Stop Managing Features: Rethinking Cloud Governance as Architecture

1
00:00:00,000 --> 00:00:05,480
Hello, my name is Milco Peters, and I translate how technology actually shapes business reality.

2
00:00:05,480 --> 00:00:09,800
Most organizations think governance fails because people ignore policy, but that is just

3
00:00:09,800 --> 00:00:13,440
a comfortable story we tell to protect leadership from a much harder truth.

4
00:00:13,440 --> 00:00:17,200
In almost every case, the governance was already there, the policy existed, the owners were

5
00:00:17,200 --> 00:00:19,440
named, and the controls were fully documented.

6
00:00:19,440 --> 00:00:23,320
Even with all those boxes checked, the system still failed to produce the result everyone

7
00:00:23,320 --> 00:00:24,320
expected.

8
00:00:24,320 --> 00:00:28,560
Copilot made that failure impossible to hide because it didn't just break security or create

9
00:00:28,560 --> 00:00:30,680
some brand new version of digital chaos.

10
00:00:30,680 --> 00:00:34,440
It simply surfaced what the organization had already made possible by bringing sensitive

11
00:00:34,440 --> 00:00:39,320
content, inherited access, and dark data into view at conversational speed.

12
00:00:39,320 --> 00:00:43,040
So this episode is about why smart organizations still get governance wrong even when they

13
00:00:43,040 --> 00:00:47,160
take it seriously, and more importantly we are going to look at the model that explains

14
00:00:47,160 --> 00:00:48,760
why this happens.

15
00:00:48,760 --> 00:00:52,720
Let me take one step back and explain why this keeps happening.

16
00:00:52,720 --> 00:00:54,000
The familiar story.

17
00:00:54,000 --> 00:00:55,680
Leaders keep misreading.

18
00:00:55,680 --> 00:00:59,000
Here is the familiar story that plays out in boardrooms every single day.

19
00:00:59,000 --> 00:01:03,240
A governance initiative starts with real intent, which leads to workshops, decision papers,

20
00:01:03,240 --> 00:01:07,360
and steering groups filled with people from IT, compliance, security, and the business.

21
00:01:07,360 --> 00:01:11,320
The framework gets approved where naming conventions are defined and classification rules

22
00:01:11,320 --> 00:01:15,560
are agreed upon, and then maybe some provisioning rules or approval workflows get added to

23
00:01:15,560 --> 00:01:16,560
the mix.

24
00:01:16,560 --> 00:01:21,320
At that point everyone in the room feels like the organization is finally being responsible,

25
00:01:21,320 --> 00:01:23,840
and to be fair that feeling isn't entirely irrational.

26
00:01:23,840 --> 00:01:27,800
On the outside these programs look mature because there is a clear structure, there is defined

27
00:01:27,800 --> 00:01:31,720
ownership, and there are slides that map every control to a specific risk.

28
00:01:31,720 --> 00:01:35,320
You can find policy documents explaining exactly how information should be shared or how

29
00:01:35,320 --> 00:01:39,760
retention should work, and if you audit those documents, the organization looks incredibly

30
00:01:39,760 --> 00:01:40,760
disciplined.

31
00:01:40,760 --> 00:01:41,760
But then business reality shows up.

32
00:01:41,760 --> 00:01:45,240
A project team needs a workspace immediately, a regional leader needs to share a file with

33
00:01:45,240 --> 00:01:49,880
an outside partner or a transformation program needs a way to coordinate across five different

34
00:01:49,880 --> 00:01:50,880
departments.

35
00:01:50,880 --> 00:01:55,840
A manager wants to try co-pilot to save time, someone in finance needs access to old records,

36
00:01:55,840 --> 00:01:59,840
and suddenly that nice, controlled governance model hits the actual speed of work.

37
00:01:59,840 --> 00:02:01,600
This is where the system starts to split.

38
00:02:01,600 --> 00:02:05,360
The official path is much slower than people expected, and the ownership model is usually

39
00:02:05,360 --> 00:02:08,080
less clear than it looked during the initial workshop.

40
00:02:08,080 --> 00:02:11,800
The approval chain depends on people who are already too busy to respond, which means

41
00:02:11,800 --> 00:02:15,840
the standards make sense on paper, but fail, the moment delivery pressure hits the team,

42
00:02:15,840 --> 00:02:16,920
and why is that?

43
00:02:16,920 --> 00:02:21,760
It happens because governance is being evaluated in theory while work is being executed in reality.

44
00:02:21,760 --> 00:02:26,200
That gap is where most leaders misread the problem, so they see a bypass and assume the

45
00:02:26,200 --> 00:02:28,600
issue is a lack of discipline among the staff.

46
00:02:28,600 --> 00:02:33,280
They see inconsistent adoption, and assume the solution is more training, or they see confusion

47
00:02:33,280 --> 00:02:36,440
and blame the complexity of the Microsoft ecosystem.

48
00:02:36,440 --> 00:02:40,480
The response becomes predictable, leading to more communication, more awareness sessions,

49
00:02:40,480 --> 00:02:44,560
another policy refresh, and yet another review meeting that nobody wants to attend.

50
00:02:44,560 --> 00:02:47,880
And here's the thing, if the behavior of the people inside the system doesn't change,

51
00:02:47,880 --> 00:02:50,240
the governance model was never actually operational.

52
00:02:50,240 --> 00:02:52,000
It was descriptive rather than decisive.

53
00:02:52,000 --> 00:02:56,480
This clicked for me years ago when I kept seeing the same pattern in different organizations

54
00:02:56,480 --> 00:02:59,440
where the people were serious and the risks were undeniably real.

55
00:02:59,440 --> 00:03:03,240
The intent was strong, yet the outcome looked weak because the mechanics were partial,

56
00:03:03,240 --> 00:03:05,720
and the system around the user had not actually changed.

57
00:03:05,720 --> 00:03:09,640
Let's say the policy says every team should be created through a governed process with naming

58
00:03:09,640 --> 00:03:12,440
and life cycle management built in from the start.

59
00:03:12,440 --> 00:03:13,680
That is a great intent.

60
00:03:13,680 --> 00:03:17,960
And if the real process takes days and requires multiple handoffs, the organization has quietly

61
00:03:17,960 --> 00:03:21,160
taught people that official governance is just a delay.

62
00:03:21,160 --> 00:03:25,840
It has taught them that speed lives somewhere outside the rules, and that is not a communication

63
00:03:25,840 --> 00:03:26,840
problem.

64
00:03:26,840 --> 00:03:27,840
It is a design problem.

65
00:03:27,840 --> 00:03:30,400
Once that pattern starts, it gets expensive fast.

66
00:03:30,400 --> 00:03:34,480
Governance stops being an administrative concern and becomes an operating model concern,

67
00:03:34,480 --> 00:03:38,280
where decisions slow down and exceptions begin to multiply.

68
00:03:38,280 --> 00:03:40,320
Records fragment across the environment.

69
00:03:40,320 --> 00:03:44,480
Active content spreads with inconsistent controls and eventually trust drops while everyone

70
00:03:44,480 --> 00:03:47,440
starts pointing fingers at IT or the software.

71
00:03:47,440 --> 00:03:49,800
But the system is doing exactly what it was set up to do.

72
00:03:49,800 --> 00:03:53,760
It is just not aligned with the reality of how the business functions.

73
00:03:53,760 --> 00:03:55,320
That is the part leaders need to see.

74
00:03:55,320 --> 00:03:59,840
When governance exists, mainly as a document set, it creates a false sense of confidence

75
00:03:59,840 --> 00:04:03,160
without creating any actual control over the environment.

76
00:04:03,160 --> 00:04:07,760
It produces formal maturity and operational fragility at the same time, which is dangerous

77
00:04:07,760 --> 00:04:10,120
because the organization thinks it is protected.

78
00:04:10,120 --> 00:04:12,000
It up until scale exposes the weakness.

79
00:04:12,000 --> 00:04:15,920
Copilot is doing that now and AI agents will do it even faster because once discovery and

80
00:04:15,920 --> 00:04:19,480
action speed up, any structural weakness in your data gets amplified.

81
00:04:19,480 --> 00:04:23,960
Access problems quickly become visibility problems, which turn into trust problems that

82
00:04:23,960 --> 00:04:26,560
eventually destroy your adoption rates.

83
00:04:26,560 --> 00:04:30,680
So when a governance program looks good in launch month but falls apart by month three,

84
00:04:30,680 --> 00:04:31,680
that isn't a surprise.

85
00:04:31,680 --> 00:04:32,960
It is a system outcome.

86
00:04:32,960 --> 00:04:37,560
And once you see that, the next failure pattern becomes much easier to understand.

87
00:04:37,560 --> 00:04:38,560
Failure pattern one.

88
00:04:38,560 --> 00:04:40,080
AI does not create chaos.

89
00:04:40,080 --> 00:04:41,120
It reveals it.

90
00:04:41,120 --> 00:04:44,840
The first failure pattern is something a lot of leaders are only now starting to understand.

91
00:04:44,840 --> 00:04:46,400
AI did not create the mess.

92
00:04:46,400 --> 00:04:48,320
It revealed the mess.

93
00:04:48,320 --> 00:04:52,440
That distinction matters because if you misread the cause, you build the wrong response.

94
00:04:52,440 --> 00:04:55,920
And that is exactly what many organizations are doing right now with Copilot.

95
00:04:55,920 --> 00:04:59,640
They see an uncomfortable output or a surprising prompt result.

96
00:04:59,640 --> 00:05:03,800
And when a document reference feels too broad, they react as if the AI became reckless.

97
00:05:03,800 --> 00:05:07,360
But that is not what happened because the AI simply respected the environment it was

98
00:05:07,360 --> 00:05:08,360
given.

99
00:05:08,360 --> 00:05:11,680
That Copilot works inside the permission model you already have.

100
00:05:11,680 --> 00:05:13,040
It does not invent access.

101
00:05:13,040 --> 00:05:17,120
It does not break your controls and it does not go rogue to open protected files.

102
00:05:17,120 --> 00:05:20,960
Instead, it surfaces what the organization had already made reachable through years of

103
00:05:20,960 --> 00:05:24,600
accumulated sharing inheritance, loose ownership and forgotten decisions.

104
00:05:24,600 --> 00:05:26,320
That is what makes this so uncomfortable.

105
00:05:26,320 --> 00:05:29,960
If there had been a breach, the story would feel easier because there would be an attacker

106
00:05:29,960 --> 00:05:32,680
and a clean line between what is safe and unsafe.

107
00:05:32,680 --> 00:05:34,400
But that is not the reality here.

108
00:05:34,400 --> 00:05:37,160
Since the exposure is internal, quiet and structural.

109
00:05:37,160 --> 00:05:41,280
In many cases, the access is completely legitimate from a technical permission perspective.

110
00:05:41,280 --> 00:05:43,560
From a system perspective, that is not just risky.

111
00:05:43,560 --> 00:05:45,040
It is revealing.

112
00:05:45,040 --> 00:05:49,600
For years, a lot of dark data stayed dark because the friction of finding it was high and

113
00:05:49,600 --> 00:05:52,200
the user would have needed to know exactly where to look.

114
00:05:52,200 --> 00:05:55,720
They would have needed the right folder, the right site or the specific project space.

115
00:05:55,720 --> 00:05:58,360
So while overexposure existed, it remained latent.

116
00:05:58,360 --> 00:06:02,800
The access problem was always there, but it stayed hidden behind search effort and human

117
00:06:02,800 --> 00:06:03,800
forgetfulness.

118
00:06:03,800 --> 00:06:05,600
Now map that to how we work today.

119
00:06:05,600 --> 00:06:08,960
A conversational interface changes the visibility model entirely.

120
00:06:08,960 --> 00:06:14,040
A single prompt can pull across SharePoint, Teams, OneDrive and Outlook, which means dark data

121
00:06:14,040 --> 00:06:18,640
stops being an archive problem and becomes an active discovery problem.

122
00:06:18,640 --> 00:06:23,760
Old permissions become current exposure, inherited access becomes conversational access and content

123
00:06:23,760 --> 00:06:27,320
people forgot existed suddenly starts shaping decisions.

124
00:06:27,320 --> 00:06:31,880
The thing most people miss is this, AI respects permissions and that is exactly why the exposure

125
00:06:31,880 --> 00:06:32,880
matters.

126
00:06:32,880 --> 00:06:36,440
The organization cannot blame a broken control plane because the control plane is functioning

127
00:06:36,440 --> 00:06:37,880
exactly as intended.

128
00:06:37,880 --> 00:06:41,960
The real problem is that the access model underneath it was never clean enough for AI scale

129
00:06:41,960 --> 00:06:42,960
discovery.

130
00:06:42,960 --> 00:06:47,800
So when leaders say co-pilot only shows what users already had access to, they are usually

131
00:06:47,800 --> 00:06:49,120
trying to calm the room.

132
00:06:49,120 --> 00:06:52,520
Structurally that statement should do the opposite because it proves the weakness was already

133
00:06:52,520 --> 00:06:53,520
there.

134
00:06:53,520 --> 00:06:55,560
And once users see that weakness, trust drops fast.

135
00:06:55,560 --> 00:06:58,080
It is not because the outputs are technically wrong.

136
00:06:58,080 --> 00:07:00,080
It is because they are correct in the wrong way.

137
00:07:00,080 --> 00:07:02,440
That is a very different kind of governance problem.

138
00:07:02,440 --> 00:07:06,240
If co-pilot gives the wrong answer, people complain about quality, but if it gives a correct

139
00:07:06,240 --> 00:07:08,800
answer based on content, they didn't realize they could reach.

140
00:07:08,800 --> 00:07:11,160
They start questioning the environment itself.

141
00:07:11,160 --> 00:07:15,040
They stop asking whether the tool is smart and start asking whether the organization has

142
00:07:15,040 --> 00:07:17,640
any real control over its own information estate.

143
00:07:17,640 --> 00:07:19,560
That is where adoption gets fragile.

144
00:07:19,560 --> 00:07:22,880
Research in this space keeps pointing to the same structural pressure.

145
00:07:22,880 --> 00:07:28,720
70% of sea suites are encouraging AI use in Microsoft 365, yet 53% of admin teams say

146
00:07:28,720 --> 00:07:31,360
deployment is outpacing their governance efforts.

147
00:07:31,360 --> 00:07:35,420
The business is accelerating into an environment that operations teams already know is not

148
00:07:35,420 --> 00:07:37,560
fully ready for this level of transparency.

149
00:07:37,560 --> 00:07:38,800
That gap is not a tool problem.

150
00:07:38,800 --> 00:07:40,320
It is an operating speed mismatch.

151
00:07:40,320 --> 00:07:45,440
Once that mismatch exists, every new AI capability multiplies the effect through more

152
00:07:45,440 --> 00:07:49,320
summarization, more synthesis, and more autonomous agents.

153
00:07:49,320 --> 00:07:52,960
The issue is not simply that people can find things faster, but rather that the cost of

154
00:07:52,960 --> 00:07:55,000
an untidy environment has changed.

155
00:07:55,000 --> 00:07:58,400
What used to be tolerated as background complexity now becomes visible business risk

156
00:07:58,400 --> 00:07:59,400
at scale.

157
00:07:59,400 --> 00:08:01,680
Co-pilot makes your environment feel chaotic.

158
00:08:01,680 --> 00:08:04,320
The right conclusion is not that AI created chaos.

159
00:08:04,320 --> 00:08:08,080
The right conclusion is that AI removed the hiding place, and once leaders see that clearly

160
00:08:08,080 --> 00:08:10,880
the next mistake gets even more expensive.

161
00:08:10,880 --> 00:08:12,040
The hook example.

162
00:08:12,040 --> 00:08:16,280
When co-pilot starts answering the wrong questions correctly, let me make this concrete because

163
00:08:16,280 --> 00:08:19,000
this is where the issue stops sounding abstract.

164
00:08:19,000 --> 00:08:23,280
An executive team rolls out co-pilot and the pilot looks successful, with early users

165
00:08:23,280 --> 00:08:26,080
impressed by how much time they save in outlook.

166
00:08:26,080 --> 00:08:30,360
Having summaries are useful, drafting gets faster, and search feels smarter, making it look

167
00:08:30,360 --> 00:08:34,240
like one of those rare technology moments where the promise is actually real.

168
00:08:34,240 --> 00:08:37,880
Then someone asks a normal question, maybe it is about headcount shifts, maybe it is about

169
00:08:37,880 --> 00:08:42,720
budget assumptions, maybe it is a summary request around a restructuring effort, and co-pilot

170
00:08:42,720 --> 00:08:43,720
responds well.

171
00:08:43,720 --> 00:08:44,880
Too well.

172
00:08:44,880 --> 00:08:48,920
It pulls in fragments from an HR document people assumed was private, or it references

173
00:08:48,920 --> 00:08:52,800
finance material inherited through old access paths that were never closed.

174
00:08:52,800 --> 00:08:56,720
It connects content from a sharepoint side nobody reviewed in years along with a team's

175
00:08:56,720 --> 00:08:59,040
thread that should never have been broadly reachable.

176
00:08:59,040 --> 00:09:02,160
The answer is coherent, useful, and structurally wrong.

177
00:09:02,160 --> 00:09:03,720
It is not because the answer is false.

178
00:09:03,720 --> 00:09:08,080
It is because it is correct on top of an exposure model, the organization no longer wants

179
00:09:08,080 --> 00:09:09,080
to defend.

180
00:09:09,080 --> 00:09:11,520
That is the moment leaders need to understand.

181
00:09:11,520 --> 00:09:15,520
This is not malicious behavior, it is not an external breach, and it is certainly not

182
00:09:15,520 --> 00:09:17,240
proof that the AI is broken.

183
00:09:17,240 --> 00:09:18,720
It is a system outcome.

184
00:09:18,720 --> 00:09:23,080
Examples of inherited access and convenience-based collaboration have been compressed into a single

185
00:09:23,080 --> 00:09:27,880
interface, so what used to be spread across forgotten workspaces now arrives as one clean

186
00:09:27,880 --> 00:09:29,120
response.

187
00:09:29,120 --> 00:09:33,160
Because the answer is fluent, the organization experiences the exposure more sharply than

188
00:09:33,160 --> 00:09:34,160
ever before.

