1
00:00:00,000 --> 00:00:01,680
This isn't about whether co-pilot works.

2
00:00:01,680 --> 00:00:03,720
It does. This is about what it quietly dissolves.

3
00:00:03,720 --> 00:00:05,200
We can measure acceleration.

4
00:00:05,200 --> 00:00:06,480
We have dashboards for it.

5
00:00:06,480 --> 00:00:07,900
We celebrate it in release notes.

6
00:00:07,900 --> 00:00:09,360
Architectural erosion is different.

7
00:00:09,360 --> 00:00:11,040
It doesn't show up as an error.

8
00:00:11,040 --> 00:00:12,840
It shows up when controls still exist,

9
00:00:12,840 --> 00:00:14,800
but stop meaning what we think they mean.

10
00:00:14,800 --> 00:00:17,240
Today we'll talk about Dynamics 365 co-pilot,

11
00:00:17,240 --> 00:00:19,280
not as a feature or productivity boost,

12
00:00:19,280 --> 00:00:21,840
but as a force acting on enterprise architecture.

13
00:00:21,840 --> 00:00:24,120
Carmly, clinically, without hype.

14
00:00:24,120 --> 00:00:26,520
Because erosion doesn't announce itself, it waits

15
00:00:26,520 --> 00:00:29,520
until the audit, the incident, or the headline.

16
00:00:29,520 --> 00:00:31,000
Framing the conversation.

17
00:00:31,000 --> 00:00:33,080
Let's be clear about what this episode is not.

18
00:00:33,080 --> 00:00:35,320
This is not a rant. This is not fear-selling.

19
00:00:35,320 --> 00:00:38,240
And it isn't a dismissal of Microsoft's engineering capability.

20
00:00:38,240 --> 00:00:39,960
Microsoft has built something impressive.

21
00:00:39,960 --> 00:00:42,520
Co-pilot accelerates work. It reduces friction,

22
00:00:42,520 --> 00:00:44,160
but acceleration is not a neutral force.

23
00:00:44,160 --> 00:00:46,400
In physics, sustained force doesn't just create motion.

24
00:00:46,400 --> 00:00:47,520
It creates stress.

25
00:00:47,520 --> 00:00:49,240
When you increase throughput in the system,

26
00:00:49,240 --> 00:00:51,560
you also increase the load on its joints.

27
00:00:51,560 --> 00:00:53,680
The place is where policy meets behavior,

28
00:00:53,680 --> 00:00:55,440
where documentation meets workflow,

29
00:00:55,440 --> 00:00:57,800
where controls meet the reality of execution.

30
00:00:57,800 --> 00:01:00,760
In organizations, that stress appears as architectural erosion.

31
00:01:00,760 --> 00:01:01,760
Not failure, erosion.

32
00:01:01,760 --> 00:01:02,920
The controls are still there.

33
00:01:02,920 --> 00:01:04,680
The dashboards light up green.

34
00:01:04,680 --> 00:01:07,760
But the behavior that once conform to those controls no longer does.

35
00:01:07,760 --> 00:01:11,200
So the question isn't, does co-pilot help people move faster?

36
00:01:11,200 --> 00:01:13,640
The question is, what assumptions does it quietly invalidate

37
00:01:13,640 --> 00:01:14,440
while it does?

38
00:01:14,440 --> 00:01:16,600
Most organizations treat co-pilot like a tool

39
00:01:16,600 --> 00:01:18,680
that lives inside a single app surface.

40
00:01:18,680 --> 00:01:20,080
Architecturally, it's something else.

41
00:01:20,080 --> 00:01:21,840
A distributed decision engine that

42
00:01:21,840 --> 00:01:24,840
composes actions across dynamics, graph, power, automate,

43
00:01:24,840 --> 00:01:26,320
outlook, and teams.

44
00:01:26,320 --> 00:01:28,480
Your policies are written for discrete systems.

45
00:01:28,480 --> 00:01:29,960
Co-pilot operates across them.

46
00:01:29,960 --> 00:01:31,080
That distinction matters.

47
00:01:31,080 --> 00:01:32,640
Everything clicked when I stopped asking,

48
00:01:32,640 --> 00:01:34,360
is the user allowed to do this?

49
00:01:34,360 --> 00:01:38,200
And started asking, what composite identity actually executed this?

50
00:01:38,200 --> 00:01:39,800
Most enterprises don't have an answer.

51
00:01:39,800 --> 00:01:42,400
They have logs of effects, not lineage of causes,

52
00:01:42,400 --> 00:01:44,000
they have approvals, not knowledge.

53
00:01:44,000 --> 00:01:46,640
They have security models designed for humans acting locally

54
00:01:46,640 --> 00:01:48,920
and they now run agents acting globally.

55
00:01:48,920 --> 00:01:51,280
The result isn't a breach or a misconfiguration.

56
00:01:51,280 --> 00:01:51,880
It's drift.

57
00:01:51,880 --> 00:01:54,320
It's the slow conversion of deterministic governance

58
00:01:54,320 --> 00:01:57,600
into a probabilistic one, conditional chaos with nice UI.

59
00:01:57,600 --> 00:01:59,080
If that sounds abstract, we'll

60
00:01:59,080 --> 00:02:01,480
ground it in the places where erosion hides,

61
00:02:01,480 --> 00:02:05,040
the decision points that used to be human, slow, and accountable.

62
00:02:05,040 --> 00:02:08,240
Finance approvals credit risk overrides, procurement choices,

63
00:02:08,240 --> 00:02:09,240
customer concessions.

64
00:02:09,240 --> 00:02:11,000
These are the joints that carry load.

65
00:02:11,000 --> 00:02:13,080
This is where stress accumulates first.

66
00:02:13,080 --> 00:02:15,280
The four scenarios that quietly reshape control.

67
00:02:15,280 --> 00:02:16,160
Why these domains?

68
00:02:16,160 --> 00:02:19,080
Because business logic, compliance, and human accountability

69
00:02:19,080 --> 00:02:20,000
intersect here.

70
00:02:20,000 --> 00:02:21,360
You won't see erosion in a demo.

71
00:02:21,360 --> 00:02:24,400
You see it in finance, month end, indisputed receivables,

72
00:02:24,400 --> 00:02:27,360
in sourcing audits, in customer recovery budgets.

73
00:02:27,360 --> 00:02:31,080
Let's walk through four concrete dynamics, 365 cases,

74
00:02:31,080 --> 00:02:34,440
and watch what stays the same and what becomes hollow.

75
00:02:34,440 --> 00:02:36,920
Invoice approval on the surface, this looks harmless.

76
00:02:36,920 --> 00:02:40,120
Copilot summarizes invoices, highlights anomalies,

77
00:02:40,120 --> 00:02:42,720
recommends approval, and triggers a workflow.

78
00:02:42,720 --> 00:02:44,880
Same approval path, same audit record.

79
00:02:44,880 --> 00:02:47,840
But the human approver isn't evaluating raw data anymore.

80
00:02:47,840 --> 00:02:49,800
They're validating a compressed narrative.

81
00:02:49,800 --> 00:02:51,720
Fields were selected, weighted, and framed

82
00:02:51,720 --> 00:02:53,280
before the approver even saw them.

83
00:02:53,280 --> 00:02:54,320
The controls still exist.

84
00:02:54,320 --> 00:02:55,800
The signature still happens.

85
00:02:55,800 --> 00:02:58,000
But the Epistemic Foundation, what the approver actually

86
00:02:58,000 --> 00:02:59,400
knows, has shifted.

87
00:02:59,400 --> 00:03:00,480
That isn't automation.

88
00:03:00,480 --> 00:03:01,600
It's mediation.

89
00:03:01,600 --> 00:03:03,680
Over time, approval quality correlates

90
00:03:03,680 --> 00:03:06,200
with narrative quality, not signal quality.

91
00:03:06,200 --> 00:03:08,480
You don't notice until variance titans and outliers

92
00:03:08,480 --> 00:03:09,440
slip through.

93
00:03:09,440 --> 00:03:10,600
Credit hold release.

94
00:03:10,600 --> 00:03:12,240
Here, the blast radius expands.

95
00:03:12,240 --> 00:03:14,600
Copilot evaluates history, payment trends,

96
00:03:14,600 --> 00:03:17,520
open disputes, and recommends overriding a credit hold.

97
00:03:17,520 --> 00:03:19,400
Historically, these exceptions were rare,

98
00:03:19,400 --> 00:03:21,680
deliberate, and heavily scrutinized.

99
00:03:21,680 --> 00:03:24,000
Now they arrive as contextual suggestions accepted

100
00:03:24,000 --> 00:03:26,680
with a click, seasonality, partial histories,

101
00:03:26,680 --> 00:03:29,200
and dispute metadata collapse into a single confidence

102
00:03:29,200 --> 00:03:30,240
statement.

103
00:03:30,240 --> 00:03:31,560
The control didn't disappear.

104
00:03:31,560 --> 00:03:32,680
Human friction did.

105
00:03:32,680 --> 00:03:33,920
That changed the baseline.

106
00:03:33,920 --> 00:03:36,320
The downstream impact touches revenue recognition,

107
00:03:36,320 --> 00:03:38,480
cash forecasting, and sales compensation.

108
00:03:38,480 --> 00:03:40,200
You'll see the change in your comp disputes

109
00:03:40,200 --> 00:03:42,400
before you see it in your risk model.

110
00:03:42,400 --> 00:03:43,880
Procurement vendor selection.

111
00:03:43,880 --> 00:03:46,280
Copilot compares vendors across opaque waitings

112
00:03:46,280 --> 00:03:49,360
and filtered sources, then surfaces preferred options.

113
00:03:49,360 --> 00:03:52,240
After what ask, which data sources mattered most,

114
00:03:52,240 --> 00:03:54,720
which dimensions were overweighted, which suppliers were

115
00:03:54,720 --> 00:03:56,560
filtered out for missing enrichment,

116
00:03:56,560 --> 00:03:58,480
the recommendation performs neutrality.

117
00:03:58,480 --> 00:03:59,800
The lineage is implicit.

118
00:03:59,800 --> 00:04:03,360
Policy intent, diversity targets, ESG factors,

119
00:04:03,360 --> 00:04:06,720
concentration caps, turns into tool mediated scoring.

120
00:04:06,720 --> 00:04:09,960
Reports show policy compliance, but supplier concentration

121
00:04:09,960 --> 00:04:11,320
risk increases.

122
00:04:11,320 --> 00:04:12,920
The misalignment isn't in the outcome.

123
00:04:12,920 --> 00:04:15,560
It's in the invisible waiting that produced it.

124
00:04:15,560 --> 00:04:17,320
Customer service case resolution.

125
00:04:17,320 --> 00:04:20,040
Copilot drafts responses, proposes refunds,

126
00:04:20,040 --> 00:04:21,560
suggests goodwill credits.

127
00:04:21,560 --> 00:04:22,560
Who made the decision?

128
00:04:22,560 --> 00:04:25,520
The agent, the model, the workflow designer,

129
00:04:25,520 --> 00:04:28,440
the policy author, ownership diffuses.

130
00:04:28,440 --> 00:04:30,800
Escalation thresholds soften because more actions

131
00:04:30,800 --> 00:04:33,440
get resolved at lower levels with higher variance.

132
00:04:33,440 --> 00:04:35,480
Benevolence defaults emerge.

133
00:04:35,480 --> 00:04:40,320
Goodwill, when unsure, partial credits, when confidence dips.

134
00:04:40,320 --> 00:04:42,640
Unmodeled edge cases quietly leak value.

135
00:04:42,640 --> 00:04:45,440
Repeat abusers stacked concessions across channels,

136
00:04:45,440 --> 00:04:47,720
compounding credits with no unified view.

137
00:04:47,720 --> 00:04:49,440
Audit shows definitive event logs.

138
00:04:49,440 --> 00:04:50,920
Decision causality isn't there.

139
00:04:50,920 --> 00:04:52,880
You can see what happened, not why.

140
00:04:52,880 --> 00:04:55,160
In all four, the control exists.

141
00:04:55,160 --> 00:04:58,240
Approvals recorded, workflows fired, audit trails intact.

142
00:04:58,240 --> 00:05:00,480
What's missing is lineage of inputs, waiting,

143
00:05:00,480 --> 00:05:01,640
and decision authorship.

144
00:05:01,640 --> 00:05:03,560
That's architectural erosion.

145
00:05:03,560 --> 00:05:05,000
The joints are still present.

146
00:05:05,000 --> 00:05:07,600
They're no longer carrying the load you think they are.

147
00:05:07,600 --> 00:05:10,120
Scenario one, invoice approval.

148
00:05:10,120 --> 00:05:12,320
When validation becomes mediation.

149
00:05:12,320 --> 00:05:15,600
Invoice approval controls were built for a simple model.

150
00:05:15,600 --> 00:05:18,400
A human looks at structured fields, applies thresholds

151
00:05:18,400 --> 00:05:21,720
in policy, and takes responsibility for the decision.

152
00:05:21,720 --> 00:05:23,720
Copilot changes none of those artifacts.

153
00:05:23,720 --> 00:05:24,920
The approver still approves.

154
00:05:24,920 --> 00:05:26,200
The workflow still roots.

155
00:05:26,200 --> 00:05:28,920
The audit still captures who, when, and what object.

156
00:05:28,920 --> 00:05:32,200
Architecturally, it changes to substrate the human stands on.

157
00:05:32,200 --> 00:05:35,160
OK, so basically, the approver no longer inspects signal.

158
00:05:35,160 --> 00:05:36,600
They validate a story.

159
00:05:36,600 --> 00:05:38,680
Copilot ingests lines, vendors, terms,

160
00:05:38,680 --> 00:05:42,480
PO match status, receipt variances, tax treatments, and historical behavior.

161
00:05:42,480 --> 00:05:46,680
It extracts highlights, ranks, anomalies, and produces a narrative

162
00:05:46,680 --> 00:05:48,160
with a recommended action.

163
00:05:48,160 --> 00:05:49,760
That narrative is the new interface.

164
00:05:49,760 --> 00:05:52,880
Think of it like a view model for risk, pre-selected fields,

165
00:05:52,880 --> 00:05:55,480
pre-weighted features, a compressed explanation.

166
00:05:55,480 --> 00:05:59,520
The human's job shifts from decision author to narrative validator.

167
00:05:59,520 --> 00:06:00,440
Here's the weird part.

168
00:06:00,440 --> 00:06:04,040
The control still fires, but the knowledge behind it becomes probabilistic.

169
00:06:04,040 --> 00:06:08,080
What the approver actually knows is bounded by what the narrative chose to show,

170
00:06:08,080 --> 00:06:10,360
which line variances were ignored as noise,

171
00:06:10,360 --> 00:06:13,520
which suppliers were deemphasized because their enrichment was sparse,

172
00:06:13,520 --> 00:06:16,440
which three-way match exceptions were reframed as resolved

173
00:06:16,440 --> 00:06:18,360
because a confidence threshold tipped.

174
00:06:18,360 --> 00:06:19,880
You won't see that in the approval form.

175
00:06:19,880 --> 00:06:22,800
You'll see a clean recommendation with a confidence band in a button.

176
00:06:22,800 --> 00:06:25,280
In other words, validation becomes mediation.

177
00:06:25,280 --> 00:06:28,440
The system mediates between raw signal and human judgment,

178
00:06:28,440 --> 00:06:31,680
and in doing so, it redefines what review means.

179
00:06:31,680 --> 00:06:34,800
Over time, approvers begin to correlate with narrative quality,

180
00:06:34,800 --> 00:06:36,640
not underlying data quality.

181
00:06:36,640 --> 00:06:39,560
If the summary is coherent and the anomalies look tidy,

182
00:06:39,560 --> 00:06:41,160
approval probability rises.

183
00:06:41,160 --> 00:06:44,640
If the language is cautious and the highlights feel messy, deferral rises,

184
00:06:44,640 --> 00:06:48,040
even when the raw signals are the same, that distinction matters.

185
00:06:48,040 --> 00:06:49,320
Let's make it concrete.

186
00:06:49,320 --> 00:06:53,520
An invoice arrives with a 2.9% variance on a high volume SKU,

187
00:06:53,520 --> 00:06:57,640
a late receipt entry, and a supplier known for seasonal discounts.

188
00:06:57,640 --> 00:06:58,960
Copilot presents,

189
00:06:58,960 --> 00:07:01,600
minor variance within historical tolerance,

190
00:07:01,600 --> 00:07:02,880
late receipt resolved,

191
00:07:02,880 --> 00:07:04,960
supplier discount pattern consistent,

192
00:07:04,960 --> 00:07:06,120
recommend a proof.

193
00:07:06,120 --> 00:07:08,600
The approver faced with dozens of these accepts.

194
00:07:08,600 --> 00:07:12,240
A week later, the model version and retrieval context shift.

195
00:07:12,240 --> 00:07:15,080
The same statistical profile is narrated differently.

196
00:07:15,080 --> 00:07:17,800
Variance exceeds target on non-discounted period,

197
00:07:17,800 --> 00:07:20,960
receipt timing abnormal, flag for buyer review,

198
00:07:20,960 --> 00:07:23,040
same data shape, different narrative,

199
00:07:23,040 --> 00:07:26,520
two different human decisions that both look like valid approval process.

200
00:07:26,520 --> 00:07:27,640
Now add scale.

201
00:07:27,640 --> 00:07:29,840
Month end, hundreds of invoices.

202
00:07:29,840 --> 00:07:34,240
The human relief valve, I'll click into the lines if something feels off,

203
00:07:34,240 --> 00:07:35,760
is exercised less.

204
00:07:35,760 --> 00:07:38,480
The summarisation layer becomes the control surface,

205
00:07:38,480 --> 00:07:40,000
nobody violated policy.

206
00:07:40,000 --> 00:07:41,440
It just moved.

207
00:07:41,440 --> 00:07:44,200
You're no longer auditing whether the policy was applied to the data,

208
00:07:44,200 --> 00:07:47,360
you're auditing whether the narrative engine presented the right slice of data

209
00:07:47,360 --> 00:07:48,880
to which the policy was then applied.

210
00:07:48,880 --> 00:07:50,640
That's a different control altogether.

211
00:07:50,640 --> 00:07:54,000
What this actually means is your evidence becomes effect, not cause.

212
00:07:54,000 --> 00:07:57,720
ERP logs capture the approval event, the workflow hop, the user identity.

213
00:07:57,720 --> 00:07:59,840
They don't capture which fields were considered,

214
00:07:59,840 --> 00:08:01,440
which thresholds were soft,

215
00:08:01,440 --> 00:08:03,680
which alternate hypotheses were discarded.

216
00:08:03,680 --> 00:08:07,520
The decision lineage, feature weights, tool calls, retrieval sources,

217
00:08:07,520 --> 00:08:10,160
lives outside your audit system if it exists at all.

218
00:08:10,160 --> 00:08:12,720
When an outlier leaks through, you can replay the event.

219
00:08:12,720 --> 00:08:14,080
You cannot replay the reasoning.

220
00:08:14,080 --> 00:08:16,880
Here's what most people miss, mediation changes in sentives.

221
00:08:16,880 --> 00:08:20,480
Approvers optimise for queue clearance under plausible deniability.

222
00:08:20,480 --> 00:08:23,600
If the narrative says low risk and the UI says approve,

223
00:08:23,600 --> 00:08:25,760
resistance becomes the exception pathway.

224
00:08:25,760 --> 00:08:29,520
Over time, variance titans toward whatever the narrative normalises.

225
00:08:29,520 --> 00:08:31,040
Edge cases learn to look average.

226
00:08:31,040 --> 00:08:33,600
Everything clicked when I realised the test is simple.

227
00:08:33,600 --> 00:08:35,840
Take 10 approved invoices from the last close.

228
00:08:35,840 --> 00:08:38,800
For each, list the fields a human actually saw in the narrative,

229
00:08:38,800 --> 00:08:41,600
then list the fields required by your policy documentation.

230
00:08:41,600 --> 00:08:44,720
The gap between those lists is architectural erosion.

231
00:08:44,720 --> 00:08:48,160
If the narrative omitted fields your policy assumes are always reviewed,

232
00:08:48,160 --> 00:08:50,160
your control exists in name only.

233
00:08:50,160 --> 00:08:52,480
The system did not break your approval process.

234
00:08:52,480 --> 00:08:54,400
It made it efficient, and in doing so,

235
00:08:54,400 --> 00:08:58,240
it redefined what approval means without changing a single checkbox.

236
00:08:58,240 --> 00:09:00,480
Scenario 2, credit hold release.

237
00:09:00,480 --> 00:09:03,040
From deliberate exception to suggestible default.

238
00:09:03,040 --> 00:09:05,920
Credit holds were designed as a break, not a steering wheel.

239
00:09:05,920 --> 00:09:08,320
Historically, an override meant you stopped the line,

240
00:09:08,320 --> 00:09:12,080
assembled context, and accepted responsibility for downstream exposure.

241
00:09:12,080 --> 00:09:14,800
Copilot doesn't remove that break, it lubricates it,

242
00:09:14,800 --> 00:09:17,040
the override still requires a human click.

