
1
00:00:00,000 –> 00:00:02,560
Most believe hire to retire is a smooth life cycle.
2
00:00:02,560 –> 00:00:03,400
It is not.
3
00:00:03,400 –> 00:00:08,160
Architecturally, it’s a transactional relic trying to govern dynamic cross-system reality.
4
00:00:08,160 –> 00:00:12,480
If your HR team debugs Power Automate flows more than they design policy, this episode
5
00:00:12,480 –> 00:00:13,480
is about you.
6
00:00:13,480 –> 00:00:16,480
Today, we’re diagnosing failure patterns, not symptoms.
7
00:00:16,480 –> 00:00:20,840
You’ll get a new mental model, a diagnostic checklist, and a reference architecture that
8
00:00:20,840 –> 00:00:21,840
survives AI.
9
00:00:21,840 –> 00:00:23,120
Here’s the hard truth.
10
00:00:23,120 –> 00:00:26,400
If the model is wrong, every workflow you build on it decays.
11
00:00:26,400 –> 00:00:27,400
Fast.
12
00:00:27,400 –> 00:00:28,400
And AI won’t fix it.
13
00:00:28,400 –> 00:00:29,400
It will expose it.
14
00:00:29,400 –> 00:00:33,440
Let’s make the underlying system visible, explainable, and finally governable.
15
00:00:33,440 –> 00:00:36,840
The foundational misunderstanding: what hire to retire actually is.
16
00:00:36,840 –> 00:00:38,520
The false belief is simple.
17
00:00:38,520 –> 00:00:40,000
Hire to retire is a process.
18
00:00:40,000 –> 00:00:41,000
It isn’t.
19
00:00:41,000 –> 00:00:44,720
In practice, hire to retire is a story organizations tell themselves to feel linearity
20
00:00:44,720 –> 00:00:46,040
when none exists.
21
00:00:46,040 –> 00:00:49,480
Architecturally, it’s a narrative overlay sitting on top of heterogeneous systems, each making
22
00:00:49,480 –> 00:00:53,520
decisions for its own reasons at its own cadence, with incomplete context.
23
00:00:53,520 –> 00:00:55,160
That distinction matters.
24
00:00:55,160 –> 00:00:57,840
What actually runs is a distributed decision engine.
25
00:00:57,840 –> 00:00:59,320
HR databases,
26
00:00:59,320 –> 00:01:00,320
identity services,
27
00:01:00,320 –> 00:01:01,320
payroll,
28
00:01:01,320 –> 00:01:02,320
benefits,
29
00:01:02,320 –> 00:01:03,320
compliance tooling,
30
00:01:03,320 –> 00:01:04,320
collaboration platforms
31
00:01:04,320 –> 00:01:05,320
and integration glue,
32
00:01:05,320 –> 00:01:06,920
each with its own schema,
33
00:01:06,920 –> 00:01:07,920
state machine
34
00:01:07,920 –> 00:01:08,920
and error semantics.
35
00:01:08,920 –> 00:01:13,400
Any wizard in one system triggers asynchronous updates in others, which recompute
36
00:01:13,400 –> 00:01:17,360
entitlements, create conflicts, and leave artifacts that look final but aren’t.
37
00:01:17,360 –> 00:01:20,480
The process is a stitched timeline of partial truths.
38
00:01:20,480 –> 00:01:25,520
The foundational mistake is enforcing static, form-driven transactions on top of dynamic
39
00:01:25,520 –> 00:01:26,720
obligations.
40
00:01:26,720 –> 00:01:31,920
A hire is not a single event; it’s a burst of obligations, capability provisioning,
41
00:01:31,920 –> 00:01:36,440
legal and policy constraints and identity relationships emitted into multiple systems
42
00:01:36,440 –> 00:01:39,200
that do not agree on timing or definition.
43
00:01:39,200 –> 00:01:41,040
A transfer is not a button.
44
00:01:41,040 –> 00:01:45,480
It’s a renegotiation of entitlements across job, location, risk posture, and supervision.
45
00:01:45,480 –> 00:01:47,720
A termination is not an off switch.
46
00:01:47,720 –> 00:01:52,360
It’s a tail of residual access, data retention duties, and jurisdictional rules that don’t
47
00:01:52,360 –> 00:01:54,400
align with an HR checkbox.
48
00:01:54,400 –> 00:01:56,200
Once you see this, the friction looks inevitable.
49
00:01:56,200 –> 00:01:57,840
You create a job requisition.
50
00:01:57,840 –> 00:02:02,000
Somewhere else identity waits for a signal to provision access, but the position isn’t fully
51
00:02:02,000 –> 00:02:03,000
defined.
52
00:02:03,000 –> 00:02:07,240
Payroll wants cost centers, compliance wants attestations, IT wants device baselines.
53
00:02:07,240 –> 00:02:11,400
None of those systems read the same source at the same time in the same way.
54
00:02:11,400 –> 00:02:15,480
The neat life cycle boxes hide that you’re pushing intent into systems that can’t represent
55
00:02:15,480 –> 00:02:16,480
it.
56
00:02:16,480 –> 00:02:17,720
This leads to brittle workflows.
57
00:02:17,720 –> 00:02:18,720
Forms capture snapshots.
58
00:02:18,720 –> 00:02:20,000
Reality is continuous.
59
00:02:20,000 –> 00:02:24,200
You freeze decisions at step boundaries, stage transitions, approvals and status fields
60
00:02:24,200 –> 00:02:27,080
because the tool needs a state, but your obligations move.
61
00:02:27,080 –> 00:02:31,400
People start early, managers change late, exceptions stack up, and edge cases become the
62
00:02:31,400 –> 00:02:32,400
rule.
63
00:02:32,400 –> 00:02:33,400
Hidden state blooms.
64
00:02:33,400 –> 00:02:37,840
Email templates with business logic, screening questions acting like policy gates, temporary
65
00:02:37,840 –> 00:02:39,880
exception flags that never expire.
66
00:02:39,880 –> 00:02:42,680
The system you operate is not the one you diagrammed.
67
00:02:42,680 –> 00:02:46,240
It’s the one encoded in thousands of small configuration choices.
68
00:02:46,240 –> 00:02:47,560
And here’s the uncomfortable truth.
69
00:02:47,560 –> 00:02:49,240
Policy migrates to the wrong places.
70
00:02:49,240 –> 00:02:53,680
Instead of living in a policy plane as a versioned, testable, human readable corpus,
71
00:02:53,680 –> 00:02:58,400
it gets embedded in workflow definitions, role mappings and connector conditions.
72
00:02:58,400 –> 00:03:02,280
When policy lives in workflows, every workflow becomes a policy fork.
73
00:03:02,280 –> 00:03:06,520
With every just this once, deterministic intent becomes probabilistic outcome.
74
00:03:06,520 –> 00:03:09,800
The more you optimize locally, the more incoherence you create globally.
75
00:03:09,800 –> 00:03:10,800
Why does this matter now?
76
00:03:10,800 –> 00:03:13,240
Because AI amplifies drift, it doesn’t heal it.
77
00:03:13,240 –> 00:03:14,800
Models learn from artifacts.
78
00:03:14,800 –> 00:03:19,720
If intent is implicit and scattered, AI infers policy from stale templates, inconsistent
79
00:03:19,720 –> 00:03:21,840
labels and noisy histories.
80
00:03:21,840 –> 00:03:26,240
Ask it to recommend next steps and it will mirror the chaos you already have, only faster.
81
00:03:26,240 –> 00:03:28,520
You gave it anecdotes and told it to generalize.
82
00:03:28,520 –> 00:03:30,560
Consider how this plays out at the edges.
83
00:03:30,560 –> 00:03:35,160
An HR system marks a candidate as ready to hire, but the identity service needs a security
84
00:03:35,160 –> 00:03:37,240
role not present in HR.
85
00:03:37,240 –> 00:03:41,360
So someone adds a manual mapping in an integration flow, then a different jurisdiction introduces
86
00:03:41,360 –> 00:03:45,880
a new leave entitlement, which gets hard coded into a downstream system’s workflow.
87
00:03:45,880 –> 00:03:48,320
Then a merger brings duplicate identities.
88
00:03:48,320 –> 00:03:52,560
The least bad path is to reconcile titles in a spreadsheet and push overrides.
89
00:03:52,560 –> 00:03:55,640
Each step solves the local problem while quietly forking policy.
90
00:03:55,640 –> 00:04:00,640
Over time, your life cycle becomes a garden of divergent micro-policies no one can enumerate.
91
00:04:00,640 –> 00:04:02,320
This is not an implementation mistake.
92
00:04:02,320 –> 00:04:06,200
It’s an architectural consequence of using static, stage-based models to govern dynamic
93
00:04:06,200 –> 00:04:07,720
cross-system obligations.
94
00:04:07,720 –> 00:04:11,640
The life cycle narrative encourages you to believe stages are boundaries of truth.
95
00:04:11,640 –> 00:04:15,320
They are not; they are merely UI conveniences, good for forms, weak for enforcement.
96
00:04:15,320 –> 00:04:19,960
And when obligation definitions change because of law, risk or business, your stage logic
97
00:04:19,960 –> 00:04:23,000
lags, your integrations patch and your identity graph diverges.
98
00:04:23,000 –> 00:04:25,840
There’s also the illusion of a single system of record.
99
00:04:25,840 –> 00:04:28,880
In theory, HR is authoritative for worker status.
100
00:04:28,880 –> 00:04:31,160
In practice, the control plane lives elsewhere.
101
00:04:31,160 –> 00:04:35,120
Identity governs access, compliance governs evidence and collaboration platforms govern
102
00:04:35,120 –> 00:04:36,360
data sprawl.
103
00:04:36,360 –> 00:04:41,280
When those disagree, the life cycle story breaks in the only place that matters.
104
00:04:41,280 –> 00:04:42,280
Enforcement.
105
00:04:42,280 –> 00:04:46,400
The person is terminated in HR but still has residual access because an exception lived
106
00:04:46,400 –> 00:04:47,720
in a connector.
107
00:04:47,720 –> 00:04:50,880
The life cycle said end; the system said later.
108
00:04:50,880 –> 00:04:53,080
So what is hire to retire architecturally?
109
00:04:53,080 –> 00:04:57,560
It’s a stream of facts about people, roles and obligations emitted over time, consumed by
110
00:04:57,560 –> 00:04:59,800
systems with different models of truth.
111
00:04:59,800 –> 00:05:03,000
Treat it like a wizard and you’ll keep encoding policy into workflows.
112
00:05:03,000 –> 00:05:06,880
Treat it like an obligation and identity orchestration problem and you can start separating
113
00:05:06,880 –> 00:05:10,920
intent from execution, facts from flows and policy from configuration.
114
00:05:10,920 –> 00:05:13,600
That’s the shift we are making today.
115
00:05:13,600 –> 00:05:14,600
Configuration entropy.
116
00:05:14,600 –> 00:05:16,480
How setup becomes the system.
117
00:05:16,480 –> 00:05:20,840
Okay, so basically, once you accept that hire to retire is an obligation stream, not a
118
00:05:20,840 –> 00:05:25,760
wizard, you can see why configuration becomes the de facto law of the land.
119
00:05:25,760 –> 00:05:29,200
Every template, drop-down, stage and connector is a decision node.
120
00:05:29,200 –> 00:05:33,600
They accumulate and the more they accumulate, the less your original intent shows up in
121
00:05:33,600 –> 00:05:34,600
the outcome.
122
00:05:34,600 –> 00:05:35,600
Think of it like this.
123
00:05:35,600 –> 00:05:37,800
You open an admin panel to improve a process.
124
00:05:37,800 –> 00:05:41,800
You add a screening question, you tune an email template with a conditional paragraph.
125
00:05:41,800 –> 00:05:45,880
You insert a hidden stage so a manager can add a note before an offer.
126
00:05:45,880 –> 00:05:47,400
None of that looks like policy.
127
00:05:47,400 –> 00:05:48,760
It looks like helpful setup.
128
00:05:48,760 –> 00:05:52,600
But in a distributed decision engine, each of those toggles becomes a micro-policy.
129
00:05:52,600 –> 00:05:56,280
Do it a hundred times across systems and you’ve created a policy surface area your governance
130
00:05:56,280 –> 00:05:58,880
never proved and your auditors can’t enumerate.
131
00:05:58,880 –> 00:06:00,520
Here’s the weird part.
132
00:06:00,520 –> 00:06:02,600
Configuration entropy isn’t a configuration problem.
133
00:06:02,600 –> 00:06:06,640
It’s an architectural inevitability in systems where policy intent isn’t first class.
134
00:06:06,640 –> 00:06:07,960
The velocity is what hurts you.
135
00:06:07,960 –> 00:06:09,280
The problem isn’t complexity.
136
00:06:09,280 –> 00:06:13,240
It’s the speed at which configuration diverges faster than intent can be reconciled.
137
00:06:13,240 –> 00:06:15,040
You write a policy memo once a quarter.
138
00:06:15,040 –> 00:06:16,640
You create five exceptions a week.
139
00:06:16,640 –> 00:06:18,120
Guess which wins.
140
00:06:18,120 –> 00:06:19,120
Where does it hide?
141
00:06:19,120 –> 00:06:21,600
Everywhere policy can piggyback without being named.
142
00:06:21,600 –> 00:06:25,280
Email templates that use subject lines to encode urgency classes.
143
00:06:25,280 –> 00:06:28,640
Screening logic with preferred answers that silently act as gates.
144
00:06:28,640 –> 00:06:32,880
Stage definitions that imply risk classification because a given step is only available to
145
00:06:32,880 –> 00:06:34,120
certain roles.
146
00:06:34,120 –> 00:06:35,720
Exception flags with no time to live.
147
00:06:35,720 –> 00:06:40,840
Retention settings in downstream systems that contradict HR’s stated data policy because
148
00:06:40,840 –> 00:06:42,920
the tool’s default wasn’t reviewed.
149
00:06:42,920 –> 00:06:44,640
Each is small, local and rational.
150
00:06:44,640 –> 00:06:47,040
Together they are your operating model.
151
00:06:47,040 –> 00:06:48,040
And here’s the cost.
152
00:06:48,040 –> 00:06:50,160
Debugging workflows becomes your operating model.
153
00:06:50,160 –> 00:06:53,160
You stop designing policy and start tracing side effects.
154
00:06:53,160 –> 00:06:54,680
Why did this person keep access?
155
00:06:54,680 –> 00:06:58,040
Because a connector masked a terminated event with a retrieval error.
