The 7 Deadly Sins of Microsoft Enterprise Architecture: Why Most Tenants Leak Millions in Invisible Inefficiency

1
00:00:00,000 --> 00:00:04,280
Most organizations treat Microsoft 365 as a collection of features to be purchased.

2
00:00:04,280 --> 00:00:05,280
They are wrong.

3
00:00:05,280 --> 00:00:07,880
What they're actually operating is an economic system.

4
00:00:07,880 --> 00:00:10,640
And like all systems, it leaks, not dramatically.

5
00:00:10,640 --> 00:00:12,160
Silently.

6
00:00:12,160 --> 00:00:14,800
Let me walk you through the seven patterns I see over and over.

7
00:00:14,800 --> 00:00:16,960
Each one individually looks manageable.

8
00:00:16,960 --> 00:00:20,040
Together they compound into what I call architectural entropy,

9
00:00:20,040 --> 00:00:23,400
the slow, invisible decay of value in your Microsoft tenant iter.

10
00:00:23,400 --> 00:00:26,440
Sin 1, the myth of procurement as strategy,

11
00:00:26,440 --> 00:00:27,680
the lie sound simple.

12
00:00:27,680 --> 00:00:30,040
Buy the right license, get the right outcome.

13
00:00:30,040 --> 00:00:34,360
Most organizations believe that purchasing e5 licenses equals digital transformation.

14
00:00:34,360 --> 00:00:36,560
They tell their CFO, they are modernizing.

15
00:00:36,560 --> 00:00:38,120
They renew annually.

16
00:00:38,120 --> 00:00:42,040
Nobody questions whether the capability they bought is actually creating value.

17
00:00:42,040 --> 00:00:43,160
Here's what happens instead.

18
00:00:43,160 --> 00:00:47,240
A global engineering firm with 5,000 seats decides to go digital.

19
00:00:47,240 --> 00:00:49,200
They land on e5 as the standard.

20
00:00:49,200 --> 00:00:52,040
90% adoption across the knowledge worker base.

21
00:00:52,040 --> 00:00:53,440
On paper, perfect.

22
00:00:53,440 --> 00:00:56,840
In reality, only a fraction of users ever touched the premium connectors.

23
00:00:56,840 --> 00:01:00,720
Co-pilot set unused, defender features were never operationalized.

24
00:01:00,720 --> 00:01:04,520
After 18 months, a rationalization audit revealed the truth.

25
00:01:04,520 --> 00:01:08,760
56% of those licenses were either inactive, underutilized,

26
00:01:08,760 --> 00:01:11,400
or completely misaligned with actual work patterns.

27
00:01:11,400 --> 00:01:13,960
Buy roll, buy region, buy function.

28
00:01:13,960 --> 00:01:15,240
The economic leakage?

29
00:01:15,240 --> 00:01:17,600
$1.6 million annually.

30
00:01:17,600 --> 00:01:20,720
They were financing architectural erosion without knowing it.

31
00:01:20,720 --> 00:01:23,320
This is what I mean by procurement masquerading as strategy.

32
00:01:23,320 --> 00:01:24,440
You bought a feature bundle.

33
00:01:24,440 --> 00:01:26,200
You mistook it for an operating model.

34
00:01:26,200 --> 00:01:28,360
The control plane fix is brutally simple.

35
00:01:28,360 --> 00:01:31,920
If you cannot map telemetry to quarterly value realization,

36
00:01:31,920 --> 00:01:34,680
if you cannot prove that the premium capabilities you paid for

37
00:01:34,680 --> 00:01:38,600
are actively driving business outcomes, then you don't have architecture.

38
00:01:38,600 --> 00:01:39,960
You have procurement.

39
00:01:39,960 --> 00:01:44,640
And procurement by definition has no accountability for the money after the check clears.

40
00:01:44,640 --> 00:01:46,680
Sin 2, permission sprawl.

41
00:01:46,680 --> 00:01:49,080
The authorization compiler nobody built.

42
00:01:49,080 --> 00:01:53,160
The next pattern is permission creep, and it's more dangerous than most organizations realize.

43
00:01:53,160 --> 00:01:57,040
In Entra ID, there's a default culture I call ad-only.

44
00:01:57,040 --> 00:01:58,040
Permissions get granted.

45
00:01:58,040 --> 00:01:59,680
They rarely get revoked.

46
00:01:59,680 --> 00:02:00,680
That's not in competence.

47
00:02:00,680 --> 00:02:01,680
That's design inertia.

48
00:02:01,680 --> 00:02:02,880
No one owns the life cycle.

49
00:02:02,880 --> 00:02:03,880
No one reviews it.

50
00:02:03,880 --> 00:02:04,880
So it accumulates.

51
00:02:04,880 --> 00:02:07,440
I audited a financial services firm last year.

52
00:02:07,440 --> 00:02:11,600
They discovered 847, often app registrations.

53
00:02:11,600 --> 00:02:15,640
Applications that were granted permissions three years ago for a pilot project that was abandoned.

54
00:02:15,640 --> 00:02:17,320
The permissions were never removed.

55
00:02:17,320 --> 00:02:22,440
The service principles still held Microsoft GraphRides to access tenant data, user information,

56
00:02:22,440 --> 00:02:23,720
mailbox contents.

57
00:02:23,720 --> 00:02:27,560
54% of IT leaders report complex identity and privilege sprawl.

58
00:02:27,560 --> 00:02:32,280
In large tenants, it's normal to have 200, 300, sometimes 400 privileged applications running

59
00:02:32,280 --> 00:02:35,000
with permissions that nobody can fully account for.

60
00:02:35,000 --> 00:02:36,600
Here's the economic consequence.

61
00:02:36,600 --> 00:02:37,600
Audit friction.

62
00:02:37,600 --> 00:02:38,920
Breach exposure.

63
00:02:38,920 --> 00:02:40,120
Operational paralysis.

64
00:02:40,120 --> 00:02:42,720
When a compliance team asks who has access to what?

65
00:02:42,720 --> 00:02:44,520
The answer takes weeks to assemble.

66
00:02:44,520 --> 00:02:45,640
And in a breach, you're blind.

67
00:02:45,640 --> 00:02:48,640
You don't know what was exposed because you don't know what permissions existed.

68
00:02:48,640 --> 00:02:53,160
The control plane fixes this treat permissions as entropy generators, not rewards.

69
00:02:53,160 --> 00:02:56,040
Design expiration into every access ground from the start.

70
00:02:56,040 --> 00:02:57,680
Enforced life cycle ownership.

71
00:02:57,680 --> 00:03:01,360
If an application's purpose has expired, its permissions expire with it.

72
00:03:01,360 --> 00:03:02,840
Automatically, this is not optional.

73
00:03:02,840 --> 00:03:04,360
This is architectural law.

74
00:03:04,360 --> 00:03:05,360
Sin, three.

75
00:03:05,360 --> 00:03:06,760
Tactical governance.

76
00:03:06,760 --> 00:03:08,480
The theater of compliance.

77
00:03:08,480 --> 00:03:10,920
Most organizations claim they have governance.

78
00:03:10,920 --> 00:03:12,360
What they actually have is theater.

79
00:03:12,360 --> 00:03:16,160
I walked into a healthcare organization with 72 teams governance policies.

80
00:03:16,160 --> 00:03:17,320
All of them documented.

81
00:03:17,320 --> 00:03:18,400
None of them automated.

82
00:03:18,400 --> 00:03:20,040
They relied on manual approvals.

83
00:03:20,040 --> 00:03:21,360
On reactive policing.

84
00:03:21,360 --> 00:03:22,600
On human bottlenecks.

85
00:03:22,600 --> 00:03:24,400
On inconsistent enforcement.

86
00:03:24,400 --> 00:03:26,720
How many manual hours went into that every year?

87
00:03:26,720 --> 00:03:27,720
4,000.

88
00:03:27,720 --> 00:03:28,720
Minimum.

89
00:03:28,720 --> 00:03:31,480
Someone's job was refreshing spreadsheets and sending escalation emails.

90
00:03:31,480 --> 00:03:36,360
72% of organizations cannot enforce full governance policies at scale.

91
00:03:36,360 --> 00:03:37,600
And the reason is always the same.

92
00:03:37,600 --> 00:03:41,120
They build governance as a control function instead of a system's layer.

93
00:03:41,120 --> 00:03:43,680
The economic consequence is hidden but substantial.

94
00:03:43,680 --> 00:03:46,240
4,000 hours annually per organization.

95
00:03:46,240 --> 00:03:49,120
It's two full-time employees just maintaining compliance theater.

96
00:03:49,120 --> 00:03:50,120
And it's fragile.

97
00:03:50,120 --> 00:03:51,160
One person leaves.

98
00:03:51,160 --> 00:03:52,160
The policies drift.

99
00:03:52,160 --> 00:03:53,520
The system decays.

100
00:03:53,520 --> 00:03:55,000
The fix is existential.

101
00:03:55,000 --> 00:03:57,600
Governance that isn't code is just a suggestion.

102
00:03:57,600 --> 00:04:02,080
If you're still relying on PDF policies and SharePoint checklists and email approvals,

103
00:04:02,080 --> 00:04:04,520
you have compliance theater, not compliance.

104
00:04:04,520 --> 00:04:05,520
Automated.

105
00:04:05,520 --> 00:04:06,520
Make it part of the system.

106
00:04:06,520 --> 00:04:07,520
Make violations impossible.

107
00:04:07,520 --> 00:04:08,520
Not just monitored.

108
00:04:08,520 --> 00:04:10,920
If you cannot automate it, you don't actually have governance.

109
00:04:10,920 --> 00:04:11,920
You have hope.

110
00:04:11,920 --> 00:04:12,920
Sin 4.

111
00:04:12,920 --> 00:04:13,920
Appworship.

112
00:04:13,920 --> 00:04:14,920
Confusing output.

113
00:04:14,920 --> 00:04:17,680
Enterprises celebrate app proliferation.

114
00:04:17,680 --> 00:04:19,720
We shipped 50 power apps this year.

115
00:04:19,720 --> 00:04:21,280
Citizen developers are empowered.

116
00:04:21,280 --> 00:04:22,760
Feature velocity is accelerating.

117
00:04:22,760 --> 00:04:24,040
But here's what actually happened.

118
00:04:24,040 --> 00:04:26,200
You created 50 new maintenance liabilities.

119
00:04:26,200 --> 00:04:28,040
50 new surface area multipliers.

120
00:04:28,040 --> 00:04:30,680
Every app is another piece of code someone has to support.

121
00:04:30,680 --> 00:04:32,240
Another integration that can fail.

122
00:04:32,240 --> 00:04:33,520
Another attack surface to defend.

123
00:04:33,520 --> 00:04:37,200
A mid-market organization had 340 power apps in their tenant.

124
00:04:37,200 --> 00:04:39,760
127 of them had never been used.

125
00:04:39,760 --> 00:04:40,760
Nobody owned them.

126
00:04:40,760 --> 00:04:41,760
Nobody maintained them.

127
00:04:41,760 --> 00:04:42,960
They were digital craft.

128
00:04:42,960 --> 00:04:46,560
Systemic causes structural builders get rewarded for creation.

129
00:04:46,560 --> 00:04:47,560
Architects are invisible.

130
00:04:47,560 --> 00:04:52,120
So the tenant fills up with applications that looked good in isolation, but create a technical

131
00:04:52,120 --> 00:04:53,120
debt at scale.

132
00:04:53,120 --> 00:04:55,880
The economic consequence is support overhead.

133
00:04:55,880 --> 00:04:56,880
Compliance risk.

134
00:04:56,880 --> 00:04:57,880
Vendorsprone.

135
00:04:57,880 --> 00:05:02,120
When you have 340 applications, the complexity of governance becomes overwhelming.

136
00:05:02,120 --> 00:05:03,880
Entitlements multiply.

137
00:05:03,880 --> 00:05:05,080
Integrations tangle.

138
00:05:05,080 --> 00:05:06,680
Security becomes impossible to manage.

139
00:05:06,680 --> 00:05:08,760
The control plane fixes architectural zoning.

140
00:05:08,760 --> 00:05:10,080
Stop counting apps.

141
00:05:10,080 --> 00:05:12,160
Start counting technical debt surface area.

142
00:05:12,160 --> 00:05:13,960
Enforce life cycle ownership.

143
00:05:13,960 --> 00:05:17,960
Decommission anything that doesn't have a clear owner and a business justification.

144
00:05:17,960 --> 00:05:21,000
Treat app portfolios the way you treat real estate.

145
00:05:21,000 --> 00:05:23,560
Not every building belongs in your district.

146
00:05:23,560 --> 00:05:24,560
Sin 5.

147
00:05:24,560 --> 00:05:25,560
AI chaos.

148
00:05:25,560 --> 00:05:26,920
Agents without boundaries.

149
00:05:26,920 --> 00:05:28,240
This one is still forming.

150
00:05:28,240 --> 00:05:29,920
Most organizations don't see it yet.

151
00:05:29,920 --> 00:05:31,480
That's the danger.

152
00:05:31,480 --> 00:05:35,040
Organizations are deploying co-pilot onto flat, unclassified data structures.

153
00:05:35,040 --> 00:05:38,680
They're standing up co-pilot studio agents without defining what data those agents can

154
00:05:38,680 --> 00:05:39,680
access.

155
00:05:39,680 --> 00:05:42,920
Accelerating AI adoption while data governance lags behind.

156
00:05:42,920 --> 00:05:43,920
Here's what I mean.

157
00:05:43,920 --> 00:05:48,760
An enterprise co-pilot pilot, six weeks in, discovered that custom agents were accessing

158
00:05:48,760 --> 00:05:52,000
personally identifiable information without classification.

159
00:05:52,000 --> 00:05:55,560
They were reading payroll data, benefit information, address records.

160
00:05:55,560 --> 00:06:00,240
All available because the data was unclassified and the agent permissions were unrestricted,

161
00:06:00,240 --> 00:06:02,760
the economic consequence is immediate and expensive.

162
00:06:02,760 --> 00:06:04,080
Security retrofits.

163
00:06:04,080 --> 00:06:06,880
Co-pilot studio credits burning through the budget.

164
00:06:06,880 --> 00:06:11,840
Every exposure, compliance re-ordered, all because someone deployed AI without architectural

165
00:06:11,840 --> 00:06:12,840
zoning.

166
00:06:12,840 --> 00:06:16,120
49% of AI programs stole due to unclear value.

167
00:06:16,120 --> 00:06:19,560
80% of Fortune 500 use agents without formal governance.

168
00:06:19,560 --> 00:06:24,560
The pattern is familiar, speed first, architecture second, then disaster.

169
00:06:24,560 --> 00:06:26,520
The fix is non-negotiable.

170
00:06:26,520 --> 00:06:29,440
Define data boundaries before deploying agents.

171
00:06:29,440 --> 00:06:33,920
Classified data, tier agents by risk, enforce data access via identity and policy.

172
00:06:33,920 --> 00:06:38,600
Meet AI not as a feature to ship, but as a governance layer that has to sit on top of solid

173
00:06:38,600 --> 00:06:39,840
data architecture.

174
00:06:39,840 --> 00:06:42,840
If your data foundation is weak, AI amplifies the weakness.

175
00:06:42,840 --> 00:06:44,160
It doesn't fix it.

176
00:06:44,160 --> 00:06:47,000
Since six, builder bias, the architect vacuum.

177
00:06:47,000 --> 00:06:49,480
Here's a pattern that explains everything else.

178
00:06:49,480 --> 00:06:51,400
Enterprises promote the person who knows the buttons.

179
00:06:51,400 --> 00:06:54,680
They re-roared builders, they celebrate features shipped.

180
00:06:54,680 --> 00:06:58,960
An architect, the people thinking about system resilience, about decay, about integration

181
00:06:58,960 --> 00:06:59,960
costs.

182
00:06:59,960 --> 00:07:01,120
Those people are invisible.

183
00:07:01,120 --> 00:07:06,040
An IT director recently hired a power platform expert and fired the identity architect.

184
00:07:06,040 --> 00:07:07,640
The reasoning was straightforward.

185
00:07:07,640 --> 00:07:09,120
We need builders right now.

186
00:07:09,120 --> 00:07:11,360
Strategy can wait.

187
00:07:11,360 --> 00:07:13,000
What actually happened was structural.

188
00:07:13,000 --> 00:07:16,800
Without architects enforcing design constraints, the platform started accumulating entropy

189
00:07:16,800 --> 00:07:17,800
faster.

190
00:07:17,800 --> 00:07:21,520
Features shipped, systems decayed, technical debt compounded.

191
00:07:21,520 --> 00:07:25,200
The economic consequence is an 18 month productivity wall.

192
00:07:25,200 --> 00:07:28,960
Initial gains from rapid development flatten, then performance degrades, then your managing

193
00:07:28,960 --> 00:07:31,320
technical debt instead of shipping features.

194
00:07:31,320 --> 00:07:33,400
The systemic problem is organizational.

195
00:07:33,400 --> 00:07:38,640
Only 23% of organizations have formal AI agent identity strategy.

196
00:07:38,640 --> 00:07:39,880
Ownership is fragmented.

197
00:07:39,880 --> 00:07:41,600
Seasows, see security risks.

198
00:07:41,600 --> 00:07:42,600
Builders see opportunity.

199
00:07:42,600 --> 00:07:43,600
Finance sees cost.

200
00:07:43,600 --> 00:07:45,440
Nobody is looking at the system as a whole.

201
00:07:45,440 --> 00:07:47,840
The control plane fix requires a mindset shift.

202
00:07:47,840 --> 00:07:50,040
Treat architects as leverage engineers.

203
00:07:50,040 --> 00:07:51,520
Not cost centers.

204
00:07:51,520 --> 00:07:55,160
Measure them by system health, by entropy reduction, by the number of future problems they

205
00:07:55,160 --> 00:07:56,400
prevent.

206
00:07:56,400 --> 00:07:58,120
Builders create visible value.

207
00:07:58,120 --> 00:07:59,600
Builders create invisible value.

208
00:07:59,600 --> 00:08:00,760
Invisible value is just as real.

209
00:08:00,760 --> 00:08:02,480
It's just harder to see.

210
00:08:02,480 --> 00:08:03,480
Sin 7.

211
00:08:03,480 --> 00:08:04,480
Licensing blindness.

212
00:08:04,480 --> 00:08:05,680
Capacity is strategy.

213
00:08:05,680 --> 00:08:09,200
The final sin is the most expensive because it's the most normalized.

214
00:08:09,200 --> 00:08:12,120
Organizations renew E5 because it's what we do.

215
00:08:12,120 --> 00:08:14,560
Not because they've mapped capability to value.

216
00:08:14,560 --> 00:08:17,560
Not because they've assessed whether users actually need premium features.

217
00:08:17,560 --> 00:08:21,200
Not because they've measured adoption of the capabilities they're already paying for.

218
00:08:21,200 --> 00:08:23,320
Meanwhile, shadow IT thrives.

219
00:08:23,320 --> 00:08:26,040
Users on basic skews accomplish the same roles.

220
00:08:26,040 --> 00:08:27,400
Premium features sit idle.

221
00:08:27,400 --> 00:08:31,560
The licensing strategy becomes a budget line item, not an architectural lever.

222
00:08:31,560 --> 00:08:32,560
Real numbers.

223
00:08:32,560 --> 00:08:37,160
An enterprise paying $2.1 million annually for E5 across the board.

224
00:08:37,160 --> 00:08:41,840
A rationalization audit found that 34% of those users could perform their exact same

225
00:08:41,840 --> 00:08:43,080
role on business standard.

226
00:08:43,080 --> 00:08:45,240
They had no need for the premium connector library.

227
00:08:45,240 --> 00:08:46,440
They didn't use co-pilot.

228
00:08:46,440 --> 00:08:49,560
They didn't need advanced threat protection beyond what business standard includes.

229
00:08:49,560 --> 00:08:53,120
The economic consequence is orthogonal to what most organizations see.

230
00:08:53,120 --> 00:08:55,440
It's not just the cost of unused licenses.

231
00:08:55,440 --> 00:08:59,080
It's the cost of not using licensing as a behavioral incentive.

232
00:08:59,080 --> 00:09:03,120
If your licensing skew is aligned to roles and capabilities, then it drives adoption.

233
00:09:03,120 --> 00:09:06,040
It forces you to make decisions about what's actually needed.

