
1
00:00:00,000 –> 00:00:02,640
Most organizations will soon give their agent a face and a voice.
2
00:00:02,640 –> 00:00:03,440
It feels natural.
3
00:00:03,440 –> 00:00:04,680
It signals confidence.
4
00:00:04,680 –> 00:00:06,560
It also hides what the system actually is.
5
00:00:06,560 –> 00:00:10,680
It’s a distributed probabilistic decision engine wired to your most sensitive tools.
6
00:00:10,680 –> 00:00:12,840
This is not a tutorial on building agents.
7
00:00:12,840 –> 00:00:15,560
It’s an autopsy of why they fail quietly.
8
00:00:15,560 –> 00:00:16,840
I’m not anti-voice.
9
00:00:16,840 –> 00:00:20,000
I’m anti unverifiable execution and false trust signaling.
10
00:00:20,000 –> 00:00:22,080
We’re going to map claim to failure pattern,
11
00:00:22,080 –> 00:00:25,080
to architectural cause, to consequence, to mitigation.
12
00:00:25,080 –> 00:00:25,880
The lens is simple.
13
00:00:25,880 –> 00:00:27,880
Control plane versus experience plane.
14
00:00:27,880 –> 00:00:30,080
Audit versus provenance versus a policy gate.
15
00:00:30,080 –> 00:00:31,680
The difference is survival.
16
00:00:31,680 –> 00:00:34,520
What Microsoft gets right and why it’s still insufficient.
17
00:00:34,520 –> 00:00:36,880
Let’s start with the strongest counter argument you’ll hear.
18
00:00:36,880 –> 00:00:38,440
We already have governance.
19
00:00:38,440 –> 00:00:41,400
And to be fair, Microsoft has moved real pieces into place.
20
00:00:41,400 –> 00:00:43,440
Purview captures Copilot conversation transcripts,
21
00:00:43,440 –> 00:00:45,000
Copilot Studio logs activities.
22
00:00:45,000 –> 00:00:46,600
You can see who asked, what was said,
23
00:00:46,600 –> 00:00:49,800
which sources were touched and under which identity. That matters.
24
00:00:49,800 –> 00:00:50,880
It gives you forensics.
25
00:00:50,880 –> 00:00:51,960
It gives you timelines.
26
00:00:51,960 –> 00:00:54,600
It turns vague suspicion into a record you can query.
27
00:00:54,600 –> 00:00:55,760
Entra goes further.
28
00:00:55,760 –> 00:00:57,600
The agent ID model acknowledges the obvious.
29
00:00:57,600 –> 00:00:59,160
Agents are non-human identities.
30
00:00:59,160 –> 00:01:02,600
Conditional access can evaluate signals and decide
31
00:01:02,600 –> 00:01:04,960
whether that identity should get a token right now
32
00:01:04,960 –> 00:01:08,000
under this risk posture from this device and location.
33
00:01:08,000 –> 00:01:11,600
The model treats agents as first class citizens in a zero trust world.
34
00:01:11,600 –> 00:01:14,000
Continuous evaluation, short-lived credentials,
35
00:01:14,000 –> 00:01:15,200
signal-driven gates.
36
00:01:15,200 –> 00:01:16,280
That is the right direction.
37
00:01:16,280 –> 00:01:18,000
But here is the uncomfortable truth.
38
00:01:18,000 –> 00:01:20,600
Those capabilities are necessary and they remain insufficient
39
00:01:20,600 –> 00:01:22,520
for the class of failures agents create.
40
00:01:22,520 –> 00:01:23,040
Why?
41
00:01:23,040 –> 00:01:25,680
Because they are pointed at two different times in the life cycle.
42
00:01:25,680 –> 00:01:27,800
Conditional access is a token time decision.
43
00:01:27,800 –> 00:01:29,600
Purview is a post-incident narrative.
44
00:01:29,600 –> 00:01:32,880
Most harm happens at authorization time during tool execution
45
00:01:32,880 –> 00:01:36,320
when a specific action is about to occur with real blast radius.
46
00:01:36,320 –> 00:01:38,000
The transcript explains the damage.
47
00:01:38,000 –> 00:01:39,040
It does not prevent it.
48
00:01:39,040 –> 00:01:41,000
The token issuance constrained who could act.
49
00:01:41,000 –> 00:01:44,640
It did not constrain what the agent actually did with that token.
50
00:01:44,640 –> 00:01:46,840
Walk the timeline as it exists today.
51
00:01:46,840 –> 00:01:48,480
An agent authenticates.
52
00:01:48,480 –> 00:01:51,520
Conditional access evaluates device, risk and context.
53
00:01:51,520 –> 00:01:52,280
Green light.
54
00:01:52,280 –> 00:01:54,800
A transcript records the prompt and the response.
55
00:01:54,800 –> 00:01:57,800
Citations record which knowledge sources the agent retrieved.
56
00:01:57,800 –> 00:01:58,600
So far so good.
57
00:01:58,600 –> 00:02:00,120
Now the agent chooses a tool.
58
00:02:00,120 –> 00:02:02,680
Does a deterministic policy gate evaluate that tool call
59
00:02:02,680 –> 00:02:05,680
against intent, scope, data class and venue?
60
00:02:05,680 –> 00:02:06,560
Usually not.
61
00:02:06,560 –> 00:02:07,720
The action executes.
62
00:02:07,720 –> 00:02:09,040
Purview logs the result.
63
00:02:09,040 –> 00:02:10,920
The story you will tell later is complete.
64
00:02:10,920 –> 00:02:13,240
The policy you needed earlier never fired.
65
00:02:13,240 –> 00:02:15,240
Every control fired just at the wrong time.
66
00:02:15,240 –> 00:02:17,560
Microsoft’s own framing makes this gap visible
67
00:02:17,560 –> 00:02:19,120
if you read it architecturally.
68
00:02:19,120 –> 00:02:20,400
Activities are the surface.
69
00:02:20,400 –> 00:02:21,680
Turn context is the envelope.
70
00:02:21,680 –> 00:02:22,680
They are not state.
71
00:02:22,680 –> 00:02:24,640
Event-driven systems deliver out-of-order,
72
00:02:24,640 –> 00:02:26,920
duplicated, delayed, and retried messages.
73
00:02:26,920 –> 00:02:28,400
That’s reality, not negligence.
74
00:02:28,400 –> 00:02:30,200
The SDK abstracts the pathway.
75
00:02:30,200 –> 00:02:32,440
It does not convert a probabilistic orchestration
76
00:02:32,440 –> 00:02:34,360
into a deterministic security model.
77
00:02:34,360 –> 00:02:36,800
If you don’t add idempotency keys,
78
00:02:36,800 –> 00:02:39,560
an authoritative state store and a deterministic workflow
79
00:02:39,560 –> 00:02:43,080
around tool calls, you inherit conditional chaos by design.
80
00:02:43,080 –> 00:02:44,320
Now apply that to identity.
81
00:02:44,320 –> 00:02:46,800
Entra’s agent ID blocks egregious tenant-wide scopes
82
00:02:46,800 –> 00:02:47,680
and high privilege roles.
83
00:02:47,680 –> 00:02:48,440
Good.
84
00:02:48,440 –> 00:02:51,560
But the dominant failure is not a missing global admin role.
85
00:02:51,560 –> 00:02:53,720
It’s an overbroad, convenience-driven set
86
00:02:53,720 –> 00:02:55,640
of delegated permissions on a single agent
87
00:02:55,640 –> 00:02:57,760
that can write fast in the wrong place.
88
00:02:57,760 –> 00:02:59,240
Least privilege is not a slogan.
89
00:02:59,240 –> 00:03:00,080
It’s math.
90
00:03:00,080 –> 00:03:03,320
Write scopes plus ambiguous prompts plus machine-speed execution
91
00:03:03,320 –> 00:03:04,640
equals large blast radius.
92
00:03:04,640 –> 00:03:06,480
Conditional access cannot shrink that radius
93
00:03:06,480 –> 00:03:07,880
once the token exists.
94
00:03:07,880 –> 00:03:09,960
Only per-tool-call policy evaluation can.
95
00:03:09,960 –> 00:03:11,400
What about grounding and connectors?
96
00:03:11,400 –> 00:03:13,760
Microsoft would say we reduce hallucinations.
97
00:03:13,760 –> 00:03:14,560
And they do.
98
00:03:14,560 –> 00:03:15,680
Groundedness helps with answers.
99
00:03:15,680 –> 00:03:17,160
It does not govern actions.
100
00:03:17,160 –> 00:03:19,200
The risky part is not the wrong sentence.
101
00:03:19,200 –> 00:03:22,280
It’s the wrong delete, the wrong post, the wrong share,
102
00:03:22,280 –> 00:03:24,040
executed with valid credentials.
103
00:03:24,040 –> 00:03:25,680
Retrieval grounded on entitlements
104
00:03:25,680 –> 00:03:28,400
and still speaking in the wrong context is a policy failure,
105
00:03:28,400 –> 00:03:29,560
not a search failure.
106
00:03:29,560 –> 00:03:31,360
Speech made it socially acceptable.
107
00:03:31,360 –> 00:03:33,760
Logs made it legible. Neither made it safe.
108
00:03:33,760 –> 00:03:36,160
Cost and operations reinforce the same asymmetry.
109
00:03:36,160 –> 00:03:40,200
Azure speech pricing for avatars and voices is transparent.
110
00:03:40,200 –> 00:03:42,120
Regions are documented, you can opt out.
111
00:03:42,120 –> 00:03:43,640
But the architecture still encourages
112
00:03:43,640 –> 00:03:45,480
spend in the experience plane.
113
00:03:45,480 –> 00:03:47,360
Millions of streaming seconds per month
114
00:03:47,360 –> 00:03:50,160
to animate certainty the system didn’t earn.
115
00:03:50,160 –> 00:03:52,440
That spend adds zero deterministic control.
116
00:03:52,440 –> 00:03:53,840
At the same time the control plane
117
00:03:53,840 –> 00:03:56,280
where policy must live remains underfunded.
118
00:03:56,280 –> 00:03:58,560
If you want to prove seriousness, redirect budget
119
00:03:58,560 –> 00:03:59,920
from rendering to gating.
120
00:03:59,920 –> 00:04:02,240
So give Microsoft credit for what they got right.
121
00:04:02,240 –> 00:04:04,480
Better forensics, stronger identity models,
122
00:04:04,480 –> 00:04:06,120
real surfaces for events,
123
00:04:06,120 –> 00:04:08,720
and a maturing view of non-human identities.
124
00:04:08,720 –> 00:04:10,080
But be precise about the boundary.
125
00:04:10,080 –> 00:04:11,160
Audit is not provenance.
126
00:04:11,160 –> 00:04:12,640
Provenance is not a policy gate.
127
00:04:12,640 –> 00:04:15,040
You need all three in order at the right time.
128
00:04:15,040 –> 00:04:17,000
Token issuance controls who can show up,
129
00:04:17,000 –> 00:04:19,440
retrieval and transcript capture what was discussed.
130
00:04:19,440 –> 00:04:21,400
A policy gate per tool call decides whether
131
00:04:21,400 –> 00:04:22,760
the next action should be allowed
132
00:04:22,760 –> 00:04:25,160
given intent, scope, data class and venue.
133
00:04:25,160 –> 00:04:26,880
Without that gate, your best-case outcome
134
00:04:26,880 –> 00:04:28,520
is a beautiful post-incident report.
135
00:04:28,520 –> 00:04:30,840
Your worst case is an eloquent outage.
136
00:04:30,840 –> 00:04:32,720
Case study one: misscoped tool call
137
00:04:32,720 –> 00:04:33,960
deletes the wrong site.
138
00:04:33,960 –> 00:04:35,680
Here’s the failure that never looks dramatic
139
00:04:35,680 –> 00:04:38,320
in real time because every control appears green.
140
00:04:38,320 –> 00:04:40,680
An enterprise rolls out a productivity agent
141
00:04:40,680 –> 00:04:44,160
with SharePoint and Microsoft Graph write scopes.
142
00:04:44,160 –> 00:04:45,480
The brief is banal.
143
00:04:45,480 –> 00:04:47,560
Help clean up obsolete project folders.
144
00:04:47,560 –> 00:04:49,560
The agent is grounded on SharePoint sites
145
00:04:49,560 –> 00:04:51,080
and project metadata.
146
00:04:51,080 –> 00:04:53,320
And it runs under a dedicated agent ID.
147
00:04:53,320 –> 00:04:55,920
Conditional access evaluates device posture and risk,
148
00:04:55,920 –> 00:04:58,520
issues a token, and the transcript begins capturing
149
00:04:58,520 –> 00:04:59,160
the dialogue.
150
00:04:59,160 –> 00:05:00,920
So far everything aligns with policy.
151
00:05:00,920 –> 00:05:03,760
A user asks, can you remove old project spaces
152
00:05:03,760 –> 00:05:04,680
from last year?
153
00:05:04,680 –> 00:05:08,120
The active list is in the project’s archive tracker.
154
00:05:08,120 –> 00:05:10,320
The agent retrieves documents, parses titles,
155
00:05:10,320 –> 00:05:11,920
matches string patterns and dates,
156
00:05:11,920 –> 00:05:13,360
then prepares a list of candidates.
157
00:05:13,360 –> 00:05:15,840
The logic is probabilistic and context sensitive.
158
00:05:15,840 –> 00:05:18,560
A naming convention here, a last modified date there,
159
00:05:18,560 –> 00:05:20,680
some weak signals from an Outlook thread.
160
00:05:20,680 –> 00:05:22,280
It decides one site qualifies.
161
00:05:22,280 –> 00:05:24,000
It calls the Graph API to delete it.
162
00:05:24,000 –> 00:05:25,000
What actually happened?
163
00:05:25,000 –> 00:05:26,120
The site wasn’t obsolete.
164
00:05:26,120 –> 00:05:28,200
It had been renamed during a live handover.
165
00:05:28,200 –> 00:05:30,840
Its metadata was a week behind and a human had copied
166
00:05:30,840 –> 00:05:32,720
an old acronym into the tracker.
167
00:05:32,720 –> 00:05:35,720
The agent’s retrieval stack produced a plausible shortlist.
168
00:05:35,720 –> 00:05:37,840
The tool call workflow translated that plausibility
169
00:05:37,840 –> 00:05:40,360
into a destructive authenticated action.
170
00:05:40,360 –> 00:05:42,480
No malicious actor, no broken credential,
171
00:05:42,480 –> 00:05:44,880
no prompt injection, a perfectly normal week.
172
00:05:44,880 –> 00:05:45,800
Now look at the logs.
173
00:05:45,800 –> 00:05:48,000
Purview will show an authenticated agent identity
174
00:05:48,000 –> 00:05:49,680
initiating a site delete.
175
00:05:49,680 –> 00:05:51,440
The transcript will show the user’s request
176
00:05:51,440 –> 00:05:54,520
and the agent’s intent to clean up obsolete project folders.
177
00:05:54,520 –> 00:05:56,640
You’ll see which knowledge sources were retrieved.
178
00:05:56,640 –> 00:05:59,200
You’ll see the time and the IP and the user mapping.
179
00:05:59,200 –> 00:06:01,960
You will not see the missing pieces that matter operationally.
180
00:06:01,960 –> 00:06:02,760
Why that site?
181
00:06:02,760 –> 00:06:05,320
Which specific retrieved chunks influenced the scoring?
182
00:06:05,320 –> 00:06:07,960
Which candidate sites were considered and rejected?
183
00:06:07,960 –> 00:06:10,160
Was any policy ever evaluated that asked,
184
00:06:10,160 –> 00:06:13,800
is this site eligible to be deleted under today’s constraints?
185
00:06:13,800 –> 00:06:14,800
In other words,
186
00:06:14,800 –> 00:06:16,800
was there a gate between the agent proposes
187
00:06:16,800 –> 00:06:18,120
and the platform disposes?
188
00:06:18,120 –> 00:06:20,000
In most real deployments, the answer is no.
189
00:06:20,000 –> 00:06:21,880
The action pathway is event driven.
190
00:06:21,880 –> 00:06:24,200
An activity arrives, turn context wraps it,
191
00:06:24,200 –> 00:06:26,400
tools are invoked, retries may occur,
192
00:06:26,400 –> 00:06:28,320
and identity is an afterthought.
