
1
00:00:00,000 –> 00:00:02,520
Most organizations treat Fabric lineage like governance.
2
00:00:02,520 –> 00:00:03,280
They are wrong.
3
00:00:03,280 –> 00:00:05,640
Lineage is a diagram that makes people feel safe
4
00:00:05,640 –> 00:00:07,200
because it looks like control,
5
00:00:07,200 –> 00:00:09,200
but control requires authority,
6
00:00:09,200 –> 00:00:12,760
and authority requires the power to refuse execution.
7
00:00:12,760 –> 00:00:15,360
Most teams don’t discover this gap during design reviews.
8
00:00:15,360 –> 00:00:16,960
They discover it during audits.
9
00:00:16,960 –> 00:00:18,120
When the questions get sharp,
10
00:00:18,120 –> 00:00:20,160
screenshots and lineage graphs don’t answer them.
11
00:00:20,160 –> 00:00:22,120
So this episode does something different.
12
00:00:22,120 –> 00:00:25,520
No demos, no UI tours, no “click here.”
13
00:00:25,520 –> 00:00:28,480
Just architecture, five inevitability scenarios,
14
00:00:28,480 –> 00:00:30,280
and a deterministic test you can use
15
00:00:30,280 –> 00:00:33,080
to decide what Fabric can and cannot govern.
16
00:00:33,080 –> 00:00:35,680
Governance is a verb, lineage is a noun.
17
00:00:35,680 –> 00:00:38,040
Start with language because marketing always wins
18
00:00:38,040 –> 00:00:39,920
when engineers stop defining words.
19
00:00:39,920 –> 00:00:43,000
Governance is a verb: it’s something a system does to you.
20
00:00:43,000 –> 00:00:45,200
It constrains, it prevents, it refuses,
21
00:00:45,200 –> 00:00:47,480
it expresses intent as enforceable behavior.
22
00:00:47,480 –> 00:00:50,160
Lineage is a noun: it’s something you look at.
23
00:00:50,160 –> 00:00:53,080
It describes, it traces, it reconstructs.
24
00:00:53,080 –> 00:00:54,400
That distinction matters.
25
00:00:55,840 –> 00:00:58,640
A lot of teams conflate these because the output looks similar,
26
00:00:58,640 –> 00:01:01,800
a neat graph of assets, arrows, dependencies, upstream
27
00:01:01,800 –> 00:01:03,400
and downstream impacts.
28
00:01:03,400 –> 00:01:05,840
And in the Power BI era, people got used to thinking,
29
00:01:05,840 –> 00:01:07,800
if I can see it, I can control it.
30
00:01:07,800 –> 00:01:09,840
Visibility became a proxy for authority,
31
00:01:09,840 –> 00:01:11,640
but observability is not governance.
32
00:01:11,640 –> 00:01:14,000
Observability answers: what happened, where did it flow,
33
00:01:14,000 –> 00:01:16,920
what depends on what, what will break if I change this?
34
00:01:16,920 –> 00:01:20,040
Governance answers: what is allowed to happen in the first place?
35
00:01:20,040 –> 00:01:22,720
Measurement versus authority: a speedometer is not a brake.
36
00:01:22,720 –> 00:01:24,600
And this speedometer analogy isn’t cute,
37
00:01:24,600 –> 00:01:26,200
it’s the entire failure mode.
38
00:01:26,200 –> 00:01:29,360
Lineage tells you the system was moving fast and where it went.
39
00:01:29,360 –> 00:01:30,960
Governance is the thing that stops it
40
00:01:30,960 –> 00:01:33,080
from crossing the line in the first place.
41
00:01:33,080 –> 00:01:34,760
So if someone tells you we have governance
42
00:01:34,760 –> 00:01:37,640
because we have lineage, ask a single litmus question.
43
00:01:37,640 –> 00:01:39,680
Can the system say no in real time?
44
00:01:39,680 –> 00:01:41,000
Not “can we find out later?”
45
00:01:41,000 –> 00:01:42,200
Not “can we alert?”
46
00:01:42,200 –> 00:01:43,760
Not “can we open a ticket?”
47
00:01:43,760 –> 00:01:47,080
“No” means deny synchronously before the action completes
48
00:01:47,080 –> 00:01:49,120
with the same reliability as the action itself.
49
00:01:49,120 –> 00:01:51,200
If the platform can’t do that, it isn’t governing,
50
00:01:51,200 –> 00:01:52,520
it is observing.
51
00:01:52,520 –> 00:01:54,640
And most organizations don’t want to admit how much
52
00:01:54,640 –> 00:01:57,640
of their governance is really just post-fact explanations.
53
00:01:57,640 –> 00:02:00,120
Dashboards, diagrams, policies written in Word,
54
00:02:00,120 –> 00:02:02,880
screenshots and audit packs, a quarterly review meeting
55
00:02:02,880 –> 00:02:05,280
where everyone agrees this is important,
56
00:02:05,280 –> 00:02:06,920
then grants the exception anyway
57
00:02:06,920 –> 00:02:08,400
because the business needs to ship.
58
00:02:08,400 –> 00:02:09,640
That’s not governance.
59
00:02:09,640 –> 00:02:12,080
That’s entropy management with good intentions.
60
00:02:12,080 –> 00:02:14,200
Here’s why the confusion persists.
61
00:02:14,200 –> 00:02:15,880
Lineage feels like a control plane
62
00:02:15,880 –> 00:02:17,520
because it’s centralized, it’s visual,
63
00:02:17,520 –> 00:02:19,200
and it gives leaders something to point at.
64
00:02:19,200 –> 00:02:20,720
It produces artifacts.
65
00:02:20,720 –> 00:02:22,400
Artifacts create comfort.
66
00:02:22,400 –> 00:02:24,160
Comfort turns into policy.
67
00:02:24,160 –> 00:02:26,160
Then the policy turns into an assumption.
68
00:02:26,160 –> 00:02:27,920
Since we can trace it, we control it.
69
00:02:27,920 –> 00:02:29,320
But tracing is not controlling.
70
00:02:29,320 –> 00:02:31,880
Lineage is a forensic capability, a high-quality one
71
00:02:31,880 –> 00:02:32,960
when implemented well.
72
00:02:32,960 –> 00:02:34,080
Forensics are valuable.
73
00:02:34,080 –> 00:02:37,720
They help you debug, do impact analysis and reconstruct flows.
74
00:02:37,720 –> 00:02:39,440
They also help you tell an audit story.
75
00:02:39,440 –> 00:02:41,640
And that audit story matters, but it’s not the same
76
00:02:41,640 –> 00:02:42,480
as reducing risk.
77
00:02:42,480 –> 00:02:44,840
In regulated environments, auditors don’t just ask,
78
00:02:44,840 –> 00:02:46,360
can you explain what happened?
79
00:02:46,360 –> 00:02:49,080
They ask, what prevents it from happening again?
80
00:02:49,080 –> 00:02:50,840
That’s a completely different class of requirement.
81
00:02:50,840 –> 00:02:53,480
One is narrative, the other is system behavior.
82
00:02:53,480 –> 00:02:55,440
And this is where Fabric becomes revealing
83
00:02:55,440 –> 00:02:57,720
because Fabric is built to reduce friction.
84
00:02:57,720 –> 00:03:00,440
Unification, one lake, easy sharing, fast notebooks,
85
00:03:00,440 –> 00:03:02,160
pipelines that connect everything.
86
00:03:02,160 –> 00:03:04,560
The platform is optimized for execution velocity,
87
00:03:04,560 –> 00:03:05,160
which is fine.
88
00:03:05,160 –> 00:03:06,640
That’s what it was designed for.
89
00:03:06,640 –> 00:03:08,840
But velocity and governance are natural enemies
90
00:03:08,840 –> 00:03:11,200
unless the platform has an enforcement mechanism
91
00:03:11,200 –> 00:03:12,520
that keeps up with that velocity.
92
00:03:12,520 –> 00:03:14,720
So the problem is not that lineage is bad.
93
00:03:14,720 –> 00:03:16,360
The problem is that lineage is being used
94
00:03:16,360 –> 00:03:18,360
as a substitute for authority.
95
00:03:18,360 –> 00:03:19,800
Lineage lives after the action.
96
00:03:19,800 –> 00:03:21,520
Governance lives before the action.
97
00:03:21,520 –> 00:03:24,720
If governance is prevention, then the next question is simple.
98
00:03:24,720 –> 00:03:27,160
Where does prevention live?
99
00:03:27,160 –> 00:03:29,400
The policy enforcement point Fabric doesn’t have.
100
00:03:29,400 –> 00:03:31,320
Every governed system answers that question
101
00:03:31,320 –> 00:03:32,680
with a policy enforcement point.
102
00:03:32,680 –> 00:03:33,400
Fabric doesn’t.
103
00:03:33,400 –> 00:03:34,200
That’s not an insult.
104
00:03:34,200 –> 00:03:36,280
It’s an architectural classification.
105
00:03:36,280 –> 00:03:39,240
A policy enforcement point, or PEP, is the moment a system
106
00:03:39,240 –> 00:03:42,480
evaluates intent and either allows an action or refuses it.
107
00:03:42,480 –> 00:03:44,080
And it has three properties that matter
108
00:03:44,080 –> 00:03:45,880
if you’re serious about governance.
109
00:03:45,880 –> 00:03:46,960
First, it’s synchronous.
110
00:03:46,960 –> 00:03:48,760
The decision happens in line with the request,
111
00:03:48,760 –> 00:03:50,160
not in a background job.
112
00:03:50,160 –> 00:03:51,400
Second, it’s transactional.
113
00:03:51,400 –> 00:03:53,440
The deny happens before the state change commits.
114
00:03:53,440 –> 00:03:55,400
If the write succeeds, the governance layer failed
115
00:03:55,400 –> 00:03:57,320
even if it logs the event perfectly.
116
00:03:57,320 –> 00:03:58,880
Third, it’s authoritative.
117
00:03:58,880 –> 00:04:00,920
It’s the last gate before execution.
118
00:04:00,920 –> 00:04:02,760
Not an observer attached to the side.
119
00:04:02,760 –> 00:04:04,640
If you want a simple rule, governance
120
00:04:04,640 –> 00:04:06,680
that arrives after execution is paperwork,
121
00:04:06,680 –> 00:04:08,520
useful paperwork but paperwork.
122
00:04:08,520 –> 00:04:10,520
Now look at what Fabric lineage actually is.
123
00:04:10,520 –> 00:04:11,920
Lineage is emitted telemetry.
124
00:04:11,920 –> 00:04:15,160
It’s metadata about relationships between items, pipelines,
125
00:04:15,160 –> 00:04:18,200
notebooks, lakehouses, warehouses, semantic models, reports.
126
00:04:18,200 –> 00:04:20,640
It’s a reconstruction graph of “this used that”
127
00:04:20,640 –> 00:04:24,400
and “this produced that”, built from events and metadata extraction.
128
00:04:24,400 –> 00:04:25,600
That’s observability.
129
00:04:25,600 –> 00:04:26,680
That is not a gate.
130
00:04:26,680 –> 00:04:28,680
And the easiest way to prove this without a demo
131
00:04:28,680 –> 00:04:30,000
is to talk about time.
132
00:04:30,000 –> 00:04:34,280
In a governed system, the sequence is request, policy check,
133
00:04:34,280 –> 00:04:36,840
allow or deny, execution.
134
00:04:36,840 –> 00:04:40,440
In an observed system, the sequence is execution, event emitted,
135
00:04:40,440 –> 00:04:43,120
metadata updated, someone reviews it later.
136
00:04:43,120 –> 00:04:45,880
Lineage sits on the second sequence, which means
137
00:04:45,880 –> 00:04:48,360
lineage can never be the thing that prevented the action
138
00:04:48,360 –> 00:04:49,160
it’s describing.
139
00:04:49,160 –> 00:04:50,840
It can only describe it after the fact.
140
00:04:50,840 –> 00:04:53,400
So when someone says, but Purview integrates with Fabric
141
00:04:53,400 –> 00:04:55,800
and Fabric has labels and we can see everything,
142
00:04:55,800 –> 00:04:57,120
the response is simple.
