Now Reading: Why Copilot Agents Fail: An Architectural Insight
-
01
Why Copilot Agents Fail: An Architectural Insight
1
00:00:00,000 –> 00:00:04,280
Most enterprises blame co-pilot agent failures on early platform chaos.
2
00:00:04,280 –> 00:00:06,280
That story is comforting, it’s also wrong.
3
00:00:06,280 –> 00:00:09,600
Agents fail because teams deploy conversation where they need control,
4
00:00:09,600 –> 00:00:12,080
then act surprised when outcomes aren’t repeatable,
5
00:00:12,080 –> 00:00:13,880
auditable or safe to scale.
6
00:00:13,880 –> 00:00:17,680
In the next hour, this goes from provocation to a Monday morning mandate.
7
00:00:17,680 –> 00:00:20,920
How to design agents like govern systems, not chat experiences.
8
00:00:20,920 –> 00:00:25,440
If you’re building co-pilot studio agents inside a real tenant, identity data,
9
00:00:25,440 –> 00:00:27,640
power platform service, now subscribe.
10
00:00:27,640 –> 00:00:30,360
This channel is where the architecture gets enforced.
11
00:00:30,360 –> 00:00:32,760
Before the sprawl becomes policy.
12
00:00:32,760 –> 00:00:35,560
The foundational misunderstanding a chat is not assisted.
13
00:00:35,560 –> 00:00:37,360
The foundational misunderstanding is simple.
14
00:00:37,360 –> 00:00:39,560
People treat chat like a system interface.
15
00:00:39,560 –> 00:00:42,160
Chat is not a system, it’s a user experience layer.
16
00:00:42,160 –> 00:00:45,800
That distinction matters because enterprises don’t run on friendly conversations.
17
00:00:45,800 –> 00:00:48,560
They run on inputs, state outputs and accountability.
18
00:00:48,560 –> 00:00:49,880
They run on repeatability.
19
00:00:49,880 –> 00:00:53,920
They run on the ability to prove what happened, why it happened and who authorized it.
20
00:00:53,920 –> 00:00:57,440
A chat box gives you none of that by default, it gives you a vibe.
21
00:00:57,440 –> 00:00:59,200
Here’s what chat does architecturally.
22
00:00:59,200 –> 00:01:00,560
It hides the boundaries.
23
00:01:00,560 –> 00:01:05,480
It collapses intent capture, decisioning and execution into one continuous stream of text.
24
00:01:05,480 –> 00:01:08,480
And the moment you do that, you lose the ability to say,
25
00:01:08,480 –> 00:01:10,480
this is the point where the system decided,
26
00:01:10,480 –> 00:01:12,920
and this is the point where the system acted.
27
00:01:12,920 –> 00:01:14,800
In other words, you can’t draw the audit line.
28
00:01:14,800 –> 00:01:16,600
Enterprise systems run on contracts.
29
00:01:16,600 –> 00:01:18,080
A request has a defined shape.
30
00:01:18,080 –> 00:01:19,400
Inputs get validated.
31
00:01:19,400 –> 00:01:21,720
State changes happen inside boundaries.
32
00:01:21,720 –> 00:01:26,200
Outputs have lineage, failures stop, retry or escalate with evidence.
33
00:01:26,200 –> 00:01:28,080
A chat doesn’t do contracts by default.
34
00:01:28,080 –> 00:01:29,240
It does interpretation.
35
00:01:29,240 –> 00:01:33,080
Sometimes useful, sometimes wrong, always harder to reproduce than a workflow.
36
00:01:33,080 –> 00:01:34,840
That’s not a moral critique of AI.
37
00:01:34,840 –> 00:01:36,360
That’s a system behavior description.
38
00:01:36,360 –> 00:01:40,960
The enterprise problem starts when teams mistake fluent language for bounded decision logic.
39
00:01:40,960 –> 00:01:45,000
They assume that if the agent can talk through a process, it can run the process.
40
00:01:45,000 –> 00:01:46,600
But language is not a control plane.
41
00:01:46,600 –> 00:01:48,160
Language is not policy enforcement.
42
00:01:48,160 –> 00:01:49,720
Language is not a transaction boundary.
43
00:01:49,720 –> 00:01:51,320
Language is just output.
44
00:01:51,320 –> 00:01:54,160
The cost of this shows up as friendly ambiguity.
45
00:01:54,160 –> 00:01:57,280
Everyone loves friendly ambiguity in demos because it feels flexible.
46
00:01:57,280 –> 00:02:00,120
In production, it creates three predictable outcomes.
47
00:02:00,120 –> 00:02:04,040
In consistent actions, untraceable rationale and audit discomfort.
48
00:02:04,040 –> 00:02:08,320
In consistent actions happen because the agent doesn’t have a deterministic decision boundary.
49
00:02:08,320 –> 00:02:11,200
The same request from two users becomes two different interpretations.
50
00:02:11,200 –> 00:02:14,880
The same request from the same user on Tuesday becomes a slightly different path on Wednesday
51
00:02:14,880 –> 00:02:18,680
because context changed, the model changed, the connector throttled, or a knowledge source
52
00:02:18,680 –> 00:02:20,160
return different chunks.
53
00:02:20,160 –> 00:02:22,800
And now your process is a probability distribution.
54
00:02:22,800 –> 00:02:26,080
Untraceable rationale happens because chat encourages narrative.
55
00:02:26,080 –> 00:02:27,080
The agent explains.
56
00:02:27,080 –> 00:02:28,080
It justifies.
57
00:02:28,080 –> 00:02:29,080
It sounds reasonable.
58
00:02:29,080 –> 00:02:33,360
But the organization can’t verify which data it used, which policy it applied, which tool
59
00:02:33,360 –> 00:02:34,840
contracted and vote.
60
00:02:34,840 –> 00:02:37,640
And what preconditions were true at the moment of action.
61
00:02:37,640 –> 00:02:38,640
You get a story.
62
00:02:38,640 –> 00:02:39,640
You don’t get evidence.
63
00:02:39,640 –> 00:02:41,560
Audit discomfort is the inevitable end state.
64
00:02:41,560 –> 00:02:43,240
Not because auditors hate AI.
65
00:02:43,240 –> 00:02:44,720
Auditors hate ambiguity.
66
00:02:44,720 –> 00:02:47,520
Outcomes you can’t reconstruct and decisions you can’t attribute.
67
00:02:47,520 –> 00:02:48,760
That’s not a control story.
68
00:02:48,760 –> 00:02:50,280
That’s an incident review waiting to happen.
69
00:02:50,280 –> 00:02:52,440
So what is the real job of an enterprise agent?
70
00:02:52,440 –> 00:02:54,000
It is not answer questions.
71
00:02:54,000 –> 00:02:55,360
That’s a small safe subset.
72
00:02:55,360 –> 00:03:00,040
The real job is delegated decisioning plus delegated execution under constraints.
73
00:03:00,040 –> 00:03:04,400
Delegated decisioning means the agent can choose a path, which workflow to trigger, which record
74
00:03:04,400 –> 00:03:08,480
to retrieve, which policy applies, which exception requires escalation.
75
00:03:08,480 –> 00:03:13,360
Delegated execution means the agent can cause state change, create a ticket, update a record,
76
00:03:13,360 –> 00:03:17,200
submit an approval, notify a user, write to a system of record.
77
00:03:17,200 –> 00:03:20,240
And the phrase under constraints is the entire point.
78
00:03:20,240 –> 00:03:24,320
Constraints are what turn AI from a probabilistic assistant into an operational component.
79
00:03:24,320 –> 00:03:27,800
Most organizations skip constraints because constraints don’t demo well.
80
00:03:27,800 –> 00:03:29,360
Constraints look like friction.
81
00:03:29,360 –> 00:03:30,760
Constraints look like governance.
82
00:03:30,760 –> 00:03:32,480
Constraints look like someone saying no.
83
00:03:32,480 –> 00:03:33,760
But constraints are the design.
84
00:03:33,760 –> 00:03:34,880
They are the architecture.
85
00:03:34,880 –> 00:03:38,960
When you deploy chat first agents, you’re delegating without defining boundaries.
86
00:03:38,960 –> 00:03:43,680
You are handing a conversational interface, a set of tools and saying, be smart.
87
00:03:43,680 –> 00:03:47,240
Then you’re surprised that it behaves like a conversational interface with tools.
88
00:03:47,240 –> 00:03:50,920
And once the agent can act, the consequences stop being theoretical.
89
00:03:50,920 –> 00:03:52,800
The failure mode isn’t it answered wrong.
90
00:03:52,800 –> 00:03:55,760
The failure mode is it updated the wrong thing.
91
00:03:55,760 –> 00:03:57,360
It approved the wrong thing.
92
00:03:57,360 –> 00:03:59,280
It exposed the wrong thing.
93
00:03:59,280 –> 00:04:01,520
Or the quietest failure of all.
94
00:04:01,520 –> 00:04:04,040
People stop trusting it and routed around it.
95
00:04:04,040 –> 00:04:06,360
That’s why more prompts doesn’t fix this.
96
00:04:06,360 –> 00:04:07,480
Prompts can shape tone.
97
00:04:07,480 –> 00:04:09,400
Prompts can reduce some ambiguity.
98
00:04:09,400 –> 00:04:13,080
Prompts can nudge behavior, but prompts cannot manufacture a control plane that doesn’t
99
00:04:13,080 –> 00:04:14,080
exist.
100
00:04:14,080 –> 00:04:15,080
They can’t create missing contracts.
101
00:04:15,080 –> 00:04:17,160
They can’t make identity decisions explicit.
102
00:04:17,160 –> 00:04:20,640
They can’t enforce tool allow lists with preconditions and refusal rules.
103
00:04:20,640 –> 00:04:25,080
They can’t produce an audit trail if the system of record was never part of the design.
104
00:04:25,080 –> 00:04:27,080
So the first mandate is structural.
105
00:04:27,080 –> 00:04:29,080
Stop asking chat to behave like a system.
106
00:04:29,080 –> 00:04:32,080
If you want enterprise outcomes, you need enterprise mechanics.
107
00:04:32,080 –> 00:04:34,000
And that’s where this gets uncomfortable.
108
00:04:34,000 –> 00:04:35,760
Because it means the agent isn’t the product.
109
00:04:35,760 –> 00:04:38,920
The product is the architecture around it.
110
00:04:38,920 –> 00:04:40,240
Truth one.
111
00:04:40,240 –> 00:04:43,120
Most agents fail because they’re too conversational.
112
00:04:43,120 –> 00:04:45,480
Here’s the first truth that gets people defensive.
113
00:04:45,480 –> 00:04:48,520
First co-pilot agents fail because they are too conversational.
114
00:04:48,520 –> 00:04:52,480
Not because conversation is bad, because conversation becomes the center of gravity and everything
115
00:04:52,480 –> 00:04:54,000
else becomes optional.
116
00:04:54,000 –> 00:04:58,840
Identity discipline, input validation, transaction boundaries, evidence, the chat first pattern
117
00:04:58,840 –> 00:05:00,360
looks harmless at the start.
118
00:05:00,360 –> 00:05:04,680
A team opens co-pilot studio, writes friendly instructions, connects knowledge, adds tools
119
00:05:04,680 –> 00:05:06,760
and ships, the demo works.
120
00:05:06,760 –> 00:05:08,080
Then it hits the tenant.
121
00:05:08,080 –> 00:05:13,360
Partial permissions, messy data, throttling edge cases in a decade of just this once exceptions.
122
00:05:13,360 –> 00:05:17,000
And a chat first agent, intent capture is vague by design.
123
00:05:17,000 –> 00:05:20,240
The user asks, “Can you help me with onboarding?”
124
00:05:20,240 –> 00:05:22,760
And the agent has to decide what help means.
125
00:05:22,760 –> 00:05:27,880
Answer questions, create accounts, request equipment, assign training, open tickets, notify
126
00:05:27,880 –> 00:05:28,880
managers.
127
00:05:28,880 –> 00:05:32,760
The user didn’t specify and the agent doesn’t have a contract that forces specificity.
128
00:05:32,760 –> 00:05:33,760
So it improvises.
129
00:05:33,760 –> 00:05:35,400
And improvisation is fine for discovery.
130
00:05:35,400 –> 00:05:36,800
It’s lethal for execution.
131
00:05:36,800 –> 00:05:38,280
The next failure is tool choice.
132
00:05:38,280 –> 00:05:42,880
In a conversational pattern, tool invocation becomes a kind of live improvisational routing.
133
00:05:42,880 –> 00:05:47,000
The model selects what it thinks is the right connector, the right action, the right flow,
134
00:05:47,000 –> 00:05:49,720
based on whatever context it has in that moment.
135
00:05:49,720 –> 00:05:51,520
If two tools overlap, it guesses.
136
00:05:51,520 –> 00:05:53,840
If a tool fails, it tries something adjacent.
137
00:05:53,840 –> 00:05:57,560
If the knowledge source returns an ambiguous chunk, it fills the gap with language.
138
00:05:57,560 –> 00:06:00,640
This is where more prompts becomes the wrong fix.
139
00:06:00,640 –> 00:06:03,720
Teams respond to bad behavior by adding more instructions.
140
00:06:03,720 –> 00:06:04,720
Always do X.
141
00:06:04,720 –> 00:06:05,720
Never do Y.
142
00:06:05,720 –> 00:06:07,040
Ask clarifying questions.
143
00:06:07,040 –> 00:06:08,600
Confirm before you update.
144
00:06:08,600 –> 00:06:13,400
Play stack paragraphs of policy into an 8,000 character text box and call it governance.
145
00:06:13,400 –> 00:06:15,240
But prompts don’t create determinism.
146
00:06:15,240 –> 00:06:16,240
Prompts create persuasion.
147
00:06:16,240 –> 00:06:18,640
They’re an influence layer on a distributed decision engine.
148
00:06:18,640 –> 00:06:23,040
When the system has conflicting signals, user language, retrieved context, tool schemers,
149
00:06:23,040 –> 00:06:26,320
permission failures, connector timeouts, the prompt isn’t a compiler.
150
00:06:26,320 –> 00:06:27,400
It’s a suggestion.
151
00:06:27,400 –> 00:06:29,680
An enterprise is don’t run on suggestions.
152
00:06:29,680 –> 00:06:33,760
This is also why more language doesn’t equal more intelligence.
153
00:06:33,760 –> 00:06:34,760
Vibosities are masking layer.
154
00:06:34,760 –> 00:06:40,000
A chat first agent can produce a long, confident explanation while the underlying decision boundary
155
00:06:40,000 –> 00:06:41,240
remains undefined.
156
00:06:41,240 –> 00:06:42,560
The output sounds like control.
157
00:06:42,560 –> 00:06:45,000
The system behavior is still probabilistic.
158
00:06:45,000 –> 00:06:47,080
Stakeholders notice this in one specific way.
159
00:06:47,080 –> 00:06:49,760
They can’t get the same result twice.
160
00:06:49,760 –> 00:06:51,840
Different wording produces different rooting.
161
00:06:51,840 –> 00:06:53,360
Different day produces different answers.
162
00:06:53,360 –> 00:06:56,400
The same action request assumes different preconditions.
163
00:06:56,400 –> 00:06:59,640
Then IT gets asked what happens when we roll this out to 30,000 people.
164
00:06:59,640 –> 00:07:02,720
A conversational agent can’t answer that reliably.
165
00:07:02,720 –> 00:07:06,320
And when an agent can’t predict its own action path, you’re not deploying automation.
166
00:07:06,320 –> 00:07:07,920
You’re deploying conditional chaos.
167
00:07:07,920 –> 00:07:10,240
Now there is a place where chat works extremely well.
168
00:07:10,240 –> 00:07:11,400
Chat is great at discovery.
169
00:07:11,400 –> 00:07:12,400
Triage.
170
00:07:12,400 –> 00:07:13,400
Clarification.
171
00:07:13,400 –> 00:07:14,400
Samarization.
172
00:07:14,400 –> 00:07:16,360
Help me understand what’s going on.
173
00:07:16,360 –> 00:07:17,840
Show me the options.
174
00:07:17,840 –> 00:07:19,200
Explain the policy.
175
00:07:19,200 –> 00:07:20,880
Which team owns this?
176
00:07:20,880 –> 00:07:25,120
That’s where probabilistic behavior is acceptable because the output is advisory, not state
177
00:07:25,120 –> 00:07:26,120
changing.
178
00:07:26,120 –> 00:07:29,360
Chat is also great at absorbing messy inputs from humans and turning them into structured
179
00:07:29,360 –> 00:07:30,360
parameters.
180
00:07:30,360 –> 00:07:31,360
That’s valuable.
181
00:07:31,360 –> 00:07:32,440
But it’s a front end, not the engine.
182
00:07:32,440 –> 00:07:34,120
And the mistake is asking chat to be the engine.
183
00:07:34,120 –> 00:07:38,600
The moment you let conversation carry the workflow, you’ve made the workflow dependent on
184
00:07:38,600 –> 00:07:39,800
language variance.
185
00:07:39,800 –> 00:07:41,400
And language variance is infinite.
186
00:07:41,400 –> 00:07:43,360
Users will ask the same thing 10 different ways.
187
00:07:43,360 –> 00:07:44,360
They will omit details.
188
00:07:44,360 –> 00:07:45,600
They will paste screenshots.
189
00:07:45,600 –> 00:07:50,040
They will drop half a ticket history into the chat and expect the agent to just know.
190
00:07:50,040 –> 00:07:53,400
So the right design move is not make the agent more conversational.
191
00:07:53,400 –> 00:07:54,400
It’s the opposite.
192
00:07:54,400 –> 00:07:57,320
Make the agent less conversational where it matters.
193
00:07:57,320 –> 00:08:00,800
Shrink the conversation surface to parameter collection and confirmation.
194
00:08:00,800 –> 00:08:03,280
Post-decision boundaries into explicit routing.
195
00:08:03,280 –> 00:08:05,680
Push execution into deterministic systems.
196
00:08:05,680 –> 00:08:09,440
Flows, APIs, orchestration that you can test, version and audit.
197
00:08:09,440 –> 00:08:11,040
Which raises the obvious question.
198
00:08:11,040 –> 00:08:13,480
If chat can’t be the center of gravity, what can?
199
00:08:13,480 –> 00:08:15,120
A control surface.
200
00:08:15,120 –> 00:08:16,200
Delegation with contracts.
201
00:08:16,200 –> 00:08:19,760
An agent designed like an enterprise system, not a personality.
202
00:08:19,760 –> 00:08:20,760
Truth too.
203
00:08:20,760 –> 00:08:23,440
An agent is a delegated control surface.
204
00:08:23,440 –> 00:08:26,360
Truth number two is the one that breaks most org charts.
205
00:08:26,360 –> 00:08:28,480
An agent isn’t an AI employee.
206
00:08:28,480 –> 00:08:30,240
It’s a delegated control surface.
207
00:08:30,240 –> 00:08:34,000
The difference matters because employees come with training, supervision, professional
208
00:08:34,000 –> 00:08:36,920
judgment and critical personal accountability.
209
00:08:36,920 –> 00:08:37,960
Agents come with none of that.
210
00:08:37,960 –> 00:08:42,440
They come with permissions, tools, data pathways and a model that will happily produce a plausible
211
00:08:42,440 –> 00:08:44,920
plan even when the environment is lying to it.
212
00:08:44,920 –> 00:08:48,800
When someone says we’re giving the HR agent access to onboarding systems, what they’re
213
00:08:48,800 –> 00:08:53,800
really saying is we’re exposing a set of execution pathways to a probabilistic decision engine.
214
00:08:53,800 –> 00:08:54,800
That’s not inspirational.
215
00:08:54,800 –> 00:08:56,120
That’s a risk statement.
216
00:08:56,120 –> 00:09:01,120
Capability of an agent equals the sum of what you exposed, not what you wrote in instructions,
217
00:09:01,120 –> 00:09:02,680
not what the demo showed.
218
00:09:02,680 –> 00:09:04,000
Exposed pathways.
