They stall when the proposal is technically correct but organisationally misaligned. Teams may already own overlapping tools, fear workflow disruption, or see the project as extra overhead. If the control is not translated into their priorities and timing constraints, resistance can slow delivery even when the security rationale is sound.
Why This Matters for Security Teams
Cybersecurity programmes rarely stall because the risk is invisible. They stall because the business cost of action is immediate while the benefit is often deferred, distributed, or hard to attribute. That gap becomes sharper when teams already have overlapping tools, established workflows, or other change initiatives competing for the same budget and attention. The risk case may be sound, but the implementation case is not yet credible to the people who must absorb the work.
Practitioners also underestimate how often “good security” is interpreted as “extra process.” If a programme changes ticket queues, approval paths, exception handling, or ownership boundaries, it can trigger quiet resistance even without formal objections. Current guidance from the NIST Cybersecurity Framework 2.0 emphasises governance and outcomes, which is useful here: a programme succeeds when it is tied to decision rights, accountability, and measurable operational value, not just technical correctness.
In practice, many security teams encounter friction only after the new control has collided with service delivery, rather than through intentional alignment of priorities and operating models.
How It Works in Practice
Strong programmes move from a risk statement to an operational design that fits the organisation’s rhythm. That means translating “reduce exposure” into the language of service availability, audit readiness, incident reduction, customer trust, or regulatory deadline management. The same control can be received very differently depending on whether it is framed as a one-time project, a permanent process change, or a compensating control for an accepted risk.
A practical rollout usually needs three layers:
- Ownership: named business and technical owners, with explicit decision rights for exceptions and escalation.
- Integration: alignment with existing tooling, change windows, and support processes so the control is not introduced as a separate lane.
- Proof: a short path to evidence, such as reduced attack paths, better logging coverage, or fewer high-risk exceptions.
For threat-driven programmes, teams should anchor the proposal in real attacker behaviour and likely abuse paths. That is where resources such as CISA cyber threat advisories and the MITRE ATLAS adversarial AI threat matrix help translate abstract risk into observed tactics and control priorities. If AI-enabled workflows are involved, current guidance also suggests checking whether the programme affects model use, prompt pathways, or agent execution authority, because those changes can introduce new approval, monitoring, and logging requirements. These controls tend to break down when implementation depends on manual coordination across siloed teams because ownership, queue time, and exception handling become the bottleneck.
Common Variations and Edge Cases
Tighter control design often increases coordination overhead, requiring organisations to balance risk reduction against delivery friction. That tradeoff becomes especially visible in large estates, outsourced operations, or environments with heavy regulatory reporting, where every additional approval or integration step can slow deployment.
There is no universal standard for this yet, but best practice is evolving toward “minimum viable friction.” That means choosing the smallest control set that materially reduces exposure, then expanding only when the initial guardrails prove workable. In some programmes, the real issue is not resistance to security itself but fatigue from repeated initiatives that do not retire old controls or simplify user effort.
Edge cases matter. A control that works well in a centrally managed enterprise may fail in a highly federated environment, in a fast-moving product team, or where third-party operators own critical workflows. In those settings, current guidance suggests focusing first on incentives, integration points, and exception governance. If a programme touches AI-assisted operations, the Anthropic — first AI-orchestrated cyber espionage campaign report is a reminder that new tooling can change both attack surface and workflow trust assumptions. For mature control baselines, ISO/IEC 27002:2022 Information Security Controls remains useful when the goal is to map a programme to a broader, audit-friendly control set without overengineering the rollout.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATLAS address the attack and risk surface, while NIST CSF 2.0, CIS Controls v8, NIST AI RMF and NIST AI 600-1 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV | Governance and oversight explain why risk cases still fail to convert into action. |
| CIS Controls v8 | 4 | Controlled use of enterprise assets and software helps reduce overlap and resistance. |
| NIST AI RMF | GOVERN | AI-enabled programmes need explicit governance to align risk, accountability, and change impact. |
| MITRE ATLAS | Adversarial AI threat paths help justify controls where AI increases exposure. | |
| NIST AI 600-1 | GenAI guidance is relevant where the programme affects AI workflows or agent behaviour. |
Tie the programme to ownership, oversight, and measurable outcomes before asking teams to execute.
Related resources from NHI Mgmt Group
- Why do healthcare passwordless programmes often stall even when leaders support them?
- Why do passwordless programmes stall even when deployment rates are high?
- Why do VPNs create risk even when they use strong encryption?
- Why do account takeovers create fraud risk even after strong onboarding checks?