This is the part executives miss when they ask.
373
00:17:47,680 –> 00:17:49,520
Why did co-pilot show me that?
374
00:17:49,520 –> 00:17:50,880
Co-pilot didn’t show anything.
375
00:17:50,880 –> 00:17:53,720
It retrieved content the user could already access then summarized it.
376
00:17:53,720 –> 00:17:56,160
The system followed the rules you already deployed.
377
00:17:56,160 –> 00:18:00,240
If those rules are wrong, the AI becomes a high speed amplifier for a decade of casual
378
00:18:00,240 –> 00:18:01,320
sharing.
379
00:18:01,320 –> 00:18:05,200
Over permissioning creates AI-powered oversharing.
380
00:18:05,200 –> 00:18:07,880
Under permissioning creates AI mediocrity.
381
00:18:07,880 –> 00:18:12,040
And both look like co-pilot quality issues, which is convenient because it lets the
382
00:18:12,040 –> 00:18:14,640
organization avoid the real discussion.
383
00:18:14,640 –> 00:18:17,480
The permission model is not an administrative detail.
384
00:18:17,480 –> 00:18:21,440
It’s the boundary of what the organization is willing to let the system treat as truth
385
00:18:21,440 –> 00:18:22,440
for that identity.
386
00:18:22,440 –> 00:18:24,280
Here’s the uncomfortable truth.
387
00:18:24,280 –> 00:18:26,880
Most tenants run on permission folklore.
388
00:18:26,880 –> 00:18:29,720
People assume SharePoint inheritance works the way they think it does.
389
00:18:29,720 –> 00:18:33,160
They assume private channel means private in all the ways that matter.
390
00:18:33,160 –> 00:18:36,160
They assume that the folder called HR has HR permissions.
391
00:18:36,160 –> 00:18:39,920
They assume that external sharing was turned off in the places where it should be.
392
00:18:39,920 –> 00:18:43,360
They assume the access review they did last year is still meaningful.
393
00:18:43,360 –> 00:18:45,360
Those assumptions decay.
394
00:18:45,360 –> 00:18:46,360
Always.
395
00:18:46,360 –> 00:18:48,880
Permissions drift because organizations drift.
396
00:18:48,880 –> 00:18:50,200
Re-organizations.
397
00:18:50,200 –> 00:18:51,200
Roll changes.
398
00:18:51,200 –> 00:18:53,560
Projects that end but never get archived.
399
00:18:53,560 –> 00:18:57,560
Guest accounts that outlive the vendor contract and the classic entropy generator.
400
00:18:57,560 –> 00:18:59,720
Someone says, “Just add everyone for now.
401
00:18:59,720 –> 00:19:01,320
We’ll fix it later.”
402
00:19:01,320 –> 00:19:02,320
Later never arrives.
403
00:19:02,320 –> 00:19:03,800
It metastasizes into default.
404
00:19:03,800 –> 00:19:05,200
Now put co-pilot on top of that.
405
00:19:05,200 –> 00:19:08,760
You’ve effectively built a natural language interface to your permission dead.
406
00:19:08,760 –> 00:19:10,000
Not just search.
407
00:19:10,000 –> 00:19:11,000
Synthesis.
408
00:19:11,000 –> 00:19:12,800
Correlation.
409
00:19:12,800 –> 00:19:17,160
The system can stitch together artifacts that were never meant to be read side by side.
410
00:19:17,160 –> 00:19:18,400
A budget dock here.
411
00:19:18,400 –> 00:19:19,760
A strategy deck there.
412
00:19:19,760 –> 00:19:22,360
A meeting transcript that shouldn’t have been accessible.
413
00:19:22,360 –> 00:19:25,880
Suddenly the user gets an answer that contains information.
414
00:19:25,880 –> 00:19:28,200
The business never intended to be connected.
415
00:19:28,200 –> 00:19:29,880
Not because co-pilot is malicious.
416
00:19:29,880 –> 00:19:31,480
Because your permissions made it possible.
417
00:19:31,480 –> 00:19:33,960
This is why permission trimming is performance tuning.
418
00:19:33,960 –> 00:19:35,280
Not just risk reduction.
419
00:19:35,280 –> 00:19:38,600
When you reduce overbroad access you don’t only shrink blast radius.
420
00:19:38,600 –> 00:19:39,840
You reduce retrieval noise.
421
00:19:39,840 –> 00:19:41,000
You improve groundedness.
422
00:19:41,000 –> 00:19:46,480
You make relevance easier because fewer irrelevant artifacts are even eligible to be retrieved in the first place.
423
00:19:46,480 –> 00:19:49,240
Less eligible context often produces better answers.
424
00:19:49,240 –> 00:19:52,360
That sounds backwards until you remember what the model is doing.
425
00:19:52,360 –> 00:19:55,800
It’s trying to construct the best narrative from the evidence it can see.
426
00:19:55,800 –> 00:19:58,960
If you give it a landfill you get landfill adjacent output.
427
00:19:58,960 –> 00:20:03,480
If you give it a curated shelf you get something closer to a decision-grade response.
428
00:20:03,480 –> 00:20:06,080
SharePoints Brawl is the classic failure pattern here.
429
00:20:06,080 –> 00:20:08,360
Sites proliferate faster than ownership models.
430
00:20:08,360 –> 00:20:10,320
Broken inheritance becomes a lifestyle.
431
00:20:10,320 –> 00:20:12,080
Everyone accepts permissions multiply.
432
00:20:12,080 –> 00:20:16,480
Sharing links become the real access model because it’s easier than fixing groups.
433
00:20:16,480 –> 00:20:20,760
Teams creates artifacts across chats, channels, meeting recaps and loop components.
434
00:20:20,760 –> 00:20:26,360
And the organization loses any coherent sense of what is authoritative and what is incidental.
435
00:20:26,360 –> 00:20:30,320
Every one of those exceptions is a new compilation pathway for context.
436
00:20:30,320 –> 00:20:31,960
That’s what permissions are doing at scale.
437
00:20:31,960 –> 00:20:36,440
Compiling a context boundary from a messy, distributed authorization graph.
438
00:20:36,440 –> 00:20:40,120
And if you don’t intentionally constrain that compiler it will compile chaos.
439
00:20:40,120 –> 00:20:42,480
Reliably at machine speed.
440
00:20:42,480 –> 00:20:45,200
This is also why least privilege isn’t a moral stance.
441
00:20:45,200 –> 00:20:46,680
It’s an autonomy prerequisite.
442
00:20:46,680 –> 00:20:53,080
Agents can’t be trusted with broad implicit access because their failure mode isn’t, they looked at a file.
443
00:20:53,080 –> 00:20:56,520
Their failure mode is, they incorporate that file into an action chain.
444
00:20:56,520 –> 00:21:01,600
They email, they update records, they generate decisions that get forwarded as if they were vetted.
445
00:21:01,600 –> 00:21:05,680
The permission model becomes the blast radius model for autonomous behavior.
446
00:21:05,680 –> 00:21:08,360
So if you want a high performance autonomous enterprise,
447
00:21:08,360 –> 00:21:11,840
you treat permission architecture as a first class design surface.
448
00:21:11,840 –> 00:21:16,840
Scoped access, explicit ownership, exploration, access reviews that actually revoke
449
00:21:16,840 –> 00:21:20,760
and containers that reflect real work boundaries instead of historical accidents.
450
00:21:20,760 –> 00:21:22,600
And once you do that, something important happens.
451
00:21:22,600 –> 00:21:27,680
You stop conflating prompting with grounding because prompts don’t control what the system is allowed to know.
452
00:21:27,680 –> 00:21:28,640
Permissions do.
453
00:21:28,640 –> 00:21:32,960
And the next mistake leadership makes is spending a quarter training people to ask better questions
454
00:21:32,960 –> 00:21:35,680
while the evidence pipeline stays polluted.
455
00:21:35,680 –> 00:21:40,240
So the next layer is the real separation, prompt engineering versus grounding architecture.
456
00:21:40,240 –> 00:21:42,680
Prompt engineering versus grounding architecture.
457
00:21:42,680 –> 00:21:47,400
Prompt engineering is the part everybody can see so it gets all the attention, its language, its training,
458
00:21:47,400 –> 00:21:49,200
it’s a worksheet with best prompts.
459
00:21:49,200 –> 00:21:53,000
It’s the illusion that if people just ask nicely enough, the system will behave.
460
00:21:53,000 –> 00:21:55,440
That’s not how enterprise AI reliability gets built.
461
00:21:55,440 –> 00:21:56,440
A prompt is a request.
462
00:21:56,440 –> 00:22:02,040
Grounding is the evidence pipeline that decides what the system is allowed to treat as truth when it answers that request.
463
00:22:02,040 –> 00:22:06,920
Prompt operate at the interaction layer, grounding operates at the substrate layer and substrate always wins.
464
00:22:06,920 –> 00:22:08,200
Here’s what most people miss.
465
00:22:08,200 –> 00:22:10,120
Prompt engineering tries to control the model.
466
00:22:10,120 –> 00:22:12,280
Grounding architecture tries to control the inputs.
467
00:22:12,280 –> 00:22:17,520
Only one of those scales, prompts don’t scale because people drift, workflows drift, vocabulary drifts
468
00:22:17,520 –> 00:22:22,000
and the organization never agrees on one canonical way to ask for the same thing.
469
00:22:22,000 –> 00:22:26,440
One person says incident, another says outage, a third says service degradation
470
00:22:26,440 –> 00:22:28,920
and someone in manufacturing says line down.
471
00:22:28,920 –> 00:22:34,160
The prompt library becomes a museum of last quarter’s language, grounding doesn’t care what word you used.
472
00:22:34,160 –> 00:22:40,120
Grounding cares what evidence is eligible, what scope applies and what the system should do when the evidence doesn’t exist.
473
00:22:40,120 –> 00:22:42,080
That’s the strategic distinction.
474
00:22:42,080 –> 00:22:45,480
So the question leadership should ask is not, are our users trained?
475
00:22:45,480 –> 00:22:47,880
It’s, do we have grounding primitives?
476
00:22:47,880 –> 00:22:52,680
Grounding primitives are the repeatable mechanics that keep outputs bound to enterprise reality.
477
00:22:52,680 –> 00:22:58,000
Authoritative sources, scope retrieval, freshness constraints, permission correct access,
478
00:22:58,000 –> 00:23:02,800
provenance and the harshest but most necessary behavior, citations or silence.
479
00:23:02,800 –> 00:23:07,840
Citations or silence means the system either shows where it got the claim or it refuses to claim.
480
00:23:07,840 –> 00:23:14,400
Not because refusal is polite, because refusal is the only honest output when the evidence substrate is incomplete.
481
00:23:14,400 –> 00:23:17,920
In an enterprise, sounds right is not a valid confidence level.
482
00:23:17,920 –> 00:23:24,920
This also forces a design decision you can’t outsource to copilot, which sources are authoritative for which decisions.
483
00:23:24,920 –> 00:23:28,240
A procedure stored in a random team’s file tab is not authoritative.
484
00:23:28,240 –> 00:23:31,360
A policy dog with no owner and no review date is not authoritative.
485
00:23:31,360 –> 00:23:36,720
A deck that says draft but is widely shared is not authoritative even if it’s socially influential.
486
00:23:36,720 –> 00:23:40,480
Grounding architecture requires the organization to declare precedence.
487
00:23:40,480 –> 00:23:46,720
System of record beats convenience, current version beats nostalgia, controlled container beats, personal archive.
488
00:23:46,720 –> 00:23:53,160
Now connect this back to Microsoft 365, copilot can ground to tenant data but it can’t manufacture governance.
489
00:23:53,160 –> 00:23:57,880
It will pull what’s accessible and relevant by its retrieval logic and it will do its best.
490
00:23:57,880 –> 00:24:01,800
If you want something better than its best, you engineer the retrieval environment.
491
00:24:01,800 –> 00:24:06,120
That includes permission trimming which you already established as a context compiler problem
492
00:24:06,120 –> 00:24:11,000
but it also includes retrieval scoping, making sure the system doesn’t search the whole tenant.
493
00:24:11,000 –> 00:24:17,320
When the decision only needs a specific project space, a specific knowledge base or a specific business unit procedures.
494
00:24:17,320 –> 00:24:22,360
A relevance window is not optional here, it’s the cost control and risk control boundary for AI reasoning
495
00:24:22,360 –> 00:24:27,240
because every extra chunk of context you let into the window isn’t neutral, it’s an entropy injection.
496
00:24:27,240 –> 00:24:35,560
It increases the chance the system will synthesize across conflicting artifacts and it increases the chance it will side something that is technically true and practically wrong.
497
00:24:35,560 –> 00:24:37,080
That’s how you get polished nonsense.
498
00:24:37,080 –> 00:24:40,360
The other grounding boundary most organizations ignore is web grounding.
499
00:24:40,360 –> 00:24:45,080
When web grounding is enabled, part of the request can leave the tenant to perform a public search,
500
00:24:45,080 –> 00:24:48,760
then return results for synthesis, that is not enterprise knowledge.
501
00:24:48,760 –> 00:24:54,280
That is public internet retrieval mediated by Bing, treated like you would treat a user typing into a search engine.
502
00:24:54,280 –> 00:24:59,000
If you wouldn’t type it into a public search box, you don’t send it through web grounded copilot.
503
00:24:59,000 –> 00:25:01,320
That’s not paranoia, that’s architectural hygiene.
504
00:25:01,320 –> 00:25:05,720
Now if you want one mental model that makes this simple, here it is.
505
00:25:05,720 –> 00:25:08,120
Prompting is steering a conversation.
506
00:25:08,120 –> 00:25:12,200
Grounding is constraining a decision engine, steering fails when the road is missing.
507
00:25:12,200 –> 00:25:14,600
Constraints hold even when the driver improvises.
508
00:25:14,600 –> 00:25:21,400
So when an executive team asks why copilot outputs vary, the honest answer is, because you build a variable evidence substrate.
509
00:25:21,400 –> 00:25:22,760
The cure is not a better prompt.
510
00:25:22,760 –> 00:25:27,400
The cure is an engineered grounding architecture that makes the right evidence easy to retrieve,
511
00:25:27,400 –> 00:25:29,320
and the wrong evidence, ineligible.
512
00:25:29,320 –> 00:25:32,920
And once grounding is treated as architecture, you stop rewarding fluency.
513
00:25:32,920 –> 00:25:37,160
You reward traceability, you reward abstention when the system can’t prove its work,
514
00:25:37,160 –> 00:25:41,720
and you start designing the next thing enterprises avoid, an explicit relevance model.
515
00:25:41,720 –> 00:25:45,880
Because grounding without scoping just becomes high speed retrieval of the entire mess.
516
00:25:45,880 –> 00:25:48,200
That’s why the next layer is relevance windows.
517
00:25:48,200 –> 00:25:49,720
The discipline nobody budgets for.
518
00:25:49,720 –> 00:25:51,720
Relevance windows.
519
00:25:51,720 –> 00:25:53,880
The discipline nobody budgets for.
520
00:25:53,880 –> 00:25:57,640
Relevance windows are where most copilot and agent strategies quietly die,
521
00:25:57,640 –> 00:26:02,280
because a relevance window forces the enterprise to answer an uncomfortable question.
522
00:26:02,280 –> 00:26:05,240
What information is allowed to influence this decision,
523
00:26:05,240 –> 00:26:09,400
and what information is explicitly disallowed, even if it’s technically available.
524
00:26:09,400 –> 00:26:10,600
That distinction matters.
525
00:26:10,600 –> 00:26:13,000
The context window is what the model can ingest.
526
00:26:13,000 –> 00:26:17,240
The relevance window is what the organization authorizes as decision-grade evidence.
527
00:26:17,240 –> 00:26:21,880
If you don’t define a relevance window, the system defaults to whatever retrieval can find,
528
00:26:21,880 –> 00:26:26,520
and retrieval left alone optimizes for match, not meaning, not precedence, not safety.
529
00:26:26,520 –> 00:26:29,080
So the simple definition is this.
530
00:26:29,080 –> 00:26:33,480
A relevance window is the bounded set of evidence eligible for a specific workflow
531
00:26:33,480 –> 00:26:36,520
at a specific step, under a specific policy posture.
532
00:26:36,520 –> 00:26:40,360
It’s scoping, but with intent, that means you’re not just saying search this site,
533
00:26:40,360 –> 00:26:45,160
you’re saying for this decision only these sources count, only these versions count,
534
00:26:45,160 –> 00:26:47,240
and only within this time horizon.
535
00:26:47,240 –> 00:26:51,400
Now the part everyone gets wrong, they assume more context increases accuracy.
536
00:26:51,400 –> 00:26:55,400
It doesn’t, not in enterprise work, more context increases surface area,
537
00:26:55,400 –> 00:26:58,200
more contradictions, more stale procedures,
538
00:26:58,200 –> 00:27:02,920
more almost right artifacts that pull the model into a blended answer that never existed.
539
00:27:02,920 –> 00:27:05,480
If you want dependable outputs, you don’t widen the window,
540
00:27:05,480 –> 00:27:09,080
you tighten it until the remaining evidence is both relevant and authoritative.
541
00:27:09,080 –> 00:27:11,320
This is also where freshness becomes non-negotiable.
542
00:27:11,320 –> 00:27:14,120
A relevance window without freshness is just a curated archive,
543
00:27:14,120 –> 00:27:16,840
and archives are where outdated truth goes to look official.
544
00:27:16,840 –> 00:27:18,680
Enterprises love that, auditors don’t.
