user-select
.element { user-select: none; }
Garth Mollet, Senior Principal Product Security Engineer and Technical Advisor for Product Security at Red Hat, joins host Robert Blumen for a discussion of AI supply chain security. They start with the basics of supply chain security, including the key components of the AI supply chain, and how it differs from the conventional software supply chain. Garth discusses whether the attacks target model weights or inference, and describes the most common attacks and what's in it for the attacker, whether exfiltration, credentials, sabotage, or resources. The episode also considers SPIFFE, SPIRE, attestation, workload identity, and whether AI has the equivalent of "reproducible builds."
Brought to you by IEEE Computer Society and IEEE Software magazine.
Vanitha Kumar, Market Technology Director at Thoughtworks, joins Ankit Jain to talk about how code review holds up when agents are writing most of the code.
In this episode, they get into:
Why pre-integration is no longer the only place review should happen, and
How teams decide what's even worth reviewing when a feature spans twenty markdown files, and
What shifting review "left" into a teaching moment looks like in practice, plus
Chapters
00:00 Introduction to Code Reviews
02:50 Evolution of Code Review Practices
05:46 The Role of Collaboration in Code Reviews
08:24 Cultural Shifts in Code Review Practices
11:12 Harness Engineering and AI in Code Reviews
16:37 The Future of Code Reviews and AI Integration
22:05 Platform Engineering in the AI Era
📫 Sign up for our email list for more podcasts, articles, events, and other updates: https://www.aviator.co/podcast
✏️ Subscribe for more videos: @Aviator-Co
🙌 Join a curated community of senior engineers and engineering leaders focused on developer experience and solving productivity challenges at scale! Check out our upcoming off-the-record online sessions where vetted, experienced professionals can exchange ideas and share hard-earned wisdom: https://dx.community/
Replace code reviews with verified intent
AI writes code faster than humans can review it. Aviator Verify provides compliance-grade verification through spec-driven development. Ship faster with complete audit trails. https://verify.aviator.co/
Microsoft's July 2026 Patch Tuesday just shattered records with hundreds of bug fixes, and AI is the force behind the surge. Are we witnessing the beginning of a safer Windows, or is this flood of vulnerabilities the new normal? Plus, Tony Redmond's epic book has a new name (was Office 365 for IT Pros) and is now a bundle of four books.
Windows
AI
Xbox and gaming
Tips and picks
Hosts: Leo Laporte, Paul Thurrott, and Richard Campbell
Download or subscribe to Windows Weekly at https://twit.tv/shows/windows-weekly
Check out Paul's blog at thurrott.com
The Windows Weekly theme music is courtesy of Carl Franklin.
Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit
Sponsors:
This is Part 2 of a three-part series. Part 1 mapped the people who decide whether your AI program ships. This one is for the Microsoft 365 admins and CIOs whose Copilot is paid for but not “on.” Part 3 will cover agent governance.
“We bought Copilot. Why can’t we turn it on?”
Maybe you’ve said this yourself. You have the licenses. You’re ready to assign them. Months later, Copilot still isn’t in front of a single clinician. The budget cleared. Leadership is asking for the productivity story they were promised, but the deployment is stuck.
The answer is not a license problem or a Copilot problem, but an identity problem. The identity foundation underneath isn’t ready. In healthcare, that foundation is harder to move than anywhere else I’ve worked. Get it right and two things turn on: a Copilot the clinician trusts at the bedside and the control plane for every agent that comes after.
Microsoft 365 Copilot authenticates users through Microsoft Entra ID. Every Copilot interaction honors the permissions of the signed-in user through Microsoft Graph, so the question “What can this person see?” is answered by your identity layer, not by Copilot. One of the great things about Copilot is it has access to everything you have access to — this is also one of the concerning things about Copilot.
Two different controls play a role here. Identity decides who is at the door and how far you trust the sign-in. Data governance decides what they can reach once inside. Copilot leans on both, and Entra is the first of the two. It is the one that decides whether you can safely turn Copilot on at all. That is why a responsible admin won’t flip Copilot on until the identity foundation holds. They need multifactor authentication everywhere, Conditional Access that actually evaluates risk, and a least-privilege model they trust. All three live in Entra.
Here’s where healthcare gets specific. Plenty of the health systems I work with authenticate through Okta. Microsoft 365 still sits on Entra underneath, the directory it’s built on, but the front door is brokered elsewhere. When Okta is the primary authentication layer, Entra still authorizes Microsoft 365 access.
What changes is the signal Entra gets to see:
Risk-based Conditional Access and Entra ID Protection then miss the full picture. You are running the front door of your AI program on one system and governing Copilot’s data access on another. That gap is the gate.