243
00:09:17,040 --> 00:09:19,360
The difference is how often the option presents itself

244
00:09:19,360 --> 00:09:21,200
and how benign it feels when it does.

245
00:09:21,200 --> 00:09:24,800
Okay, so basically the system aggregates balance aging,

246
00:09:24,800 --> 00:09:27,280
dispute flags, promised to pay notes, order backlog,

247
00:09:27,280 --> 00:09:28,880
seasonality and custom adhering.

248
00:09:28,880 --> 00:09:31,520
It produces a risk score with a suggested action,

249
00:09:31,520 --> 00:09:34,080
release, partial release or maintain hold.

250
00:09:34,080 --> 00:09:37,040
The suggestion arrives in the place sales actually lives.

251
00:09:37,040 --> 00:09:39,920
On the opportunity in the order entry pane in the sidecar,

252
00:09:39,920 --> 00:09:44,640
framed as low risk to fulfill with recent payments and sentiment highlights,

253
00:09:44,640 --> 00:09:48,880
the friction that once lived in data collection moves into a single plausible click.

254
00:09:48,880 --> 00:09:52,000
Here's the uncomfortable part, the exception becomes the baseline.

255
00:09:52,000 --> 00:09:54,240
Rare overrides were once social signals,

256
00:09:54,240 --> 00:09:57,280
sales and finance aligned on a bet with memory attached.

257
00:09:57,280 --> 00:09:59,200
Now the pattern looks like good customer.

258
00:09:59,200 --> 00:10:01,120
Pattern consistent, recommend release.

259
00:10:01,120 --> 00:10:04,800
The override path becomes a suggestible default,

260
00:10:04,800 --> 00:10:06,800
the narrative organizes the ambiguity

261
00:10:06,800 --> 00:10:08,560
and the click becomes routine.

262
00:10:08,560 --> 00:10:13,120
In other words, what used to be deliberation turns into acceptance of a model's confidence,

263
00:10:13,120 --> 00:10:15,280
but confidence compresses nuance.

264
00:10:15,280 --> 00:10:19,760
Seasonality matters, a 45 day slip in Q1 looks different than in Q4.

265
00:10:19,760 --> 00:10:23,200
Disputes matter, a billing error note created yesterday

266
00:10:23,200 --> 00:10:26,640
isn't the same as one aging at 58 days with partial credit spending.

267
00:10:26,640 --> 00:10:31,680
Partial histories matter, acquired subsidiaries with fragmented ledgers can mask aggregate risk.

268
00:10:31,680 --> 00:10:36,560
The model will do its best, but its summary will collapse that texture into a score and a sentence.

269
00:10:36,560 --> 00:10:39,280
Over time, humans read the sentence, not the context.

270
00:10:39,280 --> 00:10:43,680
Let's make it concrete, a wholesale customer with a strong 24 month history hits a hold

271
00:10:43,680 --> 00:10:50,000
due to a cluster of 35 to 45 day invoices tied to a pricing dispute after a product transition.

272
00:10:50,000 --> 00:10:54,880
Copilot shows recent on-time payments, highlights a dispute note and tags,

273
00:10:54,880 --> 00:10:56,880
expected resolution by Friday.

274
00:10:56,880 --> 00:11:00,800
It recommends a partial release for the open order because patent-consistent,

275
00:11:00,800 --> 00:11:04,560
low incremental risk to fulfill and sales accepts the shipment leaves,

276
00:11:04,560 --> 00:11:07,760
finance closes the dispute a week later at a 3% concession.

277
00:11:07,760 --> 00:11:12,080
Individually, this looks reasonable, repeated across dozens of customers in a seasonal trough,

278
00:11:12,080 --> 00:11:15,600
and the cumulative exposure shifts your cash forecast by a week

279
00:11:15,600 --> 00:11:17,840
and your revenue recognition by a period.

280
00:11:17,840 --> 00:11:19,360
Your comp plan sees it first.

281
00:11:19,360 --> 00:11:22,320
Here's what most people miss, the narrative presorts accountability.

282
00:11:22,960 --> 00:11:28,080
If the recommendation is released and the user clicks accept, who owns the exposure when the promise to pay fails?

283
00:11:28,080 --> 00:11:30,880
The rep who clicked, the model author who tuned the risk band,

284
00:11:30,880 --> 00:11:33,200
the workflow designer who surfaced the suggestion,

285
00:11:33,200 --> 00:11:35,840
in order to see user-accepted recommendation.

286
00:11:35,840 --> 00:11:38,880
So in practice, the choice architecture created that acceptance,

287
00:11:38,880 --> 00:11:41,840
friction migrated from human judgment to model tuning,

288
00:11:41,840 --> 00:11:46,480
everything clicked when I realized the blast radius isn't just financial, it's semantic.

289
00:11:46,480 --> 00:11:49,360
Credit hold stops meaning stop until risk is resolved.

290
00:11:49,360 --> 00:11:52,080
It starts meaning pause until copilot says it's fine.

291
00:11:52,080 --> 00:11:55,440
Policy intent moves from exception discipline to throughput optimization,

292
00:11:55,440 --> 00:11:56,480
that distinction matters.

293
00:11:56,480 --> 00:11:58,960
Now layer in non-determinism.

294
00:11:58,960 --> 00:12:01,280
Run the same customer pattern two weeks apart

295
00:12:01,280 --> 00:12:04,400
with a slightly different model snapshot or retrieval context.

296
00:12:04,400 --> 00:12:06,160
One run recommends maintain hold,

297
00:12:06,160 --> 00:12:08,400
due to clustered disputes and aging,

298
00:12:08,400 --> 00:12:11,520
the next recommends partial release on positive payment momentum.

299
00:12:11,520 --> 00:12:14,960
Two different human decisions both logged as compliant,

300
00:12:14,960 --> 00:12:19,360
testing and change validation break here because there is no stable decision function to replay.

301
00:12:19,360 --> 00:12:22,560
There is only a probabilistic posture under shifting context.

302
00:12:22,560 --> 00:12:25,360
What this actually means is your control evidence becomes performative.

303
00:12:25,360 --> 00:12:29,280
You can prove that a human approved that policy text exists,

304
00:12:29,280 --> 00:12:30,720
that a score was calculated.

305
00:12:30,720 --> 00:12:33,600
You cannot reconstruct which features tipped the recommendation,

306
00:12:33,600 --> 00:12:35,520
which alternative actions were considered,

307
00:12:35,520 --> 00:12:37,760
or why seasonality was down weighted this week.

308
00:12:37,760 --> 00:12:42,400
You can't tell a regulator or your CFO why the override pattern changed in March.

309
00:12:42,400 --> 00:12:45,680
The test is straightforward, pull the last 50 releases from hold,

310
00:12:45,680 --> 00:12:47,360
for each answer four questions,

311
00:12:47,360 --> 00:12:48,800
which disputes were active.

312
00:12:48,800 --> 00:12:50,400
What was the aging distribution,

313
00:12:50,400 --> 00:12:53,040
what features and weights drove the recommendation,

314
00:12:53,040 --> 00:12:55,760
who explicitly accepted ownership for the exposure.

315
00:12:55,760 --> 00:12:59,360
If you can't answer the third and the fourth without spelunking across dynamics,

316
00:12:59,360 --> 00:13:00,560
automate and outlook,

317
00:13:00,560 --> 00:13:03,600
the hold control has already turned into a suggestible default.

318
00:13:03,600 --> 00:13:05,440
The system didn't remove your break.

319
00:13:05,440 --> 00:13:08,080
It trained your drivers to tap it lightly and trust the dashboard.

320
00:13:08,080 --> 00:13:11,520
Scenario three, procurement vendor selection,

321
00:13:11,520 --> 00:13:13,440
the neutral recommendation that isn't,

322
00:13:13,440 --> 00:13:17,440
procurement controls were built on the fiction that best value is a fixed function.

323
00:13:17,440 --> 00:13:19,280
Documented inputs, transparent weights,

324
00:13:19,280 --> 00:13:20,560
auditable outputs.

325
00:13:20,560 --> 00:13:22,240
Copilot doesn't challenge that fiction.

326
00:13:22,240 --> 00:13:24,080
It performs it beautifully.

327
00:13:24,080 --> 00:13:27,680
It pulls historical PO performance, lead times, defect returns,

328
00:13:27,680 --> 00:13:30,880
SLA breaches, ESG flags, price curves and contract terms.

329
00:13:30,880 --> 00:13:33,680
It produces a side by side, one option is preferred,

330
00:13:33,680 --> 00:13:36,240
the narrative is calm, the interface looks fair,

331
00:13:36,240 --> 00:13:38,480
and yet, architecturally, it is something else.

332
00:13:38,480 --> 00:13:41,200
Okay, so basically, you've replaced policy interpretation

333
00:13:41,200 --> 00:13:42,720
with tool-mediated scoring,

334
00:13:42,720 --> 00:13:45,520
the policy still exists, the report still cites it.

335
00:13:45,520 --> 00:13:47,680
But the recommendation pathway, data coverage,

336
00:13:47,680 --> 00:13:49,840
dimensional weighting, supplier filtering,

337
00:13:49,840 --> 00:13:52,400
now lives inside a reasoning layer you don't see.

338
00:13:52,400 --> 00:13:55,120
Think of it like an authorization compiler for choices.

339
00:13:55,120 --> 00:13:58,480
You provide intent, the system compiles it into feature weights,

340
00:13:58,480 --> 00:13:59,840
and source selections,

341
00:13:59,840 --> 00:14:03,040
and you review the bytecode as a tidy comparison table.

342
00:14:03,040 --> 00:14:04,320
Here's the weird part.

343
00:14:04,320 --> 00:14:05,840
Neutrality is a performance.

344
00:14:05,840 --> 00:14:07,440
Data coverage is not uniform.

345
00:14:07,440 --> 00:14:09,840
Mid-tier vendors often have sparse enrichment,

346
00:14:09,840 --> 00:14:11,600
fewer third-party risk feeds,

347
00:14:11,600 --> 00:14:16,000
less consistent ASN telemetry, inconsistent ESG attestations.

348
00:14:16,000 --> 00:14:19,200
Sparse data looks risky to a model tune to optimize confidence,

349
00:14:19,200 --> 00:14:21,040
but confidence is not the same as performance.

350
00:14:21,040 --> 00:14:24,400
The output reads lower risk better on time record.

351
00:14:24,400 --> 00:14:27,360
What it actually means is denser data, clearer telemetry.

352
00:14:27,360 --> 00:14:29,200
Over time, that becomes a structural bias

353
00:14:29,200 --> 00:14:30,880
for the already integrated supplier.

354
00:14:30,880 --> 00:14:33,360
In other words, selection drift happens without a villain,

355
00:14:33,360 --> 00:14:34,480
weighting sneaks too.

356
00:14:34,480 --> 00:14:37,600
If your sourcing policy says price 40, quality 30,

357
00:14:37,600 --> 00:14:39,520
delivery 20, risk 10,

358
00:14:39,520 --> 00:14:42,240
what happens when the narrative promotes supplier stability

359
00:14:42,240 --> 00:14:44,400
into delivery and risk simultaneously?

360
00:14:44,400 --> 00:14:47,440
The weights now sum to 120 in practice, not 100 on paper.

361
00:14:47,440 --> 00:14:49,600
You don't notice because the table shows four columns

362
00:14:49,600 --> 00:14:52,480
and a friendly recommended concentration creeps.

363
00:14:52,480 --> 00:14:54,560
Your quarterly dashboard still hits diversity

364
00:14:54,560 --> 00:14:57,600
in ESG checkboxes because someone found one secondary vendor

365
00:14:57,600 --> 00:14:58,720
on small awards,

366
00:14:58,720 --> 00:15:00,720
but the blast radius of a primary disruption

367
00:15:00,720 --> 00:15:02,800
grew while reports stayed green.

368
00:15:02,800 --> 00:15:04,000
Let's make it concrete.

369
00:15:04,000 --> 00:15:06,400
A category manager is choosing between vendor A

370
00:15:06,400 --> 00:15:08,480
and vendor B for a critical subassembly.

371
00:15:08,480 --> 00:15:10,000
Vendo A is incumbent,

372
00:15:10,000 --> 00:15:12,000
deeply integrated with standard labels,

373
00:15:12,000 --> 00:15:14,640
EDI mappings and quality metrics.

374
00:15:14,640 --> 00:15:16,320
Vendo B is cheaper by 3%

375
00:15:16,320 --> 00:15:18,400
with comparable defect rates and pilot runs,

376
00:15:18,400 --> 00:15:21,440
but thinner external risk coverage and newer ESG disclosures.

377
00:15:21,440 --> 00:15:24,880
Co-pilot's table highlights A's predictable lead times

378
00:15:24,880 --> 00:15:26,960
and lower supply chain risk footprint,

379
00:15:26,960 --> 00:15:29,040
footnoted to three external sources.

380
00:15:29,040 --> 00:15:30,880
At the emphasizes B's price advantage

381
00:15:30,880 --> 00:15:33,280
behind a potential onboarding cost caveat

382
00:15:33,280 --> 00:15:35,600
sourced to historical category rampups,

383
00:15:35,600 --> 00:15:38,320
none of which share this subassembly's geometry.

384
00:15:38,320 --> 00:15:39,920
The recommendation points to A.

385
00:15:39,920 --> 00:15:41,760
A month later, a demand spike hits.

386
00:15:41,760 --> 00:15:43,040
A performs as expected.

387
00:15:43,040 --> 00:15:44,400
The choice looks validated.

388
00:15:44,400 --> 00:15:46,880
Repeat that pattern across categories for a year

389
00:15:46,880 --> 00:15:48,240
and you've trained the organization

390
00:15:48,240 --> 00:15:50,640
to equate coverage density with resilience

391
00:15:50,640 --> 00:15:52,720
and integration friction with risk.

392
00:15:52,720 --> 00:15:54,320
Your supply amix calcifies.

393
00:15:54,320 --> 00:15:55,600
Here's what most people miss.

394
00:15:55,600 --> 00:15:56,960
Lineage is the control.

395
00:15:56,960 --> 00:15:59,440
If you can't say which sources were included,

396
00:15:59,440 --> 00:16:01,680
which were excluded, which weights were applied

397
00:16:01,680 --> 00:16:03,120
and which transformations occurred

398
00:16:03,120 --> 00:16:05,440
before two vendors became comparable,

399
00:16:05,440 --> 00:16:07,440
you don't have a control, you have a ceremony.

400
00:16:07,440 --> 00:16:09,760
The audit will show you did a comparison.

401
00:16:09,760 --> 00:16:12,800
It won't show how the comparison defined reality.

402
00:16:12,800 --> 00:16:15,200
Everything clicked when I realized the neutral table

403
00:16:15,200 --> 00:16:17,600
hides three invisible filters.

404
00:16:17,600 --> 00:16:19,200
Data availability.

405
00:16:19,200 --> 00:16:21,360
Vendors with thin enrichment lose on risk,

406
00:16:21,360 --> 00:16:23,520
regardless of real world performance.

407
00:16:23,520 --> 00:16:24,800
Dimensional coupling.

408
00:16:24,800 --> 00:16:27,440
Risk gets smuggled into delivery and quality

409
00:16:27,440 --> 00:16:29,200
overweighting a single theme.

410
00:16:29,200 --> 00:16:30,640
Source selectivity.

411
00:16:30,640 --> 00:16:32,720
External feeds with inconsistent coverage

412
00:16:32,720 --> 00:16:34,080
become de facto policy.

413
00:16:34,080 --> 00:16:36,880
What this actually means is structural misalignment.

414
00:16:36,880 --> 00:16:38,720
Your sourcing policy intense diversification

415
00:16:38,720 --> 00:16:40,080
and long term leverage.

416
00:16:40,080 --> 00:16:42,000
The tool mediated scoring optimizes

417
00:16:42,000 --> 00:16:44,480
for short term throughput and model certainty.

418
00:16:44,480 --> 00:16:46,480
That distinction matters.

419
00:16:46,480 --> 00:16:47,360
The test is blunt.

420
00:16:47,360 --> 00:16:49,520
Take five recent preferred awards.

421
00:16:49,520 --> 00:16:52,080
For each reconstruct all sources consulted

422
00:16:52,080 --> 00:16:53,760
with coverage per supplier.

423
00:16:53,760 --> 00:16:56,720
The exact weights used including any derived dimensions.

424
00:16:56,720 --> 00:16:58,880
The scoring before and after any normalization

425
00:16:58,880 --> 00:17:00,720
or onboarding cost adjustments.

426
00:17:00,720 --> 00:17:02,640
The identity of the person or system

427
00:17:02,640 --> 00:17:04,160
that authored those adjustments.

428
00:17:04,160 --> 00:17:06,400
If you cannot produce that in one place,

429
00:17:06,400 --> 00:17:08,160
the recommendation was not neutral.

430
00:17:08,160 --> 00:17:10,000
It was compiled and the compiler

431
00:17:10,000 --> 00:17:12,560
owns your procurement posture more than your policy does.

432
00:17:12,560 --> 00:17:13,600
Scenario four.

433
00:17:13,600 --> 00:17:15,600
Customer service case resolution.

434
00:17:15,600 --> 00:17:17,600
Ambiguous authority by design.

435
00:17:17,600 --> 00:17:20,240
Service controls were designed around a simple chain.

436
00:17:20,240 --> 00:17:22,560
Intake triage disposition escalation

437
00:17:22,560 --> 00:17:24,160
of thresholds trigger.

438
00:17:24,160 --> 00:17:26,640
With a named person accountable at each step.

439
00:17:26,640 --> 00:17:28,240
Copilot doesn't delete that chain.

440
00:17:28,240 --> 00:17:30,560
It overlays it quietly by drafting responses,

441
00:17:30,560 --> 00:17:32,640
proposing concessions and suggesting goodwill

442
00:17:32,640 --> 00:17:34,080
when uncertainty is high.

443
00:17:34,080 --> 00:17:35,360
The artifacts stay the same.

444
00:17:35,360 --> 00:17:36,400
The case is updated.

445
00:17:36,400 --> 00:17:37,360
The refund posts.

446
00:17:37,360 --> 00:17:38,960
The SLA clock stops.

447
00:17:38,960 --> 00:17:40,560
Architecturally something else happens.

448
00:17:40,560 --> 00:17:42,720
The locus of authority dissolves into a composite

449
00:17:42,720 --> 00:17:44,480
of agent, model and workflow.

450
00:17:44,480 --> 00:17:46,960
Okay, so basically the human no longer originates action.

451
00:17:46,960 --> 00:17:48,160
They curate recommendations.

452
00:17:48,160 --> 00:17:50,400
Copilot ingests, purchase history,

453
00:17:50,400 --> 00:17:52,720
defect codes, prior contacts, sentiment,

454
00:17:52,720 --> 00:17:55,280
warranty terms, social mentions, even channel risk.

455
00:17:55,280 --> 00:17:56,240
It drafts.

456
00:17:56,240 --> 00:17:59,280
Apologize for inconvenience of a 15% credit,

457
00:17:59,280 --> 00:18:00,640
ship replacement.

458
00:18:00,640 --> 00:18:03,120
The rep can edit, escalate or accept.

459
00:18:03,120 --> 00:18:04,240
Acceptance becomes the norm

460
00:18:04,240 --> 00:18:06,480
because queue pressure rewards throughput.

461
00:18:06,480 --> 00:18:08,320
The decision is logged as the reps.

462
00:18:08,320 --> 00:18:11,520
The authorship is shared by a model whose criteria you cannot see

463
00:18:11,520 --> 00:18:13,520
and a workflow designer you've never met.

464
00:18:13,520 --> 00:18:14,880
Here's the uncomfortable part.

465
00:18:14,880 --> 00:18:16,800
Benevolence defaults emerge.

466
00:18:16,800 --> 00:18:19,120
When confidence dips or policies conflict,

467
00:18:19,120 --> 00:18:20,560
the draftleans generous.

468
00:18:20,560 --> 00:18:22,480
Small refunds, expedited shipping,

469
00:18:22,480 --> 00:18:24,560
coupon stacks to restore trust.

470
00:18:24,560 --> 00:18:25,920
One off this looks humane.

471
00:18:25,920 --> 00:18:28,000
At scale, layered across channels,

472
00:18:28,000 --> 00:18:30,240
you create arbitrage surfaces.

473
00:18:30,240 --> 00:18:32,400
Repeat abusers, learn patterns.

474
00:18:32,400 --> 00:18:33,760
Multi-channel stackers,

475
00:18:33,760 --> 00:18:36,000
capture overlapping concessions.

476
00:18:36,000 --> 00:18:37,840
Edge cases, auto resolved,

477
00:18:37,840 --> 00:18:39,920
accumulate into leakage you don't attribute

478
00:18:39,920 --> 00:18:41,520
to any single control.

479
00:18:41,520 --> 00:18:43,520
In other words, ambiguity is a feature.

480
00:18:43,520 --> 00:18:45,200
The system's helpfulness is optimized

481
00:18:45,200 --> 00:18:46,960
to end conversations quickly.