189
00:09:34,160 --> 00:09:36,920
The issue is no longer buried in the structure because now it speaks back.

190
00:09:36,920 --> 00:09:39,640
That changes the politics of governance immediately.

191
00:09:39,640 --> 00:09:44,440
Before co-pilot, overexposure could survive, because it was mostly invisible and technically

192
00:09:44,440 --> 00:09:47,120
reachable, but not easy to assemble or notice.

193
00:09:47,120 --> 00:09:51,600
Now the experience is different since a user does not need to understand permission inheritance

194
00:09:51,600 --> 00:09:54,200
or remember an old team name to get results.

195
00:09:54,200 --> 00:09:58,360
They ask in plain language, and the system returns exactly what the environment allows.

196
00:09:58,360 --> 00:10:00,520
This is why the wrong questions matter so much.

197
00:10:00,520 --> 00:10:02,360
The questions themselves are often ordinary.

198
00:10:02,360 --> 00:10:06,000
Nobody is trying to break policy, and nobody is sitting there acting like an attacker.

199
00:10:06,000 --> 00:10:07,400
They are just working.

200
00:10:07,400 --> 00:10:11,240
When ordinary works start surfacing extraordinary exposure, governance stops being a policy

201
00:10:11,240 --> 00:10:14,040
debate and becomes an executive credibility issue.

202
00:10:14,040 --> 00:10:16,240
There is a number that should make this land harder.

203
00:10:16,240 --> 00:10:20,800
In some environments, over 40% of co-pilot responses reference content users did not realize

204
00:10:20,800 --> 00:10:21,800
they could access.

205
00:10:21,800 --> 00:10:23,120
Just sit with that for a second.

206
00:10:23,120 --> 00:10:27,240
It is not content they should not technically access, but rather content they did not realize

207
00:10:27,240 --> 00:10:29,560
was inside their reachable world.

208
00:10:29,560 --> 00:10:30,880
That gap is the real signal.

209
00:10:30,880 --> 00:10:32,880
It tells you the issue is not intelligence.

210
00:10:32,880 --> 00:10:34,320
It is exposure at scale.

211
00:10:34,320 --> 00:10:36,560
The business consequence is bigger than security.

212
00:10:36,560 --> 00:10:40,000
Once this happens a few times, trust gets hit from both sides because cautious leaders

213
00:10:40,000 --> 00:10:44,000
pull back while enthusiastic leaders keep pushing for productivity.

214
00:10:44,000 --> 00:10:48,080
Admin teams get stuck in the middle trying to explain that the tool is obeying the rules,

215
00:10:48,080 --> 00:10:51,920
while everyone else is reacting to the fact that the rules produce the bad outcome.

216
00:10:51,920 --> 00:10:54,120
This is where most organizations lose the plot.

217
00:10:54,120 --> 00:10:58,480
They start arguing about whether co-pilot is trustworthy, when the real question is whether

218
00:10:58,480 --> 00:11:01,480
the information architecture underneath it is trustworthy.

219
00:11:01,480 --> 00:11:02,960
That is the architectural truth here.

220
00:11:02,960 --> 00:11:08,000
The AI is not inventing a new business reality, but it is accelerating the existing one,

221
00:11:08,000 --> 00:11:09,640
until people can no longer ignore it.

222
00:11:09,640 --> 00:11:12,000
I have seen this land in rooms very fast.

223
00:11:12,000 --> 00:11:16,560
One surprising answer can undo months of rollout confidence because leaders suddenly realize

224
00:11:16,560 --> 00:11:19,840
they were measuring readiness through licensing and adoption signals.

225
00:11:19,840 --> 00:11:23,960
They ignored the fact that the real dependency was data exposure readiness all along.

226
00:11:23,960 --> 00:11:27,720
So if co-pilot starts answering the wrong questions correctly, do not treat that as a strange

227
00:11:27,720 --> 00:11:29,800
edge case, treat it as a diagnostic event.

228
00:11:29,800 --> 00:11:32,200
The system is telling you something true about itself.

229
00:11:32,200 --> 00:11:35,840
And the first instinct of course is to tighten rules everywhere at once, but that usually

230
00:11:35,840 --> 00:11:38,320
creates the second failure.

231
00:11:38,320 --> 00:11:39,800
Failure pattern 2.

232
00:11:39,800 --> 00:11:43,800
The second failure pattern is more political, but it is just as predictable as the first.

233
00:11:43,800 --> 00:11:47,800
When governance slows down the pace of work, the business quietly removes it.

234
00:11:47,800 --> 00:11:52,200
This doesn't happen through an open rebellion or some dramatic anti-IT movement, but rather

235
00:11:52,200 --> 00:11:55,600
through the steady normal pressure of daily operations.

236
00:11:55,600 --> 00:12:01,000
A team needs to move on a project, a client deadline gets closer, or a cross-functional task

237
00:12:01,000 --> 00:12:03,200
starts today, instead of next week.

238
00:12:03,200 --> 00:12:07,200
When these moments hit, the people inside the system look at the two parts in front of

239
00:12:07,200 --> 00:12:10,920
them and make a choice.

240
00:12:10,920 --> 00:12:14,920
One path is official, it involves filling out forms, waiting for approvals, checking naming

241
00:12:14,920 --> 00:12:19,440
conventions, and validating ownership while someone in the central office reviews the request.

242
00:12:19,440 --> 00:12:20,920
The other path is unofficial.

243
00:12:20,920 --> 00:12:24,920
It starts with a quick chat leads to reusing an old workspace for the wrong purpose, and

244
00:12:24,920 --> 00:12:29,000
ends with files sitting in a personal one-drive folder, or a side channel that nobody wants

245
00:12:29,000 --> 00:12:30,000
to admit exists.

246
00:12:30,000 --> 00:12:31,000
And which path wins?

247
00:12:31,000 --> 00:12:32,640
Usually it is the one that respects time.

248
00:12:32,640 --> 00:12:36,360
This is where a lot of governance language becomes completely detached from business reality.

249
00:12:36,360 --> 00:12:40,440
Leaders often say they want controlled collaboration, which sounds fine in a meeting, but if controlled

250
00:12:40,440 --> 00:12:44,800
collaboration takes three days while the uncontrolled version takes three minutes, the real

251
00:12:44,800 --> 00:12:46,360
policy becomes obvious.

252
00:12:46,360 --> 00:12:50,280
The organization has structurally rewarded the bypass, and that is the part people rarely

253
00:12:50,280 --> 00:12:51,520
want to say out loud.

254
00:12:51,520 --> 00:12:54,880
From a governance perspective, this looks like the business is being irresponsible, but

255
00:12:54,880 --> 00:12:57,720
from a business perspective, the system is being unreasonable.

256
00:12:57,720 --> 00:13:01,680
If you force people to choose between hitting their delivery targets and following a slow

257
00:13:01,680 --> 00:13:06,160
process, often enough they will eventually stop treating that process as something real.

258
00:13:06,160 --> 00:13:10,280
This explains why so many governance programs look strong during the launch month, but fall

259
00:13:10,280 --> 00:13:11,880
apart by month three.

260
00:13:11,880 --> 00:13:16,480
At the start, attention is high, and stakeholders are engaged, so people are willing to try

261
00:13:16,480 --> 00:13:20,360
the official route because there is still plenty of goodwill and optimism in the air.

262
00:13:20,360 --> 00:13:21,880
Then the friction starts to accumulate.

263
00:13:21,880 --> 00:13:26,360
A request gets stuck in a queue, an approval sits with the wrong person, or a template simply

264
00:13:26,360 --> 00:13:28,000
doesn't fit the actual use case.

265
00:13:28,000 --> 00:13:31,280
Someone needs an exception because they don't know who owns the next step, and slowly but

266
00:13:31,280 --> 00:13:35,560
surely the business learns exactly what the official process actually costs in time and

267
00:13:35,560 --> 00:13:36,560
energy.

268
00:13:36,560 --> 00:13:37,840
This is where the week 12 store shows up.

269
00:13:37,840 --> 00:13:42,040
On paper, your governance is live and active, but in practice, an exception culture has already

270
00:13:42,040 --> 00:13:43,520
taken over the office.

271
00:13:43,520 --> 00:13:49,360
Research into co-pilot and Microsoft 365 rollouts shows the same pattern over and over again.

272
00:13:49,360 --> 00:13:53,520
Deployments often store between weeks, six and twelve, when governance is treated as a one-time

273
00:13:53,520 --> 00:13:56,400
launch event instead of a living operating model.

274
00:13:56,400 --> 00:14:01,240
As energy fades and tolerance drops, work keeps moving, which means those unofficial

275
00:14:01,240 --> 00:14:03,880
workarounds become the stable, permanent patterns.

276
00:14:03,880 --> 00:14:07,320
Events that happens, governance doesn't just disappear, it gets designed out.

277
00:14:07,320 --> 00:14:11,080
That phrase is important because the business usually isn't rejecting the idea of control

278
00:14:11,080 --> 00:14:12,080
itself.

279
00:14:12,080 --> 00:14:16,000
It rejects control that behaves like a delay, it rejects unclear accountability, and

280
00:14:16,000 --> 00:14:19,080
it rejects governance that arrives as an interruption instead of a help.

281
00:14:19,080 --> 00:14:22,520
People stop asking for permission in the way the framework expected and start solving for

282
00:14:22,520 --> 00:14:23,520
momentum instead.

283
00:14:23,520 --> 00:14:27,760
I once saw this in an environment where creating a new team was tightly controlled through

284
00:14:27,760 --> 00:14:29,120
a central approval process.

285
00:14:29,120 --> 00:14:33,360
The intent made perfect sense because they wanted naming consistency, clear ownership,

286
00:14:33,360 --> 00:14:36,560
and a lot of the internal compliance, but the provisioning flow took days for an activity

287
00:14:36,560 --> 00:14:38,760
that needed to start the same afternoon.

288
00:14:38,760 --> 00:14:43,280
The result was that existing teams were repurposed, files moved into the wrong spaces and external

289
00:14:43,280 --> 00:14:47,440
channels emerged while the formal control model remained intact as an empty shell.

290
00:14:47,440 --> 00:14:49,320
That is a dangerous illusion for any leader.

291
00:14:49,320 --> 00:14:53,600
You can point to the policy and say governance exists, but meanwhile the real collaboration

292
00:14:53,600 --> 00:14:55,800
system has already moved somewhere else.

293
00:14:55,800 --> 00:14:58,240
There is also a major measurement problem here.

294
00:14:58,240 --> 00:15:02,240
Many organizations track whether standards were defined or whether workflows were implemented,

295
00:15:02,240 --> 00:15:06,520
they fail to track whether people actually use the govern path when the pressure is high.

296
00:15:06,520 --> 00:15:10,400
The first metric gives you audit comfort, but the second one tells you whether your system

297
00:15:10,400 --> 00:15:12,840
can actually survive contact with real work.

298
00:15:12,840 --> 00:15:16,320
If you remember nothing else from this section, remember this.

299
00:15:16,320 --> 00:15:19,720
Governance that slows the business will be redesigned by the business with or without

300
00:15:19,720 --> 00:15:20,720
your approval.

301
00:15:20,720 --> 00:15:23,560
That redesign won't happen in an architecture review meeting.

302
00:15:23,560 --> 00:15:25,080
It will happen through daily behavior.

303
00:15:25,080 --> 00:15:29,560
It starts with one shared link, one unofficial app, or one reused workspace that never gets

304
00:15:29,560 --> 00:15:30,560
cleaned up.

305
00:15:30,560 --> 00:15:34,160
Then it happens again and again until you have a formally governed environment sitting on

306
00:15:34,160 --> 00:15:35,840
top of an operational reality.

307
00:15:35,840 --> 00:15:36,840
It no longer controls.

308
00:15:36,840 --> 00:15:39,080
The lesson here isn't that governance should go away.

309
00:15:39,080 --> 00:15:42,920
It's that governance has to compete on speed, clarity and usability inside the workflow

310
00:15:42,920 --> 00:15:46,480
itself, or the business will simply build a structural compensation around it.

311
00:15:46,480 --> 00:15:49,240
Once you see that, the next point becomes even more important.

312
00:15:49,240 --> 00:15:52,200
Why people bypass governance without trying to be reckless?

313
00:15:52,200 --> 00:15:56,000
This is where a lot of governance conversations go wrong because they become moral far too

314
00:15:56,000 --> 00:15:57,000
quickly.

315
00:15:57,000 --> 00:16:01,960
Someone uses an unsanctioned app or stores a file in the wrong place, and the immediate instinct

316
00:16:01,960 --> 00:16:05,520
is to describe that person as careless or undisciplined.

317
00:16:05,520 --> 00:16:08,120
Sometimes that is true, but most of the time it is something else entirely.

318
00:16:08,120 --> 00:16:10,360
It's structural compensation.

319
00:16:10,360 --> 00:16:14,160
Busy professionals don't wake up in the morning thinking about how to undermine the IT

320
00:16:14,160 --> 00:16:15,160
department.

321
00:16:15,160 --> 00:16:18,200
They are just trying to get their work done inside a system that keeps sending them signals

322
00:16:18,200 --> 00:16:19,600
about what matters most.

323
00:16:19,600 --> 00:16:23,760
If the system signals that speed is the priority, they optimize for speed, and if the signal is

324
00:16:23,760 --> 00:16:27,480
delivery under pressure, they will build a way around anything that slows them down.

325
00:16:27,480 --> 00:16:28,480
That isn't a character flaw.

326
00:16:28,480 --> 00:16:29,960
It's a system outcome.

327
00:16:29,960 --> 00:16:33,640
In most organizations, the people inside the system are already balancing too many moving

328
00:16:33,640 --> 00:16:36,600
parts like meetings, clients and internal politics.

329
00:16:36,600 --> 00:16:40,520
When governance arrives as an extra set of rules and forms to interpret, it becomes

330
00:16:40,520 --> 00:16:44,200
just one more thing that has to be understood before any real action can happen.

331
00:16:44,200 --> 00:16:47,880
Naturally, people look for the shortest path that feels safe enough to keep moving.

332
00:16:47,880 --> 00:16:51,720
This is exactly how shadow IT and shadow AI grow, not because people hate the idea of

333
00:16:51,720 --> 00:16:55,920
control, but because the govern path keeps asking them to slow down and translate their intent

334
00:16:55,920 --> 00:16:57,240
into bureaucracy.

335
00:16:57,240 --> 00:17:01,320
The thing most people miss is that bypass behavior is often taught by the system itself.

336
00:17:01,320 --> 00:17:05,360
If a team takes three days to provision, the system is teaching people to reuse old ones,

337
00:17:05,360 --> 00:17:09,320
and if external sharing is unclear, the system is teaching them to use side channels.

338
00:17:09,320 --> 00:17:13,720
When official tools feel harder to use than consumer tools, the system is actively teaching

339
00:17:13,720 --> 00:17:15,680
people to drift away from the standard.

340
00:17:15,680 --> 00:17:20,000
Once people learn that lesson a few times, they stop seeing governance as a part of their

341
00:17:20,000 --> 00:17:23,520
work and start seeing it as an obstacle they have to "root around".

342
00:17:23,520 --> 00:17:27,520
That is a serious shift because at that point, non-compliance is no longer an exception.

343
00:17:27,520 --> 00:17:30,360
It has become the standard operating pattern under pressure.

344
00:17:30,360 --> 00:17:32,640
There is solid research behind this as well.

345
00:17:32,640 --> 00:17:37,000
In many environments, about 80% of employees use non-sanctioned apps when the official

346
00:17:37,000 --> 00:17:38,560
paths fail to meet their needs.

347
00:17:38,560 --> 00:17:42,440
That number is important because it proves the behavior is normal, and widespread bypass

348
00:17:42,440 --> 00:17:44,760
at that scale is not a people problem.

349
00:17:44,760 --> 00:17:46,360
It is a design signal.

350
00:17:46,360 --> 00:17:48,720
People generally do what the environment rewards.

351
00:17:48,720 --> 00:17:51,960
If the environment rewards completion and speed, then anything that delivers those results

352
00:17:51,960 --> 00:17:55,960
with less friction is going to win, even if it introduces risk or sits outside the official

353
00:17:55,960 --> 00:17:56,960
policy.

354
00:17:56,960 --> 00:18:00,440
This is where leaders need to stop blaming individuals and start reading the patterns.

355
00:18:00,440 --> 00:18:04,920
A manager who shares a file through the wrong channel or a project lead who spins up an unofficial

356
00:18:04,920 --> 00:18:07,600
workspace isn't necessarily rejecting compliance.

357
00:18:07,600 --> 00:18:11,760
They are likely just compensating for a system that made the governed root too slow or too

358
00:18:11,760 --> 00:18:14,320
disconnected from the pace of their actual work.

359
00:18:14,320 --> 00:18:16,560
That distinction changes your response completely.

360
00:18:16,560 --> 00:18:20,280
If you frame a bypass as bad behavior you reach for enforcement, but if you frame it as

361
00:18:20,280 --> 00:18:23,240
structural compensation, you reach for a redesign.

362
00:18:23,240 --> 00:18:24,920
Redesign is almost always the right move.

363
00:18:24,920 --> 00:18:26,400
You don't need softer governance.

364
00:18:26,400 --> 00:18:29,600
You need stronger governance that works through better mechanics.

365
00:18:29,600 --> 00:18:34,160
This means making the approved path faster, making ownership visible, and building controls

366
00:18:34,160 --> 00:18:37,920
into the defaults so you can remove the handoffs that create delay.

367
00:18:37,920 --> 00:18:41,800
If you don't make those changes, the business will keep solving the problem in its own way.

368
00:18:41,800 --> 00:18:45,440
And from their perspective, that solution will feel completely rational.

369
00:18:45,440 --> 00:18:50,640
When you map that to how we work today, inside Microsoft 365 you see an environment that is

370
00:18:50,640 --> 00:18:55,440
broad and powerful, but also full of places where friction can push people toward the exit.

371
00:18:55,440 --> 00:18:59,160
This is exactly why the next failure pattern matters so much.

