Now Reading: The Secret Architecture That Makes AI Agents Actually Work
-
01
The Secret Architecture That Makes AI Agents Actually Work
1
00:00:00,000 –> 00:00:03,560
The one validation that prevents smart agents doing dumb things.
2
00:00:03,560 –> 00:00:07,760
There’s one gate that turns clever into competent, the pre-execution contract check.
3
00:00:07,760 –> 00:00:10,960
Before any tool runs, the validator proves three things in order.
4
00:00:10,960 –> 00:00:14,960
In 10 matches are real capability, the caller has permission right now,
5
00:00:14,960 –> 00:00:18,480
and the requested outcome is feasible within the declared data boundaries.
6
00:00:18,480 –> 00:00:21,000
Fail any part, and nothing executes.
7
00:00:21,000 –> 00:00:22,880
Not be careful, not try anyway.
8
00:00:22,880 –> 00:00:24,520
Deny with reasons and alternatives.
9
00:00:24,520 –> 00:00:26,000
Start with capability match.
10
00:00:26,000 –> 00:00:28,200
The plan says update SharePoint list item.
11
00:00:28,200 –> 00:00:32,040
The validator asks which tool, which method, which schema version.
12
00:00:32,040 –> 00:00:37,960
Arguments are checked against the registry, required fields present, types correct, value ranges sane,
13
00:00:37,960 –> 00:00:41,800
and yes, no extra fields smuggled in, hoping someone ignores them.
14
00:00:41,800 –> 00:00:45,240
Tool aliasing is forbidden. Use the canonical name or get rejected.
15
00:00:45,240 –> 00:00:49,160
This kills hallucinated tools and gassy parameters before they can misbehave.
16
00:00:49,160 –> 00:00:51,560
Next, policy compliance.
17
00:00:51,560 –> 00:00:55,240
The policy engine evaluates the proposed call against active policy,
18
00:00:55,240 –> 00:00:59,480
allow lists for tools and domains, RBIAC or ABC checks tied to
19
00:00:59,480 –> 00:01:04,680
enter ID claims and scopes, environment, tier rules, data classification boundaries,
20
00:01:04,680 –> 00:01:06,600
if the agent is scoped to files.
21
00:01:06,600 –> 00:01:10,360
Read for a specific site, an update call or a different site is a hard no.
22
00:01:10,360 –> 00:01:14,920
If the payload dips into restricted classification without a human checkpoint also know,
23
00:01:14,920 –> 00:01:20,040
tokens are verified fresh, scopes are verified exact and privileged escalation by
24
00:01:20,040 –> 00:01:23,560
just this once is treated like what it is, an attempted breach,
25
00:01:23,560 –> 00:01:27,080
then post-conditioned feasibility. It’s not enough to want an outcome.
26
00:01:27,080 –> 00:01:29,320
It has to be achievable and verifiable.
27
00:01:29,320 –> 00:01:33,080
The validator asks, does the destination support idempotency keys?
28
00:01:33,080 –> 00:01:36,520
Will the system emit a durable identifier or ETAC we can check after?
29
00:01:36,520 –> 00:01:39,000
Is there a compensating action if downstream fails?
30
00:01:39,000 –> 00:01:43,400
If the plan can’t produce verifiable post-conditions, it’s rejected or rewritten.
31
00:01:43,400 –> 00:01:47,240
We don’t accept trust me, our logit later. Later is how incidents happen.
32
00:01:47,240 –> 00:01:51,560
Put those together and you get the triogate capability match policy compliance post-conditioned
33
00:01:51,560 –> 00:01:56,200
feasibility, pass all three and the executor proceeds, fail any and the deny with reason
34
00:01:56,200 –> 00:02:00,520
path activates. That path is polite, thorough and unambiguous.
35
00:02:00,520 –> 00:02:05,160
Here’s what you tried, here’s the exact policy or schema you broke, here are safe alternatives.
36
00:02:05,160 –> 00:02:09,560
If the user intent can be repaired, narrow the scope, switch to a read only summary,
37
00:02:09,560 –> 00:02:11,160
root to a permitted site.
38
00:02:11,160 –> 00:02:14,600
The validator proposes a compliant plan and asks for approval.
39
00:02:14,600 –> 00:02:19,000
If it can’t be repaired, escalate to a human checkpoint with full context or stop outright.
40
00:02:19,000 –> 00:02:21,400
No mystery stalls, no silence success.
41
00:02:21,400 –> 00:02:25,320
Quick micro story you’ve lived, even if you didn’t notice.
42
00:02:25,320 –> 00:02:29,720
The agent is asked to summarize all HR docs from last quarter an email legal.
43
00:02:29,720 –> 00:02:33,000
Retrieval proposes graph queries across HR and legal sites.
44
00:02:33,000 –> 00:02:34,920
Validator sees a boundary crossing.
45
00:02:34,920 –> 00:02:37,480
HR is restricted, legal is internal.
46
00:02:37,480 –> 00:02:40,600
The triogate blocks the cross-read and the outbound email.
47
00:02:40,600 –> 00:02:42,360
The deny path returns.
48
00:02:42,360 –> 00:02:44,040
Restricted content detected.
49
00:02:44,040 –> 00:02:47,080
Proposed alternative, summarize internal policy index,
50
00:02:47,080 –> 00:02:50,520
provide a request link for HR summary to authorised reviewers.
51
00:02:50,520 –> 00:02:53,720
User approves the compliant plan, executor runs it,
52
00:02:53,720 –> 00:02:57,560
sites internal content and attaches a permission request for the HR material.
53
00:02:57,560 –> 00:02:59,160
No leak, no drama, still helpful.
54
00:02:59,160 –> 00:03:03,000
Implementation is boring by design, a policy DSL defines who can do what,
55
00:03:03,000 –> 00:03:04,600
where, with which side effects,
56
00:03:04,600 –> 00:03:09,800
a schema registry stores tool contracts, names, versions, argument shapes and post-conditions.
57
00:03:09,800 –> 00:03:14,040
An allow list resolver maps domains, sites and scopes to environment tiers.
58
00:03:14,040 –> 00:03:18,040
The validator composes these, stamps every decision with an audit record inputs,
59
00:03:18,040 –> 00:03:22,920
policy evaluations outcomes and hands either a green light or a repair plan to the executor.
60
00:03:22,920 –> 00:03:27,160
The executor never freelances around a red light, it enforces the decision or stops.
61
00:03:27,160 –> 00:03:31,400
The mental model is clean enough to tattoo on the forehead of your architecture diagram.
62
00:03:31,400 –> 00:03:34,840
Executors enforce, graphs constrain, validators decide.
63
00:03:34,840 –> 00:03:37,880
In that order, the model proposes only within the fenced yard
64
00:03:37,880 –> 00:03:42,360
and the minute it tries to climb over, the validator pulls it back, explains why,
65
00:03:42,360 –> 00:03:43,880
and points to the gate.
66
00:03:43,880 –> 00:03:47,880
Order preserved, safety enforced, progress unblocked, within policy.
67
00:03:47,880 –> 00:03:52,360
You wanted one thing that prevents smart agents from doing dumb things.
68
00:03:52,360 –> 00:03:55,800
This is it a pre-execution contract check that proves capability,
69
00:03:55,800 –> 00:03:59,240
permission and verifiable outcome before any real world mutation.
70
00:03:59,240 –> 00:04:03,400
It turns, I think I can into, I am allowed, I know how and I can prove I did.
