
1
00:00:00,000 –> 00:00:02,320
Most organizations treat governance as a gate,
2
00:00:02,320 –> 00:00:03,960
a checkpoint, something you pass through
3
00:00:03,960 –> 00:00:05,360
before progress can continue.
4
00:00:05,360 –> 00:00:07,400
You run an audit, you find problems, you stop.
5
00:00:07,400 –> 00:00:09,000
That’s the instinct.
6
00:00:09,000 –> 00:00:10,960
The LinkedIn case study I want to examine today
7
00:00:10,960 –> 00:00:14,120
is perfect for understanding why that instinct fails.
8
00:00:14,120 –> 00:00:17,800
An organization discovered 847 orphaned SharePoint sites,
9
00:00:17,800 –> 00:00:20,760
zero data classification, and a C-suite commitment
10
00:00:20,760 –> 00:00:22,200
to Copilot that wasn’t moving.
11
00:00:22,200 –> 00:00:25,120
The governance team’s reaction was immediate and predictable.
12
00:00:25,120 –> 00:00:26,520
Stop, we need to fix this first.
13
00:00:26,520 –> 00:00:28,800
But that reaction reveals something deeper,
14
00:00:28,800 –> 00:00:30,280
a foundational misunderstanding
15
00:00:30,280 –> 00:00:32,680
about how collaboration systems actually evolve.
16
00:00:32,680 –> 00:00:34,520
This episode is about what happens
17
00:00:34,520 –> 00:00:36,560
when you stop treating governance as a gate
18
00:00:36,560 –> 00:00:39,320
and start treating it as the track the deployment runs on,
19
00:00:39,320 –> 00:00:41,440
how you move from not ready to ready enough
20
00:00:41,440 –> 00:00:43,040
by sequencing risk intelligently
21
00:00:43,040 –> 00:00:44,800
instead of waiting for perfect conditions
22
00:00:44,800 –> 00:00:46,640
that will never arrive.
23
00:00:46,640 –> 00:00:48,880
The foundational misunderstanding, organic growth
24
00:00:48,880 –> 00:00:51,560
versus architectural intent. SharePoint and Teams
25
00:00:51,560 –> 00:00:54,440
environments don’t grow according to architectural plans.
26
00:00:54,440 –> 00:00:55,640
They grow organically.
27
00:00:55,640 –> 00:00:57,120
This is not a feature of the system.
28
00:00:57,120 –> 00:00:59,240
It’s a consequence of how work actually happens.
29
00:00:59,240 –> 00:01:01,040
A project starts, someone creates a site.
30
00:01:01,040 –> 00:01:02,840
People collaborate, documents accumulate,
31
00:01:02,840 –> 00:01:04,520
the project ends, the people move on.
32
00:01:04,520 –> 00:01:05,920
The site remains.
33
00:01:05,920 –> 00:01:08,800
Months later, the site’s owner leaves the organization.
34
00:01:08,800 –> 00:01:11,320
Nobody transfers ownership, the site is now orphaned.
35
00:01:11,320 –> 00:01:13,560
But it still exists, it still holds documents.
36
00:01:13,560 –> 00:01:16,240
It still occupies storage, multiply this across years,
37
00:01:16,240 –> 00:01:18,920
across hundreds of projects, across thousands of users
38
00:01:18,920 –> 00:01:20,320
with the ability to create.
39
00:01:20,320 –> 00:01:22,840
You get what the case study showed, 847 sites,
40
00:01:22,840 –> 00:01:26,560
no documentation, no clear ownership, no life cycle.
41
00:01:27,120 –> 00:01:30,360
Most organizations assume this indicates a broken system.
42
00:01:30,360 –> 00:01:32,520
That something went wrong. It didn’t.
43
00:01:32,520 –> 00:01:34,800
What it indicates is that the system was never designed
44
00:01:34,800 –> 00:01:36,040
to manage its own evolution.
45
00:01:36,040 –> 00:01:37,520
Nobody built detection mechanisms,
46
00:01:37,520 –> 00:01:39,280
nobody built remediation workflows,
47
00:01:39,280 –> 00:01:42,320
nobody created policies that enforce accountability over time.
48
00:01:42,320 –> 00:01:44,640
The 847 sites weren’t created recklessly.
49
00:01:44,640 –> 00:01:47,240
They were created through normal business processes.
50
00:01:47,240 –> 00:01:50,400
Projects, initiatives, temporary collaborations,
51
00:01:50,400 –> 00:01:51,520
then abandonment.
52
00:01:51,520 –> 00:01:53,040
This is the distinction that matters.
53
00:01:53,040 –> 00:01:55,480
Orphaned sites are not evidence of a governance failure.
54
00:01:55,480 –> 00:01:57,280
They’re evidence that governance systems
55
00:01:57,280 –> 00:01:59,760
were never architected to detect and remediate
56
00:01:59,760 –> 00:02:01,520
orphaned assets in real time.
57
00:02:01,520 –> 00:02:04,640
Many governance teams conflate two very different problems.
58
00:02:04,640 –> 00:02:06,480
The first is the existence of disorder.
59
00:02:06,480 –> 00:02:09,520
Sites exist without owners, data exists without labels.
60
00:02:09,520 –> 00:02:11,160
Access permissions are overly broad.
61
00:02:11,160 –> 00:02:13,280
The second is the ability to manage disorder.
62
00:02:13,280 –> 00:02:14,240
Can you detect it?
63
00:02:14,240 –> 00:02:15,320
Can you remediate it?
64
00:02:15,320 –> 00:02:17,080
Can you enforce policy continuously?
65
00:02:17,080 –> 00:02:19,640
Organizations often assume these are the same problem.
66
00:02:19,640 –> 00:02:21,480
They’re not. Disorder is inevitable.
67
00:02:21,480 –> 00:02:24,280
It emerges naturally from distributed work.
68
00:02:24,280 –> 00:02:26,280
Thousands of people making independent decisions
69
00:02:26,280 –> 00:02:27,920
about where to store information.
70
00:02:27,920 –> 00:02:30,160
When they leave, that information remains.
71
00:02:30,160 –> 00:02:32,000
The sites remain, the permissions remain.
72
00:02:32,000 –> 00:02:33,880
What matters is not whether disorder exists.
73
00:02:33,880 –> 00:02:35,960
What matters is whether you have mechanisms
74
00:02:35,960 –> 00:02:38,440
to detect, classify, and remediate it at scale.
75
00:02:38,440 –> 00:02:40,360
This is where most governance programs fail.
76
00:02:40,360 –> 00:02:42,080
They assume disorder shouldn’t exist.
77
00:02:42,080 –> 00:02:43,400
So they focus on prevention.
78
00:02:43,400 –> 00:02:45,040
Don’t create sites, don’t create teams,
79
00:02:45,040 –> 00:02:46,600
don’t store data without approval.
80
00:02:46,600 –> 00:02:49,000
This approach trades flexibility for control.
81
00:02:49,000 –> 00:02:51,720
And in the era of distributed work, it’s a losing trade.
82
00:02:51,720 –> 00:02:55,200
The organization that created 847 orphaned sites
83
00:02:55,200 –> 00:02:56,680
didn’t do so through negligence.
84
00:02:56,680 –> 00:02:58,240
They did it through normal operations
85
00:02:58,240 –> 00:02:59,640
because sites are easy to create
86
00:02:59,640 –> 00:03:02,040
because collaboration requires flexibility.
87
00:03:02,040 –> 00:03:03,840
Because approval processes get in the way.
88
00:03:03,840 –> 00:03:05,920
The question isn’t how to prevent sites.
89
00:03:05,920 –> 00:03:07,080
Sites will be created.
90
00:03:07,080 –> 00:03:09,560
The question is how to manage them once they exist.
91
00:03:09,560 –> 00:03:11,600
Can you automatically detect inactive sites?
92
00:03:11,600 –> 00:03:14,440
Yes, SharePoint Advanced Management provides this.
93
00:03:14,440 –> 00:03:16,720
Can you automatically assign temporary ownership
94
00:03:16,720 –> 00:03:18,160
when ownership gaps appear?
95
00:03:18,160 –> 00:03:19,640
Yes, SAM policies can do this.
96
00:03:19,640 –> 00:03:21,840
Can you automatically classify data without
97
00:03:21,840 –> 00:03:23,120
depending on user behavior?
98
00:03:23,120 –> 00:03:26,200
Yes, Microsoft Purview auto-labeling makes this possible.
99
00:03:26,200 –> 00:03:28,280
Can you enforce these mechanisms continuously
100
00:03:28,280 –> 00:03:29,800
while deployment proceeds?
101
00:03:29,800 –> 00:03:32,360
Yes, this is exactly what parallel governance does.
102
00:03:32,360 –> 00:03:34,400
The 847 orphaned sites weren’t a problem
103
00:03:34,400 –> 00:03:35,320
because they existed.
104
00:03:35,320 –> 00:03:36,960
They were a governance opportunity
105
00:03:36,960 –> 00:03:39,280
because mechanisms didn’t exist to detect
106
00:03:39,280 –> 00:03:40,200
and manage them.
107
00:03:40,200 –> 00:03:41,640
Once those mechanisms are in place,
108
00:03:41,640 –> 00:03:43,960
the number of orphaned sites becomes less important
109
00:03:43,960 –> 00:03:45,680
than the speed and consistency
110
00:03:45,680 –> 00:03:47,600
with which they are detected and remediated.
111
00:03:47,600 –> 00:03:50,720
This is the shift from reactive to deterministic governance
112
00:03:50,720 –> 00:03:53,400
and it’s the foundation for everything that follows.
113
00:03:53,400 –> 00:03:55,960
The architecture of chaos,
114
00:03:55,960 –> 00:03:58,440
why 847 sites went unmanaged.
115
00:03:58,440 –> 00:04:01,440
Understanding how you arrive at 847 orphaned sites
116
00:04:01,440 –> 00:04:03,680
requires understanding how SharePoint actually behaves
117
00:04:03,680 –> 00:04:05,960
over time, not how it’s designed to behave,
118
00:04:05,960 –> 00:04:07,360
how it actually behaves.
119
00:04:07,360 –> 00:04:09,560
Year one, a few sites are created,
120
00:04:09,560 –> 00:04:11,840
a pilot project, a department collaboration space.
121
00:04:11,840 –> 00:04:13,480
The work is active, the sites are used,
122
00:04:13,480 –> 00:04:16,840
ownership is clear. Year two, new sites appear,
123
00:04:16,840 –> 00:04:18,720
different teams, different initiatives,
124
00:04:18,720 –> 00:04:21,000
still manageable, still visible.
125
00:04:21,000 –> 00:04:23,000
IT still knows what exists.
126
00:04:23,000 –> 00:04:25,440
Year three, dozens of sites, maybe hundreds,
127
00:04:25,440 –> 00:04:27,080
new projects launch constantly,
128
00:04:27,080 –> 00:04:28,080
some finish, some don’t,
129
00:04:28,080 –> 00:04:29,880
some transform into something else.
130
00:04:29,880 –> 00:04:33,800
The documentation lags, ownership lists become incomplete.
131
00:04:33,800 –> 00:04:36,840
Year four, it becomes difficult to enumerate what exists.
132
00:04:36,840 –> 00:04:38,800
Sites are created via Teams provisioning,
133
00:04:38,800 –> 00:04:41,040
shared channels, auto-create supporting sites,
134
00:04:41,040 –> 00:04:43,520
sites get created for projects that never launch
135
00:04:43,520 –> 00:04:46,480
for initiatives that get canceled for temporary working
136
00:04:46,480 –> 00:04:48,640
groups that become permanent and then abandoned.
137
00:04:48,640 –> 00:04:50,840
By year five, nobody knows how many sites exist,
138
00:04:50,840 –> 00:04:52,480
nobody knows which ones are active,
139
00:04:52,480 –> 00:04:54,920
and critically, nobody has a process to detect
140
00:04:54,920 –> 00:04:56,240
when ownership disappears.
141
00:04:56,240 –> 00:04:57,920
This is how you get to 847.
142
00:04:57,920 –> 00:04:59,160
Here’s the architectural problem
143
00:04:59,160 –> 00:05:00,480
that makes this inevitable.
144
00:05:00,480 –> 00:05:03,560
SharePoint permissions are hierarchical and inherited.
145
00:05:03,560 –> 00:05:05,440
When a site is created, it has owners.
146
00:05:05,440 –> 00:05:07,200
Those owners manage the site.
147
00:05:07,200 –> 00:05:09,160
Their account contains the access rights,
148
00:05:09,160 –> 00:05:11,080
but access rights are tied to identity.
149
00:05:11,080 –> 00:05:13,120
When that person leaves the organization,
150
00:05:13,120 –> 00:05:14,640
their account gets disabled.
151
00:05:14,640 –> 00:05:15,760
The site doesn’t disappear.
152
00:05:15,760 –> 00:05:17,040
The documents don’t disappear.
153
00:05:17,040 –> 00:05:18,640
The permissions don’t magically revert.
154
00:05:18,640 –> 00:05:20,320
The site simply has no active owners.
155
00:05:20,320 –> 00:05:21,440
It’s orphaned.
156
00:05:21,440 –> 00:05:23,760
Without automated detection, this state is invisible.
157
00:05:23,760 –> 00:05:25,720
The site still exists in your tenant.
158
00:05:25,720 –> 00:05:27,040
It still occupies storage.
159
00:05:27,040 –> 00:05:28,400
It still appears in search results,
160
00:05:28,400 –> 00:05:29,600
but nobody is managing it.
161
00:05:29,600 –> 00:05:30,800
Nobody reviews permissions.
162
00:05:30,800 –> 00:05:32,840
Nobody certifies the content is valuable.
163
00:05:32,840 –> 00:05:36,080
This invisibility persists until something forces visibility.
164
00:05:36,080 –> 00:05:39,720
Usually a compliance audit or a Copilot readiness assessment.
165
00:05:39,720 –> 00:05:40,840
And here’s where it compounds.
166
00:05:40,840 –> 00:05:42,360
Microsoft Graph indexes everything.
167
00:05:42,360 –> 00:05:44,440
Copilot’s grounding mechanism pulls context
168
00:05:44,440 –> 00:05:46,240
from sites that users can access.
169
00:05:46,240 –> 00:05:48,560
Inherited permissions mean that even orphan sites
170
00:05:48,560 –> 00:05:50,720
might be accessible to broad user groups.
171
00:05:50,720 –> 00:05:53,640
So Copilot surfaces content from orphan sites
172
00:05:53,640 –> 00:05:56,080
unless those sites are explicitly excluded,
173
00:05:56,080 –> 00:05:58,040
unless they’re remediated.
174
00:05:58,040 –> 00:06:00,560
Each unmanaged site represents three separate risks.
175
00:06:00,560 –> 00:06:02,040
First, data exposure.
176
00:06:02,040 –> 00:06:04,440
Content exists without active governance.
177
00:06:04,440 –> 00:06:05,680
Second, compliance risk.
178
00:06:05,680 –> 00:06:07,560
Retention policies might not enforce.
179
00:06:07,560 –> 00:06:09,440
Sensitive data might not be classified.
180
00:06:09,440 –> 00:06:11,200
Third, operational friction.
181
00:06:11,200 –> 00:06:13,880
When Copilot surfaces information from an orphan site,
182
00:06:13,880 –> 00:06:14,880
users get confused.
183
00:06:14,880 –> 00:06:16,000
Content might be outdated.
184
00:06:16,000 –> 00:06:17,480
Context might be lost.
185
00:06:17,480 –> 00:06:19,560
The case study organization had no SharePoint
186
00:06:19,560 –> 00:06:20,920
Advanced Management policies.
187
00:06:20,920 –> 00:06:22,640
No automated life cycle detection.
188
00:06:22,640 –> 00:06:24,360
No mechanisms to assign interim ownership
189
00:06:24,360 –> 00:06:25,920
when original owners departed.
190
00:06:25,920 –> 00:06:27,080
No continuous monitoring.
191
00:06:27,080 –> 00:06:28,520
No enforcement.
192
00:06:28,520 –> 00:06:30,360
Instead, they had manual processes.
193
00:06:30,360 –> 00:06:31,800
Someone occasionally tried to clean up.
194
00:06:31,800 –> 00:06:33,280
Someone checked ownership.
195
00:06:33,280 –> 00:06:36,040
But without scale, without automation, without policy,
196
00:06:36,040 –> 00:06:38,160
this work was sporadic and incomplete.
197
00:06:38,160 –> 00:06:38,920
What’s critical?
198
00:06:38,920 –> 00:06:40,560
This organization isn’t unique.
199
00:06:40,560 –> 00:06:42,560
Most organizations operate exactly this way.
200
00:06:42,560 –> 00:06:44,160
They rely on manual reviews.
201
00:06:44,160 –> 00:06:47,000
Periodic audits. Hope that governance doesn’t break.
202
00:06:47,000 –> 00:06:48,840
That works fine until you deploy something
203
00:06:48,840 –> 00:06:50,160
requiring clean data.
204
00:06:50,160 –> 00:06:51,200
Then you hit the wall.
205
00:06:51,200 –> 00:06:53,040
Suddenly, governance becomes visible.
206
00:06:53,040 –> 00:06:55,000
Suddenly you ask, how many sites do we have?
207
00:06:55,000 –> 00:06:55,920
Which ones are owned?
208
00:06:55,920 –> 00:06:57,200
Which ones have classified data?
209
00:06:57,200 –> 00:06:59,440
The discovery of 847 orphan sites
210
00:06:59,440 –> 00:07:00,680
felt like a crisis.
211
00:07:00,680 –> 00:07:02,080
The governance team wanted to stop,
212
00:07:02,080 –> 00:07:04,440
remediate first, deploy later.
213
00:07:04,440 –> 00:07:06,440
But there’s a different interpretation of that discovery.
214
00:07:06,440 –> 00:07:08,680
Those 847 sites were always orphaned.
215
00:07:08,680 –> 00:07:10,320
The organization simply didn’t know it.
216
00:07:10,320 –> 00:07:11,800
Visibility was the first victory.
217
00:07:11,800 –> 00:07:13,960
Visibility precedes control.
218
00:07:13,960 –> 00:07:16,200
Once you can see the problem, you build mechanisms
219
00:07:16,200 –> 00:07:16,880
to manage it.
220
00:07:16,880 –> 00:07:19,080
That’s the shift from chaos to architecture.
221
00:07:19,080 –> 00:07:22,440
And the false choice, pause versus proceed.
222
00:07:22,440 –> 00:07:25,760
When governance teams discover 847 orphan sites,
223
00:07:25,760 –> 00:07:27,680
the response is almost always the same.
224
00:07:27,680 –> 00:07:28,440
It’s binary.
225
00:07:28,440 –> 00:07:29,920
Pause the Copilot rollout.
226
00:07:29,920 –> 00:07:31,040
Stop everything.
227
00:07:31,040 –> 00:07:32,480
We need to fix this first.
228
00:07:32,480 –> 00:07:34,000
This response is understandable.
229
00:07:34,000 –> 00:07:36,960
You’ve just learned your tenant is messier than you thought.
230
00:07:36,960 –> 00:07:38,760
The instinct to clean before you deploy
231
00:07:38,760 –> 00:07:39,880
makes intuitive sense.
232
00:07:39,880 –> 00:07:41,920
But it’s architecturally wrong.
233
00:07:41,920 –> 00:07:44,320
The response treats governance as a gate.
234
00:07:44,320 –> 00:07:47,200
A checkpoint you must pass before progress continues.
235
00:07:47,200 –> 00:07:48,840
And it assumes something that isn’t true
236
00:07:48,840 –> 00:07:51,520
that perfect governance must precede deployment.
237
00:07:51,520 –> 00:07:53,200
This assumption fails in practice.
238
00:07:53,200 –> 00:07:54,960
Deployment pressure actually accelerates
239
00:07:54,960 –> 00:07:57,200
governance improvements, not slows them.
240
00:07:57,200 –> 00:07:59,760
When an organization commits to rolling out Copilot,
241
00:07:59,760 –> 00:08:01,560
governance suddenly becomes urgent.
242
00:08:01,560 –> 00:08:03,720
Teams that would have deferred remediation for months,
243
00:08:03,720 –> 00:08:04,960
prioritize it in weeks.
244
00:08:04,960 –> 00:08:06,440
The business case becomes visible.
245
00:08:06,440 –> 00:08:07,480
The deadline becomes real.
246
00:08:07,480 –> 00:08:08,600
And the work gets done.
247
00:08:08,600 –> 00:08:10,360
Without that pressure, governance drifts.
248
00:08:10,360 –> 00:08:12,000
Remediation gets deferred.
249
00:08:12,000 –> 00:08:13,840
The organization continues to operate
250
00:08:13,840 –> 00:08:16,320
without the controls that deployment would have forced them
251
00:08:16,320 –> 00:08:16,960
to implement.