372
00:18:59,160 --> 00:19:00,440
Failure pattern 3.

373
00:19:00,440 --> 00:19:04,080
Governance is usually built as documentation, not as an operating system.

374
00:19:04,080 --> 00:19:07,560
The third failure pattern sits right underneath the first two and it's arguably the most

375
00:19:07,560 --> 00:19:11,320
dangerous because it feels like you've done the work when you actually haven't.

376
00:19:11,320 --> 00:19:15,920
This governance is built as documentation rather than an operating system and while that sounds

377
00:19:15,920 --> 00:19:18,760
like a small distinction, it changes every single outcome.

378
00:19:18,760 --> 00:19:22,320
Documentation tells people what should happen in a perfect world, but an operating system

379
00:19:22,320 --> 00:19:24,920
actually shapes what does happen when things get busy.

380
00:19:24,920 --> 00:19:26,280
That is the gap we have to close.

381
00:19:26,280 --> 00:19:31,200
A lot of governance work still lives inside slide decks, policies, decision trees, and ownership

382
00:19:31,200 --> 00:19:32,840
charts that nobody looks at twice.

383
00:19:32,840 --> 00:19:36,120
None of that is useless because intent and definitions matter and you certainly need

384
00:19:36,120 --> 00:19:40,400
a shared language for things like retention, access, and external sharing.

385
00:19:40,400 --> 00:19:43,600
For those foundations, your governance has no direction at all, but we have to remember

386
00:19:43,600 --> 00:19:45,960
that direction is not the same thing as execution.

387
00:19:45,960 --> 00:19:49,200
I've seen plenty of organizations with detailed governance packs that looked incredibly

388
00:19:49,200 --> 00:19:52,320
mature in a steering committee but fell apart in daily work.

389
00:19:52,320 --> 00:19:56,080
The naming standards and approval points existed on paper, the roles were mapped out and if

390
00:19:56,080 --> 00:19:59,080
you just looked at the documents, everything felt complete.

391
00:19:59,080 --> 00:20:02,680
Then you looked at the actual behavior of the system and saw a completely different story.

392
00:20:02,680 --> 00:20:07,040
You'd find sites with no real owner and teams created for one purpose but used for another

393
00:20:07,040 --> 00:20:08,040
entirely.

394
00:20:08,040 --> 00:20:13,080
Investigative files were stored in spaces with broad inherited access and life cycle reviews

395
00:20:13,080 --> 00:20:16,800
only existed in theory rather than as a regular rhythm.

396
00:20:16,800 --> 00:20:20,640
Exceptions were approved once and then forgotten, while power platform environments were treated

397
00:20:20,640 --> 00:20:24,080
like random containers instead of the bounded zones they were meant to be.

398
00:20:24,080 --> 00:20:27,680
The organization believes it has governance because it has described governance but description

399
00:20:27,680 --> 00:20:28,680
is not control.

400
00:20:28,680 --> 00:20:30,400
Let's make this practical for a second.

401
00:20:30,400 --> 00:20:34,280
If your policy says project work spaces must have named ownership and standard templates

402
00:20:34,280 --> 00:20:36,800
that sounds fine but where does that logic actually live?

403
00:20:36,800 --> 00:20:40,520
Does it live in the provisioning flow, the automated checks or the access reviews that happen as

404
00:20:40,520 --> 00:20:42,000
part of normal operations?

405
00:20:42,000 --> 00:20:46,600
Or does it live in a PDF and an approval form that someone has to manually remember to enforce

406
00:20:46,600 --> 00:20:47,600
every single time?

407
00:20:47,600 --> 00:20:50,720
Because if it's the second one, your governance is fragile.

408
00:20:50,720 --> 00:20:55,240
From a system perspective, a governance framework without embedded mechanics is a single

409
00:20:55,240 --> 00:20:56,240
point of failure.

410
00:20:56,240 --> 00:20:59,840
It depends on people reading, remembering and manually applying rules while they are already

411
00:20:59,840 --> 00:21:00,840
under immense pressure.

412
00:21:00,840 --> 00:21:04,960
That's not strong control, it's structural hope and hope is not a strategy that scales.

413
00:21:04,960 --> 00:21:09,160
This is why so many organizations have a strange split between audit, confidence and operational

414
00:21:09,160 --> 00:21:10,160
weakness.

415
00:21:10,160 --> 00:21:14,320
On paper their maturity looks high because there are standards and documented controls but

416
00:21:14,320 --> 00:21:16,520
in reality compliance is inconsistent.

417
00:21:16,520 --> 00:21:20,600
The system keeps asking humans to compensate for what the environment itself never made easy

418
00:21:20,600 --> 00:21:23,680
and the reason this works so badly is actually very simple.

419
00:21:23,680 --> 00:21:26,320
Policies describe intent but systems produce outcomes.

420
00:21:26,320 --> 00:21:30,160
If those two things are not tightly connected, behavior starts to drift and drift is exactly

421
00:21:30,160 --> 00:21:33,440
what Microsoft 365 environments are good at producing.

422
00:21:33,440 --> 00:21:37,640
You end up with too many spaces, too many inherited permissions and too many workarounds happening

423
00:21:37,640 --> 00:21:40,520
across teams, sharepoint and the power platform.

424
00:21:40,520 --> 00:21:45,080
There are simply too many changes for static documentation to hold the line by itself, especially

425
00:21:45,080 --> 00:21:47,240
as we add co-pilot and agents into the mix.

426
00:21:47,240 --> 00:21:50,520
So when leaders tell me they already have governance, the question I always want to ask is

427
00:21:50,520 --> 00:21:51,800
where does it actually live?

428
00:21:51,800 --> 00:21:55,640
Does it live inside the workflow, the defaults and the automated boundaries or does it mostly

429
00:21:55,640 --> 00:21:59,800
live in documents that people stop reading the moment delivery pressure rises?

430
00:21:59,800 --> 00:22:03,720
But question matters more now because AI speeds up the cost of weak mechanics.

431
00:22:03,720 --> 00:22:07,440
If governance is manual and dependent on human interpretation, then co-pilot doesn't

432
00:22:07,440 --> 00:22:11,520
just pressure your model, it exposes the fact that there was no real operating system underneath

433
00:22:11,520 --> 00:22:12,520
it.

434
00:22:12,520 --> 00:22:16,320
A governance framework is not the same as a governed environment and once you see it as

435
00:22:16,320 --> 00:22:21,040
a system of embedded mechanics instead of a library of policies, the path forward becomes

436
00:22:21,040 --> 00:22:22,360
much clearer.

437
00:22:22,360 --> 00:22:24,840
The core model intends mechanics behavior.

438
00:22:24,840 --> 00:22:28,360
I want you to hold on to this model because once you see governance through this lens,

439
00:22:28,360 --> 00:22:30,040
the confusion starts to clear up.

440
00:22:30,040 --> 00:22:33,800
There are really three layers, intent, mechanics and behavior.

441
00:22:33,800 --> 00:22:37,680
And governance breaks the moment those three layers start to drift apart.

442
00:22:37,680 --> 00:22:39,000
Let's start with intent.

443
00:22:39,000 --> 00:22:42,520
Intent is what the organization wants representing the policy layer, the risk posture and the

444
00:22:42,520 --> 00:22:43,920
compliance obligations.

445
00:22:43,920 --> 00:22:47,600
This is where leaders usually spend most of their energy because defining who should access

446
00:22:47,600 --> 00:22:51,480
what and how long content should live feels responsible and visible.

447
00:22:51,480 --> 00:22:55,880
It can be signed off and shown to auditors, which is important, but intent alone doesn't

448
00:22:55,880 --> 00:22:57,360
actually govern anything.

449
00:22:57,360 --> 00:23:01,360
It is the declaration of a desired state, not the delivery mechanism that makes it happen.

450
00:23:01,360 --> 00:23:03,920
Now let's look at the second layer, mechanics.

451
00:23:03,920 --> 00:23:07,080
Mechanics are where governance becomes real because this is the operational layer where

452
00:23:07,080 --> 00:23:09,360
policy translates into system behavior.

453
00:23:09,360 --> 00:23:13,560
We're talking about labels, access models, provisioning logic and the automated checks that

454
00:23:13,560 --> 00:23:16,840
decide what happens when nobody is in the room to explain the policy.

455
00:23:16,840 --> 00:23:21,120
If your governance only works when a specialist is present to interpret it, then the system

456
00:23:21,120 --> 00:23:22,680
is fundamentally weak.

457
00:23:22,680 --> 00:23:26,360
Strong governance survives ordinary work and high pressure deadlines because the environment

458
00:23:26,360 --> 00:23:29,200
itself keeps pulling people back toward the intended path.

459
00:23:29,200 --> 00:23:31,400
It shouldn't require a hero to stay compliant.

460
00:23:31,400 --> 00:23:33,480
It should be the path of least resistance.

461
00:23:33,480 --> 00:23:35,960
Then we get to the third layer, which is behavior.

462
00:23:35,960 --> 00:23:39,680
Behavior is what people actually do when deadlines are real and the approved process collides

463
00:23:39,680 --> 00:23:41,000
with the urgent need to move.

464
00:23:41,000 --> 00:23:44,440
If it's not what people say they'll do in a workshop or what the framework assumes they'll

465
00:23:44,440 --> 00:23:45,440
do on a good day.

466
00:23:45,440 --> 00:23:49,360
It's what happens on a Tuesday afternoon when a project has to start immediately, and

467
00:23:49,360 --> 00:23:52,240
this is where governance usually gets exposed.

468
00:23:52,240 --> 00:23:55,920
Most organizations do not fail at intent and many do not even fail at mechanics completely

469
00:23:55,920 --> 00:23:57,960
but they almost always fail at alignment.

470
00:23:57,960 --> 00:24:01,240
The policy says one thing, the platform allows another and the people under pressure do

471
00:24:01,240 --> 00:24:02,240
a third.

472
00:24:02,240 --> 00:24:03,960
That gap is where governance stops being real.

473
00:24:03,960 --> 00:24:05,680
Let me show you exactly how this plays out.

474
00:24:05,680 --> 00:24:09,200
An organization says every team should have clear ownership and a life cycle, which is

475
00:24:09,200 --> 00:24:12,320
great intent, but then the mechanics are only partially built.

476
00:24:12,320 --> 00:24:16,440
Maybe there's an approval form or a policy page, but if provisioning takes too long and

477
00:24:16,440 --> 00:24:21,160
the reviews are manual behavior will adapt, people will reuse old teams or create things

478
00:24:21,160 --> 00:24:23,320
outside the standard just to save time.

479
00:24:23,320 --> 00:24:25,720
Now, what is the real policy in that scenario?

480
00:24:25,720 --> 00:24:29,800
It isn't the documented one, the real policy is whatever the system rewards.

481
00:24:29,800 --> 00:24:34,200
If bypassing the rules takes two clicks and staying compliant takes ten steps, the bypass

482
00:24:34,200 --> 00:24:35,200
is your real policy.

483
00:24:35,200 --> 00:24:36,520
That's not being cynical.

484
00:24:36,520 --> 00:24:39,040
It's an architectural truth that we have to acknowledge.

485
00:24:39,040 --> 00:24:42,960
Once leaders understand this saying, we have a policy, starts to sound incomplete because

486
00:24:42,960 --> 00:24:47,520
it only describes intent without addressing whether the system reliably shapes behavior.

487
00:24:47,520 --> 00:24:51,080
Does the system produce the behavior you need or does it produce structural compensation

488
00:24:51,080 --> 00:24:53,000
around the controls you thought were enough?

489
00:24:53,000 --> 00:24:56,560
This clicked for me when I stopped looking at governance as a compliance artifact and

490
00:24:56,560 --> 00:24:59,040
started seeing it as a behavioral design problem.

491
00:24:59,040 --> 00:25:03,800
If people keep bypassing your controls, the issue isn't that they miss the memo, it's

492
00:25:03,800 --> 00:25:07,640
that the environment made the bypass the only rational choice.

493
00:25:07,640 --> 00:25:12,040
If you remember nothing else, remember that governance does not fail because of missing

494
00:25:12,040 --> 00:25:13,040
rules.

495
00:25:13,040 --> 00:25:15,960
It fails because the system does not shape behavior.

496
00:25:15,960 --> 00:25:18,640
Intent without mechanics is just aspiration.

497
00:25:18,640 --> 00:25:21,720
And mechanics without behavioral fit only create friction.

498
00:25:21,720 --> 00:25:25,800
If you want structural resilience in this new AI landscape, those three layers have to

499
00:25:25,800 --> 00:25:27,440
reinforce each other.

500
00:25:27,440 --> 00:25:32,440
Otherwise the platform will just keep scaling exactly what your architecture already allows.

501
00:25:32,440 --> 00:25:36,000
Why more policy usually makes the system more fragile?

502
00:25:36,000 --> 00:25:41,240
Once leaders understand that governance is a system of intent, mechanics and behavior.

503
00:25:41,240 --> 00:25:43,860
The next trap becomes much easier to spot.

504
00:25:43,860 --> 00:25:47,280
It is the reflex to add more policy every time the system underperforms.

505
00:25:47,280 --> 00:25:51,000
A team bypass is the approved path, so another rule gets written.

506
00:25:51,000 --> 00:25:55,320
A copilot response exposes weak access controls, so another review layer gets added.

507
00:25:55,320 --> 00:25:58,080
A sharing problem appears, so approval chains get longer.

508
00:25:58,080 --> 00:26:01,120
A compliance concern shows up, so documentation expands.

509
00:26:01,120 --> 00:26:05,200
From the outside that looks responsible, but here's the thing, more policy does not automatically

510
00:26:05,200 --> 00:26:06,440
create more control.

511
00:26:06,440 --> 00:26:09,200
And in many organizations, it actually creates the opposite.

512
00:26:09,200 --> 00:26:13,080
It adds complexity without adding structural compensation.

513
00:26:13,080 --> 00:26:17,320
When complexity rises faster than usability, the system becomes more fragile rather than

514
00:26:17,320 --> 00:26:18,480
more resilient.

515
00:26:18,480 --> 00:26:19,480
And why is that?

516
00:26:19,480 --> 00:26:23,280
Because every extra rule creates one more interpretation point, one more handoff and

517
00:26:23,280 --> 00:26:24,280
one more delay.

518
00:26:24,280 --> 00:26:28,280
It creates one more place where a busy person has to stop, decode intent and decide whether

519
00:26:28,280 --> 00:26:31,040
following the official path is actually worth their time.

520
00:26:31,040 --> 00:26:32,200
That cost matters.

521
00:26:32,200 --> 00:26:36,980
This is especially true in Microsoft 365, where the platform changes constantly and collaboration

522
00:26:36,980 --> 00:26:37,980
moves fast.

523
00:26:37,980 --> 00:26:42,640
New features, permissions, agents and connectors keep shifting the operational surface, which

524
00:26:42,640 --> 00:26:46,560
means static policy stacks decay quickly in an environment like that.

525
00:26:46,560 --> 00:26:50,480
It's not that policy has no value, but when it sits above the workflow instead of inside

526
00:26:50,480 --> 00:26:53,240
it, the whole structure becomes brittle under change.

527
00:26:53,240 --> 00:26:56,520
This is where leaders often confuse strictness with strength.

528
00:26:56,520 --> 00:26:59,960
Strictness feels like control because it sounds serious, but strength is different.

529
00:26:59,960 --> 00:27:03,320
Strength means the environment keeps producing the behavior you need without depending on

530
00:27:03,320 --> 00:27:04,840
constant human correction.

531
00:27:04,840 --> 00:27:08,960
If the only answer to drift is more documentation, the system is already weak, let me make that

532
00:27:08,960 --> 00:27:09,960
practical.

533
00:27:09,960 --> 00:27:13,360
Say you discover people are creating workspaces outside the approved process.

534
00:27:13,360 --> 00:27:17,480
A common response is to tighten approvals, add mandatory fields and centralize decisions

535
00:27:17,480 --> 00:27:18,480
even further.

536
00:27:18,480 --> 00:27:22,600
But if the original problem was friction, that response usually increases the incentive

537
00:27:22,600 --> 00:27:24,160
to avoid the official path.

538
00:27:24,160 --> 00:27:28,880
The organization feels safer because the formal rules got tighter while actual visibility

539
00:27:28,880 --> 00:27:32,480
gets worse because more work moves outside the govern structure.

540
00:27:32,480 --> 00:27:33,480
That is fragility.

541
00:27:33,480 --> 00:27:36,600
The stricter the form, the more attractive the work around becomes.

542
00:27:36,600 --> 00:27:39,880
The more approvals you add, the more valuable unofficial speed becomes.

543
00:27:39,880 --> 00:27:43,680
When governance behaves like an interruption, the business invests its energy into avoiding

544
00:27:43,680 --> 00:27:44,680
it.

545
00:27:44,680 --> 00:27:47,960
So what looked like risk reduction becomes risk displacement.

546
00:27:47,960 --> 00:27:51,680
And that is a much harder problem to manage because once activity moves outside the path

547
00:27:51,680 --> 00:27:56,180
you control, you don't just lose compliance, you lose observability, you lose consistent

548
00:27:56,180 --> 00:28:00,360
records and the ability to understand where data lives, how decisions were made, who

549
00:28:00,360 --> 00:28:02,400
has access and what should be retained.

550
00:28:02,400 --> 00:28:06,560
This is why I keep saying cloud governance is not just a compliance topic, it's a performance

551
00:28:06,560 --> 00:28:07,560
topic.

552
00:28:07,560 --> 00:28:11,360
The control model makes normal work harder, the business pays for that in slower delivery

553
00:28:11,360 --> 00:28:15,400
fragmented collaboration and a growing dependence on exceptions.

554
00:28:15,400 --> 00:28:20,160
That cost rarely shows up cleanly in one dashboard, but it shows up everywhere in the operating

555
00:28:20,160 --> 00:28:21,160
model.

556
00:28:21,160 --> 00:28:25,640
And AI makes this even sharper, every weak permission model, every unclear ownership boundary

557
00:28:25,640 --> 00:28:29,720
and every overshared space gets pushed harder by a system that accelerates discovery and

558
00:28:29,720 --> 00:28:30,720
action.

