Most organizations treat their Center of Excellence like a control tower built for a different era. Everything flows through approvals, reviews, and documentation. On paper, it looks like control. In reality, it’s friction. You promise the business agility. What they experience instead is waiting. After auditing ten different Power Platform CoEs across multiple industries, one thing became clear. The failure isn’t in the tools. It’s in the assumptions behind how we govern them. The idea that human oversight equals enterprise control simply doesn’t hold up anymore. It slows everything down while still allowing risk to slip through. When governance depends on people reviewing every solution, you don’t get safety. You get bottlenecks. And when those bottlenecks grow, the business finds ways around them. That’s when shadow IT starts to grow. In this episode, I break down the five patterns that consistently turn CoEs into progress-killing systems. These patterns show up everywhere, regardless of company size or industry. Once you see them, you can’t unsee them.
WHAT’S REALLY GOING WRONG
At the core, most CoEs are trying to control a high-speed platform with slow, manual processes.
- Governance lives in documents instead of the platform
- Approval boards review low-risk solutions that should never need review
- Environments exist in name only, without real isolation
- Critical automations have no clear ownership
- Success is measured by activity, not actual business impact
WHAT NEEDS TO CHANGE
The shift isn’t about adding more rules or more reviewers. It’s about changing how governance works at a fundamental level. Instead of relying on people to enforce standards, those standards need to be built directly into the platform. The system should guide behavior automatically, blocking risky actions and allowing safe ones without delay. This changes everything. Low-risk solutions can move instantly. High-risk scenarios still get the attention they need. And most importantly, governance becomes consistent. It no longer depends on who is reviewing something or how tired they are that day.
THE FIVE PATTERNS YOU’LL RECOGNIZE
Throughout the episode, we walk through the patterns that show up in almost every failed CoE. You’ll hear how documentation-based governance creates a false sense of control, why approval boards actually increase risk, and how environment sprawl turns tenants into unmanaged chaos. We also look at the hidden danger of orphaned automations and why most reporting dashboards completely miss the point. Each of these issues on its own is manageable. Together, they create a system that simply cannot scale.
THE PIVOT
The future CoE isn’t a committee. It’s a control plane. That means governance is always on. Decisions happen in real time. The platform enforces the rules automatically, and humans focus only on the scenarios that truly require judgment. This approach doesn’t just improve efficiency. It changes how the business experiences IT. Instead of being seen as a blocker, the CoE becomes an enabler. A system that makes the right path the easiest one to follow.
FINAL THOUGHT
The organizations I audited weren’t failing because they lacked control. They were failing because they applied control too late, in the wrong place, and in the wrong way. If your model still depends on manual approvals for everyday solutions, you’re not governing the platform. You’re slowing it down and hoping nothing breaks. It’s time to move away from the velvet rope. And start building the paved road.
1
00:00:00,000 --> 00:00:02,160
Most organizations treat the center of excellence
2
00:00:02,160 --> 00:00:04,320
like a nightclub with a manual guest list.
3
00:00:04,320 --> 00:00:05,760
You promised the business agility,
4
00:00:05,760 --> 00:00:08,480
but you delivered a six month backlog of manual reviews.
5
00:00:08,480 --> 00:00:11,320
I've audited 10 different COEs across 10 different industries,
6
00:00:11,320 --> 00:00:13,000
and the failure isn't the technology.
7
00:00:13,000 --> 00:00:15,240
The failure is the assumption that human oversight
8
00:00:15,240 --> 00:00:16,680
equals enterprise control.
9
00:00:16,680 --> 00:00:18,480
We are going to dismantle the five patterns
10
00:00:18,480 --> 00:00:21,480
that turn your COE into a progress-killing bottleneck.
11
00:00:21,480 --> 00:00:24,720
If a human has to click "Approved" for a standard productivity app,
12
00:00:24,720 --> 00:00:26,640
your digital transformation is already dead.
13
00:00:26,640 --> 00:00:28,040
You navigate, you search.
14
00:00:28,040 --> 00:00:29,880
You wait for a signature that never comes.
15
00:00:29,880 --> 00:00:32,040
The model is broken because it relies on people
16
00:00:32,040 --> 00:00:33,600
to do what code does better.
17
00:00:33,600 --> 00:00:36,240
We build hierarchies for a world that no longer exists.
18
00:00:36,240 --> 00:00:37,360
Now, we need context.
19
00:00:37,360 --> 00:00:38,960
We need to stop acting like gatekeepers
20
00:00:38,960 --> 00:00:42,080
and start acting like architects of a system that governs itself.
21
00:00:42,080 --> 00:00:44,440
Governance as documentation, not enforcement.
22
00:00:44,440 --> 00:00:46,760
I've seen beautiful 50-page PDFs
23
00:00:46,760 --> 00:00:49,640
that explain exactly how data should move across the platform.
24
00:00:49,640 --> 00:00:51,360
They are full of charts, color diagrams,
25
00:00:51,360 --> 00:00:53,960
and clear instructions for every maker in the company.
26
00:00:53,960 --> 00:00:56,360
But in reality, these documents are invisible
27
00:00:56,360 --> 00:00:58,240
to the platform's runtime behavior.
28
00:00:58,240 --> 00:01:01,200
They sit on a SharePoint site gathering digital dust.
29
00:01:01,200 --> 00:01:03,720
Across all 10 audits I performed, policies
30
00:01:03,720 --> 00:01:05,280
existed in the documentation,
31
00:01:05,280 --> 00:01:08,320
but flows violated them in production every single day.
32
00:01:08,320 --> 00:01:10,760
We are industrializing a hope-based security model
33
00:01:10,760 --> 00:01:12,280
where we hope makers read the manual.
34
00:01:12,280 --> 00:01:13,760
It is a dangerous assumption.
35
00:01:13,760 --> 00:01:16,360
Because today, work doesn't start with reading a manual.
36
00:01:16,360 --> 00:01:18,920
It starts with a problem that needs a fast solution.
37
00:01:18,920 --> 00:01:21,080
Your internet wasn't designed for how people work today.
