Now Reading: Why Your Enterprise Architecture is Eroding Under Copilot
-
01
Why Your Enterprise Architecture is Eroding Under Copilot
Agentic AI produces actions. Its failures are authorization failures. Once agents can call tools, trigger workflows, update records, or change permissions, outcomes stop being “mostly correct.” They become binary: authorized or unauthorized, attributable or unprovable, contained or tenant-wide. That’s where the mirage begins. In assistive systems we ask: Did it hallucinate?
In agentic systems we must ask:
- Who executed this?
- By what authority?
- Through which tool path?
- Against which data boundary?
- Can we stop this one agent without freezing the program?
Most organizations never ask those questions early enough because they misclassify agents as UI features. But agents don’t live in the UI. They live in the graph. Every delegated permission, connector, service account, environment exception, and “temporary” workaround becomes reachable authority. Helpful becomes authorized quietly. No approval meeting. No single mistake. Just gradual accumulation. And the more productive agents feel, the more dangerous the drift becomes. Success creates demand. Demand creates replication. Replication creates sprawl. And sprawl is where architecture dies—because the system becomes reactive instead of designed. Failure Mode #1 — Identity Drift Silent accountability loss Identity drift isn’t a bug. It’s designed in. Most agents run as:
- the maker’s identity
- a shared service account
- a vague automation context
All three produce the same outcome: you can’t prove who acted. When the first real incident occurs—a permission change, a record update, an external email—the question isn’t “why did the model hallucinate?” It’s “who executed this action?” If the answer starts with “it depends”, the program is already over. Hallucinations are a quality problem.
Identity drift is a governance failure. Once accountability becomes probabilistic, security pauses the program. Every time. Not out of fear—but because the cost of being wrong is higher than the cost of being late. Failure Mode #2 — Tool & Connector Sprawl Unbounded authority Tools are not accessories.
They are executable authority. When each team wires its own “create ticket,” “grant access,” or “update record” path, the estate stops being an architecture and becomes an accident. Duplicate tools. Divergent permissions. Inconsistent approvals. No shared contracts. No predictable blast radius. Sprawl makes containment politically impossible. Disable one thing and you break five others. So the only safe response becomes the blunt one: freeze the program. That’s how enthusiasm turns into risk aversion. Failure Mode #3 — Obedient Data Leakage Governance theater Agents leak not because they’re malicious—but because they’re obedient. Ground an agent on “everything it can read,” and it will confidently operationalize drafts, stale copies, migration artifacts, and overshared junk. The model didn’t hallucinate. The system hallucinated governance. Compliance doesn’t care that the answer sounded right.
Compliance cares whether it came from an authoritative source—and whether you can prove it. If your answer is “because the user could read it,” you didn’t design boundaries. You delegated human judgment to a non-human actor. The Four Safeguards That Actually Scale 1️⃣ One agent, one non-human identity Agents need first-class Entra identities with owners, sponsors, lifecycle, and a kill-switch that doesn’t disable Copilot for everyone. 2️⃣ Standardized tool contracts Tools are contracts, not connectors. Fewer tools, reused everywhere. Structured outputs. Provenance. Explicit refusal modes. Irreversible actions require approval tokens bound to identity and parameters. 3️⃣ Authoritative data boundaries Agents ground only on curated, approved domains. Humans can roam. Agents cannot. “Readable” is not “authoritative.” 4️⃣ Runtime drift detection Design-time controls aren’t enough. Drift is guaranteed. You need runtime signals and containment playbooks that let security act surgically—without freezing the program. The Minimal Viable Agent Control Plane (MVACP) Not a framework.
A containment system.
- One agent identity
- One curated tool path
- One bounded data domain
- One tested containment playbook
- Provenance as a default, not an add-on
If you can’t isolate one agent, prove one action, and contain one failure, you’re not running a program. You’re accumulating incident debt. Executive Reality Check If your organization can’t answer these with proof, you’re not ready to scale:
- Can we disable one agent without disabling Copilot?
- Can we prove exactly where an answer came from?
- Can we show who authorized an action and which tool executed it?
- Do we know how many tools exist—and which ones duplicate authority?
Narratives don’t pass audit. Evidence does. Conclusion — Control plane or collapse Agents turn Microsoft estates into distributed decision engines. Entropy wins unless identity, tool contracts, data boundaries, and drift detection are enforced by design. In the next episode, we go hands-on: building a Minimal Viable Agent Control Plane for Copilot Studio systems of action. Subscribe.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365–6704921/support.
If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.