545
00:27:18,680 –> 00:27:22,840
Freshness is the policy that says this evidence expires,
546
00:27:22,840 –> 00:27:27,160
not because it’s old, but because the organization changes faster than documents get revised.
547
00:27:27,160 –> 00:27:31,080
Processes get updated, tools get renamed, regulatory obligations,
548
00:27:31,080 –> 00:27:34,520
shift, the people who own the procedure leave, and the document stays.
549
00:27:34,520 –> 00:27:36,120
Forever, that’s context rot.
550
00:27:36,120 –> 00:27:41,000
And context rot is worse than missing context because it produces confident wrongness with citations.
551
00:27:41,000 –> 00:27:43,080
So you need explicit freshness rules,
552
00:27:43,080 –> 00:27:45,000
review dates that actually mean something,
553
00:27:45,000 –> 00:27:48,840
versioning that preserves lineage and deprecation behaviors that make old artifacts
554
00:27:48,840 –> 00:27:50,360
ineligible by default.
555
00:27:50,360 –> 00:27:51,720
Not hidden, ineligible.
556
00:27:51,720 –> 00:27:52,920
Then you hit the next reality,
557
00:27:52,920 –> 00:27:55,560
versioning isn’t a document problem, it’s a decision problem.
558
00:27:55,560 –> 00:27:59,560
Enterprises routinely keep multiple truths alive because nobody wants to pick the winner.
559
00:27:59,560 –> 00:28:04,680
Drafts get socially adopted, a slide deck becomes policy because it was presented to leadership ones.
560
00:28:04,680 –> 00:28:07,800
A team’s message becomes procedure because it got pinned,
561
00:28:07,800 –> 00:28:11,720
and now you have an evidence conflict that the AI will resolve the only way it can.
562
00:28:11,720 –> 00:28:15,320
By synthesizing, but synthesis isn’t governance, it’s compromise.
563
00:28:15,320 –> 00:28:17,640
So relevance windows require precedence rules.
564
00:28:17,640 –> 00:28:21,080
When two sources disagree, the system needs a deterministic hierarchy.
565
00:28:21,080 –> 00:28:22,840
System of record beats guidance,
566
00:28:22,840 –> 00:28:26,760
signed policy beats draft, controlled repository beats personal stash,
567
00:28:26,760 –> 00:28:28,440
most recently reviewed beats.
568
00:28:28,440 –> 00:28:29,800
I think this is still right.
569
00:28:29,800 –> 00:28:31,640
If you don’t encode precedence,
570
00:28:31,640 –> 00:28:34,840
you’re outsourcing policy arbitration to a probabilistic model.
571
00:28:34,840 –> 00:28:35,800
That’s not innovation.
572
00:28:35,800 –> 00:28:37,640
That’s negligence with better UX.
573
00:28:37,640 –> 00:28:42,200
Now connect this to executive outcomes because that’s the only language that changes budgets.
574
00:28:42,200 –> 00:28:44,440
A disciplined relevance window reduces rework.
575
00:28:44,440 –> 00:28:46,040
It shortens review loops.
576
00:28:46,040 –> 00:28:49,800
It prevents looks plausible decisions from entering governance processes
577
00:28:49,800 –> 00:28:51,240
and wasting everybody’s time.
578
00:28:51,240 –> 00:28:52,680
It also reduces risk.
579
00:28:52,680 –> 00:28:57,240
Few accidental disclosures, fewer policy contradictions, fewer decisions made on dead procedures.
580
00:28:57,240 –> 00:29:01,400
And it makes autonomy possible because agents can’t operate safely on infinite evidence.
581
00:29:01,400 –> 00:29:05,640
They need a bounded arena where the next action is derived from eligible truth.
582
00:29:05,640 –> 00:29:08,280
Not from whatever the retrieval system dredged up.
583
00:29:08,280 –> 00:29:09,960
Here’s the practical test.
584
00:29:09,960 –> 00:29:12,360
If the organization can’t say it for workflow X,
585
00:29:12,360 –> 00:29:14,280
the eligible evidence is A, B and C,
586
00:29:14,280 –> 00:29:16,440
and everything else is advisory at best.
587
00:29:16,440 –> 00:29:18,920
Then the workflow is not ready for agentic execution.
588
00:29:18,920 –> 00:29:20,920
It’s barely ready for conversational advice.
589
00:29:20,920 –> 00:29:22,920
This is also why nobody budgets for it.
590
00:29:22,920 –> 00:29:25,000
Relevance windows aren’t a license line item.
591
00:29:25,000 –> 00:29:25,880
They are design work.
592
00:29:25,880 –> 00:29:28,440
They force content owners, security, compliance,
593
00:29:28,440 –> 00:29:31,720
and platform teams into the same room to agree on what counts.
594
00:29:31,720 –> 00:29:35,960
And that agreement exposes every hidden inconsistency the organization has been living with,
595
00:29:35,960 –> 00:29:37,480
which is exactly why it’s valuable.
596
00:29:37,480 –> 00:29:39,160
Because once you define relevance windows,
597
00:29:39,160 –> 00:29:40,200
you can finally do something.
598
00:29:40,200 –> 00:29:43,800
Enterprises claim they want reduced noise without reducing capability.
599
00:29:43,800 –> 00:29:47,720
You can make co-pilot an agent smarter by making their world smaller and cleaner.
600
00:29:47,720 –> 00:29:49,560
And you can make refusal a feature.
601
00:29:49,560 –> 00:29:50,520
Not a failure.
602
00:29:50,520 –> 00:29:52,520
If the evidence isn’t in the relevance window,
603
00:29:52,520 –> 00:29:54,600
the system escalates instead of guessing.
604
00:29:54,600 –> 00:29:55,960
That’s the discipline.
605
00:29:55,960 –> 00:29:59,880
And it’s the bridge from good chat to safe execution.
606
00:29:59,880 –> 00:30:02,680
But relevance windows only solve evidence eligibility.
607
00:30:02,680 –> 00:30:05,080
They don’t solve the next thing that makes work real.
608
00:30:05,080 –> 00:30:05,560
State.
609
00:30:05,560 –> 00:30:07,880
Because even if the system knows what evidence counts,
610
00:30:07,880 –> 00:30:09,800
it still needs to know what’s happening right now,
611
00:30:09,800 –> 00:30:12,040
who owns it, and what step comes next.
612
00:30:12,040 –> 00:30:14,360
That’s where the architecture moves next.
613
00:30:14,360 –> 00:30:16,520
From memory and evidence into operational memory,
614
00:30:16,520 –> 00:30:18,680
where state lives and autonomy stops looping.
615
00:30:18,680 –> 00:30:21,320
Dataverse as operational memory.
616
00:30:21,320 –> 00:30:23,240
Graph gives you organizational memory,
617
00:30:23,240 –> 00:30:27,160
what work meant, who was involved, and which artifacts clustered around decisions.
618
00:30:27,160 –> 00:30:29,640
But memory alone doesn’t run a business.
619
00:30:29,640 –> 00:30:31,480
Work becomes real when it has state.
620
00:30:31,480 –> 00:30:33,880
State is the part nobody can search their way into.
621
00:30:33,880 –> 00:30:36,520
It’s the current truth of a workflow.
622
00:30:36,520 –> 00:30:38,920
What step it’s in, who owns it, what’s blocked,
623
00:30:38,920 –> 00:30:41,800
what exception was granted, and what the system is waiting on.
624
00:30:41,800 –> 00:30:45,400
If that truth only exists in human heads and scattered teams’ messages,
625
00:30:45,400 –> 00:30:46,920
you don’t have a workflow.
626
00:30:46,920 –> 00:30:48,440
You have a rumor with attachments.
627
00:30:48,440 –> 00:30:50,520
This is where dataverse earns its place.
628
00:30:50,520 –> 00:30:52,280
Not as power platform storage,
629
00:30:52,280 –> 00:30:54,280
not as tables for citizen devs.
630
00:30:54,280 –> 00:30:57,560
Architecturally, dataverse is operational memory.
631
00:30:57,560 –> 00:31:00,200
A governed place to record what is happening now,
632
00:31:00,200 –> 00:31:02,760
in a form that automation and agents can’t misinterpret.
633
00:31:02,760 –> 00:31:05,320
Because an agent without state becomes a loop generator.
634
00:31:05,320 –> 00:31:07,160
It re-ask questions you already answered.
635
00:31:07,160 –> 00:31:10,680
It resends approval requests because it can’t confirm they were completed.
636
00:31:10,680 –> 00:31:13,720
It reopens issues because it can’t see closure criteria.
637
00:31:13,720 –> 00:31:17,880
It escalates prematurely because it can’t distinguish waiting from stuck.
638
00:31:17,880 –> 00:31:20,920
And then leadership calls it immature when the actual problem is that
639
00:31:20,920 –> 00:31:25,400
the enterprise never gave the system an authoritative place to store reality.
640
00:31:25,400 –> 00:31:28,360
Operational memory fixes that by making intent explicit.
641
00:31:28,360 –> 00:31:31,080
In dataverse terms, that means you don’t just store records,
642
00:31:31,080 –> 00:31:32,520
you store the decision model.
643
00:31:32,520 –> 00:31:34,680
Entities that represent the work itself.
644
00:31:34,680 –> 00:31:36,280
Not just the data around it.
645
00:31:36,280 –> 00:31:39,080
You define a case and approval and exception,
646
00:31:39,080 –> 00:31:41,800
a controller to station, a vendor on boarding,
647
00:31:41,800 –> 00:31:44,200
an incident review, whatever the workflow is,
648
00:31:44,200 –> 00:31:47,720
the entity becomes the contract between humans, tools, and agents,
649
00:31:47,720 –> 00:31:50,360
and the contract has to contain certain fields.
650
00:31:50,360 –> 00:31:52,040
Whether people like it or not.
651
00:31:52,040 –> 00:31:53,080
Ownership.
652
00:31:53,080 –> 00:31:54,840
Who is accountable right now?
653
00:31:54,840 –> 00:31:57,800
And who is the escalation path if they’re unavailable?
654
00:31:57,800 –> 00:31:58,520
Status.
655
00:31:58,520 –> 00:32:00,200
Not a vague in progress,
656
00:32:00,200 –> 00:32:02,760
but a state machine that reflects real gates.
657
00:32:02,760 –> 00:32:07,240
Drafted, submitted, pending approval, approved, executed, verified, closed.
658
00:32:07,240 –> 00:32:08,520
SLA and deadlines.
659
00:32:08,520 –> 00:32:12,360
So the system can differentiate urgent from normal without emotional language.
660
00:32:12,360 –> 00:32:13,320
Scope boundaries.
661
00:32:13,320 –> 00:32:16,840
What the agent is allowed to change and what it must only recommend.
662
00:32:16,840 –> 00:32:21,800
Exception tracking, because exceptions always happen and if you don’t record them, you can’t govern drift.
663
00:32:21,800 –> 00:32:25,080
This is the point where autonomy stops being a co-pilot conversation
664
00:32:25,080 –> 00:32:27,240
and becomes a control plane conversation.
665
00:32:27,240 –> 00:32:30,680
If data verse holds state, then agents can operate as stateful actors.
666
00:32:30,680 –> 00:32:34,440
Read the current step, retrieve only the evidence relevant to that step,
667
00:32:34,440 –> 00:32:37,880
take a bounded action, update the state, and log what happened.
668
00:32:37,880 –> 00:32:40,680
Without that, you get the enterprise version of Groundhog Day.
669
00:32:40,680 –> 00:32:42,600
Here’s the counter-intuitive part.
670
00:32:42,600 –> 00:32:45,560
State reduces hallucinations without touching the model.
671
00:32:45,560 –> 00:32:49,480
Because many hallucinations in enterprise work aren’t the model inventing facts.
672
00:32:49,480 –> 00:32:52,440
They are the model improvising missing workflow reality.
673
00:32:52,440 –> 00:32:55,400
If you ask, has procurement approved this vendor?
674
00:32:55,400 –> 00:32:57,320
And the system can’t see an approval state.
675
00:32:57,320 –> 00:33:00,600
It will infer from the most recent email thread or a meeting recap
676
00:33:00,600 –> 00:33:02,760
or a spreadsheet someone updated last week.
677
00:33:02,760 –> 00:33:03,800
That’s not reasoning.
678
00:33:03,800 –> 00:33:05,560
That’s guessing with citations.
679
00:33:05,560 –> 00:33:09,160
If data verse contains the approval record, the question becomes deterministic.
680
00:33:09,160 –> 00:33:10,680
The agent doesn’t need to be smart.
681
00:33:10,680 –> 00:33:11,640
It needs to be obedient.
682
00:33:11,640 –> 00:33:15,320
This is also why data verse is the right place to encode refusal conditions.
683
00:33:15,640 –> 00:33:18,680
An agent should not guess whether a change is authorized.
684
00:33:18,680 –> 00:33:21,400
It should check whether the approval entity exists,
685
00:33:21,400 –> 00:33:24,440
whether the right role approved it, whether the approval is still valid,
686
00:33:24,440 –> 00:33:25,800
and whether the conditions match.
687
00:33:25,800 –> 00:33:27,720
If any of those fail, the agent escalates.
688
00:33:27,720 –> 00:33:31,000
Not because it’s cautious, because it’s operating inside an engineered boundary.
689
00:33:31,000 –> 00:33:32,840
And yes, that boundary is annoying to build.
690
00:33:32,840 –> 00:33:37,400
Because it forces the organization to define what it pretends is already defined.
691
00:33:37,400 –> 00:33:38,280
Who owns this?
692
00:33:38,280 –> 00:33:39,320
What does done mean?
693
00:33:39,320 –> 00:33:40,040
What’s the SLA?
694
00:33:40,040 –> 00:33:41,320
What counts as an exception?
695
00:33:41,320 –> 00:33:44,040
Which steps are reversible and which are irreversible?
696
00:33:44,040 –> 00:33:46,040
But once you define it, something else happens.
697
00:33:46,040 –> 00:33:48,520
You stop treating teams and email a state storage.
698
00:33:48,520 –> 00:33:50,920
They go back to being communication layers.
699
00:33:50,920 –> 00:33:55,160
Useful, human, and fundamentally unfit to act as a system of record.
700
00:33:55,160 –> 00:33:58,280
Data verse becomes the place where the workflows truth lives,
701
00:33:58,280 –> 00:34:00,920
while graph becomes the place where the workflows context
702
00:34:00,920 –> 00:34:02,840
and supporting evidence can be retrieved.
703
00:34:02,840 –> 00:34:03,720
That split matters.
704
00:34:03,720 –> 00:34:04,920
Memory tells you what happens.
705
00:34:04,920 –> 00:34:07,880
State tells you what is happening, and autonomy requires both.
706
00:34:07,880 –> 00:34:09,720
Because the moment an agent can read state,
707
00:34:09,720 –> 00:34:11,240
it can stop relitigating.
708
00:34:11,240 –> 00:34:12,600
It can stop re-asking.
709
00:34:12,600 –> 00:34:15,240
It can stop re-summarizing the same thread,
710
00:34:15,240 –> 00:34:16,440
like its new information.
711
00:34:16,440 –> 00:34:17,720
It can progress work.
712
00:34:17,720 –> 00:34:20,920
And if you want the enterprise version of high performance, that’s it.
713
00:34:20,920 –> 00:34:22,920
Fewer loops, fewer duplicate efforts,
714
00:34:22,920 –> 00:34:24,440
fewer approvals that happen twice,
715
00:34:24,440 –> 00:34:26,200
because nobody could prove the first one happened.
716
00:34:26,200 –> 00:34:28,440
Operational memory isn’t glamorous.
717
00:34:28,440 –> 00:34:31,960
It’s also the difference between a demo agent and a production system.
718
00:34:31,960 –> 00:34:33,880
Fabric as analytical memory.
719
00:34:33,880 –> 00:34:37,400
Data verse gives the system operational memory, the live state of work,
720
00:34:37,400 –> 00:34:40,120
but operational memory alone doesn’t improve the enterprise.
721
00:34:40,120 –> 00:34:41,320
It only stabilizes it.
722
00:34:41,320 –> 00:34:42,840
Stability is not learning.
723
00:34:42,840 –> 00:34:47,400
Learning requires a different kind of memory, analytical memory.
724
00:34:47,400 –> 00:34:50,680
The enterprise needs to remember patterns, not just status.
725
00:34:50,680 –> 00:34:53,640
It needs to know what keeps breaking, where time gets wasted,
726
00:34:53,640 –> 00:34:55,640
which approvals are pure theatre,
727
00:34:55,640 –> 00:35:00,360
and which exceptions are actually permanent workflow branches pretending to be temporary.
728
00:35:00,360 –> 00:35:01,800
That’s where Fabric fits.
729
00:35:01,800 –> 00:35:03,720
Not as the place you run reports.
730
00:35:03,720 –> 00:35:06,520
Architecturally, Fabric is the learning layer.
731
00:35:06,520 –> 00:35:09,640
The part of the autonomy stack that turns accumulated execution
732
00:35:09,640 –> 00:35:11,000
into improved design.
733
00:35:11,000 –> 00:35:12,040
Here’s the simple version.
734
00:35:12,040 –> 00:35:13,560
Graph tells you how work connects.
735
00:35:13,560 –> 00:35:15,560
Data verse tells you what work is happening.
736
00:35:15,560 –> 00:35:17,560
Fabric tells you why work keeps failing.
