1
00:00:00,000 --> 00:00:05,480
Hello, my name is Mirko Peters and I translate how technology actually shapes business reality.

2
00:00:05,480 --> 00:00:10,320
Most Microsoft 365 environments look perfectly healthy from the outside because teams is active,

3
00:00:10,320 --> 00:00:15,200
SharePoint usage is climbing and people are collaborating without any red lights or outages.

4
00:00:15,200 --> 00:00:20,960
Because everything seems to be running smoothly, leaders often make a quiet assumption that if the system works, it must be under control.

5
00:00:20,960 --> 00:00:23,400
That assumption is exactly where risk starts.

6
00:00:23,400 --> 00:00:27,160
In most organizations, the tenant you see is only the visible layer,

7
00:00:27,160 --> 00:00:29,600
while something much more complex sits underneath it.

8
00:00:29,600 --> 00:00:34,760
You have drifted permissions, workspaces with no owners and external sharing that nobody ever reviews.

9
00:00:34,760 --> 00:00:40,480
Sensitive files exist without labels or life cycles, leaving no real evidence trail for anyone to follow.

10
00:00:40,480 --> 00:00:46,360
In this episode, I want to show you the hidden tenant that is already shaping your security, compliance and AI risk.

11
00:00:46,360 --> 00:00:51,560
Productivity success without structural visibility does not actually remove your risk.

12
00:00:51,560 --> 00:00:55,080
It just delays it. The day nothing broke and risk still surfaced.

13
00:00:55,080 --> 00:01:00,480
Let me start with a specific case involving a mid-size company of about 2,500 people.

14
00:01:00,480 --> 00:01:07,560
They were experiencing fast growth and strong digital adoption, much like many organizations that accelerated hard during the remote shift.

15
00:01:07,560 --> 00:01:11,280
Microsoft 365 became the center of their work almost overnight,

16
00:01:11,280 --> 00:01:16,640
and teams turned into the meeting room, the project room, and the primary memory of the entire business.

17
00:01:16,640 --> 00:01:21,960
SharePoint grew right along with it as new sites and channels created more places for people to move fast.

18
00:01:21,960 --> 00:01:25,400
From the leadership side, the situation looked like a total success story.

19
00:01:25,400 --> 00:01:31,360
Usage numbers were strong because teams activity had climbed sharply, and SharePoint adoption was up across the board.

20
00:01:31,360 --> 00:01:35,240
Internal sentiment stayed positive since people could finally get their work done,

21
00:01:35,240 --> 00:01:39,400
and there were no major outages or security incidents to report on the board's slides.

22
00:01:39,400 --> 00:01:44,040
No visible disruption hit their daily operations, so the operating conclusion was simple.

23
00:01:44,040 --> 00:01:46,200
The environment is working, but here's the thing.

24
00:01:46,200 --> 00:01:49,960
A system can be highly productive and structurally fragile at the same time.

25
00:01:49,960 --> 00:01:53,880
In this case, the trigger was not a breach, which is an important distinction to make.

26
00:01:53,880 --> 00:01:59,960
Many organizations only learn from impact after the damage becomes obvious, but here, the signal came from a near miss.

27
00:01:59,960 --> 00:02:03,880
A sensitive financial document was shared externally in a way nobody intended,

28
00:02:03,880 --> 00:02:08,440
and while it was caught before turning into a reportable incident, the close call changed everything.

29
00:02:08,440 --> 00:02:10,560
Technically, nothing catastrophic happened that day.

30
00:02:10,560 --> 00:02:14,600
Once they looked closely at the infrastructure, the picture changed very fast.

31
00:02:14,600 --> 00:02:18,280
They discovered that 42% of their teams had no active owner.

32
00:02:18,280 --> 00:02:20,920
Think about what that means from a control perspective for a moment.

33
00:02:20,920 --> 00:02:24,920
Having no active owner means no one is clearly responsible for membership reviews,

34
00:02:24,920 --> 00:02:27,400
sharing permissions, or life cycle decisions.

35
00:02:27,400 --> 00:02:31,960
The collaboration space remains alive and the risk remains alive, but the accountability is completely gone.

36
00:02:31,960 --> 00:02:34,040
Then they turned their attention to SharePoint.

37
00:02:34,040 --> 00:02:37,560
58% of their SharePoint sites had external sharing enabled.

38
00:02:37,560 --> 00:02:41,960
External sharing is not automatically a bad thing, and it often meets a valid business need

39
00:02:41,960 --> 00:02:43,960
when working with partners or contractors.

40
00:02:43,960 --> 00:02:47,640
However, when more than half of your sites allow it, without a strong review discipline,

41
00:02:47,640 --> 00:02:49,400
it stops being a collaboration feature.

42
00:02:49,400 --> 00:02:50,760
It becomes an exposure pattern.

43
00:02:50,760 --> 00:02:52,200
Then they checked their labeling coverage.

44
00:02:52,200 --> 00:02:56,120
Only 18% of their documents had any sensitivity labels attached to them.

45
00:02:56,120 --> 00:03:00,280
The documented compliance posture looked one way, but the enforced reality looked very different.

46
00:03:00,280 --> 00:03:04,520
Policies and intent existed in the handbook, and the idea of control was there in spirit,

47
00:03:04,520 --> 00:03:09,080
but broad parts of the actual content layer were operating entirely outside the control plane.

48
00:03:09,080 --> 00:03:12,520
Then they found one of the most common signs of hidden governance failure.

49
00:03:12,520 --> 00:03:15,880
Audit logs were not being reviewed as a normal part of their operating practice.

50
00:03:15,880 --> 00:03:19,800
They weren't checking logs after incidents or during recurring governance reviews,

51
00:03:19,800 --> 00:03:22,440
and they certainly weren't using them to build evidence.

52
00:03:22,440 --> 00:03:27,320
The capability existed in theory, but in practice, the organization was not asking the basic questions

53
00:03:27,320 --> 00:03:28,920
that structural control depends on.

54
00:03:28,920 --> 00:03:32,200
They didn't know who accessed what wear-sensitive data was moving,

55
00:03:32,200 --> 00:03:34,440
or which external shares were still valid.

56
00:03:34,440 --> 00:03:35,960
So let's pause on that for a second.

57
00:03:35,960 --> 00:03:38,120
There was no outage and no headline breach.

58
00:03:38,120 --> 00:03:40,440
Adoption was good, and the users were happy.

59
00:03:40,440 --> 00:03:43,400
Underneath all of that, the tenant had drifted away from control.

60
00:03:43,400 --> 00:03:47,320
This clicked for me years ago because I kept seeing the same pattern in different forms.

61
00:03:47,320 --> 00:03:49,720
Leaders were reading activity as evidence of health,

62
00:03:49,720 --> 00:03:51,720
but activity is not the same thing as control.

63
00:03:51,720 --> 00:03:54,440
High activity can actually hide weak control for a long time,

64
00:03:54,440 --> 00:03:59,160
because the visible layer keeps producing value while the hidden layer keeps accumulating risk.

65
00:03:59,160 --> 00:04:01,480
That is why I use the phrase "invisible tenant".

66
00:04:01,480 --> 00:04:05,000
The tenant executives think they are managing is usually just the visible one.

67
00:04:05,000 --> 00:04:07,480
The real tenant is defined by ownership gaps,

68
00:04:07,480 --> 00:04:11,480
permissions inheritance, unlabeled content, and weak evidence habits.

69
00:04:11,480 --> 00:04:14,600
In this company, nothing was broken, and that was the real problem.

70
00:04:14,600 --> 00:04:16,680
The operating model had quietly shifted from

71
00:04:16,680 --> 00:04:19,080
governed collaboration to tolerated drift,

72
00:04:19,080 --> 00:04:21,640
but because no visible pain forced the question,

73
00:04:21,640 --> 00:04:24,120
the hidden gaps stayed hidden, and why is that?

74
00:04:24,120 --> 00:04:27,160
Because visible activity is never the same thing as structural control.

75
00:04:27,160 --> 00:04:29,400
The iceberg model of the tenant.

76
00:04:29,400 --> 00:04:33,560
So let me take one step back, because this is where the picture usually becomes clear for most leaders.

77
00:04:33,560 --> 00:04:38,600
Most organizations manage Microsoft 365 as if the tenant is only the visible part of the experience,

78
00:04:38,600 --> 00:04:42,040
focusing on team's adoption, email flow, and file activity.

79
00:04:42,040 --> 00:04:45,080
They look at meetings or a few dashboard trends from the admin center

80
00:04:45,080 --> 00:04:47,640
and see movement, usage, and service continuity.

81
00:04:47,640 --> 00:04:49,880
From an executive distance, that feels like control,

82
00:04:49,880 --> 00:04:51,960
because those are the things the business can actually see.

83
00:04:51,960 --> 00:04:54,600
But the tenant does not behave based on what is visible.

84
00:04:54,600 --> 00:04:56,600
It behaves based on what sits underneath.

85
00:04:56,600 --> 00:04:58,920
That is why the best mental model here is an iceberg,

86
00:04:58,920 --> 00:05:03,000
where the top layer above the surface represents the visible part of your infrastructure.

87
00:05:03,000 --> 00:05:05,400
Teams files meetings, email usage reports,

88
00:05:05,400 --> 00:05:09,080
adoption dashboards, everyone talks about this part because it is easy to observe,

89
00:05:09,080 --> 00:05:12,760
easy to measure, and very easy to celebrate during a quarterly review.

90
00:05:12,760 --> 00:05:15,160
It is the layer where productivity shows up,

91
00:05:15,160 --> 00:05:20,040
and it is also where funding decisions usually happen because visible usage creates visible confidence.

92
00:05:20,040 --> 00:05:22,840
Now go below the surface, that is where the real mass sits.

93
00:05:22,840 --> 00:05:24,280
Permissions inheritance.

94
00:05:24,280 --> 00:05:26,280
Anonymous or long-lived sharing links.

95
00:05:26,280 --> 00:05:28,360
Onalist teams and SharePoint sites.

96
00:05:28,360 --> 00:05:30,280
Unlabeled documents.

97
00:05:30,280 --> 00:05:32,280
Inactive Microsoft 365 groups.

98
00:05:32,920 --> 00:05:34,440
Stale guest accounts.

99
00:05:34,440 --> 00:05:36,920
Expired projects that never actually expired.

100
00:05:36,920 --> 00:05:40,120
Life cycle rules that exist on paper, but not in operating reality.

101
00:05:40,120 --> 00:05:43,720
This hidden layer matters more because it defines who can access what,

102
00:05:43,720 --> 00:05:45,480
who is accountable for the data,

103
00:05:45,480 --> 00:05:47,720
and whether policy is actually shaping behavior.

104
00:05:47,720 --> 00:05:49,480
When I talk about the invisible tenant,

105
00:05:49,480 --> 00:05:52,680
I am referring to the operational reality below the waterline,

106
00:05:52,680 --> 00:05:55,160
rather than the workspace someone opened this morning.

107
00:05:55,160 --> 00:05:57,560
It is not about the file people collaborated on,

108
00:05:57,560 --> 00:05:59,400
but rather the label, the retention state,

109
00:05:59,400 --> 00:06:01,240
and the share permissions surrounding it.

110
00:06:01,240 --> 00:06:05,640
The ownership and life cycle discipline determine whether a team is still saved six months later.

111
00:06:05,640 --> 00:06:10,280
Yet most executive governance conversations happen almost entirely at the tip of the iceberg.

112
00:06:10,280 --> 00:06:11,480
We fund collaboration.

113
00:06:11,480 --> 00:06:12,600
We measure adoption.

114
00:06:12,600 --> 00:06:14,040
We celebrate usage.

115
00:06:14,040 --> 00:06:15,960
We ask whether the platform is stable.

116
00:06:15,960 --> 00:06:17,240
All of these are good questions,

117
00:06:17,240 --> 00:06:23,720
but they are surface questions that ignore how risk accumulates in the places where ownership drifts and policies lose coverage.

118
00:06:23,720 --> 00:06:27,240
Nobody can easily explain why a person still has access to a workspace

119
00:06:27,240 --> 00:06:30,680
created two years ago for a project that ended 18 months ago.

120
00:06:31,240 --> 00:06:34,440
And this is where many organizations make the wrong diagnosis.

121
00:06:34,440 --> 00:06:38,760
They see oversharing, stale workspaces or poor life cycle hygiene,

122
00:06:38,760 --> 00:06:40,600
and they immediately call it a user problem.

123
00:06:40,600 --> 00:06:42,040
They say people need more training.

124
00:06:42,040 --> 00:06:43,320
They say users are careless.

125
00:06:43,320 --> 00:06:45,400
While that might be partly true structurally,

126
00:06:45,400 --> 00:06:47,160
that is not the main story,

127
00:06:47,160 --> 00:06:49,160
because it is actually a system outcome.

128
00:06:49,160 --> 00:06:52,200
If the environment makes broad sharing easy and ownership optional,

129
00:06:52,200 --> 00:06:53,560
then drift is not a surprise,

130
00:06:53,560 --> 00:06:56,840
but rather the predictable result of the operating design.

131
00:06:56,840 --> 00:06:59,880
The people inside the system are simply responding to convenience

132
00:06:59,880 --> 00:07:01,160
and local incentives,

133
00:07:01,160 --> 00:07:04,200
meaning the tenant is doing exactly what it was set up to do.

134
00:07:04,200 --> 00:07:06,760
It is just not set up for sustained control.

135
00:07:06,760 --> 00:07:09,320
The visible layer can mislead smart people for a long time,

136
00:07:09,320 --> 00:07:11,880
because an iceberg does not announce its mass from the top.

137
00:07:11,880 --> 00:07:14,680
A tenant does not announce its risk from active usage,

138
00:07:14,680 --> 00:07:18,520
and in fact, healthy looking activity can make the hidden layer harder to challenge.

139
00:07:18,520 --> 00:07:20,280
Leaders think they are managing well,

140
00:07:20,280 --> 00:07:21,880
because they are collaborating well,

141
00:07:21,880 --> 00:07:23,320
but those are not the same thing.

142
00:07:23,320 --> 00:07:25,720
You can have strong adoption and weak governance.

143
00:07:25,720 --> 00:07:28,120
You can have platform uptime and control failure.

144
00:07:28,120 --> 00:07:31,320
You can have high collaboration and low auditability.

145
00:07:31,320 --> 00:07:33,000
Once you see the tenant this way,

146
00:07:33,000 --> 00:07:36,120
you stop treating every issue as an isolated misconfiguration

147
00:07:36,120 --> 00:07:38,840
and start seeing a pattern of exposure below visibility.

148
00:07:38,840 --> 00:07:40,840
There is a pattern of governance below reporting

149
00:07:40,840 --> 00:07:42,840
and a pattern of risk below productivity,

150
00:07:42,840 --> 00:07:44,760
which is the reality of the iceberg.

151
00:07:44,760 --> 00:07:47,800
You are managing the tip your exposure sits underneath.

152
00:07:47,800 --> 00:07:51,320
Once we see that, clearly we can stop calling this a user issue

153
00:07:51,320 --> 00:07:53,880
and start treating it like an architectural issue.

154
00:07:53,880 --> 00:07:57,960
Why it works is a dangerous operating signal.

155
00:07:57,960 --> 00:08:01,640
Now map that iceberg to how most organizations judge platform health

156
00:08:01,640 --> 00:08:03,000
by asking a simple question.

157
00:08:03,000 --> 00:08:03,960
Does it work?

158
00:08:03,960 --> 00:08:05,000
Can people send mail?

159
00:08:05,000 --> 00:08:05,800
Can teams meet?

160
00:08:05,800 --> 00:08:06,680
Can files be opened?

161
00:08:06,680 --> 00:08:07,640
Can projects move?

162
00:08:07,640 --> 00:08:08,840
If the answer is yes,

163
00:08:08,840 --> 00:08:10,440
the environment gets marked as healthy,

164
00:08:10,440 --> 00:08:12,120
which makes sense from a service perspective

165
00:08:12,120 --> 00:08:14,760
because uptime and availability definitely matter.

166
00:08:14,760 --> 00:08:15,880
But here is the problem.

167
00:08:15,880 --> 00:08:19,000
Service availability only measures whether the platform is reachable,

168
00:08:19,000 --> 00:08:20,280
not whether it is governed.

169
00:08:20,280 --> 00:08:21,880
Those are two very different conditions.

170
00:08:21,880 --> 00:08:24,840
A tenant can have excellent uptime and terrible control hygiene.

171
00:08:24,840 --> 00:08:26,840
A team can be active and still onalous.

172
00:08:26,840 --> 00:08:29,320
A site can be heavily used and still overshared.

173
00:08:29,320 --> 00:08:31,960
A document can be business critical and still unlabeled.

174
00:08:31,960 --> 00:08:35,560
A sharing model can be convenient and still be structurally fragile.

175
00:08:35,560 --> 00:08:38,040
When leaders use it works as the operating signal,

176
00:08:38,040 --> 00:08:41,400
they are measuring visible continuity rather than actual control.

177
00:08:41,400 --> 00:08:45,160
Visible continuity is one of the easiest places for hidden risk to hide.

178
00:08:45,160 --> 00:08:48,360
And this is where many well-intentioned governance conversations go wrong.

179
00:08:48,360 --> 00:08:50,840
Business teams usually judge the environment by speed,

180
00:08:50,840 --> 00:08:52,520
so if collaboration is faster,

181
00:08:52,520 --> 00:08:54,040
the system feels like a success.

182
00:08:54,040 --> 00:08:56,520
Security teams often judge the environment by incidents,

183
00:08:56,520 --> 00:08:59,800
meaning if nothing major has happened yet, the system feels acceptable.

184
00:08:59,800 --> 00:09:02,520
Both perspectives miss the same thing, which is silent drift.

185
00:09:02,520 --> 00:09:05,880
Governance failure rarely announces itself as a dramatic event at the beginning,

186
00:09:05,880 --> 00:09:08,920
but instead starts as a slow accumulation of small issues.

187
00:09:08,920 --> 00:09:10,360
One inherited permission,

188
00:09:10,360 --> 00:09:13,560
nobody revisits or one external sharing setting left open

189
00:09:13,560 --> 00:09:15,560
does not create immediate pain on its own.

190
00:09:15,560 --> 00:09:18,280
One project team nobody retires and one label policy

191
00:09:18,280 --> 00:09:21,240
that never reaches the content that matters eventually create a tenant

192
00:09:21,240 --> 00:09:24,120
that feels productive while becoming harder to trust.

193
00:09:24,120 --> 00:09:27,080
That is why I call it works a dangerous operating signal.

194
00:09:27,080 --> 00:09:29,080
It is not because the statement is false,

195
00:09:29,080 --> 00:09:31,880
but because it is incomplete and incomplete signals

196
00:09:31,880 --> 00:09:34,120
are dangerous in executive decision making.

