The Context Advantage: Architecting the High-Performance Autonomous Enterprise

1
00:00:00,000 --> 00:00:04,080
Most organizations think their AI rollout failed because the model wasn't smart enough

2
00:00:04,080 --> 00:00:06,800
or because users don't know how to prompt.

3
00:00:06,800 --> 00:00:09,360
That's the comforting story. It's also wrong.

4
00:00:09,360 --> 00:00:12,880
In enterprises, AI fails because context is fragmented.

5
00:00:12,880 --> 00:00:14,940
Identity doesn't line up with permissions.

6
00:00:14,940 --> 00:00:17,120
Work artifacts don't line up with decisions,

7
00:00:17,120 --> 00:00:20,520
and nobody can explain what the system is allowed to treat as evidence.

8
00:00:20,520 --> 00:00:25,000
This episode maps context as architecture, memory, state, learning, and control.

9
00:00:25,000 --> 00:00:26,240
Once you see that substrate,

10
00:00:26,240 --> 00:00:31,200
co-pilot stops looking random and starts behaving exactly like the environment you built for it.

11
00:00:31,200 --> 00:00:34,560
The foundational misunderstanding, co-pilot isn't the system.

12
00:00:34,560 --> 00:00:38,960
The foundational mistake is treating Microsoft 365 co-pilot as the system.

13
00:00:38,960 --> 00:00:41,160
It isn't co-pilot is an interaction surface,

14
00:00:41,160 --> 00:00:43,400
a very expensive, very persuasive surface.

15
00:00:43,400 --> 00:00:45,320
But the real system is your tenant.

16
00:00:45,320 --> 00:00:47,120
The identity model, the permission graph,

17
00:00:47,120 --> 00:00:49,360
the documents brawl, the metadata discipline,

18
00:00:49,360 --> 00:00:50,920
the lifecycle policies,

19
00:00:50,920 --> 00:00:54,600
and the connectors you've allowed to exist with no consistent ownership.

20
00:00:54,600 --> 00:00:58,240
Co-pilot doesn't create order. It consumes whatever order you already have.

21
00:00:58,240 --> 00:00:59,720
And if what you have is entropy,

22
00:00:59,720 --> 00:01:02,840
co-pilot operationalizes entropy at conversational speed.

23
00:01:02,840 --> 00:01:06,600
That distinction matters because leadership experiences co-pilot as random.

24
00:01:06,600 --> 00:01:09,360
They ask for an answer and they get something that sounds plausible,

25
00:01:09,360 --> 00:01:12,360
sometimes accurate, sometimes irrelevant, occasionally dangerous.

26
00:01:12,360 --> 00:01:16,440
Then everyone debates whether the AI is ready or whether they need better prompts.

27
00:01:16,440 --> 00:01:19,560
Meanwhile, the underlying reality stays untouched.

28
00:01:19,560 --> 00:01:24,800
The organization is running a probabilistic decision engine on top of a messy evidence substrate.

29
00:01:24,800 --> 00:01:26,240
Here's the uncomfortable truth.

30
00:01:26,240 --> 00:01:28,560
Generative AI isn't deterministic.

31
00:01:28,560 --> 00:01:30,000
It doesn't execute a rule set.

32
00:01:30,000 --> 00:01:33,240
It generates a best-fit response to the context window it's given.

33
00:01:33,240 --> 00:01:38,000
Using patterns learned from training and whatever enterprise data retrieval supplied at runtime.

34
00:01:38,000 --> 00:01:40,400
When that retrieval brings back conflicting documents,

35
00:01:40,400 --> 00:01:42,880
outdated procedures or half-permission fragments,

36
00:01:42,880 --> 00:01:45,000
the model doesn't refuse out of professional ethics.

37
00:01:45,000 --> 00:01:47,600
It blends, it averages, it fills gaps.

38
00:01:47,600 --> 00:01:49,760
That's not a bug, that's how the mechanism works.

39
00:01:49,760 --> 00:01:52,920
So when executives say, it feels like it makes things up.

40
00:01:52,920 --> 00:01:57,720
What they're noticing is the collision between deterministic intent and probabilistic generation.

41
00:01:57,720 --> 00:02:02,000
Enterprises are built on intent, approval chains, segregation of duties,

42
00:02:02,000 --> 00:02:04,040
policy statements, audit requirements.

43
00:02:04,040 --> 00:02:08,360
Co-pilot is built on likelihood, which next token best fits the prompt,

44
00:02:08,360 --> 00:02:09,760
plus the retrieved context.

45
00:02:09,760 --> 00:02:13,200
You can't manage that mismatch with training sessions and prompt libraries.

46
00:02:13,200 --> 00:02:15,880
You manage it by engineering the context substrate,

47
00:02:15,880 --> 00:02:19,440
so the model's probability space collapses toward your actual truth.

48
00:02:19,440 --> 00:02:22,040
Most feature-led rollouts fail for a simple reason.

49
00:02:22,040 --> 00:02:24,080
They don't enforce design assumptions.

50
00:02:24,080 --> 00:02:27,440
Co-pilot gets deployed like a productivity feature, licenses assigned,

51
00:02:27,440 --> 00:02:29,960
a few champions trained, a dashboard watched,

52
00:02:29,960 --> 00:02:32,960
and none of the architecture that governs context gets corrected.

53
00:02:32,960 --> 00:02:34,920
SharePoint inheritance remains broken,

54
00:02:34,920 --> 00:02:38,240
sites remain overshared, sensitivity labels remain inconsistent,

55
00:02:38,240 --> 00:02:40,920
teams chats remain the de facto system of record,

56
00:02:40,920 --> 00:02:43,640
a dozen final V7 documents remain authoritative

57
00:02:43,640 --> 00:02:46,200
because nobody has the political energy to delete them.

58
00:02:46,200 --> 00:02:50,760
Then co-pilot gets blame for being inconsistent when it's faithfully reflecting inconsistent context.

59
00:02:50,760 --> 00:02:54,600
This is why the co-pilot is the strategy narrative collapses at scale.

60
00:02:54,600 --> 00:02:55,800
You can't scale a surface.

61
00:02:55,800 --> 00:02:57,640
You can only scale the system underneath it,

62
00:02:57,640 --> 00:02:59,360
and that system behaves like capital.

63
00:02:59,360 --> 00:03:00,960
Context is enterprise capital.

64
00:03:00,960 --> 00:03:01,840
It compounds.

65
00:03:01,840 --> 00:03:04,800
When context is structured, fresh, and permission correct,

66
00:03:04,800 --> 00:03:08,600
every workflow built on top of it gets cheaper, faster, and more reliable over time.

67
00:03:08,600 --> 00:03:09,760
Retrieval gets cleaner.

68
00:03:09,760 --> 00:03:11,080
Answers get grounded.

69
00:03:11,080 --> 00:03:15,600
Agents become viable because they can see state evidence and constraints without guessing.

70
00:03:15,600 --> 00:03:18,760
You stop paying people to re-litigate decisions that already happened.

71
00:03:18,760 --> 00:03:19,800
That's compounding.

72
00:03:19,800 --> 00:03:20,640
Return.

73
00:03:20,640 --> 00:03:22,880
When context is sloppy, context also compounds.

74
00:03:22,880 --> 00:03:25,080
Just in the other direction, you get context rot.

75
00:03:25,080 --> 00:03:26,000
You get permission drift.

76
00:03:26,000 --> 00:03:27,960
You get more duplicated sources of truth.

77
00:03:27,960 --> 00:03:30,600
You get more exceptions, entropy generators,

78
00:03:30,600 --> 00:03:32,400
because people can't find what they need.

79
00:03:32,400 --> 00:03:37,080
So they recreated, and now co-pilot amplifies the rot because its surfaces and recombines it.

80
00:03:37,080 --> 00:03:42,040
You've built an engine that accelerates your existing documentation debt into operational debt.

81
00:03:42,040 --> 00:03:45,680
If this sounds abstract, translate it into a simple system law.

82
00:03:45,680 --> 00:03:50,000
Co-pilot cannot be more reliable than the context boundary it operates inside.

83
00:03:50,000 --> 00:03:53,800
So the only responsible way to talk about high-performance autonomy is to stop asking whether

84
00:03:53,800 --> 00:03:57,720
co-pilot is smart and start asking what substrate you've built for it to reason over.

85
00:03:57,720 --> 00:03:59,000
What does it treat as memory?

86
00:03:59,000 --> 00:04:00,440
What does it treat as current state?

87
00:04:00,440 --> 00:04:01,800
What does it treat as evidence?

88
00:04:01,800 --> 00:04:03,160
What does it treat as policy?

89
00:04:03,160 --> 00:04:04,880
And what does it do when those are missing?

90
00:04:04,880 --> 00:04:07,040
In other words, what is the underlying engine?

91
00:04:07,040 --> 00:04:11,760
Because once co-pilot becomes the default interface for work, chat, documents, meetings,

92
00:04:11,760 --> 00:04:15,400
analytics, the tenant becomes an authorization and context compiler.

93
00:04:15,400 --> 00:04:19,400
It continuously decides what a given user at a given moment is allowed to see and which

94
00:04:19,400 --> 00:04:22,680
artifacts are eligible to influence the next answer or action.

95
00:04:22,680 --> 00:04:24,800
That's the real platform, not the UI.

96
00:04:24,800 --> 00:04:27,440
And if you don't deliberately design that platform, you still get one.

97
00:04:27,440 --> 00:04:32,000
You just get it by accident assembled from years of drift exceptions and unchecked sharing.

98
00:04:32,000 --> 00:04:37,080
So the conversation shifts, not how do we prompt better instead, how do we architect context

99
00:04:37,080 --> 00:04:39,440
so the system can't plausibly be wrong?

100
00:04:39,440 --> 00:04:43,160
That's where this episode goes next, defining context like an architect would so you can actually

101
00:04:43,160 --> 00:04:47,600
build it, govern it and stop mistaking surface polish for system integrity.

102
00:04:47,600 --> 00:04:49,680
Context defined like an architect would.

103
00:04:49,680 --> 00:04:51,960
Context is one of those words that gets used like perfume.

104
00:04:51,960 --> 00:04:52,960
Everybody likes the idea.

105
00:04:52,960 --> 00:04:53,960
Nobody can measure it.

106
00:04:53,960 --> 00:04:56,240
And because nobody can measure it, nobody can govern it.

107
00:04:56,240 --> 00:04:58,560
So define it in architectural terms.

108
00:04:58,560 --> 00:05:01,880
Context is the minimal set of signals required to make a decision correctly.

109
00:05:01,880 --> 00:05:06,560
And the organization rules at a specific moment in time, not all the data, not whatever the

110
00:05:06,560 --> 00:05:12,400
user pays it into chat, not everything the tenant can search minimal required correct time

111
00:05:12,400 --> 00:05:13,400
bound.

112
00:05:13,400 --> 00:05:17,080
That definition forces discipline because it immediately raises the real question, what

113
00:05:17,080 --> 00:05:20,400
signals count and who is accountable for their integrity.

114
00:05:20,400 --> 00:05:23,240
In this ecosystem, context is an engineered bundle.

115
00:05:23,240 --> 00:05:28,920
It's identity plus permissions plus relationships plus state plus evidence plus freshness.

116
00:05:28,920 --> 00:05:32,640
You've any one of those and you don't get slightly worse answers.

117
00:05:32,640 --> 00:05:34,200
You get a different system.

118
00:05:34,200 --> 00:05:38,680
Identity means who is asking in what role under what device in session conditions.

119
00:05:38,680 --> 00:05:40,920
In entra terms, that's not just a user object.

120
00:05:40,920 --> 00:05:45,560
It's the authentication event, the token, the conditional access posture, the group memberships

121
00:05:45,560 --> 00:05:50,240
that haven't drifted and the entitlements that were supposed to expire, but never did.

122
00:05:50,240 --> 00:05:52,920
Permissions means what that identity can actually see.

123
00:05:52,920 --> 00:05:56,600
And more importantly, what the system believes it can see because copilot doesn't negotiate

124
00:05:56,600 --> 00:05:57,600
permissions.

125
00:05:57,600 --> 00:05:58,600
It inherits them.

126
00:05:58,600 --> 00:06:01,560
The mission model is sloppy, the AI doesn't become helpful.

127
00:06:01,560 --> 00:06:04,720
It becomes an oversharing assistant with perfect confidence.

128
00:06:04,720 --> 00:06:08,960
Relationships means the graph of work who works with whom, on what and how recently.

129
00:06:08,960 --> 00:06:11,080
This is the piece enterprises keep ignoring.

130
00:06:11,080 --> 00:06:14,040
They treat relationships as nice to have personalization.

131
00:06:14,040 --> 00:06:16,760
In reality, relationships are relevance rooting.

132
00:06:16,760 --> 00:06:20,280
They tell the system which documents are likely to matter which meetings were decision

133
00:06:20,280 --> 00:06:23,000
points and which people are authority sources.

134
00:06:23,000 --> 00:06:25,080
State means what is happening right now.

135
00:06:25,080 --> 00:06:26,720
Not what happened last quarter.

136
00:06:26,720 --> 00:06:28,200
Not what's in a PDF.

137
00:06:28,200 --> 00:06:30,160
Not what someone promised in a team's chat.

138
00:06:30,160 --> 00:06:31,160
Current ownership.

139
00:06:31,160 --> 00:06:32,160
Current status.

140
00:06:32,160 --> 00:06:33,160
Current exceptions.

141
00:06:33,160 --> 00:06:37,560
If state isn't explicit, the system will reconstruct it from artifacts and it will reconstruct

142
00:06:37,560 --> 00:06:38,560
it badly.

143
00:06:38,560 --> 00:06:41,640
Evidence means the source is eligible to influence the output.

144
00:06:41,640 --> 00:06:44,880
A document isn't evidence just because it exists in SharePoint.

145
00:06:44,880 --> 00:06:45,880
Evidence has lineage.

146
00:06:45,880 --> 00:06:46,880
It has an owner.

147
00:06:46,880 --> 00:06:47,880
It has a version.

148
00:06:47,880 --> 00:06:50,640
It has a reason it should be trusted over the other six documents that say something similar

149
00:06:50,640 --> 00:06:51,640
but not identical.

150
00:06:51,640 --> 00:06:55,080
Freshness means the time boundary where truth expires.

151
00:06:55,080 --> 00:06:58,360
A policy written two years ago might still be binding or it might be dead.

152
00:06:58,360 --> 00:07:01,960
A procedure from last month might be wrong because the tool changed last week without

153
00:07:01,960 --> 00:07:04,520
freshness context becomes archaeology.

154
00:07:04,520 --> 00:07:07,480
Now draw the line that most organizations refuse to draw.

155
00:07:07,480 --> 00:07:08,760
Data is not context.

156
00:07:08,760 --> 00:07:10,200
Data is raw material.

157
00:07:10,200 --> 00:07:14,400
Context is curated, permission correct, relationship aware, time valid material, assembled

158
00:07:14,400 --> 00:07:15,400
for a decision.

159
00:07:15,400 --> 00:07:19,080
If you feed raw data to an AI and call it context, you'll get outputs that sound plausible

160
00:07:19,080 --> 00:07:20,080
and fail audits.

161
00:07:20,080 --> 00:07:23,040
This is where context windows and relevance windows show up.

162
00:07:23,040 --> 00:07:27,240
The context window is the technical boundary, what the model can see in the prompt plus

163
00:07:27,240 --> 00:07:28,240
retrieved content.

164
00:07:28,240 --> 00:07:31,560
The relevance window is the governance boundary, what the system is allowed to consider

165
00:07:31,560 --> 00:07:32,560
for this decision.

166
00:07:32,560 --> 00:07:33,560
Those are not the same thing.

167
00:07:33,560 --> 00:07:36,880
You can technically retrieve a thousand chunks of text that does not mean a thousand

168
00:07:36,880 --> 00:07:38,120
chunks are eligible.

169
00:07:38,120 --> 00:07:39,840
Bigger context is not better context.

170
00:07:39,840 --> 00:07:44,120
Bigger context is how you dilute signal, increase hallucination probability and create

171
00:07:44,120 --> 00:07:45,840
the worst kind of failure.

172
00:07:45,840 --> 00:07:49,920
Answers that look grounded because they cite something but the something is irrelevant

173
00:07:49,920 --> 00:07:50,920
or outdated.

174
00:07:50,920 --> 00:07:55,520
So measure context quality like an architect measures any substrate.

175
00:07:55,520 --> 00:07:59,400
Authority does this come from the system of record or from a random copy someone saved

176
00:07:59,400 --> 00:08:01,640
to their desktop and uploaded.

177
00:08:01,640 --> 00:08:05,560
Specificity is this the actual procedure for this business unit or a generic guideline

178
00:08:05,560 --> 00:08:07,240
that was never enforceable?

179
00:08:07,240 --> 00:08:08,240
Timeliness.

180
00:08:08,240 --> 00:08:10,960
Is this still true today in this tenant with today's controls?

181
00:08:10,960 --> 00:08:11,960
Permission correctness.

182
00:08:11,960 --> 00:08:15,880
Is the system allowed to use it for this user for this purpose right now?

183
00:08:15,880 --> 00:08:18,040
And here's the subtle one, consistency.

184
00:08:18,040 --> 00:08:22,240
If two sources disagree, your system has a decision problem, not an AI problem.

185
00:08:22,240 --> 00:08:25,800
Either you define precedence or the model will average the conflict into something that

186
00:08:25,800 --> 00:08:26,800
never existed.

187
00:08:26,800 --> 00:08:30,480
Once context is defined this way, copilot's behavior stops being mysterious.

188
00:08:30,480 --> 00:08:33,560
It becomes a deterministic response to a probabilistic input set.

189
00:08:33,560 --> 00:08:38,720
And if the input set is noisy, stale or permission chaotic, you didn't deploy intelligence.

190
00:08:38,720 --> 00:08:41,440
You deployed a narrative generator attached to your org chart.

191
00:08:41,440 --> 00:08:43,560
This is also why agente workflows break first.

192
00:08:43,560 --> 00:08:44,880
Agents don't just answer.

193
00:08:44,880 --> 00:08:48,000
They choose tools, take actions and update state.

194
00:08:48,000 --> 00:08:50,360
That means their context isn't only what should I say.

195
00:08:50,360 --> 00:08:54,600
It's what is true, what is allowed, what is relevant and what happens next if I'm wrong.

196
00:08:54,600 --> 00:08:58,240
If you don't engineer context with those constraints, autonomy doesn't emerge.

197
00:08:58,240 --> 00:08:59,440
It degrades.

198
00:08:59,440 --> 00:09:00,920
And it degrades fast.

199
00:09:00,920 --> 00:09:02,560
Why agents fail first?

200
00:09:02,560 --> 00:09:05,280
Non-determinism meets enterprise entropy.

201
00:09:05,280 --> 00:09:08,280
Agents fail first because they turn ambiguity into motion.

202
00:09:08,280 --> 00:09:11,200
A chat answer can be wrong and still get politely ignored.

203
00:09:11,200 --> 00:09:15,400
Then agent can be wrong and still create tickets, send mail, change records, provision access

204
00:09:15,400 --> 00:09:18,440
or escalate to the wrong person with the wrong evidence attached.

205
00:09:18,440 --> 00:09:21,400
The enterprise doesn't experience that as AI being fuzzy.

206
00:09:21,400 --> 00:09:25,520
It experiences it as operational damage with a natural language explanation.

207
00:09:25,520 --> 00:09:28,080
That's the difference between generation and autonomy.

208
00:09:28,080 --> 00:09:31,320
Non-determinism is tolerable when the system only talks.

209
00:09:31,320 --> 00:09:33,680
It becomes unacceptable when the system acts.

210
00:09:33,680 --> 00:09:37,400
An enterprise environments are engineered to produce ambiguity at scale.

211
00:09:37,400 --> 00:09:40,880
Not because people are careless, but because the platform rewards exceptions.

212
00:09:40,880 --> 00:09:43,640
Every time a team can't find the right policy, it writes a new one.

213
00:09:43,640 --> 00:09:47,840
Every time a workflow doesn't fit the tool, someone creates a side channel in teams.

214
00:09:47,840 --> 00:09:52,760
Every time permissions are too strict, access gets broadened, temporarily and never tightened.

215
00:09:52,760 --> 00:09:55,880
Over time these pathways accumulate, agents don't solve that.

216
00:09:55,880 --> 00:09:57,680
Agents amplify it.

217
00:09:57,680 --> 00:09:59,200
Here's what most people miss.

218
00:09:59,200 --> 00:10:01,520
Agents don't just need context to answer questions.

219
00:10:01,520 --> 00:10:03,360
They need context to choose the next step.

220
00:10:03,360 --> 00:10:07,800
Two selection, scope selection, escalation selection and stopping conditions.

221
00:10:07,800 --> 00:10:10,960
If any of those are underspecified, the agent will still move forward because its core

222
00:10:10,960 --> 00:10:12,120
function is completion.

223
00:10:12,120 --> 00:10:15,840
It optimizes for finish the task inside the constraints it can see.

224
00:10:15,840 --> 00:10:20,040
When the constraints are missing, it manufactures constraints out of whatever it retrieved.

225
00:10:20,040 --> 00:10:22,600
That's where entropy wins.

226
00:10:22,600 --> 00:10:26,160
In practical terms, the first failure mode is wrong tool choice.

227
00:10:26,160 --> 00:10:28,720
The agent sees three pathways.

228
00:10:28,720 --> 00:10:33,320
Update a dataverse record, send an email or open a service now ticket through a connector.

229
00:10:33,320 --> 00:10:38,400
The tenant has no explicit policy that says, "Incidents of type X must go to system Y and only

230
00:10:38,400 --> 00:10:40,200
after evidence Z is attached."