38
00:01:21,080 --> 00:01:24,640
It was designed for structure, pages, navigation, hierarchies.
39
00:01:24,640 --> 00:01:26,760
And the assumption that people know what they're looking for,
40
00:01:26,760 --> 00:01:28,040
that assumption is broken.
41
00:01:28,040 --> 00:01:29,640
Real governance isn't a suggestion.
42
00:01:29,640 --> 00:01:32,840
It's a non-bypassable boundary embedded in the environment.
43
00:01:32,840 --> 00:01:34,880
When policy is disconnected from the platform,
44
00:01:34,880 --> 00:01:35,840
you don't have control.
45
00:01:35,840 --> 00:01:37,760
You have a paper trail for when things go wrong.
46
00:01:37,760 --> 00:01:39,040
It's the old model.
47
00:01:39,040 --> 00:01:42,000
You publish the content and then nobody uses it.
48
00:01:42,000 --> 00:01:44,640
What typically happens is that a maker builds a flow
49
00:01:44,640 --> 00:01:46,560
that connects a sensitive SQL database
50
00:01:46,560 --> 00:01:47,960
to an external Gmail account.
51
00:01:47,960 --> 00:01:49,720
They didn't read page 34 of the PDF.
52
00:01:49,720 --> 00:01:52,000
The platform allowed it because the COE hadn't
53
00:01:52,000 --> 00:01:54,040
configured the data loss prevention policies
54
00:01:54,040 --> 00:01:55,160
to match the document.
55
00:01:55,160 --> 00:01:56,360
The flaw isn't the content.
56
00:01:56,360 --> 00:01:59,000
It's the assumption that people have time to go looking for it.
57
00:01:59,000 --> 00:01:59,760
That's where it breaks.
58
00:01:59,760 --> 00:02:02,240
I found one organization that spent $80,000
59
00:02:02,240 --> 00:02:03,880
on a governance consulting project.
60
00:02:03,880 --> 00:02:06,240
They got a massive document that was technically perfect.
61
00:02:06,240 --> 00:02:08,400
Six months later, I ran a scan of their tenant.
62
00:02:08,400 --> 00:02:11,440
We found 300 flows using unauthorized connectors.
63
00:02:11,440 --> 00:02:14,280
The documentation said no, but the platform said yes.
64
00:02:14,280 --> 00:02:15,880
So the makers did what was easiest.
65
00:02:15,880 --> 00:02:18,120
They built, they shipped, and they created
66
00:02:18,120 --> 00:02:19,640
a massive security hole.
67
00:02:19,640 --> 00:02:21,560
This is the velvet rope trap in action.
68
00:02:21,560 --> 00:02:23,680
You think you're in control because you have a rule book,
69
00:02:23,680 --> 00:02:25,480
but the door is wide open, and nobody
70
00:02:25,480 --> 00:02:26,960
is watching the back entrance.
71
00:02:26,960 --> 00:02:29,240
The shift we need is moving from PowerPoint governance
72
00:02:29,240 --> 00:02:31,040
to policy as code.
73
00:02:31,040 --> 00:02:32,840
This means the rules aren't in a file.
74
00:02:32,840 --> 00:02:34,520
They are in the runtime.
75
00:02:34,520 --> 00:02:36,640
If a maker tries to connect two data sources
76
00:02:36,640 --> 00:02:38,160
that shouldn't talk to each other,
77
00:02:38,160 --> 00:02:40,920
the platform blocks it instantly, not because a human caught it,
78
00:02:40,920 --> 00:02:43,480
but because the system is incapable of allowing it.
79
00:02:43,480 --> 00:02:44,640
This is how you scale.
80
00:02:44,640 --> 00:02:46,480
You stop being the person who says no,
81
00:02:46,480 --> 00:02:48,680
and start being the person who builds the guardrails.
82
00:02:48,680 --> 00:02:49,600
You're in a meeting.
83
00:02:49,600 --> 00:02:50,880
You need an answer.
84
00:02:50,880 --> 00:02:53,120
You shouldn't have to check a PDF to see if your automation
85
00:02:53,120 --> 00:02:53,760
is allowed.
86
00:02:53,760 --> 00:02:55,080
The system should tell you.
87
00:02:55,080 --> 00:02:57,960
And one level deeper, this shift changes the culture.
88
00:02:57,960 --> 00:02:59,840
When governance is enforced by code,
89
00:02:59,840 --> 00:03:01,880
makers stop seeing IT as a hurdle.
90
00:03:01,880 --> 00:03:04,680
They see the platform as a safe space to experiment.
91
00:03:04,680 --> 00:03:07,000
They know that if they do something truly risky,
92
00:03:07,000 --> 00:03:09,760
the system will catch it before it causes damage.
93
00:03:09,760 --> 00:03:11,560
It removes the fear of breaking things.
94
00:03:11,560 --> 00:03:14,640
In most organizations, the COE is a no department.
95
00:03:14,640 --> 00:03:16,520
It's where ideas go to die in a committee.
96
00:03:16,520 --> 00:03:18,320
But when you move to policy as code,
97
00:03:18,320 --> 00:03:20,440
you become a safe to scale department.
98
00:03:20,440 --> 00:03:21,720
You provide the paved road.
99
00:03:21,720 --> 00:03:22,720
You provide the context.
100
00:03:22,720 --> 00:03:25,560
You ensure the right thing is the easiest thing to do.
101
00:03:25,560 --> 00:03:28,280
That is the only way to survive the 2026 landscape
102
00:03:28,280 --> 00:03:30,400
of agentic AI and mass automation.
103
00:03:30,400 --> 00:03:31,600
Stop writing manuals.
104
00:03:31,600 --> 00:03:33,680
Start writing policies that actually run.
105
00:03:33,680 --> 00:03:35,280
If you want to enable the business,
106
00:03:35,280 --> 00:03:37,160
you have to stop relying on their memory
107
00:03:37,160 --> 00:03:38,960
and start relying on your architecture.
108
00:03:38,960 --> 00:03:41,960
Governance is enforcement or it is nothing.
