CTO Platform engineering · developer velocity

The road you pave is the road they take

A CTO tried to make six hundred engineers do the right thing with a policy. It failed. Then he tried something quieter — and learned that governance is mostly a paving problem.

We talked to Sam, CTO of a 600-engineer software company, about the very good policy he wrote — and why it made everything worse before a quieter idea fixed it.

Q · Field Notes asks: Start at the beginning. What was the problem?

Infrastructure was being provisioned six different ways. Secrets were living in places secrets should never live. Every audit was a small archaeology project. So I did what a thorough person does — I wrote the standard down. Where secrets go, how environments get built, what "done" means. It was clear, it was correct, and I sent it to everyone.

Six months later, things were worse. Not because anyone defied me — nobody stood up and refused. They just kept shipping, and shipping happens under deadline, and under deadline a thirty-page standard isn't a guide, it's an obstacle. They found the shortest path to working software and took it. Compliance was, if anything, lower than before I wrote the thing, because now there was a written rule to quietly route around.

600 engineers shipping under deadline
30 pages of standard nobody had time to read
compliance, after the policy shipped

Q · Field Notes asks: Where did the idea that fixed it come from?

Landscape architecture, of all places. When you build a campus, you can lay the walkways wherever you like — but people walk where they want to walk, and their feet wear a line into the grass, the shortest route between where they are and where they need to be. Those worn lines have a name. They're called desire paths.

You can fence off the desire path, or you can pave it. The fence is a fight you have every day. The pavement is a decision you make once.

My policy was a sign on the grass that read please use the walkway. It changed nothing, because the walkway went the wrong way. My engineers had a desire path — the fastest route from idea to production — and I'd written a memo asking them not to use it. The reframe was embarrassingly simple: stop trying to make people follow the secure path, and make the secure path the fastest one. If doing it right is also doing it quickest, you don't need a policy. Water runs downhill on its own.

Before · the memo

Fence the grass

  • Right way = more steps than the shortcut
  • Compliance depends on willpower
  • Every audit is archaeology
After · the golden path

Pave the desire path

  • Right way = fewer keystrokes than wrong
  • Correct by construction, no willpower
  • Audit is a query, not a dig

Q · Field Notes asks: How did you actually pave it?

This is where HashiCorp comes in, and the reason it worked is that we used the tools to build a road, not a wall. We'd had Terraform and Vault in the building for years — that wasn't the change. Most shops have the tools. The change was what we did with them.

The vendor in the room · HashiCorp

The platform team wrapped Terraform modules and Vault into a self-service golden path: one command stood up an environment, correctly configured, with secrets handled and policy baked in. The secure way required less typing than the insecure way. Compliance went up not because anyone was watching, but because doing it right was now the path of least resistance.

We took the thirty-page standard and turned it into a single command. Run it, and you got an environment correct by construction — secrets wired through Vault, never touching a config file; provisioning through vetted modules that encoded every rule in the document, except now the rules were invisible, because they were just how the thing worked. The golden path wasn't a recommendation. It was the easy button, and it happened to be the secure one.

The engineers took it for the most unsentimental reason imaginable: it was less typing. The desire path and the secure path had become the same line in the grass. Audit stopped being archaeology. And I never had to send another memo.

Q · Field Notes asks: What should every CTO take from this?

If your security or your standards depend on engineers exercising willpower under deadline, you've already lost — you just haven't gotten the audit yet. Willpower doesn't scale to six hundred people on a Friday before a launch. It barely scales to one. Anything you're relying on people to remember to do is a desire path you've chosen to fence instead of pave.

1 command
A correct environment, secrets and policy included, in fewer keystrokes than the shortcut. That's not a rule. That's a road.

Governance isn't a document. It's a terrain. Engineers will always take the shortest path — that's not a flaw, it's the definition of a good one. Your only real decision is where that path leads. So pave the one you want them on, and make it downhill.