The Safest Governance Model May Not Be The Strictest One
by James Barton
James Barton argued in a recent article that as MCPs, AI agents and connected workflows become more common, the real governance challenge is not whether we have enough controls, but whether those controls are proportionate, practical and actually followed. That got us thinking about a related issue: what if the biggest risk is not under-governing new technology, but overengineering governance until it slows decisions, pushes work outside the process, and creates risk in new places?
Why overdesigned controls can leave organisations less protected
There is a familiar pattern whenever a new technology arrives inside the business.
A promising tool appears. The use case is clear. The productivity upside is easy to see. Then the conversation shifts from capability to control. What data can it access? What actions can it take? What approval steps are needed? What documentation should exist before anyone can use it?
These are sensible questions. In fact, they are necessary ones.
But many organisations still answer them using governance models designed for a much slower world. Policies, standards and review processes were built for technology cycles that moved at a manageable pace. AI, agents and MCP-style integrations do not move at that speed. The gap between the speed of the technology and the speed of the governance is becoming harder to ignore.
That is where the real problem begins.
The two governance traps organisations keep falling into
James describes two common responses to this problem.
The first is to respond to uncertainty by building a larger governance machine: more documentation, more stages, more approvals, more oversight, more process. It looks thorough. It looks serious. It looks responsible. But it also creates drag. Teams spend so long trying to build a perfect decision framework that they delay action, miss timing, and lose the value the technology was supposed to create in the first place.
The second trap goes the other way. Organisations decide the opportunity is too attractive to wait, so they move quickly without proper assessment. They connect tools, enable automations and roll out integrations because the benefits look obvious. The risk is not removed. It is simply postponed until it appears as a security issue, a compliance problem or an unintended business consequence.
One path creates paralysis. The other creates exposure.
Neither is a sign of mature governance.
The real issue is not speed versus control
Many organisations still frame governance as a trade-off. If you want to move fast, you must accept weaker control. If you want stronger control, you must accept slower progress.
That sounds logical, but it is becoming less useful.
The more helpful question is not whether control slows things down. It is whether the control was designed well enough to support movement in the first place.
A good control should not exist simply to make the organisation feel safer. It should help people make better decisions, more consistently, in situations where risk is real but certainty is impossible.
That is especially important with AI-related tools, where waiting for perfect clarity is often unrealistic. The aim is not to remove every unknown before acting. The aim is to build enough confidence to proceed, while keeping enough visibility and accountability to adjust if something changes. That is a very different standard from traditional governance.
Why paper controls often fail in real life
This is the uncomfortable part.
An organisation can have a governance process that looks impressive in a policy deck and still be badly protected in practice.
Why? Because burdensome controls change behaviour.
When approval paths become too slow, teams look for workarounds. When documentation becomes excessive, people complete it mechanically rather than thoughtfully. When rules are too broad, too abstract or too disconnected from actual risk, they stop guiding decisions and start becoming background noise.
This is the paradox at the centre of James’s article. More control does not always create more safety. In some cases, it creates enough friction that the process itself becomes the new source of risk. People either avoid it, rush through it, or treat it as a box-ticking exercise. At that point, the organisation has not strengthened governance. It has weakened compliance with governance.
And a control that only exists on paper is not really a control at all.
Four signs your governance model is creating risk instead of reducing it
1. Every new tool triggers the same heavy process
If a low-risk workflow and a high-risk integration go through the same level of scrutiny, the organisation is not governing proportionately. It is treating governance as a standard template rather than a risk-based decision.
2. Teams describe governance as something to get through
When people see governance as an obstacle rather than a support, they are more likely to rush it, bypass it or wait until late in the process to mention what they are doing.
3. Documentation is growing faster than clarity
More forms, more steps and more sign-offs do not automatically improve decision quality. If the process is expanding but people still cannot explain the real risk clearly, complexity is replacing judgement.
4. The process protects optics more than outcomes
If the main strength of a governance model is that it looks rigorous in an audit trail, but it does not help the business act sensibly and safely in real time, it may be optimised for appearance rather than effectiveness.
What better governance looks like
Better governance is not lighter because risk is unimportant. It is lighter because precision matters more than weight.
That means starting with the actual use case rather than a generic policy response. What data is accessible? What actions can the system take? What existing controls are already in place? What could realistically go wrong? What level of oversight is proportionate for this context?
This changes the design of the process.
1. Assess the real risk, not the imagined maximum
Not every AI tool, agent or MCP needs to be governed as though it has unrestricted access and enterprise-wide impact. Governance should reflect the actual level of exposure, not the most dramatic possible scenario.
2. Build controls people can realistically follow
A control is only effective if it is usable. If it is so cumbersome that teams avoid it, the business has traded theoretical assurance for practical weakness.
3. Keep accountability clear
Simpler governance should not mean vague ownership. Someone still needs to understand the decision, the trade-offs and the boundaries of acceptable use.
4. Design for adjustment, not perfection
In fast-moving environments, governance must allow organisations to act with care and then refine as they learn. Waiting for a flawless future-proof framework is often just a more respectable form of delay.
Why this matters now
This matters because AI is not just introducing new tools. It is exposing weaknesses in how organisations make decisions.
It is forcing a more honest question about whether current governance models are fit for purpose in environments where capabilities evolve quickly, use cases multiply, and the cost of slow decision-making is rising. James’s point is not that governance should disappear. It is that governance must become more proportionate, more contextual and more usable if it is going to remain effective.
That has wider implications than technology policy.
It affects how organisations balance trust and control. It affects how leaders define acceptable risk. It affects whether teams feel confident making decisions inside a framework, or whether they feel constrained by a system that was designed to prevent mistakes at the cost of useful action.
The governance capability organisations actually need
The organisations that handle this well will not be the ones with the thickest policy documents or the fastest unchecked experimentation.
They will be the ones that learn a harder discipline: how to move quickly without being careless, and how to govern without creating paralysis.
That requires a shift in mindset.
Governance is not about maximising control. It is about applying the right amount of control for the decision in front of you. Too little creates exposure. Too much creates friction, delay and eventual non-compliance. The goal is not to choose between agility and safety. The goal is to build controls that make safe progress possible.
That is the real capability modern organisations need.
Because in an environment shaped by AI, MCPs and autonomous workflows, the greatest risk may not be moving too fast.
It may be designing so much protection around change that the business no longer knows how to change at all.