193
00:06:28,320 –> 00:06:31,080
If messages arrive out of order, if dedup fails,
194
00:06:31,080 –> 00:06:33,480
if a delete is retried on a transient error,
195
00:06:33,480 –> 00:06:35,720
the side effects are permanent because the workflow treats
196
00:06:35,720 –> 00:06:37,720
events as reliable state transitions.
197
00:06:37,720 –> 00:06:40,600
The envelope is standardized, the semantics are not.
198
00:06:40,600 –> 00:06:42,440
Architecturally, this is where entropy enters.
199
00:06:42,440 –> 00:06:44,960
A probabilistic selection created a candidate set.
200
00:06:44,960 –> 00:06:46,480
A convenience driven permission model
201
00:06:46,480 –> 00:06:48,480
made delete available in the same identity
202
00:06:48,480 –> 00:06:50,000
that fetches metadata.
203
00:06:50,000 –> 00:06:52,880
A missing policy gate let a destructive call execute
204
00:06:52,880 –> 00:06:55,160
because all earlier controls had already fired.
205
00:06:55,160 –> 00:06:57,880
Conditional access had reduced who could hold the token.
206
00:06:57,880 –> 00:07:00,000
It never adjudicated whether this specific delete
207
00:07:00,000 –> 00:07:03,440
should proceed given the site’s venue, data class, or intent.
208
00:07:03,440 –> 00:07:05,440
The post-incident review writes itself.
209
00:07:05,440 –> 00:07:08,080
The agent misinterpreted the user’s request.
210
00:07:08,080 –> 00:07:09,520
We’ll improve the prompt.
211
00:07:09,520 –> 00:07:10,960
We’ll add a second confirmation step.
212
00:07:10,960 –> 00:07:13,080
These are experience-plane patches.
213
00:07:13,080 –> 00:07:14,560
They do not change the control plane.
214
00:07:14,560 –> 00:07:16,200
The agent still holds write scopes.
215
00:07:16,200 –> 00:07:18,040
The tool still accepts imperative calls.
216
00:07:18,040 –> 00:07:21,280
The workflow still treats a request as a command, not a proposal.
217
00:07:21,280 –> 00:07:23,680
There’s a deterministic alternative.
218
00:07:23,680 –> 00:07:25,800
First, idempotency.
219
00:07:25,800 –> 00:07:28,280
Every destructive request carries a unique operation ID
220
00:07:28,280 –> 00:07:30,560
persisted in an authoritative state store.
221
00:07:30,560 –> 00:07:32,560
If the same event replays, the system rejects it
222
00:07:32,560 –> 00:07:33,880
with no side effect.
223
00:07:33,880 –> 00:07:35,560
Second, an allow list.
224
00:07:35,560 –> 00:07:39,400
The eligible deletion set is computed by policy, not inference.
225
00:07:39,400 –> 00:07:41,720
Only sites tagged retired equals true,
226
00:07:41,720 –> 00:07:44,280
dormant 90 days, and owner approved
227
00:07:44,280 –> 00:07:46,880
equals true in the authoritative catalog may be deleted.
228
00:07:46,880 –> 00:07:48,520
Third, a policy engine.
229
00:07:48,520 –> 00:07:50,720
Before any tool executes, a decision
230
00:07:50,720 –> 00:07:55,000
is evaluated against intent, scope, data class, and venue.
231
00:07:55,000 –> 00:07:57,000
And the outcome is persisted with the action.
232
00:07:57,000 –> 00:08:00,320
If the policy denies, the tool never sees the request.
233
00:08:00,320 –> 00:08:02,800
Add one more boundary, segmented identities.
234
00:08:02,800 –> 00:08:05,280
Read-only discovery runs under a read principal.
235
00:08:05,280 –> 00:08:07,080
Recommendations are written into a queue.
236
00:08:07,080 –> 00:08:09,440
Deletion runs under a separate high-friction write
237
00:08:09,440 –> 00:08:12,360
principal with a tightly scoped app permission.
238
00:08:12,360 –> 00:08:15,360
A failure in one domain cannot instruct the other to act.
239
00:08:15,360 –> 00:08:16,440
The agent proposes.
240
00:08:16,440 –> 00:08:18,040
The control plane disposes.
241
00:08:18,040 –> 00:08:19,800
Re-run the incident with those guardrails.
242
00:08:19,800 –> 00:08:21,320
The agent compiles candidates.
243
00:08:21,320 –> 00:08:23,920
The policy engine evaluates each against the authoritative
244
00:08:23,920 –> 00:08:24,720
catalog.
245
00:08:24,720 –> 00:08:27,880
The renamed active site fails the eligibility rule.
246
00:08:27,880 –> 00:08:30,080
The delete request never reaches the Graph API.
247
00:08:30,080 –> 00:08:31,720
The transcript still tells a story.
248
00:08:31,720 –> 00:08:32,840
The logs still show work.
249
00:08:32,840 –> 00:08:34,040
The outage never happens.
250
00:08:34,040 –> 00:08:36,000
That’s the distinction that matters.
251
00:08:36,000 –> 00:08:37,520
Audit explains harm.
252
00:08:37,520 –> 00:08:39,640
A gate prevents it.
253
00:08:39,640 –> 00:08:42,560
Case study two: correct credentials, policy violation.
254
00:08:42,560 –> 00:08:44,680
Now the failure that makes governance uncomfortable
255
00:08:44,680 –> 00:08:47,080
because everything looks compliant on paper.
256
00:08:47,080 –> 00:08:49,600
An HR-grounded agent sits in a Teams meeting.
257
00:08:49,600 –> 00:08:53,080
It’s been instructed on policy documents, HR FAQs,
258
00:08:53,080 –> 00:08:55,320
and a curated set of compensation guides.
259
00:08:55,320 –> 00:08:58,400
It runs under an agent ID with delegated read access
260
00:08:58,400 –> 00:09:01,480
to the HR knowledge space and to the SharePoint library
261
00:09:01,480 –> 00:09:04,080
where the compensation team publishes quarterly bands.
262
00:09:04,080 –> 00:09:07,000
Conditional access evaluates signals and issues a token.
263
00:09:07,000 –> 00:09:09,200
Purview is set to capture conversation transcripts
264
00:09:09,200 –> 00:09:10,360
and citations.
265
00:09:10,360 –> 00:09:13,680
The setup is familiar and, on an audit checklist, green.
266
00:09:13,680 –> 00:09:16,720
A director asks, what are the employee trends this quarter?
267
00:09:16,720 –> 00:09:17,680
It sounds harmless.
268
00:09:17,680 –> 00:09:19,960
The agent retrieves semi-sensitive compensation
269
00:09:19,960 –> 00:09:22,080
materials, nothing classified as secret,
270
00:09:22,080 –> 00:09:24,080
but not meant for broad broadcast,
271
00:09:24,080 –> 00:09:26,240
and a couple of anonymized dashboards.
272
00:09:26,240 –> 00:09:27,280
Grounding works.
273
00:09:27,280 –> 00:09:30,280
The agent cites the right documents, parses the right tables,
274
00:09:30,280 –> 00:09:32,040
and composes a verbal response.
275
00:09:32,040 –> 00:09:35,200
Then it answers out loud to the entire meeting.
276
00:09:35,200 –> 00:09:39,640
Compensation for level six in region A grew 7.4%.
277
00:09:39,640 –> 00:09:42,600
Internal mobility for level five to level six was 3.1%.
278
00:09:42,600 –> 00:09:45,840
The gender delta in level four engineering is 5.8%.
279
00:09:45,840 –> 00:09:47,040
The numbers are illustrative.
280
00:09:47,040 –> 00:09:48,800
The problem is not factual error.
281
00:09:48,800 –> 00:09:50,520
It’s venue and aggregation risk.
282
00:09:50,520 –> 00:09:52,320
The agent just verbalized a sensitive slice
283
00:09:52,320 –> 00:09:54,480
of compensation analytics to an audience
284
00:09:54,480 –> 00:09:56,840
that includes vendors and a partner organization,
285
00:09:56,840 –> 00:09:59,880
no role-level breach, no PII, no exfiltration,
286
00:09:59,880 –> 00:10:01,360
a policy violation anyway.
287
00:10:01,360 –> 00:10:02,640
Walk the telemetry.
288
00:10:02,640 –> 00:10:05,200
Purview will show an authenticated agent identity,
289
00:10:05,200 –> 00:10:06,720
a transcript of the question and answer,
290
00:10:06,720 –> 00:10:09,080
citations to the HR library, and a correct user
291
00:10:09,080 –> 00:10:10,680
to resource mapping.
292
00:10:10,680 –> 00:10:12,080
Entra will show token issuance
293
00:10:12,080 –> 00:10:14,000
under acceptable risk conditions.
294
00:10:14,000 –> 00:10:15,600
From a compliance perspective,
295
00:10:15,600 –> 00:10:18,120
allowed data accessed by an entitled identity
296
00:10:18,120 –> 00:10:19,400
and disclosed in a meeting.
297
00:10:19,400 –> 00:10:21,000
From a governance perspective,
298
00:10:21,000 –> 00:10:24,200
unacceptable aggregation surfaced in an inappropriate venue.
299
00:10:24,200 –> 00:10:25,560
What’s missing is not logging.
300
00:10:25,560 –> 00:10:27,280
What’s missing is intent evaluation
301
00:10:27,280 –> 00:10:29,480
and venue sensitivity at the moment of action.
302
00:10:29,480 –> 00:10:31,200
Nothing in the current path asked:
303
00:10:31,200 –> 00:10:33,480
Is it permissible to verbalize this aggregation
304
00:10:33,480 –> 00:10:35,360
in this context to this audience?
305
00:10:35,360 –> 00:10:36,800
Grounding reduced hallucination.
306
00:10:36,800 –> 00:10:38,520
It did not constrain speech.
307
00:10:38,520 –> 00:10:40,960
The system was compliant and still violated policy.
308
00:10:40,960 –> 00:10:43,880
This is where audit, provenance, policy gate gets real.
309
00:10:43,880 –> 00:10:45,160
Audit gave you a story.
310
00:10:45,160 –> 00:10:47,240
Who, what, when, from where?
311
00:10:47,240 –> 00:10:50,360
Provenance, if you had it, would add the decision chain,
312
00:10:50,360 –> 00:10:53,080
which chunks were retrieved, which alternatives were considered,
313
00:10:53,080 –> 00:10:55,160
which reasoning tokens weighed venue.
314
00:10:55,160 –> 00:10:57,080
The policy gate would have made the decision
315
00:10:57,080 –> 00:10:58,960
deny disclosure at this granularity
316
00:10:58,960 –> 00:11:00,200
in a mixed audience meeting
317
00:11:00,200 –> 00:11:01,680
or force a safe summary.
318
00:11:01,680 –> 00:11:05,320
Architecturally, the fix is not to hide more data or to ban voice.
319
00:11:05,320 –> 00:11:08,360
It’s to move the decision to the right time and the right plane.
320
00:11:08,360 –> 00:11:10,440
Before the agent speaks, treat the utterance
321
00:11:10,440 –> 00:11:12,520
as a tool call with attributes.
322
00:11:12,520 –> 00:11:17,200
Data class equals compensation, aggregation equals cohort,
323
00:11:17,200 –> 00:11:22,640
audience equals mixed, venue equals external participants present.
324
00:11:22,640 –> 00:11:25,760
A policy engine evaluates those attributes against rules.
325
00:11:25,760 –> 00:11:27,960
Compensation cohorts may not be disclosed verbally
326
00:11:27,960 –> 00:11:29,680
in sessions with non-employees,
327
00:11:29,680 –> 00:11:33,400
convert to high-level deltas with no subgroup references.
328
00:11:33,400 –> 00:11:36,600
If the rule fires deny, the speech tool never receives the payload.
329
00:11:36,600 –> 00:11:40,760
If the rule fires transform, the agent speaks a sanitized summary.
330
00:11:40,760 –> 00:11:43,520
High-level compensation remained within target ranges.
331
00:11:43,520 –> 00:11:46,840
Detailed breakdown is available to HR-only audiences.
332
00:11:46,840 –> 00:11:48,280
Two more boundaries make this stable.
333
00:11:48,280 –> 00:11:50,640
First, classify outputs, not just inputs.
334
00:11:50,640 –> 00:11:53,320
Tag the generated content with a sensitivity label
335
00:11:53,320 –> 00:11:55,360
derived from the sources and the aggregation.
336
00:11:55,360 –> 00:11:58,640
That label flows into the speech path and UI surfaces.
337
00:11:58,640 –> 00:12:01,160
Second, segment identities by venue.
338
00:12:01,160 –> 00:12:03,640
The meeting assistant runs under a read-only, speech-restricted
339
00:12:03,640 –> 00:12:04,640
principal.
340
00:12:04,640 –> 00:12:07,600
Deep-dive HR analysis runs under a separate identity
341
00:12:07,600 –> 00:12:09,160
gated to HR-only channels.
342
00:12:09,160 –> 00:12:11,560
A request in the wrong venue cannot silently escalate
343
00:12:11,560 –> 00:12:12,840
across identities.
344
00:12:12,840 –> 00:12:14,760
Replay the incident with those controls.
345
00:12:14,760 –> 00:12:16,960
The agent composes a detailed response.
346
00:12:16,960 –> 00:12:19,440
The policy engine evaluates venue and aggregation.
347
00:12:19,440 –> 00:12:22,000
The deny rule blocks verbalization and prompts:
348
00:12:22,000 –> 00:12:24,040
I can share a high-level summary now.
349
00:12:24,040 –> 00:12:27,160
Detailed compensation trends are available in the HR channel.
350
00:12:27,160 –> 00:12:28,520
The transcript still exists.
351
00:12:28,520 –> 00:12:30,160
The citations are still recorded.
352
00:12:30,160 –> 00:12:32,880
The policy outcome is persisted alongside the action.
353
00:12:32,880 –> 00:12:35,920
Your post-incident review shows prevention, not explanation.
354
00:12:35,920 –> 00:12:39,400
Compliant systems fail in the gap between entitlement and intent.
355
00:12:39,400 –> 00:12:41,520
Deterministic gates close that gap.
356
00:12:41,520 –> 00:12:42,400
Case study three.
357
00:12:42,400 –> 00:12:45,160
External shadow agent, internal blast radius.
358
00:12:45,160 –> 00:12:47,240
Now the failure you won’t see on any official dashboard
359
00:12:47,240 –> 00:12:48,840
until the damage is baked in.
360
00:12:48,840 –> 00:12:50,680
A developer working against a deadline
361
00:12:50,680 –> 00:12:52,520
publishes an internet-facing agent
362
00:12:52,520 –> 00:12:54,760
to deflect customer tickets.
363
00:12:54,760 –> 00:12:55,720
It’s a quick path.
364
00:12:55,720 –> 00:12:58,960
A public web front-end, a Copilot-style agent behind it,
365
00:12:58,960 –> 00:13:01,520
and an Entra app registration with generous permissions
366
00:13:01,520 –> 00:13:04,240
because the backend knowledge lives inside the tenant.
367
00:13:04,240 –> 00:13:06,200
The agent needs to answer questions.
368
00:13:06,200 –> 00:13:09,080
So it’s given read scopes across several internal systems.
369
00:13:09,080 –> 00:13:13,360
SharePoint sites, a product wiki, a lightly governed knowledge base,
370
00:13:13,360 –> 00:13:15,400
and a support analytics store.
371
00:13:15,400 –> 00:13:18,240
It also receives a couple of write scopes for future features.
372
00:13:18,240 –> 00:13:20,520
No change board, no security review.
373
00:13:20,520 –> 00:13:21,680
It works in staging.
374
00:13:21,680 –> 00:13:23,120
It’s pushed live.
375
00:13:23,120 –> 00:13:25,400
A customer asks a seemingly harmless question.
376
00:13:25,400 –> 00:13:28,680
What’s the workaround for the outage on the X-ON-20 firmware?
377
00:13:28,680 –> 00:13:31,920
The agent retrieves internal runbooks, post-mortem fragments,
378
00:13:31,920 –> 00:13:35,640
and draft remediation notes that were never meant to leave the company.
379
00:13:35,640 –> 00:13:39,440
It composes a clean, confident answer and publishes it to the public chat.
380
00:13:39,440 –> 00:13:41,960
There is no malicious actor in this story,
381
00:13:41,960 –> 00:13:45,000
only a public agent with broad scopes and a good retrieval stack.