143
00:04:57,120 –> 00:04:58,800
Where is the synchronous deny?
144
00:04:58,800 –> 00:05:01,360
What component is guaranteed to run before the notebook
145
00:05:01,360 –> 00:05:02,400
reads the data?
146
00:05:02,400 –> 00:05:04,360
Before the pipeline writes the output,
147
00:05:04,360 –> 00:05:07,080
before the shortcut gets created, before the export happens.
148
00:05:07,080 –> 00:05:09,680
If you can’t point to that component, you don’t have governance.
149
00:05:09,680 –> 00:05:11,920
You have an incident narrative generator.
150
00:05:11,920 –> 00:05:13,120
Here’s what most people miss.
151
00:05:13,120 –> 00:05:14,680
A PEP is not a feature.
152
00:05:14,680 –> 00:05:16,120
It’s a position in the architecture.
153
00:05:16,120 –> 00:05:18,120
You can ship 100 governance features and still not
154
00:05:18,120 –> 00:05:20,680
have a PEP if none of them sit in the execution path.
155
00:05:20,680 –> 00:05:23,360
Tags don’t, endorsements don’t, lineage doesn’t.
156
00:05:23,360 –> 00:05:25,880
Even many security signals don’t because they were designed
157
00:05:25,880 –> 00:05:29,120
as classification and visibility first, enforcement second,
158
00:05:29,120 –> 00:05:31,040
and enforcement only in certain pathways.
159
00:05:31,040 –> 00:05:32,520
And when enforcement is selective,
160
00:05:32,520 –> 00:05:34,480
you’ve already conceded the security model.
161
00:05:34,480 –> 00:05:36,440
You’ve moved from deterministic to probabilistic.
162
00:05:36,440 –> 00:05:37,040
And we’ll get to that.
163
00:05:37,040 –> 00:05:39,640
But remember this detail, partial enforcement
164
00:05:39,640 –> 00:05:41,320
is an entropy generator.
165
00:05:41,320 –> 00:05:43,240
Now to be fair to the platform, Fabric is not
166
00:05:43,240 –> 00:05:44,800
pretending to be a data firewall.
167
00:05:44,800 –> 00:05:46,280
It is an execution substrate.
168
00:05:46,280 –> 00:05:49,240
It’s a unified surface area where many workloads run against
169
00:05:49,240 –> 00:05:51,000
OneLake-backed data.
170
00:05:51,000 –> 00:05:52,280
That’s the value proposition.
171
00:05:52,280 –> 00:05:54,400
Reduce integration burden, reduce friction,
172
00:05:54,400 –> 00:05:56,200
accelerate time to insight.
173
00:05:56,200 –> 00:05:58,640
But acceleration changes the governance problem.
174
00:05:58,640 –> 00:06:00,880
It makes after-the-fact controls less meaningful
175
00:06:00,880 –> 00:06:03,680
because the system can produce more outcomes in an hour
176
00:06:03,680 –> 00:06:06,080
than a governance committee can review in a month.
177
00:06:06,080 –> 00:06:07,800
So what happens in real organizations?
178
00:06:07,800 –> 00:06:09,440
They replace enforcement with process.
179
00:06:09,440 –> 00:06:10,680
They create naming standards.
180
00:06:10,680 –> 00:06:12,160
They create workspace conventions.
181
00:06:12,160 –> 00:06:14,080
They create gold, silver, bronze tagging.
182
00:06:14,080 –> 00:06:15,080
They create review boards.
183
00:06:15,080 –> 00:06:15,880
They create tickets.
184
00:06:15,880 –> 00:06:17,040
They create training decks.
185
00:06:17,040 –> 00:06:19,400
And then a senior analyst needs access by Friday.
186
00:06:19,400 –> 00:06:20,560
So the exception happens.
187
00:06:20,560 –> 00:06:22,080
And the exception becomes permanent.
188
00:06:22,080 –> 00:06:23,280
That is not a people problem.
189
00:06:23,280 –> 00:06:25,520
That is what systems do when architecture
190
00:06:25,520 –> 00:06:27,000
doesn’t enforce intent.
191
00:06:27,000 –> 00:06:28,280
This is the uncomfortable truth.
192
00:06:28,280 –> 00:06:30,800
Without a policy enforcement point, Fabric governance
193
00:06:30,800 –> 00:06:31,600
becomes cleanup.
194
00:06:31,600 –> 00:06:34,280
You detect drift, you document drift, you chase drift.
195
00:06:34,280 –> 00:06:36,000
Meanwhile, the platform keeps executing.
196
00:06:36,000 –> 00:06:37,640
Lineage helps you chase.
197
00:06:37,640 –> 00:06:39,200
It does not help you stop.
198
00:06:39,200 –> 00:06:41,040
So when you hear “Fabric has governance
199
00:06:41,040 –> 00:06:44,320
because it has lineage”, translate it into the real statement:
200
00:06:44,320 –> 00:06:47,120
we can reconstruct what happened after it already happened.
201
00:06:47,120 –> 00:06:48,200
That’s fine for debugging.
202
00:06:48,200 –> 00:06:49,640
It’s even useful for audits.
203
00:06:49,640 –> 00:06:51,080
But it is not prevention.
204
00:06:51,080 –> 00:06:52,840
And if your risk model requires prevention,
205
00:06:52,840 –> 00:06:55,120
the prevention can’t live inside a component
206
00:06:55,120 –> 00:06:57,760
that only knows the outcome after execution.
207
00:06:57,760 –> 00:06:59,560
Now the next step is to stop pretending
208
00:06:59,560 –> 00:07:01,880
this is a missing feature you can toggle on.
209
00:07:01,880 –> 00:07:03,520
It is an architectural boundary.
210
00:07:03,520 –> 00:07:06,000
And once you see Fabric as an execution substrate,
211
00:07:06,000 –> 00:07:08,480
the rest of its behavior becomes predictable.
212
00:07:08,480 –> 00:07:10,360
Fabric is a router, not a firewall.
213
00:07:10,360 –> 00:07:12,760
So treat Fabric honestly: not as a control plane,
214
00:07:12,760 –> 00:07:15,120
but as a forwarding plane. A firewall is a control plane.
215
00:07:15,120 –> 00:07:15,960
A router is not.
216
00:07:15,960 –> 00:07:16,880
Fabric is a router.
217
00:07:16,880 –> 00:07:18,920
That line sounds blunt, but it’s the cleanest way
218
00:07:18,920 –> 00:07:20,680
to stop the governance confusion.
219
00:07:20,680 –> 00:07:22,880
A firewall decides whether traffic is allowed.
220
00:07:22,880 –> 00:07:25,040
A router assumes the traffic is allowed,
221
00:07:25,040 –> 00:07:27,120
then focuses on moving it efficiently.
222
00:07:27,120 –> 00:07:28,960
If you configure a router like a firewall,
223
00:07:28,960 –> 00:07:30,240
you don’t get a better firewall.
224
00:07:30,240 –> 00:07:32,320
You get accidental exposure at scale.
225
00:07:32,320 –> 00:07:35,520
Fabric’s job is to make work happen: ingest, transform,
226
00:07:35,520 –> 00:07:36,480
model, serve.
227
00:07:36,480 –> 00:07:37,920
It optimizes for throughput.
228
00:07:37,920 –> 00:07:39,480
It optimizes for reduced friction.
229
00:07:39,480 –> 00:07:41,400
It optimizes for just run the pipeline.
230
00:07:41,400 –> 00:07:42,520
Just connect the notebook.
231
00:07:42,520 –> 00:07:43,840
Just share the semantic model.
232
00:07:43,840 –> 00:07:45,280
Just build the report.
233
00:07:45,280 –> 00:07:48,280
That’s execution substrate behavior.
234
00:07:48,280 –> 00:07:49,360
And once you see it this way,
235
00:07:49,360 –> 00:07:52,240
a lot of confusing design choices stop being confusing.
236
00:07:52,240 –> 00:07:54,840
They’re inevitable because the platform has to keep moving.
237
00:07:54,840 –> 00:07:56,640
Now people will push back and say,
238
00:07:56,640 –> 00:07:58,120
“But Fabric has a control plane.
239
00:07:58,120 –> 00:07:59,240
There are tenant settings.
240
00:07:59,240 –> 00:08:00,320
There are workspaces.
241
00:08:00,320 –> 00:08:01,320
There are capacities.
242
00:08:01,320 –> 00:08:02,760
There are roles.”
243
00:08:02,760 –> 00:08:03,680
Sure.
244
00:08:03,680 –> 00:08:06,080
Those exist, but that’s administrative configuration.
245
00:08:06,080 –> 00:08:08,640
That is not an execution time arbiter of intent.
246
00:08:08,640 –> 00:08:12,640
“Control plane” in architectural terms means a centralized authority
247
00:08:12,640 –> 00:08:15,520
that evaluates requests against policy before forwarding.
248
00:08:15,520 –> 00:08:18,320
It means decisions are compiled into enforcement.
249
00:08:18,320 –> 00:08:20,800
It means there is a single place you can point to
250
00:08:20,800 –> 00:08:23,640
and say, “That component prevented the action.”
251
00:08:23,640 –> 00:08:25,720
Fabric’s boundaries don’t behave that way.
252
00:08:25,720 –> 00:08:26,840
Start with workspaces.
253
00:08:26,840 –> 00:08:29,280
Most teams treat a workspace like a security boundary.
254
00:08:29,280 –> 00:08:30,920
They assume it’s a container that governs
255
00:08:30,920 –> 00:08:32,560
what can happen to data inside it.
256
00:08:32,560 –> 00:08:33,080
It isn’t.
257
00:08:33,080 –> 00:08:36,000
A workspace is an organization boundary for items.
258
00:08:36,000 –> 00:08:37,480
It’s a collaboration boundary.
259
00:08:37,480 –> 00:08:41,080
It’s a place where roles apply consistently to a set of artifacts.
260
00:08:41,080 –> 00:08:43,000
That’s useful, but it is not a data boundary.
261
00:08:43,000 –> 00:08:44,800
It does not guarantee containment
262
00:08:44,800 –> 00:08:47,880
because the platform is designed to connect items across workspaces
263
00:08:47,880 –> 00:08:49,160
and across experiences.
264
00:08:49,160 –> 00:08:51,080
And the more unified the platform becomes,
265
00:08:51,080 –> 00:08:54,640
the less “workspace equals containment” holds up as a mental model.
266
00:08:54,640 –> 00:08:55,600
Now look at capacities.
267
00:08:55,600 –> 00:08:58,760
Capacities get treated like governed compute.
268
00:08:58,760 –> 00:09:02,200
People assume that if they segregate by capacity, they segregate risk.
269
00:09:02,200 –> 00:09:04,560
But capacities are a resource allocation boundary.
270
00:09:04,560 –> 00:09:07,720
Performance, cost, throttling, blast radius in the operational sense.
271
00:09:07,720 –> 00:09:08,480
Not governance.
272
00:09:08,480 –> 00:09:09,800
They don’t recompile intent.
273
00:09:09,800 –> 00:09:13,200
They don’t evaluate whether a particular data movement should be allowed.
274
00:09:13,200 –> 00:09:14,720
They just determine where the work runs
275
00:09:14,720 –> 00:09:16,880
and how much of the shared meter it burns.
276
00:09:16,880 –> 00:09:20,000
So what actually happens as Fabric adoption scales is predictable.
277
00:09:20,000 –> 00:09:22,720
Workspaces proliferate because teams want autonomy.
278
00:09:22,720 –> 00:09:26,160
Roles get broadened because delivery pressure beats least privilege.
279
00:09:26,160 –> 00:09:29,520
Artifacts get shared because reuse beats rework.
280
00:09:29,520 –> 00:09:32,600
Shortcuts get created because duplication feels wasteful.
281
00:09:32,600 –> 00:09:34,240
Pipelines get copied because that’s how
282
00:09:34,240 –> 00:09:36,000
humans operate under deadlines.