231
00:10:40,200 --> 00:10:44,360
So the agent picks the tool that looks semantically compatible with the prompt and the retrieved

232
00:10:44,360 --> 00:10:45,360
artifacts.

233
00:10:45,360 --> 00:10:46,760
That's not intelligence.

234
00:10:46,760 --> 00:10:49,680
That's pattern matching under incomplete specification.

235
00:10:49,680 --> 00:10:51,440
The second failure mode is wrong scope.

236
00:10:51,440 --> 00:10:54,280
This one is more dangerous because it looks like competence.

237
00:10:54,280 --> 00:10:57,360
The agent gets asked clean up stale vendor records.

238
00:10:57,360 --> 00:11:00,400
It retrieves the procurement SOP that uses the word stale.

239
00:11:00,400 --> 00:11:02,400
But it doesn't define what stale means.

240
00:11:02,400 --> 00:11:05,960
Last transaction date, contract end date, risk rating or compliance status.

241
00:11:05,960 --> 00:11:08,360
So the agent applies an implicit definition.

242
00:11:08,360 --> 00:11:12,520
When it acts across a data set, larger than anyone expected because nothing in the context

243
00:11:12,520 --> 00:11:14,360
boundary told it where to stop.

244
00:11:14,360 --> 00:11:17,320
This is how you get irreversible work from reversible language.

245
00:11:17,320 --> 00:11:19,720
The third failure mode is wrong escalation.

246
00:11:19,720 --> 00:11:23,000
In a healthy enterprise, escalation is deterministic.

247
00:11:23,000 --> 00:11:24,160
Ownership is known.

248
00:11:24,160 --> 00:11:27,320
Deputies are defined and exceptions root to named roles.

249
00:11:27,320 --> 00:11:30,000
In most enterprises, escalation is social.

250
00:11:30,000 --> 00:11:32,080
Ask the person who usually knows.

251
00:11:32,080 --> 00:11:34,600
Graph relationships can help, but only if you let them.

252
00:11:34,600 --> 00:11:39,680
If you don't model ownership and decision rights, the agent escalates to whoever appears relevant.

253
00:11:39,680 --> 00:11:41,840
Often the loudest signal, not the correct authority.

254
00:11:41,840 --> 00:11:44,480
And then there's the failure that governance teams hate most.

255
00:11:44,480 --> 00:11:46,080
Hallucination driven decisions.

256
00:11:46,080 --> 00:11:47,960
This is not the model inventing trivia.

257
00:11:47,960 --> 00:11:52,520
This is the system taking action based on plausible synthesis when evidence is incomplete.

258
00:11:52,520 --> 00:11:57,400
An agent can cite a policy that exists, apply it to a context where it doesn't, and generate

259
00:11:57,400 --> 00:12:01,800
a recommendation that looks ordered friendly because it contains words like per procedure

260
00:12:01,800 --> 00:12:04,040
and aligned to policy.

261
00:12:04,040 --> 00:12:06,320
Auditors can't audit vibes.

262
00:12:06,320 --> 00:12:10,520
Auditors ask what evidence drove the decision, who approved it, and what controls prevented

263
00:12:10,520 --> 00:12:12,480
the wrong evidence from being used.

264
00:12:12,480 --> 00:12:16,600
If your agent's evidence is a blended summary of five half related documents and a meeting

265
00:12:16,600 --> 00:12:19,400
transcript from last year, you don't have automation.

266
00:12:19,400 --> 00:12:22,120
You have a liability generator with a friendly tone.

267
00:12:22,120 --> 00:12:26,800
So the principle becomes blunt, autonomy requires context discipline, not optimism.

268
00:12:26,800 --> 00:12:30,960
If a workflow cannot state its evidence standards, its scope boundaries, its stopping conditions

269
00:12:30,960 --> 00:12:33,920
and its escalation rules, it is not ready for agents.

270
00:12:33,920 --> 00:12:38,080
Not because the agent is weak, because the enterprise hasn't defined the decision model the

271
00:12:38,080 --> 00:12:39,840
agent is supposed to obey.

272
00:12:39,840 --> 00:12:43,960
This is also why agent pilots look good in demos and fail in production.

273
00:12:43,960 --> 00:12:47,480
Demo's are clean, the dataset is curated, the permission model is simplified, the workflow

274
00:12:47,480 --> 00:12:51,040
has an implied owner who happens to be in the room.

275
00:12:51,040 --> 00:12:56,640
Production is adversarial by default, stale docs, conflicting versions, inherited access,

276
00:12:56,640 --> 00:13:01,320
and people who will absolutely ask the agent to do something the policy never anticipated.

277
00:13:01,320 --> 00:13:03,400
Agents don't break because they're immature.

278
00:13:03,400 --> 00:13:07,400
They break because the enterprise context substrate is and that brings the conversation to the

279
00:13:07,400 --> 00:13:09,120
practical architecture question.

280
00:13:09,120 --> 00:13:13,480
If agents need disciplined context to act safely, where does that discipline live?

281
00:13:13,480 --> 00:13:17,480
What is the enterprise mechanism that turns scattered work into structured memory?

282
00:13:17,480 --> 00:13:18,640
That's the next layer.

283
00:13:18,640 --> 00:13:21,680
Graph as organizational memory, not plumbing.

284
00:13:21,680 --> 00:13:24,040
Graph as organizational memory, not plumbing.

285
00:13:24,040 --> 00:13:28,360
Most enterprises already own the hardest part of AI context and they still manage to waste

286
00:13:28,360 --> 00:13:29,360
it.

287
00:13:29,360 --> 00:13:30,840
Microsoft Graph is not a set of APIs.

288
00:13:30,840 --> 00:13:36,000
It is not integration plumbing, architecturally, it's the closest thing Microsoft 365 has

289
00:13:36,000 --> 00:13:38,120
to an organizational nervous system.

290
00:13:38,120 --> 00:13:42,880
A living map of people, artifacts, interactions, and the signals that connect them.

291
00:13:42,880 --> 00:13:46,920
That distinction matters because memory in an enterprise isn't where files live, memory

292
00:13:46,920 --> 00:13:50,400
is how the organization refines the truth it already produced.

293
00:13:50,400 --> 00:13:54,400
Graph captures relationships that normal storage can't, who met what they referenced, who

294
00:13:54,400 --> 00:13:59,320
edited what, which threaded decision came from, which people consistently co-author, and

295
00:13:59,320 --> 00:14:03,280
which documents cluster around a project even when nobody bothered to name them well.

296
00:14:03,280 --> 00:14:06,440
Its relational intelligence and relational intelligence is what makes retrieval feel

297
00:14:06,440 --> 00:14:09,320
like understanding instead of scavenger hunting.

298
00:14:09,320 --> 00:14:13,080
Most organizations treat retrieval like keyword search with better marketing.

299
00:14:13,080 --> 00:14:15,200
That's why co-pilot feels random.

300
00:14:15,200 --> 00:14:18,400
The system can only retrieve what the organization made retrievable.

301
00:14:18,400 --> 00:14:22,800
And in a tenant with SharePoint sprawl teams as a shadow record system and naming conventions

302
00:14:22,800 --> 00:14:26,760
that died in 2019, keyword search becomes an archaeology exercise.

303
00:14:26,760 --> 00:14:30,600
Graph changes that, but only if you treat it as memory, not as a connector framework.

304
00:14:30,600 --> 00:14:32,080
Here's the simple version.

305
00:14:32,080 --> 00:14:33,840
Storage holds objects.

306
00:14:33,840 --> 00:14:34,840
Memory holds meaning.

307
00:14:34,840 --> 00:14:36,360
A document library is storage.

308
00:14:36,360 --> 00:14:40,960
It doesn't know why a file mattered, who trusted it, or which meeting made it binding.

309
00:14:40,960 --> 00:14:44,040
Graph at least conceptually can infer those things through connections.

310
00:14:44,040 --> 00:14:45,600
The meeting where it was discussed.

311
00:14:45,600 --> 00:14:47,040
The people who referenced it.

312
00:14:47,040 --> 00:14:49,200
The tasks that got created after it.

313
00:14:49,200 --> 00:14:53,520
The email thread that escalated because it contradicted another artifact.

314
00:14:53,520 --> 00:14:56,800
That's why co-pilot consumes relational intelligence isn't a slogan.

315
00:14:56,800 --> 00:14:58,640
It's the actual dependency chain.

316
00:14:58,640 --> 00:15:02,960
When co-pilot produces a summary that looks like it understands the politics of a decision,

317
00:15:02,960 --> 00:15:03,960
it's not psychic.

318
00:15:03,960 --> 00:15:08,160
It's using the tenant's relationship signals to decide what evidence is likely to matter

319
00:15:08,160 --> 00:15:10,480
to this user in this moment for this work stream.

320
00:15:10,480 --> 00:15:13,320
But enterprises rarely engineer that layer deliberately.

321
00:15:13,320 --> 00:15:17,800
They let it emerge accidentally from behavior, which means it inherits the same biases and

322
00:15:17,800 --> 00:15:19,280
gaps as the behavior.

323
00:15:19,280 --> 00:15:21,960
The loudest teams create the most artifacts.

324
00:15:21,960 --> 00:15:25,080
The most permissive sites generate the most accessible signals.

325
00:15:25,080 --> 00:15:29,920
The people who refuse to document decisions force the system to reconstruct them from fragments.

326
00:15:29,920 --> 00:15:34,080
Graph becomes a mirror of organizational habits and mirrors aren't governance.

327
00:15:34,080 --> 00:15:37,880
So the question becomes what does it mean to engineer graph as organizational memory?

328
00:15:37,880 --> 00:15:41,560
It means you stop treating graph as an output and start treating it as a design input.

329
00:15:41,560 --> 00:15:45,240
You decide which work products are authoritative and make them easy to identify.

330
00:15:45,240 --> 00:15:49,160
Not by telling people to be disciplined, but by structuring where decisions land.

331
00:15:49,160 --> 00:15:52,600
You decide which meetings are decision points and ensure transcripts and artifacts are

332
00:15:52,600 --> 00:15:55,120
stored in predictable locations with predictable access.

333
00:15:55,120 --> 00:15:58,880
You decide which conversations are ephemeral and which are records.

334
00:15:58,880 --> 00:16:03,080
And you create the conditions where the relational signals are high quality because graph doesn't

335
00:16:03,080 --> 00:16:04,080
create meaning.

336
00:16:04,080 --> 00:16:07,000
It indexes the trail your organization leaves.

337
00:16:07,000 --> 00:16:10,240
If the trail is incoherent, memory retrieval becomes probabilistic.

338
00:16:10,240 --> 00:16:13,120
If the trail is coherent, memory retrieval becomes repeatable.

339
00:16:13,120 --> 00:16:14,760
That's the entire autonomy game.

340
00:16:14,760 --> 00:16:18,720
This is also where organizational memory stops being a soft concept and becomes an

341
00:16:18,720 --> 00:16:20,240
operational one.

342
00:16:20,240 --> 00:16:24,280
In a high performance enterprise, the system can answer what was decided when by whom with

343
00:16:24,280 --> 00:16:28,840
what evidence and what changed since then, not because someone wrote a perfect document,

344
00:16:28,840 --> 00:16:32,800
because the architecture made it easier to produce structured traces than to produce chaos.

345
00:16:32,800 --> 00:16:34,440
Now connect this back to agents.

346
00:16:34,440 --> 00:16:36,680
Agents don't just need the latest document.

347
00:16:36,680 --> 00:16:37,960
They need the work graph.

348
00:16:37,960 --> 00:16:41,520
The relationships that indicate which sources are binding, which are drafts, which are

349
00:16:41,520 --> 00:16:45,360
stale and which are politically sensitive but operationally critical.

350
00:16:45,360 --> 00:16:49,240
They need to know the difference between a random file that matches a query and the file

351
00:16:49,240 --> 00:16:53,360
that drove the last two escalations and got referenced in the quarterly review.

352
00:16:53,360 --> 00:16:56,600
That's why graph as memory is the substrate for autonomy.

353
00:16:56,600 --> 00:16:57,600
But here's the catch.

354
00:16:57,600 --> 00:16:59,360
Memory is useless if it can't be trusted.

355
00:16:59,360 --> 00:17:02,800
And in Microsoft 365, trust collapses the moment permissions drift.

356
00:17:02,800 --> 00:17:06,920
If the system can retrieve the right artifact but expose it to the wrong identity, you don't

357
00:17:06,920 --> 00:17:07,920
have intelligence.

358
00:17:07,920 --> 00:17:09,240
You have automated disclosure.

359
00:17:09,240 --> 00:17:13,360
So the next layer is the one everyone postpones until it becomes a headline.

360
00:17:13,360 --> 00:17:15,280
Permissions are the context compiler.

361
00:17:15,280 --> 00:17:21,200
Most organizations talk about permissions like they're a compliance chore, a checkbox, a

362
00:17:21,200 --> 00:17:24,200
quarterly attestation exercise that nobody believes in.

363
00:17:24,200 --> 00:17:26,800
In reality, permissions are the context compiler.

364
00:17:26,800 --> 00:17:31,000
They decide what evidence is even eligible to exist inside the AI's world for a given

365
00:17:31,000 --> 00:17:32,440
user and a given workflow.

366
00:17:32,440 --> 00:17:34,680
That means permissions don't just control access.

367
00:17:34,680 --> 00:17:35,720
They shape intelligence.

368
00:17:35,720 --> 00:17:40,680
They determine whether co-pilot and agents operate on signal or noise, on truth or on accidental

369
00:17:40,680 --> 00:17:41,680
exposure.

370
00:17:41,680 --> 00:17:43,200
And co-pilot doesn't fix your permissions.

371
00:17:43,200 --> 00:17:45,160
It industrializes them.

372
00:17:45,160 --> 00:17:47,680
This is the part executives miss when they ask.

373
00:17:47,680 --> 00:17:49,520
Why did co-pilot show me that?

374
00:17:49,520 --> 00:17:50,880
Co-pilot didn't show anything.

375
00:17:50,880 --> 00:17:53,720
It retrieved content the user could already access then summarized it.

376
00:17:53,720 --> 00:17:56,160
The system followed the rules you already deployed.

377
00:17:56,160 --> 00:18:00,240
If those rules are wrong, the AI becomes a high speed amplifier for a decade of casual

378
00:18:00,240 --> 00:18:01,320
sharing.

379
00:18:01,320 --> 00:18:05,200
Over permissioning creates AI-powered oversharing.

380
00:18:05,200 --> 00:18:07,880
Under permissioning creates AI mediocrity.

381
00:18:07,880 --> 00:18:12,040
And both look like co-pilot quality issues, which is convenient because it lets the

382
00:18:12,040 --> 00:18:14,640
organization avoid the real discussion.

383
00:18:14,640 --> 00:18:17,480
The permission model is not an administrative detail.

384
00:18:17,480 --> 00:18:21,440
It's the boundary of what the organization is willing to let the system treat as truth

385
00:18:21,440 --> 00:18:22,440
for that identity.

386
00:18:22,440 --> 00:18:24,280
Here's the uncomfortable truth.

387
00:18:24,280 --> 00:18:26,880
Most tenants run on permission folklore.

388
00:18:26,880 --> 00:18:29,720
People assume SharePoint inheritance works the way they think it does.

389
00:18:29,720 --> 00:18:33,160
They assume private channel means private in all the ways that matter.

390
00:18:33,160 --> 00:18:36,160
They assume that the folder called HR has HR permissions.

391
00:18:36,160 --> 00:18:39,920
They assume that external sharing was turned off in the places where it should be.

392
00:18:39,920 --> 00:18:43,360
They assume the access review they did last year is still meaningful.

393
00:18:43,360 --> 00:18:45,360
Those assumptions decay.

394
00:18:45,360 --> 00:18:46,360
Always.

395
00:18:46,360 --> 00:18:48,880
Permissions drift because organizations drift.

396
00:18:48,880 --> 00:18:50,200
Re-organizations.

397
00:18:50,200 --> 00:18:51,200
Roll changes.

398
00:18:51,200 --> 00:18:53,560
Projects that end but never get archived.

399
00:18:53,560 --> 00:18:57,560
Guest accounts that outlive the vendor contract and the classic entropy generator.

400
00:18:57,560 --> 00:18:59,720
Someone says, "Just add everyone for now.

401
00:18:59,720 --> 00:19:01,320
We'll fix it later."

402
00:19:01,320 --> 00:19:02,320
Later never arrives.

403
00:19:02,320 --> 00:19:03,800
It metastasizes into default.

404
00:19:03,800 --> 00:19:05,200
Now put co-pilot on top of that.

405
00:19:05,200 --> 00:19:08,760
You've effectively built a natural language interface to your permission dead.

406
00:19:08,760 --> 00:19:10,000
Not just search.

407
00:19:10,000 --> 00:19:11,000
Synthesis.

408
00:19:11,000 --> 00:19:12,800
Correlation.

409
00:19:12,800 --> 00:19:17,160
The system can stitch together artifacts that were never meant to be read side by side.

410
00:19:17,160 --> 00:19:18,400
A budget dock here.

411
00:19:18,400 --> 00:19:19,760
A strategy deck there.

412
00:19:19,760 --> 00:19:22,360
A meeting transcript that shouldn't have been accessible.

413
00:19:22,360 --> 00:19:25,880
Suddenly the user gets an answer that contains information.

414
00:19:25,880 --> 00:19:28,200
The business never intended to be connected.

415
00:19:28,200 --> 00:19:29,880
Not because co-pilot is malicious.

416
00:19:29,880 --> 00:19:31,480
Because your permissions made it possible.

417
00:19:31,480 --> 00:19:33,960
This is why permission trimming is performance tuning.

418
00:19:33,960 --> 00:19:35,280
Not just risk reduction.

419
00:19:35,280 --> 00:19:38,600
When you reduce overbroad access you don't only shrink blast radius.

420
00:19:38,600 --> 00:19:39,840
You reduce retrieval noise.

421
00:19:39,840 --> 00:19:41,000
You improve groundedness.

422
00:19:41,000 --> 00:19:46,480
You make relevance easier because fewer irrelevant artifacts are even eligible to be retrieved in the first place.

423
00:19:46,480 --> 00:19:49,240
Less eligible context often produces better answers.

424
00:19:49,240 --> 00:19:52,360
That sounds backwards until you remember what the model is doing.

425
00:19:52,360 --> 00:19:55,800
It's trying to construct the best narrative from the evidence it can see.

426
00:19:55,800 --> 00:19:58,960
If you give it a landfill you get landfill adjacent output.

427
00:19:58,960 --> 00:20:03,480
If you give it a curated shelf you get something closer to a decision-grade response.

428
00:20:03,480 --> 00:20:06,080
SharePoints Brawl is the classic failure pattern here.

429
00:20:06,080 --> 00:20:08,360
Sites proliferate faster than ownership models.

430
00:20:08,360 --> 00:20:10,320
Broken inheritance becomes a lifestyle.

431
00:20:10,320 --> 00:20:12,080
Everyone accepts permissions multiply.

432
00:20:12,080 --> 00:20:16,480
Sharing links become the real access model because it's easier than fixing groups.

433
00:20:16,480 --> 00:20:20,760
Teams creates artifacts across chats, channels, meeting recaps and loop components.

434
00:20:20,760 --> 00:20:26,360
And the organization loses any coherent sense of what is authoritative and what is incidental.

435
00:20:26,360 --> 00:20:30,320
Every one of those exceptions is a new compilation pathway for context.

436
00:20:30,320 --> 00:20:31,960
That's what permissions are doing at scale.

437
00:20:31,960 --> 00:20:36,440
Compiling a context boundary from a messy, distributed authorization graph.

438
00:20:36,440 --> 00:20:40,120
And if you don't intentionally constrain that compiler it will compile chaos.

439
00:20:40,120 --> 00:20:42,480
Reliably at machine speed.

440
00:20:42,480 --> 00:20:45,200
This is also why least privilege isn't a moral stance.

441
00:20:45,200 --> 00:20:46,680
It's an autonomy prerequisite.

442
00:20:46,680 --> 00:20:53,080
Agents can't be trusted with broad implicit access because their failure mode isn't, they looked at a file.

443
00:20:53,080 --> 00:20:56,520
Their failure mode is, they incorporate that file into an action chain.

444
00:20:56,520 --> 00:21:01,600
They email, they update records, they generate decisions that get forwarded as if they were vetted.

445
00:21:01,600 --> 00:21:05,680
The permission model becomes the blast radius model for autonomous behavior.

446
00:21:05,680 --> 00:21:08,360
So if you want a high performance autonomous enterprise,

447
00:21:08,360 --> 00:21:11,840
you treat permission architecture as a first class design surface.

448
00:21:11,840 --> 00:21:16,840
Scoped access, explicit ownership, exploration, access reviews that actually revoke

449
00:21:16,840 --> 00:21:20,760
and containers that reflect real work boundaries instead of historical accidents.

450
00:21:20,760 --> 00:21:22,600
And once you do that, something important happens.

451
00:21:22,600 --> 00:21:27,680
You stop conflating prompting with grounding because prompts don't control what the system is allowed to know.

452
00:21:27,680 --> 00:21:28,640
Permissions do.

453
00:21:28,640 --> 00:21:32,960
And the next mistake leadership makes is spending a quarter training people to ask better questions

454
00:21:32,960 --> 00:21:35,680
while the evidence pipeline stays polluted.

455
00:21:35,680 --> 00:21:40,240
So the next layer is the real separation, prompt engineering versus grounding architecture.

456
00:21:40,240 --> 00:21:42,680
Prompt engineering versus grounding architecture.

457
00:21:42,680 --> 00:21:47,400
Prompt engineering is the part everybody can see so it gets all the attention, its language, its training,

458
00:21:47,400 --> 00:21:49,200
it's a worksheet with best prompts.