252
00:08:16,960 –> 00:08:18,880
Think about the cost structure here.
253
00:08:18,880 –> 00:08:21,520
Microsoft’s research suggests Copilot delivers
254
00:08:21,520 –> 00:08:23,920
approximately $3.70 of productivity gain
255
00:08:23,920 –> 00:08:25,240
for every dollar invested.
256
00:08:25,240 –> 00:08:27,720
Whether that holds for your organization is less important
257
00:08:27,720 –> 00:08:30,160
than the principle, delay means deferred value.
258
00:08:30,160 –> 00:08:33,680
When you pause Copilot rollout to remediate governance,
259
00:08:33,680 –> 00:08:35,400
you defer that productivity gain.
260
00:08:35,400 –> 00:08:38,320
One month of delay costs roughly 1.8 million
261
00:08:38,320 –> 00:08:41,760
in deferred value for a PN200 person organization.
262
00:08:41,760 –> 00:08:44,440
Six months costs $10.8 million, but there’s a second cost
263
00:08:44,440 –> 00:08:46,800
that’s less visible, governance debt.
264
00:08:46,800 –> 00:08:48,720
The longer the remediation phase continues,
265
00:08:48,720 –> 00:08:50,800
the more new orphaned sites are created.
266
00:08:50,800 –> 00:08:53,440
More collaboration happens without proper governance.
267
00:08:53,440 –> 00:08:55,720
More data is stored without classification.
268
00:08:55,720 –> 00:08:57,240
More access permissions accumulate.
269
00:08:57,240 –> 00:08:58,640
You’re not fixing a static problem
270
00:08:58,640 –> 00:09:00,080
while the deployment waits.
271
00:09:00,080 –> 00:09:03,160
The problem is growing while you’re trying to fix it.
272
00:09:03,160 –> 00:09:04,240
This creates a paradox.
273
00:09:04,240 –> 00:09:07,080
The longer you wait to deploy, the more governance issues you create.
274
00:09:07,080 –> 00:09:10,960
The organization continues to be operated without the controls
275
00:09:10,960 –> 00:09:13,640
that Copilot deployment would force them to establish.
276
00:09:13,640 –> 00:09:16,040
So the real cost of pause isn’t fixing orphaned sites.
277
00:09:16,040 –> 00:09:17,720
The real cost is deferred productivity
278
00:09:17,720 –> 00:09:19,440
plus compounding governance debt.
279
00:09:19,440 –> 00:09:21,640
You’re trading current value for a future state
280
00:09:21,640 –> 00:09:23,200
that never quite arrives.
281
00:09:23,200 –> 00:09:25,320
There’s a third option: parallel track remediation.
282
00:09:25,320 –> 00:09:28,280
Fix the foundation while maintaining deployment velocity.
283
00:09:28,280 –> 00:09:29,920
Run governance improvements in parallel
284
00:09:29,920 –> 00:09:32,200
with Copilot rollout, not before it.
285
00:09:32,200 –> 00:09:35,920
This approach requires accepting one uncomfortable truth.
286
00:09:35,920 –> 00:09:38,920
Governance doesn’t have to be perfect before deployment begins.
287
00:09:38,920 –> 00:09:42,120
It has to be managed intelligently during deployment.
288
00:09:42,120 –> 00:09:43,680
Perfect governance is impossible.
289
00:09:43,680 –> 00:09:46,040
You’ll never eliminate all orphaned sites,
290
00:09:46,040 –> 00:09:48,560
all misclassified data, all access anomalies.
291
00:09:48,560 –> 00:09:51,760
But you can build mechanisms that detect and remediate continuously.
292
00:09:51,760 –> 00:09:53,680
You can enforce policy deterministically.
293
00:09:53,680 –> 00:09:57,200
You can improve the security posture in real-time while value flows.
294
00:09:57,200 –> 00:10:00,640
This is where the distinction between a gate and a track becomes operational.
295
00:10:00,640 –> 00:10:04,120
A gate says you must reach a state of completion before proceeding.
296
00:10:04,120 –> 00:10:07,040
A track says you must have systems in place to manage the journey.
297
00:10:07,040 –> 00:10:10,040
The case study organization faced this exact decision point.
298
00:10:10,040 –> 00:10:13,400
Their governance team saw 847 orphaned sites and wanted to pause.
299
00:10:13,400 –> 00:10:16,320
The leadership saw Copilot’s potential and wanted to proceed.
300
00:10:16,320 –> 00:10:18,080
Neither path alone was right.
301
00:10:18,080 –> 00:10:19,080
So they chose a third.
302
00:10:19,080 –> 00:10:21,480
They split the work into two simultaneous tracks.
303
00:10:21,480 –> 00:10:24,320
Track one would handle rapid triage, scan all sites,
304
00:10:24,320 –> 00:10:27,600
classify sensitive data, assign interim ownership,
305
00:10:27,600 –> 00:10:29,800
use automation to move as fast as possible.
306
00:10:29,800 –> 00:10:31,640
Track two would handle scoped deployment,
307
00:10:31,640 –> 00:10:34,720
enable Copilot for the teams with the cleanest data posture,
308
00:10:34,720 –> 00:10:39,000
prove ROI, build momentum, expand as governance improved.
309
00:10:39,000 –> 00:10:40,520
The two tracks would move in parallel.
310
00:10:40,520 –> 00:10:43,720
Governance would improve during deployment, not before it.
311
00:10:43,720 –> 00:10:46,640
And that parallel motion would accelerate both.
312
00:10:46,640 –> 00:10:50,760
Track one, rapid triage using Purview and automated ownership.
313
00:10:50,760 –> 00:10:52,760
The first track focused on one objective,
314
00:10:52,760 –> 00:10:55,960
surface and classify high-risk content at scale.
315
00:10:55,960 –> 00:11:00,560
Not everything, just the content that Copilot would realistically surface in user queries.
316
00:11:00,560 –> 00:11:02,520
The mechanism was Microsoft Purview,
317
00:11:02,520 –> 00:11:05,120
specifically sensitive information types.
318
00:11:05,120 –> 00:11:11,160
SITs. Purview can identify credit card numbers, bank account details, financial data.
319
00:11:11,160 –> 00:11:13,120
Personally identifiable information.
320
00:11:13,120 –> 00:11:14,520
The patterns are well defined.
321
00:11:14,520 –> 00:11:15,800
The detection is reliable.
322
00:11:15,800 –> 00:11:19,120
The organization ran automated scans across all 847 sites,
323
00:11:19,120 –> 00:11:21,800
not a manual inspection, not a sampling, all of them.
324
00:11:21,800 –> 00:11:22,960
In parallel.
325
00:11:22,960 –> 00:11:23,720
Here’s what happened.
326
00:11:23,720 –> 00:11:27,960
Purview scanned, Purview classified, assets were tagged with sensitivity levels in real time.
327
00:11:27,960 –> 00:11:34,440
Within 72 hours, the organization had visibility into which sites contain sensitive data and where.
328
00:11:34,440 –> 00:11:37,960
This is critical, that speed was not incidental, it was essential.
329
00:11:37,960 –> 00:11:42,760
72 hours is the window before governance teams lose momentum.
330
00:11:42,760 –> 00:11:44,720
After three days, the project feels real.
331
00:11:44,720 –> 00:11:46,840
After a month, it feels theoretical again.
332
00:11:46,840 –> 00:11:50,360
The case study organization understood this, they kept the pace aggressive.
333
00:11:50,360 –> 00:11:53,160
Concurrent with the scans, they assigned interim site ownership.
334
00:11:53,160 –> 00:11:56,760
And this is where SharePoint Advanced Management became the force multiplier.
335
00:11:56,760 –> 00:12:00,120
SAM policies automatically detect sites lacking minimum owners.
336
00:12:00,120 –> 00:12:01,360
The best practice is 2.
337
00:12:01,360 –> 00:12:05,360
One owner is a single point of failure. If that person leaves, the site orphans again.
338
00:12:05,360 –> 00:12:07,080
Two owners create redundancy.
339
00:12:07,080 –> 00:12:08,760
SAM doesn’t require human intervention.
340
00:12:08,760 –> 00:12:11,080
It runs, it identifies non-compliant sites.
341
00:12:11,080 –> 00:12:14,920
And it assigns temporary administrators from a designated pool.
342
00:12:14,920 –> 00:12:17,360
Those administrators weren’t permanent, they were interim.
343
00:12:17,360 –> 00:12:20,200
The policy explicitly stated this in the notification emails.
344
00:12:20,200 –> 00:12:21,560
These are temporary assignments.
345
00:12:21,560 –> 00:12:23,440
Your role is to identify the real owner.
346
00:12:23,440 –> 00:12:25,920
Find them, document them, then step aside.
347
00:12:25,920 –> 00:12:29,040
This framing matters, it’s not theft of ownership, it’s stewardship.
348
00:12:29,040 –> 00:12:32,200
Someone needs to be responsible while permanent ownership is being recovered.
349
00:12:32,200 –> 00:12:34,320
The notifications went out systematically.
350
00:12:34,320 –> 00:12:37,400
Site members received emails, interim owners received emails.
351
00:12:37,400 –> 00:12:38,800
The process was transparent.
352
00:12:38,800 –> 00:12:41,120
Within two weeks, something remarkable happened.
353
00:12:41,120 –> 00:12:44,400
94% of the 847 sites had documented owners.
354
00:12:44,400 –> 00:12:48,600
And sensitivity labels were applied to the content 94% in 14 days.
355
00:12:48,600 –> 00:12:50,600
This velocity surprised almost everyone.
356
00:12:50,600 –> 00:12:55,000
IT leadership, security teams, the governance folks who had assumed this work would take months.
357
00:12:55,000 –> 00:12:57,160
But it makes sense once you understand the mechanism.
358
00:12:57,160 –> 00:12:58,640
Automation removes the bottleneck.
359
00:12:58,640 –> 00:13:00,840
You don’t wait for humans to make decisions.
360
00:13:00,840 –> 00:13:02,320
The system detects violations.
361
00:13:02,320 –> 00:13:04,040
The system assigns remediation.
362
00:13:04,040 –> 00:13:05,640
The system notifies stakeholders.
363
00:13:05,640 –> 00:13:08,640
Humans respond to notifications, not to abstract requests.
364
00:13:08,640 –> 00:13:12,160
Humans are slow at making proactive decisions in abstract contexts.
365
00:13:12,160 –> 00:13:14,960
But humans are fast at responding to specific directives.
366
00:13:14,960 –> 00:13:16,880
You are now the interim owner of this site.
367
00:13:16,880 –> 00:13:19,520
Please confirm ownership or identify the real owner.
368
00:13:19,520 –> 00:13:20,520
People respond to that.
369
00:13:20,520 –> 00:13:22,440
The classification happened the same way.
370
00:13:22,440 –> 00:13:24,640
Purview didn’t ask users to label their data.
371
00:13:24,640 –> 00:13:26,000
Purview scanned for patterns.
372
00:13:26,000 –> 00:13:29,080
Purview applied labels based on what it detected.
373
00:13:29,080 –> 00:13:34,720
Credit card numbers: confidential label. Bank account numbers: confidential label. Social Security numbers: confidential label.
374
00:13:34,720 –> 00:13:37,480
These decisions are deterministic, not probabilistic.
375
00:13:37,480 –> 00:13:40,160
The system doesn’t hope users will classify correctly.
376
00:13:40,160 –> 00:13:42,360
The system enforces classification automatically.
377
00:13:42,360 –> 00:13:44,040
One detail is worth emphasizing.
378
00:13:44,040 –> 00:13:46,760
The organization didn’t achieve perfect classification in two weeks.
379
00:13:46,760 –> 00:13:48,680
They achieved 94% remediation.
380
00:13:48,680 –> 00:13:51,800
That means 6% of sites still lacked documented owners.
381
00:13:51,800 –> 00:13:54,800
6% of content still lacked sensitivity labels.
382
00:13:54,800 –> 00:13:55,840
This was acceptable.
383
00:13:55,840 –> 00:14:01,960
Not because imperfection is good, but because the mechanism was now in place to continuously detect and remediate the remaining 6%.
384
00:14:01,960 –> 00:14:03,600
The governance system was operational.
385
00:14:03,600 –> 00:14:05,080
It was detecting violations.
386
00:14:05,080 –> 00:14:06,440
It was enforcing policy.
387
00:14:06,440 –> 00:14:09,120
And it was doing this while deployment prepared to proceed.
388
00:14:09,120 –> 00:14:11,800
This is the distinction between perfect and ready enough.
389
00:14:11,800 –> 00:14:14,360
Perfect would mean no orphaned sites exist anywhere.
390
00:14:14,360 –> 00:14:15,960
No data lacks classification.
391
00:14:15,960 –> 00:14:17,440
Every permission is exactly right.
392
00:14:17,440 –> 00:14:22,040
Ready enough means you have systems in place to detect and remediate violations continuously.
393
00:14:22,040 –> 00:14:23,480
You have automated mechanisms.
394
00:14:23,480 –> 00:14:24,680
You have policy enforcement.
395
00:14:24,680 –> 00:14:25,920
You have visibility.
396
00:14:25,920 –> 00:14:30,040
The organization had moved from invisible chaos to visible managed chaos.
397
00:14:30,040 –> 00:14:35,320
And that shift from invisible to visible was the prerequisite for everything that followed.
398
00:14:35,320 –> 00:14:38,000
Understanding sensitivity labels and auto labeling.
399
00:14:38,000 –> 00:14:40,400
Sensitivity labels are not just metadata tags.
400
00:14:40,400 –> 00:14:42,360
That’s the first misconception to discard.
401
00:14:42,360 –> 00:14:43,880
They are enforcement mechanisms.
402
00:14:43,880 –> 00:14:44,880
They control encryption.
403
00:14:44,880 –> 00:14:45,800
They control access.
404
00:14:45,800 –> 00:14:48,240
They control downstream policy application.
405
00:14:48,240 –> 00:14:51,240
When a document gets a sensitivity label, things actually happen.
406
00:14:51,240 –> 00:14:53,280
The document gets encrypted differently.
407
00:14:53,280 –> 00:14:58,600
Sharing restrictions activate. DLP policies trigger. Retention policies enforce.
408
00:14:58,600 –> 00:15:00,240
This is not about organization.
409
00:15:00,240 –> 00:15:01,520
This is about architecture.
410
00:15:01,520 –> 00:15:06,040
Most organizations assume that sensitivity labels are something users apply.
411
00:15:06,040 –> 00:15:09,240
That someone creates a document and consciously chooses a classification.
412
00:15:09,240 –> 00:15:12,560
Public, internal, confidential, highly confidential.
413
00:15:12,560 –> 00:15:15,240
This approach fails at scale almost universally.
414
00:15:16,200 –> 00:15:19,800
Adoption rates for manual labeling typically remain below 10%.
415
00:15:19,800 –> 00:15:23,320
Not because users are negligent, because classification is not their primary task.
416
00:15:23,320 –> 00:15:26,720
Their task is to write the document, to solve the problem, to move forward.
417
00:15:26,720 –> 00:15:28,320
Classification feels like friction.
418
00:15:28,320 –> 00:15:30,280
So most documents never get classified.
419
00:15:30,280 –> 00:15:31,680
They exist in a liminal state.
420
00:15:31,680 –> 00:15:33,440
Technically, they have a default label.
421
00:15:33,440 –> 00:15:35,320
In practice, they are unclassified.
422
00:15:35,320 –> 00:15:37,160
This breaks downstream controls.
423
00:15:37,160 –> 00:15:40,400
DLP policies can’t protect what they don’t know about.
424
00:15:40,400 –> 00:15:43,520
Retention policies can’t archive what they can’t identify.
425
00:15:43,520 –> 00:15:46,560
Co-pilot can’t respect access controls that don’t exist.
426
00:15:46,560 –> 00:15:48,200
The solution is to reverse the assumption.
427
00:15:48,200 –> 00:15:52,480
Instead of asking users to classify, you build systems that classify automatically.
428
00:15:52,480 –> 00:15:55,680
Microsoft Purview supports multiple auto labeling mechanisms.
429
00:15:55,680 –> 00:15:56,760
They’re not sophisticated.
430
00:15:56,760 –> 00:15:59,840
They’re not trying to understand context the way a human would.
431
00:15:59,840 –> 00:16:01,720
They are pattern matching engines.
432
00:16:01,720 –> 00:16:04,040
Exact data match looks for specific values.
433
00:16:04,040 –> 00:16:05,680
A credit card number matches a pattern.
434
00:16:05,680 –> 00:16:07,160
A bank account number matches.
435
00:16:07,160 –> 00:16:08,480
A social security number matches.
436
00:16:08,480 –> 00:16:11,680
The system finds these patterns and applies a label automatically.
437
00:16:11,680 –> 00:16:15,240
Pattern matching via regular expressions works similarly, but more flexibly.
438
00:16:15,240 –> 00:16:16,240
You define a pattern.
439
00:16:16,240 –> 00:16:17,760
The system scans for matches.
440
00:16:17,760 –> 00:16:19,240
When it finds them, it labels.
441
00:16:19,240 –> 00:16:21,120
Trainable classifiers use machine learning.
442
00:16:21,120 –> 00:16:24,080
You give the system examples of what you want to classify.
443
00:16:24,080 –> 00:16:28,400
Financial documents, proprietary documents, strategic plans, the system learns it generalizes.
444
00:16:28,400 –> 00:16:31,160
It classifies new documents based on what it learned.
445
00:16:31,160 –> 00:16:35,560
In the case study, the organization configured auto labeling rules systematically.
446
00:16:35,560 –> 00:16:38,320
Credit card numbers triggered a confidential label.
447
00:16:38,320 –> 00:16:40,240
Bank account numbers triggered confidential.
448
00:16:40,240 –> 00:16:41,720
SWIFT codes triggered confidential.
449
00:16:41,720 –> 00:16:43,880
Social security numbers triggered confidential.
450
00:16:43,880 –> 00:16:45,560
Passport numbers triggered confidential.
451
00:16:45,560 –> 00:16:47,520
They also configured proprietary data.
452
00:16:47,520 –> 00:16:48,880
Internal naming patterns.
453
00:16:48,880 –> 00:16:52,520
When documents matched those patterns, they got a highly confidential label.
454
00:16:52,520 –> 00:16:53,840
This required some tuning.
455
00:16:53,840 –> 00:16:57,000
The organization had to think about what proprietary meant.
456
00:16:57,000 –> 00:16:59,880
What patterns indicated proprietary information.
457
00:16:59,880 –> 00:17:01,520
Once defined, the system enforced it automatically.
458
00:17:01,520 –> 00:17:05,080
Once labels are applied, the entire downstream architecture activates.
459
00:17:05,080 –> 00:17:06,920
DLP policies see the label.
460
00:17:06,920 –> 00:17:11,360
If a document labeled highly confidential is about to be shared externally, DLP blocks it.
461
00:17:11,360 –> 00:17:15,240
Or warns or logs it, depending on configuration.
462
00:17:15,240 –> 00:17:17,160
Retention policies see the label.
463
00:17:17,160 –> 00:17:20,200
Documents labeled financial data might have a retention requirement.
464
00:17:20,200 –> 00:17:23,160
After X years archive them, after Y years delete them.
465
00:17:23,160 –> 00:17:24,640
The label triggers the policy.
466
00:17:24,640 –> 00:17:25,720
Copilot sees the label.
467
00:17:25,720 –> 00:17:29,160
If a user prompts copilot and copilot would normally surface a highly confidential document
468
00:17:29,160 –> 00:17:31,880
from an unauthorized source, the label blocks it.
469
00:17:31,880 –> 00:17:35,520
Access controls enforced by the label restrict what copilot can retrieve.
470
00:17:35,520 –> 00:17:39,000
This is how you move from theoretical governance to operational governance.
471
00:17:39,000 –> 00:17:41,040
The critical insight is this.
472
00:17:41,040 –> 00:17:43,640
Classification does not have to be complete before deployment begins.
473
00:17:43,640 –> 00:17:44,640
It has to be systematic.
474
00:17:44,640 –> 00:17:46,120
It has to be continuous.
475
00:17:46,120 –> 00:17:48,640
But it does not have to be perfect from day one.
476
00:17:48,640 –> 00:17:52,680
As new documents are created, auto labeling applies labels automatically.
477
00:17:52,680 –> 00:17:56,600
The organization gradually improves its classification posture over time.
478
00:17:56,600 –> 00:17:58,920
Without requiring a massive upfront project.
479
00:17:58,920 –> 00:18:02,920
Without waiting for users to become classification conscious, every document written from that point
480
00:18:02,920 –> 00:18:04,320
forward gets classified.
481
00:18:04,320 –> 00:18:07,600
Older documents get classified as they’re accessed or modified.
482
00:18:07,600 –> 00:18:09,720
The classification backlog shrinks continuously.