71
00:04:03,400 –> 00:04:08,200
You now have the architecture.
72
00:04:08,200 –> 00:04:09,000
Use it.
73
00:04:09,000 –> 00:04:10,840
Key takeaway plus CT.
74
00:04:10,840 –> 00:04:12,840
Key takeaway prompts our opinions,
75
00:04:12,840 –> 00:04:15,400
executors and validated graphs are operations,
76
00:04:15,400 –> 00:04:19,000
and the pre-execution contract check is the guardrail that keeps both honest.
77
00:04:19,000 –> 00:04:22,120
If this saved you time, repay the debt.
78
00:04:22,120 –> 00:04:22,680
Subscribe.
79
00:04:22,680 –> 00:04:28,920
Next, watch the long graph versus Microsoft agent framework breakdown on performance and observability,
80
00:04:28,920 –> 00:04:31,560
actual traces, costs and P95s.
81
00:04:31,560 –> 00:04:35,880
Lock in your upgrade path, follow, enable alerts and get the next episode delivered on schedule.
82
00:04:35,880 –> 00:04:36,520
Proceed.
83
00:04:36,520 –> 00:04:38,920
Most people think better prompts fix flaky agents.
84
00:04:38,920 –> 00:04:42,680
Cute theory, prompt skythodes, they don’t execute operations.
85
00:04:42,680 –> 00:04:46,520
The truth, reliability comes from executors and graph validation.
86
00:04:46,520 –> 00:04:49,560
The spine that keeps agents from face planting when reality shows up.
87
00:04:49,560 –> 00:04:51,560
We’re going to wire this to Microsoft scenarios.
88
00:04:51,560 –> 00:04:55,160
Microsoft 365 Graph Retrieval as your open AI reasoning
89
00:04:55,160 –> 00:04:57,800
and co-pilot studio agents that don’t go rogue.
90
00:04:57,800 –> 00:05:02,920
Stakes are simple, accuracy, latency, cost and auditability.
91
00:05:02,920 –> 00:05:04,680
Measureable, not vibes.
92
00:05:04,680 –> 00:05:07,000
I’ll give you a mental model you can run in your head,
93
00:05:07,000 –> 00:05:12,360
diagrams in words you won’t forget and one validation step that stops smart agents from doing dumb things.
94
00:05:12,360 –> 00:05:14,840
Enter the architecture you should have used day one.
95
00:05:14,840 –> 00:05:18,360
Why prompts fail at operations executors don’t?
96
00:05:18,360 –> 00:05:19,560
Okay, so here’s the thing.
97
00:05:19,560 –> 00:05:21,080
LLM’s handle cognition.
98
00:05:21,080 –> 00:05:23,720
Executors handle operations.
99
00:05:23,720 –> 00:05:25,400
Mixing those is how you get chaos.
100
00:05:25,400 –> 00:05:27,320
The model can propose a plan.
101
00:05:27,320 –> 00:05:32,600
It cannot guarantee that the email was sent, the file was saved or the permission existed.
102
00:05:32,600 –> 00:05:35,880
It speaks in probabilities operations demand guarantees.
103
00:05:35,880 –> 00:05:37,320
Enter the executor.
104
00:05:37,320 –> 00:05:42,520
Think of it as the adult in the room, a policy bound function runner with state constraints and item potency.
105
00:05:42,520 –> 00:05:45,720
It doesn’t believe an action succeeded.
106
00:05:45,720 –> 00:05:46,520
It checks.
107
00:05:46,520 –> 00:05:48,440
It doesn’t assume a tool exists.
108
00:05:48,440 –> 00:05:52,920
It validates capability, parameters and permissions before it even tries.
109
00:05:52,920 –> 00:05:58,200
And when it fails, it fails loudly, classifies the error and takes the prescribed recovery path.
110
00:05:58,200 –> 00:06:01,000
Most prompt only agents fall into three failure modes.
111
00:06:01,000 –> 00:06:03,880
First, hallucinated tools.
112
00:06:03,880 –> 00:06:08,760
The model requests a function that isn’t registered or calls it with fields that don’t exist.
113
00:06:08,760 –> 00:06:10,600
Second, missing preconditions.
114
00:06:10,600 –> 00:06:16,600
It tries to edit a SharePoint file without checking if it can access the site, the list or the item version.
115
00:06:16,600 –> 00:06:21,480
Third, Silent Partials step two fails, but the agent keeps going and declares victory because the text looks confident.
116
00:06:21,480 –> 00:06:22,200
You’ve seen this.
117
00:06:22,200 –> 00:06:23,640
You just called it flaky.
118
00:06:23,640 –> 00:06:26,600
Executors run a loop that looks boring and that’s why it works.
119
00:06:26,600 –> 00:06:27,560
Preconditions.
120
00:06:27,560 –> 00:06:30,040
Verify inputs, permissions and invariants.
121
00:06:30,040 –> 00:06:30,680
Action.
122
00:06:30,680 –> 00:06:34,840
Call the tool with an item potency key so retries won’t double bill or double post.
123
00:06:34,840 –> 00:06:36,600
Post-conditions.
124
00:06:36,600 –> 00:06:38,600
Confirm effects against the source of truth.
125
00:06:38,600 –> 00:06:40,680
Error taxonomy.
126
00:06:40,680 –> 00:06:44,360
Is it validation, transient, rate limit, youth or policy?
127
00:06:44,360 –> 00:06:45,960
Recovery.
128
00:06:45,960 –> 00:06:49,400
Back-off and retry for transient, re-auth or reconsent for oath,
129
00:06:49,400 –> 00:06:53,080
fallbacks for known alternates and hard stops with reasons for policy violations.
130
00:06:53,080 –> 00:06:55,080
Edempotency is non-negotiable.
131
00:06:55,080 –> 00:07:00,360
If an action can be retried, it needs a key that makes the second attempt a no-op or a consistent override.
132
00:07:00,360 –> 00:07:02,120
Timeouts prevent zombie calls.
133
00:07:02,120 –> 00:07:03,720
Back-off respects rate limits.
134
00:07:03,720 –> 00:07:08,520
This is deterministic behavior, governing, inherently, stochastic text generation.
135
00:07:08,520 –> 00:07:11,720
The executor is the gearbox, the LLM is the engine.
136
00:07:11,720 –> 00:07:14,680
You don’t floor the engine and hope the wheels understand.
137
00:07:14,680 –> 00:07:17,800
Contract first outputs are the antidote to best effort paragraphs.
138
00:07:17,800 –> 00:07:20,280
The reasoning model doesn’t get to ramble.
139
00:07:20,280 –> 00:07:24,840
It emits JSON matching a schema, tool name, arguments and expected post-conditions.
140
00:07:24,840 –> 00:07:27,640
Validators check schema compliance before anything runs.
141
00:07:27,640 –> 00:07:30,200
If the shape is wrong, the executor denies with a reason,
142
00:07:30,200 –> 00:07:32,200
requests a corrected plan or escalates.
143
00:07:32,200 –> 00:07:35,240
That’s how you stop noun-salads from becoming production incidents.
144
00:07:35,240 –> 00:07:38,760
Now you might be thinking, can’t I just prompt the model to check its work?
145
00:07:38,760 –> 00:07:41,000
You can ask, it will say yes, it always does.
146
00:07:41,000 –> 00:07:42,680
The average user accepts that.