156
00:06:58,040 –> 00:06:59,560
Why did this candidate get rejected?
157
00:06:59,560 –> 00:07:02,920
Because a template overrode the recruiter’s intent with an old rule about certifications
158
00:07:02,920 –> 00:07:03,920
in one region.
159
00:07:03,920 –> 00:07:05,680
Why did this transfer take three days?
160
00:07:05,680 –> 00:07:10,640
Because a stage named manager approval was actually a risk attestation with a hidden branch
161
00:07:10,640 –> 00:07:12,400
and the attestor changed departments.
162
00:07:12,400 –> 00:07:15,760
You can’t reason about any of this from the life cycle diagram.
163
00:07:15,760 –> 00:07:17,720
You have to read the configuration tea leaves.
164
00:07:17,720 –> 00:07:19,240
AI won’t save you here.
165
00:07:19,240 –> 00:07:20,760
Models infer from artifacts.
166
00:07:20,760 –> 00:07:22,120
Not unspoken intent.
167
00:07:22,120 –> 00:07:26,840
If your policy is scattered across templates, stages and connector conditions, the model
168
00:07:26,840 –> 00:07:28,080
learns the noise.
169
00:07:28,080 –> 00:07:31,120
Ask a copilot to summarize hiring policy.
170
00:07:31,120 –> 00:07:35,120
And it will assemble an answer from email phrasing, stale job ad fragments and an
171
00:07:35,120 –> 00:07:37,240
unversioned SharePoint PDF.
172
00:07:37,240 –> 00:07:39,720
Ask an agent to decide ready to hire.
173
00:07:39,720 –> 00:07:44,080
And it will generalize from inconsistent labels, absorbing the bias you buried in one recruiter’s
174
00:07:44,080 –> 00:07:45,960
qualification steps seven months ago.
175
00:07:45,960 –> 00:07:47,840
You gave it anecdotes and asked for doctrine.
176
00:07:47,840 –> 00:07:49,800
Okay, what about better governance and setup?
177
00:07:49,800 –> 00:07:52,080
Necessary but insufficient.
178
00:07:52,080 –> 00:07:55,440
Centralizing template libraries and enforcing naming standards reduces entropy growth,
179
00:07:55,440 –> 00:07:56,480
but it doesn’t reverse it.
180
00:07:56,480 –> 00:07:57,480
Why?
181
00:07:57,480 –> 00:07:59,640
Because the system still treats policy as configuration.
182
00:07:59,640 –> 00:08:03,080
That means your only levers are review and restraint, which fail under pressure.
183
00:08:03,080 –> 00:08:04,680
A rush hire gets an exception.
184
00:08:04,680 –> 00:08:07,080
A global rollout gets a regional override.
185
00:08:07,080 –> 00:08:10,360
These pile up into new baselines; entropy wins by default.
186
00:08:10,360 –> 00:08:11,880
Let’s make the pattern practical.
187
00:08:11,880 –> 00:08:16,040
Three categories account for most configuration-generated policy.
188
00:08:16,040 –> 00:08:18,400
Presentation masquerading as policy:
189
00:08:18,400 –> 00:08:21,920
Templates, signatures, subject lines, inline guidance.
190
00:08:21,920 –> 00:08:25,560
If it nudges decisions differently by audience or region, it’s policy.
191
00:08:25,560 –> 00:08:29,280
Flow structure as policy: stages, approvals and hidden branches.
192
00:08:29,280 –> 00:08:32,840
If a path exists only for some roles or locations, it’s policy.
193
00:08:32,840 –> 00:08:37,760
Data conditions as policy: field mappings, retries, filters and enrichments.
194
00:08:37,760 –> 00:08:40,960
If data moves or doesn’t based on conditions, it’s policy.
195
00:08:40,960 –> 00:08:45,520
If you can’t answer for each category who owns the intent, who owns the configuration
196
00:08:45,520 –> 00:08:49,680
and how changes are versioned and tested, you’re running a probabilistic model and calling
197
00:08:49,680 –> 00:08:50,680
it deterministic.
198
00:08:50,680 –> 00:08:52,080
That’s why you get surprised.
199
00:08:52,080 –> 00:08:53,280
That’s why incidents repeat.
200
00:08:53,280 –> 00:08:54,960
So how do you make this visible?
201
00:08:54,960 –> 00:08:59,040
You separate intent from configuration and require explanation at the point of decision.
202
00:08:59,040 –> 00:09:00,040
Not in a report.
203
00:09:00,040 –> 00:09:01,040
In the flow.
204
00:09:01,040 –> 00:09:02,800
Why did this branch fire?
205
00:09:02,800 –> 00:09:05,760
Resolve to a policy reference and the facts that matched it.
206
00:09:05,760 –> 00:09:07,560
What would have happened if…
207
00:09:07,560 –> 00:09:10,360
Must be computable from versioned rules, not folklore.
208
00:09:10,360 –> 00:09:14,280
Until you do that, every setup is a new way to be wrong without knowing it.
209
00:09:14,280 –> 00:09:15,280
One last point.
210
00:09:15,280 –> 00:09:17,880
Entropy is not reduced by standardization alone.
211
00:09:17,880 –> 00:09:20,560
Standardizing on the wrong abstraction ossifies error.
212
00:09:20,560 –> 00:09:25,000
Many teams lock down templates and freeze stage definitions, then bury exceptions in connectors.
213
00:09:25,000 –> 00:09:28,360
The surface looks clean; the mess moves to where you can’t see it.
214
00:09:28,360 –> 00:09:32,280
The only durable reduction comes from moving policy out of configuration and into a policy
215
00:09:32,280 –> 00:09:38,160
layer that systems subscribe to with tests that fail loudly when configuration diverges.
216
00:09:38,160 –> 00:09:41,440
Everything else is discipline fighting physics, and physics will outlast your steering
217
00:09:41,440 –> 00:09:43,000
committee.
218
00:09:43,000 –> 00:09:44,000
Archetype 1.
219
00:09:44,000 –> 00:09:45,000
Dynamics 365.
220
00:09:45,000 –> 00:09:46,000
HR.
221
00:09:46,000 –> 00:09:47,000
Transactional core.
222
00:09:47,000 –> 00:09:48,000
Adaptive debt.
223
00:09:48,000 –> 00:09:49,000
Dynamics 365.
224
00:09:49,000 –> 00:09:51,400
Human resources looks like a life cycle engine.
225
00:09:51,400 –> 00:09:52,680
Architecturally, it’s something else.
226
00:09:52,680 –> 00:09:56,320
A transactional core with configuration scaffolding wrapped around it.
227
00:09:56,320 –> 00:09:58,480
That core is good at state transitions.
228
00:09:58,480 –> 00:09:59,480
Request created.
229
00:09:59,480 –> 00:10:00,480
Job ad published.
230
00:10:00,480 –> 00:10:01,480
Applicant advanced.
231
00:10:01,480 –> 00:10:02,480
Worker created.
232
00:10:02,480 –> 00:10:06,680
The scaffolding promises adaptability: templates, stages, screening logic, email libraries
233
00:10:06,680 –> 00:10:07,680
and connectors.
234
00:10:07,680 –> 00:10:10,680
Put them together and you get the appearance of agility.
235
00:10:10,680 –> 00:10:12,440
Under load, it behaves like adaptive debt.
236
00:10:12,440 –> 00:10:14,800
Here’s the architectural choice that sets the trap.
237
00:10:14,800 –> 00:10:19,720
You model hires, transfers and terms as wizard-driven transactions tied to entity records and
238
00:10:19,720 –> 00:10:20,720
stage fields.
239
00:10:20,720 –> 00:10:23,240
That gives clean forms and predictable UI flow.
240
00:10:23,240 –> 00:10:27,720
It also forces policy to ride on top as configuration because the underlying model doesn’t speak
241
00:10:27,720 –> 00:10:29,640
in obligations or identity edges.
242
00:10:29,640 –> 00:10:31,800
You can add infinite stage definitions.
243
00:10:31,800 –> 00:10:36,880
You cannot express “this capability requires this control when the risk posture equals x”,
244
00:10:36,880 –> 00:10:40,080
so you approximate. Those approximations stack.
245
00:10:40,080 –> 00:10:41,120
Why it looked good at the time.
246
00:10:41,120 –> 00:10:43,400
The platform lets HR teams self-serve.
247
00:10:43,400 –> 00:10:47,680
Recruiters can define screening questions, adjust hiring templates, build email sequences
248
00:10:47,680 –> 00:10:51,840
and move candidates across stages without calling IT.
249
00:10:51,840 –> 00:10:55,400
Integration with Finance and Operations or Dataverse syncs records downstream.
250
00:10:55,400 –> 00:10:57,120
Power Automate fills the gaps.
251
00:10:57,120 –> 00:10:58,120
It feels like progress.
252
00:10:58,120 –> 00:11:00,040
Then the first cross-entity conflict appears.
253
00:11:00,040 –> 00:11:03,760
The failure mode is state rigidity with sprawling configuration.
254
00:11:03,760 –> 00:11:05,360
Stages become policy proxies.
255
00:11:05,360 –> 00:11:07,360
A hidden branch doubles as a risk gate.
256
00:11:07,360 –> 00:11:10,800
A screening preferred answer quietly becomes a qualifying condition.
257
00:11:10,800 –> 00:11:14,920
Email templates embed regional guidance that contradicts the central policy PDF.
258
00:11:14,920 –> 00:11:17,800
Each change is rational locally and inconsistent globally.
259
00:11:17,800 –> 00:11:22,120
The more you standardize the template set, the more exceptions migrate into connectors
260
00:11:22,120 –> 00:11:23,760
and virtual entity mappings.
261
00:11:23,760 –> 00:11:26,440
The system looks tidy on the surface and drifts underneath.
262
00:11:26,440 –> 00:11:28,040
Where policy hides is predictable.
263
00:11:28,040 –> 00:11:32,720
In hiring templates, policy hides in stage ordering and step types, interview types,
264
00:11:32,720 –> 00:11:36,960
panel compositions and optional steps that are optional in name only.
265
00:11:36,960 –> 00:11:42,040
In screening libraries, policy hides in required versus preferred answers that play
266
00:11:42,040 –> 00:11:46,960
like allow and deny lists. In email configurations, policy hides as conditional language that
267
00:11:46,960 –> 00:11:49,200
suggests decisions to reviewers.
268
00:11:49,200 –> 00:11:53,120
In integration parameters, policy hides as field mappings, retries and error handling
269
00:11:53,120 –> 00:11:57,280
branches that decide whether a downstream system sees an event at all.
270
00:11:57,280 –> 00:11:58,880
Why AI fails here is specific.
271
00:11:58,880 –> 00:12:03,120
Agents that live inside this environment see states and labels, not obligations.
272
00:12:03,120 –> 00:12:07,000
They can read stage tags like ready to hire, but they can’t reconstruct the implied policy
273
00:12:07,000 –> 00:12:10,840
across templates, screening decisions and connector logic.
274
00:12:10,840 –> 00:12:12,240
They attempt to reason from history.
275
00:12:12,240 –> 00:12:14,640
Past candidates marked ready shared these labels.
276
00:12:14,640 –> 00:12:18,960
But those labels reflect inconsistent artifacts, template V3 in one business unit, V2 in
277
00:12:18,960 –> 00:12:22,080
another, a hidden connector fix after a sync issue.
278
00:12:22,080 –> 00:12:26,960
The agent generalizes from anecdotes because there’s no authoritative policy corpus to
279
00:12:26,960 –> 00:12:27,960
cite.
280
00:12:27,960 –> 00:12:30,080
It cannot explain because the system never encoded intent.
281
00:12:30,080 –> 00:12:33,840
It can only imitate. Everything you recognize from incident reviews shows up here.
282
00:12:33,840 –> 00:12:39,640
D365 HR marks a worker as created, but attachments don’t sync for this version and the connector
283
00:12:39,640 –> 00:12:41,720
silently drops the event.
284
00:12:41,720 –> 00:12:44,640
Identity never sees the entitlement change, so access persists.
285
00:12:44,640 –> 00:12:48,640
A hiring template adds an extra stage for panel review in one legal entity.
286
00:12:48,640 –> 00:12:52,920
Now the offer email uses a different template with jurisdictional terms that don’t match benefits
287
00:12:52,920 –> 00:12:54,160
in finance.
288
00:12:54,160 –> 00:12:58,320
A career site update adds screening categories for a region without a synchronized education
289
00:12:58,320 –> 00:12:59,720
catalog.
290
00:12:59,720 –> 00:13:01,960
Preferred answers invert the gate in practice.
291
00:13:01,960 –> 00:13:06,080
Each is a minor tweak; together they redefine the architecture. Known integration patterns
292
00:13:06,080 –> 00:13:07,360
add their own gravity.
293
00:13:07,360 –> 00:13:10,720
The Finance and Operations virtual entities look like a bridge.
294
00:13:10,720 –> 00:13:14,800
In reality, it is a second model with its own consistency semantics.
295
00:13:14,800 –> 00:13:19,800
You get sync asymmetry: HR considers the record authoritative, downstream considers the mapped
296
00:13:19,800 –> 00:13:21,080
shape authoritative.
297
00:13:21,080 –> 00:13:25,160
If the integration flow retries after a transient error, the downstream timestamp wins and
298
00:13:25,160 –> 00:13:29,560
overrides a later HR fix. From the platform’s perspective, everything succeeded.
299
00:13:29,560 –> 00:13:34,000
From the control plane’s perspective, policy forked on Tuesday at 2:14 pm.
300
00:13:34,000 –> 00:13:37,920
The lesson is not configure less; it is stop asking configuration to carry
301
00:13:37,920 –> 00:13:38,920
intent.
302
00:13:38,920 –> 00:13:43,720
In this archetype, every standardization effort that doesn’t move policy out of templates
303
00:13:43,720 –> 00:13:46,680
and stages simply pushes entropy down a level.
304
00:13:46,680 –> 00:13:49,960
Lock the templates and the exceptions migrate into Power Automate.
305
00:13:49,960 –> 00:13:54,660
Lock the flows and they migrate into email phrasing; lock the phrasing and they migrate into manual
306
00:13:54,660 –> 00:13:56,000
checklist steps.
307
00:13:56,000 –> 00:13:59,040
You can’t paper over an obligation model with more wizard pages.
308
00:13:59,040 –> 00:14:03,680
What works instead even here is treating D365 HR as an event and execution surface, not
309
00:14:03,680 –> 00:14:04,680
the policy plane.