109
00:03:41,960 --> 00:03:43,560
The manual review bottleneck.
110
00:03:43,560 --> 00:03:46,480
Pattern 2 is what I call the approval board trap.
111
00:03:46,480 --> 00:03:49,320
It is a room full of high-cost architects spending four hours
112
00:03:49,320 --> 00:03:51,360
every Tuesday reviewing simple flows.
113
00:03:51,360 --> 00:03:53,400
They sit there looking at Power Automate logic
114
00:03:53,400 --> 00:03:55,600
that sends an email when a file is uploaded.
115
00:03:55,600 --> 00:03:57,880
It is a massive waste of intellectual capital.
116
00:03:57,880 --> 00:04:01,320
This is the primary reason deployment cycle times are exploding
117
00:04:01,320 --> 00:04:03,520
while business value remains stagnant.
118
00:04:03,520 --> 00:04:05,600
You've created a system where the cost of the review
119
00:04:05,600 --> 00:04:08,080
often exceeds the value of the automation being built.
120
00:04:08,080 --> 00:04:09,960
In my audits, I found backlogs measured in weeks
121
00:04:09,960 --> 00:04:12,040
for solutions that took four hours to build.
122
00:04:12,040 --> 00:04:12,880
Think about that.
123
00:04:12,880 --> 00:04:14,560
The business identifies a problem on Monday.
124
00:04:14,560 --> 00:04:16,320
The maker solves it by Monday afternoon.
125
00:04:16,320 --> 00:04:18,080
But the solution doesn't reach production
126
00:04:18,080 --> 00:04:20,040
until the third week of the next month.
127
00:04:20,040 --> 00:04:22,560
Why? Because the COE committee hasn't met yet.
128
00:04:22,560 --> 00:04:24,520
This friction doesn't stop bad apps.
129
00:04:24,520 --> 00:04:27,000
It just stops people from telling I.T. they're building them.
130
00:04:27,000 --> 00:04:29,040
When the official path is a three week wait,
131
00:04:29,040 --> 00:04:30,520
the business goes underground.
132
00:04:30,520 --> 00:04:31,640
They use personal accounts.
133
00:04:31,640 --> 00:04:32,880
They find workarounds.
134
00:04:32,880 --> 00:04:34,240
They build in the shadows.
135
00:04:34,240 --> 00:04:36,440
You think you're maintaining control with your board,
136
00:04:36,440 --> 00:04:38,000
but you're actually driving risk
137
00:04:38,000 --> 00:04:40,000
into the dark corners of the organization.
138
00:04:40,000 --> 00:04:42,160
The model assumes that a human eye is the only thing
139
00:04:42,160 --> 00:04:43,320
that can detect risk.
140
00:04:43,320 --> 00:04:44,480
That is a flawed assumption.
141
00:04:44,480 --> 00:04:47,320
We need to replace the human in the loop for standard cases
142
00:04:47,320 --> 00:04:50,000
with automated logic that evaluates risk in real time.
143
00:04:50,000 --> 00:04:51,560
We need to stop treating every flow
144
00:04:51,560 --> 00:04:54,160
like it's a mission-critical ERP migration.
145
00:04:54,160 --> 00:04:55,680
If the app stays within a green zone
146
00:04:55,680 --> 00:04:58,440
of pre-approved connectors and standard data sources,
147
00:04:58,440 --> 00:05:00,040
the deployment should be instantaneous.
148
00:05:00,040 --> 00:05:01,480
It's about tiered governance.
149
00:05:01,480 --> 00:05:03,920
If a maker uses the Office 365 Users connector
150
00:05:03,920 --> 00:05:06,440
and a standard SharePoint list, why are we reviewing it?
151
00:05:06,440 --> 00:05:07,360
The risk is known.
152
00:05:07,360 --> 00:05:09,880
The boundaries are already set by your DLP policies.
153
00:05:09,880 --> 00:05:12,800
By forcing these low-risk solutions to a manual board,
154
00:05:12,800 --> 00:05:15,760
you are suffocating the very agility you promise the business.
155
00:05:15,760 --> 00:05:17,680
I saw one audit where 80% of the backlog
156
00:05:17,680 --> 00:05:19,760
consisted of simple notification flows.
157
00:05:19,760 --> 00:05:20,840
The architects were bored.
158
00:05:20,840 --> 00:05:21,960
The makers were frustrated.
159
00:05:21,960 --> 00:05:23,280
The business was losing money.
160
00:05:23,280 --> 00:05:24,960
What typically happens is that the COE
161
00:05:24,960 --> 00:05:26,400
becomes a bottleneck because it tries
162
00:05:26,400 --> 00:05:28,000
to be a gatekeeper for everything,
163
00:05:28,000 --> 00:05:29,560
but a gatekeeper who can't keep up
164
00:05:29,560 --> 00:05:31,760
with the volume eventually just becomes a wall.
165
00:05:31,760 --> 00:05:34,520
The shift here is moving toward automated triage.
166
00:05:34,520 --> 00:05:36,000
You define the rules of the road.
167
00:05:36,000 --> 00:05:39,000
You build a system that scans the solution as it's submitted.
168
00:05:39,000 --> 00:05:41,720
If it passes the automated checks, it goes live immediately.
169
00:05:41,720 --> 00:05:43,280
No ticket, no meeting, no signature.
170
00:05:43,280 --> 00:05:45,360
This is how you handle the scale of 2026.
171
00:05:45,360 --> 00:05:48,120
You automate the boring stuff so your architects
172
00:05:48,120 --> 00:05:50,720
can focus on the 10% of high-risk logic
173
00:05:50,720 --> 00:05:52,760
that actually requires a human brain.
174
00:05:52,760 --> 00:05:53,680
You're in a race.
175
00:05:53,680 --> 00:05:55,960
The business needs to move at the speed of the market.
176
00:05:55,960 --> 00:05:58,480
If your governance model is built on a weekly meeting cadence,
177
00:05:58,480 --> 00:06:00,160
you've already lost the race.
178
00:06:00,160 --> 00:06:01,480
The assumption that human oversight
179
00:06:01,480 --> 00:06:04,040
equals enterprise control is a relic of a slower era.
