I want to start this blog post with an analogy: Do you remember when everyone was talking about Bring Your Own Device (BYOD)?
Around 15 years ago, employees started bringing their own smartphones and tablets to work. Remote work became both possible and increasingly popular. The promise was simple: people should be able to use their own devices for work.
The challenge, however, was far less simple.
Organizations often focused on employee flexibility while overlooking the significant governance, security, and operational responsibilities this created for IT departments. Employees expected everything to work, and somehow “someone” in IT was supposed to make it happen.
Fortunately, technologies such as Conditional Access made it possible to establish a balance. Organizations could allow full access and functionality on managed, compliant devices while restricting unmanaged devices to limited browser-based access. Governance became the key to enabling flexibility without sacrificing control.
Today, we are facing a very similar challenge once again.
From Excel Heroes to Citizen Developers
Most organizations have creative and curious employees. That is a good thing.
These are often the people who drive innovation and find better ways of working. For decades, they have built Excel spreadsheets with macros, integrations, and advanced logic that solved real business problems.
Many of those solutions eventually became business-critical. (Unfortunately, many also became impossible to govern.)
The spreadsheets were often stored on file shares, connected to various systems, dependent on complex permissions, and maintained by a single individual who eventually changed jobs or retired. The solution remained, but the owner disappeared. Nobody fully understood how it worked, who had access to it, or what would happen if it broke.
The same pattern repeated itself with Microsoft Access databases and other user-built solutions.
Creativity flourished BUT governance vanished…
The First Citizen Development Wave
Roughly a decade ago, the next evolution arrived: low-code platforms.
Solutions like Microsoft Power Platform enabled employees to create applications, workflows, and automations without traditional software development skills.
The opportunities were enormous. (So were the governance challenges.)
In many organizations today, the default Power Platform environment contains countless apps and flows with unclear ownership, limited documentation, and little or no lifecycle management.
This situation creates technical debt, security concerns, and operational risks.
While it has certainly created a lot of work for consultants like myself, I would much rather see organizations establish governance, ownership, and lifecycle management from the beginning than pay for large clean-up projects later.
Innovation does not need to come at the expense of control.
The goal should be a governed innovation process where good ideas are encouraged, but solutions are built with the right security, ownership, and operational model from day one.
For readers interested in Power Platform governance, I have written extensively about the topic on Providing Tips:
- Power Platform Governance: https://providing.tips/category/copilot/power-platform-governance/
- From AI Enthusiasm to Governed Business Value: https://providing.tips/2026/06/25/from-ai-enthusiasm-to-governed-business-value-how-organizations-can-avoid-an-expensive-ai-playground/
Citizen Development Has Leveled Up Again
Unfortunately, many organizations have still not gained full control of Power Platform.
Just as they are struggling to manage the previous wave of citizen development, a new and significantly more powerful wave has arrived:
Microsoft 365 Copilot and AI agents.
The challenge is no longer limited to user-created apps and workflows.
Today, users can create intelligent agents capable of finding information, interacting with systems, automating business processes, and collaborating with other agents.
This changes everything.
If governance was important before, it is absolutely critical now.
Without proper governance, organizations risk:
- Uncontrolled access to information
- Unmanaged agents and automations
- Unclear ownership and accountability
- Compliance violations
- Security risks
- Growing operational complexity
Organizations that fail to act will eventually find themselves behind—not only from a governance perspective but also from an innovation perspective.
Clean Up the Past While Governing the Future
There is only one cure for the governance challenges of previous years:
Clean-up.
The unmanaged apps, flows, environments, permissions, and solutions that exist today need attention.
But cleaning up historical problems is not enough.
At the same time, organizations must establish a structured process for innovation, development, ownership, deployment, and lifecycle management of future solutions.
This is especially important for Copilot agents.
What Organizations Should Do Right Now
Based on my experience, organizations should consider the following actions:
1. Establish Visibility and Control
Implement Microsoft Agent 365 to gain visibility into existing and future agents across the organization.
For an introduction, see:
- Copilot Governance – Microsoft Agent 365 Explained to Grandma: https://providing.tips/2025/12/05/copilot-governance-microsoft-agent-365-explained-to-grandma/
2. Review Copilot and Agent Settings
Review all Copilot and agent-related settings in the Microsoft 365 Admin Center.
Particular attention should be given to:
- Connectors
- Tools
- MCP servers
- Third-party integrations
- Data residency requirements
If a connector or integration is not needed, disable it.
A useful companion article is:
- Copilot Governance – Take Control over the Connectors: https://providing.tips/2025/10/30/copilot-governance-take-control-over-the-connectors/
You may also find value in:
- Default-On Is Not a Strategy: Why You Should Block Third-Party Copilot Agents and Connectors Until You Know What You’re Doing: https://providing.tips/2026/06/24/default-on-is-not-a-strategy-why-you-should-block-third-party-copilot-agents-and-connectors-until-you-know-what-youre-doing/
3. Decide Who Should Be Allowed to Build Agents
Just because everyone can build agents does not necessarily mean everyone should.
Each organization must decide whether:
- Agent creation should be open to all users
- Agent creation should be limited to specific roles
- Only centrally governed enterprise agents should be allowed
4. Establish Governance Through Security Groups
Define who can:
- Build agents
- Manage agents
- Use premium capabilities
- Access Copilot Studio
Then manage access through Entra ID security groups.
5. Implement a Proper Environment Strategy
Create:
- Personal development environments
- Governed development environments
- Test environments
- Production environments
Implement Application Lifecycle Management (ALM) and deployment pipelines that support a controlled path from development to production.
Organizations interested in this approach may also want to read:
- Copilot Governance – The Basics of Zoned Governance Explained to Grandma: https://providing.tips/2026/01/27/copilot-governance-the-basics-of-zoned-governance-explained-to-grandma/
6. Train People
Governance is not only technology.
Create:
- Policies
- Standards
- Training materials
- Governance processes
- Adoption programs
Users, makers, administrators, and service owners all need clear guidance.
7. Establish Continuous Governance
Perhaps the most important point:
Governance is not a project.
It is an ongoing responsibility.
New capabilities, connectors, tools, and features are continuously introduced. Organizations need dedicated resources who regularly review, assess, and govern the evolving landscape.
If you are not planning to allocate internal resources for this responsibility, you should consider engaging external expertise.
The Next Evolution Is Already Here
Earlier, I said that citizen development had leveled up because of Microsoft 365 Copilot.
In reality, it has already evolved again.
We are rapidly moving into a world where agents build, manage, and collaborate with other agents.
That makes governance even more important.
Because if autonomous digital workers are going to operate inside your environment, access your information, and support your business processes, you need absolute clarity regarding what they can do, where they can operate, and who is responsible for them.
The time to think about governance is not tomorrow.
The time to act is NOW.
This is my final blog post before I take a relaxing summer break to recharge my batteries for the autumn ahead.
And when the holiday season is over, if you need help getting started with Copilot Governance, Power Platform Governance, or Agent Governance, feel free to reach out.
Thanks to Rabia Williams for the “WorkIQ Persona Sketch prompt” she shared on GitHub, which I was able to use to create the featured image for this blog post. 😊👍
I wish you all a wonderful summer. 😊☀️