283
00:09:36,000 –> 00:09:37,560
Each of these is rational locally.
284
00:09:37,560 –> 00:09:39,880
Collectively, they are an entropy engine.
285
00:09:39,880 –> 00:09:41,320
And this is the unification effect.
286
00:09:41,320 –> 00:09:43,680
Reduced friction increases blast radius.
287
00:09:43,680 –> 00:09:45,400
When you make it easy to connect everything,
288
00:09:45,400 –> 00:09:47,720
you also make it easy to propagate mistakes,
289
00:09:47,720 –> 00:09:49,880
oversharing and unintended flows.
290
00:09:49,880 –> 00:09:51,560
The platform doesn’t judge the intent.
291
00:09:51,560 –> 00:09:52,640
It routes the action.
292
00:09:52,640 –> 00:09:54,320
This is why lineage feels so comforting.
293
00:09:54,320 –> 00:09:55,720
It gives you a map of the routes.
294
00:09:55,720 –> 00:09:59,720
But it does not act as the checkpoint that decides whether the route should exist.
295
00:09:59,720 –> 00:10:01,200
So the system law here is simple.
296
00:10:01,200 –> 00:10:04,160
The platform executes faster than humans can govern.
297
00:10:04,160 –> 00:10:06,040
Fabric can produce new data products,
298
00:10:06,040 –> 00:10:07,880
new copies, new downstream derivatives
299
00:10:07,880 –> 00:10:09,680
and new sharing paths continuously.
300
00:10:09,680 –> 00:10:14,560
Meanwhile, governance in most organizations is a meeting, a ticket, a policy PDF,
301
00:10:14,560 –> 00:10:18,040
an annual review, a spreadsheet of approved data sets.
302
00:10:18,040 –> 00:10:20,280
That tempo mismatch is not a maturity problem.
303
00:10:20,280 –> 00:10:21,360
It is a physics problem.
304
00:10:21,360 –> 00:10:24,840
If you want deterministic governance, you need deterministic choke points.
305
00:10:24,840 –> 00:10:28,400
Places where data must pass through a gate before it can leave a boundary,
306
00:10:28,400 –> 00:10:32,160
be exported, be copied, be shared, be materialized somewhere else.
307
00:10:32,160 –> 00:10:36,440
Fabric doesn’t give you that by default because Fabric’s core value is removing choke points.
308
00:10:36,440 –> 00:10:39,760
So the right posture is not “how do we turn Fabric into a firewall?”
309
00:10:39,760 –> 00:10:44,080
The right posture is “where do we place the firewall that Fabric will respect?”
310
00:10:44,080 –> 00:10:46,760
And once you accept that, the next problem becomes unavoidable.
311
00:10:46,760 –> 00:10:50,360
If enforcement is partial, if some parts are gated and others aren’t,
312
00:10:50,360 –> 00:10:54,200
security stops being deterministic and becomes probabilistic.
313
00:10:54,200 –> 00:10:57,280
Deterministic versus probabilistic security.
314
00:10:57,280 –> 00:10:58,560
How entropy wins.
315
00:10:58,560 –> 00:11:01,320
This is where most governance programs quietly die.
316
00:11:01,320 –> 00:11:05,680
Not because the team is incompetent, but because the system drifts from deterministic security
317
00:11:05,680 –> 00:11:08,720
into probabilistic security and nobody admits the shift.
318
00:11:08,720 –> 00:11:11,960
Deterministic security means the outcome is predictable.
319
00:11:11,960 –> 00:11:15,400
If you attempt an action that violates policy, the platform refuses it.
320
00:11:15,400 –> 00:11:18,240
Every time. The rule is stable, the enforcement is stable,
321
00:11:18,240 –> 00:11:21,480
and the exception path is either impossible or painfully explicit.
322
00:11:21,480 –> 00:11:24,280
That’s what auditors think you mean when you say governance.
323
00:11:24,280 –> 00:11:26,320
Probabilistic security is the opposite.
324
00:11:26,320 –> 00:11:28,200
The system doesn’t guarantee prevention.
325
00:11:28,200 –> 00:11:29,000
It tries.
326
00:11:29,000 –> 00:11:29,840
It signals.
327
00:11:29,840 –> 00:11:30,520
It alerts.
328
00:11:30,520 –> 00:11:31,360
It labels.
329
00:11:31,360 –> 00:11:32,360
It logs.
330
00:11:32,360 –> 00:11:35,280
And then, depending on configuration, timing, identity context,
331
00:11:35,280 –> 00:11:39,560
and which pathway was used, the outcome might be blocked, or it might not.
332
00:11:39,560 –> 00:11:42,600
The organization then calls this governance because it feels governed.
333
00:11:42,600 –> 00:11:46,760
But architecturally, it’s just a detection and response posture wearing a compliance costume.
334
00:11:46,760 –> 00:11:49,360
Here’s the key law, and it’s not optional.
335
00:11:49,360 –> 00:11:53,200
Probabilistic systems always drift toward human exception handling.
336
00:11:53,200 –> 00:11:58,160
Because when the system can’t say no, consistently, humans create the real decision path.
337
00:11:58,160 –> 00:12:00,720
The decision becomes, is this acceptable this time?
338
00:12:00,720 –> 00:12:02,760
And once that decision exists, it gets reused.
339
00:12:02,760 –> 00:12:04,240
Then it gets automated informally.
340
00:12:04,240 –> 00:12:05,240
Then it becomes policy.
341
00:12:05,240 –> 00:12:06,680
Then it becomes technical debt.
342
00:12:06,680 –> 00:12:07,840
Then it becomes permanent.
343
00:12:07,840 –> 00:12:09,880
That is entropy.
344
00:12:09,880 –> 00:12:12,680
And the thing most people miss is what creates the entropy.
345
00:12:12,680 –> 00:12:15,320
It’s not only misconfiguration, it’s design omission.
346
00:12:15,320 –> 00:12:17,920
It’s the absence of a universally enforced gate.
347
00:12:17,920 –> 00:12:21,080
Every time a platform offers an allowed path that bypasses policy,
348
00:12:21,080 –> 00:12:23,160
that path becomes a gravitational well.
349
00:12:23,160 –> 00:12:24,440
People fall into it because it works.
350
00:12:24,440 –> 00:12:25,760
They call it pragmatic.
351
00:12:25,760 –> 00:12:27,240
They call it unblocking.
352
00:12:27,240 –> 00:12:28,880
They call it business needs.
353
00:12:28,880 –> 00:12:30,960
In system terms, it’s an entropy generator.
354
00:12:30,960 –> 00:12:34,640
So when you see Fabric environments evolve over time, you don’t see one big failure.
355
00:12:34,640 –> 00:12:36,480
You see a thousand small exceptions.
356
00:12:36,480 –> 00:12:38,800
A contributor role granted temporarily.
357
00:12:38,800 –> 00:12:41,000
A workspace shared just for a month.
358
00:12:41,000 –> 00:12:44,440
A data set published broadly, so the exact report doesn’t break.
359
00:12:44,440 –> 00:12:48,920
A notebook that writes a convenient copy because Direct Lake was slow yesterday.
360
00:12:48,920 –> 00:12:50,960
Each one is defensible in isolation.
361
00:12:50,960 –> 00:12:55,240
Collectively, they convert a deterministic security model into a probabilistic one.
362
00:12:55,240 –> 00:12:58,960
And this is where lineage becomes dangerous, not because it’s wrong, but because it’s comforting.
363
00:12:58,960 –> 00:13:01,960
Lineage makes probabilistic security feel complete.
364
00:13:01,960 –> 00:13:04,000
It produces a graph that implies closure.
365
00:13:04,000 –> 00:13:05,680
The system knows what happened.
366
00:13:05,680 –> 00:13:07,200
The system can show you the path.
367
00:13:07,200 –> 00:13:11,560
The system can prove the flow, but proving the flow is not the same thing as preventing it.
368
00:13:11,560 –> 00:13:14,560
Lineage is often used as psychological debt refinancing.
369
00:13:14,560 –> 00:13:18,640
The organization feels it has reduced risk because it gained visibility.
370
00:13:18,640 –> 00:13:22,200
In reality, it has simply improved its ability to narrate failure.
371
00:13:22,200 –> 00:13:25,200
Now connect this back to the architecture we already established.
372
00:13:25,200 –> 00:13:26,200
Fabric is a router.
373
00:13:26,200 –> 00:13:27,200
It routes execution.
374
00:13:27,200 –> 00:13:31,640
It is designed to move data through notebooks, pipelines, lakehouses, warehouses, semantic
375
00:13:31,640 –> 00:13:32,800
models, reports.
376
00:13:32,800 –> 00:13:35,480
The more unified it becomes, the more routes exist.
377
00:13:35,480 –> 00:13:39,960
And if the governance model depends on selectively gating some routes, but not others, the outcome
378
00:13:39,960 –> 00:13:40,960
is pre-decided.
379
00:13:40,960 –> 00:13:43,200
The system becomes probabilistic.
380
00:13:43,200 –> 00:13:46,280
And in probabilistic systems, people start governing by etiquette.
381
00:13:46,280 –> 00:13:47,280
Don’t do that.
382
00:13:47,280 –> 00:13:48,800
Use the certified model.
383
00:13:48,800 –> 00:13:50,320
Follow the naming standard.
384
00:13:50,320 –> 00:13:51,800
Put it in the right domain.
385
00:13:51,800 –> 00:13:53,040
Those are not controls.
386
00:13:53,040 –> 00:13:54,040
Those are requests.
387
00:13:54,040 –> 00:13:55,600
Those requests do not survive deadlines.
388
00:13:55,600 –> 00:13:58,440
So the question isn’t “does Fabric have security features?”
389
00:13:58,440 –> 00:13:59,560
You know it does.
390
00:13:59,560 –> 00:14:04,240
The question is whether your governance posture is deterministic: deny by default, consistent
391
00:14:04,240 –> 00:14:07,480
enforcement, stable boundaries, and contained blast radius.
392
00:14:07,480 –> 00:14:08,480
Or probabilistic:
393
00:14:08,480 –> 00:14:13,000
allow by default, with scattered controls, lots of metadata, and the hope that someone
394
00:14:13,000 –> 00:14:15,320
reviews the right dashboard fast enough.
395
00:14:15,320 –> 00:14:18,560
And once you’re in probabilistic mode, the incident pattern is inevitable.
396
00:14:18,560 –> 00:14:21,360
The platform allows an action, the action completes.
397
00:14:21,360 –> 00:14:25,480
Then you notice, then you reconstruct, then you promise to tighten controls.
398
00:14:25,480 –> 00:14:28,520
Then you add one more exception because operations cannot stop.
399
00:14:28,520 –> 00:14:30,800
That loop doesn’t end because nobody wants it to.
400
00:14:30,800 –> 00:14:33,720
It ends only when the architecture forces it to end.
401
00:14:33,720 –> 00:14:36,720
So here’s the uncomfortable setup for the rest of this episode.
402
00:14:36,720 –> 00:14:38,720
The next five scenarios aren’t what ifs.
403
00:14:38,720 –> 00:14:43,640
They are the natural output of probabilistic governance in an execution-first platform.
404
00:14:43,640 –> 00:14:45,640
Scenario one starts with the simplest one.
405
00:14:45,640 –> 00:14:49,640
Cross-workspace data exfiltration that the platform will happily execute, and lineage
406
00:14:49,640 –> 00:14:52,280
will dutifully document after the fact.
407
00:14:52,280 –> 00:14:53,280
Scenario one.
408
00:14:53,280 –> 00:14:55,680
Cross-workspace data exfiltration.
409
00:14:55,680 –> 00:14:59,560
This scenario is the cleanest proof because it doesn’t require malice, advanced tooling,
410
00:14:59,560 –> 00:15:01,840
or some exotic zero-day trick.
411
00:15:01,840 –> 00:15:04,360
It requires two normal things Fabric encourages.
412
00:15:04,360 –> 00:15:05,880
Reuse and speed.
413
00:15:05,880 –> 00:15:09,920
Start with a dataset, a lakehouse table, a warehouse table, pick your poison.
