Control Decay

Your last audit was clean. So was the one before that. And then something happened anyway. In modern enterprises, controls rarely fail outright. They continue to operate, pass their tests, and produce their evidence. What changes is the world the controls were designed to govern — and that world is now governed by engineering, security, and operations teams moving faster than any assurance cycle was built to follow. This book introduces the concept of control decay: the gradual erosion of control effectiveness as the operating environment around a control evolves while the control itself does not.

Developed through analysis of consequential cases, including the Silicon Valley Bank collapse, the CrowdStrike outage of July 2024, and the Boeing 737 MAX MCAS case, the book presents C-DRAFT, a diagnostic framework that names six structural forces producing decay: Change Velocity, Dependency Drift, Role Dilution, Automation Opacity, Framework Lag, and Testing Illusion.

Established standards enforce and verify controls. They were not designed to detect when a control's design assumptions have drifted from the environment the control was meant to govern. C-DRAFT addresses that specific gap. Rather than replacing established standards such as COSO, COBIT, NIST, or ISO, or the security, engineering, and risk management frameworks organizations rely on day to day, C-DRAFT provides a shared lens through which audit, security, technology, engineering, and risk can read the same control environment. The focus is relevance, not compliance expansion. Control decay is everywhere. What it has lacked, until now, is a unified framework that can diagnose and respond to it.

What You Will Learn

• How to detect control decay before it produces a failure, using a diagnostic the existing frameworks were not built to provide
• How cloud, AI, automation, and third-party dependencies accelerate decay, and how to govern each one without expanding compliance
• How audit, security, technology, and risk can read the same control environment through a shared lens and stop duplicating each other

Who This Book is For

This book is written for professionals responsible for evaluating, designing, or relying on control effectiveness in modern enterprises. Internal auditors, technology auditors, cybersecurity professionals, risk managers, GRC leaders, and assurance advisors will find practical guidance, as will technology and security leaders who rely on audit and risk outcomes to understand why their controls behave as they do.