The AI Control Problem

The Fifth Theme the Thoughtworks Radar Missed

TV
Thiago Victorino
10 min read
The Fifth Theme the Thoughtworks Radar Missed
Listen to this article

On April 15, Thoughtworks published Volume 34 of its Technology Radar. The document is organized around four themes:

  1. Retaining principles, relinquishing patterns
  2. Securing permission-hungry agents
  3. Putting coding agents on a leash
  4. The challenge of evaluating technology in an agentic world

Each one is a governance theme. Each one is an engineering governance theme. That is a ceiling, not a complaint.

What the Radar Gets Right

The four themes are honest descriptions of what engineering organizations are actually wrestling with in 2026. Zero trust architecture sits in Adopt because treating a coding agent like a trusted teammate is how credentials leak. Agent Skills, mutation testing, and feedback sensors for coding agents sit in Trial because the industry is converging on feedforward plus feedback as the operating pattern for autonomous code generators. Spec-driven development, architecture drift reduction with LLMs, and measuring collaboration quality with coding agents sit in Assess because nobody has production-grade answers yet. Codebase cognitive debt and agent instruction bloat sit in Caution for the reason every careful reader already knows: agents replicate whatever they find, including the parts a team never wanted to keep.

Rachel Laycock, Thoughtworks CTO, states the thesis plainly: “The inflection point we’re at isn’t so much about technology — it’s about technique.” That sentence is the most useful thing in the press release. It concedes that model capability is not the bottleneck. Discipline is.

The Radar is a credible census of engineering practice. It points at the right problems.

A note on attribution, since the Radar amplifies two terms that did not originate inside it. “Cognitive debt” was coined by Margaret-Anne Storey on February 9, 2026, and extended by Martin Fowler on February 13, 2026. “Semantic diffusion” is a Fowler post from 2006, originally applied to “agile” and “Web 2.0.” Fowler has been Chief Scientist at Thoughtworks since 2000, so the firm has a legitimate intellectual lineage on both terms — but the Radar itself adopted and re-applied them rather than coining them. We made the same citation call six weeks ago in Cognitive Debt: The Invisible Cost of AI-Generated Code, and I am making it again here because provenance matters when an industry vocabulary is forming in real time.

What the Radar Is Not

The Radar is a software engineering document. Every theme, every blip, every tool it evaluates addresses what happens inside a development team. That is the genre. Thoughtworks is not hiding this.

The consequence is worth naming. When the most-read governance document of the quarter is scoped to engineering, the rest of the organization inherits a gap by default. Marketing, legal, sales, HR, and finance are running the same four patterns the Radar describes, and in some cases more aggressively than engineering is. They are doing it without the absorption mechanisms that make engineering’s governance story even partially workable.

Engineering has deploy pipelines, pull requests, tests, linters, observability, and a decade of post-incident review culture. When something like Agent Skills or mutation testing shows up, those mechanisms can be bent to fit. The cost is high but the substrate exists.

Marketing does not have a pull request. Legal does not have CI. Sales does not run mutation tests on a sequence of follow-up emails. HR does not version its screening prompts in git. Finance does not have code review for an agent that reconciles a ledger. The patterns are arriving; the governance substrate is not.

That is the fifth theme.

The Fifth Theme: The Same Four Patterns, Outside Engineering

Map each Radar theme to the function where it is already active, and the scope limit becomes a strategy document.

Theme 1 in marketing and legal: retaining principles, relinquishing patterns.

The marketing analog is already in the trade press under a different name: brand guidelines becoming brand guardrails. When agents generate creative at volume, “follow the brand voice” stops being a pattern a human can enforce and starts being a principle that needs technical embedding at runtime. ComplexDiscovery’s 2026 piece on brand guardrails frames this as a leadership responsibility, which is the right altitude. The wrong altitude is the one most marketing organizations are operating at: a PDF of brand guidelines circulated over email while agentic tools generate a thousand variants per day.

Legal is further along in naming the shift. General counsels are pivoting procurement criteria from “does this tool improve efficiency?” to “can this tool withstand scrutiny if challenged?” That is the same move the Radar makes in Theme 1: stop cargo-culting the pattern, hold onto the principle. The pattern being relinquished is “procurement as productivity evaluation.” The principle being retained is evidentiary defensibility.

Theme 2 in sales and finance: securing permission-hungry agents.

Agentic CRM is not a slide. Autonomous follow-ups, prospect research, deal-record updates, and outbound sequencing are shipping in mainstream sales platforms. The permission model for these agents (what data they can read, which accounts they can touch, which actions they can take without a human) is being configured by sales operations leaders who have never heard “zero trust” used as a design pattern. The Radar’s Theme 2 asks engineering to sandbox agents. The equivalent question in sales is who owns the sandbox. In most companies, nobody does.

Finance is the quieter version. Heads of finance are configuring compliance-checking agents, reconciliation agents, and allocation agents inside their own departments. Each one with its own credentials. Each one touching production ledgers. There is no AppSec review because AppSec does not scope to finance. The agents have admin-adjacent access the moment they are useful. This is the permission-hungry pattern, off the radar of the function that knows how to contain it.

Theme 3 in marketing and legal: putting coding agents on a leash.

The leash pattern (feedforward specs plus feedback controls) maps directly onto two non-engineering functions that are discovering it the hard way.

Marketing teams deploying agentic content systems now talk about AI acceptable use policies with human-in-the-loop procedures and kill-switch protocols. Those are the leash components. What is missing is the feedback half of the loop: the equivalent of mutation testing or feedback sensors, something that catches drift before a human reviews it. In marketing, the feedback leash is mostly absent. Content ships, drift accumulates, the next quarter’s tone is slightly off, and nobody can trace when it happened. This is cognitive debt in brand voice. We explored the engineering version in Cognitive Debt: The Invisible Cost of AI-Generated Code. The marketing version has the same shape and worse instrumentation.