737
00:35:17,560 –> 00:35:18,920
And if you don’t build that layer,
738
00:35:18,920 –> 00:35:22,200
you’re stuck in a loop where the organization keeps automating
739
00:35:22,200 –> 00:35:25,160
yesterday’s dysfunction with higher speed and better phrasing.
740
00:35:25,160 –> 00:35:27,400
Analytical memory starts with aggregation.
741
00:35:27,400 –> 00:35:28,520
Not dashboards.
742
00:35:28,520 –> 00:35:31,000
Aggregation of signals that were previously invisible
743
00:35:31,000 –> 00:35:33,080
because they lived in too many places.
744
00:35:33,080 –> 00:35:35,240
Case cycle times, handoff delays,
745
00:35:35,240 –> 00:35:37,720
reopened incidents, repeated escalations,
746
00:35:37,720 –> 00:35:39,400
approval latency by roll,
747
00:35:39,400 –> 00:35:41,800
exception frequency by workflow step,
748
00:35:41,800 –> 00:35:45,640
and the quiet killer rework triggered by missing or conflicting evidence.
749
00:35:45,640 –> 00:35:49,080
Most enterprises can’t answer basic questions like
750
00:35:49,080 –> 00:35:50,920
which teams create the most exceptions,
751
00:35:50,920 –> 00:35:53,720
and are those exceptions correlated with missing permissions,
752
00:35:53,720 –> 00:35:55,640
missing templates, or missing ownership?
753
00:35:55,640 –> 00:35:57,800
They can’t answer because the raw events exist,
754
00:35:57,800 –> 00:35:59,880
but the system never turned them into a governed,
755
00:35:59,880 –> 00:36:01,000
queriable narrative.
756
00:36:01,000 –> 00:36:03,160
Fabric is how that narrative becomes evidence.
757
00:36:03,160 –> 00:36:07,240
Now, a warning, analytics is where enterprises lie to themselves with math.
758
00:36:07,240 –> 00:36:08,920
Correlation is not causation.
759
00:36:08,920 –> 00:36:10,360
That distinction matters.
760
00:36:10,360 –> 00:36:12,760
If fabric shows that incidents take longer
761
00:36:12,760 –> 00:36:14,120
when a certain team is involved,
762
00:36:14,120 –> 00:36:16,600
the lazy conclusion is that team is slow.
763
00:36:16,600 –> 00:36:19,640
The real cause might be that the team gets the hardest incidents
764
00:36:19,640 –> 00:36:22,200
or that the routing logic dumps chaos on them,
765
00:36:22,200 –> 00:36:24,280
or that the upstream context is incomplete,
766
00:36:24,280 –> 00:36:26,440
so they spend the first six hours reconstructing
767
00:36:26,440 –> 00:36:27,800
what should have been handed to them.
768
00:36:27,800 –> 00:36:30,040
So the guardrail for analytical memories is this.
769
00:36:30,040 –> 00:36:32,440
Treat analytics as hypothesis generation.
770
00:36:32,440 –> 00:36:34,360
Not automatic policy enforcement.
771
00:36:34,360 –> 00:36:36,520
Fabric should inform better orchestration rules,
772
00:36:36,520 –> 00:36:38,920
but it should not auto-legislate them without validation.
773
00:36:38,920 –> 00:36:40,840
Otherwise, you’re automating false narratives.
774
00:36:40,840 –> 00:36:43,960
And false narratives are how organizations turn temporary anomalies
775
00:36:43,960 –> 00:36:45,160
into permanent bureaucracy.
776
00:36:45,160 –> 00:36:47,320
When fabric is used correctly, it closes the loop.
777
00:36:47,320 –> 00:36:49,800
It turns operational history into design pressure.
778
00:36:49,800 –> 00:36:53,720
For example, if the system sees that a workflow step consistently stalls
779
00:36:53,720 –> 00:36:56,680
because approvals come from a role that isn’t staffed after hours,
780
00:36:56,680 –> 00:36:58,200
that’s not a people problem.
781
00:36:58,200 –> 00:36:59,640
That’s a state model problem.
782
00:36:59,640 –> 00:37:01,000
The escalation path is wrong.
783
00:37:01,000 –> 00:37:02,520
The authority model is incomplete.
784
00:37:02,520 –> 00:37:05,480
The workflow needs an alternate lane with a defined supervisor,
785
00:37:05,480 –> 00:37:07,960
or it needs time-bound delegation that expires,
786
00:37:07,960 –> 00:37:10,360
or it needs a different gating mechanism entirely.
787
00:37:10,360 –> 00:37:11,240
That’s learning.
788
00:37:11,240 –> 00:37:12,120
Not a chart.
789
00:37:12,120 –> 00:37:13,480
Or consider relevance windows.
790
00:37:13,480 –> 00:37:15,400
You can define them, but without telemetry,
791
00:37:15,400 –> 00:37:16,760
you won’t know if they’re working.
792
00:37:16,760 –> 00:37:19,560
Fabric can show you how often an agent needed to escalate
793
00:37:19,560 –> 00:37:21,000
because evidence was missing,
794
00:37:21,000 –> 00:37:22,760
which sources were used most often,
795
00:37:22,760 –> 00:37:24,440
which sources were frequently retrieved,
796
00:37:24,440 –> 00:37:25,640
but never cited,
797
00:37:25,640 –> 00:37:28,120
and where retrieval produced conflicting guidance.
798
00:37:28,120 –> 00:37:29,240
That’s not just usage data.
799
00:37:29,240 –> 00:37:31,480
That’s feedback about your context substrate,
800
00:37:31,480 –> 00:37:33,160
and its feedback you can act on.
801
00:37:33,160 –> 00:37:35,880
This is where autonomy stops being a product purchase
802
00:37:35,880 –> 00:37:37,560
and becomes an operating model.
803
00:37:37,560 –> 00:37:40,760
Because an autonomous enterprise is not one where the agent does more things,
804
00:37:40,760 –> 00:37:42,440
it’s one where the system becomes better
805
00:37:42,440 –> 00:37:44,440
at deciding what it should do over time,
806
00:37:44,440 –> 00:37:45,720
with fewer human interventions.
807
00:37:45,720 –> 00:37:48,200
That means analytics must change orchestration rules,
808
00:37:48,200 –> 00:37:50,200
not just inform quarterly reviews.
809
00:37:50,200 –> 00:37:52,120
If fabric shows that certain exception types
810
00:37:52,120 –> 00:37:54,280
always lead to the same remediation steps,
811
00:37:54,280 –> 00:37:56,120
then you can codify a lane,
812
00:37:56,120 –> 00:37:58,280
auto-handle within defined boundaries,
813
00:37:58,280 –> 00:38:00,840
log evidence, update dataverse state,
814
00:38:00,840 –> 00:38:03,080
and only escalate when the patent breaks.
815
00:38:03,080 –> 00:38:05,400
If fabric shows that a particular policy source
816
00:38:05,400 –> 00:38:07,640
is constantly contradicted by newer procedures
817
00:38:07,640 –> 00:38:09,160
that’s not an AI problem,
818
00:38:09,160 –> 00:38:10,520
that’s content governance drift.
819
00:38:10,520 –> 00:38:13,080
The fix is to deprecate the policy or reissue it,
820
00:38:13,080 –> 00:38:15,880
or market as advisory and make the precedence explicit.
821
00:38:15,880 –> 00:38:18,200
Fabric becomes the place where drift is visible,
822
00:38:18,200 –> 00:38:20,040
and drift is the true enemy of autonomy.
823
00:38:20,040 –> 00:38:22,280
Because the moment the environment changes faster
824
00:38:22,280 –> 00:38:23,960
than the context substrate updates,
825
00:38:23,960 –> 00:38:26,680
the agent becomes a historical reenactment tool.
826
00:38:26,680 –> 00:38:28,760
It will keep operating on what used to be true
827
00:38:28,760 –> 00:38:31,560
with perfect confidence and fully logged explanations.
828
00:38:31,560 –> 00:38:33,640
Analytical memories how you prevent that.
829
00:38:33,640 –> 00:38:35,880
It’s how you detect where the system’s behavior
830
00:38:35,880 –> 00:38:38,760
is diverging from intent, rising exception rates,
831
00:38:38,760 –> 00:38:41,640
growing retry loops, increasing time to decision,
832
00:38:41,640 –> 00:38:43,480
widening variance between teams
833
00:38:43,480 –> 00:38:45,880
and changes in what evidence gets cited.
834
00:38:45,880 –> 00:38:48,440
Then you feed those insights back into the control plane,
835
00:38:48,440 –> 00:38:50,760
update the relevance windows, tighten permissions,
836
00:38:50,760 –> 00:38:53,160
change routing rules, revise the state machine,
837
00:38:53,160 –> 00:38:55,320
or adjust refusal thresholds.
838
00:38:55,320 –> 00:38:57,320
That feedback loop is the difference between
839
00:38:57,320 –> 00:39:01,320
we deployed co-pilot and we built an enterprise that learns.
840
00:39:01,320 –> 00:39:03,000
And once you see fabric this way,
841
00:39:03,000 –> 00:39:04,840
the autonomy stack becomes obvious.
842
00:39:04,840 –> 00:39:07,480
Memory, state, learning, interaction.
843
00:39:07,480 –> 00:39:10,360
Each layer compensates for a failure mode in the others.
844
00:39:10,360 –> 00:39:13,240
Each layer produces signals the next layer depends on.
845
00:39:13,240 –> 00:39:15,880
Remove the learning layer and you don’t get autonomy.
846
00:39:15,880 –> 00:39:17,720
You get automation that ruts in place.
847
00:39:17,720 –> 00:39:19,080
The autonomy stack.
848
00:39:19,080 –> 00:39:22,120
Memory, state, learning, interaction.
849
00:39:22,120 –> 00:39:24,920
Now the stack is visible, and it’s embarrassingly simple.
850
00:39:24,920 –> 00:39:25,960
Not easy, simple.
851
00:39:25,960 –> 00:39:29,160
Autonomy in Microsoft 365 isn’t a feature you toggle on.
852
00:39:29,160 –> 00:39:32,600
It’s an emergent property of four layers that either align
853
00:39:32,600 –> 00:39:35,640
or they fight each other until the whole thing feels random.
854
00:39:35,640 –> 00:39:39,800
Memory, state, learning, interaction.
855
00:39:39,800 –> 00:39:42,600
And the order matters because each layer is compensating
856
00:39:42,600 –> 00:39:44,840
for a specific kind of enterprise failure.
857
00:39:44,840 –> 00:39:45,800
Memory is graph.
858
00:39:45,800 –> 00:39:47,240
Not because graph is magical,
859
00:39:47,240 –> 00:39:49,080
but because it encodes relationships.
860
00:39:49,080 –> 00:39:51,560
Who, what, when, and the trail of work signals
861
00:39:51,560 –> 00:39:55,160
that makes retrieval feel like recall instead of search?
862
00:39:55,160 –> 00:39:57,880
Graph is how the system learns what a piece of work meant
863
00:39:57,880 –> 00:39:59,160
inside the organization.
864
00:39:59,160 –> 00:40:02,280
Without that, co-pilot has to treat every request
865
00:40:02,280 –> 00:40:03,720
like it’s happening in a vacuum.
866
00:40:03,720 –> 00:40:06,040
You get generic answers, generic summaries,
867
00:40:06,040 –> 00:40:08,280
and the same could you provide more context
868
00:40:08,280 –> 00:40:10,120
but loop that waste’s executive time.
869
00:40:10,120 –> 00:40:11,560
State is dataverse.
870
00:40:11,560 –> 00:40:12,680
It’s operational truth.
871
00:40:12,680 –> 00:40:14,440
What step the workflow is in right now?
872
00:40:14,440 –> 00:40:15,400
Who owns it?
873
00:40:15,400 –> 00:40:16,280
What is blocked?
874
00:40:16,280 –> 00:40:17,400
What was approved?
875
00:40:17,400 –> 00:40:18,920
What exception was granted?
876
00:40:18,920 –> 00:40:21,960
And what the system must not do without supervision?
877
00:40:21,960 –> 00:40:25,000
Without state agents become polite but unreliable interns.
878
00:40:25,000 –> 00:40:25,720
They ask again.
879
00:40:25,720 –> 00:40:26,600
They resummarize.
880
00:40:26,600 –> 00:40:27,640
They reopen.
881
00:40:27,640 –> 00:40:29,400
They can’t tell whether progress happened
882
00:40:29,400 –> 00:40:32,360
so they manufacture progress by talking about progress.
883
00:40:32,360 –> 00:40:33,400
Learning is fabric.
884
00:40:33,400 –> 00:40:36,360
It’s the layer that converts a pile of completed workflows
885
00:40:36,360 –> 00:40:38,360
into patterns where approval stall,
886
00:40:38,360 –> 00:40:39,800
where evidence is missing,
887
00:40:39,800 –> 00:40:42,440
where exceptions cluster, where retries spike,
888
00:40:42,440 –> 00:40:44,920
where policies contradict reality.
889
00:40:44,920 –> 00:40:47,240
Without learning, the organization never gets better.
890
00:40:47,240 –> 00:40:49,480
It just runs the same broken process faster
891
00:40:49,480 –> 00:40:53,160
then celebrates adoption while operational drag quietly remains.
892
00:40:53,160 –> 00:40:54,680
Interaction is co-pilot.
893
00:40:54,680 –> 00:40:56,600
Chat embedded assistance in office apps,
894
00:40:56,600 –> 00:40:58,600
teams and whatever agent front and leadership
895
00:40:58,600 –> 00:41:00,120
is currently excited about.
896
00:41:00,120 –> 00:41:02,200
Interaction is where humans meet the system.
897
00:41:02,200 –> 00:41:03,960
It’s also the only layer people see,
898
00:41:03,960 –> 00:41:05,560
which is why it gets blamed for everything.
899
00:41:05,560 –> 00:41:07,080
But interaction is downstream.
900
00:41:07,080 –> 00:41:08,840
It cannot fix memory state or learning.
901
00:41:08,840 –> 00:41:10,920
It can only expose their quality.
902
00:41:10,920 –> 00:41:12,360
This is the foundational reframe.
903
00:41:12,360 –> 00:41:13,960
Co-pilot is not intelligence.
904
00:41:13,960 –> 00:41:15,400
Co-pilot is presentation.
905
00:41:15,400 –> 00:41:18,280
An autonomy isn’t agents.
906
00:41:18,280 –> 00:41:22,040
Autonomy is what happens when the presentation layer is backed by memory,
907
00:41:22,040 –> 00:41:24,440
anchored in state and corrected by learning.
908
00:41:24,440 –> 00:41:27,160
Here’s the system behavior when a layer is missing.
909
00:41:27,160 –> 00:41:28,920
If you have interaction without memory,
910
00:41:28,920 –> 00:41:31,720
you get fluent output with no organizational awareness.
911
00:41:31,720 –> 00:41:35,240
It reads like a smart public chatbot, helpful but detached.
912
00:41:35,240 –> 00:41:36,520
That’s where leaders conclude.
913
00:41:36,520 –> 00:41:38,120
It doesn’t understand our business.
914
00:41:38,120 –> 00:41:39,640
If you have memory without state,
915
00:41:39,640 –> 00:41:41,480
you get good recall but no execution.
916
00:41:41,480 –> 00:41:43,720
The system can tell you what happened in meetings,
917
00:41:43,720 –> 00:41:46,280
who said what and which documents were involved,
918
00:41:46,280 –> 00:41:48,440
but it can’t move the workflow forward reliably.
919
00:41:48,440 –> 00:41:50,840
It becomes a historian, not an operator.
920
00:41:50,840 –> 00:41:52,360
If you have state without memory,
921
00:41:52,360 –> 00:41:56,200
you get deterministic workflow automation with no situational intelligence.
922
00:41:56,200 –> 00:41:58,520
It can progress cases and root approvals,
923
00:41:58,520 –> 00:42:02,440
but it can’t explain why something is blocked or which evidence is missing
924
00:42:02,440 –> 00:42:05,000
because it doesn’t understand the surrounding work rough.
925
00:42:05,000 –> 00:42:07,480
It becomes a ticketing system with better branding.
926
00:42:07,480 –> 00:42:08,840
If you have learning without control,
927
00:42:08,840 –> 00:42:12,520
you get dashboards that describe failure beautifully while nothing changes.
928
00:42:12,520 –> 00:42:14,440
The system knows where entropy lives,
929
00:42:14,440 –> 00:42:17,080
but it can’t enforce corrections, so the drift continues.
930
00:42:17,080 –> 00:42:20,200
And if you try to skip straight to agent features without the stack,
931
00:42:20,200 –> 00:42:21,880
you’ll see the predictable symptoms.
932
00:42:21,880 –> 00:42:24,440
Generic answers repeated loops, policy violations,
933
00:42:24,440 –> 00:42:28,200
and the worst one, high confidence outputs built on low integrity evidence.
934
00:42:28,200 –> 00:42:31,240
So autonomy is alignment, not capability.
935
00:42:31,240 –> 00:42:36,200
That alignment depends on a concept most enterprises refuse to formalize the context boundary.
936
00:42:36,200 –> 00:42:39,000
Every workflow needs an explicit boundary that says,
937
00:42:39,000 –> 00:42:42,200
“This is the evidence we will consider, this is the state we will trust.
938
00:42:42,200 –> 00:42:44,600
These are the tools we will allow, and these are the conditions
939
00:42:44,600 –> 00:42:46,200
where the system must refuse to guess.”
940
00:42:46,200 –> 00:42:49,800
Refusal is not a safety feature you bolt on later.
