Why Governance Matters: The Key to Reducing Risk Without Slowing Down

When you hear “governance,” you might think of red tape, bureaucracy, or someone telling you what you can’t do. But real governance is about alignment and reducing technical risk. And that matters more than ever.

In most cases, engineers aren’t deliberately making risky decisions—they just don’t have clear expectations. That’s where good governance comes in. It ensures everyone understands what “good” looks like, gives teams the autonomy to move fast while staying on course, and provides built-in mechanisms to self-correct before small missteps become big problems.

In this talk, I’ll break down how to implement governance that actually helps, not hinders, including:

- Understanding what’s in your software estate
- Making smart technology choices - and why “boring” is often best
- Turning policies into automated steps on the way to production

Sarah Wells

March 15, 2026

Transcript

  1. QCon London 2026. Why Governance Matters: The Key to Reducing Risk Without Slowing Down. Sarah Wells · Independent Consultant · sarahwells.dev
  3. sarahwells.dev · Why Governance Matters · QConLondon 2026. Governance is the set of principles, practices and tools that help teams make consistent, informed and safe technical decisions.
  4. CHANGE ADVISORY BOARDS: "a group that reviews, evaluates, and approves or rejects proposed changes"
  5. "approval by an external body simply doesn't work to increase the stability of production systems" (Accelerate, Forsgren et al, 2018)
  6. "However, it certainly slows things down." (Accelerate, Forsgren et al, 2018)
  7. Financial Conduct Authority research on CABs: 93% of major changes approved at CAB; zero changes rejected by some firms in the entire year; 3.8% average failure rate of major changes post CAB approval. https://www.fca.org.uk/publications/multi-firm-reviews/implementing-technology-change
  8. "This raises questions over the effectiveness of CABs as an assurance mechanism" https://www.fca.org.uk/publications/multi-firm-reviews/
  9. MAKING THE CASE FOR GOVERNANCE: The complexity of managing risk in a modern software organisation
  10. SUPPLY CHAIN ATTACK ON NPM: A series of escalating attacks through late 2025
  11. 8th Sept 2025: the initial compromise
     What happened: A phishing attack compromised a maintainer's account. 18 packages hit: chalk, debug, strip-ansi, and 15 others, collectively downloaded over 2.6 billion times per week.
     Payload: Malware targeting cryptocurrency wallets and blockchain transactions.
     Source: Aikido blog, September 2025. [Image placeholder]
  12. Mid September 2025: Shai-Hulud, a self-propagating worm
     What it did: Stole tokens, authentication keys, and cloud credentials and exfiltrated them to public GitHub repositories named "Shai-Hulud".
     Spread: Looked for every other npm package the victim could publish, injected itself into them, and released new versions automatically.
     November variant: Changed the point of infection, making it harder to prevent, and affected tens of thousands of GitHub repositories.
     Source: CISA alert, September 2025. [Image placeholder]
  13. Semver ranges: why ^4.0.4 picks up the compromised version
     The problem: A caret (^) means you pick up any release for the same major version (here, version 4): anything from 4.0.4 up to, but not including, 5.0.0. An install with no lockfile (or an `npm update`) resolves to the newest matching release, so a compromised 4.x release published later is exactly what gets installed.
     Why do this? If you don't pick new versions up automatically, it's easy to end up on an out-of-date and potentially vulnerable version.
     The downside: You can't tell whether you're affected by searching manifests for the exact compromised version unless the dependency is pinned; what matters is the resolved version recorded in the lockfile.
     Source: semver.npmjs.com [Image placeholder]
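An added example (not from the talk) of the caret-range resolution described on this slide, written in Python rather than with the npm CLI: it resolves ^4.0.4 and an exact pin against a constructed list of published versions, where 4.1.2 stands in for a later compromised release. The version list and the COMPROMISED set are made up for illustration; the range rules follow node-semver.

```python
"""Added example (not from the talk): how an npm caret range such as ^4.0.4
resolves against the versions on the registry, and why an exact pin does not
move. The version list and the COMPROMISED set are constructed for illustration."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse(v: str) -> Version:
    m = _SEMVER.fullmatch(v.strip())
    if not m:
        raise ValueError(f"not a plain semver version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """Lower (inclusive) and upper (exclusive) bound of a caret range, following
    node-semver: ^1.2.3 is >=1.2.3 <2.0.0, ^0.2.3 is >=0.2.3 <0.3.0,
    ^0.0.3 is >=0.0.3 <0.0.4 (the leftmost non-zero component is frozen)."""
    lo = parse(spec[1:])
    major, minor, patch = lo
    if major > 0:
        hi = (major + 1, 0, 0)
    elif minor > 0:
        hi = (0, minor + 1, 0)
    else:
        hi = (0, 0, patch + 1)
    return lo, hi


def satisfies(version: str, spec: str) -> bool:
    """Does a published version match the manifest's version spec?"""
    if spec.startswith("^"):
        lo, hi = caret_bounds(spec)
        return lo <= parse(version) < hi
    return parse(version) == parse(spec)  # exact pin


def resolve(spec: str, available: List[str]) -> Optional[str]:
    """What an install with no lockfile (or `npm update`) does: choose the
    highest published version that satisfies the spec."""
    matching = [v for v in available if satisfies(v, spec)]
    return max(matching, key=parse) if matching else None


# Constructed registry state: 4.1.2 stands in for a compromised later release.
PUBLISHED = ["3.9.0", "4.0.4", "4.0.5", "4.1.0", "4.1.2", "5.0.0"]
COMPROMISED = {"4.1.2"}


def exposure(spec: str, available: List[str] = PUBLISHED) -> dict:
    """Which version a manifest entry resolves to, and whether that is bad."""
    picked = resolve(spec, available)
    return {"spec": spec, "resolved": picked, "compromised": picked in COMPROMISED}


if __name__ == "__main__":
    for spec in ("^4.0.4", "4.0.4", "^3.9.0"):
        print(exposure(spec))
```

Run against a real project, the same check has to take its versions from the lockfile (package-lock.json), not from package.json: with a committed lockfile and `npm ci` in the pipeline, the resolved version only moves when someone deliberately updates the lockfile, which is the moment a guardrail can look at it.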
  14. AI is accelerating attacks
     29 minutes to breakout: AI helps attackers scan and exploit faster than humans can respond. https://www.crnasia.com/news/2026/cybersecurity/ai-cuts-cyberattack-breakout-time-to-29-minutes-reveals-crowdstrike-report
     80-90% of the work during the GTG-1002 attack was done autonomously by an AI. https://www.coretelligent.com/resources/intelligence-report/december-2025-anthropic-disrupts-gtg-1002-cyber-espionage/
     87% of orgs were targeted by an AI-powered cyberattack in 2025. https://thenetworkinstallers.com/blog/ai-cyber-threat-statistics/
  15. A NEW KIND OF CHALLENGE: AI tools inside the software development lifecycle
  16. AI coding tools have moved from experiment to default: 90%+ of teams now using AI coding tools; 42% of committed code is now AI-generated; 2-4 tools being used at once by most engineers. Sources: Cortex 2026 Engineering in the Age of AI report; Jellyfish 2025 State of Engineering Management report; Sonar 2026 State of Code Developer Survey; Pragmatic Engineer 2026 AI Tooling deep dive.
  17. Governance hasn't kept up: 45% of organisations have formal AI usage policies; 35% of developers use AI tools via personal accounts; 96% of engineers don't trust AI code, yet only 48% always verify before committing. Sources: Cortex 2026 Engineering in the Age of AI report; Sonar 2026 State of Code Developer Survey.
  18. Three governance challenges AI coding tools create
     Ownership: Your processes assume the committer understands the code. AI assistance means they may not even have read it.
     Speed: Code that took hours now takes minutes. Review processes designed for human-paced development can't keep up.
     Security: AI doesn't know your standards and policies, and AI agents aren't good at writing secure code.
     Source: Veracode GenAI Code Security Report, October 2025 update
  19. We do need governance! But a particular kind of governance.
  20. WHAT GOOD GOVERNANCE LOOKS LIKE: Speeding people up, not slowing them down
  21. Good governance is not about saying "no"; it's about saying "yes", safely.
  22. THE GOAL: What effective governance delivers
  23. What governance should do
     Provide clarity: Teams want to do the right thing, but often it's not easy to know what the right thing IS. Governance should make this obvious rather than burying it in documents.
     Improve consistency: We are bad at doing something consistently, but machines are very good at that. Governance should be automated.
     Create alignment: Alignment doesn't happen by magic. It takes deliberate effort. Governance should guide you in the right direction.
  24. GETTING GOVERNANCE RIGHT: Foundations · Choices · Guardrails
  25. A framework for effective governance
     Foundations: Know your software estate. You can't govern what you don't know about.
     Choices: Make smart technology decisions. Avoid chaos; enable thoughtful innovation.
     Guardrails: Turn policies into automated checks. Embed governance into the way you work.
  26. FOUNDATIONS: Know your software estate
  27. Why this matters
     Who owns this service? The person who maintained it doesn't work here anymore...
     Let's read the documentation! Whoops, it hasn't been updated in 5 years.
     Let's look at the code! Oh no... it's in Ruby, despite everything else being in Node... [Image placeholder]
  28. The FT's BizOps: a graph of the software estate
     Why we built it: Moving to microservices, with new ones every week. High team autonomy. Many ways to do every step in the SDLC.
     What it did: Tracked systems, teams, and people, with relationships between them. Extended over time to GitHub repos and AWS resources.
     The payoff: Investing in tracking complexity gave us visibility, the foundation for automation and governance.
     infoq.com/presentations/productivity-ft [Image placeholder]
  29. The FT's service catalogue model
     Core entities: Systems, Teams, and People, with many different types of relationship between them.
     Extensions: GitHub repositories, AWS resources, monitoring, and on-call information all linked into the graph.
     Power: A service catalogue becomes a foundation for automation, incident response, and governance dashboards.
     [Image placeholder: The FT's service catalogue, centre of the knowledge graph]
  30. People fix bad data far more readily than they supply new data.
  31. The hardest stuff to find
     Shadow IT: Tools someone bought that you don't know about.
     Unowned systems: These won't surface when you ask teams to fill in forms.
     Where to look: GitHub repos, procurement systems, cloud resource inventories, logs, monitoring dashboards.
  32. Shadow AI
     Data governance: Prompts containing your code, architecture decisions, or customer data are going to a service your security team hasn't reviewed and can't monitor.
     Licence and IP risk: You don't know what training data policies apply to the model being used, or whether code suggestions may carry IP implications.
     Compliance trailing adoption: Access controls, observability, and audit trails aren't likely to be built in from the start.
  33. Not (yet) widely adopted: 11% of engineering organisations currently generate an SBOM for all artifacts; 70-90% of a modern software application is code you didn't write; the EU CRA mandates SBOMs for products sold into European markets, and reporting is required from Sept 2026. Sources: 2025 Harness State of Software Engineering Excellence Report; Linux Foundation / OpenSSF, based on Black Duck and Sonatype data; EU Cyber Resilience Act (regulation 2024/2847).
  34. What you get from strong foundations
     Clear picture: A current-state view of your entire software estate: services, teams, dependencies, and changes.
     Where needs attention: Visibility into unowned systems, outdated tech, missing data, and potential exposure.
     Basis for automation: A foundation for building tools, automated checks, and governance guardrails.
  35. CHOICES: Making smart technology decisions
  36. Boring tech is well understood. The failure modes are known. Dan McKinley: https://mcfunley.com/choose-boring-technology
  37. Breaking the boring rule
     When: Take risks on technology that could give your business a competitive advantage.
     Avoid: Let someone else do the bleeding-edge adoption for infrastructure.
     How: Develop a culture of thoughtful adoption.
  38. Not letting enthusiasm drive adoption, but not blocking everything new either.
  39. A technology radar
     Adopt: We use this; it's our standard. Teams should default to this.
     Trial: One team is testing with a real use case. Gives a legitimate route for proposing something new.
     Assess/Hold: Assess means watching, not using. Hold means evaluated and decided against, or moving away.
     Source: https://opensource.zalando.com/tech-radar [Image placeholder]
  40. A technology governance group (TGG)
     What this is: An open forum for discussing changes with wide impact across engineering. Anyone can attend.
     How it works: Proposals circulated in advance. Consensus built asynchronously. The meeting shares information and formally endorses.
     What's "significant"? Introducing a new programming language? A new data store? Replacing a core capability? If it affects other teams, bring it here.
  41. Benefits of a TGG
     Legitimate path for change: Engineers have a clear route to propose something new. No back channels, no surprise adoptions.
     Shared understanding: Everyone hears about changes that affect them. The people who listen and learn are just as important as the people who propose.
     Decisions get recorded: Proposals become documentation. You can look back and understand why a decision was made, not just what was decided.
  42. What you get from smart technology choices
     Innovation: In the right places and for competitive advantage, not just because one person loves Perl.
     Standardisation: For everything else. No one actually needs five different CI/CD pipeline tech stacks.
     Plans, not chaos: A visible radar that tells every engineer what's sanctioned, what's being evaluated, and what's off the table.
  43. GUARDRAILS: Building guardrails that work
  44. Policy → Standard → Guardrail
     Policy: High-level rule. Example: "All data must be encrypted at rest."
     Standard: Detailed, actionable requirement. Example: "Use AES-256 encryption for all databases."
     Guardrail: Something that helps you do the right thing. Example: automation that prevents deployment of storage without encryption enabled.
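As an added example of the guardrail on this slide (not the FT's tooling), here is a pipeline step in Python that reads `terraform show -json` output and blocks the deploy when a storage resource is planned without encryption at rest. The plan embedded below is constructed; the resource types and attribute names are those of the Terraform AWS provider, and the ENCRYPTION_ATTR table is an assumption you would extend to the storage types your standard covers.

```python
"""Added example (not the FT's tooling): a pipeline guardrail that fails a
Terraform plan when it creates storage without encryption at rest. Input is
the JSON from `terraform show -json plan.tfplan`; the plan embedded here is
constructed, and the ENCRYPTION_ATTR table is an assumption to extend."""
import json
from typing import Dict, Iterator, List

# Storage resource types we govern and the attribute that must be true.
# An absent attribute means the provider default applies (unencrypted) or the
# value is unknown until apply; both are treated as a failure (fail closed).
ENCRYPTION_ATTR: Dict[str, str] = {
    "aws_db_instance": "storage_encrypted",
    "aws_rds_cluster": "storage_encrypted",
    "aws_ebs_volume": "encrypted",
}

# Constructed `terraform show -json` output with one compliant and two
# non-compliant resources, one of them inside a child module.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_db_instance.orders", "type": "aws_db_instance",
                 "values": {"identifier": "orders", "storage_encrypted": True}},
                {"address": "aws_ebs_volume.scratch", "type": "aws_ebs_volume",
                 "values": {"size": 100}},
            ],
            "child_modules": [
                {"address": "module.reporting",
                 "resources": [
                     {"address": "module.reporting.aws_rds_cluster.warehouse",
                      "type": "aws_rds_cluster",
                      "values": {"cluster_identifier": "warehouse",
                                 "storage_encrypted": False}},
                 ]},
            ],
        }
    },
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk the root module and every nested child module; a check that only
    reads root_module misses everything created through modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unencrypted_storage(plan_json: str) -> List[str]:
    """Addresses of planned storage resources that are not encrypted at rest."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        attr = ENCRYPTION_ATTR.get(res.get("type", ""))
        if attr is None:
            continue  # not a storage type this policy covers
        if res.get("values", {}).get(attr) is not True:
            findings.append(f"{res['address']}: {attr} is not true")
    return findings


def guardrail(plan_json: str) -> int:
    """Exit status for the pipeline step: 0 lets the apply proceed, 1 blocks it."""
    findings = unencrypted_storage(plan_json)
    for finding in findings:
        print("BLOCKED:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(guardrail(PLAN_JSON))
```

Two design choices matter here: the walk recurses into child modules, because most real storage is created through modules rather than at the root, and a missing attribute counts as a failure rather than a pass, because in plan output an attribute that is unknown until apply is simply absent from `values`.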
  45. The FT's Engineering Checklist
     What it was: A checklist, loosely in the order you needed to tackle things, for building a new product or feature.
     Focus: The things teams were less likely to think about but that mattered to the company, not basic build, test, deploy.
     How it worked: Each item linked to related policies and standards, but more importantly we automated guardrails wherever we could.
     [Image placeholder: The FT's Engineering Checklist]
  46. Signing and verification: Cosign
     Securely sign and verify container images. Identity-based rather than key-based: use your CI provider's OIDC identity.
     Whole chain is auditable: every signature is recorded in a public transparency log (Rekor).
     GitHub and GitLab support: add some YAML to your pipeline.
     Signing is only a guardrail if something verifies: a deploy step or cluster admission policy that rejects images whose signature was not issued to the expected CI identity.
     https://docs.sigstore.dev/about/overview/ [Image placeholder]
  47. Supply chain transparency: SBOMs
     Generate an SBOM as part of your release pipeline: every dependency, version, and licence automatically documented.
     EU Cyber Resilience Act compliance: a machine-readable SBOM that you're going to need for digital products sold in the EU.
     Are we affected by a vulnerability? Takes minutes to work out, not days.
     cyclonedx.org [Image placeholder]
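An added example (not the talk's or CycloneDX's code) of the "are we affected?" question on this slide: Python that reads a CycloneDX JSON SBOM, matches component purls against an advisory list, and walks the SBOM's dependency graph to show how the affected package was pulled in. The SBOM and the ADVISORY list are constructed; the package names and versions are placeholders, not the real compromised npm releases.

```python
"""Added example (not the talk's or CycloneDX's code): answering "are we
affected?" from a CycloneDX JSON SBOM. The SBOM and the ADVISORY list are
constructed; package names and versions are placeholders, not the real
compromised npm releases."""
import json
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed SBOM: an application, three npm components, and the dependency
# graph the generator recorded. The scoped package's purl encodes '@' as %40,
# so the final '@' always separates name from version.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "pkg:npm/shop-api@2.3.0",
                               "name": "shop-api", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/cli-colour@4.1.2", "name": "cli-colour",
         "version": "4.1.2", "purl": "pkg:npm/cli-colour@4.1.2"},
        {"type": "library", "bom-ref": "pkg:npm/%40acme/logger@1.0.0", "name": "@acme/logger",
         "version": "1.0.0", "purl": "pkg:npm/%40acme/logger@1.0.0"},
        {"type": "library", "bom-ref": "pkg:npm/left-trim@0.9.1", "name": "left-trim",
         "version": "0.9.1", "purl": "pkg:npm/left-trim@0.9.1"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/shop-api@2.3.0",
         "dependsOn": ["pkg:npm/%40acme/logger@1.0.0", "pkg:npm/left-trim@0.9.1"]},
        {"ref": "pkg:npm/%40acme/logger@1.0.0", "dependsOn": ["pkg:npm/cli-colour@4.1.2"]},
        {"ref": "pkg:npm/cli-colour@4.1.2", "dependsOn": []},
        {"ref": "pkg:npm/left-trim@0.9.1", "dependsOn": []},
    ],
})

# Constructed advisory: versionless purl -> set of compromised versions.
ADVISORY: Dict[str, Set[str]] = {
    "pkg:npm/cli-colour": {"4.1.2", "4.1.3"},
    "pkg:npm/left-trim": {"1.0.0"},
}


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers#subpath' into (name, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.rpartition("@")
    return (name, version) if name else (base, "")


def affected_components(sbom_json: str, advisory: Dict[str, Set[str]] = ADVISORY) -> List[str]:
    """bom-refs of components whose recorded version is in the advisory. The
    SBOM holds resolved versions, so this is an exact match, not a range check."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        name, version = split_purl(purl)
        if version in advisory.get(name, set()):
            hits.append(comp.get("bom-ref", purl))
    return hits


def dependency_path(sbom_json: str, target_ref: str) -> Optional[List[str]]:
    """Shortest path from the application to target_ref through the SBOM's
    dependency graph: which direct dependency pulled the bad package in."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    previous: Dict[str, Optional[str]] = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target_ref:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in previous:
                previous[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for ref in affected_components(SBOM_JSON):
        print("affected:", ref, "via", " -> ".join(dependency_path(SBOM_JSON, ref) or []))
```

The match is on exact resolved versions because that is what an SBOM records; left-trim 0.9.1 is not flagged even though the advisory names left-trim, which is the distinction the semver slide earlier in the deck is about. Running this over the SBOM of every release you still have deployed, rather than over source manifests, is what turns "days" into "minutes".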
  48. Provenance and build integrity: SLSA
     Prove where your software came from, and how it was built. SLSA (Supply-chain Levels for Software Artifacts) gives you levels of assurance, from basic documentation up to tamper-resistant, signed provenance.
     A common language: "This artefact is SLSA level 3" communicates a specific set of guarantees to your teams, customers and auditors.
     Integrates with CI tools: for GitHub Actions, use the slsa-github-generator to produce signed provenance.
     https://slsa.dev/ [Image placeholder]
  49. Making good behaviour visible
     FT operability score: Points for completing runbook fields, weighted by importance. Didn't block deployment, but made gaps visible.
     The effect: Teams fixed things because they could see what was missing and which information was the most important.
     A metric for improvement: Measuring this gave teams an easy key result for OKRs. [Image placeholder]
  50. OpenSSF Scorecard: governance on every merge
     How it works: Add the Scorecard GitHub Action. It runs on every merge to trunk. Checks: are dependencies pinned? Branch protection? Security policies defined?
     A visible signal of quality: Add the Scorecard badge to your README. It auto-updates on every change. When teams can see a score, they care about a score.
     Culture change, gradually: Set a baseline of the most critical checks. Then gradually step it up.
     OpenSSF Scorecard: github.com/ossf/scorecard [Image placeholder]
  51. Guardrails for AI-generated code
     AI code scanning: Scanning tools (e.g. Sonar and GitHub Advanced Security) now have AI-specific rules that flag issues common in LLM-generated code.
     Attribution metadata: Tag whether code was AI-generated so reviewers and auditors know what they are looking at.
     Dependency verification: AI tools can hallucinate package names that attackers can then register ("slopsquatting"). Verify packages rather than letting the AI agent install them. https://www.aikido.dev/blog/slopsquatting-ai-package-hallucination-attacks
  52. What you get from effective guardrails
     Catch early: Problems surface at code review or in the pipeline, not six months later at a security review.
     Clarity: Developers understand what good looks like. No ambiguity, no 43 documents to read.
     Continuous security: Because guardrails run automatically on every change, your security posture improves as a side effect of normal engineering work.
  53. CONCLUSIONS: Getting governance right
  54. "Manual code review was never as rigorous as we told ourselves" Andrea Laforgia, https://www.linkedin.com/posts/andrealaforgia_ai-artificialintelligence-softwaredevelopment-activity-7425517167242178560-NuZV
  55. Progressive delivery as a guardrail
     Canary / gradual rollout: Deploy to a small percentage first. You're not making a binary choice between "not deployed" and "deployed to everyone".
     Automated checks: Error rates, latency, and key business metrics determine whether the rollout continues automatically.
     Replaces the CAB: Not with bureaucracy, but with automation that has more context and faster feedback than any human committee.
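An added example (not the talk's code, and not tied to any particular progressive-delivery tool) of the automated checks on this slide: a Python canary analysis that compares the canary cohort against the baseline on error rate, p99 latency and a business metric, and walks a rollout schedule until a step fails. The metric windows, the step schedule and the thresholds are constructed assumptions.

```python
"""Added example (not the talk's code or any specific delivery tool): the
automated check behind a canary rollout. Metric windows, schedule and
thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Window:
    """Metrics for one cohort (baseline or canary) over the observation window."""
    requests: int
    errors: int
    p99_ms: float
    checkouts_per_1k: float  # the key business metric, not just error rate


@dataclass(frozen=True)
class Thresholds:
    max_error_rate_delta: float = 0.005  # canary may be at most +0.5pp over baseline
    max_p99_ratio: float = 1.25          # canary p99 may be at most 25% slower
    max_business_drop: float = 0.10      # at most a 10% relative drop in checkouts
    min_requests: int = 500              # below this there is not enough signal


def error_rate(w: Window) -> float:
    return w.errors / w.requests if w.requests else 0.0


def analyse(baseline: Window, canary: Window,
            t: Thresholds = Thresholds()) -> Tuple[str, List[str]]:
    """Verdict for one step: 'continue', 'abort', or 'hold' when the sample is
    too small to decide either way (deciding on thin data is its own failure mode)."""
    if canary.requests < t.min_requests:
        return "hold", [f"only {canary.requests} canary requests, need {t.min_requests}"]
    reasons = []
    delta = error_rate(canary) - error_rate(baseline)
    if delta > t.max_error_rate_delta:
        reasons.append(f"error rate +{delta:.2%} over baseline")
    if baseline.p99_ms > 0 and canary.p99_ms / baseline.p99_ms > t.max_p99_ratio:
        reasons.append(f"p99 {canary.p99_ms:.0f}ms vs baseline {baseline.p99_ms:.0f}ms")
    if baseline.checkouts_per_1k > 0:
        drop = 1 - canary.checkouts_per_1k / baseline.checkouts_per_1k
        if drop > t.max_business_drop:
            reasons.append(f"checkouts down {drop:.1%}")
    return ("abort" if reasons else "continue"), reasons


STEPS = [1, 5, 25, 50, 100]  # percentage of traffic on the new version


def rollout(observe: Callable[[int], Tuple[Window, Window]],
            t: Thresholds = Thresholds()) -> List[Tuple[int, str, List[str]]]:
    """Walk the schedule, asking `observe(pct)` for (baseline, canary) metrics
    at each step, and stop at the first step that does not pass."""
    log = []
    for pct in STEPS:
        baseline, canary = observe(pct)
        verdict, reasons = analyse(baseline, canary, t)
        log.append((pct, verdict, reasons))
        if verdict != "continue":
            break
    return log


# Constructed observations: healthy at 1% and 5%, but once the new version
# carries 25% of traffic its p99 and checkout rate regress.
BASELINE = Window(requests=100_000, errors=200, p99_ms=180.0, checkouts_per_1k=31.0)
SAMPLE: Dict[int, Tuple[Window, Window]] = {
    1: (BASELINE, Window(1_000, 2, 185.0, 30.5)),
    5: (BASELINE, Window(5_000, 11, 190.0, 30.8)),
    25: (BASELINE, Window(25_000, 60, 260.0, 26.0)),
    50: (BASELINE, Window(50_000, 100, 181.0, 31.0)),
    100: (BASELINE, Window(100_000, 200, 180.0, 31.0)),
}


if __name__ == "__main__":
    for pct, verdict, reasons in rollout(lambda pct: SAMPLE[pct]):
        print(f"{pct:>3}%: {verdict} {'; '.join(reasons)}")
```

The sample regresses only at 25%, which is the case a one-shot smoke test misses and a staged rollout catches; the "hold" verdict exists so a step with too little traffic is re-sampled rather than promoted on noise.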
  56. AI doesn't change what good governance looks like, but it makes it more urgent to get right.
  57. Good governance is largely invisible to developers in their day-to-day work...
  58. ... manifesting as helpful automation, clear guidelines, and self-service tools that make the right choices the easy choices.
  59. Foundations · Choices · Guardrails
     Foundations: Know your software estate. Build your inventory. Track changes and what's inside each release.
     Choices: Technology radar. Thoughtful adoption culture. Governance that keeps pace with AI-assisted development.
     Guardrails: Policies in pipelines. Visible scores. Progressive delivery. Security as YAML. Good toil.
  60. Thank You. Let's keep the conversation going. Website: sarahwells.dev · LinkedIn: https://www.linkedin.com/in/sarahjwells1/