219
00:09:04,000 –> 00:09:08,000
Identity context, connector permissions, action schemers, knowledge sources and whatever
220
00:09:08,000 –> 00:09:10,000
the platform can reach at runtime.
221
00:09:10,000 –> 00:09:11,600
That’s the real surface area.
222
00:09:11,600 –> 00:09:15,960
And in enterprise systems, surface area is destiny because agents don’t amplify your best
223
00:09:15,960 –> 00:09:16,960
process.
224
00:09:16,960 –> 00:09:19,320
They amplify your weakest governance path.
225
00:09:19,320 –> 00:09:23,560
If your tenant already has temporary exceptions over permission service accounts, stale
226
00:09:23,560 –> 00:09:28,480
app registrations, connectors, nobody owns, sharepoint sites that grew like mold and agent
227
00:09:28,480 –> 00:09:29,480
doesn’t fix that.
228
00:09:29,480 –> 00:09:32,640
It automates it at speed with a friendly explanation attached.
229
00:09:32,640 –> 00:09:35,680
This is why the AI employee metaphor is so dangerous.
230
00:09:35,680 –> 00:09:39,240
It tricks leadership into thinking the hard part is adoption and change management, but
231
00:09:39,240 –> 00:09:43,960
architecturally the hard part is delegation mechanics who authorizes who executes and
232
00:09:43,960 –> 00:09:47,560
who owns the outcome when things go wrong start with authorization.
233
00:09:47,560 –> 00:09:50,720
In a real system, an action doesn’t happen because someone asked nicely.
234
00:09:50,720 –> 00:09:54,560
It happens because an identity with the right entitlements invoked a defined operation under
235
00:09:54,560 –> 00:09:55,640
policy.
236
00:09:55,640 –> 00:09:57,480
With agents, people blur that line.
237
00:09:57,480 –> 00:09:59,880
They assume the user’s request is the authorization.
238
00:09:59,880 –> 00:10:00,880
It isn’t.
239
00:10:00,880 –> 00:10:02,720
It’s input.
240
00:10:02,720 –> 00:10:04,280
Authorization is the control plane decision.
241
00:10:04,280 –> 00:10:08,280
Should this user in this context be allowed to cause the state change using this tool right
242
00:10:08,280 –> 00:10:09,280
now?
243
00:10:09,280 –> 00:10:10,520
Then execution.
244
00:10:10,520 –> 00:10:14,800
Execution is where the damage happens because execution changes state outside the chat.
245
00:10:14,800 –> 00:10:17,440
Create update, delete, approve, notify, escalate.
246
00:10:17,440 –> 00:10:22,120
If you let a model choose those operations freely, you’ve moved from assistant to unbounded
247
00:10:22,120 –> 00:10:23,120
operator.
248
00:10:23,120 –> 00:10:25,280
And that’s fine in consumer software.
249
00:10:25,280 –> 00:10:28,920
Enterprises don’t get to do fine and then ownership.
250
00:10:28,920 –> 00:10:32,200
When an agent updates a record incorrectly, who owns that incident?
251
00:10:32,200 –> 00:10:36,400
The maker, the system owner, the identity team, the business sponsor, everyone will point
252
00:10:36,400 –> 00:10:38,920
at everyone else unless you force it into the design.
253
00:10:38,920 –> 00:10:44,280
That’s why agents need an explicit responsibility model, not a vague product owner label in a spreadsheet.
254
00:10:44,280 –> 00:10:46,400
Here’s the uncomfortable truth.
255
00:10:46,400 –> 00:10:49,520
A candidate execution without explicit ownership becomes political debt fast.
256
00:10:49,520 –> 00:10:51,920
Now connect this back to what people actually build.
257
00:10:51,920 –> 00:10:56,080
A copilot agent is a UI that fronts a bundle of integrations.
258
00:10:56,080 –> 00:10:58,000
Each integration has a failure mode.
259
00:10:58,000 –> 00:11:02,400
Permission denied, throttling, schema change, timeout, bad data, partial success.
260
00:11:02,400 –> 00:11:04,720
When those happen, the model will try to be helpful.
261
00:11:04,720 –> 00:11:05,800
It will root around.
262
00:11:05,800 –> 00:11:07,480
It will attempt an alternative.
263
00:11:07,480 –> 00:11:09,000
It will summarize a guess.
264
00:11:09,000 –> 00:11:13,440
And if you didn’t design a refusal rule or an escalation path, it will keep going.
265
00:11:13,440 –> 00:11:15,880
That means your agent is not helping employees.
266
00:11:15,880 –> 00:11:19,880
It is making runtime decisions in a distributed environment you barely control.
267
00:11:19,880 –> 00:11:22,400
So the mandate is not make the agent smarter.
268
00:11:22,400 –> 00:11:25,640
The mandate is make delegation explicit.
269
00:11:25,640 –> 00:11:27,240
Define the identity model.
270
00:11:27,240 –> 00:11:31,280
Run as user, run as service or hybrid with consequences documented.
271
00:11:31,280 –> 00:11:33,040
Define the tool allow list.
272
00:11:33,040 –> 00:11:34,360
Which actions exist?
273
00:11:34,360 –> 00:11:35,800
What inputs they accept?
274
00:11:35,800 –> 00:11:37,320
What outputs they return?
275
00:11:37,320 –> 00:11:38,800
And what errors look like?
276
00:11:38,800 –> 00:11:40,120
Define the decision boundaries.
277
00:11:40,120 –> 00:11:41,520
What the agent may infer?
278
00:11:41,520 –> 00:11:42,720
What it must verify?
279
00:11:42,720 –> 00:11:43,840
And when it must stop?
280
00:11:43,840 –> 00:11:45,680
And define the audit surface?
281
00:11:45,680 –> 00:11:50,000
It gets written to the system of records so the business can reconstruct why something happened.
282
00:11:50,000 –> 00:11:54,400
That’s the difference between an agent as a novelty and an agent as an enterprise-controlled
283
00:11:54,400 –> 00:11:55,400
surface.
284
00:11:55,400 –> 00:11:58,760
And once you accept that framing, enthusiasm becomes irrelevant.
285
00:11:58,760 –> 00:12:00,760
Architecture becomes the product.
286
00:12:00,760 –> 00:12:02,920
Which is exactly where this goes next.
287
00:12:02,920 –> 00:12:07,960
Deterministic ROI only shows up when the design itself is deterministic.
288
00:12:07,960 –> 00:12:10,080
The architectural mandate.
289
00:12:10,080 –> 00:12:12,720
Deterministic ROI requires deterministic design.
290
00:12:12,720 –> 00:12:14,840
So here’s the mandate stated plainly.
291
00:12:14,840 –> 00:12:18,280
The moment an agent can take action, you stop building an agent.
292
00:12:18,280 –> 00:12:19,440
You start building a system.
293
00:12:19,440 –> 00:12:24,120
And systems only produce ROI when they behave predictably under real conditions.
294
00:12:24,120 –> 00:12:28,680
Partial data, partial permissions, outages, policy changes, and users who never read your
295
00:12:28,680 –> 00:12:29,920
documentation.
296
00:12:29,920 –> 00:12:35,360
That distinction matters because most ROI conversations about agents are really demo conversations.
297
00:12:35,360 –> 00:12:39,280
They measure how impressed someone felt, how quickly a pilot team shipped, how many questions
298
00:12:39,280 –> 00:12:41,680
the agent answered without embarrassing itself in a meeting.
299
00:12:41,680 –> 00:12:42,680
That’s not ROI.
300
00:12:42,680 –> 00:12:44,280
That’s novelty with a budget.
301
00:12:44,280 –> 00:12:46,440
Deterministic ROI is different.
302
00:12:46,440 –> 00:12:50,680
Deterministic ROI means you can name the outcome, measure the delta, and trust it will repeat
303
00:12:50,680 –> 00:12:54,160
tomorrow at 10x scale without turning into an incident backlog.
304
00:12:54,160 –> 00:12:58,280
And that only happens when the design is deterministic where it needs to be.
305
00:12:58,280 –> 00:13:01,040
Enterprises tolerate probabilistic behavior in one place.
306
00:13:01,040 –> 00:13:02,040
Interpretation.
307
00:13:02,040 –> 00:13:06,040
They tolerate variance in how a user asks a question, how an agent summarizes information,
308
00:13:06,040 –> 00:13:07,760
how it suggests next steps.
309
00:13:07,760 –> 00:13:08,760
That’s the reasoning layer.
310
00:13:08,760 –> 00:13:09,760
And it’s useful.
311
00:13:09,760 –> 00:13:12,120
They do not tolerate probabilistic behavior and execution.
312
00:13:12,120 –> 00:13:16,320
Not in approvals, not in record updates, not in entitlement changes, not in ticket routing,
313
00:13:16,320 –> 00:13:19,560
not in anything that moves state in a system of record.
314
00:13:19,560 –> 00:13:22,360
So the architectural mandate is a separation of concerns.
315
00:13:22,360 –> 00:13:24,600
Let the model do what models are good at.
316
00:13:24,600 –> 00:13:29,520
Language normalization, intent extraction, ambiguity detection, summarization, and classification.
317
00:13:29,520 –> 00:13:33,320
Then hand execution to what enterprises already trust.
318
00:13:33,320 –> 00:13:38,880
Deterministic workflows, explicit APIs, validated inputs, and governed identities.
319
00:13:38,880 –> 00:13:41,400
The core line is still the simplest one.
320
00:13:41,400 –> 00:13:42,640
Chat is for discovery.
321
00:13:42,640 –> 00:13:44,800
Agents are for execution.
322
00:13:44,800 –> 00:13:46,840
Confuse the two and you automate ambiguity.
323
00:13:46,840 –> 00:13:49,520
And yes, some people will argue, but the model can do tool calling.
324
00:13:49,520 –> 00:13:50,840
They can choose actions.
325
00:13:50,840 –> 00:13:51,840
Of course it can.
326
00:13:51,840 –> 00:13:52,840
That’s not the question.
327
00:13:52,840 –> 00:13:57,240
The question is whether you can prove ahead of time what it will do with a given intent.
328
00:13:57,240 –> 00:14:00,000
If you can’t predict the action path, you can’t govern it.
329
00:14:00,000 –> 00:14:01,680
If you can’t govern it, you can’t scale it.
330
00:14:01,680 –> 00:14:05,680
If you can’t scale it, your ROI is a one time demo artifact.
331
00:14:05,680 –> 00:14:07,400
Determinism isn’t about removing AI.
332
00:14:07,400 –> 00:14:11,240
It’s about placing AI inside a design that can survive entropy.
333
00:14:11,240 –> 00:14:13,720
Because entropy is the default state of every tenant.
334
00:14:13,720 –> 00:14:18,120
Connectors drift, permissions drift, knowledge sources drift, people leave.
335
00:14:18,120 –> 00:14:21,720
Temporary exceptions become permanent, platforms update, models update.
336
00:14:21,720 –> 00:14:24,440
Suddenly the agent behaves differently and no one can explain why.
337
00:14:24,440 –> 00:14:26,640
A deterministic design assumes drift.
338
00:14:26,640 –> 00:14:27,880
It constrains it.
339
00:14:27,880 –> 00:14:31,800
And it creates a stable envelope where change can happen without turning behavior into
340
00:14:31,800 –> 00:14:32,800
roulette.
341
00:14:32,800 –> 00:14:34,240
So what does that actually look like in practice?
342
00:14:34,240 –> 00:14:35,640
It looks like contracts.
343
00:14:35,640 –> 00:14:37,760
Instructions contracts.
344
00:14:37,760 –> 00:14:40,960
A contract says for this intent these are the required inputs.
345
00:14:40,960 –> 00:14:42,360
These are the allowable tools.
346
00:14:42,360 –> 00:14:45,760
These are the preconditions and these are the outcomes we will write back to the system
347
00:14:45,760 –> 00:14:46,760
of record.
348
00:14:46,760 –> 00:14:51,240
If any of those aren’t true, the agent refuses, escalates or roots to a human.
349
00:14:51,240 –> 00:14:52,240
No improvisation.
350
00:14:52,240 –> 00:14:54,680
No best effort updates to production systems.
351
00:14:54,680 –> 00:14:58,040
This is also where people misunderstand deterministic as rigid.
352
00:14:58,040 –> 00:14:59,360
It isn’t.
353
00:14:59,360 –> 00:15:05,040
You can be flexible in how users express intent and strict in how the system executes.
354
00:15:05,040 –> 00:15:07,960
Exactly how mature enterprise software already works.
355
00:15:07,960 –> 00:15:10,320
Humans type messy things into forms all day.
356
00:15:10,320 –> 00:15:12,480
The system doesn’t take the mess literally.
357
00:15:12,480 –> 00:15:15,120
It validates normalizes and enforces policy.
358
00:15:15,120 –> 00:15:16,160
Agents need the same shape.
359
00:15:16,160 –> 00:15:20,920
So when someone asks for proven ROI, the real answer isn’t “build a better prompt”.
360
00:15:20,920 –> 00:15:25,200
The real answer is “design an agent that produces repeatable outcomes”.
361
00:15:25,200 –> 00:15:30,200
Repeatable means the same intent and the same state lead to the same execution path.
362
00:15:30,200 –> 00:15:34,560
Legal means you can track throughput, cycle time, escalation rate and error rates without
363
00:15:34,560 –> 00:15:36,520
arguing about definitions.
364
00:15:36,520 –> 00:15:41,600
Stable means you can operate it, version it, test it, roll it back and audit it.
365
00:15:41,600 –> 00:15:43,520
That’s deterministic ROI.
366
00:15:43,520 –> 00:15:47,200
And it’s the only ROI that survives beyond the pilot phase.
367
00:15:47,200 –> 00:15:49,160
Everything else is the familiar pattern.
368
00:15:49,160 –> 00:15:53,560
Initial excitement then drift, then exceptions, then manual overrides, then quite abandonment.
369
00:15:53,560 –> 00:15:55,680
So the mandate is architectural honesty.
370
00:15:55,680 –> 00:15:59,040
The side where you accept probability and where you demand certainty.
371
00:15:59,040 –> 00:16:03,240
To make this concrete, the next piece is the decision model that replaces chat first agents
372
00:16:03,240 –> 00:16:04,240
entirely.
373
00:16:04,240 –> 00:16:08,280
Because once you see it, you stop designing conversations, you start designing systems that
374
00:16:08,280 –> 00:16:09,680
happen to speak.
375
00:16:09,680 –> 00:16:15,480
The decision model, event, reasoning, orchestration, execution, record.
376
00:16:15,480 –> 00:16:21,120
Here’s the replacement model, not a better chat, a decision system that happens to speak.
377
00:16:21,120 –> 00:16:26,160
Event reasoning, orchestration, execution, record, five stages, clear boundaries, clear ownership,
378
00:16:26,160 –> 00:16:27,360
clear evidence.
379
00:16:27,360 –> 00:16:31,960
Not with the event because enterprises love to pretend an agent just helps people.
380
00:16:31,960 –> 00:16:32,960
It doesn’t.
381
00:16:32,960 –> 00:16:35,240
An enterprise agent should start because something explicit happened.
382
00:16:35,240 –> 00:16:39,680
A user request in teams, a form submission, a service now ticket moved to a new state,
383
00:16:39,680 –> 00:16:42,600
a high risk sign-in event, a scheduled daily run.
384
00:16:42,600 –> 00:16:44,760
You don’t let the agent wake up based on vibes.
385
00:16:44,760 –> 00:16:46,280
An event is the trigger contract.
386
00:16:46,280 –> 00:16:48,080
It answers, “What starts this?
387
00:16:48,080 –> 00:16:49,080
Who started it?
388
00:16:49,080 –> 00:16:51,640
And what context is guaranteed at the start?”
389
00:16:51,640 –> 00:16:54,720
That matters because most agent drift starts at the beginning.
390
00:16:54,720 –> 00:16:58,600
If the start condition is loose, everything downstream becomes interpretive.
391
00:16:58,600 –> 00:17:00,640
Loose triggers create lose outcomes.
392
00:17:00,640 –> 00:17:02,680
Deterministic systems don’t start that way.
393
00:17:02,680 –> 00:17:07,800
Next reasoning, this is where the model earns its keep, but only inside a bounded context.
394
00:17:07,800 –> 00:17:12,760
Reesoning means interpret messy human language, detect ambiguity, extract parameters, classify
395
00:17:12,760 –> 00:17:15,880
intent and decide what must be verified before anything happens.
396
00:17:15,880 –> 00:17:20,240
It’s also where the agent can say, “I can do that, but I need these three inputs.”
397
00:17:20,240 –> 00:17:22,640
Or, “I can’t do that without approval.”
398
00:17:22,640 –> 00:17:27,200
That context means the agent is not allowed to treat the entire tenant as its memory.
399
00:17:27,200 –> 00:17:32,000
It gets a defined set of knowledge sources, a defined set of operational data, and a defined
400
00:17:32,000 –> 00:17:33,880
set of assumptions it may make.
401
00:17:33,880 –> 00:17:36,480
Everything else is either verification or refusal.
402
00:17:36,480 –> 00:17:40,200
This is where a lot of teams get lazy and call retrieval reasoning.
403
00:17:40,200 –> 00:17:41,520
Retrieval is just scavenging.
404
00:17:41,520 –> 00:17:45,320
Reesoning is deciding what to do with what you found and more importantly, what you’re
405
00:17:45,320 –> 00:17:47,400
not allowed to do without stronger evidence.
406
00:17:47,400 –> 00:17:48,720
Then orchestration.
407
00:17:48,720 –> 00:17:53,120
It is policy not creativity.
408
00:17:53,120 –> 00:17:55,440
Orcustration decides which tool is allowed to run for this intent under these conditions
409
00:17:55,440 –> 00:17:56,440
with these inputs.
410
00:17:56,440 –> 00:18:01,520
It is the layer that converts the user, ask the thing, into we are invoking exactly this
411
00:18:01,520 –> 00:18:02,800
contract.
412
00:18:02,800 –> 00:18:05,600
If two tools overlap, orchestration doesn’t guess.
413
00:18:05,600 –> 00:18:06,600
It roots.
414
00:18:06,600 –> 00:18:07,800
This is where the allow list lives.
415
00:18:07,800 –> 00:18:09,320
This is where preconditions live.
416
00:18:09,320 –> 00:18:11,040
This is where refusal rules live.
417
00:18:11,040 –> 00:18:14,840
If the user wants an action that isn’t in the contract, the agent doesn’t improvise.
418
00:18:14,840 –> 00:18:15,840
It stops.
419
00:18:15,840 –> 00:18:19,160
It escalates.
420
00:18:19,160 –> 00:18:23,240
And yes, co-pilot studio can do orchestration in different ways.
421
00:18:23,240 –> 00:18:24,240
Topics.
422
00:18:24,240 –> 00:18:25,240
Generative orchestration.
423
00:18:25,240 –> 00:18:26,240
Tool definitions.
424
00:18:26,240 –> 00:18:27,240
Agent flows.
425
00:18:27,240 –> 00:18:28,240
The mechanism isn’t the point.
426
00:18:28,240 –> 00:18:31,400
The point is that orchestration behaves like an authorization compiler.
427
00:18:31,400 –> 00:18:34,600
It turns intent into permitted operations or it rejects it.
428
00:18:34,600 –> 00:18:36,320
After orchestration comes execution.
429
00:18:36,320 –> 00:18:38,400
And execution should be boring.
430
00:18:38,400 –> 00:18:41,280
Execution is where deterministic systems do deterministic work.
431
00:18:41,280 –> 00:18:42,280
Power automate.
432
00:18:42,280 –> 00:18:43,280
Logic apps.
433
00:18:43,280 –> 00:18:44,920
APIs with typed schemas.
434
00:18:44,920 –> 00:18:49,040
Logic flows with idempotency, so run it again doesn’t duplicate side effects.
435
00:18:49,040 –> 00:18:50,360
Retrieves with timeouts.
436
00:18:50,360 –> 00:18:51,600
Known failure states.