382
00:13:45,000 –> 00:13:46,160
The logs look clean.
383
00:13:46,160 –> 00:13:49,880
Entra shows valid token issuance under a client credentials flow.
384
00:13:49,880 –> 00:13:51,720
Conditional access, if configured,
385
00:13:51,720 –> 00:13:53,680
evaluates the workload identity
386
00:13:53,680 –> 00:13:55,960
and grants access based on expected signals.
387
00:13:55,960 –> 00:13:58,880
Purview records internal document reads by the agent identity.
388
00:13:58,880 –> 00:14:00,760
From a compliance lens, it’s all legitimate,
389
00:14:00,760 –> 00:14:03,720
a registered app, an allowed scope, a permitted retrieval.
390
00:14:03,720 –> 00:14:05,720
What’s missing is the part you needed most.
391
00:14:05,720 –> 00:14:09,040
There is no record of why this tool was selected over a public knowledge source.
392
00:14:09,040 –> 00:14:11,440
There is no captured decision chain
393
00:14:11,440 –> 00:14:14,680
tying the external query to the specific internal chunks.
394
00:14:14,680 –> 00:14:16,880
There is no policy evaluation artifact that says
395
00:14:16,880 –> 00:14:20,480
the external agent request venue equals internet,
396
00:14:20,480 –> 00:14:23,600
data class equals internal only, deny disclosure.
397
00:14:23,600 –> 00:14:27,480
There is no approval trail that this agent should have been exposed publicly at all.
398
00:14:27,480 –> 00:14:30,400
The transcripts, if they exist, tell you what was said.
399
00:14:30,400 –> 00:14:33,400
They do not tell you what the control plane failed to prevent.
400
00:14:33,400 –> 00:14:35,400
Blast radius is not only about delete operations,
401
00:14:35,400 –> 00:14:37,680
it’s about speed, reach and replication.
402
00:14:37,680 –> 00:14:41,200
A public agent with internal read scopes creates machine speed egress.
403
00:14:41,200 –> 00:14:42,600
One question becomes 10.
404
00:14:42,600 –> 00:14:45,200
Screenshots proliferate, aggregators scrape.
405
00:14:45,200 –> 00:14:47,800
The operational week is over before anyone sees the pattern.
406
00:14:47,800 –> 00:14:49,600
Security teams pivot to forensics.
407
00:14:49,600 –> 00:14:51,320
The transcripts confirm the obvious.
408
00:14:51,320 –> 00:14:53,200
The architecture, not the user, did this.
409
00:14:53,200 –> 00:14:56,000
This is where non-human identity meets failure domains.
410
00:14:56,000 –> 00:14:59,600
A single over-permissioned NHI served two incompatible roles.
411
00:14:59,600 –> 00:15:01,600
Public responder and internal reader.
412
00:15:01,600 –> 00:15:03,200
A bug in governance, not code.
413
00:15:03,200 –> 00:15:06,200
Least privilege was treated as an aspiration, not a boundary.
414
00:15:06,200 –> 00:15:08,600
The identity had no egress aware policy gate.
415
00:15:08,600 –> 00:15:10,600
The retrieval path had no venue filter.
416
00:15:10,600 –> 00:15:14,800
The speech path, or in this case, the public response path had no classification guard.
417
00:15:14,800 –> 00:15:18,200
Everything that followed was deterministic propagation of an earlier omission.
418
00:15:18,200 –> 00:15:22,000
There is a deterministic alternative that closes the hole without killing the use case.
419
00:15:22,000 –> 00:15:24,400
Start by splitting the agent into domains.
420
00:15:24,400 –> 00:15:27,600
The public facing responder runs under an external identity
421
00:15:27,600 –> 00:15:30,200
with zero access to internal core data planes.
422
00:15:30,200 –> 00:15:33,800
Its only backend is a curated, published approved public knowledge base.
423
00:15:33,800 –> 00:15:39,600
Internal retrieval runs under a separate internal only identity gated by network and policy.
424
00:15:39,600 –> 00:15:42,600
The two do not share tokens, keys, or scopes.
425
00:15:42,600 –> 00:15:45,600
The external identity can ask the internal one to propose an answer
426
00:15:45,600 –> 00:15:49,600
only through a policy-controlled broker that evaluates venue and data class.
427
00:15:49,600 –> 00:15:51,200
Most requests never crossed the boundary.
428
00:15:51,200 –> 00:15:53,600
Next, put a gate in the path where it matters.
429
00:15:53,600 –> 00:15:57,000
Treat every candidate response as a content item with attributes.
430
00:15:57,000 –> 00:16:00,400
Source classifications, aggregation level, audience, venue.
431
00:16:00,400 –> 00:16:03,800
A policy engine evaluates those attributes against egress rules.
432
00:16:03,800 –> 00:16:07,400
Internal only content may not be disclosed to unauthenticated users.
433
00:16:07,400 –> 00:16:10,800
Drafts and post mortems are never eligible for external responses.
434
00:16:10,800 –> 00:16:16,000
Aggregations derived from internal sources must map to a pre-approved external template or be denied.
435
00:16:16,000 –> 00:16:19,400
If the rule denies, the broker returns no eligible content found
436
00:16:19,400 –> 00:16:22,200
and the public agent politely defers to support escalation.
437
00:16:22,200 –> 00:16:28,800
If the rule transforms, the broker returns a sanitized, externally approved snippet with citations to public docs.
438
00:16:28,800 –> 00:16:31,400
Add one more guard that makes incident response boring.
439
00:16:31,400 –> 00:16:33,400
Persist policy outcomes with the action.
440
00:16:33,400 –> 00:16:37,200
When a response goes out, you retain not only the transcript and retrieval citations
441
00:16:37,200 –> 00:16:39,200
but the policy decision that allowed it.
442
00:16:39,200 –> 00:16:40,000
Allowed.
443
00:16:40,000 –> 00:16:43,600
Rule X201, source set, PUB docs, 2024 Q2.
444
00:16:43,600 –> 00:16:45,600
Now your audit becomes proof, not prose.
445
00:16:45,600 –> 00:16:48,000
And your prevention becomes visible, not assumed.
446
00:16:48,000 –> 00:16:49,200
Replay the incident.
447
00:16:49,200 –> 00:16:51,000
The customer asks about firmware.
448
00:16:51,000 –> 00:16:53,200
The public agent searches the approved external corpus.
449
00:16:53,200 –> 00:16:55,600
It finds nothing precise. It asks the broker.
450
00:16:55,600 –> 00:16:58,400
The broker evaluates the internal candidate against egress rules.
451
00:16:58,400 –> 00:16:59,200
Deny.
452
00:16:59,200 –> 00:17:04,600
The public agent replies, “I can’t share internal remediation notes here, but I can connect you with support.”
453
00:17:04,600 –> 00:17:07,600
The screenshot that circulates is a refusal, not a leak.
454
00:17:07,600 –> 00:17:12,400
That is what it looks like when the control plane, not the interface, decides the blast radius.
455
00:17:12,400 –> 00:17:14,000
Event-driven entropy.
456
00:17:14,000 –> 00:17:15,400
Activities aren’t state.
457
00:17:15,400 –> 00:17:18,600
Microsoft is right about one thing that most teams misread.
458
00:17:18,600 –> 00:17:21,200
Activities and turn context are the intended surface.
459
00:17:21,200 –> 00:17:22,400
They’re not hacks, they’re envelopes.
460
00:17:22,400 –> 00:17:23,800
The mistake isn’t using events.
461
00:17:23,800 –> 00:17:26,800
Its pretending events are reliable state transitions.
462
00:17:26,800 –> 00:17:29,600
Architecturally, it is something else, an event is a proposal.
463
00:17:29,600 –> 00:17:32,200
State is authority.
464
00:17:32,200 –> 00:17:36,200
In an event-driven system, four realities stack whether you acknowledge them or not.
465
00:17:36,200 –> 00:17:38,400
Duplication, delay, reordering and loss.
466
00:17:38,400 –> 00:17:39,400
They are not edge cases.
467
00:17:39,400 –> 00:17:44,200
They are the environment, a retry duplicates an activity, a congested link delays it,
468
00:17:44,200 –> 00:17:46,600
two workers pull from the same queue and reorder it.
469
00:17:46,600 –> 00:17:48,200
A transient broker fault drops it.
470
00:17:48,200 –> 00:17:51,000
Your code can be perfect and still experience conditional chaos
471
00:17:51,000 –> 00:17:53,600
because the system did what distributed systems do.
472
00:17:53,600 –> 00:17:55,000
That distinction matters.
473
00:17:55,000 –> 00:17:58,000
If a delete request is retried after a transient 502
474
00:17:58,000 –> 00:18:01,800
and you don’t carry an id-impotency key to an authoritative state store,
475
00:18:01,800 –> 00:18:03,200
you haven’t retried a conversation.
476
00:18:03,200 –> 00:18:05,200
You’ve scheduled another deletion.
477
00:18:05,200 –> 00:18:09,600
If a “mark complete” activity arrives before the create task activity
478
00:18:09,600 –> 00:18:12,200
due to reordering and you treat activities as truth
479
00:18:12,200 –> 00:18:14,200
you’ve encoded a time machine.
480
00:18:14,200 –> 00:18:17,200
And if you did you by best effort, without a persisted operation ID,
481
00:18:17,200 –> 00:18:21,000
your diagnostics will swear nothing happened while your data plane shows damage.
482
00:18:21,000 –> 00:18:22,800
Turncontext is an envelope not a ledger.
483
00:18:22,800 –> 00:18:25,200
You can read claims, channel data and prior to a state.
484
00:18:25,200 –> 00:18:29,000
But none of that is authoritative outside the process boundary unless you anchor it.
485
00:18:29,000 –> 00:18:30,800
Activities carry evidence of intent.
486
00:18:30,800 –> 00:18:31,800
They do not carry permission.
487
00:18:31,800 –> 00:18:35,000
The control plane must reconcile intent with authority every single time.
488
00:18:35,000 –> 00:18:40,000
Once you accept that mitigation stops being optional ceremony and become system law.
489
00:18:40,000 –> 00:18:41,600
First, item potency keys.
490
00:18:41,600 –> 00:18:45,800
Every tool reaching request carries a unique collision-resistant operation ID.
491
00:18:45,800 –> 00:18:49,200
You persisted in a store that outlives the process, queryable in 01.
492
00:18:49,200 –> 00:18:52,400
If you see the same ID, you return the prior decision and effect.
493
00:18:52,400 –> 00:18:54,000
No side effects repeat.
494
00:18:54,000 –> 00:18:56,600
No at least once surprise becomes twice.
495
00:18:56,600 –> 00:18:59,200
Second, an authoritative state store.
496
00:18:59,200 –> 00:19:01,800
Not the transient in memory turn state.
497
00:19:01,800 –> 00:19:04,000
Not a cache with weak guarantees.
498
00:19:04,000 –> 00:19:08,800
A durable store that defines the source of truth for workflow position and resource eligibility.
499
00:19:08,800 –> 00:19:11,200
Task 8473 exists.
500
00:19:11,200 –> 00:19:13,000
Site X is eligible false.
501
00:19:13,000 –> 00:19:15,000
Operation Y is decided, deny.
502
00:19:15,000 –> 00:19:16,600
The event stream can be noisy.
503
00:19:16,600 –> 00:19:17,800
The state store is not.
504
00:19:17,800 –> 00:19:20,000
Third, deterministic workflows for tool calls.
505
00:19:20,000 –> 00:19:21,800
The agent never issues an imperative.
506
00:19:21,800 –> 00:19:23,600
It submits a request structure.
507
00:19:23,600 –> 00:19:27,400
Actor, intent, scope, data class, venue, operation ID.
508
00:19:27,400 –> 00:19:31,600
A policy engine evaluates that structure against rules and authoritative state
509
00:19:31,600 –> 00:19:34,200
and returns and allow deny transform outcome.
510
00:19:34,200 –> 00:19:38,000
Tools only accept decisions from the policy engine, scope to the operation ID.
511
00:19:38,000 –> 00:19:39,200
The agent proposes.
512
00:19:39,200 –> 00:19:40,400
The control plane disposes.
513
00:19:40,400 –> 00:19:42,400
Now layer in the realities you can’t prevent.
514
00:19:42,400 –> 00:19:44,000
Reordering?
515
00:19:44,000 –> 00:19:48,000
The policy engine evaluates against current authoritative state each time.
516
00:19:48,000 –> 00:19:52,800
If the complete arrives before create, the request fails deterministically as invalid
517
00:19:52,800 –> 00:19:55,400
because the state says the resource doesn’t exist.
518
00:19:55,400 –> 00:19:56,400
Duplication?
519
00:19:56,400 –> 00:19:58,600
The operation ID short circuits repeats.
520
00:19:58,600 –> 00:19:59,600
Delay?
521
00:19:59,600 –> 00:20:03,800
Decisions cache by operation ID for bounded time with explicit expiry.
522
00:20:03,800 –> 00:20:05,600
Late arrivals get the same outcome.
523
00:20:05,600 –> 00:20:06,800
Not a fresh guess.
524
00:20:06,800 –> 00:20:07,800
Loss?
525
00:20:07,800 –> 00:20:11,000
You design workflows to be resilient to missing intermediate activities.
526
00:20:11,000 –> 00:20:14,200
The state store, not the event stream, drives reconciliation.
527
00:20:14,200 –> 00:20:19,000
This is why direct line and channel events feel brittle when teams wire them as state machines.
528
00:20:19,000 –> 00:20:20,800
You build a control plane out of envelopes.
529
00:20:20,800 –> 00:20:22,200
It will flex like paper.
530
00:20:22,200 –> 00:20:24,200
The fix is not to abandon events.
531
00:20:24,200 –> 00:20:25,800
It’s to demote them to what they are.
532
00:20:25,800 –> 00:20:27,600
Proposals and telemetry.
533
00:20:27,600 –> 00:20:29,200
Authority lives elsewhere.
534
00:20:29,200 –> 00:20:31,200
Weapon cooks and streaming don’t change this.
535
00:20:31,200 –> 00:20:33,800
A streaming partial response is still an event.
536
00:20:33,800 –> 00:20:35,800
A web hook from SharePoint is still an event.
537
00:20:35,800 –> 00:20:38,000
Both can be duplicated, delayed or dropped.
538
00:20:38,000 –> 00:20:40,000
Your safety depends on the same spine.
539
00:20:40,000 –> 00:20:41,000
Ident potency keys.
540
00:20:41,000 –> 00:20:43,000
An authoritative state store.
541
00:20:43,000 –> 00:20:45,800
And a deterministic policy decision before side effects.
542
00:20:45,800 –> 00:20:47,800
Here’s the operating rule you enforce everywhere.
543
00:20:47,800 –> 00:20:50,800
If an event can’t be safely replayed, it shouldn’t control state.
544
00:20:50,800 –> 00:20:56,000
That applies to deletes, emails, shares, payments and anything with a blast radius.
545
00:20:56,000 –> 00:21:02,000
Safe replay means the same operation ID yields the same decision and the same effect, regardless of arrival, count or order.
546
00:21:02,000 –> 00:21:05,400
If you can’t guarantee that, you haven’t built a reliable system.
547
00:21:05,400 –> 00:21:07,800
You’ve built a roulette table with nice transcripts.
548
00:21:07,800 –> 00:21:11,400
When you adopt this model, your incident reviews change tone.
549
00:21:11,400 –> 00:21:14,600
You stop explaining how a rare timing glitch produced a bad outcome
550
00:21:14,600 –> 00:21:18,600
and start showing a denied decision artifact attached to a prevented action.
551
00:21:18,600 –> 00:21:20,200
The experience plane still narrates.
552
00:21:20,200 –> 00:21:23,200
The control plane finally governs the experience plane tax.
553
00:21:23,200 –> 00:21:25,400
Web RTC speech regions cost.
554
00:21:25,400 –> 00:21:28,400
Now the part nobody budgets for until it’s embedded in the demo.
555
00:21:28,400 –> 00:21:29,600
The experience plane tax.
556
00:21:29,600 –> 00:21:32,200
When you add a face in a voice, you don’t just add delight.
557
00:21:32,200 –> 00:21:34,800
You add networks, regions and meter seconds.
