The Resilience Mandate: Leading Security in the Age of AI

1
00:00:00,000 --> 00:00:02,960
Most organizations think securities are checklist, MFA,

2
00:00:02,960 --> 00:00:06,680
EDR, a pile of policies, and a dashboard that's mostly green.

3
00:00:06,680 --> 00:00:09,560
That setup feels like control, it isn't, it's coverage,

4
00:00:09,560 --> 00:00:11,360
and coverage doesn't equal resilience.

5
00:00:11,360 --> 00:00:14,640
This episode is about the uncomfortable shift leaders have to make,

6
00:00:14,640 --> 00:00:16,840
from buying controls to designing trust

7
00:00:16,840 --> 00:00:19,040
and from chasing no incidents to engineering,

8
00:00:19,040 --> 00:00:21,000
fast containment and recovery.

9
00:00:21,000 --> 00:00:23,080
We'll anchor it in three Microsoft realities,

10
00:00:23,080 --> 00:00:25,560
intra-governance and identity threat detection,

11
00:00:25,560 --> 00:00:27,400
continuous access evaluation,

12
00:00:27,400 --> 00:00:29,960
and defender signals routed into service now,

13
00:00:29,960 --> 00:00:33,480
because the goal is decision speed, not feature completeness.

14
00:00:33,480 --> 00:00:36,760
Why well-secured organizations still get breached?

15
00:00:36,760 --> 00:00:38,200
Here's what most people miss.

16
00:00:38,200 --> 00:00:41,400
Breaches don't happen because an organization forgot to buy a product.

17
00:00:41,400 --> 00:00:44,600
They happen because the organization never updated its trust model,

18
00:00:44,600 --> 00:00:46,680
security teams deploy controls.

19
00:00:46,680 --> 00:00:50,200
The business keeps operating on assumptions that were true 10 years ago,

20
00:00:50,200 --> 00:00:53,600
that the network is a boundary, that authentication is a finish line,

21
00:00:53,600 --> 00:00:55,440
that permissions represent intent,

22
00:00:55,440 --> 00:00:58,000
and that alerts are the same thing as response.

23
00:00:58,000 --> 00:01:01,440
Those assumptions don't fail loudly, they decay quietly.

24
00:01:01,440 --> 00:01:03,240
And attackers don't need to break in anymore.

25
00:01:03,240 --> 00:01:05,160
They walk the pathways you already built.

26
00:01:05,160 --> 00:01:07,480
A modern breach story usually starts with identity,

27
00:01:07,480 --> 00:01:10,200
not because identity is weak, but because identity is everywhere.

28
00:01:10,200 --> 00:01:13,520
Cloud, SAS, API's, automation, contractors, service accounts,

29
00:01:13,520 --> 00:01:15,680
and now agents, identity isn't the directory,

30
00:01:15,680 --> 00:01:17,640
it's the control plane, that distinction matters

31
00:01:17,640 --> 00:01:21,200
because your control plane isn't protected by the existence of controls.

32
00:01:21,200 --> 00:01:24,320
It's protected by whether those controls enforce your intent.

33
00:01:24,320 --> 00:01:28,080
Most well-secured environments are rich in prevention and poor in constraint.

34
00:01:28,080 --> 00:01:31,320
You see it in the gap between authentication and authorization.

35
00:01:31,320 --> 00:01:34,760
They might have fishing-resistant MFA and still have reckless entitlements.

36
00:01:34,760 --> 00:01:36,720
They might have conditional access policies

37
00:01:36,720 --> 00:01:39,680
and still allow broad access packages that never expire.

38
00:01:39,680 --> 00:01:41,360
They might have privileged access tooling

39
00:01:41,360 --> 00:01:42,800
and still tolerate standing power

40
00:01:42,800 --> 00:01:45,320
because approvals are slow and exceptions are easier.

41
00:01:45,320 --> 00:01:46,600
Attackers understand this.

42
00:01:46,600 --> 00:01:50,360
They don't fight your MFA head-on if they can steal a token after the MFA challenge.

43
00:01:50,360 --> 00:01:52,320
They don't brute force a firewall

44
00:01:52,320 --> 00:01:55,560
if they can use a perfectly valid identity to call an API.

45
00:01:55,560 --> 00:01:57,720
They don't need to exploit a vulnerability

46
00:01:57,720 --> 00:02:00,880
if the environment already grants the privileges that do the damage.

47
00:02:00,880 --> 00:02:02,760
So when leaders ask, "How did this happen?"

48
00:02:02,760 --> 00:02:04,080
We had everything turned on.

49
00:02:04,080 --> 00:02:07,560
The correct answer is, "You had controls, but you didn't have enforced trust."

50
00:02:07,560 --> 00:02:09,400
Then there's the green dashboard problem.

51
00:02:09,400 --> 00:02:12,520
Dashboards show deployment state, not risk reality.

52
00:02:12,520 --> 00:02:15,000
We enabled feature X is not the same as feature X

53
00:02:15,000 --> 00:02:17,040
is constraining the right pathways.

54
00:02:17,040 --> 00:02:18,640
Attendant can show high compliance

55
00:02:18,640 --> 00:02:21,040
while still carrying structural exposure.

56
00:02:21,040 --> 00:02:23,800
Dormant accounts, stale guest access,

57
00:02:23,800 --> 00:02:25,560
over-permissioned applications,

58
00:02:25,560 --> 00:02:27,480
service principles with broad rights

59
00:02:27,480 --> 00:02:30,200
and exception policies that never die.

60
00:02:30,200 --> 00:02:32,440
Controls drift because organizations drift.

61
00:02:32,440 --> 00:02:35,800
Entitlements accumulate, policy exceptions become permanent

62
00:02:35,800 --> 00:02:37,280
and the system keeps working,

63
00:02:37,280 --> 00:02:39,400
which is exactly why the risk stays invisible.

64
00:02:39,400 --> 00:02:41,160
This is why compliance isn't the finish line.

65
00:02:41,160 --> 00:02:44,880
It's a snapshot and snapshots don't stop moving systems from eroding.

66
00:02:44,880 --> 00:02:47,120
A breach in that sense is not a moral failure.

67
00:02:47,120 --> 00:02:48,680
It's system behavior.

68
00:02:48,680 --> 00:02:50,240
Systems optimize for throughput.

69
00:02:50,240 --> 00:02:52,000
People optimize for getting work done.

70
00:02:52,000 --> 00:02:54,480
Security teams optimize for what they can measure.

71
00:02:54,480 --> 00:02:57,160
If the organization measures how many controls are deployed,

72
00:02:57,160 --> 00:02:58,600
it will get deployed controls.

73
00:02:58,600 --> 00:03:02,000
If it measures how fast can we contain identity-driven incidents

74
00:03:02,000 --> 00:03:04,920
end to end, it will build the ability to contain them.

75
00:03:04,920 --> 00:03:08,080
That is the difference between prevention, theater and resilience.

76
00:03:08,080 --> 00:03:09,480
And AI doesn't make this easier.

77
00:03:09,480 --> 00:03:10,440
It makes it faster.

78
00:03:10,440 --> 00:03:13,680
AI amplifies the speed of both offense and defense.

79
00:03:13,680 --> 00:03:15,600
It reduces the cost of generating fishing,

80
00:03:15,600 --> 00:03:17,600
social engineering and automation.

81
00:03:17,600 --> 00:03:20,200
But it also reduces the cost of correlating signals

82
00:03:20,200 --> 00:03:22,520
summarizing incidents and orchestrating response

83
00:03:22,520 --> 00:03:24,760
if you design the system to act on those signals.

84
00:03:24,760 --> 00:03:27,880
And if you don't, AI just accelerates your alert volume.

85
00:03:27,880 --> 00:03:30,320
You end up with higher telemetry, more noise

86
00:03:30,320 --> 00:03:31,920
and the same decision latency.

87
00:03:31,920 --> 00:03:32,920
That is not progress.

88
00:03:32,920 --> 00:03:34,240
That is expensive confusion.

89
00:03:34,240 --> 00:03:38,160
So what does well-secured but still breached look like in executive terms?

90
00:03:38,160 --> 00:03:42,000
It looks like an organization that can detect but can't decide.

91
00:03:42,000 --> 00:03:45,480
Or can decide but can't enforce or can enforce but can't recover quickly.

92
00:03:45,480 --> 00:03:46,800
Each hand of ads time.

93
00:03:46,800 --> 00:03:48,520
Each manual step adds delay.

94
00:03:48,520 --> 00:03:50,040
Each exception adds ambiguity.

95
00:03:50,040 --> 00:03:52,720
Over time you don't have a deterministic security model anymore.

96
00:03:52,720 --> 00:03:53,960
You have conditional chaos.

97
00:03:53,960 --> 00:03:56,440
And that's why organizations still get breached.

98
00:03:56,440 --> 00:03:58,000
Not because they lacked tools.

99
00:03:58,000 --> 00:04:01,200
Because the trust system was never engineered as a closed loop.

100
00:04:01,200 --> 00:04:04,440
Identity signals into policy decisions, decisions into enforcement,

101
00:04:04,440 --> 00:04:08,040
enforcement into response, response into recovery and recovery into learning.

102
00:04:08,040 --> 00:04:12,840
Without that loop, every control is just a static gate on a dynamic highway.

103
00:04:12,840 --> 00:04:14,280
Redefining success.

104
00:04:14,280 --> 00:04:16,880
From prevention fantasy to resilience discipline,

105
00:04:16,880 --> 00:04:20,360
leaders keep getting trapped by a definition of success that sounds reasonable

106
00:04:20,360 --> 00:04:22,160
but collapses in practice.

107
00:04:22,160 --> 00:04:23,600
Fewer incidents.

108
00:04:23,600 --> 00:04:24,480
It's a nice headline.

109
00:04:24,480 --> 00:04:25,720
It's also not a strategy.

110
00:04:25,720 --> 00:04:26,600
Prevention matters.

111
00:04:26,600 --> 00:04:28,800
Nobody is arguing for neglect.

112
00:04:28,800 --> 00:04:30,600
But prevention is probability management.

113
00:04:30,600 --> 00:04:32,640
It reduces the likelihood of an incident.

114
00:04:32,640 --> 00:04:34,720
Resilience is impact management.

115
00:04:34,720 --> 00:04:36,680
It reduces the cost, the downtime,

116
00:04:36,680 --> 00:04:39,480
and the organizational confusion when the incident happens anyway.

117
00:04:39,480 --> 00:04:42,400
That distinction matters because probability is never zero

118
00:04:42,400 --> 00:04:45,040
and the business still has to operate while you're cleaning up.

119
00:04:45,040 --> 00:04:48,760
The uncomfortable truth is that the goal is not no breaches.

120
00:04:48,760 --> 00:04:50,240
The goal is bounded failure.

121
00:04:50,240 --> 00:04:53,240
Bounded failure means the system anticipates compromise

122
00:04:53,240 --> 00:04:55,400
and limits what a compromise identity can do,

123
00:04:55,400 --> 00:04:58,080
how far it can move and how long it can persist.

124
00:04:58,080 --> 00:05:00,800
It treats incidents as inevitable system states,

125
00:05:00,800 --> 00:05:03,040
not unexpected moral violations.

126
00:05:03,040 --> 00:05:07,040
And it builds the muscle to contain those states quickly and repeatedly.

127
00:05:07,040 --> 00:05:08,960
This is where security programs get honest.

128
00:05:08,960 --> 00:05:11,320
A prevention first program tends to behave like this.

129
00:05:11,320 --> 00:05:13,840
Deploy more controls, tighten policies, increase friction,

130
00:05:13,840 --> 00:05:15,400
and hope the incident curve goes down.

131
00:05:15,400 --> 00:05:16,480
Sometimes it does.

132
00:05:16,480 --> 00:05:18,440
But the second order effect shows up later.

133
00:05:18,440 --> 00:05:20,920
The business finds workarounds, the exceptions pile up,

134
00:05:20,920 --> 00:05:23,040
and security becomes a cue.

135
00:05:23,040 --> 00:05:25,200
You've improved security in the dashboard sense

136
00:05:25,200 --> 00:05:28,080
while increasing organizational entropy in the real sense.

137
00:05:28,080 --> 00:05:30,440
A resilience first program behaves differently.

138
00:05:30,440 --> 00:05:33,200
It assumes compromise designs for rapid revocation,

139
00:05:33,200 --> 00:05:35,880
reduces standing privilege, automates containment steps,

140
00:05:35,880 --> 00:05:37,520
and rehearses decision making.

141
00:05:37,520 --> 00:05:39,280
It doesn't chase perfect defense.

142
00:05:39,280 --> 00:05:40,720
It builds repeatable recovery.

143
00:05:40,720 --> 00:05:42,560
If you want board-facing language for this,

144
00:05:42,560 --> 00:05:43,960
don't talk about products.

145
00:05:43,960 --> 00:05:45,080
Talk about three outcomes.

146
00:05:45,080 --> 00:05:48,040
Continuity, trust preservation, and decision speed.

147
00:05:48,040 --> 00:05:49,480
Continuity is obvious.

148
00:05:49,480 --> 00:05:50,840
Can the business keep operating?

149
00:05:50,840 --> 00:05:53,480
Or does an identity incident turn into a multi-day outage

150
00:05:53,480 --> 00:05:55,440
because nobody can tell what access is safe?

151
00:05:55,440 --> 00:05:57,920
Trust preservation is less obvious, but more expensive.

152
00:05:57,920 --> 00:05:59,720
Can customers, partners, and regulators

153
00:05:59,720 --> 00:06:01,840
believe you're in control during the incident?

154
00:06:01,840 --> 00:06:04,600
Or does the story become, we didn't know what we had,

155
00:06:04,600 --> 00:06:06,520
so we shut everything down?

156
00:06:06,520 --> 00:06:08,760
Decision speed is the actual multiplier.

157
00:06:08,760 --> 00:06:11,280
How fast can the organization detect, decide,

158
00:06:11,280 --> 00:06:14,440
and enforce, end to end without a dozen handoffs and three committees?

159
00:06:14,440 --> 00:06:16,520
This is why MTTR is not SOC trivia.

160
00:06:16,520 --> 00:06:18,480
It's executive telemetry.

161
00:06:18,480 --> 00:06:21,680
Mean time to respond or recover depending on how you define it

162
00:06:21,680 --> 00:06:23,400
turns an abstract security posture

163
00:06:23,400 --> 00:06:25,440
into a measurable operating capability.

164
00:06:25,440 --> 00:06:27,320
It forces the right conversations.

165
00:06:27,320 --> 00:06:29,480
Who has authority to disable an identity?

166
00:06:29,480 --> 00:06:31,720
Who can revoke access across critical apps?

167
00:06:31,720 --> 00:06:33,120
Which actions are automated?

168
00:06:33,120 --> 00:06:35,120
Which require approval and why?

169
00:06:35,120 --> 00:06:36,480
Where are the manual steps?

170
00:06:36,480 --> 00:06:39,920
And what risk are those steps supposedly managing?

171
00:06:39,920 --> 00:06:41,320
And it exposes the usual lie.

172
00:06:41,320 --> 00:06:42,760
We can respond quickly.

173
00:06:42,760 --> 00:06:44,800
Most organizations can respond quickly

174
00:06:44,800 --> 00:06:47,600
if the right person is awake, available, and empowered.

175
00:06:47,600 --> 00:06:50,040
That is not a capability, that is a dependency.

176
00:06:50,040 --> 00:06:52,600
Resilience discipline replaces heroics with design.

177
00:06:52,600 --> 00:06:55,280
It builds the response pathways before the incident.

178
00:06:55,280 --> 00:06:56,880
When everyone is calm and rational,

179
00:06:56,880 --> 00:06:58,560
instead of inventing their mid-breach

180
00:06:58,560 --> 00:07:00,880
when fear and politics take over.

181
00:07:00,880 --> 00:07:02,880
It also acknowledges a basic system law.

182
00:07:02,880 --> 00:07:05,000
Every manual handoff is a latency generator.

183
00:07:05,000 --> 00:07:07,200
Every exception is an ambiguity generator.

184
00:07:07,200 --> 00:07:09,120
Every ambiguity increases blast radius

185
00:07:09,120 --> 00:07:11,600
because people hesitate and attackers don't.

186
00:07:11,600 --> 00:07:14,840
This is also where AI is either your advantage or your tax.

187
00:07:14,840 --> 00:07:16,760
If AI is only used to summarize alerts,

188
00:07:16,760 --> 00:07:18,920
you get prettier descriptions of the same delays.

189
00:07:18,920 --> 00:07:21,840
If AI is used to compress the detect to decide phase

190
00:07:21,840 --> 00:07:24,880
and trigger auditable, reversible containment actions,

191
00:07:24,880 --> 00:07:27,480
then you get something that looks like real resilience.

192
00:07:27,480 --> 00:07:30,040
Less time spent arguing about what's happening,

193
00:07:30,040 --> 00:07:32,160
more time spent making it stop.

194
00:07:32,160 --> 00:07:34,080
So success needs a different definition.

195
00:07:34,080 --> 00:07:36,520
Success is not, we didn't have incidents this quarter.

196
00:07:36,520 --> 00:07:39,080
That's whether or not engineering success is,

197
00:07:39,080 --> 00:07:41,800
when identity-driven incidents occur and they will,

198
00:07:41,800 --> 00:07:43,680
the organization contains them in business time

199
00:07:43,680 --> 00:07:45,520
recovers without panic and learns

200
00:07:45,520 --> 00:07:47,320
without repeating the same failure mode.

201
00:07:47,320 --> 00:07:48,800
That's resilience.

202
00:07:48,800 --> 00:07:50,680
And once you adopt that definition,

203
00:07:50,680 --> 00:07:52,520
the rest of the strategy becomes obvious.

204
00:07:52,520 --> 00:07:54,120
You stop chasing control coverage

205
00:07:54,120 --> 00:07:55,680
and start designing the trust system

206
00:07:55,680 --> 00:07:57,680
that controls are supposed to enforce.

207
00:07:57,680 --> 00:08:00,320
Identity is the control plane, not a directory.

208
00:08:00,320 --> 00:08:02,320
Most organizations still talk about identity

209
00:08:02,320 --> 00:08:04,840
like it's a shared phone book, a place where users live,

210
00:08:04,840 --> 00:08:06,840
a place where groups live, a place you sync to,

211
00:08:06,840 --> 00:08:08,360
so Microsoft 365 works.

212
00:08:08,360 --> 00:08:09,800
That mental model is obsolete.

213
00:08:09,800 --> 00:08:11,240
Identity is not a directory.

214
00:08:11,240 --> 00:08:13,240
It is the control plane for the enterprise.

215
00:08:13,240 --> 00:08:14,960
It is the distributed decision engine

216
00:08:14,960 --> 00:08:16,720
that decides who can touch what,

217
00:08:16,720 --> 00:08:18,560
from where, using which device,

218
00:08:18,560 --> 00:08:21,360
under which conditions, with which level of confidence.

219
00:08:21,360 --> 00:08:23,040
Every time an employee opens a file,

220
00:08:23,040 --> 00:08:24,680
a workload calls an API,

221
00:08:24,680 --> 00:08:26,920
a contractor accesses a project site

222
00:08:26,920 --> 00:08:29,000
or an admin attempts a privileged action.

223
00:08:29,000 --> 00:08:30,920
The business is not logging in.

224
00:08:30,920 --> 00:08:33,400
The business is running an authorization decision.

225
00:08:33,400 --> 00:08:35,320
And the uncomfortable part is that the system

226
00:08:35,320 --> 00:08:37,000
makes those decisions continuously

227
00:08:37,000 --> 00:08:39,240
at scale across hundreds of services

228
00:08:39,240 --> 00:08:41,960
with a default posture that does not care about your intent.

229
00:08:41,960 --> 00:08:43,680
It cares about your configuration.

230
00:08:43,680 --> 00:08:46,360
This is why identity strategy is not an IT topic.

231
00:08:46,360 --> 00:08:47,880
It's operational architecture.

232
00:08:47,880 --> 00:08:49,760
The control plane is where business workflows

233
00:08:49,760 --> 00:08:51,120
become enforceable rules.

234
00:08:51,120 --> 00:08:53,480
If you design it well, autonomy becomes safe.

235
00:08:53,480 --> 00:08:56,040
If you design it poorly, autonomy becomes an incident.

236
00:08:56,040 --> 00:08:58,360
But this is also why the network stop being your boundary.

237
00:08:58,360 --> 00:08:59,840
Networks are still useful.

238
00:08:59,840 --> 00:09:02,600
They still matter for segmentation, routing, inspection,

239
00:09:02,600 --> 00:09:03,920
and reducing exposure.

240
00:09:03,920 --> 00:09:06,920
But they are no longer the thing that defines inside.

241
00:09:06,920 --> 00:09:09,640
Cloud and SAS dissolve that assumption years ago.

242
00:09:09,640 --> 00:09:12,040
Users sit on unmanaged networks, devices,

243
00:09:12,040 --> 00:09:14,280
roam, apps live outside your perimeter,

244
00:09:14,280 --> 00:09:17,240
and internal traffic often never touches your infrastructure.

245
00:09:17,240 --> 00:09:18,440
So trust moved.

246
00:09:18,440 --> 00:09:20,200
Not because Microsoft had a marketing moment,

247
00:09:20,200 --> 00:09:22,760
but because the architecture forced it to move.

248
00:09:22,760 --> 00:09:25,320
Trust now attaches to claims who the subject is,

249
00:09:25,320 --> 00:09:26,520
what the device looks like,

250
00:09:26,520 --> 00:09:28,280
how risky the behavior appears,

251
00:09:28,280 --> 00:09:31,000
what the session is doing, and what the resource is.

252
00:09:31,000 --> 00:09:33,080
In this terms, every access flow becomes

253
00:09:33,080 --> 00:09:36,040
subject policy decision, policy enforcement resource.

254
00:09:36,040 --> 00:09:37,480
Leaders don't need the diagram.

255
00:09:37,480 --> 00:09:38,760
They need the implication.

256
00:09:38,760 --> 00:09:41,480
Authorization is now the primary business risk surface.

257
00:09:41,480 --> 00:09:42,760
And that surface is huge.

258
00:09:42,760 --> 00:09:43,960
It's humans, yes.

259
00:09:43,960 --> 00:09:45,960
But it's also service principles,

260
00:09:45,960 --> 00:09:47,800
managed identities, automation accounts,

261
00:09:47,800 --> 00:09:49,320
connectors, third party apps,

262
00:09:49,320 --> 00:09:52,680
and increasingly AI agents that act on behalf of users.

263
00:09:52,680 --> 00:09:55,320
This is where the human machine blur becomes a governance problem,

264
00:09:55,320 --> 00:09:57,160
not a futuristic curiosity.

265
00:09:57,160 --> 00:09:59,560
Machine identities can outnumber humans dramatically

266
00:09:59,560 --> 00:10:00,840
in real enterprises,

267
00:10:00,840 --> 00:10:03,000
and they don't complain when you over-permission them.

268
00:10:03,000 --> 00:10:05,000
They just keep running, quietly.

269
00:10:05,000 --> 00:10:07,160
Perfectly, until they're abused.

270
00:10:07,160 --> 00:10:09,800
When identity is the control plane,

271
00:10:09,800 --> 00:10:12,680
then security maturity becomes less about how many tools you bought

272
00:10:12,680 --> 00:10:15,800
and more about how accurately you can answer a few basic questions.

273
00:10:15,800 --> 00:10:16,760
Who has access?

274
00:10:16,760 --> 00:10:17,640
Why do they have it?

275
00:10:17,640 --> 00:10:19,320
For how long? Under what conditions?

276
00:10:19,320 --> 00:10:21,400
And what happens when those conditions change?