The “fast” option keeps Okta but moves the Microsoft 365 sign-in to Entra. You defederate the Microsoft 365 domain to managed authentication and register Okta as an external authentication method for MFA. Entra now runs primary sign-in and Conditional Access, so it evaluates device state and risk directly, while Okta still handles the MFA challenge and stays the portal your users know for everything else. You are not ripping out Okta. You are moving one domain’s sign-in to Entra so the signals reach it.
This is the correct path when leadership wants the Copilot productivity story this quarter and a full identity migration is a multi-year mountain you cannot climb first. External authentication methods are generally available as the supported successor to Custom Controls (requiring Entra ID P1). Custom Controls is on a deprecation path, with new configuration blocked and full retirement staged across 2026 into 2027, so confirm the current dates in Microsoft’s documentation before you plan around them.
The “strategic” option consolidates identity on Entra outright. It is the harder path but the one that closes the gap completely. Full consolidation is also what lights up device-bound token protection everywhere, because federated, non-Entra-joined devices never get an Entra Primary Refresh Token. Consolidate when Okta is mostly doing single sign-on. Keep Okta as the identity provider for its other apps when it is load-bearing across the estate and pulling it out buys you a second migration you do not need.
Either way, the signals must reach Entra before Copilot goes on. If you take the fast path, that managed cutover still runs through the readiness gate and the downtime discipline below. You just skip the full-consolidation mechanics. And if any Microsoft 365 sign-in stays truly federated to Okta, treat it as interim: the thinner Entra telemetry and the absent token protection above stay in force until you close them, so pair it with compensating controls.
In a normal enterprise, an identity migration is a weekend of change windows and a week of help-desk tickets. In a hospital, the same project touches patient safety. Four constraints make it different:
EHR single sign-on dependencies. The electronic health record is the center of gravity. Epic, Oracle Health, Meditech, and the rest all integrate with your identity provider, often through a tap-and-go layer like Imprivata so a clinician can badge into a shared workstation in a second or two. Change the identity provider and you may change badge tap, workstation sign-in, EHR launch, e-prescribing, medication administration, and chart access. You cannot do that blindly.
Round-the-clock, 24/7 care-continuity. There is no maintenance window. The health system runs every hour of every day. An identity change that would be a minor outage at a bank is, in an emergency department, a clinician who cannot open a chart during a trauma intake. The tolerance for downtime is not low. It is zero for anything on the critical path.
None of these are reasons to stay on a fragmented identity model. They are the reasons to migrate carefully rather than quickly.
Of the four constraints, EHR integration is the one most likely to stall your migration. The single most common mistake I see is treating it as a pure IT project and looping in the EHR vendor late. The EHR is not a bystander here. It authenticates against your identity provider. The vendor has a say in how that integration changes.
I watched one system set a hard cutover date before it talked to its EHR vendor. Three weeks out, it learned the tap-and-go integration had to be re-certified against the new identity provider. The date slipped by a month, and the fix was not technical. It was a conversation that should have happened at the start.
Coordination effort varies by platform. Use this table to start the vendor conversation. Do not use it to set a cutover date.
|
EHR platform |
Entra integration path |
Coordination load |
Watch for |
|
Epic |
Federation to Entra supported; SAML / OIDC, SMART on FHIR for app-to-EHR authorization |
Moderate |
Hyperdrive SSO behavior; SMART on FHIR app registrations; Imprivata or tap-and-go path; test real clinical workstation flows in non-prod |
|
Oracle Health (Cerner) |
SSO via SAML; tap-and-go middleware (Imprivata) common |
Moderate to high |
Middleware re-point is its own workstream; validate proximity-badge flows |
|
Meditech |
Vendor-assisted SSO; middleware common |
Higher |
Plan added lead time for vendor coordination; confirm supported Entra patterns early |
The pattern across all three: the identity team cannot set the cutover date alone. The EHR vendor and the tap-and-go middleware owner are on the critical path with you. Bring them in while the plan is still a draft, not when you have a date to defend.
If the left column is true, do not put Copilot in front of clinicians until the right column is done. Hand this to your identity and access lead and ask for your system’s version. It turns “Are we ready?” into a list someone owns.
|
If this is true |
Do not enable Copilot for clinical users until |
|
Okta enforces MFA but Entra risk policies are not active |
You have an Entra-led Conditional Access plan or a documented compensating control |
|
EHR SSO depends on tap-and-go middleware |
The EHR vendor and the middleware owner have tested the flow in non-prod |
|
Shared clinical workstations are in scope |
Badge tap, biometric, EHR launch, and chart access are validated by role |
|
Rollback needs daytime engineering support |
The wave is not approved |
|
Overshared or unlabeled sensitive sites remain |
The Copilot pilot scope is constrained to clean data |
You do not migrate a hospital’s identity in one cutover. You move in stages, prove each one, and keep a way back at every step. Once those readiness gates are owned, the work becomes a migration sequence. The first five steps are identity work. The sixth is where identity readiness becomes Copilot readiness. These steps hold up across most Okta-to-Entra migrations I have seen:
Enforce Conditional Access in report-only first. With identity consolidated on Entra, model MFA, device compliance, session controls, and risk-based access before you block anyone. Then enforce by wave once clinical workflows pass. This is the moment the security posture improves.