941
00:42:49,800 –> 00:42:52,760
Refusal is a design requirement for any system that will act,
942
00:42:52,760 –> 00:42:55,560
because probabilistic systems will always produce an answer.
943
00:42:55,560 –> 00:42:57,000
They are optimized to complete.
944
00:42:57,000 –> 00:42:59,000
If you don’t engineer stop conditions,
945
00:42:59,000 –> 00:43:03,080
you’re building a machine that will generate plausible motion even when it’s blind.
946
00:43:03,080 –> 00:43:05,320
So the autonomy stack isn’t a maturity model,
947
00:43:05,320 –> 00:43:07,080
it’s a structural dependency chain.
948
00:43:07,080 –> 00:43:09,560
Graph provides memory, so retrieval has meaning.
949
00:43:09,560 –> 00:43:12,440
Dataverse provides state, so action has continuity.
950
00:43:12,440 –> 00:43:15,560
Fabric provides learning so the system improves instead of drifting.
951
00:43:15,560 –> 00:43:19,560
Copilot provides interaction so humans can steer, approve, and supervise.
952
00:43:19,560 –> 00:43:23,320
Get those four layers aligned and the enterprise stops chasing smarter AI.
953
00:43:23,320 –> 00:43:26,200
It starts building evidence bound decisions at scale,
954
00:43:26,200 –> 00:43:31,000
and that is the only definition of autonomy that survives contact with audit, security,
955
00:43:31,000 –> 00:43:32,280
and reality.
956
00:43:32,280 –> 00:43:35,400
Conceptual flow pattern, event reasoning, orchestration.
957
00:43:35,400 –> 00:43:38,360
Once the autonomy stack is clear, the next question is operational.
958
00:43:38,360 –> 00:43:43,240
What does a context-aware system actually do end to end when work happens?
959
00:43:43,240 –> 00:43:47,800
Not in a demo, in a tenant, underdrift, under load, with imperfect humans.
960
00:43:48,600 –> 00:43:53,000
The cleanest mental model is a three-stage flow you can replay in your head.
961
00:43:53,000 –> 00:43:55,560
Event, reasoning, orchestration.
962
00:43:55,560 –> 00:43:59,640
This is not how Microsoft built it, it’s how you should design it because it forces you to
963
00:43:59,640 –> 00:44:05,400
separate signals from decisions and decisions from actions that separation is where control lives.
964
00:44:05,400 –> 00:44:06,360
Start with event.
965
00:44:06,360 –> 00:44:08,760
An event is a trigger that something changed in the work graph,
966
00:44:08,760 –> 00:44:12,360
an email arrives with a request, a meeting ends and produces a transcript,
967
00:44:12,360 –> 00:44:15,880
a document changes state from draft to approved, a ticket is created,
968
00:44:15,880 –> 00:44:20,920
a customer escalates, a procurement request hits a threshold, a user gets added to a sensitive group.
969
00:44:20,920 –> 00:44:26,200
The specifics don’t matter, the pattern does, events are cheap, enterprises generate infinite events.
970
00:44:26,200 –> 00:44:30,680
The mistake is treating every event as a reason to ask co-pilot.
971
00:44:30,680 –> 00:44:35,720
That turns autonomy into a thousand micro-interruptions and it guarantees noise-driven automation.
972
00:44:35,720 –> 00:44:40,840
So, architecturally, the event stage is where you normalize and filter.
973
00:44:40,840 –> 00:44:42,360
What type of event is this?
974
00:44:42,360 –> 00:44:43,960
What workflow does it belong to?
975
00:44:43,960 –> 00:44:45,800
And what context boundary applies?
976
00:44:45,800 –> 00:44:48,440
If you can’t classify the event, you don’t have autonomy.
977
00:44:48,440 –> 00:44:50,280
You have a chatbot waiting for attention.
978
00:44:50,280 –> 00:44:51,160
Then comes reasoning.
979
00:44:51,160 –> 00:44:53,720
Reasoning is where context becomes eligible evidence.
980
00:44:53,720 –> 00:44:57,320
This is the stage that decides what the system is allowed to consider,
981
00:44:57,320 –> 00:45:00,280
what it should ignore and what it must verify before it acts.
982
00:45:00,280 –> 00:45:02,760
It’s also where most agent failures actually occur,
983
00:45:02,760 –> 00:45:05,880
because people assume reasoning is just the LLM thinking harder.
984
00:45:05,880 –> 00:45:06,360
It isn’t.
985
00:45:06,360 –> 00:45:10,120
Reasoning is a pipeline, retrieve, scope, score and check.
986
00:45:10,120 –> 00:45:13,400
Retrieve means pulling candidate evidence from memory and state.
987
00:45:13,400 –> 00:45:16,600
Graph relationships, relevant documents, recent meetings,
988
00:45:16,600 –> 00:45:20,120
and the dataverse record that tells you where the workflow is right now.
989
00:45:20,120 –> 00:45:22,520
If the system can’t find state, it has to guess.
990
00:45:22,520 –> 00:45:24,200
And you already know how that ends.
991
00:45:24,200 –> 00:45:28,040
Scope means applying the relevance window only sources x and y count for this step
992
00:45:28,040 –> 00:45:32,120
only within time horizon z and only under the identity posture of the requester.
993
00:45:32,120 –> 00:45:35,480
This is where permissions and sensitivity labels stop being compliance
994
00:45:35,480 –> 00:45:37,640
theater and become execution constraints.
995
00:45:37,640 –> 00:45:40,200
Score means ranking evidence by authority and freshness,
996
00:45:40,200 –> 00:45:42,440
not by semantic similarity alone.
997
00:45:42,440 –> 00:45:44,760
Similarity retrieves drafts and duplicates.
998
00:45:44,760 –> 00:45:46,840
Authority retrieves decisions.
999
00:45:46,840 –> 00:45:48,520
That distinction matters.
1000
00:45:48,520 –> 00:45:50,200
Check means policy validation.
1001
00:45:50,200 –> 00:45:51,400
Is this action allowed?
1002
00:45:51,400 –> 00:45:52,920
Does it require approval?
1003
00:45:52,920 –> 00:45:55,080
Is the identity trustworthy right now?
1004
00:45:55,080 –> 00:45:56,440
Is the device compliant?
1005
00:45:56,440 –> 00:45:59,560
Does the data classification allow this tool to see it?
1006
00:45:59,560 –> 00:46:03,640
Does continuous access evaluation revoke access mid-flow?
1007
00:46:03,640 –> 00:46:06,200
Reasoning without policy checks is just fast-gassing.
1008
00:46:06,200 –> 00:46:09,400
And here’s the discipline that makes the entire flow survivable.
1009
00:46:09,400 –> 00:46:11,400
Citations or silence?
1010
00:46:11,400 –> 00:46:15,160
If the reasoning stage can’t produce evidence that meets the relevance window,
1011
00:46:15,160 –> 00:46:18,200
the system doesn’t try anyway, it escalates.
1012
00:46:18,200 –> 00:46:20,680
Or it asks a precise question that closes the gap.
1013
00:46:20,680 –> 00:46:22,520
Refusal conditions aren’t politeness.
1014
00:46:22,520 –> 00:46:25,000
They are the only mechanism that prevents plausible nonsense
1015
00:46:25,000 –> 00:46:26,760
from entering the orchestration stage.
1016
00:46:26,760 –> 00:46:28,760
Now the third stage, orchestration.
1017
00:46:28,760 –> 00:46:31,480
Orchestration is tool invocation and state mutation.
1018
00:46:31,480 –> 00:46:34,760
It’s where the system stops talking and starts changing reality,
1019
00:46:34,760 –> 00:46:37,240
creating a ticket, updating data verse,
1020
00:46:37,240 –> 00:46:39,240
generating a document, sending an email,
1021
00:46:39,240 –> 00:46:43,720
scheduling a meeting, posting to teams, or triggering a downstream flow.
1022
00:46:43,720 –> 00:46:45,160
This stage must be boring.
1023
00:46:45,160 –> 00:46:48,280
If orchestration feels creative, you’ve already lost control.
1024
00:46:48,280 –> 00:46:51,000
Orchestration should be deterministic.
1025
00:46:51,000 –> 00:46:57,000
Given evidence set A, state S, and policy posture P invoke tool T with parameters K,
1026
00:46:57,000 –> 00:47:01,320
then write the result back to operational memory with an audit trail that explains
1027
00:47:01,320 –> 00:47:05,000
what evidence was used, what decision was made, what action was taken,
1028
00:47:05,000 –> 00:47:06,360
and what the next state is?
1029
00:47:06,360 –> 00:47:09,000
This is also where you draw the human boundary.
1030
00:47:09,000 –> 00:47:11,720
Humans stay in the loop for irreversible actions,
1031
00:47:11,720 –> 00:47:14,600
payments, terminations, external sharing, privilege changes,
1032
00:47:14,600 –> 00:47:16,520
regulatory submissions, vendor onboarding,
1033
00:47:16,520 –> 00:47:18,600
and anything that creates a compliance obligation.
1034
00:47:18,600 –> 00:47:21,560
The system can prepare, recommend, and assemble evidence.
1035
00:47:21,560 –> 00:47:22,920
It cannot self-approval.
1036
00:47:22,920 –> 00:47:24,440
Approval is not latency.
1037
00:47:24,440 –> 00:47:26,040
Approval is liability transfer.
1038
00:47:26,040 –> 00:47:28,520
Everything else sits on a tiered autonomy lane.
1039
00:47:28,520 –> 00:47:31,720
Low-risk actions can execute automatically,
1040
00:47:31,720 –> 00:47:34,120
medium-risk actions require confirmation,
1041
00:47:34,120 –> 00:47:37,800
and high-risk actions require a named approver with logged intent.
1042
00:47:37,800 –> 00:47:41,320
And if you want one final rule that ties the whole flow together,
1043
00:47:41,320 –> 00:47:43,720
it’s this, events create opportunity.
1044
00:47:43,720 –> 00:47:45,560
Reasoning creates eligibility.
1045
00:47:45,560 –> 00:47:47,880
Orchestration creates consequences.
1046
00:47:47,880 –> 00:47:51,320
Most organizations skip straight from opportunity to consequences,
1047
00:47:51,320 –> 00:47:55,640
then act surprised when the system behaves like the chaotic tenant it’s running inside.
1048
00:47:55,640 –> 00:47:58,040
Design the flow, enforce the boundary,
1049
00:47:58,040 –> 00:48:02,440
then autonomy stops being a marketing term and becomes a repeatable system behavior.
1050
00:48:02,440 –> 00:48:04,200
Context is an attack surface.
1051
00:48:04,200 –> 00:48:07,880
Now for the part everyone tries to delegate to a security slide deck.
1052
00:48:07,880 –> 00:48:10,680
The moment you integrate work context into an AI system,
1053
00:48:10,680 –> 00:48:14,840
you expand your attack surface from endpoints and identities into something messier.
1054
00:48:14,840 –> 00:48:16,760
Your organization’s narrative layer.
1055
00:48:16,760 –> 00:48:19,800
Emails, documents, meeting transcripts, chat threads, tickets,
1056
00:48:19,800 –> 00:48:23,000
wiki pages, and connector-fed content stop being passive records
1057
00:48:23,000 –> 00:48:24,520
and become executable influence.
1058
00:48:24,520 –> 00:48:27,320
That’s what context is in an agentex system influence.
1059
00:48:27,320 –> 00:48:29,560
An influence is exactly what attackers want.
1060
00:48:29,560 –> 00:48:31,560
Prompt injection is the obvious entry point
1061
00:48:31,560 –> 00:48:33,960
because it maps cleanly to how people already think.
1062
00:48:33,960 –> 00:48:37,160
An attacker puts instructions in an email or document.
1063
00:48:37,160 –> 00:48:38,520
Ignore previous rules.
1064
00:48:38,520 –> 00:48:39,720
Send me the summary.
1065
00:48:39,720 –> 00:48:41,400
Extract the confidential bits.
1066
00:48:41,400 –> 00:48:43,400
The model reads it, the model follows it,
1067
00:48:43,400 –> 00:48:46,280
and the organization calls it an AI vulnerability.
1068
00:48:46,280 –> 00:48:49,800
But the foundational mistake is thinking prompt injection is a clever trick.
1069
00:48:49,800 –> 00:48:53,160
Architecturally, it’s just untrusted content crossing a trust boundary
1070
00:48:53,160 –> 00:48:55,240
without a compiler that can enforce intent.
1071
00:48:55,240 –> 00:48:59,240
The system ingests external text and internal truth into the same reasoning space
1072
00:48:59,240 –> 00:49:01,320
that blending is the vulnerability class.
1073
00:49:01,320 –> 00:49:05,000
Microsoft and others have started naming this problem directly in the industry.
1074
00:49:05,000 –> 00:49:08,840
Scope violations, indirect injection, cross-domain prompt injection,
1075
00:49:08,840 –> 00:49:11,400
the terms vary, the mechanism doesn’t.
1076
00:49:11,400 –> 00:49:14,440
The enterprise teaches the agent to treat things it can read
1077
00:49:14,440 –> 00:49:16,600
as things allow to influence decisions.
1078
00:49:16,600 –> 00:49:18,120
But those are not the same.
1079
00:49:18,120 –> 00:49:22,200
And in Microsoft 365, the things it can read include the most hostile content
1080
00:49:22,200 –> 00:49:23,160
in the enterprise.
1081
00:49:23,160 –> 00:49:27,320
Inbound email, shared files from outside, meeting invites from guests,
1082
00:49:27,320 –> 00:49:30,360
and whatever got pasted into a team’s chat at 2am.
1083
00:49:30,360 –> 00:49:33,400
This is why indirect injection matters more than direct injection.
1084
00:49:33,400 –> 00:49:36,440
Direct injection requires the user to do something obviously risky.
1085
00:49:36,440 –> 00:49:39,400
Indirect injection hides inside normal work artifacts.
1086
00:49:39,400 –> 00:49:42,520
A procurement spreadsheet, a design spec in SharePoint,
1087
00:49:42,520 –> 00:49:45,960
a helpful link in a project email, nobody sees it as an attack
1088
00:49:45,960 –> 00:49:47,080
because it looks like work.
1089
00:49:47,080 –> 00:49:48,840
And agents are built to consume work.
1090
00:49:48,840 –> 00:49:51,960
Then there’s the more enterprise-shaped problem, memory poisoning.
1091
00:49:51,960 –> 00:49:54,920
Once the system starts persisting context, summaries, preferences,
1092
00:49:54,920 –> 00:49:57,960
extracted decisions, cash results, you’ve created long term state
1093
00:49:57,960 –> 00:49:59,320
that can be corrupted.
1094
00:49:59,320 –> 00:50:02,680
One poisoned artifact doesn’t just cause one bad answer.
1095
00:50:02,680 –> 00:50:06,120
It becomes a durable bias that quietly affects future reasoning.
1096
00:50:06,120 –> 00:50:08,920
That’s not a one-off incident that’s drift you didn’t authorize.
1097
00:50:08,920 –> 00:50:11,640
The scary part is that poisoning doesn’t need high sophistication.
1098
00:50:11,640 –> 00:50:12,680
It needs persistence.
1099
00:50:12,680 –> 00:50:16,440
If the system stores, this vendor is trusted because it saw that phrase
1100
00:50:16,440 –> 00:50:20,680
in a manipulated email thread, you now have a policy exception embedded in machine memory,
1101
00:50:20,680 –> 00:50:22,440
an entropy generator with a timestamp.
1102
00:50:22,440 –> 00:50:24,600
And because the output still sounds reasonable,
1103
00:50:24,600 –> 00:50:26,600
the human supervisor may never notice.
1104
00:50:26,600 –> 00:50:30,920
They just experience the system as oddly confident about certain decisions.
1105
00:50:30,920 –> 00:50:35,240
Now at the enterprise reality, context sources mix trust levels constantly.
1106
00:50:35,240 –> 00:50:38,120
A single co-pilot response might blend internal policy,
1107
00:50:38,120 –> 00:50:41,160
a meeting transcript, a forwarded email from outside,
1108
00:50:41,160 –> 00:50:43,640
and a web result if web grounding is enabled.
1109
00:50:43,640 –> 00:50:46,200
If the system doesn’t enforce provenance boundaries,
1110
00:50:46,200 –> 00:50:48,840
trusted versus untrusted internal versus external,
1111
00:50:48,840 –> 00:50:50,760
authoritative versus advisory,
1112
00:50:50,760 –> 00:50:54,280
then it will happily treat a hostile artifact as equal weight evidence.
1113
00:50:54,280 –> 00:50:56,760
That is the zero-click conceptual thread,
1114
00:50:56,760 –> 00:50:59,000
not necessarily that the user clicked nothing,
1115
00:50:59,000 –> 00:51:03,400
but that the user didn’t consent to importing hostile instructions into the reasoning space.
1116
00:51:03,400 –> 00:51:06,520
The act of retrieval itself becomes the exploitation path.
1117
00:51:06,520 –> 00:51:07,480
An email arrives.
1118
00:51:07,480 –> 00:51:08,920
It becomes retrievable.
1119
00:51:08,920 –> 00:51:11,320
Later, the user asks an unrelated question.
1120
00:51:11,320 –> 00:51:13,640
Retrieval pulls the email because it matches.
1121
00:51:13,640 –> 00:51:17,640
The payload activates because the model can’t distinguish content to summarize
1122
00:51:17,640 –> 00:51:19,320
from instructions to obey.
