In our recent webinar on the future of Power Platform governance, we walked through a question that is landing in more and more IT and compliance conversations right now: if Microsoft's Centre of Excellence Starter Kit is gone, who is governing your Power Platform?
It is a question worth unpacking in detail, because the answer has significant implications for risk, compliance, and operational continuity over the next 12 to 18 months.
Microsoft's Centre of Excellence (COE) Starter Kit was never an official product. It was a community-supported, free toolkit that helped Power Platform administrators get a handle on what was being built inside their tenants: which apps existed, who built them, which flows were running, and where data was moving. For thousands of organisations, it became the default starting point for Power Platform governance.
Now Microsoft has de-strategised it. No new features. No bug fixes. No investment. The toolkit is being quietly sunset while some of its lighter capabilities migrate into the Power Platform Admin Centre. For organisations that built their governance approach around the COE, this is not a minor inconvenience. It is a structural problem arriving at exactly the wrong moment.
Three Trends That Are Colliding Right Now
The COE deprecation does not exist in isolation. It is landing at the intersection of two other trends that are accelerating simultaneously, and the combination creates a governance gap that will become unmanageable without deliberate action.
Citizen developer programmes are scaling faster than IT can review. A few years ago, the ratio of makers to IT administrators in most organisations was roughly 1 to 50. That ratio is already inverting. Microsoft has embedded AI assistance directly into Power Apps, Power Automate, and Copilot Studio, making it faster and easier than ever for non-technical users to build production logic. Organisations that invested in citizen developer programmes, training and encouraging employees to automate their own workflows, are now watching that investment pay off in ways that are difficult to monitor. The manual review processes that worked when a handful of power users were building things will not scale to an environment where hundreds of employees are creating flows and apps every week.
The more immediate concern is what happens when that manual review process collapses entirely. It has already happened in some organisations: more apps are being created than can realistically be reviewed, so the review stops being meaningful and gradually stops happening altogether. When that occurs, the organisation loses not just oversight of individual assets but visibility into patterns of risk: which connectors are being used at scale, which departments are building against sensitive data sources, and which flows have accumulated privileged access that nobody has reviewed in over a year.
AI has fundamentally changed the risk profile of what gets built. Classic low-code development was relatively bounded. A Canvas app described its behaviour in formulas, its inputs were type-validated, and connector permissions were controlled through Data Loss Prevention policies. The governance approach was imperfect but manageable. That is no longer the case. Copilot Studio agents describe behaviour in natural language. Their outputs can change over time. They pull data from multiple sources, including SharePoint sites, external connectors, and custom knowledge bases, and they can be exposed to external users through Teams. The attack surface for a single agent is orders of magnitude larger than that of a traditional Power App, and the tools organisations relied on to review that surface are now being removed.
This is a category shift, not an incremental change. Low-code governance assumed the IT team could inspect what a resource did and form a judgement about whether it was compliant. That inspection model does not translate to agentic AI. An agent's behaviour cannot be fully characterised by reading its configuration. It needs to be monitored in context, across its data sources, its usage patterns, and its exposure points simultaneously.
The default governance starting point is being deprecated. With the COE Starter Kit going unmaintained, organisations face a choice they did not expect to make. The toolkit still works today, but it will not keep pace with the platform it is supposed to govern. Every quarter that passes without a replacement strategy is a quarter in which the gap between what is being built and what is being governed grows wider.
The Difference Between Visibility and Governance
One of the more important distinctions to understand in this moment is what the Power Platform Admin Centre actually replaces and what it does not. Microsoft has committed to bringing inventory and usage reporting, operational health monitoring, and best practice guidance into the Admin Centre. That is useful. It is not governance.
Governance is not a dashboard. Governance is the combination of inventory, policy enforcement, ownership accountability, lifecycle management, and audit readiness operating together as a continuous process. Knowing that an orphaned flow exists is not the same as having a system that identifies it, notifies the relevant owner, escalates if there is no response, and documents the resolution for compliance purposes.
The Admin Centre gives you a list. Governance gives you a process that acts on that list automatically, at scale, across every service in your Microsoft 365 environment, not just Power Platform.
What the Admin Centre cannot address is cross-service visibility. A Power Automate flow that triggers an AI capability, pulls from a SharePoint site with a confidential sensitivity label, and surfaces results through a Teams tab used by external guests represents a multi-service compliance risk. No single-service admin tool can trace that chain. Organisations that need to answer audit questions about data movement and access across M365 need a governance layer that models the full tenant, not individual components of it.
The Regulatory Clock Is Running
The urgency here is not theoretical. In Europe, NIS2, DORA, and the EU AI Act are either live or coming into force, all of which require organisations to maintain a current register of their applications, understand where AI systems are operating, and demonstrate control over how data is processed. Organisations that cannot list every Copilot Studio agent in their tenant, trace which SharePoint sites each agent is consuming, or demonstrate that orphaned assets are identified and resolved within a defined timeframe will struggle to satisfy those requirements. The risk does not sit with IT administrators. It sits at the board level.
This is not a problem that only affects organisations subject to European regulation. Any organisation operating in a regulated industry, whether financial services, healthcare, or the public sector, is facing increased scrutiny of its AI governance posture. Regulators are beginning to ask specific questions about how automated processes and AI-assisted workflows are inventoried, monitored, and controlled. A governance approach that relies on periodic manual review and a deprecated community toolkit is not a defensible answer to those questions.
Organisations have a window of roughly 12 to 18 months before the combination of platform growth, AI adoption, and governance tool withdrawal creates a situation that is genuinely difficult to recover from. That window is shorter than it sounds. Every month that citizen developers build without governance guardrails in place is a month of technical and compliance debt accumulating.
What the Path Forward Looks Like
The answer is not to lock Power Platform down. Organisations invested in citizen developer programmes because they generate real value: faster process automation, reduced dependency on central IT, and more responsive business operations. The goal is to protect that investment, not eliminate it.
Effective governance at this scale requires four things to work together. First, a complete and continuously updated inventory that spans the full Microsoft 365 tenant, not just Power Platform, and maps relationships between resources across services. Second, automated policy enforcement that acts on that inventory without requiring IT staff to manually review every resource. Third, clear ownership and lifecycle rules, so that every app, flow, and agent has an accountable owner and a defined path for review, renewal, or decommission. Fourth, audit trails that satisfy compliance requirements and can be surfaced quickly when a regulator, auditor, or security team asks for them.
The COE Starter Kit served its purpose for the platform as it existed three or four years ago. The platform has moved past what a free community toolkit can govern. Organisations that recognise this early and build a productised governance strategy now will not be scrambling when the next compliance audit arrives or the next AI governance regulation comes into force. The ones that wait will be operating blind, with a growing surface area and no systematic way to see it.
If you would like to understand what this looks like in practice, watch the recording of our recent webinar or book a 30-minute call with the team.