180
00:06:04,040 --> 00:06:05,160
Control isn't a meeting.
181
00:06:05,160 --> 00:06:07,280
Control is a system that enforces your standards
182
00:06:07,280 --> 00:06:08,640
without needing a reminder.
183
00:06:08,640 --> 00:06:11,320
In one audit, we implemented an automated review tool
184
00:06:11,320 --> 00:06:14,040
that reduced the backlog by 90% in two weeks.
185
00:06:14,040 --> 00:06:16,920
The architects finally had time to work on the complex integrations
186
00:06:16,920 --> 00:06:18,040
that actually mattered.
187
00:06:18,040 --> 00:06:20,440
The makers were happy because their tools worked instantly.
188
00:06:20,440 --> 00:06:21,720
The risk didn't go up.
189
00:06:21,720 --> 00:06:24,480
It went down because the automated scanner was more consistent
190
00:06:24,480 --> 00:06:26,720
than a tired architect on a Tuesday afternoon.
191
00:06:26,720 --> 00:06:27,920
Stop being a gatekeeper.
192
00:06:27,920 --> 00:06:29,520
Start being a platform engineer.
193
00:06:29,520 --> 00:06:31,320
Your job isn't to look at every flow.
194
00:06:31,320 --> 00:06:33,800
Your job is to build the system that looks for you.
195
00:06:33,800 --> 00:06:36,640
That is the only way to scale without breaking.
196
00:06:36,640 --> 00:06:39,000
Environment sprawl and the dev in prod myth.
197
00:06:39,000 --> 00:06:42,440
Almost every COE I audited had dev, test,
198
00:06:42,440 --> 00:06:45,280
and prod environments that were identical in configuration
199
00:06:45,280 --> 00:06:46,160
and access.
200
00:06:46,160 --> 00:06:49,600
They existed as labels, not as functional security boundaries.
201
00:06:49,600 --> 00:06:51,320
This is a massive structural failure.
202
00:06:51,320 --> 00:06:53,880
We've built a house where every room has the same key
203
00:06:53,880 --> 00:06:55,480
and we're surprised when a fire in the kitchen
204
00:06:55,480 --> 00:06:56,680
spreads to the bedroom.
205
00:06:56,680 --> 00:06:58,680
There is a dangerous trend of developers building
206
00:06:58,680 --> 00:07:00,240
directly in the default environment
207
00:07:00,240 --> 00:07:02,240
because the official path is too slow.
208
00:07:02,240 --> 00:07:03,880
It's the path of least resistance.
209
00:07:03,880 --> 00:07:06,040
But that path leads to a digital junk drawer
210
00:07:06,040 --> 00:07:07,720
of half-finished experiments.
211
00:07:07,720 --> 00:07:09,400
In my audits, production incidents
212
00:07:09,400 --> 00:07:11,480
were frequently traced back to dev builds
213
00:07:11,480 --> 00:07:13,520
that were never meant to handle enterprise data.
214
00:07:13,520 --> 00:07:15,600
Someone builds a test flow to move files.
215
00:07:15,600 --> 00:07:16,800
They use their own credentials.
216
00:07:16,800 --> 00:07:17,600
They forget about it.
217
00:07:17,600 --> 00:07:19,600
Six months later, that flow is still running,
218
00:07:19,600 --> 00:07:21,360
processing sensitive customer information
219
00:07:21,360 --> 00:07:22,600
without any oversight.
220
00:07:22,600 --> 00:07:24,800
The architecture is failing because we treat environments
221
00:07:24,800 --> 00:07:27,720
as folders rather than isolated security boundaries.
222
00:07:27,720 --> 00:07:29,760
We think that by naming something production,
223
00:07:29,760 --> 00:07:30,920
we've made it safe.
224
00:07:30,920 --> 00:07:32,800
But if the data loss prevention policies
225
00:07:32,800 --> 00:07:35,120
are the same across the board, the name is meaningless.
226
00:07:35,120 --> 00:07:38,240
Without a routing strategy, your tenant is just chaos.
227
00:07:38,240 --> 00:07:40,160
You have makers building mission critical tools
228
00:07:40,160 --> 00:07:41,960
in personal productivity spaces.
229
00:07:41,960 --> 00:07:44,800
You have professional developers bypassing the COE entirely
230
00:07:44,800 --> 00:07:47,080
because they can't wait for a sandbox to be provisioned.
231
00:07:47,080 --> 00:07:48,640
This is the Dev and prod myth.
232
00:07:48,640 --> 00:07:50,240
We tell ourselves that we are agile
233
00:07:50,240 --> 00:07:52,400
because we let people build wherever they want.
234
00:07:52,400 --> 00:07:56,200
In reality, we are just accumulating risk that we can't see.
235
00:07:56,200 --> 00:07:58,280
One audit revealed a major retail company
236
00:07:58,280 --> 00:08:00,280
where 40% of their production apps
237
00:08:00,280 --> 00:08:03,240
were actually hosted in an environment marked sandbox.
238
00:08:03,240 --> 00:08:05,480
Why? Because the sandbox had fewer restrictions.
239
00:08:05,480 --> 00:08:06,680
The makers were smart.
240
00:08:06,680 --> 00:08:09,360
They realized that if they wanted to use a specific connector
241
00:08:09,360 --> 00:08:11,080
that was blocked in prod, they could just
242
00:08:11,080 --> 00:08:13,080
build it in the sandbox and share it from there.
243
00:08:13,080 --> 00:08:14,880
The COE had no visibility into this.
244
00:08:14,880 --> 00:08:16,680
They were looking at the front door while the business
245
00:08:16,680 --> 00:08:19,000
was moving the furniture out through the side window.
246
00:08:19,000 --> 00:08:20,720
This isn't just a technical problem.
247
00:08:20,720 --> 00:08:22,040
It's a failure of intent.
248
00:08:22,040 --> 00:08:23,920
We need to automate environment provisioning
249
00:08:23,920 --> 00:08:27,120
so that every project starts in a governed space by default.