310
00:14:04,680 –> 00:14:09,200
Policy must be human readable and machine-queryable outside the workflow definitions.
311
00:14:09,200 –> 00:14:11,400
Events must be immutable facts.
312
00:14:11,400 –> 00:14:12,560
Candidate passed X.
313
00:14:12,560 –> 00:14:16,800
Attestation Y collected, not implied by stage names.
314
00:14:16,800 –> 00:14:21,000
Execution must subscribe to those policies and facts, not bury them in per template logic.
315
00:14:21,000 –> 00:14:26,400
Then when an AI agent assists a recruiter or manager, it can cite policy and point to facts.
316
00:14:26,400 –> 00:14:28,360
If the answer is approved, it can say why.
317
00:14:28,360 –> 00:14:31,520
If the answer is no, it can show the edge that failed.
318
00:14:31,520 –> 00:14:35,240
Without that, the platform’s adaptability is debt at interest.
319
00:14:35,240 –> 00:14:36,440
Archetype 2.
320
00:14:36,440 –> 00:14:37,440
Workday.
321
00:14:37,440 –> 00:14:38,440
Process rigor.
322
00:14:38,440 –> 00:14:40,040
Mistaken for intelligence.
323
00:14:40,040 –> 00:14:42,160
Workday presents a different face of the same problem.
324
00:14:42,160 –> 00:14:46,760
It prioritizes workflow discipline: well-defined business processes, routed approvals, audit-friendly
325
00:14:46,760 –> 00:14:51,400
steps. Architecturally, that yields clean paths, strong controls and a comforting
326
00:14:51,400 –> 00:14:54,480
sense that the process is the intelligence.
327
00:14:54,480 –> 00:14:55,480
It is not.
328
00:14:55,480 –> 00:14:57,560
The system is excellent at enforcing the path.
329
00:14:57,560 –> 00:15:00,480
It is agnostic about whether the path encodes intent.
330
00:15:00,480 –> 00:15:02,120
Here’s the architectural choice that matters.
331
00:15:02,120 –> 00:15:06,840
You harden business processes as the primary abstraction: initiation, routing, conditional
332
00:15:06,840 –> 00:15:08,360
steps, completion.
333
00:15:08,360 –> 00:15:10,720
You gain predictability and auditability.
334
00:15:10,720 –> 00:15:14,280
You also move policy into the flow graph because the graph is the only mechanism you have
335
00:15:14,280 –> 00:15:15,280
at runtime.
336
00:15:15,280 –> 00:15:18,200
A leave policy becomes a sequence of steps with conditions.
337
00:15:18,200 –> 00:15:21,080
A compensation rule becomes a validation in a task.
338
00:15:21,080 –> 00:15:24,560
A compliance control becomes a required sub-process.
339
00:15:24,560 –> 00:15:27,800
The more complete the graph, the more the graph becomes the policy.
340
00:15:27,800 –> 00:15:29,040
Why it looked good at the time.
341
00:15:29,040 –> 00:15:30,040
Rigor reduces variance.
342
00:15:30,040 –> 00:15:32,840
HR leaders sleep better when exceptions are rare.
343
00:15:32,840 –> 00:15:34,680
Auditors smile when steps are forced.
344
00:15:34,680 –> 00:15:39,640
The platform’s reporting reflects tidy cycle times, but exceptions never disappear.
345
00:15:39,640 –> 00:15:41,160
They relocate.
346
00:15:41,160 –> 00:15:45,880
In Workday, exception handling explodes in the exact places policy should have been separate.
347
00:15:45,880 –> 00:15:51,200
Advanced routing, condition rules, calculated fields and tenant specific business processes.
348
00:15:51,200 –> 00:15:54,920
What feels like control is often just complexity wearing a uniform.
349
00:15:54,920 –> 00:15:59,280
The failure mode is exception accretion until the graph is indistinguishable from code.
350
00:15:59,280 –> 00:16:04,040
Every carved-out case, new union rules, country-specific attestations, one-off managerial
351
00:16:04,040 –> 00:16:06,760
hierarchies, becomes a conditional branch.
352
00:16:06,760 –> 00:16:11,560
Over time, the flow that everyone follows is 20 flows that look similar, share a name and
353
00:16:11,560 –> 00:16:16,000
behave differently by supervisory org, location or job profile.
354
00:16:16,000 –> 00:16:17,880
You haven’t eliminated ambiguity.
355
00:16:17,880 –> 00:16:20,440
You’ve buried it behind process rigor.
356
00:16:20,440 –> 00:16:24,800
Where policy hides is precise. It hides in condition rule libraries that mix legal thresholds
357
00:16:24,800 –> 00:16:26,400
with routing convenience.
358
00:16:26,400 –> 00:16:31,240
It hides in calculated fields that smuggle risk classifications into yes, no gates.
359
00:16:31,240 –> 00:16:36,240
It hides in tenant configuration where a sub-process is required in some orgs and optional in
360
00:16:36,240 –> 00:16:38,680
others for reasons no one can now articulate.
361
00:16:38,680 –> 00:16:42,600
It hides in localized business processes that were cloned to meet a deadline and never
362
00:16:42,600 –> 00:16:43,600
reconciled.
363
00:16:43,600 –> 00:16:48,120
And critically, it hides in the additional data sections users habitually misused to signal
364
00:16:48,120 –> 00:16:50,000
intent the model couldn’t capture.
365
00:16:50,000 –> 00:16:51,600
Why AI fails here is specific.
366
00:16:51,600 –> 00:16:55,960
AI is confined to recommenders and assistants because the system cannot expose intent in
367
00:16:55,960 –> 00:16:57,640
a form the model can cite.
368
00:16:57,640 –> 00:17:01,720
Ask an agent to explain why this transfer was routed this way and it sees the path taken
369
00:17:01,720 –> 00:17:04,120
but not the policy logic that demanded it.
370
00:17:04,120 –> 00:17:08,200
Ask it to suggest the next step and it can predict the modal path from history, but it
371
00:17:08,200 –> 00:17:11,920
cannot assert compliance because the rules are entangled in local configuration.
372
00:17:11,920 –> 00:17:16,480
You end up with co-pilot features: summaries, reminders, suggestions, never with provable
373
00:17:16,480 –> 00:17:17,480
decisions.
374
00:17:17,480 –> 00:17:18,920
The process feels intelligent. It isn’t.
375
00:17:18,920 –> 00:17:22,240
It is merely consistent at executing what you configured.
376
00:17:22,240 –> 00:17:23,840
Everything you’ve seen in review boards fits.
377
00:17:23,840 –> 00:17:28,240
A global mobility process cloned for Asia-Pacific introduces a country-specific consent
378
00:17:28,240 –> 00:17:29,240
process.
379
00:17:29,240 –> 00:17:34,560
Six months later, legal changes the consent language but only the EMEA clone is updated.
380
00:17:34,560 –> 00:17:37,040
Audit finds divergent evidence for the same policy.
381
00:17:37,040 –> 00:17:41,560
A calculated field intended to route high-risk roles to a second approver is subtly different
382
00:17:41,560 –> 00:17:45,280
across two supervisory orgs because the original author reused the condition and forgot
383
00:17:45,280 –> 00:17:46,280
a threshold.
384
00:17:46,280 –> 00:17:50,680
An offer approval in one org checks variable pay eligibility that another org encodes
385
00:17:50,680 –> 00:17:54,440
as a validation on compensation grade. Both look standardized.
386
00:17:54,440 –> 00:17:56,240
Neither is.
387
00:17:56,240 –> 00:17:57,840
Known fixes add to the debt.
388
00:17:57,840 –> 00:17:59,920
You restrict who can edit business processes.
389
00:17:59,920 –> 00:18:00,920
Good.
390
00:18:00,920 –> 00:18:02,240
You centralize condition rule ownership.
391
00:18:02,240 –> 00:18:03,240
Good.
392
00:18:03,240 –> 00:18:05,320
Then the backlog grows and teams demand responsiveness.
393
00:18:05,320 –> 00:18:08,240
You allow local rule bundles with central templates.
394
00:18:08,240 –> 00:18:12,840
Now you’re running a forked rule set under one brand. Or you insist everything go through
395
00:18:12,840 –> 00:18:14,360
a center of excellence.
396
00:18:14,360 –> 00:18:19,720
The center encodes intent as best it can, but the graph remains the only runtime expression.
397
00:18:19,720 –> 00:18:23,560
And for policy changes you schedule a release. Meanwhile, exceptions pile up in shared mailboxes and
398
00:18:23,560 –> 00:18:24,480
Slack threads.
399
00:18:24,480 –> 00:18:25,480
The graph stays correct.
400
00:18:25,480 –> 00:18:26,680
The reality does not.
401
00:18:26,680 –> 00:18:29,960
The illusion is that auditability equals explainability.
402
00:18:29,960 –> 00:18:33,320
Workday can show you who approved what, when, and along which path.
403
00:18:33,320 –> 00:18:38,400
It cannot by itself show the clause of policy that required the path or the facts that triggered
404
00:18:38,400 –> 00:18:39,760
it in machine-citable form.
405
00:18:39,760 –> 00:18:43,120
In other words, you can verify the process was followed without verifying the policy was
406
00:18:43,120 –> 00:18:48,280
enforced. In a world where AI agents must reason and cite, that gap is decisive.
407
00:18:48,280 –> 00:18:50,280
The lesson is not to loosen control.
408
00:18:50,280 –> 00:18:54,240
It’s to separate control from policy. Use Workday’s rigor for orchestration and evidence, but
409
00:18:54,240 –> 00:18:58,520
stop treating the process graph as the policy corpus. Move the rules out of condition sets
410
00:18:58,520 –> 00:19:00,280
and into a policy layer.
411
00:19:00,280 –> 00:19:02,000
Human-readable and machine-queryable.
412
00:19:02,000 –> 00:19:06,760
Then have the process subscribe. Record immutable events: facts about attestations, thresholds
413
00:19:06,760 –> 00:19:10,680
met, capabilities assigned, separate from tasks completed.
414
00:19:10,680 –> 00:19:15,480
When an agent assists, it can cite the policy and match it to facts, not guess the rule from
415
00:19:15,480 –> 00:19:16,480
a path name.
416
00:19:16,480 –> 00:19:20,880
One more point: don’t confuse harmonization with coherence. Harmonizing business processes
417
00:19:20,880 –> 00:19:25,120
across regions makes the graph pretty. It does not align policy if the rules remain hidden
418
00:19:25,120 –> 00:19:30,840
in calculated fields and local clones. Coherence arrives when the intent is defined once, versioned,
419
00:19:30,840 –> 00:19:35,120
tested and referenced, and the process layer is a subscriber with a narrow mandate: route,
420
00:19:35,120 –> 00:19:40,040
collect evidence. Everything else is rigor encasing ambiguity, and rigor does not make ambiguity
421
00:19:40,040 –> 00:19:43,800
less ambiguous. It just makes it harder to see. Archetype three.
422
00:19:43,800 –> 00:19:50,400
SuccessFactors: global complexity, local entropy. SuccessFactors wears the global badge proudly:
423
00:19:50,400 –> 00:19:55,680
country packs, localization frameworks and decades of accumulated compliance. Architecturally,
424
00:19:55,680 –> 00:19:59,760
that’s the tell: you’re operating a global orchestration surface whose deepest abstractions
425
00:19:59,760 –> 00:20:03,320
are anchored in jurisdiction-specific rules that were frozen into workflows to satisfy
426
00:20:03,320 –> 00:20:07,800
yesterday’s auditors. That is not a criticism of the product. It is the consequence of solving
427
00:20:07,800 –> 00:20:12,320
for global HR in a world where every country insists on being the center of gravity.
428
00:20:12,320 –> 00:20:16,880
Here’s the architectural choice that matters: you codify country-specific obligations inside
429
00:20:16,880 –> 00:20:21,360
process variants, field sets and rule bundles to guarantee local compliance inline. You gain
430
00:20:21,360 –> 00:20:25,920
immediate conformance and auditability per jurisdiction. You also convert law into flow,
431
00:20:25,920 –> 00:20:30,480
and that converts policy into configuration. Over time, the global design becomes a fossil record
432
00:20:30,480 –> 00:20:36,400
of all the ways countries negotiated exceptions. Compliance is preserved. Coherence is not.
433
00:20:36,400 –> 00:20:41,280
Why it looked good at the time: regulators reward concreteness. A rule baked into a workflow is
434
00:20:41,280 –> 00:20:46,080
easy to show and hard to ignore. Implementation partners can point to a pack and say, this is
435
00:20:46,080 –> 00:20:51,600
compliant. Business leaders see one vendor, one stack, one surface. But every localized process
436
00:20:51,600 –> 00:20:56,960
that just needs a small adjustment becomes a fork. 10 years later you have a museum of adjustments
437
00:20:56,960 –> 00:21:01,680
with the same label. The failure mode is local entropy compounded into global incoherence.
438
00:21:01,680 –> 00:21:06,640
Country-specific flows hard-code thresholds, notice periods, leave definitions and data retention
439
00:21:06,640 –> 00:21:12,160
quirks. Backward compatibility keeps those branches alive after the law changes because historical
440
00:21:12,160 –> 00:21:17,440
transactions and downstream reporting expect the old shape. You stack new rules on top of old variants
441
00:21:17,440 –> 00:21:22,240
to avoid breaking history. The result is not a single global model with local overlays. It’s
442
00:21:22,240 –> 00:21:27,440
multiple plausible worlds stitched together by naming, with subtle differences that matter in production.
443
00:21:27,440 –> 00:21:32,160
Where policy hides is predictable. It hides in country-specific on/off toggles that turn into
444
00:21:32,160 –> 00:21:37,440
implied gates on eligibility. It hides in business rule catalogs where a global rule checks a country
445
00:21:37,440 –> 00:21:42,480
code and routes to a national subroutine. It hides in pick lists where localized labels encode different
446
00:21:42,480 –> 00:21:48,960
semantics: probation in one locale means benefits suppression; in another it is a reporting tag.