Legal is in a different place because the feedback leash arrived as case law. Over seven hundred court cases worldwide now involve AI-generated hallucinations in filings, with five-figure sanctions becoming routine. Mandatory human review is not a best practice. It is survival. The profession is learning that Theme 3’s feedback control is not optional. It is what stands between a productivity gain and a bar complaint.

Theme 4 in HR: the challenge of evaluating technology in an agentic world.

Semantic diffusion is already eating HR procurement. What “bias audit” means depends on the vendor you are talking to. What “explainability” means depends on whose marketing page you are reading. What an “AI hiring agent” actually does depends on which screen of the product you are looking at.

The forcing function is legal, not editorial. The EU AI Act reaches full application to high-risk systems on August 2, 2026. Employment AI (screening, ranking, performance evaluation) is explicitly in scope. The regime requires annual third-party bias audits, risk assessments, transparency disclosures, and conformity documentation. Penalties reach 15 million euros or 3% of global turnover under the HR provisions; the general high-risk penalties go higher. Crowell & Moring’s legal briefing is the cleanest practitioner summary.

HR teams are now being asked to evaluate tools against a regulatory standard that their vendor marketing obscures. The Radar’s Theme 4 is the right diagnosis. HR is where the diagnosis lands hardest.

Why This Matters More Than a Radar Can Acknowledge

Engineering has a property that the rest of the organization does not. When a new discipline is named (DevOps, SRE, platform engineering, harness engineering), there is a scaffold to build it on. Source control exists. CI exists. Testing culture exists. Post-incident review exists. New practices can attach to old surfaces.

As we argued in Harness Engineering Is Not New — But Naming It Matters, the name is the organizational event. It creates headcount, budget, and accountability. Engineering can absorb a new name because the substrate is in place.

No such substrate exists in marketing, legal, sales, HR, or finance. There is no equivalent of a pull request for a campaign brief. There is no CI pipeline for a deposition draft. There is no mutation test for a reconciliation agent. There is no linter for an HR screening prompt. When the Radar says “deploy feedback controls,” engineering can answer. The other functions cannot. Not because they are less capable, but because the substrate was never built.

This is not a call to port engineering tooling to other functions. Most of those ports fail. Legal review is not code review. Brand compliance is not a type check. The pattern the Radar describes is real; the mechanism has to be different in each function.

It is a call to recognize that governance now has to be an organizational discipline, not a tooling discipline. The move Thoughtworks is making within engineering (cognitive debt, leashes, feedforward and feedback) is the right move. It has to happen across every function where agents now operate. The Radar does not address this because the Radar is, correctly, a Technology Radar. But the next Radar, or the next governance document from any serious consultancy, has to.

A prior POV on a separate Thoughtworks piece, Thoughtworks Discovered Governance-as-Code. We Have Been Building It., made an adjacent point: encoding standards in a team repository is developer tooling when it stops there, and governance infrastructure when it extends across functions. That argument still stands. What Volume 34 adds is a clearer picture of how far the gap has widened. Engineering now has named themes. Everyone else has unnamed problems.

What Volume 35 Should Include

If the Radar is willing to stretch its scope once, here is the blip set that would matter:

  • Agentic authority scoping across functions. The permission-hungry pattern is no longer engineering-only. A useful blip would catalog how marketing, legal, sales, HR, and finance are (or are not) scoping agent authority, and whether the resulting practices look like zero trust or look like shadow IT.
  • Spec governance beyond code. Spec-driven development is Assess for engineering. Spec-as-product exists in legal (disclosure templates), marketing (brand systems), and HR (screening criteria). We examined this in When the Spec Is the Product, Who Governs the Spec?. A cross-functional spec governance blip would be overdue.
  • Cross-function cognitive debt. Margaret-Anne Storey’s original framing was about system understanding. The same dynamic plays out in marketing (nobody can explain why the brand voice drifted), in legal (nobody remembers why the clause was drafted that way), in HR (nobody can reconstruct why the screening model rejects a category of candidates). Cognitive debt is not code-shaped. It is organization-shaped.
  • Regulatory feedback loops. The EU AI Act’s August 2, 2026 deadline is the most consequential governance event of the year for non-engineering functions. A serious Radar in late 2026 will have to speak to it.

Position: Governance Is Organizational, Not Tooling

Victorino’s position has been consistent and will stay consistent. The Radar’s technical prescriptions (zero trust, feedforward and feedback controls, spec-driven development) are necessary. They are not sufficient. Governance that travels only through engineering tooling will be stranded there, while the rest of the organization runs the same four patterns with none of the absorption mechanisms.

The firms that will look governed in two years are not the ones with the best AGENTS.md files. They are the ones where legal, marketing, sales, HR, finance, and engineering share a vocabulary for what an agent is, what it is allowed to do, who owns its output, and how its failures are caught. That vocabulary is what we build. The Radar names four themes that belong to engineering. We are writing the fifth one, and it belongs to the whole company.

This analysis draws on the Thoughtworks Technology Radar Volume 34 (April 2026), Margaret-Anne Storey’s “Cognitive Debt” (February 2026), Martin Fowler’s “Semantic Diffusion” (2006), Crowell & Moring’s EU AI Act HR briefing (2026), and ComplexDiscovery’s Brand Guardrails analysis (2026).

Victorino Group builds governance that travels beyond engineering. Let’s talk.

All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →

Part of The Thinking Wire, published by Victorino Group.

If this resonates, let's talk

We help companies implement AI without losing control.

Schedule a Conversation