Research

My research addresses a single organising question:

Why do governance architectures designed to manage risk systematically reproduce the conditions for failure — even in organisations that are formally compliant, well-resourced, and operating in good faith?

The lens is enterprise architecture: the practice of designing how an organisation's structures, incentives, and systems fit together, and of working out why they fail to deliver what they were built for. Four decades in technology shaped this method. I started in software development in the 1980s and now work as a Principal Enterprise Architect in critical national infrastructure; information security became my main focus only in the past decade. An architect does not fix a system by asking the people inside it to be more careful or more honest — an architect changes the structure. Seen this way, governance failures are failures of architecture, and most have nothing to do with cyber.

Like any architecture, a governance architecture must withstand the actors who will use it in practice, not the ideal ones the design assumes. Two of them keep appearing. The first has interests that pull against the system's: the official who is safer deferring than deciding, the firm that is safer hiding an incident than recording it. An unresolved conflict of interest is a structural weakness, and the remedy is to take the conflict out of the decision — through separation of duties, or an adjudicator with no personal stake — not to appeal to good character. The second actor is neither hostile nor conflicted, but boundedly rational — limited in attention and time. Under pressure people satisfice (they settle for "good enough"), anchor on what is already visible, and judge how urgent a warning is by whether it is stated plainly. You cannot remove this by urging people to do better, because attention has limits that good intentions do not change. The remedy is to design the decision environment so that these ordinary shortcuts still produce safe outcomes. Neither actor responds to the usual language of trust and compliance. So the diagnosis is always the same: blame the architecture, not the person — who is either an adversary that will not comply or a bounded actor that cannot. The prescription is always the same in form too: build the quality the system needs into the structure, instead of asking the people inside it to provide it.

Much of the diagnosis follows a single causal sequence. Governance frameworks build predictable errors into every stage of the decision cycle: in what they choose to measure, in how signals travel up through reporting hierarchies, in the assumptions designers make about who will use their transparency mechanisms, and in how organisations cope when scale outgrows capacity. Each stage makes the one before it worse. A framework that measures the wrong thing produces false assurance; that false assurance is softened further as it moves up through reporting layers; the resulting signal reaches designers who assume cooperative use in adversarial conditions; and organisations that grow without rethinking how they coordinate absorb all three failures at once. Two further strands sit alongside this chain — why clear warnings still fail to become decisions, and why controls hold only where their purpose is visible — and a parallel strand applies the same logic to infrastructure investment over decades.

These mechanisms are diagnostic. The programme's prescriptive claim is that they share one remedy. It is not a better control at any single stage, but the capacity to learn faster than the environment gets worse: institutional memory, an honest incident record, and shared visibility, all designed into the architecture rather than demanded from the people inside it. The earlier sections set out the diagnosis; the later ones develop the remedy. The evidence base is a cross-sectional analysis of 171 NHS trusts and Freedom of Information data across health, policing, fire and local government.


I. What gets measured: compliance as false signal

The sequence begins with measurement. Compliance frameworks assess static attainment — whether an organisation has met a standard at one moment in time — rather than adaptive capacity, meaning whether it can respond to threats that did not exist when the standard was written. An organisation that keeps unchanged 2020-era controls and one that constantly experiments with new defences receive identical ratings. The metric cannot tell them apart.

Empirical analysis of 171 NHS trusts shows that the largest, best-resourced organisations do not outperform smaller ones on mandatory security assessments — the highest-resourced quartile scored lower on compliance than the lowest-resourced quartile (p=0.88, Cohen's d=0.02). This is not a resource problem. It is evidence that compliance metrics are disconnected, by design, from the capability they claim to measure. The remedy is not a better static score but a velocity signal — the Cyber Progress Measure (CPM), which scores whether the organisation is improving faster than the threat evolves, rather than whether it has met a fixed target. And the discretion that newer, judgement-based frameworks introduce makes the gap between what is compliant and what is safe wider, not narrower. The false confidence this creates is the entry point for every later failure in the chain.


II. What reaches the board: signal suppression in reporting hierarchies

False confidence from compliance metrics would be less dangerous if boards also saw the raw operational picture alongside it. They do not. Operational urgency is translated, softened, and reframed as it moves up through the organisation. By the time a risk reaches the board, it has often been turned into assurance. The board is told that governance is working at exactly the moment it most needs to hear that it is not.

This mechanism — cue validity collapse, the breakdown of the link between how a message sounds and how serious it actually is — works through the very communication habits that make organisations look professional: hedged language, diplomatic indirection, deference to rank. The communication style that protects an organisation's external standing quietly destroys the signal clarity needed to escalate a problem internally. An overloaded executive applies a reasonable rule of thumb: if it were urgent, it would say so plainly. That rule is ecologically rational — well-matched to its environment — everywhere except in a culture that has trained urgency and plain speaking apart. This is the bounded actor failing not through carelessness, but through a cue the architecture itself has made unreliable.