447
00:21:48,960 –> 00:21:53,520
It hides in time-off schemas where accrual logic is cloned, patched for a union agreement, then
448
00:21:53,520 –> 00:21:58,400
copied again for a canton. It hides in the international assignment processes that were cloned six times
449
00:21:58,400 –> 00:22:03,840
to manage tax edge cases in specific corridors and now differ only by three checkboxes no one will
450
00:22:03,840 –> 00:22:09,280
consolidate. Why AI fails here is specific. The model sees a thicket of near-duplicate processes and
451
00:22:09,280 –> 00:22:14,160
rules with country guards. It cannot infer the canonical intent because the intent was never recorded
452
00:22:14,160 –> 00:22:19,360
as a single versioned policy corpus. It can summarize the path taken in France for a parental leave
453
00:22:19,360 –> 00:22:24,480
and a different path in Ontario for a similar concept, but it cannot assert which obligations apply
454
00:22:24,480 –> 00:22:30,240
to a cross-border transfer because the obligations live as flow logic and cloned accrual definitions.
455
00:22:30,240 –> 00:22:35,520
Ask it to recommend the correct leave interpretation for a multinational employee who relocated
456
00:22:35,520 –> 00:22:39,920
mid-year and it will pattern-match from inconsistent history. Ask it to explain the decision
457
00:22:39,920 –> 00:22:45,360
and it will cite a rule ID and a path name, not the policy clause. You wanted a reasoning engine;
458
00:22:45,360 –> 00:22:49,920
you gave it a map of ancient roads. Everything you’ve seen in global governance shows up here.
459
00:22:49,920 –> 00:22:54,000
A country pack requires a data retention period that conflicts with corporate policy for
460
00:22:54,000 –> 00:22:59,760
disciplinary records. The local rule deletes sooner; the global analytics expect longer retention for
461
00:22:59,760 –> 00:23:05,920
trend analysis. Reporting compensates with derived fields. Investigations fail because evidence is gone.
462
00:23:05,920 –> 00:23:10,720
A localized termination process encodes a mandatory notice period that was updated last year, but
463
00:23:10,720 –> 00:23:15,600
the legacy reorg variant didn’t get the patch because it’s rarely used. One business unit uses the
464
00:23:15,600 –> 00:23:21,440
legacy variant for a matrix structure. Grievances cite outdated notices. An assignment from Germany to the
465
00:23:21,440 –> 00:23:27,920
U.S. triggers tax equalization steps in one flow and not in a cloned variant used for urgent transfers,
466
00:23:27,920 –> 00:23:32,320
because the urgent template removed an intermediate attestation during a pandemic and nobody
467
00:23:32,320 –> 00:23:37,360
restored it. All of these are rational decisions in the moment. As a system, they’re entropy generators.
468
00:23:37,360 –> 00:23:42,960
Known global harmonization projects can make this worse. You declare a single global process with
469
00:23:42,960 –> 00:23:48,560
local inserts. Good. Then you implement it by parameterizing a master flow with country flags and
470
00:23:48,560 –> 00:23:54,000
embedding local rules behind those flags. The surface looks unified. The logic is still fragmented.
471
00:23:54,000 –> 00:23:59,440
When a regulation changes in one jurisdiction, you patch a branch instead of updating a policy layer.
472
00:23:59,440 –> 00:24:04,800
Tests pass locally. Drift accumulates globally. Two years later your harmonized process contains a
473
00:24:04,800 –> 00:24:09,760
secret subway of country-specific tunnels. The facade is clean. The routes diverge. The illusion here
474
00:24:09,760 –> 00:24:15,200
is that localization equals clarity. Localized flows deliver evidence for local auditors. They don’t
475
00:24:15,200 –> 00:24:19,760
deliver explainability at the global level. When identity, risk and compliance need to reason
476
00:24:19,760 –> 00:24:24,800
across borders, who is entitled, what data must be retained, which controls apply, the answers are
477
00:24:24,800 –> 00:24:29,600
embedded in process forks and rule catalogs keyed by country. An agent can’t compute a global
478
00:24:29,600 –> 00:24:34,160
obligation graph from that. It can only replay a local path. The lesson is not standardize more
479
00:24:34,160 –> 00:24:39,280
aggressively. It’s lift policy out of flow logic and make locality explicit as data, not code.
480
00:24:40,000 –> 00:24:45,840
Write obligations as versioned, machine-queryable rules with jurisdictional scope. Emit events as
481
00:24:45,840 –> 00:24:52,000
immutable facts: employee relocated from A to B on date, leave category X granted under policy Y,
482
00:24:52,000 –> 00:24:57,280
rather than letting process names imply them. Drive localized execution by subscribing to those rules
483
00:24:57,280 –> 00:25:02,560
and facts, not by hard-coding jurisdiction inside flows. Then an AI assistant can compute what
484
00:25:02,560 –> 00:25:07,600
applies, cite the source and reconcile conflicts across jurisdictions. And when a country changes a
485
00:25:07,600 –> 00:25:13,360
law, you change the policy rule, rerun tests and watch execution adapt, not fork the flow and hope
486
00:25:13,360 –> 00:25:20,240
everyone uses the right tunnel. Archetype four: Entra ID, HR’s shadow system of record. Most organizations
487
00:25:20,240 –> 00:25:25,280
insist HR is the system of record for workers. Architecturally, that’s not how your risk is governed.
488
00:25:25,280 –> 00:25:30,080
Entra ID, your identity plane, decides who can do what, from where, on which device, under which
489
00:25:30,080 –> 00:25:34,640
conditions and with what evidence. That is the control plane. When the control plane diverges
490
00:25:34,640 –> 00:25:40,080
from the HR plane, the narrative of hire-to-retire collapses in the only place that matters: enforcement.
491
00:25:40,080 –> 00:25:44,720
Here’s the architectural choice that matters: you treat identity as downstream of HR data. Person
492
00:25:44,720 –> 00:25:50,000
exists in HR, identity is provisioned, group memberships follow, conditional access applies.
493
00:25:50,000 –> 00:25:55,840
Clean diagram. In reality, identity accumulates its own graph of entitlements, device trust, session
494
00:25:55,840 –> 00:26:00,720
signals, workload-specific roles and exception controls. That graph changes continuously,
495
00:26:00,720 –> 00:26:05,680
sometimes because HR changed the record, often because security adjusted a policy,
496
00:26:05,680 –> 00:26:10,080
IT granted a time-bound elevation or an app owner added a direct role.
497
00:26:10,080 –> 00:26:17,040
The result is three truths: HR worker truth, identity access truth and compliance evidence truth.
498
00:26:17,040 –> 00:26:21,040
They align only by accident unless you make the alignment an explicit design goal.
499
00:26:21,040 –> 00:26:26,880
Why it looked good at the time: separating concerns. HR owns people data, IT owns access, security
500
00:26:26,880 –> 00:26:32,480
owns policy. Each side moves at its own cadence. But the life cycle narrative masks a hard fact:
501
00:26:32,480 –> 00:26:37,440
access is not a derivative of personhood. It’s a derivative of risk, obligation and capability.
502
00:26:37,440 –> 00:26:43,360
Those change outside HR. Entra responds in real time. HR does not. That asynchrony is where drift lives.
503
00:26:43,360 –> 00:26:48,240
The failure mode is conditional chaos. Conditional access is powerful: signal-driven, context-aware
504
00:26:48,240 –> 00:26:52,800
and granular. It’s also an entropy generator when peppered with except-for clauses. You start with
505
00:26:52,800 –> 00:26:58,560
the deterministic posture: MFA, device compliance, location constraints. A business exception arrives.
506
00:26:58,560 –> 00:27:03,440
You carve out an exclusion group, set to expire in 14 days. Then another exception needs a slightly
507
00:27:03,440 –> 00:27:08,800
different control. You duplicate a policy, tweak a condition and add a service principal to a bypass.
508
00:27:08,800 –> 00:27:13,920
Over time your conditional fabric becomes probabilistic. A user’s effective access depends on the
509
00:27:13,920 –> 00:27:19,520
intersection of policy precedence, group nesting, token claims and legacy app behavior. It works until
510
00:27:19,520 –> 00:27:24,000
it doesn’t, and your incident response reads like archaeology. Where policy hides is exact. It hides
511
00:27:24,000 –> 00:27:28,560
in group designs that double as entitlement catalogs: HR-managed departments plus app-owner-managed
512
00:27:28,560 –> 00:27:33,760
access groups, with shadow break-glass roles tucked into nested assignments. It hides in access
513
00:27:33,760 –> 00:27:38,480
package rules that encode business logic as eligibility predicates: tenure thresholds, location
514
00:27:38,480 –> 00:27:43,600
flags, managerial status. It hides in Privileged Identity Management settings: approval lists that
515
00:27:43,600 –> 00:27:48,800
reflect old org charts, emergency accounts with no TTL, justification fields that evolved into
516
00:27:48,800 –> 00:27:54,160
routing signals. It hides in per-app role assignments done directly to service principals because
517
00:27:54,160 –> 00:27:59,360
we needed this to work before month end. None of that shows up in HR. All of that governs reality.
518
00:27:59,360 –> 00:28:04,480
Why AI fails here is specific. Ask an agent to explain, why does Alex have access to data hub,
519
00:28:04,480 –> 00:28:10,160
and it can enumerate groups, roles and policies. Ask it, should Alex have access under current policy,
520
00:28:10,160 –> 00:28:15,120
and it hits a missing layer: the authoritative versioned policy corpus that maps roles to obligations
521
00:28:15,120 –> 00:28:20,080
to controls. Lacking that, the model predicts from patterns: people in this department usually had
522
00:28:20,080 –> 00:28:25,600
these roles, tokens with these claims passed these policies. It can summarize. It cannot assert compliance.
523
00:28:25,600 –> 00:28:31,760
And when identity, HR and compliance disagree, the agent has three graphs with no canonical precedence
524
00:28:31,760 –> 00:28:36,640
model to reconcile them, so it picks the loudest source: the logs. Everything you recognize from
525
00:28:36,640 –> 00:28:41,920
post-incident reads is here. A terminated worker retains residual access because a provisioning flow
526
00:28:41,920 –> 00:28:46,720
failed on a transient error and retried after the HR record flipped to inactive; the connector
527
00:28:46,720 –> 00:28:51,120
filtered the event. A contractor’s conditional access exception group never expired because nobody
528
00:28:51,120 –> 00:28:56,720
owned the TTL review. Their device compliance drifted but a legacy app enforced basic auth. A
529
00:28:56,720 –> 00:29:01,760
break-glass account’s password was rotated but its app secrets weren’t. Downstream roles persisted.
530
00:29:01,760 –> 00:29:07,600
A group-based entitlement was replaced by direct app roles during a migration. The migration script
531
00:29:07,600 –> 00:29:12,400
missed two finance assistants who were temporarily in a project security group. They inherited access
532
00:29:12,400 –> 00:29:17,760
by accident. These are not exotic. They are the daily shape of drift. Known fixes introduce new fractures.
533
00:29:17,760 –> 00:29:23,120
You centralize group governance. Good. Then app teams create local dynamic groups keyed on app metadata
534
00:29:23,120 –> 00:29:28,560
to regain agility. You enforce conditional access baselines. Good. Then service owners slap trusted
535
00:29:28,560 –> 00:29:34,080
locations on unfamiliar IP ranges to avoid angry calls, and your location logic becomes Swiss cheese.
536
00:29:34,080 –> 00:29:38,400
You lock down admin elevations with PIM approvals. Good. Then approvals rubber-stamp because
537
00:29:38,400 –> 00:29:42,640
business hours don’t match support windows and the human in the loop becomes a human in name. The
538
00:29:42,640 –> 00:29:48,400
illusion is that identity merely reflects HR. In practice, identity manufactures reality under pressure.
539
00:29:48,400 –> 00:29:54,720
HR says transfer. Identity recomputes entitlements based on group logic, app roles and exemptions.
540
00:29:54,720 –> 00:29:59,440
If those encode latent policy, the transfer manifests as a new access regime that HR didn’t intend
541
00:29:59,440 –> 00:30:04,880
and compliance didn’t test. Later, an audit asks why did this entitlement happen, and you produce logs,
542
00:30:04,880 –> 00:30:10,080
not policy citations. Evidence replaces explanation. That’s survivable until AI enters the loop, because
543
00:30:10,080 –> 00:30:14,960
agents need rules they can cite, not just breadcrumbs they can replay. The lesson is not simplify
544
00:30:14,960 –> 00:30:21,360
conditional access or ban exceptions. It’s move intent out of Entra configuration and into a policy
545
00:30:21,360 –> 00:30:26,560
layer, then compile to identity. Express access policy as human-readable, machine-queryable rules
546
00:30:26,560 –> 00:30:31,920
with clear precedence. Version them. Test them against facts. Generate Entra artifacts, groups, dynamic
547
00:30:31,920 –> 00:30:37,680
queries, app role assignments, CA policies, from the compiler, not from admin portals. Emit events
548
00:30:37,680 –> 00:30:42,880
for entitlements granted and controls applied as immutable facts. Then require explainability at
549
00:30:42,880 –> 00:30:47,680
decision time: which policy, which version, matched which facts. When a divergence is necessary, give it
550
00:30:47,680 –> 00:30:53,120
a TTL and evidence by default, and treat Entra as the enforcement graph it already is: authoritative
551
00:30:53,120 –> 00:30:57,920
for access, accountable to policy, observable for compliance. Without that, identity will continue
552
00:30:57,920 –> 00:31:04,480
being your shadow system of record, writing history faster than HR can correct it. Archetype five:
553
00:31:04,480 –> 00:31:10,880
Power Automate plus HR integrations, the debugging economy. Power Automate is where good intentions go
554
00:31:10,880 –> 00:31:16,640
to become operating models. Architecturally, it’s a glue fabric: event subscriptions, triggers, conditions,
555
00:31:16,640 –> 00:31:21,120
mapping, stitched between systems that weren’t designed to share intent. That role is valuable.
556
00:31:21,120 –> 00:31:26,160
It is also where policy goes feral when the upstream abstractions are wrong. The more quick wins you stack,
557
00:31:26,160 –> 00:31:31,120
the more your business becomes a flow-debugging practice. Here’s the architectural choice that matters:
558
00:31:31,120 –> 00:31:37,120
you decide to use flows as the place where the last mile lives. Transform the payload, enrich a record,
559
00:31:37,120 –> 00:31:43,200
catch a miss, route a notification, retry a failed sync. Each choice is rational. Collectively, they become
560
00:31:43,200 –> 00:31:49,040
your de facto policy compiler, except unversioned, untestable at intent level and visible only to the
561
00:31:49,040 –> 00:31:54,160
person who authored it. The platform rewards speed. It does not enforce design. Why it looked good at the
562
00:31:54,160 –> 00:32:00,240
time: autonomy. HR ops can connect D365 HR to F&O to Dataverse to a Power Pages portal to
563
00:32:00,240 –> 00:32:05,040
SharePoint to email. No enterprise backlog required. A new screening flag needs to map into a
564
00:32:05,040 –> 00:32:10,160
different downstream field? Add a condition. A candidate ready to hire needs to create a worker
565
00:32:10,160 –> 00:32:15,840
and trigger IT provisioning? Add a chain of actions with configure run after. A sync error needs
566
00:32:15,840 –> 00:32:20,800
resilience? Add retries, add a dead letter list, add a manual approval as a safety valve. You shipped.