483
00:18:09,720 –> 00:18:14,680
This is why the case study organization could achieve 94% remediation in two weeks.
484
00:18:14,680 –> 00:18:17,600
Then maintain momentum while deployment proceeded.
485
00:18:17,600 –> 00:18:21,240
The classification mechanism was operational, systematic, continuous, and it required no
486
00:18:21,240 –> 00:18:24,080
human intervention beyond the initial configuration.
487
00:18:24,080 –> 00:18:28,120
The governance system was now enforcing policy, not hoping users would comply.
488
00:18:28,120 –> 00:18:29,120
Track 2.
489
00:18:29,120 –> 00:18:31,000
Scope deployment in clean zones.
490
00:18:31,000 –> 00:18:34,840
While track 1 was running in the background, quietly remediating and classifying, track 2 was
491
00:18:34,840 –> 00:18:37,760
building momentum where conditions were already favorable.
492
00:18:37,760 –> 00:18:41,920
The organization did not wait for full remediation to begin copilot deployment.
493
00:18:41,920 –> 00:18:44,720
They rolled it out to three business units immediately.
494
00:18:44,720 –> 00:18:47,200
Finance, legal, human resources.
495
00:18:47,200 –> 00:18:51,440
These three units were selected deliberately, not randomly, not based on who asked first.
496
00:18:51,440 –> 00:18:54,480
Based on governance maturity. Finance had higher baseline governance.
497
00:18:54,480 –> 00:18:56,920
They deal with regulated data constantly.
498
00:18:56,920 –> 00:18:59,120
Financial systems, regulatory compliance.
499
00:18:59,120 –> 00:19:01,360
These teams already used sensitivity labels.
500
00:19:01,360 –> 00:19:03,200
Their data was reasonably well organized.
501
00:19:03,200 –> 00:19:04,960
Their ownership structures were clearer.
502
00:19:04,960 –> 00:19:09,160
Legal operated similarly, sensitive documents, privileged concerns, established processes
503
00:19:09,160 –> 00:19:10,520
for document classification.
504
00:19:10,520 –> 00:19:12,640
They understood what confidentiality meant.
505
00:19:12,640 –> 00:19:14,080
They enforced it rigorously.
506
00:19:14,080 –> 00:19:18,840
Human resources managed personnel data also regulated, also classified, also accustomed
507
00:19:18,840 –> 00:19:21,720
to access controls and retention requirements.
508
00:19:21,720 –> 00:19:24,600
These three units did not represent the entire organization.
509
00:19:24,600 –> 00:19:27,720
They represented approximately 1,200 users.
510
00:19:27,720 –> 00:19:30,120
Nearly 10% of the total employee base.
511
00:19:30,120 –> 00:19:31,120
But here’s what matters.
512
00:19:31,120 –> 00:19:35,520
They were the 10% with the highest value roles, roles where copilot productivity gains
513
00:19:35,520 –> 00:19:37,560
would be most visible.
514
00:19:37,560 –> 00:19:43,760
Report generation, legal analysis, policy research, contract review, HR policy synthesis,
515
00:19:43,760 –> 00:19:46,360
email drafting, communications.
516
00:19:46,360 –> 00:19:49,360
These are the tasks copilot accelerates most visibly.
517
00:19:49,360 –> 00:19:54,000
The pilot was not delayed by the broader governance issues, not postponed until 847
518
00:19:54,000 –> 00:19:58,680
orphan sites were fully remediated, not waiting for 100% classification adoption across
519
00:19:58,680 –> 00:19:59,840
the organization.
520
00:19:59,840 –> 00:20:02,880
It proceeded immediately in parallel with track one.
521
00:20:02,880 –> 00:20:05,240
This parallelism is counterintuitive.
522
00:20:05,240 –> 00:20:09,440
Most organizations believe deployment should follow governance improvement, establish controls
523
00:20:09,440 –> 00:20:11,840
first, then deploy technology.
524
00:20:11,840 –> 00:20:16,160
But the case study organization understood something that architecture reveals.
525
00:20:16,160 –> 00:20:19,360
Governance improves faster when deployment pressure exists.
526
00:20:19,360 –> 00:20:23,440
When you announce copilot is coming suddenly governance becomes real, not theoretical,
527
00:20:23,440 –> 00:20:27,440
teams that would have deferred remediation for months prioritise it in weeks.
528
00:20:27,440 –> 00:20:28,840
The business case becomes visible.
529
00:20:28,840 –> 00:20:30,120
The deadline is concrete.
530
00:20:30,120 –> 00:20:34,800
When IT leadership sees copilot delivering measurable value, they become motivated to extend
531
00:20:34,800 –> 00:20:38,920
governance controls to enable broader rollout, not to prevent rollout, to enable it.
532
00:20:38,920 –> 00:20:40,520
This is not manipulation of process.
533
00:20:40,520 –> 00:20:42,000
This is alignment of incentives.
534
00:20:42,000 –> 00:20:43,720
The technology creates urgency.
535
00:20:43,720 –> 00:20:45,440
The urgency drives governance work.
536
00:20:45,440 –> 00:20:47,880
The governance work enables safe expansion.
537
00:20:47,880 –> 00:20:52,560
Within four weeks, the pilot units generated measurable outcomes, 26 minutes of daily time savings
538
00:20:52,560 –> 00:20:53,560
per user.
539
00:20:53,560 –> 00:20:58,840
Quantified, measured against baselines, not aspirational, actual report generation accelerated,
540
00:20:58,840 –> 00:21:02,760
email drafting accelerated information synthesis became faster.
541
00:21:02,760 –> 00:21:04,760
Users spent less time searching for context.
542
00:21:04,760 –> 00:21:05,960
Copilot provided it.
543
00:21:05,960 –> 00:21:07,760
Users spent less time formatting output.
544
00:21:07,760 –> 00:21:09,160
Copilot handled it.
545
00:21:09,160 –> 00:21:13,480
Users spent less time waiting for approvals on routine communications.
546
00:21:13,480 –> 00:21:17,440
Visible productivity gains in high value roles in controlled environments.
547
00:21:17,440 –> 00:21:21,440
These metrics became the business case, not for pilots, for expansion.
548
00:21:21,440 –> 00:21:26,160
When CFOs see that you’re recovering 26 minutes per day for highly compensated employees,
549
00:21:26,160 –> 00:21:27,640
the math becomes obvious.
550
00:21:27,640 –> 00:21:31,400
Four weeks of productive recovery pays for a year of copilot licensing.
551
00:21:31,400 –> 00:21:33,120
The ROI becomes undeniable.
552
00:21:33,120 –> 00:21:35,400
This is where momentum matters architecturally.
553
00:21:35,400 –> 00:21:36,840
The pilots proved concept.
554
00:21:36,840 –> 00:21:38,760
The metrics justified expansion.
555
00:21:38,760 –> 00:21:41,320
The governance controls enabled safe scaling.
556
00:21:41,320 –> 00:21:45,200
By week six, copilot was live for 700 users across three business units.
557
00:21:45,200 –> 00:21:48,200
By week 10, track one had completed its work.
558
00:21:48,200 –> 00:21:51,840
94% of previously orphaned sites had documented ownership.
559
00:21:51,840 –> 00:21:54,360
Sensitivity labels were applied to classified content.
560
00:21:54,360 –> 00:21:56,120
The governance mechanisms were operational.
561
00:21:56,120 –> 00:21:58,040
The two tracks had moved in parallel.
562
00:21:58,040 –> 00:21:59,240
Neither delayed the other.
563
00:21:59,240 –> 00:22:00,640
Both reinforced the other.
564
00:22:00,640 –> 00:22:02,200
Track one improved the foundation.
565
00:22:02,200 –> 00:22:03,400
Track two proved the value.
566
00:22:03,400 –> 00:22:06,040
Together they created momentum that accelerated both.
567
00:22:06,040 –> 00:22:09,800
This is what parallel track governance actually looks like in practice.
568
00:22:09,800 –> 00:22:11,400
Not sequential, synchronized.
569
00:22:11,400 –> 00:22:12,400
Iterative.
570
00:22:12,400 –> 00:22:14,800
Pressure from deployment accelerates governance work.
571
00:22:14,800 –> 00:22:18,240
Success from governance enables faster deployment, the two feed each other.
572
00:22:18,240 –> 00:22:22,440
The organization had converted a governance crisis into a governance acceleration.
573
00:22:22,440 –> 00:22:23,440
The synthesis.
574
00:22:23,440 –> 00:22:26,120
How deployment pressure accelerates governance.
575
00:22:26,120 –> 00:22:30,200
The conventional wisdom in IT leadership is almost universally wrong on this point.
576
00:22:30,200 –> 00:22:33,920
The conventional wisdom says governance improvements must precede deployment.
577
00:22:33,920 –> 00:22:34,760
Establish controls.
578
00:22:34,760 –> 00:22:35,760
Enforce compliance.
579
00:22:35,760 –> 00:22:37,320
Reach a state of readiness.
580
00:22:37,320 –> 00:22:38,800
Then deploy new technology.
581
00:22:38,800 –> 00:22:41,000
The case study demonstrated something different.
582
00:22:41,000 –> 00:22:42,360
The opposite actually.
583
00:22:42,360 –> 00:22:45,760
Governance improvements happened faster because deployment pressure existed.
584
00:22:45,760 –> 00:22:47,040
Not in spite of the pressure.
585
00:22:47,040 –> 00:22:48,040
Because of it.
586
00:22:48,040 –> 00:22:49,040
This is counterintuitive.
587
00:22:49,040 –> 00:22:50,960
But it’s architecturally inevitable.
588
00:22:50,960 –> 00:22:55,240
When an organization commits to a co-pilot rollout, governance suddenly becomes urgent.
589
00:22:55,240 –> 00:22:57,760
Not theoretical, not aspirational, urgent.
590
00:22:57,760 –> 00:23:01,080
Teams that would have deferred remediation work for months, prioritise it in weeks.
591
00:23:01,080 –> 00:23:02,600
The business case becomes visible.
592
00:23:02,600 –> 00:23:04,000
The deadline becomes real.
593
00:23:04,000 –> 00:23:05,320
And the work gets done.
594
00:23:05,320 –> 00:23:07,240
Think about the governance team’s perspective.
595
00:23:07,240 –> 00:23:11,200
Normally they’re asking for time and resources to fix long-standing issues.
596
00:23:11,200 –> 00:23:15,640
Orphaned sites, unclassified data, oversharing, these problems have existed for years.
597
00:23:15,640 –> 00:23:16,640
Why fix them now?
598
00:23:16,640 –> 00:23:19,280
The organization has been operating this way indefinitely.
599
00:23:19,280 –> 00:23:20,280
But introduce co-pilot.
600
00:23:20,280 –> 00:23:21,760
Suddenly there’s a deadline.
601
00:23:21,760 –> 00:23:23,400
There’s executive visibility.
602
00:23:23,400 –> 00:23:24,920
There’s a metric that matters.
603
00:23:24,920 –> 00:23:27,120
Can we deploy safely or not?
604
00:23:27,120 –> 00:23:30,160
Governance becomes a business enabler instead of a compliance constraint.
605
00:23:30,160 –> 00:23:31,840
This alignment is powerful.
606
00:23:31,840 –> 00:23:35,720
The same work that was deferred for years because it felt like maintenance becomes urgent
607
00:23:35,720 –> 00:23:37,360
because it enables innovation.
608
00:23:37,360 –> 00:23:40,880
The governance team isn’t asking for resources to catch up on backlog.
609
00:23:40,880 –> 00:23:44,200
They’re asking for resources to accelerate co-pilot readiness.
610
00:23:44,200 –> 00:23:45,720
And that request gets granted.
611
00:23:45,720 –> 00:23:48,560
The case study organization understood this instinctively.
612
00:23:48,560 –> 00:23:52,480
Their governance team didn’t propose a six-month remediation phase before deployment.
613
00:23:52,480 –> 00:23:54,400
They proposed parallel tracks.
614
00:23:54,400 –> 00:23:56,000
Improve governance while deploying.
615
00:23:56,000 –> 00:23:57,520
Let the two reinforce each other.
616
00:23:57,520 –> 00:23:59,160
And that’s exactly what happened.
617
00:23:59,160 –> 00:24:03,760
Track one ran in the background, scanning, classifying, assigning ownership, applying policies.
618
00:24:03,760 –> 00:24:05,720
Every week the governance metrics improved.
619
00:24:05,720 –> 00:24:07,200
More sites had documented owners.
620
00:24:07,200 –> 00:24:09,120
More content had sensitivity labels.
621
00:24:09,120 –> 00:24:12,040
More policies were in place to enforce controls continuously.
622
00:24:12,040 –> 00:24:15,640
Track two moved forward, pilots, metrics, expansion, visible value.
623
00:24:15,640 –> 00:24:17,280
But here’s what’s critical architecturally.
624
00:24:17,280 –> 00:24:21,000
Track one was not waiting for Track two, and Track two was not delayed by Track one.
625
00:24:21,000 –> 00:24:23,680
The two moved in parallel, and they reinforced each other.
626
00:24:23,680 –> 00:24:24,840
Week one.
627
00:24:24,840 –> 00:24:27,400
Track two pilots launched to three business units.
628
00:24:27,400 –> 00:24:29,480
Track one began scanning the full tenant.
629
00:24:29,480 –> 00:24:30,720
Nothing blocked the other.
630
00:24:30,720 –> 00:24:34,080
Week two, Track two was measuring adoption and productivity gains.
631
00:24:34,080 –> 00:24:36,280
Track one was completing initial classification.
632
00:24:36,280 –> 00:24:39,600
The scans identified 847 orphaned sites.
633
00:24:39,600 –> 00:24:43,080
The discovery felt urgent, not paralyzing because pilots were already running.
634
00:24:43,080 –> 00:24:44,720
The organization had forward momentum.
635
00:24:44,720 –> 00:24:46,720
Week three, Track two released metrics.
636
00:24:46,720 –> 00:24:49,000
Twenty-six minutes per day, measurable, visible.
637
00:24:49,000 –> 00:24:51,280
This became the business case for expansion.
638
00:24:51,280 –> 00:24:54,960
Meanwhile, Track one was assigning interim ownership to non-compliant sites.
639
00:24:54,960 –> 00:24:56,960
Ninety-four percent remediation within two weeks.
640
00:24:56,960 –> 00:24:57,960
Week four.
641
00:24:57,960 –> 00:24:58,960
Momentum.
642
00:24:58,960 –> 00:24:59,960
Business units wanted co-pilot.
643
00:24:59,960 –> 00:25:01,760
Leadership saw ROI.
644
00:25:01,760 –> 00:25:05,400
Governance teams saw their work accelerating the rollout, not delaying it.
645
00:25:05,400 –> 00:25:08,640
Week ten, Track two had expanded to additional business units.
646
00:25:08,640 –> 00:25:10,600
Co-pilot was live for thousands of users.
647
00:25:10,600 –> 00:25:12,520
Track one had completed remediation.
648
00:25:12,520 –> 00:25:14,840
Governance improved measurably across the tenant.
649
00:25:14,840 –> 00:25:18,000
The organization had achieved something most organizations can’t.
650
00:25:18,000 –> 00:25:21,040
They improved governance while deploying new technology, not after.
651
00:25:21,040 –> 00:25:24,040
This is only possible when governance and deployment are aligned.
652
00:25:24,040 –> 00:25:29,040
When governance enables deployment instead of blocking it, urgency accelerates the work.
653
00:25:29,040 –> 00:25:33,120
When IT leaders see co-pilot delivering value, they become motivated to extend governance
654
00:25:33,120 –> 00:25:37,240
controls to enable broader rollout, not to constrain rollout, to accelerate it.
655
00:25:37,240 –> 00:25:38,760
This is the synthesis.
656
00:25:38,760 –> 00:25:40,920
Deployment pressure accelerates governance.
657
00:25:40,920 –> 00:25:42,920
Governance improvements enable safer deployment.
658
00:25:42,920 –> 00:25:44,160
The two feed each other.
659
00:25:44,160 –> 00:25:46,240
They’re not sequential, they’re synchronized.
660
00:25:46,240 –> 00:25:50,920
The organization moved from not ready to ready enough, not by waiting for perfect conditions.
661
00:25:50,920 –> 00:25:54,520
But by moving forward while building the conditions for safe progress, every governance
662
00:25:54,520 –> 00:25:56,520
improvement unlocked more deployment.
663
00:25:56,520 –> 00:25:59,560
Every successful deployment created urgency for more governance.
664
00:25:59,560 –> 00:26:00,560
The two moved together.
665
00:26:00,560 –> 00:26:05,840
This is how you convert governance from a gate that stops progress into a track that enables it.
666
00:26:05,840 –> 00:26:10,240
The metrics that matter, remediation rate, triage speed and ROI.
667
00:26:10,240 –> 00:26:14,720
Three metrics convinced skeptical IT leaders that parallel governance was the right approach.
668
00:26:14,720 –> 00:26:16,880
Not arguments, not architectural philosophy.
669
00:26:16,880 –> 00:26:21,240
Metrics, numbers that aligned with how leadership thinks about money and time and risk.
670
00:26:21,240 –> 00:26:24,080
Remediation rate, the first metric surprised almost everyone.
671
00:26:24,080 –> 00:26:29,240
94% of orphan sites had documented owners and sensitivity labels within 10 weeks.
672
00:26:29,240 –> 00:26:33,560
This outcome shocked people who believed remediation required months, maybe a year.
673
00:26:33,560 –> 00:26:37,360
Some organizations run these projects for 18 months before declaring success.
674
00:26:37,360 –> 00:26:40,000
Not this one, 94% in 10 weeks.
675
00:26:40,000 –> 00:26:41,840
The distinction is important.
676
00:26:41,840 –> 00:26:46,760
Without deployment pressure, similar remediation rates typically require 6 to 12 months.
677
00:26:46,760 –> 00:26:48,040
Manual processes.
678
00:26:48,040 –> 00:26:49,440
Humans inspecting lists.
679
00:26:49,440 –> 00:26:50,800
Humans sending notifications.
680
00:26:50,800 –> 00:26:51,960
Humans following up.
681
00:26:51,960 –> 00:26:53,160
Humans categorizing.
682
00:26:53,160 –> 00:26:55,120
The work proceeds at human pace.
683
00:26:55,120 –> 00:27:00,880
With deployment pressure, that timeline compresses dramatically. Same work, same problem, completely different velocity.
684
00:27:00,880 –> 00:27:02,320
Urgency becomes a catalyst.
685
00:27:02,320 –> 00:27:05,680
Suddenly the governance team’s remediation work is not maintenance.
686
00:27:05,680 –> 00:27:06,680
It’s enablement.
687
00:27:06,680 –> 00:27:08,120
It’s unblocking co-pilot.
688
00:27:08,120 –> 00:27:09,800
It gets resourced accordingly.
689
00:27:09,800 –> 00:27:11,320
It gets prioritized accordingly.
690
00:27:11,320 –> 00:27:12,360
It gets done accordingly.
691
00:27:12,360 –> 00:27:16,320
The organization had accelerated remediation by a factor of approximately 6.
692
00:27:16,320 –> 00:27:17,680
That’s not incremental improvement.
693
00:27:17,680 –> 00:27:19,880
That’s a fundamental shift in how the work is done.
694
00:27:19,880 –> 00:27:23,160
SharePoint Advanced Management policies automated much of this.
695
00:27:23,160 –> 00:27:24,640
You don’t wait for humans to decide.
696
00:27:24,640 –> 00:27:26,160
The policy detects violations.
697
00:27:26,160 –> 00:27:27,600
The policy notifies owners.
698
00:27:27,600 –> 00:27:29,520
The policy assigns interim stewards.
699
00:27:29,520 –> 00:27:31,000
Humans respond to notifications.
700
00:27:31,000 –> 00:27:32,160
They provide information.
701
00:27:32,160 –> 00:27:33,520
They confirm decisions.
702
00:27:33,520 –> 00:27:35,880
The system enforces compliance.
703
00:27:35,880 –> 00:27:37,120
Automation removes the bottleneck.
704
00:27:37,120 –> 00:27:38,760
Human judgment doesn’t.
705
00:27:38,760 –> 00:27:40,200
Automation does the systematic work.
706
00:27:40,200 –> 00:27:42,960
Humans make the judgment calls when you structure it that way.
707
00:27:42,960 –> 00:27:44,360
Velocity increases dramatically.
708
00:27:44,360 –> 00:27:45,360
Time to triage.
709
00:27:45,360 –> 00:27:47,560
The second metric was speed in a different dimension.
710
00:27:47,560 –> 00:27:51,960
Initial risk assessment for all 847 sites completed in 72 hours.
711
00:27:51,960 –> 00:27:52,960
Three days.
712
00:27:52,960 –> 00:27:53,960
Not three months.