277
00:10:21,400 --> 00:10:23,800
Most organizations can answer the first question

278
00:10:23,800 --> 00:10:25,640
incompletely, the second question,

279
00:10:25,640 --> 00:10:27,320
narratively, the third question,

280
00:10:27,320 --> 00:10:28,760
rarely, and the fourth question

281
00:10:28,760 --> 00:10:31,000
with a policy document, nobody enforces.

282
00:10:31,000 --> 00:10:33,880
The last question is the one that decides whether you have resilience

283
00:10:33,880 --> 00:10:35,080
or just optimism,

284
00:10:35,080 --> 00:10:37,320
because identity isn't only about allowing access,

285
00:10:37,320 --> 00:10:39,160
it's about revoking it, fast.

286
00:10:39,160 --> 00:10:40,280
In a directory mindset,

287
00:10:40,280 --> 00:10:42,520
revocation is an administrative event.

288
00:10:42,520 --> 00:10:43,800
Someone disables an account,

289
00:10:43,800 --> 00:10:45,240
someone removes a group membership,

290
00:10:45,240 --> 00:10:46,600
someone closes a ticket.

291
00:10:46,600 --> 00:10:47,880
In a control plane mindset,

292
00:10:47,880 --> 00:10:50,200
revocation is a containment mechanism.

293
00:10:50,200 --> 00:10:51,800
It is part of incident response.

294
00:10:51,800 --> 00:10:53,480
It is supposed to happen in business time,

295
00:10:53,480 --> 00:10:54,600
not IT time.

296
00:10:54,600 --> 00:10:57,240
This is also why the identity plane is where governance

297
00:10:57,240 --> 00:10:58,760
either exists or it doesn't.

298
00:10:58,760 --> 00:11:01,160
Governance isn't a compliance activity you do annually.

299
00:11:01,160 --> 00:11:02,440
Governance is the mechanism

300
00:11:02,440 --> 00:11:04,280
that prevents entitlement drift

301
00:11:04,280 --> 00:11:06,200
from turning into permanent over-pimission.

302
00:11:06,200 --> 00:11:08,120
Drift is what happens when every joiner,

303
00:11:08,120 --> 00:11:09,560
mover, lever, contractor,

304
00:11:09,560 --> 00:11:12,520
and exception creates a small, reasonable access decision

305
00:11:12,520 --> 00:11:14,040
and nobody ever takes it back.

306
00:11:14,040 --> 00:11:17,000
Over time, the organization doesn't have access by design.

307
00:11:17,000 --> 00:11:18,440
It has access by archaeology

308
00:11:18,440 --> 00:11:20,440
and the control plane preserves all of it.

309
00:11:20,440 --> 00:11:22,280
So when leaders say we trust our people,

310
00:11:22,280 --> 00:11:24,360
that's fine, but the system doesn't trust people.

311
00:11:24,360 --> 00:11:25,880
It trusts claims and permissions.

312
00:11:25,880 --> 00:11:27,960
If permissions don't reflect business intent,

313
00:11:27,960 --> 00:11:29,480
then the system will authorize things

314
00:11:29,480 --> 00:11:31,480
the business never consciously approved.

315
00:11:31,480 --> 00:11:33,000
That's not a security failure.

316
00:11:33,000 --> 00:11:34,520
That's predictable system behavior.

317
00:11:34,520 --> 00:11:36,360
Once identity becomes the control plane,

318
00:11:36,360 --> 00:11:38,520
you stop asking, did they authenticate?

319
00:11:38,520 --> 00:11:39,880
And you start asking,

320
00:11:39,880 --> 00:11:42,120
what does this identity allow them to change,

321
00:11:42,120 --> 00:11:44,760
exfiltrate, approve, disable or persist?

322
00:11:44,760 --> 00:11:46,120
That's where business impact lives.

323
00:11:46,120 --> 00:11:48,600
And that is the transition point for the rest of this episode.

324
00:11:48,600 --> 00:11:50,520
The failure mode is not login.

325
00:11:50,520 --> 00:11:53,000
It's authorization and entitlement drift.

326
00:11:53,000 --> 00:11:55,640
Authorization failures beat authentication failures.

327
00:11:55,640 --> 00:11:57,640
MFA can be perfect and you can still lose.

328
00:11:57,640 --> 00:11:59,080
That sentence annoys people

329
00:11:59,080 --> 00:12:02,120
because MFA is the sacred cow of identity security.

330
00:12:02,120 --> 00:12:02,920
And it should be.

331
00:12:02,920 --> 00:12:06,040
Strong authentication removes an entire class of cheap attacks.

332
00:12:06,040 --> 00:12:07,800
But authentication is a gate.

333
00:12:07,800 --> 00:12:09,080
Authorization is the map.

334
00:12:09,080 --> 00:12:10,840
If the map is wrong, the gate doesn't matter.

335
00:12:10,840 --> 00:12:13,400
Most incident reviews obsess over how the attacker got in.

336
00:12:13,400 --> 00:12:15,560
The more useful question is what the attacker could do

337
00:12:15,560 --> 00:12:16,600
after they were in.

338
00:12:16,600 --> 00:12:17,640
That's authorization.

339
00:12:17,640 --> 00:12:18,600
That's entitlements.

340
00:12:18,600 --> 00:12:20,360
That's the permissions graph you built

341
00:12:20,360 --> 00:12:23,240
over years of reasonable decisions and never revisited.

342
00:12:23,240 --> 00:12:24,680
And the real failure mode is that

343
00:12:24,680 --> 00:12:26,840
authorization errors look like normal business.

344
00:12:26,840 --> 00:12:28,360
A privileged user downloads data.

345
00:12:28,360 --> 00:12:30,360
An automation account exports content.

346
00:12:30,360 --> 00:12:32,040
A service principle reads a directory.

347
00:12:32,040 --> 00:12:33,560
An admin disables a control.

348
00:12:33,560 --> 00:12:36,280
These are all legitimate actions in the right context.

349
00:12:36,280 --> 00:12:39,880
That's why authorization failures beat authentication failures.

350
00:12:39,880 --> 00:12:41,720
They hide inside allowed behavior.

351
00:12:41,720 --> 00:12:43,720
They're not break class events.

352
00:12:43,720 --> 00:12:45,800
They are business as usual events performed

353
00:12:45,800 --> 00:12:48,680
by the wrong actor at the wrong time for the wrong reason.

354
00:12:48,680 --> 00:12:50,840
This is also why token theft is so effective.

355
00:12:50,840 --> 00:12:53,160
The attacker doesn't need to defeat authentication

356
00:12:53,160 --> 00:12:55,880
if they can reuse the session after authentication.

357
00:12:55,880 --> 00:12:57,560
Now the system sees a valid token

358
00:12:57,560 --> 00:12:59,960
and the policy engine does what it was configured to do.

359
00:12:59,960 --> 00:13:02,840
Authorize your expensive identity controls become irrelevant

360
00:13:02,840 --> 00:13:04,920
because the attacker is no longer trying to log in.

361
00:13:04,920 --> 00:13:07,240
They're trying to act which brings us to privilege creep.

362
00:13:07,240 --> 00:13:09,000
Privileged creep is not a misconfiguration.

363
00:13:09,000 --> 00:13:10,440
It is an organizational default.

364
00:13:10,440 --> 00:13:13,560
Every organization hires, promotes, reorganizes,

365
00:13:13,560 --> 00:13:15,960
uses contractors, launches projects

366
00:13:15,960 --> 00:13:18,840
and grants temporary access to get work done.

367
00:13:18,840 --> 00:13:21,800
Access accumulates because removing access costs time

368
00:13:21,800 --> 00:13:23,480
and creates risk of breaking something.

369
00:13:23,480 --> 00:13:24,440
So people avoid it.

370
00:13:24,440 --> 00:13:26,840
Over time the default posture becomes

371
00:13:26,840 --> 00:13:29,240
keep access unless there's a reason to remove it.

372
00:13:29,240 --> 00:13:31,720
That is backwards but it feels safe operationally

373
00:13:31,720 --> 00:13:32,680
so it persists.

374
00:13:32,680 --> 00:13:35,080
This is where least privilege becomes a slogan

375
00:13:35,080 --> 00:13:36,440
instead of a system property.

376
00:13:36,440 --> 00:13:38,280
Least privilege is not something you declare.

377
00:13:38,280 --> 00:13:41,080
It is something you enforce through life cycle design,

378
00:13:41,080 --> 00:13:44,520
time limits, approvals, reviews and clear ownership.

379
00:13:44,520 --> 00:13:47,560
If those mechanisms aren't built into the way access is granted,

380
00:13:47,560 --> 00:13:50,920
the organization will drift toward maximum privilege over time.

381
00:13:50,920 --> 00:13:51,560
Always.

382
00:13:51,560 --> 00:13:52,680
That's not cynicism.

383
00:13:52,680 --> 00:13:53,720
That's entropy.

384
00:13:53,720 --> 00:13:55,640
And privilege creep isn't limited to humans.

385
00:13:55,640 --> 00:13:57,880
Non-human identities accumulate faster

386
00:13:57,880 --> 00:13:59,640
because they don't show up in org charts

387
00:13:59,640 --> 00:14:01,320
and they don't rotate roles.

388
00:14:01,320 --> 00:14:03,400
An application gets permissions for a project.

389
00:14:03,400 --> 00:14:04,200
The project ends.

390
00:14:04,200 --> 00:14:05,240
The permissions remain.

391
00:14:05,240 --> 00:14:07,000
A connector gets broad graph access

392
00:14:07,000 --> 00:14:08,440
because it needed it once.

393
00:14:08,440 --> 00:14:09,720
Nobody narrows it later.

394
00:14:09,720 --> 00:14:12,680
These identities are quiet, powerful and rarely reviewed.

395
00:14:12,680 --> 00:14:14,440
They are ideal attack infrastructure.

396
00:14:14,440 --> 00:14:16,440
So when leaders think identity risk,

397
00:14:16,440 --> 00:14:18,760
they picture stolen passwords and fishing.

398
00:14:18,760 --> 00:14:20,680
That's the entry point, not the impact surface.

399
00:14:20,680 --> 00:14:23,080
The impact surface is who can approve spend,

400
00:14:23,080 --> 00:14:24,920
who can access regulated data,

401
00:14:24,920 --> 00:14:27,560
who can create or modify conditional access policies,

402
00:14:27,560 --> 00:14:29,000
who can grant app consent,

403
00:14:29,000 --> 00:14:30,520
who can create new identities,

404
00:14:30,520 --> 00:14:32,120
who can change audit settings,

405
00:14:32,120 --> 00:14:34,280
and who can disable the tools you rely on

406
00:14:34,280 --> 00:14:35,480
to detect compromise.

407
00:14:35,480 --> 00:14:38,680
In other words, the risk concentrates in change authority.

408
00:14:38,680 --> 00:14:40,600
If an identity can change the environment,

409
00:14:40,600 --> 00:14:43,320
then that identity is effectively part of your control plane.

410
00:14:43,320 --> 00:14:45,640
And control plane identities need different rules,

411
00:14:45,640 --> 00:14:46,920
reduced standing privilege,

412
00:14:46,920 --> 00:14:48,120
stronger session constraints,

413
00:14:48,120 --> 00:14:50,360
more scrutiny and faster revocation.

414
00:14:50,360 --> 00:14:51,960
This is also where over permission

415
00:14:51,960 --> 00:14:53,800
becomes business process debt.

416
00:14:53,800 --> 00:14:56,680
IT didn't accidentally grant broad access.

417
00:14:56,680 --> 00:14:57,960
The business demanded speed,

418
00:14:57,960 --> 00:14:59,560
and the easiest way to deliver speed

419
00:14:59,560 --> 00:15:01,000
was to grant access broadly

420
00:15:01,000 --> 00:15:02,360
and hope nobody abuses it.

421
00:15:02,360 --> 00:15:04,360
That decision doesn't show up as a line item.

422
00:15:04,360 --> 00:15:07,240
It shows up later as incident cost, audit friction,

423
00:15:07,240 --> 00:15:08,360
and emergency cleanup

424
00:15:08,360 --> 00:15:11,640
when the access graph is too messy to trust under pressure.

425
00:15:11,640 --> 00:15:14,680
And the most expensive moment to discover authorization debt

426
00:15:14,680 --> 00:15:15,880
is during an incident.

427
00:15:15,880 --> 00:15:17,720
Because now you can't answer simple questions

428
00:15:17,720 --> 00:15:19,560
if we disable this account, what breaks?

429
00:15:19,560 --> 00:15:21,720
If we revoke this app's permissions, what stops?

430
00:15:21,720 --> 00:15:24,360
If we remove this group, which business process fails?

431
00:15:24,360 --> 00:15:26,760
So you hesitate, you negotiate, you open tickets,

432
00:15:26,760 --> 00:15:27,880
you call the system owners,

433
00:15:27,880 --> 00:15:29,400
meanwhile the attacker keeps moving.

434
00:15:29,400 --> 00:15:31,960
That's why authorization failures beat authentication failures.

435
00:15:31,960 --> 00:15:33,560
They don't require sophistication.

436
00:15:33,560 --> 00:15:35,800
They require patience and a permission path.

437
00:15:35,800 --> 00:15:37,480
So the leadership take away is blunt.

438
00:15:37,480 --> 00:15:38,520
If you want resilience,

439
00:15:38,520 --> 00:15:41,160
you need to manage authorization as a first class asset.

440
00:15:41,160 --> 00:15:43,240
Not a byproduct, not a quarterly spreadsheet,

441
00:15:43,240 --> 00:15:44,440
a living decision model.

442
00:15:44,440 --> 00:15:45,880
And this is the transition point.

443
00:15:45,880 --> 00:15:47,480
If identity is the control plane,

444
00:15:47,480 --> 00:15:49,960
an authorization is the primary failure mode,

445
00:15:49,960 --> 00:15:52,600
then identity governance is where strategy becomes real

446
00:15:52,600 --> 00:15:54,360
because it is the mechanism that turns

447
00:15:54,360 --> 00:15:56,520
who should have access into enforceable,

448
00:15:56,520 --> 00:15:57,560
reviewable truth.

449
00:15:57,560 --> 00:16:01,240
Identity governance as a business discipline.

450
00:16:01,240 --> 00:16:03,960
Identity governance is where security stops being

451
00:16:03,960 --> 00:16:06,440
a collection of settings and becomes a management system.

452
00:16:06,440 --> 00:16:07,960
Not a tool, a discipline.

453
00:16:07,960 --> 00:16:10,440
Because governance answers the only questions

454
00:16:10,440 --> 00:16:11,720
that matter in a breach.

455
00:16:11,720 --> 00:16:12,920
Who should have access?

456
00:16:12,920 --> 00:16:13,800
Why do they have it?

457
00:16:13,800 --> 00:16:15,800
For how long, under what conditions?

458
00:16:15,800 --> 00:16:18,360
And who is accountable when those answers are wrong?

459
00:16:18,360 --> 00:16:21,240
Most organizations treat those as documentation questions.

460
00:16:21,240 --> 00:16:21,880
They are not.

461
00:16:21,880 --> 00:16:23,160
They are designed questions.

462
00:16:23,160 --> 00:16:25,560
If the organization can't express intent

463
00:16:25,560 --> 00:16:27,320
in a way the control plane can enforce,

464
00:16:27,320 --> 00:16:30,520
then the control plane will default to what it always defaults to.

465
00:16:30,520 --> 00:16:32,840
Whatever grants, access, and avoids outages,

466
00:16:32,840 --> 00:16:34,920
that's why governance has to be owned like finance,

467
00:16:34,920 --> 00:16:35,880
not like a project.

468
00:16:35,880 --> 00:16:38,840
Finance doesn't turn on budgeting and declare victory.

469
00:16:38,840 --> 00:16:42,440
It runs a cadence, controls, approvals, reconciliation,

470
00:16:42,440 --> 00:16:43,960
audits, and corrective actions.

471
00:16:43,960 --> 00:16:46,840
Identity governance needs the same shape.

472
00:16:46,840 --> 00:16:49,240
Otherwise, access becomes a one-way valve.

473
00:16:49,240 --> 00:16:51,960
Granted quickly, removed slowly, reviewed rarely.

474
00:16:51,960 --> 00:16:53,320
That's not a security posture.

475
00:16:53,320 --> 00:16:54,920
That's entitlement inflation.

476
00:16:54,920 --> 00:16:57,080
So start with the foundational misunderstanding.

477
00:16:57,080 --> 00:16:59,320
People think governance is about saying no.

478
00:16:59,320 --> 00:17:00,040
It isn't.

479
00:17:00,040 --> 00:17:02,280
Governance is about making yes, safe.

480
00:17:02,280 --> 00:17:04,520
It creates predictable pathways for access,

481
00:17:04,520 --> 00:17:06,760
so the business doesn't need informal workarounds,

482
00:17:06,760 --> 00:17:08,760
shared accounts, or permanent exceptions.

483
00:17:08,760 --> 00:17:12,280
It is the system that turns autonomy into something you can tolerate.

484
00:17:12,280 --> 00:17:15,720
This is also why joiner, mover, lever is not an HR workflow.

485
00:17:15,720 --> 00:17:17,080
It is the access supply chain.

486
00:17:17,080 --> 00:17:17,800
Joiners are easy.

487
00:17:17,800 --> 00:17:19,480
The organization knows they need something,

488
00:17:19,480 --> 00:17:20,760
so it provisions access.

489
00:17:20,760 --> 00:17:22,120
Movers are where damage starts.

490
00:17:22,120 --> 00:17:24,120
People change roles, projects overlap.

491
00:17:24,120 --> 00:17:26,280
People keep their old permissions just in case,

492
00:17:26,280 --> 00:17:28,360
because removing access might break a process.

493
00:17:28,360 --> 00:17:29,880
So access accumulates.

494
00:17:29,880 --> 00:17:31,320
Leavers are the obvious part.

495
00:17:31,320 --> 00:17:32,360
Accounts get disabled.

496
00:17:32,360 --> 00:17:33,640
That's table stakes.

497
00:17:33,640 --> 00:17:35,480
But the real governance failure is that

498
00:17:35,480 --> 00:17:38,440
movers and temporary workers are treated like edge cases.

499
00:17:38,440 --> 00:17:40,680
In most enterprises, contractors, partners,

500
00:17:40,680 --> 00:17:42,040
and vendors are not edge cases.

501
00:17:42,040 --> 00:17:43,720
They are core operating capacity.

502
00:17:43,720 --> 00:17:45,720
That means the identities are first-class risk.

503
00:17:45,720 --> 00:17:48,040
Their access has to be time-bound by default,

504
00:17:48,040 --> 00:17:50,440
with explicit sponsorship and an expiration date

505
00:17:50,440 --> 00:17:51,560
that actually expires.

506
00:17:51,560 --> 00:17:53,640
If access doesn't expire, it is not governed.

507
00:17:53,640 --> 00:17:54,840
It is merely granted.

508
00:17:54,840 --> 00:17:56,760
And that's the difference between access reviews

509
00:17:56,760 --> 00:17:59,400
as a checkbox and access reviews as a control loop.

510
00:17:59,400 --> 00:18:01,560
An access review is not a spreadsheet exercise.

511
00:18:01,560 --> 00:18:04,440
It is the mechanism that forces intent to be restated.

512
00:18:04,440 --> 00:18:07,640
If nobody can explain why an identity still needs access,

513
00:18:07,640 --> 00:18:09,000
that access is dead.

514
00:18:09,000 --> 00:18:11,320
If the reviewer can't confidently remove access

515
00:18:11,320 --> 00:18:12,840
because nobody knows what it impacts,

516
00:18:12,840 --> 00:18:14,520
that's not a reason to keep it.

517
00:18:14,520 --> 00:18:17,640
That is evidence the system has become ungovernable.

518
00:18:17,640 --> 00:18:20,440
Governance is also where least privilege becomes practical.

519
00:18:20,440 --> 00:18:22,440
Least privilege isn't achieved by telling people

520
00:18:22,440 --> 00:18:23,640
to have less access.

521
00:18:23,640 --> 00:18:26,120
It's achieved by designing access as a package.

522
00:18:26,120 --> 00:18:28,280
Scoped, conditional, and temporary.

523
00:18:28,280 --> 00:18:30,200
Access packages, approval parts,

524
00:18:30,200 --> 00:18:33,240
and periodic recertification are not extra-process.

525
00:18:33,240 --> 00:18:35,160
They are how an organization prevents

526
00:18:35,160 --> 00:18:38,280
privilege creep from becoming an incident-response problem.

527
00:18:38,280 --> 00:18:40,120
Now apply that logic to privileged access

528
00:18:40,120 --> 00:18:41,880
because that's where business impact concentrates.

529
00:18:41,880 --> 00:18:44,840
Privileged access governance is not just admin roles.

530
00:18:44,840 --> 00:18:46,920
It is any identity that can change data,

531
00:18:46,920 --> 00:18:49,560
change systems, change controls, or change other identities.

532
00:18:49,560 --> 00:18:52,120
Those identities must be designed around two truths.

533
00:18:52,120 --> 00:18:53,480
Standing privilege is risk,

534
00:18:53,480 --> 00:18:55,880
and manual elevation is a latency generator.

535
00:18:55,880 --> 00:18:58,200
So the discipline is reduce standing privilege,

536
00:18:58,200 --> 00:19:00,280
make elevation fast and auditable,

537
00:19:00,280 --> 00:19:02,520
and enforce expiration without negotiation.

538
00:19:02,520 --> 00:19:04,600
If elevation requires three days and five approvals,

539
00:19:04,600 --> 00:19:05,560
people will bypass it.

540
00:19:05,560 --> 00:19:07,720
If it requires five minutes and leaves a perfect audit,

541
00:19:07,720 --> 00:19:08,760
trail people will use it.

542
00:19:08,760 --> 00:19:10,520
Systems train behavior.

543
00:19:10,520 --> 00:19:12,760
This is also where separation of duties

544
00:19:12,760 --> 00:19:14,280
stops being a policy statement

545
00:19:14,280 --> 00:19:16,280
and becomes a control plane property.

546
00:19:16,280 --> 00:19:17,640
The person who requests access

547
00:19:17,640 --> 00:19:19,240
should not be the person who approves it.

548
00:19:19,240 --> 00:19:21,400
The person who deploys should not be the only person

549
00:19:21,400 --> 00:19:22,520
who can disable logging.

550
00:19:22,520 --> 00:19:25,000
Governance is where those boundaries become enforceable,

551
00:19:25,000 --> 00:19:26,120
not aspirational.

552
00:19:26,120 --> 00:19:27,480
And one more uncomfortable truth,

553
00:19:27,480 --> 00:19:28,920
governance has a licensing model,

554
00:19:28,920 --> 00:19:30,600
but it also has an ownership model.

555
00:19:30,600 --> 00:19:32,120
Someone has to own access decisions

556
00:19:32,120 --> 00:19:33,480
the way someone own spend.

557
00:19:33,480 --> 00:19:35,320
That means business owners for resources.

558
00:19:35,320 --> 00:19:37,400
Not just IT, not the security team,

559
00:19:37,400 --> 00:19:39,000
the security team enforces.

560
00:19:39,000 --> 00:19:40,280
The business defines intent

561
00:19:40,280 --> 00:19:42,120
because when an identity incident happens,

562
00:19:42,120 --> 00:19:43,320
you don't need more dashboards.

563
00:19:43,320 --> 00:19:44,200
You need authority.

564
00:19:44,200 --> 00:19:46,280
So identity governance as a business discipline

565
00:19:46,280 --> 00:19:48,120
is the mechanism that turns identity

566
00:19:48,120 --> 00:19:49,560
from a sprawling permission graph

567
00:19:49,560 --> 00:19:51,320
into a manageable decision system.