414
00:15:09,920 –> 00:15:14,720
It lives in workspace A, owned by team A, with whatever controls team A thinks are good
415
00:15:14,720 –> 00:15:15,720
enough.
416
00:15:15,720 –> 00:15:19,440
Maybe it’s certified, maybe it’s labeled, maybe it has a nice description in a catalog.
417
00:15:19,440 –> 00:15:20,440
None of that matters yet.
418
00:15:20,440 –> 00:15:22,600
Now, team B has a legitimate business need.
419
00:15:22,600 –> 00:15:24,040
They don’t want to rebuild the model.
420
00:15:24,040 –> 00:15:25,600
They don’t want to duplicate pipelines.
421
00:15:25,600 –> 00:15:27,320
They want to consume what already exists.
422
00:15:27,320 –> 00:15:31,560
So the asset gets shared across workspaces, or it gets accessed through whatever sanctioned
423
00:15:31,560 –> 00:15:34,680
cross-workspace pathway exists in your environment.
424
00:15:34,680 –> 00:15:37,400
From a governance point of view, the question is simple.
425
00:15:37,400 –> 00:15:42,520
Can Fabric evaluate destination context before data becomes resident somewhere else?
426
00:15:42,520 –> 00:15:45,560
Because the exfiltration pattern isn’t “someone viewed the data.”
427
00:15:45,560 –> 00:15:48,240
It’s “someone made a new copy under a different boundary.”
428
00:15:48,240 –> 00:15:50,240
And Fabric’s execution model makes that easy.
429
00:15:50,240 –> 00:15:54,760
A downstream notebook runs in workspace B, or a pipeline in workspace B writes to a lakehouse
430
00:15:54,760 –> 00:15:56,000
in workspace B.
431
00:15:56,000 –> 00:15:59,560
The data is read from the shared source, then materialized into a new destination that team
432
00:15:59,560 –> 00:16:00,560
B controls.
433
00:16:00,560 –> 00:16:03,000
At that moment, the governance failure has already occurred.
434
00:16:03,000 –> 00:16:05,200
The data is no longer only where it started.
435
00:16:05,200 –> 00:16:10,720
It now exists in a second place governed by a second set of workspace roles, sharing settings,
436
00:16:10,720 –> 00:16:15,200
export behaviors and human practices, and then lineage lights up like a Christmas tree.
437
00:16:15,200 –> 00:16:17,800
It will show you the upstream asset in workspace A.
438
00:16:17,800 –> 00:16:20,680
It will show you the notebook or pipeline in workspace B.
439
00:16:20,680 –> 00:16:24,600
It will show you the downstream lakehouse or warehouse in workspace B. It will do its job:
440
00:16:24,600 –> 00:16:28,200
traceability. But traceability isn’t containment.
441
00:16:28,200 –> 00:16:31,080
The architectural proof sits entirely in the timing.
442
00:16:31,080 –> 00:16:32,280
The write succeeded.
443
00:16:32,280 –> 00:16:35,520
If lineage were governance, the data would still be where it started.
444
00:16:35,520 –> 00:16:38,480
Instead, what you get is a beautiful diagram of approved damage.
445
00:16:38,480 –> 00:16:41,640
Now people will object here and say, “But that’s just copying data.
446
00:16:41,640 –> 00:16:42,960
We can control who can do that.”
447
00:16:42,960 –> 00:16:44,440
Yes, with RBAC.
448
00:16:44,440 –> 00:16:45,600
But RBAC is not intent.
449
00:16:45,600 –> 00:16:49,880
RBAC answers: is this identity allowed to perform this category of action?
450
00:16:49,880 –> 00:16:54,560
Not: is this action allowed under this policy, with this data, to this destination, right now?
451
00:16:54,560 –> 00:16:58,560
That distinction matters because copy in Fabric is not one unified operation.
452
00:16:58,560 –> 00:17:03,040
It’s many operations across notebooks, pipelines, shortcuts, export surfaces and compute
453
00:17:03,040 –> 00:17:04,040
experiences.
454
00:17:04,040 –> 00:17:07,320
If you gate some of them and miss one, the missing path becomes the path.
455
00:17:07,320 –> 00:17:08,960
That’s probabilistic security.
456
00:17:08,960 –> 00:17:12,720
And it gets worse once you consider how organizations actually run Fabric.
457
00:17:12,720 –> 00:17:16,800
Workspaces represent teams, projects, domains, cost centers and experiments.
458
00:17:16,800 –> 00:17:18,760
They’re not stable security compartments.
459
00:17:18,760 –> 00:17:20,600
They’re organizational convenience.
460
00:17:20,600 –> 00:17:22,560
So the second copy isn’t a rare event.
461
00:17:22,560 –> 00:17:25,640
It is the natural behavior of self-service analytics at scale.
462
00:17:25,640 –> 00:17:27,560
People make local copies for performance.
463
00:17:27,560 –> 00:17:29,680
People make local copies for experimentation.
464
00:17:29,680 –> 00:17:33,960
People make local copies because they don’t want to wait for upstream governance debates.
465
00:17:33,960 –> 00:17:35,520
And the platform helps them do it.
466
00:17:35,520 –> 00:17:38,680
Lineage will faithfully document every one of those flows.
467
00:17:38,680 –> 00:17:40,440
It becomes an exfiltration ledger.
468
00:17:40,440 –> 00:17:42,320
That’s the exact psychological trap.
469
00:17:42,320 –> 00:17:45,920
Leadership sees the ledger and calls it governance because it looks like central visibility.
470
00:17:45,920 –> 00:17:49,360
But governance is the thing that prevents the second copy from being created in the first
471
00:17:49,360 –> 00:17:50,360
place.
472
00:17:50,360 –> 00:17:52,000
Unless the policy explicitly allows it.
473
00:17:52,000 –> 00:17:54,480
So the real test in this scenario is brutally simple.
474
00:17:54,480 –> 00:17:58,080
Where is the deny-before-write gate tied to destination context?
475
00:17:58,080 –> 00:18:02,320
Where is the control that says you can read this dataset but you cannot materialize it into
476
00:18:02,320 –> 00:18:04,520
that workspace or that storage boundary?
477
00:18:04,520 –> 00:18:08,360
If you can’t point to that mechanism as a first-class enforcement step in the execution
478
00:18:08,360 –> 00:18:10,600
path, then this scenario is not a risk.
479
00:18:10,600 –> 00:18:12,680
It is an inevitability.
480
00:18:12,680 –> 00:18:16,920
And once that inevitability exists, every downstream control becomes clean up.
481
00:18:16,920 –> 00:18:21,160
You hunt for copies, you explain copies, you label copies, you try to delete copies.
482
00:18:21,160 –> 00:18:23,480
But you never prevented the moment that mattered.
483
00:18:23,480 –> 00:18:28,120
Now the next scenario makes it even more uncomfortable because in scenario one, the actor at least
484
00:18:28,120 –> 00:18:30,280
needed to run a pipeline or a notebook.
485
00:18:30,280 –> 00:18:34,040
In scenario two, the platform hands them the capability bundle up front.
486
00:18:34,040 –> 00:18:37,760
Scenario two: over-privileged workspace and capacity roles.
487
00:18:37,760 –> 00:18:42,360
Scenario two is where the governance illusion gets embarrassing because nothing clever happens.
488
00:18:42,360 –> 00:18:47,520
No cross-workspace trick, no notebook sorcery, no exotic export path, just roles.
489
00:18:47,520 –> 00:18:50,000
Fabric’s RBAC model is a capability allocator.
490
00:18:50,000 –> 00:18:51,720
It answers: who can do things here?
491
00:18:51,720 –> 00:18:57,600
It does not answer: should this thing happen with this data, right now, to that destination?
492
00:18:57,600 –> 00:19:02,320
So the failure mode is predictable: the organization grants a role to move fast.
493
00:19:02,320 –> 00:19:04,720
And that role becomes the standing exception engine.
494
00:19:04,720 –> 00:19:08,440
And with a workspace under delivery pressure, someone needs to build pipelines, create lakehouses,
495
00:15:08,440 –> 00:15:12,480
publish semantic models, share reports, maybe manage a few connections.
496
00:19:12,480 –> 00:19:14,880
The team doesn’t want to be blocked by admin tickets.
497
00:19:14,880 –> 00:19:16,680
So the solution is always the same.
498
00:19:16,680 –> 00:19:18,440
Give them member or contributor.
499
00:19:18,440 –> 00:19:20,440
Sometimes admin because it’s easier.
500
00:19:20,440 –> 00:19:24,600
Those roles are not small; they are bundles.
501
00:19:24,600 –> 00:19:29,200
They include actions that look operationally convenient but are architecturally dangerous.
502
00:19:29,200 –> 00:19:33,960
Creating new items, configuring and running compute, publishing, sharing, exporting, moving
503
00:19:33,960 –> 00:19:37,840
artifacts, and in some cases changing security-relevant settings.
504
00:19:37,840 –> 00:19:41,640
Now put a person in that role who isn’t malicious; they’re simply trying to get work done.
505
00:19:41,640 –> 00:19:43,680
They copy a pipeline from another workspace.
506
00:19:43,680 –> 00:19:47,480
They create a lakehouse to stage data; they publish a dataset so the business can build
507
00:19:47,480 –> 00:19:48,880
a report by tomorrow.
508
00:19:48,880 –> 00:19:53,680
They share it broadly because the executive group is large and nobody wants to manage it carefully.
509
00:19:53,680 –> 00:19:56,800
Every one of those actions is allowed because the role allows it.
510
00:19:56,800 –> 00:20:01,160
And the moment the action is allowed, governance has already made its only real decision.
511
00:20:01,160 –> 00:20:03,400
It delegated authority to the user.
512
00:20:03,400 –> 00:20:07,080
That is the point most organizations refuse to say out loud: they want governance to be
513
00:20:07,080 –> 00:20:09,040
a centralized property of the platform.
514
00:20:09,040 –> 00:20:12,080
But in practice, in Fabric, governance collapses into role assignment.
515
00:20:12,080 –> 00:20:14,960
So lineage shows up again as the regret ledger.
516
00:20:14,960 –> 00:20:16,640
It records what the contributor did.
517
00:20:16,640 –> 00:20:18,320
It records what got created.
518
00:20:18,320 –> 00:20:19,680
It records what got connected.
519
00:20:19,680 –> 00:20:21,320
It records what got shared.
520
00:20:21,320 –> 00:20:25,640
And it makes leadership feel like the system is under control because the map exists.
521
00:20:25,640 –> 00:20:29,160
But ask the only question that matters: did any dashboard prevent the action?
522
00:20:29,160 –> 00:20:31,920
No, the action completed because RBAC allowed it.
523
00:20:31,920 –> 00:20:33,600
It simply documented the outcome.
524
00:20:33,600 –> 00:20:35,880
Now add capacity roles into the mix.
525
00:20:35,880 –> 00:20:41,080
Capacities are often treated like a governed boundary because they feel platform level.
526
00:20:41,080 –> 00:20:45,080
People assume that if the right admins control the capacity, the estate is governed.
527
00:20:45,080 –> 00:20:47,400
But capacity administration is still administration.
528
00:20:47,400 –> 00:20:49,200
It’s not an execution-time policy engine.
529
00:20:49,200 –> 00:20:53,160
It can’t inspect data context and deny a specific write at the moment of execution.
530
00:20:53,160 –> 00:20:56,320
It can only define who can manage the environment and how resources get allocated.
531
00:20:56,320 –> 00:20:58,280
So over time you get predictable drift.
532
00:20:58,280 –> 00:21:02,480
The capacity admin gets added temporarily to fix a performance issue.
533
00:21:02,480 –> 00:21:07,400
A workspace admin gets added because the original owner left. A service principal gets elevated
534
00:21:07,400 –> 00:21:12,800
so CI/CD can run. A group gets broadened because managing fine-grained access is annoying.
535
00:21:12,800 –> 00:21:16,840
Then nobody removes the access because nobody owns the removal. That is not misconfiguration.