437
00:18:51,600 –> 00:18:53,920
The stuff that incident reviews actually understand.
438
00:18:53,920 –> 00:18:58,560
The agent should not execute by narrating and then doing ad hoc tool calls until it feels
439
00:18:58,560 –> 00:18:59,560
done.
440
00:18:59,560 –> 00:19:01,640
That’s conditional chaos disguised as helpfulness.
441
00:19:01,640 –> 00:19:05,760
Instead execution runs through components you can version, test and observe.
442
00:19:05,760 –> 00:19:07,000
You can run them in isolation.
443
00:19:07,000 –> 00:19:08,080
You can gate releases.
444
00:19:08,080 –> 00:19:09,080
You can roll back.
445
00:19:09,080 –> 00:19:12,040
You can prove exactly what happened when an action mutated state.
446
00:19:12,040 –> 00:19:13,720
And finally, record.
447
00:19:13,720 –> 00:19:17,560
This is the stage most teams skip and its wide trust evaporates.
448
00:19:17,560 –> 00:19:21,320
A system that can’t write its outcomes and rationale to a system of record isn’t an
449
00:19:21,320 –> 00:19:22,320
enterprise system.
450
00:19:22,320 –> 00:19:24,680
It’s a suggestion engine with side effects.
451
00:19:24,680 –> 00:19:28,680
Record means capture the event, the intent, the key inputs, the policy decision, the tools
452
00:19:28,680 –> 00:19:32,120
invoked, the outcome and the handoff if it escalated.
453
00:19:32,120 –> 00:19:34,400
Service now is a common center of gravity here.
454
00:19:34,400 –> 00:19:38,560
Not because it’s magic, but because it already represents state ownership and auditability
455
00:19:38,560 –> 00:19:39,560
for work.
456
00:19:39,560 –> 00:19:40,880
It’s where work becomes accountable.
457
00:19:40,880 –> 00:19:44,120
The record is also how you measure ROI without lying to yourself.
458
00:19:44,120 –> 00:19:46,440
Not users liked it.
459
00:19:46,440 –> 00:19:52,440
Actual deltas, cycle time, escalation reduction, rework rate, exception volume, manual intervention.
460
00:19:52,440 –> 00:19:54,200
So this model does one crucial thing.
461
00:19:54,200 –> 00:19:58,320
It moves the agent from being a conversational blob to being a controlled pipeline.
462
00:19:58,320 –> 00:20:00,120
Humans can still type messy requests.
463
00:20:00,120 –> 00:20:03,840
The model can still reason, but action happens only through contracts and evidence lands
464
00:20:03,840 –> 00:20:06,000
in systems that governance already understands.
465
00:20:06,000 –> 00:20:08,040
Now the uncomfortable part.
466
00:20:08,040 –> 00:20:12,320
Once you build this way, you’ll notice how many popular agent designs are the exact opposite
467
00:20:12,320 –> 00:20:14,520
and they fail in the same three ways every time.
468
00:20:14,520 –> 00:20:18,840
The anti-patterns, three ways enterprises build conditional chaos.
469
00:20:18,840 –> 00:20:22,760
Now you can spot the anti-patterns instantly because they all violate the same law.
470
00:20:22,760 –> 00:20:26,440
They collapse, decisioning and execution back into chat, then pretend governance will catch
471
00:20:26,440 –> 00:20:27,440
up later.
472
00:20:27,440 –> 00:20:29,640
There are three versions of this.
473
00:20:29,640 –> 00:20:32,040
Enterprises rotate through them like it’s a maturity model.
474
00:20:32,040 –> 00:20:33,040
It isn’t.
475
00:20:33,040 –> 00:20:35,440
It’s just three different ways to automate ambiguity.
476
00:20:35,440 –> 00:20:36,440
Anti-pattern 1.
477
00:20:36,440 –> 00:20:37,640
Decide while you talk.
478
00:20:37,640 –> 00:20:40,920
This is the agent that narrates a plan and commits actions in the same breath.
479
00:20:40,920 –> 00:20:44,560
The user asks, can you offboard this contractor?
480
00:20:44,560 –> 00:20:49,600
The agent starts explaining the steps, but while it’s explaining, it’s also calling tools.
481
00:20:49,600 –> 00:20:54,080
Disabling the account, revoking sessions, removing licenses, closing access groups, updating
482
00:20:54,080 –> 00:20:55,240
a ticket.
483
00:20:55,240 –> 00:21:00,720
It feels efficient because it keeps the conversation moving, but architecturally it’s catastrophic.
484
00:21:00,720 –> 00:21:04,080
Because the system has no hard boundary between thinking and doing.
485
00:21:04,080 –> 00:21:05,720
The plan becomes execution.
486
00:21:05,720 –> 00:21:09,480
And once the agent can do partial work, you get the worst possible failure mode, half
487
00:21:09,480 –> 00:21:12,800
completed state change with a polite summary at the end.
488
00:21:12,800 –> 00:21:17,160
In incident terms, this is how you end up with account disabled, but mailbox still accessible
489
00:21:17,160 –> 00:21:22,040
ticket updated, but approvals missing, access removed in one system but not the other.
490
00:21:22,040 –> 00:21:24,840
Then the user asks, wait, did it actually do it?
491
00:21:24,840 –> 00:21:28,800
And no one has a clean answer because the conversation transcript is not an audit log.
492
00:21:28,800 –> 00:21:33,760
The enterprise requires a commit point, a confirmation, a transaction boundary.
493
00:21:33,760 –> 00:21:37,640
If the agent can’t separate, I understand what you want from I am now changing state.
494
00:21:37,640 –> 00:21:38,880
You don’t have automation.
495
00:21:38,880 –> 00:21:41,200
You have a probabilistic operator.
496
00:21:41,200 –> 00:21:43,440
Antipatent 2, retrieval equals reasoning.
497
00:21:43,440 –> 00:21:46,040
This is the agent that gets praised because it knows a lot.
498
00:21:46,040 –> 00:21:50,200
It has SharePoint, it has PDFs, it has a knowledge base, it can search, it can quote internal
499
00:21:50,200 –> 00:21:53,880
docs, and the team assumes that because it can retrieve context, it can make operational
500
00:21:53,880 –> 00:21:54,880
decisions.
501
00:21:54,880 –> 00:21:56,640
But retrieval is not reasoning.
502
00:21:56,640 –> 00:21:58,120
Retrieval is just context scavenging.
503
00:21:58,120 –> 00:22:02,360
In other words, the agent can find text that looks relevant, but it still has to decide
504
00:22:02,360 –> 00:22:06,240
what that text means, whether it applies, whether it’s current, whether the user is allowed
505
00:22:06,240 –> 00:22:11,400
to act on it, and whether the text implies an executable workflow or just a guideline.
506
00:22:11,400 –> 00:22:13,080
And here’s the weird part.
507
00:22:13,080 –> 00:22:17,600
Retrieval makes agents look more confident while being less safe because now the agent can
508
00:22:17,600 –> 00:22:20,240
anchor a wrong decision to a real paragraph.
509
00:22:20,240 –> 00:22:24,640
It can cite a policy snippet that is outdated, incomplete, or scoped to a different business
510
00:22:24,640 –> 00:22:25,640
unit.
511
00:22:25,640 –> 00:22:28,320
The output feels grounded, the decision is still unbounded.
512
00:22:28,320 –> 00:22:32,160
This is where audit risk quietly grows if the organization can’t attribute which source,
513
00:22:32,160 –> 00:22:35,880
which version, which section, and which rule actually govern the action, we retrieved
514
00:22:35,880 –> 00:22:39,560
something becomes a liability, not a control.
515
00:22:39,560 –> 00:22:40,720
Retrieval supports reasoning.
516
00:22:40,720 –> 00:22:43,080
It does not replace it.
517
00:22:43,080 –> 00:22:44,560
Antipatern 3.
518
00:22:44,560 –> 00:22:48,360
Prompt branching logic that nobody can explain after the third exception.
519
00:22:48,360 –> 00:22:52,880
This is the agent that starts as a clean pilot, a few intents, a few flows, a few prompts.
520
00:22:52,880 –> 00:22:55,240
Then reality shows up, someone needs an exception.
521
00:22:55,240 –> 00:22:59,240
Then another, then a special case for one region, then a temporary bypass because a connector
522
00:22:59,240 –> 00:23:02,120
is flaky, then a workaround because the knowledge source isn’t a big deal.
523
00:23:02,120 –> 00:23:05,080
It’s outdated yet, so the team keeps adding conditional text.
524
00:23:05,080 –> 00:23:08,560
More instructions, more if the user says x, do y, unless z.
525
00:23:08,560 –> 00:23:12,240
The logic lives in prompts, topic nodes, and scattered tool descriptions.
526
00:23:12,240 –> 00:23:16,240
It’s not versioned like a workflow, it’s not tested like software, it’s not even readable
527
00:23:16,240 –> 00:23:17,640
as a policy document.
528
00:23:17,640 –> 00:23:20,000
Over time, the agent becomes an entropy museum.
529
00:23:20,000 –> 00:23:21,960
Every workaround preserved forever.
530
00:23:21,960 –> 00:23:25,440
And the symptom pattern is consistent, first, manual overrides.
531
00:23:25,440 –> 00:23:27,880
People rerun the workflow just to be safe.
532
00:23:27,880 –> 00:23:29,800
Second, inconsistent approvals.
533
00:23:29,800 –> 00:23:34,000
The same request goes down different paths because the branching rules depend on phrasing
534
00:23:34,000 –> 00:23:35,320
and context chunks.
535
00:23:35,320 –> 00:23:37,480
Third, silent failure modes.
536
00:23:37,480 –> 00:23:41,800
The agent times out, falls back, or partially completes actions while telling the user it
537
00:23:41,800 –> 00:23:42,960
handled it.
538
00:23:42,960 –> 00:23:45,840
This is how trust dies, not loudly, quietly.
539
00:23:45,840 –> 00:23:49,440
Users stop escalating issues because they stop expecting the agent to behave.
540
00:23:49,440 –> 00:23:53,760
They root around it, they go back to email, teams, messages, and tribal knowledge.
541
00:23:53,760 –> 00:23:55,800
Leadership still thinks there’s an agent program.
542
00:23:55,800 –> 00:23:59,760
In reality, there’s an abandoned chat surface connected to production systems.
543
00:23:59,760 –> 00:24:04,240
If you want a quick diagnostic when an agent fails, ask where the decision boundary lives.
544
00:24:04,240 –> 00:24:07,160
If it lives in conversation, you build conditional chaos.
545
00:24:07,160 –> 00:24:11,960
If it lives in contracts, orchestration, and a system of record, you build something that
546
00:24:11,960 –> 00:24:13,480
can survive scale.
547
00:24:13,480 –> 00:24:17,200
Now it’s time to show what contracts first looks like when a regulated enterprise does
548
00:24:17,200 –> 00:24:18,800
it on purpose.
549
00:24:18,800 –> 00:24:22,400
The success case, regulated enterprise that started with contracts.
550
00:24:22,400 –> 00:24:25,880
A regulated enterprise doesn’t get agents right because they’re smarter.
551
00:24:25,880 –> 00:24:29,000
They get it right because the environment punishes improvisation.
552
00:24:29,000 –> 00:24:32,720
If you’re in financial services, farmer, aerospace, or regulated manufacturing, you don’t get
553
00:24:32,720 –> 00:24:35,640
to hide behind the model did something weird.
554
00:24:35,640 –> 00:24:38,040
You either produce evidence or you produce risk.
555
00:24:38,040 –> 00:24:41,560
So the teams that succeed don’t start by asking what can co-pilot do.
556
00:24:41,560 –> 00:24:45,400
They start by asking, what are we allowed to delegate under what constraints with what
557
00:24:45,400 –> 00:24:46,400
proof?
558
00:24:46,400 –> 00:24:48,920
That distinction matters because it flips the build order.
559
00:24:48,920 –> 00:24:50,880
The success pattern looks boring on purpose.
560
00:24:50,880 –> 00:24:52,920
It starts with contracts and identity.
561
00:24:52,920 –> 00:24:54,480
Only later does it add conversation.
562
00:24:54,480 –> 00:24:58,320
In one program like this, the initial scope wasn’t automate everything.
563
00:24:58,320 –> 00:25:02,480
It was one value stream that already had a system of record in a known escalation path.
564
00:25:02,480 –> 00:25:05,840
Think service requests, approvals, or control changes.
565
00:25:05,840 –> 00:25:08,400
The agent didn’t own the process.
566
00:25:08,400 –> 00:25:09,920
It owned a narrow slice.
567
00:25:09,920 –> 00:25:15,360
Intake normalization, parameter validation, rooting and execution of a fixed set of actions,
568
00:25:15,360 –> 00:25:18,360
and the first architectural decision was the one most pilots ignore.
569
00:25:18,360 –> 00:25:19,840
Who does this run as?
570
00:25:19,840 –> 00:25:22,040
They made the identity model explicit up front.
571
00:25:22,040 –> 00:25:24,400
User delegated actions, state user delegated.
572
00:25:24,400 –> 00:25:27,880
Service executed actions ran under dedicated identities with least privilege.
573
00:25:27,880 –> 00:25:32,320
No shared maker credentials, no temporary admin access because it was faster.
574
00:25:32,320 –> 00:25:36,680
Every permission was treated as a contract, not a convenience, because in regulated environments
575
00:25:36,680 –> 00:25:40,280
identity drift becomes audit drift fast.
576
00:25:40,280 –> 00:25:42,800
The second decision was context architecture.
577
00:25:42,800 –> 00:25:45,520
They didn’t attach share point and pray.
578
00:25:45,520 –> 00:25:49,200
They treated knowledge like a product with owners, life cycle and versioning.
579
00:25:49,200 –> 00:25:50,880
Policies had effective dates.
580
00:25:50,880 –> 00:25:52,880
Operating procedures had controlled revisions.
581
00:25:52,880 –> 00:25:56,640
If the agent referenced content, it had to be attributable to a source that governance
582
00:25:56,640 –> 00:25:58,520
already recognized as authoritative.
583
00:25:58,520 –> 00:26:01,440
That one move eliminated a whole class of failures.
584
00:26:01,440 –> 00:26:04,600
The agent quoting plausible but obsolete guidance.
585
00:26:04,600 –> 00:26:05,760
Then came tools.
586
00:26:05,760 –> 00:26:06,760
And here’s the subtle win.
587
00:26:06,760 –> 00:26:09,720
They separated reasoning from execution by design.
588
00:26:09,720 –> 00:26:11,440
The model did the reasoning in Copilot.
589
00:26:11,440 –> 00:26:15,800
It extracted intent, detected ambiguity and assembled a structured request.
590
00:26:15,800 –> 00:26:20,080
But the actual work, creating records, updating status, rooting approvals, ran through
591
00:26:20,080 –> 00:26:21,920
deterministic workflows.
592
00:26:21,920 –> 00:26:26,360
Power platform handled the execution layer because it already supports the things enterprises
593
00:26:26,360 –> 00:26:28,120
need to stay sane.
594
00:26:28,120 –> 00:26:34,600
Typed inputs, idempotency patterns, retries, timeouts, and predictable failure states.
595
00:26:34,600 –> 00:26:38,600
Copilot didn’t wing it with a string of tool calls until it felt finished.
596
00:26:38,600 –> 00:26:40,680
It invoked defined contracts.
597
00:26:40,680 –> 00:26:43,560
And for the system of record, they didn’t try to make Copilot the ledger.
598
00:26:43,560 –> 00:26:46,560
They used service now or in equivalent as the state authority.
599
00:26:46,560 –> 00:26:49,160
Every agent initiated action wrote an entry.
600
00:26:49,160 –> 00:26:53,240
What was requested, what was executed, which workflow ran, what the outcome was, and
601
00:26:53,240 –> 00:26:57,120
what escalation occurred if something didn’t meet preconditions.
602
00:26:57,120 –> 00:27:00,040
So when someone asked why did this ticket get approved?
603
00:27:00,040 –> 00:27:02,080
The answer wasn’t a chat transcript and a shrug.
604
00:27:02,080 –> 00:27:03,760
It was a reconstructable chain.
605
00:27:03,760 –> 00:27:08,200
Now, the measured outcomes in these environments tend to look unexciting in a keynote and
606
00:27:08,200 –> 00:27:10,840
extremely valuable in operations.
607
00:27:10,840 –> 00:27:14,240
Escalation loops dropped because the agent didn’t bounce between teams based on vibe.
608
00:27:14,240 –> 00:27:16,040
It routed based on contract.
609
00:27:16,040 –> 00:27:19,480
Approvals became predictable because the agent didn’t invent preconditions.
610
00:27:19,480 –> 00:27:21,040
It validated them.
611
00:27:21,040 –> 00:27:25,680
And audits stopped being theatrical because evidence existed by default, not as a retroactive
612
00:27:25,680 –> 00:27:26,680
scramble.
613
00:27:26,680 –> 00:27:28,720
The most important outcome wasn’t time-saved.
614
00:27:28,720 –> 00:27:32,920
It was trust preserved because once users see an agent behave consistently, same intent,
615
00:27:32,920 –> 00:27:35,360
same path, they stop treating it like a novelty.
616
00:27:35,360 –> 00:27:37,240
They start treating it like a service.
617
00:27:37,240 –> 00:27:41,360
And services can be operated, monitored, improved, versioned, and scaled.
618
00:27:41,360 –> 00:27:42,560
Here’s what most people miss.
619
00:27:42,560 –> 00:27:45,120
This wasn’t a Copilot Studio success story.
620
00:27:45,120 –> 00:27:48,240
It was an architecture success story implemented with Copilot Studio.
621
00:27:48,240 –> 00:27:52,600
Same platform, same connectors, same models, different sequence, different constraints, different
622
00:27:52,600 –> 00:27:53,960
definition of done.
623
00:27:53,960 –> 00:27:57,680
And that’s why regulated enterprises often look like they’re moving slower in month one
624
00:27:57,680 –> 00:28:01,720
and then suddenly they’re the only ones with agents that survive month six.
625
00:28:01,720 –> 00:28:06,680
Because they built the boring parts first, contracts, identity boundaries, and systems of
626
00:28:06,680 –> 00:28:08,280
record.
627
00:28:08,280 –> 00:28:09,560
Conversation came last.
628
00:28:09,560 –> 00:28:12,880
Which is exactly why the opposite build order failed so reliably.
629
00:28:12,880 –> 00:28:17,080
Because when you start with chat, you end with a trust problem you can’t patch later.
630
00:28:17,080 –> 00:28:18,560
The failure case.
631
00:28:18,560 –> 00:28:21,120
The chat first agent that lost trust quietly.
632
00:28:21,120 –> 00:28:25,680
Now for the contrast case, same platform, same shiny features, completely different outcome.
633
00:28:25,680 –> 00:28:30,160
This one usually starts with a sentence like, we just need an agent that helps people.
634
00:28:30,160 –> 00:28:34,920
No outcome definition, no bounded scope, no contracts, just a chat surface and optimism.
635
00:28:34,920 –> 00:28:37,800
So a small team spins up an agent in Copilot Studio.
636
00:28:37,800 –> 00:28:40,920
They give it broad instructions, be helpful, be concise, follow policy.
637
00:28:40,920 –> 00:28:45,440
They attach a pile of SharePoint sites because more knowledge is better.
638
00:28:45,440 –> 00:28:49,520
They connect a few tools because the demo needs motion, create a ticket, update a record,
639
00:28:49,520 –> 00:28:50,840
maybe send an email.
640
00:28:50,840 –> 00:28:54,480
And because they want adoption, they deploy it in teams where everyone already lives.
641
00:28:54,480 –> 00:28:57,120
The first week looks great, people ask simple questions.
642
00:28:57,120 –> 00:28:58,160
The agent answers.
643
00:28:58,160 –> 00:28:59,880
It finds the right dog more often than not.
644
00:28:59,880 –> 00:29:01,440
It creates a few tickets.