197
00:09:34,120 --> 00:09:37,000
They create a false sense of calm that tells you the platform is functioning,

198
00:09:37,000 --> 00:09:39,320
so you assume the control model is functioning too.

199
00:09:39,320 --> 00:09:41,400
The reason this works for so long is simple.

200
00:09:41,400 --> 00:09:43,960
The consequences of weak governance are usually delayed.

201
00:09:43,960 --> 00:09:46,040
They show up later, they show up during an audit

202
00:09:46,040 --> 00:09:49,320
when nobody can prove how a control is enforced in practice.

203
00:09:49,320 --> 00:09:51,080
They show up when a legal request arrives

204
00:09:51,080 --> 00:09:52,760
and the evidence chain is thin.

205
00:09:52,760 --> 00:09:54,600
They show up when co-pilot is introduced

206
00:09:54,600 --> 00:09:57,240
and suddenly broad access becomes broad discoverability.

207
00:09:57,240 --> 00:10:01,000
They show up when security asks a basic question about data exposure

208
00:10:01,000 --> 00:10:03,560
and the answer is that we think it is covered.

209
00:10:03,560 --> 00:10:06,360
That phrase alone tells you the system is not under control.

210
00:10:06,360 --> 00:10:07,480
If you remember nothing else,

211
00:10:07,480 --> 00:10:10,280
remember that healthy usage does not prove healthy control.

212
00:10:10,280 --> 00:10:13,320
In fact, healthy usage can actively mask unhealthy control

213
00:10:13,320 --> 00:10:16,440
because success at the collaboration layer often reduces the urgency

214
00:10:16,440 --> 00:10:17,800
to inspect the governance layer.

215
00:10:17,800 --> 00:10:20,600
The business sees momentum and IT sees adoption,

216
00:10:20,600 --> 00:10:22,680
so the hidden questions do not get asked

217
00:10:22,680 --> 00:10:24,600
until a near-miss forces attention.

218
00:10:24,600 --> 00:10:26,840
By then, the issue is rarely one bad setting

219
00:10:26,840 --> 00:10:28,920
but rather a pattern of accumulation.

220
00:10:28,920 --> 00:10:31,720
Platform native success metrics like adoption dashboards

221
00:10:31,720 --> 00:10:33,320
or compliance scores are useful,

222
00:10:33,320 --> 00:10:34,920
but they are not enough on their own.

223
00:10:34,920 --> 00:10:36,200
They tell you something happened,

224
00:10:36,200 --> 00:10:38,520
but they do not tell you whether access is appropriate

225
00:10:38,520 --> 00:10:39,880
or whether ownership is active.

226
00:10:39,880 --> 00:10:42,360
They do not show if life cycle controls are applied

227
00:10:42,360 --> 00:10:44,760
or if sensitive data is actually governed where it lives.

228
00:10:44,760 --> 00:10:46,920
A lot of leaders are waiting for a visible incident

229
00:10:46,920 --> 00:10:48,920
to justify a governance conversation,

230
00:10:48,920 --> 00:10:49,960
but that is backwards.

231
00:10:49,960 --> 00:10:52,680
By the time governance failure becomes visible,

232
00:10:52,680 --> 00:10:55,560
it has usually been a structural problem for months or even years.

233
00:10:55,560 --> 00:10:58,840
The real executive shift is to stop treating it works as proof

234
00:10:58,840 --> 00:11:01,000
and start treating it as a starting condition.

235
00:11:01,000 --> 00:11:02,360
The platform works.

236
00:11:02,360 --> 00:11:02,840
Good.

237
00:11:02,840 --> 00:11:04,520
Now ask whether it is under control,

238
00:11:04,520 --> 00:11:06,200
ask whether ownership is current,

239
00:11:06,200 --> 00:11:08,360
ask whether access still reflects business need,

240
00:11:08,360 --> 00:11:10,280
ask whether policy is enforced,

241
00:11:10,280 --> 00:11:11,720
not just documented,

242
00:11:11,720 --> 00:11:14,440
ask whether evidence exists before anyone asks for it.

243
00:11:14,440 --> 00:11:18,120
A functioning collaboration layer can still be a fragile operating environment

244
00:11:18,120 --> 00:11:20,920
and that brings me to the first measurable system outcome.

245
00:11:20,920 --> 00:11:23,720
Permission sprawl index, the risk you already granted.

246
00:11:23,720 --> 00:11:25,320
So let's make this measurable.

247
00:11:25,320 --> 00:11:29,560
The first signal I want executives to track is what I call the permission sprawl index.

248
00:11:29,560 --> 00:11:32,680
Very simply, it is the percentage of people who can access content

249
00:11:32,680 --> 00:11:34,280
beyond their actual business need.

250
00:11:34,280 --> 00:11:36,680
We aren't looking at who actually used that access

251
00:11:36,680 --> 00:11:37,560
or who abused it,

252
00:11:37,560 --> 00:11:39,080
but rather who simply has it.

253
00:11:39,080 --> 00:11:42,760
That distinction matters because most organizations only react to access

254
00:11:42,760 --> 00:11:44,440
once it becomes a full-blown incident.

255
00:11:44,440 --> 00:11:46,200
But from a governance perspective,

256
00:11:46,200 --> 00:11:48,360
access is risk the moment it exists,

257
00:11:48,360 --> 00:11:49,960
not the moment it is exploited.

258
00:11:49,960 --> 00:11:53,000
And this is where the invisible tenant becomes very concrete.

259
00:11:53,000 --> 00:11:54,920
In many Microsoft 365 environments,

260
00:11:54,920 --> 00:11:57,880
somewhere between 35 and 60% of users

261
00:11:57,880 --> 00:12:01,160
can reach sensitive content through inherited permissions,

262
00:12:01,160 --> 00:12:02,520
broad group membership,

263
00:12:02,520 --> 00:12:03,960
old project structures,

264
00:12:03,960 --> 00:12:06,360
or sharing patterns nobody came back to review.

265
00:12:06,360 --> 00:12:09,160
While the exact number will vary by tenant,

266
00:12:09,160 --> 00:12:10,520
the pattern itself does not.

267
00:12:10,520 --> 00:12:13,480
People accumulate access faster than organizations remove it,

268
00:12:13,480 --> 00:12:14,680
and that is a system outcome.

269
00:12:15,240 --> 00:12:16,840
Now some leaders hear that and think,

270
00:12:16,840 --> 00:12:19,320
yes, but if nobody opened the file, where is the issue?

271
00:12:19,320 --> 00:12:20,440
Here's the issue.

272
00:12:20,440 --> 00:12:22,280
Unused access is still exposure.

273
00:12:22,280 --> 00:12:24,600
A permission you forgot about is still a live pathway.

274
00:12:24,600 --> 00:12:26,760
A stale group is still an active control object

275
00:12:26,760 --> 00:12:29,160
and a site permission inherited from a parent structure

276
00:12:29,160 --> 00:12:30,920
still expands the blast radius

277
00:12:30,920 --> 00:12:33,000
even if nobody notices it today.

278
00:12:33,000 --> 00:12:34,680
In an AI-enabled environment,

279
00:12:34,680 --> 00:12:36,040
this gets even more serious

280
00:12:36,040 --> 00:12:39,160
because hidden access becomes discoverable access at speed.

281
00:12:39,160 --> 00:12:41,080
Copilot does not create those permissions

282
00:12:41,080 --> 00:12:42,760
but it reveals the reality of them.

283
00:12:42,760 --> 00:12:44,360
So the old comfort model of,

284
00:12:44,360 --> 00:12:45,880
well, technically they had access,

285
00:12:45,880 --> 00:12:47,800
but nobody would ever find that file

286
00:12:47,800 --> 00:12:49,640
starts to collapse very quickly.

287
00:12:49,640 --> 00:12:50,840
That is not a future problem.

288
00:12:50,840 --> 00:12:53,720
It is a tenant quality problem that already exists.

289
00:12:53,720 --> 00:12:56,040
One of the strongest research signals in the space

290
00:12:56,040 --> 00:12:59,400
is that 95% of Microsoft 365 permissions

291
00:12:59,400 --> 00:13:02,440
often go unused while still expanding the exposure surface.

292
00:13:02,440 --> 00:13:04,440
If most of the permissions inside your environment

293
00:13:04,440 --> 00:13:06,520
are not even needed for day-to-day work,

294
00:13:06,520 --> 00:13:09,640
then the tenant is carrying a huge amount of unnecessary reach.

295
00:13:09,640 --> 00:13:10,760
From a system perspective,

296
00:13:10,760 --> 00:13:12,920
that's not just inefficient, it's fragile

297
00:13:12,920 --> 00:13:14,600
because every unnecessary permission

298
00:13:14,600 --> 00:13:16,120
does four things at once.

299
00:13:16,120 --> 00:13:19,240
It increases overexposure, weakened segregation of access

300
00:13:19,240 --> 00:13:20,840
makes investigations harder,

301
00:13:20,840 --> 00:13:23,560
and widens the blast radius when something goes wrong.

302
00:13:23,560 --> 00:13:25,880
That something could be a bad share,

303
00:13:25,880 --> 00:13:28,280
a compromised account, an internal mistake,

304
00:13:28,280 --> 00:13:30,760
or an AI query that pulls together information

305
00:13:30,760 --> 00:13:33,560
nobody realized set inside the same access boundary.

306
00:13:33,560 --> 00:13:35,080
The reason this works as a metric

307
00:13:35,080 --> 00:13:37,160
is that it translates invisible architecture

308
00:13:37,160 --> 00:13:38,360
into executive language.

309
00:13:38,360 --> 00:13:40,080
If your permissions sprawl index is high

310
00:13:40,080 --> 00:13:42,680
then your business is operating with broad hidden exposure.

311
00:13:42,680 --> 00:13:45,400
That affects trust in the environment, confidence in compliance,

312
00:13:45,400 --> 00:13:47,560
readiness for AI, speed of investigation,

313
00:13:47,560 --> 00:13:49,160
and the cost of cleanup later.

314
00:13:49,160 --> 00:13:50,520
This clicked for me when I realized

315
00:13:50,520 --> 00:13:53,080
that many organizations still think about permissions

316
00:13:53,080 --> 00:13:55,000
as an admin configuration issue.

317
00:13:55,000 --> 00:13:56,920
But permissions are not just technical settings,

318
00:13:56,920 --> 00:13:58,360
they define business reality,

319
00:13:58,360 --> 00:14:01,000
they determine who can see what, act on what, copy what,

320
00:14:01,000 --> 00:14:02,360
and now ask AI about what.

321
00:14:02,360 --> 00:14:04,520
So if permissioning is broad by default,

322
00:14:04,520 --> 00:14:06,920
vague in ownership and rarely reviewed,

323
00:14:06,920 --> 00:14:08,680
then the environment is not secure simply

324
00:14:08,680 --> 00:14:10,440
because no incident has happened yet.

325
00:14:10,440 --> 00:14:12,440
It is permissive and permissive environments

326
00:14:12,440 --> 00:14:14,680
can look calm for a long time until they don't.

327
00:14:14,680 --> 00:14:17,960
If you remember, nothing else from this section, remember this.

328
00:14:17,960 --> 00:14:21,000
The risk you fear tomorrow is often the access

329
00:14:21,000 --> 00:14:22,360
you already granted yesterday.

330
00:14:22,360 --> 00:14:24,120
So when I say permissions sprawl index,

331
00:14:24,120 --> 00:14:26,840
I'm not introducing another vanity metric for a dashboard

332
00:14:26,840 --> 00:14:28,600
and I'm talking about a structural indicator

333
00:14:28,600 --> 00:14:31,320
of whether the tenant has drifted beyond business intent.

334
00:14:31,320 --> 00:14:33,240
Can people access only what they need

335
00:14:33,240 --> 00:14:35,880
or can they access what history, inheritance, convenience,

336
00:14:35,880 --> 00:14:37,400
and neglect have left open?

337
00:14:37,400 --> 00:14:38,760
That is a very different question

338
00:14:38,760 --> 00:14:41,480
and it is one most leadership teams are not routinely asking

339
00:14:41,480 --> 00:14:42,440
but they should be.

340
00:14:42,440 --> 00:14:44,920
Because once access exceeds business need at scale,

341
00:14:44,920 --> 00:14:46,840
control becomes mostly theoretical.

342
00:14:46,840 --> 00:14:49,080
You still have policies, you still have settings

343
00:14:49,080 --> 00:14:51,320
and you still have a security story, but underneath,

344
00:14:51,320 --> 00:14:53,240
the tenant is carrying access exposure

345
00:14:53,240 --> 00:14:55,560
as a normal operating state and access,

346
00:14:55,560 --> 00:14:57,880
unlike intent, compounds quietly.

347
00:14:57,880 --> 00:15:00,600
How permission sprawl becomes a system outcome?

348
00:15:00,600 --> 00:15:01,800
So the next question is obvious,

349
00:15:01,800 --> 00:15:03,320
how does a tenant actually get here?

350
00:15:03,320 --> 00:15:06,360
How do thousands of people end up with more access than they need?

351
00:15:06,360 --> 00:15:10,040
Even when nobody made a conscious decision to build an insecure environment?

352
00:15:10,040 --> 00:15:10,760
And why is that?

353
00:15:10,760 --> 00:15:13,000
Because permission sprawl is usually not created

354
00:15:13,000 --> 00:15:14,520
through one reckless act.

355
00:15:14,520 --> 00:15:16,200
It is produced through normal work.

356
00:15:16,200 --> 00:15:19,160
A new team gets created for a project that starts fast

357
00:15:19,160 --> 00:15:21,560
and someone copies an existing workspace structure

358
00:15:21,560 --> 00:15:25,000
because it is easier than designing clean access from scratch.

359
00:15:25,000 --> 00:15:28,200
A SharePoint site inherits permissions from a broader parent pattern

360
00:15:28,200 --> 00:15:29,800
and external guests get added

361
00:15:29,800 --> 00:15:32,760
because the deadline is real and the approval path is slow.

362
00:15:32,760 --> 00:15:35,240
The project ends but the workspace stays.

363
00:15:35,240 --> 00:15:38,200
The owner changes roles, leaves, or simply stops paying attention.

364
00:15:38,200 --> 00:15:40,200
Nobody comes back to reduce access

365
00:15:40,200 --> 00:15:42,840
because there is no operating rhythm that requires it.

366
00:15:42,840 --> 00:15:44,920
That is how broad access becomes normal,

367
00:15:44,920 --> 00:15:47,000
not through drama but through convenience.

368
00:15:47,000 --> 00:15:48,920
And that is the part most people miss.

369
00:15:48,920 --> 00:15:51,880
Microsoft 365 is optimized for collaboration speed.

370
00:15:51,880 --> 00:15:53,800
It is designed to reduce friction

371
00:15:53,800 --> 00:15:56,040
so people can create, share, and move.

372
00:15:56,040 --> 00:15:59,000
That is useful and in many cases it is exactly why adoption succeeds.

373
00:15:59,000 --> 00:16:01,240
But when convenience is not matched with review,

374
00:16:01,240 --> 00:16:03,560
convenience turns into structural compensation.

375
00:16:03,560 --> 00:16:05,320
People use the easiest path available.

376
00:16:05,320 --> 00:16:07,400
If broad sharing is easier than precise sharing,

377
00:16:07,400 --> 00:16:08,280
broad sharing wins.

378
00:16:08,280 --> 00:16:11,240
If cloning an old team is easier than creating a new one,

379
00:16:11,240 --> 00:16:12,840
copied permissions win.

380
00:16:12,840 --> 00:16:15,720
If requesting a review takes longer than just adding the group,

381
00:16:15,720 --> 00:16:17,400
inherited access wins.

382
00:16:17,400 --> 00:16:19,080
Behavior was not driven by bad intent.

383
00:16:19,080 --> 00:16:20,280
It was driven by environment.

384
00:16:20,280 --> 00:16:22,360
That matters because it changes the leadership response.

385
00:16:22,360 --> 00:16:24,440
If you frame this as a user discipline problem,

386
00:16:24,440 --> 00:16:27,080
you reach for more reminders, more training, and maybe more blame.

387
00:16:27,080 --> 00:16:29,560
But if you look closely, this is a design problem.

388
00:16:29,560 --> 00:16:32,840
The environment keeps rewarding speed at the point of creation

389
00:16:32,840 --> 00:16:35,720
and almost never rewards cleanup at the point of drift.

390
00:16:35,720 --> 00:16:38,040
So drift becomes the default operating pattern.

391
00:16:38,040 --> 00:16:40,520
Then there is the second layer administrative habit,

392
00:16:40,520 --> 00:16:44,360
shared admin practices, legacy groups that nobody fully understands,

393
00:16:44,360 --> 00:16:46,600
service accounts with broad standing access,

394
00:16:46,600 --> 00:16:49,320
old migration artifacts, nested memberships,

395
00:16:49,320 --> 00:16:52,600
and guest accounts that remain long after the original need is gone.

396
00:16:52,600 --> 00:16:54,840
Each one may have had a reason at the time,

397
00:16:54,840 --> 00:16:57,000
but over time these fragments stack.

398
00:16:57,000 --> 00:16:59,320
And once they stack, visibility drops fast.

399
00:16:59,320 --> 00:17:02,600
Now you have a tenant where access is not only broad, it is opaque.

400
00:17:02,600 --> 00:17:04,440
An opaque access is hard to challenge

401
00:17:04,440 --> 00:17:07,080
because nobody wants to touch what nobody fully understands.

402
00:17:07,080 --> 00:17:08,920
So the system keeps carrying permissions forward,

403
00:17:08,920 --> 00:17:12,440
not because they are trusted, but because they are risky to remove without evidence.

404
00:17:12,440 --> 00:17:14,280
That is how history becomes exposure.

405
00:17:14,280 --> 00:17:17,400
This is where the phrase "single point of failure" becomes useful.

406
00:17:17,400 --> 00:17:19,960
A lot of leaders think about single points of failure

407
00:17:19,960 --> 00:17:22,440
in terms of a person, a server, or a process.

408
00:17:22,440 --> 00:17:25,240
But in Microsoft 365, one badly-scoped permission

409
00:17:25,240 --> 00:17:27,720
can become a distributed single point of failure.

410
00:17:27,720 --> 00:17:31,240
One inherited access path can scale farther than one bad actor,

411
00:17:31,240 --> 00:17:34,280
and one stale group can connect people to content across sides

412
00:17:34,280 --> 00:17:35,720
they were never meant to reach.

413
00:17:35,720 --> 00:17:38,840
From a system perspective, that is not a small admin issue.

414
00:17:38,840 --> 00:17:41,000
It is latent infrastructure risk.

415
00:17:41,000 --> 00:17:43,320
And because the collaboration layer still works,

416
00:17:43,320 --> 00:17:46,440
nobody feels the need to redesign the access model in the moment.