147
00:07:42,680 –> 00:07:47,000
Professionals require proofs, proofs live in post-conditions verified against systems like
148
00:07:47,000 –> 00:07:51,640
Microsoft Graph, SharePoint or Exchange, real sources of truth, not the model’s memory.
149
00:07:51,640 –> 00:07:53,240
But here’s where it gets interesting.
150
00:07:53,240 –> 00:07:54,520
Single steps are fine.
151
00:07:54,520 –> 00:07:58,920
Real workflows have branches, parallelism, compensations and human checkpoints.
152
00:07:58,920 –> 00:08:02,040
You need more than an executor, you need to map the executor can read.
153
00:08:02,040 –> 00:08:03,160
That’s a workflow graph.
154
00:08:03,160 –> 00:08:06,280
In a graph, nodes are tasks or sub-agents with explicit contracts.
155
00:08:06,280 –> 00:08:08,360
Edge is defined, control flow and data flow.
156
00:08:08,360 –> 00:08:09,320
State is first class.
157
00:08:09,320 –> 00:08:11,880
What persists, what’s check-pointed, what’s ephemeral.
158
00:08:11,880 –> 00:08:16,360
The executor walks the graph deterministically honoring allow lists and schemers at each edge.
159
00:08:16,360 –> 00:08:19,880
If a node fails, the graph specifies compensations.
160
00:08:19,880 –> 00:08:22,280
Undo, repair or escalate.
161
00:08:22,280 –> 00:08:25,320
No mystery pipes, no and then the magic happens.
162
00:08:25,320 –> 00:08:27,080
This is the moment reliability flips.
163
00:08:27,080 –> 00:08:28,200
The LLM proposes.
164
00:08:28,200 –> 00:08:32,120
The executor enforces the graph constraints validation decides.
165
00:08:32,120 –> 00:08:33,400
Order, restored.
166
00:08:33,400 –> 00:08:35,800
Once you separate cognition from operations,
167
00:08:35,800 –> 00:08:38,280
your agents stop improvising and start behaving.
168
00:08:38,280 –> 00:08:41,800
And yes, they still feel smart because they are, but now they are supervised.
169
00:08:41,800 –> 00:08:42,920
Blueprint ready.
170
00:08:42,920 –> 00:08:46,920
Let’s wire it to Microsoft 365 without turning your tenant into a buffet.
171
00:08:46,920 –> 00:08:49,080
Graph workflows 101.
172
00:08:49,080 –> 00:08:51,400
Nodes, edges and state that doesn’t leak.
173
00:08:51,400 –> 00:08:52,200
Picture this.
174
00:08:52,200 –> 00:08:54,440
You’ve got a reliable executor but no map.
175
00:08:54,440 –> 00:08:56,680
It will follow orders, but to where?
176
00:08:56,680 –> 00:08:59,240
Enter the workflow graph, your operating manual.
177
00:08:59,240 –> 00:09:02,520
Nodes are tasks or sub-agents with explicit contracts.
178
00:09:02,520 –> 00:09:04,360
Edge is defined, control flow and data flow.
179
00:09:04,360 –> 00:09:06,920
The graph encodes what runs, when it runs,
180
00:09:06,920 –> 00:09:09,080
and what data is allowed to cross boundaries.
181
00:09:09,080 –> 00:09:10,600
No improvisational jazz.
182
00:09:10,600 –> 00:09:11,880
This is sheet music.
183
00:09:11,880 –> 00:09:13,000
Start with the shape.
184
00:09:13,000 –> 00:09:16,360
Most production graphs are DAGs, directed acyclic graphs.
185
00:09:16,360 –> 00:09:19,880
Because cycles invite infinite loops and state corrosion.
186
00:09:19,880 –> 00:09:23,640
You can still have loops, but you mark them intentionally with counters and guards.
187
00:09:23,640 –> 00:09:26,600
Maximum iterations, exit predicates and timeouts.
188
00:09:26,600 –> 00:09:29,320
That’s how you keep think harder from becoming think forever.
189
00:09:29,320 –> 00:09:32,280
Conditional routing is explicit.
190
00:09:32,280 –> 00:09:36,520
If the retrieval confidence is above threshold, branch to synthesis.
191
00:09:36,520 –> 00:09:38,280
If not, branch to requery.
192
00:09:38,280 –> 00:09:40,280
Parallelism is first class.
193
00:09:40,280 –> 00:09:43,400
Run summarization and citation extraction side by side,
194
00:09:43,400 –> 00:09:47,720
then join at a barrier node that verifies both met their post-conditions.
195
00:09:47,720 –> 00:09:49,320
State is not a vibe, it’s a ledger.
196
00:09:49,320 –> 00:09:51,320
You maintain three kinds, persistent state.
197
00:09:51,320 –> 00:09:53,880
Durable checkpoints you can recover from after a crash.
198
00:09:53,880 –> 00:09:55,800
Inputs, decisions, signed actions.
199
00:09:55,800 –> 00:09:58,920
Ephemeral state short-lived buffers like intermediate model outputs
200
00:09:58,920 –> 00:10:00,680
you don’t want to pollute long-term memory.
201
00:10:00,680 –> 00:10:04,520
Derived state, re-computable artifacts like embeddings or filtered results
202
00:10:04,520 –> 00:10:06,040
you can rebuild deterministically.
203
00:10:06,040 –> 00:10:06,920
The rule is simple.
204
00:10:06,920 –> 00:10:09,080
Only persist what you can defend in an audit.
205
00:10:09,080 –> 00:10:10,840
Everything else is disposable on purpose.
206
00:10:10,840 –> 00:10:12,440
Rollback strategy matters.
207
00:10:12,440 –> 00:10:14,440
When a node mutates the outside world,
208
00:10:14,440 –> 00:10:17,320
creates a calendar event, updates a list item,
209
00:10:17,320 –> 00:10:21,560
you record an inverse action if it exists or a compensating plan if it doesn’t.
210
00:10:21,560 –> 00:10:25,960
If a downstream node fails fatally, the graph can walk those compensations in reverse order.
211
00:10:25,960 –> 00:10:27,160
No, this is not overkill.
212
00:10:27,160 –> 00:10:31,480
It’s how you avoid oops, double-booked the CEO becoming oops, we can’t fix it.
213
00:10:31,480 –> 00:10:32,920
Edge is carry contracts.
214
00:10:32,920 –> 00:10:34,680
An edge isn’t a mystery pipe.
215
00:10:34,680 –> 00:10:36,520
It’s an API between nodes.
216
00:10:36,520 –> 00:10:38,120
Define IO schemas.
217
00:10:38,120 –> 00:10:40,280
Types required fields allowed values.
218
00:10:40,280 –> 00:10:43,800
Define allow lists, what tools or domains the next node may call.
219
00:10:43,800 –> 00:10:46,760
Define capability tags, what the receiving node promises to do
220
00:10:46,760 –> 00:10:48,120
and what it will refuse.
221
00:10:48,120 –> 00:10:50,440
The executor enforces those at runtime.
222
00:10:50,440 –> 00:10:53,720
A node can’t smuggle a sharepoint token through a summary edge.
223
00:10:53,720 –> 00:10:55,080
That’s not security theater.
224
00:10:55,080 –> 00:10:58,120
That’s how you prevent lateral movement by your own agent.
225
00:10:58,120 –> 00:11:01,560
Error handling lives in the graph, not in vibes.