536
00:21:16,840 –> 00:21:18,680
That is organizational thermodynamics.
537
00:21:18,680 –> 00:21:22,600
And the more Fabric is used as the Office for data platform, the more pressure exists to
538
00:21:22,600 –> 00:21:23,600
broaden roles.
539
00:21:23,600 –> 00:21:28,000
Arun Ulag’s framing is explicit: reduce product sprawl, reduce integration burden.
540
00:21:28,000 –> 00:21:31,080
Make it easy for the business to move. That strategy is coherent.
541
00:21:31,080 –> 00:21:35,040
But when easy meets RBAC bundles, least privilege collapses, because bundles are the
542
00:21:35,040 –> 00:21:40,440
opposite of intent. Intent is specific; bundles are generic. Governance needs intent.
543
00:21:40,440 –> 00:21:44,080
Now pause here because this is the moment many listeners will try to rescue the story by saying
544
00:21:44,080 –> 00:21:46,000
Okay, but we can just tighten roles.
545
00:21:46,000 –> 00:21:47,520
We can just do least privilege.
546
00:21:47,520 –> 00:21:50,400
No, you can’t. Not sustainably, not at scale.
547
00:21:50,400 –> 00:21:53,080
In Fabric, least privilege is not a default posture.
548
00:21:53,080 –> 00:21:55,200
It’s an ongoing fight against delivery velocity.
549
00:21:55,200 –> 00:21:59,000
The system will always trend toward broader access because broader access reduces friction,
550
00:21:59,000 –> 00:22:01,800
and Fabric is designed to reward reduced friction.
551
00:22:01,800 –> 00:22:03,680
So scenario two is not a hypothetical.
552
00:22:03,680 –> 00:22:05,040
It’s the default operating model.
553
00:22:05,040 –> 00:22:08,880
You give people the ability to cause impact, then you call the impact governed because you
554
00:22:08,880 –> 00:22:10,200
can see it afterward.
555
00:22:10,200 –> 00:22:11,200
That’s not governance.
556
00:22:11,200 –> 00:22:13,960
That’s permission chaos with high quality telemetry.
557
00:22:13,960 –> 00:22:18,120
And once you accept that RBAC governs capability, not intent, the next illusion becomes
558
00:22:18,120 –> 00:22:23,280
obvious: sensitivity labels and DLP-like signals. Because a label that can’t refuse execution
559
00:22:23,280 –> 00:22:29,680
is just metadata theater. Scenario three: sensitivity labels without execution constraint. Scenario
560
00:22:29,680 –> 00:22:33,520
three is where people confuse classification with control, because Microsoft has trained
561
00:22:33,520 –> 00:22:38,440
them to see labels as enforcement. In Microsoft 365, a sensitivity label can mean something
562
00:22:38,440 –> 00:22:42,680
concrete: encryption, watermarks, restricted sharing, DLP behavior.
563
00:22:42,680 –> 00:22:46,920
It’s reasonable to carry that expectation into Fabric and assume if the data is labeled,
564
00:22:46,920 –> 00:22:50,800
the platform will block the wrong use of it. That assumption fails the same way every
565
00:22:50,800 –> 00:22:53,240
other lineage-based governance assumption fails.
566
00:22:53,240 –> 00:22:58,120
Timing. A sensitivity label is metadata. It describes the data. It does not inherently sit
567
00:22:58,120 –> 00:23:03,400
in the execution path as a deny gate, and a label that can’t refuse execution is documentation,
568
00:23:03,400 –> 00:23:08,800
not control. Start with the clean setup: a table in OneLake-backed storage is labeled confidential
569
00:23:08,800 –> 00:23:13,480
or highly confidential or whatever your taxonomy is. Maybe the label is applied manually.
570
00:23:13,480 –> 00:23:17,120
Maybe it’s applied automatically. Maybe it propagates to downstream items. All of that looks
571
00:23:17,120 –> 00:23:21,120
like governance because it looks like intent got attached to the asset. But intent is not
572
00:23:21,120 –> 00:23:23,120
the same as enforceable behavior.
573
00:23:23,120 –> 00:23:28,160
Now a notebook reads that labeled data. Not a malicious notebook, a normal one. A notebook exists
574
00:23:28,160 –> 00:23:34,480
to transform, enrich, join, aggregate and write. That’s what Fabric notebooks are for: turning
575
00:23:34,480 –> 00:23:39,360
inputs into outputs. The notebook reads the labeled table, performs a transformation and
576
00:23:39,360 –> 00:23:44,320
writes the results somewhere else: a new lakehouse, a new warehouse, a file export, a staging
577
00:23:44,320 –> 00:23:49,200
area for a report, a temporary dataset that becomes permanent. Pick any destination that
578
00:23:49,200 –> 00:23:52,920
is less controlled than the source, or controlled differently. Here is the critical
579
00:23:52,920 –> 00:23:57,520
question governance requires: does the platform evaluate the label in combination with the
580
00:23:57,520 –> 00:24:02,760
destination and refuse the write? Not: does it show the label. Not: does it propagate the label.
581
00:24:02,760 –> 00:24:07,200
Not: does it record that the labeled data flowed into an output. Refuse means the output cannot
582
00:24:07,200 –> 00:24:12,720
be created, and in most real estates nothing in that execution path is guaranteed to say no.
583
00:24:12,720 –> 00:24:16,360
What you get instead is label propagation theater. The label travels, the metadata updates,
584
00:24:16,360 –> 00:24:20,880
and everyone points at the fact that the sensitive content stayed tagged. That is not prevention,
585
00:24:20,880 –> 00:24:24,680
because the risk you’re trying to govern is not whether the output is tagged. The risk is
586
00:24:24,680 –> 00:24:28,560
whether the output exists in a location where the wrong people can access it, or where the
587
00:24:28,560 –> 00:24:33,760
wrong egress paths exist, or where export is easier, or where sharing is broader. A label
588
00:24:33,760 –> 00:24:37,600
can’t change the physics of access boundaries if the access boundary is a workspace role
589
00:24:37,600 –> 00:24:41,200
assignment and a sharing model. And this is where Fabric’s execution-first nature makes
590
00:24:41,200 –> 00:24:44,800
the problem worse. Notebooks and pipelines are designed to make copies. They are copy
591
00:24:44,800 –> 00:24:49,880
engines. If your governance posture depends on labels to prevent copying, you’re relying on
592
00:24:49,880 –> 00:24:54,320
a signal to stop a mechanism that was built to ignore signals unless forced. So what does
593
00:24:54,320 –> 00:24:58,720
lineage show? It shows the labeled input. It shows the notebook. It shows the output. It makes
594
00:24:58,720 –> 00:25:03,720
the flow look responsible because the metadata appears consistent. It even makes the organization
595
00:25:03,720 –> 00:25:08,480
feel mature: look, we have labeling and we can trace it. But nothing stopped the write. This
596
00:25:08,480 –> 00:25:12,600
is why people get blindsided in audits. An auditor doesn’t care that the copied dataset
597
00:25:12,600 –> 00:25:16,920
is labeled confidential if it now exists in a workspace where contributors can export
598
00:25:16,920 –> 00:25:21,960
it to Excel, or share it broadly, or connect downstream systems. They care that the data moved
599
00:25:21,960 –> 00:25:26,800
into a weaker boundary and the platform did not refuse the move. The uncomfortable truth
600
00:25:26,800 –> 00:25:31,400
is that labels are often treated as a substitute for architectural containment. Organizations label
601
00:25:31,400 –> 00:25:35,000
everything and assume that means the platform is governing. But labels are a description
602
00:25:35,000 –> 00:25:39,880
layer. Without an enforcement layer that is both consistent and positioned before execution,
603
00:25:39,880 –> 00:25:43,960
labels become compliance decoration. And just like with RBAC bundles, the exception
604
00:25:43,960 –> 00:25:48,760
pattern shows up immediately. Someone needs the data in another workspace just for analysis.
605
00:25:48,760 –> 00:25:53,000
Someone needs to stage it just for performance. Someone needs a copy just for the board
606
00:25:53,000 –> 00:25:57,880
pack. The label remains, the copy exists, the governance team feels satisfied because the
607
00:25:57,880 –> 00:26:03,000
telemetry looks clean. Meanwhile the risk surface expanded. So when you hear we’re safe because
608
00:26:03,000 –> 00:26:07,880
we label our Fabric assets, translate it into the real statement: we know what we leaked. That’s
609
00:26:07,880 –> 00:26:12,600
not nothing, but it’s not governance. Governance means the platform can say you can’t write
610
00:26:12,600 –> 00:26:17,080
labeled data into that destination, you can’t export it through that path, you can’t share it outside
611
00:26:17,080 –> 00:26:21,640
that boundary. If the label can’t refuse execution, it cannot be your control plane. And once you accept
612
00:26:21,640 –> 00:26:27,080
that, scenario four becomes obvious: adding Purview and adding native lineage doesn’t fix the timing
613
00:26:27,080 –> 00:26:32,440
problem. It just gives you two observers watching the same failure. Scenario four: Purview versus native
614
00:26:32,440 –> 00:26:37,320
Fabric lineage. Scenario four is the one Microsoft quietly benefits from, because it turns a missing
615
00:26:37,320 –> 00:26:42,520
control into a perceived upgrade path. Native lineage is nice, but we’ll connect Purview, as if adding
616
00:26:42,520 –> 00:26:47,240
a second lineage graph upgrades observability into governance. It does not. Purview is better at
617
00:26:47,240 –> 00:26:52,120
a lot of things. Fabric lineage is better at a few things. They overlap, they integrate, they create
618
00:26:52,120 –> 00:26:57,400
a larger, cleaner story. But they are still observers, and two observers do not equal one enforcer.
619
00:26:57,400 –> 00:27:02,200
Start with what each tool really is, not what the marketing wants it to be. Fabric lineage is workspace-centric
620
00:27:02,200 –> 00:27:07,720
dependency mapping. It tells you what items used what other items inside the Fabric execution
621
00:27:07,720 –> 00:27:15,000
surface: notebooks, pipelines, lakehouses, warehouses, semantic models, reports. It’s good for impact analysis.
622
00:27:15,000 –> 00:27:19,800
It’s good for debugging. It’s good for what changed and what will break. Purview is an enterprise metadata
623
00:27:19,800 –> 00:27:25,080
platform. It builds an inventory, it scans, it classifies, it gives you governance domains, data
624
00:27:25,080 –> 00:27:29,960
products, business context, ownership workflows and, critically, visibility across systems that aren’t
625
00:27:29,960 –> 00:27:35,160
Fabric. Purview is a catalog of catalogs; Fabric lineage is a local map. But both share the same
626
00:27:35,160 –> 00:27:40,200
structural limitation: they operate after the fact. Look at the execution order again. A pipeline runs,
627
00:27:40,200 –> 00:27:44,680
a notebook writes, a dataset gets published, a downstream artifact is created. Then telemetry gets
628
00:27:44,680 –> 00:27:50,040
emitted, then the lineage graph updates, then Purview scans ingest metadata and present it in a
629
00:27:50,040 –> 00:27:55,640
unified catalog. That order matters, because anything that requires scanning, ingestion, mapping and
630
00:27:55,640 –> 00:27:59,880
visualization is not sitting in line with the write operation. It is not a gate. So in this scenario
631
00:27:59,880 –> 00:28:04,200
the organization does what it always does: it takes a weakness and wraps it in a dashboard. They
632
00:28:04,200 –> 00:28:08,920
connect Fabric to Purview, they enable the admin APIs, they run scans, they create collections, they
633
00:28:08,920 –> 00:28:13,720
build governance domains, they assign owners. They see their assets, they see their lineage, they see
634
00:28:13,720 –> 00:28:18,120
their classifications. And then the data still moves, because none of that changed the execution pathway.