482
00:18:46,960 --> 00:18:49,440
That optimization is not the same as policy intent.

483
00:18:49,440 --> 00:18:51,760
Warranty terms become soft guidance.

484
00:18:51,760 --> 00:18:54,720
Fraud signals that live in another system become footnotes.

485
00:18:54,720 --> 00:18:56,320
Budget caps become suggestions

486
00:18:56,320 --> 00:18:58,400
with override approved by workflow

487
00:18:58,400 --> 00:19:00,000
when queue pressure spikes.

488
00:19:00,000 --> 00:19:02,320
The reps click is the final mile of a path

489
00:19:02,320 --> 00:19:04,880
prepaved by tuning you cannot reconstruct.

490
00:19:04,880 --> 00:19:06,000
Let's make it concrete.

491
00:19:06,000 --> 00:19:08,720
A customer reports a defective accessory outside warranty

492
00:19:08,720 --> 00:19:10,000
by 17 days,

493
00:19:10,000 --> 00:19:11,680
sites safety language in a blog

494
00:19:11,680 --> 00:19:13,200
and complains on Twitter.

495
00:19:13,200 --> 00:19:15,840
Copilot assembles context, detect social heat,

496
00:19:15,840 --> 00:19:17,520
drafts an apology with a full refund

497
00:19:17,520 --> 00:19:19,600
and bonus credit to acknowledge inconvenience,

498
00:19:19,600 --> 00:19:20,480
the rep accepts,

499
00:19:20,480 --> 00:19:22,320
the case closes within SLA.

500
00:19:22,320 --> 00:19:24,240
A month later, finance notices a rise

501
00:19:24,240 --> 00:19:25,920
in post-waranty concessions.

502
00:19:25,920 --> 00:19:28,480
Every case is within policy in the audit.

503
00:19:28,480 --> 00:19:30,240
The patent isn't a violation.

504
00:19:30,240 --> 00:19:32,480
It's the emergent behavior of a recommendation engine

505
00:19:32,480 --> 00:19:34,240
tuned to prevent escalation,

506
00:19:34,240 --> 00:19:37,680
reinforced by dashboards that celebrate first contact resolution.

507
00:19:37,680 --> 00:19:39,280
Here's what most people miss.

508
00:19:39,280 --> 00:19:42,320
Escalation logic erodes from thresholds to narratives.

509
00:19:42,320 --> 00:19:44,960
Escalate when refund exceeds X is replaced by

510
00:19:44,960 --> 00:19:47,440
recommend goodwill when risk of churn is high,

511
00:19:47,440 --> 00:19:49,040
where churn risk is a black box

512
00:19:49,040 --> 00:19:50,800
that overweights recent sentiment

513
00:19:50,800 --> 00:19:54,160
and underweights lifetime value beyond the visible window.

514
00:19:54,160 --> 00:19:56,160
Supervisors see fewer escalations,

515
00:19:56,160 --> 00:19:57,520
not because risk decreased

516
00:19:57,520 --> 00:20:00,160
but because the tools solved with concessions earlier

517
00:20:00,160 --> 00:20:02,480
quality review samples, the tidy case is not the ones

518
00:20:02,480 --> 00:20:04,000
that never escalated because the model

519
00:20:04,000 --> 00:20:05,360
rooted around friction.

520
00:20:05,360 --> 00:20:07,520
Everything clicked when I asked three blunt questions

521
00:20:07,520 --> 00:20:08,800
on a service floor.

522
00:20:08,800 --> 00:20:11,360
Which policy paragraph did this refund rely on?

523
00:20:11,360 --> 00:20:13,680
Which fraud features were considered and discarded?

524
00:20:13,680 --> 00:20:15,680
Who owns the concession budget after hours

525
00:20:15,680 --> 00:20:17,680
when the supervisor queue is overloaded?

526
00:20:17,680 --> 00:20:20,000
Three different people gave three different answers.

527
00:20:20,000 --> 00:20:21,520
The rep pointed to the draft,

528
00:20:21,520 --> 00:20:23,600
the supervisor to a rule in a share point

529
00:20:23,600 --> 00:20:27,120
and the workflow owner to an automate flow with escape hatches.

530
00:20:27,120 --> 00:20:28,880
That is ambiguous authority by design.

531
00:20:28,880 --> 00:20:31,600
What this actually means is your evidence shows closure

532
00:20:31,600 --> 00:20:32,400
not stewardship.

533
00:20:32,400 --> 00:20:34,640
You can prove that a customer got help quickly.

534
00:20:34,640 --> 00:20:37,360
You cannot prove that the concession ladder matched intent

535
00:20:37,360 --> 00:20:38,800
that fraud signals were honored

536
00:20:38,800 --> 00:20:41,120
or that budget guardrails held under load.

537
00:20:41,120 --> 00:20:44,080
Non-determinism compounds it the same case pattern tomorrow

538
00:20:44,080 --> 00:20:46,240
might draft a partial refund with a stern tone

539
00:20:46,240 --> 00:20:47,920
because the models snapshot shifted

540
00:20:47,920 --> 00:20:49,600
or the channel vector changed.

541
00:20:49,600 --> 00:20:52,000
Two different outcomes, both compliant on paper,

542
00:20:52,000 --> 00:20:53,120
the test is simple.

543
00:20:53,120 --> 00:20:54,960
Pro-50 auto resolved concessions

544
00:20:54,960 --> 00:20:57,200
under a certain dollar threshold from last quarter.

545
00:20:57,200 --> 00:20:59,600
For each reconstruct, the policy clause cited

546
00:20:59,600 --> 00:21:01,360
the fraud signals present at decision time

547
00:21:01,360 --> 00:21:03,520
the recommended versus final amount

548
00:21:03,520 --> 00:21:05,840
and the identity of the personal system

549
00:21:05,840 --> 00:21:07,520
that authorized variance.

550
00:21:07,520 --> 00:21:09,360
If you need to stitch dynamics case notes,

551
00:21:09,360 --> 00:21:12,160
outlook drafts, teams, chats, and automate runs to answer,

552
00:21:12,160 --> 00:21:13,840
authorities already ambiguous.

553
00:21:13,840 --> 00:21:15,680
The system didn't break your service process.

554
00:21:15,680 --> 00:21:16,800
It made it faster.

555
00:21:16,800 --> 00:21:19,120
And in doing so, it converted accountability

556
00:21:19,120 --> 00:21:22,160
into a shared blur, no audit can meaningfully assign.

557
00:21:22,160 --> 00:21:25,680
What architectural erosion looks like in practice?

558
00:21:25,680 --> 00:21:28,080
Let's move from storyline to system behavior.

559
00:21:28,080 --> 00:21:29,360
Not theory, mechanics.

560
00:21:29,360 --> 00:21:32,640
When co-pilot acts as a distributed decision engine

561
00:21:32,640 --> 00:21:35,520
across dynamics, graph, automate, outlook, and teams,

562
00:21:35,520 --> 00:21:38,080
five failure patterns show up consistently.

563
00:21:38,080 --> 00:21:39,200
They don't trigger red lights.

564
00:21:39,200 --> 00:21:41,520
They bend assumptions until controls keep existing

565
00:21:41,520 --> 00:21:42,960
while behavior stops matching intent.

566
00:21:42,960 --> 00:21:45,680
First, object bypass by composition.

567
00:21:45,680 --> 00:21:47,840
You think in roles, duties, and privileges bound

568
00:21:47,840 --> 00:21:51,440
to a user in dynamics agents don't respect that mental model.

569
00:21:51,440 --> 00:21:53,760
A single help me complete this action

570
00:21:53,760 --> 00:21:56,800
can traverse dynamics data, call a power automate flow

571
00:21:56,800 --> 00:21:58,800
that invokes graph to fetch messages,

572
00:21:58,800 --> 00:22:01,280
draft an email in outlook, post in teams,

573
00:22:01,280 --> 00:22:02,880
and write records back.

574
00:22:02,880 --> 00:22:04,880
Each hop is authorized in isolation.

575
00:22:04,880 --> 00:22:07,040
Together, they form a composite identity,

576
00:22:07,040 --> 00:22:08,720
nobody designed, or reviewed.

577
00:22:08,720 --> 00:22:10,800
No single role assignment is excessive.

578
00:22:10,800 --> 00:22:11,920
The orchestration is.

579
00:22:11,920 --> 00:22:13,760
Your authorization model is local.

580
00:22:13,760 --> 00:22:15,200
The agent pathway is global.

581
00:22:15,200 --> 00:22:16,240
That is not a violation.

582
00:22:16,240 --> 00:22:18,400
It's a side door created by integration

583
00:22:18,400 --> 00:22:20,400
where small, individually reasonable grants

584
00:22:20,400 --> 00:22:21,840
accumulate into action authority.

585
00:22:21,840 --> 00:22:23,600
You never intended to exist as a unit.

586
00:22:23,600 --> 00:22:26,400
Second, data lineage loss.

587
00:22:26,400 --> 00:22:27,760
After an agent assisted decision,

588
00:22:27,760 --> 00:22:29,680
try to answer three blunt questions,

589
00:22:29,680 --> 00:22:32,240
which tables and entities were actually consulted,

590
00:22:32,240 --> 00:22:34,160
which fields influenced the outcome

591
00:22:34,160 --> 00:22:35,840
and what transformations were applied

592
00:22:35,840 --> 00:22:37,360
before the recommendation appeared.

593
00:22:37,360 --> 00:22:39,920
You'll find logs of effects, workflow fired,

594
00:22:39,920 --> 00:22:41,200
email sent, record updated.

595
00:22:41,200 --> 00:22:42,960
You will not find cross-service,

596
00:22:42,960 --> 00:22:45,280
stitched causality, feature weights,

597
00:22:45,280 --> 00:22:47,440
tool calls, retrieval sources,

598
00:22:47,440 --> 00:22:49,520
and the order in which they informed judgment.

599
00:22:50,000 --> 00:22:51,840
The event logs are faithful to what happened.

600
00:22:51,840 --> 00:22:53,280
They are silent on why.

601
00:22:53,280 --> 00:22:54,880
That silence forces your auditors

602
00:22:54,880 --> 00:22:57,040
to certify ceremonies instead of decisions.

603
00:22:57,040 --> 00:22:58,720
It also means post-incident analysis

604
00:22:58,720 --> 00:23:00,960
becomes a fishing expedition across five systems,

605
00:23:00,960 --> 00:23:02,000
not a replay.

606
00:23:02,000 --> 00:23:05,040
Third, non-determinism embedded in deterministic workflows.

607
00:23:05,040 --> 00:23:07,200
The invoice approval workflow is deterministic.

608
00:23:07,200 --> 00:23:09,280
The narrative it now depends on is not.

609
00:23:09,280 --> 00:23:10,800
Run the same prompt on the same data

610
00:23:10,800 --> 00:23:12,560
under a slightly different model snapshot,

611
00:23:12,560 --> 00:23:14,640
retrieval window, or tool timeout.

612
00:23:14,640 --> 00:23:16,240
And you get a different recommendation

613
00:23:16,240 --> 00:23:17,680
with a different confidence band.

614
00:23:18,320 --> 00:23:20,720
Testing breaks, change validation breaks.

615
00:23:20,720 --> 00:23:22,640
You cannot freeze behavior without freezing

616
00:23:22,640 --> 00:23:24,240
the entire orchestration stack.

617
00:23:24,240 --> 00:23:26,800
Models, prompts, connectors, even time bound grounding.

618
00:23:26,800 --> 00:23:27,760
That's not a bug.

619
00:23:27,760 --> 00:23:30,000
It is the nature of probabilistic reasoning

620
00:23:30,000 --> 00:23:32,000
threaded through deterministic rails.

621
00:23:32,000 --> 00:23:34,640
And it quietly invalidates regression testing strategies

622
00:23:34,640 --> 00:23:36,640
that assume stable decision functions.

623
00:23:36,640 --> 00:23:38,400
Fourth, blast radius growth.

624
00:23:38,400 --> 00:23:40,960
Agents are helpful precisely because they act in context

625
00:23:40,960 --> 00:23:43,360
and propagate helpfulness across surfaces.

626
00:23:43,360 --> 00:23:46,000
Close the loop, follow up, update the record,

627
00:23:46,000 --> 00:23:48,640
notify the team. That is convenience for the operator

628
00:23:48,640 --> 00:23:50,720
and an expansion for the system boundary.

629
00:23:50,720 --> 00:23:52,720
An assist that began as approved this invoice

630
00:23:52,720 --> 00:23:54,480
becomes updates to finance,

631
00:23:54,480 --> 00:23:55,840
a templated supplier email,

632
00:23:55,840 --> 00:23:57,440
a team's message to the buyer,

633
00:23:57,440 --> 00:23:58,880
and a follow-up task.

634
00:23:58,880 --> 00:24:01,840
You didn't authorize that multi-surface cascade as a policy.

635
00:24:01,840 --> 00:24:04,800
You licensed it by enabling connectors and praising throughput.

636
00:24:04,800 --> 00:24:06,400
When behavior spans surfaces,

637
00:24:06,400 --> 00:24:09,760
incidents gopes from a record to a thread of side effects.

638
00:24:09,760 --> 00:24:11,440
Containment plans written for one app

639
00:24:11,440 --> 00:24:13,200
become insufficient for the chain.

640
00:24:13,200 --> 00:24:14,880
Fifth, accountability diffusion.

641
00:24:14,880 --> 00:24:16,960
When something drifts, who owns the decision?

642
00:24:16,960 --> 00:24:18,800
In the logs, a human clicked.

643
00:24:18,800 --> 00:24:21,760
In the reality, a model framed, a workflow offered,

644
00:24:21,760 --> 00:24:25,040
a designer configured, a policy text set in SharePoint,

645
00:24:25,040 --> 00:24:27,040
and an agent stitched it together.

646
00:24:27,040 --> 00:24:28,320
Everyone influenced the outcome.

647
00:24:28,320 --> 00:24:31,200
Nobody authored it in a way that maps to your ratsy.

648
00:24:31,200 --> 00:24:34,160
Post-factor ownership collapses into the system.

649
00:24:34,160 --> 00:24:36,960
That feels safe until you need to remediate root causes.

650
00:24:36,960 --> 00:24:38,160
Where do you change the behavior?

651
00:24:38,160 --> 00:24:40,480
The prompt, the tool map, the weight, the connector?

652
00:24:40,480 --> 00:24:43,360
You will learn the answer only after three steering committee meetings

653
00:24:43,360 --> 00:24:45,520
and a week of hunting across run histories.

654
00:24:45,520 --> 00:24:47,600
Here's how these five combine in practice.

655
00:24:47,600 --> 00:24:50,800
A procurement analyst accepts a preferred supplier recommendation.

656
00:24:50,800 --> 00:24:53,280
The agent composes a tidy summary in dynamics,

657
00:24:53,280 --> 00:24:55,520
adds on boarding steps via automate,

658
00:24:55,520 --> 00:24:57,680
emails the vendor a template via outlook

659
00:24:57,680 --> 00:24:59,840
and posts a notification in teams.

660
00:24:59,840 --> 00:25:01,760
A week later, a supply disruption hits.

661
00:25:01,760 --> 00:25:04,560
You try to reconstruct why preferred skewed that way.

662
00:25:04,560 --> 00:25:06,560
Or it says the analyst accepted a suggestion?

663
00:25:06,560 --> 00:25:08,320
Security says least privilege held.

664
00:25:08,320 --> 00:25:10,080
DLP says no exfiltration.

665
00:25:10,080 --> 00:25:12,240
Conditional access says the session was compliant.

666
00:25:12,240 --> 00:25:14,080
Every control is green and yet the choice

667
00:25:14,080 --> 00:25:16,800
leaned toward the incumbent because data coverage was denser.

668
00:25:16,800 --> 00:25:18,000
That lineage is absent.

669
00:25:18,000 --> 00:25:20,000
The blast radius includes a purchase order

670
00:25:20,000 --> 00:25:21,680
and email thread and a project channel.

671
00:25:21,680 --> 00:25:23,840
You can see the effects and you cannot change the cause

672
00:25:23,840 --> 00:25:26,160
without guessing which layer to tweak.

673
00:25:26,160 --> 00:25:29,040
Everything clicked when I watch teams run tabletop exercises.

674
00:25:29,040 --> 00:25:32,320
Not what if the model is wrong but what if the model is unexplainable?

675
00:25:32,320 --> 00:25:34,240
The answers were procedural, escalate,

676
00:25:34,240 --> 00:25:37,440
revert, rollback until they hit orchestration reality.

677
00:25:37,440 --> 00:25:40,480
There is no rollback for a prompt string that lives in production,

678
00:25:40,480 --> 00:25:43,360
no revert for a connector weight change last Tuesday,

679
00:25:43,360 --> 00:25:45,920
no single place where Y is captured.

680
00:25:45,920 --> 00:25:48,800
That is architectural erosion as a lived experience.

681
00:25:48,800 --> 00:25:50,160
Controls exist.

682
00:25:50,160 --> 00:25:52,640
Outcomes deviate from their intent in ways the controls

683
00:25:52,640 --> 00:25:55,440
were never designed to express, observe or correct.

684
00:25:55,440 --> 00:25:57,840
Controls you believe you have and where they fray.

685
00:25:57,840 --> 00:25:59,840
Let's benchmark the comfort blankets.

686
00:25:59,840 --> 00:26:02,000
The policies you point to in board decks,

687
00:26:02,000 --> 00:26:03,760
the ones auditors sample and bless.

688
00:26:03,760 --> 00:26:06,560
They still exist, they just don't constrain what you think they do.

689
00:26:06,560 --> 00:26:09,520
Once co-pilot operates as a distributed decision engine.

690
00:26:09,520 --> 00:26:11,200
Start with data loss prevention.

691
00:26:11,200 --> 00:26:12,640
DLP is boundary centric.

692
00:26:12,640 --> 00:26:15,120
It watches for payloads crossing egress lines.

693
00:26:15,120 --> 00:26:16,720
Agents do something subtly different.

694
00:26:16,720 --> 00:26:19,360
They recombine data inside the boundary into outputs.

695
00:26:19,360 --> 00:26:22,080
Your policies never conceived as exfiltration.

696
00:26:22,080 --> 00:26:25,520
A narrative that blends payment terms, dispute notes, sentiment snippets

697
00:26:25,520 --> 00:26:28,480
and supplier variance history is in a copy of any one data set.

698
00:26:28,480 --> 00:26:31,280
It's a synthesis that can reconstruct the very signals DLP

699
00:26:31,280 --> 00:26:33,120
was supposed to keep compartmentalized.

700
00:26:33,120 --> 00:26:34,160
No rule fires.

701
00:26:34,160 --> 00:26:37,200
Yet sensitive conclusions leave the system through email drafts.

702
00:26:37,200 --> 00:26:39,600
Teams posts or API calls the agent triggered.

703
00:26:39,600 --> 00:26:40,640
You didn't leak data.

704
00:26:40,640 --> 00:26:41,520
You leaked meaning.

705
00:26:41,520 --> 00:26:42,720
DLP wasn't violated.

706
00:26:42,720 --> 00:26:43,920
It was outflanked.

707
00:26:43,920 --> 00:26:45,600
Conditional access next.

708
00:26:45,600 --> 00:26:49,440
Conditional access answers who got in under what conditions.

709
00:26:49,440 --> 00:26:51,920
Useful but orthogonal to agent behavior.

710
00:26:51,920 --> 00:26:55,280
The decision chain that matters spans post sign-in actions,

711
00:26:55,280 --> 00:26:58,720
tool calls, connector hops, downstream automations.

712
00:26:58,720 --> 00:27:02,560
Sessions remain compliant while agents continue acting as context shifts.

713
00:27:02,560 --> 00:27:05,520
New device posture, new network path, new risk signal.

714
00:27:05,520 --> 00:27:08,640
Conditional access evaluates an event, agents express a process.

715
00:27:08,640 --> 00:27:10,960
By the time your condition would have blocked a human,

716
00:27:10,960 --> 00:27:14,880
the agent already queued emails, posted messages and wrote records back.

717
00:27:14,880 --> 00:27:18,960
Your session control is a front door light in a facility with internal monorails.

718
00:27:18,960 --> 00:27:20,560
Least privilege feels like a bedrock.

719
00:27:20,560 --> 00:27:21,760
For humans it can be.

720
00:27:21,760 --> 00:27:23,440
For agents it's a composition problem.

721
00:27:23,440 --> 00:27:25,200
Each connector is reasonably permissioned.

722
00:27:25,200 --> 00:27:26,880
Each app has a narrow scope.

723
00:27:26,880 --> 00:27:30,480
Together the orchestration becomes functionally over-privileged.

724
00:27:30,480 --> 00:27:32,400
No one granted that power explicitly.

725
00:27:32,400 --> 00:27:33,120
It emerged.

726
00:27:33,120 --> 00:27:37,040
A dynamics read here, a graph fetch there, a power automate runners with a service principle

727
00:27:37,040 --> 00:27:40,480
that can write just this table and suddenly a narrative can trigger

728
00:27:40,480 --> 00:27:44,880
an end-to-end state change your RBIG diagram never modeled as a single unit.