III. What stops a clear warning becoming a decision: the defendability trap

Between a signal reaching the board and the board acting on it lies a failure the chain does not capture. A clear-enough warning arrives, and still nothing happens — not because it was suppressed on the way up, but because the structure rewards delay. Asking for more evidence is easy to defend; acting on a partial signal is not. Where no one has stated the objective function — the goal the decision is meant to serve — at the level where the decision is taken, waiting for certainty is the rational choice for the individual, even when waiting costs more than acting. The result is decision latency: the warning becomes a history lesson, and the audit trail records due process instead of a decision actually made.

This is the same architecture that spreads a decision across many signatories so that no single person owns it, and that treats an unpublished threshold as safer than a committed one. None of this requires bad faith; it requires only a structure in which being defensible is rewarded and the absence of a decision goes unseen. It is the conflicted actor and the bounded actor at once — a personal incentive that pulls away from the institution's, acting under genuine uncertainty. The remedy is to state the objective function before delegating the decision, to put an explicit price on delay, and to make inaction as accountable as action.

This strand is currently developed through practitioner analysis; its academic treatment is in preparation and will be added on publication.


IV. What designers assume: transparency as an adversarial interface

The measurement and reporting failures are not accidental — they are designed in. Governance designers optimise for the cooperative user: the board member who wants assurance, the citizen who wants to understand a decision, the regulator who wants compliance. They are blind, by design, to the adversarial behaviour their own systems invite.

Transparency mechanisms — explainability requirements, disclosure obligations, open publication of decision formulas — create accountability interfaces that are, at the same time, reverse-engineering interfaces. The same overconfidence that inflates compliance metrics leads designers to assume transparency will produce accountability rather than gaming. The pattern appears in welfare algorithm design, cybersecurity disclosure rules, and AI governance. The failure is not about attitude — it is the predictable result of designing for cooperative use in an adversarial environment. And the discipline that routinely models the actor whose interests diverge — threat modelling — is rarely brought to the governance table.

Explainability is the clearest case. Regulators require explainable AI and open decision logic so that affected citizens and oversight bodies can understand and challenge automated decisions — a cooperative-use rationale. But the same interface that explains a decision to a legitimate challenger also specifies to an adversary exactly which inputs to manipulate to obtain a desired output. In welfare and fraud-detection systems, the published criteria become a gaming manual: the transparency meant to produce accountability produces a reverse-engineering interface instead. The design error is to treat explainability as something that serves only the cooperative user, when in an adversarial environment it serves both. The remedy, bounded explainability — giving an individual the account they need without handing a whole population a recipe for gaming the system — is rarely the form specified.


V. What scale does to capacity: coordination costs and the resilience ceiling

Organisations that absorb the earlier failures — false metrics, suppressed signals, deferred decisions, blind-spot-laden design — face a problem that builds on itself. As an organisation grows, coordination costs grow faster than its defensive capability. When skilled people simply cannot be hired, however large the budget, the problem changes shape: the question is no longer how to reach a compliance target, but how the organisation can improve at the fastest rate it can sustain with the capacity it has.

This is where the programme's empirical finding — that resource scale does not predict compliance — meets a prescriptive framework. Flow-Constrained Risk Management applies the logic of the Theory of Constraints — focus effort on the one bottleneck that limits the whole system — to the order in which security work is done, replacing static targets with velocity-based metrics. An organisation at 50% maturity improving by 5% each quarter is on a better security path than one stuck at 80% with no ability to adapt. The same coordination-cost logic reaches well beyond cybersecurity: too many initiatives at once in government, capability gaps in public services, and funding designs that mistake the size of the input for the quality of the output all show the same structural pattern.


VI. The same logic at longer timescales: infrastructure investment under deep uncertainty

The failure chain operates in cybersecurity and health governance over months to years. A parallel strand of this programme looks at where the same mechanisms operate over decades: government technology and infrastructure investment. Here the regime itself changes: over decades the future is one of deep, Knightian uncertainty — there is no reliable probability distribution from which to forecast at all. The failure is no longer a true signal distorted on its way up, but the illusory precision of a point forecast treated as if it were knowledge.

Funding decisions that depend on long-range forecasts show every stage of the chain. Cost–benefit appraisals anchor on single point estimates that end up serving as compliance artefacts rather than real inputs to the decision (the measurement failure). Optimism bias is made worse by reporting structures that turn uncertainty into confidence as a business case moves up through approval layers (signal suppression). The Treasury and sponsoring departments design appraisal rules for cooperative use — honest forecasters — while the politics of megaprojects rewards strategic misrepresentation, the deliberate understating of cost and overstating of benefit (the cooperative-use blind spot). And the coordination costs of programmes that run for decades overwhelm the capacity of the institutions managing them to adapt (the resilience ceiling).