568
00:19:51,320 --> 00:19:53,560
It creates bounded access, predictable change,

569
00:19:53,560 --> 00:19:54,760
and fast revocation.

570
00:19:54,760 --> 00:19:56,040
And that's the transition point.

571
00:19:56,040 --> 00:19:57,400
Once governance exists,

572
00:19:57,400 --> 00:19:59,960
identity becomes a foundation you can build on.

573
00:19:59,960 --> 00:20:02,040
Without it, every advance control you add

574
00:20:02,040 --> 00:20:04,520
is just another policy layered on top of drift.

575
00:20:04,520 --> 00:20:05,560
Scenario one,

576
00:20:05,560 --> 00:20:06,600
Entra ID,

577
00:20:06,600 --> 00:20:09,640
Identity governance plus ITDR as the foundation.

578
00:20:09,640 --> 00:20:11,480
Scenario one is Entra ID,

579
00:20:11,480 --> 00:20:13,880
done the way leadership assumes it already is.

580
00:20:13,880 --> 00:20:15,400
Governance plus identity,

581
00:20:15,400 --> 00:20:17,000
threat detection and response.

582
00:20:17,000 --> 00:20:19,000
Treat it as a control plane capability,

583
00:20:19,000 --> 00:20:21,560
not a portal someone logs into when they remember.

584
00:20:21,560 --> 00:20:23,240
Start with the clean definition.

585
00:20:23,240 --> 00:20:25,240
Entra is not where identities live.

586
00:20:25,240 --> 00:20:28,200
Entra is where trust decisions compile.

587
00:20:28,200 --> 00:20:30,520
It takes signals, applies policy intent,

588
00:20:30,520 --> 00:20:31,720
and issues the tokens

589
00:20:31,720 --> 00:20:34,360
that let humans and machines act inside your business.

590
00:20:34,360 --> 00:20:36,840
When that engine is governed, you get bounded access.

591
00:20:36,840 --> 00:20:38,920
When it isn't, you get an authorization lottery

592
00:20:38,920 --> 00:20:39,960
with a nice UI.

593
00:20:39,960 --> 00:20:42,040
So the foundation is two linked disciplines.

594
00:20:42,040 --> 00:20:43,320
First identity governance,

595
00:20:43,320 --> 00:20:46,360
this is the part that answers should this identity have this access

596
00:20:46,360 --> 00:20:48,040
and forces time into the equation.

597
00:20:48,040 --> 00:20:49,160
Access packages,

598
00:20:49,160 --> 00:20:51,800
expiration, sponsorship, reviews,

599
00:20:51,800 --> 00:20:54,040
privileged elevation with justification,

600
00:20:54,040 --> 00:20:55,400
the goal isn't bureaucracy,

601
00:20:55,400 --> 00:20:57,400
the goal is to stop entitlement drift

602
00:20:57,400 --> 00:20:59,800
from becoming your default security model.

603
00:20:59,800 --> 00:21:01,960
Second, ITDR identity threat,

604
00:21:01,960 --> 00:21:04,360
detection and response is the part that answers

605
00:21:04,360 --> 00:21:06,360
is this identity behaving like itself

606
00:21:06,360 --> 00:21:08,520
and how fast can we contain it when it doesn't.

607
00:21:08,920 --> 00:21:10,040
Not as a SO-key hobby,

608
00:21:10,040 --> 00:21:11,240
as an operating requirement.

609
00:21:11,240 --> 00:21:13,640
Most organizations treat identity telemetry

610
00:21:13,640 --> 00:21:14,920
like a forensic archive.

611
00:21:14,920 --> 00:21:17,800
Sign-in logs, audit logs, risky users, risky sign-ins.

612
00:21:17,800 --> 00:21:19,320
Useful, but not decisive.

613
00:21:19,320 --> 00:21:20,920
ITDR is decisive.

614
00:21:20,920 --> 00:21:21,880
It's the shift from,

615
00:21:21,880 --> 00:21:23,080
we can investigate later,

616
00:21:23,080 --> 00:21:24,280
to we can revoke now.

617
00:21:24,280 --> 00:21:26,680
Because identity incidents are not technical events.

618
00:21:26,680 --> 00:21:29,160
They are business events with business blast radius.

619
00:21:29,160 --> 00:21:30,840
The attacker doesn't want your login page.

620
00:21:30,840 --> 00:21:32,120
They want your approval chains,

621
00:21:32,120 --> 00:21:33,720
your data export paths,

622
00:21:33,720 --> 00:21:35,400
your automation identities,

623
00:21:35,400 --> 00:21:36,520
and your admin surface.

624
00:21:36,520 --> 00:21:39,400
So what does Entra governance pass ITDR actually look like

625
00:21:39,400 --> 00:21:41,240
in practical terms without turning this

626
00:21:41,240 --> 00:21:42,840
into a configuration tutorial?

627
00:21:42,840 --> 00:21:44,840
It looks like the organization treating access

628
00:21:44,840 --> 00:21:46,600
as a product with a life cycle.

629
00:21:46,600 --> 00:21:48,920
A new contractor needs access to a project space

630
00:21:48,920 --> 00:21:50,520
and they requested through an access package.

631
00:21:50,520 --> 00:21:53,000
The package is scoped to what the contractor should touch,

632
00:21:53,000 --> 00:21:54,600
not what's convenient to grant.

633
00:21:54,600 --> 00:21:56,680
It requires a sponsor who is accountable,

634
00:21:56,680 --> 00:21:58,440
it expires automatically.

635
00:21:58,440 --> 00:21:59,800
And there is a review cadence

636
00:21:59,800 --> 00:22:01,720
that doesn't depend on someone remembering.

637
00:22:01,720 --> 00:22:02,680
That seems simple.

638
00:22:02,680 --> 00:22:03,560
Here's the weird part.

639
00:22:03,560 --> 00:22:04,920
It is rare.

640
00:22:04,920 --> 00:22:07,080
Most contractors get access via group membership.

641
00:22:07,080 --> 00:22:08,360
The membership doesn't expire.

642
00:22:08,360 --> 00:22:09,560
The sponsor changes jobs.

643
00:22:09,560 --> 00:22:10,440
The project ends.

644
00:22:10,440 --> 00:22:11,560
The access remains.

645
00:22:11,560 --> 00:22:12,600
That's not malicious.

646
00:22:12,600 --> 00:22:13,400
That's drift.

647
00:22:13,400 --> 00:22:15,400
And drift is the raw material of breaches.

648
00:22:15,400 --> 00:22:16,920
Now layer in privileged access.

649
00:22:16,920 --> 00:22:18,920
Entra PIM is not a nice to have.

650
00:22:18,920 --> 00:22:21,000
It's the mechanism that prevents standing power

651
00:22:21,000 --> 00:22:22,840
from becoming standing exposure.

652
00:22:22,840 --> 00:22:24,840
If an identity can change conditional access,

653
00:22:24,840 --> 00:22:27,480
modify app consent, create new service principles,

654
00:22:27,480 --> 00:22:29,480
reset credentials, or turn off logging,

655
00:22:29,480 --> 00:22:31,400
that identity is part of your control plane.

656
00:22:31,400 --> 00:22:33,720
Control plane power cannot be permanently assigned

657
00:22:33,720 --> 00:22:35,880
and still be called least privilege.

658
00:22:35,880 --> 00:22:37,400
It becomes inherited risk.

659
00:22:37,400 --> 00:22:39,800
So the model is, eligible by default,

660
00:22:39,800 --> 00:22:42,360
active only when needed, time bound, always,

661
00:22:42,360 --> 00:22:43,800
and auditable without effort.

662
00:22:43,800 --> 00:22:45,640
If elevation is slow, people bypass.

663
00:22:45,640 --> 00:22:47,960
If elevation is fast and logged, people comply.

664
00:22:47,960 --> 00:22:49,400
Your design trains your culture.

665
00:22:49,400 --> 00:22:51,640
Now the ITDR half.

666
00:22:51,640 --> 00:22:53,800
Identity incidents rarely announce themselves

667
00:22:53,800 --> 00:22:56,120
with a single obvious alert.

668
00:22:56,120 --> 00:22:57,720
They show up as weak signals.

669
00:22:57,720 --> 00:23:00,520
Unusual token use, a sign in that's technically valid

670
00:23:00,520 --> 00:23:02,040
but behaviorally wrong,

671
00:23:02,040 --> 00:23:04,680
a new OAuth app consent that shouldn't exist,

672
00:23:04,680 --> 00:23:06,840
an admin role activation at an odd time

673
00:23:06,840 --> 00:23:09,160
an account that starts enumerating directory objects

674
00:23:09,160 --> 00:23:11,720
it never touched before, the system has those signals.

675
00:23:11,720 --> 00:23:14,040
The question is whether you connected them to response.

676
00:23:14,040 --> 00:23:16,040
This is where Entra becomes an execution layer,

677
00:23:16,040 --> 00:23:17,080
not a reporting layer.

678
00:23:17,080 --> 00:23:18,840
Risk signals can drive policy actions.

679
00:23:18,840 --> 00:23:21,160
Session risk can trigger step-up requirements.

680
00:23:21,160 --> 00:23:23,000
Compromised accounts can be disabled.

681
00:23:23,000 --> 00:23:24,440
Tokens can be invalidated.

682
00:23:24,440 --> 00:23:26,200
Privileged sessions can be constrained

683
00:23:26,200 --> 00:23:27,960
and the moment you can do that quickly,

684
00:23:27,960 --> 00:23:29,800
you change the economics of an attack.

685
00:23:29,800 --> 00:23:32,120
Because the attacker's best advantage is time

686
00:23:32,120 --> 00:23:34,280
and governance is what makes response safe.

687
00:23:34,280 --> 00:23:37,560
Without governance, every containment action becomes political.

688
00:23:37,560 --> 00:23:40,360
If we disable this account, we'll payroll break.

689
00:23:40,360 --> 00:23:43,160
If we revoke this app, will the sales team lose access?

690
00:23:43,160 --> 00:23:44,760
So the organization hesitates.

691
00:23:44,760 --> 00:23:46,280
Governance reduces that hesitation

692
00:23:46,280 --> 00:23:49,000
by making access intentional, scoped and owned.

693
00:23:49,000 --> 00:23:50,840
You can be decisive because you understand

694
00:23:50,840 --> 00:23:52,920
what normal access looks like.

695
00:23:52,920 --> 00:23:55,800
There's also a 2026 reality leaders should not ignore.

696
00:23:55,800 --> 00:23:58,600
Entra is tightening the rules around application identities

697
00:23:58,600 --> 00:24:01,800
and service principle less authentication behavior is being retired.

698
00:24:01,800 --> 00:24:02,760
That is not a nuisance.

699
00:24:02,760 --> 00:24:03,800
That is a forcing function.

700
00:24:03,800 --> 00:24:05,720
It's Microsoft telling you in policy

701
00:24:05,720 --> 00:24:08,360
that invisible identities don't get to exist anymore,

702
00:24:08,360 --> 00:24:09,640
which is the point.

703
00:24:09,640 --> 00:24:11,080
Scenario one is the foundation

704
00:24:11,080 --> 00:24:12,520
because it restores determinism.

705
00:24:12,520 --> 00:24:13,880
It makes access time-bound.

706
00:24:13,880 --> 00:24:15,240
It makes privilege temporary.

707
00:24:15,240 --> 00:24:16,840
It makes ownership explicit.

708
00:24:16,840 --> 00:24:19,560
And it turns identity signals into actions instead of evidence.

709
00:24:19,560 --> 00:24:21,000
Then you can build zero trust

710
00:24:21,000 --> 00:24:24,360
that actually works because now your trust model has teeth.

711
00:24:24,360 --> 00:24:26,280
Zero trust is not a product rollout.

712
00:24:26,280 --> 00:24:28,120
Zero trust is where a lot of security programs

713
00:24:28,120 --> 00:24:30,840
go to die because it gets treated like a procurement event.

714
00:24:30,840 --> 00:24:33,320
A vendor pitches a zero trust solution.

715
00:24:33,320 --> 00:24:35,080
The organization buys licenses.

716
00:24:35,080 --> 00:24:36,840
Someone turns on conditional access.

717
00:24:36,840 --> 00:24:38,360
A slide gets shown to the board.

718
00:24:38,360 --> 00:24:40,920
And everybody quietly agrees the journey is complete.

719
00:24:40,920 --> 00:24:42,440
It isn't zero trust is not a product.

720
00:24:42,440 --> 00:24:43,320
It is not a portal.

721
00:24:43,320 --> 00:24:44,840
It is not a single policy set.

722
00:24:44,840 --> 00:24:45,800
In architectural terms,

723
00:24:45,800 --> 00:24:49,000
it is a replacement for your old trust assumptions.

724
00:24:49,000 --> 00:24:51,160
The idea that inside means safe,

725
00:24:51,160 --> 00:24:53,080
that authenticated means trusted

726
00:24:53,080 --> 00:24:55,560
and that compliant means controlled.

727
00:24:55,560 --> 00:24:57,720
Zero trust says none of that is true by default.

728
00:24:57,720 --> 00:24:59,800
Trust has to be earned continuously

729
00:24:59,800 --> 00:25:02,360
per request and revoked when reality changes.

730
00:25:02,360 --> 00:25:03,480
That distinction matters

731
00:25:03,480 --> 00:25:06,200
because product rollouts create coverage.

732
00:25:06,200 --> 00:25:08,760
Zero trust requires behavior change in the system.

733
00:25:08,760 --> 00:25:11,560
The foundational misunderstanding is that people translate

734
00:25:11,560 --> 00:25:13,880
"Never trust, always verify"

735
00:25:13,880 --> 00:25:15,240
into "add more prompts".

736
00:25:15,240 --> 00:25:17,720
More MFA prompts, more approvals, more blocks,

737
00:25:17,720 --> 00:25:19,880
that's not zero trust, that's friction.

738
00:25:19,880 --> 00:25:22,680
Zero trust unproperly reduces friction for normal work

739
00:25:22,680 --> 00:25:24,840
and increases constraint for abnormal work.

740
00:25:24,840 --> 00:25:27,960
It does that by making policy decisions dynamic,

741
00:25:27,960 --> 00:25:30,280
contextual and enforceable close to the resource.

742
00:25:30,280 --> 00:25:32,040
That's the NIST model in plain language.

743
00:25:32,040 --> 00:25:33,480
A subject requests access,

744
00:25:33,480 --> 00:25:35,800
a policy decision happens using real signals

745
00:25:35,800 --> 00:25:38,200
and a policy enforcement point applies that decision.

746
00:25:38,200 --> 00:25:40,040
And that loop never stops existing

747
00:25:40,040 --> 00:25:42,040
just because the user passed a login screen once.

748
00:25:42,040 --> 00:25:44,360
This is why the phrase we turned on conditional access

749
00:25:44,360 --> 00:25:45,480
is such a warning sign.

750
00:25:45,480 --> 00:25:47,320
Conditional access is a policy engine.

751
00:25:47,320 --> 00:25:48,120
It's powerful.

752
00:25:48,120 --> 00:25:51,160
But if the program around it is built on exception culture,

753
00:25:51,160 --> 00:25:52,680
shared responsibility gaps,

754
00:25:52,680 --> 00:25:54,680
and unowned entitlements,

755
00:25:54,680 --> 00:25:57,320
then conditional access becomes conditional chaos,

756
00:25:57,320 --> 00:25:59,800
a pile of policies that look sophisticated

757
00:25:59,800 --> 00:26:01,640
and behave inconsistently.

758
00:26:01,640 --> 00:26:03,960
The system doesn't degrade because it's malicious.

759
00:26:03,960 --> 00:26:06,840
It degrades because organizations are, they merge, they reorganize,

760
00:26:06,840 --> 00:26:08,680
they acquire, they ship new apps,

761
00:26:08,680 --> 00:26:11,400
they onboard third parties, they add automation.

762
00:26:11,400 --> 00:26:14,600
And every one of those changes generates just one exception.

763
00:26:14,600 --> 00:26:16,760
Remember this detail, it's going to matter later.

764
00:26:16,760 --> 00:26:18,360
Exceptions are entropy generators.

765
00:26:18,360 --> 00:26:20,200
Every exception is a trust assumption

766
00:26:20,200 --> 00:26:21,880
you are choosing not to enforce.

767
00:26:21,880 --> 00:26:23,880
It becomes a permanent alternate pathway

768
00:26:23,880 --> 00:26:25,640
unless you govern it like a liability,

769
00:26:25,640 --> 00:26:27,560
expiration, justification, and review.

770
00:26:27,560 --> 00:26:29,240
If you don't, your zero trust program

771
00:26:29,240 --> 00:26:31,160
becomes a museum of past urgency.

772
00:26:31,160 --> 00:26:32,840
Nobody knows which policies still matter,

773
00:26:32,840 --> 00:26:35,000
nobody knows which applications rely on them.

774
00:26:35,000 --> 00:26:37,320
And when an incident hits, you cannot act decisively

775
00:26:37,320 --> 00:26:39,720
because you can't predict the blast radius of enforcement.

776
00:26:39,720 --> 00:26:41,880
That's why zero trust is not a technical rollout.

777
00:26:41,880 --> 00:26:43,000
It's an operating model.

778
00:26:43,000 --> 00:26:45,480
Operating model means ownership boundaries are explicit.

779
00:26:45,480 --> 00:26:47,160
Someone defines policy intent.

780
00:26:47,160 --> 00:26:49,240
Someone implements it, someone monitors drift,

781
00:26:49,240 --> 00:26:50,680
someone owns exceptions.

782
00:26:50,680 --> 00:26:53,240
Someone is accountable for outcomes, not configuration.

783
00:26:53,240 --> 00:26:56,360
And in most organizations, that's exactly where the program fails.

784
00:26:56,360 --> 00:26:59,960
Identity teams own identity, endpoint teams own devices,

785
00:26:59,960 --> 00:27:01,640
network teams own connectivity,

786
00:27:01,640 --> 00:27:03,400
application teams own uptime,

787
00:27:03,400 --> 00:27:06,040
security teams own alerts, nobody owns trust end to end.

788
00:27:06,040 --> 00:27:08,600
So the attacker gets gaps between teams, always.

789
00:27:08,600 --> 00:27:11,960
A real zero trust transformation collapses

790
00:27:11,960 --> 00:27:14,840
those gaps by defining the trust system as one loop.

791
00:27:14,840 --> 00:27:17,800
Signals into decision, decision into enforcement,

792
00:27:17,800 --> 00:27:19,480
enforcement into response.

793
00:27:19,480 --> 00:27:21,400
It becomes less about do we have the feature

794
00:27:21,400 --> 00:27:25,480
and more about does the system reliably constrain the pathways that matter?

795
00:27:25,480 --> 00:27:28,760
This is also where leadership has to stop rewarding the wrong behavior.

796
00:27:28,760 --> 00:27:31,400
If teams are punished for outages and not punished for drift,

797
00:27:31,400 --> 00:27:32,360
they will choose drift.

798
00:27:32,360 --> 00:27:34,680
If teams are rewarded for fast delivery

799
00:27:34,680 --> 00:27:37,000
and not rewarded for revocation discipline,

800
00:27:37,000 --> 00:27:38,440
they will accumulate permissions.

801
00:27:38,440 --> 00:27:41,320
If security is measured by how many requested blocks,

802
00:27:41,320 --> 00:27:42,520
it will block more.

803
00:27:42,520 --> 00:27:44,040
And the business will root around it.

804
00:27:44,040 --> 00:27:46,520
Zero trust done right has a different success condition.

805
00:27:46,520 --> 00:27:47,640
Safe autonomy.

806
00:27:47,640 --> 00:27:49,000
People should be able to work quickly

807
00:27:49,000 --> 00:27:50,920
because the system makes low-risk work easy

808
00:27:50,920 --> 00:27:52,280
and high-risk work controlled.

809
00:27:52,280 --> 00:27:53,480
That requires two things.

810
00:27:53,480 --> 00:27:55,000
Leaders rarely fund explicitly.

811
00:27:55,000 --> 00:27:56,600
Decision quality and enforcement speed.

812
00:27:56,600 --> 00:27:59,000
Decision quality comes from identity governance

813
00:27:59,000 --> 00:28:01,000
and clean entitlement design.

814
00:28:01,000 --> 00:28:03,080
Enforcement speed comes from capabilities

815
00:28:03,080 --> 00:28:05,000
like continuous access evaluation

816
00:28:05,000 --> 00:28:06,520
and automated response loops.

817
00:28:06,520 --> 00:28:09,240
Without those, zero trust stays a diagram.

818
00:28:09,240 --> 00:28:11,960
A beautiful policy model with no runtime authority.

819
00:28:11,960 --> 00:28:15,640
So the product rollout mindset needs to die.

820
00:28:15,640 --> 00:28:17,640
What replaces it is a program mindset.

821
00:28:17,640 --> 00:28:19,240
Trust assumptions are explicit,

822
00:28:19,240 --> 00:28:20,360
exceptions are governed,

823
00:28:20,360 --> 00:28:22,600
sessions are continuously evaluated

824
00:28:22,600 --> 00:28:25,560
and revocation happens fast enough that it matters.

825
00:28:25,560 --> 00:28:26,520
And once you accept that,

826
00:28:26,520 --> 00:28:28,040
the next point becomes obvious.

827
00:28:28,040 --> 00:28:29,480
Trust doesn't decay at login.

828
00:28:29,480 --> 00:28:31,960
It decays continuously inside the session.

829
00:28:31,960 --> 00:28:35,640
Trust decays continuously, not at login.

830
00:28:35,640 --> 00:28:37,720
Most organizations still design trust

831
00:28:37,720 --> 00:28:39,080
like it's a moment in time.

832
00:28:39,080 --> 00:28:41,240
You authenticate, you pass MFA, you're good.

833
00:28:41,240 --> 00:28:43,000
Then you get a token

834
00:28:43,000 --> 00:28:45,000
and that token becomes a little permission slip

835
00:28:45,000 --> 00:28:46,600
that travels with you for hours.

836
00:28:46,600 --> 00:28:48,920
That model made sense when the network was the boundary

837
00:28:48,920 --> 00:28:50,280
and sessions were short.

838
00:28:50,280 --> 00:28:51,880
In cloud and sass, it's backwards.

839
00:28:51,880 --> 00:28:54,200
The reality is that the session is the attack surface.

840
00:28:54,200 --> 00:28:55,480
Not the login screen,

841
00:28:55,480 --> 00:28:56,840
because the attacker doesn't care

842
00:28:56,840 --> 00:28:58,200
about proving who they are.

843
00:28:58,200 --> 00:29:00,440
They care about inheriting what you already proved.

844
00:29:00,440 --> 00:29:02,280
If they can get hold of the session token

845
00:29:02,280 --> 00:29:03,160
or the refresh token,

846
00:29:03,160 --> 00:29:04,920
they're not trying to authenticate anymore.

847
00:29:04,920 --> 00:29:06,600
They're trying to operate as you

848
00:29:06,600 --> 00:29:08,520
after the platform already granted trust.

849
00:29:08,520 --> 00:29:10,680
This is why we have strong MFA

850
00:29:10,680 --> 00:29:13,640
can be true and still irrelevant to the event that hurts you.

851
00:29:13,640 --> 00:29:15,960
It's also why leaders keep hearing the same sentence

852
00:29:15,960 --> 00:29:17,000
after incidents.

853
00:29:17,000 --> 00:29:19,080
The user successfully completed MFA.

854
00:29:19,080 --> 00:29:21,400
Yes, and then the session lived long enough to be abused.

855
00:29:21,400 --> 00:29:22,920
So the core shift is this.

856
00:29:22,920 --> 00:29:24,920
Authentication is not the end of trust.