226
00:11:01,560 –> 00:11:05,400
Every node declares its error taxonomy, validation error,
227
00:11:05,400 –> 00:11:07,880
transient infrastructure, rate limiting,
228
00:11:07,880 –> 00:11:12,200
authentication, authorization, policy violation, and unknown.
229
00:11:12,200 –> 00:11:14,760
For each class, the graph provides a path.
230
00:11:14,760 –> 00:11:17,400
Retry with exponential back-off for transient,
231
00:11:17,400 –> 00:11:20,520
refreshed token for authentication, alternate tool for rate limiting,
232
00:11:20,520 –> 00:11:22,200
deny with reason for policy.
233
00:11:22,200 –> 00:11:24,360
Deadlet accuse exist for the unknowns.
234
00:11:24,360 –> 00:11:27,000
Failed payloads go to quarantine with full context,
235
00:11:27,000 –> 00:11:30,440
so humans can inspect without replaying chaos into production.
236
00:11:30,440 –> 00:11:34,200
Human in the loop check points are nodes, not ad hoc Slack messages.
237
00:11:34,200 –> 00:11:37,320
They freeze the execution, present the proposed action and evidence,
238
00:11:37,320 –> 00:11:40,040
and require an approval or edit that’s logged and signed.
239
00:11:40,040 –> 00:11:41,640
Once approved execution resumes,
240
00:11:41,640 –> 00:11:44,200
if denied the graph routes to a safe fallback.
241
00:11:44,200 –> 00:11:46,680
Congratulations, you’ve just implemented change control
242
00:11:46,680 –> 00:11:48,600
that developers will actually follow
243
00:11:48,600 –> 00:11:49,960
because it’s faster than email.
244
00:11:49,960 –> 00:11:52,120
Memory isolation is non-negotiable.
245
00:11:52,120 –> 00:11:53,880
Each session gets scoped context,
246
00:11:53,880 –> 00:11:57,160
only the documents, tokens, and intermediate results it needs.
247
00:11:57,160 –> 00:12:00,280
Cross-session poisoning, where one conversation’s prompt injection bleeds
248
00:12:00,280 –> 00:12:03,640
into another is how you accidentally ex-filterate data.
249
00:12:03,640 –> 00:12:05,080
The graph enforces boundaries.
250
00:12:05,080 –> 00:12:08,520
No shared mutable memory, only sanctioned reads from a vetted store
251
00:12:08,520 –> 00:12:10,520
with content filters and schema validators.
252
00:12:10,520 –> 00:12:12,280
Yes, you can cache embeddings and summaries,
253
00:12:12,280 –> 00:12:14,200
but you tag them with provenance and permissions
254
00:12:14,200 –> 00:12:16,040
and you evict them on policy changes.
255
00:12:16,040 –> 00:12:18,520
Observability is built in, not bolted on.
256
00:12:18,520 –> 00:12:21,080
Node-level traces show inputs, outputs, durations,
257
00:12:21,080 –> 00:12:22,520
retries, and downstream effects.
258
00:12:22,520 –> 00:12:24,680
You stitch traces into a graph run ID
259
00:12:24,680 –> 00:12:27,880
so you can replay, diagnose, and prove compliance.
260
00:12:27,880 –> 00:12:28,920
Who did what?
261
00:12:28,920 –> 00:12:30,040
When and why?
262
00:12:30,040 –> 00:12:32,440
Anomaly detection flags weird patterns.
263
00:12:32,440 –> 00:12:35,480
Sudden spikes in tool calls, unusual domains, token blowups.
264
00:12:35,480 –> 00:12:36,680
That’s your early warning system
265
00:12:36,680 –> 00:12:38,920
before interesting becomes incident.
266
00:12:38,920 –> 00:12:40,920
Essentially, the graph is the constitution.
267
00:12:40,920 –> 00:12:42,440
The executor is law enforcement.
268
00:12:42,440 –> 00:12:44,360
The LLM is counsel, not judge.
269
00:12:44,360 –> 00:12:47,400
When you encode nodes, edges, and state like this,
270
00:12:47,400 –> 00:12:49,640
you don’t just get workflows that succeed.
271
00:12:49,640 –> 00:12:52,280
You get workflows that fail safely, explain themselves
272
00:12:52,280 –> 00:12:53,800
and recover predictably.
273
00:12:53,800 –> 00:12:57,000
Now, blueprint in hand, we can connect to Microsoft 365
274
00:12:57,000 –> 00:12:59,400
without turning your tenant into a buffer.
275
00:12:59,400 –> 00:13:02,920
Secure by design, graph validation beats chaos engineering.
276
00:13:02,920 –> 00:13:05,800
You don’t prove reliability by throwing chaos at production
277
00:13:05,800 –> 00:13:08,040
and hoping the survivors are resilient.
278
00:13:08,040 –> 00:13:11,400
You prove it by rejecting unsafe workflows before they ever run.
279
00:13:11,400 –> 00:13:12,440
That’s graph validation.
280
00:13:12,440 –> 00:13:14,920
Static checks to keep nonsense out, run time guard rails
281
00:13:14,920 –> 00:13:16,360
to keep danger in a box.
282
00:13:16,360 –> 00:13:18,040
Static validation is the pre-flight.
283
00:13:18,040 –> 00:13:19,800
You check the structure before wheels up.
284
00:13:19,800 –> 00:13:22,120
Cycles that create unbounded loops,
285
00:13:22,120 –> 00:13:24,280
rejected or forced to declare iteration guards,
286
00:13:24,280 –> 00:13:27,640
unreachable nodes, dead code is risk, delete or justify.
287
00:13:27,640 –> 00:13:28,920
Missing contracts?
288
00:13:28,920 –> 00:13:31,400
Every node must declare input and output schemers
289
00:13:31,400 –> 00:13:33,480
required capabilities and side effects.
290
00:13:33,480 –> 00:13:36,760
Privileged boundaries, nodes that mutate external systems
291
00:13:36,760 –> 00:13:39,800
must run in segments with least privileged credentials
292
00:13:39,800 –> 00:13:41,080
and explicit allow lists.
293
00:13:41,080 –> 00:13:43,640
And yes, if your summarized node suddenly requests
294
00:13:43,640 –> 00:13:46,920
right access to SharePoint, the validator says no with prejudice.
295
00:13:46,920 –> 00:13:48,120
Now, run time.
296
00:13:48,120 –> 00:13:49,640
This is where people get sloppy.
297
00:13:49,640 –> 00:13:53,000
A policy engine sits beside the executor, not behind it.
298
00:13:53,000 –> 00:13:55,320
Tool and domain allow lists aren’t documentation
299
00:13:55,320 –> 00:13:56,760
they’re enforced decisions.
300
00:13:56,760 –> 00:13:59,560
At call time, the engine checks R-back or R-back
301
00:13:59,560 –> 00:14:00,920
against the active principle,
302
00:14:00,920 –> 00:14:03,320
Entra ID token, scopes, claims,
303
00:14:03,320 –> 00:14:05,160
and propagates auth correctly down the chain.
304
00:14:05,160 –> 00:14:06,600
No ambient superpowers.
305
00:14:06,600 –> 00:14:08,840
Tokens are scoped, refreshed when permitted,
306
00:14:08,840 –> 00:14:10,760
and never smuggled through friendly edges.
307
00:14:10,760 –> 00:14:13,720
The agent earns access on every call or a doesn’t call.