417
00:17:46,440 --> 00:17:50,200
The system appears productive, therefore the hidden permission model remains untouched

418
00:17:50,200 --> 00:17:51,720
until AI enters the picture.

419
00:17:51,720 --> 00:17:54,520
Then the same sprawl that felt harmless becomes visible all at once

420
00:17:54,520 --> 00:17:57,720
because discoverability increases, query speed increases,

421
00:17:57,720 --> 00:18:01,960
and the gap between intended access and actual access becomes much harder to ignore.

422
00:18:01,960 --> 00:18:05,000
So if you want the simplest explanation for permission sprawl, here it is.

423
00:18:05,000 --> 00:18:09,480
Fast workspace creation plus low friction sharing plus weak review loops

424
00:18:09,480 --> 00:18:10,840
equals broad access over time.

425
00:18:10,840 --> 00:18:11,800
That is the formula.

426
00:18:11,800 --> 00:18:14,760
Not malice, not incompetence, and not one careless employee.

427
00:18:14,760 --> 00:18:15,880
It's a system outcome.

428
00:18:15,880 --> 00:18:18,200
And once you see it that way, the response changes.

429
00:18:18,200 --> 00:18:20,840
You stop asking who caused this, and you start asking

430
00:18:20,840 --> 00:18:23,080
what in the environment keeps producing this result.

431
00:18:23,080 --> 00:18:25,240
Because if the result is predictable,

432
00:18:25,240 --> 00:18:27,800
then the real issue is not the person inside the system.

433
00:18:27,800 --> 00:18:29,400
It is the operating model around them.

434
00:18:29,400 --> 00:18:33,560
Now map that to how we work today when new collaboration spaces appear every single week.

435
00:18:33,560 --> 00:18:35,000
Time to control lag.

436
00:18:35,000 --> 00:18:37,720
The window where governance does not exist yet.

437
00:18:37,720 --> 00:18:39,720
Once you see how access spreads,

438
00:18:39,720 --> 00:18:41,800
the next problem becomes even more uncomfortable.

439
00:18:41,800 --> 00:18:43,960
Even if you cleaned up every bad permission today,

440
00:18:43,960 --> 00:18:47,720
many organizations are still creating new exposure faster than they can control it.

441
00:18:47,720 --> 00:18:51,480
This is where I'd introduce a second metric every executive team should know.

442
00:18:51,480 --> 00:18:52,760
Time to control lag.

443
00:18:53,320 --> 00:18:56,520
Very simply, this is the amount of time between a workspace being created

444
00:18:56,520 --> 00:18:59,720
and that workspace actually falling under a real governance enforcement.

445
00:18:59,720 --> 00:19:04,440
I am not talking about theoretical governance or a policy document tucked away in a folder.

446
00:19:04,440 --> 00:19:08,040
I am not talking about the admin assumption that we have standards either.

447
00:19:08,040 --> 00:19:10,520
I mean, the specific point at which the space has an owner,

448
00:19:10,520 --> 00:19:14,120
a classification, a life cycle path, and an access review expectation.

449
00:19:14,120 --> 00:19:17,720
In a lot of tenants, that lag sits somewhere between 30 and 90 days,

450
00:19:17,720 --> 00:19:19,480
and sometimes it lasts even longer.

451
00:19:19,480 --> 00:19:22,120
Now think about what that means in business reality.

452
00:19:22,120 --> 00:19:27,720
The first days and weeks of a new team, site, or project space are usually the most intense

453
00:19:27,720 --> 00:19:31,400
because that is when people upload the first files, add members fast,

454
00:19:31,400 --> 00:19:33,560
and invite externals to build momentum.

455
00:19:33,560 --> 00:19:36,920
It is a high concentration period where information moves quickly,

456
00:19:36,920 --> 00:19:38,520
decisions happen in real time,

457
00:19:38,520 --> 00:19:41,880
and the collaboration space becomes operational memory almost immediately.

458
00:19:41,880 --> 00:19:44,520
But governance often arrives later if it arrives at all.

459
00:19:44,520 --> 00:19:47,000
The environment is productive first and govern second,

460
00:19:47,000 --> 00:19:51,480
which creates a massive problem because risk is highest exactly when control is weakest.

461
00:19:51,480 --> 00:19:54,600
That is the hidden window most organizations do not measure.

462
00:19:54,600 --> 00:19:58,200
A new team appears, people get to work, content starts piling up,

463
00:19:58,200 --> 00:20:00,040
and membership expands rapidly.

464
00:20:00,040 --> 00:20:03,240
Sensitive files land there because the project is real and the pressure is high,

465
00:20:03,240 --> 00:20:06,360
so nobody is thinking in that moment about future auditability.

466
00:20:06,360 --> 00:20:11,240
Then maybe weeks later someone checks naming conventions or a classification finally gets added.

467
00:20:11,240 --> 00:20:14,040
Maybe an owner review happens or a life cycle rule gets discussed,

468
00:20:14,040 --> 00:20:17,080
but by that point the space has already become active infrastructure.

469
00:20:17,080 --> 00:20:18,920
The risk window has already existed.

470
00:20:18,920 --> 00:20:23,720
This is why time to control lag matters more than many beautifully written governance policies.

471
00:20:23,720 --> 00:20:26,360
A policy you enforce after the fact is not prevention,

472
00:20:26,360 --> 00:20:27,960
it is just delayed administration.

473
00:20:27,960 --> 00:20:33,160
This clicked for me when I realized many leadership teams talk about governance maturity

474
00:20:33,160 --> 00:20:35,960
as if the existence of a policy equals the presence of control.

475
00:20:35,960 --> 00:20:37,720
But structurally that is not true.

476
00:20:37,720 --> 00:20:41,160
If your tenant allows rapid creation and slow governance attachment,

477
00:20:41,160 --> 00:20:44,120
then the operating model contains a built-in exposure gap.

478
00:20:44,120 --> 00:20:47,240
The system is saying yes to collaboration before it says yes to control,

479
00:20:47,240 --> 00:20:51,000
because people are busy that order rarely gets corrected on its own.

480
00:20:51,000 --> 00:20:52,840
There is also a compounding effect here.

481
00:20:52,840 --> 00:20:55,720
One unmanaged workspace is a small issue,

482
00:20:55,720 --> 00:21:01,560
but hundreds of newly created workspaces every quarter each carrying a 30-90-day control lag

483
00:21:01,560 --> 00:21:03,000
become a systemic issue.

484
00:21:03,000 --> 00:21:06,120
Now the tenant is not just struggling with old drift.

485
00:21:06,120 --> 00:21:09,320
It is continuously manufacturing fresh governance dead,

486
00:21:09,320 --> 00:21:11,320
that debt shows up in very practical ways.

487
00:21:11,320 --> 00:21:14,120
Sensitive content lands in unclassified spaces.

488
00:21:14,120 --> 00:21:16,280
External sharing happens before review,

489
00:21:16,280 --> 00:21:18,360
and owners are assigned loosely or not at all.

490
00:21:18,360 --> 00:21:21,080
When someone finally asks if a space is governed,

491
00:21:21,080 --> 00:21:22,920
the honest answer is often not yet.

492
00:21:22,920 --> 00:21:26,040
That phrase should worry leadership more than it usually does,

493
00:21:26,040 --> 00:21:30,200
because not yet in a live environment means you are exposed during peak usage.

494
00:21:30,200 --> 00:21:33,240
From a business perspective, that creates a dangerous mismatch.

495
00:21:33,240 --> 00:21:37,400
Leaders think growth is succeeding because new spaces help the business move faster.

496
00:21:37,400 --> 00:21:41,320
And while that part is true, growth is also multiplying unmanaged risk at the same time.

497
00:21:41,320 --> 00:21:44,280
So time to control lag is not just an admin metric,

498
00:21:44,280 --> 00:21:48,120
it is a growth metric, it tells you whether your control model can keep up with the way your

499
00:21:48,120 --> 00:21:49,400
organization actually works.

500
00:21:49,400 --> 00:21:53,000
If it can't, then the tenant is expanding faster than it is being governed.

501
00:21:53,000 --> 00:21:57,480
That means your productivity story is quietly carrying an unmanaged exposure story inside it,

502
00:21:57,480 --> 00:22:00,520
and this is where it becomes relevant for anyone responsible for growth.

503
00:22:00,520 --> 00:22:03,320
Why fast growth outruns control?

504
00:22:03,320 --> 00:22:04,680
Let's stay with that point for a moment,

505
00:22:04,680 --> 00:22:07,240
because this is where many organizations misread success.

506
00:22:07,240 --> 00:22:10,200
Microsoft 365 is built for low friction adoption,

507
00:22:10,200 --> 00:22:12,040
which is one of its greatest strengths.

508
00:22:12,040 --> 00:22:16,120
A team can create a workspace quickly, a department can launch a site in minutes,

509
00:22:16,120 --> 00:22:20,200
and a project can start collaborating before anyone books a governance workshop.

510
00:22:20,200 --> 00:22:22,280
From a productivity perspective that feels efficient,

511
00:22:22,280 --> 00:22:25,640
but from a control perspective, it creates a structural imbalance.

512
00:22:25,640 --> 00:22:27,880
The reason is simple, growth happens in real time,

513
00:22:27,880 --> 00:22:30,120
while governance usually arrives as a retrofit.

514
00:22:30,120 --> 00:22:32,760
Retrofits are always slower than creation.

515
00:22:32,760 --> 00:22:35,880
That is not a Microsoft problem first, it is an operating model problem.

516
00:22:35,880 --> 00:22:39,160
Most organizations still govern as if collaboration environments

517
00:22:39,160 --> 00:22:42,760
grow slowly in predictable waves with central oversight close behind.

518
00:22:42,760 --> 00:22:44,920
But that is not how modern work behaves.

519
00:22:44,920 --> 00:22:48,760
Work now expands through projects cross-functional teams and urgent initiatives

520
00:22:48,760 --> 00:22:51,880
because the business needs motion now, not after a review cycle.

521
00:22:51,880 --> 00:22:54,600
Now map that to how many control models still work today.

522
00:22:54,600 --> 00:22:57,800
You see manual approval, manual classification, manual review,

523
00:22:57,800 --> 00:22:59,480
and manual ownership checks.

524
00:22:59,480 --> 00:23:01,800
That might work when space creation is limited,

525
00:23:01,800 --> 00:23:06,760
but it breaks when the collaboration graph expands faster than the people assigned to govern it.

526
00:23:06,760 --> 00:23:10,520
Control capacity does not scale at the same speed as workspace creation,

527
00:23:10,520 --> 00:23:12,680
unless automation is part of the design.

528
00:23:12,680 --> 00:23:16,200
This is where remote work changed the equation for a lot of tenants.

529
00:23:16,200 --> 00:23:18,520
During periods of fast digital acceleration,

530
00:23:18,520 --> 00:23:22,200
Microsoft 365 became the operating layer for almost everything.

531
00:23:22,200 --> 00:23:23,960
Meetings moved there, files moved there,

532
00:23:23,960 --> 00:23:27,720
and decisions moved there, then mergers and AI pilots added even more complexities.

533
00:23:27,720 --> 00:23:30,040
Suddenly the number of places where work could begin,

534
00:23:30,040 --> 00:23:32,840
multiplied faster than the governance model could adapt.

535
00:23:32,840 --> 00:23:35,640
The tenant kept growing, but control did not grow with it.

536
00:23:35,640 --> 00:23:38,840
When that happens, organizations start depending on structural compensation.

537
00:23:38,840 --> 00:23:40,920
They assume managers will own what they create,

538
00:23:40,920 --> 00:23:43,640
they assume users will classify content properly,

539
00:23:43,640 --> 00:23:47,240
and they assume old spaces will get cleaned up when they are no longer needed.

540
00:23:47,240 --> 00:23:50,120
These assumptions feel reasonable until volume rises,

541
00:23:50,120 --> 00:23:51,720
and then they become fantasy.

542
00:23:51,720 --> 00:23:54,920
Research in this area shows the same pattern in other domains,

543
00:23:54,920 --> 00:23:57,480
where disconnected tooling and automation spread,

544
00:23:57,480 --> 00:23:58,840
weaken full enforcement.

545
00:23:58,840 --> 00:24:03,320
The fragmented control model cannot keep pace with a fast-moving collaboration estate.

546
00:24:03,320 --> 00:24:06,600
One team is looking at identities while another is looking at retention

547
00:24:06,600 --> 00:24:08,680
and another owns provisioning scripts.

548
00:24:08,680 --> 00:24:10,440
Each part may work on its own,

549
00:24:10,440 --> 00:24:13,160
but the environment between them drifts.

550
00:24:13,160 --> 00:24:16,360
Growth does not just add more workspaces, it adds more seams.

551
00:24:16,360 --> 00:24:18,680
Unmanaged seams are where governance fails first.

552
00:24:18,680 --> 00:24:22,680
This is why I keep saying the system is doing exactly what it was designed to do.

553
00:24:22,680 --> 00:24:24,920
It was designed to help people start working quickly,

554
00:24:24,920 --> 00:24:27,080
but it was not designed to preserve your old,

555
00:24:27,080 --> 00:24:30,040
slower human-review-based control model at scale.

556
00:24:30,040 --> 00:24:31,480
That distinction matters.

557
00:24:31,480 --> 00:24:36,280
If leaders keep expecting manual governance to control exponential collaboration growth,

558
00:24:36,280 --> 00:24:38,760
they are effectively asking a legacy operating habit

559
00:24:38,760 --> 00:24:40,920
to govern a modern-cloud reality.

560
00:24:40,920 --> 00:24:44,600
From a system perspective, that's not just unrealistic, it's fragile.

561
00:24:44,600 --> 00:24:46,120
Once fragility becomes normal,

562
00:24:46,120 --> 00:24:48,440
teams stop trying to achieve full control

563
00:24:48,440 --> 00:24:50,280
and start aiming for partial visibility.

564
00:24:50,280 --> 00:24:52,280
They settle for a few reports, a few reviews,

565
00:24:52,280 --> 00:24:55,880
and a few sensitive sites under closer watch while the wider tenant keeps moving.

566
00:24:55,880 --> 00:24:58,280
The organization develops confidence in pockets,

567
00:24:58,280 --> 00:25:00,680
while exposure spreads in the gaps.

568
00:25:00,680 --> 00:25:02,040
Fast growth is not neutral.

569
00:25:02,040 --> 00:25:05,720
In an under-instrumented tenant, it is a force multiplier for drift.

570
00:25:05,720 --> 00:25:09,080
You end up with more spaces, more permissions, more guests,

571
00:25:09,080 --> 00:25:11,640
and more data copies that nobody has time to revisit.

572
00:25:11,640 --> 00:25:14,120
If you want the executive translation, here it is.

573
00:25:14,120 --> 00:25:18,040
The problem is not that your organization is growing too fast.

574
00:25:18,040 --> 00:25:21,400
The problem is that your control model was never built to keep pace with that growth.

575
00:25:21,400 --> 00:25:22,680
If that stays true,

576
00:25:22,680 --> 00:25:27,640
every new success metric in Microsoft 365 can quietly increase unmanaged risk underneath it.

577
00:25:27,640 --> 00:25:29,640
But even if you close the workspace gap,

578
00:25:29,640 --> 00:25:31,640
there is still one deeper problem.

579
00:25:31,640 --> 00:25:35,160
Compliance visibility gap, the compliance you cannot actually prove.

580
00:25:35,160 --> 00:25:38,200
This is the part many leadership teams find most uncomfortable

581
00:25:38,200 --> 00:25:39,720
because it challenges a common belief.

582
00:25:39,720 --> 00:25:44,040
Most executives think compliance exists simply because a policy exists.

583
00:25:44,040 --> 00:25:45,640
They assume control is real,

584
00:25:45,640 --> 00:25:47,880
because a framework was approved, labels were configured,

585
00:25:47,880 --> 00:25:49,480
and a retention schedule was documented.

586
00:25:49,480 --> 00:25:50,920
If the dashboard looks active,

587
00:25:50,920 --> 00:25:52,760
they assume progress is happening.

588
00:25:52,760 --> 00:25:53,640
But here is the thing.

589
00:25:53,640 --> 00:25:56,760
Compliance that lives in documentation is not the same as compliance

590
00:25:56,760 --> 00:25:58,680
you can prove in operating reality.

591
00:25:58,680 --> 00:26:02,360
That distance between the two is what I call the compliance visibility gap.

592
00:26:02,360 --> 00:26:06,600
It is a system outcome where your intended rules don't match your actual data footprint.

593
00:26:06,600 --> 00:26:10,760
Very simply, this gap represents the percentage of business critical data

594
00:26:10,760 --> 00:26:12,920
not covered by enforceable labels,

595
00:26:12,920 --> 00:26:17,480
life cycle controls, or review practices in the places where that data actually lives.

596
00:26:17,480 --> 00:26:19,800
I'm not talking about where you intended to govern it.

597
00:26:19,800 --> 00:26:21,640
I am talking about where it sits today.

598
00:26:21,640 --> 00:26:25,720
In many organizations, practical coverage is much lower than the policy story suggests.

599
00:26:25,720 --> 00:26:29,720
A common pattern I see is that only 20 to 40% of critical content

600
00:26:29,720 --> 00:26:32,840
is truly governed in a way you can demonstrate with confidence.

601
00:26:32,840 --> 00:26:35,960
The rest sits in a gray zone of unlabeled files,

602
00:26:35,960 --> 00:26:39,720
inactive sites, and old project spaces with no current owner.

603
00:26:39,720 --> 00:26:42,440
These shared documents often outlive their original purpose

604
00:26:42,440 --> 00:26:45,880
but their permissions stay active creating a silent risk surface.

605
00:26:45,880 --> 00:26:48,520
On paper, the organization looks compliant.

606
00:26:48,520 --> 00:26:51,240
In practice, it is partially governed and partially assumed.

607
00:26:51,240 --> 00:26:55,400
This distinction matters because regulators and auditors do not care about your intentions

608
00:26:55,400 --> 00:26:57,640
once the pressure arrives. They care about evidence.

609
00:26:57,640 --> 00:27:00,600
They want to see which rule applied, how it was enforced,

610
00:27:00,600 --> 00:27:02,680
and what happened when that rule was violated.

611
00:27:02,680 --> 00:27:05,160
This is where hidden tenant chaos usually shows up first.

612
00:27:05,160 --> 00:27:06,840
It doesn't always start with a massive breach,

613
00:27:06,840 --> 00:27:10,760
but rather as an inability to answer basic control questions during an audit.

614
00:27:10,760 --> 00:27:13,640
Can you prove sensitive files are labeled where they actually live?

615
00:27:13,640 --> 00:27:17,880
Can you prove retention is active across the collaboration spaces people really use,

616
00:27:17,880 --> 00:27:20,040
rather than just the ones IT remembers?

