
1
00:00:00,000 –> 00:00:04,280
Most organizations treat Microsoft 365 as a collection of features to be purchased.
2
00:00:04,280 –> 00:00:05,280
They are wrong.
3
00:00:05,280 –> 00:00:07,880
What they’re actually operating is an economic system.
4
00:00:07,880 –> 00:00:10,640
And like all systems, it leaks. Not dramatically.
5
00:00:10,640 –> 00:00:12,160
Silently.
6
00:00:12,160 –> 00:00:14,800
Let me walk you through the seven patterns I see over and over.
7
00:00:14,800 –> 00:00:16,960
Each one individually looks manageable.
8
00:00:16,960 –> 00:00:20,040
Together they compound into what I call architectural entropy,
9
00:00:20,040 –> 00:00:23,400
the slow, invisible decay of value in your Microsoft tenant.
10
00:00:23,400 –> 00:00:26,440
Sin 1, the myth of procurement as strategy,
11
00:00:26,440 –> 00:00:27,680
The lie sounds simple.
12
00:00:27,680 –> 00:00:30,040
Buy the right license, get the right outcome.
13
00:00:30,040 –> 00:00:34,360
Most organizations believe that purchasing E5 licenses equals digital transformation.
14
00:00:34,360 –> 00:00:36,560
They tell their CFO they are modernizing.
15
00:00:36,560 –> 00:00:38,120
They renew annually.
16
00:00:38,120 –> 00:00:42,040
Nobody questions whether the capability they bought is actually creating value.
17
00:00:42,040 –> 00:00:43,160
Here’s what happens instead.
18
00:00:43,160 –> 00:00:47,240
A global engineering firm with 5,000 seats decides to go digital.
19
00:00:47,240 –> 00:00:49,200
They land on E5 as the standard.
20
00:00:49,200 –> 00:00:52,040
90% adoption across the knowledge worker base.
21
00:00:52,040 –> 00:00:53,440
On paper, perfect.
22
00:00:53,440 –> 00:00:56,840
In reality, only a fraction of users ever touched the premium connectors.
23
00:00:56,840 –> 00:01:00,720
Copilot sat unused; Defender features were never operationalized.
24
00:01:00,720 –> 00:01:04,520
After 18 months, a rationalization audit revealed the truth.
25
00:01:04,520 –> 00:01:08,760
56% of those licenses were either inactive, underutilized,
26
00:01:08,760 –> 00:01:11,400
or completely misaligned with actual work patterns.
27
00:01:11,400 –> 00:01:13,960
By role, by region, by function.
28
00:01:13,960 –> 00:01:15,240
The economic leakage?
29
00:01:15,240 –> 00:01:17,600
$1.6 million annually.
30
00:01:17,600 –> 00:01:20,720
They were financing architectural erosion without knowing it.
31
00:01:20,720 –> 00:01:23,320
This is what I mean by procurement masquerading as strategy.
32
00:01:23,320 –> 00:01:24,440
You bought a feature bundle.
33
00:01:24,440 –> 00:01:26,200
You mistook it for an operating model.
34
00:01:26,200 –> 00:01:28,360
The control plane fix is brutally simple.
35
00:01:28,360 –> 00:01:31,920
If you cannot map telemetry to quarterly value realization,
36
00:01:31,920 –> 00:01:34,680
if you cannot prove that the premium capabilities you paid for
37
00:01:34,680 –> 00:01:38,600
are actively driving business outcomes, then you don’t have architecture.
38
00:01:38,600 –> 00:01:39,960
You have procurement.
39
00:01:39,960 –> 00:01:44,640
And procurement by definition has no accountability for the money after the check clears.
40
00:01:44,640 –> 00:01:46,680
Sin 2, permission sprawl.
41
00:01:46,680 –> 00:01:49,080
The authorization compiler nobody built.
42
00:01:49,080 –> 00:01:53,160
The next pattern is permission creep, and it’s more dangerous than most organizations realize.
43
00:01:53,160 –> 00:01:57,040
In Entra ID, there’s a default culture I call add-only.
44
00:01:57,040 –> 00:01:58,040
Permissions get granted.
45
00:01:58,040 –> 00:01:59,680
They rarely get revoked.
46
00:01:59,680 –> 00:02:00,680
That’s not incompetence.
47
00:02:00,680 –> 00:02:01,680
That’s design inertia.
48
00:02:01,680 –> 00:02:02,880
No one owns the life cycle.
49
00:02:02,880 –> 00:02:03,880
No one reviews it.
50
00:02:03,880 –> 00:02:04,880
So it accumulates.
51
00:02:04,880 –> 00:02:07,440
I audited a financial services firm last year.
52
00:02:07,440 –> 00:02:11,600
They discovered 847 orphaned app registrations.
53
00:02:11,600 –> 00:02:15,640
Applications that were granted permissions three years ago for a pilot project that was abandoned.
54
00:02:15,640 –> 00:02:17,320
The permissions were never removed.
55
00:02:17,320 –> 00:02:22,440
The service principals still held Microsoft Graph rights to access tenant data, user information,
56
00:02:22,440 –> 00:02:23,720
mailbox contents.
57
00:02:23,720 –> 00:02:27,560
54% of IT leaders report complex identity and privilege sprawl.
58
00:02:27,560 –> 00:02:32,280
In large tenants, it’s normal to have 200, 300, sometimes 400 privileged applications running
59
00:02:32,280 –> 00:02:35,000
with permissions that nobody can fully account for.
60
00:02:35,000 –> 00:02:36,600
Here’s the economic consequence.
61
00:02:36,600 –> 00:02:37,600
Audit friction.
62
00:02:37,600 –> 00:02:38,920
Breach exposure.
63
00:02:38,920 –> 00:02:40,120
Operational paralysis.
64
00:02:40,120 –> 00:02:42,720
When a compliance team asks who has access to what?
65
00:02:42,720 –> 00:02:44,520
The answer takes weeks to assemble.
66
00:02:44,520 –> 00:02:45,640
And in a breach, you’re blind.
67
00:02:45,640 –> 00:02:48,640
You don’t know what was exposed because you don’t know what permissions existed.
68
00:02:48,640 –> 00:02:53,160
The control plane fix is this: treat permissions as entropy generators, not rewards.
69
00:02:53,160 –> 00:02:56,040
Design expiration into every access grant from the start.
70
00:02:56,040 –> 00:02:57,680
Enforce life cycle ownership.
71
00:02:57,680 –> 00:03:01,360
If an application’s purpose has expired, its permissions expire with it.
72
00:03:01,360 –> 00:03:02,840
Automatically. This is not optional.
73
00:03:02,840 –> 00:03:04,360
This is architectural law.
74
00:03:04,360 –> 00:03:05,360
Sin 3.
75
00:03:05,360 –> 00:03:06,760
Tactical governance.
76
00:03:06,760 –> 00:03:08,480
The theater of compliance.
77
00:03:08,480 –> 00:03:10,920
Most organizations claim they have governance.
78
00:03:10,920 –> 00:03:12,360
What they actually have is theater.
79
00:03:12,360 –> 00:03:16,160
I walked into a healthcare organization with 72 Teams governance policies.
80
00:03:16,160 –> 00:03:17,320
All of them documented.
81
00:03:17,320 –> 00:03:18,400
None of them automated.
82
00:03:18,400 –> 00:03:20,040
They relied on manual approvals.
83
00:03:20,040 –> 00:03:21,360
On reactive policing.
84
00:03:21,360 –> 00:03:22,600
On human bottlenecks.
85
00:03:22,600 –> 00:03:24,400
On inconsistent enforcement.
86
00:03:24,400 –> 00:03:26,720
How many manual hours went into that every year?
87
00:03:26,720 –> 00:03:27,720
4,000.
88
00:03:27,720 –> 00:03:28,720
Minimum.
89
00:03:28,720 –> 00:03:31,480
Someone’s job was refreshing spreadsheets and sending escalation emails.
90
00:03:31,480 –> 00:03:36,360
72% of organizations cannot enforce full governance policies at scale.
91
00:03:36,360 –> 00:03:37,600
And the reason is always the same.
92
00:03:37,600 –> 00:03:41,120
They build governance as a control function instead of a systems layer.
93
00:03:41,120 –> 00:03:43,680
The economic consequence is hidden but substantial.
94
00:03:43,680 –> 00:03:46,240
4,000 hours annually per organization.
95
00:03:46,240 –> 00:03:49,120
It’s two full-time employees just maintaining compliance theater.
96
00:03:49,120 –> 00:03:50,120
And it’s fragile.
97
00:03:50,120 –> 00:03:51,160
One person leaves.
98
00:03:51,160 –> 00:03:52,160
The policies drift.
99
00:03:52,160 –> 00:03:53,520
The system decays.
100
00:03:53,520 –> 00:03:55,000
The fix is existential.
101
00:03:55,000 –> 00:03:57,600
Governance that isn’t code is just a suggestion.
102
00:03:57,600 –> 00:04:02,080
If you’re still relying on PDF policies and SharePoint checklists and email approvals,
103
00:04:02,080 –> 00:04:04,520
you have compliance theater, not compliance.
104
00:04:04,520 –> 00:04:05,520
Automate it.
105
00:04:05,520 –> 00:04:06,520
Make it part of the system.
106
00:04:06,520 –> 00:04:07,520
Make violations impossible.
107
00:04:07,520 –> 00:04:08,520
Not just monitored.
108
00:04:08,520 –> 00:04:10,920
If you cannot automate it, you don’t actually have governance.
109
00:04:10,920 –> 00:04:11,920
You have hope.
110
00:04:11,920 –> 00:04:12,920
Sin 4.
111
00:04:12,920 –> 00:04:13,920
App worship.
112
00:04:13,920 –> 00:04:14,920
Confusing output.
113
00:04:14,920 –> 00:04:17,680
Enterprises celebrate app proliferation.
114
00:04:17,680 –> 00:04:19,720
We shipped 50 Power Apps this year.
115
00:04:19,720 –> 00:04:21,280
Citizen developers are empowered.
116
00:04:21,280 –> 00:04:22,760
Feature velocity is accelerating.
117
00:04:22,760 –> 00:04:24,040
But here’s what actually happened.
118
00:04:24,040 –> 00:04:26,200
You created 50 new maintenance liabilities.
119
00:04:26,200 –> 00:04:28,040
50 new surface area multipliers.
120
00:04:28,040 –> 00:04:30,680
Every app is another piece of code someone has to support.
121
00:04:30,680 –> 00:04:32,240
Another integration that can fail.
122
00:04:32,240 –> 00:04:33,520
Another attack surface to defend.
123
00:04:33,520 –> 00:04:37,200
A mid-market organization had 340 Power Apps in their tenant.
124
00:04:37,200 –> 00:04:39,760
127 of them had never been used.
125
00:04:39,760 –> 00:04:40,760
Nobody owned them.
126
00:04:40,760 –> 00:04:41,760
Nobody maintained them.
127
00:04:41,760 –> 00:04:42,960
They were digital cruft.
128
00:04:42,960 –> 00:04:46,560
The systemic cause is structural: builders get rewarded for creation.
129
00:04:46,560 –> 00:04:47,560
Architects are invisible.
130
00:04:47,560 –> 00:04:52,120
So the tenant fills up with applications that looked good in isolation, but create technical
131
00:04:52,120 –> 00:04:53,120
debt at scale.
132
00:04:53,120 –> 00:04:55,880
The economic consequence is support overhead.
133
00:04:55,880 –> 00:04:56,880
Compliance risk.
134
00:04:56,880 –> 00:04:57,880
Vendor sprawl.
135
00:04:57,880 –> 00:05:02,120
When you have 340 applications, the complexity of governance becomes overwhelming.
136
00:05:02,120 –> 00:05:03,880
Entitlements multiply.
137
00:05:03,880 –> 00:05:05,080
Integrations tangle.
138
00:05:05,080 –> 00:05:06,680
Security becomes impossible to manage.
139
00:05:06,680 –> 00:05:08,760
The control plane fix is architectural zoning.
140
00:05:08,760 –> 00:05:10,080
Stop counting apps.
141
00:05:10,080 –> 00:05:12,160
Start counting technical debt surface area.
142
00:05:12,160 –> 00:05:13,960
Enforce life cycle ownership.
143
00:05:13,960 –> 00:05:17,960
Decommission anything that doesn’t have a clear owner and a business justification.
144
00:05:17,960 –> 00:05:21,000
Treat app portfolios the way you treat real estate.
145
00:05:21,000 –> 00:05:23,560
Not every building belongs in your district.
146
00:05:23,560 –> 00:05:24,560
Sin 5.
147
00:05:24,560 –> 00:05:25,560
AI chaos.
148
00:05:25,560 –> 00:05:26,920
Agents without boundaries.
149
00:05:26,920 –> 00:05:28,240
This one is still forming.
150
00:05:28,240 –> 00:05:29,920
Most organizations don’t see it yet.
151
00:05:29,920 –> 00:05:31,480
That’s the danger.
152
00:05:31,480 –> 00:05:35,040
Organizations are deploying Copilot onto flat, unclassified data structures.
153
00:05:35,040 –> 00:05:38,680
They’re standing up Copilot Studio agents without defining what data those agents can
154
00:05:38,680 –> 00:05:39,680
access.
155
00:05:39,680 –> 00:05:42,920
Accelerating AI adoption while data governance lags behind.
156
00:05:42,920 –> 00:05:43,920
Here’s what I mean.
157
00:05:43,920 –> 00:05:48,760
An enterprise Copilot pilot, six weeks in, discovered that custom agents were accessing
158
00:05:48,760 –> 00:05:52,000
personally identifiable information without classification.
159
00:05:52,000 –> 00:05:55,560
They were reading payroll data, benefit information, address records.
160
00:05:55,560 –> 00:06:00,240
All available because the data was unclassified and the agent permissions were unrestricted,
161
00:06:00,240 –> 00:06:02,760
the economic consequence is immediate and expensive.
162
00:06:02,760 –> 00:06:04,080
Security retrofits.
163
00:06:04,080 –> 00:06:06,880
Copilot Studio credits burning through the budget.
164
00:06:06,880 –> 00:06:11,840
Every exposure, compliance re-ordered, all because someone deployed AI without architectural
165
00:06:11,840 –> 00:06:12,840
zoning.
166
00:06:12,840 –> 00:06:16,120
49% of AI programs stall due to unclear value.
167
00:06:16,120 –> 00:06:19,560
80% of Fortune 500 use agents without formal governance.
168
00:06:19,560 –> 00:06:24,560
The pattern is familiar, speed first, architecture second, then disaster.
169
00:06:24,560 –> 00:06:26,520
The fix is non-negotiable.
170
00:06:26,520 –> 00:06:29,440
Define data boundaries before deploying agents.
171
00:06:29,440 –> 00:06:33,920
Classify data, tier agents by risk, enforce data access via identity and policy.
172
00:06:33,920 –> 00:06:38,600
Treat AI not as a feature to ship, but as a governance layer that has to sit on top of solid
173
00:06:38,600 –> 00:06:39,840
data architecture.
174
00:06:39,840 –> 00:06:42,840
If your data foundation is weak, AI amplifies the weakness.
175
00:06:42,840 –> 00:06:44,160
It doesn’t fix it.
176
00:06:44,160 –> 00:06:47,000
Sin 6, builder bias, the architect vacuum.
177
00:06:47,000 –> 00:06:49,480
Here’s a pattern that explains everything else.
178
00:06:49,480 –> 00:06:51,400
Enterprises promote the person who knows the buttons.
179
00:06:51,400 –> 00:06:54,680
They reward builders, they celebrate features shipped.
180
00:06:54,680 –> 00:06:58,960
Architects, the people thinking about system resilience, about decay, about integration
181
00:06:58,960 –> 00:06:59,960
costs.
182
00:06:59,960 –> 00:07:01,120
Those people are invisible.
183
00:07:01,120 –> 00:07:06,040
An IT director recently hired a power platform expert and fired the identity architect.
184
00:07:06,040 –> 00:07:07,640
The reasoning was straightforward.
185
00:07:07,640 –> 00:07:09,120
We need builders right now.
186
00:07:09,120 –> 00:07:11,360
Strategy can wait.
187
00:07:11,360 –> 00:07:13,000
What actually happened was structural.
188
00:07:13,000 –> 00:07:16,800
Without architects enforcing design constraints, the platform started accumulating entropy
189
00:07:16,800 –> 00:07:17,800
faster.
190
00:07:17,800 –> 00:07:21,520
Features shipped, systems decayed, technical debt compounded.
191
00:07:21,520 –> 00:07:25,200
The economic consequence is an 18 month productivity wall.
192
00:07:25,200 –> 00:07:28,960
Initial gains from rapid development flatten, then performance degrades, then you’re managing
193
00:07:28,960 –> 00:07:31,320
technical debt instead of shipping features.
194
00:07:31,320 –> 00:07:33,400
The systemic problem is organizational.
195
00:07:33,400 –> 00:07:38,640
Only 23% of organizations have formal AI agent identity strategy.
196
00:07:38,640 –> 00:07:39,880
Ownership is fragmented.
197
00:07:39,880 –> 00:07:41,600
CISOs see security risks.
198
00:07:41,600 –> 00:07:42,600
Builders see opportunity.
199
00:07:42,600 –> 00:07:43,600
Finance sees cost.
200
00:07:43,600 –> 00:07:45,440
Nobody is looking at the system as a whole.
201
00:07:45,440 –> 00:07:47,840
The control plane fix requires a mindset shift.
202
00:07:47,840 –> 00:07:50,040
Treat architects as leverage engineers.
203
00:07:50,040 –> 00:07:51,520
Not cost centers.
204
00:07:51,520 –> 00:07:55,160
Measure them by system health, by entropy reduction, by the number of future problems they
205
00:07:55,160 –> 00:07:56,400
prevent.
206
00:07:56,400 –> 00:07:58,120
Builders create visible value.
207
00:07:58,120 –> 00:07:59,600
Architects create invisible value.
208
00:07:59,600 –> 00:08:00,760
Invisible value is just as real.
209
00:08:00,760 –> 00:08:02,480
It’s just harder to see.
210
00:08:02,480 –> 00:08:03,480
Sin 7.
211
00:08:03,480 –> 00:08:04,480
Licensing blindness.
212
00:08:04,480 –> 00:08:05,680
Capacity is strategy.
213
00:08:05,680 –> 00:08:09,200
The final sin is the most expensive because it’s the most normalized.
214
00:08:09,200 –> 00:08:12,120
Organizations renew E5 because it’s what we do.
215
00:08:12,120 –> 00:08:14,560
Not because they’ve mapped capability to value.
216
00:08:14,560 –> 00:08:17,560
Not because they’ve assessed whether users actually need premium features.
217
00:08:17,560 –> 00:08:21,200
Not because they’ve measured adoption of the capabilities they’re already paying for.
218
00:08:21,200 –> 00:08:23,320
Meanwhile, shadow IT thrives.
219
00:08:23,320 –> 00:08:26,040
Users on basic SKUs accomplish the same roles.
220
00:08:26,040 –> 00:08:27,400
Premium features sit idle.
221
00:08:27,400 –> 00:08:31,560
The licensing strategy becomes a budget line item, not an architectural lever.
222
00:08:31,560 –> 00:08:32,560
Real numbers.
223
00:08:32,560 –> 00:08:37,160
An enterprise paying $2.1 million annually for E5 across the board.
224
00:08:37,160 –> 00:08:41,840
A rationalization audit found that 34% of those users could perform their exact same
225
00:08:41,840 –> 00:08:43,080
role on Business Standard.
226
00:08:43,080 –> 00:08:45,240
They had no need for the premium connector library.
227
00:08:45,240 –> 00:08:46,440
They didn’t use Copilot.
228
00:08:46,440 –> 00:08:49,560
They didn’t need advanced threat protection beyond what Business Standard includes.
229
00:08:49,560 –> 00:08:53,120
The economic consequence is orthogonal to what most organizations see.
230
00:08:53,120 –> 00:08:55,440
It’s not just the cost of unused licenses.
231
00:08:55,440 –> 00:08:59,080
It’s the cost of not using licensing as a behavioral incentive.
232
00:08:59,080 –> 00:09:03,120
If your licensing SKU is aligned to roles and capabilities, then it drives adoption.
233
00:09:03,120 –> 00:09:06,040
It forces you to make decisions about what’s actually needed.
234
00:09:06,040 –> 00:09:09,320
The control plane fix is this: licensing SKU is a behavioral lever.
235
00:09:09,320 –> 00:09:10,320
Use it.