308
00:14:13,720 –> 00:14:16,680
Input and output sanitization is hygiene, not optional.
309
00:14:16,680 –> 00:14:18,440
Prompt injection isn’t clever.
310
00:14:18,440 –> 00:14:19,720
It’s predictable.
311
00:14:19,720 –> 00:14:22,520
Every inbound content source passes through content filters,
312
00:14:22,520 –> 00:14:24,200
HTML’s, markdown scrubbers,
313
00:14:24,200 –> 00:14:27,560
and instruction firewalls that strip ignore previous nonsense.
314
00:14:27,560 –> 00:14:30,040
Output passes schema validators.
315
00:14:30,040 –> 00:14:31,800
If a node promised Jason,
316
00:14:31,800 –> 00:14:34,840
the executor rejects pros and requests a repair.
317
00:14:34,840 –> 00:14:36,120
The model can argue,
318
00:14:36,120 –> 00:14:37,720
the validator doesn’t negotiate.
319
00:14:37,720 –> 00:14:40,440
It enforces types, ranges, and invariants.
320
00:14:40,440 –> 00:14:43,320
Sandboxing and segmentation contain the blast radius.
321
00:14:43,320 –> 00:14:46,440
Notes that call external code or untrusted connectors
322
00:14:46,440 –> 00:14:47,880
run in constrained environments.
323
00:14:47,880 –> 00:14:50,920
API gateways with rate limits and out-of-there network policies
324
00:14:50,920 –> 00:14:53,800
that prevent lateral movement and egress controls
325
00:14:53,800 –> 00:14:56,600
that only permit traffic to vetted domains.
326
00:14:56,600 –> 00:15:01,000
You don’t let a retrieval node discover a new data source in production.
327
00:15:01,000 –> 00:15:02,440
Discovery happens in dev,
328
00:15:02,440 –> 00:15:05,240
behind tests with signed updates to the allow list.
329
00:15:05,240 –> 00:15:07,880
Observability isn’t log somewhere, it’s surgical.
330
00:15:07,880 –> 00:15:10,040
Node-level tracing records, inputs, outputs,
331
00:15:10,040 –> 00:15:12,680
durations, retries, and decisions from the policy engine.
332
00:15:12,680 –> 00:15:15,000
You correlate everything under a run ID.
333
00:15:15,000 –> 00:15:17,160
Audit logs are immutable and attributed,
334
00:15:17,160 –> 00:15:18,440
which principle authorized,
335
00:15:18,440 –> 00:15:20,760
which action with what scopes at what time
336
00:15:20,760 –> 00:15:22,280
and why the policy allowed it.
337
00:15:22,280 –> 00:15:24,120
When a regulator asks who did what,
338
00:15:24,120 –> 00:15:25,560
you don’t shrug, you search.
339
00:15:25,560 –> 00:15:28,600
Compliance ready means your evidence is boring and complete.
340
00:15:28,600 –> 00:15:31,000
Patch and third party risk are supply chain problems.
341
00:15:31,000 –> 00:15:32,040
Treat them like it.
342
00:15:32,040 –> 00:15:33,960
Dependency scanning runs on every build.
343
00:15:33,960 –> 00:15:35,560
Connectors and plugins are audited,
344
00:15:35,560 –> 00:15:37,800
version pinned, and reviewed for permission creep.
345
00:15:37,800 –> 00:15:41,000
If you import an MCP or open API spec,
346
00:15:41,000 –> 00:15:43,000
you validate that the declared methods
347
00:15:43,000 –> 00:15:45,000
match the least privileged policy you expect.
348
00:15:45,000 –> 00:15:47,240
No wildcard endpoints,
349
00:15:47,240 –> 00:15:49,320
no hidden right paths pretending to be red.
350
00:15:49,320 –> 00:15:51,640
Hygiene isn’t glamorous,
351
00:15:51,640 –> 00:15:53,240
it is however the reason you sleep.
352
00:15:53,240 –> 00:15:56,520
The truth, graph validation, outperforms chaos engineering
353
00:15:56,520 –> 00:15:58,440
because it prevents classes of incidents
354
00:15:58,440 –> 00:16:00,120
rather than documenting their fallout.
355
00:16:00,120 –> 00:16:01,320
You still test failure modes,
356
00:16:01,320 –> 00:16:02,920
but you do it to confirm guardrails
357
00:16:02,920 –> 00:16:04,840
not to discover that you forgot to install them.
358
00:16:04,840 –> 00:16:06,520
Let’s stitch this back to the mental model.
359
00:16:06,520 –> 00:16:09,080
Static checks keep the blueprint sane.
360
00:16:09,080 –> 00:16:12,200
No impossible paths, no orphaned work,
361
00:16:12,200 –> 00:16:13,240
no privileged leaks.
362
00:16:13,240 –> 00:16:16,120
Runtime guardrails keep behavior sane.
363
00:16:16,120 –> 00:16:17,560
Every call authenticated,
364
00:16:17,560 –> 00:16:19,880
authorized, sanitized, and observed.
365
00:16:19,880 –> 00:16:22,040
The executor enforces the graph constraints
366
00:16:22,040 –> 00:16:23,880
the validator decides the model,
367
00:16:23,880 –> 00:16:25,560
it proposes within boundaries
368
00:16:25,560 –> 00:16:27,240
and gets clipped when it wonders.
369
00:16:27,240 –> 00:16:28,520
Isn’t this heavy?
370
00:16:28,520 –> 00:16:30,280
Only if you enjoy breaches.
371
00:16:30,280 –> 00:16:32,520
The overhead is mechanical and automated.
372
00:16:32,520 –> 00:16:35,640
Static validation runs at build time and deploy time.
373
00:16:35,640 –> 00:16:37,160
Runtime policy is a sidecar,
374
00:16:37,160 –> 00:16:38,200
fast and local.
375
00:16:38,200 –> 00:16:39,880
Schema checks are milliseconds.
376
00:16:39,880 –> 00:16:42,680
The cost you remove, incidents, manual reviews,
377
00:16:42,680 –> 00:16:45,720
retrofits, dwarfs the micro latency you add.
378
00:16:45,720 –> 00:16:47,240
And the payoff is measurable,
379
00:16:47,240 –> 00:16:49,080
fewer unauthorized calls,
380
00:16:49,080 –> 00:16:50,600
fewer token blowups,
381
00:16:50,600 –> 00:16:52,600
and far fewer why did it do that?
382
00:16:52,600 –> 00:16:53,400
Post mortems.
383
00:16:53,400 –> 00:16:56,440
One more point, the average user misses.
384
00:16:56,440 –> 00:16:58,600
Validation is composable.
385
00:16:58,600 –> 00:17:01,000
You can wrap third party tools with proxy nodes
386
00:17:01,000 –> 00:17:03,080
that enforce contracts and policies
387
00:17:03,080 –> 00:17:04,520
without trusting the tool itself.
388
00:17:04,520 –> 00:17:06,760
You can segment graphs by sensitivity,
389
00:17:06,760 –> 00:17:08,840
public, internal, restricted,
390
00:17:08,840 –> 00:17:10,680
and promote workflows between tiers
391
00:17:10,680 –> 00:17:13,240
only after validation passes for the new boundary.
392
00:17:13,240 –> 00:17:14,760
That’s how you scale safely.
393
00:17:14,760 –> 00:17:16,360
Secure by design isn’t a slogan,
394
00:17:16,360 –> 00:17:17,800
it’s a workflow property.
