The Embodied Lie: How the Speaking Agent Obscures Architectural Entropy

1
00:00:00,000 --> 00:00:02,200
At 0902, the agent signs in.

2
00:00:02,200 --> 00:00:06,880
Conditional access evaluates once, passes, and a token gets issued.

3
00:00:06,880 --> 00:00:11,000
At 0904, the meeting changes, and external guest joins a channel gets renamed

4
00:00:11,000 --> 00:00:13,200
a document link, shifts, whatever.

5
00:00:13,200 --> 00:00:14,360
Context moves.

6
00:00:14,360 --> 00:00:20,920
At 0907, the agent executes a destructive tool call anyway, inside the workload with a still valid token.

7
00:00:20,920 --> 00:00:23,240
At 0908, Perview has the transcript.

8
00:00:23,240 --> 00:00:24,760
Copilot logs have the activity.

9
00:00:24,760 --> 00:00:28,080
The identity is correct, the timestamps are correct, the story is perfect.

10
00:00:28,080 --> 00:00:32,720
Every control worked, every log is correct, and the system still did the wrong thing is

11
00:00:32,720 --> 00:00:33,600
what this is not.

12
00:00:33,600 --> 00:00:36,280
Anti-voice, anti-UX, anti-microsoft.

13
00:00:36,280 --> 00:00:37,880
This is not an anti-voice rant.

14
00:00:37,880 --> 00:00:43,320
Voice is useful, avatars are useful, accessibility matters, and real-time interaction matters.

15
00:00:43,320 --> 00:00:48,120
A speaking interface can lower friction, reduce cognitive load, and make a system usable

16
00:00:48,120 --> 00:00:50,560
for people who would never type into a chat box.

17
00:00:50,560 --> 00:00:52,760
This is also not an anti-microsoft episode.

18
00:00:52,760 --> 00:00:56,880
Microsoft has shipped real governance improvements that most platforms still don't have.

19
00:00:56,880 --> 00:01:01,320
Perview can capture transcripts, copilot studio can log activities, Entra has a clearer model

20
00:01:01,320 --> 00:01:03,840
for workload identities and non-human identities.

21
00:01:03,840 --> 00:01:06,120
Conditional access exists and it's mature.

22
00:01:06,120 --> 00:01:07,200
Those are not small things.

23
00:01:07,200 --> 00:01:10,640
That is the scaffolding you need for operating agents at enterprise scale.

24
00:01:10,640 --> 00:01:14,040
But this is the boundary line, the industry keeps refusing to say out loud.

25
00:01:14,040 --> 00:01:15,400
Forensics are not control.

26
00:01:15,400 --> 00:01:17,400
Or it tells you what happened after the fact.

27
00:01:17,400 --> 00:01:19,240
It gives you a narrative you can export.

28
00:01:19,240 --> 00:01:23,600
It helps legal, it helps incident response, it helps you argue with reality less.

29
00:01:23,600 --> 00:01:28,200
One of that prevents an allowed identity from doing a wrong thing at the moment of execution.

30
00:01:28,200 --> 00:01:30,200
And that's why the format of this episode matters.

31
00:01:30,200 --> 00:01:33,920
This isn't a tutorial on building agents, there won't be configuration walkthroughs, no

32
00:01:33,920 --> 00:01:35,400
click here demos.

33
00:01:35,400 --> 00:01:36,400
This is an autopsy.

34
00:01:36,400 --> 00:01:39,600
Claim, failure pattern, architectural cause consequence.

35
00:01:39,600 --> 00:01:41,600
Because the failure isn't that teams lack tools.

36
00:01:41,600 --> 00:01:45,360
The failure is that teams keep buying comfort instead of determinism.

37
00:01:45,360 --> 00:01:49,760
The embodied lie, trust signaling wrapped around probabilistic execution.

38
00:01:49,760 --> 00:01:50,840
Here's the embodied lie.

39
00:01:50,840 --> 00:01:54,080
A voice in a face are not features, they are trust signals.

40
00:01:54,080 --> 00:01:58,000
They're a human interface hack that makes a probabilistic system feel like a deterministic

41
00:01:58,000 --> 00:01:59,000
one.

42
00:01:59,000 --> 00:02:02,440
And the moment you add them, you change how people evaluate risk.

43
00:02:02,440 --> 00:02:05,920
The thing most people miss is that the speaking agent isn't just an agent.

44
00:02:05,920 --> 00:02:08,200
It's an execution engine, wearing a personality.

45
00:02:08,200 --> 00:02:10,200
The avatar doesn't make the agent more accurate.

46
00:02:10,200 --> 00:02:11,960
It makes the output more persuasive.

47
00:02:11,960 --> 00:02:14,880
That distinction matters because persuasion is not governance.

48
00:02:14,880 --> 00:02:17,600
In architectural terms, the agent is not a teammate.

49
00:02:17,600 --> 00:02:19,520
It is a distributed decision engine.

50
00:02:19,520 --> 00:02:23,880
It takes an input, retrieves some context, chooses a tool and executes an action.

51
00:02:23,880 --> 00:02:27,880
The choice is probabilistic, the retrieval is probabilistic, tool selection is probabilistic.

52
00:02:27,880 --> 00:02:31,480
Even when it's grounded, it's grounded in whatever it retrieved, not in what your intent

53
00:02:31,480 --> 00:02:32,480
actually was.

54
00:02:32,480 --> 00:02:36,760
Now add embodiment, low latency speech, smooth turn, taking a confident tone.

55
00:02:36,760 --> 00:02:38,040
Humans read those as competence.

56
00:02:38,040 --> 00:02:42,040
They stop asking what approved this and start accepting it sounded right.

57
00:02:42,040 --> 00:02:45,920
That's human interface trust bias doing what it always does, shifting scrutiny away from

58
00:02:45,920 --> 00:02:48,280
the control plane and onto the performance.

59
00:02:48,280 --> 00:02:50,400
That's why governance gets worse when you add a face.

60
00:02:50,400 --> 00:02:53,080
The organization starts optimizing for the experience plane.

61
00:02:53,080 --> 00:02:57,000
Prompt tweaks, persona tuning, make it sound more cautious.

62
00:02:57,000 --> 00:02:58,520
Add a confirmation question.

63
00:02:58,520 --> 00:02:59,600
Those are theater patches.

64
00:02:59,600 --> 00:03:01,440
They don't change the system's blast radius.

65
00:03:01,440 --> 00:03:02,760
They don't enforce intent.

66
00:03:02,760 --> 00:03:08,240
They don't create a deterministic gate between the agent's proposal and the platform's execution.

67
00:03:08,240 --> 00:03:12,320
This clicked for me when I watched teams celebrate transcripts as if they were safety.

68
00:03:12,320 --> 00:03:13,560
A transcript is not safety.

69
00:03:13,560 --> 00:03:15,440
A transcript is a post-incident artifact.

70
00:03:15,440 --> 00:03:16,440
It's a replay.

71
00:03:16,440 --> 00:03:17,440
It's a confession.

72
00:03:17,440 --> 00:03:20,520
You hand to counsel when the action already happened.

73
00:03:20,520 --> 00:03:23,160
The system did not become safer because it can narrate itself.

74
00:03:23,160 --> 00:03:26,600
Now, Microsoft will say the right things here and they're not wrong.

75
00:03:26,600 --> 00:03:28,760
Conditional access evaluates a token acquisition.

76
00:03:28,760 --> 00:03:30,800
Per view can capture interactions.

77
00:03:30,800 --> 00:03:31,800
Activity logs exist.

78
00:03:31,800 --> 00:03:33,280
Workload identity controls exist.

79
00:03:33,280 --> 00:03:34,280
That's the ticket booth.

80
00:03:34,280 --> 00:03:35,280
That's the camera system.

81
00:03:35,280 --> 00:03:36,280
That's the audit trail.

82
00:03:36,280 --> 00:03:41,360
But the embodied lie lives in the gap between those controls and the moment a tool called

83
00:03:41,360 --> 00:03:42,680
executes.

84
00:03:42,680 --> 00:03:45,000
Token time controls decide who can show up.

85
00:03:45,000 --> 00:03:47,560
And controls decide what is allowed to happen next.

86
00:03:47,560 --> 00:03:49,960
Most organizations build only the first one.

87
00:03:49,960 --> 00:03:53,080
Then they act surprised when the second one behaves like a suggestion.

88
00:03:53,080 --> 00:03:57,400
And this is where the speaking agent becomes an entropy generator because the more human

89
00:03:57,400 --> 00:04:01,440
it seems, the more likely you are to let it run with broad scopes, the more likely you

90
00:04:01,440 --> 00:04:06,040
are to skip segmentation, the more likely you are to accept its logged as a substitute

91
00:04:06,040 --> 00:04:07,800
for its prevented.

92
00:04:07,800 --> 00:04:12,960
Over time, you accumulate permissions, exceptions, and implicit trust until you have conditional

93
00:04:12,960 --> 00:04:13,960
chaos.

94
00:04:13,960 --> 00:04:18,160
And that behaves correctly most of the time, right up until the moment it doesn't.

95
00:04:18,160 --> 00:04:21,920
So when the agent speaks with certainty, treat that as a warning, not a reassurance.

96
00:04:21,920 --> 00:04:23,360
You are not hearing determinism.

97
00:04:23,360 --> 00:04:27,000
You are hearing probability wrapped in a voice that implies accountability.

98
00:04:27,000 --> 00:04:30,600
The control plane versus the experience plane, two timelines that don't meet.

99
00:04:30,600 --> 00:04:34,320
There are two timelines running every time an agent helps someone.

100
00:04:34,320 --> 00:04:38,320
Most organizations only instrument one of them because it's the one humans notice.

101
00:04:38,320 --> 00:04:39,880
That's the experience plane.

102
00:04:39,880 --> 00:04:43,840
It includes the chat transcript, the speaking voice, the avatar, the response latency,

103
00:04:43,840 --> 00:04:48,760
the citations, the little thinking indicator, and the meeting dynamics where nobody wants

104
00:04:48,760 --> 00:04:53,320
to slow the room down by arguing with a confident sounding assistant.

105
00:04:53,320 --> 00:04:56,440
Its perception management, its social flow, its persuasion at scale.

106
00:04:56,440 --> 00:04:59,480
The other timeline is the only one that matters when something breaks.

107
00:04:59,480 --> 00:05:01,160
That's the control plane.

108
00:05:01,160 --> 00:05:07,280
Identity issuance, token lifetime, scope, retrieval boundaries, tool invocation, side effects,

109
00:05:07,280 --> 00:05:13,720
state transitions, retry behavior, compensating actions, data class enforcement, venue enforcement.

110
00:05:13,720 --> 00:05:16,360
That's the plane where blast radius is defined.

111
00:05:16,360 --> 00:05:19,840
And the uncomfortable truth is that these two timelines don't line up.

112
00:05:19,840 --> 00:05:21,600
They rarely even touch.

113
00:05:21,600 --> 00:05:25,920
Because the platform's strongest controls tend to fire at token time while the damage

114
00:05:25,920 --> 00:05:27,800
happens at tool time.

115
00:05:27,800 --> 00:05:29,360
Condition access is a perfect example.

116
00:05:29,360 --> 00:05:30,560
It's the ticket booth.

117
00:05:30,560 --> 00:05:32,080
It answers a narrow question.

118
00:05:32,080 --> 00:05:35,360
Should this identity get a token right now under current conditions?

119
00:05:35,360 --> 00:05:40,520
It can evaluate signals, risk, device posture, location, it can deny, it can require stronger

120
00:05:40,520 --> 00:05:41,520
auth.

121
00:05:41,520 --> 00:05:42,520
That is real control.

122
00:05:42,520 --> 00:05:45,240
If the token exists, the train leaves the station.

123
00:05:45,240 --> 00:05:46,920
Now the system is in the workload.

124
00:05:46,920 --> 00:05:51,400
Tool selection happens, data gets read, rights happen, shares happen, deletes happen, and

125
00:05:51,400 --> 00:05:54,920
the control plane is often no longer in the loop in a deterministic way.

126
00:05:54,920 --> 00:05:59,120
You've moved from who may show up to what is happening, and most enterprises have no enforcement

127
00:05:59,120 --> 00:06:00,120
point in the middle.

128
00:06:00,120 --> 00:06:02,720
Per view is the other half of the same mismatch.

129
00:06:02,720 --> 00:06:04,640
Per view is the security camera system.

130
00:06:04,640 --> 00:06:09,000
It records, it correlates, it lets you do forensics after the fact, it's useful, and

131
00:06:09,000 --> 00:06:10,000
it's getting better.

132
00:06:10,000 --> 00:06:11,520
But cameras do not stop the train.

133
00:06:11,520 --> 00:06:14,440
They just help you reconstruct which door was forced and when.

134
00:06:14,440 --> 00:06:18,400
The reason this gap keeps surprising people is that the experience plane looks like control.

135
00:06:18,400 --> 00:06:19,520
The agent speaks calmly.

136
00:06:19,520 --> 00:06:20,520
It cites a document.

137
00:06:20,520 --> 00:06:22,200
It says, based on policy.

138
00:06:22,200 --> 00:06:25,660
It feels governed, and because it feels governed, people assume the control plane must have

139
00:06:25,660 --> 00:06:26,660
approved it.

140
00:06:26,660 --> 00:06:28,120
That assumption is false.

141
00:06:28,120 --> 00:06:30,760
A citation is not an authorization decision.

142
00:06:30,760 --> 00:06:32,960
A transcript is not a policy evaluation.

143
00:06:32,960 --> 00:06:35,840
A token issuance event is not a per-action gate.

144
00:06:35,840 --> 00:06:38,520
If you want a mental model, you can hold in your head, use the rail system.

145
00:06:38,520 --> 00:06:40,280
The ticket booth is conditional access.

146
00:06:40,280 --> 00:06:42,240
It can stop someone from entering the station.

147
00:06:42,240 --> 00:06:45,800
It cannot stop them from pulling the emergency brake once they're on the train.

148
00:06:45,800 --> 00:06:46,960
The cameras are per view.

149
00:06:46,960 --> 00:06:48,840
They can tell you which car it happened in.

150
00:06:48,840 --> 00:06:50,320
They cannot prevent the derailment.

151
00:06:50,320 --> 00:06:52,240
The missing role is the guard on the train.

152
00:06:52,240 --> 00:06:56,880
The deterministic policy gate that evaluates each action at the moment it is about to execute.

