Governance as Bullshit Filter: AI & Cyber Decisions

The Bullshit Problem in AI and Cybersecurity
Across mid-sized companies, we're witnessing a growing phenomenon: The biggest risk in AI and cybersecurity decisions isn't lack of knowledge, but the flood of half-truths, vendor promises, and unsubstantiated best practices.
Brandolini's principle, also known as the Bullshit Asymmetry Principle, captures it perfectly: It takes an order of magnitude more energy to refute nonsense than to produce it. While a vendor claims in five minutes that their tool will "solve all security problems," you need hours or days to verify, question, and refute that statement.
The Daily Reality in Mid-Sized Companies
Decision-makers face daily confrontations with:
- Vendor pitches with grand promises lacking substance
- LinkedIn hype about AI tools supposedly revolutionizing everything
- Supposed compliance shortcuts that don't deliver upon closer inspection
- Best practices torn from context and expected to be adopted without adaptation
The result: Hours of discussion leading to shaky decisions. Decisions built on sand that won't hold up when things get serious.
Governance as a Pragmatic Bullshit Filter
Governance isn't a bureaucratic monster, but a filter for better decision hygiene. Properly understood and implemented, governance protects you not just from compliance risks, but above all from bad, expensive, and risky decisions.
The difference lies in the approach: Don't view governance as a mandatory exercise, but as a systematic mechanism to separate wheat from chaff. It's about decision hygiene in regular operations.
Five Pragmatic Building Blocks for Your Governance Filter
1. Claim-to-Evidence Requirement: Assertions Need Proof
Every substantial statement must be backed by evidence and disclosed assumptions. Specifically, this means:
Example AI Tool: "Our AI chatbot reduces support tickets by 40%"
Required Evidence:
- Which study or pilot project does this figure come from?
- Which ticket types were measured?
- What prerequisites (data basis, training, integration) were in place?
- Which comparable companies have achieved similar results?
Example Security Tool: "Tool X makes your company secure"
Critical Questions:
- Against which specific threats does the tool protect?
- Which attack vectors remain uncovered?
- What false-positive rate should be expected?
- What resources are required for operation and monitoring?
Make it a binding rule: No evidence, no budget, no approval, no decision.
2. One-Pager Decision Memo: Clarity Over Slide Decks
Replace 50-page PowerPoint presentations with structured one-page memos containing these mandatory elements:
Structure of a Decision Memo:
- Problem: What exactly are we solving? (2-3 sentences)
- Options: Which alternatives have we evaluated? (including "do nothing")
- Risks: What can go wrong? With what probability?
- Costs: Total Cost of Ownership over 3 years (not just license costs)
- Measurable Impact: Which KPIs improve and by how much?
- Recommendation: Clear statement with rationale
The constraint of brevity creates clarity. If you can't present your case on one page, you haven't fully thought it through yourself.
3. Clarify Roles: Owner and Challenger
Create clear accountabilities instead of committee democracy:
The Owner:
- Drives the decision
- Bears responsibility for the outcome
- Delivers the decision memo
- Makes a concrete proposal
The Challenger:
- Objects in a structured and constructive manner
- Questions assumptions and evidence
- Typically from Security, Legal, Privacy, or IT Operations
- Has explicit veto power on compliance violations
Important: Not "everyone gets to have their say," but defined roles with clear mandates. The Challenger isn't a blocker but the quality assurance for your decision.
4. Definition of Done for AI and Security
Make it measurable when an implementation is truly complete. Paper concepts aren't enough.
Definition of Done for AI Projects:
- Documented decision criteria and thresholds
- Conducted hallucination checks with defined test scenarios
- Bias tests on relevant dimensions (fairness, discrimination)
- Implemented monitoring with alerts
- Escalation paths for problematic outputs
- Documented data sources and training foundations
Definition of Done for Cybersecurity Measures:
- Evidence that controls actually work, from independent tests (not a vendor self-check)
- Conducted incident response exercises with protocol
- Evidence of actual patch-management practice (not just the written policy)
- Working and tested backup restoration
- Monitoring dashboard with defined thresholds
- Escalation and responsibility matrix
Only when these criteria are met is a project considered complete. Not when the budget is exhausted.