558
00:21:34,800 –> 00:21:37,800
Each one is a new failure domain with no control value.
559
00:21:37,800 –> 00:21:39,400
Start with Web RTC.
560
00:21:39,400 –> 00:21:40,800
In a lab, it looks perfect.
561
00:21:40,800 –> 00:21:43,400
Peer to peer low latency by directional media.
562
00:21:43,400 –> 00:21:46,600
In an enterprise, it runs headlong into reality.
563
00:21:46,600 –> 00:21:53,600
NAT traversal, VPN hairpins, deep packet inspection, split tunnel policies and compliance proxies.
564
00:21:53,600 –> 00:21:58,200
Turn relays become mandatory because most corporate firewalls won’t allow UDP to the wild.
565
00:21:58,200 –> 00:21:59,600
That adds hops and jitter.
566
00:21:59,600 –> 00:22:03,600
Your real-time avatar now rides a path with unpredictable queuing delay.
567
00:22:03,600 –> 00:22:05,800
Sub 150 milliseconds is ideal.
568
00:22:05,800 –> 00:22:08,200
150 to 300 is barely tolerable.
569
00:22:08,200 –> 00:22:11,600
Beyond 300, users experience talk over and clipped phrases.
570
00:22:11,600 –> 00:22:12,800
This isn’t negligence.
571
00:22:12,800 –> 00:22:15,400
It’s the physics of a network you don’t control.
572
00:22:15,400 –> 00:22:16,800
And those relays aren’t free.
573
00:22:16,800 –> 00:22:18,200
Turn bandwidth costs money.
574
00:22:18,200 –> 00:22:20,000
CP on media service cost money.
575
00:22:20,000 –> 00:22:25,600
Diagnostics to explain why a subset of users in one region have 400 millisecond roundtrip
576
00:22:25,600 –> 00:22:28,000
when everyone else has 120 costs money.
577
00:22:28,000 –> 00:22:32,400
Each mitigation you bolt on, adaptive bitrate, FEC, jitter buffers,
578
00:22:32,400 –> 00:22:35,600
rescues the illusion while increasing operational entropy.
579
00:22:35,600 –> 00:22:37,200
None of it makes your two-called safer.
580
00:22:37,200 –> 00:22:39,400
All of it must be run monitored and paid for.
581
00:22:39,400 –> 00:22:40,600
Now look at speech.
582
00:22:40,600 –> 00:22:45,800
Asiatized speech resources to regions by design, that’s a compliance virtue and an architectural cost.
583
00:22:45,800 –> 00:22:49,200
A resource in West Europe can’t authenticate with a key from East US.
584
00:22:49,200 –> 00:22:53,600
If you serve multiple geographies, you’re running multiple speech resources
585
00:22:53,600 –> 00:22:57,200
with separate keys, quotas, failover plans and incident playbooks.
586
00:22:57,200 –> 00:23:00,800
China is segregated again with China East too or China North to endpoints.
587
00:23:00,800 –> 00:23:05,200
The illusion of one global persona is propped up by a farm of regional services
588
00:23:05,200 –> 00:23:07,000
and routing logic you maintain.
589
00:23:07,000 –> 00:23:09,800
When a region blips, your avatar loses its voice,
590
00:23:09,800 –> 00:23:15,400
not because your agent is down, but because one of the many required regions is rate limiting or having an incident.
591
00:23:15,400 –> 00:23:18,400
Again, higher blast radius, no increase in determinism.
592
00:23:18,400 –> 00:23:20,200
Billing is honest and relentless.
593
00:23:20,200 –> 00:23:22,400
Text to speech and avatars are built per second.
594
00:23:22,400 –> 00:23:26,000
If you need a number that lands in executive ears, keep it simple.
595
00:23:26,000 –> 00:23:30,400
50 concurrent sessions, 6 peak hours per day, 22 work days per month.
596
00:23:30,400 –> 00:23:35,600
That’s 50, 6, 3, 622, 23.7 million streaming seconds.
597
00:23:35,600 –> 00:23:37,600
You can do your local rate card math later.
598
00:23:37,600 –> 00:23:38,600
The point is the unit.
599
00:23:38,600 –> 00:23:42,600
Second, you are now financing human certainty at video game economics.
600
00:23:42,600 –> 00:23:46,400
Metered to the second, across relays and regions you must keep upright.
601
00:23:46,400 –> 00:23:47,600
Add the rest of the stack.
602
00:23:47,600 –> 00:23:52,000
Speech to text on the inbound path, with accents, crosstalk and meeting noise.
603
00:23:52,000 –> 00:23:53,600
Egress from your media relays.
604
00:23:53,600 –> 00:23:58,200
Storage for transcripts and audio snippets if your compliance team requires retention.
605
00:23:58,200 –> 00:24:03,800
Monitoring that can attribute failures to the right layer, network, relay, browser, speech region, avatars synth.
606
00:24:03,800 –> 00:24:09,200
Support tickets from one business unit that can’t get under 250 milliseconds on their MPLS to cloud route.
607
00:24:09,200 –> 00:24:11,400
Every piece is necessary for the illusion.
608
00:24:11,400 –> 00:24:13,000
None of it is a policy gate.
609
00:24:13,000 –> 00:24:16,000
And this is where the experience plain tax becomes a strategy problem.
610
00:24:16,000 –> 00:24:20,600
It diverts budget and engineering energy toward rendering trust rather than enforcing it.
611
00:24:20,600 –> 00:24:22,600
The avatar doesn’t enforce least privilege.
612
00:24:22,600 –> 00:24:24,200
The voice doesn’t evaluate intent.
613
00:24:24,200 –> 00:24:26,400
The WebRTC pipeline doesn’t classify outputs.
614
00:24:26,400 –> 00:24:30,000
You are scaling the surface that convinces humans they can rely on the system,
615
00:24:30,000 –> 00:24:33,200
while leaving the plane that actually prevents harm underfunded.
616
00:24:33,200 –> 00:24:36,200
There is a clean trade available if you care about outcomes.
617
00:24:36,200 –> 00:24:38,400
Keep UI and voice strictly optional.
618
00:24:38,400 –> 00:24:41,600
Treat them as adapters on the edge, not dependencies in the core.
619
00:24:41,600 –> 00:24:47,200
Route the same dollars you would spend on avatars, turn, and regional speech sprawl into the control plane,
620
00:24:47,200 –> 00:24:50,400
per tool call policy engines, idempotency guarantees,
621
00:24:50,400 –> 00:24:53,600
authoritative state stores and segmented agent identities.
622
00:24:53,600 –> 00:24:58,400
Fund negative space in retrieval, so silence is the default when evidence is missing.
623
00:24:58,400 –> 00:25:02,400
Instrument policy outcomes so every action carries a proof, not a story.
624
00:25:02,400 –> 00:25:04,400
Because here’s the blunt operational truth.
625
00:25:04,400 –> 00:25:08,000
If the avatar drops for 30 minutes, you have an irritated business unit.
626
00:25:08,000 –> 00:25:11,800
If a destructive tool call executes without a gate for 30 milliseconds,
627
00:25:11,800 –> 00:25:13,600
you have an outage and a board packet.
628
00:25:13,600 –> 00:25:15,600
The experience plain tax buys applause.
629
00:25:15,600 –> 00:25:17,600
The control plane spend buys survivability.
630
00:25:17,600 –> 00:25:20,400
One makes the demo smooth, the other makes the incident brief.
631
00:25:20,400 –> 00:25:26,400
Redirect budget from rendering to gating and you’ll feel it the first time a denied decision replaces a post-mortem.
632
00:25:26,400 –> 00:25:31,200
NHIs as super users, where real risk lives, treat the agent as what it is.
633
00:25:31,200 –> 00:25:36,800
A non-human identity with machine speed privileges, it doesn’t get bored, it doesn’t hesitate and it never fad fingers.
634
00:25:36,800 –> 00:25:42,400
When you wire tools to it, you’ve built a super user that acts faster than any human admin ever could.
635
00:25:42,400 –> 00:25:46,800
That is the center of gravity, not hallucinations, not avatars.
636
00:25:46,800 –> 00:25:50,000
Identity and authorization define the blast radius.
637
00:25:50,000 –> 00:25:54,400
Microsoft’s Entra agent ID is progress because it acknowledges this explicitly.
638
00:25:54,400 –> 00:26:00,800
Agents are first class identities, but acknowledging the category doesn’t neutralize the risk pattern that dominates real incidents.
639
00:26:00,800 –> 00:26:04,800
The pattern is simple and NHIs granted standing scopes to keep development smooth.
640
00:26:04,800 –> 00:26:07,200
It accumulates permissions as features are create.
641
00:26:07,200 –> 00:26:12,800
Then an ambiguous prompt, a brittle retrieval or a subtle orchestration bug routes that power into the wrong place.
642
00:26:12,800 –> 00:26:18,000
Nothing exotic, no escalation chain, just valid credentials used at the speed of regret.
643
00:26:18,000 –> 00:26:20,000
There are three sins you see on repeat.
644
00:26:20,000 –> 00:26:28,000
First, broad data plane scopes like files, read right one all, sites full control, all, or tenant level application permissions that never expire.
645
00:26:28,000 –> 00:26:31,200
They exist because developers optimize for works in staging.
646
00:26:31,200 –> 00:26:38,000
Second, single identity design, one agent, one principle, one token that does everything read, write external calls across domains.
647
00:26:38,000 –> 00:26:39,600
That merges failure modes.
648
00:26:39,600 –> 00:26:47,200
Third, no time boundedness, persistent secrets and long-lived app permissions that keep working after the feature they justify the sunset.
649
00:26:47,200 –> 00:26:52,400
Now, layer machine speed on those sins, a human with too much access can delete a site in 30 seconds.
650
00:26:52,400 –> 00:26:56,400
An NHI can delete 100 in the time it takes a monitor to ship its first alert.
651
00:26:56,400 –> 00:26:59,200
A human can paste one report to the wrong channel.
652
00:26:59,200 –> 00:27:02,800
An NHI can mirror a library to an external venue before anyone notices.
653
00:27:02,800 –> 00:27:06,400
Speed isn’t just a multiplier, it changes the shape of the incident.
654
00:27:06,400 –> 00:27:08,400
You don’t get the warning shots you’re used to.
655
00:27:08,400 –> 00:27:14,800
You get completion, conditional access trims who gets a token, it does not by itself constrain what that token can do once granted.
656
00:27:14,800 –> 00:27:22,400
That’s why you segregate privilege by capability and venue and you do it at the identity boundary, not as a polite intention inside an orchestrator.
657
00:27:22,400 –> 00:27:25,600
Read only discovery runs under a read principle that cannot write.
658
00:27:25,600 –> 00:27:30,400
Write actions run under a separate principle with minimal resource-scoped app permissions.
659
00:27:30,400 –> 00:27:33,600
Key vaulted, short-lived and minted just in time.
660
00:27:33,600 –> 00:27:39,600
External interactions run under an egress aware principle that cannot see internal core data planes.
661
00:27:39,600 –> 00:27:43,200
One agent can own three identities, that’s not overhead, that’s a break.
662
00:27:43,200 –> 00:27:46,000
This is where a per tool called policy gates earn their keep.
663
00:27:46,000 –> 00:27:48,000
You don’t depend on the agent knows not to do this.
664
00:27:48,000 –> 00:27:54,000
How dare you make it structurally impossible without an allow decision?
665
00:27:54,000 –> 00:27:56,000
The agent constructs a request.
666
00:27:56,000 –> 00:28:05,600
Actor is right principle, intent, egos delete, scope egos resource x, data class, exo else internal venue is tenent.
667
00:28:05,600 –> 00:28:10,000
The policy engine evaluates that tuples against rules and authoritative state.
668
00:28:10,000 –> 00:28:13,600
Allow with constraints, transform to a safe queue or deny.
669
00:28:13,600 –> 00:28:16,400
Tools accept decisions, not free form imperatives.
670
00:28:16,400 –> 00:28:19,200
Your logs now contain policy outcomes next to actions.
671
00:28:19,200 –> 00:28:24,400
Your incident reviews shift from why did it do that to who changed the rule that allows this?
672
00:28:24,400 –> 00:28:27,600
Least privilege is not only about breadth, it’s also about time.
673
00:28:27,600 –> 00:28:30,600
The right to act should be the exception, not the baseline.
674
00:28:30,600 –> 00:28:38,000
Time-bounded tokens, short-lived app-only permissions, and on behalf of flows that inherit the caller’s maximum reduce the window of loss.
675
00:28:38,000 –> 00:28:40,800
A right identity that goes idle should lose its teeth.
676
00:28:40,800 –> 00:28:44,000
A secret that never rotates is a future outage with a clock.
677
00:28:44,000 –> 00:28:47,200
You also need negative space around retrieval and speech.
678
00:28:47,200 –> 00:28:50,400
A read principle should fail closed when evidence is thin.
679
00:28:50,400 –> 00:28:53,600
No eligible content is a safety feature, not a UX bug.
680
00:28:53,600 –> 00:28:57,200
It’s how you prevent a read identity from turning into a super-spreader by proxy,
681
00:28:57,200 –> 00:29:03,200
retrieving broadly, synthesizing confidently, and publishing to the wrong venue because nothing said it couldn’t.
682
00:29:03,200 –> 00:29:06,400
Finally, design failure domains as if compromise is inevitable.
683
00:29:06,400 –> 00:29:08,800
Assume the external facing identity will be fished.
684
00:29:08,800 –> 00:29:12,000
Assume a developer will publish a sample with a lingering scope.
685
00:29:12,000 –> 00:29:14,800
Assume an orchestrator will misroot and intent.
686
00:29:14,800 –> 00:29:16,400
When? Not if.
687
00:29:16,400 –> 00:29:19,600
That’s why you keep read, write, and address independent compartments.
688
00:29:19,600 –> 00:29:22,400
Why you gate tool calls with a deterministic engine.
689
00:29:22,400 –> 00:29:26,000
Why you store authoritative state outside the event stream.
690
00:29:26,000 –> 00:29:29,200
And why you persist policy outcomes with actions.
691
00:29:29,200 –> 00:29:33,000
Compromise then looks like a denied decision and a constrained blast radius,
692
00:29:33,000 –> 00:29:34,800
not a weak long archaeology project.
693
00:29:34,800 –> 00:29:37,600
The avatar won’t save you here. The transcript won’t save you here.
694
00:29:37,600 –> 00:29:38,800
Only boundaries do.
695
00:29:38,800 –> 00:29:43,200
Treat NHIs like super users in waiting and build the breaks into the plane that actually moves.
696
00:29:43,200 –> 00:29:44,800
Audit provenance policy gate.
697
00:29:44,800 –> 00:29:47,600
Here’s the line that separates reassurance from control.
698
00:29:47,600 –> 00:29:48,800
Audit tells you what happened.
699
00:29:48,800 –> 00:29:50,800
Provenance tells you why you think it happened.
700
00:29:50,800 –> 00:29:54,000
A policy gate decides whether it’s allowed to happen at all.
701
00:29:54,000 –> 00:29:56,600
You need all three in that order at the right time.
702
00:29:56,600 –> 00:30:00,600
Most enterprises have only the first, a partial version of the second and almost none of the third.
703
00:30:00,600 –> 00:30:01,600
Start with audit.
704
00:30:01,600 –> 00:30:03,600
Microsoft has improved this meaningfully.
705
00:30:03,600 –> 00:30:05,800
Copilot conversation transcripts can land in purview.
706
00:30:05,800 –> 00:30:07,800
Copilot studio locks activities.
707
00:30:07,800 –> 00:30:13,000
You can correlate who asked what was said which knowledge sources were touched and under which identity.
708
00:30:13,000 –> 00:30:14,400
That matters after an incident.
709
00:30:14,400 –> 00:30:19,000
It gives you a spine for forensics, a timeline for council and a way to separate rumor from record.
710
00:30:19,000 –> 00:30:20,600
But audit is always retrospective.
711
00:30:20,600 –> 00:30:23,800
It is the story the system can tell about itself after the fact.
712
00:30:23,800 –> 00:30:25,200
Provenance goes a level deeper.
713
00:30:25,200 –> 00:30:26,400
It’s not just what and when.
714
00:30:26,400 –> 00:30:31,400
It’s the decision chain which chunks were retrieved, which candidates were considered and rejected,
715
00:30:31,400 –> 00:30:36,000
which tool options the orchestrator surfaced, which constraints the agent claimed to respect,
716
00:30:36,000 –> 00:30:38,400
and which signals tipped the final selection.