459
00:21:49,200 --> 00:21:53,000
It's the illusion that if people just ask nicely enough, the system will behave.

460
00:21:53,000 --> 00:21:55,440
That's not how enterprise AI reliability gets built.

461
00:21:55,440 --> 00:21:56,440
A prompt is a request.

462
00:21:56,440 --> 00:22:02,040
Grounding is the evidence pipeline that decides what the system is allowed to treat as truth when it answers that request.

463
00:22:02,040 --> 00:22:06,920
Prompt operate at the interaction layer, grounding operates at the substrate layer and substrate always wins.

464
00:22:06,920 --> 00:22:08,200
Here's what most people miss.

465
00:22:08,200 --> 00:22:10,120
Prompt engineering tries to control the model.

466
00:22:10,120 --> 00:22:12,280
Grounding architecture tries to control the inputs.

467
00:22:12,280 --> 00:22:17,520
Only one of those scales, prompts don't scale because people drift, workflows drift, vocabulary drifts

468
00:22:17,520 --> 00:22:22,000
and the organization never agrees on one canonical way to ask for the same thing.

469
00:22:22,000 --> 00:22:26,440
One person says incident, another says outage, a third says service degradation

470
00:22:26,440 --> 00:22:28,920
and someone in manufacturing says line down.

471
00:22:28,920 --> 00:22:34,160
The prompt library becomes a museum of last quarter's language, grounding doesn't care what word you used.

472
00:22:34,160 --> 00:22:40,120
Grounding cares what evidence is eligible, what scope applies and what the system should do when the evidence doesn't exist.

473
00:22:40,120 --> 00:22:42,080
That's the strategic distinction.

474
00:22:42,080 --> 00:22:45,480
So the question leadership should ask is not, are our users trained?

475
00:22:45,480 --> 00:22:47,880
It's, do we have grounding primitives?

476
00:22:47,880 --> 00:22:52,680
Grounding primitives are the repeatable mechanics that keep outputs bound to enterprise reality.

477
00:22:52,680 --> 00:22:58,000
Authoritative sources, scope retrieval, freshness constraints, permission correct access,

478
00:22:58,000 --> 00:23:02,800
provenance and the harshest but most necessary behavior, citations or silence.

479
00:23:02,800 --> 00:23:07,840
Citations or silence means the system either shows where it got the claim or it refuses to claim.

480
00:23:07,840 --> 00:23:14,400
Not because refusal is polite, because refusal is the only honest output when the evidence substrate is incomplete.

481
00:23:14,400 --> 00:23:17,920
In an enterprise, sounds right is not a valid confidence level.

482
00:23:17,920 --> 00:23:24,920
This also forces a design decision you can't outsource to copilot, which sources are authoritative for which decisions.

483
00:23:24,920 --> 00:23:28,240
A procedure stored in a random team's file tab is not authoritative.

484
00:23:28,240 --> 00:23:31,360
A policy dog with no owner and no review date is not authoritative.

485
00:23:31,360 --> 00:23:36,720
A deck that says draft but is widely shared is not authoritative even if it's socially influential.

486
00:23:36,720 --> 00:23:40,480
Grounding architecture requires the organization to declare precedence.

487
00:23:40,480 --> 00:23:46,720
System of record beats convenience, current version beats nostalgia, controlled container beats, personal archive.

488
00:23:46,720 --> 00:23:53,160
Now connect this back to Microsoft 365, copilot can ground to tenant data but it can't manufacture governance.

489
00:23:53,160 --> 00:23:57,880
It will pull what's accessible and relevant by its retrieval logic and it will do its best.

490
00:23:57,880 --> 00:24:01,800
If you want something better than its best, you engineer the retrieval environment.

491
00:24:01,800 --> 00:24:06,120
That includes permission trimming which you already established as a context compiler problem

492
00:24:06,120 --> 00:24:11,000
but it also includes retrieval scoping, making sure the system doesn't search the whole tenant.

493
00:24:11,000 --> 00:24:17,320
When the decision only needs a specific project space, a specific knowledge base or a specific business unit procedures.

494
00:24:17,320 --> 00:24:22,360
A relevance window is not optional here, it's the cost control and risk control boundary for AI reasoning

495
00:24:22,360 --> 00:24:27,240
because every extra chunk of context you let into the window isn't neutral, it's an entropy injection.

496
00:24:27,240 --> 00:24:35,560
It increases the chance the system will synthesize across conflicting artifacts and it increases the chance it will side something that is technically true and practically wrong.

497
00:24:35,560 --> 00:24:37,080
That's how you get polished nonsense.

498
00:24:37,080 --> 00:24:40,360
The other grounding boundary most organizations ignore is web grounding.

499
00:24:40,360 --> 00:24:45,080
When web grounding is enabled, part of the request can leave the tenant to perform a public search,

500
00:24:45,080 --> 00:24:48,760
then return results for synthesis, that is not enterprise knowledge.

501
00:24:48,760 --> 00:24:54,280
That is public internet retrieval mediated by Bing, treated like you would treat a user typing into a search engine.

502
00:24:54,280 --> 00:24:59,000
If you wouldn't type it into a public search box, you don't send it through web grounded copilot.

503
00:24:59,000 --> 00:25:01,320
That's not paranoia, that's architectural hygiene.

504
00:25:01,320 --> 00:25:05,720
Now if you want one mental model that makes this simple, here it is.

505
00:25:05,720 --> 00:25:08,120
Prompting is steering a conversation.

506
00:25:08,120 --> 00:25:12,200
Grounding is constraining a decision engine, steering fails when the road is missing.

507
00:25:12,200 --> 00:25:14,600
Constraints hold even when the driver improvises.

508
00:25:14,600 --> 00:25:21,400
So when an executive team asks why copilot outputs vary, the honest answer is, because you build a variable evidence substrate.

509
00:25:21,400 --> 00:25:22,760
The cure is not a better prompt.

510
00:25:22,760 --> 00:25:27,400
The cure is an engineered grounding architecture that makes the right evidence easy to retrieve,

511
00:25:27,400 --> 00:25:29,320
and the wrong evidence, ineligible.

512
00:25:29,320 --> 00:25:32,920
And once grounding is treated as architecture, you stop rewarding fluency.

513
00:25:32,920 --> 00:25:37,160
You reward traceability, you reward abstention when the system can't prove its work,

514
00:25:37,160 --> 00:25:41,720
and you start designing the next thing enterprises avoid, an explicit relevance model.

515
00:25:41,720 --> 00:25:45,880
Because grounding without scoping just becomes high speed retrieval of the entire mess.

516
00:25:45,880 --> 00:25:48,200
That's why the next layer is relevance windows.

517
00:25:48,200 --> 00:25:49,720
The discipline nobody budgets for.

518
00:25:49,720 --> 00:25:51,720
Relevance windows.

519
00:25:51,720 --> 00:25:53,880
The discipline nobody budgets for.

520
00:25:53,880 --> 00:25:57,640
Relevance windows are where most copilot and agent strategies quietly die,

521
00:25:57,640 --> 00:26:02,280
because a relevance window forces the enterprise to answer an uncomfortable question.

522
00:26:02,280 --> 00:26:05,240
What information is allowed to influence this decision,

523
00:26:05,240 --> 00:26:09,400
and what information is explicitly disallowed, even if it's technically available.

524
00:26:09,400 --> 00:26:10,600
That distinction matters.

525
00:26:10,600 --> 00:26:13,000
The context window is what the model can ingest.

526
00:26:13,000 --> 00:26:17,240
The relevance window is what the organization authorizes as decision-grade evidence.

527
00:26:17,240 --> 00:26:21,880
If you don't define a relevance window, the system defaults to whatever retrieval can find,

528
00:26:21,880 --> 00:26:26,520
and retrieval left alone optimizes for match, not meaning, not precedence, not safety.

529
00:26:26,520 --> 00:26:29,080
So the simple definition is this.

530
00:26:29,080 --> 00:26:33,480
A relevance window is the bounded set of evidence eligible for a specific workflow

531
00:26:33,480 --> 00:26:36,520
at a specific step, under a specific policy posture.

532
00:26:36,520 --> 00:26:40,360
It's scoping, but with intent, that means you're not just saying search this site,

533
00:26:40,360 --> 00:26:45,160
you're saying for this decision only these sources count, only these versions count,

534
00:26:45,160 --> 00:26:47,240
and only within this time horizon.

535
00:26:47,240 --> 00:26:51,400
Now the part everyone gets wrong, they assume more context increases accuracy.

536
00:26:51,400 --> 00:26:55,400
It doesn't, not in enterprise work, more context increases surface area,

537
00:26:55,400 --> 00:26:58,200
more contradictions, more stale procedures,

538
00:26:58,200 --> 00:27:02,920
more almost right artifacts that pull the model into a blended answer that never existed.

539
00:27:02,920 --> 00:27:05,480
If you want dependable outputs, you don't widen the window,

540
00:27:05,480 --> 00:27:09,080
you tighten it until the remaining evidence is both relevant and authoritative.

541
00:27:09,080 --> 00:27:11,320
This is also where freshness becomes non-negotiable.

542
00:27:11,320 --> 00:27:14,120
A relevance window without freshness is just a curated archive,

543
00:27:14,120 --> 00:27:16,840
and archives are where outdated truth goes to look official.

544
00:27:16,840 --> 00:27:18,680
Enterprises love that, auditors don't.

545
00:27:18,680 --> 00:27:22,840
Freshness is the policy that says this evidence expires,

546
00:27:22,840 --> 00:27:27,160
not because it's old, but because the organization changes faster than documents get revised.

547
00:27:27,160 --> 00:27:31,080
Processes get updated, tools get renamed, regulatory obligations,

548
00:27:31,080 --> 00:27:34,520
shift, the people who own the procedure leave, and the document stays.

549
00:27:34,520 --> 00:27:36,120
Forever, that's context rot.

550
00:27:36,120 --> 00:27:41,000
And context rot is worse than missing context because it produces confident wrongness with citations.

551
00:27:41,000 --> 00:27:43,080
So you need explicit freshness rules,

552
00:27:43,080 --> 00:27:45,000
review dates that actually mean something,

553
00:27:45,000 --> 00:27:48,840
versioning that preserves lineage and deprecation behaviors that make old artifacts

554
00:27:48,840 --> 00:27:50,360
ineligible by default.

555
00:27:50,360 --> 00:27:51,720
Not hidden, ineligible.

556
00:27:51,720 --> 00:27:52,920
Then you hit the next reality,

557
00:27:52,920 --> 00:27:55,560
versioning isn't a document problem, it's a decision problem.

558
00:27:55,560 --> 00:27:59,560
Enterprises routinely keep multiple truths alive because nobody wants to pick the winner.

559
00:27:59,560 --> 00:28:04,680
Drafts get socially adopted, a slide deck becomes policy because it was presented to leadership ones.

560
00:28:04,680 --> 00:28:07,800
A team's message becomes procedure because it got pinned,

561
00:28:07,800 --> 00:28:11,720
and now you have an evidence conflict that the AI will resolve the only way it can.

562
00:28:11,720 --> 00:28:15,320
By synthesizing, but synthesis isn't governance, it's compromise.

563
00:28:15,320 --> 00:28:17,640
So relevance windows require precedence rules.

564
00:28:17,640 --> 00:28:21,080
When two sources disagree, the system needs a deterministic hierarchy.

565
00:28:21,080 --> 00:28:22,840
System of record beats guidance,

566
00:28:22,840 --> 00:28:26,760
signed policy beats draft, controlled repository beats personal stash,

567
00:28:26,760 --> 00:28:28,440
most recently reviewed beats.

568
00:28:28,440 --> 00:28:29,800
I think this is still right.

569
00:28:29,800 --> 00:28:31,640
If you don't encode precedence,

570
00:28:31,640 --> 00:28:34,840
you're outsourcing policy arbitration to a probabilistic model.

571
00:28:34,840 --> 00:28:35,800
That's not innovation.

572
00:28:35,800 --> 00:28:37,640
That's negligence with better UX.

573
00:28:37,640 --> 00:28:42,200
Now connect this to executive outcomes because that's the only language that changes budgets.

574
00:28:42,200 --> 00:28:44,440
A disciplined relevance window reduces rework.

575
00:28:44,440 --> 00:28:46,040
It shortens review loops.

576
00:28:46,040 --> 00:28:49,800
It prevents looks plausible decisions from entering governance processes

577
00:28:49,800 --> 00:28:51,240
and wasting everybody's time.

578
00:28:51,240 --> 00:28:52,680
It also reduces risk.

579
00:28:52,680 --> 00:28:57,240
Few accidental disclosures, fewer policy contradictions, fewer decisions made on dead procedures.

580
00:28:57,240 --> 00:29:01,400
And it makes autonomy possible because agents can't operate safely on infinite evidence.

581
00:29:01,400 --> 00:29:05,640
They need a bounded arena where the next action is derived from eligible truth.

582
00:29:05,640 --> 00:29:08,280
Not from whatever the retrieval system dredged up.

583
00:29:08,280 --> 00:29:09,960
Here's the practical test.

584
00:29:09,960 --> 00:29:12,360
If the organization can't say it for workflow X,

585
00:29:12,360 --> 00:29:14,280
the eligible evidence is A, B and C,

586
00:29:14,280 --> 00:29:16,440
and everything else is advisory at best.

587
00:29:16,440 --> 00:29:18,920
Then the workflow is not ready for agentic execution.

588
00:29:18,920 --> 00:29:20,920
It's barely ready for conversational advice.

589
00:29:20,920 --> 00:29:22,920
This is also why nobody budgets for it.

590
00:29:22,920 --> 00:29:25,000
Relevance windows aren't a license line item.

591
00:29:25,000 --> 00:29:25,880
They are design work.

592
00:29:25,880 --> 00:29:28,440
They force content owners, security, compliance,

593
00:29:28,440 --> 00:29:31,720
and platform teams into the same room to agree on what counts.

594
00:29:31,720 --> 00:29:35,960
And that agreement exposes every hidden inconsistency the organization has been living with,

595
00:29:35,960 --> 00:29:37,480
which is exactly why it's valuable.

596
00:29:37,480 --> 00:29:39,160
Because once you define relevance windows,

597
00:29:39,160 --> 00:29:40,200
you can finally do something.

598
00:29:40,200 --> 00:29:43,800
Enterprises claim they want reduced noise without reducing capability.

599
00:29:43,800 --> 00:29:47,720
You can make co-pilot an agent smarter by making their world smaller and cleaner.

600
00:29:47,720 --> 00:29:49,560
And you can make refusal a feature.

601
00:29:49,560 --> 00:29:50,520
Not a failure.

602
00:29:50,520 --> 00:29:52,520
If the evidence isn't in the relevance window,

603
00:29:52,520 --> 00:29:54,600
the system escalates instead of guessing.

604
00:29:54,600 --> 00:29:55,960
That's the discipline.

605
00:29:55,960 --> 00:29:59,880
And it's the bridge from good chat to safe execution.

606
00:29:59,880 --> 00:30:02,680
But relevance windows only solve evidence eligibility.

607
00:30:02,680 --> 00:30:05,080
They don't solve the next thing that makes work real.

608
00:30:05,080 --> 00:30:05,560
State.

609
00:30:05,560 --> 00:30:07,880
Because even if the system knows what evidence counts,

610
00:30:07,880 --> 00:30:09,800
it still needs to know what's happening right now,

611
00:30:09,800 --> 00:30:12,040
who owns it, and what step comes next.

612
00:30:12,040 --> 00:30:14,360
That's where the architecture moves next.

613
00:30:14,360 --> 00:30:16,520
From memory and evidence into operational memory,

614
00:30:16,520 --> 00:30:18,680
where state lives and autonomy stops looping.

615
00:30:18,680 --> 00:30:21,320
Dataverse as operational memory.

616
00:30:21,320 --> 00:30:23,240
Graph gives you organizational memory,

617
00:30:23,240 --> 00:30:27,160
what work meant, who was involved, and which artifacts clustered around decisions.

618
00:30:27,160 --> 00:30:29,640
But memory alone doesn't run a business.

619
00:30:29,640 --> 00:30:31,480
Work becomes real when it has state.

620
00:30:31,480 --> 00:30:33,880
State is the part nobody can search their way into.

621
00:30:33,880 --> 00:30:36,520
It's the current truth of a workflow.

622
00:30:36,520 --> 00:30:38,920
What step it's in, who owns it, what's blocked,

623
00:30:38,920 --> 00:30:41,800
what exception was granted, and what the system is waiting on.

624
00:30:41,800 --> 00:30:45,400
If that truth only exists in human heads and scattered teams' messages,

625
00:30:45,400 --> 00:30:46,920
you don't have a workflow.

626
00:30:46,920 --> 00:30:48,440
You have a rumor with attachments.

627
00:30:48,440 --> 00:30:50,520
This is where dataverse earns its place.

628
00:30:50,520 --> 00:30:52,280
Not as power platform storage,

629
00:30:52,280 --> 00:30:54,280
not as tables for citizen devs.

630
00:30:54,280 --> 00:30:57,560
Architecturally, dataverse is operational memory.

631
00:30:57,560 --> 00:31:00,200
A governed place to record what is happening now,

632
00:31:00,200 --> 00:31:02,760
in a form that automation and agents can't misinterpret.

633
00:31:02,760 --> 00:31:05,320
Because an agent without state becomes a loop generator.

634
00:31:05,320 --> 00:31:07,160
It re-ask questions you already answered.

635
00:31:07,160 --> 00:31:10,680
It resends approval requests because it can't confirm they were completed.

636
00:31:10,680 --> 00:31:13,720
It reopens issues because it can't see closure criteria.

637
00:31:13,720 --> 00:31:17,880
It escalates prematurely because it can't distinguish waiting from stuck.

638
00:31:17,880 --> 00:31:20,920
And then leadership calls it immature when the actual problem is that

639
00:31:20,920 --> 00:31:25,400
the enterprise never gave the system an authoritative place to store reality.

640
00:31:25,400 --> 00:31:28,360
Operational memory fixes that by making intent explicit.

641
00:31:28,360 --> 00:31:31,080
In dataverse terms, that means you don't just store records,

642
00:31:31,080 --> 00:31:32,520
you store the decision model.

643
00:31:32,520 --> 00:31:34,680
Entities that represent the work itself.

644
00:31:34,680 --> 00:31:36,280
Not just the data around it.

645
00:31:36,280 --> 00:31:39,080
You define a case and approval and exception,

646
00:31:39,080 --> 00:31:41,800
a controller to station, a vendor on boarding,

647
00:31:41,800 --> 00:31:44,200
an incident review, whatever the workflow is,

648
00:31:44,200 --> 00:31:47,720
the entity becomes the contract between humans, tools, and agents,

649
00:31:47,720 --> 00:31:50,360
and the contract has to contain certain fields.

650
00:31:50,360 --> 00:31:52,040
Whether people like it or not.

651
00:31:52,040 --> 00:31:53,080
Ownership.

652
00:31:53,080 --> 00:31:54,840
Who is accountable right now?

653
00:31:54,840 --> 00:31:57,800
And who is the escalation path if they're unavailable?

654
00:31:57,800 --> 00:31:58,520
Status.

655
00:31:58,520 --> 00:32:00,200
Not a vague in progress,

656
00:32:00,200 --> 00:32:02,760
but a state machine that reflects real gates.

657
00:32:02,760 --> 00:32:07,240
Drafted, submitted, pending approval, approved, executed, verified, closed.

658
00:32:07,240 --> 00:32:08,520
SLA and deadlines.

659
00:32:08,520 --> 00:32:12,360
So the system can differentiate urgent from normal without emotional language.

660
00:32:12,360 --> 00:32:13,320
Scope boundaries.

661
00:32:13,320 --> 00:32:16,840
What the agent is allowed to change and what it must only recommend.

662
00:32:16,840 --> 00:32:21,800
Exception tracking, because exceptions always happen and if you don't record them, you can't govern drift.

663
00:32:21,800 --> 00:32:25,080
This is the point where autonomy stops being a co-pilot conversation

664
00:32:25,080 --> 00:32:27,240
and becomes a control plane conversation.

665
00:32:27,240 --> 00:32:30,680
If data verse holds state, then agents can operate as stateful actors.

666
00:32:30,680 --> 00:32:34,440
Read the current step, retrieve only the evidence relevant to that step,

667
00:32:34,440 --> 00:32:37,880
take a bounded action, update the state, and log what happened.

668
00:32:37,880 --> 00:32:40,680
Without that, you get the enterprise version of Groundhog Day.

669
00:32:40,680 --> 00:32:42,600
Here's the counter-intuitive part.

670
00:32:42,600 --> 00:32:45,560
State reduces hallucinations without touching the model.

671
00:32:45,560 --> 00:32:49,480
Because many hallucinations in enterprise work aren't the model inventing facts.

672
00:32:49,480 --> 00:32:52,440
They are the model improvising missing workflow reality.

673
00:32:52,440 --> 00:32:55,400
If you ask, has procurement approved this vendor?

674
00:32:55,400 --> 00:32:57,320
And the system can't see an approval state.

675
00:32:57,320 --> 00:33:00,600
It will infer from the most recent email thread or a meeting recap

676
00:33:00,600 --> 00:33:02,760
or a spreadsheet someone updated last week.

677
00:33:02,760 --> 00:33:03,800
That's not reasoning.

678
00:33:03,800 --> 00:33:05,560
That's guessing with citations.

679
00:33:05,560 --> 00:33:09,160
If data verse contains the approval record, the question becomes deterministic.

680
00:33:09,160 --> 00:33:10,680
The agent doesn't need to be smart.

681
00:33:10,680 --> 00:33:11,640
It needs to be obedient.

682
00:33:11,640 --> 00:33:15,320
This is also why data verse is the right place to encode refusal conditions.