645
00:29:01,440 –> 00:29:02,480
Leadership gets a screenshot.
646
00:29:02,480 –> 00:29:04,160
The project gets declared a win.
647
00:29:04,160 –> 00:29:05,400
Then the environment shows up.
648
00:29:05,400 –> 00:29:07,920
A user asks the same question in a slightly different way.
649
00:29:07,920 –> 00:29:09,760
The agent roots to a different topic.
650
00:29:09,760 –> 00:29:13,480
Or it doesn’t root at all and falls back to a generative answer that sounds plausible.
651
00:29:13,480 –> 00:29:17,160
Someone pests a ticket thread into the chat and the agent quietly times out.
652
00:29:17,160 –> 00:29:19,960
Someone else asks for an action that should be allowed.
653
00:29:19,960 –> 00:29:23,440
But the connector runs under a different identity model than anyone documented.
654
00:29:23,440 –> 00:29:24,520
So it fails.
655
00:29:24,520 –> 00:29:26,640
And the agent masks it with language.
656
00:29:26,640 –> 00:29:28,960
This is where trust starts eroding.
657
00:29:28,960 –> 00:29:33,280
Not from one catastrophic incident, but from tiny inconsistencies that accumulate it.
658
00:29:33,280 –> 00:29:36,080
The most damaging moments are the ones that look like success.
659
00:29:36,080 –> 00:29:38,960
The agent says done, but the record didn’t change.
660
00:29:38,960 –> 00:29:42,880
Or it created the record, but missed a required field, so downstream automation didn’t
661
00:29:42,880 –> 00:29:43,880
run.
662
00:29:43,880 –> 00:29:47,560
Or it updated the wrong object because two systems have similar names and the tool schema
663
00:29:47,560 –> 00:29:49,000
wasn’t explicit enough.
664
00:29:49,000 –> 00:29:51,000
In a chat interface, that’s just one more message.
665
00:29:51,000 –> 00:29:52,800
In operations, it’s rework.
666
00:29:52,800 –> 00:29:54,080
So humans compensate.
667
00:29:54,080 –> 00:29:56,240
They start double checking everything the agent does.
668
00:29:56,240 –> 00:29:57,560
They rerun steps manually.
669
00:29:57,560 –> 00:30:01,640
They keep the agent open as a suggestion box, but they stop letting it touch systems.
670
00:30:01,640 –> 00:30:04,240
The intervention rate climbs, but nobody measures it.
671
00:30:04,240 –> 00:30:08,080
The agent’s usage metric looks fine for a while because people still chat with it.
672
00:30:08,080 –> 00:30:09,560
They just don’t trust it.
673
00:30:09,560 –> 00:30:11,080
Then comes the second phase.
674
00:30:11,080 –> 00:30:12,080
Drift.
675
00:30:12,080 –> 00:30:13,080
Drift.
676
00:30:13,080 –> 00:30:14,080
Drift.
677
00:30:14,080 –> 00:30:15,080
Drift.
678
00:30:15,080 –> 00:30:16,080
Drift.
679
00:30:16,080 –> 00:30:17,080
Drift.
680
00:30:17,080 –> 00:30:18,080
Drift.
681
00:30:18,080 –> 00:30:19,080
Drift.
682
00:30:19,080 –> 00:30:20,080
Drift.
683
00:30:20,080 –> 00:30:21,080
Drift.
684
00:30:21,080 –> 00:30:22,080
Drift.
685
00:30:22,080 –> 00:30:23,080
Drift.
686
00:30:23,080 –> 00:30:24,080
Drift.
687
00:30:24,080 –> 00:30:25,080
Drift.
688
00:30:25,080 –> 00:30:26,080
Drift.
689
00:30:26,080 –> 00:30:27,080
Drift.
690
00:30:27,080 –> 00:30:28,080
Drift.
691
00:30:28,080 –> 00:30:29,080
Drift.
692
00:30:29,080 –> 00:30:30,080
Drift.
693
00:30:30,080 –> 00:30:33,920
Over a couple months, the agent becomes harder to predict even for its builders.
694
00:30:33,920 –> 00:30:36,280
Now add normal platform reality.
695
00:30:36,280 –> 00:30:41,600
Connector throttling, model updates, content indexing changes, permission adjustments, conditional
696
00:30:41,600 –> 00:30:43,080
access shifts.
697
00:30:43,080 –> 00:30:45,720
Nothing dramatic, just the slow churn of a real tenant.
698
00:30:45,720 –> 00:30:49,720
The agent starts behaving differently on Mondays than it did on Fridays, and the team can’t
699
00:30:49,720 –> 00:30:54,320
tell if that’s AI being AI or a dependency drifting underneath it.
700
00:30:54,320 –> 00:30:56,120
Users don’t file bug reports for that.
701
00:30:56,120 –> 00:30:57,360
They root around it.
702
00:30:57,360 –> 00:31:00,080
And this is the quiet death that most agent programs misread.
703
00:31:00,080 –> 00:31:01,560
The agent doesn’t fail loudly.
704
00:31:01,560 –> 00:31:02,720
It becomes optional.
705
00:31:02,720 –> 00:31:04,480
People stop recommending it to new hires.
706
00:31:04,480 –> 00:31:05,880
Managers stop pointing teams to it.
707
00:31:05,880 –> 00:31:07,360
The team’s channel gets less traffic.
708
00:31:07,360 –> 00:31:08,600
The agent still exists.
709
00:31:08,600 –> 00:31:11,000
The organization tells itself it’s early days.
710
00:31:11,000 –> 00:31:12,560
What actually happened is simpler.
711
00:31:12,560 –> 00:31:17,120
The system never earned the right to be trusted because its design never made outcomes repeatable.
712
00:31:17,120 –> 00:31:21,440
And if you ask the team afterward what went wrong, you’ll hear the comforting story again.
713
00:31:21,440 –> 00:31:23,160
The platform is immature.
714
00:31:23,160 –> 00:31:24,800
Or users weren’t trained.
715
00:31:24,800 –> 00:31:26,080
Or we need better prompts.
716
00:31:26,080 –> 00:31:27,560
But the pattern is architectural.
717
00:31:27,560 –> 00:31:30,560
They deployed conversation where they needed a control plane.
718
00:31:30,560 –> 00:31:31,920
They let intense day vague.
719
00:31:31,920 –> 00:31:34,520
They let tool selection be improvisational.
720
00:31:34,520 –> 00:31:36,720
They treated knowledge sprawl as context.
721
00:31:36,720 –> 00:31:39,720
They skipped a system of record for decisions and outcomes.
722
00:31:39,720 –> 00:31:41,440
They built a chat-shaped workflow.
723
00:31:41,440 –> 00:31:43,560
Then acted surprised when it behaved like one.
724
00:31:43,560 –> 00:31:46,800
So the contrast case isn’t a warning about co-pilot studio.
725
00:31:46,800 –> 00:31:48,440
It’s a warning about build order.
726
00:31:48,440 –> 00:31:51,640
Chat first feels fast because it ships a surface.
727
00:31:51,640 –> 00:31:54,200
Architecture first feels slower because it ships constraints.
728
00:31:54,200 –> 00:31:58,840
But only one of those survives contact with 30,000 users, three business units and a security
729
00:31:58,840 –> 00:32:02,720
team that eventually notices you automated the weakest path in the tenant.
730
00:32:02,720 –> 00:32:03,720
And that’s the lesson.
731
00:32:03,720 –> 00:32:04,720
Same tools.
732
00:32:04,720 –> 00:32:05,720
Different architecture.
733
00:32:05,720 –> 00:32:06,520
Different reality.
734
00:32:06,520 –> 00:32:08,200
The question becomes actionable.
735
00:32:08,200 –> 00:32:11,440
If Monday morning is real, where does an enterprise start?
736
00:32:11,440 –> 00:32:16,080
Before the next helpful agent becomes another quietly abandoned teams tab.
737
00:32:16,080 –> 00:32:17,720
Monday mandate part one.
738
00:32:17,720 –> 00:32:18,720
Start with outcomes.
739
00:32:18,720 –> 00:32:19,720
Not use cases.
740
00:32:19,720 –> 00:32:23,320
So Monday morning if you want this to stop being theater, you start with outcomes.
741
00:32:23,320 –> 00:32:24,320
Not use cases.
742
00:32:24,320 –> 00:32:25,320
Not ideas.
743
00:32:25,320 –> 00:32:27,320
Not what co-pilot studio can do.
744
00:32:27,320 –> 00:32:28,320
Outcomes.
745
00:32:28,320 –> 00:32:31,320
Because use cases are how organizations hide from accountability.
746
00:32:31,320 –> 00:32:32,320
A use case can be anything.
747
00:32:32,320 –> 00:32:33,320
It can be a demo.
748
00:32:33,320 –> 00:32:34,320
It can be a chatbot.
749
00:32:34,320 –> 00:32:37,320
It can be a sharepoint search box with better manners.
750
00:32:37,320 –> 00:32:41,880
And it can still produce exactly zero operational improvement while everyone nods like progress
751
00:32:41,880 –> 00:32:42,880
happened.
752
00:32:42,880 –> 00:32:43,880
An outcome is different.
753
00:32:43,880 –> 00:32:46,040
An outcome forces a before and after.
754
00:32:46,040 –> 00:32:47,400
Cycle time moves.
755
00:32:47,400 –> 00:32:48,960
Escalation rate drops.
756
00:32:48,960 –> 00:32:49,960
Thruput increases.
757
00:32:49,960 –> 00:32:51,760
Rework decreases.
758
00:32:51,760 –> 00:32:53,960
Compliance evidence becomes easier to produce.
759
00:32:53,960 –> 00:32:54,960
Those are outcomes.
760
00:32:54,960 –> 00:32:58,640
They’re measurable deltas that survive outside the agent teams slide deck.
761
00:32:58,640 –> 00:33:00,640
And the first thing leadership has to accept is this.
762
00:33:00,640 –> 00:33:03,200
If the outcome can’t be measured, the agent isn’t a product.
763
00:33:03,200 –> 00:33:04,600
It’s a distraction.
764
00:33:04,600 –> 00:33:08,120
So define the outcome in the language the business already understands.
765
00:33:08,120 –> 00:33:12,920
For service and operations, mean time to resolution, first contact resolution, deflection
766
00:33:12,920 –> 00:33:17,920
rate with strict definitions, ticket reopen rate, approval time, exception volume.
767
00:33:17,920 –> 00:33:24,800
For sales, qualified opportunities, time to quote, proposal cycle time, RFP throughput.
768
00:33:24,800 –> 00:33:30,040
For HR onboarding completion time, case backlog, handoff count, error rate in payroll or benefits
769
00:33:30,040 –> 00:33:35,160
changes, not vanity metrics like number of conversations, and not sentiment metrics like
770
00:33:35,160 –> 00:33:39,640
users said it was helpful, unless helpful is tied to a measured operational delta.
771
00:33:39,640 –> 00:33:42,800
Next map the value stream, not the tool chain, the value stream.
772
00:33:42,800 –> 00:33:44,440
Where does the decision actually happen?
773
00:33:44,440 –> 00:33:46,160
Where does state actually change?
774
00:33:46,160 –> 00:33:47,560
Where does risk concentrate?
775
00:33:47,560 –> 00:33:49,000
Where do humans get pulled into loops?
776
00:33:49,000 –> 00:33:50,480
Because the system doesn’t know what to do.
777
00:33:50,480 –> 00:33:52,680
This is where most agent programs get exposed.
778
00:33:52,680 –> 00:33:56,520
They pick the most visible pain point, not the most architecturally leverageable one.
779
00:33:56,520 –> 00:33:58,800
They automate questions because questions are easy.
780
00:33:58,800 –> 00:34:02,920
They avoid decisions because decisions create accountability, but ROI lives in decisions,
781
00:34:02,920 –> 00:34:05,960
specifically repeatable decisions with bounded variation.
782
00:34:05,960 –> 00:34:08,520
So you’re looking for work that has three properties.
783
00:34:08,520 –> 00:34:11,640
First repeatable intent, the request shows up in recognizable forms.
784
00:34:11,640 –> 00:34:15,800
Users ask it a hundred times a week, it’s not a one off, solve my unique situation.
785
00:34:15,800 –> 00:34:17,400
It’s a recurring demand signal.
786
00:34:17,400 –> 00:34:19,000
Second bounded variation.
787
00:34:19,000 –> 00:34:23,040
There are edge cases, but the majority of requests fall into a small number of shapes.
788
00:34:23,040 –> 00:34:25,920
You can enumerate them, you can define what normal looks like.
789
00:34:25,920 –> 00:34:29,920
If every request is a snowflake, you don’t have an agent opportunity, you have a consulting
790
00:34:29,920 –> 00:34:30,920
practice.
791
00:34:30,920 –> 00:34:32,680
Third, clear success criteria.
792
00:34:32,680 –> 00:34:34,800
You can say what done means without a meeting.
793
00:34:34,800 –> 00:34:36,720
The ticket is created with these fields.
794
00:34:36,720 –> 00:34:38,880
The approval is captured with these conditions.
795
00:34:38,880 –> 00:34:41,800
The record is updated and the downstream automation ran.
796
00:34:41,800 –> 00:34:44,840
If success is subjective, you’ll get subjective behavior.
797
00:34:44,840 –> 00:34:48,720
And subjective behavior is just another name for non-determinism.
798
00:34:48,720 –> 00:34:50,360
Now once you’ve done that, you make a decision.
799
00:34:50,360 –> 00:34:54,560
Most teams avoid, are you building a discovery experience or an execution experience?
800
00:34:54,560 –> 00:34:56,480
Different experiences optimize for understanding.
801
00:34:56,480 –> 00:34:57,720
They tolerate ambiguity.
802
00:34:57,720 –> 00:35:01,400
They help users find the right policy, the right owner, the right option, the right next
803
00:35:01,400 –> 00:35:02,400
step.
804
00:35:02,400 –> 00:35:06,800
They can live in chat with, relatively, low risk because the output is guidance.
805
00:35:06,800 –> 00:35:09,000
Execution experiences optimize for changing state.
806
00:35:09,000 –> 00:35:11,920
They require contracts, validation, and systems of record.
807
00:35:11,920 –> 00:35:15,520
They can still use chat as an interface, but the design is dominated by control.
808
00:35:15,520 –> 00:35:16,840
You don’t mix these casually.
809
00:35:16,840 –> 00:35:21,200
If you do, you’ll end up with an agent that helps users and occasionally performs actions,
810
00:35:21,200 –> 00:35:22,960
which is the worst possible positioning.
811
00:35:22,960 –> 00:35:26,360
The actions will be blamed when they’re wrong and the help will be ignored when it’s
812
00:35:26,360 –> 00:35:27,360
right.
813
00:35:27,360 –> 00:35:28,360
So pick one per workflow.
814
00:35:28,360 –> 00:35:32,240
If the goal is execution, design the conversation to collect missing parameters and confirm
815
00:35:32,240 –> 00:35:33,240
intent.
816
00:35:33,240 –> 00:35:37,760
If the goal is discovery explicitly refused action and wrote to the appropriate system,
817
00:35:37,760 –> 00:35:42,120
then you tie the outcome to an operating rhythm who owns the metric, who reviews it weekly,
818
00:35:42,120 –> 00:35:45,400
who decides what changes when the metric drifts, because the agent will drift.
819
00:35:45,400 –> 00:35:49,680
The only question is whether drift becomes silent decay or managed iteration.
820
00:35:49,680 –> 00:35:52,160
This is why starting with outcomes is not bureaucratic.
821
00:35:52,160 –> 00:35:54,600
As a control mechanism, it forces bounded scope.
822
00:35:54,600 –> 00:35:55,600
It forces measurement.
823
00:35:55,600 –> 00:35:57,160
It forces a system of record.
824
00:35:57,160 –> 00:36:00,960
It forces you to admit what you’re delegating and once outcomes are clear, the next part
825
00:36:00,960 –> 00:36:02,720
becomes non-negotiable.
826
00:36:02,720 –> 00:36:03,720
Boundaries.
827
00:36:03,720 –> 00:36:05,040
Not best practices.
828
00:36:05,040 –> 00:36:06,880
Not guidelines.
829
00:36:06,880 –> 00:36:10,920
Boundaries that define what the agent is allowed to do, what must be true before it does
830
00:36:10,920 –> 00:36:13,760
it and exactly where it must stop.
831
00:36:13,760 –> 00:36:15,480
Monday mandate part two.
832
00:36:15,480 –> 00:36:17,960
Intent contracts and decision boundaries.
833
00:36:17,960 –> 00:36:20,840
Once you’ve picked outcomes, you don’t brainstorm prompts.
834
00:36:20,840 –> 00:36:24,160
You write contracts because the agent doesn’t need permission to talk.
835
00:36:24,160 –> 00:36:25,640
It needs permission to act.
836
00:36:25,640 –> 00:36:29,600
An intent contract is the simplest artifact that forces that discipline.
837
00:36:29,600 –> 00:36:34,440
It’s a plain language definition of one intent with a machine enforceable boundary behind
838
00:36:34,440 –> 00:36:35,440
it.
839
00:36:35,440 –> 00:36:36,880
It answers five questions.
840
00:36:36,880 –> 00:36:38,080
What the intent is.
841
00:36:38,080 –> 00:36:39,720
What the agent is allowed to do.
842
00:36:39,720 –> 00:36:41,280
What inputs are required.
843
00:36:41,280 –> 00:36:44,120
What systems it may touch and what evidence it must produce.
844
00:36:44,120 –> 00:36:48,240
But if that sounds like paperwork, good paperwork is what keeps state change from becoming
845
00:36:48,240 –> 00:36:49,240
folklore.
846
00:36:49,240 –> 00:36:50,640
Start with the intent itself.
847
00:36:50,640 –> 00:36:55,240
Let’s say it’s a system operation, not like a marketing feature, create service request,
848
00:36:55,240 –> 00:37:01,720
reset MFA method, generate RFP draft, submit onboarding task, update incident status.
849
00:37:01,720 –> 00:37:03,920
If you can’t name it crisply, it’s not an intent.
850
00:37:03,920 –> 00:37:05,480
It’s a category of vibes.
851
00:37:05,480 –> 00:37:08,600
Then define the allowed actions and write them like an allow list.
852
00:37:08,600 –> 00:37:10,360
Not help with onboarding it does.
853
00:37:10,360 –> 00:37:13,760
Instead create a service now request using catalog item X.
854
00:37:13,760 –> 00:37:16,920
Assign the request to group Y based on parameter Z.
855
00:37:16,920 –> 00:37:20,240
Send notification to manager via teams using template T.
856
00:37:20,240 –> 00:37:22,440
The agent can only do what’s enumerated.
857
00:37:22,440 –> 00:37:24,880
Everything else becomes refusal or escalation by design.
858
00:37:24,880 –> 00:37:28,800
This is where teams usually push back with, but users won’t know what to ask for.
859
00:37:28,800 –> 00:37:29,800
That’s fine.
860
00:37:29,800 –> 00:37:33,800
The model can translate messy language into a known intent, but translation is not authorization.
861
00:37:33,800 –> 00:37:36,120
The intent contract is authorization.
862
00:37:36,120 –> 00:37:37,520
Next required inputs.
863
00:37:37,520 –> 00:37:40,720
Every action capable intent has a minimum parameter set.
864
00:37:40,720 –> 00:37:43,360
If the parameters aren’t present, the agent doesn’t guess.
865
00:37:43,360 –> 00:37:48,680
It asks and it asks narrowly, for example, which user, which system, which effective date,
866
00:37:48,680 –> 00:37:49,960
which costs center.
867
00:37:49,960 –> 00:37:52,640
Which approver, these aren’t conversational flourishes.
868
00:37:52,640 –> 00:37:55,080
They are preconditions for safe execution.
869
00:37:55,080 –> 00:37:56,920
And the design move here is subtle.
870
00:37:56,920 –> 00:38:00,840
The agent should never request information it can deterministically retrieve.
