Six Months to Approve a Tool
The approval process isn’t protecting you. It’s training people to work around you.
I get approvals. I do. Security needs a say. Legal needs a say. Compliance needs a say. Fair enough.
But somewhere along the line, we’ve added the farmer, the bloke on the corner, someone’s nan, and a guy who left the company in 2019 but still has his name on a sign-off form.
And now it takes six months to get a tool approved.
Six months.
You know what happens in six months? The tool you wanted has shipped three major updates. The problem you were trying to solve has mutated into something else. And the person who raised the request has either found a workaround or quietly given up.
Here’s the thing about workarounds: they’re not rebellion. They’re not people being reckless or ignoring security. They’re people with jobs to do and deadlines that don’t care about your approval queue.
Why wait half a year when there’s a free tier? Why wait for sign-off when there’s a browser extension that does the same thing? Why follow the process when the process feels like it was designed by someone who’s never actually had to use it?
The workaround wins. Every time.
Not because it’s better. But because it’s there.
The process exists because it existed yesterday
Here’s what I reckon happens. Someone, at some point, created an approval workflow. It made sense at the time. Maybe there was an incident. Maybe there was an audit. Maybe someone just really liked Visio diagrams.
And then it stuck.
No one reviewed it. No one asked if it still made sense. No one checked whether the fourteen approvers were all still relevant. Or still employed. It just… persisted. Because that’s what processes do when no one’s paying attention.
Meanwhile, the tools changed. The risks changed. The way people work changed. But the approval form? Same as it was in 2017. Still asking for a “business justification” in a 500-character text box like that’s going to capture the nuance of anything.
Slow approvals don’t reduce risk. They relocate it.
This is the bit that gets me.
The assumption behind a lengthy approval process is that it’s protecting the organisation. More checks, more safety. More eyes, fewer mistakes.
But that only works if people actually follow it.
When the process is so slow that it becomes an obstacle rather than a safeguard, people stop using it. They find alternatives. They use personal accounts. They sign up with a different email. They do the thing anyway, just without telling anyone.
And now you’ve got the same risk. Maybe more. Except now it’s invisible.
The tool still gets used. The data still gets processed. The only difference is that security doesn’t know about it.
That’s not protection. That’s just a blind spot with extra paperwork.
What would actually help
I don’t have all the answers here. But a few things I’ve seen work:
Tiered approvals. Not everything needs the full gauntlet. Low-risk tools shouldn’t require the same scrutiny as something touching production data. Treat them differently.
Time limits on decisions. If no one’s responded in two weeks, escalate or auto-approve with conditions. Silence shouldn’t mean “wait forever.”
Fewer approvers who actually matter. If someone’s on the list but hasn’t rejected anything in three years, maybe they don’t need to be there. Every additional approver is another bottleneck and another inbox where requests go to die.
Feedback loops. When someone finds a workaround, that’s data. That’s a sign the process failed before they did. Treat it as a signal, not a violation.
The uncomfortable truth
If your approval process is slow enough that workarounds are more attractive than compliance, you don’t have a people problem.
You have a process problem.
And the longer it takes to fix, the more your “approved” tooling list drifts away from what people are actually using.
Curious if others are seeing this. How long does it take to get a new tool approved where you work? And more importantly, do people actually wait… or do they just find another way?