683
00:33:15,640 --> 00:33:18,680
An agent should not guess whether a change is authorized.

684
00:33:18,680 --> 00:33:21,400
It should check whether the approval entity exists,

685
00:33:21,400 --> 00:33:24,440
whether the right role approved it, whether the approval is still valid,

686
00:33:24,440 --> 00:33:25,800
and whether the conditions match.

687
00:33:25,800 --> 00:33:27,720
If any of those fail, the agent escalates.

688
00:33:27,720 --> 00:33:31,000
Not because it's cautious, because it's operating inside an engineered boundary.

689
00:33:31,000 --> 00:33:32,840
And yes, that boundary is annoying to build.

690
00:33:32,840 --> 00:33:37,400
Because it forces the organization to define what it pretends is already defined.

691
00:33:37,400 --> 00:33:38,280
Who owns this?

692
00:33:38,280 --> 00:33:39,320
What does done mean?

693
00:33:39,320 --> 00:33:40,040
What's the SLA?

694
00:33:40,040 --> 00:33:41,320
What counts as an exception?

695
00:33:41,320 --> 00:33:44,040
Which steps are reversible and which are irreversible?

696
00:33:44,040 --> 00:33:46,040
But once you define it, something else happens.

697
00:33:46,040 --> 00:33:48,520
You stop treating teams and email a state storage.

698
00:33:48,520 --> 00:33:50,920
They go back to being communication layers.

699
00:33:50,920 --> 00:33:55,160
Useful, human, and fundamentally unfit to act as a system of record.

700
00:33:55,160 --> 00:33:58,280
Data verse becomes the place where the workflows truth lives,

701
00:33:58,280 --> 00:34:00,920
while graph becomes the place where the workflows context

702
00:34:00,920 --> 00:34:02,840
and supporting evidence can be retrieved.

703
00:34:02,840 --> 00:34:03,720
That split matters.

704
00:34:03,720 --> 00:34:04,920
Memory tells you what happens.

705
00:34:04,920 --> 00:34:07,880
State tells you what is happening, and autonomy requires both.

706
00:34:07,880 --> 00:34:09,720
Because the moment an agent can read state,

707
00:34:09,720 --> 00:34:11,240
it can stop relitigating.

708
00:34:11,240 --> 00:34:12,600
It can stop re-asking.

709
00:34:12,600 --> 00:34:15,240
It can stop re-summarizing the same thread,

710
00:34:15,240 --> 00:34:16,440
like its new information.

711
00:34:16,440 --> 00:34:17,720
It can progress work.

712
00:34:17,720 --> 00:34:20,920
And if you want the enterprise version of high performance, that's it.

713
00:34:20,920 --> 00:34:22,920
Fewer loops, fewer duplicate efforts,

714
00:34:22,920 --> 00:34:24,440
fewer approvals that happen twice,

715
00:34:24,440 --> 00:34:26,200
because nobody could prove the first one happened.

716
00:34:26,200 --> 00:34:28,440
Operational memory isn't glamorous.

717
00:34:28,440 --> 00:34:31,960
It's also the difference between a demo agent and a production system.

718
00:34:31,960 --> 00:34:33,880
Fabric as analytical memory.

719
00:34:33,880 --> 00:34:37,400
Data verse gives the system operational memory, the live state of work,

720
00:34:37,400 --> 00:34:40,120
but operational memory alone doesn't improve the enterprise.

721
00:34:40,120 --> 00:34:41,320
It only stabilizes it.

722
00:34:41,320 --> 00:34:42,840
Stability is not learning.

723
00:34:42,840 --> 00:34:47,400
Learning requires a different kind of memory, analytical memory.

724
00:34:47,400 --> 00:34:50,680
The enterprise needs to remember patterns, not just status.

725
00:34:50,680 --> 00:34:53,640
It needs to know what keeps breaking, where time gets wasted,

726
00:34:53,640 --> 00:34:55,640
which approvals are pure theatre,

727
00:34:55,640 --> 00:35:00,360
and which exceptions are actually permanent workflow branches pretending to be temporary.

728
00:35:00,360 --> 00:35:01,800
That's where Fabric fits.

729
00:35:01,800 --> 00:35:03,720
Not as the place you run reports.

730
00:35:03,720 --> 00:35:06,520
Architecturally, Fabric is the learning layer.

731
00:35:06,520 --> 00:35:09,640
The part of the autonomy stack that turns accumulated execution

732
00:35:09,640 --> 00:35:11,000
into improved design.

733
00:35:11,000 --> 00:35:12,040
Here's the simple version.

734
00:35:12,040 --> 00:35:13,560
Graph tells you how work connects.

735
00:35:13,560 --> 00:35:15,560
Data verse tells you what work is happening.

736
00:35:15,560 --> 00:35:17,560
Fabric tells you why work keeps failing.

737
00:35:17,560 --> 00:35:18,920
And if you don't build that layer,

738
00:35:18,920 --> 00:35:22,200
you're stuck in a loop where the organization keeps automating

739
00:35:22,200 --> 00:35:25,160
yesterday's dysfunction with higher speed and better phrasing.

740
00:35:25,160 --> 00:35:27,400
Analytical memory starts with aggregation.

741
00:35:27,400 --> 00:35:28,520
Not dashboards.

742
00:35:28,520 --> 00:35:31,000
Aggregation of signals that were previously invisible

743
00:35:31,000 --> 00:35:33,080
because they lived in too many places.

744
00:35:33,080 --> 00:35:35,240
Case cycle times, handoff delays,

745
00:35:35,240 --> 00:35:37,720
reopened incidents, repeated escalations,

746
00:35:37,720 --> 00:35:39,400
approval latency by roll,

747
00:35:39,400 --> 00:35:41,800
exception frequency by workflow step,

748
00:35:41,800 --> 00:35:45,640
and the quiet killer rework triggered by missing or conflicting evidence.

749
00:35:45,640 --> 00:35:49,080
Most enterprises can't answer basic questions like

750
00:35:49,080 --> 00:35:50,920
which teams create the most exceptions,

751
00:35:50,920 --> 00:35:53,720
and are those exceptions correlated with missing permissions,

752
00:35:53,720 --> 00:35:55,640
missing templates, or missing ownership?

753
00:35:55,640 --> 00:35:57,800
They can't answer because the raw events exist,

754
00:35:57,800 --> 00:35:59,880
but the system never turned them into a governed,

755
00:35:59,880 --> 00:36:01,000
queriable narrative.

756
00:36:01,000 --> 00:36:03,160
Fabric is how that narrative becomes evidence.

757
00:36:03,160 --> 00:36:07,240
Now, a warning, analytics is where enterprises lie to themselves with math.

758
00:36:07,240 --> 00:36:08,920
Correlation is not causation.

759
00:36:08,920 --> 00:36:10,360
That distinction matters.

760
00:36:10,360 --> 00:36:12,760
If fabric shows that incidents take longer

761
00:36:12,760 --> 00:36:14,120
when a certain team is involved,

762
00:36:14,120 --> 00:36:16,600
the lazy conclusion is that team is slow.

763
00:36:16,600 --> 00:36:19,640
The real cause might be that the team gets the hardest incidents

764
00:36:19,640 --> 00:36:22,200
or that the routing logic dumps chaos on them,

765
00:36:22,200 --> 00:36:24,280
or that the upstream context is incomplete,

766
00:36:24,280 --> 00:36:26,440
so they spend the first six hours reconstructing

767
00:36:26,440 --> 00:36:27,800
what should have been handed to them.

768
00:36:27,800 --> 00:36:30,040
So the guardrail for analytical memories is this.

769
00:36:30,040 --> 00:36:32,440
Treat analytics as hypothesis generation.

770
00:36:32,440 --> 00:36:34,360
Not automatic policy enforcement.

771
00:36:34,360 --> 00:36:36,520
Fabric should inform better orchestration rules,

772
00:36:36,520 --> 00:36:38,920
but it should not auto-legislate them without validation.

773
00:36:38,920 --> 00:36:40,840
Otherwise, you're automating false narratives.

774
00:36:40,840 --> 00:36:43,960
And false narratives are how organizations turn temporary anomalies

775
00:36:43,960 --> 00:36:45,160
into permanent bureaucracy.

776
00:36:45,160 --> 00:36:47,320
When fabric is used correctly, it closes the loop.

777
00:36:47,320 --> 00:36:49,800
It turns operational history into design pressure.

778
00:36:49,800 --> 00:36:53,720
For example, if the system sees that a workflow step consistently stalls

779
00:36:53,720 --> 00:36:56,680
because approvals come from a role that isn't staffed after hours,

780
00:36:56,680 --> 00:36:58,200
that's not a people problem.

781
00:36:58,200 --> 00:36:59,640
That's a state model problem.

782
00:36:59,640 --> 00:37:01,000
The escalation path is wrong.

783
00:37:01,000 --> 00:37:02,520
The authority model is incomplete.

784
00:37:02,520 --> 00:37:05,480
The workflow needs an alternate lane with a defined supervisor,

785
00:37:05,480 --> 00:37:07,960
or it needs time-bound delegation that expires,

786
00:37:07,960 --> 00:37:10,360
or it needs a different gating mechanism entirely.

787
00:37:10,360 --> 00:37:11,240
That's learning.

788
00:37:11,240 --> 00:37:12,120
Not a chart.

789
00:37:12,120 --> 00:37:13,480
Or consider relevance windows.

790
00:37:13,480 --> 00:37:15,400
You can define them, but without telemetry,

791
00:37:15,400 --> 00:37:16,760
you won't know if they're working.

792
00:37:16,760 --> 00:37:19,560
Fabric can show you how often an agent needed to escalate

793
00:37:19,560 --> 00:37:21,000
because evidence was missing,

794
00:37:21,000 --> 00:37:22,760
which sources were used most often,

795
00:37:22,760 --> 00:37:24,440
which sources were frequently retrieved,

796
00:37:24,440 --> 00:37:25,640
but never cited,

797
00:37:25,640 --> 00:37:28,120
and where retrieval produced conflicting guidance.

798
00:37:28,120 --> 00:37:29,240
That's not just usage data.

799
00:37:29,240 --> 00:37:31,480
That's feedback about your context substrate,

800
00:37:31,480 --> 00:37:33,160
and its feedback you can act on.

801
00:37:33,160 --> 00:37:35,880
This is where autonomy stops being a product purchase

802
00:37:35,880 --> 00:37:37,560
and becomes an operating model.

803
00:37:37,560 --> 00:37:40,760
Because an autonomous enterprise is not one where the agent does more things,

804
00:37:40,760 --> 00:37:42,440
it's one where the system becomes better

805
00:37:42,440 --> 00:37:44,440
at deciding what it should do over time,

806
00:37:44,440 --> 00:37:45,720
with fewer human interventions.

807
00:37:45,720 --> 00:37:48,200
That means analytics must change orchestration rules,

808
00:37:48,200 --> 00:37:50,200
not just inform quarterly reviews.

809
00:37:50,200 --> 00:37:52,120
If fabric shows that certain exception types

810
00:37:52,120 --> 00:37:54,280
always lead to the same remediation steps,

811
00:37:54,280 --> 00:37:56,120
then you can codify a lane,

812
00:37:56,120 --> 00:37:58,280
auto-handle within defined boundaries,

813
00:37:58,280 --> 00:38:00,840
log evidence, update dataverse state,

814
00:38:00,840 --> 00:38:03,080
and only escalate when the patent breaks.

815
00:38:03,080 --> 00:38:05,400
If fabric shows that a particular policy source

816
00:38:05,400 --> 00:38:07,640
is constantly contradicted by newer procedures

817
00:38:07,640 --> 00:38:09,160
that's not an AI problem,

818
00:38:09,160 --> 00:38:10,520
that's content governance drift.

819
00:38:10,520 --> 00:38:13,080
The fix is to deprecate the policy or reissue it,

820
00:38:13,080 --> 00:38:15,880
or market as advisory and make the precedence explicit.

821
00:38:15,880 --> 00:38:18,200
Fabric becomes the place where drift is visible,

822
00:38:18,200 --> 00:38:20,040
and drift is the true enemy of autonomy.

823
00:38:20,040 --> 00:38:22,280
Because the moment the environment changes faster

824
00:38:22,280 --> 00:38:23,960
than the context substrate updates,

825
00:38:23,960 --> 00:38:26,680
the agent becomes a historical reenactment tool.

826
00:38:26,680 --> 00:38:28,760
It will keep operating on what used to be true

827
00:38:28,760 --> 00:38:31,560
with perfect confidence and fully logged explanations.

828
00:38:31,560 --> 00:38:33,640
Analytical memories how you prevent that.

829
00:38:33,640 --> 00:38:35,880
It's how you detect where the system's behavior

830
00:38:35,880 --> 00:38:38,760
is diverging from intent, rising exception rates,

831
00:38:38,760 --> 00:38:41,640
growing retry loops, increasing time to decision,

832
00:38:41,640 --> 00:38:43,480
widening variance between teams

833
00:38:43,480 --> 00:38:45,880
and changes in what evidence gets cited.

834
00:38:45,880 --> 00:38:48,440
Then you feed those insights back into the control plane,

835
00:38:48,440 --> 00:38:50,760
update the relevance windows, tighten permissions,

836
00:38:50,760 --> 00:38:53,160
change routing rules, revise the state machine,

837
00:38:53,160 --> 00:38:55,320
or adjust refusal thresholds.

838
00:38:55,320 --> 00:38:57,320
That feedback loop is the difference between

839
00:38:57,320 --> 00:39:01,320
we deployed co-pilot and we built an enterprise that learns.

840
00:39:01,320 --> 00:39:03,000
And once you see fabric this way,

841
00:39:03,000 --> 00:39:04,840
the autonomy stack becomes obvious.

842
00:39:04,840 --> 00:39:07,480
Memory, state, learning, interaction.

843
00:39:07,480 --> 00:39:10,360
Each layer compensates for a failure mode in the others.

844
00:39:10,360 --> 00:39:13,240
Each layer produces signals the next layer depends on.

845
00:39:13,240 --> 00:39:15,880
Remove the learning layer and you don't get autonomy.

846
00:39:15,880 --> 00:39:17,720
You get automation that ruts in place.

847
00:39:17,720 --> 00:39:19,080
The autonomy stack.

848
00:39:19,080 --> 00:39:22,120
Memory, state, learning, interaction.

849
00:39:22,120 --> 00:39:24,920
Now the stack is visible, and it's embarrassingly simple.

850
00:39:24,920 --> 00:39:25,960
Not easy, simple.

851
00:39:25,960 --> 00:39:29,160
Autonomy in Microsoft 365 isn't a feature you toggle on.

852
00:39:29,160 --> 00:39:32,600
It's an emergent property of four layers that either align

853
00:39:32,600 --> 00:39:35,640
or they fight each other until the whole thing feels random.

854
00:39:35,640 --> 00:39:39,800
Memory, state, learning, interaction.

855
00:39:39,800 --> 00:39:42,600
And the order matters because each layer is compensating

856
00:39:42,600 --> 00:39:44,840
for a specific kind of enterprise failure.

857
00:39:44,840 --> 00:39:45,800
Memory is graph.

858
00:39:45,800 --> 00:39:47,240
Not because graph is magical,

859
00:39:47,240 --> 00:39:49,080
but because it encodes relationships.

860
00:39:49,080 --> 00:39:51,560
Who, what, when, and the trail of work signals

861
00:39:51,560 --> 00:39:55,160
that makes retrieval feel like recall instead of search?

862
00:39:55,160 --> 00:39:57,880
Graph is how the system learns what a piece of work meant

863
00:39:57,880 --> 00:39:59,160
inside the organization.

864
00:39:59,160 --> 00:40:02,280
Without that, co-pilot has to treat every request

865
00:40:02,280 --> 00:40:03,720
like it's happening in a vacuum.

866
00:40:03,720 --> 00:40:06,040
You get generic answers, generic summaries,

867
00:40:06,040 --> 00:40:08,280
and the same could you provide more context

868
00:40:08,280 --> 00:40:10,120
but loop that waste's executive time.

869
00:40:10,120 --> 00:40:11,560
State is dataverse.

870
00:40:11,560 --> 00:40:12,680
It's operational truth.

871
00:40:12,680 --> 00:40:14,440
What step the workflow is in right now?

872
00:40:14,440 --> 00:40:15,400
Who owns it?

873
00:40:15,400 --> 00:40:16,280
What is blocked?

874
00:40:16,280 --> 00:40:17,400
What was approved?

875
00:40:17,400 --> 00:40:18,920
What exception was granted?

876
00:40:18,920 --> 00:40:21,960
And what the system must not do without supervision?

877
00:40:21,960 --> 00:40:25,000
Without state agents become polite but unreliable interns.

878
00:40:25,000 --> 00:40:25,720
They ask again.

879
00:40:25,720 --> 00:40:26,600
They resummarize.

880
00:40:26,600 --> 00:40:27,640
They reopen.

881
00:40:27,640 --> 00:40:29,400
They can't tell whether progress happened

882
00:40:29,400 --> 00:40:32,360
so they manufacture progress by talking about progress.

883
00:40:32,360 --> 00:40:33,400
Learning is fabric.

884
00:40:33,400 --> 00:40:36,360
It's the layer that converts a pile of completed workflows

885
00:40:36,360 --> 00:40:38,360
into patterns where approval stall,

886
00:40:38,360 --> 00:40:39,800
where evidence is missing,

887
00:40:39,800 --> 00:40:42,440
where exceptions cluster, where retries spike,

888
00:40:42,440 --> 00:40:44,920
where policies contradict reality.

889
00:40:44,920 --> 00:40:47,240
Without learning, the organization never gets better.

890
00:40:47,240 --> 00:40:49,480
It just runs the same broken process faster

891
00:40:49,480 --> 00:40:53,160
then celebrates adoption while operational drag quietly remains.

892
00:40:53,160 --> 00:40:54,680
Interaction is co-pilot.

893
00:40:54,680 --> 00:40:56,600
Chat embedded assistance in office apps,

894
00:40:56,600 --> 00:40:58,600
teams and whatever agent front and leadership

895
00:40:58,600 --> 00:41:00,120
is currently excited about.

896
00:41:00,120 --> 00:41:02,200
Interaction is where humans meet the system.

897
00:41:02,200 --> 00:41:03,960
It's also the only layer people see,

898
00:41:03,960 --> 00:41:05,560
which is why it gets blamed for everything.

899
00:41:05,560 --> 00:41:07,080
But interaction is downstream.

900
00:41:07,080 --> 00:41:08,840
It cannot fix memory state or learning.

901
00:41:08,840 --> 00:41:10,920
It can only expose their quality.

902
00:41:10,920 --> 00:41:12,360
This is the foundational reframe.

903
00:41:12,360 --> 00:41:13,960
Co-pilot is not intelligence.

904
00:41:13,960 --> 00:41:15,400
Co-pilot is presentation.

905
00:41:15,400 --> 00:41:18,280
An autonomy isn't agents.

906
00:41:18,280 --> 00:41:22,040
Autonomy is what happens when the presentation layer is backed by memory,

907
00:41:22,040 --> 00:41:24,440
anchored in state and corrected by learning.

908
00:41:24,440 --> 00:41:27,160
Here's the system behavior when a layer is missing.

909
00:41:27,160 --> 00:41:28,920
If you have interaction without memory,

910
00:41:28,920 --> 00:41:31,720
you get fluent output with no organizational awareness.

911
00:41:31,720 --> 00:41:35,240
It reads like a smart public chatbot, helpful but detached.

912
00:41:35,240 --> 00:41:36,520
That's where leaders conclude.

913
00:41:36,520 --> 00:41:38,120
It doesn't understand our business.

914
00:41:38,120 --> 00:41:39,640
If you have memory without state,

915
00:41:39,640 --> 00:41:41,480
you get good recall but no execution.

916
00:41:41,480 --> 00:41:43,720
The system can tell you what happened in meetings,

917
00:41:43,720 --> 00:41:46,280
who said what and which documents were involved,

918
00:41:46,280 --> 00:41:48,440
but it can't move the workflow forward reliably.

919
00:41:48,440 --> 00:41:50,840
It becomes a historian, not an operator.

920
00:41:50,840 --> 00:41:52,360
If you have state without memory,

921
00:41:52,360 --> 00:41:56,200
you get deterministic workflow automation with no situational intelligence.

922
00:41:56,200 --> 00:41:58,520
It can progress cases and root approvals,

923
00:41:58,520 --> 00:42:02,440
but it can't explain why something is blocked or which evidence is missing

924
00:42:02,440 --> 00:42:05,000
because it doesn't understand the surrounding work rough.

925
00:42:05,000 --> 00:42:07,480
It becomes a ticketing system with better branding.

926
00:42:07,480 --> 00:42:08,840
If you have learning without control,

927
00:42:08,840 --> 00:42:12,520
you get dashboards that describe failure beautifully while nothing changes.

928
00:42:12,520 --> 00:42:14,440
The system knows where entropy lives,

929
00:42:14,440 --> 00:42:17,080
but it can't enforce corrections, so the drift continues.

930
00:42:17,080 --> 00:42:20,200
And if you try to skip straight to agent features without the stack,

931
00:42:20,200 --> 00:42:21,880
you'll see the predictable symptoms.

932
00:42:21,880 --> 00:42:24,440
Generic answers repeated loops, policy violations,

933
00:42:24,440 --> 00:42:28,200
and the worst one, high confidence outputs built on low integrity evidence.

934
00:42:28,200 --> 00:42:31,240
So autonomy is alignment, not capability.

935
00:42:31,240 --> 00:42:36,200
That alignment depends on a concept most enterprises refuse to formalize the context boundary.

936
00:42:36,200 --> 00:42:39,000
Every workflow needs an explicit boundary that says,

937
00:42:39,000 --> 00:42:42,200
"This is the evidence we will consider, this is the state we will trust.