250
00:08:27,120 --> 00:08:28,320
The goal is isolation.
251
00:08:28,320 --> 00:08:30,360
We need to ensure a mistake in a sandbox
252
00:08:30,360 --> 00:08:32,680
can't escalate into a tenant-wide data breach.
253
00:08:32,680 --> 00:08:34,920
This requires a fundamental shift in how we think
254
00:08:34,920 --> 00:08:36,360
about the platform.
255
00:08:36,360 --> 00:08:38,120
We need to move away from the one big tenant model
256
00:08:38,120 --> 00:08:39,720
and toward a zoned model.
257
00:08:39,720 --> 00:08:42,520
You have a personal productivity zone for low-risk tasks.
258
00:08:42,520 --> 00:08:44,840
You have an innovation zone for experimentation
259
00:08:44,840 --> 00:08:46,200
with temporary life cycles.
260
00:08:46,200 --> 00:08:48,720
And you have an enterprise zone for mission-critical apps
261
00:08:48,720 --> 00:08:51,160
with full ALM and automated guardrails.
262
00:08:51,160 --> 00:08:53,600
This isn't about adding more layers of bureaucracy.
263
00:08:53,600 --> 00:08:55,720
It's about using environment-routing logic
264
00:08:55,720 --> 00:08:57,200
to place the maker in the right bucket
265
00:08:57,200 --> 00:08:59,080
the moment they click create.
266
00:08:59,080 --> 00:09:00,880
What typically happens is that IT tries
267
00:09:00,880 --> 00:09:02,480
to manage environments manually.
268
00:09:02,480 --> 00:09:04,880
A maker fills out a form, a ticket is created.
269
00:09:04,880 --> 00:09:07,280
An admin eventually creates the environment.
270
00:09:07,280 --> 00:09:09,400
By the time that happens, the maker has already
271
00:09:09,400 --> 00:09:11,360
built the app in the default environment.
272
00:09:11,360 --> 00:09:12,720
The horse has bolted.
273
00:09:12,720 --> 00:09:16,440
The shift in 2026 is toward just-in-time environments.
274
00:09:16,440 --> 00:09:18,200
You use the Power Platform API
275
00:09:18,200 --> 00:09:20,200
to spin up a governed sandbox automatically
276
00:09:20,200 --> 00:09:22,120
based on the maker's project profile.
277
00:09:22,120 --> 00:09:24,280
You apply the correct DLP policies instantly.
278
00:09:24,280 --> 00:09:25,720
You set an expiration date.
279
00:09:25,720 --> 00:09:27,320
This removes the incentive to cheat.
280
00:09:27,320 --> 00:09:29,080
If getting a governed environment is faster
281
00:09:29,080 --> 00:09:30,640
than building in the default space,
282
00:09:30,640 --> 00:09:32,360
people will choose the governed space.
283
00:09:32,360 --> 00:09:34,160
You stop fighting human nature and start
284
00:09:34,160 --> 00:09:35,880
using it to drive compliance.
285
00:09:35,880 --> 00:09:37,160
If you don't control the map,
286
00:09:37,160 --> 00:09:38,480
you don't control the journey.
287
00:09:38,480 --> 00:09:41,040
Stop letting your tenant become a digital wasteland
288
00:09:41,040 --> 00:09:42,480
of orphaned experiments.
289
00:09:42,480 --> 00:09:44,560
Build the zones, automate the routing,
290
00:09:44,560 --> 00:09:47,640
and treat every environment as a specific security contract.
291
00:09:47,640 --> 00:09:49,680
That is how you stop the sprawl.
292
00:09:49,680 --> 00:09:51,760
The orphaned problem in ownership decay.
293
00:09:51,760 --> 00:09:53,720
I found hundreds of critical business flows
294
00:09:53,720 --> 00:09:55,680
in these audits that were tied to accounts of employees
295
00:09:55,680 --> 00:09:57,200
who left the company months ago.
296
00:09:57,200 --> 00:09:58,680
This is the orphaned problem.
297
00:09:58,680 --> 00:10:00,960
It represents automations that run the business
298
00:10:00,960 --> 00:10:03,640
but have no listed owner and no failover plan.
299
00:10:03,640 --> 00:10:05,680
When an orphaned flow breaks, the business stops.
300
00:10:05,680 --> 00:10:08,720
IT then spends days playing detective to find the original maker.
301
00:10:08,720 --> 00:10:11,880
The structural flaw here is that most COEs measure the build
302
00:10:11,880 --> 00:10:14,280
but completely ignore the life cycle.
303
00:10:14,280 --> 00:10:15,880
They celebrate the birth of an app
304
00:10:15,880 --> 00:10:17,360
but never plan for its retirement
305
00:10:17,360 --> 00:10:19,160
or its transition when a team changes.
306
00:10:19,160 --> 00:10:21,040
You've essentially built a digital workforce
307
00:10:21,040 --> 00:10:24,400
where half the employees have no manager and no HR record.
308
00:10:24,400 --> 00:10:25,920
It's a liability waiting to explode.
309
00:10:25,920 --> 00:10:28,440
In one specific audit for a global logistics firm,
310
00:10:28,440 --> 00:10:29,960
we discovered a flow responsible
311
00:10:29,960 --> 00:10:31,960
for processing customs clearance data.
312
00:10:31,960 --> 00:10:34,280
It was processing thousands of records an hour.
313
00:10:34,280 --> 00:10:36,360
The problem? The person who built it had been gone
314
00:10:36,360 --> 00:10:38,080
for three fiscal quarters.
315
00:10:38,080 --> 00:10:39,880
The day the flow's connection expired,
316
00:10:39,880 --> 00:10:41,760
the entire shipping line stalled.
317
00:10:41,760 --> 00:10:43,960
Nobody knew who owned it, nobody had the documentation.
318
00:10:43,960 --> 00:10:46,360
The COE was flying blind because they treated the platform
319
00:10:46,360 --> 00:10:47,400
as a collection of tools
320
00:10:47,400 --> 00:10:49,840
rather than a collection of managed identities.