234
00:09:06,040 --> 00:09:09,320
The control plane fix is this licensing skew is a behavioral lever.

235
00:09:09,320 --> 00:09:10,320
Use it.

236
00:09:10,320 --> 00:09:13,800
If you're paying for E5 across the board, you've removed the constraint that forces architectural

237
00:09:13,800 --> 00:09:14,800
discipline.

238
00:09:14,800 --> 00:09:17,360
You've said effectively that everyone gets access to everything.

239
00:09:17,360 --> 00:09:18,360
That's not strategy.

240
00:09:18,360 --> 00:09:20,000
That's capitulation.

241
00:09:20,000 --> 00:09:22,440
These seven sins are patterns, not anomalies.

242
00:09:22,440 --> 00:09:23,760
They compound.

243
00:09:23,760 --> 00:09:25,400
Permission sprawl feeds abs sprawl.

244
00:09:25,400 --> 00:09:28,280
Conconcing blindness enables governance theatre.

245
00:09:28,280 --> 00:09:30,880
Procurement strategy masks the absence of architecture.

246
00:09:30,880 --> 00:09:33,280
Together they create what I call the leakage model.

247
00:09:33,280 --> 00:09:37,160
Millions of dollars in invisible inefficiency that nobody's measuring because nobody owns

248
00:09:37,160 --> 00:09:38,160
the outcome.

249
00:09:38,160 --> 00:09:39,160
That's the diagnosis.

250
00:09:39,160 --> 00:09:41,160
That's what we're actually operating here.

251
00:09:41,160 --> 00:09:43,160
The umbrella sin control plane neglect.

252
00:09:43,160 --> 00:09:45,120
These seven sins don't exist in isolation.

253
00:09:45,120 --> 00:09:46,440
They're not random failures.

254
00:09:46,440 --> 00:09:49,200
They're all symptoms of one structural absence.

255
00:09:49,200 --> 00:09:51,600
That absence is what I want to talk about now.

256
00:09:51,600 --> 00:09:55,360
Operating without a system's layer means entropy becomes your default operating system.

257
00:09:55,360 --> 00:09:56,360
You don't have governance.

258
00:09:56,360 --> 00:09:58,680
You have chaos with policies written on top of it.

259
00:09:58,680 --> 00:09:59,680
You don't have architecture.

260
00:09:59,680 --> 00:10:01,680
You have a platform which is something else entirely.

261
00:10:01,680 --> 00:10:03,080
Here is how it manifests.

262
00:10:03,080 --> 00:10:07,720
A 10,000 seat organization I worked with had EntraID governed by one team.

263
00:10:07,720 --> 00:10:09,080
Intune handled by another.

264
00:10:09,080 --> 00:10:11,080
Microsoft Defender managed separately.

265
00:10:11,080 --> 00:10:12,080
Per view.

266
00:10:12,080 --> 00:10:14,320
Data governance owned by compliance.

267
00:10:14,320 --> 00:10:17,280
Teams and SharePoint loosely monitored by service adoption.

268
00:10:17,280 --> 00:10:19,760
Nobody was looking at identity to app orchestration.

269
00:10:19,760 --> 00:10:23,360
Nobody was enforcing zoning and tearing across the entire system.

270
00:10:23,360 --> 00:10:24,880
Every service had its own policies.

271
00:10:24,880 --> 00:10:26,240
Its own approval workflows.

272
00:10:26,240 --> 00:10:27,960
Its own definitions of security baseline.

273
00:10:27,960 --> 00:10:30,920
What that organization actually had wasn't a security posture.

274
00:10:30,920 --> 00:10:34,240
It was security theater orchestrated across five different teams.

275
00:10:34,240 --> 00:10:35,640
The systemic causes this.

276
00:10:35,640 --> 00:10:39,960
Most organizations treat Microsoft Cloud as a collection of disconnected services.

277
00:10:39,960 --> 00:10:41,120
Identity over here.

278
00:10:41,120 --> 00:10:42,720
Data governance over there.

279
00:10:42,720 --> 00:10:44,120
Application somewhere else.

280
00:10:44,120 --> 00:10:45,280
Compliance in a separate silo.

281
00:10:45,280 --> 00:10:47,680
This creates what I call policy fragmentation.

282
00:10:47,680 --> 00:10:49,840
Each domain solves its own problems locally.

283
00:10:49,840 --> 00:10:53,800
But there's no layer that decides how those domains interact, how data flows from one

284
00:10:53,800 --> 00:10:55,040
system to another.

285
00:10:55,040 --> 00:10:59,400
How a user's access in EntraID connects to what they can do in SharePoint, what they can

286
00:10:59,400 --> 00:11:01,080
see in a co-pilot agent.

287
00:11:01,080 --> 00:11:02,800
That connecting layer, that's the control plane.

288
00:11:02,800 --> 00:11:04,320
And most organizations don't have one.

289
00:11:04,320 --> 00:11:07,760
The economic consequence of operating without it is staggering.

290
00:11:07,760 --> 00:11:12,400
That 10,000 seat organization, 3.2 million in unrealized productivity benefits over three

291
00:11:12,400 --> 00:11:13,400
years.

292
00:11:13,400 --> 00:11:14,520
Not because they lacked features.

293
00:11:14,520 --> 00:11:16,760
They had every Microsoft feature available.

294
00:11:16,760 --> 00:11:21,520
But because those features weren't integrated into a system, users couldn't find information.

295
00:11:21,520 --> 00:11:23,320
Admins couldn't trust their governance.

296
00:11:23,320 --> 00:11:25,800
They had no way to enforce decisions at scale.

297
00:11:25,800 --> 00:11:28,880
Control plane absence also means security debt accumulates.

298
00:11:28,880 --> 00:11:31,080
When EntraID policies drift, you don't know it.

299
00:11:31,080 --> 00:11:34,120
When SharePoint permissions exceed your threshold, there's nobody watching.

300
00:11:34,120 --> 00:11:38,240
When a co-pilot agent is accessing data you never approved, the policy layer doesn't catch

301
00:11:38,240 --> 00:11:39,240
it.

302
00:11:39,240 --> 00:11:40,240
Each service does its best.

303
00:11:40,240 --> 00:11:43,920
But there's no circuit breaker, no orchestration, no central place where someone says,

304
00:11:43,920 --> 00:11:46,440
no, that violates our architecture.

305
00:11:46,440 --> 00:11:48,920
The control plane fix requires a foundational shift.

306
00:11:48,920 --> 00:11:51,600
You have to build a unified policy compilation layer.

307
00:11:51,600 --> 00:11:55,200
Create Identity, EntraID as the control plane backbone.

308
00:11:55,200 --> 00:11:58,880
Make it the place where you define not just who can access what, but what that access means

309
00:11:58,880 --> 00:12:00,240
across your entire system.

310
00:12:00,240 --> 00:12:03,480
A user is an employee, a contractor, a vendor, a guest.

311
00:12:03,480 --> 00:12:07,960
Once you make that decision in Identity, every other system, Defender, PerView, Teams, SharePoint

312
00:12:07,960 --> 00:12:09,560
should inherit that context.

313
00:12:09,560 --> 00:12:11,240
Not ask for it separately.

314
00:12:11,240 --> 00:12:13,960
Inherited, then enforce cross-platform orchestration.

315
00:12:13,960 --> 00:12:17,840
If a user's EntraID role says they're in finance that determines their default access

316
00:12:17,840 --> 00:12:20,000
to financial data in SharePoint.

317
00:12:20,000 --> 00:12:23,040
If they're classified as guest, that determines what they see in Teams.

318
00:12:23,040 --> 00:12:27,240
If a co-pilot agent is tagged as accessing customer data, its identity and permissions

319
00:12:27,240 --> 00:12:29,120
flow from a single source of truth.

320
00:12:29,120 --> 00:12:30,480
Let me define this precisely.

321
00:12:30,480 --> 00:12:34,880
A control plane is the system that makes decisions about how other systems behave.

322
00:12:34,880 --> 00:12:36,400
It's the layer above execution.

323
00:12:36,400 --> 00:12:38,600
It's where intent is translated into policy.

324
00:12:38,600 --> 00:12:42,720
Without it, you have a platform, individual services, operating independently.

325
00:12:42,720 --> 00:12:43,880
With it, you have architecture.

326
00:12:43,880 --> 00:12:45,120
You have a system.

327
00:12:45,120 --> 00:12:46,640
Most organizations have the first.

328
00:12:46,640 --> 00:12:48,080
Almost none have the second.

329
00:12:48,080 --> 00:12:52,080
And that distinction is the difference between leaking millions invisibly and knowing exactly

330
00:12:52,080 --> 00:12:53,560
where your money is going.

331
00:12:53,560 --> 00:12:57,440
That distinction is the difference between a security posture and security theater.

332
00:12:57,440 --> 00:13:00,480
That distinction is the difference between governance that works and governance that's

333
00:13:00,480 --> 00:13:01,800
just a suggestion.

334
00:13:01,800 --> 00:13:03,800
People ignore when it inconveniences them.

335
00:13:03,800 --> 00:13:05,880
This is what makes the seven sins actually dangerous.

336
00:13:05,880 --> 00:13:07,560
It's not that they exist independently.

337
00:13:07,560 --> 00:13:11,280
It's that they compound because there's no central control layer catching them, measuring

338
00:13:11,280 --> 00:13:13,480
them, stopping them from spiraling.

339
00:13:13,480 --> 00:13:16,080
Without control plane architecture, you're not managing a system.

340
00:13:16,080 --> 00:13:18,640
You're managing a collection of problems.

341
00:13:18,640 --> 00:13:19,640
Sin 2.

342
00:13:19,640 --> 00:13:20,640
Permission sprawl.

343
00:13:20,640 --> 00:13:22,080
The authorization compiler nobody built.

344
00:13:22,080 --> 00:13:24,440
The next pattern I see constantly is permission creep.

345
00:13:24,440 --> 00:13:28,680
And it's more dangerous than most organizations realize because it operates silently, compounding

346
00:13:28,680 --> 00:13:30,440
over years while nobody's watching.

347
00:13:30,440 --> 00:13:32,960
In EntraID, there's a default culture I call ad-only.

348
00:13:32,960 --> 00:13:34,280
And permissions get granted.

349
00:13:34,280 --> 00:13:35,760
They rarely get revoked.

350
00:13:35,760 --> 00:13:36,760
That's not incompetence.

351
00:13:36,760 --> 00:13:38,560
That's architectural inertia.

352
00:13:38,560 --> 00:13:39,880
No life cycle ownership.

353
00:13:39,880 --> 00:13:41,320
No systematic review.

354
00:13:41,320 --> 00:13:43,680
No exploration mechanism built into the systems.

355
00:13:43,680 --> 00:13:45,400
So it accumulates.

356
00:13:45,400 --> 00:13:46,400
Here's how it works.

357
00:13:46,400 --> 00:13:49,680
A developer needs access to a specific Microsoft Graph endpoint.

358
00:13:49,680 --> 00:13:51,080
An application gets registered.

359
00:13:51,080 --> 00:13:52,080
It receives permissions.

360
00:13:52,080 --> 00:13:53,080
The project succeeds.

361
00:13:53,080 --> 00:13:54,480
The developer moves on.

362
00:13:54,480 --> 00:13:58,560
And the application registration sits there still holding permissions because nobody owned

363
00:13:58,560 --> 00:14:00,040
the task of sunsetting it.

364
00:14:00,040 --> 00:14:02,360
I audited a financial services firm last year.

365
00:14:02,360 --> 00:14:07,520
They discovered 847, often app registrations.

366
00:14:07,520 --> 00:14:10,800
Applications that were granted permissions three, four, sometimes five years ago for pilots

367
00:14:10,800 --> 00:14:12,040
that were abandoned.

368
00:14:12,040 --> 00:14:13,520
The permissions were never removed.

369
00:14:13,520 --> 00:14:18,120
The service principle still held Microsoft GraphRites to access tenant data, user information,

370
00:14:18,120 --> 00:14:19,480
mailbox contents.

371
00:14:19,480 --> 00:14:22,200
Some of them had credentials that hadn't been rotated in years.

372
00:14:22,200 --> 00:14:26,960
54% of IT leaders report complex identity and privilege sprawl in their environments.

373
00:14:26,960 --> 00:14:31,760
In a large tenant, it's normal to have 200, 300, sometimes 400 privileged applications running

374
00:14:31,760 --> 00:14:35,800
simultaneously with permissions that nobody can fully account for.

375
00:14:35,800 --> 00:14:41,000
Add in the growth of automation, AI agents and custom integrations, and that number explodes.

376
00:14:41,000 --> 00:14:45,320
125 or more apps holding elevator drives is no longer anomalous.

377
00:14:45,320 --> 00:14:46,320
It's expected.

378
00:14:46,320 --> 00:14:47,560
And here's what makes it dangerous.

379
00:14:47,560 --> 00:14:51,560
Each of these applications is a potential entry point, not just for attackers, for compliance

380
00:14:51,560 --> 00:14:54,760
violations, for uncontrolled data access.

381
00:14:54,760 --> 00:14:58,160
For mission creep, where an application that was designed to do one thing gradually gets

382
00:14:58,160 --> 00:15:01,560
permissions to do five other things because convenience wins over governance.

383
00:15:01,560 --> 00:15:04,320
The economic consequence manifests in multiple ways.

384
00:15:04,320 --> 00:15:05,600
First, audit friction.

385
00:15:05,600 --> 00:15:09,640
When a compliance team asks who has access to what in your tenant the answer takes weeks

386
00:15:09,640 --> 00:15:10,640
to assemble.

387
00:15:10,640 --> 00:15:12,040
Clearing app registrations.

388
00:15:12,040 --> 00:15:13,600
You're tracking credential history.

389
00:15:13,600 --> 00:15:16,640
You're cross referencing permissions against actual usage.

390
00:15:16,640 --> 00:15:19,280
And half the time you find permissions that shouldn't exist.

391
00:15:19,280 --> 00:15:22,560
And then you have to decide whether removing them will break something nobody remembers

392
00:15:22,560 --> 00:15:23,720
depending on.

393
00:15:23,720 --> 00:15:24,920
Second, breach exposure.

394
00:15:24,920 --> 00:15:28,640
In a breach scenario, you don't know what was exposed because you don't know what permissions

395
00:15:28,640 --> 00:15:29,640
actually existed.

396
00:15:29,640 --> 00:15:33,600
You assume an attacker who compromised the service principle can access customer data,

397
00:15:33,600 --> 00:15:35,600
financial records, employee information.

398
00:15:35,600 --> 00:15:36,960
But do they have graph permissions?

399
00:15:36,960 --> 00:15:38,480
Do they have mail delegation?

400
00:15:38,480 --> 00:15:39,720
Can they reset passwords?

401
00:15:39,720 --> 00:15:40,720
No guessing.

402
00:15:40,720 --> 00:15:42,520
And guessing in a breach is expensive.

403
00:15:42,520 --> 00:15:43,720
Third, operational paralysis.

404
00:15:43,720 --> 00:15:48,040
You can't move forward with security hardening because you don't understand the dependency graph.

405
00:15:48,040 --> 00:15:52,120
You can't enforce conditional access because it might break an integration nobody documented.

406
00:15:52,120 --> 00:15:55,200
You can't implement least privilege because the permission landscape is too sprawling

407
00:15:55,200 --> 00:15:56,200
to untangle.

408
00:15:56,200 --> 00:15:58,000
The systemic cause is architectural.

409
00:15:58,000 --> 00:16:01,200
Most organizations lack entitlement management discipline.

410
00:16:01,200 --> 00:16:03,280
There's no design lifecycle for applications.

411
00:16:03,280 --> 00:16:04,520
No automatic expiration.

412
00:16:04,520 --> 00:16:06,520
No regular access reviews that have teeth.

413
00:16:06,520 --> 00:16:10,520
No mechanism that says if you don't explicitly renew this permission every six months it gets

414
00:16:10,520 --> 00:16:11,520
revoked.

415
00:16:11,520 --> 00:16:13,200
The control plane fixes this.

416
00:16:13,200 --> 00:16:15,960
Treat permissions as entropy generators, not rewards.

417
00:16:15,960 --> 00:16:19,000
Every time you grant access, you're adding entropy to the system.

418
00:16:19,000 --> 00:16:21,520
Design expiration into every access grant from the start.

419
00:16:21,520 --> 00:16:22,520
Make it automatic.

420
00:16:22,520 --> 00:16:26,720
If an application's purpose has been fulfilled or abandoned, its permissions expire with it.

421
00:16:26,720 --> 00:16:30,600
Don't require a manual cleanup process that depends on someone remembering.

422
00:16:30,600 --> 00:16:31,920
Make it architectural law.

423
00:16:31,920 --> 00:16:35,920
This means implementing entitlement management that's not just an audit tool but a governance

424
00:16:35,920 --> 00:16:36,920
engine.

425
00:16:36,920 --> 00:16:41,040
Life cycle workflows that automatically remove permissions based on defined criteria, access

426
00:16:41,040 --> 00:16:42,680
packages that expire.

427
00:16:42,680 --> 00:16:45,520
Service principles with credential rotation enforced.

428
00:16:45,520 --> 00:16:49,080
Regular access reviews that don't just report on sprawl, they remediate it.

429
00:16:49,080 --> 00:16:51,920
And critically it means assigning life cycle ownership.

430
00:16:51,920 --> 00:16:55,720
Someone has to be accountable for whether an application still serves a business purpose.

431
00:16:55,720 --> 00:16:57,600
If the answer is no, the permissions go.

432
00:16:57,600 --> 00:16:59,520
Not eventually, immediately.

433
00:16:59,520 --> 00:17:01,520
Permission sprawl is the invisible attack surface.

434
00:17:01,520 --> 00:17:03,120
But the real problem is deeper.

435
00:17:03,120 --> 00:17:05,040
Its governance that isn't automated.

436
00:17:05,040 --> 00:17:08,880
One three, tactical governance, the theatre of compliance.

437
00:17:08,880 --> 00:17:11,400
Most organizations claim they have governance.

438
00:17:11,400 --> 00:17:12,640
What they actually have is theatre.

439
00:17:12,640 --> 00:17:16,800
I walked into a healthcare organization last year with 72 teams governance policies.

440
00:17:16,800 --> 00:17:20,080
All of them documented, beautifully written, signed off by compliance leadership, none

441
00:17:20,080 --> 00:17:21,880
of them automated zero.

442
00:17:21,880 --> 00:17:23,200
What did they rely on instead?

443
00:17:23,200 --> 00:17:24,200
Manual approvals.

444
00:17:24,200 --> 00:17:28,120
Someone had to review new teams requests and decide whether they met policy criteria,

445
00:17:28,120 --> 00:17:29,120
reactive policing.

446
00:17:29,120 --> 00:17:32,440
When someone created a team's channel without classification, someone else had to send

447
00:17:32,440 --> 00:17:34,360
them an email asking them to fix it.

448
00:17:34,360 --> 00:17:35,600
Human bottlenecks everywhere.

449
00:17:35,600 --> 00:17:36,920
An inconsistent enforcement.

450
00:17:36,920 --> 00:17:38,000
Some teams got corrected.

451
00:17:38,000 --> 00:17:39,000
Others didn't.

452
00:17:39,000 --> 00:17:40,680
It depended on who noticed and how busy they were.

453
00:17:40,680 --> 00:17:43,400
The real measure of governance isn't policy documents.

454
00:17:43,400 --> 00:17:44,560
It's enforcement.

455
00:17:44,560 --> 00:17:46,720
And this organization had no enforcement mechanism.

456
00:17:46,720 --> 00:17:47,720
They had hope.

457
00:17:47,720 --> 00:17:49,400
Here's how it manifests in practice.

458
00:17:49,400 --> 00:17:52,040
A business unit wants to create a new team's workspace.

459
00:17:52,040 --> 00:17:53,040
They fill out a form.

460
00:17:53,040 --> 00:17:54,760
It goes into an approval queue.

461
00:17:54,760 --> 00:17:57,920
Someone reviews it against 72 governance policies.

462
00:17:57,920 --> 00:18:00,880
Manually comparing what they're proposing against written criteria.

463
00:18:00,880 --> 00:18:01,880
This takes time.

464
00:18:01,880 --> 00:18:04,120
The request doesn't clearly violate a policy.

465
00:18:04,120 --> 00:18:05,120
It gets approved.