1123
00:51:19,320 –> 00:51:22,840
That’s how a normal tenant becomes an adversarial environment by default.
1124
00:51:22,840 –> 00:51:25,560
And notice what this does to your earlier autonomy flow.
1125
00:51:25,560 –> 00:51:26,760
Event happens.
1126
00:51:26,760 –> 00:51:27,960
Reasoning retrieves.
1127
00:51:27,960 –> 00:51:29,400
Orchestration acts.
1128
00:51:29,400 –> 00:51:31,240
Attacters don’t need to break encryption.
1129
00:51:31,240 –> 00:51:32,440
They need to shape retrieval.
1130
00:51:32,440 –> 00:51:34,680
So the defensive principle becomes blunt.
1131
00:51:34,680 –> 00:51:38,280
Treat every context source as hostile until proven otherwise.
1132
00:51:38,280 –> 00:51:39,800
Not external sources.
1133
00:51:39,800 –> 00:51:40,920
Every source.
1134
00:51:40,920 –> 00:51:43,800
Because internal sources are hostile too, just accidentally.
1135
00:51:43,800 –> 00:51:46,760
Outdated procedures, copied policies, contradictory decks,
1136
00:51:46,760 –> 00:51:48,120
orphaned sharepoint sites,
1137
00:51:48,120 –> 00:51:50,280
and meeting transcripts full of speculation.
1138
00:51:50,280 –> 00:51:52,040
Hostile doesn’t only mean malicious.
1139
00:51:52,040 –> 00:51:54,760
It means unfit to drive decisions without validation.
1140
00:51:54,760 –> 00:51:59,400
This is where security and architecture finally stop pretending they’re separate disciplines.
1141
00:51:59,400 –> 00:52:03,000
Context integration expands the blast radius of permission mistakes,
1142
00:52:03,000 –> 00:52:05,640
content hygiene failures, and governance drift.
1143
00:52:05,640 –> 00:52:08,120
And it does it with the worst possible UX.
1144
00:52:08,120 –> 00:52:10,120
Fluent answers that look like competence.
1145
00:52:10,120 –> 00:52:14,680
So if your autonomy strategy doesn’t include provenance, isolation, and refusal conditions,
1146
00:52:14,680 –> 00:52:16,200
it isn’t an autonomy strategy.
1147
00:52:16,200 –> 00:52:19,800
It’s a high-speed social engineering surface that happens to run inside your tenant.
1148
00:52:20,520 –> 00:52:22,200
Guardrails that actually hold.
1149
00:52:22,200 –> 00:52:23,160
Least privilege.
1150
00:52:23,160 –> 00:52:23,960
CAE.
1151
00:52:23,960 –> 00:52:24,840
Provenance.
1152
00:52:24,840 –> 00:52:26,600
So if context is an attack surface,
1153
00:52:26,600 –> 00:52:28,600
guardrails can’t be guidance.
1154
00:52:28,600 –> 00:52:29,800
They have to be mechanics.
1155
00:52:29,800 –> 00:52:33,480
Things the system enforces even when users are tired, rushed, or curious.
1156
00:52:33,480 –> 00:52:36,520
And even when an attacker is deliberately shaping the narrative layer
1157
00:52:36,520 –> 00:52:37,960
to get the agent to misbehave.
1158
00:52:37,960 –> 00:52:41,480
Three guardrails actually hold in Microsoft 365,
1159
00:52:41,480 –> 00:52:45,000
because their structural least-privileged continuous-access evaluation and provenance.
1160
00:52:45,000 –> 00:52:47,160
Least privilege is not a compliance slogan.
1161
00:52:47,160 –> 00:52:49,960
It’s the only way to keep autonomy from turning small mistakes
1162
00:52:49,960 –> 00:52:51,640
into tenant-wide incidents.
1163
00:52:51,640 –> 00:52:54,120
The common enterprise failure is granting broad access
1164
00:52:54,120 –> 00:52:55,720
because it’s operationally convenient.
1165
00:52:55,720 –> 00:52:57,080
Files.
1166
00:52:57,080 –> 00:52:57,800
Read all.
1167
00:52:57,800 –> 00:52:58,200
Sites.
1168
00:52:58,200 –> 00:52:58,840
Read all.
1169
00:52:58,840 –> 00:53:00,200
Wide SharePoint membership.
1170
00:53:00,200 –> 00:53:04,280
Or that classic move where one security group becomes the default audience for everything,
1171
00:53:04,280 –> 00:53:06,040
because nobody wants to manage boundaries.
1172
00:53:06,040 –> 00:53:07,080
And then copilot arrives.
1173
00:53:07,080 –> 00:53:07,960
Then agents arrive.
1174
00:53:07,960 –> 00:53:10,120
And suddenly broad access isn’t just broad access.
1175
00:53:10,120 –> 00:53:12,600
It’s broad retrieval plus synthesis plus action.
1176
00:53:12,600 –> 00:53:13,640
That’s the difference.
1177
00:53:13,640 –> 00:53:16,520
When an agent can read widely, it can also act widely,
1178
00:53:16,520 –> 00:53:19,320
because tool invocation chains across whatever it can see.
1179
00:53:19,320 –> 00:53:22,360
So least privilege has two benefits at the same time.
1180
00:53:22,360 –> 00:53:25,080
It shrinks blast radius and it improves relevance.
1181
00:53:25,080 –> 00:53:28,680
Fewer eligible artifacts means less noise for retrieval,
1182
00:53:28,680 –> 00:53:30,440
less accidental contradiction,
1183
00:53:30,440 –> 00:53:34,360
and fewer opportunities for an injected document to get pulled into the reasoning space.
1184
00:53:34,360 –> 00:53:37,400
But least privilege also has a second requirement that people avoid.
1185
00:53:37,400 –> 00:53:38,920
You need explicit toolgating.
1186
00:53:38,920 –> 00:53:41,560
It’s not enough to say the agent has read only access.
1187
00:53:41,560 –> 00:53:44,680
If the agent can call a connector that can send mail,
1188
00:53:44,680 –> 00:53:48,040
create sharing links, update dataverse or open tickets,
1189
00:53:48,040 –> 00:53:51,240
then read access becomes right impact through in direction.
1190
00:53:51,240 –> 00:53:52,760
So the design law is simple.
1191
00:53:52,760 –> 00:53:56,440
Separate read scopes from action scopes and keep action scopes narrow,
1192
00:53:56,440 –> 00:53:58,120
time bound and workflow specific.
1193
00:53:58,120 –> 00:54:00,440
That’s where entry becomes more than sign in.
1194
00:54:00,440 –> 00:54:04,520
It’s where identity starts behaving like a control plane for agentic systems.
1195
00:54:04,520 –> 00:54:07,880
Scoped permissions, conditional access and lifecycle governance
1196
00:54:07,880 –> 00:54:10,680
for the non-human identities you’re about to create.
1197
00:54:10,680 –> 00:54:13,880
Service principles, managed identities, agent identities,
1198
00:54:13,880 –> 00:54:15,880
whatever your architecture calls them.
1199
00:54:15,880 –> 00:54:19,320
Then comes continuous access evaluation and this is the one most architects under use
1200
00:54:19,320 –> 00:54:21,160
because it sounds like an orth detail.
1201
00:54:21,160 –> 00:54:23,400
CIE is operational hygiene for autonomy.
1202
00:54:23,400 –> 00:54:27,160
In a static system you can tolerate the gap between access was valid
1203
00:54:27,160 –> 00:54:29,320
and access should no longer be valid.
1204
00:54:29,320 –> 00:54:32,680
In an agentic system that gap becomes an exploitation window.
1205
00:54:32,680 –> 00:54:35,480
If a user gets disabled, if a session is marked risky,
1206
00:54:35,480 –> 00:54:37,720
if a conditional access policy changes,
1207
00:54:37,720 –> 00:54:41,320
or if device compliance fails, you need access to collapse immediately,
1208
00:54:41,320 –> 00:54:42,680
not a token expiry.
1209
00:54:42,680 –> 00:54:43,880
That’s what CIE is doing.
1210
00:54:43,880 –> 00:54:46,440
It turns revocation into a runtime control
1211
00:54:46,440 –> 00:54:49,160
and it changes the architecture of your agent execution.
1212
00:54:49,160 –> 00:54:51,640
Your agent has to handle claims challenges.
1213
00:54:51,640 –> 00:54:54,840
It has to expect that a long running task can lose authority mid-flight.
1214
00:54:54,840 –> 00:54:56,920
It has to fail closed, not fail forward,
1215
00:54:56,920 –> 00:54:59,400
no caching because it worked five minutes ago.
1216
00:54:59,400 –> 00:55:02,440
No background retreats that keep pushing until the platform relents.
1217
00:55:02,440 –> 00:55:03,960
If the identity posture changes,
1218
00:55:03,960 –> 00:55:06,440
the agent stops, records state and escalates
1219
00:55:06,440 –> 00:55:10,200
because autonomy without real-time revocation is just deferred breach response.
1220
00:55:10,200 –> 00:55:11,000
Now provenance.
1221
00:55:11,000 –> 00:55:13,560
Provenance is the guardrail that makes audits possible
1222
00:55:13,560 –> 00:55:16,280
and makes incident response not feel like archaeology.
1223
00:55:16,280 –> 00:55:19,880
Provenance means the system can show what sources influence the output,
1224
00:55:19,880 –> 00:55:22,200
which ones were authoritative versus advisory,
1225
00:55:22,200 –> 00:55:23,880
what was retrieved but rejected,
1226
00:55:23,880 –> 00:55:26,680
and which policy checks allowed the action to proceed.
1227
00:55:26,680 –> 00:55:29,560
Not a poetic summary of, I looked at several documents,
1228
00:55:29,560 –> 00:55:30,440
an evidence trail.
1229
00:55:30,440 –> 00:55:33,320
This is how citations or silence evolves
1230
00:55:33,320 –> 00:55:36,040
from an answer quality tactic into a governance control.
1231
00:55:36,040 –> 00:55:37,720
If the system can’t name its sources,
1232
00:55:37,720 –> 00:55:39,000
it can’t be trusted to act.
1233
00:55:39,000 –> 00:55:41,640
If it can name its sources but can’t classify them,
1234
00:55:41,640 –> 00:55:44,760
internal versus external labeled versus unlabelled,
1235
00:55:44,760 –> 00:55:46,360
current versus stale,
1236
00:55:46,360 –> 00:55:50,280
then you still can’t trust it because you can’t tell whether it respected the boundary.
1237
00:55:50,280 –> 00:55:55,480
Provenance also enables something leadership always asks for and rarely funds.
1238
00:55:55,480 –> 00:55:56,360
Rollback.
1239
00:55:56,360 –> 00:55:59,240
If an agent took an action chain based on poisoned context,
1240
00:55:59,240 –> 00:56:00,920
you need to know which records it touched,
1241
00:56:00,920 –> 00:56:03,640
which tools it invoked and which evidence it relied on
1242
00:56:03,640 –> 00:56:06,360
so you can unwind the change and quarantine the source.
1243
00:56:06,360 –> 00:56:07,640
That’s not nice to have that.
1244
00:56:07,640 –> 00:56:12,280
That’s the minimum requirement for letting a probabilistic system mutate enterprise state,
1245
00:56:12,280 –> 00:56:14,600
so the combined Godrail model is blunt.
1246
00:56:14,600 –> 00:56:17,720
Least privilege defines what the system is allowed to see and do.
1247
00:56:17,720 –> 00:56:20,600
CIE defines when that permission evaporates in real time.
1248
00:56:20,600 –> 00:56:22,360
Provenance proves what actually happened
1249
00:56:22,360 –> 00:56:24,520
so you can govern drift and recover from failure.
1250
00:56:24,520 –> 00:56:26,200
Everything else is suggestion
1251
00:56:26,200 –> 00:56:29,400
and suggestion is how context attacks become headlines.
1252
00:56:29,400 –> 00:56:31,640
Drift.
1253
00:56:31,640 –> 00:56:33,400
The slow decay of intent.
1254
00:56:33,400 –> 00:56:36,200
Drift is the part of enterprise AI that nobody demos
1255
00:56:36,200 –> 00:56:37,480
because it doesn’t fail loudly.
1256
00:56:37,480 –> 00:56:38,520
It fails politely.
1257
00:56:38,520 –> 00:56:40,200
Week by week, decision by decision,
1258
00:56:40,200 –> 00:56:43,800
until the output still sounds competent but no longer matches intent.
1259
00:56:43,800 –> 00:56:47,000
That distinction matters because drift isn’t the model getting worse.
1260
00:56:47,000 –> 00:56:48,840
Drift is the system environment moving
1261
00:56:48,840 –> 00:56:50,760
while your assumptions stay frozen.
1262
00:56:50,760 –> 00:56:53,720
And in Microsoft 365, the environment moves constantly.
1263
00:56:53,720 –> 00:56:56,440
Teams reorganize, owners change, sites sprawl,
1264
00:56:56,440 –> 00:56:59,640
labels get applied inconsistently, policies get rewritten,
1265
00:56:59,640 –> 00:57:02,440
and the people who knew why a control existed leave.
1266
00:57:02,440 –> 00:57:03,720
The tenant keeps working.
1267
00:57:03,720 –> 00:57:05,160
The governance story doesn’t.
1268
00:57:05,160 –> 00:57:07,880
This is why it worked in the pilot is meaningless.
1269
00:57:07,880 –> 00:57:11,240
Pilots run on handheld context, curated sites,
1270
00:57:11,240 –> 00:57:13,640
known participants, clean permissions,
1271
00:57:13,640 –> 00:57:15,880
and a small slice of organizational reality.
1272
00:57:15,880 –> 00:57:17,320
Production runs on entropy.
1273
00:57:17,320 –> 00:57:20,520
Production is where every undocumented exception shows up
1274
00:57:20,520 –> 00:57:23,160
and where every temporary workaround becomes permanent.
1275
00:57:23,160 –> 00:57:24,840
Drift comes in multiple flavors
1276
00:57:24,840 –> 00:57:26,520
and the dangerous part is that they compound.
1277
00:57:26,520 –> 00:57:28,680
Context drift is the obvious one.
1278
00:57:28,680 –> 00:57:30,920
The sources the system retrieves become stale,
1279
00:57:30,920 –> 00:57:32,600
duplicated or contradictory.
1280
00:57:32,600 –> 00:57:33,800
The procedure got updated
1281
00:57:33,800 –> 00:57:35,720
but the old version still ranks higher
1282
00:57:35,720 –> 00:57:37,320
because it has more engagement.
1283
00:57:37,320 –> 00:57:39,320
The final deck is buried under three drafts
1284
00:57:39,320 –> 00:57:41,000
that got shared more widely.
1285
00:57:41,000 –> 00:57:42,440
The decision happened in a meeting,
1286
00:57:42,440 –> 00:57:44,920
but the meeting artifact got stored somewhere random,
1287
00:57:44,920 –> 00:57:47,960
so the system reconstructs it from email fragments.
1288
00:57:47,960 –> 00:57:49,320
Policy drift is subtler.
1289
00:57:49,320 –> 00:57:50,920
Conditional access evolves.
1290
00:57:50,920 –> 00:57:53,400
Data loss prevention rules get exceptions.
1291
00:57:53,400 –> 00:57:55,400
External sharing gets loosened for a project
1292
00:57:55,400 –> 00:57:56,680
then never tightened.
1293
00:57:56,680 –> 00:57:58,520
Sensitivity labels get introduced,
1294
00:57:58,520 –> 00:58:00,520
then half the organization ignores them
1295
00:58:00,520 –> 00:58:02,760
because nobody enforced defaults.
1296
00:58:02,760 –> 00:58:05,320
Eventually the same question asked by two users
1297
00:58:05,320 –> 00:58:06,520
yields different results
1298
00:58:06,520 –> 00:58:08,920
because the policy substrate is no longer coherent,
1299
00:58:08,920 –> 00:58:11,400
naming drift sounds petty until it breaks retrieval.
1300
00:58:11,400 –> 00:58:13,880
Teams rename projects, channels get repurposed,
1301
00:58:13,880 –> 00:58:15,320
acronyms change.
1302
00:58:15,320 –> 00:58:17,000
Incident becomes major incident,
1303
00:58:17,000 –> 00:58:18,440
becomes service interruption
1304
00:58:18,440 –> 00:58:20,680
because someone wanted better optics.
1305
00:58:20,680 –> 00:58:23,720
Retrieval and relevance windows depend on stable vocabulary
1306
00:58:23,720 –> 00:58:26,680
but enterprises treat vocabulary like personal expression.
1307
00:58:26,680 –> 00:58:28,920
Ownership drift is the one that kills governance.
1308
00:58:28,920 –> 00:58:32,200
Sites have owners in theory and abandoned permissions in reality.
1309
00:58:32,200 –> 00:58:35,720
Dataverse tables exist but no one owns the state model as a contract.
1310
00:58:35,720 –> 00:58:38,520
Fabric reports exist but no one owns the feedback loop
1311
00:58:38,520 –> 00:58:40,520
that turns analytics into policy changes.
1312
00:58:40,520 –> 00:58:42,680
So the system accumulates intelligence
1313
00:58:42,680 –> 00:58:44,680
but nobody has authority to act on it.
1314
00:58:44,680 –> 00:58:47,400
This is why output checking doesn’t work as a drift strategy.
1315
00:58:47,400 –> 00:58:50,360
Enterprises keep trying to govern by sampling outputs,
1316
00:58:50,360 –> 00:58:52,360
review a few copilot responses,
1317
00:58:52,360 –> 00:58:53,880
spot check a few agent runs,
1318
00:58:53,880 –> 00:58:56,200
and declare it acceptable.