153
00:06:56,880 --> 00:06:59,640
And that's the heart of the architectural lie.

154
00:06:59,640 --> 00:07:04,160
Organizations keep building governance around artifacts that exist before and after execution,

155
00:07:04,160 --> 00:07:05,440
but not at execution.

156
00:07:05,440 --> 00:07:08,240
So you get beautiful audit trails and ugly outcomes.

157
00:07:08,240 --> 00:07:11,520
This also explains why embodiment makes the problem worse.

158
00:07:11,520 --> 00:07:15,000
The more polished the experience plane becomes, the more it masks the absence of control plane

159
00:07:15,000 --> 00:07:16,000
enforcement.

160
00:07:16,000 --> 00:07:18,480
The organization feels safer because it can see more.

161
00:07:18,480 --> 00:07:21,640
But visibility without gating is just higher resolution regret.

162
00:07:21,640 --> 00:07:26,640
Once you separate the two planes, you stop arguing about whether the platform has governance.

163
00:07:26,640 --> 00:07:27,640
It does.

164
00:07:27,640 --> 00:07:31,120
You start arguing about where in the timeline governance actually applies.

165
00:07:31,120 --> 00:07:35,080
And you stop treating that as semantics because timing is where incidents live.

166
00:07:35,080 --> 00:07:38,960
Token time control without tool time control is a polite front door with no locks inside

167
00:07:38,960 --> 00:07:40,280
the building.

168
00:07:40,280 --> 00:07:43,680
What Microsoft gets right and why it still doesn't save you.

169
00:07:43,680 --> 00:07:45,160
Microsoft is not asleep at the wheel here.

170
00:07:45,160 --> 00:07:49,840
That's what makes this harder because the comfortable critique is the platform is immature.

171
00:07:49,840 --> 00:07:50,840
It isn't.

172
00:07:50,840 --> 00:07:54,360
The uncomfortable critique is that the platform is improving in the places enterprises

173
00:07:54,360 --> 00:07:58,800
like to measure while the failure happens in the place they avoid designing.

174
00:07:58,800 --> 00:07:59,800
Start with purview.

175
00:07:59,800 --> 00:08:03,800
Getting co-pided conversations into a compliant surface is real progress.

176
00:08:03,800 --> 00:08:05,480
Change the nature of investigations.

177
00:08:05,480 --> 00:08:06,480
They give you a timeline.

178
00:08:06,480 --> 00:08:09,320
They give you a record of what was asked and what was answered.

179
00:08:09,320 --> 00:08:14,800
They also give you a way to correlate that conversation with a user identity and increasingly

180
00:08:14,800 --> 00:08:18,080
with the sources the system touched that closes a lot of the old.

181
00:08:18,080 --> 00:08:19,880
We have no idea what it did problem.

182
00:08:19,880 --> 00:08:25,360
Co-pilot studio logging is the same category of win activity logging tool invocation traces.

183
00:08:25,360 --> 00:08:29,960
The ability to see what actions were taken and when again real for operations teams that's

184
00:08:29,960 --> 00:08:33,800
better than folklore and screen recordings it turns agent behavior into something you can

185
00:08:33,800 --> 00:08:34,800
query.

186
00:08:34,800 --> 00:08:35,800
Now identity.

187
00:08:35,800 --> 00:08:39,000
Interest framing of workload identities and non-human identities is exactly where this

188
00:08:39,000 --> 00:08:40,000
should go.

189
00:08:40,000 --> 00:08:41,000
An agent is not a user.

190
00:08:41,000 --> 00:08:42,160
It is not an intern.

191
00:08:42,160 --> 00:08:47,080
It is a workload identity with automation privileges and treating it as such is the first

192
00:08:47,080 --> 00:08:48,600
admission of reality.

193
00:08:48,600 --> 00:08:51,480
Conditional access applying to those identities matters.

194
00:08:51,480 --> 00:08:54,920
Token issuance becomes conditional signals driven and enforceable.

195
00:08:54,920 --> 00:08:55,920
Risk goes up.

196
00:08:55,920 --> 00:08:57,160
Token issuance gets blocked.

197
00:08:57,160 --> 00:08:58,400
Device posture is wrong.

198
00:08:58,400 --> 00:08:59,880
Token issuance gets blocked.

199
00:08:59,880 --> 00:09:02,120
Token issuance gets blocked.

200
00:09:02,120 --> 00:09:03,720
You can make the front door real.

201
00:09:03,720 --> 00:09:07,640
And there's also continuous access evaluation sitting in the background as Microsoft's answer

202
00:09:07,640 --> 00:09:09,960
to context changes after sign in.

203
00:09:09,960 --> 00:09:13,960
It's an attempt to reduce the time lag between a changing risk posture and what the token

204
00:09:13,960 --> 00:09:15,160
is allowed to do.

205
00:09:15,160 --> 00:09:16,160
That direction is correct.

206
00:09:16,160 --> 00:09:20,640
You can't keep treating authentication as a one time ceremony in a world where sessions

207
00:09:20,640 --> 00:09:22,320
persist and context drift.

208
00:09:22,320 --> 00:09:23,520
All of that is necessary.

209
00:09:23,520 --> 00:09:25,040
All of it is still insufficient.

210
00:09:25,040 --> 00:09:26,760
Here's the boundary you don't get to hand wave.

211
00:09:26,760 --> 00:09:30,200
These controls mostly operate at token time and after execution.

212
00:09:30,200 --> 00:09:34,440
They don't operate at action time inside the tool call path with deterministic intent

213
00:09:34,440 --> 00:09:35,440
enforcement.

214
00:09:35,440 --> 00:09:36,600
Per view tells you what happened.

215
00:09:36,600 --> 00:09:38,960
It does not decide what is allowed to happen next.

216
00:09:38,960 --> 00:09:43,560
Conditional access decides whether an identity should be issued a token under current conditions.

217
00:09:43,560 --> 00:09:48,800
It does not evaluate whether a specific delete, share or send is appropriate given the intent

218
00:09:48,800 --> 00:09:53,680
of the request, the sensitivity of the target and the venue in which the result will be exposed.

219
00:09:53,680 --> 00:09:57,920
That distinction matters because enterprise harm rarely looks like the agent got global

220
00:09:57,920 --> 00:09:59,400
admin.

221
00:09:59,400 --> 00:10:02,320
Microsoft has already blocked a lot of those extremes for agent identities.

222
00:10:02,320 --> 00:10:07,520
The real harm looks like the agent had legitimate right access in the wrong place or the agent

223
00:10:07,520 --> 00:10:10,800
retrieved legitimate data and disclosed it in the wrong venue.

224
00:10:10,800 --> 00:10:12,360
And those are action time failures.

225
00:10:12,360 --> 00:10:14,400
If you want to hear the gap, walk the timeline.

226
00:10:14,400 --> 00:10:15,720
Agent signs in.

227
00:10:15,720 --> 00:10:17,960
Conditional access evaluates token issued.

228
00:10:17,960 --> 00:10:18,960
Fine.

229
00:10:18,960 --> 00:10:19,960
Agent retrieves documents.

230
00:10:19,960 --> 00:10:20,960
It is entitled to retrieve.

231
00:10:20,960 --> 00:10:21,960
Fine.

232
00:10:21,960 --> 00:10:22,960
Transcript gets captured.

233
00:10:22,960 --> 00:10:24,840
The agents get recorded fine.

234
00:10:24,840 --> 00:10:29,000
Now the agent proposes a tool call, delete a site, share a file, post a message, send an

235
00:10:29,000 --> 00:10:31,200
email, trigger a workflow.

236
00:10:31,200 --> 00:10:35,440
Where is the deterministic policy gate that evaluates that proposed action against intent,

237
00:10:35,440 --> 00:10:38,840
scope, data classification and venue before the tool executes?

238
00:10:38,840 --> 00:10:40,440
In most deployments it isn't there.

239
00:10:40,440 --> 00:10:42,520
The platform gave you the ticket booth and the cameras.

240
00:10:42,520 --> 00:10:45,120
It did not automatically give you a guard on the train.

241
00:10:45,120 --> 00:10:48,640
And because those Microsoft controls exist, organizations stop designing.

242
00:10:48,640 --> 00:10:50,320
They assume governance is covered.

243
00:10:50,320 --> 00:10:53,120
They feel safe because they can export transcripts.

244
00:10:53,120 --> 00:10:56,400
They feel safe because conditional access policies look mature.

245
00:10:56,400 --> 00:11:00,960
They feel safe because the agent has an identity object and identities feel like control.

246
00:11:00,960 --> 00:11:02,880
But control is not a directory object.

247
00:11:02,880 --> 00:11:04,160
Control is an enforcement point.

248
00:11:04,160 --> 00:11:05,880
So yes, praise the forensics.

249
00:11:05,880 --> 00:11:07,160
Praise the identity model.

250
00:11:07,160 --> 00:11:08,160
Praise the growing observability.

251
00:11:08,160 --> 00:11:10,120
And those are the raw materials you need.

252
00:11:10,120 --> 00:11:13,520
Then say the sentence that forces the architectural truth into the room.

253
00:11:13,520 --> 00:11:15,360
Microsoft has significantly improved visibility.

254
00:11:15,360 --> 00:11:18,200
They have not eliminated non-deterministic execution.

255
00:11:18,200 --> 00:11:23,000
Once you accept that, you stop asking the platform to save you with more logs and you start building

256
00:11:23,000 --> 00:11:24,480
the missing thing.

257
00:11:24,480 --> 00:11:28,280
Action time, per tool call determinism.

258
00:11:28,280 --> 00:11:29,760
Audit provenance policy gate.

259
00:11:29,760 --> 00:11:32,360
Here is the trilogy that keeps getting blurred on purpose.

260
00:11:32,360 --> 00:11:33,880
Audit is a record of what happened.

261
00:11:33,880 --> 00:11:37,800
Who asked what the agent said, which identity executed, which file got touched, which API

262
00:11:37,800 --> 00:11:39,440
got called, what time it happened?

263
00:11:39,440 --> 00:11:40,440
It's a timeline.

264
00:11:40,440 --> 00:11:41,440
It's useful.

265
00:11:41,440 --> 00:11:43,080
It's also inherently retrospective.

266
00:11:43,080 --> 00:11:46,320
Audit is the black box flight recorder you consult after the impact.

267
00:11:46,320 --> 00:11:48,880
It doesn't change the trajectory of the plane.

268
00:11:48,880 --> 00:11:51,920
Provenance is the missing middle that most teams pretend is nice to have.

269
00:11:51,920 --> 00:11:53,920
Provenance is not the transcript.

270
00:11:53,920 --> 00:11:57,720
Provenance is the decision chain, which chunks were retrieved, which candidates were considered

271
00:11:57,720 --> 00:12:02,560
and rejected, which tool options were available, which constraints were applied, and what caused

272
00:12:02,560 --> 00:12:04,080
the final selection.

273
00:12:04,080 --> 00:12:08,160
It is the explanation graph that ties inputs to outputs in a way that survives an incident

274
00:12:08,160 --> 00:12:09,160
review.

275
00:12:09,160 --> 00:12:12,360
Without provenance, you don't know why the agent did what it did.

276
00:12:12,360 --> 00:12:13,840
You only know that it did it.

277
00:12:13,840 --> 00:12:15,840
And then there's the part that prevents harm.

278
00:12:15,840 --> 00:12:16,840
The policy gate.

279
00:12:16,840 --> 00:12:20,560
A policy gate is a deterministic decision point that runs before execution.

280
00:12:20,560 --> 00:12:25,640
It evaluates a structured request against policy and authoritative state and returns, allow,

281
00:12:25,640 --> 00:12:26,640
deny or transform.

282
00:12:26,640 --> 00:12:28,160
It is not a prompt instruction.

283
00:12:28,160 --> 00:12:29,160
It is not a persona.

284
00:12:29,160 --> 00:12:31,360
It is not a please ask for confirmation.

285
00:12:31,360 --> 00:12:32,640
It is an enforcement layer.

286
00:12:32,640 --> 00:12:34,600
The agent cannot bypass.

287
00:12:34,600 --> 00:12:35,920
Most enterprises have ordered.

288
00:12:35,920 --> 00:12:37,520
Some have fragments of provenance.

289
00:12:37,520 --> 00:12:38,760
Almost none have a real gate.

290
00:12:38,760 --> 00:12:43,040
That distinction matters because your worst failures happen in the gap between entitled

291
00:12:43,040 --> 00:12:44,360
and appropriate.

292
00:12:44,360 --> 00:12:48,000
The agent can be entitled to read a document and still be wrong to disclose it in that

293
00:12:48,000 --> 00:12:49,000
venue.

294
00:12:49,000 --> 00:12:52,840
The agent can be entitled to write and still be wrong to write here now in that way.

295
00:12:52,840 --> 00:12:56,160
Audit will happily record the wrong thing with perfect fidelity.

296
00:12:56,160 --> 00:12:58,160
Provenance helps you argue with reality less.

297
00:12:58,160 --> 00:13:00,120
It tells you how you arrived at the bad action.

298
00:13:00,120 --> 00:13:03,680
It's what you need when a regulator asks, why did the system decide this?

299
00:13:03,680 --> 00:13:06,320
And your only other answer is, it felt right.

300
00:13:06,320 --> 00:13:09,760
Provenance turns post mortems from fan fiction into analysis, but provenance still doesn't

301
00:13:09,760 --> 00:13:11,000
prevent the incident.

302
00:13:11,000 --> 00:13:12,080
Only a gate does.

303
00:13:12,080 --> 00:13:13,960
And the thing most people miss is timing.

304
00:13:13,960 --> 00:13:17,680
The strongest built in controls are mostly outside the action path.

305
00:13:17,680 --> 00:13:19,680
Conditional access happens at token acquisition.

306
00:13:19,680 --> 00:13:23,480
Per view happens after the fact those are important controls, but they are not action time

307
00:13:23,480 --> 00:13:24,720
authorization.

308
00:13:24,720 --> 00:13:28,680
So here's what audit provenance policy gate looks like on a real timeline.

309
00:13:28,680 --> 00:13:32,600
The user asks the agent to do something in the agent retrieves context.

310
00:13:32,600 --> 00:13:34,160
It compiles candidates.

311
00:13:34,160 --> 00:13:35,520
It selects a tool.

312
00:13:35,520 --> 00:13:38,600
In a safe architecture, there's a hard boundary right there.

313
00:13:38,600 --> 00:13:41,680
The agent submits a request, not an imperative.