729
00:27:44,880 --> 00:27:49,360
You pass every entitlement review and still enable composite authority no control owner

730
00:27:49,360 --> 00:27:51,440
ever intended to exist in one click path.

731
00:27:51,440 --> 00:27:57,680
Application lifecycle management and change are where most teams flinch when they see the reality.

732
00:27:57,680 --> 00:28:01,440
You treat prompt toolmaps and grounding sources like configuration.

733
00:28:01,440 --> 00:28:05,760
They are logic when they change production behavior changes without gates,

734
00:28:05,760 --> 00:28:09,840
without rollbacks, without diffs you can explain to a cab, a new model snapshot,

735
00:28:09,840 --> 00:28:13,760
a re-ordered grounding source, a prompt edit to tighten risk language

736
00:28:13,760 --> 00:28:17,920
and your invoice narratives shift tone, tipping human decisions in aggregate.

737
00:28:17,920 --> 00:28:21,520
ALM artifacts don't capture this because your pipeline doesn't know its code.

738
00:28:21,520 --> 00:28:26,240
Your mutating production decision functions live and calling it configuration hygiene.

739
00:28:26,800 --> 00:28:30,720
Segregation of duties is the paper shield that looks strongest and fails quietest.

740
00:28:30,720 --> 00:28:34,480
On paper rolls are separated in behavior agents observe,

741
00:28:34,480 --> 00:28:38,560
recommend and execute across those rolls under the banner of assistance.

742
00:28:38,560 --> 00:28:41,120
The analyst reviews the recommendation.

743
00:28:41,120 --> 00:28:43,840
The same persona accepts a templated outreach.

744
00:28:43,840 --> 00:28:48,400
The flow executes the transaction no single actor violated SOD, the path did.

745
00:28:48,400 --> 00:28:51,600
The observation that used to be a distinct person is now a featureweight.

746
00:28:51,600 --> 00:28:55,040
The recommendation that used to be a meeting is now a sidecar suggestion.

747
00:28:55,040 --> 00:28:58,720
The execution that used to require a separate session is now a connected tool.

748
00:28:58,720 --> 00:29:01,600
Your SOD matrix is accurate, it's also inert.

749
00:29:01,600 --> 00:29:02,720
There are other seams.

750
00:29:02,720 --> 00:29:05,040
Information barriers assume static channels.

751
00:29:05,040 --> 00:29:08,160
Agents thread across channels to keep stakeholders informed,

752
00:29:08,160 --> 00:29:10,240
washing barriers with good intentions.

753
00:29:10,240 --> 00:29:12,480
Retention policies assume documents.

754
00:29:12,480 --> 00:29:16,000
Agents synthesize ephemeral outputs that live in chats and drafts,

755
00:29:16,000 --> 00:29:17,680
then regenerate on demand,

756
00:29:17,680 --> 00:29:20,640
evading retention by never being a canonical artifact.

757
00:29:20,640 --> 00:29:22,960
Incident response assumes a system boundary.

758
00:29:22,960 --> 00:29:26,480
Agents widen that boundary with every helpful cross-appnudge,

759
00:29:26,480 --> 00:29:30,880
multiplying scope while your runbook still expects a single application to isolate.

760
00:29:30,880 --> 00:29:34,320
Here's the pattern controls that bind events struggle against processes,

761
00:29:34,320 --> 00:29:36,000
controls that assume locality,

762
00:29:36,000 --> 00:29:40,640
falter, under composition, controls that enforce syntax, crumble, under semantics.

763
00:29:40,640 --> 00:29:42,720
And in every case the agent doesn't break the rule,

764
00:29:42,720 --> 00:29:45,440
it roots around it with cooperative components you enabled.

765
00:29:45,440 --> 00:29:46,160
So what survives?

766
00:29:46,160 --> 00:29:48,480
Intent enforced as design, not as paper,

767
00:29:48,480 --> 00:29:51,680
least privileged that models composite pathways not isolated grants.

768
00:29:51,680 --> 00:29:54,560
DLP that understands synthesis not just strings.

769
00:29:54,560 --> 00:29:58,560
Conditional access that ties to step up on sensitive tool invocation,

770
00:29:58,560 --> 00:29:59,920
not merely login.

771
00:29:59,920 --> 00:30:01,920
ALM that treats prompts, connectors,

772
00:30:01,920 --> 00:30:05,600
and model selections as code with gates, rollbacks, and impactives.

773
00:30:05,600 --> 00:30:08,240
SOD that enforces separation across observe,

774
00:30:08,240 --> 00:30:10,960
recommend execute, not just who clicked submit.

775
00:30:10,960 --> 00:30:12,640
If that sounds like new work, it is.

776
00:30:12,640 --> 00:30:14,560
The alternative is pretending these controls

777
00:30:14,560 --> 00:30:16,880
still carry the same load while dashboards stay green.

778
00:30:16,880 --> 00:30:17,600
They don't.

779
00:30:17,600 --> 00:30:21,120
In this architecture green means no single event broke a rule.

780
00:30:21,120 --> 00:30:23,440
It does not mean the system behaved as intended.

781
00:30:23,440 --> 00:30:25,760
You don't need to rebuild the enterprise tomorrow.

782
00:30:25,760 --> 00:30:27,440
You need to stop misreading the gauges.

783
00:30:27,440 --> 00:30:29,760
Treat co-pilot as a control plane participant,

784
00:30:29,760 --> 00:30:31,040
not an in-app helper.

785
00:30:31,040 --> 00:30:32,240
Track the chain, not the click.

786
00:30:32,240 --> 00:30:34,480
Govon the compiler, not the bytecode.

787
00:30:34,480 --> 00:30:36,480
When you do, the controls you believe you have

788
00:30:36,480 --> 00:30:37,840
start to matter again.

789
00:30:37,840 --> 00:30:39,920
Until then, they'll keep existing.

790
00:30:39,920 --> 00:30:41,680
While they're meaning erodes under the weight,

791
00:30:41,680 --> 00:30:43,440
you didn't know you'd put on them.

792
00:30:43,440 --> 00:30:46,480
The dynamics, MCP mechanics, that enable conditional chaos,

793
00:30:46,480 --> 00:30:50,160
most teams still picture co-pilot as a chat feature inside dynamics.

794
00:30:50,160 --> 00:30:51,840
Architecturally, it is something else.

795
00:30:51,840 --> 00:30:54,240
A distributed decision engine that compiles intent

796
00:30:54,240 --> 00:30:55,760
into multi-system action.

797
00:30:55,760 --> 00:30:58,880
The compiler here is co-pilot studio's orchestration layer.

798
00:30:58,880 --> 00:31:02,960
And the ABI to your ERP is the model context protocol, MCP.

799
00:31:02,960 --> 00:31:05,840
Put simply, MCP exposes tools and view models.

800
00:31:05,840 --> 00:31:07,920
Co-pilot chooses and sequences them.

801
00:31:07,920 --> 00:31:10,240
Your environment executes them with your entitlements.

802
00:31:10,240 --> 00:31:12,400
That's the pathway where meaning erodes.

803
00:31:12,400 --> 00:31:14,720
Okay, so basically, MCP is a standard broker.

804
00:31:14,720 --> 00:31:18,000
It presents a catalog of tools, find form, open form,

805
00:31:18,000 --> 00:31:20,720
read field, click button, execute operation,

806
00:31:20,720 --> 00:31:23,680
plus an exposed view model for each surface,

807
00:31:23,680 --> 00:31:25,760
which is the security scope metadata

808
00:31:25,760 --> 00:31:27,040
of what the user would see.

809
00:31:27,040 --> 00:31:29,600
Fields, actions, labels, state.

810
00:31:29,600 --> 00:31:32,000
When the agent receives a request,

811
00:31:32,000 --> 00:31:34,560
it doesn't run expospers logic directly.

812
00:31:34,560 --> 00:31:38,000
It asks the MCP server for the current view model snapshot.

813
00:31:38,000 --> 00:31:39,760
Reasons on the available actions,

814
00:31:39,760 --> 00:31:41,840
then calls tools in order to accomplish the goal.

815
00:31:41,840 --> 00:31:43,040
Every call is legitimate.

816
00:31:43,040 --> 00:31:44,400
The chain, however, is emergent.

817
00:31:44,400 --> 00:31:45,280
Here's the weird part.

818
00:31:45,280 --> 00:31:48,720
20 generic tool primitives unlock hundreds of thousands of operations.

819
00:31:48,720 --> 00:31:50,800
The May to November Microsoft previews moved

820
00:31:50,800 --> 00:31:54,000
from dozens of hard-coded actions to a human-like tool set.

821
00:31:54,000 --> 00:31:56,640
Navigate, select, set, submit,

822
00:31:56,640 --> 00:31:59,040
wrapped around a server-side computer-use model.

823
00:31:59,040 --> 00:32:00,560
No client session spins up.

824
00:32:00,560 --> 00:32:03,040
The agent consumes server-rendered view models,

825
00:32:03,040 --> 00:32:05,280
then issues actions the way a human would.

826
00:32:05,280 --> 00:32:07,040
That makes security review happy.

827
00:32:07,040 --> 00:32:08,080
No secret backdoor.

828
00:32:08,080 --> 00:32:10,240
It also means your control surface is now

829
00:32:10,240 --> 00:32:13,280
everything a human could do sequenced faster than a human would

830
00:32:13,280 --> 00:32:14,960
across features a human wouldn't remember.

831
00:32:14,960 --> 00:32:17,760
In other words, deterministic business logic hasn't gone away.

832
00:32:17,760 --> 00:32:19,840
It's been wrapped by stochastic orchestration.

833
00:32:19,840 --> 00:32:22,480
Your depreciation calculation remains precise.

834
00:32:22,480 --> 00:32:24,720
The path that reaches it is probabilistic,

835
00:32:24,720 --> 00:32:26,480
which form the agent opens first,

836
00:32:26,480 --> 00:32:28,400
which field it reads to infer context,

837
00:32:28,400 --> 00:32:30,320
which action it tries and retries,

838
00:32:30,320 --> 00:32:33,200
which connector it calls when it needs data outside the module.

839
00:32:33,200 --> 00:32:36,400
Non-determinism enters at the orchestration layer,

840
00:32:36,400 --> 00:32:39,360
tool choice, order, timeout handling, model selection,

841
00:32:39,360 --> 00:32:41,920
which then drives deterministic functions underneath.

842
00:32:41,920 --> 00:32:43,360
That distinction matters,

843
00:32:43,360 --> 00:32:46,160
because testing the function no longer proves the behavior.

844
00:32:46,160 --> 00:32:48,560
Think of the orchestration like an authorization compiler.

845
00:32:48,560 --> 00:32:51,520
You state intent, assess risk and release hold,

846
00:32:51,520 --> 00:32:53,600
and a planner decomposes it into steps

847
00:32:53,600 --> 00:32:55,360
that each satisfy local permissions.

848
00:32:55,360 --> 00:32:58,080
The composite pathway was never authorized explicitly

849
00:32:58,080 --> 00:33:00,240
as one thing, yet it exists.

850
00:33:00,240 --> 00:33:02,880
Because MCP keeps the view model bounded by role,

851
00:33:02,880 --> 00:33:05,280
duty and privilege, everyone relaxes.

852
00:33:05,280 --> 00:33:06,720
It can only see what a user can see.

853
00:33:06,720 --> 00:33:09,920
True, but the agent's memory and speed

854
00:33:09,920 --> 00:33:12,160
turn can see into will traverse

855
00:33:12,160 --> 00:33:14,560
and may click into will click in sequence.

856
00:33:14,560 --> 00:33:16,320
View model exposure is the pivot.

857
00:33:16,320 --> 00:33:18,320
Every field the human could inspect.

858
00:33:18,320 --> 00:33:19,760
Becomes a token for reasoning.

859
00:33:19,760 --> 00:33:22,400
Every enabled button becomes a candidate action.

860
00:33:22,400 --> 00:33:24,800
The model doesn't understand your policy intent.

861
00:33:24,800 --> 00:33:26,240
It understands affordances.

862
00:33:26,240 --> 00:33:28,240
Affordances are deceivingly neutral.

863
00:33:28,240 --> 00:33:30,000
Button presence looks harmless.

864
00:33:30,000 --> 00:33:33,120
Until you realize that button chains now compose across pages

865
00:33:33,120 --> 00:33:36,080
and processes without human cognition as the bottleneck,

866
00:33:36,080 --> 00:33:38,640
the affordance graph is your new control surface.

867
00:33:38,640 --> 00:33:40,960
Now add human-like tool semantics,

868
00:33:40,960 --> 00:33:45,120
open list, filter by label, select first row with matching text,

869
00:33:45,120 --> 00:33:45,920
click command.

870
00:33:45,920 --> 00:33:47,840
These are robust against UI changes

871
00:33:47,840 --> 00:33:50,320
and broad enough to cover edge forms you forgot existed.

872
00:33:50,320 --> 00:33:51,520
They're also noisy.

873
00:33:51,520 --> 00:33:53,520
The agent makes attempts, observes results,

874
00:33:53,520 --> 00:33:54,320
and adjusts.

875
00:33:54,320 --> 00:33:56,080
That adaptivity is a feature.

876
00:33:56,080 --> 00:33:59,280
It's also where non-determinism enters your deterministic rails.

877
00:33:59,280 --> 00:34:02,160
Different runs converge on different locally valid pathways.

878
00:34:02,160 --> 00:34:04,560
Computer use without a client is the other enabler.

879
00:34:04,560 --> 00:34:06,560
Because snapshots are server-rendered,

880
00:34:06,560 --> 00:34:08,960
there's no difference between what the user sees

881
00:34:08,960 --> 00:34:10,720
and what the agent reasons over.

882
00:34:10,720 --> 00:34:12,320
It's all metadata and state

883
00:34:12,320 --> 00:34:14,880
that eliminates a whole class of screen scrape fragility

884
00:34:14,880 --> 00:34:17,200
and makes the agent confident in navigating.

885
00:34:17,200 --> 00:34:20,160
It also hides lineage in a place your audit doesn't collect.

886
00:34:20,160 --> 00:34:22,160
The dialogue between planner and MCP

887
00:34:22,160 --> 00:34:24,960
about which actions were considered and rejected.

888
00:34:24,960 --> 00:34:26,400
You'll see the final tool calls.

889
00:34:26,400 --> 00:34:28,000
You won't see the discarded branches

890
00:34:28,000 --> 00:34:29,200
that shape the recommendation.

891
00:34:29,200 --> 00:34:32,240
Deterministic calls wrapped in probabilistic loops

892
00:34:32,240 --> 00:34:33,920
create conditional chaos,

893
00:34:33,920 --> 00:34:35,760
not because the system is broken,

894
00:34:35,760 --> 00:34:38,720
but because the order, timing, and retrieves influence outcomes

895
00:34:38,720 --> 00:34:41,600
at scale, a slow response from an analytic server

896
00:34:41,600 --> 00:34:44,400
changes which feature wins a tie break in the planner.

897
00:34:44,400 --> 00:34:46,560
A model upgrade weights recent payments

898
00:34:46,560 --> 00:34:48,880
slightly higher than aging distribution.

899
00:34:48,880 --> 00:34:50,480
A connector transient nudges the agent

900
00:34:50,480 --> 00:34:52,720
to fall back to a different data source this time.

901
00:34:52,720 --> 00:34:53,920
Every step is justified.

902
00:34:53,920 --> 00:34:55,200
The net effect is drift.

903
00:34:55,200 --> 00:34:57,920
Everything clicked when I mapped the mechanics to controls.

904
00:34:57,920 --> 00:35:00,240
The MCP guarantees the view model is security bounded.

905
00:35:00,240 --> 00:35:01,520
It does not guarantee lineage.

906
00:35:01,520 --> 00:35:04,240
The tool catalog guarantees actions are legitimate.

907
00:35:04,240 --> 00:35:05,760
It does not guarantee separation

908
00:35:05,760 --> 00:35:07,440
across observe recommend execute.

909
00:35:07,440 --> 00:35:09,280
Orchestration guarantees productivity.

910
00:35:09,280 --> 00:35:11,600
It does not guarantee reproducibility.

911
00:35:11,600 --> 00:35:12,720
When you realize that,

912
00:35:12,720 --> 00:35:15,200
you stop treating code pilot like an in-app helper

913
00:35:15,200 --> 00:35:17,840
and start treating it like a control plane participant

914
00:35:17,840 --> 00:35:21,440
that compiles your intent into action graphs you don't see.

915
00:35:21,440 --> 00:35:23,360
The mitigation isn't to block MCP.

916
00:35:23,360 --> 00:35:25,680
It's to encode intent at the orchestration edge.

917
00:35:25,680 --> 00:35:26,960
Require decision traces,

918
00:35:26,960 --> 00:35:28,880
inputs, tool sequences, feature weights,

919
00:35:28,880 --> 00:35:30,160
alongside outcomes,

920
00:35:30,160 --> 00:35:32,960
gate sensitive tool invocation behind step-up

921
00:35:32,960 --> 00:35:34,640
and treat prompts, tool maps,

922
00:35:34,640 --> 00:35:37,200
and model choices as code with ALM parity.

923
00:35:37,200 --> 00:35:39,440
Enforce your assumptions at the boundary

924
00:35:39,440 --> 00:35:42,240
where stochastic planning meets deterministic ERP.

925
00:35:42,240 --> 00:35:44,320
Otherwise you'll keep certifying green dashboards

926
00:35:44,320 --> 00:35:47,120
while the compiler quietly refactors what your controls mean.

927
00:35:47,120 --> 00:35:49,040
The governance model you're actually running.

928
00:35:49,040 --> 00:35:51,280
Most organizations still describe their environment

929
00:35:51,280 --> 00:35:53,280
as if they are operating an identity provider

930
00:35:53,280 --> 00:35:55,200
with apps at the edge and humans in the loop.

931
00:35:55,200 --> 00:35:56,160
They are not.

932
00:35:56,160 --> 00:35:58,960
Architecturally, you are running a distributed decision engine

933
00:35:58,960 --> 00:35:59,680
where,

934
00:35:59,680 --> 00:36:01,040
entra, dynamics,

935
00:36:01,040 --> 00:36:02,080
copilot studio,

936
00:36:02,080 --> 00:36:04,800
power automate, graph outlook and teams collaborate

937
00:36:04,800 --> 00:36:06,880
to compile intent into action graphs.

938
00:36:06,880 --> 00:36:08,960
That distinction matters because your governance model

939
00:36:08,960 --> 00:36:10,640
isn't the one written in your policies.

940
00:36:10,640 --> 00:36:12,960
It's the one expressed by the system's actual behavior.

941
00:36:12,960 --> 00:36:13,920
Start with identity.

942
00:36:13,920 --> 00:36:16,080
You think authentication plus R-back.

943
00:36:16,080 --> 00:36:18,400
In reality, it's identity as orchestration.

944
00:36:18,400 --> 00:36:21,200
Human session tokens, run as service principles,

945
00:36:21,200 --> 00:36:22,080
connector secrets,

946
00:36:22,080 --> 00:36:25,280
and implicit scopes stitched by agents at runtime.

947
00:36:25,280 --> 00:36:26,320
Entra sits at the center,

948
00:36:26,320 --> 00:36:28,880
but what leaves entra is not a stable subject acting

949
00:36:28,880 --> 00:36:30,160
in one application.

950
00:36:30,160 --> 00:36:32,720
It's a subject that multiplies into a composite pathway

951
00:36:32,720 --> 00:36:33,840
across tools.

952
00:36:33,840 --> 00:36:35,760
You are no longer granting access to apps.

953
00:36:35,760 --> 00:36:37,760
You're granting permission to assemble action graphs.

954
00:36:37,760 --> 00:36:39,280
Now look at the control plane.

955
00:36:39,280 --> 00:36:41,440
Copilot studio is not a chat designer.

956
00:36:41,440 --> 00:36:44,080
It's an implicit compiler of policy and prompts.

957
00:36:44,080 --> 00:36:46,480
You describe guardrails and goals in natural language,

958
00:36:46,480 --> 00:36:49,360
attach tool maps, select models, and connect data.

959
00:36:49,360 --> 00:36:51,200
The orchestrator translates that into plans

960
00:36:51,200 --> 00:36:52,720
the agent executes.

961
00:36:52,720 --> 00:36:54,960
Every helpful change, a prompt tweak,

962
00:36:54,960 --> 00:36:56,000
a new grounding source,

963
00:36:56,000 --> 00:36:57,600
a re-ordered tool preference,

964
00:36:57,600 --> 00:36:59,120
altars production decision functions.

965
00:36:59,120 --> 00:37:00,640
If you treat these like configuration,

966
00:37:00,640 --> 00:37:02,160
you get configuration hygiene.

967
00:37:02,160 --> 00:37:04,160
If you treat them like code, you get governance.

968
00:37:04,160 --> 00:37:05,440
Most teams do the former.

969
00:37:05,440 --> 00:37:07,520
Exceptions are your entropy generators.

970
00:37:07,520 --> 00:37:10,240
Every, except for this one urgent scenario,

971
00:37:10,240 --> 00:37:12,800
each temporarily allow this connector.