321
00:10:49,840 --> 00:10:52,680
This is what happens when you prioritize creation over continuity.
322
00:10:52,680 --> 00:10:54,000
You accumulate technical debt
323
00:10:54,000 --> 00:10:56,600
that eventually bankrupts your operational stability.
324
00:10:56,600 --> 00:10:58,760
We must implement automated ownership validation.
325
00:10:58,760 --> 00:11:00,760
If a flow doesn't have a valid business owner,
326
00:11:00,760 --> 00:11:02,200
it shouldn't be running.
327
00:11:02,200 --> 00:11:03,680
This isn't a suggestion.
328
00:11:03,680 --> 00:11:06,440
It's a requirement for enterprise-grade operations.
329
00:11:06,440 --> 00:11:09,560
Using Microsoft Entra ID to tie agent and flow identities
330
00:11:09,560 --> 00:11:12,560
to active organizational roles is the only way forward.
331
00:11:12,560 --> 00:11:14,560
You need a system that checks the employment status
332
00:11:14,560 --> 00:11:16,440
of every maker every single week.
333
00:11:16,440 --> 00:11:18,560
If the system detects that an owner has left
334
00:11:18,560 --> 00:11:19,920
or changed departments,
335
00:11:19,920 --> 00:11:21,640
it should trigger an automated request
336
00:11:21,640 --> 00:11:23,440
for ownership to the department head.
337
00:11:23,440 --> 00:11:25,720
If no owner is assigned within 48 hours,
338
00:11:25,720 --> 00:11:26,960
the flow is quarantined.
339
00:11:26,960 --> 00:11:28,520
That sounds harsh, but it's the only way
340
00:11:28,520 --> 00:11:30,480
to prevent your tenant from becoming a graveyard
341
00:11:30,480 --> 00:11:31,520
of broken logic.
342
00:11:31,520 --> 00:11:33,880
A COE that doesn't manage the exit strategy for an app
343
00:11:33,880 --> 00:11:35,560
is just accumulating risk.
344
00:11:35,560 --> 00:11:37,640
You need to treat these low-code assets
345
00:11:37,640 --> 00:11:41,200
with the same rigor you apply to your pro-code repositories.
346
00:11:41,200 --> 00:11:43,320
That means every asset must be mapped to a cost center
347
00:11:43,320 --> 00:11:45,520
and a human who is accountable for its behavior.
348
00:11:45,520 --> 00:11:48,280
What typically happens is that organizations assume
349
00:11:48,280 --> 00:11:50,840
the platform will just take care of it.
350
00:11:50,840 --> 00:11:53,480
But the platform only does what you architect it to do.
351
00:11:53,480 --> 00:11:55,720
If you don't have a heartbeat check on your owners,
352
00:11:55,720 --> 00:11:57,280
you don't have a governed environment,
353
00:11:57,280 --> 00:11:58,560
you have a ticking time bomb.
354
00:11:58,560 --> 00:12:02,120
The shift in 2026 is moving toward identity-first governance.
355
00:12:02,120 --> 00:12:03,960
Every flow is a service principal.
356
00:12:03,960 --> 00:12:05,760
Every board is a governed identity.
357
00:12:05,760 --> 00:12:08,000
By anchoring your COE in Entra ID,
358
00:12:08,000 --> 00:12:10,800
you ensure that ownership is dynamic, not static.
359
00:12:10,800 --> 00:12:13,000
You move away from a world of who built this
360
00:12:13,000 --> 00:12:16,840
and into a world of who is responsible for this right now.
361
00:12:16,840 --> 00:12:19,240
That distinction is what separates a hobbyist setup
362
00:12:19,240 --> 00:12:21,000
from a professional enterprise architecture.
363
00:12:21,000 --> 00:12:22,880
Stop letting your makers build in a vacuum.
364
00:12:22,880 --> 00:12:25,480
Force the ownership metadata at the point of creation
365
00:12:25,480 --> 00:12:27,840
and validate it throughout the entire life cycle.
366
00:12:27,840 --> 00:12:30,880
If the business value is high enough to build, it's high enough to own.
367
00:12:30,880 --> 00:12:33,000
If nobody wants to own it, it shouldn't exist
368
00:12:33,000 --> 00:12:35,120
in your production environment, period.
369
00:12:35,120 --> 00:12:37,920
Your job as an architect is to ensure that when the people change,
370
00:12:37,920 --> 00:12:39,560
the processes remain stable.
371
00:12:39,560 --> 00:12:41,760
That only happens when you automate the handover
372
00:12:41,760 --> 00:12:44,280
before the person even leaves the building.
373
00:12:44,280 --> 00:12:46,600
Vanity metrics versus business impact.
374
00:12:46,600 --> 00:12:49,360
The most common slide in a COE monthly report is,
375
00:12:49,360 --> 00:12:51,760
number of makers onboarded.
376
00:12:51,760 --> 00:12:53,360
It's a number that looks great in a board meeting
377
00:12:53,360 --> 00:12:54,760
because it implies growth.
378
00:12:54,760 --> 00:12:57,880
It suggests that your digital transformation is gaining momentum.
379
00:12:57,880 --> 00:13:01,560
But in reality, this is a vanity metric that measures activity
380
00:13:01,560 --> 00:13:03,720
while ignoring the actual business outcome.
381
00:13:03,720 --> 00:13:05,680
I've seen tenants with 5,000 active flows
382
00:13:05,680 --> 00:13:08,320
where not a single one contributed to a measurable KPI
383
00:13:08,320 --> 00:13:09,760
like cycle time reduction.
384
00:13:09,760 --> 00:13:12,440
You are celebrating the chaos accelerator.
385
00:13:12,440 --> 00:13:13,920
You are scaling the volume of builds
386
00:13:13,920 --> 00:13:16,840
without measuring a single ounce of the value delivered.
387
00:13:16,840 --> 00:13:19,320
If your COE can't show a reduction in risk events
388
00:13:19,320 --> 00:13:22,360
or a clear improvement in ROI, it's a reporting function,
389
00:13:22,360 --> 00:13:23,840
not a center of excellence.