871
00:38:00,840 –> 00:38:04,680
If Entra can provide the user’s ID, the agent shouldn’t ask the user to type it.
872
00:38:04,680 –> 00:38:09,560
If service now can return the ticket number from context, don’t make the user restate it.
873
00:38:09,560 –> 00:38:13,760
The only questions the agent asks are the missing fields required to execute the contract.
874
00:38:13,760 –> 00:38:18,200
That keeps the conversation surface minimal and keeps the system boundary explicit.
875
00:38:18,200 –> 00:38:19,520
Now define preconditions.
876
00:38:19,520 –> 00:38:23,120
Pre-conditions are the must be true before tool invocation rules.
877
00:38:23,120 –> 00:38:27,560
This is where most agent programs silently fail because they treat policies as documentation
878
00:38:27,560 –> 00:38:29,920
instead of runtime gates.
879
00:38:29,920 –> 00:38:32,040
Pre-conditions are executable checks.
880
00:38:32,040 –> 00:38:33,400
User has role X.
881
00:38:33,400 –> 00:38:34,960
Ticket is in state Y.
882
00:38:34,960 –> 00:38:37,640
Record exists and is owned by this business unit.
883
00:38:37,640 –> 00:38:42,200
MFA reset allowed only if identity risk score is below threshold.
884
00:38:42,200 –> 00:38:45,240
Approval must be present before status change.
885
00:38:45,240 –> 00:38:48,760
In a deterministic design, preconditions run before any state change.
886
00:38:48,760 –> 00:38:50,600
If a precondition fails, the agent stops.
887
00:38:50,600 –> 00:38:52,000
It does not attempt to work around.
888
00:38:52,000 –> 00:38:53,480
It does not pick an adjacent tool.
889
00:38:53,480 –> 00:38:57,160
It does not rewrite the policy in friendly language and proceed anyway.
890
00:38:57,160 –> 00:38:59,560
It escalates, which means you need refusal rules.
891
00:38:59,560 –> 00:39:00,560
Refusal rules aren’t.
892
00:39:00,560 –> 00:39:02,520
The agent says no sometimes.
893
00:39:02,520 –> 00:39:04,000
They are explicit boundaries.
894
00:39:04,000 –> 00:39:07,960
If the request touches privileged access, refuse and root to human approval.
895
00:39:07,960 –> 00:39:12,160
If the user lacks entitlement, refuse and provide the self-service path.
896
00:39:12,160 –> 00:39:15,600
If the context is ambiguous, refuse and ask for clarification.
897
00:39:15,600 –> 00:39:20,160
If the system of record is unavailable, refuse and create a fallback ticket.
898
00:39:20,160 –> 00:39:21,160
Refusal is a feature.
899
00:39:21,160 –> 00:39:23,160
It’s the control plane proving it exists.
900
00:39:23,160 –> 00:39:27,720
Then comes separation of concerns because contracts only work when the architecture respects
901
00:39:27,720 –> 00:39:28,720
them.
902
00:39:28,720 –> 00:39:30,840
Intent capture lives in the conversation layer.
903
00:39:30,840 –> 00:39:32,880
Decisioning lives in the orchestration layer.
904
00:39:32,880 –> 00:39:34,680
Execution lives in deterministic tools.
905
00:39:34,680 –> 00:39:36,120
Recording lives in the system of record.
906
00:39:36,120 –> 00:39:40,360
If you collapse those layers back into a chat transcript, you’ll get the same failure again,
907
00:39:40,360 –> 00:39:41,640
just with nicer phrasing.
908
00:39:41,640 –> 00:39:44,480
So on Monday, you don’t start by improving the agent.
909
00:39:44,480 –> 00:39:48,680
You start by writing three to five intent contracts for one outcome and you enforce them
910
00:39:48,680 –> 00:39:52,600
with decision boundaries, the model cannot talk its way around.
911
00:39:52,600 –> 00:39:54,400
And you’ll notice something immediately.
912
00:39:54,400 –> 00:39:58,480
The agent becomes less magical and more useful because it becomes predictable.
913
00:39:58,480 –> 00:40:02,600
Now contracts alone still don’t save you because contracts without identity discipline
914
00:40:02,600 –> 00:40:04,280
are just aspirational text.
915
00:40:04,280 –> 00:40:06,680
So the next question isn’t what can the agent do.
916
00:40:06,680 –> 00:40:09,360
It’s the one nobody wants to answer in a steering committee.
917
00:40:09,360 –> 00:40:11,120
Who does the agent run as?
918
00:40:11,120 –> 00:40:12,440
Identity as control plane.
919
00:40:12,440 –> 00:40:14,080
Who does the agent run as?
920
00:40:14,080 –> 00:40:18,880
If you want one question that exposes whether an agent program is real or just a pilot hobby,
921
00:40:18,880 –> 00:40:19,880
it’s this.
922
00:40:19,880 –> 00:40:20,880
Who does the agent run as?
923
00:40:20,880 –> 00:40:21,880
Not who built it?
924
00:40:21,880 –> 00:40:23,840
Not who owns the team’s channel?
925
00:40:23,840 –> 00:40:25,560
Not who pays for the license.
926
00:40:25,560 –> 00:40:30,520
At runtime, what identity actually calls the tool touches the data and changes state?
927
00:40:30,520 –> 00:40:32,520
Because the agent doesn’t act as a concept.
928
00:40:32,520 –> 00:40:33,520
It acts as a token.
929
00:40:33,520 –> 00:40:38,760
And tokens obey the rules of entra, conditional access, connector, or whatever accidental
930
00:40:38,760 –> 00:40:41,800
privilege you left lying around in the tenant.
931
00:40:41,800 –> 00:40:45,680
There are two dominant execution models and both come with consequences you don’t get
932
00:40:45,680 –> 00:40:46,920
to negotiate.
933
00:40:46,920 –> 00:40:49,480
Model one, user delegated execution.
934
00:40:49,480 –> 00:40:52,760
That means the agent calls tools using the signed in user’s permissions.
935
00:40:52,760 –> 00:40:54,560
It can only retrieve what they can retrieve.
936
00:40:54,560 –> 00:40:56,600
It can only update what they can update.
937
00:40:56,600 –> 00:41:00,520
In enterprise terms, this is the least surprising model because it preserves the existing access
938
00:41:00,520 –> 00:41:01,520
graph.
939
00:41:01,520 –> 00:41:03,480
It also gives you the cleanest accountability story.
940
00:41:03,480 –> 00:41:08,160
The user asked the user had access the action happened, but the cost is operational fragility.
941
00:41:08,160 –> 00:41:11,800
User delegated execution inherits every problem in human identity.
942
00:41:11,800 –> 00:41:16,960
MFA prompts, session expiry, conditional access changes, device compliance, role changes
943
00:41:16,960 –> 00:41:17,960
and licensing mismatches.
944
00:41:17,960 –> 00:41:22,080
And it also means two users can get two different outcomes from the same request because
945
00:41:22,080 –> 00:41:23,560
their entitlements differ.
946
00:41:23,560 –> 00:41:25,520
That’s not AI in consistency.
947
00:41:25,520 –> 00:41:26,920
That’s identity truth.
948
00:41:26,920 –> 00:41:30,840
And when people complain that an agent is unreliable, half the time they’re describing
949
00:41:30,840 –> 00:41:32,960
authorization variability.
950
00:41:32,960 –> 00:41:35,840
Model two, service executed execution.
951
00:41:35,840 –> 00:41:38,920
That means the agent calls tools under a non-human identity.
952
00:41:38,920 –> 00:41:43,520
A service principle managed identity or a dedicated run is account with fixed permissions.
953
00:41:43,520 –> 00:41:48,000
This is the model teams choose when they want consistent behavior across users or when
954
00:41:48,000 –> 00:41:51,240
the workflow must run without a specific person present.
955
00:41:51,240 –> 00:41:55,560
It is also the model that quietly creates the biggest blast radius in your environment.
956
00:41:55,560 –> 00:41:59,920
Because now the agent has a stable reusable identity with standing privileged.
957
00:41:59,920 –> 00:42:02,520
If you overscope it, you didn’t just create an agent.
958
00:42:02,520 –> 00:42:05,640
You created an automation back door with a chat interface.
959
00:42:05,640 –> 00:42:09,800
And once that exists, the question shifts from can the user do this to can the agent do
960
00:42:09,800 –> 00:42:12,440
this, which is exactly the wrong direction for governance.
961
00:42:12,440 –> 00:42:13,840
So the rule is simple.
962
00:42:13,840 –> 00:42:15,880
Least privilege isn’t a policy document.
963
00:42:15,880 –> 00:42:19,000
It’s an architectural boundary enforced by identity design.
964
00:42:19,000 –> 00:42:22,240
Every tool you expose has to bind to an identity model intentionally.
965
00:42:22,240 –> 00:42:25,440
If it runs as the user, you accept variance and you design for it.
966
00:42:25,440 –> 00:42:29,080
If it runs as a service, you constrain permissions to the minimum contract set and you treat
967
00:42:29,080 –> 00:42:30,440
changes like code.
968
00:42:30,440 –> 00:42:33,840
Now layer entra on top of this because entra is not a branding exercise.
969
00:42:33,840 –> 00:42:39,280
It is the policy engine that decides whether your architecture exists at runtime.
970
00:42:39,280 –> 00:42:43,960
Conditional access policies will shape agent behavior in ways builders often don’t predict.
971
00:42:43,960 –> 00:42:45,840
Step up or sign in risk.
972
00:42:45,840 –> 00:42:47,160
Device posture.
973
00:42:47,160 –> 00:42:48,360
Location constraints.
974
00:42:48,360 –> 00:42:49,360
Session lifetime.
975
00:42:49,360 –> 00:42:50,880
Token issuance controls.
976
00:42:50,880 –> 00:42:53,680
The agent doesn’t get exceptions because the maker is excited.
977
00:42:53,680 –> 00:42:58,480
If your action path depends on a token that CA will sometimes deny, your agent is probabilistic
978
00:42:58,480 –> 00:43:00,200
before the model even speaks.
979
00:43:00,200 –> 00:43:02,000
And then there’s the slow killer.
980
00:43:02,000 –> 00:43:03,000
Identity drift.
981
00:43:03,000 –> 00:43:05,520
Over time, access reviews don’t happen.
982
00:43:05,520 –> 00:43:07,600
People get added to groups temporarily.
983
00:43:07,600 –> 00:43:10,640
App registrations accumulate permissions because it unblocked a project.
984
00:43:10,640 –> 00:43:11,640
Owners leave.
985
00:43:11,640 –> 00:43:13,040
Secrets expire.
986
00:43:13,040 –> 00:43:14,360
Service accounts get reused.
987
00:43:14,360 –> 00:43:16,680
You don’t notice because the system still mostly works.
988
00:43:16,680 –> 00:43:20,080
Then you add an agent and it starts traversing those pathways at scale.
989
00:43:20,080 –> 00:43:22,040
The agent doesn’t introduce new entropy.
990
00:43:22,040 –> 00:43:23,640
It operationalizes the entropy.
991
00:43:23,640 –> 00:43:24,640
You already tolerated.
992
00:43:24,640 –> 00:43:26,960
So Monday morning identity work is brutally specific.
993
00:43:26,960 –> 00:43:29,200
You decide the runners model per intent contract.
994
00:43:29,200 –> 00:43:32,000
You document it as part of the contract, not as tribal knowledge.
995
00:43:32,000 –> 00:43:36,280
You prove it with testing under different user profiles because works for me is not an
996
00:43:36,280 –> 00:43:37,760
identity strategy.
997
00:43:37,760 –> 00:43:41,880
And you establish and access review cadence for the identities that matter because agents
998
00:43:41,880 –> 00:43:44,160
don’t stay inside the boundaries you hoped for.
999
00:43:44,160 –> 00:43:46,520
They stay inside the boundaries you enforced.
1000
00:43:46,520 –> 00:43:50,280
Once you answer who does it run as, a second truth becomes obvious.
1001
00:43:50,280 –> 00:43:53,800
Access determines what knowledge is even possible for the agent to retrieve.
1002
00:43:53,800 –> 00:43:57,720
And that’s where context architecture stops being a content project and becomes an engineering
1003
00:43:57,720 –> 00:43:59,000
discipline.
1004
00:43:59,000 –> 00:44:04,920
And architecture manage knowledge beats attach SharePoint and pray once identity is explicit
1005
00:44:04,920 –> 00:44:08,840
context becomes the next point of failure not because models can’t retrieve information
1006
00:44:08,840 –> 00:44:09,840
they can.
1007
00:44:09,840 –> 00:44:14,120
The failure is that enterprises treat knowledge as an attachment, not as a managed product
1008
00:44:14,120 –> 00:44:17,840
and that mistake scales beautifully because the fastest way to ship an agent is to point
1009
00:44:17,840 –> 00:44:21,280
at SharePoint dump in a few PDFs at a site or two and call it done.
1010
00:44:21,280 –> 00:44:22,280
It feels like progress.
1011
00:44:22,280 –> 00:44:26,800
The agent starts answering questions people see citations everyone relaxes.
1012
00:44:26,800 –> 00:44:30,880
And the boring questions arrive which version of that policy did it use who owns that page
1013
00:44:30,880 –> 00:44:32,240
what changed last week.
1014
00:44:32,240 –> 00:44:35,280
Why did the agent quote something that was replaced three months ago?
1015
00:44:35,280 –> 00:44:38,200
Why does it contradict what the service desk tells users?
1016
00:44:38,200 –> 00:44:39,520
This is the uncomfortable truth.
1017
00:44:39,520 –> 00:44:42,520
Retrieval is only as safe as the knowledge lifecycle behind it.
1018
00:44:42,520 –> 00:44:45,200
So context architecture starts with a redefinition.
1019
00:44:45,200 –> 00:44:46,520
Knowledge sources aren’t sources.
1020
00:44:46,520 –> 00:44:50,720
Their dependencies and dependencies require ownership, life cycle, change control and version
1021
00:44:50,720 –> 00:44:51,720
discipline.
1022
00:44:51,720 –> 00:44:55,960
Without those, an agent becomes a high speed amplifier for outdated guidance.
1023
00:44:56,960 –> 00:44:59,040
The first design rule is separation.
1024
00:44:59,040 –> 00:45:01,280
Static knowledge is not operational data.
1025
00:45:01,280 –> 00:45:04,800
Static knowledge is policy, procedures, FAQs and reference material.
1026
00:45:04,800 –> 00:45:06,760
It changes but it changes relatively slowly.
1027
00:45:06,760 –> 00:45:09,280
It should be curated, reviewed and attributable.
1028
00:45:09,280 –> 00:45:13,080
It should have a defined effective date concept even if it’s informal.
1029
00:45:13,080 –> 00:45:17,360
Most importantly, it should be treated as a product with an owner who cares when it’s wrong.
1030
00:45:17,360 –> 00:45:22,400
Operational data is tickets, approvals, user records, asset state, entitlements and anything
1031
00:45:22,400 –> 00:45:24,000
that represents current truth.
1032
00:45:24,000 –> 00:45:25,920
You don’t want that as documents.
1033
00:45:25,920 –> 00:45:31,320
You want it through deterministic tools with schema, with validation and with authorization
1034
00:45:31,320 –> 00:45:32,320
boundaries.
1035
00:45:32,320 –> 00:45:36,120
Operational data belongs in the execution and record layers, not in a pile of files the
1036
00:45:36,120 –> 00:45:37,320
model rummages through.
1037
00:45:37,320 –> 00:45:41,720
When teams mix these, they get an agent that confidently answers with yesterday’s reality
1038
00:45:41,720 –> 00:45:44,040
and then executes against today’s systems.
1039
00:45:44,040 –> 00:45:45,280
That gap creates incidents.
1040
00:45:45,280 –> 00:45:46,880
The second rule is bounding.
1041
00:45:46,880 –> 00:45:48,240
Context has to be intentionally narrow.
1042
00:45:48,240 –> 00:45:51,360
The human impulse is to say, “Give it everything so it has the best chance.”
1043
00:45:51,360 –> 00:45:56,680
That’s exactly backwards. Overbroad context increases ambiguity and latency and it drives
1044
00:45:56,680 –> 00:46:00,520
the model into probabilistic selection, which chunk matters, which policy applies, which
1045
00:46:00,520 –> 00:46:02,320
document is authoritative.
1046
00:46:02,320 –> 00:46:04,160
More context doesn’t mean more accuracy.
1047
00:46:04,160 –> 00:46:06,360
It means more opportunities to be wrong with confidence.
1048
00:46:06,360 –> 00:46:12,280
So instead of HR SharePoint, context needs to look like this policy set, these procedures,
1049
00:46:12,280 –> 00:46:17,000
these approved templates, this set of known definitions, this glossary of terms, bounded,
1050
00:46:17,000 –> 00:46:18,320
versioned and attributable.
1051
00:46:18,320 –> 00:46:22,080
That’s also how you prevent cross-business unit contamination, where one group’s process
1052
00:46:22,080 –> 00:46:26,040
becomes the answer for everyone because the agent found it first.
1053
00:46:26,040 –> 00:46:27,440
The third rule is life cycle.
1054
00:46:27,440 –> 00:46:29,680
If the agent can cite it, someone has to maintain it.
1055
00:46:29,680 –> 00:46:34,040
That means when a policy changes, the knowledge artifact is updated, the old one is archived
1056
00:46:34,040 –> 00:46:38,520
or marked clearly and the agent is re-evaluated against the intents that depend on it, not as
1057
00:46:38,520 –> 00:46:40,280
a nice to have it as a release step.
1058
00:46:40,280 –> 00:46:42,080
If that sounds heavy, good.
1059
00:46:42,080 –> 00:46:43,920
Enterprises already do this for code.
1060
00:46:43,920 –> 00:46:45,560
Context is now part of the runtime.
1061
00:46:45,560 –> 00:46:46,760
Therefore it gets the same discipline.
1062
00:46:46,760 –> 00:46:48,440
Now, a practical warning.
1063
00:46:48,440 –> 00:46:51,520
PDF-heavy approaches are a performance and reliability tax.
1064
00:46:51,520 –> 00:46:56,160
PDFs tend to be long, inconsistent in structure and full of duplicated sections.
1065
00:46:56,160 –> 00:46:58,680
Retrieval becomes slow, chunking becomes sloppy.
1066
00:46:58,680 –> 00:47:02,440
The model retrieves partial paragraphs that lose the conditions and exceptions that made
1067
00:47:02,440 –> 00:47:03,840
the policy safe.
1068
00:47:03,840 –> 00:47:07,960
And when response latency increases, you hit the exact failure modes, people are seeing
1069
00:47:07,960 –> 00:47:12,840
in real deployments, timeouts, non-responses, fallback behavior and users resending the same
1070
00:47:12,840 –> 00:47:15,880
request until the agent does something twice.
1071
00:47:15,880 –> 00:47:20,840
So if the context is important enough to govern behavior, it’s important enough to structure,
1072
00:47:20,840 –> 00:47:25,900
convert key guidance into stable pages, structured content, or curated knowledge entries with
1073
00:47:25,900 –> 00:47:27,760
clear titles and scope.
1074
00:47:27,760 –> 00:47:30,920
Treat the source of truth as a design choice, not an accident.
1075
00:47:30,920 –> 00:47:32,480
The last rule is attribution.
1076
00:47:32,480 –> 00:47:36,200
The agent must be able to say where it got the answer and the organization must be able
1077
00:47:36,200 –> 00:47:38,800
to trace that source back to an owner and a version.
1078
00:47:38,800 –> 00:47:40,320
Otherwise, you don’t have knowledge.
1079
00:47:40,320 –> 00:47:41,520
You have plausible text.
1080
00:47:41,520 –> 00:47:46,760
This is how context becomes an architectural asset instead of an embarrassment in audit meetings.
1081
00:47:46,760 –> 00:47:48,600
So the Monday move is simple.
1082
00:47:48,600 –> 00:47:53,320
Stop thinking about knowledge as things we attach and start thinking about it as managed
1083
00:47:53,320 –> 00:47:55,120
context with boundaries.
