DiagnosticMind · ← All editions · PT

Three Audits, One Assumption

How layered compliance can amplify the assumption no one writes down

Sometimes a system fails despite every audit signing off green. This shape — the post-mortem that finds no negligence and yet finds the failure was visible — is treated as bad luck. It is not.

Three audits ran across the same organisation in the same year. Business continuity, information security, AI governance. All scoped well. All performed by competent firms. All passed. Twelve months later, the failure that consumed regulatory attention was traceable, in clean hindsight, to a single line that no audit had flagged: an unwritten definition of what counted as "critical."


How the three audits passed

In the continuity audit, "critical processes" had been operationalised as revenue-generating processes. A defensible choice. Tier-1 recovery objectives followed accordingly.

In the information security audit, the asset register inherited that tiering. Revenue systems were hardened. Internal systems — payroll, HR, employee-facing automation — were treated as tier-2. A defensible choice, given the upstream tiering.

In the AI governance audit, the scope question was "which AI systems support critical processes." The mapping pulled directly from tier-1. The high-stakes AI sat in customer-facing operations, where attention was concentrated.

The AI tool used in payroll — tier-2, hardly anyone's audit priority — was the one that started terminating people who had not been terminated.


What the audits shared

Each audit was internally consistent. Each was externally defensible. Their problem was not in what they examined but in what they shared: an upstream definition that none of them was scoped to question, because the definition was scoped into all of them.

This is the shape that is hardest to see, and the one that matters most: when three diagnostics agree, the question worth asking is whether they are agreeing because the world is that way, or because they share a prior that none of them tested.

Independent verification requires independent priors. The principle is unsurprising in physics or in statistics. In audit work it is routinely ignored. Cross-walks between standards are presented as a strength, and they are — but only against errors that are downstream of the cross-walked boundary. Against errors upstream of the shared boundary, cross-walks amplify rather than test.

The same logic applies to the auditor's own cognition. Two opinions from the same head, even held in good faith, are not two opinions. An AI assistant trained on the same corpus that produced the standards it is auditing against is not a second pair of eyes. The "second opinion" that lives inside the same prior is decorative.


The question with no clause number

Catching this requires a move that audit methods do not natively make. Naming the load-bearing assumptions — the definitions that flow through multiple vectors and are tested in none — is not a technique that any standard formally requires. It is closer to an instinct. The instinct is: before checking whether the answers are consistent, check whether the questions share something that makes their answers' consistency uninformative.

In practice, this is one paragraph in every audit-of-audits: what does this assessment take as given that earlier assessments also took as given? That paragraph rarely gets written, because it has no clause number to anchor it.


None of this is an argument against running multiple audits. It is an argument for the cheap addition that turns multiple audits from a stacked confirmation into an actual triangulation: ask, in plain language, what they all assumed.

When three audits agree, the agreement is either evidence or echo. The work of telling them apart sits where no standard places it.