938
00:42:42,200 --> 00:42:44,600
These are the tools we will allow, and these are the conditions

939
00:42:44,600 --> 00:42:46,200
where the system must refuse to guess."

940
00:42:46,200 --> 00:42:49,800
Refusal is not a safety feature you bolt on later.

941
00:42:49,800 --> 00:42:52,760
Refusal is a design requirement for any system that will act,

942
00:42:52,760 --> 00:42:55,560
because probabilistic systems will always produce an answer.

943
00:42:55,560 --> 00:42:57,000
They are optimized to complete.

944
00:42:57,000 --> 00:42:59,000
If you don't engineer stop conditions,

945
00:42:59,000 --> 00:43:03,080
you're building a machine that will generate plausible motion even when it's blind.

946
00:43:03,080 --> 00:43:05,320
So the autonomy stack isn't a maturity model,

947
00:43:05,320 --> 00:43:07,080
it's a structural dependency chain.

948
00:43:07,080 --> 00:43:09,560
Graph provides memory, so retrieval has meaning.

949
00:43:09,560 --> 00:43:12,440
Dataverse provides state, so action has continuity.

950
00:43:12,440 --> 00:43:15,560
Fabric provides learning so the system improves instead of drifting.

951
00:43:15,560 --> 00:43:19,560
Copilot provides interaction so humans can steer, approve, and supervise.

952
00:43:19,560 --> 00:43:23,320
Get those four layers aligned and the enterprise stops chasing smarter AI.

953
00:43:23,320 --> 00:43:26,200
It starts building evidence bound decisions at scale,

954
00:43:26,200 --> 00:43:31,000
and that is the only definition of autonomy that survives contact with audit, security,

955
00:43:31,000 --> 00:43:32,280
and reality.

956
00:43:32,280 --> 00:43:35,400
Conceptual flow pattern, event reasoning, orchestration.

957
00:43:35,400 --> 00:43:38,360
Once the autonomy stack is clear, the next question is operational.

958
00:43:38,360 --> 00:43:43,240
What does a context-aware system actually do end to end when work happens?

959
00:43:43,240 --> 00:43:47,800
Not in a demo, in a tenant, underdrift, under load, with imperfect humans.

960
00:43:48,600 --> 00:43:53,000
The cleanest mental model is a three-stage flow you can replay in your head.

961
00:43:53,000 --> 00:43:55,560
Event, reasoning, orchestration.

962
00:43:55,560 --> 00:43:59,640
This is not how Microsoft built it, it's how you should design it because it forces you to

963
00:43:59,640 --> 00:44:05,400
separate signals from decisions and decisions from actions that separation is where control lives.

964
00:44:05,400 --> 00:44:06,360
Start with event.

965
00:44:06,360 --> 00:44:08,760
An event is a trigger that something changed in the work graph,

966
00:44:08,760 --> 00:44:12,360
an email arrives with a request, a meeting ends and produces a transcript,

967
00:44:12,360 --> 00:44:15,880
a document changes state from draft to approved, a ticket is created,

968
00:44:15,880 --> 00:44:20,920
a customer escalates, a procurement request hits a threshold, a user gets added to a sensitive group.

969
00:44:20,920 --> 00:44:26,200
The specifics don't matter, the pattern does, events are cheap, enterprises generate infinite events.

970
00:44:26,200 --> 00:44:30,680
The mistake is treating every event as a reason to ask co-pilot.

971
00:44:30,680 --> 00:44:35,720
That turns autonomy into a thousand micro-interruptions and it guarantees noise-driven automation.

972
00:44:35,720 --> 00:44:40,840
So, architecturally, the event stage is where you normalize and filter.

973
00:44:40,840 --> 00:44:42,360
What type of event is this?

974
00:44:42,360 --> 00:44:43,960
What workflow does it belong to?

975
00:44:43,960 --> 00:44:45,800
And what context boundary applies?

976
00:44:45,800 --> 00:44:48,440
If you can't classify the event, you don't have autonomy.

977
00:44:48,440 --> 00:44:50,280
You have a chatbot waiting for attention.

978
00:44:50,280 --> 00:44:51,160
Then comes reasoning.

979
00:44:51,160 --> 00:44:53,720
Reasoning is where context becomes eligible evidence.

980
00:44:53,720 --> 00:44:57,320
This is the stage that decides what the system is allowed to consider,

981
00:44:57,320 --> 00:45:00,280
what it should ignore and what it must verify before it acts.

982
00:45:00,280 --> 00:45:02,760
It's also where most agent failures actually occur,

983
00:45:02,760 --> 00:45:05,880
because people assume reasoning is just the LLM thinking harder.

984
00:45:05,880 --> 00:45:06,360
It isn't.

985
00:45:06,360 --> 00:45:10,120
Reasoning is a pipeline, retrieve, scope, score and check.

986
00:45:10,120 --> 00:45:13,400
Retrieve means pulling candidate evidence from memory and state.

987
00:45:13,400 --> 00:45:16,600
Graph relationships, relevant documents, recent meetings,

988
00:45:16,600 --> 00:45:20,120
and the dataverse record that tells you where the workflow is right now.

989
00:45:20,120 --> 00:45:22,520
If the system can't find state, it has to guess.

990
00:45:22,520 --> 00:45:24,200
And you already know how that ends.

991
00:45:24,200 --> 00:45:28,040
Scope means applying the relevance window only sources x and y count for this step

992
00:45:28,040 --> 00:45:32,120
only within time horizon z and only under the identity posture of the requester.

993
00:45:32,120 --> 00:45:35,480
This is where permissions and sensitivity labels stop being compliance

994
00:45:35,480 --> 00:45:37,640
theater and become execution constraints.

995
00:45:37,640 --> 00:45:40,200
Score means ranking evidence by authority and freshness,

996
00:45:40,200 --> 00:45:42,440
not by semantic similarity alone.

997
00:45:42,440 --> 00:45:44,760
Similarity retrieves drafts and duplicates.

998
00:45:44,760 --> 00:45:46,840
Authority retrieves decisions.

999
00:45:46,840 --> 00:45:48,520
That distinction matters.

1000
00:45:48,520 --> 00:45:50,200
Check means policy validation.

1001
00:45:50,200 --> 00:45:51,400
Is this action allowed?

1002
00:45:51,400 --> 00:45:52,920
Does it require approval?

1003
00:45:52,920 --> 00:45:55,080
Is the identity trustworthy right now?

1004
00:45:55,080 --> 00:45:56,440
Is the device compliant?

1005
00:45:56,440 --> 00:45:59,560
Does the data classification allow this tool to see it?

1006
00:45:59,560 --> 00:46:03,640
Does continuous access evaluation revoke access mid-flow?

1007
00:46:03,640 --> 00:46:06,200
Reasoning without policy checks is just fast-gassing.

1008
00:46:06,200 --> 00:46:09,400
And here's the discipline that makes the entire flow survivable.

1009
00:46:09,400 --> 00:46:11,400
Citations or silence?

1010
00:46:11,400 --> 00:46:15,160
If the reasoning stage can't produce evidence that meets the relevance window,

1011
00:46:15,160 --> 00:46:18,200
the system doesn't try anyway, it escalates.

1012
00:46:18,200 --> 00:46:20,680
Or it asks a precise question that closes the gap.

1013
00:46:20,680 --> 00:46:22,520
Refusal conditions aren't politeness.

1014
00:46:22,520 --> 00:46:25,000
They are the only mechanism that prevents plausible nonsense

1015
00:46:25,000 --> 00:46:26,760
from entering the orchestration stage.

1016
00:46:26,760 --> 00:46:28,760
Now the third stage, orchestration.

1017
00:46:28,760 --> 00:46:31,480
Orchestration is tool invocation and state mutation.

1018
00:46:31,480 --> 00:46:34,760
It's where the system stops talking and starts changing reality,

1019
00:46:34,760 --> 00:46:37,240
creating a ticket, updating data verse,

1020
00:46:37,240 --> 00:46:39,240
generating a document, sending an email,

1021
00:46:39,240 --> 00:46:43,720
scheduling a meeting, posting to teams, or triggering a downstream flow.

1022
00:46:43,720 --> 00:46:45,160
This stage must be boring.

1023
00:46:45,160 --> 00:46:48,280
If orchestration feels creative, you've already lost control.

1024
00:46:48,280 --> 00:46:51,000
Orchestration should be deterministic.

1025
00:46:51,000 --> 00:46:57,000
Given evidence set A, state S, and policy posture P invoke tool T with parameters K,

1026
00:46:57,000 --> 00:47:01,320
then write the result back to operational memory with an audit trail that explains

1027
00:47:01,320 --> 00:47:05,000
what evidence was used, what decision was made, what action was taken,

1028
00:47:05,000 --> 00:47:06,360
and what the next state is?

1029
00:47:06,360 --> 00:47:09,000
This is also where you draw the human boundary.

1030
00:47:09,000 --> 00:47:11,720
Humans stay in the loop for irreversible actions,

1031
00:47:11,720 --> 00:47:14,600
payments, terminations, external sharing, privilege changes,

1032
00:47:14,600 --> 00:47:16,520
regulatory submissions, vendor onboarding,

1033
00:47:16,520 --> 00:47:18,600
and anything that creates a compliance obligation.

1034
00:47:18,600 --> 00:47:21,560
The system can prepare, recommend, and assemble evidence.

1035
00:47:21,560 --> 00:47:22,920
It cannot self-approval.

1036
00:47:22,920 --> 00:47:24,440
Approval is not latency.

1037
00:47:24,440 --> 00:47:26,040
Approval is liability transfer.

1038
00:47:26,040 --> 00:47:28,520
Everything else sits on a tiered autonomy lane.

1039
00:47:28,520 --> 00:47:31,720
Low-risk actions can execute automatically,

1040
00:47:31,720 --> 00:47:34,120
medium-risk actions require confirmation,

1041
00:47:34,120 --> 00:47:37,800
and high-risk actions require a named approver with logged intent.

1042
00:47:37,800 --> 00:47:41,320
And if you want one final rule that ties the whole flow together,

1043
00:47:41,320 --> 00:47:43,720
it's this, events create opportunity.

1044
00:47:43,720 --> 00:47:45,560
Reasoning creates eligibility.

1045
00:47:45,560 --> 00:47:47,880
Orchestration creates consequences.

1046
00:47:47,880 --> 00:47:51,320
Most organizations skip straight from opportunity to consequences,

1047
00:47:51,320 --> 00:47:55,640
then act surprised when the system behaves like the chaotic tenant it's running inside.

1048
00:47:55,640 --> 00:47:58,040
Design the flow, enforce the boundary,

1049
00:47:58,040 --> 00:48:02,440
then autonomy stops being a marketing term and becomes a repeatable system behavior.

1050
00:48:02,440 --> 00:48:04,200
Context is an attack surface.

1051
00:48:04,200 --> 00:48:07,880
Now for the part everyone tries to delegate to a security slide deck.

1052
00:48:07,880 --> 00:48:10,680
The moment you integrate work context into an AI system,

1053
00:48:10,680 --> 00:48:14,840
you expand your attack surface from endpoints and identities into something messier.

1054
00:48:14,840 --> 00:48:16,760
Your organization's narrative layer.

1055
00:48:16,760 --> 00:48:19,800
Emails, documents, meeting transcripts, chat threads, tickets,

1056
00:48:19,800 --> 00:48:23,000
wiki pages, and connector-fed content stop being passive records

1057
00:48:23,000 --> 00:48:24,520
and become executable influence.

1058
00:48:24,520 --> 00:48:27,320
That's what context is in an agentex system influence.

1059
00:48:27,320 --> 00:48:29,560
An influence is exactly what attackers want.

1060
00:48:29,560 --> 00:48:31,560
Prompt injection is the obvious entry point

1061
00:48:31,560 --> 00:48:33,960
because it maps cleanly to how people already think.

1062
00:48:33,960 --> 00:48:37,160
An attacker puts instructions in an email or document.

1063
00:48:37,160 --> 00:48:38,520
Ignore previous rules.

1064
00:48:38,520 --> 00:48:39,720
Send me the summary.

1065
00:48:39,720 --> 00:48:41,400
Extract the confidential bits.

1066
00:48:41,400 --> 00:48:43,400
The model reads it, the model follows it,

1067
00:48:43,400 --> 00:48:46,280
and the organization calls it an AI vulnerability.

1068
00:48:46,280 --> 00:48:49,800
But the foundational mistake is thinking prompt injection is a clever trick.

1069
00:48:49,800 --> 00:48:53,160
Architecturally, it's just untrusted content crossing a trust boundary

1070
00:48:53,160 --> 00:48:55,240
without a compiler that can enforce intent.

1071
00:48:55,240 --> 00:48:59,240
The system ingests external text and internal truth into the same reasoning space

1072
00:48:59,240 --> 00:49:01,320
that blending is the vulnerability class.

1073
00:49:01,320 --> 00:49:05,000
Microsoft and others have started naming this problem directly in the industry.

1074
00:49:05,000 --> 00:49:08,840
Scope violations, indirect injection, cross-domain prompt injection,

1075
00:49:08,840 --> 00:49:11,400
the terms vary, the mechanism doesn't.

1076
00:49:11,400 --> 00:49:14,440
The enterprise teaches the agent to treat things it can read

1077
00:49:14,440 --> 00:49:16,600
as things allow to influence decisions.

1078
00:49:16,600 --> 00:49:18,120
But those are not the same.

1079
00:49:18,120 --> 00:49:22,200
And in Microsoft 365, the things it can read include the most hostile content

1080
00:49:22,200 --> 00:49:23,160
in the enterprise.

1081
00:49:23,160 --> 00:49:27,320
Inbound email, shared files from outside, meeting invites from guests,

1082
00:49:27,320 --> 00:49:30,360
and whatever got pasted into a team's chat at 2am.

1083
00:49:30,360 --> 00:49:33,400
This is why indirect injection matters more than direct injection.

1084
00:49:33,400 --> 00:49:36,440
Direct injection requires the user to do something obviously risky.

1085
00:49:36,440 --> 00:49:39,400
Indirect injection hides inside normal work artifacts.

1086
00:49:39,400 --> 00:49:42,520
A procurement spreadsheet, a design spec in SharePoint,

1087
00:49:42,520 --> 00:49:45,960
a helpful link in a project email, nobody sees it as an attack

1088
00:49:45,960 --> 00:49:47,080
because it looks like work.

1089
00:49:47,080 --> 00:49:48,840
And agents are built to consume work.

1090
00:49:48,840 --> 00:49:51,960
Then there's the more enterprise-shaped problem, memory poisoning.

1091
00:49:51,960 --> 00:49:54,920
Once the system starts persisting context, summaries, preferences,

1092
00:49:54,920 --> 00:49:57,960
extracted decisions, cash results, you've created long term state

1093
00:49:57,960 --> 00:49:59,320
that can be corrupted.

1094
00:49:59,320 --> 00:50:02,680
One poisoned artifact doesn't just cause one bad answer.

1095
00:50:02,680 --> 00:50:06,120
It becomes a durable bias that quietly affects future reasoning.

1096
00:50:06,120 --> 00:50:08,920
That's not a one-off incident that's drift you didn't authorize.

1097
00:50:08,920 --> 00:50:11,640
The scary part is that poisoning doesn't need high sophistication.

1098
00:50:11,640 --> 00:50:12,680
It needs persistence.

1099
00:50:12,680 --> 00:50:16,440
If the system stores, this vendor is trusted because it saw that phrase

1100
00:50:16,440 --> 00:50:20,680
in a manipulated email thread, you now have a policy exception embedded in machine memory,

1101
00:50:20,680 --> 00:50:22,440
an entropy generator with a timestamp.

1102
00:50:22,440 --> 00:50:24,600
And because the output still sounds reasonable,

1103
00:50:24,600 --> 00:50:26,600
the human supervisor may never notice.

1104
00:50:26,600 --> 00:50:30,920
They just experience the system as oddly confident about certain decisions.

1105
00:50:30,920 --> 00:50:35,240
Now at the enterprise reality, context sources mix trust levels constantly.

1106
00:50:35,240 --> 00:50:38,120
A single co-pilot response might blend internal policy,

1107
00:50:38,120 --> 00:50:41,160
a meeting transcript, a forwarded email from outside,

1108
00:50:41,160 --> 00:50:43,640
and a web result if web grounding is enabled.

1109
00:50:43,640 --> 00:50:46,200
If the system doesn't enforce provenance boundaries,

1110
00:50:46,200 --> 00:50:48,840
trusted versus untrusted internal versus external,

1111
00:50:48,840 --> 00:50:50,760
authoritative versus advisory,

1112
00:50:50,760 --> 00:50:54,280
then it will happily treat a hostile artifact as equal weight evidence.

1113
00:50:54,280 --> 00:50:56,760
That is the zero-click conceptual thread,

1114
00:50:56,760 --> 00:50:59,000
not necessarily that the user clicked nothing,

1115
00:50:59,000 --> 00:51:03,400
but that the user didn't consent to importing hostile instructions into the reasoning space.

1116
00:51:03,400 --> 00:51:06,520
The act of retrieval itself becomes the exploitation path.

1117
00:51:06,520 --> 00:51:07,480
An email arrives.

1118
00:51:07,480 --> 00:51:08,920
It becomes retrievable.

1119
00:51:08,920 --> 00:51:11,320
Later, the user asks an unrelated question.

1120
00:51:11,320 --> 00:51:13,640
Retrieval pulls the email because it matches.

1121
00:51:13,640 --> 00:51:17,640
The payload activates because the model can't distinguish content to summarize

1122
00:51:17,640 --> 00:51:19,320
from instructions to obey.

1123
00:51:19,320 --> 00:51:22,840
That's how a normal tenant becomes an adversarial environment by default.

1124
00:51:22,840 --> 00:51:25,560
And notice what this does to your earlier autonomy flow.

1125
00:51:25,560 --> 00:51:26,760
Event happens.

1126
00:51:26,760 --> 00:51:27,960
Reasoning retrieves.

1127
00:51:27,960 --> 00:51:29,400
Orchestration acts.

1128
00:51:29,400 --> 00:51:31,240
Attacters don't need to break encryption.

1129
00:51:31,240 --> 00:51:32,440
They need to shape retrieval.

1130
00:51:32,440 --> 00:51:34,680
So the defensive principle becomes blunt.

1131
00:51:34,680 --> 00:51:38,280
Treat every context source as hostile until proven otherwise.

1132
00:51:38,280 --> 00:51:39,800
Not external sources.

1133
00:51:39,800 --> 00:51:40,920
Every source.

1134
00:51:40,920 --> 00:51:43,800
Because internal sources are hostile too, just accidentally.

1135
00:51:43,800 --> 00:51:46,760
Outdated procedures, copied policies, contradictory decks,

1136
00:51:46,760 --> 00:51:48,120
orphaned sharepoint sites,

1137
00:51:48,120 --> 00:51:50,280
and meeting transcripts full of speculation.

1138
00:51:50,280 --> 00:51:52,040
Hostile doesn't only mean malicious.

1139
00:51:52,040 --> 00:51:54,760
It means unfit to drive decisions without validation.

1140
00:51:54,760 --> 00:51:59,400
This is where security and architecture finally stop pretending they're separate disciplines.

1141
00:51:59,400 --> 00:52:03,000
Context integration expands the blast radius of permission mistakes,

1142
00:52:03,000 --> 00:52:05,640
content hygiene failures, and governance drift.

1143
00:52:05,640 --> 00:52:08,120
And it does it with the worst possible UX.

1144
00:52:08,120 --> 00:52:10,120
Fluent answers that look like competence.

1145
00:52:10,120 --> 00:52:14,680
So if your autonomy strategy doesn't include provenance, isolation, and refusal conditions,

1146
00:52:14,680 --> 00:52:16,200
it isn't an autonomy strategy.

1147
00:52:16,200 --> 00:52:19,800
It's a high-speed social engineering surface that happens to run inside your tenant.

1148
00:52:20,520 --> 00:52:22,200
Guardrails that actually hold.

1149
00:52:22,200 --> 00:52:23,160
Least privilege.

1150
00:52:23,160 --> 00:52:23,960
CAE.

1151
00:52:23,960 --> 00:52:24,840
Provenance.

1152
00:52:24,840 --> 00:52:26,600
So if context is an attack surface,

1153
00:52:26,600 --> 00:52:28,600
guardrails can't be guidance.

1154
00:52:28,600 --> 00:52:29,800
They have to be mechanics.

1155
00:52:29,800 --> 00:52:33,480
Things the system enforces even when users are tired, rushed, or curious.

1156
00:52:33,480 --> 00:52:36,520
And even when an attacker is deliberately shaping the narrative layer

1157
00:52:36,520 --> 00:52:37,960
to get the agent to misbehave.

1158
00:52:37,960 --> 00:52:41,480
Three guardrails actually hold in Microsoft 365,

1159
00:52:41,480 --> 00:52:45,000
because their structural least-privileged continuous-access evaluation and provenance.

1160
00:52:45,000 --> 00:52:47,160
Least privilege is not a compliance slogan.

1161
00:52:47,160 --> 00:52:49,960
It's the only way to keep autonomy from turning small mistakes

1162
00:52:49,960 --> 00:52:51,640
into tenant-wide incidents.

1163
00:52:51,640 --> 00:52:54,120
The common enterprise failure is granting broad access

1164
00:52:54,120 --> 00:52:55,720
because it's operationally convenient.

1165
00:52:55,720 --> 00:52:57,080
Files.

1166
00:52:57,080 --> 00:52:57,800
Read all.

1167
00:52:57,800 --> 00:52:58,200
Sites.

1168
00:52:58,200 --> 00:52:58,840
Read all.

1169
00:52:58,840 --> 00:53:00,200
Wide SharePoint membership.