314
00:13:41,680 --> 00:13:45,600
Data, intent, scope, data class, venue and an operation ID.

315
00:13:45,600 --> 00:13:49,840
The policy engine evaluates those attributes against rules and authoritative state, produces

316
00:13:49,840 --> 00:13:53,000
a decision artifact and only then does execution happen.

317
00:13:53,000 --> 00:13:55,800
And the decision artifact gets stored next to the action.

318
00:13:55,800 --> 00:13:59,560
That last part is what makes governance real, because the artifact is proof, not narrative.

319
00:13:59,560 --> 00:14:00,560
You can sample it.

320
00:14:00,560 --> 00:14:01,560
You can query it.

321
00:14:01,560 --> 00:14:02,560
You can show it in an audit.

322
00:14:02,560 --> 00:14:07,720
A loud under rule, D104, constraints C17 based on state version 6.

323
00:14:07,720 --> 00:14:11,000
Or denied under rule V302 due to mixed audience.

324
00:14:11,000 --> 00:14:13,160
This is what prevention looks like when it's measurable.

325
00:14:13,160 --> 00:14:15,800
Now, the obvious pushback is, but we have transcripts.

326
00:14:15,800 --> 00:14:17,000
We have citations.

327
00:14:17,000 --> 00:14:18,000
We have activity logs.

328
00:14:18,000 --> 00:14:19,000
Isn't that provenance?

329
00:14:19,000 --> 00:14:20,000
No.

330
00:14:20,000 --> 00:14:22,440
Transcripts are experienced playing narration.

331
00:14:22,440 --> 00:14:24,200
Citations are retrieval references.

332
00:14:24,200 --> 00:14:25,360
Activity logs are event records.

333
00:14:25,360 --> 00:14:26,360
They are necessary.

334
00:14:26,360 --> 00:14:27,360
They are not sufficient.

335
00:14:27,360 --> 00:14:28,880
They do not tell you what was excluded.

336
00:14:28,880 --> 00:14:31,200
They do not tell you what alternatives were rejected.

337
00:14:31,200 --> 00:14:35,080
They do not tell you whether a policy evaluated the action before execution.

338
00:14:35,080 --> 00:14:37,680
They do not tell you whether the system could have stopped itself.

339
00:14:37,680 --> 00:14:40,960
If you remember, nothing else from this section, keep this ordering straight.

340
00:14:40,960 --> 00:14:42,400
It explains what happened.

341
00:14:42,400 --> 00:14:44,680
Provenance explains why that path was taken.

342
00:14:44,680 --> 00:14:47,840
A policy gate decides whether it's allowed to happen at all.

343
00:14:47,840 --> 00:14:52,000
And when you add a face and a voice, you increase the probability that your organization

344
00:14:52,000 --> 00:14:54,120
confuses the first two for the third.

345
00:14:54,120 --> 00:14:58,120
Case study 1, mis-scoped tool call, deletes the wrong sharepoint side.

346
00:14:58,120 --> 00:15:02,320
Here's the first failure pattern because it's the one that keeps happening quietly in enterprises

347
00:15:02,320 --> 00:15:04,160
that believe were governed.

348
00:15:04,160 --> 00:15:08,160
A productivity team rolls out an agent to clean up obsolete project sites.

349
00:15:08,160 --> 00:15:09,480
The brief sounds harmless.

350
00:15:09,480 --> 00:15:11,280
The agent is grounded in sharepoint.

351
00:15:11,280 --> 00:15:15,680
It can read site metadata, pass a tracker spreadsheet, and it has Microsoft graph write

352
00:15:15,680 --> 00:15:19,720
access because eventually it needs to delete or archive things.

353
00:15:19,720 --> 00:15:21,240
The organization is proud.

354
00:15:21,240 --> 00:15:23,920
It's using a dedicated workload identity.

355
00:15:23,920 --> 00:15:26,600
Conditional access is enforced and purview capture is enabled.

356
00:15:26,600 --> 00:15:29,080
At 0902, the agent authenticates.

357
00:15:29,080 --> 00:15:30,880
Conditional access evaluates and passes.

358
00:15:30,880 --> 00:15:31,880
A token is issued.

359
00:15:31,880 --> 00:15:32,880
No anomaly.

360
00:15:32,880 --> 00:15:33,880
No risk event.

361
00:15:33,880 --> 00:15:35,880
This is what good looks like.

362
00:15:35,880 --> 00:15:40,160
At 0905, a user asks, "Can you remove the old project spaces from last year?"

363
00:15:40,160 --> 00:15:42,640
The active list is in the project's archive tracker.

364
00:15:42,640 --> 00:15:44,400
Now the agent does what agents do.

365
00:15:44,400 --> 00:15:45,400
It retrieves context.

366
00:15:45,400 --> 00:15:46,480
It reads the tracker.

367
00:15:46,480 --> 00:15:48,520
It searches for sites with similar names.

368
00:15:48,520 --> 00:15:49,720
It weighs signals.

369
00:15:49,720 --> 00:15:54,440
Last modified date, owner, whether a team's channel exists, whether there are recent files,

370
00:15:54,440 --> 00:15:58,680
maybe a week hint, from an email thread, none of those are authoritative truth.

371
00:15:58,680 --> 00:15:59,680
They're clues.

372
00:15:59,680 --> 00:16:00,680
Then it makes the choice.

373
00:16:00,680 --> 00:16:02,640
It selects a site that looks obsolete.

374
00:16:02,640 --> 00:16:03,800
And it calls the tool.

375
00:16:03,800 --> 00:16:06,520
It executes a graph delete on the wrong sharepoint site.

376
00:16:06,520 --> 00:16:07,520
Nothing exotic happened here.

377
00:16:07,520 --> 00:16:08,520
No prompt injection.

378
00:16:08,520 --> 00:16:10,120
No compromised credential.

379
00:16:10,120 --> 00:16:11,680
No global admin role.

380
00:16:11,680 --> 00:16:16,520
This is normal probabilistic selection, acting at machine speed, with standing right scopes.

381
00:16:16,520 --> 00:16:18,800
Now look at what your governance artifacts say.

382
00:16:18,800 --> 00:16:20,200
Purview will show an interaction.

383
00:16:20,200 --> 00:16:21,720
It will show the user request.

384
00:16:21,720 --> 00:16:23,520
It will show the agent's response.

385
00:16:23,520 --> 00:16:24,520
You will see timestamps.

386
00:16:24,520 --> 00:16:25,920
You will see the agent identity.

387
00:16:25,920 --> 00:16:29,920
You may see citations pointing to the tracker and maybe a policy doc.

388
00:16:29,920 --> 00:16:33,600
And you will see an activity a site was deleted by that agent identity.

389
00:16:33,600 --> 00:16:34,600
Everything is correct.

390
00:16:34,600 --> 00:16:37,640
And none of it answers the question that matters in the incident review.

391
00:16:37,640 --> 00:16:38,800
Why that site?

392
00:16:38,800 --> 00:16:40,880
Not the narrative because it was obsolete.

393
00:16:40,880 --> 00:16:42,360
The actual decision chain.

394
00:16:42,360 --> 00:16:46,000
Which retrieved chunk, pushed it over the threshold, which alternative candidates were

395
00:16:46,000 --> 00:16:47,840
considered and rejected.

396
00:16:47,840 --> 00:16:51,040
What eligibility rule was evaluated at the moment of execution?

397
00:16:51,040 --> 00:16:54,920
In most deployments, the answer is, no eligibility rule was evaluated.

398
00:16:54,920 --> 00:16:56,760
The agent inferred eligibility.

399
00:16:56,760 --> 00:17:00,760
That inference became an action because the tool was callable and the token was valid.

400
00:17:00,760 --> 00:17:02,200
Or it gave you a story.

401
00:17:02,200 --> 00:17:03,680
It did not give you prevention.

402
00:17:03,680 --> 00:17:07,360
And the worst part is how the post-incident conversation usually goes because it's always

403
00:17:07,360 --> 00:17:09,120
experience plane thinking.

404
00:17:09,120 --> 00:17:10,120
We'll improve the prompt.

405
00:17:10,120 --> 00:17:11,840
We'll add a confirmation step.

406
00:17:11,840 --> 00:17:13,960
We'll tell users to be more specific.

407
00:17:13,960 --> 00:17:15,280
Those are all entropy generators.

408
00:17:15,280 --> 00:17:18,800
They add more conditional branches, more human confusion and more opportunity for the

409
00:17:18,800 --> 00:17:21,280
agent to interpret a suggestion as a command.

410
00:17:21,280 --> 00:17:25,080
The architectural fix is boring and it works because it doesn't require belief.

411
00:17:25,080 --> 00:17:26,080
First, idempotency.

412
00:17:26,080 --> 00:17:30,120
Every destructive request carries an operation ID persisted before execution.

413
00:17:30,120 --> 00:17:33,560
The same request is replayed, retried, duplicated or reordered.

414
00:17:33,560 --> 00:17:37,240
The system returns the prior outcome and does not re-execute side effects.

415
00:17:37,240 --> 00:17:40,760
That turns event-driven unreliability into safe replay.

416
00:17:40,760 --> 00:17:41,920
Second, authoritative state.

417
00:17:41,920 --> 00:17:43,720
Eligible for deletion is not a vibe.

418
00:17:43,720 --> 00:17:46,360
It's a state property stored in a system of record.

419
00:17:46,360 --> 00:17:50,000
If the authoritative catalog says retired through dormant 90 days and owner approved

420
00:17:50,000 --> 00:17:51,720
true, then the site can be deleted.

421
00:17:51,720 --> 00:17:53,440
If not, the site cannot be deleted.

422
00:17:53,440 --> 00:17:55,280
The agent does not get to negotiate that.

423
00:17:55,280 --> 00:17:57,280
Third, the policy gate.

424
00:17:57,280 --> 00:18:00,080
Before the delete tool executes, the agent submits a structure.

425
00:18:00,080 --> 00:18:01,080
Request.

426
00:18:01,080 --> 00:18:02,080
Actor.

427
00:18:02,080 --> 00:18:03,080
Intent.

428
00:18:03,080 --> 00:18:04,080
Delete.

429
00:18:04,080 --> 00:18:05,080
Scope.

430
00:18:05,080 --> 00:18:06,080
Side.

431
00:18:06,080 --> 00:18:07,080
ID.

432
00:18:07,080 --> 00:18:08,080
Data class.

433
00:18:08,080 --> 00:18:09,080
Venue.

434
00:18:09,080 --> 00:18:10,080
Operation.

435
00:18:10,080 --> 00:18:11,080
ID.

436
00:18:11,080 --> 00:18:12,080
The policy engine evaluates that request against rules and authoritative state and returns allow,

437
00:18:12,080 --> 00:18:13,080
deny or transform.

438
00:18:13,080 --> 00:18:16,080
If it denies, the tool never sees the request.

439
00:18:16,080 --> 00:18:19,080
If it allows, the decision artifact is stored next to the action.

440
00:18:19,080 --> 00:18:21,440
Now, replay the same scenario under that model.

441
00:18:21,440 --> 00:18:22,840
The agent compiles candidates.

442
00:18:22,840 --> 00:18:24,520
It proposes the wrong side.

443
00:18:24,520 --> 00:18:28,160
The policy engine evaluates the proposal against the authoritative catalog.

444
00:18:28,160 --> 00:18:30,160
The wrong side fails eligibility.

445
00:18:30,160 --> 00:18:31,160
Deny.

446
00:18:31,160 --> 00:18:32,160
The user still gets a transcript.

447
00:18:32,160 --> 00:18:33,480
The activity logs still exist.

448
00:18:33,480 --> 00:18:37,320
The difference is that your incident is now a denied decision, not a post-mortem.

449
00:18:37,320 --> 00:18:41,080
That's what audit provenance policy gate means operationally.

450
00:18:41,080 --> 00:18:42,840
Audit will always be perfect after the damage.

451
00:18:42,840 --> 00:18:44,880
A gate makes the damage never happen.

452
00:18:44,880 --> 00:18:46,560
Case study 2.

453
00:18:46,560 --> 00:18:47,560
Compliant retrieval.

454
00:18:47,560 --> 00:18:49,560
Policy violation via voice in a meeting.

455
00:18:49,560 --> 00:18:53,600
Now move from wrong target to the failure that governance teams hate because it breaks

456
00:18:53,600 --> 00:18:55,760
all their comfortable categories.

457
00:18:55,760 --> 00:18:56,760
Everything is entitled.

458
00:18:56,760 --> 00:18:57,760
Everything is logged.

459
00:18:57,760 --> 00:18:58,760
Correct.

460
00:18:58,760 --> 00:19:00,080
And it's still unacceptable.

461
00:19:00,080 --> 00:19:03,560
An HR assistant agent gets deployed into team's meetings.

462
00:19:03,560 --> 00:19:08,400
It's grounded on policy documents, FAQ's, compensation guidance and a curated SharePoint

463
00:19:08,400 --> 00:19:11,080
library managed by the compensation team.

464
00:19:11,080 --> 00:19:12,520
The pitch sounds responsible.

465
00:19:12,520 --> 00:19:13,520
The agent is read only.

466
00:19:13,520 --> 00:19:15,080
It's not writing anywhere.

467
00:19:15,080 --> 00:19:17,480
And it's meant to reduce interruptions in live calls.

468
00:19:17,480 --> 00:19:18,760
A director asks a question.

469
00:19:18,760 --> 00:19:19,760
The agent answers.

470
00:19:19,760 --> 00:19:20,760
Everyone moves on.

471
00:19:20,760 --> 00:19:22,120
The identity model looks clean.

472
00:19:22,120 --> 00:19:24,400
It runs under a workload identity.

473
00:19:24,400 --> 00:19:26,120
Conditional access protects token issuance.

474
00:19:26,120 --> 00:19:29,240
Per view is configured to capture conversation transcripts.

475
00:19:29,240 --> 00:19:30,920
Copilot activity logs are enabled.

476
00:19:30,920 --> 00:19:33,080
From a governance standpoint it checks boxes.

477
00:19:33,080 --> 00:19:34,080
Then the meeting happens.

478
00:19:34,080 --> 00:19:37,160
A director asks, what are the employee trends this quarter?

479
00:19:37,160 --> 00:19:38,720
That question is vague on purpose.

480
00:19:38,720 --> 00:19:43,240
Humans ask vague questions in meetings because they don't want to specify constraints out loud.

481
00:19:43,240 --> 00:19:46,400
They assume the audience understands the implied boundaries.