617
00:27:20,040 --> 00:27:24,200
When I ask these questions, many organizations answer with some version of mostly,

618
00:27:24,200 --> 00:27:28,440
or "rebeliefs oak". From a system perspective, that isn't assurance.

619
00:27:28,440 --> 00:27:31,000
That is exposure with good intentions layered on top.

620
00:27:31,000 --> 00:27:34,440
This is also why unlabeled files are such a structural problem.

621
00:27:34,440 --> 00:27:36,920
An unlabeled file isn't just missing metadata.

622
00:27:36,920 --> 00:27:38,600
It is missing policy context.

623
00:27:38,600 --> 00:27:41,560
It becomes harder to protect, harder to search for during a legal event,

624
00:27:41,560 --> 00:27:43,800
and nearly impossible to explain to an auditor.

625
00:27:43,800 --> 00:27:46,040
The same logic applies to inactive sites.

626
00:27:46,040 --> 00:27:47,960
People assume inactivity means low risk,

627
00:27:47,960 --> 00:27:50,040
but inactive does not mean empty.

628
00:27:50,040 --> 00:27:53,880
Forgotten content inside live permissions is still a single point of failure.

629
00:27:53,880 --> 00:27:57,160
There is a massive gap between documented policy and enforced policy.

630
00:27:57,160 --> 00:28:01,240
This is where mature looking organizations are often the most structurally fragile.

631
00:28:01,240 --> 00:28:02,760
They have the diagrams and the roles,

632
00:28:02,760 --> 00:28:05,880
but the enforcement is partial or uneven across the tenant.

633
00:28:05,880 --> 00:28:08,760
What leadership is actually seeing is governance theatre

634
00:28:08,760 --> 00:28:11,640
with small pockets of real control hidden inside it.

635
00:28:11,640 --> 00:28:14,840
That sounds harsh, but it forces us to ask the right question,

636
00:28:14,840 --> 00:28:16,920
are we showing compliance or can we prove it?

637
00:28:16,920 --> 00:28:18,680
Those are two very different states.

638
00:28:18,680 --> 00:28:23,480
This clicked for me when I realized how often leaders confuse the availability of a capability

639
00:28:23,480 --> 00:28:25,240
with the execution of that capability.

640
00:28:25,240 --> 00:28:27,960
Just because purview labels and audit logs exist

641
00:28:27,960 --> 00:28:29,720
doesn't mean the tenant is governed.

642
00:28:29,720 --> 00:28:31,880
Capabilities sitting idle in a platform

643
00:28:31,880 --> 00:28:34,520
do not automatically produce governed outcomes.

644
00:28:34,520 --> 00:28:35,960
Without coverage, adoption,

645
00:28:35,960 --> 00:28:39,160
and a consistent operating rhythm compliance is just a presentation.

646
00:28:39,160 --> 00:28:40,120
It is not proof.

647
00:28:40,120 --> 00:28:41,800
This creates a dangerous business condition

648
00:28:41,800 --> 00:28:45,080
because the moment you try to scale AI or answer a regulator,

649
00:28:45,080 --> 00:28:46,680
the gap becomes visible all at once.

650
00:28:46,680 --> 00:28:49,320
Suddenly the conversation isn't about whether a policy exists

651
00:28:49,320 --> 00:28:51,560
but rather how far that policy actually reaches.

652
00:28:51,560 --> 00:28:54,120
Once you see this gap, you stop asking if you have policies,

653
00:28:54,120 --> 00:28:58,040
you start asking if your tenant can survive the moment someone asks you to prove them.

654
00:28:58,040 --> 00:29:01,240
And that is exactly why dashboards can make mature organisations

655
00:29:01,240 --> 00:29:03,480
look much safer than they actually are.

656
00:29:03,480 --> 00:29:05,800
The mirage of dashboards and delayed confidence.

657
00:29:05,800 --> 00:29:07,240
Now we need to talk about dashboards

658
00:29:07,240 --> 00:29:09,880
because this is where modern governance starts to look mature

659
00:29:09,880 --> 00:29:11,400
long before it becomes reliable.

660
00:29:11,400 --> 00:29:14,680
Most executive teams are shown a control view,

661
00:29:14,680 --> 00:29:16,840
a compliance score, or a secure score

662
00:29:16,840 --> 00:29:18,440
that suggests progress is happening.

663
00:29:18,440 --> 00:29:20,760
These tools are useful and I am not dismissing them

664
00:29:20,760 --> 00:29:24,040
but the problem starts when leaders treat them as direct evidence of control.

665
00:29:24,040 --> 00:29:26,760
In reality these are just representations and snapshots.

666
00:29:26,760 --> 00:29:30,760
They are signals with timing gaps and dependency gaps built into the design.

667
00:29:30,760 --> 00:29:35,640
A dashboard can only show what the underlying processes have already captured and surfaced.

668
00:29:35,640 --> 00:29:37,880
If those processes are delayed or partial,

669
00:29:37,880 --> 00:29:40,680
the dashboard isn't necessarily lying to you but it is lagging.

670
00:29:40,680 --> 00:29:42,840
Lagging signals create delayed confidence.

671
00:29:42,840 --> 00:29:45,640
You think you are looking at the current state of the tenant

672
00:29:45,640 --> 00:29:48,920
but you are actually looking at a processed version of recent history.

673
00:29:48,920 --> 00:29:52,840
Research into Microsoft PerView compliance manager shows that score updates

674
00:29:52,840 --> 00:29:55,480
can take 24 hours or more to reflect realities.

675
00:29:55,480 --> 00:29:58,920
Sometimes they require manual re-evaluation or specific audit logging

676
00:29:58,920 --> 00:30:01,160
to be enabled before progress even shows up.

677
00:30:01,160 --> 00:30:04,440
If a control was changed this morning and the dashboard still looks the same tomorrow,

678
00:30:04,440 --> 00:30:06,200
what exactly are you governing against?

679
00:30:06,200 --> 00:30:09,240
You might be looking at reality or you might be looking at yesterday's version of it.

680
00:30:09,240 --> 00:30:11,480
This uncertainty isn't just a technical detail,

681
00:30:11,480 --> 00:30:13,640
it changes how executives behave.

682
00:30:13,640 --> 00:30:15,480
When the reporting layer updates late,

683
00:30:15,480 --> 00:30:19,000
leaders start confusing reporting delays with actual control maturity.

684
00:30:19,000 --> 00:30:22,680
A green trend line feels reassuring but it doesn't tell you if a new workspace

685
00:30:22,680 --> 00:30:24,600
launched yesterday has an active owner.

686
00:30:24,600 --> 00:30:28,600
It doesn't tell you if stale sharing paths are sitting underneath a clean looking summary.

687
00:30:28,600 --> 00:30:33,080
The thing most people miss is that dashboards are strongest at showing movement,

688
00:30:33,080 --> 00:30:34,200
not certainty.

689
00:30:34,200 --> 00:30:37,080
They can show that actions were taken and that activity is happening

690
00:30:37,080 --> 00:30:39,880
but they do not automatically prove coverage or enforcement.

691
00:30:39,880 --> 00:30:43,320
This is why activity heavy environments can produce beautiful dashboards

692
00:30:43,320 --> 00:30:45,560
while carrying unmanaged exposure underneath.

693
00:30:45,560 --> 00:30:48,200
Many leadership teams end up managing what is easiest to see

694
00:30:48,200 --> 00:30:50,200
because that is what the reporting makes available.

695
00:30:50,200 --> 00:30:53,800
They review the scores and the incidents while the hidden tenant remains uneven.

696
00:30:53,800 --> 00:30:57,000
Analyst spaces still exist, permissions still drift,

697
00:30:57,000 --> 00:31:01,560
and external sharing remains open in places no executive report was designed to explain.

698
00:31:01,560 --> 00:31:03,800
This isn't a failure of the dashboard itself

699
00:31:03,800 --> 00:31:05,880
but a category mistake in how we use it.

700
00:31:05,880 --> 00:31:09,160
We are asking reporting tools to give us operational certainty

701
00:31:09,160 --> 00:31:11,080
they were never designed to provide alone.

702
00:31:11,080 --> 00:31:13,240
If you remember nothing else remember this.

703
00:31:13,240 --> 00:31:15,880
A green indicator is not the same as governed reality.

704
00:31:15,880 --> 00:31:20,840
In fact green indicators can coexist with unmanaged exposure for a very long time.

705
00:31:20,840 --> 00:31:24,760
In large tenants policy propagation and human follow-through move at different speeds.

706
00:31:24,760 --> 00:31:26,920
Once leaders get used to those green summaries,

707
00:31:26,920 --> 00:31:30,600
the dashboard becomes a form of emotional protection that reduces urgency.

708
00:31:30,600 --> 00:31:32,680
It creates a sense that the environment is under control

709
00:31:32,680 --> 00:31:34,600
because the visible layer looks stable.

710
00:31:34,600 --> 00:31:36,600
But the system underneath may still be drifting.

711
00:31:36,600 --> 00:31:39,400
This is why executive governance needs a different posture.

712
00:31:39,400 --> 00:31:42,520
Use the dashboards but treat them as lagging representations

713
00:31:42,520 --> 00:31:44,040
rather than proof of present control.

714
00:31:44,040 --> 00:31:47,480
You have to pair them with structural questions that expose the truth.

715
00:31:47,480 --> 00:31:50,680
What percentage of your critical data is actually labeled today?

716
00:31:50,680 --> 00:31:53,560
How many active workspaces currently have no owner?

717
00:31:53,560 --> 00:31:56,760
How long does it take for a new space to fall under real governance?

718
00:31:56,760 --> 00:32:00,520
When you ask these questions you find the difference between display and reality.

719
00:32:00,520 --> 00:32:02,680
The business risk isn't that your dashboard is wrong.

720
00:32:02,680 --> 00:32:05,720
The risk is that your confidence arrives faster than your evidence.

721
00:32:05,720 --> 00:32:10,520
Once that happens your reporting starts masking the very fragility it was meant to reveal.

722
00:32:10,520 --> 00:32:15,480
The real question then becomes what this hidden chaos is doing to your actual business performance.

723
00:32:15,480 --> 00:32:17,080
The entropy tax on the business.

724
00:32:17,080 --> 00:32:19,400
So let's translate all of this into business performance

725
00:32:19,400 --> 00:32:23,160
because hidden governance gaps never stay confined to a security conversation.

726
00:32:23,160 --> 00:32:26,920
They eventually show up as drag and I'm talking about a quiet compounding drag

727
00:32:26,920 --> 00:32:28,360
that I call the entropy tax.

728
00:32:28,360 --> 00:32:30,840
Every unlabeled file adds search friction

729
00:32:30,840 --> 00:32:34,520
while every duplicate workspace adds decision friction for your team.

730
00:32:34,520 --> 00:32:37,240
When you have stale permissions they add investigation friction

731
00:32:37,240 --> 00:32:40,600
and every onalist team adds accountability friction to the system.

732
00:32:40,600 --> 00:32:45,240
None of that looks dramatic in isolation which is exactly why it survives so long in most organizations.

733
00:32:45,240 --> 00:32:48,440
A single duplicate site does not trigger a board conversation

734
00:32:48,440 --> 00:32:52,200
and a handful of outdated documents rarely looks like a strategic risk.

735
00:32:52,200 --> 00:32:55,320
One in active workspace with broad access feels small

736
00:32:55,320 --> 00:32:59,000
but when those conditions repeat across thousands of collaboration objects

737
00:32:59,000 --> 00:33:02,040
the tenant starts taxing the business every single day.

738
00:33:02,040 --> 00:33:06,600
Search gets noisier and trust in results gets weaker as a direct result of this clutter.

739
00:33:06,600 --> 00:33:11,720
People stop knowing which site is current so they ask in chat instead of relying on the structure we build for them.

740
00:33:11,720 --> 00:33:15,080
They download copies of files just in case the system fails them

741
00:33:15,080 --> 00:33:18,600
and then they create another team because the old one feels too messy to use.

742
00:33:18,600 --> 00:33:21,080
And just like that entropy creates more entropy.

743
00:33:21,080 --> 00:33:23,400
The system starts producing compensating behavior

744
00:33:23,400 --> 00:33:27,480
because the original environment no longer feels reliable enough to work from directly.

745
00:33:27,480 --> 00:33:31,480
That is not just an untidy digital closet it is an expensive structural failure

746
00:33:31,480 --> 00:33:35,880
because once information quality drops decision quality starts dropping right along with it.

747
00:33:35,880 --> 00:33:39,560
People take longer to find the right file and they spend more time validating

748
00:33:39,560 --> 00:33:41,640
whether a version is actually current.

749
00:33:41,640 --> 00:33:44,360
Legal spends more time assessing retention exposure

750
00:33:44,360 --> 00:33:47,480
while compliance struggles to prove what should already be obvious.

751
00:33:47,480 --> 00:33:50,520
IT spends their days tracing ownership and permissions

752
00:33:50,520 --> 00:33:52,600
that should have been visible by design.

753
00:33:52,600 --> 00:33:54,600
Governance debt eventually becomes time debt

754
00:33:54,600 --> 00:33:56,920
and that is the business reality we have to face.

755
00:33:56,920 --> 00:33:59,640
Time debt moves across every function in the company.

756
00:33:59,640 --> 00:34:04,120
IT pays for it in cleanup and support while security pays for it in exposure analysis.

757
00:34:04,120 --> 00:34:06,920
Legal pays for it in discovery and evidence reconstruction

758
00:34:06,920 --> 00:34:09,080
and compliance pays for it in reporting strain.

759
00:34:09,080 --> 00:34:12,200
Business teams pay for it in hesitation, duplication and low confidence

760
00:34:12,200 --> 00:34:13,960
in the information they use to make decisions.

761
00:34:13,960 --> 00:34:16,440
So when leaders treat governance as a compliance tax

762
00:34:16,440 --> 00:34:18,200
I think they are missing the structure completely.

763
00:34:18,200 --> 00:34:21,240
Poor governance is the real tax because it forces the organization

764
00:34:21,240 --> 00:34:25,320
to compensate manually for things the environment should already be handling well.

765
00:34:25,320 --> 00:34:28,280
The reason this matters is simple, entropy compounds over time.

766
00:34:28,280 --> 00:34:30,440
A tenant does not become hard to govern overnight

767
00:34:30,440 --> 00:34:33,880
but instead it becomes difficult through a slow process of accumulation.

768
00:34:33,880 --> 00:34:35,960
Old sites remain while new sites appear

769
00:34:35,960 --> 00:34:38,200
and permissions stack up as files multiply.

770
00:34:38,200 --> 00:34:40,440
Labels stay partial and reviews get delayed

771
00:34:40,440 --> 00:34:42,680
which means each new change becomes more difficult

772
00:34:42,680 --> 00:34:45,400
because nobody is changing a clean environment anymore.

773
00:34:45,400 --> 00:34:46,760
They are changing a crowded one.

774
00:34:46,760 --> 00:34:49,080
That makes transformation slower than it needs to be.

775
00:34:49,080 --> 00:34:50,600
If you want to roll out co-pilot

776
00:34:50,600 --> 00:34:52,120
you now have to pause and assess

777
00:34:52,120 --> 00:34:54,120
oversharing across the entire landscape.

778
00:34:54,120 --> 00:34:55,640
If you want to tighten compliance

779
00:34:55,640 --> 00:34:58,920
you first need to find what was never brought under policy in the first place.

780
00:34:58,920 --> 00:35:01,640
When you want to rationalize storage or reduce license waste

781
00:35:01,640 --> 00:35:04,760
you find yourself working against years of unmanaged sprawl.

782
00:35:04,760 --> 00:35:07,240
This is where the entropy tax becomes a strategic problem.

783
00:35:07,240 --> 00:35:09,080
The tenant is no longer just messy

784
00:35:09,080 --> 00:35:11,080
it is actually harder to change safely

785
00:35:11,080 --> 00:35:13,880
and when an environment becomes hard to change safely

786
00:35:13,880 --> 00:35:16,520
the organization becomes slower than it thinks.

787
00:35:16,520 --> 00:35:19,480
Changes take longer, reviews get heavier

788
00:35:19,480 --> 00:35:23,880
and confidence drops because the underlying structure is less trustworthy than it should be.

789
00:35:23,880 --> 00:35:27,640
I don't see tenant entropy as a simple admin cleanup task

790
00:35:27,640 --> 00:35:29,160
but rather as a structural cost.

791
00:35:29,160 --> 00:35:33,400
It is a cost that compounds while everyone is busy measuring visible productivity at the surface.

792
00:35:33,400 --> 00:35:36,600
If your Microsoft 365 environment is accumulating

793
00:35:36,600 --> 00:35:39,160
unlabeled content and stale access

794
00:35:39,160 --> 00:35:41,400
then the business is already paying for that condition

795
00:35:41,400 --> 00:35:43,000
whether it recognizes it or not.

796
00:35:43,000 --> 00:35:45,720
It is paying in slower retrieval and lower trust

797
00:35:45,720 --> 00:35:49,080
it is paying in higher remediation costs and weaker audit readiness.

798
00:35:49,080 --> 00:35:51,000
You see it in longer change cycles

799
00:35:51,000 --> 00:35:52,920
and less confidence in the digital environment

800
00:35:52,920 --> 00:35:54,680
that holds your company's operating memory.

801
00:35:54,680 --> 00:35:55,800
That is the entropy tax.

802
00:35:55,800 --> 00:35:57,800
You may not see it on one single invoice

803
00:35:57,800 --> 00:35:59,240
but it is already in the business

804
00:35:59,240 --> 00:36:02,200
and AI makes that cost visible much faster.

805
00:36:02,200 --> 00:36:04,760
Why co-pilot exposes what the tenant was hiding?

806
00:36:04,760 --> 00:36:08,120
And this is where a lot of leaders suddenly feel the hidden tenant for the first time.

807
00:36:08,120 --> 00:36:11,000
They introduce co-pilot expecting a productivity conversation

808
00:36:11,000 --> 00:36:13,000
about faster drafting and better summaries.

809
00:36:13,000 --> 00:36:15,640
They want to spend less time hunting through files and meetings

810
00:36:15,640 --> 00:36:17,240
and while that part can be real

811
00:36:17,240 --> 00:36:20,280
co-pilot also does something else that is structurally important.

812
00:36:20,280 --> 00:36:22,600
It exposes what the tenant was already hiding.

813
00:36:22,600 --> 00:36:24,280
It doesn't do this by breaking the rules

814
00:36:24,280 --> 00:36:26,440
but by operating perfectly inside them.

815
00:36:26,440 --> 00:36:29,800
That distinction matters because many organizations talk about co-pilot

816
00:36:29,800 --> 00:36:32,280
as if it creates a new class of governance problem.

817
00:36:32,280 --> 00:36:33,480
In most cases it doesn't.

818
00:36:33,480 --> 00:36:37,240
It simply accelerates discovery inside the access model you already allowed.