466
00:18:05,120 --> 00:18:06,800
If it's ambiguous, it gets escalated.

467
00:18:06,800 --> 00:18:10,480
If the escalation path is blocked, it gets approved by default because nobody wants to

468
00:18:10,480 --> 00:18:12,880
be the person blocking business velocity.

469
00:18:12,880 --> 00:18:14,480
Then someone creates the team.

470
00:18:14,480 --> 00:18:17,200
And then someone else has to verify that it was set up correctly.

471
00:18:17,200 --> 00:18:18,920
Check the sensitivity label.

472
00:18:18,920 --> 00:18:20,440
Verify the membership controls.

473
00:18:20,440 --> 00:18:21,600
Confirm the sharing settings.

474
00:18:21,600 --> 00:18:22,600
All manual.

475
00:18:22,600 --> 00:18:24,160
All dependent on discipline and memory.

476
00:18:24,160 --> 00:18:28,880
How many manual hours did that organization spend every year maintaining compliance theater?

477
00:18:28,880 --> 00:18:29,880
4,000.

478
00:18:29,880 --> 00:18:34,160
That's two full-time employees whose entire job was spreadsheets and escalation emails

479
00:18:34,160 --> 00:18:36,560
and follow-up conversations about policy drift.

480
00:18:36,560 --> 00:18:40,520
And it was fragile when the person maintaining the governance process left the organization

481
00:18:40,520 --> 00:18:42,200
knowledge walked out the door.

482
00:18:42,200 --> 00:18:43,200
Policies drifted.

483
00:18:43,200 --> 00:18:46,840
New teams started getting created without the controls that were supposed to exist.

484
00:18:46,840 --> 00:18:47,840
The system decayed.

485
00:18:47,840 --> 00:18:49,520
This is the fundamental disconnect.

486
00:18:49,520 --> 00:18:54,080
72% of organizations cannot enforce full governance policies at scale.

487
00:18:54,080 --> 00:18:55,360
And the reason is always the same.

488
00:18:55,360 --> 00:18:57,680
They built governance as a control function.

489
00:18:57,680 --> 00:19:00,240
And you do after the fact react to violations.

490
00:19:00,240 --> 00:19:01,240
Remind people to comply.

491
00:19:01,240 --> 00:19:05,040
Instead of building it as a system's layer, the systemic cause is structural.

492
00:19:05,040 --> 00:19:07,120
Governance is treated as a necessary evil.

493
00:19:07,120 --> 00:19:08,120
Compliance is seen as friction.

494
00:19:08,120 --> 00:19:10,280
So organizations minimize the investment.

495
00:19:10,280 --> 00:19:11,280
They write policies.

496
00:19:11,280 --> 00:19:12,280
They create processes.

497
00:19:12,280 --> 00:19:13,280
They hope people follow them.

498
00:19:13,280 --> 00:19:17,000
And then they're shocked when the system breaks under the weight of actual organizational

499
00:19:17,000 --> 00:19:18,000
scale.

500
00:19:18,000 --> 00:19:20,120
The economic consequence is hidden, but substantial.

501
00:19:20,120 --> 00:19:22,120
4,000 hours annually per organization.

502
00:19:22,120 --> 00:19:25,400
That's two full-time people just maintaining governance theater.

503
00:19:25,400 --> 00:19:26,400
And it's fragile.

504
00:19:26,400 --> 00:19:30,280
And it leaves priorities shift the governance system decays because it was never actually

505
00:19:30,280 --> 00:19:31,480
part of the architecture.

506
00:19:31,480 --> 00:19:35,280
It was bolted on top, dependent on sustained discipline and attention that eventually

507
00:19:35,280 --> 00:19:36,280
withers.

508
00:19:36,280 --> 00:19:39,480
The control plain fix is existential.

509
00:19:39,480 --> 00:19:42,880
Governance that isn't code is just a suggestion.

510
00:19:42,880 --> 00:19:46,720
If you're still relying on PDF policies and SharePoint checklists and email approvals,

511
00:19:46,720 --> 00:19:47,880
you have compliance theater.

512
00:19:47,880 --> 00:19:48,880
You don't have governance.

513
00:19:48,880 --> 00:19:49,880
And here's why it matters.

514
00:19:49,880 --> 00:19:51,280
Theater scales poorly.

515
00:19:51,280 --> 00:19:53,080
It breaks when you need it most.

516
00:19:53,080 --> 00:19:56,840
It depends on heroic individual effort and it never actually prevents violations.

517
00:19:56,840 --> 00:19:59,040
It just documents them after they happen.

518
00:19:59,040 --> 00:20:00,600
Real governance works differently.

519
00:20:00,600 --> 00:20:04,280
When someone creates a team's workspace, the system automatically applies the correct

520
00:20:04,280 --> 00:20:05,280
sensitivity label.

521
00:20:05,280 --> 00:20:06,560
The access controls are set.

522
00:20:06,560 --> 00:20:08,520
The membership restrictions are enforced.

523
00:20:08,520 --> 00:20:11,600
The data classification is inherited from the policy layer.

524
00:20:11,600 --> 00:20:15,480
No approval queue, no human review, no gap between intent and execution.

525
00:20:15,480 --> 00:20:16,640
That requires automation.

526
00:20:16,640 --> 00:20:17,640
It requires code.

527
00:20:17,640 --> 00:20:21,360
It requires treating governance as part of the system architecture, not as an external

528
00:20:21,360 --> 00:20:22,360
control function.

529
00:20:22,360 --> 00:20:25,440
If you cannot automate your governance, you don't actually have governance.

530
00:20:25,440 --> 00:20:26,440
You have hope.

531
00:20:26,440 --> 00:20:27,960
And hope is not a control.

532
00:20:27,960 --> 00:20:33,320
Sin 4, app worship, confusing output with architecture, enterprises celebrate app proliferation.

533
00:20:33,320 --> 00:20:34,880
We shipped 50 power apps this year.

534
00:20:34,880 --> 00:20:36,480
Citizen developers are empowered.

535
00:20:36,480 --> 00:20:37,880
Feature velocities accelerating.

536
00:20:37,880 --> 00:20:39,120
The business is moving faster.

537
00:20:39,120 --> 00:20:40,120
We're transforming.

538
00:20:40,120 --> 00:20:41,640
But here's what actually happened.

539
00:20:41,640 --> 00:20:45,560
You created 15 new maintenance liabilities, 15 new surface area multipliers.

540
00:20:45,560 --> 00:20:47,520
Every application is another piece of code.

541
00:20:47,520 --> 00:20:50,160
Someone has to support another integration that can fail.

542
00:20:50,160 --> 00:20:52,240
Another attack surface to defend.

543
00:20:52,240 --> 00:20:53,880
Another permission boundary to govern.

544
00:20:53,880 --> 00:20:57,560
This is where the builder bias I mentioned earlier collides with architectural reality.

545
00:20:57,560 --> 00:20:59,080
Builders get rewarded for shipping.

546
00:20:59,080 --> 00:21:00,520
The organization sees features.

547
00:21:00,520 --> 00:21:02,520
The business celebrates velocity.

548
00:21:02,520 --> 00:21:05,000
And nobody's counting the cost in technical debt.

549
00:21:05,000 --> 00:21:09,760
A mid market organization I worked with had 340 power apps in their tenant.

550
00:21:09,760 --> 00:21:12,400
340, I asked them how many were actively used.

551
00:21:12,400 --> 00:21:13,400
They didn't know.

552
00:21:13,400 --> 00:21:14,400
So we audited it.

553
00:21:14,400 --> 00:21:16,760
127 of them had never been used.

554
00:21:16,760 --> 00:21:17,760
Not once.

555
00:21:17,760 --> 00:21:19,640
Nobody ever registered a successful run.

556
00:21:19,640 --> 00:21:21,760
Some of them had been created three years ago.

557
00:21:21,760 --> 00:21:25,360
The original builder had long since moved on or left the organization.

558
00:21:25,360 --> 00:21:26,360
Nobody owned them.

559
00:21:26,360 --> 00:21:27,360
Nobody maintained them.

560
00:21:27,360 --> 00:21:28,680
They were digital craft.

561
00:21:28,680 --> 00:21:32,680
Sitting in the environment, creating governance complexity and compliance risk.

562
00:21:32,680 --> 00:21:37,120
Of the remaining 213 apps that were actually used fewer than half had documented business

563
00:21:37,120 --> 00:21:38,120
owners.

564
00:21:38,120 --> 00:21:40,520
The ones that did, the owners often didn't realize they owned them.

565
00:21:40,520 --> 00:21:43,720
They inherited the responsibility when they took over a team.

566
00:21:43,720 --> 00:21:46,840
Or the original creator had left it assigned to them without ever asking.

567
00:21:46,840 --> 00:21:48,680
The systemic causes structural.

568
00:21:48,680 --> 00:21:50,880
Builders get promotions for shipping features.

569
00:21:50,880 --> 00:21:54,360
The apps are invisible so the tenant fills up with applications that looked good in isolation

570
00:21:54,360 --> 00:21:56,000
but created technical debt at scale.

571
00:21:56,000 --> 00:21:57,440
There was no gating function.

572
00:21:57,440 --> 00:22:00,640
No architectural review that asked is this app necessary?

573
00:22:00,640 --> 00:22:02,720
Does it duplicate existing capability?

574
00:22:02,720 --> 00:22:03,720
Who owns it?

575
00:22:03,720 --> 00:22:04,720
What happens when the builder leaves?

576
00:22:04,720 --> 00:22:08,120
Instead, the organization operated on optimistic assumptions.

577
00:22:08,120 --> 00:22:09,400
Power apps are low-code.

578
00:22:09,400 --> 00:22:10,400
Citizens can build them.

579
00:22:10,400 --> 00:22:11,400
That's empowerment.

580
00:22:11,400 --> 00:22:12,400
That's agility.

581
00:22:12,400 --> 00:22:13,400
And it is.

582
00:22:13,400 --> 00:22:17,600
Until you wake up one day with 340 applications and no idea what most of them do.

583
00:22:17,600 --> 00:22:20,000
Economic consequence is operational paralysis.

584
00:22:20,000 --> 00:22:21,480
Support overhead explodes.

585
00:22:21,480 --> 00:22:23,520
When an application breaks, who fixes it?

586
00:22:23,520 --> 00:22:26,200
If the original builder is gone, nobody knows the code.

587
00:22:26,200 --> 00:22:30,320
So you either let it stay broken or you spend engineering time reverse engineering something

588
00:22:30,320 --> 00:22:32,360
that was never properly documented.

589
00:22:32,360 --> 00:22:33,720
Compliance risk multiplies.

590
00:22:33,720 --> 00:22:38,040
When an auditor asks how many applications access customer data you can't answer confidently.

591
00:22:38,040 --> 00:22:39,640
Vendors Brawl increases.

592
00:22:39,640 --> 00:22:42,560
Every app might integrate with external SaaS systems.

593
00:22:42,560 --> 00:22:46,680
Every integration is another contract, another permission boundary, another security surface.

594
00:22:46,680 --> 00:22:48,840
And here's the thing nobody talks about.

595
00:22:48,840 --> 00:22:51,640
Applications Brawl mirrors the sprawl you see in teams and SharePoint.

596
00:22:51,640 --> 00:22:54,160
It's the same root cause, default permissive settings.

597
00:22:54,160 --> 00:22:56,880
No life cycle governance, no exploration mechanism.

598
00:22:56,880 --> 00:23:01,240
No architecture that says if this application has no owner, it gets decommissioned.

599
00:23:01,240 --> 00:23:03,640
The control plane fix requires a mindset shift.

600
00:23:03,640 --> 00:23:04,640
Stop counting apps.

601
00:23:04,640 --> 00:23:05,640
That's the wrong metric.

602
00:23:05,640 --> 00:23:07,840
Start counting technical debt surface area.

603
00:23:07,840 --> 00:23:10,320
The real question isn't how many power apps do we have.

604
00:23:10,320 --> 00:23:14,600
It's what is the total complexity and maintenance burden we've accumulated and is it justified

605
00:23:14,600 --> 00:23:15,840
by business value?

606
00:23:15,840 --> 00:23:17,440
And for zoning laws.

607
00:23:17,440 --> 00:23:19,720
Not every application belongs in the environment.

608
00:23:19,720 --> 00:23:24,040
Some should be built as power platform solutions, governed as infrastructure.

609
00:23:24,040 --> 00:23:26,400
Others should be SaaS products, not custom builds.

610
00:23:26,400 --> 00:23:29,440
Some should be enterprise applications with formal governance.

611
00:23:29,440 --> 00:23:32,840
Some should be a femoral tools that disappear after they solve the problem they were meant

612
00:23:32,840 --> 00:23:33,840
to solve.

613
00:23:33,840 --> 00:23:37,280
And a sign, life cycle ownership, make it architectural law.

614
00:23:37,280 --> 00:23:41,120
An application without an identified accountable owner gets decommissioned.

615
00:23:41,120 --> 00:23:43,920
Not eventually, immediately, that forces discipline.

616
00:23:43,920 --> 00:23:47,760
That forces the organization to ask, do we actually need this instead of accumulating

617
00:23:47,760 --> 00:23:48,760
forever?

618
00:23:48,760 --> 00:23:52,680
This brings us to the most dangerous sin because it's one thing to have 340 applications

619
00:23:52,680 --> 00:23:54,600
creating support overhead.

620
00:23:54,600 --> 00:23:58,960
It's another entirely when you deploy AI onto that chaotic sprawling application landscape

621
00:23:58,960 --> 00:24:00,920
without architectural zoning.

622
00:24:00,920 --> 00:24:01,920
Sin 5.

623
00:24:01,920 --> 00:24:02,920
AI chaos.

624
00:24:02,920 --> 00:24:04,280
Agents without boundaries.

625
00:24:04,280 --> 00:24:05,520
This one is still forming.

626
00:24:05,520 --> 00:24:07,120
Most organizations don't see it yet.

627
00:24:07,120 --> 00:24:08,120
That's the danger.

628
00:24:08,120 --> 00:24:11,880
Organizations are deploying co-pilot onto flat, unclassified data structures.

629
00:24:11,880 --> 00:24:17,480
They're standing up co-pilot studio agents without defining what data those agents can access.

630
00:24:17,480 --> 00:24:20,720
They're accelerating AI adoption while data governance lags behind.

631
00:24:20,720 --> 00:24:22,000
And here's the architectural truth.

632
00:24:22,000 --> 00:24:23,840
AI doesn't solve your data problem.

633
00:24:23,840 --> 00:24:25,320
It broadcasts it at scale.

634
00:24:25,320 --> 00:24:26,320
Let me tell you what I mean.

635
00:24:26,320 --> 00:24:29,480
An enterprise co-pilot pilot six weeks in, they were excited.

636
00:24:29,480 --> 00:24:31,280
Initial adoption metrics looked strong.

637
00:24:31,280 --> 00:24:35,360
Users were asking the agent questions about products, customers, internal processes.

638
00:24:35,360 --> 00:24:37,840
And then someone asked it a question about compensation.

639
00:24:37,840 --> 00:24:40,800
The agent answered, it told them salary data benefits information.

640
00:24:40,800 --> 00:24:44,680
payroll details from the HR system, all available because the data was unclassified

641
00:24:44,680 --> 00:24:46,760
and the agent permissions were unrestricted.

642
00:24:46,760 --> 00:24:49,120
Here's what actually happened architecturally.

643
00:24:49,120 --> 00:24:52,560
The organization deployed co-pilot before they classified their data.

644
00:24:52,560 --> 00:24:56,840
Before they defined what co-pilot agents could access, before they implemented data boundaries.

645
00:24:56,840 --> 00:25:01,120
They treated AI as a feature to ship, not as a governance layer that has to sit on top

646
00:25:01,120 --> 00:25:02,520
of solid data architecture.

647
00:25:02,520 --> 00:25:04,000
The systemic cause is predictable.

648
00:25:04,000 --> 00:25:05,000
AI feels urgent.

649
00:25:05,000 --> 00:25:06,320
Everyone's talking about it.

650
00:25:06,320 --> 00:25:07,320
Competitors are moving.

651
00:25:07,320 --> 00:25:08,640
So organizations rush.

652
00:25:08,640 --> 00:25:10,240
They want to show value quickly.

653
00:25:10,240 --> 00:25:12,280
co-pilot adoption metrics.

654
00:25:12,280 --> 00:25:13,800
Agent deployment numbers.

655
00:25:13,800 --> 00:25:17,880
Proof of concept turned pilot turned production all before the foundational architecture is

656
00:25:17,880 --> 00:25:18,880
in place.

657
00:25:18,880 --> 00:25:22,280
But here's what happens when you deploy AI without data architecture.

658
00:25:22,280 --> 00:25:25,200
An agent gets access to everything it needs to do its job.

659
00:25:25,200 --> 00:25:26,200
That's reasonable.

660
00:25:26,200 --> 00:25:27,440
But everything it needs expands.

661
00:25:27,440 --> 00:25:28,760
It integrates with SharePoint.

662
00:25:28,760 --> 00:25:30,480
Now it's reading all documents.

663
00:25:30,480 --> 00:25:32,400
It connects to the mailbox system.

664
00:25:32,400 --> 00:25:33,680
Now it's processing email.

665
00:25:33,680 --> 00:25:35,240
It links to customer data.

666
00:25:35,240 --> 00:25:37,400
Now it's handling sensitive information.

667
00:25:37,400 --> 00:25:39,320
Each integration makes sense in isolation.

668
00:25:39,320 --> 00:25:43,960
Collectively, they create an unrestricted data access pattern that violates your compliance

669
00:25:43,960 --> 00:25:45,960
requirements and your common sense.

670
00:25:45,960 --> 00:25:48,960
The economic consequence is immediate and expensive.

671
00:25:48,960 --> 00:25:49,960
Security retrofits.

672
00:25:49,960 --> 00:25:50,960
You deployed co-pilot.

673
00:25:50,960 --> 00:25:55,480
Now you're scrambling to classify data retroactively, define boundaries, restrict agent

674
00:25:55,480 --> 00:25:56,480
access.

675
00:25:56,480 --> 00:25:57,480
That's rework.

676
00:25:57,480 --> 00:25:58,480
That's budget you didn't plan for.

677
00:25:58,480 --> 00:26:00,400
Co-pilot studio credits burning through.

678
00:26:00,400 --> 00:26:02,600
Every agent interaction consumes credits.

679
00:26:02,600 --> 00:26:08,480
At $200 per 25,000 messages at scale, this becomes a line item nobody forecasted.

680
00:26:08,480 --> 00:26:14,600
You're processing payroll data, customer information, health records through an AI system

681
00:26:14,600 --> 00:26:16,720
that wasn't designed with compliance in mind.

682
00:26:16,720 --> 00:26:20,680
Auditor's notice, regulators notice, and then you're explaining why you deployed AI faster

683
00:26:20,680 --> 00:26:22,640
than you implemented governance.

684
00:26:22,640 --> 00:26:23,640
Real numbers.

685
00:26:23,640 --> 00:26:27,000
49% of AI programs stall due to unclear value.

686
00:26:27,000 --> 00:26:30,840
80% of Fortune 500 use agents without formal governance.

687
00:26:30,840 --> 00:26:32,480
The pattern is universal.

688
00:26:32,480 --> 00:26:36,920
Speed first, architecture second, then disaster.

689
00:26:36,920 --> 00:26:39,880
The control plane fix is non-negotiable.

690
00:26:39,880 --> 00:26:42,800
Define data boundaries before deploying agents.

691
00:26:42,800 --> 00:26:43,880
Not after, before.

692
00:26:43,880 --> 00:26:45,520
This means classifying your data.

693
00:26:45,520 --> 00:26:46,720
Tearing agents by risk.

694
00:26:46,720 --> 00:26:51,320
An agent that answers FAQ questions has different access requirements than an agent that

695
00:26:51,320 --> 00:26:53,280
processes financial transactions.

696
00:26:53,280 --> 00:26:57,040
An agent that reads public documents has different boundaries than an agent that accesses

697
00:26:57,040 --> 00:26:58,520
customer records.

698
00:26:58,520 --> 00:27:01,600
Then enforce data access via identity and policy.

699
00:27:01,600 --> 00:27:03,520
Use agent 365 as a governance layer.