482
00:19:46,400 --> 00:19:49,120
Don't mention anything sensitive in front of externals.

483
00:19:49,120 --> 00:19:50,120
Keep it high level.

484
00:19:50,120 --> 00:19:53,120
Don't surface anything that can be misinterpreted or forwarded.

485
00:19:53,120 --> 00:19:54,800
The agent does not have those instincts.

486
00:19:54,800 --> 00:19:56,240
It does what it was built to do.

487
00:19:56,240 --> 00:19:57,240
It retrieves.

488
00:19:57,240 --> 00:19:58,240
It aggregates.

489
00:19:58,240 --> 00:19:59,240
It summarizes.

490
00:19:59,240 --> 00:20:01,680
It picks numbers because numbers sound authoritative.

491
00:20:01,680 --> 00:20:03,680
It synthesizes a clean verbal answer.

492
00:20:03,680 --> 00:20:04,840
And it says it out loud.

493
00:20:04,840 --> 00:20:07,920
Maybe it mentions compensation movement by level in region.

494
00:20:07,920 --> 00:20:10,280
Maybe it reports internal mobility rates.

495
00:20:10,280 --> 00:20:14,600
Maybe it references subgroup deltas because the underlying documents include those charts.

496
00:20:14,600 --> 00:20:15,600
No names.

497
00:20:15,600 --> 00:20:17,320
No row level PII.

498
00:20:17,320 --> 00:20:18,960
No single record disclosure.

499
00:20:18,960 --> 00:20:20,760
Still a policy violation.

500
00:20:20,760 --> 00:20:22,760
Because the harm here isn't access.

501
00:20:22,760 --> 00:20:24,520
The harm is venue.

502
00:20:24,520 --> 00:20:26,960
The harm is aggregation.

503
00:20:26,960 --> 00:20:29,080
The meeting includes external participants.

504
00:20:29,080 --> 00:20:33,200
Vendors, a partner org, someone dialing in from an unfamiliar domain that happens constantly

505
00:20:33,200 --> 00:20:34,920
in modern enterprises.

506
00:20:34,920 --> 00:20:36,880
Teams meetings are porous by default.

507
00:20:36,880 --> 00:20:39,440
The audience boundary shifts in real time.

508
00:20:39,440 --> 00:20:42,160
And the agent, because it is speaking, becomes an egress path.

509
00:20:42,160 --> 00:20:46,120
Now look at the telemetry and watch how it fails you while remaining technically correct.

510
00:20:46,120 --> 00:20:47,320
Per view shows the transcript.

511
00:20:47,320 --> 00:20:48,800
The question and the answer are there.

512
00:20:48,800 --> 00:20:51,240
The citations point to the right HR library documents.

513
00:20:51,240 --> 00:20:52,880
The agent identity is valid.

514
00:20:52,880 --> 00:20:56,240
The user who asked the question is entitled to the documents.

515
00:20:56,240 --> 00:20:57,800
The share point permissions are correct.

516
00:20:57,800 --> 00:20:59,440
The retrieval was security trimmed.

517
00:20:59,440 --> 00:21:01,240
All the traditional controls passed.

518
00:21:01,240 --> 00:21:02,480
So what exactly was missing?

519
00:21:02,480 --> 00:21:05,360
The policy evaluation that should have happened at speech time.

520
00:21:05,360 --> 00:21:09,320
Nobody asked a deterministic question like, is it permissible to verbalize this class of

521
00:21:09,320 --> 00:21:13,080
information at this aggregation level in this venue to this audience?

522
00:21:13,080 --> 00:21:15,720
Because speech was treated as output, not action.

523
00:21:15,720 --> 00:21:16,720
This is the trap.

524
00:21:16,720 --> 00:21:18,840
Teams treat tool calls like actions.

525
00:21:18,840 --> 00:21:22,320
Graph rights, deletes, shares, but they treat speech like harmless UI.

526
00:21:22,320 --> 00:21:23,160
It is not.

527
00:21:23,160 --> 00:21:25,040
In a meeting speech is publication.

528
00:21:25,040 --> 00:21:28,000
It leaves the system boundary the moment it hits the room.

529
00:21:28,000 --> 00:21:29,080
People repeat it.

530
00:21:29,080 --> 00:21:30,080
Screen shots happen.

531
00:21:30,080 --> 00:21:31,640
Someone says, can you send that to me?

532
00:21:31,640 --> 00:21:32,760
And now it's in chat.

533
00:21:32,760 --> 00:21:37,240
The output becomes durable even if the data never left share point at the file level.

534
00:21:37,240 --> 00:21:40,640
Your deal-p policies can stay green while your policy posture goes red.

535
00:21:40,640 --> 00:21:44,360
And because the agent sounds calm and competent, nobody interrupts it.

536
00:21:44,360 --> 00:21:47,440
Human interface trust bias turns the meeting into an amplifier.

537
00:21:47,440 --> 00:21:51,000
The agent just shipped an aggregation to a mixed audience at machine speed, wrapped in

538
00:21:51,000 --> 00:21:52,800
a tone that implies permission.

539
00:21:52,800 --> 00:21:54,560
Now the fix again isn't band voice.

540
00:21:54,560 --> 00:21:56,760
The fix is to treat voice as a tool call.

541
00:21:56,760 --> 00:22:00,640
Before the agent speaks, you classify the output, not just the input documents.

542
00:22:00,640 --> 00:22:01,680
The output.

543
00:22:01,680 --> 00:22:06,320
You attach attributes, data class compensation aggregation cohort, venue or team's meeting,

544
00:22:06,320 --> 00:22:09,000
audience mixed external present true.

545
00:22:09,000 --> 00:22:12,080
Then you submit that as a request to a policy engine.

546
00:22:12,080 --> 00:22:16,120
And the policy engine does what humans do automatically and machines never do unless

547
00:22:16,120 --> 00:22:17,160
you force them to.

548
00:22:17,160 --> 00:22:19,200
It evaluates a rule like.

549
00:22:19,200 --> 00:22:23,720
Compensation cohorts may not be disclosed verbally when external participants are present.

550
00:22:23,720 --> 00:22:27,040
Allow only high level summaries with no subgroup references.

551
00:22:27,040 --> 00:22:30,600
Transform the response or deny it if it denies the speech to never runs.

552
00:22:30,600 --> 00:22:33,480
If it transforms, the agent speaks a sanitized version.

553
00:22:33,480 --> 00:22:35,680
High level trends remained within target ranges.

554
00:22:35,680 --> 00:22:39,120
Detailed breakdown is available to HR only audiences.

555
00:22:39,120 --> 00:22:43,240
And the decision artifact gets stored next to the action denied or transformed under rule

556
00:22:43,240 --> 00:22:46,000
v302 with the attributes that triggered it.

557
00:22:46,000 --> 00:22:47,360
Now replay the incident.

558
00:22:47,360 --> 00:22:50,200
Some questions, same retrieval, same entitlement, different outcome.

559
00:22:50,200 --> 00:22:54,040
The agent proposes a detailed answer, the control plane disposes, the meeting gets a safe

560
00:22:54,040 --> 00:22:57,280
summary, and your governance story becomes boring on purpose.

561
00:22:57,280 --> 00:23:01,040
Because compliance systems still fail when venue and intent aren't enforced at the moment

562
00:23:01,040 --> 00:23:02,440
of publication.

563
00:23:02,440 --> 00:23:06,120
Case study 3, external shadow agent with internal blast radius.

564
00:23:06,120 --> 00:23:10,280
Now the failure pattern that doesn't show up as a breach until the screenshots are already

565
00:23:10,280 --> 00:23:11,280
circulating.

566
00:23:11,280 --> 00:23:13,120
A developer is under pressure.

567
00:23:13,120 --> 00:23:14,360
Support tickets are piling up.

568
00:23:14,360 --> 00:23:18,920
The product team wants a deflection bot and someone has seen a demo where an agent answers questions

569
00:23:18,920 --> 00:23:19,920
instantly.

570
00:23:19,920 --> 00:23:21,720
So they do what modern platforms encourage.

571
00:23:21,720 --> 00:23:26,240
They stand up an externally accessible agent, put a chat widget on a public page, and wire

572
00:23:26,240 --> 00:23:29,320
it to enterprise knowledge so it doesn't sound stupid.

573
00:23:29,320 --> 00:23:34,360
And because it's just answering questions, they give it broad read scopes to internal content.

574
00:23:34,360 --> 00:23:38,960
A share point side with runbooks, a wiki, maybe a knowledge base, maybe a support analytics

575
00:23:38,960 --> 00:23:39,960
store.

576
00:23:39,960 --> 00:23:42,280
They also add a couple of write scopes for later.

577
00:23:42,280 --> 00:23:46,320
Because they're malicious, because future features always arrive and nobody wants to redo consent,

578
00:23:46,320 --> 00:23:48,600
the agent authenticates using an app registration.

579
00:23:48,600 --> 00:23:49,600
It gets a token.

580
00:23:49,600 --> 00:23:51,000
It calls internal systems.

581
00:23:51,000 --> 00:23:52,000
Everything is legitimate.

582
00:23:52,000 --> 00:23:53,480
That's the core danger here.

583
00:23:53,480 --> 00:23:55,480
Nothing has to be compromised for this to go wrong.

584
00:23:55,480 --> 00:24:00,720
A customer asks a harmless question, what's the work around for the X120 firmware outage?

585
00:24:00,720 --> 00:24:04,320
The agent retrieves internal runbooks and post mortem fragments that were never meant

586
00:24:04,320 --> 00:24:05,600
to leave the tenant.

587
00:24:05,600 --> 00:24:07,320
It assembles a confident answer.

588
00:24:07,320 --> 00:24:08,800
It publishes it to the public chat.

589
00:24:08,800 --> 00:24:12,800
No exploit chain, no prompt injection, no data exfiltration tooling, just a public interface

590
00:24:12,800 --> 00:24:16,600
connected to an internal corpus by an overpermissioned workload identity.

591
00:24:16,600 --> 00:24:19,680
Now walk through what the logs tell you and what they can't.

592
00:24:19,680 --> 00:24:22,720
Enter shows token issuance under a workload identity.

593
00:24:22,720 --> 00:24:26,440
If conditional access is configured for that identity, it evaluates the signing context

594
00:24:26,440 --> 00:24:27,720
and issues the token.

595
00:24:27,720 --> 00:24:30,440
Per view shows the agent reading internal documents.

596
00:24:30,440 --> 00:24:34,880
The audit trail is pristine, identity timestamps resource access downstream calls.

597
00:24:34,880 --> 00:24:39,160
The organization can prove down to the minute that the agent touched those files and responded

598
00:24:39,160 --> 00:24:40,640
to that external user.

599
00:24:40,640 --> 00:24:45,320
And that's the trap, because the logs being correct becomes evidence incorrectly that the

600
00:24:45,320 --> 00:24:46,680
system was governed.

601
00:24:46,680 --> 00:24:49,640
What's missing is the decision chain and the boundary enforcement.

602
00:24:49,640 --> 00:24:53,720
Why did the external request get access to internal only material, which rule asserted

603
00:24:53,720 --> 00:24:56,360
that this venue is allowed to consume that corpus?

604
00:24:56,360 --> 00:25:01,320
Where is the policy artifact that says public audience internal classification deny disclosure?

605
00:25:01,320 --> 00:25:04,840
In most shadow deployments, there is no artifact because there was no gate.

606
00:25:04,840 --> 00:25:08,280
The agent selected sources based on similarity and availability.

607
00:25:08,280 --> 00:25:10,920
The tool call executed because the token allowed it.

608
00:25:10,920 --> 00:25:13,040
The system did exactly what you configured.

609
00:25:13,040 --> 00:25:16,720
This is where audit provenance policy gate becomes operationally expensive.

610
00:25:16,720 --> 00:25:18,360
Audit tells you the leak happened.

611
00:25:18,360 --> 00:25:21,840
Provenance would tell you how the agent chose that runbook over a public doc.

612
00:25:21,840 --> 00:25:23,120
What other candidates existed?

613
00:25:23,120 --> 00:25:24,640
What was excluded and why?

614
00:25:24,640 --> 00:25:28,280
A policy gate would have prevented the response from ever being published externally.

615
00:25:28,280 --> 00:25:30,640
But the public facing agent usually has none of that.

616
00:25:30,640 --> 00:25:35,200
It has an experience plane that looks polished and a control plane that is effectively absent.

617
00:25:35,200 --> 00:25:37,240
Now the blast radius, this isn't a single reply.

618
00:25:37,240 --> 00:25:38,880
It's speed, reach and replication.

619
00:25:38,880 --> 00:25:41,920
The agent can answer a thousand external users in a day.

620
00:25:41,920 --> 00:25:45,120
Each answer can include a slightly different internal detail.

621
00:25:45,120 --> 00:25:48,600
Customers screenshot aggregators scrape the information spreads because the interfaces

622
00:25:48,600 --> 00:25:51,560
public and the system is consistent in the one way that matters.

623
00:25:51,560 --> 00:25:53,200
It's consistently allowed.

624
00:25:53,200 --> 00:25:54,960
And the post incident review is predictable.

625
00:25:54,960 --> 00:25:59,920
People say we'll tighten the prompt or we'll add a disclaimer or we'll retrain the model.

626
00:25:59,920 --> 00:26:01,480
Those are not containment strategies.

627
00:26:01,480 --> 00:26:03,000
Those are narrative strategies.

628
00:26:03,000 --> 00:26:07,000
The deterministic fix is boring and it works because it creates failure domains.

629
00:26:07,000 --> 00:26:09,280
First, split the identities.

630
00:26:09,280 --> 00:26:13,840
The public facing agent identity must have zero access to internal core data planes.

631
00:26:13,840 --> 00:26:14,840
None.

632
00:26:14,840 --> 00:26:17,640
It should only query a curated, published, approved external knowledge base.

633
00:26:17,640 --> 00:26:22,840
If the public corpus can't answer the correct behavior as refusal or escalation, not improvisation.

634
00:26:22,840 --> 00:26:26,920
Second, if you truly need internal knowledge to support external responses, you introduce

635
00:26:26,920 --> 00:26:27,920
a broker.

636
00:26:27,920 --> 00:26:31,380
The public agent can ask the broker for candidate content but the broker is the policy

637
00:26:31,380 --> 00:26:32,380
gate.

638
00:26:32,380 --> 00:26:34,640
It evaluates venue, audience and data classification.

