Most organizations still think of ServiceNow as a ticketing system.
That framing is not just wrong—it’s actively harmful.

Ticketing was the entry point, not the destination.

The real enterprise problem is not tool sprawl. It’s that work has no single authoritative state, no durable ownership, and no enforceable path from “someone asked” to “it’s done.” Enterprises are digitally rich—full of platforms, apps, and automation—but operationally fragmented because they lack a true operating layer.

This episode lays out a clear architectural model that explains:

Why Microsoft is where intent is created

Why ServiceNow is where intent must become execution

Why tickets track pain, but workflows control outcomes

And why AI without workflow governance accelerates entropy instead of eliminating it

The core insight is simple but uncomfortable:
Enterprises don’t fail because they lack systems. They fail because execution lives in side channels.

1. The Fundamental Misunderstanding

ServiceNow is not a ticketing tool.

Tickets are containers for pain.
Workflows are systems of control.

When organizations treat ticketing as the operating model, they optimize for:

  • Faster logging

  • Better categorization

  • Cleaner dashboards

Meanwhile, the real failures continue:

  • Approvals happen in chat

  • Exceptions bypass policy

  • Ownership dissolves across teams

  • Audit trails are reconstructed after the fact

Ticketing creates visibility.
Execution requires enforceable state.


2. Digitally Rich, Operationally Fragmented

Modern enterprises already have:

  • Microsoft 365

  • ERP systems

  • HR systems

  • Security platforms

  • Finance, procurement, facilities tools

What they don’t have is a shared execution layer.

Instead, they operate as:

  • Inboxes

  • Teams channels

  • Portals

  • Email threads

  • Spreadsheets

  • Shared mailboxes

Each queue has local truth.
None of them have end-to-end truth.

That distinction is why organizations have activity everywhere—and progress nowhere.


3. Where Work Actually Starts

Work doesn’t start in portals.
It starts where humans already live:

  • Chats

  • Emails

  • Meetings

  • Documents

That’s why Microsoft is the intent plane.

People describe needs in natural language:

  • “We need a new laptop”

  • “Can we approve this vendor today?”

  • “This account is compromised”

  • “They start Monday”

Intent is born as conversation, not records.

The failure begins when organizations force humans to context-switch without preserving intent, ownership, or state.


4. Why This Is Not a UX Problem

Every jump between systems costs more than time.

It costs:

  • Loss of state

  • Loss of accountability

  • Loss of evidence

People don’t remember what they did.
They remember where they did it.

That’s how organizations end up saying:

“We don’t know what happened.”


5. The Queue Fallacy

Most enterprises think they have workflows.

What they actually have is queues:

  • Requests wait

  • Humans improvise

  • Side channels decide

  • Systems record later

This creates:

  • Shadow approvals

  • Shortcut exceptions

  • Permanent “temporary” access

  • Compliance drift

Queues track pressure.
Workflows control outcomes.


6. Tickets vs Workflows (The Line That Matters)

A ticket:

  • Logs pain

  • Enables triage

  • Supports SLAs

  • Assigns responsibility

A workflow:

  • Defines sequence

  • Enforces ownership

  • Requires evidence

  • Prevents skipping steps

If your process can advance because someone typed “approved” in chat, you don’t have a workflow.

You have conditional chaos.


7. System of Record vs System of Action

This episode reframes platforms using an older—but more accurate—lens:

Systems of Record

  • ERP

  • HRIS

  • Financial systems

They are:

  • Correct by design

  • Slow on purpose

  • Built for integrity, audit, and durability

They preserve truth.
They do not orchestrate humans.

Systems of Action

This is the missing layer.

They must:

  • Hold authoritative state

  • Enforce sequencing

  • Coordinate humans

  • Produce defensible evidence

Most organizations try to make systems of record behave like systems of action—and fail.


8. Why Microsoft and ServiceNow Are Not Competitors

The correct architecture is a split-brain model by design.

  • Microsoft = Engagement & Intent

    • Chats, meetings, email, documents

    • Human context and pressure

    • Collaboration at scale

  • ServiceNow = Execution & Control

    • Workflow state

    • Routing and approvals

    • Evidence and auditability

Microsoft is the front door.
ServiceNow is the factory floor.

Trying to crown one “single pane of glass” creates brittle systems and blurred authority.


9. Why AI Changes Everything—and Makes Governance Mandatory

AI excels at:

  • Summarizing conversations

  • Extracting intent

  • Suggesting next steps

  • Reducing cognitive load

AI fails catastrophically when:

  • It writes directly to execution systems

  • It bypasses workflow state

  • It operates without audit constraints

Read can be fast and forgiving.
Write must be governed.

AI belongs at the edges of execution, not at the center.
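
The workflow properties listed in sections 6 and 7 (sequence, ownership, evidence, no skipped steps) and the "write must be governed" rule above, sketched as a small state machine with a hash-chained audit trail. This is an added example, not code from the episode, ServiceNow or Microsoft; the access-request states, role names, evidence keys and record IDs are assumptions made up for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical access-request workflow (states, roles and evidence keys are
# illustrative): state -> (next state, role that owns the step, required evidence)
TRANSITIONS = {
    "requested": ("manager_approved", "manager", {"approval_record_id"}),
    "manager_approved": ("security_reviewed", "security", {"risk_assessment_id"}),
    "security_reviewed": ("fulfilled", "fulfiller", {"change_record_id"}),
}
READ_ONLY_ROLES = {"ai_assistant"}  # may read and propose, never write state


class TransitionDenied(Exception):
    """A write that violates sequence, ownership or evidence rules."""


@dataclass
class Workflow:
    request_id: str
    state: str = "requested"
    audit: list = field(default_factory=list)

    def _record(self, event):
        # Chain each entry to the previous hash so later edits are detectable.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.audit.append({"event": event, "prev": prev, "hash": digest})

    def propose(self, actor, role, note):
        """Log a suggestion (for example an AI summary); state is unchanged."""
        self._record({"type": "proposal", "actor": actor, "role": role,
                      "state": self.state, "note": note})

    def _denial_reason(self, role, target, evidence):
        if role in READ_ONLY_ROLES:
            return "role is read-only"
        rule = TRANSITIONS.get(self.state)
        if rule is None:
            return "workflow is already in a terminal state"
        next_state, owner, required = rule
        if target != next_state:
            return f"sequence violation: next state is {next_state}"
        if role != owner:
            return f"ownership violation: step belongs to {owner}"
        missing = sorted(k for k in required if not evidence.get(k))
        if missing:
            return "missing evidence: " + ", ".join(missing)
        return None

    def advance(self, actor, role, target, evidence):
        reason = self._denial_reason(role, target, evidence)
        event = {"actor": actor, "role": role, "from": self.state,
                 "to": target, "evidence": evidence}
        if reason:
            self._record({"type": "denied", "reason": reason, **event})
            raise TransitionDenied(reason)
        self._record({"type": "transition", **event})
        self.state = target

    def audit_intact(self):
        prev = "0" * 64
        for entry in self.audit:
            body = json.dumps(entry["event"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True


def run_scenario():
    """Constructed scenario: three bypass attempts, then the governed path."""
    wf = Workflow("REQ-1")  # constructed identifier
    wf.propose("assistant", "ai_assistant", "Requester asked for access in chat")
    steps = [
        # "approved" typed in chat is not an approval record
        ("alice", "manager", "manager_approved", {"chat_message": "approved"}),
        # skipping straight to fulfilment
        ("bob", "fulfiller", "fulfilled", {"change_record_id": "CHG-1"}),
        # an assistant writing directly to execution state
        ("assistant", "ai_assistant", "manager_approved", {"approval_record_id": "APR-1"}),
        # governed path: right order, right owner, evidence attached
        ("alice", "manager", "manager_approved", {"approval_record_id": "APR-1"}),
        ("carol", "security", "security_reviewed", {"risk_assessment_id": "RSK-1"}),
        ("bob", "fulfiller", "fulfilled", {"change_record_id": "CHG-1"}),
    ]
    denied = []
    for actor, role, target, evidence in steps:
        try:
            wf.advance(actor, role, target, evidence)
        except TransitionDenied as exc:
            denied.append(str(exc))
    return wf, denied
```

`run_scenario()` returns the workflow and the list of refusal reasons; refused attempts are written to the same audit chain as successful transitions, so the trail does not have to be reconstructed after the fact.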


10. Real Scenarios That Expose the Truth

Employee Onboarding

Not an HR ticket.
A cross-domain supply chain:

  • Identity

  • Access

  • Devices

  • Security

  • Compliance

If the chain isn’t enforced, onboarding becomes chaos with a calendar attached.

Security Incident Response

  • Teams for collaboration

  • ServiceNow for controlled execution

War rooms coordinate.
Workflows contain blast radius.

Finance & Procurement

  • Intent starts in chat

  • Policy enforcement happens in workflows

  • ERP records the outcome

Approvals in email feel fast.
Audits make them expensive.

Major Incidents & Emergency Change

Speed without control creates repeat outages.
Change management exists to prevent today’s fix from becoming tomorrow’s incident.


11. The Operating Layer Model

Every enterprise operation follows the same chain:

Events → Workflows → Decisions → Outcomes

Most organizations:

  • Drown in events

  • Improvise workflows

  • Outsource decisions to side channels

  • Act surprised by inconsistent outcomes

The operating layer exists to make that chain deterministic.


12. The One Sentence That Matters

Microsoft captures intent.
ServiceNow executes intent.

That line is not a slogan.
It is an enforcement boundary.


13. The Final Takeaway

Enterprises don’t lose to technology.
They lose to entropy under pressure.

The future is not smarter chatbots.
It is governed execution.

When:

  • Humans generate intent

  • AI accelerates understanding

  • Workflows enforce reality

  • Systems record evidence

Automation finally survives contact with the real organization.

Transcript

1
00:00:00,000 --> 00:00:03,680
Most organizations still talk about ServiceNow like it's the ticketing system.

2
00:00:03,680 --> 00:00:04,600
They are wrong.

3
00:00:04,600 --> 00:00:07,200
Ticketing was the entry point, not the destination.

4
00:00:07,200 --> 00:00:09,480
The real enterprise problem isn't too many tools.

5
00:00:09,480 --> 00:00:14,840
It's that work has no single state, no owner, and no enforceable path from someone asked to.

6
00:00:14,840 --> 00:00:15,880
It's done.

7
00:00:15,880 --> 00:00:17,840
Microsoft is where intent shows up.

8
00:00:17,840 --> 00:00:20,200
Chats, emails, meetings, documents.

9
00:00:20,200 --> 00:00:23,080
ServiceNow is where intent becomes execution.

10
00:00:23,080 --> 00:00:26,320
Routing, approvals, evidence, audit.

11
00:00:26,320 --> 00:00:29,440
In the next hour, this will get painfully obvious because workflows

12
00:00:29,440 --> 00:00:30,440
don't fail in theory.

13
00:00:30,440 --> 00:00:32,400
They fail in your org chart.

14
00:00:32,400 --> 00:00:36,520
The enterprise workflow problem, digitally rich, operationally fragmented.

15
00:00:36,520 --> 00:00:38,080
Enterprises are digitally rich.

16
00:00:38,080 --> 00:00:44,160
They have Microsoft 365, they have an ERP, they have a dozen best of breed tools for security,

17
00:00:44,160 --> 00:00:49,400
HR, facilities, finance, procurement, customer operations, and whatever else someone bought

18
00:00:49,400 --> 00:00:51,400
during the last incident review.

19
00:00:51,400 --> 00:00:55,360
And they're still operationally fragmented because having systems isn't the same as having

20
00:00:55,360 --> 00:00:57,360
an operating layer.

21
00:00:57,360 --> 00:01:00,240
What most environments actually have is a collection of queues.

22
00:01:00,240 --> 00:01:05,640
Inboxes, Teams channels, portals, ticket forms, Excel trackers, and shared mailboxes.

23
00:01:05,640 --> 00:01:06,920
Each queue has local truth.

24
00:01:06,920 --> 00:01:08,400
None of them have end-to-end truth.

25
00:01:08,400 --> 00:01:10,160
That distinction matters.

26
00:01:10,160 --> 00:01:12,000
The typical day looks like this.

27
00:01:12,000 --> 00:01:15,360
Someone starts in Teams or Outlook because that's where people actually work.

28
00:01:15,360 --> 00:01:19,480
They describe a need, new laptop, new access, purchase approval, urgent security alert,

29
00:01:19,480 --> 00:01:23,200
production outage, intent is created as a message, not a record.

30
00:01:23,200 --> 00:01:24,880
Then the system forces a context switch.

31
00:01:24,880 --> 00:01:29,040
Go to a portal, find the right form, pick the right category, attach the right screenshot,

32
00:01:29,040 --> 00:01:31,760
retype the same story you already wrote in chat.

33
00:01:31,760 --> 00:01:34,320
Submit, wait, follow up, follow up again.

34
00:01:34,320 --> 00:01:37,520
This is not a user experience problem, it's an execution model problem.

35
00:01:37,520 --> 00:01:41,160
Every time someone jumps from Teams to a portal to an email thread to a spreadsheet and

36
00:01:41,160 --> 00:01:43,400
back again, the organization is paying a tax.

37
00:01:43,400 --> 00:01:47,320
It's not just time, it's loss of state, loss of accountability, and loss of evidence.

38
00:01:47,320 --> 00:01:48,640
People don't remember what they did.

39
00:01:48,640 --> 00:01:49,920
They remember where they did it.

40
00:01:49,920 --> 00:01:52,920
And that becomes the root cause of, we don't know what happened.

41
00:01:52,920 --> 00:01:57,080
The worst part is what happens next, manual handoffs, approvals, escalations, exceptions,

42
00:01:57,080 --> 00:02:00,000
quick favors, side channel decisions in chat.

43
00:02:00,000 --> 00:02:03,400
These are entropy generators that they feel fast in the moment and they're catastrophic

44
00:02:03,400 --> 00:02:04,400
later.

45
00:02:04,400 --> 00:02:08,640
Because each exception bypasses the thing that makes an enterprise predictable, a controlled

46
00:02:08,640 --> 00:02:13,440
sequence of steps with clear ownership and an ordered trail that survives turnover and

47
00:02:13,440 --> 00:02:14,440
panic.

48
00:02:14,440 --> 00:02:18,040
So you end up with a business that can produce documents, send messages, and host meetings

49
00:02:18,040 --> 00:02:21,480
at industrial scale, but can't reliably move work across boundaries.

50
00:02:21,480 --> 00:02:24,000
And that's why visibility fails.

51
00:02:24,000 --> 00:02:25,480
Locally everyone can see their piece.

52
00:02:25,480 --> 00:02:26,920
I sent the email.

53
00:02:26,920 --> 00:02:28,200
I approved in chat.

54
00:02:28,200 --> 00:02:30,000
I deployed the fix.

55
00:02:30,000 --> 00:02:32,000
Procurement is looking at it.

56
00:02:32,000 --> 00:02:33,160
Security said it was fine.

57
00:02:33,160 --> 00:02:34,360
Each team has a story.

58
00:02:34,360 --> 00:02:35,360
End to end.

59
00:02:35,360 --> 00:02:36,360
Nobody has the state machine.

60
00:02:36,360 --> 00:02:39,000
You get status everywhere and progress nowhere.

61
00:02:39,000 --> 00:02:42,160
Now the comfortable objection is, but we have an ERP.

62
00:02:42,160 --> 00:02:43,160
Yes, you do.

63
00:02:43,160 --> 00:02:44,560
It records transactions.

64
00:02:44,560 --> 00:02:45,560
It doesn't route work.

65
00:02:45,560 --> 00:02:48,640
It's designed to preserve integrity, not orchestrate humans.

66
00:02:48,640 --> 00:02:50,240
An ERP is a system of record.

67
00:02:50,240 --> 00:02:51,240
That's not an insult.

68
00:02:51,240 --> 00:02:52,240
That's the point.

69
00:02:52,240 --> 00:02:55,040
It's slow by design because correctness matters more than speed.

70
00:02:55,040 --> 00:02:58,080
The next objection is, but we have Microsoft 365.

71
00:02:58,080 --> 00:02:59,080
Yes, you do.

72
00:02:59,080 --> 00:03:02,120
It creates artifacts, emails, documents, meetings, chats, tasks.

73
00:03:02,120 --> 00:03:05,440
It captures intent extremely well, but it doesn't enforce intent.

74
00:03:05,440 --> 00:03:06,880
It doesn't guarantee sequence.

75
00:03:06,880 --> 00:03:08,800
It doesn't decide who owns the next step.

76
00:03:08,800 --> 00:03:10,320
It doesn't compel evidence.

77
00:03:10,320 --> 00:03:12,680
It's a productivity surface, not an execution engine.

78
00:03:12,680 --> 00:03:15,680
So organizations try to patch the gap with automation.

79
00:03:15,680 --> 00:03:20,440
They build small flows, post a message, create a task, mirror a notification.

80
00:03:20,440 --> 00:03:24,440
Even those flows multiply, ownership disappears and governance never shows up.

81
00:03:24,440 --> 00:03:25,960
Shadow automation is not innovation.

82
00:03:25,960 --> 00:03:28,360
It's integration debt with a friendly UI.

83
00:03:28,360 --> 00:03:31,360
And the longer it runs, the worse it gets.

84
00:03:31,360 --> 00:03:33,800
Connectors get overscoped to make it work.

85
00:03:33,800 --> 00:03:37,360
Service accounts become permanent super-users and nobody remembers why.

86
00:03:37,360 --> 00:03:39,320
This is the foundational mistake.

87
00:03:39,320 --> 00:03:42,160
Treating workflows like a side feature of tools.

88
00:03:42,160 --> 00:03:45,520
Instead of treating workflows as the thing the enterprise runs on, because the enterprise

89
00:03:45,520 --> 00:03:47,000
already runs on workflows.

90
00:03:47,000 --> 00:03:48,800
They're just undocumented and unowned.

91
00:03:48,800 --> 00:03:50,440
Onboarding isn't an HR ticket.

92
00:03:50,440 --> 00:03:52,440
It's a cross-domain supply chain.

93
00:03:52,440 --> 00:03:56,800
Identity, access, hardware, payroll, compliance and training.

94
00:03:56,800 --> 00:03:58,920
Security incident response isn't a Teams chat.

95
00:03:58,920 --> 00:04:02,480
It's a controlled sequence of containment actions with approvals and evidence.

96
00:04:02,480 --> 00:04:04,680
Finance approvals aren't an email thread.

97
00:04:04,680 --> 00:04:08,080
They're policy enforcement with segregation of duties and auditability.

98
00:04:08,080 --> 00:04:09,840
Major incidents aren't a war room.

99
00:04:09,840 --> 00:04:13,800
They're coordinated human communication plus authoritative execution and change control.

100
00:04:13,800 --> 00:04:16,360
So when people say tool sprawl, they're not wrong.

101
00:04:16,360 --> 00:04:19,240
But the real problem is workflow fragmentation.

102
00:04:19,240 --> 00:04:23,520
Work starts in one place, gets decided in another, gets executed in the third and gets documented

103
00:04:23,520 --> 00:04:24,840
maybe in a fourth.

104
00:04:24,840 --> 00:04:27,960
And that is the missing operating layer between people and systems.

105
00:04:27,960 --> 00:04:29,600
It is not optional.

106
00:04:29,600 --> 00:04:35,680
It will exist either by design, with governance or by accident, with entropy.

107
00:04:35,680 --> 00:04:37,760
The foundational misunderstanding.

108
00:04:37,760 --> 00:04:40,720
Tickets track pain, workflows control outcomes.

109
00:04:40,720 --> 00:04:42,200
Here's what most people miss.

110
00:04:42,200 --> 00:04:43,520
A ticket is not a workflow.

111
00:04:43,520 --> 00:04:45,160
A ticket is a container for pain.

112
00:04:45,160 --> 00:04:48,720
It's a log entry that says something is wrong or someone wants something.

113
00:04:48,720 --> 00:04:51,120
It's useful because enterprises need triage.

114
00:04:51,120 --> 00:04:52,120
They need queues.

115
00:04:52,120 --> 00:04:53,120
They need assignment.

116
00:04:53,120 --> 00:04:54,440
They need SLAs.

117
00:04:54,440 --> 00:04:56,600
But tickets don't control outcomes.

118
00:04:56,600 --> 00:05:00,760
Tickets just describe the problem while humans improvise a path to resolution.

119
00:05:00,760 --> 00:05:02,080
That sounds pedantic.

120
00:05:02,080 --> 00:05:03,080
It isn't.

121
00:05:03,080 --> 00:05:06,440
Because when an organization believes tickets are the operating model, it starts optimizing

122
00:05:06,440 --> 00:05:07,960
for the wrong things.

123
00:05:07,960 --> 00:05:12,560
Faster logging, better categorization, cleaner fields, nicer dashboards.

124
00:05:12,560 --> 00:05:15,200
Meanwhile, the real failure remains untouched.

125
00:05:15,200 --> 00:05:17,480
Work still moves through side channels.

126
00:05:17,480 --> 00:05:21,200
Approvals still happen in meetings and exceptions still get granted by whoever shouts

127
00:05:21,200 --> 00:05:22,200
loudest in Teams.

128
00:05:22,200 --> 00:05:23,440
A workflow is different.

129
00:05:23,440 --> 00:05:25,080
A workflow is a control system.

130
00:05:25,080 --> 00:05:27,360
It defines sequence, ownership and evidence.

131
00:05:27,360 --> 00:05:30,160
It makes the path from requested to done repeatable.

132
00:05:30,160 --> 00:05:32,280
It doesn't just track the thing that happened.

133
00:05:32,280 --> 00:05:34,800
It creates the conditions for the thing to happen predictably.

134
00:05:34,800 --> 00:05:37,160
That's why "beyond ITSM" is not marketing.

135
00:05:37,160 --> 00:05:38,160
It's a category shift.

136
00:05:38,160 --> 00:05:42,240
ITSM is the first place most enterprises meet workflow discipline because incidents

137
00:05:42,240 --> 00:05:44,280
and requests force the conversation.

138
00:05:44,280 --> 00:05:49,040
But the minute you cross into cross-domain work and HR, security, finance, facilities,

139
00:05:49,040 --> 00:05:50,760
the ticket model starts lying to you.

140
00:05:50,760 --> 00:05:52,840
Take the three classic ITIL shapes.

141
00:05:52,840 --> 00:05:53,840
Incidents are interruptions.

142
00:05:53,840 --> 00:05:55,960
They demand speed and coordination.

143
00:05:55,960 --> 00:05:57,280
Requests are supply chain.

144
00:05:57,280 --> 00:06:00,360
They need fulfillment, approvals and inventory like thinking.

145
00:06:00,360 --> 00:06:01,840
Changes are risk management.

146
00:06:01,840 --> 00:06:04,320
They exist to prevent you from making a bad day worse.

147
00:06:04,320 --> 00:06:07,440
Now watch what happens when you treat all three like a ticket.

148
00:06:07,440 --> 00:06:11,360
You build one intake form, one queue, one set of statuses, and then you rely on humans

149
00:06:11,360 --> 00:06:13,040
to do the orchestration in their heads.

150
00:06:13,040 --> 00:06:14,240
That's where drift starts.

151
00:06:14,240 --> 00:06:17,240
Because the moment reality gets messy, onboarding a VP,

152
00:06:17,240 --> 00:06:20,640
responding to an incident trying to buy something before quarter end,

153
00:06:20,640 --> 00:06:23,360
the workflow gets replaced by just do it.

154
00:06:23,360 --> 00:06:24,640
Approvals happen in chat.

155
00:06:24,640 --> 00:06:26,640
Access gets granted temporarily.

156
00:06:26,640 --> 00:06:28,200
Procurement bypasses checks.

157
00:06:28,200 --> 00:06:30,400
Security says, "We'll document later."

158
00:06:30,400 --> 00:06:31,920
And later never arrives.

159
00:06:31,920 --> 00:06:33,040
That's the entropy pattern.

160
00:06:33,040 --> 00:06:35,200
A shortcut under pressure becomes the real process.

161
00:06:35,200 --> 00:06:38,160
And this is where cross-domain work breaks ticket thinking completely.

162
00:06:38,160 --> 00:06:41,840
Onboarding is not an HR ticket plus an IT ticket.

163
00:06:41,840 --> 00:06:43,880
It's one workflow with dependencies.

164
00:06:43,880 --> 00:06:48,160
Hire date triggers identity, identity triggers access, access triggers device provisioning,

165
00:06:48,160 --> 00:06:51,200
device provisioning triggers security baselines, security baselines,

166
00:06:51,200 --> 00:06:53,080
trigger compliance confirmations.

167
00:06:53,080 --> 00:06:56,800
If that chain isn't enforced somewhere, you get chaos disguised as productivity,

168
00:06:56,800 --> 00:07:01,160
same with access requests, same with procurement, same with security response.

169
00:07:01,160 --> 00:07:03,720
A ticket can sit in a queue and still be open.

170
00:07:03,720 --> 00:07:05,320
That's fine for pain tracking.

171
00:07:05,320 --> 00:07:07,960
But it tells you nothing about throughput bottlenecks or risk.

172
00:07:07,960 --> 00:07:10,680
You can close a ticket and still have the wrong access assigned.

173
00:07:10,680 --> 00:07:14,120
You can resolve an incident and still have the same conditions that caused it.

174
00:07:14,120 --> 00:07:18,600
You can implement a change and have zero evidence for why the blast radius was acceptable.

175
00:07:18,600 --> 00:07:20,120
So the reframe is simple.

176
00:07:20,120 --> 00:07:22,080
Ticketing is a visibility tool.

177
00:07:22,080 --> 00:07:23,560
Workflows are an execution tool.

178
00:07:23,560 --> 00:07:26,560
And the enterprise doesn't get punished for missing visibility.

179
00:07:26,560 --> 00:07:28,520
It gets punished for missing execution.

180
00:07:28,520 --> 00:07:33,440
Because execution is where risk accumulates, who approved, who changed what, what evidence exists,

181
00:07:33,440 --> 00:07:37,600
what controls were bypassed and what is now permanently true in your environment.

182
00:07:37,600 --> 00:07:39,720
Because someone needed it done.

183
00:07:39,720 --> 00:07:45,720
So when leaders say we need to get beyond ITSM, what they usually mean without having the words for it is,

184
00:07:45,720 --> 00:07:48,320
we need enterprise request fulfillment and orchestration.

185
00:07:48,320 --> 00:07:52,880
We need an operating layer that makes work deterministic even when humans are not.

186
00:07:52,880 --> 00:07:55,520
That's the platform lens executives actually fund.

187
00:07:55,520 --> 00:07:58,160
Not apps, not tickets, operating layers.

188
00:07:58,160 --> 00:08:01,920
And once you see that, the Microsoft and ServiceNow split stops being confusing.

189
00:08:01,920 --> 00:08:03,200
It becomes obvious.

190
00:08:03,200 --> 00:08:06,680
Platform not product, systems of record versus systems of action.

191
00:08:06,680 --> 00:08:08,720
Executives keep buying platforms.

192
00:08:08,720 --> 00:08:13,000
But most of what gets implemented is still treated like a product, a portal, a ticket form,

193
00:08:13,000 --> 00:08:16,280
a reporting dashboard, an AI add-on, a new license tier.

194
00:08:16,280 --> 00:08:19,880
That's how you end up with expensive tooling and the same operational outcomes.

195
00:08:19,880 --> 00:08:22,240
The useful lens is older and much less exciting.

196
00:08:22,240 --> 00:08:24,640
System of record versus system of action.

197
00:08:24,640 --> 00:08:27,040
A system of record is where truth lives.

198
00:08:27,040 --> 00:08:30,760
It's authoritative data, governed fields, auditability and retention.

199
00:08:30,760 --> 00:08:33,720
It's built to be correct, durable and defensible.

200
00:08:33,720 --> 00:08:35,960
The price of that durability is friction.

201
00:08:35,960 --> 00:08:39,080
Approvals, controls and slower change velocity.

202
00:08:39,080 --> 00:08:41,600
ERP is the obvious example, so is your HRIS.

203
00:08:41,600 --> 00:08:45,240
And yes, ServiceNow can be a system of record for certain operational data too.

204
00:08:45,240 --> 00:08:47,160
A system of action is where work moves.

205
00:08:47,160 --> 00:08:52,720
It routes tasks, enforces sequencing, captures decisions and produces outcomes with evidence.

206
00:08:52,720 --> 00:08:54,080
It's designed for throughput.

207
00:08:54,080 --> 00:08:57,840
It has to handle humans, exceptions and time pressure without turning into folklore.

208
00:08:57,840 --> 00:09:01,920
Most organizations try to force their systems of record to behave like systems of action.

209
00:09:01,920 --> 00:09:05,520
They attach a workflow to an ERP transaction and call it orchestration.

210
00:09:05,520 --> 00:09:10,240
Or they treat Microsoft 365 artifacts, emails, Planner tasks, Teams messages as if they are

211
00:09:10,240 --> 00:09:11,560
a process state.

212
00:09:11,560 --> 00:09:13,080
That mistake doesn't show up in a demo.

213
00:09:13,080 --> 00:09:15,960
It shows up when the CFO asks who approved this.

214
00:09:15,960 --> 00:09:18,280
And the answer is it was in a chat thread.

215
00:09:18,280 --> 00:09:21,760
Or when security asks who authorized that privilege elevation.

216
00:09:21,760 --> 00:09:23,960
And the answer is we agreed in the war room.

217
00:09:23,960 --> 00:09:25,720
Documents aren't state. Chat isn't governance.

218
00:09:25,720 --> 00:09:27,800
A mailbox is not an audit trail.

219
00:09:27,800 --> 00:09:30,600
And here's the part that makes architects uncomfortable.

220
00:09:30,600 --> 00:09:33,720
A system of action must behave like a state machine.

221
00:09:33,720 --> 00:09:34,720
That's not a metaphor.

222
00:09:34,720 --> 00:09:35,720
It's a requirement.

223
00:09:35,720 --> 00:09:39,480
There has to be an authoritative definition of where this work is.

224
00:09:39,480 --> 00:09:40,840
What happens next?

225
00:09:40,840 --> 00:09:42,200
Who can move it?

226
00:09:42,200 --> 00:09:44,920
And what evidence is required to move it?

227
00:09:44,920 --> 00:09:49,120
If the work can progress by someone typing "approved" into Teams, you do not have a state

228
00:09:49,120 --> 00:09:50,120
machine.

229
00:09:50,120 --> 00:09:51,400
You have conditional chaos.

230
00:09:51,400 --> 00:09:55,040
This is why "we have M365" doesn't solve execution.

231
00:09:55,040 --> 00:09:58,760
Microsoft is exceptional at capturing intent and providing collaboration surfaces.

232
00:09:58,760 --> 00:10:02,760
It is not designed to be the authoritative engine that enforces enterprise sequence,

233
00:10:02,760 --> 00:10:04,560
policy and evidence across domains.

234
00:10:04,560 --> 00:10:07,680
It will happily host the conversation where the bypass decision gets made.

235
00:10:07,680 --> 00:10:09,240
It will not stop you from doing it.

236
00:10:09,240 --> 00:10:12,160
And this is why "we have an ERP" doesn't solve execution.

237
00:10:12,160 --> 00:10:16,560
ERP will preserve the transaction after the fact. It won't coordinate the human chain

238
00:10:16,560 --> 00:10:20,640
of approvals, exception handling and downstream tasks that make the transaction legitimate

239
00:10:20,640 --> 00:10:21,640
in the first place.

240
00:10:21,640 --> 00:10:23,640
So enterprises need both layers.

241
00:10:23,640 --> 00:10:25,520
System of record underneath.

242
00:10:25,520 --> 00:10:27,960
Authoritative data, integrity compliance.

243
00:10:27,960 --> 00:10:32,160
System of action above it, orchestration, routing, enforcement, audit, surface for execution.

244
00:10:32,160 --> 00:10:34,320
The mistake is believing one replaces the other.

245
00:10:34,320 --> 00:10:38,000
It's also why ServiceNow's gravity keeps expanding beyond ITSM.

246
00:10:38,000 --> 00:10:39,960
It's not because IT tickets are exciting.

247
00:10:39,960 --> 00:10:43,280
It's because the enterprise keeps discovering the same gap.

248
00:10:43,280 --> 00:10:48,160
There is no shared execution layer between people said a thing and systems change the thing.

249
00:10:48,160 --> 00:10:52,640
ServiceNow fits that gap because it can hold state across domains, tie tasks and approvals

250
00:10:52,640 --> 00:10:55,520
together, enforce policy gates and produce evidence.

251
00:10:55,520 --> 00:10:59,600
It turns "we should" into "we did", with a trail you can actually defend.

252
00:10:59,600 --> 00:11:03,240
And Microsoft fits the other half because it owns where humans actually live.

253
00:11:03,240 --> 00:11:08,400
Outlook, SharePoint, Word, Meetings, Calls, that's where intent shows up, that's where decisions

254
00:11:08,400 --> 00:11:11,280
get discussed, that's where people demand status.

255
00:11:11,280 --> 00:11:15,280
So the correct architecture isn't ServiceNow versus Microsoft.

256
00:11:15,280 --> 00:11:17,920
It's a split-brain model by design.

257
00:11:17,920 --> 00:11:19,440
Microsoft is the engagement plane.

258
00:11:19,440 --> 00:11:22,760
Capture intent, collaboration, communication, context.

259
00:11:22,760 --> 00:11:25,000
ServiceNow is the execution plane.

260
00:11:25,000 --> 00:11:27,440
Authoritative state, routing, approvals, evidence.

261
00:11:27,440 --> 00:11:31,040
Once you accept that, the rest of the episode stops sounding like theory.

262
00:11:31,040 --> 00:11:32,360
It becomes an operating pattern.

263
00:11:32,360 --> 00:11:37,680
Now the only question worth asking is what happens when those two planes get stitched together correctly,

264
00:11:37,680 --> 00:11:40,760
without letting governance evaporate?

265
00:11:40,760 --> 00:11:44,200
One sentence each, the Microsoft ServiceNow

266
00:11:44,200 --> 00:11:48,920
power split. ServiceNow in one sentence, it's the enterprise execution engine, the place

267
00:11:48,920 --> 00:11:52,800
where work becomes a governed state machine, not a conversation.

268
00:11:52,800 --> 00:11:56,840
Microsoft in one sentence, it's the productivity and intelligence surface.

269
00:11:56,840 --> 00:12:00,440
The place where humans generate intent, context and pressure, that's the split and it's

270
00:12:00,440 --> 00:12:04,520
not philosophical, it's architectural jurisdiction.

271
00:12:04,520 --> 00:12:09,000
Most organizations keep trying to crown one platform as the single pane of glass.

272
00:12:09,000 --> 00:12:10,400
That instinct is understandable.

273
00:12:10,400 --> 00:12:14,080
It's also how you end up with a pane of glass full of cracks, because the problem isn't

274
00:12:14,080 --> 00:12:15,080
visibility.

275
00:12:15,080 --> 00:12:17,200
The problem is ownership of state.

276
00:12:17,200 --> 00:12:21,760
Microsoft owns human behavior, Teams chats, Outlook threads, meetings, documents, that's

277
00:12:21,760 --> 00:12:23,320
where intent shows up.

278
00:12:23,320 --> 00:12:27,560
ServiceNow owns operational truth, the current state, the next owner, the approvals, the gates

279
00:12:27,560 --> 00:12:28,640
and the evidence.

280
00:12:28,640 --> 00:12:30,640
That's execution.

281
00:12:30,640 --> 00:12:34,080
So the partnership story becomes obvious when you strip away the press releases.

282
00:12:34,080 --> 00:12:35,600
The goal isn't to merge products.

283
00:12:35,600 --> 00:12:39,200
The goal is to reduce context switching without collapsing governance.

284
00:12:39,200 --> 00:12:42,080
Teams is where the request starts because that's where people are.

285
00:12:42,080 --> 00:12:46,480
ServiceNow is where the request stays coherent because that's where process lives.

286
00:12:46,480 --> 00:12:48,440
Microsoft gives you the easiest place to ask.

287
00:12:48,440 --> 00:12:51,960
ServiceNow gives you the hardest thing to build, an operating layer that keeps working

288
00:12:51,960 --> 00:12:53,520
after the chat scrolls away.

289
00:12:53,520 --> 00:12:55,120
And here's the uncomfortable truth.

290
00:12:55,120 --> 00:12:58,800
You can't lose beat point solutions because entropy scales faster than your org chart.

291
00:12:58,800 --> 00:13:02,880
Every time a team solves their problem with a one-off board, a custom form, a flow or a

292
00:13:02,880 --> 00:13:05,320
mailbox rule, they create a local optimum.

293
00:13:05,320 --> 00:13:06,600
Then another team does the same.

294
00:13:06,600 --> 00:13:10,040
You end up with 50 local optima and one global mess.

295
00:13:10,040 --> 00:13:12,560
Central policy doesn't fail because people are malicious.

296
00:13:12,560 --> 00:13:15,160
It fails because exceptions accumulate.

297
00:13:15,160 --> 00:13:17,560
This is why the Microsoft captures intent.

298
00:13:17,560 --> 00:13:19,680
ServiceNow executes intent line matters.

299
00:13:19,680 --> 00:13:20,680
It's not a slogan.

300
00:13:20,680 --> 00:13:22,000
It's an enforcement boundary.

301
00:13:22,000 --> 00:13:27,760
Intent means take human language, human context and human ambiguity and turn it into something

302
00:13:27,760 --> 00:13:29,520
structured enough to act on.

303
00:13:29,520 --> 00:13:34,320
That's what Copilot is good at inside M365, summarizing, extracting tasks, identifying relevant

304
00:13:34,320 --> 00:13:36,960
files, pulling context from meetings and messages.

305
00:13:36,960 --> 00:13:41,840
It helps humans articulate executing intent means take that structured request and push it

306
00:13:41,840 --> 00:13:49,600
through deterministic gates, approvals, routing, SLA timers, risk decisions and auditable outcomes.

307
00:13:49,600 --> 00:13:52,880
That's what ServiceNow is built to do, own the workflow state, the policy surface and the

308
00:13:52,880 --> 00:13:53,880
evidence trail.

309
00:13:53,880 --> 00:13:55,960
In other words, Microsoft is your front door.

310
00:13:55,960 --> 00:13:57,400
ServiceNow is the factory floor.

311
00:13:57,400 --> 00:14:02,560
You don't run a factory by letting every employee rewrite the assembly line in chat.

312
00:14:02,560 --> 00:14:05,880
Now the integration implication is where most teams get themselves into trouble.

313
00:14:05,880 --> 00:14:09,040
They hear integrated experience and assume one tool.

314
00:14:09,040 --> 00:14:12,120
What they should hear is one experience, two authorities.

315
00:14:12,120 --> 00:14:16,840
Surface ServiceNow records in Teams, reduce context switching, but keep workflow state authoritative

316
00:14:16,840 --> 00:14:20,320
in ServiceNow or you're back to screenshots and social approvals.

317
00:14:20,320 --> 00:14:24,000
And yes, AI can answer questions, that's useful, but answers aren't outcomes.

318
00:14:24,000 --> 00:14:25,960
AI without workflows creates noise.

319
00:14:25,960 --> 00:14:28,120
AI inside workflows creates outcomes.

320
00:14:28,120 --> 00:14:32,000
So the power play here isn't that Microsoft and ServiceNow both have assistants.

321
00:14:32,000 --> 00:14:35,400
The power play is that they're competing for the operating layer and the only sustainable

322
00:14:35,400 --> 00:14:39,680
design is to keep engagement and execution separate, then stitch them together with explicit

323
00:14:39,680 --> 00:14:41,000
controls.

324
00:14:41,000 --> 00:14:44,600
Because if you let the engagement layer write directly into execution without guardrails,

325
00:14:44,600 --> 00:14:45,760
you don't get automation.

326
00:14:45,760 --> 00:14:52,360
You get accelerated entropy. The operating layer pattern: events, workflows, decisions,

327
00:14:52,360 --> 00:14:53,360
outcomes.

328
00:14:53,360 --> 00:14:57,680
If you want a simple model that explains why "we have all the tools" still produces chaos,

329
00:14:57,680 --> 00:15:02,040
it's this chain, events, workflows, decisions, outcomes.

330
00:15:02,040 --> 00:15:06,280
Most enterprises are drowning in events, improvising workflows, outsourcing decisions to side

331
00:15:06,280 --> 00:15:11,440
channels, and then acting surprised when outcomes are inconsistent, the operating layer exists

332
00:15:11,440 --> 00:15:14,680
to make that chain deterministic. Start with events.

333
00:15:14,680 --> 00:15:18,200
An event is anything that says something changed and work should happen.

334
00:15:18,200 --> 00:15:22,640
A new hire date in the HR system, a security alert from Defender, a manager asking for budget

335
00:15:22,640 --> 00:15:27,160
approval in Teams, a CI pipeline failing, an Intune device going non-compliant, even a

336
00:15:27,160 --> 00:15:31,680
human sentence like, "Can you get me access by Friday?" is an event, just unstructured.

337
00:15:31,680 --> 00:15:33,240
The problem isn't that events are missing.

338
00:15:33,240 --> 00:15:36,160
The problem is that events don't map cleanly to execution.

339
00:15:36,160 --> 00:15:40,520
They land in inboxes, chats and dashboards, and then humans translate them into work by

340
00:15:40,520 --> 00:15:41,520
hand.

341
00:15:41,520 --> 00:15:46,360
This translation is where meaning gets lost, urgency gets distorted, and risk gets ignored.

342
00:15:46,360 --> 00:15:48,120
It's also where you get the classic failure.

343
00:15:48,120 --> 00:15:51,360
The event is seen, discussed, and then nobody owns the next step.

344
00:15:51,360 --> 00:15:54,200
So the operating layer does something boring and essential.

345
00:15:54,200 --> 00:15:56,280
It converts events into workflows.

346
00:15:56,280 --> 00:15:57,920
A workflow is not a diagram.

347
00:15:57,920 --> 00:16:02,800
It's an executable state machine, steps, dependencies, ownership, time boundaries, and evidence

348
00:16:02,800 --> 00:16:03,800
requirements.

349
00:16:03,800 --> 00:16:07,840
It turns we should into the system will not proceed until.

350
00:16:07,840 --> 00:16:10,240
This is where the enterprise stops lying to itself.

351
00:16:10,240 --> 00:16:13,360
Because the system can either enforce sequence or it can't.

352
00:16:13,360 --> 00:16:17,720
And if it can't, your process is just people with good intentions and bad memory.

353
00:16:17,720 --> 00:16:19,560
Workflows are also where entropy hides.

354
00:16:19,560 --> 00:16:22,120
Approvals are the obvious example, not because approvals are virtuous.

355
00:16:22,120 --> 00:16:23,120
They're not.

356
00:16:23,120 --> 00:16:25,640
They're expensive, but approvals are where policy meets pressure.

357
00:16:25,640 --> 00:16:28,520
If approvals happen in the workflow, you get traceability.

358
00:16:28,520 --> 00:16:31,320
If approvals happen in chat, you get plausible deniability.

359
00:16:31,320 --> 00:16:34,040
Next, decisions.

360
00:16:34,040 --> 00:16:36,120
Decisions are not the same as workflow steps.

361
00:16:36,120 --> 00:16:39,320
A workflow step is, request manager approval.

362
00:16:39,320 --> 00:16:45,080
A decision is, is this request eligible under policy and low risk enough to approve?

363
00:16:45,080 --> 00:16:49,560
Enterprises keep trying to remove decisions from the system because decisions create friction.

364
00:16:49,560 --> 00:16:52,000
Then they wonder why risk explodes.

365
00:16:52,000 --> 00:16:53,560
Decisions are where governance lives.

366
00:16:53,560 --> 00:16:58,360
Segregation of duties, entitlement boundaries, finance thresholds, change risk scoring, exception

367
00:16:58,360 --> 00:17:00,560
handling, in practical terms.

368
00:17:00,560 --> 00:17:05,080
It's the difference between deterministic security and probabilistic security.

369
00:17:05,080 --> 00:17:09,160
Deterministic security says, if these conditions are true, the system allows the action and

370
00:17:09,160 --> 00:17:10,800
we can prove it later.

371
00:17:10,800 --> 00:17:14,920
Probabilistic security says, someone said it was fine in a meeting and hopefully that person

372
00:17:14,920 --> 00:17:16,920
still works here during the audit.

373
00:17:16,920 --> 00:17:18,240
That distinction matters.

374
00:17:18,240 --> 00:17:21,000
And this is where identity becomes the enforcement boundary.

375
00:17:21,000 --> 00:17:22,560
Entra ID doesn't just authenticate.

376
00:17:22,560 --> 00:17:26,800
It defines who the actor is, what roles they have, what conditional access gates apply,

377
00:17:26,800 --> 00:17:30,680
and when you use it correctly, what the blast radius of a bad decision can be.

378
00:17:30,680 --> 00:17:34,520
When you don't anchor decisions to identity, you end up anchoring them to social authority.

379
00:17:34,520 --> 00:17:36,800
That means the loudest person wins.

380
00:17:36,800 --> 00:17:39,800
Finally, outcomes.

381
00:17:39,800 --> 00:17:41,960
Outcomes aren't ticket closed.

382
00:17:41,960 --> 00:17:44,000
Outcomes are fulfillment completed.

383
00:17:44,000 --> 00:17:47,840
Access provisioned with evidence, containment executed with approval trail, procurement

384
00:17:47,840 --> 00:17:50,120
posted with policy intact.

385
00:17:50,120 --> 00:17:52,880
Change deployed with roll back path documented.

386
00:17:52,880 --> 00:17:57,440
Outcomes are measurable cycle time, measurable compliance, and measurable throughput.

387
00:17:57,440 --> 00:17:59,480
Here's the hard reality.

388
00:17:59,480 --> 00:18:01,160
Enterprises don't fail at planning.

389
00:18:01,160 --> 00:18:02,800
They fail at execution throughput.

390
00:18:02,800 --> 00:18:06,200
They fail because work spends its life in the gaps.

391
00:18:06,200 --> 00:18:09,800
Between systems, between teams, between we agreed and we did.

392
00:18:09,800 --> 00:18:14,280
The operating layer closes those gaps by keeping state authoritative and transitions controlled.

393
00:18:14,280 --> 00:18:16,680
Now AI shows up and tries to be helpful.

394
00:18:16,680 --> 00:18:18,120
Copilot can summarize events.

395
00:18:18,120 --> 00:18:19,680
It can even propose next steps.

396
00:18:19,680 --> 00:18:23,080
Now Assist can pull ServiceNow context and suggest actions.

397
00:18:23,080 --> 00:18:24,320
Useful.

398
00:18:24,320 --> 00:18:28,200
But the operating layer has one law you don't get to negotiate.

399
00:18:28,200 --> 00:18:30,200
Read can be fast and forgiving.

400
00:18:30,200 --> 00:18:31,840
Write must be governed.

401
00:18:31,840 --> 00:18:36,440
So AI belongs at the event and decision edges interpreting intent, proposing actions,

402
00:18:36,440 --> 00:18:37,440
ranking urgency.

403
00:18:37,440 --> 00:18:40,560
But outcomes still require workflows, approvals, and audit trails.

404
00:18:40,560 --> 00:18:44,760
Otherwise you've automated the weakest part of the system, human improvisation.

405
00:18:44,760 --> 00:18:47,560
And that's how you get what everyone is quietly building right now.

406
00:18:47,560 --> 00:18:48,560
Accelerated entropy.

407
00:18:48,560 --> 00:18:54,240
Scenario one, employee onboarding, HR plus IT plus security without email chains.

408
00:18:54,240 --> 00:18:58,760
Onboarding is the cleanest way to expose enterprise reality because it looks simple until you try

409
00:18:58,760 --> 00:19:00,400
to execute it at scale.

410
00:19:00,400 --> 00:19:05,200
New hire equals laptop, accounts, access, maybe a badge, maybe training, maybe a regulated

411
00:19:05,200 --> 00:19:09,520
role that needs extra approvals, everyone nods, everyone agrees it should be repeatable.

412
00:19:09,520 --> 00:19:10,920
Then it hits the org chart.

413
00:19:10,920 --> 00:19:12,680
Work starts where humans live.

414
00:19:12,680 --> 00:19:14,080
Outlook and Teams.

415
00:19:14,080 --> 00:19:17,320
A hiring manager forwards an offer email, HR posts a note.

416
00:19:17,320 --> 00:19:20,280
Someone drops, start date is Monday, into a chat.

417
00:19:20,280 --> 00:19:22,320
Intent exists loudly in human language.

418
00:19:22,320 --> 00:19:23,320
It is not yet work.

419
00:19:23,320 --> 00:19:25,200
It's just pressure with a calendar attached.

420
00:19:25,200 --> 00:19:30,520
In a 50,000 person global enterprise, the first failure mode shows up immediately.

421
00:19:30,520 --> 00:19:32,520
There is no single owner of the end to end state.

422
00:19:32,520 --> 00:19:37,520
HR owns the employee record, IT owns devices and accounts, security owns access boundaries,

423
00:19:37,520 --> 00:19:41,920
facilities owns physical access, finance owns cost centers, legal might care.

424
00:19:41,920 --> 00:19:43,560
Compliance definitely cares.

425
00:19:43,560 --> 00:19:45,560
So what actually happens is predictable.

426
00:19:45,560 --> 00:19:48,320
People create a chain of messages and call it a process.

427
00:19:48,320 --> 00:19:50,120
One email thread becomes the system.

428
00:19:50,120 --> 00:19:51,960
A Teams chat becomes the handoff.

429
00:19:51,960 --> 00:19:54,320
A spreadsheet becomes the tracker.

430
00:19:54,320 --> 00:19:58,800
And the only reason it works at all is because a few humans remember the tribal sequence.

431
00:19:58,800 --> 00:19:59,800
Until they don't.

432
00:19:59,800 --> 00:20:03,960
This is where the Microsoft and ServiceNow split becomes useful instead of political.

433
00:20:03,960 --> 00:20:07,560
Microsoft is where the request is born because that's where the manager already is.

434
00:20:07,560 --> 00:20:11,760
And Copilot can help at that exact moment in a way that's actually valuable.

435
00:20:11,760 --> 00:20:13,360
Extract what matters.

436
00:20:13,360 --> 00:20:18,600
Start date, location, role, manager, department, cost center, whether the person is internal,

437
00:20:18,600 --> 00:20:21,840
contractor or vendor, and whether they're joining a regulated function.

438
00:20:21,840 --> 00:20:25,680
It's a data capture, normalization, turning a messy message into structured facts, but capturing

439
00:20:25,680 --> 00:20:26,880
intent isn't the win.

440
00:20:26,880 --> 00:20:30,800
The win is what happens after that when the workflow has to survive the weekend.

441
00:20:30,800 --> 00:20:32,880
ServiceNow has to own the authoritative state.

442
00:20:32,880 --> 00:20:36,200
The onboarding case, its tasks, its dependencies and its gates.

443
00:20:36,200 --> 00:20:38,360
HR triggers the joiner event.

444
00:20:38,360 --> 00:20:40,120
ServiceNow generates the work.

445
00:20:40,120 --> 00:20:44,520
Device requests, identity provisioning, mailbox creation, baseline access, application

446
00:20:44,520 --> 00:20:48,760
entitlements, security training, and whatever region-specific requirements exist.

447
00:20:48,760 --> 00:20:51,680
And every task has an owner, not a someone.

448
00:20:51,680 --> 00:20:57,160
An assignment group, a queue, an SLA and escalation rules that don't rely on a helpful person noticing

449
00:20:57,160 --> 00:20:58,160
the message.

450
00:20:58,160 --> 00:21:00,160
Here's what most people miss.

451
00:21:00,160 --> 00:21:01,560
Identity is not a task.

452
00:21:01,560 --> 00:21:03,240
Identity is the enforcement boundary.

453
00:21:03,240 --> 00:21:08,040
In onboarding, Entra ID is where the organization decides what the new hire is allowed to become.

454
00:21:08,040 --> 00:21:12,200
It's the difference between they should have access to these apps and they do.

455
00:21:12,200 --> 00:21:15,920
That means entitlements and group membership can't be granted through side chats.

456
00:21:15,920 --> 00:21:18,000
They have to be routed, approved, and auditable.

457
00:21:18,000 --> 00:21:19,360
So the right pattern is boring.

458
00:21:19,360 --> 00:21:20,960
The manager asks in Teams.

459
00:21:20,960 --> 00:21:22,640
The workflow runs in ServiceNow.

460
00:21:22,640 --> 00:21:24,360
Identity changes happen under control.

461
00:21:24,360 --> 00:21:28,760
If the organization needs privileged access, the workflow has to force explicit approvals

462
00:21:28,760 --> 00:21:29,760
and time boundaries.

463
00:21:29,760 --> 00:21:31,400
No permanent temporary access.

464
00:21:31,400 --> 00:21:32,400
No informal.

465
00:21:32,400 --> 00:21:33,400
I'll remove it later.

466
00:21:33,400 --> 00:21:36,360
The system either expires access automatically, or it doesn't.

467
00:21:36,360 --> 00:21:38,240
And if it doesn't, you didn't onboard someone.

468
00:21:38,240 --> 00:21:39,920
You created future incident fuel.

469
00:21:39,920 --> 00:21:43,640
Now let's talk about where it breaks today because this is where executives recognize

470
00:21:43,640 --> 00:21:44,640
themselves.

471
00:21:44,640 --> 00:21:47,960
First approvals happen in email or chat because it feels faster.

472
00:21:47,960 --> 00:21:50,240
That means the approval isn't linked to the action.

473
00:21:50,240 --> 00:21:54,320
Having an audit, you can't prove who approved what only that people talked about it.

474
00:21:54,320 --> 00:21:56,440
Second, exceptions become the default.

475
00:21:56,440 --> 00:21:57,440
Just give them access.

476
00:21:57,440 --> 00:21:58,440
They start tomorrow.

477
00:21:58,440 --> 00:21:59,800
Then tomorrow becomes six months.

478
00:21:59,800 --> 00:22:03,400
Then the person changes roles and keeps the old access because nobody owns deprovisioning

479
00:22:03,400 --> 00:22:04,800
across domains.

480
00:22:04,800 --> 00:22:05,800
Third, visibility is fake.

481
00:22:05,800 --> 00:22:09,280
HR says the hire is complete because the HR tasks are complete.

482
00:22:09,280 --> 00:22:11,280
IT says the laptop shipped.

483
00:22:11,280 --> 00:22:12,680
Security says training is assigned.

484
00:22:12,680 --> 00:22:14,720
The new hire says they can't do their job.

485
00:22:14,720 --> 00:22:16,240
Every system is locally correct.

486
00:22:16,240 --> 00:22:17,280
End to end, it's a failure.

487
00:22:17,280 --> 00:22:19,320
So what does good look like in this scenario?

488
00:22:19,320 --> 00:22:23,600
It looks like one request thread in Teams that never pretends to be the authoritative state.

489
00:22:23,600 --> 00:22:24,600
It's just the interface.

490
00:22:24,600 --> 00:22:27,800
The same conversation can surface a ServiceNow card.

491
00:22:27,800 --> 00:22:31,640
On-boarding case created, current status, blockers, and next steps.

492
00:22:31,640 --> 00:22:33,880
The manager can ask, "What's holding this up?"

493
00:22:33,880 --> 00:22:37,320
And get an answer that's derived from workflow state, not someone's memory.

494
00:22:37,320 --> 00:22:39,600
It also means controlled exception handling.

495
00:22:39,600 --> 00:22:43,680
If someone needs early access, the workflow captures it as an exception with a reason,

496
00:22:43,680 --> 00:22:46,840
an approver, a time limit, and a log change.

497
00:22:46,840 --> 00:22:47,840
It's hard for bidden.

498
00:22:47,840 --> 00:22:49,560
They're recorded and constrained.

499
00:22:49,560 --> 00:22:50,720
That's entropy management.

500
00:22:50,720 --> 00:22:54,120
And the real payoff is off-boarding, even though nobody wants to talk about it during

501
00:22:54,120 --> 00:22:55,120
onboarding.

502
00:22:55,120 --> 00:22:58,600
If you build onboarding as a governed state machine, you can build off-boarding as the

503
00:22:58,600 --> 00:23:00,920
inverse workflow with the same discipline.

504
00:23:00,920 --> 00:23:05,640
That's how you stop orphaned access from becoming a security incident with a press release

505
00:23:05,640 --> 00:23:06,640
attached.

506
00:23:06,640 --> 00:23:09,320
On-boarding is the happy path, but it's still a stress test.

507
00:23:09,320 --> 00:23:13,400
It forces you to decide where intent lives, where execution lives, and whether identity

508
00:23:13,400 --> 00:23:16,800
is controlled by policy or by social urgency.

509
00:23:16,800 --> 00:23:19,200
Next, the stress test becomes explicit.

510
00:23:19,200 --> 00:23:23,640
Security incident response where everyone wants speed and governance is always later.

511
00:23:23,640 --> 00:23:29,280
Scenario 2 Security incident response, collaboration in teams, execution in workflows.

512
00:23:29,280 --> 00:23:33,280
Security incident response is where every nice process dies, because under pressure people

513
00:23:33,280 --> 00:23:34,280
don't follow policy.

514
00:23:34,280 --> 00:23:35,280
They follow urgency.

515
00:23:35,280 --> 00:23:37,000
They spin up a Teams war room.

516
00:23:37,000 --> 00:23:41,880
Tag everyone they can think of and start trading theories, screenshots, and half-finished conclusions.

517
00:23:41,880 --> 00:23:43,440
And that part is fine.

518
00:23:43,440 --> 00:23:44,680
Collaboration is supposed to be messy.

519
00:23:44,680 --> 00:23:48,000
The failure happens when the messy part becomes the control system.

520
00:23:48,000 --> 00:23:51,560
In a regulated enterprise, the first question isn't, can we fix it?

521
00:23:51,560 --> 00:23:55,040
It's who is allowed to do what and who approved it?

522
00:23:55,040 --> 00:24:00,120
Containment actions change reality, disabling accounts, revoking sessions, isolating devices,

523
00:24:00,120 --> 00:24:04,200
blocking IPs, rotating secrets, pulling logs, escalating privileges.

524
00:24:04,200 --> 00:24:05,520
Those aren't chat decisions.

525
00:24:05,520 --> 00:24:07,800
Those are governed operations with blast radius.

526
00:24:07,800 --> 00:24:09,840
So here's the pattern that actually works.

527
00:24:09,840 --> 00:24:14,040
The alert surfaces in Microsoft, but the execution runs in ServiceNow.

528
00:24:14,040 --> 00:24:18,480
The alert might come from Defender, Sentinel, a SOC tool or a third party platform.

529
00:24:18,480 --> 00:24:19,480
Where does it land?

530
00:24:19,480 --> 00:24:20,480
Teams.

531
00:24:20,480 --> 00:24:21,480
Because that's where humans are.

532
00:24:21,480 --> 00:24:23,000
And that's where humans coordinate.

533
00:24:23,000 --> 00:24:26,840
You want the incident channel, the pinned context, the running timeline, the stakeholders,

534
00:24:26,840 --> 00:24:29,600
the communications lead, the who's on point assignments.

535
00:24:29,600 --> 00:24:32,720
Microsoft is the engagement plane doing exactly what it's built to do.

536
00:24:32,720 --> 00:24:36,040
But the moment you start taking action, the system needs an execution plane.

537
00:24:36,040 --> 00:24:37,040
ServiceNow

538
00:24:37,040 --> 00:24:41,680
owns the security incident record, the workflow state, the tasking, the evidence capture,

539
00:24:41,680 --> 00:24:44,000
and the approvals that you can defend later.

540
00:24:44,000 --> 00:24:46,440
The triage isn't just, we think it's phishing.

541
00:24:46,440 --> 00:24:50,560
It's classification, severity, assignment, SLA triggers, and a controlled flow that can

542
00:24:50,560 --> 00:24:51,960
survive shift changes.

543
00:24:51,960 --> 00:24:54,960
Because the incident doesn't care that the night team is different people.

544
00:24:54,960 --> 00:24:57,760
This is where the Microsoft captures intent.

545
00:24:57,760 --> 00:25:01,360
ServiceNow executes intent, split becomes operational.

546
00:25:01,360 --> 00:25:04,240
In Teams, someone says, we need to disable this account now.

547
00:25:04,240 --> 00:25:06,320
It's actively exfiltrating.

548
00:25:06,320 --> 00:25:07,680
That sentence is intent.

549
00:25:07,680 --> 00:25:09,320
It's also a liability.

550
00:25:09,320 --> 00:25:13,600
In a mature model, that intent becomes an action request, a workflow step in ServiceNow

551
00:25:13,600 --> 00:25:20,000
that says disable account X with an approver, a reason, a timestamp, and a recorded outcome.

552
00:25:20,000 --> 00:25:24,480
If the organization uses privileged identity management, the workflow drives that elevation

553
00:25:24,480 --> 00:25:25,920
through controlled gates.

554
00:25:25,920 --> 00:25:30,760
If it doesn't, the workflow at least forces a documented approval and ties it to the change.

555
00:25:30,760 --> 00:25:35,160
Because the ugly truth is this, the fastest way to create security debt is to let containment

556
00:25:35,160 --> 00:25:37,000
happen through informal authority.

557
00:25:37,000 --> 00:25:38,520
The other failure mode is evidence.

558
00:25:38,520 --> 00:25:41,520
In a security incident, evidence isn't nice to have.

559
00:25:41,520 --> 00:25:44,840
It's the difference between a controllable incident and an audit nightmare.

560
00:25:44,840 --> 00:25:46,520
Teams conversations don't give you evidence.

561
00:25:46,520 --> 00:25:48,000
They give you a transcript.

562
00:25:48,000 --> 00:25:49,920
ServiceNow can force evidence.

563
00:25:49,920 --> 00:25:56,200
Log links, indicators, containment actions, impacted assets, who approved what was changed

564
00:25:56,200 --> 00:25:57,400
and when.

565
00:25:57,400 --> 00:25:59,680
Nobody likes documentation in the middle of a fire.

566
00:25:59,680 --> 00:26:02,880
That's why it has to be baked into the workflow, not left to human discipline.

567
00:26:02,880 --> 00:26:06,720
Now layer in AI because this is where everyone gets confused and starts building the wrong

568
00:26:06,720 --> 00:26:07,720
thing.

569
00:26:07,720 --> 00:26:11,320
Copilot is great at summarizing Teams threads, pulling key decisions, finding the file

570
00:26:11,320 --> 00:26:16,000
that contains the indicator list and generating a draft comms update.

571
00:26:16,000 --> 00:26:19,000
That's real value because it reduces cognitive load.

572
00:26:19,000 --> 00:26:23,080
But Copilot doesn't get to execute containment just because it can write a confident paragraph.

573
00:26:23,080 --> 00:26:25,680
Now Assist is great at the ServiceNow side.

574
00:26:25,680 --> 00:26:30,160
Summarizing case history, suggesting related incidents, pulling knowledge articles, proposing

575
00:26:30,160 --> 00:26:34,880
next actions based on prior patterns and helping agents write resolution notes.

576
00:26:34,880 --> 00:26:38,120
That's useful because it speeds decisions inside the execution plane.

577
00:26:38,120 --> 00:26:42,480
And here's the law: AI can propose, workflows decide. Read operations can be fast, write

578
00:26:42,480 --> 00:26:43,880
operations must be governed.

579
00:26:43,880 --> 00:26:49,040
So the correct flow is AI accelerates triage and decision making, but execution remains

580
00:26:49,040 --> 00:26:50,040
deterministic.

581
00:26:50,040 --> 00:26:55,200
If you let an AI agent just take care of it, you've replaced human improvisation with probabilistic

582
00:26:55,200 --> 00:26:57,040
improvisation at machine speed.

583
00:26:57,040 --> 00:26:58,040
That's not automation.

584
00:26:58,040 --> 00:27:02,200
That's a faster incident. In the composite enterprise, 50k employees, multiple regions,

585
00:27:02,200 --> 00:27:03,200
heavy regulation.

586
00:27:03,200 --> 00:27:05,520
This also becomes a communications problem.

587
00:27:05,520 --> 00:27:10,440
The war room needs an external narrative leadership updates, customer comms, legal review and

588
00:27:10,440 --> 00:27:11,920
operational timelines.

589
00:27:11,920 --> 00:27:15,920
Teams is still the best place to coordinate that, but ServiceNow needs to remain the authoritative

590
00:27:15,920 --> 00:27:18,040
timeline for what was actually done.

591
00:27:18,040 --> 00:27:22,600
Otherwise the post-incident review becomes a debate about whose memory is correct.

592
00:27:22,600 --> 00:27:27,200
So good in this scenario looks like Teams for coordination and shared awareness.

593
00:27:27,200 --> 00:27:30,920
ServiceNow for triage, assignment, approvals, evidence and outcome tracking. Identity as

594
00:27:30,920 --> 00:27:33,360
the enforcement boundary for privileged actions.

595
00:27:33,360 --> 00:27:38,160
AI as an accelerant inside the guardrails, not a replacement for them and the payoff is

596
00:27:38,160 --> 00:27:39,160
measurable.

597
00:27:39,160 --> 00:27:43,600
Lower decision latency, fewer manual handoffs, cleaner audit trails and fewer temporary access

598
00:27:43,600 --> 00:27:46,280
grants that survive into the next quarter.

599
00:27:46,280 --> 00:27:47,120
Reflection pause.

600
00:27:47,120 --> 00:27:50,400
If you're listening to this and thinking, yes, this sounds familiar, that's the point.

601
00:27:50,400 --> 00:27:51,720
None of this is hypothetical.

602
00:27:51,720 --> 00:27:54,320
This is how your organization already works just without an owner.

603
00:27:54,320 --> 00:27:58,560
Now take that same discipline and move it out of the SOC and into finance where pressure

604
00:27:58,560 --> 00:28:01,800
comes from quarter end instead of attackers.

605
00:28:01,800 --> 00:28:06,480
Scenario three, finance approvals, procure to pay without policy erosion.

606
00:28:06,480 --> 00:28:10,240
Finance is where people finally admit they don't want better collaboration.

607
00:28:10,240 --> 00:28:13,560
They want enforceable policy because the failure mode isn't that nobody can request

608
00:28:13,560 --> 00:28:14,560
spend.

609
00:28:14,560 --> 00:28:18,440
The failure mode is that spend gets approved in the least defensible place possible.

610
00:28:18,440 --> 00:28:22,800
An email thread, a Teams message or a hallway conversation that later becomes we all

611
00:28:22,800 --> 00:28:23,800
agreed.

612
00:28:23,800 --> 00:28:27,600
Procure to pay is basically the same pattern as onboarding and security response just

613
00:28:27,600 --> 00:28:28,600
with different nouns.

614
00:28:28,600 --> 00:28:31,600
The work starts in Microsoft because that's where the pressure lives.

615
00:28:31,600 --> 00:28:34,920
Moving forwards a vendor quote, someone tags a finance lead in Teams.

616
00:28:34,920 --> 00:28:36,400
Can we get this approved today?

617
00:28:36,400 --> 00:28:37,400
Quarter end.

618
00:28:37,400 --> 00:28:39,480
Someone drops a spreadsheet link and asks for a thumbs up.

619
00:28:39,480 --> 00:28:40,480
That's intent.

620
00:28:40,480 --> 00:28:44,040
And it's also the beginning of policy erosion because finance policy doesn't fail through

621
00:28:44,040 --> 00:28:45,040
malice.

622
00:28:45,040 --> 00:28:46,040
It fails through impatience.

623
00:28:46,040 --> 00:28:47,640
Approvals get rushed.

624
00:28:47,640 --> 00:28:49,520
Thresholds get ignored.

625
00:28:49,520 --> 00:28:52,960
Segregation of duties becomes, can you just approve it for me?

626
00:28:52,960 --> 00:28:56,760
And once the organization proves it can bypass controls when it's inconvenient, it will

627
00:28:56,760 --> 00:28:57,760
keep doing it.

628
00:28:57,760 --> 00:28:58,760
That's not culture.

629
00:28:58,760 --> 00:29:00,120
That's system behavior.

630
00:29:00,120 --> 00:29:04,320
So in the composite enterprise, 50K employees regulated industry, the operating layer has

631
00:29:04,320 --> 00:29:05,840
to be explicit.

632
00:29:05,840 --> 00:29:09,600
Microsoft captures the request and the context, but ServiceNow enforces the gates that

633
00:29:09,600 --> 00:29:11,520
make the request legitimate.

634
00:29:11,520 --> 00:29:13,440
The way it usually breaks is almost boring.

635
00:29:13,440 --> 00:29:14,840
A request lands in Teams.

636
00:29:14,840 --> 00:29:16,160
The approver is on mobile.

637
00:29:16,160 --> 00:29:19,760
They reply approved because it's faster than opening the portal.

638
00:29:19,760 --> 00:29:23,840
Someone screenshots that message and attaches it to something maybe.

639
00:29:23,840 --> 00:29:26,520
Then procurement moves forward because we have approval.

640
00:29:26,520 --> 00:29:31,520
The ERP eventually records the transaction because that's what ERPs do, but the ERP doesn't

641
00:29:31,520 --> 00:29:33,080
know whether the approval met policy.

642
00:29:33,080 --> 00:29:35,080
It just knows the transaction exists.

643
00:29:35,080 --> 00:29:39,320
And when audit time arrives, the organization tries to reconstruct governance from scattered

644
00:29:39,320 --> 00:29:40,320
artifacts.

645
00:29:40,320 --> 00:29:42,720
An email, a Teams thread, a PDF, a memory.

646
00:29:42,720 --> 00:29:43,880
That's not an audit trail.

647
00:29:43,880 --> 00:29:45,120
That's archaeology.

648
00:29:45,120 --> 00:29:49,280
So what does good look like without turning finance into a bureaucratic museum exhibit?

649
00:29:49,280 --> 00:29:51,640
Good looks like letting Teams stay the front door.

650
00:29:51,640 --> 00:29:53,960
Let the requests start where people already work.

651
00:29:53,960 --> 00:29:58,520
Let Copilot help translate the messy human ask into structured fields.

652
00:29:58,520 --> 00:30:02,920
Vendor, amount, cost center, description, urgency, whether it's capex or opex and which

653
00:30:02,920 --> 00:30:03,920
policy applies.

654
00:30:03,920 --> 00:30:05,520
That's intent capture.

655
00:30:05,520 --> 00:30:10,720
But the moment the request becomes real money, execution moves to a workflow state machine.

656
00:30:10,720 --> 00:30:14,840
ServiceNow owns the approval workflow because it can enforce sequence, thresholds and separation

657
00:30:14,840 --> 00:30:15,840
of duties.

658
00:30:15,840 --> 00:30:17,240
It can route automatically.

659
00:30:17,240 --> 00:30:21,160
Manager approval under one threshold, finance approval under another, security review

660
00:30:21,160 --> 00:30:25,920
if it touches a risky vendor category, procurement review if a preferred vendor exists, legal

661
00:30:25,920 --> 00:30:27,920
review if contract terms trigger it.

662
00:30:27,920 --> 00:30:29,120
The point isn't complexity.

663
00:30:29,120 --> 00:30:32,400
The point is enforceable branching with an auditable why.

664
00:30:32,400 --> 00:30:34,720
And the ERP stays exactly where it belongs.

665
00:30:34,720 --> 00:30:35,800
The system of record.

666
00:30:35,800 --> 00:30:37,160
It posts the purchase order.

667
00:30:37,160 --> 00:30:38,160
It pays the invoice.

668
00:30:38,160 --> 00:30:39,800
It preserves the financial truth.

669
00:30:39,800 --> 00:30:42,240
ServiceNow sits above it as the system of action.

670
00:30:42,240 --> 00:30:46,120
It orchestrates the human chain that makes the transaction acceptable, then hands the result

671
00:30:46,120 --> 00:30:48,400
to the ERP with evidence attached.

672
00:30:48,400 --> 00:30:52,120
This is also where executives finally see the cost of quick exceptions.

673
00:30:52,120 --> 00:30:55,160
Every exception to approval policy is an entropy generator.

674
00:30:55,160 --> 00:30:56,160
It feels like speed.

675
00:30:56,160 --> 00:30:57,960
It actually creates ambiguity.

676
00:30:57,960 --> 00:31:01,120
And ambiguity is what auditors charge for, not emotionally.

677
00:31:01,120 --> 00:31:05,200
Financially, in time, remediation and the constant tax of controls that nobody trusts.

678
00:31:05,200 --> 00:31:09,960
So the real value proposition in finance isn't faster approvals as a vanity metric.

679
00:31:09,960 --> 00:31:12,040
It's consistent enforcement under pressure.

680
00:31:12,040 --> 00:31:15,920
Because quarter end is basically a recurring incident, except it's self-inflicted and everyone

681
00:31:15,920 --> 00:31:16,920
pretends it's normal.

682
00:31:16,920 --> 00:31:18,600
Now the integration pattern matters.

683
00:31:18,600 --> 00:31:23,320
If all you do is surface finance requests inside Teams as read-only cards, you reduce context

684
00:31:23,320 --> 00:31:26,240
switching but you haven't stopped bypass behavior.

685
00:31:26,240 --> 00:31:28,360
People still approve in chat because it's convenient.

686
00:31:28,360 --> 00:31:29,640
Retrieval doesn't fix execution.

687
00:31:29,640 --> 00:31:32,920
So the operating layer has to support actual actions under control.

688
00:31:32,920 --> 00:31:36,560
Approvers can approve from within Teams, but the approval must be written into the ServiceNow

689
00:31:36,560 --> 00:31:40,560
workflow state, tied to identity and locked as a structured decision.

690
00:31:40,560 --> 00:31:44,000
Not as a message, not as a reaction icon, as a control transition.

691
00:31:44,000 --> 00:31:49,000
And because finance is a write-heavy domain, approvals, routing, updates, the read-fast,

692
00:31:49,000 --> 00:31:51,160
write-governed rule becomes non-negotiable.

693
00:31:51,160 --> 00:31:53,880
You start with assisted drafting and summarization, sure.

694
00:31:53,880 --> 00:31:55,800
But you keep writes supervised and auditable.

695
00:31:55,800 --> 00:31:58,720
Otherwise you've just built a faster way to create non-compliance.

696
00:31:58,720 --> 00:32:01,640
If you want the executive version of this scenario, it's simple.

697
00:32:01,640 --> 00:32:03,640
Microsoft is where spend pressure gets expressed.

698
00:32:03,640 --> 00:32:05,880
ServiceNow is where spend policy gets enforced.

699
00:32:05,880 --> 00:32:07,600
ERP is where spend gets recorded.

700
00:32:07,600 --> 00:32:11,880
When those three roles stay clean, cycle time improves, audit findings drop and nobody

701
00:32:11,880 --> 00:32:13,600
has to ask who approved this.

702
00:32:13,600 --> 00:32:17,800
like it's a mystery novel. And once finance works this way, it becomes impossible to keep pretending

703
00:32:17,800 --> 00:32:19,720
ServiceNow is just eat.

704
00:32:19,720 --> 00:32:21,280
It's the enterprise execution layer.

705
00:32:21,280 --> 00:32:25,840
Next, take the same pattern back to the place most organizations think they understand.

706
00:32:25,840 --> 00:32:30,480
The major incident war room, where Teams feels like the whole story, until change control

707
00:32:30,480 --> 00:32:31,720
shows up.

708
00:32:31,720 --> 00:32:36,880
Scenario 4, major IT incident plus change, the war room versus the control system.

709
00:32:36,880 --> 00:32:40,800
Major incidents are where organizations confuse adrenaline with control.

710
00:32:40,800 --> 00:32:44,880
The war room spins up in Teams because that's where humans can coordinate at speed.

711
00:32:44,880 --> 00:32:48,680
Voice, chat, screen shares, a running narrative and the one thing people actually need in the

712
00:32:48,680 --> 00:32:50,080
first 10 minutes.

713
00:32:50,080 --> 00:32:51,600
Shared situational awareness.

714
00:32:51,600 --> 00:32:52,840
Who's on, what's impacted?

715
00:32:52,840 --> 00:32:53,920
What's the latest signal?

716
00:32:53,920 --> 00:32:54,920
What are we trying next?

717
00:32:54,920 --> 00:32:55,920
Teams is perfect for that.

718
00:32:55,920 --> 00:33:00,040
It's also the place where most enterprises accidentally move change control into a chat

719
00:33:00,040 --> 00:33:01,880
thread and call it agility.

720
00:33:01,880 --> 00:33:03,360
Here's the uncomfortable truth.

721
00:33:03,360 --> 00:33:06,320
A major incident is not just fix it fast.

722
00:33:06,320 --> 00:33:09,200
It's fix it fast without making the blast radius worse.

723
00:33:09,200 --> 00:33:13,560
The only mechanism enterprises have for controlling blast radius is change management.

724
00:33:13,560 --> 00:33:15,480
Not because CAB meetings are fun.

725
00:33:15,480 --> 00:33:17,440
Because production doesn't care about feelings.

726
00:33:17,440 --> 00:33:20,960
So this scenario is the cleanest proof of the split brain model.

727
00:33:20,960 --> 00:33:22,240
Teams is the war room.

728
00:33:22,240 --> 00:33:23,600
ServiceNow is the control system.

729
00:33:23,600 --> 00:33:27,720
In the composite enterprise, a major incident usually starts with a flood of symptoms.

730
00:33:27,720 --> 00:33:28,720
Users can't log in.

731
00:33:28,720 --> 00:33:29,720
An API is timing out.

732
00:33:29,720 --> 00:33:33,600
A region is degraded or a minor change from earlier in the day quietly becomes the root

733
00:33:33,600 --> 00:33:35,480
cause of a widespread outage.

734
00:33:35,480 --> 00:33:38,240
The first job is triage and comms. That belongs in Microsoft.

735
00:33:38,240 --> 00:33:42,400
You want incident channels, stakeholder comms and the ability to brief leadership without

736
00:33:42,400 --> 00:33:43,800
digging through 10 portals.

737
00:33:43,800 --> 00:33:46,760
But the second job, the dangerous one, is execution.

738
00:33:46,760 --> 00:33:52,160
Execution is assigned tasks with owners and time boundaries, coordinate remediation steps,

739
00:33:52,160 --> 00:33:57,120
create emergency changes, capture approvals, record what was done, and preserve enough evidence

740
00:33:57,120 --> 00:34:00,240
that the post-incident review isn't a religious argument.

741
00:34:00,240 --> 00:34:02,240
That work needs an authoritative state machine.

742
00:34:02,240 --> 00:34:03,880
This is where ServiceNow earns its keep.

743
00:34:03,880 --> 00:34:05,600
A Teams war room can tell a story.

744
00:34:05,600 --> 00:34:06,600
It cannot enforce one.

745
00:34:06,600 --> 00:34:09,720
A Teams thread can say "we agreed to reboot the database."

746
00:34:09,720 --> 00:34:14,440
It cannot prove who authorized it, whether the rollback plan existed, or whether that reboot

747
00:34:14,440 --> 00:34:16,520
was part of a control change sequence.

748
00:34:16,520 --> 00:34:19,400
And in a regulated environment, "we agreed" is not governance.

749
00:34:19,400 --> 00:34:20,400
It's a liability.

750
00:34:20,400 --> 00:34:22,720
So the right design is boring and strict.

751
00:34:22,720 --> 00:34:25,480
The major incident record lives in ServiceNow.

752
00:34:25,480 --> 00:34:30,480
It owns the timeline, the tasks, the comms artifacts, and the dependency map between actions.

753
00:34:30,480 --> 00:34:35,840
The Teams channel is linked to the major incident record, not treated as a parallel universe.

754
00:34:35,840 --> 00:34:37,440
And the problem happens in Teams.

755
00:34:37,440 --> 00:34:38,760
Authority stays in ServiceNow.

756
00:34:38,760 --> 00:34:42,600
Now the part that always collapses under pressure: emergency change. In the war room, someone

757
00:34:42,600 --> 00:34:45,240
says, "We need to push a config change right now."

758
00:34:45,240 --> 00:34:47,640
Another person says, "Just do it, we'll backfill later."

759
00:34:47,640 --> 00:34:51,400
And this is exactly how temporary bypass becomes permanent policy decay.

760
00:34:51,400 --> 00:34:52,920
Because the bypass isn't the outage.

761
00:34:52,920 --> 00:34:54,440
The bypass is the future outage.

762
00:34:54,440 --> 00:34:58,440
If you let major incidents teach your teams that controls are optional, you don't get

763
00:34:58,440 --> 00:34:59,640
faster recovery.

764
00:34:59,640 --> 00:35:01,160
You get repeatable chaos.

765
00:35:01,160 --> 00:35:05,560
So emergency change has to be a first-class workflow, not an apology.

766
00:35:05,560 --> 00:35:06,680
Now can do that.

767
00:35:06,680 --> 00:35:10,360
Create the emergency change record as part of the major incident workflow.

768
00:35:10,360 --> 00:35:12,720
Enforce the minimum approvals required.

769
00:35:12,720 --> 00:35:14,840
Capture the reason for urgency.

770
00:35:14,840 --> 00:35:16,520
Link the impacted services.

771
00:35:16,520 --> 00:35:19,400
And record the implementation and rollback steps.

772
00:35:19,400 --> 00:35:23,000
It can keep the blast radius bounded even when humans are improvising.

773
00:35:23,000 --> 00:35:24,000
And yes, it adds friction.

774
00:35:24,000 --> 00:35:25,000
That's the point.

775
00:35:25,000 --> 00:35:29,200
Friction is what turns "someone pushed the thing" into "the organization can defend why it pushed

776
00:35:29,200 --> 00:35:30,200
the thing."

777
00:35:30,200 --> 00:35:34,080
This is also where good looks counterintuitive to Teams-first organizations.

778
00:35:34,080 --> 00:35:36,520
It does not mean forcing everyone out of Teams.

779
00:35:36,520 --> 00:35:40,840
Good means letting Teams be the interface while refusing to let it become the system of record

780
00:35:40,840 --> 00:35:42,040
for execution.

781
00:35:42,040 --> 00:35:46,440
The incident commander can run comms in Teams, but the tasks are created, owned and closed

782
00:35:46,440 --> 00:35:47,440
in ServiceNow.

783
00:35:47,440 --> 00:35:50,760
The approvals can be surfaced in Teams, but the approval state must be written to the

784
00:35:50,760 --> 00:35:53,520
change record, tied to identity, with an audit trail.

785
00:35:53,520 --> 00:35:56,160
This is where AI tempts people into the wrong move.

786
00:35:56,160 --> 00:35:58,960
Copilot can summarize the war room and draft status updates.

787
00:35:58,960 --> 00:35:59,960
Great.

788
00:35:59,960 --> 00:36:04,600
Assist can generate post-incident review drafts and resolution notes, also useful, but

789
00:36:04,600 --> 00:36:09,280
AI cannot be allowed to convert "we think" into "we changed" without controls, because write

790
00:36:09,280 --> 00:36:11,560
operations are blast radius multipliers.

791
00:36:11,560 --> 00:36:14,400
So the measurable outcome isn't, we had a great war room.

792
00:36:14,400 --> 00:36:17,840
It's, did the incident produce a clean authoritative timeline?

793
00:36:17,840 --> 00:36:19,160
Did every action have an owner?

794
00:36:19,160 --> 00:36:22,080
Did emergency changes have approvals and rollback paths?

795
00:36:22,080 --> 00:36:27,200
Did the organization avoid creating new security and compliance debt while restoring service?

796
00:36:27,200 --> 00:36:28,760
Teams makes the war room fast.

797
00:36:28,760 --> 00:36:30,800
Now makes the recovery defensible.

798
00:36:30,800 --> 00:36:33,920
And if those two responsibilities blur, you don't get resilience.

799
00:36:33,920 --> 00:36:36,320
You get a group chat with production permissions.

800
00:36:36,320 --> 00:36:37,320
Integration.

801
00:36:37,320 --> 00:36:38,320
Reality.

802
00:36:38,320 --> 00:36:39,800
Connectors give answers.

803
00:36:39,800 --> 00:36:40,960
Orchestration gets outcomes.

804
00:36:40,960 --> 00:36:44,640
Now take those four scenarios and ask the only question that matters once you leave

805
00:36:44,640 --> 00:36:45,640
the whiteboard.

806
00:36:45,640 --> 00:36:49,840
How do these two worlds actually connect without creating a new category of failure?

807
00:36:49,840 --> 00:36:52,520
Because integration gets marketed like it's a single thing.

808
00:36:52,520 --> 00:36:53,520
It isn't.

809
00:36:53,520 --> 00:36:57,500
In practice, there are two modes and confusing them is how organizations end up with a shiny

810
00:36:57,500 --> 00:36:59,500
demo and unchanged throughput.

811
00:36:59,500 --> 00:37:03,660
Mode one is read, mode two is write. Read integration is about answers.

812
00:37:03,660 --> 00:37:06,740
It's search, indexing, summaries and quick lookups.

813
00:37:06,740 --> 00:37:08,260
Microsoft has a clean story here.

814
00:37:08,260 --> 00:37:12,660
Microsoft Graph Connectors can index ServiceNow content, so Copilot can retrieve it in

815
00:37:12,660 --> 00:37:14,340
the flow of work.

816
00:37:14,340 --> 00:37:16,820
Incidents, knowledge articles, catalog items.

817
00:37:16,820 --> 00:37:18,500
Those are common connector patterns.

818
00:37:18,500 --> 00:37:22,660
People ask in Teams, Copilot answers with the relevant ServiceNow context, and nobody

819
00:37:22,660 --> 00:37:26,340
has to alt-tab into another portal just to find a link. That is real value.

820
00:37:26,340 --> 00:37:27,780
But it is not orchestration.

821
00:37:27,780 --> 00:37:28,780
It's an information plane.

822
00:37:28,780 --> 00:37:30,340
It reduces context switching.

823
00:37:30,340 --> 00:37:31,780
It reduces time to knowledge.

824
00:37:31,780 --> 00:37:36,900
It reduces the "where do I even find this" friction that burns hours across large companies.

825
00:37:36,900 --> 00:37:40,300
And for early adoption, read-only is politically easy.

826
00:37:40,300 --> 00:37:45,220
Lower risk, minimal change control, fewer permission arguments and far less blast radius if

827
00:37:45,220 --> 00:37:46,660
something is mis-scoped.

828
00:37:46,660 --> 00:37:50,580
This is why read-only wins first, because everyone can agree that finding answers faster

829
00:37:50,580 --> 00:37:55,060
is good, and almost nobody wants to be the executive who approved letting an AI write

830
00:37:55,060 --> 00:37:56,740
to production systems.

831
00:37:56,740 --> 00:37:58,620
Now mode two, write integration.

832
00:37:58,620 --> 00:38:02,820
Write integration is about outcomes, creating the request, updating the record, approving

833
00:38:02,820 --> 00:38:07,220
the step, executing the workflow transition, triggering the containment task, posting the

834
00:38:07,220 --> 00:38:10,620
approval decision, calling the API that changes reality.

835
00:38:10,620 --> 00:38:14,860
Write is orchestration, and orchestration is where governance lives or dies.

836
00:38:14,860 --> 00:38:18,780
Microsoft's path to write typically runs through controlled action frameworks.

837
00:38:18,780 --> 00:38:23,860
Copilot Studio connectors, approved plugins, explicit API calls, and tooling that can be

838
00:38:23,860 --> 00:38:25,620
governed and monitored.

839
00:38:25,620 --> 00:38:28,060
ServiceNow's side runs through its workflow engine.

840
00:38:28,060 --> 00:38:32,260
Flow Designer, Integration Hub, approval engines, and the record state machine that actually

841
00:38:32,260 --> 00:38:33,260
owns the process.

842
00:38:33,260 --> 00:38:35,220
The architectural point is simple.

843
00:38:35,220 --> 00:38:36,940
Connectors can tell you what's happening.

844
00:38:36,940 --> 00:38:38,260
Orchestration makes something happen.

845
00:38:38,260 --> 00:38:41,540
If you stop at read integration, you'll build what looks like progress, but behaves like

846
00:38:41,540 --> 00:38:42,540
theater.

847
00:38:42,540 --> 00:38:44,860
Copilot can summarize an incident, great.

848
00:38:44,860 --> 00:38:49,140
Someone still has to open ServiceNow, create tasks, chase approvals and record evidence.

849
00:38:49,140 --> 00:38:51,140
Copilot can find the right knowledge article.

850
00:38:51,140 --> 00:38:52,140
Great.

851
00:38:52,140 --> 00:38:55,580
First, to execute the onboarding workflow and enforce identity gates.

852
00:38:55,580 --> 00:38:57,860
Retrieval without execution is just faster browsing.

853
00:38:57,860 --> 00:39:02,380
This is the line where most enterprises get stuck, because moving from read to write forces

854
00:39:02,380 --> 00:39:04,420
three ugly conversations.

855
00:39:04,420 --> 00:39:07,820
First, permissions. Read can tolerate broad access patterns, write cannot.

856
00:39:07,820 --> 00:39:11,540
When you let something create or update records, you are delegating authority.

857
00:39:11,540 --> 00:39:15,340
And authority needs least privilege, explicit scope, and revocation paths.

858
00:39:15,340 --> 00:39:19,180
Otherwise the integration account becomes a permanent super user, and you've created a

859
00:39:19,180 --> 00:39:21,340
bot-shaped insider threat.

860
00:39:21,340 --> 00:39:22,340
You need audit.

861
00:39:22,340 --> 00:39:26,300
If a workflow step gets approved from Teams, you need to know who approved it, under what

862
00:39:26,300 --> 00:39:29,860
identity, with what context, and what record state changed as a result.

863
00:39:29,860 --> 00:39:34,740
If you can't prove that, you didn't automate approvals, you created an un-auditable bypass

864
00:39:34,740 --> 00:39:36,340
with a nicer interface.

865
00:39:36,340 --> 00:39:38,980
Third, change control and blast radius.

866
00:39:38,980 --> 00:39:41,900
Read failures are annoying, write failures are incidents.

867
00:39:41,900 --> 00:39:45,420
The moment actions can be triggered from the engagement layer, you need to think like

868
00:39:45,420 --> 00:39:46,820
an architect.

869
00:39:46,820 --> 00:39:51,300
How do you limit scope, monitor behavior, roll back mistakes, and keep the system

870
00:39:51,300 --> 00:39:52,300
deterministic?

871
00:39:52,300 --> 00:39:55,060
So the sane operating stance is phased.

872
00:39:55,060 --> 00:39:59,300
Start with search and read-only surfaces to reduce context switching and prove adoption.

873
00:39:59,300 --> 00:40:04,780
Clean up knowledge hygiene because AI search will amplify whatever mess you already have.

874
00:40:04,780 --> 00:40:09,300
Then graduate to governed actions, a limited set of requests, updates, and approvals where

875
00:40:09,300 --> 00:40:12,700
workflow state remains authoritative in ServiceNow.

876
00:40:12,700 --> 00:40:16,820
Writes are supervised at first because supervised writes are entropy control.

877
00:40:16,820 --> 00:40:19,580
Only then do you talk about agentic execution.

878
00:40:19,580 --> 00:40:22,980
Those agents that can write without guardrails aren't helpful.

879
00:40:22,980 --> 00:40:24,460
They are probabilistic operators.

880
00:40:24,460 --> 00:40:28,060
The integration reality stripped of the sales gloss is this.

881
00:40:28,060 --> 00:40:31,660
Microsoft can be the best front end your enterprise has ever had.

882
00:40:31,660 --> 00:40:35,340
ServiceNow has to remain the execution engine your enterprise can defend.

883
00:40:35,340 --> 00:40:39,700
If you can't separate answering from acting, you will automate, but you'll automate the

884
00:40:39,700 --> 00:40:41,900
wrong thing.

885
00:40:41,900 --> 00:40:45,660
Copilot plus Now Assist, two brains, two jurisdictions.

886
00:40:45,660 --> 00:40:49,860
Now we get to the part everyone wants to skip to, Copilot and Now Assist, two assistants,

887
00:40:49,860 --> 00:40:53,820
two brands, two demos where someone types a sentence and the system politely pretends

888
00:40:53,820 --> 00:40:55,620
enterprise execution is simple.

889
00:40:55,620 --> 00:40:56,700
Here's the correct framing.

890
00:40:56,700 --> 00:40:58,940
These are two brains with two jurisdictions.

891
00:40:58,940 --> 00:41:03,460
And if you don't define jurisdiction, you get a constitutional crisis at scale.

892
00:41:03,460 --> 00:41:06,580
Copilot's jurisdiction is the Microsoft productivity estate.

893
00:41:06,580 --> 00:41:10,740
It understands meetings, mail, chats, files, calendars, and the messy human context that

894
00:41:10,740 --> 00:41:12,500
lives inside M365.

895
00:41:12,500 --> 00:41:16,380
It's good at turning unstructured intent into something coherent.

896
00:41:16,380 --> 00:41:20,380
Summaries, action items, drafts, and "what did we decide in that meeting?"

897
00:41:20,380 --> 00:41:22,300
It reduces the cost of thinking and searching.

898
00:41:22,300 --> 00:41:25,780
Now Assist's jurisdiction is ServiceNow operational reality.

899
00:41:25,780 --> 00:41:30,620
It understands records, workflows, knowledge bases, catalog items, case history, assignment

900
00:41:30,620 --> 00:41:34,100
groups, SLAs and the governed state machine that actually moves work.

901
00:41:34,100 --> 00:41:37,940
It's good at turning operational context into controlled next steps.

902
00:41:37,940 --> 00:41:43,180
Occasion, routing, suggested actions, response drafting, and workflow-aware assistance for agents.

903
00:41:43,180 --> 00:41:47,100
So if you want a single sentence that doesn't lie: Copilot is fluent in human context.

904
00:41:47,100 --> 00:41:49,260
Now Assist is fluent in operational state.

905
00:41:49,260 --> 00:41:52,700
That's why two assistants is not redundancy, it's separation of concerns.

906
00:41:52,700 --> 00:41:55,140
But it's also where organizations make a classic mistake.

907
00:41:55,140 --> 00:41:58,100
They assume the assistant that can talk should also be allowed to write.

908
00:41:58,100 --> 00:42:02,380
That's how you get AI actions that are really just permission drift wearing a lab coat.

909
00:42:02,380 --> 00:42:05,900
The integration pattern that actually survives audit is a handoff model.

910
00:42:05,900 --> 00:42:08,660
It operates in Teams as the engagement surface.

911
00:42:08,660 --> 00:42:13,660
It captures the request in human terms, pulls relevant Microsoft context, and then hands

912
00:42:13,660 --> 00:42:17,100
off to ServiceNow when the next step requires workflow state.

913
00:42:17,100 --> 00:42:20,820
That handoff can look like a ServiceNow card, a linked record, or a guided request flow

914
00:42:20,820 --> 00:42:23,980
that lands inside the ServiceNow workflow engine.

915
00:42:23,980 --> 00:42:26,060
Now Assist does the inverse when needed.

916
00:42:26,060 --> 00:42:30,820
From inside ServiceNow, it can call Microsoft context to help with communication artifacts,

917
00:42:30,820 --> 00:42:35,820
drafting an incident update email, generating a PowerPoint summary for leadership, or pulling

918
00:42:35,820 --> 00:42:37,700
relevant meeting notes.

919
00:42:37,700 --> 00:42:42,580
Without pretending that the Microsoft artifact is the authoritative record of the incident.

920
00:42:42,580 --> 00:42:44,940
This is not one AI to rule them all.

921
00:42:44,940 --> 00:42:46,660
It's two assistants that delegate properly.

922
00:42:46,660 --> 00:42:50,460
Now the hidden complexity is not the models, it's grounding and permissions.

923
00:42:50,460 --> 00:42:53,540
Grounding is the question of what the assistant is allowed to know.

924
00:42:53,540 --> 00:42:56,060
And what sources it uses to generate an answer.

925
00:42:56,060 --> 00:43:00,220
Copilot is grounded in Microsoft Graph, and whatever your tenant exposes through permissions

926
00:43:00,220 --> 00:43:01,220
and connectors.

927
00:43:01,220 --> 00:43:03,020
Now Assist is grounded in ServiceNow

928
00:43:03,020 --> 00:43:07,620
records and knowledge sources governed by ServiceNow access controls and user criteria.

929
00:43:07,620 --> 00:43:12,820
If you blur those boundaries, you get confident nonsense or worse, confident data leakage.

930
00:43:12,820 --> 00:43:14,060
Permissions are the harder landmine.

931
00:43:14,060 --> 00:43:18,220
Copilot can only act within the permissions of the user and the configured connectors.

932
00:43:18,220 --> 00:43:19,540
Same story with Now Assist.

933
00:43:19,540 --> 00:43:23,380
That sounds comforting until someone fixes a failing integration by giving the connector

934
00:43:23,380 --> 00:43:24,700
account broad access.

935
00:43:24,700 --> 00:43:26,340
Then it works, then nobody reduces it.

936
00:43:26,340 --> 00:43:29,740
Then you've created a silent super user that will outlive the project.

937
00:43:29,740 --> 00:43:32,540
That's not misconfiguration, that's design omission.

938
00:43:32,540 --> 00:43:35,740
This is where jurisdiction becomes a security control, not a diagram.

939
00:43:35,740 --> 00:43:40,060
The assistants can only be as safe as the identity and authorization model they operate under.

940
00:43:40,060 --> 00:43:42,500
And that brings you right back to the operating layer law.

941
00:43:42,500 --> 00:43:44,780
Read can be generous, write must be governed.

942
00:43:44,780 --> 00:43:46,260
So a sane design looks like this.

943
00:43:46,260 --> 00:43:50,580
Copilot can read ServiceNow context through connectors and summarize it for the user in Teams,

944
00:43:50,580 --> 00:43:52,460
low blast radius, high adoption.

945
00:43:52,460 --> 00:43:57,380
When the user wants to do something, create a request, approve a change, trigger containment.

946
00:43:57,380 --> 00:44:02,460
The system routes that into ServiceNow as a workflow step with explicit identity, logging

947
00:44:02,460 --> 00:44:03,980
and approval state.

948
00:44:03,980 --> 00:44:06,380
Writes are either supervised or constrained by policy.

949
00:44:06,380 --> 00:44:09,420
And if someone wants fully agentic behavior, "just take care of it,"

950
00:44:09,420 --> 00:44:10,860
The answer is still no.

951
00:44:10,860 --> 00:44:15,100
Not because AI is bad, because enterprises run on constrained authority, not vibes.

952
00:44:15,100 --> 00:44:18,220
So the power play isn't Microsoft versus ServiceNow assistants.

953
00:44:18,220 --> 00:44:21,740
The power play is who owns the next step when the assistant finishes talking.

954
00:44:21,740 --> 00:44:26,620
If Copilot closes a conversation but no workflow change state, you created a nicer chat experience.

955
00:44:26,620 --> 00:44:31,060
If Now Assist proposes an action, but it can't execute it under governance, you created

956
00:44:31,060 --> 00:44:32,340
better suggestions.

957
00:44:32,340 --> 00:44:36,660
The operating layer only exists when the state machine moves with evidence, two brains,

958
00:44:36,660 --> 00:44:38,140
two jurisdictions.

959
00:44:38,140 --> 00:44:42,220
And one non-negotiable boundary, the assistant can speak anywhere, but it can only write

960
00:44:42,220 --> 00:44:43,940
where you can audit it.

961
00:44:43,940 --> 00:44:49,380
AI changes who executes work, deterministic workflows versus probabilistic agents.

962
00:44:49,380 --> 00:44:53,940
Now the uncomfortable part, AI doesn't just change how work is requested, it changes who

963
00:44:53,940 --> 00:44:55,220
is executing work.

964
00:44:55,220 --> 00:44:59,660
And enterprises are about to learn the difference between deterministic systems and probabilistic

965
00:44:59,660 --> 00:45:00,660
ones the hard way.

966
00:45:00,660 --> 00:45:03,220
A deterministic workflow is boring on purpose.

967
00:45:03,220 --> 00:45:06,220
Given the same inputs, it produces the same outcome.

968
00:45:06,220 --> 00:45:11,820
Same routing, same approvals, same evidence requirements, same SLA timers, same escalation

969
00:45:11,820 --> 00:45:12,820
paths.

970
00:45:12,820 --> 00:45:14,260
It behaves like an authorization compiler.

971
00:45:14,260 --> 00:45:17,700
You feed it policy and state and it decides what's allowed next.

972
00:45:17,700 --> 00:45:19,420
A probabilistic agent is different.

973
00:45:19,420 --> 00:45:23,780
It interprets, it guesses, it ranks options, it can be right for the wrong reasons and

974
00:45:23,780 --> 00:45:25,540
it can be wrong with high confidence.

975
00:45:25,540 --> 00:45:26,540
That's not a flaw.

976
00:45:26,540 --> 00:45:28,260
That's the nature of LLM-based systems.

977
00:45:28,260 --> 00:45:31,220
They generate plausible output, not guaranteed truth.

978
00:45:31,220 --> 00:45:34,260
So the enterprise decision isn't AI or workflows.

979
00:45:34,260 --> 00:45:38,100
It's where does probabilistic behavior belong and where is it forbidden?

980
00:45:38,100 --> 00:45:41,300
AI belongs at the edges of the operating layer.

981
00:45:41,300 --> 00:45:46,180
Intake, summarization, classification suggestions, prioritization and drafting.

982
00:45:46,180 --> 00:45:49,500
It belongs anywhere the primary job is to reduce human cognitive load.

983
00:45:49,500 --> 00:45:53,620
AI does not belong as an unconstrained writer into your execution plane.

984
00:45:53,620 --> 00:45:56,740
Because once an agent can write, it can create state transitions.

985
00:45:56,740 --> 00:46:00,940
It can approve, it can provision access, it can close an incident, it can trigger containment,

986
00:46:00,940 --> 00:46:04,940
it can move money, it can change reality and that's the exact moment your organization

987
00:46:04,940 --> 00:46:06,580
stops being deterministic.

988
00:46:06,580 --> 00:46:08,220
You become probabilistic by design.

989
00:46:08,220 --> 00:46:11,180
This is why human in the loop isn't a temporary phase.

990
00:46:11,180 --> 00:46:14,700
It's the only sustainable operating model for write operations at scale.

991
00:46:14,700 --> 00:46:17,020
Read operations can move autonomous earlier.

992
00:46:17,020 --> 00:46:22,260
Let the assistant fetch records, summarize threads, draft responses and propose the next step.

993
00:46:22,260 --> 00:46:24,220
Read failures are annoying but survivable.

994
00:46:24,220 --> 00:46:26,260
They create confusion, not catastrophe.

995
00:46:26,260 --> 00:46:28,500
Read operations must start supervised.

996
00:46:28,500 --> 00:46:32,140
Every write needs an approval boundary, a logged identity and a rollback story.

997
00:46:32,140 --> 00:46:36,220
Not because compliance people are mean, because entropy is real and write access is the fastest

998
00:46:36,220 --> 00:46:37,540
way to manufacture it.

999
00:46:37,540 --> 00:46:42,620
So the pattern is simple, AI proposes, a workflow enforces, a human authorizes, the system

1000
00:46:42,620 --> 00:46:43,620
records.

1001
00:46:43,620 --> 00:46:45,980
Over time some writes can become more autonomous.

1002
00:46:45,980 --> 00:46:51,020
But only when you can prove that the action is low risk, reversible and observable.

1003
00:46:51,020 --> 00:46:53,620
That's not optimism, that's engineering discipline.

1004
00:46:53,620 --> 00:46:55,820
And this is where governance beats model quality.

1005
00:46:55,820 --> 00:46:57,980
People keep asking, is the model good enough?

1006
00:46:57,980 --> 00:46:59,700
Wrong question, models will improve.

1007
00:46:59,700 --> 00:47:01,180
Your governance won't fix itself.

1008
00:47:01,180 --> 00:47:05,060
If you don't build the guard rails now, you'll just accelerate your existing dysfunction

1009
00:47:05,060 --> 00:47:06,060
later.

1010
00:47:06,060 --> 00:47:10,380
Governance means least privilege for connectors and agents, explicit scopes, approval gates

1011
00:47:10,380 --> 00:47:13,820
for state changes and audit trails that survive executive turnover.

1012
00:47:13,820 --> 00:47:17,060
It also means you can answer the only question auditors care about.

1013
00:47:17,060 --> 00:47:19,900
Who did what, under what authority and why?

1014
00:47:19,900 --> 00:47:23,060
Rollback paths matter here more than anyone wants to admit.

1015
00:47:23,060 --> 00:47:27,300
If an agent creates a ServiceNow change record and schedules work, can you stop it?

1016
00:47:27,300 --> 00:47:29,980
If it grants access, can you revoke it automatically?

1017
00:47:29,980 --> 00:47:33,980
If it updates a security incident, can you reconstruct the exact sequence of actions without

1018
00:47:33,980 --> 00:47:35,220
relying on chat logs?

1019
00:47:35,220 --> 00:47:36,820
If you can't, you don't have automation.

1020
00:47:36,820 --> 00:47:38,940
You have accelerated risk.

1021
00:47:38,940 --> 00:47:42,140
This is why "AI inside workflows creates outcomes"

1022
00:47:42,140 --> 00:47:45,100
isn't a motivational line, it's an architectural constraint.

1023
00:47:45,100 --> 00:47:49,180
AI should live inside the workflow state machine, not beside it.

1024
00:47:49,180 --> 00:47:51,420
The workflow provides determinism.

1025
00:47:51,420 --> 00:47:54,140
Steps, gates, evidence and ownership.

1026
00:47:54,140 --> 00:47:58,180
AI provides judgment support: summarize, recommend and draft.

1027
00:47:58,180 --> 00:48:01,100
Together you get throughput without losing control.

1028
00:48:01,100 --> 00:48:04,260
Without the workflow, AI becomes a noise generator.

1029
00:48:04,260 --> 00:48:09,220
More suggestions, more messages, more help and no authoritative state change.

1030
00:48:09,220 --> 00:48:11,460
People feel busy, nothing finishes.

1031
00:48:11,460 --> 00:48:14,860
And when AI does start finishing things without workflows, it finishes them in whatever

1032
00:48:14,860 --> 00:48:16,740
way seems plausible at the time.

1033
00:48:16,740 --> 00:48:18,580
That's conditional chaos with better grammar.

1034
00:48:18,580 --> 00:48:22,940
So the strategic move for the enterprise isn't to chase fully autonomous agents.

1035
00:48:22,940 --> 00:48:27,780
The strategic move is to redesign execution so that autonomy is a controlled gradient.

1036
00:48:27,780 --> 00:48:32,540
Read-first autonomy, supervised writes, then selective automation where risk is bounded.

1037
00:48:32,540 --> 00:48:36,100
The system doesn't care about your intent, it only respects what you enforce.

1038
00:48:36,100 --> 00:48:40,180
Failure modes: workflow entropy, shadow automation and permission drift.

1039
00:48:40,180 --> 00:48:44,060
Every integration story sounds clean until it hits the three forces that always win in

1040
00:48:44,060 --> 00:48:45,460
the real enterprise.

1041
00:48:45,460 --> 00:48:47,700
Urgency, convenience and forgetting.

1042
00:48:47,700 --> 00:48:50,980
Those forces don't break platforms, they break your assumptions.

1043
00:48:50,980 --> 00:48:53,020
And they always express themselves the same way.

1044
00:48:53,020 --> 00:48:55,900
Workflow entropy, shadow automation and permission drift.

1045
00:48:55,900 --> 00:48:58,220
Workflow entropy is the quiet killer.

1046
00:48:58,220 --> 00:49:00,100
It starts as a temporary exception.

1047
00:49:00,100 --> 00:49:01,540
A manager needs access today.

1048
00:49:01,540 --> 00:49:05,660
A procurement approval gets rushed because quarter end, a change gets pushed without the

1049
00:49:05,660 --> 00:49:08,020
formal step because the outage clock is running.

1050
00:49:08,020 --> 00:49:09,820
Nobody thinks they're undermining governance.

1051
00:49:09,820 --> 00:49:11,420
They think they're being helpful.

1052
00:49:11,420 --> 00:49:13,820
Then that exception becomes the actual process.

1053
00:49:13,820 --> 00:49:17,260
Not because anyone chose it but because the exception path is faster than the policy

1054
00:49:17,260 --> 00:49:18,260
path.

1055
00:49:18,260 --> 00:49:21,460
People route around friction the same way water routes around rocks.

1056
00:49:21,460 --> 00:49:26,500
Over time your documented workflow becomes ceremonial and your real workflow becomes DM the

1057
00:49:26,500 --> 00:49:28,740
right person, get a thumbs up, move on.

1058
00:49:28,740 --> 00:49:33,220
That's why conditional access exceptions, emergency approvals and bypass routes are entropy

1059
00:49:33,220 --> 00:49:34,220
generators.

1060
00:49:34,220 --> 00:49:35,460
They don't just create one gap.

1061
00:49:35,460 --> 00:49:38,980
They teach the organization that state transitions are optional.

1062
00:49:38,980 --> 00:49:43,020
Once state transitions are optional, your system of action becomes a logging tool.

1063
00:49:43,020 --> 00:49:46,100
It records the mess after the fact; it doesn't control it.

1064
00:49:46,100 --> 00:49:48,220
The second failure mode is shadow automation.

1065
00:49:48,220 --> 00:49:51,340
This is where Teams and Power Automate become a parallel universe.

1066
00:49:51,340 --> 00:49:55,140
Someone builds a flow that posts a message to a channel when an email arrives.

1067
00:49:55,140 --> 00:49:58,260
Someone builds a form that creates a task list in Planner.

1068
00:49:58,260 --> 00:50:01,020
Someone wires up approvals in chat because it's just easier.

1069
00:50:01,020 --> 00:50:02,180
And on day one it works.

1070
00:50:02,180 --> 00:50:03,180
Of course it works.

1071
00:50:03,180 --> 00:50:04,860
Local automation always works locally.

1072
00:50:04,860 --> 00:50:07,940
The problem is what it displaces, governed orchestration.

1073
00:50:07,940 --> 00:50:09,940
Shadow automation doesn't fail because it's malicious.

1074
00:50:09,940 --> 00:50:11,420
It fails because it's unowned.

1075
00:50:11,420 --> 00:50:14,820
No life cycle, no audit story, no defined blast radius.

1076
00:50:14,820 --> 00:50:19,420
The builder leaves, the flow keeps running and the next incident response includes.

1077
00:50:19,420 --> 00:50:22,820
Nobody knows what triggers this but it's been doing it for months.

1078
00:50:22,820 --> 00:50:26,100
That's what happens when you treat the engagement plane as the execution plane.

1079
00:50:26,100 --> 00:50:30,340
Now the third failure mode is the one that makes security teams tired: permission drift.

1080
00:50:30,340 --> 00:50:35,340
Integrations require permissions, AI assistants require permissions, connectors require permissions.

1081
00:50:35,340 --> 00:50:39,380
And when something fails during setup, the quickest fix is always the same.

1082
00:50:39,380 --> 00:50:40,700
Just give it more access.

1083
00:50:40,700 --> 00:50:43,900
So you create an integration account, you grant broad Graph permissions,

1084
00:50:43,900 --> 00:50:47,540
you grant broad ServiceNow roles, you get the demo working, everyone claps,

1085
00:50:47,540 --> 00:50:49,780
then nobody goes back and reduces scope.

1086
00:50:49,780 --> 00:50:52,620
Six months later that account has more access than most humans.

1087
00:50:52,620 --> 00:50:56,900
It's a permanent super user with no human manager, no quarterly access review,

1088
00:50:56,900 --> 00:50:59,300
and no business owner who can explain why it exists.

1089
00:50:59,300 --> 00:51:02,860
That's not misconfiguration, that's architectural erosion.

1090
00:51:02,860 --> 00:51:04,820
And permission drift doesn't stay in one place.

1091
00:51:04,820 --> 00:51:05,540
It spreads.

1092
00:51:05,540 --> 00:51:08,540
A second connector gets deployed and reuses the same account.

1093
00:51:08,540 --> 00:51:09,860
A third flow depends on it.

1094
00:51:09,860 --> 00:51:12,940
Now you can't fix it without breaking business critical automation.

1095
00:51:12,940 --> 00:51:15,820
That's how security debt becomes operational dependency.

1096
00:51:15,820 --> 00:51:16,820
Here's the weird part.

1097
00:51:16,820 --> 00:51:19,500
AI accelerates all three failure modes.

1098
00:51:19,500 --> 00:51:24,300
Workflow entropy gets faster because AI makes it easier to justify exceptions.

1099
00:51:24,300 --> 00:51:25,900
Copilot says it's low risk.

1100
00:51:25,900 --> 00:51:31,700
Shadow automation gets faster because AI makes it easier to build flows without understanding the governance model.

1101
00:51:31,700 --> 00:51:35,340
Permission drift gets faster because agents that can act need permissions

1102
00:51:35,340 --> 00:51:37,620
and people will overscope them to avoid friction.

1103
00:51:37,620 --> 00:51:40,140
That's why AI without workflows creates noise.

1104
00:51:40,140 --> 00:51:42,380
But AI with bad workflows creates damage.

1105
00:51:42,380 --> 00:51:44,500
So the prevention strategy is not a checklist.

1106
00:51:44,500 --> 00:51:46,060
It's an operating stance you enforce.

1107
00:51:46,060 --> 00:51:48,540
First, treat exceptions as first class objects.

1108
00:51:48,540 --> 00:51:52,940
If someone needs a bypass, capture it as an exception in the workflow with a reason,

1109
00:51:52,940 --> 00:51:54,980
an approver, and an expiration.

1110
00:51:54,980 --> 00:51:56,900
No expiration means it's not an exception.

1111
00:51:56,900 --> 00:51:58,500
It's a hidden policy change.

1112
00:51:58,500 --> 00:52:02,100
Second, treat automations as production assets.

1113
00:52:02,100 --> 00:52:06,020
If it can write, it needs ownership, life cycle management, and controls.

1114
00:52:06,020 --> 00:52:07,580
Otherwise, it's a ghost system.

1115
00:52:07,580 --> 00:52:10,780
Third, treat permissions as temporary until proven otherwise.

1116
00:52:10,780 --> 00:52:12,300
Least privilege is not a principle.

1117
00:52:12,300 --> 00:52:13,620
It's entropy management.

1118
00:52:13,620 --> 00:52:17,540
If you don't continuously pull scope back, it will only expand.

1119
00:52:17,540 --> 00:52:19,580
The workflow-first operating model,

1120
00:52:19,580 --> 00:52:21,820
re-platform execution in phases.

1121
00:52:21,820 --> 00:52:24,660
So if the diagnosis is workflow fragmentation,

1122
00:52:24,660 --> 00:52:26,820
the treatment isn't buy more apps.

1123
00:52:26,820 --> 00:52:30,180
It's re-platforming execution, not migrating tickets,

1124
00:52:30,180 --> 00:52:32,020
not rolling out another chatbot,

1125
00:52:32,020 --> 00:52:34,060
re-platforming the operating layer,

1126
00:52:34,060 --> 00:52:37,500
where work starts, how it moves, who can change state,

1127
00:52:37,500 --> 00:52:40,060
and how the organization proves what happened later.

1128
00:52:40,060 --> 00:52:43,140
And the first step is the one everyone skips because it's not glamorous.

1129
00:52:43,140 --> 00:52:44,340
Mapping execution.

1130
00:52:44,340 --> 00:52:46,340
Not process mapping as a PowerPoint hobby.

1131
00:52:46,340 --> 00:52:47,420
Execution mapping.

1132
00:52:47,420 --> 00:52:48,900
Where does work actually begin?

1133
00:52:48,900 --> 00:52:50,300
What are the real approval gates?

1134
00:52:50,300 --> 00:52:51,500
What systems change state?

1135
00:52:51,500 --> 00:52:54,500
And what metrics define done across domains?

1136
00:52:54,500 --> 00:52:57,100
If you can't draw the end-to-end chain for onboarding,

1137
00:52:57,100 --> 00:53:00,180
incident containment, finance approvals, and emergency change,

1138
00:53:00,180 --> 00:53:01,300
you don't have processes.

1139
00:53:01,300 --> 00:53:02,060
You have traditions.

1140
00:53:02,060 --> 00:53:04,380
Now the split of ownership is non-negotiable.

1141
00:53:04,380 --> 00:53:07,500
ServiceNow owns workflow state, routing, audit, enforcement,

1142
00:53:07,500 --> 00:53:10,540
Microsoft owns collaboration, content, intent capture,

1143
00:53:10,540 --> 00:53:12,140
and the surfaces where humans live.

1144
00:53:12,140 --> 00:53:13,180
This is not a preference.

1145
00:53:13,180 --> 00:53:15,220
It's how you prevent authority drift.

1146
00:53:15,220 --> 00:53:17,620
Because the moment Teams becomes the authoritative system

1147
00:53:17,620 --> 00:53:21,220
for approvals or changes, you've turned chat into a control plane.

1148
00:53:21,220 --> 00:53:22,540
And chat is not a control plane.

1149
00:53:22,540 --> 00:53:23,460
It is not.

1150
00:53:23,460 --> 00:53:25,860
So the operating model is phased because enterprises

1151
00:53:25,860 --> 00:53:27,580
don't change in one cutover.

1152
00:53:27,580 --> 00:53:29,420
They degrade and improve in gradients.

1153
00:53:29,420 --> 00:53:31,380
Phase one is about reducing context switching

1154
00:53:31,380 --> 00:53:32,740
without moving authority.

1155
00:53:32,740 --> 00:53:35,100
This is where you embed ServiceNow into Teams,

1156
00:53:35,100 --> 00:53:37,100
surface records, and use search connectors

1157
00:53:37,100 --> 00:53:39,860
so people can find knowledge, incidents, and catalog items

1158
00:53:39,860 --> 00:53:41,060
from where they already work.

1159
00:53:41,060 --> 00:53:42,620
It's intentionally read heavy.

1160
00:53:42,620 --> 00:53:44,780
The goal is adoption and friction removal.

1161
00:53:44,780 --> 00:53:45,940
Fewer portals.

1162
00:53:45,940 --> 00:53:47,300
Fewer, where do I do this?

1163
00:53:47,300 --> 00:53:49,860
Fewer screenshots as status updates.

1164
00:53:49,860 --> 00:53:52,060
But it's also where you clean your knowledge hygiene.

1165
00:53:52,060 --> 00:53:54,700
Because AI search will amplify whatever mess you've allowed

1166
00:53:54,700 --> 00:53:55,420
to accumulate.

1167
00:53:55,420 --> 00:53:58,340
If the knowledge base is stale, your new AI assistant

1168
00:53:58,340 --> 00:54:01,020
will simply produce confident stale answers at scale.

1169
00:54:01,020 --> 00:54:02,060
That's not transformation.

1170
00:54:02,060 --> 00:54:04,420
That's automated misinformation.

1171
00:54:04,420 --> 00:54:06,300
Phase two is governed actions.

1172
00:54:06,300 --> 00:54:09,660
This is where you stop pretending that retrieval equals execution.

1173
00:54:09,660 --> 00:54:11,260
Pick a small set of write paths that

1174
00:54:11,260 --> 00:54:12,940
map cleanly to workflows.

1175
00:54:12,940 --> 00:54:15,340
Submit a catalog request, update an incident,

1176
00:54:15,340 --> 00:54:18,100
approve a step, escalate a case, open a change.

1177
00:54:18,100 --> 00:54:20,300
Then make those writes flow through ServiceNow

1178
00:54:20,300 --> 00:54:22,180
as authoritative state transitions.

1179
00:54:22,180 --> 00:54:24,020
The user can click approve in Teams.

1180
00:54:24,020 --> 00:54:24,700
Fine.

1181
00:54:24,700 --> 00:54:27,180
But the approval must land as a workflow transition

1182
00:54:27,180 --> 00:54:29,180
in ServiceNow tied to identity,

1183
00:54:29,180 --> 00:54:30,860
logged, and constrained by policy.

1184
00:54:30,860 --> 00:54:32,780
The engagement plane can host the button.

1185
00:54:32,780 --> 00:54:34,460
The execution plane owns the truth.

1186
00:54:34,460 --> 00:54:36,900
This is also where you enforce least privilege, like you mean it.

1187
00:54:36,900 --> 00:54:39,180
Integration accounts don't get broad access

1188
00:54:39,180 --> 00:54:40,660
because someone had a demo deadline.

1189
00:54:40,660 --> 00:54:43,780
Agents don't get write scope just because it's easier.

1190
00:54:43,780 --> 00:54:45,860
Every connector and assistant gets scoped

1191
00:54:45,860 --> 00:54:47,820
to the minimum set of actions required.

1192
00:54:47,820 --> 00:54:50,620
And it gets reviewed like any other privileged identity.

1193
00:54:50,620 --> 00:54:52,580
Because permissions are not a set-up step.

1194
00:54:52,580 --> 00:54:54,100
They are an operational liability.

1195
00:54:54,100 --> 00:54:56,220
Phase three is agentic execution.

1196
00:54:56,220 --> 00:54:57,940
And it's where most organizations rush

1197
00:54:57,940 --> 00:54:59,660
because the demos look magical.

1198
00:54:59,660 --> 00:55:01,260
But agentic execution only works

1199
00:55:01,260 --> 00:55:02,940
when two conditions are already true.

1200
00:55:02,940 --> 00:55:04,500
The workflow state machine is clean

1201
00:55:04,500 --> 00:55:06,140
and the write controls are enforceable.

1202
00:55:06,140 --> 00:55:07,620
Otherwise, you're not deploying agents.

1203
00:55:07,620 --> 00:55:09,340
You're deploying entropy accelerators.

1204
00:55:09,340 --> 00:55:10,380
So the rule is simple.

1205
00:55:10,380 --> 00:55:12,500
Autonomous reads can expand quickly.

1206
00:55:12,500 --> 00:55:14,460
Supervised writes expand slowly.

1207
00:55:14,460 --> 00:55:16,700
And only after you've proven that an action is low risk,

1208
00:55:16,700 --> 00:55:19,220
reversible and observable does it earn more autonomy.

1209
00:55:19,220 --> 00:55:22,060
This is also where observability stops being optional.

1210
00:55:22,060 --> 00:55:24,420
If an agent can propose actions, you need to see what it

1211
00:55:24,420 --> 00:55:26,660
proposed, what was approved, what it executed,

1212
00:55:26,660 --> 00:55:27,900
and what changed as a result.

1213
00:55:27,900 --> 00:55:30,540
You need traceability across Microsoft and ServiceNow,

1214
00:55:30,540 --> 00:55:33,260
the intent source, the workflow state and the outcome record.

1215
00:55:33,260 --> 00:55:35,780
If you can't reconstruct the chain, you have no governance.

1216
00:55:35,780 --> 00:55:37,020
You have vibes.

1217
00:55:37,020 --> 00:55:38,580
And the biggest architectural discipline

1218
00:55:38,580 --> 00:55:39,980
in this whole model is rollback.

1219
00:55:39,980 --> 00:55:43,140
Workflows without rollback are just scripted confidence.

1220
00:55:43,140 --> 00:55:46,340
Every write path needs an undo story: revoke access,

1221
00:55:46,340 --> 00:55:49,820
cancel procurement, roll back a change, reopen the incident,

1222
00:55:49,820 --> 00:55:50,980
restore the prior state.

1223
00:55:50,980 --> 00:55:53,700
Otherwise, your automation becomes a one-way door.

1224
00:55:53,700 --> 00:55:56,580
And one-way doors are how incidents become outages.

1225
00:55:56,580 --> 00:55:58,420
So the workflow-first operating model

1226
00:55:58,420 --> 00:56:00,900
is basically enterprise humility formalized,

1227
00:56:00,900 --> 00:56:04,300
humans generate intent in Microsoft, systems execute intent

1228
00:56:04,300 --> 00:56:07,020
in ServiceNow, AI accelerates the edges, not the center,

1229
00:56:07,020 --> 00:56:08,740
and control is what survives pressure.

1230
00:56:08,740 --> 00:56:11,820
That's the point, not convenience, not novelty.

1231
00:56:11,820 --> 00:56:14,380
Control that still works when people are tired, urgent,

1232
00:56:14,380 --> 00:56:15,700
and improvising.

1233
00:56:15,700 --> 00:56:18,660
Execution throughput is the actual power play.

1234
00:56:18,660 --> 00:56:21,500
The power play isn't Copilot versus Now Assist.

1235
00:56:21,500 --> 00:56:23,140
It's building an operating layer

1236
00:56:23,140 --> 00:56:26,300
where intent becomes governed execution every time.

1237
00:56:26,300 --> 00:56:29,220
If you want the next episode, it's on where governance fails first,

1238
00:56:29,220 --> 00:56:32,540
identity connectors or quick exceptions that become policy.

1239
00:56:32,540 --> 00:56:34,740
Subscribe and watch that one next.