717
00:30:38,400 –> 00:30:44,800
Provenance is an explanation graph, not a log line without it analysts infer causality from flat events and transcripts,
718
00:30:44,800 –> 00:30:47,000
which is how post mortems turn into fan fiction.
719
00:30:47,000 –> 00:30:49,800
Now the part that actually changes outcomes, a policy gate.
720
00:30:49,800 –> 00:30:51,600
A gate is not a guideline in a prompt.
721
00:30:51,600 –> 00:30:55,400
It is a deterministic decision point that evaluates a structured request.
722
00:30:55,400 –> 00:31:03,400
Actor, intent, scope, data class, venue against rules and authoritative state and returns allow deny or transform before any tool executes.
723
00:31:03,400 –> 00:31:08,800
The agent proposes the control plane disposes, the decision outcome is persisted with the action.
724
00:31:08,800 –> 00:31:14,200
That’s the difference between we saw a delete and we can prove why this delete was permitted under rule D104.
725
00:31:14,200 –> 00:31:18,200
Watch how the three diverge on the same timeline, an agent authenticates.
726
00:31:18,200 –> 00:31:21,800
Conditional access evaluates token time signals and issues are token.
727
00:31:21,800 –> 00:31:24,000
Good control, wrong time for authorization.
728
00:31:24,000 –> 00:31:30,000
The user asks a question, audit starts capturing the agent retrieves documents and candidate resources.
729
00:31:30,000 –> 00:31:34,000
Provenance should record retrieval IDs, ranking and alternative parts.
730
00:31:34,000 –> 00:31:38,000
The agent prepares to call a tool, a policy gate must evaluate that proposed action.
731
00:31:38,000 –> 00:31:42,000
If it allows, the tool executes and the policy outcome is attached.
732
00:31:42,000 –> 00:31:46,200
If it denies, the tool never sees the request and the denial is attached instead.
733
00:31:46,200 –> 00:31:50,800
Afterward audit captures the effect and provenance links decision to consequence.
734
00:31:50,800 –> 00:31:53,800
In most enterprises today, two things are missing at this moment.
735
00:31:53,800 –> 00:31:57,600
First, the gate itself, tool calls are executed, imperatively not adjudicated.
736
00:31:57,600 –> 00:31:59,600
Second, the policy evaluation artifacts.
737
00:31:59,600 –> 00:32:04,600
No persisted proof that this was reviewed by a machine policy and approved under constrained X.
738
00:32:04,600 –> 00:32:07,200
That’s why transcripts feel like progress and still fail you.
739
00:32:07,200 –> 00:32:10,800
They narrate the accident, they don’t show you the red light that should have been there.
740
00:32:10,800 –> 00:32:13,400
There’s a second gap that matters, negative space.
741
00:32:13,400 –> 00:32:17,600
Provenance must include what did not happen, which sides were considered and rejected,
742
00:32:17,600 –> 00:32:23,200
which internal chunks were excluded by egress rules, which tool options were presented and disallowed by policy.
743
00:32:23,200 –> 00:32:27,000
Without that shadow, you can’t distinguish the agent found only one path from.
744
00:32:27,000 –> 00:32:29,000
The agent took the only unconstrained path.
745
00:32:29,000 –> 00:32:30,800
Now tie this back to retrieval.
746
00:32:30,800 –> 00:32:36,000
Grounding reduces hallucination, but only a gate can enforce sight or silent behavior.
747
00:32:36,000 –> 00:32:38,600
Pre-retrieval filters bound the candidate set.
748
00:32:38,600 –> 00:32:43,000
Post-retrieval policy evaluates whether this audience and venue permit verbalisation
749
00:32:43,000 –> 00:32:44,600
at the requested granularity.
750
00:32:44,600 –> 00:32:46,600
If the rule denies, the agent says less.
751
00:32:46,600 –> 00:32:48,200
Audit will show a polite refusal.
752
00:32:48,200 –> 00:32:51,000
Provenance will show denial under rule V302.
753
00:32:51,000 –> 00:32:54,200
The policy gate will stand in front of the speech tool and take the heat.
754
00:32:54,200 –> 00:32:56,600
You can implement this without boiling the ocean.
755
00:32:56,600 –> 00:33:01,200
Start with your highest blast radius tools, delete, share, post, email payment.
756
00:33:01,200 –> 00:33:04,560
Wrap them with a decision service that accepts structured requests, checks,
757
00:33:04,560 –> 00:33:09,400
idempotency, queries, authoritative state, evaluates rules and returns outcomes.
758
00:33:09,400 –> 00:33:11,200
Persist those outcomes alongside actions.
759
00:33:11,200 –> 00:33:14,400
Instrument retrieval to lock chunk IDs and reasons for exclusion
760
00:33:14,400 –> 00:33:16,600
then turn your audit from a diary into evidence.
761
00:33:16,600 –> 00:33:20,000
Action, source, decision, rule, constraint.
762
00:33:20,000 –> 00:33:23,200
Audit explains provenance convinces, the gate prevents.
763
00:33:23,200 –> 00:33:27,400
Without that ordering, your best capability remains writing eloquent post-incident reports
764
00:33:27,400 –> 00:33:30,200
about failures you could have denied in 30 milliseconds.
765
00:33:30,200 –> 00:33:34,400
Anthropomorphic trust bias and governance optics give the agent a face and a voice
766
00:33:34,400 –> 00:33:36,400
and you get an automatic upgrade in credibility.
767
00:33:36,400 –> 00:33:39,400
That’s human interface trust bias doing what it always does.
768
00:33:39,400 –> 00:33:43,800
A steady tone, eye contact and low response latency signal competence
769
00:33:43,800 –> 00:33:45,600
our brains mistake for reliability.
770
00:33:45,600 –> 00:33:47,400
Architecturally, it is something else.
771
00:33:47,400 –> 00:33:52,400
A probabilistic decision engine performing inside an event driven envelope now wearing a suit.
772
00:33:52,400 –> 00:33:53,800
This is the uncomfortable truth.
773
00:33:53,800 –> 00:33:56,800
Embodiment shifts scrutiny from the system to the performance.
774
00:33:56,800 –> 00:33:59,800
Users stop asking what policy approved this action.
775
00:33:59,800 –> 00:34:00,400
Let’s see.
776
00:34:00,400 –> 00:34:04,400
and start saying, “It sounded certain.” The persona becomes a confidence amplifier
777
00:34:04,400 –> 00:34:05,800
and confidence is not control.
778
00:34:05,800 –> 00:34:07,800
Watch how that bias infects governance.
779
00:34:07,800 –> 00:34:09,800
A transcript makes the interaction legible.
780
00:34:09,800 –> 00:34:11,400
Leaders read it and feel informed.
781
00:34:11,400 –> 00:34:16,200
A video snippet of the avatar handling a tricky exchange looks like operational maturity.
782
00:34:16,200 –> 00:34:18,400
The optics improve, the control plane did not.
783
00:34:18,400 –> 00:34:22,200
Without a gate, the same agent can perform a polished refusal in one case
784
00:34:22,200 –> 00:34:24,200
and a polished violation in the next.
785
00:34:24,200 –> 00:34:25,400
The difference is not style.
786
00:34:25,400 –> 00:34:28,800
It’s whether a deterministic decision occurred before the tool executed.
787
00:34:28,800 –> 00:34:31,400
Embodiment also muddies responsibility.
788
00:34:31,400 –> 00:34:33,400
When the agent speaks in the first person,
789
00:34:33,400 –> 00:34:36,800
teams unconsciously relocate agency into the interface.
790
00:34:36,800 –> 00:34:38,000
“It misunderstood.”
791
00:34:38,000 –> 00:34:39,200
“It made a choice.”
792
00:34:39,200 –> 00:34:41,200
No, your orchestration made a choice,
793
00:34:41,200 –> 00:34:44,200
based on retrieval and prompts, with credentials you issued.
794
00:34:44,200 –> 00:34:48,000
The more human the agent seems, the easier it is to abdicate architectural responsibility
795
00:34:48,000 –> 00:34:50,600
and reach for training tweaks instead of enforcement.
796
00:34:50,600 –> 00:34:55,000
Now look at meeting culture. Put a speaking agent into a live session and you widen the bias.
797
00:34:55,000 –> 00:34:57,200
Real-time answers carry social momentum.
798
00:34:57,200 –> 00:35:00,200
Participants accept the output to keep the conversation moving.
799
00:35:00,200 –> 00:35:01,800
Few will pause a call to ask,
800
00:35:01,800 –> 00:35:04,200
“Was that aggregation allowed in this venue?”
801
00:35:04,200 –> 00:35:06,000
The voice pushed them past the question.
802
00:35:06,000 –> 00:35:09,400
Afterward, governance reviews a clean transcript and a tidy set of citations.
803
00:35:09,400 –> 00:35:10,400
They see diligence.
804
00:35:10,400 –> 00:35:14,200
What they don’t see is the missing policy outcome that should have constrained speech.
805
00:35:14,200 –> 00:35:16,000
This is how you end up with governance theatre.
806
00:35:16,000 –> 00:35:19,600
Dashboards fill with transcripts, activity logs and grounding indicators.
807
00:35:19,600 –> 00:35:21,400
You can search, correlate and export.
808
00:35:21,400 –> 00:35:22,200
Impressive.
809
00:35:22,200 –> 00:35:29,400
But none of those artifacts by themselves prove that a policy engine adjudicated intent, scope, data class and venue before each action.
810
00:35:29,400 –> 00:35:33,200
The optics of oversight rise while the entropy in the authorization path remains.
811
00:35:33,200 –> 00:35:35,800
The fix is not to strip the face or mute the voice.
812
00:35:35,800 –> 00:35:39,000
It’s to make the interface optional and the control plane decisive.
813
00:35:39,000 –> 00:35:41,400
Replace trust by persona with trust by proof.
814
00:35:41,400 –> 00:35:44,600
The proof is a policy decision persisted next to every action.
815
00:35:44,600 –> 00:35:51,600
Allow, deny, transform, under rule R217 with the source set S841 at time T.
816
00:35:51,600 –> 00:35:55,000
That artifact defeats bias because it’s legible without performance.
817
00:35:55,000 –> 00:35:56,200
It also survives the meeting.
818
00:35:56,200 –> 00:35:58,200
When someone asks, “Why did it say that?”
819
00:35:58,200 –> 00:36:00,600
you don’t replay the avatar, you show the gate.
820
00:36:00,600 –> 00:36:03,400
Two operational habits counter the optics trap.
821
00:36:03,400 –> 00:36:05,000
First, invert demos.
822
00:36:05,000 –> 00:36:07,600
Lead with the gate, not the avatar.
823
00:36:07,600 –> 00:36:10,000
Here’s the deny firing under venue policy.
824
00:36:10,000 –> 00:36:11,800
Here’s the transform outcome.
825
00:36:11,800 –> 00:36:15,200
Here’s the idempotent replay returning the same decision.
826
00:36:15,200 –> 00:36:17,200
Then, if you must, show the face.
827
00:36:17,200 –> 00:36:18,800
Second, instrument negative space.
828
00:36:18,800 –> 00:36:20,800
Capture what the system refused to do.
829
00:36:20,800 –> 00:36:21,800
And why?
830
00:36:21,800 –> 00:36:25,800
Excluded chunks, disallowed tools, suppressed utterances.
831
00:36:25,800 –> 00:36:28,800
Without negative space, governance optics read like a highlight reel.
832
00:36:28,800 –> 00:36:30,800
With it, they read like evidence of restraint.
833
00:36:30,800 –> 00:36:33,800
This is also where budget choices expose priorities.
834
00:36:33,800 –> 00:36:38,000
If your spend concentrates on TURN, speech regions and avatar seconds,
835
00:36:38,000 –> 00:36:39,200
you’re investing in persuasion.
836
00:36:39,200 –> 00:36:41,600
If your spend concentrates on per-tool-call policy,
837
00:36:41,600 –> 00:36:44,000
authoritative state and segmented identities,
838
00:36:44,000 –> 00:36:45,600
you’re investing in control.
839
00:36:45,600 –> 00:36:47,200
One buys applause in a demo.
840
00:36:47,200 –> 00:36:50,200
The other buys safety at R2213 on a Wednesday.
841
00:36:50,200 –> 00:36:52,400
Finally, set the rule in language everyone can repeat.
842
00:36:52,400 –> 00:36:54,000
Personification is optional.
843
00:36:54,000 –> 00:36:55,800
Determinism at the control plane is not.
844
00:36:55,800 –> 00:36:57,600
Bias thrives where proof is absent.
845
00:36:57,600 –> 00:36:59,000
Kill the bias with proof.
846
00:36:59,000 –> 00:37:00,200
Logs tell stories.
847
00:37:00,200 –> 00:37:01,600
Provenance shows reasoning.
848
00:37:01,600 –> 00:37:03,000
Gates prevent incidents.
849
00:37:03,000 –> 00:37:04,600
Put the gate before the story.
850
00:37:04,600 –> 00:37:07,800
And the optics will finally match reality.
851
00:37:07,800 –> 00:37:09,800
Deterministic patterns that actually work.
852
00:37:09,800 –> 00:37:13,200
If you want agents that don’t quietly widen your blast radius,
853
00:37:13,200 –> 00:37:16,400
stop tuning prompts and start replacing chance with proof.
854
00:37:16,400 –> 00:37:19,800
There are five patterns that hold under stress and make incidents boring.
855
00:37:19,800 –> 00:37:23,400
Pattern one, idempotency with authoritative state spine.
856
00:37:23,400 –> 00:37:26,000
Every tool-reaching action carries a unique operation ID,
857
00:37:26,000 –> 00:37:29,400
generated once, collision resistant and persisted before any side effect.
858
00:37:29,400 –> 00:37:32,800
The policy engine and the tool both read and write against that spine.
859
00:37:32,800 –> 00:37:35,000
Replays return the original decision in effect.
860
00:37:35,000 –> 00:37:36,800
Duplicates die without impact.
861
00:37:36,800 –> 00:37:40,800
Reordering becomes harmless because state, not arrival order, determines eligibility.
862
00:37:40,800 –> 00:37:43,600
If create hasn’t materialized in the state store,
863
00:37:43,600 –> 00:37:45,600
complete fails deterministically.
864
00:37:45,600 –> 00:37:48,200
If delete already succeeded for R223,
865
00:37:48,200 –> 00:37:51,200
a retry returns the same outcome and no second deletion occurs.
866
00:37:51,200 –> 00:37:52,800
The rule that matters is this.
867
00:37:52,800 –> 00:37:56,000
If an event can’t be safely replayed, it shouldn’t control state.
868
00:37:56,000 –> 00:37:59,200
Pattern two, per-tool-call policy evaluation.
869
00:37:59,200 –> 00:38:02,600
Treat every call as a structured request, never an imperative.
870
00:38:02,600 –> 00:38:08,800
The agent proposes a tuple: actor, intent, scope, data class, venue, operation ID.
871
00:38:08,800 –> 00:38:12,600
A policy engine evaluates that tuple against rules and authoritative state
872
00:38:12,600 –> 00:38:17,600
then returns allow, deny or transform plus constraints and a decision ID.
873
00:38:17,600 –> 00:38:20,400
Tools accept only decisions, not free form commands,
874
00:38:20,400 –> 00:38:22,600
and only for the matching operation ID.
875
00:38:22,600 –> 00:38:24,800
You persist the outcome next to the action.
876
00:38:24,800 –> 00:38:26,800
This is the difference between “we saw an action”
877
00:38:26,800 –> 00:38:31,800
and “we can prove why this action was allowed under rule D104 with constraints C17.”
878
00:38:31,800 –> 00:38:34,200
The agent proposes, the control plane disposes.
879
00:38:34,200 –> 00:38:39,400
Pattern three, segmented agent identities: read, write and egress, each in its own failure domain.
880
00:38:39,400 –> 00:38:42,400
Read-only discovery runs under a principal that cannot write.
881
00:38:42,400 –> 00:38:46,800
Write operations execute under a separate principal with minimal resource-bounded app permissions
882
00:38:46,800 –> 00:38:48,800
minted just in time and short-lived.