639
00:26:34,640 --> 00:26:35,980
It transforms or denies.

640
00:26:35,980 --> 00:26:39,880
The public agent never sees internal chunks that are not eligible for egress.

641
00:26:39,880 --> 00:26:42,780
Third, persist the decision artifact with the action.

642
00:26:42,780 --> 00:26:48,520
When a response is allowed externally, you store a loud underrule EX2-1 source set,

643
00:26:48,520 --> 00:26:51,320
PUB docs 2024 Q2.

644
00:26:51,320 --> 00:26:56,640
When it's denied, you store denied underrule EX3-01 internal only content.

645
00:26:56,640 --> 00:27:00,120
Now your audit stops being a story and becomes proof of enforcement.

646
00:27:00,120 --> 00:27:01,960
Replay the same incident under that model.

647
00:27:01,960 --> 00:27:03,880
The customer asks about firmware.

648
00:27:03,880 --> 00:27:06,880
The public agent searches the external corpus and finds nothing definitive.

649
00:27:06,880 --> 00:27:08,160
It asks the broker.

650
00:27:08,160 --> 00:27:11,280
The broker evaluates the internal candidate and denies egress.

651
00:27:11,280 --> 00:27:12,920
The agent replies calmly.

652
00:27:12,920 --> 00:27:17,000
I can't share internal remediation notes here but I can connect you with support.

653
00:27:17,000 --> 00:27:19,160
The screenshot that circulates is a refusal.

654
00:27:19,160 --> 00:27:22,000
That is what containment looks like when you stop trusting the interface and start

655
00:27:22,000 --> 00:27:24,200
enforcing the control plane.

656
00:27:24,200 --> 00:27:27,320
The internal standardizes the envelope, not the guarantees.

657
00:27:27,320 --> 00:27:31,560
Microsoft is right about one thing that most teams quietly misunderstand.

658
00:27:31,560 --> 00:27:35,800
Activities, turn context, direct line, the bot framework patterns, those are not hacks.

659
00:27:35,800 --> 00:27:37,560
They are intentional design surfaces.

660
00:27:37,560 --> 00:27:41,560
They're how Microsoft expects you to build conversational systems that can run across channels

661
00:27:41,560 --> 00:27:43,800
and survive real-world connectivity.

662
00:27:43,800 --> 00:27:48,640
But teams keep hearing supported protocol and mentally upgrading it to guaranteed behavior.

663
00:27:48,640 --> 00:27:49,640
It is not.

664
00:27:49,640 --> 00:27:51,680
A protocol standardizes the envelope.

665
00:27:51,680 --> 00:27:55,560
It standardizes field names, schemas and how events are represented on the wire.

666
00:27:55,560 --> 00:27:59,920
It does not standardize the guarantees you wish you had, ordering exactly once delivery,

667
00:27:59,920 --> 00:28:02,360
causal consistency or safe side effects.

668
00:28:02,360 --> 00:28:06,280
That distinction matters because the moment you wire tool execution to an event stream,

669
00:28:06,280 --> 00:28:07,840
you've built a distributed system.

670
00:28:07,840 --> 00:28:11,160
And distributed systems don't fail because you wrote bad code.

671
00:28:11,160 --> 00:28:13,800
They fail because reality is asynchronous.

672
00:28:13,800 --> 00:28:17,120
Here are the four failure modes you inherit the second you go event-driven.

673
00:28:17,120 --> 00:28:20,520
Duplication, delay, reordering and loss.

674
00:28:20,520 --> 00:28:23,080
Not edge cases, not rare, the environment.

675
00:28:23,080 --> 00:28:25,120
A retry duplicates an activity.

676
00:28:25,120 --> 00:28:27,720
A congested path delays it, two workers re-order it.

677
00:28:27,720 --> 00:28:29,680
A transient broker drop loses it.

678
00:28:29,680 --> 00:28:31,480
The SDK abstracts the plumbing.

679
00:28:31,480 --> 00:28:32,720
It does not repeal physics.

680
00:28:32,720 --> 00:28:33,720
Now add tools.

681
00:28:33,720 --> 00:28:38,160
A send email, delete site or post-message tool call is not a chat reply.

682
00:28:38,160 --> 00:28:39,160
It's a side effect.

683
00:28:39,160 --> 00:28:41,480
Side effects are where your system becomes expensive.

684
00:28:41,480 --> 00:28:45,560
If you treat an incoming activity as authoritative state you are saying, "If I see this envelope,

685
00:28:45,560 --> 00:28:46,880
I will mutate the world."

686
00:28:46,880 --> 00:28:49,080
That's fine for rendering a typing indicator.

687
00:28:49,080 --> 00:28:51,040
It's insane for deleting a site.

688
00:28:51,040 --> 00:28:54,480
And this is exactly how you get the incident pattern from the opening.

689
00:28:54,480 --> 00:28:59,000
Conditional access issued a token once, the context drifted, the agent executed anyway,

690
00:28:59,000 --> 00:29:02,440
and per view logged the whole tragedy with perfect fidelity.

691
00:29:02,440 --> 00:29:06,840
The comfortable response is to say, "Will did you, teams try to did you by best effort in

692
00:29:06,840 --> 00:29:11,520
memory caches, fuzzy comparisons, if the text matches or correlation IDs that exist only

693
00:29:11,520 --> 00:29:13,040
inside a process boundary?"

694
00:29:13,040 --> 00:29:16,080
That's not id-impotency, that's optimism.

695
00:29:16,080 --> 00:29:17,480
But impotency is a contract.

696
00:29:17,480 --> 00:29:22,240
The same operation id produces the same result once, no matter how many times it arrives.

697
00:29:22,240 --> 00:29:26,200
And the only way to make that true is to persist the operation id in an authoritative store

698
00:29:26,200 --> 00:29:28,080
before the side effect happens.

699
00:29:28,080 --> 00:29:29,920
That store is the real boundary.

700
00:29:29,920 --> 00:29:33,080
Not the activity envelope, not the transcript, not the avatar.

701
00:29:33,080 --> 00:29:35,200
This is where most agent architectures quietly rot.

702
00:29:35,200 --> 00:29:37,000
They build a state machine out of envelopes.

703
00:29:37,000 --> 00:29:40,720
Turn context feels like state because it carries context, but it's a context object, not

704
00:29:40,720 --> 00:29:41,720
a ledger.

705
00:29:41,720 --> 00:29:43,800
It's a structured wrapper for a single turn.

706
00:29:43,800 --> 00:29:46,680
Not a durable source of truth for workflow eligibility.

707
00:29:46,680 --> 00:29:49,680
When the process restarts, the truth evaporates.

708
00:29:49,680 --> 00:29:53,520
And the event stream happily replays old messages into a new process that has no memory

709
00:29:53,520 --> 00:29:54,920
of what it already did.

710
00:29:54,920 --> 00:29:56,400
That's conditional chaos.

711
00:29:56,400 --> 00:29:58,600
And notice what makes it worse, embodiment.

712
00:29:58,600 --> 00:30:00,520
Voice adds latency sensitivity.

713
00:30:00,520 --> 00:30:01,520
Streaming adds retries.

714
00:30:01,520 --> 00:30:04,080
Web RTC reconnect logic adds more events.

715
00:30:04,080 --> 00:30:08,040
The experience plane injects more asynchronous behavior into the system, which increases the

716
00:30:08,040 --> 00:30:11,640
probability of duplicates, reordering, and partial failures.

717
00:30:11,640 --> 00:30:13,160
Exactly where your tool calls live.

718
00:30:13,160 --> 00:30:14,880
So the fix starts with the demotion.

719
00:30:14,880 --> 00:30:17,160
Demote events to proposals and telemetry.

720
00:30:17,160 --> 00:30:20,960
Treat every event as a thing that happened or a request that arrived.

721
00:30:20,960 --> 00:30:23,440
Not a state transition that must execute.

722
00:30:23,440 --> 00:30:25,960
Your authoritative workflow position lives elsewhere.

723
00:30:25,960 --> 00:30:27,440
Eligibility lives elsewhere.

724
00:30:27,440 --> 00:30:28,960
The decision lives elsewhere.

725
00:30:28,960 --> 00:30:30,520
Then you do the boring thing that works.

726
00:30:30,520 --> 00:30:32,280
You interpose a deterministic gate.

727
00:30:32,280 --> 00:30:33,880
The agent does not send commands.

728
00:30:33,880 --> 00:30:36,640
It sends structured requests with an operation ID.

729
00:30:36,640 --> 00:30:42,240
The policy engine evaluates against authoritative state and returns, allow, deny, or transform.

730
00:30:42,240 --> 00:30:45,040
These accept decisions, not imperatives.

731
00:30:45,040 --> 00:30:49,800
If an event replays, the same operation ID returns the same decision and the same effect.

732
00:30:49,800 --> 00:30:53,960
If the event arrives out of order, the state store says resource doesn't exist yet.

733
00:30:53,960 --> 00:30:56,040
And the request gets denied deterministically.

734
00:30:56,040 --> 00:31:00,720
If the event arrives late, it gets the same cash decision, not a fresh guess.

735
00:31:00,720 --> 00:31:03,840
Protocol standardization made the system interoperable.

736
00:31:03,840 --> 00:31:05,680
Deterministic design makes it survivable.

737
00:31:05,680 --> 00:31:06,920
Event-driven entropy.

738
00:31:06,920 --> 00:31:09,320
Why retries become incidents without determinism?

739
00:31:09,320 --> 00:31:12,800
This is where enterprise teams accidentally build roulette tables and then act shocked when

740
00:31:12,800 --> 00:31:14,120
the ball lands on red.

741
00:31:14,120 --> 00:31:15,840
They wire an agent to an event stream.

742
00:31:15,840 --> 00:31:19,920
They see clean activities arriving and they treat the arrival of an envelope as permission

743
00:31:19,920 --> 00:31:21,360
to mutate the world.

744
00:31:21,360 --> 00:31:25,160
Create the task, delete the site, send the email, post the message, and because the agent

745
00:31:25,160 --> 00:31:28,200
is just responding, they don't treat it like a transactional system.

746
00:31:28,200 --> 00:31:29,440
They treat it like UI.

747
00:31:29,440 --> 00:31:30,840
That's the foundational mistake.

748
00:31:30,840 --> 00:31:33,240
In an event-driven system, delivery is not a guarantee.

749
00:31:33,240 --> 00:31:34,240
It is an attempt.

750
00:31:34,240 --> 00:31:35,240
The platform will retry.

751
00:31:35,240 --> 00:31:36,720
The SDK will reconnect.

752
00:31:36,720 --> 00:31:38,160
WebRTC will renegotiate.

753
00:31:38,160 --> 00:31:39,640
The broker will re-deliver.

754
00:31:39,640 --> 00:31:43,120
When you add a speaking agent, you add more opportunities for those retries because the

755
00:31:43,120 --> 00:31:46,840
experience plane depends on low latency streaming and noisy networks.

756
00:31:46,840 --> 00:31:48,160
The system compensates.

757
00:31:48,160 --> 00:31:49,640
It tries again.

758
00:31:49,640 --> 00:31:50,800
Here's the part.

759
00:31:50,800 --> 00:31:52,480
People refuse to internalize.

760
00:31:52,480 --> 00:31:54,760
At least once delivery is not reliability.

761
00:31:54,760 --> 00:31:56,880
It is duplication with good intentions.

762
00:31:56,880 --> 00:32:00,520
If your tool call is not a damp-potent, at least once becomes twice.

763
00:32:00,520 --> 00:32:03,120
Twice is an incident if the action isn't reversible.

764
00:32:03,120 --> 00:32:05,000
The cleanest example is email.

765
00:32:05,000 --> 00:32:07,880
Everyone thinks email is harmless because it's not deleting data.

766
00:32:07,880 --> 00:32:11,440
When the agent sends the same message twice because a transient error occurred after the

767
00:32:11,440 --> 00:32:15,600
first send before the system persisted success, the business impact isn't technical.

768
00:32:15,600 --> 00:32:16,600
It's human.

769
00:32:16,600 --> 00:32:18,080
People respond to the wrong thread.

770
00:32:18,080 --> 00:32:19,240
Someone escalates.

771
00:32:19,240 --> 00:32:20,480
Someone forwards.

772
00:32:20,480 --> 00:32:24,480
Now you've created confusion and possibly disclosure and your logs will insist everything

773
00:32:24,480 --> 00:32:26,840
was fine because both sends were legitimate.

774
00:32:26,840 --> 00:32:31,040
Now, upgrade the action to SharePoint Deletion or Permissions Changes and the same pattern

775
00:32:31,040 --> 00:32:32,440
becomes catastrophic.

776
00:32:32,440 --> 00:32:34,360
This is what actually happens in real workloads.

777
00:32:34,360 --> 00:32:35,840
The agent proposes an action.

778
00:32:35,840 --> 00:32:37,320
The orchestrator calls the tool.

779
00:32:37,320 --> 00:32:38,320
The tool executes.

780
00:32:38,320 --> 00:32:41,560
The response is slow or the network flakes or the process restarts.

781
00:32:41,560 --> 00:32:44,160
The orchestrator never receives the success, so it retries.

782
00:32:44,160 --> 00:32:45,640
The tool executes again.

783
00:32:45,640 --> 00:32:47,360
You now have two side effects.

784
00:32:47,360 --> 00:32:50,560
And the only reason you're surprised is because you treated the first execution as if it

785
00:32:50,560 --> 00:32:52,400
was tied to the event receipt.

786
00:32:52,400 --> 00:32:53,400
It wasn't.

787
00:32:53,400 --> 00:32:54,400
The action was tied to optimism.

788
00:32:54,400 --> 00:32:56,280
That's why D-D-D-UP doesn't save you.

789
00:32:56,280 --> 00:32:58,880
D-D-D-UP by best effort is not a safety mechanism.

790
00:32:58,880 --> 00:33:00,400
It is a logging convenience.

791
00:33:00,400 --> 00:33:01,800
People did do it using message text.

792
00:33:01,800 --> 00:33:04,920
That fails the first time the model rephrases the same intent.

793
00:33:04,920 --> 00:33:09,600
People did d-D-UP using timestamps that fails when delayed delivery shifts the arrival window.

794
00:33:09,600 --> 00:33:10,680
People did d-UP in memory.

795
00:33:10,680 --> 00:33:12,120
That fails on process restart.

796
00:33:12,120 --> 00:33:14,080
People did d-UP by correlating turn IDs.

797
00:33:14,080 --> 00:33:17,240
That fails across channels and adapters where IDs are transformed.