395
00:17:17,800 –> 00:17:19,640
You don’t hope agents behave.
396
00:17:19,640 –> 00:17:21,800
You make misbehavior structurally hard
397
00:17:21,800 –> 00:17:23,720
and operationally visible.
398
00:17:23,720 –> 00:17:24,760
With the rails in place,
399
00:17:24,760 –> 00:17:27,480
plugging in Microsoft 365 Graph and Azure OpenAI
400
00:17:27,480 –> 00:17:28,520
isn’t roulette.
401
00:17:28,520 –> 00:17:30,360
It’s controlled power on your terms.
402
00:17:30,360 –> 00:17:32,920
Now we can talk about wiring, not firefighting.
403
00:17:32,920 –> 00:17:34,520
The Microsoft scenario,
404
00:17:34,520 –> 00:17:38,920
M365 Graph plus Azure OpenAI plus Copilot Studio.
405
00:17:38,920 –> 00:17:40,360
Let’s assemble the cast.
406
00:17:40,360 –> 00:17:42,600
Retrieval agent, disciplined librarian
407
00:17:42,600 –> 00:17:45,320
that only fetches from Microsoft Graph with least privilege.
408
00:17:45,320 –> 00:17:47,160
Reasoning agent,
409
00:17:47,160 –> 00:17:49,080
Azure OpenAI model that plans,
410
00:17:49,080 –> 00:17:51,160
sites, and never freelancers past its brief.
411
00:17:51,160 –> 00:17:53,960
Executor, policy bound operator
412
00:17:53,960 –> 00:17:55,960
that runs tools with idempotency
413
00:17:55,960 –> 00:17:57,320
and post-conditioned checks.
414
00:17:57,960 –> 00:18:00,920
Valley data, the bouncer, schema, policy,
415
00:18:00,920 –> 00:18:02,360
and boundary enforcement.
416
00:18:02,360 –> 00:18:04,120
Policy guard, runtime site card
417
00:18:04,120 –> 00:18:06,920
that ties everything to enter id scopes and R-Back.
418
00:18:06,920 –> 00:18:08,920
Together, they behave like a competent team
419
00:18:08,920 –> 00:18:10,440
instead of a committee thread.
420
00:18:10,440 –> 00:18:12,360
Data access starts with Graph, not guesswork.
421
00:18:12,360 –> 00:18:14,200
The retrieval agent holds an app registration
422
00:18:14,200 –> 00:18:16,280
with granular scopes, files.
423
00:18:16,280 –> 00:18:17,880
Read for a specific site, mail.
424
00:18:17,880 –> 00:18:20,280
Read basic for a confined mailbox calendars.
425
00:18:20,280 –> 00:18:21,880
Read for a resource calendar.
426
00:18:21,880 –> 00:18:24,360
No graph read right all heroics.
427
00:18:24,360 –> 00:18:26,200
Queries use delta and selective fields
428
00:18:26,200 –> 00:18:27,400
to keep payloads thin.
429
00:18:27,960 –> 00:18:28,920
Paging is first class.
430
00:18:28,920 –> 00:18:31,160
The executor follows next links deterministically
431
00:18:31,160 –> 00:18:33,480
with timeouts, honoring service throttling.
432
00:18:33,480 –> 00:18:35,000
And when 429s happen,
433
00:18:35,000 –> 00:18:36,360
back off is mathematical.
434
00:18:36,360 –> 00:18:39,000
No tantrums, just exponential patience.
435
00:18:39,000 –> 00:18:40,760
Grounding isn’t a vibe, it’s a pipeline.
436
00:18:40,760 –> 00:18:44,200
Retrieve candidate documents via graph search or list queries.
437
00:18:44,200 –> 00:18:46,520
The dupe by item id and version ETAC
438
00:18:46,520 –> 00:18:48,360
so you don’t blend stale and current.
439
00:18:48,360 –> 00:18:50,280
Chunk by semantic boundaries,
440
00:18:50,280 –> 00:18:52,040
section headers, slide breaks,
441
00:18:52,040 –> 00:18:53,400
then attach provenance,
442
00:18:53,400 –> 00:18:55,720
drive, site, path, item id,
443
00:18:55,720 –> 00:18:57,400
last modified and assigned hash.
444
00:18:57,400 –> 00:19:00,200
The reasoning agent only sees chunks plus metadata
445
00:19:00,200 –> 00:19:03,480
and is required to output citations mapped back to those IDs.
446
00:19:03,480 –> 00:19:04,840
No citation no claim.
447
00:19:04,840 –> 00:19:06,840
The executor enforces that as a post-condition
448
00:19:06,840 –> 00:19:08,520
before any outward action.
449
00:19:08,520 –> 00:19:10,600
Enter co-pilot studio for orchestration.
450
00:19:10,600 –> 00:19:12,120
You define declarative tools,
451
00:19:12,120 –> 00:19:14,520
graph query packs, sharepoint write actions,
452
00:19:14,520 –> 00:19:16,200
teams posts, outlook sends,
453
00:19:16,200 –> 00:19:19,160
each behind a proxy with explicit schemas and allow lists.
454
00:19:19,160 –> 00:19:21,240
Agent to agent coordination is structured.
455
00:19:21,240 –> 00:19:23,880
The retrieval agent exposes a ground tool.
456
00:19:23,880 –> 00:19:26,440
The reasoning agent requests it with parameters.
457
00:19:26,440 –> 00:19:28,680
The executor mediates, validates,
458
00:19:28,680 –> 00:19:30,280
and returns grounded context.
459
00:19:30,280 –> 00:19:33,080
Human checkpoints are native.
460
00:19:33,080 –> 00:19:35,640
A proposed action node pauses the run,
461
00:19:35,640 –> 00:19:39,080
presents the plan plus citations and requires approval.
462
00:19:39,080 –> 00:19:40,440
Approval is signed and logged,
463
00:19:40,440 –> 00:19:43,160
denial routes to a safe alternative or escalation.
464
00:19:43,160 –> 00:19:46,120
Tokens and latency are managed, not wished away.
465
00:19:46,120 –> 00:19:49,080
Selective context means you feed only the relevant chunks,
466
00:19:49,080 –> 00:19:50,600
not your entire tenant.
467
00:19:50,600 –> 00:19:52,280
Summaries are pre-computed and cached
468
00:19:52,280 –> 00:19:55,160
with embeddings keyed by content hash and permissions.
469
00:19:55,160 –> 00:19:56,760
Change the dock, change the key,
470
00:19:56,760 –> 00:19:58,440
miss the cache, recompute.
471
00:19:58,440 –> 00:20:00,440
Streaming responses keep the UI alive
472
00:20:00,440 –> 00:20:02,280
while the executor handles side effects
473
00:20:02,280 –> 00:20:04,840
only after the full schema valid plan arrives.
474
00:20:04,840 –> 00:20:07,240
Early exit conditions stop the reasoning loop
475
00:20:07,240 –> 00:20:09,400
when confidence plus coverage hits threshold.
476
00:20:09,400 –> 00:20:12,120
No extra thinking because the model felt poetic.
477
00:20:12,120 –> 00:20:13,960
Auditability is baked in.
478
00:20:13,960 –> 00:20:16,280
Every action is signed by the service principle
479
00:20:16,280 –> 00:20:19,480
or delegated user and stamped with run ID,
480
00:20:19,480 –> 00:20:24,120
tool, parameters, redactedware necessary, scopes and result.