236
00:09:10,320 –> 00:09:13,800
If you’re paying for E5 across the board, you’ve removed the constraint that forces architectural
237
00:09:13,800 –> 00:09:14,800
discipline.
238
00:09:14,800 –> 00:09:17,360
You’ve said effectively that everyone gets access to everything.
239
00:09:17,360 –> 00:09:18,360
That’s not strategy.
240
00:09:18,360 –> 00:09:20,000
That’s capitulation.
241
00:09:20,000 –> 00:09:22,440
These seven sins are patterns, not anomalies.
242
00:09:22,440 –> 00:09:23,760
They compound.
243
00:09:23,760 –> 00:09:25,400
Permission sprawl feeds app sprawl.
244
00:09:25,400 –> 00:09:28,280
Licensing blindness enables governance theater.
245
00:09:28,280 –> 00:09:30,880
Procurement strategy masks the absence of architecture.
246
00:09:30,880 –> 00:09:33,280
Together they create what I call the leakage model.
247
00:09:33,280 –> 00:09:37,160
Millions of dollars in invisible inefficiency that nobody’s measuring because nobody owns
248
00:09:37,160 –> 00:09:38,160
the outcome.
249
00:09:38,160 –> 00:09:39,160
That’s the diagnosis.
250
00:09:39,160 –> 00:09:41,160
That’s what we’re actually operating here.
251
00:09:41,160 –> 00:09:43,160
The umbrella sin: control plane neglect.
252
00:09:43,160 –> 00:09:45,120
These seven sins don’t exist in isolation.
253
00:09:45,120 –> 00:09:46,440
They’re not random failures.
254
00:09:46,440 –> 00:09:49,200
They’re all symptoms of one structural absence.
255
00:09:49,200 –> 00:09:51,600
That absence is what I want to talk about now.
256
00:09:51,600 –> 00:09:55,360
Operating without a systems layer means entropy becomes your default operating system.
257
00:09:55,360 –> 00:09:56,360
You don’t have governance.
258
00:09:56,360 –> 00:09:58,680
You have chaos with policies written on top of it.
259
00:09:58,680 –> 00:09:59,680
You don’t have architecture.
260
00:09:59,680 –> 00:10:01,680
You have a platform which is something else entirely.
261
00:10:01,680 –> 00:10:03,080
Here is how it manifests.
262
00:10:03,080 –> 00:10:07,720
A 10,000 seat organization I worked with had Entra ID governed by one team.
263
00:10:07,720 –> 00:10:09,080
Intune handled by another.
264
00:10:09,080 –> 00:10:11,080
Microsoft Defender managed separately.
265
00:10:11,080 –> 00:10:12,080
Purview.
266
00:10:12,080 –> 00:10:14,320
Data governance owned by compliance.
267
00:10:14,320 –> 00:10:17,280
Teams and SharePoint loosely monitored by service adoption.
268
00:10:17,280 –> 00:10:19,760
Nobody was looking at identity to app orchestration.
269
00:10:19,760 –> 00:10:23,360
Nobody was enforcing zoning and tiering across the entire system.
270
00:10:23,360 –> 00:10:24,880
Every service had its own policies.
271
00:10:24,880 –> 00:10:26,240
Its own approval workflows.
272
00:10:26,240 –> 00:10:27,960
Its own definitions of security baseline.
273
00:10:27,960 –> 00:10:30,920
What that organization actually had wasn’t a security posture.
274
00:10:30,920 –> 00:10:34,240
It was security theater orchestrated across five different teams.
275
00:10:34,240 –> 00:10:35,640
The systemic cause is this.
276
00:10:35,640 –> 00:10:39,960
Most organizations treat Microsoft Cloud as a collection of disconnected services.
277
00:10:39,960 –> 00:10:41,120
Identity over here.
278
00:10:41,120 –> 00:10:42,720
Data governance over there.
279
00:10:42,720 –> 00:10:44,120
Applications somewhere else.
280
00:10:44,120 –> 00:10:45,280
Compliance in a separate silo.
281
00:10:45,280 –> 00:10:47,680
This creates what I call policy fragmentation.
282
00:10:47,680 –> 00:10:49,840
Each domain solves its own problems locally.
283
00:10:49,840 –> 00:10:53,800
But there’s no layer that decides how those domains interact, how data flows from one
284
00:10:53,800 –> 00:10:55,040
system to another.
285
00:10:55,040 –> 00:10:59,400
How a user’s access in Entra ID connects to what they can do in SharePoint, what they can
286
00:10:59,400 –> 00:11:01,080
see in a Copilot agent.
287
00:11:01,080 –> 00:11:02,800
That connecting layer, that’s the control plane.
288
00:11:02,800 –> 00:11:04,320
And most organizations don’t have one.
289
00:11:04,320 –> 00:11:07,760
The economic consequence of operating without it is staggering.
290
00:11:07,760 –> 00:11:12,400
That 10,000 seat organization, 3.2 million in unrealized productivity benefits over three
291
00:11:12,400 –> 00:11:13,400
years.
292
00:11:13,400 –> 00:11:14,520
Not because they lacked features.
293
00:11:14,520 –> 00:11:16,760
They had every Microsoft feature available.
294
00:11:16,760 –> 00:11:21,520
But because those features weren’t integrated into a system, users couldn’t find information.
295
00:11:21,520 –> 00:11:23,320
Admins couldn’t trust their governance.
296
00:11:23,320 –> 00:11:25,800
They had no way to enforce decisions at scale.
297
00:11:25,800 –> 00:11:28,880
Control plane absence also means security debt accumulates.
298
00:11:28,880 –> 00:11:31,080
When Entra ID policies drift, you don’t know it.
299
00:11:31,080 –> 00:11:34,120
When SharePoint permissions exceed your threshold, there’s nobody watching.
300
00:11:34,120 –> 00:11:38,240
When a Copilot agent is accessing data you never approved, the policy layer doesn’t catch
301
00:11:38,240 –> 00:11:39,240
it.
302
00:11:39,240 –> 00:11:40,240
Each service does its best.
303
00:11:40,240 –> 00:11:43,920
But there’s no circuit breaker, no orchestration, no central place where someone says,
304
00:11:43,920 –> 00:11:46,440
no, that violates our architecture.
305
00:11:46,440 –> 00:11:48,920
The control plane fix requires a foundational shift.
306
00:11:48,920 –> 00:11:51,600
You have to build a unified policy compilation layer.
307
00:11:51,600 –> 00:11:55,200
Treat identity, Entra ID, as the control plane backbone.
308
00:11:55,200 –> 00:11:58,880
Make it the place where you define not just who can access what, but what that access means
309
00:11:58,880 –> 00:12:00,240
across your entire system.
310
00:12:00,240 –> 00:12:03,480
A user is an employee, a contractor, a vendor, a guest.
311
00:12:03,480 –> 00:12:07,960
Once you make that decision in identity, every other system, Defender, Purview, Teams, SharePoint,
312
00:12:07,960 –> 00:12:09,560
should inherit that context.
313
00:12:09,560 –> 00:12:11,240
Not ask for it separately.
314
00:12:11,240 –> 00:12:13,960
Inherit it, then enforce cross-platform orchestration.
315
00:12:13,960 –> 00:12:17,840
If a user’s Entra ID role says they’re in finance, that determines their default access
316
00:12:17,840 –> 00:12:20,000
to financial data in SharePoint.
317
00:12:20,000 –> 00:12:23,040
If they’re classified as guest, that determines what they see in Teams.
318
00:12:23,040 –> 00:12:27,240
If a Copilot agent is tagged as accessing customer data, its identity and permissions
319
00:12:27,240 –> 00:12:29,120
flow from a single source of truth.
320
00:12:29,120 –> 00:12:30,480
Let me define this precisely.
321
00:12:30,480 –> 00:12:34,880
A control plane is the system that makes decisions about how other systems behave.
322
00:12:34,880 –> 00:12:36,400
It’s the layer above execution.
323
00:12:36,400 –> 00:12:38,600
It’s where intent is translated into policy.
324
00:12:38,600 –> 00:12:42,720
Without it, you have a platform, individual services, operating independently.
325
00:12:42,720 –> 00:12:43,880
With it, you have architecture.
326
00:12:43,880 –> 00:12:45,120
You have a system.
327
00:12:45,120 –> 00:12:46,640
Most organizations have the first.
328
00:12:46,640 –> 00:12:48,080
Almost none have the second.
329
00:12:48,080 –> 00:12:52,080
And that distinction is the difference between leaking millions invisibly and knowing exactly
330
00:12:52,080 –> 00:12:53,560
where your money is going.
331
00:12:53,560 –> 00:12:57,440
That distinction is the difference between a security posture and security theater.
332
00:12:57,440 –> 00:13:00,480
That distinction is the difference between governance that works and governance that’s
333
00:13:00,480 –> 00:13:01,800
just a suggestion.
334
00:13:01,800 –> 00:13:03,800
One people ignore when it inconveniences them.
335
00:13:03,800 –> 00:13:05,880
This is what makes the seven sins actually dangerous.
336
00:13:05,880 –> 00:13:07,560
It’s not that they exist independently.
337
00:13:07,560 –> 00:13:11,280
It’s that they compound because there’s no central control layer catching them, measuring
338
00:13:11,280 –> 00:13:13,480
them, stopping them from spiraling.
339
00:13:13,480 –> 00:13:16,080
Without control plane architecture, you’re not managing a system.
340
00:13:16,080 –> 00:13:18,640
You’re managing a collection of problems.
341
00:13:18,640 –> 00:13:19,640
Sin 2.
342
00:13:19,640 –> 00:13:20,640
Permission sprawl.
343
00:13:20,640 –> 00:13:22,080
The authorization compiler nobody built.
344
00:13:22,080 –> 00:13:24,440
The next pattern I see constantly is permission creep.
345
00:13:24,440 –> 00:13:28,680
And it’s more dangerous than most organizations realize because it operates silently, compounding
346
00:13:28,680 –> 00:13:30,440
over years while nobody’s watching.
347
00:13:30,440 –> 00:13:32,960
In Entra ID, there’s a default culture I call add-only.
348
00:13:32,960 –> 00:13:34,280
And permissions get granted.
349
00:13:34,280 –> 00:13:35,760
They rarely get revoked.
350
00:13:35,760 –> 00:13:36,760
That’s not incompetence.
351
00:13:36,760 –> 00:13:38,560
That’s architectural inertia.
352
00:13:38,560 –> 00:13:39,880
No life cycle ownership.
353
00:13:39,880 –> 00:13:41,320
No systematic review.
354
00:13:41,320 –> 00:13:43,680
No expiration mechanism built into the systems.
355
00:13:43,680 –> 00:13:45,400
So it accumulates.
356
00:13:45,400 –> 00:13:46,400
Here’s how it works.
357
00:13:46,400 –> 00:13:49,680
A developer needs access to a specific Microsoft Graph endpoint.
358
00:13:49,680 –> 00:13:51,080
An application gets registered.
359
00:13:51,080 –> 00:13:52,080
It receives permissions.
360
00:13:52,080 –> 00:13:53,080
The project succeeds.
361
00:13:53,080 –> 00:13:54,480
The developer moves on.
362
00:13:54,480 –> 00:13:58,560
And the application registration sits there still holding permissions because nobody owned
363
00:13:58,560 –> 00:14:00,040
the task of sunsetting it.
364
00:14:00,040 –> 00:14:02,360
I audited a financial services firm last year.
365
00:14:02,360 –> 00:14:07,520
They discovered 847 orphaned app registrations.
366
00:14:07,520 –> 00:14:10,800
Applications that were granted permissions three, four, sometimes five years ago for pilots
367
00:14:10,800 –> 00:14:12,040
that were abandoned.
368
00:14:12,040 –> 00:14:13,520
The permissions were never removed.
369
00:14:13,520 –> 00:14:18,120
The service principals still held Microsoft Graph rights to access tenant data, user information,
370
00:14:18,120 –> 00:14:19,480
mailbox contents.
371
00:14:19,480 –> 00:14:22,200
Some of them had credentials that hadn’t been rotated in years.
372
00:14:22,200 –> 00:14:26,960
54% of IT leaders report complex identity and privilege sprawl in their environments.
373
00:14:26,960 –> 00:14:31,760
In a large tenant, it’s normal to have 200, 300, sometimes 400 privileged applications running
374
00:14:31,760 –> 00:14:35,800
simultaneously with permissions that nobody can fully account for.
375
00:14:35,800 –> 00:14:41,000
Add in the growth of automation, AI agents and custom integrations, and that number explodes.
376
00:14:41,000 –> 00:14:45,320
125 or more apps holding elevated rights is no longer anomalous.
377
00:14:45,320 –> 00:14:46,320
It’s expected.
378
00:14:46,320 –> 00:14:47,560
And here’s what makes it dangerous.
379
00:14:47,560 –> 00:14:51,560
Each of these applications is a potential entry point, not just for attackers, for compliance
380
00:14:51,560 –> 00:14:54,760
violations, for uncontrolled data access.
381
00:14:54,760 –> 00:14:58,160
For mission creep, where an application that was designed to do one thing gradually gets
382
00:14:58,160 –> 00:15:01,560
permissions to do five other things because convenience wins over governance.
383
00:15:01,560 –> 00:15:04,320
The economic consequence manifests in multiple ways.
384
00:15:04,320 –> 00:15:05,600
First, audit friction.
385
00:15:05,600 –> 00:15:09,640
When a compliance team asks who has access to what in your tenant, the answer takes weeks
386
00:15:09,640 –> 00:15:10,640
to assemble.
387
00:15:10,640 –> 00:15:12,040
You’re clearing app registrations.
388
00:15:12,040 –> 00:15:13,600
You’re tracking credential history.
389
00:15:13,600 –> 00:15:16,640
You’re cross referencing permissions against actual usage.
390
00:15:16,640 –> 00:15:19,280
And half the time you find permissions that shouldn’t exist.
391
00:15:19,280 –> 00:15:22,560
And then you have to decide whether removing them will break something nobody remembers
392
00:15:22,560 –> 00:15:23,720
depending on.
393
00:15:23,720 –> 00:15:24,920
Second, breach exposure.
394
00:15:24,920 –> 00:15:28,640
In a breach scenario, you don’t know what was exposed because you don’t know what permissions
395
00:15:28,640 –> 00:15:29,640
actually existed.
396
00:15:29,640 –> 00:15:33,600
You assume an attacker who compromised the service principal can access customer data,
397
00:15:33,600 –> 00:15:35,600
financial records, employee information.
398
00:15:35,600 –> 00:15:36,960
But do they have Graph permissions?
399
00:15:36,960 –> 00:15:38,480
Do they have mail delegation?
400
00:15:38,480 –> 00:15:39,720
Can they reset passwords?
401
00:15:39,720 –> 00:15:40,720
You’re guessing.
402
00:15:40,720 –> 00:15:42,520
And guessing in a breach is expensive.
403
00:15:42,520 –> 00:15:43,720
Third, operational paralysis.
404
00:15:43,720 –> 00:15:48,040
You can’t move forward with security hardening because you don’t understand the dependency graph.
405
00:15:48,040 –> 00:15:52,120
You can’t enforce conditional access because it might break an integration nobody documented.
406
00:15:52,120 –> 00:15:55,200
You can’t implement least privilege because the permission landscape is too sprawling
407
00:15:55,200 –> 00:15:56,200
to untangle.
408
00:15:56,200 –> 00:15:58,000
The systemic cause is architectural.
409
00:15:58,000 –> 00:16:01,200
Most organizations lack entitlement management discipline.
410
00:16:01,200 –> 00:16:03,280
There’s no design lifecycle for applications.
411
00:16:03,280 –> 00:16:04,520
No automatic expiration.
412
00:16:04,520 –> 00:16:06,520
No regular access reviews that have teeth.
413
00:16:06,520 –> 00:16:10,520
No mechanism that says if you don’t explicitly renew this permission every six months, it gets
414
00:16:10,520 –> 00:16:11,520
revoked.
415
00:16:11,520 –> 00:16:13,200
The control plane fixes this.
416
00:16:13,200 –> 00:16:15,960
Treat permissions as entropy generators, not rewards.
417
00:16:15,960 –> 00:16:19,000
Every time you grant access, you’re adding entropy to the system.
418
00:16:19,000 –> 00:16:21,520
Design expiration into every access grant from the start.
419
00:16:21,520 –> 00:16:22,520
Make it automatic.
420
00:16:22,520 –> 00:16:26,720
If an application’s purpose has been fulfilled or abandoned, its permissions expire with it.
421
00:16:26,720 –> 00:16:30,600
Don’t require a manual cleanup process that depends on someone remembering.
422
00:16:30,600 –> 00:16:31,920
Make it architectural law.
423
00:16:31,920 –> 00:16:35,920
This means implementing entitlement management that’s not just an audit tool but a governance
424
00:16:35,920 –> 00:16:36,920
engine.
425
00:16:36,920 –> 00:16:41,040
Life cycle workflows that automatically remove permissions based on defined criteria, access
426
00:16:41,040 –> 00:16:42,680
packages that expire.
427
00:16:42,680 –> 00:16:45,520
Service principals with credential rotation enforced.
428
00:16:45,520 –> 00:16:49,080
Regular access reviews that don’t just report on sprawl, they remediate it.
429
00:16:49,080 –> 00:16:51,920
And critically it means assigning life cycle ownership.
430
00:16:51,920 –> 00:16:55,720
Someone has to be accountable for whether an application still serves a business purpose.
431
00:16:55,720 –> 00:16:57,600
If the answer is no, the permissions go.
432
00:16:57,600 –> 00:16:59,520
Not eventually, immediately.
433
00:16:59,520 –> 00:17:01,520
Permission sprawl is the invisible attack surface.
434
00:17:01,520 –> 00:17:03,120
But the real problem is deeper.
435
00:17:03,120 –> 00:17:05,040
It’s governance that isn’t automated.
436
00:17:05,040 –> 00:17:08,880
Sin 3, tactical governance, the theater of compliance.
437
00:17:08,880 –> 00:17:11,400
Most organizations claim they have governance.
438
00:17:11,400 –> 00:17:12,640
What they actually have is theatre.
439
00:17:12,640 –> 00:17:16,800
I walked into a healthcare organization last year with 72 Teams governance policies.
440
00:17:16,800 –> 00:17:20,080
All of them documented, beautifully written, signed off by compliance leadership, none
441
00:17:20,080 –> 00:17:21,880
of them automated. Zero.
442
00:17:21,880 –> 00:17:23,200
What did they rely on instead?
443
00:17:23,200 –> 00:17:24,200
Manual approvals.
444
00:17:24,200 –> 00:17:28,120
Someone had to review new Teams requests and decide whether they met policy criteria.
445
00:17:28,120 –> 00:17:29,120
Reactive policing.
446
00:17:29,120 –> 00:17:32,440
When someone created a Teams channel without classification, someone else had to send
447
00:17:32,440 –> 00:17:34,360
them an email asking them to fix it.
448
00:17:34,360 –> 00:17:35,600
Human bottlenecks everywhere.
449
00:17:35,600 –> 00:17:36,920
And inconsistent enforcement.
450
00:17:36,920 –> 00:17:38,000
Some teams got corrected.
451
00:17:38,000 –> 00:17:39,000
Others didn’t.
452
00:17:39,000 –> 00:17:40,680
It depended on who noticed and how busy they were.
453
00:17:40,680 –> 00:17:43,400
The real measure of governance isn’t policy documents.
454
00:17:43,400 –> 00:17:44,560
It’s enforcement.
455
00:17:44,560 –> 00:17:46,720
And this organization had no enforcement mechanism.
456
00:17:46,720 –> 00:17:47,720
They had hope.
457
00:17:47,720 –> 00:17:49,400
Here’s how it manifests in practice.
458
00:17:49,400 –> 00:17:52,040
A business unit wants to create a new Teams workspace.
459
00:17:52,040 –> 00:17:53,040
They fill out a form.
460
00:17:53,040 –> 00:17:54,760
It goes into an approval queue.
461
00:17:54,760 –> 00:17:57,920
Someone reviews it against 72 governance policies.
462
00:17:57,920 –> 00:18:00,880
Manually comparing what they’re proposing against written criteria.
463
00:18:00,880 –> 00:18:01,880
This takes time.
464
00:18:01,880 –> 00:18:04,120
If the request doesn’t clearly violate a policy,
465
00:18:04,120 –> 00:18:05,120
it gets approved.
466
00:18:05,120 –> 00:18:06,800
If it’s ambiguous, it gets escalated.