798
00:33:17,240 --> 00:33:19,400
The important see is not probably the same.

799
00:33:19,400 --> 00:33:20,760
It is provably the same.

800
00:33:20,760 --> 00:33:24,480
And provably the same requires two things, a stable operation identity and an authoritative

801
00:33:24,480 --> 00:33:26,400
state store that outlives the process.

802
00:33:26,400 --> 00:33:27,560
This is the system law.

803
00:33:27,560 --> 00:33:30,960
If an event can't be safely replayed, it shouldn't control state.

804
00:33:30,960 --> 00:33:32,520
Now apply that law to agents.

805
00:33:32,520 --> 00:33:33,960
The agents job is to propose.

806
00:33:33,960 --> 00:33:37,520
The system's job is to decide and decide must be persistent.

807
00:33:37,520 --> 00:33:39,560
So the deterministic design is simple.

808
00:33:39,560 --> 00:33:43,600
Even if the implementation isn't, every side effecting operation gets an immutable operation

809
00:33:43,600 --> 00:33:48,360
ID that is generated once, not per retry, once.

810
00:33:48,360 --> 00:33:51,960
That operation ID is persisted before the tool executes.

811
00:33:51,960 --> 00:33:55,720
The persisted record includes the proposed action and its current status.

812
00:33:55,720 --> 00:33:58,280
Proposed allowed denied executed failed.

813
00:33:58,280 --> 00:34:00,000
Then every retry becomes boring.

814
00:34:00,000 --> 00:34:03,840
If the same operation ID arrives again, the system returns the already recorded decision

815
00:34:03,840 --> 00:34:04,840
and outcome.

816
00:34:04,840 --> 00:34:05,840
No new side effect.

817
00:34:05,840 --> 00:34:08,960
No second deletion, no second email, no double share.

818
00:34:08,960 --> 00:34:10,480
The replay is saved by design.

819
00:34:10,480 --> 00:34:12,800
This is also how you neutralize reordering.

820
00:34:12,800 --> 00:34:17,160
If complete task arrives before create task, the state store says the task doesn't exist

821
00:34:17,160 --> 00:34:19,440
and the request is denied deterministically.

822
00:34:19,440 --> 00:34:20,920
Not handled later, denied.

823
00:34:20,920 --> 00:34:23,400
The event becomes telemetry, not authority.

824
00:34:23,400 --> 00:34:25,320
And this is how you neutralize delay.

825
00:34:25,320 --> 00:34:27,120
Later rivals don't trigger fresh decisions.

826
00:34:27,120 --> 00:34:30,640
They map to existing operation IDs and return existing outcomes.

827
00:34:30,640 --> 00:34:33,720
The system does not relitigate intent because the packet arrived late.

828
00:34:33,720 --> 00:34:35,960
Now here's the uncomfortable part.

829
00:34:35,960 --> 00:34:37,560
None of this is a model problem.

830
00:34:37,560 --> 00:34:39,120
None of this is hallucination.

831
00:34:39,120 --> 00:34:40,840
None of this is Microsoft being sloppy.

832
00:34:40,840 --> 00:34:44,240
This is distributed systems behavior colliding with side effects.

833
00:34:44,240 --> 00:34:47,800
And the more you anthropomorphize the agent, the less likely you are to build these boring

834
00:34:47,800 --> 00:34:51,160
guarantees because you start believing the interaction is the system.

835
00:34:51,160 --> 00:34:52,160
It isn't.

836
00:34:52,160 --> 00:34:54,800
The system is the state spine behind the conversation.

837
00:34:54,800 --> 00:34:57,120
Without that spine, retries are not resilience.

838
00:34:57,120 --> 00:35:02,160
Retries are how your architecture manufactures incidents out of transient failures.

839
00:35:02,160 --> 00:35:05,800
At pattern one, idempotency keys, post-authoritative state spine.

840
00:35:05,800 --> 00:35:09,200
Now the first deterministic pattern is the one everybody claims they already have.

841
00:35:09,200 --> 00:35:11,800
Right up until the first replay deletes the wrong thing.

842
00:35:11,800 --> 00:35:14,280
Idempotency is not, we try not to do it twice.

843
00:35:14,280 --> 00:35:15,480
Idempotency is a guarantee.

844
00:35:15,480 --> 00:35:19,640
The same operation, identified the same way, produces the same effect exactly once,

845
00:35:19,640 --> 00:35:22,400
no matter how many times the system replays the request.

846
00:35:22,400 --> 00:35:26,920
And the only way to get that guarantee is to stop pretending the event stream is your state.

847
00:35:26,920 --> 00:35:29,000
Here's the model that holds under pressure.

848
00:35:29,000 --> 00:35:33,080
This side-effecting action gets an operation id that is generated once, at the moment the

849
00:35:33,080 --> 00:35:34,680
intent becomes a request.

850
00:35:34,680 --> 00:35:37,200
Not after the tool call, not after the model replies.

851
00:35:37,200 --> 00:35:39,480
Before, that operation id is immutable.

852
00:35:39,480 --> 00:35:43,240
Collision-resistant, boring, it doesn't encode meaning, it encodes identity.

853
00:35:43,240 --> 00:35:47,360
Then you persisted to an authoritative state spine before you execute anything.

854
00:35:47,360 --> 00:35:51,520
That spine is not your turn state, it is not an in-memory cache, it is not will reconstructed

855
00:35:51,520 --> 00:35:52,720
from logs.

856
00:35:52,720 --> 00:35:57,760
It is a durable store that outlives the process and survives retries, restarts and parallel

857
00:35:57,760 --> 00:35:58,760
workers.

858
00:35:58,760 --> 00:36:03,480
Then you store the minimum fields that make replay safe, operation id, proposed action

859
00:36:03,480 --> 00:36:09,160
structured, not pros, current status, proposed, decided executed.

860
00:36:09,160 --> 00:36:14,160
Decision artifact pointer allowed, denied, transformed, target resource identifiers,

861
00:36:14,160 --> 00:36:16,760
and a timestamp plus version for concurrency control.

862
00:36:16,760 --> 00:36:20,760
Once you have that, retries stop being dangerous because retries stop being meaningful.

863
00:36:20,760 --> 00:36:25,040
A duplicate event arrives, you look up the operation id, you already have a status of

864
00:36:25,040 --> 00:36:28,640
executed, you return the previous outcome, no second side effect, no best effort

865
00:36:28,640 --> 00:36:29,640
to do it.

866
00:36:29,640 --> 00:36:33,800
It is deterministic because the state spine is authoritative, reordering becomes boring

867
00:36:33,800 --> 00:36:38,720
for the same reason, an event arrives that says complete task before create task, in

868
00:36:38,720 --> 00:36:43,000
an envelope driven system that creates a time machine, in a spine driven system you check

869
00:36:43,000 --> 00:36:44,000
state.

870
00:36:44,000 --> 00:36:45,800
Task doesn't exist.

871
00:36:45,800 --> 00:36:50,720
You deny deterministically, not because the agent is smart, but because the state is authoritative.

872
00:36:50,720 --> 00:36:52,240
Delays become boring as well.

873
00:36:52,240 --> 00:36:56,520
If the event arrives late, it still references the same operation id, you return the same decision.

874
00:36:56,520 --> 00:37:00,240
The system doesn't reinterpret intent because a packet took a scenic route through someone's

875
00:37:00,240 --> 00:37:01,240
VPN happened.

876
00:37:01,240 --> 00:37:04,440
Now the thing most people miss is the separation of concerns.

877
00:37:04,440 --> 00:37:07,600
Item potency prevents double harm, it does not decide what is allowed.

878
00:37:07,600 --> 00:37:13,520
That's why the operation id must exist before policy evaluation and before tool execution.

879
00:37:13,520 --> 00:37:17,880
It becomes the anchor for everything else, decision execution, audit, provenance.

880
00:37:17,880 --> 00:37:22,480
Without that anchor, you can't tie what we decided to, what we did in a way that survives

881
00:37:22,480 --> 00:37:23,480
failure.

882
00:37:23,480 --> 00:37:25,880
And you need one more piece to make the spine real.

883
00:37:25,880 --> 00:37:30,440
A workflow state machine that is defined outside the agent, the agent can propose the system

884
00:37:30,440 --> 00:37:34,920
must track progression, proposed decided executed is not optional ceremony.

885
00:37:34,920 --> 00:37:38,360
It is how you prevent event noise from becoming irreversible action.

886
00:37:38,360 --> 00:37:42,920
When a worker crashes after executing, but before replying, the state already says executed.

887
00:37:42,920 --> 00:37:44,720
The next worker doesn't try again.

888
00:37:44,720 --> 00:37:46,160
It returns the recorded effect.

889
00:37:46,160 --> 00:37:48,480
This is also why you don't store only success.

890
00:37:48,480 --> 00:37:50,440
You store denials and transforms too.

891
00:37:50,440 --> 00:37:54,480
Because the absence of an action is still a decision you need to replace safely.

892
00:37:54,480 --> 00:38:00,240
If the policy denied the delete at 0905 and the same request replace at 0906, you must deny

893
00:38:00,240 --> 00:38:04,320
again for the same operation id, otherwise you've built a system that can be bypassed by

894
00:38:04,320 --> 00:38:05,840
retry storms.

895
00:38:05,840 --> 00:38:08,440
The practical consequence is that you stop debugging ghosts.

896
00:38:08,440 --> 00:38:12,600
Your incident review stops being how did this run twice and becomes why did we ever allow

897
00:38:12,600 --> 00:38:15,240
this operation id to execute once.

898
00:38:15,240 --> 00:38:16,240
That's progress.

899
00:38:16,240 --> 00:38:17,560
That is where accountability lives.

900
00:38:17,560 --> 00:38:19,280
And yes, this costs engineering effort.

901
00:38:19,280 --> 00:38:23,400
So does every week you spend reconstructing an incident from transcripts and half correlated

902
00:38:23,400 --> 00:38:28,440
log lines, id, potency keys, plus an authoritative state spine are not an optimization.

903
00:38:28,440 --> 00:38:33,080
They are the price of admission for letting probabilistic agents touch deterministic systems.

904
00:38:33,080 --> 00:38:35,320
Deterministic pattern 2 per tool call policy gate.

905
00:38:35,320 --> 00:38:37,160
id, potency gives you safe replay.

906
00:38:37,160 --> 00:38:38,160
Good.

907
00:38:38,160 --> 00:38:40,000
It stops duplicates from turning into double damage.

908
00:38:40,000 --> 00:38:43,960
But id, potency doesn't answer the question that actually decides whether you have an incident.

909
00:38:43,960 --> 00:38:45,480
Should this action be allowed at all?

910
00:38:45,480 --> 00:38:47,920
That's where most enterprises fall back into religion.

911
00:38:47,920 --> 00:38:49,200
The agent knows.

912
00:38:49,200 --> 00:38:50,520
The prompt told it.

913
00:38:50,520 --> 00:38:51,360
We trained it.

914
00:38:51,360 --> 00:38:52,520
It has citations.

915
00:38:52,520 --> 00:38:54,120
None of that is an enforcement model.

916
00:38:54,120 --> 00:38:55,120
It's a hope model.

917
00:38:55,120 --> 00:39:00,080
A per tool called policy gate is the mechanism that converts hope into a deterministic decision.

918
00:39:00,080 --> 00:39:02,200
And the key change is conceptual, not technical.

919
00:39:02,200 --> 00:39:03,680
The agent stops issuing commands.

920
00:39:03,680 --> 00:39:05,600
It starts submitting requests.

921
00:39:05,600 --> 00:39:11,920
The moment you let the model speak in imperatives, delete side X, share file Y, email this to Zid.

922
00:39:11,920 --> 00:39:13,920
You've made the LLM the control plane.

923
00:39:13,920 --> 00:39:16,640
You've delegated authority to a probabilistic system.

924
00:39:16,640 --> 00:39:18,040
That is not agentic.

925
00:39:18,040 --> 00:39:19,040
That is application.

926
00:39:19,040 --> 00:39:20,960
A policy gate flips the relationship.

927
00:39:20,960 --> 00:39:23,840
The agent proposes the control plane disposes.

928
00:39:23,840 --> 00:39:25,480
So what does the gate actually evaluate?

929
00:39:25,480 --> 00:39:30,760
Not pros, not vibe, not it sounded reasonable, a structured request.

930
00:39:30,760 --> 00:39:36,360
At minimum, every tool reaching request carries a tuple, actor, intent, scope, data class,

931
00:39:36,360 --> 00:39:38,400
venue and operation id.

932
00:39:38,400 --> 00:39:43,320
Actor is the identity that would execute the call, human, workload identity or segmented

933
00:39:43,320 --> 00:39:44,800
agent principle.

934
00:39:44,800 --> 00:39:51,280
It is the verb, delete, share, send, post, create, approve, small, innumerable, boring.

935
00:39:51,280 --> 00:39:56,760
Scope is the concrete target, site id, file id, mailbox, distribution list, external domain,

936
00:39:56,760 --> 00:39:58,080
API endpoint.

937
00:39:58,080 --> 00:40:02,200
Data class is the sensitivity of the thing being touched or disclosed, derived from authoritative

938
00:40:02,200 --> 00:40:04,840
classification, not guessed by the model.

939
00:40:04,840 --> 00:40:08,920
Venew is where the effect will manifest internal tenant, external email, teams meeting

940
00:40:08,920 --> 00:40:13,640
with external's public web chat, operation id, anchors, replay and traceability as we already

941
00:40:13,640 --> 00:40:14,640
covered.

942
00:40:14,640 --> 00:40:18,360
Now the policy engine evaluates that tuple against rules and authoritative state.

943
00:40:18,360 --> 00:40:20,240
It returns one of three outcomes.

944
00:40:20,240 --> 00:40:24,240
Allow, deny, transform.

945
00:40:24,240 --> 00:40:27,680
Allow means it can proceed, but not as a blank check.

946
00:40:27,680 --> 00:40:32,920
It can attach constraints, time window, max recipients, required approval, rate limits,

947
00:40:32,920 --> 00:40:34,440
a narrow target set.

948
00:40:34,440 --> 00:40:36,280
deny means the tool never executes.

949
00:40:36,280 --> 00:40:40,280
The refusal is not a moral stance, it's a deterministic result, intent x and venue

950
00:40:40,280 --> 00:40:46,320
y with data class z violates rule r, transform is the underused one that keeps systems usable.

