OIA Autoimmune Scan Execution
How do you run an organizational autoimmune scan for compliance bypass detection?
Purpose
This recipe executes an organizational autoimmune scan — systematically detecting where the organization's own compliance, approval, and control systems are being routinely bypassed. It produces a classified inventory of autoimmune patterns with severity scores and a friction point map distinguishing protective friction from paralyzing friction. [src1, src2]
Prerequisites
- Network analysis findings from OIA Network Analysis
- IT/security log access — SIEM read-only or IT admin log exports
- Employee survey distribution list from HR
- Executive communication — sponsor has communicated non-punitive intent
- Survey tool — Google Forms, Typeform, or equivalent
Constraints
- Interviews and surveys must be voluntary and anonymous. [src4]
- Survey response rate must exceed 60% for statistical validity.
- Friction classification requires consensus from at least 2 analysts. [src3]
- Critical severity patterns must be reported to executive sponsor within 24 hours.
- Shadow IT findings must never be used for punitive action. [src2]
Tool Selection Decision
Which approach?
├── Full SIEM access + interviews available
│   └── PATH A: Log Analysis + Interviews + Survey
├── IT admin logs + survey only
│   └── PATH B: Log Review + Survey
├── Survey + interviews only (no log access)
│   └── PATH C: Qualitative Only
└── Survey only (minimal access)
    └── PATH D: Survey-Only
| Path | Tools | Cost | Speed | Output Quality |
|---|---|---|---|---|
| A: Full | SIEM + interviews + survey | $0-$200 | 4-5 days | Excellent |
| B: Logs + Survey | IT logs + survey tool | $0-$100 | 3-4 days | Good |
| C: Qualitative | Interviews + survey | $0-$200 | 3-4 days | Good |
| D: Survey-Only | Survey tool | $0-$100 | 2-3 days | Adequate |
Execution Flow
Step 1: Compliance Bypass Detection
Duration: 4-8 hours · Tool: SIEM queries, IT admin logs
Query IT and security logs for split transactions, after-hours access, shadow IT, approval shortcuts, and exception request volume.
Verify: Pattern frequency quantified per department, at least 3 bypass categories analyzed. · If failed: Skip to Step 2 (interviews surface the same patterns qualitatively).
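The Step 1 queries can be prototyped offline against an exported log before they are written as SIEM searches. The following is an added example, not part of the original recipe; the event schema, the approval limit, the 24-hour split window, the business hours and the sanctioned-app list are all assumptions to replace with the client's own values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
APPROVAL_LIMIT = 5000.0             # assumed approval threshold
SPLIT_WINDOW = timedelta(hours=24)  # assumed window for related purchases
SANCTIONED_APPS = {"mail", "crm"}   # assumed IT-approved applications
# Constructed events (time, dept, user, kind, target, amount); not real log data.
EVENTS = [
    ("2024-03-04T10:02", "sales", "u1", "purchase", "acme", 3000.0),
    ("2024-03-04T15:40", "sales", "u1", "purchase", "acme", 2900.0),
    ("2024-03-05T23:15", "finance", "u3", "access", "ledger", 0.0),
    ("2024-03-06T11:00", "finance", "u3", "access", "ledger", 0.0),
    ("2024-03-06T14:30", "ops", "u4", "app_login", "filedrop", 0.0),
    ("2024-03-07T09:00", "ops", "u5", "exception_request", "vpn", 0.0),
]

def split_purchases(events):
    """Yield a dept per user/vendor whose sub-limit purchases reach the limit in-window."""
    runs = defaultdict(list)
    for ts, dept, user, kind, target, amount in events:
        if kind == "purchase" and amount < APPROVAL_LIMIT:
            runs[(dept, user, target)].append((datetime.fromisoformat(ts), amount))
    for (dept, _user, _vendor), items in runs.items():
        items.sort()
        start, total = 0, 0.0
        for when, amount in items:
            total += amount
            while when - items[start][0] > SPLIT_WINDOW:  # drop purchases outside the window
                total -= items[start][1]
                start += 1
            if total >= APPROVAL_LIMIT:
                yield dept
                break

def classify(ts, kind, target):
    when = datetime.fromisoformat(ts)
    # Assumed business hours: Monday to Friday, 07:00-19:00.
    if kind == "access" and (when.weekday() >= 5 or not 7 <= when.hour < 19):
        return "after_hours_access"
    if kind == "app_login" and target not in SANCTIONED_APPS:
        return "shadow_it"
    return "exception_request" if kind == "exception_request" else None

def scan(events):
    found = defaultdict(Counter)  # dept -> bypass category -> count
    for dept in split_purchases(events):
        found[dept]["split_transaction"] += 1
    for ts, dept, _user, kind, target, _amount in events:
        if category := classify(ts, kind, target):
            found[dept][category] += 1
    return found
```

The result is keyed by department only, so the counts can go into the report without carrying user identifiers forward.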
Step 2: Shadow Workaround Inventory
Duration: 1-2 days · Tool: 30-minute structured interviews (10-15 employees)
Interview employees, stratified by department and level, using a structured friction diary: what rules they work around, what takes more effort than it should, and what tools they use that IT didn't set up. [src2]
Verify: > 80% of scheduled interviews completed, each department represented. · If failed: Supplement with anonymous online survey.
Step 3: Security Fatigue Assessment
Duration: 4-8 hours · Tool: IT security dashboard + anonymous survey
Measure MFA prompt frequency, approval backlog days, exception request volume, policy document read rates, and password reset frequency. [src1]
Verify: Fatigue score calculated per department, > 60% survey response rate. · If failed: Extend survey window, executive sponsor sends reminder.
Step 4: Friction Point Mapping
Duration: 4-8 hours · Tool: Classification matrix
Classify each workaround as protective friction (prevents financial loss, legal liability, safety risk) or paralyzing friction (serves hierarchy without measurable risk mitigation). [src2, src3]
Verify: Each friction point classified with 2-analyst consensus. · If failed: Escalate ambiguous cases to client stakeholder.
Step 5: Severity Scoring & Report
Duration: 4-8 hours · Tool: Scoring rubric + report template
Score each pattern: low (inconvenience), medium (productivity loss), high (compliance risk), critical (legal/financial exposure). Produce prioritized inventory. [src3]
Verify: Top 10 patterns prioritized, all critical-severity patterns flagged. · If failed: Broaden interview scope or extend survey.
Output Schema
{
  "output_type": "autoimmune_scan_report",
  "format": "XLSX + PDF + JSON",
  "key_metrics": [
    {"name": "total_patterns", "description": "Total autoimmune patterns identified"},
    {"name": "critical_count", "description": "Patterns with critical severity"},
    {"name": "paralyzing_friction_pct", "description": "% of friction classified as paralyzing"},
    {"name": "avg_fatigue_score", "description": "Organization-wide security fatigue average (1-5)"}
  ]
}
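One way to derive the four key metrics from the Step 4 and Step 5 results while enforcing the two-analyst consensus rule and the 24-hour critical flag. This is an added example, not part of the original recipe; the inventory layout, the keys outside `key_metrics`, the name-to-value shape of `key_metrics`, and the unweighted fatigue average are assumptions.

```python
SEVERITIES = ("low", "medium", "high", "critical")  # Step 5 scale, ascending
# Constructed inventory: "labels" holds the two analysts' friction classifications.
PATTERNS = [
    {"id": "P1", "dept": "sales", "severity": "critical", "labels": ("protective", "protective")},
    {"id": "P2", "dept": "ops", "severity": "medium", "labels": ("paralyzing", "paralyzing")},
    {"id": "P3", "dept": "ops", "severity": "low", "labels": ("paralyzing", "protective")},
    {"id": "P4", "dept": "finance", "severity": "high", "labels": ("paralyzing", "paralyzing")},
]
FATIGUE = {"sales": 3.5, "ops": 4.0, "finance": 2.0}  # constructed per-department scores (1-5)

def build_report(patterns, fatigue):
    """Assemble report metrics; only consensus-classified points count toward the friction split."""
    agreed = [p for p in patterns if p["labels"][0] == p["labels"][1]]
    paralyzing = sum(p["labels"][0] == "paralyzing" for p in agreed)
    ranked = sorted(patterns, key=lambda p: SEVERITIES.index(p["severity"]), reverse=True)
    return {
        "output_type": "autoimmune_scan_report",
        "key_metrics": {
            "total_patterns": len(patterns),
            "critical_count": sum(p["severity"] == "critical" for p in patterns),
            "paralyzing_friction_pct": round(100 * paralyzing / len(agreed), 1) if agreed else None,
            "avg_fatigue_score": round(sum(fatigue.values()) / len(fatigue), 2) if fatigue else None,
        },
        # Hypothetical helper fields for the process gates described in this recipe.
        "analyst_agreement_pct": round(100 * len(agreed) / len(patterns), 1) if patterns else None,
        "escalate_to_stakeholder": [p["id"] for p in patterns if p not in agreed],
        "report_within_24h": [p["id"] for p in patterns if p["severity"] == "critical"],
        "top_10": [p["id"] for p in ranked[:10]],
    }
```

Patterns without analyst consensus are excluded from `paralyzing_friction_pct` until they are resolved, so the percentage never rests on a single analyst's label.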
Quality Benchmarks
| Quality Metric | Minimum Acceptable | Good | Excellent |
|---|---|---|---|
| Patterns identified | > 5 | > 10 | > 15 |
| Survey response rate | > 60% | > 75% | > 90% |
| Interview completion rate | > 70% | > 85% | > 95% |
| Department coverage | > 50% | > 75% | > 90% |
| Analyst classification agreement | > 70% | > 85% | > 95% |
If below minimum: Extend survey window, add interview slots, or broaden SIEM query scope.
Error Handling
| Error | Likely Cause | Recovery Action |
|---|---|---|
| Low survey response (< 60%) | Lack of trust or survey fatigue | Executive sponsor sends personal message, extend deadline |
| Interview cancellations | Discomfort or scheduling conflicts | Offer written response option, reschedule |
| SIEM access denied | IT security policy | Escalate to sponsor, proceed qualitative only |
| No patterns found | Questions too gentle or culture of silence | Reframe around "efficiency improvements" |
| Critical pattern mid-scan | Active compliance violation | Report to sponsor within 24 hours, continue scan |
Cost Breakdown
| Component | Free Tier | Paid Tier | At Scale |
|---|---|---|---|
| Survey tool | $0 (Google Forms) | $50 (Typeform) | $200 (SurveyMonkey) |
| Interview time | $0 | $0 | $0 |
| SIEM access | $0 (client existing) | $0 | $0 |
| Total | $0 | $0-$50 | $0-$500 |
Anti-Patterns
Wrong: Treating workarounds as misconduct
Approaching the scan as a compliance audit that punishes violators. Result: employees refuse to participate. [src4]
Correct: Frame as efficiency improvement
Shadow workarounds are symptoms of organizational friction, not employee failure. [src2]
Wrong: Classifying all bypasses as problems
Recommending more controls when the organization already has too many. [src3]
Correct: Distinguish protective from paralyzing friction
Remove paralyzing friction while strengthening protective friction.
Wrong: Running survey without executive air cover
Sending the survey without executive communication first. Result: employees assume it is a trap. [src1]
Correct: Executive sponsor sends first communication
Before any survey, have the sponsor explain purpose, anonymity guarantees, and non-punitive intent.
When This Matters
Use when an agent needs to detect and classify organizational autoimmune patterns. This is Step 4 of the OIA engagement lifecycle. Requires network analysis findings to target interviews. Output feeds into stress test design and the overall OIA health score.