The AI Governance Brief

AI Governance Failure: You Don't Know Your Own Organization

Seventy-five percent of HR leaders report that managers are overwhelmed and not equipped to lead change. But before you dismiss this as a middle management problem, consider: by the time information reaches the CEO, it has been filtered, softened, and "customised to cater to superiors' expectations" at every level. Researchers call it "interpreting upwards." You're not leading the organization you think you're leading. You're leading the organization people want you to believe exists. And that organization is a fiction. In This Episode: * The CEO Bubble Is Real * Gartner 2025: 75% of managers overwhelmed and unequipped to lead change * CEIBS research: Information is "interpreted upwards" at each level—filtered, softened, divorced from ground truth * 66% of employees hide aspects of themselves from senior leaders * 80% of C-suite executives "cover" with almost everyone around them * You Cannot Move an Organization You Don't Understand * The org chart is a legal fiction—necessary for compliance, useless for understanding how work gets done * The 80/20 reality: 20% of people drive 80% of influence—and they're not always the people with titles * With just 20 influential employees identified through ONA, companies can reach 70% of the entire organization * The Seven Types of Informal Power * Expertise-Based Power (technical knowledge, organizational memory) * Reputational Power (track record, reliability) * Relational Power (access to key people, social capital) * Cultural Gatekeeping (control over "how things are done here") * Information Brokerage (bridging disconnected groups) * Resource Control (informal control over budgets, tools, access) * Positional Proximity (closeness to decision-makers) * Network Position Metrics That Matter * Degree Centrality: Direct connections—ability to spread information or resistance quickly * Betweenness Centrality: Bridge between disconnected groups—the brokers with cross-silo perspective * Eigenvector Centrality: Connected to other highly connected people—systemic influence * Why Your AI Governance Initiative Will Fail * You'll launch through formal channels targeting formal authority * You'll miss the informal systems that actually determine what people do * Predictable arc: announcement → compliance → erosion → irrelevance * Wells Fargo, Boeing: Executives were the last to know about problems employees understood clearly Your Seven-Day Action Plan: Days 1-3: Map one network—ask 15 people across levels: "When you need to get something done outside the normal process, who do you go to?" Days 4-5: Schedule three skip-level conversations two to three levels down Days 6-7: Identify one gap between the organization you thought you had and the organization you actually have Ready to see your actual organization? Understanding informal power structures isn't optional for AI governance success. It's the foundation everything else depends on. organizational network analysis, informal power structures, executive blindness, AI governance failure, organizational psychology, skip-level meetings, change management, CEO bubble, interpreting upwards, informal influencers, psychological safety, organizational intelligence