713
00:27:53,960 –> 00:27:54,960
Not three weeks.
714
00:27:54,960 –> 00:27:57,440
Three days to visibility on the entire estate.
715
00:27:57,440 –> 00:28:01,200
This was only possible because the organization used automated scanning tools.
716
00:28:01,200 –> 00:28:03,720
Purview ran across 847 sites in parallel.
717
00:28:03,720 –> 00:28:05,640
Purview identified sensitive data.
718
00:28:05,640 –> 00:28:07,400
Purview applied classifications.
719
00:28:07,400 –> 00:28:08,720
All simultaneously.
720
00:28:08,720 –> 00:28:09,800
Not sequentially.
721
00:28:09,800 –> 00:28:11,560
Not human inspection based.
722
00:28:11,560 –> 00:28:13,320
Manual approaches would have taken months.
723
00:28:13,320 –> 00:28:15,000
You’d need to inspect each site.
724
00:28:15,000 –> 00:28:16,000
Review documents.
725
00:28:16,000 –> 00:28:17,600
Make classification judgments.
726
00:28:17,600 –> 00:28:18,600
Document findings.
727
00:28:18,600 –> 00:28:19,600
Build reports.
728
00:28:19,600 –> 00:28:21,160
Weeks of work for a team of people.
729
00:28:21,160 –> 00:28:25,760
Instead, machines scanned, machines classified, machines reported in 72 hours the organization
730
00:28:25,760 –> 00:28:30,400
had visibility into which sites contained what data and which needed remediation.
731
00:28:30,400 –> 00:28:32,520
This visibility is the prerequisite for management.
732
00:28:32,520 –> 00:28:34,240
You can’t manage what you can’t see.
733
00:28:34,240 –> 00:28:35,720
72 hours.
734
00:28:35,720 –> 00:28:40,200
Transformed this organization from invisible chaos to visible, measurable risk.
735
00:28:40,200 –> 00:28:42,640
Once triage was complete, decision making became possible.
736
00:28:42,640 –> 00:28:44,800
The organization could prioritize.
737
00:28:44,800 –> 00:28:46,800
Which sites contained the most sensitive data?
738
00:28:46,800 –> 00:28:48,160
Which had the broadest access?
739
00:28:48,160 –> 00:28:49,960
Which posed the highest compliance risk?
740
00:28:49,960 –> 00:28:55,400
These questions had answers now based on data, based on scans, based on automated analysis.
741
00:28:55,400 –> 00:28:57,560
That’s how you move from reactive to strategic governance.
742
00:28:57,560 –> 00:28:58,560
ROI signal.
743
00:28:58,560 –> 00:29:01,200
The third metric connected governance to business value.
744
00:29:01,200 –> 00:29:03,200
This is where leadership actually pays attention.
745
00:29:03,200 –> 00:29:07,800
Microsoft research suggests co-pilot delivers approximately $3.70 of productivity
746
00:29:07,800 –> 00:29:09,480
value for every dollar invested.
747
00:29:09,480 –> 00:29:14,040
Whether that exact ratio holds for your organization is less important than the principle.
748
00:29:14,040 –> 00:29:15,600
Co-pilot creates measurable value.
749
00:29:15,600 –> 00:29:18,880
The case study organization measured this directly in their pilot.
750
00:29:18,880 –> 00:29:21,440
26 minutes of daily time savings per user.
751
00:29:21,440 –> 00:29:24,440
At $75 per hour, fully loaded labor cost.
752
00:29:24,440 –> 00:29:27,920
That’s $18,000 in annual productivity value per user.
753
00:29:27,920 –> 00:29:33,320
For 1,200 pilot users, that’s $21.6 million in annual productivity gains.
754
00:29:33,320 –> 00:29:36,560
Co-pilot licensing costs $30 per user per month.
755
00:29:36,560 –> 00:29:39,200
The ROI becomes visible within the first month of deployment.
756
00:29:39,200 –> 00:29:40,200
Now reverse it.
757
00:29:40,200 –> 00:29:41,880
Delaying deployment delays these gains.
758
00:29:41,880 –> 00:29:47,080
Every month of delay costs approximately $1.8 million in deferred productivity value for
759
00:29:47,080 –> 00:29:48,840
a 1,200 person organization.
760
00:29:48,840 –> 00:29:51,200
These metrics shifted the entire conversation.
761
00:29:51,200 –> 00:29:53,800
The question stopped being, is governance perfect?
762
00:29:53,800 –> 00:29:57,320
It became, are we capturing value while improving governance?
763
00:29:57,320 –> 00:29:59,920
That’s how you move an organization forward.
764
00:29:59,920 –> 00:30:01,280
SharePoint Advanced Management.
765
00:30:01,280 –> 00:30:03,040
The automation layer.
766
00:30:03,040 –> 00:30:07,360
SharePoint Advanced Management is not optional infrastructure for organizations pursuing parallel
767
00:30:07,360 –> 00:30:08,360
governance.
768
00:30:08,360 –> 00:30:09,360
It is the foundation.
769
00:30:09,360 –> 00:30:10,360
Everything else builds on it.
770
00:30:10,360 –> 00:30:14,360
Without SAM, you’re attempting to manage governance through manual processes.
771
00:30:14,360 –> 00:30:17,840
Human inspection, human notification, human follow-up, human escalation.
772
00:30:17,840 –> 00:30:22,920
This approach does not scale, not to 847 sites, not to thousands, not to tens of thousands.
773
00:30:22,920 –> 00:30:27,560
SAM removes humans from the repetitive work and lets them focus on judgment calls.
774
00:30:27,560 –> 00:30:31,520
SAM provides several critical capabilities that make the parallel track approach architecturally
775
00:30:31,520 –> 00:30:32,520
feasible.
776
00:30:32,520 –> 00:30:36,120
They’re not flashy, they’re not innovative, but they’re relentlessly operational.
777
00:30:36,120 –> 00:30:37,760
Site life cycle policies.
778
00:30:37,760 –> 00:30:41,360
These automatically detect inactive sites and enforce expiration rules.
779
00:30:41,360 –> 00:30:42,720
You define inactivity.
780
00:30:42,720 –> 00:30:44,360
90 days without modification.
781
00:30:44,360 –> 00:30:45,680
180 days without a visit.
782
00:30:45,680 –> 00:30:46,680
You choose.
783
00:30:46,680 –> 00:30:48,480
And SAM scans continuously.
784
00:30:48,480 –> 00:30:51,480
Sites that exceed the inactivity threshold trigger notifications.
785
00:30:51,480 –> 00:30:55,000
Not once, monthly for three months, the owner receives email.
786
00:30:55,000 –> 00:30:59,000
This site appears inactive, certify continued value or it will be archived.
787
00:30:59,000 –> 00:31:01,520
Most owners respond, some ignore it.
788
00:31:01,520 –> 00:31:04,600
After three months of non-response, the policy enforces the action.
789
00:31:04,600 –> 00:31:05,600
Read only mode.
790
00:31:05,600 –> 00:31:07,280
The site stops accepting changes.
791
00:31:07,280 –> 00:31:12,480
Or it gets archived entirely, moved to lower cost storage via Microsoft 365 Archive.
792
00:31:12,480 –> 00:31:16,320
This is deterministic governance, not probabilistic, not dependent on someone remembering to
793
00:31:16,320 –> 00:31:21,440
check. The policy runs, the policy notifies, the policy enforces. Humans respond to notifications.
794
00:31:21,440 –> 00:31:22,440
They make the judgment.
795
00:31:22,440 –> 00:31:25,840
The system executes. Ownership policies.
796
00:31:25,840 –> 00:31:29,280
These ensure every site has accountable administrators.
797
00:31:29,280 –> 00:31:32,400
And this is where the automation matters most in the case study.
798
00:31:32,400 –> 00:31:37,520
The organization configured ownership policies to require minimum two owners per site.
799
00:31:37,520 –> 00:31:40,320
Redundancy, if one owner leaves, the site doesn’t orphan.
800
00:31:40,320 –> 00:31:43,280
SAM automatically detects sites failing this requirement.
801
00:31:43,280 –> 00:31:48,240
Every scan, sites with fewer than two owners get flagged, notifications go out, not to generic
802
00:31:48,240 –> 00:31:51,040
IT mailboxes, to specific stakeholders.
803
00:31:51,040 –> 00:31:54,000
Site members, interim administrators, managers.
804
00:31:54,000 –> 00:31:55,440
The notification is specific.
805
00:31:55,440 –> 00:31:57,560
This site currently lacks required ownership.
806
00:31:57,560 –> 00:31:58,840
Please identify an owner.
807
00:31:58,840 –> 00:31:59,840
Please document them.
808
00:31:59,840 –> 00:32:00,840
Please confirm.
809
00:32:00,840 –> 00:32:03,800
Not fix your governance, specific directives.
810
00:32:03,800 –> 00:32:07,920
Within SAM’s architecture, the system can even assign interim administrators automatically.
811
00:32:07,920 –> 00:32:11,520
Not permanent, explicitly interim from a designated pool, people who volunteered for
812
00:32:11,520 –> 00:32:15,840
this role, who understand it’s temporary, whose job is to stabilize the site, not own it
813
00:32:15,840 –> 00:32:16,840
forever.
814
00:32:16,840 –> 00:32:19,720
This removes the paralysis, someone owns the site immediately.
815
00:32:19,720 –> 00:32:20,720
Not eventually.
816
00:32:20,720 –> 00:32:25,160
Now, that interim owner stabilizes the situation, identifies the real owner, documents them,
817
00:32:25,160 –> 00:32:27,240
escalates, then steps the site.
818
00:32:27,240 –> 00:32:31,480
Restricted access control, this limits co-pilot indexing scope for sensitive environments.
819
00:32:31,480 –> 00:32:35,680
Once the site is remediated, you can control whether co-pilot surfaces its content.
820
00:32:35,680 –> 00:32:37,600
Not all sites need to be co-pilot visible.
821
00:32:37,600 –> 00:32:42,200
Some contain legacy data, some contain experimental content, some contain vendor information that
822
00:32:42,200 –> 00:32:44,560
shouldn’t flow through an AI system.
823
00:32:44,560 –> 00:32:48,000
SAM policies let you exclude specific sites from co-pilot scope.
824
00:32:48,000 –> 00:32:54,160
Not by manual list, by policy, by sensitivity label, by retention status, deterministically.
825
00:32:54,160 –> 00:32:58,000
Site access reviews, these ensure permissions remain appropriate over time.
826
00:32:58,000 –> 00:32:59,000
Not once.
827
00:32:59,000 –> 00:33:02,680
Continuously, owners receive notifications on a schedule, quarterly, annually.
828
00:33:02,680 –> 00:33:04,080
Review who has access.
829
00:33:04,080 –> 00:33:06,880
Confirm these permissions are still needed, remove who shouldn’t be here.
830
00:33:06,880 –> 00:33:11,040
These are not optional, policies enforce them, non-response triggers escalation.
831
00:33:11,040 –> 00:33:15,440
In the case study, the organization configured all four capabilities simultaneously.
832
00:33:15,440 –> 00:33:19,520
The policies ran monthly, they identified non-compliant sites, they sent notifications,
833
00:33:19,520 –> 00:33:21,160
they assigned interim stewards.
834
00:33:21,160 –> 00:33:24,680
They generated reports showing exactly which sites required action.
835
00:33:24,680 –> 00:33:29,000
Here’s the operational detail, SAM policies are not free, they require SharePoint Advanced
836
00:33:29,000 –> 00:33:33,360
Management Licensing, typically $3 to $5 per user per month, but compare that cost to
837
00:33:33,360 –> 00:33:34,800
manual governance.
838
00:33:34,800 –> 00:33:37,440
Someone reviewing 847 sites manually.
839
00:33:37,440 –> 00:33:41,560
Someone sending notifications, someone following up on non-responses, someone escalating,
840
00:33:41,560 –> 00:33:43,080
someone documenting.
841
00:33:43,080 –> 00:33:46,280
That human cost exceeds SAM licensing by a factor of 10 or more.
842
00:33:46,280 –> 00:33:49,280
SAM pays for itself immediately through labor elimination alone.
843
00:33:49,280 –> 00:33:53,560
The case study organization understood this, they invested in SAM, they configured policies
844
00:33:53,560 –> 00:33:57,720
comprehensively, they let the automation run, and that automation was the force multiplier
845
00:33:57,720 –> 00:34:00,880
that made 94% remediation in 10 weeks possible.
846
00:34:00,880 –> 00:34:04,400
Without SAM, those 847 sites would still be unmanaged.
847
00:34:04,400 –> 00:34:09,680
Because humans can’t inspect 847 sites efficiently, machines can. Purview provides the data protection
848
00:34:09,680 –> 00:34:13,960
layer, SAM provides the governance automation layer. Together they create the foundation
849
00:34:13,960 –> 00:34:17,600
for parallel governance to work.
850
00:34:17,600 –> 00:34:21,880
Microsoft Purview, the data protection layer. Microsoft Purview provides the classification
851
00:34:21,880 –> 00:34:25,400
and protection mechanisms that enable safe copilot deployment.
852
00:34:25,400 –> 00:34:29,360
If SAM is the governance automation layer, Purview is the data protection layer, the two are
853
00:34:29,360 –> 00:34:30,360
complementary.
854
00:34:30,360 –> 00:34:33,000
Without both, parallel governance fails.
855
00:34:33,000 –> 00:34:35,640
You address a problem that SAM doesn’t solve.
856
00:34:35,640 –> 00:34:38,880
What data exists, where it is, and what protection it requires.
857
00:34:38,880 –> 00:34:42,320
SAM ensures sites have owners, Purview ensures data is classified.
858
00:34:42,320 –> 00:34:45,720
These are different problems requiring different solutions.
859
00:34:45,720 –> 00:34:50,240
Sensitivity labels form the foundation, they define classification levels, public, internal,
860
00:34:50,240 –> 00:34:51,800
confidential, highly confidential.
861
00:34:51,800 –> 00:34:54,520
Each level carries implications downstream.
862
00:34:54,520 –> 00:34:58,520
When a document receives a confidential label, encryption activates, access restrictions
863
00:34:58,520 –> 00:35:03,080
activate, DLP policies activate, retention policies activate, sharing restrictions activate,
864
00:35:03,080 –> 00:35:04,680
the label is not metadata.
865
00:35:04,680 –> 00:35:06,240
It is an enforcement mechanism.
866
00:35:06,240 –> 00:35:08,760
Auto labeling policies are where the operational power resides.
867
00:35:08,760 –> 00:35:13,960
Instead of asking users to classify documents, you build policies that classify automatically.
868
00:35:13,960 –> 00:35:17,840
This removes the dependency on user behavior, which almost always fails at scale.
869
00:35:17,840 –> 00:35:22,320
Purview can identify credit card numbers via pattern matching, bank account numbers, SWIFT
870
00:35:22,320 –> 00:35:25,520
codes, social security numbers, passport numbers.
871
00:35:25,520 –> 00:35:29,640
The patterns are well defined, the detection is reliable, when Purview scans a document
872
00:35:29,640 –> 00:35:33,480
and detects credit card numbers, it applies a confidential label automatically.
873
00:35:33,480 –> 00:35:35,080
No human intervention required.
874
00:35:35,080 –> 00:35:40,160
The organization also configured pattern matching via regular expressions for proprietary data,
875
00:35:40,160 –> 00:35:46,360
internal naming conventions, specific identifier formats, once defined, Purview scanned continuously,
876
00:35:46,360 –> 00:35:52,120
when documents match these patterns, they receive the highly confidential label automatically.
877
00:35:52,120 –> 00:35:55,200
Data loss prevention policies work in conjunction with labels.
878
00:35:55,200 –> 00:36:00,960
DLP policies say, if a document with a highly confidential label is about to be shared externally,
879
00:36:00,960 –> 00:36:05,600
block it, or warn the user, or allow it with justification, or simply audit and log the action,
880
00:36:05,600 –> 00:36:08,120
you define the policy, Purview enforces it.
881
00:36:08,120 –> 00:36:12,760
In the case study, the organization configured DLP to block external sharing of highly confidential
882
00:36:12,760 –> 00:36:13,760
content entirely.
883
00:36:13,760 –> 00:36:17,040
No workarounds, no justifications, the boundary was firm.
884
00:36:17,040 –> 00:36:20,000
Insider Risk Management detects potentially risky behavior.
885
00:36:20,000 –> 00:36:24,000
Users downloading large amounts of sensitive data, users accessing confidential documents
886
00:36:24,000 –> 00:36:25,800
they normally don’t interact with.
887
00:36:25,800 –> 00:36:28,720
Users forwarding sensitive emails outside the organization.
888
00:36:28,720 –> 00:36:30,200
These actions trigger alerts.
889
00:36:30,200 –> 00:36:32,880
This is particularly important in co-pilot environments.
890
00:36:32,880 –> 00:36:36,040
Co-pilot enables rapid synthesis and reuse of information.
891
00:36:36,040 –> 00:36:41,160
The user can query co-pilot and co-pilot surfaces relevant documents from across the organization.
892
00:36:41,160 –> 00:36:46,080
The user can then copy that synthesis, combine it with other information, and share it widely.
893
00:36:46,080 –> 00:36:47,560
This speed creates risk.
894
00:36:47,560 –> 00:36:49,480
Insider Risk Management monitors these patterns.
895
00:36:49,480 –> 00:36:52,840
The case study organization’s Purview configuration was systematic.
896
00:36:52,840 –> 00:36:55,640
They configured auto labeling rules for financial data.
897
00:36:55,640 –> 00:36:57,640
Credit card numbers triggered confidential.
898
00:36:57,640 –> 00:36:59,520
Bank account numbers triggered confidential.
899
00:36:59,520 –> 00:37:01,200
SWIFT codes triggered confidential.
900
00:37:01,200 –> 00:37:04,800
They configured auto labeling for personally identifiable information.
901
00:37:04,800 –> 00:37:06,680
Social security numbers triggered confidential.
902
00:37:06,680 –> 00:37:08,520
Passport numbers triggered confidential.
903
00:37:08,520 –> 00:37:11,520
They configured auto labeling for proprietary information.
904
00:37:11,520 –> 00:37:14,680
Specific internal naming patterns triggered highly confidential.
905
00:37:14,680 –> 00:37:18,360
Trade secrets, strategic plans, competitive data.
906
00:37:18,360 –> 00:37:22,320
Once labelled, DLP policies enforced restrictions. Highly confidential content could
907
00:37:22,320 –> 00:37:23,800
not be shared externally.
908
00:37:23,800 –> 00:37:24,800
Period.
909
00:37:24,800 –> 00:37:26,800
Confidential content could be shared with approval.
910
00:37:26,800 –> 00:37:31,480
Audit policies logged all co-pilot interactions involving confidential or highly confidential data.
911
00:37:31,480 –> 00:37:34,080
These policies were configured before co-pilot deployment.
912
00:37:34,080 –> 00:37:35,080
They were not perfect.
913
00:37:35,080 –> 00:37:36,400
Some edge cases existed.
914
00:37:36,400 –> 00:37:37,760
Some false positives occurred.
915
00:37:37,760 –> 00:37:39,920
Some documents lacked classification initially.
916
00:37:39,920 –> 00:37:42,240
But the policies were sufficient to manage risk.
917
00:37:42,240 –> 00:37:43,840
And critically, they were systematic.
918
00:37:43,840 –> 00:37:47,440
As the organization learned how co-pilot was being used, they refined policies.
919
00:37:47,440 –> 00:37:50,280
They identified patterns where classification had failed.
920
00:37:50,280 –> 00:37:51,280
They tightened rules.
921
00:37:51,280 –> 00:37:53,000
They expanded sightsees.
922
00:37:53,000 –> 00:37:54,560
Governance improved continuously.
923
00:37:54,560 –> 00:37:58,560
This is the critical insight that separates parallel governance from the gate model.
924
00:37:58,560 –> 00:38:02,000
Perfect classification is not a prerequisite for deployment.
925
00:38:02,000 –> 00:38:03,640
Systematic classification is.
926
00:38:03,640 –> 00:38:08,240
You do not require 100% of data to be perfectly classified before enabling co-pilot.
927
00:38:08,240 –> 00:38:13,680
You require mechanisms in place to classify data automatically, continuously and deterministically.
928
00:38:13,680 –> 00:38:17,400
Purview’s auto labeling ensures new documents get classified automatically.
929
00:38:17,400 –> 00:38:20,240
No manual intervention, no user behavior dependency.
930
00:38:20,240 –> 00:38:22,200
In scan, machines classify.
931
00:38:22,200 –> 00:38:23,200
Machines apply policies.
932
00:38:23,200 –> 00:38:25,680
Humans make judgment calls when policies require them.
933
00:38:25,680 –> 00:38:28,560
Over time, your classification posture improves.
934
00:38:28,560 –> 00:38:31,640
Not because you launched a massive remediation project.