700
00:27:03,520 --> 00:27:06,800
When you deploy an agent, its permissions flow from Entra ID.

701
00:27:06,800 --> 00:27:08,120
It has a defined identity.

702
00:27:08,120 --> 00:27:10,840
It can access only the data it's authorized to access.

703
00:27:10,840 --> 00:27:12,280
Its interactions are audited.

704
00:27:12,280 --> 00:27:14,240
It can be revoked if it's misused.

705
00:27:14,240 --> 00:27:15,840
This requires architectural discipline.

706
00:27:15,840 --> 00:27:17,320
It requires saying no to speed.

707
00:27:17,320 --> 00:27:21,360
It requires doing the unglamorous work of data classification and boundary definition

708
00:27:21,360 --> 00:27:23,160
before you ship the next agent.

709
00:27:23,160 --> 00:27:25,400
But without it, AI doesn't solve your data problems.

710
00:27:25,400 --> 00:27:26,400
It creates new ones.

711
00:27:26,400 --> 00:27:30,320
It takes the sprawl and the governance gaps you already have and amplifies them at scale.

712
00:27:30,320 --> 00:27:32,840
It turns hidden risks into active liabilities.

713
00:27:32,840 --> 00:27:34,040
And here's the uncomfortable truth.

714
00:27:34,040 --> 00:27:39,720
If your organization has 340 power apps without owners, if you have 700 orphaned app registrations

715
00:27:39,720 --> 00:27:44,160
in Entra ID, if you have governance policies that nobody enforces, then you're not ready

716
00:27:44,160 --> 00:27:46,000
to deploy AI agents.

717
00:27:46,000 --> 00:27:47,440
Because AI will make all of that worst.

718
00:27:47,440 --> 00:27:51,480
It will inherit all of that chaos and it will operate at a speed that your manual governance

719
00:27:51,480 --> 00:27:53,440
processes can't keep up with.

720
00:27:53,440 --> 00:27:54,880
This brings us to the root cause.

721
00:27:54,880 --> 00:27:57,040
All these sins don't exist independently.

722
00:27:57,040 --> 00:27:59,840
They exist because of one structural absence.

723
00:27:59,840 --> 00:28:03,120
Sin 6, Builder Bias, the architect vacuum.

724
00:28:03,120 --> 00:28:05,200
Here's a pattern that explains everything else.

725
00:28:05,200 --> 00:28:09,800
And its organizational, not technical, enterprises promote the person who knows the buttons.

726
00:28:09,800 --> 00:28:13,760
The person who shipped the feature, the person who delivered on deadline, they reward builders,

727
00:28:13,760 --> 00:28:17,920
they celebrate features shipped, they measure velocity, and architects, the people thinking

728
00:28:17,920 --> 00:28:21,560
about system resilience, about decay, about integration costs, about what happens five

729
00:28:21,560 --> 00:28:24,240
years from now, those people are invisible.

730
00:28:24,240 --> 00:28:27,120
An IT director I worked with recently made a telling decision.

731
00:28:27,120 --> 00:28:30,560
They hired a power platform expert and they fired the identity architect.

732
00:28:30,560 --> 00:28:32,360
The reasoning was straight forward.

733
00:28:32,360 --> 00:28:33,560
We need builders right now.

734
00:28:33,560 --> 00:28:35,080
We need people who can ship.

735
00:28:35,080 --> 00:28:36,080
Strategy can wait.

736
00:28:36,080 --> 00:28:37,080
Modernization can wait.

737
00:28:37,080 --> 00:28:38,960
We need features and we need them fast.

738
00:28:38,960 --> 00:28:40,560
What actually happened was structural.

739
00:28:40,560 --> 00:28:44,400
Without architects enforcing design constraints, without someone saying no, we can't do it that

740
00:28:44,400 --> 00:28:45,400
way.

741
00:28:45,400 --> 00:28:47,800
The platform started accumulating entropy faster.

742
00:28:47,800 --> 00:28:49,720
Features shipped, systems decayed.

743
00:28:49,720 --> 00:28:50,720
Technical debt compounded.

744
00:28:50,720 --> 00:28:55,280
18 months later, the organization hit what I called the productivity wall.

745
00:28:55,280 --> 00:28:57,520
Initial gains from rapid development flattened.

746
00:28:57,520 --> 00:28:58,520
Performance degraded.

747
00:28:58,520 --> 00:29:00,600
Infrastructure complexity made change harder.

748
00:29:00,600 --> 00:29:03,800
The organization was managing technical debt instead of shipping features.

749
00:29:03,800 --> 00:29:07,160
They'd moved fast initially, but they were moving slowly now because nobody had been thinking

750
00:29:07,160 --> 00:29:08,160
about sustainability.

751
00:29:08,160 --> 00:29:09,480
Here's how it manifests.

752
00:29:09,480 --> 00:29:14,200
A builder comes to you and says, "I need to integrate with this new SaaS system."

753
00:29:14,200 --> 00:29:16,480
And builders are great at solving immediate problems.

754
00:29:16,480 --> 00:29:17,760
So they build an integration.

755
00:29:17,760 --> 00:29:18,760
It works.

756
00:29:18,760 --> 00:29:19,760
The business is happy.

757
00:29:19,760 --> 00:29:22,600
But the builder didn't think about or wasn't asked to think about what happens when

758
00:29:22,600 --> 00:29:26,720
that SaaS systems API changes, what happens when the password for the service account needs

759
00:29:26,720 --> 00:29:30,560
to be rotated, what happens when you need to audit, who accessed, what?

760
00:29:30,560 --> 00:29:35,000
Who that integration, what happens when three other builders independently build integrations

761
00:29:35,000 --> 00:29:36,000
to the same system?

762
00:29:36,000 --> 00:29:39,200
And now you have three different approaches, three different failure modes, three times

763
00:29:39,200 --> 00:29:40,680
the maintenance burden.

764
00:29:40,680 --> 00:29:44,240
The systemic causes organizational structure, builders create visible value.

765
00:29:44,240 --> 00:29:45,880
They ship, they deliver.

766
00:29:45,880 --> 00:29:47,600
Organizations see progress.

767
00:29:47,600 --> 00:29:49,280
Architects prevent invisible failures.

768
00:29:49,280 --> 00:29:50,280
They say no.

769
00:29:50,280 --> 00:29:51,600
They require documentation.

770
00:29:51,600 --> 00:29:54,160
They ask hard questions about sustainability.

771
00:29:54,160 --> 00:29:56,960
And their value is invisible until something breaks.

772
00:29:56,960 --> 00:30:00,840
By which time the organization has learned the hard way that architecture matters.

773
00:30:00,840 --> 00:30:03,400
The real consequence is fragmented ownership.

774
00:30:03,400 --> 00:30:07,680
Only 23% of organizations have a formal AI agent identity strategy.

775
00:30:07,680 --> 00:30:08,680
Think about that.

776
00:30:08,680 --> 00:30:10,520
AI agents are proliferating.

777
00:30:10,520 --> 00:30:12,560
Most organizations don't have governance for them.

778
00:30:12,560 --> 00:30:13,560
Why?

779
00:30:13,560 --> 00:30:14,960
Because ownership is fragmented.

780
00:30:14,960 --> 00:30:16,280
Security thinks it's I'd's problem.

781
00:30:16,280 --> 00:30:17,760
It thinks it's the business's problem.

782
00:30:17,760 --> 00:30:19,640
The business thinks it's securities problem.

783
00:30:19,640 --> 00:30:23,680
And builders are shipping agents without anyone owning the architectural decision of whether

784
00:30:23,680 --> 00:30:25,920
they should exist or what their boundaries are.

785
00:30:25,920 --> 00:30:28,360
The economic consequence is substantial and usually lagged.

786
00:30:28,360 --> 00:30:29,800
You don't see it for 18 months.

787
00:30:29,800 --> 00:30:31,640
But when you do it's expensive.

788
00:30:31,640 --> 00:30:32,640
Technical debt compounds.

789
00:30:32,640 --> 00:30:33,640
Support costs rise.

790
00:30:33,640 --> 00:30:35,040
Security risks accumulate.

791
00:30:35,040 --> 00:30:36,400
Compliance becomes harder.

792
00:30:36,400 --> 00:30:38,880
And the organization realizes it needs architects.

793
00:30:38,880 --> 00:30:40,840
But architects are expensive to retrofit.

794
00:30:40,840 --> 00:30:44,720
You can't just hire one and expect them to untangle 18 months of architectural decisions

795
00:30:44,720 --> 00:30:46,000
made without their input.

796
00:30:46,000 --> 00:30:48,720
The control plane fix requires a mindset shift.

797
00:30:48,720 --> 00:30:51,760
Reframed architects as leverage engineers not cost centers.

798
00:30:51,760 --> 00:30:54,080
A builder can increase velocity on one project.

799
00:30:54,080 --> 00:30:58,000
An architect can increase velocity across the entire system by making good structural

800
00:30:58,000 --> 00:31:00,360
decisions that everyone benefits from.

801
00:31:00,360 --> 00:31:04,560
An architect can prevent the entire organization from making the same mistake in five different

802
00:31:04,560 --> 00:31:05,560
places.

803
00:31:05,560 --> 00:31:06,960
Measure architects by system health.

804
00:31:06,960 --> 00:31:08,120
By entropy reduction.

805
00:31:08,120 --> 00:31:10,400
By the number of future problems they prevent.

806
00:31:10,400 --> 00:31:12,600
By whether integration patterns are consistent.

807
00:31:12,600 --> 00:31:14,360
By whether governance is enforceable.

808
00:31:14,360 --> 00:31:17,960
By whether new builders inherit a platform that's easy to build on or swamp they have to

809
00:31:17,960 --> 00:31:18,960
wait through.

810
00:31:18,960 --> 00:31:20,840
Builders create visible value.

811
00:31:20,840 --> 00:31:22,720
Architects create invisible value.

812
00:31:22,720 --> 00:31:24,160
Local value is just as real.

813
00:31:24,160 --> 00:31:25,360
It's just harder to see.

814
00:31:25,360 --> 00:31:29,000
And organizations that don't see it are the ones that end up with sprawl with chaos with

815
00:31:29,000 --> 00:31:31,880
technical debt that becomes impossible to manage.

816
00:31:31,880 --> 00:31:33,640
This brings us to the final sin.

817
00:31:33,640 --> 00:31:37,760
Because even good architects fail if the foundational decisions about resources and investment

818
00:31:37,760 --> 00:31:38,760
are wrong.

819
00:31:38,760 --> 00:31:41,480
And that decision is usually made in procurement.

820
00:31:41,480 --> 00:31:43,000
Scene 7.

821
00:31:43,000 --> 00:31:44,000
Licensing blindness.

822
00:31:44,000 --> 00:31:45,480
Capacity as strategy.

823
00:31:45,480 --> 00:31:49,560
The final sin is the most expensive because it's the most normalized.

824
00:31:49,560 --> 00:31:52,680
Organizations renew E5 because it's what we do.

825
00:31:52,680 --> 00:31:55,000
Not because they've mapped capability to value.

826
00:31:55,000 --> 00:31:58,360
Not because they've assessed whether users actually need premium features.

827
00:31:58,360 --> 00:32:01,600
Not because they've measured adoption of the premium connectors they're already paying

828
00:32:01,600 --> 00:32:02,600
for.

829
00:32:02,600 --> 00:32:04,440
They renew because the license was good last year.

830
00:32:04,440 --> 00:32:05,440
So it's good this year.

831
00:32:05,440 --> 00:32:07,120
And the year after that no one questions it.

832
00:32:07,120 --> 00:32:09,440
Meanwhile shadow IT thrives.

833
00:32:09,440 --> 00:32:13,640
Users on basic skews accomplish the same roles as E5 users.

834
00:32:13,640 --> 00:32:15,120
Premium features sit idle.

835
00:32:15,120 --> 00:32:16,480
Copilot remains unused.

836
00:32:16,480 --> 00:32:20,240
The advanced threat protection that comes with E5 never gets operationalized.

837
00:32:20,240 --> 00:32:21,800
Feature parity is ignored.

838
00:32:21,800 --> 00:32:26,280
What is tracking whether the premium capabilities you paid for are actually driving outcomes.

839
00:32:26,280 --> 00:32:27,520
Here's a real example.

840
00:32:27,520 --> 00:32:33,160
An enterprise paying 2.1 million dollars annually for E5 across their knowledge worker base.

841
00:32:33,160 --> 00:32:34,760
They'd standardised on it years ago.

842
00:32:34,760 --> 00:32:35,760
E5 for finance.

843
00:32:35,760 --> 00:32:36,760
E5 for engineering.

844
00:32:36,760 --> 00:32:38,240
E5 for operations.

845
00:32:38,240 --> 00:32:39,720
Everyone gets the same license.

846
00:32:39,720 --> 00:32:41,040
In order to reveal the truth.

847
00:32:41,040 --> 00:32:46,760
34% of those users, roughly a third, could perform their exact same role on business standard.

848
00:32:46,760 --> 00:32:48,760
They had no need for the premium connector library.

849
00:32:48,760 --> 00:32:49,960
They didn't use copilot.

850
00:32:49,960 --> 00:32:53,280
They didn't need advanced threat protection beyond what business standard includes.

851
00:32:53,280 --> 00:32:55,280
They needed email teams, a document platform.

852
00:32:55,280 --> 00:32:56,280
That's it.

853
00:32:56,280 --> 00:32:57,800
They were paying for capabilities they would never touch.

854
00:32:57,800 --> 00:33:01,280
The economic consequences are orthogonal to what most organisations see.

855
00:33:01,280 --> 00:33:03,640
It's not just the cost of unused licenses.

856
00:33:03,640 --> 00:33:04,640
That's obvious.

857
00:33:04,640 --> 00:33:08,280
The real consequence is the cost of not using licensing as a behavioural incentive.

858
00:33:08,280 --> 00:33:12,560
If your licensing skews are aligned to roles and capabilities then it drives adoption.

859
00:33:12,560 --> 00:33:14,280
It forces architectural decisions.

860
00:33:14,280 --> 00:33:16,320
It makes you think about what people actually need.

861
00:33:16,320 --> 00:33:20,920
When you standardise on E5 across the board you've removed the constraint that forces architectural

862
00:33:20,920 --> 00:33:21,920
discipline.

863
00:33:21,920 --> 00:33:24,400
You've said effectively that everyone gets access to everything.

864
00:33:24,400 --> 00:33:25,400
That's not strategy.

865
00:33:25,400 --> 00:33:26,400
That's capitulation.

866
00:33:26,400 --> 00:33:27,400
It's budget capitulation.

867
00:33:27,400 --> 00:33:29,240
It's architectural capitulation.

868
00:33:29,240 --> 00:33:30,640
And it's expensive.

869
00:33:30,640 --> 00:33:33,040
The 2026 price hikes compound this mistake.

870
00:33:33,040 --> 00:33:38,600
Microsoft is implementing increases ranging from 9 to 33% effective July 1st.

871
00:33:38,600 --> 00:33:41,840
F1 plans jumping from $2.25 to $3.00.

872
00:33:41,840 --> 00:33:45,520
E3 rising from $36.39 per user per month.

873
00:33:45,520 --> 00:33:47,760
That organisation paying 2.1 million?

874
00:33:47,760 --> 00:33:48,760
Next renewal?

875
00:33:48,760 --> 00:33:50,360
That's closer to 2.4 million.

876
00:33:50,360 --> 00:33:55,200
If they'd rationalised licensing earlier they could have cut that by 20-30% but they didn't.

877
00:33:55,200 --> 00:33:57,520
And now they're paying twice for the same mistake.

878
00:33:57,520 --> 00:34:00,440
Here's what happens when you finally audit your licensing landscape.

879
00:34:00,440 --> 00:34:02,560
You discover premium connectors nobody's using.

880
00:34:02,560 --> 00:34:06,480
You find copated licenses assigned to roles that have no integration points.

881
00:34:06,480 --> 00:34:10,280
You realise that your premium security features are redundant with network based controls

882
00:34:10,280 --> 00:34:11,960
you already paid for elsewhere.

883
00:34:11,960 --> 00:34:17,000
You uncover the fact that 34% of your e5 investment could be recovered if you had the discipline

884
00:34:17,000 --> 00:34:20,600
to match licensing to actual capability requirements.

885
00:34:20,600 --> 00:34:22,320
The control plane fixes this.

886
00:34:22,320 --> 00:34:24,240
Licensing skyu is a behavioural lever.

887
00:34:24,240 --> 00:34:25,240
Use it.

888
00:34:25,240 --> 00:34:28,880
If you're paying for e5 across the board you've removed the mechanism that forces you to

889
00:34:28,880 --> 00:34:30,440
make architectural decisions.

890
00:34:30,440 --> 00:34:34,720
You've optimised for everyone gets everything instead of everyone gets what they need.

891
00:34:34,720 --> 00:34:37,080
Real architecture means saying no to simplicity.

892
00:34:37,080 --> 00:34:38,800
It means matching licensing to roles.

893
00:34:38,800 --> 00:34:44,120
e5 for roles that actually need premium connectors, threat intelligence or advanced governance.

894
00:34:44,120 --> 00:34:48,240
e3 for users who need collaboration and productivity but not advanced security.

895
00:34:48,240 --> 00:34:53,000
Business standard for roles that only need core email and team's functionality.

896
00:34:53,000 --> 00:34:56,040
And making those decisions forces you to understand your user base.

897
00:34:56,040 --> 00:34:59,320
It forces you to ask why does this person need this capability?

898
00:34:59,320 --> 00:35:02,160
And if you can't answer that question they don't get that licence.

899
00:35:02,160 --> 00:35:05,680
This is where the abstraction becomes concrete because when you force licensing alignment

900
00:35:05,680 --> 00:35:06,880
you also force governance.

901
00:35:06,880 --> 00:35:08,400
You have to know who's in what role.

902
00:35:08,400 --> 00:35:10,040
You have to enforce role definitions.

903
00:35:10,040 --> 00:35:13,880
You have to make sure the business is actually using the features you're paying for.

904
00:35:13,880 --> 00:35:16,520
And that discipline cascades into everything else.

905
00:35:16,520 --> 00:35:20,760
Better identity governance, better data classification, better understanding of what your

906
00:35:20,760 --> 00:35:22,680
system is actually supposed to do.

907
00:35:22,680 --> 00:35:24,760
All 7Sints point to one diagnosis.

908
00:35:24,760 --> 00:35:26,280
The absence of a control plane.

909
00:35:26,280 --> 00:35:28,400
The umbrella sin control plane neglect.

910
00:35:28,400 --> 00:35:30,400
These 7Sints don't exist in isolation.

911
00:35:30,400 --> 00:35:31,920
They're not random failures.

912
00:35:31,920 --> 00:35:35,240
They're not separate problems that happen to accumulate in the same tenant.

913
00:35:35,240 --> 00:35:37,320
They're all symptoms of one structural absence.

914
00:35:37,320 --> 00:35:41,520
And that absence is what binds them together into a single architectural failure.

915
00:35:41,520 --> 00:35:44,840
Operating without a system's layer means entropy becomes your default operating system.

916
00:35:44,840 --> 00:35:45,920
You don't have governance.

917
00:35:45,920 --> 00:35:48,480
You have chaos with policies written on top of it.

918
00:35:48,480 --> 00:35:52,200
Trying to contain something that was never architecturally constrained in the first place.

919
00:35:52,200 --> 00:35:53,320
You don't have architecture.

920
00:35:53,320 --> 00:35:54,320
You have a platform.

921
00:35:54,320 --> 00:35:55,920
And a platform is something else entirely.

922
00:35:55,920 --> 00:35:58,080
A platform is a collection of services.

923
00:35:58,080 --> 00:35:59,520
An architecture is a system.

924
00:35:59,520 --> 00:36:01,040
Here's how it manifests in practice.

925
00:36:01,040 --> 00:36:05,600
A 10,000 seed organisation I worked with had EntraID governed by one team.

926
00:36:05,600 --> 00:36:09,240
They handled identity provisioning conditional access role definitions.

927
00:36:09,240 --> 00:36:10,240
Solid work.

928
00:36:10,240 --> 00:36:11,680
Intune was managed by a separate team.

929
00:36:11,680 --> 00:36:15,240
They owned device management and point security compliance baselines.

930
00:36:15,240 --> 00:36:16,240
Also good.

931
00:36:16,240 --> 00:36:18,000
Microsoft defender handled by another team.

