
April 26, 2026

Policies should follow controls, not the other way around

By Ben Draffin · Director of Security at Decagon

Most governance writing describes a single direction: policy defines what should be true, standards narrow it, procedures operationalize it, and controls prove it. That model is clean. It is also often incomplete for companies shipping AI products on weekly cadences.

In practice, controls frequently emerge from product reality first — a retention rule in infrastructure, a redaction path in the inference stack, an authorization check added after a pen test. Policy catches up later, if it catches up at all. The reverse happens too: policy exists, implementation lags. Both directions run at once. The useful question is which direction dominates in your organization right now.

Policy–control alignment sits at the intersection of governance, engineering, and enterprise sales. In AI-native security programs I’ve run, the same failure mode repeats: external claims and internal systems describe different companies. The teams that close enterprise deals reliably run a two-way loop — not a one-way cascade from policy to code.

Top-down dominant: strong narrative, thin evidence

Symptoms. The policy library is current. Control evidence is stale or scattered. Enterprise buyers and auditors receive confident narratives that struggle when someone asks to see enforcement in production.

Risk. Document reviews pass; implementation reviews fail. The organization looks more compliant than it is.

Direction of travel. Policy → intended control → implementation (often delayed).

What helps. Coding-agent or scanner-assisted inventories, continuous evidence collection, and policy language that tracks what actually shipped — not what the team wishes had shipped.

Bottom-up dominant: strong systems, weak external story

Symptoms. Technical controls are real. Policy coverage is thin or inconsistent. Different teams answer questionnaires differently. Institutional memory lives in Slack threads and merged PRs.

Risk. The organization may be safer than it can prove. Deals stall when trust collateral does not match operational reality.

Direction of travel. Implementation → implicit control → policy (maybe later).

What helps. Scheduled reconciliation against technical inventories, and a single owner for what the company claims externally.

The two-way loop: what “mature” looks like

Mature AI-native GRC does not pick a single arrow. It runs a loop:

  1. Product and engineering reality changes.
  2. Technical control inventory updates (ideally agent- or scanner-assisted).
  3. Policy, standards, and external claims update to match — or narrow to match.
  4. New requirements arrive from sales, audits, and vendors.
  5. Engineering closes the next gap.

Update policy based on controls when implementation leads. Update controls based on policy when commitments lead — new certification scope, new enterprise clause, new regulatory obligation.

The failure mode is running only one direction and hoping the other catches up on its own.

The table below is a quick diagnostic.

| Signal | Likely dominant mode | First fix |
|---|---|---|
| Policies refreshed annually; product ships weekly | Top-down on paper, bottom-up in reality | Inventory + reconcile |
| Questionnaire answers differ by team | Bottom-up | Single external claims owner |
| Audit findings cite “not operating effectively” | Top-down narrative gap | Evidence paths per control |
| Security review surprises despite “good” policies | Bottom-up implementation without external sync | Trust collateral refresh |

A one-hour workshop exercise

You do not need a transformation program to learn which mode you are in.

  1. Pick five controls your largest customers asked about last quarter.
  2. For each, document: where it lives in code or infrastructure, where it lives in policy, and how it appears in questionnaire answers.
  3. Mark whether implementation or policy came first.
  4. Agree on one reconciliation action per control.
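The exercise above, and the diagnostic table before it, can be run as a small reconciliation pass over a control inventory. The following is an added example, not code from the author or from Decagon: it records, per control, where the control lives in code or infrastructure, where it lives in policy, and how each team answers the questionnaire, then classifies each control and reports which direction dominates. The inventory, the field names, the 90-day evidence threshold and the "first fix" wording are assumptions constructed for the example.

```python
"""Reconcile a control inventory against policy coverage and external claims.

Added example, not the article's own tooling. The five control records below
are constructed for illustration, as are the path names and thresholds.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Assumed threshold: evidence older than this is treated as stale. A control whose
# evidence is only refreshed at an annual policy review will always fail it.
STALE_DAYS = 90


@dataclass
class ControlRecord:
    control_id: str
    implementation: str | None            # where the control lives in code or infra
    policy_ref: str | None                # where it lives in policy (None = no coverage)
    answers: dict[str, str] = field(default_factory=dict)  # team -> questionnaire answer
    evidence_age_days: int | None = None  # days since evidence was last collected


def classify(rec: ControlRecord) -> tuple[str, str]:
    """Return (finding, first_fix) for one control, mirroring the diagnostic table."""
    if rec.policy_ref and not rec.implementation:
        # Policy promises it; nothing in production enforces it yet.
        return "top-down gap", "evidence path per control"
    if rec.implementation and not rec.policy_ref:
        # Shipped, but the external story never caught up.
        return "bottom-up gap", "write policy to match what shipped"
    if not rec.implementation and not rec.policy_ref:
        return "uncovered", "assign an owner, then implement and document"
    if len(set(rec.answers.values())) > 1:
        # Aligned internally, but teams describe it differently to customers.
        return "inconsistent claims", "single external claims owner"
    if rec.evidence_age_days is None or rec.evidence_age_days > STALE_DAYS:
        return "stale evidence", "continuous evidence collection"
    return "aligned", "none"


def reconcile(records: list[ControlRecord]) -> dict[str, tuple[str, str]]:
    """One reconciliation action per control, keyed by control id."""
    return {r.control_id: classify(r) for r in records}


def dominant_mode(records: list[ControlRecord]) -> str:
    """Which direction dominates: gaps where policy led vs. gaps where code led."""
    findings = Counter(classify(r)[0] for r in records)
    top_down = findings["top-down gap"] + findings["stale evidence"]
    bottom_up = findings["bottom-up gap"] + findings["inconsistent claims"]
    if top_down > bottom_up:
        return "top-down dominant"
    if bottom_up > top_down:
        return "bottom-up dominant"
    return "balanced"


# Constructed inventory: five controls a large customer might have asked about.
INVENTORY = [
    ControlRecord("LOG-RET", "terraform/modules/logging/retention.tf",
                  "policies/data-retention.md", {"sales": "90 days", "security": "90 days"}, 14),
    ControlRecord("PII-REDACT", "services/inference/redaction.py",
                  None, {"sales": "yes", "security": "yes"}, 7),
    ControlRecord("TOOL-AUTHZ", None,
                  "policies/access-control.md#agent-tools", {"sales": "enforced"}, None),
    ControlRecord("PROMPT-LOG", "services/gateway/audit.py",
                  "policies/logging.md", {"sales": "all prompts", "cs": "metadata only"}, 3),
    ControlRecord("MFA-ADMIN", "okta/policies/admin-mfa.json",
                  "policies/access-control.md#mfa", {"sales": "required"}, 20),
]

if __name__ == "__main__":
    for control_id, (finding, fix) in reconcile(INVENTORY).items():
        print(f"{control_id:12} {finding:20} -> {fix}")
    print("dominant mode:", dominant_mode(INVENTORY))
```

The point of the script is the order of the checks: a control with no implementation is a top-down gap regardless of how well it is written up, a shipped control with no policy is a bottom-up gap regardless of how good the code is, and only once both exist does it make sense to ask whether teams describe it consistently and whether the evidence is fresh. Feeding it the real inventory from the workshop replaces the constructed records; the classification logic stays the same.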

Most AI-native companies are bottom-up until they intentionally install the loop. That is not a moral failure — it is a predictable stage of velocity. The goal is to make the loop explicit before a customer audit makes it explicit for you.

How this series fits together

Traditional GRC assumed controls and policies moved at human pace. That assumption is breaking. Redlines measure maturity. Vendor contracts reveal gaps. Coding agents help inventory reality. AI-assisted prep stress-tests narratives before auditors do. The two-way loop is the operating model that ties those pieces together.

Operating GRC at AI speed is not about working faster on old process. It is about running governance that matches how AI products and enterprise buyers actually move — with policy and production finally describing the same system.