567
00:32:20,800 –> 00:32:25,840
It worked. It also became the only place truth moved reliably. The failure mode is sprawl with
568
00:32:25,840 –> 00:32:32,560
silent failure. Flows multiply by org, by business unit, by region, by author. Names drift. Owners leave.
569
00:32:32,560 –> 00:32:38,720
Connections expire. Configure run after swallows exceptions to keep the path green. A connector gets
570
00:32:38,720 –> 00:32:43,520
upgraded, the schema shifts, a condition never fires again because a label changed upstream. Nothing
571
00:32:43,520 –> 00:32:48,640
screams until an auditor or an outage finds the missing entitlement, or worse, the extra one. Where
572
00:32:48,640 –> 00:32:53,440
policy hides is exact. It hides in trigger filters that decide which events count as hires. It hides
573
00:32:53,440 –> 00:32:58,960
in condition blocks that encode eligibility logic no system of record ever captured: tenure thresholds,
574
00:32:58,960 –> 00:33:04,400
union flags, location-specific overrides. It hides in field maps that quietly normalize values to make
575
00:33:04,400 –> 00:33:10,000
downstream reports consistent. It hides in temporary bypasses hard-coded to a group ID, added during a
576
00:33:10,000 –> 00:33:15,120
cutover and never removed. It hides in concurrency controls that serialize updates to avoid race
577
00:33:15,120 –> 00:33:20,160
conditions at the cost of reordering facts. None of this is documented as policy. It governs outcomes.
578
00:33:20,160 –> 00:33:27,040
Why AI fails here is specific. Ask an agent to explain why this worker still has access
579
00:33:27,040 –> 00:33:32,000
and it sees a flow run that succeeded, with an action that skipped because a condition matched yesterday
580
00:33:32,000 –> 00:33:36,560
and not today. Ask it to fix the mapping and it can adjust the field name, but it cannot assert
581
00:33:36,560 –> 00:33:42,160
that the mapping expresses policy, because policy never lived anywhere but inside the flow. Ask it to
582
00:33:42,160 –> 00:33:47,520
diagnose dropped events and it will summarize retries. It will not reconstruct the intent behind a
583
00:33:47,520 –> 00:33:52,560
dead letter queue that a human drained last week to keep things moving. Everything you’ve seen in
584
00:33:52,560 –> 00:33:57,920
integrator war rooms plays out here. A flow that publishes job ads to a portal silently stops because
585
00:33:57,920 –> 00:34:03,200
a pagination token expired after an API change. The hiring team blames the career site.
586
00:34:03,200 –> 00:34:08,000
A ready-to-hire orchestrator tries to create a worker, fails on a mandatory field not present for
587
00:34:08,000 –> 00:34:12,880
a jurisdiction. The author adds a default in the mapping. Six months later, a region’s benefit
588
00:34:12,880 –> 00:34:18,800
eligibility is wrong for a cohort. An identity provisioning flow filters out inactive updates
589
00:34:18,800 –> 00:34:26,160
to avoid churn during transfer bursts. A termination at 5:03 p.m. misses the window. Access persists overnight.
590
00:34:26,160 –> 00:34:31,280
The incident review discovers a run-only users list that contains one person, who was on leave.
591
00:34:32,000 –> 00:34:37,600
Known fixes trade one risk for another. You centralize flows and introduce a naming convention. Good.
592
00:34:37,600 –> 00:34:41,680
Then every exception request becomes a new branch with hidden policy. You add solution ALM and
593
00:34:41,680 –> 00:34:46,560
code review via pull requests. Good. Then emergency edits happen in production because someone
594
00:34:46,560 –> 00:34:51,920
must unblock payroll. You enforce environment isolation and manage connectors. Good. Then shadow
595
00:34:51,920 –> 00:34:56,560
flows appear in personal environments to regain agility, and their outputs are manually copied into
596
00:34:56,560 –> 00:35:03,440
official systems when they work. The friction moves. The debt remains. The illusion is that flows are
597
00:35:03,440 –> 00:35:09,200
just plumbing. In reality, they are your most active policy surface when upstream models cannot express
598
00:35:09,200 –> 00:35:14,400
obligations. The faster you add plumbing, the more water finds that path. Over time, the connectors
599
00:35:14,400 –> 00:35:19,520
encode your company. That’s why incidents feel uncanny: the logic that mattered lived where nobody
600
00:35:19,520 –> 00:35:25,280
expected policy to live. The lesson is not ban Power Automate. It’s stop letting glue decide policy.
601
00:35:25,280 –> 00:35:29,760
Flows should subscribe to immutable events, apply compiled rules and emit facts, with every decision
602
00:35:29,760 –> 00:35:35,120
citing the rule version and inputs. If a fact is missing, the flow should fail loud and early. If an
603
00:35:35,120 –> 00:35:40,320
exception is needed, it should be a policy change with a TTL, not a connector tweak. Ownership
604
00:35:40,320 –> 00:35:47,360
must reflect intent: one team owns rules, another owns flows, both own tests that run on every change,
605
00:35:47,360 –> 00:35:53,280
and observability must be first class: event lineage, rule evaluation traces, decision logs, not
606
00:35:53,280 –> 00:35:57,680
just run histories. One last point: in a healthy architecture Power Automate is a transport and
607
00:35:57,680 –> 00:36:02,320
coordination layer. In an unhealthy one, it’s the brain. You don’t fix that by writing better flows.
608
00:36:02,320 –> 00:36:07,760
You fix it by moving policy out of flows, moving facts out of labels and making every integration
609
00:36:07,760 –> 00:36:13,040
a subscriber to policy and events. Then glue does what glue does best, connect, while the system
610
00:36:13,040 –> 00:36:18,160
becomes something you can finally explain. Why AI pilots fail in HR: the intent extraction problem.
611
00:36:18,160 –> 00:36:23,840
We’ve diagnosed the damage. Now the midpoint: why AI exposes it so quickly. The short answer is brutal.
612
00:36:23,840 –> 00:36:29,200
Models aren’t the issue. Implicit policy is. In HR, most policy isn’t a policy at all. It’s a
613
00:36:29,200 –> 00:36:33,840
collage of templates, stages, connector branches and condition rules. You call it process. The model
614
00:36:33,840 –> 00:36:39,040
calls it data. When you ask an AI to reason, it searches for intent. What it finds are artifacts. So it
615
00:36:39,040 –> 00:36:43,600
infers doctrine from anecdotes and fails with confidence. Okay, so basically intent lives in three
616
00:36:43,600 –> 00:36:48,880
places it should not. First, in workflows: step names, condition blocks and path choices that look
617
00:36:48,880 –> 00:36:54,400
like rigor but are really embedded rules. Second, in integration glue: field maps, trigger filters and
618
00:36:54,400 –> 00:37:00,240
retry logic that decide whether an event even exists. Third, in presentation: email phrasing,
619
00:37:00,240 –> 00:37:05,440
preferred answers or pick list labels that quietly alter behavior. None of that is versioned as policy.
620
00:37:05,440 –> 00:37:10,640
All of it is what the model sees. Think of RAG, the go-to approach. Retrieval-augmented generation
621
00:37:10,640 –> 00:37:15,920
works when there’s a corpus worth retrieving: authoritative, current and scoped. In HR, retrieval
622
00:37:15,920 –> 00:37:20,480
fetches the last posted handbook, a regional addendum, three job ad templates with contradictory
623
00:37:20,480 –> 00:37:26,320
clauses and a six-month-old email thread. The model grounds its answer in exactly what you published:
624
00:37:26,320 –> 00:37:31,280
drift. You wanted a legal citation with scope and precedence. You get a well-written synthesis of
625
00:37:31,280 –> 00:37:36,240
your contradictions. Here’s the weird part: the more historical data you give the model, the worse
626
00:37:36,240 –> 00:37:41,120
it gets when intent is implicit. History contains your local optimizations, your exceptions turned
627
00:37:41,120 –> 00:37:46,320
baselines, your undocumented connector detours. The model faithfully learns your entropy. Ask it for
628
00:37:46,320 –> 00:37:51,920
next best action and it predicts the modal detour, not the intended rule. Ask it why and it cites
629
00:37:51,920 –> 00:37:56,800
an artifact: path names, email language, because that’s all there is. Now layer in explainability. In a
630
00:37:56,800 –> 00:38:02,160
deterministic system, explanation is citation: which rule, which version, matched which facts. In your
631
00:38:02,160 –> 00:38:07,920
current stack, explanation is archaeology: which flow ran, which branch skipped, which label mapped, which
632
00:38:07,920 –> 00:38:12,880
email hinted. That’s not explainability. That’s storytelling. You can narrate a path after the fact.
633
00:38:12,880 –> 00:38:17,600
You cannot prove intent at decision time. Agents need proofs, not parables. This is why copilot
634
00:38:17,600 –> 00:38:22,720
experiences plateau. Summaries and reminders are safe because they don’t require authority. Autonomy
635
00:38:22,720 –> 00:38:26,880
requires authority. Without a policy plane there’s nothing to authorize, so you get assistants
636
00:38:26,880 –> 00:38:32,320
that draft job descriptions, propose interview questions and remind approvals: useful, but always
637
00:38:32,320 –> 00:38:37,200
advisory, never deciding. You didn’t fail a pilot because the model was weak; you failed because the
638
00:38:37,200 –> 00:38:42,560
system couldn’t supply constraints the model could cite. Consider the classic pilot sequence. Step one:
639
00:38:42,560 –> 00:38:49,120
index policy. The indexing job finds PDFs, wiki pages and change emails. Step two: wire to signals,
640
00:38:49,120 –> 00:38:54,400
life cycle events, approvals, role updates. Good. Step three: add a small action surface, suggest next steps,
641
00:38:54,400 –> 00:38:59,680
pre-fill forms. The first week looks magical. Week four, an edge case arrives: the agent recommends a path
642
00:38:59,680 –> 00:39:04,720
that matched history but violated a recent compliance change. The post-mortem asks: why did it do that?
643
00:39:04,720 –> 00:39:10,160
The answer: because that’s what your corpus said. The real question is why didn’t the system own intent
644
00:39:10,160 –> 00:39:15,200
separately from history? Because it never did. Let’s draw the boundary cleanly. AI fails in HR when
645
00:39:15,200 –> 00:39:20,720
five conditions coexist: policy is implicit in workflow graphs, not explicit in a rules layer; facts
646
00:39:20,720 –> 00:39:26,880
are implicit in state labels, not emitted as immutable events; execution is imperative, do these steps,
647
00:39:26,880 –> 00:39:33,760
not declarative, subscribe to rules; identity is permissive by default via exceptions, not compiled
648
00:39:33,760 –> 00:39:39,200
from policy with TTLs; evidence is log replay, not decision-time explanation. Flip any one of those
649
00:39:39,200 –> 00:39:43,520
and things improve. Flip all five and autonomy becomes possible. Okay, so how do you make intent
650
00:39:43,520 –> 00:39:47,840
extractable? You don’t. You stop extracting it; you author it. That means writing obligations as
651
00:39:47,840 –> 00:39:52,320
human-readable, machine-queryable rules, scoped, versioned and testable outside the workflow.
652
00:39:52,320 –> 00:39:57,360
It means emitting events as facts with enough context to evaluate rules later. It means making
653
00:39:57,360 –> 00:40:01,840
execution subscribe to rules instead of embedding them. It means treating identity as the enforcement
654
00:40:01,840 –> 00:40:07,440
graph compiled from policy, not a parallel universe of exceptions. And it means requiring explanation
655
00:40:07,440 –> 00:40:12,720
at decision time, not after an incident. One last point: many pilots fail quietly, not catastrophically.
656
00:40:12,720 –> 00:40:19,040
Teams downgrade scope from decide to assist. That feels prudent; it’s actually an admission the system
657
00:40:19,040 –> 00:40:24,160
can’t supply guardrails. If you hear recommendation only in perpetuity, you’re not being cautious, you’re
658
00:40:24,160 –> 00:40:29,520
confessing architecture. The fix is upstream of the model: put intent where it belongs, then, only then,
659
00:40:29,520 –> 00:40:36,800
let the model reason, cite and act. Mental model shift: from life cycle to capability, obligation, identity.
660
00:40:36,800 –> 00:40:41,920
Everything so far has been a diagnosis: your life cycle story encodes policy into workflows, hides
661
00:40:41,920 –> 00:40:46,960
state and drifts. The fix isn’t a cleaner wizard; it’s a different unit of design. Replace stage thinking
662
00:40:46,960 –> 00:40:52,480
with three primitives that systems can actually enforce: capability, obligation and identity. Start
663
00:40:52,480 –> 00:40:57,760
with capability provisioning. This is not onboarding; it’s the explicit set of capabilities a role
664
00:40:57,760 –> 00:41:03,760
requires to perform a function under a defined risk posture. Capabilities are granular: query ledger,
665
00:41:03,760 –> 00:41:10,720
approve offers, access customer PII, provision devices, deploy to production. Capabilities are never
666
00:41:10,720 –> 00:41:15,760
job titles; they are edges between people and systems, guarded by controls. When a person is hired, what
667
00:41:15,760 –> 00:41:20,880
actually happens is capability assignment. When a person transfers, capability edges change. When a
668
00:41:20,880 –> 00:41:26,160
person terminates, capability edges are removed. Design around capabilities, not stages, and you stop
669
00:41:26,160 –> 00:41:31,680
inferring access from stories. Now obligation tracking. Obligation isn’t a task checklist; it’s the set
670
00:41:31,680 –> 00:41:37,120
of duties that attach to a role, a jurisdiction or an event, with scope, precedence and expiration.