559
00:28:30,720 --> 00:28:34,800
When leaders react to AI pressure by writing more policy instead of redesigning mechanics,

560
00:28:34,800 --> 00:28:38,280
they increase the distance between governance, language and business reality.

561
00:28:38,280 --> 00:28:39,800
That's the real danger.

562
00:28:39,800 --> 00:28:44,200
More policy can make leaders feel covered while making the organization less governable.

563
00:28:44,200 --> 00:28:46,920
If you remember nothing else here, remember this.

564
00:28:46,920 --> 00:28:49,960
Complexity without structural compensation always leaks.

565
00:28:49,960 --> 00:28:54,240
It leaks into bypass behavior, shadow tools, exceptions and a loss of trust.

566
00:28:54,240 --> 00:28:56,920
So the question is not whether you need policy, you do.

567
00:28:56,920 --> 00:29:00,880
The question is whether your next control actually reduces ambiguity and embed safer behavior

568
00:29:00,880 --> 00:29:05,080
or whether it simply adds weight to a system that is already struggling to hold, because if

569
00:29:05,080 --> 00:29:09,440
the answer is "weight" not design, then what your building is not stronger governance, it

570
00:29:09,440 --> 00:29:12,200
is more elegant fragility.

571
00:29:12,200 --> 00:29:15,320
Case study, the global firm that over engineered governance.

572
00:29:15,320 --> 00:29:18,520
Let me ground this in a case because this pattern becomes much easier to see when it

573
00:29:18,520 --> 00:29:20,680
stops sounding theoretical.

574
00:29:20,680 --> 00:29:24,200
I worked with a global professional services firm with more than 8,000 people.

575
00:29:24,200 --> 00:29:28,200
They operated in a highly regulated environment with a strong compliance culture and a serious

576
00:29:28,200 --> 00:29:29,200
leadership team.

577
00:29:29,200 --> 00:29:31,760
This was not an organization ignoring risk.

578
00:29:31,760 --> 00:29:35,640
If anything, they were trying harder than most to prove they were in control and on paper

579
00:29:35,640 --> 00:29:36,640
they were.

580
00:29:36,640 --> 00:29:40,040
They had a detailed governance framework for Microsoft 365 collaboration where naming

581
00:29:40,040 --> 00:29:43,280
conventions were defined and classification models were mapped.

582
00:29:43,280 --> 00:29:47,600
Approval workflows were documented, workspace requests followed a formal path and ownership

583
00:29:47,600 --> 00:29:49,400
expectations were clear.

584
00:29:49,400 --> 00:29:54,120
There were responsible people in the room and security compliance and IT were all fully engaged.

585
00:29:54,120 --> 00:29:56,840
If you looked at the structure, it felt mature.

586
00:29:56,840 --> 00:30:00,800
But the experience of governance inside the business was something else entirely.

587
00:30:00,800 --> 00:30:05,040
Creating a normal collaboration workspace took between 5 and 10 days, just pause on that

588
00:30:05,040 --> 00:30:06,040
for a second.

589
00:30:06,040 --> 00:30:09,920
This wasn't for a high-risk regulated matter or some unusual exception.

590
00:30:09,920 --> 00:30:11,960
It was for normal business activity.

591
00:30:11,960 --> 00:30:16,200
A team starting a client engagement had to wait, a cross-functional group launching a project

592
00:30:16,200 --> 00:30:20,880
had to wait and a regional initiative that needed a shared space had to wait.

593
00:30:20,880 --> 00:30:22,520
During that wait, work did not pause.

594
00:30:22,520 --> 00:30:24,200
It moved.

595
00:30:24,200 --> 00:30:26,160
This is where the whole thing started to fracture.

596
00:30:26,160 --> 00:30:30,040
The formal process asked for completeness but the business needed responsiveness.

597
00:30:30,040 --> 00:30:34,640
So people adapted, some reused existing teams for work they were never meant to hold, while

598
00:30:34,640 --> 00:30:39,240
others stored files locally until the right workspace appeared and then forgot to move

599
00:30:39,240 --> 00:30:40,240
them properly.

600
00:30:40,240 --> 00:30:44,440
Some used external collaboration tools with less friction and others coordinated through

601
00:30:44,440 --> 00:30:49,640
email chains and side channels because that was faster than waiting for the official environment.

602
00:30:49,640 --> 00:30:53,760
Some asked a colleague with an existing space to just add us for now, which meant the

603
00:30:53,760 --> 00:30:58,360
access and ownership model drifted again and now you can probably see what happened next.

604
00:30:58,360 --> 00:31:02,400
The organization still had governance but the business had already started building around

605
00:31:02,400 --> 00:31:03,400
it.

606
00:31:03,400 --> 00:31:05,720
When we looked closer, the number was stark.

607
00:31:05,720 --> 00:31:10,160
About 70% of collaboration had moved outside the govern structures that leadership thought

608
00:31:10,160 --> 00:31:12,280
were protecting the environment.

609
00:31:12,280 --> 00:31:15,000
That's the part executives usually don't see soon enough.

610
00:31:15,000 --> 00:31:19,760
The official model still exists so it creates a sense of control while actual work has migrated

611
00:31:19,760 --> 00:31:22,280
into a different operating pattern entirely.

612
00:31:22,280 --> 00:31:26,680
From a system perspective that's not a minor adoption issue, it's an architectural failure.

613
00:31:26,680 --> 00:31:31,000
Because the design put control outside the flow of work instead of inside it, governance

614
00:31:31,000 --> 00:31:35,440
arrived as a checkpoint around collaboration rather than as part of collaboration.

615
00:31:35,440 --> 00:31:39,840
Every governed action felt like delay, while every work around felt like progress.

616
00:31:39,840 --> 00:31:40,840
And why is that?

617
00:31:40,840 --> 00:31:45,080
Because the system optimized for approval quality but ignored operating speed.

618
00:31:45,080 --> 00:31:47,360
That tradeoff matters more than most leaders think.

619
00:31:47,360 --> 00:31:50,480
In a fast moving business speed is not a luxury variable.

620
00:31:50,480 --> 00:31:52,840
It is part of the control environment.

621
00:31:52,840 --> 00:31:56,800
If your governance model cannot move at the pace of ordinary work, it trains the business

622
00:31:56,800 --> 00:31:58,960
to separate control from execution.

623
00:31:58,960 --> 00:32:00,320
That is exactly what happened here.

624
00:32:00,320 --> 00:32:01,400
The firm was not careless.

625
00:32:01,400 --> 00:32:04,560
The people inside it were not reckless and the governance team was not unserious.

626
00:32:04,560 --> 00:32:06,840
They were just solving for the wrong failure mode.

627
00:32:06,840 --> 00:32:10,680
They built the model as if the main risk was unmanaged creation but the bigger risk became

628
00:32:10,680 --> 00:32:11,680
unmanaged avoidance.

629
00:32:11,680 --> 00:32:13,240
That's the shift.

630
00:32:13,240 --> 00:32:17,280
When governance is so heavy that people avoid it, the organization has reduced formal

631
00:32:17,280 --> 00:32:19,720
variance while increasing hidden variance.

632
00:32:19,720 --> 00:32:23,640
You might have fewer approved spaces but you end up with more unofficial ones, more side

633
00:32:23,640 --> 00:32:25,800
channels and more fragmented records.

634
00:32:25,800 --> 00:32:29,560
More work happens in places that the governance model never intended to support.

635
00:32:29,560 --> 00:32:32,840
So the controls looked stronger while the environment got weaker.

636
00:32:32,840 --> 00:32:36,320
And this is why I keep pushing leaders to stop asking, do we have the policy?

637
00:32:36,320 --> 00:32:40,080
And start asking, does the workflow produce govern behavior under pressure?

638
00:32:40,080 --> 00:32:42,360
Because in this firm, the answer was clearly no.

639
00:32:42,360 --> 00:32:46,720
The framework was thoughtful, the intentions were good and the documentation was extensive.

640
00:32:46,720 --> 00:32:48,840
But the lived experience of governance was interruption.

641
00:32:48,840 --> 00:32:53,160
And once governance is experienced as interruption, the business does what business is always

642
00:32:53,160 --> 00:32:54,160
do.

643
00:32:54,160 --> 00:32:55,720
It roots around the interruption.

644
00:32:55,720 --> 00:32:56,960
That is the lesson in this case.

645
00:32:56,960 --> 00:33:00,800
It's not that strong control is wrong or that regulated environments should loosen everything.

646
00:33:00,800 --> 00:33:02,760
The lesson is simpler and more uncomfortable.

647
00:33:02,760 --> 00:33:06,360
If governance does not respect the operating speed of the business, the business will create

648
00:33:06,360 --> 00:33:11,320
its own parallel architecture and that parallel architecture is usually the real risk surface.

649
00:33:11,320 --> 00:33:12,960
What actually failed in that firm?

650
00:33:12,960 --> 00:33:14,680
So what actually failed in that firm?

651
00:33:14,680 --> 00:33:17,000
It wasn't a lack of seriousness or a lack of effort.

652
00:33:17,000 --> 00:33:21,200
They had policies in place and the technical capability of Microsoft 365 was sitting right

653
00:33:21,200 --> 00:33:22,960
there ready to be used.

654
00:33:22,960 --> 00:33:26,320
The failure wasn't about the tools or the intentions of the people involved.

655
00:33:26,320 --> 00:33:28,480
What failed was the architecture of control.

656
00:33:28,480 --> 00:33:32,560
The firm treated governance like a layer wrapped around work instead of a layer built inside

657
00:33:32,560 --> 00:33:33,560
work.

658
00:33:33,560 --> 00:33:37,880
And while that sounds like a subtle distinction, it changes the business outcome completely.

659
00:33:37,880 --> 00:33:42,840
Control was positioned as an external checkpoint that reviewed delayed and validated every move.

660
00:33:42,840 --> 00:33:46,520
It was never built into the specific moments where the business actually needed to move.

661
00:33:46,520 --> 00:33:50,880
That is the structural failure because when control sits outside the workflow, it competes

662
00:33:50,880 --> 00:33:55,360
with the workflow and once those two forces start to compete, the work usually wins.

663
00:33:55,360 --> 00:33:58,960
The governance team in that firm was trying to reduce risk, which is a fair goal, but the

664
00:33:58,960 --> 00:34:02,320
way they pursued it created a different risk pattern entirely.

665
00:34:02,320 --> 00:34:06,520
They concentrated authority in a central process and added manual review points to ensure

666
00:34:06,520 --> 00:34:09,800
every collaboration space met the standard before it even existed.

667
00:34:09,800 --> 00:34:13,400
From a policy perspective that looks like discipline, but from an operational perspective

668
00:34:13,400 --> 00:34:15,240
it created a single point of failure.

669
00:34:15,240 --> 00:34:18,560
A handful of people became the throughput limit for everyone else.

670
00:34:18,560 --> 00:34:20,080
That isn't resilience.

671
00:34:20,080 --> 00:34:21,680
That's fragility.

672
00:34:21,680 --> 00:34:23,240
And why is that?

673
00:34:23,240 --> 00:34:25,880
The business does not experience governance as a theory.

674
00:34:25,880 --> 00:34:29,440
It experiences it as elapsed time, waiting, and uncertainty.

675
00:34:29,440 --> 00:34:33,760
Even if the logic behind a policy is perfectly sound, the lived experience becomes negative

676
00:34:33,760 --> 00:34:36,520
if the mechanism doesn't respect operating speed.

677
00:34:36,520 --> 00:34:39,280
This is where leaders often miss the real breakdown.

678
00:34:39,280 --> 00:34:43,840
They see people avoiding the rules and conclude the business was simply unwilling to comply,

679
00:34:43,840 --> 00:34:47,800
but in this case the business was being asked to follow a process that didn't respect how

680
00:34:47,800 --> 00:34:50,000
work actually happened on the ground.

681
00:34:50,000 --> 00:34:54,320
Client work started fast, internal initiatives shifted fast, and cross functional teams

682
00:34:54,320 --> 00:34:57,920
formed fast, but the architecture around governance stayed slow.

683
00:34:57,920 --> 00:35:00,080
The environment produced a predictable split.

684
00:35:00,080 --> 00:35:03,160
Formal maturity lived on one side, behavioral drift lived on the other.

685
00:35:03,160 --> 00:35:06,720
That split is the real failure mode in many cloud governance programs today.

686
00:35:06,720 --> 00:35:10,760
The organization can still produce evidence of structure by showing standards, owners,

687
00:35:10,760 --> 00:35:15,720
and decision logs, but none of that tells you if governance is shaping daily behavior under

688
00:35:15,720 --> 00:35:16,720
pressure.

689
00:35:16,720 --> 00:35:17,720
In this firm it clearly wasn't.

690
00:35:17,720 --> 00:35:21,400
The system was generating policy avoidance while still reporting policy presence.

691
00:35:21,400 --> 00:35:22,400
That's why this matters.

692
00:35:22,400 --> 00:35:25,880
If you only look at the formal layer, you miss the operational truth, and the truth here

693
00:35:25,880 --> 00:35:30,320
was that governance was experienced as an interruption rather than an enablement.

694
00:35:30,320 --> 00:35:34,440
It asked the business to stop moving, so the control model could catch up, but the business

695
00:35:34,440 --> 00:35:38,400
was never going to do that consistently because too much depended on speed.

696
00:35:38,400 --> 00:35:39,760
So let's make the lesson precise.

697
00:35:39,760 --> 00:35:41,920
The problem wasn't that the firm lacked controls.

698
00:35:41,920 --> 00:35:44,560
The problem was that the controls depended on interruption.

699
00:35:44,560 --> 00:35:47,560
An interruption is a weak design pattern in cloud environments.

700
00:35:47,560 --> 00:35:52,240
This is especially true in Microsoft 365, where collaboration is fluid and the boundary

701
00:35:52,240 --> 00:35:55,200
between communication and content keeps collapsing.

702
00:35:55,200 --> 00:35:59,640
In that kind of environment, control has to sit closer to the act itself by shaping defaults

703
00:35:59,640 --> 00:36:02,320
and automating boundaries at the point of action.

704
00:36:02,320 --> 00:36:06,320
If it shows up later as a manual review, it becomes optional in practice even when it

705
00:36:06,320 --> 00:36:07,920
remains mandatory on paper.

706
00:36:07,920 --> 00:36:12,440
I would describe the failure in that firm as architectural before I'd call it procedural.

707
00:36:12,440 --> 00:36:13,440
Procedures were present.

708
00:36:13,440 --> 00:36:15,120
Architecture was weak.

709
00:36:15,120 --> 00:36:18,560
The business was left to bridge the gap manually, and we know that busy people do not bridge

710
00:36:18,560 --> 00:36:19,800
gaps in elegant ways.

711
00:36:19,800 --> 00:36:24,520
They bridge them with convenience, local decisions, and side channels that eventually become permanent

712
00:36:24,520 --> 00:36:25,520
patterns.

713
00:36:25,520 --> 00:36:29,840
Once that starts, governance fails, behaviorally, before it ever fails, technically.

714
00:36:29,840 --> 00:36:31,760
That sequence matters.

715
00:36:31,760 --> 00:36:36,200
First people stop using the intended path, then records fragment and ownership gets fuzzy,

716
00:36:36,200 --> 00:36:40,280
and eventually, the organization discovers its formal controls, no longer describe the

717
00:36:40,280 --> 00:36:41,600
real operating environment.

718
00:36:41,600 --> 00:36:45,280
By the time you realize what's happened, the issue is much harder to unwind.

719
00:36:45,280 --> 00:36:49,600
If you look at that firm and ask what failed, the answer isn't that they govern too much,

720
00:36:49,600 --> 00:36:51,880
but rather that they govern in the wrong place.

721
00:36:51,880 --> 00:36:56,320
They place control outside the workflow where it's slowed execution instead of stabilizing

722
00:36:56,320 --> 00:37:00,280
it, and once you understand that, the next shift becomes unavoidable.

723
00:37:00,280 --> 00:37:04,080
Cloud governance cannot be treated as an IT project with compliance attachments.

724
00:37:04,080 --> 00:37:06,680
It has to be treated as business design.

725
00:37:06,680 --> 00:37:09,520
Governance as a business discipline, not an IT project.

726
00:37:09,520 --> 00:37:12,960
This brings me to the shift most leadership teams still haven't fully made.

727
00:37:12,960 --> 00:37:16,560
Cloud governance is not an IT project with policy input coming in from the side.

728
00:37:16,560 --> 00:37:19,640
It is a business discipline, and why does that distinction matter?

729
00:37:19,640 --> 00:37:23,600
I'd projects are usually framed around delivery, where a capability gets implemented, and

730
00:37:23,600 --> 00:37:27,640
a platform gets rolled out, leading the organization to assume governance exists because

731
00:37:27,640 --> 00:37:29,760
the technical foundation is in place.

732
00:37:29,760 --> 00:37:32,240
But governance is not the same thing as deployment.

733
00:37:32,240 --> 00:37:36,120
It just decides how the organization actually operates inside the platform.

734
00:37:36,120 --> 00:37:40,040
It determines who gets access, how exceptions work, and how risk is tolerated.

735
00:37:40,040 --> 00:37:44,760
It defines how collaboration is allowed to scale without dissolving into total ambiguity.

736
00:37:44,760 --> 00:37:46,360
Those are not just technical decisions.

737
00:37:46,360 --> 00:37:48,120
They are operating model decisions.

738
00:37:48,120 --> 00:37:52,000
That means governance sits much closer to finance, legal, and business leadership than many

739
00:37:52,000 --> 00:37:53,600
organizations want to admit.

740
00:37:53,600 --> 00:37:57,800
The moment you define who can move fast, and what gets retained or shared, you aren't

741
00:37:57,800 --> 00:38:00,040
just configuring Microsoft 365.

742
00:38:00,040 --> 00:38:01,760
You are shaping business reality.

743
00:38:01,760 --> 00:38:04,440
This is where a lot of governance programs get trapped.

744
00:38:04,440 --> 00:38:08,200
Because they are funded and staffed like technical work, success is described in implementation

745
00:38:08,200 --> 00:38:11,360
language like labels published or policies documented.