Turn on the Purview controls Copilot will lean on. Start with sensitivity labels, audit, and an oversharing review, then add Data Loss Prevention. The Microsoft 365 Copilot location in Purview DLP is generally available for sensitivity-label-based blocking. Newer controls, like SIT-based prompt blocking, web-search restrictions, and DLP for Copilot Studio agents, are still rolling out or in preview depending on your tenant, so confirm what you have before the rollout depends on them.
The framing that changes how this project gets run: in a hospital, identity downtime is a clinical event. Treat it that way and the rest of the plan falls into place. A useful test for every mitigation is what I call the 2 a.m. trauma intake. Not “does this pass in a maintenance window,” but “does this hold when a trauma comes through the door at two in the morning and a clinician has to open a chart right now.” If your rollback story only works during business hours with the full team online, it is not a rollback story.
Run the project on the safest assumption: something will go wrong at the worst possible time. Plan for that time. A cutover safety check before any wave goes live:
Here is what turns on: a clinician badges in once and Copilot is right there, scoped to exactly what that person is cleared to see, safe to use in front of a patient. That is the payoff. The control plane underneath is what makes it safe to leave on.
With Entra as the foundation, the liability ownership Legal wanted in Part 1 and the access controls the CISO needed are finally yours to run. Identity secures the perimeter. Most of what follows is the data-governance work it is now safe to start. Here is what to enable after the migration and where each control lives.
|
Post-migration control |
What it unlocks for Copilot and agents |
Where it lives |
Healthcare watch-out |
|
Conditional Access, Copilot-scoped |
Real-time access decisions on user risk, device health, and location |
Microsoft Entra |
Start report-only; enforce by care-setting wave |
|
Sensitivity labels |
Label-aware responses; protected content stays protected |
Microsoft Purview |
Label ePHI and research data before broad enablement |
|
Oversharing review |
Stops Copilot surfacing overshared sites and files |
Purview / SharePoint |
Run clinical and research SharePoint first |
|
Audit |
Full trail of Copilot activity for Legal and the CISO |
Microsoft Purview |
Keep the HIPAA ePHI access trail intact through cutover |
|
DLP for Microsoft 365 Copilot |
Restricts sensitive content from Copilot grounding and prompts |
Microsoft Purview |
Confirm which controls are GA in your tenant |
Every agent you build acts as an identity or on behalf of it. You cannot govern what an agent can reach if you cannot govern who the agent is. After this migration, you can.
Identity is the gate. It is also the most underestimated project in a healthcare AI program, because it looks like plumbing and behaves like patient safety. Get the identity foundation right and Copilot can turn on without the security story degrading. Data hygiene, oversharing, and clinical adoption still matter, but the gate is open. You are ready for the harder question: not whether you can deploy an agent, but which agents should exist, whose identity they run under, what they can reach, and who can shut them off.
Part 3, “Agent Governance Is Organizational Readiness,” closes the series. Governance is not the brake on agents. It is what allows you to say yes to them.
Product names, availability, and timelines reflect Microsoft guidance at the time of writing and can change. Verify current state against official Microsoft documentation for your tenant.
Charles Wallace is a Senior FastTrack Architect at Microsoft. He works on Microsoft 365 Copilot and agent adoption across healthcare and life sciences. His focus is the security, identity, and governance foundations that decide whether AI deployments actually succeed.
The pointer-events property controls whether an element can become the target of pointer events like clicks, hover states, and other pointer-based events. In other words, it lets you decide whether the browser should treat an element as interactive when the pointer is over it.
.no-pointer-events {
pointer-events: none;
}
To understand how the property works, it helps to know what the browser does before it fires a pointer event. First, it has to determine which element is under the pointer. This process is known as hit-testing.
Normally, the browser chooses the topmost element under the pointer. But if that element has pointer-events set to none, the browser skips it and continues looking for the next eligible element underneath.
