the-governance-paradox-why-better-brakes-create-faster-dev-ex

Home / Blog

16 JANUARY 2026

The Governance Paradox: Why Better “Brakes” Create Faster DevEx

Author: Mihir Vora

banner

When I explain platform engineering to non-technical stakeholders, I start with a simple question:

Why does a Formula 1 car have such powerful brakes?

Most people answer, “So it can stop.” Which is true… but it misses the point.

The real reason an F1 car has massive carbon-ceramic brakes is so the driver can go fast. If you didn’t trust the brakes, you wouldn’t push the car. You’d drive cautiously, always negotiating the next corner. The engine might be capable of 200+ mph, but your confidence would cap you at 40.

That’s the moment where the analogy stops being about cars and starts being about software.

In a lot of engineering organizations – especially ones with real risk exposure – we’ve been conditioned to treat governance as the enemy of speed. Compliance checks, security reviews, manual approval boards… Those are the “brakes,” and brakes slow you down, right?

After watching high-performing teams for years, I realized that framing is backwards.

Good governance doesn’t reduce velocity. It creates it – because it gives developers the confidence to move fast without losing control

The catch is in the words “good governance.” Because what most teams experience today isn’t “brakes.” It’s… something else entirely.

If you only skim one section, skim this: governance becomes an accelerator when it’s built into the platform, not enforced through waiting rooms.

The “Ticket Ops” Fatigue

Let’s be real for a moment about what governance looks like in many large organizations. It usually looks like a ticket. Or five.

You write the code in a few hours – sometimes less. You’re in flow. The change makes sense. Tests are green. You’re ready. Then the Slack thread starts: “Who owns this gate?” “Is this required for this change?” “Can we get an exception?” And suddenly the work isn’t engineering anymore – it’s navigation.

You open a ticket to provision infrastructure. Another for IAM and access. Another for a security group change, a firewall rule, or a network path. Somewhere in there, you schedule a security review that’s booked out far enough that you start doing calendar arithmetic instead of engineering.

I call this Ticket Ops.

Ticket Ops is governance delivered through waiting rooms. And it’s one of the most reliable ways to slowly drain developer morale without ever declaring an “incident.”

I’ve been on both sides of this: the engineer waiting on the gate, and the person being asked, “Can we make this repeatable?” That’s when you realize the issue usually isn’t intent – it’s implementation. To be clear, I’m not anti-governance. In risk-heavy environments, the controls matter. What I’m against is delivering those controls as surprise checkpoints run by humans.

The real cost isn’t just time. It’s cognitive load.

When we force an engineer to memorize a 50-page compliance document just to deploy a microservice, we’re not making them safer. We’re paralyzing them. We’re turning the cost of trying something new into a mini-project of process navigation. onboarding to the right systems, registering components for scanning, learning the change process, figuring out what evidence “counts,” and chasing the right approvals.

That’s when teams start to act like a driver with unreliable brakes. They don’t push the system. They don’t experiment. They avoid changes that feel risky, not because the change is inherently dangerous, but because the governance system is unpredictable.

And unpredictability has a very specific smell in software: it smells like meetings. It smells like “let’s ask for approval.” It smells like “let’s wait until the next sprint.” It smells like engineering energy quietly leaking out of the organization.

philip-veater-eQQfYv7bhwU-unsplash.jpg

The Golden Path as a Product Contract

The most effective platform engineering organizations I’ve seen don’t treat governance as an external gate. They treat it as a feature of the platform. Instead of asking developers to become experts in policy interpretation, these organizations build what’s often called a Golden Path (or paved road): an opinionated, supported way to go from commit to production. It usually trades unlimited flexibility for safe defaults – because most teams don’t need infinite customization; they need a reliable way to ship. But here’s the key: a Golden Path isn’t just a curated toolchain. It’s a contract.

Here’s the deal: Build however you want. But if you use this pipeline, these templates, and these patterns, you get the fast lane – because the platform is doing the governance work in the background. You move faster because you’re on the governed path.

This is where the F1 metaphor becomes useful again. Great brakes don’t feel like a slowdown. They feel like trust in the car and confidence to push. A Golden Path, done well, creates that same feeling for developers: “If the platform says I’m good, I’m good.”

