Key Takeaways

Good Governance = Friction: Effective governance should cause some friction, indicating it is actively preventing risky behaviors.

Expect Annoyance in Compliance Practices: Prepare for some developer grumbles; effective governance is meant to create boundaries that, while restrictive, ultimately secure the organization.

Zero Friction? No Thanks!: A governance framework boasting zero friction can be a red flag, suggesting a lack of proper controls and oversight that are vital for risk management.

Here's an uncomfortable truth: if your governance policies aren’t creating at least a mild amount of annoyance among your developers, they probably aren’t working.

Effective governance inherently creates friction because friction is what signals that your guardrails are actively preventing risky behaviors and protecting the business.

I recently heard from a CTO about an embarrassing moment when he shared at a quarterly all-hands meeting how the team had successfully implemented a new governance framework with “zero friction and total buy-in.” Within a week, an untagged AWS bucket leaked customer data, resulting in a frantic 72-hour mitigation marathon, a six-figure compliance fine, and a humbling lesson. 

Friction-free governance is a myth—and he'd just proven it the hard way.

If you're ready to build governance that actually works—complete with the complaints that prove it's effective—our IT Governance Toolkit provides the frameworks, templates, and measurement tools to get started immediately.

Governance is a Top Priority for Companies Adopting Agentic AI

Recent data underscores this exact tension between innovation and control. A survey by API management firm Gravitee found that nearly 80% of IT professionals rated governance as "extremely important," highlighting the intense focus on responsibly deploying advanced technologies, such as agentic AI and large language models (LLMs).

The same study revealed that while 72% of organizations are actively deploying these cutting-edge AI solutions, many still grapple significantly with integration challenges and data security concerns, precisely the risks that effective governance aims to mitigate. 

As Gravitee CEO Rory Blundell notes, "Companies are anxious to implement agentic AI for productivity, but they're cautious about governance. As companies better manage these challenges, adoption will accelerate even further."

Three Vivid Failure Modes (and Why They Persist)

1. Lax Guidelines

Companies draft extensive "best practice" guides without enforcing them, believing clarity alone drives compliance. In reality, teams interpret these guides as optional, leading to inconsistent application and eventual disregard.

2. Convenience Culture

When leaders prioritize ease-of-use and frictionless workflows over necessary restrictions, teams skip critical steps. Each shortcut erodes security and compliance, setting the stage for future disasters.

3. DIY Exceptions Run Rampant

When individual engineers frequently request "temporary" permissions or exceptions intended as short-term fixes, those exceptions often become permanent operational fixtures. Management turns a blind eye as short-term gains mask long-term risks. Over time, exceptions accumulate into complex webs of permissions and policies that are nearly impossible to untangle or audit effectively.

Recognizing these failure patterns is the first step, but implementation requires systematic action.

Our IT Governance Toolkit provides a comprehensive health check scorecard to assess your organization's current standing and a 30-day sprint plan to address the most critical gaps.

Intentional Friction is Essential

Good governance isn’t meant to please everyone. Netflix famously introduced the concept of the "Paved Road," a secure, standardized path teams are encouraged—but not required—to follow. If teams deviate, they shoulder the operational burdens and added risk. Engineers grumbled initially, but within a year, incident rates dropped significantly.

Similarly, Capital One implemented security gates that blocked high-risk code merges. Developers were frustrated initially by the "bureaucracy," but critical vulnerabilities dropped by 40%. 

Shopify automated the nightly deletion of untagged cloud resources, initially prompting complaints, but ultimately saving millions in wasted cloud spend.

Complaints are proof that the guardrails are working.


How to Build Your Own Guardrails

1. Identify Critical Rules

Decide on the non-negotiables. Examples include mandatory resource tagging, absolute prohibition of public S3 buckets, and enforced vulnerability scans before code merges.

2. Automate Enforcement

Use policy-as-code solutions such as Terraform Sentinel, Open Policy Agent (OPA), and GitHub branch protection. Embed compliance into your deployment and build processes so violations are blocked at the earliest stage.

3. Measure the Grumbles

Track pushback and complaints as key indicators. If your Slack channels are silent, it's a red flag. Your rules likely aren't stringent enough.

4. Celebrate the Friction

Communicate regularly about incidents your governance framework prevented. Highlight tangible outcomes (cost savings, avoided breaches) to reinforce the value of intentional friction.
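Steps 1 and 2 above name two non-negotiables (mandatory resource tagging, no public S3 buckets) and ask for policy-as-code enforcement at the earliest stage. The following is an added example of such a gate, written for this article and not taken from the page, the IT Governance Toolkit, or any of the companies mentioned. It reads a Terraform plan in the JSON shape produced by `terraform show -json`, rejects resources that miss required tags or would expose a bucket publicly, and returns a summary count that can feed the "friction" metrics of steps 3 and 4. The required tag set, the list of taggable resource types, and the sample plan are assumptions constructed for illustration.

```python
"""Policy-as-code gate for a Terraform plan (added example, not from the page).

Encodes two non-negotiables: every taggable resource must carry the required
tags, and no S3 bucket may be made public. Run it in CI against the output of
`terraform show -json plan.out` so a violating plan fails before it is applied.
"""
import json
import sys

# Assumed rule set for illustration: adjust to your own non-negotiables.
REQUIRED_TAGS = {"owner", "environment", "cost-center"}
TAGGABLE_TYPES = {"aws_s3_bucket", "aws_instance", "aws_db_instance"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def planned_resources(plan):
    """Yield (address, type, after-state) for resources the plan will create or update."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["delete"], ["no-op"]):
            continue  # nothing new reaches the account, so nothing to check
        yield rc["address"], rc["type"], change.get("after") or {}


def check_tags(address, rtype, after):
    """Mandatory tagging: every taggable resource must carry all REQUIRED_TAGS."""
    if rtype not in TAGGABLE_TYPES:
        return []
    missing = sorted(REQUIRED_TAGS - set(after.get("tags") or {}))
    return [f"{address}: missing required tags {missing}"] if missing else []


def check_public_bucket(address, rtype, after):
    """No public S3 buckets: reject public ACLs and incomplete public-access blocks."""
    violations = []
    if rtype in ("aws_s3_bucket", "aws_s3_bucket_acl") and after.get("acl") in PUBLIC_ACLS:
        violations.append(f"{address}: public ACL '{after['acl']}' is prohibited")
    if rtype == "aws_s3_bucket_public_access_block":
        for flag in PUBLIC_ACCESS_FLAGS:
            if after.get(flag) is not True:
                violations.append(f"{address}: {flag} must be true")
    return violations


def evaluate_plan(plan):
    """Return the list of policy violations; an empty list means the plan may apply."""
    violations = []
    for address, rtype, after in planned_resources(plan):
        violations += check_tags(address, rtype, after)
        violations += check_public_bucket(address, rtype, after)
    return violations


def gate(plan):
    """CI entry point: exit code 1 blocks the pipeline; the summary feeds friction metrics."""
    violations = evaluate_plan(plan)
    summary = {"resources_checked": sum(1 for _ in planned_resources(plan)),
               "violations": len(violations)}
    return (1 if violations else 0), summary, violations


# Constructed sample plan in Terraform's JSON plan format (not from a real account).
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "acl": "private",
             "tags": {"owner": "platform", "environment": "prod", "cost-center": "CC-100"}}}},
        {"address": "aws_s3_bucket_public_access_block.logs",
         "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {
             "block_public_acls": True, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": True}}},
        {"address": "aws_s3_bucket.marketing_assets", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"acl": "public-read", "tags": {}}}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["update"], "after": {"tags": {"owner": "data-eng"}}}},
        {"address": "aws_instance.legacy", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

if __name__ == "__main__":
    # Usage: python gate.py plan.json  (falls back to the constructed sample plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    code, summary, violations = gate(plan)
    for v in violations:
        print("DENY", v)
    print(summary)
    sys.exit(code)
```

The same checks translate directly into OPA Rego or Sentinel; the point of the Python version is that the deny messages and the per-run violation count are exactly the artifacts worth surfacing when you measure and celebrate the friction, since each denied plan is an incident the guardrail prevented.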

For detailed implementation guides, policy templates, and measurement frameworks, download our IT Governance Toolkit, which includes ready-to-use Terraform Sentinel policies, GitHub branch protection templates, and friction metrics dashboards.

Regulation Tailwinds Just Flipped

The Trump administration is scrapping Biden-era AI risk directives, trimming CISA funding, and tightening AI chip export controls. 

For CTOs, Washington has just given you greater freedom to innovate quickly, but fewer external safety nets if things go wrong. 

Now, your internal governance is your primary line of defense, and it must be more rigorous—and perhaps a bit more unpopular—to compensate for looser external regulations.

1. More latitude, less hand-holding

  • AI & cloud policies are being deregulated
    • E.O. 14179 “Removing Barriers to American Leadership in AI” wipes away Biden-era risk-management directives and tells agencies to “sustain and enhance AI dominance.”
    • OMB Memo M-25-21 instructs every agency to accelerate AI pilots and “avoid unnecessarily burdensome requirements.”

Implication: Federal guardrails will loosen; investors and boards will expect you to move faster.

2. Export-control & supply-chain squeeze

While domestic rules are being relaxed, the White House is doubling down on AI-chip export controls—the Framework for AI Diffusion could restrict advanced GPU supply to non-allies.

Implication: Expect sourcing headaches, tighter vendor audits, and sudden CAPEX spikes for in-house compute.

3. Cybersecurity continuity—but with fewer resources

Implication: Compliance checklists stay, but federal support (grants, red-team services) thins out. Budget for more third-party assessment and threat-intel spend.

4. State & local “resilience hand-off”

An EO titled “Achieving Efficiency Through State and Local Preparedness” pushes critical infrastructure readiness down to states and counties.

Implication: Multi-jurisdictional SaaS (fintech, health-tech) may have to juggle 50 slightly different resilience requirements—tighten your policy-as-code layer to absorb variations.

What to do this quarter

  1. Re-score your internal AI-risk controls – The federal ceiling is higher, but shareholders will still demand proof of safe, compliant AI.
  2. Extend your export-control register to GPU partners and cloud regions—map workloads that could be hit by new restrictions.
  3. Budget a 15% uplift for independent security assessments to replace lost CISA services.
  4. Codify state-level disaster-recovery rules (Terraform Sentinel or OPA policies) so you can inherit rather than rewrite when mandates diverge.
  5. Brief the board early – “We’re moving faster under looser federal rules, but here’s how our beefed-up internal governance keeps us safe.”

Our IT Governance Toolkit includes ROI calculation worksheets and executive summary templates to help you develop a compelling business case for these enhanced controls.

Challenge: Tighten One Rule Today

Good governance feels uncomfortable because it challenges the status quo. This week, tighten one critical governance rule—perhaps enforcing tagging or introducing mandatory security gates. Then, listen closely for complaints. Those grumbles aren't just noise; they're confirmation that your governance is robust enough to protect the business.

Embrace the friction. It’s your new benchmark for safety and scalability.

Need help identifying which rule to tighten first? Our IT Governance Toolkit includes a governance health check scorecard that identifies your organization's weakest controls and provides step-by-step remediation guidance. And subscribe to The CTO Club's newsletter for more tools, frameworks, and IT governance insights.

Katie Sanders

As a data-driven content strategist, editor, writer, and community steward, Katie helps technical leaders win at work. Her 15 years of experience in the tech space makes her well-rounded to provide technical audiences with first-hand operating wisdom so senior tech leaders can get clarity.

Tech leaders want to learn from peers who’ve been there. Katie surfaces hard-won lessons that help CTOs scale systems, teams, and strategy in the face of disruption.