5. Traceability as Standard: Decision Log and Risk Acceptance
Document decisions in a structured way. This saves massive time when things get serious (audit, incident, legal dispute).
What Belongs in the Decision Log:
- Date and involved persons
- Decision subject and context
- Evaluated options with assessment
- Chosen option with rationale
- Explicit risk acceptance for identified residual risks
- Next review dates
Particularly important: Written risk acceptance by the responsible leadership level. If a residual risk is consciously accepted (e.g., delayed patching due to production schedules), this must be documented and accepted by the appropriate level.
The Business Value: Why the Effort Pays Off
These governance mechanisms aren't additional bureaucracy but an investment in:
Faster Decisions: Clear criteria reduce endless discussion loops
Better Decision Quality: Evidence-based decisions lead to measurable improvements
Reduced Risk: Documented risk acceptance protects during audits and in case of damage
Fewer Wrong Purchases: See through vendor hype before you invest
Legal Certainty: Demonstrably compliant with GDPR, NIS2, AI Act, and other regulations
First Steps: How to Implement Your Bullshit Filter
- Choose a pilot area: Start with AI tool evaluations or security investments, for example
- Define 2-3 evidence rules: What must be proven at minimum in your organization?
- Establish the one-pager format: Implement it consistently for the next three decisions
- Designate Owner and Challenger: Make the roles explicit
- Start a Decision Log: A simple structured document suffices initially
Practical Implementation in Your Organization
Let's look at a concrete example of how this plays out:
Scenario: Your IT department proposes implementing an AI-powered security tool.
Without Governance Filter:
- Vendor presents impressive demo with bold claims
- 3-hour meeting with circular discussions
- Decision delayed because "we need more input"
- Eventually approved based on vendor promises
- Six months later: Tool doesn't deliver, expensive replacement required
With Governance Filter:
- Claim-to-Evidence: Vendor must provide case studies, independent test results, proof of claimed detection rates
- One-Pager: IT delivers structured memo comparing three options, including TCO and measurable security improvements
- Owner/Challenger: IT owns, Security challenges assumptions, Legal reviews compliance aspects
- Definition of Done: Clear criteria including successful test against your specific threat landscape
- Decision Log: Documented decision with identified limitations and accepted residual risks
- Result: Clear decision in one focused meeting, realistic expectations, measurable success criteria
Addressing Common Objections
"We don't have time for this." You don't have time NOT to do this. Each poorly made decision costs more time in corrections, discussions, and failures than proper upfront hygiene.
"This seems too rigid for our agile culture." Evidence requirements and clear roles actually enable agility. They prevent getting stuck in endless debates and enable faster, confident decisions.
"Our leadership won't accept written risk acceptance." That's precisely the point. If leadership isn't willing to explicitly accept a risk, you shouldn't be taking it. This mechanism surfaces hidden disagreements before they become problems.
The Competitive Advantage of Decision Hygiene
Companies that master decision hygiene gain significant advantages:
Speed: While competitors debate, you decide and execute
Resource Efficiency: Budget flows to initiatives with proven impact, not vendor favorites
Resilience: When incidents occur, you have documented decisions and accepted risk positions
Regulatory Readiness: With NIS2, AI Act, and evolving cyber regulations, documented governance isn't optional
Talent Attraction: Smart professionals want to work where decisions are rational and evidence-based, not political
Conclusion: From Noise to Signal
In a world full of AI hype and cyber threats, structured decision hygiene isn't a luxury but a necessity. Companies that establish pragmatic governance mechanisms today make better, faster, and more resilient decisions tomorrow.
Mid-sized companies don't need complex enterprise governance frameworks. They need pragmatic filters that separate bullshit from substance. The five building blocks presented here are exactly that: Effective, implementable, and immediately deployable.
The decisive question isn't whether, but how quickly you establish these mechanisms. Because every day without a filter costs you unnecessary discussions, time, money, and nerves.
Which 2-3 evidence rules would make the biggest difference in your company? And what's stopping you from making them binding starting tomorrow?