883
00:38:48,800 –> 00:38:54,200
External communication runs under an egress-aware principal with zero access to internal core data planes.
884
00:38:54,200 –> 00:38:56,800
The same agent can coordinate three identities.
885
00:38:56,800 –> 00:38:59,600
That’s not theoretical purity, it’s blast radius math.
886
00:38:59,600 –> 00:39:05,400
A failure in one domain doesn’t cascade across the others because tokens, scopes and network paths do not overlap.
887
00:39:05,400 –> 00:39:08,800
Pattern four, retrieval-constrained generation with negative space.
888
00:39:08,800 –> 00:39:13,400
Prefilter retrieval by user and agent entitlements, data class and venue before the model ever sees it,
889
00:39:13,400 –> 00:39:16,000
then force cite-or-silent behavior.
890
00:39:16,000 –> 00:39:20,400
If eligible evidence is absent, the agent must say less.
891
00:39:20,400 –> 00:39:24,400
For outputs, attach derived sensitivity based on sources and aggregation
892
00:39:24,400 –> 00:39:28,000
and route speech or publishing through the same policy engine that gates tools.
893
00:39:28,000 –> 00:39:33,600
Audience mixed, data class compensation cohort, should yield a deny or transform before anything is verbalized.
894
00:39:33,600 –> 00:39:35,600
Grounding reduces hallucination.
895
00:39:35,600 –> 00:39:39,200
Negative space makes silence the safe default when proof is thin.
896
00:39:39,200 –> 00:39:42,800
Pattern five, policy-as-code outcomes persisted with the action.
897
00:39:42,800 –> 00:39:44,600
It’s not enough to evaluate a rule.
898
00:39:44,600 –> 00:39:51,200
You must persist the decision artifact including the rule ID, constraints, input attributes and the link to authoritative state.
899
00:39:51,200 –> 00:39:53,800
That record travels with the action into your logs.
900
00:39:53,800 –> 00:39:57,200
In post-incident review, you don’t infer intent from transcripts.
901
00:39:57,200 –> 00:39:59,200
You show the policy that allowed or denied.
902
00:39:59,200 –> 00:40:04,200
Over time, you get denial analytics, transform rates and hotspots by venue or tool.
903
00:40:04,200 –> 00:40:07,200
Governance stops being theater and starts being telemetry.
904
00:40:07,200 –> 00:40:08,400
These patterns interlock.
905
00:40:08,400 –> 00:40:13,000
Idempotency and authoritative state prevent the event stream from becoming your source of truth.
906
00:40:13,000 –> 00:40:17,000
Per-tool-call gates move authorization to the only moment that matters.
907
00:40:17,000 –> 00:40:20,400
Segmented identities constrain what a compromised token can reach.
908
00:40:20,400 –> 00:40:26,400
Retrieval constraints and negative space prevent speech from becoming an unmanaged egress path.
909
00:40:26,400 –> 00:40:30,200
Persisted policy outcomes turn audit into evidence and provenance into proof.
910
00:40:30,200 –> 00:40:32,400
None of this requires exotic infrastructure.
911
00:40:32,400 –> 00:40:35,600
You can start at the line where harm originates: the tools.
912
00:40:35,600 –> 00:40:40,400
Wrap your highest risk tools, delete, share, post, email, payment, with a thin decision service.
913
00:40:40,400 –> 00:40:47,600
Require operation IDs, check for duplicates, look up authoritative state, evaluate codified rules, return outcomes and persist them.
914
00:40:47,600 –> 00:40:51,600
Then ratchet identity: carve read from write and write from egress.
915
00:40:51,600 –> 00:40:56,600
Then clamp retrieval, tag sources, enforce eligibility, log denials and exclusions.
916
00:40:56,600 –> 00:40:59,600
The avatar will still smile, the transcript will still read well.
917
00:40:59,600 –> 00:41:02,600
The difference is that the plane that matters will finally be deterministic.
918
00:41:02,600 –> 00:41:04,600
If you remember nothing else, keep this sentence.
919
00:41:04,600 –> 00:41:07,200
The agent proposes the control plane disposes.
920
00:41:07,200 –> 00:41:10,200
That’s how you turn eloquent outages into quiet non-events.
921
00:41:10,200 –> 00:41:12,800
Conditional access: necessary, not sufficient.
922
00:41:12,800 –> 00:41:15,600
Conditional access is the strongest front gate you have.
923
00:41:15,600 –> 00:41:21,400
It evaluates signals, scores risk, and decides whether an identity, human or non-human,
924
00:41:21,400 –> 00:41:24,200
should receive a token under current conditions.
925
00:41:24,200 –> 00:41:28,600
Device posture, sign-in risk, location, workload identity context, all in scope.
926
00:41:28,600 –> 00:41:33,000
For agents that matter, it shrinks the population that can even attempt to act. Treat it as mandatory.
927
00:41:33,000 –> 00:41:35,000
But here’s the boundary you can’t cross with it.
928
00:41:35,000 –> 00:41:37,000
Conditional access is a token-time controller.
929
00:41:37,000 –> 00:41:39,200
It answers “who can show up now?”
930
00:41:39,200 –> 00:41:42,000
It does not answer “what should this identity be allowed to do next,
931
00:41:42,000 –> 00:41:45,200
in this venue, with this data, at this moment?”
932
00:41:45,200 –> 00:41:49,200
The failures we just walked through live at authorization time, per tool call.
933
00:41:49,200 –> 00:41:52,400
That’s a different plane. Say it in a sequence you can audit.
934
00:41:52,400 –> 00:41:54,000
The agent requests a token.
935
00:41:54,000 –> 00:41:57,400
Conditional access evaluates and if satisfied, issues it.
936
00:41:57,400 –> 00:42:00,600
Good. The agent retrieves eligible data under its scopes.
937
00:42:00,600 –> 00:42:03,000
Logged. The agent proposes an action.
938
00:42:03,000 –> 00:42:05,800
Delete, share, post, email, pay.
939
00:42:05,800 –> 00:42:11,600
That proposal must hit a deterministic policy gate that evaluates actor, intent, scope, data class,
940
00:42:11,600 –> 00:42:13,400
and venue before any tool executes.
941
00:42:13,400 –> 00:42:17,000
If you stop at the first two steps, you have identity hygiene and good forensics.
942
00:42:17,000 –> 00:42:18,200
You do not have control.
943
00:42:18,200 –> 00:42:21,200
So you design the system as a braid, not a blunt instrument.
944
00:42:21,200 –> 00:42:23,400
Pair conditional access with least privilege.
945
00:42:23,400 –> 00:42:26,400
Trim scopes to the smallest set that lets a capability work.
946
00:42:26,400 –> 00:42:29,200
Then split those capabilities across segmented identities.
947
00:42:29,200 –> 00:42:32,000
Read-only discovery runs under a read principal that can’t write.
948
00:42:32,000 –> 00:42:36,200
Writes run under a separate principal with minimal resource-scoped app permissions
949
00:42:36,200 –> 00:42:39,000
and short-lived credentials minted just in time.
950
00:42:39,000 –> 00:42:44,000
External communication runs under an egress-aware principal with no visibility into internal core planes.
951
00:42:44,000 –> 00:42:46,600
One agent orchestrates; three identities act.
952
00:42:46,600 –> 00:42:48,000
None can impersonate the others.
953
00:42:48,000 –> 00:42:50,600
That’s how you shrink blast radius after the token exists.
954
00:42:50,600 –> 00:42:55,200
Then bolt a gate in front of every high-risk tool, not a prompt guideline, a real gate.
955
00:42:55,200 –> 00:42:57,800
The agent never sends a verb, it sends a request.
956
00:42:57,800 –> 00:43:02,000
Actor, intent, scope, data class, venue, operation ID.
957
00:43:02,000 –> 00:43:05,800
A policy engine evaluates that structure against rules and authoritative state
958
00:43:05,800 –> 00:43:10,000
returns allow, deny or transform and persists the decision with the action.
959
00:43:10,000 –> 00:43:12,800
Tools accept decisions, not free form imperatives.
960
00:43:12,800 –> 00:43:14,600
Now you have proof, not promises.
961
00:43:14,600 –> 00:43:17,200
Make monitoring pull its weight without becoming noise.
962
00:43:17,200 –> 00:43:21,200
Anomaly detection belongs in two places, the identity plane and the action plane.
963
00:43:21,200 –> 00:43:26,200
At identity, watch for unusual token issuance patterns on your agent principals.
964
00:43:26,200 –> 00:43:31,000
New locations, odd cadences, bursts outside normal schedules.
965
00:43:31,000 –> 00:43:34,400
At action, watch for tool call shapes that don’t fit the baseline.
966
00:43:34,400 –> 00:43:39,000
Spikes in deletes, sudden egress, novel venues. Alerts are routed to policy, not panic.
967
00:43:39,000 –> 00:43:42,000
If you see drift, you tighten rules or de-scope identities.
968
00:43:42,000 –> 00:43:46,200
The system behaves deterministically under stress because the control points are explicit.
969
00:43:46,200 –> 00:43:48,400
There’s a pragmatic design cadence teams can follow.
970
00:43:48,400 –> 00:43:51,400
Start by enumerating capabilities, not personas.
971
00:43:51,400 –> 00:43:55,200
Discover sites, compile candidates, delete, share, speak.
972
00:43:55,200 –> 00:43:59,600
For each capability, define the minimum scopes required, then assign an identity.
973
00:43:59,600 –> 00:44:03,400
Apply conditional access to each identity with the strictest feasible policies.
974
00:44:03,400 –> 00:44:05,900
Device compliance, sign-in risk, network bounds.
975
00:44:05,900 –> 00:44:08,600
Next, codify the rules that govern those capabilities.
976
00:44:08,600 –> 00:44:13,200
Eligibility rules live in the state spine, venue and data class rules live in the gate.
977
00:44:13,200 –> 00:44:17,900
Finally, wire tools to accept only decisions with matching operation IDs from the gate.
978
00:44:17,900 –> 00:44:20,800
That’s the difference between a guardrail you hope the model respects
979
00:44:20,800 –> 00:44:23,200
and an enforcement point the model can’t bypass.
980
00:44:23,200 –> 00:44:25,800
What you get is an end-to-end chain you can read and defend.
981
00:44:25,800 –> 00:44:27,600
Token issuance proves who could show up.
982
00:44:27,600 –> 00:44:29,800
Retriever logs prove what was considered.
983
00:44:29,800 –> 00:44:33,000
Policy outcomes prove why an action was or wasn’t permitted.
984
00:44:33,000 –> 00:44:34,600
Tool effects prove what changed.
985
00:44:34,600 –> 00:44:36,500
Conditional access made presence conditional.
986
00:44:36,500 –> 00:44:38,400
The gate made action conditional.
987
00:44:38,400 –> 00:44:41,600
Together they move you from “we authenticated the problem” to
988
00:44:41,600 –> 00:44:43,000
“we prevented it.”
989
00:44:43,000 –> 00:44:45,800
Keep repeating the sentence that keeps teams honest.
990
00:44:45,800 –> 00:44:48,200
Conditional access decides who may try.
991
00:44:48,200 –> 00:44:50,400
A policy gate decides what may happen.
992
00:44:50,400 –> 00:44:53,300
Treat one as necessary, the other as non-negotiable.
993
00:44:53,300 –> 00:44:59,100
Without both, you’re still writing eloquent reports about incidents you could have denied in 30 milliseconds.
994
00:44:59,100 –> 00:45:02,500
RAG as a security boundary, not a knowledge feature.
995
00:45:02,500 –> 00:45:05,000
Most teams treat RAG like a search plug-in.
996
00:45:05,000 –> 00:45:08,200
Toss vectors in a database, fetch the closest chunks,
997
00:45:08,200 –> 00:45:10,500
and hope the model grounds its answer.
998
00:45:10,500 –> 00:45:11,800
That is a knowledge feature.
999
00:45:11,800 –> 00:45:13,400
It reduces hallucination.
1000
00:45:13,400 –> 00:45:15,100
It does not create a boundary.
1001
00:45:15,100 –> 00:45:18,500
A boundary is something you can enforce, measure, and prove under stress.
1002
00:45:18,500 –> 00:45:21,200
Start with the first principle that flips the mental model.
1003
00:45:21,200 –> 00:45:24,300
Retrieval is an authorization event, not a convenience step.
1004
00:45:24,300 –> 00:45:29,300
If a chunk is not eligible for this actor, in this venue, at this moment, it does not exist.
1005
00:45:29,300 –> 00:45:32,500
Eligibility is computed before similarity, not after generation.
1006
00:45:32,500 –> 00:45:35,800
That’s how you stop nearest neighbor from outrunning policy.
1007
00:45:35,800 –> 00:45:37,600
Make the filters explicit and early.
1008
00:45:37,600 –> 00:45:40,300
Before any vector search, apply metadata constraints
1009
00:45:40,300 –> 00:45:43,100
that bind the candidate set to entitlements and context.
1010
00:45:43,100 –> 00:45:46,000
The minimum set looks like this: user or agent principal,
1011
00:45:46,000 –> 00:45:50,900
access scope, the authority that grants visibility, confidentiality data class,
1012
00:45:50,900 –> 00:45:54,300
and venue, where the answer will be consumed.
1013
00:45:54,300 –> 00:45:58,500
Your retrieval query is not “give me the top five semantically similar.”
1014
00:45:58,500 –> 00:46:02,800
It is “give me candidates where user ID allowed, access scope allowed, confidentiality
1015
00:46:02,800 –> 00:46:05,100
allowed for venue, ordered by similarity.”
1016
00:46:05,100 –> 00:46:08,800
If the filter returns nothing, the model must prefer silence over speculation.
1017
00:46:08,800 –> 00:46:10,300
That silence is a feature.
1018
00:46:10,300 –> 00:46:12,300
It’s the negative space that prevents leaks.
1019
00:46:12,300 –> 00:46:14,200
Now, constrain generation to evidence.
1020
00:46:14,200 –> 00:46:17,500
Retrieval-constrained generation forces cite-or-silent behavior.
1021
00:46:17,500 –> 00:46:20,500
The model can only state what is supported by eligible chunks
1022
00:46:20,500 –> 00:46:24,000
and it must attach citations that map to those chunk IDs.
1023
00:46:24,000 –> 00:46:26,700
If the instruction asks for synthesis beyond the retrieved set,
1024
00:46:26,700 –> 00:46:29,700
the policy is refuse or degrade with a safe summary template.
1025
00:46:29,700 –> 00:46:31,100
Your goal is not eloquence.
1026
00:46:31,100 –> 00:46:32,500
It is verifiability.
1027
00:46:32,500 –> 00:46:35,200
Provenance sits alongside this path, not behind it.
1028
00:46:35,200 –> 00:46:37,800
Log the retrieval transaction as a first class object.
1029
00:46:37,800 –> 00:46:42,300
Query hash, filter predicates, returned chunk IDs and reasons for exclusion.
1030
00:46:42,300 –> 00:46:44,800
Persist the generation decision: which citations were used,
1031
00:46:44,800 –> 00:46:48,100
which claims were unsupported and dropped, which template was applied
1032
00:46:48,100 –> 00:46:50,400
and the derived sensitivity of the output.
1033
00:46:50,400 –> 00:46:52,100
Provenance is not an afterthought.
1034
00:46:52,100 –> 00:46:54,300
It is the proof that the boundary held.
1035
00:46:54,300 –> 00:46:56,700
Treat denial as a positive outcome and record it.
1036
00:46:56,700 –> 00:47:01,200
When filters exclude a chunk because confidentiality is internal and venue is external,
1037
00:47:01,200 –> 00:47:04,200
log excluded C201, reason venue.
1038
00:47:04,200 –> 00:47:10,000
When no eligible evidence exists, log denial R404, reason empty candidate set.
1039
00:47:10,000 –> 00:47:13,900
Those denials are what you show a regulator, a security reviewer or an auditor
1040
00:47:13,900 –> 00:47:16,000
when they ask why the agent did not answer.
1041
00:47:16,000 –> 00:47:19,400
Without that negative space, you are back to transcripts and faith.
1042
00:47:19,400 –> 00:47:22,400
This is also where you separate the data plane from the boundary.
1043
00:47:22,400 –> 00:47:26,000
A governed data plane gives you lineage, classification and residency.
1044
00:47:26,000 –> 00:47:28,600
The boundary enforces those properties at retrieval and speech.