1084
00:47:55,120 –> 00:47:59,920
Curated, version it, own it, test it because once context is bounded and trustworthy, tool
1085
00:47:59,920 –> 00:48:04,600
design becomes the real enforcement layer and tools are where determinism either exists
1086
00:48:04,600 –> 00:48:07,080
or collapses back into improvisation.
1087
00:48:07,080 –> 00:48:08,720
Tool first rooting.
1088
00:48:08,720 –> 00:48:10,880
Tools are contracts, not features.
1089
00:48:10,880 –> 00:48:14,160
Once context is bounded, the next failure point is predictable.
1090
00:48:14,160 –> 00:48:15,160
Tools.
1091
00:48:15,160 –> 00:48:16,760
Most teams treat tools like features.
1092
00:48:16,760 –> 00:48:18,520
Let’s connect outlook.
1093
00:48:18,520 –> 00:48:20,520
Let’s add service now.
1094
00:48:20,520 –> 00:48:21,920
Let’s give it dataverse.
1095
00:48:21,920 –> 00:48:25,120
As if the agent is collecting plugins like a browser.
1096
00:48:25,120 –> 00:48:27,480
That thinking is why agents drift into chaos.
1097
00:48:27,480 –> 00:48:29,800
In an enterprise, a tool is not a capability.
1098
00:48:29,800 –> 00:48:30,800
It’s a contract.
1099
00:48:30,800 –> 00:48:35,000
It is an explicitly exposed pathway to change state in a system you already struggle to
1100
00:48:35,000 –> 00:48:36,000
govern.
1101
00:48:36,000 –> 00:48:37,000
So tool first rooting means this.
1102
00:48:37,000 –> 00:48:40,360
You design the tool surface area before you design the conversation.
1103
00:48:40,360 –> 00:48:43,400
Because the conversation is just how users request contracts.
1104
00:48:43,400 –> 00:48:44,960
The contracts are what actually happen.
1105
00:48:44,960 –> 00:48:47,200
A tool contract has four parts.
1106
00:48:47,200 –> 00:48:50,440
Purpose, inputs, outputs and failure modes.
1107
00:48:50,440 –> 00:48:52,600
Purpose is not integrates with service now.
1108
00:48:52,600 –> 00:48:56,880
Purpose is create incident with these required fields in these assignment groups under these
1109
00:48:56,880 –> 00:48:57,880
conditions.
1110
00:48:57,880 –> 00:48:59,880
Inputs are typed parameters.
1111
00:48:59,880 –> 00:49:05,120
Ticket category, affected service, urgency, request identity, business unit.
1112
00:49:05,120 –> 00:49:06,440
Outputs are not success.
1113
00:49:06,440 –> 00:49:10,360
Purpose are record ID, state, timestamps and any downstream workflow status.
1114
00:49:10,360 –> 00:49:15,000
And failure modes are where adult architecture lives, permission denied, validation error,
1115
00:49:15,000 –> 00:49:20,200
throttling, timeout, duplicate detection, partial success and system unavailable.
1116
00:49:20,200 –> 00:49:23,760
If you can’t name the failure modes, you can’t operate the agent.
1117
00:49:23,760 –> 00:49:24,760
You’re just hoping.
1118
00:49:24,760 –> 00:49:27,880
This is also where deterministic execution actually gets enforced.
1119
00:49:27,880 –> 00:49:29,200
The model can reason all day.
1120
00:49:29,200 –> 00:49:33,000
The only thing that matters is whether the action layer accepts or rejects the request
1121
00:49:33,000 –> 00:49:34,400
based on explicit rules.
1122
00:49:34,400 –> 00:49:38,080
That’s why power automate logic apps and API backed actions belong here.
1123
00:49:38,080 –> 00:49:43,240
They validate inputs, they apply fixed mappings, they return structured errors and they can be
1124
00:49:43,240 –> 00:49:45,200
wrapped in idempotent patterns.
1125
00:49:45,200 –> 00:49:48,160
So retries don’t create duplicate side effects.
1126
00:49:48,160 –> 00:49:50,640
An agent calling a tool is not automation.
1127
00:49:50,640 –> 00:49:54,120
It’s invoking a contract so the allow list matters more than the prompt.
1128
00:49:54,120 –> 00:49:57,080
Tool first routing starts by shrinking the surface area.
1129
00:49:57,080 –> 00:49:59,520
Enterprises love broad tools because they feel flexible.
1130
00:49:59,520 –> 00:50:02,320
Let the agent read and write anything in dataverse.
1131
00:50:02,320 –> 00:50:04,760
Give it access to all sharepoint sites.
1132
00:50:04,760 –> 00:50:07,040
Allow create update delete so it can help.
1133
00:50:07,040 –> 00:50:09,480
That flexibility is just unpriced risk.
1134
00:50:09,480 –> 00:50:11,280
The principle is simple.
1135
00:50:11,280 –> 00:50:15,680
Prohibit create, update and delete unless the business sponsor can explain the exact
1136
00:50:15,680 –> 00:50:19,560
outcome metric it supports and the exact audit evidence it will produce.
1137
00:50:19,560 –> 00:50:21,280
Read only tools are your default.
1138
00:50:21,280 –> 00:50:22,600
Write tools are exceptions.
1139
00:50:22,600 –> 00:50:24,560
Delete tools are almost never defensible.
1140
00:50:24,560 –> 00:50:29,600
And when you do allow write actions, you split them into narrow single purpose operations.
1141
00:50:29,600 –> 00:50:33,440
Add update ticket instead set ticket state from new to in progress.
1142
00:50:33,440 –> 00:50:35,560
Add work note with a required template.
1143
00:50:35,560 –> 00:50:37,680
Assign to group from an approved list.
1144
00:50:37,680 –> 00:50:38,840
Each one becomes governable.
1145
00:50:38,840 –> 00:50:40,400
Now tool selection policy.
1146
00:50:40,400 –> 00:50:44,360
This is the part everyone hand waves with the model will choose the right action.
1147
00:50:44,360 –> 00:50:45,360
That’s not governance.
1148
00:50:45,360 –> 00:50:47,360
That’s gambling with a nicer UI.
1149
00:50:47,360 –> 00:50:50,480
Tool selection has to be deterministic from the organization’s point of view.
1150
00:50:50,480 –> 00:50:54,280
Which means you either root based on intent contracts and preconditions or you don’t
1151
00:50:54,280 –> 00:50:55,280
root at all.
1152
00:50:55,280 –> 00:50:58,000
If two tools can satisfy the same intent you pick one.
1153
00:50:58,000 –> 00:51:01,520
We don’t let the agent improvise between them based on wording.
1154
00:51:01,520 –> 00:51:05,400
This is why the orchestration layer should behave like a policy router.
1155
00:51:05,400 –> 00:51:10,540
Given intent x and verified context y call tool z with payload schema s.
1156
00:51:10,540 –> 00:51:14,720
If the context doesn’t satisfy the preconditions the router doesn’t try something else.
1157
00:51:14,720 –> 00:51:16,040
It refuses or escalates.
1158
00:51:16,040 –> 00:51:19,840
And yes, co pilot studio gives you multiple ways to implement this.
1159
00:51:19,840 –> 00:51:25,840
Topics, tool definitions, agent flows and emerging protocols like mcp for control tool invocation.
1160
00:51:25,840 –> 00:51:27,440
The mechanism isn’t the point.
1161
00:51:27,440 –> 00:51:31,320
The point is that tool invocation is a governed decision, not a creative act.
1162
00:51:31,320 –> 00:51:33,560
Now at guardrails that people pretend are optional.
1163
00:51:33,560 –> 00:51:36,600
First require confirmation for high impact actions.
1164
00:51:36,600 –> 00:51:37,600
Not are you sure?
1165
00:51:37,600 –> 00:51:38,840
See you in a friendly sentence.
1166
00:51:38,840 –> 00:51:42,600
A structured confirmation that restates the action in precise terms.
1167
00:51:42,600 –> 00:51:43,600
What will change?
1168
00:51:43,600 –> 00:51:44,600
Where?
1169
00:51:44,600 –> 00:51:46,960
Under which identity and what record will be written?
1170
00:51:46,960 –> 00:51:49,080
Second, separate preparation from commit.
1171
00:51:49,080 –> 00:51:53,400
Let the model assemble the request, validate the parameters and present the plan.
1172
00:51:53,400 –> 00:51:56,880
Then commit through deterministic execution only after preconditions and confirmations
1173
00:51:56,880 –> 00:51:57,880
are satisfied.
1174
00:51:57,880 –> 00:52:02,560
Third, log every tool call with enough detail to reconstruct reality later.
1175
00:52:02,560 –> 00:52:06,880
If you can’t answer what happened without rereading a chat transcript you didn’t log.
1176
00:52:06,880 –> 00:52:08,640
You performed theater.
1177
00:52:08,640 –> 00:52:10,960
Tool first routing is how you keep the agent honest.
1178
00:52:10,960 –> 00:52:15,560
You stop asking what can it do and start asking what contracts are we willing to expose under
1179
00:52:15,560 –> 00:52:17,640
which identities with which evidence.
1180
00:52:17,640 –> 00:52:21,320
That’s how you build an agent that can act without becoming a liability.
1181
00:52:21,320 –> 00:52:26,360
And once the tool surface is explicit, orchestration stops being a vague agent flow.
1182
00:52:26,360 –> 00:52:30,960
It becomes a structure you can test, version and keep small on purpose.
1183
00:52:30,960 –> 00:52:31,960
Orchestration design.
1184
00:52:31,960 –> 00:52:35,120
Topics, flows and the minimal conversation surface.
1185
00:52:35,120 –> 00:52:38,760
Once tools are contracts, orchestration is the thing that prevents those contracts from
1186
00:52:38,760 –> 00:52:43,560
turning into a bucket of sharp objects sitting on a desk labeled AI.
1187
00:52:43,560 –> 00:52:47,760
Orchestration is how you decide repeatedly which contract is allowed to run in which order,
1188
00:52:47,760 –> 00:52:49,840
with which inputs and with what commit points.
1189
00:52:49,840 –> 00:52:53,800
It’s the difference between a governed service and a chat session that happens to touch production.
1190
00:52:53,800 –> 00:52:57,120
In co-pilot studio terms people will argue about mechanisms.
1191
00:52:57,120 –> 00:53:01,800
Topics versus generative orchestration, agent flows versus power automate, actions versus
1192
00:53:01,800 –> 00:53:05,040
prompts, MCP versus connectors.
1193
00:53:05,040 –> 00:53:07,040
Mechanisms are implementation details.
1194
00:53:07,040 –> 00:53:11,040
Orchestration is the structure you impose so the mechanism can’t drift into improvisation.
1195
00:53:11,040 –> 00:53:15,520
Start with topics because topics are still the cleanest way to make a path repeatable when
1196
00:53:15,520 –> 00:53:16,840
the outcome matters.
1197
00:53:16,840 –> 00:53:18,960
A topic is not old school bot design.
1198
00:53:18,960 –> 00:53:21,880
It’s a deterministic route through a known decision boundary.
1199
00:53:21,880 –> 00:53:26,520
If the intent triggers a state change, you want the predictable container, trigger, parameter
1200
00:53:26,520 –> 00:53:32,920
collection, validation, tool invocation, confirmation, record update, and a final response that reflects
1201
00:53:32,920 –> 00:53:34,400
the actual outcome.
1202
00:53:34,400 –> 00:53:38,080
And the design rule is simple, structured topics for execution paths.
1203
00:53:38,080 –> 00:53:42,600
Use freeform conversation where you can tolerate variance, clarifying questions, knowledge, lookup
1204
00:53:42,600 –> 00:53:43,600
and triage.
1205
00:53:43,600 –> 00:53:46,960
But don’t let freeform language drive execution branching because that’s how you get the
1206
00:53:46,960 –> 00:53:50,680
same request going down different paths depending on phrasing, context, chunks or which
1207
00:53:50,680 –> 00:53:52,440
prompt got edited last week.
1208
00:53:52,440 –> 00:53:55,880
So the conversation surface becomes minimal on purpose.
1209
00:53:55,880 –> 00:54:01,360
The agent should ask only for missing parameters, not for storytelling, not for help me understand,
1210
00:54:01,360 –> 00:54:04,760
not for open and a dialogue that makes the user feel heard while the system collects
1211
00:54:04,760 –> 00:54:06,360
unreliable inputs.
1212
00:54:06,360 –> 00:54:09,360
Minimal conversation means if a parameter is required ask for it.
1213
00:54:09,360 –> 00:54:10,560
If it isn’t required don’t.
1214
00:54:10,560 –> 00:54:13,760
If a parameter can be derived deterministically, derive it.
1215
00:54:13,760 –> 00:54:14,760
Don’t ask.
1216
00:54:14,760 –> 00:54:19,040
If ambiguity exists, the agent should say so explicitly and force this ambiguity before
1217
00:54:19,040 –> 00:54:20,040
it touches tools.
1218
00:54:20,040 –> 00:54:23,480
That sounds strict because it is execution needs strictness.
1219
00:54:23,480 –> 00:54:24,480
Now flows.
1220
00:54:24,480 –> 00:54:28,440
Flow is where long running work stops being a chat problem and becomes a systems problem,
1221
00:54:28,440 –> 00:54:29,960
which is where it belongs.
1222
00:54:29,960 –> 00:54:34,080
If the action takes more than a few seconds, document generation multi-system updates approvals
1223
00:54:34,080 –> 00:54:36,520
provisioning don’t trap it inside a conversational loop.
1224
00:54:36,520 –> 00:54:40,600
Kick off a flow, return a receipt, provide a status check, and the turn.
1225
00:54:40,600 –> 00:54:42,480
And the hidden benefit is operational.
1226
00:54:42,480 –> 00:54:46,680
Flow can be built with id-impotency patterns, correlation IDs, retries and timeouts that
1227
00:54:46,680 –> 00:54:47,760
chat cannot give you.
1228
00:54:47,760 –> 00:54:51,880
If the user asks twice, the system should detect same request already in progress and return
1229
00:54:51,880 –> 00:54:53,840
status, not run the action twice.
1230
00:54:53,840 –> 00:54:57,480
That’s not an optimization, that’s how you avoid double execution incidents.
1231
00:54:57,480 –> 00:55:01,840
So, orchestration should treat long running execution as asynchronous by default, the agent
1232
00:55:01,840 –> 00:55:05,680
becomes the interface, the workflow becomes the engine, the system of record becomes the
1233
00:55:05,680 –> 00:55:10,120
truth, which leads to the next design rule, status updates aren’t politeness, they’re
1234
00:55:10,120 –> 00:55:11,640
control.
1235
00:55:11,640 –> 00:55:17,000
If execution takes time, the agent must report state transitions, accepted, validating,
1236
00:55:17,000 –> 00:55:22,240
awaiting approval, executing, completed, failed, escalated, those aren’t progress messages,
1237
00:55:22,240 –> 00:55:27,920
they are how you prevent users from resubmitting, how you preserve trust, and how you make operations
1238
00:55:27,920 –> 00:55:28,920
debuggable.
1239
00:55:28,920 –> 00:55:33,120
And yes, you want retries, but you want id-impotent retries, not try again and hope.
1240
00:55:33,120 –> 00:55:36,840
If the workflow can safely retry a step, it should, if it can’t, it should stop and
1241
00:55:36,840 –> 00:55:38,560
hand off with the evidence captured.
1242
00:55:38,560 –> 00:55:42,680
Now, escalation, escalation isn’t a fallback topic with a generic apology.
1243
00:55:42,680 –> 00:55:45,120
Escalation is a designed hand off where state is preserved.
1244
00:55:45,120 –> 00:55:49,400
If the agent can’t proceed missing entitlement failed precondition and big US input system
1245
00:55:49,400 –> 00:55:54,400
down, it should produce a structured package, what the user asked, what it verified, what
1246
00:55:54,400 –> 00:55:58,600
failed, what it attempted, and what a human needs to complete the work.
1247
00:55:58,600 –> 00:56:01,880
Then root that package into the right queue with ownership and SLA.
1248
00:56:01,880 –> 00:56:05,720
That’s how you avoid the most common operational dead end.
1249
00:56:05,720 –> 00:56:06,880
Try again later.
1250
00:56:06,880 –> 00:56:10,760
Try again later is how you create duplicate tickets in consistent records and user work
1251
00:56:10,760 –> 00:56:16,160
around. So the orchestration structure you want is almost boring, a small set of execution
1252
00:56:16,160 –> 00:56:20,400
topics with strict parameter collection, a deterministic tool invocation policy, asynchronous
1253
00:56:20,400 –> 00:56:25,920
flows for real work, explicit status transitions, id-impotent retries, designed escalation with
1254
00:56:25,920 –> 00:56:29,720
state, not a shrug, and here’s the part that will bother people who want agents to feel
1255
00:56:29,720 –> 00:56:30,800
magical.
1256
00:56:30,800 –> 00:56:34,760
When orchestration is done correctly, the conversation gets smaller, not bigger.
1257
00:56:34,760 –> 00:56:38,560
Because the goal isn’t to simulate a helpful colleague, the goal is to run a controlled system
1258
00:56:38,560 –> 00:56:40,680
through a human-friendly interface.
1259
00:56:40,680 –> 00:56:44,600
Once you accept that, the architecture becomes obvious, and you can finally do the thing
1260
00:56:44,600 –> 00:56:47,160
most agent programs avoid until it’s too late.
1261
00:56:47,160 –> 00:56:51,840
You can manage agents like a portfolio, not like a craft project.
1262
00:56:51,840 –> 00:56:55,320
Governance, agent portfolio management, not one off botcraft.
1263
00:56:55,320 –> 00:56:57,600
Here’s what happens after the first agentships.
1264
00:56:57,600 –> 00:56:58,960
Nothing stays the first agent.
1265
00:56:58,960 –> 00:57:02,200
It becomes a template, a precedent, and an excuse.
1266
00:57:02,200 –> 00:57:06,400
And if governance doesn’t exist as an operating system, you don’t get an agent program.
1267
00:57:06,400 –> 00:57:08,040
You get agents sprawl.
1268
00:57:08,040 –> 00:57:11,040
Examples of semi-owned chat surfaces wired into production systems.
1269
00:57:11,040 –> 00:57:12,120
Each one, temporary.
1270
00:57:12,120 –> 00:57:14,120
Each one, carrying a little more security debt.
1271
00:57:14,120 –> 00:57:18,040
So governance, in agent terms, isn’t a committee, its portfolio management.
1272
00:57:18,040 –> 00:57:23,360
A portfolio means an inventory, an owner, a life cycle, and a repeatable way to decide what
1273
00:57:23,360 –> 00:57:27,360
gets built, what gets promoted, what gets retired, and what gets blocked.
1274
00:57:27,360 –> 00:57:28,360
And it needs a loop.
1275
00:57:28,360 –> 00:57:32,320
A real one, plan implement, manage, improve, extend, not as a slide, as an operating rhythm
1276
00:57:32,320 –> 00:57:35,760
that survives maker turnover and leadership attention drift.
1277
00:57:35,760 –> 00:57:38,880
One is where the organization forces discipline.
1278
00:57:38,880 –> 00:57:43,160
Outcomes, scoped intents, risk tier, and the non-negotiables.
1279
00:57:43,160 –> 00:57:46,560
Identity model, system of record, audit requirement, and refusal rules.
1280
00:57:46,560 –> 00:57:48,680
This is also where you classify the agent.
1281
00:57:48,680 –> 00:57:50,720
Because not every agent deserves the same controls.
1282
00:57:50,720 –> 00:57:55,560
A discovery agent that only retrieves curated policy guidance isn’t governed like an execution
1283
00:57:55,560 –> 00:57:57,320
agent that can mutate records.
1284
00:57:57,320 –> 00:58:00,640
If you govern them the same, you’ll either suffocate harmless agents or under-governed
1285
00:58:00,640 –> 00:58:01,800
dangerous ones.
