After years working inside IT governance and information security, I've noticed something that rarely makes it into the official conversation:
Most governance failures aren't technical. They're human.
The frameworks exist. The policies get written. The documentation gets approved. And then — quietly, gradually — things drift back to how they were before. People work around the process. Decisions get made the old way. The governance layer becomes something people manage rather than something that actually guides work.
I've been thinking about why this keeps happening. And the more I dig into it, the more I think we've been asking the wrong question.
We keep asking: how do we build better frameworks?
The more useful question is: why do people resist clear governance — and what would a system designed for adoption actually look like?
Two Things I Keep Coming Back To
The first is clarity.
Not the complexity of the framework — the clarity of intent. A lot of governance documents are written to be defensible, not to be useful. They cover every edge case, protect every stakeholder, and end up being something no one actually reads unless something goes wrong.
Governance that's designed for protection rather than guidance tends to create the very friction it was meant to prevent.
The second is friction itself.
Every new policy, process, or control introduces some amount of resistance. That's normal. But when the friction is higher than the value people perceive from the change, they route around it. Not out of malice — just because work still has to get done.
The implementation creates its own parallel problem.
Where the Interesting Work Is
These two things — clarity in design and friction in adoption — are where I think the most underexplored work in governance is happening right now.
Not at the framework level. Not in the technical controls. At the human layer, where governance either gets absorbed into how people actually work, or gets quietly ignored.
I'm building toward deeper research in this space. The practitioner experience over the years has given me a clear view of where the patterns live. The next step is understanding them more rigorously — what predicts adoption, what predicts resistance, and what governance design principles actually hold up across different organizational environments.
If this is a problem you've lived inside too, I'd genuinely like to hear how it's shown up in your context.
This is the conversation I'm most interested in having.