932
00:36:18,000 --> 00:36:21,240
They owned threat detection, incident response, security monitoring.

933
00:36:21,240 --> 00:36:26,600
Yet another team owned purview, data governance, sensitivity labels, retention policies.

934
00:36:26,600 --> 00:36:29,880
And teams in SharePoint were loosely monitored by the service adoption team.

935
00:36:29,880 --> 00:36:32,760
They tracked usage metrics and provided training.

936
00:36:32,760 --> 00:36:35,040
Nobody was looking at identity to app orchestration.

937
00:36:35,040 --> 00:36:38,000
Nobody was enforcing zoning and tearing across the entire system.

938
00:36:38,000 --> 00:36:41,560
Every service had its own policies, its own approval workflows, its own definitions of

939
00:36:41,560 --> 00:36:43,080
what security baseline meant.

940
00:36:43,080 --> 00:36:45,360
Each domain solved its own problems locally.

941
00:36:45,360 --> 00:36:49,560
But there was no layer that decided how those domains actually interacted, how data flowed

942
00:36:49,560 --> 00:36:53,800
from one system to another, how users access decisions in EntraID connected to what they

943
00:36:53,800 --> 00:36:57,840
could do in SharePoint, how that related to what they could see in a co-pilot agent,

944
00:36:57,840 --> 00:37:00,520
what that organisation actually had wasn't a security posture.

945
00:37:00,520 --> 00:37:04,800
It was security theatre orchestrated across five different teams, each performing their

946
00:37:04,800 --> 00:37:06,640
part with no conductor.

947
00:37:06,640 --> 00:37:08,320
The systemic cause is this.

948
00:37:08,320 --> 00:37:12,560
Most organisations treat Microsoft Cloud as a collection of disconnected services.

949
00:37:12,560 --> 00:37:16,240
Identity over here, data governance over there, applications somewhere else, compliance

950
00:37:16,240 --> 00:37:17,520
in a separate silo.

951
00:37:17,520 --> 00:37:19,720
This creates what I call policy fragmentation.

952
00:37:19,720 --> 00:37:21,960
Each domain solves its own problems locally.

953
00:37:21,960 --> 00:37:24,560
But there's no layer that ensures consistency.

954
00:37:24,560 --> 00:37:29,000
No place that says, when we make an identity decision, what does that mean for data access,

955
00:37:29,000 --> 00:37:32,240
for app permissions, for compliance boundaries?

956
00:37:32,240 --> 00:37:36,320
That connecting layer is the control plane, and most organisations don't have one.

957
00:37:36,320 --> 00:37:37,320
They think they do.

958
00:37:37,320 --> 00:37:40,680
They point to their EntraID governance, they show you their defender dashboards.

959
00:37:40,680 --> 00:37:43,160
They talk about their purview compliance framework.

960
00:37:43,160 --> 00:37:46,680
But those are individual services responding to local constraints.

961
00:37:46,680 --> 00:37:49,280
Not a unified system making coordinated decisions.

962
00:37:49,280 --> 00:37:52,120
The economic consequence of operating without it is massive.

963
00:37:52,120 --> 00:37:57,600
That 10,000 seat organisation, 3.2 million in unrealised productivity benefits over three

964
00:37:57,600 --> 00:37:58,600
years.

965
00:37:58,600 --> 00:38:01,600
Not because they lacked features, they had every Microsoft feature available.

966
00:38:01,600 --> 00:38:05,080
Because those features weren't integrated into a system.

967
00:38:05,080 --> 00:38:09,360
Users couldn't find information because it was classified inconsistently across SharePoint.

968
00:38:09,360 --> 00:38:13,280
Admins couldn't trust their governance because policies drifted when one team made changes

969
00:38:13,280 --> 00:38:15,840
without checking impact on other teams.

970
00:38:15,840 --> 00:38:20,000
Architects had no way to enforce decisions at scale because there was no mechanism to translate

971
00:38:20,000 --> 00:38:22,240
intent into system-wide behaviour.

972
00:38:22,240 --> 00:38:25,600
Control plane absence also means security debt accumulates invisibly.

973
00:38:25,600 --> 00:38:27,880
When EntraID policies drift, nobody knows it.

974
00:38:27,880 --> 00:38:31,000
When SharePoint permissions exceed your threshold, there's nobody watching.

975
00:38:31,000 --> 00:38:35,480
When a co-pilot agent is accessing data you never approved, the policy layer doesn't catch

976
00:38:35,480 --> 00:38:36,480
it.

977
00:38:36,480 --> 00:38:37,480
Each service does its best.

978
00:38:37,480 --> 00:38:38,480
But there's no circuit breaker.

979
00:38:38,480 --> 00:38:43,400
No orchestration, no central place where someone says no, that violates our architecture.

980
00:38:43,400 --> 00:38:45,520
Real security data backs this up.

981
00:38:45,520 --> 00:38:50,560
63% of M365 tenants face configuration tampering in identity and device management.

982
00:38:50,560 --> 00:38:52,200
And here's the architectural gap.

983
00:38:52,200 --> 00:38:54,960
Microsoft doesn't natively back up tenant configurations.

984
00:38:54,960 --> 00:38:56,320
You deploy defender policies.

985
00:38:56,320 --> 00:38:57,600
You configure EntraID.

986
00:38:57,600 --> 00:38:59,000
You set up purview rules.

987
00:38:59,000 --> 00:39:03,160
If something goes catastrophically wrong if an attacker modifies your policies, if someone

988
00:39:03,160 --> 00:39:07,760
accidentally deletes your conditional access rules, you don't have a native recovery mechanism.

989
00:39:07,760 --> 00:39:10,640
You're relying on change logs and manual reconstruction.

990
00:39:10,640 --> 00:39:13,560
The control plane fix requires foundational architecture.

991
00:39:13,560 --> 00:39:17,720
You have to build a unified policy compilation layer, a single source of truth where architectural

992
00:39:17,720 --> 00:39:20,800
intent gets translated into system-wide policy.

993
00:39:20,800 --> 00:39:23,840
Treat identity EntraID as the control plane backbone.

994
00:39:23,840 --> 00:39:27,840
Make it the place where you define not just who can access what, but what that access means

995
00:39:27,840 --> 00:39:29,160
across your entire system.

996
00:39:29,160 --> 00:39:32,560
A user is an employee, a contractor, a vendor, a guest.

997
00:39:32,560 --> 00:39:36,760
Once you make that decision in identity, every other system should inherit that context.

998
00:39:36,760 --> 00:39:38,200
Not ask for it separately.

999
00:39:38,200 --> 00:39:39,200
Inherited.

1000
00:39:39,200 --> 00:39:41,160
Then enforce cross-platform orchestration.

1001
00:39:41,160 --> 00:39:45,880
If a user's EntraID role says finance, that determines their default access to financial

1002
00:39:45,880 --> 00:39:47,320
data in SharePoint.

1003
00:39:47,320 --> 00:39:50,320
If they are classified as guest, that determines what they see in teams.

1004
00:39:50,320 --> 00:39:54,400
If a copilot agent is accessing customer data, its identity and permissions flow from a single

1005
00:39:54,400 --> 00:39:55,400
source of truth.

1006
00:39:55,400 --> 00:39:56,400
Let me define this precisely.

1007
00:39:56,400 --> 00:40:00,560
A control plane is the system that makes decisions about how other systems behave.

1008
00:40:00,560 --> 00:40:02,160
It's the layer above execution.

1009
00:40:02,160 --> 00:40:04,760
It's where intent gets translated into policy.

1010
00:40:04,760 --> 00:40:08,480
Without it, you have a platform, individual services operating independently.

1011
00:40:08,480 --> 00:40:10,960
With it, you have architecture, you have a system.

1012
00:40:10,960 --> 00:40:12,720
Most organizations have the first.

1013
00:40:12,720 --> 00:40:14,240
Almost none have the second.

1014
00:40:14,240 --> 00:40:15,600
The leakage model.

1015
00:40:15,600 --> 00:40:17,960
How to calculate your invisible waste.

1016
00:40:17,960 --> 00:40:19,960
Let me walk you through a calculation.

1017
00:40:19,960 --> 00:40:20,960
And I want you to follow along.

1018
00:40:20,960 --> 00:40:23,240
If you have a notebook nearby, now's the time to grab it.

1019
00:40:23,240 --> 00:40:24,320
This isn't complicated math.

1020
00:40:24,320 --> 00:40:26,800
And it's the math most organizations never actually do.

1021
00:40:26,800 --> 00:40:30,480
So they never see how much money is actually flowing out of their tenant invisibly.

1022
00:40:30,480 --> 00:40:31,880
Start with your total seat count.

1023
00:40:31,880 --> 00:40:33,800
Let's say you're a mid-sized organization.

1024
00:40:33,800 --> 00:40:36,720
5,000 employees, round number, easy to think about.

1025
00:40:36,720 --> 00:40:41,480
Now assume that roughly 20 to 30% of the advanced Microsoft capabilities you've paid for

1026
00:40:41,480 --> 00:40:42,960
are not operationalized.

1027
00:40:42,960 --> 00:40:43,960
Not used.

1028
00:40:43,960 --> 00:40:44,960
Just available.

1029
00:40:44,960 --> 00:40:45,960
This isn't cynicism.

1030
00:40:45,960 --> 00:40:46,960
This is empirical.

1031
00:40:46,960 --> 00:40:48,120
I've ordered a dozens of tenants.

1032
00:40:48,120 --> 00:40:49,120
It's consistent.

1033
00:40:49,120 --> 00:40:51,200
One in three advanced features sits idle.

1034
00:40:51,200 --> 00:40:56,960
For a 5,000 seat organization on e5, the delta between e5 and e3 is roughly $12 per user per

1035
00:40:56,960 --> 00:40:58,440
month, $12.

1036
00:40:58,440 --> 00:41:04,060
Times 5,000 seats, times 12 months, that's $720,000 annually that you're spending on features

1037
00:41:04,060 --> 00:41:05,160
you're not using.

1038
00:41:05,160 --> 00:41:06,520
But that's just the beginning.

1039
00:41:06,520 --> 00:41:08,680
Now add the inactive license premium.

1040
00:41:08,680 --> 00:41:13,120
Roughly 10 to 15% of licenses are assigned to accounts that haven't logged in in 30 days

1041
00:41:13,120 --> 00:41:14,120
or longer.

1042
00:41:14,120 --> 00:41:15,120
Dormant.

1043
00:41:15,120 --> 00:41:16,120
Forgotten.

1044
00:41:16,120 --> 00:41:17,120
Still being built.

1045
00:41:17,120 --> 00:41:21,920
$26 per user for e5 and 15% of your licenses are inactive.

1046
00:41:21,920 --> 00:41:24,560
That's another $250,000.

1047
00:41:24,560 --> 00:41:25,560
Gone.

1048
00:41:25,560 --> 00:41:26,560
Just evaporated.

1049
00:41:26,560 --> 00:41:27,560
That's nearly a million right there.

1050
00:41:27,560 --> 00:41:28,560
Now add co-pilot.

1051
00:41:28,560 --> 00:41:31,640
The base cost of co-pilot is $30 per user per month.

1052
00:41:31,640 --> 00:41:32,920
But that's not the real cost.

1053
00:41:32,920 --> 00:41:34,080
That's the headline number.

1054
00:41:34,080 --> 00:41:39,640
The real cost includes co-pilot studio credits burning through $200 per 25,000 messages.

1055
00:41:39,640 --> 00:41:44,520
For a tenant of 5,000 employees, if even half of them use co-pilot occasionally, you're

1056
00:41:44,520 --> 00:41:46,160
burning through credits fast.

1057
00:41:46,160 --> 00:41:49,400
You're going to get a $250,000 annually for a mid-size deployment.

1058
00:41:49,400 --> 00:41:50,880
Then add the security retrofits.

1059
00:41:50,880 --> 00:41:55,040
When you deploy co-pilot without data boundaries, you have to go back and classify data, define

1060
00:41:55,040 --> 00:41:57,080
agent access, implement DLP policies.

1061
00:41:57,080 --> 00:41:58,080
That's not a feature.

1062
00:41:58,080 --> 00:41:59,080
That's remediation.

1063
00:41:59,080 --> 00:42:01,280
Call it $50,000 in unplanned spending.

1064
00:42:01,280 --> 00:42:04,920
So co-pilot alone is consuming $200,000 plus and that's conservative.

1065
00:42:04,920 --> 00:42:06,320
And then there's governance labor.

1066
00:42:06,320 --> 00:42:08,000
The hours spend managing sprawl.

1067
00:42:08,000 --> 00:42:09,000
The manual cleanup.

1068
00:42:09,000 --> 00:42:10,000
The spreadsheets.

1069
00:42:10,000 --> 00:42:11,000
The escalation emails.

1070
00:42:11,000 --> 00:42:15,320
For a 5,000 seat tenant, that's roughly two full-time employees' worth of effort.

1071
00:42:15,320 --> 00:42:21,040
$150,000 annually minimum added up 720,000 in unused feature capacity.

1072
00:42:21,040 --> 00:42:23,840
$250,000 in inactive licenses.

1073
00:42:23,840 --> 00:42:27,240
$200,000 in co-pilot costs and security retrofits.

1074
00:42:27,240 --> 00:42:29,480
$150,000 in governance labor.

1075
00:42:29,480 --> 00:42:33,280
That's $1.3 million annually in a mid-sized organization.

1076
00:42:33,280 --> 00:42:35,320
And here's what the breakdown actually looks like.

1077
00:42:35,320 --> 00:42:36,320
License waste.

1078
00:42:36,320 --> 00:42:38,000
Features you paid for but don't use.

1079
00:42:38,000 --> 00:42:40,200
Accounts for about 40%.

1080
00:42:40,200 --> 00:42:43,040
Unoptimized connectors and shadow IT, another 20%.

1081
00:42:43,040 --> 00:42:45,120
AI sprawl, 15%.

1082
00:42:45,120 --> 00:42:48,480
Accounts labor that doesn't actually prevent anything 25%.

1083
00:42:48,480 --> 00:42:53,640
Real organizations implementing software asset management best practices can cut spending

1084
00:42:53,640 --> 00:42:55,880
by 30% in year one.

1085
00:42:55,880 --> 00:42:59,480
30% of 1.3 million is nearly $400,000.

1086
00:42:59,480 --> 00:43:00,480
Recovered.

1087
00:43:00,480 --> 00:43:01,480
Just by paying attention.

1088
00:43:01,480 --> 00:43:02,480
That's the leakage model.

1089
00:43:02,480 --> 00:43:05,200
That's what most organizations are bleeding without knowing it.

1090
00:43:05,200 --> 00:43:09,560
And that's before the July 2026 price increases hit when they do that leak gets worse.

1091
00:43:09,560 --> 00:43:10,560
Not better.

1092
00:43:10,560 --> 00:43:11,640
But these numbers are symptoms.

1093
00:43:11,640 --> 00:43:13,320
The disease is systemic.

1094
00:43:13,320 --> 00:43:14,320
It causes analysis.

1095
00:43:14,320 --> 00:43:15,440
Why this happens?

1096
00:43:15,440 --> 00:43:16,880
The leakage isn't random.

1097
00:43:16,880 --> 00:43:18,560
The seven sins aren't coincidences.

1098
00:43:18,560 --> 00:43:21,840
They're not separate failures that happen to occur in the same organization.

1099
00:43:21,840 --> 00:43:26,200
Their structural outcomes of how enterprises make decisions about Microsoft Cloud.

1100
00:43:26,200 --> 00:43:29,160
And if you understand the structure, you understand why this keeps happening.

1101
00:43:29,160 --> 00:43:31,200
The core problem is an operating model failure.

1102
00:43:31,200 --> 00:43:32,280
Not a technical one.

1103
00:43:32,280 --> 00:43:33,960
An organizational one.

1104
00:43:33,960 --> 00:43:38,600
Architectural decisions about Microsoft 365 are made by procurement, not by architects.

1105
00:43:38,600 --> 00:43:40,120
Let me say that again because it matters.

1106
00:43:40,120 --> 00:43:44,600
The decision about what you're going to buy, which SKU, how many licenses, what feature

1107
00:43:44,600 --> 00:43:47,240
set, that decision gets made at the procurement level.

1108
00:43:47,240 --> 00:43:52,040
It gets made by someone looking at a spreadsheet comparing price per user across different vendors.

1109
00:43:52,040 --> 00:43:55,160
It gets made by someone asking, what's the industry standard?

1110
00:43:55,160 --> 00:43:56,320
And then buying that.

1111
00:43:56,320 --> 00:44:00,360
It gets made by someone who's never been inside an enter ID policy or a conditional access

1112
00:44:00,360 --> 00:44:01,360
rule.

1113
00:44:01,360 --> 00:44:04,400
And then that procurement decision gets treated as an architectural decision.

1114
00:44:04,400 --> 00:44:05,400
We bought E5.

1115
00:44:05,400 --> 00:44:06,960
So E5 is our architecture.

1116
00:44:06,960 --> 00:44:10,160
We standardized on teams, so teams governance is solved.

1117
00:44:10,160 --> 00:44:12,400
We licensed co-pilot, so we have an AI strategy.

1118
00:44:12,400 --> 00:44:13,880
That's not how architecture works.

1119
00:44:13,880 --> 00:44:16,600
That's how you end up with a shopping cart instead of a system.

1120
00:44:16,600 --> 00:44:19,320
The second structural problem is an accountability vacuum.

1121
00:44:19,320 --> 00:44:21,000
Nobody owns the economic outcome.

1122
00:44:21,000 --> 00:44:22,000
Budgets get siloed.

1123
00:44:22,000 --> 00:44:24,200
Finance owns the Microsoft licensing budget.

1124
00:44:24,200 --> 00:44:26,680
IT owns the infrastructure operations budget.

1125
00:44:26,680 --> 00:44:31,120
The business owns their departmental software spending, procurement owns vendor contracts.

1126
00:44:31,120 --> 00:44:32,920
And nobody's looking at the tenant as a whole.

1127
00:44:32,920 --> 00:44:35,120
Nobody's asking, are we getting value from this?

1128
00:44:35,120 --> 00:44:38,400
Is the money we spent on E5 actually driving business outcomes?

1129
00:44:38,400 --> 00:44:40,880
If the co-pilot pilot stalls, who's accountable?

1130
00:44:40,880 --> 00:44:43,080
Not the executive who approved the spending.

1131
00:44:43,080 --> 00:44:44,920
Not the business unit who didn't adopt it.

1132
00:44:44,920 --> 00:44:47,720
It gets blamed on poor change management or lack of training.

1133
00:44:47,720 --> 00:44:50,680
Nobody says we spent 200,000 on this and got nothing.

1134
00:44:50,680 --> 00:44:51,920
Who owns that failure?

1135
00:44:51,920 --> 00:44:53,160
This leads to the third problem.

1136
00:44:53,160 --> 00:44:55,840
Finance is completely absent from architecture decisions.

1137
00:44:55,840 --> 00:44:57,480
The CFO sees the spend line.

1138
00:44:57,480 --> 00:44:59,000
The CIO sees the features.

1139
00:44:59,000 --> 00:45:00,080
They never reconcile.

1140
00:45:00,080 --> 00:45:02,560
The CFO doesn't know what the premium connectors cost.

1141
00:45:02,560 --> 00:45:05,200
The CIO doesn't know how many of them are actually used.

1142
00:45:05,200 --> 00:45:07,880
They're operating in different universes with different success metrics.

1143
00:45:07,880 --> 00:45:09,520
The CFO wants to reduce cost.

1144
00:45:09,520 --> 00:45:11,280
The CIO wants to increase adoption.

1145
00:45:11,280 --> 00:45:12,280
Those aren't aligned.

1146
00:45:12,280 --> 00:45:13,280
They're at odds.

1147
00:45:13,280 --> 00:45:14,880
And when they're at odds neither gets what they want.

1148
00:45:14,880 --> 00:45:18,800
You end up with expensive features that nobody uses and cheap tools that everybody

1149
00:45:18,800 --> 00:45:20,400
re-impliments with Shadow IT.

1150
00:45:20,400 --> 00:45:23,400
This is what I call the procurement lead transformation trap.

1151
00:45:23,400 --> 00:45:25,320
The organization buys the right tools.

1152
00:45:25,320 --> 00:45:27,120
The tools are technically sound.