Automating the “No” Without Making People Feel Policed

Let's be honest: in most organizations, 'governance' is just a person saying 'no'. A security architect reviews a diagram and says no. A reviewer spots a missing control and says no. A compliance checklist doesn’t look complete and says no. The industry is moving away from policy-as-documentation toward policy-as-code for a simple reason: policy becomes scalable only when it becomes executable.

Sometimes those “no’s” are correct. But the delivery mechanism is flawed: it’s slow, inconsistent, and emotionally expensive. It turns governance into negotiation and surprise.

This is why the industry is moving away from policy-as-documentation toward policy-as-code. Policy becomes scalable only when it becomes executable.

When governance is encoded into the platform and pipeline, the rules become consistent, feedback becomes immediate, outcomes become predictable, and evidence becomes a byproduct of delivery.

The difference is a completely different experience. In the old world, a developer might find out they missed a requirement three days later. In the new world, they find out in minutes – sometimes in the pull request, sometimes before merge, sometimes even in the IDE.

That shift does something important for the human side of engineering: it removes fear. A developer no longer has to wonder, “Did I miss some rule I didn’t know existed?” If the change passes the governed pipeline, it’s safe to proceed.

This doesn’t have to be exotic to work. The most effective guardrails are often boring:

  • Instead of a manual security review, the pipeline scans for vulnerabilities and blocks builds past an agreed threshold.
  • Instead of a tagging audit, infrastructure templates apply required ownership/cost metadata by default.
  • Instead of reviewing everything, controls become risk-tiered, so low-risk changes flow quickly while high-risk changes trigger deeper validation.

Reliable, automated, invisible brakes – so teams can keep their foot on the gas.

Why the Golden Path Wins: Adoption by Choice

There’s a misconception I hear a lot: “Teams won’t standardize unless you force them.

I don’t buy it. Teams won’t standardize if the standard path is painful. But if the platform absorbs the boring, scary parts of delivery – compliance, evidence, security checks – most teams want to standardize. And once you hit a certain adoption threshold, the platform becomes a flywheel: More adoption → more consistency → stronger evidence → fewer exceptions → fewer human gates → faster delivery → even more adoption.

That flywheel is the real prize. It’s how you scale governance without scaling bureaucracy.

And yes – there’s always a stick approach. Enforcement can push teams toward standardization. But if the system isn’t built well, you’ll get compliance without trust. Teams will follow the letter of the process and route around the spirit of it.

Build the experience first; enforce second.

Measuring Whether Governance Is Actually Helping DevEx

One reason governance debates go in circles is because we argue from anecdotes. So if you want to lead this conversation with credibility, measure the outcomes.

Start with signals like:

  • Adoption: Are teams choosing the Golden Path?
  • Lead time / cycle time: Did waiting rooms disappear or just move around?
  • Manual compliance effort: How much time is spent producing evidence, chasing approvals, and reconstructing proof?

That last one is the governance number that tells the truth. If policy-as-code and evidence-by-default are real, you should see a step-change reduction in manual compliance work.

And don’t forget one stability signal – change failure rate or rollback time – so you can prove speed didn’t come at the cost of control.

To go fast don’t just upgrade the engine—Upgrade the Brakes

As leaders, we need to stop asking, “How do we reduce governance?” and start asking a better question:

How do we automate it?

If you want the organization to move faster, don't just invest in engines – faster CI, better tooling, more cloud primitives. Invest in brakes that developers can trust: a platform where the safe thing to do is also the easiest thing to do.

That is how compliance stops being a bottleneck and starts becoming an accelerator.

The goal of platform engineering isn’t to control developers. It’s to give them confidence – through invisible, trustworthy governance – so they can ship without constantly wondering whether the next corner is going to surprise them.

About the Author:

Mihir is a Senior Distinguished Engineer at Capital One with a passion for empowering teams and driving innovation. A firm believer in "influencing without authority," Mihir has successfully balanced technical contributions with strategic leadership. With over 15 years of experience in cloud engineering, DevOps, and full-stack development, he has been instrumental in transforming banking through technology. His expertise in optimizing developer experience and accelerating software delivery has led to significant improvements in productivity and efficiency

@ 2026 Harness Inc.