819
00:36:37,240 --> 00:36:40,680
If a user has broad access through inherited permissions or stale groups,

820
00:36:40,680 --> 00:36:42,440
co-pilot works with that reality.

821
00:36:42,440 --> 00:36:44,520
It surfaces information from the environment

822
00:36:44,520 --> 00:36:45,880
as the environment exists,

823
00:36:45,880 --> 00:36:48,040
not as leadership assumed it existed.

824
00:36:48,040 --> 00:36:50,200
That is why I keep saying AI is not the new problem.

825
00:36:50,200 --> 00:36:51,560
It is the diagnostic tool.

826
00:36:51,560 --> 00:36:53,240
The hidden comfort model in many tenants

827
00:36:53,240 --> 00:36:55,080
was always based on a specific assumption.

828
00:36:55,080 --> 00:36:57,400
People thought that even if access was a little broad

829
00:36:57,400 --> 00:37:01,080
and the structure was messy, nobody would actually find half of that content anyway.

830
00:37:01,080 --> 00:37:03,880
The mess was protected by friction because search took effort

831
00:37:03,880 --> 00:37:05,640
and context was fragmented.

832
00:37:05,640 --> 00:37:08,680
Old files stayed buried in places people rarely revisited

833
00:37:08,680 --> 00:37:11,080
so the tenant could carry years of loose access

834
00:37:11,080 --> 00:37:13,160
without forcing a serious reckoning.

835
00:37:13,160 --> 00:37:15,320
Co-pilot changes that equation completely.

836
00:37:15,320 --> 00:37:18,920
Broad access suddenly becomes broad discoverability across files,

837
00:37:18,920 --> 00:37:20,360
chats, sites and mail.

838
00:37:20,360 --> 00:37:21,880
It pulls from meeting history

839
00:37:21,880 --> 00:37:24,840
and the organizational memory layer people forgot was still exposed.

840
00:37:24,840 --> 00:37:26,360
Once that happens,

841
00:37:26,360 --> 00:37:28,280
weak governance stops being abstract

842
00:37:28,280 --> 00:37:30,440
and starts showing up in outputs people can see.

843
00:37:30,440 --> 00:37:32,920
You might see a vague answer or a surprising reference

844
00:37:32,920 --> 00:37:35,240
in a document surfaced from a place nobody expected.

845
00:37:35,240 --> 00:37:37,320
You get a result that is technically permitted

846
00:37:37,320 --> 00:37:39,240
but clearly misaligned with business intent.

847
00:37:39,240 --> 00:37:41,640
This is why early co-pilot concerned centers

848
00:37:41,640 --> 00:37:44,440
so heavily on data quality and access controls.

849
00:37:44,440 --> 00:37:47,240
It isn't because AI suddenly made tenants unsafe

850
00:37:47,240 --> 00:37:51,240
but because AI removed the illusion that obscurity was ever controlled.

851
00:37:51,240 --> 00:37:54,040
That illusion has been carrying a lot of organizations for years

852
00:37:54,040 --> 00:37:56,440
but there is another layer here that matters just as much.

853
00:37:56,440 --> 00:37:58,520
Co-pilot does not only reveal over permissioning,

854
00:37:58,520 --> 00:38:00,440
it also reveals information chaos.

855
00:38:00,440 --> 00:38:03,240
If the tenant is full of duplicate files and weak ownership

856
00:38:03,240 --> 00:38:06,440
then the quality problem surfaces through the user experience itself.

857
00:38:06,440 --> 00:38:08,440
People start getting responses that feel uncertain

858
00:38:08,440 --> 00:38:10,440
or too generic and then trust drops.

859
00:38:10,440 --> 00:38:12,040
They say the AI is unreliable

860
00:38:12,040 --> 00:38:15,480
but often the deeper issue is that the tenant itself is unreliable.

861
00:38:15,480 --> 00:38:18,840
The model is grounding in an environment with weak structure

862
00:38:18,840 --> 00:38:22,280
so what gets exposed is not only data risk but tenant quality.

863
00:38:22,280 --> 00:38:27,240
This clicked for me because co-pilot forces a very uncomfortable executive realization.

864
00:38:27,240 --> 00:38:31,880
For years many organizations were able to separate productivity from governance in their thinking.

865
00:38:31,880 --> 00:38:34,920
Collaboration happened in one silo while compliance happened in another

866
00:38:34,920 --> 00:38:36,680
and the seams stayed mostly hidden.

867
00:38:36,680 --> 00:38:38,280
Co-pilot collapses those seams.

868
00:38:38,280 --> 00:38:42,520
Suddenly permissions shape the user experience and data quality shapes the output quality.

869
00:38:42,520 --> 00:38:46,040
Ownership shapes trust and governance stops being a background function.

870
00:38:46,040 --> 00:38:49,880
It becomes visible in the actual value people do or do not get from AI.

871
00:38:49,880 --> 00:38:54,040
That makes co-pilot a forcing function because it reflects the tenant rather than punishing it.

872
00:38:54,040 --> 00:38:59,240
That is also why bug history and control concerns matter so much in executive decision making.

873
00:38:59,240 --> 00:39:02,840
If you already have broad hidden access and weak review discipline

874
00:39:02,840 --> 00:39:05,880
then even isolated defects create outsized anxiety.

875
00:39:05,880 --> 00:39:10,680
Trust is fragile in environments where the control story was already weaker than the reporting story.

876
00:39:10,680 --> 00:39:14,360
So the right question is not whether co-pilot will create a permissions problem for us.

877
00:39:14,360 --> 00:39:18,840
The better question is what existing permissions problem will co-pilot expose faster

878
00:39:18,840 --> 00:39:20,600
than our old ways of working ever did.

879
00:39:20,600 --> 00:39:24,360
Because if you look closely AI is not introducing chaos into the tenant.

880
00:39:24,360 --> 00:39:28,440
It is making accumulated chaos visible at operating speed and once that happens

881
00:39:28,440 --> 00:39:31,720
the organization can no longer pretend the hidden layer is theoretical.

882
00:39:31,720 --> 00:39:34,440
It becomes part of everyday business reality.

883
00:39:34,440 --> 00:39:37,160
Data sprawl and AI accuracy are the same problem.

884
00:39:37,160 --> 00:39:42,200
Most organizations still treat data governance and AI quality as two completely separate issues.

885
00:39:42,200 --> 00:39:44,920
They'll tell you they have a compliance problem in one department

886
00:39:44,920 --> 00:39:47,160
and a performance problem with their AI in another.

887
00:39:47,160 --> 00:39:52,280
But if you look closely those are usually just the same structural failure seen from different angles.

888
00:39:52,280 --> 00:39:54,840
When a tenant is overflowing with duplicate documents,

889
00:39:54,840 --> 00:39:57,640
stale versions and scattered content with no clear owners.

890
00:39:57,640 --> 00:40:01,880
Co-pilot doesn't magically rise above that mess to give you perfect answers.

891
00:40:01,880 --> 00:40:07,480
It operates entirely within the environment you've built grounding itself in whatever data the tenant surfaces.

892
00:40:07,480 --> 00:40:11,960
If your underlying information architecture is noisy, fragmented, or 10 years out of date

893
00:40:11,960 --> 00:40:15,080
the output quality will reflect that reality every single time.

894
00:40:15,080 --> 00:40:19,400
This is exactly why data sprawl and AI accuracy belong in the same conversation.

895
00:40:19,400 --> 00:40:23,800
The real issue isn't just whether sensitive information is overexposed to the wrong people

896
00:40:23,800 --> 00:40:28,200
but whether your information landscape is coherent enough to produce a reliable answer in the first place.

897
00:40:28,200 --> 00:40:32,600
And why is that? It's because AI systems perform best when information has a clear home,

898
00:40:32,600 --> 00:40:35,800
a current version, and an accountable owner who maintains it.

899
00:40:35,800 --> 00:40:39,080
If you have one trusted policy library, one active project site,

900
00:40:39,080 --> 00:40:44,280
and one maintained customer record, the model has a high probability of grounding itself in something stable.

901
00:40:44,280 --> 00:40:47,560
But when that same information exists across five different folders,

902
00:40:47,560 --> 00:40:50,120
three teams channels and two forgotten sharepoint sites,

903
00:40:50,120 --> 00:40:55,400
you are effectively asking the AI to resolve an ambiguity that your organization never bothered to fix.

904
00:40:55,400 --> 00:40:58,520
That isn't a failure of the AI model. It is a failure of tenant quality.

905
00:40:58,520 --> 00:41:02,120
I realize this when I watch leaders blame the AI for being vague,

906
00:41:02,120 --> 00:41:05,080
even though the estate it was pulling from was just as vague.

907
00:41:05,080 --> 00:41:07,000
People describe co-pilot as inconsistent,

908
00:41:07,000 --> 00:41:10,360
but the files it relies on are filled with old drafts conflicting data

909
00:41:10,360 --> 00:41:13,960
and un-maintained reference content that should have been deleted years ago.

910
00:41:13,960 --> 00:41:16,440
The model isn't inventing the disorder.

911
00:41:16,440 --> 00:41:18,440
It is simply inheriting it.

912
00:41:18,440 --> 00:41:23,480
The business consequence here is much bigger than just getting a mediocre answer to a prompt.

913
00:41:23,480 --> 00:41:27,000
Week answers lead to a loss of trust and once that trust drops,

914
00:41:27,000 --> 00:41:30,040
your adoption rates will fall right alongside it.

915
00:41:30,040 --> 00:41:33,720
The organization then starts questioning the entire value case for AI,

916
00:41:33,720 --> 00:41:37,080
even though the root cause sits much lower in the technical stack.

917
00:41:37,080 --> 00:41:40,440
The problem isn't your prompt engineering or which model you selected,

918
00:41:40,440 --> 00:41:44,840
but the broken information architecture that serves as the foundation for everything else.

919
00:41:44,840 --> 00:41:50,760
Research on co-pilot heading into 2026 shows that complex tasks still trail behind human reliability

920
00:41:50,760 --> 00:41:53,560
and poor data quality only makes that gap wider.

921
00:41:53,560 --> 00:41:57,960
If agent mode in Excel is already struggling to match human performance on demanding work,

922
00:41:57,960 --> 00:42:03,320
imagine what happens when the underlying files are duplicated or scattered across unmanaged spaces.

923
00:42:03,320 --> 00:42:05,400
That performance gap doesn't just stay there,

924
00:42:05,400 --> 00:42:08,040
it gets amplified by the chaos of the environment.

925
00:42:08,040 --> 00:42:12,760
Clean information architecture is not a nice to have feature for your AI strategy.

926
00:42:12,760 --> 00:42:16,920
It is a core part of your accuracy layer and you need clear homes for content,

927
00:42:16,920 --> 00:42:21,320
current documents instead of abandoned versions and explicit ownership to make it work.

928
00:42:21,320 --> 00:42:25,400
Without a lightweight life cycle discipline to keep the truth from drifting apart,

929
00:42:25,400 --> 00:42:29,000
your AI investment just becomes a very expensive way to generate ambiguity.

930
00:42:29,000 --> 00:42:31,560
It might still look impressive during a polished demo,

931
00:42:31,560 --> 00:42:34,520
but in live operations your people will second guess every result

932
00:42:34,520 --> 00:42:37,080
because the tenant doesn't provide enough structural confidence.

933
00:42:37,080 --> 00:42:39,000
If you remember nothing else from this section,

934
00:42:39,000 --> 00:42:43,960
remember that bad AI answers are often just delayed evidence of a bad tenant structure.

935
00:42:43,960 --> 00:42:48,760
Most AI conversations start at the model layer when they should really start at the environment layer.

936
00:42:48,760 --> 00:42:51,000
If your tenant is cluttered and weakly owned,

937
00:42:51,000 --> 00:42:54,280
the AI will scale those problems faster than your people ever could.

938
00:42:54,280 --> 00:42:55,560
Once that becomes visible,

939
00:42:55,560 --> 00:42:59,240
the organization finally realizes this isn't an AI tuning problem at all.

940
00:42:59,240 --> 00:43:04,120
It's a business information quality problem that the AI has simply made impossible to ignore,

941
00:43:04,120 --> 00:43:07,800
which is exactly why so many roll-out stall after the initial excitement fades.

942
00:43:07,800 --> 00:43:10,200
The 612-week stall pattern.

943
00:43:10,200 --> 00:43:14,040
Once you recognize that data sprawl and AI accuracy are the same structural issue,

944
00:43:14,040 --> 00:43:16,520
a very specific roll-out pattern starts to emerge.

945
00:43:16,520 --> 00:43:20,120
The first few weeks of a pilot usually feel strong because the early use cases

946
00:43:20,120 --> 00:43:23,800
sit in low friction territory where the stakes are relatively small.

947
00:43:23,800 --> 00:43:27,720
People use co-pilot to summarize email threads, turn meeting notes into drafts,

948
00:43:27,720 --> 00:43:29,480
or get a head start on a new document.

949
00:43:29,480 --> 00:43:32,200
The productivity gain is visible almost immediately,

950
00:43:32,200 --> 00:43:37,160
leadership sees movement, and the IT department sees adoption curves heading in the right direction.

951
00:43:37,160 --> 00:43:39,720
Because the novelty is high and the tasks are simple,

952
00:43:39,720 --> 00:43:42,280
the roll-out is framed as a massive success.

953
00:43:42,280 --> 00:43:45,480
Then, somewhere between week 6 and week 12,

954
00:43:45,480 --> 00:43:48,360
the tone of the conversation starts to shift.

955
00:43:48,360 --> 00:43:50,280
It doesn't always happen with a loud crash.

956
00:43:50,280 --> 00:43:54,040
Sometimes it's just a quiet hesitation or a slower expansion of licenses.

957
00:43:54,040 --> 00:43:55,880
You'll hear the sentence that matters most.

958
00:43:55,880 --> 00:43:59,720
We need to pause and sort a few things out before we go any further.

959
00:43:59,720 --> 00:44:03,000
And why is that? It's because the pilot period was essentially borrowing confidence

960
00:44:03,000 --> 00:44:04,680
from the visible layer of the software.

961
00:44:04,680 --> 00:44:06,600
Users were testing the convenience of the tool,

962
00:44:06,600 --> 00:44:09,960
but they hadn't yet collided with the messy structure underneath the surface.

963
00:44:09,960 --> 00:44:13,720
By the second or third month, the hidden tenon starts asserting itself,

964
00:44:13,720 --> 00:44:18,440
and someone eventually notices overshared content appearing in ways that feel uncomfortable or risky.

965
00:44:18,440 --> 00:44:24,200
A business lead might question if the underlying files are current enough to trust the AI's output,

966
00:44:24,200 --> 00:44:29,320
while the security team starts asking for access review evidence before any more licenses are assigned.

967
00:44:29,320 --> 00:44:34,760
Suddenly, the rollout that started as a simple productivity story transforms into a complex governance story.

968
00:44:34,760 --> 00:44:38,200
This is the stall pattern, and it isn't a failure that happens on day one,

969
00:44:38,200 --> 00:44:42,360
but rather a friction that builds up after the early enthusiasm wears off.

970
00:44:42,360 --> 00:44:46,040
Many organizations misdiagnose this by thinking users just lost interest

971
00:44:46,040 --> 00:44:47,640
or that the training wasn't good enough.

972
00:44:47,640 --> 00:44:50,200
While training helps, the deeper reason is structural,

973
00:44:50,200 --> 00:44:54,200
as the environment simply stops supporting trust at the speed the rollout required.

974
00:44:54,200 --> 00:44:57,000
Research on co-pilot deployments shows this pattern clearly,

975
00:44:57,000 --> 00:45:01,800
especially when governance is treated as a one-time event instead of an ongoing operating discipline.

976
00:45:01,800 --> 00:45:04,680
If you only look at governance at the very beginning, your pilot will look

977
00:45:04,680 --> 00:45:07,000
ready even if the tenant is fundamentally uneven,

978
00:45:07,000 --> 00:45:09,960
but if your governance is tied to the life state of the environment,

979
00:45:09,960 --> 00:45:12,600
you have a real chance to scale without hitting that wall.

980
00:45:12,600 --> 00:45:16,920
Most organizations don't hit the wall because the AI suddenly got worse at its job.

981
00:45:16,920 --> 00:45:19,000
They hit it because the tenant became more visible,

982
00:45:19,000 --> 00:45:23,160
and that visibility forced leadership to see the real blockers that were there all along.

983
00:45:23,160 --> 00:45:28,360
Broad access controls, weak data quality, and unclear ownership all become glaring issues

984
00:45:28,360 --> 00:45:29,480
when you try to scale.

985
00:45:29,480 --> 00:45:33,480
When there is thin evidence for what is actually governed versus what was only intended

986
00:45:33,480 --> 00:45:37,160
to be governed, the 6-12-week stall serves as a vital executive signal.

987
00:45:37,160 --> 00:45:40,520
It tells you that the rollout didn't actually stall because of the AI,

988
00:45:40,520 --> 00:45:42,600
but because of the quality of your tenant.

989
00:45:42,600 --> 00:45:45,720
The business cost of this stall is much higher than just a delayed pilot.

990
00:45:45,720 --> 00:45:49,240
You end up with sunk license costs without the scaled value you promised,

991
00:45:49,240 --> 00:45:52,760
and leadership becomes skeptical because the early potential now feels harder

992
00:45:52,760 --> 00:45:56,760
to trust. This puts immense pressure on IT and security to fix governance

993
00:45:56,760 --> 00:45:59,640
under the heat of an active rollout instead of through deliberate design.

994
00:45:59,640 --> 00:46:03,000
Perhaps most damaging of all is the credibility gap that forms

995
00:46:03,000 --> 00:46:05,160
when people feel the technology was overhyped,

996
00:46:05,160 --> 00:46:07,560
even though the real issue was an under-governed environment.

997
00:46:07,560 --> 00:46:10,200
If you see a rollout lose momentum in that 2-3 months range,

998
00:46:10,200 --> 00:46:12,520
don't just ask if your users need more training videos.

999
00:46:12,520 --> 00:46:15,160
Ask what that stall is actually revealing about your system.

1000
00:46:15,160 --> 00:46:19,560
What access model became uncomfortable once your data became more discoverable?

1001
00:46:19,560 --> 00:46:24,120
What information quality problem became a deal breaker once the answers had to be trusted for real work?

1002
00:46:24,120 --> 00:46:26,920
This isn't just random friction, it's a system outcome.

1003
00:46:26,920 --> 00:46:31,320
When you see it through that lens, the stall stops looking like a disappointing adoption curve

1004
00:46:31,320 --> 00:46:33,400
and starts looking like a diagnostic event.

1005
00:46:33,400 --> 00:46:35,960
It's a very expensive lesson if you choose to ignore it,

1006
00:46:35,960 --> 00:46:40,520
but the hidden tenant isn't just about AI, it changes human behaviour too.

