Drift between documented governance and actual system behavior. Accumulates through rational exceptions until the documented process becomes fiction and the real process is untraceable.
A production fix bypasses the change control process. A reconciliation is done manually in a spreadsheet because the automated check is too slow. An approval chain is skipped because the approver is unavailable and the deadline is real. Each exception is rational in isolation. Over time, the exceptions become the process, and the documented process becomes fiction.
Symptoms that indicate governance drift is active.
Governance drift creates two kinds of exposure. The first is regulatory and audit risk, an organization cannot demonstrate that its controls match its operations. The second is operational risk, decisions are being made on infrastructure whose actual behavior is unknown. When a material event occurs, the organization discovers simultaneously that its documentation is wrong, its ownership boundaries are unclear, and its recovery procedures assume a system state that no longer exists.
Remediation starts with mapping actual system behavior, not aspirational architecture, but what is running today, who touches it, and what controls are in place. From that baseline, we reinstate explicit control surfaces: ownership boundaries that match infrastructure reality, change control that operates at the speed the business requires, and supervisory structures that generate evidence as a byproduct of normal operations rather than a separate compliance exercise.
Governance drift was a defining challenge in our institutional energy trading engagement, where years of incremental exceptions had decoupled documented controls from the systems they governed. The remediation approach we applied there became the foundation for our Governance and Aggregation mandates.