> In these situations your "egoless domain experts" might actually need the authority to force these things to stop, or might get burnt out spending all their time firefighting or playing hero.
The broader approach here is to encourage frameworks where changes must go through policy-as-code frameworks. SMEs write policy that is then enforced (or just warned, for some period ahead of enforcement) by the policy framework. Policies can encode exceptions, but changes to policy (i.e. to add exceptions) require SME review. The benefit is - stuff that passes policy doesn't require explicit review, so in the normative case autonomous teams are not slowed down, and when they are (due to policy failure), then it is for Good Reasons.
> Mandatory code review isn't a "feel-bad program", it's precisely to guard against disasters like this (also I'm pretty sure it's literally required by SOX/SOC2 and I'd certainly want my software vendors to implement this).
High-trust environments trust engineers to understand the difference between "this is a serious change so I need someone to review it" and "I'm just fixing a typo here so I'm going to rubber-stamp it." But yes, SOC2 requires mandatory code review, tickets, the lot. Yes, it slows things down, but that is the price you pay to become a Serious Enterprise Vendor. No, it doesn't fundamentally erode high-trust culture. People can just mark their MRs as "I need a rubber stamp" and find someone else to rubber-stamp them.
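As an added illustration of the policy-as-code gate described in the comment above (this is example code, not anything from the thread or a specific product), the sketch below evaluates a merge request against SME-written policies. Changes that pass policy are auto-approved with no human review; violations either block (enforce mode) or only warn (the grace period before enforcement); exceptions are encoded in the policy itself; and edits to the policy files themselves always require SME approval, so a team cannot self-grant an exception. All group names, paths and globs are constructed for the example.

```python
"""Toy policy-as-code gate for a merge request (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch


class Mode(Enum):
    ENFORCE = "enforce"   # violation blocks the merge
    WARN = "warn"         # violation is reported but the merge proceeds


@dataclass(frozen=True)
class Change:
    author: str
    paths: frozenset                      # files touched by the MR
    reviewers: frozenset = frozenset()    # approvals already on the MR


@dataclass
class Policy:
    name: str
    protected_globs: tuple                # paths the policy guards
    required_group: str                   # SME group whose approval satisfies it
    mode: Mode = Mode.ENFORCE
    exceptions: tuple = ()                # (author, glob) pairs encoded in the policy


# Hypothetical SME group membership; a real system would read this from the
# identity provider or a CODEOWNERS-style file rather than hard-coding it.
GROUPS = {
    "security-sme": {"alice"},
    "platform-sme": {"bob"},
}

# Hypothetical location of the policies themselves: edits here are the one
# change class that always needs an SME, regardless of what else passes.
POLICY_FILES = ("policy/*.py",)

POLICIES = [
    Policy("iam-changes", ("infra/iam/*",), "security-sme"),
    Policy("deploy-pipeline", ("ci/*",), "platform-sme", Mode.WARN,
           exceptions=(("bob", "ci/README.md"),)),
]


def _matches(path, globs):
    return any(fnmatch(path, g) for g in globs)


def _approved_by(change, group):
    return bool(GROUPS.get(group, set()) & change.reviewers)


def evaluate(change, policies=POLICIES):
    """Return (decision, findings); decision is auto-approve, warn or block."""
    findings = []
    decision = "auto-approve"

    # Rule 0: changing policy (e.g. adding an exception) requires SME review.
    policy_edits = [p for p in change.paths if _matches(p, POLICY_FILES)]
    if policy_edits and not any(_approved_by(change, g) for g in GROUPS):
        findings.append(("policy-change", Mode.ENFORCE, sorted(policy_edits)))
        decision = "block"

    for pol in policies:
        hit = [p for p in change.paths
               if _matches(p, pol.protected_globs)
               and not any(change.author == a and fnmatch(p, g)
                           for a, g in pol.exceptions)]
        if not hit or _approved_by(change, pol.required_group):
            continue                      # nothing guarded touched, or SME signed off
        findings.append((pol.name, pol.mode, sorted(hit)))
        if pol.mode is Mode.ENFORCE:
            decision = "block"
        elif decision == "auto-approve":
            decision = "warn"             # warn never overrides an earlier block
    return decision, findings


if __name__ == "__main__":
    # Typo fix in docs: no policy touched, no reviewer needed.
    print(evaluate(Change("carol", frozenset({"docs/README.md"}))))
    # IAM change without a security SME approval: blocked.
    print(evaluate(Change("carol", frozenset({"infra/iam/roles.tf"}))))
```

The point of the design is in the two branches at the end: only the policy author's chosen mode decides whether a finding costs the team a review, and the one class of change that is never auto-approved is an edit to the policy itself.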