1153
00:45:27,120 --> 00:45:28,880
Microsoft 365 is a good platform.

1154
00:45:28,880 --> 00:45:31,040
But then procurement declares victory.

1155
00:45:31,040 --> 00:45:32,200
We bought the right tools.

1156
00:45:32,200 --> 00:45:34,000
We have the right strategy.

1157
00:45:34,000 --> 00:45:36,280
Success is now inevitable, except it's not.

1158
00:45:36,280 --> 00:45:40,120
85% of organizations increased AI investments in the past 12 months.

1159
00:45:40,120 --> 00:45:43,920
Only 5% are what Gardner calls future build leaders.

1160
00:45:43,920 --> 00:45:46,880
Organizations that are actually getting multiplier effects from their AI spending.

1161
00:45:46,880 --> 00:45:48,680
The other 80% bought the tools.

1162
00:45:48,680 --> 00:45:50,160
They didn't build the architecture.

1163
00:45:50,160 --> 00:45:51,160
Here's a real story.

1164
00:45:51,160 --> 00:45:55,360
An enterprise spent $4.2 million on Microsoft 365 modernization.

1165
00:45:55,360 --> 00:45:56,360
That's not a small bet.

1166
00:45:56,360 --> 00:45:57,920
That's organizational commitment.

1167
00:45:57,920 --> 00:46:00,120
And they measured success by adoption percentage.

1168
00:46:00,120 --> 00:46:01,120
Did people use teams?

1169
00:46:01,120 --> 00:46:02,120
Yes.

1170
00:46:02,120 --> 00:46:03,120
Did usage go up?

1171
00:46:03,120 --> 00:46:04,120
Absolutely.

1172
00:46:04,120 --> 00:46:06,880
But did those tools drive business outcomes?

1173
00:46:06,880 --> 00:46:08,040
Nobody measured that.

1174
00:46:08,040 --> 00:46:11,040
Did the premium capabilities actually reduce support tickets?

1175
00:46:11,040 --> 00:46:12,040
Nobody tracked it?

1176
00:46:12,040 --> 00:46:13,840
Did automation save labor hours?

1177
00:46:13,840 --> 00:46:14,840
Nobody quantified it.

1178
00:46:14,840 --> 00:46:16,000
The only metric was adoption.

1179
00:46:16,000 --> 00:46:17,000
An adoption looked good.

1180
00:46:17,000 --> 00:46:18,600
But adoption isn't architecture.

1181
00:46:18,600 --> 00:46:20,080
Adoption is visibility.

1182
00:46:20,080 --> 00:46:22,800
Someone using a tool doesn't mean the tool is solving a problem.

1183
00:46:22,800 --> 00:46:24,120
It just means they're using it.

1184
00:46:24,120 --> 00:46:25,720
And here's the final structural problem.

1185
00:46:25,720 --> 00:46:28,080
This is the one most organizations don't want to hear.

1186
00:46:28,080 --> 00:46:29,960
Microsoft doesn't enforce governance.

1187
00:46:29,960 --> 00:46:31,800
It enables chaos by default.

1188
00:46:31,800 --> 00:46:35,280
Microsoft 365 assumes you want to be permissive.

1189
00:46:35,280 --> 00:46:36,600
Everyone can create teams.

1190
00:46:36,600 --> 00:46:38,120
Everyone can register apps.

1191
00:46:38,120 --> 00:46:39,640
Everyone can consent to permissions.

1192
00:46:39,640 --> 00:46:40,920
Everyone can share data widely.

1193
00:46:40,920 --> 00:46:41,920
That's not a bug.

1194
00:46:41,920 --> 00:46:42,920
That's a feature.

1195
00:46:42,920 --> 00:46:44,320
It makes the product more accessible.

1196
00:46:44,320 --> 00:46:48,080
But that permissiveness cascades into sprawl without intentional architecture to constrain

1197
00:46:48,080 --> 00:46:49,080
it.

1198
00:46:49,080 --> 00:46:50,560
Microsoft doesn't force you to classify data.

1199
00:46:50,560 --> 00:46:52,800
It doesn't require approval for co-pilot agents.

1200
00:46:52,800 --> 00:46:54,720
It doesn't mandate permission life cycles.

1201
00:46:54,720 --> 00:46:56,600
Those are architectural decisions you have to make.

1202
00:46:56,600 --> 00:46:58,120
And most organizations don't make them.

1203
00:46:58,120 --> 00:46:59,560
So they get the default behavior.

1204
00:46:59,560 --> 00:47:00,560
Which is chaos.

1205
00:47:00,560 --> 00:47:01,600
This is not Microsoft's failure.

1206
00:47:01,600 --> 00:47:02,600
It's yours.

1207
00:47:02,600 --> 00:47:03,600
And it's fixable.

1208
00:47:03,600 --> 00:47:06,040
But fixing it requires a different operating model.

1209
00:47:06,040 --> 00:47:09,840
The compliance wall, CMMC 2.0 and the architects trap.

1210
00:47:09,840 --> 00:47:13,080
Here's what happens when you don't architect for tomorrow's requirements.

1211
00:47:13,080 --> 00:47:15,160
Tomorrow's requirements architect you instead.

1212
00:47:15,160 --> 00:47:19,400
CMMC 2.0 enforcement became mandatory on November 10, 2025.

1213
00:47:19,400 --> 00:47:20,880
That date has already passed.

1214
00:47:20,880 --> 00:47:23,440
And it caught a lot of organizations flat-footed.

1215
00:47:23,440 --> 00:47:26,600
CMMC is the cybersecurity maturity model certification.

1216
00:47:26,600 --> 00:47:29,840
It's the Department of Defense's way of saying that if you want to work with us, if you

1217
00:47:29,840 --> 00:47:33,520
want a government contract, if you want to touch controlled, unclassified information,

1218
00:47:33,520 --> 00:47:38,640
which is what the DOD call CUI, then your security infrastructure has to meet specific standards,

1219
00:47:38,640 --> 00:47:40,240
not guidelines, standards.

1220
00:47:40,240 --> 00:47:43,160
110 controls from NIST SP 871.

1221
00:47:43,160 --> 00:47:44,880
Level 2 compliance is non-negotiable.

1222
00:47:44,880 --> 00:47:47,080
And here's the architectural detail that matters.

1223
00:47:47,080 --> 00:47:50,840
Microsoft 365 commercial cannot be used for CMMC level 2.

1224
00:47:50,840 --> 00:47:51,840
Full stop.

1225
00:47:51,840 --> 00:47:53,320
The commercial cloud is multi-tenant.

1226
00:47:53,320 --> 00:47:56,560
Data from your organization sits alongside data from other organizations.

1227
00:47:56,560 --> 00:47:58,320
The DOD doesn't accept that risk boundary.

1228
00:47:58,320 --> 00:48:02,680
So if you're a defense contractor and you've been using Microsoft 365 commercial, which

1229
00:48:02,680 --> 00:48:06,520
is what most organizations do because it's cheaper and simpler, you cannot use it for

1230
00:48:06,520 --> 00:48:07,520
CUI anymore.

1231
00:48:07,520 --> 00:48:09,280
You have to migrate to GCC High.

1232
00:48:09,280 --> 00:48:13,560
Government community cloud, a separate isolated cloud environment, different infrastructure,

1233
00:48:13,560 --> 00:48:17,360
different data centers, different governance, it's not a checkbox upgrade.

1234
00:48:17,360 --> 00:48:20,920
It's a retennanting, it's an architectural pivot, how it manifests in practice.

1235
00:48:20,920 --> 00:48:24,240
A defense contractor, 2000 seats, running in commercial.

1236
00:48:24,240 --> 00:48:29,000
They're already using Teams, Exchange, SharePoint, everything's deployed, integrated working,

1237
00:48:29,000 --> 00:48:30,840
then CMMC enforcement happens.

1238
00:48:30,840 --> 00:48:34,720
And suddenly they learn, usually from their compliance officer or their government customer

1239
00:48:34,720 --> 00:48:38,680
that they need to be in GCC High by a specific date or they lose their contract.

1240
00:48:38,680 --> 00:48:39,680
Now they're scrambling.

1241
00:48:39,680 --> 00:48:44,240
They have to migrate 2000 users and all their data to a completely different cloud environment.

1242
00:48:44,240 --> 00:48:47,840
They have to revalidate their conditional access policies because GCC High has different

1243
00:48:47,840 --> 00:48:48,840
feature availability.

1244
00:48:48,840 --> 00:48:52,840
They have to retest integrations because third party connectors behave differently in

1245
00:48:52,840 --> 00:48:54,000
government clouds.

1246
00:48:54,000 --> 00:48:58,480
They have to re-architect their governance because the audit logging in GCC High works differently

1247
00:48:58,480 --> 00:48:59,640
than in commercial.

1248
00:48:59,640 --> 00:49:01,600
The systemic cause is straightforward.

1249
00:49:01,600 --> 00:49:04,320
Compliance requirements were not baked into the initial tenant design.

1250
00:49:04,320 --> 00:49:07,440
The organization chose commercial because it was the standard choice.

1251
00:49:07,440 --> 00:49:11,720
Nobody asked if we were a defense contractor what are our long term compliance requirements.

1252
00:49:11,720 --> 00:49:14,560
Nobody mapped that requirement to an architectural decision.

1253
00:49:14,560 --> 00:49:19,080
Nobody said we should build this in GCC High from day one, even though it's more expensive

1254
00:49:19,080 --> 00:49:21,320
because our business model requires it.

1255
00:49:21,320 --> 00:49:25,520
We had the organization built for cost and simplicity and then when compliance requirements

1256
00:49:25,520 --> 00:49:29,160
arrived they had to re-tenant, which is expensive.

1257
00:49:29,160 --> 00:49:33,600
Real numbers, a defense contractor re-tenanting 2000 users to GCC High.

1258
00:49:33,600 --> 00:49:38,080
Professional services alone, the migration effort, the testing, the validation runs north

1259
00:49:38,080 --> 00:49:39,680
of $500,000.

1260
00:49:39,680 --> 00:49:42,560
Then there's the period of operational disruption.

1261
00:49:42,560 --> 00:49:45,560
Users relearning systems that work slightly differently.

1262
00:49:45,560 --> 00:49:47,600
Integrations that broke and had to be rebuilt.

1263
00:49:47,600 --> 00:49:50,720
Training for the new environment, audits that have to be repeated.

1264
00:49:50,720 --> 00:49:54,160
In the extended timeline, what should have been a two week migration stretch to three months

1265
00:49:54,160 --> 00:49:55,960
because the architecture wasn't built for it?

1266
00:49:55,960 --> 00:49:59,040
The economic consequence is layered, the direct cost of migration.

1267
00:49:59,040 --> 00:50:03,120
The opportunity cost of the engineering team's time diverted to crisis mode.

1268
00:50:03,120 --> 00:50:07,440
The risk of incomplete migration where some data or configurations get missed, discovered

1269
00:50:07,440 --> 00:50:08,520
later in an audit.

1270
00:50:08,520 --> 00:50:13,000
And the ongoing cost, GCC High licensing is more expensive than commercial and you can't

1271
00:50:13,000 --> 00:50:14,320
easily move back.

1272
00:50:14,320 --> 00:50:16,680
The control plane fix is ruthlessly simple.

1273
00:50:16,680 --> 00:50:19,360
Design your tenant for your compliance requirements from day one.

1274
00:50:19,360 --> 00:50:20,360
Not eventually.

1275
00:50:20,360 --> 00:50:23,720
If you're a defense contractor, you build in GCC High.

1276
00:50:23,720 --> 00:50:27,440
You accept the higher cost and complexity upfront because your business model requires

1277
00:50:27,440 --> 00:50:28,440
it.

1278
00:50:28,440 --> 00:50:31,400
If you're in healthcare, you might need HIPAA compliance, which affects data residency

1279
00:50:31,400 --> 00:50:32,720
and audit logging.

1280
00:50:32,720 --> 00:50:36,960
If you're in financial services, you might need SoC2, which affects who can access what

1281
00:50:36,960 --> 00:50:38,280
these aren't nice to have.

1282
00:50:38,280 --> 00:50:39,840
These are architectural constraints.

1283
00:50:39,840 --> 00:50:41,880
And here's the lesson that applies beyond CMMC.

1284
00:50:41,880 --> 00:50:44,680
The window for architectural decisions closes early.

1285
00:50:44,680 --> 00:50:48,560
You make the decision about which cloud to use, about how to classify data, about where

1286
00:50:48,560 --> 00:50:49,800
to store information.

1287
00:50:49,800 --> 00:50:52,760
And then that decision constrains everything that comes after.

1288
00:50:52,760 --> 00:50:56,480
If you make the wrong decision early because you didn't anticipate compliance requirements,

1289
00:50:56,480 --> 00:50:57,720
you're rebuilding later.

1290
00:50:57,720 --> 00:50:58,720
That's expensive.

1291
00:50:58,720 --> 00:51:02,440
If you don't architect for tomorrow's requirements, tomorrow's requirements will architect

1292
00:51:02,440 --> 00:51:03,440
you.

1293
00:51:03,440 --> 00:51:05,760
And by then you're already operating at a cost disadvantage.

1294
00:51:05,760 --> 00:51:08,080
The recovery path from decay to design.

1295
00:51:08,080 --> 00:51:09,600
Here's the thing about architecture.

1296
00:51:09,600 --> 00:51:10,800
You can't fix it all at once.

1297
00:51:10,800 --> 00:51:14,400
You have to fix it deliberately in phases with clear outcomes at each step.

1298
00:51:14,400 --> 00:51:18,640
Otherwise you'll just be throwing money at problems without solving the structural issues

1299
00:51:18,640 --> 00:51:19,960
that created them.

1300
00:51:19,960 --> 00:51:21,960
Recovery from 10NTK follows a pattern.

1301
00:51:21,960 --> 00:51:22,960
And the pattern works.

1302
00:51:22,960 --> 00:51:24,320
I've seen it work dozens of times.

1303
00:51:24,320 --> 00:51:28,280
It takes 90 days to get to a place where you can actually claim you have architecture instead

1304
00:51:28,280 --> 00:51:30,160
of just a platform running unsupervised.

1305
00:51:30,160 --> 00:51:31,560
Phase one is 30 days.

1306
00:51:31,560 --> 00:51:32,560
Audit and inventory.

1307
00:51:32,560 --> 00:51:35,760
You have to see what you've actually got before you can change anything.

1308
00:51:35,760 --> 00:51:40,240
This means discovering inactive licenses, running reports on user log in history.

1309
00:51:40,240 --> 00:51:43,400
Finding accounts that haven't authenticated in 30 days or longer.

1310
00:51:43,400 --> 00:51:44,400
These are your easy wins.

1311
00:51:44,400 --> 00:51:46,040
You reclaim them immediately.

1312
00:51:46,040 --> 00:51:47,720
You also discover often apps.

1313
00:51:47,720 --> 00:51:49,320
The 340 power apps.

1314
00:51:49,320 --> 00:51:52,000
The 847 app registrations.

1315
00:51:52,000 --> 00:51:54,680
The automation flows that nobody remembers creating.

1316
00:51:54,680 --> 00:51:55,680
You don't delete them yet.

1317
00:51:55,680 --> 00:51:56,960
You just inventory them.

1318
00:51:56,960 --> 00:51:57,960
Who owns this?

1319
00:51:57,960 --> 00:51:58,960
Has it been used?

1320
00:51:58,960 --> 00:52:00,160
Is there a business case for keeping it?

1321
00:52:00,160 --> 00:52:01,600
You also do a permission audit.

1322
00:52:01,600 --> 00:52:02,880
You look at entry-d roles.

1323
00:52:02,880 --> 00:52:04,840
You find the accounts with excessive privilege.

1324
00:52:04,840 --> 00:52:08,480
You find the service principles with credentials that haven't been rotated.

1325
00:52:08,480 --> 00:52:12,040
You find application permissions that exceed what the application actually needs.

1326
00:52:12,040 --> 00:52:13,680
None of this gets fixed in phase one.

1327
00:52:13,680 --> 00:52:15,840
You just establish what the baseline looks like.

1328
00:52:15,840 --> 00:52:17,640
By the end of 30 days you have clarity.

1329
00:52:17,640 --> 00:52:19,160
You know how much leakage exists.

1330
00:52:19,160 --> 00:52:20,880
You know how many licenses are wasted.

1331
00:52:20,880 --> 00:52:23,640
You know how many often applications are sitting in your environment.

1332
00:52:23,640 --> 00:52:24,640
You have a number.

1333
00:52:24,640 --> 00:52:26,880
And that number becomes your benchmark for recovery.

1334
00:52:26,880 --> 00:52:28,560
Phase two is 60 days.

1335
00:52:28,560 --> 00:52:29,560
Automate governance.

1336
00:52:29,560 --> 00:52:32,440
Now that you know what you have, you start building the systems that will prevent decay

1337
00:52:32,440 --> 00:52:33,600
from happening again.

1338
00:52:33,600 --> 00:52:36,160
You deploy life cycle workflows in Entra ID.

1339
00:52:36,160 --> 00:52:39,400
When a user joins, their access gets provisioned automatically.

1340
00:52:39,400 --> 00:52:42,600
When they leave, their access gets deprovisioned automatically.

1341
00:52:42,600 --> 00:52:43,600
No manual process.

1342
00:52:43,600 --> 00:52:44,600
No spreadsheets.

1343
00:52:44,600 --> 00:52:46,760
No emails asking someone to remember to offboard this person.

1344
00:52:46,760 --> 00:52:47,760
The system does it.

1345
00:52:47,760 --> 00:52:49,080
You implement entitlement management.

1346
00:52:49,080 --> 00:52:52,720
You create access packages that bundle related permissions.

1347
00:52:52,720 --> 00:52:53,960
Employee joins the finance team.

1348
00:52:53,960 --> 00:52:58,080
They automatically get access to the finance shared mailbox, the finance share point side,

1349
00:52:58,080 --> 00:52:59,480
the finance team's channel.

1350
00:52:59,480 --> 00:53:01,560
All through a single approval workflow.

1351
00:53:01,560 --> 00:53:03,560
Not separate requests to different people.

1352
00:53:03,560 --> 00:53:07,560
Not finding out three weeks later that someone didn't get access to something they needed.

1353
00:53:07,560 --> 00:53:11,040
You enforce sensitivity labels and data loss prevention at scale.

1354
00:53:11,040 --> 00:53:13,040
Every document in SharePoint gets classified.

1355
00:53:13,040 --> 00:53:14,040
Not manually.

1356
00:53:14,040 --> 00:53:15,040
Automatically.

1357
00:53:15,040 --> 00:53:17,000
Content analysis based on metadata.

1358
00:53:17,000 --> 00:53:21,720
If a document contains sensitive financial information, it gets the finance label automatically.

1359
00:53:21,720 --> 00:53:25,760
And once it's labeled, DLP policies automatically restrict how it can be shared.

1360
00:53:25,760 --> 00:53:28,480
You can't email a sensitive financial document externally.

1361
00:53:28,480 --> 00:53:29,480
The policy blocks it.

1362
00:53:29,480 --> 00:53:30,880
Phase three is 90 days.

1363
00:53:30,880 --> 00:53:31,880
Build the control plane.

1364
00:53:31,880 --> 00:53:33,160
This is where you architect.

1365
00:53:33,160 --> 00:53:35,000
You define a policy compilation layer.

1366
00:53:35,000 --> 00:53:40,080
A single system of truth where organizational intent gets translated into platform policy.

1367
00:53:40,080 --> 00:53:42,760
You establish Entra ID as the orchestration backbone.

1368
00:53:42,760 --> 00:53:46,640
Every other system in your tenant inherits authorization decisions from identity.

1369
00:53:46,640 --> 00:53:50,920
A user's role in Entra ID determines their access to data in SharePoint, their visibility

1370
00:53:50,920 --> 00:53:53,720
in teams, their permissions in co-pilot agents.

1371
00:53:53,720 --> 00:53:55,720
You implement cross-platform governance.

1372
00:53:55,720 --> 00:53:58,360
When you make a decision in one place, it cascades everywhere.

1373
00:53:58,360 --> 00:53:59,360
It doesn't break systems.

1374
00:53:59,360 --> 00:54:00,640
It doesn't create exceptions.

1375
00:54:00,640 --> 00:54:02,400
It creates consistency.

