This recipe executes an organizational autoimmune scan — systematically detecting where the organization's own compliance, approval, and control systems are being routinely bypassed. It produces a classified inventory of autoimmune patterns with severity scores and a friction point map distinguishing protective friction from paralyzing friction. [src1, src2]
Which approach?
├── Full SIEM access + interviews available
│ └── PATH A: Log Analysis + Interviews + Survey
├── IT admin logs + survey only
│ └── PATH B: Log Review + Survey
├── Survey + interviews only (no log access)
│ └── PATH C: Qualitative Only
└── Survey only (minimal access)
    └── PATH D: Survey-Only
| Path | Tools | Cost | Speed | Output Quality |
|---|---|---|---|---|
| A: Full | SIEM + interviews + survey | $0-$200 | 4-5 days | Excellent |
| B: Logs + Survey | IT logs + survey tool | $0-$100 | 3-4 days | Good |
| C: Qualitative | Interviews + survey | $0-$200 | 3-4 days | Good |
| D: Survey-Only | Survey tool | $0-$100 | 2-3 days | Adequate |
Step 1 · Duration: 4-8 hours · Tool: SIEM queries, IT admin logs
Query IT and security logs for split transactions (purchases broken into several orders that each sit under an approval threshold), after-hours access, shadow IT (unsanctioned SaaS seen in proxy or DNS logs), approval shortcuts, and exception request volume. Count hits per department rather than per user; the scan is looking for routine patterns, not individuals.
Verify: Pattern frequency quantified per department, at least 3 bypass categories analyzed. · If failed: Skip to Step 2 (interviews surface the same patterns qualitatively).
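The three log-derived bypass categories above, implemented as heuristic detectors that run over constructed log exports and report hit counts per department. This is an added example, not code from the recipe or an OIA toolkit; the approval threshold, split window, business hours, SaaS watchlist and every log record are assumptions chosen so the result can be checked by hand.

```python
"""Step 1 detectors: split transactions, after-hours access and shadow IT over
constructed log records. Thresholds, windows and the watchlist are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 5000.0        # assumed: single purchases at/above this need a second approver
SPLIT_WINDOW = timedelta(days=3)   # assumed: orders this close together are examined as one purchase
BUSINESS_HOURS = range(7, 20)      # assumed: 07:00-19:59 local is business hours
SANCTIONED_SAAS = {"sharepoint.example.com", "jira.example.com"}
SAAS_WATCHLIST = {"dropbox.com", "wetransfer.com", "notion.so", "trello.com"}

# Constructed sample records standing in for purchasing, VPN and proxy log exports.
PURCHASES = [
    {"user": "alice", "dept": "Marketing",   "vendor": "PrintCo",  "amount": 4900.0,  "ts": "2024-03-04T10:12:00"},
    {"user": "alice", "dept": "Marketing",   "vendor": "PrintCo",  "amount": 4800.0,  "ts": "2024-03-05T09:40:00"},
    {"user": "bob",   "dept": "Engineering", "vendor": "CloudCo",  "amount": 12000.0, "ts": "2024-03-04T11:00:00"},
    {"user": "carol", "dept": "Finance",     "vendor": "OfficeCo", "amount": 300.0,   "ts": "2024-03-06T15:00:00"},
]
AUTH_EVENTS = [
    {"user": "bob",   "dept": "Engineering", "ts": "2024-03-04T23:15:00", "action": "vpn_login"},
    {"user": "bob",   "dept": "Engineering", "ts": "2024-03-05T02:30:00", "action": "vpn_login"},
    {"user": "alice", "dept": "Marketing",   "ts": "2024-03-05T09:00:00", "action": "vpn_login"},
]
PROXY_EVENTS = [
    {"user": "alice", "dept": "Marketing",   "domain": "wetransfer.com"},
    {"user": "dave",  "dept": "Sales",       "domain": "dropbox.com"},
    {"user": "dave",  "dept": "Sales",       "domain": "jira.example.com"},
    {"user": "bob",   "dept": "Engineering", "domain": "notion.so"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def split_transactions(purchases, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Flag (user, vendor) pairs whose under-threshold orders inside the window add up
    to more than the threshold. Single orders at/above the threshold went through
    approval and are not a bypass, so they are excluded before grouping."""
    groups = defaultdict(list)
    for p in purchases:
        if p["amount"] < threshold:
            groups[(p["user"], p["vendor"])].append(p)
    hits = []
    for (user, vendor), items in groups.items():
        items.sort(key=lambda q: parse_ts(q["ts"]))
        for i, first in enumerate(items):
            run = [q for q in items[i:] if parse_ts(q["ts"]) - parse_ts(first["ts"]) <= window]
            total = sum(q["amount"] for q in run)
            if len(run) > 1 and total >= threshold:
                hits.append({"dept": first["dept"], "user": user, "vendor": vendor,
                             "count": len(run), "total": total})
                break  # one finding per pair is enough for a frequency count
    return hits


def after_hours_access(events, hours=BUSINESS_HOURS):
    """Logins outside business hours. Legitimate on-call work lands here too, so treat
    the count as a lead for the Step 2 interviews, not as a violation."""
    return [e for e in events if parse_ts(e["ts"]).hour not in hours]


def shadow_it(events, watchlist=SAAS_WATCHLIST, sanctioned=SANCTIONED_SAAS):
    """Proxy hits on watchlisted SaaS domains that are not on the sanctioned list."""
    return [e for e in events if e["domain"] in watchlist and e["domain"] not in sanctioned]


def frequency_by_department(purchases, auth, proxy):
    """Pattern frequency per department keyed by bypass category: the Step 1 verify criterion."""
    table = defaultdict(Counter)
    for h in split_transactions(purchases):
        table[h["dept"]]["split_transaction"] += 1
    for e in after_hours_access(auth):
        table[e["dept"]]["after_hours_access"] += 1
    for e in shadow_it(proxy):
        table[e["dept"]]["shadow_it"] += 1
    return {dept: dict(counts) for dept, counts in table.items()}


if __name__ == "__main__":
    for dept, counts in frequency_by_department(PURCHASES, AUTH_EVENTS, PROXY_EVENTS).items():
        print(dept, counts)
```

On the constructed data the output is one split-transaction finding in Marketing (two orders totalling 9,700 in two days), two after-hours logins in Engineering, and one shadow-IT hit each in Marketing, Sales and Engineering. In a real SIEM the same logic is expressed as a grouped query per category; the point here is that each detector yields a per-department count that the verify criterion asks for.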
Step 2 · Duration: 1-2 days · Tool: 30-minute structured interviews (10-15 employees)
Interview employees stratified by department and level using a structured friction diary: which rules they work around, what takes more effort than it should, and which tools they use that IT did not provision. [src2]
Verify: > 80% of scheduled interviews completed, each department represented. · If failed: Supplement with anonymous online survey.
Step 3 · Duration: 4-8 hours · Tool: IT security dashboard + anonymous survey
Measure, per department, MFA prompt frequency, approval backlog days, exception request volume, policy document read rates, and password reset frequency; combine them into a 1-5 fatigue score. [src1]
Verify: Fatigue score calculated per department, > 60% survey response rate. · If failed: Extend survey window, executive sponsor sends reminder.
Step 4 · Duration: 4-8 hours · Tool: Classification matrix
Classify each workaround as protective friction (prevents financial loss, legal liability, safety risk) or paralyzing friction (serves hierarchy without measurable risk mitigation). [src2, src3]
Verify: Each friction point classified with 2-analyst consensus. · If failed: Escalate ambiguous cases to client stakeholder.
Step 5 · Duration: 4-8 hours · Tool: Scoring rubric + report template
Score each pattern: low (inconvenience), medium (productivity loss), high (compliance risk), critical (legal/financial exposure). Produce prioritized inventory. [src3]
Verify: Top 10 patterns prioritized, all critical-severity patterns flagged. · If failed: Broaden interview scope or extend survey.
{
"output_type": "autoimmune_scan_report",
"format": "XLSX + PDF + JSON",
"key_metrics": [
{"name": "total_patterns", "description": "Total autoimmune patterns identified"},
{"name": "critical_count", "description": "Patterns with critical severity"},
{"name": "paralyzing_friction_pct", "description": "% of friction classified as paralyzing"},
{"name": "avg_fatigue_score", "description": "Organization-wide security fatigue average (1-5)"}
]
}
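Steps 3 to 5 and the report's key_metrics block, carried through on constructed data: a banded 1-5 fatigue score per department, two-analyst consensus classification of each friction point (disagreements escalated, as the Step 4 fallback requires), severity from the Step 5 rubric, and the prioritized inventory serialised in the output shape above. This is an added example, not the recipe's own tooling; the band cut-offs, department readings and the five sample patterns are assumptions.

```python
"""Steps 3-5: fatigue score per department, friction classification with two-analyst
consensus, severity ranking, and the key_metrics block of the report.
All bands, readings and patterns below are constructed assumptions."""
import json
from statistics import mean

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Step 5 rubric from the recipe: impact category -> severity.
IMPACT_SEVERITY = {"inconvenience": "low", "productivity_loss": "medium",
                   "compliance_risk": "high", "legal_financial_exposure": "critical"}
# Assumed bands mapping each fatigue signal onto 1 (none) .. 5 (severe); calibrate per client.
FATIGUE_BANDS = {
    "mfa_prompts_per_day": [2, 4, 8, 15],
    "approval_backlog_days": [1, 3, 7, 14],
    "exceptions_per_month": [2, 5, 10, 20],
    "password_resets_per_month": [0.5, 1, 2, 4],
    "policy_read_rate": [0.8, 0.6, 0.4, 0.2],   # descending: a low read rate is the bad sign
}

DEPT_SIGNALS = {  # constructed dashboard readings
    "Engineering": {"mfa_prompts_per_day": 9, "approval_backlog_days": 8, "exceptions_per_month": 12,
                    "password_resets_per_month": 1.5, "policy_read_rate": 0.3},
    "Finance": {"mfa_prompts_per_day": 3, "approval_backlog_days": 1, "exceptions_per_month": 1,
                "password_resets_per_month": 0.2, "policy_read_rate": 0.9},
}
PATTERNS = [  # constructed friction points with each analyst's independent classification
    {"id": "P1", "name": "Purchases split to stay under approval threshold", "dept": "Marketing",
     "analyst_a": "protective", "analyst_b": "protective", "impact": "legal_financial_exposure"},
    {"id": "P2", "name": "External file-sharing block bypassed via personal Dropbox", "dept": "Sales",
     "analyst_a": "protective", "analyst_b": "protective", "impact": "compliance_risk"},
    {"id": "P3", "name": "Three-signature approval for sub-$500 travel", "dept": "Finance",
     "analyst_a": "paralyzing", "analyst_b": "paralyzing", "impact": "productivity_loss"},
    {"id": "P4", "name": "Policy re-acknowledgement every 30 days", "dept": "Engineering",
     "analyst_a": "paralyzing", "analyst_b": "protective", "impact": "inconvenience"},
    {"id": "P5", "name": "Shared admin account to skip PAM check-out", "dept": "Engineering",
     "analyst_a": "protective", "analyst_b": "protective", "impact": "compliance_risk"},
]


def band_score(signal, value):
    """Map one signal reading onto the 1-5 fatigue scale using its band cut-offs."""
    cuts = FATIGUE_BANDS[signal]
    worse = (lambda v, c: v <= c) if cuts[0] > cuts[-1] else (lambda v, c: v >= c)
    return 1 + sum(1 for c in cuts if worse(value, c))


def fatigue_scores(signals=DEPT_SIGNALS):
    """Step 3: per-department fatigue score, the mean of the banded signals to one decimal."""
    return {dept: round(mean([band_score(s, v) for s, v in readings.items()]), 1)
            for dept, readings in signals.items()}


def classify(pattern):
    """Step 4: two-analyst consensus; a disagreement is escalated, not guessed."""
    a, b = pattern["analyst_a"], pattern["analyst_b"]
    return a if a == b else "escalate"


def prioritized_inventory(patterns=PATTERNS):
    """Step 5: attach severity from the rubric and sort critical-first, ties by id."""
    rows = [{**p, "friction": classify(p), "severity": IMPACT_SEVERITY[p["impact"]]} for p in patterns]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r["severity"]], r["id"]))


def analyst_agreement(patterns=PATTERNS):
    """Quality metric: fraction of patterns both analysts classified the same way (0.70 is the minimum)."""
    return round(sum(classify(p) != "escalate" for p in patterns) / len(patterns), 2)


def key_metrics(patterns=PATTERNS, signals=DEPT_SIGNALS):
    """The four key_metrics of the report; paralyzing % is taken over consensus-classified patterns only."""
    inv = prioritized_inventory(patterns)
    classified = [r for r in inv if r["friction"] != "escalate"]
    paralyzing = [r for r in classified if r["friction"] == "paralyzing"]
    return {
        "total_patterns": len(inv),
        "critical_count": sum(r["severity"] == "critical" for r in inv),
        "paralyzing_friction_pct": round(100 * len(paralyzing) / len(classified), 1) if classified else 0.0,
        "avg_fatigue_score": round(mean(fatigue_scores(signals).values()), 2),
    }


def report_json(patterns=PATTERNS, signals=DEPT_SIGNALS):
    """Serialise the JSON slice of the 'XLSX + PDF + JSON' deliverable."""
    return json.dumps({
        "output_type": "autoimmune_scan_report",
        "key_metrics": [{"name": k, "value": v} for k, v in key_metrics(patterns, signals).items()],
        "analyst_agreement": analyst_agreement(patterns),
        "inventory": prioritized_inventory(patterns),
    }, indent=2)


if __name__ == "__main__":
    print(report_json())
```

On the constructed data Engineering scores 3.8 and Finance 1.4, P4 is escalated because the analysts disagreed, the inventory orders P1 (critical) ahead of the two high-severity patterns, and analyst agreement lands at 0.80, above the 70% minimum but below the 85% "good" band in the quality table.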
| Quality Metric | Minimum Acceptable | Good | Excellent |
|---|---|---|---|
| Patterns identified | > 5 | > 10 | > 15 |
| Survey response rate | > 60% | > 75% | > 90% |
| Interview completion rate | > 70% | > 85% | > 95% |
| Department coverage | > 50% | > 75% | > 90% |
| Analyst classification agreement | > 70% | > 85% | > 95% |
If below minimum: Extend survey window, add interview slots, or broaden SIEM query scope.
| Error | Likely Cause | Recovery Action |
|---|---|---|
| Low survey response (< 60%) | Lack of trust or survey fatigue | Executive sponsor sends personal message, extend deadline |
| Interview cancellations | Discomfort or scheduling conflicts | Offer written response option, reschedule |
| SIEM access denied | IT security policy | Escalate to sponsor, proceed qualitative only |
| No patterns found | Questions too gentle or culture of silence | Reframe around "efficiency improvements" |
| Critical pattern mid-scan | Active compliance violation | Report to sponsor within 24 hours, continue scan |
| Component | Free Tier | Paid Tier | At Scale |
|---|---|---|---|
| Survey tool | $0 (Google Forms) | $50 (Typeform) | $200 (SurveyMonkey) |
| Interview time | $0 | $0 | $0 |
| SIEM access | $0 (client existing) | $0 | $0 |
| Total | $0 | $0-$50 | $0-$200 (only the survey tool carries a cost) |
| Anti-pattern | Instead |
|---|---|
| Approaching the scan as a compliance audit that punishes violators. Result: employees refuse to participate. [src4] | Treat shadow workarounds as symptoms of organizational friction, not employee failure. [src2] |
| Recommending more controls when the organization already has too many. [src3] | Remove paralyzing friction while strengthening protective friction. |
| Sending the survey without executive communication first. Result: employees assume it is a trap. [src1] | Before any survey, have the sponsor explain purpose, anonymity guarantees, and non-punitive intent. |
Use when an agent needs to detect and classify organizational autoimmune patterns. This is Step 4 of the OIA engagement lifecycle. Requires network analysis findings to target interviews. Output feeds into stress test design and the overall OIA health score.