972
00:37:12,800 --> 00:37:15,040
Every run as account with broader scope

973
00:37:15,040 --> 00:37:17,840
to unblock the team expands the probabilistic surface.

974
00:37:17,840 --> 00:37:21,920
Deterministic rules degrade into probabilistic behaviors

975
00:37:21,920 --> 00:37:24,240
through accreted allowances you never rolled back.

976
00:37:24,240 --> 00:37:26,400
Over time, the exception path becomes the default.

977
00:37:26,400 --> 00:37:27,520
You didn't change policy.

978
00:37:27,520 --> 00:37:29,360
You diluted it through convenience,

979
00:37:29,360 --> 00:37:30,880
drift mechanics to the rest.

980
00:37:30,880 --> 00:37:34,000
Prompts evolve, tool catalogs grow,

981
00:37:34,000 --> 00:37:35,680
agent roles multiply.

982
00:37:35,680 --> 00:37:38,960
None of this has ALM parity with your deterministic systems.

983
00:37:38,960 --> 00:37:41,360
There's no standard diff for tone-tightened,

984
00:37:41,360 --> 00:37:42,960
risk emphasis increased.

985
00:37:42,960 --> 00:37:46,480
There's no rollback semantics for re-ranked grounding sources.

986
00:37:46,480 --> 00:37:48,640
There's no impact analysis for added supply

987
00:37:48,640 --> 00:37:50,640
enrichment feed with sparse coverage.

988
00:37:50,640 --> 00:37:53,520
The result is live mutation of production behavior

989
00:37:53,520 --> 00:37:54,640
without gates.

990
00:37:54,640 --> 00:37:56,240
Drift isn't a failure to document.

991
00:37:56,240 --> 00:37:58,880
It's the inevitable outcome of governing stochastic logic

992
00:37:58,880 --> 00:38:00,400
with static processes.

993
00:38:00,400 --> 00:38:03,600
Because you cannot guarantee determinism at the orchestration edge,

994
00:38:03,600 --> 00:38:06,720
you operationalize unpredictability through human smoothing.

995
00:38:06,720 --> 00:38:09,280
This is the hidden policy, acceptable failures.

996
00:38:09,280 --> 00:38:11,120
If it looks odd, the analyst tweaks it.

997
00:38:11,120 --> 00:38:13,520
If it escalates, the supervisor fixes it.

998
00:38:13,520 --> 00:38:16,240
If a refund feels off, the rep adjusts the amount.

999
00:38:16,240 --> 00:38:19,840
You wrap non-determinism in human discretion and call it resilience.

1000
00:38:19,840 --> 00:38:23,760
It works until volume rises, people change, or incentives shift.

1001
00:38:23,760 --> 00:38:26,640
Then the smoothing layer becomes a randomizer with a smile.

1002
00:38:26,640 --> 00:38:27,600
Ownership follows.

1003
00:38:27,600 --> 00:38:30,560
Racy models assume clear, named owners for steps.

1004
00:38:30,560 --> 00:38:33,280
In the orchestration reality, authorship diffuses.

1005
00:38:33,280 --> 00:38:36,640
Model selection by a platform admin, prompt by a designer,

1006
00:38:36,640 --> 00:38:38,960
connector scopes by an integration owner,

1007
00:38:38,960 --> 00:38:40,640
tool sequencing by the planner,

1008
00:38:40,640 --> 00:38:42,560
and a human click at the end.

1009
00:38:42,560 --> 00:38:45,040
Post-incident, everyone influenced the outcome.

1010
00:38:45,040 --> 00:38:48,160
Nobody authored it in a way you can change without touching four teams.

1011
00:38:48,160 --> 00:38:51,360
Your governance is a federation of good intentions tied together

1012
00:38:51,360 --> 00:38:53,520
by a control plane you do not treat as such.

1013
00:38:53,520 --> 00:38:54,800
Here is the uncomfortable truth.

1014
00:38:54,800 --> 00:38:58,000
What you believe you're running, identity provider plus app controls

1015
00:38:58,000 --> 00:39:00,640
isn't strong enough to express the system you actually run.

1016
00:39:00,640 --> 00:39:02,400
The working governance looks like this.

1017
00:39:02,400 --> 00:39:04,080
Identity as composition.

1018
00:39:04,080 --> 00:39:07,760
The effective actor is a chain, not a user, policy as compilation.

1019
00:39:07,760 --> 00:39:10,480
Intent is transformed into plans by orchestration,

1020
00:39:10,480 --> 00:39:12,160
not enforced directly.

1021
00:39:12,160 --> 00:39:14,080
Exceptions as entropy.

1022
00:39:14,080 --> 00:39:17,360
Every allowance increases the probabilistic surface.

1023
00:39:17,360 --> 00:39:21,040
Drift as default, logic mutates without all-emperity or rollback.

1024
00:39:21,040 --> 00:39:25,200
Acceptable failures as process, human smooth unpredictability at Hawk.

1025
00:39:25,200 --> 00:39:28,000
Accountability as diffusion, many hands, no author.

1026
00:39:28,000 --> 00:39:31,520
What survives in that landscape are the controls you can encode

1027
00:39:31,520 --> 00:39:34,640
where stochastic planning meets deterministic course.

1028
00:39:34,640 --> 00:39:36,960
Enforce step-up at sensitive tool invocation,

1029
00:39:36,960 --> 00:39:38,400
not just at sign-in.

1030
00:39:38,400 --> 00:39:42,480
Require decision traces, inputs, sources, tool sequences,

1031
00:39:42,480 --> 00:39:44,960
and feature influences attached to outcomes.

1032
00:39:44,960 --> 00:39:48,320
Treat prompts, tool maps, model choices, and connector scopes

1033
00:39:48,320 --> 00:39:51,200
as code with gates, reviews, and rollbacks.

1034
00:39:51,200 --> 00:39:54,640
Model composite pathways in access reviews, not isolated grants,

1035
00:39:54,640 --> 00:39:57,600
and define SOD across observe-recommend execute,

1036
00:39:57,600 --> 00:39:59,280
not just who clicked submit.

1037
00:39:59,280 --> 00:40:01,120
You are already running a control plane.

1038
00:40:01,120 --> 00:40:02,800
If you don't govern it as such,

1039
00:40:02,800 --> 00:40:04,960
it will continue to compile your written intent

1040
00:40:04,960 --> 00:40:07,280
into behaviors your written controls can't explain.

1041
00:40:07,280 --> 00:40:09,520
That is the governance model you're actually running

1042
00:40:09,520 --> 00:40:11,360
until you design a better one.

1043
00:40:11,360 --> 00:40:12,960
Audit without causality.

1044
00:40:12,960 --> 00:40:15,200
Why what happened isn't why it happened.

1045
00:40:15,200 --> 00:40:18,240
Auditors keep asking the right question with the wrong instruments.

1046
00:40:18,240 --> 00:40:20,080
They ask what happened.

1047
00:40:20,080 --> 00:40:21,440
The systems answer flawlessly.

1048
00:40:21,440 --> 00:40:24,640
Who clicked which record, which timestamp, which work flow hop?

1049
00:40:24,640 --> 00:40:28,720
But in a distributed decision engine, what is not why?

1050
00:40:28,720 --> 00:40:31,520
Causality lives in the orchestration layer, feature weights,

1051
00:40:31,520 --> 00:40:34,720
tool sequences, retrieval choices, and discarded branches

1052
00:40:34,720 --> 00:40:36,560
not in the ERP event log.

1053
00:40:36,560 --> 00:40:39,280
Mechanically, your logs are faithful to effects.

1054
00:40:39,280 --> 00:40:42,560
Dynamics records the approval, the field change, the entity update,

1055
00:40:42,560 --> 00:40:46,320
power automate records the run, the connector call, the success code,

1056
00:40:46,320 --> 00:40:48,960
Outlook logs the draft set, teams logs the post.

1057
00:40:48,960 --> 00:40:52,240
Each service is a perfect historian of its own actions.

1058
00:40:52,240 --> 00:40:55,200
None of them captured the decision chain that led to those actions.

1059
00:40:55,200 --> 00:40:57,600
The inputs evaluated, the alternatives considered,

1060
00:40:57,600 --> 00:40:59,120
the thresholds that tipped,

1061
00:40:59,120 --> 00:41:02,000
or the reason one pathway was taken over another.

1062
00:41:02,000 --> 00:41:03,840
You have chronology without causality.

1063
00:41:03,840 --> 00:41:07,120
Okay, so basically, you're auditing bytecode without the compiler trace.

1064
00:41:07,120 --> 00:41:10,880
The compiler here is copilot studio's planner working through MCP.

1065
00:41:10,880 --> 00:41:13,120
It decides which view model to request,

1066
00:41:13,120 --> 00:41:15,120
which fields to read, which tool to call,

1067
00:41:15,120 --> 00:41:17,600
in what order with what backoffs?

1068
00:41:17,600 --> 00:41:21,440
It weighs features, blends sources, and prunes branches.

1069
00:41:21,440 --> 00:41:23,520
That dialogue is where why lives?

1070
00:41:23,520 --> 00:41:26,800
You don't collect it, so you reconstruct intent after the fact

1071
00:41:26,800 --> 00:41:29,040
by stitching effects across five systems

1072
00:41:29,040 --> 00:41:31,600
and calling the resulting timeline an explanation.

1073
00:41:31,600 --> 00:41:32,400
It isn't.

1074
00:41:32,400 --> 00:41:33,680
Here's the uncomfortable part.

1075
00:41:33,680 --> 00:41:36,160
Reproducibility is your surrogate for causality,

1076
00:41:36,160 --> 00:41:37,840
and non-determinism breaks it.

1077
00:41:37,840 --> 00:41:40,400
If you can replay the inputs and get the same outcome,

1078
00:41:40,400 --> 00:41:42,880
you feel justified that the decision was sound.

1079
00:41:42,880 --> 00:41:44,560
But reasoning models are probabilistic.

1080
00:41:44,560 --> 00:41:47,520
Model snapshots shift, retrieval windows roll.

1081
00:41:47,520 --> 00:41:49,840
Connector latencies change order of evidence.

1082
00:41:49,840 --> 00:41:53,840
Identical prompts produce adjacent, sometimes divergent, recommendations.

1083
00:41:53,840 --> 00:41:56,960
Your replay passes because you got an answer, not the answer.

1084
00:41:56,960 --> 00:41:58,640
Causality remains unknown.

1085
00:41:58,640 --> 00:42:00,800
In other words, current evidence answers

1086
00:42:00,800 --> 00:42:02,400
who perform the terminal action,

1087
00:42:02,400 --> 00:42:04,000
not who authored the decision.

1088
00:42:04,000 --> 00:42:06,000
Your rassie points to the human click

1089
00:42:06,000 --> 00:42:08,560
because that's the only stable identity in the chain.

1090
00:42:08,560 --> 00:42:10,160
But authorship is distributed.

1091
00:42:10,160 --> 00:42:12,160
The prompt, the designer edited last week,

1092
00:42:12,160 --> 00:42:14,800
the tool map that re-ordered a connector fallback yesterday,

1093
00:42:14,800 --> 00:42:16,640
the planner that waited recent payments

1094
00:42:16,640 --> 00:42:19,040
a touch higher than aging this morning.

1095
00:42:19,040 --> 00:42:21,680
The click executed, the plan decided.

1096
00:42:21,680 --> 00:42:22,720
Let's make it concrete.

1097
00:42:22,720 --> 00:42:24,160
Pull an override from last month.

1098
00:42:24,160 --> 00:42:27,280
Your audit shows, user A released hold at 1042,

1099
00:42:27,280 --> 00:42:29,280
automated flow B ran successfully,

1100
00:42:29,280 --> 00:42:32,160
Outlook mailed confirmation teams informed the account team.

1101
00:42:32,160 --> 00:42:34,080
Tight, legible, compliant.

1102
00:42:34,080 --> 00:42:35,840
Now ask, which disputes were present

1103
00:42:35,840 --> 00:42:36,960
and which were down-weighted,

1104
00:42:36,960 --> 00:42:38,880
which enrichment feeds were missing,

1105
00:42:38,880 --> 00:42:40,880
so risk defaulted to unknown,

1106
00:42:40,880 --> 00:42:42,240
which confidence threshold,

1107
00:42:42,240 --> 00:42:43,600
tipped the recommendation from,

1108
00:42:43,600 --> 00:42:45,600
maintained to partial release,

1109
00:42:45,600 --> 00:42:48,560
and which fallback source supplied the tie-breaking signal

1110
00:42:48,560 --> 00:42:50,160
after a transient timeout.

1111
00:42:50,160 --> 00:42:51,840
You won't find those answers in one place.

1112
00:42:51,840 --> 00:42:53,840
You'll find effects and info causes.

1113
00:42:53,840 --> 00:42:55,360
Here's what most people miss.

1114
00:42:55,360 --> 00:42:58,480
Explainability isn't a narrative paragraph attached to a record.

1115
00:42:58,480 --> 00:43:00,800
It's an artifact that binds inputs to outcome

1116
00:43:00,800 --> 00:43:02,720
via the selections the planner made.

1117
00:43:02,720 --> 00:43:04,080
Without a decision trace,

1118
00:43:04,080 --> 00:43:05,440
the inputs ingested,

1119
00:43:05,440 --> 00:43:06,720
sources consulted,

1120
00:43:06,720 --> 00:43:10,000
feature influences, tool calls in order and branches pruned.

1121
00:43:10,000 --> 00:43:11,680
You cannot distinguish a sound judgment

1122
00:43:11,680 --> 00:43:14,400
from a satisfying shortcut that happened to pass.

1123
00:43:14,400 --> 00:43:17,360
You can certify ceremony, you cannot certify reasoning.

1124
00:43:17,360 --> 00:43:19,120
What this actually means is your compliance

1125
00:43:19,120 --> 00:43:21,440
stance overfits to the observable.

1126
00:43:21,440 --> 00:43:23,200
You collect what your system's emit

1127
00:43:23,200 --> 00:43:24,480
because that's what exists,

1128
00:43:24,480 --> 00:43:26,640
regulators accept it because it's consistent.

1129
00:43:26,640 --> 00:43:28,720
Meanwhile, the locus of risk has moved to a layer

1130
00:43:28,720 --> 00:43:30,240
that emits nothing you retain.

1131
00:43:30,240 --> 00:43:31,600
The audit answers what happened

1132
00:43:31,600 --> 00:43:34,000
with increasing precision as why it happened,

1133
00:43:34,000 --> 00:43:36,720
drifts further into guesswork and institutional memory.

1134
00:43:36,720 --> 00:43:38,640
Everything clicked when I watched an incident review,

1135
00:43:38,640 --> 00:43:40,800
tried to answer a basic variance question.

1136
00:43:40,800 --> 00:43:43,200
Why did March approve a skew lenient?

1137
00:43:43,200 --> 00:43:44,400
The room pulled exports,

1138
00:43:44,400 --> 00:43:45,600
tallied clicks,

1139
00:43:45,600 --> 00:43:47,200
compared model versions,

1140
00:43:47,200 --> 00:43:49,280
and argued about seasonality.

1141
00:43:49,280 --> 00:43:51,760
Nobody could show the causal graph of decisions.

1142
00:43:51,760 --> 00:43:55,680
Not the list of features that mattered more this month than last.

1143
00:43:55,680 --> 00:43:58,800
Not the tool fallbacks that silently changed evidence order,

1144
00:43:58,800 --> 00:44:00,640
not the confidence threshold that moved from most.

1145
00:44:00,640 --> 00:44:02,320
Late 74 to 0.71,

1146
00:44:02,320 --> 00:44:04,880
the team produced a professional looking narrative.

1147
00:44:04,880 --> 00:44:06,080
It wasn't causality,

1148
00:44:06,080 --> 00:44:08,240
it was storytelling with timestamps.

1149
00:44:08,240 --> 00:44:09,040
So what's the fix?

1150
00:44:09,040 --> 00:44:11,600
Require decision traces at the orchestration edge.

1151
00:44:11,600 --> 00:44:13,920
Treat them like first class artifacts.

1152
00:44:13,920 --> 00:44:16,080
Capture the inputs the agent saw,

1153
00:44:16,080 --> 00:44:17,760
tables fields, external feeds,

1154
00:44:17,760 --> 00:44:19,280
the feature influences or scores,

1155
00:44:19,280 --> 00:44:21,360
the order tool sequence with parameters,

1156
00:44:21,360 --> 00:44:23,120
the branches considered and pruned,

1157
00:44:23,120 --> 00:44:24,880
the model snapshot identifier,

1158
00:44:24,880 --> 00:44:26,960
and the prompt slash version hashes.

1159
00:44:26,960 --> 00:44:28,560
Buying that trace to the outcome record,

1160
00:44:28,560 --> 00:44:30,320
now your what points to a why,

1161
00:44:30,320 --> 00:44:32,240
you can inspect, replay and challenge.

1162
00:44:32,240 --> 00:44:33,920
At a second guard,

1163
00:44:33,920 --> 00:44:36,000
step up on sensitive tool invocation.

1164
00:44:36,000 --> 00:44:38,320
If the plan touches high impact actions,

1165
00:44:38,320 --> 00:44:40,320
release hold issue refund beyond threshold,

1166
00:44:40,320 --> 00:44:43,680
reassign supplier demand human affirmation with the trace visible.

1167
00:44:43,680 --> 00:44:44,880
Make acceptance explicit,

1168
00:44:44,880 --> 00:44:46,800
I reviewed inputs and influences.

1169
00:44:46,800 --> 00:44:48,000
This doesn't slow the world,

1170
00:44:48,000 --> 00:44:50,800
it localizes accountability to the authorship moment,

1171
00:44:50,800 --> 00:44:52,000
not the terminal click.

1172
00:44:52,000 --> 00:44:54,880
Finally, put orchestration artifacts under ALM.

1173
00:44:54,880 --> 00:44:57,120
Prompts, tool maps, model choices,

1174
00:44:57,120 --> 00:44:58,480
connectors scopes, version them,

1175
00:44:58,480 --> 00:45:00,320
gate them, diff them, roll them back.

1176
00:45:00,320 --> 00:45:03,520
Without that your decision traces will show drift you can't control.

1177
00:45:03,520 --> 00:45:05,520
Auditors can keep certifying effects,

1178
00:45:05,520 --> 00:45:06,800
or you can give them causes.

1179
00:45:06,800 --> 00:45:10,240
Without causality, green dashboards mean you know how to log.

1180
00:45:10,240 --> 00:45:12,960
They do not mean you know how the system decided.

1181
00:45:12,960 --> 00:45:15,200
The one test every admin should run next week,

1182
00:45:15,200 --> 00:45:18,400
pick one copilot influence decision that actually shipped value.

1183
00:45:18,400 --> 00:45:19,200
Not a demo,

1184
00:45:19,200 --> 00:45:21,120
a production action with dollars attached,

1185
00:45:21,120 --> 00:45:22,240
and approved invoice,

1186
00:45:22,240 --> 00:45:23,600
a released credit hold,

1187
00:45:23,600 --> 00:45:24,960
a preferred supplier award,

1188
00:45:24,960 --> 00:45:26,080
or a goodwill refund.

1189
00:45:26,080 --> 00:45:27,120
Give it a ticket number,

1190
00:45:27,120 --> 00:45:28,400
that's your specimen.

1191
00:45:28,400 --> 00:45:29,440
Reconstruct the inputs,

1192
00:45:29,440 --> 00:45:30,720
not all dynamics data.

1193
00:45:30,720 --> 00:45:34,080
Enumerate tables and fields the agent likely touched.

1194
00:45:34,080 --> 00:45:35,760
For finance, vent invoice,

1195
00:45:35,760 --> 00:45:37,360
door vent trans, ledger trans,

1196
00:45:37,360 --> 00:45:38,800
perch line in vent trans,

1197
00:45:38,800 --> 00:45:40,080
bank pay them ledger,

1198
00:45:40,080 --> 00:45:41,280
fields like amount curve,

1199
00:45:41,280 --> 00:45:42,800
cash disk, delivery date,

1200
00:45:42,800 --> 00:45:43,920
three way match status,

1201
00:45:43,920 --> 00:45:44,960
aging bucket,

1202
00:45:44,960 --> 00:45:45,840
for credit.

1203
00:45:45,840 --> 00:45:46,720
Cast trans,

1204
00:45:46,720 --> 00:45:48,000
cast aging snapshot,

1205
00:45:48,000 --> 00:45:48,960
cast table,

1206
00:45:48,960 --> 00:45:50,640
case entity for disputes,

1207
00:45:50,640 --> 00:45:52,240
fields like days past due,

1208
00:45:52,240 --> 00:45:53,040
dispute reason,

1209
00:45:53,040 --> 00:45:55,200
promise to pay date, credit max.

1210
00:45:55,200 --> 00:45:56,080
For procurement,

1211
00:45:56,080 --> 00:45:57,040
vent table,

1212
00:45:57,040 --> 00:45:58,240
perch RF queue line,

1213
00:45:58,240 --> 00:45:59,200
quality measures,

1214
00:45:59,200 --> 00:46:01,440
external risk feeds if you have them.