1319
00:58:56,200 –> 00:58:57,640
That’s governance theatre.
1320
00:58:57,640 –> 00:58:59,800
Drift doesn’t show up consistently in outputs.
1321
00:58:59,800 –> 00:59:02,360
It shows up in behavior, what the system retrieved,
1322
00:59:02,360 –> 00:59:04,840
what it ignored, what it attempted to do,
1323
00:59:04,840 –> 00:59:06,120
how often it escalated,
1324
00:59:06,120 –> 00:59:08,680
how often it retried and where it wrote it work.
1325
00:59:08,680 –> 00:59:11,240
Behavioral evaluation is the only thing that scales.
1326
00:59:11,240 –> 00:59:14,520
You measure the system like you would measure a distributed service.
1327
00:59:14,520 –> 00:59:16,680
Exception rates, time to resolution,
1328
00:59:16,680 –> 00:59:19,240
escalation frequency, evidence coverage,
1329
00:59:19,240 –> 00:59:22,040
tool invocation patterns and permission faults.
1330
00:59:22,040 –> 00:59:26,920
Not did it sound right but did it act within the context boundary we designed.
1331
00:59:26,920 –> 00:59:28,600
Now the uncomfortable truth.
1332
00:59:28,600 –> 00:59:33,160
Drift accelerates when you treat prompts, policies and connectors as informal artifacts.
1333
00:59:33,160 –> 00:59:35,320
If you don’t version them you can’t control change.
1334
00:59:35,320 –> 00:59:37,240
If you can’t control change you can’t roll back.
1335
00:59:37,240 –> 00:59:40,360
And if you can’t roll back every improvement becomes a one-way door.
1336
00:59:40,360 –> 00:59:42,840
So versioning becomes a first class capability.
1337
00:59:42,840 –> 00:59:45,720
Prompts, grounding rules, relevance windows,
1338
00:59:45,720 –> 00:59:49,560
connector configurations and orchestration policies need explicit versions
1339
00:59:49,560 –> 00:59:52,680
with owners, with change logs, and with roll back parts.
1340
00:59:52,680 –> 00:59:54,040
Not because it’s elegant.
1341
00:59:54,040 –> 00:59:57,960
Because the alternative is debugging a living system with no memory of who changed what.
1342
00:59:57,960 –> 01:00:02,200
This is also where audit stops being a compliance exercise and becomes a drift detector.
1343
01:00:02,200 –> 01:00:07,320
If you can trace which sources influence decisions over time you can see when the system starts
1344
01:00:07,320 –> 01:00:08,520
leaning on different evidence.
1345
01:00:08,520 –> 01:00:13,400
If you can trace which identities access which context you can see when permissions drift
1346
01:00:13,400 –> 01:00:14,680
expands eligibility.
1347
01:00:14,680 –> 01:00:20,040
If you can trace which workflows generate the most exceptions you can see where state models no longer
1348
01:00:20,040 –> 01:00:21,000
match reality.
1349
01:00:21,000 –> 01:00:23,560
And once you can see drift you can govern it.
1350
01:00:23,560 –> 01:00:27,720
Not by freezing the system but by accepting that autonomy is entropy management.
1351
01:00:27,720 –> 01:00:30,200
You don’t eliminate drift, you detect it early,
1352
01:00:30,200 –> 01:00:33,160
constrain its blast radius and correct it with control changes.
1353
01:00:33,160 –> 01:00:36,840
Because in an autonomous enterprise the most dangerous system is not the one that fails.
1354
01:00:36,840 –> 01:00:40,120
It’s the one that keeps working while it slowly stops obeying you.
1355
01:00:40,120 –> 01:00:41,240
Context governance.
1356
01:00:41,240 –> 01:00:43,320
Turning trust into an operating model.
1357
01:00:43,320 –> 01:00:44,360
Drift is inevitable.
1358
01:00:44,360 –> 01:00:45,240
That’s not pessimism.
1359
01:00:45,240 –> 01:00:49,960
That’s how tenants behave once they scale past a few discipline teams and a few passionate owners.
1360
01:00:49,960 –> 01:00:52,600
So the only serious question is whether the organization governs
1361
01:00:52,600 –> 01:00:56,120
context like an operating model or whether it governs it like a project.
1362
01:00:56,120 –> 01:00:59,800
A burst of effort, a set of slides and a slow slide back into entropy.
1363
01:00:59,800 –> 01:01:03,960
Context governance is not a committee that reviews AI outputs.
1364
01:01:03,960 –> 01:01:08,920
It is the set of enforcement mechanisms that keep your context substrate trustworthy over time.
1365
01:01:08,920 –> 01:01:10,360
Freshness.
1366
01:01:10,360 –> 01:01:12,280
Permission correctness.
1367
01:01:12,280 –> 01:01:13,720
Providence.
1368
01:01:13,720 –> 01:01:15,160
Drift detection.
1369
01:01:15,160 –> 01:01:16,520
And escalation.
1370
01:01:16,520 –> 01:01:22,280
When the system encounters ambiguity it is not allowed to solve with creativity.
1371
01:01:23,240 –> 01:01:26,360
The first move is to stop treating context as a single thing.
1372
01:01:26,360 –> 01:01:29,480
Governance has to map to the same layer boundaries you’re building.
1373
01:01:29,480 –> 01:01:33,960
If you can’t name the owners of memory state learning and interaction you don’t have governance.
1374
01:01:33,960 –> 01:01:35,800
You have vibes plus an admin portal.
1375
01:01:35,800 –> 01:01:37,800
So governance starts with ownership.
1376
01:01:37,800 –> 01:01:41,000
Graph memory needs an owner model that is accountable for.
1377
01:01:41,000 –> 01:01:46,200
Content container hygiene, life cycle policies and what authoritative means in each domain.
1378
01:01:46,200 –> 01:01:47,240
Not at a global level.
1379
01:01:47,240 –> 01:01:50,200
At the workflow level who owns the incident knowledge base,
1380
01:01:50,200 –> 01:01:52,120
who owns the procurement procedure library,
1381
01:01:52,120 –> 01:01:54,040
who owns the HR policy corpus.
1382
01:01:54,040 –> 01:01:57,000
If the answer is everyone then the system is onerless.
1383
01:01:57,000 –> 01:01:58,120
That means it will rot.
1384
01:01:58,120 –> 01:02:01,400
Dataverse state needs a product owner because state is a contract.
1385
01:02:01,400 –> 01:02:04,600
Somebody has to own the entity model, the status transitions,
1386
01:02:04,600 –> 01:02:07,240
the refusal conditions and the approval gates.
1387
01:02:07,240 –> 01:02:13,000
If the state machine can change without review you’ve just created a silent bypass for autonomy.
1388
01:02:13,000 –> 01:02:16,440
Fabric learning needs an owner that is responsible for closing loops.
1389
01:02:16,440 –> 01:02:19,000
Turning analytics into updated relevance windows,
1390
01:02:19,000 –> 01:02:21,000
rooting rules and exception handling.
1391
01:02:21,000 –> 01:02:23,640
If fabric only produces dashboards, it’s not a learning layer,
1392
01:02:23,640 –> 01:02:27,960
it’s a reporting cost and co-pilot interaction needs an owner who is responsible
1393
01:02:27,960 –> 01:02:29,240
for the human boundary.
1394
01:02:29,240 –> 01:02:31,240
What the system can do automatically.
1395
01:02:31,240 –> 01:02:34,200
What requires confirmation, what requires approval,
1396
01:02:34,200 –> 01:02:35,880
and what must be blocked by design.
1397
01:02:35,880 –> 01:02:41,000
This is where AI policy becomes real because it becomes enforceable behaviors,
1398
01:02:41,000 –> 01:02:42,040
not training posters.
1399
01:02:42,040 –> 01:02:45,480
Now, once ownership exists governance becomes a set of lanes.
1400
01:02:45,480 –> 01:02:48,840
You define tiered autonomy lanes that match risk, not ambition.
1401
01:02:48,840 –> 01:02:53,000
A low-risk lane is where the system can draft, summarize, classify and root.
1402
01:02:53,000 –> 01:02:55,720
With auditable logs and no irreversible actions,
1403
01:02:55,720 –> 01:02:59,400
a medium-risk lane is where the system can execute bounded actions,
1404
01:02:59,400 –> 01:03:01,640
create tickets, update-known fields,
1405
01:03:01,640 –> 01:03:05,720
notify stakeholders under explicit scoping and rollback capability.
1406
01:03:05,720 –> 01:03:08,680
A high-risk lane is where the system can only recommend,
1407
01:03:08,680 –> 01:03:11,880
assemble evidence and escalate to a named approver.
1408
01:03:11,880 –> 01:03:15,640
This matters because autonomous enterprise does not mean everything automated.
1409
01:03:15,640 –> 01:03:17,720
It means automation is proportional to liability.
1410
01:03:17,720 –> 01:03:20,920
Then you define evidence standards because trust isn’t a feeling.
1411
01:03:20,920 –> 01:03:21,960
It’s a rule set.
1412
01:03:21,960 –> 01:03:25,480
For certain workflows, the system must side sources or abstain.
1413
01:03:25,480 –> 01:03:29,240
For others, it can act on state alone because the state is the source of truth.
1414
01:03:29,240 –> 01:03:34,040
For still others, it can only proceed if evidence is both authoritative and fresh.
1415
01:03:34,040 –> 01:03:36,920
Reviewed within a declared window, labeled correctly,
1416
01:03:36,920 –> 01:03:38,920
and retrieved from the governed container.
1417
01:03:38,920 –> 01:03:42,440
And you make that standard explicit when the system cannot meet the standard,
1418
01:03:42,440 –> 01:03:46,680
it refuses and escalates, not because it’s safe, because it is controlled.
1419
01:03:46,680 –> 01:03:49,400
The next piece is drift detection as a continuous control.
1420
01:03:49,400 –> 01:03:54,040
You don’t wait for a quarterly review to discover that permissions sprawl expanded eligibility
1421
01:03:54,040 –> 01:03:58,680
or that your relevance window quietly widened because new content sources appeared.
1422
01:03:58,680 –> 01:04:03,000
You instrument it, permission fault rates, exception rates, escalation frequency,
1423
01:04:03,000 –> 01:04:04,840
evidence coverage and provenance gaps.
1424
01:04:04,840 –> 01:04:06,360
Those aren’t AI metrics.
1425
01:04:06,360 –> 01:04:08,120
Those are context integrity metrics.
1426
01:04:08,120 –> 01:04:10,520
And the final piece is the escalation model,
1427
01:04:10,520 –> 01:04:13,960
because governance without escalation is just documentation.
1428
01:04:13,960 –> 01:04:18,600
Escalation needs named paths, who gets notified when a workflow hits missing evidence,
1429
01:04:18,600 –> 01:04:22,280
conflicting evidence or policy violations, and escalation needs time.
1430
01:04:22,280 –> 01:04:26,680
If nobody responds, the system must either pause safely or root to an alternate approver.
1431
01:04:26,680 –> 01:04:31,880
Otherwise, the agent becomes a nagging bot and humans root around it and governance collapses.
1432
01:04:31,880 –> 01:04:36,200
This is the operating model, clear ownership, tiered lanes, explicit evidence standards,
1433
01:04:36,200 –> 01:04:39,400
continuous drift detection and enforced escalation.
1434
01:04:39,400 –> 01:04:42,600
And once you have that, trust stops being an argument about whether
1435
01:04:42,600 –> 01:04:45,880
co-pilot is good, trust becomes a property of the architecture,
1436
01:04:45,880 –> 01:04:49,160
which is the only kind of trust an enterprise can defend in an audit.
1437
01:04:49,160 –> 01:04:54,520
Case study, industrial manufacturing, reframed as context redesign,
1438
01:04:54,520 –> 01:04:58,760
take a global industrial manufacturing organization with a familiar symptom,
1439
01:04:58,760 –> 01:05:01,560
average issue resolution sat at 72 hours.
1440
01:05:01,560 –> 01:05:05,480
Not because the engineers were slow, because the enterprise ran the workflow
1441
01:05:05,480 –> 01:05:08,360
through human memory, email archaeology and team’s thread roulette,
1442
01:05:08,360 –> 01:05:11,960
a line went down, someone opened a ticket, then the real work started.
1443
01:05:12,440 –> 01:05:14,680
Who owns this system? What changed?
1444
01:05:14,680 –> 01:05:17,160
What was the last approved configuration?
1445
01:05:17,160 –> 01:05:19,240
Which vendor is on the hook?
1446
01:05:19,240 –> 01:05:21,240
What did we decide the last time this happened?
1447
01:05:21,240 –> 01:05:22,520
None of that lived in one place.
1448
01:05:22,520 –> 01:05:25,000
It lived in people, in inboxes, in a spreadsheet,
1449
01:05:25,000 –> 01:05:26,600
someone trusted until they retired.
1450
01:05:26,600 –> 01:05:30,440
Leadership saw this and concluded they needed AI for faster troubleshooting.
1451
01:05:30,440 –> 01:05:31,160
And they were wrong.
1452
01:05:31,160 –> 01:05:32,840
They needed context architecture,
1453
01:05:32,840 –> 01:05:34,920
so troubleshooting had a substrate to stand on.
1454
01:05:34,920 –> 01:05:37,560
The intervention wasn’t framed as deploy co-pilot.
1455
01:05:37,560 –> 01:05:40,440
It was framed as unify identity context,
1456
01:05:40,440 –> 01:05:42,360
engineer organizational memory,
1457
01:05:42,360 –> 01:05:44,840
track operational state, then add a learning loop.
1458
01:05:44,840 –> 01:05:47,560
Only after that do you add an interaction surface.
1459
01:05:47,560 –> 01:05:49,320
Start with identity and memory.
1460
01:05:49,320 –> 01:05:50,680
Entra plus graph.
1461
01:05:50,680 –> 01:05:54,680
The organization didn’t have a single reliable mapping between a production line incident
1462
01:05:54,680 –> 01:05:57,240
and the humans, systems, documents,
1463
01:05:57,240 –> 01:05:58,760
and prior decisions that mattered.
1464
01:05:58,760 –> 01:06:01,240
Graph already contained signals.
1465
01:06:01,240 –> 01:06:04,360
Maintenance meetings, shift hand-over notes, files,
1466
01:06:04,360 –> 01:06:06,040
work orders attached to emails,
1467
01:06:06,040 –> 01:06:09,800
recurring team’s chats and the real social structure of who asks who,
1468
01:06:09,800 –> 01:06:11,080
when the line is down.
1469
01:06:11,080 –> 01:06:13,720
But those signals were not being treated as an engineered asset.
1470
01:06:13,720 –> 01:06:17,000
So the first redesign move was to collapse the scattered work artifacts
1471
01:06:17,000 –> 01:06:19,480
into governed containers with stable ownership
1472
01:06:19,480 –> 01:06:23,000
and then let graph reflect reality with fewer broken edges,
1473
01:06:23,000 –> 01:06:26,600
fewer orphaned sites, fewer everyone has access groups,
1474
01:06:26,600 –> 01:06:30,120
fewer random shares that made retrieval noisy and dangerous.
1475
01:06:30,120 –> 01:06:32,120
Then they treated permissions like a compiler.
1476
01:06:32,120 –> 01:06:35,640
They ran permission trimming specifically for the incident response domain,
1477
01:06:35,640 –> 01:06:39,320
reduce overshared libraries, fix inheritance where it had drifted,
1478
01:06:39,320 –> 01:06:43,320
and eliminate the classic pattern where a broad operational group had read access
1479
01:06:43,320 –> 01:06:45,240
to everything just in case.
1480
01:06:45,240 –> 01:06:49,000
That single decision did two things at once.
1481
01:06:49,000 –> 01:06:52,200
Reduced AI oversharing risk and improved groundedness
1482
01:06:52,200 –> 01:06:53,800
by reducing eligible noise.
1483
01:06:53,800 –> 01:06:55,560
Next operational state in Dytiverse.
1484
01:06:55,560 –> 01:06:59,240
Before Dytiverse, state lived in a ticketing system plus human coordination.
1485
01:06:59,240 –> 01:07:01,000
The ticket told you a status.
1486
01:07:01,000 –> 01:07:02,600
It didn’t tell you the real truth,
1487
01:07:02,600 –> 01:07:05,080
which approvals were granted, which exception was active,
1488
01:07:05,080 –> 01:07:06,840
which vendor response was pending,
1489
01:07:06,840 –> 01:07:10,120
which workaround was authorized and who was accountable right now.
1490
01:07:10,120 –> 01:07:12,040
So they built a simple state contract,
1491
01:07:12,040 –> 01:07:13,560
not a giant transformation program.
1492
01:07:13,560 –> 01:07:16,760
A state model with the minimum entities required to stop the loop.
1493
01:07:16,760 –> 01:07:19,720
Incident, impacted asset, owner, current step,
1494
01:07:19,720 –> 01:07:22,440
SLA approval gates, exceptions, and escalation path.
1495
01:07:22,440 –> 01:07:24,840
Now the workflow could be replayed deterministically,
1496
01:07:24,840 –> 01:07:27,400
the system didn’t need to infer whether an approval happened.
1497
01:07:27,400 –> 01:07:29,480
It could check, it didn’t need to guess who owned the next step,
1498
01:07:29,480 –> 01:07:30,200
it could read it.