746
00:38:11,360 --> 00:38:12,360
That's fine.

747
00:38:12,360 --> 00:38:16,400
But none of that tells you if the business can actually function safely at scale.

748
00:38:16,400 --> 00:38:18,520
That is the question executives need to own.

749
00:38:18,520 --> 00:38:23,800
If governance is treated as the IT team's job, the business stays in the position of a consumer

750
00:38:23,800 --> 00:38:25,400
instead of a co-owner.

751
00:38:25,400 --> 00:38:26,720
Legal appears too late.

752
00:38:26,720 --> 00:38:30,520
Security pushes for restriction, and operations pushes for speed, leaving nobody to hold

753
00:38:30,520 --> 00:38:32,080
the whole trade off together.

754
00:38:32,080 --> 00:38:34,760
That fragmentation is expensive.

755
00:38:34,760 --> 00:38:39,040
From a system perspective, governance without shared ownership becomes a coordination problem

756
00:38:39,040 --> 00:38:41,080
disguised as a tool problem.

757
00:38:41,080 --> 00:38:44,840
Everyone touches the outcome, but nobody fully owns the operating tension inside it.

758
00:38:44,840 --> 00:38:46,080
Let me make that more concrete.

759
00:38:46,080 --> 00:38:50,160
No finance leader would accept a world where spending policy lived in a document while the

760
00:38:50,160 --> 00:38:52,880
payment systems ignored it in daily operations.

761
00:38:52,880 --> 00:38:57,520
We understand instinctively that financial control has to live inside the mechanism of spending

762
00:38:57,520 --> 00:38:59,080
approval and reporting.

763
00:38:59,080 --> 00:39:01,400
What governance should be treated the same way?

764
00:39:01,400 --> 00:39:05,240
If your sharing rules live in a policy but not in the actual sharing experience, that is

765
00:39:05,240 --> 00:39:06,560
weak governance.

766
00:39:06,560 --> 00:39:10,520
If your retention model lives in legal guidance but not in life cycle operations, that is also

767
00:39:10,520 --> 00:39:11,520
weak governance.

768
00:39:11,520 --> 00:39:15,280
The business has to co-own those mechanics because the business is the one living inside

769
00:39:15,280 --> 00:39:16,280
the consequences.

770
00:39:16,280 --> 00:39:19,760
And this is where executive responsibility becomes very practical.

771
00:39:19,760 --> 00:39:23,680
Executive ownership does not mean approving a slight deck once a year.

772
00:39:23,680 --> 00:39:27,360
It means naming the real trade-offs that the organization has to live with.

773
00:39:27,360 --> 00:39:28,360
Where do we need speed?

774
00:39:28,360 --> 00:39:29,720
Where do we need friction?

775
00:39:29,720 --> 00:39:31,600
What level of autonomy is acceptable?

776
00:39:31,600 --> 00:39:32,840
What must be automated?

777
00:39:32,840 --> 00:39:34,360
Those are business design questions.

778
00:39:34,360 --> 00:39:38,320
IT can implement a lot and security can advise a lot, but leadership has to decide how

779
00:39:38,320 --> 00:39:40,000
the system should behave under pressure.

780
00:39:40,000 --> 00:39:43,880
I'd argue governance needs the same seriousness as any core business discipline because the

781
00:39:43,880 --> 00:39:47,120
platform is now part of the operating model itself.

782
00:39:47,120 --> 00:39:51,280
Teams, SharePoint and Copilot are no longer peripheral infrastructure.

783
00:39:51,280 --> 00:39:53,840
They are the places where work actually happens.

784
00:39:53,840 --> 00:39:57,800
If governance shapes how work happens, then governance is part of business design.

785
00:39:57,800 --> 00:40:00,880
And once leaders accept that, the conversation gets much cleaner.

786
00:40:00,880 --> 00:40:04,920
You stop asking which feature to switch on next and start asking where the control surface

787
00:40:04,920 --> 00:40:06,520
should sit inside the workflow.

788
00:40:06,520 --> 00:40:10,640
You stop funding isolated fixes and start funding structural resilience.

789
00:40:10,640 --> 00:40:14,600
If governance remains framed as an IT project, it will keep producing technical outputs with

790
00:40:14,600 --> 00:40:15,880
weak business adoption.

791
00:40:15,880 --> 00:40:19,160
But if it's treated as a business discipline, it can finally do what it was supposed to

792
00:40:19,160 --> 00:40:20,320
do from the start.

793
00:40:20,320 --> 00:40:21,960
It can enable safe scale.

794
00:40:21,960 --> 00:40:26,720
And once you make that shift, the architecture conversation becomes much easier to see.

795
00:40:26,720 --> 00:40:30,640
The architectural shift from feature management to control surfaces.

796
00:40:30,640 --> 00:40:35,000
Once you start treating governance as a core part of business design, the next architectural

797
00:40:35,000 --> 00:40:37,000
move becomes obvious.

798
00:40:37,000 --> 00:40:40,720
You have to stop managing features and start managing control surfaces.

799
00:40:40,720 --> 00:40:44,680
While that might sound like technical jargon, the business implication is actually very simple.

800
00:40:44,680 --> 00:40:49,440
A feature is just something a platform offers, but the control surface is the specific place

801
00:40:49,440 --> 00:40:51,040
where human behavior is shaped.

802
00:40:51,040 --> 00:40:54,680
If leadership keeps asking whether they should enable a specific feature, they stay trapped

803
00:40:54,680 --> 00:40:55,920
in a reactive posture.

804
00:40:55,920 --> 00:41:00,440
They are always chasing a road map or debating settings, and they end up discussing capability

805
00:41:00,440 --> 00:41:04,680
after capability as if governance were just a collection of product switches.

806
00:41:04,680 --> 00:41:05,680
It isn't.

807
00:41:05,680 --> 00:41:09,200
Features do not actually govern anything by themselves because they only matter at the

808
00:41:09,200 --> 00:41:12,000
exact point where they intersect with real work.

809
00:41:12,000 --> 00:41:15,600
That intersection is the control surface, and it is the only place where the organization

810
00:41:15,600 --> 00:41:20,200
either embeds control into the workflow or leaves people to improvise on their own.

811
00:41:20,200 --> 00:41:21,680
And why is that important?

812
00:41:21,680 --> 00:41:25,280
Work does not happen inside the categories of an admin center, but instead it happens

813
00:41:25,280 --> 00:41:26,640
inside specific moments.

814
00:41:26,640 --> 00:41:30,600
A team gets created, a file gets shared, or a new workflow gets published.

815
00:41:30,600 --> 00:41:32,720
These are the moments that actually matter.

816
00:41:32,720 --> 00:41:36,840
When an agent gets permission to act or a site gets provisioned, that is where the system

817
00:41:36,840 --> 00:41:39,080
either guides the user or fails them.

818
00:41:39,080 --> 00:41:40,880
So the architectural question has to change.

819
00:41:40,880 --> 00:41:44,360
We shouldn't be asking what Microsoft 365 allows us to do now, but rather we should ask

820
00:41:44,360 --> 00:41:47,520
where the system needs to shape decisions before drift begins.

821
00:41:47,520 --> 00:41:49,520
That is a much stronger way to frame the problem.

822
00:41:49,520 --> 00:41:53,680
If creating a new team is a risk point, then the control surface isn't teams governance

823
00:41:53,680 --> 00:41:54,920
in a general sense.

824
00:41:54,920 --> 00:41:59,040
The surface is the creation path itself, including the templates, the naming logic, and the naming

825
00:41:59,040 --> 00:42:02,240
requirements that exist between the request and the actual use.

826
00:42:02,240 --> 00:42:05,600
That is the moment where governance either becomes a reality or stays irrelevant.

827
00:42:05,600 --> 00:42:09,320
When external sharing is the risk, the control surface is the sharing experience.

828
00:42:09,320 --> 00:42:13,080
We have to look at what the defaults are, what requires a manual review, and what kind

829
00:42:13,080 --> 00:42:14,680
of warning appears to the user.

830
00:42:14,680 --> 00:42:18,160
This isn't about an abstract policy written in a handbook, but about shaping a decision

831
00:42:18,160 --> 00:42:20,040
at the exact point of action.

832
00:42:20,040 --> 00:42:24,240
If agent permissions are the risk, the control surface becomes identity and scope.

833
00:42:24,240 --> 00:42:28,600
We need to know what this non-human workload can reach, who is responsible for it, and

834
00:42:28,600 --> 00:42:31,200
how it gets retired when it is no longer needed.

835
00:42:31,200 --> 00:42:34,560
This is the architecture conversation that leaders need to have right now, especially as

836
00:42:34,560 --> 00:42:36,680
we move into the 2026 landscape.

837
00:42:36,680 --> 00:42:40,560
This is where feature-first governance starts to break apart because that way of thinking

838
00:42:40,560 --> 00:42:41,840
scatters your attention.

839
00:42:41,840 --> 00:42:46,360
You end up with one conversation about sensitivity labels, another about power platform, and another

840
00:42:46,360 --> 00:42:47,960
about co-pilot readiness.

841
00:42:47,960 --> 00:42:52,320
Everything gets discussed as a separate domain, and the organization slowly builds a fragmented

842
00:42:52,320 --> 00:42:55,400
map of partial answers that don't actually connect.

843
00:42:55,400 --> 00:42:58,560
But the people inside the system do not experience fragmentation that way.

844
00:42:58,560 --> 00:43:00,480
They experience one single workflow.

845
00:43:00,480 --> 00:43:05,320
To the user, it is just one request, one share action, or one setup step in a collaboration

846
00:43:05,320 --> 00:43:06,320
moment.

847
00:43:06,320 --> 00:43:11,000
If your controls are fragmented, while the work is unified, the user carries the burden

848
00:43:11,000 --> 00:43:14,720
of stitching your governance together, and that is exactly what fails when people are

849
00:43:14,720 --> 00:43:15,720
under pressure.

850
00:43:15,720 --> 00:43:17,600
Architecture first governance does the opposite.

851
00:43:17,600 --> 00:43:21,120
It starts with the recurring moments of your operation and asks where the boundaries

852
00:43:21,120 --> 00:43:22,440
should sit by default.

853
00:43:22,440 --> 00:43:26,280
We have to decide where ownership should be visible and where the system should slow down

854
00:43:26,280 --> 00:43:28,200
or accelerate based on risk.

855
00:43:28,200 --> 00:43:32,600
High-risk work should trigger stronger controls because the exposure justifies it, while low-risk

856
00:43:32,600 --> 00:43:35,560
work should move fast without any unnecessary friction.

857
00:43:35,560 --> 00:43:37,640
That is how you build structural resilience.

858
00:43:37,640 --> 00:43:41,480
You don't get there by adding more scattered controls, but by placing fewer better controls

859
00:43:41,480 --> 00:43:42,720
at the right surfaces.

860
00:43:42,720 --> 00:43:46,400
This approach reduces the decision load on your people, which is one of the most underrated

861
00:43:46,400 --> 00:43:48,520
parts of a good governance strategy.

862
00:43:48,520 --> 00:43:52,520
If every employee has to interpret risk manually, you don't have a strong environment.

863
00:43:52,520 --> 00:43:54,360
You just have distributed ambiguity.

864
00:43:54,360 --> 00:43:57,880
Good architecture removes the need for repeated judgment where the answer should already

865
00:43:57,880 --> 00:43:59,320
be embedded in the system.

866
00:43:59,320 --> 00:44:01,960
This is the game changer that nobody talks about enough.

867
00:44:01,960 --> 00:44:04,960
Governance actually feels lighter when the architecture is better, not because the control

868
00:44:04,960 --> 00:44:10,080
is weaker, but because the system stops asking people to do the work of governance manually.

869
00:44:10,080 --> 00:44:11,840
So the executive shift is this.

870
00:44:11,840 --> 00:44:16,400
Stop funding governance as a collection of feature conversations and start designing the

871
00:44:16,400 --> 00:44:21,040
few control surfaces that actually shape behavior across your entire tenant.

872
00:44:21,040 --> 00:44:25,240
Once those surfaces are in the right place, the platform becomes much easier to govern,

873
00:44:25,240 --> 00:44:27,720
even as the complexity of the technology grows.

874
00:44:27,720 --> 00:44:32,280
And that is exactly how we need to translate this into Microsoft 365 terms.

875
00:44:32,280 --> 00:44:34,880
What this means in Microsoft 365 terms?

876
00:44:34,880 --> 00:44:39,600
Let's bring this down from a high-level concept into the reality of Microsoft 365, because

877
00:44:39,600 --> 00:44:42,720
this is usually where people either get practical or get lost.

878
00:44:42,720 --> 00:44:46,320
When I talk about an architecture first approach, I am not talking about abstract diagrams

879
00:44:46,320 --> 00:44:47,600
that have no operating value.

880
00:44:47,600 --> 00:44:51,000
I mean looking at the core control points of the platform and asking if they are being

881
00:44:51,000 --> 00:44:54,000
used as business infrastructure or just as technical features.

882
00:44:54,000 --> 00:44:56,200
Take sensitivity labels as an example.

883
00:44:56,200 --> 00:45:00,760
Most organizations still talk about labels as if they are just compliance metadata used

884
00:45:00,760 --> 00:45:03,400
to classify files or support a policy.

885
00:45:03,400 --> 00:45:07,120
While that is technically true in practice, labels are actually behavioral infrastructure.

886
00:45:07,120 --> 00:45:10,640
They decide what can be shared and what boundaries follow a piece of content into ordinary

887
00:45:10,640 --> 00:45:11,640
work.

888
00:45:11,640 --> 00:45:15,320
If your labels are inconsistent or optional, then your infrastructure is weak and your

889
00:45:15,320 --> 00:45:18,680
AI outputs and sharing patterns will all inherit that same weakness.

890
00:45:18,680 --> 00:45:19,960
Now look at access reviews.

891
00:45:19,960 --> 00:45:23,920
A lot of teams treat these reviews like a cleanup task or a periodic admin exercise that

892
00:45:23,920 --> 00:45:26,240
you only do when risk starts to feel visible again.

893
00:45:26,240 --> 00:45:29,160
But the stronger framing is to see them as a life cycle rhythm.

894
00:45:29,160 --> 00:45:33,480
Reviews are how the environment remembers that access should change as the work changes.

895
00:45:33,480 --> 00:45:36,680
Projects end, roles shift and ownership drifts over time.

896
00:45:36,680 --> 00:45:41,120
If a review is just a one-off event, the system forgets and forgotten access is exactly

897
00:45:41,120 --> 00:45:45,080
what turns into exposure when co-pilot or agent start moving through the tenant faster

898
00:45:45,080 --> 00:45:46,160
than people do.

899
00:45:46,160 --> 00:45:49,560
The same logic applies to how you provision teams and sharepoint sites.

900
00:45:49,560 --> 00:45:54,560
If provisioning is just manual gatekeeping, you create a delay, but if it is a governed service,

901
00:45:54,560 --> 00:45:55,840
you create repeatability.

902
00:45:55,840 --> 00:45:56,880
That difference matters a lot.

903
00:45:56,880 --> 00:46:01,400
A governed service means the request path is fast and the defaults are already shaped.

904
00:46:01,400 --> 00:46:04,760
The business gets what it needs without having to negotiate the control model every single

905
00:46:04,760 --> 00:46:08,360
time because the expectations are already attached to the service.

906
00:46:08,360 --> 00:46:10,400
That is what good architecture feels like.

907
00:46:10,400 --> 00:46:13,680
Not more admin work, but better defaults inside the flow of work.

908
00:46:13,680 --> 00:46:15,960
Now map that same thinking to the power platform.

909
00:46:15,960 --> 00:46:20,120
This is where I see a lot of governance models become strangely vague.

910
00:46:20,120 --> 00:46:23,600
Environments often get treated like simple containers where apps and flows happen to live,

911
00:46:23,600 --> 00:46:25,400
but that is far too shallow.

912
00:46:25,400 --> 00:46:27,520
Environments are actually zones of risk and freedom.

913
00:46:27,520 --> 00:46:31,680
They should have a specific purpose and data boundaries based on what they are for.

914
00:46:31,680 --> 00:46:35,600
Personal productivity is not the same thing as an enterprise process and a flexible zone

915
00:46:35,600 --> 00:46:40,320
for citizen development is not the same as a controlled zone for high impact workflows.

916
00:46:40,320 --> 00:46:44,800
If you flatten all of that into generic management, you miss the real architecture question.

917
00:46:44,800 --> 00:46:49,000
You have to ask what kind of behavior each zone is supposed to support safely.

918
00:46:49,000 --> 00:46:52,640
Now let's look at co-pilot readiness because this is where the industry still talks too much

919
00:46:52,640 --> 00:46:55,120
about licensing and not enough about exposure.

920
00:46:55,120 --> 00:46:57,640
Co-pilot readiness is actually data exposure readiness.

921
00:46:57,640 --> 00:46:58,960
That is the real translation.

922
00:46:58,960 --> 00:47:01,400
It isn't mainly about whether users have a license.

923
00:47:01,400 --> 00:47:06,000
It is about whether your permissions and ownership models can survive conversational discovery.

924
00:47:06,000 --> 00:47:09,520
If they can't, then the rollout is structurally premature, even if the business case looks

925
00:47:09,520 --> 00:47:10,880
great on paper.

926
00:47:10,880 --> 00:47:12,080
And then we have the agents.

927
00:47:12,080 --> 00:47:16,240
This is where the 2026 landscape changes the conversation again because agents are not

928
00:47:16,240 --> 00:47:18,000
just another feature category.

929
00:47:18,000 --> 00:47:19,520
They are an entirely new workload.

930
00:47:19,520 --> 00:47:24,080
That means identity, scope and observability start mattering in a completely different way.

931
00:47:24,080 --> 00:47:28,080
You are no longer just governing what people can do, but you are governing what non-human

932
00:47:28,080 --> 00:47:30,360
actors can reach and coordinate over time.

933
00:47:30,360 --> 00:47:34,480
If you don't treat this as identity management from day one, agents sprawl will just become

934
00:47:34,480 --> 00:47:36,480
another hidden layer of operational risk.

935
00:47:36,480 --> 00:47:40,800
So if you pull all of this together, Microsoft 365 governance becomes much clearer.