390
00:13:23,840 --> 00:13:26,160
We've fallen into the trap of counting licenses
391
00:13:26,160 --> 00:13:27,600
instead of counting results.
392
00:13:27,600 --> 00:13:28,840
You see it in every audit.
393
00:13:28,840 --> 00:13:31,520
The IT leadership is proud because they have 10,000 people
394
00:13:31,520 --> 00:13:32,960
with a Power Automate seat.
395
00:13:32,960 --> 00:13:36,080
But when you look deeper, you realize that 9,000 of those people
396
00:13:36,080 --> 00:13:38,200
are just sending themselves a daily weather report
397
00:13:38,200 --> 00:13:39,720
or a happy Friday GIF.
398
00:13:39,720 --> 00:13:41,680
That isn't transformation, that is just noise.
399
00:13:41,680 --> 00:13:42,760
And that noise has a cost.
400
00:13:42,760 --> 00:13:44,040
It costs licensing fees.
401
00:13:44,040 --> 00:13:45,360
It costs storage.
402
00:13:45,360 --> 00:13:47,720
It costs the attention of your security team
403
00:13:47,720 --> 00:13:49,520
who has to monitor all that traffic.
404
00:13:49,520 --> 00:13:52,040
We are measuring the wrong side of the equation.
405
00:13:52,040 --> 00:13:54,920
We are measuring the input and hoping the output just takes care
406
00:13:54,920 --> 00:13:55,440
of itself.
407
00:13:55,440 --> 00:13:58,040
The reason this happens is that activity is easy to track.
408
00:13:58,040 --> 00:13:59,200
Impact is hard.
409
00:13:59,200 --> 00:14:01,240
It requires you to understand the business process
410
00:14:01,240 --> 00:14:02,720
before you automate it.
411
00:14:02,720 --> 00:14:05,080
It requires you to ask how long did this take before
412
00:14:05,080 --> 00:14:06,840
and how long does it take now?
413
00:14:06,840 --> 00:14:10,240
Most COEs skip that step because they want to move fast.
414
00:14:10,240 --> 00:14:11,600
They want to show high adoption numbers
415
00:14:11,600 --> 00:14:13,000
to justify their budget.
416
00:14:13,000 --> 00:14:14,720
But high adoption of low-value tasks
417
00:14:14,720 --> 00:14:16,640
is a net loss for the enterprise.
418
00:14:16,640 --> 00:14:19,560
You're in a situation where the complexity of the environment
419
00:14:19,560 --> 00:14:20,920
is growing exponentially.
420
00:14:20,920 --> 00:14:23,280
But the efficiency of the business is staying flat.
421
00:14:23,280 --> 00:14:24,640
That is a structural failure.
422
00:14:24,640 --> 00:14:27,080
We need to pivot to impact metrics.
423
00:14:27,080 --> 00:14:28,600
This is where the conversation changes.
424
00:14:28,600 --> 00:14:31,080
Stop talking about how many people have the maker license.
425
00:14:31,080 --> 00:14:32,880
Start talking about how much manual work
426
00:14:32,880 --> 00:14:35,120
we actually removed from the system this quarter.
427
00:14:35,120 --> 00:14:38,800
Instead of total flows, track total manual hours saved.
428
00:14:38,800 --> 00:14:41,120
Instead of makers onboarded, track number
429
00:14:41,120 --> 00:14:43,440
of mission-critical processes fixed.
430
00:14:43,440 --> 00:14:46,400
This shift forces the COE to become a business partner
431
00:14:46,400 --> 00:14:48,200
rather than just a software provider.
432
00:14:48,200 --> 00:14:49,560
You start looking for the bottlenecks
433
00:14:49,560 --> 00:14:51,880
in the finance department or the supply chain
434
00:14:51,880 --> 00:14:53,800
and you target your enablement efforts there.
435
00:14:53,800 --> 00:14:56,960
You're no longer just throwing tools at a wall to see what sticks.
436
00:14:56,960 --> 00:14:59,680
In one audit, we found a company that had reduced its makers
437
00:14:59,680 --> 00:15:03,880
by 50% but increased its measurable ROI by 300%.
438
00:15:03,880 --> 00:15:05,680
They did this by shutting down the toy apps
439
00:15:05,680 --> 00:15:07,520
and focusing their best citizen developers
440
00:15:07,520 --> 00:15:10,080
on high-impact workflows like invoice reconciliation
441
00:15:10,080 --> 00:15:11,400
and contract approvals.
442
00:15:11,400 --> 00:15:13,000
They stopped measuring activity
443
00:15:13,000 --> 00:15:15,920
and started measuring the delta in their operational costs.
444
00:15:15,920 --> 00:15:18,800
The leadership didn't care that there were fewer people building.
445
00:15:18,800 --> 00:15:20,560
They cared that the people who were building
446
00:15:20,560 --> 00:15:22,040
were actually moving the needle.
447
00:15:22,040 --> 00:15:24,760
If you remember nothing else from this section, remember this.
448
00:15:24,760 --> 00:15:27,440
A thousand flows that do nothing are a liability.
449
00:15:27,440 --> 00:15:29,880
One flow that saves a thousand hours is an asset.
450
00:15:29,880 --> 00:15:31,920
Your metrics should reflect that reality.
451
00:15:31,920 --> 00:15:34,280
Stop counting the crowd and start counting the impact.
452
00:15:34,280 --> 00:15:36,760
If your COE is just a dashboard of rising bar charts
453
00:15:36,760 --> 00:15:38,520
with no connection to the bottom line,
454
00:15:38,520 --> 00:15:39,960
you aren't leading a transformation.
455
00:15:39,960 --> 00:15:42,840
You're just managing a very expensive hobbyist club.
456
00:15:42,840 --> 00:15:46,040
The shift to 2026 requires us to be more disciplined.
457
00:15:46,040 --> 00:15:48,720
We need to prove that every dollar spent on the platform
458
00:15:48,720 --> 00:15:50,760
is returning $5 in efficiency.
459
00:15:50,760 --> 00:15:52,520
That only happens when you stop measuring the who
460
00:15:52,520 --> 00:15:54,200
and start measuring the what.