935
00:38:31,640 –> 00:38:36,640
But because every new document gets classified, every document touched by DLP policies gets reviewed.
936
00:38:36,640 –> 00:38:39,280
Every interaction with co-pilot gets logged and monitored.
937
00:38:39,280 –> 00:38:40,280
Governance is not a project.
938
00:38:40,280 –> 00:38:41,280
It is continuous.
939
00:38:41,280 –> 00:38:45,720
And that continuous operation is what enables safe deployment while progress continues.
940
00:38:45,720 –> 00:38:49,160
Addressing the security objection, co-pilot does not bypass permissions.
941
00:38:49,160 –> 00:38:54,200
The most common objection that surfaces when governance teams encounter co-pilot is immediate and visceral.
942
00:38:54,200 –> 00:38:56,000
Co-pilot will expose sensitive data.
943
00:38:56,000 –> 00:38:57,600
This concern is understandable.
944
00:38:57,600 –> 00:38:59,800
The organization has classified data.
945
00:38:59,800 –> 00:39:03,960
Financial information, personnel records, trade secrets, strategic plans, and now they’re
946
00:39:03,960 –> 00:39:09,240
about to enable an AI system that will synthesize information from across the entire Microsoft 365
947
00:39:09,240 –> 00:39:10,240
estate.
948
00:39:10,240 –> 00:39:11,240
The fear is rational.
949
00:39:11,240 –> 00:39:15,040
But the concern is based on a misunderstanding of how co-pilot actually works.
950
00:39:15,040 –> 00:39:16,800
Co-pilot does not bypass permissions.
951
00:39:16,800 –> 00:39:18,520
This is fundamental to understand.
952
00:39:18,520 –> 00:39:24,040
It respects the same Microsoft Graph Permission model used by every other Microsoft 365 application.
953
00:39:24,040 –> 00:39:27,760
If a user cannot access a document today, co-pilot cannot retrieve it.
954
00:39:27,760 –> 00:39:30,960
This is enforced at the platform level, not at the application level.
955
00:39:30,960 –> 00:39:34,320
The Graph Permission check happens before co-pilot ever sees the document.
956
00:39:34,320 –> 00:39:37,680
If the user lacks access, the document is invisible to co-pilot.
957
00:39:37,680 –> 00:39:38,680
Period.
958
00:39:38,680 –> 00:39:40,440
This is not a feature unique to co-pilot.
959
00:39:40,440 –> 00:39:43,760
Every application in Microsoft 365 works this way.
960
00:39:43,760 –> 00:39:46,800
Outlook does not show emails the user cannot access.
961
00:39:46,800 –> 00:39:48,280
SharePoint does not display files
962
00:39:48,280 –> 00:39:50,000
the user has no permission to view.
963
00:39:50,000 –> 00:39:52,320
Teams does not surface channels the user cannot join.
964
00:39:52,320 –> 00:39:55,560
Microsoft Graph enforces permissions uniformly across the platform.
965
00:39:55,560 –> 00:39:58,280
Co-pilot inherits these exact same restrictions.
966
00:39:58,280 –> 00:40:03,720
What co-pilot does differently is surface information faster and synthesize it across sources.
967
00:40:03,720 –> 00:40:08,480
Instead of a user manually opening email, reading context, checking SharePoint, reviewing Teams
968
00:40:08,480 –> 00:40:12,160
messages, and synthesizing conclusions, co-pilot does this in seconds.
969
00:40:12,160 –> 00:40:13,840
The information synthesis is faster.
970
00:40:13,840 –> 00:40:14,920
The scope is broader.
971
00:40:14,920 –> 00:40:17,280
But the permission boundaries remain unchanged.
972
00:40:17,280 –> 00:40:18,800
This is a critical distinction.
973
00:40:18,800 –> 00:40:19,880
Co-pilot does not create risk.
974
00:40:19,880 –> 00:40:21,640
It reveals existing risk posture.
975
00:40:21,640 –> 00:40:26,000
When a security team worries that co-pilot will expose sensitive data, what they’re actually
976
00:40:26,000 –> 00:40:31,200
worried about is that co-pilot will surface data to users who shouldn’t have access.
977
00:40:31,200 –> 00:40:34,440
But if those users don’t have access today, co-pilot can’t surface it.
978
00:40:34,440 –> 00:40:38,280
If those users do have access today, then the risk already exists.
979
00:40:38,280 –> 00:40:41,720
The data already exists in those users’ accessible locations.
980
00:40:41,720 –> 00:40:43,640
In SharePoint sites, they can view.
981
00:40:43,640 –> 00:40:45,440
In Teams conversations, they can read.
982
00:40:45,440 –> 00:40:47,280
In email threads, they can access.
983
00:40:47,280 –> 00:40:49,880
Co-pilot doesn’t move data outside those boundaries.
984
00:40:49,880 –> 00:40:53,240
It surfaces information within existing permissions scopes.
985
00:40:53,240 –> 00:40:57,720
In the case study, the organization’s security team initially resisted co-pilot deployment
986
00:40:57,720 –> 00:40:59,880
due to precisely these concerns.
987
00:40:59,880 –> 00:41:03,360
Data exposure, unintended synthesis, breaches.
988
00:41:03,360 –> 00:41:05,400
But here’s what changed their perspective.
989
00:41:05,400 –> 00:41:09,680
As track one improved governance, assigning owners to orphaned sites, classifying sensitive
990
00:41:09,680 –> 00:41:14,760
data, applying DLP policies, the security team could see governance actually improving.
991
00:41:14,760 –> 00:41:17,080
Not degrading, not hypothetically at risk.
992
00:41:17,080 –> 00:41:19,680
Actively improving. Sensitivity labels were being applied.
993
00:41:19,680 –> 00:41:21,040
Access was being reviewed.
994
00:41:21,040 –> 00:41:22,200
Permissions were being cleaned.
995
00:41:22,200 –> 00:41:25,320
And none of this happened in reaction to co-pilot concerns.
996
00:41:25,320 –> 00:41:28,720
It happened because the governance infrastructure existed to enforce it.
997
00:41:28,720 –> 00:41:33,280
The security team moved from co-pilot is a risk to co-pilot is a governance accelerator.
998
00:41:33,280 –> 00:41:37,000
Because co-pilot forces organizations to confront governance weaknesses.
999
00:41:37,000 –> 00:41:40,440
When you enable co-pilot, you suddenly care about where sensitive data lives.
1000
00:41:40,440 –> 00:41:42,080
You suddenly care about who can access it.
1001
00:41:42,080 –> 00:41:45,920
You suddenly care about oversharing. These problems existed before co-pilot, but co-pilot
1002
00:41:45,920 –> 00:41:48,360
makes them visible and urgent.
1003
00:41:48,360 –> 00:41:51,680
Organizations that would have tolerated permission drift for years suddenly prioritize
1004
00:41:51,680 –> 00:41:52,680
it.
1005
00:41:52,680 –> 00:41:54,120
Because co-pilot will surface that drift.
1006
00:41:54,120 –> 00:41:57,560
Because executives understand that co-pilot’s value depends on clean data.
1007
00:41:57,560 –> 00:41:59,400
This exposure is not a vulnerability.
1008
00:41:59,400 –> 00:42:00,400
It’s an opportunity.
1009
00:42:00,400 –> 00:42:02,840
The parallel track approach leverages this.
1010
00:42:02,840 –> 00:42:04,040
Deploy governance controls.
1011
00:42:04,040 –> 00:42:05,280
Enable co-pilot in clean zones.
1012
00:42:05,280 –> 00:42:06,640
Let both improve together.
1013
00:42:06,640 –> 00:42:10,080
Let the urgency of co-pilot deployment accelerate governance work.
1014
00:42:10,080 –> 00:42:14,240
Let the success of governance improvements enable broader co-pilot expansion.
1015
00:42:14,240 –> 00:42:16,600
The case study organization understood this eventually.
1016
00:42:16,600 –> 00:42:19,160
Their security team moved from blocking to enabling.
1017
00:42:19,160 –> 00:42:24,280
Not because co-pilot became less risky, but because governance became more systematic.
1018
00:42:24,280 –> 00:42:29,080
Because the organization now had mechanisms to detect and remediate risk continuously.
1019
00:42:29,080 –> 00:42:32,720
Because they could see co-pilot’s value without accepting governance degradation.
1020
00:42:32,720 –> 00:42:36,040
This is how you move security teams from no to yes.
1021
00:42:36,040 –> 00:42:38,000
Not by proving co-pilot is risk-free.
1022
00:42:38,000 –> 00:42:39,000
It’s not.
1023
00:42:39,000 –> 00:42:40,000
No technology is.
1024
00:42:40,000 –> 00:42:44,040
But by demonstrating that governance actually improves when you deploy with intention.
1025
00:42:44,040 –> 00:42:45,760
The cost of waiting.
1026
00:42:45,760 –> 00:42:48,080
Deferred value and compounding debt.
1027
00:42:48,080 –> 00:42:51,720
Organizations waiting for perfect governance before enabling co-pilot are solving the wrong
1028
00:42:51,720 –> 00:42:52,720
problem.
1029
00:42:52,720 –> 00:42:54,240
They think the problem is data quality.
1030
00:42:54,240 –> 00:42:56,600
They think the problem is classification completeness.
1031
00:42:56,600 –> 00:42:58,840
They think the problem is ownership clarity.
1032
00:42:58,840 –> 00:42:59,840
These are symptoms.
1033
00:42:59,840 –> 00:43:01,880
The actual problem is opportunity cost.
1034
00:43:01,880 –> 00:43:04,680
The real cost of delay is not fixing orphaned sites.
1035
00:43:04,680 –> 00:43:08,120
The real cost is deferred productivity plus compounding governance debt.
1036
00:43:08,120 –> 00:43:10,440
Two separate costs that move in opposite directions.
1037
00:43:10,440 –> 00:43:11,800
Let’s quantify the first one.
1038
00:43:11,800 –> 00:43:17,600
The case study organization measured 26 minutes of daily time savings per user in their pilot.
1039
00:43:17,600 –> 00:43:18,600
That’s not hypothetical.
1040
00:43:18,600 –> 00:43:19,600
That’s what they observed.
1041
00:43:19,600 –> 00:43:22,360
Across 1,200 users in high value roles.
1042
00:43:22,360 –> 00:43:23,600
The math is straightforward.
1043
00:43:23,600 –> 00:43:29,480
26 minutes per day times approximately 250 working days per year equals approximately 108
1044
00:43:29,480 –> 00:43:31,480
hours per year per user.
1045
00:43:31,480 –> 00:43:36,440
At 75 dollars per hour fully loaded labor cost, that’s 18,000 dollars in annual productivity
1046
00:43:36,440 –> 00:43:38,880
value per user for 1,200 users.
1047
00:43:38,880 –> 00:43:42,680
That’s 21.6 million dollars in annual productivity gains.
1048
00:43:42,680 –> 00:43:45,920
Co-pilot licensing costs approximately 30 dollars per user per month.
1049
00:43:45,920 –> 00:43:51,520
For 1,200 users, that’s 36,000 dollars per month or 432,000 dollars per year.
1050
00:43:51,520 –> 00:43:53,760
The ROI becomes visible within the first month.
1051
00:43:53,760 –> 00:43:57,520
By month two, the organization has recovered the licensing cost.
1052
00:43:57,520 –> 00:43:59,200
From that point forward, it’s net value.
1053
00:43:59,200 –> 00:44:00,640
Now reverse that timeline.
1054
00:44:00,640 –> 00:44:04,720
An organization that chose to pause co-pilot deployment for six months to remediate governance
1055
00:44:04,720 –> 00:44:06,880
would have deferred all of those gains.
1056
00:44:06,880 –> 00:44:12,720
Six months of delay means no productivity improvement, no time savings, no value capture.
1057
00:44:12,720 –> 00:44:17,880
Six months of 1,200 users, not receiving 26 minutes of daily productivity improvement,
1058
00:44:17,880 –> 00:44:21,160
equals 1.8 million dollars per month in deferred value.
1059
00:44:21,160 –> 00:44:24,440
For six months, that’s 10.8 million dollars in opportunity cost.
1060
00:44:24,440 –> 00:44:25,440
This is not theoretical.
1061
00:44:25,440 –> 00:44:26,600
This is not aspirational.
1062
00:44:26,600 –> 00:44:30,920
This is the actual financial cost of choosing to pause and remediate before deploying.
1063
00:44:30,920 –> 00:44:34,800
But there’s a second cost that’s less visible and more insidious, compounding governance
1064
00:44:34,800 –> 00:44:35,800
debt.
1065
00:44:35,800 –> 00:44:39,840
The longer an organization operates without automated governance controls, the worse governance
1066
00:44:39,840 –> 00:44:40,840
becomes.
1067
00:44:40,840 –> 00:44:43,760
Not stays the same. Becomes worse.
1068
00:44:43,760 –> 00:44:47,560
Every month without SAM policies, additional orphaned sites are created.
1069
00:44:47,560 –> 00:44:50,040
Projects launch, temporary teams form.
1070
00:44:50,040 –> 00:44:51,440
Collaboration spaces emerge.
1071
00:44:51,440 –> 00:44:53,360
Site creation continues at normal velocity.
1072
00:44:53,360 –> 00:44:58,200
But SAM is not there to detect inactivity or enforce ownership, so the orphaned sites accumulate.
1073
00:44:58,200 –> 00:45:02,520
Every month without Purview auto labeling, additional data goes unclassified.
1074
00:45:02,520 –> 00:45:03,680
Documents are written.
1075
00:45:03,680 –> 00:45:04,680
Data is stored.
1076
00:45:04,680 –> 00:45:06,680
And nobody is enforcing classification policy.
1077
00:45:06,680 –> 00:45:08,520
So the unclassified data accumulates.
1078
00:45:08,520 –> 00:45:12,760
Every month without DLP policies enforcing access controls, additional permission drift
1079
00:45:12,760 –> 00:45:13,760
occurs.
1080
00:45:13,760 –> 00:45:15,240
Users gain access to resources.
1081
00:45:15,240 –> 00:45:16,240
They change teams.
1082
00:45:16,240 –> 00:45:17,240
Their access lingers.
1083
00:45:17,240 –> 00:45:19,360
They leave the organization entirely.
1084
00:45:19,360 –> 00:45:21,040
Their access remains.
1085
00:45:21,040 –> 00:45:23,800
This becomes increasingly misaligned with current need.
1086
00:45:23,800 –> 00:45:25,600
This is entropy in the architectural sense.
1087
00:45:25,600 –> 00:45:27,320
Not chaos that stands still.
1088
00:45:27,320 –> 00:45:28,480
Chaos that compounds.
1089
00:45:28,480 –> 00:45:32,080
By the time an organization finishes a six month remediation phase and is ready to deploy
1090
00:45:32,080 –> 00:45:35,600
co-pilot, the governance environment has deteriorated further.
1091
00:45:35,600 –> 00:45:38,560
The organization now has not 847 orphaned sites.
1092
00:45:38,560 –> 00:45:41,240
It has 1,200, not 90% unclassified data.
1093
00:45:41,240 –> 00:45:42,800
It has 95%.
1094
00:45:42,800 –> 00:45:43,960
Not minor permission drift.
1095
00:45:43,960 –> 00:45:45,720
It has major permissions sprawl.
1096
00:45:45,720 –> 00:45:49,480
The problem you were trying to solve six months ago has become substantially worse.
1097
00:45:49,480 –> 00:45:51,000
This is the paradox of waiting.
1098
00:45:51,000 –> 00:45:55,120
The longer you wait to improve governance, the worse governance becomes.
1099
00:45:55,120 –> 00:45:57,920
The parallel track approach breaks this paradox entirely.
1100
00:45:57,920 –> 00:45:59,720
You improve governance while deploying.
1101
00:45:59,720 –> 00:46:01,920
You don’t choose between governance and productivity.
1102
00:46:01,920 –> 00:46:03,480
You achieve both simultaneously.
1103
00:46:03,480 –> 00:46:05,280
The governance work doesn’t get deferred.
1104
00:46:05,280 –> 00:46:06,400
It runs in parallel.
1105
00:46:06,400 –> 00:46:08,360
The productivity value doesn’t get delayed.
1106
00:46:08,360 –> 00:46:09,840
It flows immediately.
1107
00:46:09,840 –> 00:46:12,640
The case study organization understood this instinctively.
1108
00:46:12,640 –> 00:46:13,640
They did not pause.
1109
00:46:13,640 –> 00:46:14,920
They did not remediate first.
1110
00:46:14,920 –> 00:46:16,280
They deployed while remediating.
1111
00:46:16,280 –> 00:46:17,800
They captured value from day one.
1112
00:46:17,800 –> 00:46:19,600
They improved governance continuously.
1113
00:46:19,600 –> 00:46:24,280
And they moved from not ready to ready enough in 10 weeks instead of 6 months.
1114
00:46:24,280 –> 00:46:29,400
The organization that chose the pause approach would have been $10.8M poorer and in worse governance
1115
00:46:29,400 –> 00:46:31,480
shape when they finally deployed.
1116
00:46:31,480 –> 00:46:33,360
That cost differential is not incidental.
1117
00:46:33,360 –> 00:46:34,360
It’s structural.
1118
00:46:34,360 –> 00:46:37,240
It’s the cost of choosing a gate instead of a track.
1119
00:46:37,240 –> 00:46:40,200
Governance as track, not gate: the architectural principle.
1120
00:46:40,200 –> 00:46:43,920
The core principle of parallel governance is simple but transformative.
1121
00:46:43,920 –> 00:46:44,920
Governance is not a gate.
1122
00:46:44,920 –> 00:46:47,040
Governance is the track the deployment runs on.
1123
00:46:47,040 –> 00:46:50,600
This distinction matters architecturally because it changes everything about how you structure
1124
00:46:50,600 –> 00:46:51,600
the work.
1125
00:46:51,600 –> 00:46:54,280
A gate is a checkpoint, a threshold, a boundary.
1126
00:46:54,280 –> 00:46:57,200
You must reach this state before you can proceed to the next state.
1127
00:46:57,200 –> 00:46:58,680
You must pass through the gate.
1128
00:46:58,680 –> 00:47:02,640
Until you do, progress stops. This is how most organizations treat readiness assessments.
1129
00:47:02,640 –> 00:47:03,640
They check off boxes.
1130
00:47:03,640 –> 00:47:05,640
Does the organization have MFA?
1131
00:47:05,640 –> 00:47:06,640
Check.
1132
00:47:06,640 –> 00:47:08,280
Does the organization have DLP policies?
1133
00:47:08,280 –> 00:47:09,280
Check.
1134
00:47:09,280 –> 00:47:11,000
Does the organization have sensitivity labels?
1135
00:47:11,000 –> 00:47:12,000
Check.
1136
00:47:12,000 –> 00:47:13,680
Does the organization have site lifecycle policies?
1137
00:47:13,680 –> 00:47:17,560
Check. Once all boxes are marked complete, the organization passes through the gate.
1138
00:47:17,560 –> 00:47:19,080
Copilot deployment can begin.
1139
00:47:19,080 –> 00:47:21,880
This approach assumes something that’s never true.
1140
00:47:21,880 –> 00:47:24,560
That perfect governance is possible before deployment.
1141
00:47:24,560 –> 00:47:25,560
It is not.
1142
00:47:25,560 –> 00:47:26,560
Governance is never perfect.
1143
00:47:26,560 –> 00:47:27,560
It is never complete.
1144
00:47:27,560 –> 00:47:32,520
It never reaches a final state where all conditions are optimal and all risks are eliminated.
1145
00:47:32,520 –> 00:47:34,600
That state does not exist in operating systems.
1146
00:47:34,600 –> 00:47:35,960
It does not exist in infrastructure.
1147
00:47:35,960 –> 00:47:37,560
It does not exist in organizations.
1148
00:47:37,560 –> 00:47:39,000
Imperfection is not a failure mode.
1149
00:47:39,000 –> 00:47:40,920
It is the natural state of complex systems.
1150
00:47:40,920 –> 00:47:44,920
What matters is whether those systems have mechanisms to detect and remediate imperfection
1151
00:47:44,920 –> 00:47:45,920
continuously.
1152
00:47:45,920 –> 00:47:49,320
The parallel track model accepts that governance will be imperfect.
1153
00:47:49,320 –> 00:47:53,240
It focuses instead on making governance systematic and continuous.
1154
00:47:53,240 –> 00:47:56,080
SAM policies and Purview classification are not gates.
1155
00:47:56,080 –> 00:47:57,080
They are tracks.
1156
00:47:57,080 –> 00:47:58,560
The deployment runs on those tracks.
1157
00:47:58,560 –> 00:48:03,200
As copilot is deployed to users, these governance systems operate continuously.
1158
00:48:03,200 –> 00:48:04,200
They detect issues.