857
00:29:24,920 --> 00:29:28,040
It's the beginning of a continuously evaluated relationship

858
00:29:28,040 --> 00:29:29,800
between an identity, a device,

859
00:29:29,800 --> 00:29:31,160
a session, and a resource.

860
00:29:31,160 --> 00:29:32,760
And that relationship decays.

861
00:29:32,760 --> 00:29:36,520
Sometimes it decays because the device posture changes.

862
00:29:36,520 --> 00:29:38,680
A laptop goes from compliant to not compliant.

863
00:29:38,680 --> 00:29:41,320
An endpoint alert fires, a risky sign in is detected.

864
00:29:41,320 --> 00:29:43,800
A user is disabled, a role assignment changes.

865
00:29:43,800 --> 00:29:46,760
Or a credential reset happens for suspected compromise.

866
00:29:46,760 --> 00:29:49,720
Those are all state changes that should alter trust immediately.

867
00:29:49,720 --> 00:29:51,960
But in a point in time model, none of them matter

868
00:29:51,960 --> 00:29:54,200
until the session naturally expires.

869
00:29:54,200 --> 00:29:57,320
That gap between the world changed and enforcement caught up

870
00:29:57,320 --> 00:29:58,840
is where modern incidents live.

871
00:29:58,840 --> 00:30:01,400
It's the difference between knowing a door should be locked

872
00:30:01,400 --> 00:30:03,960
and waiting eight hours for the lock to engage

873
00:30:03,960 --> 00:30:05,400
because the key card still works.

874
00:30:05,400 --> 00:30:07,480
This is where it gets uncomfortable for leadership

875
00:30:07,480 --> 00:30:10,360
because IT time is not the time unit that matters.

876
00:30:10,360 --> 00:30:11,480
Business time is.

877
00:30:11,480 --> 00:30:13,320
If it takes you six hours to revoke access

878
00:30:13,320 --> 00:30:15,400
because you rely on token expiration,

879
00:30:15,400 --> 00:30:17,400
the attacker has six hours of clean runway.

880
00:30:17,400 --> 00:30:18,600
They don't need persistence.

881
00:30:18,600 --> 00:30:21,240
They need time and your organization usually gives it to them

882
00:30:21,240 --> 00:30:23,320
because it designed trust as a single event,

883
00:30:23,320 --> 00:30:24,760
not a continuous state.

884
00:30:24,760 --> 00:30:26,680
Now, layer in the things leaders don't see.

885
00:30:26,680 --> 00:30:29,720
Sessions aren't only for humans, workloads have sessions,

886
00:30:29,720 --> 00:30:32,600
automation has sessions, integrations have sessions,

887
00:30:32,600 --> 00:30:34,360
third party apps have sessions.

888
00:30:34,360 --> 00:30:36,360
And these identities often have broader permissions

889
00:30:36,360 --> 00:30:39,160
because someone wanted the workflow to just work.

890
00:30:39,160 --> 00:30:40,360
When those sessions are abused,

891
00:30:40,360 --> 00:30:42,680
you don't get a helpful prompt or user complaint.

892
00:30:42,680 --> 00:30:44,760
You get silent high throughput actions

893
00:30:44,760 --> 00:30:46,840
that look like normal system activity.

894
00:30:46,840 --> 00:30:49,560
That's the human machine blur, operationalized.

895
00:30:49,560 --> 00:30:51,640
So when people say continuous verification,

896
00:30:51,640 --> 00:30:53,880
they tend to imagine constant MFA prompts.

897
00:30:53,880 --> 00:30:55,160
That's the wrong mental model.

898
00:30:55,160 --> 00:30:57,160
The system doesn't need to keep asking the user

899
00:30:57,160 --> 00:30:58,280
to prove their human.

900
00:30:58,280 --> 00:30:59,960
The system needs to keep validating

901
00:30:59,960 --> 00:31:03,000
whether the conditions that justified access still exist.

902
00:31:03,000 --> 00:31:05,080
In zero trust terms, the policy decision point

903
00:31:05,080 --> 00:31:07,160
should not be consulted once and then ignored.

904
00:31:07,160 --> 00:31:08,280
It should stay relevant.

905
00:31:08,280 --> 00:31:09,560
It should be able to say

906
00:31:09,560 --> 00:31:11,960
that session was valid, but now it isn't.

907
00:31:11,960 --> 00:31:14,040
Which implies something simple and brutal.

908
00:31:14,040 --> 00:31:15,480
Trust must be revocable,

909
00:31:15,480 --> 00:31:17,160
not in an annual access review,

910
00:31:17,160 --> 00:31:18,200
not in a ticket queue,

911
00:31:18,200 --> 00:31:19,400
not after a meeting,

912
00:31:19,400 --> 00:31:20,760
revocable in near real time

913
00:31:20,760 --> 00:31:23,080
and in a way, your critical apps actually honor.

914
00:31:23,080 --> 00:31:25,240
Because the most expensive form of security control

915
00:31:25,240 --> 00:31:26,440
is one that detects risk

916
00:31:26,440 --> 00:31:29,000
and cannot enforce consequences quickly enough to matter.

917
00:31:29,000 --> 00:31:31,880
This is also where exception culture quietly destroys you.

918
00:31:31,880 --> 00:31:34,680
If you've carved out bypasses for business critical apps

919
00:31:34,680 --> 00:31:36,920
or you allow legacy auth because it's complicated

920
00:31:36,920 --> 00:31:38,760
or you exempt privileged identities

921
00:31:38,760 --> 00:31:41,000
because they can't be disrupted,

922
00:31:41,000 --> 00:31:42,440
you have effectively declared

923
00:31:42,440 --> 00:31:45,480
that the most important pathways are the least governable.

924
00:31:45,480 --> 00:31:46,760
That's not a security program.

925
00:31:46,760 --> 00:31:48,840
That's a liability register you refuse to name.

926
00:31:48,840 --> 00:31:51,480
And the reason this matters to leaders is not philosophical.

927
00:31:51,480 --> 00:31:52,520
It's operational.

928
00:31:52,520 --> 00:31:54,440
If trust decays continuously,

929
00:31:54,440 --> 00:31:57,160
then your organization must be able to revoke continuously.

930
00:31:57,160 --> 00:31:59,480
Otherwise, you're running a probabilistic security model.

931
00:31:59,480 --> 00:32:01,160
Sometimes revocation happens fast,

932
00:32:01,160 --> 00:32:02,120
sometimes it doesn't,

933
00:32:02,120 --> 00:32:04,200
and you just hope the attacker lands in the slow lane.

934
00:32:04,200 --> 00:32:07,400
So the ahaha to hold on to is this.

935
00:32:07,400 --> 00:32:09,400
Resilience in identity-driven incidents

936
00:32:09,400 --> 00:32:11,080
is mostly about collapsing the time

937
00:32:11,080 --> 00:32:12,760
between a trust decision changing

938
00:32:12,760 --> 00:32:14,360
and enforcement taking effect.

939
00:32:14,360 --> 00:32:15,720
That's why the next scenario matters.

940
00:32:15,720 --> 00:32:18,120
Continuous access evaluation is where zero trust

941
00:32:18,120 --> 00:32:21,320
stops being a diagram and starts being lived reality.

942
00:32:21,320 --> 00:32:22,360
Scenario three.

943
00:32:22,360 --> 00:32:24,040
Continuous access evaluation.

944
00:32:24,040 --> 00:32:26,680
CAE as lived zero trust.

945
00:32:26,680 --> 00:32:29,000
CAE is what happens when an organization

946
00:32:29,000 --> 00:32:31,800
stops pretending that access granted is a permanent state.

947
00:32:31,800 --> 00:32:32,520
It is not.

948
00:32:32,520 --> 00:32:34,520
It is a temporary decision that should collapse

949
00:32:34,520 --> 00:32:36,360
the moment the conditions behind it change.

950
00:32:36,360 --> 00:32:39,080
CAE is the mechanism that makes that collapse real

951
00:32:39,080 --> 00:32:41,160
and fast in the Microsoft ecosystem,

952
00:32:41,160 --> 00:32:43,720
not as a concept as runtime behavior.

953
00:32:43,720 --> 00:32:44,920
Here's the simple version.

954
00:32:44,920 --> 00:32:48,120
CAE lets entra tell participating applications.

955
00:32:48,120 --> 00:32:50,200
This session is no longer acceptable.

956
00:32:50,200 --> 00:32:52,280
And have the app enforce that in near real time

957
00:32:52,280 --> 00:32:54,040
instead of waiting for token expiry.

958
00:32:54,040 --> 00:32:56,440
That's the gap it closes, decision versus enforcement.

959
00:32:56,440 --> 00:32:59,080
Most security programs have decent decision making.

960
00:32:59,080 --> 00:33:00,760
They know when something is risky,

961
00:33:00,760 --> 00:33:02,960
they can flag a user, they can disable an account,

962
00:33:02,960 --> 00:33:04,440
they can mark a sign in as high risk,

963
00:33:04,440 --> 00:33:06,920
they can detect a device falling out of compliance.

964
00:33:06,920 --> 00:33:09,160
But then nothing happens quickly enough to matter

965
00:33:09,160 --> 00:33:11,240
because the user's session keeps running.

966
00:33:11,240 --> 00:33:14,680
CAE is how you stop granting attackers the courtesy of time.

967
00:33:14,680 --> 00:33:17,000
Why leaders should care is straightforward.

968
00:33:17,000 --> 00:33:20,200
It converts trust revocation from an administrative workflow

969
00:33:20,200 --> 00:33:21,640
into an operational control.

970
00:33:21,640 --> 00:33:24,040
It turns we noticed into we contained

971
00:33:24,040 --> 00:33:26,680
without a help desk ticket and without waiting six hours

972
00:33:26,680 --> 00:33:27,960
for a token to die naturally.

973
00:33:27,960 --> 00:33:29,320
But CAE is not magic.

974
00:33:29,320 --> 00:33:30,040
It's a contract.

975
00:33:30,040 --> 00:33:31,240
Entra can emit the signal.

976
00:33:31,240 --> 00:33:32,920
The application has to honor it.

977
00:33:32,920 --> 00:33:34,440
And that's where reality shows up.

978
00:33:34,440 --> 00:33:37,640
Microsoft services like Exchange Online, SharePoint Online, Teams

979
00:33:37,640 --> 00:33:39,800
and others support CAE in specific ways.

980
00:33:39,800 --> 00:33:41,320
Many third party SaaS apps don't.

981
00:33:41,320 --> 00:33:44,280
Some claim they do, but implemented partially or inconsistently.

982
00:33:44,280 --> 00:33:46,680
So we enabled CAE is not an end state.

983
00:33:46,680 --> 00:33:50,680
It's the start of verifying which of your critical applications

984
00:33:50,680 --> 00:33:53,400
actually behave like they live in a zero trust system.

985
00:33:53,400 --> 00:33:55,800
That distinction matters because CAE creates

986
00:33:55,800 --> 00:33:57,560
an uncomfortable inventory problem.

987
00:33:57,560 --> 00:33:59,640
Which sessions can you actually revoke quickly

988
00:33:59,640 --> 00:34:00,840
across the apps that matter?

989
00:34:00,840 --> 00:34:02,360
This is where leaders get leverage

990
00:34:02,360 --> 00:34:05,080
because CAE forces a clean separation

991
00:34:05,080 --> 00:34:07,040
between two types of work.

992
00:34:07,040 --> 00:34:10,120
First, the policy work deciding which events should trigger

993
00:34:10,120 --> 00:34:12,440
revocation and for which resources.

994
00:34:12,440 --> 00:34:15,560
Account disabled, password reset, risk level elevated,

995
00:34:15,560 --> 00:34:18,800
device non-compliant, role change, those are business decisions

996
00:34:18,800 --> 00:34:20,520
framed are security conditions.

997
00:34:20,520 --> 00:34:23,280
Second, the application work, ensuring critical apps

998
00:34:23,280 --> 00:34:26,000
honor revocation signals and that your user experience

999
00:34:26,000 --> 00:34:28,440
doesn't collapse into constant reauthentication.

1000
00:34:28,440 --> 00:34:31,400
Now, the part nobody likes, exceptions.

1001
00:34:31,400 --> 00:34:34,280
CAE works exactly as well as your exception governance.

1002
00:34:34,280 --> 00:34:37,040
Every time someone says don't enforce this for executives

1003
00:34:37,040 --> 00:34:39,320
or exclude this app because it breaks,

1004
00:34:39,320 --> 00:34:40,840
you've created a permanent bypass

1005
00:34:40,840 --> 00:34:43,800
around your revocation model and bypasses don't stay rare.

1006
00:34:43,800 --> 00:34:44,720
They replicate.

1007
00:34:44,720 --> 00:34:47,440
This is where CAE exposes the program's maturity.

1008
00:34:47,440 --> 00:34:49,080
If exception handling is informal,

1009
00:34:49,080 --> 00:34:51,480
CAE becomes another half-deployed capability.

1010
00:34:51,480 --> 00:34:53,280
If exception handling is governed,

1011
00:34:53,280 --> 00:34:55,560
expiration justification, review cadence,

1012
00:34:55,560 --> 00:34:57,600
CAE becomes a control you can trust.

1013
00:34:57,600 --> 00:34:59,840
There's also a dependency most people miss.

1014
00:34:59,840 --> 00:35:03,280
CAE pushes you toward cleaner identity architecture.

1015
00:35:03,280 --> 00:35:05,000
If your environment still relies heavily

1016
00:35:05,000 --> 00:35:06,640
on legacy authentication patterns

1017
00:35:06,640 --> 00:35:08,600
or your application estate treats tokens

1018
00:35:08,600 --> 00:35:11,200
as long-lived entitlements, then CAE becomes

1019
00:35:11,200 --> 00:35:14,120
a compatibility argument instead of a security capability.

1020
00:35:14,120 --> 00:35:15,480
That's not a reason to avoid it.

1021
00:35:15,480 --> 00:35:17,680
That's a reason to treat application modernization

1022
00:35:17,680 --> 00:35:19,000
as part of security resilience

1023
00:35:19,000 --> 00:35:21,320
because the business depends on revocation speed.

1024
00:35:21,320 --> 00:35:23,760
A concrete scenario makes this obvious.

1025
00:35:23,760 --> 00:35:25,880
An employee's account gets flagged as high risk

1026
00:35:25,880 --> 00:35:27,640
after anomalous activity.

1027
00:35:27,640 --> 00:35:29,200
In the old model, the security team

1028
00:35:29,200 --> 00:35:30,200
disables the account,

1029
00:35:30,200 --> 00:35:32,000
but the attacker's token remains valid

1030
00:35:32,000 --> 00:35:34,000
in a browser session connected to SharePoint

1031
00:35:34,000 --> 00:35:35,600
or another SaaS service.

1032
00:35:35,600 --> 00:35:37,240
The attacker continues downloading data

1033
00:35:37,240 --> 00:35:38,520
until the session expires.

1034
00:35:38,520 --> 00:35:40,880
The organization responded, but impact continued.

1035
00:35:40,880 --> 00:35:42,520
With CAE, disabling the account

1036
00:35:42,520 --> 00:35:44,280
or changing the risk state can trigger

1037
00:35:44,280 --> 00:35:45,880
a near real-time re-evaluation.

1038
00:35:45,880 --> 00:35:47,840
The app receives the revocation signal.

1039
00:35:47,840 --> 00:35:49,880
The session is forced to re-authenticate

1040
00:35:49,880 --> 00:35:51,640
and the attacker's runway collapses.

1041
00:35:51,640 --> 00:35:53,760
The cost of compromise becomes bounded,

1042
00:35:53,760 --> 00:35:55,800
not because the attacker failed to get in,

1043
00:35:55,800 --> 00:35:57,040
but because they couldn't stay.

1044
00:35:57,040 --> 00:35:58,320
That is lived zero trust.

1045
00:35:58,320 --> 00:35:59,560
Not a poster, not a slide,

1046
00:35:59,560 --> 00:36:02,040
a system that revokes trust inside the session.

1047
00:36:02,040 --> 00:36:03,640
And CAE has a second order benefit

1048
00:36:03,640 --> 00:36:04,960
that leaders tend to miss.

1049
00:36:04,960 --> 00:36:07,320
It reduces the need for blanket shutdowns.

1050
00:36:07,320 --> 00:36:09,200
When you can revoke precisely

1051
00:36:09,200 --> 00:36:11,480
this identity, these sessions, these apps,

1052
00:36:11,480 --> 00:36:13,520
you stop reaching for the blunt instrument

1053
00:36:13,520 --> 00:36:16,920
of turn-off access for everyone until we figure it out.

1054
00:36:16,920 --> 00:36:20,120
Precision is how you preserve continuity while you contain.

1055
00:36:20,120 --> 00:36:22,320
That is resilience measured in business uptime,

1056
00:36:22,320 --> 00:36:23,760
not in policy documents.

1057
00:36:23,760 --> 00:36:26,800
So CAE is not a feature you enable to feel modern.

1058
00:36:26,800 --> 00:36:28,800
It is a forcing function that makes you prove

1059
00:36:28,800 --> 00:36:30,560
your trust model is enforceable.

1060
00:36:30,560 --> 00:36:32,880
Your app estate is compatible with revocation

1061
00:36:32,880 --> 00:36:34,760
and your exception culture is governed.

1062
00:36:34,760 --> 00:36:36,480
If you can't revoke trust quickly,

1063
00:36:36,480 --> 00:36:37,760
you don't have zero trust.

1064
00:36:37,760 --> 00:36:39,880
You have conditional chaos with nicer branding.

1065
00:36:39,880 --> 00:36:42,520
Why adding controls often slows the business.

1066
00:36:42,520 --> 00:36:45,000
Now here's the part leaders feel in their bones.

1067
00:36:45,000 --> 00:36:47,840
Every time security improves, the business feels slower,

1068
00:36:47,840 --> 00:36:50,320
more prompts, more tickets, more waiting,

1069
00:36:50,320 --> 00:36:52,720
more people saying, "I can't do my job."

1070
00:36:52,720 --> 00:36:54,360
And then the predictable conclusion,

1071
00:36:54,360 --> 00:36:56,520
security is the department of no.

1072
00:36:56,520 --> 00:36:58,520
That conclusion is convenient, it's also wrong.

1073
00:36:58,520 --> 00:37:00,920
The system is doing exactly what it was designed to do.

1074
00:37:00,920 --> 00:37:04,000
Most organizations add controls the way they add speed bumps,

1075
00:37:04,000 --> 00:37:07,040
reactively, locally, and without redesigning the road.

1076
00:37:07,040 --> 00:37:09,480
A fishing incident happens so MFA prompts increase.

1077
00:37:09,480 --> 00:37:12,040
A data leak happens so downloads get blocked

1078
00:37:12,040 --> 00:37:13,440
and audit finding appears.

1079
00:37:13,440 --> 00:37:15,720
So an approval step gets inserted.

1080
00:37:15,720 --> 00:37:17,080
None of these are irrational.

1081
00:37:17,080 --> 00:37:19,760
But stack together, they create a security program

1082
00:37:19,760 --> 00:37:21,200
that behaves like a queue.

1083
00:37:21,200 --> 00:37:23,040
Cue's create latency.

1084
00:37:23,040 --> 00:37:25,440
Latency creates workarounds.

1085
00:37:25,440 --> 00:37:27,440
This is where the real failure happens.

1086
00:37:27,440 --> 00:37:29,840
The business doesn't break security because it's malicious.

1087
00:37:29,840 --> 00:37:32,160
It roots around security because security behaves

1088
00:37:32,160 --> 00:37:34,400
like an obstacle course bolted onto workflows

1089
00:37:34,400 --> 00:37:35,560
that were never redesigned.

1090
00:37:35,560 --> 00:37:37,720
People will always optimize for outcomes.

1091
00:37:37,720 --> 00:37:39,040
If the system blocks outcomes,

1092
00:37:39,040 --> 00:37:40,960
people will find alternate pathways.

1093
00:37:40,960 --> 00:37:43,280
And the alternate pathways are never the safe ones.

1094
00:37:43,280 --> 00:37:45,920
This is also why security teams are stuck in a losing pattern.

1095
00:37:45,920 --> 00:37:48,040
They add a control, the business adapts,

1096
00:37:48,040 --> 00:37:51,080
exceptions multiply, the control loses force.

1097
00:37:51,080 --> 00:37:54,080
The dashboard stays green because the control exists.

1098
00:37:54,080 --> 00:37:57,320
But the organization is now operating on a shadow model.

1099
00:37:57,320 --> 00:38:00,240
What the policies say versus what people actually do

1100
00:38:00,240 --> 00:38:02,240
to get work done, that distinction matters

1101
00:38:02,240 --> 00:38:03,960
because leadership often measures security

1102
00:38:03,960 --> 00:38:05,160
by visible friction.

1103
00:38:05,160 --> 00:38:07,040
Look, we're blocking risky behavior.

1104
00:38:07,040 --> 00:38:08,720
Meanwhile, the most dangerous behaviors

1105
00:38:08,720 --> 00:38:10,400
are now happening invisibly.

1106
00:38:10,400 --> 00:38:13,120
Shared admin access because approvals are too slow,

1107
00:38:13,120 --> 00:38:15,680
unsanctioned SaaS because procurement takes months,

1108
00:38:15,680 --> 00:38:18,880
personal devices because corporate enrollment is painful,

1109
00:38:18,880 --> 00:38:21,640
or OAuth app consent because it's faster

1110
00:38:21,640 --> 00:38:23,560
than requesting integration support.

1111
00:38:23,560 --> 00:38:25,320
Security didn't prevent risk.

1112
00:38:25,320 --> 00:38:26,480
It displaced it.

1113
00:38:26,480 --> 00:38:28,600
This is what happens when controls aren't embedded

1114
00:38:28,600 --> 00:38:29,720
in the way work is done.

1115
00:38:29,720 --> 00:38:31,160
They become after the fact checkpoints

1116
00:38:31,160 --> 00:38:34,040
and checkpoints create backlogs, backlogs create pressure.

1117
00:38:34,040 --> 00:38:35,240
Pressure creates bypass.

1118
00:38:35,240 --> 00:38:37,440
Over time, you don't get higher security.

1119
00:38:37,440 --> 00:38:40,480
You get conditional compliance, people comply when it's easy

1120
00:38:40,480 --> 00:38:41,840
and evade when it's hard.

1121
00:38:41,840 --> 00:38:43,440
This is also why just add more approvals

1122
00:38:43,440 --> 00:38:45,040
is such a dangerous reflex.

1123
00:38:45,040 --> 00:38:46,840
Approvals feel like governance, but approvals

1124
00:38:46,840 --> 00:38:47,880
are just decision gates.

1125
00:38:47,880 --> 00:38:50,840
If those gates are slow, inconsistent, or unclear,

1126
00:38:50,840 --> 00:38:53,600
you've traded technical risk for operational risk.

1127
00:38:53,600 --> 00:38:55,560
Now the business can't execute quickly

1128
00:38:55,560 --> 00:38:57,360
and when the business can't execute quickly,

1129
00:38:57,360 --> 00:38:59,840
the business creates its own execution layer.

1130
00:38:59,840 --> 00:39:02,000
That is shadowite and it is not a moral problem.

1131
00:39:02,000 --> 00:39:03,200
It is a systems outcome.

1132
00:39:03,200 --> 00:39:04,440
So why does this keep happening?

1133
00:39:04,440 --> 00:39:07,240
Because controls are being deployed as independent artifacts

1134
00:39:07,240 --> 00:39:09,200
instead of as parts of a trust system,

1135
00:39:09,200 --> 00:39:11,560
each control is optimized for its own purpose.

1136
00:39:11,560 --> 00:39:13,520
The combined effect is rarely modeled.