461
00:15:54,200 --> 00:15:56,760
Focus on the processes we fundamentally changed.
462
00:15:56,760 --> 00:15:58,440
That is the only metric that matters.
463
00:15:58,440 --> 00:16:01,360
And the pivot from gatekeeper to control plane.
464
00:16:01,360 --> 00:16:03,440
The 2026 model for a center of excellence
465
00:16:03,440 --> 00:16:04,640
isn't a committee meeting.
466
00:16:04,640 --> 00:16:06,560
It is an automated control plane.
467
00:16:06,560 --> 00:16:09,120
We are moving toward a world where governance is always on.
468
00:16:09,120 --> 00:16:11,840
Remediation happens in milliseconds, not weeks.
469
00:16:11,840 --> 00:16:14,840
This shift requires us to embrace tools like Agent 365
470
00:16:14,840 --> 00:16:17,480
to manage the sheer volume of AI-driven automation.
471
00:16:17,480 --> 00:16:20,400
We are replacing the manual checklist with policy as code.
472
00:16:20,400 --> 00:16:21,640
This allows the system to handle
473
00:16:21,640 --> 00:16:24,280
90% of routine tasks automatically.
474
00:16:24,280 --> 00:16:26,240
Humans can then focus their limited attention
475
00:16:26,240 --> 00:16:30,440
on the 10% of high-risk logic that defines enterprise strategy.
476
00:16:30,440 --> 00:16:32,440
Managed environments and automated guardrails
477
00:16:32,440 --> 00:16:34,160
turn the COE from a no-department
478
00:16:34,160 --> 00:16:35,720
into a safe-to-scale department.
479
00:16:35,720 --> 00:16:37,360
Think of it as a structural upgrade.
480
00:16:37,360 --> 00:16:40,000
We are replacing the velvet rope with a paved road.
481
00:16:40,000 --> 00:16:41,520
Our goal is to make the right thing
482
00:16:41,520 --> 00:16:43,560
the easiest thing for every maker to do.
483
00:16:43,560 --> 00:16:45,080
Digital transformation doesn't happen
484
00:16:45,080 --> 00:16:47,560
when you hire more reviewers to stare at screens.
485
00:16:47,560 --> 00:16:50,320
It happens when you automate the review process itself.
486
00:16:50,320 --> 00:16:52,320
You are building a system that observes, governs,
487
00:16:52,320 --> 00:16:53,800
and secures by design.
488
00:16:53,800 --> 00:16:55,880
This control plane approach provides visibility
489
00:16:55,880 --> 00:16:57,680
that a human board could never achieve.
490
00:16:57,680 --> 00:16:59,720
You can see data lineage across every agent.
491
00:16:59,720 --> 00:17:02,440
You can enforce identity boundaries at the moment of creation.
492
00:17:02,440 --> 00:17:03,720
You move from being a bottleneck
493
00:17:03,720 --> 00:17:06,560
to being an architect of a self-sustaining ecosystem.
494
00:17:06,560 --> 00:17:08,280
This isn't just about efficiency.
495
00:17:08,280 --> 00:17:11,160
It's about survival in an era of agentic workflows.
496
00:17:11,160 --> 00:17:13,600
When an AI can generate 100 flows in an hour,
497
00:17:13,600 --> 00:17:15,280
a human reviewer is a joke.
498
00:17:15,280 --> 00:17:17,160
You need a machine to govern the machine.
499
00:17:17,160 --> 00:17:18,760
By moving your rules into the code,
500
00:17:18,760 --> 00:17:21,800
you ensure that compliance is a constant, not a variable.
501
00:17:21,800 --> 00:17:23,920
You provide the business with the speed they demand
502
00:17:23,920 --> 00:17:25,480
while keeping the enterprise safe
503
00:17:25,480 --> 00:17:27,200
from the chaos of ungoverned growth.
504
00:17:27,200 --> 00:17:28,320
That is the new standard.
505
00:17:28,320 --> 00:17:29,960
We stop being the police and start being
506
00:17:29,960 --> 00:17:31,160
the engineers of the highway.
507
00:17:31,160 --> 00:17:33,520
It is a fundamental change in how we define our value
508
00:17:33,520 --> 00:17:34,720
to the organization.
509
00:17:34,720 --> 00:17:37,120
We provide the infrastructure for innovation,
510
00:17:37,120 --> 00:17:38,200
not the permission.
511
00:17:39,160 --> 00:17:41,600
I didn't see 10 different failures in those audits.
512
00:17:41,600 --> 00:17:44,560
I saw the same flawed system failing in 10 different places.
513
00:17:44,560 --> 00:17:46,720
COEs don't fail because they lack control.
514
00:17:46,720 --> 00:17:50,160
They fail because they apply it too late in the process.
515
00:17:50,160 --> 00:17:52,720
If your governance model still requires a human signature
516
00:17:52,720 --> 00:17:54,800
for a low-code app, you aren't governing.
517
00:17:54,800 --> 00:17:56,880
You're just waiting for the system to break.
518
00:17:56,880 --> 00:17:57,880
Stop being a bottleneck.
519
00:17:57,880 --> 00:17:59,160
Start being an architect.
520
00:17:59,160 --> 00:18:01,600
Move your rules into the code and let the business run.
521
00:18:01,600 --> 00:18:03,920
If this audit changed how you think about your Power Platform
522
00:18:03,920 --> 00:18:06,760
strategy, connect with me, Mirko Peters, on LinkedIn.
523
00:18:06,760 --> 00:18:09,560
Please leave a review for the M365FM podcast.
524
00:18:09,560 --> 00:18:12,160
It helps more leaders find the structural clarity they need
525
00:18:12,160 --> 00:18:14,200
to actually scale their digital transformation.
526
00:18:14,200 --> 00:18:15,960
Stop waiting for meetings and start building
527
00:18:15,960 --> 00:18:18,000
the control plane your enterprise deserves.
528
00:18:18,000 --> 00:18:19,240
Now is the time to pivot.