The Annual Portfolio Model proposes an alternative built for that regime: instead of predict-and-act, it works by robust satisficing — spending limits revised every year, commitments made in stages with clear exit options, and fast-and-frugal priority rules that still hold up when the forecasts are wrong.


VII. What adoption decisions ignore: overconfidence bias and the long-term consequences of AI

Each of the earlier stages concerns governance architectures that are already in place. But a failure comes before all of them. At the moment they decide to adopt AI, organisations — public and private — consistently underestimate the long-term human and social consequences of that choice. The cause is not negligence but a predictable effect of overconfidence bias working at the level of the decision itself: adopting AI is framed as a narrow efficiency problem, the costs of transition are treated as manageable and temporary, and the longer-term consequences are made invisible by the cost-benefit lens being used.

Three versions of this pattern are visible in the current wave of AI adoption. The first is social: companies keep the efficiency gains from AI-driven redundancies while passing the psychological and community costs — the loss of purpose and of a recognised role in society — to individuals and the state. Replacing lost income does not restore what the history of deindustrialisation shows can persist for decades. The second is organisational: the norms for delegating to AI form before anyone consciously designs them, and accountability spreads thin as the person who formally owns a decision no longer owns the reasoning behind it. The third is generational: automating the basic analytical work removes the path through which organisations grow leaders who can later challenge the systems they inherit.


VIII. Why controls hold or fail: meaning and the legitimacy of constraints

Compliance frameworks assume that once a control is in place, people will follow it. Mostly they do not — not out of indifference, but because a control that feels arbitrary or disconnected from the actual work is rationally bypassed under pressure. What keeps a constraint alive is not enforcement but visible purpose: people accept the friction when they can see the failure it is there to prevent. Where that meaning is missing, compliance becomes performative — it holds while the auditor is in the room and breaks down the moment operational pressure rises.

This is the other face of the bounded actor. The earlier strands design the decision environment so that limited attention still leads to safe choices; this one asks whether the constrained person can even see why the constraint exists. A cyber control whose purpose is unclear, or a clinical security rule cut off from any patient outcome, is honoured at the audit and abandoned at the bedside. Building meaning into the control, rather than urging people to comply with it, is what makes the behaviour last.

This strand is currently developed through practitioner analysis; its theoretical treatment is in preparation.


IX. The property that answers the chain: learning capability as the precondition for resilience

The earlier sections are diagnostic: they explain why governance architectures reproduce failure. This one is prescriptive. At every stage, the implied remedy is the same — not a better control, but the capacity to learn faster than the environment gets worse. In a world where failure is inevitable, what sets resilient organisations apart is not that they never fall, but that they recover reliably, and with a better understanding than before. That capacity is an architectural property that has to be designed in, and most governance systems actively suppress it in three distinct ways.

The first is memory. A system that keeps too little history cannot tell whether an incident is a one-off or the latest case of a pattern it has already seen; each event is treated as new, and learning never builds up. The second is the honest record. Where the same channel that collects incident data also carries enforcement consequences, documenting a governance failure honestly becomes irrational for the individual — so the record becomes technically accurate but silent on governance, defeating the very learning the reporting was meant to produce. Separating the learning function from the deterrence function, as aviation safety reporting did fifty years ago, is what makes honest disclosure rational. The third is shared visibility. Learning that stays inside one organisation and is never pooled produces no collective immunity: attackers route through the weakest point, so without comparative, sector-wide visibility even well-governed organisations are left exposed through their neighbours.

Memory, honest record, shared visibility: each is a design choice, not a cultural aspiration, and each is the architectural answer to a failure the earlier sections diagnose.


X. Designing out the conflict of interest

One theme runs across these strands and points beyond them. Where an actor's interests diverge from the system's, no amount of good faith resolves the conflict — the only lasting remedy is to separate the function from the stake. Aviation separates the learning channel from the enforcement channel so that honest reporting is the rational choice; the honest-record strand above is one example. The same move generalises: whoever adjudicates concentrated power should not be a party that profits from it, and a critical public system should not depend on a supplier whose legal duties, under another country's law, can diverge from its users' interests. This is separation of duties — the oldest security control — applied to institutions rather than to computer systems.

A fuller treatment, on why impartial oversight of concentrated technological power must be designed rather than assumed, is in preparation.


Collaboration

I am open to collaboration on research, legislative and regulatory design, and teaching in governance, risk, and AI accountability — particularly with practitioners, policy institutions, and academic colleagues working at the intersection of these fields. If you are interested in joint work, guest teaching, or advisory engagement, please get in touch.


Foundational papers

Three further working papers provide the empirical and theoretical foundations that underpin the programme as a whole.