1499
01:07:30,200 –> 01:07:32,600
And when the workflow hit a refusal condition,
1500
01:07:32,600 –> 01:07:34,760
missing evidence, conflicting procedure versions,
1501
01:07:34,760 –> 01:07:37,160
or an action that required a human signature,
1502
01:07:37,160 –> 01:07:39,320
the system escalated instead of improvising.
1503
01:07:39,320 –> 01:07:42,040
Then analytical memory and fabric,
1504
01:07:42,040 –> 01:07:44,520
they captured the signals the business never had.
1505
01:07:44,520 –> 01:07:46,520
Time spent in each workflow state,
1506
01:07:46,520 –> 01:07:48,680
which steps produced the most exceptions,
1507
01:07:48,680 –> 01:07:50,280
which incidents reopened,
1508
01:07:50,280 –> 01:07:53,880
which evidence sources were repeatedly retrieved but never cited,
1509
01:07:53,880 –> 01:07:56,360
and where the same problem reappeared with different labels.
1510
01:07:56,360 –> 01:07:58,520
Fabric didn’t optimize the plant,
1511
01:07:58,520 –> 01:08:01,320
though it exposed where the organization was lying to itself.
1512
01:08:01,320 –> 01:08:02,280
It showed, for example,
1513
01:08:02,280 –> 01:08:04,200
that certain approvals were pure theatre,
1514
01:08:04,200 –> 01:08:05,960
always granted, always late,
1515
01:08:05,960 –> 01:08:07,080
and always the bottleneck.
1516
01:08:07,080 –> 01:08:09,720
It showed that a specific set of procedures caused delays
1517
01:08:09,720 –> 01:08:10,760
because they were stale,
1518
01:08:10,760 –> 01:08:13,640
contradicted by newer practices and still socially dominant.
1519
01:08:13,640 –> 01:08:16,680
Those insights fed back into the relevance windows and governance.
1520
01:08:16,680 –> 01:08:19,160
Old procedures became ineligible by default.
1521
01:08:19,160 –> 01:08:21,560
Ownership got assigned, review dates became real.
1522
01:08:21,560 –> 01:08:24,520
The system stopped treating archives as decision-grade evidence,
1523
01:08:24,520 –> 01:08:27,640
only after all of that did co-pilot enter the narrative.
1524
01:08:27,640 –> 01:08:30,040
Co-pilot’s role was deliberately constrained.
1525
01:08:30,040 –> 01:08:31,640
Synthesis, recommendation,
1526
01:08:31,640 –> 01:08:33,880
evidence assembly, and escalation prompts.
1527
01:08:33,880 –> 01:08:37,000
Not final decisions, not autonomous actions on production systems.
1528
01:08:37,000 –> 01:08:40,040
The interaction layer served the humans supervising the flow,
1529
01:08:40,040 –> 01:08:41,320
not the other way around.
1530
01:08:41,320 –> 01:08:43,080
The result was not better answers.
1531
01:08:43,080 –> 01:08:44,280
It was fewer loops,
1532
01:08:44,280 –> 01:08:47,800
average resolution time dropped from 72 hours to 28.
1533
01:08:47,800 –> 01:08:50,120
Coordination threads dropped by roughly 40%
1534
01:08:50,120 –> 01:08:52,840
because people stopped re-asking basic state questions.
1535
01:08:52,840 –> 01:08:55,560
Duplicated workflows dropped by about 30%
1536
01:08:55,560 –> 01:08:58,440
because the system could see existing cases in their status,
1537
01:08:58,440 –> 01:09:00,520
and audit preparation time was cut in half
1538
01:09:00,520 –> 01:09:02,680
because provenance and state were already recorded
1539
01:09:02,680 –> 01:09:04,280
as part of normal execution,
1540
01:09:04,280 –> 01:09:06,120
not reconstructed during panic week.
1541
01:09:06,120 –> 01:09:08,040
The outcome wasn’t a smarter enterprise.
1542
01:09:08,040 –> 01:09:09,560
There was a less ambiguous one.
1543
01:09:09,560 –> 01:09:11,320
Autonomy didn’t remove humans.
1544
01:09:11,320 –> 01:09:12,840
It moved them up the stack,
1545
01:09:12,840 –> 01:09:15,960
from context reconstruction to context supervision.
1546
01:09:15,960 –> 01:09:18,520
What leaders get wrong when they scale co-pilot?
1547
01:09:18,520 –> 01:09:20,920
Leaders usually don’t fail at scaling co-pilot
1548
01:09:20,920 –> 01:09:22,280
because they lack ambition.
1549
01:09:22,280 –> 01:09:24,440
They fail because they scale the visible layer
1550
01:09:24,440 –> 01:09:26,760
and ignore the substrate that makes it behave.
1551
01:09:26,760 –> 01:09:29,480
The first mistake is treating licensing as strategy.
1552
01:09:29,480 –> 01:09:30,920
Procurement loves this mistake.
1553
01:09:30,920 –> 01:09:32,680
It feels decisive by more seats,
1554
01:09:32,680 –> 01:09:34,840
watch usage climb, declare momentum,
1555
01:09:34,840 –> 01:09:36,920
but licensing only changes who can ask questions.
1556
01:09:36,920 –> 01:09:39,000
It doesn’t change whether the tenant can answer them
1557
01:09:39,000 –> 01:09:40,920
with evidence, with permission, correctness,
1558
01:09:40,920 –> 01:09:42,440
and with stable definitions.
1559
01:09:42,440 –> 01:09:43,960
So leaders end up measuring adoption
1560
01:09:43,960 –> 01:09:46,120
while the organization quietly trains itself
1561
01:09:46,120 –> 01:09:47,480
to work around the system.
1562
01:09:47,480 –> 01:09:50,360
Co-pilot’s fine for drafts, but don’t trust it.
1563
01:09:50,360 –> 01:09:51,160
That’s not success.
1564
01:09:51,160 –> 01:09:52,920
That’s normalized distrust with a renewal.
1565
01:09:52,920 –> 01:09:54,840
The second mistake is treating prompt training
1566
01:09:54,840 –> 01:09:56,120
as the primary lever,
1567
01:09:56,120 –> 01:09:58,520
prompting looks like leverage because it’s immediate.
1568
01:09:58,520 –> 01:10:00,520
Run workshops, publish templates,
1569
01:10:00,520 –> 01:10:02,520
share top prompts for managers.
1570
01:10:02,520 –> 01:10:04,600
And yes, it helps people communicate intent,
1571
01:10:04,600 –> 01:10:06,520
but it doesn’t fix context fragmentation.
1572
01:10:06,520 –> 01:10:07,960
It doesn’t fix stale procedures.
1573
01:10:07,960 –> 01:10:09,720
It doesn’t fix overshared libraries.
1574
01:10:09,720 –> 01:10:11,480
It doesn’t fix broken inheritance.
1575
01:10:11,480 –> 01:10:14,120
It doesn’t fix the fact that half the organization stores
1576
01:10:14,120 –> 01:10:17,480
decision-grade work in personal one drive with ambiguous naming.
1577
01:10:17,480 –> 01:10:19,400
So prompt programs become a mask.
1578
01:10:19,400 –> 01:10:22,120
The enterprise gets slightly better at asking for answers.
1579
01:10:22,120 –> 01:10:25,160
It does not get better at making those answers defensible.
1580
01:10:25,160 –> 01:10:28,600
The third mistake is scaling agents before scoping tools.
1581
01:10:28,600 –> 01:10:31,400
Executives here agent and assume automation,
1582
01:10:31,400 –> 01:10:33,400
then ask why the organization isn’t using it
1583
01:10:33,400 –> 01:10:35,960
for approvals on boarding procurement, incident response,
1584
01:10:35,960 –> 01:10:37,080
and customer coms.
1585
01:10:37,080 –> 01:10:39,240
The problem is that tool access is where autonomy
1586
01:10:39,240 –> 01:10:40,600
becomes liability.
1587
01:10:40,600 –> 01:10:42,840
If an agent can read broadly and act broadly,
1588
01:10:42,840 –> 01:10:44,360
you’ve built a high-speed pathway
1589
01:10:44,360 –> 01:10:47,160
from retrieval mistakes to real-world consequences.
1590
01:10:47,160 –> 01:10:49,320
The enterprise then reacts the way it always reacts.
1591
01:10:49,320 –> 01:10:50,520
It adds exceptions.
1592
01:10:50,520 –> 01:10:51,720
Entropy generators.
1593
01:10:51,720 –> 01:10:53,480
This one team needs broad access.
1594
01:10:53,480 –> 01:10:57,560
This workflow can bypass the approval in emergencies.
1595
01:10:57,560 –> 01:11:00,440
This connector is fine because the vendor is trusted.
1596
01:11:00,440 –> 01:11:03,480
Over time, the autonomy layer becomes conditional chaos.
1597
01:11:03,480 –> 01:11:04,520
Lots of rules.
1598
01:11:04,520 –> 01:11:05,880
No enforceable intent.
1599
01:11:05,880 –> 01:11:08,600
And an execution surface that’s impossible to audit.
1600
01:11:08,600 –> 01:11:10,440
The fourth mistake is ignoring oversharing
1601
01:11:10,440 –> 01:11:11,880
until it becomes a headline.
1602
01:11:11,880 –> 01:11:15,160
Most copilot security incidents are not copilot incidents.
1603
01:11:15,160 –> 01:11:17,320
Their permission reality made observable.
1604
01:11:17,320 –> 01:11:20,280
Copilot simply retrieves what the user can already access.
1605
01:11:20,280 –> 01:11:21,320
That’s the design.
1606
01:11:21,320 –> 01:11:24,680
So when leadership discovers copilot surface something embarrassing,
1607
01:11:24,680 –> 01:11:27,880
they tend to blame the assistant instead of the access model.
1608
01:11:27,880 –> 01:11:29,080
Then they overcorrect.
1609
01:11:29,080 –> 01:11:31,480
Block features disable web grounding everywhere,
1610
01:11:31,480 –> 01:11:33,160
restrict everything indiscriminately,
1611
01:11:33,160 –> 01:11:35,960
and kill value for the teams that could safely use it.
1612
01:11:35,960 –> 01:11:37,320
The stable move is boring.
1613
01:11:37,320 –> 01:11:39,400
Permission hygiene and relevant scoping.
1614
01:11:39,400 –> 01:11:40,600
Reduce eligibility.
1615
01:11:40,600 –> 01:11:41,400
Raise authority.
1616
01:11:41,400 –> 01:11:43,160
Make fewer things retrievable by default.
1617
01:11:43,160 –> 01:11:44,360
Not because secrecy is good,
1618
01:11:44,360 –> 01:11:45,960
but because noise is dangerous.
1619
01:11:45,960 –> 01:11:48,600
The fifth mistake is using the wrong success metrics.
1620
01:11:48,600 –> 01:11:50,520
Number of chats is not a business metric.
1621
01:11:50,520 –> 01:11:53,560
Neither is ours saved reported through self-assessment surveys.
1622
01:11:53,560 –> 01:11:54,760
Those are adoption signals.
1623
01:11:54,760 –> 01:11:56,120
They’re not integrity signals.
1624
01:11:56,120 –> 01:11:58,680
If leaders want to scale copilot into autonomy,
1625
01:11:58,680 –> 01:12:00,840
the metrics have to shift to system behavior.
1626
01:12:00,840 –> 01:12:03,160
Reduction in rework, fewer approval loops,
1627
01:12:03,160 –> 01:12:05,560
lower exception rates, fewer duplicated workflows,
1628
01:12:05,560 –> 01:12:08,520
shorter cycle times, and quietly the most important,
1629
01:12:08,520 –> 01:12:11,720
fewer permission faults discovered in the act of using the system.
1630
01:12:11,720 –> 01:12:13,320
When those move value is real,
1631
01:12:13,320 –> 01:12:15,160
because the enterprise is less ambiguous,
1632
01:12:15,160 –> 01:12:17,240
not because the assistant is more charming.
1633
01:12:17,240 –> 01:12:19,960
And there’s one mistake that sits under all the others.
1634
01:12:19,960 –> 01:12:22,680
Leaders assume scaling is a rollout problem.
1635
01:12:22,680 –> 01:12:24,680
It isn’t scaling is an architecture problem.
1636
01:12:24,680 –> 01:12:27,160
It’s about whether the organization can keep intent stable
1637
01:12:27,160 –> 01:12:28,520
as the environment shifts,
1638
01:12:28,520 –> 01:12:30,520
whether it can maintain freshness rules,
1639
01:12:30,520 –> 01:12:32,200
whether it can version evidence standards,
1640
01:12:32,200 –> 01:12:33,400
whether it can detect drift,
1641
01:12:33,400 –> 01:12:35,160
whether it can enforce refusal conditions
1642
01:12:35,160 –> 01:12:36,200
when evidence is missing.
1643
01:12:36,200 –> 01:12:38,200
Because if the system can’t refuse, it will guess.
1644
01:12:38,200 –> 01:12:40,840
And in an enterprise, guessing doesn’t just create wrong answers.
1645
01:12:40,840 –> 01:12:43,240
It creates wrong actions, wrong approvals,
1646
01:12:43,240 –> 01:12:45,400
and wrong records that live forever.
1647
01:12:45,400 –> 01:12:47,960
So when a leader says we want to scale copilot,
1648
01:12:47,960 –> 01:12:50,280
the only responsible response is to translate that
1649
01:12:50,280 –> 01:12:53,000
into an architectural commitment, scale memory quality,
1650
01:12:53,000 –> 01:12:55,000
scale state discipline, scale learning loops,
1651
01:12:55,000 –> 01:12:58,040
scale control planes, copilot scales naturally after that.
1652
01:12:58,040 –> 01:13:01,240
Before that, it scales confusion faster than it scales work.
1653
01:13:01,240 –> 01:13:03,240
The seven day context inventory.
1654
01:13:03,240 –> 01:13:05,000
So here’s the part leaders usually skip
1655
01:13:05,000 –> 01:13:08,040
because it feels unglamerous, a context inventory.
1656
01:13:08,040 –> 01:13:11,240
Not a data inventory, not a we have share point inventory,
1657
01:13:11,240 –> 01:13:12,440
a context inventory.
1658
01:13:12,440 –> 01:13:15,240
Where does the enterprise actually store identity, evidence,
1659
01:13:15,240 –> 01:13:18,520
state, and learning in a way an agent can use without guessing?
1660
01:13:18,520 –> 01:13:21,160
And it has to be a seven day exercise for one reason.
1661
01:13:21,160 –> 01:13:23,000
If you can’t get clarity in a week,
1662
01:13:23,000 –> 01:13:24,360
you’re not doing architecture.
1663
01:13:24,360 –> 01:13:25,560
You’re doing therapy.
1664
01:13:25,560 –> 01:13:28,440
You’re collecting opinions until the calendar saves you
1665
01:13:28,440 –> 01:13:30,840
from making decisions.
1666
01:13:30,840 –> 01:13:33,000
This inventory has one goal.
1667
01:13:33,000 –> 01:13:37,080
Expose the top three context breaks where work loses continuity,
1668
01:13:37,080 –> 01:13:40,600
where it drops state, loses authority, or loses control.
1669
01:13:40,600 –> 01:13:42,760
Those breaks are where copilot looks random.
1670
01:13:42,760 –> 01:13:45,240
Those breaks are also where agents become dangerous.
1671
01:13:45,240 –> 01:13:46,360
Start with the first question,
1672
01:13:46,360 –> 01:13:47,880
where does identity context live?
1673
01:13:47,880 –> 01:13:50,760
Not we use Entra, everyone uses Entra.
1674
01:13:50,760 –> 01:13:54,920
Identity context means where is the current enforceable truth of who can do what,
1675
01:13:54,920 –> 01:13:56,920
from an access and risk posture perspective?
1676
01:13:56,920 –> 01:14:00,280
Which groups actually govern access to decision-grade content?
1677
01:14:00,280 –> 01:14:03,160
Which conditional access policies define the boundary conditions
1678
01:14:03,160 –> 01:14:04,680
for sensitive workflows?
1679
01:14:04,680 –> 01:14:06,360
Which roles exist in name only?
1680
01:14:06,360 –> 01:14:09,080
Which users carry historic privilege they no longer need?
1681
01:14:09,080 –> 01:14:12,200
And which non-human identities, apps, service principles,
1682
01:14:12,200 –> 01:14:15,160
connectors have permissions that nobody can justify anymore?
1683
01:14:15,160 –> 01:14:18,920
If you can’t name the owner of your authorization model per workflow domain,
1684
01:14:18,920 –> 01:14:22,920
you don’t have identity context, you have a directory and a pile of entitlements.
1685
01:14:22,920 –> 01:14:25,560
Second question, where is workflow state tracked?
1686
01:14:25,560 –> 01:14:26,600
Not in tickets.
1687
01:14:26,600 –> 01:14:27,960
Ticket status is not state.
1688
01:14:27,960 –> 01:14:28,600
It’s a label.
1689
01:14:28,600 –> 01:14:33,000
State means the contract that proves the workflow’s reality.
1690
01:14:33,000 –> 01:14:35,880
Approvals, exceptions, ownership,
1691
01:14:35,880 –> 01:14:39,320
SLA, gates, and refusal conditions.
1692
01:14:39,320 –> 01:14:42,520
If a critical workflow can’t answer what step are we in?
1693
01:14:42,520 –> 01:14:45,560
Who owns it and what is allowed next without reading a team’s thread?
1694
01:14:45,560 –> 01:14:46,520
You don’t have state.