CRA COUNTDOWN: Change Management: From Paralysis to Progress

Six months ago, I worked with a healthcare technology company that had everything CRA compliance requires on paper: executive sponsorship confirmed, steering committee formed, product inventory complete, SBOM tools selected, documentation templates created. Six months of planning. Six months of meetings. Six months of preparing to prepare. When I asked how many products had achieved conformity-ready status, the answer was zero. They had mistaken planning for progress. And September 2026 was now six months closer. In This Episode: * Why Knowledge Isn't the Barrier—Execution Is * CRA requires simultaneous changes across Engineering, Product, Security, Legal, Quality, and Documentation * Each function has competing priorities and limited capacity * Without structured change management, organizational capacity overwhelms and implementation stalls * The Three-Phase Implementation Roadmap * Phase One (Now → Early 2026): Governance, inventory, SBOM infrastructure, documentation systems * Phase Two (Mid-2026 → September 2026): PSIRT operationalization, vulnerability reporting workflows, 24-hour response verification * Phase Three (Late 2026 → December 2027): Complete documentation, conformity assessment, EU Declaration preparation * Quick Wins That Build Momentum * Week 1: Executive sponsor announcement * Week 2: Single business unit inventory * Week 3: First compliant SBOM * Week 4: Pilot product risk assessment * Week 6: Control mapping to existing frameworks * Week 8: Complete documentation package for pilot product * Week 12: Tabletop vulnerability exercise * Overcoming the Five Resistance Patterns * "We don't have time" → Explicit deprioritization decisions * "This isn't my responsibility" → RACI matrix clarity * "We already do this" → Evidence-based gap analysis * "The deadline is far away" → Phase gate accountability * "Let's wait for regulatory clarity" → Risk-based implementation * The Cost of Delay (Quantified) * 20 months remaining allows phased implementation * 14 months remaining requires 30% faster implementation * 8 months remaining requires 2.5x resource multiplication * Notified body calendars are filling NOW * Talent competition is intensifying * From Project to Operational Discipline * December 2027 isn't the finish line—it's the starting line * SBOM generation must become permanent pipeline capability * Vulnerability monitoring must become continuous * Documentation must be maintained as products evolve * Conformity must be reassessed when products change materially Your Fourteen-Day Action Plan: Days 1-3: Formalize executive commitment with documented engagement cadence Days 4-6: Identify specific individuals for CRA work with time allocation Days 7-9: Select three quick wins achievable in 90 days with owners and dates Days 10-12: Define Phase One milestones with specific completion dates Days 13-14: Prepare and distribute program kickoff communication Deliverables: 1. Documented executive commitment with engagement cadence 2. Named resource allocation with sponsor approval 3. Selected quick wins with owners and dates 4. Phase One milestone schedule 5. Program kickoff communication Ready to convert knowledge into action? The First Witness Stress Test reveals where your organization stands today—and builds the implementation roadmap that converts planning into progress. Stop preparing to prepare. Start executing. CRA implementation, CRA change management, compliance program execution, CRA roadmap, September 2026 compliance, CRA quick wins, compliance momentum, CRA phase gates, regulatory implementation, CRA operational discipline, compliance transformation, CRA program management

CRA COUNTDOWN: Episode 6: Healthcare and Finance: Your Sector-Specific Compliance Maze

A healthcare technology CEO told me last quarter that she wasn't worried about CRA because her products were medical devices regulated under MDR. She was half right. Her Class IIa infusion management system is indeed exempt from CRA product requirements. But the cloud platform that aggregates patient data from those devices? Not exempt. The mobile application clinicians use to monitor alerts? Not exempt. The integration APIs that connect to hospital EHR systems? Not exempt. Her MDR exemption protected one product. Her ecosystem has seventeen products in CRA scope that nobody was tracking. In This Episode: * Healthcare: Why Your MDR Exemption Is Narrower Than You Think * MDR exempts medical devices with medical purpose—not the digital ecosystem surrounding them * Cloud platforms, clinician dashboards, mobile alert apps, integration APIs: likely in CRA scope * The proposed MDR revision (COM(2025)1023): enhanced cybersecurity requirements coming for certified devices * Radio Equipment Directive (RED) overlay for WiFi/Bluetooth-enabled products * Finance: Why DORA Doesn't Satisfy CRA * DORA is entity-level regulation (your organization's ICT risk management) * CRA is product-level regulation (products placed on the market) * Your mobile banking app needs DORA compliance AND CRA compliance—separately * Financial industry exemption requests have not prevailed * The Silo Problem in Both Sectors * Healthcare: MDR teams lack DevSecOps velocity; IT Security lacks regulatory documentation expertise * Finance: DORA teams don't address product-level compliance; product teams operate outside regulatory structure * Result: competent functional performance producing collective compliance failure * The Integration Opportunity * ISO 27001 implementations provide ~60% CRA requirement coverage * Healthcare: Extend MDR QMS to cover CRA requirements * Finance: Map DORA ICT controls to CRA essential requirements * Organizations aren't starting from zero—they're closing specific gaps from established foundations * Sector-Specific Implementation Paths * Healthcare: Ecosystem inventory → QMS extension → Notified body harmonization → RED overlay * Finance: Product-vs-entity analysis → DORA-CRA mapping → Evidence integration → Dual reporting Your Fourteen-Day Action Plan: Days 1-3: Exemption analysis with documented regulatory rationale Days 4-7: Existing framework inventory (MDR QMS, DORA ICT, ISO 27001, NIST CSF) Days 8-11: Control mapping—CRA requirements vs. existing controls Days 12-13: Gap prioritization by examination risk and implementation effort Day 14: Integration strategy documentation for executive approval Deliverables: 1. Exemption analysis with documented rationale 2. Existing framework inventory 3. Control mapping showing CRA coverage percentage 4. Gap prioritization with preliminary roadmap Ready to map your regulatory overlaps? The First Witness Stress Test includes sector-specific analysis—mapping your existing MDR, DORA, or ISO 27001 controls against CRA requirements to reveal how much coverage you already have and where genuine gaps remain. Stop duplicating compliance effort. Start integrating it.  CRA MDR exemption, healthcare CRA compliance, financial services CRA, DORA CRA overlap, medical device regulation cybersecurity, CRA ISO 27001 mapping, integrated compliance framework, CRA healthcare ecosystem, fintech CRA requirements, connected medical devices, regulatory integration, CRA control mapping