1286
00:58:01,800 –> 00:58:03,040
Both outcomes are common.
1287
00:58:03,040 –> 00:58:04,520
Both are failures.
1288
00:58:04,520 –> 00:58:07,320
Agent is where teams prove they can build within constraints.
1289
00:58:07,320 –> 00:58:10,400
Tool allow lists, environment strategy, and release gates.
1290
00:58:10,400 –> 00:58:14,120
This is where you prevent the most predictable architecture erosion.
1291
00:58:14,120 –> 00:58:17,040
Building in production because it’s just a small change.
1292
00:58:17,040 –> 00:58:20,360
Agents degrade that way faster than apps because prompt edits feel harmless.
1293
00:58:20,360 –> 00:58:21,360
They aren’t.
1294
00:58:21,360 –> 00:58:22,720
Their behavior changes.
1295
00:58:22,720 –> 00:58:26,200
Manage is where organizations stop pretending ownership is implicit.
1296
00:58:26,200 –> 00:58:29,360
Every agent needs an accountable owner and a technical owner.
1297
00:58:29,360 –> 00:58:33,560
Accountable means they take the heat when the agent causes rework, risk, or reputation
1298
00:58:33,560 –> 00:58:34,560
or damage.
1299
00:58:34,560 –> 00:58:37,560
Technical means they can actually change the thing when it drifts.
1300
00:58:37,560 –> 00:58:39,920
If those aren’t named, the agent is already orphaned.
1301
00:58:39,920 –> 00:58:41,680
It just hasn’t been discovered yet.
1302
00:58:41,680 –> 00:58:43,400
Inventory is the other half of manage.
1303
00:58:43,400 –> 00:58:45,040
You need a tenant-wide list.
1304
00:58:45,040 –> 00:58:46,360
What agents exist.
1305
00:58:46,360 –> 00:58:47,520
Where they’re deployed.
1306
00:58:47,520 –> 00:58:48,600
What channels they run in.
1307
00:58:48,600 –> 00:58:49,600
What data they touch.
1308
00:58:49,600 –> 00:58:53,280
What tools they can invoke and which identities they run as.
1309
00:58:53,280 –> 00:58:54,720
Without that you don’t have governance.
1310
00:58:54,720 –> 00:58:57,240
You have hope.
1311
00:58:57,240 –> 00:59:00,240
Improve is where the feedback loop gets operational.
1312
00:59:00,240 –> 00:59:02,160
Not users said it was cool.
1313
00:59:02,160 –> 00:59:03,440
No signals.
1314
00:59:03,440 –> 00:59:04,440
Escalation patterns.
1315
00:59:04,440 –> 00:59:05,440
Failure modes.
1316
00:59:05,440 –> 00:59:06,440
Intervention rates.
1317
00:59:06,440 –> 00:59:08,320
And which intents produce exceptions.
1318
00:59:08,320 –> 00:59:10,640
And yes, this is where you do the boring work.
1319
00:59:10,640 –> 00:59:11,640
Titan contracts.
1320
00:59:11,640 –> 00:59:12,800
Prune knowledge.
1321
00:59:12,800 –> 00:59:13,800
Remove tools.
1322
00:59:13,800 –> 00:59:14,800
Split topics.
1323
00:59:14,800 –> 00:59:15,800
Adjust refusal paths.
1324
00:59:15,800 –> 00:59:18,520
And fix the things that keep creating human cleanup.
1325
00:59:18,520 –> 00:59:22,160
Extend is where scale happens without repeating the same mistakes.
1326
00:59:22,160 –> 00:59:24,760
Standardized patterns become reusable assets.
1327
00:59:24,760 –> 00:59:26,520
Intent contract templates.
1328
00:59:26,520 –> 00:59:28,400
Tool contract patterns.
1329
00:59:28,400 –> 00:59:29,400
Environment setups.
1330
00:59:29,400 –> 00:59:30,640
And testing baselines.
1331
00:59:30,640 –> 00:59:35,520
This is also where you decide when to add advanced capability, new connectors, new channels,
1332
00:59:35,520 –> 00:59:40,000
autonomous triggers, without turning the platform into an uncontrolled feature buffet.
1333
00:59:40,000 –> 00:59:43,920
Now the governance mechanics enterprises always underestimate environments, DLP and
1334
00:59:43,920 –> 00:59:45,400
release gates.
1335
00:59:45,400 –> 00:59:46,680
Environments aren’t bureaucracy.
1336
00:59:46,680 –> 00:59:48,280
They are blast radius control.
1337
00:59:48,280 –> 00:59:51,560
If makers can build anywhere they will, if they can publish anywhere they will.
1338
00:59:51,560 –> 00:59:52,560
That’s not malice.
1339
00:59:52,560 –> 00:59:54,360
That’s entropy.
1340
00:59:54,360 –> 00:59:56,960
So you need a clear environment strategy.
1341
00:59:56,960 –> 00:59:58,160
Development for building.
1342
00:59:58,160 –> 00:59:59,360
Test for validation.
1343
00:59:59,360 –> 01:00:00,360
Production for runtime.
1344
01:00:00,360 –> 01:00:04,760
Promotions happen through solutions and pipelines, not through copy paste and I changed one line
1345
01:00:04,760 –> 01:00:05,960
of instructions.
1346
01:00:05,960 –> 01:00:07,520
And the gating rule is simple.
1347
01:00:07,520 –> 01:00:11,960
If the agent can act it needs a release gate that includes testing and an owner sign off.
1348
01:00:11,960 –> 01:00:13,440
Then DLP.
1349
01:00:13,440 –> 01:00:17,120
Not as a checkbox but as a constraint on connectors, triggers and knowledge sources.
1350
01:00:17,120 –> 01:00:21,920
You don’t allow any connector that works that you allow the ones that match the contracts.
1351
01:00:21,920 –> 01:00:24,560
DLP is where you prevent the classic drift.
1352
01:00:24,560 –> 01:00:28,640
Someone adds a new connector to solve a one-off problem and suddenly the agent can exfiltrate
1353
01:00:28,640 –> 01:00:31,840
data to a place governance doesn’t monitor.
1354
01:00:31,840 –> 01:00:37,000
And finally the part most programs skip until the incident change control that survives
1355
01:00:37,000 –> 01:00:38,560
people leaving.
1356
01:00:38,560 –> 01:00:39,560
Agents are easy to build.
1357
01:00:39,560 –> 01:00:40,560
That’s the point.
1358
01:00:40,560 –> 01:00:41,560
It’s also the problem.
1359
01:00:41,560 –> 01:00:45,400
If the only person who understands an agent is the maker who built it at 2am, it isn’t
1360
01:00:45,400 –> 01:00:46,560
an enterprise asset.
1361
01:00:46,560 –> 01:00:47,560
It’s a pending outage.
1362
01:00:47,560 –> 01:00:49,880
So governance has to enforce three realities.
1363
01:00:49,880 –> 01:00:52,200
Ownership, inventory and release discipline.
1364
01:00:52,200 –> 01:00:55,760
Because once you operate agents as a portfolio, a second truth shows up.
1365
01:00:55,760 –> 01:01:00,280
You can stop arguing about AI quality in abstract terms and start measuring whether the architecture
1366
01:01:00,280 –> 01:01:01,280
is holding.
1367
01:01:01,280 –> 01:01:05,120
And measurement is where governance becomes real or becomes theatre.
1368
01:01:05,120 –> 01:01:07,760
Metrics that matter, measuring architecture, not sentiment.
1369
01:01:07,760 –> 01:01:11,200
If governance is portfolio management, metrics are how you prove the portfolio isn’t
1370
01:01:11,200 –> 01:01:12,360
quietly rotting.
1371
01:01:12,360 –> 01:01:15,520
And the first thing to accept is that most agent metrics are comfort metrics.
1372
01:01:15,520 –> 01:01:17,400
They tell you the agent is being talked to.
1373
01:01:17,400 –> 01:01:20,440
They don’t tell you the agent is doing the job you delegated.
1374
01:01:20,440 –> 01:01:23,560
Session counts, conversation volume, thumbs up ratios.
1375
01:01:23,560 –> 01:01:24,560
Nice to have.
1376
01:01:24,560 –> 01:01:27,360
I don’t answer the only question that matters in an enterprise.
1377
01:01:27,360 –> 01:01:31,640
Did the system behave predictably under control and with evidence so the metric set has to
1378
01:01:31,640 –> 01:01:33,760
measure architecture, not sentiment?
1379
01:01:33,760 –> 01:01:39,040
It has to expose where your design is probabilistic, where it’s deterministic, and where humans
1380
01:01:39,040 –> 01:01:41,560
are doing cleanup work you didn’t admit existed.
1381
01:01:41,560 –> 01:01:44,760
Start with the most honest metric in the entire program.
1382
01:01:44,760 –> 01:01:45,760
Intervention rate.
1383
01:01:45,760 –> 01:01:50,440
Intervention rate is how often a human overrides, red does or corrects what the agent produced.
1384
01:01:50,440 –> 01:01:52,400
Not escalations as a concept.
1385
01:01:52,400 –> 01:01:56,880
Local interventions, users say is never mind, reopens the ticket, changes fields after the
1386
01:01:56,880 –> 01:02:01,880
agent created the record, reruns the flow manually, or asks a human to validate before they
1387
01:02:01,880 –> 01:02:02,880
trusted.
1388
01:02:02,880 –> 01:02:07,440
A high intervention rate means your agent is producing work-shaped output that still requires
1389
01:02:07,440 –> 01:02:11,440
human verification, that is not automation, that is outsourced uncertainty.
1390
01:02:11,440 –> 01:02:15,800
And the enterprise tends to fund that for months because the agent looks busy.
1391
01:02:15,800 –> 01:02:18,240
Intervention rate is how you stop funding theatre.
1392
01:02:18,240 –> 01:02:20,160
Second, determinism score.
1393
01:02:20,160 –> 01:02:24,720
This is the metric most people don’t measure because it forces uncomfortable design changes.
1394
01:02:24,720 –> 01:02:26,320
The definition is simple.
1395
01:02:26,320 –> 01:02:30,240
Given the same intent and the same context, does the agent take the same action path?
1396
01:02:30,240 –> 01:02:34,440
Not, does it respond similarly, does it root to the same topic, call the same tool, validate
1397
01:02:34,440 –> 01:02:37,280
the same preconditions and produce the same state transition?
1398
01:02:37,280 –> 01:02:42,520
If the action path changes based on phrasing, random retrieval chunks or prompt drift,
1399
01:02:42,520 –> 01:02:43,720
determinism is low.
1400
01:02:43,720 –> 01:02:48,280
And low determinism is the root cause of operational distrust because humans can’t build stable
1401
01:02:48,280 –> 01:02:51,520
expectations around something that behaves differently every time.
1402
01:02:51,520 –> 01:02:55,680
So the practical way to measure determinism is to maintain a fixed test set of canonical
1403
01:02:55,680 –> 01:03:00,040
requests, 10 to 50 high value intents, and rerun them after every change.
1404
01:03:00,040 –> 01:03:03,440
Same user profile, same data conditions where possible, same environment.
1405
01:03:03,440 –> 01:03:05,520
Measure whether the root and tool cause remains stable.
1406
01:03:05,520 –> 01:03:09,360
If you can’t keep the path stable, the solution isn’t trained users.
1407
01:03:09,360 –> 01:03:12,240
The solution is tighter contracts and smaller tool surfaces.
1408
01:03:12,240 –> 01:03:14,520
Third, audit completeness.
1409
01:03:14,520 –> 01:03:17,200
Audit completeness is not, we have a transcript.
1410
01:03:17,200 –> 01:03:18,200
Transcripts are narrative.
1411
01:03:18,200 –> 01:03:20,600
Audits require reconstructable evidence.
1412
01:03:20,600 –> 01:03:22,120
Audit completeness asks.
1413
01:03:22,120 –> 01:03:26,800
For every agent initiated action, can the organization show what was requested, what identity
1414
01:03:26,800 –> 01:03:32,480
executed it, what tool or workflow ran, what record changed, what preconditions were checked,
1415
01:03:32,480 –> 01:03:35,040
what approval occurred and what the outcome was?
1416
01:03:35,040 –> 01:03:37,760
If the answer is kind of, you don’t have an agent system.
1417
01:03:37,760 –> 01:03:40,240
You have a conversational interface with side effects.
1418
01:03:40,240 –> 01:03:44,240
This is where a system of record stops being an integration detail and becomes the core
1419
01:03:44,240 –> 01:03:45,240
control.
1420
01:03:45,240 –> 01:03:48,800
If you’re not writing structured entries into the system of record for agent actions,
1421
01:03:48,800 –> 01:03:51,840
you are building an unorditable automation layer.
1422
01:03:51,840 –> 01:03:54,480
That will end exactly how you think it will end.
1423
01:03:54,480 –> 01:03:58,560
Now add operational KPIs, but tie them to strict definitions.
1424
01:03:58,560 –> 01:04:02,320
Resolution rate only matters if resolved means the workflow reached a defined terminal
1425
01:04:02,320 –> 01:04:03,320
state.
1426
01:04:03,320 –> 01:04:07,680
Deflection rate only matters if deflection means no human head to intervene later.
1427
01:04:07,680 –> 01:04:11,840
Mean time to resolution only matters if you measure it from request to verified state change,
1428
01:04:11,840 –> 01:04:13,560
not from chat start to chat end.
1429
01:04:13,560 –> 01:04:17,640
Otherwise you can improve the metric by ending sessions faster while pushing work downstream.
1430
01:04:17,640 –> 01:04:22,480
The last metric that separates mature programs from pilot programs is refusal quality.
1431
01:04:22,480 –> 01:04:24,840
If refusal is a feature, it should be measurable.
1432
01:04:24,840 –> 01:04:29,200
How often the agent refuses, why it refuses and whether refusal roots users into a clean
1433
01:04:29,200 –> 01:04:31,600
escalation path with preserved state.
1434
01:04:31,600 –> 01:04:34,840
A refusal that creates a usable ticket with context is a control.
1435
01:04:34,840 –> 01:04:38,960
A refusal that tells the user to try again later is just a delayed failure.
1436
01:04:38,960 –> 01:04:42,360
So the metric set becomes a dashboard of architectural truth.
1437
01:04:42,360 –> 01:04:47,040
A convention rate, determinism score, audit completeness, operational KPIs with real definitions
1438
01:04:47,040 –> 01:04:48,640
and refusal quality.
1439
01:04:48,640 –> 01:04:50,960
And once you track those, two things happen.
1440
01:04:50,960 –> 01:04:54,160
First, you stop arguing about whether the agent is good.
1441
01:04:54,160 –> 01:04:56,360
You start seeing where the system is uncontrolled.
1442
01:04:56,360 –> 01:05:01,240
Second, you realize metrics without testing discipline are just forensic reports after trust
1443
01:05:01,240 –> 01:05:02,240
is already damaged.
1444
01:05:02,240 –> 01:05:06,360
So the next mandate is evidence test like software because you are shipping a system,
1445
01:05:06,360 –> 01:05:08,000
not a personality.
1446
01:05:08,000 –> 01:05:09,000
Testing discipline.
1447
01:05:09,000 –> 01:05:11,320
From try it out to evidence.
1448
01:05:11,320 –> 01:05:15,480
Once you start measuring determinism and intervention, you run into a problem that can’t be solved
1449
01:05:15,480 –> 01:05:16,640
with optimism.
1450
01:05:16,640 –> 01:05:18,640
You can’t manage what you can’t reproduce.
1451
01:05:18,640 –> 01:05:23,280
And most co-pilot agent programs are built on the least reproducible testing method in enterprise
1452
01:05:23,280 –> 01:05:24,280
IT.
1453
01:05:24,280 –> 01:05:28,840
Someone trying it out in a chat pane, getting a decent answer once and shipping.
1454
01:05:28,840 –> 01:05:29,840
That’s not testing.
1455
01:05:29,840 –> 01:05:30,840
That’s a vibe check.
1456
01:05:30,840 –> 01:05:31,920
Agents don’t need more encouragement.
1457
01:05:31,920 –> 01:05:33,120
They need evidence.
1458
01:05:33,120 –> 01:05:37,160
So the testing discipline has to look like software discipline adapted for a probabilistic
1459
01:05:37,160 –> 01:05:39,680
component, not because the platform is broken.
1460
01:05:39,680 –> 01:05:43,360
Because the platform is doing exactly what probabilistic systems do, they vary.
1461
01:05:43,360 –> 01:05:47,280
Your job is to bound that variance until it becomes operationally acceptable.
1462
01:05:47,280 –> 01:05:48,800
The first shift is simple.
1463
01:05:48,800 –> 01:05:50,120
Move testing left.
1464
01:05:50,120 –> 01:05:53,840
Early, repeatable and tied to the intents you actually care about.
1465
01:05:53,840 –> 01:05:56,960
Before anything goes near production, you define a core scenario set.
1466
01:05:56,960 –> 01:06:00,200
10 to 50 scenarios that represent the real outcomes you’re delegating.
1467
01:06:00,200 –> 01:06:03,320
Not edge cases, not fun prompts, not clever demos.
1468
01:06:03,320 –> 01:06:07,400
The boring high frequency paths that will generate tickets, approvals, changes and audit
1469
01:06:07,400 –> 01:06:08,400
questions.
1470
01:06:08,400 –> 01:06:12,040
And you test them every time you change anything that can alter behavior.
1471
01:06:12,040 –> 01:06:17,120
Instructions, topic triggers, two definitions, knowledge sources, connector auth, models,
1472
01:06:17,120 –> 01:06:18,640
even environment policies.
1473
01:06:18,640 –> 01:06:20,320
Because those are all behavior changes.
1474
01:06:20,320 –> 01:06:22,120
Some are just disguised as configuration.
1475
01:06:22,120 –> 01:06:24,600
Copilot Studio gives you multiple ways to do this.
1476
01:06:24,600 –> 01:06:26,800
And the point isn’t which feature is best.
1477
01:06:26,800 –> 01:06:30,640
The point is you stop relying on memory and start relying on repeatable runs.
1478
01:06:30,640 –> 01:06:33,520
Use the built-in evaluation capability when it fits.
1479
01:06:33,520 –> 01:06:36,440
Single turn checks for quality, groundedness and completeness.
1480
01:06:36,440 –> 01:06:39,800
It’s useful for quickly catching regressions in generative answers.
1481
01:06:39,800 –> 01:06:44,120
And it can generate test sets based on your agent metadata, knowledge sources or past
1482
01:06:44,120 –> 01:06:45,120
chats.
1483
01:06:45,120 –> 01:06:46,120
That’s fine for breadth.
1484
01:06:46,120 –> 01:06:48,400
But don’t confuse that with end-to-end proof.
1485
01:06:48,400 –> 01:06:52,120
Single turn evaluation won’t tell you whether a multi-turn execution path collects parameters
1486
01:06:52,120 –> 01:06:57,200
correctly, validates preconditions, calls the right tool and writes to the system of record.
1487
01:06:57,200 –> 01:06:59,040
It won’t show you item potency failures.
1488
01:06:59,040 –> 01:07:04,320
It won’t show you what happens when a connector throws an HTTP error halfway through a workflow.
1489
01:07:04,320 –> 01:07:07,840
So for execution scenarios you need multi-turn automated testing.
1490
01:07:07,840 –> 01:07:12,080
That’s where bulk testing approaches like the Copilot Studio Kit become the adult option.
1491
01:07:12,080 –> 01:07:16,640
You run test conversations that include the messy user request, the clarification turns,
1492
01:07:16,640 –> 01:07:20,520
the confirmation steps, the tool invocation, the error path and the escalation path.
1493
01:07:20,520 –> 01:07:23,800
And you run them at scale because non-determinism hides in volume.
1494
01:07:23,800 –> 01:07:25,680
The goal isn’t to prove it works.
1495
01:07:25,680 –> 01:07:29,080
The goal is to discover where it fails before users do.
1496
01:07:29,080 –> 01:07:31,480
Now add the most ignored part of agent testing.
