The Foundational Lie of 'Hire-to-Retire' - Deconstructing the Architectural Debt of Modern HR Systems
🧠 Episode Summary

Most organizations believe hire-to-retire is a lifecycle. It isn’t. It’s a story layered on top of fragmented systems making independent decisions at different speeds, with different definitions of truth. In this episode, we dismantle the hire-to-retire myth and expose what’s actually running your HR stack: a distributed decision engine built from workflows, configuration, identity controls, and integration glue. We show why HR teams end up debugging flows instead of designing policy, why AI pilots plateau at “recommendation only,” and why architectural debt accelerates—not shrinks—under automation.

This is not an implementation critique. It’s an architectural one. You’ll leave with:
- A new mental model for HR systems that survives scale, regulation, and AI
- A diagnostic checklist to surface hidden policy and configuration entropy
- A reference architecture that separates intent, facts, execution, and explanation
- Why hire-to-retire is not a process
- HR systems as distributed decision engines, not linear workflows
- The danger of forcing dynamic obligations into static, form-driven stages
- How templates, stages, connectors, and email phrasing silently become law
- Why standardization alone accelerates hidden divergence
- The three places policy hides:
- Presentation (emails, labels, templates)
- Flow structure (stages, approvals, branches)
- Integration logic (filters, retries, mappings)
- The intent extraction problem
- Why models infer chaos when policy is implicit
- Why copilots plateau at summaries instead of decisions
- Why explainability collapses when intent isn’t first-class
- Transactional cores with adaptive debt
- Process rigor mistaken for intelligence
- Global compliance creating local entropy
- Identity platforms becoming shadow systems of record
- Integration glue evolving into the operating model
- Capability provisioning
- Obligation tracking
- Identity orchestration
- Where does policy actually live today?
- Can you explain why a decision happened—with citations?
- Where do HR, identity, and compliance disagree—and who wins?
- What’s the half-life of exceptions in your environment?
- Policy layer – versioned, testable intent
- Event layer – immutable facts, not stages
- Execution layer – subscribers, not rule authors
- AI reasoning layer – explanation first, always cited
- Pull policy out of workflows
- Make facts explicit and immutable
- Compile identity instead of hand-building it
- Require citations, TTLs, and loud failures by default
Systems require contracts. Until policy is explicit, versioned, and machine-queryable, AI will amplify drift—not fix it.

📣 Call to Action

If your HR team spends more time debugging integrations than designing policy, this episode is for you. Subscribe for the next deep dive on authorization compilers and policy-driven identity, and share this episode with the person still “fixing” flows instead of moving intent out of them.
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
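The reference architecture the summary lists (a versioned policy layer, an event layer of immutable facts, an execution layer that subscribes rather than authors rules, and explanations that cite policy, with TTLs on exceptions and loud failures) can be sketched in a few dozen lines. The Python below is an added illustration written for this page, not code from the episode, from M365.FM or from any HR or identity product; every policy id, worker id, fact, override and access grant in it is constructed. It shows the termination case the episode keeps returning to: HR emits a "terminated" fact, an old exception has expired, and the identity system still holds a mailbox grant, so reconciliation raises instead of logging.

```python
# Constructed example of the four-layer split: versioned policy, an append-only fact stream, subscribing execution, cited decisions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

@dataclass(frozen=True)
class Policy:  # versioned, testable intent: a predicate over a worker's current facts
    policy_id: str
    version: int
    capability: str
    rule: Callable[[dict], bool]

@dataclass(frozen=True)
class Fact:  # one immutable observation; facts are appended, never edited in place
    worker: str
    name: str
    value: object
    observed_at: datetime

@dataclass(frozen=True)
class Override:  # a "just this once" exception: tied to one policy and always expiring
    override_id: str
    worker: str
    policy_id: str
    expires_at: datetime

@dataclass(frozen=True)
class Decision:
    worker: str
    capability: str
    allowed: bool
    citations: tuple   # policy/override references the answer rests on
    facts_used: tuple  # (name, value) pairs the rules were evaluated against

class DriftError(RuntimeError):
    """Execution-layer state contradicts the policy decision."""

def current_facts(stream, worker: str) -> dict:
    """Fold the append-only stream into the latest value per fact name."""
    latest = {}
    for f in sorted((f for f in stream if f.worker == worker), key=lambda f: f.observed_at):
        latest[f.name] = f.value
    return latest

def decide(worker, capability, stream, policies, overrides, now) -> Decision:
    """Evaluate every policy governing the capability and explain with citations."""
    facts = current_facts(stream, worker)
    used = tuple(sorted(facts.items()))
    governed = [p for p in policies if p.capability == capability]
    if not governed:  # no recorded intent: fail closed rather than guess from history
        return Decision(worker, capability, False, ("no-policy:fail-closed",), used)
    citations, denied = [], False
    for p in governed:
        ref = f"{p.policy_id}@v{p.version}"
        if p.rule(facts):
            citations.append(ref)
            continue
        live = [o for o in overrides
                if o.worker == worker and o.policy_id == p.policy_id and o.expires_at > now]
        if live:  # an unexpired exception is honoured, but cited rather than hidden
            citations.append(f"override:{live[0].override_id} for {ref} until {live[0].expires_at.isoformat()}")
        else:     # expired or absent exception: name the edge that failed
            citations.append(f"failed:{ref}")
            denied = True
    return Decision(worker, capability, not denied, tuple(citations), used)

def reconcile(execution_access: dict, decisions, loud: bool = True) -> list:
    """Compare identity-system grants with policy decisions; loud=True raises on any mismatch."""
    drift = []
    for d in decisions:
        granted = d.capability in execution_access.get(d.worker, set())
        if granted != d.allowed:
            drift.append(f"{d.worker}/{d.capability}: execution={'granted' if granted else 'absent'}, "
                         f"policy={'allow' if d.allowed else 'deny'}, citing {list(d.citations)}")
    if drift and loud:
        raise DriftError("; ".join(drift))
    return drift

# --- constructed sample data; every id and value below is made up for this example ---
NOW = datetime(2024, 1, 9, 14, 14, tzinfo=timezone.utc)
POLICIES = (
    Policy("HR-ACCESS-001", 3, "mailbox", lambda f: f.get("status") == "active"),
    Policy("SEC-ROLE-007", 1, "finance-ledger", lambda f: f.get("status") == "active" and f.get("background_check") == "passed"),
)
FACT_STREAM = (
    Fact("w-1001", "status", "active", NOW - timedelta(days=30)),
    Fact("w-1001", "status", "terminated", NOW - timedelta(hours=2)),  # the HR termination event
    Fact("w-2002", "status", "active", NOW - timedelta(days=10)),
    Fact("w-2002", "background_check", "pending", NOW - timedelta(days=10)),
)
OVERRIDES = (
    Override("ovr-41", "w-2002", "SEC-ROLE-007", NOW + timedelta(days=3)),   # rush hire, with a TTL
    Override("ovr-12", "w-1001", "HR-ACCESS-001", NOW - timedelta(days=90)),  # stale: ignored, not honoured
)
IDENTITY_ACCESS = {"w-1001": {"mailbox"}, "w-2002": {"mailbox", "finance-ledger"}}  # w-1001's mailbox survived termination

def all_decisions(now=NOW) -> list:
    pairs = (("w-1001", "mailbox"), ("w-2002", "finance-ledger"), ("w-2002", "mailbox"))
    return [decide(w, c, FACT_STREAM, POLICIES, OVERRIDES, now) for w, c in pairs]
```

Two design choices carry the episode's argument. Policy is data with an id and a version, so a decision can answer "why" with `HR-ACCESS-001@v3` rather than with a stage name; and an override is a first-class record with an expiry, so a rush-hire exception stops working on its own instead of living on in a connector. `reconcile(..., loud=True)` is the "tests that fail loudly when configuration diverges" part: the identity system's grants are treated as a subscriber's view that must match the decision, and any mismatch is an error, not a report.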
00:00:00,000 --> 00:00:02,560
Most believe hire-to-retire is a smooth life cycle.
2
00:00:02,560 --> 00:00:03,400
It is not.
3
00:00:03,400 --> 00:00:08,160
Architecturally, it's a transactional relic trying to govern dynamic cross-system reality.
4
00:00:08,160 --> 00:00:12,480
If your HR team debugs Power Automate flows more than they design policy, this episode
5
00:00:12,480 --> 00:00:13,480
is about you.
6
00:00:13,480 --> 00:00:16,480
Today, we're diagnosing failure patterns, not symptoms.
7
00:00:16,480 --> 00:00:20,840
You'll get a new mental model, a diagnostic checklist, and a reference architecture that
8
00:00:20,840 --> 00:00:21,840
survives AI.
9
00:00:21,840 --> 00:00:23,120
Here's the hard truth.
10
00:00:23,120 --> 00:00:26,400
If the model is wrong, every workflow you build on it decays.
11
00:00:26,400 --> 00:00:27,400
Fast.
12
00:00:27,400 --> 00:00:28,400
And AI won't fix it.
13
00:00:28,400 --> 00:00:29,400
It will expose it.
14
00:00:29,400 --> 00:00:33,440
Let's make the underlying system visible, explainable, and finally governable.
15
00:00:33,440 --> 00:00:36,840
The foundational misunderstanding: what hire-to-retire actually is.
16
00:00:36,840 --> 00:00:38,520
The false belief is simple.
17
00:00:38,520 --> 00:00:40,000
Hire-to-retire is a process.
18
00:00:40,000 --> 00:00:41,000
It isn't.
19
00:00:41,000 --> 00:00:44,720
In practice, hire-to-retire is a story organizations tell themselves to feel linearity
20
00:00:44,720 --> 00:00:46,040
when none exists.
21
00:00:46,040 --> 00:00:49,480
Architecturally, it's a narrative overlay sitting on top of heterogeneous systems, each making
22
00:00:49,480 --> 00:00:53,520
decisions for its own reasons at its own cadence, with incomplete context.
23
00:00:53,520 --> 00:00:55,160
That distinction matters.
24
00:00:55,160 --> 00:00:57,840
What actually runs is a distributed decision engine.
25
00:00:57,840 --> 00:00:59,320
HR databases?
26
00:00:59,320 --> 00:01:00,320
Identity services?
27
00:01:00,320 --> 00:01:01,320
Payroll?
28
00:01:01,320 --> 00:01:02,320
Benefits?
29
00:01:02,320 --> 00:01:03,320
Compliance tooling?
30
00:01:03,320 --> 00:01:04,320
Collaboration platforms?
31
00:01:04,320 --> 00:01:05,320
And integration glue?
32
00:01:05,320 --> 00:01:06,920
Each with its own schema?
33
00:01:06,920 --> 00:01:07,920
State machine?
34
00:01:07,920 --> 00:01:08,920
And error semantics?
35
00:01:08,920 --> 00:01:13,400
An edit wizard in one system triggers asynchronous updates in others, which recompute
36
00:01:13,400 --> 00:01:17,360
entitlements, create conflicts, and leave artifacts that look final but aren't.
37
00:01:17,360 --> 00:01:20,480
The process is a stitched timeline of partial truths.
38
00:01:20,480 --> 00:01:25,520
The foundational mistake is enforcing static, form-driven transactions on top of dynamic
39
00:01:25,520 --> 00:01:26,720
obligations.
40
00:01:26,720 --> 00:01:31,920
A hire is not a single event; it's a burst of obligations: capability provisioning,
41
00:01:31,920 --> 00:01:36,440
legal and policy constraints and identity relationships emitted into multiple systems
42
00:01:36,440 --> 00:01:39,200
that do not agree on timing or definition.
43
00:01:39,200 --> 00:01:41,040
A transfer is not a button.
44
00:01:41,040 --> 00:01:45,480
It's a renegotiation of entitlements across job, location, risk posture, and supervision.
45
00:01:45,480 --> 00:01:47,720
A termination is not an off switch.
46
00:01:47,720 --> 00:01:52,360
It's a tail of residual access, data retention duties, and jurisdictional rules that don't
47
00:01:52,360 --> 00:01:54,400
align with an HR checkbox.
48
00:01:54,400 --> 00:01:56,200
Once you see this, the friction looks inevitable.
49
00:01:56,200 --> 00:01:57,840
You create a job requisition.
50
00:01:57,840 --> 00:02:02,000
Somewhere else identity waits for a signal to provision access, but the position isn't fully
51
00:02:02,000 --> 00:02:03,000
defined.
52
00:02:03,000 --> 00:02:07,240
Payroll wants cost centers, compliance wants attestations, IT wants device baselines.
53
00:02:07,240 --> 00:02:11,400
None of those systems read the same source at the same time in the same way.
54
00:02:11,400 --> 00:02:15,480
The neat life cycle boxes hide that you're pushing intent into systems that can't represent
55
00:02:15,480 --> 00:02:16,480
it.
56
00:02:16,480 --> 00:02:17,720
This leads to brittle workflows.
57
00:02:17,720 --> 00:02:18,720
Forms capture snapshots.
58
00:02:18,720 --> 00:02:20,000
Reality is continuous.
59
00:02:20,000 --> 00:02:24,200
You freeze decisions at step boundaries, stage transitions, approvals and status fields
60
00:02:24,200 --> 00:02:27,080
because the tool needs a state, but your obligations move.
61
00:02:27,080 --> 00:02:31,400
People start early, managers change late, exceptions stack up, and edge cases become the
62
00:02:31,400 --> 00:02:32,400
rule.
63
00:02:32,400 --> 00:02:33,400
Hidden state blooms.
64
00:02:33,400 --> 00:02:37,840
Email templates with business logic, screening questions acting like policy gates, temporary
65
00:02:37,840 --> 00:02:39,880
exception flags that never expire.
66
00:02:39,880 --> 00:02:42,680
The system you operate is not the one you diagrammed.
67
00:02:42,680 --> 00:02:46,240
It's the one encoded in thousands of small configuration choices.
68
00:02:46,240 --> 00:02:47,560
And here's the uncomfortable truth.
69
00:02:47,560 --> 00:02:49,240
Policy migrates to the wrong places.
70
00:02:49,240 --> 00:02:53,680
Instead of living in a policy plane as a versioned, testable, human readable corpus,
71
00:02:53,680 --> 00:02:58,400
it gets embedded in workflow definitions, role mappings and connector conditions.
72
00:02:58,400 --> 00:03:02,280
When policy lives in workflows, every workflow becomes a policy fork.
73
00:03:02,280 --> 00:03:06,520
With every "just this once," deterministic intent becomes probabilistic outcome.
74
00:03:06,520 --> 00:03:09,800
The more you optimize locally, the more incoherence you create globally.
75
00:03:09,800 --> 00:03:10,800
Why does this matter now?
76
00:03:10,800 --> 00:03:13,240
Because AI amplifies drift, it doesn't heal it.
77
00:03:13,240 --> 00:03:14,800
Models learn from artifacts.
78
00:03:14,800 --> 00:03:19,720
If intent is implicit and scattered, AI infers policy from stale templates, inconsistent
79
00:03:19,720 --> 00:03:21,840
labels and noisy histories.
80
00:03:21,840 --> 00:03:26,240
Ask it to recommend next steps and it will mirror the chaos you already have, only faster.
81
00:03:26,240 --> 00:03:28,520
You gave it anecdotes and told it to generalize.
82
00:03:28,520 --> 00:03:30,560
Consider how this plays out at the edges.
83
00:03:30,560 --> 00:03:35,160
An HR system marks a candidate as ready to hire, but the identity service needs a security
84
00:03:35,160 --> 00:03:37,240
role not present in HR.
85
00:03:37,240 --> 00:03:41,360
So someone adds a manual mapping in an integration flow, then a different jurisdiction introduces
86
00:03:41,360 --> 00:03:45,880
a new leave entitlement, which gets hard coded into a downstream system's workflow.
87
00:03:45,880 --> 00:03:48,320
Then a merger brings duplicate identities.
88
00:03:48,320 --> 00:03:52,560
The least bad path is to reconcile titles in a spreadsheet and push overrides.
89
00:03:52,560 --> 00:03:55,640
Each step solves the local problem while quietly forking policy.
90
00:03:55,640 --> 00:04:00,640
Over time, your life cycle becomes a garden of divergent micro-policies no one can enumerate.
91
00:04:00,640 --> 00:04:02,320
This is not an implementation mistake.
92
00:04:02,320 --> 00:04:06,200
It's an architectural consequence of using static, stage-based models to govern dynamic
93
00:04:06,200 --> 00:04:07,720
cross-system obligations.
94
00:04:07,720 --> 00:04:11,640
The life cycle narrative encourages you to believe stages are boundaries of truth.
95
00:04:11,640 --> 00:04:15,320
They are not; they are merely UI conveniences, good for forms, weak for enforcement.
96
00:04:15,320 --> 00:04:19,960
And when obligation definitions change because of law, risk or business, your stage logic
97
00:04:19,960 --> 00:04:23,000
lags, your integrations patch and your identity graph diverges.
98
00:04:23,000 --> 00:04:25,840
There's also the illusion of a single system of record.
99
00:04:25,840 --> 00:04:28,880
In theory, HR is authoritative for worker status.
100
00:04:28,880 --> 00:04:31,160
In practice, the control plane lives elsewhere.
101
00:04:31,160 --> 00:04:35,120
Identity governs access, compliance governs evidence and collaboration platforms govern
102
00:04:35,120 --> 00:04:36,360
data sprawl.
103
00:04:36,360 --> 00:04:41,280
When those disagree, the life cycle story breaks in the only place that matters.
104
00:04:41,280 --> 00:04:42,280
Enforcement.
105
00:04:42,280 --> 00:04:46,400
The person is terminated in HR but still has residual access because an exception lived
106
00:04:46,400 --> 00:04:47,720
in a connector.
107
00:04:47,720 --> 00:04:50,880
The life cycle said end, the system said later.
108
00:04:50,880 --> 00:04:53,080
So what is hire-to-retire architecturally?
109
00:04:53,080 --> 00:04:57,560
It's a stream of facts about people, roles and obligations emitted over time consumed by
110
00:04:57,560 --> 00:04:59,800
systems with different models of truth.
111
00:04:59,800 --> 00:05:03,000
Treat it like a wizard and you'll keep encoding policy into workflows.
112
00:05:03,000 --> 00:05:06,880
Treat it like an obligation and identity orchestration problem and you can start separating
113
00:05:06,880 --> 00:05:10,920
intent from execution, facts from flows and policy from configuration.
114
00:05:10,920 --> 00:05:13,600
That's the shift we are making today.
115
00:05:13,600 --> 00:05:14,600
Configuration entropy.
116
00:05:14,600 --> 00:05:16,480
How setup becomes the system.
117
00:05:16,480 --> 00:05:20,840
Okay, so basically, once you accept that hire-to-retire is an obligation stream, not a
118
00:05:20,840 --> 00:05:25,760
wizard, you can see why configuration becomes the de facto law of the land.
119
00:05:25,760 --> 00:05:29,200
Every template, drop-down, stage and connector is a decision node.
120
00:05:29,200 --> 00:05:33,600
They accumulate and the more they accumulate, the less your original intent shows up in
121
00:05:33,600 --> 00:05:34,600
the outcome.
122
00:05:34,600 --> 00:05:35,600
Think of it like this.
123
00:05:35,600 --> 00:05:37,800
You open an admin panel to improve a process.
124
00:05:37,800 --> 00:05:41,800
You add a screening question, you tune an email template with a conditional paragraph.
125
00:05:41,800 --> 00:05:45,880
You insert a hidden stage so a manager can add a note before an offer.
126
00:05:45,880 --> 00:05:47,400
None of that looks like policy.
127
00:05:47,400 --> 00:05:48,760
It looks like helpful setup.
128
00:05:48,760 --> 00:05:52,600
But in a distributed decision engine, each of those toggles becomes a micro-policy.
129
00:05:52,600 --> 00:05:56,280
Do it a hundred times across systems and you've created a policy surface area your governance
130
00:05:56,280 --> 00:05:58,880
never proved and your auditors can't enumerate.
131
00:05:58,880 --> 00:06:00,520
Here's the weird part.
132
00:06:00,520 --> 00:06:02,600
Configuration entropy isn't a configuration problem.
133
00:06:02,600 --> 00:06:06,640
It's an architectural inevitability in systems where policy intent isn't first class.
134
00:06:06,640 --> 00:06:07,960
The velocity is what hurts you.
135
00:06:07,960 --> 00:06:09,280
The problem isn't complexity.
136
00:06:09,280 --> 00:06:13,240
It's the speed at which configuration diverges faster than intent can be reconciled.
137
00:06:13,240 --> 00:06:15,040
You write a policy memo once a quarter.
138
00:06:15,040 --> 00:06:16,640
You create five exceptions a week.
139
00:06:16,640 --> 00:06:18,120
Guess which wins.
140
00:06:18,120 --> 00:06:19,120
Where does it hide?
141
00:06:19,120 --> 00:06:21,600
Everywhere policy can piggyback without being named.
142
00:06:21,600 --> 00:06:25,280
Email templates that use subject lines to encode urgency classes.
143
00:06:25,280 --> 00:06:28,640
Screening logic with preferred answers that silently act as gates.
144
00:06:28,640 --> 00:06:32,880
Stage definitions that imply risk classification because a given step is only available to
145
00:06:32,880 --> 00:06:34,120
certain roles.
146
00:06:34,120 --> 00:06:35,720
Exception flags with no time to live.
147
00:06:35,720 --> 00:06:40,840
Retention settings in downstream systems that contradict HR's stated data policy because
148
00:06:40,840 --> 00:06:42,920
the tool's default wasn't reviewed.
149
00:06:42,920 --> 00:06:44,640
Each is small, local and rational.
150
00:06:44,640 --> 00:06:47,040
Together they are your operating model.
151
00:06:47,040 --> 00:06:48,040
And here's the cost.
152
00:06:48,040 --> 00:06:50,160
Debugging workflows becomes your operating model.
153
00:06:50,160 --> 00:06:53,160
You stop designing policy and start tracing side effects.
154
00:06:53,160 --> 00:06:54,680
Why did this person keep access?
155
00:06:54,680 --> 00:06:58,040
Because a connector masked a terminated event with a retrieval error.
156
00:06:58,040 --> 00:06:59,560
Why did this candidate get rejected?
157
00:06:59,560 --> 00:07:02,920
Because a template overrode the recruiter's intent with an old rule about certifications
158
00:07:02,920 --> 00:07:03,920
in one region.
159
00:07:03,920 --> 00:07:05,680
Why did this transfer take three days?
160
00:07:05,680 --> 00:07:10,640
Because a stage named manager approval was actually a risk attestation with a hidden branch
161
00:07:10,640 --> 00:07:12,400
and the attestor changed departments.
162
00:07:12,400 --> 00:07:15,760
You can't reason about any of this from the life cycle diagram.
163
00:07:15,760 --> 00:07:17,720
You have to read the configuration tea leaves.
164
00:07:17,720 --> 00:07:19,240
AI won't save you here.
165
00:07:19,240 --> 00:07:20,760
Models infer from artifacts.
166
00:07:20,760 --> 00:07:22,120
Not unspoken intent.
167
00:07:22,120 --> 00:07:26,840
If your policy is scattered across templates, stages and connector conditions, the model
168
00:07:26,840 --> 00:07:28,080
learns the noise.
169
00:07:28,080 --> 00:07:31,120
Ask a copilot to summarize hiring policy.
170
00:07:31,120 --> 00:07:35,120
And it will assemble an answer from email phrasing, stale job ad fragments and an
171
00:07:35,120 --> 00:07:37,240
unversioned SharePoint PDF.
172
00:07:37,240 --> 00:07:39,720
Ask an agent to decide ready to hire.
173
00:07:39,720 --> 00:07:44,080
And it will generalize from inconsistent labels, absorbing the bias you buried in one recruiter's
174
00:07:44,080 --> 00:07:45,960
qualification steps seven months ago.
175
00:07:45,960 --> 00:07:47,840
You gave it anecdotes and asked for doctrine.
176
00:07:47,840 --> 00:07:49,800
Okay, what about better governance and setup?
177
00:07:49,800 --> 00:07:52,080
Necessary but insufficient.
178
00:07:52,080 --> 00:07:55,440
Centralizing template libraries and enforcing naming standards reduces entropy growth,
179
00:07:55,440 --> 00:07:56,480
but it doesn't reverse it.
180
00:07:56,480 --> 00:07:57,480
Why?
181
00:07:57,480 --> 00:07:59,640
Because the system still treats policy as configuration.
182
00:07:59,640 --> 00:08:03,080
That means your only levers are review and restraint, which fail under pressure.
183
00:08:03,080 --> 00:08:04,680
A rush hire gets an exception.
184
00:08:04,680 --> 00:08:07,080
A global rollout gets a regional override.
185
00:08:07,080 --> 00:08:10,360
These pile up into new baselines, entropy wins by default.
186
00:08:10,360 --> 00:08:11,880
Let's make the pattern practical.
187
00:08:11,880 --> 00:08:16,040
Three categories account for most configuration generated policy.
188
00:08:16,040 --> 00:08:18,400
Presentation, masquerading as policy.
189
00:08:18,400 --> 00:08:21,920
Templates, signatures, subject lines, inline guidance.
190
00:08:21,920 --> 00:08:25,560
If it nudges decisions differently by audience or region, it's policy.
191
00:08:25,560 --> 00:08:29,280
Flow structure as policy, stages, approvals and hidden branches.
192
00:08:29,280 --> 00:08:32,840
If a path exists only for some roles or locations, it's policy.
193
00:08:32,840 --> 00:08:37,760
Data conditions as policy, field mappings, retries, filters and enrichments.
194
00:08:37,760 --> 00:08:40,960
If data moves or doesn't based on conditions, it's policy.
195
00:08:40,960 --> 00:08:45,520
If you can't answer for each category who owns the intent, who owns the configuration
196
00:08:45,520 --> 00:08:49,680
and how changes are versioned and tested, you're running a probabilistic model and calling
197
00:08:49,680 --> 00:08:50,680
it deterministic.
198
00:08:50,680 --> 00:08:52,080
That's why you get surprised.
199
00:08:52,080 --> 00:08:53,280
That's why incidents repeat.
200
00:08:53,280 --> 00:08:54,960
So how do you make this visible?
201
00:08:54,960 --> 00:08:59,040
You separate intent from configuration and require explanation at the point of decision.
202
00:08:59,040 --> 00:09:00,040
Not in a report.
203
00:09:00,040 --> 00:09:01,040
In the flow.
204
00:09:01,040 --> 00:09:02,800
Why did this branch fire?
205
00:09:02,800 --> 00:09:05,760
Resolve to a policy reference and the facts that matched it.
206
00:09:05,760 --> 00:09:07,560
What would have happened if...
207
00:09:07,560 --> 00:09:10,360
Must be computable from versioned rules, not folklore.
208
00:09:10,360 --> 00:09:14,280
Until you do that, every setup is a new way to be wrong without knowing it.
209
00:09:14,280 --> 00:09:15,280
One last point.
210
00:09:15,280 --> 00:09:17,880
Entropy is not reduced by standardization alone.
211
00:09:17,880 --> 00:09:20,560
Standardizing on the wrong abstraction ossifies error.
212
00:09:20,560 --> 00:09:25,000
Many teams lock down templates and freeze stage definitions, then bury exceptions in connectors.
213
00:09:25,000 --> 00:09:28,360
The surface looks clean, the mess moves to where you can't see it.
214
00:09:28,360 --> 00:09:32,280
The only durable reduction comes from moving policy out of configuration and into a policy
215
00:09:32,280 --> 00:09:38,160
layer that systems subscribe to with tests that fail loudly when configuration diverges.
216
00:09:38,160 --> 00:09:41,440
Everything else is discipline fighting physics, and physics will outlast your steering
217
00:09:41,440 --> 00:09:43,000
committee.
218
00:09:43,000 --> 00:09:44,000
Archetype 1.
219
00:09:44,000 --> 00:09:45,000
Dynamics 365.
220
00:09:45,000 --> 00:09:46,000
HR.
221
00:09:46,000 --> 00:09:47,000
Transactional core.
222
00:09:47,000 --> 00:09:48,000
Adaptive debt.
223
00:09:48,000 --> 00:09:49,000
Dynamics 365.
224
00:09:49,000 --> 00:09:51,400
Human resources looks like a life cycle engine.
225
00:09:51,400 --> 00:09:52,680
Architecturally, it's something else.
226
00:09:52,680 --> 00:09:56,320
A transactional core with configuration scaffolding wrapped around it.
227
00:09:56,320 --> 00:09:58,480
That core is good at state transitions.
228
00:09:58,480 --> 00:09:59,480
Requisition created.
229
00:09:59,480 --> 00:10:00,480
Job ad published.
230
00:10:00,480 --> 00:10:01,480
Applicant advanced.
231
00:10:01,480 --> 00:10:02,480
Worker created.
232
00:10:02,480 --> 00:10:06,680
The scaffolding promises adaptability, templates, stages, screening logic, email libraries
233
00:10:06,680 --> 00:10:07,680
and connectors.
234
00:10:07,680 --> 00:10:10,680
Put them together and you get the appearance of agility.
235
00:10:10,680 --> 00:10:12,440
Under load, it behaves like adaptive debt.
236
00:10:12,440 --> 00:10:14,800
Here's the architectural choice that sets the trap.
237
00:10:14,800 --> 00:10:19,720
You model hires, transfers and terms as wizard-driven transactions tied to entity records and
238
00:10:19,720 --> 00:10:20,720
stage fields.
239
00:10:20,720 --> 00:10:23,240
That gives clean forms and predictable UI flow.
240
00:10:23,240 --> 00:10:27,720
It also forces policy to ride on top as configuration because the underlying model doesn't speak
241
00:10:27,720 --> 00:10:29,640
in obligations or identity edges.
242
00:10:29,640 --> 00:10:31,800
You can add infinite stage definitions.
243
00:10:31,800 --> 00:10:36,880
You cannot express "this capability requires this control when the risk posture equals X,"
244
00:10:36,880 --> 00:10:40,080
so you approximate, and those approximations stack.
245
00:10:40,080 --> 00:10:41,120
Why it looked good at the time.
246
00:10:41,120 --> 00:10:43,400
The platform lets HR teams self-serve.
247
00:10:43,400 --> 00:10:47,680
Recruiters can define screening questions, adjust hiring templates, build email sequences
248
00:10:47,680 --> 00:10:51,840
and move candidates across stages without calling IT.
249
00:10:51,840 --> 00:10:55,400
Integration with Finance and Operations or Dataverse syncs records downstream.
250
00:10:55,400 --> 00:10:57,120
Power Automate fills the gaps.
251
00:10:57,120 --> 00:10:58,120
It feels like progress.
252
00:10:58,120 --> 00:11:00,040
Then the first cross-entity conflict appears.
253
00:11:00,040 --> 00:11:03,760
The failure mode is state rigidity with sprawling configuration.
254
00:11:03,760 --> 00:11:05,360
Stages become policy proxies.
255
00:11:05,360 --> 00:11:07,360
A hidden branch doubles as a risk gate.
256
00:11:07,360 --> 00:11:10,800
A screening preferred answer quietly becomes a qualifying condition.
257
00:11:10,800 --> 00:11:14,920
Email templates embed regional guidance that contradicts the central policy PDF.
258
00:11:14,920 --> 00:11:17,800
Each change is rational locally and inconsistent globally.
259
00:11:17,800 --> 00:11:22,120
The more you standardize the template set, the more exceptions migrate into connectors
260
00:11:22,120 --> 00:11:23,760
and virtual entity mappings.
261
00:11:23,760 --> 00:11:26,440
The system looks tidy on the surface and drifts underneath.
262
00:11:26,440 --> 00:11:28,040
Where policy hides is predictable.
263
00:11:28,040 --> 00:11:32,720
In hiring templates, policy hides as stage ordering and step types, interview types,
264
00:11:32,720 --> 00:11:36,960
panel compositions and optional steps that are optional in name only.
265
00:11:36,960 --> 00:11:42,040
In screening libraries, policy hides as required versus preferred answers that play
266
00:11:42,040 --> 00:11:46,960
like allow and deny lists. In email configurations, policy hides as conditional language that
267
00:11:46,960 --> 00:11:49,200
suggests decisions to reviewers.
268
00:11:49,200 --> 00:11:53,120
In integration parameters, policy hides as field mappings, retries and error handling
269
00:11:53,120 --> 00:11:57,280
branches that decide whether a downstream system sees an event at all.
270
00:11:57,280 --> 00:11:58,880
Why AI fails here is specific.
271
00:11:58,880 --> 00:12:03,120
Agents that live inside this environment see states and labels, not obligations.
272
00:12:03,120 --> 00:12:07,000
They can read stage tags like "ready to hire," but they can't reconstruct the implied policy
273
00:12:07,000 --> 00:12:10,840
across templates, screening decisions and connector logic.
274
00:12:10,840 --> 00:12:12,240
They attempt to reason from history.
275
00:12:12,240 --> 00:12:14,640
Past candidates marked ready shared these labels.
276
00:12:14,640 --> 00:12:18,960
But those labels reflect inconsistent artifacts: template V3 in one business unit, V2 in
277
00:12:18,960 --> 00:12:22,080
another, a hidden connector fix after a sync issue.
278
00:12:22,080 --> 00:12:26,960
The agent generalizes from anecdotes because there's no authoritative policy corpus to
279
00:12:26,960 --> 00:12:27,960
cite.
280
00:12:27,960 --> 00:12:30,080
It cannot explain because the system never encoded intent.
281
00:12:30,080 --> 00:12:33,840
It can only imitate. Everything you recognize from incident reviews shows up here.
282
00:12:33,840 --> 00:12:39,640
D365 HR marks a worker as created, but attachments don't sync for this version and the connector
283
00:12:39,640 --> 00:12:41,720
silently drops the event.
284
00:12:41,720 --> 00:12:44,640
Identity never sees the entitlement change, so access persists.
285
00:12:44,640 --> 00:12:48,640
A hiring template adds an extra stage for panel review in one legal entity.
286
00:12:48,640 --> 00:12:52,920
Now the offer email uses a different template with jurisdictional terms that don't match benefits
287
00:12:52,920 --> 00:12:54,160
in finance.
288
00:12:54,160 --> 00:12:58,320
A career site update adds screening categories for a region without a synchronized education
289
00:12:58,320 --> 00:12:59,720
catalog.
290
00:12:59,720 --> 00:13:01,960
Preferred answers invert the gate in practice.
291
00:13:01,960 --> 00:13:06,080
Each is a minor tweak; together they redefine the architecture. Known integration patterns
292
00:13:06,080 --> 00:13:07,360
add their own gravity.
293
00:13:07,360 --> 00:13:10,720
The finance and operations virtual entities look like a bridge.
294
00:13:10,720 --> 00:13:14,800
In reality, they're a second model with its own consistency semantics.
295
00:13:14,800 --> 00:13:19,800
You get sync asymmetry: HR considers the record authoritative, downstream considers the mapped
296
00:13:19,800 --> 00:13:21,080
shape authoritative.
297
00:13:21,080 --> 00:13:25,160
If the integration flow retries after a transient error, the downstream timestamp wins and
298
00:13:25,160 --> 00:13:29,560
overrides a later HR fix. From the platform's perspective, everything succeeded.
299
00:13:29,560 --> 00:13:34,000
From the control plane's perspective, policy forked on Tuesday at 2:14 pm.
300
00:13:34,000 --> 00:13:37,920
The lesson is not "configure less"; it is: stop asking configuration to carry
301
00:13:37,920 --> 00:13:38,920
intent.
302
00:13:38,920 --> 00:13:43,720
In this archetype, every standardization effort that doesn't move policy out of templates
303
00:13:43,720 --> 00:13:46,680
and stages simply pushes entropy down a level.
304
00:13:46,680 --> 00:13:49,960
Lock the templates and the exceptions migrate into Power Automate.
305
00:13:49,960 --> 00:13:54,660
Lock the flows and they migrate into email phrasing; lock the phrasing and they migrate into manual checklist
306
00:13:54,660 --> 00:13:56,000
steps.
307
00:13:56,000 --> 00:13:59,040
You can't paper over an obligation model with more wizard pages.
308
00:13:59,040 --> 00:14:03,680
What works instead, even here, is treating D365 HR as an event and execution surface, not
309
00:14:03,680 --> 00:14:04,680
the policy plane.
310
00:14:04,680 --> 00:14:09,200
Policy must be human readable and machine-queryable outside the workflow definitions.
311
00:14:09,200 --> 00:14:11,400
Events must be immutable facts.
312
00:14:11,400 --> 00:14:12,560
Candidate passed X.
313
00:14:12,560 --> 00:14:16,800
Attestation Y collected, not implied by stage names.
314
00:14:16,800 --> 00:14:21,000
Execution must subscribe to those policies and facts, not bury them in per-template logic.
315
00:14:21,000 --> 00:14:26,400
Then when an AI agent assists a recruiter or manager, it can cite policy and point to facts.
316
00:14:26,400 --> 00:14:28,360
If the answer is approved, it can say why.
317
00:14:28,360 --> 00:14:31,520
If the answer is no, it can show the edge that failed.
318
00:14:31,520 --> 00:14:35,240
Without that, the platform's adaptability is debt at interest.
319
00:14:35,240 --> 00:14:36,440
Archetype 2.
320
00:14:36,440 --> 00:14:37,440
Workday.
321
00:14:37,440 --> 00:14:38,440
Process rigor.
322
00:14:38,440 --> 00:14:40,040
Mistaken for intelligence.
323
00:14:40,040 --> 00:14:42,160
Workday presents a different face of the same problem.
324
00:14:42,160 --> 00:14:46,760
It prioritizes workflow discipline, well-defined business processes, routed approvals, audit-friendly
325
00:14:46,760 --> 00:14:51,400
steps. Architecturally, that yields clean paths, strong controls and a comforting
326
00:14:51,400 --> 00:14:54,480
sense that the process is the intelligence.
327
00:14:54,480 --> 00:14:55,480
It is not.
328
00:14:55,480 --> 00:14:57,560
The system is excellent at enforcing the path.
329
00:14:57,560 --> 00:15:00,480
It is agnostic about whether the path encodes intent.
330
00:15:00,480 --> 00:15:02,120
Here's the architectural choice that matters.
331
00:15:02,120 --> 00:15:06,840
You harden business processes as the primary abstraction, initiation, routing, conditional
332
00:15:06,840 --> 00:15:08,360
steps, completion.
333
00:15:08,360 --> 00:15:10,720
You gain predictability and auditability.
334
00:15:10,720 --> 00:15:14,280
You also move policy into the flow graph because the graph is the only mechanism you have
335
00:15:14,280 --> 00:15:15,280
at runtime.
336
00:15:15,280 --> 00:15:18,200
A leave policy becomes a sequence of steps with conditions.
337
00:15:18,200 --> 00:15:21,080
A compensation rule becomes a validation in a task.
338
00:15:21,080 --> 00:15:24,560
A compliance control becomes a required sub-process.
339
00:15:24,560 --> 00:15:27,800
The more complete the graph, the more the graph becomes the policy.
340
00:15:27,800 --> 00:15:29,040
Why it looked good at the time.
341
00:15:29,040 --> 00:15:30,040
Rigor reduces variance.
342
00:15:30,040 --> 00:15:32,840
HR leaders sleep better when exceptions are rare.
343
00:15:32,840 --> 00:15:34,680
Auditors smile when steps are forced.
344
00:15:34,680 --> 00:15:39,640
The platform's reporting reflects tidy cycle times, but exceptions never disappear.
345
00:15:39,640 --> 00:15:41,160
They relocate.
346
00:15:41,160 --> 00:15:45,880
In Workday, exception handling explodes in the exact places policy should have been separate.
347
00:15:45,880 --> 00:15:51,200
Advanced routing, condition rules, calculated fields and tenant specific business processes.
348
00:15:51,200 --> 00:15:54,920
What feels like control is often just complexity wearing a uniform.
349
00:15:54,920 --> 00:15:59,280
The failure mode is exception accretion until the graph is indistinguishable from code.
350
00:15:59,280 --> 00:16:04,040
Every carved out case, new union rules, country-specific attestations, one-off managerial
351
00:16:04,040 --> 00:16:06,760
hierarchies becomes a conditional branch.
352
00:16:06,760 --> 00:16:11,560
Over time, the flow that everyone follows is 20 flows that look similar, share a name and
353
00:16:11,560 --> 00:16:16,000
behave differently by supervisory org, location or job profile.
354
00:16:16,000 --> 00:16:17,880
You haven't eliminated ambiguity.
355
00:16:17,880 --> 00:16:20,440
You've buried it behind process rigor.
356
00:16:20,440 --> 00:16:24,800
Where policy hides is precise. It hides in condition rule libraries that mix legal thresholds
357
00:16:24,800 --> 00:16:26,400
with routing convenience.
358
00:16:26,400 --> 00:16:31,240
It hides in calculated fields that smuggle risk classifications into yes/no gates.
359
00:16:31,240 --> 00:16:36,240
It hides in tenant configuration where a sub-process is required in some orgs and optional in
360
00:16:36,240 --> 00:16:38,680
others for reasons no one can now articulate.
361
00:16:38,680 --> 00:16:42,600
It hides in localized business processes that were cloned to meet a deadline and never
362
00:16:42,600 --> 00:16:43,600
reconciled.
363
00:16:43,600 --> 00:16:48,120
And critically, it hides in the additional data sections users habitually misused to signal
364
00:16:48,120 --> 00:16:50,000
intent the model couldn't capture.
365
00:16:50,000 --> 00:16:51,600
Why AI fails here is specific.
366
00:16:51,600 --> 00:16:55,960
AI is confined to recommenders and assistants because the system cannot expose intent in
367
00:16:55,960 --> 00:16:57,640
a form the model can cite.
368
00:16:57,640 --> 00:17:01,720
Ask an agent to explain why this transfer was routed this way and it sees the path taken
369
00:17:01,720 --> 00:17:04,120
but not the policy logic that demanded it.
370
00:17:04,120 --> 00:17:08,200
Ask it to suggest the next step and it can predict the modal path from history, but it
371
00:17:08,200 --> 00:17:11,920
cannot assert compliance because the rules are entangled in local configuration.
372
00:17:11,920 --> 00:17:16,480
You end up with co-pilot features, summaries, reminders, suggestions, never with provable
373
00:17:16,480 --> 00:17:17,480
decisions.
374
00:17:17,480 --> 00:17:18,920
The process feels intelligent. It isn't.
375
00:17:18,920 --> 00:17:22,240
It is merely consistent at executing what you configured.
376
00:17:22,240 --> 00:17:23,840
Everything you've seen in review boards fits.
377
00:17:23,840 --> 00:17:28,240
A global mobility process cloned for Asia-Pacific introduces a country-specific consent
378
00:17:28,240 --> 00:17:29,240
process.
379
00:17:29,240 --> 00:17:34,560
Six months later, legal changes the consent language but only the EMEA clone is updated.
380
00:17:34,560 --> 00:17:37,040
Audit finds divergent evidence for the same policy.
381
00:17:37,040 --> 00:17:41,560
A calculated field intended to route high-risk roles to a second approver is subtly different
382
00:17:41,560 --> 00:17:45,280
across two supervisory orgs because the original author reused the condition and forgot
383
00:17:45,280 --> 00:17:46,280
a threshold.
384
00:17:46,280 --> 00:17:50,680
An offer approval in one org checks variable pay eligibility that another org encodes
385
00:17:50,680 --> 00:17:54,440
as a validation on compensation grade. Both look standardized.
386
00:17:54,440 --> 00:17:56,240
Neither is.
387
00:17:56,240 --> 00:17:57,840
Known fixes add to the debt.
388
00:17:57,840 --> 00:17:59,920
You restrict who can edit business processes.
389
00:17:59,920 --> 00:18:00,920
Good.
390
00:18:00,920 --> 00:18:02,240
You centralize condition rule ownership.
391
00:18:02,240 --> 00:18:03,240
Good.
392
00:18:03,240 --> 00:18:05,320
Then the backlog grows and teams demand responsiveness.
393
00:18:05,320 --> 00:18:08,240
You allow local rule bundles with central templates.
394
00:18:08,240 --> 00:18:12,840
Now you're running a forked rule set under one brand. Or you insist everything go through
395
00:18:12,840 --> 00:18:14,360
a center of excellence.
396
00:18:14,360 --> 00:18:19,720
The center encodes intent as best it can but the graph remains the only runtime expression.
397
00:18:19,720 --> 00:18:23,560
And policy changes? You schedule a release. Meanwhile, exceptions pile up in shared mailboxes and
398
00:18:23,560 --> 00:18:24,480
Slack threads.
399
00:18:24,480 --> 00:18:25,480
The graph stays correct.
400
00:18:25,480 --> 00:18:26,680
The reality does not.
401
00:18:26,680 --> 00:18:29,960
The illusion is that auditability equals explainability.
402
00:18:29,960 --> 00:18:33,320
Workday can show you who approved what when and along which path.
403
00:18:33,320 --> 00:18:38,400
It cannot by itself show the clause of policy that required the path or the facts that triggered
404
00:18:38,400 --> 00:18:39,760
it in machine-citable form.
405
00:18:39,760 --> 00:18:43,120
In other words, you can verify the process was followed without verifying the policy was
406
00:18:43,120 --> 00:18:48,280
enforced. In a world where AI agents must reason and cite, that gap is decisive.
407
00:18:48,280 --> 00:18:50,280
The lesson is not to loosen control.
408
00:18:50,280 --> 00:18:54,240
It's to separate control from policy. Use Workday's rigor for orchestration and evidence, but
409
00:18:54,240 --> 00:18:58,520
stop treating the process graph as the policy corpus. Move the rules out of condition sets
410
00:18:58,520 --> 00:19:00,280
and into a policy layer.
411
00:19:00,280 --> 00:19:02,000
Human-readable and machine-queryable.
412
00:19:02,000 --> 00:19:06,760
Then have the process subscribe. Record immutable events: facts about attestations, thresholds
413
00:19:06,760 --> 00:19:10,680
met, capabilities assigned, separate from tasks completed.
414
00:19:10,680 --> 00:19:15,480
When an agent assists, it can cite the policy and match it to facts, not guess the rule from
415
00:19:15,480 --> 00:19:16,480
a path name.
416
00:19:16,480 --> 00:19:20,880
One more point: don't confuse harmonization with coherence. Harmonizing business processes
417
00:19:20,880 --> 00:19:25,120
across regions makes the graph pretty. It does not align policy if the rules remain hidden
418
00:19:25,120 --> 00:19:30,840
in calculated fields and local clones. Coherence arrives when the intent is defined once, versioned,
419
00:19:30,840 --> 00:19:35,120
tested and referenced, and the process layer is a subscriber with a narrow mandate: route,
420
00:19:35,120 --> 00:19:40,040
collect evidence. Everything else is rigor encasing ambiguity, and rigor does not make ambiguity
421
00:19:40,040 --> 00:19:43,800
less ambiguous. It just makes it harder to see. Archetype 3.
422
00:19:43,800 --> 00:19:50,400
SuccessFactors: global complexity, local entropy. SuccessFactors wears the global badge proudly:
423
00:19:50,400 --> 00:19:55,680
country packs, localization frameworks and decades of accumulated compliance. Architecturally,
424
00:19:55,680 --> 00:19:59,760
that's the tell: you're operating a global orchestration surface whose deepest abstractions
425
00:19:59,760 --> 00:20:03,320
are anchored in jurisdiction-specific rules that were frozen into workflows to satisfy
426
00:20:03,320 --> 00:20:07,800
yesterday's auditors. That is not a criticism of the product; it is the consequence of solving
427
00:20:07,800 --> 00:20:12,320
for global HR in a world where every country insists on being the center of gravity.
428
00:20:12,320 --> 00:20:16,880
Here's the architectural choice that matters: you codify country-specific obligations inside
429
00:20:16,880 --> 00:20:21,360
process variants, field sets and rule bundles to guarantee local compliance inline. You gain
430
00:20:21,360 --> 00:20:25,920
immediate conformance and auditability per jurisdiction. You also convert law into flow,
431
00:20:25,920 --> 00:20:30,480
and that converts policy into configuration. Over time the global design becomes a fossil record
432
00:20:30,480 --> 00:20:36,400
of all the ways countries negotiated exceptions. Compliance is preserved; coherence is not.
433
00:20:36,400 --> 00:20:41,280
Why it looked good at the time: regulators reward concreteness. A rule baked into a workflow is
434
00:20:41,280 --> 00:20:46,080
easy to show and hard to ignore. Implementation partners can point to a pack and say this is
435
00:20:46,080 --> 00:20:51,600
compliant. Business leaders see one vendor, one stack, one surface. But every localized process
436
00:20:51,600 --> 00:20:56,960
that just needs a small adjustment becomes a fork. 10 years later you have a museum of adjustments
437
00:20:56,960 --> 00:21:01,680
with the same label. The failure mode is local entropy compounded into global incoherence.
438
00:21:01,680 --> 00:21:06,640
Country-specific flows hard-code thresholds, notice periods, leave definitions and data retention
439
00:21:06,640 --> 00:21:12,160
quirks. Backward compatibility keeps those branches alive after the law changes because historical
440
00:21:12,160 --> 00:21:17,440
transactions and downstream reporting expect the old shape. You stack new rules on top of old variants
441
00:21:17,440 --> 00:21:22,240
to avoid breaking history. The result is not a single global model with local overlays; it's
442
00:21:22,240 --> 00:21:27,440
multiple plausible worlds stitched together by naming, with subtle differences that matter in production.
443
00:21:27,440 --> 00:21:32,160
Where policy hides is predictable. It hides in country-specific on/off toggles that turn into
444
00:21:32,160 --> 00:21:37,440
implied gates on eligibility. It hides in business rule catalogs where a global rule checks a country
445
00:21:37,440 --> 00:21:42,480
code and routes to a national subroutine. It hides in picklists where localized labels encode different
446
00:21:42,480 --> 00:21:48,960
semantics: probation in one locale means benefits suppression; in another it is a reporting tag.
447
00:21:48,960 --> 00:21:53,520
It hides in time-off schemes where accrual logic is cloned, patched for a union agreement, then
448
00:21:53,520 --> 00:21:58,400
copied again for a canton. It hides in the international assignment processes that were cloned six times
449
00:21:58,400 --> 00:22:03,840
to manage tax edge cases in specific corridors and now differ only by three checkboxes no one will
450
00:22:03,840 --> 00:22:09,280
consolidate. Why AI fails here is specific: the model sees a thicket of near-duplicate processes and
451
00:22:09,280 --> 00:22:14,160
rules with country guards. It cannot infer the canonical intent because the intent was never recorded
452
00:22:14,160 --> 00:22:19,360
as a single versioned policy corpus. It can summarize the path taken in France for a parental leave
453
00:22:19,360 --> 00:22:24,480
and a different path in Ontario for a similar concept, but it cannot assert which obligations apply
454
00:22:24,480 --> 00:22:30,240
to a cross-border transfer because the obligations live as flow logic and cloned accrual definitions.
455
00:22:30,240 --> 00:22:35,520
Ask it to recommend the correct leave interpretation for a multinational employee who relocated
456
00:22:35,520 --> 00:22:39,920
mid-year and it will pattern-match from inconsistent history. Ask it to explain the decision
457
00:22:39,920 --> 00:22:45,360
and it will cite a rule ID and a path name, not the policy clause. You wanted a reasoning engine;
458
00:22:45,360 --> 00:22:49,920
you gave it a map of ancient roads. Everything you've seen in global governance shows up here.
459
00:22:49,920 --> 00:22:54,000
A country pack requires a data retention period that conflicts with corporate policy for
460
00:22:54,000 --> 00:22:59,760
disciplinary records. The local rule deletes sooner; the global analytics expect longer retention for
461
00:22:59,760 --> 00:23:05,920
trend analysis. Reporting compensates with derived fields. Investigations fail because evidence is gone.
462
00:23:05,920 --> 00:23:10,720
A localized termination process encodes a mandatory notice period that was updated last year, but
463
00:23:10,720 --> 00:23:15,600
the legacy reorg variant didn't get the patch because it's rarely used. One business unit uses the
464
00:23:15,600 --> 00:23:21,440
legacy variant for a matrix structure. Grievances cite outdated notices. An assignment from Germany to the
465
00:23:21,440 --> 00:23:27,920
U.S. triggers tax equalization steps in one flow and not in a cloned variant used for urgent transfers,
466
00:23:27,920 --> 00:23:32,320
because the urgent template removed an intermediate attestation during a pandemic and nobody
467
00:23:32,320 --> 00:23:37,360
restored it. All of these are rational decisions in the moment; as a system they're entropy generators.
468
00:23:37,360 --> 00:23:42,960
Known global harmonization projects can make this worse. You declare a single global process with
469
00:23:42,960 --> 00:23:48,560
local inserts. Good. Then you implement it by parameterizing a master flow with country flags and
470
00:23:48,560 --> 00:23:54,000
embedding local rules behind those flags. The surface looks unified; the logic is still fragmented.
471
00:23:54,000 --> 00:23:59,440
When a regulation changes in one jurisdiction, you patch a branch instead of updating a policy layer.
472
00:23:59,440 --> 00:24:04,800
Tests pass locally; drift accumulates globally. Two years later your harmonized process contains a
473
00:24:04,800 --> 00:24:09,760
secret subway of country-specific tunnels. The facade is clean; the routes diverge. The illusion here
474
00:24:09,760 --> 00:24:15,200
is that localization equals clarity. Localized flows deliver evidence for local auditors; they don't
475
00:24:15,200 --> 00:24:19,760
deliver explainability at the global level. When identity, risk and compliance need to reason
476
00:24:19,760 --> 00:24:24,800
across borders (who is entitled, what data must be retained, which controls apply), the answers are
477
00:24:24,800 --> 00:24:29,600
embedded in process forks and rule catalogs keyed by country. An agent can't compute a global
478
00:24:29,600 --> 00:24:34,160
obligation graph from that; it can only replay a local path. The lesson is not to standardize more
479
00:24:34,160 --> 00:24:39,280
aggressively. It's to lift policy out of flow logic and make locality explicit as data, not code.
480
00:24:40,000 --> 00:24:45,840
Write obligations as versioned, machine-queryable rules with jurisdictional scope. Emit events as
481
00:24:45,840 --> 00:24:52,000
immutable facts (employee relocated from A to B on date; leave category X granted under policy Y)
482
00:24:52,000 --> 00:24:57,280
rather than letting process names imply them. Drive localized execution by subscribing to those rules
483
00:24:57,280 --> 00:25:02,560
and facts, not by hard-coding jurisdiction inside flows. Then an AI assistant can compute what
484
00:25:02,560 --> 00:25:07,600
applies, cite the source and reconcile conflicts across jurisdictions. And when a country changes a
485
00:25:07,600 --> 00:25:13,360
law, you change the policy rule, rerun tests and watch execution adapt, not fork the flow and hope
486
00:25:13,360 --> 00:25:20,240
everyone uses the right tunnel. Archetype 4: Entra ID, HR's shadow system of record. Most organizations
487
00:25:20,240 --> 00:25:25,280
insist HR is the system of record for workers. Architecturally, that's not how your risk is governed.
488
00:25:25,280 --> 00:25:30,080
Entra ID, your identity plane, decides who can do what, from where, on which device, under which
489
00:25:30,080 --> 00:25:34,640
conditions and with what evidence. That is the control plane. When the control plane diverges
490
00:25:34,640 --> 00:25:40,080
from the HR plane, the narrative of hire-to-retire collapses in the only place that matters: enforcement.
491
00:25:40,080 --> 00:25:44,720
Here's the architectural choice that matters: you treat identity as downstream of HR data. Person
492
00:25:44,720 --> 00:25:50,000
exists in HR, identity is provisioned, group memberships follow, conditional access applies.
493
00:25:50,000 --> 00:25:55,840
Clean diagram. In reality identity accumulates its own graph of entitlements, device trust, session
494
00:25:55,840 --> 00:26:00,720
signals, workload-specific roles and exception controls. That graph changes continuously,
495
00:26:00,720 --> 00:26:05,680
sometimes because HR changed the record, often because security adjusted a policy,
496
00:26:05,680 --> 00:26:10,080
IT granted a time-bound elevation or an app owner added a direct role.
497
00:26:10,080 --> 00:26:17,040
The result is three truths: HR worker truth, identity access truth and compliance evidence truth.
498
00:26:17,040 --> 00:26:21,040
They align only by accident unless you make the alignment an explicit design goal.
499
00:26:21,040 --> 00:26:26,880
Why it looked good at the time: separating concerns. HR owns people data, IT owns access, security
500
00:26:26,880 --> 00:26:32,480
owns policy. Each side moves at its own cadence. But the lifecycle narrative masks a hard fact:
501
00:26:32,480 --> 00:26:37,440
access is not a derivative of personhood; it's a derivative of risk, obligation and capability.
502
00:26:37,440 --> 00:26:43,360
Those change outside HR. Entra responds in real time; HR does not. That asynchrony is where drift lives.
503
00:26:43,360 --> 00:26:48,240
The failure mode is conditional chaos. Conditional access is powerful: signal-driven, context-aware
504
00:26:48,240 --> 00:26:52,800
and granular. It's also an entropy generator when peppered with except-for clauses. You start with
505
00:26:52,800 --> 00:26:58,560
the deterministic posture: MFA, device compliance, location constraints. A business exception arrives;
506
00:26:58,560 --> 00:27:03,440
you carve out an exclusion group set to expire in 14 days. Then another exception needs a slightly
507
00:27:03,440 --> 00:27:08,800
different control; you duplicate a policy, tweak a condition and add a service principal to a bypass.
508
00:27:08,800 --> 00:27:13,920
Over time your conditional fabric becomes probabilistic. A user's effective access depends on the
509
00:27:13,920 --> 00:27:19,520
intersection of policy precedence, group nesting, token claims and legacy app behavior. It works until
510
00:27:19,520 --> 00:27:24,000
it doesn't, and your incident response reads like archaeology. Where policy hides is exact. It hides
511
00:27:24,000 --> 00:27:28,560
in group designs that double as entitlement catalogs: HR-managed departments plus app-owner-managed
512
00:27:28,560 --> 00:27:33,760
access groups, with shadow break-glass roles tucked into nested assignments. It hides in access
513
00:27:33,760 --> 00:27:38,480
package rules that encode business logic as eligibility predicates: tenure thresholds, location
514
00:27:38,480 --> 00:27:43,600
flags, managerial status. It hides in Privileged Identity Management settings: approval lists that
515
00:27:43,600 --> 00:27:48,800
reflect old org charts, emergency accounts with no TTL, justification fields that evolved into
516
00:27:48,800 --> 00:27:54,160
routing signals. It hides in per-app role assignments done directly to service principals because
517
00:27:54,160 --> 00:27:59,360
we needed this to work before month end. None of that shows up in HR. All of that governs reality.
518
00:27:59,360 --> 00:28:04,480
Why AI fails here is specific. Ask an agent to explain why Alex has access to data hub
519
00:28:04,480 --> 00:28:10,160
and it can enumerate groups, roles and policies. Ask it whether Alex should have access under current policy
520
00:28:10,160 --> 00:28:15,120
and it hits a missing layer: the authoritative, versioned policy corpus that maps roles to obligations
521
00:28:15,120 --> 00:28:20,080
to controls. Lacking that, the model predicts from patterns: people in this department usually had
522
00:28:20,080 --> 00:28:25,600
these roles, tokens with these claims passed these policies. It can summarize; it cannot assert compliance.
523
00:28:25,600 --> 00:28:31,760
And when identity, HR and compliance disagree, the agent has three graphs with no canonical precedence
524
00:28:31,760 --> 00:28:36,640
model to reconcile them, so it picks the loudest source: the logs. Everything you recognize from
525
00:28:36,640 --> 00:28:41,920
post-incident reads is here. A terminated worker retains residual access because a provisioning flow
526
00:28:41,920 --> 00:28:46,720
failed on a transient error and retried after the HR record flipped to inactive; the connector
527
00:28:46,720 --> 00:28:51,120
filtered the event. A contractor's conditional access exception group never expired because nobody
528
00:28:51,120 --> 00:28:56,720
owned the TTL review; their device compliance drifted, but a legacy app enforced basic auth. A
529
00:28:56,720 --> 00:29:01,760
break-glass account's password was rotated but its app secrets weren't; downstream roles persisted.
530
00:29:01,760 --> 00:29:07,600
A group-based entitlement was replaced by direct app roles during a migration. The migration script
531
00:29:07,600 --> 00:29:12,400
missed two finance assistants who were temporarily in a project security group; they inherited access
532
00:29:12,400 --> 00:29:17,760
by accident. These are not exotic; they are the daily shape of drift. Known fixes introduce new fractures.
533
00:29:17,760 --> 00:29:23,120
You centralize group governance. Good. Then app teams create local dynamic groups keyed on app metadata
534
00:29:23,120 --> 00:29:28,560
to regain agility. You enforce conditional access baselines. Good. Then service owners slap trusted
535
00:29:28,560 --> 00:29:34,080
locations on unfamiliar IP ranges to avoid angry calls, and your location logic becomes Swiss cheese.
536
00:29:34,080 --> 00:29:38,400
You lock down admin elevations with PIM approvals. Good. Then approvals rubber-stamp because
537
00:29:38,400 --> 00:29:42,640
business hours don't match support windows and the human in the loop becomes a human in name. The
538
00:29:42,640 --> 00:29:48,400
illusion is that identity merely reflects HR. In practice identity manufactures reality under pressure.
539
00:29:48,400 --> 00:29:54,720
HR says transfer; identity recomputes entitlements based on group logic, app roles and exemptions.
540
00:29:54,720 --> 00:29:59,440
If those encode latent policy, the transfer manifests as a new access regime that HR didn't intend
541
00:29:59,440 --> 00:30:04,880
and compliance didn't test. Later, audit asks why this entitlement happened, and you produce logs,
542
00:30:04,880 --> 00:30:10,080
not policy citations. Evidence replaces explanation. That's survivable until AI enters the loop, because
543
00:30:10,080 --> 00:30:14,960
agents need rules they can cite, not just breadcrumbs they can replay. The lesson is not to simplify
544
00:30:14,960 --> 00:30:21,360
conditional access or ban exceptions. It's to move intent out of Entra configuration and into a policy
545
00:30:21,360 --> 00:30:26,560
layer, then compile to identity. Express access policy as human-readable, machine-queryable rules
546
00:30:26,560 --> 00:30:31,920
with clear precedence. Version them. Test them against facts. Generate Entra artifacts (groups, dynamic
547
00:30:31,920 --> 00:30:37,680
queries, app role assignments, CA policies) from the compiler, not from admin portals. Emit events
548
00:30:37,680 --> 00:30:42,880
for entitlements granted and controls applied as immutable facts. Then require explainability at
549
00:30:42,880 --> 00:30:47,680
decision time: which policy, which version, matched which facts. When a divergence is necessary, give it
550
00:30:47,680 --> 00:30:53,120
a TTL and evidence by default. And treat Entra as the enforcement graph it already is: authoritative
551
00:30:53,120 --> 00:30:57,920
for access, accountable to policy, observable for compliance. Without that, identity will continue
552
00:30:57,920 --> 00:31:04,480
being your shadow system of record, writing history faster than HR can correct it. Archetype 5.
553
00:31:04,480 --> 00:31:10,880
Power Automate plus HR integrations: the debugging economy. Power Automate is where good intentions go
554
00:31:10,880 --> 00:31:16,640
to become operating models. Architecturally it's a glue fabric: event subscriptions, triggers, conditions,
555
00:31:16,640 --> 00:31:21,120
mapping, stitched between systems that weren't designed to share intent. That role is valuable.
556
00:31:21,120 --> 00:31:26,160
It is also where policy goes feral when the upstream abstractions are wrong. The more quick wins you stack,
557
00:31:26,160 --> 00:31:31,120
the more your business becomes a flow debugging practice. Here's the architectural choice that matters:
558
00:31:31,120 --> 00:31:37,120
you decide to use flows as the place where the last mile lives. Transform the payload, enrich a record,
559
00:31:37,120 --> 00:31:43,200
catch a miss, route a notification, retry a failed sync. Each choice is rational. Collectively they become
560
00:31:43,200 --> 00:31:49,040
your de facto policy compiler: accepted, unversioned, untestable at intent level and visible only to the
561
00:31:49,040 --> 00:31:54,160
person who authored it. The platform rewards speed; it does not enforce design. Why it looked good at the
562
00:31:54,160 --> 00:32:00,240
time: autonomy. HR ops can connect D365 HR to F&O to Dataverse to a Power Pages portal to
563
00:32:00,240 --> 00:32:05,040
SharePoint to email, no enterprise backlog required. A new screening flag needs to map into a
564
00:32:05,040 --> 00:32:10,160
different downstream field? Add a condition. A candidate ready to hire needs to create a worker
565
00:32:10,160 --> 00:32:15,840
and trigger IT provisioning? Add a chain of actions with Configure run after. A sync error needs
566
00:32:15,840 --> 00:32:20,800
resilience? Add retries, add a dead-letter list, add a manual approval as a safety valve. You shipped.
567
00:32:20,800 --> 00:32:25,840
It worked. It also became the only place truth moved reliably. The failure mode is sprawl with
568
00:32:25,840 --> 00:32:32,560
silent failure. Flows multiply by org, by business unit, by region, by author. Names drift, owners leave,
569
00:32:32,560 --> 00:32:38,720
connections expire, Configure run after swallows exceptions to keep the path green. A connector gets
570
00:32:38,720 --> 00:32:43,520
upgraded, the schema shifts, a condition never fires again because a label changed upstream. Nothing
571
00:32:43,520 --> 00:32:48,640
screams until an auditor or an outage finds the missing entitlement or, worse, the extra one. Where
572
00:32:48,640 --> 00:32:53,440
policy hides is exact. It hides in trigger filters that decide which events count as hires. It hides
573
00:32:53,440 --> 00:32:58,960
in condition blocks that encode eligibility logic no system of record ever captured: tenure thresholds,
574
00:32:58,960 --> 00:33:04,400
union flags, location-specific overrides. It hides in field maps that quietly normalize values to make
575
00:33:04,400 --> 00:33:10,000
downstream reports consistent. It hides in temporary bypasses hard-coded to a group ID, added during a
576
00:33:10,000 --> 00:33:15,120
cutover and never removed. It hides in concurrency controls that serialize updates to avoid race
577
00:33:15,120 --> 00:33:20,160
conditions at the cost of reordering facts. None of this is documented as policy. It governs outcomes.
578
00:33:20,160 --> 00:33:27,040
Why AI fails here is specific. Ask an agent to explain why this worker still has access,
579
00:33:27,040 --> 00:33:32,000
and it sees a flow run that succeeded, with an action that skipped because a condition matched yesterday
580
00:33:32,000 --> 00:33:36,560
and not today. Ask it to fix the mapping and it can adjust the field name, but it cannot assert
581
00:33:36,560 --> 00:33:42,160
that the mapping expresses policy, because policy never lived anywhere but inside the flow. Ask it to
582
00:33:42,160 --> 00:33:47,520
diagnose dropped events and it will summarize retries. It will not reconstruct the intent behind a
583
00:33:47,520 --> 00:33:52,560
dead-letter queue that a human drained last week to keep things moving. Everything you've seen in
584
00:33:52,560 --> 00:33:57,920
integrator war rooms plays out here. A flow that publishes job ads to a portal silently stops because
585
00:33:57,920 --> 00:34:03,200
a pagination token expired after an API change; the hiring team blames the career site.
586
00:34:03,200 --> 00:34:08,000
A ready-to-hire orchestrator tries to create a worker, fails on a mandatory field not present for
587
00:34:08,000 --> 00:34:12,880
a jurisdiction; the author adds a default in the mapping. Six months later a region's benefit
588
00:34:12,880 --> 00:34:18,800
eligibility is wrong for a cohort. An identity provisioning flow filters out inactive updates
589
00:34:18,800 --> 00:34:26,160
to avoid churn during transfer bursts; a termination at 5:03 p.m. misses the window and access persists overnight.
590
00:34:26,160 --> 00:34:31,280
The incident review discovers a run-only users list that contains one person, who was on leave.
591
00:34:32,000 --> 00:34:37,600
Known fixes trade one risk for another. You centralize flows and introduce a naming convention. Good.
592
00:34:37,600 --> 00:34:41,680
Then every exception request becomes a new branch with hidden policy. You add solution ALM and
593
00:34:41,680 --> 00:34:46,560
code review via pull requests. Good. Then emergency edits happen in production because someone
594
00:34:46,560 --> 00:34:51,920
must unblock payroll. You enforce environment isolation and managed connectors. Good. Then shadow
595
00:34:51,920 --> 00:34:56,560
flows appear in personal environments to regain agility and their outputs are manually copied into
596
00:34:56,560 --> 00:35:03,440
official systems when they work. The friction moves; the debt remains. The illusion is that flows are
597
00:35:03,440 --> 00:35:09,200
just plumbing. In reality they are your most active policy surface when upstream models cannot express
598
00:35:09,200 --> 00:35:14,400
obligations. The faster you add plumbing, the more water finds that path. Over time the connectors
599
00:35:14,400 --> 00:35:19,520
encode your company. That's why incidents feel uncanny: the logic that mattered lived where nobody
600
00:35:19,520 --> 00:35:25,280
expected policy to live. The lesson is not to ban Power Automate. It's to stop letting glue decide policy.
601
00:35:25,280 --> 00:35:29,760
Flows should subscribe to immutable events, apply compiled rules and emit facts, with every decision
602
00:35:29,760 --> 00:35:35,120
citing the rule version and inputs. If a fact is missing, the flow should fail loud and early. If an
603
00:35:35,120 --> 00:35:40,320
exception is needed, it should be a policy change with a TTL, not a connector tweak. Ownership
604
00:35:40,320 --> 00:35:47,360
must reflect intent one team owns rules another owns flows both own tests that run on every change
605
00:35:47,360 --> 00:35:53,280
and observability must be first class event lineage rule evaluation traces decision logs not
606
00:35:53,280 --> 00:35:57,680
just run histories one last point in a healthy architecture Power Automate is a transport and
607
00:35:57,680 --> 00:36:02,320
coordination layer in an unhealthy one it's the brain you don't fix that by writing better flows
608
00:36:02,320 --> 00:36:07,760
you fix it by moving policy out of flows moving facts out of labels and making every integration
609
00:36:07,760 --> 00:36:13,040
a subscriber to policy and events then glue does what glue does best connect while the system
610
00:36:13,040 --> 00:36:18,160
becomes something you can finally explain why AI pilots fail in HR the intent extraction problem
611
00:36:18,160 --> 00:36:23,840
we've diagnosed the damage now the midpoint why AI exposes it so quickly the short answer is brutal
612
00:36:23,840 --> 00:36:29,200
models aren't the issue implicit policy is in HR most policy isn't a policy at all it's a
613
00:36:29,200 --> 00:36:33,840
collage of templates stages connector branches and condition rules you call it process the model
614
00:36:33,840 --> 00:36:39,040
calls it data when you ask an AI to reason it searches for intent what it finds are artifacts so it
615
00:36:39,040 --> 00:36:43,600
infers doctrine from anecdotes and fails with confidence okay so basically intent lives in three
616
00:36:43,600 --> 00:36:48,880
places it should not first in workflows step names condition blocks and path choices that look
617
00:36:48,880 --> 00:36:54,400
like rigor but are really embedded rules second in integration glue field maps trigger filters and
618
00:36:54,400 --> 00:37:00,240
retry logic that decide whether an event even exists third in presentation email phrasing
619
00:37:00,240 --> 00:37:05,440
preferred answers or pick list labels that quietly alter behavior none of that is versioned as policy
620
00:37:05,440 --> 00:37:10,640
all of it is what the model sees think of RAG the go-to approach retrieval augmented generation
621
00:37:10,640 --> 00:37:15,920
works when there's a corpus worth retrieving authoritative current and scoped in HR retrieval
622
00:37:15,920 --> 00:37:20,480
fetches the last posted handbook a regional addendum three job ad templates with contradictory
623
00:37:20,480 --> 00:37:26,320
clauses and a six month old email thread the model grounds its answer in exactly what you published
624
00:37:26,320 --> 00:37:31,280
drift you wanted a legal citation with scope and precedence you get a well-written synthesis of
625
00:37:31,280 --> 00:37:36,240
your contradictions here's the weird part the more historical data you give the model the worse
626
00:37:36,240 --> 00:37:41,120
it gets when intent is implicit history contains your local optimizations your exceptions turned
627
00:37:41,120 --> 00:37:46,320
baselines your undocumented connector detours the model faithfully learns your entropy ask it for
628
00:37:46,320 --> 00:37:51,920
next best action and it predicts the model detour not the intended rule ask it why and it cites
629
00:37:51,920 --> 00:37:56,800
an artifact path names email language because that's all there is now layer in explainability in a
630
00:37:56,800 --> 00:38:02,160
deterministic system explanation is citation which rule which version matched which facts in your
631
00:38:02,160 --> 00:38:07,920
current stack explanation is archaeology which flow ran which branch skipped which label mapped which
632
00:38:07,920 --> 00:38:12,880
email hinted that's not explainability that's storytelling you can narrate a path after the fact
633
00:38:12,880 --> 00:38:17,600
you cannot prove intent at decision time agents need proofs not parables this is why Copilot
634
00:38:17,600 --> 00:38:22,720
experiences plateau summaries and reminders are safe because they don't require authority autonomy
635
00:38:22,720 --> 00:38:26,880
requires authority without a policy plane there's nothing to authorize so you get assistance
636
00:38:26,880 --> 00:38:32,320
that drafts job descriptions proposes interview questions and reminds approvals useful but always
637
00:38:32,320 --> 00:38:37,200
advisory never deciding you didn't fail a pilot because the model was weak you failed because the
638
00:38:37,200 --> 00:38:42,560
system couldn't supply constraints the model could cite consider the classic pilot sequence step one
639
00:38:42,560 --> 00:38:49,120
index policy the indexing job finds PDFs wiki pages and change emails step two wire to signals
640
00:38:49,120 --> 00:38:54,400
life cycle events approvals role updates good step three add a small action surface suggest next steps
641
00:38:54,400 --> 00:38:59,680
pre-fill forms the first week looks magical week four an edge case arrives the agent recommends a path
642
00:38:59,680 --> 00:39:04,720
that matched history but violated a recent compliance change post-mortem asks why did it do that
643
00:39:04,720 --> 00:39:10,160
the answer because that's what your corpus said the real question is why didn't the system own intent
644
00:39:10,160 --> 00:39:15,200
separately from history because it never did let's draw the boundary cleanly AI fails in HR when
645
00:39:15,200 --> 00:39:20,720
five conditions coexist policy is implicit in workflow graphs not explicit in a rules layer facts
646
00:39:20,720 --> 00:39:26,880
are implicit in state labels not emitted as immutable events execution is imperative do these steps
647
00:39:26,880 --> 00:39:33,760
not declarative subscribe to rules identity is permissive by default via exceptions not compiled
648
00:39:33,760 --> 00:39:39,200
from policy with TTLs evidence is log replay not decision time explanation flip any one of those
649
00:39:39,200 --> 00:39:43,520
and things improve flip all five and autonomy becomes possible okay so how do you make intent
650
00:39:43,520 --> 00:39:47,840
extractable you don't you stop extracting it you author it that means writing obligations as
651
00:39:47,840 --> 00:39:52,320
human readable machine queryable rules scoped versioned and testable outside the workflow
652
00:39:52,320 --> 00:39:57,360
it means emitting events as facts with enough context to evaluate rules later it means making
653
00:39:57,360 --> 00:40:01,840
execution subscribe to rules instead of embedding them it means treating identity as the enforcement
654
00:40:01,840 --> 00:40:07,440
graph compiled from policy not a parallel universe of exceptions and it means requiring explanation
655
00:40:07,440 --> 00:40:12,720
at decision time not after an incident one last point many pilots fail quietly not catastrophically
656
00:40:12,720 --> 00:40:19,040
teams downgrade scope from decide to assist that feels prudent it's actually an admission the system
657
00:40:19,040 --> 00:40:24,160
can't supply guardrails if you hear recommendation only in perpetuity you're not being cautious you're
658
00:40:24,160 --> 00:40:29,520
confessing architecture the fix is upstream of the model put intent where it belongs then only then
659
00:40:29,520 --> 00:40:36,800
let the model reason cite and act mental model shift from life cycle to capability obligation identity
660
00:40:36,800 --> 00:40:41,920
everything so far has been a diagnosis your life cycle story encodes policy into workflows hides
661
00:40:41,920 --> 00:40:46,960
state and drifts the fix isn't a cleaner wizard it's a different unit of design replace stage thinking
662
00:40:46,960 --> 00:40:52,480
with three primitives that systems can actually enforce capability obligation and identity start
663
00:40:52,480 --> 00:40:57,760
with capability provisioning this is not onboarding it's the explicit set of capabilities a role
664
00:40:57,760 --> 00:41:03,760
requires to perform a function under a defined risk posture capabilities are granular query ledger
665
00:41:03,760 --> 00:41:10,720
approve offers access customer PII provision devices deploy to production capabilities are never
666
00:41:10,720 --> 00:41:15,760
job titles they are edges between people and systems guarded by controls when a person is hired what
667
00:41:15,760 --> 00:41:20,880
actually happens is capability assignment when a person transfers capability edges change when a
668
00:41:20,880 --> 00:41:26,160
person terminates capability edges are removed design on capabilities not stages and you stop
669
00:41:26,160 --> 00:41:31,680
inferring access from stories now obligation tracking obligation isn't a task checklist it's the set
670
00:41:31,680 --> 00:41:37,120
of duties that attach to a role a jurisdiction or an event with scope precedence and expiration
671
00:41:37,120 --> 00:41:42,880
examples collect attestation within 30 days retain disciplinary records for three years in
672
00:41:42,880 --> 00:41:48,640
country x run fit and proper check for regulated entities require re-auth every 12 hours for privileged
673
00:41:48,640 --> 00:41:54,000
sessions obligations are not embedded steps they are rules with conditions and time they bind to
674
00:41:54,000 --> 00:41:59,520
facts events like role granted location change or device posture dropped when an obligation
675
00:41:59,520 --> 00:42:04,320
exists the system should know it test it and evidence it when it expires the system should emit
676
00:42:04,320 --> 00:42:09,280
a fact that is enforcement not folklore then identity orchestration identity isn't a person record
677
00:42:09,280 --> 00:42:13,120
it's the enforcement graph who under which claims can traverse which edges to reach which
678
00:42:13,120 --> 00:42:17,920
capabilities under which conditions identity orchestration compiles capabilities and obligations
679
00:42:17,920 --> 00:42:22,800
into controls group membership app roles conditional access policies session lifetimes device
680
00:42:22,800 --> 00:42:29,520
requirements with explicit TTLs and evidence when HR says transfer identity recalculates the graph
681
00:42:29,520 --> 00:42:35,760
from policy it does not replay a wizard when compliance changes an obligation identity compiles
682
00:42:35,760 --> 00:42:40,880
different controls and tests them against facts when an exception exists identity holds a timer
683
00:42:40,880 --> 00:42:45,440
not a memory this is not a semantic shift this is a structural shift it changes who owns what
684
00:42:45,440 --> 00:42:52,400
how you measure success and why AI can finally reason about your system life cycles describe stories
685
00:42:52,400 --> 00:42:58,080
systems need contracts in practice capability provisioning means defining capability catalogs independent
686
00:42:58,080 --> 00:43:03,200
of job titles a job is now a capability bundle plus a risk posture a project assignment is a
687
00:43:03,200 --> 00:43:08,240
temporary capability grant with a TTL a matrix role is a second bundle with separate obligations
688
00:43:08,240 --> 00:43:13,440
provisioning becomes assign bundle X under policy Y not complete onboarding step Z
689
00:43:13,440 --> 00:43:18,800
deprovisioning becomes revoke bundle and close obligations not flip status to inactive and
690
00:43:18,800 --> 00:43:24,800
hope flows fire managers stop asking for access like Sam they request named capability bundles bound
691
00:43:24,800 --> 00:43:30,720
to policy obligation tracking means writing obligations as rules with scope and version if capability
692
00:43:30,720 --> 00:43:38,000
X was approve offers and location X was EU require remuneration transparency attestation every 12 months
693
00:43:38,000 --> 00:43:43,120
if role X financial controller require dual approval for ledger queries and log retention of seven
694
00:43:43,120 --> 00:43:49,040
years these are not flow steps they are rules that trigger computable checks evidence becomes policy
695
00:43:49,040 --> 00:43:56,320
v4 matched facts a b c on date d obligation satisfied not task completed by Jane at 3 p.m. when
696
00:43:56,320 --> 00:44:02,080
obligations conflict global versus local precedence is explicit tests catch drift before incidents do
697
00:44:02,080 --> 00:44:07,200
identity orchestration means the graph is generated not hand built groups dynamic queries app roles
698
00:44:07,200 --> 00:44:12,720
and conditional access derive from policy compilation not hero admin work exceptions are first class
699
00:44:12,720 --> 00:44:18,080
artifacts with justification TTL and reviewer when the TTL ends the compiler removes the edge
700
00:44:18,080 --> 00:44:23,600
and emits an event when a device falls out of compliance the session policy changes evidence records why
701
00:44:23,600 --> 00:44:29,440
when a merger happens identities are reconciled against capability bundles and obligations duplicated
702
00:44:29,440 --> 00:44:36,800
titles don't matter edges do this shift clarifies ownership HR owns intent capability definitions
703
00:44:36,800 --> 00:44:41,760
and obligation rules platforms own execution compilers enforcement and evidence security owns
704
00:44:41,760 --> 00:44:46,080
constraints and precedence compliance owns tests and audits nobody owns the flow because flows
705
00:44:46,080 --> 00:44:51,520
stop being where policy lives they are subscribers that move facts between systems it also clarifies
706
00:44:51,520 --> 00:44:56,880
metrics you stop tracking onboarding cycle time as if speed equals correctness you start tracking
707
00:44:56,880 --> 00:45:02,720
capability assignment accuracy obligation satisfaction rate exception half-life and identity
708
00:45:02,720 --> 00:45:08,240
drift delta you ask how many capability edges exist without matching obligations how many exceptions
709
00:45:08,240 --> 00:45:13,840
exceeded TTL last quarter where did policy compilation fail those numbers explain risk stage counts
710
00:45:13,840 --> 00:45:22,480
don't finally it unlocks AI an agent can compute under policy v7 bundle finance approver requires
711
00:45:22,480 --> 00:45:30,480
attestation x and control y facts show x satisfied y missing recommend apply y here are the implications
712
00:45:30,480 --> 00:45:35,680
it can explain because the rules exist it can act because execution subscribes to rules
713
00:45:35,680 --> 00:45:40,320
it can decline because evidence is absent that's autonomy with accountability not automation by
714
00:45:40,320 --> 00:45:46,320
imitation the HR entropy diagnostic a checklist you can run tomorrow you don't fix entropy with
715
00:45:46,320 --> 00:45:51,680
motivation you fix it with visibility so here's a diagnostic you can run tomorrow three clusters six
716
00:45:51,680 --> 00:45:57,440
questions if you can't answer them with evidence not anecdotes your AI will fail not might will
717
00:45:57,440 --> 00:46:03,760
cluster one policy location start with a simple inventory question where does policy live today
718
00:46:03,760 --> 00:46:09,280
data workflow or documentation don't accept we have a handbook as an answer you need a map for
719
00:46:09,280 --> 00:46:14,080
each hiring transfer and termination obligation point to the artifact that actually governs behavior
720
00:46:14,080 --> 00:46:19,520
a condition rule a connector filter a stage definition a pick list label a calculated field a
721
00:46:19,520 --> 00:46:25,120
pdf clause if you can't enumerate the artifact per obligation policy is aspirational configuration runs
722
00:46:25,120 --> 00:46:30,960
the company next count conditional branches per life cycle event in production not in design docs
723
00:46:30,960 --> 00:46:37,760
for hire how many yes no forks fire across HR identity payroll compliance and glue count the ones
724
00:46:37,760 --> 00:46:42,800
in business process graphs Power Automate flows condition libraries calculated fields access packages
725
00:46:42,800 --> 00:46:48,160
and conditional access don't average find the maximum path length and the total branch count those
726
00:46:48,160 --> 00:46:52,960
two numbers are your entropy multiplier high branch count plus long paths equals hidden policy and
727
00:46:52,960 --> 00:47:00,080
non deterministic outcomes you're not running a process you're rolling dice cluster two explainability
728
00:47:00,080 --> 00:47:05,040
can an AI agent explain why a decision happened at the point of decision with citations not we think
729
00:47:05,040 --> 00:47:10,560
not historically ask for the rule version its scope and the facts that matched it then ask what
730
00:47:10,560 --> 00:47:15,600
would have happened under policy v one if you can't replay the decision against the prior rule set
731
00:47:15,600 --> 00:47:20,240
you don't have explainability you have folklore what's the source of truth for that explanation
732
00:47:20,240 --> 00:47:25,040
acceptable answers a versioned policy corpus and immutable events unacceptable answers business
733
00:47:25,040 --> 00:47:30,880
process names stage labels email templates or flow run histories if your explanation references a
734
00:47:30,880 --> 00:47:37,200
path name like global transfer v three or a connector condition like if status equals terminated
735
00:47:37,200 --> 00:47:42,400
you're citing configuration not policy models can summarize configuration they cannot prove compliance
736
00:47:42,400 --> 00:47:47,840
from it cluster three cross system disagreement where do identity compliance and HR disagree today
737
00:47:47,840 --> 00:47:52,560
list a dozen real cases from the last quarter terminated in HR but retained access due to a retry
738
00:47:52,560 --> 00:47:57,680
filter eligible for benefit in payroll but excluded in a cloned business process transfer
739
00:47:57,680 --> 00:48:02,080
routed one way in Workday and another way in SuccessFactors because a calculated field differed
740
00:48:02,080 --> 00:48:06,560
then ask the only question that matters which one wins in practice don't say it depends
741
00:48:06,560 --> 00:48:11,280
name the precedence model if identity wins sometimes and HR wins other times and compliance wins
742
00:48:11,280 --> 00:48:15,920
when someone yells loudest you're operating a probabilistic control plane agents can't certify
743
00:48:15,920 --> 00:48:20,800
risk in a system that doesn't know who's authoritative when and for what now tighten the screws
744
00:48:20,800 --> 00:48:25,680
for each cluster assign owners policy location who owns intent for capability definitions and
745
00:48:25,680 --> 00:48:30,640
obligations who owns configuration surfaces where policy currently hides are they the same person
746
00:48:30,640 --> 00:48:35,840
they shouldn't be explainability who owns the policy corpus and event models who writes tests
747
00:48:35,840 --> 00:48:40,720
that fail when configuration diverges from policy disagreement who owns the precedence model
748
00:48:40,720 --> 00:48:45,600
and the reconciliation mechanism is it documented versioned and testable next, time: what's the half
749
00:48:45,600 --> 00:48:51,520
life of exceptions pick five exceptions identity bypasses process skips manual attestations
750
00:48:51,520 --> 00:48:55,440
and measure how long they live if you can't compute a half life because nothing expires by
751
00:48:55,440 --> 00:49:00,320
default you're accruing permanent debt exceptions must be policy changes with TTLs anything else
752
00:49:00,320 --> 00:49:05,280
is drift wearing a badge visibility: can you produce an event lineage for a random worker from
753
00:49:05,280 --> 00:49:11,440
ready to hire to identity provisioned across systems with every decision annotated by rule and fact
754
00:49:11,440 --> 00:49:15,520
if you need four teams three exports and a war room your design is telling you the truth you're
755
00:49:15,520 --> 00:49:20,240
running archaeology not governance at scale how many capability edges exist without matching
756
00:49:20,240 --> 00:49:26,480
obligations for example people with approve offers who lack current remuneration transparency attestations
757
00:49:26,480 --> 00:49:32,480
that ratio unconstrained capability to obligation satisfied is your quietly growing blast radius
758
00:49:32,480 --> 00:49:37,680
AI will amplify it finally, friction: where does the system fail loud by design and where does it
759
00:49:37,680 --> 00:49:43,280
fail silent by convenience if your flows configure run after on failure if your processes skip when
760
00:49:43,280 --> 00:49:48,640
data is missing if your provisioning queues swallow dead letters you've optimized for green dashboards
761
00:49:48,640 --> 00:49:53,760
over truthful systems flip it fail early loudly and with a rule citation if the rule is missing
762
00:49:53,760 --> 00:49:59,680
that's the failure you want six questions three owners four measurements run it tomorrow if the
763
00:49:59,680 --> 00:50:04,880
answers hurt good that's the system introducing itself reference architecture separation of concerns
764
00:50:04,880 --> 00:50:10,480
that survives AI here's the counter model four layers each with one job no layer guesses no layer
765
00:50:10,480 --> 00:50:16,240
compensates for another and every decision cites its source layer one the policy layer this is where
766
00:50:16,240 --> 00:50:21,920
intent lives human readable machine queryable versioned like code and testable before deployment it is
767
00:50:21,920 --> 00:50:27,120
not a pdf it's a set of rules expressed in a formal syntax your systems can evaluate and your
768
00:50:27,120 --> 00:50:33,920
auditors can read scope is explicit global regional organizational precedence is explicit what wins when
769
00:50:33,920 --> 00:50:40,240
rules collide each rule has an owner a version a change log and a test suite you don't document policy
770
00:50:40,240 --> 00:50:45,040
you publish it as an artifact you can ask it questions you can run it against data and when it
771
00:50:45,040 --> 00:50:51,040
changes you know what breaks before anything ships layer two the event layer facts not workflows
772
00:50:51,040 --> 00:50:56,800
immutable append only records that describe what happened capability bundle x requested obligation
773
00:50:56,800 --> 00:51:03,520
y satisfied employee relocated from a to b device posture dropped below threshold each event
774
00:51:03,520 --> 00:51:08,480
carries rich context who when where under which attributes so the policy layer can evaluate
775
00:51:08,480 --> 00:51:13,600
obligations later without reverse engineering labels events are never implied by a stage name they
776
00:51:13,600 --> 00:51:18,640
are emitted by systems at the moment of truth and preserved with lineage if a fact is missing we
777
00:51:18,640 --> 00:51:24,560
don't infer it we fail loud and early layer three the execution layer replaceable automation subscribe
778
00:51:24,560 --> 00:51:29,600
to rules and facts orchestrations workflows and connectors live here but they do not embed policy
779
00:51:29,600 --> 00:51:34,320
they evaluate rules from the policy layer against events from the event layer and perform actions
780
00:51:34,320 --> 00:51:39,600
assign capabilities apply controls collect attestations notify humans they are stateless in principle
781
00:51:39,600 --> 00:51:44,880
and observable in practice every decision the execution layer makes includes a citation which policy
782
00:51:44,880 --> 00:51:50,320
version matched which facts if the layer can't produce a citation it doesn't act layer four the
783
00:51:50,320 --> 00:51:55,360
AI reasoning layer explanation first by design agents and copilots ask the policy layer what
784
00:51:55,360 --> 00:52:00,880
should happen ask the event layer what did happen and propose or perform actions through the execution
785
00:52:00,880 --> 00:52:07,040
layer the outputs are justified not merely plausible under policy v7 with facts a b c the required
786
00:52:07,040 --> 00:52:14,160
controls are y and z y exists z is missing recommend apply z when they decline they show their working
787
00:52:14,160 --> 00:52:20,160
policy v4 conflicts with v6 in jurisdiction k escalation required they don't hallucinate authority
788
00:52:20,160 --> 00:52:24,880
they reference it if this layer fails here's what breaks if the policy layer fails you're back to
789
00:52:24,880 --> 00:52:30,640
folklore workflows guessing intent AI guessing harder if the event layer fails you're narrating state
790
00:52:30,640 --> 00:52:36,800
rather than proving facts tests become theater if the execution layer fails you're encoding rules
791
00:52:36,800 --> 00:52:41,600
into plumbing entropy returns wearing Power Automate badges if the AI layer fails you're stuck
792
00:52:41,600 --> 00:52:46,400
with assistance that summarizes drift rather than enforcing design two crosscutting concerns bind
793
00:52:46,400 --> 00:52:52,160
the four layers into a system governance and observability governance is not a steering committee
794
00:52:52,160 --> 00:52:58,720
it's an authorization compiler policy controls tests evidence it ensures only one place to write
795
00:52:58,720 --> 00:53:03,760
intent a predictable way to generate enforcement and a standard for proving outcomes observability is
796
00:53:03,760 --> 00:53:09,520
not a dashboard it's end-to-end lineage events with chain of custody rule evaluations with inputs
797
00:53:09,520 --> 00:53:14,640
and outputs control applications with timestamps and ownership without both separation is theory
798
00:53:14,640 --> 00:53:19,280
okay so basically how does this reduce entropy it moves policy out of configuration a screening
799
00:53:19,280 --> 00:53:24,720
template can't gate eligibility the rule does a connector can't redefine a termination the event
800
00:53:24,720 --> 00:53:30,560
does a conditional access exception can't live forever the compiler emits an edge with a TTL and the
801
00:53:30,560 --> 00:53:35,840
evidence to prove it exceptions stop being just this once changes buried in setup they become policy
802
00:53:35,840 --> 00:53:41,760
changes with scope version and expiry entropy still exists it always will but it has nowhere to hide
803
00:53:41,760 --> 00:53:46,800
how does this enable AI it gives the model constraints it can cite and facts it can trust a copilot
804
00:53:46,800 --> 00:53:52,160
can answer why at decision time because the policy layer is source not suggestion it can simulate
805
00:53:52,160 --> 00:53:57,040
what if across policy versions because rules are versioned and events are immutable it can reason
806
00:53:57,040 --> 00:54:02,560
across jurisdictions because locality is data not code branches and when it acts it produces a proof
807
00:54:02,560 --> 00:54:08,560
policy clause version matched facts what about change this structure is change friendly by design
808
00:54:08,560 --> 00:54:13,280
you can update a policy run its test suite against recorded events and see the blast radius
809
00:54:13,280 --> 00:54:17,920
before rollout you can replay events under a new rule set to validate migration plans you can
810
00:54:17,920 --> 00:54:23,120
replace an execution component without altering the rules it subscribes to you can add a new AI
811
00:54:23,120 --> 00:54:27,440
capability without retraining it on drift because the truth it relies on is intentionally authored
812
00:54:27,440 --> 00:54:32,080
and consistently recorded a few hard lines keep it honest no rule without tests no action without
813
00:54:32,080 --> 00:54:37,200
a citation no event without context no exception without TTL no configuration without ownership mapped
814
00:54:37,200 --> 00:54:42,240
to intent not convenience and one more no silent failure if a fact is missing or a rule cannot be
815
00:54:42,240 --> 00:54:47,600
evaluated fail now loudly with enough detail for a human to fix policy or data green dashboards are
816
00:54:47,600 --> 00:54:52,720
not the goal truthful systems are this is separation of concerns that survives AI it's not more
817
00:54:52,720 --> 00:54:57,520
rigor for its own sake it's rigor where it belongs intent facts execution explanation distinct
818
00:54:57,520 --> 00:55:02,080
composable and observable put them in that order and the system behaves like a system keep them
819
00:55:02,080 --> 00:55:05,680
entangled and you'll keep telling life cycle stories while the control plane writes a different
820
00:55:05,680 --> 00:55:11,040
history applying the architecture in Microsoft 365 and Power Platform these are examples not
821
00:55:11,040 --> 00:55:16,720
prescriptions your stack may differ the principle holds start with the policy layer put intent where
822
00:55:16,720 --> 00:55:21,440
humans can read it and machines can query it practically that means a policy catalog in SharePoint
823
00:55:21,440 --> 00:55:26,560
or Dataverse with three non-negotiables scope version and tests scope names the jurisdiction
824
00:55:26,560 --> 00:55:31,680
and organizational unit version is immutable once published tests are executable examples
825
00:55:31,680 --> 00:55:36,480
given facts x and y the expected outcome is z use Dataverse tables for policy entities
826
00:55:36,480 --> 00:55:41,440
capability rules obligation rules precedence tables and expose them with a simple model driven
827
00:55:41,440 --> 00:55:46,160
app for authorship and review the catalog is not a wiki it's a rules registry with ownership and
828
00:55:46,160 --> 00:55:52,000
change control Purview can hold the life cycle policy around the registry itself retention access
829
00:55:52,000 --> 00:55:57,520
and lineage of changes now the event layer facts not workflows use Dataverse or Fabric to ingest
830
00:55:57,520 --> 00:56:03,520
and store immutable events with rich context from D365 HR or Workday don't map stages emit events
831
00:56:03,520 --> 00:56:09,200
like candidate passed screen v2 with timestamps actor jurisdiction role and attributes from Success
832
00:56:09,200 --> 00:56:14,960
Factors emit leave granted under policy x from Entra emit capability edge assigned conditional
833
00:56:14,960 --> 00:56:21,200
access applied exception created with TTL and justification standardize a minimal envelope event
834
00:56:21,200 --> 00:56:26,320
name version actor subject attributes correlation ID store the stream in data verse for operational
835
00:56:26,320 --> 00:56:30,480
subscribers and mirror it into Fabric for analytics and replay Purview registers the domains
836
00:56:30,480 --> 00:56:37,040
and tracks lineage across sources execution subscribes Power Automate flows Logic Apps or Functions
837
00:56:37,040 --> 00:56:42,160
listen to events query the policy API evaluate then act assign capability bundles trigger
838
00:56:42,160 --> 00:56:47,920
attestations apply Entra group or app role changes open a case but execution does not embed rules
839
00:56:47,920 --> 00:56:54,080
every decision carries a citation policy ID version and the facts used if a required fact is missing
840
00:56:54,080 --> 00:56:58,400
fail loud post to a Teams incident channel with the policy reference and the missing attribute
841
00:56:58,400 --> 00:57:05,200
don't configure run after and keep the path green alarm is mandatory managed solutions source control
842
00:57:05,200 --> 00:57:10,720
for flow definitions and automated tests that run on every change flows are subscribers and transport
843
00:57:10,720 --> 00:57:16,320
not the brain identity is the enforcement graph treat Entra as a compiler target generate dynamic
844
00:57:16,320 --> 00:57:21,360
group queries access packages and conditional access artifacts from the policy layer not from the
845
00:57:21,360 --> 00:57:26,960
portal use Entra entitlement management for capability bundles each package maps to a named
846
00:57:26,960 --> 00:57:32,480
capability set with eligibility derived from policy approvals constrained by obligation rules
847
00:57:32,480 --> 00:57:38,400
and TTL enforced by default PIM enforces elevation windows justification fields reference
848
00:57:38,400 --> 00:57:43,680
policy IDs approvers are bound to roles in the policy registry not ad hoc names exceptions are first
849
00:57:43,680 --> 00:57:49,600
class they're records in the policy catalog with scope and expiry compiled into Entra as time bound
850
00:57:49,600 --> 00:57:54,720
edges and surfaced in Purview as high sensitivity artifacts with reviewers and audit schedules
851
00:57:54,720 --> 00:57:59,520
evidence is not an export it's the byproduct of the system doing its job every time execution
852
00:57:59,520 --> 00:58:04,560
applies a control it emits control applied with the policy citation and the Entra object IDs
853
00:58:04,560 --> 00:58:09,840
affected every time an obligation is satisfied it emits obligation satisfied with the rule and
854
00:58:09,840 --> 00:58:14,640
the evidence artifact link Fabric consumes these streams for dashboards that matter capability
855
00:58:14,640 --> 00:58:21,040
assignment accuracy obligation satisfaction rate exception half life identity drift delta without
856
00:58:21,040 --> 00:58:26,240
scraping logs Purview holds the catalog of evidence with lineage from source events through rule
857
00:58:26,240 --> 00:58:31,680
evaluation to control application observability binds this together use Application Insights or your
858
00:58:31,680 --> 00:58:37,120
SIEM to capture rule evaluations as traces policy version inputs outcome and subscriber actions
859
00:58:37,120 --> 00:58:42,400
when something goes wrong you don't parse flow histories hoping to infer intent you read the trace
860
00:58:42,400 --> 00:58:47,760
that shows which rule missed whether because a fact was absent or a conflict existed health
861
00:58:47,760 --> 00:58:54,160
isn't no failure health is failures are early loud and attributable how does M365 help the AI layer
862
00:58:54,160 --> 00:58:58,960
Copilot Studio lets you build agents that don't hallucinate authority point agents to the policy
863
00:58:58,960 --> 00:59:03,840
API not to handbooks give them a read only view of the event stream and the evidence catalog when they
864
00:59:03,840 --> 00:59:09,440
propose an action assign a bundle request an attestation they attach the policy citation automatically
865
00:59:09,440 --> 00:59:14,320
when they decline they cite conflicts their power comes from constraints governance is the authorization
866
00:59:14,320 --> 00:59:20,480
compiler in practice a small service Function App API Management or a Power Platform custom connector
867
00:59:20,480 --> 00:59:25,840
takes policies compiles controls emits tests and publishes artifacts change in policy triggers test
868
00:59:25,840 --> 00:59:31,760
runs against recorded events in Fabric failures block release exceptions are requested through a Power
869
00:59:31,760 --> 00:59:38,000
App approved per policy encoded with TTL compiled and constantly reported no temporary connector tweak
870
00:59:38,000 --> 00:59:43,440
survives without a clock one hard line no silent workarounds if a flow must default a value to pass
871
00:59:43,440 --> 00:59:47,840
an API that default is a policy change with scope and expiry not a mapping trick if a country pack
872
00:59:47,840 --> 00:59:52,320
requires a special rule that's a policy record with jurisdiction not a hidden branch if an identity
873
00:59:52,320 --> 00:59:58,080
edge persists that's a missed TTL not we forgot the tools are familiar the discipline is new put intent
874
00:59:58,080 --> 01:00:02,640
where it belongs facts where they can't be argued with execution where it can be replaced and
875
01:00:02,640 --> 01:00:07,040
explanation where the decision happens then your Microsoft stack stops telling stories and starts
876
01:00:07,040 --> 01:00:13,600
behaving like a system governance reframe HR owns intent platforms execute governance fails when
877
01:00:13,600 --> 01:00:18,960
ownership is vague so draw the line where the system actually changes HR owns intent platforms execute
878
01:00:18,960 --> 01:00:24,800
security constraints compliance verifies identity enforces each role has one job with artifacts that
879
01:00:24,800 --> 01:00:31,120
prove it start with HR owns intent means HR defines capability catalogs and obligation rules in a
880
01:00:31,120 --> 01:00:36,800
policy layer human readable machine queryable scoped versioned and testable HR does not diagram workflows
881
01:00:36,800 --> 01:00:43,360
to make it so HR publishes rules that say what must be true who is in scope what takes precedence
882
01:00:43,360 --> 01:00:48,800
and when exceptions expire if a rule cannot be read aloud to an auditor and compiled into controls
883
01:00:48,800 --> 01:00:54,560
it is not policy it's a meeting note platforms execute that means engineering administrators and
884
01:00:54,560 --> 01:00:59,280
integrators build compilers subscribers and evidence pipelines that turn policy into enforcement
885
01:00:59,280 --> 01:01:04,000
and facts into lineage they do not interpret intent they evaluate rules against events and apply
886
01:01:04,000 --> 01:01:09,200
controls emitting decision time citations by default the platform team success is measured by
887
01:01:09,200 --> 01:01:14,720
replaceability and observability can any component be swapped without losing policy fidelity
888
01:01:14,720 --> 01:01:20,080
and can every decision produce a proof without a war room security constraints they define risk
889
01:01:20,080 --> 01:01:24,640
postures global guardrails and precedence models that limit what any policy may demand they don't
890
01:01:24,640 --> 01:01:29,200
write hr policy they bound it they choose the cryptographic strength the session lifetimes the
891
01:01:29,200 --> 01:01:34,560
device requirements the break glass doctrine the default deny when policy and security collide
892
01:01:34,560 --> 01:01:39,840
the precedence is explicit versioned and testable security is not a veto in email it is a constraint in
893
01:01:39,840 --> 01:01:44,400
code compliance verifies they don't write policy or workflows they validate that rules exist that
894
01:01:44,400 --> 01:01:49,040
they are versioned that tests cover obligations and that evidence is generated at decision time
895
01:01:49,040 --> 01:01:54,160
with chain of custody their questions are simple where is the rule where are the facts where is
896
01:01:54,160 --> 01:01:59,520
the proof if the answer is in a path name or in a flow run the verdict is drift identity
897
01:01:59,520 --> 01:02:05,520
enforces Entra is the control plane that converts compiled policy into edges groups roles access
898
01:02:05,520 --> 01:02:11,520
packages conditional access identity is accountable to the policy layer and visible to compliance
899
01:02:11,520 --> 01:02:16,640
it is not downstream of HR narratives it is downstream of compiled rules any entitlement without a
900
01:02:16,640 --> 01:02:22,800
policy citation and TTL is a defect not a convenience align incentives to these roles HR is measured
901
01:02:22,800 --> 01:02:28,000
by policy coverage clarity and change half-life how long exceptions live before being codified or
902
01:02:28,000 --> 01:02:33,840
retired platforms are measured by time to proof not time to green by rule evaluation latency and
903
01:02:33,840 --> 01:02:38,720
trace completeness not dashboard vanity security is measured by conflict detection and blast radius
904
01:02:38,720 --> 01:02:43,840
simulations before production not severity of advisories after incidents compliance is measured by
905
01:02:43,840 --> 01:02:48,960
audit throughput with fewer escalations because proofs are generated not reconstructed identity is
906
01:02:48,960 --> 01:02:53,360
measured by drift delta and exception half-life not ticket closure translate this into working
907
01:02:53,360 --> 01:02:58,560
agreements no rule without tests no execution without citation no exception without TTL and owner
908
01:02:58,560 --> 01:03:03,440
no configuration without mapped intent no silent failures if a platform needs a default to pass
909
01:03:03,440 --> 01:03:08,880
an API policy must say so if a country requires a local step the rule must declare scope if an
910
01:03:08,880 --> 01:03:14,160
exception is necessary it lives in the policy registry with expiry not in a connector if a system
911
01:03:14,160 --> 01:03:19,280
cannot produce a proof it cannot act distribute ownership where entropy starts HR authors the
912
01:03:19,280 --> 01:03:24,960
capability catalog named bundles with risk postures and prerequisite obligations security
913
01:03:24,960 --> 01:03:31,200
approves global constraints session device location platforms expose a policy API and compile artifacts
914
01:03:31,200 --> 01:03:36,800
identity consumes compiled outputs no portal heroics compliance enforces change control on the policy
915
01:03:36,800 --> 01:03:42,000
registry and the compiler not on templated workflows if someone asks who changes hiring stages
916
01:03:42,000 --> 01:03:46,400
the answer is nobody stages don't carry policy anymore replace committees with compilers
917
01:03:46,400 --> 01:03:51,040
governance is not monthly steering it's automated gates a policy change runs tests against recorded
918
01:03:51,040 --> 01:03:56,720
events failures block release a compiler change runs static checks for control equivalence
919
01:03:56,720 --> 01:04:02,480
deviations require security sign off an exception request is a record with scope TTL and reviewer
920
01:04:02,480 --> 01:04:08,160
the compiler emits the edge and the evidence automatically reports are streams not spreadsheets move
921
01:04:08,160 --> 01:04:13,680
escalation out of inboxes when a conflict arises global versus local security versus HR the precedence
922
01:04:13,680 --> 01:04:18,640
rule executes produces a denial with citations and opens a case that references both rules
923
01:04:18,640 --> 01:04:23,840
and the failing facts humans adjudicate policy not plumbing remediation is a rule added not a flow
924
01:04:23,840 --> 01:04:30,160
tweak write one last sentence on the wall where people can see it HR owns policy intent platforms
925
01:04:30,160 --> 01:04:35,600
execute everything else is entropy generators arguing over whose template matters anonymized failure
926
01:04:35,600 --> 01:04:41,040
modes composite scenarios you already recognize large enterprise transfer on paper it's simple a
927
01:04:41,040 --> 01:04:46,400
senior analyst moves from business unit A to business unit B same country similar role in Workday
928
01:04:46,400 --> 01:04:51,760
the transfer triggers two clones of the global mobility process one harmonized one legacy the
929
00:54:51,760 --> 00:54:56,720
BU never retired the harmonized process checks a calculated field that routes high risk finance roles
930
01:04:56,720 --> 01:05:02,480
to a second approver the legacy clone encodes the same intent as a validation on compensation grade
931
01:05:02,480 --> 01:05:07,440
the analyst job profile changed the grade didn't HR thinks the second approver occurred because
932
01:05:07,440 --> 01:05:12,560
the path turned green it didn't in Entra capability bundles recompute via dynamic groups tied to
933
01:05:12,560 --> 01:05:17,440
department and location one group is policy compiled the other is a hand-built artifact from last
934
01:05:17,440 --> 01:05:23,040
year's reorg Conditional Access sees both claims so the analyst now has ledger query and contract
935
01:05:23,040 --> 01:05:28,080
approval two edges never intended together evidence exists everywhere explanation exists nowhere
936
01:05:28,080 --> 01:05:34,080
global jurisdictional conflict a manager in Germany relocates to Ontario mid-year SuccessFactors
937
01:05:34,080 --> 01:05:38,720
time off schemas grant parental leave under a German pack that encodes a waiting period
938
01:05:38,720 --> 01:05:43,280
Ontario requires an immediate entitlement with different accrual math the relocation event was
939
01:05:43,280 --> 01:05:47,920
emitted as a stage change in HR not as an immutable fact with jurisdictional scope the localized
940
01:05:47,920 --> 01:05:53,200
Canadian flow patched the waiting period six months ago the international assignment urgent variant
941
01:05:53,200 --> 01:05:57,760
removed the attestation step during the pandemic and never restored it payroll runs two different
942
01:05:57,760 --> 01:06:03,360
eligibility checks keyed to country code in different places one in a business rule catalog one in a
943
01:06:03,360 --> 01:06:08,800
pick list mapping so accruals start under one interpretation and retroactively adjust under another
944
01:06:08,800 --> 01:06:13,200
meanwhile the company's global retention policy expects disciplinary records to persist
945
01:06:13,200 --> 01:06:19,040
three years Germany's country pack forks a data retention sub-process that purges certain categories
946
01:06:19,040 --> 01:06:24,320
earlier analytics compensate with derived fields to keep dashboards consistent an investigation
947
01:06:24,320 --> 01:06:30,080
arrives later evidence is gone by design local compliance passed global coherence didn't exist
948
01:06:30,080 --> 01:06:35,920
M&A identity merge two directories two HR systems one deal timeline the integration team maps
949
01:06:35,920 --> 01:06:41,040
titles departments and locations they don't map capability bundles because those don't exist as
950
01:06:41,040 --> 01:06:46,800
first class artifacts entitlement reconciliation happens via access like Sam direct app role assignments
951
01:06:46,800 --> 01:06:51,760
copied by script to speed day one productivity privileged identity management approvals reference
952
01:06:51,760 --> 01:06:57,280
old org charts approvals rubber stamp at odd hours to meet cutovers Conditional Access baselines
953
01:06:57,280 --> 01:07:03,440
collide one tenant whitelisted data centers during a vendor issue the other relies on device compliance
954
01:07:03,440 --> 01:07:07,680
a shadow trusted location remains in a test policy duplicated for temporary relief
955
01:07:08,320 --> 01:07:13,280
three months later a terminated contractor still has access through a service principal assigned to
956
01:07:13,280 --> 01:07:18,080
a project finance group that migrated as a dynamic group with a stale query HR shows a clean
957
01:07:18,080 --> 01:07:23,280
termination date Entra shows token claims compliance shows an audit trail of approvals none of them
958
01:07:23,280 --> 01:07:28,400
show policy that would have prevented the edge seasonal hiring surge recruiting spins up Power
959
01:07:28,400 --> 01:07:33,680
Automate flows to bulk post job ads and orchestrate ready to hire a pagination change in a connector
960
01:07:33,680 --> 01:07:38,960
silently stops posting in two regions the hiring team assumes low interest and manually duplicates
961
01:07:38,960 --> 01:07:44,640
requisitions in the portal now duplicate candidates land in Dataverse with slight profile differences
962
01:07:44,640 --> 01:07:49,360
a ready to hire orchestrator fills a mandatory field for one jurisdiction with a default to keep
963
01:07:49,360 --> 01:07:54,880
the pipeline moving benefits eligibility is wrong for an entire cohort until Q3 to reduce churn
964
01:07:54,880 --> 01:08:00,560
a flow filters out inactive updates during transfer bursts terminations at 5 p.m. miss
965
01:08:00,560 --> 01:08:05,840
the window and persist access overnight the exception group created for seasonal supervisors has a TTL
966
01:08:05,840 --> 01:08:11,920
of 14 days nobody owns the queue that renews them in October a break glass account's password rotated
967
01:08:11,920 --> 01:08:17,120
its app secret didn't incidents are unusual only to people who don't read run histories
968
01:08:17,120 --> 01:08:22,720
remediation sprint after incident leadership declares one global process and no local clones
969
01:08:22,720 --> 01:08:26,400
implementation parameterizes a master flow with country flags
970
01:08:27,040 --> 01:08:32,800
and embeds the rule differences behind those flags the facade is clean the logic is still fragmented
971
01:08:32,800 --> 01:08:37,840
a center of excellence controls business process edits and condition rule libraries
972
01:08:37,840 --> 01:08:42,720
backlogs grow local teams deliver central templates with just a few variations
973
01:08:42,720 --> 01:08:47,040
exceptions become email approvals with file attachments that nobody re encodes as policy
974
01:08:47,040 --> 01:08:53,440
the compiler concept is discussed instead the team publishes a Confluence page with rules
975
01:08:53,440 --> 01:08:58,720
by country and calls it a corpus AI pilots are announced Copilot summarizes the page and
976
01:08:58,720 --> 01:09:04,000
proposes actions consistent with history not with intent everyone agrees adoption is recommendation
977
01:09:04,000 --> 01:09:10,080
only until comfort grows comfort never grows because nothing changed where it mattered the point
978
01:09:10,080 --> 01:09:16,000
of these scenarios isn't drama it's inevitability transfers multiply graphs jurisdictions multiply
979
01:09:16,000 --> 01:09:22,480
forks mergers multiply histories surges multiply glue remediation multiplies facades if policy
980
01:09:22,480 --> 01:09:28,560
lives in workflows labels and connectors AI will mirror drift not meaning and your control plane
981
01:09:28,560 --> 01:09:34,480
will keep writing history faster than your narrative can catch it immediate moves 90 day
982
01:09:34,480 --> 01:09:39,360
repayments on architectural debt none of this requires new tools you already have everything you need
983
01:09:39,360 --> 01:09:46,240
days 1 to 15 inventory intent stand up a lightweight policy catalog in SharePoint or Dataverse with
984
01:09:46,240 --> 01:09:52,400
three required fields per entry scope version owner seated with five obligations and five capability
985
01:09:52,400 --> 01:09:58,000
bundles you actually enforce for each add two executable tests given facts expect outcome stop after
986
01:09:58,000 --> 01:10:04,960
10 depth beats volume in parallel instrument facts pick three life cycle events and emit them
987
01:10:04,960 --> 01:10:11,040
as immutable records capability bundle assigned an obligation satisfied identity edge removed
988
01:10:11,040 --> 01:10:17,360
etc. include timestamps subject jurisdiction and correlation IDs pipe to Dataverse now mirror
989
01:10:17,360 --> 01:10:23,280
to Fabric later days 16 to 30 pull policy out of plumbing choose one noisy flow strip embedded rules
990
01:10:23,280 --> 01:10:29,280
replace with subscribe to event query policy API start with a simple table act side rule version
991
01:10:29,280 --> 01:10:35,120
emit control applied fail loud on missing facts merge via ALM not the portal identity pick one
992
01:10:35,120 --> 01:10:41,280
capability bundle generate Entra artifacts from the catalog dynamic groups access package PIM settings
993
01:10:41,280 --> 01:10:46,480
with a default TTL for exceptions add a weekly job that reports exceptions approaching expiry
994
01:10:46,480 --> 01:10:52,800
do not auto renew days 31 to 60 establish precedence and drift detection write one precedence rule
995
01:10:52,800 --> 01:10:58,640
global versus local beats email threads forever add a reconciliation job that compares HR worker truth
996
01:10:58,640 --> 01:11:03,520
Entra access truth and evidence truth for a random cohort report disagreements with a named winner
997
01:11:03,520 --> 01:11:10,160
and a link to policy observability add rule evaluation traces to Application Insights policy ID
998
01:11:10,160 --> 01:11:15,920
inputs outcome subscriber build a simple Fabric dashboard capability accuracy obligation
999
01:11:15,920 --> 01:11:22,560
satisfaction exception half life identity drift delta days 61 to 90 make it default require a policy
1000
01:11:22,560 --> 01:11:28,160
citation for any new entitlement require TTL for any exception require tests for any policy change
1001
01:11:28,160 --> 01:11:34,240
turn on fail fast in flows no configure run after hiding red paths publish a standing rule no configuration
1002
01:11:34,240 --> 01:11:41,120
without mapped intent enforce with pull requests not pep talks the takeaway life cycles are stories
1003
01:11:41,120 --> 01:11:46,720
systems need contracts intent as rules facts as events identity as the enforcement graph if you want
1004
01:11:46,720 --> 01:11:52,080
autonomy that cites policy not history start the 90 day repayment today subscribe for the deep dive
1005
01:11:52,080 --> 01:11:56,320
on the authorization compiler next and share this with the person still fixing flows instead of
1006
01:11:56,320 --> 01:11:58,480
moving policy out of them