481
00:20:24,120 –> 00:20:26,520
Immutable logs live in your observability stack,
482
00:20:26,520 –> 00:20:28,600
pick your favorite so you can replay a run
483
00:20:28,600 –> 00:20:30,680
without re-executing side effects.
484
00:20:30,680 –> 00:20:31,960
Who did what when and why?
485
00:20:31,960 –> 00:20:33,480
Becomes a query, not a witch hunt.
486
00:20:33,480 –> 00:20:35,480
And yes, the citations survive intact
487
00:20:35,480 –> 00:20:37,480
so you can verify that the answer traced
488
00:20:37,480 –> 00:20:39,800
to actual tenant content, not model lore.
489
00:20:39,800 –> 00:20:41,400
Failure is normalized and boring.
490
00:20:41,400 –> 00:20:44,200
429s, the executor retrieves with jitter
491
00:20:44,200 –> 00:20:47,320
then falls back to a lower cost query or reduced page size.
492
00:20:47,320 –> 00:20:50,200
Stale cache, the validator detects mismatched e-tags
493
00:20:50,200 –> 00:20:51,640
and forces a refresh.
494
00:20:51,640 –> 00:20:54,040
Permission denial, the policy guard denies with reason
495
00:20:54,040 –> 00:20:56,120
proposes a consent request path or roots
496
00:20:56,120 –> 00:20:58,440
to a redacted summary that doesn’t leak.
497
00:20:58,440 –> 00:21:00,680
Tool outage, the graph declares alternates
498
00:21:00,680 –> 00:21:02,520
or parks the run in a dead letter queue
499
00:21:02,520 –> 00:21:04,920
with full context for human remediation.
500
00:21:04,920 –> 00:21:08,200
Deterministic fallbacks turn incident into ticket.
501
00:21:08,200 –> 00:21:10,760
Now a very short walkthrough, user asks,
502
00:21:10,760 –> 00:21:14,040
draft a summary of last quarter’s roadmap decisions with links.
503
00:21:14,040 –> 00:21:15,400
Reasoning agent proposes,
504
00:21:15,400 –> 00:21:17,720
use graph search across a specific sharepoint site
505
00:21:17,720 –> 00:21:20,040
and a team’s channel filter by last quarter,
506
00:21:20,040 –> 00:21:22,040
then synthesize validator checks
507
00:21:22,040 –> 00:21:24,760
that the requested scopes match the agent’s role.
508
00:21:24,760 –> 00:21:25,640
They do.
509
00:21:25,640 –> 00:21:28,440
executor issues graph calls with paging and field selection,
510
00:21:28,440 –> 00:21:31,880
dedupes by item ID, chunks and returns context with provenance.
511
00:21:31,880 –> 00:21:35,480
Reasoning produces a summary with inline citations mapped to item IDs.
512
00:21:35,480 –> 00:21:39,080
Validator checks schema and citations, passes.
513
00:21:39,080 –> 00:21:41,400
Human checkpoint appears with summary and evidence.
514
00:21:41,400 –> 00:21:43,320
Approver clicks, okay.
515
00:21:43,320 –> 00:21:46,200
executor posts the result in teams and emails stakeholders,
516
00:21:46,200 –> 00:21:47,880
each action using idempotency keys,
517
00:21:47,880 –> 00:21:49,320
so retries don’t double post.
518
00:21:49,320 –> 00:21:51,800
Note the discipline, no agent invents a tool,
519
00:21:51,800 –> 00:21:54,760
no note crosses a domain outside its allow list.
520
00:21:54,760 –> 00:21:58,200
Tokens are scoped and propagated correctly via Entra ID,
521
00:21:58,200 –> 00:22:00,360
not copy pasted between nodes.
522
00:22:00,360 –> 00:22:02,360
The model never concludes success.
523
00:22:02,360 –> 00:22:05,000
The executor proves it with graph post conditions.
524
00:22:05,000 –> 00:22:07,960
Created message ID, updated item ETag calendar event ID,
525
00:22:07,960 –> 00:22:09,320
then stamps the run complete.
526
00:22:09,320 –> 00:22:11,000
And yes, you can extend this safely,
527
00:22:11,000 –> 00:22:15,000
bring in planner, viva or third party services via mcp or open api,
528
00:22:15,000 –> 00:22:18,680
but only behind proxy tools with strict schemas and network egress controls.
529
00:22:18,680 –> 00:22:21,640
Wrap every connector with the same validator logic and policy guard.
530
00:22:21,640 –> 00:22:24,360
Promotion between environments requires validation passes
531
00:22:24,360 –> 00:22:26,920
that match the new boundary, dev to test to prod,
532
00:22:26,920 –> 00:22:28,920
with scope increases reviewed, not assumed.
533
00:22:28,920 –> 00:22:31,320
That’s Microsoft’s architecture done properly.
534
00:22:31,320 –> 00:22:32,440
Graph for truth.
535
00:22:32,440 –> 00:22:34,200
As your open AI for thinking,
536
00:22:34,200 –> 00:22:36,280
co-pilot studio for orchestration,
537
00:22:36,280 –> 00:22:37,960
executors for operations,
538
00:22:37,960 –> 00:22:39,960
validators and policy for safety,
539
00:22:39,960 –> 00:22:41,800
and observability for proof.
540
00:22:41,800 –> 00:22:42,920
Numbers next.
541
00:22:42,920 –> 00:22:43,880
Not vibes.
542
00:22:43,880 –> 00:22:45,160
Before after metrics.
543
00:22:45,160 –> 00:22:48,440
Accuracy, latency, cost, admin, overhead.
544
00:22:48,440 –> 00:22:49,560
Nice architecture.
545
00:22:49,560 –> 00:22:50,280
Prove it.
546
00:22:50,280 –> 00:22:51,720
Numbers, not vibes.
547
00:22:51,720 –> 00:22:54,440
Baseline first, prompt only agents are drama queens.
548
00:22:54,440 –> 00:22:58,600
Accuracy is inconsistent because they invent sources and forget citations.
549
00:22:58,600 –> 00:23:01,640
Without grounding, you get confident pros that points to nowhere.
550
00:23:01,640 –> 00:23:03,800
Tail latency is brutal.
551
00:23:03,800 –> 00:23:06,440
One long chain of serial think harder calls,
552
00:23:06,440 –> 00:23:08,760
each bloated with redundant context.
553
00:23:08,760 –> 00:23:10,840
Cost spirals because every turn,
554
00:23:10,840 –> 00:23:13,720
ships full transcripts and raw documents back to the model
555
00:23:13,720 –> 00:23:15,400
like an overpaid courier service.
556
00:23:15,400 –> 00:23:16,760
Admin overhead?
557
00:23:16,760 –> 00:23:17,880
High.
558
00:23:17,880 –> 00:23:20,040
Incidents, hotfixes, mystery failures,
559
00:23:20,040 –> 00:23:22,680
and audits that feel like archaeology with a blindfold.
560
00:23:22,680 –> 00:23:25,560
Now the after-state with executors and validated graphs.
561
00:23:25,560 –> 00:23:27,880
Accuracy jumps because claims require receipts.
562
00:23:27,880 –> 00:23:30,840
Grounded citations tied to graph item IDs,
563
00:23:30,840 –> 00:23:32,920
e-tags and signed hashes mean an answer
564
00:23:32,920 –> 00:23:35,480
that lacks provenance simply doesn’t pass the validator.
