{"id":1307,"date":"2026-07-17T06:40:54","date_gmt":"2026-07-17T14:40:54","guid":{"rendered":"https:\/\/unmitigatedrisk.com\/?p=1307"},"modified":"2026-07-17T06:40:54","modified_gmt":"2026-07-17T14:40:54","slug":"the-status-quo-outlived-its-status","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=1307","title":{"rendered":"The Status Quo Outlived Its Status"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In security we like to say that the problems live in the gaps between systems. Each system, on its own, is usually coherent. It has a threat model, invariants, and someone who owns it. The seam between two systems is owned by nobody, and each side quietly assumes the other is handling the thing that neither is. The load balancer assumes the backend validates. The parser assumes the canonicalizer normalized. The audit covers the software but not the network it runs on. Attackers don&#8217;t have to beat either component. They just have to find the assumption neither side wrote down. The attacker gets to pick the threat model, and they pick the one that lives in the seam.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once you see this pattern, you see it everywhere, and not just in security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Quality Lives in the Gaps of Ownership<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In software quality, the same topology produces a different failure class. Security gaps produce exploits. Ownership gaps produce jank.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A user&#8217;s journey through a product is inherently horizontal. They sign up, configure, use, get billed, get help. But ownership is vertical, carved along team boundaries. So the experience degrades precisely at the handoffs. The onboarding flow owned by one team dumps you into a product owned by another, with terminology that doesn&#8217;t match, settings that don&#8217;t carry over, and an error message that references a concept from a third team&#8217;s domain model. Every screen passed its own review. The journey never got one, because the journey has no owner.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is the same root cause as the security version. Contracts between components are written in terms of what each side provides, not what the whole must feel like or withstand. Functionality composes. Quality attributes don&#8217;t. Not security, not usability, not performance, not consistency. Those are emergent properties of the composition, and emergent properties are exactly what per-team accountability structures can&#8217;t see. A dashboard that takes eight seconds to load is usually five services each meeting their SLO.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">You Ship the Org Chart in N Dimensions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Conway&#8217;s law is usually quoted as a statement about architecture, that organizations design systems which mirror their communication structures. But architecture is just the most legible projection. The org chart also manifests in the security posture, where trust boundaries land wherever the reporting lines do. It shows up in the latency profile, where every org boundary becomes a network hop plus a queue plus a retry policy. It shows up in the data model, where the same &#8220;customer&#8221; is defined four ways because four VPs own four systems. It shows up in the compliance scope, where audits map to cost centers rather than to where the risk actually lives. It even shows up in the documentation, where each team documents its interior and nobody documents the crossings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You don&#8217;t ship your org chart once. You ship it in every dimension at the same time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And it&#8217;s stickier than the chart on the wall, because the formal org chart is only the visible part. The real partitioning is cultural. It is who trusts whom, which teams have history, where the scar tissue from the last reorg sits, and who won the last budget fight. Systems calcify around those boundaries. That&#8217;s why reorgs so rarely fix seam problems. You can redraw the chart in a day, but the shipped artifact embodies the org chart as it existed at every point in the system&#8217;s history. Legacy code is really legacy org structure. You&#8217;re maintaining the fossil record of decade-old turf wars, and the team that could explain a given seam disbanded three reorgs ago.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bureaucracy Is the Fixative<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here&#8217;s where it hardens. Process is how organizations serialize distrust between units. Every approval gate, every ticket queue, every review board is a treaty boundary between fiefdoms, and treaties optimize for non-aggression, not for the emergent properties of the whole.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The bureaucratic instinct when a seam fails is to add process at the seam. A checklist, a sign-off, a form. This papers over the gap without giving it an owner, and now the seam has a compliance artifact defending its existence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Which brings us to the uncomfortable part. Bureaucracy defends the status quo long past the point where the status quo lost its status. Not out of malice, and usually not even out of preference. The mechanism is simpler and more forgivable than that. Process is memory without comprehension.