1170
00:53:00,200 --> 00:53:04,280
Or that classic move where one security group becomes the default audience for everything,

1171
00:53:04,280 --> 00:53:06,040
because nobody wants to manage boundaries.

1172
00:53:06,040 --> 00:53:07,080
And then copilot arrives.

1173
00:53:07,080 --> 00:53:07,960
Then agents arrive.

1174
00:53:07,960 --> 00:53:10,120
And suddenly broad access isn't just broad access.

1175
00:53:10,120 --> 00:53:12,600
It's broad retrieval plus synthesis plus action.

1176
00:53:12,600 --> 00:53:13,640
That's the difference.

1177
00:53:13,640 --> 00:53:16,520
When an agent can read widely, it can also act widely,

1178
00:53:16,520 --> 00:53:19,320
because tool invocation chains across whatever it can see.

1179
00:53:19,320 --> 00:53:22,360
So least privilege has two benefits at the same time.

1180
00:53:22,360 --> 00:53:25,080
It shrinks blast radius and it improves relevance.

1181
00:53:25,080 --> 00:53:28,680
Fewer eligible artifacts means less noise for retrieval,

1182
00:53:28,680 --> 00:53:30,440
less accidental contradiction,

1183
00:53:30,440 --> 00:53:34,360
and fewer opportunities for an injected document to get pulled into the reasoning space.

1184
00:53:34,360 --> 00:53:37,400
But least privilege also has a second requirement that people avoid.

1185
00:53:37,400 --> 00:53:38,920
You need explicit toolgating.

1186
00:53:38,920 --> 00:53:41,560
It's not enough to say the agent has read only access.

1187
00:53:41,560 --> 00:53:44,680
If the agent can call a connector that can send mail,

1188
00:53:44,680 --> 00:53:48,040
create sharing links, update dataverse or open tickets,

1189
00:53:48,040 --> 00:53:51,240
then read access becomes right impact through in direction.

1190
00:53:51,240 --> 00:53:52,760
So the design law is simple.

1191
00:53:52,760 --> 00:53:56,440
Separate read scopes from action scopes and keep action scopes narrow,

1192
00:53:56,440 --> 00:53:58,120
time bound and workflow specific.

1193
00:53:58,120 --> 00:54:00,440
That's where entry becomes more than sign in.

1194
00:54:00,440 --> 00:54:04,520
It's where identity starts behaving like a control plane for agentic systems.

1195
00:54:04,520 --> 00:54:07,880
Scoped permissions, conditional access and lifecycle governance

1196
00:54:07,880 --> 00:54:10,680
for the non-human identities you're about to create.

1197
00:54:10,680 --> 00:54:13,880
Service principles, managed identities, agent identities,

1198
00:54:13,880 --> 00:54:15,880
whatever your architecture calls them.

1199
00:54:15,880 --> 00:54:19,320
Then comes continuous access evaluation and this is the one most architects under use

1200
00:54:19,320 --> 00:54:21,160
because it sounds like an orth detail.

1201
00:54:21,160 --> 00:54:23,400
CIE is operational hygiene for autonomy.

1202
00:54:23,400 --> 00:54:27,160
In a static system you can tolerate the gap between access was valid

1203
00:54:27,160 --> 00:54:29,320
and access should no longer be valid.

1204
00:54:29,320 --> 00:54:32,680
In an agentic system that gap becomes an exploitation window.

1205
00:54:32,680 --> 00:54:35,480
If a user gets disabled, if a session is marked risky,

1206
00:54:35,480 --> 00:54:37,720
if a conditional access policy changes,

1207
00:54:37,720 --> 00:54:41,320
or if device compliance fails, you need access to collapse immediately,

1208
00:54:41,320 --> 00:54:42,680
not a token expiry.

1209
00:54:42,680 --> 00:54:43,880
That's what CIE is doing.

1210
00:54:43,880 --> 00:54:46,440
It turns revocation into a runtime control

1211
00:54:46,440 --> 00:54:49,160
and it changes the architecture of your agent execution.

1212
00:54:49,160 --> 00:54:51,640
Your agent has to handle claims challenges.

1213
00:54:51,640 --> 00:54:54,840
It has to expect that a long running task can lose authority mid-flight.

1214
00:54:54,840 --> 00:54:56,920
It has to fail closed, not fail forward,

1215
00:54:56,920 --> 00:54:59,400
no caching because it worked five minutes ago.

1216
00:54:59,400 --> 00:55:02,440
No background retreats that keep pushing until the platform relents.

1217
00:55:02,440 --> 00:55:03,960
If the identity posture changes,

1218
00:55:03,960 --> 00:55:06,440
the agent stops, records state and escalates

1219
00:55:06,440 --> 00:55:10,200
because autonomy without real-time revocation is just deferred breach response.

1220
00:55:10,200 --> 00:55:11,000
Now provenance.

1221
00:55:11,000 --> 00:55:13,560
Provenance is the guardrail that makes audits possible

1222
00:55:13,560 --> 00:55:16,280
and makes incident response not feel like archaeology.

1223
00:55:16,280 --> 00:55:19,880
Provenance means the system can show what sources influence the output,

1224
00:55:19,880 --> 00:55:22,200
which ones were authoritative versus advisory,

1225
00:55:22,200 --> 00:55:23,880
what was retrieved but rejected,

1226
00:55:23,880 --> 00:55:26,680
and which policy checks allowed the action to proceed.

1227
00:55:26,680 --> 00:55:29,560
Not a poetic summary of, I looked at several documents,

1228
00:55:29,560 --> 00:55:30,440
an evidence trail.

1229
00:55:30,440 --> 00:55:33,320
This is how citations or silence evolves

1230
00:55:33,320 --> 00:55:36,040
from an answer quality tactic into a governance control.

1231
00:55:36,040 --> 00:55:37,720
If the system can't name its sources,

1232
00:55:37,720 --> 00:55:39,000
it can't be trusted to act.

1233
00:55:39,000 --> 00:55:41,640
If it can name its sources but can't classify them,

1234
00:55:41,640 --> 00:55:44,760
internal versus external labeled versus unlabelled,

1235
00:55:44,760 --> 00:55:46,360
current versus stale,

1236
00:55:46,360 --> 00:55:50,280
then you still can't trust it because you can't tell whether it respected the boundary.

1237
00:55:50,280 --> 00:55:55,480
Provenance also enables something leadership always asks for and rarely funds.

1238
00:55:55,480 --> 00:55:56,360
Rollback.

1239
00:55:56,360 --> 00:55:59,240
If an agent took an action chain based on poisoned context,

1240
00:55:59,240 --> 00:56:00,920
you need to know which records it touched,

1241
00:56:00,920 --> 00:56:03,640
which tools it invoked and which evidence it relied on

1242
00:56:03,640 --> 00:56:06,360
so you can unwind the change and quarantine the source.

1243
00:56:06,360 --> 00:56:07,640
That's not nice to have that.

1244
00:56:07,640 --> 00:56:12,280
That's the minimum requirement for letting a probabilistic system mutate enterprise state,

1245
00:56:12,280 --> 00:56:14,600
so the combined Godrail model is blunt.

1246
00:56:14,600 --> 00:56:17,720
Least privilege defines what the system is allowed to see and do.

1247
00:56:17,720 --> 00:56:20,600
CIE defines when that permission evaporates in real time.

1248
00:56:20,600 --> 00:56:22,360
Provenance proves what actually happened

1249
00:56:22,360 --> 00:56:24,520
so you can govern drift and recover from failure.

1250
00:56:24,520 --> 00:56:26,200
Everything else is suggestion

1251
00:56:26,200 --> 00:56:29,400
and suggestion is how context attacks become headlines.

1252
00:56:29,400 --> 00:56:31,640
Drift.

1253
00:56:31,640 --> 00:56:33,400
The slow decay of intent.

1254
00:56:33,400 --> 00:56:36,200
Drift is the part of enterprise AI that nobody demos

1255
00:56:36,200 --> 00:56:37,480
because it doesn't fail loudly.

1256
00:56:37,480 --> 00:56:38,520
It fails politely.

1257
00:56:38,520 --> 00:56:40,200
Week by week, decision by decision,

1258
00:56:40,200 --> 00:56:43,800
until the output still sounds competent but no longer matches intent.

1259
00:56:43,800 --> 00:56:47,000
That distinction matters because drift isn't the model getting worse.

1260
00:56:47,000 --> 00:56:48,840
Drift is the system environment moving

1261
00:56:48,840 --> 00:56:50,760
while your assumptions stay frozen.

1262
00:56:50,760 --> 00:56:53,720
And in Microsoft 365, the environment moves constantly.

1263
00:56:53,720 --> 00:56:56,440
Teams reorganize, owners change, sites sprawl,

1264
00:56:56,440 --> 00:56:59,640
labels get applied inconsistently, policies get rewritten,

1265
00:56:59,640 --> 00:57:02,440
and the people who knew why a control existed leave.

1266
00:57:02,440 --> 00:57:03,720
The tenant keeps working.

1267
00:57:03,720 --> 00:57:05,160
The governance story doesn't.

1268
00:57:05,160 --> 00:57:07,880
This is why it worked in the pilot is meaningless.

1269
00:57:07,880 --> 00:57:11,240
Pilots run on handheld context, curated sites,

1270
00:57:11,240 --> 00:57:13,640
known participants, clean permissions,

1271
00:57:13,640 --> 00:57:15,880
and a small slice of organizational reality.

1272
00:57:15,880 --> 00:57:17,320
Production runs on entropy.

1273
00:57:17,320 --> 00:57:20,520
Production is where every undocumented exception shows up

1274
00:57:20,520 --> 00:57:23,160
and where every temporary workaround becomes permanent.

1275
00:57:23,160 --> 00:57:24,840
Drift comes in multiple flavors

1276
00:57:24,840 --> 00:57:26,520
and the dangerous part is that they compound.

1277
00:57:26,520 --> 00:57:28,680
Context drift is the obvious one.

1278
00:57:28,680 --> 00:57:30,920
The sources the system retrieves become stale,

1279
00:57:30,920 --> 00:57:32,600
duplicated or contradictory.

1280
00:57:32,600 --> 00:57:33,800
The procedure got updated

1281
00:57:33,800 --> 00:57:35,720
but the old version still ranks higher

1282
00:57:35,720 --> 00:57:37,320
because it has more engagement.

1283
00:57:37,320 --> 00:57:39,320
The final deck is buried under three drafts

1284
00:57:39,320 --> 00:57:41,000
that got shared more widely.

1285
00:57:41,000 --> 00:57:42,440
The decision happened in a meeting,

1286
00:57:42,440 --> 00:57:44,920
but the meeting artifact got stored somewhere random,

1287
00:57:44,920 --> 00:57:47,960
so the system reconstructs it from email fragments.

1288
00:57:47,960 --> 00:57:49,320
Policy drift is subtler.

1289
00:57:49,320 --> 00:57:50,920
Conditional access evolves.

1290
00:57:50,920 --> 00:57:53,400
Data loss prevention rules get exceptions.

1291
00:57:53,400 --> 00:57:55,400
External sharing gets loosened for a project

1292
00:57:55,400 --> 00:57:56,680
then never tightened.

1293
00:57:56,680 --> 00:57:58,520
Sensitivity labels get introduced,

1294
00:57:58,520 --> 00:58:00,520
then half the organization ignores them

1295
00:58:00,520 --> 00:58:02,760
because nobody enforced defaults.

1296
00:58:02,760 --> 00:58:05,320
Eventually the same question asked by two users

1297
00:58:05,320 --> 00:58:06,520
yields different results

1298
00:58:06,520 --> 00:58:08,920
because the policy substrate is no longer coherent,

1299
00:58:08,920 --> 00:58:11,400
naming drift sounds petty until it breaks retrieval.

1300
00:58:11,400 --> 00:58:13,880
Teams rename projects, channels get repurposed,

1301
00:58:13,880 --> 00:58:15,320
acronyms change.

1302
00:58:15,320 --> 00:58:17,000
Incident becomes major incident,

1303
00:58:17,000 --> 00:58:18,440
becomes service interruption

1304
00:58:18,440 --> 00:58:20,680
because someone wanted better optics.

1305
00:58:20,680 --> 00:58:23,720
Retrieval and relevance windows depend on stable vocabulary

1306
00:58:23,720 --> 00:58:26,680
but enterprises treat vocabulary like personal expression.

1307
00:58:26,680 --> 00:58:28,920
Ownership drift is the one that kills governance.

1308
00:58:28,920 --> 00:58:32,200
Sites have owners in theory and abandoned permissions in reality.

1309
00:58:32,200 --> 00:58:35,720
Dataverse tables exist but no one owns the state model as a contract.

1310
00:58:35,720 --> 00:58:38,520
Fabric reports exist but no one owns the feedback loop

1311
00:58:38,520 --> 00:58:40,520
that turns analytics into policy changes.

1312
00:58:40,520 --> 00:58:42,680
So the system accumulates intelligence

1313
00:58:42,680 --> 00:58:44,680
but nobody has authority to act on it.

1314
00:58:44,680 --> 00:58:47,400
This is why output checking doesn't work as a drift strategy.

1315
00:58:47,400 --> 00:58:50,360
Enterprises keep trying to govern by sampling outputs,

1316
00:58:50,360 --> 00:58:52,360
review a few copilot responses,

1317
00:58:52,360 --> 00:58:53,880
spot check a few agent runs,

1318
00:58:53,880 --> 00:58:56,200
and declare it acceptable.

1319
00:58:56,200 --> 00:58:57,640
That's governance theatre.

1320
00:58:57,640 --> 00:58:59,800
Drift doesn't show up consistently in outputs.

1321
00:58:59,800 --> 00:59:02,360
It shows up in behavior, what the system retrieved,

1322
00:59:02,360 --> 00:59:04,840
what it ignored, what it attempted to do,

1323
00:59:04,840 --> 00:59:06,120
how often it escalated,

1324
00:59:06,120 --> 00:59:08,680
how often it retried and where it wrote it work.

1325
00:59:08,680 --> 00:59:11,240
Behavioral evaluation is the only thing that scales.

1326
00:59:11,240 --> 00:59:14,520
You measure the system like you would measure a distributed service.

1327
00:59:14,520 --> 00:59:16,680
Exception rates, time to resolution,

1328
00:59:16,680 --> 00:59:19,240
escalation frequency, evidence coverage,

1329
00:59:19,240 --> 00:59:22,040
tool invocation patterns and permission faults.

1330
00:59:22,040 --> 00:59:26,920
Not did it sound right but did it act within the context boundary we designed.

1331
00:59:26,920 --> 00:59:28,600
Now the uncomfortable truth.

1332
00:59:28,600 --> 00:59:33,160
Drift accelerates when you treat prompts, policies and connectors as informal artifacts.

1333
00:59:33,160 --> 00:59:35,320
If you don't version them you can't control change.

1334
00:59:35,320 --> 00:59:37,240
If you can't control change you can't roll back.

1335
00:59:37,240 --> 00:59:40,360
And if you can't roll back every improvement becomes a one-way door.

1336
00:59:40,360 --> 00:59:42,840
So versioning becomes a first class capability.

1337
00:59:42,840 --> 00:59:45,720
Prompts, grounding rules, relevance windows,

1338
00:59:45,720 --> 00:59:49,560
connector configurations and orchestration policies need explicit versions

1339
00:59:49,560 --> 00:59:52,680
with owners, with change logs, and with roll back parts.

1340
00:59:52,680 --> 00:59:54,040
Not because it's elegant.

1341
00:59:54,040 --> 00:59:57,960
Because the alternative is debugging a living system with no memory of who changed what.

1342
00:59:57,960 --> 01:00:02,200
This is also where audit stops being a compliance exercise and becomes a drift detector.

1343
01:00:02,200 --> 01:00:07,320
If you can trace which sources influence decisions over time you can see when the system starts

1344
01:00:07,320 --> 01:00:08,520
leaning on different evidence.

1345
01:00:08,520 --> 01:00:13,400
If you can trace which identities access which context you can see when permissions drift

1346
01:00:13,400 --> 01:00:14,680
expands eligibility.

1347
01:00:14,680 --> 01:00:20,040
If you can trace which workflows generate the most exceptions you can see where state models no longer

1348
01:00:20,040 --> 01:00:21,000
match reality.

1349
01:00:21,000 --> 01:00:23,560
And once you can see drift you can govern it.

1350
01:00:23,560 --> 01:00:27,720
Not by freezing the system but by accepting that autonomy is entropy management.

1351
01:00:27,720 --> 01:00:30,200
You don't eliminate drift, you detect it early,

1352
01:00:30,200 --> 01:00:33,160
constrain its blast radius and correct it with control changes.

1353
01:00:33,160 --> 01:00:36,840
Because in an autonomous enterprise the most dangerous system is not the one that fails.

1354
01:00:36,840 --> 01:00:40,120
It's the one that keeps working while it slowly stops obeying you.

1355
01:00:40,120 --> 01:00:41,240
Context governance.

1356
01:00:41,240 --> 01:00:43,320
Turning trust into an operating model.

1357
01:00:43,320 --> 01:00:44,360
Drift is inevitable.

1358
01:00:44,360 --> 01:00:45,240
That's not pessimism.

1359
01:00:45,240 --> 01:00:49,960
That's how tenants behave once they scale past a few discipline teams and a few passionate owners.

1360
01:00:49,960 --> 01:00:52,600
So the only serious question is whether the organization governs

1361
01:00:52,600 --> 01:00:56,120
context like an operating model or whether it governs it like a project.

1362
01:00:56,120 --> 01:00:59,800
A burst of effort, a set of slides and a slow slide back into entropy.

1363
01:00:59,800 --> 01:01:03,960
Context governance is not a committee that reviews AI outputs.

1364
01:01:03,960 --> 01:01:08,920
It is the set of enforcement mechanisms that keep your context substrate trustworthy over time.

1365
01:01:08,920 --> 01:01:10,360
Freshness.

1366
01:01:10,360 --> 01:01:12,280
Permission correctness.

1367
01:01:12,280 --> 01:01:13,720
Providence.

1368
01:01:13,720 --> 01:01:15,160
Drift detection.

1369
01:01:15,160 --> 01:01:16,520
And escalation.

1370
01:01:16,520 --> 01:01:22,280
When the system encounters ambiguity it is not allowed to solve with creativity.

1371
01:01:23,240 --> 01:01:26,360
The first move is to stop treating context as a single thing.

1372
01:01:26,360 --> 01:01:29,480
Governance has to map to the same layer boundaries you're building.

1373
01:01:29,480 --> 01:01:33,960
If you can't name the owners of memory state learning and interaction you don't have governance.

1374
01:01:33,960 --> 01:01:35,800
You have vibes plus an admin portal.

1375
01:01:35,800 --> 01:01:37,800
So governance starts with ownership.

1376
01:01:37,800 --> 01:01:41,000
Graph memory needs an owner model that is accountable for.

1377
01:01:41,000 --> 01:01:46,200
Content container hygiene, life cycle policies and what authoritative means in each domain.

1378
01:01:46,200 --> 01:01:47,240
Not at a global level.

1379
01:01:47,240 --> 01:01:50,200
At the workflow level who owns the incident knowledge base,

1380
01:01:50,200 --> 01:01:52,120
who owns the procurement procedure library,

1381
01:01:52,120 --> 01:01:54,040
who owns the HR policy corpus.

1382
01:01:54,040 --> 01:01:57,000
If the answer is everyone then the system is onerless.

1383
01:01:57,000 --> 01:01:58,120
That means it will rot.

1384
01:01:58,120 --> 01:02:01,400
Dataverse state needs a product owner because state is a contract.

1385
01:02:01,400 --> 01:02:04,600
Somebody has to own the entity model, the status transitions,

1386
01:02:04,600 --> 01:02:07,240
the refusal conditions and the approval gates.

1387
01:02:07,240 --> 01:02:13,000
If the state machine can change without review you've just created a silent bypass for autonomy.

1388
01:02:13,000 --> 01:02:16,440
Fabric learning needs an owner that is responsible for closing loops.

1389
01:02:16,440 --> 01:02:19,000
Turning analytics into updated relevance windows,

1390
01:02:19,000 --> 01:02:21,000
rooting rules and exception handling.

1391
01:02:21,000 --> 01:02:23,640
If fabric only produces dashboards, it's not a learning layer,

1392
01:02:23,640 --> 01:02:27,960
it's a reporting cost and co-pilot interaction needs an owner who is responsible

1393
01:02:27,960 --> 01:02:29,240
for the human boundary.

1394
01:02:29,240 --> 01:02:31,240
What the system can do automatically.

1395
01:02:31,240 --> 01:02:34,200
What requires confirmation, what requires approval,

1396
01:02:34,200 --> 01:02:35,880
and what must be blocked by design.

1397
01:02:35,880 --> 01:02:41,000
This is where AI policy becomes real because it becomes enforceable behaviors,

1398
01:02:41,000 --> 01:02:42,040
not training posters.

1399
01:02:42,040 --> 01:02:45,480
Now, once ownership exists governance becomes a set of lanes.

1400
01:02:45,480 --> 01:02:48,840
You define tiered autonomy lanes that match risk, not ambition.

1401
01:02:48,840 --> 01:02:53,000
A low-risk lane is where the system can draft, summarize, classify and root.

1402
01:02:53,000 --> 01:02:55,720
With auditable logs and no irreversible actions,

1403
01:02:55,720 --> 01:02:59,400
a medium-risk lane is where the system can execute bounded actions,

1404
01:02:59,400 --> 01:03:01,640
create tickets, update-known fields,

1405
01:03:01,640 --> 01:03:05,720
notify stakeholders under explicit scoping and rollback capability.

