April 27, 2026

I Audited 10 Power Platform CoEs: Here’s Why They Fail

M365 FM Podcast

In this episode, the host shares insights from auditing ten Power Platform Centers of Excellence (CoEs) and explains why many of them fail. The core issue isn’t the technology itself, but outdated governance approaches that rely heavily on manual reviews, documentation, and approval boards. These practices create bottlenecks, slow down innovation, and still fail to reduce risk—often leading to shadow IT.
The episode highlights five common failure patterns, including governance living outside the platform, unnecessary approvals, poor environment strategy, unclear ownership of automations, and measuring success by activity instead of business impact.
The key takeaway is that modern governance must shift from manual control to automated, platform-driven enforcement. By embedding rules directly into the system, organizations can enable faster delivery, reduce risk consistently, and transform the CoE from a blocker into a true enabler of business agility.


Picture this: your team works hard, but every new idea hits a wall. The same 5 mistakes keep turning your CoE into a bottleneck. Leadership wants faster results, but old-school, manual processes slow everything down. Maybe you see apps popping up everywhere, but nobody has clear ownership. Leadership gets stuck in endless approvals. Your team misses out on Power Platform’s real strengths because of a lack of visibility and unclear decision-making. If these bottleneck issues sound familiar, leadership and your team can break free by rethinking how governance works.

Key Takeaways

  • Identify and address the five common mistakes that turn your CoE into a bottleneck: lack of strategy, unclear leadership, siloed knowledge, missing evaluations, and limited scope.
  • Establish a clear charter for your CoE to define roles, responsibilities, and align with business goals, ensuring everyone knows their purpose.
  • Empower teams by decentralizing decision-making. Trust them to make choices that drive innovation and reduce delays caused by excessive approvals.
  • Implement automated governance to speed up processes. This reduces manual tasks, enhances quality, and allows teams to focus on building solutions.
  • Foster open communication and engagement with stakeholders. Regular updates and feedback loops help align goals and keep everyone informed.
  • Invest in upskilling your teams to keep pace with evolving technology. Tailored training and community engagement can enhance skills and boost morale.
  • Shift from a control tower model to a control plane approach. This allows for better guidance and support while enabling teams to act quickly.
  • Cultivate a culture of continuous improvement. Encourage small, daily changes that lead to significant long-term benefits for your CoE.

The 5 Mistakes Overview

Why CoEs Become Bottlenecks

You might wonder why your Center of Excellence (CoE) sometimes feels more like a roadblock than a launchpad. Many organizations set up a CoE to pool resources and share expertise. This sounds great at first. You get consistency in tools, standards, and practices. But things can slow down fast. When your CoE tries to handle every request or decision, it can’t keep up with the speed of business. Teams wait for approvals. Makers get frustrated. Innovation stalls.

A CoE can also become too focused on its own processes. If it doesn’t share knowledge or connect with other teams, it turns into a silo. You see duplicate apps, inconsistent user experiences, and even compliance risks. Without strong executive support, your CoE might not have the power to drive change. Instead, it becomes a bottleneck for everyone else.

Here’s a quick look at the most common mistakes that turn a CoE into a bottleneck:

Mistake | Description
Lack of clear strategy and alignment | The CoE doesn’t connect its work to the bigger goals of your organization.
Unclear leadership structure | Teams don’t know who’s in charge, so decisions get stuck.
Siloed knowledge | The CoE keeps its expertise to itself, making it hard for others to learn or improve.
Missing performance evaluation | No one checks if the CoE is actually helping, so problems go unnoticed.
Limited scope | The CoE only focuses on small changes, not real transformation.

The Need for Modern Governance

You don’t have to accept these bottlenecks as normal. The real problem often comes from outdated governance models. Manual processes slow everything down. Centralized control can disconnect IT from the business. You see app sprawl, security issues, and compliance headaches. Teams build the same thing twice. Support and training get messy. Data gets lost or mishandled.

Modern governance changes the game. Instead of relying on people to check every step, you can embed rules and standards right into the platform. Automated governance means you catch problems before they happen. You speed up approvals and reduce mistakes. For example, automated compliance checks can stop risky code from going live. AI tools can fix issues in minutes, not days. This approach boosts efficiency and helps your CoE deliver real value.

m365.fm’s Power Platform CoE shows how this works in practice. By shifting from manual oversight to automated, embedded governance, you turn your CoE from a control tower into a control plane. You guide behavior automatically. You make it easier for teams to innovate while staying safe and compliant. This is how you unlock the true power of the platform—and keep your CoE from becoming a bottleneck.

Lack of Clear Charter

Unclear Purpose and Scope

You can’t build a strong Center of Excellence without a clear purpose. If you skip this step, your team will struggle with structure and ownership. People won’t know who should make decisions or what the CoE actually does. You might see teams working on the same thing twice or ignoring important tasks. When you lack clarity, you lose focus and waste energy.

A solid charter gives you structure and sets the tone for everything that follows. You need to define ownership for each area, so everyone knows their role. This is where strategic thinking comes in. You want to make sure your CoE’s goals match what your business needs. If you don’t, you’ll end up with confusion and missed opportunities.

Here’s what best practices say you should include in your charter:

  1. Develop expertise and specialization for your focus area.
  2. Standardize processes and practices to create a repeatable structure.
  3. Communicate value and impact to show why your CoE matters.
  4. Establish a leadership team that blends business and technology.
  5. Identify challenges by talking with your team.
  6. Define the Minimum Lovable Product to focus your efforts.
  7. Outline actions for each objective in a clear structure.
  8. Track progress with a dashboard and set deadlines.
  9. Engage leaders for support and secure resources.
  10. Measure success and focus on continuous improvement.

Impact on Business Alignment

When you don’t have a clear charter, you risk misalignment at the top. You might think everyone agrees, but quiet misalignment can cause big problems. One leader might focus on cost, another on growth, and IT might just want to replace a system. On the surface, everyone supports the CoE. Underneath, they’re solving different problems.

One of the biggest hidden risks in digital transformation is executive misalignment. Not open conflict. Not visible dysfunction. Quiet misalignment. Where one executive believes the goal is cost reduction. Another believes it is standardization. Another believes it is growth enablement. And IT believes it is a system replacement. On the surface, everyone supports the initiative. Underneath, they are solving different problems.

This lack of alignment leads to real business issues. You’ll see poor communication, performance gaps, and even leadership turnover. The table below shows what happens when your CoE doesn’t have structure and ownership:

Impact Type | Description
Poor communication | Leads to lower employee morale and productivity due to ambiguity about company goals.
Performance gaps | Results in noticeable discrepancies between strategic goals and actual performance, raising concerns.
Internal conflicts | Causes project delays and competition for resources due to differing interpretations of goals.
Strategic initiative failures | Misaligned execution and poor communication lead to delays and inefficiencies in launching initiatives.
Leadership turnover | Frequent changes in leadership signal misalignment and disrupt organizational progress.

Solutions for Charter Clarity

You can fix these problems by focusing on structure, ownership, and clarity. Start by using standardized methodologies for problem-solving. Give local teams a framework so they can adapt solutions but still follow the main strategy. Build networks of expertise to share knowledge and support each other. Create digital repositories for learning and guidance.

Here are some proven strategies:

Strategy | Description
Standardized Methodologies | Use consistent approaches for problem identification and solution development.
Local Adaptation Frameworks | Let teams tailor solutions within set boundaries for innovation and alignment.
Networks of Expertise | Engage more people as champions to boost collaboration and ownership.
Knowledge Management Repositories | Build digital systems for self-guided learning and expert support.

When you focus on structure and ownership, you set your CoE up for success. Strategic thinking helps you keep your goals in line with the business. Clarity in your charter means everyone knows what to do, how to do it, and why it matters. That’s how you move from confusion to real results.

Over-Centralization & CEO Bottlenecks


Excessive Decision Layers

You know the feeling. You have a great idea, but you need approval from the CEO, then another leader, then maybe even a committee. This chain of command slows everything down. When the CEO tries to control every detail, you see micromanagement at its worst. Teams wait for decisions that should happen fast. CEO bottlenecks appear when every project needs a personal review. You lose momentum. Your team starts to avoid the CoE because the process feels like a maze.

Here’s what happens when the CEO gets too involved:

  • Slow review cycles drag out timelines.
  • Teams resist change because they fear more friction.
  • The CoE gets fewer resources, so projects stall.

You might see delivery teams bypassing the CoE. They buy their own licenses and ignore governance guidelines. Quality checks become obstacles instead of helpful steps. Projects get delayed, and innovation suffers.

CEO Bottlenecks in CoE

CEO bottlenecks show up in many ways. Sometimes, the CEO wants to approve every app or workflow. Sometimes, the CEO insists on strict rules that don’t fit the real needs of your team. This creates micromanagement. You see teams working around the CoE instead of with it. Leadership loses sight of what’s happening on the ground.

Let’s look at a few examples:

  1. Teams avoid the CoE because it feels too bureaucratic.
  2. Teams develop solutions on their own, skipping the CEO’s approval.
  3. Governance rules become hurdles, not guardrails.

If you want to move fast, you need to master the art of delegation. The CEO must trust teams to make smart choices. Leadership should guide, not dictate. When you delegate or stay stuck, you choose between progress and frustration.

Empowering Teams for Agility

You can break free from CEO bottlenecks by empowering teams. Decentralized governance lets teams make decisions where the action happens. Delegation pushes authority closer to the people who know the work best. Leadership provides direction, but teams drive execution.

Check out this table showing how empowering teams and delegation improve agility:

Empowering Teams & Delegation Benefits
Teams make decisions together, cutting bottlenecks.
Authority moves to the execution level, where teams see real challenges.
Leadership offers guidance, not orders.
Planning cycles get shorter and more flexible.
Teams refine strategies using real-time feedback.
Organizations focus on delivering value to customers.
Decision-making centers on user experience.
Teams collaborate across functions, not just in silos.
Risk management happens daily, not just at the top.
Transparency improves with real-time dashboards.

Delegation creates guardrails. Teams act quickly, but stay aligned with enterprise goals. Continuous feedback helps you adjust without big disruptions. This balance keeps your organization agile and disciplined. If you want to unlock Power Platform’s full potential, you must delegate or stay stuck. Leadership must shift from control to enablement. Empowering teams is the key to agility.

Manual Governance Processes

Slow Approvals and Controls

You probably know how frustrating it feels when your team waits for approvals. Manual governance processes slow everything down. You submit a request, then wait for someone to check it. The review process drags on. Sometimes, you lose track of where your app sits in the queue. Teams often get stuck because the review process depends on people, not technology. Manual tasks take time and introduce mistakes. You see delays in application development and deployment. The review process becomes a barrier instead of a boost. Teams want to move fast, but manual processes hold them back. You miss deadlines. Quality suffers. The review process can even complicate tracking, making it hard to know if your app meets quality standards.

Here’s what happens when organizations stick with manual governance processes:

  • Many organizations struggle with unplanned costs due to late governance.
  • Support teams chase unmanaged apps, wasting time and energy.
  • Solutions need rebuilding if not deployed properly.
  • Weak DLP setups cause compliance escalations.
  • Shadow IT pops up when governance is invisible.

You see these issues everywhere. Teams lose momentum. Quality drops. The review process becomes a headache.

Friction for Makers

Manual governance processes create friction for makers. You want to build something new, but inefficient processes slow you down. The review process feels like a maze. Teams face bottlenecks and disconnected data. You can’t see what’s happening in your digital experience. Quality slips through the cracks. The review process gets fragmented, dragging operations across the business. Teams rely on manual processes, which slows service delivery. Legal teams lose their strategic focus because they lack data-driven technology. Makers feel blocked. Teams get frustrated. Quality takes a hit.

Here’s a quick look at the main sources of friction:

  • Inefficient processes hinder productivity and adoption rates.
  • Lack of visibility prevents you from spotting issues.
  • Complex workflows lead to bottlenecks and disconnected data.
  • Reliance on manual processes slows service delivery.
  • Fragmented workflows create operational drag.
  • Legal teams struggle without data-driven technology.

You see adoption rates drop. Teams avoid the review process. Quality becomes inconsistent. The review process needs clear processes to help teams succeed.

Embedding Automated Governance

You can solve these problems by embedding automated governance. Automated processes speed up the review process. Teams get real-time feedback. Quality improves. You don’t wait for approvals. The review process happens instantly. Teams focus on elevating code quality. You see fewer mistakes. Quality checks run automatically. Teams stay compliant without extra effort. The review process becomes a tool for success.

Let’s look at some real-world examples:

Company | Description | Impact
Company X | Established a Power Platform Center of Excellence to manage governance and security risks associated with citizen developers. | Developed a comprehensive governance program ensuring compliance with security policies and meeting productivity demands.
G&J Pepsi | Implemented role-based access control for enhanced security. | Achieved nearly 50% reduction in mobile data expenses through real-time monitoring and alerts.

Automated governance transforms your review process. Teams work faster. Quality rises. You don’t chase apps or rebuild solutions. The review process supports teams instead of slowing them down. You embed quality checks and code reviews right into your platform. Teams collaborate. Quality becomes a habit. The review process helps you deliver better results. You unlock the full potential of your team and your platform.

Poor Stakeholder Engagement

Communication Gaps

You can have the best technology and processes, but if you miss the mark on communication, your CoE will struggle. Many teams run into trouble because they don’t speak the same language—literally and figuratively. When you work with international stakeholders, you need to pay attention to cultural and emotional differences. If you ignore these, you risk misunderstandings and even conflict.

You might see these common communication gaps pop up:

  • Information overload makes it hard for project managers to spot what matters most.
  • Teams use different terms or come from different backgrounds, which leads to confusion.
  • Vague messages cause people to miss the real goal.

Sometimes, a simple miscommunication can have huge consequences. Think about the Mars Climate Orbiter crash. NASA and the European Space Agency used different measurement units. That small gap led to a failed mission. In your CoE, unclear communication can mean missed deadlines, wasted resources, and frustrated teams.

Ignoring Feedback

You can’t build a strong CoE if you ignore what people tell you. When leadership overlooks input from partners or users, you lose valuable insights. This creates bottlenecks and slows down progress. If you skip over suggestions, you often need to redo work, which eats up time and resources.

Here’s a quick look at how ignoring feedback affects your CoE:

Evidence Description | Impact on CoE Bottlenecks
Limited or no influence due to lack of partner input | Hinders overall success and feasibility of the study
Need for extensive revisions due to ignored suggestions | Consumes additional time and resources, creating bottlenecks

You want your team to feel heard. When you listen and act on constructive feedback, you build trust. Teams work better together. Leadership shows they value everyone’s voice. This approach helps you avoid costly mistakes and keeps projects moving forward.

Building Engagement Loops

You can turn things around by building strong engagement loops. These loops help you connect with stakeholders and keep everyone involved. Start by sharing information openly. Let people know about decisions, timelines, and even setbacks. This kind of transparency builds credibility with your team and leadership.

Try these strategies to boost engagement:

  • Share updates about decisions and impacts, even if the news isn’t great.
  • Show how stakeholder input changes your deliverables.
  • Invite quieter voices to share their thoughts, not just the loudest ones.
  • Adjust your approach based on what you hear from others.
  • Link engagement activities to business goals so meetings feel meaningful.

When you create these loops, you get timely feedback and keep everyone aligned. Leadership can spot issues early and make better decisions. Teams feel included and motivated. Your CoE becomes a place where everyone works together to reach shared goals.

Resource and Skill Gaps


Overloaded Teams

You probably see it every day. Your teams want to deliver results, but they feel stretched thin. When you ask your team to do more with less, stress builds up fast. People juggle multiple projects and struggle to keep up with new requests. You notice that deadlines slip and quality drops. Leadership often expects quick wins, but overloaded teams can’t keep pace. This pressure leads to burnout and high turnover. You lose valuable knowledge when experienced people leave. Team alignment suffers because everyone scrambles to cover gaps. If you want your Center of Excellence to thrive, you need to address these overload issues head-on.

Outdated Skills

Technology moves fast. If your team relies on old skills, you fall behind. Leadership sometimes assumes that past experience is enough. In reality, Power Platform evolves quickly. New features and tools appear all the time. Teams need to keep up or risk missing out on better ways to work. You might notice that some team members hesitate to try new things. They stick to what they know. This mindset slows down innovation. Leadership must recognize that upskilling is not a one-time event. It’s an ongoing journey. When you invest in learning, you help your team stay sharp and ready for change.

Upskilling and Resourcing

You can close skill gaps with the right strategies. Start by tailoring training to different user levels. A persona-based approach helps everyone learn at their own pace. Encourage community engagement. When teams share ideas in collaborative environments, everyone benefits. Hands-on workshops give your team practical experience. People learn best by doing. Leadership should also create recognition programs. Celebrate progress and motivate your team to keep growing.

Here are some proven ways to boost skills and resources:

  • Offer training and upskilling programs for makers.
  • Set up ‘Ask an expert’ events for personalized support.
  • Run hackathons to spark creativity and teamwork.

Tip: When you combine these strategies, you build a culture of learning and support. Leadership plays a key role by providing resources and encouragement.

You also need to look at how you allocate resources. Make sure your teams have enough time and support to focus on what matters. Leadership should check in regularly to spot gaps and adjust plans. When you invest in upskilling and resourcing, you strengthen team alignment and set your Center of Excellence up for long-term success.

Transforming Your CoE

From Control Tower to Control Plane

You want your Center of Excellence to help, not hinder. The old control tower model puts you in the middle of every decision. This slows down your team and frustrates everyone. When you move to a control plane approach, you guide teams with clear rules and smart automation. You give teams the tools to act fast and stay safe.

Let’s look at what works. Many organizations have taken these steps to transform their CoE and see real results:

Key Steps Taken | Results Achieved
Enhanced visibility | Better understanding of how things work, leading to smarter decisions
Integrated data | Simpler systems to enable clarity and less confusion from duplicate tools
Leveraged AI for proactive risk management | More efficient handling of problems and smoother processes

You can see how these changes help teams work together and avoid bottlenecks. When you simplify systems to enable clarity, you make it easier for everyone to do their best work.

Embedding Standards in the Platform

You don’t have to rely on people to remember every rule. You can embed standards right into the Power Platform. This means your team follows best practices without extra effort. Automated checks and built-in policies keep everyone on track.

Here’s what happens when you embed standards:

  • You manage the full lifecycle of solutions, so every app has an owner and a plan. This keeps your team accountable and helps you track performance.
  • You connect governance to business value. You can measure time saved and money reduced, which shows why your efforts matter.
  • You make sure everyone follows the rules. When users stick to policies, you get feedback that helps you improve your approach.

With these steps, your team spends less time on manual reviews and more time building great solutions. You create a follow-through culture where everyone knows what to do and why it matters.
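
As an added example (not code from the original page or from m365.fm), here is one way an automated check of this kind can look: a written connector policy expressed as data and run against a flow inventory, flagging blocked connectors, flows that mix Business and Non-Business connectors, and flows without an owner. The inventory format, the policy contents, the flow names and the connector identifiers are constructed for illustration.

```python
"""Policy-as-code audit of a flow inventory (added example, constructed data)."""
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "NonBusiness", "Blocked"


@dataclass(frozen=True)
class DlpPolicy:
    """Connector classification in the style of a Power Platform DLP policy."""
    name: str
    groups: dict = field(default_factory=dict)  # connector id -> data group
    default_group: str = NON_BUSINESS           # group for unlisted connectors

    def classify(self, connector: str) -> str:
        return self.groups.get(connector, self.default_group)


@dataclass(frozen=True)
class Finding:
    flow: str
    rule: str
    detail: str


def evaluate_flow(flow: dict, policy: DlpPolicy) -> list:
    """Return every rule a single flow violates (empty list means compliant)."""
    name = flow["name"]
    by_group = {}
    for connector in sorted(set(flow.get("connectors", []))):
        by_group.setdefault(policy.classify(connector), []).append(connector)

    findings = []
    # Rule 1: a blocked connector may not be used at all.
    for connector in by_group.get(BLOCKED, []):
        findings.append(Finding(name, "blocked-connector", connector))
    # Rule 2: Business and Non-Business connectors may not share one flow.
    if by_group.get(BUSINESS) and by_group.get(NON_BUSINESS):
        detail = "{} combined with {}".format(
            ", ".join(by_group[BUSINESS]), ", ".join(by_group[NON_BUSINESS]))
        findings.append(Finding(name, "mixed-data-groups", detail))
    # Rule 3: every flow needs an accountable owner.
    if not (flow.get("owner") or "").strip():
        findings.append(Finding(name, "no-owner", "owner field is empty"))
    return findings


def audit(inventory: list, policy: DlpPolicy) -> list:
    """Evaluate the whole inventory and return a flat list of findings."""
    findings = []
    for flow in inventory:
        findings.extend(evaluate_flow(flow, policy))
    return findings


def deployment_allowed(flow: dict, policy: DlpPolicy) -> bool:
    """Gate for a pipeline step: only a flow with no findings may ship."""
    return not evaluate_flow(flow, policy)


# Constructed policy: the machine-readable form of the written rule book.
POLICY = DlpPolicy(
    name="constructed-default-environment-policy",
    groups={
        "shared_sql": BUSINESS,
        "shared_sharepointonline": BUSINESS,
        "shared_office365": BUSINESS,
        "shared_gmail": NON_BUSINESS,
        "shared_twitter": BLOCKED,
    },
)

# Constructed inventory: in practice this would be a tenant export.
INVENTORY = [
    {"name": "Invoice sync", "owner": "alex@example.com",
     "connectors": ["shared_sql", "shared_sharepointonline"]},
    {"name": "Customer export", "owner": "sam@example.com",
     "connectors": ["shared_sql", "shared_gmail"]},
    {"name": "Social alerts", "owner": "",
     "connectors": ["shared_twitter", "shared_office365"]},
    {"name": "Ad-hoc notify", "owner": "kim@example.com",
     "connectors": ["shared_office365", "shared_unlisted_custom"]},
]

if __name__ == "__main__":
    for f in audit(INVENTORY, POLICY):
        print(f"{f.flow}: {f.rule} ({f.detail})")
```

The unlisted connector in the last flow falls into the policy's default group, which is why the choice of default group matters as much as the explicit classifications.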

Continuous Improvement Culture

You want your CoE to keep getting better. A continuous improvement culture helps your team learn, adapt, and grow. When you focus on small changes every day, you see big results over time.

Check out some benefits organizations have seen by making continuous improvement part of their CoE:

Benefit | Description
Financial Savings | One company saved $2.5 million in 18 months.
Increased Agility | Teams respond faster to market and customer needs.
Higher Quality | Fewer mistakes and better service.
Improved Employee Engagement | Lower turnover and more productivity.
Enhanced Innovation | More ideas get tested and used.
Greater Customer Loyalty | Happy customers come back again and again.
Profit Margin Improvement | Companies with strong programs earn 3-5% more profit.

You can start by encouraging teams to share ideas and try new things. Give your team space to learn from mistakes and celebrate wins. When you build this mindset, you help everyone grow and succeed together.


You’ve seen how these five mistakes can slow your team and block progress. If you want to remove bottlenecks, start by helping your teams work smarter. Give every team the tools and support they need. Let your teams focus on building, not waiting. Automated, embedded governance lets your team move fast and stay safe. Now is the time to review your CoE and help your teams unlock the full value of the Power Platform.


1
00:00:00,000 --> 00:00:02,160
Most organizations treat the center of excellence

2
00:00:02,160 --> 00:00:04,320
like a nightclub with a manual guest list.

3
00:00:04,320 --> 00:00:05,760
You promised the business agility,

4
00:00:05,760 --> 00:00:08,480
but you delivered a six month backlog of manual reviews.

5
00:00:08,480 --> 00:00:11,320
I've audited 10 different COEs across 10 different industries,

6
00:00:11,320 --> 00:00:13,000
and the failure isn't the technology.

7
00:00:13,000 --> 00:00:15,240
The failure is the assumption that human oversight

8
00:00:15,240 --> 00:00:16,680
equals enterprise control.

9
00:00:16,680 --> 00:00:18,480
We are going to dismantle the five patterns

10
00:00:18,480 --> 00:00:21,480
that turn your COE into a progress-killing bottleneck.

11
00:00:21,480 --> 00:00:24,720
If a human has to click "Approved" for a standard productivity app,

12
00:00:24,720 --> 00:00:26,640
your digital transformation is already dead.

13
00:00:26,640 --> 00:00:28,040
You navigate, you search.

14
00:00:28,040 --> 00:00:29,880
You wait for a signature that never comes.

15
00:00:29,880 --> 00:00:32,040
The model is broken because it relies on people

16
00:00:32,040 --> 00:00:33,600
to do what code does better.

17
00:00:33,600 --> 00:00:36,240
We build hierarchies for a world that no longer exists.

18
00:00:36,240 --> 00:00:37,360
Now, we need context.

19
00:00:37,360 --> 00:00:38,960
We need to stop acting like gatekeepers

20
00:00:38,960 --> 00:00:42,080
and start acting like architects of a system that governs itself.

21
00:00:42,080 --> 00:00:44,440
Governance as documentation, not enforcement.

22
00:00:44,440 --> 00:00:46,760
I've seen beautiful 50-page PDFs

23
00:00:46,760 --> 00:00:49,640
that explain exactly how data should move across the platform.

24
00:00:49,640 --> 00:00:51,360
They are full of charts, color diagrams,

25
00:00:51,360 --> 00:00:53,960
and clear instructions for every maker in the company.

26
00:00:53,960 --> 00:00:56,360
But in reality, these documents are invisible

27
00:00:56,360 --> 00:00:58,240
to the platform's runtime behavior.

28
00:00:58,240 --> 00:01:01,200
They sit on a SharePoint site gathering digital dust.

29
00:01:01,200 --> 00:01:03,720
Across all 10 audits I performed, policies

30
00:01:03,720 --> 00:01:05,280
existed in the documentation,

31
00:01:05,280 --> 00:01:08,320
but flows violated them in production every single day.

32
00:01:08,320 --> 00:01:10,760
We are industrializing a hope-based security model

33
00:01:10,760 --> 00:01:12,280
where we hope makers read the manual.

34
00:01:12,280 --> 00:01:13,760
It is a dangerous assumption.

35
00:01:13,760 --> 00:01:16,360
Because today, work doesn't start with reading a manual.

36
00:01:16,360 --> 00:01:18,920
It starts with a problem that needs a fast solution.

37
00:01:18,920 --> 00:01:21,080
Your internet wasn't designed for how people work today.

38
00:01:21,080 --> 00:01:24,640
It was designed for structure, pages, navigation, hierarchies.

39
00:01:24,640 --> 00:01:26,760
And the assumption that people know what they're looking for,

40
00:01:26,760 --> 00:01:28,040
that assumption is broken.

41
00:01:28,040 --> 00:01:29,640
Real governance isn't a suggestion.

42
00:01:29,640 --> 00:01:32,840
It's a non-bypassable boundary embedded in the environment.

43
00:01:32,840 --> 00:01:34,880
When policy is disconnected from the platform,

44
00:01:34,880 --> 00:01:35,840
you don't have control.

45
00:01:35,840 --> 00:01:37,760
You have a paper trail for when things go wrong.

46
00:01:37,760 --> 00:01:39,040
It's the old model.

47
00:01:39,040 --> 00:01:42,000
You publish the content and then nobody uses it.

48
00:01:42,000 --> 00:01:44,640
What typically happens is that a maker builds a flow

49
00:01:44,640 --> 00:01:46,560
that connects a sensitive SQL database

50
00:01:46,560 --> 00:01:47,960
to an external Gmail account.

51
00:01:47,960 --> 00:01:49,720
They didn't read page 34 of the PDF.

52
00:01:49,720 --> 00:01:52,000
The platform allowed it because the COE hadn't

53
00:01:52,000 --> 00:01:54,040
configured the data loss prevention policies

54
00:01:54,040 --> 00:01:55,160
to match the document.

55
00:01:55,160 --> 00:01:56,360
The flaw isn't the content.

56
00:01:56,360 --> 00:01:59,000
It's the assumption that people have time to go looking for it.

57
00:01:59,000 --> 00:01:59,760
That's where it breaks.

58
00:01:59,760 --> 00:02:02,240
I found one organization that spent $80,000

59
00:02:02,240 --> 00:02:03,880
on a governance consulting project.

60
00:02:03,880 --> 00:02:06,240
They got a massive document that was technically perfect.

61
00:02:06,240 --> 00:02:08,400
Six months later, I ran a scan of their tenant.

62
00:02:08,400 --> 00:02:11,440
We found 300 flows using unauthorized connectors.

63
00:02:11,440 --> 00:02:14,280
The documentation said no, but the platform said yes.

64
00:02:14,280 --> 00:02:15,880
So the makers did what was easiest.

65
00:02:15,880 --> 00:02:18,120
They built, they shipped, and they created

66
00:02:18,120 --> 00:02:19,640
a massive security hole.

67
00:02:19,640 --> 00:02:21,560
This is the velvet rope trap in action.

68
00:02:21,560 --> 00:02:23,680
You think you're in control because you have a rule book,

69
00:02:23,680 --> 00:02:25,480
but the door is wide open, and nobody

70
00:02:25,480 --> 00:02:26,960
is watching the back entrance.

71
00:02:26,960 --> 00:02:29,240
The shift we need is moving from PowerPoint governance

72
00:02:29,240 --> 00:02:31,040
to policy as code.

73
00:02:31,040 --> 00:02:32,840
This means the rules aren't in a file.

74
00:02:32,840 --> 00:02:34,520
They are in the runtime.

75
00:02:34,520 --> 00:02:36,640
If a maker tries to connect two data sources

76
00:02:36,640 --> 00:02:38,160
that shouldn't talk to each other,

77
00:02:38,160 --> 00:02:40,920
the platform blocks it instantly, not because a human caught it,

78
00:02:40,920 --> 00:02:43,480
but because the system is incapable of allowing it.

79
00:02:43,480 --> 00:02:44,640
This is how you scale.

80
00:02:44,640 --> 00:02:46,480
You stop being the person who says no,

81
00:02:46,480 --> 00:02:48,680
and start being the person who builds the guardrails.

82
00:02:48,680 --> 00:02:49,600
You're in a meeting.

83
00:02:49,600 --> 00:02:50,880
You need an answer.

84
00:02:50,880 --> 00:02:53,120
You shouldn't have to check a PDF to see if your automation

85
00:02:53,120 --> 00:02:53,760
is allowed.

86
00:02:53,760 --> 00:02:55,080
The system should tell you.

87
00:02:55,080 --> 00:02:57,960
And one level deeper, this shift changes the culture.

88
00:02:57,960 --> 00:02:59,840
When governance is enforced by code,

89
00:02:59,840 --> 00:03:01,880
makers stop seeing IT as a hurdle.

90
00:03:01,880 --> 00:03:04,680
They see the platform as a safe space to experiment.

91
00:03:04,680 --> 00:03:07,000
They know that if they do something truly risky,

92
00:03:07,000 --> 00:03:09,760
the system will catch it before it causes damage.

93
00:03:09,760 --> 00:03:11,560
It removes the fear of breaking things.

94
00:03:11,560 --> 00:03:14,640
In most organizations, the COE is a no department.

95
00:03:14,640 --> 00:03:16,520
It's where ideas go to die in a committee.

96
00:03:16,520 --> 00:03:18,320
But when you move to policy as code,

97
00:03:18,320 --> 00:03:20,440
you become a safe to scale department.

98
00:03:20,440 --> 00:03:21,720
You provide the paved road.

99
00:03:21,720 --> 00:03:22,720
You provide the context.

100
00:03:22,720 --> 00:03:25,560
You ensure the right thing is the easiest thing to do.

101
00:03:25,560 --> 00:03:28,280
That is the only way to survive the 2026 landscape

102
00:03:28,280 --> 00:03:30,400
of agentic AI and mass automation.

103
00:03:30,400 --> 00:03:31,600
Stop writing manuals.

104
00:03:31,600 --> 00:03:33,680
Start writing policies that actually run.

105
00:03:33,680 --> 00:03:35,280
If you want to enable the business,

106
00:03:35,280 --> 00:03:37,160
you have to stop relying on their memory

107
00:03:37,160 --> 00:03:38,960
and start relying on your architecture.

108
00:03:38,960 --> 00:03:41,960
Governance is enforcement or it is nothing.

109
00:03:41,960 --> 00:03:43,560
The manual review bottleneck.

110
00:03:43,560 --> 00:03:46,480
Pattern 2 is what I call the approval board trap.

111
00:03:46,480 --> 00:03:49,320
It is a room full of high-cost architects spending four hours

112
00:03:49,320 --> 00:03:51,360
every Tuesday reviewing simple flows.

113
00:03:51,360 --> 00:03:53,400
They sit there looking at Power Automate logic

114
00:03:53,400 --> 00:03:55,600
that sends an email when a file is uploaded.

115
00:03:55,600 --> 00:03:57,880
It is a massive waste of intellectual capital.

116
00:03:57,880 --> 00:04:01,320
This is the primary reason deployment cycle times are exploding

117
00:04:01,320 --> 00:04:03,520
while business value remains stagnant.

118
00:04:03,520 --> 00:04:05,600
You've created a system where the cost of the review

119
00:04:05,600 --> 00:04:08,080
often exceeds the value of the automation being built.

120
00:04:08,080 --> 00:04:09,960
In my audits, I found backlogs measured in weeks

121
00:04:09,960 --> 00:04:12,040
for solutions that took four hours to build.

122
00:04:12,040 --> 00:04:12,880
Think about that.

123
00:04:12,880 --> 00:04:14,560
The business identifies a problem on Monday.

124
00:04:14,560 --> 00:04:16,320
The maker solves it by Monday afternoon.

125
00:04:16,320 --> 00:04:18,080
But the solution doesn't reach production

126
00:04:18,080 --> 00:04:20,040
until the third week of the next month.

127
00:04:20,040 --> 00:04:22,560
Why? Because the COE committee hasn't met yet.

128
00:04:22,560 --> 00:04:24,520
This friction doesn't stop bad apps.

129
00:04:24,520 --> 00:04:27,000
It just stops people from telling IT they're building them.

130
00:04:27,000 --> 00:04:29,040
When the official path is a three-week wait,

131
00:04:29,040 --> 00:04:30,520
the business goes underground.

132
00:04:30,520 --> 00:04:31,640
They use personal accounts.

133
00:04:31,640 --> 00:04:32,880
They find workarounds.

134
00:04:32,880 --> 00:04:34,240
They build in the shadows.

135
00:04:34,240 --> 00:04:36,440
You think you're maintaining control with your board,

136
00:04:36,440 --> 00:04:38,000
but you're actually driving risk

137
00:04:38,000 --> 00:04:40,000
into the dark corners of the organization.

138
00:04:40,000 --> 00:04:42,160
The model assumes that a human eye is the only thing

139
00:04:42,160 --> 00:04:43,320
that can detect risk.

140
00:04:43,320 --> 00:04:44,480
That is a flawed assumption.

141
00:04:44,480 --> 00:04:47,320
We need to replace the human in the loop for standard cases

142
00:04:47,320 --> 00:04:50,000
with automated logic that evaluates risk in real time.

143
00:04:50,000 --> 00:04:51,560
We need to stop treating every flow

144
00:04:51,560 --> 00:04:54,160
like it's a mission-critical ERP migration.

145
00:04:54,160 --> 00:04:55,680
If the app stays within a green zone

146
00:04:55,680 --> 00:04:58,440
of pre-approved connectors and standard data sources,

147
00:04:58,440 --> 00:05:00,040
the deployment should be instantaneous.

148
00:05:00,040 --> 00:05:01,480
It's about tiered governance.

149
00:05:01,480 --> 00:05:03,920
If a maker uses the Office 365 Users connector

150
00:05:03,920 --> 00:05:06,440
and a standard SharePoint list, why are we reviewing it?

151
00:05:06,440 --> 00:05:07,360
The risk is known.

152
00:05:07,360 --> 00:05:09,880
The boundaries are already set by your DLP policies.

153
00:05:09,880 --> 00:05:12,800
By forcing these low-risk solutions to a manual board,

154
00:05:12,800 --> 00:05:15,760
you are suffocating the very agility you promise the business.

155
00:05:15,760 --> 00:05:17,680
I saw one audit where 80% of the backlog

156
00:05:17,680 --> 00:05:19,760
consisted of simple notification flows.

157
00:05:19,760 --> 00:05:20,840
The architects were bored.

158
00:05:20,840 --> 00:05:21,960
The makers were frustrated.

159
00:05:21,960 --> 00:05:23,280
The business was losing money.

160
00:05:23,280 --> 00:05:24,960
What typically happens is that the COE

161
00:05:24,960 --> 00:05:26,400
becomes a bottleneck because it tries

162
00:05:26,400 --> 00:05:28,000
to be a gatekeeper for everything,

163
00:05:28,000 --> 00:05:29,560
but a gatekeeper who can't keep up

164
00:05:29,560 --> 00:05:31,760
with the volume eventually just becomes a wall.

165
00:05:31,760 --> 00:05:34,520
The shift here is moving toward automated triage.

166
00:05:34,520 --> 00:05:36,000
You define the rules of the road.

167
00:05:36,000 --> 00:05:39,000
You build a system that scans the solution as it's submitted.

168
00:05:39,000 --> 00:05:41,720
If it passes the automated checks, it goes live immediately.

169
00:05:41,720 --> 00:05:43,280
No ticket, no meeting, no signature.

170
00:05:43,280 --> 00:05:45,360
This is how you handle the scale of 2026.

171
00:05:45,360 --> 00:05:48,120
You automate the boring stuff so your architects

172
00:05:48,120 --> 00:05:50,720
can focus on the 10% of high-risk logic

173
00:05:50,720 --> 00:05:52,760
that actually requires a human brain.

174
00:05:52,760 --> 00:05:53,680
You're in a race.

175
00:05:53,680 --> 00:05:55,960
The business needs to move at the speed of the market.

176
00:05:55,960 --> 00:05:58,480
If your governance model is built on a weekly meeting cadence,

177
00:05:58,480 --> 00:06:00,160
you've already lost the race.

178
00:06:00,160 --> 00:06:01,480
The assumption that human oversight

179
00:06:01,480 --> 00:06:04,040
equals enterprise control is a relic of a slower era.

180
00:06:04,040 --> 00:06:05,160
Control isn't a meeting.

181
00:06:05,160 --> 00:06:07,280
Control is a system that enforces your standards

182
00:06:07,280 --> 00:06:08,640
without needing a reminder.

183
00:06:08,640 --> 00:06:11,320
In one audit, we implemented an automated review tool

184
00:06:11,320 --> 00:06:14,040
that reduced the backlog by 90% in two weeks.

185
00:06:14,040 --> 00:06:16,920
The architects finally had time to work on the complex integrations

186
00:06:16,920 --> 00:06:18,040
that actually mattered.

187
00:06:18,040 --> 00:06:20,440
The makers were happy because their tools worked instantly.

188
00:06:20,440 --> 00:06:21,720
The risk didn't go up.

189
00:06:21,720 --> 00:06:24,480
It went down because the automated scanner was more consistent

190
00:06:24,480 --> 00:06:26,720
than a tired architect on a Tuesday afternoon.

191
00:06:26,720 --> 00:06:27,920
Stop being a gatekeeper.

192
00:06:27,920 --> 00:06:29,520
Start being a platform engineer.

193
00:06:29,520 --> 00:06:31,320
Your job isn't to look at every flow.

194
00:06:31,320 --> 00:06:33,800
Your job is to build the system that looks for you.

195
00:06:33,800 --> 00:06:36,640
That is the only way to scale without breaking.

196
00:06:36,640 --> 00:06:39,000
Environment sprawl and the dev in prod myth.

197
00:06:39,000 --> 00:06:42,440
Almost every COE I audited had dev, test,

198
00:06:42,440 --> 00:06:45,280
and prod environments that were identical in configuration

199
00:06:45,280 --> 00:06:46,160
and access.

200
00:06:46,160 --> 00:06:49,600
They existed as labels, not as functional security boundaries.

201
00:06:49,600 --> 00:06:51,320
This is a massive structural failure.

202
00:06:51,320 --> 00:06:53,880
We've built a house where every room has the same key

203
00:06:53,880 --> 00:06:55,480
and we're surprised when a fire in the kitchen

204
00:06:55,480 --> 00:06:56,680
spreads to the bedroom.

205
00:06:56,680 --> 00:06:58,680
There is a dangerous trend of developers building

206
00:06:58,680 --> 00:07:00,240
directly in the default environment

207
00:07:00,240 --> 00:07:02,240
because the official path is too slow.

208
00:07:02,240 --> 00:07:03,880
It's the path of least resistance.

209
00:07:03,880 --> 00:07:06,040
But that path leads to a digital junk drawer

210
00:07:06,040 --> 00:07:07,720
of half-finished experiments.

211
00:07:07,720 --> 00:07:09,400
In my audits, production incidents

212
00:07:09,400 --> 00:07:11,480
were frequently traced back to dev builds

213
00:07:11,480 --> 00:07:13,520
that were never meant to handle enterprise data.

214
00:07:13,520 --> 00:07:15,600
Someone builds a test flow to move files.

215
00:07:15,600 --> 00:07:16,800
They use their own credentials.

216
00:07:16,800 --> 00:07:17,600
They forget about it.

217
00:07:17,600 --> 00:07:19,600
Six months later, that flow is still running,

218
00:07:19,600 --> 00:07:21,360
processing sensitive customer information

219
00:07:21,360 --> 00:07:22,600
without any oversight.

220
00:07:22,600 --> 00:07:24,800
The architecture is failing because we treat environments

221
00:07:24,800 --> 00:07:27,720
as folders rather than isolated security boundaries.

222
00:07:27,720 --> 00:07:29,760
We think that by naming something production,

223
00:07:29,760 --> 00:07:30,920
we've made it safe.

224
00:07:30,920 --> 00:07:32,800
But if the data loss prevention policies

225
00:07:32,800 --> 00:07:35,120
are the same across the board, the name is meaningless.

226
00:07:35,120 --> 00:07:38,240
Without a routing strategy, your tenant is just chaos.

227
00:07:38,240 --> 00:07:40,160
You have makers building mission critical tools

228
00:07:40,160 --> 00:07:41,960
in personal productivity spaces.

229
00:07:41,960 --> 00:07:44,800
You have professional developers bypassing the COE entirely

230
00:07:44,800 --> 00:07:47,080
because they can't wait for a sandbox to be provisioned.

231
00:07:47,080 --> 00:07:48,640
This is the Dev and prod myth.

232
00:07:48,640 --> 00:07:50,240
We tell ourselves that we are agile

233
00:07:50,240 --> 00:07:52,400
because we let people build wherever they want.

234
00:07:52,400 --> 00:07:56,200
In reality, we are just accumulating risk that we can't see.

235
00:07:56,200 --> 00:07:58,280
One audit revealed a major retail company

236
00:07:58,280 --> 00:08:00,280
where 40% of their production apps

237
00:08:00,280 --> 00:08:03,240
were actually hosted in an environment marked sandbox.

238
00:08:03,240 --> 00:08:05,480
Why? Because the sandbox had fewer restrictions.

239
00:08:05,480 --> 00:08:06,680
The makers were smart.

240
00:08:06,680 --> 00:08:09,360
They realized that if they wanted to use a specific connector

241
00:08:09,360 --> 00:08:11,080
that was blocked in prod, they could just

242
00:08:11,080 --> 00:08:13,080
build it in the sandbox and share it from there.

243
00:08:13,080 --> 00:08:14,880
The COE had no visibility into this.

244
00:08:14,880 --> 00:08:16,680
They were looking at the front door while the business

245
00:08:16,680 --> 00:08:19,000
was moving the furniture out through the side window.

246
00:08:19,000 --> 00:08:20,720
This isn't just a technical problem.

247
00:08:20,720 --> 00:08:22,040
It's a failure of intent.

248
00:08:22,040 --> 00:08:23,920
We need to automate environment provisioning

249
00:08:23,920 --> 00:08:27,120
so that every project starts in a governed space by default.

250
00:08:27,120 --> 00:08:28,320
The goal is isolation.

251
00:08:28,320 --> 00:08:30,360
We need to ensure a mistake in a sandbox

252
00:08:30,360 --> 00:08:32,680
can't escalate into a tenant-wide data breach.

253
00:08:32,680 --> 00:08:34,920
This requires a fundamental shift in how we think

254
00:08:34,920 --> 00:08:36,360
about the platform.

255
00:08:36,360 --> 00:08:38,120
We need to move away from the one big tenant model

256
00:08:38,120 --> 00:08:39,720
and toward a zoned model.

257
00:08:39,720 --> 00:08:42,520
You have a personal productivity zone for low-risk tasks.

258
00:08:42,520 --> 00:08:44,840
You have an innovation zone for experimentation

259
00:08:44,840 --> 00:08:46,200
with temporary life cycles.

260
00:08:46,200 --> 00:08:48,720
And you have an enterprise zone for mission-critical apps

261
00:08:48,720 --> 00:08:51,160
with full ALM and automated guardrails.

262
00:08:51,160 --> 00:08:53,600
This isn't about adding more layers of bureaucracy.

263
00:08:53,600 --> 00:08:55,720
It's about using environment-routing logic

264
00:08:55,720 --> 00:08:57,200
to place the maker in the right bucket

265
00:08:57,200 --> 00:08:59,080
the moment they click create.

266
00:08:59,080 --> 00:09:00,880
What typically happens is that IT tries

267
00:09:00,880 --> 00:09:02,480
to manage environments manually.

268
00:09:02,480 --> 00:09:04,880
A maker fills out a form, a ticket is created.

269
00:09:04,880 --> 00:09:07,280
An admin eventually creates the environment.

270
00:09:07,280 --> 00:09:09,400
By the time that happens, the maker has already

271
00:09:09,400 --> 00:09:11,360
built the app in the default environment.

272
00:09:11,360 --> 00:09:12,720
The horse has bolted.

273
00:09:12,720 --> 00:09:16,440
The shift in 2026 is toward just-in-time environments.

274
00:09:16,440 --> 00:09:18,200
You use the Power Platform API

275
00:09:18,200 --> 00:09:20,200
to spin up a governed sandbox automatically

276
00:09:20,200 --> 00:09:22,120
based on the maker's project profile.

277
00:09:22,120 --> 00:09:24,280
You apply the correct DLP policies instantly.

278
00:09:24,280 --> 00:09:25,720
You set an expiration date.

279
00:09:25,720 --> 00:09:27,320
This removes the incentive to cheat.

280
00:09:27,320 --> 00:09:29,080
If getting a governed environment is faster

281
00:09:29,080 --> 00:09:30,640
than building in the default space,

282
00:09:30,640 --> 00:09:32,360
people will choose the governed space.

283
00:09:32,360 --> 00:09:34,160
You stop fighting human nature and start

284
00:09:34,160 --> 00:09:35,880
using it to drive compliance.

285
00:09:35,880 --> 00:09:37,160
If you don't control the map,

286
00:09:37,160 --> 00:09:38,480
you don't control the journey.

287
00:09:38,480 --> 00:09:41,040
Stop letting your tenant become a digital wasteland

288
00:09:41,040 --> 00:09:42,480
of orphaned experiments.

289
00:09:42,480 --> 00:09:44,560
Build the zones, automate the routing,

290
00:09:44,560 --> 00:09:47,640
and treat every environment as a specific security contract.

291
00:09:47,640 --> 00:09:49,680
That is how you stop the sprawl.

292
00:09:49,680 --> 00:09:51,760
The orphaned problem in ownership decay.

293
00:09:51,760 --> 00:09:53,720
I found hundreds of critical business flows

294
00:09:53,720 --> 00:09:55,680
in these audits that were tied to accounts of employees

295
00:09:55,680 --> 00:09:57,200
who left the company months ago.

296
00:09:57,200 --> 00:09:58,680
This is the orphaned problem.

297
00:09:58,680 --> 00:10:00,960
It represents automations that run the business

298
00:10:00,960 --> 00:10:03,640
but have no listed owner and no failover plan.

299
00:10:03,640 --> 00:10:05,680
When an orphaned flow breaks, the business stops.

300
00:10:05,680 --> 00:10:08,720
IT then spends days playing detective to find the original maker.

301
00:10:08,720 --> 00:10:11,880
The structural flaw here is that most COEs measure the build

302
00:10:11,880 --> 00:10:14,280
but completely ignore the life cycle.

303
00:10:14,280 --> 00:10:15,880
They celebrate the birth of an app

304
00:10:15,880 --> 00:10:17,360
but never plan for its retirement

305
00:10:17,360 --> 00:10:19,160
or its transition when a team changes.

306
00:10:19,160 --> 00:10:21,040
You've essentially built a digital workforce

307
00:10:21,040 --> 00:10:24,400
where half the employees have no manager and no HR record.

308
00:10:24,400 --> 00:10:25,920
It's a liability waiting to explode.

309
00:10:25,920 --> 00:10:28,440
In one specific audit for a global logistics firm,

310
00:10:28,440 --> 00:10:29,960
we discovered a flow responsible

311
00:10:29,960 --> 00:10:31,960
for processing customs clearance data.

312
00:10:31,960 --> 00:10:34,280
It was processing thousands of records an hour.

313
00:10:34,280 --> 00:10:36,360
The problem? The person who built it had been gone

314
00:10:36,360 --> 00:10:38,080
for three fiscal quarters.

315
00:10:38,080 --> 00:10:39,880
The day the flow's connection expired,

316
00:10:39,880 --> 00:10:41,760
the entire shipping line stalled.

317
00:10:41,760 --> 00:10:43,960
Nobody knew who owned it, nobody had the documentation.

318
00:10:43,960 --> 00:10:46,360
The COE was flying blind because they treated the platform

319
00:10:46,360 --> 00:10:47,400
as a collection of tools

320
00:10:47,400 --> 00:10:49,840
rather than a collection of managed identities.

321
00:10:49,840 --> 00:10:52,680
This is what happens when you prioritize creation over continuity.

322
00:10:52,680 --> 00:10:54,000
You accumulate technical debt

323
00:10:54,000 --> 00:10:56,600
that eventually bankrupts your operational stability.

324
00:10:56,600 --> 00:10:58,760
We must implement automated ownership validation.

325
00:10:58,760 --> 00:11:00,760
If a flow doesn't have a valid business owner,

326
00:11:00,760 --> 00:11:02,200
it shouldn't be running.

327
00:11:02,200 --> 00:11:03,680
This isn't a suggestion.

328
00:11:03,680 --> 00:11:06,440
It's a requirement for enterprise-grade operations.

329
00:11:06,440 --> 00:11:09,560
Using Microsoft Entra ID to tie agent and flow identities

330
00:11:09,560 --> 00:11:12,560
to active organizational roles is the only way forward.

331
00:11:12,560 --> 00:11:14,560
You need a system that checks the employment status

332
00:11:14,560 --> 00:11:16,440
of every maker every single week.

333
00:11:16,440 --> 00:11:18,560
If the system detects that an owner has left

334
00:11:18,560 --> 00:11:19,920
or changed departments,

335
00:11:19,920 --> 00:11:21,640
it should trigger an automated request

336
00:11:21,640 --> 00:11:23,440
for ownership to the department head.

337
00:11:23,440 --> 00:11:25,720
If no owner is assigned within 48 hours,

338
00:11:25,720 --> 00:11:26,960
the flow is quarantined.

339
00:11:26,960 --> 00:11:28,520
That sounds harsh, but it's the only way

340
00:11:28,520 --> 00:11:30,480
to prevent your tenant from becoming a graveyard

341
00:11:30,480 --> 00:11:31,520
of broken logic.

342
00:11:31,520 --> 00:11:33,880
A COE that doesn't manage the exit strategy for an app

343
00:11:33,880 --> 00:11:35,560
is just accumulating risk.

344
00:11:35,560 --> 00:11:37,640
You need to treat these low-code assets

345
00:11:37,640 --> 00:11:41,200
with the same rigor you apply to your pro-code repositories.

346
00:11:41,200 --> 00:11:43,320
That means every asset must be mapped to a cost center

347
00:11:43,320 --> 00:11:45,520
and a human who is accountable for its behavior.

348
00:11:45,520 --> 00:11:48,280
What typically happens is that organizations assume

349
00:11:48,280 --> 00:11:50,840
the platform will just take care of it.

350
00:11:50,840 --> 00:11:53,480
But the platform only does what you architect it to do.

351
00:11:53,480 --> 00:11:55,720
If you don't have a heartbeat check on your owners,

352
00:11:55,720 --> 00:11:57,280
you don't have a governed environment,

353
00:11:57,280 --> 00:11:58,560
you have a ticking time bomb.

354
00:11:58,560 --> 00:12:02,120
The shift in 2026 is moving toward identity first governance.

355
00:12:02,120 --> 00:12:03,960
Every flow is a service principal.

356
00:12:03,960 --> 00:12:05,760
Every board is a governed identity.

357
00:12:05,760 --> 00:12:08,000
By anchoring your COE in Entra ID,

358
00:12:08,000 --> 00:12:10,800
you ensure that ownership is dynamic, not static.

359
00:12:10,800 --> 00:12:13,000
You move away from a world of who built this

360
00:12:13,000 --> 00:12:16,840
and into a world of who is responsible for this right now.

361
00:12:16,840 --> 00:12:19,240
That distinction is what separates a hobbyist setup

362
00:12:19,240 --> 00:12:21,000
from a professional enterprise architecture.

363
00:12:21,000 --> 00:12:22,880
Stop letting your makers build in a vacuum.

364
00:12:22,880 --> 00:12:25,480
Force the ownership metadata at the point of creation

365
00:12:25,480 --> 00:12:27,840
and validate it throughout the entire life cycle.

366
00:12:27,840 --> 00:12:30,880
If the business value is high enough to build, it's high enough to own.

367
00:12:30,880 --> 00:12:33,000
If nobody wants to own it, it shouldn't exist

368
00:12:33,000 --> 00:12:35,120
in your production environment, period.

369
00:12:35,120 --> 00:12:37,920
Your job as an architect is to ensure that when the people change,

370
00:12:37,920 --> 00:12:39,560
the processes remain stable.

371
00:12:39,560 --> 00:12:41,760
That only happens when you automate the handover

372
00:12:41,760 --> 00:12:44,280
before the person even leaves the building.

373
00:12:44,280 --> 00:12:46,600
Vanity metrics versus business impact.

374
00:12:46,600 --> 00:12:49,360
The most common slide in a COE monthly report is,

375
00:12:49,360 --> 00:12:51,760
number of makers onboarded.

376
00:12:51,760 --> 00:12:53,360
It's a number that looks great in a board meeting

377
00:12:53,360 --> 00:12:54,760
because it implies growth.

378
00:12:54,760 --> 00:12:57,880
It suggests that your digital transformation is gaining momentum.

379
00:12:57,880 --> 00:13:01,560
But in reality, this is a vanity metric that measures activity

380
00:13:01,560 --> 00:13:03,720
while ignoring the actual business outcome.

381
00:13:03,720 --> 00:13:05,680
I've seen tenants with 5,000 active flows

382
00:13:05,680 --> 00:13:08,320
where not a single one contributed to a measurable KPI

383
00:13:08,320 --> 00:13:09,760
like cycle time reduction.

384
00:13:09,760 --> 00:13:12,440
You are celebrating the chaos accelerator.

385
00:13:12,440 --> 00:13:13,920
You are scaling the volume of builds

386
00:13:13,920 --> 00:13:16,840
without measuring a single ounce of the value delivered.

387
00:13:16,840 --> 00:13:19,320
If your COE can't show a reduction in risk events

388
00:13:19,320 --> 00:13:22,360
or a clear improvement in ROI, it's a reporting function,

389
00:13:22,360 --> 00:13:23,840
not a center of excellence.

390
00:13:23,840 --> 00:13:26,160
We've fallen into the trap of counting licenses

391
00:13:26,160 --> 00:13:27,600
instead of counting results.

392
00:13:27,600 --> 00:13:28,840
You see it in every audit.

393
00:13:28,840 --> 00:13:31,520
The IT leadership is proud because they have 10,000 people

394
00:13:31,520 --> 00:13:32,960
with a Power Automate seat.

395
00:13:32,960 --> 00:13:36,080
But when you look deeper, you realize that 9,000 of those people

396
00:13:36,080 --> 00:13:38,200
are just sending themselves a daily weather report

397
00:13:38,200 --> 00:13:39,720
or a happy Friday GIF.

398
00:13:39,720 --> 00:13:41,680
That isn't transformation, that is just noise.

399
00:13:41,680 --> 00:13:42,760
And that noise has a cost.

400
00:13:42,760 --> 00:13:44,040
It costs licensing fees.

401
00:13:44,040 --> 00:13:45,360
It costs storage.

402
00:13:45,360 --> 00:13:47,720
It costs the attention of your security team

403
00:13:47,720 --> 00:13:49,520
who has to monitor all that traffic.

404
00:13:49,520 --> 00:13:52,040
We are measuring the wrong side of the equation.

405
00:13:52,040 --> 00:13:54,920
We are measuring the input and hoping the output just takes care

406
00:13:54,920 --> 00:13:55,440
of itself.

407
00:13:55,440 --> 00:13:58,040
The reason this happens is that activity is easy to track.

408
00:13:58,040 --> 00:13:59,200
Impact is hard.

409
00:13:59,200 --> 00:14:01,240
It requires you to understand the business process

410
00:14:01,240 --> 00:14:02,720
before you automate it.

411
00:14:02,720 --> 00:14:05,080
It requires you to ask how long did this take before

412
00:14:05,080 --> 00:14:06,840
and how long does it take now?

413
00:14:06,840 --> 00:14:10,240
Most COEs skip that step because they want to move fast.

414
00:14:10,240 --> 00:14:11,600
They want to show high adoption numbers

415
00:14:11,600 --> 00:14:13,000
to justify their budget.

416
00:14:13,000 --> 00:14:14,720
But high adoption of low-value tasks

417
00:14:14,720 --> 00:14:16,640
is a net loss for the enterprise.

418
00:14:16,640 --> 00:14:19,560
You're in a situation where the complexity of the environment

419
00:14:19,560 --> 00:14:20,920
is growing exponentially.

420
00:14:20,920 --> 00:14:23,280
But the efficiency of the business is staying flat.

421
00:14:23,280 --> 00:14:24,640
That is a structural failure.

422
00:14:24,640 --> 00:14:27,080
We need to pivot to impact metrics.

423
00:14:27,080 --> 00:14:28,600
This is where the conversation changes.

424
00:14:28,600 --> 00:14:31,080
Stop talking about how many people have the maker license.

425
00:14:31,080 --> 00:14:32,880
Start talking about how much manual work

426
00:14:32,880 --> 00:14:35,120
we actually removed from the system this quarter.

427
00:14:35,120 --> 00:14:38,800
Instead of total flows, track total manual hours saved.

428
00:14:38,800 --> 00:14:41,120
Instead of makers onboarded, track number

429
00:14:41,120 --> 00:14:43,440
of mission-critical processes fixed.

430
00:14:43,440 --> 00:14:46,400
This shift forces the COE to become a business partner

431
00:14:46,400 --> 00:14:48,200
rather than just a software provider.

432
00:14:48,200 --> 00:14:49,560
You start looking for the bottlenecks

433
00:14:49,560 --> 00:14:51,880
in the finance department or the supply chain

434
00:14:51,880 --> 00:14:53,800
and you target your enablement efforts there.

435
00:14:53,800 --> 00:14:56,960
You're no longer just throwing tools at a wall to see what sticks.

436
00:14:56,960 --> 00:14:59,680
In one audit, we found a company that had reduced its makers

437
00:14:59,680 --> 00:15:03,880
by 50% but increased its measurable ROI by 300%.

438
00:15:03,880 --> 00:15:05,680
They did this by shutting down the toy apps

439
00:15:05,680 --> 00:15:07,520
and focusing their best citizen developers

440
00:15:07,520 --> 00:15:10,080
on high-impact workflows like invoice reconciliation

441
00:15:10,080 --> 00:15:11,400
and contract approvals.

442
00:15:11,400 --> 00:15:13,000
They stopped measuring activity

443
00:15:13,000 --> 00:15:15,920
and started measuring the delta in their operational costs.

444
00:15:15,920 --> 00:15:18,800
The leadership didn't care that there were fewer people building.

445
00:15:18,800 --> 00:15:20,560
They cared that the people who were building

446
00:15:20,560 --> 00:15:22,040
were actually moving the needle.

447
00:15:22,040 --> 00:15:24,760
If you remember nothing else from this section, remember this.

448
00:15:24,760 --> 00:15:27,440
A thousand flows that do nothing are a liability.

449
00:15:27,440 --> 00:15:29,880
One flow that saves a thousand hours is an asset.

450
00:15:29,880 --> 00:15:31,920
Your metrics should reflect that reality.

451
00:15:31,920 --> 00:15:34,280
Stop counting the crowd and start counting the impact.

452
00:15:34,280 --> 00:15:36,760
If your COE is just a dashboard of rising bar charts

453
00:15:36,760 --> 00:15:38,520
with no connection to the bottom line,

454
00:15:38,520 --> 00:15:39,960
you aren't leading a transformation.

455
00:15:39,960 --> 00:15:42,840
You're just managing a very expensive hobbyist club.

456
00:15:42,840 --> 00:15:46,040
The shift to 2026 requires us to be more disciplined.

457
00:15:46,040 --> 00:15:48,720
We need to prove that every dollar spent on the platform

458
00:15:48,720 --> 00:15:50,760
is returning $5 in efficiency.

459
00:15:50,760 --> 00:15:52,520
That only happens when you stop measuring the who

460
00:15:52,520 --> 00:15:54,200
and start measuring the what.

461
00:15:54,200 --> 00:15:56,760
Focus on the processes we fundamentally changed.

462
00:15:56,760 --> 00:15:58,440
That is the only metric that matters.

463
00:15:58,440 --> 00:16:01,360
And the pivot from gatekeeper to control plane.

464
00:16:01,360 --> 00:16:03,440
The 2026 model for a center of excellence

465
00:16:03,440 --> 00:16:04,640
isn't a committee meeting.

466
00:16:04,640 --> 00:16:06,560
It is an automated control plane.

467
00:16:06,560 --> 00:16:09,120
We are moving toward a world where governance is always on.

468
00:16:09,120 --> 00:16:11,840
Remediation happens in milliseconds, not weeks.

469
00:16:11,840 --> 00:16:14,840
This shift requires us to embrace tools like Agent 365

470
00:16:14,840 --> 00:16:17,480
to manage the sheer volume of AI-driven automation.

471
00:16:17,480 --> 00:16:20,400
We are replacing the manual checklist with policy as code.

472
00:16:20,400 --> 00:16:21,640
This allows the system to handle

473
00:16:21,640 --> 00:16:24,280
90% of routine tasks automatically.

474
00:16:24,280 --> 00:16:26,240
Humans can then focus their limited attention

475
00:16:26,240 --> 00:16:30,440
on the 10% of high-risk logic that defines enterprise strategy.

476
00:16:30,440 --> 00:16:32,440
Managed environments and automated guardrails

477
00:16:32,440 --> 00:16:34,160
turn the COE from a no-department

478
00:16:34,160 --> 00:16:35,720
into a safe-to-scale department.

479
00:16:35,720 --> 00:16:37,360
Think of it as a structural upgrade.

480
00:16:37,360 --> 00:16:40,000
We are replacing the velvet rope with a paved road.

481
00:16:40,000 --> 00:16:41,520
Our goal is to make the right thing

482
00:16:41,520 --> 00:16:43,560
the easiest thing for every maker to do.

483
00:16:43,560 --> 00:16:45,080
Digital transformation doesn't happen

484
00:16:45,080 --> 00:16:47,560
when you hire more reviewers to stare at screens.

485
00:16:47,560 --> 00:16:50,320
It happens when you automate the review process itself.

486
00:16:50,320 --> 00:16:52,320
You are building a system that observes, governs,

487
00:16:52,320 --> 00:16:53,800
and secures by design.

488
00:16:53,800 --> 00:16:55,880
This control plane approach provides visibility

489
00:16:55,880 --> 00:16:57,680
that a human board could never achieve.

490
00:16:57,680 --> 00:16:59,720
You can see data lineage across every agent.

491
00:16:59,720 --> 00:17:02,440
You can enforce identity boundaries at the moment of creation.

492
00:17:02,440 --> 00:17:03,720
You move from being a bottleneck

493
00:17:03,720 --> 00:17:06,560
to being an architect of a self-sustaining ecosystem.

494
00:17:06,560 --> 00:17:08,280
This isn't just about efficiency.

495
00:17:08,280 --> 00:17:11,160
It's about survival in an era of agentic workflows.

496
00:17:11,160 --> 00:17:13,600
When an AI can generate 100 flows in an hour,

497
00:17:13,600 --> 00:17:15,280
a human reviewer is a joke.

498
00:17:15,280 --> 00:17:17,160
You need a machine to govern the machine.

499
00:17:17,160 --> 00:17:18,760
By moving your rules into the code,

500
00:17:18,760 --> 00:17:21,800
you ensure that compliance is a constant, not a variable.

501
00:17:21,800 --> 00:17:23,920
You provide the business with the speed they demand

502
00:17:23,920 --> 00:17:25,480
while keeping the enterprise safe

503
00:17:25,480 --> 00:17:27,200
from the chaos of ungoverned growth.

504
00:17:27,200 --> 00:17:28,320
That is the new standard.

505
00:17:28,320 --> 00:17:29,960
We stop being the police and start being

506
00:17:29,960 --> 00:17:31,160
the engineers of the highway.

507
00:17:31,160 --> 00:17:33,520
It is a fundamental change in how we define our value

508
00:17:33,520 --> 00:17:34,720
to the organization.

509
00:17:34,720 --> 00:17:37,120
We provide the infrastructure for innovation,

510
00:17:37,120 --> 00:17:38,200
not the permission.

511
00:17:39,160 --> 00:17:41,600
I didn't see 10 different failures in those audits.

512
00:17:41,600 --> 00:17:44,560
I saw the same flawed system failing in 10 different places.

513
00:17:44,560 --> 00:17:46,720
CoEs don't fail because they lack control.

514
00:17:46,720 --> 00:17:50,160
They fail because they apply it too late in the process.

515
00:17:50,160 --> 00:17:52,720
If your governance model still requires a human signature

516
00:17:52,720 --> 00:17:54,800
for a low-code app, you aren't governing.

517
00:17:54,800 --> 00:17:56,880
You're just waiting for the system to break.

518
00:17:56,880 --> 00:17:57,880
Stop being a bottleneck.

519
00:17:57,880 --> 00:17:59,160
Start being an architect.

520
00:17:59,160 --> 00:18:01,600
Move your rules into the code and let the business run.

521
00:18:01,600 --> 00:18:03,920
If this audit changed how you think about your Power Platform

522
00:18:03,920 --> 00:18:06,760
strategy, connect with me, Mirko Peters, on LinkedIn.

523
00:18:06,760 --> 00:18:09,560
Please leave a review for the M365FM podcast.

524
00:18:09,560 --> 00:18:12,160
It helps more leaders find the structural clarity they need

525
00:18:12,160 --> 00:18:14,200
to actually scale their digital transformation.

526
00:18:14,200 --> 00:18:15,960
Stop waiting for meetings and start building

527
00:18:15,960 --> 00:18:18,000
the control plane your enterprise deserves.

528
00:18:18,000 --> 00:18:19,240
Now is the time to pivot.

Mirko Peters

Founder of m365.fm, m365.show and m365con.net

Mirko Peters is a Microsoft 365 expert, content creator, and founder of m365.fm, a platform dedicated to sharing practical insights on modern workplace technologies. His work focuses on Microsoft 365 governance, security, collaboration, and real-world implementation strategies.

Through his podcast and written content, Mirko provides hands-on guidance for IT professionals, architects, and business leaders navigating the complexities of Microsoft 365. He is known for translating complex topics into clear, actionable advice, often highlighting common mistakes and overlooked risks in real-world environments.

With a strong emphasis on community contribution and knowledge sharing, Mirko is actively building a platform that connects experts, shares experiences, and helps organizations get the most out of their Microsoft 365 investments.