1376
00:54:02,400 --> 00:54:05,040
A global firm I worked with followed this path.

1377
00:54:05,040 --> 00:54:06,160
Five thousand seats.

1378
00:54:06,160 --> 00:54:10,280
They recovered $1.2 million in year one through systematic rationalization.

1379
00:54:10,280 --> 00:54:14,800
They reclaimed $130,000 in unused licenses in month one.

1380
00:54:14,800 --> 00:54:17,960
They decommissioned 78 orphaned power apps in month two.

1381
00:54:17,960 --> 00:54:22,880
By month three, they'd reduced their password reset volume by 86% through automated entitlement

1382
00:54:22,880 --> 00:54:23,880
management.

1383
00:54:23,880 --> 00:54:24,880
The research is consistent.

1384
00:54:24,880 --> 00:54:30,400
The break-even point for technology investment in M365 is 54 minutes of time savings per employee

1385
00:54:30,400 --> 00:54:31,400
per month.

1386
00:54:31,400 --> 00:54:34,720
This organization achieved that in the first 30 days.

1387
00:54:34,720 --> 00:54:36,600
Everything after that was pure recovery.

1388
00:54:36,600 --> 00:54:40,480
All outcomes matter.

1389
00:54:40,480 --> 00:54:43,640
Help desk tickets for access requests basically disappeared.

1390
00:54:43,640 --> 00:54:45,960
Compliance audits became routine instead of crisis.

1391
00:54:45,960 --> 00:54:49,800
They could prove they had governance because governance was built into the platform, but

1392
00:54:49,800 --> 00:54:53,160
recovery requires something else beyond process.

1393
00:54:53,160 --> 00:54:54,400
The mindset shift.

1394
00:54:54,400 --> 00:54:58,600
From procurement to architecture, recovery requires a mindset shift.

1395
00:54:58,600 --> 00:55:02,800
And mindset shifts are harder than process changes because they require executives to change

1396
00:55:02,800 --> 00:55:04,760
how they think about what they're doing.

1397
00:55:04,760 --> 00:55:08,280
The shift sounds simple when you say it, but it reshapes everything.

1398
00:55:08,280 --> 00:55:10,280
Stop asking what tools should we buy?

1399
00:55:10,280 --> 00:55:12,120
Start asking what system do we need?

1400
00:55:12,120 --> 00:55:13,720
This is the fundamental reframe.

1401
00:55:13,720 --> 00:55:16,880
Most organizations approach Microsoft 365 like they're shopping.

1402
00:55:16,880 --> 00:55:17,880
What features do we need?

1403
00:55:17,880 --> 00:55:19,160
What's the industry standard?

1404
00:55:19,160 --> 00:55:20,560
What are competitors using?

1405
00:55:20,560 --> 00:55:21,760
What's the price per user?

1406
00:55:21,760 --> 00:55:22,760
And then they buy?

1407
00:55:22,760 --> 00:55:25,320
They've solved the problem by acquiring the product.

1408
00:55:25,320 --> 00:55:27,000
But tools and systems are different things.

1409
00:55:27,000 --> 00:55:28,760
A tool is something you buy and deploy.

1410
00:55:28,760 --> 00:55:30,400
A system is something you architect.

1411
00:55:30,400 --> 00:55:32,080
A tool solves isolated problems.

1412
00:55:32,080 --> 00:55:33,800
A system solves interconnected problems.

1413
00:55:33,800 --> 00:55:34,800
You can buy a co-pilot.

1414
00:55:34,800 --> 00:55:37,280
That's a tool, but you can't buy a co-pilot system.

1415
00:55:37,280 --> 00:55:38,280
You have to architect it.

1416
00:55:38,280 --> 00:55:40,120
You have to decide what data it accesses.

1417
00:55:40,120 --> 00:55:41,480
You have to define its boundaries.

1418
00:55:41,480 --> 00:55:43,880
You have to think about how it integrates with governance.

1419
00:55:43,880 --> 00:55:45,600
You have to measure what it actually delivers.

1420
00:55:45,600 --> 00:55:50,240
The shift from tools to systems changes everything because now the question isn't, how do we buy

1421
00:55:50,240 --> 00:55:51,240
this faster?

1422
00:55:51,240 --> 00:55:53,480
It's, what are we trying to accomplish?

1423
00:55:53,480 --> 00:55:56,480
And how does this tool fit into the larger system we need?

1424
00:55:56,480 --> 00:55:58,320
Stop measuring by adoption percentage.

1425
00:55:58,320 --> 00:56:00,280
Start measuring by economic realization.

1426
00:56:00,280 --> 00:56:02,680
Most organizations track adoption because it's visible.

1427
00:56:02,680 --> 00:56:04,360
How many users logged into co-pilot?

1428
00:56:04,360 --> 00:56:05,920
How many teams channels got created?

1429
00:56:05,920 --> 00:56:07,320
How many people attended training?

1430
00:56:07,320 --> 00:56:10,120
These metrics feel like success because they're easy to see.

1431
00:56:10,120 --> 00:56:11,120
And they're useless.

1432
00:56:11,120 --> 00:56:13,480
A user logged into co-pilot once and never returned.

1433
00:56:13,480 --> 00:56:14,480
Is that adoption?

1434
00:56:14,480 --> 00:56:15,480
Technically yes.

1435
00:56:15,480 --> 00:56:17,120
But economically, it's a failure.

1436
00:56:17,120 --> 00:56:20,520
You spend $30 a month on a license that delivered zero value.

1437
00:56:20,520 --> 00:56:21,520
That's not adoption.

1438
00:56:21,520 --> 00:56:22,840
That's waste measured in percentages.

1439
00:56:22,840 --> 00:56:23,920
Real metrics are different.

1440
00:56:23,920 --> 00:56:26,640
Did co-pilot reduce the time it takes to write a report?

1441
00:56:26,640 --> 00:56:28,240
By how much can you quantify that?

1442
00:56:28,240 --> 00:56:30,080
Did it reduce password reset calls?

1443
00:56:30,080 --> 00:56:31,560
How many fewer calls per month?

1444
00:56:31,560 --> 00:56:33,440
Did it accelerate on boarding by how long?

1445
00:56:33,440 --> 00:56:34,440
These are economic metrics.

1446
00:56:34,440 --> 00:56:36,600
They connect tool usage to business outcome.

1447
00:56:36,600 --> 00:56:37,920
And they're much harder to achieve.

1448
00:56:37,920 --> 00:56:39,680
So organizations don't measure them.

1449
00:56:39,680 --> 00:56:41,360
They measure adoption instead.

1450
00:56:41,360 --> 00:56:43,360
Stop treating architects as cost centers.

1451
00:56:43,360 --> 00:56:45,080
Start treating them as leverage multipliers.

1452
00:56:45,080 --> 00:56:49,000
This is the hardest mindset shift because it requires the organization to value something

1453
00:56:49,000 --> 00:56:50,960
that's invisible until something breaks.

1454
00:56:50,960 --> 00:56:52,520
A builder creates a feature.

1455
00:56:52,520 --> 00:56:53,520
Everyone sees it.

1456
00:56:53,520 --> 00:56:54,880
The business sees value immediately.

1457
00:56:54,880 --> 00:56:58,480
An architect prevents a problem that would have cost millions to fix later.

1458
00:56:58,480 --> 00:57:00,720
Nobody sees it because the problem never happened.

1459
00:57:00,720 --> 00:57:02,160
But invisibility is dangerous.

1460
00:57:02,160 --> 00:57:05,000
It gets architects fired and builders promoted.

1461
00:57:05,000 --> 00:57:06,360
But here's the arithmetic.

1462
00:57:06,360 --> 00:57:09,640
One architect can set standards that affect hundreds of builders.

1463
00:57:09,640 --> 00:57:13,680
One architectural decision about how to handle data boundaries can prevent thousands of hours

1464
00:57:13,680 --> 00:57:14,840
of rework later.

1465
00:57:14,840 --> 00:57:19,160
One governance framework that automates entitlement management can reclaim hundreds of thousands

1466
00:57:19,160 --> 00:57:21,160
of dollars in license waste and labor.

1467
00:57:21,160 --> 00:57:22,160
That's leverage.

1468
00:57:22,160 --> 00:57:25,280
Stop treating licensing as a budget line item.

1469
00:57:25,280 --> 00:57:27,400
Start treating it as a behavioral incentive.

1470
00:57:27,400 --> 00:57:28,800
Licensing SKU drives behavior.

1471
00:57:28,800 --> 00:57:32,400
If you assign everyone E5, you're saying everyone gets access to everything that removes

1472
00:57:32,400 --> 00:57:33,400
all constraints.

1473
00:57:33,400 --> 00:57:34,560
It removes all discipline.

1474
00:57:34,560 --> 00:57:38,640
It removes the mechanism that forces you to make hard architectural decisions about what

1475
00:57:38,640 --> 00:57:39,840
people actually need.

1476
00:57:39,840 --> 00:57:44,120
But if you intentionally align licensing to roles, then the organization has to know what

1477
00:57:44,120 --> 00:57:45,120
roles are.

1478
00:57:45,120 --> 00:57:46,320
It has to enforce role definitions.

1479
00:57:46,320 --> 00:57:49,920
It has to ask why does this person need this capability?

1480
00:57:49,920 --> 00:57:53,520
And in asking that question, it starts building architecture instead of buying features.

1481
00:57:53,520 --> 00:57:56,200
A CIO I worked with made this shift explicitly.

1482
00:57:56,200 --> 00:57:58,520
They'd been trying to drive co-pilot adoption.

1483
00:57:58,520 --> 00:58:03,680
Doing it out to everyone, measuring usage metrics, adoption wasn't happening, usage was low,

1484
00:58:03,680 --> 00:58:05,400
value was unclear.

1485
00:58:05,400 --> 00:58:06,840
So they reframed it.

1486
00:58:06,840 --> 00:58:11,940
Instead of co-pilot is a productivity tool, they said co-pilot is a data governance accelerator.

1487
00:58:11,940 --> 00:58:13,440
And they changed who got licenses.

1488
00:58:13,440 --> 00:58:18,480
Not everyone, teams that had high data governance maturity, teams that had classified their data,

1489
00:58:18,480 --> 00:58:20,600
teams that understood their compliance requirements.

1490
00:58:20,600 --> 00:58:25,120
Suddenly, co-pilot became an incentive for doing the unglomerious work of data classification

1491
00:58:25,120 --> 00:58:26,120
first.

1492
00:58:26,120 --> 00:58:31,000
But reframing looks like in practice, not different tools, different intent, different alignment,

1493
00:58:31,000 --> 00:58:32,200
different outcomes.

1494
00:58:32,200 --> 00:58:33,320
And here's the final refram.

1495
00:58:33,320 --> 00:58:35,880
Your Microsoft tenant is not a collection of applications.

1496
00:58:35,880 --> 00:58:37,840
It is not a set of services you subscribe to.

1497
00:58:37,840 --> 00:58:39,080
It is an economic system.

1498
00:58:39,080 --> 00:58:41,080
Every decision has an economic consequence.

1499
00:58:41,080 --> 00:58:43,120
Every sprawl you tolerate costs money.

1500
00:58:43,120 --> 00:58:45,620
Every governance gap you ignore compounds into debt.

1501
00:58:45,620 --> 00:58:48,400
The question isn't, do we have Microsoft 365?

1502
00:58:48,400 --> 00:58:50,960
The question is, are we managing it as a system?

1503
00:58:50,960 --> 00:58:53,840
The governance operating model, how to sustain it?

1504
00:58:53,840 --> 00:58:55,280
Recovery is the easy part.

1505
00:58:55,280 --> 00:58:57,600
Making it is where most organizations fail.

1506
00:58:57,600 --> 00:58:59,440
You'll go through the 90 day recovery.

1507
00:58:59,440 --> 00:59:00,680
You'll reclaim licenses.

1508
00:59:00,680 --> 00:59:02,640
You'll decommission orfant applications.

1509
00:59:02,640 --> 00:59:04,120
You'll implement automation.

1510
00:59:04,120 --> 00:59:06,840
And for about six months, the organization will feel good about it.

1511
00:59:06,840 --> 00:59:07,840
We fixed it.

1512
00:59:07,840 --> 00:59:08,840
We're more efficient.

1513
00:59:08,840 --> 00:59:09,840
We have governance.

1514
00:59:09,840 --> 00:59:11,600
Then slowly entropy returns.

1515
00:59:11,600 --> 00:59:16,240
A new business unit wants to deploy a co-pilot agent without following the approval workflow.

1516
00:59:16,240 --> 00:59:19,960
Someone creates a teams channel for a project and assigns permissions to broadly.

1517
00:59:19,960 --> 00:59:24,440
A new integration gets built because the standard integration points are documented poorly.

1518
00:59:24,440 --> 00:59:26,200
And the builder doesn't know they exist.

1519
00:59:26,200 --> 00:59:28,000
The control plane drifts.

1520
00:59:28,000 --> 00:59:29,600
Policies become suggestions again.

1521
00:59:29,600 --> 00:59:32,040
This is why governance requires an operating model.

1522
00:59:32,040 --> 00:59:35,280
Not a one time intervention, not a checklist you complete and then ignore.

1523
00:59:35,280 --> 00:59:39,000
An ongoing system that sustains architectural discipline.

1524
00:59:39,000 --> 00:59:40,880
Governance operating models have three components.

1525
00:59:40,880 --> 00:59:44,440
Ownership, decision rights, cadence.

1526
00:59:44,440 --> 00:59:45,440
First ownership.

1527
00:59:45,440 --> 00:59:46,720
Somebody has to own the control plane.

1528
00:59:46,720 --> 00:59:47,720
Not everyone.

1529
00:59:47,720 --> 00:59:51,800
Not a committee that meets quarterly, one accountable person or a small office that

1530
00:59:51,800 --> 00:59:55,440
owns architectural intent and policy, consistency.

1531
00:59:55,440 --> 00:59:58,120
At many organizations, this gets assigned to the CIO.

1532
00:59:58,120 --> 01:00:02,920
But if your CIO is spread across a hundred initiatives, ownership becomes meaningless.

1533
01:00:02,920 --> 01:00:05,160
Effective models establish a distinct role.

1534
01:00:05,160 --> 01:00:08,480
Chief architect or office of architecture or governance council lead.

1535
01:00:08,480 --> 01:00:13,320
Someone whose primary responsibility, not secondary, not among other things, is ensuring

1536
01:00:13,320 --> 01:00:15,320
the control plane stays intact.

1537
01:00:15,320 --> 01:00:16,520
This ownership is active.

1538
01:00:16,520 --> 01:00:17,920
It's not theoretical.

1539
01:00:17,920 --> 01:00:21,760
It's weekly staff meetings where the architecture team reviews what's being requested.

1540
01:00:21,760 --> 01:00:26,960
New applications, new integrations, new data classifications, new governance exceptions.

1541
01:00:26,960 --> 01:00:28,960
Every request flows through this office.

1542
01:00:28,960 --> 01:00:33,080
And the office has the authority to say no, not to obstruct, to enforce standards.

1543
01:00:33,080 --> 01:00:34,960
Second, decision rights.

1544
01:00:34,960 --> 01:00:36,600
Define explicitly who decides what.

1545
01:00:36,600 --> 01:00:39,360
This prevents the diffusion of responsibility that kills governance.

1546
01:00:39,360 --> 01:00:41,800
Who approves new applications, not the business.

1547
01:00:41,800 --> 01:00:43,760
Specifically, the application review board.

1548
01:00:43,760 --> 01:00:47,240
Who has authority to create co-pilot agents, the AI governance council.

1549
01:00:47,240 --> 01:00:50,560
Who decides data classifications, the data owner with IT validation.

1550
01:00:50,560 --> 01:00:53,640
Who can request exceptions to conditional access policies.

1551
01:00:53,640 --> 01:00:57,840
The executive sponsor with the CISO sign off, write these down, make them clear.

1552
01:00:57,840 --> 01:00:59,640
And then enforce them without exception.

1553
01:00:59,640 --> 01:01:01,640
Real exceptions happen, legitimate ones.

1554
01:01:01,640 --> 01:01:06,680
But if you grant exceptions without requiring explicit approval and documented business justification,

1555
01:01:06,680 --> 01:01:07,760
exceptions become the rule.

1556
01:01:07,760 --> 01:01:09,080
And rules become irrelevant.

1557
01:01:09,080 --> 01:01:10,680
Third, cadence.

1558
01:01:10,680 --> 01:01:13,400
Governance that operates only in crisis mode isn't governance.

1559
01:01:13,400 --> 01:01:14,880
It's damage control.

1560
01:01:14,880 --> 01:01:16,320
Establish three levels of rhythm.

1561
01:01:16,320 --> 01:01:17,320
Weekly operational.

1562
01:01:17,320 --> 01:01:22,080
The governance team meeting to review requests, approve standard decisions, identify anomalies.

1563
01:01:22,080 --> 01:01:23,600
Not long meetings, 30 minutes.

1564
01:01:23,600 --> 01:01:24,600
What came in this week?

1565
01:01:24,600 --> 01:01:25,600
Are we seeing drift?

1566
01:01:25,600 --> 01:01:26,920
Do we need to escalate anything?

1567
01:01:26,920 --> 01:01:27,920
Monthly tactical.

1568
01:01:27,920 --> 01:01:28,920
This is the broader review.

1569
01:01:28,920 --> 01:01:30,240
How are policies performing?

1570
01:01:30,240 --> 01:01:31,440
What did automation catch?

1571
01:01:31,440 --> 01:01:33,040
What required manual intervention?

1572
01:01:33,040 --> 01:01:34,520
Are there patterns we should address?

1573
01:01:34,520 --> 01:01:36,960
Are there new threats we need to govern against?

1574
01:01:36,960 --> 01:01:37,960
Quaternary strategic.

1575
01:01:37,960 --> 01:01:39,800
This is alignment with business outcomes.

1576
01:01:39,800 --> 01:01:42,480
Are our governance decisions supporting business goals?

1577
01:01:42,480 --> 01:01:44,920
Are we over-controlling and blocking innovation?

1578
01:01:44,920 --> 01:01:46,640
Are we under-controlling and exposing risk?

1579
01:01:46,640 --> 01:01:49,320
Do we need to adjust policies based on what we've learned?

1580
01:01:49,320 --> 01:01:51,960
This is the meeting that connects governance to business impact.

1581
01:01:51,960 --> 01:01:54,120
Tide this to outcomes.

1582
01:01:54,120 --> 01:01:59,000
Organizations with formal governance operating models achieve 130% or higher ROI in year

1583
01:01:59,000 --> 01:02:00,000
one.

1584
01:02:00,000 --> 01:02:04,000
Not through cost savings alone, through the compounding effect of consistent decision making,

1585
01:02:04,000 --> 01:02:08,160
of reduced rework, of architects preventing problems instead of engineers fixing them

1586
01:02:08,160 --> 01:02:09,160
after the fact.

1587
01:02:09,160 --> 01:02:12,840
A global enterprise established an architecture council.

1588
01:02:12,840 --> 01:02:16,520
Representatives from IT, finance, security, business, met quarterly.

1589
01:02:16,520 --> 01:02:20,040
And all new initiatives evaluated them against architectural standards.

1590
01:02:20,040 --> 01:02:21,240
Court problems early.

1591
01:02:21,240 --> 01:02:25,560
Within two years, they had reduced infrastructure change failures by 70%.

1592
01:02:25,560 --> 01:02:28,800
Because architectural intent was clear and decisions were coordinated.

1593
01:02:28,800 --> 01:02:29,880
Track metrics that matter.

1594
01:02:29,880 --> 01:02:33,000
Not adoption, cost per seat, feature utilization percentage.

1595
01:02:33,000 --> 01:02:35,280
Audit readiness score, breach risk score.

1596
01:02:35,280 --> 01:02:37,360
These connect governance to business reality.

1597
01:02:37,360 --> 01:02:39,040
Is your co-pilot adoption tracking?

1598
01:02:39,040 --> 01:02:41,360
Measure actual time saved, not just login events.

1599
01:02:41,360 --> 01:02:43,000
Are your license cost predictable?

1600
01:02:43,000 --> 01:02:44,760
Track cost per user by role?

1601
01:02:44,760 --> 01:02:46,840
Is your security post your hardening?

1602
01:02:46,840 --> 01:02:51,360
Measure your conditional access coverage, your MFA adoption rate, your unmanaged device exposure?

