Skip to content
セキュリティとガバナンス

Why 80% of Developers Bypass Security Policy, and Why Blaming Them Misses the Point

~80% of developers bypass security policy. For CISOs, that's a control-design failure, not a discipline problem. Why advisory governance fails at AI scale, and the fix.

Zof Reliability Team · エンジニアリング & プロダクト

2025年1月14日 · 読了時間 7 分 · 2025年1月14日 更新

Share
01

The bypass rate is a verdict on your controls, not your people

When roughly four in five developers route around a guardrail, the standard response is to treat it as a discipline failure: more secure-coding training, a stricter PR template, another mandatory checkbox, a quarterly reminder from the security org. Each of these assumes the problem is that engineers do not know the rule or do not care enough to follow it.

That assumption almost never survives contact with the data. Developers bypass policy because following it is expensive at exactly the moment they can least afford expense. A required threat model competes with a feature due Friday. A "run the full SAST scan before merge" step competes with a pipeline that is already slow and a backlog that is already late. A break-glass override exists precisely because the governed path sometimes blocks legitimate work, and once break-glass is normalized, it becomes the path.

The uncomfortable reframe for a CISO is this: the bypass rate is the most honest audit of your security program you will ever get. It tells you, change by change, where compliance costs more than non-compliance. You can keep treating that as insubordination, or you can treat it as a design spec. The teams that lower their real-world risk do the second thing.

A useful diagnostic question for any control your team owns: where does it physically sit relative to the action it governs, and how long does it take? If the honest answer is "in a policy document the engineer is expected to remember, and it adds twenty minutes," you do not have a control. You have a suggestion with an audit trail, and the audit trail mostly records the suggestion being ignored.

02

Why a tolerable tax just became an unacceptable exposure

For most of software history, policy bypass was a manageable cost. A skipped review here, an unrun scan there, absorbed by humans who roughly understood the blast radius of their own changes. The volume was human-paced, and so was the risk.

That assumption is breaking under the weight of two numbers. Industry research now puts roughly 41% of codebases as AI-generated, and finds that around 45% of AI coding tasks introduce critical flaws or security issues. Read those together and the implication for a security org is stark. A large and growing share of the code entering your repositories is produced by something that does not read your secure-coding standard, does not feel deadline pressure, and does not pause at a checklist, and a meaningful fraction of that output ships exploitable defects by default.

The old bypass problem was humans skipping rules they understood. The new one is machine-speed generation producing volume faster than any advisory control can inspect it. The cost of poor software quality is already estimated near $2.41 trillion, and a rising portion of that is security debt accruing at a rate no review board can keep pace with by hand.

This is the part that should change how a CISO allocates attention. When generation was the bottleneck, the security org could afford controls that were slow because the inflow was slow. That equilibrium is gone. If your policy is not enforced at the point of action, the gap between what your policy says and what actually ships now widens with every AI-assisted commit. At this scale, advisory governance is not weak security. It is the appearance of security, which is worse, because it is what you report upward.

03

Stop ranking everything; rank what is reachable

There is a second, quieter reason developers route around security gates: most of what those gates flag does not matter, and engineers know it. A scanner that returns hundreds of findings, the overwhelming majority of which are not exploitable in your actual deployment, does not produce diligence. It produces alert fatigue, and alert fatigue produces bypass. When the signal-to-noise ratio of a control is bad enough, ignoring it becomes the rational engineering choice.

The fix is not a louder scanner. It is prioritization grounded in reachability: which vulnerabilities are actually reachable and exploitable along a real path in your running system, given how your services and dependencies are actually wired. Reachability-based prioritization can mean 70 to 90% less exploitable exposure to triage, because you stop spending human judgment on findings that cannot be reached. That has two effects that compound. It shrinks the genuine risk surface, and it restores the credibility of the gate, because every time it fires, it is firing on something that matters.

A control developers trust is a control developers stop bypassing. Credibility is not a soft virtue here. It is the mechanism by which a security gate survives contact with a deadline.

04

Make the governed path the fast path

The contrarian core of all of this: you do not reduce bypass by raising the cost of skipping. You reduce it by lowering the cost of complying below the cost of the workaround. Enforcement that fights the engineer loses over time, because motivated people under pressure always find a more creative skip. Enforcement that runs faster than the workaround wins quietly, every day, with no reminder required.

For a security organization, that reframes the entire job. You are not trying to police developers into compliance. You are trying to make the secure path the path of least resistance, so that doing the right thing requires no willpower. Three properties make a control hold:

  • It executes rather than instructs. The check runs automatically inside the workflow, not as a step a human must remember to perform.
  • It is change-aware, not blanket. A control that knows what actually changed runs narrowly and proportionately; a one-line config edit and a refactor of the authentication path are not treated as equal risk.
  • It is faster than the workaround. If the governed path adds friction measured in seconds and surfaces only reachable risk, it sticks. If it adds an hour of noise, it gets disabled under load.

That last point is where most well-intentioned security programs quietly die. Gates that ignore context punish every change equally, so they get skipped exactly when the system is moving fastest, which is exactly when risk is highest.

05

What a control layer does about it

This is the gap a control layer is built to close. Instead of security policy as documentation that hopes to be read, it makes policy executable: a single governed plane that sits between intent and production and decides, on every change, what may proceed and what needs a human.

Concretely, a few things have to work together. It needs a live model of the system. A System Graph that maps services, dependencies, and CI/CD is what makes validation change-aware and reachability-aware, so enforcement is proportionate instead of punishing. It needs validation that adapts as the system evolves, because static scripts rot and a rotting gate is a bypassed gate; Testing Fleets plan, execute, and maintain validation as systems change rather than decaying into noise.

And it needs a clear authorization boundary. The governing principle is that agents propose and humans authorize. When a change, human or machine, falls outside policy, the control layer does not silently fix it and does not silently wave it through. It produces a proposal with evidence and routes the decision to someone with the authority to make it. Low-risk changes flow; genuinely risky ones pause. A serious enterprise does not want more autonomous AI it cannot see. It wants control. Every decision is captured as audit-ready evidence by default, and for regulated or sensitive environments, Edge Runners let this run inside your own boundary so governance does not require your code or data to leave it. The deeper economics of this shift are worth a read in the security debt crisis.

06

The bottom line

続きを読む

01Zof Console

姿勢、操作、次に注意が必要なことを 1 つの面で確認できます。

エンジニアリング、QA、SREの各チームが毎日開く認証済みのホーム。品質の姿勢、進行中の実行、モジュールごとのカバレッジ、そして次に注目すべきことが分かります。

運用上の KPI

実行数、カバレッジ、リスク

出荷先のあらゆる環境に対応します。

ワークスパイン

仕様・テスト・スケジュール

仕様から計画された回帰まで。

ガードレール

RBAC・SSO・監査

指定された人間に起因するすべての行為。

LIVE/console
Zof AI ホーム コマンド センターには、94% パスでの 12 件の実行、3 つの未解決の重大な問題、84% のカバレッジ、4 つのモジュール トレーサビリティ バー、仕様パイプライン、今後のスケジュール、アクティブ実行サイドバー付きの推奨される次のアクションが表示されます。
ホーム ビュー · チェックアウト サービス · ステージング · 製品からライブでキャプチャ。
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Why 80% of Developers Bypass Security Policy, and Why Blaming Them Mis