951
00:40:46,320 --> 00:40:49,600
It means the action is allowed only in a safer form.

952
00:40:49,600 --> 00:40:53,800
Replace share externally with share internally and create an approval task.

953
00:40:53,800 --> 00:40:58,600
Replace speak compensation cohort data with speaker high level summary template.

954
00:40:58,600 --> 00:41:00,720
Replace delete with move to quarantine.

955
00:41:00,720 --> 00:41:02,960
This is how you avoid the false choice.

956
00:41:02,960 --> 00:41:05,840
Between agents are useless and agents are dangerous.

957
00:41:05,840 --> 00:41:09,760
The gate is also where you encode negative space, not just what you did, what you refused

958
00:41:09,760 --> 00:41:13,720
to do, what you refused to retrieve, what you refused to disclose.

959
00:41:13,720 --> 00:41:17,440
Because governance without refusal telemetry becomes performative, it only shows motion.

960
00:41:17,440 --> 00:41:21,080
Now here's the part that separates a real gate from a prompt based imitation.

961
00:41:21,080 --> 00:41:23,480
Tools must accept decisions, not requests.

962
00:41:23,480 --> 00:41:28,080
If your tool endpoint will execute any authenticated call that contains delete, true, you don't have

963
00:41:28,080 --> 00:41:31,360
a gate, you have a suggestion layer in front of a loaded weapon.

964
00:41:31,360 --> 00:41:35,480
The tool should accept only a signed decision artifact from the policy engine bound to

965
00:41:35,480 --> 00:41:40,200
the operation ID with a short TTL if the decision doesn't match the tool denies.

966
00:41:40,200 --> 00:41:43,840
If the operation ID was already executed, the tool returns the prior outcome.

967
00:41:43,840 --> 00:41:48,440
That binds execution to policy and makes bypassing the gate materially harder.

968
00:41:48,440 --> 00:41:49,920
And yes, this sounds like overhead.

969
00:41:49,920 --> 00:41:50,920
It is.

970
00:41:50,920 --> 00:41:53,640
It's also the only place where intent can be enforced at action time.

971
00:41:53,640 --> 00:41:54,880
Conditional access can't do this.

972
00:41:54,880 --> 00:41:56,200
It doesn't see the tool call.

973
00:41:56,200 --> 00:41:57,760
It sees token issuance context.

974
00:41:57,760 --> 00:41:58,760
Per view can't do this.

975
00:41:58,760 --> 00:42:00,360
It sees the aftermath.

976
00:42:00,360 --> 00:42:01,360
Citations can't do this.

977
00:42:01,360 --> 00:42:03,160
They explain retrieval, not permission.

978
00:42:03,160 --> 00:42:05,160
Only a gate can stop the train while it's moving.

979
00:42:05,160 --> 00:42:09,680
If you want a concrete mental picture, treat the policy engine like an authorization compiler.

980
00:42:09,680 --> 00:42:11,360
The agent submits a high level request.

981
00:42:11,360 --> 00:42:13,280
The compiler checks it against rules and state.

982
00:42:13,280 --> 00:42:15,000
It emits a decision artifact.

983
00:42:15,000 --> 00:42:16,760
The runtime can execute.

984
00:42:16,760 --> 00:42:18,760
Without that artifact execution is invalid.

985
00:42:18,760 --> 00:42:21,600
That's determinism grafted onto probabilistic reasoning.

986
00:42:21,600 --> 00:42:24,800
And once you have it, your incident reviews change shape.

987
00:42:24,800 --> 00:42:28,360
You stop asking why did it do that as if the agent had agency?

988
00:42:28,360 --> 00:42:30,480
You ask which rule allowed this?

989
00:42:30,480 --> 00:42:31,960
And who changed it?

990
00:42:31,960 --> 00:42:33,440
That's accountability.

991
00:42:33,440 --> 00:42:38,040
And then the logistic pattern three segmented agent identities as failure domains.

992
00:42:38,040 --> 00:42:41,920
Once you put a real policy gate in front of tools, you've solved the should this be a

993
00:42:41,920 --> 00:42:46,800
loud problem at action time, but you still haven't solved the bigger failure domain problem.

994
00:42:46,800 --> 00:42:50,560
Because if one identity can do everything, your gate becomes your only break and breaks

995
00:42:50,560 --> 00:42:51,560
fail.

996
00:42:51,560 --> 00:42:52,560
Rules drift.

997
00:42:52,560 --> 00:42:53,880
Someone adds an exception.

998
00:42:53,880 --> 00:42:56,120
An urgent request becomes permanent.

999
00:42:56,120 --> 00:42:58,760
Entropy always wins unless you give it walls to hit.

1000
00:42:58,760 --> 00:43:00,360
Segmented agent identities are those walls.

1001
00:43:00,360 --> 00:43:01,960
One agent is not one identity.

1002
00:43:01,960 --> 00:43:03,520
One agent is an orchestrator.

1003
00:43:03,520 --> 00:43:07,600
It should coordinate multiple principles, each with a narrow capability and a narrow blast

1004
00:43:07,600 --> 00:43:08,600
radius.

1005
00:43:08,600 --> 00:43:10,120
Read, write and address.

1006
00:43:10,120 --> 00:43:13,840
That distinction matters because the dominant failure mode in enterprise agents is not the

1007
00:43:13,840 --> 00:43:15,680
agent got global admin.

1008
00:43:15,680 --> 00:43:17,680
Microsoft has already constrained a lot of that.

1009
00:43:17,680 --> 00:43:19,440
The dominant failure is the boring one.

1010
00:43:19,440 --> 00:43:24,440
A convenience driven, overscoped identity executing at machine speed in the wrong place.

1011
00:43:24,440 --> 00:43:25,880
Least privilege isn't a value statement.

1012
00:43:25,880 --> 00:43:26,880
It's math.

1013
00:43:26,880 --> 00:43:30,880
Scopes multiplied by ambiguity multiplied by speed equals blast radius.

1014
00:43:30,880 --> 00:43:35,360
If you let the same identity retrieve broadly, write broadly and communicate externally, you've

1015
00:43:35,360 --> 00:43:37,240
created a super user with a polite interface.

1016
00:43:37,240 --> 00:43:39,400
It doesn't matter how good your prompt is.

1017
00:43:39,400 --> 00:43:40,680
The capability exists.

1018
00:43:40,680 --> 00:43:42,680
The model will eventually root intent into it.

1019
00:43:42,680 --> 00:43:44,760
So you split capability at the identity boundary.

1020
00:43:44,760 --> 00:43:46,240
The read identity can only read.

1021
00:43:46,240 --> 00:43:50,000
It can query SharePoint metadata, retrieve files and summarize content.

1022
00:43:50,000 --> 00:43:51,000
It cannot delete.

1023
00:43:51,000 --> 00:43:52,000
It cannot share.

1024
00:43:52,000 --> 00:43:53,000
It cannot send.

1025
00:43:53,000 --> 00:43:54,960
It cannot write anywhere that matters.

1026
00:43:54,960 --> 00:43:56,600
Its job is to propose not to act.

1027
00:43:56,600 --> 00:43:58,040
Then you create a write identity.

1028
00:43:58,040 --> 00:43:59,440
This one is intentionally painful.

1029
00:43:59,440 --> 00:44:03,320
It holds only the minimum permissions needed for irreversible actions.

1030
00:44:03,320 --> 00:44:07,880
And those permissions are resource, scoped, short-lived and ideally minted just in time.

1031
00:44:07,880 --> 00:44:11,240
If you can't make them short-lived, then you rotate aggressively and monitor like you mean

1032
00:44:11,240 --> 00:44:12,240
it.

1033
00:44:12,240 --> 00:44:13,720
This identity never retrieves broadly.

1034
00:44:13,720 --> 00:44:14,720
It doesn't need to.

1035
00:44:14,720 --> 00:44:18,640
It executes against explicit targets that have already passed policy evaluation.

1036
00:44:18,640 --> 00:44:20,320
And then you create an egress identity.

1037
00:44:20,320 --> 00:44:24,560
This one can talk outside the tenant or publish to public surfaces or send email to external

1038
00:44:24,560 --> 00:44:25,560
domains.

1039
00:44:25,560 --> 00:44:27,720
It has zero access to internal corporate data planes.

1040
00:44:27,720 --> 00:44:28,720
None.

1041
00:44:28,720 --> 00:44:32,600
You can see internal runbooks and also post externally you've already lost.

1042
00:44:32,600 --> 00:44:33,680
Egress is not a feature.

1043
00:44:33,680 --> 00:44:34,680
It's a failure domain.

1044
00:44:34,680 --> 00:44:37,560
Now the obvious objection is that's three times the complexity.

1045
00:44:37,560 --> 00:44:41,840
No, it's three times the clarity because now every action has a lane and lanes don't cross

1046
00:44:41,840 --> 00:44:43,000
without a broker.

1047
00:44:43,000 --> 00:44:44,440
The orchestrator can request.

1048
00:44:44,440 --> 00:44:47,960
The policy gate can decide the correct identity can execute.

1049
00:44:47,960 --> 00:44:52,280
If the read identity gets compromised, the attacker gets visibility, not destruction.

1050
00:44:52,280 --> 00:44:56,040
If the right identity gets compromised, the attacker gets destruction, but only within

1051
00:44:56,040 --> 00:45:00,640
a narrowly scoped domain and ideally only for a short time window.

1052
00:45:00,640 --> 00:45:04,720
If the egress identity gets compromised, the attacker can speak, but they can't see your

1053
00:45:04,720 --> 00:45:06,040
internal knowledge base.

1054
00:45:06,040 --> 00:45:09,920
This is how you build containment into the system rather than writing incident reviews

1055
00:45:09,920 --> 00:45:11,680
about will be more careful.

1056
00:45:11,680 --> 00:45:14,400
And it pairs cleanly with the previous two patterns.

1057
00:45:14,400 --> 00:45:16,040
Identity gives you safe replay.

1058
00:45:16,040 --> 00:45:19,200
The policy gate gives you action time authorization.

1059
00:45:19,200 --> 00:45:22,360
Segmented identities give you blast radius containment when the gate is wrong.

1060
00:45:22,360 --> 00:45:25,200
Now here's the part most teams miss.

1061
00:45:25,200 --> 00:45:28,160
Reaction must be enforced by design, not etiquette.

1062
00:45:28,160 --> 00:45:31,720
Don't let the agent choose which identity to use based on a prompt instruction.

1063
00:45:31,720 --> 00:45:32,720
That's still hope.

1064
00:45:32,720 --> 00:45:37,160
Identity selection should be a deterministic mapping from intent and venue to a principle

1065
00:45:37,160 --> 00:45:38,920
enforced by the control plane.

1066
00:45:38,920 --> 00:45:41,320
Delete intent routes to the right principle.

1067
00:45:41,320 --> 00:45:44,320
External publication routes to the egress principle.

1068
00:45:44,320 --> 00:45:46,080
Retrieval routes to the read principle.

1069
00:45:46,080 --> 00:45:50,400
The agent can't override that because it never directly holds the credentials for the

1070
00:45:50,400 --> 00:45:51,640
other lanes.

1071
00:45:51,640 --> 00:45:54,160
This is also how you survive shadow agents sprawl.

1072
00:45:54,160 --> 00:45:58,120
When someone spins up a quick external bot, the external lane simply cannot authenticate

1073
00:45:58,120 --> 00:46:00,200
to internal core data planes.

1074
00:46:00,200 --> 00:46:02,280
Even if they try, even if they copy code.

1075
00:46:02,280 --> 00:46:06,240
Even if they add a connector, the design makes the bad path impossible without an explicit

1076
00:46:06,240 --> 00:46:07,400
governance decision.

1077
00:46:07,400 --> 00:46:11,280
So if you remember one sentence from this pattern, make it this.

1078
00:46:11,280 --> 00:46:13,880
Agents should fail small, not fail loud.

1079
00:46:13,880 --> 00:46:17,240
A single identity design makes failure loud by default.

1080
00:46:17,240 --> 00:46:20,640
Segmented identities make failure bounded by default.

1081
00:46:20,640 --> 00:46:24,720
That's the difference between a contained incident and a tenet wide outage delivered by

1082
00:46:24,720 --> 00:46:26,120
a calm voice.

1083
00:46:26,120 --> 00:46:31,040
Bragg as a security boundary, retrieval filters plus negative space plus output classification

1084
00:46:31,040 --> 00:46:34,960
not tie the whole thing back to the part everybody treats as just search.

1085
00:46:34,960 --> 00:46:37,120
Retrieval.

1086
00:46:37,120 --> 00:46:39,360
Most teams implement rag like a convenience feature.

1087
00:46:39,360 --> 00:46:43,440
Embed documents, vector search, pull the top five chunks, stuff them into the prompt and

1088
00:46:43,440 --> 00:46:45,080
call it grounded.

1089
00:46:45,080 --> 00:46:46,080
That is not a boundary.

1090
00:46:46,080 --> 00:46:49,120
That is a suggestion engine feeding a probabilistic model.

1091
00:46:49,120 --> 00:46:51,520
In a real enterprise, retrieval is an authorization event.

1092
00:46:51,520 --> 00:46:55,240
It is the moment your system decides what information is allowed to exist for this actor

1093
00:46:55,240 --> 00:46:56,960
in this venue right now.

1094
00:46:56,960 --> 00:47:00,680
If you don't treat it that way, the nearest neighbor algorithm will outrun your governance

1095
00:47:00,680 --> 00:47:01,680
model every time.

1096
00:47:01,680 --> 00:47:03,560
So the boundary starts before similarity.

1097
00:47:03,560 --> 00:47:05,800
Alligibility comes first.

1098
00:47:05,800 --> 00:47:10,200
Before you run a vector search, you filter the candidate set using hard predicates,

1099
00:47:10,200 --> 00:47:13,800
principle, access scope, confidentiality and venue.

1100
00:47:13,800 --> 00:47:17,720
Principle means the workload identity or user context that is actually operating.

1101
00:47:17,720 --> 00:47:21,480
This scope means what corpus this identity is allowed to see based on an authoritative

1102
00:47:21,480 --> 00:47:25,200
catalog, not on whatever connector happens to be configured.

1103
00:47:25,200 --> 00:47:28,520
Confidentiality means the classification level of the content.

1104
00:47:28,520 --> 00:47:31,320
venue means where the answer will be consumed.

1105
00:47:31,320 --> 00:47:35,480
Internal chat, mixed audience meeting, external web, email public site.

