Most organizations treat Microsoft 365
as a collection of features to be purchased.
They are wrong.
What they're actually operating is an economic system.
And like all systems, it leaks, not dramatically.
Silently.
Let me walk you through the seven patterns I see over and over.
Each one individually looks manageable.
Together, they compound into what I call architectural entropy,
the slow, invisible decay of value in your Microsoft tenant.
Sin 1, the myth of procurement as strategy.
The lie is simple.
Buy the right license, get the right outcome.
Most organizations believe that purchasing E5 licenses
equals digital transformation.
They tell their CFO, they are modernizing.
They renew annually.
Nobody questions whether the capability they bought
is actually creating value.
Here's what happens instead.
A global engineering firm with 5,000 seats
decides to go digital.
They land on E5 as the standard.
90% adoption across the knowledge worker base.
On paper, perfect.
In reality, only a fraction of users ever
touched the premium connectors.
Copilot sat unused.
Defender features were never operationalized.
After 18 months, a rationalization audit revealed the truth.
56% of those licenses were either inactive, underutilized,
or completely misaligned with actual work patterns.
By role, by region, by function.
The economic leakage?
$1.6 million annually.
They were financing architectural erosion without knowing it.
This is what I mean by procurement
masquerading as strategy.
You bought a feature bundle.
You mistook it for an operating model.
The control plane fix is brutally simple.
If you cannot map telemetry to quarterly value
realization, if you cannot prove that the premium capabilities
you paid for are actively driving business outcomes,
then you don't have architecture.
You have procurement.
And procurement, by definition,
has no accountability for the money
after the check clears.
Sin 2, permission sprawl.
The authorization compiler nobody built.
The next pattern is permission creep.
And it's more dangerous than most organizations realize.
In Entra ID, there's a default culture I call add-only.
Permissions get granted.
They rarely get revoked.
That's not incompetence.
That's design inertia.
No one owns the lifecycle.
No one reviews it.
So it accumulates.
I audited a financial services firm last year.
They discovered 847 orphaned app registrations.
Applications that were granted permissions three years ago
for a pilot project that was abandoned.
The permissions were never removed.
The service principals still held Microsoft Graph rights
to access tenant data, user information, mailbox contents.
54% of IT leaders report complex identity and privilege sprawl.
In large tenants, it's normal to have 200, 300, sometimes
400 privileged applications running
with permissions that nobody can fully account for.
Here's the economic consequence.
Audit friction, breach exposure, operational paralysis.
When a compliance team asks, who has access to what?
The answer takes weeks to assemble.
And in a breach, you're blind.
You don't know what was exposed
because you don't know what permissions existed.
The control plane fixes this.
Treat permissions as entropy generators, not rewards.
Design expiration into every access
grant from the start.
Enforce lifecycle ownership.
If an application's purpose has expired,
its permissions expire with it.
Automatically, this is not optional.
This is architectural law.
Sin 3, tactical governance.
The theater of compliance.
Most organizations claim they have governance.
What they actually have is theater.
I walked into a healthcare organization
with 72 Teams governance policies.
All of them documented.
None of them automated.
They relied on manual approvals,
on reactive policing, on human bottlenecks,
on inconsistent enforcement.
How many manual hours went into that every year?
4,000, minimum.
Someone's job was refreshing spreadsheets
and sending escalation emails.
72% of organizations cannot enforce
full governance policies at scale.
And the reason is always the same.
They build governance as a control function
instead of a systems layer.
The economic consequence is hidden but substantial.
4,000 hours annually per organization.
That's two full-time employees
just maintaining compliance theater.
And it's fragile.
One person leaves, the policies drift, the system decays.
The fix is existential.
Governance that isn't code is just a suggestion.
If you're still relying on PDF policies
and SharePoint checklists and email approvals,
you have compliance theater, not compliance.
Automate it, make it part of the system,
make violations impossible, not just monitored.
If you cannot automate it, you don't actually have governance.
You have hope.
Sin 4, app worship, confusing output with architecture.
Enterprises celebrate app proliferation.
We shipped 50 power apps this year.
Citizen developers are empowered.
Feature velocity is accelerating.
But here's what actually happened.
You created 50 new maintenance liabilities.
50 new surface area multipliers.
Every app is another piece of code someone has to support.
Another integration that can fail.
Another attack surface to defend.
A mid-market organization had 340 power apps in their tenant.
127 of them had never been used.
Nobody owned them.
Nobody maintained them.
They were digital cruft.
The systemic cause is structural.
Builders get rewarded for creation.
Architects are invisible.
So the tenant fills up with applications
that looked good in isolation,
but created technical debt at scale.
The economic consequence is support overhead.
Compliance risk, vendor sprawl.
When you have 340 applications,
the complexity of governance becomes overwhelming.
Entitlements multiply, integrations tangle.
Security becomes impossible to manage.
The control plane fix is architectural zoning.
Stop counting apps.
Start counting technical debt surface area.
Enforce life cycle ownership.
Decommission anything that doesn't have a clear owner
and a business justification.
Treat app portfolios the way you treat real estate.
Not every building belongs in your district.
Sin 5. AI chaos.
Agents without boundaries.
This one is still forming.
Most organizations don't see it yet.
That's the danger.
Organizations are deploying Copilot
onto flat, unclassified data structures.
They're standing up Copilot Studio agents
without defining what data those agents can access.
They're accelerating AI adoption
while data governance lags behind.
Here's what I mean.
An enterprise Copilot pilot, six weeks in,
discovered that custom agents
were accessing personally identifiable information
without classification.
They were reading payroll data,
benefit information, address records.
All available because the data was unclassified
and the agent permissions were unrestricted,
The economic consequence is immediate and expensive.
Security retrofits.
Copilot Studio credits burning through the budget.
Regulatory exposure, compliance reordids,
all because someone deployed AI
without architectural zoning.
49% of AI programs stall due to unclear value.
80% of Fortune 500 use agents without formal governance.
The pattern is familiar, speed first, architecture second,
then disaster.
The fix is non-negotiable.
Define data boundaries before deploying agents.
Classify data, tier agents by risk,
enforce data access via identity and policy.
Treat AI not as a feature to ship,
but as a governance layer that has to sit
on top of solid data architecture.
If your data foundation is weak,
AI amplifies the weakness, it doesn't fix it.
Sin 6, builder bias, the architect vacuum.
here's a pattern that explains everything else.
Enterprises promote the person who knows the buttons.
They reward builders, they celebrate features shipped.
And architects, the people thinking about system resilience,
about decay, about integration costs,
those people are invisible.
An IT director recently hired a power platform expert
and fired the identity architect.
The reasoning was straightforward.
We need builders right now.
Strategy can wait.
What actually happened was structural.
Without architects enforcing design constraints,
the platform started accumulating entropy faster.
Features shipped, systems decayed, technical debt compounded.
The economic consequence is an 18 month productivity wall.
Initial gains from rapid development flatten,
then performance degrades, then you're managing technical debt
instead of shipping features.
The systemic problem is organizational.
Only 23% of organizations have formal AI agent identity strategy.
Ownership is fragmented.
CISOs see security risks.
Builders see opportunity.
Finance sees cost.
Nobody's looking at the system as a whole.
The control plane fix requires a mindset shift.
Treat architects as leverage engineers.
Not cost centers.
Measure them by system health, by entropy reduction,
by the number of future problems they prevent.
Builders create visible value.
Architects create invisible value.
Invisible value is just as real.
It's just harder to see.
Sin 7, licensing blindness, capacity, and strategy.
The final sin is the most expensive
because it's the most normalized.
Organizations renew E5 because it's what we do.
Not because they've mapped capability to value.
Not because they've assessed whether users actually
need premium features.
Not because they've measured adoption
of the capabilities they're already paying for.
Meanwhile, shadow IT thrives.
Users on basic SKUs accomplish the same roles.
Premium features sit idle.
The licensing strategy becomes a budget line item,
not an architectural lever.
Real numbers.
An enterprise paying $2.1 million annually
for E5 across the board.
A rationalization audit found that 34% of those users
could perform their exact same role on business standard.
They had no need for the premium connector library.
They didn't use Copilot.
They didn't need advanced threat protection
beyond what business standard includes.
The economic consequence is orthogonal
to what most organizations see.
It's not just the cost of unused licenses.
It's the cost of not using licensing
as a behavioral incentive.
If your licensing SKU is aligned to roles and capabilities,
then it drives adoption.
It forces you to make decisions about what's actually needed.
The control plane fix is this.
Licensing SKU is a behavioral lever.
Use it.
If you're paying for E5 across the board,
you've removed the constraint that forces architectural discipline.
You've said effectively that everyone gets access to everything.
That's not strategy.
That's capitulation.
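The rationalization audit just described, and the Sin 1 demand to map telemetry to value, come down to one rule: observed use of premium capability, not role or habit, decides the SKU. The following is an added example, not the speaker's tooling or Microsoft's: user rows, feature names, the activity threshold and the per-seat cost figures are constructed placeholders, not list prices.

```python
"""License rationalization from usage telemetry (added example, constructed data)."""
from typing import Dict, List

# Capabilities assumed to exist only in the premium SKU for this example.
PREMIUM_FEATURES = {"copilot", "premium_connectors", "defender_advanced", "purview_advanced"}
# Constructed per-seat monthly cost placeholders, not Microsoft pricing.
SEAT_COST = {"E5": 57, "Business Standard": 12}
# A feature counts as 'used' only if exercised on at least this many days (assumed).
MIN_ACTIVE_DAYS = 3


def recommended_sku(user: dict) -> str:
    """Role alone never justifies E5 here; observed premium usage does."""
    premium_use = {
        feature: days
        for feature, days in user.get("feature_days", {}).items()
        if feature in PREMIUM_FEATURES and days >= MIN_ACTIVE_DAYS
    }
    return "E5" if premium_use else "Business Standard"


def rationalize(users: List[dict]) -> Dict[str, object]:
    """Find E5 seats whose holders used nothing E5-specific in the window."""
    e5_users = [u for u in users if u["license"] == "E5"]
    downgrade = [u["upn"] for u in e5_users if recommended_sku(u) != "E5"]
    monthly_saving = len(downgrade) * (SEAT_COST["E5"] - SEAT_COST["Business Standard"])
    return {
        "downgrade_candidates": downgrade,
        "share_of_e5": round(len(downgrade) / len(e5_users), 2) if e5_users else 0.0,
        "annual_saving": monthly_saving * 12,
    }


# Constructed 90-day telemetry: feature -> number of active days.
SAMPLE_USERS = [
    {"upn": "a@example.test", "license": "E5", "feature_days": {"copilot": 20, "teams": 60}},
    {"upn": "b@example.test", "license": "E5", "feature_days": {"teams": 58, "exchange": 60, "premium_connectors": 1}},
    {"upn": "c@example.test", "license": "E5", "feature_days": {"defender_advanced": 5, "teams": 40}},
    {"upn": "d@example.test", "license": "Business Standard", "feature_days": {"teams": 40}},
    {"upn": "e@example.test", "license": "E5", "feature_days": {"sharepoint": 30}},
]

if __name__ == "__main__":
    report = rationalize(SAMPLE_USERS)
    print(f"{len(report['downgrade_candidates'])} of E5 seats could move down "
          f"({report['share_of_e5']:.0%}), saving {report['annual_saving']} per year")
```

Note that `b@example.test` touched a premium connector once; the threshold exists precisely so that one accidental click does not lock a seat into the premium tier for another renewal cycle.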
These seven sins are patterns, not anomalies.
They compound.
Permission sprawl feeds apps sprawl.
Licensing blindness enables governance theater.
Procurement strategy masks the absence of architecture.
Together they create what I call the leakage model.
Millions of dollars in invisible inefficiency
that nobody's measuring because nobody owns the outcome.
That's the diagnosis.
That's what we're actually operating here.
The umbrella sin: control plane neglect.
These seven sins don't exist in isolation.
They're not random failures.
They're all symptoms of one structural absence.
And that absence is what I want to talk about now.
Operating without a systems layer means entropy
becomes your default operating system.
You don't have governance.
You have chaos with policies written on top of it.
You don't have architecture.
You have a platform which is something else entirely.
Here's how it manifests.
A 10,000 seat organization I worked with
had Entra ID governed by one team.
Intune handled by another.
Microsoft Defender managed separately.
Purview, data governance owned by compliance.
Teams and SharePoint loosely monitored by service adoption.
Nobody was looking at identity to app orchestration.
Nobody was enforcing zoning and tiering across the entire system.
Every service had its own policies, its own approval workflows,
its own definitions of security baseline.
What that organization actually had wasn't a security posture.
It was security theater orchestrated across five different teams.
The systemic cause is this.
Most organizations treat Microsoft Cloud
as a collection of disconnected services.
Identity over here.
Data governance over there, application somewhere else.
Compliance in a separate silo.
This creates what I call policy fragmentation.
Each domain solves its own problems locally.
But there's no layer that decides how those domains interact.
How data flows from one system to another.
How a user's access in Entra ID connects to what they can do
in SharePoint, what they can see in a Copilot agent.
That connecting layer, that's the control plane.
And most organizations don't have one.
The economic consequence of operating without it is staggering.
That 10,000 seat organization,
3.2 million in unrealized productivity benefits over three years.
Not because they lacked features.
They had every Microsoft feature available.
But because those features weren't integrated into a system,
users couldn't find information.
Admins couldn't trust their governance.
Architects had no way to enforce decisions at scale.
Control plane absence also means security debt accumulates.
When Entra ID policies drift, you don't know it.
When SharePoint permissions exceed your threshold,
there's nobody watching.
When a Copilot agent is accessing data you never approved,
the policy layer doesn't catch it.
Each service does its best.
But there's no circuit breaker, no orchestration,
no central place where someone says,
no, that violates our architecture.
The control plane fix requires a foundational shift.
You have to build a unified policy compilation layer.
Treat identity, Entra ID, as the control plane backbone.
Make it the place where you define not just who can access what,
but what that access means across your entire system.
A user is an employee, a contractor, a vendor, a guest.
Once you make that decision in identity,
every other system, Defender, Purview, Teams, SharePoint,
should inherit that context.
Not ask for it separately.
Inherit it, then enforce cross-platform orchestration.
If a user's Entra ID role says they're in finance,
that determines their default access
to financial data in SharePoint.
If they're classified as guest,
that determines what they see in Teams.
If a Copilot agent is tagged as accessing customer data,
its identity and permissions flow from a single source of truth.
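The control plane just described, and the Sin 5 fix earlier (classify data, tier agents by risk, enforce access through identity and policy), can be shown as one policy compilation function. This is an added example, not the speaker's system and not a Microsoft API: the principal kinds, tier names, service names and the sample tenant objects are constructed assumptions. The one design choice worth noticing is that data with no classification ranks as the most sensitive tier, so an agent deployed before classification is denied by default rather than reading payroll.

```python
"""Compile per-service access decisions from one identity context (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Data classification tiers, least to most sensitive (assumed label names).
TIERS = ["public", "internal", "confidential", "restricted"]


def tier_rank(tier: Optional[str]) -> int:
    """Rank a tier; data that was never classified ranks as the most sensitive."""
    return TIERS.index(tier) if tier in TIERS else len(TIERS) - 1


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                                   # employee | contractor | guest | agent
    department: str = ""
    max_tier: str = "internal"                  # highest tier this identity may read
    data_tags: FrozenSet[str] = frozenset()     # agents: data domains they are approved for


@dataclass(frozen=True)
class Resource:
    service: str                                # sharepoint | teams | copilot
    name: str
    tier: Optional[str] = None                  # None = never classified
    department: str = ""
    tags: FrozenSet[str] = frozenset()          # data domains the resource contains


def decide(p: Principal, r: Resource) -> Tuple[bool, str]:
    """One rule set for every service; returns (allowed, reason)."""
    # 1. The classification ceiling, decided once in identity, bounds everything downstream.
    if tier_rank(r.tier) > tier_rank(p.max_tier):
        return False, "tier-ceiling"
    # 2. Guests are scoped to Teams; they never inherit SharePoint or Copilot reach.
    if p.kind == "guest" and r.service != "teams":
        return False, "guest-scope"
    # 3. Confidential or higher data is department-scoped by default.
    if (tier_rank(r.tier) >= tier_rank("confidential")
            and r.department and r.department != p.department):
        return False, "department-scope"
    # 4. An agent must be explicitly tagged for every data domain the resource carries.
    if p.kind == "agent" and not r.tags <= p.data_tags:
        return False, "agent-untagged-domain"
    return True, "allow"


def compile_entitlements(p: Principal, resources: List[Resource]) -> Dict[str, Tuple[bool, str]]:
    """Compile one identity's effective access across all services from a single source."""
    return {f"{r.service}:{r.name}": decide(p, r) for r in resources}


# Constructed sample tenant objects (not real data).
RESOURCES = [
    Resource("sharepoint", "finance-ledger", "confidential", department="finance"),
    Resource("teams", "project-chat", "internal"),
    Resource("copilot", "hr-payroll", None, department="hr", tags=frozenset({"hr"})),
    Resource("copilot", "crm-accounts", "confidential", department="sales", tags=frozenset({"customer"})),
]
PRINCIPALS = {
    "finance-analyst": Principal("finance-analyst", "employee", "finance", "confidential"),
    "vendor-guest": Principal("vendor-guest", "guest", max_tier="internal"),
    "sales-agent": Principal("sales-agent", "agent", "sales", "confidential", frozenset({"customer"})),
}


def sample_decisions() -> Dict[str, Dict[str, Tuple[bool, str]]]:
    return {name: compile_entitlements(p, RESOURCES) for name, p in PRINCIPALS.items()}


if __name__ == "__main__":
    for who, decisions in sample_decisions().items():
        for res, (ok, why) in decisions.items():
            print(f"{who:16} {res:26} {'ALLOW' if ok else 'DENY':5} {why}")
```

Every service consults the same `decide` function, which is the point: a guest flag or a department set once in identity produces the same answer in SharePoint, Teams and the agent layer, instead of each service keeping its own definition of who the user is.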
Let me define this precisely.
A control plane is the system that makes decisions
about how other systems behave.
It's the layer above execution.
It's where intent is translated into policy.
Without it, you have a platform, individual services,
operating independently.
With it, you have architecture.
You have a system, most organizations have the first,
almost none have the second.
And that distinction is the difference between leaking millions
invisibly and knowing exactly where your money is going.
That distinction is the difference between a security posture
and security theater.
That distinction is the difference between governance
that works and governance that's just a suggestion
people ignore when it inconveniences them.
This is what makes the seven sins actually dangerous.
It's not that they exist independently.
It's that they compound
because there's no central control layer catching them,
measuring them, stopping them from spiraling.
Without control plane architecture,
you're not managing a system.
You're managing a collection of problems.
Sin 2, permission sprawl, the authorization compiler
nobody built.
The next pattern I see constantly is permission creep.
And it's more dangerous than most organizations realize
because it operates silently, compounding over years
while nobody's watching.
In Entra ID, there's a default culture I call add-only.
When permissions get granted, they rarely get revoked.
That's not incompetence, that's architectural inertia,
no life cycle ownership, no systematic review,
no expiration mechanism built into the system,
so it accumulates.
Here's how it works.
A developer needs access to a specific Microsoft graph endpoint.
An application gets registered.
It receives permissions.
The project succeeds.
The developer moves on.
And the application registration sits there
still holding permissions because nobody
owned the task of sunsetting it.
I audited a financial services firm last year.
They discovered 847 orphaned app registrations.
Applications that were granted permissions
three, four, sometimes five years ago
for pilots that were abandoned.
The permissions were never removed.
The service principals still held Microsoft Graph rights
to access tenant data, user information, mailbox contents.
Some of them had credentials that hadn't been rotated in years.
54% of IT leaders report complex identity
and privilege sprawl in their environments.
In a large tenant, it's normal to have 200, 300, sometimes
400 privileged applications running simultaneously
with permissions that nobody can fully account for.
Add in the growth of automation, AI agents,
and custom integrations, and that number explodes.
125 or more apps holding elevated rights
is no longer anomalous.
It's expected.
And here's what makes it dangerous.
Each of these applications is a potential entry point,
not just for attackers, for compliance violations,
for uncontrolled data access, for mission creep,
where an application that was designed to do one thing
gradually gets permissions to do five other things
because convenience wins over governance.
The economic consequence manifests in multiple ways.
First, audit friction.
When a compliance team asks who has access to what
in your tenant the answer takes weeks to assemble.
You're querying app registrations.
You're tracking credential history.
You're cross-referencing permissions against actual usage.
And half the time you find permissions that shouldn't exist.
And then you have to decide whether removing them
will break something nobody remembers depending on.
Second, breach exposure.
In a breach scenario, you don't know what was exposed
because you don't know what permissions actually existed.
You assume an attacker who compromised the service
principal can access customer data, financial records,
employee information.
But do they have graph permissions?
Do they have mail delegation?
Can they reset passwords?
You're guessing and guessing in a breach is expensive.
Third, operational paralysis.
You can't move forward with security hardening
because you don't understand the dependency graph.
You can't enforce conditional access
because it might break an integration nobody documented.
You can't implement least privilege
because the permission landscape
is too sprawling to untangle.
The systemic cause is architectural.
Most organizations lack entitlement management discipline.
There's no design lifecycle for applications,
no automatic expiration, no regular access reviews
that have teeth.
No mechanism that says if you don't explicitly renew
this permission every six months, it gets revoked.
The control plane fixes this.
Treat permissions as entropy generators, not rewards.
Every time you grant access,
you're adding entropy to the system.
Design expiration into every access grant from the start.
Make it automatic.
If an application's purpose has been fulfilled
or abandoned, its permissions expire with it.
Don't require a manual cleanup process
that depends on someone remembering.
Make it architectural law.
This means implementing entitlement management
that's not just an audit tool, but a governance engine.
Life cycle workflows that automatically remove permissions
based on defined criteria, access packages that expire.
Service principals with credential rotation enforced.
Regular access reviews that don't just report on sprawl,
they remediate it.
And critically, it means assigning life cycle ownership.
Someone has to be accountable
for whether an application still serves a business purpose.
And if the answer is no, the permissions go.
Not eventually, immediately.
Permission sprawl is the invisible attack surface.
But the real problem is deeper.
It's governance that isn't automated.
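The audit in this section, and its shorter statement earlier (orphaned registrations still holding Graph rights, credentials never rotated, and the rule that a grant not renewed every six months is revoked), can be run as code over a tenant snapshot. This is an added example, not the speaker's audit tooling and not the Microsoft Graph schema: the input records are a constructed, simplified shape, the day thresholds are assumed policy values, and while the permission names are real Microsoft Graph application permissions, which of them count as high-privilege is this example's own assumption.

```python
"""Audit app registrations for orphaned, stale and over-privileged grants (added example)."""
from datetime import date
from typing import Dict, List, Tuple

# Real Graph application permission names; the 'high privilege' grouping is assumed here.
HIGH_PRIVILEGE = {
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
}
STALE_DAYS = 180        # assumed: no sign-in for this long = stale
CRED_MAX_DAYS = 365     # assumed: credential rotation overdue after this
RENEWAL_DAYS = 182      # 'renew every six months or it gets revoked', from the text


def findings_for(app: dict, today: date) -> List[str]:
    """Return the lifecycle problems found on one app registration snapshot."""
    out: List[str] = []
    if not app.get("owners"):
        out.append("orphaned")
    last = app.get("lastSignIn")
    if last is None or (today - last).days > STALE_DAYS:
        out.append("stale")
    if HIGH_PRIVILEGE & set(app.get("appPermissions", [])):
        out.append("high_privilege")
    if any((today - c["createdAt"]).days > CRED_MAX_DAYS for c in app.get("credentials", [])):
        out.append("stale_credential")
    renewed = app.get("lastRenewed")
    if renewed is None or (today - renewed).days > RENEWAL_DAYS:
        out.append("renewal_overdue")
    return out


def action_for(findings: List[str]) -> str:
    """Expiry by design: no owner or no renewal means the grant goes, not 'eventually'."""
    if "orphaned" in findings or "renewal_overdue" in findings:
        return "revoke"
    if "stale" in findings and "high_privilege" in findings:
        return "revoke"
    return "review" if findings else "keep"


def audit(apps: List[dict], today: date) -> Dict[str, Tuple[List[str], str]]:
    result: Dict[str, Tuple[List[str], str]] = {}
    for app in apps:
        findings = findings_for(app, today)
        result[app["displayName"]] = (findings, action_for(findings))
    return result


def summary(report: Dict[str, Tuple[List[str], str]]) -> Dict[str, int]:
    """Count registrations per action: the first number a compliance review asks for."""
    counts = {"revoke": 0, "review": 0, "keep": 0}
    for _, action in report.values():
        counts[action] += 1
    return counts


# Constructed snapshot (not real tenant data); shape is simplified, not Graph's.
TODAY = date(2024, 6, 1)
SAMPLE_APPS = [
    {"displayName": "hr-sync", "owners": ["alice@example.test"],
     "lastSignIn": date(2024, 5, 20), "appPermissions": ["User.Read.All"],
     "credentials": [{"createdAt": date(2024, 1, 10)}], "lastRenewed": date(2024, 4, 1)},
    {"displayName": "pilot-2021-mailbot", "owners": [],
     "lastSignIn": None, "appPermissions": ["Mail.Read"],
     "credentials": [{"createdAt": date(2021, 3, 1)}], "lastRenewed": None},
    {"displayName": "legacy-reporting", "owners": ["bob@example.test"],
     "lastSignIn": date(2023, 9, 1), "appPermissions": ["Files.Read.All"],
     "credentials": [{"createdAt": date(2023, 1, 1)}], "lastRenewed": date(2024, 2, 1)},
]

if __name__ == "__main__":
    report = audit(SAMPLE_APPS, TODAY)
    for name, (findings, action) in report.items():
        print(f"{name:20} {action:7} {', '.join(findings) or '-'}")
    print(summary(report))
```

The abandoned mail pilot is the case from the text: no owner, never signed in, a mailbox-reading permission and a credential from 2021, so it is revoked on four independent grounds. The reporting app has an owner and a renewal on file, so stale sign-in and an old credential send it to review rather than straight to revocation.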
Sin 3. Tactical governance.
The theater of compliance.
Most organizations claim they have governance.
What they actually have is theater.
I walked into a healthcare organization
last year with 72 Teams governance policies.
All of them documented, beautifully written,
signed off by compliance leadership.
None of them automated. Zero.
What did they rely on instead?
Manual approvals.
Someone had to review new teams requests
and decide whether they met policy criteria.
Reactive policing.
When someone created a Teams channel
without classification,
someone else had to send them an email asking them to fix it.
Human bottlenecks everywhere.
And inconsistent enforcement.
Some teams got corrected.
Others didn't.
It depended on who noticed and how busy they were.
The real measure of governance isn't policy documents.
It's enforcement.
And this organization had no enforcement mechanism.
They had hope.
Here's how it manifests in practice.
A business unit wants to create a new Teams workspace.
They fill out a form.
It goes into an approval queue.
Someone reviews it against 72 governance policies,
manually comparing what they're proposing
against written criteria.
This takes time.
If the request doesn't clearly violate a policy,
it gets approved.
If it's ambiguous, it gets escalated.
If the escalation path is blocked,
it gets approved by default
because nobody wants to be the person
blocking business velocity.
Then someone creates the team.
And then someone else has to verify
that it was set up correctly.
Check the sensitivity label.
Verify the membership controls.
Confirm the sharing settings.
All manual.
All dependent on discipline and memory.
How many manual hours did that organization
spend every year maintaining compliance theater?
4,000.
Minimum.
That's two full-time employees
whose entire job was spreadsheets
and escalation emails
and follow-up conversations about policy drift.
And it was fragile.
When the person maintaining the governance process
left the organization, knowledge walked out the door.
Policies drifted.
New teams started getting created
without the controls that were supposed to exist.
The system decayed.
This is the fundamental disconnect.
72% of organizations cannot enforce
full governance policies at scale.
And the reason is always the same.
They build governance as a control function.
Something you do after the fact.
React to violations.
Remind people to comply.
Instead of building it as a systems layer.
The systemic cause is structural.
Governance is treated as a necessary evil.
Compliance is seen as friction.
So organizations minimize the investment.
They write policies.
They create processes.
They hope people follow them.
And then they're shocked
when the system breaks
under the weight of actual organizational scale.
The economic consequence is hidden, but substantial.
4,000 hours annually per organization.
That's two full-time people
just maintaining governance theater.
And it's fragile.
One person leaves.
Priorities shift.
The governance system decays
because it was never actually part of the architecture.
It was bolted on top, dependent on sustained discipline
and attention that eventually withers.
The control plane fix is existential.
Governance that isn't code is just a suggestion.
If you're still relying on PDF policies
and SharePoint checklists and email approvals,
you have compliance theater.
You don't have governance.
And here's why it matters.
Theater scales poorly.
It breaks when you need it most.
It depends on heroic individual effort
and it never actually prevents violations.
It just documents them after they happen.
Real governance works differently.
When someone creates a Teams workspace,
the system automatically applies the correct sensitivity label.
The access controls are set.
The membership restrictions are enforced.
The data classification is inherited from the policy layer.
No approval queue, no human review,
no gap between intent and execution.
That requires automation.
It requires code.
It requires treating governance
as part of the system architecture,
not as an external control function.
If you cannot automate your governance,
you don't actually have governance, you have hope.
And hope is not a control.
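The workspace-creation flow above (label applied, access controls set, membership restricted, no approval queue) is what governance as code looks like when written down. This is an added example, not the speaker's implementation and not a Microsoft API: the request shape, label names, the two-owner rule and the naming prefixes are constructed policy values. The point it makes is that a request either compiles into a fully enforced configuration or is rejected; there is no path that creates a workspace and flags it for someone to fix later.

```python
"""Governance as code: compile a Teams workspace request into enforced settings (added example)."""
from typing import Any, Dict, Tuple

# Policy layer (assumed values): every workspace at a classification inherits these.
POLICY = {
    "public":       {"label": "Public",       "visibility": "public",  "guests": True,  "sharing": "anyone"},
    "internal":     {"label": "Internal",     "visibility": "private", "guests": True,  "sharing": "organization"},
    "confidential": {"label": "Confidential", "visibility": "private", "guests": False, "sharing": "owners-only"},
    "restricted":   {"label": "Restricted",   "visibility": "private", "guests": False, "sharing": "none"},
}
MIN_OWNERS = 2                                                  # assumed rule: no single-owner workspaces
NAME_PREFIX = {"confidential": "CONF-", "restricted": "RES-"}   # assumed naming rule


class PolicyViolation(ValueError):
    """Raised instead of creating a non-compliant workspace."""


def provision(request: Dict[str, Any]) -> Dict[str, Any]:
    """Return the enforced configuration for a compliant request, or raise PolicyViolation."""
    classification = request.get("classification")
    if classification not in POLICY:
        # Fail closed: no classification, no workspace (never a permissive default).
        raise PolicyViolation("classification must be one of: " + ", ".join(POLICY))
    owners = list(dict.fromkeys(request.get("owners", [])))      # de-duplicate, keep order
    if len(owners) < MIN_OWNERS:
        raise PolicyViolation(f"at least {MIN_OWNERS} distinct owners are required")
    settings = POLICY[classification]
    if request.get("external_collaborators") and not settings["guests"]:
        raise PolicyViolation(f"{settings['label']} workspaces cannot admit external collaborators")
    name = request.get("name", "").strip()
    if not name:
        raise PolicyViolation("name is required")
    prefix = NAME_PREFIX.get(classification, "")
    if not name.startswith(prefix):
        name = prefix + name
    # Everything below comes from the policy layer; settings supplied by the requester are ignored.
    return {
        "displayName": name,
        "sensitivityLabel": settings["label"],
        "visibility": settings["visibility"],
        "allowGuests": settings["guests"],
        "sharingScope": settings["sharing"],
        "owners": owners,
    }


def evaluate(request: Dict[str, Any]) -> Tuple[bool, Any]:
    """(True, config) when the workspace may be created, else (False, reason)."""
    try:
        return True, provision(request)
    except PolicyViolation as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed requests; the first one tries to smuggle in allowGuests=True.
    for req in (
        {"name": "Q3 Audit", "classification": "confidential", "owners": ["a@example.test", "b@example.test"], "allowGuests": True},
        {"name": "Lunch Club", "owners": ["a@example.test", "b@example.test"]},
        {"name": "M&A Data Room", "classification": "restricted", "owners": ["a@example.test", "b@example.test"], "external_collaborators": True},
    ):
        print(evaluate(req))
```

Because `provision` returns only values drawn from `POLICY`, a requester cannot weaken a setting by including it in the form; the `allowGuests` field in the first request is simply never read.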
Sin 4, app worship, confusing output with architecture.
Enterprises celebrate app proliferation.
We shipped 50 power apps this year.
Citizen developers are empowered,
feature velocity is accelerating.
The business is moving faster, we're transforming.
But here's what actually happened.
You created 15 new maintenance liabilities,
15 new surface area multipliers.
Every application is another piece of code.
Someone has to support another integration
that can fail, another attack surface to defend,
another permission boundary to govern.
This is where the builder bias I mentioned earlier
collides with architectural reality.
Builders get rewarded for shipping.
The organization sees features.
The business celebrates velocity.
And nobody's counting the cost in technical debt.
A mid-market organization I worked with
had 340 power apps in their tenant.
340, I asked them how many were actively used.
They didn't know.
So we audited it, 127 of them had never been used.
Not once.
Nobody ever registered a successful run.
Some of them had been created three years ago.
The original builder had long since moved on
or left the organization.
Nobody owned them, nobody maintained them.
They were digital cruft, sitting in the environment,
creating governance complexity and compliance risk.
Of the remaining 213 apps that were actually used,
fewer than half had documented business owners.
The ones that did, the owners often didn't realize
they owned them, they'd inherited the responsibility
when they took over a team, or the original creator
had left it assigned to them without ever asking.
The systemic cause is structural.
Builders get promotions for shipping features.
Architects are invisible, so the tenant fills up
with applications that looked good in isolation
but created technical debt at scale.
There was no gating function.
No architectural review that asked, is this app necessary?
Does it duplicate existing capability?
Who owns it?
What happens when the builder leaves?
Instead, the organization operated on optimistic assumptions.
Power apps are low-code, citizens can build them.
That's empowerment, that's agility, and it is.
Until you wake up one day with 340 applications
and no idea what most of them do.
The economic consequence is operational paralysis,
support overhead explodes.
When an application breaks, who fixes it?
If the original builder is gone, nobody knows the code.
So you either let it stay broken,
or you spend engineering time reverse engineering
something that was never properly documented.
Compliance risk multiplies.
When an auditor asks how many applications
access customer data you can't answer confidently.
Vendor sprawl increases.
Every app might integrate with external SaaS systems.
Every integration is another contract,
another permission boundary, another security surface.
And here's the thing nobody talks about.
Applications sprawl mirrors the sprawl you see
in teams and SharePoint.
It's the same root cause, default permissive settings,
no lifecycle governance, no expiration mechanism,
no architecture that says if this application has no owner,
it gets decommissioned.
The control plane fix requires a mindset shift.
Stop counting apps.
That's the wrong metric.
Start counting technical debt surface area.
The real question isn't how many power apps do we have.
It's what is the total complexity and maintenance burden
we've accumulated, and is it justified by business value?
Enforce zoning laws.
Not every application belongs in the environment.
Some should be built as power platform solutions
governed as infrastructure.
Others should be SaaS products, not custom builds.
Some should be enterprise applications
with formal governance.
Some should be ephemeral tools that disappear
after they solve the problem they were meant to solve.
And assign lifecycle ownership. Make it architectural law.
An application without an identified,
accountable owner gets decommissioned.
Not eventually, immediately, that forces discipline.
It forces the organization to ask,
do we actually need this instead of accumulating forever?
This brings us to the most dangerous sin
because it's one thing to have 340 applications
creating support overhead.
It's another entirely when you deploy AI
onto that chaotic sprawling application landscape
without architectural zoning.
Sin 5, AI chaos, agents without boundaries.
This one is still forming.
Most organizations don't see it yet.
That's the danger.
Organizations are deploying co-pilot
onto flat, unclassified data structures.
They're standing up co-pilot studio agents
without defining what data those agents can access.
They're accelerating AI adoption
while data governance lags behind.
And here's the architectural truth.
AI doesn't solve your data problem.
It broadcasts it at scale.
Let me tell you what I mean.
An enterprise co-pilot pilot, six weeks in.
They were excited.
Initial adoption metrics looked strong.
Users were asking the agent questions
about products, customers, internal processes.
And then someone asked it a question about compensation.
The agent answered, it told them salary data,
benefits information, payroll details from the HR system,
all available because the data was unclassified
and the agent permissions were unrestricted.
Here's what actually happened architecturally.
The organization deployed co-pilot
before they classified their data.
Before they defined what co-pilot agents could access,
before they implemented data boundaries.
They treated AI as a feature to ship,
not as a governance layer that has to sit
on top of solid data architecture.
The systemic cause is predictable.
AI feels urgent.
Everyone's talking about it.
Competitors are moving.
So organizations rush.
They want to show value quickly.
Co-pilot adoption metrics.
Agent deployment numbers.
Proof of concept turned pilot, turned production
all before the foundational architecture is in place.
But here's what happens when you deploy AI
without data architecture.
An agent gets access to everything it needs to do its job.
That's reasonable.
But everything it needs expands.
It integrates with SharePoint.
Now it's reading all documents.
It connects to the mailbox system.
Now it's processing email.
It links to customer data.
Now it's handling sensitive information.
Each integration makes sense in isolation.
Collectively, they create an unrestricted data access
pattern that violates your compliance requirements
and your common sense.
The economic consequence is immediate and expensive.
Security retrofits.
You deployed co-pilot.
Now you're scrambling to classify data retroactively,
define boundaries, restrict agent access.
That's rework.
That's budget you didn't plan for.
Co-pilot studio credits burning through.
Every agent interaction consumes credits.
At $200 per 25,000 messages at scale,
this becomes a line item nobody forecasted.
Regulatory exposure.
You're processing payroll data, customer information,
health records, through an AI system
that wasn't designed with compliance in mind.
Auditors notice, regulators notice.
And then you're explaining why you deployed AI faster
than you implemented governance.
Real numbers.
49% of AI programs stall due to unclear value.
80% of Fortune 500 use agents without formal governance.
The pattern is universal.
Speed first, architecture second, then disaster.
The control plane fix is non-negotiable.
Define data boundaries before deploying agents.
Not after, before.
This means classifying your data.
Tiering agents by risk.
An agent that answers FAQ questions
has different access requirements than an agent
that processes financial transactions.
An agent that reads public documents has different boundaries
than an agent that accesses customer records.
Then enforce data access via identity and policy.
Use Agent 365 as a governance layer.
When you deploy an agent,
its permissions flow from Entra ID.
It has a defined identity.
It can access only the data it's authorized to access.
Its interactions are audited.
It can be revoked if it's misused.
This requires architectural discipline.
It requires saying no to speed.
It requires doing the unglamorous work
of data classification and boundary definition
before you ship the next agent.
But without it, AI doesn't solve your data problems.
It creates new ones.
It takes the sprawl and the governance gaps
you already have and amplifies them at scale.
It turns hidden risks into active liabilities.
And here's the uncomfortable truth.
If your organization has 340 power apps without owners,
if you have 700 orphaned app registrations in Entra ID,
if you have governance policies that nobody enforces,
then you're not ready to deploy AI agents.
Because AI will make all of that worse.
It will inherit all of that chaos.
And it will operate at a speed
that your manual governance processes can't keep up with.
This brings us to the root cause.
All these sins don't exist independently.
They exist because of one structural absence.
Sin 6, builder bias, the architect vacuum.
Here's a pattern that explains everything else.
And it's organizational, not technical.
Enterprises promote the person who knows the buttons.
The person who shipped the feature,
the person who delivered on deadline,
they reward builders, they celebrate features shipped,
they measure velocity, and architects,
the people thinking about system resilience,
about decay, about integration costs,
about what happens five years from now,
those people are invisible.
An IT director I worked with recently made a telling decision.
They hired a power platform expert
and they fired the identity architect.
The reasoning was straightforward.
We need builders right now.
We need people who can ship.
Strategy can wait. Modernization can wait.
We need features and we need them fast.
And what actually happened was structural.
Without architects enforcing design constraints
without someone saying, no, we can't do it that way.
The platform started accumulating entropy faster.
Features shipped, systems decayed.
Technical debt compounded.
Eighteen months later, the organization hit
what I call the productivity wall.
Initial gains from rapid development flattened.
Performance degraded.
Infrastructure complexity made change harder.
And the organization was managing technical debt
instead of shipping features.
They'd moved fast initially.
But they were moving slowly now
because nobody had been thinking about sustainability.
Here's how it manifests.
A builder comes to you and says,
I need to integrate with this new SaaS system.
And builders are great at solving immediate problems.
So they build an integration.
It works, the business is happy.
But the builder didn't think about or wasn't asked
to think about what happens when that SaaS system's API
changes, what happens when the password
for the service account needs to be rotated.
What happens when you need to audit
who accessed what through that integration?
What happens when three other builders
independently build integrations to the same system?
And now you have three different approaches,
three different failure modes, three times the maintenance burden.
The systemic cause is organizational structure.
Builders create visible value.
They ship, they deliver.
Organizations see progress.
Architects prevent invisible failures.
They say, no, they require documentation.
They ask hard questions about sustainability.
And their value is invisible until something breaks.
By which time the organization has learned the hard way
that architecture matters.
The real consequence is fragmented ownership.
Only 23% of organizations have a formal AI agent identity strategy.
Think about that.
AI agents are proliferating.
Most organizations don't have governance for them.
Why?
Because ownership is fragmented.
Security thinks it's IT's problem.
IT thinks it's the business's problem.
The business thinks it's security's problem.
And builders are shipping agents
without anyone owning the architectural decision
of whether they should exist or what their boundaries are.
The economic consequence is substantial and usually lagged.
You don't see it for 18 months.
But when you do, it's expensive.
Technical debt compounds, support costs rise.
Security risks accumulate.
Compliance becomes harder.
And the organization realizes it needs architects.
But architects are expensive to retrofit.
You can't just hire one and expect them
to untangle 18 months of architectural decisions made
without their input.
The control plane fix requires a mindset shift.
Reframe architects as leverage engineers not cost centers.
A builder can increase velocity on one project.
An architect can increase velocity across the entire system
by making good structural decisions
that everyone benefits from.
An architect can prevent the entire organization
from making the same mistake in five different places.
Measure architects by system health, by entropy reduction,
by the number of future problems they prevent,
by whether integration patterns are consistent,
by whether governance is enforceable,
by whether new builders inherit a platform
that's easy to build on or a swamp they have to wade through.
Builders create visible value,
architects create invisible value.
Invisible value is just as real.
It's just harder to see.
And organizations that don't see it
are the ones that end up with sprawl with chaos,
with technical debt that becomes impossible to manage.
And this brings us to the final sin
because even good architects fail
if the foundational decisions about resources
and investment are wrong.
And that decision is usually made in procurement.
Sin 7, licensing blindness, capacity as strategy.
The final sin is the most expensive
because it's the most normalized.
Organizations renew E5 because it's what we do,
not because they've mapped capability to value,
not because they've assessed
whether users actually need premium features,
not because they've measured adoption
of the premium connectors they're already paying for,
they renew because the license was good last year.
So it's good this year.
And the year after that, no one questions it.
Meanwhile, shadow IT thrives.
Users on basic SKUs accomplish the same roles
as E5 users, premium features sit idle.
Copilot remains unused.
The advanced threat protection
that comes with E5 never gets operationalized.
Feature parity is ignored.
Nobody's tracking whether the premium capabilities
you paid for are actually driving outcomes.
Here's a real example.
An enterprise paying $2.1 million annually
for E5 across their knowledge worker base.
They'd standardized on it years ago.
E5 for finance, E5 for engineering, E5 for operations.
Everyone gets the same license.
An audit revealed the truth.
34% of those users, roughly a third,
could perform their exact same role on business standard.
They had no need for the premium connector library.
They didn't use copilot.
They didn't need advanced threat protection
beyond what business standard includes.
They needed email, Teams, a document platform.
That's it.
They were paying for capabilities they would never touch.
The economic consequence is orthogonal
to what most organizations see.
It's not just the cost of unused licenses.
That's obvious.
The real consequence is the cost of not using licensing
as a behavioral incentive.
If your licensing schedule is aligned to roles
and capabilities, then it drives adoption.
It forces architectural decisions.
It makes you think about what people actually need.
When you standardize on E5 across the board,
you've removed the constraint
that forces architectural discipline.
You've said effectively that everyone gets access
to everything.
That's not strategy.
That's capitulation.
It's budget capitulation.
It's architectural capitulation.
And it's expensive.
The 2026 price hikes compound this mistake.
Microsoft is implementing increases
ranging from 9% to 33%, effective July 1st.
F1 plans jumping from $2.25 to $3.
E3 rising from $36 to $39 per user per month.
That organization paying $2.1 million.
Next renewal, that's closer to $2.4 million.
If they'd rationalized licensing earlier,
they could have cut that by 20%, 30%.
But they didn't.
And now they're paying twice for the same mistake.
Here's what happens when you finally
audit your licensing landscape.
You discover premium connectors nobody's using.
You find copilot licenses assigned to roles
that have no integration points.
You realize that your premium security features
are redundant with network-based controls
you already paid for elsewhere.
You uncover the fact that 34% of your E5 investment
could be recovered if you had the discipline
to match licensing to actual capability requirements.
The control plane fixes this.
The licensing SKU is a behavioral lever.
Use it.
If you're paying for E5 across the board,
you've removed the mechanism that forces you
to make architectural decisions.
You've optimized for everyone gets everything
instead of everyone gets what they need.
Real architecture means saying no to simplicity.
It means matching licensing to roles.
E5 for roles that actually need premium connectors,
threat intelligence, or advanced governance.
E3 for users who need collaboration and productivity,
but not advanced security.
Business standard for roles that only need core email
and Teams functionality.
And making those decisions forces you
to understand your user base.
It forces you to ask, why does this person
need this capability?
And if you can't answer that question,
they don't get that license.
This is where the abstraction becomes concrete.
Because when you force licensing alignment,
you also force governance.
You have to know who's in what role.
You have to enforce role definitions.
You have to make sure the business
is actually using the features you're paying for.
And that discipline cascades into everything else.
Better identity governance, better data classification,
better understanding of what your system
is actually supposed to do.
All seven sins point to one diagnosis.
The absence of a control plane.
The umbrella sin control plane neglect.
These seven sins don't exist in isolation.
They're not random failures.
They're not separate problems that happen
to accumulate in the same tenant.
They're all symptoms of one structural absence.
And that absence is what binds them together
into a single architectural failure.
Operating without a systems layer
means entropy becomes your default operating system.
You don't have governance.
You have chaos with policies written on top of it,
trying to contain something that was never architecturally
constrained in the first place.
You don't have architecture.
You have a platform.
And a platform is something else entirely.
A platform is a collection of services.
An architecture is a system.
Here's how it manifests in practice.
A 10,000-seat organization I worked with
had Entra ID governed by one team.
They handled identity provisioning,
conditional access, role definitions, solid work.
Intune was managed by a separate team.
They owned device management, endpoint security,
compliance baselines. Also good.
Microsoft Defender handled by another team.
They owned threat detection,
incident response, security monitoring.
Yet another team owned purview, data governance,
sensitivity labels, retention policies.
And teams and SharePoint were loosely monitored
by the service adoption team.
They tracked usage metrics and provided training.
Nobody was looking at identity to app orchestration.
Nobody was enforcing zoning and tiering
across the entire system.
Every service had its own policies,
its own approval workflows,
its own definitions of what security baseline meant.
Each domain solved its own problems locally.
But there was no layer that decided
how those domains actually interacted,
how data flowed from one system to another,
how a user's access decisions in Entra ID
connected to what they could do in SharePoint,
how that related to what they could see in a co-pilot agent.
What that organization actually had
wasn't a security posture.
It was security theater orchestrated
across five different teams,
each performing their part with no conductor.
The systemic cause is this.
Most organizations treat Microsoft Cloud
as a collection of disconnected services.
Identity over here, data governance over there,
applications somewhere else, compliance in a separate silo.
This creates what I call policy fragmentation.
Each domain solves its own problems locally.
But there's no layer that ensures consistency.
No place that says, when we make an identity decision,
what does that mean for data access,
for app permissions, for compliance boundaries?
That connecting layer is the control plane.
And most organizations don't have one.
They think they do, they point to their Entra ID governance,
they show you their defender dashboards,
they talk about their purview compliance framework.
But those are individual services
responding to local constraints,
not a unified system making coordinated decisions.
The economic consequence of operating without it is massive.
That 10,000-seat organization,
$3.2 million in unrealized productivity benefits
over three years, not because they lacked features,
they had every Microsoft feature available.
But because those features weren't integrated into a system,
users couldn't find information
because it was classified inconsistently across SharePoint.
Admins couldn't trust their governance
because policies drifted when one team made changes
without checking impact on other teams.
Architects had no way to enforce decisions at scale
because there was no mechanism to translate intent
into system-wide behavior.
Control plane absence also means security
that accumulates invisibly.
When Entra ID policies drift, nobody knows it.
When SharePoint permissions exceed your threshold,
there's nobody watching.
When a copilot agent is accessing data you never approved,
the policy layer doesn't catch it.
Each service does its best, but there's no circuit breaker.
No orchestration, no central place where someone says,
no, that violates our architecture.
Real security data backs this up.
63% of M365 tenants face configuration tampering
in identity and device management.
And here's the architectural gap.
Microsoft doesn't natively back up tenant configurations.
You deploy defender policies, you configure Entra ID,
you set up Purview rules.
If something goes catastrophically wrong,
if an attacker modifies your policies,
if someone accidentally deletes your conditional access rules,
you don't have a native recovery mechanism.
You're relying on change logs and manual reconstruction.
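One defender's answer to the backup gap just described, as an added example that is not from the podcast: keep scheduled JSON exports of your Conditional Access policies and diff each new export against the approved baseline, so a deleted, un-enforced or quietly widened policy is caught before an incident does it for you. It assumes the exports come from Microsoft Graph's /identity/conditionalAccess/policies (the exporter itself is not shown); both snapshots below are constructed samples with only the fields the comparison uses.

```python
"""Drift detection for Conditional Access policy snapshots.

Added example, not from the podcast. It assumes scheduled JSON exports of
Microsoft Graph's /identity/conditionalAccess/policies (the endpoint is
real; the exporter is not shown). Both snapshots below are constructed
samples carrying only the fields the comparison uses.
"""
import json

# Constructed baseline: the policies the architecture says must exist.
BASELINE_JSON = """[
 {"id": "ca-001", "displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"id": "ca-003", "displayName": "Require compliant device for Office 365", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]"""

# Constructed current export: ca-001 downgraded to report-only, ca-002 deleted,
# ca-003 widened by an exclusion (placeholder group id), ca-099 appeared unreviewed.
CURRENT_JSON = """[
 {"id": "ca-001", "displayName": "Require MFA for all users",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"id": "ca-003", "displayName": "Require compliant device for Office 365", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
 {"id": "ca-099", "displayName": "Temp - vendor access without MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": []}}
]"""

ENFORCED = "enabled"   # Graph state value; the others are "disabled" and report-only


def load_snapshot(text: str) -> dict:
    """Index an exported policy list by policy id."""
    return {p["id"]: p for p in json.loads(text)}


def _exclusions(policy: dict) -> set:
    return set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare two snapshots; each finding is {policy, change, severity}.

    Deleting or un-enforcing a baseline policy and widening its exclusions are
    rated high because each silently removes a control; other edits and
    policies that appeared outside the baseline are medium and need review.
    """
    findings = []
    for pid, base in baseline.items():
        name = base["displayName"]
        cur = current.get(pid)
        if cur is None:
            findings.append({"policy": name, "change": "deleted", "severity": "high"})
            continue
        if cur["state"] != base["state"]:
            sev = "high" if base["state"] == ENFORCED else "medium"
            findings.append({"policy": name, "severity": sev,
                             "change": f"state {base['state']} -> {cur['state']}"})
        added_excl = _exclusions(cur) - _exclusions(base)
        if added_excl:
            findings.append({"policy": name, "severity": "high",
                             "change": f"exclusions added: {sorted(added_excl)}"})
        elif cur.get("conditions") != base.get("conditions"):
            findings.append({"policy": name, "change": "conditions modified", "severity": "medium"})
        if cur.get("grantControls") != base.get("grantControls"):
            findings.append({"policy": name, "change": "grant controls modified", "severity": "medium"})
    for pid, cur in current.items():
        if pid not in baseline:
            findings.append({"policy": cur["displayName"], "severity": "medium",
                             "change": "present in tenant but not in baseline"})
    return findings


if __name__ == "__main__":
    for f in detect_drift(load_snapshot(BASELINE_JSON), load_snapshot(CURRENT_JSON)):
        print(f"[{f['severity']:6}] {f['policy']}: {f['change']}")
```

Run against a baseline you have reviewed and signed off, the "high" findings are exactly the events the passage says nobody is watching for: a control disappearing, being switched to report-only, or gaining an exclusion.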
The control plane fix requires foundational architecture.
You have to build a unified policy compilation layer,
a single source of truth where architectural intent
gets translated into system-wide policy.
Treat identity, Entra ID, as the control plane backbone.
Make it the place where you define not just who can access what,
but what that access means across your entire system.
A user is an employee, a contractor, a vendor, a guest.
Once you make that decision in identity,
every other system should inherit that context.
Not ask for it separately, inherit it.
Then enforce cross-platform orchestration.
If a user's Entra ID role says finance,
that determines their default access
to financial data in SharePoint.
If they're classified as guest,
that determines what they see in teams.
If a co-pilot agent is accessing customer data,
its identity and permissions flow from a single source of truth.
Let me define this precisely.
A control plane is the system that makes decisions
about how other systems behave.
It's the layer above execution.
It's where intent gets translated into policy.
Without it, you have a platform,
individual services operating independently.
With it, you have architecture, you have a system.
Most organizations have the first.
Almost none have the second.
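The identity-as-control-plane idea from the Sin 5 fix and from the passage above, as an added example that is not from the podcast and is not a Microsoft API: the "who is this" decision is made once on the identity, compiled into per-system grants, and a Copilot-style agent is bounded by both its own risk tier and the invoking user's, with data nobody classified treated as restricted. The identity kinds, agent tiers, role names and resource catalogue are constructed.

```python
"""A minimal identity-backed control plane.
Added example, not from the podcast and not a Microsoft API: identity kinds,
agent tiers, roles and the resource catalogue are constructed. "Who is this" is
decided once, on the identity; SharePoint, Exchange and a Copilot-style agent
all derive their answer from that decision instead of asking separately.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3            # payroll, health records, customer PII

# Architectural law: data nobody classified is handled as RESTRICTED, so an
# unlabelled payroll export cannot leak through an FAQ agent.
UNCLASSIFIED_DEFAULT = Tier.RESTRICTED
# Identity kind -> ceiling, set once in identity and inherited by every system.
CEILING_BY_KIND = {"employee": Tier.CONFIDENTIAL, "contractor": Tier.INTERNAL,
                   "vendor": Tier.INTERNAL, "guest": Tier.PUBLIC}
# Agents are tiered by risk before deployment, not after the first incident.
AGENT_CEILING_BY_TIER = {"faq": Tier.PUBLIC, "knowledge": Tier.INTERNAL,
                         "finance": Tier.RESTRICTED}

@dataclass(frozen=True)
class Identity:
    principal: str
    kind: str                              # key of CEILING_BY_KIND
    roles: frozenset = frozenset()         # e.g. {"finance"}

@dataclass(frozen=True)
class Agent:
    name: str
    tier: str                              # key of AGENT_CEILING_BY_TIER
    scoped_roles: frozenset = frozenset()  # role-scoped data it may touch

@dataclass(frozen=True)
class Resource:
    path: str
    system: str                            # "sharepoint" | "exchange" | "hr"
    tier: Optional[Tier]                   # None = never classified
    owner_role: Optional[str] = None       # role-scoped data, e.g. "finance"

def effective_tier(res):
    return UNCLASSIFIED_DEFAULT if res.tier is None else res.tier

def user_decision(user, res):
    """(allowed, reason): one decision derived from identity, reused everywhere."""
    tier = effective_tier(res)
    if res.owner_role and res.owner_role not in user.roles:
        return False, f"{res.path} is scoped to role {res.owner_role}"
    ceiling = CEILING_BY_KIND[user.kind]
    # Staff in the owning role are elevated to RESTRICTED for that role's data;
    # guests, vendors and contractors never are, whatever roles they hold.
    if res.owner_role and user.kind == "employee":
        ceiling = Tier.RESTRICTED
    if tier > ceiling:
        return False, f"{res.path} is {tier.name}, {user.kind} ceiling is {ceiling.name}"
    return True, f"{res.path} ({tier.name}) within {ceiling.name}"

def agent_decision(agent, user, res):
    """Both boundaries apply: the invoking user's and the agent's own tier."""
    allowed, reason = user_decision(user, res)
    if not allowed:
        return False, f"{agent.name}: user denied ({reason})"
    if res.owner_role and res.owner_role not in agent.scoped_roles:
        return False, f"{agent.name}: not scoped to {res.owner_role} data"
    ceiling, tier = AGENT_CEILING_BY_TIER[agent.tier], effective_tier(res)
    if tier > ceiling:
        return False, f"{agent.name}: capped at {ceiling.name}, data is {tier.name}"
    return True, f"{agent.name}: may read {res.path} for {user.principal}"

def compile_grants(user, catalog):
    """Compile identity intent into per-system allow lists (what gets pushed to
    SharePoint, Exchange, ... from the single source of truth)."""
    grants = {}
    for res in catalog:
        if user_decision(user, res)[0]:
            grants.setdefault(res.system, []).append(res.path)
    return grants

# Constructed catalogue, including the unlabelled payroll export from the story.
CATALOG = [
    Resource("sp/public/handbook.pdf", "sharepoint", Tier.PUBLIC),
    Resource("sp/eng/runbooks/", "sharepoint", Tier.INTERNAL),
    Resource("sp/customers/contracts/", "sharepoint", Tier.CONFIDENTIAL),
    Resource("hr/payroll-2025.xlsx", "hr", None, owner_role="finance"),
    Resource("mail/finance-close/", "exchange", Tier.RESTRICTED, owner_role="finance"),
]
PAYROLL = CATALOG[3]
MARKETING = Identity("alice", "employee", frozenset({"marketing"}))
FINANCE = Identity("bob", "employee", frozenset({"finance"}))
CONTRACTOR = Identity("carol", "contractor", frozenset({"finance"}))
GUEST = Identity("dave", "guest")
FAQ_AGENT = Agent("faq-bot", "faq")
FINANCE_AGENT = Agent("close-assistant", "finance", frozenset({"finance"}))
```

The reason string each decision returns is the audit record the passage asks for; the compensation incident from Sin 5 becomes `agent_decision(FAQ_AGENT, MARKETING, PAYROLL)`, which is denied twice over.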
The leakage model.
How to calculate your invisible waste.
Let me walk you through a calculation.
And I want you to follow along.
If you have a notebook nearby,
now's the time to grab it.
This isn't complicated math,
but it's the math most organizations never actually do.
So they never see how much money is actually
flowing out of their tenant invisibly.
Start with your total seat count.
Let's say you're a mid-sized organization.
5,000 employees, round number, easy to think about.
Now, assume that roughly 20% to 30%
of the advanced Microsoft capabilities
you've paid for are not operationalized.
Not used, just available.
This isn't cynicism.
This is empirical.
I've audited dozens of tenants.
It's consistent.
One in three advanced features sits idle.
For a 5,000 seat organization on E5,
the delta between E5 and E3 is roughly $12 per user per month,
$12 times 5,000 seats times 12 months.
That's $720,000 annually that you're spending on features
you're not using.
But that's just the beginning.
Now, add the inactive license premium.
Roughly 10 to 15% of licenses are assigned to accounts
that haven't logged in in 30 days or longer.
Dormant, forgotten.
Still being billed.
If you're paying $36 per user for E5
and 15% of your licenses are inactive,
that's another $250,000.
Gone.
Just evaporated.
That's nearly a million right there.
Now, add co-pilot.
The base cost of co-pilot is $30 per user per month.
But that's not the real cost.
That's the headline number.
The real cost includes co-pilot studio credits burning through.
$200 per 25,000 messages.
For a tenant of 5,000 employees,
if even half of them use co-pilot occasionally,
you're burning through credits fast.
Call it 150,000 annually for a mid-sized deployment.
Then add the security retrofits.
When you deploy co-pilot without data boundaries,
you have to go back and classify data,
define agent access, implement DLP policies.
And that's not a feature.
That's remediation.
Call it 50,000 in unplanned spending.
So co-pilot alone is consuming $200,000 plus.
And that's conservative.
And then there's governance labor.
The hours spent managing sprawl.
The manual cleanup, the spreadsheets,
the escalation emails.
For a 5,000 seat tenant,
that's roughly two full-time employees' worth of effort.
$150,000 annually, minimum.
Added up:
720,000 in unused feature capacity,
250,000 in inactive licenses,
200,000 in co-pilot costs and security retrofits,
150,000 in governance labor.
That's $1.3 million annually in a mid-sized organization.
And here's what the breakdown actually looks like.
License waste, features you paid for but don't use,
accounts for about 40%.
Unoptimized connectors and shadow IT, another 20%,
AI sprawl 15%, governance labor
that doesn't actually prevent anything 25%.
Real organizations implementing software asset management
best practices can cut spending by 30% in year one.
30% of 1.3 million is nearly $400,000.
Recovered, just by paying attention.
That's the leakage model.
That's what most organizations are bleeding
without knowing it.
And that's before the July 2026 price increases hit.
When they do, that leak gets worse, not better.
But these numbers are symptoms, the disease is systemic.
Root cause analysis, why this happens.
The leakage isn't random.
The seven sins aren't coincidences.
They're not separate failures that happen to occur
in the same organization.
They're structural outcomes of how enterprises
make decisions about Microsoft Cloud.
And if you understand the structure,
you understand why this keeps happening.
The core problem is an operating model failure,
not a technical one, an organizational one.
Architectural decisions about Microsoft 365
are made by procurement, not by architects.
Let me say that again because it matters.
The decision about what you're going to buy,
which SKU, how many licenses, what feature set,
that decision gets made at the procurement level.
It gets made by someone looking at a spreadsheet,
comparing price per user across different vendors.
It gets made by someone asking,
what's the industry standard?
And then buying that.
It gets made by someone who's never been inside
an Entra ID policy or a conditional access rule.
And then that procurement decision gets treated
as an architectural decision.
We bought E5, so E5 is our architecture.
We standardized on teams, so teams governance is solved.
We licensed co-pilot, so we have an AI strategy.
That's not how architecture works.
That's how you end up with a shopping cart instead of a system.
The second structural problem is an accountability vacuum.
Nobody owns the economic outcome.
Budgets get siloed.
Finance owns the Microsoft licensing budget.
IT owns the infrastructure operations budget.
The business owns their departmental software spending,
procurement owns vendor contracts.
And nobody's looking at the tenant as a whole.
Nobody's asking, are we getting value from this?
Is the money we spent on E5 actually driving business outcomes?
If the co-pilot pilot stalls, who's accountable?
Not the executive who approved the spending.
Not the business unit who didn't adopt it.
It gets blamed on poor change management
or lack of training.
Nobody says we spend 200,000 on this and got nothing.
Who owns that failure?
This leads to the third problem.
Finance is completely absent from architecture decisions.
The CFO sees the spend line.
The CIO sees the features.
They never reconcile.
The CFO doesn't know what the premium connectors cost.
The CIO doesn't know how many of them are actually used.
They're operating in different universes
with different success metrics.
The CFO wants to reduce cost.
The CIO wants to increase adoption.
Those aren't aligned.
They're at odds.
And when they're at odds, neither gets what they want.
You end up with expensive features that nobody uses
and cheap tools that everybody re-implements with shadow IT.
This is what I call the procurement-led transformation trap.
The organization buys the right tools.
The tools are technically sound.
Microsoft 365 is a good platform.
But then procurement declares victory.
We bought the right tools.
We have the right strategy.
Success is now inevitable, except it's not.
85% of organizations increased AI investments
in the past 12 months.
Only 5% are what Gartner calls future-built leaders.
Organizations that are actually getting multiplier effects
from their AI spending.
The other 80% bought the tools.
They didn't build the architecture.
Here's a real story.
An enterprise spent $4.2 million on Microsoft 365
modernization.
That's not a small bet.
That's organizational commitment.
And they measured success by adoption percentage.
Did people use teams?
Yes, did they log into SharePoint?
Yes, did usage go up?
Absolutely.
But did those tools drive business outcomes?
Nobody measured that.
Did the premium capabilities actually reduce support tickets?
Nobody tracked it.
Did automation save labor hours?
Nobody quantified it.
The only metric was adoption.
And adoption looked good.
But adoption isn't architecture.
Adoption is visibility.
Someone using a tool doesn't mean the tool is solving a problem.
It just means they're using it.
And here's the final structural problem.
This is the one most organizations don't want to hear.
Microsoft doesn't enforce governance.
It enables chaos by default.
Every service in Microsoft 365 assumes
you want to be permissive.
Everyone can create teams.
Everyone can register apps.
Everyone can consent to permissions.
Everyone can share data widely.
That's not a bug.
That's a feature.
It makes the product more accessible.
But that permissiveness cascades into sprawl
without intentional architecture to constrain it.
Microsoft doesn't force you to classify data.
It doesn't require approval for co-pilot agents.
It doesn't mandate permission life cycles.
Those are architectural decisions you have to make.
And most organizations don't make them.
So they get the default behavior, which is chaos.
This is not Microsoft's failure.
It's yours.
And it's fixable.
But fixing it requires a different operating model.
The compliance wall, CMMC 2.0 and the architect's trap.
Here's what happens when you don't architect
for tomorrow's requirements.
Tomorrow's requirements architect you instead.
CMMC 2.0 enforcement became mandatory
on November 10th, 2025.
That date has already passed.
And it caught a lot of organizations flat footed.
CMMC is the Cybersecurity Maturity Model Certification.
It's the Department of Defense's way of saying
that if you want to work with us,
if you want a government contract,
if you want to touch Controlled Unclassified Information,
which is what the DoD calls CUI,
then your security infrastructure
has to meet specific standards, not guidelines.
Standards: 110 controls from NIST SP 800-171.
Level 2 compliance is non-negotiable.
And here's the architectural detail that matters.
Microsoft 365 commercial cannot be used
for CMMC level two, full stop.
The commercial cloud is multi-tenant.
Data from your organization sits alongside data
from other organizations.
The DOD doesn't accept that risk boundary.
So if you're a defense contractor
and you've been using Microsoft 365 commercial,
which is what most organizations do
because it's cheaper and simpler,
you cannot use it for CUI anymore.
You have to migrate to GCC High,
Government Community Cloud High,
a separate, isolated cloud environment:
different infrastructure, different data centers,
different governance. It's not a checkbox upgrade.
It's a re-tenanting. It's an architectural pivot.
Here's how it manifests in practice.
A defense contractor, 2,000 seats, running in commercial.
They're already using Teams, Exchange, SharePoint.
Everything's deployed, integrated, working.
Then CMMC enforcement happens.
And suddenly they learn,
usually from their compliance officer
or their government customer
that they need to be in GCC High by a specific date
or they lose their contract.
Now they're scrambling,
they have to migrate 2000 users
and all their data to a completely different cloud environment.
They have to revalidate their conditional access policies
because GCC High has different feature availability.
They have to retest integrations
because third party connectors behave differently
in government clouds.
They have to re-architect their governance
because the audit logging in GCC High
works differently than in commercial.
The systemic cause is straightforward.
Compliance requirements were not baked
into the initial tenant design.
The organization chose commercial
because it was the standard choice.
Nobody asked: we're a defense contractor,
what are our long-term compliance requirements?
Nobody mapped that requirement to an architectural decision.
Nobody said we should build this in GCC High from day one,
even though it's more expensive
because our business model requires it.
Instead, the organization built for cost and simplicity.
And then when compliance requirements arrived,
they had to re-tenant, which is expensive.
Craving the coffee flavor you love,
but without the caffeine?
Kachava's got you covered with their newest coffee flavor.
This all-in-one nutrition shake
delivers bold, authentic flavor,
crafted from premium, decaffeinated Brazilian beans
with 25 grams of protein, six grams of fiber,
greens, and so much more.
Treat yourself to the flavor and nutrition your body craves.
Go to kachava.com and use code news.
New customers get 15% off their first order.
That's K-A-C-H-A-V-A.com code news.
Warning: the following ZipRecruiter radio spot
you are about to hear is going to be filled with F words.
When you're hiring, we at ZipRecruiter
know you can feel frustrated.
Forlorn, even, like your efforts are futile.
And you can spend a fortune trying to find fabulous people
only to get flooded with candidates who are just fine.
Fuck.
Fortunately, ZipRecruiter figured out how to fix all that.
And right now, you can try ZipRecruiter for free
at ziprecruiter.com/zip.
With ZipRecruiter, you can forget your frustrations,
because we find the right people for your roles fast,
which is our absolute favorite F word.
In fact, four out of five employers
who post on ZipRecruiter get a quality candidate
within the first day.
Fantastic.
So whether you need to hire four, 40, or 400 people,
get ready to meet first-rate talent.
Just go to ziprecruiter.com/zip
to try ZipRecruiter for free.
Don't forget, that's ziprecruiter.com/zip.
Finally, that's ziprecruiter.com/zip.
Real numbers: a defense contractor
re-tenanting 2,000 users to GCC High.
Professional services alone, the migration effort,
the testing, the validation, runs north of $500,000.
Then there's the period of operational disruption:
users relearning systems that work slightly differently,
integrations that broke and had to be rebuilt,
training for the new environment,
audits that have to be repeated.
And the extended timeline:
what should have been a two-week migration stretches
to three months because the architecture wasn't built for it.
The economic consequence is layered:
the direct cost of migration,
the opportunity cost of the engineering team's time
diverted to crisis mode,
the risk of incomplete migration
where some data or configurations get missed,
discovered later in an audit,
and the ongoing cost: GCC High licensing
is more expensive than commercial,
and you can't easily move back.
The control plane fix is ruthlessly simple.
Design your tenant for your compliance requirements
from day one, not eventually.
Day one. If you're a defense contractor,
you build in GCC High.
You accept the higher cost and complexity up front
because your business model requires it.
If you're in healthcare,
you might need HIPAA compliance,
which affects data residency and audit logging.
If you're in financial services,
you might need SOC 2,
which affects who can access what. These aren't nice-to-haves.
These are architectural constraints.
And here's the lesson that applies beyond CMMC.
The window for architectural decisions closes early,
you make the decision about which cloud to use,
about how to classify data,
about where to store information,
and then that decision constrains everything
that comes after.
If you make the wrong decision early
because you didn't anticipate compliance requirements,
you're rebuilding later.
That's expensive.
If you don't architect for tomorrow's requirements,
tomorrow's requirements will architect you.
And by then, you're already operating at a cost disadvantage.
The recovery path from decay to design.
Here's the thing about architecture.
You can't fix it all at once.
You have to fix it deliberately in phases
with clear outcomes at each step.
Otherwise, you'll just be throwing money at problems
without solving the structural issues that created them.
Recovery from tenant decay follows a pattern.
And the pattern works.
I've seen it work dozens of times.
It takes 90 days to get to a place
where you can actually claim you have architecture
instead of just a platform running unsupervised.
Phase one is 30 days: audit and inventory.
You have to see what you've actually got
before you can change anything.
This means discovering inactive licenses,
running reports on user sign-in history,
finding accounts that haven't authenticated
in 30 days or longer.
These are your easy wins.
You reclaim them immediately.
You also discover orphaned apps: the 340 Power Apps,
the 847 app registrations,
the automation flows that nobody remembers creating.
You don't delete them yet.
You just inventory them.
Who owns this?
Has it been used?
Is there a business case for keeping it?
You also do a permission audit.
You look at Entra ID roles.
You find the accounts with excessive privilege.
You find the service principals with credentials
that haven't been rotated.
You find application permissions
that exceed what the application actually needs.
None of this gets fixed in phase one.
You just establish what the baseline looks like.
By the end of 30 days, you have clarity.
You know how much leakage exists.
You know how many licenses are wasted.
You know how many orphaned applications
are sitting in your environment.
You have a number.
And that number becomes your benchmark for recovery.
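The phase-one baseline described above, as an added example that is not from the podcast or from Microsoft: a small Python audit that turns an inventory into "the number" (stale accounts, the license spend they still carry, and service principals whose secrets have not been rotated). The field names follow the shape of Microsoft Graph's user and servicePrincipal objects (signInActivity.lastSignInDateTime, assignedLicenses, passwordCredentials, keyCredentials), but every record, the tenant name, the per-seat prices and the 90-day credential-age threshold are constructed assumptions for this example; only the 30-day sign-in window comes from the text.

```python
"""Phase-one tenant baseline over constructed, Graph-shaped inventory records.

Added example, not the podcast's or Microsoft's code. Records are modelled on
Graph's user / servicePrincipal shapes but are constructed; prices are
illustrative, not a price list.
"""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the example is reproducible (assumption).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Assumed per-seat monthly prices, illustrative only.
SKU_PRICE_PER_MONTH = {"E5": 57.0, "E3": 36.0, "BUSINESS_STANDARD": 12.5}

# Constructed users; lastSignIn mirrors signInActivity.lastSignInDateTime.
USERS = [
    {"userPrincipalName": "ava@contoso.example", "accountEnabled": True,
     "lastSignIn": "2026-02-27T09:12:00Z", "assignedLicenses": ["E5"]},
    {"userPrincipalName": "ben@contoso.example", "accountEnabled": True,
     "lastSignIn": "2025-11-02T17:40:00Z", "assignedLicenses": ["E5"]},   # idle, still licensed
    {"userPrincipalName": "cy@contoso.example", "accountEnabled": True,
     "lastSignIn": None, "assignedLicenses": ["E3"]},                       # never signed in
    {"userPrincipalName": "dee@contoso.example", "accountEnabled": False,
     "lastSignIn": "2025-06-14T08:00:00Z",
     "assignedLicenses": ["E3", "BUSINESS_STANDARD"]},                      # disabled, still licensed
    {"userPrincipalName": "eli@contoso.example", "accountEnabled": True,
     "lastSignIn": "2026-02-20T12:00:00Z", "assignedLicenses": []},
]

# Constructed service principals; credential lists mirror Graph's shape.
SERVICE_PRINCIPALS = [
    {"displayName": "payroll-sync",
     "passwordCredentials": [{"startDateTime": "2024-01-10T00:00:00Z"}], "keyCredentials": []},
    {"displayName": "hr-bot",
     "passwordCredentials": [{"startDateTime": "2026-01-15T00:00:00Z"}], "keyCredentials": []},
    {"displayName": "legacy-reporting",
     "passwordCredentials": [], "keyCredentials": [{"startDateTime": "2023-05-01T00:00:00Z"}]},
]


def parse_ts(value):
    """Parse a Graph-style ISO-8601 timestamp ending in Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_users(users, now=NOW, max_idle_days=30):
    """Accounts that have not authenticated in max_idle_days (or ever), plus disabled accounts."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        last = parse_ts(u["lastSignIn"])
        if not u["accountEnabled"] or last is None or last < cutoff:
            stale.append(u["userPrincipalName"])
    return stale


def license_waste_per_month(users, stale_upns, prices=SKU_PRICE_PER_MONTH):
    """Monthly spend on licenses still held by stale accounts: the reclaimable easy wins."""
    stale = set(stale_upns)
    return sum(prices[sku]
               for u in users if u["userPrincipalName"] in stale
               for sku in u["assignedLicenses"])


def find_unrotated_credentials(service_principals, now=NOW, max_age_days=90):
    """Service principals whose newest secret or certificate is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for sp in service_principals:
        creds = sp["passwordCredentials"] + sp["keyCredentials"]
        if not creds:
            continue  # nothing to rotate; it cannot authenticate with a secret at all
        newest = max(parse_ts(c["startDateTime"]) for c in creds)
        if newest < cutoff:
            flagged.append(sp["displayName"])
    return flagged


def baseline(users=USERS, service_principals=SERVICE_PRINCIPALS, now=NOW):
    """The phase-one number: what leakage exists before anything is changed."""
    stale = find_stale_users(users, now)
    return {
        "stale_accounts": stale,
        "reclaimable_license_spend_per_month": license_waste_per_month(users, stale),
        "unrotated_service_principals": find_unrotated_credentials(service_principals, now),
    }


if __name__ == "__main__":
    for key, value in baseline().items():
        print(f"{key}: {value}")
```

Nothing here deletes or downgrades anything, matching the phase-one rule of inventory first; the output is the benchmark the later phases are measured against. Against a real tenant the same functions would be fed the results of a Graph users query with signInActivity and a servicePrincipals query, which is outside this offline example.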
Phase two is 60 days: automate governance.
Now that you know what you have,
you start building the systems
that will prevent decay from happening again.
You deploy lifecycle workflows in Entra ID.
When a user joins, their access gets provisioned automatically.
When they leave, their access gets deprovisioned automatically.
No manual process, no spreadsheets,
no emails asking someone to remember to offboard this person.
The system does it.
You implement entitlement management.
You create access packages that bundle related permissions.
An employee joins the finance team.
They automatically get access to the finance shared mailbox,
the finance SharePoint site, the finance Teams channel,
All through a single approval workflow.
Not separate requests to different people.
Not finding out three weeks later
that someone didn't get access to something they needed.
You enforce sensitivity labels and data loss prevention at scale.
Every document in SharePoint gets classified.
Not manually, automatically.
Based on content analysis, based on metadata.
If a document contains sensitive financial information,
it gets the finance label automatically.
And once it's labeled, DLP policies automatically restrict
how it can be shared.
You can't email a sensitive financial document externally.
The policy blocks it.
Phase three is 90 days: build the control plane.
This is where you architect.
You define a policy compilation layer.
A single system of truth where organizational intent
gets translated into platform policy.
You establish Entra ID as the orchestration backbone.
Every other system in your tenant
inherits authorization decisions from identity.
A user's role in Entra ID determines their access
to data in SharePoint, their visibility in Teams,
their permissions in Copilot agents.
You implement cross-platform governance.
When you make a decision in one place, it cascades everywhere.
It doesn't break systems.
It doesn't create exceptions.
It creates consistency.
A global firm I worked with followed this path.
5,000 seats.
They recovered $1.2 million in year one
through systematic rationalization.
They reclaimed $130,000 in unused licenses in month one.
They decommissioned 78 orphaned Power Apps in month two.
By month three, they reduced their password reset volume
by 86% through automated entitlement management.
The research is consistent.
The break-even point for technology investment in M365
is 54 minutes of time savings per employee per month.
This organization achieved that in the first 30 days.
Everything after that was pure recovery.
Measurable outcomes matter.
Onboarding time dropped 25%.
Help desk tickets for access requests basically disappeared.
Compliance audits became routine instead of crisis.
They could prove they had governance
because governance was built into the platform.
But recovery requires something else beyond process.
The mindset shift: from procurement to architecture.
Recovery requires a mindset shift.
And mindset shifts are harder than process changes
because they require executives to change how they think
about what they're doing. The shift sounds simple
when you say it.
But it reshapes everything.
Stop asking, what tools should we buy?
Start asking, what system do we need?
This is the fundamental reframe.
Most organizations approach Microsoft 365
like they're shopping.
What features do we need?
What's the industry standard?
What are competitors using?
What's the price per user?
And then they buy.
They've solved the problem by acquiring the product.
But tools and systems are different things.
A tool is something you buy and deploy.
A system is something you architect.
A tool solves isolated problems.
A system solves interconnected problems.
You can buy Copilot.
That's a tool. But you can't buy a Copilot system.
You have to architect it.
You have to decide what data it accesses.
You have to define its boundaries.
You have to think about how it integrates with governance.
You have to measure what it actually delivers.
The shift from tools to systems changes everything
because now the question isn't, how do we buy this faster?
It's what are we trying to accomplish?
And how does this tool fit into the larger system we need?
Stop measuring by adoption percentage.
Start measuring by economic realization.
Most organizations track adoption because it's visible.
How many users logged into Copilot?
How many Teams channels got created?
How many people attended training?
These metrics feel like success because they're easy to see.
And they're useless.
A user logged into Copilot once and never returned.
Is that adoption?
Technically yes.
But economically, it's a failure.
You spend $30 a month on a license that delivered zero value.
That's not adoption.
That's waste measured in percentages.
Real metrics are different.
Did Copilot reduce the time it takes to write a report?
By how much? Can you quantify that?
Did it reduce password reset calls?
How many fewer calls per month?
Did it accelerate onboarding? By how long?
These are economic metrics.
They connect tool usage to business outcome.
And they're much harder to achieve.
So organizations don't measure them.
They measure adoption instead.
Stop treating architects as cost centers.
Start treating them as leverage multipliers.
This is the hardest mindset shift
because it requires the organization to value something
that's invisible until something breaks.
A builder creates a feature.
Everyone sees it.
The business sees value immediately.
An architect prevents a problem that would have cost millions
to fix later and nobody sees it
because the problem never happened.
That invisibility is dangerous.
It gets architects fired and builders promoted.
But here's the arithmetic.
One architect can set standards that affect hundreds of builders.
One architectural decision about how to handle data boundaries
can prevent thousands of hours of rework later.
One governance framework that automates entitlement management
can reclaim hundreds of thousands of dollars
in license waste and labor.
That's leverage.
Stop treating licensing as a budget line item.
Start treating it as a behavioral incentive.
Licensing SKU drives behavior.
If you assign everyone E5, you're saying everyone gets access
to everything. That removes all constraints.
It removes all discipline.
It removes the mechanism that forces you
to make hard architectural decisions
about what people actually need.
But if you intentionally align licensing to roles,
then the organization has to know what roles are.
It has to enforce role definitions.
It has to ask, why does this person need this capability?
And in asking that question,
it starts building architecture instead of buying features.
A CIO I worked with made this shift explicitly.
They'd been trying to drive Copilot adoption.
Rolling it out to everyone, measuring usage metrics.
Adoption wasn't happening.
Usage was low.
Value was unclear.
So they reframed it.
Instead of Copilot as a productivity tool,
they said Copilot is a data governance accelerator.
And they changed who got licenses.
Not everyone, teams that had high data governance maturity,
teams that had classified their data,
teams that understood their compliance requirements.
Suddenly, Copilot became an incentive
for doing the unglamorous work of data classification first.
This is what reframing looks like in practice.
Not different tools, different intent,
different alignment, different outcomes.
And here's the final reframe.
Your Microsoft tenant is not a collection of applications.
It is not a set of services you subscribe to.
It is an economic system.
Every decision has an economic consequence.
Every sprawl you tolerate costs money.
Every governance gap you ignore compounds into debt.
The question isn't, do we have Microsoft 365?
The question is, are we managing it as a system?
The governance operating model, how to sustain it.
Finding great candidates to hire can be like, well,
trying to find a needle in a haystack.
Sure, you can post your job to some job board,
but then all you can do is hope the right person comes along,
which is why you should try ZipRecruiter for free
at ziprecruiter.com/zip.
ZipRecruiter doesn't depend on candidates finding you.
It finds them for you.
Its powerful technology identifies people
with the right experience
and actively invites them to apply to your job.
You get qualified candidates fast.
So while other companies might deliver a lot of, well, hay,
ZipRecruiter finds you what you're looking for:
the needle in the haystack.
See why four out of five employers
who post a job on ZipRecruiter get a quality candidate
within the first day.
ZipRecruiter, the smartest way to hire.
And right now, you can try ZipRecruiter for free.
That's right, free at ziprecruiter.com/zip.
That's ziprecruiter.com/zip.
ziprecruiter.com/zip.
Recovery is the easy part.
Sustaining it is where most organizations fail.
You'll go through the 90-day recovery.
You'll reclaim licenses.
You'll decommission orphaned applications.
You'll implement automation.
And for about six months, the organization will feel good about it.
We fixed it.
We are more efficient.
We have governance.
Then slowly entropy returns.
A new business unit wants to deploy a Copilot agent
without following the approval workflow.
Someone creates a Teams channel for a project
and assigns permissions too broadly.
A new integration gets built
because the standard integration points are documented poorly.
And the builder doesn't know they exist.
The control plane drifts.
Policies become suggestions again.
This is why governance requires an operating model.
Not a one-time intervention.
Not a checklist you complete and then ignore.
An ongoing system that sustains architectural discipline.
Governance operating models have three components: ownership,
decision rights, cadence.
First, ownership.
Somebody has to own the control plane.
Not everyone.
Not a committee that meets quarterly.
One accountable person or a small office
that owns architectural intent and policy consistency.
At many organizations, this gets assigned to the CIO.
But if your CIO is spread across a hundred initiatives,
ownership becomes meaningless.
Effective models establish a distinct role.
Chief architect or office of architecture
or governance council lead.
Someone whose primary responsibility, not secondary,
not among other things, is ensuring
the control plane stays intact.
This ownership is active.
It's not theoretical.
It's weekly staff meetings where the architecture team
reviews what's being requested.
New applications, new integrations,
new data classifications, new governance exceptions.
Every request flows through this office.
And the office has the authority to say no:
not to obstruct, but to enforce standards.
Second, decision rights.
Define explicitly who decides what.
This prevents the diffusion of responsibility
that kills governance.
Who approves new applications?
Not the business; specifically, the application review board.
Who has authority to create Copilot agents?
The AI governance council.
Who decides data classifications?
The data owner, with IT validation.
Who can request exceptions to conditional access policies?
The executive sponsor, with CISO sign-off.
Write these down, make them clear,
and then enforce them without exception.
Real exceptions happen, legitimate ones.
But if you grant exceptions without requiring explicit
approval and documented business justification,
exceptions become the rule and rules become irrelevant.
Third, cadence.
Governance that operates only in crisis mode
isn't governance, it's damage control.
Establish three levels of rhythm.
Weekly, operational.
This is the governance team meeting to review requests,
approve standard decisions, identify anomalies.
Not long meetings: 30 minutes. What came in this week?
Are we seeing drift? Do we need to escalate anything?
Monthly, tactical. This is the broader review.
How are policies performing? What did automation catch?
What required manual intervention?
Are there patterns we should address?
Are there new threats we need to govern against?
Quarterly, strategic. This is alignment with business outcomes.
Are our governance decisions supporting business goals?
Are we over-controlling and blocking innovation?
Are we under-controlling and exposing risk?
Do we need to adjust policies based on what we've learned?
This is the meeting that connects governance
to business impact. Tie this to outcomes.
Organizations with formal governance operating models
achieve 130% or higher ROI in year one.
Not through cost savings alone,
through the compounding effect of consistent decision making,
of reduced rework, of architects preventing problems
instead of engineers fixing them after the fact.
A global enterprise established an architecture council:
representatives from IT, finance, security, business.
They met quarterly, reviewed all new initiatives,
evaluated them against architectural standards,
caught problems early. Within two years
they'd reduced infrastructure change failures by 70%,
because architectural intent was clear
and decisions were coordinated.
Track metrics that matter.
Not adoption: cost per seat, feature utilization percentage,
audit readiness score, breach risk score.
These connect governance to business reality.
Is your Copilot adoption tracking?
Measure actual time saved, not just login events.
Are your license costs predictable?
Track cost per user by role.
Is your security posture hardening?
Measure your conditional access coverage,
your MFA adoption rate, your unmanaged device exposure.
These metrics create accountability.
The governance team owns them. They report quarterly.
When metrics drift, someone has to explain why
and what they're doing to fix it.
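The three posture metrics named above (conditional access coverage, MFA adoption rate, unmanaged device exposure) computed from sign-in records, plus the drift check that makes someone explain a number: an added example, not code from the podcast or from Microsoft. The record fields mirror the names Microsoft Graph uses on signIn objects (conditionalAccessStatus, authenticationRequirement, deviceDetail.isManaged, status.errorCode), but every sign-in record, the tenant name and the target thresholds are constructed assumptions for this example.

```python
"""Security-posture metrics over constructed, Graph-shaped sign-in records.

Added example, not the podcast's or Microsoft's code. Field names mirror Graph's
signIn object; the records and the targets below are constructed assumptions.
"""


def rec(user, ca_status, mfa, managed, error_code=0):
    """Build one constructed signIn-shaped record."""
    return {
        "userPrincipalName": f"{user}@contoso.example",      # assumed tenant
        "conditionalAccessStatus": ca_status,                 # success | failure | notApplied
        "authenticationRequirement": (
            "multiFactorAuthentication" if mfa else "singleFactorAuthentication"),
        "deviceDetail": {"isManaged": managed},
        "status": {"errorCode": error_code},                  # 0 means the sign-in succeeded
    }


# One constructed reporting window. "failure" means a policy applied and blocked the sign-in.
SIGNINS = [
    rec("ava", "success", True, True),
    rec("ben", "success", True, True),
    rec("cy", "notApplied", False, False),      # no policy in scope, single factor, unmanaged
    rec("dee", "success", False, False),        # policy applied but did not require MFA
    rec("eli", "failure", True, False, error_code=53003),  # blocked by conditional access
    rec("ava", "success", True, True),
    rec("ben", "notApplied", False, True),
    rec("cy", "success", True, False),
    rec("dee", "notApplied", False, False),
    rec("eli", "success", True, True),
    rec("ava", "success", True, True),
]

# Assumed targets the governance team reports against; not figures from the page.
TARGETS = {
    "conditional_access_coverage_pct": ("min", 95.0),
    "mfa_pct": ("min", 90.0),
    "unmanaged_device_exposure_pct": ("max", 10.0),
}


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def posture_metrics(signins):
    """Coverage and exposure figures from a window of sign-in records."""
    total = len(signins)
    # Coverage: a policy evaluated the sign-in, whether it allowed or blocked it.
    ca_applied = sum(1 for s in signins
                     if s["conditionalAccessStatus"] in ("success", "failure"))
    mfa = sum(1 for s in signins
              if s["authenticationRequirement"] == "multiFactorAuthentication")
    # Exposure counts only sign-ins that actually got in, from devices the tenant does not manage.
    succeeded = [s for s in signins if s["status"]["errorCode"] == 0]
    unmanaged_ok = sum(1 for s in succeeded if not s["deviceDetail"]["isManaged"])
    return {
        "conditional_access_coverage_pct": pct(ca_applied, total),
        "mfa_pct": pct(mfa, total),
        "unmanaged_device_exposure_pct": pct(unmanaged_ok, len(succeeded)),
        "users_without_mfa": sorted({
            s["userPrincipalName"] for s in signins
            if s["authenticationRequirement"] != "multiFactorAuthentication"}),
    }


def drift(metrics, targets=TARGETS):
    """Metrics outside their target: the items someone has to explain at the quarterly review."""
    out = []
    for name, (kind, limit) in targets.items():
        value = metrics[name]
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            out.append((name, value, limit))
    return out


if __name__ == "__main__":
    m = posture_metrics(SIGNINS)
    for key, value in m.items():
        print(f"{key}: {value}")
    for name, value, limit in drift(m):
        print(f"DRIFT {name}: {value} vs target {limit}")
```

The per-user list of single-factor sign-ins is what turns a percentage into an action item; a coverage number alone says nothing about which accounts the policies are missing. In a real tenant the same functions would consume the output of a Graph sign-in log query for the reporting period.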
This is not optional, this is foundational.
Without an operating model to sustain it,
your recovery becomes temporary.
Within 18 months, you're back where you started.
Slightly more expensive but fundamentally unchanged.
With it, governance becomes a permanent capability.
Something the organization does,
not something it periodically attempts.
The executive prescription: what leadership must do.
Here's what needs to happen.
Not eventually. Before your next renewal,
before the July 2026 price increases force your hand.
Demand an architecture audit before your next license renewal.
Not a vendor assessment, not a feature comparison,
an actual audit: someone independent,
not your infrastructure team
(they have an incentive to minimize problems),
comes in and maps your tenant.
What's actually running, what's being used,
what's decaying, what's the compliance posture,
what's the governance maturity. Cost is secondary,
truth is primary.
This audit produces three artifacts.
First, a baseline of where you are:
what's the current leakage, how much license waste exists,
what's your security debt. Second, a gap analysis:
if you want to achieve a specific level of governance maturity,
what do you need to change?
Third, a recovery roadmap: 90 days minimum,
clear milestones, economic outcomes measured.
This audit is not free.
Plan for $50,000 to $150,000 depending on size.
That's not an expense, that's insurance,
because proceeding to renewal without this audit
means you're renewing based on assumptions.
And your assumptions are wrong.
Everyone's assumptions are wrong.
Require quarterly economic outcome reporting
tied to your Microsoft spend.
Your CFO shouldn't see a line item that says
Microsoft 365, $3.2 million.
Your CFO should see Microsoft 365, $3.2 million,
ROI outcomes: reduced time to onboard by 25%,
automated 86% of access requests, prevented
compliance failures. That's a conversation.
That's governance. Establish a control plane governance model
with clear ownership. Assign someone, explicitly.
Not a committee, not a part-time responsibility.
Someone whose primary job is ensuring architectural intent
gets enforced. Give them authority
to approve or reject requests.
Give them budget. Measure them by system health,
not by features shipped.
Map licensing SKU to organizational roles and capabilities.
This is unglamorous work, but it's mandatory.
You need a matrix. Finance roles require E5
because they need advanced threat intelligence
and premium connectors.
Engineering roles require E3
because they need collaboration but not premium security.
Support roles require Business Standard
because they need email and Teams and nothing else.
Write this down, make it policy, enforce it.
Implement automated compliance monitoring
for regulatory requirements.
If you're a defense contractor,
you need to know continuously whether
you're maintaining CMMC compliance.
Not at audit time, continuously.
If you're in health care, you need to know
whether your HIPAA controls are intact, automated real time.
This requires tooling, it requires investment,
it's non-negotiable.
Real story.
A CFO at a mid-market organization demanded an ROI model
before approving the Copilot rollout.
The team pushed back: just let us pilot it,
see how adoption goes. The CFO said no. Show me the model,
show me what time savings will achieve,
show me how that translates to economic value.
They built the model, and they discovered something.
40% of existing E5 licenses could be downgraded to E3
because users weren't using the premium connectors
or the advanced security features.
They were just using the basic collaboration tools.
40%. That's hundreds of thousands of dollars recovered
before they spent a dime on Copilot.
The CFO's insistence on economic modeling
exposed the real problem.
Here's the conversation starter.
If you cannot explain your Microsoft strategy
in economic terms, you don't have a strategy.
You have a shopping list,
a strategy connects technical decisions
to business outcomes.
A strategy says we're implementing this control
because it reduces risk or we're decommissioning that
because it's not driving value
or we're investing in governance
because the savings from automation
exceed the cost by five to one.
If you can't say those things, you don't have a strategy.
And here's the non-negotiable.
Procurement is not transformation. Architecture is.
Stop conflating the two. Buying tools is easy,
building systems is hard. One is a transaction,
the other is a capability. One generates a purchase order,
the other generates economic value.
Your job as a leader is to demand architecture,
not procurement.
Demand that before you renew,
someone explains to you how your Microsoft tenant
is actually organized, what the control plane looks like,
how decisions are enforced, what's working,
what's decaying, what the economics actually are,
that's leadership, everything else is just spending money.
The uncomfortable truth: why this matters now.
This is not a 2027 problem, this is a 2026 problem
and it's already here.
Microsoft is increasing prices nine to 33% effective
July 1st, 2026.
That date is approaching, for most organizations,
that's your next renewal window.
The question isn't whether prices are going up,
the question is whether you'll be paying higher prices
on a rationalized tenant or a decayed one.
If you rationalize now, before renewal,
you recover license waste while you're still paying
current pricing, a 30% cost reduction on your E5 mix
locked in at today's rates,
survives the July increase.
If you wait until after the increase,
you're recovering 30% of a higher base,
you're optimizing at a disadvantage.
The arithmetic is stark.
A global firm delayed rationalization.
They told themselves they'd address it after their renewal.
Their renewal landed two weeks after the price increase.
They tried to right-size licenses then.
They recovered $100,000 in quarterly waste,
but they were recovering it from a base
that had already increased by $300,000.
They optimized too late.
They're now paying $200,000 more annually
than if they had acted before the increase.
The second pressure is regulatory,
the compliance landscape is tightening, not loosening,
CMMC 2.0 enforcement is not optional.
It's not something to handle eventually.
It's here.
And if you're a defense contractor
and you're not already in GCC High,
you're operating on borrowed time,
your customer will enforce it.
Your contract depends on it.
Waiting until you lose the contract is expensive.
Beyond CMMC, state level AI regulation is accelerating.
38 US states enacted roughly 100 AI measures in 2025.
The number is growing and regulations require governance,
real governance, not policies written in English,
automated enforcement, audit trails, human oversight.
These are not optional, nice to have.
These are requirements and they're expensive to retrofit.
The third pressure is threat velocity.
Tenant level attacks are becoming more sophisticated.
63% of M365 tenants face configuration tampering.
And here's the architectural consequence.
Microsoft doesn't natively back up tenant configurations.
You deploy a conditional access policy
and an attacker modifies it.
You have no recovery point.
No native rollback.
You're reconstructing from logs if you're lucky.
If you're not, you're rebuilding.
That's not a theoretical risk.
That's your architecture exposing you
to extended downtime with no recovery path.
The fourth pressure is AI sprawl.
And this one's moving faster than you can see it.
80% of Fortune 500 companies are using active AI agents.
80% and most of them have no formal strategy
for agent identity management.
No governance, no boundaries.
Agents are proliferating, consuming credits, accessing data,
operating without oversight.
Copilot itself burns tokens fast.
The cost model isn't linear.
Popular agents accelerate consumption.
And without capacity planning, without governance,
without boundaries, your copilot budget becomes unpredictable.
The tenant debt of unmanaged agents is real
and it's compounding faster than cleanup can address it.
And here's what ties all four pressures together.
The window for proactive architecture is closing.
Every month you delay recovery,
you're storing up compound problems,
more orphaned applications accumulate,
more permissions drift, more inactive licenses get billed,
more technical debt accrues,
and every month the cost of fixing it later increases.
Organizations that act now, in the next 90 days, have leverage.
You can recover licenses before the price increase.
You can rationalize copilot costs
before agent sprawl becomes unmanageable.
You can implement governance frameworks
before regulatory audits expose gaps.
You can build a control plane
while you still have the organizational bandwidth to do it.
Organizations that wait face a different arithmetic.
They'll pay higher prices on misaligned licenses.
They'll face compliance fines
because governance wasn't in place.
They'll have security incidents
from unmanaged agents and permissions sprawl.
And they'll pay crisis premiums to fix all of it at once.
This is not doom.
This is inevitability.
This is what happens when debt compounds.
The question isn't whether it will happen.
It's whether you'll address it proactively or reactively.
The final diagnosis, here's what I know.
Your Microsoft tenant is leaking millions.
You're financing your own decay.
And you can stop it.
The problem is not Microsoft.
It is the absence of economic ownership in your architecture.
The solution is not more tools.
It is a control plane.
The timeline is not eventually.
It is now.
Remember this.
This is not about tools.
This is about economic ownership.
Audit your tenant.
Establish governance ownership.
Measure economic outcomes.
Do it in the next 90 days.
Your margins depend on it.
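The host's point that a Conditional Access policy has no native recovery point once an attacker edits it, as an added example (not from the podcast): a script that exports every policy to a baseline you own and flags added, modified, or deleted policies on later runs. It assumes the Microsoft Graph PowerShell SDK on PowerShell 7 and an account holding Policy.Read.All; the baseline folder name is a hypothetical choice.

```powershell
# Added example, not from the podcast: snapshot Conditional Access policies
# to a local baseline, then report drift against it on subsequent runs.
# Assumes Microsoft.Graph.Identity.SignIns is installed, PowerShell 7
# (for ConvertFrom-Json -AsHashtable), and the Policy.Read.All scope.
param(
    [string]$BaselineDir = ".\ca-baseline"   # hypothetical folder name
)

Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Normalize each policy to compact JSON so two exports of the same
# policy compare equal; ModifiedDateTime is left out on purpose so that
# content, not timestamps, drives the comparison.
function Get-PolicySnapshot {
    $snapshot = @{}
    foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
        $content = [ordered]@{
            DisplayName     = $p.DisplayName
            State           = $p.State
            Conditions      = $p.Conditions
            GrantControls   = $p.GrantControls
            SessionControls = $p.SessionControls
        }
        $snapshot[$p.Id] = ($content | ConvertTo-Json -Depth 20 -Compress)
    }
    return $snapshot
}

$current      = Get-PolicySnapshot
$baselineFile = Join-Path $BaselineDir "policies.json"

# First run: write the baseline. This file is the recovery point the
# tenant itself does not give you; keep it under version control.
if (-not (Test-Path $baselineFile)) {
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $baselineFile -Encoding utf8
    Write-Host "Baseline written: $($current.Count) policies -> $baselineFile"
    return
}

# Later runs: compare live tenant state with the stored baseline.
$baseline = Get-Content $baselineFile -Raw | ConvertFrom-Json -AsHashtable
$drift = @()
foreach ($id in $current.Keys) {
    if (-not $baseline.ContainsKey($id)) { $drift += "ADDED    $id"; continue }
    if ($baseline[$id] -ne $current[$id]) { $drift += "MODIFIED $id" }
}
foreach ($id in $baseline.Keys) {
    if (-not $current.ContainsKey($id)) { $drift += "DELETED  $id" }
}

if ($drift.Count -eq 0) { Write-Host "No Conditional Access drift against baseline." }
else { $drift | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it on a schedule and alert on a non-zero exit code; the saved JSON also holds the content needed to recreate a policy that was deleted or altered.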
But finding great candidates to hire can be like, well, trying to find a needle in a
haystack.
Sure, you can post your job to some job board.
But then all you can do is hope the right person comes along.
Which is why you should try Zip Recruiter for free.
At ziprecruiter.com slash zip.
Zip Recruiter doesn't depend on candidates finding you.
It finds them for you.
Its powerful technology identifies people with the right experience and actively invites
them to apply to your job.
You get qualified candidates fast.
So while other companies might deliver a lot of hay, Zip Recruiter finds you what you're
looking for.
The needle in the haystack.
See why four out of five employers who post a job on Zip Recruiter get a quality candidate
within the first day.
Zip Recruiter, the smartest way to hire.
And right now, you can try Zip Recruiter for free.
That's right.
Free.
At ziprecruiter.com slash zip.
That ziprecruiter.com slash zip, ziprecruiter.com slash zip.

M365.FM - Modern work, security, and productivity with Microsoft 365