1007
00:46:40,520 --> 00:46:43,560
Shadow Governance and structural compensation,

1008
00:46:43,560 --> 00:46:46,840
let's move away from AI for a moment and look at what people actually do

1009
00:46:46,840 --> 00:46:49,400
when the official environment stops feeling workable.

1010
00:46:49,400 --> 00:46:53,320
This is the exact point where hidden tenant chaos stops being a technical glitch

1011
00:46:53,320 --> 00:46:55,080
and starts becoming a cultural habit.

1012
00:46:55,080 --> 00:46:58,760
When governance is slow, unclear, or disconnected from how work actually happens,

1013
00:46:58,760 --> 00:47:02,200
people don't just stop working, they simply root around the obstacles.

1014
00:47:02,200 --> 00:47:04,360
That shift is the beginning of shadow governance.

1015
00:47:04,360 --> 00:47:05,800
It's usually not malicious or rebellious,

1016
00:47:05,800 --> 00:47:09,400
but rather a practical response to a system that creates too much friction.

1017
00:47:09,400 --> 00:47:12,120
A team can't wait 3 days for a clean workspace request,

1018
00:47:12,120 --> 00:47:14,840
so they spin up a new team themselves to keep the project moving.

1019
00:47:14,840 --> 00:47:17,160
A manager doesn't trust the shared side structure,

1020
00:47:17,160 --> 00:47:21,080
so critical files migrate into personal one-drive folders where they feel safe.

1021
00:47:21,080 --> 00:47:22,280
You know, we see this everywhere.

1022
00:47:22,280 --> 00:47:24,440
Project groups copy documents into side locations

1023
00:47:24,440 --> 00:47:28,200
because nobody is sure which version in the official channel is actually current.

1024
00:47:28,200 --> 00:47:30,760
Someone builds a power automate flow without oversight

1025
00:47:30,760 --> 00:47:32,760
because the approved path takes too long,

1026
00:47:32,760 --> 00:47:35,000
or an external partner needs access today.

1027
00:47:35,000 --> 00:47:38,360
So a sharing link gets created outside the standard process.

1028
00:47:38,360 --> 00:47:40,840
Once those patterns start helping work move again,

1029
00:47:40,840 --> 00:47:43,080
they stick, and that's the part that should worry you.

1030
00:47:43,080 --> 00:47:45,640
Shadow Governance survives because it solves for speed

1031
00:47:45,640 --> 00:47:47,720
where the formal model creates friction.

1032
00:47:47,720 --> 00:47:50,360
While many organizations describe this as non-compliance,

1033
00:47:50,360 --> 00:47:53,160
if you look closely, it's actually structural compensation.

1034
00:47:53,160 --> 00:47:56,840
The people inside the system are simply adapting to the environment they were given.

1035
00:47:56,840 --> 00:47:59,960
If the official route is too slow, they choose a faster one,

1036
00:47:59,960 --> 00:48:01,800
and if the official space is too messy,

1037
00:48:01,800 --> 00:48:04,120
they create a cleaner one somewhere else.

1038
00:48:04,120 --> 00:48:06,040
Behavior isn't driven by rebellion,

1039
00:48:06,040 --> 00:48:08,040
it's driven by the environment.

1040
00:48:08,040 --> 00:48:10,520
Once you understand that your leadership response has to change,

1041
00:48:10,520 --> 00:48:13,800
you stop asking why people are bypassing governance

1042
00:48:13,800 --> 00:48:18,760
and start asking what in the environment makes bypassing the system the most rational choice.

1043
00:48:18,760 --> 00:48:20,680
If large numbers of people are doing it,

1044
00:48:20,680 --> 00:48:22,840
you aren't looking at an employee attitude problem,

1045
00:48:22,840 --> 00:48:24,200
you're looking at a design signal.

1046
00:48:24,200 --> 00:48:28,040
It means your operating model is no longer aligned with how real work happens.

1047
00:48:28,040 --> 00:48:31,080
This is why I call it Shadow Governance rather than just Shadow IT

1048
00:48:31,080 --> 00:48:33,640
because what emerges isn't random chaos,

1049
00:48:33,640 --> 00:48:35,240
but a second operating model.

1050
00:48:35,240 --> 00:48:37,480
It's unofficial, untract, and often fragile,

1051
00:48:37,480 --> 00:48:40,920
but it's functional enough that people depend on it to get their jobs done every day.

1052
00:48:40,920 --> 00:48:44,920
You'll see this reflected in personal file stores acting as team repositories,

1053
00:48:44,920 --> 00:48:47,560
ad hoc teams created outside life cycle rules,

1054
00:48:47,560 --> 00:48:51,240
and private channels holding critical decisions that nobody ever reviews.

1055
00:48:51,240 --> 00:48:52,680
The formal model says one thing,

1056
00:48:52,680 --> 00:48:54,840
but the real model people depend on says another,

1057
00:48:54,840 --> 00:48:57,960
and from a system perspective, that's where the risk deepens.

1058
00:48:57,960 --> 00:49:00,680
Leadership is governing the tenant they think exists.

1059
00:49:00,680 --> 00:49:03,800
While the people inside the system are operating inside a completely different one,

1060
00:49:03,800 --> 00:49:05,480
that creates a massive visibility gap.

1061
00:49:05,480 --> 00:49:07,800
You don't just lose control of files or permissions,

1062
00:49:07,800 --> 00:49:10,120
you lose sight of how work is actually happening.

1063
00:49:10,120 --> 00:49:13,800
This clicked for me when I realized that many governance conversations still assume

1064
00:49:13,800 --> 00:49:16,200
policy is the operating model, but it usually isn't.

1065
00:49:16,200 --> 00:49:17,880
Policy is just the intended model,

1066
00:49:17,880 --> 00:49:20,280
while actual behavior reveals the real one.

1067
00:49:20,280 --> 00:49:24,040
If the real model depends on side channels and unowned spaces,

1068
00:49:24,040 --> 00:49:27,400
the tenant is already splitting into a visible structure and a hidden one.

1069
00:49:27,400 --> 00:49:30,200
That split is expensive because it weakens auditability,

1070
00:49:30,200 --> 00:49:31,720
breaks clean ownership,

1071
00:49:31,720 --> 00:49:34,440
and multiplies data copies across the environment.

1072
00:49:34,440 --> 00:49:37,880
It hides critical context in places nobody's governing,

1073
00:49:37,880 --> 00:49:41,560
making future clean up much harder because you aren't just cleaning up objects,

1074
00:49:41,560 --> 00:49:43,960
you're trying to change compensating habits.

1075
00:49:43,960 --> 00:49:45,800
Habits form around environmental truth.

1076
00:49:45,800 --> 00:49:48,200
If the official system keeps creating friction,

1077
00:49:48,200 --> 00:49:52,200
people will keep rebuilding informal alternatives even after you remove the old ones.

1078
00:49:52,200 --> 00:49:54,760
If you remember nothing else from this section, remember this.

1079
00:49:54,760 --> 00:49:57,000
Shadow behavior is a system outcome.

1080
00:49:57,000 --> 00:50:01,800
The tenant is producing workarounds because the formal model isn't absorbing the real pressure of work.

1081
00:50:01,800 --> 00:50:04,840
Once that happens, your governance becomes partly fictional.

1082
00:50:04,840 --> 00:50:09,160
The org chart says control is centralized, but the behavior says control is distributed,

1083
00:50:09,160 --> 00:50:11,080
improvised, and mostly invisible.

1084
00:50:11,080 --> 00:50:12,840
That is the hidden tenant in action.

1085
00:50:12,840 --> 00:50:17,080
And if you look closely, ownership is where that drift becomes permanent.

1086
00:50:17,080 --> 00:50:19,640
Often workspaces as business risk containers.

1087
00:50:19,640 --> 00:50:23,720
This is where the conversation gets very specific because once shadow behavior settles in,

1088
00:50:23,720 --> 00:50:25,000
ownership starts thinning out.

1089
00:50:25,000 --> 00:50:26,360
It doesn't happen everywhere at once,

1090
00:50:26,360 --> 00:50:28,440
but it happens just enough to become dangerous.

1091
00:50:28,440 --> 00:50:30,120
A team gets created for a project,

1092
00:50:30,120 --> 00:50:32,680
a sharepoint site launches for a department push,

1093
00:50:32,680 --> 00:50:35,960
and the workspace becomes active in full of decisions in history.

1094
00:50:35,960 --> 00:50:39,800
Then the project lead changes roles, the sponsor leaves, or the team gets reshuffled.

1095
00:50:39,800 --> 00:50:42,920
Nobody closes the space because nobody wants to lose the context.

1096
00:50:42,920 --> 00:50:45,000
So the workspace remains active enough to matter,

1097
00:50:45,000 --> 00:50:46,680
but unowned enough to drift.

1098
00:50:46,680 --> 00:50:49,400
That is an often workspace, not a dead object,

1099
00:50:49,400 --> 00:50:51,880
but a live-risk container with zero accountability.

1100
00:50:51,880 --> 00:50:57,000
In Microsoft 365, ownership isn't just administrative decoration,

1101
00:50:57,000 --> 00:50:58,840
it's a primary control mechanism.

1102
00:50:58,840 --> 00:51:01,400
The owner is the person expected to review membership,

1103
00:51:01,400 --> 00:51:06,280
notice oversharing, and make judgment calls when the workspace no longer fits its original use.

1104
00:51:06,280 --> 00:51:08,600
When you remove that layer, the space still works,

1105
00:51:08,600 --> 00:51:10,600
but the control loop weakens immediately.

1106
00:51:10,600 --> 00:51:13,160
In that two 500-person company I mentioned earlier,

1107
00:51:13,160 --> 00:51:15,800
42% of teams had no active owner.

1108
00:51:15,800 --> 00:51:20,120
Nearly half of their collaboration spaces had lost the person responsible for basic accountability,

1109
00:51:20,120 --> 00:51:22,360
even though the business still felt productive on the surface.

1110
00:51:22,360 --> 00:51:25,160
From a system perspective, that isn't a minor hygiene issue.

1111
00:51:25,160 --> 00:51:30,680
It means a large part of the environment has shifted from governed collaboration into unmanaged persistence.

1112
00:51:30,680 --> 00:51:33,880
Unmanaged persistence is where risk compounds quietly,

1113
00:51:33,880 --> 00:51:36,360
because onalous spaces don't review themselves.

1114
00:51:36,360 --> 00:51:39,480
They don't question whether guest access still makes sense,

1115
00:51:39,480 --> 00:51:42,040
or if the membership still reflects the actual business need.

1116
00:51:42,040 --> 00:51:45,640
They don't ask whether the files inside should be labelled archived or deleted.

1117
00:51:45,640 --> 00:51:50,280
They simply continue to exist inside live operations without any current accountability.

1118
00:51:50,280 --> 00:51:52,600
That makes them perfect containers for hidden risk

1119
00:51:52,600 --> 00:51:55,880
where institutional memory and sensitive content get trapped.

1120
00:51:55,880 --> 00:51:58,520
The business keeps benefiting from the existence of the space,

1121
00:51:58,520 --> 00:52:03,000
but nobody is actively governing the conditions under which that benefit continues.

1122
00:52:03,000 --> 00:52:05,240
People often assume inactivity lowers risk,

1123
00:52:05,240 --> 00:52:07,080
but often it doesn't always mean inactive,

1124
00:52:07,080 --> 00:52:08,920
and inactive certainly doesn't mean harmless.

1125
00:52:08,920 --> 00:52:13,080
A quiet team can still hold board drafts, HR discussions, or customer information,

1126
00:52:13,080 --> 00:52:17,080
and a low traffic sharepoint site can still be widely accessible to the wrong people.

1127
00:52:17,080 --> 00:52:21,080
A project space from two years ago can still sit underneath current inheritance parts,

1128
00:52:21,080 --> 00:52:22,920
still reachable and still discoverable.

1129
00:52:22,920 --> 00:52:26,680
When a workspace loses ownership, it doesn't become neutral, it becomes ambiguous.

1130
00:52:27,320 --> 00:52:31,320
The ambiguity is hard to govern because no one feels fully authorized to intervene.

1131
00:52:31,320 --> 00:52:34,200
The system keeps the workspace alive because deletion feels risky

1132
00:52:34,200 --> 00:52:37,640
and the people around it avoid cleanup because they might need that context later.

1133
00:52:37,640 --> 00:52:40,200
IT hesitates because business relevance is unclear,

1134
00:52:40,200 --> 00:52:43,320
and the business hesitates because the technical implications are fuzzy.

1135
00:52:43,320 --> 00:52:45,960
The space stays in the tenant as a tolerated unknown,

1136
00:52:45,960 --> 00:52:49,320
and tolerated unknowns are exactly how fragile environment scale.

1137
00:52:49,320 --> 00:52:53,560
This is also why lifecycle controls fail more often than leaders expect,

1138
00:52:53,560 --> 00:52:57,560
because lifecycle only works when someone can actually answer basic questions.

1139
00:52:57,560 --> 00:53:01,480
If nobody can tell you who owns the content or who approves access changes,

1140
00:53:01,480 --> 00:53:03,800
the workspace is outside effective governance.

1141
00:53:03,800 --> 00:53:07,560
Once enough of these accumulate, the tenant starts carrying abandoned structures inside

1142
00:53:07,560 --> 00:53:10,120
live business operations. They aren't archived or reviewed,

1143
00:53:10,120 --> 00:53:13,880
they're just left in place because removal feels more dangerous than continuation.

1144
00:53:13,880 --> 00:53:16,520
This is a business risk pattern, not a storage pattern,

1145
00:53:16,520 --> 00:53:20,520
because these spaces affect audit readiness and access exposure all at once.

1146
00:53:20,520 --> 00:53:24,200
An orphaned workspace is a collaboration asset that still holds business value,

1147
00:53:24,200 --> 00:53:25,960
but no longer has clear accountability.

1148
00:53:25,960 --> 00:53:28,520
It's a risk container, not because something dramatic happened,

1149
00:53:28,520 --> 00:53:30,200
but because nothing happened at all.

1150
00:53:30,200 --> 00:53:33,080
No one reviewed it, no one closed it, and no one reclaimed control.

1151
00:53:33,080 --> 00:53:37,240
In Microsoft 365, that kind of silence is exactly how hidden exposure survives.

1152
00:53:37,240 --> 00:53:40,200
Why auditability fails before security fails?

1153
00:53:40,200 --> 00:53:43,880
The reason this matters is that most organizations discover their governance

1154
00:53:43,880 --> 00:53:46,360
is weak in a very specific painful order.

1155
00:53:46,360 --> 00:53:49,480
It doesn't happen when the first bad permission is granted,

1156
00:53:49,480 --> 00:53:52,840
or when a stale site is ignored for the sixth month in a row.

1157
00:53:52,840 --> 00:53:55,560
It doesn't even happen when a risky external share occurs.

1158
00:53:55,560 --> 00:53:58,840
They discover the system is broken when someone finally asks for proof.

1159
00:53:58,840 --> 00:54:02,440
Maybe a regulator comes knocking, or the legal team needs a discovery report,

1160
00:54:02,440 --> 00:54:05,320
or an executive starts asking questions after a near miss.

1161
00:54:05,320 --> 00:54:09,400
An auditor eventually asks a simple question that should have a one sentence answer.

1162
00:54:09,400 --> 00:54:11,720
Who access this content? When did they do it?

1163
00:54:11,720 --> 00:54:13,080
And what control allowed it?

1164
00:54:13,080 --> 00:54:14,600
And suddenly the room gets quiet.

1165
00:54:14,600 --> 00:54:18,840
This is the part many leaders miss because they assume security is the first thing to go.

1166
00:54:18,840 --> 00:54:22,040
But security failure is rarely the first visible sign of trouble.

1167
00:54:22,040 --> 00:54:25,160
Auditability failure is the real early warning light.

1168
00:54:25,160 --> 00:54:27,320
Long before a breach is formally declared,

1169
00:54:27,320 --> 00:54:31,720
the organization has usually already lost the ability to explain its own environment with confidence.

1170
00:54:31,720 --> 00:54:35,560
A lot of tenants generate logs, but generating data is not the same as reviewing it.

1171
00:54:35,560 --> 00:54:37,560
Most platforms support audit trails,

1172
00:54:37,560 --> 00:54:40,680
but that is not the same as maintaining an evidence chain strong enough

1173
00:54:40,680 --> 00:54:42,680
to hold up under professional scrutiny.

1174
00:54:42,680 --> 00:54:46,440
In many companies, audit habits are still driven by events rather than systems.

1175
00:54:46,440 --> 00:54:49,800
Something breaks so people go looking for a cause, a request arrives,

1176
00:54:49,800 --> 00:54:52,120
so the IT team starts tracing steps.

1177
00:54:52,120 --> 00:54:56,120
A dispute appears, and only then does the tenant get examined under a microscope.

1178
00:54:56,120 --> 00:54:59,480
But if your auditability only becomes active after the stress arrives,

1179
00:54:59,480 --> 00:55:02,920
your environment is already under-instrumented from a system perspective.

1180
00:55:02,920 --> 00:55:05,000
Evidence is not most valuable after the fact.

1181
00:55:05,000 --> 00:55:08,440
It is most valuable when it functions as a normal everyday control.

1182
00:55:08,440 --> 00:55:12,440
This is where weak governance shows up in a very practical, expensive way.

1183
00:55:12,440 --> 00:55:16,200
Basic questions that should take seconds to answer suddenly require a week of manual labor.

1184
00:55:16,680 --> 00:55:19,480
You find yourself asking if the file was labeled at the time,

1185
00:55:19,480 --> 00:55:23,800
if external sharing was even active, or if the workspace had a legitimate owner.

1186
00:55:23,800 --> 00:55:28,200
The confusion grows when you realize the answers are scattered across different silos.

1187
00:55:28,200 --> 00:55:30,280
Identity is reviewed in one place,

1188
00:55:30,280 --> 00:55:34,680
data policy lives in another, and threat signals sit somewhere else entirely.

1189
00:55:34,680 --> 00:55:38,040
If you also have shared admin accounts or disconnected automation,

1190
00:55:38,040 --> 00:55:39,720
your evidence chain falls apart.

1191
00:55:39,720 --> 00:55:43,320
You might have fragments of telemetry, but fragments are not the same as proof.

1192
00:55:43,320 --> 00:55:46,280
That is why auditability fails before security fails.

1193
00:55:46,280 --> 00:55:49,480
The first thing you lose is not protection, but explainability.

1194
00:55:49,480 --> 00:55:51,480
In the business reality we work in today,

1195
00:55:51,480 --> 00:55:53,880
boards and regulators do not reward assumptions.

1196
00:55:53,880 --> 00:55:57,320
They reward evidence they want to see that your governance is a lived reality,

1197
00:55:57,320 --> 00:55:59,400
not just a document sitting on a sharepoint site.