671
00:41:37,120 –> 00:41:42,880
Examples: collect attestation within 30 days; retain disciplinary records for three years in
672
00:41:42,880 –> 00:41:48,640
country X; run fit and proper check for regulated entities; require re-auth every 12 hours for privileged
673
00:41:48,640 –> 00:41:54,000
sessions. Obligations are not embedded steps; they are rules with conditions and time. They bind to
674
00:41:54,000 –> 00:41:59,520
facts, events like role granted, location change or device posture dropped. When an obligation
675
00:41:59,520 –> 00:42:04,320
exists, the system should know it, test it and evidence it. When it expires, the system should emit
676
00:42:04,320 –> 00:42:09,280
the effect. That is enforcement, not folklore. Then identity orchestration. Identity isn’t a person record;
677
00:42:09,280 –> 00:42:13,120
it’s the enforcement graph: who, under which claims, can traverse which edges to reach which
678
00:42:13,120 –> 00:42:17,920
capabilities under which conditions. Identity orchestration compiles capabilities and obligations
679
00:42:17,920 –> 00:42:22,800
into controls: group membership, app roles, conditional access policies, session lifetimes, device
680
00:42:22,800 –> 00:42:29,520
requirements, with explicit TTLs and evidence. When HR says transfer, identity recalculates the graph
681
00:42:29,520 –> 00:42:35,760
from policy; it does not replay a wizard. When compliance changes an obligation, identity compiles
682
00:42:35,760 –> 00:42:40,880
different controls and tests them against facts. When an exception exists, identity holds a timer,
683
00:42:40,880 –> 00:42:45,440
not a memory. This is not a semantic shift; this is a structural shift. It changes who owns what,
684
00:42:45,440 –> 00:42:52,400
how you measure success, and why AI can finally reason about your system. Life cycles describe stories;
685
00:42:52,400 –> 00:42:58,080
systems need contracts. In practice, capability provisioning means defining capability catalogs independent
686
00:42:58,080 –> 00:43:03,200
of job titles. A job is now a capability bundle plus a risk posture. A project assignment is a
687
00:43:03,200 –> 00:43:08,240
temporary capability grant with a TTL. A matrix role is a second bundle with separate obligations.
688
00:43:08,240 –> 00:43:13,440
Provisioning becomes assign bundle X under policy Y, not complete onboarding step Z.
689
00:43:13,440 –> 00:43:18,800
Deprovisioning becomes revoke bundle and close obligations, not flip status to inactive and
690
00:43:18,800 –> 00:43:24,800
hope flows fire. Managers stop asking for access like Sam; they request named capability bundles bound
691
00:43:24,800 –> 00:43:30,720
to policy. Obligation tracking means writing obligations as rules with scope and version: if capability
692
00:43:30,720 –> 00:43:38,000
X was approve offers and location X was EU, require remuneration transparency attestation every 12 months;
693
00:43:38,000 –> 00:43:43,120
if role X is financial controller, require dual approval for ledger queries and log retention of seven
694
00:43:43,120 –> 00:43:49,040
years. These are not flow steps; they are rules that trigger computable checks. Evidence becomes policy
695
00:43:49,040 –> 00:43:56,320
v4 matched facts A, B, C on date D, obligation satisfied, not task completed by Jane at 3 p.m. When
696
00:43:56,320 –> 00:44:02,080
obligations conflict, global versus local, precedence is explicit. Tests catch drift before incidents do.
697
00:44:02,080 –> 00:44:07,200
Identity orchestration means the graph is generated, not hand-built. Groups, dynamic queries, app roles
698
00:44:07,200 –> 00:44:12,720
and conditional access derive from policy compilation, not hero admin work. Exceptions are first-class
699
00:44:12,720 –> 00:44:18,080
artifacts with justification, TTL and reviewer. When the TTL ends, the compiler removes the edge
700
00:44:18,080 –> 00:44:23,600
and emits an event. When a device falls out of compliance, the session policy changes; evidence records why.
701
00:44:23,600 –> 00:44:29,440
When a merger happens, identities are reconciled against capability bundles and obligations; duplicated
702
00:44:29,440 –> 00:44:36,800
titles don’t matter, edges do. This shift clarifies ownership: HR owns intent, capability definitions
703
00:44:36,800 –> 00:44:41,760
and obligation rules. Platforms own execution: compilers, enforcement and evidence. Security owns
704
00:44:41,760 –> 00:44:46,080
constraints and precedence. Compliance owns tests and audits. Nobody owns the flow, because flows
705
00:44:46,080 –> 00:44:51,520
stop being where policy lives; they are subscribers that move facts between systems. It also clarifies
706
00:44:51,520 –> 00:44:56,880
metrics. You stop tracking onboarding cycle time as if speed equals correctness. You start tracking
707
00:44:56,880 –> 00:45:02,720
capability assignment accuracy, obligation satisfaction rate, exception half-life and identity
708
00:45:02,720 –> 00:45:08,240
drift delta. You ask: how many capability edges exist without matching obligations? How many exceptions
709
00:45:08,240 –> 00:45:13,840
exceeded TTL last quarter? Where did policy compilation fail? Those numbers explain risk; stage counts
710
00:45:13,840 –> 00:45:22,480
don’t. Finally, it unlocks AI. An agent can compute: under policy v7, bundle finance approver requires
711
00:45:22,480 –> 00:45:30,480
attestation X and control Y; facts show X satisfied, Y missing; recommend apply Y; here are the implications.
712
00:45:30,480 –> 00:45:35,680
It can explain because the rules exist. It can act because execution subscribes to rules.
713
00:45:35,680 –> 00:45:40,320
It can decline because evidence is absent. That’s autonomy with accountability, not automation by
714
00:45:40,320 –> 00:45:46,320
imitation. The HR entropy diagnostic: a checklist you can run tomorrow. You don’t fix entropy with
715
00:45:46,320 –> 00:45:51,680
motivation; you fix it with visibility. So here’s a diagnostic you can run tomorrow: three clusters, six
716
00:45:51,680 –> 00:45:57,440
questions. If you can’t answer them with evidence, not anecdotes, your AI will fail. Not might, will.
717
00:45:57,440 –> 00:46:03,760
Cluster one: policy location. Start with a simple inventory question: where does policy live today,
718
00:46:03,760 –> 00:46:09,280
data, workflow or documentation? Don’t accept we have a handbook as an answer. You need a map: for
719
00:46:09,280 –> 00:46:14,080
each hiring, transfer and termination obligation, point to the artifact that actually governs behavior:
720
00:46:14,080 –> 00:46:19,520
a condition rule, a connector filter, a stage definition, a pick-list label, a calculated field, a
721
00:46:19,520 –> 00:46:25,120
PDF clause. If you can’t enumerate the artifact per obligation, policy is aspirational; configuration runs
722
00:46:25,120 –> 00:46:30,960
the company. Next, count conditional branches per life cycle event in production, not in design docs.
723
00:46:30,960 –> 00:46:37,760
For hire, how many yes/no forks fire across HR, identity, payroll, compliance and glue? Count the ones
724
00:46:37,760 –> 00:46:42,800
in business process graphs, Power Automate flows, condition libraries, calculated fields, access packages
725
00:46:42,800 –> 00:46:48,160
and conditional access. Don’t average; find the maximum path length and the total branch count. Those
726
00:46:48,160 –> 00:46:52,960
two numbers are your entropy multiplier. High branch count plus long paths equals hidden policy and
727
00:46:52,960 –> 00:47:00,080
non-deterministic outcomes. You’re not running a process; you’re rolling dice. Cluster two: explainability.
728
00:47:00,080 –> 00:47:05,040
Can an AI agent explain why a decision happened at the point of decision, with citations? Not we think,
729
00:47:05,040 –> 00:47:10,560
not historically. Ask for the rule version, its scope and the facts that matched it. Then ask what
730
00:47:10,560 –> 00:47:15,600
would have happened under policy v1. If you can’t replay the decision against the prior rule set,
731
00:47:15,600 –> 00:47:20,240
you don’t have explainability, you have folklore. What’s the source of truth for that explanation?
732
00:47:20,240 –> 00:47:25,040
Acceptable answers: a versioned policy corpus and immutable events. Unacceptable answers: business
733
00:47:25,040 –> 00:47:30,880
process names, stage labels, email templates or flow run histories. If your explanation references a
734
00:47:30,880 –> 00:47:37,200
path name like global transfer v3 or a connector condition like if status equals terminated,
735
00:47:37,200 –> 00:47:42,400
you’re citing configuration, not policy. Models can summarize configuration; they cannot prove compliance
736
00:47:42,400 –> 00:47:47,840
from it. Cluster three: cross-system disagreement. Where do identity, compliance and HR disagree today?
737
00:47:47,840 –> 00:47:52,560
List a dozen real cases from the last quarter: terminated in HR but retained access due to a retry
738
00:47:52,560 –> 00:47:57,680
filter; eligible for benefit in payroll but excluded in a cloned business process; transfer
739
00:47:57,680 –> 00:48:02,080
routed one way in Workday and another way in SuccessFactors because a calculated field differed.
740
00:48:02,080 –> 00:48:06,560
Then ask the only question that matters: which one wins in practice? Don’t say it depends;
741
00:48:06,560 –> 00:48:11,280
name the precedence model. If identity wins sometimes and HR wins other times and compliance wins
742
00:48:11,280 –> 00:48:15,920
when someone yells loudest, you’re operating a probabilistic control plane. Agents can’t certify
743
00:48:15,920 –> 00:48:20,800
risk in a system that doesn’t know who’s authoritative, when and for what. Now tighten the screws.
744
00:48:20,800 –> 00:48:25,680
For each cluster, assign owners. Policy location: who owns intent for capability definitions and
745
00:48:25,680 –> 00:48:30,640
obligations? Who owns configuration surfaces where policy currently hides? Are they the same person?
746
00:48:30,640 –> 00:48:35,840
They shouldn’t be. Explainability: who owns the policy corpus and event models? Who writes tests
747
00:48:35,840 –> 00:48:40,720
that fail when configuration diverges from policy? Disagreement: who owns the precedence model
748
00:48:40,720 –> 00:48:45,600
and the reconciliation mechanism? Is it documented, versioned and testable? Next, at time: what’s the
749
00:48:45,600 –> 00:48:51,520
half-life of exceptions? Pick five exceptions, identity bypasses, process skips, manual attestations,
750
00:48:51,520 –> 00:48:55,440
and measure how long they live. If you can’t compute a half-life because nothing expires by
751
00:48:55,440 –> 00:49:00,320
default, you’re accruing permanent debt. Exceptions must be policy changes with TTLs; anything else
752
00:49:00,320 –> 00:49:05,280
is drift wearing a badge. At visibility: can you produce an event lineage for a random worker from
753
00:49:05,280 –> 00:49:11,440
ready to hire to identity deprovisioned across systems, with every decision annotated by rule and fact?
754
00:49:11,440 –> 00:49:15,520
If you need four teams, three exports and a war room, your design is telling you the truth: you’re
755
00:49:15,520 –> 00:49:20,240
running archaeology, not governance. At scale: how many capability edges exist without matching
756
00:49:20,240 –> 00:49:26,480
obligations? For example, people with approve offers who lack current remuneration transparency attestations.
757
00:49:26,480 –> 00:49:32,480
That ratio, unconstrained capability to obligation satisfied, is your quietly growing blast radius.
758
00:49:32,480 –> 00:49:37,680
AI will amplify it. Finally, at friction: where does the system fail loud by design, and where does it
759
00:49:37,680 –> 00:49:43,280
fail silent by convenience? If your flows configure run after on failure, if your processes skip when
760
00:49:43,280 –> 00:49:48,640
data is missing, if your provisioning queues swallow dead letters, you’ve optimized for green dashboards
761
00:49:48,640 –> 00:49:53,760
over truthful systems. Flip it: fail early, loudly and with a rule citation. If the rule is missing,
762
00:49:53,760 –> 00:49:59,680
that’s the failure you want. Six questions, three owners, four measurements. Run it tomorrow. If the
763
00:49:59,680 –> 00:50:04,880
answers hurt, good: that’s the system introducing itself. Reference architecture: separation of concerns
764
00:50:04,880 –> 00:50:10,480
that survives AI. Here’s the counter-model: four layers, each with one job. No layer guesses, no layer
765
00:50:10,480 –> 00:50:16,240
compensates for another, and every decision cites its source. Layer one, the policy layer. This is where
766
00:50:16,240 –> 00:50:21,920
intent lives: human-readable, machine-queryable, versioned like code and testable before deployment. It is
767
00:50:21,920 –> 00:50:27,120
not a PDF; it’s a set of rules expressed in a formal syntax your systems can evaluate and your
768
00:50:27,120 –> 00:50:33,920
auditors can read. Scope is explicit: global, regional, organizational. Precedence is explicit: what wins when
769
00:50:33,920 –> 00:50:40,240
rules collide. Each rule has an owner, a version, a change log and a test suite. You don’t document policy;
770
00:50:40,240 –> 00:50:45,040
you publish it as an artifact. You can ask it questions, you can run it against data, and when it
771
00:50:45,040 –> 00:50:51,040
changes you know what breaks before anything ships. Layer two, the event layer: facts, not workflows.
772
00:50:51,040 –> 00:50:56,800
Immutable, append-only records that describe what happened: capability bundle X requested, obligation
773
00:50:56,800 –> 00:51:03,520
Y satisfied, employee relocated from A to B, device posture dropped below threshold. Each event
774
00:51:03,520 –> 00:51:08,480
carries rich context: who, when, where, under which attributes, so the policy layer can evaluate
775
00:51:08,480 –> 00:51:13,600
obligations later without reverse-engineering labels. Events are never implied by a stage name; they
776
00:51:13,600 –> 00:51:18,640
are emitted by systems at the moment of truth and preserved with lineage. If a fact is missing, we
777
00:51:18,640 –> 00:51:24,560
don’t infer it; we fail loud and early. Layer three, the execution layer: replaceable automation subscribed
778
00:51:24,560 –> 00:51:29,600
to rules and facts. Orchestrations, workflows and connectors live here, but they do not embed policy;
779
00:51:29,600 –> 00:51:34,320
they evaluate rules from the policy layer against events from the event layer and perform actions:
780
00:51:34,320 –> 00:51:39,600
assign capabilities, apply controls, collect attestations, notify humans. They are stateless in principle
781
00:51:39,600 –> 00:51:44,880
and observable in practice. Every decision the execution layer makes includes a citation: which policy
782
00:51:44,880 –> 00:51:50,320
version matched which facts. If the layer can’t produce a citation, it doesn’t act. Layer four, the
783
00:51:50,320 –> 00:51:55,360
AI reasoning layer: explanation-first by design. Agents and copilots ask the policy layer what
784
00:51:55,360 –> 00:52:00,880
should happen, ask the event layer what did happen, and propose or perform actions through the execution
785
00:52:00,880 –> 00:52:07,040
layer. The outputs are justified, not merely plausible: under policy v7 with facts A, B, C, the required
786
00:52:07,040 –> 00:52:14,160
controls are Y and Z; Y exists, Z is missing; recommend apply Z. When they decline, they show their working:
787
00:52:14,160 –> 00:52:20,160
policy v4 conflicts with v6 in jurisdiction K, escalation required. They don’t hallucinate authority;
788
00:52:20,160 –> 00:52:24,880
they reference it. If this layer fails, here’s what breaks. If the policy layer fails, you’re back to
789
00:52:24,880 –> 00:52:30,640
folklore: workflows guessing intent, AI guessing harder. If the event layer fails, you’re narrating state
790
00:52:30,640 –> 00:52:36,800
rather than proving facts; tests become theater. If the execution layer fails, you’re encoding rules
791
00:52:36,800 –> 00:52:41,600
into plumbing; entropy returns wearing Power Automate badges. If the AI layer fails, you’re stuck
792
00:52:41,600 –> 00:52:46,400
with assistance that summarizes drift rather than enforces design. Two cross-cutting concerns bind
793
00:52:46,400 –> 00:52:52,160
the four layers into a system: governance and observability. Governance is not a steering committee;
794
00:52:52,160 –> 00:52:58,720
it’s an authorization compiler: policy, controls, tests, evidence. It ensures only one place to write
795
00:52:58,720 –> 00:53:03,760
intent, a predictable way to generate enforcement and a standard for proving outcomes. Observability is
796
00:53:03,760 –> 00:53:09,520
not a dashboard; it’s end-to-end lineage: events with chain of custody, rule evaluations with inputs
797
00:53:09,520 –> 00:53:14,640
and outputs, control applications with timestamps and ownership. Without both, separation is theory.