1159
00:48:04,200 –> 00:48:05,200
They apply controls.
1160
00:48:05,200 –> 00:48:08,000
They improve the security posture in real time.
1161
00:48:08,000 –> 00:48:11,560
This is fundamentally different from the gate model which would require all governance systems
1162
00:48:11,560 –> 00:48:13,480
to be perfect before deployment begins.
1163
00:48:13,480 –> 00:48:15,040
Here is the operational distinction.
1164
00:48:15,040 –> 00:48:17,120
In the gate model, you run a readiness assessment.
1165
00:48:17,120 –> 00:48:18,120
You identify gaps.
1166
00:48:18,120 –> 00:48:19,280
You remediate gaps.
1167
00:48:19,280 –> 00:48:21,080
Once all gaps are filled, you move forward.
1168
00:48:21,080 –> 00:48:22,440
The assessment is a moment.
1169
00:48:22,440 –> 00:48:24,200
The remediation is a project.
1170
00:48:24,200 –> 00:48:25,640
The deployment is the next phase.
1171
00:48:25,640 –> 00:48:28,160
In the track model, you deploy while improving.
1172
00:48:28,160 –> 00:48:29,800
Governance systems run continuously.
1173
00:48:29,800 –> 00:48:31,800
They detect new issues as they emerge.
1174
00:48:31,800 –> 00:48:33,360
They remediate automatically.
1175
00:48:33,360 –> 00:48:34,720
The assessment is not a moment.
1176
00:48:34,720 –> 00:48:35,840
It is continuous.
1177
00:48:35,840 –> 00:48:37,360
The remediation is not a project.
1178
00:48:37,360 –> 00:48:38,360
It is operational.
1179
00:48:38,360 –> 00:48:40,280
The deployment is not the next phase.
1180
00:48:40,280 –> 00:48:43,040
It is happening now while governance improves.
1181
00:48:43,040 –> 00:48:47,040
The case study organization implemented this principle by design, not accident.
1182
00:48:47,040 –> 00:48:51,440
They ran automated governance scans continuously, monthly, weekly.
1183
00:48:51,440 –> 00:48:53,720
These scans detected non-compliant sites.
1184
00:48:53,720 –> 00:48:55,400
The scans triggered ownership policies.
1185
00:48:55,400 –> 00:49:00,120
The policies assigned interim stewards. The governance system enforced compliance in real time.
1186
00:49:00,120 –> 00:49:03,040
The organization didn’t wait to fix everything and then deploy.
1187
00:49:03,040 –> 00:49:05,080
They deployed while the fixes were happening.
1188
00:49:05,080 –> 00:49:09,560
SAM policies and Purview classification are the mechanical expression of this principle.
1189
00:49:09,560 –> 00:49:12,240
SAM policies run deterministically.
1190
00:49:12,240 –> 00:49:14,920
Every month they detect sites failing ownership requirements.
1191
00:49:14,920 –> 00:49:16,240
They send notifications.
1192
00:49:16,240 –> 00:49:18,040
They assign interim administrators.
1193
00:49:18,040 –> 00:49:19,960
They don’t wait for humans to remember.
1194
00:49:19,960 –> 00:49:21,400
The system enforces policy.
1195
00:49:21,400 –> 00:49:22,680
Humans respond to enforcement.
1196
00:49:22,680 –> 00:49:23,680
The work gets done.
1197
00:49:23,680 –> 00:49:25,800
Purview classification works similarly.
1198
00:49:25,800 –> 00:49:30,480
As documents are created or modified, auto labeling applies labels automatically.
1199
00:49:30,480 –> 00:49:33,720
Classification improves continuously, not because humans decide to classify.
1200
00:49:33,720 –> 00:49:36,520
Because the system enforces classification policy.
1201
00:49:36,520 –> 00:49:38,880
Every document that matches a pattern gets labeled.
1202
00:49:38,880 –> 00:49:41,120
Over time, the classification posture improves.
1203
00:49:41,120 –> 00:49:45,240
This is the distinction between a probabilistic governance model and a deterministic one.
1204
00:49:45,240 –> 00:49:48,080
In a probabilistic model, governance might work or it might not,
1205
00:49:48,080 –> 00:49:50,440
depending on user behavior and manual processes.
1206
00:49:50,440 –> 00:49:51,960
Some users classify documents.
1207
00:49:51,960 –> 00:49:52,680
Others don’t.
1208
00:49:52,680 –> 00:49:54,120
Some owners manage their sites.
1209
00:49:54,120 –> 00:49:54,760
Others don’t.
1210
00:49:54,760 –> 00:49:56,640
Some access reviews occur on schedule.
1211
00:49:56,640 –> 00:49:57,600
Others get deferred.
1212
00:49:57,600 –> 00:49:59,160
The outcome is uncertain.
1213
00:49:59,160 –> 00:50:03,160
In a deterministic model, governance will work because it is enforced by policy.
1214
00:50:03,160 –> 00:50:05,280
Not by hoping users will do the right thing.
1215
00:50:05,280 –> 00:50:08,120
Every site will have owners because SAM enforces it.
1216
00:50:08,120 –> 00:50:11,360
Every document will be classified because Purview enforces it.
1217
00:50:11,360 –> 00:50:14,360
Every access review will occur because policies enforce it.
1218
00:50:14,360 –> 00:50:18,280
The parallel track approach shifts from probabilistic to deterministic governance.
1219
00:50:18,280 –> 00:50:22,600
This shift requires investment: SAM licenses, Purview licenses, configuration work.
1220
00:50:22,600 –> 00:50:24,760
But the investment eliminates uncertainty.
1221
00:50:24,760 –> 00:50:28,120
When governance is deterministic, organizations can deploy with confidence.
1222
00:50:28,120 –> 00:50:29,520
They know controls are in place.
1223
00:50:29,520 –> 00:50:31,080
They know controls are being enforced.
1224
00:50:31,080 –> 00:50:33,320
The case study organization made this investment.
1225
00:50:33,320 –> 00:50:34,320
They paid for SAM.
1226
00:50:34,320 –> 00:50:36,000
They paid for Purview auto labeling.
1227
00:50:36,000 –> 00:50:38,160
They configured both comprehensively.
1228
00:50:38,160 –> 00:50:40,920
And they deployed while that infrastructure operated.
1229
00:50:40,920 –> 00:50:44,680
This is how you move from viewing governance as a constraint on innovation
1230
00:50:44,680 –> 00:50:47,120
to viewing governance as an enabler of innovation.
1231
00:50:47,120 –> 00:50:48,840
Not by eliminating governance.
1232
00:50:48,840 –> 00:50:53,160
By making governance operational and continuous instead of episodic and gate-like.
1233
00:50:53,160 –> 00:50:56,120
Deterministic versus probabilistic governance models.
1234
00:50:56,120 –> 00:51:00,480
Most organizations operate with what might be called a probabilistic governance model.
1235
00:51:00,480 –> 00:51:01,480
They don’t call it that.
1236
00:51:01,480 –> 00:51:02,840
But that’s what it is.
1237
00:51:02,840 –> 00:51:06,120
In a probabilistic governance model, governance controls exist.
1238
00:51:06,120 –> 00:51:07,800
But they are not enforced uniformly.
1239
00:51:07,800 –> 00:51:09,040
They depend on user behavior.
1240
00:51:09,040 –> 00:51:10,640
They depend on manual processes.
1241
00:51:10,640 –> 00:51:14,320
They depend on periodic audits that may or may not occur on schedule.
1242
00:51:14,320 –> 00:51:16,200
The outcome is unpredictable.
1243
00:51:16,200 –> 00:51:19,400
Some users apply sensitivity labels to their documents.
1244
00:51:19,400 –> 00:51:20,040
Others don’t.
1245
00:51:20,040 –> 00:51:22,960
Some site owners actively manage their site’s permissions.
1246
00:51:22,960 –> 00:51:25,160
Others ignore the responsibility entirely.
1247
00:51:25,160 –> 00:51:27,760
Some access reviews are completed when they’re scheduled.
1248
00:51:27,760 –> 00:51:29,400
Others get deferred month after month.
1249
00:51:29,400 –> 00:51:31,520
Because there’s no enforcement mechanism.
1250
00:51:31,520 –> 00:51:35,720
The probability that governance will work depends on the accumulated sum of individual decisions
1251
00:51:35,720 –> 00:51:37,240
made by thousands of people.
1252
00:51:37,240 –> 00:51:41,960
When you have 5,000 users and governance depends on those users doing the right thing consistently
1253
00:51:41,960 –> 00:51:44,240
you’re betting on something that never happens.
1254
00:51:44,240 –> 00:51:46,400
Probability of compliance is not determinism.
1255
00:51:46,400 –> 00:51:47,400
It is hope.
1256
00:51:47,400 –> 00:51:49,320
And hope is not an architectural principle.
1257
00:51:49,320 –> 00:51:53,840
As organizations scale, the probability of governance failure increases exponentially.
1258
00:51:53,840 –> 00:51:56,360
You don’t need all 5,000 users to fail.
1259
00:51:56,360 –> 00:51:59,360
You need enough of them to fail that risk becomes unmanageable.
1260
00:51:59,360 –> 00:52:00,720
And you will get enough failures.
1261
00:52:00,720 –> 00:52:02,320
You will always get enough failures.
1262
00:52:02,320 –> 00:52:05,160
This is why large organizations have continuous governance crises.
1263
00:52:05,160 –> 00:52:06,640
It’s not because people are incompetent.
1264
00:52:06,640 –> 00:52:08,560
It’s because the model is structurally broken.
1265
00:52:08,560 –> 00:52:11,400
The model assumes humans will enforce governance consistently.
1266
00:52:11,400 –> 00:52:12,320
Humans won’t.
1267
00:52:12,320 –> 00:52:13,280
Humans can’t.
1268
00:52:13,280 –> 00:52:16,800
Governance that depends on consistent human behavior at scale will fail.
1269
00:52:16,800 –> 00:52:21,080
The parallel track approach shifts to what might be called a deterministic governance model.
1270
00:52:21,080 –> 00:52:24,760
In a deterministic model, governance controls are enforced automatically through policy.
1271
00:52:24,760 –> 00:52:26,520
Not hopefully, not eventually.
1272
00:52:26,520 –> 00:52:27,560
Automatically.
1273
00:52:27,560 –> 00:52:32,280
Every site is required to have minimum owners. Not encouraged, not suggested, required.
1274
00:52:32,280 –> 00:52:34,800
SAM policies enforce this. The policy runs.
1275
00:52:34,800 –> 00:52:36,840
It detects sites with insufficient owners.
1276
00:52:36,840 –> 00:52:38,080
It notifies stakeholders.
1277
00:52:38,080 –> 00:52:39,400
It assigns interim stewards.
1278
00:52:39,400 –> 00:52:41,080
It doesn’t wait for humans to remember.
1279
00:52:41,080 –> 00:52:42,520
It enforces the requirement.
1280
00:52:42,520 –> 00:52:47,120
Every document is classified automatically, not by user choice, not by manual review.
1281
00:52:47,120 –> 00:52:48,120
Automatically.
1282
00:52:48,120 –> 00:52:50,000
Purview policies scan for patterns.
1283
00:52:50,000 –> 00:52:54,920
When patterns match, labels apply. Every document written from that moment forward gets classified.
1284
00:52:54,920 –> 00:52:56,080
Not some documents.
1285
00:52:56,080 –> 00:52:58,040
All documents, deterministically.
1286
00:52:58,040 –> 00:53:02,560
Every access review is triggered on schedule, not if an administrator remembers, not if resources
1287
00:53:02,560 –> 00:53:03,840
permit. On schedule.
1288
00:53:03,840 –> 00:53:07,600
The policy says owners certify their site’s access every 90 days.
1289
00:53:07,600 –> 00:53:09,800
The notification goes out on day 89.
1290
00:53:09,800 –> 00:53:11,360
The policy enforces the requirement.
1291
00:53:11,360 –> 00:53:12,760
The outcome is deterministic.
1292
00:53:12,760 –> 00:53:14,000
Governance will work.
1293
00:53:14,000 –> 00:53:15,480
Not because people are diligent.
1294
00:53:15,480 –> 00:53:18,680
Not because compliance culture is strong, because the system enforces it.
1295
00:53:18,680 –> 00:53:21,280
The case study organization made this shift deliberately.
1296
00:53:21,280 –> 00:53:24,680
They moved from hoping governance would happen to ensuring it would happen.
1297
00:53:24,680 –> 00:53:29,880
From probabilistic to deterministic. This shift cost money: SAM licenses, Purview licensing,
1298
00:53:29,880 –> 00:53:33,680
premium features, configuration work. It required investment.
1299
00:53:33,680 –> 00:53:35,800
But the investment eliminated uncertainty.
1300
00:53:35,800 –> 00:53:39,160
Once policies were in place, the organization knew sites would have owners.
1301
00:53:39,160 –> 00:53:40,640
They knew data would be classified.
1302
00:53:40,640 –> 00:53:43,880
They knew access would be reviewed. Not hoped. Knew.
1303
00:53:43,880 –> 00:53:47,160
This is the architectural advantage that made parallel governance possible.
1304
00:53:47,160 –> 00:53:50,720
When governance is probabilistic, you cannot deploy safely until you’ve addressed every
1305
00:53:50,720 –> 00:53:51,800
known issue.
1306
00:53:51,800 –> 00:53:55,640
You must fix the known problems because you cannot be certain the governance system will
1307
00:53:55,640 –> 00:53:56,640
prevent new ones.
1308
00:53:56,640 –> 00:53:57,840
You must pause deployment.
1309
00:53:57,840 –> 00:53:59,120
You must remediate first.
1310
00:53:59,120 –> 00:54:02,160
When governance is deterministic, you can deploy while improving.
1311
00:54:02,160 –> 00:54:04,200
The governance system will detect new issues.
1312
00:54:04,200 –> 00:54:06,840
The governance system will enforce controls.
1313
00:54:06,840 –> 00:54:08,760
You do not need to fix everything in advance.
1314
00:54:08,760 –> 00:54:11,840
You need to ensure the enforcement mechanisms are operational.
1315
00:54:11,840 –> 00:54:14,280
And you can do that while deployment proceeds.
1316
00:54:14,280 –> 00:54:17,120
The case study organization understood this instinctively.
1317
00:54:17,120 –> 00:54:18,920
They invested in deterministic governance.
1318
00:54:18,920 –> 00:54:21,120
They deployed while policies enforced compliance.
1319
00:54:21,120 –> 00:54:25,040
And they moved faster than any probabilistic approach could have achieved.
1320
00:54:25,040 –> 00:54:29,760
This is what architectural certainty enables. Not confidence. Certainty. Sequencing risk
1321
00:54:29,760 –> 00:54:32,600
intelligently: pilot, expand, operate.
1322
00:54:32,600 –> 00:54:34,960
The parallel track approach is not a single deployment.
1323
00:54:34,960 –> 00:54:37,000
It is a sequenced series of deployments.
1324
00:54:37,000 –> 00:54:38,640
Each phase builds on the previous one.
1325
00:54:38,640 –> 00:54:41,880
Each phase provides evidence that conditions support moving forward.
1326
00:54:41,880 –> 00:54:43,440
This sequencing is not arbitrary.
1327
00:54:43,440 –> 00:54:47,120
It is how you manage risk in a system where perfect conditions do not exist.
1328
00:54:47,120 –> 00:54:51,800
The case study organization structured their deployment in three explicit phases.
1329
00:54:51,800 –> 00:54:59,000
Phase one, pilot, weeks one through four: deployed to 1,200 users in three business units.
1330
00:54:59,000 –> 00:55:02,760
Finance, legal, human resources. These units had higher baseline governance maturity.
1331
00:55:02,760 –> 00:55:04,280
They understood sensitive data.
1332
00:55:04,280 –> 00:55:06,200
They had existing classification practices.
1333
00:55:06,200 –> 00:55:07,440
They were not random choices.
1334
00:55:07,440 –> 00:55:08,760
They were strategic.
1335
00:55:08,760 –> 00:55:12,120
This phase serves multiple purposes simultaneously.
1336
00:55:12,120 –> 00:55:13,120
It proves ROI.
1337
00:55:13,120 –> 00:55:15,480
It identifies integration issues before scaling.
1338
00:55:15,480 –> 00:55:17,120
It builds organizational momentum.
1339
00:55:17,120 –> 00:55:20,360
It provides evidence that Copilot works in controlled environments.
1340
00:55:20,360 –> 00:55:23,600
By the end of week four, the organization had measurable outcomes.
1341
00:55:23,600 –> 00:55:26,520
26 minutes of daily time savings per user.
1342
00:55:26,520 –> 00:55:28,960
Visible productivity gains in report generation.
1343
00:55:28,960 –> 00:55:30,560
Visible gains in email drafting.
1344
00:55:30,560 –> 00:55:32,400
Visible gains in legal document analysis.
1345
00:55:32,400 –> 00:55:34,240
These metrics were not aspirational.
1346
00:55:34,240 –> 00:55:35,280
They were observed.
1347
00:55:35,280 –> 00:55:37,240
The pilot phase also revealed issues.
1348
00:55:37,240 –> 00:55:40,640
What worked for finance might not work for other departments.
1349
00:55:40,640 –> 00:55:42,800
Copilot integration challenges emerged.
1350
00:55:42,800 –> 00:55:45,880
After training gaps appeared, adoption patterns became visible.
1351
00:55:45,880 –> 00:55:48,680
All of this was captured in a controlled environment.
1352
00:55:48,680 –> 00:55:50,080
Three business units.
1353
00:55:50,080 –> 00:55:51,600
1,400 users.
1354
00:55:51,600 –> 00:55:52,600
Manageable scope.
1355
00:55:52,600 –> 00:55:53,600
Phase two.
1356
00:55:53,600 –> 00:55:54,600
Expand.
1357
00:55:54,600 –> 00:55:55,600
Weeks five through ten.
1358
00:55:55,600 –> 00:55:59,560
Deploy to additional business units while continuing to improve governance in the broader
1359
00:55:59,560 –> 00:56:00,560
environment.
1360
00:56:00,560 –> 00:56:02,520
This is where momentum matters architecturally.
1361
00:56:02,520 –> 00:56:08,600
By week ten, 94% of orphaned sites had documented owners and sensitivity labels applied.
1362
00:56:08,600 –> 00:56:11,760
The governance work that was running in the background had produced results.
1363
00:56:11,760 –> 00:56:16,320
The organization now had evidence that governance was improving in parallel with deployment,
1364
00:56:16,320 –> 00:56:19,960
not being constrained by deployment, accelerated by it.
1365
00:56:19,960 –> 00:56:24,080
Security and compliance teams could see the governance posture strengthening, not weakening,
1366
00:56:24,080 –> 00:56:25,840
not stagnant, strengthening.
1367
00:56:25,840 –> 00:56:29,720
This visibility is what shifts security teams from blocking to enabling.
1368
00:56:29,720 –> 00:56:35,120
The organization expanded Copilot to additional business units, not all, but more than the pilot.
1369
00:56:35,120 –> 00:56:37,720
Additional departments began seeing productivity gains.
1370
00:56:37,720 –> 00:56:39,000
Additional teams began adopting.
1371
00:56:39,000 –> 00:56:41,440
The organization generated internal champions
1372
00:56:41,440 –> 00:56:42,760
who had adopted Copilot,
1373
00:56:42,760 –> 00:56:43,920
who understood its value,
1374
00:56:43,920 –> 00:56:45,920
who could evangelize it to colleagues.
1375
00:56:45,920 –> 00:56:46,920
Phase three.
1376
00:56:46,920 –> 00:56:47,920
Operate.
1377
00:56:47,920 –> 00:56:48,920
Weeks eleven onward.
1378
00:56:48,920 –> 00:56:50,800
Copilot is available organization-wide.
1379
00:56:50,800 –> 00:56:52,640
This is not the end of the sequence.
1380
00:56:52,640 –> 00:56:55,280
It is the transition from deployment to operations.
1381
00:56:55,280 –> 00:56:56,520
But governance does not stop.
1382
00:56:56,520 –> 00:56:57,520
It shifts.
1383
00:56:57,520 –> 00:57:01,320
Instead of running remediation projects, SAM policies run continuously.
1384
00:57:01,320 –> 00:57:03,560
Every month they detect new orphaned sites.
1385
00:57:03,560 –> 00:57:04,560
They identify them.
1386
00:57:04,560 –> 00:57:05,760
They assign interim stewards.
1387
00:57:05,760 –> 00:57:06,760
They enforce policies.
1388
00:57:06,760 –> 00:57:09,960
The organization doesn’t remediate these sites once and declare success.
1389
00:57:09,960 –> 00:57:13,120
The organization manages them systematically, continuously.
1390
00:57:13,120 –> 00:57:14,760
Purview policies continue to run.
