A VP of Engineering sits in a leadership meeting on a Tuesday afternoon. The CTO has just finished walking through last quarter's incident report. Someone, maybe the head of risk, maybe the new chief architect, leans forward and says it: "We need to put a design review board in place. We had three production incidents and we need oversight."
The room nods. People are starting to talk about meeting cadence and approval thresholds. The VP is not against governance. The VP has watched what happens when teams have none. But the VP also knows that "more oversight" is not automatically "less risk," and that whatever gets agreed to in this room will outlive the incidents that triggered it.
The harder thing to say, the thing the room is not ready to hear, is: "Let's evaluate this before we agree to build it."
The comfortable lie about governance
Most governance gets in the way of technical debt accumulating. One urgent decision at a time, each one defensible in isolation, with no review of whether the accumulated structure is doing what it should.
The comfortable lie is that adding process equals reducing risk. The uncomfortable reality is that most governance additions create the appearance of control without reducing the actual risk. Some of them make things worse, by burying the signal under ceremony so the next incident is harder to see coming, not easier.
The DORA 2024 research backs this up with data. Teams with well-defined responsibilities and clear decision-making authority outperform teams with more approval gates. Throughput and stability are correlated, not opposed. More speed without structure makes things worse; more structure without measurement makes things worse, too.
Protective governance vs. theater governance
Protective governance reduces a specific, named risk. It enables faster decisions once it is in place. It gets measured, so you can tell whether it is doing its job.
Theater governance creates the appearance of control without reducing real risk. It slows decisions without a compensating benefit. It never gets measured, because measuring it honestly would reveal that it is not doing anything.
A few examples make the difference obvious.
Protective governance, in practice
Automated deployment gates that catch failed tests, security violations, or coverage drops before a human reviewer needs to look. The specific risk is regression bugs reaching production. The measurable signal is the change in failure rate. The fastest version already exists inside your CI/CD pipeline; you are extending it, not building a new ceremony.
The NIST AI Risk Management Framework is another good example, with its govern-map-measure-manage structure. Specific, named risks. Lightweight implementation. Built-in measurement. Designed to scale up or down based on the actual risk of the AI use case, rather than treating every model the same way.
Source: NIST AI Risk Management Framework, nist.gov/itl/ai-risk-management-framework
Theater governance, in practice
A weekly design review meeting that every team must attend, regardless of what they are building. The specific risk is unclear, usually framed as "we need oversight." Nobody tracks whether attended designs have fewer incidents than unattended ones. The meeting persists because it would be uncomfortable to suggest removing it.
A newly chartered AI ethics committee with no published charter, no metrics, and a six-week approval cycle for any AI feature. The specific risk it evaluates is unclear. The outcome is immeasurable. A faster version exists (an AI risk checklist filled out at the team level), but it gets rejected in favor of the heavier ceremony.
A team that built a scaling framework five years ago might find that the structure that protected them at fifty engineers is now threatened at two hundred. What earned its keep yesterday is not automatically what earns its keep today. (For the warning signs, see Five Signs Your Scaling Framework Is Now the Bottleneck.)
The three-question test
For any proposed governance addition, three questions. If a proposal cannot answer all three, that is the signal you need.
1. What specific risk does this prevent?
Not "more oversight." Not "better quality." Not "compliance." A named, concrete risk that you could write down in one sentence. If you cannot name it, you do not have a governance proposal. You have anxiety wearing the costume of governance.
2. How will we measure whether it is working?
Every protective governance addition should have a measurable signal indicating it is doing its job. Lead time on a specific class of decisions. Incident frequency for a specific failure mode. Audit findings for a specific control area. If there is no metric, there is no honest accountability, and the governance can drift indefinitely without anyone noticing.
The trick is choosing a measure that actually moves when the governance is working, and stays flat when it is not. (We have written before about the difference between metrics that signal real change and metrics that just create noise; the same principle applies to measuring governance.)
3. What is the fastest version of this that still achieves the protective goal?
Before you build the full version, ask what twenty percent of the structure delivers eighty percent of the protection. A weekly review board is usually not the answer. An automated check, a small checklist, or a quick async approval often is. Most governance proposals fail this question and reveal themselves as theater.
A governance design checklist you can bring to leadership
Use this for proposed governance additions and existing ones. Most organizations have never run this checklist against their existing processes.
Named risk: What specific failure are we trying to prevent? One sentence.
Specific signal we will measure: What number tells us this is working?
Owner of the measurement: Who reviews the signal, and how often?
Lightest viable version: What is the smallest structure that achieves the protective goal?
Review cadence: When do we ask "is this still earning its keep?"
Sunset trigger: What would tell us to remove it?
Pay attention to the last two. Governance with no review cadence and no sunset trigger is permanent by default. That is how organizations end up carrying twenty years of accumulated processes for which they cannot remember the reason.
Four traps to watch for
The "we had an incident" trap. After every incident, the temptation is to add a review board. The better question is: what is the lightest structural change that prevents the specific failure mode? Often, it is a checklist or an automated check, not a meeting.
The "other companies do it" trap. Just because Acme Corp has a Change Advisory Board does not mean you need one. Their context might require it; yours might not. Borrow practices, not certainties.
The "compliance equals governance" trap. Compliance is one type of governance. Not all governance is compliance. Conflating them adds bureaucracy where compliance is never required.
The "worst case" trap. Most governance is built for the worst-case scenario, then applied to every case. Build for the common case, escalate the worst case separately.
Try this next week
Pick the governance addition your organization made most recently. The newest review board. The newest approval gate. The newest committee. The newest mandatory artifact.
Run it through the three-question test by yourself before anyone else weighs in. Write down the answers honestly. If you cannot name the specific risk, cannot describe how you would measure it working, and cannot articulate a faster version that achieves the same protective goal, bring those answers to your next leadership conversation.
Do not propose removing it. Propose evaluating it.
That move creates new alignment. Either the conversation reaffirms the governance with measurable accountability, or it surfaces that this is a candidate for retirement. Either way, you have upgraded the conversation from "do we need more process?" to "is this process earning its keep?"
If you are navigating a "we need more structure" conversation and want a second set of eyes before you commit, our coaching team works with leaders on decisions like this. Often, the most valuable hour is the one before the meeting that locks in the structure.
If your evaluation reveals that the governance accumulated over the years has crossed into theater, the next question is how to dismantle it without creating chaos.