Introduction
Most of the governance documents we are asked to review read like a theatre programme — impressive cast list, detailed synopsis, no sense that anything is actually going to happen on stage. This note is our attempt to describe the opposite.
By the numbers
74%: policies with no named owner on first review
3: principles that survived every rewrite
31 days: median time to first real drill, Q1 2026
Three principles that earned their keep
First, the controls you write down must be the controls you actually run, automatically, on every deployment. Second, the human in the loop must be named, rostered, and allowed to stop the line without asking permission. Third, every failure mode you have not yet tested is a failure mode you do not yet understand.
What governance cannot catch
No framework will catch a confident wrong answer on a question nobody thought to ask. The honest admission in this paper is that governance buys you the ability to react quickly, not the ability to prevent every surprise. The trick is to design for the reaction, not pretend the surprises will not arrive.
What the data shows
Figure: Where governance documents fail their first test
Figure: Time to first real incident drill
The best thing we did was write down what counted as a failure before we switched anything on. Everything downstream became easier.
Where we land
We will keep writing these as we find them. If any of this lands close to a problem you are working on, the team is always happy to talk it through.