1137
00:39:13,520 --> 00:39:15,640
Nobody asks the core question,

1138
00:39:15,640 --> 00:39:18,080
what decision latency are we introducing

1139
00:39:18,080 --> 00:39:20,800
and what behaviors will that latency incentivize?

1140
00:39:20,800 --> 00:39:23,480
Security teams also get trapped by the wrong success metric.

1141
00:39:23,480 --> 00:39:26,440
If success is reduced incidents, teams will add friction.

1142
00:39:26,440 --> 00:39:27,960
A friction reduces some incidents,

1143
00:39:27,960 --> 00:39:30,160
but friction also creates bypass and resentment

1144
00:39:30,160 --> 00:39:31,920
which creates new incidents later.

1145
00:39:31,920 --> 00:39:34,600
It's the same pattern as poorly designed compliance.

1146
00:39:34,600 --> 00:39:37,080
It produces paperwork, not capability.

1147
00:39:37,080 --> 00:39:38,760
The better metric is still MTTR

1148
00:39:38,760 --> 00:39:40,360
because when you measure MTTR,

1149
00:39:40,360 --> 00:39:42,080
you get forced to remove friction

1150
00:39:42,080 --> 00:39:43,560
that doesn't produce containment.

1151
00:39:43,560 --> 00:39:46,440
You start asking which steps are genuinely necessary

1152
00:39:46,440 --> 00:39:49,840
and which steps exist because we don't trust our own systems.

1153
00:39:49,840 --> 00:39:51,200
Which checks can be automated

1154
00:39:51,200 --> 00:39:52,360
and which require humans

1155
00:39:52,360 --> 00:39:54,440
because the decision is truly business sensitive.

1156
00:39:54,440 --> 00:39:56,200
That's where automation matters, not as a gadget

1157
00:39:56,200 --> 00:39:58,400
but as a way to restore human decision time.

1158
00:39:58,400 --> 00:40:00,600
Automation doesn't eliminate accountability.

1159
00:40:00,600 --> 00:40:02,520
It collapses the boring latency,

1160
00:40:02,520 --> 00:40:06,000
enrichment, correlation, ticket creation, routing

1161
00:40:06,000 --> 00:40:07,760
and reversible containment actions

1162
00:40:07,760 --> 00:40:10,280
that should not require a human to copy paste data

1163
00:40:10,280 --> 00:40:12,320
across tools at 2AM.

1164
00:40:12,320 --> 00:40:14,920
The human should be deciding intent and impact.

1165
00:40:14,920 --> 00:40:17,640
The system should be executing repeatable mechanics

1166
00:40:17,640 --> 00:40:19,480
and the reason leaders should care is simple.

1167
00:40:19,480 --> 00:40:22,880
When you make security slow, you make the business unsafe.

1168
00:40:22,880 --> 00:40:24,360
Not because users are careless

1169
00:40:24,360 --> 00:40:27,600
because the system taught them that speed requires evasion.

1170
00:40:27,600 --> 00:40:29,600
So the problem is not too many controls.

1171
00:40:29,600 --> 00:40:32,400
The problem is controls added without redesigning workflows

1172
00:40:32,400 --> 00:40:33,800
into safe autonomy.

1173
00:40:33,800 --> 00:40:35,760
Controls that don't create safe autonomy

1174
00:40:35,760 --> 00:40:37,720
will always be experienced as friction

1175
00:40:37,720 --> 00:40:38,840
and friction is not neutral.

1176
00:40:38,840 --> 00:40:40,280
It is an entropy generator.

1177
00:40:40,280 --> 00:40:41,600
If you want speed and security,

1178
00:40:41,600 --> 00:40:43,280
you don't negotiate with human nature.

1179
00:40:43,280 --> 00:40:44,480
You redesign the system

1180
00:40:44,480 --> 00:40:47,040
so the safe path is the fast path.

1181
00:40:47,040 --> 00:40:49,040
Human behavior is not the weak link.

1182
00:40:49,040 --> 00:40:52,160
Design is human behavior isn't the weak link.

1183
00:40:52,160 --> 00:40:52,920
That's the story.

1184
00:40:52,920 --> 00:40:55,240
Security tells itself when it can't admit the system

1185
00:40:55,240 --> 00:40:57,960
is poorly designed, people don't wake up wanting to create risk.

1186
00:40:57,960 --> 00:40:59,680
They wake up wanting to finish work,

1187
00:40:59,680 --> 00:41:02,240
ship the release, close the quarter, onboard the partner,

1188
00:41:02,240 --> 00:41:04,800
respond to the customer, unblock the executive.

1189
00:41:04,800 --> 00:41:06,160
When security makes that harder,

1190
00:41:06,160 --> 00:41:07,800
people don't ignore policy.

1191
00:41:07,800 --> 00:41:08,960
They optimize around it.

1192
00:41:08,960 --> 00:41:09,880
That's not negligence.

1193
00:41:09,880 --> 00:41:12,600
That's predictable behavior inside a constrained system.

1194
00:41:12,600 --> 00:41:15,040
This is why blaming users is such a comfortable mistake.

1195
00:41:15,040 --> 00:41:17,400
It turns a design failure into a training problem.

1196
00:41:17,400 --> 00:41:20,160
It converts architecture into morality.

1197
00:41:20,160 --> 00:41:22,120
And it lets leadership believe the solution

1198
00:41:22,120 --> 00:41:23,520
is another awareness module

1199
00:41:23,520 --> 00:41:25,720
instead of fixing the way access workflow

1200
00:41:25,720 --> 00:41:27,320
and response actually function.

1201
00:41:27,320 --> 00:41:30,040
The system creates the behavior, always.

1202
00:41:30,040 --> 00:41:32,800
If privileged access elevation takes two days,

1203
00:41:32,800 --> 00:41:35,000
people will find a standing admin account.

1204
00:41:35,000 --> 00:41:36,720
If app onboarding takes six weeks,

1205
00:41:36,720 --> 00:41:39,640
teams will use personal tokens and unsanctioned CES.

1206
00:41:39,640 --> 00:41:41,880
If approvals require three different managers,

1207
00:41:41,880 --> 00:41:44,280
someone will share credentials temporarily

1208
00:41:44,280 --> 00:41:45,960
and temporary will become permanent

1209
00:41:45,960 --> 00:41:48,560
because the business still needs to operate tomorrow.

1210
00:41:48,560 --> 00:41:50,760
Your policies don't fail because people are bad.

1211
00:41:50,760 --> 00:41:52,640
They fail because the path of least resistance

1212
00:41:52,640 --> 00:41:53,760
is the unsafe path.

1213
00:41:53,760 --> 00:41:57,000
This is where workarounds stop being a human failure

1214
00:41:57,000 --> 00:41:58,680
and start being system telemetry.

1215
00:41:58,680 --> 00:41:59,840
A workaround is a signal

1216
00:41:59,840 --> 00:42:02,200
that the intended workflow doesn't match reality.

1217
00:42:02,200 --> 00:42:03,760
It's evidence that the control plane

1218
00:42:03,760 --> 00:42:06,280
isn't aligned with how work actually happens.

1219
00:42:06,280 --> 00:42:09,280
And when security treats workarounds as insubordination,

1220
00:42:09,280 --> 00:42:10,880
it guarantees two outcomes.

1221
00:42:10,880 --> 00:42:12,160
Workarounds go underground

1222
00:42:12,160 --> 00:42:13,960
and the organization loses visibility

1223
00:42:13,960 --> 00:42:15,800
into its true operating model.

1224
00:42:15,800 --> 00:42:18,000
Silent non-compliance is the default state

1225
00:42:18,000 --> 00:42:19,720
of mature bureaucracies.

1226
00:42:19,720 --> 00:42:21,800
The policy exists, the dashboard is green,

1227
00:42:21,800 --> 00:42:24,080
the audit passes, the behavior diverges anyway

1228
00:42:24,080 --> 00:42:25,800
because the system rewards throughput

1229
00:42:25,800 --> 00:42:27,360
more than it rewards adherents.

1230
00:42:27,360 --> 00:42:29,760
Meanwhile, the organization tells itself a story.

1231
00:42:29,760 --> 00:42:31,640
We're secure because we have controls.

1232
00:42:31,640 --> 00:42:33,040
The attacker enjoys that story.

1233
00:42:33,040 --> 00:42:35,760
This is also why security fatigue is not a user problem.

1234
00:42:35,760 --> 00:42:36,720
It's a design problem.

1235
00:42:36,720 --> 00:42:38,240
If MFA prompts a constant,

1236
00:42:38,240 --> 00:42:40,440
users learn to approve without reading.

1237
00:42:40,440 --> 00:42:42,200
If warning banners appear on every email,

1238
00:42:42,200 --> 00:42:43,600
people stop seeing them.

1239
00:42:43,600 --> 00:42:45,680
If every request is treated like a crisis,

1240
00:42:45,680 --> 00:42:46,920
the workforce becomes numb.

1241
00:42:46,920 --> 00:42:48,360
The control becomes noise.

1242
00:42:48,360 --> 00:42:50,880
And noise is not protection, it's attacks.

1243
00:42:50,880 --> 00:42:53,200
A well-designed system doesn't require heroic attention.

1244
00:42:53,200 --> 00:42:55,840
It assumes attention is scarce and builds guardrails

1245
00:42:55,840 --> 00:42:58,640
that work even when people are tired, rushed or distracted.

1246
00:42:58,640 --> 00:43:01,360
That's not cynical, that's operational realism.

1247
00:43:01,360 --> 00:43:03,720
So when organizations say people are the weakest link,

1248
00:43:03,720 --> 00:43:05,320
they're usually describing a mismatch

1249
00:43:05,320 --> 00:43:07,920
between two speeds, the speed of business

1250
00:43:07,920 --> 00:43:09,440
and the speed of security.

1251
00:43:09,440 --> 00:43:11,400
Security responds by slowing the business

1252
00:43:11,400 --> 00:43:13,600
and the business responds by rooting around security.

1253
00:43:13,600 --> 00:43:14,440
That is the loop.

1254
00:43:14,440 --> 00:43:16,440
It repeats until either leadership intervenes

1255
00:43:16,440 --> 00:43:17,720
or the attacker does.

1256
00:43:17,720 --> 00:43:19,520
And AI makes the mismatch sharper.

1257
00:43:19,520 --> 00:43:21,040
AI accelerates work.

1258
00:43:21,040 --> 00:43:23,800
Drafting, coding, summarizing, automating, integrating,

1259
00:43:23,800 --> 00:43:26,440
the organization's appetite for speed increases.

1260
00:43:26,440 --> 00:43:29,000
If security remains a manual gate, tickets, approvals,

1261
00:43:29,000 --> 00:43:32,000
reviews done quarterly, then security becomes the bottleneck

1262
00:43:32,000 --> 00:43:33,400
that the business will circumvent,

1263
00:43:33,400 --> 00:43:35,040
not because it wants to, because it has to.

1264
00:43:35,040 --> 00:43:37,480
This is why secure by design is not a slogan.

1265
00:43:37,480 --> 00:43:39,400
It's a requirement for maintaining control

1266
00:43:39,400 --> 00:43:41,400
when the systems throughput doubles.

1267
00:43:41,400 --> 00:43:44,160
Design is how you scale trust without scaling friction.

1268
00:43:44,160 --> 00:43:47,360
Design means the safest path is also the fastest path.

1269
00:43:47,360 --> 00:43:49,520
Users shouldn't need to choose between compliance

1270
00:43:49,520 --> 00:43:50,600
and productivity.

1271
00:43:50,600 --> 00:43:52,360
If they do, they will choose productivity

1272
00:43:52,360 --> 00:43:54,960
because that's what the organization actually rewards.

1273
00:43:54,960 --> 00:43:57,120
So what does design look like in this context?

1274
00:43:57,120 --> 00:43:58,920
It looks like making identity governance

1275
00:43:58,920 --> 00:44:01,640
and privileged access not only strict but usable.

1276
00:44:01,640 --> 00:44:03,200
It looks like time-bound access

1277
00:44:03,200 --> 00:44:05,280
that can be requested and approved quickly

1278
00:44:05,280 --> 00:44:06,920
with clear accountability.

1279
00:44:06,920 --> 00:44:09,360
It looks like conditional access policies

1280
00:44:09,360 --> 00:44:11,000
that are consistent and predictable,

1281
00:44:11,000 --> 00:44:12,600
not a maze of exceptions.

1282
00:44:12,600 --> 00:44:14,480
It looks like continuous session revocation,

1283
00:44:14,480 --> 00:44:16,880
so compromised access doesn't linger.

1284
00:44:16,880 --> 00:44:18,320
It looks like response workflows

1285
00:44:18,320 --> 00:44:20,040
that trigger actions automatically.

1286
00:44:20,040 --> 00:44:21,920
So humans spend time deciding impact,

1287
00:44:21,920 --> 00:44:23,920
not moving data between portals.

1288
00:44:23,920 --> 00:44:26,600
And it looks like explicitly designing for failure,

1289
00:44:26,600 --> 00:44:28,720
assume compromise, reduce blast radius

1290
00:44:28,720 --> 00:44:30,160
and make containment normal.

1291
00:44:30,160 --> 00:44:32,680
If those properties exist, humans don't need to be perfect.

1292
00:44:32,680 --> 00:44:34,840
The system catches them, the system constrains them,

1293
00:44:34,840 --> 00:44:37,240
the system corrects quickly when reality changes.

1294
00:44:37,240 --> 00:44:39,720
If those properties don't exist, humans are asked

1295
00:44:39,720 --> 00:44:41,480
to compensate for architectural gaps

1296
00:44:41,480 --> 00:44:42,800
with attention and discipline.

1297
00:44:42,800 --> 00:44:43,800
That is not a strategy.

1298
00:44:43,800 --> 00:44:44,800
That is a fragile wish.

1299
00:44:44,800 --> 00:44:46,640
So stop saying the user is the problem.

1300
00:44:46,640 --> 00:44:48,040
The user is the environment

1301
00:44:48,040 --> 00:44:51,840
and your environment behaves exactly as you designed it to behave.

1302
00:44:51,840 --> 00:44:52,960
Safe autonomy.

1303
00:44:52,960 --> 00:44:55,320
The real objective of modern security.

1304
00:44:55,320 --> 00:44:57,880
Safe autonomy is the objective leaders actually want

1305
00:44:57,880 --> 00:44:59,400
even if they keep funding the opposite.

1306
00:44:59,400 --> 00:45:00,760
They want teams to move fast

1307
00:45:00,760 --> 00:45:02,720
without creating new existential risks.

1308
00:45:02,720 --> 00:45:05,040
They want developers shipping, finance approving,

1309
00:45:05,040 --> 00:45:06,760
sales sharing and operations running

1310
00:45:06,760 --> 00:45:09,080
without every meaningful action turning into a security

1311
00:45:09,080 --> 00:45:11,080
exception or a SOC incident.

1312
00:45:11,080 --> 00:45:13,400
And they want that speed to be reliable,

1313
00:45:13,400 --> 00:45:16,320
not dependent on which senior engineer happens to be awake.

1314
00:45:16,320 --> 00:45:18,640
Security that cannot produce safe autonomy

1315
00:45:18,640 --> 00:45:20,160
becomes a break you never tuned.

1316
00:45:20,160 --> 00:45:22,720
It still slows the car, but it doesn't prevent the crash.

1317
00:45:22,720 --> 00:45:25,240
It just makes everyone angry on the way there.

1318
00:45:25,240 --> 00:45:26,640
So define it cleanly.

1319
00:45:26,640 --> 00:45:29,160
Autonomy means people and systems can act

1320
00:45:29,160 --> 00:45:31,920
without waiting for a central authority on every decision.

1321
00:45:31,920 --> 00:45:33,880
It means access is available when needed.

1322
00:45:33,880 --> 00:45:35,440
It means change is possible.

1323
00:45:35,440 --> 00:45:37,240
It means the organization can execute.

1324
00:45:37,240 --> 00:45:40,440
But autonomy without guardrails is just distributed risk creation.

1325
00:45:40,440 --> 00:45:42,920
Safe autonomy is autonomy with constraints

1326
00:45:42,920 --> 00:45:45,760
that are dynamic, enforceable and fast.

1327
00:45:45,760 --> 00:45:48,160
Dynamic means the control plane uses context,

1328
00:45:48,160 --> 00:45:49,640
not static assumptions.

1329
00:45:49,640 --> 00:45:53,320
Identity and device posture, risk signals, session state,

1330
00:45:53,320 --> 00:45:56,360
resource sensitivity, those inputs shape the decision

1331
00:45:56,360 --> 00:45:57,200
continuously.

1332
00:45:57,200 --> 00:45:59,280
If the context changes, the decision changes.

1333
00:45:59,280 --> 00:46:00,120
That's not a feature.

1334
00:46:00,120 --> 00:46:02,160
That's the only model that survives modern SAS

1335
00:46:02,160 --> 00:46:03,560
and AI accelerated work.

1336
00:46:03,560 --> 00:46:06,400
Enforceable means the decision isn't just policy text.

1337
00:46:06,400 --> 00:46:08,600
It is honored by the system's people actually use.

1338
00:46:08,600 --> 00:46:10,600
If a privileged role requires elevation,

1339
00:46:10,600 --> 00:46:13,120
the elevation path has to exist and work.

1340
00:46:13,120 --> 00:46:15,520
If a session is revoked, the app has to comply.

1341
00:46:15,520 --> 00:46:17,720
If an access package expires, the access

1342
00:46:17,720 --> 00:46:19,560
must disappear without negotiation.

1343
00:46:19,560 --> 00:46:20,960
Otherwise, you don't have governance.

1344
00:46:20,960 --> 00:46:22,800
You have aspiration.

1345
00:46:22,800 --> 00:46:25,600
Fast means the safe path is the easy path.

1346
00:46:25,600 --> 00:46:27,800
This is the mistake security keeps making.

1347
00:46:27,800 --> 00:46:30,320
It builds a safe path that is correct but slow.

1348
00:46:30,320 --> 00:46:32,920
Then it acts surprised when the business roots around it.

1349
00:46:32,920 --> 00:46:35,240
If you want safe autonomy, your control mechanisms

1350
00:46:35,240 --> 00:46:36,960
must operate at business speed.

1351
00:46:36,960 --> 00:46:39,680
Access requests must be fulfilable without weeks of tickets.

1352
00:46:39,680 --> 00:46:42,280
Privilege elevation must be minutes, not days.

1353
00:46:42,280 --> 00:46:46,160
Revocation must be near real time, not when the token times out.

1354
00:46:46,160 --> 00:46:48,280
Response must be orchestrated, not tribal.

1355
00:46:48,280 --> 00:46:50,360
This is also where least privilege stops

1356
00:46:50,360 --> 00:46:53,280
being a purity test and becomes a design pattern.

1357
00:46:53,280 --> 00:46:55,040
These privilege in a safe autonomy model

1358
00:46:55,040 --> 00:46:57,560
is not, you get less access forever.

1359
00:46:57,560 --> 00:47:00,560
It's, you get exactly what you need, exactly when you need it,

1360
00:47:00,560 --> 00:47:02,520
and it disappears when you don't.

1361
00:47:02,520 --> 00:47:05,240
Time is the missing dimension in most access models.

1362
00:47:05,240 --> 00:47:07,320
At time and the whole system becomes easier

1363
00:47:07,320 --> 00:47:09,280
to secure without slowing work.

1364
00:47:09,280 --> 00:47:11,120
Remove time and privilege is accumulate

1365
00:47:11,120 --> 00:47:13,600
until your environment is permanently overauthorized

1366
00:47:13,600 --> 00:47:15,600
and autonomy doesn't just apply to humans.

1367
00:47:15,600 --> 00:47:17,960
Work loads, connectors, service principles

1368
00:47:17,960 --> 00:47:21,560
and increasingly AI agents are acting on behalf of the business.

1369
00:47:21,560 --> 00:47:23,280
If those identities aren't governed,

1370
00:47:23,280 --> 00:47:26,560
scoped permissions, explicit ownership, rotation, and monitoring,

1371
00:47:26,560 --> 00:47:27,840
you don't have autonomy.

1372
00:47:27,840 --> 00:47:29,280
You have unattended authority.

1373
00:47:29,280 --> 00:47:31,200
That is the fastest way to create a breach

1374
00:47:31,200 --> 00:47:33,720
with no obvious user mistake to blame.

1375
00:47:33,720 --> 00:47:36,120
So safe autonomy requires two loops

1376
00:47:36,120 --> 00:47:38,320
to be built into the platform experience.

1377
00:47:38,320 --> 00:47:41,640
Loop one is the trust loop signals to decision to enforcement

1378
00:47:41,640 --> 00:47:43,080
continuously.

1379
00:47:43,080 --> 00:47:45,080
This is where entra governance, conditional access,

1380
00:47:45,080 --> 00:47:46,440
and CAE live.

1381
00:47:46,440 --> 00:47:48,240
It's where trust is earned, constrained,

1382
00:47:48,240 --> 00:47:49,760
and revoked without drama.

1383
00:47:49,760 --> 00:47:53,280
Loop two is the response loop, detection to action to recovery.

1384
00:47:53,280 --> 00:47:56,040
Because safe autonomy doesn't mean nothing goes wrong.

1385
00:47:56,040 --> 00:47:57,280
It means when something goes wrong,

1386
00:47:57,280 --> 00:47:58,800
the system contains it fast enough

1387
00:47:58,800 --> 00:48:00,320
that the business can keep moving.

1388
00:48:00,320 --> 00:48:01,840
This is the part leaders often miss.

1389
00:48:01,840 --> 00:48:04,720
Autonomy increases the number of actions taken without oversight,

1390
00:48:04,720 --> 00:48:06,640
so the system must be able to correct quickly

1391
00:48:06,640 --> 00:48:08,840
when an action turns out to be risky.

1392
00:48:08,840 --> 00:48:11,560
The faster you can revoke, isolate, and remediate,

1393
00:48:11,560 --> 00:48:13,840
the more autonomy you can safely allow.

1394
00:48:13,840 --> 00:48:15,480
That's the trade.

1395
00:48:15,480 --> 00:48:16,960
If your response loop is slow,

1396
00:48:16,960 --> 00:48:19,480
you will inevitably compensate by reducing autonomy,

1397
00:48:19,480 --> 00:48:23,000
more approvals, more gates, more centralized control.

1398
00:48:23,000 --> 00:48:24,400
Not because it's philosophically better,

1399
00:48:24,400 --> 00:48:26,440
but because it's the only way to reduce blast radius

1400
00:48:26,440 --> 00:48:27,840
when you can't contain quickly.

1401
00:48:27,840 --> 00:48:30,480
That is the real reason security slows the business.

1402
00:48:30,480 --> 00:48:32,360
It is compensating for weak revocation

1403
00:48:32,360 --> 00:48:34,320
and weak response with human friction.

1404
00:48:34,320 --> 00:48:36,040
Safe autonomy flips that equation.

1405
00:48:36,040 --> 00:48:38,880
It says, invest in control, plane clarity, and response speed,

1406
00:48:38,880 --> 00:48:40,960
so the organization can decentralize execution

1407
00:48:40,960 --> 00:48:42,280
without decentralizing risk.

1408
00:48:42,280 --> 00:48:43,640
And the executive level marker

1409
00:48:43,640 --> 00:48:45,800
that you're building it correctly is simple,

1410
00:48:45,800 --> 00:48:48,840
fewer emergency exceptions, fewer escalations,

1411
00:48:48,840 --> 00:48:52,000
fewer security needs to approve this right now moments.

1412
00:48:52,000 --> 00:48:53,200
Not because you blocked more,

1413
00:48:53,200 --> 00:48:56,200
because you designed the trusted path to be the default path.

1414
00:48:56,200 --> 00:48:59,680
When safe autonomy exists, security stops being a queue.

1415
00:48:59,680 --> 00:49:02,120
It becomes an operating property of the business.