467
00:18:06,800 –> 00:18:10,480
If the escalation path is blocked, it gets approved by default because nobody wants to
468
00:18:10,480 –> 00:18:12,880
be the person blocking business velocity.
469
00:18:12,880 –> 00:18:14,480
Then someone creates the team.
470
00:18:14,480 –> 00:18:17,200
And then someone else has to verify that it was set up correctly.
471
00:18:17,200 –> 00:18:18,920
Check the sensitivity label.
472
00:18:18,920 –> 00:18:20,440
Verify the membership controls.
473
00:18:20,440 –> 00:18:21,600
Confirm the sharing settings.
474
00:18:21,600 –> 00:18:22,600
All manual.
475
00:18:22,600 –> 00:18:24,160
All dependent on discipline and memory.
476
00:18:24,160 –> 00:18:28,880
How many manual hours did that organization spend every year maintaining compliance theater?
477
00:18:28,880 –> 00:18:29,880
4,000.
478
00:18:29,880 –> 00:18:34,160
That’s two full-time employees whose entire job was spreadsheets and escalation emails
479
00:18:34,160 –> 00:18:36,560
and follow-up conversations about policy drift.
480
00:18:36,560 –> 00:18:40,520
And it was fragile. When the person maintaining the governance process left the organization,
481
00:18:40,520 –> 00:18:42,200
knowledge walked out the door.
482
00:18:42,200 –> 00:18:43,200
Policies drifted.
483
00:18:43,200 –> 00:18:46,840
New teams started getting created without the controls that were supposed to exist.
484
00:18:46,840 –> 00:18:47,840
The system decayed.
485
00:18:47,840 –> 00:18:49,520
This is the fundamental disconnect.
486
00:18:49,520 –> 00:18:54,080
72% of organizations cannot enforce full governance policies at scale.
487
00:18:54,080 –> 00:18:55,360
And the reason is always the same.
488
00:18:55,360 –> 00:18:57,680
They built governance as a control function.
489
00:18:57,680 –> 00:19:00,240
React to violations after the fact.
490
00:19:00,240 –> 00:19:01,240
Remind people to comply.
491
00:19:01,240 –> 00:19:05,040
Instead of building it as a systems layer. The systemic cause is structural.
492
00:19:05,040 –> 00:19:07,120
Governance is treated as a necessary evil.
493
00:19:07,120 –> 00:19:08,120
Compliance is seen as friction.
494
00:19:08,120 –> 00:19:10,280
So organizations minimize the investment.
495
00:19:10,280 –> 00:19:11,280
They write policies.
496
00:19:11,280 –> 00:19:12,280
They create processes.
497
00:19:12,280 –> 00:19:13,280
They hope people follow them.
498
00:19:13,280 –> 00:19:17,000
And then they’re shocked when the system breaks under the weight of actual organizational
499
00:19:17,000 –> 00:19:18,000
scale.
500
00:19:18,000 –> 00:19:20,120
The economic consequence is hidden, but substantial.
501
00:19:20,120 –> 00:19:22,120
4,000 hours annually per organization.
502
00:19:22,120 –> 00:19:25,400
That’s two full-time people just maintaining governance theater.
503
00:19:25,400 –> 00:19:26,400
And it’s fragile.
504
00:19:26,400 –> 00:19:30,280
And as priorities shift, the governance system decays because it was never actually
505
00:19:30,280 –> 00:19:31,480
part of the architecture.
506
00:19:31,480 –> 00:19:35,280
It was bolted on top, dependent on sustained discipline and attention that eventually
507
00:19:35,280 –> 00:19:36,280
withers.
508
00:19:36,280 –> 00:19:39,480
The control plane fix is existential.
509
00:19:39,480 –> 00:19:42,880
Governance that isn’t code is just a suggestion.
510
00:19:42,880 –> 00:19:46,720
If you’re still relying on PDF policies and SharePoint checklists and email approvals,
511
00:19:46,720 –> 00:19:47,880
you have compliance theater.
512
00:19:47,880 –> 00:19:48,880
You don’t have governance.
513
00:19:48,880 –> 00:19:49,880
And here’s why it matters.
514
00:19:49,880 –> 00:19:51,280
Theater scales poorly.
515
00:19:51,280 –> 00:19:53,080
It breaks when you need it most.
516
00:19:53,080 –> 00:19:56,840
It depends on heroic individual effort and it never actually prevents violations.
517
00:19:56,840 –> 00:19:59,040
It just documents them after they happen.
518
00:19:59,040 –> 00:20:00,600
Real governance works differently.
519
00:20:00,600 –> 00:20:04,280
When someone creates a Teams workspace, the system automatically applies the correct
520
00:20:04,280 –> 00:20:05,280
sensitivity label.
521
00:20:05,280 –> 00:20:06,560
The access controls are set.
522
00:20:06,560 –> 00:20:08,520
The membership restrictions are enforced.
523
00:20:08,520 –> 00:20:11,600
The data classification is inherited from the policy layer.
524
00:20:11,600 –> 00:20:15,480
No approval queue, no human review, no gap between intent and execution.
525
00:20:15,480 –> 00:20:16,640
That requires automation.
526
00:20:16,640 –> 00:20:17,640
It requires code.
527
00:20:17,640 –> 00:20:21,360
It requires treating governance as part of the system architecture, not as an external
528
00:20:21,360 –> 00:20:22,360
control function.
529
00:20:22,360 –> 00:20:25,440
If you cannot automate your governance, you don’t actually have governance.
530
00:20:25,440 –> 00:20:26,440
You have hope.
531
00:20:26,440 –> 00:20:27,960
And hope is not a control.
532
00:20:27,960 –> 00:20:33,320
Sin 4, app worship, confusing output with architecture. Enterprises celebrate app proliferation.
533
00:20:33,320 –> 00:20:34,880
We shipped 50 Power Apps this year.
534
00:20:34,880 –> 00:20:36,480
Citizen developers are empowered.
535
00:20:36,480 –> 00:20:37,880
Feature velocity is accelerating.
536
00:20:37,880 –> 00:20:39,120
The business is moving faster.
537
00:20:39,120 –> 00:20:40,120
We’re transforming.
538
00:20:40,120 –> 00:20:41,640
But here’s what actually happened.
539
00:20:41,640 –> 00:20:45,560
You created 15 new maintenance liabilities, 15 new surface area multipliers.
540
00:20:45,560 –> 00:20:47,520
Every application is another piece of code someone has to support.
541
00:20:47,520 –> 00:20:50,160
Another integration that can fail.
542
00:20:50,160 –> 00:20:52,240
Another attack surface to defend.
543
00:20:52,240 –> 00:20:53,880
Another permission boundary to govern.
544
00:20:53,880 –> 00:20:57,560
This is where the builder bias I mentioned earlier collides with architectural reality.
545
00:20:57,560 –> 00:20:59,080
Builders get rewarded for shipping.
546
00:20:59,080 –> 00:21:00,520
The organization sees features.
547
00:21:00,520 –> 00:21:02,520
The business celebrates velocity.
548
00:21:02,520 –> 00:21:05,000
And nobody’s counting the cost in technical debt.
549
00:21:05,000 –> 00:21:09,760
A mid market organization I worked with had 340 Power Apps in their tenant.
550
00:21:09,760 –> 00:21:12,400
340. I asked them how many were actively used.
551
00:21:12,400 –> 00:21:13,400
They didn’t know.
552
00:21:13,400 –> 00:21:14,400
So we audited it.
553
00:21:14,400 –> 00:21:16,760
127 of them had never been used.
554
00:21:16,760 –> 00:21:17,760
Not once.
555
00:21:17,760 –> 00:21:19,640
Nobody ever registered a successful run.
556
00:21:19,640 –> 00:21:21,760
Some of them had been created three years ago.
557
00:21:21,760 –> 00:21:25,360
The original builder had long since moved on or left the organization.
558
00:21:25,360 –> 00:21:26,360
Nobody owned them.
559
00:21:26,360 –> 00:21:27,360
Nobody maintained them.
560
00:21:27,360 –> 00:21:28,680
They were digital cruft.
561
00:21:28,680 –> 00:21:32,680
Sitting in the environment, creating governance complexity and compliance risk.
562
00:21:32,680 –> 00:21:37,120
Of the remaining 213 apps that were actually used, fewer than half had documented business
563
00:21:37,120 –> 00:21:38,120
owners.
564
00:21:38,120 –> 00:21:40,520
Of the ones that did, the owners often didn’t realize they owned them.
565
00:21:40,520 –> 00:21:43,720
They inherited the responsibility when they took over a team.
566
00:21:43,720 –> 00:21:46,840
Or the original creator had left it assigned to them without ever asking.
567
00:21:46,840 –> 00:21:48,680
The systemic cause is structural.
568
00:21:48,680 –> 00:21:50,880
Builders get promotions for shipping features.
569
00:21:50,880 –> 00:21:54,360
The apps are invisible, so the tenant fills up with applications that looked good in isolation
570
00:21:54,360 –> 00:21:56,000
but created technical debt at scale.
571
00:21:56,000 –> 00:21:57,440
There was no gating function.
572
00:21:57,440 –> 00:22:00,640
No architectural review that asked is this app necessary?
573
00:22:00,640 –> 00:22:02,720
Does it duplicate existing capability?
574
00:22:02,720 –> 00:22:03,720
Who owns it?
575
00:22:03,720 –> 00:22:04,720
What happens when the builder leaves?
576
00:22:04,720 –> 00:22:08,120
Instead, the organization operated on optimistic assumptions.
577
00:22:08,120 –> 00:22:09,400
Power Apps are low-code.
578
00:22:09,400 –> 00:22:10,400
Citizens can build them.
579
00:22:10,400 –> 00:22:11,400
That’s empowerment.
580
00:22:11,400 –> 00:22:12,400
That’s agility.
581
00:22:12,400 –> 00:22:13,400
And it is.
582
00:22:13,400 –> 00:22:17,600
Until you wake up one day with 340 applications and no idea what most of them do.
583
00:22:17,600 –> 00:22:20,000
The economic consequence is operational paralysis.
584
00:22:20,000 –> 00:22:21,480
Support overhead explodes.
585
00:22:21,480 –> 00:22:23,520
When an application breaks, who fixes it?
586
00:22:23,520 –> 00:22:26,200
If the original builder is gone, nobody knows the code.
587
00:22:26,200 –> 00:22:30,320
So you either let it stay broken or you spend engineering time reverse engineering something
588
00:22:30,320 –> 00:22:32,360
that was never properly documented.
589
00:22:32,360 –> 00:22:33,720
Compliance risk multiplies.
590
00:22:33,720 –> 00:22:38,040
When an auditor asks how many applications access customer data you can’t answer confidently.
591
00:22:38,040 –> 00:22:39,640
Vendor sprawl increases.
592
00:22:39,640 –> 00:22:42,560
Every app might integrate with external SaaS systems.
593
00:22:42,560 –> 00:22:46,680
Every integration is another contract, another permission boundary, another security surface.
594
00:22:46,680 –> 00:22:48,840
And here’s the thing nobody talks about.
595
00:22:48,840 –> 00:22:51,640
Application sprawl mirrors the sprawl you see in Teams and SharePoint.
596
00:22:51,640 –> 00:22:54,160
It’s the same root cause, default permissive settings.
597
00:22:54,160 –> 00:22:56,880
No life cycle governance, no expiration mechanism.
598
00:22:56,880 –> 00:23:01,240
No architecture that says if this application has no owner, it gets decommissioned.
599
00:23:01,240 –> 00:23:03,640
The control plane fix requires a mindset shift.
600
00:23:03,640 –> 00:23:04,640
Stop counting apps.
601
00:23:04,640 –> 00:23:05,640
That’s the wrong metric.
602
00:23:05,640 –> 00:23:07,840
Start counting technical debt surface area.
603
00:23:07,840 –> 00:23:10,320
The real question isn’t how many power apps do we have.
604
00:23:10,320 –> 00:23:14,600
It’s what is the total complexity and maintenance burden we’ve accumulated and is it justified
605
00:23:14,600 –> 00:23:15,840
by business value?
606
00:23:15,840 –> 00:23:17,440
Enforce zoning laws.
607
00:23:17,440 –> 00:23:19,720
Not every application belongs in the environment.
608
00:23:19,720 –> 00:23:24,040
Some should be built as Power Platform solutions, governed as infrastructure.
609
00:23:24,040 –> 00:23:26,400
Others should be SaaS products, not custom builds.
610
00:23:26,400 –> 00:23:29,440
Some should be enterprise applications with formal governance.
611
00:23:29,440 –> 00:23:32,840
Some should be ephemeral tools that disappear after they solve the problem they were meant
612
00:23:32,840 –> 00:23:33,840
to solve.
613
00:23:33,840 –> 00:23:37,280
Assign life cycle ownership. Make it architectural law.
614
00:23:37,280 –> 00:23:41,120
An application without an identified accountable owner gets decommissioned.
615
00:23:41,120 –> 00:23:43,920
Not eventually, immediately. That forces discipline.
616
00:23:43,920 –> 00:23:47,760
That forces the organization to ask, do we actually need this instead of accumulating
617
00:23:47,760 –> 00:23:48,760
forever?
618
00:23:48,760 –> 00:23:52,680
This brings us to the most dangerous sin because it’s one thing to have 340 applications
619
00:23:52,680 –> 00:23:54,600
creating support overhead.
620
00:23:54,600 –> 00:23:58,960
It’s another entirely when you deploy AI onto that chaotic sprawling application landscape
621
00:23:58,960 –> 00:24:00,920
without architectural zoning.
622
00:24:00,920 –> 00:24:01,920
Sin 5.
623
00:24:01,920 –> 00:24:02,920
AI chaos.
624
00:24:02,920 –> 00:24:04,280
Agents without boundaries.
625
00:24:04,280 –> 00:24:05,520
This one is still forming.
626
00:24:05,520 –> 00:24:07,120
Most organizations don’t see it yet.
627
00:24:07,120 –> 00:24:08,120
That’s the danger.
628
00:24:08,120 –> 00:24:11,880
Organizations are deploying Copilot onto flat, unclassified data structures.
629
00:24:11,880 –> 00:24:17,480
They’re standing up Copilot Studio agents without defining what data those agents can access.
630
00:24:17,480 –> 00:24:20,720
They’re accelerating AI adoption while data governance lags behind.
631
00:24:20,720 –> 00:24:22,000
And here’s the architectural truth.
632
00:24:22,000 –> 00:24:23,840
AI doesn’t solve your data problem.
633
00:24:23,840 –> 00:24:25,320
It broadcasts it at scale.
634
00:24:25,320 –> 00:24:26,320
Let me tell you what I mean.
635
00:24:26,320 –> 00:24:29,480
An enterprise Copilot pilot, six weeks in. They were excited.
636
00:24:29,480 –> 00:24:31,280
Initial adoption metrics looked strong.
637
00:24:31,280 –> 00:24:35,360
Users were asking the agent questions about products, customers, internal processes.
638
00:24:35,360 –> 00:24:37,840
And then someone asked it a question about compensation.
639
00:24:37,840 –> 00:24:40,800
The agent answered. It told them salary data, benefits information,
640
00:24:40,800 –> 00:24:44,680
payroll details from the HR system, all available because the data was unclassified
641
00:24:44,680 –> 00:24:46,760
and the agent permissions were unrestricted.
642
00:24:46,760 –> 00:24:49,120
Here’s what actually happened architecturally.
643
00:24:49,120 –> 00:24:52,560
The organization deployed Copilot before they classified their data.
644
00:24:52,560 –> 00:24:56,840
Before they defined what Copilot agents could access, before they implemented data boundaries.
645
00:24:56,840 –> 00:25:01,120
They treated AI as a feature to ship, not as a governance layer that has to sit on top
646
00:25:01,120 –> 00:25:02,520
of solid data architecture.
647
00:25:02,520 –> 00:25:04,000
The systemic cause is predictable.
648
00:25:04,000 –> 00:25:05,000
AI feels urgent.
649
00:25:05,000 –> 00:25:06,320
Everyone’s talking about it.
650
00:25:06,320 –> 00:25:07,320
Competitors are moving.
651
00:25:07,320 –> 00:25:08,640
So organizations rush.
652
00:25:08,640 –> 00:25:10,240
They want to show value quickly.
653
00:25:10,240 –> 00:25:12,280
Copilot adoption metrics.
654
00:25:12,280 –> 00:25:13,800
Agent deployment numbers.
655
00:25:13,800 –> 00:25:17,880
Proof of concept turned pilot turned production all before the foundational architecture is
656
00:25:17,880 –> 00:25:18,880
in place.
657
00:25:18,880 –> 00:25:22,280
But here’s what happens when you deploy AI without data architecture.
658
00:25:22,280 –> 00:25:25,200
An agent gets access to everything it needs to do its job.
659
00:25:25,200 –> 00:25:26,200
That’s reasonable.
660
00:25:26,200 –> 00:25:27,440
But everything it needs expands.
661
00:25:27,440 –> 00:25:28,760
It integrates with SharePoint.
662
00:25:28,760 –> 00:25:30,480
Now it’s reading all documents.
663
00:25:30,480 –> 00:25:32,400
It connects to the mailbox system.
664
00:25:32,400 –> 00:25:33,680
Now it’s processing email.
665
00:25:33,680 –> 00:25:35,240
It links to customer data.
666
00:25:35,240 –> 00:25:37,400
Now it’s handling sensitive information.
667
00:25:37,400 –> 00:25:39,320
Each integration makes sense in isolation.
668
00:25:39,320 –> 00:25:43,960
Collectively, they create an unrestricted data access pattern that violates your compliance
669
00:25:43,960 –> 00:25:45,960
requirements and your common sense.
670
00:25:45,960 –> 00:25:48,960
The economic consequence is immediate and expensive.
671
00:25:48,960 –> 00:25:49,960
Security retrofits.
672
00:25:49,960 –> 00:25:50,960
You deployed Copilot.
673
00:25:50,960 –> 00:25:55,480
Now you’re scrambling to classify data retroactively, define boundaries, restrict agent
674
00:25:55,480 –> 00:25:56,480
access.
675
00:25:56,480 –> 00:25:57,480
That’s rework.
676
00:25:57,480 –> 00:25:58,480
That’s budget you didn’t plan for.
677
00:25:58,480 –> 00:26:00,400
Copilot Studio credits burning through.
678
00:26:00,400 –> 00:26:02,600
Every agent interaction consumes credits.
679
00:26:02,600 –> 00:26:08,480
At $200 per 25,000 messages at scale, this becomes a line item nobody forecasted.
680
00:26:08,480 –> 00:26:14,600
You’re processing payroll data, customer information, health records through an AI system
681
00:26:14,600 –> 00:26:16,720
that wasn’t designed with compliance in mind.
682
00:26:16,720 –> 00:26:20,680
Auditors notice, regulators notice, and then you’re explaining why you deployed AI faster
683
00:26:20,680 –> 00:26:22,640
than you implemented governance.
684
00:26:22,640 –> 00:26:23,640
Real numbers.
685
00:26:23,640 –> 00:26:27,000
49% of AI programs stall due to unclear value.
686
00:26:27,000 –> 00:26:30,840
80% of Fortune 500 use agents without formal governance.
687
00:26:30,840 –> 00:26:32,480
The pattern is universal.
688
00:26:32,480 –> 00:26:36,920
Speed first, architecture second, then disaster.
689
00:26:36,920 –> 00:26:39,880
The control plane fix is non-negotiable.
690
00:26:39,880 –> 00:26:42,800
Define data boundaries before deploying agents.
691
00:26:42,800 –> 00:26:43,880
Not after, before.
692
00:26:43,880 –> 00:26:45,520
This means classifying your data.
693
00:26:45,520 –> 00:26:46,720
Tiering agents by risk.
694
00:26:46,720 –> 00:26:51,320
An agent that answers FAQ questions has different access requirements than an agent that
695
00:26:51,320 –> 00:26:53,280
processes financial transactions.
696
00:26:53,280 –> 00:26:57,040
An agent that reads public documents has different boundaries than an agent that accesses
697
00:26:57,040 –> 00:26:58,520
customer records.
698
00:26:58,520 –> 00:27:01,600
Then enforce data access via identity and policy.
699
00:27:01,600 –> 00:27:03,520
Use Agent 365 as a governance layer.
700
00:27:03,520 –> 00:27:06,800
When you deploy an agent, its permissions flow from Entra ID.
701
00:27:06,800 –> 00:27:08,120
It has a defined identity.