936
00:47:40,800 --> 00:47:42,120
Labels are not just labels.

937
00:47:42,120 --> 00:47:44,040
They are behavioral infrastructure.

938
00:47:44,040 --> 00:47:45,720
Access reviews are not just cleanup.

939
00:47:45,720 --> 00:47:47,720
They are a life cycle rhythm.

940
00:47:47,720 --> 00:47:49,120
Provisioning is not a request cue.

941
00:47:49,120 --> 00:47:50,560
It is a governed service.

942
00:47:50,560 --> 00:47:52,720
Power platform environments are not containers.

943
00:47:52,720 --> 00:47:54,520
They are operating zones.

944
00:47:54,520 --> 00:47:56,720
Co-pilot readiness is not about licenses.

945
00:47:56,720 --> 00:47:58,560
It is about exposure readiness.

946
00:47:58,560 --> 00:48:00,760
And agent governance is not future work.

947
00:48:00,760 --> 00:48:03,280
It is workload governance for non-human actors.

948
00:48:03,280 --> 00:48:07,600
What is the architectural translation?

949
00:48:07,600 --> 00:48:10,360
Most organizations still hit the same wall for one simple reason.

950
00:48:10,360 --> 00:48:12,600
Tools do not create alignment by themselves.

951
00:48:12,600 --> 00:48:15,120
Why tools alone do not solve governance?

952
00:48:15,120 --> 00:48:19,000
This is the exact moment where most organizations reach for the wrong fix.

953
00:48:19,000 --> 00:48:20,080
They see the mess.

954
00:48:20,080 --> 00:48:21,880
They feel the increasing pressure.

955
00:48:21,880 --> 00:48:25,400
And they realize their governance is much weaker than they originally thought.

956
00:48:25,400 --> 00:48:26,400
So they go shopping.

957
00:48:26,400 --> 00:48:30,120
They look for another dashboard, another reporting layer or a new governance platform to fix

958
00:48:30,120 --> 00:48:31,120
the problem.

959
00:48:31,120 --> 00:48:35,480
For one more visibility add-on that promises to bring order to a digital environment that

960
00:48:35,480 --> 00:48:37,880
already feels fragmented and chaotic.

961
00:48:37,880 --> 00:48:39,360
Sometimes those tools actually help.

962
00:48:39,360 --> 00:48:42,360
Native Microsoft controls are quite strong in several areas.

963
00:48:42,360 --> 00:48:45,360
And tools like PerView, Entra and Defender really do matter.

964
00:48:45,360 --> 00:48:49,320
The same goes for SharePoint teams and Power Platform admin capabilities.

965
00:48:49,320 --> 00:48:53,440
If you aren't using the controls already sitting inside your existing stack that is usually

966
00:48:53,440 --> 00:48:55,800
the first gap you need to close rather than the last.

967
00:48:55,800 --> 00:48:57,840
But here is the thing you have to remember.

968
00:48:57,840 --> 00:49:01,080
Tools express policy, but they cannot create alignment by themselves.

969
00:49:01,080 --> 00:49:03,120
What is the line leaders need to hold on to?

970
00:49:03,120 --> 00:49:07,680
Because you can have excellent technical controls in place and still suffer from weak governance

971
00:49:07,680 --> 00:49:08,680
outcomes.

972
00:49:08,680 --> 00:49:12,760
You might publish labels but still see poor classification behavior from your team.

973
00:49:12,760 --> 00:49:17,840
You can enable access reviews and still find stale permissions everywhere or deploy DLP

974
00:49:17,840 --> 00:49:22,000
only to watch people move their work into unmanaged spaces anyway.

975
00:49:22,000 --> 00:49:25,360
Adding more tooling often leaves you with the same bypass patterns, the same ownership

976
00:49:25,360 --> 00:49:27,560
confusion and the same constant drift.

977
00:49:27,560 --> 00:49:28,560
And why is that?

978
00:49:28,560 --> 00:49:32,040
The reason is that a governance failure is rarely just a gap in features.

979
00:49:32,040 --> 00:49:36,240
It is usually an ownership gap or a failure in how the workflow was designed.

980
00:49:36,240 --> 00:49:40,280
The tool can enforce what you decide but it cannot decide how your operating model should

981
00:49:40,280 --> 00:49:41,280
actually work.

982
00:49:41,280 --> 00:49:45,080
This is why I get very cautious when organizations describe their next governance phase as a

983
00:49:45,080 --> 00:49:46,480
tooling phase.

984
00:49:46,480 --> 00:49:51,440
That language sounds practical but it is often just a way of avoiding a much harder conversation.

985
00:49:51,440 --> 00:49:55,720
The harder conversation is about who owns the final outcome and where the friction sits.

986
00:49:55,720 --> 00:49:59,720
You have to figure out what the approved path feels like and how the business security and

987
00:49:59,720 --> 00:50:01,760
IT functions make trade-offs together.

988
00:50:01,760 --> 00:50:03,480
No dashboard is going to solve that for you.

989
00:50:03,480 --> 00:50:06,160
The research keeps pointing in this direction as well.

990
00:50:06,160 --> 00:50:10,520
Many organizations prefer native Microsoft 365 tools because they reduce sprawl and fit

991
00:50:10,520 --> 00:50:14,000
the existing estate which is a preference that makes perfect sense.

992
00:50:14,000 --> 00:50:18,200
But even when those native tools are strong, process discipline remains the primary bottleneck.

993
00:50:18,200 --> 00:50:22,360
The controls aren't useless but controls without aligned operating behavior will always

994
00:50:22,360 --> 00:50:23,600
stay partial.

995
00:50:23,600 --> 00:50:24,960
That is the recurring pattern.

996
00:50:24,960 --> 00:50:29,000
The technology can say no, it can warn the user and it can log every action.

997
00:50:29,000 --> 00:50:31,800
It can classify data and review access all day long.

998
00:50:31,800 --> 00:50:35,600
But if the request path is still slow and ownership is fuzzy, the business will still

999
00:50:35,600 --> 00:50:37,720
experience governance as an interruption.

1000
00:50:37,720 --> 00:50:41,040
The control stack is just sitting on top of the same structural problem.

1001
00:50:41,040 --> 00:50:44,120
Buying another layer often creates a strange kind of false confidence.

1002
00:50:44,120 --> 00:50:46,960
The reporting gets better but the architecture does not.

1003
00:50:46,960 --> 00:50:50,720
Leaders might see more data but the people inside the system still have to navigate the

1004
00:50:50,720 --> 00:50:52,440
same friction every single day.

1005
00:50:52,440 --> 00:50:56,280
The bypass continues just like before only now it happens under a more sophisticated

1006
00:50:56,280 --> 00:50:58,360
monitoring model that isn't a transformation.

1007
00:50:58,360 --> 00:51:01,600
It is just observability without any real redesign.

1008
00:51:01,600 --> 00:51:05,400
If your flow is broken, a better dashboard just gives you a clearer view of that broken

1009
00:51:05,400 --> 00:51:06,400
flow.

1010
00:51:06,400 --> 00:51:09,240
While that might be useful, it is certainly not sufficient.

1011
00:51:09,240 --> 00:51:11,560
The system is doing exactly what it was set up to do.

1012
00:51:11,560 --> 00:51:13,920
But it just isn't aligned to business reality.

1013
00:51:13,920 --> 00:51:17,880
This is where mature governance really separates itself from the reactive kind.

1014
00:51:17,880 --> 00:51:22,400
Reactive governance asks what tool is missing but mature governance asks what behavior

1015
00:51:22,400 --> 00:51:25,520
we are producing and what operating conditions are causing it.

1016
00:51:25,520 --> 00:51:28,440
That second question changes your investment strategy completely.

1017
00:51:28,440 --> 00:51:32,200
Maybe you do need more tooling or better automation but the fix always starts with redesign

1018
00:51:32,200 --> 00:51:33,200
rather than expansion.

1019
00:51:33,200 --> 00:51:35,760
You have to redesign the flow and clarify who owns it.

1020
00:51:35,760 --> 00:51:39,720
You reduce the handoffs, embed the defaults and match the intensity of your controls to

1021
00:51:39,720 --> 00:51:41,320
the actual risk involved.

1022
00:51:41,320 --> 00:51:44,960
When you make the governed path usable even under pressure, the tools start performing

1023
00:51:44,960 --> 00:51:46,800
the way you expected them to all along.

1024
00:51:46,800 --> 00:51:50,400
They finally support a coherent operating model instead of trying to compensate for the

1025
00:51:50,400 --> 00:51:51,480
absence of one.

1026
00:51:51,480 --> 00:51:53,000
The message here is simple.

1027
00:51:53,000 --> 00:51:56,920
Do not confuse your control inventory with true governance maturity.

1028
00:51:56,920 --> 00:52:00,560
A tenant full of enabled features can still be behaviorally ungoverned.

1029
00:52:00,560 --> 00:52:04,240
Once you accept that, the first practical move becomes much easier to see.

1030
00:52:04,240 --> 00:52:05,960
Don't reach for more tooling first.

1031
00:52:05,960 --> 00:52:08,080
Design the fastest safe path first.

1032
00:52:08,080 --> 00:52:09,680
The first practical shift.

1033
00:52:09,680 --> 00:52:11,440
Design for the fastest safe path.

1034
00:52:11,440 --> 00:52:13,640
If tools aren't the starting point then what is?

1035
00:52:13,640 --> 00:52:16,480
The first practical shift is to design for the fastest safe path.

1036
00:52:16,480 --> 00:52:19,600
I don't mean the most restrictive path or the one with the most documentation.

1037
00:52:19,600 --> 00:52:21,200
I mean the fastest safe path.

1038
00:52:21,200 --> 00:52:25,400
If the governed route is slower than the workaround, the workaround is going to win every single time.

1039
00:52:25,400 --> 00:52:27,280
People aren't being irrational when they do this.

1040
00:52:27,280 --> 00:52:29,440
They are responding rationally to operating pressure.

1041
00:52:29,440 --> 00:52:32,000
That is the business reality you have to design for.

1042
00:52:32,000 --> 00:52:34,680
This is the point where governance starts becoming useful again.

1043
00:52:34,680 --> 00:52:38,680
You don't need to redesign your entire tenant at once, which is actually where most programs

1044
00:52:38,680 --> 00:52:39,680
stall out.

1045
00:52:39,680 --> 00:52:43,200
Too much scope and too many abstract debates lead to zero change in the lived experience

1046
00:52:43,200 --> 00:52:44,200
of your users.

1047
00:52:44,200 --> 00:52:47,840
Instead pick one high friction moment where people constantly collide with your control

1048
00:52:47,840 --> 00:52:48,840
model.

1049
00:52:48,840 --> 00:52:53,000
Encoration is a great example as is external sharing or setting up a new project workspace.

1050
00:52:53,000 --> 00:52:56,360
It could be a power platform request or an agent set up path.

1051
00:52:56,360 --> 00:53:00,080
Pick anything people touch often enough that the friction starts to compound.

1052
00:53:00,080 --> 00:53:01,480
Then ask one simple question.

1053
00:53:01,480 --> 00:53:05,160
How long does the governed path actually take from the moment of need to the moment of

1054
00:53:05,160 --> 00:53:06,160
action?

1055
00:53:06,160 --> 00:53:08,160
Don't look at the ideal process map.

1056
00:53:08,160 --> 00:53:09,160
Look at the real one.

1057
00:53:09,160 --> 00:53:13,080
Count the steps, the approvals, the handoffs, and the total time spent waiting.

1058
00:53:13,080 --> 00:53:16,320
Look for the points where someone has to stop and interpret a policy instead of just

1059
00:53:16,320 --> 00:53:17,320
moving through it.

1060
00:53:17,320 --> 00:53:20,440
And this is where many leaders discover something uncomfortable.

1061
00:53:20,440 --> 00:53:23,640
What they thought was a control path is actually just a delay path.

1062
00:53:23,640 --> 00:53:27,680
It is full of manual checkpoints that don't always improve quality, but they absolutely

1063
00:53:27,680 --> 00:53:28,760
reduce speed.

1064
00:53:28,760 --> 00:53:31,760
But here's the thing, speed and control are not opposites.

1065
00:53:31,760 --> 00:53:35,880
That idea has damaged governance for years, as if you have to choose between being safe

1066
00:53:35,880 --> 00:53:36,880
or being fast.

1067
00:53:36,880 --> 00:53:41,280
From a system perspective that isn't just incomplete, it is often flat out wrong.

1068
00:53:41,280 --> 00:53:44,680
Good architecture can make the standard path both quicker and more controlled because

1069
00:53:44,680 --> 00:53:47,960
defaults carry the burden that people use to carry manually.

1070
00:53:47,960 --> 00:53:49,800
That is the shortcut nobody teaches you.

1071
00:53:49,800 --> 00:53:53,680
If your workspace request automatically applies the right template and captures the

1072
00:53:53,680 --> 00:53:57,240
owner, you have increased speed and control at the same time.

1073
00:53:57,240 --> 00:54:01,440
When the system attaches life-cycle logic and only roots unusual cases for extra review,

1074
00:54:01,440 --> 00:54:04,120
the process gets lighter because the architecture got smarter.

1075
00:54:04,120 --> 00:54:05,920
That is what I call structural compensation.

1076
00:54:05,920 --> 00:54:09,520
You are designing for the fact that your people are busy and trying to move quickly.

1077
00:54:09,520 --> 00:54:13,200
Instead of asking them to slow down and translate policy every time, you put the policy

1078
00:54:13,200 --> 00:54:15,000
directly into the path itself.

1079
00:54:15,000 --> 00:54:19,080
To make that concrete, a standard team for internal project work should not take days

1080
00:54:19,080 --> 00:54:20,080
to set up.

1081
00:54:20,080 --> 00:54:21,080
It should take minutes.

1082
00:54:21,080 --> 00:54:23,760
It needs clear ownership and clear defaults, but it should be fast.

1083
00:54:23,760 --> 00:54:26,920
If regulated collaboration needs stronger checks, you can add them there, but don't make

1084
00:54:26,920 --> 00:54:30,000
every low-risk request pass through that same, heavy path.

1085
00:54:30,000 --> 00:54:33,240
That is exactly how unofficial shadow-it-behavior starts.

1086
00:54:33,240 --> 00:54:36,000
This is where executive leadership really matters.

1087
00:54:36,000 --> 00:54:40,000
Leaders need to stop asking if a governance process exists and start asking how fast a standard

1088
00:54:40,000 --> 00:54:41,440
governed action can happen.

1089
00:54:41,440 --> 00:54:45,280
If the answer for routine work is measured in days, your system is already leaking.

1090
00:54:45,280 --> 00:54:47,440
You just might not see where the leaks are yet.

1091
00:54:47,440 --> 00:54:51,320
Once you redesign even one fast-safe path, something important happens.

1092
00:54:51,320 --> 00:54:53,320
People start to trust the governed route again.

1093
00:54:53,320 --> 00:54:55,880
That trust matters more than any dashboard will ever show.

1094
00:54:55,880 --> 00:55:00,520
Once the official path becomes the easy path, your training and adoption get much easier.

1095
00:55:00,520 --> 00:55:04,000
Exceptions become more meaningful because they are actually exceptions again rather than

1096
00:55:04,000 --> 00:55:07,120
just survival tactics used by frustrated employees.

1097
00:55:07,120 --> 00:55:10,160
If you want one practical move to start with, make it this one.

1098
00:55:10,160 --> 00:55:14,560
Make one flow, measure the friction honestly and strip out every unnecessary step.

1099
00:55:14,560 --> 00:55:17,040
Automate your defaults while preserving accountability.

1100
00:55:17,040 --> 00:55:20,480
Set a new standard that routine work should move in minutes, not days.

1101
00:55:20,480 --> 00:55:24,880
When the safe path finally becomes the fast path, governance stops feeling like an interruption.

1102
00:55:24,880 --> 00:55:29,200
It starts behaving like infrastructure and that is the first real sign that your architecture

1103
00:55:29,200 --> 00:55:30,800
is finally working.

1104
00:55:30,800 --> 00:55:32,560
The second practical shift.

1105
00:55:32,560 --> 00:55:34,920
Create zones instead of universal friction.

1106
00:55:34,920 --> 00:55:38,600
The second practical shift is to stop treating every single workload like it carries the

1107
00:55:38,600 --> 00:55:43,120
same risk, the same consequence and the same need for absolute control.

1108
00:55:43,120 --> 00:55:47,240
When organizations try to govern everything with one uniform layer of friction, they usually

1109
00:55:47,240 --> 00:55:49,400
end up with the worst of both worlds.

1110
00:55:49,400 --> 00:55:52,160
Low risk work gets slowed down for no good reason.

1111
00:55:52,160 --> 00:55:56,240
While high risk work still slips through the cracks because the model is too blunt to focus

1112
00:55:56,240 --> 00:55:57,960
attention where it actually matters.

1113
00:55:57,960 --> 00:55:59,680
That is why zone governance matters.

1114
00:55:59,680 --> 00:56:03,120
It is not about lighter governance, it is about more precise governance.

1115
00:56:03,120 --> 00:56:07,200
Instead of forcing the whole organization through one generic control model, you create

1116
00:56:07,200 --> 00:56:11,600
clear operating zones based on exposure, business sensitivity and consequence.

1117
00:56:11,600 --> 00:56:15,840
One zone might support low risk collaboration where speed is the priority and controls can

1118
00:56:15,840 --> 00:56:19,320
be lighter because the content and audience are less sensitive.

1119
00:56:19,320 --> 00:56:22,800
Another zone supports controlled business operations where ownership, review and life cycle

1120
00:56:22,800 --> 00:56:26,720
need to be much stronger because the work affects real processes and decisions.

1121
00:56:26,720 --> 00:56:31,120
Finally, you have high risk or regulated spaces where the organization intentionally accepts

1122
00:56:31,120 --> 00:56:34,080
more friction because the exposure is materially different.

1123
00:56:34,080 --> 00:56:36,120
That zoning changes the conversation immediately.

1124
00:56:36,120 --> 00:56:39,760
You'll stop asking why everything is so hard and start asking what kind of work they are

1125
00:56:39,760 --> 00:56:41,680
doing and what kind of boundary it needs.