1416
00:49:02,120 --> 00:49:05,200
Detection without response is expensive telemetry.

1417
00:49:05,200 --> 00:49:07,640
Once you accept safe autonomy as the objective,

1418
00:49:07,640 --> 00:49:09,320
the next failure becomes obvious.

1419
00:49:09,320 --> 00:49:12,000
Most security programs are built like observatories.

1420
00:49:12,000 --> 00:49:13,840
They collect signals, they classify events,

1421
00:49:13,840 --> 00:49:16,080
they generate alerts, then they stop.

1422
00:49:16,080 --> 00:49:17,440
And then everyone acts surprised

1423
00:49:17,440 --> 00:49:19,880
when incidents still turn into business outages.

1424
00:49:19,880 --> 00:49:21,880
Detection by itself doesn't reduce impact,

1425
00:49:21,880 --> 00:49:23,280
it documents impact.

1426
00:49:23,280 --> 00:49:24,320
That distinction matters

1427
00:49:24,320 --> 00:49:26,720
because dashboards are emotionally comforting.

1428
00:49:26,720 --> 00:49:28,800
A high severity alert feels like progress,

1429
00:49:28,800 --> 00:49:32,040
a unified incident view feels like control.

1430
00:49:32,040 --> 00:49:33,680
But none of it changes the outcome

1431
00:49:33,680 --> 00:49:36,560
if the organization can't convert signal into action

1432
00:49:36,560 --> 00:49:37,760
fast enough to matter.

1433
00:49:37,760 --> 00:49:40,720
This is why so many well-secured organizations still fail.

1434
00:49:40,720 --> 00:49:42,360
Not because they lack detection,

1435
00:49:42,360 --> 00:49:45,160
because they lack decision speed and enforcement speed.

1436
00:49:45,160 --> 00:49:47,920
You can think of response as a pipeline with four stages.

1437
00:49:47,920 --> 00:49:50,600
Detect, decide, enforce, recover.

1438
00:49:50,600 --> 00:49:53,520
Most organizations over-invest in the first stage,

1439
00:49:53,520 --> 00:49:55,440
under-invest in the second and third

1440
00:49:55,440 --> 00:49:57,480
and treat the fourth as an annual exercise.

1441
00:49:57,480 --> 00:49:59,120
So the system behaves like a camera,

1442
00:49:59,120 --> 00:50:00,280
not like a control system.

1443
00:50:00,280 --> 00:50:02,080
A camera is valuable after the fact.

1444
00:50:02,080 --> 00:50:03,880
It tells you what happened, it can help you learn.

1445
00:50:03,880 --> 00:50:05,800
But it doesn't stop the car from hitting the wall.

1446
00:50:05,800 --> 00:50:07,240
For that, you need brakes.

1447
00:50:07,240 --> 00:50:09,440
In security terms, you need orchestration.

1448
00:50:09,440 --> 00:50:12,280
Consistent, auditable actions that reduce blast radius quickly.

1449
00:50:12,280 --> 00:50:15,240
The core issue is that response is usually human middleware

1450
00:50:15,240 --> 00:50:16,200
and alert fires.

1451
00:50:16,200 --> 00:50:17,160
It lands in a queue.

1452
00:50:17,160 --> 00:50:20,280
Someone triages it, they copy information from one portal to another,

1453
00:50:20,280 --> 00:50:22,440
they ask an app owner what the identity does.

1454
00:50:22,440 --> 00:50:24,480
They ask I'd to isolate a device.

1455
00:50:24,480 --> 00:50:27,160
They ask identity administrators to disable an account.

1456
00:50:27,160 --> 00:50:29,360
They ask messaging teams to purge an email.

1457
00:50:29,360 --> 00:50:31,360
They ask someone else to reset credentials.

1458
00:50:31,360 --> 00:50:33,080
Each step is rational in isolation.

1459
00:50:33,080 --> 00:50:34,680
Collectively, it's a latency engine.

1460
00:50:34,680 --> 00:50:36,400
An attacker's exploit latency.

1461
00:50:36,400 --> 00:50:37,480
They don't need to be brilliant.

1462
00:50:37,480 --> 00:50:38,520
They need you to be slow.

1463
00:50:38,520 --> 00:50:41,400
This is where leadership gets trapped in the wrong conversation.

1464
00:50:41,400 --> 00:50:43,360
They ask, do we have a sock?

1465
00:50:43,360 --> 00:50:45,000
They ask, are we monitoring?

1466
00:50:45,000 --> 00:50:47,040
They ask, how many alerts did we close out?

1467
00:50:47,040 --> 00:50:48,320
Those are activity metrics.

1468
00:50:48,320 --> 00:50:50,680
They don't tell you whether the organization can contain

1469
00:50:50,680 --> 00:50:52,840
an identity-driven incident in business time.

1470
00:50:52,840 --> 00:50:55,160
The question that matters is, how long does it take

1471
00:50:55,160 --> 00:50:57,720
from first signal to first meaningful containment?

1472
00:50:57,720 --> 00:51:00,600
Not to a ticket, not to a slack thread, to containment?

1473
00:51:00,600 --> 00:51:03,880
Because that's the moment you stop paying compounding interest on the breach.

1474
00:51:03,880 --> 00:51:07,160
Now, the uncomfortable part, detection without response is not neutral.

1475
00:51:07,160 --> 00:51:07,920
It's expensive.

1476
00:51:07,920 --> 00:51:09,160
It consumes licensing.

1477
00:51:09,160 --> 00:51:10,240
It consumes storage.

1478
00:51:10,240 --> 00:51:11,720
It consumes analyst time.

1479
00:51:11,720 --> 00:51:13,560
It consumes executive attention.

1480
00:51:13,560 --> 00:51:15,520
And when it's not connected to action,

1481
00:51:15,520 --> 00:51:17,800
it creates a worse outcome than ignorance.

1482
00:51:17,800 --> 00:51:22,400
A alert fatigue, where the organization learns to ignore its own warning systems.

1483
00:51:22,400 --> 00:51:24,840
Once that happens, you have telemetry theatre.

1484
00:51:24,840 --> 00:51:25,840
Lots of data.

1485
00:51:25,840 --> 00:51:27,120
Little control.

1486
00:51:27,120 --> 00:51:30,160
This is also why more sensors is a weak investment posture.

1487
00:51:30,160 --> 00:51:32,680
If you add more signals, without fixing the response loop,

1488
00:51:32,680 --> 00:51:33,600
you increase noise.

1489
00:51:33,600 --> 00:51:34,920
Noise reduces trust.

1490
00:51:34,920 --> 00:51:35,840
Reduced trust.

1491
00:51:35,840 --> 00:51:37,040
Slows decisions.

1492
00:51:37,040 --> 00:51:38,600
Slower decisions increase impact.

1493
00:51:38,600 --> 00:51:39,280
That's the loop.

1494
00:51:39,280 --> 00:51:42,360
It's the security equivalent of adding more gauges to a cockpit

1495
00:51:42,360 --> 00:51:44,880
while leaving the control surfaces unresponsive.

1496
00:51:44,880 --> 00:51:46,880
So what does a good response loop look like

1497
00:51:46,880 --> 00:51:48,720
without turning this into a tool demo?

1498
00:51:48,720 --> 00:51:52,320
It looks like the organization pre-defining a small set of reversible actions

1499
00:51:52,320 --> 00:51:55,360
that can happen fast with clear authority and clear logging.

1500
00:51:55,360 --> 00:51:58,320
If an identity exhibits a high confidence compromise signal,

1501
00:51:58,320 --> 00:52:02,120
the system can, revoke sessions, require reauthentication,

1502
00:52:02,120 --> 00:52:05,160
block risky sign-ins, disable the account,

1503
00:52:05,160 --> 00:52:08,240
remove standing privilege, quarantine a device,

1504
00:52:08,240 --> 00:52:11,360
suspend an OAuth app or route a case to the system owner

1505
00:52:11,360 --> 00:52:13,200
with context already attached.

1506
00:52:13,200 --> 00:52:14,640
Not all at once, not everywhere,

1507
00:52:14,640 --> 00:52:17,720
but as a designed set of bounded responses.

1508
00:52:17,720 --> 00:52:19,440
Bounded matters because leaders here

1509
00:52:19,440 --> 00:52:21,440
automation and picture chaos.

1510
00:52:21,440 --> 00:52:23,440
Accidental lockouts, business disruption,

1511
00:52:23,440 --> 00:52:25,720
the wrong account disabled at the wrong time.

1512
00:52:25,720 --> 00:52:29,040
That fear is rational when automation is built as an improvisation.

1513
00:52:29,040 --> 00:52:32,160
It becomes less rational when automation is built as policy.

1514
00:52:32,160 --> 00:52:34,960
Explicit triggers, reversible actions, audit trails,

1515
00:52:34,960 --> 00:52:37,320
and human approval where the blast radius is large.

1516
00:52:37,320 --> 00:52:41,320
That is how you turn response speed into a capability instead of a gamble.

1517
00:52:41,320 --> 00:52:43,800
And this ties directly back to identity as the control plane.

1518
00:52:43,800 --> 00:52:46,840
If your fastest containment actions live in identity,

1519
00:52:46,840 --> 00:52:49,640
session revocation, privilege reduction, access blocks,

1520
00:52:49,640 --> 00:52:51,440
then response becomes feasible.

1521
00:52:51,440 --> 00:52:54,000
If your containment requires days of coordination

1522
00:52:54,000 --> 00:52:57,480
across disconnected teams, response becomes aspirational.

1523
00:52:57,480 --> 00:52:58,880
So the takeaway is blunt.

1524
00:52:58,880 --> 00:53:00,960
You don't buy resilience with telemetry.

1525
00:53:00,960 --> 00:53:03,560
You buy resilience by funding the conversion layer

1526
00:53:03,560 --> 00:53:05,000
between signal and action.

1527
00:53:05,000 --> 00:53:06,800
And that conversion layer is not glamorous.

1528
00:53:06,800 --> 00:53:09,200
It's workflow, it's ownership, it's automation,

1529
00:53:09,200 --> 00:53:10,680
it's rehearsed authority.

1530
00:53:10,680 --> 00:53:12,960
Without it, you don't have a resilience program.

1531
00:53:12,960 --> 00:53:15,280
You have a very expensive record of how you lost.

1532
00:53:15,280 --> 00:53:18,760
Scenario 2, Microsoft Defender, ServiceNow Automation.

1533
00:53:18,760 --> 00:53:22,880
If identity is the control plane, and CAE is the revocation muscle,

1534
00:53:22,880 --> 00:53:25,640
then this scenario is the nervous system connection.

1535
00:53:25,640 --> 00:53:27,960
How signals become coordinated action

1536
00:53:27,960 --> 00:53:31,520
without turning your SOC into a human API.

1537
00:53:31,520 --> 00:53:34,640
Microsoft Defender gives you signals, ServiceNow gives you execution.

1538
00:53:34,640 --> 00:53:37,400
Most organizations own both categories of tooling,

1539
00:53:37,400 --> 00:53:39,240
but treat them like separate religions.

1540
00:53:39,240 --> 00:53:42,360
Security detects, IT operates, and the business weights.

1541
00:53:42,360 --> 00:53:44,280
That separation is where MTR is born.

1542
00:53:44,280 --> 00:53:46,080
Defender is already doing aggregation

1543
00:53:46,080 --> 00:53:49,440
across endpoint identity, email, SAS, and cloud activity.

1544
00:53:49,440 --> 00:53:53,120
It can correlate activity that looks unrelated in isolation,

1545
00:53:53,120 --> 00:53:56,000
a risky sign-in, a suspicious mailbox rule,

1546
00:53:56,000 --> 00:53:57,960
an endpoint alert and OAuth app consent,

1547
00:53:57,960 --> 00:53:59,800
a new admin role activation.

1548
00:53:59,800 --> 00:54:02,000
The value isn't that any single alert exists.

1549
00:54:02,000 --> 00:54:04,640
The value is that the platform can form an incident story

1550
00:54:04,640 --> 00:54:07,320
without asking an analyst to manually stitch it together.

1551
00:54:07,320 --> 00:54:09,160
But correlation doesn't contain anything.

1552
00:54:09,160 --> 00:54:10,840
Containment happens when the organization

1553
00:54:10,840 --> 00:54:14,280
executes a bounded set of actions fast with clear authority

1554
00:54:14,280 --> 00:54:17,840
and with an audit trail that survives the post-incident review.

1555
00:54:17,840 --> 00:54:20,640
That's where ServiceNow becomes useful, not as a ticket factory,

1556
00:54:20,640 --> 00:54:23,800
as the system of action that codifies decisions, approvals,

1557
00:54:23,800 --> 00:54:25,840
handoffs, and remediation steps

1558
00:54:25,840 --> 00:54:27,520
in a way that is repeatable under stress.

1559
00:54:27,520 --> 00:54:30,400
The simple version is Defender detects and enriches service.

1560
00:54:30,400 --> 00:54:31,440
Now roots and governs.

1561
00:54:31,440 --> 00:54:33,960
Automation executes the first response steps.

1562
00:54:33,960 --> 00:54:37,000
Humans handle the exceptions and the irreversible decisions.

1563
00:54:37,000 --> 00:54:39,680
That's the 1080-10 model in practice.

1564
00:54:39,680 --> 00:54:42,080
Without pretending the platform can replace judgment.

1565
00:54:42,080 --> 00:54:44,280
So what does good automation look like here?

1566
00:54:44,280 --> 00:54:46,400
It looks like defining a small number of playbooks

1567
00:54:46,400 --> 00:54:48,040
that are intentionally boring.

1568
00:54:48,040 --> 00:54:50,840
When Defender raises a high confidence identity incident,

1569
00:54:50,840 --> 00:54:53,360
the system can automatically create a ServiceNow Security

1570
00:54:53,360 --> 00:54:56,080
incident with the right context already attached.

1571
00:54:56,080 --> 00:55:00,600
Effected identity, impacted assets, correlated alerts, timestamps,

1572
00:55:00,600 --> 00:55:02,600
and suggested containment actions.

1573
00:55:02,600 --> 00:55:05,600
No copy-paste, no, what's the UPN back and forth?

1574
00:55:05,600 --> 00:55:08,280
No analyst spending 20 minutes collecting screenshots

1575
00:55:08,280 --> 00:55:09,560
for a ticket nobody will read.

1576
00:55:09,560 --> 00:55:11,760
Then automation does the first reversible moves.

1577
00:55:11,760 --> 00:55:14,160
Reversible means you can undo the action

1578
00:55:14,160 --> 00:55:16,680
without negotiating with half the organization.

1579
00:55:16,680 --> 00:55:19,440
Reauthentication prompts, session revocation,

1580
00:55:19,440 --> 00:55:22,640
blocking risky sign-ins, disabling a single account,

1581
00:55:22,640 --> 00:55:25,440
removing a role activation, isolating a device,

1582
00:55:25,440 --> 00:55:28,680
quarantining an email, suspending an OAuth app consent,

1583
00:55:28,680 --> 00:55:30,720
depending on what signal fired and what authority

1584
00:55:30,720 --> 00:55:31,920
you've pre-approved.

1585
00:55:31,920 --> 00:55:34,040
This is the key leadership decision,

1586
00:55:34,040 --> 00:55:36,160
which actions are allowed to happen automatically

1587
00:55:36,160 --> 00:55:37,760
and under what confidence threshold.

1588
00:55:37,760 --> 00:55:39,880
If everything requires a human you get latency,

1589
00:55:39,880 --> 00:55:41,240
if everything is automated,

1590
00:55:41,240 --> 00:55:44,520
you get accidental outages and political backlash.

1591
00:55:44,520 --> 00:55:47,160
The only stable model is a tiered model.

1592
00:55:47,160 --> 00:55:49,480
Automatic containment for high confidence,

1593
00:55:49,480 --> 00:55:51,760
low blast radius actions, human approval

1594
00:55:51,760 --> 00:55:53,400
for high blast radius actions,

1595
00:55:53,400 --> 00:55:55,160
and explicit escalation when the system

1596
00:55:55,160 --> 00:55:56,600
can't determine impact.

1597
00:55:56,600 --> 00:55:59,480
ServiceNow is where that tearing becomes enforceable.

1598
00:55:59,480 --> 00:56:00,960
It can embed approval workflows

1599
00:56:00,960 --> 00:56:02,400
in forced segregation of duties

1600
00:56:02,400 --> 00:56:05,040
and ensure every exception has an owner and an expiration.

1601
00:56:05,040 --> 00:56:07,560
It can also track recovery tasks as actual work,

1602
00:56:07,560 --> 00:56:10,160
not as tribal knowledge, credential resets,

1603
00:56:10,160 --> 00:56:13,080
access-reviewed triggers, device re-enrollment,

1604
00:56:13,080 --> 00:56:16,160
application owner confirmation, customer communications,

1605
00:56:16,160 --> 00:56:18,560
and post-incident backlog items.

1606
00:56:18,560 --> 00:56:19,880
That last part matters.

1607
00:56:19,880 --> 00:56:24,080
Most organizations can contain when the right people are awake.

1608
00:56:24,080 --> 00:56:25,480
They can't recover consistently

1609
00:56:25,480 --> 00:56:27,160
because recovery is treated as cleanup,

1610
00:56:27,160 --> 00:56:30,000
not as an engineered loop, service.

1611
00:56:30,000 --> 00:56:33,000
Now forces recovery to be legible, tasks, owners,

1612
00:56:33,000 --> 00:56:34,920
deadlines, evidence.

1613
00:56:34,920 --> 00:56:36,680
Now the counterintuitive part,

1614
00:56:36,680 --> 00:56:38,920
this automation isn't about speed for its own sake,

1615
00:56:38,920 --> 00:56:40,960
it's about restoring human decision time.

1616
00:56:40,960 --> 00:56:42,320
Humans should decide intent.

1617
00:56:42,320 --> 00:56:44,080
Is this identity business critical?

1618
00:56:44,080 --> 00:56:45,400
Is this activity expected?

1619
00:56:45,400 --> 00:56:46,360
Do we accept the risk?

1620
00:56:46,360 --> 00:56:47,520
Do we shut down a workflow?

1621
00:56:47,520 --> 00:56:48,680
Do we notify customers?

1622
00:56:48,680 --> 00:56:50,560
Do we escalate to legal?

1623
00:56:50,560 --> 00:56:52,320
The system should execute mechanics.

1624
00:56:52,320 --> 00:56:54,440
Collect data, correlate, create the case,

1625
00:56:54,440 --> 00:56:56,240
root it, apply reversible containment,

1626
00:56:56,240 --> 00:56:57,480
and maintain the audit trail.

1627
00:56:57,480 --> 00:57:00,080
If your analysts are doing mechanics, you don't have a so key.

1628
00:57:00,080 --> 00:57:02,080
You have a very expensive workflow gap.

1629
00:57:02,080 --> 00:57:04,040
And the reason this scenario belongs

1630
00:57:04,040 --> 00:57:06,440
in an executive briefing is that it changes

1631
00:57:06,440 --> 00:57:07,560
what leaders fund.

1632
00:57:07,560 --> 00:57:09,080
Instead of buying more detection,

1633
00:57:09,080 --> 00:57:11,880
you invest in the conversion layer, integrations,

1634
00:57:11,880 --> 00:57:15,720
playbooks, ownership models, and rehearsed authority.

1635
00:57:15,720 --> 00:57:17,320
You build the muscle that turns,

1636
00:57:17,320 --> 00:57:20,200
we saw something into, we contained something,

1637
00:57:20,200 --> 00:57:21,920
because the board doesn't care that you detected

1638
00:57:21,920 --> 00:57:24,160
an identity incident at 2.03 AM.

1639
00:57:24,160 --> 00:57:28,000
They care whether the attacker still had access at 2.33 AM.

1640
00:57:28,000 --> 00:57:29,920
This is also where you stop measuring success

1641
00:57:29,920 --> 00:57:31,560
by ticket volume and start measuring it

1642
00:57:31,560 --> 00:57:34,600
by decision latency, time to detect, time to decide,

1643
00:57:34,600 --> 00:57:36,680
time to enforce, time to recover.

1644
00:57:36,680 --> 00:57:39,400
Service now gives you the workflow time stamps.

1645
00:57:39,400 --> 00:57:41,240
Defender gives you the signal time stamps.

1646
00:57:41,240 --> 00:57:43,800
Together, they give you the only metric that matters.

1647
00:57:43,800 --> 00:57:45,560
MTR becomes visible.

1648
00:57:45,560 --> 00:57:49,360
And once MTR is visible, leadership can actually manage it.

1649
00:57:49,360 --> 00:57:51,400
Either resilience is an operating capability,

1650
00:57:51,400 --> 00:57:52,640
not an incident plan.

1651
00:57:52,640 --> 00:57:54,400
Resilience is what the organization can do

1652
00:57:54,400 --> 00:57:56,040
on a bad day without improvising,

1653
00:57:56,040 --> 00:57:58,200
not what it wrote down in a binder two years ago.

1654
00:57:58,200 --> 00:58:01,360
Most enterprises have an incident response plan.

1655
00:58:01,360 --> 00:58:04,760
It exists, it has owners, it has a PDF, it satisfies audits.

1656
00:58:04,760 --> 00:58:06,920
And it fails at the exact moment it's needed,

1657
00:58:06,920 --> 00:58:08,880
because plans don't execute themselves

1658
00:58:08,880 --> 00:58:11,320
and stressed humans don't behave like flowcharts.

1659
00:58:11,320 --> 00:58:13,320
An incident plan is documentation.

1660
00:58:13,320 --> 00:58:15,840
Resilience is an operating capability, practiced,

1661
00:58:15,840 --> 00:58:18,480
funded, measured and continuously improved.

1662
00:58:18,480 --> 00:58:20,200
It lives in the muscle memory of teams

1663
00:58:20,200 --> 00:58:23,680
and the design of systems, not in the phrasing of a policy.

1664
00:58:23,680 --> 00:58:25,360
This is the uncomfortable truth.

1665
00:58:25,360 --> 00:58:28,040
Modern incidents are not puzzles, they are time games.

1666
00:58:28,040 --> 00:58:29,800
The attacker's advantage is not brilliance.

1667
00:58:29,800 --> 00:58:31,600
It's that your organization needs a meeting

1668
00:58:31,600 --> 00:58:32,800
before it can act.

1669
00:58:32,800 --> 00:58:34,960
Resilience is the decision to remove that meeting

1670
00:58:34,960 --> 00:58:36,240
from the critical path.

1671
00:58:36,240 --> 00:58:39,000
So resilience engineering starts with one stance,

1672
00:58:39,000 --> 00:58:42,680
expect failure, not as pessimism as design input.

1673
00:58:42,680 --> 00:58:44,640
Your human identity will be compromised,

1674
00:58:44,640 --> 00:58:46,760
your sumatoken will be stolen, your sumatown,

1675
00:58:46,760 --> 00:58:48,440
or O-Auth app will get consented,

1676
00:58:48,440 --> 00:58:50,600
your sumatement will make a mistake.

1677
00:58:50,600 --> 00:58:52,520
Then you design for bounded failure,

1678
00:58:52,520 --> 00:58:55,240
small blast radius, fast revocation

1679
00:58:55,240 --> 00:58:57,600
and recovery that doesn't require heroics.

1680
00:58:57,600 --> 00:59:00,000
Bounded failure is the opposite of prevention fantasy.

1681
00:59:00,000 --> 00:59:02,640
It's not nothing bad happens, it's it's it's bad

1682
00:59:02,640 --> 00:59:05,440
things happen and the organization keeps operating.

1683
00:59:05,440 --> 00:59:08,120
That implies three capabilities leaders can actually fund.

1684
00:59:08,120 --> 00:59:09,840
First, containment readiness.