CRA COUNTDOWN: Who Owns This? (The Accountability Nobody Wants)

I recently facilitated a CRA readiness meeting with a mid-size medical technology company. Present: the CISO, the VP of Engineering, the Chief Product Officer, the General Counsel, and the VP of Quality Assurance. I asked a simple question: "Who owns CRA compliance for your flagship monitoring platform?" Forty-five seconds of silence. Then the CISO said, "I assumed Product owned it." The CPO said, "We thought it was a security matter." The VP of Engineering said, "Legal never told us it was our responsibility." The General Counsel said, "We've been waiting for someone to tell us what Legal's role should be." That platform ships to thirty-two EU countries. Nobody owns its compliance. In This Episode: * The Accountability Diffusion Problem * CRA compliance touches eight functions—when everyone owns it, no one owns it * Each function optimizes for its own objectives; no function optimizes for CRA specifically * Competent functional performance producing collective compliance failure * The Four Accountability Gaps * Product lifecycle ownership discontinuity: who owns the product across 5+ years of support? * Cross-functional requirement translation: who converts CRA language into engineering specs, test cases, documentation requirements? * Evidence aggregation: who integrates outputs from multiple functions into examination-ready packages? * Conformity declaration authority: who signs, and do they have visibility into actual compliance status? * * The Three-Level Accountability Solution * Executive Sponsor: Named executive accountable for compliance outcomes—resolves resource conflicts, ensures priority, provides board visibility * CRA Program Owner: Operational coordination, roadmap management, cross-functional alignment, consolidated status reporting * Product Compliance Owners: Named individual accountable for each product's conformity, documentation completeness, evidence maintenance * * The Steering Committee Model * Cross-functional decision-making body, not a status meeting * Resolves conflicts individual functions cannot resolve alone * Weekly during implementation, bi-weekly during steady state * Chaired by Program Owner, executive sponsor attends monthly * * The RACI Framework * Product inventory: Product Management (R), Program Owner (A) * Risk assessment: IT Security (R), Product Compliance Owner (A) * SBOM generation: Engineering (R), Product Compliance Owner (A) * Technical documentation: Engineering/Tech Writing (R), Product Compliance Owner (A) * Conformity testing: Quality Assurance (R), Product Compliance Owner (A) * EU Declaration of Conformity: Legal (R), Executive Sponsor (A) * * Five Governance Pitfalls to Avoid * Assigning ownership without authority * Over-centralizing execution (creates bottlenecks) * Treating CISO as default owner (CRA is product safety, not just security) * Failing to define product-level owners * Governance without executive commitment Your Fourteen-Day Action Plan: Days 1-3: Confirm executive sponsorship with explicit CEO/executive team discussion Days 4-6: Identify/appoint CRA Program Owner with defined authority Days 7-9: Form Steering Committee, define membership and meeting cadence Days 10-12: Assign Product Compliance Owners for every in-scope product Days 13-14: Develop RACI matrix for key CRA activities Deliverables: 1. Documented executive sponsorship 2. Appointed Program Owner with defined authority 3. Formed Steering Committee with scheduled meetings 4. Assigned Product Compliance Owners for all in-scope products 5. RACI matrix defining cross-functional accountability Ready to establish CRA governance? The First Witness Stress Test includes governance assessment—identifying accountability gaps, mapping current ownership patterns, and recommending structures that convert functional activity into compliance outcomes. Stop assuming someone owns it. Start documenting who does. CRA governance, CRA accountability, compliance ownership, CRA program owner, executive sponsorship compliance, RACI matrix CRA, CRA steering committee, product compliance owner, regulatory accountability, cross-functional compliance, CRA organizational structure, compliance governance framework