1497
01:07:31,480 –> 01:07:32,720
Identity profiles.
1498
01:07:32,720 –> 01:07:35,440
An agent that works under a maker account proves nothing.
1499
01:07:35,440 –> 01:07:40,640
You test with designated user profiles that reflect real entitlements, standard employee,
1500
01:07:40,640 –> 01:07:45,520
privileged operator, regional user, contractor, service desk, analyst, same intent, different
1501
01:07:45,520 –> 01:07:47,280
identity, different access graph.
1502
01:07:47,280 –> 01:07:48,440
That’s not a corner case.
1503
01:07:48,440 –> 01:07:50,600
That’s the system.
1504
01:07:50,600 –> 01:07:55,040
Because many agent failures are just authorization reality finally becoming visible.
1505
01:07:55,040 –> 01:07:59,240
The test discipline has to surface that deliberately, not by surprise in a team’s channel.
1506
01:07:59,240 –> 01:08:01,560
Then you treat tests as architecture artifacts.
1507
01:08:01,560 –> 01:08:02,560
They are versioned.
1508
01:08:02,560 –> 01:08:03,560
They are owned.
1509
01:08:03,560 –> 01:08:04,560
They live with the solution.
1510
01:08:04,560 –> 01:08:05,560
They run in pipelines.
1511
01:08:05,560 –> 01:08:06,560
And they gate releases.
1512
01:08:06,560 –> 01:08:10,320
If you can’t describe your release gate in one sentence, we won’t promote this agent unless
1513
01:08:10,320 –> 01:08:15,560
core scenarios pass under these identities and tool calls produce these records.
1514
01:08:15,560 –> 01:08:17,240
You don’t have a release process.
1515
01:08:17,240 –> 01:08:19,360
You have hope with deployment permissions.
1516
01:08:19,360 –> 01:08:21,880
And yes, you need regression after every change.
1517
01:08:21,880 –> 01:08:27,280
Agents drift from small edits, knowledge updates, connector changes, model updates, capacity
1518
01:08:27,280 –> 01:08:28,280
limits.
1519
01:08:28,280 –> 01:08:29,280
Those aren’t hypothetical.
1520
01:08:29,280 –> 01:08:31,320
They’re routine platform reality.
1521
01:08:31,320 –> 01:08:35,200
So the discipline is same test set, same thresholds, rerun continuously.
1522
01:08:35,200 –> 01:08:39,480
Finally, testing has to include failure path design, not just success path validation.
1523
01:08:39,480 –> 01:08:40,960
Force the tool to fail.
1524
01:08:40,960 –> 01:08:45,960
Remove permissions, break the dependency, exceed the token limit with oversized inputs.
1525
01:08:45,960 –> 01:08:46,960
Trigger throttling.
1526
01:08:46,960 –> 01:08:48,320
Watch what the agent does.
1527
01:08:48,320 –> 01:08:51,280
If it masks the failure with language, that’s a defect.
1528
01:08:51,280 –> 01:08:55,080
If it escalates with state preserved and evidence attached, that’s architecture.
1529
01:08:55,080 –> 01:08:57,320
This is what enterprise grade actually means.
1530
01:08:57,320 –> 01:09:00,920
Not fewer failures, but failures that are predictable, explainable and containable.
1531
01:09:00,920 –> 01:09:04,640
Once you have that evidence loop, you stop debating whether the agent is ready.
1532
01:09:04,640 –> 01:09:05,640
You know.
1533
01:09:05,640 –> 01:09:08,360
And that’s when operations becomes the next inevitability.
1534
01:09:08,360 –> 01:09:10,240
Drift doesn’t stop because you tested once.
1535
01:09:10,240 –> 01:09:12,080
It just becomes visible sooner.
1536
01:09:12,080 –> 01:09:15,160
Agent ops, drift, incidents and platform reality.
1537
01:09:15,160 –> 01:09:17,520
Now take that testing discipline and assume it worked.
1538
01:09:17,520 –> 01:09:18,800
You shipped.
1539
01:09:18,800 –> 01:09:20,320
Core scenarios pass.
1540
01:09:20,320 –> 01:09:22,000
The agent behaves.
1541
01:09:22,000 –> 01:09:23,920
Everyone celebrates.
1542
01:09:23,920 –> 01:09:25,960
Then the real system starts operating.
1543
01:09:25,960 –> 01:09:30,400
The one made of people, policies, connectors, models and monthly platform updates.
1544
01:09:30,400 –> 01:09:34,280
This is where agent ops stops being optional and becomes the only thing between successful
1545
01:09:34,280 –> 01:09:36,960
pilot and quiet abandonment.
1546
01:09:36,960 –> 01:09:39,880
Agent ops is just the operational truth of agents.
1547
01:09:39,880 –> 01:09:42,840
These systems drift and drift creates incidents.
1548
01:09:42,840 –> 01:09:44,960
And drift does not require malice or incompetence.
1549
01:09:44,960 –> 01:09:46,160
It only requires time.
1550
01:09:46,160 –> 01:09:47,640
Drift shows up in three places.
1551
01:09:47,640 –> 01:09:49,520
First you change the agent.
1552
01:09:49,520 –> 01:09:51,640
Instructions, triggers, prompts, knowledge, tools.
1553
01:09:51,640 –> 01:09:54,040
That’s a behavior change wearing a friendly UI.
1554
01:09:54,040 –> 01:09:56,320
Second, dependencies changed.
1555
01:09:56,320 –> 01:10:02,040
Access, schemers, catalogs, choice values, conditional access, DLP, tokens, secrets, licensing,
1556
01:10:02,040 –> 01:10:03,040
capacity.
1557
01:10:03,040 –> 01:10:04,840
Third, the platform moved.
1558
01:10:04,840 –> 01:10:09,880
Models update, retrieval indexing shifts, throttling changes, preview features, sunset.
1559
01:10:09,880 –> 01:10:11,560
The agent didn’t get weird yet.
1560
01:10:11,560 –> 01:10:13,040
Your runtime changed.
1561
01:10:13,040 –> 01:10:14,280
So the mandate is simple.
1562
01:10:14,280 –> 01:10:15,920
Treat agents like services.
1563
01:10:15,920 –> 01:10:16,920
Services have runbooks.
1564
01:10:16,920 –> 01:10:17,920
They have telemetry.
1565
01:10:17,920 –> 01:10:19,080
They have incident reviews.
1566
01:10:19,080 –> 01:10:20,080
They have backlogs.
1567
01:10:20,080 –> 01:10:23,520
They have owners who get paged when reality disagrees with the demo.
1568
01:10:23,520 –> 01:10:28,320
But with reliability patterns, because most agent incidents are boring in the same way.
1569
01:10:28,320 –> 01:10:34,080
Timeouts, partial completions, duplicate execution, silent tool failures, inconsistent routing,
1570
01:10:34,080 –> 01:10:37,280
users resubmitting the same request because the agent went quiet.
1571
01:10:37,280 –> 01:10:38,280
So you design for that.
1572
01:10:38,280 –> 01:10:41,280
Retrieves exist, but only where the operation is idempotent.
1573
01:10:41,280 –> 01:10:45,720
If a create ticket action can run twice and create two incidents, you don’t retry.
1574
01:10:45,720 –> 01:10:50,400
You add a correlation ID and a deduplication check in the execution layer, then retry becomes
1575
01:10:50,400 –> 01:10:52,200
resume, not repeat.
1576
01:10:52,200 –> 01:10:53,200
Timeouts exist.
1577
01:10:53,200 –> 01:10:58,080
So every long-running action needs explicit time budgets and user-visible state transitions,
1578
01:10:58,080 –> 01:11:01,520
accepted, queued, awaiting approval, executing, completed.
1579
01:11:01,520 –> 01:11:07,080
If it fails, the agent returns a receipt with a record ID or escalation artifact, not a paragraph.
1580
01:11:07,080 –> 01:11:09,160
Fallbacks exist, but fallbacks must be engineered.
1581
01:11:09,160 –> 01:11:13,480
If the model can’t confidently root, it should ask a disambiguation question or escalate
1582
01:11:13,480 –> 01:11:14,480
with context.
1583
01:11:14,480 –> 01:11:17,800
A fallback that produces plausible text is not resilience.
1584
01:11:17,800 –> 01:11:19,160
It’s fraud with better grammar.
1585
01:11:19,160 –> 01:11:21,360
And human in the loop checkpoints aren’t a concession.
1586
01:11:21,360 –> 01:11:22,360
There are control points.
1587
01:11:22,360 –> 01:11:27,040
High-impact changes require a human approval gate, even if the agent did everything else.
1588
01:11:27,040 –> 01:11:29,680
That’s how you keep autonomy from turning into liability.
1589
01:11:29,680 –> 01:11:34,160
Now observability, this is where most agent programs collapse because they rely on chat
1590
01:11:34,160 –> 01:11:35,960
transcripts like their logs.
1591
01:11:35,960 –> 01:11:36,960
They’re not.
1592
01:11:36,960 –> 01:11:38,720
Transcripts are narrative, not telemetry.
1593
01:11:38,720 –> 01:11:43,560
You need instrumentation for, which intent fired, which topic ran, which tools were invoked,
1594
01:11:43,560 –> 01:11:48,000
which identity executed them, how long each step took, what errors returned, how often
1595
01:11:48,000 –> 01:11:51,760
users abandoned, and how often escalation happened.
1596
01:11:51,760 –> 01:11:54,640
Uncalled telemetry matters more than the agent said something.
1597
01:11:54,640 –> 01:11:57,800
And you need to capture latency because latency creates user behavior.
1598
01:11:57,800 –> 01:12:02,080
When agents take too long, users resubmit, resubmission creates duplicates.
1599
01:12:02,080 –> 01:12:03,600
Duplicates create rework.
1600
01:12:03,600 –> 01:12:05,000
Rework destroys trust.
1601
01:12:05,000 –> 01:12:06,680
This is not user training.
1602
01:12:06,680 –> 01:12:08,000
This is system behavior.
1603
01:12:08,000 –> 01:12:09,920
Then you need an operational posture.
1604
01:12:09,920 –> 01:12:12,680
Weekly review, not quarterly post-mortems.
1605
01:12:12,680 –> 01:12:17,600
Look for drift signals, rising intervention rate, rising fallback rate, increased unrecognized
1606
01:12:17,600 –> 01:12:21,720
utterances, increased tool call failures, rising latency, more escalating.
1607
01:12:21,720 –> 01:12:24,760
In the specific intent, those are leading indicators.
1608
01:12:24,760 –> 01:12:27,160
If you wait for the incident, you’ve already lost adoption.
1609
01:12:27,160 –> 01:12:32,080
When an incident does happen, the review has to be brutally specific, not the model hallucinated.
1610
01:12:32,080 –> 01:12:33,080
That’s not a root cause.
1611
01:12:33,080 –> 01:12:35,320
The root cause is always architectural.
1612
01:12:35,320 –> 01:12:40,480
Missing precondition checks, ambiguous rooting, overbroad tool surface, unowned knowledge, identity
1613
01:12:40,480 –> 01:12:42,640
mismatch, or inadequate logging.
1614
01:12:42,640 –> 01:12:46,200
And every incident produces a backlog item that hardens the system.
1615
01:12:46,200 –> 01:12:50,640
Titer contracts, better validation, narrower tools, improved escalation artifacts, additional
1616
01:12:50,640 –> 01:12:52,520
tests, and clearer runbooks.
1617
01:12:52,520 –> 01:12:54,160
That’s the real promise of agent ops.
1618
01:12:54,160 –> 01:12:55,520
Not that incidents disappear.
1619
01:12:55,520 –> 01:12:59,480
That incidents become containable, explainable, and less frequent over time.
1620
01:12:59,480 –> 01:13:02,480
Because the uncomfortable truth is that platforms will keep moving.
1621
01:13:02,480 –> 01:13:03,720
The tenant will keep changing.
1622
01:13:03,720 –> 01:13:06,200
Your organization will keep accumulating entropy.
1623
01:13:06,200 –> 01:13:11,120
The question is whether your agent program treats that as AI being AI or whether you run
1624
01:13:11,120 –> 01:13:12,120
it like production.
1625
01:13:12,120 –> 01:13:15,200
If you choose production, drift becomes a managed cost.
1626
01:13:15,200 –> 01:13:19,800
If you choose vibes, drift becomes your entire story, where it’s in the executive playbook.
1627
01:13:19,800 –> 01:13:22,280
The five decisions leadership must force.
1628
01:13:22,280 –> 01:13:24,320
At this point, the pattern should be obvious.
1629
01:13:24,320 –> 01:13:26,160
Agent failure isn’t a tooling problem.
1630
01:13:26,160 –> 01:13:28,880
It’s a leadership problem disguised as a maker problem.
1631
01:13:28,880 –> 01:13:31,920
Because agents sit at the intersection of accountability and automation.
1632
01:13:31,920 –> 01:13:35,640
And if leadership doesn’t force a few hard decisions up front, the system will make those
1633
01:13:35,640 –> 01:13:37,040
decisions for you.
1634
01:13:37,040 –> 01:13:41,360
Accidentally, inconsistently, and usually during an incident review.
1635
01:13:41,360 –> 01:13:43,840
So here are the five decisions leadership has to force.
1636
01:13:43,840 –> 01:13:46,640
Not suggest, not encourage, force.
1637
01:13:46,640 –> 01:13:47,640
Decision one.
1638
01:13:47,640 –> 01:13:50,040
The agent owns end to end and what stays human.
1639
01:13:50,040 –> 01:13:52,720
This is the boundary between assistance and delegation.
1640
01:13:52,720 –> 01:13:58,000
If the agent owns an outcome, it owns the workflow path, the tool calls, and the evidence.
1641
01:13:58,000 –> 01:14:02,720
If a human owns it, the agent can guide, summarize, and prepare, but it does not commit.
1642
01:14:02,720 –> 01:14:05,920
Leadership has to pick because ambiguity here creates blame later.
1643
01:14:05,920 –> 01:14:09,720
And the fastest way to kill adoption is to ship an agent that sometimes acts and sometimes
1644
01:14:09,720 –> 01:14:12,120
doesn’t with no reliable rule behind it.
1645
01:14:12,120 –> 01:14:13,120
Decision two.
1646
01:14:13,120 –> 01:14:16,360
The identity model and the least privileged boundary.
1647
01:14:16,360 –> 01:14:22,120
Leadership has to decide whether execution runs as the user or as a service identity per intent.
1648
01:14:22,120 –> 01:14:25,880
Then enforce least privilege as a design constraint, not a security aspiration.
1649
01:14:25,880 –> 01:14:29,200
This is also where leaders stop tolerating temporary access.
1650
01:14:29,200 –> 01:14:32,480
Agents will operationalize whatever access that you’ve accumulated.
1651
01:14:32,480 –> 01:14:37,120
If the business wants action-capable agents, the business funds, identity hygiene, access
1652
01:14:37,120 –> 01:14:42,960
reviews, app permission discipline, and a clear run as pattern that survives staff turnover.
1653
01:14:42,960 –> 01:14:43,960
Decision three.
1654
01:14:43,960 –> 01:14:47,960
This record and the audit requirement, an agent that acts without writing to a system of record
1655
01:14:47,960 –> 01:14:50,040
is not an enterprise system.
1656
01:14:50,040 –> 01:14:52,960
It’s an opinionated chat session with side effects.
1657
01:14:52,960 –> 01:14:56,720
Leadership has to name the record authority per workflow, service now dynamics a line of
1658
01:14:56,720 –> 01:15:02,000
business system, and make it non-negotiable that agent actions produce reconstructable evidence.
1659
01:15:02,000 –> 01:15:06,520
Request, identity, preconditions, approvals, tool invocation outcome.
1660
01:15:06,520 –> 01:15:10,000
If that evidence doesn’t exist, the agent isn’t allowed to execute.
1661
01:15:10,000 –> 01:15:11,000
Simple rule.
1662
01:15:11,000 –> 01:15:12,720
Massive impact.
1663
01:15:12,720 –> 01:15:13,720
Section four.
1664
01:15:13,720 –> 01:15:14,720
Release gates.
1665
01:15:14,720 –> 01:15:16,600
Testing thresholds and rollback expectations.
1666
01:15:16,600 –> 01:15:21,480
If leadership wants deterministic ROI, leadership forces deterministic release discipline.
1667
01:15:21,480 –> 01:15:27,000
That means pre-production environments, version changes, test sets that cover core intents
1668
01:15:27,000 –> 01:15:30,760
under real identity profiles and a past threshold that blocks promotion.
1669
01:15:30,760 –> 01:15:34,000
It also means rollback is designed, not improvised.
1670
01:15:34,000 –> 01:15:38,600
When the platform shifts under you, and it will, you need a way to revert behavior quickly
1671
01:15:38,600 –> 01:15:41,360
without a late night prompt edit in production.
1672
01:15:41,360 –> 01:15:42,360
Decision five.
1673
01:15:42,360 –> 01:15:45,320
Decision metrics tied to outcomes, not democquality.
1674
01:15:45,320 –> 01:15:47,640
Leadership has to kill vanity metrics early.
1675
01:15:47,640 –> 01:15:49,040
Session volume is not success.
1676
01:15:49,040 –> 01:15:50,720
Positive reactions are not success.
1677
01:15:50,720 –> 01:15:54,960
Success is an operational delta that survives outside the agent team.
1678
01:15:54,960 –> 01:15:59,400
Reduced escalations with strict definitions, reduced rework, faster approvals with preserved
1679
01:15:59,400 –> 01:16:04,060
compliance, measurable cycle time reduction, improved throughput and intervention rates
1680
01:16:04,060 –> 01:16:05,800
trending down over time.
1681
01:16:05,800 –> 01:16:07,920
And leaders have to assign metric ownership.
1682
01:16:07,920 –> 01:16:10,600
If nobody owns the metric, the agent doesn’t have a goal.
1683
01:16:10,600 –> 01:16:11,800
It has a launch date.
1684
01:16:11,800 –> 01:16:16,800
When these five decisions are explicit, the rest becomes execution, contracts, tools,
1685
01:16:16,800 –> 01:16:20,280
context, orchestration, governance, measurement and operations.
1686
01:16:20,280 –> 01:16:23,360
And when they’re not explicit, what you get is predictable too.
1687
01:16:23,360 –> 01:16:28,680
Chat first agents with broad permissions, unclear boundaries and an AI is unpredictable
1688
01:16:28,680 –> 01:16:33,200
narrative that conveniently avoids the actual root cause.
1689
01:16:33,200 –> 01:16:36,120
This is what thought leadership should really do in this space.
1690
01:16:36,120 –> 01:16:41,080
Stop arguing about whether agents are ready and start forcing architectural honesty.
1691
01:16:41,080 –> 01:16:43,240
Because the platform will keep improving.
1692
01:16:43,240 –> 01:16:44,440
Models will keep changing.
1693
01:16:44,440 –> 01:16:45,520
Features will keep shipping.
1694
01:16:45,520 –> 01:16:46,520
That’s not your constraint.
1695
01:16:46,520 –> 01:16:51,640
Your constraint is whether you can turn probabilistic reasoning into deterministic operations.
1696
01:16:51,640 –> 01:16:55,280
And that only happens when leadership decides what gets enforced.
1697
01:16:55,280 –> 01:16:56,280
Conclusion.
1698
01:16:56,280 –> 01:16:57,760
Agents don’t fail because they’re dumb.
1699
01:16:57,760 –> 01:17:01,200
They fail because you ask them to act without a control plane.
1700
01:17:01,200 –> 01:17:05,240
An architecture is what turns probabilistic reasoning into governed execution.
1701
01:17:05,240 –> 01:17:09,800
If this helped, leave a review so fewer teams keep funding chat-shaped risk.
1702
01:17:09,800 –> 01:17:13,080
Just put your computer on LinkedIn and tell them what you’re building and send the next
1703
01:17:13,080 –> 01:17:15,560
failure pattern you’re seeing so it becomes the next episode.