1685
00:59:09,840 --> 00:59:13,520
This is the existence of kill switches that work.

1686
00:59:13,520 --> 00:59:16,000
Rapid account disabling, privilege stripping,

1687
00:59:16,000 --> 00:59:18,880
session revocation, conditional access escalation,

1688
00:59:18,880 --> 00:59:21,920
device isolation and application level blocks,

1689
00:59:21,920 --> 00:59:26,040
pre-approved, auditable and reversible, where possible.

1690
00:59:26,040 --> 00:59:28,560
If containment actions require ad hoc approvals,

1691
00:59:28,560 --> 00:59:30,280
you don't have containment readiness,

1692
00:59:30,280 --> 00:59:33,760
you have hope, second, recovery readiness.

1693
00:59:33,760 --> 00:59:36,760
Containment stops the bleeding, recovery restores the business.

1694
00:59:36,760 --> 00:59:39,640
Most organizations skip designing recovery as a system,

1695
00:59:39,640 --> 00:59:41,480
so they pay for it in chaos.

1696
00:59:41,480 --> 00:59:44,040
Recovery readiness means the organization knows

1697
00:59:44,040 --> 00:59:47,520
how to restore access safely, rebuild trust in identities

1698
00:59:47,520 --> 00:59:49,920
and reestablish clean operating conditions.

1699
00:59:49,920 --> 00:59:53,280
Credential resets with verification, reissuing tokens,

1700
00:59:53,280 --> 00:59:56,720
validating device posture, re-onboarding service accounts,

1701
00:59:56,720 --> 00:59:59,080
verifying that privileged roles are clean,

1702
00:59:59,080 --> 01:00:01,520
and proving that logging and controls are still intact.

1703
01:00:01,520 --> 01:00:03,520
If the org can't reestablish trust quickly,

1704
01:00:03,520 --> 01:00:05,120
it will either stay offline too long

1705
01:00:05,120 --> 01:00:06,920
or come back online too early.

1706
01:00:06,920 --> 01:00:08,240
Both are expensive.

1707
01:00:08,240 --> 01:00:12,440
Third, learning loop discipline.

1708
01:00:12,440 --> 01:00:14,200
Resilience isn't we survived.

1709
01:00:14,200 --> 01:00:17,480
Resilience is we survived and we made it harder next time.

1710
01:00:17,480 --> 01:00:19,240
That requires turning incident lessons

1711
01:00:19,240 --> 01:00:21,360
into owned backlog items with deadlines,

1712
01:00:21,360 --> 01:00:23,640
not we should review access,

1713
01:00:23,640 --> 01:00:26,200
not we should tighten conditional access,

1714
01:00:26,200 --> 01:00:28,800
specific changes, which entitlement gets rescoped,

1715
01:00:28,800 --> 01:00:31,960
which exception expires, which workflow becomes automated,

1716
01:00:31,960 --> 01:00:33,560
which app must support CAE,

1717
01:00:33,560 --> 01:00:36,080
which privileged role gets moved to eligible only,

1718
01:00:36,080 --> 01:00:38,560
which detection trigger now roots to action.

1719
01:00:38,560 --> 01:00:40,760
This is where most programs rot.

1720
01:00:40,760 --> 01:00:42,840
The incident becomes a post-mortem presentation,

1721
01:00:42,840 --> 01:00:44,240
not an engineering input.

1722
01:00:44,240 --> 01:00:45,360
Now to make this real,

1723
01:00:45,360 --> 01:00:47,640
leaders need to stop treating tabletop exercises

1724
01:00:47,640 --> 01:00:48,760
as compliance theater.

1725
01:00:48,760 --> 01:00:50,040
A tabletop isn't a quiz.

1726
01:00:50,040 --> 01:00:51,480
It's a rehearsal of decisions.

1727
01:00:51,480 --> 01:00:53,960
Who has authority to disable an executive account?

1728
01:00:53,960 --> 01:00:56,840
Who can revoke access for a third party integration

1729
01:00:56,840 --> 01:00:57,880
that drives revenue?

1730
01:00:57,880 --> 01:01:00,680
Who can force reauthentication for a business critical SaaS app?

1731
01:01:00,680 --> 01:01:02,360
Who can approve isolating a device

1732
01:01:02,360 --> 01:01:04,000
used for production deployment?

1733
01:01:04,000 --> 01:01:04,960
Who talks to legal?

1734
01:01:04,960 --> 01:01:06,040
Who talks to customers?

1735
01:01:06,040 --> 01:01:07,120
Who owns the timeline?

1736
01:01:07,120 --> 01:01:08,480
Those are not technical questions.

1737
01:01:08,480 --> 01:01:10,800
They are governance questions under stress.

1738
01:01:10,800 --> 01:01:13,120
A good tabletop produces two outputs,

1739
01:01:13,120 --> 01:01:15,960
decision clarity and remediation backlog.

1740
01:01:15,960 --> 01:01:18,200
If it only produces, we learned a lot.

1741
01:01:18,200 --> 01:01:19,400
It produced nothing.

1742
01:01:19,400 --> 01:01:21,600
There's also a structural implication to resilience

1743
01:01:21,600 --> 01:01:23,800
that security teams dislike admitting.

1744
01:01:23,800 --> 01:01:26,880
Resilience requires alignment between identity, IT,

1745
01:01:26,880 --> 01:01:29,600
and the business, not cooperation, alignment.

1746
01:01:29,600 --> 01:01:31,920
Because response actions always affect operations.

1747
01:01:31,920 --> 01:01:33,440
If the business refuses disruption,

1748
01:01:33,440 --> 01:01:35,120
the attacker gets persistence.

1749
01:01:35,120 --> 01:01:38,280
If security refuses accountability, the business gets chaos.

1750
01:01:38,280 --> 01:01:40,800
Resilience is the negotiated operating model

1751
01:01:40,800 --> 01:01:42,440
that makes decisive action possible

1752
01:01:42,440 --> 01:01:44,040
without endless escalation.

1753
01:01:44,040 --> 01:01:45,400
And AI doesn't change this.

1754
01:01:45,400 --> 01:01:47,080
It accelerates it.

1755
01:01:47,080 --> 01:01:48,440
AI makes attacks faster,

1756
01:01:48,440 --> 01:01:50,200
but it also makes defense more scalable

1757
01:01:50,200 --> 01:01:51,680
if the organization has the workflow

1758
01:01:51,680 --> 01:01:53,360
to convert signals into action.

1759
01:01:53,360 --> 01:01:56,120
Without that, AI just increases the volume of insights

1760
01:01:56,120 --> 01:01:57,400
you fail to operationalize.

1761
01:01:57,400 --> 01:01:59,040
So resilience isn't the binder.

1762
01:01:59,040 --> 01:01:59,960
It's the loop.

1763
01:01:59,960 --> 01:02:01,760
Contain, recover, learn, repeat it

1764
01:02:01,760 --> 01:02:04,520
until the system becomes harder to break than it is to run.

1765
01:02:04,520 --> 01:02:07,160
And once you treat resilience as an operating capability,

1766
01:02:07,160 --> 01:02:10,280
you can finally put it on a scoreboard leadership understands.

1767
01:02:10,280 --> 01:02:12,440
The leadership metric, reduce MTTR

1768
01:02:12,440 --> 01:02:14,120
for identity-driven incidents.

1769
01:02:14,120 --> 01:02:16,480
This is where leadership usually asks for a dashboard

1770
01:02:16,480 --> 01:02:18,440
and security hands them the wrong one.

1771
01:02:18,440 --> 01:02:19,440
They get counts.

1772
01:02:19,440 --> 01:02:21,600
Number of incidents, number of blocked sign-ins,

1773
01:02:21,600 --> 01:02:24,080
number of risky users, number of alerts closed.

1774
01:02:24,080 --> 01:02:24,880
That's activity.

1775
01:02:24,880 --> 01:02:26,120
It's not capability.

1776
01:02:26,120 --> 01:02:28,960
Capability is what happens when an identity-driven incident

1777
01:02:28,960 --> 01:02:31,360
is already in motion and the business is bleeding time.

1778
01:02:31,360 --> 01:02:32,520
The only metric that translates

1779
01:02:32,520 --> 01:02:36,320
cleanly from security to operations to the board is MTTR.

1780
01:02:36,320 --> 01:02:37,880
Mean time to respond and to end.

1781
01:02:37,880 --> 01:02:39,480
Not time to create a ticket.

1782
01:02:39,480 --> 01:02:40,480
Not time to acknowledge.

1783
01:02:40,480 --> 01:02:42,280
Respond means containment has occurred

1784
01:02:42,280 --> 01:02:45,280
and the attack as ability to act has been materially reduced.

1785
01:02:45,280 --> 01:02:47,640
If you can't define that moment, you can't manage it.

1786
01:02:47,640 --> 01:02:48,960
That distinction matters.

1787
01:02:48,960 --> 01:02:51,320
Identity-driven incidents dominate business impact

1788
01:02:51,320 --> 01:02:53,760
because identity is the permission fabric for everything else.

1789
01:02:53,760 --> 01:02:56,400
When an endpoint is compromised, you might lose a machine.

1790
01:02:56,400 --> 01:02:57,960
When an identity is compromised,

1791
01:02:57,960 --> 01:03:01,040
you can lose data, approvals, code, financial workflows,

1792
01:03:01,040 --> 01:03:02,840
and the ability to trust your own systems.

1793
01:03:02,840 --> 01:03:05,280
It is the difference between a local fire

1794
01:03:05,280 --> 01:03:07,600
and a fire in the building's electrical panel.

1795
01:03:07,600 --> 01:03:09,240
So the leadership mandate is simple.

1796
01:03:09,240 --> 01:03:11,680
Reduce the time window in which a compromise identity

1797
01:03:11,680 --> 01:03:12,520
can operate.

1798
01:03:12,520 --> 01:03:14,800
The 40-60% reduction target is not magic.

1799
01:03:14,800 --> 01:03:16,640
It is the difference between a system

1800
01:03:16,640 --> 01:03:19,320
that relies on humans to stitch context together

1801
01:03:19,320 --> 01:03:21,640
and a system that treats identity as a control plane

1802
01:03:21,640 --> 01:03:23,400
with enforcement and workflow.

1803
01:03:23,400 --> 01:03:26,160
If your current MTTR is measured in hours,

1804
01:03:26,160 --> 01:03:28,360
cutting it roughly in half is entirely plausible

1805
01:03:28,360 --> 01:03:31,080
when you move the first actions from manual to orchestrate it

1806
01:03:31,080 --> 01:03:34,000
and when you stop waiting for token expiry to do your job.

1807
01:03:34,000 --> 01:03:36,760
But leaders need to understand what they are actually measuring.

1808
01:03:36,760 --> 01:03:38,360
MTTR is not a single stopwatch.

1809
01:03:38,360 --> 01:03:40,840
It's a chain and chains fail at the weakest link,

1810
01:03:40,840 --> 01:03:42,520
so break it into four timestamps

1811
01:03:42,520 --> 01:03:45,040
that are board legible and operationally honest.

1812
01:03:45,040 --> 01:03:46,080
Time to detect.

1813
01:03:46,080 --> 01:03:48,280
When did the system first have a credible signal

1814
01:03:48,280 --> 01:03:49,440
that something was wrong?

1815
01:03:49,440 --> 01:03:52,120
Not when someone looked at it, when it existed.

1816
01:03:52,120 --> 01:03:53,480
Time to decide.

1817
01:03:53,480 --> 01:03:56,520
How long did it take for a human or a policy engine to decide?

1818
01:03:56,520 --> 01:03:58,360
This is real enough to act?

1819
01:03:58,360 --> 01:04:02,000
This is where alert fatigue and unclear severity definitions

1820
01:04:02,000 --> 01:04:03,840
turn into business exposure.

1821
01:04:03,840 --> 01:04:04,960
Time to enforce.

1822
01:04:04,960 --> 01:04:07,360
How long did it take for the decision to change reality?

1823
01:04:07,360 --> 01:04:08,320
Disable the account.

1824
01:04:08,320 --> 01:04:10,960
Revoque sessions, block the sign in, remove privilege,

1825
01:04:10,960 --> 01:04:11,920
quarantine the device.

1826
01:04:11,920 --> 01:04:14,600
If it took two hours to get approval, that's not governance.

1827
01:04:14,600 --> 01:04:15,920
That's latency.

1828
01:04:15,920 --> 01:04:17,120
Time to recover.

1829
01:04:17,120 --> 01:04:20,320
How long until the business can operate safely again?

1830
01:04:20,320 --> 01:04:22,160
Not we stopped the attacker.

1831
01:04:22,160 --> 01:04:24,760
We restored trusted access and verified the control plane

1832
01:04:24,760 --> 01:04:25,680
is intact.

1833
01:04:25,680 --> 01:04:27,920
That model gives leaders something they can fund

1834
01:04:27,920 --> 01:04:29,640
because each stage has different blockers.

1835
01:04:29,640 --> 01:04:32,160
Time to detect is usually a signal coverage and correlation

1836
01:04:32,160 --> 01:04:33,040
problem.

1837
01:04:33,040 --> 01:04:35,720
Defender and entra can help, but only if the environment is

1838
01:04:35,720 --> 01:04:38,840
instrumented and identity signals aren't treated as optional.

1839
01:04:38,840 --> 01:04:41,800
Time to decide is usually a clarity problem.

1840
01:04:41,800 --> 01:04:44,360
Who owns the call, what thresholds matter,

1841
01:04:44,360 --> 01:04:45,920
and what actions are pre-approved?

1842
01:04:45,920 --> 01:04:48,320
Ambiguity is the most expensive security control

1843
01:04:48,320 --> 01:04:49,320
you can deploy.

1844
01:04:49,320 --> 01:04:51,640
Time to enforce is an architecture problem.

1845
01:04:51,640 --> 01:04:53,760
If revocation depends on token expiry,

1846
01:04:53,760 --> 01:04:55,080
you chose slow enforcement.

1847
01:04:55,080 --> 01:04:57,360
If enforcement depends on three teams in a meeting,

1848
01:04:57,360 --> 01:04:58,880
you chose slow enforcement.

1849
01:04:58,880 --> 01:05:00,560
CAE and privileged access governance

1850
01:05:00,560 --> 01:05:02,280
exist to collapse this gap.

1851
01:05:02,280 --> 01:05:04,560
Time to recover is an operating model problem.

1852
01:05:04,560 --> 01:05:07,360
If recoveries at Hock, it is slow by design.

1853
01:05:07,360 --> 01:05:09,600
If recovery tasks are templated, owned,

1854
01:05:09,600 --> 01:05:12,520
and automated where possible, it becomes repeatable.

1855
01:05:12,520 --> 01:05:15,520
Now here's what blocks MTTR improvement in real organizations,

1856
01:05:15,520 --> 01:05:16,680
unclear authority.

1857
01:05:16,680 --> 01:05:19,080
Nobody wants to be the person who disabled the CFO's

1858
01:05:19,080 --> 01:05:21,200
account during quarter close, so they escalate

1859
01:05:21,200 --> 01:05:22,720
until the attacker is done.

1860
01:05:22,720 --> 01:05:23,720
Manual handoffs.

1861
01:05:23,720 --> 01:05:26,160
Signals move from defender to email to chat to ticket,

1862
01:05:26,160 --> 01:05:27,880
with context lost every time.

1863
01:05:27,880 --> 01:05:28,920
Exception sprawl.

1864
01:05:28,920 --> 01:05:30,600
The most critical identities and apps

1865
01:05:30,600 --> 01:05:33,080
are often the most exempt, which means your highest risk

1866
01:05:33,080 --> 01:05:34,960
pathways are your least governable ones.

1867
01:05:34,960 --> 01:05:36,480
An entitlement ambiguity.

1868
01:05:36,480 --> 01:05:38,000
If you don't know what an identity can do,

1869
01:05:38,000 --> 01:05:39,440
you can't contain it confidently.

1870
01:05:39,440 --> 01:05:40,080
You hesitate.

1871
01:05:40,080 --> 01:05:41,120
The attacker doesn't.

1872
01:05:41,120 --> 01:05:44,200
So leadership should treat MTTR like a resilience KPI,

1873
01:05:44,200 --> 01:05:45,240
not a SOC KPI.

1874
01:05:45,240 --> 01:05:47,160
It's how you measure whether the enterprise

1875
01:05:47,160 --> 01:05:50,280
can make trust decisions and enforce them in business time.

1876
01:05:50,280 --> 01:05:52,440
Everything you funded earlier, intra-governance,

1877
01:05:52,440 --> 01:05:55,040
ITDI discipline, CIE, and defender to service

1878
01:05:55,040 --> 01:05:56,840
now orchestration should show up here

1879
01:05:56,840 --> 01:05:59,800
as lower decision latency and faster enforcement.

1880
01:05:59,800 --> 01:06:01,880
And if it doesn't, you don't have a tooling problem.

1881
01:06:01,880 --> 01:06:03,480
You have an operating model that still

1882
01:06:03,480 --> 01:06:05,760
confuses visibility with control.

1883
01:06:05,760 --> 01:06:06,760
Composite incident.

1884
01:06:06,760 --> 01:06:07,440
Same tools.

1885
01:06:07,440 --> 01:06:08,520
Different outcome.

1886
01:06:08,520 --> 01:06:11,320
Now put all of this into a story that leaders recognize,

1887
01:06:11,320 --> 01:06:14,240
not a named breach, not a vendor fairy tale.

1888
01:06:14,240 --> 01:06:16,480
A composite incident built from the same patterns,

1889
01:06:16,480 --> 01:06:19,160
every SOC and identity team has seen.

1890
01:06:19,160 --> 01:06:20,160
Session abuse.

1891
01:06:20,160 --> 01:06:21,000
Over permission.

1892
01:06:21,000 --> 01:06:23,000
Slow revocation and manual response.

1893
01:06:23,000 --> 01:06:24,000
Same organization.

1894
01:06:24,000 --> 01:06:25,280
Same Microsoft stack.

1895
01:06:25,280 --> 01:06:27,320
Same green dashboards.

1896
01:06:27,320 --> 01:06:30,000
Two different outcomes determined entirely by design.

1897
01:06:30,000 --> 01:06:32,040
In the first version, the attacker doesn't start

1898
01:06:32,040 --> 01:06:33,360
with some exotic exploit.

1899
01:06:33,360 --> 01:06:35,520
They start with an identity that has more authority

1900
01:06:35,520 --> 01:06:38,480
than anyone remembers approving, a contractor account,

1901
01:06:38,480 --> 01:06:40,840
a partner identity, or an internal user

1902
01:06:40,840 --> 01:06:43,760
who moved roles three times and kept access every time.

1903
01:06:43,760 --> 01:06:45,480
The initial foothold is boring.

1904
01:06:45,480 --> 01:06:48,960
A captured session token via a malicious browser extension.

1905
01:06:48,960 --> 01:06:50,920
A convincing OAuth consent.

1906
01:06:50,920 --> 01:06:53,840
Or straight credential theft followed by MFA completion.

1907
01:06:53,840 --> 01:06:55,960
It doesn't matter which because the system's failure mode

1908
01:06:55,960 --> 01:06:56,760
is the same.

1909
01:06:56,760 --> 01:06:58,880
The user successfully completed MFA.

1910
01:06:58,880 --> 01:07:00,760
So the attacker doesn't fight authentication.

1911
01:07:00,760 --> 01:07:01,720
They inherit it.

1912
01:07:01,720 --> 01:07:03,760
From there, the attacker explores entitlements.

1913
01:07:03,760 --> 01:07:05,200
They don't need to scan networks.

1914
01:07:05,200 --> 01:07:07,800
They just enumerate what the identity can reach.

1915
01:07:07,800 --> 01:07:09,040
SharePoint sites.

1916
01:07:09,040 --> 01:07:10,120
Teams files.

1917
01:07:10,120 --> 01:07:11,440
Mailbox rules.

1918
01:07:11,440 --> 01:07:12,960
Power BI workspaces.

1919
01:07:12,960 --> 01:07:14,080
Azure resources.

1920
01:07:14,080 --> 01:07:15,680
Third party SAS.

1921
01:07:15,680 --> 01:07:18,400
They look for the same things every attacker looks for.

1922
01:07:18,400 --> 01:07:19,560
Export paths.

1923
01:07:19,560 --> 01:07:20,640
Admin paths.

1924
01:07:20,640 --> 01:07:21,800
And trust paths.

1925
01:07:21,800 --> 01:07:23,160
Here's the weird part.

1926
01:07:23,160 --> 01:07:25,320
Most of this activity doesn't look like malware.

1927
01:07:25,320 --> 01:07:27,040
It looks like a busy employee.

1928
01:07:27,040 --> 01:07:27,920
Downloads.

1929
01:07:27,920 --> 01:07:28,760
List operations.

1930
01:07:28,760 --> 01:07:30,040
API calls.

1931
01:07:30,040 --> 01:07:30,840
Roll lookups.

1932
01:07:30,840 --> 01:07:31,800
Consent grants.

1933
01:07:31,800 --> 01:07:33,720
Maybe a few impossible travel hints.

1934
01:07:33,720 --> 01:07:35,240
But nothing that screams ransomware.

1935
01:07:35,240 --> 01:07:37,000
So the organization stays calm.

1936
01:07:37,000 --> 01:07:38,240
Defenders see signals.

1937
01:07:38,240 --> 01:07:39,600
Entracies risky behavior.

1938
01:07:39,600 --> 01:07:40,600
The logs are there.

1939
01:07:40,600 --> 01:07:42,600
But the decision loop isn't connected to enforcement.

1940
01:07:42,600 --> 01:07:45,520
So what happens is the most common failure mode in identity

1941
01:07:45,520 --> 01:07:46,280
incidents.

1942
01:07:46,280 --> 01:07:48,960
People notice, but nothing changes fast enough to matter.

1943
01:07:48,960 --> 01:07:50,640
A ticket gets created and analysts

1944
01:07:50,640 --> 01:07:51,920
pings the identity team.

1945
01:07:51,920 --> 01:07:54,800
The identity team asks the business owner whether the account

1946
01:07:54,800 --> 01:07:55,480
is critical.

1947
01:07:55,480 --> 01:07:56,960
The business owner isn't sure.

1948
01:07:56,960 --> 01:07:58,320
Someone schedules a call.

1949
01:07:58,320 --> 01:07:59,920
Meanwhile, the attacker keeps operating

1950
01:07:59,920 --> 01:08:01,360
because the session remains valid.

1951
01:08:01,360 --> 01:08:03,160
Tokens don't care about meetings.

1952
01:08:03,160 --> 01:08:04,800
Then the attacker finds the real value

1953
01:08:04,800 --> 01:08:07,360
an identity pathway that can change control.

1954
01:08:07,360 --> 01:08:09,280
A role that can read security settings.

1955
01:08:09,280 --> 01:08:11,760
An account that can create new app registrations.

1956
01:08:11,760 --> 01:08:14,440
A service principle with broad graph permissions.

1957
01:08:14,440 --> 01:08:15,960
Or a legacy admin group.

1958
01:08:15,960 --> 01:08:16,960
Nobody reviews.

1959
01:08:16,960 --> 01:08:19,840
Now the incident stops being suspicious user behavior

1960
01:08:19,840 --> 01:08:21,560
and becomes a business event.

1961
01:08:21,560 --> 01:08:24,480
Data exfiltration, control disablement, or persistence

1962
01:08:24,480 --> 01:08:25,520
creation.

1963
01:08:25,520 --> 01:08:27,520
And the root cause later reads like a checklist

1964
01:08:27,520 --> 01:08:28,840
of comfortable truths.

1965
01:08:28,840 --> 01:08:30,760
MFA was enabled.

1966
01:08:30,760 --> 01:08:32,760
Defender generated alerts.