CRA COUNTDOWN: Episode 4 -Documentation That Actually Survives an Audit

In January 2025, a German market surveillance authority examined twelve IoT manufacturers under existing CE marking requirements. Four couldn't produce documentation within the required timeframe. Three produced documentation that failed to demonstrate conformity. Two had documentation so disorganized examiners couldn't determine what had been tested. Only three manufacturers—twenty-five percent—provided documentation that satisfied examination. And this was before CRA requirements took effect. Market surveillance authorities won't inspect your codebase. They won't interview your developers. They won't observe your security practices. They will examine documentation—and documentation alone. In This Episode: * What Market Surveillance Actually Examines * Article 31: Authority to require documentation demonstrating conformity * Article 54: Ten-year minimum retention requirement * Why engineering documentation doesn't satisfy regulatory requirements * The Four CRA Documentation Annexes Decoded * Annex II: User information requirements (manufacturer ID, security risks, update sources, vulnerability reporting contact) * Annex V: EU Declaration of Conformity (the legal attestation creating personal liability) * Annex VII: Technical documentation (risk assessment, design specification, test results, production process, vulnerability handling) * Annex VIII: Conformity assessment procedures (documented internal assessment for Default category) * The Five Documentation Gaps That Fail Examination * Risk assessment without design traceability * Evidence chains without version control * Production process without conformity maintenance * Vulnerability handling without product-specific records * Support periods without formal definition or notification mechanism * Documentation as a System, Not a Collection * Document identifiers and explicit cross-references * Traceability matrices linking requirements → risks → design → tests → evidence * Integration with engineering workflows for automatic evidence generation * Distinct documentation ownership separate from engineering ownership * Retention infrastructure designed for ten-year horizons * The Six Required Documentation Types * Product Risk Assessment (with treatment decisions referencing design) * Design Specification (with requirement traceability matrices) * Test Plan and Results (with requirement coverage matrix) * Production Process Description (with continuous conformity evidence) * Vulnerability Handling Record (with timeline documentation) * EU Declaration of Conformity (with authorized signatory) Your Fourteen-Day Action Plan: Days 1-3: Documentation inventory for priority product Days 4-6: Gap analysis against CRA requirements using six document types Days 7-9: Traceability assessment—trace one requirement through full evidence chain Days 10-12: Workflow integration analysis—identify automation opportunities Days 13-14: Documentation roadmap draft with prioritized improvements Deliverables: 1. Documentation inventory 2. Gap analysis against CRA requirements 3. Traceability assessment identifying where evidence chains break 4. Prioritized documentation roadmap Ready to assess your documentation gaps? The First Witness Stress Test includes comprehensive documentation assessment—revealing where your evidence chains break, where traceability fails, and what examination would expose. The organizations that discover gaps internally can remediate. The organizations that discover gaps during examination cannot. MAKE AN APPOINTMENT WITH ME TO PREPARE YOUR DOCUMENTATION APPROACH https://calendly.com/verbalalchemist/30min [https://calendly.com/verbalalchemist/30min] CRA documentation requirements, CRA technical documentation, Annex VII documentation, EU Declaration of Conformity, market surveillance examination, compliance evidence, regulatory documentation, CRA audit preparation, ten-year retention, risk assessment traceability, conformity assessment documentation, CRA Annex II user information