1198
00:55:59,400 --> 00:56:03,320
I've seen this happen firsthand where a near miss triggered a basic access review,

1199
00:56:03,320 --> 00:56:05,480
and the hardest part wasn't fixing the permissions.

1200
00:56:05,480 --> 00:56:06,840
It was the reconstruction.

1201
00:56:06,840 --> 00:56:10,760
The team had to piece together what happened across different tools and timestamps,

1202
00:56:10,760 --> 00:56:14,360
because no one had built a clean operational rhythm around evidence.

1203
00:56:14,360 --> 00:56:17,160
The tenant was functioning, but the audit story was dead.

1204
00:56:17,160 --> 00:56:19,960
Once that story dies, the business impact widens fast.

1205
00:56:19,960 --> 00:56:23,400
Legal responses slow down, board confidence drops,

1206
00:56:23,400 --> 00:56:26,840
and your security team spends all their energy reconstructing history

1207
00:56:26,840 --> 00:56:29,080
instead of reducing present risk.

1208
00:56:29,080 --> 00:56:33,480
Leadership realizes too late that we think we're covered is not a defensible position.

1209
00:56:33,480 --> 00:56:35,480
So if you want one clear rule, it's this.

1210
00:56:35,480 --> 00:56:39,720
If you cannot answer who accessed what and why without assembling a small crisis team,

1211
00:56:39,720 --> 00:56:43,640
your tenant is not audit ready, and an environment that isn't audit ready

1212
00:56:43,640 --> 00:56:48,120
is usually much less secure than it looks because weak evidence hygiene and weak control hygiene

1213
00:56:48,120 --> 00:56:49,320
always travel together.

1214
00:56:49,320 --> 00:56:51,240
Watch how hard it is to prove control.

1215
00:56:51,240 --> 00:56:55,080
When proof becomes slow or conditional, you should assume the hidden tenant

1216
00:56:55,080 --> 00:56:58,360
has already grown far beyond the story your dashboards are telling you.

1217
00:56:58,360 --> 00:57:03,320
What structural resilience in M365 actually looks like?

1218
00:57:03,320 --> 00:57:08,520
If auditability is the early warning sign, we have to ask what a better-built tenant actually looks like.

1219
00:57:08,520 --> 00:57:12,520
I'm not talking about a fantasy environment with zero drift and zero human mess.

1220
00:57:12,520 --> 00:57:16,120
I mean a tenant that stays governable while the business keeps moving at full speed,

1221
00:57:16,120 --> 00:57:19,160
that is what I call structural resilience.

1222
00:57:19,160 --> 00:57:25,000
In Microsoft 365, this resilience isn't created by a single policy or a one-time cleaner project.

1223
00:57:25,000 --> 00:57:28,360
It comes from building control into the operating rhythm of the environment

1224
00:57:28,360 --> 00:57:31,400
so the tenant can absorb change without losing visibility.

1225
00:57:31,400 --> 00:57:34,120
Governance cannot sit beside your operations.

1226
00:57:34,120 --> 00:57:35,800
It has to sit inside them.

1227
00:57:35,800 --> 00:57:39,480
If your control model depends on periodic heroics from a few smart people,

1228
00:57:39,480 --> 00:57:40,760
your system is fragile.

1229
00:57:40,760 --> 00:57:44,440
It means the environment is only stable when specific individuals are paying on

1230
00:57:44,440 --> 00:57:48,200
usual attention, which is just temporary compensation, not true resilience.

1231
00:57:48,200 --> 00:57:51,640
A resilient tenant behaves differently because it is designed with redundancy.

1232
00:57:51,640 --> 00:57:56,040
It has redundancy in ownership, so one person leaving doesn't create an instant or

1233
00:57:56,040 --> 00:57:57,080
often workspace.

1234
00:57:57,080 --> 00:58:02,040
It has redundancy in policy enforcement, so labels don't depend entirely on a user's memory.

1235
00:58:02,040 --> 00:58:07,560
Most importantly, it has redundancy and evidence, so proving control doesn't require a forensic investigation.

1236
00:58:07,560 --> 00:58:10,120
The resilient systems assume that drift will happen,

1237
00:58:10,120 --> 00:58:13,160
and they don't bet the entire business on the hope that things will stay perfect.

1238
00:58:13,160 --> 00:58:16,760
In practice, this starts with treating ownership as an operational control.

1239
00:58:16,760 --> 00:58:21,240
Work spaces must have named accountability, and those owners must be reviewed regularly.

1240
00:58:21,240 --> 00:58:25,080
If a space becomes ownerless, the system should trigger an automatic action.

1241
00:58:25,080 --> 00:58:29,880
When ownership is weak, every other layer of your security gets thinner over time.

1242
00:58:29,880 --> 00:58:32,760
Next, your policy enforcement needs to be as automated as possible.

1243
00:58:32,760 --> 00:58:36,760
This isn't because automation is a trend, but because manual governance cannot scale

1244
00:58:36,760 --> 00:58:38,360
with modern collaboration.

1245
00:58:38,360 --> 00:58:42,440
Sensitivity labels, life cycle prompts, and access reviews need to reduce your

1246
00:58:42,440 --> 00:58:44,360
dependence on perfect human behavior.

1247
00:58:44,360 --> 00:58:48,440
The people inside your system are busy, and structural resilience means the environment

1248
00:58:48,440 --> 00:58:50,280
supports good behavior by default.

1249
00:58:50,280 --> 00:58:53,240
Monitoring also needs to be continuous, I don't mean constant panic,

1250
00:58:53,240 --> 00:58:55,160
but rather continuous visibility.

1251
00:58:55,160 --> 00:58:58,760
You should be watching for broad sharing or unlabeled content as a living

1252
00:58:58,760 --> 00:59:02,680
condition of the tenant, not as a quarterly surprise that ruins everyone's weekend.

1253
00:59:02,680 --> 00:59:05,240
This is also where leaders need to get the two logic right.

1254
00:59:05,240 --> 00:59:07,320
Per view and Sentinel are not the same thing.

1255
00:59:07,320 --> 00:59:11,160
Per view helps you govern your data posture through classification and retention,

1256
00:59:11,160 --> 00:59:13,880
helping you answer if your data is governed and provable.

1257
00:59:13,880 --> 00:59:16,920
Sentinel is about threat detection and response across signals.

1258
00:59:16,920 --> 00:59:21,160
Too many organizations talk about visibility as if one dashboard can do every job,

1259
00:59:21,160 --> 00:59:22,120
but it can't.

1260
00:59:22,120 --> 00:59:26,280
Data governance and threat hunting are related, but they are two different disciplines.

1261
00:59:26,280 --> 00:59:29,560
Structural resilience means using these native controls correctly,

1262
00:59:29,560 --> 00:59:32,040
and then surrounding them with habits that keep them alive.

1263
00:59:32,040 --> 00:59:35,640
Regular ownership checks, life cycle enforcement, and audit review

1264
00:59:35,640 --> 00:59:37,480
cadences aren't glamorous tasks.

1265
00:59:37,480 --> 00:59:41,800
However, from a structural perspective, they are what keep your tenant from decaying

1266
00:59:41,800 --> 00:59:43,640
into a high-functioning blind spot.

1267
00:59:43,640 --> 00:59:46,280
The real test for any executive is simple.

1268
00:59:46,280 --> 00:59:50,920
Can your Microsoft 365 environment keep changing without becoming harder to govern?

1269
00:59:50,920 --> 00:59:51,800
Every single quarter.

1270
00:59:51,800 --> 00:59:55,640
If the answer is no, your environment might be productive, but it is not resilient.

1271
00:59:55,640 --> 00:59:58,040
Resilience doesn't mean that nothing ever goes wrong.

1272
00:59:58,040 --> 01:00:01,160
It means the environment stays controllable while reality keeps moving.

1273
01:00:01,160 --> 01:00:02,920
That is what mature governance looks like,

1274
01:00:02,920 --> 01:00:06,280
operational discipline with enough redundancy to prevent the tenant itself

1275
01:00:06,280 --> 01:00:08,440
from becoming a single point of failure.

1276
01:00:08,440 --> 01:00:11,960
The executive scorecard that should exist before the next AI decision,

1277
01:00:11,960 --> 01:00:14,120
if structural resilience is your actual goal,

1278
01:00:14,120 --> 01:00:17,560
then leadership needs a scorecard that reflects structural reality

1279
01:00:17,560 --> 01:00:19,400
rather than just vanity metrics.

1280
01:00:19,400 --> 01:00:22,520
We need to move past looking at platform activity alone,

1281
01:00:22,520 --> 01:00:26,520
because seeing a spike in usage growth might suggest people are collaborating,

1282
01:00:26,520 --> 01:00:30,920
but it says almost nothing about whether that collaboration is actually governable.

1283
01:00:30,920 --> 01:00:35,000
The scorecard I would want in every executive review before the next co-pilot expansion,

1284
01:00:35,000 --> 01:00:37,800
automation push, or compliance conversation,

1285
01:00:37,800 --> 01:00:41,640
is built around three core measures that define your system health.

1286
01:00:41,640 --> 01:00:43,880
The first measure is the permission sprawl index.

1287
01:00:43,880 --> 01:00:47,800
Very simply, we need to know what percentage of your people can access content

1288
01:00:47,800 --> 01:00:49,960
that sits far beyond their actual business need.

1289
01:00:49,960 --> 01:00:53,320
This isn't a theoretical exercise about how you designed your permissions,

1290
01:00:53,320 --> 01:00:56,680
but a look at how they work in practice across inherited groups,

1291
01:00:56,680 --> 01:00:59,480
stale project spaces, and overshared folders.

1292
01:00:59,480 --> 01:01:02,840
If your tenant is exposing far more data than people need to do their jobs,

1293
01:01:02,840 --> 01:01:05,880
then AI doesn't create the risk, it simply operationalizes it

1294
01:01:05,880 --> 01:01:08,520
by making that data instantly discoverable.

1295
01:01:08,520 --> 01:01:10,600
The second metric is time to control lag.

1296
01:01:10,600 --> 01:01:13,880
We have to measure how long it takes between the creation of a new team,

1297
01:01:13,880 --> 01:01:15,240
or automation surface,

1298
01:01:15,240 --> 01:01:18,040
and the moment real governance actually snaps into place.

1299
01:01:18,040 --> 01:01:20,920
This includes classification, ownership, and policy coverage.

1300
01:01:20,920 --> 01:01:23,800
If that lag is measured in weeks instead of hours,

1301
01:01:23,800 --> 01:01:27,320
then your organization is repeatedly creating uncontrolled environments

1302
01:01:27,320 --> 01:01:29,640
during the exact period when they are most active.

1303
01:01:29,640 --> 01:01:31,880
That isn't just a small gap in your process.

1304
01:01:31,880 --> 01:01:35,320
It is a recurring risk window built directly into your operating model.

1305
01:01:35,320 --> 01:01:37,720
The third pillar is the compliance visibility gap.

1306
01:01:37,720 --> 01:01:41,160
We need to identify what percentage of business critical data is not covered

1307
01:01:41,160 --> 01:01:43,640
by enforceable labels, retention, or review evidence.

1308
01:01:43,640 --> 01:01:46,520
I'm not talking about what your policy says should be covered,

1309
01:01:46,520 --> 01:01:48,840
but what is demonstrably protected right now?

1310
01:01:48,840 --> 01:01:50,600
If leadership cannot see that number clearly,

1311
01:01:50,600 --> 01:01:53,800
then every assurance conversation is sitting on a dangerous assumption.

1312
01:01:53,800 --> 01:01:55,400
If you cannot measure these three things,

1313
01:01:55,400 --> 01:01:56,760
you do not control your tenant,

1314
01:01:56,760 --> 01:01:58,760
and that is the anchor line for everything else.

1315
01:01:58,760 --> 01:01:59,880
Around those three pillars,

1316
01:01:59,880 --> 01:02:01,720
I would want a set of supporting signals

1317
01:02:01,720 --> 01:02:04,280
that make the hidden layer of your infrastructure visible.

1318
01:02:04,280 --> 01:02:06,360
We should track the often workspace rate to see

1319
01:02:06,360 --> 01:02:08,680
how many active sites have no current owner,

1320
01:02:08,680 --> 01:02:10,680
and monitor external sharing exposure

1321
01:02:10,680 --> 01:02:14,760
to find spaces that allow sharing the business hasn't revalidated.

1322
01:02:14,760 --> 01:02:17,800
We also need to look at labeling coverage for high-value content

1323
01:02:17,800 --> 01:02:19,800
and the actual cadence of your audit reviews.

1324
01:02:19,800 --> 01:02:22,040
Most importantly, we need to see the trend direction

1325
01:02:22,040 --> 01:02:25,320
to know if the tenant is getting more governable over time or just more active.

1326
01:02:25,320 --> 01:02:28,760
Activity without governability is exactly how leaders misread risk,

1327
01:02:28,760 --> 01:02:32,040
and this is why the scorecard cannot live only in technical meetings.

1328
01:02:32,040 --> 01:02:35,160
If these metrics stay trapped inside admin conversations,

1329
01:02:35,160 --> 01:02:38,200
the board hears one story while the people responsible for AI scale

1330
01:02:38,200 --> 01:02:40,520
react to a completely different version of reality.

1331
01:02:40,520 --> 01:02:42,600
That is a fragile way to run a business.

1332
01:02:42,600 --> 01:02:44,520
These measures belong in governance reviews

1333
01:02:44,520 --> 01:02:45,800
where real decisions are made

1334
01:02:45,800 --> 01:02:48,840
because each metric translates directly into a business outcome

1335
01:02:48,840 --> 01:02:50,520
that executives understand.

1336
01:02:50,520 --> 01:02:52,760
Permissions sprawl translates into your blast radius

1337
01:02:52,760 --> 01:02:55,160
during a breach while time-to-control lag translates

1338
01:02:55,160 --> 01:02:57,560
into unmanage growth and delay assurance.

1339
01:02:57,560 --> 01:03:00,600
The compliance visibility gap shows up as audit weakness

1340
01:03:00,600 --> 01:03:04,120
and the oftened workspace rate represents a total fade in accountability.

1341
01:03:04,120 --> 01:03:06,840
By tying each structural condition to exposure, delay,

1342
01:03:06,840 --> 01:03:07,880
and decision confidence,

1343
01:03:07,880 --> 01:03:10,520
you make governance legible at the executive level.

1344
01:03:10,520 --> 01:03:13,480
You aren't drowning leadership in technical controls language.

1345
01:03:13,480 --> 01:03:15,880
You are giving them the data they need to manage the business.

1346
01:03:15,880 --> 01:03:17,960
The scorecard is not there to create fear,

1347
01:03:17,960 --> 01:03:21,080
but to end the ambiguity that slows down innovation.

1348
01:03:21,080 --> 01:03:22,840
Once you can see these measures clearly,

1349
01:03:22,840 --> 01:03:24,920
you stop asking broad, useless questions

1350
01:03:24,920 --> 01:03:27,160
like whether the company is ready for AI.

1351
01:03:27,160 --> 01:03:30,440
Instead, you start asking where your exposure is already highest,

1352
01:03:30,440 --> 01:03:32,520
and which parts of the tenant are scaling faster

1353
01:03:32,520 --> 01:03:34,120
than your ability to control them.

1354
01:03:34,120 --> 01:03:36,200
That is a much more serious operating posture,

1355
01:03:36,200 --> 01:03:38,920
and it is also much more useful for long-term growth.

1356
01:03:38,920 --> 01:03:41,640
The moment leadership starts reviewing the tenant this way,

1357
01:03:41,640 --> 01:03:44,760
Microsoft 365 stops being treated like a software subscription

1358
01:03:44,760 --> 01:03:46,440
with some admin settings on top.

1359
01:03:46,440 --> 01:03:49,160
It starts being treated like business infrastructure

1360
01:03:49,160 --> 01:03:52,840
that needs observability and ownership to support secure scale.

1361
01:03:52,840 --> 01:03:54,520
Because this is living infrastructure,

1362
01:03:54,520 --> 01:03:57,800
the first move you make shouldn't be a massive transformation program,

1363
01:03:57,800 --> 01:04:00,520
but a focused look at the ground you are already standing on.

1364
01:04:00,520 --> 01:04:03,480
The 14-day governance reality check.

1365
01:04:03,480 --> 01:04:06,040
If the scorecard is what leadership should review,

1366
01:04:06,040 --> 01:04:09,080
the next question is what you should actually do on Monday morning to get started.

1367
01:04:09,080 --> 01:04:11,480
I would strongly suggest you resist the usual instinct

1368
01:04:11,480 --> 01:04:13,400
to launch a six-month transformation program

1369
01:04:13,400 --> 01:04:15,240
or disappear into policy workshops

1370
01:04:15,240 --> 01:04:17,400
while the tenant keeps drifting underneath you.

1371
01:04:17,400 --> 01:04:20,520
Instead, start with a reality check that lasts exactly 14 days.

1372
01:04:20,520 --> 01:04:23,240
The goal isn't to solve every problem at once,

1373
01:04:23,240 --> 01:04:25,960
but to see clearly enough that your next decisions

1374
01:04:25,960 --> 01:04:28,600
are grounded in evidence instead of comfort.

1375
01:04:28,600 --> 01:04:31,960
This 14-day check is an exposure project designed to answer

1376
01:04:31,960 --> 01:04:33,640
one simple executive question.

1377
01:04:33,640 --> 01:04:35,800
What kind of tenant do we actually have right now?

1378
01:04:35,800 --> 01:04:38,120
Step one is a baseline exposure scan,

1379
01:04:38,120 --> 01:04:40,760
where you get a real view of who has access to what.

1380
01:04:40,760 --> 01:04:43,080
You need to find which sites are broadly accessible

1381
01:04:43,080 --> 01:04:45,560
and which external sharing parts remain open.

1382
01:04:45,560 --> 01:04:49,240
This matters because most leadership teams are governing by assumption.

1383
01:04:49,240 --> 01:04:50,600
Knowing policies exist,

1384
01:04:50,600 --> 01:04:53,480
but not knowing the live overlap between sensitive content

1385
01:04:53,480 --> 01:04:55,400
and real access patterns.

1386
01:04:55,400 --> 01:04:57,400
For the first few days, your goal is visibility

1387
01:04:57,400 --> 01:04:59,000
rather than perfect classification.

1388
01:04:59,000 --> 01:05:01,800
You need to identify where the tenant is obviously overexposed

1389
01:05:01,800 --> 01:05:04,200
and which collaboration spaces would make you uncomfortable

1390
01:05:04,200 --> 01:05:06,360
if their discoverability increased tomorrow.

1391
01:05:06,360 --> 01:05:10,200
This gives you a starting map of the highest risk concentrations of business value.