1126
00:56:41,680 --> 00:56:45,440
That is a much healthier question because it links control to consequence instead of applying

1127
00:56:45,440 --> 00:56:46,920
the same drag everywhere.

1128
00:56:46,920 --> 00:56:49,880
You can see why this matters in Microsoft 365 very quickly.

1129
00:56:49,880 --> 00:56:53,840
A temporary internal project workspace does not need the same operating model as a finance

1130
00:56:53,840 --> 00:56:58,600
collaboration space and a general knowledge site does not need the same path as a regulated

1131
00:56:58,600 --> 00:56:59,840
records area.

1132
00:56:59,840 --> 00:57:04,200
A low risk co-pilot pilot should not begin with the whole tenant equally exposed, just

1133
00:57:04,200 --> 00:57:08,920
like a citizen built automation for personal productivity should not sit in the same governance

1134
00:57:08,920 --> 00:57:13,960
lane as a business critical power platform solution connected to core data.

1135
00:57:13,960 --> 00:57:17,960
When those differences disappear, people experience governance as arbitrary and arbitrary

1136
00:57:17,960 --> 00:57:19,440
control is very hard to trust.

1137
00:57:19,440 --> 00:57:24,760
This is why Microsoft recommended phased models matter more than they first appear.

1138
00:57:24,760 --> 00:57:29,240
Starting with up to 100 low risk sites for initial co-pilot testing is not just a pilot

1139
00:57:29,240 --> 00:57:32,240
tactic, it is a zoned governance principle.

1140
00:57:32,240 --> 00:57:36,520
You learn where the exposure patterns are and how users behave without pretending every

1141
00:57:36,520 --> 00:57:39,040
part of the environment is equally ready on day one.

1142
00:57:39,040 --> 00:57:41,000
That is how resilient systems scale.

1143
00:57:41,000 --> 00:57:44,840
It is not done through universal activation but through bounded learning.

1144
00:57:44,840 --> 00:57:47,960
Power Platform gives us another clear example of this logic.

1145
00:57:47,960 --> 00:57:49,320
Environments need purpose.

1146
00:57:49,320 --> 00:57:53,400
Some should function as personal productivity spaces, some should support development and

1147
00:57:53,400 --> 00:57:57,560
testing and others should carry production business logic with stronger life cycle management

1148
00:57:57,560 --> 00:57:59,080
and monitoring.

1149
00:57:59,080 --> 00:58:03,000
If you govern all of them the same way, you either choke local innovation or leave critical

1150
00:58:03,000 --> 00:58:06,800
operations to lose and both of those outcomes are system failures.

1151
00:58:06,800 --> 00:58:11,560
Now map that same logic to co-pilot, not every site, team, library or data set should be

1152
00:58:11,560 --> 00:58:13,720
equally available in the first wave.

1153
00:58:13,720 --> 00:58:18,040
Some areas are cleaner, better owned and easier to review so you should start there to build

1154
00:58:18,040 --> 00:58:20,400
trust and fix the weaker zones before expanding.

1155
00:58:20,400 --> 00:58:25,080
If you flatten everything into one universal access posture, the system stops distinguishing

1156
00:58:25,080 --> 00:58:27,640
between safe acceleration and reckless exposure.

1157
00:58:27,640 --> 00:58:29,000
That is the executive lesson.

1158
00:58:29,000 --> 00:58:32,040
Universal friction feels fair but structurally it is lazy.

1159
00:58:32,040 --> 00:58:36,560
It avoids making trade-offs explicit so everyone pays the same cost whether the risk justifies

1160
00:58:36,560 --> 00:58:37,560
it or not.

1161
00:58:37,560 --> 00:58:42,000
Zoned governance does the harder and better thing by naming where speed should win, where

1162
00:58:42,000 --> 00:58:45,720
control should tighten and where learning should happen before you hit scale.

1163
00:58:45,720 --> 00:58:47,400
Once you do that, resistance drops.

1164
00:58:47,400 --> 00:58:51,680
For a simple reason, people can feel that the boundary matches the work and the system finally

1165
00:58:51,680 --> 00:58:53,280
starts making sense.

1166
00:58:53,280 --> 00:58:54,840
That is what good governance should do.

1167
00:58:54,840 --> 00:58:58,800
It should not force every activity through the same narrow gate but should create the right

1168
00:58:58,800 --> 00:59:02,640
operating conditions for different kinds of work so people know where they are and why

1169
00:59:02,640 --> 00:59:04,200
rules apply.

1170
00:59:04,200 --> 00:59:08,000
Because if every path feels equally heavy, the business eventually stops seeing governance

1171
00:59:08,000 --> 00:59:10,880
as guidance and starts seeing it as weather.

1172
00:59:10,880 --> 00:59:14,160
The AI and agent reality leaders must design for.

1173
00:59:14,160 --> 00:59:19,400
Now map-zoned governance to where Microsoft 365 is going next because 2026 removes the

1174
00:59:19,400 --> 00:59:23,400
luxury of treating governance as a slower, later conversation.

1175
00:59:23,400 --> 00:59:26,000
AI accelerates three things at once.

1176
00:59:26,000 --> 00:59:29,800
Content creation, content discovery and workflow execution.

1177
00:59:29,800 --> 00:59:33,480
That combination matters more than most leaders first assume because each one compounds the

1178
00:59:33,480 --> 00:59:34,480
others.

1179
00:59:34,480 --> 00:59:38,920
More content means more material to govern and faster discovery means more of that material

1180
00:59:38,920 --> 00:59:43,120
becomes visible to the wrong audience if access is weak.

1181
00:59:43,120 --> 00:59:45,880
This is why the AI wave is not just another feature wave.

1182
00:59:45,880 --> 00:59:48,560
It changes the operating conditions of the tenant.

1183
00:59:48,560 --> 00:59:53,440
One third of Microsoft 365 content now requires long term or permanent preservation which

1184
00:59:53,440 --> 00:59:59,120
creates massive pressure because active collaboration spaces were never meant to become endless archives.

1185
00:59:59,120 --> 01:00:03,360
Add AI generated content to that mix and the volume grows faster while ownership often

1186
01:00:03,360 --> 01:00:04,760
gets weaker.

1187
01:00:04,760 --> 01:00:09,240
Data sprawl stops being a storage inconvenience and turns into a cost, exposure and discovery

1188
01:00:09,240 --> 01:00:10,560
problem all at once.

1189
01:00:10,560 --> 01:00:12,800
Now put executive pressure on top of that reality.

1190
01:00:12,800 --> 01:00:19,120
70% of C-sweets encourage AI use in Microsoft 365 and one third are pushing for rapid adoption

1191
01:00:19,120 --> 01:00:24,400
while more than half of admin teams report that deployment is moving faster than governance.

1192
01:00:24,400 --> 01:00:27,640
That gap is not a communication issue, it is a design issue.

1193
01:00:27,640 --> 01:00:31,240
Leadership is increasing velocity at the top while the control model underneath is still

1194
01:00:31,240 --> 01:00:36,280
catching up and in any other business system we would recognize that instantly as instability

1195
01:00:36,280 --> 01:00:38,280
and then agents enter the picture.

1196
01:00:38,280 --> 01:00:42,240
This is where many governance models become outdated very quickly because agents are not

1197
01:00:42,240 --> 01:00:44,280
just another user experience layer.

1198
01:00:44,280 --> 01:00:49,400
They are a new workload, they need identity, permissions, scope boundaries and life cycle

1199
01:00:49,400 --> 01:00:51,880
management just like any human user.

1200
01:00:51,880 --> 01:00:57,200
Once a non-human actor can retrieve information, trigger workflows or act across systems, governance

1201
01:00:57,200 --> 01:01:00,680
has moved beyond user behavior into delegated behavior.

1202
01:01:00,680 --> 01:01:02,280
That changes the risk shape entirely.

1203
01:01:02,280 --> 01:01:07,360
A user with broad access is one issue but a fleet of agents with broad access and weak

1204
01:01:07,360 --> 01:01:09,560
observability is a much bigger one.

1205
01:01:09,560 --> 01:01:14,280
Right now many organizations do not have a centralized inventory that shows which agents exist or

1206
01:01:14,280 --> 01:01:15,840
what data they can touch.

1207
01:01:15,840 --> 01:01:21,120
That visibility gap matters because unmanaged agents create a form of hidden delegation

1208
01:01:21,120 --> 01:01:25,640
where work gets automated and access gets exercised at scale but the operating model still

1209
01:01:25,640 --> 01:01:28,240
behaves as if only humans need governance.

1210
01:01:28,240 --> 01:01:32,240
From a system perspective that is no longer true, this is why I keep translating AI readiness

1211
01:01:32,240 --> 01:01:33,760
into governance language.

1212
01:01:33,760 --> 01:01:37,800
Autonomous work without governance is unmanaged delegation which means the organization is allowing

1213
01:01:37,800 --> 01:01:42,200
work to be done on its behalf without fully defining boundaries or accountability.

1214
01:01:42,200 --> 01:01:46,000
Once that happens, every existing weakness in permissions and ownership gets amplified

1215
01:01:46,000 --> 01:01:47,720
through a faster execution layer.

1216
01:01:47,720 --> 01:01:50,360
That is the business reality leaders need to design for now.

1217
01:01:50,360 --> 01:01:53,600
It is not just about better prompts or more licenses or another pilot.

1218
01:01:53,600 --> 01:01:58,640
You are designing for a tenant where AI can search, summarize and act and where non-human workloads

1219
01:01:58,640 --> 01:02:02,400
need the same seriousness we already apply to privileged human access.

1220
01:02:02,400 --> 01:02:05,840
The speed pressure from the boardroom can no longer be separated from governance readiness

1221
01:02:05,840 --> 01:02:06,760
on the ground.

1222
01:02:06,760 --> 01:02:10,840
The old model where governance reviews happen quarterly while AI moves weekly just does

1223
01:02:10,840 --> 01:02:11,840
not hold up anymore.

1224
01:02:11,840 --> 01:02:12,840
It is too slow.

1225
01:02:12,840 --> 01:02:17,360
It assumes a world where exposure grows gradually and behavior stays mostly human but that is

1226
01:02:17,360 --> 01:02:18,560
not the world we are in.

1227
01:02:18,560 --> 01:02:23,400
The environment is becoming more conversational, more automated and more delegated.

1228
01:02:23,400 --> 01:02:28,560
This means governance has to become more architectural, more observable and much closer to the actual

1229
01:02:28,560 --> 01:02:29,560
flow of work.

1230
01:02:29,560 --> 01:02:33,400
Once you accept that, executive ownership starts to look very different.

1231
01:02:33,400 --> 01:02:35,920
What executive ownership actually looks like?

1232
01:02:35,920 --> 01:02:40,200
If our digital environment is moving faster, becoming more conversational and pushing authority

1233
01:02:40,200 --> 01:02:43,840
down to the edges, executive ownership has to change too.

1234
01:02:43,840 --> 01:02:48,000
It can no longer mean just signing off on a policy deck once a year and hoping the system

1235
01:02:48,000 --> 01:02:49,000
manages itself.

1236
01:02:49,000 --> 01:02:50,320
That isn't true ownership.

1237
01:02:50,320 --> 01:02:53,840
It is just distance and in a high-speed system, distance creates risk.

1238
01:02:53,840 --> 01:02:57,280
Real ownership begins when leadership finally names the trade-offs.

1239
01:02:57,280 --> 01:02:59,960
The organization is already making every single day.

1240
01:02:59,960 --> 01:03:03,560
These choices are happening right now whether anyone admits it or not and they usually fall

1241
01:03:03,560 --> 01:03:05,440
into a few specific buckets.

1242
01:03:05,440 --> 01:03:08,440
You are choosing between speed of delivery and the speed of manual review.

1243
01:03:08,440 --> 01:03:12,200
You are balancing open collaboration against tighter data boundaries.

1244
01:03:12,200 --> 01:03:16,360
There is a constant tug of war between giving people broader access and enforcing strict

1245
01:03:16,360 --> 01:03:17,360
least privilege.

1246
01:03:17,360 --> 01:03:21,680
Even your storage strategy is a trade-off between long-term data retention and the rising

1247
01:03:21,680 --> 01:03:22,680
costs of discovery.

1248
01:03:22,680 --> 01:03:27,040
Right now your teams are likely feeling the pressure of a fast AI roll-out versus the need

1249
01:03:27,040 --> 01:03:30,000
for a slower cleanup before that exposure expands.

1250
01:03:30,000 --> 01:03:32,120
These decisions are being made by default every hour.

1251
01:03:32,120 --> 01:03:35,520
The only real question is whether executives are making them intentionally or letting

1252
01:03:35,520 --> 01:03:40,040
them drift across IT, compliance and the business one exception at a time.

1253
01:03:40,040 --> 01:03:41,280
And why does that matter so much?

1254
01:03:41,280 --> 01:03:44,320
It matters because drift is incredibly expensive for a business.

1255
01:03:44,320 --> 01:03:48,040
It creates a false sense that nobody actually chose the current mess when the reality is

1256
01:03:48,040 --> 01:03:52,720
that the outcome emerged from all the small choices that leadership failed to make clearly.

1257
01:03:52,720 --> 01:03:57,080
This is exactly how you end up with massive oversharing that nobody owns, provisioning delays

1258
01:03:57,080 --> 01:04:01,200
that everyone hates and AI pressure that crushes teams who don't have the authority

1259
01:04:01,200 --> 01:04:03,000
to slow things down.

1260
01:04:03,000 --> 01:04:06,400
Executive ownership means stepping directly into that ambiguity and clearing it out.

1261
01:04:06,400 --> 01:04:10,840
It requires building a governance forum that actually resolves the friction between IT,

1262
01:04:10,840 --> 01:04:12,920
security, legal and the business units.

1263
01:04:12,920 --> 01:04:16,120
Most governance boards fail because they act like new stations.

1264
01:04:16,120 --> 01:04:19,720
They gather information, they listen to status reports and they log concerns, but they never

1265
01:04:19,720 --> 01:04:23,560
actually resolve the operating conflicts that drive human behavior.

1266
01:04:23,560 --> 01:04:27,920
Because those conflicts stay alive, the friction survives month after month, and the people

1267
01:04:27,920 --> 01:04:31,080
inside the system keep finding ways to bypass the rules.

1268
01:04:31,080 --> 01:04:34,720
A functional governance board needs to answer very practical structural questions.

1269
01:04:34,720 --> 01:04:38,360
You need to decide on the acceptable wait time for a standard teams request.

1270
01:04:38,360 --> 01:04:42,560
You have to define which collaboration scenarios stay, self-service and where you must require

1271
01:04:42,560 --> 01:04:45,520
a human review before external sharing happens.

1272
01:04:45,520 --> 01:04:49,360
Leadership needs to dictate which agent use cases are safe to pilot today and exactly what

1273
01:04:49,360 --> 01:04:52,640
needs to be labeled before co-pilot expands to the next department.

1274
01:04:52,640 --> 01:04:55,840
These are not just technical details for the admins to figure out.

1275
01:04:55,840 --> 01:04:58,600
They are business rules expressed through system architecture.

1276
01:04:58,600 --> 01:05:01,120
The way we measure success has to shift as well.

1277
01:05:01,120 --> 01:05:05,160
If executives only ask if a standard exists, they will keep getting green lights while the

1278
01:05:05,160 --> 01:05:07,520
actual environment rots underneath them.

1279
01:05:07,520 --> 01:05:12,120
You need metrics that describe lived governance rather than just declared governance.

1280
01:05:12,120 --> 01:05:14,600
Provisioning speed is a vital sign of system health.

1281
01:05:14,600 --> 01:05:17,760
Bipast rates tell you exactly where your policy is failing.

1282
01:05:17,760 --> 01:05:21,160
Reducing oversharing is a key outcome, but access review completion doesn't mean much

1283
01:05:21,160 --> 01:05:22,160
by itself.

1284
01:05:22,160 --> 01:05:26,400
You also need to know if stale access is actually dropping or if people are just clicking

1285
01:05:26,400 --> 01:05:29,280
approve to get back to work.

1286
01:05:29,280 --> 01:05:31,320
Adoption behavior is the ultimate truth teller here.

1287
01:05:31,320 --> 01:05:34,800
A governed path that nobody uses isn't a secure control.

1288
01:05:34,800 --> 01:05:37,520
It is just a band and infrastructure that people are working around.

1289
01:05:37,520 --> 01:05:39,640
So I want you to start asking different questions.

1290
01:05:39,640 --> 01:05:42,200
Where is the friction highest for your employees right now?

1291
01:05:42,200 --> 01:05:45,400
Where are people forced to create side paths just to do their jobs?

1292
01:05:45,400 --> 01:05:49,080
You need to find where the policy intent has drifted away from, what the tools actually

1293
01:05:49,080 --> 01:05:50,080
enforce.

1294
01:05:50,080 --> 01:05:53,680
Look for where you have non-human access without a clear owner and find where the business

1295
01:05:53,680 --> 01:05:56,960
still sees governance as an interruption instead of a way to get things done.

1296
01:05:56,960 --> 01:05:58,880
These questions shift the entire conversation.

1297
01:05:58,880 --> 01:06:02,960
They force the organization to deal with operating reality instead of hiding behind compliance

1298
01:06:02,960 --> 01:06:03,960
language.

1299
01:06:03,960 --> 01:06:06,760
This also means your ownership has to be visible to the rest of the company.

1300
01:06:06,760 --> 01:06:08,080
I don't mean performative emails.

1301
01:06:08,080 --> 01:06:09,680
I mean structural visibility.

1302
01:06:09,680 --> 01:06:13,360
The people inside the system need to see that governance isn't just a task delegated

1303
01:06:13,360 --> 01:06:16,120
to administrators after the real strategy is finished.

1304
01:06:16,120 --> 01:06:20,040
They need to see leadership deciding where speed is the priority, where risk tolerance

1305
01:06:20,040 --> 01:06:23,640
ends and where redesign gets funded because the current flow is broken.

1306
01:06:23,640 --> 01:06:27,480
That funding piece is more important than most leaders realize.