1106
00:47:35,480 --> 00:47:38,720
If a chunk is not eligible under those predicates, it does not exist.

1107
00:47:38,720 --> 00:47:40,040
Not it won't be used.

1108
00:47:40,040 --> 00:47:41,480
It doesn't exist.

1109
00:47:41,480 --> 00:47:43,040
This is the uncomfortable truth.

1110
00:47:43,040 --> 00:47:44,760
Similarity search is not a permissions model.

1111
00:47:44,760 --> 00:47:48,600
It is math and math will happily return the best match from an ineligible corpus unless

1112
00:47:48,600 --> 00:47:49,800
you fence it.

1113
00:47:49,800 --> 00:47:53,200
Then you do the thing that makes the whole system safer without anyone noticing.

1114
00:47:53,200 --> 00:47:55,160
You build negative space.

1115
00:47:55,160 --> 00:47:58,440
Negative space means the system records what it refused to retrieve and what it refused

1116
00:47:58,440 --> 00:47:59,440
to say.

1117
00:47:59,440 --> 00:48:03,600
When the pre-filters exclude chunks, you lock that exclusion with a reason.

1118
00:48:03,600 --> 00:48:08,160
Excluded because venue external, excluded because confidentiality and turn only, excluded

1119
00:48:08,160 --> 00:48:10,320
because principle lacks access scope.

1120
00:48:10,320 --> 00:48:14,120
When the filtered retrieval returns nothing, that emptiness is not an error.

1121
00:48:14,120 --> 00:48:15,280
It is a safe outcome.

1122
00:48:15,280 --> 00:48:18,440
It is the system refusing to invent or overshare.

1123
00:48:18,440 --> 00:48:21,120
Most organizations treat no results as a UX bug.

1124
00:48:21,120 --> 00:48:23,120
They force the model to answer anyway.

1125
00:48:23,120 --> 00:48:25,680
That turns your rack system into a leak mechanism.

1126
00:48:25,680 --> 00:48:27,680
The safe behavior is sight or silent.

1127
00:48:27,680 --> 00:48:30,480
If there is no eligible evidence, the agent says less.

1128
00:48:30,480 --> 00:48:33,080
No eligible content found for this request is a feature.

1129
00:48:33,080 --> 00:48:37,120
It's the guardrail that stops the model from converting uncertainty into confident

1130
00:48:37,120 --> 00:48:38,120
nonsense.

1131
00:48:38,120 --> 00:48:40,840
Now you enforce the same discipline on generation.

1132
00:48:40,840 --> 00:48:45,240
The model can only assert claims that map to eligible chunk IDs and it must cite them.

1133
00:48:45,240 --> 00:48:46,720
If it can't cite it downgrades.

1134
00:48:46,720 --> 00:48:49,200
If it can't downgrade safely, it refuses.

1135
00:48:49,200 --> 00:48:52,360
This is how you make grounding measurable instead of aspirational.

1136
00:48:52,360 --> 00:48:55,200
But the part that most people miss is output classification.

1137
00:48:55,200 --> 00:48:59,120
Enterprises label inputs and then pretend outputs inherit safety biosmosis.

1138
00:48:59,120 --> 00:49:00,120
They don't.

1139
00:49:00,120 --> 00:49:01,120
The output is a new artifact.

1140
00:49:01,120 --> 00:49:02,120
It can aggregate.

1141
00:49:02,120 --> 00:49:03,120
It can summarize.

1142
00:49:03,120 --> 00:49:07,040
It can combine two non-sensitive facts into a sensitive conclusion.

1143
00:49:07,040 --> 00:49:09,360
And invoice scenarios output is publication.

1144
00:49:09,360 --> 00:49:13,680
So you derive an output sensitivity label from the sources used and the aggregation level

1145
00:49:13,680 --> 00:49:14,680
of the answer.

1146
00:49:14,680 --> 00:49:19,720
If the answer pulls from compensation guidance and produces cohort level metrics, the output

1147
00:49:19,720 --> 00:49:24,000
is compensation sensitive even if no single chunk was labeled secret.

1148
00:49:24,000 --> 00:49:27,400
Then you root that output through the same policy gate that controls tool calls because

1149
00:49:27,400 --> 00:49:32,360
speech is a tool call, venue plus output classification becomes your egress boundary.

1150
00:49:32,360 --> 00:49:37,960
Mixed audience, external participants, then the speech path requires a transform or deny.

1151
00:49:37,960 --> 00:49:39,120
Internal HR channel.

1152
00:49:39,120 --> 00:49:42,440
You might allow text, deny speech or require different identity.

1153
00:49:42,440 --> 00:49:46,920
The point is that the system decides at action time, not after the transcript is stored.

1154
00:49:46,920 --> 00:49:51,120
This is how rag stops being a knowledge feature and becomes a security boundary.

1155
00:49:51,120 --> 00:49:53,360
Eligibility before similarity.

1156
00:49:53,360 --> 00:49:57,440
Negative space as a first class record, outputs classified and gated like actions.

1157
00:49:57,440 --> 00:49:59,200
The agent still speaks when it has proof.

1158
00:49:59,200 --> 00:50:00,880
It goes quiet when it doesn't.

1159
00:50:00,880 --> 00:50:05,360
And that silence is what prevents the next incident from being perfectly logged.

1160
00:50:05,360 --> 00:50:06,360
Conditional access?

1161
00:50:06,360 --> 00:50:07,360
Necessary?

1162
00:50:07,360 --> 00:50:08,360
Not sufficient.

1163
00:50:08,360 --> 00:50:12,080
Conditional access is the most over praised control in the agent conversation and it's

1164
00:50:12,080 --> 00:50:13,080
still mandatory.

1165
00:50:13,080 --> 00:50:14,080
It is the front gate.

1166
00:50:14,080 --> 00:50:18,600
It decides whether an identity should receive a token right now under current risk signals,

1167
00:50:18,600 --> 00:50:22,040
device posture, location, sign-in-risk, workload context.

1168
00:50:22,040 --> 00:50:25,240
For agents and other non-human identities, that matters.

1169
00:50:25,240 --> 00:50:27,920
It shrinks who can even show up holding credentials.

1170
00:50:27,920 --> 00:50:28,920
You don't skip that.

1171
00:50:28,920 --> 00:50:33,160
But conditional access is also where enterprises stop thinking because it feels like enforcement.

1172
00:50:33,160 --> 00:50:34,880
This is the uncomfortable truth.

1173
00:50:34,880 --> 00:50:36,560
Conditional access is a token time decision.

1174
00:50:36,560 --> 00:50:38,080
It is not an action time decision.

1175
00:50:38,080 --> 00:50:40,760
And answers, may this identity obtain a token?

1176
00:50:40,760 --> 00:50:44,480
Not may this identity delete this site, share this file or speak this aggregation in this

1177
00:50:44,480 --> 00:50:45,480
venue?

1178
00:50:45,480 --> 00:50:48,720
Once the token exists, you are no longer in an authentication problem.

1179
00:50:48,720 --> 00:50:50,520
You are in an authorization problem.

1180
00:50:50,520 --> 00:50:55,480
And token issuance cannot adjudicate tool execution because tool execution happens later in a different

1181
00:50:55,480 --> 00:51:00,480
context after retrieval, after orchestration, after the meeting audience changes, after

1182
00:51:00,480 --> 00:51:03,160
the agent chooses a path you didn't anticipate.

1183
00:51:03,160 --> 00:51:08,040
That's why so many incidents look compliant in entra and still unacceptable in the business.

1184
00:51:08,040 --> 00:51:10,080
Walk the timeline and the gap becomes obvious.

1185
00:51:10,080 --> 00:51:12,040
The agent requests a token.

1186
00:51:12,040 --> 00:51:13,920
Conditional access evaluates and passes.

1187
00:51:13,920 --> 00:51:14,920
Good.

1188
00:51:14,920 --> 00:51:18,760
Then the agent retrieves a loud data under its scopes, logged, fine.

1189
00:51:18,760 --> 00:51:20,400
Then the agent proposes an action.

1190
00:51:20,400 --> 00:51:22,760
Delete, share, email, post, speak.

1191
00:51:22,760 --> 00:51:26,240
This is the moment that matters because this is the moment side effects happen.

1192
00:51:26,240 --> 00:51:30,120
And conditional access is not in that path unless you force it back in with a separate decision

1193
00:51:30,120 --> 00:51:31,120
point.

1194
00:51:31,120 --> 00:51:32,440
That is what the policy gate is for.

1195
00:51:32,440 --> 00:51:34,600
It is not a replacement for conditional access.

1196
00:51:34,600 --> 00:51:36,360
It is the missing second gate.

1197
00:51:36,360 --> 00:51:37,960
Conditional access decides who may try.

1198
00:51:37,960 --> 00:51:39,760
The policy engine decides what may happen.

1199
00:51:39,760 --> 00:51:43,960
Now the mistake teams make is trying to stretch conditional access to cover what it can't.

1200
00:51:43,960 --> 00:51:48,040
They pile on network locations, token protection, session controls, device filters and assume

1201
00:51:48,040 --> 00:51:50,080
the blast radius shrinks automatically.

1202
00:51:50,080 --> 00:51:51,080
It doesn't.

1203
00:51:51,080 --> 00:51:54,960
If the agent holds broad right scopes, the radius is already baked in.

1204
00:51:54,960 --> 00:51:57,320
Conditional access just decides who gets to hold the match.

1205
00:51:57,320 --> 00:51:59,760
So the architecture you enforce is a braid.

1206
00:51:59,760 --> 00:52:02,800
Conditional access at token time, strict and non-negotiable.

1207
00:52:02,800 --> 00:52:06,400
Least privilege on scopes because permissions are blast radius math.

1208
00:52:06,400 --> 00:52:10,480
Uncreated identities because one agent should not be one super identity and per tool call

1209
00:52:10,480 --> 00:52:14,640
policy evaluation because action time authorization is where incidents either happen or don't.

1210
00:52:14,640 --> 00:52:16,440
Now make monitoring, earn its keep.

1211
00:52:16,440 --> 00:52:19,080
Watch token issuance patterns on agent identities.

1212
00:52:19,080 --> 00:52:22,240
Unusual cadence, unusual geos, new client types.

1213
00:52:22,240 --> 00:52:23,480
That's the identity plane.

1214
00:52:23,480 --> 00:52:28,760
But also watch tool call shapes, spikes in deletes, sudden external egress, novel venues.

1215
00:52:28,760 --> 00:52:29,760
That's the action plane.

1216
00:52:29,760 --> 00:52:32,640
And when you detect drift, you don't retrain the agent.

1217
00:52:32,640 --> 00:52:37,040
With titan scopes, titan policies and shrink failure domains, conditional access is necessary

1218
00:52:37,040 --> 00:52:39,560
because it keeps the wrong identities from showing up.

1219
00:52:39,560 --> 00:52:43,080
It is not sufficient because the right identity can still do the wrong thing, perfectly

1220
00:52:43,080 --> 00:52:45,240
logged with a valid token.

1221
00:52:45,240 --> 00:52:49,240
The experience plane tax, web RTC, speech regions and metered certainty.

1222
00:52:49,240 --> 00:52:52,960
Now the punchline nobody budgets for until the demo becomes production, the experience plane

1223
00:52:52,960 --> 00:52:53,960
tax.

1224
00:52:53,960 --> 00:52:56,400
The face and the voice don't just add engagement.

1225
00:52:56,400 --> 00:53:01,120
They add failure domains, networks, regions and metering and none of that complexity

1226
00:53:01,120 --> 00:53:04,800
buys you a single extra millisecond of deterministic control.

1227
00:53:04,800 --> 00:53:05,880
Start with web RTC.

1228
00:53:05,880 --> 00:53:07,800
It works beautifully in a clean lab.

1229
00:53:07,800 --> 00:53:12,360
Then it meets enterprise reality, NIT traversal, VPN hairpins, deep packet inspection, split

1230
00:53:12,360 --> 00:53:16,760
tunnel policies and firewalls that quietly hate UDP, so you fall back to relays.

1231
00:53:16,760 --> 00:53:18,040
Turn becomes mandatory.

1232
00:53:18,040 --> 00:53:20,640
That adds hops, jitter and operational overhead.

1233
00:53:20,640 --> 00:53:25,200
The avatar stutters, the audio talks over itself and the system compensates with retries

1234
00:53:25,200 --> 00:53:30,000
and reconnects more events, more envelope churn, more entropy injected into the same pathway

1235
00:53:30,000 --> 00:53:31,880
that also drives tool calls.

1236
00:53:31,880 --> 00:53:32,880
Then speech regions.

1237
00:53:32,880 --> 00:53:35,040
Azure Speech is region bound by design.

1238
00:53:35,040 --> 00:53:37,080
Keys are region locked and points are regional.

1239
00:53:37,080 --> 00:53:40,400
If you serve multiple geographies, you don't have a voice.

1240
00:53:40,400 --> 00:53:45,840
You have a fleet of voices, separate resources, quotas, keys, routing logic and failover plans.

1241
00:53:45,840 --> 00:53:50,120
When a region blips, the agent doesn't fail in a way your control plane can reason about.

1242
00:53:50,120 --> 00:53:53,840
It fails in the human layer, the voice disappears and the business interprets that as the

1243
00:53:53,840 --> 00:53:58,640
agent is down, even if the decision engine is still happily proposing actions.

1244
00:53:58,640 --> 00:54:02,720
And it's all metered, per second, not per outcome, not per prevented incident, per second

1245
00:54:02,720 --> 00:54:04,040
of stream certainty.

1246
00:54:04,040 --> 00:54:07,960
So you end up financing persuasion, tens of millions of seconds of compute to animate confidence

1247
00:54:07,960 --> 00:54:11,560
while the control plane that could prevent harm remains underbuilt.

1248
00:54:11,560 --> 00:54:15,160
Conclusion, assume the face is lying and force intended action time.

1249
00:54:15,160 --> 00:54:16,600
The voice adds trust.

1250
00:54:16,600 --> 00:54:19,520
The system did not earn it and logs won't save you after the fact.

1251
00:54:19,520 --> 00:54:22,800
Make the agent propose then force the control plane to dispose.

1252
00:54:22,800 --> 00:54:29,160
Item potency, authoritative state, per tool call policy gates and segmented identities.

1253
00:54:29,160 --> 00:54:33,240
If you do one thing next, audit where actions execute without a gate and market red, then

1254
00:54:33,240 --> 00:54:34,720
fund determinism not avatars.