635
00:28:18,120 –> 00:28:22,440
Purview can tell you that sensitive data exists in a lakehouse. It can tell you that it flowed
636
00:28:22,440 –> 00:28:26,360
through a notebook. It can show you that a report depends on it. It can even show you the approval
637
00:28:26,360 –> 00:28:30,920
workflow for requesting access to a data product. But if someone already has the ability to run the
638
00:28:30,920 –> 00:28:35,720
notebook and write the output, Purview did not prevent anything. It simply improved the quality of
639
00:28:35,720 –> 00:28:40,360
the narrative. This is why the “Purview will fix governance” belief is so persistent. Purview feels
640
00:28:40,360 –> 00:28:44,920
like governance because it uses governance language: domains, policies, data products, access requests,
641
00:28:44,920 –> 00:28:49,080
stewardship, quality scores. It gives you formal structures. It gives you process. It looks like
642
00:28:49,080 –> 00:28:54,120
authority. But process is not authority unless the process is bound to an enforcement point. Otherwise
643
00:28:54,120 –> 00:28:59,080
it’s a request, and requests do not survive deadlines. Here’s the counterintuitive part: Purview
644
00:28:59,080 –> 00:29:04,040
integration can actually increase false confidence, because now you have two layers of visibility. When
645
00:29:04,040 –> 00:29:08,120
something goes wrong you can open Fabric lineage and explain the local flow. Then you can open
646
00:29:08,120 –> 00:29:12,520
Purview and explain the broader flow. You can show labels, you can show classifications, you can show
647
00:29:12,520 –> 00:29:17,800
who owns what. And because the story’s richer, leadership feels the system is more governed. Meanwhile
648
00:29:17,800 –> 00:29:22,600
the actual gating decision still lives where it always lived: in role assignment and in whatever
649
00:29:22,600 –> 00:29:28,200
egress controls exist outside Fabric. So the real test for scenario four isn’t can Purview show
650
00:29:28,200 –> 00:29:34,280
me the lineage? Of course it can. The test is: can Purview refuse the notebook write, right now, before
651
00:29:34,280 –> 00:29:39,320
the output exists, because the destination violates policy? If the answer is no, Purview is not your
652
00:29:39,320 –> 00:29:43,800
enforcement layer. It is your observability layer, a valuable one, but not the one you needed. This
653
00:29:43,800 –> 00:29:49,320
scenario ends with the same uncomfortable line every scenario ends with: visibility is not authority.
654
00:29:49,320 –> 00:29:54,920
Purview plus Fabric lineage equals better visibility. It does not equal governance. And once you accept
655
00:29:54,920 –> 00:30:00,200
that, you can finally see why the illusion exists at all. Microsoft sells unification as safety, and
656
00:30:00,200 –> 00:30:06,200
that is the next problem. The Office for data story creates control plane illusions. Microsoft didn’t
657
00:30:06,200 –> 00:30:11,560
accidentally create this confusion. The platform story trains people to expect governance because it
658
00:30:11,560 –> 00:30:17,480
borrows the most emotionally persuasive analogy in enterprise software: Office. Arun Ulag says it
659
00:30:17,480 –> 00:30:23,640
plainly in interviews: customers were drowning in complexity, too many products, too much integration
660
00:30:23,640 –> 00:30:29,400
burden, and the goal was to do for data what Office did for productivity. One suite, one surface, one
661
00:30:29,400 –> 00:30:34,360
lake, one place to work. And for adoption, that’s brilliant. But Office never promised control. It promised
662
00:30:34,360 –> 00:30:40,440
convenience. The illusion happens when organizations translate unified experience into unified authority.
663
00:30:40,440 –> 00:30:45,000
They assume that because everything is in one place, the platform must also be the place where
664
00:30:45,000 –> 00:30:49,880
policy is enforced. They assume the unification layer is the control plane. It isn’t. Office is not a
665
00:30:49,880 –> 00:30:54,280
firewall. It’s a productivity surface. People can still paste secrets into a document. They can
666
00:30:54,280 –> 00:30:58,680
still forward an attachment. They can still save something to the wrong place. Microsoft added Purview,
667
00:30:58,680 –> 00:31:03,240
DLP, labels and retention over time because the base product was about creating and sharing, not
668
00:31:03,240 –> 00:31:08,120
enforcing intent. Fabric is following the same pattern. It is a productivity surface for data. And when
669
00:31:08,120 –> 00:31:13,080
you hear “OneLake is OneDrive for data,” you should translate it into the real architectural implication:
670
00:31:13,080 –> 00:31:18,120
this is a shared substrate optimized for movement. Movement is the point. Friction is the enemy. That
671
00:31:18,120 –> 00:31:23,240
is why it sells. Now add the slogan that gets repeated in governance discussions: discipline at the
672
00:31:23,240 –> 00:31:29,000
core, flexibility at the edge. It sounds responsible. It sounds like a mature federated model. It is also
673
00:31:29,000 –> 00:31:34,120
a perfect description of how entropy gets invited in, because flexibility at the edge is where execution
674
00:31:34,120 –> 00:31:39,080
happens. Edge teams create notebooks, pipelines and data products under deadline. They copy artifacts,
675
00:31:39,080 –> 00:31:44,120
they share shortcuts, they publish models, they materialize outputs. And if the platform does not
676
00:31:44,120 –> 00:31:49,160
have a hard enforcement point that forces discipline into those actions, discipline at the core becomes
677
00:31:49,160 –> 00:31:54,120
a documentation exercise. Central teams write standards, edge teams route around them, everyone calls
678
00:31:54,120 –> 00:31:57,960
it balance. This is the uncomfortable truth: federated governance without enforcement is just
679
00:31:57,960 –> 00:32:03,080
distributed exception handling. And Microsoft’s incentive structure reinforces it. The platform
680
00:32:03,080 –> 00:32:08,440
succeeds when it reduces friction and increases usage. It succeeds when teams can onboard quickly, build
681
00:32:08,440 –> 00:32:13,400
quickly and iterate without waiting for a central council to approve every move. So the product pushes
682
00:32:13,400 –> 00:32:18,120
power outward: more capabilities in workspaces, more self-service creation, more integration between
683
00:32:18,120 –> 00:32:23,240
experiences, and more pathways to get data from here to there. That is not a bug. That is the
684
00:32:23,240 –> 00:32:27,880
business model, which means the platform will always bias toward enabling actions first and
685
00:32:27,880 –> 00:32:32,760
documenting them second. Control shows up later as overlays: labeling, cataloging, scanning, dashboards
686
00:32:32,760 –> 00:32:39,240
and governance hubs. Useful overlays, but overlays. The psychological trap is predictable: unification
687
00:32:39,240 –> 00:32:44,760
produces visibility, visibility feels like control. Leaders see domains, catalogs, endorsements, labels
688
00:32:44,760 –> 00:32:49,000
and lineage graphs and assume the platform is governing because it looks orderly. Orderliness is
689
00:32:49,000 –> 00:32:54,200
not authority. And the more the platform integrates, the stronger the illusion gets. When Fabric integrates
690
00:32:54,200 –> 00:32:58,920
with Purview, and Purview integrates with the Microsoft 365 compliance stack, and governance
691
00:32:58,920 –> 00:33:04,040
language becomes ubiquitous, people stop asking the only question that matters: where is the deny?
692
00:33:04,040 –> 00:33:08,440
They start asking softer questions: do we have a dashboard, do we have ownership, do we have labels,
693
00:33:08,440 –> 00:33:13,240
do we have lineage? Those are observability questions. They are not enforcement questions. So the Office
694
00:33:13,240 –> 00:33:18,040
for data story creates a specific kind of organizational failure. It convinces executives that buying
695
00:33:18,040 –> 00:33:23,080
unification bought control. It convinces architects that a single platform implies a single policy
696
00:33:23,080 –> 00:33:28,440
plane. It convinces governance teams that adding more metadata will eventually become enforcement.
697
00:33:28,440 –> 00:33:34,200
And then reality shows up on a timeline. Not a diagram, a timeline. An incident happens: a breach,
698
00:33:34,200 –> 00:33:39,400
an overshare, a regulatory exposure, a “how did this data get here” moment. And the organization learns
699
00:33:39,400 –> 00:33:44,360
in the most expensive way possible that the platform can explain what happened. It cannot reverse it.
700
00:33:44,360 –> 00:33:49,320
That’s the next scenario, because nothing closes the gap between observability and governance like
701
00:33:49,320 –> 00:33:55,480
incident response. Scenario five: incident response timeline. Incident response is where the lineage lie
702
00:33:55,480 –> 00:34:00,600
stops being philosophical and becomes a calendar, because governance is measured in timing, not in
703
00:34:00,600 –> 00:34:05,880
diagrams. Here’s the standard timeline every regulated organization eventually lives through. Something
704
00:34:05,880 –> 00:34:11,400
happens. Data shows up somewhere it shouldn’t. A report gets shared too broadly. A dataset gets exported.
705
00:34:11,400 –> 00:34:15,720
A lakehouse copy appears in the wrong workspace. Sometimes it’s malicious. Most of the time it’s
706
00:34:15,720 –> 00:34:21,320
just normal work moving faster than policy. That’s moment one: impact. Then comes moment two: detection.
707
00:34:21,320 –> 00:34:25,960
Maybe it’s a DLP alert. Maybe it’s an insider risk signal. Maybe it’s a user saying why can I see
708
00:34:25,960 –> 00:34:30,520
this maybe it’s an auditor asking for evidence you can’t produce the important part is that
709
00:34:30,520 –> 00:34:36,120
detection is downstream of impact then comes moment three the scramble for narrative this is when
710
00:34:36,120 –> 00:34:41,800
everyone opens the same set of tools activity logs audit logs lineage graphs catalog entries workspace
711
00:34:41,800 –> 00:34:47,160
permissions people start reconstructing and yes lineage is useful here it tells you which items used
712
00:34:47,160 –> 00:34:51,960
which sources it gives you a dependency chain it helps you answer how did the data travel but notice
713
00:34:51,960 –> 00:34:56,440
what just happened lineage entered the story after the outcome existed which means lineage is
714
00:34:56,440 –> 00:35:02,120
participating in forensics not prevention now moment four containment this is where the organization
715
00:35:02,120 –> 00:35:06,840
tries to stop further damage they remove access they lock down sharing they revoke tokens they
716
00:35:06,840 –> 00:35:11,960
disable exports they rotate secrets they update a policy they create a new security group they
717
00:35:11,960 –> 00:35:16,360
rename a workspace they move an artifact they tell everyone to stop using the old thing and use the
718
00:35:16,360 –> 00:35:21,480
new thing containment is messy because fabric is unified the same convenience that accelerates
719
00:35:21,480 –> 00:35:26,440
delivery also accelerates blast radius if a data set has been reused widely you now have to unwind
720
00:35:26,440 –> 00:35:31,560
reuse if a pipeline has been copied you now have multiple copies if a notebook wrote a derivative
721
00:35:31,560 –> 00:35:35,880
you now have derivative assets with their own downstream consumers you’re no longer fixing one
722
00:35:35,880 –> 00:35:40,760
thing you’re negotiating with a dependency graph that grew without you then moment five reconstruction
723
00:35:40,760 –> 00:35:45,240
this is the part auditors love and engineers hate you build an incident report you export logs you
724
00:35:45,240 –> 00:35:50,040
annotate lineage screenshots you write the story what happened when who did it what systems were
725
00:35:50,040 –> 00:35:56,040
involved what data was exposed what controls existed what controls failed what remediation you applied
726
00:35:56,040 –> 00:36:00,520
that report feels like governance because it produces artifacts it produces process output it
727
00:36:00,520 –> 00:36:05,320
produces a sense of closure but closure is not control it’s documentation of failure now here’s
728
00:36:05,320 –> 00:36:11,640
the part most organizations don’t say out loud the timeline proves what layer you actually govern with
729
00:36:11,640 –> 00:36:15,880
if the first time you can govern the event is after the right completed you didn’t govern it you
730
00:36:15,880 –> 00:36:20,200
observed it if the first time you can apply policy is after the export happened you didn’t prevent
731
00:36:20,200 –> 00:36:24,920
anything if the first time you can classify the asset is after it already moved the classification
732
00:36:24,920 –> 00:36:30,120
is just metadata about a new problem you now have governance that arrives after impact is not
733
00:36:30,120 –> 00:36:35,000
governance it is incident response an incident response is necessary but it is not an acceptable
734
00:36:35,000 –> 00:36:39,480
substitute for a policy enforcement point when your risk model requires prevention so when someone
735
00:36:39,480 –> 00:36:44,280
claims "Fabric lineage gives us governance," the incident response timeline is the clean rebuttal.