1392
01:05:10,200 --> 01:05:12,280
Once you have that map, you can move to step two,

1393
01:05:12,280 --> 01:05:14,120
which is an uncontrolled workspace audit

1394
01:05:14,120 --> 01:05:17,000
where you stop looking at data and start looking at containers.

1395
01:05:17,000 --> 01:05:19,480
You need to find the teams, sharepoint sites,

1396
01:05:19,480 --> 01:05:20,920
and groups that are active

1397
01:05:20,920 --> 01:05:23,400
without any clear control conditions around them.

1398
01:05:23,400 --> 01:05:25,960
These are the spaces with no owner, no classification,

1399
01:05:25,960 --> 01:05:28,600
and membership that no one has reviewed in months.

1400
01:05:28,600 --> 01:05:31,640
Risk in Microsoft 365 doesn't just sit in files.

1401
01:05:31,640 --> 01:05:35,560
It sits in the places that gather files, people, and permissions over time.

1402
01:05:35,560 --> 01:05:38,040
If those places are drifting without ownership,

1403
01:05:38,040 --> 01:05:41,880
then your tenant is accumulating unmanaged business context every single day.

1404
01:05:41,880 --> 01:05:45,640
When leaders see how many live containers sit outside of clean governance,

1405
01:05:45,640 --> 01:05:48,280
the tenant stops looking like a need-success story

1406
01:05:48,280 --> 01:05:51,080
and starts looking like infrastructure that needs discipline.

1407
01:05:51,080 --> 01:05:53,160
You are looking for the obvious structural gaps,

1408
01:05:53,160 --> 01:05:56,280
like onerless spaces or sites that should have expired

1409
01:05:56,280 --> 01:05:57,640
but are still sitting open.

1410
01:05:57,640 --> 01:06:01,080
This audit usually changes the tone of the conversation very fast

1411
01:06:01,080 --> 01:06:04,360
because it highlights exactly where the business has lost accountability

1412
01:06:04,360 --> 01:06:05,640
for its own data.

1413
01:06:05,640 --> 01:06:07,720
Step three is a policy gap snapshot,

1414
01:06:07,720 --> 01:06:11,320
where you ask the hard questions about what is actually happening in the environment.

1415
01:06:11,320 --> 01:06:14,120
You need to know what percentage of important content is labeled

1416
01:06:14,120 --> 01:06:15,880
and how much retention coverage is real

1417
01:06:15,880 --> 01:06:18,280
versus what is just documented on a PDF somewhere.

1418
01:06:18,280 --> 01:06:19,960
This is where documented governance

1419
01:06:19,960 --> 01:06:22,600
and enforced governance finally separate.

1420
01:06:22,600 --> 01:06:24,600
Many organizations have great policies on paper

1421
01:06:24,600 --> 01:06:27,720
but very few can show that those policies are actually being enforced

1422
01:06:27,720 --> 01:06:28,680
in the live environment.

1423
01:06:28,680 --> 01:06:31,880
Notice that this 14-day process is not a massive technical rebuild

1424
01:06:31,880 --> 01:06:33,080
or a licensing debate.

1425
01:06:33,080 --> 01:06:36,120
It is a reality check that makes hidden conditions visible enough

1426
01:06:36,120 --> 01:06:38,600
for executive action and that is exactly why it works.

1427
01:06:38,600 --> 01:06:40,600
Once you have this baseline, you can stop saying

1428
01:06:40,600 --> 01:06:43,080
you think you are in control and start pointing to exactly

1429
01:06:43,080 --> 01:06:44,920
where exposure is concentrated.

1430
01:06:44,920 --> 01:06:47,400
That is a completely different quality of decision-making

1431
01:06:47,400 --> 01:06:49,960
that leads to much better outcomes for the business.

1432
01:06:49,960 --> 01:06:52,440
The expected outcome here isn't perfection

1433
01:06:52,440 --> 01:06:56,520
but total clarity on whether your tenant is ready for more AI discoverability.

1434
01:06:56,520 --> 01:06:59,560
You need to know if your compliance confidence is based on evidence

1435
01:06:59,560 --> 01:07:02,600
or if the business is just operating on tolerated drift.

1436
01:07:02,600 --> 01:07:06,200
If I were advising a board-level leader, I would tell them to run this check

1437
01:07:06,200 --> 01:07:08,440
before making any major expansion decisions.

1438
01:07:08,440 --> 01:07:11,720
If you invest in more AI without measuring this hidden layer,

1439
01:07:11,720 --> 01:07:14,040
you aren't accelerating a controlled environment.

1440
01:07:14,040 --> 01:07:16,520
You are just accelerating ambiguity.

1441
01:07:16,520 --> 01:07:19,640
What leaders need to stop saying about Microsoft 365?

1442
01:07:19,640 --> 01:07:21,560
Once you have run that reality check,

1443
01:07:21,560 --> 01:07:23,480
something else becomes unavoidable

1444
01:07:23,480 --> 01:07:26,200
and certain leadership phrases stop being harmless.

1445
01:07:26,200 --> 01:07:28,920
They start becoming evidence that the organization is still managing

1446
01:07:28,920 --> 01:07:30,680
the visible tenant instead of the real one.

1447
01:07:30,680 --> 01:07:34,120
The first one I hear all the time is the claim that we haven't had an incident.

1448
01:07:34,120 --> 01:07:38,200
But here is the thing, the absence of a visible incident is not proof of control.

1449
01:07:38,200 --> 01:07:41,560
It might only be proof that nothing has forced the hidden layer into the open yet

1450
01:07:41,560 --> 01:07:46,120
because no regulator asked and no AI rollout exposed your discoverability.

1451
01:07:46,120 --> 01:07:48,520
When no legal event requires reconstruction

1452
01:07:48,520 --> 01:07:51,720
and no major near-miss surfaces in a way leadership can feel,

1453
01:07:51,720 --> 01:07:55,000
you aren't looking at resilience, you are looking at untested exposure.

1454
01:07:55,000 --> 01:07:56,760
The second phrase is just as common,

1455
01:07:56,760 --> 01:08:00,040
which is the idea that the platform is secure by default.

1456
01:08:00,040 --> 01:08:02,920
Now from a Microsoft perspective, there are strong controls available

1457
01:08:02,920 --> 01:08:05,880
but available controls and operating defaults are not the same thing.

1458
01:08:05,880 --> 01:08:07,960
The business does not run on vendor potential.

1459
01:08:07,960 --> 01:08:11,080
It runs on the tenant as it is actually configured,

1460
01:08:11,080 --> 01:08:13,560
governed and maintained in your specific environment.

1461
01:08:13,560 --> 01:08:15,560
When leaders say secure by default

1462
01:08:15,560 --> 01:08:17,880
without examining local ownership or audit habits,

1463
01:08:17,880 --> 01:08:20,120
they are borrowing confidence from the platform brand

1464
01:08:20,120 --> 01:08:22,520
instead of their own operating reality.

1465
01:08:22,520 --> 01:08:24,200
That is a fragile way to run a system.

1466
01:08:24,200 --> 01:08:26,920
The next one is softer, but it carries just as much risk

1467
01:08:26,920 --> 01:08:29,080
the claim that our admins have policies.

1468
01:08:29,080 --> 01:08:32,360
Maybe they do, but policy existence is not the same as policy reach.

1469
01:08:32,360 --> 01:08:35,240
A policy that is written is different from one that is configured

1470
01:08:35,240 --> 01:08:38,680
and a policy that is enforced is different from one that is actually reviewed.

1471
01:08:38,680 --> 01:08:41,480
Those are four very different stages of maturity.

1472
01:08:41,480 --> 01:08:44,200
What matters in business reality is not whether someone can show

1473
01:08:44,200 --> 01:08:45,960
a setting screen or a governance document

1474
01:08:45,960 --> 01:08:50,040
but whether the tenant is actually behaving inside those controls at scale.

1475
01:08:50,040 --> 01:08:53,880
If enforcement is partial or dependent on manual cleanup,

1476
01:08:53,880 --> 01:08:57,400
then saying you have policies creates comfort without proving control.

1477
01:08:57,400 --> 01:09:00,760
Then there is the phrase that usually appears when drift becomes visible,

1478
01:09:00,760 --> 01:09:03,400
which is the suggestion that users need more training.

1479
01:09:03,400 --> 01:09:06,280
Sometimes they do, but training is not a structural substitute

1480
01:09:06,280 --> 01:09:08,600
for bad defaults and friction heavy operating models.

1481
01:09:08,600 --> 01:09:11,240
And if people keep oversharing or building shadow workflows,

1482
01:09:11,240 --> 01:09:14,520
the answer cannot always be that they need another awareness session.

1483
01:09:14,520 --> 01:09:16,920
Very often the environment is rewarding drift

1484
01:09:16,920 --> 01:09:20,280
because the governed path is slower or less usable than the workaround.

1485
01:09:20,280 --> 01:09:23,720
That is not mainly a training problem, it is a design problem.

1486
01:09:23,720 --> 01:09:26,040
There is one more phrase I think leaders need to retire

1487
01:09:26,040 --> 01:09:28,280
and that is the claim that we are broadly covered.

1488
01:09:28,280 --> 01:09:31,880
This is one of those reassuring sentences that collapses under even basic scrutiny

1489
01:09:31,880 --> 01:09:33,720
because it avoids every important specific.

1490
01:09:33,720 --> 01:09:34,760
Broadly covered where?

1491
01:09:34,760 --> 01:09:38,040
On labels, on retention or on AI ready access controls.

1492
01:09:38,040 --> 01:09:40,440
Structurally, vagueness is the whole problem here.

1493
01:09:40,440 --> 01:09:43,000
If you are broadly covered but cannot show the permissions

1494
01:09:43,000 --> 01:09:45,160
brawl index or the compliance visibility gap,

1495
01:09:45,160 --> 01:09:46,680
then you are not describing control.

1496
01:09:46,680 --> 01:09:49,400
You are describing confidence and confidence is not evidence.

1497
01:09:49,400 --> 01:09:50,920
So what should replace these phrases?

1498
01:09:50,920 --> 01:09:51,720
Better questions.

1499
01:09:51,720 --> 01:09:52,760
Who owns this space?

1500
01:09:52,760 --> 01:09:54,200
What is our real exposure surface?

1501
01:09:54,200 --> 01:09:56,680
How long do new workspaces stay uncontrolled?

1502
01:09:56,680 --> 01:09:59,400
What percentage of critical content is actually governed?

1503
01:09:59,400 --> 01:10:02,280
How quickly could we prove access history under pressure?

1504
01:10:02,280 --> 01:10:04,920
Where is discoverability about to outrun control?

1505
01:10:04,920 --> 01:10:07,880
Those are executive questions because they forced the organization

1506
01:10:07,880 --> 01:10:10,280
to move from comfort language to structural language.

1507
01:10:10,280 --> 01:10:13,240
They move you from platform trust to tenant evidence

1508
01:10:13,240 --> 01:10:15,720
and from assumptions to measurable conditions.

1509
01:10:15,720 --> 01:10:17,880
This is the mindset shift underneath the whole episode.

1510
01:10:17,880 --> 01:10:21,480
Microsoft 365 is not risky because collaboration exists.

1511
01:10:21,480 --> 01:10:25,880
It becomes risky when the scale of that collaboration outruns your ownership and control.

1512
01:10:25,880 --> 01:10:29,080
If I were sitting with a CIO or a board technology committee right now,

1513
01:10:29,080 --> 01:10:30,680
I'd say this very plainly.

1514
01:10:30,680 --> 01:10:32,680
Stop asking whether the platform works.

1515
01:10:32,680 --> 01:10:36,200
Of course it works that the real question is whether your operating model can prove

1516
01:10:36,200 --> 01:10:38,440
that what works is also under control.

1517
01:10:38,440 --> 01:10:40,120
Once you stop saying the wrong things,

1518
01:10:40,120 --> 01:10:43,080
you create room to make the real decision underneath all of this.

1519
01:10:43,080 --> 01:10:46,280
The real decision, productivity, theatre or governed scale.

1520
01:10:46,280 --> 01:10:50,280
After all of that, the real decision is not whether Microsoft 365 is useful

1521
01:10:50,280 --> 01:10:51,800
because we already know it is.

1522
01:10:51,800 --> 01:10:55,480
The real decision is whether the organization wants visible productivity

1523
01:10:55,480 --> 01:10:58,440
on top of hidden fragility or whether it wants governed scale.

1524
01:10:58,440 --> 01:10:59,720
Those are not the same future.

1525
01:10:59,720 --> 01:11:03,400
Productivity theatre is when collaboration looks strong from the outside.

1526
01:11:03,400 --> 01:11:05,960
But the structural layer underneath is drifting.

1527
01:11:05,960 --> 01:11:08,200
Usage is high, teams are active,

1528
01:11:08,200 --> 01:11:11,080
and leadership sees speed and calls it maturity.

1529
01:11:11,080 --> 01:11:15,080
But below that surface, permissions are sprawling and ownership is thinning

1530
01:11:15,080 --> 01:11:18,360
which means the environment is carrying more and more invisible debt.

1531
01:11:18,360 --> 01:11:21,480
Govern scale looks different and it does not mean slower collaboration.

1532
01:11:21,480 --> 01:11:25,560
It means collaboration that can keep expanding without losing control,

1533
01:11:25,560 --> 01:11:26,920
trust and proof.

1534
01:11:26,920 --> 01:11:29,720
New workspace is appear, but ownership is clear.

1535
01:11:29,720 --> 01:11:33,240
Content grows, but classification and life cycle keep pace.

1536
01:11:33,240 --> 01:11:36,680
AI gets introduced, but discoverability does not outrun governance.

1537
01:11:36,680 --> 01:11:40,360
The environment stays usable because the control model is built into the way it grows.

1538
01:11:40,360 --> 01:11:42,600
That is the distinction leaders need to sit with.

1539
01:11:42,600 --> 01:11:47,160
Many organizations still treat governance as if it is the tax you pay after productivity,

1540
01:11:47,160 --> 01:11:50,680
which is a logic that fails because cleanup does not stay behind growth.

1541
01:11:50,680 --> 01:11:52,120
It accumulates inside growth.

1542
01:11:52,120 --> 01:11:55,000
The bigger the tenant gets, the more expensive ambiguity becomes.

1543
01:11:55,000 --> 01:11:55,720
And why is that?

1544
01:11:55,720 --> 01:11:58,360
Because every unmanaged workspace and every stale permission

1545
01:11:58,360 --> 01:12:01,560
creates rework later for IT, compliance and legal.

1546
01:12:01,560 --> 01:12:03,640
Governance is not a break on performance.

1547
01:12:03,640 --> 01:12:07,000
It is an efficiency layer that reduces the cost of future change.

1548
01:12:07,000 --> 01:12:09,640
That is the part many executive teams still miss.

1549
01:12:09,640 --> 01:12:12,600
A governed tenant is easier to search, easier to secure,

1550
01:12:12,600 --> 01:12:15,480
and easier to scale without triggering avoidable hesitation.

1551
01:12:15,480 --> 01:12:21,240
It lowers friction in the places that matter later, which means governance improves the economics of the whole environment.

1552
01:12:21,240 --> 01:12:24,920
Now map that to the business choices ahead, like more co-pilot, more automation,

1553
01:12:24,920 --> 01:12:27,080
and more data moving across more surfaces.

1554
01:12:27,080 --> 01:12:29,960
If the tenant underneath that expansion is weakly owned,

1555
01:12:29,960 --> 01:12:33,720
the organization will keep paying an entropy tax on every next move.

1556
01:12:33,720 --> 01:12:35,800
Every innovation initiative starts with cleanup,

1557
01:12:35,800 --> 01:12:38,040
and every rollout carries hidden uncertainty,

1558
01:12:38,040 --> 01:12:40,840
because nobody is fully sure what the environment will surface.

1559
01:12:40,840 --> 01:12:41,960
That is not scale.

1560
01:12:41,960 --> 01:12:44,440
It is expansion without structural resilience.

1561
01:12:44,440 --> 01:12:47,320
From a business infrastructure perspective, that is the wrong bit.

1562
01:12:47,320 --> 01:12:51,640
Microsoft 365 is no longer just a software subscription sitting beside the business.

1563
01:12:51,640 --> 01:12:54,840
For many organizations, it is the business operating layer.

1564
01:12:54,840 --> 01:12:58,040
Communication documents and decisions all run through it.

1565
01:12:58,040 --> 01:13:00,040
If that layer is treated casually,

1566
01:13:00,040 --> 01:13:04,120
the organization is effectively building its future on infrastructure it cannot fully describe.

1567
01:13:04,120 --> 01:13:06,440
That should feel serious, not dramatic, just serious.

1568
01:13:06,440 --> 01:13:09,640
From a system perspective, the tenant will keep doing what it was shaped to do.

1569
01:13:09,640 --> 01:13:12,760
If it was shaped for frictionless growth without enough control,

1570
01:13:12,760 --> 01:13:15,640
it will keep producing speed and hidden exposure at the same time.

1571
01:13:15,640 --> 01:13:17,240
If it is shaped for governed growth,

1572
01:13:17,240 --> 01:13:20,440
it will support speed with more trust and less rework.

1573
01:13:20,440 --> 01:13:24,120
The decision is not productivity or governance because that is a false choice.

1574
01:13:24,120 --> 01:13:27,560
The real choice is short term appearance or sustainable scale.

1575
01:13:27,560 --> 01:13:32,040
It is visible output with hidden fragility or governed growth with structural resilience.

1576
01:13:32,040 --> 01:13:35,560
For leaders responsible for business reality, that is the actual call.

1577
01:13:35,560 --> 01:13:38,120
Implementation payoff and closing challenge.

1578
01:13:38,120 --> 01:13:39,320
My name is Mirko Peters,

1579
01:13:39,320 --> 01:13:42,360
and I translate how technology actually shapes business reality.

1580
01:13:42,360 --> 01:13:44,120
The payoff here is simple but critical.

1581
01:13:44,120 --> 01:13:46,760
Operational success in Microsoft 365,

1582
01:13:46,760 --> 01:13:48,280
often hides structural failure,

1583
01:13:48,280 --> 01:13:51,160
and that hidden layer is what actually determines your risk,

1584
01:13:51,160 --> 01:13:53,960
your trust, and whether your scale stays governable.

1585
01:13:53,960 --> 01:13:57,000
Before you commit to your next co-pilot rollout or security investment,

1586
01:13:57,000 --> 01:13:59,400
I want you to run the 14-day governance reality check

1587
01:13:59,400 --> 01:14:01,240
to see what is really happening under the hood.

1588
01:14:01,240 --> 01:14:03,880
If you audited your tenant the same way you audited your systems,

1589
01:14:03,880 --> 01:14:04,760
what would you find?

1590
01:14:04,760 --> 01:14:08,840
Subscribe and leave a review if this episode exposed the hidden layer for you,

1591
01:14:08,840 --> 01:14:10,600
and let's connect on LinkedIn.