702
00:27:08,120 –> 00:27:10,840
It can access only the data it’s authorized to access.
703
00:27:10,840 –> 00:27:12,280
Its interactions are audited.
704
00:27:12,280 –> 00:27:14,240
It can be revoked if it’s misused.
705
00:27:14,240 –> 00:27:15,840
This requires architectural discipline.
706
00:27:15,840 –> 00:27:17,320
It requires saying no to speed.
707
00:27:17,320 –> 00:27:21,360
It requires doing the unglamorous work of data classification and boundary definition
708
00:27:21,360 –> 00:27:23,160
before you ship the next agent.
709
00:27:23,160 –> 00:27:25,400
But without it, AI doesn’t solve your data problems.
710
00:27:25,400 –> 00:27:26,400
It creates new ones.
711
00:27:26,400 –> 00:27:30,320
It takes the sprawl and the governance gaps you already have and amplifies them at scale.
712
00:27:30,320 –> 00:27:32,840
It turns hidden risks into active liabilities.
713
00:27:32,840 –> 00:27:34,040
And here’s the uncomfortable truth.
714
00:27:34,040 –> 00:27:39,720
If your organization has 340 Power Apps without owners, if you have 700 orphaned app registrations
715
00:27:39,720 –> 00:27:44,160
in Entra ID, if you have governance policies that nobody enforces, then you’re not ready
716
00:27:44,160 –> 00:27:46,000
to deploy AI agents.
717
00:27:46,000 –> 00:27:47,440
Because AI will make all of that worse.
718
00:27:47,440 –> 00:27:51,480
It will inherit all of that chaos and it will operate at a speed that your manual governance
719
00:27:51,480 –> 00:27:53,440
processes can’t keep up with.
720
00:27:53,440 –> 00:27:54,880
This brings us to the root cause.
721
00:27:54,880 –> 00:27:57,040
All these sins don’t exist independently.
722
00:27:57,040 –> 00:27:59,840
They exist because of one structural absence.
723
00:27:59,840 –> 00:28:03,120
Sin 6, Builder Bias, the architect vacuum.
724
00:28:03,120 –> 00:28:05,200
Here’s a pattern that explains everything else.
725
00:28:05,200 –> 00:28:09,800
And it’s organizational, not technical. Enterprises promote the person who knows the buttons.
726
00:28:09,800 –> 00:28:13,760
The person who shipped the feature, the person who delivered on deadline. They reward builders,
727
00:28:13,760 –> 00:28:17,920
they celebrate features shipped, they measure velocity. And architects, the people thinking
728
00:28:17,920 –> 00:28:21,560
about system resilience, about decay, about integration costs, about what happens five
729
00:28:21,560 –> 00:28:24,240
years from now, those people are invisible.
730
00:28:24,240 –> 00:28:27,120
An IT director I worked with recently made a telling decision.
731
00:28:27,120 –> 00:28:30,560
They hired a power platform expert and they fired the identity architect.
732
00:28:30,560 –> 00:28:32,360
The reasoning was straightforward.
733
00:28:32,360 –> 00:28:33,560
We need builders right now.
734
00:28:33,560 –> 00:28:35,080
We need people who can ship.
735
00:28:35,080 –> 00:28:36,080
Strategy can wait.
736
00:28:36,080 –> 00:28:37,080
Modernization can wait.
737
00:28:37,080 –> 00:28:38,960
We need features and we need them fast.
738
00:28:38,960 –> 00:28:40,560
What actually happened was structural.
739
00:28:40,560 –> 00:28:44,400
Without architects enforcing design constraints, without someone saying no, we can’t do it that
740
00:28:44,400 –> 00:28:45,400
way,
741
00:28:45,400 –> 00:28:47,800
the platform started accumulating entropy faster.
742
00:28:47,800 –> 00:28:49,720
Features shipped, systems decayed.
743
00:28:49,720 –> 00:28:50,720
Technical debt compounded.
744
00:28:50,720 –> 00:28:55,280
18 months later, the organization hit what I called the productivity wall.
745
00:28:55,280 –> 00:28:57,520
Initial gains from rapid development flattened.
746
00:28:57,520 –> 00:28:58,520
Performance degraded.
747
00:28:58,520 –> 00:29:00,600
Infrastructure complexity made change harder.
748
00:29:00,600 –> 00:29:03,800
The organization was managing technical debt instead of shipping features.
749
00:29:03,800 –> 00:29:07,160
They’d moved fast initially, but they were moving slowly now because nobody had been thinking
750
00:29:07,160 –> 00:29:08,160
about sustainability.
751
00:29:08,160 –> 00:29:09,480
Here’s how it manifests.
752
00:29:09,480 –> 00:29:14,200
A builder comes to you and says, “I need to integrate with this new SaaS system.”
753
00:29:14,200 –> 00:29:16,480
And builders are great at solving immediate problems.
754
00:29:16,480 –> 00:29:17,760
So they build an integration.
755
00:29:17,760 –> 00:29:18,760
It works.
756
00:29:18,760 –> 00:29:19,760
The business is happy.
757
00:29:19,760 –> 00:29:22,600
But the builder didn’t think about or wasn’t asked to think about what happens when
758
00:29:22,600 –> 00:29:26,720
that SaaS system’s API changes, what happens when the password for the service account needs
759
00:29:26,720 –> 00:29:30,560
to be rotated, what happens when you need to audit who accessed what
760
00:29:30,560 –> 00:29:35,000
through that integration, what happens when three other builders independently build integrations
761
00:29:35,000 –> 00:29:36,000
to the same system?
762
00:29:36,000 –> 00:29:39,200
And now you have three different approaches, three different failure modes, three times
763
00:29:39,200 –> 00:29:40,680
the maintenance burden.
764
00:29:40,680 –> 00:29:44,240
The systemic cause is organizational structure. Builders create visible value.
765
00:29:44,240 –> 00:29:45,880
They ship, they deliver.
766
00:29:45,880 –> 00:29:47,600
Organizations see progress.
767
00:29:47,600 –> 00:29:49,280
Architects prevent invisible failures.
768
00:29:49,280 –> 00:29:50,280
They say no.
769
00:29:50,280 –> 00:29:51,600
They require documentation.
770
00:29:51,600 –> 00:29:54,160
They ask hard questions about sustainability.
771
00:29:54,160 –> 00:29:56,960
And their value is invisible until something breaks.
772
00:29:56,960 –> 00:30:00,840
By which time the organization has learned the hard way that architecture matters.
773
00:30:00,840 –> 00:30:03,400
The real consequence is fragmented ownership.
774
00:30:03,400 –> 00:30:07,680
Only 23% of organizations have a formal AI agent identity strategy.
775
00:30:07,680 –> 00:30:08,680
Think about that.
776
00:30:08,680 –> 00:30:10,520
AI agents are proliferating.
777
00:30:10,520 –> 00:30:12,560
Most organizations don’t have governance for them.
778
00:30:12,560 –> 00:30:13,560
Why?
779
00:30:13,560 –> 00:30:14,960
Because ownership is fragmented.
780
00:30:14,960 –> 00:30:16,280
Security thinks it’s IT’s problem.
781
00:30:16,280 –> 00:30:17,760
IT thinks it’s the business’s problem.
782
00:30:17,760 –> 00:30:19,640
The business thinks it’s security’s problem.
783
00:30:19,640 –> 00:30:23,680
And builders are shipping agents without anyone owning the architectural decision of whether
784
00:30:23,680 –> 00:30:25,920
they should exist or what their boundaries are.
785
00:30:25,920 –> 00:30:28,360
The economic consequence is substantial and usually lagged.
786
00:30:28,360 –> 00:30:29,800
You don’t see it for 18 months.
787
00:30:29,800 –> 00:30:31,640
But when you do it’s expensive.
788
00:30:31,640 –> 00:30:32,640
Technical debt compounds.
789
00:30:32,640 –> 00:30:33,640
Support costs rise.
790
00:30:33,640 –> 00:30:35,040
Security risks accumulate.
791
00:30:35,040 –> 00:30:36,400
Compliance becomes harder.
792
00:30:36,400 –> 00:30:38,880
And the organization realizes it needs architects.
793
00:30:38,880 –> 00:30:40,840
But architects are expensive to retrofit.
794
00:30:40,840 –> 00:30:44,720
You can’t just hire one and expect them to untangle 18 months of architectural decisions
795
00:30:44,720 –> 00:30:46,000
made without their input.
796
00:30:46,000 –> 00:30:48,720
The control plane fix requires a mindset shift.
797
00:30:48,720 –> 00:30:51,760
Reframe architects as leverage engineers, not cost centers.
798
00:30:51,760 –> 00:30:54,080
A builder can increase velocity on one project.
799
00:30:54,080 –> 00:30:58,000
An architect can increase velocity across the entire system by making good structural
800
00:30:58,000 –> 00:31:00,360
decisions that everyone benefits from.
801
00:31:00,360 –> 00:31:04,560
An architect can prevent the entire organization from making the same mistake in five different
802
00:31:04,560 –> 00:31:05,560
places.
803
00:31:05,560 –> 00:31:06,960
Measure architects by system health.
804
00:31:06,960 –> 00:31:08,120
By entropy reduction.
805
00:31:08,120 –> 00:31:10,400
By the number of future problems they prevent.
806
00:31:10,400 –> 00:31:12,600
By whether integration patterns are consistent.
807
00:31:12,600 –> 00:31:14,360
By whether governance is enforceable.
808
00:31:14,360 –> 00:31:17,960
By whether new builders inherit a platform that’s easy to build on or a swamp they have to
809
00:31:17,960 –> 00:31:18,960
wade through.
810
00:31:18,960 –> 00:31:20,840
Builders create visible value.
811
00:31:20,840 –> 00:31:22,720
Architects create invisible value.
812
00:31:22,720 –> 00:31:24,160
Local value is just as real.
813
00:31:24,160 –> 00:31:25,360
It’s just harder to see.
814
00:31:25,360 –> 00:31:29,000
And organizations that don’t see it are the ones that end up with sprawl, with chaos, with
815
00:31:29,000 –> 00:31:31,880
technical debt that becomes impossible to manage.
816
00:31:31,880 –> 00:31:33,640
This brings us to the final sin.
817
00:31:33,640 –> 00:31:37,760
Because even good architects fail if the foundational decisions about resources and investment
818
00:31:37,760 –> 00:31:38,760
are wrong.
819
00:31:38,760 –> 00:31:41,480
And that decision is usually made in procurement.
820
00:31:41,480 –> 00:31:43,000
Sin 7.
821
00:31:43,000 –> 00:31:44,000
Licensing blindness.
822
00:31:44,000 –> 00:31:45,480
Capacity as strategy.
823
00:31:45,480 –> 00:31:49,560
The final sin is the most expensive because it’s the most normalized.
824
00:31:49,560 –> 00:31:52,680
Organizations renew E5 because it’s what we do.
825
00:31:52,680 –> 00:31:55,000
Not because they’ve mapped capability to value.
826
00:31:55,000 –> 00:31:58,360
Not because they’ve assessed whether users actually need premium features.
827
00:31:58,360 –> 00:32:01,600
Not because they’ve measured adoption of the premium connectors they’re already paying
828
00:32:01,600 –> 00:32:02,600
for.
829
00:32:02,600 –> 00:32:04,440
They renew because the license was good last year.
830
00:32:04,440 –> 00:32:05,440
So it’s good this year.
831
00:32:05,440 –> 00:32:07,120
And the year after that no one questions it.
832
00:32:07,120 –> 00:32:09,440
Meanwhile shadow IT thrives.
833
00:32:09,440 –> 00:32:13,640
Users on basic SKUs accomplish the same roles as E5 users.
834
00:32:13,640 –> 00:32:15,120
Premium features sit idle.
835
00:32:15,120 –> 00:32:16,480
Copilot remains unused.
836
00:32:16,480 –> 00:32:20,240
The advanced threat protection that comes with E5 never gets operationalized.
837
00:32:20,240 –> 00:32:21,800
Feature parity is ignored.
838
00:32:21,800 –> 00:32:26,280
Who is tracking whether the premium capabilities you paid for are actually driving outcomes?
839
00:32:26,280 –> 00:32:27,520
Here’s a real example.
840
00:32:27,520 –> 00:32:33,160
An enterprise paying 2.1 million dollars annually for E5 across their knowledge worker base.
841
00:32:33,160 –> 00:32:34,760
They’d standardised on it years ago.
842
00:32:34,760 –> 00:32:35,760
E5 for finance.
843
00:32:35,760 –> 00:32:36,760
E5 for engineering.
844
00:32:36,760 –> 00:32:38,240
E5 for operations.
845
00:32:38,240 –> 00:32:39,720
Everyone gets the same license.
846
00:32:39,720 –> 00:32:41,040
An audit revealed the truth.
847
00:32:41,040 –> 00:32:46,760
34% of those users, roughly a third, could perform their exact same role on business standard.
848
00:32:46,760 –> 00:32:48,760
They had no need for the premium connector library.
849
00:32:48,760 –> 00:32:49,960
They didn’t use copilot.
850
00:32:49,960 –> 00:32:53,280
They didn’t need advanced threat protection beyond what business standard includes.
851
00:32:53,280 –> 00:32:55,280
They needed email, Teams, a document platform.
852
00:32:55,280 –> 00:32:56,280
That’s it.
853
00:32:56,280 –> 00:32:57,800
They were paying for capabilities they would never touch.
854
00:32:57,800 –> 00:33:01,280
The economic consequences are orthogonal to what most organisations see.
855
00:33:01,280 –> 00:33:03,640
It’s not just the cost of unused licenses.
856
00:33:03,640 –> 00:33:04,640
That’s obvious.
857
00:33:04,640 –> 00:33:08,280
The real consequence is the cost of not using licensing as a behavioural incentive.
858
00:33:08,280 –> 00:33:12,560
If your licensing SKUs are aligned to roles and capabilities, then it drives adoption.
859
00:33:12,560 –> 00:33:14,280
It forces architectural decisions.
860
00:33:14,280 –> 00:33:16,320
It makes you think about what people actually need.
861
00:33:16,320 –> 00:33:20,920
When you standardise on E5 across the board you’ve removed the constraint that forces architectural
862
00:33:20,920 –> 00:33:21,920
discipline.
863
00:33:21,920 –> 00:33:24,400
You’ve said effectively that everyone gets access to everything.
864
00:33:24,400 –> 00:33:25,400
That’s not strategy.
865
00:33:25,400 –> 00:33:26,400
That’s capitulation.
866
00:33:26,400 –> 00:33:27,400
It’s budget capitulation.
867
00:33:27,400 –> 00:33:29,240
It’s architectural capitulation.
868
00:33:29,240 –> 00:33:30,640
And it’s expensive.
869
00:33:30,640 –> 00:33:33,040
The 2026 price hikes compound this mistake.
870
00:33:33,040 –> 00:33:38,600
Microsoft is implementing increases ranging from 9 to 33% effective July 1st.
871
00:33:38,600 –> 00:33:41,840
F1 plans jumping from $2.25 to $3.00.
872
00:33:41,840 –> 00:33:45,520
E3 rising from $36.39 per user per month.
873
00:33:45,520 –> 00:33:47,760
That organisation paying 2.1 million?
874
00:33:47,760 –> 00:33:48,760
Next renewal?
875
00:33:48,760 –> 00:33:50,360
That’s closer to 2.4 million.
876
00:33:50,360 –> 00:33:55,200
If they’d rationalised licensing earlier, they could have cut that by 20-30%, but they didn’t.
877
00:33:55,200 –> 00:33:57,520
And now they’re paying twice for the same mistake.
878
00:33:57,520 –> 00:34:00,440
Here’s what happens when you finally audit your licensing landscape.
879
00:34:00,440 –> 00:34:02,560
You discover premium connectors nobody’s using.
880
00:34:02,560 –> 00:34:06,480
You find Copilot licenses assigned to roles that have no integration points.
881
00:34:06,480 –> 00:34:10,280
You realise that your premium security features are redundant with network based controls
882
00:34:10,280 –> 00:34:11,960
you already paid for elsewhere.
883
00:34:11,960 –> 00:34:17,000
You uncover the fact that 34% of your E5 investment could be recovered if you had the discipline
884
00:34:17,000 –> 00:34:20,600
to match licensing to actual capability requirements.
885
00:34:20,600 –> 00:34:22,320
The control plane fixes this.
886
00:34:22,320 –> 00:34:24,240
Licensing SKU is a behavioural lever.
887
00:34:24,240 –> 00:34:25,240
Use it.
888
00:34:25,240 –> 00:34:28,880
If you’re paying for E5 across the board, you’ve removed the mechanism that forces you to
889
00:34:28,880 –> 00:34:30,440
make architectural decisions.
890
00:34:30,440 –> 00:34:34,720
You’ve optimised for everyone gets everything instead of everyone gets what they need.
891
00:34:34,720 –> 00:34:37,080
Real architecture means saying no to simplicity.
892
00:34:37,080 –> 00:34:38,800
It means matching licensing to roles.
893
00:34:38,800 –> 00:34:44,120
E5 for roles that actually need premium connectors, threat intelligence or advanced governance.
894
00:34:44,120 –> 00:34:48,240
E3 for users who need collaboration and productivity but not advanced security.
895
00:34:48,240 –> 00:34:53,000
Business Standard for roles that only need core email and Teams functionality.
896
00:34:53,000 –> 00:34:56,040
And making those decisions forces you to understand your user base.
897
00:34:56,040 –> 00:34:59,320
It forces you to ask: why does this person need this capability?
898
00:34:59,320 –> 00:35:02,160
And if you can’t answer that question, they don’t get that licence.
899
00:35:02,160 –> 00:35:05,680
This is where the abstraction becomes concrete, because when you force licensing alignment
900
00:35:05,680 –> 00:35:06,880
you also force governance.
901
00:35:06,880 –> 00:35:08,400
You have to know who’s in what role.
902
00:35:08,400 –> 00:35:10,040
You have to enforce role definitions.
903
00:35:10,040 –> 00:35:13,880
You have to make sure the business is actually using the features you’re paying for.
904
00:35:13,880 –> 00:35:16,520
And that discipline cascades into everything else.
905
00:35:16,520 –> 00:35:20,760
Better identity governance, better data classification, better understanding of what your
906
00:35:20,760 –> 00:35:22,680
system is actually supposed to do.
907
00:35:22,680 –> 00:35:24,760
All seven sins point to one diagnosis.
908
00:35:24,760 –> 00:35:26,280
The absence of a control plane.
909
00:35:26,280 –> 00:35:28,400
The umbrella sin: control plane neglect.
910
00:35:28,400 –> 00:35:30,400
These seven sins don’t exist in isolation.
911
00:35:30,400 –> 00:35:31,920
They’re not random failures.
912
00:35:31,920 –> 00:35:35,240
They’re not separate problems that happen to accumulate in the same tenant.
913
00:35:35,240 –> 00:35:37,320
They’re all symptoms of one structural absence.
914
00:35:37,320 –> 00:35:41,520
And that absence is what binds them together into a single architectural failure.
915
00:35:41,520 –> 00:35:44,840
Operating without a systems layer means entropy becomes your default operating system.
916
00:35:44,840 –> 00:35:45,920
You don’t have governance.
917
00:35:45,920 –> 00:35:48,480
You have chaos with policies written on top of it.
918
00:35:48,480 –> 00:35:52,200
Trying to contain something that was never architecturally constrained in the first place.
919
00:35:52,200 –> 00:35:53,320
You don’t have architecture.
920
00:35:53,320 –> 00:35:54,320
You have a platform.
921
00:35:54,320 –> 00:35:55,920
And a platform is something else entirely.
922
00:35:55,920 –> 00:35:58,080
A platform is a collection of services.
923
00:35:58,080 –> 00:35:59,520
An architecture is a system.
924
00:35:59,520 –> 00:36:01,040
Here’s how it manifests in practice.
925
00:36:01,040 –> 00:36:05,600
A 10,000 seat organisation I worked with had Entra ID governed by one team.
926
00:36:05,600 –> 00:36:09,240
They handled identity provisioning, conditional access, role definitions.
927
00:36:09,240 –> 00:36:10,240
Solid work.
928
00:36:10,240 –> 00:36:11,680
Intune was managed by a separate team.
929
00:36:11,680 –> 00:36:15,240
They owned device management, endpoint security, compliance baselines.
930
00:36:15,240 –> 00:36:16,240
Also good.
931
00:36:16,240 –> 00:36:18,000
Microsoft Defender handled by another team.
932
00:36:18,000 –> 00:36:21,240
They owned threat detection, incident response, security monitoring.