Once you think about pointer-events this way, most of its behavior starts to make sense. Rather than disabling events, it simply changes which element (or, in the case of SVG, which part of an element) becomes the event target in the first place.
pointer-events: auto | bounding-box | visiblePainted | visibleFill | visibleStroke | visible | painted | fill | stroke | all | none;
pointer-events: auto;
pointer-events: none;
/* SVG values */
pointer-events: visiblePainted;
pointer-events: visibleFill;
pointer-events: visibleStroke;
pointer-events: visible;
pointer-events: painted;
pointer-events: fill;
pointer-events: stroke;
pointer-events: bounding-box;
pointer-events: all;
/* Global values */
pointer-events: inherit;
pointer-events: initial;
pointer-events: revert;
pointer-events: revert-layer;
pointer-events: unset;
Besides the standard CSS global values shown above, pointer-events defines eleven keyword values. You’ll use auto and none with both HTML and SVG elements, while the other nine are SVG-only and provide finer control over which parts of a graphic can receive pointer events.
auto: The default value. The element behaves normally and can receive pointer events. In SVG, this behaves the same as visiblePainted.none: The element itself can’t become the target of pointer events, meaning it can’t be clicked or hovered. Instead, the browser targets whatever is underneath it.visiblePainted: The element only receives pointer events when it’s visible (visibility: visible) and the pointer is over a painted part of the graphic. In other words, it’s over a filled area (fill is not none) or a stroked edge (stroke is not none).visibleFill: The element only receives pointer events when it’s visible and the pointer is over its fill, regardless of the value of the fill property, meaning it can even be set to none.visibleStroke: The element only receives pointer events when it’s visible and the pointer is over its stroke, regardless of the value of the stroke property.fill and stroke properties.painted: The element only receives pointer events when the pointer is over a painted part of the graphic (its fill or stroke), regardless of the value of the visibility property.fill: The element only receives pointer events when the pointer is over its fill, regardless of the values of the fill or visibility properties.stroke: The element only receives pointer events when the pointer is over its stroke, regardless of the values of the stroke or visibility properties.bounding-box: The element receives pointer events anywhere inside its bounding box—the smallest rectangle that completely surrounds it—regardless of its shape, even if parts of that area aren’t painted.all: The element receives pointer events when the pointer is over either its fill or stroke, regardless of the values of the fill, stroke, or visibility properties.One thing that’s easy to miss is that pointer-events is an inherited property. Setting pointer-events to none on a parent means its children inherit that value as well. However, any child can override the inherited value by setting pointer-events back to auto (or another valid value).
.parent {
pointer-events: none;
}
.child {
pointer-events: auto;
}
In this example, the parent ignores pointer events, but the child can still become their target.
A common use case is a modal. You might use a full-page container to center the modal, but that container also covers the entire viewport. Without changing its pointer-events value, it prevents pointer events from reaching the elements underneath it. Setting pointer-events to none on the container fixes that, but because the property is inherited, you’ll also need to restore the modal itself with pointer-events set to auto.
In the following demo, when the pointer-events property is specified as none you can interact with the background buttons even though they are behind the overlay.
The pointer-events property only determines which element becomes the event target. It doesn’t change how events travel through the DOM afterward.
For example, if a child with pointer-events: auto is clicked inside a parent with pointer-events: none, the child still becomes event.target. From there, the event follows its normal capture and bubble phases, so event listeners attached to the parent still run.
In other words, pointer-events affects target selection, not event propagation.
In the following demo, you can see how the parent with pointer-events: none can still receive click, pointerenter, and pointerleave when you click or move the pointer into or out of its interactive child.
The pointer-events property only prevents the element from becoming the target of pointer events. Therefore, the element can still receive keyboard focus with the Tab key, and users can continue interacting with it using the keyboard if it’s otherwise focusable.
If you need to disable a native form control, use the disabled attribute instead. And if your goal is to make an entire section of the page completely non-interactive—including pointer input, keyboard focus, and the accessibility tree—the inert attribute is a better choice.
Setting the pointer-events property to none doesn’t stop users from selecting text. For example, users can still select the text by pressing Ctrl/Cmd + A on the keyboard.
That’s because text selection isn’t determined by whether an element can become the target of pointer events.
If your goal is to prevent text from being selected, use the user-select property instead.
.avoid-user-selection {
user-select: none;
}
Try selecting the text in each block below:
When building a navigation menu, a common pattern is to hide a submenu by setting its opacity to 0 and then make it visible when the user hovers over its parent menu item. The problem is that the submenu is still there, so it can still receive pointer events even though you can’t see it.
Below, you can see two identical menus. One hides its submenu using only opacity, while the other also uses pointer-events. Hover over the hidden submenu area and try interacting with the content behind it to see how pointer-events prevents invisible elements from getting in the way.
Also, to better understand how each SVG value of this property works, pick one from the dropdown and move your pointer around the ring: over its filled band, inside its hollow center, and over the empty corners of the dashed bounding box. Notice how the interactive area changes with each value.
pointer-events originally handwritten and published with love on CSS-Tricks. You should really get the newsletter as well.
Learn how MCP resources in C# expose readable data with URI templates, then use MCP prompts so .NET teams can publish reusable agent workflow templates.