736
00:36:44,280 –> 00:36:49,720
Ask them, in order: when did the system refuse the action? Not when did it show it now. Not when did it
737
00:36:49,720 –> 00:36:55,000
alert. Not when did we notice. When did it deny? Because if the answer is "we saw it in lineage," you’ve
738
00:36:55,000 –> 00:36:59,800
already lost. Lineage is what you open when the outcome exists. You are now doing forensics. You are
739
00:36:59,800 –> 00:37:04,280
now explaining damage that was permitted by design. This is why the platform feels safe right up
740
00:37:04,280 –> 00:37:09,000
until it doesn’t. Everything looks controlled until an event forces the only question that matters:
741
00:37:09,000 –> 00:37:13,800
what prevented this? And if the honest answer is "nothing prevented it, but we can explain it," then you
742
00:37:13,800 –> 00:37:18,600
don’t have governance. You have observability plus meetings plus hope. So stop blaming lineage for
743
00:37:18,600 –> 00:37:23,000
not being a gate. That’s not its job. The actual failure is blaming the wrong layer for the right
744
00:37:23,000 –> 00:37:28,040
problem. And that takes us to the responsibility map: who answers who, who answers what happened, who
745
00:37:28,040 –> 00:37:33,400
answers can it run, and who is supposed to answer should it run, here, now, with this data. The
746
00:37:33,400 –> 00:37:38,440
responsibility map: stop misassigning blame. Most governance failures happen because the wrong
747
00:37:38,440 –> 00:37:43,320
layer is blamed for the right failure. People blame Fabric for not governing. They blame Purview
748
00:37:43,320 –> 00:37:49,320
for not enforcing. They blame Entra for not being granular. Then they add more policies, more dashboards,
749
00:37:49,320 –> 00:37:54,040
more committees, and they wonder why nothing gets safer. The system did exactly what you asked it to do.
750
00:37:54,040 –> 00:37:59,080
You just asked the wrong layer. So here’s the responsibility map, stated the way systems actually behave,
751
00:37:59,080 –> 00:38:04,440
not the way product pages describe them. Start with Microsoft Entra, and Entra answers: who are you,
752
00:38:04,440 –> 00:38:10,360
and, at a coarse level, are you allowed into the surface area? Authentication, token issuance, conditional
753
00:38:10,360 –> 00:38:14,680
access conditions, group membership, role assignments that decide whether the user can even reach the
754
00:38:14,680 –> 00:38:19,960
workload. Entra is identity. It is not a data control plane. It does not understand the semantics of
755
00:38:19,960 –> 00:38:24,600
"this table is sensitive and cannot be written into that workspace," because Entra doesn’t see
756
00:38:24,600 –> 00:38:29,720
tables and workspaces as policy objects in the way your auditors imagine. Entra enforces identity
757
00:38:29,720 –> 00:38:34,840
posture. It doesn’t compile data intent into execution-time denies. So when governance teams keep
758
00:38:34,840 –> 00:38:40,040
saying "we’ll fix Fabric governance in Entra," what they mean is "we’ll restrict who can get in." That
759
00:38:40,040 –> 00:38:45,160
helps. It will not solve intent. Then there’s Microsoft Fabric. Fabric answers: can this run? It’s an
760
00:38:45,160 –> 00:38:49,240
execution substrate, a distributed decision engine for running workloads, but not a centralized
761
00:38:49,240 –> 00:38:54,120
policy arbiter for evaluating whether an outcome should exist. It will happily run a notebook, run
762
00:38:54,120 –> 00:39:00,120
a pipeline, materialize an output, publish a model, generate a report. Fabric’s core job is to execute
763
00:39:00,120 –> 00:39:04,360
within the permissions already granted. So when you say "Fabric should have blocked that," you are
764
00:39:04,360 –> 00:39:09,960
trying to retrofit should into a layer designed to answer can. Fabric does not do morals; it does mechanics.
765
00:39:10,280 –> 00:39:15,640
Then there’s Microsoft Purview. Purview answers: what happened, and what is this data? It catalogs, it
766
00:39:15,640 –> 00:39:20,760
classifies, it builds lineage across systems, it supports audits and investigations. It can make data
767
00:39:20,760 –> 00:39:25,720
discoverable with ownership, domains and workflows, which is valuable, because most organizations have
768
00:39:25,720 –> 00:39:30,440
no idea what they own until something goes wrong. But Purview is still not your inline gate. Purview
769
00:39:30,440 –> 00:39:35,240
excels at describing reality. It does not sit inside every execution path and refuse every
770
00:39:35,240 –> 00:39:39,880
prohibited action before the state change commits. If you treat Purview as an enforcement layer,
771
00:39:39,880 –> 00:39:44,920
you will build a program that looks governed and behaves permissively. And this is where people get
772
00:39:44,920 –> 00:39:50,760
confused, because Microsoft uses governance language for visibility products: domains, data products,
773
00:39:50,760 –> 00:39:56,600
quality scores, risk assessments. All useful. Still not an execution-time deny. So what’s missing?
774
00:39:56,600 –> 00:40:02,200
A layer that answers the only question governance actually requires: should this run, here, now, with
775
00:40:02,200 –> 00:40:06,680
this data, to that destination, under these conditions? That’s the policy decision point and its
776
00:40:06,680 –> 00:40:11,320
sibling, the policy enforcement point. Call it a data control plane if you want, but the definition is
777
00:40:11,320 –> 00:40:16,360
the same: centralized intent compiled into deterministic enforcement, placed before execution, not
778
00:40:16,360 –> 00:40:22,040
after. If that layer doesn’t exist, governance becomes a cultural program instead of a system behavior,
779
00:40:22,040 –> 00:40:27,160
and cultural programs degrade under pressure. Now, to be clear, this missing layer doesn’t have to be
780
00:40:27,160 –> 00:40:33,080
a single Microsoft product. It rarely is. In most enterprises it’s a combination of architecture choices:
781
00:40:33,080 –> 00:40:39,320
constrained egress, restricted destinations, pre-approved pathways and explicit deny conditions.
782
00:40:39,320 –> 00:40:45,400
It is design that makes the unsafe path impossible, not a policy that asks people politely. So
783
00:40:45,400 –> 00:40:53,000
the responsibility map is brutal but liberating. Entra: who. Fabric: can it run. Purview: what happened.
784
00:40:53,000 –> 00:40:58,200
Missing layer: should it run. Once you assign responsibility correctly, you stop trying to squeeze
785
00:40:58,200 –> 00:41:03,960
governance out of lineage. You stop asking observability tools to behave like enforcement tools, and you
786
00:41:03,960 –> 00:41:09,400
stop assuming that unified means governed. Then the rest becomes mechanical. You can test any governance
787
00:41:09,400 –> 00:41:14,440
feature by asking where it lives in this map. If it’s identity, it won’t govern data intent. If it’s
788
00:41:14,440 –> 00:41:19,160
metadata, it won’t prevent execution. If it’s execution, it will not judge outcomes. That distinction
789
00:41:19,160 –> 00:41:23,960
matters, because once you stop misassigning blame you can finally define governance in a way that
790
00:41:23,960 –> 00:41:29,480
survives reality. The four-question governance litmus test. So if the responsibility map is correct,
791
00:41:29,480 –> 00:41:34,360
the next move is to stop arguing about features and start testing architecture. Most governance
792
00:41:34,360 –> 00:41:39,800
conversations stay vague on purpose. Vague language protects bad assumptions. "We have controls,
793
00:41:39,800 –> 00:41:45,800
we have visibility, we have Purview, we have policies." None of those statements mean anything until
794
00:41:45,800 –> 00:41:51,880
you can answer one question: can the system stop the outcome? To make this practical, use a litmus test:
795
00:41:51,880 –> 00:41:56,840
four questions. If you can’t answer yes to all four for a given control, then it’s not governance. It
796
00:41:56,840 –> 00:42:01,720
might be useful, it might be necessary, but it’s not governance. Question one: can the system say no?
797
00:42:01,720 –> 00:42:07,800
Not can it warn, not can it alert, not can it log, not can it show me a report. Can it refuse the action?
798
00:42:07,800 –> 00:42:12,120
If a user can still copy the data, export it, materialize it or share it, and the system’s
799
00:42:12,120 –> 00:42:16,280
contribution is that it documented the action, then the system did not say no. It said "good luck"
800
00:42:16,280 –> 00:42:21,240
and then wrote a receipt. Question two: can it say no before execution? This is where most tools die.
801
00:42:21,240 –> 00:42:25,960
Before execution means the denial occurs prior to state change: before the notebook write commits,
802
00:42:25,960 –> 00:42:30,840
before the pipeline output exists, before the shortcut resolves into accessible data, before the
803
00:42:30,840 –> 00:42:35,640
export lands in someone’s downloads folder. If the deny happens after execution, it’s incident
804
00:42:35,640 –> 00:42:41,400
response. Maybe automated incident response. Still incident response. Governance that arrives after
805
00:42:41,400 –> 00:42:47,960
impact is paperwork. Useful paperwork. Not governance. Question three: can it enforce centrally?
806
00:42:47,960 –> 00:42:53,080
Centrally doesn’t mean there’s a portal. Centrally means there is one place where intent is expressed
807
00:42:53,080 –> 00:42:58,920
and consistently enforced across the estate: across workspaces, across domains, across teams, across
808
00:42:58,920 –> 00:43:04,440
workloads. If the enforcement depends on every workspace admin remembering to configure the same
809
00:43:04,440 –> 00:43:09,720
settings, you don’t have a control plane. You have distributed hope, and hope as a governance strategy
810
00:43:09,720 –> 00:43:15,720
has a short half-life. Question four: can it fail safely? A governed system fails closed: deny by default,
811
00:43:15,720 –> 00:43:21,000
contained blast radius. The safe failure mode is "nothing happened," not "something happened and we’ll
812
00:43:21,000 –> 00:43:25,960
clean it up." If a system fails open because a dependency is down, a scan didn’t run, a label didn’t
813
00:43:25,960 –> 00:43:30,280
propagate, an exception got added, then you’re operating a probabilistic security model. You’re betting
814
00:43:30,280 –> 00:43:34,600
your compliance posture on uptime, timing and human discipline. That is not a bet you get to make
815
00:43:34,600 –> 00:43:38,840
forever. Now take those four questions and apply them to the things people commonly call Fabric
816
00:43:38,840 –> 00:43:44,440
governance. Lineage: can it say no? No. Can it say no before execution? No. Can it enforce centrally?
817
00:43:44,440 –> 00:43:49,000
It can centralize visibility, not enforcement. Can it fail safely? It fails as incomplete telemetry, not
818
00:43:49,000 –> 00:43:54,360
as a deny gate. That’s not governance. Tags and endorsements: can they say no? No. They’re metadata
819
00:43:54,360 –> 00:44:00,520
and trust signals. Useful, not enforcement. Purview catalogs and scans: can they say no? They can
820
00:44:00,520 –> 00:44:05,800
drive workflows and classifications, but unless a policy is enforced inline, scans do not stop writes,
821
00:44:05,800 –> 00:44:10,760
and scans by definition occur after something exists to be scanned. Even many security features people
822
00:44:10,760 –> 00:44:15,640
assume are governance collapse under this test, because they only apply to specific egress paths,
823
00:44:15,640 –> 00:44:20,680
specific workloads or specific user experiences. Selective enforcement is still not deterministic
824
00:44:20,680 –> 00:44:25,960
governance. Now keep this distinction clean. This litmus test is not saying Fabric is insecure. It is
825
00:44:25,960 –> 00:44:30,440
saying something more uncomfortable: Fabric is an execution platform. Execution platforms do not
826
00:44:30,440 –> 00:44:35,240
govern by default; they execute by default. So if your governance requirement is prevention, you
827
00:44:35,240 –> 00:44:40,360
must place prevention where prevention can exist: at the point of decision and enforcement, before
828
00:44:40,360 –> 00:44:45,720
execution, consistently, and with safe failure modes. Say the four questions slowly, because you will
829
00:44:45,720 –> 00:44:52,040
reuse them in meetings: can the system say no? Can it say no before execution? Can it enforce centrally?