933
00:36:21,240 –> 00:36:26,600
Yet another team owned Purview, data governance, sensitivity labels, retention policies.
934
00:36:26,600 –> 00:36:29,880
And Teams and SharePoint were loosely monitored by the service adoption team.
935
00:36:29,880 –> 00:36:32,760
They tracked usage metrics and provided training.
936
00:36:32,760 –> 00:36:35,040
Nobody was looking at identity to app orchestration.
937
00:36:35,040 –> 00:36:38,000
Nobody was enforcing zoning and tiering across the entire system.
938
00:36:38,000 –> 00:36:41,560
Every service had its own policies, its own approval workflows, its own definitions of
939
00:36:41,560 –> 00:36:43,080
what security baseline meant.
940
00:36:43,080 –> 00:36:45,360
Each domain solved its own problems locally.
941
00:36:45,360 –> 00:36:49,560
But there was no layer that decided how those domains actually interacted, how data flowed
942
00:36:49,560 –> 00:36:53,800
from one system to another, how user access decisions in Entra ID connected to what they
943
00:36:53,800 –> 00:36:57,840
could do in SharePoint, how that related to what they could see in a Copilot agent.
944
00:36:57,840 –> 00:37:00,520
What that organisation actually had wasn’t a security posture.
945
00:37:00,520 –> 00:37:04,800
It was security theatre orchestrated across five different teams, each performing their
946
00:37:04,800 –> 00:37:06,640
part with no conductor.
947
00:37:06,640 –> 00:37:08,320
The systemic cause is this.
948
00:37:08,320 –> 00:37:12,560
Most organisations treat Microsoft Cloud as a collection of disconnected services.
949
00:37:12,560 –> 00:37:16,240
Identity over here, data governance over there, applications somewhere else, compliance
950
00:37:16,240 –> 00:37:17,520
in a separate silo.
951
00:37:17,520 –> 00:37:19,720
This creates what I call policy fragmentation.
952
00:37:19,720 –> 00:37:21,960
Each domain solves its own problems locally.
953
00:37:21,960 –> 00:37:24,560
But there’s no layer that ensures consistency.
954
00:37:24,560 –> 00:37:29,000
No place that says, when we make an identity decision, what does that mean for data access,
955
00:37:29,000 –> 00:37:32,240
for app permissions, for compliance boundaries?
956
00:37:32,240 –> 00:37:36,320
That connecting layer is the control plane, and most organisations don’t have one.
957
00:37:36,320 –> 00:37:37,320
They think they do.
958
00:37:37,320 –> 00:37:40,680
They point to their Entra ID governance, they show you their Defender dashboards.
959
00:37:40,680 –> 00:37:43,160
They talk about their Purview compliance framework.
960
00:37:43,160 –> 00:37:46,680
But those are individual services responding to local constraints.
961
00:37:46,680 –> 00:37:49,280
Not a unified system making coordinated decisions.
962
00:37:49,280 –> 00:37:52,120
The economic consequence of operating without it is massive.
963
00:37:52,120 –> 00:37:57,600
That 10,000 seat organisation, 3.2 million in unrealised productivity benefits over three
964
00:37:57,600 –> 00:37:58,600
years.
965
00:37:58,600 –> 00:38:01,600
Not because they lacked features, they had every Microsoft feature available.
966
00:38:01,600 –> 00:38:05,080
Because those features weren’t integrated into a system.
967
00:38:05,080 –> 00:38:09,360
Users couldn’t find information because it was classified inconsistently across SharePoint.
968
00:38:09,360 –> 00:38:13,280
Admins couldn’t trust their governance because policies drifted when one team made changes
969
00:38:13,280 –> 00:38:15,840
without checking impact on other teams.
970
00:38:15,840 –> 00:38:20,000
Architects had no way to enforce decisions at scale because there was no mechanism to translate
971
00:38:20,000 –> 00:38:22,240
intent into system-wide behaviour.
972
00:38:22,240 –> 00:38:25,600
Control plane absence also means security debt accumulates invisibly.
973
00:38:25,600 –> 00:38:27,880
When Entra ID policies drift, nobody knows it.
974
00:38:27,880 –> 00:38:31,000
When SharePoint permissions exceed your threshold, there’s nobody watching.
975
00:38:31,000 –> 00:38:35,480
When a Copilot agent is accessing data you never approved, the policy layer doesn’t catch
976
00:38:35,480 –> 00:38:36,480
it.
977
00:38:36,480 –> 00:38:37,480
Each service does its best.
978
00:38:37,480 –> 00:38:38,480
But there’s no circuit breaker.
979
00:38:38,480 –> 00:38:43,400
No orchestration, no central place where someone says no, that violates our architecture.
980
00:38:43,400 –> 00:38:45,520
Real security data backs this up.
981
00:38:45,520 –> 00:38:50,560
63% of M365 tenants face configuration tampering in identity and device management.
982
00:38:50,560 –> 00:38:52,200
And here’s the architectural gap.
983
00:38:52,200 –> 00:38:54,960
Microsoft doesn’t natively back up tenant configurations.
984
00:38:54,960 –> 00:38:56,320
You deploy Defender policies.
985
00:38:56,320 –> 00:38:57,600
You configure Entra ID.
986
00:38:57,600 –> 00:38:59,000
You set up Purview rules.
987
00:38:59,000 –> 00:39:03,160
If something goes catastrophically wrong, if an attacker modifies your policies, if someone
988
00:39:03,160 –> 00:39:07,760
accidentally deletes your conditional access rules, you don’t have a native recovery mechanism.
989
00:39:07,760 –> 00:39:10,640
You’re relying on change logs and manual reconstruction.
990
00:39:10,640 –> 00:39:13,560
The control plane fix requires foundational architecture.
991
00:39:13,560 –> 00:39:17,720
You have to build a unified policy compilation layer, a single source of truth where architectural
992
00:39:17,720 –> 00:39:20,800
intent gets translated into system-wide policy.
993
00:39:20,800 –> 00:39:23,840
Treat identity, Entra ID, as the control plane backbone.
994
00:39:23,840 –> 00:39:27,840
Make it the place where you define not just who can access what, but what that access means
995
00:39:27,840 –> 00:39:29,160
across your entire system.
996
00:39:29,160 –> 00:39:32,560
A user is an employee, a contractor, a vendor, a guest.
997
00:39:32,560 –> 00:39:36,760
Once you make that decision in identity, every other system should inherit that context.
998
00:39:36,760 –> 00:39:38,200
Not ask for it separately.
999
00:39:38,200 –> 00:39:39,200
Inherited.
1000
00:39:39,200 –> 00:39:41,160
Then enforce cross-platform orchestration.
1001
00:39:41,160 –> 00:39:45,880
If a user’s Entra ID role says finance, that determines their default access to financial
1002
00:39:45,880 –> 00:39:47,320
data in SharePoint.
1003
00:39:47,320 –> 00:39:50,320
If they are classified as guest, that determines what they see in Teams.
1004
00:39:50,320 –> 00:39:54,400
If a Copilot agent is accessing customer data, its identity and permissions flow from a single
1005
00:39:54,400 –> 00:39:55,400
source of truth.
1006
00:39:55,400 –> 00:39:56,400
Let me define this precisely.
1007
00:39:56,400 –> 00:40:00,560
A control plane is the system that makes decisions about how other systems behave.
1008
00:40:00,560 –> 00:40:02,160
It’s the layer above execution.
1009
00:40:02,160 –> 00:40:04,760
It’s where intent gets translated into policy.
1010
00:40:04,760 –> 00:40:08,480
Without it, you have a platform, individual services operating independently.
1011
00:40:08,480 –> 00:40:10,960
With it, you have architecture, you have a system.
1012
00:40:10,960 –> 00:40:12,720
Most organizations have the first.
1013
00:40:12,720 –> 00:40:14,240
Almost none have the second.
1014
00:40:14,240 –> 00:40:15,600
The leakage model.
1015
00:40:15,600 –> 00:40:17,960
How to calculate your invisible waste.
1016
00:40:17,960 –> 00:40:19,960
Let me walk you through a calculation.
1017
00:40:19,960 –> 00:40:20,960
And I want you to follow along.
1018
00:40:20,960 –> 00:40:23,240
If you have a notebook nearby, now’s the time to grab it.
1019
00:40:23,240 –> 00:40:24,320
This isn’t complicated math.
1020
00:40:24,320 –> 00:40:26,800
And it’s the math most organizations never actually do.
1021
00:40:26,800 –> 00:40:30,480
So they never see how much money is actually flowing out of their tenant invisibly.
1022
00:40:30,480 –> 00:40:31,880
Start with your total seat count.
1023
00:40:31,880 –> 00:40:33,800
Let’s say you’re a mid-sized organization.
1024
00:40:33,800 –> 00:40:36,720
5,000 employees, round number, easy to think about.
1025
00:40:36,720 –> 00:40:41,480
Now assume that roughly 20 to 30% of the advanced Microsoft capabilities you’ve paid for
1026
00:40:41,480 –> 00:40:42,960
are not operationalized.
1027
00:40:42,960 –> 00:40:43,960
Not used.
1028
00:40:43,960 –> 00:40:44,960
Just available.
1029
00:40:44,960 –> 00:40:45,960
This isn’t cynicism.
1030
00:40:45,960 –> 00:40:46,960
This is empirical.
1031
00:40:46,960 –> 00:40:48,120
I’ve audited dozens of tenants.
1032
00:40:48,120 –> 00:40:49,120
It’s consistent.
1033
00:40:49,120 –> 00:40:51,200
One in three advanced features sits idle.
1034
00:40:51,200 –> 00:40:56,960
For a 5,000 seat organization on E5, the delta between E5 and E3 is roughly $12 per user per
1035
00:40:56,960 –> 00:40:58,440
month, $12.
1036
00:40:58,440 –> 00:41:04,060
Times 5,000 seats, times 12 months, that’s $720,000 annually that you’re spending on features
1037
00:41:04,060 –> 00:41:05,160
you’re not using.
1038
00:41:05,160 –> 00:41:06,520
But that’s just the beginning.
1039
00:41:06,520 –> 00:41:08,680
Now add the inactive license premium.
1040
00:41:08,680 –> 00:41:13,120
Roughly 10 to 15% of licenses are assigned to accounts that haven’t logged in in 30 days
1041
00:41:13,120 –> 00:41:14,120
or longer.
1042
00:41:14,120 –> 00:41:15,120
Dormant.
1043
00:41:15,120 –> 00:41:16,120
Forgotten.
1044
00:41:16,120 –> 00:41:17,120
Still being billed.
1045
00:41:17,120 –> 00:41:21,920
$26 per user for E5 and 15% of your licenses are inactive.
1046
00:41:21,920 –> 00:41:24,560
That’s another $250,000.
1047
00:41:24,560 –> 00:41:25,560
Gone.
1048
00:41:25,560 –> 00:41:26,560
Just evaporated.
1049
00:41:26,560 –> 00:41:27,560
That’s nearly a million right there.
1050
00:41:27,560 –> 00:41:28,560
Now add Copilot.
1051
00:41:28,560 –> 00:41:31,640
The base cost of Copilot is $30 per user per month.
1052
00:41:31,640 –> 00:41:32,920
But that’s not the real cost.
1053
00:41:32,920 –> 00:41:34,080
That’s the headline number.
1054
00:41:34,080 –> 00:41:39,640
The real cost includes Copilot Studio credits burning through $200 per 25,000 messages.
1055
00:41:39,640 –> 00:41:44,520
For a tenant of 5,000 employees, if even half of them use Copilot occasionally, you’re
1056
00:41:44,520 –> 00:41:46,160
burning through credits fast.
1057
00:41:46,160 –> 00:41:49,400
You’re going to get to $250,000 annually for a mid-size deployment.
1058
00:41:49,400 –> 00:41:50,880
Then add the security retrofits.
1059
00:41:50,880 –> 00:41:55,040
When you deploy Copilot without data boundaries, you have to go back and classify data, define
1060
00:41:55,040 –> 00:41:57,080
agent access, implement DLP policies.
1061
00:41:57,080 –> 00:41:58,080
That’s not a feature.
1062
00:41:58,080 –> 00:41:59,080
That’s remediation.
1063
00:41:59,080 –> 00:42:01,280
Call it $50,000 in unplanned spending.
1064
00:42:01,280 –> 00:42:04,920
So Copilot alone is consuming $200,000 plus, and that’s conservative.
1065
00:42:04,920 –> 00:42:06,320
And then there’s governance labor.
1066
00:42:06,320 –> 00:42:08,000
The hours spent managing sprawl.
1067
00:42:08,000 –> 00:42:09,000
The manual cleanup.
1068
00:42:09,000 –> 00:42:10,000
The spreadsheets.
1069
00:42:10,000 –> 00:42:11,000
The escalation emails.
1070
00:42:11,000 –> 00:42:15,320
For a 5,000 seat tenant, that’s roughly two full-time employees’ worth of effort.
1071
00:42:15,320 –> 00:42:21,040
$150,000 annually, minimum. Add it up: $720,000 in unused feature capacity.
1072
00:42:21,040 –> 00:42:23,840
$250,000 in inactive licenses.
1073
00:42:23,840 –> 00:42:27,240
$200,000 in co-pilot costs and security retrofits.
1074
00:42:27,240 –> 00:42:29,480
$150,000 in governance labor.
1075
00:42:29,480 –> 00:42:33,280
That’s $1.3 million annually in a mid-sized organization.
1076
00:42:33,280 –> 00:42:35,320
And here’s what the breakdown actually looks like.
1077
00:42:35,320 –> 00:42:36,320
License waste.
1078
00:42:36,320 –> 00:42:38,000
Features you paid for but don’t use.
1079
00:42:38,000 –> 00:42:40,200
Accounts for about 40%.
1080
00:42:40,200 –> 00:42:43,040
Unoptimized connectors and shadow IT, another 20%.
1081
00:42:43,040 –> 00:42:45,120
AI sprawl, 15%.
1082
00:42:45,120 –> 00:42:48,480
Labor that doesn’t actually prevent anything, 25%.
1083
00:42:48,480 –> 00:42:53,640
Real organizations implementing software asset management best practices can cut spending
1084
00:42:53,640 –> 00:42:55,880
by 30% in year one.
1085
00:42:55,880 –> 00:42:59,480
30% of 1.3 million is nearly $400,000.
1086
00:42:59,480 –> 00:43:00,480
Recovered.
1087
00:43:00,480 –> 00:43:01,480
Just by paying attention.
1088
00:43:01,480 –> 00:43:02,480
That’s the leakage model.
1089
00:43:02,480 –> 00:43:05,200
That’s what most organizations are bleeding without knowing it.
1090
00:43:05,200 –> 00:43:09,560
And that’s before the July 2026 price increases hit. When they do, that leak gets worse.
1091
00:43:09,560 –> 00:43:10,560
Not better.
1092
00:43:10,560 –> 00:43:11,640
But these numbers are symptoms.
1093
00:43:11,640 –> 00:43:13,320
The disease is systemic.
1094
00:43:13,320 –> 00:43:14,320
Root cause analysis.
1095
00:43:14,320 –> 00:43:15,440
Why this happens?
1096
00:43:15,440 –> 00:43:16,880
The leakage isn’t random.
1097
00:43:16,880 –> 00:43:18,560
The seven sins aren’t coincidences.
1098
00:43:18,560 –> 00:43:21,840
They’re not separate failures that happen to occur in the same organization.
1099
00:43:21,840 –> 00:43:26,200
They’re structural outcomes of how enterprises make decisions about Microsoft Cloud.
1100
00:43:26,200 –> 00:43:29,160
And if you understand the structure, you understand why this keeps happening.
1101
00:43:29,160 –> 00:43:31,200
The core problem is an operating model failure.
1102
00:43:31,200 –> 00:43:32,280
Not a technical one.
1103
00:43:32,280 –> 00:43:33,960
An organizational one.
1104
00:43:33,960 –> 00:43:38,600
Architectural decisions about Microsoft 365 are made by procurement, not by architects.
1105
00:43:38,600 –> 00:43:40,120
Let me say that again because it matters.
1106
00:43:40,120 –> 00:43:44,600
The decision about what you’re going to buy, which SKU, how many licenses, what feature
1107
00:43:44,600 –> 00:43:47,240
set, that decision gets made at the procurement level.
1108
00:43:47,240 –> 00:43:52,040
It gets made by someone looking at a spreadsheet comparing price per user across different vendors.
1109
00:43:52,040 –> 00:43:55,160
It gets made by someone asking, what’s the industry standard?
1110
00:43:55,160 –> 00:43:56,320
And then buying that.
1111
00:43:56,320 –> 00:44:00,360
It gets made by someone who’s never been inside an Entra ID policy or a conditional access
1112
00:44:00,360 –> 00:44:01,360
rule.
1113
00:44:01,360 –> 00:44:04,400
And then that procurement decision gets treated as an architectural decision.
1114
00:44:04,400 –> 00:44:05,400
We bought E5.
1115
00:44:05,400 –> 00:44:06,960
So E5 is our architecture.
1116
00:44:06,960 –> 00:44:10,160
We standardized on Teams, so Teams governance is solved.
1117
00:44:10,160 –> 00:44:12,400
We licensed Copilot, so we have an AI strategy.
1118
00:44:12,400 –> 00:44:13,880
That’s not how architecture works.
1119
00:44:13,880 –> 00:44:16,600
That’s how you end up with a shopping cart instead of a system.
1120
00:44:16,600 –> 00:44:19,320
The second structural problem is an accountability vacuum.
1121
00:44:19,320 –> 00:44:21,000
Nobody owns the economic outcome.
1122
00:44:21,000 –> 00:44:22,000
Budgets get siloed.
1123
00:44:22,000 –> 00:44:24,200
Finance owns the Microsoft licensing budget.
1124
00:44:24,200 –> 00:44:26,680
IT owns the infrastructure operations budget.
1125
00:44:26,680 –> 00:44:31,120
The business owns their departmental software spending. Procurement owns vendor contracts.
1126
00:44:31,120 –> 00:44:32,920
And nobody’s looking at the tenant as a whole.
1127
00:44:32,920 –> 00:44:35,120
Nobody’s asking, are we getting value from this?
1128
00:44:35,120 –> 00:44:38,400
Is the money we spent on E5 actually driving business outcomes?
1129
00:44:38,400 –> 00:44:40,880
If the Copilot pilot stalls, who’s accountable?
1130
00:44:40,880 –> 00:44:43,080
Not the executive who approved the spending.
1131
00:44:43,080 –> 00:44:44,920
Not the business unit who didn’t adopt it.
1132
00:44:44,920 –> 00:44:47,720
It gets blamed on poor change management or lack of training.
1133
00:44:47,720 –> 00:44:50,680
Nobody says we spent 200,000 on this and got nothing.
1134
00:44:50,680 –> 00:44:51,920
Who owns that failure?
1135
00:44:51,920 –> 00:44:53,160
This leads to the third problem.
1136
00:44:53,160 –> 00:44:55,840
Finance is completely absent from architecture decisions.
1137
00:44:55,840 –> 00:44:57,480
The CFO sees the spend line.
1138
00:44:57,480 –> 00:44:59,000
The CIO sees the features.
1139
00:44:59,000 –> 00:45:00,080
They never reconcile.
1140
00:45:00,080 –> 00:45:02,560
The CFO doesn’t know what the premium connectors cost.
1141
00:45:02,560 –> 00:45:05,200
The CIO doesn’t know how many of them are actually used.
1142
00:45:05,200 –> 00:45:07,880
They’re operating in different universes with different success metrics.
1143
00:45:07,880 –> 00:45:09,520
The CFO wants to reduce cost.
1144
00:45:09,520 –> 00:45:11,280
The CIO wants to increase adoption.
1145
00:45:11,280 –> 00:45:12,280
Those aren’t aligned.
1146
00:45:12,280 –> 00:45:13,280
They’re at odds.
1147
00:45:13,280 –> 00:45:14,880
And when they’re at odds, neither gets what they want.
1148
00:45:14,880 –> 00:45:18,800
You end up with expensive features that nobody uses and cheap tools that everybody
1149
00:45:18,800 –> 00:45:20,400
re-implements with shadow IT.
1150
00:45:20,400 –> 00:45:23,400
This is what I call the procurement-led transformation trap.
1151
00:45:23,400 –> 00:45:25,320
The organization buys the right tools.
1152
00:45:25,320 –> 00:45:27,120
The tools are technically sound.
1153
00:45:27,120 –> 00:45:28,880
Microsoft 365 is a good platform.