1045
00:47:28,600 –> 00:47:31,900
You do not trust the model to remember a sensitivity label.
1046
00:47:31,900 –> 00:47:35,500
You pass sensitivity into the policy engine and make the speech tool require
1047
00:47:35,500 –> 00:47:36,800
an allow decision.
1048
00:47:36,800 –> 00:47:40,400
If the output’s derived sensitivity exceeds the venue’s allowance,
1049
00:47:40,400 –> 00:47:42,400
the path ends before a mouth opens.
1050
00:47:42,400 –> 00:47:43,900
Now bring connectors into the picture.
1051
00:47:43,900 –> 00:47:45,400
Connectors expand sources.
1052
00:47:45,400 –> 00:47:47,000
They do not expand entitlements.
1053
00:47:47,000 –> 00:47:51,000
Each connector must surface metadata that the boundary can evaluate.
1054
00:47:51,000 –> 00:47:56,200
Tenant, container, owner, classification, data region and any legal holds.
1055
00:47:56,200 –> 00:47:59,600
If the connector can’t produce those fields, it can’t participate in RAG
1056
00:47:59,600 –> 00:48:01,600
for venues that require enforcement.
1057
00:48:01,600 –> 00:48:04,700
Grounding without governance is just a larger leak domain.
1058
00:48:04,700 –> 00:48:08,500
There are two implementation details that make this practical at scale.
1059
00:48:08,500 –> 00:48:10,300
First, push eligibility into the index.
1060
00:48:10,300 –> 00:48:14,300
Store access scope, confidentiality and allowed venues
1061
00:48:14,300 –> 00:48:19,000
as filterable fields alongside embeddings refreshed from the authoritative catalog.
1062
00:48:19,000 –> 00:48:22,700
Your retrieval call remains O(log n) plus k, not an after-the-fact join.
1063
00:48:22,700 –> 00:48:25,900
Second, standardize refusal templates per data class and venue
1064
00:48:25,900 –> 00:48:28,200
so the agent’s “no” is predictable and fast.
1065
00:48:28,200 –> 00:48:32,200
A refusal that takes two seconds and cites the policy is better than a confused digression
1066
00:48:32,200 –> 00:48:34,100
that burns tokens to say nothing.
1067
00:48:34,100 –> 00:48:36,200
Edge cases are where boundaries prove themselves.
1068
00:48:36,200 –> 00:48:39,200
A mixed audience meeting asks for a sensitive cohort trend,
1069
00:48:39,200 –> 00:48:42,600
filters return eligible chunks but policy forbids verbalization.
1070
00:48:42,600 –> 00:48:45,600
The generation path downgrades to a high-level summary template
1071
00:48:45,600 –> 00:48:47,600
with no subgroup references.
1072
00:48:47,600 –> 00:48:51,300
The speech tool receives the transformed output only if the gate allows.
1073
00:48:51,300 –> 00:48:53,800
Provenance attaches transform V302.
1074
00:48:53,800 –> 00:48:56,000
A follow-up asks in a private HR channel.
1075
00:48:56,000 –> 00:48:57,400
Same retrieval, different venue.
1076
00:48:57,400 –> 00:49:00,000
The gate allows the detailed text answer, not speech.
1077
00:49:00,000 –> 00:49:01,400
The boundary did not change facts.
1078
00:49:01,400 –> 00:49:03,700
It changed exposure.
1079
00:49:03,700 –> 00:49:06,900
Finally, measure the boundary as a product of its own.
1080
00:49:06,900 –> 00:49:10,900
Track denial rates by venue and data class, transform rates by audience
1081
00:49:10,900 –> 00:49:14,800
and incidents avoided, policy denies that replaced what would previously have been
1082
00:49:14,800 –> 00:49:16,800
after-the-fact investigations.
1083
00:49:16,800 –> 00:49:18,800
Report those numbers. They are your ROI.
1084
00:49:18,800 –> 00:49:21,100
Then repeat the sentence that keeps teams honest.
1085
00:49:21,100 –> 00:49:23,100
RAG is not there to make the model smarter.
1086
00:49:23,100 –> 00:49:25,000
It is there to make the system safer.
1087
00:49:25,000 –> 00:49:29,200
When retrieval becomes authorization and generation becomes cite-or-silent,
1088
00:49:29,200 –> 00:49:32,300
your knowledge feature turns into a security boundary you can prove.
1089
00:49:32,300 –> 00:49:37,600
The autopsy cadence: claim, failure, cause, consequence, fix. Claim one.
1090
00:49:37,600 –> 00:49:39,900
Mis-scoped delete is not an edge case.
1091
00:49:39,900 –> 00:49:42,900
It’s a deterministic outcome of missing gates.
1092
00:49:42,900 –> 00:49:43,800
Failure.
1093
00:49:43,800 –> 00:49:46,600
An agent tasked to clean up obsolete project folders
1094
00:49:46,600 –> 00:49:48,200
deletes an active site.
1095
00:49:48,200 –> 00:49:51,100
Cause, event-driven ambiguity plus overbroad scopes.
1096
00:49:51,100 –> 00:49:54,100
A retry, a duplicate activity or a stale eligibility check
1097
00:49:54,100 –> 00:49:58,500
pushes a destructive tool call without an idempotency key or an authoritative state read.
1098
00:49:58,500 –> 00:50:02,300
Consequence, a business outage with transcripts that explain the narrative,
1099
00:50:02,300 –> 00:50:03,600
not the permission.
1100
00:50:03,600 –> 00:50:05,900
Fix, move authority out of envelopes.
1101
00:50:05,900 –> 00:50:08,700
Every destructive request carries an operation ID,
1102
00:50:08,700 –> 00:50:13,800
hits a policy engine with actor, intent, scope, data class and venue
1103
00:50:13,800 –> 00:50:16,300
and is adjudicated before the tool executes.
1104
00:50:16,300 –> 00:50:18,600
The agent proposes, the control plane disposes,
1105
00:50:18,600 –> 00:50:21,800
and persists the decision with the action so prevention becomes provable.
1106
00:50:21,800 –> 00:50:25,200
Claim 2, “compliant” can still mean “violates policy.”
1107
00:50:25,200 –> 00:50:30,700
Failure, an HR grounded agent verbalizes cohort compensation in a mixed audience meeting.
1108
00:50:30,700 –> 00:50:36,000
Cause, grounding reduced hallucination but never evaluated venue or aggregation at the moment of speech.
1109
00:50:36,000 –> 00:50:40,900
Logs are green, entitled identity, eligible documents, correct citations,
1110
00:50:40,900 –> 00:50:42,900
yet the utterance is unacceptable.
1111
00:50:42,900 –> 00:50:46,400
Consequence, reputational and regulatory exposure without a classic breach
1112
00:50:46,400 –> 00:50:49,100
plus governance theatre where transcripts substitute for proof.
1113
00:50:49,100 –> 00:50:51,500
Fix, treat speech as a tool call.
1114
00:50:51,500 –> 00:50:55,100
Pass output attributes, source sensitivity, aggregation level,
1115
00:50:55,100 –> 00:51:00,100
audience, venue, into a policy engine that either denies or transforms before audio synthesis.
1116
00:51:00,100 –> 00:51:07,100
Classify outputs, not only inputs. Segment identities so the meeting assistant cannot escalate into the analyst’s channel.
1117
00:51:07,100 –> 00:51:11,600
Claim 3, shadow agents are a blast radius amplifier. Failure.
1118
00:51:11,600 –> 00:51:17,400
A public agent with broad internal read scopes answers external questions with internal runbooks.
1119
00:51:17,400 –> 00:51:20,100
Cause, a single non-human identity
1120
00:51:20,100 –> 00:51:24,400
served two incompatible roles, external responder and internal reader,
1121
00:51:24,400 –> 00:51:26,200
without an egress aware gate.
1122
00:51:26,200 –> 00:51:29,200
No captured decision chain, no policy artifact,
1123
00:51:29,200 –> 00:51:32,400
no approval that it should have been internet facing at all.
1124
00:51:32,400 –> 00:51:36,800
Consequence, machine-speed data egress that looks legitimate in every system of record,
1125
00:51:36,800 –> 00:51:40,200
followed by a week of screenshots and apologies. Fix, split the roles.
1126
00:51:40,200 –> 00:51:43,300
The public identity sees only a curated external corpus,
1127
00:51:43,300 –> 00:51:46,200
any request to the internal plane routes through a broker
1128
00:51:46,200 –> 00:51:49,800
that evaluates venue, data class and template constraints.
1129
00:51:49,800 –> 00:51:53,200
Persist allow/deny outcomes with response IDs.
1130
00:51:53,200 –> 00:51:57,300
The safest answer in the wrong venue is a refusal you can cite.
1131
00:51:57,300 –> 00:52:01,800
Claim 4, events aren’t state, treating them as such fabricates incidents.
1132
00:52:01,800 –> 00:52:05,100
Failure, an out-of-order complete arrives before create,
1133
00:52:05,100 –> 00:52:07,800
or a retry duplicates an irreversible action.
1134
00:52:07,800 –> 00:52:12,800
Cause, activities are envelopes subject to duplication, delay, reordering and loss.
1135
00:52:12,800 –> 00:52:15,800
Without idempotency keys and an authoritative state spine,
1136
00:52:15,800 –> 00:52:18,200
every transient multiplies entropy.
1137
00:52:18,200 –> 00:52:22,600
Consequence, it only happened once in the logs, but it happened twice in the data plane.
1138
00:52:22,600 –> 00:52:24,900
Fix, idempotency everywhere.
1139
00:52:24,900 –> 00:52:27,600
Authoritative state outside the event stream.
1140
00:52:27,600 –> 00:52:32,900
Deterministic workflows that bind tool execution to a policy decision tied to an operation ID.
1141
00:52:32,900 –> 00:52:35,900
If an event can’t be safely replayed, it shouldn’t control state.
1142
00:52:35,900 –> 00:52:39,400
Claim 5, experience plane spend buys applause, not control.
1143
00:52:39,400 –> 00:52:43,400
Failure, budget streams into TURN relays, avatar seconds,
1144
00:52:43,400 –> 00:52:46,700
and regional speech sprawl while policy remains aspirational.
1145
00:52:46,700 –> 00:52:50,700
Cause, incentives favor demos over gates. Consequence, higher cost,
1146
00:52:50,700 –> 00:52:54,500
more failure domains, unchanged authorization entropy.
1147
00:52:54,500 –> 00:52:57,700
Fix, make UI optional, fund the control plane,
1148
00:52:57,700 –> 00:53:00,300
swap avatar seconds for per-tool-call decisions,
1149
00:53:00,300 –> 00:53:02,900
negative space in retrieval and segmented identities.
1150
00:53:02,900 –> 00:53:06,300
Your first denied decision will outperform any standing ovation.
1151
00:53:06,300 –> 00:53:09,200
Claim 6, conditional access is necessary, not sufficient.
1152
00:53:09,200 –> 00:53:12,900
Failure, token-time excellence paired with tool-time ambiguity.
1153
00:53:12,900 –> 00:53:17,700
Cause, authentication and authorization conflated, no per-action adjudication.
1154
00:53:17,700 –> 00:53:20,900
Consequence, who may try is solved; what may happen
1155
00:53:20,900 –> 00:53:22,500
is left to prompts and hope.
1156
00:53:22,500 –> 00:53:27,300
Fix, pair CA with least privilege and a policy gate in front of high-risk tools.
1157
00:53:27,300 –> 00:53:31,300
Require structured requests, evaluate deterministically, persist outcomes.
1158
00:53:31,300 –> 00:53:35,200
Now, allowed and denied are artifacts, not interpretations.
1159
00:53:35,200 –> 00:53:38,300
Claim 7, RAG must be a boundary, not a feature.
1160
00:53:38,300 –> 00:53:42,800
Failure, nearest neighbor outruns entitlements and speech becomes a guess.
1161
00:53:42,800 –> 00:53:47,700
Cause, similarity first, eligibility later, and generation unconstrained by evidence.
1162
00:53:47,700 –> 00:53:51,100
Consequence, confident answers that leaked by design.
1163
00:53:51,100 –> 00:53:56,700
Fix, pre-filter retrieval by user ID, access scope, confidentiality and venue.
1164
00:53:56,700 –> 00:54:00,500
Enforce cite-or-silent generation, treat refusal as success,
1165
00:54:00,500 –> 00:54:02,900
log excluded chunks and denial reasons.
1166
00:54:02,900 –> 00:54:05,900
The safest knowledge system prefers silence when proof is thin.
1167
00:54:05,900 –> 00:54:07,200
The pattern is the point.
1168
00:54:07,200 –> 00:54:11,700
Each failure begins with intent ambiguity, travels through non-deterministic orchestration,
1169
00:54:11,700 –> 00:54:15,600
borrows too much identity and ends in an unbounded action.
1170
00:54:15,600 –> 00:54:19,400
Each fix relocates authority, from envelopes to state,
1171
00:54:19,400 –> 00:54:22,100
from prompts to policy, from personas to proofs.
1172
00:54:22,100 –> 00:54:25,300
The autopsy cadence never changes, claim, failure, cause, consequence,
1173
00:54:25,300 –> 00:54:27,100
fix, because the system never does.
1174
00:54:27,100 –> 00:54:30,600
You are not misconfiguring events, you are misplacing control.
1175
00:54:30,600 –> 00:54:32,900
Five-question governance audit, do it Monday.
1176
00:54:32,900 –> 00:54:35,300
Here’s the Monday audit that turns philosophy into action.
1177
00:54:35,300 –> 00:54:39,100
Five questions, no slideware and each one returns a red, yellow or green you can defend.
1178
00:54:39,100 –> 00:54:42,500
One, does any agent have standing write or delete to production?
1179
00:54:42,500 –> 00:54:45,000
Not in theory, in Entra, in scopes, right now.
1180
00:54:45,000 –> 00:54:48,300
If the answer is yes, replace it with just-in-time grants,
1181
00:54:48,300 –> 00:54:51,700
tied to short-lived credentials and per-tool policy gates.
1182
00:54:51,700 –> 00:54:55,300
Standing write is not convenience, it’s unbounded blast radius.
1183
00:54:55,300 –> 00:54:58,700
Mark red until the scope is trimmed, the identity is segmented
1184
00:54:58,700 –> 00:55:01,500
and the gate returns a persisted allow for each action.
1185
00:55:01,500 –> 00:55:04,500
Two, do you persist per-tool policy outcomes alongside actions?
1186
00:55:04,500 –> 00:55:06,700
Transcripts and activity logs don’t count.
1187
00:55:06,700 –> 00:55:10,700
You want an artifact that reads allow rule D104, op ID,
1188
00:55:10,700 –> 00:55:14,300
app 73, constraints C17 attached to the tool effect.
1189
00:55:14,300 –> 00:55:18,500
If you can’t show the decision that approved the action, you don’t have proof, only narrative.
1190
00:55:18,500 –> 00:55:21,500
Red if policy is prompt-based, yellow if a gate exists
1191
00:55:21,500 –> 00:55:27,500
but outcomes aren’t persisted, green when every high-risk tool call has an adjudicated record tied to authoritative state.
1192
00:55:27,500 –> 00:55:30,500
Three, does your RAG path enforce negative space?
1193
00:55:30,500 –> 00:55:34,300
That means pre-retrieval filters on user ID, access scope,
1194
00:55:34,300 –> 00:55:39,900
confidentiality and venue, and cite-or-silent generation that prefers no eligible content over speculation.
1195
00:55:39,900 –> 00:55:43,100
If your nearest neighbor query ignores venue, you leak by default.
1196
00:55:43,100 –> 00:55:46,900
Red if retrieval is similarity-only, yellow if you filter after generation.
1197
00:55:46,900 –> 00:55:51,900
Green when filters bind the candidate set and denials are logged with reasons for exclusion.
1198
00:55:51,900 –> 00:55:55,500
Four, are agent identities segmented by capability and venue?
1199
00:55:55,500 –> 00:55:58,900
One agent should not equal one super identity. Read-only discovery,
1200
00:55:58,900 –> 00:56:03,900
write operations and egress live under independent principals with minimal resource-scoped permissions
1201
00:56:03,900 –> 00:56:05,500
and short-lived tokens.