1967
01:08:32,760 --> 01:08:33,880
We had logging.

1968
01:08:33,880 --> 01:08:35,200
We followed the process.

1969
01:08:35,200 --> 01:08:35,680
Yes.

1970
01:08:35,680 --> 01:08:38,240
And the attacker had time now rerun the same incident

1971
01:08:38,240 --> 01:08:39,480
in the redesigned environment.

1972
01:08:39,480 --> 01:08:41,880
Same tools, different outcome.

1973
01:08:41,880 --> 01:08:44,040
The attacker still gets the initial token.

1974
01:08:44,040 --> 01:08:45,320
That part is not fantasy.

1975
01:08:45,320 --> 01:08:46,200
Assume breach.

1976
01:08:46,200 --> 01:08:48,000
But the identity is governed differently.

1977
01:08:48,000 --> 01:08:49,200
The access is time bound.

1978
01:08:49,200 --> 01:08:51,000
Privilege is eligible, not standing.

1979
01:08:51,000 --> 01:08:52,280
Entitlements have owners.

1980
01:08:52,280 --> 01:08:54,960
And the first meaningful actions don't require heroics.

1981
01:08:54,960 --> 01:08:57,680
The first sign of risk elevates the account state.

1982
01:08:57,680 --> 01:09:00,360
Entrance identity signals change the trust decision.

1983
01:09:00,360 --> 01:09:03,200
CAE forces re-evaluation inside the session.

1984
01:09:03,200 --> 01:09:05,240
The attacker's borrowed trust collapses

1985
01:09:05,240 --> 01:09:07,160
while they're still trying to explore.

1986
01:09:07,160 --> 01:09:08,600
Not because someone woke up faster

1987
01:09:08,600 --> 01:09:11,240
because the platform revoked trust in business time.

1988
01:09:11,240 --> 01:09:13,880
At the same moment, Defender correlates the incident

1989
01:09:13,880 --> 01:09:15,480
and pushes it into service now

1990
01:09:15,480 --> 01:09:17,160
with the context already attached.

1991
01:09:17,160 --> 01:09:21,120
Identity, device, SaaS artifacts, and recommended containment.

1992
01:09:21,120 --> 01:09:23,240
Service now isn't used to start a conversation.

1993
01:09:23,240 --> 01:09:25,920
It's used to execute a predefined response path.

1994
01:09:25,920 --> 01:09:28,400
Automation takes the reversible steps immediately.

1995
01:09:28,400 --> 01:09:30,640
Revoke sessions, block risky sign-ins,

1996
01:09:30,640 --> 01:09:32,800
remove active privilege role assignments,

1997
01:09:32,800 --> 01:09:34,120
isolate the device if needed,

1998
01:09:34,120 --> 01:09:37,040
suspend suspicious or author's grounds if they exist.

1999
01:09:37,040 --> 01:09:38,640
Humans still decide the big calls.

2000
01:09:38,640 --> 01:09:40,200
Do we disable the account entirely?

2001
01:09:40,200 --> 01:09:41,520
Do we pause a business workflow?

2002
01:09:41,520 --> 01:09:42,400
Do we notify legal?

2003
01:09:42,400 --> 01:09:44,480
Do we trigger broader access reviews?

2004
01:09:44,480 --> 01:09:46,800
But humans are deciding while the attacker is contained.

2005
01:09:46,800 --> 01:09:48,560
Not while the attacker is still active.

2006
01:09:48,560 --> 01:09:50,000
That is the entire difference.

2007
01:09:50,000 --> 01:09:52,760
In the first environment, trust, drift, and decision-latency

2008
01:09:52,760 --> 01:09:55,760
turned a minor identity compromise into an enterprise incident.

2009
01:09:55,760 --> 01:09:57,560
In the second, the attacker still got in,

2010
01:09:57,560 --> 01:09:59,400
but they couldn't stay, couldn't escalate,

2011
01:09:59,400 --> 01:10:02,600
and couldn't move fast enough to make the event existential.

2012
01:10:02,600 --> 01:10:05,400
Same tools, same tenant, same budget line items.

2013
01:10:05,400 --> 01:10:06,480
Different outcome?

2014
01:10:06,480 --> 01:10:08,920
Because the organization stopped measuring security

2015
01:10:08,920 --> 01:10:11,840
by coverage and started engineering it as a control loop,

2016
01:10:11,840 --> 01:10:14,800
identity governance to reduce reckless entitlements,

2017
01:10:14,800 --> 01:10:17,720
CAE to revoke sessions when reality changes,

2018
01:10:17,720 --> 01:10:19,560
and orchestration to collapse the time

2019
01:10:19,560 --> 01:10:21,280
between signal and action.

2020
01:10:21,280 --> 01:10:23,320
This is the moment leaders need to internalize.

2021
01:10:23,320 --> 01:10:25,760
Security isn't the number of incidents you prevent.

2022
01:10:25,760 --> 01:10:28,000
It's the size and duration of the incidents you allow.

2023
01:10:28,000 --> 01:10:31,000
The executive operating model for security beyond controls.

2024
01:10:31,000 --> 01:10:33,840
So if the story is same tools, different outcome,

2025
01:10:33,840 --> 01:10:36,400
the obvious executive question is what actually changed?

2026
01:10:36,400 --> 01:10:39,240
Not the product list, the operating model.

2027
01:10:39,240 --> 01:10:40,960
Because controls don't run themselves,

2028
01:10:40,960 --> 01:10:43,480
they are executed through ownership, decision rights,

2029
01:10:43,480 --> 01:10:46,360
and a loop that converts intent into enforcement.

2030
01:10:46,360 --> 01:10:48,160
Without that, you're just accumulating features

2031
01:10:48,160 --> 01:10:49,560
and calling it maturity.

2032
01:10:49,560 --> 01:10:51,920
Here's the model leaders need to hold in their heads,

2033
01:10:51,920 --> 01:10:55,280
one loop, end to end, identity, trust decisions,

2034
01:10:55,280 --> 01:10:57,280
detection, response, recovery.

2035
01:10:57,280 --> 01:10:58,880
Identity is your control plane

2036
01:10:58,880 --> 01:11:00,640
because it's where permissions live.

2037
01:11:00,640 --> 01:11:02,960
Trust decisions are the policies that decide

2038
01:11:02,960 --> 01:11:05,520
under what conditions is that identity allowed to act.

2039
01:11:05,520 --> 01:11:07,360
And detection is the sensing layer.

2040
01:11:07,360 --> 01:11:08,840
Response is the action layer.

2041
01:11:08,840 --> 01:11:11,880
Recovery is the process of restoring trusted operations

2042
01:11:11,880 --> 01:11:14,360
and proving the environment is clean enough to resume.

2043
01:11:14,360 --> 01:11:16,160
If any part of that loop is weak,

2044
01:11:16,160 --> 01:11:18,680
the whole enterprise becomes a probabilistic system.

2045
01:11:18,680 --> 01:11:20,840
And leaders should stop accepting probabilistic.

2046
01:11:20,840 --> 01:11:23,320
Now, most enterprises treat each part of that loop

2047
01:11:23,320 --> 01:11:25,200
as a separate department, identity team,

2048
01:11:25,200 --> 01:11:28,040
security operations, IT operations, application owners,

2049
01:11:28,040 --> 01:11:31,280
risk, legal audit, the attacker doesn't care.

2050
01:11:31,280 --> 01:11:33,440
So the operating model has to align those pieces

2051
01:11:33,440 --> 01:11:37,040
without creating a bureaucracy that moves slower than the threat.

2052
01:11:37,040 --> 01:11:39,680
That starts with a clean split, policy intent

2053
01:11:39,680 --> 01:11:41,120
versus policy enforcement.

2054
01:11:41,120 --> 01:11:42,800
Policy intent belongs to the business,

2055
01:11:42,800 --> 01:11:45,080
not because the business writes conditional access rules,

2056
01:11:45,080 --> 01:11:47,920
but because the business defines the tolerable risk.

2057
01:11:47,920 --> 01:11:50,440
Who should have access to what, for how long,

2058
01:11:50,440 --> 01:11:52,440
with what approvals and under what conditions?

2059
01:11:52,440 --> 01:11:54,760
That's governance, that's not an IT preference.

2060
01:11:54,760 --> 01:11:56,680
That's a business decision about trust.

2061
01:11:56,680 --> 01:11:59,040
Policy enforcement belongs to the platform teams.

2062
01:11:59,040 --> 01:12:01,520
Identity, endpoint, and security engineering

2063
01:12:01,520 --> 01:12:04,760
translate intent into deterministic mechanisms.

2064
01:12:04,760 --> 01:12:07,920
Conditional access, privileged access constraints,

2065
01:12:07,920 --> 01:12:12,360
entitlement packages, CAE triggers, and automation playbooks.

2066
01:12:12,360 --> 01:12:14,800
But the key is this, enforcement must be testable.

2067
01:12:14,800 --> 01:12:17,640
If a policy can't be tested under realistic conditions,

2068
01:12:17,640 --> 01:12:20,520
it's not a control, it's a belief.

2069
01:12:20,520 --> 01:12:22,520
The second component of the operating model

2070
01:12:22,520 --> 01:12:23,720
is exception governance.

2071
01:12:23,720 --> 01:12:25,280
This is where most programs collapse.

2072
01:12:25,280 --> 01:12:28,320
Exceptions are not rare edge cases, they are entropy generators.

2073
01:12:28,320 --> 01:12:30,720
They accumulate because the business is trying to function

2074
01:12:30,720 --> 01:12:32,720
and because security is trying to accommodate,

2075
01:12:32,720 --> 01:12:34,720
overtime exceptions become the real policy

2076
01:12:34,720 --> 01:12:36,720
and the real policy becomes theater.

2077
01:12:36,720 --> 01:12:39,400
So executives need a non-negotiable rule.

2078
01:12:39,400 --> 01:12:41,920
Every exception must have an owner,

2079
01:12:41,920 --> 01:12:45,800
a justification, an expiration date, and a review cadence.

2080
01:12:45,800 --> 01:12:48,400
No expiration means you're not granting an exception.

2081
01:12:48,400 --> 01:12:51,200
You're redesigning the security model without admitting it.

2082
01:12:51,200 --> 01:12:54,000
And exceptions need to be treated as first class risk objects,

2083
01:12:54,000 --> 01:12:56,320
tracked, measured, and reduced over time.

2084
01:12:56,320 --> 01:12:58,280
Otherwise, you will always enable CAE,

2085
01:12:58,280 --> 01:13:00,560
enable governance, enable zero trust,

2086
01:13:00,560 --> 01:13:03,360
and then quietly bypass it everywhere it matters.

2087
01:13:03,360 --> 01:13:06,120
Third, decision speed requires decision rights.

2088
01:13:06,120 --> 01:13:07,920
Identity incidents become expensive

2089
01:13:07,920 --> 01:13:09,360
when nobody is allowed to act.

2090
01:13:09,360 --> 01:13:12,000
The SOCC signals but can't revoke access.

2091
01:13:12,000 --> 01:13:14,920
It can isolate devices but can't disable accounts.

2092
01:13:14,920 --> 01:13:18,000
App owners can approve access, but don't understand blast radius.

2093
01:13:18,000 --> 01:13:21,120
Legal one certainty, the business one's continuity.

2094
01:13:21,120 --> 01:13:23,720
So define three tiers of authority in advance.

2095
01:13:23,720 --> 01:13:26,080
Tier one, pre-approved, reversible actions

2096
01:13:26,080 --> 01:13:28,640
that can happen immediately when confidence is high,

2097
01:13:28,640 --> 01:13:31,720
session revocation, forcing reauthentication,

2098
01:13:31,720 --> 01:13:35,800
blocking risky sign-ins, suspending a suspicious O-orth grant.

2099
01:13:35,800 --> 01:13:37,600
These should not require a meeting.

2100
01:13:37,600 --> 01:13:39,640
Tier two, disruptive but bounded actions

2101
01:13:39,640 --> 01:13:41,280
that require fast approval,

2102
01:13:41,280 --> 01:13:43,600
disabling an account tied to revenue workflows,

2103
01:13:43,600 --> 01:13:45,560
locking down a sensitive sharepoint site,

2104
01:13:45,560 --> 01:13:48,640
removing privileged access from a production operator.

2105
01:13:48,640 --> 01:13:50,840
These need named approvals, not the team.

2106
01:13:50,840 --> 01:13:53,200
Tier three, enterprise impact actions

2107
01:13:53,200 --> 01:13:55,720
that trigger executive incident governance.

2108
01:13:55,720 --> 01:13:58,160
Broad access shutdowns, customer notifications,

2109
01:13:58,160 --> 01:13:59,680
regulatory disclosures.

2110
01:13:59,680 --> 01:14:01,800
These are rare but if you don't pre-define them,

2111
01:14:01,800 --> 01:14:04,080
you'll discover your authority model in real time.

2112
01:14:04,080 --> 01:14:06,160
That's not leadership, that's improvisation.

2113
01:14:06,160 --> 01:14:07,680
Fourth, investment posture.

2114
01:14:07,680 --> 01:14:10,000
Leaders need to fund the loop, not the sensors.

2115
01:14:10,000 --> 01:14:12,200
If the organization already detects plenty

2116
01:14:12,200 --> 01:14:13,560
but still bleeds time,

2117
01:14:13,560 --> 01:14:16,760
the gap is response, orchestration, and identity enforcement.

2118
01:14:16,760 --> 01:14:19,520
That means funding integration work, automation playbooks,

2119
01:14:19,520 --> 01:14:22,640
entitlement, cleanup, and application modernization

2120
01:14:22,640 --> 01:14:24,560
so that revocation is actually honored

2121
01:14:24,560 --> 01:14:27,480
that is not operational detail, that is the only path

2122
01:14:27,480 --> 01:14:29,720
to reducing MTTR, finally accountability,

2123
01:14:29,720 --> 01:14:31,720
not in the abstract, in the operating rhythm.

2124
01:14:31,720 --> 01:14:34,400
Every quarter leaders should demand three outputs.

2125
01:14:34,400 --> 01:14:37,160
Current MTTR for identity-driven incidents,

2126
01:14:37,160 --> 01:14:40,880
the top ten exception paths by risk and business criticality,

2127
01:14:40,880 --> 01:14:43,520
and the backlog of identity and response improvements

2128
01:14:43,520 --> 01:14:45,240
with owners and dates.

2129
01:14:45,240 --> 01:14:46,440
If those three are visible,

2130
01:14:46,440 --> 01:14:49,240
security stops being an argument and becomes a new problem

2131
01:14:49,240 --> 01:14:52,400
a system, that's the executive operating model, one loop.

2132
01:14:52,400 --> 01:14:55,240
Explicit ownership, governed exceptions, pre-approved actions,

2133
01:14:55,240 --> 01:14:57,880
and a scoreboard that measures speed of containment.

2134
01:14:57,880 --> 01:14:59,360
Everything else is commentary.

2135
01:14:59,360 --> 01:15:00,680
Executive checklist.

2136
01:15:00,680 --> 01:15:02,440
What to ask your teams this quarter?

2137
01:15:02,440 --> 01:15:04,640
If leadership wants this to move from security

2138
01:15:04,640 --> 01:15:06,920
is complicated to security is operated,

2139
01:15:06,920 --> 01:15:09,360
the fastest way is to ask better questions.

2140
01:15:09,360 --> 01:15:12,080
Not more questions, better ones.

2141
01:15:12,080 --> 01:15:14,080
Here are the questions that cut through tooling

2142
01:15:14,080 --> 01:15:16,480
and land directly on system behavior.

2143
01:15:16,480 --> 01:15:18,440
First, where do we have authorization risk,

2144
01:15:18,440 --> 01:15:19,640
not authentication gaps?

2145
01:15:19,640 --> 01:15:21,600
Don't accept we have MFA as an answer.

2146
01:15:21,600 --> 01:15:24,520
Asquare-accompromised identity could still do disproportionate damage

2147
01:15:24,520 --> 01:15:26,000
because the entitlements are wrong.

2148
01:15:26,000 --> 01:15:27,080
Who can export data?

2149
01:15:27,080 --> 01:15:28,680
Who can change sharing settings?

2150
01:15:28,680 --> 01:15:30,240
Who can create app registrations?

2151
01:15:30,240 --> 01:15:31,720
Who can grant admin consent?

2152
01:15:31,720 --> 01:15:33,160
Who can disable controls?

2153
01:15:33,160 --> 01:15:35,040
If the answer is we are not sure.

2154
01:15:35,040 --> 01:15:36,280
That's not a visibility gap.

2155
01:15:36,280 --> 01:15:37,640
That's unmanaged blast radius.

2156
01:15:37,640 --> 01:15:41,280
Second, which identities can change systems, data, or controls?

2157
01:15:41,280 --> 01:15:42,960
Humans and non-humans.

2158
01:15:42,960 --> 01:15:45,320
This is where most organizations lie to themselves.

2159
01:15:45,320 --> 01:15:46,360
They can list admins.

2160
01:15:46,360 --> 01:15:48,960
They can't list service principles, automation accounts,

2161
01:15:48,960 --> 01:15:52,960
CIS, CD identities, connectors, or the new wave of agent identities.

2162
01:15:52,960 --> 01:15:55,800
If machine identities outnumber humans in your environment

2163
01:15:55,800 --> 01:15:57,760
and they usually do then governing only humans

2164
01:15:57,760 --> 01:15:59,400
is a decorative security program.

2165
01:15:59,400 --> 01:16:02,680
Ask for an inventory, ownership model, and rotation posture.

2166
01:16:02,680 --> 01:16:04,720
If nobody owns an identity, it owns you.

2167
01:16:04,720 --> 01:16:06,800
Third, how quickly can we revoke access

2168
01:16:06,800 --> 01:16:08,800
across our critical apps when risk changes?

2169
01:16:08,800 --> 01:16:10,840
Not can we disable the user?

2170
01:16:10,840 --> 01:16:13,360
How quickly can we actually remove effective access

2171
01:16:13,360 --> 01:16:14,680
in the apps that matter?

2172
01:16:14,680 --> 01:16:17,480
Email, files, collaboration, ERP finance,

2173
01:16:17,480 --> 01:16:20,200
ticketing code repos, and your top SAS platforms.

2174
01:16:20,200 --> 01:16:22,520
Ask for proof, not assurance, which of these apps

2175
01:16:22,520 --> 01:16:25,280
honor near real-time revocation signals,

2176
01:16:25,280 --> 01:16:28,160
and which will keep a session alive until token expiry.

2177
01:16:28,160 --> 01:16:30,680
If revocation is slow, you are granting attackers time

2178
01:16:30,680 --> 01:16:31,360
by design.

2179
01:16:31,360 --> 01:16:34,760
Fourth, how many response steps remain manual and why?

2180
01:16:34,760 --> 01:16:36,640
This is not a call to automate everything.

2181
01:16:36,640 --> 01:16:39,240
It's a call to identify the latency you've normalized.

2182
01:16:39,240 --> 01:16:41,400
Ask your teams to map one identity incident

2183
01:16:41,400 --> 01:16:43,120
and to end and count the handoffs.

2184
01:16:43,120 --> 01:16:45,960
How many times does context get re-entered into a new system?

2185
01:16:45,960 --> 01:16:49,360
How many steps exist only because systems don't talk to each other?

2186
01:16:49,360 --> 01:16:50,720
The goal is not fewer tickets.

2187
01:16:50,720 --> 01:16:53,640
The goal is fewer minutes between signal and containment.

2188
01:16:53,640 --> 01:16:55,360
Fifth, what exceptions exist?

2189
01:16:55,360 --> 01:16:57,120
Who owns them and when do they expire?

2190
01:16:57,120 --> 01:16:58,480
Executives are often the reason

2191
01:16:58,480 --> 01:17:02,040
exception culture survives, so ask for the uncomfortable list.

2192
01:17:02,040 --> 01:17:05,040
Exclusions in conditional access, bypasses for business

2193
01:17:05,040 --> 01:17:08,400
critical apps, accounts that never get access reviewed,

2194
01:17:08,400 --> 01:17:11,520
service principles with broad permissions temporarily,

2195
01:17:11,520 --> 01:17:15,360
and privileged roles that stay standing because it's easier.

2196
01:17:15,360 --> 01:17:19,440
If an exception has no owner and no expiry, it is not an exception.

2197
01:17:19,440 --> 01:17:20,880
It is the real architecture.

2198
01:17:20,880 --> 01:17:24,160
Sixth, what is our current MTTR for identity-driven incidents

2199
01:17:24,160 --> 01:17:27,840
and to end, not a guess, not a slide, a measured baseline?

2200
01:17:27,840 --> 01:17:32,000
An MTTR broken into detect, decide, enforce, recover.

2201
01:17:32,000 --> 01:17:34,040
If your teams can't produce those timestamps,

2202
01:17:34,040 --> 01:17:35,000
they can't improve them.

2203
01:17:35,000 --> 01:17:37,600
If they can produce them, then leadership can fund

2204
01:17:37,600 --> 01:17:39,400
the stage that is actually slow.

2205
01:17:39,400 --> 01:17:43,880
Decision rights, enforcement mechanisms, or recovery workflows.

2206
01:17:43,880 --> 01:17:46,320
Seventh, and this is the one most leaders avoid.

2207
01:17:46,320 --> 01:17:49,160
Who has authority to act and how fast can they act

2208
01:17:49,160 --> 01:17:51,320
when the identity is politically sensitive?

2209
01:17:51,320 --> 01:17:53,320
Ask specifically about the hard cases,

2210
01:17:53,320 --> 01:17:56,000
an executive account, a production deployment identity,

2211
01:17:56,000 --> 01:17:58,400
a revenue workflow, a third party integration

2212
01:17:58,400 --> 01:18:02,360
that a business unit owns or a service principle nobody understands.

2213
01:18:02,360 --> 01:18:05,240
In those cases, does the organization have pre-approved actions

2214
01:18:05,240 --> 01:18:06,640
or does it have meetings?

2215
01:18:06,640 --> 01:18:09,120
Because an attacker doesn't care that the identity is important,

2216
01:18:09,120 --> 01:18:10,440
they care that it is powerful.

2217
01:18:10,440 --> 01:18:12,600
If you ask these questions and you get vague answers,

2218
01:18:12,600 --> 01:18:14,440
that is not a failure of the security team.

2219
01:18:14,440 --> 01:18:16,760
That is a leadership problem, unclear intent,

2220
01:18:16,760 --> 01:18:20,600
unclear ownership, and no mandate to reduce decision latency.

2221
01:18:20,600 --> 01:18:23,240
So don't ask your teams for a zero trust road map,

2222
01:18:23,240 --> 01:18:26,440
ask them for proof that the trust model is enforceable,

2223
01:18:26,440 --> 01:18:29,600
exceptions are governed, and response actions are pre-approved

2224
01:18:29,600 --> 01:18:30,280
and rehearsed.

2225
01:18:30,280 --> 01:18:33,640
That is what security maturity looks like when it's real time.

2226
01:18:33,640 --> 01:18:35,840
Conclusion by security as an enabler.

2227
01:18:35,840 --> 01:18:38,480
Security maturity is safe autonomy plus fast recovery,

2228
01:18:38,480 --> 01:18:41,760
measured by MTTR, not by how many controls you can list.

2229
01:18:41,760 --> 01:18:43,440
If you want the practitioner version of this,

2230
01:18:43,440 --> 01:18:45,560
listen to the follow-up episode where we unpack

2231
01:18:45,560 --> 01:18:48,560
intra-governance, CAE, and Defender to Service

2232
01:18:48,560 --> 01:18:51,000
now responds loops in plain operational terms.

2233
01:18:51,000 --> 01:18:54,480
Subscribe to M365FM and queue that next episode now.