1215
00:46:01,440 --> 00:46:03,280
For service case interaction history,

1216
00:46:03,280 --> 00:46:05,040
warranty terms, fraud signals,

1217
00:46:05,040 --> 00:46:06,880
write the list before you query anything.

1218
00:46:06,880 --> 00:46:08,640
Now enumerate identities and scopes,

1219
00:46:08,640 --> 00:46:09,520
who was the human,

1220
00:46:09,520 --> 00:46:11,360
which service principles ran the flows,

1221
00:46:11,360 --> 00:46:13,680
which connectors executed with run ads?

1222
00:46:13,680 --> 00:46:15,120
Capture Entra object IDs,

1223
00:46:15,120 --> 00:46:16,000
app registrations,

1224
00:46:16,000 --> 00:46:17,280
consented permissions,

1225
00:46:17,280 --> 00:46:18,800
map each hop dynamics,

1226
00:46:18,800 --> 00:46:19,600
automate,

1227
00:46:19,600 --> 00:46:20,160
graph,

1228
00:46:20,160 --> 00:46:20,960
outlook,

1229
00:46:20,960 --> 00:46:21,760
teams.

1230
00:46:21,760 --> 00:46:23,280
If you can't produce the runners chain

1231
00:46:23,280 --> 00:46:24,480
and scopes for each hop,

1232
00:46:24,480 --> 00:46:25,200
stop.

1233
00:46:25,200 --> 00:46:26,720
Your RBAC picture is already local,

1234
00:46:26,720 --> 00:46:27,760
not composite,

1235
00:46:27,760 --> 00:46:29,200
a tray services crust,

1236
00:46:29,200 --> 00:46:31,200
pull the power automate flow runs linked

1237
00:46:31,200 --> 00:46:32,880
to that records timeline.

1238
00:46:32,880 --> 00:46:34,800
List connectors invoked with timestamps

1239
00:46:34,800 --> 00:46:35,600
and return codes,

1240
00:46:35,600 --> 00:46:37,760
query graph audit logs for message drafts

1241
00:46:37,760 --> 00:46:40,160
or sends tie to the same correlation window.

1242
00:46:40,160 --> 00:46:41,600
Extract teams message posts

1243
00:46:41,600 --> 00:46:43,120
that reference the entity ID

1244
00:46:43,120 --> 00:46:44,640
align them on a single timeline.

1245
00:46:44,640 --> 00:46:45,680
If overlap exists

1246
00:46:45,680 --> 00:46:47,200
without a shared correlation ID,

1247
00:46:47,200 --> 00:46:47,920
note it.

1248
00:46:47,920 --> 00:46:50,080
That's a blast radius with no single thread.

1249
00:46:50,080 --> 00:46:51,200
Attempt lineage.

1250
00:46:51,200 --> 00:46:54,720
For the specimen answer four causality questions,

1251
00:46:54,720 --> 00:46:55,840
which inputs were read,

1252
00:46:55,840 --> 00:46:57,200
which features were decisive,

1253
00:46:57,200 --> 00:46:58,640
which tool sequence executed,

1254
00:46:58,640 --> 00:46:59,840
which branches were pruned.

1255
00:46:59,840 --> 00:47:02,640
Practically you'll gather dynamics ordered entries,

1256
00:47:02,640 --> 00:47:04,640
effect, automate run history,

1257
00:47:04,640 --> 00:47:06,800
effect, outlook, teams logs,

1258
00:47:06,800 --> 00:47:09,360
effect, and maybe model prompt version nodes

1259
00:47:09,360 --> 00:47:10,800
if you keep them likely missing.

1260
00:47:10,800 --> 00:47:13,440
Document the gaps explicitly.

1261
00:47:13,440 --> 00:47:15,200
We know what happened here and here.

1262
00:47:15,200 --> 00:47:17,760
We do not know why the plan shows X over Y.

1263
00:47:17,760 --> 00:47:19,120
Run the reproducibility check,

1264
00:47:19,120 --> 00:47:20,800
freeze data snapshots where possible,

1265
00:47:20,800 --> 00:47:22,320
reissue the same prompt or action

1266
00:47:22,320 --> 00:47:23,360
in a non-production clone

1267
00:47:23,360 --> 00:47:25,680
with the current model and grounding.

1268
00:47:25,680 --> 00:47:27,760
Note divergences in recommendation text,

1269
00:47:27,760 --> 00:47:29,520
confidence bands or tool order.

1270
00:47:29,520 --> 00:47:30,800
If behavior shifts materially,

1271
00:47:30,800 --> 00:47:31,440
circle it.

1272
00:47:31,440 --> 00:47:34,160
That's non-determinism inside a deterministic control.

1273
00:47:34,160 --> 00:47:34,960
Score the test.

1274
00:47:34,960 --> 00:47:37,200
Use five flags, composite identity unknown.

1275
00:47:37,200 --> 00:47:39,280
Lineage absent, non-deterministic behavior,

1276
00:47:39,280 --> 00:47:42,560
unbounded blast radius, accountability diffused.

1277
00:47:42,560 --> 00:47:44,160
If you raise two or more on one specimen,

1278
00:47:44,160 --> 00:47:45,120
you don't have a bad record.

1279
00:47:45,120 --> 00:47:46,560
You have a systemic property.

1280
00:47:46,560 --> 00:47:49,120
Close with one corrective action per flag.

1281
00:47:49,120 --> 00:47:49,600
Examples.

1282
00:47:49,600 --> 00:47:51,200
For composite identity unknown,

1283
00:47:51,200 --> 00:47:53,920
require per hop runners disclosure in flow design

1284
00:47:53,920 --> 00:47:55,600
and attach it to the outcome record.

1285
00:47:55,600 --> 00:47:57,840
For lineage absent, mandate decision traces,

1286
00:47:57,840 --> 00:48:01,040
inputs feature influences tool sequence bound to the artifact.

1287
00:48:01,040 --> 00:48:03,360
For non-determinism, pin model, prompt versions

1288
00:48:03,360 --> 00:48:06,080
for regulated workflows and add evaluation gates.

1289
00:48:06,080 --> 00:48:08,320
For blast radius, gate cross service actions

1290
00:48:08,320 --> 00:48:10,720
behind step-up and correlation IDs.

1291
00:48:10,720 --> 00:48:12,080
For accountability diffused,

1292
00:48:12,080 --> 00:48:14,000
require an authorship acknowledgement

1293
00:48:14,000 --> 00:48:16,080
at acceptance with trace visibility.

1294
00:48:16,080 --> 00:48:17,600
Run the same test monthly.

1295
00:48:17,600 --> 00:48:18,720
Trend the flags.

1296
00:48:18,720 --> 00:48:20,800
If green dashboards disagree with your trend,

1297
00:48:20,800 --> 00:48:22,320
trust the test.

1298
00:48:22,320 --> 00:48:25,360
Intent enforcement mitigations that actually work at scale,

1299
00:48:25,360 --> 00:48:27,040
most teams try to paper over erosion

1300
00:48:27,040 --> 00:48:28,640
with policy PDFs and training decks.

1301
00:48:28,640 --> 00:48:29,280
It doesn't work.

1302
00:48:29,280 --> 00:48:31,520
You don't recover intent with more words.

1303
00:48:31,520 --> 00:48:33,120
You recover it by encoding assumptions

1304
00:48:33,120 --> 00:48:35,040
at the exact boundary where stochastic planning

1305
00:48:35,040 --> 00:48:36,240
meets deterministic cause.

1306
00:48:36,240 --> 00:48:38,240
Street co-pilot as a control plane participant

1307
00:48:38,240 --> 00:48:39,520
and enforce your design there.

1308
00:48:39,520 --> 00:48:40,800
First, invert trust.

1309
00:48:40,800 --> 00:48:42,080
Agents don't get the envy.

1310
00:48:42,080 --> 00:48:42,800
They earn it.

1311
00:48:42,800 --> 00:48:45,280
Default deny cross service orchestration.

1312
00:48:45,280 --> 00:48:47,600
Constrain the tool catalog, not the user.

1313
00:48:47,600 --> 00:48:49,520
Limit MCP to the minimum view models

1314
00:48:49,520 --> 00:48:51,360
and actions are given flow actually needs.

1315
00:48:51,360 --> 00:48:53,920
For automate, kill the use my connection,

1316
00:48:53,920 --> 00:48:54,880
anti-pattern.

1317
00:48:54,880 --> 00:48:56,800
Require explicit runners identities

1318
00:48:56,800 --> 00:48:58,800
per connector per flow with scopes pinned

1319
00:48:58,800 --> 00:49:00,960
to a single business capability.

1320
00:49:00,960 --> 00:49:02,960
Make new connector a change that requires

1321
00:49:02,960 --> 00:49:06,400
review by a control owner, not an enthusiastic maker.

1322
00:49:06,400 --> 00:49:09,600
The safe posture is it does too little until we're certain.

1323
00:49:09,600 --> 00:49:12,160
Not it can do everything until something breaks.

1324
00:49:12,160 --> 00:49:13,760
Second, force lineage.

1325
00:49:13,760 --> 00:49:16,000
Decisions without traces are ceremonies.

1326
00:49:16,000 --> 00:49:18,080
Require agents to emit a decision trace

1327
00:49:18,080 --> 00:49:19,520
alongside outcomes.

1328
00:49:19,520 --> 00:49:20,640
Inputs consulted.

1329
00:49:20,640 --> 00:49:22,400
Tables fields external feeds.

1330
00:49:22,400 --> 00:49:24,800
Feature influences or scores order tool sequence

1331
00:49:24,800 --> 00:49:27,040
with parameters branches considered and pruned.

1332
00:49:27,040 --> 00:49:28,480
Models snapshot and prompt hashes.

1333
00:49:28,480 --> 00:49:32,480
Bind that trace to the ERP artifact as a first class attachment

1334
00:49:32,480 --> 00:49:34,640
and lock the correlation ID across automate,

1335
00:49:34,640 --> 00:49:36,160
outlook and teams.

1336
00:49:36,160 --> 00:49:38,080
Lineage isn't a convenience for audit.

1337
00:49:38,080 --> 00:49:40,480
It's your only path to causality when behavior drifts

1338
00:49:40,480 --> 00:49:42,160
under probabilistic orchestration.

1339
00:49:42,160 --> 00:49:44,080
Third, determineize boundaries.

1340
00:49:44,080 --> 00:49:45,920
You won't make the plan a deterministic

1341
00:49:45,920 --> 00:49:47,680
but you can freeze its envelope

1342
00:49:47,680 --> 00:49:49,120
where regulation demands it.

1343
00:49:49,120 --> 00:49:51,200
Pin model versions for regulated workflows.

1344
00:49:51,200 --> 00:49:53,520
Version prompts and tool maps as code.

1345
00:49:53,520 --> 00:49:55,200
Define an evaluation gate.

1346
00:49:55,200 --> 00:49:57,680
Before a prompt or grounding change goes live,

1347
00:49:57,680 --> 00:49:59,040
run a regression suite.

1348
00:49:59,040 --> 00:50:00,720
Seeded specimens that must produce

1349
00:50:00,720 --> 00:50:03,360
equivalent recommendations within a tolerance band.

1350
00:50:03,360 --> 00:50:05,760
Fail the gate if variance breaches policy.

1351
00:50:05,760 --> 00:50:07,120
This doesn't hold innovation.

1352
00:50:07,120 --> 00:50:09,200
It channels it through a safety choke point.

1353
00:50:09,200 --> 00:50:10,800
Fourth, compile decisions.

1354
00:50:10,800 --> 00:50:12,320
Don't rely on good prompts.

1355
00:50:12,320 --> 00:50:15,360
Encode guard rails as prevalidated action graphs.

1356
00:50:15,360 --> 00:50:17,200
Build a policy to code layer that matches

1357
00:50:17,200 --> 00:50:20,400
intents like release hold over x if a b c

1358
00:50:20,400 --> 00:50:23,440
to a finite approved tool sequence with explicit inputs

1359
00:50:23,440 --> 00:50:24,880
and step-up checkpoints.

1360
00:50:24,880 --> 00:50:27,280
Let the planner propose but require the compiler

1361
00:50:27,280 --> 00:50:30,320
to accept only sequences that match a known safe pattern

1362
00:50:30,320 --> 00:50:31,920
or escalate for human review.

1363
00:50:31,920 --> 00:50:33,600
Think of it as a macro firewall.

1364
00:50:33,600 --> 00:50:36,160
Valid macros pass unknown macros require inspection.

1365
00:50:36,160 --> 00:50:39,200
Fifth, ALM parity for the agent surface.

1366
00:50:39,200 --> 00:50:41,600
Treat prompts, tool maps, model selections,

1367
00:50:41,600 --> 00:50:44,800
connector scopes and grounding sources as code.

1368
00:50:44,800 --> 00:50:47,600
They get branches, reviews, tests, gates and rollbacks.

1369
00:50:47,600 --> 00:50:49,680
Def prompts like diffs matter because they do.

1370
00:50:49,680 --> 00:50:50,720
Track impact.

1371
00:50:50,720 --> 00:50:53,200
This connector re-ranking changed risk narratives

1372
00:50:53,200 --> 00:50:55,600
in the last sprint by x%.

1373
00:50:55,600 --> 00:50:57,440
Publisher change log to control owners,

1374
00:50:57,440 --> 00:50:58,800
not just the maker community.

1375
00:50:58,800 --> 00:51:00,560
If you can't rollback a prompt in production,

1376
00:51:00,560 --> 00:51:02,560
you're running logic without safety.

1377
00:51:02,560 --> 00:51:04,800
Sixth, human out of loop tests.

1378
00:51:04,800 --> 00:51:06,560
If your safety depends on human smoothing,

1379
00:51:06,560 --> 00:51:08,800
measure what happens when humans don't intervene.

1380
00:51:08,800 --> 00:51:12,000
Run synthetic scenarios end to end in a non-production tenant

1381
00:51:12,000 --> 00:51:14,720
with Q pressure simulated and escalation throttled.

1382
00:51:14,720 --> 00:51:16,960
Score leakage, concession drift and SOD breaches

1383
00:51:16,960 --> 00:51:19,440
expressed as observe recommend execute collisions.

1384
00:51:19,440 --> 00:51:21,760
Set budgets, acceptable variance bands,

1385
00:51:21,760 --> 00:51:25,040
acceptable false positive rates, acceptable refund ladders.

1386
00:51:25,040 --> 00:51:27,440
If the agent exceeds them without human correction,

1387
00:51:27,440 --> 00:51:29,200
it's not ready for assist in production.

1388
00:51:29,200 --> 00:51:32,240
Seventh, step up where it matters.

1389
00:51:32,240 --> 00:51:34,560
Conditional access at sign-in is table stakes.

1390
00:51:34,560 --> 00:51:37,120
Require step up on sensitive tool invocation.

1391
00:51:37,120 --> 00:51:39,760
Release hold, issue refunds above threshold,

1392
00:51:39,760 --> 00:51:42,400
change supplier status, modify risk bands.

1393
00:51:42,400 --> 00:51:44,640
Present the decision trace at the moment of acceptance

1394
00:51:44,640 --> 00:51:46,720
and require an authorship acknowledgement.

1395
00:51:46,720 --> 00:51:49,120
I reviewed inputs and influences.

1396
00:51:49,120 --> 00:51:51,600
Tie that acknowledgement to a name person and roll.

1397
00:51:51,600 --> 00:51:53,600
Not the catch all system account.

1398
00:51:53,600 --> 00:51:55,280
Ownership sits at the authorship moment,

1399
00:51:55,280 --> 00:51:56,800
not the terminal click.

1400
00:51:56,800 --> 00:51:58,800
Eighth, composite pathway reviews.

1401
00:51:58,800 --> 00:52:01,680
Access reviews that list user entitlements miscomposition.

1402
00:52:01,680 --> 00:52:05,440
Build a quarterly exercise that enumerates actual agent pathways observed.

1403
00:52:05,440 --> 00:52:08,160
Dynamics, automate, graph, outlook teams.

1404
00:52:08,160 --> 00:52:10,880
For each show the runners chain scopes and side effects.

1405
00:52:10,880 --> 00:52:12,400
Retire unused connectors.

1406
00:52:12,400 --> 00:52:15,040
Narrow runners principles add step up where side effects

1407
00:52:15,040 --> 00:52:16,160
exceeded policy intent.

1408
00:52:16,160 --> 00:52:17,760
Review pathway is not roles.

1409
00:52:17,760 --> 00:52:21,440
Ninth, synthesis aware DLP, traditional DLP hunts, strings.

1410
00:52:21,440 --> 00:52:23,840
You need policies that detect synthesized meanings.

1411
00:52:23,840 --> 00:52:26,240
Classify outputs that combine sensitive attributes,

1412
00:52:26,240 --> 00:52:28,640
payment terms with dispute notes and aging,

1413
00:52:28,640 --> 00:52:31,120
leaving through email drafts or teams posts.

1414
00:52:31,120 --> 00:52:33,920
Gate dispatch behind review or redact sensitive features

1415
00:52:33,920 --> 00:52:35,360
in narratives by default.

1416
00:52:35,360 --> 00:52:36,720
You're not blocking exultation,

1417
00:52:36,720 --> 00:52:38,160
you're containing inadvertent inference.

1418
00:52:38,160 --> 00:52:41,280
10th, asso to re-express as phases,

1419
00:52:41,280 --> 00:52:44,960
in force separation across observe, recommend, execute.

1420
00:52:44,960 --> 00:52:46,720
An agent may observe and propose

1421
00:52:46,720 --> 00:52:48,160
a different persona approves,

1422
00:52:48,160 --> 00:52:50,640
a third executes even if execution is automated.

1423
00:52:50,640 --> 00:52:52,800
Encode this in tool availability

1424
00:52:52,800 --> 00:52:55,440
and MCP scopes, not just in your RAC chart.

1425
00:52:55,440 --> 00:52:57,840
If one identity can pull all three without step up,

1426
00:52:57,840 --> 00:52:59,280
your SOD is ceremonial.

1427
00:52:59,280 --> 00:53:01,600
Finally, operationalized drift expected,

1428
00:53:01,600 --> 00:53:04,080
don't fear it, run continuous evaluation harnesses

1429
00:53:04,080 --> 00:53:05,520
on live traffic samples.

1430
00:53:05,520 --> 00:53:07,520
Alert on narrative polarity shifts,

1431
00:53:07,520 --> 00:53:09,120
sudden changes in recommend rates,

1432
00:53:09,120 --> 00:53:11,600
concession letters, supplier preference.

1433
00:53:11,600 --> 00:53:14,000
Tie alerts to the orchestrator change log,

1434
00:53:14,000 --> 00:53:15,680
risk prompt updated,

1435
00:53:15,680 --> 00:53:17,600
grounding source, re-ranked,

1436
00:53:17,600 --> 00:53:19,360
model snapshot advanced.

1437
00:53:19,360 --> 00:53:22,880
Close the loop quickly, roll back first, investigate next.

1438
00:53:22,880 --> 00:53:25,200
None of this reads like a poster,

1439
00:53:25,200 --> 00:53:26,240
it reads like engineering.

1440
00:53:26,240 --> 00:53:28,400
That's the point, intent enforced as design

1441
00:53:28,400 --> 00:53:30,960
survives contact with probabilistic planning.

1442
00:53:30,960 --> 00:53:34,240
Intent declared as policy erodes the moment you add acceleration.

1443
00:53:34,240 --> 00:53:37,840
Executive translation, acceleration with debt you can't see.

1444
00:53:37,840 --> 00:53:39,920
Executives measure acceleration,

1445
00:53:39,920 --> 00:53:41,840
cycle times, close rates,

1446
00:53:41,840 --> 00:53:43,760
backlog burn, case deflection.

1447
00:53:43,760 --> 00:53:44,960
Those numbers will improve.

1448
00:53:44,960 --> 00:53:45,760
They should.

1449
00:53:45,760 --> 00:53:47,920
The uncomfortable truth is you'll also accumulate debt

1450
00:53:47,920 --> 00:53:49,680
that doesn't manifest as red.

1451
00:53:49,680 --> 00:53:52,400
It hides in three places, variants you don't price,

1452
00:53:52,400 --> 00:53:54,240
blast radius, you don't bound,

1453
00:53:54,240 --> 00:53:56,160
and explainability gaps you don't track.

1454
00:53:56,160 --> 00:53:57,360
Start with variants.

1455
00:53:57,360 --> 00:53:58,960
Your dashboards show medians.

1456
00:53:58,960 --> 00:54:01,040
The system you're actually running is probabilistic,

1457
00:54:01,040 --> 00:54:02,480
but that means the tails move.

1458
00:54:02,480 --> 00:54:05,360
Approvals that used to cluster near a stable decision function

1459
00:54:05,360 --> 00:54:08,160
now widen with model posture, retrieval windows

1460
00:54:08,160 --> 00:54:09,280
and connector timing.

1461
00:54:09,280 --> 00:54:11,200
You won't see it in weekly deltas.

