I reviewed a governance program that had more than 100 policies. They were well written and organized under a taxonomy. They had owners, review dates, and version history.
The institution had zero mechanisms.
When an auditor asked "how does this access review control actually work?" the answer was a policy document that said access reviews are conducted quarterly. When the auditor asked for evidence the Q2 review had completed, the answer was a spreadsheet someone had started but never finished. When the auditor asked what happens when a manager fails to complete their review on time, the answer was silence.
This is governance theater.
An impressive collection of documents that satisfies the appearance of governance without producing any of its substance. It is the single most common failure mode I have seen at regulated institutions of every size.
The Design Failure Nobody Talks About
Policies are necessary. They establish intent, define boundaries, and create the authoritative basis for governance. I am not arguing against policies. I am arguing that most organizations stop at the policy layer and call it done, and that this is a design failure, not an effort failure.
A policy is a declaration of what should happen.
A control is an enforceable activity that makes it happen.
A mechanism is the designed, repeatable system that produces predictable governance outcomes.
Most governance programs conflate all three. They write a policy, call it a control, and wonder why the auditor issues findings.
Pick any policy in your governance program. Trace it forward. Can you identify the specific control that enforces it? Can you identify the mechanism that makes that control repeatable and evidence-generating? Can you point to the artifact that proves the control executed last quarter? If the answer to any of those questions is no, you have a policy. You do not have a governance program.
What a Mechanism Actually Looks Like
The distinction is not semantic. It is structural. Let me make it concrete with an example everyone in banking recognizes: the access review.
Policy
"All user access must be reviewed quarterly." This declares intent. It is a boundary. It tells the organization what should happen.
Control
"Managers must certify or revoke each entitlement assigned to their direct reports within 14 calendar days of campaign launch." This specifies the enforceable action. It has a who, a what, and a timeline.
Mechanism
"The IGA platform auto-generates quarterly review campaigns scoped to the authoritative HR feed. Campaigns route to the manager of record. Non-responses escalate to the manager's supervisor at day 10. Uncertified entitlements auto-revoke at day 15. Completion evidence logs to the governance repository with timestamps, decisions, and escalation records."
That is a mechanism. It is designed. It is repeatable. It produces predictable outcomes regardless of whether any individual manager is disciplined or forgetful. And it generates its own evidence as a byproduct of operation, not because someone remembered to update a spreadsheet afterward.
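As an added illustration (not code from the article or any IGA product), the mechanism above reduced to a small model: campaign items come from a constructed HR-feed snapshot, only the manager of record can decide, non-responses escalate at day 10, stragglers auto-revoke at day 15, and every state change writes its own evidence record. Entitlement field names and the sample users are assumptions.

```python
from dataclasses import dataclass, field
ESCALATE_DAY, REVOKE_DAY = 10, 15  # the article's day-10 escalation and day-15 auto-revoke

@dataclass
class Entitlement:
    user: str
    manager: str       # manager of record, from the authoritative HR feed
    supervisor: str    # escalation target for non-response
    resource: str
    state: str = "pending"   # pending | certified | revoked | auto_revoked

@dataclass
class Campaign:
    items: list
    evidence: list = field(default_factory=list)   # the governance repository
    def log(self, day, event, **detail):
        # Evidence is a byproduct of operation, never written up afterwards.
        self.evidence.append({"day": day, "event": event, **detail})
    def decide(self, day, user, resource, decision, by):
        # The manager of record certifies or revokes one pending entitlement.
        for e in self.items:
            if (e.user, e.resource, e.state) == (user, resource, "pending"):
                if by != e.manager:
                    raise PermissionError(f"{by} is not the manager of record")
                e.state = decision
                self.log(day, decision, user=user, resource=resource, by=by)
                return
        raise LookupError(f"no pending entitlement for {user}/{resource}")
    def tick(self, day):
        # End-of-day processing: escalate non-responses, auto-revoke stragglers.
        for e in self.items:
            if e.state != "pending":
                continue
            if day >= REVOKE_DAY:
                e.state = "auto_revoked"
                self.log(day, "auto_revoked", user=e.user, resource=e.resource)
            elif day == ESCALATE_DAY:
                self.log(day, "escalated", user=e.user, manager=e.manager, to=e.supervisor)

def run_campaign(items, decisions, last_day=REVOKE_DAY):
    # decisions: {day: [(user, resource, decision, manager)]}; applied before the day's tick.
    campaign = Campaign(items)
    for day in range(1, last_day + 1):
        for args in decisions.get(day, []):
            campaign.decide(day, *args)
        campaign.tick(day)
    return campaign

def sample_items():   # constructed HR-feed snapshot, not real data
    return [Entitlement(*row) for row in [("alice", "bob", "carol", "core-banking-admin"),
            ("dave", "bob", "carol", "wire-approval"), ("erin", "frank", "carol", "loan-origination")]]
```

Running it with one manager who responds on time, one who responds only after escalation, and one who never responds yields a complete evidence trail without anyone filling in a tracker.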
When the Mechanism Layer Is Missing
When organizations skip the mechanism layer, here is what actually happens: someone in IT sends an email reminder about access reviews. Some managers respond. Others do not. The overdue list grows. Exceptions accumulate. Someone chases stragglers for three weeks. By the time the review "closes," the evidence shows partial completion, no enforcement of the timeline, and no consequence for non-compliance. The policy said quarterly. The control said 14 days. The reality is a six-week scramble that produces a half-finished spreadsheet.
That is the anatomy of an audit finding. Not because the policy was wrong. Not because the people were negligent. Because the mechanism was never designed.
The Governance Spine
The way to ensure policies produce outcomes and outcomes produce evidence is to trace every governance activity through five stages: Appetite, Strategy, Controls, Evidence, Reporting.
Risk Appetite
Defines the boundaries. What level of risk is the organization willing to accept, in which domains? This is the executive-level decision that all downstream governance traces back to.
Strategy
Translates appetite into investment. Which domains are prioritized? What maturity targets are set? What resources are allocated? Strategy connects risk tolerance to operational action.
Controls
The enforceable activities that execute the strategy. Each control must be traceable upward to a strategic objective and downward to an evidence artifact. Orphaned controls, ones that exist but cannot be connected to a risk appetite statement, are governance debris. They consume effort without advancing the program.
Evidence
The proof layer. Every control must generate its own evidence as a byproduct of operation. If a control requires a human to manually record that it happened, the evidence is an assertion, not proof. Assertions degrade. They have gaps. They are inconsistent. And under examination, gaps become findings.
Reporting
Translates evidence into governance intelligence for decision-makers. Reporting without evidence is storytelling. Evidence without reporting is invisible value.
The break test: pick any control. Trace it backward to a risk appetite statement. Trace it forward to an evidence artifact. If the spine is intact, both traces succeed. If the spine is broken (it usually is), the gap tells you exactly where to invest.
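The break test, as an added example that is not from the article: a constructed governance inventory laid out along the five stages, and a check that walks each control backward to an appetite statement and forward to evidence and reporting, flagging manual-assertion evidence as well as missing links. The identifiers and records are invented for illustration.

```python
# Constructed inventory, one dictionary per stage of the spine (not real data).
APPETITE = {"RA-1": "No standing privileged access without quarterly attestation",
            "RA-2": "Third parties handling customer data are risk-rated annually"}
STRATEGY = {"ST-1": {"appetite": "RA-1", "goal": "IGA campaigns for all in-scope apps"},
            "ST-2": {"appetite": "RA-2", "goal": "Vendor risk tiering"},
            "ST-9": {"appetite": "RA-7", "goal": "Dangling objective"}}   # bad appetite id
CONTROLS = {"C-1": {"strategy": "ST-1", "name": "Quarterly access review"},
            "C-2": {"strategy": "ST-2", "name": "Annual vendor assessment"},
            "C-3": {"strategy": None,   "name": "Weekly firewall rule review"},
            "C-4": {"strategy": "ST-9", "name": "Quarterly key rotation"}}
EVIDENCE = [{"control": "C-1", "artifact": "iga-campaign-Q2.json", "automated": True},
            {"control": "C-3", "artifact": "fw-review-tracker.xlsx", "automated": False},
            {"control": "C-4", "artifact": "kms-rotation-log.json", "automated": True}]
REPORTS = {"board-risk-pack": ["C-1", "C-4"]}

def break_test(control_id):
    """Return the list of breaks in the spine for one control; empty means intact."""
    findings = []
    ctrl = CONTROLS[control_id]
    strategy = STRATEGY.get(ctrl["strategy"])
    # Backward trace: control -> strategy -> appetite statement.
    if strategy is None or strategy["appetite"] not in APPETITE:
        findings.append("backward: no path to a risk appetite statement")
    # Forward trace: control -> evidence artifact -> report.
    artifacts = [e for e in EVIDENCE if e["control"] == control_id]
    if not artifacts:
        findings.append("forward: no evidence artifact")
    elif not all(e["automated"] for e in artifacts):
        findings.append("forward: evidence is a manual assertion, not mechanism output")
    if not any(control_id in ids for ids in REPORTS.values()):
        findings.append("forward: not surfaced in any report")
    return findings

def audit():
    """Run the break test over every control; orphans show up as non-empty lists."""
    return {cid: break_test(cid) for cid in CONTROLS}
```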
Three Questions That Diagnose Any Control
You can evaluate the health of any governance control in your program (AI approvals, access reviews, segregation of duties, vendor risk, etc.) with three questions.
1. Is this a policy, a control, or a mechanism?
If it is only a policy, you have intent without enforcement. If it is a control without a mechanism, you have enforcement that depends on individual discipline rather than system design. Mechanisms produce outcomes. Policies produce documents.
2. Does it generate its own evidence?
If the evidence requires manual documentation (someone writing a summary, saving a screenshot, updating a tracker), it will degrade. Mechanisms that produce evidence as a byproduct of operation are self-proving. That is the design target.
3. Can you trace it in both directions?
Backward to appetite, forward to reporting. If either trace breaks, the control exists in a governance vacuum. It may be useful. It is not part of a program.
The shift from policies to mechanisms is not a philosophical preference. It is the operational difference between governance programs that survive examination and governance programs that produce findings. I have seen both up close. The gap between them is always the same: one was designed. The other was documented.
