Jan. 20, 2026

Fabric Lineage Is Not Governance: The Distributed Decision Engine That Exposes The Data Control Plane Lie

Many organizations believe they have governance in Microsoft Fabric because they can see data lineage. In reality, lineage only shows what already happened — it does not prevent anything from happening.

This episode explains why Fabric lineage is not governance and why visibility is often mistaken for control. True governance requires a real-time decision engine that can say no before data is accessed, copied, or transformed. Lineage, telemetry, and dashboards are retrospective tools. They describe events after execution, but they do not enforce policy.

Microsoft Fabric operates as an execution platform, not as a control plane. It lacks a synchronous policy enforcement point that can block actions at runtime. As a result, many governance assumptions collapse the moment distributed teams, shared workspaces, or cross-domain data flows appear.

This episode breaks down where the illusion of control comes from, why it is dangerous, and what real governance actually requires in modern data platforms.

Key Message

Lineage explains the past. Governance controls the future.
If a system cannot deny an action before it executes, it does not provide governance — only observation.


What This Episode Covers

  • Why data lineage is frequently confused with governance

  • The difference between visibility, control, and enforcement

  • Why Microsoft Fabric has no real policy enforcement layer

  • How “control plane” narratives break down in distributed analytics platforms

  • The architectural reasons why Fabric cannot prevent policy violations

  • Why governance must exist outside execution engines


Core Concepts Explained

Lineage is descriptive, not authoritative
Lineage tracks where data came from and how it moved — after the fact. It cannot block copies, transformations, or exposure.

Governance requires synchronous enforcement
Real governance needs a decision point that evaluates policy before execution and can deny actions immediately.

Fabric has no policy enforcement point
Fabric generates metadata and telemetry but does not act as a gatekeeper. By the time lineage exists, the damage is already done.

Visibility does not equal control
Dashboards, diagrams, and catalogs provide understanding — not protection. Control without enforcement is an illusion.
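As an added illustration (not code from the episode, and not Microsoft Fabric's own API), the following Python models the two sequences the concepts above contrast: a policy enforcement point that evaluates a request before execution and denies it before any state changes, beside an observed-only path where execution commits first and the lineage it emits is reviewed later. Every name in it (Request, PolicyEnforcementPoint, DataStore, LineageLog, the two policies, the workspace names, EXPORT_APPROVED) is a constructed stand-in, not a Fabric object or setting.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """An intended action, evaluated before it happens (constructed model)."""
    actor: str
    action: str            # "copy", "share" or "export"
    source_boundary: str   # hypothetical workspace/domain the data lives in
    target_boundary: str   # where the action would put the data
    sensitivity: str       # label on the source item, e.g. "Confidential"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# A policy returns a Decision, or None when it has no opinion on the request.
Policy = Callable[[Request], Optional[Decision]]

# Constructed rule data for the illustration (not a Fabric setting).
EXPORT_APPROVED = {"data-owner"}


def confidential_stays_in_boundary(req: Request) -> Optional[Decision]:
    if req.sensitivity == "Confidential" and req.source_boundary != req.target_boundary:
        return Decision(False, "Confidential data may not leave its boundary")
    return None


def export_requires_approved_actor(req: Request) -> Optional[Decision]:
    if req.action == "export" and req.actor not in EXPORT_APPROVED:
        return Decision(False, f"{req.actor} is not approved to export")
    return None


POLICIES: List[Policy] = [confidential_stays_in_boundary, export_requires_approved_actor]


class DataStore:
    """Stand-in for the execution substrate: applying a request IS the state change."""
    def __init__(self) -> None:
        self.applied: List[Request] = []

    def apply(self, req: Request) -> None:
        self.applied.append(req)


class LineageLog:
    """Emitted telemetry: relationships recorded after they already exist."""
    def __init__(self) -> None:
        self.events: List[Request] = []

    def record(self, req: Request) -> None:
        self.events.append(req)


def evaluate(req: Request, policies: List[Policy]) -> Decision:
    """Run every policy; the first deny wins, otherwise the request is allowed."""
    for policy in policies:
        verdict = policy(req)
        if verdict is not None and not verdict.allowed:
            return verdict
    return Decision(True, "no policy objected")


class PolicyEnforcementPoint:
    """Governed sequence: request -> policy check -> allow/deny -> execution.
    Synchronous (in line with the request), transactional (the deny lands before
    the state change) and authoritative (nothing executes unless it allows).
    A denied request never reaches the store, so lineage never sees it."""
    def __init__(self, policies: List[Policy], store: DataStore, lineage: LineageLog) -> None:
        self.policies, self.store, self.lineage = policies, store, lineage

    def execute(self, req: Request) -> Decision:
        decision = evaluate(req, self.policies)
        if decision.allowed:
            self.store.apply(req)
            self.lineage.record(req)
        return decision


class ObservedPath:
    """Observed sequence: execution -> event emitted -> metadata updated -> review later."""
    def __init__(self, store: DataStore, lineage: LineageLog) -> None:
        self.store, self.lineage = store, lineage

    def execute(self, req: Request) -> Decision:
        self.store.apply(req)        # the state change commits first
        self.lineage.record(req)     # then the telemetry that describes it
        return Decision(True, "executed; policy was never consulted")


def review_later(lineage: LineageLog, policies: List[Policy]) -> List[Decision]:
    """Retrospective review over lineage: lists violations that already committed."""
    return [v for v in (evaluate(e, policies) for e in lineage.events) if not v.allowed]


# Constructed sample requests: the first and last violate a policy.
SAMPLE_REQUESTS = [
    Request("analyst", "copy", "finance-ws", "sandbox-ws", "Confidential"),
    Request("analyst", "copy", "finance-ws", "finance-ws", "Confidential"),
    Request("analyst", "share", "marketing-ws", "sales-ws", "General"),
    Request("contractor", "export", "finance-ws", "external", "General"),
]


def run_governed() -> Tuple[List[Decision], DataStore, LineageLog]:
    store, lineage = DataStore(), LineageLog()
    pep = PolicyEnforcementPoint(POLICIES, store, lineage)
    return [pep.execute(r) for r in SAMPLE_REQUESTS], store, lineage


def run_observed() -> Tuple[List[Decision], DataStore, LineageLog, List[Decision]]:
    store, lineage = DataStore(), LineageLog()
    path = ObservedPath(store, lineage)
    decisions = [path.execute(r) for r in SAMPLE_REQUESTS]
    return decisions, store, lineage, review_later(lineage, POLICIES)


if __name__ == "__main__":
    _, gstore, _ = run_governed()
    _, ostore, _, violations = run_observed()
    print(f"governed path committed {len(gstore.applied)} of {len(SAMPLE_REQUESTS)} requests")
    print(f"observed path committed {len(ostore.applied)}; later review found {len(violations)} violations")
```

Running it shows the asymmetry the show notes describe: the governed path commits two of the four requests and its lineage contains nothing left to remediate, while the observed path commits all four and a later review over the same lineage can only list the two violations that have already happened.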


Practical Scenarios Discussed

  • Cross-workspace data duplication without any blocking mechanism

  • Overprivileged roles exposing sensitive datasets

  • Sensitivity labels that classify but do not restrict behavior

  • Purview and lineage increasing visibility without increasing control

  • Incident response that starts only after the breach occurred


Why This Matters

Organizations increasingly rely on analytics platforms to enforce governance implicitly. This episode shows why that assumption is flawed and why governance must be explicit, centralized, and enforced outside execution engines.

Without a real decision engine, data platforms will always prioritize agility over control — regardless of how detailed their lineage diagrams look.


Key Takeaways

  • Lineage is forensic, not preventative

  • Governance must be authoritative and real-time

  • Fabric is an execution platform, not a control plane

  • Post-event insight does not reduce risk

  • True governance requires the ability to say no


Recommended Quote

“If a platform can only tell you what happened, it is not governing anything. Governance starts where execution can be stopped.”


Who Should Listen

  • Data architects

  • Analytics and platform owners

  • Security and compliance leaders

  • Enterprise architects

  • Anyone responsible for data governance in Microsoft Fabric or M365

Transcript

1
00:00:00,000 --> 00:00:02,520
Most organizations treat Fabric lineage like governance.

2
00:00:02,520 --> 00:00:03,280
They are wrong.

3
00:00:03,280 --> 00:00:05,640
Lineage is a diagram that makes people feel safe

4
00:00:05,640 --> 00:00:07,200
because it looks like control,

5
00:00:07,200 --> 00:00:09,200
but control requires authority,

6
00:00:09,200 --> 00:00:12,760
and authority requires the power to refuse execution.

7
00:00:12,760 --> 00:00:15,360
Most teams don't discover this gap during design reviews.

8
00:00:15,360 --> 00:00:16,960
They discover it during audits.

9
00:00:16,960 --> 00:00:18,120
When the questions get sharp,

10
00:00:18,120 --> 00:00:20,160
screenshots and lineage graphs don't answer them.

11
00:00:20,160 --> 00:00:22,120
So this episode does something different.

12
00:00:22,120 --> 00:00:25,520
No demos, no UI tours, no click here.

13
00:00:25,520 --> 00:00:28,480
Just architecture, five inevitability scenarios,

14
00:00:28,480 --> 00:00:30,280
and a deterministic test you can use

15
00:00:30,280 --> 00:00:33,080
to decide what Fabric can and cannot govern.

16
00:00:33,080 --> 00:00:35,680
Governance is a verb, lineage is a noun.

17
00:00:35,680 --> 00:00:38,040
Start with language because marketing always wins

18
00:00:38,040 --> 00:00:39,920
when engineers stop defining words.

19
00:00:39,920 --> 00:00:43,000
Governance is a verb, it's something a system does to you.

20
00:00:43,000 --> 00:00:45,200
It constrains, it prevents, it refuses,

21
00:00:45,200 --> 00:00:47,480
it expresses intent as enforceable behavior.

22
00:00:47,480 --> 00:00:50,160
Lineage is a noun, it's something you look at.

23
00:00:50,160 --> 00:00:53,080
It describes, it traces, it reconstructs.

24
00:00:53,080 --> 00:00:54,400
That distinction matters.

25
00:00:55,840 --> 00:00:58,640
A lot of teams conflate these because the output looks similar,

26
00:00:58,640 --> 00:01:01,800
a neat graph of assets, arrows, dependencies, upstream

27
00:01:01,800 --> 00:01:03,400
and downstream impacts.

28
00:01:03,400 --> 00:01:05,840
And in the Power BI era, people got used to thinking,

29
00:01:05,840 --> 00:01:07,800
if I can see it, I can control it.

30
00:01:07,800 --> 00:01:09,840
Visibility became a proxy for authority,

31
00:01:09,840 --> 00:01:11,640
but observability is not governance.

32
00:01:11,640 --> 00:01:14,000
Observability answers, what happened, where did it flow,

33
00:01:14,000 --> 00:01:16,920
what depends on what, what will break if I change this?

34
00:01:16,920 --> 00:01:20,040
Governance answers, what is allowed to happen in the first place?

35
00:01:20,040 --> 00:01:22,720
Measurement versus authority, a speedometer is not a brake.

36
00:01:22,720 --> 00:01:24,600
And this speedometer analogy isn't cute,

37
00:01:24,600 --> 00:01:26,200
it's the entire failure mode.

38
00:01:26,200 --> 00:01:29,360
Lineage tells you the system was moving fast and where it went.

39
00:01:29,360 --> 00:01:30,960
Governance is the thing that stops it

40
00:01:30,960 --> 00:01:33,080
from crossing the line in the first place.

41
00:01:33,080 --> 00:01:34,760
So if someone tells you we have governance

42
00:01:34,760 --> 00:01:37,640
because we have lineage, ask a single litmus question.

43
00:01:37,640 --> 00:01:39,680
Can the system say no in real time?

44
00:01:39,680 --> 00:01:41,000
Not can we find out later?

45
00:01:41,000 --> 00:01:42,200
Not can we alert?

46
00:01:42,200 --> 00:01:43,760
Not can we open a ticket?

47
00:01:43,760 --> 00:01:47,080
No means deny synchronously before the action completes

48
00:01:47,080 --> 00:01:49,120
with the same reliability as the action itself.

49
00:01:49,120 --> 00:01:51,200
If the platform can't do that, it isn't governing,

50
00:01:51,200 --> 00:01:52,520
it is observing.

51
00:01:52,520 --> 00:01:54,640
And most organizations don't want to admit how much

52
00:01:54,640 --> 00:01:57,640
of their governance is really just post-fact explanations.

53
00:01:57,640 --> 00:02:00,120
Dashboards, diagrams, policies written in Word,

54
00:02:00,120 --> 00:02:02,880
screenshots and audit packs, a quarterly review meeting

55
00:02:02,880 --> 00:02:05,280
where everyone agrees this is important,

56
00:02:05,280 --> 00:02:06,920
then grants the exception anyway

57
00:02:06,920 --> 00:02:08,400
because the business needs to ship.

58
00:02:08,400 --> 00:02:09,640
That's not governance.

59
00:02:09,640 --> 00:02:12,080
That's entropy management with good intentions.

60
00:02:12,080 --> 00:02:14,200
Here's why the confusion persists.

61
00:02:14,200 --> 00:02:15,880
Lineage feels like a control plane

62
00:02:15,880 --> 00:02:17,520
because it's centralized, it's visual,

63
00:02:17,520 --> 00:02:19,200
and it gives leaders something to point at.

64
00:02:19,200 --> 00:02:20,720
It produces artifacts.

65
00:02:20,720 --> 00:02:22,400
Artifacts create comfort.

66
00:02:22,400 --> 00:02:24,160
Comfort turns into policy.

67
00:02:24,160 --> 00:02:26,160
Then the policy turns into an assumption.

68
00:02:26,160 --> 00:02:27,920
Since we can trace it, we control it.

69
00:02:27,920 --> 00:02:29,320
But tracing is not controlling.

70
00:02:29,320 --> 00:02:31,880
Lineage is a forensic capability, a high quality one

71
00:02:31,880 --> 00:02:32,960
when implemented well.

72
00:02:32,960 --> 00:02:34,080
Forensics are valuable.

73
00:02:34,080 --> 00:02:37,720
They help you debug, do impact analysis and reconstruct flows.

74
00:02:37,720 --> 00:02:39,440
They also help you tell an audit story.

75
00:02:39,440 --> 00:02:41,640
And that audit story matters, but it's not the same

76
00:02:41,640 --> 00:02:42,480
as reducing risk.

77
00:02:42,480 --> 00:02:44,840
In regulated environments, auditors don't just ask,

78
00:02:44,840 --> 00:02:46,360
can you explain what happened?

79
00:02:46,360 --> 00:02:49,080
They ask, what prevents it from happening again?

80
00:02:49,080 --> 00:02:50,840
That's a completely different class of requirement.

81
00:02:50,840 --> 00:02:53,480
One is narrative, the other is system behavior.

82
00:02:53,480 --> 00:02:55,440
And this is where Fabric becomes revealing

83
00:02:55,440 --> 00:02:57,720
because Fabric is built to reduce friction.

84
00:02:57,720 --> 00:03:00,440
Unification, one lake, easy sharing, fast notebooks,

85
00:03:00,440 --> 00:03:02,160
pipelines that connect everything.

86
00:03:02,160 --> 00:03:04,560
The platform is optimized for execution velocity,

87
00:03:04,560 --> 00:03:05,160
which is fine.

88
00:03:05,160 --> 00:03:06,640
That's what it was designed for.

89
00:03:06,640 --> 00:03:08,840
But velocity and governance are natural enemies

90
00:03:08,840 --> 00:03:11,200
unless the platform has an enforcement mechanism

91
00:03:11,200 --> 00:03:12,520
that keeps up with that velocity.

92
00:03:12,520 --> 00:03:14,720
So the problem is not that lineage is bad.

93
00:03:14,720 --> 00:03:16,360
The problem is that lineage is being used

94
00:03:16,360 --> 00:03:18,360
as a substitute for authority.

95
00:03:18,360 --> 00:03:19,800
Lineage lives after the action.

96
00:03:19,800 --> 00:03:21,520
Governance lives before the action.

97
00:03:21,520 --> 00:03:24,720
If governance is prevention, then the next question is simple.

98
00:03:24,720 --> 00:03:27,160
Where does prevention live?

99
00:03:27,160 --> 00:03:29,400
The policy enforcement point Fabric doesn't have.

100
00:03:29,400 --> 00:03:31,320
Every governed system answers that question

101
00:03:31,320 --> 00:03:32,680
with a policy enforcement point.

102
00:03:32,680 --> 00:03:33,400
Fabric doesn't.

103
00:03:33,400 --> 00:03:34,200
That's not an insult.

104
00:03:34,200 --> 00:03:36,280
It's an architectural classification.

105
00:03:36,280 --> 00:03:39,240
A policy enforcement point, or PEP, is the moment a system

106
00:03:39,240 --> 00:03:42,480
evaluates intent and either allows an action or refuses it.

107
00:03:42,480 --> 00:03:44,080
And it has three properties that matter

108
00:03:44,080 --> 00:03:45,880
if you're serious about governance.

109
00:03:45,880 --> 00:03:46,960
First, it's synchronous.

110
00:03:46,960 --> 00:03:48,760
The decision happens in line with the request,

111
00:03:48,760 --> 00:03:50,160
not in a background job.

112
00:03:50,160 --> 00:03:51,400
Second, it's transactional.

113
00:03:51,400 --> 00:03:53,440
The deny happens before the state change commits.

114
00:03:53,440 --> 00:03:55,400
But if the write succeeds, the governance layer failed

115
00:03:55,400 --> 00:03:57,320
even if it logs the event perfectly.

116
00:03:57,320 --> 00:03:58,880
Third, it's authoritative.

117
00:03:58,880 --> 00:04:00,920
It's the last gate before execution.

118
00:04:00,920 --> 00:04:02,760
Not an observer attached to the side.

119
00:04:02,760 --> 00:04:04,640
If you want a simple rule, governance

120
00:04:04,640 --> 00:04:06,680
that arrives after execution is paperwork,

121
00:04:06,680 --> 00:04:08,520
useful paperwork but paperwork.

122
00:04:08,520 --> 00:04:10,520
Now look at what Fabric lineage actually is.

123
00:04:10,520 --> 00:04:11,920
Lineage is emitted telemetry.

124
00:04:11,920 --> 00:04:15,160
It's metadata about relationships between items, pipelines,

125
00:04:15,160 --> 00:04:18,200
notebooks, lakehouses, warehouses, semantic models, reports.

126
00:04:18,200 --> 00:04:20,640
It's a reconstruction graph of this used that

127
00:04:20,640 --> 00:04:24,400
and this produced that built from events and metadata extraction.

128
00:04:24,400 --> 00:04:25,600
That's observability.

129
00:04:25,600 --> 00:04:26,680
That is not a gate.

130
00:04:26,680 --> 00:04:28,680
And the easiest way to prove this without a demo

131
00:04:28,680 --> 00:04:30,000
is to talk about time.

132
00:04:30,000 --> 00:04:34,280
In a governed system, the sequence is request, policy check,

133
00:04:34,280 --> 00:04:36,840
allow or deny execution.

134
00:04:36,840 --> 00:04:40,440
In an observed system, the sequence is execution event emitted,

135
00:04:40,440 --> 00:04:43,120
metadata updated, someone reviews it later.

136
00:04:43,120 --> 00:04:45,880
Lineage sits on the second sequence, which means

137
00:04:45,880 --> 00:04:48,360
lineage can never be the thing that prevented the action

138
00:04:48,360 --> 00:04:49,160
it's describing.

139
00:04:49,160 --> 00:04:50,840
It can only describe it after the fact.

140
00:04:50,840 --> 00:04:53,400
So when someone says, but Purview integrates with Fabric

141
00:04:53,400 --> 00:04:55,800
and Fabric has labels and we can see everything,

142
00:04:55,800 --> 00:04:57,120
the response is simple.

143
00:04:57,120 --> 00:04:58,800
Where is the synchronous deny?

144
00:04:58,800 --> 00:05:01,360
What component is guaranteed to run before the notebook

145
00:05:01,360 --> 00:05:02,400
reads the data?

146
00:05:02,400 --> 00:05:04,360
Before the pipeline writes the output,

147
00:05:04,360 --> 00:05:07,080
before the shortcut gets created, before the export happens.

148
00:05:07,080 --> 00:05:09,680
If you can't point to that component, you don't have governance.

149
00:05:09,680 --> 00:05:11,920
You have an incident narrative generator.

150
00:05:11,920 --> 00:05:13,120
Here's what most people miss.

151
00:05:13,120 --> 00:05:14,680
A PEP is not a feature.

152
00:05:14,680 --> 00:05:16,120
It's a position in the architecture.

153
00:05:16,120 --> 00:05:18,120
You can ship 100 governance features and still not

154
00:05:18,120 --> 00:05:20,680
have a PEP if none of them sit in the execution path.

155
00:05:20,680 --> 00:05:23,360
Tags don't, endorsements don't, lineage doesn't.

156
00:05:23,360 --> 00:05:25,880
Even many security signals don't because they were designed

157
00:05:25,880 --> 00:05:29,120
as classification and visibility first, enforcement second,

158
00:05:29,120 --> 00:05:31,040
and enforcement only in certain pathways.

159
00:05:31,040 --> 00:05:32,520
And when enforcement is selective,

160
00:05:32,520 --> 00:05:34,480
you've already conceded the security model.

161
00:05:34,480 --> 00:05:36,440
You've moved from deterministic to probabilistic.

162
00:05:36,440 --> 00:05:37,040
And we'll get to that.

163
00:05:37,040 --> 00:05:39,640
But remember this detail, partial enforcement

164
00:05:39,640 --> 00:05:41,320
is an entropy generator.

165
00:05:41,320 --> 00:05:43,240
Now to be fair to the platform, Fabric is not

166
00:05:43,240 --> 00:05:44,800
pretending to be a data firewall.

167
00:05:44,800 --> 00:05:46,280
It is an execution substrate.

168
00:05:46,280 --> 00:05:49,240
It's a unified surface area where many workloads run against

169
00:05:49,240 --> 00:05:51,000
OneLake-backed data.

170
00:05:51,000 --> 00:05:52,280
That's the value proposition.

171
00:05:52,280 --> 00:05:54,400
Reduce integration burden, reduce friction,

172
00:05:54,400 --> 00:05:56,200
accelerate time to insight.

173
00:05:56,200 --> 00:05:58,640
But acceleration changes the governance problem.

174
00:05:58,640 --> 00:06:00,880
It makes after the fact controls less meaningful

175
00:06:00,880 --> 00:06:03,680
because the system can produce more outcomes in an hour

176
00:06:03,680 --> 00:06:06,080
than a governance committee can review in a month.

177
00:06:06,080 --> 00:06:07,800
So what happens in real organizations?

178
00:06:07,800 --> 00:06:09,440
They replace enforcement with process.

179
00:06:09,440 --> 00:06:10,680
They create naming standards.

180
00:06:10,680 --> 00:06:12,160
They create workspace conventions.

181
00:06:12,160 --> 00:06:14,080
They create gold, silver, bronze tagging.

182
00:06:14,080 --> 00:06:15,080
They create review boards.

183
00:06:15,080 --> 00:06:15,880
They create tickets.

184
00:06:15,880 --> 00:06:17,040
They create training decks.

185
00:06:17,040 --> 00:06:19,400
And then a senior analyst needs access by Friday.

186
00:06:19,400 --> 00:06:20,560
So the exception happens.

187
00:06:20,560 --> 00:06:22,080
And the exception becomes permanent.

188
00:06:22,080 --> 00:06:23,280
That is not a people problem.

189
00:06:23,280 --> 00:06:25,520
That is what systems do when architecture

190
00:06:25,520 --> 00:06:27,000
doesn't enforce intent.

191
00:06:27,000 --> 00:06:28,280
This is the uncomfortable truth.

192
00:06:28,280 --> 00:06:30,800
Without a policy enforcement point, Fabric governance

193
00:06:30,800 --> 00:06:31,600
becomes cleanup.

194
00:06:31,600 --> 00:06:34,280
You detect drift, you document drift, you chase drift.

195
00:06:34,280 --> 00:06:36,000
Meanwhile, the platform keeps executing.

196
00:06:36,000 --> 00:06:37,640
Lineage helps you chase.

197
00:06:37,640 --> 00:06:39,200
It does not help you stop.

198
00:06:39,200 --> 00:06:41,040
So when you hear Fabric has governance

199
00:06:41,040 --> 00:06:44,320
because it has lineage, translate it into the real statement:

200
00:06:44,320 --> 00:06:47,120
we can reconstruct what happened after it already happened.

201
00:06:47,120 --> 00:06:48,200
That's fine for debugging.

202
00:06:48,200 --> 00:06:49,640
It's even useful for audits.

203
00:06:49,640 --> 00:06:51,080
But it is not prevention.

204
00:06:51,080 --> 00:06:52,840
And if your risk model requires prevention,

205
00:06:52,840 --> 00:06:55,120
the prevention can't live inside a component

206
00:06:55,120 --> 00:06:57,760
that only knows the outcome after execution.

207
00:06:57,760 --> 00:06:59,560
Now the next step is to stop pretending

208
00:06:59,560 --> 00:07:01,880
this is a missing feature you can toggle on.

209
00:07:01,880 --> 00:07:03,520
It is an architectural boundary.

210
00:07:03,520 --> 00:07:06,000
And once you see Fabric as an execution substrate,

211
00:07:06,000 --> 00:07:08,480
the rest of its behavior becomes predictable.

212
00:07:08,480 --> 00:07:10,360
Fabric is a router, not a firewall.

213
00:07:10,360 --> 00:07:12,760
So treat Fabric honestly, not as a control plane,

214
00:07:12,760 --> 00:07:15,120
but as a forwarding plane. The firewall is a control plane.

215
00:07:15,120 --> 00:07:15,960
A router is not.

216
00:07:15,960 --> 00:07:16,880
Fabric is a router.

217
00:07:16,880 --> 00:07:18,920
That line sounds blunt, but it's the cleanest way

218
00:07:18,920 --> 00:07:20,680
to stop the governance confusion.

219
00:07:20,680 --> 00:07:22,880
A firewall decides whether traffic is allowed.

220
00:07:22,880 --> 00:07:25,040
A router assumes the traffic is allowed,

221
00:07:25,040 --> 00:07:27,120
then focuses on moving it efficiently.

222
00:07:27,120 --> 00:07:28,960
If you configure a router like a firewall,

223
00:07:28,960 --> 00:07:30,240
you don't get a better firewall.

224
00:07:30,240 --> 00:07:32,320
You get accidental exposure at scale.

225
00:07:32,320 --> 00:07:35,520
Fabric's job is to make work happen: ingest, transform,

226
00:07:35,520 --> 00:07:36,480
model, serve.

227
00:07:36,480 --> 00:07:37,920
It optimizes for throughput.

228
00:07:37,920 --> 00:07:39,480
It optimizes for reduced friction.

229
00:07:39,480 --> 00:07:41,400
It optimizes for just run the pipeline.

230
00:07:41,400 --> 00:07:42,520
Just connect the notebook.

231
00:07:42,520 --> 00:07:43,840
Just share the semantic model.

232
00:07:43,840 --> 00:07:45,280
Just build the report.

233
00:07:45,280 --> 00:07:48,280
That's execution substrate behavior.

234
00:07:48,280 --> 00:07:49,360
And once you see it this way,

235
00:07:49,360 --> 00:07:52,240
a lot of confusing design choices stop being confusing.

236
00:07:52,240 --> 00:07:54,840
They're inevitable because the platform has to keep moving.

237
00:07:54,840 --> 00:07:56,640
Now people will push back and say,

238
00:07:56,640 --> 00:07:58,120
"But Fabric has a control plane.

239
00:07:58,120 --> 00:07:59,240
There are tenant settings.

240
00:07:59,240 --> 00:08:00,320
There are workspaces.

241
00:08:00,320 --> 00:08:01,320
There are capacities.

242
00:08:01,320 --> 00:08:02,760
There are roles."

243
00:08:02,760 --> 00:08:03,680
Sure.

244
00:08:03,680 --> 00:08:06,080
Those exist, but that's administrative configuration.

245
00:08:06,080 --> 00:08:08,640
That is not an execution time arbiter of intent.

246
00:08:08,640 --> 00:08:12,640
Control plane in architectural terms means a centralized authority

247
00:08:12,640 --> 00:08:15,520
that evaluates requests against policy before forwarding.

248
00:08:15,520 --> 00:08:18,320
It means decisions are compiled into enforcement.

249
00:08:18,320 --> 00:08:20,800
It means there is a single place you can point to

250
00:08:20,800 --> 00:08:23,640
and say, "That component prevented the action."

251
00:08:23,640 --> 00:08:25,720
Fabric's boundaries don't behave that way.

252
00:08:25,720 --> 00:08:26,840
Start with workspaces.

253
00:08:26,840 --> 00:08:29,280
Most teams treat a workspace like a security boundary.

254
00:08:29,280 --> 00:08:30,920
They assume it's a container that governs

255
00:08:30,920 --> 00:08:32,560
what can happen to data inside it.

256
00:08:32,560 --> 00:08:33,080
It isn't.

257
00:08:33,080 --> 00:08:36,000
A workspace is an organization boundary for items.

258
00:08:36,000 --> 00:08:37,480
It's a collaboration boundary.

259
00:08:37,480 --> 00:08:41,080
It's a place where roles apply consistently to a set of artifacts.

260
00:08:41,080 --> 00:08:43,000
That's useful, but it is not a data boundary.

261
00:08:43,000 --> 00:08:44,800
It does not guarantee containment

262
00:08:44,800 --> 00:08:47,880
because the platform is designed to connect items across workspaces

263
00:08:47,880 --> 00:08:49,160
and across experiences.

264
00:08:49,160 --> 00:08:51,080
And the more unified the platform becomes,

265
00:08:51,080 --> 00:08:54,640
the less "workspace equals containment" holds up as a mental model.

266
00:08:54,640 --> 00:08:55,600
Now look at capacities.

267
00:08:55,600 --> 00:08:58,760
Capacities get treated like governed compute.

268
00:08:58,760 --> 00:09:02,200
People assume that if they segregate by capacity, they segregate risk.

269
00:09:02,200 --> 00:09:04,560
But capacities are a resource allocation boundary.

270
00:09:04,560 --> 00:09:07,720
Performance, cost, throttling, blast radius in the operational sense.

271
00:09:07,720 --> 00:09:08,480
Not governance.

272
00:09:08,480 --> 00:09:09,800
They don't recompile intent.

273
00:09:09,800 --> 00:09:13,200
They don't evaluate whether a particular data movement should be allowed.

274
00:09:13,200 --> 00:09:14,720
They just determine where the work runs

275
00:09:14,720 --> 00:09:16,880
and how much of the shared meter it burns.

276
00:09:16,880 --> 00:09:20,000
So what actually happens as Fabric adoption scales is predictable.

277
00:09:20,000 --> 00:09:22,720
Workspaces proliferate because teams want autonomy.

278
00:09:22,720 --> 00:09:26,160
Roles get broadened because delivery pressure beats least privilege.

279
00:09:26,160 --> 00:09:29,520
Artifacts get shared because reuse beats rework.

280
00:09:29,520 --> 00:09:32,600
Shortcuts get created because duplication feels wasteful.

281
00:09:32,600 --> 00:09:34,240
Pipelines get copied because that's how

282
00:09:34,240 --> 00:09:36,000
humans operate under deadlines.

283
00:09:36,000 --> 00:09:37,560
Each of these is rational locally.

284
00:09:37,560 --> 00:09:39,880
Collectively, they are an entropy engine.

285
00:09:39,880 --> 00:09:41,320
And this is the unification effect.

286
00:09:41,320 --> 00:09:43,680
Reduced friction increases blast radius.

287
00:09:43,680 --> 00:09:45,400
When you make it easy to connect everything,

288
00:09:45,400 --> 00:09:47,720
you also make it easy to propagate mistakes,

289
00:09:47,720 --> 00:09:49,880
oversharing and unintended flows.

290
00:09:49,880 --> 00:09:51,560
The platform doesn't judge the intent.

291
00:09:51,560 --> 00:09:52,640
It routes the action.

292
00:09:52,640 --> 00:09:54,320
This is why lineage feels so comforting.

293
00:09:54,320 --> 00:09:55,720
It gives you a map of the routes.

294
00:09:55,720 --> 00:09:59,720
But it does not act as the checkpoint that decides whether the route should exist.

295
00:09:59,720 --> 00:10:01,200
So the system law here is simple.

296
00:10:01,200 --> 00:10:04,160
The platform executes faster than humans can govern.

297
00:10:04,160 --> 00:10:06,040
Fabric can produce new data products,

298
00:10:06,040 --> 00:10:07,880
new copies, new downstream derivatives

299
00:10:07,880 --> 00:10:09,680
and new sharing paths continuously.

300
00:10:09,680 --> 00:10:14,560
Meanwhile, governance in most organizations is a meeting, a ticket, a policy PDF,

301
00:10:14,560 --> 00:10:18,040
an annual review, a spreadsheet of approved data sets.

302
00:10:18,040 --> 00:10:20,280
That tempo mismatch is not a maturity problem.

303
00:10:20,280 --> 00:10:21,360
It is a physics problem.

304
00:10:21,360 --> 00:10:24,840
If you want deterministic governance, you need deterministic choke points.

305
00:10:24,840 --> 00:10:28,400
Places where data must pass through a gate before it can leave a boundary,

306
00:10:28,400 --> 00:10:32,160
be exported, be copied, be shared, be materialized somewhere else.

307
00:10:32,160 --> 00:10:36,440
Fabric doesn't give you that by default because Fabric's core value is removing choke points.

308
00:10:36,440 --> 00:10:39,760
So the right posture is not how do we turn Fabric into a firewall.

309
00:10:39,760 --> 00:10:44,080
The right posture is: where do we place the firewall that Fabric will respect?

310
00:10:44,080 --> 00:10:46,760
And once you accept that, the next problem becomes unavoidable.

311
00:10:46,760 --> 00:10:50,360
If enforcement is partial, if some parts are gated and others aren't,

312
00:10:50,360 --> 00:10:54,200
security stops being deterministic and becomes probabilistic.

313
00:10:54,200 --> 00:10:57,280
Deterministic versus probabilistic security.

314
00:10:57,280 --> 00:10:58,560
How entropy wins.

315
00:10:58,560 --> 00:11:01,320
This is where most governance programs quietly die.

316
00:11:01,320 --> 00:11:05,680
Not because the team is incompetent, but because the system drifts from deterministic security

317
00:11:05,680 --> 00:11:08,720
into probabilistic security and nobody admits the shift.

318
00:11:08,720 --> 00:11:11,960
Deterministic security means the outcome is predictable.

319
00:11:11,960 --> 00:11:15,400
If you attempt an action that violates policy, the platform refuses it.

320
00:11:15,400 --> 00:11:18,240
Every time. The rule is stable, the enforcement is stable,

321
00:11:18,240 --> 00:11:21,480
and the exception path is either impossible or painfully explicit.

322
00:11:21,480 --> 00:11:24,280
That's what auditors think you mean when you say governance.

323
00:11:24,280 --> 00:11:26,320
Probabilistic security is the opposite.

324
00:11:26,320 --> 00:11:28,200
The system doesn't guarantee prevention.

325
00:11:28,200 --> 00:11:29,000
It tries.

326
00:11:29,000 --> 00:11:29,840
It signals.

327
00:11:29,840 --> 00:11:30,520
It alerts.

328
00:11:30,520 --> 00:11:31,360
It labels.

329
00:11:31,360 --> 00:11:32,360
It logs.

330
00:11:32,360 --> 00:11:35,280
And then, depending on configuration, timing, identity context,

331
00:11:35,280 --> 00:11:39,560
and which pathway was used, the outcome might be blocked, or it might not.

332
00:11:39,560 --> 00:11:42,600
The organization then calls this governance because it feels governed.

333
00:11:42,600 --> 00:11:46,760
But architecturally, it's just a detection and response posture wearing a compliance costume.

334
00:11:46,760 --> 00:11:49,360
Here's the key law, and it's not optional.

335
00:11:49,360 --> 00:11:53,200
Probabilistic systems always drift toward human exception handling.

336
00:11:53,200 --> 00:11:58,160
Because when the system can't say no consistently, humans create the real decision path.

337
00:11:58,160 --> 00:12:00,720
The decision becomes, is this acceptable this time?

338
00:12:00,720 --> 00:12:02,760
And once that decision exists, it gets reused.

339
00:12:02,760 --> 00:12:04,240
Then it gets automated informally.

340
00:12:04,240 --> 00:12:05,240
Then it becomes policy.

341
00:12:05,240 --> 00:12:06,680
Then it becomes technical debt.

342
00:12:06,680 --> 00:12:07,840
Then it becomes permanent.

343
00:12:07,840 --> 00:12:09,880
That is entropy.

344
00:12:09,880 --> 00:12:12,680
And the thing most people miss is what creates the entropy.

345
00:12:12,680 --> 00:12:15,320
It's not only misconfiguration, it's design omission.

346
00:12:15,320 --> 00:12:17,920
It's the absence of a universally enforced gate.

347
00:12:17,920 --> 00:12:21,080
Every time a platform offers an allowed path that bypasses policy,

348
00:12:21,080 --> 00:12:23,160
that path becomes a gravitational well.

349
00:12:23,160 --> 00:12:24,440
People fall into it because it works.

350
00:12:24,440 --> 00:12:25,760
They call it pragmatic.

351
00:12:25,760 --> 00:12:27,240
They call it unblocking.

352
00:12:27,240 --> 00:12:28,880
They call it business needs.

353
00:12:28,880 --> 00:12:30,960
In system terms, it's an entropy generator.

354
00:12:30,960 --> 00:12:34,640
So when you see Fabric environments evolve over time, you don't see one big failure.

355
00:12:34,640 --> 00:12:36,480
You see a thousand small exceptions.

356
00:12:36,480 --> 00:12:38,800
A contributor role granted temporarily.

357
00:12:38,800 --> 00:12:41,000
A workspace shared just for a month.

358
00:12:41,000 --> 00:12:44,440
A data set published broadly, so the exact report doesn't break.

359
00:12:44,440 --> 00:12:48,920
A notebook that writes a convenient copy because Direct Lake was slow yesterday.

360
00:12:48,920 --> 00:12:50,960
Each one is defensible in isolation.

361
00:12:50,960 --> 00:12:55,240
Collectively, they convert a deterministic security model into a probabilistic one.

362
00:12:55,240 --> 00:12:58,960
And this is where lineage becomes dangerous, not because it's wrong, but because it's comforting.

363
00:12:58,960 --> 00:13:01,960
Lineage makes probabilistic security feel complete.

364
00:13:01,960 --> 00:13:04,000
It produces a graph that implies closure.

365
00:13:04,000 --> 00:13:05,680
The system knows what happened.

366
00:13:05,680 --> 00:13:07,200
The system can show you the path.

367
00:13:07,200 --> 00:13:11,560
The system can prove the flow, but proving the flow is not the same thing as preventing it.

368
00:13:11,560 --> 00:13:14,560
Lineage is often used as psychological debt refinancing.

369
00:13:14,560 --> 00:13:18,640
The organization feels it has reduced risk because it gained visibility.

370
00:13:18,640 --> 00:13:22,200
In reality, it has simply improved its ability to narrate failure.

371
00:13:22,200 --> 00:13:25,200
Now connect this back to the architecture we already established.

372
00:13:25,200 --> 00:13:26,200
The logic is a router.

373
00:13:26,200 --> 00:13:27,200
It routes execution.

374
00:13:27,200 --> 00:13:31,640
It is designed to move data through notebooks, pipelines, lakehouses, warehouses, semantic

375
00:13:31,640 --> 00:13:32,800
models, reports.

376
00:13:32,800 --> 00:13:35,480
The more unified it becomes, the more routes exist.

377
00:13:35,480 --> 00:13:39,960
And if the governance model depends on selectively gating some routes, but not others, the outcome

378
00:13:39,960 --> 00:13:40,960
is pre-decided.

379
00:13:40,960 --> 00:13:43,200
The system becomes probabilistic.

380
00:13:43,200 --> 00:13:46,280
And in probabilistic systems, people start governing by etiquette.

381
00:13:46,280 --> 00:13:47,280
Don't do that.

382
00:13:47,280 --> 00:13:48,800
Use the certified model.

383
00:13:48,800 --> 00:13:50,320
Follow the naming standard.

384
00:13:50,320 --> 00:13:51,800
Put it in the right domain.

385
00:13:51,800 --> 00:13:53,040
Those are not controls.

386
00:13:53,040 --> 00:13:54,040
Those are requests.

387
00:13:54,040 --> 00:13:55,600
Those requests do not survive deadlines.

388
00:13:55,600 --> 00:13:58,440
So the question isn't, does Fabric have security features?

389
00:13:58,440 --> 00:13:59,560
You know it does.

390
00:13:59,560 --> 00:14:04,240
The question is whether your governance posture is deterministic: deny by default, consistent

391
00:14:04,240 --> 00:14:07,480
enforcement, stable boundaries, and contained blast radius.

392
00:14:07,480 --> 00:14:08,480
Or probabilistic.

393
00:14:08,480 --> 00:14:13,000
Allow by default with scattered controls, lots of metadata, and the hope that someone

394
00:14:13,000 --> 00:14:15,320
reviews the right dashboard fast enough.

395
00:14:15,320 --> 00:14:18,560
And once you're in probabilistic mode, the incident pattern is inevitable.

396
00:14:18,560 --> 00:14:21,360
The platform allows an action, the action completes.

397
00:14:21,360 --> 00:14:25,480
When you notice, then you reconstruct, then you promise to tighten controls.

398
00:14:25,480 --> 00:14:28,520
Then you add one more exception because operations cannot stop.

399
00:14:28,520 --> 00:14:30,800
That loop doesn't end because nobody wants it to.

400
00:14:30,800 --> 00:14:33,720
It ends only when the architecture forces it to end.

401
00:14:33,720 --> 00:14:36,720
So here's the uncomfortable setup for the rest of this episode.

402
00:14:36,720 --> 00:14:38,720
The next five scenarios aren't what ifs.

403
00:14:38,720 --> 00:14:43,640
They are the natural output of probabilistic governance in an execution-first platform.

404
00:14:43,640 --> 00:14:45,640
Scenario one starts with the simplest one.

405
00:14:45,640 --> 00:14:49,640
Cross workspace data exfiltration that the platform will happily execute, and lineage

406
00:14:49,640 --> 00:14:52,280
will dutifully document after the fact.

407
00:14:52,280 --> 00:14:53,280
Scenario one.

408
00:14:53,280 --> 00:14:55,680
Cross workspace data exfiltration.

409
00:14:55,680 --> 00:14:59,560
This scenario is the cleanest proof because it doesn't require malice, advanced tooling,

410
00:14:59,560 --> 00:15:01,840
or some exotic zero-day trick.

411
00:15:01,840 --> 00:15:04,360
It requires two normal things Fabric encourages.

412
00:15:04,360 --> 00:15:05,880
Reuse and speed.

413
00:15:05,880 --> 00:15:09,920
Start with a dataset, a lakehouse table, a warehouse table, pick your poison.

414
00:15:09,920 --> 00:15:14,720
It lives in workspace A, owned by team A, with whatever controls team A thinks are good

415
00:15:14,720 --> 00:15:15,720
enough.

416
00:15:15,720 --> 00:15:19,440
Maybe it's certified, maybe it's labeled, maybe it has a nice description in a catalog.

417
00:15:19,440 --> 00:15:20,440
None of that matters yet.

418
00:15:20,440 --> 00:15:22,600
Now, team B has a legitimate business need.

419
00:15:22,600 --> 00:15:24,040
They don't want to rebuild the model.

420
00:15:24,040 --> 00:15:25,600
They don't want to duplicate pipelines.

421
00:15:25,600 --> 00:15:27,320
They want to consume what already exists.

422
00:15:27,320 --> 00:15:31,560
So the asset gets shared across workspaces, or it gets accessed through whatever sanctioned

423
00:15:31,560 --> 00:15:34,680
cross workspace pathway exists in your environment.

424
00:15:34,680 --> 00:15:37,400
From a governance point of view, the question is simple.

425
00:15:37,400 --> 00:15:42,520
Can Fabric evaluate destination context before data becomes resident somewhere else?

426
00:15:42,520 --> 00:15:45,560
Because the exfiltration pattern isn't someone viewed the data.

427
00:15:45,560 --> 00:15:48,240
It's someone made a new copy under a different boundary.

428
00:15:48,240 --> 00:15:50,240
And Fabric's execution model makes that easy.

429
00:15:50,240 --> 00:15:54,760
A downstream notebook runs in workspace B, or a pipeline in workspace B writes to a lakehouse

430
00:15:54,760 --> 00:15:56,000
in workspace B.

431
00:15:56,000 --> 00:15:59,560
The data is read from the shared source, then materialized into a new destination that team

432
00:15:59,560 --> 00:16:00,560
B controls.

433
00:16:00,560 --> 00:16:03,000
At that moment, the governance failure has already occurred.

434
00:16:03,000 --> 00:16:05,200
The data is no longer only where it started.

435
00:16:05,200 --> 00:16:10,720
It now exists in a second place governed by a second set of workspace roles, sharing settings,

436
00:16:10,720 --> 00:16:15,200
export behaviors and human practices, and then lineage lights up like a Christmas tree.

437
00:16:15,200 --> 00:16:17,800
It will show you the upstream asset in workspace A.

438
00:16:17,800 --> 00:16:20,680
It will show you the notebook or pipeline in workspace B.

439
00:16:20,680 --> 00:16:24,600
It will show you the downstream lakehouse or warehouse in workspace B. It will do its job:

440
00:16:24,600 --> 00:16:28,200
traceability, but traceability isn't containment.

441
00:16:28,200 --> 00:16:31,080
The architectural proof sits entirely in the timing.

442
00:16:31,080 --> 00:16:32,280
The write succeeded.

443
00:16:32,280 --> 00:16:35,520
If lineage were governance, the data would still be where it started.

444
00:16:35,520 --> 00:16:38,480
Instead, what you get is a beautiful diagram of approved damage.

445
00:16:38,480 --> 00:16:41,640
Now people will object here and say, "But that's just copying data.

446
00:16:41,640 --> 00:16:42,960
We can control who can do that."

447
00:16:42,960 --> 00:16:44,440
Yes, with RBAC.

448
00:16:44,440 --> 00:16:45,600
But RBAC is not intent.

449
00:16:45,600 --> 00:16:49,880
RBAC answers: is this identity allowed to perform this category of action?

450
00:16:49,880 --> 00:16:54,560
Not: is this action allowed under this policy, with this data, to this destination, right now?

451
00:16:54,560 --> 00:16:58,560
That distinction matters because copy in Fabric is not one unified operation.

452
00:16:58,560 --> 00:17:03,040
It's many operations across notebooks, pipelines, shortcuts, export surfaces and compute

453
00:17:03,040 --> 00:17:04,040
experiences.

454
00:17:04,040 --> 00:17:07,320
If you gate some of them and miss one, the missing path becomes the path.

455
00:17:07,320 --> 00:17:08,960
That's probabilistic security.

456
00:17:08,960 --> 00:17:12,720
And it gets worse once you consider how organizations actually run Fabric.

457
00:17:12,720 --> 00:17:16,800
Workspaces represent teams, projects, domains, cost centers and experiments.

458
00:17:16,800 --> 00:17:18,760
They're not stable security compartments.

459
00:17:18,760 --> 00:17:20,600
They're organizational convenience.

460
00:17:20,600 --> 00:17:22,560
So the second copy isn't a rare event.

461
00:17:22,560 --> 00:17:25,640
It is the natural behavior of self-service analytics at scale.

462
00:17:25,640 --> 00:17:27,560
People make local copies for performance.

463
00:17:27,560 --> 00:17:29,680
People make local copies for experimentation.

464
00:17:29,680 --> 00:17:33,960
People make local copies because they don't want to wait for upstream governance debates.

465
00:17:33,960 --> 00:17:35,520
And the platform helps them do it.

466
00:17:35,520 --> 00:17:38,680
Lineage will faithfully document every one of those flows.

467
00:17:38,680 --> 00:17:40,440
It becomes an exfiltration ledger.

468
00:17:40,440 --> 00:17:42,320
That's the exact psychological trap.

469
00:17:42,320 --> 00:17:45,920
Leadership sees the ledger and calls it governance because it looks like central visibility.

470
00:17:45,920 --> 00:17:49,360
But governance is the thing that prevents the second copy from being created in the first

471
00:17:49,360 --> 00:17:50,360
place.

472
00:17:50,360 --> 00:17:52,000
Unless the policy explicitly allows it.

473
00:17:52,000 --> 00:17:54,480
So the real test in this scenario is brutally simple.

474
00:17:54,480 --> 00:17:58,080
Where is the deny-before-write gate tied to destination context?

475
00:17:58,080 --> 00:18:02,320
Where is the control that says you can read this data set but you cannot materialize it into

476
00:18:02,320 --> 00:18:04,520
that workspace or that storage boundary?

477
00:18:04,520 --> 00:18:08,360
If you can't point to that mechanism as a first-class enforcement step in the execution

478
00:18:08,360 --> 00:18:10,600
path, then this scenario is not a risk.

479
00:18:10,600 --> 00:18:12,680
It is an inevitability.

480
00:18:12,680 --> 00:18:16,920
And once that inevitability exists, every downstream control becomes clean up.

481
00:18:16,920 --> 00:18:21,160
You hunt for copies, you explain copies, you label copies, you try to delete copies.

482
00:18:21,160 --> 00:18:23,480
But you never prevented the moment that mattered.

483
00:18:23,480 --> 00:18:28,120
Now the next scenario makes it even more uncomfortable because in scenario one, the actor at least

484
00:18:28,120 --> 00:18:30,280
needed to run a pipeline or a notebook.

485
00:18:30,280 --> 00:18:34,040
In scenario two, the platform hands them the capability bundle up front.

486
00:18:34,040 --> 00:18:37,760
Scenario two: over-privileged workspace and capacity roles.

487
00:18:37,760 --> 00:18:42,360
Scenario two is where the governance illusion gets embarrassing because nothing clever happens.

488
00:18:42,360 --> 00:18:47,520
No cross-workspace trick, no notebook sorcery, no exotic export path, just roles.

489
00:18:47,520 --> 00:18:50,000
Fabric's RBAC model is a capability allocator.

490
00:18:50,000 --> 00:18:51,720
It answers who can do things here.

491
00:18:51,720 --> 00:18:57,600
It does not answer, should this thing happen with this data right now to that destination?

492
00:18:57,600 --> 00:19:02,320
So the failure mode is predictable: the organization grants a role to move fast.

493
00:19:02,320 --> 00:19:04,720
And that role becomes the standing exception engine.

494
00:19:04,720 --> 00:19:08,440
And with a workspace under delivery pressure, someone needs to build pipelines, create lakehouses,

495
00:19:08,440 --> 00:19:12,480
publish semantic models, share reports, maybe manage a few connections.

496
00:19:12,480 --> 00:19:14,880
The team doesn't want to be blocked by admin tickets.

497
00:19:14,880 --> 00:19:16,680
So the solution is always the same.

498
00:19:16,680 --> 00:19:18,440
Give them member or contributor.

499
00:19:18,440 --> 00:19:20,440
Sometimes admin because it's easier.

500
00:19:20,440 --> 00:19:24,600
Those roles are not small, they are bundles.

501
00:19:24,600 --> 00:19:29,200
They include actions that look operationally convenient but are architecturally dangerous.

502
00:19:29,200 --> 00:19:33,960
Creating new items, configuring and running compute, publishing, sharing, exporting, moving

503
00:19:33,960 --> 00:19:37,840
artifacts, and in some cases changing security relevant settings.

504
00:19:37,840 --> 00:19:41,640
Now put a person in that role who isn't malicious; they're simply trying to get work done.

505
00:19:41,640 --> 00:19:43,680
They copy a pipeline from another workspace.

506
00:19:43,680 --> 00:19:47,480
They create a lakehouse to stage data, they publish a dataset so the business can build

507
00:19:47,480 --> 00:19:48,880
a report by tomorrow.

508
00:19:48,880 --> 00:19:53,680
They share it broadly because the executive group is large and nobody wants to manage it carefully.

509
00:19:53,680 --> 00:19:56,800
Every one of those actions is allowed because the role allows it.

510
00:19:56,800 --> 00:20:01,160
And the moment the action is allowed, governance has already made its only real decision.

511
00:20:01,160 --> 00:20:03,400
It delegated authority to the user.

512
00:20:03,400 --> 00:20:07,080
That is the point most organizations refuse to say out loud: they want governance to be

513
00:20:07,080 --> 00:20:09,040
a centralized property of the platform.

514
00:20:09,040 --> 00:20:12,080
But in practice, in Fabric, governance collapses into role assignment.

515
00:20:12,080 --> 00:20:14,960
So lineage shows up again as the regret ledger.

516
00:20:14,960 --> 00:20:16,640
It records what the contributor did.

517
00:20:16,640 --> 00:20:18,320
It records what got created.

518
00:20:18,320 --> 00:20:19,680
It records what got connected.

519
00:20:19,680 --> 00:20:21,320
It records what got shared.

520
00:20:21,320 --> 00:20:25,640
And it makes leadership feel like the system is under control because the map exists.

521
00:20:25,640 --> 00:20:29,160
But ask the only question that matters, did any dashboard prevent the action?

522
00:20:29,160 --> 00:20:31,920
No, the action completed because RBAC allowed it.

523
00:20:31,920 --> 00:20:33,600
It simply documented the outcome.

524
00:20:33,600 --> 00:20:35,880
Now add capacity roles into the mix.

525
00:20:35,880 --> 00:20:41,080
Capacities are often treated like a governed boundary because they feel platform level.

526
00:20:41,080 --> 00:20:45,080
People assume that if the right admins control the capacity the estate is governed.

527
00:20:45,080 --> 00:20:47,400
But capacity administration is still administration.

528
00:20:47,400 --> 00:20:49,200
It's not an execution time policy engine.

529
00:20:49,200 --> 00:20:53,160
It can't inspect data context and deny a specific write at the moment of execution.

530
00:20:53,160 --> 00:20:56,320
It can only define who can manage the environment and how resources get allocated.

531
00:20:56,320 --> 00:20:58,280
So over time you get predictable drift.

532
00:20:58,280 --> 00:21:02,480
The capacity admin gets added temporarily to fix a performance issue.

533
00:21:02,480 --> 00:21:07,400
A workspace admin gets added because the original owner left. A service principal gets elevated

534
00:21:07,400 --> 00:21:12,800
so CI/CD can run. A group gets broadened because managing fine-grained access is annoying.

535
00:21:12,800 --> 00:21:16,840
Then nobody removes the access because nobody owns the removal. That is not misconfiguration.

536
00:21:16,840 --> 00:21:18,680
That is organizational thermodynamics.

537
00:21:18,680 --> 00:21:22,600
And the more Fabric is used as the Office for data platform, the more pressure exists to

538
00:21:22,600 --> 00:21:23,600
broaden roles.

539
00:21:23,600 --> 00:21:28,000
Arun Ulag's framing is explicit: reduce product sprawl, reduce integration burden.

540
00:21:28,000 --> 00:21:31,080
Make it easy for the business to move. That strategy is coherent.

541
00:21:31,080 --> 00:21:35,040
But when easy meets RBAC bundles, least privilege collapses because bundles are the

542
00:21:35,040 --> 00:21:40,440
opposite of intent. Intent is specific. Bundles are generic. Governance needs intent.

543
00:21:40,440 --> 00:21:44,080
Now pause here because this is the moment many listeners will try to rescue the story by saying

544
00:21:44,080 --> 00:21:46,000
okay, but we can just tighten roles.

545
00:21:46,000 --> 00:21:47,520
We can just do least privilege.

546
00:21:47,520 --> 00:21:50,400
No, you can't. Not sustainably, not at scale.

547
00:21:50,400 --> 00:21:53,080
In Fabric, least privilege is not a default posture.

548
00:21:53,080 --> 00:21:55,200
It's an ongoing fight against delivery velocity.

549
00:21:55,200 --> 00:21:59,000
The system will always trend toward broader access because broader access reduces friction

550
00:21:59,000 --> 00:22:01,800
and Fabric is designed to reward reduced friction.

551
00:22:01,800 --> 00:22:03,680
So scenario two is not a hypothetical.

552
00:22:03,680 --> 00:22:05,040
It's the default operating model.

553
00:22:05,040 --> 00:22:08,880
You give people the ability to cause impact, then you call the impact governed because you

554
00:22:08,880 --> 00:22:10,200
can see it afterward.

555
00:22:10,200 --> 00:22:11,200
That's not governance.

556
00:22:11,200 --> 00:22:13,960
That's permission chaos with high quality telemetry.

557
00:22:13,960 --> 00:22:18,120
And once you accept that RBAC governs capability, not intent, the next illusion becomes

558
00:22:18,120 --> 00:22:23,280
obvious: sensitivity labels and DLP-like signals. Because a label that can't refuse execution

559
00:22:23,280 --> 00:22:29,680
is just metadata theater. Scenario three: sensitivity labels without execution constraint. Scenario

560
00:22:29,680 --> 00:22:33,520
three is where people confuse classification with control, because Microsoft has trained

561
00:22:33,520 --> 00:22:38,440
them to see labels as enforcement. In Microsoft 365, a sensitivity label can mean something

562
00:22:38,440 --> 00:22:42,680
concrete: encryption, watermarks, restricted sharing, DLP behavior.

563
00:22:42,680 --> 00:22:46,920
It's reasonable to carry that expectation into Fabric and assume that if the data is labeled,

564
00:22:46,920 --> 00:22:50,800
the platform will block the wrong use of it. That assumption fails the same way every

565
00:22:50,800 --> 00:22:53,240
other lineage based governance assumption fails.

566
00:22:53,240 --> 00:22:58,120
Timing. A sensitivity label is metadata. It describes the data. It does not inherently sit

567
00:22:58,120 --> 00:23:03,400
in the execution path as a deny gate, and a label that can't refuse execution is documentation,

568
00:23:03,400 --> 00:23:08,800
not control. Start with the clean setup: a table in OneLake-backed storage is labeled Confidential

569
00:23:08,800 --> 00:23:13,480
or Highly Confidential, or whatever your taxonomy is. Maybe the label is applied manually.

570
00:23:13,480 --> 00:23:17,120
Maybe it's applied automatically. Maybe it propagates to downstream items. All of that looks

571
00:23:17,120 --> 00:23:21,120
like governance, because it looks like intent got attached to the asset. But intent is not

572
00:23:21,120 --> 00:23:23,120
the same as enforceable behavior.

573
00:23:23,120 --> 00:23:28,160
Now a notebook reads that labeled data. Not a malicious notebook, a normal one. A notebook exists

574
00:23:28,160 --> 00:23:34,480
to transform, enrich, join, aggregate and write. That's what Fabric notebooks are for: turning

575
00:23:34,480 --> 00:23:39,360
inputs into outputs. The notebook reads the labeled table, performs a transformation and

576
00:23:39,360 --> 00:23:44,320
writes the results somewhere else: a new lakehouse, a new warehouse, a file export, a staging

577
00:23:44,320 --> 00:23:49,200
area for a report, a temporary dataset that becomes permanent. Pick any destination that

578
00:23:49,200 --> 00:23:52,920
is less controlled than the source, or controlled differently. Here is the critical

579
00:23:52,920 --> 00:23:57,520
question governance requires: does the platform evaluate the label in combination with the

580
00:23:57,520 --> 00:24:02,760
destination and refuse the write? Not: does it show the label. Not: does it propagate the label.

581
00:24:02,760 --> 00:24:07,200
Not: does it record that the labeled data flowed into an output. Refuse means the output cannot

582
00:24:07,200 --> 00:24:12,720
be created, and in most real estates nothing in that execution path is guaranteed to say no.

583
00:24:12,720 --> 00:24:16,360
What you get instead is label propagation theater. The label travels, the metadata updates,

584
00:24:16,360 --> 00:24:20,880
and everyone points at the fact that the sensitive content stayed tagged. That is not prevention,

585
00:24:20,880 --> 00:24:24,680
because the risk you're trying to govern is not whether the output is tagged. The risk is

586
00:24:24,680 --> 00:24:28,560
whether the output exists in a location where the wrong people can access it, or where the

587
00:24:28,560 --> 00:24:33,760
wrong egress paths exist, or where export is easier, or where sharing is broader. A label

588
00:24:33,760 --> 00:24:37,600
can change the physics of access boundaries if the access boundary is a workspace role

589
00:24:37,600 --> 00:24:41,200
assignment and a sharing model. And this is where Fabric's execution-first nature makes

590
00:24:41,200 --> 00:24:44,800
the problem worse. Notebooks and pipelines are designed to make copies. They are copy

591
00:24:44,800 --> 00:24:49,880
engines. If your governance posture depends on labels to prevent copying, you're relying on

592
00:24:49,880 --> 00:24:54,320
a signal to stop a mechanism that was built to ignore signals unless forced. So what does

593
00:24:54,320 --> 00:24:58,720
lineage show? It shows the labeled input. It shows the notebook. It shows the output. It makes

594
00:24:58,720 --> 00:25:03,720
the flow look responsible because the metadata appears consistent. It even makes the organization

595
00:25:03,720 --> 00:25:08,480
feel mature: look, we have labeling and we can trace it. But nothing stopped the write. This

596
00:25:08,480 --> 00:25:12,600
is why people get blindsided in audits. An auditor doesn't care that the copied dataset

597
00:25:12,600 --> 00:25:16,920
is labeled Confidential if it now exists in a workspace where contributors can export

598
00:25:16,920 --> 00:25:21,960
it to Excel, or share it broadly, or connect downstream systems. They care that the data moved

599
00:25:21,960 --> 00:25:26,800
into a weaker boundary and the platform did not refuse the move. The uncomfortable truth

600
00:25:26,800 --> 00:25:31,400
is that labels are often treated as a substitute for architectural containment. Organizations label

601
00:25:31,400 --> 00:25:35,000
everything and assume that means the platform is governing. But labels are a description

602
00:25:35,000 --> 00:25:39,880
layer. Without an enforcement layer that is both consistent and positioned before execution,

603
00:25:39,880 --> 00:25:43,960
labels become compliance decoration. And just like with RBAC bundles, the exception

604
00:25:43,960 --> 00:25:48,760
pattern shows up immediately. Someone needs the data in another workspace, just for analysis.

605
00:25:48,760 --> 00:25:53,000
Someone needs to stage it, just for performance. Someone needs a copy, just for the board

606
00:25:53,000 --> 00:25:57,880
pack. The label remains. The copy exists. The governance team feels satisfied because the

607
00:25:57,880 --> 00:26:03,000
telemetry looks clean. Meanwhile, the risk surface expanded. So when you hear we're safe because

608
00:26:03,000 --> 00:26:07,880
we label our Fabric assets, translate it into the real statement: we know what we leaked. That's

609
00:26:07,880 --> 00:26:12,600
not nothing, but it's not governance. Governance means the platform can say: you can't write

610
00:26:12,600 --> 00:26:17,080
labeled data into that destination, you can't export it through that path, you can't share it outside

611
00:26:17,080 --> 00:26:21,640
that boundary. If the label can't refuse execution, it cannot be your control plane. And once you accept

612
00:26:21,640 --> 00:26:27,080
that, scenario four becomes obvious. Adding Purview and adding native lineage doesn't fix the timing

613
00:26:27,080 --> 00:26:32,440
problem. It just gives you two observers watching the same failure. Scenario four: Purview versus native

614
00:26:32,440 --> 00:26:37,320
Fabric lineage. Scenario four is the one Microsoft quietly benefits from, because it turns a missing

615
00:26:37,320 --> 00:26:42,520
control into a perceived upgrade path. Native lineage is nice, but we'll connect Purview, as if adding

616
00:26:42,520 --> 00:26:47,240
a second lineage graph upgrades observability into governance. It does not. Purview is better at

617
00:26:47,240 --> 00:26:52,120
a lot of things. Fabric lineage is better at a few things. They overlap, they integrate, they create

618
00:26:52,120 --> 00:26:57,400
a larger, cleaner story. But they are still observers, and two observers do not equal one enforcer.

619
00:26:57,400 --> 00:27:02,200
Start with what each tool really is, not what the marketing wants it to be. Fabric lineage is workspace

620
00:27:02,200 --> 00:27:07,720
centric dependency mapping. It tells you what items used what other items inside the Fabric execution

621
00:27:07,720 --> 00:27:15,000
surface: notebooks, pipelines, lakehouses, warehouses, semantic models, reports. It's good for impact analysis.

622
00:27:15,000 --> 00:27:19,800
It's good for debugging. It's good for what changed and what will break. Purview is an enterprise

623
00:27:19,800 --> 00:27:25,080
metadata platform. It builds an inventory. It scans. It classifies. It gives you governance domains, data

624
00:27:25,080 --> 00:27:29,960
products, business context, ownership, workflows and, critically, visibility across systems that aren't

625
00:27:29,960 --> 00:27:35,160
Fabric. Purview is a catalog of catalogs. Fabric lineage is a local map. But both share the same

626
00:27:35,160 --> 00:27:40,200
structural limitation: they operate after the fact. Look at the execution order again. A pipeline runs,

627
00:27:40,200 --> 00:27:44,680
a notebook writes, a dataset gets published, a downstream artifact is created. Then telemetry gets

628
00:27:44,680 --> 00:27:50,040
emitted. Then the lineage graph updates. Then Purview scans, ingests metadata and presents it in a

629
00:27:50,040 --> 00:27:55,640
unified catalog. That order matters, because anything that requires scanning, ingestion, mapping and

630
00:27:55,640 --> 00:27:59,880
visualization is not sitting inline with the write operation. It is not a gate. So in this scenario,

631
00:27:59,880 --> 00:28:04,200
the organization does what it always does: it takes a weakness and wraps it in a dashboard. They

632
00:28:04,200 --> 00:28:08,920
connect Fabric to Purview. They enable the admin APIs. They run scans. They create collections. They

633
00:28:08,920 --> 00:28:13,720
build governance domains. They assign owners. They see their assets. They see their lineage. They see

634
00:28:13,720 --> 00:28:18,120
their classifications. And then the data still moves, because none of that changed the execution pathway.

635
00:28:18,120 --> 00:28:22,440
Purview can tell you that sensitive data exists in a lakehouse. It can tell you that it flowed

636
00:28:22,440 --> 00:28:26,360
through a notebook. It can show you that a report depends on it. It can even show you the approval

637
00:28:26,360 --> 00:28:30,920
workflow for requesting access to a data product. But if someone already has the ability to run the

638
00:28:30,920 --> 00:28:35,720
notebook and write the output, Purview did not prevent anything. It simply improved the quality of

639
00:28:35,720 --> 00:28:40,360
the narrative. This is why the "Purview will fix governance" belief is so persistent. Purview feels

640
00:28:40,360 --> 00:28:44,920
like governance because it uses governance language: domains, policies, data products, access requests,

641
00:28:44,920 --> 00:28:49,080
stewardship, quality scores. It gives you formal structures. It gives you process. It looks like

642
00:28:49,080 --> 00:28:54,120
authority. But process is not authority unless the process is bound to an enforcement point. Otherwise

643
00:28:54,120 --> 00:28:59,080
it's a request, and requests do not survive deadlines. Here's the counterintuitive part: Purview

644
00:28:59,080 --> 00:29:04,040
integration can actually increase false confidence, because now you have two layers of visibility. When

645
00:29:04,040 --> 00:29:08,120
something goes wrong, you can open Fabric lineage and explain the local flow. Then you can open

646
00:29:08,120 --> 00:29:12,520
Purview and explain the broader flow. You can show labels. You can show classifications. You can show

647
00:29:12,520 --> 00:29:17,800
who owns what. And because the story's richer, leadership feels the system is more governed. Meanwhile,

648
00:29:17,800 --> 00:29:22,600
the actual gating decision still lives where it always lived: in role assignment and in whatever

649
00:29:22,600 --> 00:29:28,200
egress controls exist outside Fabric. So the real test for scenario four isn't can Purview show

650
00:29:28,200 --> 00:29:34,280
me the lineage? Of course it can. The test is: can Purview refuse the notebook write, right now, before

651
00:29:34,280 --> 00:29:39,320
the output exists, because the destination violates policy? If the answer is no, Purview is not your

652
00:29:39,320 --> 00:29:43,800
enforcement layer. It is your observability layer, a valuable one, but not the one you needed. This

653
00:29:43,800 --> 00:29:49,320
scenario ends with the same uncomfortable line every scenario ends with: visibility is not authority.

654
00:29:49,320 --> 00:29:54,920
Purview plus Fabric lineage equals better visibility. It does not equal governance. And once you accept

655
00:29:54,920 --> 00:30:00,200
that, you can finally see why the illusion exists at all: Microsoft sells unification as safety, and

656
00:30:00,200 --> 00:30:06,200
that is the next problem. The "Office for data" story creates control plane illusions. Microsoft didn't

657
00:30:06,200 --> 00:30:11,560
accidentally create this confusion. The platform story trains people to expect governance because it

658
00:30:11,560 --> 00:30:17,480
borrows the most emotionally persuasive analogy in enterprise software: Office. Arun Ulag says it

659
00:30:17,480 --> 00:30:23,640
plainly in interviews: customers were drowning in complexity, too many products, too much integration

660
00:30:23,640 --> 00:30:29,400
burden, and the goal was to do for data what Office did for productivity. One suite, one surface, one

661
00:30:29,400 --> 00:30:34,360
lake, one place to work. And for adoption, that's brilliant. But Office never promised control. It promised

662
00:30:34,360 --> 00:30:40,440
convenience. The illusion happens when organizations translate unified experience into unified authority.

663
00:30:40,440 --> 00:30:45,000
They assume that because everything is in one place, the platform must also be the place where

664
00:30:45,000 --> 00:30:49,880
policy is enforced. They assume the unification layer is the control plane. It isn't. Office is not a

665
00:30:49,880 --> 00:30:54,280
firewall. It's a productivity surface. People can still paste secrets into a document. They can

666
00:30:54,280 --> 00:30:58,680
still forward an attachment. They can still save something to the wrong place. Microsoft added Purview,

667
00:30:58,680 --> 00:31:03,240
DLP, labels and retention over time because the base product was about creating and sharing, not

668
00:31:03,240 --> 00:31:08,120
enforcing intent. Fabric is following the same pattern. It is a productivity surface for data. And when

669
00:31:08,120 --> 00:31:13,080
you hear "OneLake is OneDrive for data", you should translate it into the real architectural implication:

670
00:31:13,080 --> 00:31:18,120
this is a shared substrate optimized for movement. Movement is the point; friction is the enemy. That

671
00:31:18,120 --> 00:31:23,240
is why it sells. Now add the slogan that gets repeated in governance discussions: discipline at the

672
00:31:23,240 --> 00:31:29,000
core, flexibility at the edge. It sounds responsible. It sounds like a mature federated model. It is also

673
00:31:29,000 --> 00:31:34,120
a perfect description of how entropy gets invited in, because flexibility at the edge is where execution

674
00:31:34,120 --> 00:31:39,080
happens. Edge teams create notebooks, pipelines and data products under deadline. They copy artifacts,

675
00:31:39,080 --> 00:31:44,120
they share shortcuts, they publish models, they materialize outputs. And if the platform does not

676
00:31:44,120 --> 00:31:49,160
have a hard enforcement point that forces discipline into those actions, discipline at the core becomes

677
00:31:49,160 --> 00:31:54,120
a documentation exercise. Central teams write standards, edge teams route around them, everyone calls

678
00:31:54,120 --> 00:31:57,960
it balance. This is the uncomfortable truth: federated governance without enforcement is just

679
00:31:57,960 --> 00:32:03,080
distributed exception handling. And Microsoft's incentive structure reinforces it. The platform

680
00:32:03,080 --> 00:32:08,440
succeeds when it reduces friction and increases usage. It succeeds when teams can onboard quickly, build

681
00:32:08,440 --> 00:32:13,400
quickly and iterate without waiting for a central council to approve every move. So the product pushes

682
00:32:13,400 --> 00:32:18,120
power outward: more capabilities in workspaces, more self-service creation, more integration between

683
00:32:18,120 --> 00:32:23,240
experiences, and more pathways to get data from here to there. That is not a bug; that is the

684
00:32:23,240 --> 00:32:27,880
business model, which means the platform will always bias toward enabling actions first and

685
00:32:27,880 --> 00:32:32,760
documenting them second. Control shows up later as overlays: labeling, cataloging, scanning, dashboards

686
00:32:32,760 --> 00:32:39,240
and governance hubs. Useful overlays, but overlays. The psychological trap is predictable: unification

687
00:32:39,240 --> 00:32:44,760
produces visibility, visibility feels like control. Leaders see domains, catalogs, endorsements, labels

688
00:32:44,760 --> 00:32:49,000
and lineage graphs and assume the platform is governing because it looks orderly. Orderliness is

689
00:32:49,000 --> 00:32:54,200
not authority. And the more the platform integrates, the stronger the illusion gets. When Fabric integrates

690
00:32:54,200 --> 00:32:58,920
with Purview, and Purview integrates with the Microsoft 365 compliance stack, and governance

691
00:32:58,920 --> 00:33:04,040
language becomes ubiquitous, people stop asking the only question that matters: where is the deny?

692
00:33:04,040 --> 00:33:08,440
They start asking softer questions: do we have a dashboard, do we have ownership, do we have labels,

693
00:33:08,440 --> 00:33:13,240
do we have lineage. Those are observability questions; they are not enforcement questions. So the Office

694
00:33:13,240 --> 00:33:18,040
for data story creates a specific kind of organizational failure. It convinces executives that buying

695
00:33:18,040 --> 00:33:23,080
unification bought control. It convinces architects that a single platform implies a single policy

696
00:33:23,080 --> 00:33:28,440
plane. It convinces governance teams that adding more metadata will eventually become enforcement.

697
00:33:28,440 --> 00:33:34,200
And then reality shows up on a timeline. Not a diagram, a timeline. An incident happens: a breach,

698
00:33:34,200 --> 00:33:39,400
an overshare, a regulatory exposure, a "how did this data get here" moment. And the organization learns

699
00:33:39,400 --> 00:33:44,360
in the most expensive way possible that the platform can explain what happened; it cannot reverse it.

700
00:33:44,360 --> 00:33:49,320
That's the next scenario, because nothing closes the gap between observability and governance like

701
00:33:49,320 --> 00:33:55,480
incident response. Scenario five: incident response timeline. Incident response is where the lineage lie

702
00:33:55,480 --> 00:34:00,600
stops being philosophical and becomes a calendar, because governance is measured in timing, not in

703
00:34:00,600 --> 00:34:05,880
diagrams. Here's the standard timeline every regulated organization eventually lives through. Something

704
00:34:05,880 --> 00:34:11,400
happens: data shows up somewhere it shouldn't, a report gets shared too broadly, a data set gets exported,

705
00:34:11,400 --> 00:34:15,720
a lakehouse copy appears in the wrong workspace. Sometimes it's malicious; most of the time it's

706
00:34:15,720 --> 00:34:21,320
just normal work moving faster than policy. That's moment one: impact. Then comes moment two: detection.

707
00:34:21,320 --> 00:34:25,960
Maybe it's a DLP alert, maybe it's an insider risk signal, maybe it's a user saying "why can I see

708
00:34:25,960 --> 00:34:30,520
this?", maybe it's an auditor asking for evidence you can't produce. The important part is that

709
00:34:30,520 --> 00:34:36,120
detection is downstream of impact. Then comes moment three: the scramble for narrative. This is when

710
00:34:36,120 --> 00:34:41,800
everyone opens the same set of tools: activity logs, audit logs, lineage graphs, catalog entries, workspace

711
00:34:41,800 --> 00:34:47,160
permissions. People start reconstructing. And yes, lineage is useful here: it tells you which items used

712
00:34:47,160 --> 00:34:51,960
which sources, it gives you a dependency chain, it helps you answer "how did the data travel". But notice

713
00:34:51,960 --> 00:34:56,440
what just happened: lineage entered the story after the outcome existed, which means lineage is

714
00:34:56,440 --> 00:35:02,120
participating in forensics, not prevention. Now moment four: containment. This is where the organization

715
00:35:02,120 --> 00:35:06,840
tries to stop further damage. They remove access, they lock down sharing, they revoke tokens, they

716
00:35:06,840 --> 00:35:11,960
disable exports, they rotate secrets, they update a policy, they create a new security group, they

717
00:35:11,960 --> 00:35:16,360
rename a workspace, they move an artifact, they tell everyone to stop using the old thing and use the

718
00:35:16,360 --> 00:35:21,480
new thing. Containment is messy because Fabric is unified: the same convenience that accelerates

719
00:35:21,480 --> 00:35:26,440
delivery also accelerates blast radius. If a data set has been reused widely, you now have to unwind

720
00:35:26,440 --> 00:35:31,560
reuse. If a pipeline has been copied, you now have multiple copies. If a notebook wrote a derivative,

721
00:35:31,560 --> 00:35:35,880
you now have derivative assets with their own downstream consumers. You're no longer fixing one

722
00:35:35,880 --> 00:35:40,760
thing; you're negotiating with a dependency graph that grew without you. Then moment five: reconstruction.

723
00:35:40,760 --> 00:35:45,240
This is the part auditors love and engineers hate. You build an incident report, you export logs, you

724
00:35:45,240 --> 00:35:50,040
annotate lineage screenshots, you write the story: what happened, when, who did it, what systems were

725
00:35:50,040 --> 00:35:56,040
involved, what data was exposed, what controls existed, what controls failed, what remediation you applied.

726
00:35:56,040 --> 00:36:00,520
That report feels like governance because it produces artifacts. It produces process output, it

727
00:36:00,520 --> 00:36:05,320
produces a sense of closure. But closure is not control; it's documentation of failure. Now here's

728
00:36:05,320 --> 00:36:11,640
the part most organizations don't say out loud: the timeline proves what layer you actually govern with.

729
00:36:11,640 --> 00:36:15,880
If the first time you can govern the event is after the write completed, you didn't govern it, you

730
00:36:15,880 --> 00:36:20,200
observed it. If the first time you can apply policy is after the export happened, you didn't prevent

731
00:36:20,200 --> 00:36:24,920
anything. If the first time you can classify the asset is after it already moved, the classification

732
00:36:24,920 --> 00:36:30,120
is just metadata about a new problem you now have. Governance that arrives after impact is not

733
00:36:30,120 --> 00:36:35,000
governance; it is incident response. And incident response is necessary, but it is not an acceptable

734
00:36:35,000 --> 00:36:39,480
substitute for a policy enforcement point when your risk model requires prevention. So when someone

735
00:36:39,480 --> 00:36:44,280
claims "Fabric lineage gives us governance", the incident response timeline is the clean rebuttal.

736
00:36:44,280 --> 00:36:49,720
Ask them, in order: when did the system refuse the action? Not when did it show it. Now, not when did it

737
00:36:49,720 --> 00:36:55,000
alert, not when did we notice. When did it deny? Because if the answer is "we saw it in lineage", you've

738
00:36:55,000 --> 00:36:59,800
already lost. Lineage is what you open when the outcome exists. You are now doing forensics. You are

739
00:36:59,800 --> 00:37:04,280
now explaining damage that was permitted by design. This is why the platform feels safe right up

740
00:37:04,280 --> 00:37:09,000
until it doesn't. Everything looks controlled until an event forces the only question that matters:

741
00:37:09,000 --> 00:37:13,800
what prevented this? And if the honest answer is "nothing prevented it, but we can explain it", then you

742
00:37:13,800 --> 00:37:18,600
don't have governance. You have observability plus meetings plus hope. So stop blaming lineage for

743
00:37:18,600 --> 00:37:23,000
not being a gate. That's not its job. The actual failure is blaming the wrong layer for the right

744
00:37:23,000 --> 00:37:28,040
problem. And that takes us to the responsibility map: who answers what? Who answers "what happened", who

745
00:37:28,040 --> 00:37:33,400
answers "can it run", and who is supposed to answer "should it run, here, now, with this data"? The

746
00:37:33,400 --> 00:37:38,440
responsibility map: stop misassigning blame. Most governance failures happen because the wrong

747
00:37:38,440 --> 00:37:43,320
layer is blamed for the right failure. People blame Fabric for not governing, they blame Purview

748
00:37:43,320 --> 00:37:49,320
for not enforcing, they blame Entra for not being granular. Then they add more policies, more dashboards,

749
00:37:49,320 --> 00:37:54,040
more committees, and they wonder why nothing gets safer. The system did exactly what you asked it to do;

750
00:37:54,040 --> 00:37:59,080
you just asked the wrong layer. So here's the responsibility map, stated the way systems actually behave,

751
00:37:59,080 --> 00:38:04,440
not the way product pages describe them. Start with Microsoft Entra. Entra answers "who are you,

752
00:38:04,440 --> 00:38:10,360
and at a coarse level, are you allowed into the surface area": authentication, token issuance, conditional

753
00:38:10,360 --> 00:38:14,680
access conditions, group membership, role assignments that decide whether the user can even reach the

754
00:38:14,680 --> 00:38:19,960
workload. Entra is identity. It is not a data control plane. It does not understand the semantics of

755
00:38:19,960 --> 00:38:24,600
"this table is sensitive and cannot be written into that workspace", because Entra doesn't see

756
00:38:24,600 --> 00:38:29,720
tables and workspaces as policy objects in the way your auditors imagine. Entra enforces identity

757
00:38:29,720 --> 00:38:34,840
posture; it doesn't compile data intent into execution-time denies. So when governance teams keep

758
00:38:34,840 --> 00:38:40,040
saying "we'll fix Fabric governance in Entra", what they mean is "we'll restrict who can get in". That

759
00:38:40,040 --> 00:38:45,160
helps. It will not solve intent. Then there's Microsoft Fabric. Fabric answers "can this run". It's an

760
00:38:45,160 --> 00:38:49,240
execution substrate, a distributed decision engine for running workloads, but not a centralized

761
00:38:49,240 --> 00:38:54,120
policy arbiter for evaluating whether an outcome should exist. It will happily run a notebook, run

762
00:38:54,120 --> 00:39:00,120
a pipeline, materialize an output, publish a model, generate a report. Fabric's core job is to execute

763
00:39:00,120 --> 00:39:04,360
within the permissions already granted. So when you say "Fabric should have blocked that", you are

764
00:39:04,360 --> 00:39:09,960
trying to retrofit "should" into a layer designed to answer "can". Fabric does not do morals; it does mechanics.

765
00:39:10,280 --> 00:39:15,640
Then there's Microsoft Purview. Purview answers "what happened" and "what is this data". It catalogs, it

766
00:39:15,640 --> 00:39:20,760
classifies, it builds lineage across systems, it supports audits and investigations. It can make data

767
00:39:20,760 --> 00:39:25,720
discoverable with ownership, domains and workflows, which is valuable because most organizations have

768
00:39:25,720 --> 00:39:30,440
no idea what they own until something goes wrong. But Purview is still not your inline gate. Purview

769
00:39:30,440 --> 00:39:35,240
excels at describing reality. It does not sit inside every execution path and refuse every

770
00:39:35,240 --> 00:39:39,880
prohibited action before the state change commits. If you treat Purview as an enforcement layer,

771
00:39:39,880 --> 00:39:44,920
you will build a program that looks governed and behaves permissively. And this is where people get

772
00:39:44,920 --> 00:39:50,760
confused, because Microsoft uses governance language for visibility products: domains, data products,

773
00:39:50,760 --> 00:39:56,600
quality scores, risk assessments. All useful. Still not an execution-time deny. So what's missing?

774
00:39:56,600 --> 00:40:02,200
A layer that answers the only question governance actually requires: should this run, here, now, with

775
00:40:02,200 --> 00:40:06,680
this data, to that destination, under these conditions? That's the policy decision point and its

776
00:40:06,680 --> 00:40:11,320
sibling, the policy enforcement point. Call it a data control plane if you want, but the definition is

777
00:40:11,320 --> 00:40:16,360
the same: centralized intent compiled into deterministic enforcement, placed before execution, not

778
00:40:16,360 --> 00:40:22,040
after. If that layer doesn't exist, governance becomes a cultural program instead of a system behavior,

779
00:40:22,040 --> 00:40:27,160
and cultural programs degrade under pressure. Now, to be clear, this missing layer doesn't have to be

780
00:40:27,160 --> 00:40:33,080
a single Microsoft product. It rarely is. In most enterprises it's a combination of architecture choices:

781
00:40:33,080 --> 00:40:39,320
constrained egress, restricted destinations, pre-approved pathways and explicit deny conditions.

782
00:40:39,320 --> 00:40:45,400
It is design that makes the unsafe path impossible, not a policy that asks people politely. So

783
00:40:45,400 --> 00:40:53,000
the responsibility map is brutal but liberating: Entra, who; Fabric, can it run; Purview, what happened;

784
00:40:53,000 --> 00:40:58,200
missing layer, should it run. Once you assign responsibility correctly, you stop trying to squeeze

785
00:40:58,200 --> 00:41:03,960
governance out of lineage, you stop asking observability tools to behave like enforcement tools, and you

786
00:41:03,960 --> 00:41:09,400
stop assuming that unified means governed. Then the rest becomes mechanical. You can test any governance

787
00:41:09,400 --> 00:41:14,440
feature by asking where it lives in this map. If it's identity, it won't govern data intent. If it's

788
00:41:14,440 --> 00:41:19,160
metadata, it won't prevent execution. If it's execution, it will not judge outcomes. That distinction

789
00:41:19,160 --> 00:41:23,960
matters because once you stop misassigning blame, you can finally define governance in a way that

790
00:41:23,960 --> 00:41:29,480
survives reality. The four-question governance litmus test. So if the responsibility map is correct,

791
00:41:29,480 --> 00:41:34,360
the next move is to stop arguing about features and start testing architecture. Most governance

792
00:41:34,360 --> 00:41:39,800
conversations stay vague on purpose. Vague language protects bad assumptions: "we have controls",

793
00:41:39,800 --> 00:41:45,800
"we have visibility", "we have Purview", "we have policies". None of those statements mean anything until

794
00:41:45,800 --> 00:41:51,880
you can answer one question: can the system stop the outcome? To make this practical, use a litmus test:

795
00:41:51,880 --> 00:41:56,840
four questions. If you can't answer yes to all four for a given control, then it's not governance. It

796
00:41:56,840 --> 00:42:01,720
might be useful, it might be necessary, but it's not governance. Question one: can the system say no?

797
00:42:01,720 --> 00:42:07,800
Not can it warn, not can it alert, not can it log, not can it show me a report. Can it refuse the action?

798
00:42:07,800 --> 00:42:12,120
If a user can still copy the data, export it, materialize it or share it, and the system's

799
00:42:12,120 --> 00:42:16,280
contribution is that it documented the action, then the system did not say no. It said "good luck"

800
00:42:16,280 --> 00:42:21,240
and then wrote a receipt. Question two: can it say no before execution? This is where most tools die.

801
00:42:21,240 --> 00:42:25,960
Before execution means the denial occurs prior to state change: before the notebook write commits,

802
00:42:25,960 --> 00:42:30,840
before the pipeline output exists, before the shortcut resolves into accessible data, before the

803
00:42:30,840 --> 00:42:35,640
export lands in someone's downloads folder. If the deny happens after execution, it's incident

804
00:42:35,640 --> 00:42:41,400
response. Maybe automated incident response. Still incident response. Governance that arrives after

805
00:42:41,400 --> 00:42:47,960
impact is paperwork. Useful paperwork, not governance. Question three: can it enforce centrally?

806
00:42:47,960 --> 00:42:53,080
Centrally doesn't mean there's a portal. Centrally means there is one place where intent is expressed

807
00:42:53,080 --> 00:42:58,920
and consistently enforced across the estate: across workspaces, across domains, across teams, across

808
00:42:58,920 --> 00:43:04,440
workloads. If the enforcement depends on every workspace admin remembering to configure the same

809
00:43:04,440 --> 00:43:09,720
settings, you don't have a control plane. You have distributed hope, and hope as a governance strategy

810
00:43:09,720 --> 00:43:15,720
has a short half-life. Question four: can it fail safely? A governed system fails closed: deny by default,

811
00:43:15,720 --> 00:43:21,000
contained blast radius. The safe failure mode is "nothing happened", not "something happened and we'll

812
00:43:21,000 --> 00:43:25,960
clean it up". If a system fails open because a dependency is down, a scan didn't run, a label didn't

813
00:43:25,960 --> 00:43:30,280
propagate, an exception got added, then you're operating a probabilistic security model. You're betting

814
00:43:30,280 --> 00:43:34,600
your compliance posture on uptime, timing and human discipline. That is not a bet you get to make

815
00:43:34,600 --> 00:43:38,840
forever. Now take those four questions and apply them to the things people commonly call Fabric

816
00:43:38,840 --> 00:43:44,440
governance. Lineage: can it say no? No. Can it say no before execution? No. Can it enforce centrally?

817
00:43:44,440 --> 00:43:49,000
It can centralize visibility, not enforcement. Can it fail safely? It fails as incomplete telemetry, not

818
00:43:49,000 --> 00:43:54,360
as a deny gate. That's not governance. Tags and endorsements: can they say no? No. They're metadata

819
00:43:54,360 --> 00:44:00,520
and trust signals. Useful, not enforcement. Purview catalogs and scans: can they say no? They can

820
00:44:00,520 --> 00:44:05,800
drive workflows and classifications, but unless a policy is enforced inline, scans do not stop writes,

821
00:44:05,800 --> 00:44:10,760
and scans by definition occur after something exists to be scanned. Even many security features people

822
00:44:10,760 --> 00:44:15,640
assume are governance collapse under this test, because they only apply to specific egress paths,

823
00:44:15,640 --> 00:44:20,680
specific workloads or specific user experiences. Selective enforcement is still not deterministic

824
00:44:20,680 --> 00:44:25,960
governance. Now keep this distinction clean: this litmus test is not saying Fabric is insecure. It is

825
00:44:25,960 --> 00:44:30,440
saying something more uncomfortable: Fabric is an execution platform. Execution platforms do not

826
00:44:30,440 --> 00:44:35,240
govern by default; they execute by default. So if your governance requirement is prevention, you

827
00:44:35,240 --> 00:44:40,360
must place prevention where prevention can exist: at the point of decision and enforcement, before

828
00:44:40,360 --> 00:44:45,720
execution, consistently, and with safe failure modes. Say the four questions slowly, because you will

829
00:44:45,720 --> 00:44:52,040
reuse them in meetings: can the system say no? Can it say no before execution? Can it enforce centrally?

830
00:44:52,040 --> 00:44:57,960
Can it fail safely? And now say them faster, because this is how you spot the lie in real time: no, before,

831
00:44:57,960 --> 00:45:02,520
central, safe. If any one of those is missing, you don't have governance. You have observability plus

832
00:45:02,520 --> 00:45:06,760
process. The next step is turning this into a decision tree, because architects don't need more

833
00:45:06,760 --> 00:45:11,640
principles; they need a routing rule: when to treat something as prevention and when to treat it as

834
00:45:11,640 --> 00:45:18,440
telemetry. The decision tree: prevention versus observability. Now take the litmus test and weaponize it,

835
00:45:18,440 --> 00:45:23,160
not as philosophy, as a routing decision, because in real enterprises you don't get to implement

836
00:45:23,160 --> 00:45:27,720
governance. You choose where you're going to spend constraint and where you're going to accept

837
00:45:27,720 --> 00:45:32,760
drift. So here's the decision tree. First branch: do you need prevention or do you need observability?

838
00:45:32,760 --> 00:45:37,880
That sounds obvious, but most organizations never answer it explicitly. They just buy tools, enable

839
00:45:37,880 --> 00:45:43,080
features and assume it all adds up to governed. It doesn't. If you need prevention, the rule is simple:

840
00:45:43,080 --> 00:45:47,560
you must design for enforcement before execution. That means you don't start with lineage; you start

841
00:45:47,560 --> 00:45:53,400
with choke points. You identify the actions that create irreversible risk: data leaving a boundary,

842
00:45:53,400 --> 00:45:59,800
new copies being created, exports, external sharing, downstream materialization into less trusted zones.

843
00:45:59,800 --> 00:46:04,360
Then you force those actions through a limited number of pathways. You reduce the number of ways a

844
00:46:04,360 --> 00:46:09,000
human can accomplish the same outcome, because in a distributed execution platform multiple pathways

845
00:46:09,000 --> 00:46:13,560
is the enemy. Every extra pathway is an extra policy surface, and every policy surface becomes

846
00:46:13,560 --> 00:46:19,000
inconsistent over time. So prevention mode looks like this: you don't ask "can we track it", you ask "where

847
00:46:19,000 --> 00:46:24,680
can we deny it". Pre-execution gates, controlled egress, explicit destinations, a model that fails closed,

848
00:46:24,680 --> 00:46:29,320
a model where the unsafe outcome is impossible without deliberately breaking glass. And in

849
00:46:29,320 --> 00:46:34,040
Fabric terms, this usually means you stop treating the workspace as your containment boundary.

850
00:46:34,040 --> 00:46:39,240
You treat it as collaboration. The actual containment lives outside it: in network egress controls,

851
00:46:39,240 --> 00:46:44,680
in storage boundaries, in pre-approved publishing paths, in external policy engines, in whatever mechanism

852
00:46:44,680 --> 00:46:49,480
your architecture can force Fabric to respect. Second branch: if you need observability, then stop

853
00:46:49,480 --> 00:46:54,120
pretending you're building gates. Build sensors. This is where lineage is excellent, audit logs are

854
00:46:54,120 --> 00:46:59,880
excellent, Purview is excellent: monitoring hubs, activity logs, inventory, classification, ownership,

855
00:46:59,880 --> 00:47:05,480
workflows. This is the real world where observability wins. Observability mode looks like this: you accept

856
00:47:05,480 --> 00:47:09,880
that the platform will execute, therefore you maximize your ability to understand, troubleshoot

857
00:47:09,880 --> 00:47:15,000
and explain. You optimize for impact analysis, not containment. You treat lineage as a dependency

858
00:47:15,000 --> 00:47:19,880
graph, not a safety boundary, and you use that visibility to reduce mean time to detection, reduce

859
00:47:19,880 --> 00:47:25,400
mean time to response, and improve your ability to answer regulators with evidence. That's valuable;

860
00:47:25,400 --> 00:47:30,120
it's just not prevention. Now the third branch is the one nobody admits: the mixed mode. Most

861
00:47:30,120 --> 00:47:35,480
organizations end up here. They have a few prevention controls in a few places and observability

862
00:47:35,480 --> 00:47:40,440
everywhere else. This is the default because it feels balanced, but mixed mode is where probabilistic

863
00:47:40,440 --> 00:47:45,400
security is born, because the moment you have "some paths are blocked, some paths are just logged",

864
00:47:45,400 --> 00:47:50,600
people route around the blocked paths. Not maliciously, operationally: they pick the path that works.

865
00:47:50,600 --> 00:47:55,320
So if you're in mixed mode, you have exactly one job: make sure the ungated paths do not exist

866
00:47:55,320 --> 00:47:59,480
for high-impact outcomes. If you can't do that, then stop calling the system governed. Call it

867
00:47:59,480 --> 00:48:04,760
monitored, and design incident response like you mean it. Now apply the decision tree to the artifacts

868
00:48:04,760 --> 00:48:10,440
people love to cite. Lineage: observability, always treated as forensic telemetry. Purview catalog:

869
00:48:10,440 --> 00:48:16,200
observability and process, useful for discovery, ownership and audit trails, still not your inline gate.

870
00:48:16,200 --> 00:48:21,240
RBAC: access control. It constrains who can act; it does not constrain whether the act is acceptable

871
00:48:21,240 --> 00:48:26,440
for the data and destination. So the decision tree becomes a practical meeting tool. When someone says

872
00:48:26,440 --> 00:48:31,560
"we'll use lineage for governance", you respond with one question: are we trying to prevent an outcome

873
00:48:31,560 --> 00:48:36,440
or are we trying to explain it? If they say prevent, you ask: where is the deny-before-execution gate?

874
00:48:36,440 --> 00:48:40,440
If they can't answer, the conversation ends. Not because you're being difficult, but because the

875
00:48:40,440 --> 00:48:45,480
architecture already decided. And if they say explain, then fine: turn on lineage, integrate Purview,

876
00:48:45,480 --> 00:48:50,120
improve the catalog, instrument everything, build the best forensic story you can. Just don't confuse

877
00:48:50,120 --> 00:48:54,280
that with authority. Now here's the part that actually changes behavior. Repeat the routing rule

878
00:48:54,280 --> 00:48:59,240
in one line: prevention lives above Fabric, observability lives after Fabric. And if you confuse the two, you

879
00:48:59,240 --> 00:49:04,680
don't get better governance; you get audit failure with better diagrams. Which is why the next section

880
00:49:04,680 --> 00:49:10,120
matters: a governance model that doesn't depend on hope and doesn't require a product shopping spree.

881
00:49:10,120 --> 00:49:16,120
30-to-60-day governance model that doesn't depend on hope. Now the obvious question: what does an

882
00:49:16,120 --> 00:49:21,480
actual governance posture look like if Fabric lineage is telemetry, not authority? It looks like

883
00:49:21,480 --> 00:49:27,160
governance subtraction, not addition. Most teams try to govern by piling on artifacts: more tags, more

884
00:49:27,160 --> 00:49:31,720
domains, more documentation, more meetings. That increases the narrative quality; it does not reduce the

885
00:49:31,720 --> 00:49:37,560
number of ways data can escape. So the 30/60-day model starts with one ruthless move: remove pathways,

886
00:49:37,560 --> 00:49:43,080
not educate people to behave, and remove the ability to bypass intent. Week one and two: define explicit

887
00:49:43,080 --> 00:49:47,720
deny conditions. This is not a policy document. This is a set of outcomes that are architecturally

888
00:49:47,720 --> 00:49:53,880
unacceptable: sensitive data materialized outside approved workspaces, data exported to unmanaged

889
00:49:53,880 --> 00:50:00,600
endpoints, data shared externally, high-risk assets copied into personal or exploratory zones,

890
00:50:00,600 --> 00:50:05,960
workloads running with identities that cannot be traced to accountable owners. Write them as deny

891
00:50:05,960 --> 00:50:11,720
statements, because that forces clarity: "this must not happen". Week three and four: externalize enforcement.

892
00:50:11,720 --> 00:50:17,560
If you need a deny-before-execution gate, put it where a deny can exist: in the paths that create new

893
00:50:17,560 --> 00:50:22,680
state. In practice that means you pick controlled egress points and make them boring: publishing pipelines

894
00:50:22,680 --> 00:50:27,720
that are the only allowed route into curated zones, approved destinations that are the only allowed

895
00:50:27,720 --> 00:50:33,080
place sensitive outputs can land, network constraints that make "just write it somewhere else" fail. This is

896
00:50:33,080 --> 00:50:38,200
the part people hate, because it reduces freedom. Good governance is the deliberate reduction of freedom

897
00:50:38,200 --> 00:50:43,160
for high-impact actions. Week five and six: reduce Fabric privileges. Stop treating Contributor

898
00:50:43,160 --> 00:50:48,760
and Member as default developer roles. They're capability bundles. Bundles create entropy. So you shrink

899
00:50:48,760 --> 00:50:54,120
who can create new items, who can publish widely, who can share, who can export, who can manage connections.

900
00:50:54,120 --> 00:50:58,840
You do it with groups, not people, because people move and groups are the only scalable unit of intent.

901
00:50:58,840 --> 00:51:03,880
And when someone says "we need admin just for this one thing", you treat that as a break-glass event

902
00:51:03,880 --> 00:51:09,480
with an owner, a time limit and an audit trail. Not because you love bureaucracy, but because temporary

903
00:51:09,480 --> 00:51:14,680
admin is the most common permanent condition in Microsoft estates. Week seven and eight: formalize

904
00:51:14,680 --> 00:51:19,880
lineage as audit-only telemetry. This is a psychological change, not a technical one. You stop using lineage

905
00:51:19,880 --> 00:51:24,760
to argue that you're governed. You use lineage to answer three things: what depends on what, what changed,

906
00:51:24,760 --> 00:51:29,080
and what happened. You align lineage with incident response and operational troubleshooting, not

907
00:51:29,080 --> 00:51:34,440
prevention. That keeps the tool honest and keeps your governance posture from turning into theater. Now

908
00:51:34,440 --> 00:51:38,840
notice what I didn't say. I didn't say go buy more governance products. I didn't say turn on every

909
00:51:38,840 --> 00:51:43,240
feature. I didn't say build a bigger catalog, because the core issue wasn't a missing dashboard. It was

910
00:51:43,240 --> 00:51:47,640
a missing enforcement layer and too many allowed paths around intent. When you subtract pathways and

911
00:51:47,640 --> 00:51:52,920
you constrain high-impact actions into narrow, enforceable routes, the platform becomes calmer. The blast

912
00:51:52,920 --> 00:51:58,120
radius shrinks, the number of exceptions drops, and the system starts behaving deterministically again.

913
00:51:58,120 --> 00:52:02,280
Then lineage becomes what it should have been all along: a forensic graph that helps you operate, not

914
00:52:02,280 --> 00:52:07,480
a comfort blanket that helps you pretend. And once you do that, the final reframe lands cleanly: Fabric

915
00:52:07,480 --> 00:52:12,520
didn't fail at governance. Your assumption did. Fabric lineage explains what happened; governance

916
00:52:12,520 --> 00:52:17,480
prevents what's allowed to happen. Confusing them turns your data estate into conditional chaos.

917
00:52:17,480 --> 00:52:21,960
If you want the next step, the next episode designs an actual data control plane and explains why

918
00:52:21,960 --> 00:52:27,720
Microsoft doesn't ship one by default. Subscribe, and send this to the person who keeps calling dashboards controls.