1695
01:14:46,520 –> 01:14:49,720
You have coordination and coordination can’t be automated safely.
1696
01:14:49,720 –> 01:14:52,680
Third question, where does historical intelligence live?
1697
01:14:52,680 –> 01:14:55,560
This is where organizations fool themselves with storage.
1698
01:14:55,560 –> 01:14:58,360
Historical intelligence isn’t, we have archives.
1699
01:14:58,360 –> 01:15:01,960
Do you have an analytical layer that can tell you what keeps repeating,
1700
01:15:01,960 –> 01:15:04,920
what keeps stalling and what keeps generating exceptions?
1701
01:15:04,920 –> 01:15:07,080
Can you quantify rework and permission faults?
1702
01:15:07,080 –> 01:15:11,400
Can you see where evidence conflicts and where policy drift creates ambiguity?
1703
01:15:11,400 –> 01:15:13,880
And can you feed those signals back into governance?
1704
01:15:13,880 –> 01:15:16,520
Or do they die as dashboards that nobody trusts?
1705
01:15:16,520 –> 01:15:18,520
If you can’t answer that, you don’t have learning.
1706
01:15:18,520 –> 01:15:20,120
You have telemetry exhaust.
1707
01:15:20,120 –> 01:15:23,080
Fourth question, where are permissions actually enforced?
1708
01:15:23,080 –> 01:15:24,680
This sounds like identity again.
1709
01:15:24,680 –> 01:15:25,160
It isn’t.
1710
01:15:25,160 –> 01:15:31,160
Permissions enforcement means where is the boundary that copilot and agents will inherit
1711
01:15:31,160 –> 01:15:32,360
and is it coherent?
1712
01:15:32,360 –> 01:15:34,120
Which SharePoint sites are overshared?
1713
01:15:34,120 –> 01:15:35,720
Where inheritance is broken?
1714
01:15:35,720 –> 01:15:39,560
Which teams have guests and external sharing but store decision-grade content?
1715
01:15:39,560 –> 01:15:41,160
Which containers have no owner?
1716
01:15:41,160 –> 01:15:42,600
Which content lacks labels?
1717
01:15:42,600 –> 01:15:43,800
So DLP can’t act.
1718
01:15:43,800 –> 01:15:46,920
In other words, where is the tenant poorest and are you pretending it’s fine?
1719
01:15:46,920 –> 01:15:48,120
Because nobody complained yet.
1720
01:15:48,120 –> 01:15:51,320
Because copilot will complain for you publicly in a meeting.
1721
01:15:51,320 –> 01:15:55,640
Fifth question, where is your signal telemetry centralized?
1722
01:15:55,640 –> 01:15:59,000
If the organization can’t observe behavior, it can’t govern drift.
1723
01:15:59,000 –> 01:16:01,640
You need to know what evidence sources get retrieved most,
1724
01:16:01,640 –> 01:16:04,760
where citations fail, where refusal conditions trigger,
1725
01:16:04,760 –> 01:16:06,760
which workflows escalate constantly,
1726
01:16:06,760 –> 01:16:10,040
which identities experience CAE revocations midrun.
1727
01:16:10,040 –> 01:16:12,680
And where tool invocation patterns look abnormal.
1728
01:16:12,680 –> 01:16:14,520
That’s not AI monitoring.
1729
01:16:14,520 –> 01:16:19,640
That’s the control feedback required to run a probabilistic system without lying to yourself.
1730
01:16:19,640 –> 01:16:22,920
Now, the deliverable from the seven day inventory is not a report.
1731
01:16:22,920 –> 01:16:24,440
It’s three decisions.
1732
01:16:24,440 –> 01:16:26,440
Decision one, map owners.
1733
01:16:26,440 –> 01:16:30,360
For each context domain, memory, state, learning, interaction,
1734
01:16:30,360 –> 01:16:33,480
assign a named owner with authority to enforce standards.
1735
01:16:33,480 –> 01:16:35,640
Not a steering committee, a person.
1736
01:16:35,640 –> 01:16:38,280
If you can’t assign an owner, you’ve learned the most important truth.
1737
01:16:38,280 –> 01:16:42,360
Autonomy will collapse into exception handling because nobody can enforce intent.
1738
01:16:42,360 –> 01:16:44,840
Decision two, identify the top three context breaks.
1739
01:16:44,840 –> 01:16:48,200
These are the points where work loses its spine.
1740
01:16:48,200 –> 01:16:49,080
Common examples.
1741
01:16:49,080 –> 01:16:50,920
Approvals tracked in email only.
1742
01:16:50,920 –> 01:16:55,560
Policy stored in ungoverned wikis, incident artifacts scattered across personal drives,
1743
01:16:55,560 –> 01:16:57,560
vendor onboarding, living in spreadsheets,
1744
01:16:57,560 –> 01:17:00,360
or sensitive content stored in teams with guest access.
1745
01:17:00,360 –> 01:17:02,040
Because it’s easier.
1746
01:17:02,040 –> 01:17:02,840
Write them down.
1747
01:17:02,840 –> 01:17:03,560
Don’t debate them.
1748
01:17:03,560 –> 01:17:05,400
Context breaks aren’t philosophical.
1749
01:17:05,400 –> 01:17:06,600
They’re observable.
1750
01:17:06,600 –> 01:17:07,640
Decision three.
1751
01:17:07,640 –> 01:17:10,040
Pick one workflow for a 30-day pilot.
1752
01:17:10,040 –> 01:17:13,160
One, not enterprise-wide, not all-knowledge work.
1753
01:17:13,160 –> 01:17:16,040
One workflow with visible pain and manageable blast radius
1754
01:17:16,040 –> 01:17:17,960
where you can implement the four layers.
1755
01:17:17,960 –> 01:17:20,920
Graph memory, dataverse state, fabric learning,
1756
01:17:20,920 –> 01:17:24,360
co-pilot interaction with explicit refusal conditions.
1757
01:17:24,360 –> 01:17:26,200
If leadership can’t choose one workflow,
1758
01:17:26,200 –> 01:17:27,480
they’re not blocked by technology.
1759
01:17:27,480 –> 01:17:29,080
They’re blocked by accountability.
1760
01:17:29,080 –> 01:17:31,880
And that’s what the seven day context inventory really does.
1761
01:17:31,880 –> 01:17:34,520
It forces the enterprise to admit where reality lives,
1762
01:17:34,520 –> 01:17:36,920
where it doesn’t and where the system will be forced to guess.
1763
01:17:36,920 –> 01:17:38,600
Because once you see where guessing happens,
1764
01:17:38,600 –> 01:17:40,200
the architecture stops being abstract.
1765
01:17:40,200 –> 01:17:41,480
It becomes unavoidable.
1766
01:17:41,480 –> 01:17:43,080
The 30-day pilot pattern.
1767
01:17:43,080 –> 01:17:45,880
One workflow, four layers, enforced assumptions.
1768
01:17:45,880 –> 01:17:49,400
Pick one workflow where failure is visible, frequent, and expensive.
1769
01:17:49,400 –> 01:17:52,680
Approvals, incident response, onboarding, procurement.
1770
01:17:52,680 –> 01:17:55,080
Anything with handoffs, delays, and a paper trail,
1771
01:17:55,080 –> 01:17:56,760
you can’t reliably reconstruct
1772
01:17:56,760 –> 01:17:59,720
without begging three inbox owners for screenshots.
1773
01:17:59,720 –> 01:18:01,560
Then do the one thing enterprises avoid?
1774
01:18:01,560 –> 01:18:04,360
Define the assumptions upfront and make the system enforce them.
1775
01:18:04,360 –> 01:18:06,680
Because the pilot isn’t about proving co-pilot works.
1776
01:18:06,680 –> 01:18:08,040
Co-pilot always works.
1777
01:18:08,040 –> 01:18:09,880
It produces words on demand.
1778
01:18:09,880 –> 01:18:12,040
The pilot is about proving your context substrate
1779
01:18:12,040 –> 01:18:15,000
can support evidence bound decisions without improvisation.
1780
01:18:15,000 –> 01:18:17,800
Start by defining the workflow boundary in plain language.
1781
01:18:17,800 –> 01:18:18,680
What triggers it?
1782
01:18:18,680 –> 01:18:19,800
What done means?
1783
01:18:19,800 –> 01:18:22,120
And what irreversible actions exist inside it?
1784
01:18:22,120 –> 01:18:23,480
If done isn’t defined,
1785
01:18:23,480 –> 01:18:25,800
the agent will keep acting until someone stops it.
1786
01:18:25,800 –> 01:18:26,840
That’s not autonomy.
1787
01:18:26,840 –> 01:18:28,280
That’s entropy with good grammar.
1788
01:18:28,280 –> 01:18:29,640
Now implement the four layers,
1789
01:18:29,640 –> 01:18:31,400
but keep them deliberately small.
1790
01:18:31,400 –> 01:18:32,520
First, graph memory.
1791
01:18:32,520 –> 01:18:35,320
This is where you stop treating M365 as file storage
1792
01:18:35,320 –> 01:18:37,560
and start treating it as organizational recall.
1793
01:18:37,560 –> 01:18:39,960
Choose the authoritative containers for the workflow,
1794
01:18:39,960 –> 01:18:41,960
the SharePoint site, the Teams channel,
1795
01:18:41,960 –> 01:18:44,280
the policy library, the decision log,
1796
01:18:44,280 –> 01:18:45,800
then fix the obvious garbage,
1797
01:18:45,800 –> 01:18:47,800
broken inheritance, abandoned owners,
1798
01:18:47,800 –> 01:18:50,440
and the everyone group that turns retrieval into noise.
1799
01:18:50,440 –> 01:18:51,800
Don’t boil the ocean.
1800
01:18:51,800 –> 01:18:53,480
Just make one domain coherent enough
1801
01:18:53,480 –> 01:18:55,400
that retrieval can be precise.
1802
01:18:55,400 –> 01:18:57,480
Second, Dataverse state.
1803
01:18:57,480 –> 01:18:58,840
Create the minimum state machine
1804
01:18:58,840 –> 01:19:00,600
that prevents relitigating work.
1805
01:19:00,600 –> 01:19:02,840
Request record status owner, SLA,
1806
01:19:02,840 –> 01:19:04,200
approver exception flag,
1807
01:19:04,200 –> 01:19:06,680
and a small set of explicit transitions.
1808
01:19:06,680 –> 01:19:08,680
The point isn’t to model reality perfectly.
1809
01:19:08,680 –> 01:19:10,840
It’s to give the system a place to store truth
1810
01:19:10,840 –> 01:19:12,200
that isn’t buried in narrative.
1811
01:19:12,200 –> 01:19:13,400
When the agent asks,
1812
01:19:13,400 –> 01:19:14,760
has this been approved?
1813
01:19:14,760 –> 01:19:16,840
It should query state not guess based on tone
1814
01:19:16,840 –> 01:19:18,200
in a Teams message.
1815
01:19:18,200 –> 01:19:19,320
Third, fabric learning.
1816
01:19:19,320 –> 01:19:20,920
Instrument the workflow from day one.
1817
01:19:20,920 –> 01:19:22,280
Track cycle time per state,
1818
01:19:22,280 –> 01:19:24,280
number of escalations, number of retries,
1819
01:19:24,280 –> 01:19:25,160
evidence coverage,
1820
01:19:25,160 –> 01:19:26,680
and the top reasons for refusal.
1821
01:19:26,680 –> 01:19:29,240
You’re not building a dashboard for leadership theater.
1822
01:19:29,240 –> 01:19:30,520
You’re building a feedback loop
1823
01:19:30,520 –> 01:19:32,280
that tells you where context broke.
1824
01:19:32,280 –> 01:19:34,440
Missing sources, conflicting sources,
1825
01:19:34,440 –> 01:19:37,400
permission faults, or state transitions, nobody owns.
1826
01:19:37,400 –> 01:19:39,160
Fourth, co-pilot interaction.
1827
01:19:39,160 –> 01:19:41,000
Put co-pilot where humans already work
1828
01:19:41,000 –> 01:19:42,440
and constrain its role.
1829
01:19:42,440 –> 01:19:43,640
It should assemble evidence,
1830
01:19:43,640 –> 01:19:45,720
summarize state, draft responses,
1831
01:19:45,720 –> 01:19:47,000
propose next steps,
1832
01:19:47,000 –> 01:19:48,520
and generate the audit narrative.
1833
01:19:48,520 –> 01:19:50,680
It should not execute irreversible actions.
1834
01:19:50,680 –> 01:19:52,120
It should not decide policy.
1835
01:19:52,120 –> 01:19:54,040
And it should not have silent tool access
1836
01:19:54,040 –> 01:19:55,880
that can change systems without a gate.
1837
01:19:55,880 –> 01:19:58,040
Now the critical part, enforce assumptions.
1838
01:19:58,040 –> 01:20:00,440
Define refusal conditions like you mean it.
1839
01:20:00,440 –> 01:20:03,400
If required evidence isn’t found in the authoritative container,
1840
01:20:03,400 –> 01:20:04,840
the system escalates.
1841
01:20:04,840 –> 01:20:06,920
If the user’s permission posture is inconsistent,
1842
01:20:06,920 –> 01:20:08,040
the system refuses.
1843
01:20:08,040 –> 01:20:09,960
If the request crosses an external boundary,
1844
01:20:09,960 –> 01:20:11,800
the system requires confirmation.
1845
01:20:11,800 –> 01:20:13,320
If the workflow state is ambiguous,
1846
01:20:13,320 –> 01:20:15,720
the system asks a single targeted question,
1847
01:20:15,720 –> 01:20:17,720
then writes the answer back to dataverse,
1848
01:20:17,720 –> 01:20:19,240
so it never asks again.
1849
01:20:19,240 –> 01:20:21,720
This is where you learn whether you have an autonomy problem
1850
01:20:21,720 –> 01:20:23,080
or an accountability problem.
1851
01:20:23,080 –> 01:20:25,000
Because refusal conditions force ownership,
1852
01:20:25,000 –> 01:20:27,160
someone has to decide what counts as evidence,
1853
01:20:27,160 –> 01:20:28,440
what counts as stale,
1854
01:20:28,440 –> 01:20:30,040
and who approves exceptions.
1855
01:20:30,040 –> 01:20:33,080
Without that, the pilot becomes another demo environment
1856
01:20:33,080 –> 01:20:35,880
where the only reason it works is because smart people babysat it,
1857
01:20:35,880 –> 01:20:37,800
measure four things for 30 days,
1858
01:20:37,800 –> 01:20:39,400
and ignore the rest.
1859
01:20:39,400 –> 01:20:40,840
Cycle time.
1860
01:20:40,840 –> 01:20:42,600
Did it actually get faster?
1861
01:20:42,600 –> 01:20:43,560
End to end?
1862
01:20:43,560 –> 01:20:46,040
Not just in drafting email?
1863
01:20:46,040 –> 01:20:47,000
Rework.
1864
01:20:47,000 –> 01:20:48,760
Did people stop repeating the same steps,
1865
01:20:48,760 –> 01:20:50,760
the same approvals, the same clarifications?
1866
01:20:50,760 –> 01:20:52,600
Exception rate.
1867
01:20:52,600 –> 01:20:54,440
Did the system have to escalate constantly
1868
01:20:54,440 –> 01:20:56,040
because the process is undefined
1869
01:20:56,040 –> 01:20:57,720
or because the context is dirty?
1870
01:20:57,720 –> 01:20:58,760
Permission faults.
1871
01:20:58,760 –> 01:21:01,240
How often did retrieval fail because access is wrong?
1872
01:21:01,240 –> 01:21:02,760
And how often did retrieval succeed?
1873
01:21:02,760 –> 01:21:04,920
Because access is dangerously broad.
1874
01:21:04,920 –> 01:21:05,960
If those metrics improve,
1875
01:21:05,960 –> 01:21:07,480
you don’t just have a successful pilot,
1876
01:21:07,480 –> 01:21:08,920
you have a repeatable pattern.
1877
01:21:08,920 –> 01:21:10,040
Then you clone it,
1878
01:21:10,040 –> 01:21:11,160
not by copying flows,
1879
01:21:11,160 –> 01:21:12,600
by copying architecture.
1880
01:21:12,600 –> 01:21:13,640
The same four layers,
1881
01:21:13,640 –> 01:21:14,920
the same boundary discipline,
1882
01:21:14,920 –> 01:21:16,200
the same refusal mechanics,
1883
01:21:16,200 –> 01:21:17,560
the same telemetry loop,
1884
01:21:17,560 –> 01:21:19,000
and the same ownership model.
1885
01:21:19,000 –> 01:21:21,240
That’s how you scale without turning autonomy
1886
01:21:21,240 –> 01:21:22,520
into a tenant-wide rumor,
1887
01:21:22,520 –> 01:21:25,240
and AI won’t transform your enterprise.
1888
01:21:25,240 –> 01:21:26,760
Context architecture will,
1889
01:21:26,760 –> 01:21:28,680
because it forces probabilistic outputs
1890
01:21:28,680 –> 01:21:31,080
to stay bound to evidence, state, and control.
1891
01:21:31,080 –> 01:21:34,040
If this landed, leave a review for M365FM,
1892
01:21:34,040 –> 01:21:35,880
connect with mecopeters on LinkedIn,
1893
01:21:35,880 –> 01:21:37,160
and message the one context,
1894
01:21:37,160 –> 01:21:38,840
break you want, dissect it next.
1895
01:21:38,840 –> 01:21:41,320
Copilot, graph, governance, or agents.