1391
00:57:14,760 –> 00:57:16,720
New documents are classified automatically.
1392
00:57:16,720 –> 00:57:18,800
New data patterns trigger new labels.
1393
00:57:18,800 –> 00:57:22,120
The organization’s classification posture continues to improve.
1394
00:57:22,120 –> 00:57:26,080
Not because of a massive remediation project, but because the system enforces classification
1395
00:57:26,080 –> 00:57:28,720
on every document written from that moment forward.
1396
00:57:28,720 –> 00:57:31,680
Insider risk policies monitor Copilot interactions.
1397
00:57:31,680 –> 00:57:33,480
Unusual patterns trigger alerts.
1398
00:57:33,480 –> 00:57:35,800
The organization doesn’t wait for security incidents.
1399
00:57:35,800 –> 00:57:37,400
They detect potential issues early.
1400
00:57:37,400 –> 00:57:41,520
The organization has shifted from deploying Copilot to operating Copilot.
1401
00:57:41,520 –> 00:57:42,880
Governance is no longer a project.
1402
00:57:42,880 –> 00:57:43,880
It is continuous.
1403
00:57:43,880 –> 00:57:46,760
It is operational. Moving between phases.
1404
00:57:46,760 –> 00:57:49,400
The sequencing is not based on arbitrary timelines.
1405
00:57:49,400 –> 00:57:52,080
Each phase builds on evidence from the previous one.
1406
00:57:52,080 –> 00:57:56,160
The organization does not move to expand until pilot metrics are positive.
1407
00:57:56,160 –> 00:57:59,240
They do not move to operate until governance metrics support it.
1408
00:57:59,240 –> 00:58:01,120
This is evidence-based progression.
1409
00:58:01,120 –> 00:58:02,120
Not hope.
1410
00:58:02,120 –> 00:58:03,120
Not aspiration.
1411
00:58:03,120 –> 00:58:04,120
Evidence.
1412
00:58:04,120 –> 00:58:08,800
The case study organization set explicit criteria for phase advancement.
1413
00:58:08,800 –> 00:58:13,680
Adoption rate exceeds 70%, sensitivity label coverage exceeds 85%.
1414
00:58:13,680 –> 00:58:16,200
Orphaned site remediation exceeds 90%.
1415
00:58:16,200 –> 00:58:17,560
No security incidents.
1416
00:58:17,560 –> 00:58:18,840
Productivity gains are measurable.
1417
00:58:18,840 –> 00:58:20,320
Meet these criteria, advance.
1418
00:58:20,320 –> 00:58:21,320
Miss them?
1419
00:58:21,320 –> 00:58:22,320
Investigate.
1420
00:58:22,320 –> 00:58:24,360
This removes subjectivity from the process.
1421
00:58:24,360 –> 00:58:25,480
Decisions are based on data.
1422
00:58:25,480 –> 00:58:26,480
Not opinions.
1423
00:58:26,480 –> 00:58:28,480
Not organizational politics.
1424
00:58:28,480 –> 00:58:29,480
Data.
1425
00:58:29,480 –> 00:58:32,880
This sequencing approach is fundamentally different from the gate model.
1426
00:58:32,880 –> 00:58:35,800
The gate model requires everything to be perfect before proceeding.
1427
00:58:35,800 –> 00:58:39,000
Sequencing requires evidence that conditions support moving forward.
1428
00:58:39,000 –> 00:58:40,320
Evidence of what’s actually happening.
1429
00:58:40,320 –> 00:58:41,320
Not perfection.
1430
00:58:41,320 –> 00:58:42,320
Progress.
1431
00:58:42,320 –> 00:58:46,160
The organization progressed through all three phases because at each phase transition,
1432
00:58:46,160 –> 00:58:47,560
evidence supported advancing.
1433
00:58:47,560 –> 00:58:48,560
They never paused.
1434
00:58:48,560 –> 00:58:49,560
They never deferred.
1435
00:58:49,560 –> 00:58:52,840
They moved forward with confidence because the data justified it.
1436
00:58:52,840 –> 00:58:54,960
Metrics and decision points: when to move forward.
1437
00:58:54,960 –> 00:58:58,360
The parallel track approach requires clear metrics and decision points to determine when
1438
00:58:58,360 –> 00:59:00,480
to move from one phase to the next.
1439
00:59:00,480 –> 00:59:02,000
These are not arbitrary thresholds.
1440
00:59:02,000 –> 00:59:03,000
These are not opinions.
1441
00:59:03,000 –> 00:59:06,880
These are measurable outcomes based on governance and adoption data.
1442
00:59:06,880 –> 00:59:10,280
Without explicit metrics, phase advancement becomes subjective.
1443
00:59:10,280 –> 00:59:11,960
Someone’s opinion about readiness.
1444
00:59:11,960 –> 00:59:13,520
Someone’s gut feeling about risk.
1445
00:59:13,520 –> 00:59:15,920
Someone’s organizational politics about timing.
1446
00:59:15,920 –> 00:59:18,000
Subjectivity is how deployments stall.
1447
00:59:18,000 –> 00:59:20,000
Organizations debate whether conditions are adequate.
1448
00:59:20,000 –> 00:59:21,600
They extend pilots indefinitely.
1449
00:59:21,600 –> 00:59:25,200
They delay expansion waiting for perfect conditions that never arrive.
1450
00:59:25,200 –> 00:59:26,880
Explicit metrics eliminate this debate.
1451
00:59:26,880 –> 00:59:29,920
The data either supports advancing or it does not.
1452
00:59:29,920 –> 00:59:30,920
Simple as that.
1453
00:59:30,920 –> 00:59:32,040
Phase 1 exit criteria.
1454
00:59:32,040 –> 00:59:35,720
The transition from pilot to expand requires meeting specific thresholds.
1455
00:59:35,720 –> 00:59:36,720
These are the criteria
1456
00:59:36,720 –> 00:59:41,600
the case study organization established. Adoption rate in pilot units exceeds 70%.
1457
00:59:41,600 –> 00:59:43,320
Measured as weekly active users.
1458
00:59:43,320 –> 00:59:45,680
Not total licensed users, weekly active users.
1459
00:59:45,680 –> 00:59:47,040
The distinction matters.
1460
00:59:47,040 –> 00:59:49,000
You can license Copilot to everyone.
1461
00:59:49,000 –> 00:59:50,400
Not everyone will use it.
1462
00:59:50,400 –> 00:59:52,360
Weekly active adoption measures actual engagement.
1463
00:59:52,360 –> 00:59:57,640
If 70% of pilot users are actively using Copilot every week, the technology is gaining traction.
1464
00:59:57,640 –> 01:00:00,560
If adoption is below 50%, something is wrong.
1465
01:00:00,560 –> 01:00:01,560
Information is inadequate.
1466
01:00:01,560 –> 01:00:03,000
Integration is broken.
1467
01:00:03,000 –> 01:00:04,520
User expectations are unmet.
1468
01:00:04,520 –> 01:00:08,960
The organization needs to investigate before expanding. Sensitivity label coverage exceeds
1469
01:00:08,960 –> 01:00:10,800
85%.
1470
01:00:10,800 –> 01:00:12,840
Measured as percentage of documents with labels.
1471
01:00:12,840 –> 01:00:15,560
This indicates the classification infrastructure is working.
1472
01:00:15,560 –> 01:00:16,720
Auto labeling is functioning.
1473
01:00:16,720 –> 01:00:20,880
The organization is achieving systematic classification, not relying on user choice.
1474
01:00:20,880 –> 01:00:25,320
85% coverage means the organization has high confidence that sensitive data is identified
1475
01:00:25,320 –> 01:00:26,320
and protected.
1476
01:00:26,320 –> 01:00:29,280
Orphaned site remediation rate exceeds 80%.
1477
01:00:29,280 –> 01:00:31,560
It is a percentage of sites with documented owners.
1478
01:00:31,560 –> 01:00:34,160
This indicates governance policies are functioning.
1479
01:00:34,160 –> 01:00:35,880
Sites have owners.
1480
01:00:35,880 –> 01:00:36,880
Accountability exists.
1481
01:00:36,880 –> 01:00:41,400
The organization can expand Copilot knowing that governance is improving, not deteriorating.
1482
01:00:41,400 –> 01:00:43,960
No security incidents related to Copilot usage.
1483
01:00:43,960 –> 01:00:44,960
This is binary.
1484
01:00:44,960 –> 01:00:47,200
Either incidents occurred or they did not.
1485
01:00:47,200 –> 01:00:51,800
If Copilot interactions triggered data leaks or unauthorized access or compliance violations,
1486
01:00:51,800 –> 01:00:53,440
expansion is premature.
1487
01:00:53,440 –> 01:00:54,440
Investigation is required.
1488
01:00:54,440 –> 01:00:57,480
If no incidents occurred, the security posture is holding.
1489
01:00:57,480 –> 01:00:59,560
Security gains are measurable and positive.
1490
01:00:59,560 –> 01:01:01,680
Minimum 15 minutes per user per day.
1491
01:01:01,680 –> 01:01:03,840
This ensures the technology is delivering value.
1492
01:01:03,840 –> 01:01:07,720
If users are spending time with Copilot but not gaining productivity, the business case
1493
01:01:07,720 –> 01:01:08,720
is weak.
1494
01:01:08,720 –> 01:01:13,320
But if they’re recovering 15 minutes daily or more, the ROI becomes visible.
1495
01:01:13,320 –> 01:01:15,120
The technology works.
1496
01:01:15,120 –> 01:01:18,560
In the case study, all these criteria were met by week 4.
1497
01:01:18,560 –> 01:01:20,440
Phase 2 exit criteria.
1498
01:01:20,440 –> 01:01:24,040
The transition from expand to operate requires additional thresholds.
1499
01:01:24,040 –> 01:01:27,600
Adoption rate across all deployed units exceeds 60%.
1500
01:01:27,600 –> 01:01:31,280
Lower than the pilot threshold because you’re now measuring a broader population. Pilots
1501
01:01:31,280 –> 01:01:32,760
attract earlier adopters.
1502
01:01:32,760 –> 01:01:34,320
Broader deployment includes skeptics.
1503
01:01:34,320 –> 01:01:38,680
60% adoption across all units indicates the organization is moving beyond evangelists
1504
01:01:38,680 –> 01:01:40,640
toward mainstream adoption.
1505
01:01:40,640 –> 01:01:43,960
Sensitivity label coverage exceeds 90%, higher than Phase 1.
1506
01:01:43,960 –> 01:01:47,760
This indicates the organization is maturing its classification approach.
1507
01:01:47,760 –> 01:01:49,040
Most data is now labeled.
1508
01:01:49,040 –> 01:01:51,520
The infrastructure has reached scale and reliability.
1509
01:01:51,520 –> 01:01:55,000
Orphaned site remediation rate exceeds 90%, higher than Phase 1.
1510
01:01:55,000 –> 01:01:56,600
The governance work has matured.
1511
01:01:56,600 –> 01:01:59,200
90% of sites now have documented owners.
1512
01:01:59,200 –> 01:02:03,320
The organization has moved from crisis response to normal governance operations.
1513
01:02:03,320 –> 01:02:05,280
No critical security incidents.
1514
01:02:05,280 –> 01:02:09,040
The threshold shifts from any incident to critical incidents.
1515
01:02:09,040 –> 01:02:12,680
Minor issues may occur, but nothing that threatens organizational security.
1516
01:02:12,680 –> 01:02:14,160
Nothing that would halt deployment.
1517
01:02:14,160 –> 01:02:15,720
This distinction reflects maturity.
1518
01:02:15,720 –> 01:02:17,840
You tolerate minor issues in operating systems.
1519
01:02:17,840 –> 01:02:22,040
You prevent critical ones. Productivity gains are sustained across all deployed units.
1520
01:02:22,040 –> 01:02:23,360
Not initial gains.
1521
01:02:23,360 –> 01:02:24,360
Sustained gains.
1522
01:02:24,360 –> 01:02:27,080
Users continue using Copilot weeks after launch.
1523
01:02:27,080 –> 01:02:28,560
Usage doesn’t spike and then decline.
1524
01:02:28,560 –> 01:02:31,240
This indicates adoption is real, not novelty.
1525
01:02:31,240 –> 01:02:34,640
In the case study, these criteria were met by Week 10.
1526
01:02:34,640 –> 01:02:35,640
The principle.
1527
01:02:35,640 –> 01:02:37,000
These metrics are not arbitrary.
1528
01:02:37,000 –> 01:02:40,880
They are based on industry benchmarks and the organization’s risk tolerance.
1529
01:02:40,880 –> 01:02:45,120
An organization with higher risk tolerance might move forward with lower thresholds.
1530
01:02:45,120 –> 01:02:48,200
An organization with lower risk tolerance might set higher bars.
1531
01:02:48,200 –> 01:02:53,200
The key principle is that metrics are established before deployment. Not during, not after. Before.
1532
01:02:53,200 –> 01:02:55,560
This removes subjectivity from the process.
1533
01:02:55,560 –> 01:02:57,400
Decisions are based on evidence, not opinions.
1534
01:02:57,400 –> 01:02:58,760
You establish criteria.
1535
01:02:58,760 –> 01:03:00,200
You measure outcomes.
1536
01:03:00,200 –> 01:03:01,200
You compare.
1537
01:03:01,200 –> 01:03:02,200
You decide.
1538
01:03:02,200 –> 01:03:03,480
Data drives the decision.
1539
01:03:03,480 –> 01:03:06,240
The metrics also serve as early warning signals.
1540
01:03:06,240 –> 01:03:10,520
If adoption is below 50% after four weeks, training might be inadequate.
1541
01:03:10,520 –> 01:03:15,320
If label coverage is below 70%, the classification infrastructure might have gaps.
1542
01:03:15,320 –> 01:03:19,640
If remediation rate is below 70%, governance policies might need adjustment.
1543
01:03:19,640 –> 01:03:22,840
The organization can then address these issues before expanding.
1544
01:03:22,840 –> 01:03:24,240
Course correct early.
1545
01:03:24,240 –> 01:03:25,800
Prevent downstream problems.
1546
01:03:25,800 –> 01:03:28,640
This is sequential deployment done correctly.
1547
01:03:28,640 –> 01:03:29,960
Building the business case.
1548
01:03:29,960 –> 01:03:32,920
ROI, risk reduction and competitive advantage.
1549
01:03:32,920 –> 01:03:36,160
The parallel track approach is not just a technical strategy.
1550
01:03:36,160 –> 01:03:40,480
It is a business strategy and this distinction matters when you’re pitching it to leadership.
1551
01:03:40,480 –> 01:03:45,960
The organizations that successfully execute parallel governance capture three types of value simultaneously.
1552
01:03:45,960 –> 01:03:48,160
ROI, risk reduction, competitive advantage.
1553
01:03:48,160 –> 01:03:49,400
These are not theoretical.
1554
01:03:49,400 –> 01:03:52,760
These are business outcomes that executives understand and care about.
1555
01:03:52,760 –> 01:03:54,480
Start with ROI.
1556
01:03:54,480 –> 01:04:01,400
Microsoft’s research suggests Copilot delivers approximately $3.70 of productivity value for every dollar invested.
1557
01:04:01,400 –> 01:04:05,880
Whether that exact ratio holds for your organization is less important than the principle:
1558
01:04:05,880 –> 01:04:07,480
Copilot creates measurable value.
1559
01:04:07,480 –> 01:04:10,400
The question is whether you capture that value now or defer it.
1560
01:04:10,400 –> 01:04:12,920
The case study organization measured this directly in their pilot.
1561
01:04:12,920 –> 01:04:15,280
26 minutes of daily time savings per user.
1562
01:04:15,280 –> 01:04:16,760
That’s not theoretical modeling.
1563
01:04:16,760 –> 01:04:17,880
That’s what they observed.
1564
01:04:17,880 –> 01:04:18,920
Actual users.
1565
01:04:18,920 –> 01:04:19,760
Actual tasks.
1566
01:04:19,760 –> 01:04:21,680
Actual time recovered.
1567
01:04:21,680 –> 01:04:27,920
At a fully loaded labor cost of $75 per hour, those 26 minutes equal approximately $18,000
1568
01:04:27,920 –> 01:04:29,960
in annual productivity value per user.
1569
01:04:29,960 –> 01:04:35,080
For the 1,200 pilot users, that’s $21.6 million annually.
1570
01:04:35,080 –> 01:04:38,240
Copilot licensing costs $30 per user per month.
1571
01:04:38,240 –> 01:04:42,160
For 1,200 users, that’s $432,000 annually.
1572
01:04:42,160 –> 01:04:44,880
The ROI is approximately 50 to 1 in the first year.
1573
01:04:44,880 –> 01:04:46,040
This is not aspirational.
1574
01:04:46,040 –> 01:04:47,080
This is the business case.
1575
01:04:47,080 –> 01:04:49,840
Now think about what happens if you defer deployment.
1576
01:04:49,840 –> 01:04:55,160
Every month of delay costs approximately $1.8 million in deferred productivity value for
1577
01:04:55,160 –> 01:04:56,960
a 1,200-person organization.
1578
01:04:56,960 –> 01:05:00,280
Six months of delay, $10.8 million in opportunity cost.
1579
01:05:00,280 –> 01:05:01,520
That number is not recovered.
1580
01:05:01,520 –> 01:05:02,240
It is simply gone.
1581
01:05:02,240 –> 01:05:05,240
This is how you move CFOs from why are we spending money on this?
1582
01:05:05,240 –> 01:05:07,280
To why aren’t we deploying this faster?
1583
01:05:07,280 –> 01:05:08,920
But ROI alone is incomplete.
1584
01:05:08,920 –> 01:05:12,360
It assumes the deployment succeeds and governance doesn’t collapse.
1585
01:05:12,360 –> 01:05:14,960
The second value proposition is risk reduction.
1586
01:05:14,960 –> 01:05:18,400
Organizations waiting for perfect governance before enabling Copilot assume that deferring
1587
01:05:18,400 –> 01:05:20,000
deployment reduces risk.
1588
01:05:20,000 –> 01:05:22,480
In reality, the opposite is true.
1589
01:05:22,480 –> 01:05:26,040
Organizations that wait for perfect governance continue to operate with orphaned sites,
1590
01:05:26,040 –> 01:05:28,240
unclassified data and unmanaged access.
1591
01:05:28,240 –> 01:05:29,520
These risks compound.
1592
01:05:29,520 –> 01:05:32,920
Every month that passes without automated governance controls, additional orphaned
1593
01:05:32,920 –> 01:05:34,320
sites are created.
1594
01:05:34,320 –> 01:05:38,200
Additional data goes unclassified.
1595
01:05:38,200 –> 01:05:40,200
The risk posture doesn’t stay the same.
1596
01:05:40,200 –> 01:05:41,200
It deteriorates.
1597
01:05:41,200 –> 01:05:44,800
Organizations that deploy with parallel governance improve their risk posture in real time.
1598
01:05:44,800 –> 01:05:46,600
SAM policies run continuously.
1599
01:05:46,600 –> 01:05:48,080
Governance improves measurably.
1600
01:05:48,080 –> 01:05:51,560
By the time full deployment occurs, governance has improved significantly.
1601
01:05:51,560 –> 01:05:55,200
This is lower risk than waiting for perfect governance while the organization’s governance
1602
01:05:55,200 –> 01:05:57,320
posture deteriorates in the background.
1603
01:05:57,320 –> 01:06:02,000
This reframes risk for executives, not as we are taking on new risk by deploying Copilot.
1604
01:06:02,000 –> 01:06:07,680
But as we are reducing existing risk by deploying Copilot with systematic governance. The case
1605
01:06:07,680 –> 01:06:13,240
study organization achieved 94% remediation of orphaned sites in 10 weeks.
1606
01:06:13,240 –> 01:06:17,560
An organization that chose to defer deployment would have worse governance at month 6 than
1607
01:06:17,560 –> 01:06:20,520
the case study organization had at week 10.
1608
01:06:20,520 –> 01:06:21,880
That’s the cost of waiting.
1609
01:06:21,880 –> 01:06:24,360
Increased risk, not decreased.
1610
01:06:24,360 –> 01:06:27,960
The third value proposition is competitive advantage.
1611
01:06:27,960 –> 01:06:31,120
Organizations that deploy Copilot early gain competitive advantage.
1612
01:06:31,120 –> 01:06:33,480
They capture productivity gains before competitors.
1613
01:06:33,480 –> 01:06:35,560
They learn how to use Copilot effectively.
1614
01:06:35,560 –> 01:06:39,600
They build organizational capability in AI-driven productivity.
1615
01:06:39,600 –> 01:06:42,640
Organizations that wait for perfect governance cede this advantage.
1616
01:06:42,640 –> 01:06:43,640
Competitors deploy.
1617
01:06:43,640 –> 01:06:44,640
Competitors learn.
1618
01:06:44,640 –> 01:06:46,240
Competitors build capability.