1462
00:54:11,200 --> 00:54:12,400
You'll feel it in quarter close

1463
00:54:12,400 --> 00:54:14,640
when a handful of borderline decisions swung lenient

1464
00:54:14,640 --> 00:54:16,960
in cash landed five business days later.

1465
00:54:16,960 --> 00:54:18,720
Your revenue line is still correct.

1466
00:54:18,720 --> 00:54:20,480
Your working capital is jittery.

1467
00:54:20,480 --> 00:54:21,920
Finance absorbs it first.

1468
00:54:21,920 --> 00:54:23,200
Sales compa cruise it next.

1469
00:54:23,200 --> 00:54:24,800
Next, blast radius.

1470
00:54:24,800 --> 00:54:27,120
A helpful recommendation rarely stops at a screen.

1471
00:54:27,120 --> 00:54:30,000
It propagates, email drafted, teams notified,

1472
00:54:30,000 --> 00:54:32,160
tasks scheduled, tables updated,

1473
00:54:32,160 --> 00:54:34,640
multiply that across agents and surfaces,

1474
00:54:34,640 --> 00:54:38,000
and your incident scope grows from a bad call

1475
00:54:38,000 --> 00:54:40,560
to a threaded series of small reasonable actions

1476
00:54:40,560 --> 00:54:42,480
now embedded in three systems.

1477
00:54:42,480 --> 00:54:45,760
Containment takes longer, root cause analysis crosses org charts.

1478
00:54:45,760 --> 00:54:47,360
You didn't expand risk appetite.

1479
00:54:47,360 --> 00:54:48,480
Integration did.

1480
00:54:48,480 --> 00:54:51,920
Explainability is the third gap.

1481
00:54:51,920 --> 00:54:54,080
Auditors won't ask, was this fast?

1482
00:54:54,080 --> 00:54:56,720
They'll ask, why did this direction change in March?

1483
00:54:56,720 --> 00:54:59,760
Without decision traces, you answer with exports and a story.

1484
00:54:59,760 --> 00:55:01,440
That works until it doesn't.

1485
00:55:01,440 --> 00:55:03,520
The first time a regulator asks for causal evidence

1486
00:55:03,520 --> 00:55:05,920
or a board committee asks for feature level drivers

1487
00:55:05,920 --> 00:55:07,600
behind a spike you'll learn the difference

1488
00:55:07,600 --> 00:55:11,200
between certified effects and explainable decisions.

1489
00:55:11,200 --> 00:55:13,840
Your current evidence model is blind to that distinction.

1490
00:55:13,840 --> 00:55:15,360
Translate that into numbers.

1491
00:55:15,360 --> 00:55:18,960
Risk variance shows up as forecast error bands widening by days,

1492
00:55:18,960 --> 00:55:19,840
not hours.

1493
00:55:19,840 --> 00:55:21,440
Runner backtest on the last six months

1494
00:55:21,440 --> 00:55:23,360
volatility of day sales outstanding

1495
00:55:23,360 --> 00:55:25,680
before versus after assisted option.

1496
00:55:25,680 --> 00:55:28,000
If the standard deviation grew while mediums improved,

1497
00:55:28,000 --> 00:55:30,080
you moved risk from average to tail.

1498
00:55:30,080 --> 00:55:32,240
Security composite identity isn't a breach,

1499
00:55:32,240 --> 00:55:33,280
it's a surface.

1500
00:55:33,280 --> 00:55:35,600
Count cross-service action graphs per decision,

1501
00:55:35,600 --> 00:55:36,960
not app sign ins.

1502
00:55:36,960 --> 00:55:39,040
If the average hops per decision increased,

1503
00:55:39,040 --> 00:55:42,160
your exposure grew even a session state compliant.

1504
00:55:42,160 --> 00:55:44,640
Compliance, time to explain becomes a metric.

1505
00:55:44,640 --> 00:55:47,040
Take a specimen incident and clock how long it takes

1506
00:55:47,040 --> 00:55:49,840
to produce inputs, influences and tool sequence.

1507
00:55:49,840 --> 00:55:52,000
If explanation time exceeds change time

1508
00:55:52,000 --> 00:55:54,480
by an order of magnitude, you're carrying audit debt.

1509
00:55:54,480 --> 00:55:56,080
Now quantify the cost curve.

1510
00:55:56,080 --> 00:55:57,040
Speed now is real.

1511
00:55:57,040 --> 00:56:00,480
Head counter-voidance, faster quote to cash, lower handle time.

1512
00:56:00,480 --> 00:56:02,240
The bill later isn't theoretical.

1513
00:56:02,240 --> 00:56:03,920
It's compounded operational drag

1514
00:56:03,920 --> 00:56:05,760
when you can't localize behavior change.

1515
00:56:05,760 --> 00:56:09,120
Every ambiguous outcome costs three meetings in a week of hunting.

1516
00:56:09,120 --> 00:56:12,080
Every cross-service incident consumes two extra teams.

1517
00:56:12,080 --> 00:56:14,480
Every audit cycle pulls senior architects away

1518
00:56:14,480 --> 00:56:17,120
from delivery to reconstruct why with screenshots.

1519
00:56:17,120 --> 00:56:20,880
None of those show up in ROI models until they do all at once.

1520
00:56:20,880 --> 00:56:22,880
So what do you buy with a little friction upfront?

1521
00:56:22,880 --> 00:56:25,920
Survivability, small deliberate slowdowns.

1522
00:56:25,920 --> 00:56:27,520
Step up on sensitive actions.

1523
00:56:27,520 --> 00:56:29,360
Decision traces attached to outcomes,

1524
00:56:29,360 --> 00:56:31,680
gates for prompt and tool map changes,

1525
00:56:31,680 --> 00:56:35,040
trade a 2% throughput tax for a 90% reduction in

1526
00:56:35,040 --> 00:56:36,720
where did this behavior come from?

1527
00:56:36,720 --> 00:56:37,600
Firefights.

1528
00:56:37,600 --> 00:56:40,960
Pre-bake pathways for high impact actions cap blast radius,

1529
00:56:40,960 --> 00:56:42,800
versioned prompts and pinned models

1530
00:56:42,800 --> 00:56:44,800
in regulated flows cap variants.

1531
00:56:44,800 --> 00:56:46,160
Those aren't platform problems.

1532
00:56:46,160 --> 00:56:47,520
They're executive choices.

1533
00:56:47,520 --> 00:56:50,000
Set tolerances like you do in operations.

1534
00:56:50,000 --> 00:56:52,960
Define acceptable decision variance bands by domain.

1535
00:56:52,960 --> 00:56:56,320
Credit releases within these risk bands

1536
00:56:56,320 --> 00:56:59,600
should deviate less than x% week over week.

1537
00:56:59,600 --> 00:57:02,480
Define maximum composite hops for high risk actions

1538
00:57:02,480 --> 00:57:05,360
no more than n cross service steps without step up.

1539
00:57:05,360 --> 00:57:07,040
Define time to explain budgets.

1540
00:57:07,040 --> 00:57:10,080
Seem to explanation under t hours for p1 finance decisions,

1541
00:57:10,080 --> 00:57:12,480
but those are kpi's your teams can engineer toward.

1542
00:57:12,480 --> 00:57:15,280
Without them, they'll optimize the only metric they see.

1543
00:57:15,280 --> 00:57:18,560
Thruppard finally ask for one artifact you don't have today.

1544
00:57:18,560 --> 00:57:20,560
A quarterly orchestration change log.

1545
00:57:20,560 --> 00:57:21,600
Not model hype.

1546
00:57:21,600 --> 00:57:23,920
A ledger of prompts, tool maps, model versions,

1547
00:57:23,920 --> 00:57:26,000
connectors scopes and grounding re-rankings

1548
00:57:26,000 --> 00:57:28,560
that affected production decisions with measured impact.

1549
00:57:28,560 --> 00:57:31,840
If you can't get it, your financing speed with invisible debt.

1550
00:57:31,840 --> 00:57:33,600
If you can, you've turned erosion into something

1551
00:57:33,600 --> 00:57:34,960
you can see price and govern.

1552
00:57:34,960 --> 00:57:35,600
That's the trade.

1553
00:57:35,600 --> 00:57:36,480
Faster yes.

1554
00:57:36,480 --> 00:57:38,720
An understandable, containable and defensible

1555
00:57:38,720 --> 00:57:40,320
when, not if, you're asked why.

1556
00:57:40,320 --> 00:57:43,600
What to remember before the next agent pilot?

1557
00:57:43,600 --> 00:57:46,560
If you remember nothing else, remember these five constraints.

1558
00:57:46,560 --> 00:57:47,600
They are not opinions.

1559
00:57:47,600 --> 00:57:50,480
They are properties of the system you are already operating.

1560
00:57:50,480 --> 00:57:52,880
If you can't enforce your intent in code,

1561
00:57:52,880 --> 00:57:54,400
you won't enforce it in production.

1562
00:57:54,400 --> 00:57:56,480
Policy PDFs don't intercept action graphs.

1563
00:57:56,480 --> 00:57:58,880
Prompts, tool maps, model choices, connectors scopes,

1564
00:57:58,880 --> 00:57:59,840
these are code.

1565
00:57:59,840 --> 00:58:01,200
They change outcomes.

1566
00:58:01,200 --> 00:58:02,880
Give them ALM parity.

1567
00:58:02,880 --> 00:58:05,600
Or accept silent mutation as your operating model.

1568
00:58:05,600 --> 00:58:09,040
The team that owns policy must own the compiler guardrails.

1569
00:58:09,040 --> 00:58:10,560
Not just the SharePoint page.

1570
00:58:10,560 --> 00:58:13,280
If you can't reproduce a decision, you can't defend it.

1571
00:58:13,280 --> 00:58:14,960
Probabilistic planners will drift.

1572
00:58:14,960 --> 00:58:16,960
That is fine if you freeze the envelope.

1573
00:58:16,960 --> 00:58:19,120
Pin model versions for regulated flows.

1574
00:58:19,120 --> 00:58:21,760
Version and gate prompts require decision traces.

1575
00:58:21,760 --> 00:58:25,200
Inputs, feature influences, tool sequence, pruned branches,

1576
00:58:25,200 --> 00:58:26,400
bound to outcomes.

1577
00:58:26,400 --> 00:58:28,560
Reproducibility isn't getting an answer twice.

1578
00:58:28,560 --> 00:58:32,000
It's explaining why this answer followed from these inputs under this plan.

1579
00:58:32,000 --> 00:58:35,760
If your logs don't capture causality, you don't have accountability.

1580
00:58:35,760 --> 00:58:38,480
Event logs certify effects that they don't show authorship.

1581
00:58:38,480 --> 00:58:41,840
Capture the orchestration layers choices at the moment they're made,

1582
00:58:41,840 --> 00:58:43,040
not after the click.

1583
00:58:43,040 --> 00:58:45,120
Then move approval to where authorship lives.

1584
00:58:45,120 --> 00:58:48,000
Step up on sensitive tool invocation with the trace visible

1585
00:58:48,000 --> 00:58:49,840
and an explicit acknowledgement.

1586
00:58:49,840 --> 00:58:51,440
I reviewed inputs and influences,

1587
00:58:51,440 --> 00:58:54,800
beats user click, submit when auditors ask why.

1588
00:58:54,800 --> 00:58:58,320
If your exceptions grow, your system becomes probabilistic by default.

1589
00:58:58,320 --> 00:59:01,040
Every temporary allowance expands the surface.

1590
00:59:01,040 --> 00:59:04,960
Track exceptions as entropy, count them, age them, burn them down.

1591
00:59:04,960 --> 00:59:08,400
Treat temporary as a budgeted risk with an expiry not a lifestyle.

1592
00:59:08,400 --> 00:59:11,360
When you feel urgency, add step up, not scope.

1593
00:59:11,360 --> 00:59:14,640
You cannot velocity your way out of erosion seated by convenience.

1594
00:59:14,640 --> 00:59:18,240
If your control model is paper, your architecture will ignore it.

1595
00:59:18,240 --> 00:59:20,400
Model composite pathways and access reviews,

1596
00:59:20,400 --> 00:59:24,720
re-express SOD across observe, recommend execute and code synthesis aware DLP,

1597
00:59:24,720 --> 00:59:27,120
demand ALM for the agent surface.

1598
00:59:27,120 --> 00:59:30,400
When intent is designed, control survive contact with acceleration.

1599
00:59:30,400 --> 00:59:33,200
When intent is pros, orchestration compiles around it.

1600
00:59:33,200 --> 00:59:37,440
Translate those constraints into three operating habits before you approve the next pilot.

1601
00:59:37,440 --> 00:59:42,400
Define tolerances, decision variance bands, maximum composite hops, time to explain budgets.

1602
00:59:42,400 --> 00:59:46,000
If teams don't know the bounds, they'll optimize throughput and call it success.

1603
00:59:46,000 --> 00:59:47,520
Install gates.

1604
00:59:47,520 --> 00:59:50,240
Regression suites for prompt and grounding changes.

1605
00:59:50,240 --> 00:59:55,120
Step up on high impact tool chains, prevalidated macro patterns for risky actions.

1606
00:59:55,120 --> 00:59:57,760
Gates cost little compared to post-incident archaeology,

1607
00:59:57,760 --> 01:00:01,040
publisher change log, quarterly for the orchestrator surface.

1608
01:00:01,040 --> 01:00:05,040
Prompts, toolmaps, model snapshots, connector scopes, grounding re-rankings,

1609
01:00:05,040 --> 01:00:08,640
with measured impact if you can't see the mutations you can't manage the drift.

1610
01:00:08,640 --> 01:00:12,000
Finally, run the test, one specimen decision, and to end.

1611
01:00:12,000 --> 01:00:16,640
Score composite identity unknown, lineage absent, non-determinism,

1612
01:00:16,640 --> 01:00:20,240
unbounded blast radius, accountability diffused.

1613
01:00:20,240 --> 01:00:23,040
Two flags or more is not a bad day, it's your baseline.

1614
01:00:23,040 --> 01:00:28,080
Trend it, if the flags fall, while your dashboards stay green, you are bending acceleration back to what intent.

1615
01:00:28,080 --> 01:00:32,720
If the flags hold while the mediums improve, you are financing speed with invisible dead.

1616
01:00:32,720 --> 01:00:35,920
This is not extra work layered on top of a pilot, this is the pilot.

1617
01:00:35,920 --> 01:00:40,560
If you can't wire tolerances, gates, traces, and change logs into a small bounded use case,

1618
01:00:40,560 --> 01:00:41,760
you won't do it at scale.

1619
01:00:41,760 --> 01:00:44,640
Start where dollars move, make causality are deliverable.

1620
01:00:44,640 --> 01:00:47,040
Treat co-pilot like a control plane participant.

1621
01:00:47,040 --> 01:00:50,240
Then decide if faster still means better for your architecture.

1622
01:00:50,880 --> 01:00:55,520
This wasn't an argument against co-pilot, there was an argument against pretending acceleration leaves

1623
01:00:55,520 --> 01:00:58,800
architecture untouched, because erosion doesn't announce itself.

1624
01:00:58,800 --> 01:01:04,320
It waits quietly behind green dashboards, until the audit, the incident, or the headline.

1625
01:01:04,320 --> 01:01:08,720
If you only measure throughput, you'll miss the variance, the blast radius, and the causality gap

1626
01:01:08,720 --> 01:01:10,000
that make governance real.

1627
01:01:10,000 --> 01:01:12,640
Run the specimen test, demand decision traces,

1628
01:01:12,640 --> 01:01:16,480
gate the compiler not just the click, if you want more like this, subscribe.

1629
01:01:16,480 --> 01:01:19,280
And if you need the checklist we covered the links in the notes,

1630
01:01:19,280 --> 01:01:23,280
faster can be safer. Only when intent is enforced by design.

1631
01:01:23,280 --> 01:01:28,640
Appendix and deep dive, invoice approvals first, but with real world edges,

1632
01:01:28,640 --> 01:01:33,040
multi-currency introduces silent drift, the narrative looks consistent in the company currency

1633
01:01:33,040 --> 01:01:36,160
while rounding up skewer's threshold breach in the transaction currency.

1634
01:01:36,160 --> 01:01:38,720
Three-way match exceptions complicated further.

1635
01:01:38,720 --> 01:01:43,520
OCR uncertainty on receipts becomes a confidence-weighted summary that downplays mismatches

1636
01:01:43,520 --> 01:01:46,560
because the model weights legibility higher than variance.

1637
01:01:46,560 --> 01:01:50,800
In practice, the agent reads, "When invoiced Jewel and Perch line,

1638
01:01:50,800 --> 01:01:56,000
infers match status from three-way match status and amount curve, then compresses multiple lines

1639
01:01:56,000 --> 01:02:00,080
into a single variance with intolerance statement. That statement is not a lie.

1640
01:02:00,080 --> 01:02:06,000
It is a mediation that hides a 2.7% variance on an item, where policy tolerance is 2.5%

1641
01:02:06,000 --> 01:02:10,080
because conversions and rounding swallowed the difference. Lineage that lists fields and

1642
01:02:10,080 --> 01:02:14,800
per-line variances prevents this. Without it, the control exists, meaning dissolves."

1643
01:02:14,800 --> 01:02:17,600
Now credit hold releases in scarcity and seasonality.

1644
01:02:17,600 --> 01:02:22,400
Disputed receivables skew aging snapshots. The agency's cost-aging snapshot, days pass due,

1645
01:02:22,400 --> 01:02:27,280
promise to pay date, and flags, improving trend. But open disputes in case entity down-weight

1646
01:02:27,280 --> 01:02:32,320
risk only if a valid disposition exists. Many firms leave disputes in pending limbo,

1647
01:02:32,320 --> 01:02:37,280
the planner interprets pending as risk neutral, pushing the recommendation toward partial release.

1648
01:02:37,280 --> 01:02:41,040
Add seasonality. December spikes look like momentum in recent payments.

1649
01:02:41,040 --> 01:02:43,360
The model weights' recent C, not seasonality.

1650
01:02:43,360 --> 01:02:48,640
A sales team chasing year end targets nudges acceptance. The composite pathway is clean,

1651
01:02:48,640 --> 01:02:51,520
and your cash posture softens for January when the wave recedes.

1652
01:02:51,520 --> 01:02:58,400
Guardrail. Pin. Seasonal baselines. And require a dispute disposition weight to be explicit in the

1653
01:02:58,400 --> 01:03:03,040
trace. Procurement vendor selection isn't neutral recommendation. It's scoring reality against

1654
01:03:03,040 --> 01:03:08,480
policy intent. Dimensional coverage matters. If vendor A has deep on-time in full history and vendor

1655
01:03:08,480 --> 01:03:14,240
B's ESG metrics are sparsely populated, the agency's balanced summary tilts toward A because missing

1656
01:03:14,240 --> 01:03:20,640
ESG becomes unknown, not negative. Waiting silently privileges data-rich incumbents. Supplier

1657
01:03:20,640 --> 01:03:26,480
enrichment feeds with uneven coverage magnify the effect. Add risk-weighted SLAs, a project labeled

1658
01:03:26,480 --> 01:03:31,360
"critical" in one system doesn't propagate to the agent's planner grounding, so lead time gets

1659
01:03:31,360 --> 01:03:36,640
a higher weight than dual-sourcing constraints. The narrative reads preferred based on historical

1660
01:03:36,640 --> 01:03:42,480
performance when the policy intent was reduce concentration risk for critical projects. Fix.

1661
01:03:42,480 --> 01:03:47,600
Surface the waiting table and missing this penalties in the decision trace. Encode critical as a

1662
01:03:47,600 --> 01:03:53,040
gating attribute that inverts weights. Customer service case resolution looks simple until refund caps,

1663
01:03:53,040 --> 01:03:57,920
fraud signals and goodwill budgets collide. Caps live in policy PDFs, fraud in a model score,

1664
01:03:57,920 --> 01:04:03,440
goodwill in a quarterly budget by segment. The agent drafts a concession and cites high sentiment

1665
01:04:03,440 --> 01:04:08,240
risk from interaction history, but misses that the customer has exceeded goodwill for the quarter

1666
01:04:08,240 --> 01:04:12,960
because the budget table isn't exposed in the view model. Or fraud signals trigger a manual

1667
01:04:12,960 --> 01:04:17,600
review label that the agent interprets as slower response, increase goodwill to compensate.

1668
01:04:17,600 --> 01:04:21,920
You intended do not refund until cleared. The recommendation is benevolent drift,

1669
01:04:21,920 --> 01:04:26,560
enforce step-up on refund letters above cap and expose fraud states as hard constraints,

1670
01:04:26,560 --> 01:04:30,800
not soft signals the planner weighs. Now invoice variance with OCR and three-way match,

1671
01:04:30,800 --> 01:04:35,120
it's common to see the agent correctly identify a mismatch but down-rank it when the receipt OCR

1672
01:04:35,120 --> 01:04:39,600
confidence is low, framing it as possibly clerical. The human accepts the narrative because the

1673
01:04:39,600 --> 01:04:44,640
exception queue is long, multiply that by a month and variance systematically tips lenient when

1674
01:04:44,640 --> 01:04:49,120
documentation qualities poor. That's not malice, it's model posture, require per-line confidence

1675
01:04:49,120 --> 01:04:54,160
bands in the trace and a policy that flips posture. Low confidence increases scrutiny, not lenience.