830
00:44:52,040 –> 00:44:57,960
Can it fail safely? And now say them faster, because this is how you spot the lie in real time: no, before,
831
00:44:57,960 –> 00:45:02,520
central, safe. If any one of those is missing, you don’t have governance. You have observability plus
832
00:45:02,520 –> 00:45:06,760
process. The next step is turning this into a decision tree, because architects don’t need more
833
00:45:06,760 –> 00:45:11,640
principles. They need a routing rule: when to treat something as prevention and when to treat it as
834
00:45:11,640 –> 00:45:18,440
telemetry. The decision tree: prevention versus observability. Now take the litmus test and weaponize it,
835
00:45:18,440 –> 00:45:23,160
not as philosophy, as a routing decision, because in real enterprises you don’t get to implement
836
00:45:23,160 –> 00:45:27,720
governance. You choose where you’re going to spend constraint and where you’re going to accept
837
00:45:27,720 –> 00:45:32,760
drift. So here’s the decision tree. First branch: do you need prevention or do you need observability?
838
00:45:32,760 –> 00:45:37,880
That sounds obvious, but most organizations never answer it explicitly. They just buy tools, enable
839
00:45:37,880 –> 00:45:43,080
features and assume it all adds up to governed. It doesn’t. If you need prevention, the rule is simple:
840
00:45:43,080 –> 00:45:47,560
you must design for enforcement before execution. That means you don’t start with lineage. You start
841
00:45:47,560 –> 00:45:53,400
with choke points. You identify the actions that create irreversible risk: data leaving a boundary,
842
00:45:53,400 –> 00:45:59,800
new copies being created, exports, external sharing, downstream materialization into less trusted zones.
843
00:45:59,800 –> 00:46:04,360
Then you force those actions through a limited number of pathways. You reduce the number of ways a
844
00:46:04,360 –> 00:46:09,000
human can accomplish the same outcome, because in a distributed execution platform multiple pathways
845
00:46:09,000 –> 00:46:13,560
is the enemy. Every extra pathway is an extra policy surface, and every policy surface becomes
846
00:46:13,560 –> 00:46:19,000
inconsistent over time. So prevention mode looks like this: you don’t ask "can we track it?" You ask "where
847
00:46:19,000 –> 00:46:24,680
can we deny it?" Pre-execution gates, controlled egress, explicit destinations, a model that fails closed,
848
00:46:24,680 –> 00:46:29,320
a model where the unsafe outcome is impossible without deliberately breaking glass. And in
849
00:46:29,320 –> 00:46:34,040
Fabric terms this usually means you stop treating the workspace as your containment boundary.
850
00:46:34,040 –> 00:46:39,240
You treat it as collaboration. The actual containment lives outside it: in network egress controls,
851
00:46:39,240 –> 00:46:44,680
in storage boundaries, in pre-approved publishing paths, in external policy engines, in whatever mechanism
852
00:46:44,680 –> 00:46:49,480
your architecture can force Fabric to respect. Second branch: if you need observability, then stop
853
00:46:49,480 –> 00:46:54,120
pretending you’re building gates. Build sensors. This is where lineage is excellent, audit logs are
854
00:46:54,120 –> 00:46:59,880
excellent, Purview is excellent: monitoring hubs, activity logs, inventory, classification, ownership,
855
00:46:59,880 –> 00:47:05,480
workflows. This is the real world where observability wins. Observability mode looks like this: you accept
856
00:47:05,480 –> 00:47:09,880
that the platform will execute, therefore you maximize your ability to understand, troubleshoot
857
00:47:09,880 –> 00:47:15,000
and explain. You optimize for impact analysis, not containment. You treat lineage as a dependency
858
00:47:15,000 –> 00:47:19,880
graph, not a safety boundary, and you use that visibility to reduce mean time to detection, reduce
859
00:47:19,880 –> 00:47:25,400
mean time to response, and improve your ability to answer regulators with evidence. That’s valuable.
860
00:47:25,400 –> 00:47:30,120
It’s just not prevention. Now the third branch is the one nobody admits: the mixed mode. Most
861
00:47:30,120 –> 00:47:35,480
organizations end up here. They have a few prevention controls in a few places and observability
862
00:47:35,480 –> 00:47:40,440
everywhere else. This is the default because it feels balanced, but mixed mode is where probabilistic
863
00:47:40,440 –> 00:47:45,400
security is born, because the moment you have some paths that are blocked and some paths that are just logged,
864
00:47:45,400 –> 00:47:50,600
people route around the blocked paths. Not maliciously, operationally. They pick the path that works.
865
00:47:50,600 –> 00:47:55,320
So if you’re in mixed mode you have exactly one job: make sure the ungated paths do not exist
866
00:47:55,320 –> 00:47:59,480
for high-impact outcomes. If you can’t do that, then stop calling the system governed. Call it
867
00:47:59,480 –> 00:48:04,760
monitored, and design incident response like you mean it. Now apply the decision tree to the artifacts
868
00:48:04,760 –> 00:48:10,440
people love to cite. Lineage: observability, always treated as forensic telemetry. Purview catalog:
869
00:48:10,440 –> 00:48:16,200
observability and process, useful for discovery, ownership and audit trails, still not your inline gate.
870
00:48:16,200 –> 00:48:21,240
RBAC: access control. It constrains who can act. It does not constrain whether the act is acceptable
871
00:48:21,240 –> 00:48:26,440
for the data and destination. So the decision tree becomes a practical meeting tool. When someone says
872
00:48:26,440 –> 00:48:31,560
"we’ll use lineage for governance," you respond with one question: are we trying to prevent an outcome
873
00:48:31,560 –> 00:48:36,440
or are we trying to explain it? If they say prevent, you ask: where is the deny-before-execution gate?
874
00:48:36,440 –> 00:48:40,440
If they can’t answer, the conversation ends, not because you’re being difficult but because the
875
00:48:40,440 –> 00:48:45,480
architecture already decided. And if they say explain, then fine: turn on lineage, integrate Purview,
876
00:48:45,480 –> 00:48:50,120
improve the catalog, instrument everything, build the best forensic story you can. Just don’t confuse
877
00:48:50,120 –> 00:48:54,280
that with authority. Now here’s the part that actually changes behavior. Repeat the routing rule
878
00:48:54,280 –> 00:48:59,240
in one line: prevention lives above Fabric, observability lives after Fabric, and if you confuse the two you
879
00:48:59,240 –> 00:49:04,680
don’t get better governance, you get audit failure with better diagrams. Which is why the next section
880
00:49:04,680 –> 00:49:10,120
matters: a governance model that doesn’t depend on hope and doesn’t require a product shopping spree.
881
00:49:10,120 –> 00:49:16,120
30 to 60 day governance model that doesn’t depend on hope. Now the obvious question: what does an
882
00:49:16,120 –> 00:49:21,480
actual governance posture look like if Fabric lineage is telemetry, not authority? It looks like
883
00:49:21,480 –> 00:49:27,160
governance subtraction, not addition. Most teams try to govern by piling on artifacts: more tags, more
884
00:49:27,160 –> 00:49:31,720
domains, more documentation, more meetings. That increases the narrative quality. It does not reduce the
885
00:49:31,720 –> 00:49:37,560
number of ways data can escape. So the 30 to 60 day model starts with one ruthless move: remove pathways,
886
00:49:37,560 –> 00:49:43,080
not educate people to behave, and remove the ability to bypass intent. Week one and two: define explicit
887
00:49:43,080 –> 00:49:47,720
deny conditions. This is not a policy document. This is a set of outcomes that are architecturally
888
00:49:47,720 –> 00:49:53,880
unacceptable: sensitive data materialized outside approved workspaces, data exported to unmanaged
889
00:49:53,880 –> 00:50:00,600
endpoints, data shared externally, high-risk assets copied into personal or exploratory zones,
890
00:50:00,600 –> 00:50:05,960
workloads running with identities that cannot be traced to accountable owners. Write them as deny
891
00:50:05,960 –> 00:50:11,720
statements, because that forces clarity: "this must not happen." Week three and four: externalize enforcement.
892
00:50:11,720 –> 00:50:17,560
If you need a deny-before-execution gate, put it where a deny can exist: in the paths that create new
893
00:50:17,560 –> 00:50:22,680
state. In practice that means you pick controlled egress points and make them boring: publishing pipelines
894
00:50:22,680 –> 00:50:27,720
that are the only allowed route into curated zones, approved destinations that are the only allowed
895
00:50:27,720 –> 00:50:33,080
place sensitive outputs can land, network constraints that make "just write it somewhere else" fail. This is
896
00:50:33,080 –> 00:50:38,200
the part people hate, because it reduces freedom. Good governance is the deliberate reduction of freedom
897
00:50:38,200 –> 00:50:43,160
for high-impact actions. Week five and six: reduce Fabric privileges. Stop treating Contributor
898
00:50:43,160 –> 00:50:48,760
and Member as default developer roles. They’re capability bundles. Bundles create entropy. So you shrink
899
00:50:48,760 –> 00:50:54,120
who can create new items, who can publish widely, who can share, who can export, who can manage connections.
900
00:50:54,120 –> 00:50:58,840
You do it with groups, not people, because people move and groups are the only scalable unit of intent.
901
00:50:58,840 –> 00:51:03,880
And when someone says "we need admin just for this one thing," you treat that as a break-glass event
902
00:51:03,880 –> 00:51:09,480
with an owner, a time limit and an audit trail, not because you love bureaucracy but because temporary
903
00:51:09,480 –> 00:51:14,680
admin is the most common permanent condition in Microsoft estates. Week seven and eight: formalize
904
00:51:14,680 –> 00:51:19,880
lineage as audit-only telemetry. This is a psychological change, not a technical one. You stop using lineage
905
00:51:19,880 –> 00:51:24,760
to argue that you’re governed. You use lineage to answer three things: what depends on what, what changed,
906
00:51:24,760 –> 00:51:29,080
and what happened. You align lineage with incident response and operational troubleshooting, not
907
00:51:29,080 –> 00:51:34,440
prevention. That keeps the tool honest and keeps your governance posture from turning into theater. Now
908
00:51:34,440 –> 00:51:38,840
notice what I didn’t say. I didn’t say go buy more governance products. I didn’t say turn on every
909
00:51:38,840 –> 00:51:43,240
feature. I didn’t say build a bigger catalog. Because the core issue wasn’t a missing dashboard, it was
910
00:51:43,240 –> 00:51:47,640
a missing enforcement layer and too many allowed paths around intent. When you subtract pathways and
911
00:51:47,640 –> 00:51:52,920
you constrain high-impact actions into narrow, enforceable routes, the platform becomes calmer, the blast
912
00:51:52,920 –> 00:51:58,120
radius shrinks, the number of exceptions drops, and the system starts behaving deterministically again.
913
00:51:58,120 –> 00:52:02,280
Then lineage becomes what it should have been all along: a forensic graph that helps you operate, not
914
00:52:02,280 –> 00:52:07,480
a comfort blanket that helps you pretend. And once you do that, the final reframe lands cleanly: Fabric
915
00:52:07,480 –> 00:52:12,520
didn’t fail at governance. Your assumption did. Fabric lineage explains what happened. Governance
916
00:52:12,520 –> 00:52:17,480
prevents what’s allowed to happen. Confusing them turns your data estate into conditional chaos.
917
00:52:17,480 –> 00:52:21,960
If you want the next step, the next episode designs an actual data control plane and explains why
918
00:52:21,960 –> 00:52:27,720
Microsoft doesn’t ship one by default. Subscribe, and send this to the person who keeps calling dashboards controls.