1619
01:06:46,240 –> 01:06:50,280
By the time a delayed organization catches up, the competitive gap has widened.
1620
01:06:50,280 –> 01:06:54,440
In a rapidly evolving technology landscape, first mover advantage is significant.
1621
01:06:54,440 –> 01:06:56,320
It is not permanent, but it is valuable.
1622
01:06:56,320 –> 01:06:59,560
Your organization either captures it now or watches competitors capture it.
1623
01:06:59,560 –> 01:07:02,920
The business case for parallel governance is not primarily about risk management.
1624
01:07:02,920 –> 01:07:07,840
It is about capturing value and competitive advantage while governance improves in parallel.
1625
01:07:07,840 –> 01:07:11,640
This is why C-suite executives should understand and support the parallel track approach.
1626
01:07:11,640 –> 01:07:13,240
It is not a technical recommendation.
1627
01:07:13,240 –> 01:07:14,560
It is a business recommendation.
1628
01:07:14,560 –> 01:07:15,560
Deploy now.
1629
01:07:15,560 –> 01:07:17,280
Improve governance continuously.
1630
01:07:17,280 –> 01:07:18,280
Capture value.
1631
01:07:18,280 –> 01:07:19,280
Reduce risk.
1632
01:07:19,280 –> 01:07:20,280
Build competitive capability.
1633
01:07:20,280 –> 01:07:22,840
The organization that understands this moves faster.
1634
01:07:22,840 –> 01:07:24,560
Organizations that don’t understand it wait.
1635
01:07:24,560 –> 01:07:27,360
And waiting is a choice that compounds regret.
1636
01:07:27,360 –> 01:07:29,520
Common objections and how to address them.
1637
01:07:29,520 –> 01:07:33,720
No common objection surface when organizations consider the parallel track approach.
1638
01:07:33,720 –> 01:07:35,040
These are not stupid objections.
1639
01:07:35,040 –> 01:07:39,360
They are reasonable concerns rooted in past experiences and legitimate risk awareness.
1640
01:07:39,360 –> 01:07:42,960
But they are objections based on misunderstandings about what parallel governance actually is
1641
01:07:42,960 –> 01:07:44,360
and how it functions.
1642
01:07:44,360 –> 01:07:48,400
Addressing them requires clear communication about the approach itself.
1643
01:07:48,400 –> 01:07:49,400
Objection one.
1644
01:07:49,400 –> 01:07:51,520
We do not have time for parallel remediation.
1645
01:07:51,520 –> 01:07:56,120
This objection misunderstands the fundamental mechanics of the parallel track model.
1646
01:07:56,120 –> 01:07:59,240
Organizations think they must choose between remediation and deployment.
1647
01:07:59,240 –> 01:08:02,360
If there is everything first then deploy or deploy now and deal with chaos later.
1648
01:08:02,360 –> 01:08:04,520
The parallel track approach is neither.
1649
01:08:04,520 –> 01:08:07,720
Remediation happens during deployment not before it, not instead of it.
1650
01:08:07,720 –> 01:08:11,480
During it. The organization does not need to choose between remediation and deployment.
1651
01:08:11,480 –> 01:08:12,800
They do both simultaneously.
1652
01:08:12,800 –> 01:08:17,080
In fact parallel remediation is faster than sequential remediation, not slower.
1653
01:08:17,080 –> 01:08:18,080
Faster.
1654
01:08:18,080 –> 01:08:21,400
The case study organization achieved 94% remediation in 10 weeks.
1655
01:08:21,400 –> 01:08:25,200
An organization pursuing sequential remediation would require 6 months or longer.
1656
01:08:25,200 –> 01:08:26,200
Why?
1657
01:08:26,200 –> 01:08:28,280
Deployment pressure accelerates governance work.
1658
01:08:28,280 –> 01:08:29,880
Security becomes a force multiplier.
1659
01:08:29,880 –> 01:08:33,800
Teams suddenly resource governance improvements when Copilot deployment is scheduled.
1660
01:08:33,800 –> 01:08:36,600
They deprioritize when deployment is deferred.
1661
01:08:36,600 –> 01:08:37,600
Objection two.
1662
01:08:37,600 –> 01:08:39,560
Our security team will never approve this.
1663
01:08:39,560 –> 01:08:44,240
This objection is usually rooted in a misunderstanding of how Copilot works or what governance controls
1664
01:08:44,240 –> 01:08:45,480
are in place.
1665
01:08:45,480 –> 01:08:50,520
Security teams fear that parallel deployment means launching a risky system without guardrails.
1666
01:08:50,520 –> 01:08:55,240
But the parallel track approach includes specific governance controls before deployment.
1667
01:08:55,240 –> 01:08:59,680
SAM policies, Purview classification, DLP policies, insider risk monitoring. These are
1668
01:08:59,680 –> 01:09:01,400
not added after the fact.
1669
01:09:01,400 –> 01:09:04,600
They are operational before Copilot users gain access.
1670
01:09:04,600 –> 01:09:09,120
The key is involving security teams early and demonstrating that governance is improving
1671
01:09:09,120 –> 01:09:10,120
in real time.
1672
01:09:10,120 –> 01:09:11,280
Not hypothetically improving.
1673
01:09:11,280 –> 01:09:12,280
Actually improving.
1674
01:09:12,280 –> 01:09:14,480
Show measurable progress on governance metrics.
1675
01:09:14,480 –> 01:09:17,120
94% of orphaned sites now have owners.
1676
01:09:17,120 –> 01:09:18,920
85% of documents are classified.
1677
01:09:18,920 –> 01:09:20,640
DLP policies are active.
1678
01:09:20,640 –> 01:09:24,440
By showing tangible progress, security teams see that the approach is working.
1679
01:09:24,440 –> 01:09:27,400
They move from blocking to enabling.
1680
01:09:27,400 –> 01:09:28,400
Objection three.
1681
01:09:28,400 –> 01:09:31,720
We have tried parallel approaches before and they did not work.
1682
01:09:31,720 –> 01:09:35,680
This objection reflects past experiences with poorly executed initiatives.
1683
01:09:35,680 –> 01:09:39,080
The key difference with the parallel track approach is automation.
1684
01:09:39,080 –> 01:09:41,080
Governance is not enforced through exhortation.
1685
01:09:41,080 –> 01:09:42,600
It is enforced through policy.
1686
01:09:42,600 –> 01:09:44,720
SAM and Purview policies run continuously.
1687
01:09:44,720 –> 01:09:46,280
They do not depend on human effort.
1688
01:09:46,280 –> 01:09:48,160
They do not depend on organizational discipline.
1689
01:09:48,160 –> 01:09:51,120
They do not depend on people remembering to do the right thing.
1690
01:09:51,120 –> 01:09:52,160
Machines enforce policy.
1691
01:09:52,160 –> 01:09:53,560
Humans respond to enforcement.
1692
01:09:53,560 –> 01:09:56,320
When you structure it that way, the approach works at scale.
1693
01:09:56,320 –> 01:10:00,400
Previous parallel initiatives may have failed because they relied on manual processes.
1694
01:10:00,400 –> 01:10:04,200
This one succeeds because it relies on automated enforcement.
1695
01:10:04,200 –> 01:10:05,200
Objection four.
1696
01:10:05,200 –> 01:10:07,400
We need perfect data before we can deploy Copilot.
1697
01:10:07,400 –> 01:10:11,000
This objection reveals a fundamental misunderstanding of readiness.
1698
01:10:11,000 –> 01:10:12,240
Ready does not mean perfect.
1699
01:10:12,240 –> 01:10:15,600
Ready means governance is systematic, measurable and improving.
1700
01:10:15,600 –> 01:10:17,080
Perfect data is impossible.
1701
01:10:17,080 –> 01:10:19,080
There will always be unclassified documents.
1702
01:10:19,080 –> 01:10:20,560
There will always be orphaned sites.
1703
01:10:20,560 –> 01:10:21,880
There will always be access issues.
1704
01:10:21,880 –> 01:10:24,080
The question is not whether imperfection exists.
1705
01:10:24,080 –> 01:10:27,480
The question is whether you have mechanisms to detect and remediate it.
1706
01:10:27,480 –> 01:10:30,200
The parallel track approach answers affirmatively.
1707
01:10:30,200 –> 01:10:31,800
Governance mechanisms are in place.
1708
01:10:31,800 –> 01:10:32,800
SAM is running.
1709
01:10:32,800 –> 01:10:33,800
Purview is scanning.
1710
01:10:33,800 –> 01:10:35,160
DLP is enforcing.
1711
01:10:35,160 –> 01:10:39,800
The organization has mechanisms to manage risk while deployment proceeds.
1712
01:10:39,800 –> 01:10:40,800
Objection five.
1713
01:10:40,800 –> 01:10:42,160
This approach is too risky.
1714
01:10:42,160 –> 01:10:46,320
This objection comes from risk-averse organizations that view delay as safety.
1715
01:10:46,320 –> 01:10:47,560
But delay is not safe.
1716
01:10:47,560 –> 01:10:50,080
Delay compounds governance debt. Delay defers value.
1717
01:10:50,080 –> 01:10:51,680
Delay allows risk to accumulate.
1718
01:10:51,680 –> 01:10:54,120
The parallel track approach is actually lower risk.
1719
01:10:54,120 –> 01:10:56,640
It improves governance posture in real time.
1720
01:10:56,640 –> 01:11:00,000
Organizations that deploy with parallel governance have better governance at deployment
1721
01:11:00,000 –> 01:11:05,520
than organizations that delay for six months while governance deteriorates in the background.
1722
01:11:05,520 –> 01:11:09,320
Addressing these objections requires clarity, not reassurance.
1723
01:11:09,320 –> 01:11:13,600
Clarity about what the approach is, how it works and why it is more effective than the alternatives.
1724
01:11:13,600 –> 01:11:18,520
When organizations understand the mechanics, the objections usually resolve themselves.
1725
01:11:18,520 –> 01:11:22,080
And Copilot, applying parallel governance to other cloud initiatives.
1726
01:11:22,080 –> 01:11:24,600
The parallel track approach is not specific to Copilot.
1727
01:11:24,600 –> 01:11:29,080
This matters architecturally because it means the principle is not dependent on one technology.
1728
01:11:29,080 –> 01:11:30,480
It is a governance principle.
1729
01:11:30,480 –> 01:11:32,040
Generalize it.
1730
01:11:32,040 –> 01:11:35,200
Organizations can apply the same approach to Power Platform adoption.
1731
01:11:35,200 –> 01:11:37,640
Power Platform requires governance controls.
1732
01:11:37,640 –> 01:11:42,440
Data governance, environment governance, app governance, shadow IT governance. Instead
1733
01:11:42,440 –> 01:11:46,840
of waiting for perfect Power Platform governance before expanding adoption.
1734
01:11:46,840 –> 01:11:48,840
It is deployed while improving governance.
1735
01:11:48,840 –> 01:11:51,440
The principle is identical. Applied to Teams migration.
1736
01:11:51,440 –> 01:11:54,000
Teams migration requires similar governance controls.
1737
01:11:54,000 –> 01:11:57,960
Data classification, access management, channel governance, ownership policies. Instead of
1738
01:11:57,960 –> 01:12:01,040
waiting for perfect Teams governance during migration.
1739
01:12:01,040 –> 01:12:02,640
Organizations migrate while improving governance.
1740
01:12:02,640 –> 01:12:04,120
The mechanics are the same.
1741
01:12:04,120 –> 01:12:05,960
Applied to cloud data migration.
1742
01:12:05,960 –> 01:12:08,600
Data migration requires governance and compliance controls.
1743
01:12:08,600 –> 01:12:09,600
Data residency.
1744
01:12:09,600 –> 01:12:12,280
Encryption, retention, access policies.
1745
01:12:12,280 –> 01:12:16,160
Instead of waiting for perfect controls before migrating data, organizations migrate while
1746
01:12:16,160 –> 01:12:17,600
improving controls.
1747
01:12:17,600 –> 01:12:19,120
The architecture is parallel.
1748
01:12:19,120 –> 01:12:20,760
The core principle is invariant.
1749
01:12:20,760 –> 01:12:21,880
Governance is the track.
1750
01:12:21,880 –> 01:12:22,880
Deployment runs on that track.
1751
01:12:22,880 –> 01:12:24,400
This is not a Copilot principle.
1752
01:12:24,400 –> 01:12:27,040
This is a cloud governance principle.
1753
01:12:27,040 –> 01:12:30,720
Organizations can apply this approach to any initiative requiring governance improvements.
1754
01:12:30,720 –> 01:12:33,200
The pattern is: first, identify the automation layer.
1755
01:12:33,200 –> 01:12:34,840
What tools enforce governance.
1756
01:12:34,840 –> 01:12:36,480
What policies run continuously.
1757
01:12:36,480 –> 01:12:38,160
What mechanisms detect non-compliance.
1758
01:12:38,160 –> 01:12:40,600
For Copilot those tools are SAM and Purview.
1759
01:12:40,600 –> 01:12:42,240
For other initiatives different tools.
1760
01:12:42,240 –> 01:12:44,120
But the architecture is the same.
1761
01:12:44,120 –> 01:12:46,120
Data-driven enforcement.
1762
01:12:46,120 –> 01:12:48,120
Continuous operation.
1763
01:12:48,120 –> 01:12:49,680
Second, establish metrics and decision points.
1764
01:12:49,680 –> 01:12:51,840
What outcomes must be achieved before expanding.
1765
01:12:51,840 –> 01:12:53,640
What evidence justifies advancing.
1766
01:12:53,640 –> 01:12:57,080
For Copilot we discussed adoption rate and classification coverage.
1767
01:12:57,080 –> 01:12:59,000
For other initiatives different metrics.
1768
01:12:59,000 –> 01:13:00,360
But the principle is identical.
1769
01:13:00,360 –> 01:13:01,360
Data-driven decisions.
1770
01:13:01,360 –> 01:13:02,360
Not opinions.
1771
01:13:02,360 –> 01:13:04,440
Third, sequence deployment in waves.
1772
01:13:04,440 –> 01:13:06,920
Start in controlled environments where conditions are favorable.
1773
01:13:06,920 –> 01:13:07,920
Build momentum.
1774
01:13:07,920 –> 01:13:09,160
Expand as evidence supports it.
1775
01:13:09,160 –> 01:13:10,720
This is not unique to Copilot.
1776
01:13:10,720 –> 01:13:14,080
This is how you manage risk in any deployment at scale.
1777
01:13:14,080 –> 01:13:17,480
The organizations that master this approach gain substantial competitive advantage.
1778
01:13:17,480 –> 01:13:19,520
They deploy technology faster than competitors.
1779
01:13:19,520 –> 01:13:23,560
They improve governance while competitors debate whether conditions are adequate.
1780
01:13:23,560 –> 01:13:28,080
They build organizational capability while competitors wait for perfect conditions.
1781
01:13:28,080 –> 01:13:30,160
This is the essence of modern cloud governance.
1782
01:13:30,160 –> 01:13:31,160
Not preventing change.
1783
01:13:31,160 –> 01:13:32,720
Managing change intelligently.
1784
01:13:32,720 –> 01:13:35,400
Not treating governance as a constraint on innovation.
1785
01:13:35,400 –> 01:13:37,960
Treating governance as an enabler of innovation.
1786
01:13:37,960 –> 01:13:42,480
The traditional governance model views governance and innovation as opposing forces.
1787
01:13:42,480 –> 01:13:44,760
You can have safe systems or fast innovation.
1788
01:13:44,760 –> 01:13:45,760
But not both.
1789
01:13:45,760 –> 01:13:46,760
You choose.
1790
01:13:46,760 –> 01:13:48,800
This creates false dichotomies that slow organizations.
1791
01:13:48,800 –> 01:13:51,440
The parallel track model rejects that dichotomy.
1792
01:13:51,440 –> 01:13:54,480
When governance is the track, innovation moves safely and quickly.
1793
01:13:54,480 –> 01:13:55,760
The track carries the train.
1794
01:13:55,760 –> 01:13:57,640
The train does not wait for a perfect track.
1795
01:13:57,640 –> 01:13:59,400
The track improves as the train runs.
1796
01:13:59,400 –> 01:14:01,440
Both move together.
1797
01:14:01,440 –> 01:14:04,440
Organizations that understand this principle will lead their industries.
1798
01:14:04,440 –> 01:14:06,960
Not because they are smarter, but because they are faster.
1799
01:14:06,960 –> 01:14:09,240
They capture value while governance improves.
1800
01:14:09,240 –> 01:14:11,760
They build capability while competitors debate.
1801
01:14:11,760 –> 01:14:16,560
They move safely because governance is systematic and continuous, not episodic and gate-like.
1802
01:14:16,560 –> 01:14:18,080
The future of governance.
1803
01:14:18,080 –> 01:14:19,360
Track, not gate.
1804
01:14:19,360 –> 01:14:22,120
The core message is simple but powerful.
1805
01:14:22,120 –> 01:14:25,360
Organizations waiting for perfect governance before enabling Copilot are solving the wrong
1806
01:14:25,360 –> 01:14:26,360
problem.
1807
01:14:26,360 –> 01:14:28,400
The real challenge is not to eliminate imperfection.
1808
01:14:28,400 –> 01:14:32,200
It is to build governance systems that operate while the platform evolves.
1809
01:14:32,200 –> 01:14:35,480
Governance is not a gate that stops progress until conditions are perfect.
1810
01:14:35,480 –> 01:14:38,520
Governance is the track that allows progress to move safely.
1811
01:14:38,520 –> 01:14:41,240
When governance and deployment move together.
1812
01:14:41,240 –> 01:14:43,960
It moves from not ready to ready enough.
1813
01:14:43,960 –> 01:14:47,760
The case study organization did not have perfect governance when they deployed Copilot.
1814
01:14:47,760 –> 01:14:50,880
They had systematic governance that was improving in real time.
1815
01:14:50,880 –> 01:14:54,360
By accepting, ready enough, instead of waiting for perfect.
1816
01:14:54,360 –> 01:15:00,360
They captured 21.6 million dollars in annual productivity gains while improving their governance
1817
01:15:00,360 –> 01:15:02,120
posture by 94%.
1818
01:15:02,120 –> 01:15:03,840
This is the future of governance.
1819
01:15:03,840 –> 01:15:05,680
Not preventing innovation.
1820
01:15:05,680 –> 01:15:08,680
Engineering systems that allow innovation to move safely.
1821
01:15:08,680 –> 01:15:11,200
Organizations that understand this principle will lead their industries.
1822
01:15:11,200 –> 01:15:13,840
Organizations that wait for perfect conditions will fall behind.
1823
01:15:13,840 –> 01:15:16,920
The question for your organization is not, are we ready?
1824
01:15:16,920 –> 01:15:20,600
The question is, do we have mechanisms to manage risk while we deploy?
1825
01:15:20,600 –> 01:15:22,600
If the answer is yes, move forward.
1826
01:15:22,600 –> 01:15:23,840
Governance will improve along the way.
1827
01:15:23,840 –> 01:15:26,400
If the answer is no, build those mechanisms now.
1828
01:15:26,400 –> 01:15:28,000
Not as a prerequisite to deployment.
1829
01:15:28,000 –> 01:15:29,960
As the foundation that enables deployment.
1830
01:15:29,960 –> 01:15:34,480
If this episode helped you rethink how Copilot governance should work, please leave a review
1831
01:15:34,480 –> 01:15:37,400
for the M365 FM podcast.
1832
01:15:37,400 –> 01:15:41,640
Your feedback helps other IT professionals and architects find content that matters.
1833
01:15:41,640 –> 01:15:47,120
Share this episode with a colleague responsible for Microsoft 365 governance or cloud adoption.
1834
01:15:47,120 –> 01:15:49,960
The conversation about parallel governance is just beginning.
1835
01:15:49,960 –> 01:15:51,840
Your peers need to hear this perspective.
1836
01:15:51,840 –> 01:15:55,480
If you want to continue the conversation, connect with Mirko Peters on LinkedIn.
1837
01:15:55,480 –> 01:15:59,000
Mirko is actively exploring the next topics for the podcast.
1838
01:15:59,000 –> 01:16:01,160
Your input shapes the direction of this show.
1839
01:16:01,160 –> 01:16:03,720
The future of governance is not about slowing innovation.
1840
01:16:03,720 –> 01:16:07,480
It is about engineering systems that allow innovation to move safely.
1841
01:16:07,480 –> 01:16:09,200
That is what this podcast is about.
1842
01:16:09,200 –> 01:16:13,080
Turning complex technology into real business value through intelligent architecture and
1843
01:16:13,080 –> 01:16:14,520
continuous governance.
1844
01:16:14,520 –> 01:16:17,080
Thank you for listening to the M365 FM podcast.
1845
01:16:17,080 –> 01:16:18,160
We will see you next episode.