1603
01:02:51,360 --> 01:02:53,120
These metrics create accountability.

1604
01:02:53,120 --> 01:02:54,600
The governance team owns them.

1605
01:02:54,600 --> 01:02:56,000
They report quarterly.

1606
01:02:56,000 --> 01:02:59,840
When metrics drift, someone has to explain why and what they're doing to fix it.

1607
01:02:59,840 --> 01:03:01,040
This is not optional.

1608
01:03:01,040 --> 01:03:02,960
This is foundational.

1609
01:03:02,960 --> 01:03:06,160
Without an operating model to sustain it, your recovery becomes temporary.

1610
01:03:06,160 --> 01:03:08,640
Within 18 months, your back where you started.

1611
01:03:08,640 --> 01:03:11,720
Slightly more expensive, but fundamentally unchanged.

1612
01:03:11,720 --> 01:03:14,280
With it, governance becomes a permanent capability.

1613
01:03:14,280 --> 01:03:17,840
Having the organization does not something it periodically attempts.

1614
01:03:17,840 --> 01:03:20,720
The executive prescription, what leadership must do.

1615
01:03:20,720 --> 01:03:22,120
Here is what needs to happen.

1616
01:03:22,120 --> 01:03:23,120
Not eventually.

1617
01:03:23,120 --> 01:03:27,360
Before your next renewal, before the July 2026 price increases, force your hand.

1618
01:03:27,360 --> 01:03:30,080
Demand an architecture audit before your next license renewal.

1619
01:03:30,080 --> 01:03:31,080
Not a vendor assessment.

1620
01:03:31,080 --> 01:03:32,400
Not a feature comparison.

1621
01:03:32,400 --> 01:03:33,560
An actual audit.

1622
01:03:33,560 --> 01:03:37,360
Someone independent, not your infrastructure team, they have incentive to minimize problems.

1623
01:03:37,360 --> 01:03:38,880
Comes in and maps your tenant.

1624
01:03:38,880 --> 01:03:39,880
What's actually running?

1625
01:03:39,880 --> 01:03:40,880
What's being used?

1626
01:03:40,880 --> 01:03:41,880
What's decaying?

1627
01:03:41,880 --> 01:03:42,880
What's the compliance posture?

1628
01:03:42,880 --> 01:03:44,240
What's the governance maturity?

1629
01:03:44,240 --> 01:03:45,240
What's the secondary?

1630
01:03:45,240 --> 01:03:46,800
Truth is primary.

1631
01:03:46,800 --> 01:03:50,240
This audit produces three artifacts, first a baseline of where you are.

1632
01:03:50,240 --> 01:03:51,360
What's the current leakage?

1633
01:03:51,360 --> 01:03:52,880
How much license waste exists?

1634
01:03:52,880 --> 01:03:53,880
What's your security debt?

1635
01:03:53,880 --> 01:03:55,040
Second, a gap analysis.

1636
01:03:55,040 --> 01:03:59,640
If you want to achieve a specific level of governance maturity, what do you need to change?

1637
01:03:59,640 --> 01:04:01,280
Third, a recovery roadmap.

1638
01:04:01,280 --> 01:04:02,280
90 days.

1639
01:04:02,280 --> 01:04:03,280
Minimum.

1640
01:04:03,280 --> 01:04:04,280
Clear milestones.

1641
01:04:04,280 --> 01:04:05,280
Economic outcomes measured.

1642
01:04:05,280 --> 01:04:06,600
This audit is not free.

1643
01:04:06,600 --> 01:04:09,960
Plan for 50,000 to 150,000 depending on size.

1644
01:04:09,960 --> 01:04:10,960
That's not an expense.

1645
01:04:10,960 --> 01:04:14,960
Insurance.

1646
01:04:14,960 --> 01:04:17,560
Your assumptions are wrong.

1647
01:04:17,560 --> 01:04:19,160
Everyone's assumptions are wrong.

1648
01:04:19,160 --> 01:04:23,000
Require a quarterly economic outcome reporting tied to your Microsoft spend.

1649
01:04:23,000 --> 01:04:28,480
Your CFO shouldn't see a line item that says Microsoft 365 3.2 million dollars.

1650
01:04:28,480 --> 01:04:31,880
Your CFO should see Microsoft 365 3.2 million.

1651
01:04:31,880 --> 01:04:33,280
ROI outcomes.

1652
01:04:33,280 --> 01:04:36,040
Reduce time to onboard by 25%.

1653
01:04:36,040 --> 01:04:40,280
Automated 86% of access requests prevented four compliance failures.

1654
01:04:40,280 --> 01:04:41,280
That's a conversation.

1655
01:04:41,280 --> 01:04:42,280
That's governance.

1656
01:04:42,280 --> 01:04:44,440
Establish a control plane governance model with clear ownership.

1657
01:04:44,440 --> 01:04:45,920
Assign someone.

1658
01:04:45,920 --> 01:04:46,920
Explicitly.

1659
01:04:46,920 --> 01:04:49,000
Not a committee, not a part-time responsibilities.

1660
01:04:49,000 --> 01:04:52,600
Someone whose primary job is ensuring architectural intent gets enforced.

1661
01:04:52,600 --> 01:04:55,120
Give them authority to approve or reject requests.

1662
01:04:55,120 --> 01:04:56,120
Give them budget.

1663
01:04:56,120 --> 01:04:57,440
Measure them by system health.

1664
01:04:57,440 --> 01:04:59,080
Not by features shipped.

1665
01:04:59,080 --> 01:05:02,120
Map licensing SKU to organizational roles and capabilities.

1666
01:05:02,120 --> 01:05:04,360
This is unglamorous work, but it's mandatory.

1667
01:05:04,360 --> 01:05:05,360
You need a matrix.

1668
01:05:05,360 --> 01:05:09,480
Finance roles require E5 because they need advanced threat intelligence and premium

1669
01:05:09,480 --> 01:05:10,880
connectors.

1670
01:05:10,880 --> 01:05:15,360
Engineering roles require E3 because they need collaboration but not premium security.

1671
01:05:15,360 --> 01:05:18,720
Support roles require business standard because they need email and teams and nothing

1672
01:05:18,720 --> 01:05:19,720
else.

1673
01:05:19,720 --> 01:05:20,720
Write this down.

1674
01:05:20,720 --> 01:05:22,840
Make it policy and force it.

1675
01:05:22,840 --> 01:05:25,960
Implement automated compliance monitoring for regulatory requirements.

1676
01:05:25,960 --> 01:05:29,480
If you're a defense contractor, you need to know continuously whether you're maintaining

1677
01:05:29,480 --> 01:05:31,160
CMMC compliance.

1678
01:05:31,160 --> 01:05:32,160
Not at audit time.

1679
01:05:32,160 --> 01:05:33,160
Continuously.

1680
01:05:33,160 --> 01:05:37,160
If you're in health care, you need to know whether your HIPAA controls are intact, automated

1681
01:05:37,160 --> 01:05:38,160
real-time.

1682
01:05:38,160 --> 01:05:39,160
It requires tooling.

1683
01:05:39,160 --> 01:05:40,160
It requires investment.

1684
01:05:40,160 --> 01:05:41,160
It's non-negotiable.

1685
01:05:41,160 --> 01:05:42,160
Real story.

1686
01:05:42,160 --> 01:05:46,680
A CFO at a mid-market organization demanded an ROI model before approving the co-pilot rollout.

1687
01:05:46,680 --> 01:05:47,680
The team pushed back.

1688
01:05:47,680 --> 01:05:48,680
Just let us pilot it.

1689
01:05:48,680 --> 01:05:49,680
See how adoption goes.

1690
01:05:49,680 --> 01:05:50,680
The CFO said no.

1691
01:05:50,680 --> 01:05:51,680
Show me the model.

1692
01:05:51,680 --> 01:05:53,400
Show me what time savings will achieve.

1693
01:05:53,400 --> 01:05:55,400
Show me how that translates to economic value.

1694
01:05:55,400 --> 01:05:58,280
They built the model and they discovered something.

1695
01:05:58,280 --> 01:06:03,240
40% of existing E5 licenses could be downgraded to E3 because users weren't using the premium

1696
01:06:03,240 --> 01:06:05,480
connectors or the advanced security features.

1697
01:06:05,480 --> 01:06:08,200
They were just using the basic collaboration tools.

1698
01:06:08,200 --> 01:06:12,520
40% that's hundreds of thousands of dollars recovered before they spent a dime on co-pilot.

1699
01:06:12,520 --> 01:06:15,560
The CFO's insistence on economic modeling exposed the real problem.

1700
01:06:15,560 --> 01:06:16,880
Here's the conversation starter.

1701
01:06:16,880 --> 01:06:21,640
If you cannot explain your Microsoft strategy in economic terms, you don't have a strategy.

1702
01:06:21,640 --> 01:06:22,640
You have a shopping list.

1703
01:06:22,640 --> 01:06:25,680
A strategy connects technical decisions to business outcomes.

1704
01:06:25,680 --> 01:06:29,840
The strategy says we're implementing this control because it reduces risk.

1705
01:06:29,840 --> 01:06:32,480
Or we're decommissioning that because it's not driving value.

1706
01:06:32,480 --> 01:06:36,360
Or we're investing in governance because the savings from automation exceed the cost

1707
01:06:36,360 --> 01:06:37,600
by 5 to 1.

1708
01:06:37,600 --> 01:06:40,320
If you can't say those things, you don't have a strategy.

1709
01:06:40,320 --> 01:06:41,840
And here's the non-negotiable.

1710
01:06:41,840 --> 01:06:43,640
Procurement is not transformation.

1711
01:06:43,640 --> 01:06:44,640
Architecture is.

1712
01:06:44,640 --> 01:06:45,640
Stop conflating the two.

1713
01:06:45,640 --> 01:06:46,640
Buying tools is easy.

1714
01:06:46,640 --> 01:06:47,640
Building systems is hard.

1715
01:06:47,640 --> 01:06:48,640
One is a transaction.

1716
01:06:48,640 --> 01:06:49,920
The other is a capability.

1717
01:06:49,920 --> 01:06:51,240
One generates a purchase order.

1718
01:06:51,240 --> 01:06:53,080
The other generates economic value.

1719
01:06:53,080 --> 01:06:56,640
Your job as a leader is to demand architecture, not procurement.

1720
01:06:56,640 --> 01:07:00,320
Demand that before you renew, someone explains to you how your Microsoft tenant is actually

1721
01:07:00,320 --> 01:07:04,680
organized, what the control plane looks like, how decisions are enforced, what's working,

1722
01:07:04,680 --> 01:07:07,280
what's decaying, what the economics actually are.

1723
01:07:07,280 --> 01:07:08,280
That's leadership.

1724
01:07:08,280 --> 01:07:09,960
Everything else is just spending money.

1725
01:07:09,960 --> 01:07:10,960
The uncomfortable truth.

1726
01:07:10,960 --> 01:07:12,280
Why this matters now?

1727
01:07:12,280 --> 01:07:13,760
This is not a 2027 problem.

1728
01:07:13,760 --> 01:07:15,080
This is a 26 problem.

1729
01:07:15,080 --> 01:07:16,080
And it's already here.

1730
01:07:16,080 --> 01:07:21,160
Microsoft is increasing prices 9 to 33% effective July 1, 2026.

1731
01:07:21,160 --> 01:07:22,200
That date is approaching.

1732
01:07:22,200 --> 01:07:25,160
For most organizations, that's your next renewal window.

1733
01:07:25,160 --> 01:07:27,320
The question isn't whether prices are going up.

1734
01:07:27,320 --> 01:07:31,320
The question is whether you'll be paying higher prices on a rationalized tenant or a

1735
01:07:31,320 --> 01:07:32,360
decayed one.

1736
01:07:32,360 --> 01:07:36,760
If you rationalize now, before renewal, you recover license waste while you're still paying

1737
01:07:36,760 --> 01:07:37,760
current pricing.

1738
01:07:37,760 --> 01:07:43,040
A 30% cost reduction on your E5 mix locked in at today's rates survives the July increase.

1739
01:07:43,040 --> 01:07:47,440
If you wait until after the increase, you're recovering 30% over higher base.

1740
01:07:47,440 --> 01:07:49,160
You're optimizing at a disadvantage.

1741
01:07:49,160 --> 01:07:52,440
The arithmetic is stock, a global firm delayed rationalization.

1742
01:07:52,440 --> 01:07:54,960
They told themselves they'd address it after their renewal.

1743
01:07:54,960 --> 01:07:57,720
They renewal landed two weeks after the price increase.

1744
01:07:57,720 --> 01:07:59,360
They tried to write size licenses then.

1745
01:07:59,360 --> 01:08:01,800
They recovered 100,000 in quarterly waste.

1746
01:08:01,800 --> 01:08:05,680
But they were recovering it from a base that had already increased by 300,000.

1747
01:08:05,680 --> 01:08:06,680
They optimized too late.

1748
01:08:06,680 --> 01:08:11,200
They're now paying 200,000 more annually than if they had acted before the increase.

1749
01:08:11,200 --> 01:08:12,680
The second pressure is regulatory.

1750
01:08:12,680 --> 01:08:14,840
The compliance landscape is tightening, not loosening.

1751
01:08:14,840 --> 01:08:16,960
CMMC 2.0 enforcement is not optional.

1752
01:08:16,960 --> 01:08:18,600
It's not something to handle eventually.

1753
01:08:18,600 --> 01:08:19,600
It's here.

1754
01:08:19,600 --> 01:08:22,800
And if you're a defense contractor and you're not already in GCC high, you're operating

1755
01:08:22,800 --> 01:08:23,800
on borrowed time.

1756
01:08:23,800 --> 01:08:25,320
The customer will enforce it.

1757
01:08:25,320 --> 01:08:26,720
Your contract depends on it.

1758
01:08:26,720 --> 01:08:28,760
Waiting until you lose the contract is expensive.

1759
01:08:28,760 --> 01:08:32,400
Beyond CMMC, state level AI regulation is accelerating.

1760
01:08:32,400 --> 01:08:36,800
38 US states enacted roughly 100 AI measures in 2025.

1761
01:08:36,800 --> 01:08:39,480
The number is growing and regulations require governance.

1762
01:08:39,480 --> 01:08:41,680
Real governance, not policies written in English.

1763
01:08:41,680 --> 01:08:44,600
Automated enforcement, audit trails, human oversight.

1764
01:08:44,600 --> 01:08:46,320
These are not optional nice to have.

1765
01:08:46,320 --> 01:08:48,960
These are requirements and they're expensive to retrofit.

1766
01:08:48,960 --> 01:08:50,960
The third pressure is threat velocity.

1767
01:08:50,960 --> 01:08:53,320
Tenant level attacks are becoming more sophisticated.

1768
01:08:53,320 --> 01:08:56,840
63% of M365 tenants face configuration tampering.

1769
01:08:56,840 --> 01:08:58,440
And here's the architectural consequence.

1770
01:08:58,440 --> 01:09:01,560
Microsoft doesn't natively back up tenant configurations.

1771
01:09:01,560 --> 01:09:04,560
You deploy a conditional access policy and attacker modifies it.

1772
01:09:04,560 --> 01:09:06,000
You have no recovery point.

1773
01:09:06,000 --> 01:09:07,000
No native rollback.

1774
01:09:07,000 --> 01:09:09,000
You're reconstructing from logs if you're lucky.

1775
01:09:09,000 --> 01:09:10,520
If you're not, you're rebuilding.

1776
01:09:10,520 --> 01:09:11,840
That's not a theoretical risk.

1777
01:09:11,840 --> 01:09:15,920
That's your architecture exposing you to extended downtime with no recovery path.

1778
01:09:15,920 --> 01:09:17,960
The fourth pressure is AI sprawl.

1779
01:09:17,960 --> 01:09:20,200
And this one's moving faster than you can see it.

1780
01:09:20,200 --> 01:09:25,440
80% of Fortune 500 companies are using active AI agents, 80% and most of them have no formal

1781
01:09:25,440 --> 01:09:28,080
strategy for agent identity management.

1782
01:09:28,080 --> 01:09:29,680
No governance, no boundaries.

1783
01:09:29,680 --> 01:09:34,160
Agents are proliferating, consuming credits, accessing data, operating without oversight.

1784
01:09:34,160 --> 01:09:35,920
Co-pilot itself burns tokens fast.

1785
01:09:35,920 --> 01:09:37,440
The cost model isn't linear.

1786
01:09:37,440 --> 01:09:39,280
Popular agents accelerate consumption.

1787
01:09:39,280 --> 01:09:43,240
And without capacity planning, without governance, without boundaries, your co-pilot budget becomes

1788
01:09:43,240 --> 01:09:44,240
unpredictable.

1789
01:09:44,240 --> 01:09:48,040
The tenant debt of unmanaged agents is real and it's compounding faster than cleanup can

1790
01:09:48,040 --> 01:09:49,040
address it.

1791
01:09:49,040 --> 01:09:53,360
Your ties all for pressures together, the window for proactive architecture is closing.

1792
01:09:53,360 --> 01:09:57,920
Every month you delay recovery, your storing up compound problems, more orphaned applications

1793
01:09:57,920 --> 01:10:01,960
accumulate, more permissions drift, more inactive licenses get built, more technical debt

1794
01:10:01,960 --> 01:10:05,440
accrues and every month the cost of fixing it later increases.

1795
01:10:05,440 --> 01:10:08,360
Organizations that act now in the next 90 days have leveraged.

1796
01:10:08,360 --> 01:10:10,760
You can recover licenses before the price increase.

1797
01:10:10,760 --> 01:10:14,520
You can rationalize co-pilot costs before agent sprawl becomes unmanageable.

1798
01:10:14,520 --> 01:10:18,080
You can implement governance frameworks before regulatory audits expose gaps.

1799
01:10:18,080 --> 01:10:22,560
You can build a control plane while you still have the organizational bandwidth to do it.

1800
01:10:22,560 --> 01:10:24,400
Organizations that wait face a different arithmetic.

1801
01:10:24,400 --> 01:10:26,840
They'll pay higher prices on misaligned licenses.

1802
01:10:26,840 --> 01:10:29,440
They'll face compliance fines because governance wasn't in place.

1803
01:10:29,440 --> 01:10:33,200
They'll have security incidents from unmanaged agents and permissions sprawl.

1804
01:10:33,200 --> 01:10:35,800
And they'll pay crisis premiums to fix all of it at once.

1805
01:10:35,800 --> 01:10:36,800
This is not doom.

1806
01:10:36,800 --> 01:10:38,280
This is inevitability.

1807
01:10:38,280 --> 01:10:40,080
This is what happens when debt compounds.

1808
01:10:40,080 --> 01:10:41,840
The question isn't whether it will happen.

1809
01:10:41,840 --> 01:10:45,280
It's whether you'll address it proactively or reactively.

1810
01:10:45,280 --> 01:10:46,640
The final diagnosis.

1811
01:10:46,640 --> 01:10:47,680
Here's what I know.

1812
01:10:47,680 --> 01:10:49,560
Your Microsoft tenant is leaking millions.

1813
01:10:49,560 --> 01:10:51,280
Your financing your own decay.

1814
01:10:51,280 --> 01:10:52,280
And you can stop it.

1815
01:10:52,280 --> 01:10:53,280
The problem is not Microsoft.

1816
01:10:53,280 --> 01:10:56,440
It is the absence of economic ownership in your architecture.

1817
01:10:56,440 --> 01:10:58,160
The solution is not more tools.

1818
01:10:58,160 --> 01:10:59,160
It is a control plane.

1819
01:10:59,160 --> 01:11:00,640
The timeline is not eventually.

1820
01:11:00,640 --> 01:11:01,640
It is now.

1821
01:11:01,640 --> 01:11:02,640
Remember this.

1822
01:11:02,640 --> 01:11:03,640
This is not about tools.

1823
01:11:03,640 --> 01:11:04,640
This is about economic ownership.

1824
01:11:04,640 --> 01:11:05,640
Ordered your tenant.

1825
01:11:05,640 --> 01:11:06,640
Established governance ownership.

1826
01:11:06,640 --> 01:11:07,640
Measure economic outcomes.

1827
01:11:07,640 --> 01:11:09,320
Do it in the next 90 days.

1828
01:11:09,320 --> 01:11:10,360
Your margins depend on it.