1406
01:03:05,720 --> 01:03:08,680
A high-risk lane is where the system can only recommend,

1407
01:03:08,680 --> 01:03:11,880
assemble evidence and escalate to a named approver.

1408
01:03:11,880 --> 01:03:15,640
This matters because autonomous enterprise does not mean everything automated.

1409
01:03:15,640 --> 01:03:17,720
It means automation is proportional to liability.

1410
01:03:17,720 --> 01:03:20,920
Then you define evidence standards because trust isn't a feeling.

1411
01:03:20,920 --> 01:03:21,960
It's a rule set.

1412
01:03:21,960 --> 01:03:25,480
For certain workflows, the system must side sources or abstain.

1413
01:03:25,480 --> 01:03:29,240
For others, it can act on state alone because the state is the source of truth.

1414
01:03:29,240 --> 01:03:34,040
For still others, it can only proceed if evidence is both authoritative and fresh.

1415
01:03:34,040 --> 01:03:36,920
Reviewed within a declared window, labeled correctly,

1416
01:03:36,920 --> 01:03:38,920
and retrieved from the governed container.

1417
01:03:38,920 --> 01:03:42,440
And you make that standard explicit when the system cannot meet the standard,

1418
01:03:42,440 --> 01:03:46,680
it refuses and escalates, not because it's safe, because it is controlled.

1419
01:03:46,680 --> 01:03:49,400
The next piece is drift detection as a continuous control.

1420
01:03:49,400 --> 01:03:54,040
You don't wait for a quarterly review to discover that permissions sprawl expanded eligibility

1421
01:03:54,040 --> 01:03:58,680
or that your relevance window quietly widened because new content sources appeared.

1422
01:03:58,680 --> 01:04:03,000
You instrument it, permission fault rates, exception rates, escalation frequency,

1423
01:04:03,000 --> 01:04:04,840
evidence coverage and provenance gaps.

1424
01:04:04,840 --> 01:04:06,360
Those aren't AI metrics.

1425
01:04:06,360 --> 01:04:08,120
Those are context integrity metrics.

1426
01:04:08,120 --> 01:04:10,520
And the final piece is the escalation model,

1427
01:04:10,520 --> 01:04:13,960
because governance without escalation is just documentation.

1428
01:04:13,960 --> 01:04:18,600
Escalation needs named paths, who gets notified when a workflow hits missing evidence,

1429
01:04:18,600 --> 01:04:22,280
conflicting evidence or policy violations, and escalation needs time.

1430
01:04:22,280 --> 01:04:26,680
If nobody responds, the system must either pause safely or root to an alternate approver.

1431
01:04:26,680 --> 01:04:31,880
Otherwise, the agent becomes a nagging bot and humans root around it and governance collapses.

1432
01:04:31,880 --> 01:04:36,200
This is the operating model, clear ownership, tiered lanes, explicit evidence standards,

1433
01:04:36,200 --> 01:04:39,400
continuous drift detection and enforced escalation.

1434
01:04:39,400 --> 01:04:42,600
And once you have that, trust stops being an argument about whether

1435
01:04:42,600 --> 01:04:45,880
co-pilot is good, trust becomes a property of the architecture,

1436
01:04:45,880 --> 01:04:49,160
which is the only kind of trust an enterprise can defend in an audit.

1437
01:04:49,160 --> 01:04:54,520
Case study, industrial manufacturing, reframed as context redesign,

1438
01:04:54,520 --> 01:04:58,760
take a global industrial manufacturing organization with a familiar symptom,

1439
01:04:58,760 --> 01:05:01,560
average issue resolution sat at 72 hours.

1440
01:05:01,560 --> 01:05:05,480
Not because the engineers were slow, because the enterprise ran the workflow

1441
01:05:05,480 --> 01:05:08,360
through human memory, email archaeology and team's thread roulette,

1442
01:05:08,360 --> 01:05:11,960
a line went down, someone opened a ticket, then the real work started.

1443
01:05:12,440 --> 01:05:14,680
Who owns this system? What changed?

1444
01:05:14,680 --> 01:05:17,160
What was the last approved configuration?

1445
01:05:17,160 --> 01:05:19,240
Which vendor is on the hook?

1446
01:05:19,240 --> 01:05:21,240
What did we decide the last time this happened?

1447
01:05:21,240 --> 01:05:22,520
None of that lived in one place.

1448
01:05:22,520 --> 01:05:25,000
It lived in people, in inboxes, in a spreadsheet,

1449
01:05:25,000 --> 01:05:26,600
someone trusted until they retired.

1450
01:05:26,600 --> 01:05:30,440
Leadership saw this and concluded they needed AI for faster troubleshooting.

1451
01:05:30,440 --> 01:05:31,160
And they were wrong.

1452
01:05:31,160 --> 01:05:32,840
They needed context architecture,

1453
01:05:32,840 --> 01:05:34,920
so troubleshooting had a substrate to stand on.

1454
01:05:34,920 --> 01:05:37,560
The intervention wasn't framed as deploy co-pilot.

1455
01:05:37,560 --> 01:05:40,440
It was framed as unify identity context,

1456
01:05:40,440 --> 01:05:42,360
engineer organizational memory,

1457
01:05:42,360 --> 01:05:44,840
track operational state, then add a learning loop.

1458
01:05:44,840 --> 01:05:47,560
Only after that do you add an interaction surface.

1459
01:05:47,560 --> 01:05:49,320
Start with identity and memory.

1460
01:05:49,320 --> 01:05:50,680
Entra plus graph.

1461
01:05:50,680 --> 01:05:54,680
The organization didn't have a single reliable mapping between a production line incident

1462
01:05:54,680 --> 01:05:57,240
and the humans, systems, documents,

1463
01:05:57,240 --> 01:05:58,760
and prior decisions that mattered.

1464
01:05:58,760 --> 01:06:01,240
Graph already contained signals.

1465
01:06:01,240 --> 01:06:04,360
Maintenance meetings, shift hand-over notes, files,

1466
01:06:04,360 --> 01:06:06,040
work orders attached to emails,

1467
01:06:06,040 --> 01:06:09,800
recurring team's chats and the real social structure of who asks who,

1468
01:06:09,800 --> 01:06:11,080
when the line is down.

1469
01:06:11,080 --> 01:06:13,720
But those signals were not being treated as an engineered asset.

1470
01:06:13,720 --> 01:06:17,000
So the first redesign move was to collapse the scattered work artifacts

1471
01:06:17,000 --> 01:06:19,480
into governed containers with stable ownership

1472
01:06:19,480 --> 01:06:23,000
and then let graph reflect reality with fewer broken edges,

1473
01:06:23,000 --> 01:06:26,600
fewer orphaned sites, fewer everyone has access groups,

1474
01:06:26,600 --> 01:06:30,120
fewer random shares that made retrieval noisy and dangerous.

1475
01:06:30,120 --> 01:06:32,120
Then they treated permissions like a compiler.

1476
01:06:32,120 --> 01:06:35,640
They ran permission trimming specifically for the incident response domain,

1477
01:06:35,640 --> 01:06:39,320
reduce overshared libraries, fix inheritance where it had drifted,

1478
01:06:39,320 --> 01:06:43,320
and eliminate the classic pattern where a broad operational group had read access

1479
01:06:43,320 --> 01:06:45,240
to everything just in case.

1480
01:06:45,240 --> 01:06:49,000
That single decision did two things at once.

1481
01:06:49,000 --> 01:06:52,200
Reduced AI oversharing risk and improved groundedness

1482
01:06:52,200 --> 01:06:53,800
by reducing eligible noise.

1483
01:06:53,800 --> 01:06:55,560
Next operational state in Dytiverse.

1484
01:06:55,560 --> 01:06:59,240
Before Dytiverse, state lived in a ticketing system plus human coordination.

1485
01:06:59,240 --> 01:07:01,000
The ticket told you a status.

1486
01:07:01,000 --> 01:07:02,600
It didn't tell you the real truth,

1487
01:07:02,600 --> 01:07:05,080
which approvals were granted, which exception was active,

1488
01:07:05,080 --> 01:07:06,840
which vendor response was pending,

1489
01:07:06,840 --> 01:07:10,120
which workaround was authorized and who was accountable right now.

1490
01:07:10,120 --> 01:07:12,040
So they built a simple state contract,

1491
01:07:12,040 --> 01:07:13,560
not a giant transformation program.

1492
01:07:13,560 --> 01:07:16,760
A state model with the minimum entities required to stop the loop.

1493
01:07:16,760 --> 01:07:19,720
Incident, impacted asset, owner, current step,

1494
01:07:19,720 --> 01:07:22,440
SLA approval gates, exceptions, and escalation path.

1495
01:07:22,440 --> 01:07:24,840
Now the workflow could be replayed deterministically,

1496
01:07:24,840 --> 01:07:27,400
the system didn't need to infer whether an approval happened.

1497
01:07:27,400 --> 01:07:29,480
It could check, it didn't need to guess who owned the next step,

1498
01:07:29,480 --> 01:07:30,200
it could read it.

1499
01:07:30,200 --> 01:07:32,600
And when the workflow hit a refusal condition,

1500
01:07:32,600 --> 01:07:34,760
missing evidence, conflicting procedure versions,

1501
01:07:34,760 --> 01:07:37,160
or an action that required a human signature,

1502
01:07:37,160 --> 01:07:39,320
the system escalated instead of improvising.

1503
01:07:39,320 --> 01:07:42,040
Then analytical memory and fabric,

1504
01:07:42,040 --> 01:07:44,520
they captured the signals the business never had.

1505
01:07:44,520 --> 01:07:46,520
Time spent in each workflow state,

1506
01:07:46,520 --> 01:07:48,680
which steps produced the most exceptions,

1507
01:07:48,680 --> 01:07:50,280
which incidents reopened,

1508
01:07:50,280 --> 01:07:53,880
which evidence sources were repeatedly retrieved but never cited,

1509
01:07:53,880 --> 01:07:56,360
and where the same problem reappeared with different labels.

1510
01:07:56,360 --> 01:07:58,520
Fabric didn't optimize the plant,

1511
01:07:58,520 --> 01:08:01,320
though it exposed where the organization was lying to itself.

1512
01:08:01,320 --> 01:08:02,280
It showed, for example,

1513
01:08:02,280 --> 01:08:04,200
that certain approvals were pure theatre,

1514
01:08:04,200 --> 01:08:05,960
always granted, always late,

1515
01:08:05,960 --> 01:08:07,080
and always the bottleneck.

1516
01:08:07,080 --> 01:08:09,720
It showed that a specific set of procedures caused delays

1517
01:08:09,720 --> 01:08:10,760
because they were stale,

1518
01:08:10,760 --> 01:08:13,640
contradicted by newer practices and still socially dominant.

1519
01:08:13,640 --> 01:08:16,680
Those insights fed back into the relevance windows and governance.

1520
01:08:16,680 --> 01:08:19,160
Old procedures became ineligible by default.

1521
01:08:19,160 --> 01:08:21,560
Ownership got assigned, review dates became real.

1522
01:08:21,560 --> 01:08:24,520
The system stopped treating archives as decision-grade evidence,

1523
01:08:24,520 --> 01:08:27,640
only after all of that did co-pilot enter the narrative.

1524
01:08:27,640 --> 01:08:30,040
Co-pilot's role was deliberately constrained.

1525
01:08:30,040 --> 01:08:31,640
Synthesis, recommendation,

1526
01:08:31,640 --> 01:08:33,880
evidence assembly, and escalation prompts.

1527
01:08:33,880 --> 01:08:37,000
Not final decisions, not autonomous actions on production systems.

1528
01:08:37,000 --> 01:08:40,040
The interaction layer served the humans supervising the flow,

1529
01:08:40,040 --> 01:08:41,320
not the other way around.

1530
01:08:41,320 --> 01:08:43,080
The result was not better answers.

1531
01:08:43,080 --> 01:08:44,280
It was fewer loops,

1532
01:08:44,280 --> 01:08:47,800
average resolution time dropped from 72 hours to 28.

1533
01:08:47,800 --> 01:08:50,120
Coordination threads dropped by roughly 40%

1534
01:08:50,120 --> 01:08:52,840
because people stopped re-asking basic state questions.

1535
01:08:52,840 --> 01:08:55,560
Duplicated workflows dropped by about 30%

1536
01:08:55,560 --> 01:08:58,440
because the system could see existing cases in their status,

1537
01:08:58,440 --> 01:09:00,520
and audit preparation time was cut in half

1538
01:09:00,520 --> 01:09:02,680
because provenance and state were already recorded

1539
01:09:02,680 --> 01:09:04,280
as part of normal execution,

1540
01:09:04,280 --> 01:09:06,120
not reconstructed during panic week.

1541
01:09:06,120 --> 01:09:08,040
The outcome wasn't a smarter enterprise.

1542
01:09:08,040 --> 01:09:09,560
There was a less ambiguous one.

1543
01:09:09,560 --> 01:09:11,320
Autonomy didn't remove humans.

1544
01:09:11,320 --> 01:09:12,840
It moved them up the stack,

1545
01:09:12,840 --> 01:09:15,960
from context reconstruction to context supervision.

1546
01:09:15,960 --> 01:09:18,520
What leaders get wrong when they scale co-pilot?

1547
01:09:18,520 --> 01:09:20,920
Leaders usually don't fail at scaling co-pilot

1548
01:09:20,920 --> 01:09:22,280
because they lack ambition.

1549
01:09:22,280 --> 01:09:24,440
They fail because they scale the visible layer

1550
01:09:24,440 --> 01:09:26,760
and ignore the substrate that makes it behave.

1551
01:09:26,760 --> 01:09:29,480
The first mistake is treating licensing as strategy.

1552
01:09:29,480 --> 01:09:30,920
Procurement loves this mistake.

1553
01:09:30,920 --> 01:09:32,680
It feels decisive by more seats,

1554
01:09:32,680 --> 01:09:34,840
watch usage climb, declare momentum,

1555
01:09:34,840 --> 01:09:36,920
but licensing only changes who can ask questions.

1556
01:09:36,920 --> 01:09:39,000
It doesn't change whether the tenant can answer them

1557
01:09:39,000 --> 01:09:40,920
with evidence, with permission, correctness,

1558
01:09:40,920 --> 01:09:42,440
and with stable definitions.

1559
01:09:42,440 --> 01:09:43,960
So leaders end up measuring adoption

1560
01:09:43,960 --> 01:09:46,120
while the organization quietly trains itself

1561
01:09:46,120 --> 01:09:47,480
to work around the system.

1562
01:09:47,480 --> 01:09:50,360
Co-pilot's fine for drafts, but don't trust it.

1563
01:09:50,360 --> 01:09:51,160
That's not success.

1564
01:09:51,160 --> 01:09:52,920
That's normalized distrust with a renewal.

1565
01:09:52,920 --> 01:09:54,840
The second mistake is treating prompt training

1566
01:09:54,840 --> 01:09:56,120
as the primary lever,

1567
01:09:56,120 --> 01:09:58,520
prompting looks like leverage because it's immediate.

1568
01:09:58,520 --> 01:10:00,520
Run workshops, publish templates,

1569
01:10:00,520 --> 01:10:02,520
share top prompts for managers.

1570
01:10:02,520 --> 01:10:04,600
And yes, it helps people communicate intent,

1571
01:10:04,600 --> 01:10:06,520
but it doesn't fix context fragmentation.

1572
01:10:06,520 --> 01:10:07,960
It doesn't fix stale procedures.

1573
01:10:07,960 --> 01:10:09,720
It doesn't fix overshared libraries.

1574
01:10:09,720 --> 01:10:11,480
It doesn't fix broken inheritance.

1575
01:10:11,480 --> 01:10:14,120
It doesn't fix the fact that half the organization stores

1576
01:10:14,120 --> 01:10:17,480
decision-grade work in personal one drive with ambiguous naming.

1577
01:10:17,480 --> 01:10:19,400
So prompt programs become a mask.

1578
01:10:19,400 --> 01:10:22,120
The enterprise gets slightly better at asking for answers.

1579
01:10:22,120 --> 01:10:25,160
It does not get better at making those answers defensible.

1580
01:10:25,160 --> 01:10:28,600
The third mistake is scaling agents before scoping tools.

1581
01:10:28,600 --> 01:10:31,400
Executives here agent and assume automation,

1582
01:10:31,400 --> 01:10:33,400
then ask why the organization isn't using it

1583
01:10:33,400 --> 01:10:35,960
for approvals on boarding procurement, incident response,

1584
01:10:35,960 --> 01:10:37,080
and customer coms.

1585
01:10:37,080 --> 01:10:39,240
The problem is that tool access is where autonomy

1586
01:10:39,240 --> 01:10:40,600
becomes liability.

1587
01:10:40,600 --> 01:10:42,840
If an agent can read broadly and act broadly,

1588
01:10:42,840 --> 01:10:44,360
you've built a high-speed pathway

1589
01:10:44,360 --> 01:10:47,160
from retrieval mistakes to real-world consequences.

1590
01:10:47,160 --> 01:10:49,320
The enterprise then reacts the way it always reacts.

1591
01:10:49,320 --> 01:10:50,520
It adds exceptions.

1592
01:10:50,520 --> 01:10:51,720
Entropy generators.

1593
01:10:51,720 --> 01:10:53,480
This one team needs broad access.

1594
01:10:53,480 --> 01:10:57,560
This workflow can bypass the approval in emergencies.

1595
01:10:57,560 --> 01:11:00,440
This connector is fine because the vendor is trusted.

1596
01:11:00,440 --> 01:11:03,480
Over time, the autonomy layer becomes conditional chaos.

1597
01:11:03,480 --> 01:11:04,520
Lots of rules.

1598
01:11:04,520 --> 01:11:05,880
No enforceable intent.

1599
01:11:05,880 --> 01:11:08,600
And an execution surface that's impossible to audit.

1600
01:11:08,600 --> 01:11:10,440
The fourth mistake is ignoring oversharing

1601
01:11:10,440 --> 01:11:11,880
until it becomes a headline.

1602
01:11:11,880 --> 01:11:15,160
Most copilot security incidents are not copilot incidents.

1603
01:11:15,160 --> 01:11:17,320
Their permission reality made observable.

1604
01:11:17,320 --> 01:11:20,280
Copilot simply retrieves what the user can already access.

1605
01:11:20,280 --> 01:11:21,320
That's the design.

1606
01:11:21,320 --> 01:11:24,680
So when leadership discovers copilot surface something embarrassing,

1607
01:11:24,680 --> 01:11:27,880
they tend to blame the assistant instead of the access model.

1608
01:11:27,880 --> 01:11:29,080
Then they overcorrect.

1609
01:11:29,080 --> 01:11:31,480
Block features disable web grounding everywhere,

1610
01:11:31,480 --> 01:11:33,160
restrict everything indiscriminately,

1611
01:11:33,160 --> 01:11:35,960
and kill value for the teams that could safely use it.

1612
01:11:35,960 --> 01:11:37,320
The stable move is boring.

1613
01:11:37,320 --> 01:11:39,400
Permission hygiene and relevant scoping.

1614
01:11:39,400 --> 01:11:40,600
Reduce eligibility.

1615
01:11:40,600 --> 01:11:41,400
Raise authority.

1616
01:11:41,400 --> 01:11:43,160
Make fewer things retrievable by default.

1617
01:11:43,160 --> 01:11:44,360
Not because secrecy is good,

1618
01:11:44,360 --> 01:11:45,960
but because noise is dangerous.

1619
01:11:45,960 --> 01:11:48,600
The fifth mistake is using the wrong success metrics.

1620
01:11:48,600 --> 01:11:50,520
Number of chats is not a business metric.

1621
01:11:50,520 --> 01:11:53,560
Neither is ours saved reported through self-assessment surveys.

1622
01:11:53,560 --> 01:11:54,760
Those are adoption signals.

1623
01:11:54,760 --> 01:11:56,120
They're not integrity signals.

1624
01:11:56,120 --> 01:11:58,680
If leaders want to scale copilot into autonomy,

1625
01:11:58,680 --> 01:12:00,840
the metrics have to shift to system behavior.

1626
01:12:00,840 --> 01:12:03,160
Reduction in rework, fewer approval loops,

1627
01:12:03,160 --> 01:12:05,560
lower exception rates, fewer duplicated workflows,

1628
01:12:05,560 --> 01:12:08,520
shorter cycle times, and quietly the most important,

1629
01:12:08,520 --> 01:12:11,720
fewer permission faults discovered in the act of using the system.

1630
01:12:11,720 --> 01:12:13,320
When those move value is real,

1631
01:12:13,320 --> 01:12:15,160
because the enterprise is less ambiguous,

1632
01:12:15,160 --> 01:12:17,240
not because the assistant is more charming.

1633
01:12:17,240 --> 01:12:19,960
And there's one mistake that sits under all the others.

1634
01:12:19,960 --> 01:12:22,680
Leaders assume scaling is a rollout problem.

1635
01:12:22,680 --> 01:12:24,680
It isn't scaling is an architecture problem.

1636
01:12:24,680 --> 01:12:27,160
It's about whether the organization can keep intent stable

1637
01:12:27,160 --> 01:12:28,520
as the environment shifts,

1638
01:12:28,520 --> 01:12:30,520
whether it can maintain freshness rules,

1639
01:12:30,520 --> 01:12:32,200
whether it can version evidence standards,

1640
01:12:32,200 --> 01:12:33,400
whether it can detect drift,

1641
01:12:33,400 --> 01:12:35,160
whether it can enforce refusal conditions

1642
01:12:35,160 --> 01:12:36,200
when evidence is missing.

1643
01:12:36,200 --> 01:12:38,200
Because if the system can't refuse, it will guess.

1644
01:12:38,200 --> 01:12:40,840
And in an enterprise, guessing doesn't just create wrong answers.