798
00:53:14,640 –> 00:53:19,280
Okay, so basically how does this reduce entropy? It moves policy out of configuration. A screening
799
00:53:19,280 –> 00:53:24,720
template can’t gate eligibility; the rule does. A connector can’t redefine a termination; the event
800
00:53:24,720 –> 00:53:30,560
does. A conditional access exception can’t live forever; the compiler emits an edge with a TTL and the
801
00:53:30,560 –> 00:53:35,840
evidence to prove it. Exceptions stop being just this once changes buried in setup; they become policy
802
00:53:35,840 –> 00:53:41,760
changes with scope, version and expiry. Entropy still exists, it always will, but it has nowhere to hide.
803
00:53:41,760 –> 00:53:46,800
How does this enable AI? It gives the model constraints it can cite and facts it can trust. A copilot
804
00:53:46,800 –> 00:53:52,160
can answer why at decision time because the policy layer is source, not suggestion. It can simulate
805
00:53:52,160 –> 00:53:57,040
what-if across policy versions because rules are versioned and events are immutable. It can reason
806
00:53:57,040 –> 00:54:02,560
across jurisdictions because locality is data, not code branches. And when it acts, it produces a proof:
807
00:54:02,560 –> 00:54:08,560
policy clause, version, matched facts. What about change? This structure is change-friendly by design.
808
00:54:08,560 –> 00:54:13,280
You can update a policy, run its test suite against recorded events and see the blast radius
809
00:54:13,280 –> 00:54:17,920
before rollout. You can replay events under a new rule set to validate migration plans. You can
810
00:54:17,920 –> 00:54:23,120
replace an execution component without altering the rules it subscribes to. You can add a new AI
811
00:54:23,120 –> 00:54:27,440
capability without retraining it on drift, because the truth it relies on is intentionally authored
812
00:54:27,440 –> 00:54:32,080
and consistently recorded. A few hard lines keep it honest: no rule without tests, no action without
813
00:54:32,080 –> 00:54:37,200
a citation, no event without context, no exception without TTL, no configuration without ownership mapped
814
00:54:37,200 –> 00:54:42,240
to intent, not convenience. And one more: no silent failure. If a fact is missing or a rule cannot be
815
00:54:42,240 –> 00:54:47,600
evaluated, fail now, loudly, with enough detail for a human to fix policy or data. Green dashboards are
816
00:54:47,600 –> 00:54:52,720
not the goal; truthful systems are. This is separation of concerns that survives AI. It’s not more
817
00:54:52,720 –> 00:54:57,520
rigor for its own sake; it’s rigor where it belongs: intent, facts, execution, explanation, distinct,
818
00:54:57,520 –> 00:55:02,080
composable and observable. Put them in that order and the system behaves like a system. Keep them
819
00:55:02,080 –> 00:55:05,680
entangled and you’ll keep telling life cycle stories while the control plane writes a different
820
00:55:05,680 –> 00:55:11,040
history. Applying the architecture in Microsoft 365 and Power Platform. These are examples, not
821
00:55:11,040 –> 00:55:16,720
prescriptions; your stack may differ, the principle holds. Start with the policy layer: put intent where
822
00:55:16,720 –> 00:55:21,440
humans can read it and machines can query it. Practically, that means a policy catalog in SharePoint
823
00:55:21,440 –> 00:55:26,560
or Dataverse with three non-negotiables: scope, version and tests. Scope names the jurisdiction
824
00:55:26,560 –> 00:55:31,680
and organizational unit. Version is immutable once published. Tests are executable examples:
825
00:55:31,680 –> 00:55:36,480
given facts X and Y, the expected outcome is Z. Use Dataverse tables for policy entities:
826
00:55:36,480 –> 00:55:41,440
capability rules, obligation rules, precedence tables, and expose them with a simple model-driven
827
00:55:41,440 –> 00:55:46,160
app for authorship and review. The catalog is not a wiki; it’s a rules registry with ownership and
828
00:55:46,160 –> 00:55:52,000
change control. Purview can hold the life cycle policy around the registry itself: retention, access
829
00:55:52,000 –> 00:55:57,520
and lineage of changes. Now the event layer: facts, not workflows. Use Dataverse or Fabric to ingest
830
00:55:57,520 –> 00:56:03,520
and store immutable events with rich context. From D365 HR or Workday, don’t map stages; emit events
831
00:56:03,520 –> 00:56:09,200
like candidate passed screen v2, with timestamps, actor, jurisdiction, role and attributes. From
832
00:56:09,200 –> 00:56:14,960
SuccessFactors emit leave granted under policy X home. From Entra emit capability edge assigned, conditional
833
00:56:14,960 –> 00:56:21,200
access applied, and exception created with TTL and justification. Standardize a minimal envelope: event
834
00:56:21,200 –> 00:56:26,320
name, version, actor, subject, attributes, correlation ID. Store the stream in Dataverse for operational
835
00:56:26,320 –> 00:56:30,480
subscribers and mirror it into Fabric for analytics and replay. Purview registers the domains
836
00:56:30,480 –> 00:56:37,040
and tracks lineage across sources. Execution subscribes: Power Automate flows, Logic Apps or Functions
837
00:56:37,040 –> 00:56:42,160
listen to events, query the policy API, evaluate, then act: assign capability bundles, trigger
838
00:56:42,160 –> 00:56:47,920
attestations, apply Entra group or app role changes, open a case. But execution does not embed rules;
839
00:56:47,920 –> 00:56:54,080
every decision carries a citation: policy ID, version and the facts used. If a required fact is missing,
840
00:56:54,080 –> 00:56:58,400
fail loud: post to a Teams incident channel with the policy reference and the missing attribute.
841
00:56:58,400 –> 00:57:05,200
Don’t configure run after and keep the path green; alarm is mandatory. Managed solutions, source control
842
00:57:05,200 –> 00:57:10,720
for flow definitions, and automated tests that run on every change. Flows are subscribers and transport,
843
00:57:10,720 –> 00:57:16,320
not the brain. Identity is the enforcement graph. Treat Entra as a compiler target: generate dynamic
844
00:57:16,320 –> 00:57:21,360
group queries, access packages and conditional access artifacts from the policy layer, not from the
845
00:57:21,360 –> 00:57:26,960
portal. Use Entra entitlement management for capability bundles: each package maps to a named
846
00:57:26,960 –> 00:57:32,480
capability set, with eligibility derived from policy, approvals constrained by obligation rules
847
00:57:32,480 –> 00:57:38,400
and TTL enforced by default. PIM enforces elevation windows; justification fields reference
848
00:57:38,400 –> 00:57:43,680
policy IDs; approvers are bound to roles in the policy registry, not ad hoc names. Exceptions are first
849
00:57:43,680 –> 00:57:49,600
class: they’re records in the policy catalog with scope and expiry, compiled into Entra as time-bound
850
00:57:49,600 –> 00:57:54,720
edges and surfaced in Purview as high-sensitivity artifacts with reviewers and audit schedules.
851
00:57:54,720 –> 00:57:59,520
Evidence is not an export; it’s the byproduct of the system doing its job. Every time execution
852
00:57:59,520 –> 00:58:04,560
applies a control, it emits control applied with the policy citation and the Entra object IDs
853
00:58:04,560 –> 00:58:09,840
affected. Every time an obligation is satisfied, it emits obligation satisfied with the rule and
854
00:58:09,840 –> 00:58:14,640
the evidence artifact link. Fabric consumes these streams for dashboards that matter: capability
855
00:58:14,640 –> 00:58:21,040
assignment accuracy, obligation satisfaction rate, exception half-life, identity drift delta, without
856
00:58:21,040 –> 00:58:26,240
scraping logs. Purview holds the catalog of evidence with lineage from source events through rule
857
00:58:26,240 –> 00:58:31,680
evaluation to control application. Observability binds this together: use Application Insights or your
858
00:58:31,680 –> 00:58:37,120
SIEM to capture rule evaluations as traces: policy version, inputs, outcome and subscriber actions.
859
00:58:37,120 –> 00:58:42,400
When something goes wrong, you don’t parse flow histories hoping to infer intent; you read the trace
860
00:58:42,400 –> 00:58:47,760
that shows which rule missed, whether because a fact was absent or a conflict existed. Health
861
00:58:47,760 –> 00:58:54,160
isn’t no failure; health is failures are early, loud and attributable. How does M365 help the AI layer?
862
00:58:54,160 –> 00:58:58,960
Copilot Studio lets you build agents that don’t hallucinate authority. Point agents to the policy
863
00:58:58,960 –> 00:59:03,840
API, not to handbooks. Give them a read-only view of the event stream and the evidence catalog. When they
864
00:59:03,840 –> 00:59:09,440
propose an action, assign a bundle, request an attestation, they attach the policy citation automatically;
865
00:59:09,440 –> 00:59:14,320
when they decline, they cite conflicts. Their power comes from constraints. Governance is the authorization
866
00:59:14,320 –> 00:59:20,480
compiler. In practice, a small service, Function App, API Management or a Power Platform custom connector,
867
00:59:20,480 –> 00:59:25,840
takes policies, compiles controls, emits tests and publishes artifacts. A change in policy triggers test
868
00:59:25,840 –> 00:59:31,760
runs against recorded events in Fabric; failures block release. Exceptions are requested through a Power
869
00:59:31,760 –> 00:59:38,000
App, approved per policy, encoded with TTL, compiled and constantly reported. No temporary connector tweak
870
00:59:38,000 –> 00:59:43,440
survives without a clock. One hard line: no silent workarounds. If a flow must default a value to pass
871
00:59:43,440 –> 00:59:47,840
an API, that default is a policy change with scope and expiry, not a mapping trick. If a country pack
872
00:59:47,840 –> 00:59:52,320
requires a special rule, that’s a policy record with jurisdiction, not a hidden branch. If an identity
873
00:59:52,320 –> 00:59:58,080
edge persists, that’s a missed TTL, not we forgot. The tools are familiar; the discipline is new. Put intent
874
00:59:58,080 –> 01:00:02,640
where it belongs, facts where they can’t be argued with, execution where it can be replaced and
875
01:00:02,640 –> 01:00:07,040
explanation where the decision happens. Then your Microsoft stack stops telling stories and starts
876
01:00:07,040 –> 01:00:13,600
behaving like a system. Governance reframe: HR owns intent, platforms execute. Governance fails when
877
01:00:13,600 –> 01:00:18,960
ownership is vague, so draw the line where the system actually changes: HR owns intent, platforms execute,
878
01:00:18,960 –> 01:00:24,800
security constrains, compliance verifies, identity enforces. Each role has one job, with artifacts that
879
01:00:24,800 –> 01:00:31,120
prove it. Start with HR owns intent. It means HR defines capability catalogs and obligation rules in a
880
01:00:31,120 –> 01:00:36,800
policy layer: human readable, machine queryable, scoped, versioned, and testable. HR does not diagram workflows
881
01:00:36,800 –> 01:00:43,360
to make it so. HR publishes rules that say what must be true, who is in scope, what takes precedence,
882
01:00:43,360 –> 01:00:48,800
and when exceptions expire. If a rule cannot be read aloud to an auditor and compiled into controls,
883
01:00:48,800 –> 01:00:54,560
it is not policy; it’s a meeting note. Platforms execute. That means engineering, administrators, and
884
01:00:54,560 –> 01:00:59,280
integrators build compilers, subscribers, and evidence pipelines that turn policy into enforcement
885
01:00:59,280 –> 01:01:04,000
and facts into lineage. They do not interpret intent; they evaluate rules against events and apply
886
01:01:04,000 –> 01:01:09,200
controls, emitting decision-time citations by default. The platform team’s success is measured by
887
01:01:09,200 –> 01:01:14,720
replaceability and observability: can any component be swapped without losing policy fidelity,
888
01:01:14,720 –> 01:01:20,080
and can every decision produce a proof without a war room? Security constrains. They define risk
889
01:01:20,080 –> 01:01:24,640
postures, global guardrails, and precedence models that limit what any policy may demand. They don’t
890
01:01:24,640 –> 01:01:29,200
write HR policy; they bound it. They choose the cryptographic strength, the session lifetimes, the
891
01:01:29,200 –> 01:01:34,560
device requirements, the break-glass doctrine, the default deny. When policy and security collide,
892
01:01:34,560 –> 01:01:39,840
the precedence is explicit, versioned, and testable. Security is not a veto in email; it is a constraint in
893
01:01:39,840 –> 01:01:44,400
code. Compliance verifies. They don’t write policy or workflows; they validate that rules exist, that
894
01:01:44,400 –> 01:01:49,040
they are versioned, that tests cover obligations, and that evidence is generated at decision time
895
01:01:49,040 –> 01:01:54,160
with chain of custody. Their questions are simple: where is the rule, where are the facts, where is
896
01:01:54,160 –> 01:01:59,520
the proof? If the answer is in a path name or in a flow run, the verdict is drift. Identity
897
01:01:59,520 –> 01:02:05,520
enforces. Entra is the control plane that converts compiled policy into edges: groups, roles, access
898
01:02:05,520 –> 01:02:11,520
packages, Conditional Access. Identity is accountable to the policy layer and visible to compliance.
