DEV Community

Martin Nicolas Sanchez Morales
Martin Nicolas Sanchez Morales

Posted on

What If We’ve Been Doing Software Governance Wrong This Whole Time?

`# What If We’ve Been Doing Software Governance Wrong This Whole Time?

I know. Big claim.

But hear me out.

We’re really good at tracking systems.
Like, really good.

  • logs
  • metrics
  • traces
  • event streams

We can replay what happened down to the millisecond.

But then something breaks — not just a bug, but something messy —
and suddenly the question changes:

not what happened
but why did we allow this to happen?

And that’s where things get weird.

The thing we don’t model

There’s one thing almost no system treats as a real, first-class object:

👉 the human decision behind a change

We assume it exists somewhere:

  • “it was approved”
  • “we talked about it”
  • “it’s in a ticket”

But inside the system?

It’s gone.

So what do we actually have?

We have systems that can tell you:

✔ what changed
✔ when it changed
✔ how it changed

But not:

❌ who decided
❌ under what reasoning
❌ whether that decision even existed

That’s not a bug

That’s a missing layer.

And it gets worse with AI

Now we’re building systems that:

  • generate code
  • trigger actions
  • chain decisions

And we’re still logging like it’s 2010.
We’re capturing outputs…

but not the decision boundary that allowed them.

The uncomfortable realization

We’ve been building systems that can explain everything…

except responsibility.

What I’ve been working on

I’ve been exploring this as a structural problem, not a tooling one.

The idea is simple:
What if decisions were part of the system?

Not comments.
Not tickets.
Not “somewhere else”.

But bound to the execution itself.

Minimal model

That leads to something very small, almost boring:

  • append-only logs
  • evidence that includes presence and absence (E+ / E−)
  • explicit decision events (HUMAN_DECISION)

That’s it.

No framework.
No magic.

Just a missing primitive.

Why this matters

If a system can’t reconstruct:

who allowed a change and why
Then it’s not fully auditable.
And if it’s not auditable…

you don’t actually control it.

I wrote this up

Paper:

“The Missing Decision Layer: Structural Failure in Information Systems and the Case for a Minimal Governance Kernel”

👉 https://doi.org/10.5281/zenodo.19709093

Curious

How are you handling this today?

  • approvals in code?
  • logs + tickets?
  • just trust? 😅

Because I’m starting to think:

👉 we’ve been solving observability
👉 but ignoring authority

And that gap is going to matter more than we think.
`

Top comments (0)