1154
00:45:28,880 –> 00:45:31,040
But then procurement declares victory.
1155
00:45:31,040 –> 00:45:32,200
We bought the right tools.
1156
00:45:32,200 –> 00:45:34,000
We have the right strategy.
1157
00:45:34,000 –> 00:45:36,280
Success is now inevitable, except it’s not.
1158
00:45:36,280 –> 00:45:40,120
85% of organizations increased AI investments in the past 12 months.
1159
00:45:40,120 –> 00:45:43,920
Only 5% are what Gartner calls future build leaders.
1160
00:45:43,920 –> 00:45:46,880
Organizations that are actually getting multiplier effects from their AI spending.
1161
00:45:46,880 –> 00:45:48,680
The other 80% bought the tools.
1162
00:45:48,680 –> 00:45:50,160
They didn’t build the architecture.
1163
00:45:50,160 –> 00:45:51,160
Here’s a real story.
1164
00:45:51,160 –> 00:45:55,360
An enterprise spent $4.2 million on Microsoft 365 modernization.
1165
00:45:55,360 –> 00:45:56,360
That’s not a small bet.
1166
00:45:56,360 –> 00:45:57,920
That’s organizational commitment.
1167
00:45:57,920 –> 00:46:00,120
And they measured success by adoption percentage.
1168
00:46:00,120 –> 00:46:01,120
Did people use Teams?
1169
00:46:01,120 –> 00:46:02,120
Yes.
1170
00:46:02,120 –> 00:46:03,120
Did usage go up?
1171
00:46:03,120 –> 00:46:04,120
Absolutely.
1172
00:46:04,120 –> 00:46:06,880
But did those tools drive business outcomes?
1173
00:46:06,880 –> 00:46:08,040
Nobody measured that.
1174
00:46:08,040 –> 00:46:11,040
Did the premium capabilities actually reduce support tickets?
1175
00:46:11,040 –> 00:46:12,040
Nobody tracked it.
1176
00:46:12,040 –> 00:46:13,840
Did automation save labor hours?
1177
00:46:13,840 –> 00:46:14,840
Nobody quantified it.
1178
00:46:14,840 –> 00:46:16,000
The only metric was adoption.
1179
00:46:16,000 –> 00:46:17,000
And adoption looked good.
1180
00:46:17,000 –> 00:46:18,600
But adoption isn’t architecture.
1181
00:46:18,600 –> 00:46:20,080
Adoption is visibility.
1182
00:46:20,080 –> 00:46:22,800
Someone using a tool doesn’t mean the tool is solving a problem.
1183
00:46:22,800 –> 00:46:24,120
It just means they’re using it.
1184
00:46:24,120 –> 00:46:25,720
And here’s the final structural problem.
1185
00:46:25,720 –> 00:46:28,080
This is the one most organizations don’t want to hear.
1186
00:46:28,080 –> 00:46:29,960
Microsoft doesn’t enforce governance.
1187
00:46:29,960 –> 00:46:31,800
It enables chaos by default.
1188
00:46:31,800 –> 00:46:35,280
Microsoft 365 assumes you want to be permissive.
1189
00:46:35,280 –> 00:46:36,600
Everyone can create teams.
1190
00:46:36,600 –> 00:46:38,120
Everyone can register apps.
1191
00:46:38,120 –> 00:46:39,640
Everyone can consent to permissions.
1192
00:46:39,640 –> 00:46:40,920
Everyone can share data widely.
1193
00:46:40,920 –> 00:46:41,920
That’s not a bug.
1194
00:46:41,920 –> 00:46:42,920
That’s a feature.
1195
00:46:42,920 –> 00:46:44,320
It makes the product more accessible.
1196
00:46:44,320 –> 00:46:48,080
But that permissiveness cascades into sprawl without intentional architecture to constrain
1197
00:46:48,080 –> 00:46:49,080
it.
1198
00:46:49,080 –> 00:46:50,560
Microsoft doesn’t force you to classify data.
1199
00:46:50,560 –> 00:46:52,800
It doesn’t require approval for Copilot agents.
1200
00:46:52,800 –> 00:46:54,720
It doesn’t mandate permission life cycles.
1201
00:46:54,720 –> 00:46:56,600
Those are architectural decisions you have to make.
1202
00:46:56,600 –> 00:46:58,120
And most organizations don’t make them.
1203
00:46:58,120 –> 00:46:59,560
So they get the default behavior.
1204
00:46:59,560 –> 00:47:00,560
Which is chaos.
1205
00:47:00,560 –> 00:47:01,600
This is not Microsoft’s failure.
1206
00:47:01,600 –> 00:47:02,600
It’s yours.
1207
00:47:02,600 –> 00:47:03,600
And it’s fixable.
1208
00:47:03,600 –> 00:47:06,040
But fixing it requires a different operating model.
1209
00:47:06,040 –> 00:47:09,840
The compliance wall: CMMC 2.0 and the architect’s trap.
1210
00:47:09,840 –> 00:47:13,080
Here’s what happens when you don’t architect for tomorrow’s requirements.
1211
00:47:13,080 –> 00:47:15,160
Tomorrow’s requirements architect you instead.
1212
00:47:15,160 –> 00:47:19,400
CMMC 2.0 enforcement became mandatory on November 10, 2025.
1213
00:47:19,400 –> 00:47:20,880
That date has already passed.
1214
00:47:20,880 –> 00:47:23,440
And it caught a lot of organizations flat-footed.
1215
00:47:23,440 –> 00:47:26,600
CMMC is the Cybersecurity Maturity Model Certification.
1216
00:47:26,600 –> 00:47:29,840
It’s the Department of Defense’s way of saying that if you want to work with us, if you
1217
00:47:29,840 –> 00:47:33,520
want a government contract, if you want to touch controlled unclassified information,
1218
00:47:33,520 –> 00:47:38,640
which is what the DoD calls CUI, then your security infrastructure has to meet specific standards,
1219
00:47:38,640 –> 00:47:40,240
not guidelines, standards.
1220
00:47:40,240 –> 00:47:43,160
110 controls from NIST SP 800-171.
1221
00:47:43,160 –> 00:47:44,880
Level 2 compliance is non-negotiable.
1222
00:47:44,880 –> 00:47:47,080
And here’s the architectural detail that matters.
1223
00:47:47,080 –> 00:47:50,840
Microsoft 365 commercial cannot be used for CMMC level 2.
1224
00:47:50,840 –> 00:47:51,840
Full stop.
1225
00:47:51,840 –> 00:47:53,320
The commercial cloud is multi-tenant.
1226
00:47:53,320 –> 00:47:56,560
Data from your organization sits alongside data from other organizations.
1227
00:47:56,560 –> 00:47:58,320
The DOD doesn’t accept that risk boundary.
1228
00:47:58,320 –> 00:48:02,680
So if you’re a defense contractor and you’ve been using Microsoft 365 commercial, which
1229
00:48:02,680 –> 00:48:06,520
is what most organizations do because it’s cheaper and simpler, you cannot use it for
1230
00:48:06,520 –> 00:48:07,520
CUI anymore.
1231
00:48:07,520 –> 00:48:09,280
You have to migrate to GCC High.
1232
00:48:09,280 –> 00:48:13,560
Government community cloud, a separate isolated cloud environment, different infrastructure,
1233
00:48:13,560 –> 00:48:17,360
different data centers, different governance. It’s not a checkbox upgrade.
1234
00:48:17,360 –> 00:48:20,920
It’s a re-tenanting. It’s an architectural pivot. How it manifests in practice:
1235
00:48:20,920 –> 00:48:24,240
A defense contractor, 2000 seats, running in commercial.
1236
00:48:24,240 –> 00:48:29,000
They’re already using Teams, Exchange, SharePoint, everything’s deployed, integrated, working,
1237
00:48:29,000 –> 00:48:30,840
then CMMC enforcement happens.
1238
00:48:30,840 –> 00:48:34,720
And suddenly they learn, usually from their compliance officer or their government customer
1239
00:48:34,720 –> 00:48:38,680
that they need to be in GCC High by a specific date or they lose their contract.
1240
00:48:38,680 –> 00:48:39,680
Now they’re scrambling.
1241
00:48:39,680 –> 00:48:44,240
They have to migrate 2000 users and all their data to a completely different cloud environment.
1242
00:48:44,240 –> 00:48:47,840
They have to revalidate their conditional access policies because GCC High has different
1243
00:48:47,840 –> 00:48:48,840
feature availability.
1244
00:48:48,840 –> 00:48:52,840
They have to retest integrations because third party connectors behave differently in
1245
00:48:52,840 –> 00:48:54,000
government clouds.
1246
00:48:54,000 –> 00:48:58,480
They have to re-architect their governance because the audit logging in GCC High works differently
1247
00:48:58,480 –> 00:48:59,640
than in commercial.
1248
00:48:59,640 –> 00:49:01,600
The systemic cause is straightforward.
1249
00:49:01,600 –> 00:49:04,320
Compliance requirements were not baked into the initial tenant design.
1250
00:49:04,320 –> 00:49:07,440
The organization chose commercial because it was the standard choice.
1251
00:49:07,440 –> 00:49:11,720
Nobody asked, if we’re a defense contractor, what are our long-term compliance requirements?
1252
00:49:11,720 –> 00:49:14,560
Nobody mapped that requirement to an architectural decision.
1253
00:49:14,560 –> 00:49:19,080
Nobody said, we should build this in GCC High from day one, even though it’s more expensive,
1254
00:49:19,080 –> 00:49:21,320
because our business model requires it.
1255
00:49:21,320 –> 00:49:25,520
The organization was built for cost and simplicity, and then when compliance requirements
1256
00:49:25,520 –> 00:49:29,160
arrived, they had to re-tenant, which is expensive.
1257
00:49:29,160 –> 00:49:33,600
Real numbers: a defense contractor re-tenanting 2000 users to GCC High.
1258
00:49:33,600 –> 00:49:38,080
Professional services alone, the migration effort, the testing, the validation runs north
1259
00:49:38,080 –> 00:49:39,680
of $500,000.
1260
00:49:39,680 –> 00:49:42,560
Then there’s the period of operational disruption.
1261
00:49:42,560 –> 00:49:45,560
Users relearning systems that work slightly differently.
1262
00:49:45,560 –> 00:49:47,600
Integrations that broke and had to be rebuilt.
1263
00:49:47,600 –> 00:49:50,720
Training for the new environment, audits that have to be repeated.
1264
00:49:50,720 –> 00:49:54,160
And the extended timeline: what should have been a two-week migration stretches to three months
1265
00:49:54,160 –> 00:49:55,960
because the architecture wasn’t built for it.
1266
00:49:55,960 –> 00:49:59,040
The economic consequence is layered: the direct cost of migration.
1267
00:49:59,040 –> 00:50:03,120
The opportunity cost of the engineering team’s time diverted to crisis mode.
1268
00:50:03,120 –> 00:50:07,440
The risk of incomplete migration where some data or configurations get missed, discovered
1269
00:50:07,440 –> 00:50:08,520
later in an audit.
1270
00:50:08,520 –> 00:50:13,000
And the ongoing cost: GCC High licensing is more expensive than commercial, and you can’t
1271
00:50:13,000 –> 00:50:14,320
easily move back.
1272
00:50:14,320 –> 00:50:16,680
The control plane fix is ruthlessly simple.
1273
00:50:16,680 –> 00:50:19,360
Design your tenant for your compliance requirements from day one.
1274
00:50:19,360 –> 00:50:20,360
Not eventually.
1275
00:50:20,360 –> 00:50:23,720
If you’re a defense contractor, you build in GCC High.
1276
00:50:23,720 –> 00:50:27,440
You accept the higher cost and complexity upfront because your business model requires
1277
00:50:27,440 –> 00:50:28,440
it.
1278
00:50:28,440 –> 00:50:31,400
If you’re in healthcare, you might need HIPAA compliance, which affects data residency
1279
00:50:31,400 –> 00:50:32,720
and audit logging.
1280
00:50:32,720 –> 00:50:36,960
If you’re in financial services, you might need SOC 2, which affects who can access what.
1281
00:50:36,960 –> 00:50:38,280
These aren’t nice-to-haves.
1282
00:50:38,280 –> 00:50:39,840
These are architectural constraints.
1283
00:50:39,840 –> 00:50:41,880
And here’s the lesson that applies beyond CMMC.
1284
00:50:41,880 –> 00:50:44,680
The window for architectural decisions closes early.
1285
00:50:44,680 –> 00:50:48,560
You make the decision about which cloud to use, about how to classify data, about where
1286
00:50:48,560 –> 00:50:49,800
to store information.
1287
00:50:49,800 –> 00:50:52,760
And then that decision constrains everything that comes after.
1288
00:50:52,760 –> 00:50:56,480
If you make the wrong decision early because you didn’t anticipate compliance requirements,
1289
00:50:56,480 –> 00:50:57,720
you’re rebuilding later.
1290
00:50:57,720 –> 00:50:58,720
That’s expensive.
1291
00:50:58,720 –> 00:51:02,440
If you don’t architect for tomorrow’s requirements, tomorrow’s requirements will architect
1292
00:51:02,440 –> 00:51:03,440
you.
1293
00:51:03,440 –> 00:51:05,760
And by then you’re already operating at a cost disadvantage.
1294
00:51:05,760 –> 00:51:08,080
The recovery path: from decay to design.
1295
00:51:08,080 –> 00:51:09,600
Here’s the thing about architecture.
1296
00:51:09,600 –> 00:51:10,800
You can’t fix it all at once.
1297
00:51:10,800 –> 00:51:14,400
You have to fix it deliberately in phases with clear outcomes at each step.
1298
00:51:14,400 –> 00:51:18,640
Otherwise you’ll just be throwing money at problems without solving the structural issues
1299
00:51:18,640 –> 00:51:19,960
that created them.
1300
00:51:19,960 –> 00:51:21,960
Recovery from tenant decay follows a pattern.
1301
00:51:21,960 –> 00:51:22,960
And the pattern works.
1302
00:51:22,960 –> 00:51:24,320
I’ve seen it work dozens of times.
1303
00:51:24,320 –> 00:51:28,280
It takes 90 days to get to a place where you can actually claim you have architecture instead
1304
00:51:28,280 –> 00:51:30,160
of just a platform running unsupervised.
1305
00:51:30,160 –> 00:51:31,560
Phase one is 30 days.
1306
00:51:31,560 –> 00:51:32,560
Audit and inventory.
1307
00:51:32,560 –> 00:51:35,760
You have to see what you’ve actually got before you can change anything.
1308
00:51:35,760 –> 00:51:40,240
This means discovering inactive licenses, running reports on user login history.
1309
00:51:40,240 –> 00:51:43,400
Finding accounts that haven’t authenticated in 30 days or longer.
1310
00:51:43,400 –> 00:51:44,400
These are your easy wins.
1311
00:51:44,400 –> 00:51:46,040
You reclaim them immediately.
1312
00:51:46,040 –> 00:51:47,720
You also discover orphaned apps.
1313
00:51:47,720 –> 00:51:49,320
The 340 Power Apps.
1314
00:51:49,320 –> 00:51:52,000
The 847 app registrations.
1315
00:51:52,000 –> 00:51:54,680
The automation flows that nobody remembers creating.
1316
00:51:54,680 –> 00:51:55,680
You don’t delete them yet.
1317
00:51:55,680 –> 00:51:56,960
You just inventory them.
1318
00:51:56,960 –> 00:51:57,960
Who owns this?
1319
00:51:57,960 –> 00:51:58,960
Has it been used?
1320
00:51:58,960 –> 00:52:00,160
Is there a business case for keeping it?
1321
00:52:00,160 –> 00:52:01,600
You also do a permission audit.
1322
00:52:01,600 –> 00:52:02,880
You look at Entra ID roles.
1323
00:52:02,880 –> 00:52:04,840
You find the accounts with excessive privilege.
1324
00:52:04,840 –> 00:52:08,480
You find the service principals with credentials that haven’t been rotated.
1325
00:52:08,480 –> 00:52:12,040
You find application permissions that exceed what the application actually needs.
1326
00:52:12,040 –> 00:52:13,680
None of this gets fixed in phase one.
1327
00:52:13,680 –> 00:52:15,840
You just establish what the baseline looks like.
1328
00:52:15,840 –> 00:52:17,640
By the end of 30 days you have clarity.
1329
00:52:17,640 –> 00:52:19,160
You know how much leakage exists.
1330
00:52:19,160 –> 00:52:20,880
You know how many licenses are wasted.
1331
00:52:20,880 –> 00:52:23,640
You know how many orphaned applications are sitting in your environment.
1332
00:52:23,640 –> 00:52:24,640
You have a number.
1333
00:52:24,640 –> 00:52:26,880
And that number becomes your benchmark for recovery.
1334
00:52:26,880 –> 00:52:28,560
Phase two is 60 days.
1335
00:52:28,560 –> 00:52:29,560
Automate governance.
1336
00:52:29,560 –> 00:52:32,440
Now that you know what you have, you start building the systems that will prevent decay
1337
00:52:32,440 –> 00:52:33,600
from happening again.
1338
00:52:33,600 –> 00:52:36,160
You deploy life cycle workflows in Entra ID.
1339
00:52:36,160 –> 00:52:39,400
When a user joins, their access gets provisioned automatically.
1340
00:52:39,400 –> 00:52:42,600
When they leave, their access gets deprovisioned automatically.
1341
00:52:42,600 –> 00:52:43,600
No manual process.
1342
00:52:43,600 –> 00:52:44,600
No spreadsheets.
1343
00:52:44,600 –> 00:52:46,760
No emails asking someone to remember to offboard this person.
1344
00:52:46,760 –> 00:52:47,760
The system does it.
1345
00:52:47,760 –> 00:52:49,080
You implement entitlement management.
1346
00:52:49,080 –> 00:52:52,720
You create access packages that bundle related permissions.
1347
00:52:52,720 –> 00:52:53,960
Employee joins the finance team.
1348
00:52:53,960 –> 00:52:58,080
They automatically get access to the finance shared mailbox, the finance SharePoint site,
1349
00:52:58,080 –> 00:52:59,480
the finance team’s channel.
1350
00:52:59,480 –> 00:53:01,560
All through a single approval workflow.
1351
00:53:01,560 –> 00:53:03,560
Not separate requests to different people.
1352
00:53:03,560 –> 00:53:07,560
Not finding out three weeks later that someone didn’t get access to something they needed.
1353
00:53:07,560 –> 00:53:11,040
You enforce sensitivity labels and data loss prevention at scale.
1354
00:53:11,040 –> 00:53:13,040
Every document in SharePoint gets classified.
1355
00:53:13,040 –> 00:53:14,040
Not manually.
1356
00:53:14,040 –> 00:53:15,040
Automatically.
1357
00:53:15,040 –> 00:53:17,000
Content analysis based on metadata.
1358
00:53:17,000 –> 00:53:21,720
If a document contains sensitive financial information, it gets the finance label automatically.
1359
00:53:21,720 –> 00:53:25,760
And once it’s labeled, DLP policies automatically restrict how it can be shared.
1360
00:53:25,760 –> 00:53:28,480
You can’t email a sensitive financial document externally.
1361
00:53:28,480 –> 00:53:29,480
The policy blocks it.
1362
00:53:29,480 –> 00:53:30,880
Phase three is 90 days.
1363
00:53:30,880 –> 00:53:31,880
Build the control plane.
1364
00:53:31,880 –> 00:53:33,160
This is where you architect.
1365
00:53:33,160 –> 00:53:35,000
You define a policy compilation layer.
1366
00:53:35,000 –> 00:53:40,080
A single system of truth where organizational intent gets translated into platform policy.
1367
00:53:40,080 –> 00:53:42,760
You establish Entra ID as the orchestration backbone.
1368
00:53:42,760 –> 00:53:46,640
Every other system in your tenant inherits authorization decisions from identity.
1369
00:53:46,640 –> 00:53:50,920
A user’s role in Entra ID determines their access to data in SharePoint, their visibility
1370
00:53:50,920 –> 00:53:53,720
in Teams, their permissions in Copilot agents.
1371
00:53:53,720 –> 00:53:55,720
You implement cross-platform governance.
1372
00:53:55,720 –> 00:53:58,360
When you make a decision in one place, it cascades everywhere.
1373
00:53:58,360 –> 00:53:59,360
It doesn’t break systems.
1374
00:53:59,360 –> 00:54:00,640
It doesn’t create exceptions.
1375
00:54:00,640 –> 00:54:02,400
It creates consistency.
