Governance gaps stall Microsoft automation at scale

New research into how large organisations run Microsoft automation in production finds many IT teams struggle with governance, integration and visibility as their automation estates grow.

A survey of 180 IT managers and senior system engineers at organisations with more than 1,000 employees found that 72% cannot enforce full governance policies across automation, covering identity, approvals and audit. It also found that 83% have automation spread across three or more disconnected tools, limiting end-to-end orchestration.

The study focused on Microsoft-centric environments, including Microsoft 365 and Azure. It examined operational failure points in live production, such as unclear ownership of scripts and workflows, inconsistent identity and service-account use, weak audit trails, and limited integration with IT service management and monitoring tools.

Production reality

Microsoft automation is now routine in IT operations through tools such as Power Automate, Azure Automation, Logic Apps and PowerShell. Task-level automation is common, but many teams still rely on scripts that are hard to run reliably across teams and shifts.

Many respondents reported gaps in basic run-time accountability. Teams often cannot quickly confirm what ran, who triggered it, which identity was used, or whether approved standards were followed. During incidents, these gaps can drive manual intervention and create dependence on a few individuals who understand how workflows behave in production.

Fragmentation also shows up in integration. Only 17% reported full integration across ITSM, monitoring and infrastructure tooling; most cited partial integration or siloed operation. Without clean links between operational systems, teams often end up with isolated scripts rather than orchestrated workflows spanning monitoring alerts, ticketing and infrastructure changes.

Uneven maturity

The survey suggests many organisations are mid-transition. Nearly 40% said they have automated most repetitive IT tasks. At the same time, 33% reported partial automation, and 28% said they still handle most tasks manually.

Visibility emerged as a constraint on scaling beyond early wins. Only 31% said they actively identify processes for automation. Most teams said they have only a rough idea of what could be automated, while a small portion reported no visibility at all. Without discovery and measurement, automation roadmaps can become reactive-driven by local team needs rather than organisation-wide priorities.

Self-service also appears underused. The research found that 47% have self-service portals, but they are underused. Another 27% route most issues through the service desk, while 27% said issues are frequently resolved through bots or portals. The report frames the challenge as delegated execution rather than broad access to scripts, highlighting the difference between enabling more people to trigger automations and handing out privileged access.

Governance gaps

Governance remains a structural weakness. The headline finding that 72% cannot enforce full governance policies aligns with a breakdown showing 28% enforce full governance, 58% apply partial controls and 14% lack governance entirely.

These weaknesses are reflected in identities and permissions. Shared admin accounts and inconsistent service-account practices can leave audit trails incomplete and make it harder to prove an automation run complied with internal standards. The research notes that guidelines alone are often insufficient in large environments, pointing instead to policy enforcement at execution time as a feature of more mature programmes.

Central control

The report links centralised execution with improved operational metrics. Teams that centralised execution across legacy schedulers reported 40% faster incident response and a 60% reduction in privilege-related audit findings. The results suggest consolidation can improve response and audit outcomes without rewriting existing scripts.

One case study describes Brose, an automotive supplier, implementing centralised governance for its Microsoft automation estate. The work standardised execution and visibility across distributed teams, with reported savings of more than 4,000 hours annually and reduced maintenance overhead.

The research outlines an architectural approach it calls an "automation control plane": a centralised execution and orchestration layer above scripts, schedulers and workflows. It lists capabilities including unified execution, policy enforcement, and integration with ITSM and identity systems, and says the layer should work regardless of where scripts originate.

ScriptRunner, which commissioned the research, positions its own platform in this category. The study lists ScriptRunner as an example of a platform focused on Microsoft ecosystems.

Agentic shift

The report argues that governance and audit foundations will become more important as organisations adopt more autonomous automation. It describes "agentic automation" as a shift towards AI-driven, zero-touch workflows and closed-loop remediation. As autonomy increases, it says organisations will need strict execution boundaries, enforced identities and auditable decision paths.

It concluded that Microsoft automation is widely adopted, but often remains a collection of isolated scripts and workflows rather than a cohesive operational capability.

The research suggests the next phase of automation programmes will focus on consolidating run-time control, tightening identity and audit practices, and improving integration between automation tools, ticketing platforms and monitoring systems.