565
00:23:35,480 –> 00:23:36,600
The effect is immediate.
566
00:23:36,600 –> 00:23:37,960
Fewer wrong answers shipped.
567
00:23:37,960 –> 00:23:42,280
Fewer rework loops and a measurable lift in task success rates on e-valtzets.
568
00:23:42,280 –> 00:23:43,800
When a claim can’t be supported,
569
00:23:43,800 –> 00:23:47,000
the agent denies with reason or requests human approval,
570
00:23:47,000 –> 00:23:49,320
predictable, reviewable, safe.
571
00:23:49,320 –> 00:23:51,320
Latency compresses for three reasons.
572
00:23:51,320 –> 00:23:53,560
First, parallelism, retrieval, re-ranking,
573
00:23:53,560 –> 00:23:55,640
and citation extraction run side by side,
574
00:23:55,640 –> 00:23:57,320
then synchronize at a barrier note.
575
00:23:57,320 –> 00:23:59,160
Second, caching, embeddings and summaries
576
00:23:59,160 –> 00:24:00,920
keyed by content hash and permission scope
577
00:24:00,920 –> 00:24:03,400
avoid recomputing what hasn’t changed.
578
00:24:03,400 –> 00:24:04,760
Third, early exit.
579
00:24:04,760 –> 00:24:07,960
Once coverage and confidence hit threshold, the graph stops the loop.
580
00:24:07,960 –> 00:24:09,640
Compare that to serial prompting,
581
00:24:09,640 –> 00:24:11,640
where the model reflects for a paragraph
582
00:24:11,640 –> 00:24:13,080
and your users reflect on quitting.
583
00:24:13,080 –> 00:24:16,280
Cost drops because token discipline is enforced, not begged.
584
00:24:16,280 –> 00:24:18,680
Schema-constrained outputs prevent rambling.
585
00:24:18,680 –> 00:24:21,000
Selective context feeds only the relevant chunks
586
00:24:21,000 –> 00:24:23,720
with metadata, not entire sites.
587
00:24:23,720 –> 00:24:26,440
Short or prompt, smaller responses, fewer retries.
588
00:24:26,440 –> 00:24:28,600
The executors’ identity and back-off logic
589
00:24:28,600 –> 00:24:31,320
avoid duplicate calls and wasted cycles.
590
00:24:31,320 –> 00:24:34,040
The net effect is fewer tokens per successful outcome
591
00:24:34,040 –> 00:24:37,080
and far less variance, finance likes, variance reduction.
592
00:24:37,080 –> 00:24:39,560
Admin overhead shrinks because observability is engineered,
593
00:24:39,560 –> 00:24:40,680
not improvised.
594
00:24:40,680 –> 00:24:42,360
Note-level traces and immutable logs
595
00:24:42,360 –> 00:24:44,520
collapse incident time to diagnose.
596
00:24:44,520 –> 00:24:47,240
You see which note failed, why the policy engine denied,
597
00:24:47,240 –> 00:24:49,480
and what the executor tried next.
598
00:24:49,480 –> 00:24:52,680
Repeatable deployments cut works on my machine theater.
599
00:24:52,680 –> 00:24:54,600
Compliance stops being a seasonal crisis
600
00:24:54,600 –> 00:24:58,680
because every run already contains who, what, when, and why.
601
00:24:58,680 –> 00:25:00,440
Let’s make this concrete with a measurement rig
602
00:25:00,440 –> 00:25:01,880
you can actually run.
603
00:25:01,880 –> 00:25:03,800
Build an evil set of representative tasks,
604
00:25:03,800 –> 00:25:06,760
Q&A with citations, summary with links and action proposals
605
00:25:06,760 –> 00:25:07,720
with approvals.
606
00:25:07,720 –> 00:25:11,160
For each defined golden answers or acceptance criteria,
607
00:25:11,160 –> 00:25:13,240
correct facts with mapped item IDs,
608
00:25:13,240 –> 00:25:15,720
citation coverage, and allowed variance.
609
00:25:15,720 –> 00:25:18,840
Instrument SLOs, P50 and P95, end-to-end latency,
610
00:25:18,840 –> 00:25:21,560
tokens spend per successful task and policy deny rates.
611
00:25:21,560 –> 00:25:23,880
Link every metric to traces, so any regression
612
00:25:23,880 –> 00:25:25,240
has a breadcrumb trail.
613
00:25:25,240 –> 00:25:27,880
Results you should expect if you follow the architecture,
614
00:25:27,880 –> 00:25:29,080
not improvised.
615
00:25:29,080 –> 00:25:31,560
Higher answer validity because unsupported claims
616
00:25:31,560 –> 00:25:33,320
never leave staging.
617
00:25:33,320 –> 00:25:36,840
Lower P95 latency because long tails get sliced
618
00:25:36,840 –> 00:25:39,240
by parallel nodes and early exits.
619
00:25:39,240 –> 00:25:41,720
Lower token spend because you stop shipping novels
620
00:25:41,720 –> 00:25:44,040
and start shipping relevant snippets.
621
00:25:44,040 –> 00:25:46,280
Fewer pages to admins because most failures
622
00:25:46,280 –> 00:25:48,520
get handled by deterministic fallbacks.
623
00:25:48,520 –> 00:25:51,240
And yes, the boring metric everyone forgets.
624
00:25:51,240 –> 00:25:53,240
Successful first pass completion ratio,
625
00:25:53,240 –> 00:25:55,160
more runs finish without human rescue.
626
00:25:55,160 –> 00:25:56,840
Business impact faster resolutions mean
627
00:25:56,840 –> 00:25:58,680
user stop opening duplicate tickets.
628
00:25:58,680 –> 00:26:00,360
Predictable spend means budgeting
629
00:26:00,360 –> 00:26:01,880
without surprise token hangovers.
630
00:26:01,880 –> 00:26:04,120
Compliance confidence means fewer audit cycles
631
00:26:04,120 –> 00:26:05,720
hijacking your roadmap.
632
00:26:05,720 –> 00:26:08,440
The non-obvious win is reputational.
633
00:26:08,440 –> 00:26:10,840
When the agents answers site tenant content
634
00:26:10,840 –> 00:26:14,120
and the links work, people trusted, use it,
635
00:26:14,120 –> 00:26:16,600
and stop forwarding screenshots that begin with
636
00:26:16,600 –> 00:26:18,120
why did it say this?
637
00:26:18,120 –> 00:26:21,320
Direct imperative advice, measure, trace to metric linkage
638
00:26:21,320 –> 00:26:22,680
or you’re flying on opinion.
639
00:26:22,680 –> 00:26:25,000
If you can’t open a run and see exactly
640
00:26:25,000 –> 00:26:27,480
which node inflated tokens or stalled latency,
641
00:26:27,480 –> 00:26:30,360
you don’t have observability, you have vibes with timestamps.
642
00:26:30,360 –> 00:26:32,520
Everything changes when the validator sits between
643
00:26:32,520 –> 00:26:34,840
nice plan and real action.
644
00:26:34,840 –> 00:26:37,480
Accuracy stabilizes latency narrows,
645
00:26:37,480 –> 00:26:40,040
cost flattens, admins sleep, that’s not magic,
646
00:26:40,040 –> 00:26:42,920
that’s executors, graphs and validation
647
00:26:42,920 –> 00:26:45,640
doing the work you incorrectly assigned to prompts.