1376
00:54:02,400 –> 00:54:05,040
A global firm I worked with followed this path.
1377
00:54:05,040 –> 00:54:06,160
Five thousand seats.
1378
00:54:06,160 –> 00:54:10,280
They recovered $1.2 million in year one through systematic rationalization.
1379
00:54:10,280 –> 00:54:14,800
They reclaimed $130,000 in unused licenses in month one.
1380
00:54:14,800 –> 00:54:17,960
They decommissioned 78 orphaned Power Apps in month two.
1381
00:54:17,960 –> 00:54:22,880
By month three, they’d reduced their password reset volume by 86% through automated entitlement
1382
00:54:22,880 –> 00:54:23,880
management.
1383
00:54:23,880 –> 00:54:24,880
The research is consistent.
1384
00:54:24,880 –> 00:54:30,400
The break-even point for technology investment in M365 is 54 minutes of time savings per employee
1385
00:54:30,400 –> 00:54:31,400
per month.
1386
00:54:31,400 –> 00:54:34,720
This organization achieved that in the first 30 days.
1387
00:54:34,720 –> 00:54:36,600
Everything after that was pure recovery.
1388
00:54:36,600 –> 00:54:40,480
All outcomes matter.
1389
00:54:40,480 –> 00:54:43,640
Help desk tickets for access requests basically disappeared.
1390
00:54:43,640 –> 00:54:45,960
Compliance audits became routine instead of crisis.
1391
00:54:45,960 –> 00:54:49,800
They could prove they had governance because governance was built into the platform.
1392
00:54:49,800 –> 00:54:53,160
But recovery requires something else beyond process.
1393
00:54:53,160 –> 00:54:54,400
The mindset shift: from procurement to architecture.
1394
00:54:54,400 –> 00:54:58,600
Recovery requires a mindset shift.
1395
00:54:58,600 –> 00:55:02,800
And mindset shifts are harder than process changes because they require executives to change
1396
00:55:02,800 –> 00:55:04,760
how they think about what they’re doing.
1397
00:55:04,760 –> 00:55:08,280
The shift sounds simple when you say it, but it reshapes everything.
1398
00:55:08,280 –> 00:55:10,280
Stop asking, what tools should we buy?
1399
00:55:10,280 –> 00:55:12,120
Start asking, what system do we need?
1400
00:55:12,120 –> 00:55:13,720
This is the fundamental reframe.
1401
00:55:13,720 –> 00:55:16,880
Most organizations approach Microsoft 365 like they’re shopping.
1402
00:55:16,880 –> 00:55:17,880
What features do we need?
1403
00:55:17,880 –> 00:55:19,160
What’s the industry standard?
1404
00:55:19,160 –> 00:55:20,560
What are competitors using?
1405
00:55:20,560 –> 00:55:21,760
What’s the price per user?
1406
00:55:21,760 –> 00:55:22,760
And then they buy.
1407
00:55:22,760 –> 00:55:25,320
They’ve solved the problem by acquiring the product.
1408
00:55:25,320 –> 00:55:27,000
But tools and systems are different things.
1409
00:55:27,000 –> 00:55:28,760
A tool is something you buy and deploy.
1410
00:55:28,760 –> 00:55:30,400
A system is something you architect.
1411
00:55:30,400 –> 00:55:32,080
A tool solves isolated problems.
1412
00:55:32,080 –> 00:55:33,800
A system solves interconnected problems.
1413
00:55:33,800 –> 00:55:34,800
You can buy Copilot.
1414
00:55:34,800 –> 00:55:37,280
That’s a tool, but you can’t buy a Copilot system.
1415
00:55:37,280 –> 00:55:38,280
You have to architect it.
1416
00:55:38,280 –> 00:55:40,120
You have to decide what data it accesses.
1417
00:55:40,120 –> 00:55:41,480
You have to define its boundaries.
1418
00:55:41,480 –> 00:55:43,880
You have to think about how it integrates with governance.
1419
00:55:43,880 –> 00:55:45,600
You have to measure what it actually delivers.
1420
00:55:45,600 –> 00:55:50,240
The shift from tools to systems changes everything because now the question isn’t, how do we buy
1421
00:55:50,240 –> 00:55:51,240
this faster?
1422
00:55:51,240 –> 00:55:53,480
It’s, what are we trying to accomplish?
1423
00:55:53,480 –> 00:55:56,480
And how does this tool fit into the larger system we need?
1424
00:55:56,480 –> 00:55:58,320
Stop measuring by adoption percentage.
1425
00:55:58,320 –> 00:56:00,280
Start measuring by economic realization.
1426
00:56:00,280 –> 00:56:02,680
Most organizations track adoption because it’s visible.
1427
00:56:02,680 –> 00:56:04,360
How many users logged into Copilot?
1428
00:56:04,360 –> 00:56:05,920
How many teams channels got created?
1429
00:56:05,920 –> 00:56:07,320
How many people attended training?
1430
00:56:07,320 –> 00:56:10,120
These metrics feel like success because they’re easy to see.
1431
00:56:10,120 –> 00:56:11,120
And they’re useless.
1432
00:56:11,120 –> 00:56:13,480
A user logged into Copilot once and never returned.
1433
00:56:13,480 –> 00:56:14,480
Is that adoption?
1434
00:56:14,480 –> 00:56:15,480
Technically yes.
1435
00:56:15,480 –> 00:56:17,120
But economically, it’s a failure.
1436
00:56:17,120 –> 00:56:20,520
You spent $30 a month on a license that delivered zero value.
1437
00:56:20,520 –> 00:56:21,520
That’s not adoption.
1438
00:56:21,520 –> 00:56:22,840
That’s waste measured in percentages.
1439
00:56:22,840 –> 00:56:23,920
Real metrics are different.
1440
00:56:23,920 –> 00:56:26,640
Did Copilot reduce the time it takes to write a report?
1441
00:56:26,640 –> 00:56:28,240
By how much? Can you quantify that?
1442
00:56:28,240 –> 00:56:30,080
Did it reduce password reset calls?
1443
00:56:30,080 –> 00:56:31,560
How many fewer calls per month?
1444
00:56:31,560 –> 00:56:33,440
Did it accelerate onboarding? By how long?
1445
00:56:33,440 –> 00:56:34,440
These are economic metrics.
1446
00:56:34,440 –> 00:56:36,600
They connect tool usage to business outcome.
1447
00:56:36,600 –> 00:56:37,920
And they’re much harder to achieve.
1448
00:56:37,920 –> 00:56:39,680
So organizations don’t measure them.
1449
00:56:39,680 –> 00:56:41,360
They measure adoption instead.
1450
00:56:41,360 –> 00:56:43,360
Stop treating architects as cost centers.
1451
00:56:43,360 –> 00:56:45,080
Start treating them as leverage multipliers.
1452
00:56:45,080 –> 00:56:49,000
This is the hardest mindset shift because it requires the organization to value something
1453
00:56:49,000 –> 00:56:50,960
that’s invisible until something breaks.
1454
00:56:50,960 –> 00:56:52,520
A builder creates a feature.
1455
00:56:52,520 –> 00:56:53,520
Everyone sees it.
1456
00:56:53,520 –> 00:56:54,880
The business sees value immediately.
1457
00:56:54,880 –> 00:56:58,480
An architect prevents a problem that would have cost millions to fix later.
1458
00:56:58,480 –> 00:57:00,720
Nobody sees it because the problem never happened.
1459
00:57:00,720 –> 00:57:02,160
But invisibility is dangerous.
1460
00:57:02,160 –> 00:57:05,000
It gets architects fired and builders promoted.
1461
00:57:05,000 –> 00:57:06,360
But here’s the arithmetic.
1462
00:57:06,360 –> 00:57:09,640
One architect can set standards that affect hundreds of builders.
1463
00:57:09,640 –> 00:57:13,680
One architectural decision about how to handle data boundaries can prevent thousands of hours
1464
00:57:13,680 –> 00:57:14,840
of rework later.
1465
00:57:14,840 –> 00:57:19,160
One governance framework that automates entitlement management can reclaim hundreds of thousands
1466
00:57:19,160 –> 00:57:21,160
of dollars in license waste and labor.
1467
00:57:21,160 –> 00:57:22,160
That’s leverage.
1468
00:57:22,160 –> 00:57:25,280
Stop treating licensing as a budget line item.
1469
00:57:25,280 –> 00:57:27,400
Start treating it as a behavioral incentive.
1470
00:57:27,400 –> 00:57:28,800
Licensing SKUs drive behavior.
1471
00:57:28,800 –> 00:57:32,400
If you assign everyone E5, you’re saying everyone gets access to everything. That removes
1472
00:57:32,400 –> 00:57:33,400
all constraints.
1473
00:57:33,400 –> 00:57:34,560
It removes all discipline.
1474
00:57:34,560 –> 00:57:38,640
It removes the mechanism that forces you to make hard architectural decisions about what
1475
00:57:38,640 –> 00:57:39,840
people actually need.
1476
00:57:39,840 –> 00:57:44,120
But if you intentionally align licensing to roles, then the organization has to know what
1477
00:57:44,120 –> 00:57:45,120
roles are.
1478
00:57:45,120 –> 00:57:46,320
It has to enforce role definitions.
1479
00:57:46,320 –> 00:57:49,920
It has to ask, why does this person need this capability?
1480
00:57:49,920 –> 00:57:53,520
And in asking that question, it starts building architecture instead of buying features.
1481
00:57:53,520 –> 00:57:56,200
A CIO I worked with made this shift explicitly.
1482
00:57:56,200 –> 00:57:58,520
They’d been trying to drive Copilot adoption.
1483
00:57:58,520 –> 00:58:03,680
Rolling it out to everyone, measuring usage metrics. Adoption wasn’t happening, usage was low,
1484
00:58:03,680 –> 00:58:05,400
value was unclear.
1485
00:58:05,400 –> 00:58:06,840
So they reframed it.
1486
00:58:06,840 –> 00:58:11,940
Instead of “Copilot is a productivity tool,” they said “Copilot is a data governance accelerator.”
1487
00:58:11,940 –> 00:58:13,440
And they changed who got licenses.
1488
00:58:13,440 –> 00:58:18,480
Not everyone: teams that had high data governance maturity, teams that had classified their data,
1489
00:58:18,480 –> 00:58:20,600
teams that understood their compliance requirements.
1490
00:58:20,600 –> 00:58:25,120
Suddenly, Copilot became an incentive for doing the unglamorous work of data classification
1491
00:58:25,120 –> 00:58:26,120
first.
1492
00:58:26,120 –> 00:58:31,000
That’s what reframing looks like in practice: not different tools; different intent, different alignment,
1493
00:58:31,000 –> 00:58:32,200
different outcomes.
1494
00:58:32,200 –> 00:58:33,320
And here’s the final reframe.
1495
00:58:33,320 –> 00:58:35,880
Your Microsoft tenant is not a collection of applications.
1496
00:58:35,880 –> 00:58:37,840
It is not a set of services you subscribe to.
1497
00:58:37,840 –> 00:58:39,080
It is an economic system.
1498
00:58:39,080 –> 00:58:41,080
Every decision has an economic consequence.
1499
00:58:41,080 –> 00:58:43,120
Every sprawl you tolerate costs money.
1500
00:58:43,120 –> 00:58:45,620
Every governance gap you ignore compounds into debt.
1501
00:58:45,620 –> 00:58:48,400
The question isn’t, do we have Microsoft 365?
1502
00:58:48,400 –> 00:58:50,960
The question is, are we managing it as a system?
1503
00:58:50,960 –> 00:58:53,840
The governance operating model: how to sustain it.
1504
00:58:53,840 –> 00:58:55,280
Recovery is the easy part.
1505
00:58:55,280 –> 00:58:57,600
Sustaining it is where most organizations fail.
1506
00:58:57,600 –> 00:58:59,440
You’ll go through the 90-day recovery.
1507
00:58:59,440 –> 00:59:00,680
You’ll reclaim licenses.
1508
00:59:00,680 –> 00:59:02,640
You’ll decommission orphaned applications.
1509
00:59:02,640 –> 00:59:04,120
You’ll implement automation.
1510
00:59:04,120 –> 00:59:06,840
And for about six months, the organization will feel good about it.
1511
00:59:06,840 –> 00:59:07,840
We fixed it.
1512
00:59:07,840 –> 00:59:08,840
We’re more efficient.
1513
00:59:08,840 –> 00:59:09,840
We have governance.
1514
00:59:09,840 –> 00:59:11,600
Then slowly entropy returns.
1515
00:59:11,600 –> 00:59:16,240
A new business unit wants to deploy a Copilot agent without following the approval workflow.
1516
00:59:16,240 –> 00:59:19,960
Someone creates a Teams channel for a project and assigns permissions too broadly.
1517
00:59:19,960 –> 00:59:24,440
A new integration gets built because the standard integration points are documented poorly.
1518
00:59:24,440 –> 00:59:26,200
And the builder doesn’t know they exist.
1519
00:59:26,200 –> 00:59:28,000
The control plane drifts.
1520
00:59:28,000 –> 00:59:29,600
Policies become suggestions again.
1521
00:59:29,600 –> 00:59:32,040
This is why governance requires an operating model.
1522
00:59:32,040 –> 00:59:35,280
Not a one time intervention, not a checklist you complete and then ignore.
1523
00:59:35,280 –> 00:59:39,000
An ongoing system that sustains architectural discipline.
1524
00:59:39,000 –> 00:59:40,880
Governance operating models have three components.
1525
00:59:40,880 –> 00:59:44,440
Ownership, decision rights, cadence.
1526
00:59:44,440 –> 00:59:45,440
First, ownership.
1527
00:59:45,440 –> 00:59:46,720
Somebody has to own the control plane.
1528
00:59:46,720 –> 00:59:47,720
Not everyone.
1529
00:59:47,720 –> 00:59:51,800
Not a committee that meets quarterly. One accountable person or a small office that
1530
00:59:51,800 –> 00:59:55,440
owns architectural intent and policy consistency.
1531
00:59:55,440 –> 00:59:58,120
At many organizations, this gets assigned to the CIO.
1532
00:59:58,120 –> 01:00:02,920
But if your CIO is spread across a hundred initiatives, ownership becomes meaningless.
1533
01:00:02,920 –> 01:00:05,160
Effective models establish a distinct role.
1534
01:00:05,160 –> 01:00:08,480
Chief architect, office of architecture, or governance council lead.
1535
01:00:08,480 –> 01:00:13,320
Someone whose primary responsibility, not secondary, not among other things, is ensuring
1536
01:00:13,320 –> 01:00:15,320
the control plane stays intact.
1537
01:00:15,320 –> 01:00:16,520
This ownership is active.
1538
01:00:16,520 –> 01:00:17,920
It’s not theoretical.
1539
01:00:17,920 –> 01:00:21,760
It’s weekly staff meetings where the architecture team reviews what’s being requested.
1540
01:00:21,760 –> 01:00:26,960
New applications, new integrations, new data classifications, new governance exceptions.
1541
01:00:26,960 –> 01:00:28,960
Every request flows through this office.
1542
01:00:28,960 –> 01:00:33,080
And the office has the authority to say no, not to obstruct, to enforce standards.
1543
01:00:33,080 –> 01:00:34,960
Second, decision rights.
1544
01:00:34,960 –> 01:00:36,600
Define explicitly who decides what.
1545
01:00:36,600 –> 01:00:39,360
This prevents the diffusion of responsibility that kills governance.
1546
01:00:39,360 –> 01:00:41,800
Who approves new applications? Not the business.
1547
01:00:41,800 –> 01:00:43,760
Specifically, the application review board.
1548
01:00:43,760 –> 01:00:47,240
Who has authority to create Copilot agents? The AI governance council.
1549
01:00:47,240 –> 01:00:50,560
Who decides data classifications? The data owner, with IT validation.
1550
01:00:50,560 –> 01:00:53,640
Who can request exceptions to conditional access policies?
1551
01:00:53,640 –> 01:00:57,840
The executive sponsor, with CISO sign-off. Write these down. Make them clear.
1552
01:00:57,840 –> 01:00:59,640
And then enforce them without exception.
1553
01:00:59,640 –> 01:01:01,640
Real exceptions happen, legitimate ones.
1554
01:01:01,640 –> 01:01:06,680
But if you grant exceptions without requiring explicit approval and documented business justification,
1555
01:01:06,680 –> 01:01:07,760
exceptions become the rule.
1556
01:01:07,760 –> 01:01:09,080
And rules become irrelevant.
1557
01:01:09,080 –> 01:01:10,680
Third, cadence.
1558
01:01:10,680 –> 01:01:13,400
Governance that operates only in crisis mode isn’t governance.
1559
01:01:13,400 –> 01:01:14,880
It’s damage control.
1560
01:01:14,880 –> 01:01:16,320
Establish three levels of rhythm.
1561
01:01:16,320 –> 01:01:17,320
Weekly operational.
1562
01:01:17,320 –> 01:01:22,080
The governance team meeting to review requests, approve standard decisions, identify anomalies.
1563
01:01:22,080 –> 01:01:23,600
Not long meetings, 30 minutes.
1564
01:01:23,600 –> 01:01:24,600
What came in this week?
1565
01:01:24,600 –> 01:01:25,600
Are we seeing drift?
1566
01:01:25,600 –> 01:01:26,920
Do we need to escalate anything?
1567
01:01:26,920 –> 01:01:27,920
Monthly tactical.
1568
01:01:27,920 –> 01:01:28,920
This is the broader review.
1569
01:01:28,920 –> 01:01:30,240
How are policies performing?
1570
01:01:30,240 –> 01:01:31,440
What did automation catch?
1571
01:01:31,440 –> 01:01:33,040
What required manual intervention?
1572
01:01:33,040 –> 01:01:34,520
Are there patterns we should address?
1573
01:01:34,520 –> 01:01:36,960
Are there new threats we need to govern against?
1574
01:01:36,960 –> 01:01:37,960
Quarterly strategic.
1575
01:01:37,960 –> 01:01:39,800
This is alignment with business outcomes.
1576
01:01:39,800 –> 01:01:42,480
Are our governance decisions supporting business goals?
1577
01:01:42,480 –> 01:01:44,920
Are we over-controlling and blocking innovation?
1578
01:01:44,920 –> 01:01:46,640
Are we under-controlling and exposing risk?
1579
01:01:46,640 –> 01:01:49,320
Do we need to adjust policies based on what we’ve learned?
1580
01:01:49,320 –> 01:01:51,960
This is the meeting that connects governance to business impact.
1581
01:01:51,960 –> 01:01:54,120
Tie this to outcomes.
1582
01:01:54,120 –> 01:01:59,000
Organizations with formal governance operating models achieve 130% or higher ROI in year
1583
01:01:59,000 –> 01:02:00,000
one.
1584
01:02:00,000 –> 01:02:04,000
Not through cost savings alone, but through the compounding effect of consistent decision making,
1585
01:02:04,000 –> 01:02:08,160
of reduced rework, of architects preventing problems instead of engineers fixing them
1586
01:02:08,160 –> 01:02:09,160
after the fact.
1587
01:02:09,160 –> 01:02:12,840
A global enterprise established an architecture council.
1588
01:02:12,840 –> 01:02:16,520
Representatives from IT, finance, security, and business met quarterly
1589
01:02:16,520 –> 01:02:20,040
and evaluated all new initiatives against architectural standards.
1590
01:02:20,040 –> 01:02:21,240
Caught problems early.
1591
01:02:21,240 –> 01:02:25,560
Within two years, they had reduced infrastructure change failures by 70%.
1592
01:02:25,560 –> 01:02:28,800
Because architectural intent was clear and decisions were coordinated.
1593
01:02:28,800 –> 01:02:29,880
Track metrics that matter.
1594
01:02:29,880 –> 01:02:33,000
Not adoption: cost per seat, feature utilization percentage.
1595
01:02:33,000 –> 01:02:35,280
Audit readiness score, breach risk score.
1596
01:02:35,280 –> 01:02:37,360
These connect governance to business reality.
1597
01:02:37,360 –> 01:02:39,040
Is your co-pilot adoption tracking?
1598
01:02:39,040 –> 01:02:41,360
Measure actual time saved, not just login events.
1599
01:02:41,360 –> 01:02:43,000
Are your license costs predictable?
1600
01:02:43,000 –> 01:02:44,760
Track cost per user by role.
1601
01:02:44,760 –> 01:02:46,840
Is your security posture hardening?
1602
01:02:46,840 –> 01:02:51,360
Measure your conditional access coverage, your MFA adoption rate, your unmanaged device exposure.
