The latest episode of Cloudy with a Chance of Insights took a slightly different turn from what began as a fairly standard run through of Microsoft Cloud updates. As tends to happen, we ended up drifting into a much bigger conversation about what AI is actually doing to the way we build systems, secure environments, and think about value in technology roles.

We opened with Microsoft’s latest certification updates, including the introduction of new AI focused roles and the quiet retirement of several well known exams. On the surface this feels like a routine refresh, but it is hard to ignore the bigger signal. Microsoft is clearly repositioning skills around AI, not as a niche specialism, but as a default expectation. If the last exam you sat still had “Office 365” in the title, it might be time for a rethink.

From there, the discussion moved into Zero Trust taking on a new shape. Treating AI agents as identities sounds obvious on paper, but it brings a host of uncomfortable questions with it. Concepts like least privilege, assume breach, and conditional access are well understood when applied to people, far less so when the “user” is an algorithm making real time decisions. If AI agents are acting independently, security models need to evolve to reflect that reality rather than pretending nothing has changed.

We also touched on a run of important but easy to miss changes across the Microsoft Cloud security stack. Purview DLP expanding to protect local files, endpoint DLP moving squarely into Purview, Conditional Access policies tightening up long standing edge cases, and legacy identity patterns such as service principal less authentication finally being blocked. None of these are headline grabbing announcements, but collectively they close real gaps that many organisations still rely on without realising it.

The conversation then shifted firmly toward identity as the real perimeter, prompted by discussion around post breach tooling built on Microsoft Graph. Once access tokens are compromised, the amount of damage that can be done through perfectly legitimate APIs is sobering. What was particularly interesting here was not the offensive capability itself, but the defensive opportunity. Graph based views of identity, permissions, and relationships offer a far clearer way to understand blast radius and risk than traditional point in time alerts.

At this point the episode took a sharper turn away from updates and into reflection. If AI makes it possible for someone to build a functional website, diagramming tool, or application in a matter of hours, what does an application actually mean anymore. This led us into a discussion about vibe coding, not as a gimmick, but as a shift in where effort and value now sit.

Writing code is no longer the hard part. Composition, orchestration, constraints, and judgement matter far more than syntax ever did. Two systems can look identical on the surface and be wildly different underneath, depending on how they are governed, secured, and connected to real data and workflows. That is where differentiation now lives.

The episode closed on a slightly uneasy note. We have been here before. Access databases, shadow IT, ungoverned Power Platform sprawl, all of these patterns emerged when tools became more accessible. AI accelerates those same risks at a much faster pace. The question is not whether people will build their own tools, they already are. The question is whether organisations can adapt governance fast enough to keep up without killing the very creativity they are trying to unlock.

If nothing else, this episode reinforced one thing. AI is not just changing technology stacks, it is forcing a rethink of what skills matter, how security is applied, and where real value is created. That conversation is only just getting started.