1202
00:56:05,500 –> 00:56:08,300
If any identity can both read broadly and write externally,
1203
00:56:08,300 –> 00:56:11,700
you’ve merged failure domains. Red if one principal does everything,
1204
00:56:11,700 –> 00:56:14,500
yellow if scopes are minimized but roles still overlap,
1205
00:56:14,500 –> 00:56:17,500
green when compromise in one lane doesn’t cross into the others.
1206
00:56:17,500 –> 00:56:19,700
Five, is voice UI optional?
1207
00:56:19,700 –> 00:56:22,700
If the face or the spoken layer is required for core safety,
1208
00:56:22,700 –> 00:56:25,300
you’ve tied control to the most fragile plane.
1209
00:56:25,300 –> 00:56:31,100
The experience path can drop, jitter or regionalize without changing whether a delete is allowed.
1210
00:56:31,100 –> 00:56:33,900
Make the interface an adapter, not an authority.
1211
00:56:33,900 –> 00:56:36,700
Red if any safety control lives only in the UI.
1212
00:56:36,700 –> 00:56:38,900
Yellow if you gate some actions in policy
1213
00:56:38,900 –> 00:56:42,300
but depend on the agent knowing when to refuse.
1214
00:56:42,300 –> 00:56:45,300
Green when the control plane decides outcomes before rendering
1215
00:56:45,300 –> 00:56:47,900
and the interface can vanish without changing decisions.
1216
00:56:47,900 –> 00:56:51,500
Score each question, red, yellow, green, publish the results
1217
00:56:51,500 –> 00:56:53,900
and commit to sprint level improvements.
1218
00:56:53,900 –> 00:56:57,100
For reds, set a concrete remediation, remove standing write,
1219
00:56:57,100 –> 00:57:01,100
wrap tools with a gate, push eligibility into the index, split identities,
1220
00:57:01,100 –> 00:57:04,900
move refusal into policy. For yellows, define the artifact,
1221
00:57:04,900 –> 00:57:09,900
decision ID persisted, denial reasons captured, token TTL reduced.
1222
00:57:09,900 –> 00:57:13,700
For greens, add monitoring, anomaly detection on tool call shapes,
1223
00:57:13,700 –> 00:57:17,100
denial rate trends by venue and drift alerts when scopes creep.
1224
00:57:17,100 –> 00:57:21,100
Then add one program metric executives understand, policy gate coverage.
1225
00:57:21,100 –> 00:57:25,100
What percentage of high-risk tool calls flow through an adjudicating engine
1226
00:57:25,100 –> 00:57:26,900
with persisted outcomes?
1227
00:57:26,900 –> 00:57:29,300
Publish that number, raise it every quarter and trade experience
1228
00:57:29,300 –> 00:57:31,300
plane spend for control plane coverage.
1229
00:57:31,300 –> 00:57:32,500
You don’t need a crusade.
1230
00:57:32,500 –> 00:57:36,900
You need a ledger that shows fewer eloquent post mortems and more denied decisions.
1231
00:57:36,900 –> 00:57:40,500
Assume the face is lying and enforce your intent. The voice adds trust
1232
00:57:40,500 –> 00:57:43,300
the system did not earn it. Build for proof, not performance,
1233
00:57:43,300 –> 00:57:45,700
treat events as proposals, not state, split identities
1234
00:57:45,700 –> 00:57:49,500
so agents fail small, put a gate in front of every tool that matters
1235
00:57:49,500 –> 00:57:51,500
and persist the decision with the action.
1236
00:57:51,500 –> 00:57:57,100
Do one thing next, run the five-question audit and mark anything red that depends on persona instead of policy.
1237
00:57:57,100 –> 00:58:00,700
Then redirect budget from avatars and relays into gates and state.
1238
00:58:00,700 –> 00:58:04,100
Subscribe if you want the deeper walkthrough on turning those reds green.
1239
00:58:04,100 –> 00:58:06,100
Spoken cost model for avatars.
1240
00:58:06,100 –> 00:58:09,100
Here’s the cost model you can say out loud without a spreadsheet.
1241
00:58:09,100 –> 00:58:11,500
Start with concurrency, not monthly totals.
1242
00:58:11,500 –> 00:58:13,900
50 concurrent sessions during peak,
1243
00:58:13,900 –> 00:58:17,900
6 peak hours per business day, 22 workdays per month.
1244
00:58:17,900 –> 00:58:23,900
The arithmetic is simple, 50 × 6 × 3,600 × 22 ≈ 23.7 million streaming seconds.
1245
00:58:23,900 –> 00:58:28,500
Avatars and neural TTS bill per second, speech-to-text on the inbound pass bills per minute.
1246
00:58:28,500 –> 00:58:30,500
TURN relays add egress and compute.
1247
00:58:30,500 –> 00:58:33,500
Each second you render has at least three meters running.
1248
00:58:33,500 –> 00:58:34,700
Now stack the overhead.
1249
00:58:34,700 –> 00:58:37,700
Regional speech segregation means multiple resources,
1250
00:58:37,700 –> 00:58:39,700
multiple quotas and multiple keys.
1251
00:58:39,700 –> 00:58:41,100
Failover doubles that.
1252
00:58:41,100 –> 00:58:44,100
Monitoring for per-leg WebRTC health adds another line item.
1253
00:58:44,100 –> 00:58:47,100
TURN allocation, ICE failures, mean opinion scores,
1254
00:58:47,100 –> 00:58:51,500
compliance retention, store transcripts and audio snippets in duplicate for discovery.
1255
00:58:51,500 –> 00:58:56,700
Every nice-to-have becomes an always-on spend because the illusion must be steady to maintain trust.
1256
00:58:56,700 –> 00:58:58,100
Translate that back to risk,
1257
00:58:58,100 –> 00:59:01,700
those same dollars could fund per-tool policy evaluation at scale.
1258
00:59:01,700 –> 00:59:04,500
If you diverted the avatar budget into a decision engine,
1259
00:59:04,500 –> 00:59:08,100
you could adjudicate millions of high-risk calls monthly with proofs attached.
1260
00:59:08,100 –> 00:59:11,900
One buys applause, one buys prevention, finance doesn’t need a rate card,
1261
00:59:11,900 –> 00:59:12,900
they need the unit.
1262
00:59:12,900 –> 00:59:16,700
Seconds of compute for persuasion versus decisions per action for control.
1263
00:59:16,700 –> 00:59:19,100
When budgets tighten, the cut line gets obvious.
1264
00:59:19,100 –> 00:59:20,900
Use this line to close the loop.
1265
00:59:20,900 –> 00:59:25,500
Avatar seconds are a variable cost tied to peak behavior you don’t fully control.
1266
00:59:25,500 –> 00:59:30,700
Policy decisions are a fixed deterministic control tied to the actions that actually cause incidents.
1267
00:59:30,700 –> 00:59:32,500
Spend where causality lives.
1268
00:59:32,500 –> 00:59:35,500
Protocol standardizes the envelope, not the guarantees.
1269
00:59:35,500 –> 00:59:36,900
Events are envelopes.
1270
00:59:36,900 –> 00:59:42,100
The Activity schema, TurnContext, Direct Line, these define shape, not destiny.
1271
00:59:42,100 –> 00:59:44,500
In production, you assume four failure modes.
1272
00:59:44,500 –> 00:59:47,900
Duplication, delay, reordering and loss.
1273
00:59:47,900 –> 00:59:51,700
If your logic treats an envelope as authority, you’ve already conceded unpredictability.
1274
00:59:51,700 –> 00:59:52,900
The fix is boring and strong.
1275
00:59:52,900 –> 00:59:55,300
Idempotency keys on every operation.
1276
00:59:55,300 –> 00:59:58,700
An authoritative state store that snapshots eligibility and progression.
1277
00:59:58,700 –> 01:00:03,700
Deterministic workflows that bind tool execution to a policy decision referencing the operation ID.
1278
01:00:03,700 –> 01:00:07,100
Replay becomes harmless because state, not arrival time, controls effect.
1279
01:00:07,100 –> 01:00:08,900
Add sequencing rules at the gate.
1280
01:00:08,900 –> 01:00:11,500
Complete without create committed returns
1281
01:00:11,500 –> 01:00:12,300
a deny.
1282
01:00:12,300 –> 01:00:15,300
Delete after delete committed returns the prior outcome.
1283
01:00:15,300 –> 01:00:16,500
Events propose.
1284
01:00:16,500 –> 01:00:17,700
State decides.
1285
01:00:17,700 –> 01:00:19,300
Tools accept decisions.
1286
01:00:19,300 –> 01:00:21,100
Not narrative imperatives.
1287
01:00:21,100 –> 01:00:22,900
And document the negative space.
1288
01:00:22,900 –> 01:00:24,500
Persist ignored duplicate,
1289
01:00:24,500 –> 01:00:25,500
dropped stale,
1290
01:00:25,500 –> 01:00:28,700
and reordered but safe alongside a loud deny.
1291
01:00:28,700 –> 01:00:33,100
You’ll stop arguing with ghosts in post-incident review because the guarantees live where they belong.
1292
01:00:33,100 –> 01:00:39,500
In state and policy, not in an envelope that made it through a VPN hop at 197 milliseconds.
1293
01:00:39,500 –> 01:00:46,900
Verbal diagram of the control plane path. Picture the path as five gates in sequence, each doing a different job and none of them substituting for the others.
1294
01:00:46,900 –> 01:00:49,500
Gate one is authentication with conditional access.
1295
01:00:49,500 –> 01:00:50,500
This is token time.
1296
01:00:50,500 –> 01:00:51,700
The question here is simple.
1297
01:00:51,700 –> 01:01:01,100
Who or what is this? Signals come in, workload identity, device posture if applicable, risk level, network boundaries, and conditional access either issues a token or it doesn’t.
1298
01:01:01,100 –> 01:01:03,900
If it does, you’ve proven presence under current risk.
1299
01:01:03,900 –> 01:01:06,300
You have not proven anything about the next action.
1300
01:01:06,300 –> 01:01:13,300
That distinction matters. Gate two is retrieval pre-filtering. Treat retrieval as authorization, not a convenience. Before any vector lookup,
1301
01:01:13,300 –> 01:01:18,300
you filter by user ID or agent principal, access scope, confidentiality and venue.
1302
01:01:18,300 –> 01:01:20,300
These are hard predicates, not suggestions.
1303
01:01:20,300 –> 01:01:23,900
The candidate set is bound to entitlements and context.
1304
01:01:23,900 –> 01:01:26,500
If nothing passes, that emptiness is a safe outcome.
1305
01:01:26,500 –> 01:01:28,900
Cite or silence starts here.
1306
01:01:28,900 –> 01:01:31,100
Gate three is the policy gate for tools.
1307
01:01:31,100 –> 01:01:38,500
The agent never sends a verb. It sends a structured request, actor, intent, scope, data class, venue and an operation ID.
1308
01:01:38,500 –> 01:01:45,900
The policy engine evaluates that tuple against rules and authoritative state, then returns allow, deny or transform with constraints and a decision ID.
1309
01:01:45,900 –> 01:01:48,700
Tools accept decisions, not free-form imperatives.
1310
01:01:48,700 –> 01:01:50,700
This is where determinism enters the system.
1311
01:01:50,700 –> 01:01:56,700
The agent proposes, the control plane disposes. Gate four is execution with idempotency and authoritative state.
1312
01:01:56,700 –> 01:02:02,100
The tool binds the operation to state, enforces idempotency by operation ID and applies the decision exactly once.
1313
01:02:02,100 –> 01:02:08,300
Replays return the same outcome, out-of-order arrivals don’t materialize because state, not timing, governs effect.
1314
01:02:08,300 –> 01:02:14,300
If complete shows up before create committed, the gate denies; if delete repeats, the prior outcome is returned.
1315
01:02:14,300 –> 01:02:22,100
Events are envelopes, not authority. Gate five is forensics with Purview plus policy artifacts and provenance. Audit captures what happened.
1316
01:02:22,100 –> 01:02:34,700
Provenance captures why it happened, the retrieval transaction, candidate ranking, exclusions, decision graph, and the policy outcome is persisted alongside the action, rule ID, constraints, inputs, links to authoritative state. Afterward,
1317
01:02:34,700 –> 01:02:41,100
you can tell a story, but you also have proof. Audit explains, provenance convinces, policy artifacts prevent arguments.
1318
01:02:41,100 –> 01:02:50,900
Now stitch the gates into a single sentence you can replay in a review. Token issued under conditional access, retrieval filtered by entitlement and venue, action proposed to the policy engine with operation ID,
1319
01:02:50,900 –> 01:03:01,100
decision returned and persisted, tool executed idempotently against authoritative state, audit and provenance captured, including denials and exclusions. The negative space is part of the record.
1320
01:03:01,100 –> 01:03:13,300
What was considered and rejected, what was excluded by policy, what was transformed to meet venue constraints. If you ever find yourself missing one of these gates, name the failure mode out loud. No conditional access, anyone can show up.
1321
01:03:13,300 –> 01:03:31,100
No pre-filtered retrieval, nearest neighbor outruns policy. No per-tool policy gate, prompts become your only guardrail. No idempotent execution, retries become incidents. No artifacts and provenance, post-mortems become speculation. The verbal diagram is simple on purpose. It lets you spot the missing control just by walking the path in order.
1322
01:03:31,100 –> 01:03:42,700
Language for executive policy. Give leaders sentences they can approve, repeat and enforce. Start with the standard, the agent proposes, the control plane disposes. That is not a slogan, it is an architectural requirement.
1323
01:03:42,700 –> 01:04:12,500
Every high-risk action must be adjudicated by a policy engine before execution, with the decision persisted alongside the effect. Set the mandate in measurable terms, policy gate coverage for high-risk tools will be at least 95% this quarter and 100% next quarter. Define high risk as delete, share, post, email, payment, publish and speech of sensitive classes. Coverage means every call flows through an adjudicating engine and produces an artifact, allow, deny or transform,
1324
01:04:12,500 –> 01:04:18,340
tied to an operation ID. Add the KPI that makes segmentation real. Each agent capability
1325
01:04:18,340 –> 01:04:23,620
will operate under a distinct identity with minimal scopes. Read, write and egress are
1326
01:04:23,620 –> 01:04:28,580
separate failure domains. Our blast radius score goes down when compromise in one domain
1327
01:04:28,580 –> 01:04:33,300
cannot cross into the others. Report the number of segmented agent identities per domain,
1328
01:04:33,300 –> 01:04:36,260
and the percentage with just in time short-lived credentials.
1329
01:04:36,260 –> 01:04:41,620
State the prohibition clearly. No mandatory reliance on experience plane features for safety
1330
01:04:41,620 –> 01:04:47,140
controls. That means avatars, UI or prompts cannot be your only protection. Safety lives in
1331
01:04:47,140 –> 01:04:51,940
the control plane. The interface is optional; if the face disappears, decisions must remain identical.
1332
01:04:51,940 –> 01:04:56,180
Define reporting that turns governance from theatre to telemetry. Quarterly decision
1333
01:04:56,180 –> 01:05:01,140
provenance reviews will sample allowed, denied and transformed actions by venue and data class.
1334
01:05:01,140 –> 01:05:05,780
Denial rate analytics will be published, and refusal templates will be standardized by policy.
1335
01:05:05,780 –> 01:05:09,860
Executives should see denials as evidence of restraint, not friction to remove.
1336
01:05:09,860 –> 01:05:14,420
Close the loop with a budget rule. We will trade experience plane spend for control plane coverage.
1337
01:05:14,420 –> 01:05:20,340
If a line item funds TURN, avatar seconds or speech regions, it must tie to a control plane metric
1338
01:05:20,340 –> 01:05:24,420
we’re missing. Otherwise we divert those dollars to per-tool policy, authoritative state
1339
01:05:24,420 –> 01:05:29,140
and segmented identities. Spend where causality lives. Finally, write the sentence that survives
1340
01:05:29,140 –> 01:05:34,980
escalation. Logs tell stories. Provenance shows reasoning. Gates prevent incidents.
1341
01:05:34,980 –> 01:05:40,500
Approve it, repeat it and hold teams to it. When an incident occurs, ask for the policy artifact.
1342
01:05:40,500 –> 01:05:44,980
When a demo runs, ask to see the deny fire under venue rules. When a budget comes up,
1343
01:05:44,980 –> 01:05:50,180
ask which metric improves. Policy is not a document. It is a set of decisions the system cannot bypass.