1603
01:02:51,360 –> 01:02:53,120
These metrics create accountability.
1604
01:02:53,120 –> 01:02:54,600
The governance team owns them.
1605
01:02:54,600 –> 01:02:56,000
They report quarterly.
1606
01:02:56,000 –> 01:02:59,840
When metrics drift, someone has to explain why and what they’re doing to fix it.
1607
01:02:59,840 –> 01:03:01,040
This is not optional.
1608
01:03:01,040 –> 01:03:02,960
This is foundational.
1609
01:03:02,960 –> 01:03:06,160
Without an operating model to sustain it, your recovery becomes temporary.
1610
01:03:06,160 –> 01:03:08,640
Within 18 months, you’re back where you started.
1611
01:03:08,640 –> 01:03:11,720
Slightly more expensive, but fundamentally unchanged.
1612
01:03:11,720 –> 01:03:14,280
With it, governance becomes a permanent capability.
1613
01:03:14,280 –> 01:03:17,840
Something the organization does, not something it periodically attempts.
1614
01:03:17,840 –> 01:03:20,720
The executive prescription, what leadership must do.
1615
01:03:20,720 –> 01:03:22,120
Here is what needs to happen.
1616
01:03:22,120 –> 01:03:23,120
Not eventually.
1617
01:03:23,120 –> 01:03:27,360
Before your next renewal, before the July 2026 price increases, force your hand.
1618
01:03:27,360 –> 01:03:30,080
Demand an architecture audit before your next license renewal.
1619
01:03:30,080 –> 01:03:31,080
Not a vendor assessment.
1620
01:03:31,080 –> 01:03:32,400
Not a feature comparison.
1621
01:03:32,400 –> 01:03:33,560
An actual audit.
1622
01:03:33,560 –> 01:03:37,360
Someone independent (not your infrastructure team; they have an incentive to minimize problems)
1623
01:03:37,360 –> 01:03:38,880
comes in and maps your tenant.
1624
01:03:38,880 –> 01:03:39,880
What’s actually running?
1625
01:03:39,880 –> 01:03:40,880
What’s being used?
1626
01:03:40,880 –> 01:03:41,880
What’s decaying?
1627
01:03:41,880 –> 01:03:42,880
What’s the compliance posture?
1628
01:03:42,880 –> 01:03:44,240
What’s the governance maturity?
1629
01:03:44,240 –> 01:03:45,240
What’s the secondary?
1630
01:03:45,240 –> 01:03:46,800
Truth is primary.
1631
01:03:46,800 –> 01:03:50,240
This audit produces three artifacts, first a baseline of where you are.
1632
01:03:50,240 –> 01:03:51,360
What’s the current leakage?
1633
01:03:51,360 –> 01:03:52,880
How much license waste exists?
1634
01:03:52,880 –> 01:03:53,880
What’s your security debt?
1635
01:03:53,880 –> 01:03:55,040
Second, a gap analysis.
1636
01:03:55,040 –> 01:03:59,640
If you want to achieve a specific level of governance maturity, what do you need to change?
1637
01:03:59,640 –> 01:04:01,280
Third, a recovery roadmap.
1638
01:04:01,280 –> 01:04:02,280
90 days.
1639
01:04:02,280 –> 01:04:03,280
Minimum.
1640
01:04:03,280 –> 01:04:04,280
Clear milestones.
1641
01:04:04,280 –> 01:04:05,280
Economic outcomes measured.
1642
01:04:05,280 –> 01:04:06,600
This audit is not free.
1643
01:04:06,600 –> 01:04:09,960
Plan for 50,000 to 150,000 depending on size.
1644
01:04:09,960 –> 01:04:10,960
That’s not an expense.
1645
01:04:10,960 –> 01:04:14,960
Insurance.
1646
01:04:14,960 –> 01:04:17,560
Your assumptions are wrong.
1647
01:04:17,560 –> 01:04:19,160
Everyone’s assumptions are wrong.
1648
01:04:19,160 –> 01:04:23,000
Require quarterly economic outcome reporting tied to your Microsoft spend.
1649
01:04:23,000 –> 01:04:28,480
Your CFO shouldn’t see a line item that says “Microsoft 365: $3.2 million.”
1650
01:04:28,480 –> 01:04:31,880
Your CFO should see “Microsoft 365: $3.2 million.
1651
01:04:31,880 –> 01:04:33,280
ROI outcomes:
1652
01:04:33,280 –> 01:04:36,040
reduced time to onboard by 25%,
1653
01:04:36,040 –> 01:04:40,280
automated 86% of access requests, prevented four compliance failures.”
1654
01:04:40,280 –> 01:04:41,280
That’s a conversation.
1655
01:04:41,280 –> 01:04:42,280
That’s governance.
1656
01:04:42,280 –> 01:04:44,440
Establish a control plane governance model with clear ownership.
1657
01:04:44,440 –> 01:04:45,920
Assign someone.
1658
01:04:45,920 –> 01:04:46,920
Explicitly.
1659
01:04:46,920 –> 01:04:49,000
Not a committee, not a part-time responsibility.
1660
01:04:49,000 –> 01:04:52,600
Someone whose primary job is ensuring architectural intent gets enforced.
1661
01:04:52,600 –> 01:04:55,120
Give them authority to approve or reject requests.
1662
01:04:55,120 –> 01:04:56,120
Give them budget.
1663
01:04:56,120 –> 01:04:57,440
Measure them by system health.
1664
01:04:57,440 –> 01:04:59,080
Not by features shipped.
1665
01:04:59,080 –> 01:05:02,120
Map licensing SKUs to organizational roles and capabilities.
1666
01:05:02,120 –> 01:05:04,360
This is unglamorous work, but it’s mandatory.
1667
01:05:04,360 –> 01:05:05,360
You need a matrix.
1668
01:05:05,360 –> 01:05:09,480
Finance roles require E5 because they need advanced threat intelligence and premium
1669
01:05:09,480 –> 01:05:10,880
connectors.
1670
01:05:10,880 –> 01:05:15,360
Engineering roles require E3 because they need collaboration but not premium security.
1671
01:05:15,360 –> 01:05:18,720
Support roles require Business Standard because they need email and Teams and nothing
1672
01:05:18,720 –> 01:05:19,720
else.
1673
01:05:19,720 –> 01:05:20,720
Write this down.
1674
01:05:20,720 –> 01:05:22,840
Make it policy and enforce it.
1675
01:05:22,840 –> 01:05:25,960
Implement automated compliance monitoring for regulatory requirements.
1676
01:05:25,960 –> 01:05:29,480
If you’re a defense contractor, you need to know continuously whether you’re maintaining
1677
01:05:29,480 –> 01:05:31,160
CMMC compliance.
1678
01:05:31,160 –> 01:05:32,160
Not at audit time.
1679
01:05:32,160 –> 01:05:33,160
Continuously.
1680
01:05:33,160 –> 01:05:37,160
If you’re in health care, you need to know whether your HIPAA controls are intact, automated,
1681
01:05:37,160 –> 01:05:38,160
real-time.
1682
01:05:38,160 –> 01:05:39,160
It requires tooling.
1683
01:05:39,160 –> 01:05:40,160
It requires investment.
1684
01:05:40,160 –> 01:05:41,160
It’s non-negotiable.
1685
01:05:41,160 –> 01:05:42,160
Real story.
1686
01:05:42,160 –> 01:05:46,680
A CFO at a mid-market organization demanded an ROI model before approving the co-pilot rollout.
1687
01:05:46,680 –> 01:05:47,680
The team pushed back.
1688
01:05:47,680 –> 01:05:48,680
Just let us pilot it.
1689
01:05:48,680 –> 01:05:49,680
See how adoption goes.
1690
01:05:49,680 –> 01:05:50,680
The CFO said no.
1691
01:05:50,680 –> 01:05:51,680
Show me the model.
1692
01:05:51,680 –> 01:05:53,400
Show me what time savings will achieve.
1693
01:05:53,400 –> 01:05:55,400
Show me how that translates to economic value.
1694
01:05:55,400 –> 01:05:58,280
They built the model and they discovered something.
1695
01:05:58,280 –> 01:06:03,240
40% of existing E5 licenses could be downgraded to E3 because users weren’t using the premium
1696
01:06:03,240 –> 01:06:05,480
connectors or the advanced security features.
1697
01:06:05,480 –> 01:06:08,200
They were just using the basic collaboration tools.
1698
01:06:08,200 –> 01:06:12,520
40% that’s hundreds of thousands of dollars recovered before they spent a dime on co-pilot.
1699
01:06:12,520 –> 01:06:15,560
The CFO’s insistence on economic modeling exposed the real problem.
1700
01:06:15,560 –> 01:06:16,880
Here’s the conversation starter.
1701
01:06:16,880 –> 01:06:21,640
If you cannot explain your Microsoft strategy in economic terms, you don’t have a strategy.
1702
01:06:21,640 –> 01:06:22,640
You have a shopping list.
1703
01:06:22,640 –> 01:06:25,680
A strategy connects technical decisions to business outcomes.
1704
01:06:25,680 –> 01:06:29,840
The strategy says we’re implementing this control because it reduces risk.
1705
01:06:29,840 –> 01:06:32,480
Or we’re decommissioning that because it’s not driving value.
1706
01:06:32,480 –> 01:06:36,360
Or we’re investing in governance because the savings from automation exceed the cost
1707
01:06:36,360 –> 01:06:37,600
by 5 to 1.
1708
01:06:37,600 –> 01:06:40,320
If you can’t say those things, you don’t have a strategy.
1709
01:06:40,320 –> 01:06:41,840
And here’s the non-negotiable.
1710
01:06:41,840 –> 01:06:43,640
Procurement is not transformation.
1711
01:06:43,640 –> 01:06:44,640
Architecture is.
1712
01:06:44,640 –> 01:06:45,640
Stop conflating the two.
1713
01:06:45,640 –> 01:06:46,640
Buying tools is easy.
1714
01:06:46,640 –> 01:06:47,640
Building systems is hard.
1715
01:06:47,640 –> 01:06:48,640
One is a transaction.
1716
01:06:48,640 –> 01:06:49,920
The other is a capability.
1717
01:06:49,920 –> 01:06:51,240
One generates a purchase order.
1718
01:06:51,240 –> 01:06:53,080
The other generates economic value.
1719
01:06:53,080 –> 01:06:56,640
Your job as a leader is to demand architecture, not procurement.
1720
01:06:56,640 –> 01:07:00,320
Demand that before you renew, someone explains to you how your Microsoft tenant is actually
1721
01:07:00,320 –> 01:07:04,680
organized, what the control plane looks like, how decisions are enforced, what’s working,
1722
01:07:04,680 –> 01:07:07,280
what’s decaying, what the economics actually are.
1723
01:07:07,280 –> 01:07:08,280
That’s leadership.
1724
01:07:08,280 –> 01:07:09,960
Everything else is just spending money.
1725
01:07:09,960 –> 01:07:10,960
The uncomfortable truth.
1726
01:07:10,960 –> 01:07:12,280
Why this matters now?
1727
01:07:12,280 –> 01:07:13,760
This is not a 2027 problem.
1728
01:07:13,760 –> 01:07:15,080
This is a ’26 problem.
1729
01:07:15,080 –> 01:07:16,080
And it’s already here.
1730
01:07:16,080 –> 01:07:21,160
Microsoft is increasing prices 9 to 33% effective July 1, 2026.
1731
01:07:21,160 –> 01:07:22,200
That date is approaching.
1732
01:07:22,200 –> 01:07:25,160
For most organizations, that’s your next renewal window.
1733
01:07:25,160 –> 01:07:27,320
The question isn’t whether prices are going up.
1734
01:07:27,320 –> 01:07:31,320
The question is whether you’ll be paying higher prices on a rationalized tenant or a
1735
01:07:31,320 –> 01:07:32,360
decayed one.
1736
01:07:32,360 –> 01:07:36,760
If you rationalize now, before renewal, you recover license waste while you’re still paying
1737
01:07:36,760 –> 01:07:37,760
current pricing.
1738
01:07:37,760 –> 01:07:43,040
A 30% cost reduction on your E5 mix locked in at today’s rates survives the July increase.
1739
01:07:43,040 –> 01:07:47,440
If you wait until after the increase, you’re recovering 30% over a higher base.
1740
01:07:47,440 –> 01:07:49,160
You’re optimizing at a disadvantage.
1741
01:07:49,160 –> 01:07:52,440
The arithmetic is stark. A global firm delayed rationalization.
1742
01:07:52,440 –> 01:07:54,960
They told themselves they’d address it after their renewal.
1743
01:07:54,960 –> 01:07:57,720
Their renewal landed two weeks after the price increase.
1744
01:07:57,720 –> 01:07:59,360
They tried to right-size licenses then.
1745
01:07:59,360 –> 01:08:01,800
They recovered 100,000 in quarterly waste.
1746
01:08:01,800 –> 01:08:05,680
But they were recovering it from a base that had already increased by 300,000.
1747
01:08:05,680 –> 01:08:06,680
They optimized too late.
1748
01:08:06,680 –> 01:08:11,200
They’re now paying 200,000 more annually than if they had acted before the increase.
1749
01:08:11,200 –> 01:08:12,680
The second pressure is regulatory.
1750
01:08:12,680 –> 01:08:14,840
The compliance landscape is tightening, not loosening.
1751
01:08:14,840 –> 01:08:16,960
CMMC 2.0 enforcement is not optional.
1752
01:08:16,960 –> 01:08:18,600
It’s not something to handle eventually.
1753
01:08:18,600 –> 01:08:19,600
It’s here.
1754
01:08:19,600 –> 01:08:22,800
And if you’re a defense contractor and you’re not already in GCC High, you’re operating
1755
01:08:22,800 –> 01:08:23,800
on borrowed time.
1756
01:08:23,800 –> 01:08:25,320
The customer will enforce it.
1757
01:08:25,320 –> 01:08:26,720
Your contract depends on it.
1758
01:08:26,720 –> 01:08:28,760
Waiting until you lose the contract is expensive.
1759
01:08:28,760 –> 01:08:32,400
Beyond CMMC, state level AI regulation is accelerating.
1760
01:08:32,400 –> 01:08:36,800
38 US states enacted roughly 100 AI measures in 2025.
1761
01:08:36,800 –> 01:08:39,480
The number is growing and regulations require governance.
1762
01:08:39,480 –> 01:08:41,680
Real governance, not policies written in English.
1763
01:08:41,680 –> 01:08:44,600
Automated enforcement, audit trails, human oversight.
1764
01:08:44,600 –> 01:08:46,320
These are not optional nice-to-haves.
1765
01:08:46,320 –> 01:08:48,960
These are requirements and they’re expensive to retrofit.
1766
01:08:48,960 –> 01:08:50,960
The third pressure is threat velocity.
1767
01:08:50,960 –> 01:08:53,320
Tenant level attacks are becoming more sophisticated.
1768
01:08:53,320 –> 01:08:56,840
63% of M365 tenants face configuration tampering.
1769
01:08:56,840 –> 01:08:58,440
And here’s the architectural consequence.
1770
01:08:58,440 –> 01:09:01,560
Microsoft doesn’t natively back up tenant configurations.
1771
01:09:01,560 –> 01:09:04,560
You deploy a conditional access policy and an attacker modifies it.
1772
01:09:04,560 –> 01:09:06,000
You have no recovery point.
1773
01:09:06,000 –> 01:09:07,000
No native rollback.
1774
01:09:07,000 –> 01:09:09,000
You’re reconstructing from logs if you’re lucky.
1775
01:09:09,000 –> 01:09:10,520
If you’re not, you’re rebuilding.
1776
01:09:10,520 –> 01:09:11,840
That’s not a theoretical risk.
1777
01:09:11,840 –> 01:09:15,920
That’s your architecture exposing you to extended downtime with no recovery path.
1778
01:09:15,920 –> 01:09:17,960
The fourth pressure is AI sprawl.
1779
01:09:17,960 –> 01:09:20,200
And this one’s moving faster than you can see it.
1780
01:09:20,200 –> 01:09:25,440
80% of Fortune 500 companies are using active AI agents, 80% and most of them have no formal
1781
01:09:25,440 –> 01:09:28,080
strategy for agent identity management.
1782
01:09:28,080 –> 01:09:29,680
No governance, no boundaries.
1783
01:09:29,680 –> 01:09:34,160
Agents are proliferating, consuming credits, accessing data, operating without oversight.
1784
01:09:34,160 –> 01:09:35,920
Co-pilot itself burns tokens fast.
1785
01:09:35,920 –> 01:09:37,440
The cost model isn’t linear.
1786
01:09:37,440 –> 01:09:39,280
Popular agents accelerate consumption.
1787
01:09:39,280 –> 01:09:43,240
And without capacity planning, without governance, without boundaries, your co-pilot budget becomes
1788
01:09:43,240 –> 01:09:44,240
unpredictable.
1789
01:09:44,240 –> 01:09:48,040
The tenant debt of unmanaged agents is real and it’s compounding faster than cleanup can
1790
01:09:48,040 –> 01:09:49,040
address it.
1791
01:09:49,040 –> 01:09:53,360
Here’s what ties all four pressures together: the window for proactive architecture is closing.
1792
01:09:53,360 –> 01:09:57,920
Every month you delay recovery, you’re storing up compound problems: more orphaned applications
1793
01:09:57,920 –> 01:10:01,960
accumulate, more permissions drift, more inactive licenses get billed, more technical debt
1794
01:10:01,960 –> 01:10:05,440
accrues and every month the cost of fixing it later increases.
1795
01:10:05,440 –> 01:10:08,360
Organizations that act now, in the next 90 days, have leverage.
1796
01:10:08,360 –> 01:10:10,760
You can recover licenses before the price increase.
1797
01:10:10,760 –> 01:10:14,520
You can rationalize co-pilot costs before agent sprawl becomes unmanageable.
1798
01:10:14,520 –> 01:10:18,080
You can implement governance frameworks before regulatory audits expose gaps.
1799
01:10:18,080 –> 01:10:22,560
You can build a control plane while you still have the organizational bandwidth to do it.
1800
01:10:22,560 –> 01:10:24,400
Organizations that wait face a different arithmetic.
1801
01:10:24,400 –> 01:10:26,840
They’ll pay higher prices on misaligned licenses.
1802
01:10:26,840 –> 01:10:29,440
They’ll face compliance fines because governance wasn’t in place.
1803
01:10:29,440 –> 01:10:33,200
They’ll have security incidents from unmanaged agents and permissions sprawl.
1804
01:10:33,200 –> 01:10:35,800
And they’ll pay crisis premiums to fix all of it at once.
1805
01:10:35,800 –> 01:10:36,800
This is not doom.
1806
01:10:36,800 –> 01:10:38,280
This is inevitability.
1807
01:10:38,280 –> 01:10:40,080
This is what happens when debt compounds.
1808
01:10:40,080 –> 01:10:41,840
The question isn’t whether it will happen.
1809
01:10:41,840 –> 01:10:45,280
It’s whether you’ll address it proactively or reactively.
1810
01:10:45,280 –> 01:10:46,640
The final diagnosis.
1811
01:10:46,640 –> 01:10:47,680
Here’s what I know.
1812
01:10:47,680 –> 01:10:49,560
Your Microsoft tenant is leaking millions.
1813
01:10:49,560 –> 01:10:51,280
You’re financing your own decay.
1814
01:10:51,280 –> 01:10:52,280
And you can stop it.
1815
01:10:52,280 –> 01:10:53,280
The problem is not Microsoft.
1816
01:10:53,280 –> 01:10:56,440
It is the absence of economic ownership in your architecture.
1817
01:10:56,440 –> 01:10:58,160
The solution is not more tools.
1818
01:10:58,160 –> 01:10:59,160
It is a control plane.
1819
01:10:59,160 –> 01:11:00,640
The timeline is not eventually.
1820
01:11:00,640 –> 01:11:01,640
It is now.
1821
01:11:01,640 –> 01:11:02,640
Remember this.
1822
01:11:02,640 –> 01:11:03,640
This is not about tools.
1823
01:11:03,640 –> 01:11:04,640
This is about economic ownership.
1824
01:11:04,640 –> 01:11:05,640
Audit your tenant.
1825
01:11:05,640 –> 01:11:06,640
Establish governance ownership.
1826
01:11:06,640 –> 01:11:07,640
Measure economic outcomes.
1827
01:11:07,640 –> 01:11:09,320
Do it in the next 90 days.
1828
01:11:09,320 –> 01:11:10,360
Your margins depend on it.