1676
01:04:54,160 --> 01:04:57,920
Credit hold edge cases include partial payment plans promise to pay date exists,

1677
01:04:57,920 --> 01:05:02,640
but payment plan adherence sits in a different module. The planner reads recent small payments

1678
01:05:02,640 --> 01:05:08,480
and calls it trend improvement, while plan deviation is high. Seasonality again, a retailer with high

1679
01:05:08,480 --> 01:05:13,200
November December volumes normalizes late payments in January. If you don't pin seasonality

1680
01:05:13,200 --> 01:05:16,960
profiles per segment and propagate them to grounding, you will release based on

1681
01:05:16,960 --> 01:05:22,880
recent seed bias. Procurement waits with ESG. If ESG factors are policy-critical, missing data cannot

1682
01:05:22,880 --> 01:05:27,680
be neutral, forced the trace to show missingness penalties and require a human to acknowledge

1683
01:05:27,680 --> 01:05:32,800
when a preferred supplier wins despite unknown ESG. Otherwise the agent nudges you toward concentration

1684
01:05:32,800 --> 01:05:37,680
under the veneer of performance. Service refunds with fraud signals, fraud models often output scores

1685
01:05:37,680 --> 01:05:42,640
with bands. The planner treats band midpoints differently by snapshot. A model upgrade shifts

1686
01:05:42,640 --> 01:05:47,840
thresholds by two points, concessions drift. Pin bands in regulated flows and require step-up when

1687
01:05:47,840 --> 01:05:53,440
the planner crosses a band edge. For each capture lineage tables fields external feeds weights,

1688
01:05:53,440 --> 01:05:58,320
tool sequence and constrained tool scopes to the minimum viable set. Then your preferred partial

1689
01:05:58,320 --> 01:06:04,320
release, variance with intolerance and goodwill credit become decisions you can both execute and defend.

1690
01:06:04,320 --> 01:06:10,560
Control mapping checklist. Use this as a build sheet, not slogans. Controls you can encode where

1691
01:06:10,560 --> 01:06:17,040
stochastic planning meets deterministic cause. DLP. Synthesis aware rules. Define protected

1692
01:06:17,040 --> 01:06:22,320
combinations, not just strings. Payment terms plus dispute notes plus aging plus sentiment.

1693
01:06:22,320 --> 01:06:27,760
Inspect agent outputs at egress surfaces, outlook drafts, teams posts, automate HTTP,

1694
01:06:27,760 --> 01:06:33,120
gate send on redaction or reviewer step-up. Logical relation id tieing narrative to input features.

1695
01:06:33,120 --> 01:06:37,360
Conditional access move beyond sign-in require step-up on sensitive tool invocation,

1696
01:06:37,360 --> 01:06:42,400
release hold, refund above cap supplier status change, bind device or risk posture to agent

1697
01:06:42,400 --> 01:06:47,840
actions mid-session with continuous access evaluation deny connector creation in high-risk contexts.

1698
01:06:47,840 --> 01:06:53,920
Least privilege kill use my connection per connector runners principles single-purpose scopes

1699
01:06:53,920 --> 01:06:59,600
and time-bound secrets. Quarterly composite pathway reviews enumerate observed chains,

1700
01:06:59,600 --> 01:07:06,800
dynamics, automate, graph, outlook teams, retire unused hops, narrow scopes, add step-up where side

1701
01:07:06,800 --> 01:07:13,360
effects exceed policy. Alm treat prompt tool maps model selection grounding as code branches,

1702
01:07:13,360 --> 01:07:20,480
tests gates, rollbacks regression suites seated with specimens fail on variance outside tolerance,

1703
01:07:20,480 --> 01:07:26,640
publish a change log with measured impact deltas. SOD in code phases observe recommend execute

1704
01:07:26,640 --> 01:07:31,920
mass map to distinct identities and force via mcp scopes and tool availability require human

1705
01:07:31,920 --> 01:07:36,640
acknowledgement at approval with decision trace visible information barriers scope agents to

1706
01:07:36,640 --> 01:07:42,240
channels deny cross team posts by default allow lists per business process with per post correlation

1707
01:07:42,240 --> 01:07:47,920
IDs retention persist decision traces as first class records include model prompt hashes and

1708
01:07:47,920 --> 01:07:53,040
tool sequences configure retention on traces and agent outputs equally incident response correlate

1709
01:07:53,040 --> 01:07:57,840
across services by default playbooks pivot on correlation IDs not app boundaries pre-authorize

1710
01:07:57,840 --> 01:08:02,560
isolation of connectors and step up elevation throttles if you can't wire these the dashboard's

1711
01:08:02,560 --> 01:08:08,800
green light means no single event broker rule not the system behaved as intended mcp dynamics

1712
01:08:08,800 --> 01:08:13,520
technical notes for architects this is the part the platform brochures skip if you're the architect

1713
01:08:13,520 --> 01:08:18,160
who will be asked to defend behavior in an incident review these are the mechanics you need to

1714
01:08:18,160 --> 01:08:22,880
internalize before you sign off on an agent pilots start with the mcp servers there are two you'll

1715
01:08:22,880 --> 01:08:28,960
care about most in finance and operations the ERP mcp server and the analytics pp mcp server the ERP

1716
01:08:28,960 --> 01:08:34,400
server exposes the human like tool catalog and the server rendered view model snapshots for operational

1717
01:08:34,400 --> 01:08:39,280
forms the analytic server exposes dimensional queries over business performance analytics for

1718
01:08:39,280 --> 01:08:44,240
reasoning on aggregates treat them as different surfaces the ERP server is for acting in the transaction

1719
01:08:44,240 --> 01:08:49,920
world the analytic server is for reading the world's shape do not blur them casually with a shared run

1720
01:08:49,920 --> 01:08:55,760
as identity that's how you turn read insights into act based on insights without a gate understand

1721
01:08:55,760 --> 01:09:01,680
view model security the ERP mcp server bounds the view model by roles duties and privileges that

1722
01:09:01,680 --> 01:09:06,080
is necessary it is not sufficient the snapshot contains everything the user could see and click

1723
01:09:06,080 --> 01:09:11,600
on that surface at that moment fields labels enable disabled states and command metadata the agent

1724
01:09:11,600 --> 01:09:16,640
reasons over that snapshot if a button is enabled for a role but only ever used after a human checks

1725
01:09:16,640 --> 01:09:21,600
three downstream screens the agent will not respect that unwritten ceremony if the affordances

1726
01:09:21,600 --> 01:09:26,720
present it's in play tighten view models by disabling actions you don't want composed and by

1727
01:09:26,720 --> 01:09:33,040
scoping mcp to the minimum set of forms your scenario requires tool semantics matter the 20 tools

1728
01:09:33,040 --> 01:09:39,120
are primitives open list filter select read field click command execute operation their generic

1729
01:09:39,120 --> 01:09:44,320
on purpose so they survive UI change your safe pattern is to constrain the catalog by scenario not

1730
01:09:44,320 --> 01:09:49,680
by hope build allow lists of tools per agent and per flow for example an assess credit agent doesn't

1731
01:09:49,680 --> 01:09:55,440
need create vendor modify bank account or post journal in its tool map default deny in copilot studio

1732
01:09:55,440 --> 01:10:00,240
is possible if you choose to act like an engineer instead of a maker attach reviews to tool map

1733
01:10:00,240 --> 01:10:06,000
changes treat adding one more tool as a code diff with tests plan for server site computer use

1734
01:10:06,000 --> 01:10:10,720
there is no client session to watch the orchestration consume server rendered view models and issues

1735
01:10:10,720 --> 01:10:15,760
tool calls that's good for reliability it's bad for observability if you stay at the old audit layer

1736
01:10:15,760 --> 01:10:21,760
capture the mcp dialog view model requests tool invocations parameters return codes and the

1737
01:10:21,760 --> 01:10:27,040
orchestrations branch decisions if you don't have a place for those logs create one now after an

1738
01:10:27,040 --> 01:10:32,400
incident the delta between we executed these five tools and we considered these nine and prune four

1739
01:10:32,400 --> 01:10:36,960
is the difference between storytelling and causality pin your identities you will need four classes

1740
01:10:36,960 --> 01:10:41,760
the human the agents identity in copilot studio per connector service principles for power automate

1741
01:10:41,760 --> 01:10:48,240
and graph and the ERP mcp servers app registration do not use my connection in flows issue single

1742
01:10:48,240 --> 01:10:52,960
purpose list scope service principles per connector per flow force explicit runners disclosure on

1743
01:10:52,960 --> 01:10:58,480
sensitive actions and propagate the entire object IDs through correlation IDs into outcome records

1744
01:10:58,480 --> 01:11:05,040
when you do your composite pathway review you want a clean chain user copilot studio agent ID ERP

1745
01:11:05,040 --> 01:11:12,000
mcp app ID automate flow app IDs graph outlook teams app IDs if you can't draw it on one line you won't

1746
01:11:12,000 --> 01:11:17,440
be able to contain it in one call model selection is not trivia reasoning models behave differently

1747
01:11:17,440 --> 01:11:22,640
Microsoft's guidance will change your obligation will not for regulated flows pin the model snapshot

1748
01:11:22,640 --> 01:11:27,360
and record the hash with the outcome and the decision trace maintain a compatibility matrix for

1749
01:11:27,360 --> 01:11:32,800
model prompt tool map regression test them together a benign upgrade in the planner can alter

1750
01:11:32,800 --> 01:11:39,120
tie-break behavior turn recent payments into a stronger signal than aging distribution or change

1751
01:11:39,120 --> 01:11:43,760
how the agent handles timeouts if you don't have a gate that runs seated specimens and checks

1752
01:11:43,760 --> 01:11:48,720
variance bands you will learn about posture changes through production drift grounding sources are

1753
01:11:48,720 --> 01:11:54,160
part of your attack surface the temptation is to add just one more enrichment feed every new source

1754
01:11:54,160 --> 01:11:59,360
is another domain of missing this penalties and data sparsity the planner will treat as neutral

1755
01:11:59,360 --> 01:12:05,120
document your ranking for example internal disputes statements correspondent emails enrichment feed

1756
01:12:05,120 --> 01:12:09,920
x put that ranking under change control when someone reorder sources require a test that shows

1757
01:12:09,920 --> 01:12:14,880
narrative polarity didn't flip for your seated specimens snapshots and state deserve attention

1758
01:12:14,880 --> 01:12:20,000
view models reflect the service state now long running plans may re-request the snapshot and see

1759
01:12:20,000 --> 01:12:24,640
new evidence that a human wouldn't have checked again that adaptivity can be useful it can also

1760
01:12:24,640 --> 01:12:28,880
produce race conditions where plans step three relies on a field that change between step one

1761
01:12:28,880 --> 01:12:33,680
and three if your scenario is sensitive to that constrain the plan to a bounded window or require

1762
01:12:33,680 --> 01:12:38,960
step up if the view model changed in a material way between reads you can't freeze the ERP you can

1763
01:12:38,960 --> 01:12:44,240
engineer around change integrate continuous access evaluation into action not just sign in if

1764
01:12:44,240 --> 01:12:49,760
device posture or risk levels degrade during a session block sensitive tool invocations midplan

1765
01:12:49,760 --> 01:12:54,720
this is where conditional access can still matter if you move it from session start to action time

1766
01:12:54,720 --> 01:12:59,520
why are the check into the orchestration edge don't hope the plan finishes before posture changes

1767
01:12:59,520 --> 01:13:04,640
treat bpa carefully the analytics mcp server is powerful and tempting it can answer what is the

1768
01:13:04,640 --> 01:13:09,760
monthly trend quickly it cannot explain line level exceptions if you let the planner lean on bpa

1769
01:13:09,760 --> 01:13:14,560
aggregates for case level decisions without exposing per record evidence you are building narratives

1770
01:13:14,560 --> 01:13:19,600
out of statistics force the planner to fetch line level data for decisions that affect dollars

1771
01:13:19,600 --> 01:13:25,440
and use bpa as context not authority evaluate retries and backoffs tool calls will fail transiently

1772
01:13:25,440 --> 01:13:31,520
the planner will retry or select a fallback write policy for retries how many over what window

1773
01:13:31,520 --> 01:13:37,600
and when to escalate lock the back of a surprising amount of drift is simply timeout handling changing

1774
01:13:37,600 --> 01:13:42,960
the evidence order if you don't lock the delays you'll misdiagnose posture as policy decide how

1775
01:13:42,960 --> 01:13:47,920
you'll handle unknown for missing data cannot be neutral in policy critical dimensions for ESG

1776
01:13:47,920 --> 01:13:53,760
procurement unknown must be penalized explicitly for fraud and service refunds manual review should

1777
01:13:53,760 --> 01:13:58,720
be a hard constraint on action not a soft signal to add goodwill encode these as guardrails at the

1778
01:13:58,720 --> 01:14:03,760
orchestration edge if you leave it to the planner it will treat unknown as low friction and push

1779
01:14:03,760 --> 01:14:08,880
toward convenience finally build your engineering ergonomics now provide SDK like rappers that

1780
01:14:08,880 --> 01:14:14,160
enforce decision trace emission correlation ID propagation step up prompts for sensitive tools

1781
01:14:14,160 --> 01:14:19,200
and regression test hooks for prompt and grounding changes give makers paved roads that make

1782
01:14:19,200 --> 01:14:24,240
the safe thing the easy thing if your environment rewards the quick demo over the audited pathway

1783
01:14:24,240 --> 01:14:29,280
you'll get acceleration with erosion by design if you wire these mechanics early you can keep the

1784
01:14:29,280 --> 01:14:34,640
power of mcp and co-pilot while containing the blast radius and preserving causality if you don't

1785
01:14:34,640 --> 01:14:38,480
you'll be the person in the room explaining why everything was technically within scope while the

1786
01:14:38,480 --> 01:14:45,600
meaning of your controls quietly dissolved reliability and evaluation patterns most teams ask is it

1787
01:14:45,600 --> 01:14:52,240
accurate and stop there reliability for agentex systems isn't a single metric it's a portfolio evaluate

1788
01:14:52,240 --> 01:14:57,120
like an s re with a regulator looking over your shoulder the categories are consistent accuracy

1789
01:14:57,120 --> 01:15:01,920
and groundedness reliability under stress safety and compliance and ROI tied to a real business

1790
01:15:01,920 --> 01:15:07,440
denominator if you can't score each with artifacts you retain your grading vibes start with accuracy

1791
01:15:07,440 --> 01:15:13,040
and groundedness the simple version is does the output match a gold label the grown-up version is

1792
01:15:13,040 --> 01:15:17,440
does the recommendation trace back to authorize sources and reproduce within a tolerance band

1793
01:15:17,440 --> 01:15:22,400
build a seated corpus of specimens per domain 10 to 20 invoice credit procurement and service

1794
01:15:22,400 --> 01:15:27,760
cases with frozen inputs and expected outcomes for each define acceptable variance bands identical

1795
01:15:27,760 --> 01:15:33,440
may be impossible same decision class with rational referencing these fields is realistic require

1796
01:15:33,440 --> 01:15:39,280
source citations to point to actual tables and fields not just a general based on account history

1797
01:15:39,280 --> 01:15:44,640
if an answer can't show its grounding it isn't accurate in a way you can defend reliability is not

1798
01:15:44,640 --> 01:15:49,760
best effort sunshine it's how the system behaves when the world is noisy test retries and backoffs

1799
01:15:49,760 --> 01:15:54,320
by injecting latency and timeouts into downstream connectors does evidence order change do

1800
01:15:54,320 --> 01:16:00,400
recommendations flip more often than your policy tolerates at input fuzzing missing fields malformed

1801
01:16:00,400 --> 01:16:06,320
attachments OCR noise to ensure posture alliance with policy low confidence should increase scrutiny

1802
01:16:06,320 --> 01:16:12,640
not lenience measure tail behavior mean time between assist unavailable mean time to recovery and

1803
01:16:12,640 --> 01:16:17,920
percentage of actions aborted versus escalated when guardrail strip these are SLOs for the plan

1804
01:16:17,920 --> 01:16:23,040
are not just the API safety and compliance are not a separate spreadsheet they are visible behaviors

1805
01:16:23,040 --> 01:16:28,720
at the orchestration edge build red team scenarios for synthesis dlp combine benign attributes into

1806
01:16:28,720 --> 01:16:33,120
sensitive outputs and see if your gates catch them at egress probe s o d by attempting observe

1807
01:16:33,120 --> 01:16:38,640
recommend execute with one identity and confirms step up fires try privilege creep by modifying

1808
01:16:38,640 --> 01:16:44,240
tool maps and connector scopes your evaluation harness should detect new capabilities before production

1809
01:16:44,240 --> 01:16:49,360
does test c a at action time by changing device or risk posture mid plan and confirm sensitive

1810
01:16:49,360 --> 01:16:54,720
invocations block these tests are your canaries run them weekly groundedness needs its own harness

1811
01:16:54,720 --> 01:16:58,880
retrieval isn't free of failure modes evaluate hallucination rates not as percentage of false

1812
01:16:58,880 --> 01:17:04,720
sentences but as percentage of recommendations with unverifiable claims given the trace require

1813
01:17:04,720 --> 01:17:09,760
the agent to list the fields and records that drove the decision verify they exist in the snapshot

1814
01:17:09,760 --> 01:17:14,720
score unsupported assertions per hundred decisions and set a budget if your number drifts upward

1815
01:17:14,720 --> 01:17:20,000
pause changes at the compiler business value sits alongside reliability not in a different meeting

1816
01:17:20,000 --> 01:17:25,680
define ROI metrics that blend throughput with explainability and containment time to resolution time

1817
01:17:25,680 --> 01:17:31,680
to explain variance bands step up rates and rework cost per decision a shorter average handle time

1818
01:17:31,680 --> 01:17:37,360
with a three x increase in time to explain is a bad trade for regulated workflows track assist

1819
01:17:37,360 --> 01:17:42,480
acceptance rate with a counterpart assist rollback rate and assist driven incident rate if you can't

1820
01:17:42,480 --> 01:17:47,280
correlate behavior to orchestrator changes through a change log you're running an untestable system

1821
01:17:47,280 --> 01:17:52,240
no matter how good your medians look observability is the substrate you cannot evaluate what you do

1822
01:17:52,240 --> 01:17:57,760
not see instrument the orchestration dialogue model snapshot IDs prompt and tool map hashes inputs

1823
01:17:57,760 --> 01:18:03,120
ingested feature influences even of course tool sequence branches prune retries executed step-up

1824
01:18:03,120 --> 01:18:07,920
prompts shown and human acknowledgments emit a correlation ID that threads through dynamics

1825
01:18:07,920 --> 01:18:13,600
automate graph outlook and teams put this on a separate queryable plane before your first pilot

1826
01:18:13,600 --> 01:18:19,440
your evaluation harness should consume traces like logs not screenshots non-determinism isn't an excuse

1827
01:18:19,440 --> 01:18:25,120
it's a constraint you design around adopt tolerance based regression for your seated corpus

1828
01:18:25,120 --> 01:18:31,360
define decision class equivalents approve hold investigate narrative invariance fields that

1829
01:18:31,360 --> 01:18:37,040
must be cited and numerical tolerance bands for thresholds pin model and prompt snapshots for

1830
01:18:37,040 --> 01:18:42,640
regulated flows and only advance with a passing gate when you do advance run a b evaluation measure

1831
01:18:42,640 --> 01:18:47,440
shifts in acceptance step ups and concession letters across live traffic samples alert on polarity

1832
01:18:47,440 --> 01:18:52,960
shifts meaningful changes in recommend rates or refund amounts tied to orchestrator change log entries

1833
01:18:52,960 --> 01:18:57,680
finally package evaluation like an operator not a marketer maintain a living scorecard with four

1834
01:18:57,680 --> 01:19:03,680
sections reliability SLO's availability of assist escalation rate retry behavior accuracy and

1835
01:19:03,680 --> 01:19:09,040
groundedness decision class match rate unsupported assertion budget safety and compliance

1836
01:19:09,040 --> 01:19:15,440
S.O.D. violation attempts blocked synthesis DLP catches CA action time blocks and business impact

1837
01:19:15,440 --> 01:19:21,360
time to resolution time to explain incident mean time to contain tied deltas to explicit changes

1838
01:19:21,360 --> 01:19:27,040
in prompts tool maps model snapshots and connector scopes publish it monthly to control owners

1839
01:19:27,040 --> 01:19:31,280
if your evaluation runs only at launch you don't have reliability you have a demo the counter

1840
01:19:31,280 --> 01:19:36,080
intuitive part is simple you don't make probabilistic systems deterministic enough you make their

1841
01:19:36,080 --> 01:19:40,800
envelopes crisply testable then you pin what must not drift observe what will and gate the compiler

1842
01:19:40,800 --> 01:19:44,800
where meaning meets acceleration