1307
01:06:27,480 --> 01:06:31,480
Many organizations will approve a massive spend for new software because buying a tool feels

1308
01:06:31,480 --> 01:06:32,960
like taking action.

1309
01:06:32,960 --> 01:06:38,640
Very few will fund a service, redesign or a workflow simplification with that same urgency,

1310
01:06:38,640 --> 01:06:41,600
even though those moves actually change how people work.

1311
01:06:41,600 --> 01:06:45,640
From a system perspective that is completely backwards, adding tools without a redesign

1312
01:06:45,640 --> 01:06:49,600
just preserves the same old friction inside a much more expensive technology stack.

1313
01:06:49,600 --> 01:06:52,520
So here is what executive ownership looks like in practice.

1314
01:06:52,520 --> 01:06:54,040
You name the trade-offs clearly.

1315
01:06:54,040 --> 01:06:57,600
You assign cross-functional decision rights so things don't get stuck.

1316
01:06:57,600 --> 01:07:00,520
You measure actual behavior instead of just looking at documentation.

1317
01:07:00,520 --> 01:07:05,240
You fund the redesign of any process where friction is causing people to bypass the rules.

1318
01:07:05,240 --> 01:07:09,400
Finally, you treat governance as an operating system that needs constant tuning, not as a

1319
01:07:09,400 --> 01:07:10,920
boring annual exercise.

1320
01:07:10,920 --> 01:07:14,600
If your governance maturity can't tell you where the system is slow or where it is drifting

1321
01:07:14,600 --> 01:07:17,240
under AI pressure, then you don't have maturity.

1322
01:07:17,240 --> 01:07:18,360
You just have reporting.

1323
01:07:18,360 --> 01:07:20,000
The 30-day move.

1324
01:07:20,000 --> 01:07:22,520
Design one critical governance flow.

1325
01:07:22,520 --> 01:07:26,400
Before we wrap this up, I want to give you one specific move your leadership team can

1326
01:07:26,400 --> 01:07:27,960
make in the next 30 days.

1327
01:07:27,960 --> 01:07:32,000
Without a concrete step, governance stays in that important but later category and later

1328
01:07:32,000 --> 01:07:34,400
is where weak systems quietly continue to fail.

1329
01:07:34,400 --> 01:07:38,200
Do not try to overhaul your entire governance model in a single quarter.

1330
01:07:38,200 --> 01:07:42,480
Don't launch a massive remediation program just to look like you're doing something and

1331
01:07:42,480 --> 01:07:45,880
please, do not start by rewriting your policy documents again.

1332
01:07:45,880 --> 01:07:48,840
Instead, I want you to pick one critical governance flow.

1333
01:07:48,840 --> 01:07:52,880
Do something people touch every day, something that creates obvious friction and something

1334
01:07:52,880 --> 01:07:54,560
the business is already bypassing.

1335
01:07:54,560 --> 01:07:59,360
Your goal is to redesign that one flow so that control and usability finally work together.

1336
01:07:59,360 --> 01:08:00,360
That is the entire move.

1337
01:08:00,360 --> 01:08:04,960
A great candidate is usually something like the setup for a new project workspace, the process

1338
01:08:04,960 --> 01:08:08,880
for external sharing or the path to get a new automated agent approved.

1339
01:08:08,880 --> 01:08:11,640
It needs to be common enough that people feel the pain every week.

1340
01:08:11,640 --> 01:08:15,880
You are looking for a flow where delays or too many handoffs have turned the safe way

1341
01:08:15,880 --> 01:08:17,480
into a major interruption.

1342
01:08:17,480 --> 01:08:20,760
Group 1 is to measure that friction but you have to do it with real numbers.

1343
01:08:20,760 --> 01:08:24,360
You need to know the actual wait time from request to completion.

1344
01:08:24,360 --> 01:08:28,000
Count how many steps the request takes and how many different people have to click approve

1345
01:08:28,000 --> 01:08:29,280
before work can start.

1346
01:08:29,280 --> 01:08:32,600
Look at how many handoffs happen between different teams and how much of that path relies

1347
01:08:32,600 --> 01:08:34,720
on someone manually forwarding an email.

1348
01:08:34,720 --> 01:08:39,160
If you don't quantify this burden, leadership will keep treating it like a perception problem

1349
01:08:39,160 --> 01:08:41,320
when it is actually a structural failure.

1350
01:08:41,320 --> 01:08:44,000
Then you move to step 2 which is mapping the bypass.

1351
01:08:44,000 --> 01:08:46,720
Where are your people avoiding the official route right now?

1352
01:08:46,720 --> 01:08:50,800
Are they reusing old messy workspaces because getting a new one takes three days?

1353
01:08:50,800 --> 01:08:54,840
Are they using personal external tools because the internal setup is too slow?

1354
01:08:54,840 --> 01:08:58,440
Maybe they are just calling a friend in IT to get an exception because the official path

1355
01:08:58,440 --> 01:09:00,080
feels like a dead end.

1356
01:09:00,080 --> 01:09:02,600
This matters because bypass behavior is a gift.

1357
01:09:02,600 --> 01:09:06,480
It is a live diagram showing you exactly where your operating model stopped making sense

1358
01:09:06,480 --> 01:09:07,480
for the business.

1359
01:09:07,480 --> 01:09:11,320
It shows you where people are willing to pay for speed outside of the controls you put

1360
01:09:11,320 --> 01:09:12,320
in place.

1361
01:09:12,320 --> 01:09:15,640
Step 3 is the redesign itself and it has to meet three requirements.

1362
01:09:15,640 --> 01:09:17,640
It must be fast enough for normal work to happen.

1363
01:09:17,640 --> 01:09:21,640
It must be controlled enough to handle the real risks, not just every theoretical one.

1364
01:09:21,640 --> 01:09:25,240
Most importantly, it must be clear enough that people don't need a manual to understand

1365
01:09:25,240 --> 01:09:26,240
it.

1366
01:09:26,240 --> 01:09:30,160
In practice, this usually means using standardized templates and setting stronger defaults

1367
01:09:30,160 --> 01:09:31,160
at the beginning.

1368
01:09:31,160 --> 01:09:35,600
You should remove any approval steps that don't actually require human judgment.

1369
01:09:35,600 --> 01:09:39,600
Make ownership explicit the moment something is created and move your reviews to the end

1370
01:09:39,600 --> 01:09:42,240
of the life cycle instead of blocking the start of the work.

1371
01:09:42,240 --> 01:09:46,360
You are shifting from trying to inspect quality from the outside to building the right conditions

1372
01:09:46,360 --> 01:09:47,760
into the workflow itself.

1373
01:09:47,760 --> 01:09:50,360
This is what leaders should be demanding from their teams.

1374
01:09:50,360 --> 01:09:52,560
We want minutes not days for standard actions.

1375
01:09:52,560 --> 01:09:54,640
We need clear ownership from the very first day.

1376
01:09:54,640 --> 01:09:58,840
We want default protections that don't rely on a human being having a perfect memory.

1377
01:09:58,840 --> 01:10:03,200
We need to review rhythms that catch problems after the work starts, rather than gates that

1378
01:10:03,200 --> 01:10:05,120
stop the work before it even begins.

1379
01:10:05,120 --> 01:10:07,160
The test for success here is very simple.

1380
01:10:07,160 --> 01:10:11,440
If it becomes faster for an employee to follow the rules than to break them, you are winning.

1381
01:10:11,440 --> 01:10:14,360
You aren't just winning philosophically, you are winning structurally.

1382
01:10:14,360 --> 01:10:18,080
The system itself has finally started rewarding the behavior you actually want to see.

1383
01:10:18,080 --> 01:10:20,080
This is why this 30 day movie is so powerful.

1384
01:10:20,080 --> 01:10:22,800
It creates a visible proof point for the rest of the company.

1385
01:10:22,800 --> 01:10:27,360
It shows everyone that governance isn't just a language of no or a set of hurdles.

1386
01:10:27,360 --> 01:10:31,720
It can actually become a business advantage that removes ambiguity and stops the endless

1387
01:10:31,720 --> 01:10:32,720
waiting.

1388
01:10:32,720 --> 01:10:37,640
Once you improve just one flow, you gain the one thing most governance programs never have.

1389
01:10:37,640 --> 01:10:38,640
Credibility.

1390
01:10:38,640 --> 01:10:42,320
You start to believe that the governed path might actually help them get their jobs done.

1391
01:10:42,320 --> 01:10:46,600
Your security teams will see control returning to the actual workflow where it belongs.

1392
01:10:46,600 --> 01:10:50,800
Compliance gets better evidence because people aren't being forced into side channels.

1393
01:10:50,800 --> 01:10:54,640
Most importantly, executives finally get a model they can scale because people are actually

1394
01:10:54,640 --> 01:10:55,640
using it.

1395
01:10:55,640 --> 01:10:58,160
So, for the next 30 days, don't try to fix everything.

1396
01:10:58,160 --> 01:11:01,680
Just fix the one flow where the business keeps colliding with the rules.

1397
01:11:01,680 --> 01:11:05,120
Measure the friction, find the bypass and redesign the mechanic.

1398
01:11:05,120 --> 01:11:06,840
Then watch the behavior change on its own.

1399
01:11:06,840 --> 01:11:10,460
When the safe path finally becomes the fast path, governance stops being a slogan and

1400
01:11:10,460 --> 01:11:11,860
starts becoming a reality.

1401
01:11:11,860 --> 01:11:15,800
If you audited your own governance flows the same way you audit your technical systems,

1402
01:11:15,800 --> 01:11:16,800
what would you find?

1403
01:11:16,800 --> 01:11:20,680
Is that system designed to support the people inside it or is it just a single point of failure

1404
01:11:20,680 --> 01:11:22,200
waiting to happen?

1405
01:11:22,200 --> 01:11:23,200
Unifying shift.

1406
01:11:23,200 --> 01:11:25,040
Stop treating governance as enforcement.

1407
01:11:25,040 --> 01:11:28,160
We can reduce this entire conversation to one unifying shift.

1408
01:11:28,160 --> 01:11:30,840
You have to stop treating governance as enforcement.

1409
01:11:30,840 --> 01:11:34,440
That framing might sound like a small tweak in language, but it changes almost every

1410
01:11:34,440 --> 01:11:36,320
outcome in your organization.

1411
01:11:36,320 --> 01:11:40,320
When governance is framed as enforcement, the business quietly turns it into a downstream

1412
01:11:40,320 --> 01:11:44,640
function that exists only to review, block or tell people what they should have done three

1413
01:11:44,640 --> 01:11:46,120
weeks ago.

1414
01:11:46,120 --> 01:11:49,680
Once governance takes that shape, leaders start measuring the wrong things entirely.

1415
01:11:49,680 --> 01:11:53,840
They ask if the rule exists, if the exception was documented or if the control can be shown

1416
01:11:53,840 --> 01:11:57,720
during an audit, but none of those metrics tell you if the environment is actually governable

1417
01:11:57,720 --> 01:11:59,920
when things get busy.

1418
01:11:59,920 --> 01:12:03,760
Enforcement can prove that a rule was present on paper, but it cannot prove that the system

1419
01:12:03,760 --> 01:12:06,680
was actually followable for the person trying to do their job.

1420
01:12:06,680 --> 01:12:08,200
That is the critical distinction.

1421
01:12:08,200 --> 01:12:12,560
If the people inside the system are constantly avoiding the governed path, then your governance

1422
01:12:12,560 --> 01:12:16,840
is failing, even if the policy looks complete and the ownership matrix was approved by the

1423
01:12:16,840 --> 01:12:17,840
board.

1424
01:12:17,840 --> 01:12:20,240
Governance isn't successful just because it exists in a handbook.

1425
01:12:20,240 --> 01:12:24,560
It is only successful when it shapes normal behavior at scale without requiring a manual.

1426
01:12:24,560 --> 01:12:28,320
This is exactly why AI has become such an uncomfortable mirror for leadership teams

1427
01:12:28,320 --> 01:12:29,320
lately.

1428
01:12:29,320 --> 01:12:32,600
When copilot suddenly exposes sensitive content that people didn't realize they could

1429
01:12:32,600 --> 01:12:36,600
reach, it's very tempting to label that as an AI problem, but it isn't.

1430
01:12:36,600 --> 01:12:40,720
It's an exposure problem that was finally made visible through a better interface.

1431
01:12:40,720 --> 01:12:41,920
The weakness was already there.

1432
01:12:41,920 --> 01:12:45,920
The permissions were already broken and the ownership gaps were already wide open, but

1433
01:12:45,920 --> 01:12:49,800
AI simply removed the illusion that hidden access was harmless.

1434
01:12:49,800 --> 01:12:53,080
The same pattern shows up every time we look at workflow friction.

1435
01:12:53,080 --> 01:12:56,960
If your control slowed down delivery, the business will eventually root around them to

1436
01:12:56,960 --> 01:12:57,960
get things done.

1437
01:12:57,960 --> 01:13:01,680
This doesn't happen because the people inside the system are careless or lazy, but because

1438
01:13:01,680 --> 01:13:05,400
the system is asking them to choose between progress and compliance in moments where

1439
01:13:05,400 --> 01:13:06,640
both feel urgent.

1440
01:13:06,640 --> 01:13:09,000
That isn't a character flaw in your employees.

1441
01:13:09,000 --> 01:13:10,840
It's a design flaw in your architecture.

1442
01:13:10,840 --> 01:13:14,480
Because of this, better governance often feels lighter to the end user.

1443
01:13:14,480 --> 01:13:18,320
That can confuse people at first, especially in regulated or security heavy environments

1444
01:13:18,320 --> 01:13:22,520
where seriousness is usually expressed through more reviews and more visible hurdles.

1445
01:13:22,520 --> 01:13:24,000
But lighter does not mean weaker.

1446
01:13:24,000 --> 01:13:27,760
It means you've reduced ambiguity, you've cut down on waiting, and you've stopped asking

1447
01:13:27,760 --> 01:13:30,400
for repeated interpretations of the same rule.

1448
01:13:30,400 --> 01:13:34,520
Social work can finally move forward without asking people to manually bridge the gap between

1449
01:13:34,520 --> 01:13:38,040
policy and action every single time they open a document.

1450
01:13:38,040 --> 01:13:40,200
That is what stronger governance actually looks like.

1451
01:13:40,200 --> 01:13:42,080
It doesn't succeed because it asks for less.

1452
01:13:42,080 --> 01:13:45,880
It succeeds because it depends less on every single person exhibiting perfect behavior

1453
01:13:45,880 --> 01:13:46,960
every single day.

1454
01:13:46,960 --> 01:13:51,080
From a system perspective, good governance is the architecture of safe scale.

1455
01:13:51,080 --> 01:13:54,920
It creates the conditions where ordinary work stays inside, visible, accountable, and

1456
01:13:54,920 --> 01:13:58,240
reviewable paths without needing constant human intervention.

1457
01:13:58,240 --> 01:14:02,480
It uses defaults, identity and zone control to absorb the pressure that would otherwise

1458
01:14:02,480 --> 01:14:06,400
leak into shadow IT, stale access, and unmanage delegation.

1459
01:14:06,400 --> 01:14:08,320
So let me put that more directly for you.

1460
01:14:08,320 --> 01:14:10,040
Governance is not the department of no.

1461
01:14:10,040 --> 01:14:14,840
It is the design of how your organization says yes safely, repeatedly, and at speed.

1462
01:14:14,840 --> 01:14:17,960
Once leaders see it through that lens, the whole conversation matures.

1463
01:14:17,960 --> 01:14:21,360
The question is no longer about how to force better compliance through sheer will.

1464
01:14:21,360 --> 01:14:25,040
Instead, the question becomes, where does the system still make safe behavior harder

1465
01:14:25,040 --> 01:14:26,880
than unsafe behavior?

1466
01:14:26,880 --> 01:14:29,600
Where is friction still teaching our people the wrong lesson?

1467
01:14:29,600 --> 01:14:32,760
Where is our control still detached from the actual flow of work?

1468
01:14:32,760 --> 01:14:37,640
Where is AI exposing access that the business never truly meant to operationalize in the first

1469
01:14:37,640 --> 01:14:38,640
place?

1470
01:14:38,640 --> 01:14:39,640
Those are executive questions.

1471
01:14:39,640 --> 01:14:42,320
They aren't admin tasks dressed up for the boardroom.

1472
01:14:42,320 --> 01:14:46,360
They are fundamental questions about operating design, structural resilience, and business

1473
01:14:46,360 --> 01:14:50,280
reality under cloud conditions that move faster every quarter.

1474
01:14:50,280 --> 01:14:53,800
If this episode leaves you with one shift, let it be this.

1475
01:14:53,800 --> 01:14:58,080
Stop looking at governance as a set of restrictions you impose on top of work.

1476
01:14:58,080 --> 01:15:02,720
Start looking at it as the architecture that determines whether safe scale is even possible.

1477
01:15:02,720 --> 01:15:06,600
Because once governance is reduced to enforcement, it always arrives too late, and by the time

1478
01:15:06,600 --> 01:15:11,120
it gets there, the business has usually already found a different path.

1479
01:15:11,120 --> 01:15:13,480
Or did the system not just the policy?

1480
01:15:13,480 --> 01:15:17,440
Governance fails when organizations define the rules but never design a system that people

1481
01:15:17,440 --> 01:15:19,280
can actually follow under real pressure.

1482
01:15:19,280 --> 01:15:23,040
In the next 30 days, I want you to pick one governance flow and find a way to make the

1483
01:15:23,040 --> 01:15:24,680
safe path the fast path.

1484
01:15:24,680 --> 01:15:28,720
If you want more conversations like this, subscribe to the M365FM podcast, leave a review

1485
01:15:28,720 --> 01:15:33,120
and connect with me on LinkedIn to tell me where governance in your organization is still

1486
01:15:33,120 --> 01:15:34,880
a single point of failure.

1487
01:15:34,880 --> 01:15:38,960
If you audited your system the same way you audited your policy, what would you find?

1488
01:15:38,960 --> 01:15:42,960
And more importantly, is that system designed to sustain your growth or is it slowly draining

1489
01:15:42,960 --> 01:15:44,000
your speed over time?