1645
01:12:40,840 --> 01:12:43,240
It creates wrong actions, wrong approvals,

1646
01:12:43,240 --> 01:12:45,400
and wrong records that live forever.

1647
01:12:45,400 --> 01:12:47,960
So when a leader says we want to scale copilot,

1648
01:12:47,960 --> 01:12:50,280
the only responsible response is to translate that

1649
01:12:50,280 --> 01:12:53,000
into an architectural commitment, scale memory quality,

1650
01:12:53,000 --> 01:12:55,000
scale state discipline, scale learning loops,

1651
01:12:55,000 --> 01:12:58,040
scale control planes, copilot scales naturally after that.

1652
01:12:58,040 --> 01:13:01,240
Before that, it scales confusion faster than it scales work.

1653
01:13:01,240 --> 01:13:03,240
The seven day context inventory.

1654
01:13:03,240 --> 01:13:05,000
So here's the part leaders usually skip

1655
01:13:05,000 --> 01:13:08,040
because it feels unglamerous, a context inventory.

1656
01:13:08,040 --> 01:13:11,240
Not a data inventory, not a we have share point inventory,

1657
01:13:11,240 --> 01:13:12,440
a context inventory.

1658
01:13:12,440 --> 01:13:15,240
Where does the enterprise actually store identity, evidence,

1659
01:13:15,240 --> 01:13:18,520
state, and learning in a way an agent can use without guessing?

1660
01:13:18,520 --> 01:13:21,160
And it has to be a seven day exercise for one reason.

1661
01:13:21,160 --> 01:13:23,000
If you can't get clarity in a week,

1662
01:13:23,000 --> 01:13:24,360
you're not doing architecture.

1663
01:13:24,360 --> 01:13:25,560
You're doing therapy.

1664
01:13:25,560 --> 01:13:28,440
You're collecting opinions until the calendar saves you

1665
01:13:28,440 --> 01:13:30,840
from making decisions.

1666
01:13:30,840 --> 01:13:33,000
This inventory has one goal.

1667
01:13:33,000 --> 01:13:37,080
Expose the top three context breaks where work loses continuity,

1668
01:13:37,080 --> 01:13:40,600
where it drops state, loses authority, or loses control.

1669
01:13:40,600 --> 01:13:42,760
Those breaks are where copilot looks random.

1670
01:13:42,760 --> 01:13:45,240
Those breaks are also where agents become dangerous.

1671
01:13:45,240 --> 01:13:46,360
Start with the first question,

1672
01:13:46,360 --> 01:13:47,880
where does identity context live?

1673
01:13:47,880 --> 01:13:50,760
Not we use Entra, everyone uses Entra.

1674
01:13:50,760 --> 01:13:54,920
Identity context means where is the current enforceable truth of who can do what,

1675
01:13:54,920 --> 01:13:56,920
from an access and risk posture perspective?

1676
01:13:56,920 --> 01:14:00,280
Which groups actually govern access to decision-grade content?

1677
01:14:00,280 --> 01:14:03,160
Which conditional access policies define the boundary conditions

1678
01:14:03,160 --> 01:14:04,680
for sensitive workflows?

1679
01:14:04,680 --> 01:14:06,360
Which roles exist in name only?

1680
01:14:06,360 --> 01:14:09,080
Which users carry historic privilege they no longer need?

1681
01:14:09,080 --> 01:14:12,200
And which non-human identities, apps, service principles,

1682
01:14:12,200 --> 01:14:15,160
connectors have permissions that nobody can justify anymore?

1683
01:14:15,160 --> 01:14:18,920
If you can't name the owner of your authorization model per workflow domain,

1684
01:14:18,920 --> 01:14:22,920
you don't have identity context, you have a directory and a pile of entitlements.

1685
01:14:22,920 --> 01:14:25,560
Second question, where is workflow state tracked?

1686
01:14:25,560 --> 01:14:26,600
Not in tickets.

1687
01:14:26,600 --> 01:14:27,960
Ticket status is not state.

1688
01:14:27,960 --> 01:14:28,600
It's a label.

1689
01:14:28,600 --> 01:14:33,000
State means the contract that proves the workflow's reality.

1690
01:14:33,000 --> 01:14:35,880
Approvals, exceptions, ownership,

1691
01:14:35,880 --> 01:14:39,320
SLA, gates, and refusal conditions.

1692
01:14:39,320 --> 01:14:42,520
If a critical workflow can't answer what step are we in?

1693
01:14:42,520 --> 01:14:45,560
Who owns it and what is allowed next without reading a team's thread?

1694
01:14:45,560 --> 01:14:46,520
You don't have state.

1695
01:14:46,520 --> 01:14:49,720
You have coordination and coordination can't be automated safely.

1696
01:14:49,720 --> 01:14:52,680
Third question, where does historical intelligence live?

1697
01:14:52,680 --> 01:14:55,560
This is where organizations fool themselves with storage.

1698
01:14:55,560 --> 01:14:58,360
Historical intelligence isn't, we have archives.

1699
01:14:58,360 --> 01:15:01,960
Do you have an analytical layer that can tell you what keeps repeating,

1700
01:15:01,960 --> 01:15:04,920
what keeps stalling and what keeps generating exceptions?

1701
01:15:04,920 --> 01:15:07,080
Can you quantify rework and permission faults?

1702
01:15:07,080 --> 01:15:11,400
Can you see where evidence conflicts and where policy drift creates ambiguity?

1703
01:15:11,400 --> 01:15:13,880
And can you feed those signals back into governance?

1704
01:15:13,880 --> 01:15:16,520
Or do they die as dashboards that nobody trusts?

1705
01:15:16,520 --> 01:15:18,520
If you can't answer that, you don't have learning.

1706
01:15:18,520 --> 01:15:20,120
You have telemetry exhaust.

1707
01:15:20,120 --> 01:15:23,080
Fourth question, where are permissions actually enforced?

1708
01:15:23,080 --> 01:15:24,680
This sounds like identity again.

1709
01:15:24,680 --> 01:15:25,160
It isn't.

1710
01:15:25,160 --> 01:15:31,160
Permissions enforcement means where is the boundary that copilot and agents will inherit

1711
01:15:31,160 --> 01:15:32,360
and is it coherent?

1712
01:15:32,360 --> 01:15:34,120
Which SharePoint sites are overshared?

1713
01:15:34,120 --> 01:15:35,720
Where inheritance is broken?

1714
01:15:35,720 --> 01:15:39,560
Which teams have guests and external sharing but store decision-grade content?

1715
01:15:39,560 --> 01:15:41,160
Which containers have no owner?

1716
01:15:41,160 --> 01:15:42,600
Which content lacks labels?

1717
01:15:42,600 --> 01:15:43,800
So DLP can't act.

1718
01:15:43,800 --> 01:15:46,920
In other words, where is the tenant poorest and are you pretending it's fine?

1719
01:15:46,920 --> 01:15:48,120
Because nobody complained yet.

1720
01:15:48,120 --> 01:15:51,320
Because copilot will complain for you publicly in a meeting.

1721
01:15:51,320 --> 01:15:55,640
Fifth question, where is your signal telemetry centralized?

1722
01:15:55,640 --> 01:15:59,000
If the organization can't observe behavior, it can't govern drift.

1723
01:15:59,000 --> 01:16:01,640
You need to know what evidence sources get retrieved most,

1724
01:16:01,640 --> 01:16:04,760
where citations fail, where refusal conditions trigger,

1725
01:16:04,760 --> 01:16:06,760
which workflows escalate constantly,

1726
01:16:06,760 --> 01:16:10,040
which identities experience CAE revocations midrun.

1727
01:16:10,040 --> 01:16:12,680
And where tool invocation patterns look abnormal.

1728
01:16:12,680 --> 01:16:14,520
That's not AI monitoring.

1729
01:16:14,520 --> 01:16:19,640
That's the control feedback required to run a probabilistic system without lying to yourself.

1730
01:16:19,640 --> 01:16:22,920
Now, the deliverable from the seven day inventory is not a report.

1731
01:16:22,920 --> 01:16:24,440
It's three decisions.

1732
01:16:24,440 --> 01:16:26,440
Decision one, map owners.

1733
01:16:26,440 --> 01:16:30,360
For each context domain, memory, state, learning, interaction,

1734
01:16:30,360 --> 01:16:33,480
assign a named owner with authority to enforce standards.

1735
01:16:33,480 --> 01:16:35,640
Not a steering committee, a person.

1736
01:16:35,640 --> 01:16:38,280
If you can't assign an owner, you've learned the most important truth.

1737
01:16:38,280 --> 01:16:42,360
Autonomy will collapse into exception handling because nobody can enforce intent.

1738
01:16:42,360 --> 01:16:44,840
Decision two, identify the top three context breaks.

1739
01:16:44,840 --> 01:16:48,200
These are the points where work loses its spine.

1740
01:16:48,200 --> 01:16:49,080
Common examples.

1741
01:16:49,080 --> 01:16:50,920
Approvals tracked in email only.

1742
01:16:50,920 --> 01:16:55,560
Policy stored in ungoverned wikis, incident artifacts scattered across personal drives,

1743
01:16:55,560 --> 01:16:57,560
vendor onboarding, living in spreadsheets,

1744
01:16:57,560 --> 01:17:00,360
or sensitive content stored in teams with guest access.

1745
01:17:00,360 --> 01:17:02,040
Because it's easier.

1746
01:17:02,040 --> 01:17:02,840
Write them down.

1747
01:17:02,840 --> 01:17:03,560
Don't debate them.

1748
01:17:03,560 --> 01:17:05,400
Context breaks aren't philosophical.

1749
01:17:05,400 --> 01:17:06,600
They're observable.

1750
01:17:06,600 --> 01:17:07,640
Decision three.

1751
01:17:07,640 --> 01:17:10,040
Pick one workflow for a 30-day pilot.

1752
01:17:10,040 --> 01:17:13,160
One, not enterprise-wide, not all-knowledge work.

1753
01:17:13,160 --> 01:17:16,040
One workflow with visible pain and manageable blast radius

1754
01:17:16,040 --> 01:17:17,960
where you can implement the four layers.

1755
01:17:17,960 --> 01:17:20,920
Graph memory, dataverse state, fabric learning,

1756
01:17:20,920 --> 01:17:24,360
co-pilot interaction with explicit refusal conditions.

1757
01:17:24,360 --> 01:17:26,200
If leadership can't choose one workflow,

1758
01:17:26,200 --> 01:17:27,480
they're not blocked by technology.

1759
01:17:27,480 --> 01:17:29,080
They're blocked by accountability.

1760
01:17:29,080 --> 01:17:31,880
And that's what the seven day context inventory really does.

1761
01:17:31,880 --> 01:17:34,520
It forces the enterprise to admit where reality lives,

1762
01:17:34,520 --> 01:17:36,920
where it doesn't and where the system will be forced to guess.

1763
01:17:36,920 --> 01:17:38,600
Because once you see where guessing happens,

1764
01:17:38,600 --> 01:17:40,200
the architecture stops being abstract.

1765
01:17:40,200 --> 01:17:41,480
It becomes unavoidable.

1766
01:17:41,480 --> 01:17:43,080
The 30-day pilot pattern.

1767
01:17:43,080 --> 01:17:45,880
One workflow, four layers, enforced assumptions.

1768
01:17:45,880 --> 01:17:49,400
Pick one workflow where failure is visible, frequent, and expensive.

1769
01:17:49,400 --> 01:17:52,680
Approvals, incident response, onboarding, procurement.

1770
01:17:52,680 --> 01:17:55,080
Anything with handoffs, delays, and a paper trail,

1771
01:17:55,080 --> 01:17:56,760
you can't reliably reconstruct

1772
01:17:56,760 --> 01:17:59,720
without begging three inbox owners for screenshots.

1773
01:17:59,720 --> 01:18:01,560
Then do the one thing enterprises avoid?

1774
01:18:01,560 --> 01:18:04,360
Define the assumptions upfront and make the system enforce them.

1775
01:18:04,360 --> 01:18:06,680
Because the pilot isn't about proving co-pilot works.

1776
01:18:06,680 --> 01:18:08,040
Co-pilot always works.

1777
01:18:08,040 --> 01:18:09,880
It produces words on demand.

1778
01:18:09,880 --> 01:18:12,040
The pilot is about proving your context substrate

1779
01:18:12,040 --> 01:18:15,000
can support evidence bound decisions without improvisation.

1780
01:18:15,000 --> 01:18:17,800
Start by defining the workflow boundary in plain language.

1781
01:18:17,800 --> 01:18:18,680
What triggers it?

1782
01:18:18,680 --> 01:18:19,800
What done means?

1783
01:18:19,800 --> 01:18:22,120
And what irreversible actions exist inside it?

1784
01:18:22,120 --> 01:18:23,480
If done isn't defined,

1785
01:18:23,480 --> 01:18:25,800
the agent will keep acting until someone stops it.

1786
01:18:25,800 --> 01:18:26,840
That's not autonomy.

1787
01:18:26,840 --> 01:18:28,280
That's entropy with good grammar.

1788
01:18:28,280 --> 01:18:29,640
Now implement the four layers,

1789
01:18:29,640 --> 01:18:31,400
but keep them deliberately small.

1790
01:18:31,400 --> 01:18:32,520
First, graph memory.

1791
01:18:32,520 --> 01:18:35,320
This is where you stop treating M365 as file storage

1792
01:18:35,320 --> 01:18:37,560
and start treating it as organizational recall.

1793
01:18:37,560 --> 01:18:39,960
Choose the authoritative containers for the workflow,

1794
01:18:39,960 --> 01:18:41,960
the SharePoint site, the Teams channel,

1795
01:18:41,960 --> 01:18:44,280
the policy library, the decision log,

1796
01:18:44,280 --> 01:18:45,800
then fix the obvious garbage,

1797
01:18:45,800 --> 01:18:47,800
broken inheritance, abandoned owners,

1798
01:18:47,800 --> 01:18:50,440
and the everyone group that turns retrieval into noise.

1799
01:18:50,440 --> 01:18:51,800
Don't boil the ocean.

1800
01:18:51,800 --> 01:18:53,480
Just make one domain coherent enough

1801
01:18:53,480 --> 01:18:55,400
that retrieval can be precise.

1802
01:18:55,400 --> 01:18:57,480
Second, Dataverse state.

1803
01:18:57,480 --> 01:18:58,840
Create the minimum state machine

1804
01:18:58,840 --> 01:19:00,600
that prevents relitigating work.

1805
01:19:00,600 --> 01:19:02,840
Request record status owner, SLA,

1806
01:19:02,840 --> 01:19:04,200
approver exception flag,

1807
01:19:04,200 --> 01:19:06,680
and a small set of explicit transitions.

1808
01:19:06,680 --> 01:19:08,680
The point isn't to model reality perfectly.

1809
01:19:08,680 --> 01:19:10,840
It's to give the system a place to store truth

1810
01:19:10,840 --> 01:19:12,200
that isn't buried in narrative.

1811
01:19:12,200 --> 01:19:13,400
When the agent asks,

1812
01:19:13,400 --> 01:19:14,760
has this been approved?

1813
01:19:14,760 --> 01:19:16,840
It should query state not guess based on tone

1814
01:19:16,840 --> 01:19:18,200
in a Teams message.

1815
01:19:18,200 --> 01:19:19,320
Third, fabric learning.

1816
01:19:19,320 --> 01:19:20,920
Instrument the workflow from day one.

1817
01:19:20,920 --> 01:19:22,280
Track cycle time per state,

1818
01:19:22,280 --> 01:19:24,280
number of escalations, number of retries,

1819
01:19:24,280 --> 01:19:25,160
evidence coverage,

1820
01:19:25,160 --> 01:19:26,680
and the top reasons for refusal.

1821
01:19:26,680 --> 01:19:29,240
You're not building a dashboard for leadership theater.

1822
01:19:29,240 --> 01:19:30,520
You're building a feedback loop

1823
01:19:30,520 --> 01:19:32,280
that tells you where context broke.

1824
01:19:32,280 --> 01:19:34,440
Missing sources, conflicting sources,

1825
01:19:34,440 --> 01:19:37,400
permission faults, or state transitions, nobody owns.

1826
01:19:37,400 --> 01:19:39,160
Fourth, co-pilot interaction.

1827
01:19:39,160 --> 01:19:41,000
Put co-pilot where humans already work

1828
01:19:41,000 --> 01:19:42,440
and constrain its role.

1829
01:19:42,440 --> 01:19:43,640
It should assemble evidence,

1830
01:19:43,640 --> 01:19:45,720
summarize state, draft responses,

1831
01:19:45,720 --> 01:19:47,000
propose next steps,

1832
01:19:47,000 --> 01:19:48,520
and generate the audit narrative.

1833
01:19:48,520 --> 01:19:50,680
It should not execute irreversible actions.

1834
01:19:50,680 --> 01:19:52,120
It should not decide policy.

1835
01:19:52,120 --> 01:19:54,040
And it should not have silent tool access

1836
01:19:54,040 --> 01:19:55,880
that can change systems without a gate.

1837
01:19:55,880 --> 01:19:58,040
Now the critical part, enforce assumptions.

1838
01:19:58,040 --> 01:20:00,440
Define refusal conditions like you mean it.

1839
01:20:00,440 --> 01:20:03,400
If required evidence isn't found in the authoritative container,

1840
01:20:03,400 --> 01:20:04,840
the system escalates.

1841
01:20:04,840 --> 01:20:06,920
If the user's permission posture is inconsistent,

1842
01:20:06,920 --> 01:20:08,040
the system refuses.

1843
01:20:08,040 --> 01:20:09,960
If the request crosses an external boundary,

1844
01:20:09,960 --> 01:20:11,800
the system requires confirmation.

1845
01:20:11,800 --> 01:20:13,320
If the workflow state is ambiguous,

1846
01:20:13,320 --> 01:20:15,720
the system asks a single targeted question,

1847
01:20:15,720 --> 01:20:17,720
then writes the answer back to dataverse,

1848
01:20:17,720 --> 01:20:19,240
so it never asks again.

1849
01:20:19,240 --> 01:20:21,720
This is where you learn whether you have an autonomy problem

1850
01:20:21,720 --> 01:20:23,080
or an accountability problem.

1851
01:20:23,080 --> 01:20:25,000
Because refusal conditions force ownership,

1852
01:20:25,000 --> 01:20:27,160
someone has to decide what counts as evidence,

1853
01:20:27,160 --> 01:20:28,440
what counts as stale,

1854
01:20:28,440 --> 01:20:30,040
and who approves exceptions.

1855
01:20:30,040 --> 01:20:33,080
Without that, the pilot becomes another demo environment

1856
01:20:33,080 --> 01:20:35,880
where the only reason it works is because smart people babysat it,

1857
01:20:35,880 --> 01:20:37,800
measure four things for 30 days,

1858
01:20:37,800 --> 01:20:39,400
and ignore the rest.

1859
01:20:39,400 --> 01:20:40,840
Cycle time.

1860
01:20:40,840 --> 01:20:42,600
Did it actually get faster?

1861
01:20:42,600 --> 01:20:43,560
End to end?

1862
01:20:43,560 --> 01:20:46,040
Not just in drafting email?

1863
01:20:46,040 --> 01:20:47,000
Rework.

1864
01:20:47,000 --> 01:20:48,760
Did people stop repeating the same steps,

1865
01:20:48,760 --> 01:20:50,760
the same approvals, the same clarifications?

1866
01:20:50,760 --> 01:20:52,600
Exception rate.

1867
01:20:52,600 --> 01:20:54,440
Did the system have to escalate constantly

1868
01:20:54,440 --> 01:20:56,040
because the process is undefined

1869
01:20:56,040 --> 01:20:57,720
or because the context is dirty?

1870
01:20:57,720 --> 01:20:58,760
Permission faults.

1871
01:20:58,760 --> 01:21:01,240
How often did retrieval fail because access is wrong?

1872
01:21:01,240 --> 01:21:02,760
And how often did retrieval succeed?

1873
01:21:02,760 --> 01:21:04,920
Because access is dangerously broad.

1874
01:21:04,920 --> 01:21:05,960
If those metrics improve,

1875
01:21:05,960 --> 01:21:07,480
you don't just have a successful pilot,

1876
01:21:07,480 --> 01:21:08,920
you have a repeatable pattern.

1877
01:21:08,920 --> 01:21:10,040
Then you clone it,

1878
01:21:10,040 --> 01:21:11,160
not by copying flows,

1879
01:21:11,160 --> 01:21:12,600
by copying architecture.

1880
01:21:12,600 --> 01:21:13,640
The same four layers,

1881
01:21:13,640 --> 01:21:14,920
the same boundary discipline,

1882
01:21:14,920 --> 01:21:16,200
the same refusal mechanics,

1883
01:21:16,200 --> 01:21:17,560
the same telemetry loop,

1884
01:21:17,560 --> 01:21:19,000
and the same ownership model.

1885
01:21:19,000 --> 01:21:21,240
That's how you scale without turning autonomy

1886
01:21:21,240 --> 01:21:22,520
into a tenant-wide rumor,

1887
01:21:22,520 --> 01:21:25,240
and AI won't transform your enterprise.

1888
01:21:25,240 --> 01:21:26,760
Context architecture will,

1889
01:21:26,760 --> 01:21:28,680
because it forces probabilistic outputs

1890
01:21:28,680 --> 01:21:31,080
to stay bound to evidence, state, and control.

1891
01:21:31,080 --> 01:21:34,040
If this landed, leave a review for M365FM,

1892
01:21:34,040 --> 01:21:35,880
connect with mecopeters on LinkedIn,

1893
01:21:35,880 --> 01:21:37,160
and message the one context,

1894
01:21:37,160 --> 01:21:38,840
break you want, dissect it next.

1895
01:21:38,840 --> 01:21:41,320
Copilot, graph, governance, or agents.