899
01:02:11,520 –> 01:02:16,640
It is not downstream of HR narratives; it is downstream of compiled rules. Any entitlement without a
900
01:02:16,640 –> 01:02:22,800
policy citation and TTL is a defect, not a convenience. Align incentives to these roles. HR is measured
901
01:02:22,800 –> 01:02:28,000
by policy coverage, clarity, and change half-life: how long exceptions live before being codified or
902
01:02:28,000 –> 01:02:33,840
retired. Platforms are measured by time to proof, not time to green, by rule evaluation latency and
903
01:02:33,840 –> 01:02:38,720
trace completeness, not dashboard vanity. Security is measured by conflict detection and blast radius
904
01:02:38,720 –> 01:02:43,840
simulations before production, not severity of advisories after incidents. Compliance is measured by
905
01:02:43,840 –> 01:02:48,960
audit throughput with fewer escalations, because proofs are generated, not reconstructed. Identity is
906
01:02:48,960 –> 01:02:53,360
measured by drift delta and exception half-life, not ticket closure. Translate this into working
907
01:02:53,360 –> 01:02:58,560
agreements: no rule without tests, no execution without citation, no exception without TTL and owner,
908
01:02:58,560 –> 01:03:03,440
no configuration without mapped intent, no silent failures. If a platform needs a default to pass
909
01:03:03,440 –> 01:03:08,880
an API, policy must say so. If a country requires a local step, the rule must declare scope. If an
910
01:03:08,880 –> 01:03:14,160
exception is necessary, it lives in the policy registry with expiry, not in a connector. If a system
911
01:03:14,160 –> 01:03:19,280
cannot produce a proof, it cannot act. Distribute ownership where entropy starts. HR authors the
912
01:03:19,280 –> 01:03:24,960
capability catalog: named bundles with risk postures and prerequisite obligations. Security
913
01:03:24,960 –> 01:03:31,200
approves global constraints: session, device, location. Platforms expose a policy API and compile artifacts.
914
01:03:31,200 –> 01:03:36,800
Identity consumes compiled outputs, no portal heroics. Compliance enforces change control on the policy
915
01:03:36,800 –> 01:03:42,000
registry and the compiler, not on templated workflows. If someone asks who changes hiring stages,
916
01:03:42,000 –> 01:03:46,400
the answer is nobody. Stages don’t carry policy anymore. Replace committees with compilers.
917
01:03:46,400 –> 01:03:51,040
Governance is not monthly steering; it’s automated gates. A policy change runs tests against recorded
918
01:03:51,040 –> 01:03:56,720
events; failures block release. A compiler change runs static checks for control equivalence;
919
01:03:56,720 –> 01:04:02,480
deviations require security sign-off. An exception request is a record with scope, TTL, and reviewer;
920
01:04:02,480 –> 01:04:08,160
the compiler emits the edge and the evidence automatically. Reports are streams, not spreadsheets. Move
921
01:04:08,160 –> 01:04:13,680
escalation out of inboxes. When a conflict arises, global versus local, security versus HR, the precedence
922
01:04:13,680 –> 01:04:18,640
rule executes, produces a denial with citations, and opens a case that references both rules
923
01:04:18,640 –> 01:04:23,840
and the failing facts. Humans adjudicate policy, not plumbing. Remediation is a rule added, not a flow
924
01:04:23,840 –> 01:04:30,160
tweak. Write one last sentence on the wall where people can see it: HR owns intent, platforms
925
01:04:30,160 –> 01:04:35,600
execute. Everything else is entropy generators arguing over whose template matters. Anonymized failure
926
01:04:35,600 –> 01:04:41,040
modes: composite scenarios you already recognize. Large enterprise transfer. On paper it’s simple: a
927
01:04:41,040 –> 01:04:46,400
senior analyst moves from business unit A to business unit B, same country, similar role. In Workday,
928
01:04:46,400 –> 01:04:51,760
the transfer triggers two clones of the global mobility process, one harmonized, one legacy, that the BU
929
01:04:51,760 –> 01:04:56,720
never retired. The harmonized process checks a calculated field that routes high-risk finance roles
930
01:04:56,720 –> 01:05:02,480
to a second approver. The legacy clone encodes the same intent as a validation on compensation grade.
931
01:05:02,480 –> 01:05:07,440
The analyst’s job profile changed; the grade didn’t. HR thinks the second approval occurred because
932
01:05:07,440 –> 01:05:12,560
the path turned green. It didn’t. In Entra, capability bundles recompute via dynamic groups tied to
933
01:05:12,560 –> 01:05:17,440
department and location. One group is policy-compiled; the other is a hand-built artifact from last
934
01:05:17,440 –> 01:05:23,040
year’s reorg. Conditional Access sees both claims, so the analyst now has ledger query and contract
935
01:05:23,040 –> 01:05:28,080
approval, two edges never intended together. Evidence exists everywhere; explanation exists nowhere.
936
01:05:28,080 –> 01:05:34,080
Global jurisdictional conflict. A manager in Germany relocates to Ontario mid-year. SuccessFactors
937
01:05:34,080 –> 01:05:38,720
time-off schemas grant parental leave under a German pack that encodes a waiting period.
938
01:05:38,720 –> 01:05:43,280
Ontario requires an immediate entitlement with different accrual math. The relocation event was
939
01:05:43,280 –> 01:05:47,920
emitted as a stage change in HR, not as an immutable fact with jurisdictional scope. The localized
940
01:05:47,920 –> 01:05:53,200
Canadian flow patched the waiting period six months ago. The international assignment urgent variant
941
01:05:53,200 –> 01:05:57,760
removed the attestation step during the pandemic and never restored it. Payroll runs two different
942
01:05:57,760 –> 01:06:03,360
eligibility checks keyed to country code in different places, one in a business rule catalog, one in a
943
01:06:03,360 –> 01:06:08,800
picklist mapping, so accruals start under one interpretation and retroactively adjust under another.
944
01:06:08,800 –> 01:06:13,200
Meanwhile, the company’s global retention policy expects disciplinary records to persist
945
01:06:13,200 –> 01:06:19,040
three years. Germany’s country pack forks a data retention sub-process that purges certain categories
946
01:06:19,040 –> 01:06:24,320
earlier. Analytics compensate with derived fields to keep dashboards consistent. An investigation
947
01:06:24,320 –> 01:06:30,080
arrives later; evidence is gone by design. Local compliance passed; global coherence didn’t exist.
948
01:06:30,080 –> 01:06:35,920
M&A identity merge. Two directories, two HR systems, one deal timeline. The integration team maps
949
01:06:35,920 –> 01:06:41,040
titles, departments, and locations. They don’t map capability bundles, because those don’t exist as
950
01:06:41,040 –> 01:06:46,800
first-class artifacts. Entitlement reconciliation happens via access lists, SAM, direct app role assignments
951
01:06:46,800 –> 01:06:51,760
copied by script to speed day-one productivity. Privileged Identity Management approvals reference
952
01:06:51,760 –> 01:06:57,280
old org charts; approvals rubber-stamp at odd hours to meet cutovers. Conditional Access baselines
953
01:06:57,280 –> 01:07:03,440
collide: one tenant whitelisted data centers during a vendor issue, the other relies on device compliance.
954
01:07:03,440 –> 01:07:07,680
A shadow trusted location remains in a test policy duplicated for temporary relief.
955
01:07:08,320 –> 01:07:13,280
Three months later, a terminated contractor still has access through a service principal assigned to
956
01:07:13,280 –> 01:07:18,080
a project finance group that migrated as a dynamic group with a stale query. HR shows a clean
957
01:07:18,080 –> 01:07:23,280
termination date, Entra shows token claims, compliance shows an audit trail of approvals. None of them
958
01:07:23,280 –> 01:07:28,400
show policy that would have prevented the edge. Seasonal hiring surge. Recruiting spins up Power
959
01:07:28,400 –> 01:07:33,680
Automate flows to bulk-post job ads and orchestrate ready-to-hire. A pagination change in a connector
960
01:07:33,680 –> 01:07:38,960
silently stops posting in two regions. The hiring team assumes low interest and manually duplicates
961
01:07:38,960 –> 01:07:44,640
requisitions in the portal. Now duplicate candidates land in Dataverse with slight profile differences.
962
01:07:44,640 –> 01:07:49,360
A ready-to-hire orchestrator fills a mandatory field for one jurisdiction with a default to keep
963
01:07:49,360 –> 01:07:54,880
the pipeline moving. Benefits eligibility is wrong for an entire cohort until Q3. To reduce churn,
964
01:07:54,880 –> 01:08:00,560
a flow filters out inactive updates during transfer bursts; terminations at 5 p.m. miss
965
01:08:00,560 –> 01:08:05,840
the window and persist access overnight. The exception group created for seasonal supervisors has a TTL
966
01:08:05,840 –> 01:08:11,920
of 14 days; nobody owns the queue that renews them. In October, a break-glass account’s password rotated;
967
01:08:11,920 –> 01:08:17,120
its app secret didn’t. Incidents are unusual only to people who don’t read run histories.
968
01:08:17,120 –> 01:08:22,720
Remediation sprint. After an incident, leadership declares one global process and no local clones.
969
01:08:22,720 –> 01:08:26,400
Implementation parameterizes a master flow with country flags
970
01:08:27,040 –> 01:08:32,800
and embeds the rule differences behind those flags. The facade is clean; the logic is still fragmented.
971
01:08:32,800 –> 01:08:37,840
A center of excellence controls business process edits and condition rule libraries.
972
01:08:37,840 –> 01:08:42,720
Backlogs grow. Local teams deliver central templates with just a few variations.
973
01:08:42,720 –> 01:08:47,040
Exceptions become email approvals with file attachments that nobody re-encodes as policy.
974
01:08:47,040 –> 01:08:53,440
The compiler concept is discussed. Instead, the team publishes a Confluence page with rules
975
01:08:53,440 –> 01:08:58,720
by country and calls it a corpus. AI pilots are announced. Copilot summarizes the page and
976
01:08:58,720 –> 01:09:04,000
proposes actions consistent with history, not with intent. Everyone agrees adoption is recommendation
977
01:09:04,000 –> 01:09:10,080
only until comfort grows. Comfort never grows, because nothing changed where it mattered. The point
978
01:09:10,080 –> 01:09:16,000
of these scenarios isn’t drama; it’s inevitability. Transfers multiply graphs, jurisdictions multiply
979
01:09:16,000 –> 01:09:22,480
forks, mergers multiply histories, surges multiply glue, remediation multiplies facades. If policy
980
01:09:22,480 –> 01:09:28,560
lives in workflows, labels, and connectors, AI will mirror drift, not meaning, and your control plane
981
01:09:28,560 –> 01:09:34,480
will keep writing history faster than your narrative can catch it. Immediate moves: 90-day
982
01:09:34,480 –> 01:09:39,360
repayments on architectural debt. None of this requires new tools; you already have everything you need.
983
01:09:39,360 –> 01:09:46,240
Day 1 to 15: inventory intent. Stand up a lightweight policy catalog in SharePoint or Dataverse with
984
01:09:46,240 –> 01:09:52,400
three required fields per entry: scope, version, owner. Seed it with five obligations and five capability
985
01:09:52,400 –> 01:09:58,000
bundles you actually enforce. For each, add two executable tests: given facts, expect outcome. Stop after
986
01:09:58,000 –> 01:10:04,960
10; depth beats volume. In parallel, instrument facts: pick three life cycle events and emit them
987
01:10:04,960 –> 01:10:11,040
as immutable records: capability bundle assigned, obligation satisfied, identity edge removed,
988
01:10:11,040 –> 01:10:17,360
et cetera. Include timestamps, subject, jurisdiction, and correlation IDs. Pipe to Dataverse now, mirror
989
01:10:17,360 –> 01:10:23,280
to Fabric later. Day 16 to 30: pull policy out of plumbing. Choose one noisy flow, strip embedded rules,
990
01:10:23,280 –> 01:10:29,280
replace with subscribe to event, query policy API. Start with a simple table: act side, rule version,
991
01:10:29,280 –> 01:10:35,120
emit control applied, fail loud on missing facts, merge via ALM, not the portal. Identity: pick one
992
01:10:35,120 –> 01:10:41,280
capability bundle, generate Entra artifacts from the catalog: dynamic groups, access package, PIM settings,
993
01:10:41,280 –> 01:10:46,480
with a default TTL for exceptions. Add a weekly job that reports exceptions approaching expiry;
994
01:10:46,480 –> 01:10:52,800
do not auto-renew. Day 31 to 60: establish precedence and drift detection. Write one precedence rule,
995
01:10:52,800 –> 01:10:58,640
global versus local; it beats email threads forever. Add a reconciliation job that compares HR worker truth,
996
01:10:58,640 –> 01:11:03,520
Entra access truth, and evidence truth for a random cohort. Report disagreements with a named winner
997
01:11:03,520 –> 01:11:10,160
and a link to policy. Observability: add rule evaluation traces to Application Insights: policy ID,
998
01:11:10,160 –> 01:11:15,920
inputs, outcome, subscriber. Build a simple Fabric dashboard: capability accuracy, obligation
999
01:11:15,920 –> 01:11:22,560
satisfaction, exception half-life, identity drift delta. Day 61 to 90: make it default. Require a policy
1000
01:11:22,560 –> 01:11:28,160
citation for any new entitlement, require TTL for any exception, require tests for any policy change.
1001
01:11:28,160 –> 01:11:34,240
Turn on fail fast in flows: no configure-run-after hiding red parts. Publish a standing rule: no configuration
1002
01:11:34,240 –> 01:11:41,120
without mapped intent. Enforce with pull requests, not pep talks. The takeaway: life cycles are stories;
1003
01:11:41,120 –> 01:11:46,720
systems need contracts. Intent as rules, facts as events, identity as the enforcement graph. If you want
1004
01:11:46,720 –> 01:11:52,080
autonomy that cites policy, not history, start the 90-day repayment today. Subscribe for the deep dive
1005
01:11:52,080 –> 01:11:56,320
on the authorization compiler next, and share this with the person still fixing flows instead of
1006
01:11:56,320 –> 01:11:58,480
moving policy out of them.