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Every rule is a compressed lesson. Some incident happened, someone got burned, a control was born. But the compression is lossy. The rule survives while the context doesn&#8217;t. The organization keeps executing the answer long after everyone who understood the question is gone. It&#8217;s Chesterton&#8217;s fence, except nobody can find the fence&#8217;s author, the field it enclosed is now a parking lot, and there&#8217;s a Fence Compliance team whose headcount depends on the fence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That&#8217;s the inversion point. Controls that began as instruments become constituencies. A process accretes staff, tooling, budget, an annual review cycle. It stops being a means and becomes a stakeholder. And stakeholders defend themselves.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Asymmetric Bookkeeping<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The genius of bureaucratic self-defense is that it never has to argue the status quo is good. It only has to make change expensive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Every proposal to remove a control gets evaluated by asking what risk removal creates. Nobody asks what risk retention creates. The cost of the existing process is denominated in currencies the review process can&#8217;t count, things like velocity, morale, and opportunities that quietly went elsewhere, while the cost of change is denominated in the one currency it&#8217;s built to count. With bookkeeping that asymmetric, the ratchet only turns one way.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There&#8217;s a reliable tell for when status is lost but the defense continues. The justifications go circular. Ask why we do this and the answer stops referencing a threat or an outcome and starts referencing the process itself. It&#8217;s required for the audit. It&#8217;s policy. That&#8217;s the template. When a control&#8217;s referent is another control, you are no longer managing risk. You are maintaining a liturgy. And liturgies are stable. That&#8217;s what they&#8217;re for.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The people defending the liturgy usually aren&#8217;t cynics, either. Institutions promote the people who thrived under the current rules, which means the people with the authority to change the system are precisely the ones whose careers validate it. They don&#8217;t defend the status quo because they&#8217;ve weighed it and found it good. They defend it because it&#8217;s the ladder they climbed, and it&#8217;s genuinely hard to see your own ladder as arbitrary. The system doesn&#8217;t need guards. It manufactures believers. That&#8217;s why correction so often comes from outside, from a competitor, a collapse, or a technology that routes around the institution entirely, rather than from reform. Reform requires the institution to metabolize the idea that its own selection function is the problem, which is roughly asking the liturgy to audit itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Deletion Has No Constituency<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">So what do you do about it? Two things, and both are harder than they sound.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, admit that the seams are the system, and staff them accordingly. You can&#8217;t fix an n-dimensional Conway problem with a one-dimensional intervention. A design system fixes the UX projection. A service mesh fixes the network projection. A GRC tool fixes the audit projection. But the generator is the accountability topology itself, so the pathology just re-expresses in whatever dimension you didn&#8217;t treat. The only durable moves are changing the human topology, which is rare, painful, and temporary, or forcing the interfaces to be explicit, adversarially specified, and owned as products. That&#8217;s the real lesson of the Amazon API mandate. It wasn&#8217;t about services. It was about giving the gaps owners.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Second, build a decay function. Controls get created by incidents, which are vivid and have advocates. Control removal has no incident, no advocate, no ceremony. The beneficiary of deletion is diffuse while the loser is a specific person in the room. So organizations accumulate process the way arteries accumulate plaque, one reasonable deposit at a time. Sunset clauses, zero-based process reviews, and deletion treated as a first-class ritual with the same ceremony as launch are ideas everyone nods at and almost nobody funds. The organizations that stay fast are the ones that treat removing a rule as an achievement, not an admission.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Because the status quo isn&#8217;t defended because it won an argument. It&#8217;s defended because it&#8217;s the null hypothesis, and the burden of proof only ever runs one direction. Every so often, you have to flip the burden and make the process re-justify itself in terms of an outcome rather than another process. If it can&#8217;t, it isn&#8217;t protecting you anymore.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It&#8217;s just protecting itself.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In security we like to say that the problems live in the gaps between systems. Each system, on its own, is usually coherent. It has a threat model, invariants, and someone who owns it. The seam between two systems is owned by nobody, and each side quietly assumes the other is handling the thing that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1307","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/1307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1307"}],"version-history":[{"count":1,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/1307\/revisions"}],"predecessor-version":[{"id":1312,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/1307\/revisions\/1312"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}