Not long ago, we faced an IT service incident. The team was ready to troubleshoot quickly—tools were prepared, people were on standby, and the root cause was suspected. But before we could even touch the system, we had to request special access related to the incident.
The request was approved by the Incident Manager, which should’ve been enough. Yet the process didn’t stop there. We were still required to wait for another sign-off from the respective manager.
That extra approval step, which added no real security value, ended up blocking the team. Troubleshooting was delayed, and recovery dragged longer than it should have. In the middle of an incident, every minute counts—and redundant approvals cost us time we couldn’t afford.
The Problem With Redundancy
It’s like locking your front door with six identical padlocks, all opened by the same key. Looks secure from the outside, but anyone with that key breezes through.
In IT, I’ve seen this same “illusion of safety” repeatedly. Teams roll their eyes at endless approval steps. Some even become sloppy due to fatigue—clicking “approve” without thinking, to get it over with (to be honest, it includes me sometimes). And ironically, while people are stuck chasing signatures, the fundamental security gaps stay open longer.
What Actually Works
Good controls aren’t about more. They’re about different. Every layer should cover a new angle. For example:
- Multi-factor authentication. Not just “password plus password again.” Absolute independence between factors.
- Role-based checks. A senior architect doesn’t need the same hoops as an intern—different risks, different rules.
- Behavior monitoring. If Jemas Bnod (an imaginary engineer) constantly logs in from Jakarta and suddenly he’s “in” Paris at 3 a.m., that’s worth a second look.
- Split responsibilities. Don’t funnel everything through one poor manager’s inbox. Spread it around—compliance, security, project owners—each with a distinct role.
Think of it less like stacking the same key over and over, and more like a puzzle lock where every piece is unique.
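The behavior-monitoring check from the list above can be sketched as an "impossible travel" rule. This is an added example, not code from the incident described here; the `Login` record, the 900 km/h speed ceiling, the 50 km noise floor, and the sample users are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0    # assumed floor: ignore geo-IP jitter inside one metro area

@dataclass
class Login:  # hypothetical event shape, e.g. parsed from an IdP sign-in log
    user: str
    when: datetime  # timezone-aware, UTC
    lat: float
    lon: float
    city: str

def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (previous, current, implied_kmh) for consecutive logins of one user that imply a speed above max_kmh."""
    flagged, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue  # first sighting of this user: nothing to compare against
        km = km_between(prev, ev)
        hours = (ev.when - prev.when).total_seconds() / 3600
        if km < MIN_KM:
            continue
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            flagged.append((prev, ev, speed))
    return flagged

def utc(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed sample events (not real log data).
SAMPLE = [
    Login("jbnod", utc("2024-05-01 22:00"), -6.2088, 106.8456, "Jakarta"),
    Login("jbnod", utc("2024-05-02 01:00"), 48.8566, 2.3522, "Paris"),  # 03:00 local time, 3 h later
    Login("asari", utc("2024-05-01 02:00"), -6.2088, 106.8456, "Jakarta"),
    Login("asari", utc("2024-05-02 02:00"), 48.8566, 2.3522, "Paris"),  # 24 h later: a plausible flight
]
```

Only the first user is flagged: the same city pair a full day apart passes without review, so the check adds a distinct signal without adding a step for everyone.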
Where AI Helps (and Where It Shouldn’t)
Redundant approvals slow things down because they treat every request as if it carries the same risk. In reality, some are routine and predictable, while others truly need human judgment. This is precisely where AI can make a difference.
AI can watch systems round-the-clock without fatigue, flagging anomalies long before a human would even notice. It can learn behavioral patterns—what “normal” looks like for a user, a device, or a process—and raise an alert only when something deviates from that baseline. That means routine approvals, like granting temporary access during a low-risk incident, can be streamlined or even automated. Humans are then freed up to step in only for the high-risk, unusual, or context-sensitive cases.
In short, AI helps by eliminating unnecessary checkpoints and ensuring that each approval step is meaningful. Instead of drowning teams in repetitive clicks, AI filters out the noise, allowing people to focus on what actually matters.
Where AI shouldn’t be is in creating more redundant layers to appear “smarter.” A poorly designed AI system that merely adds another checkbox to the workflow only exacerbates the problem. The goal isn’t to multiply approvals—it’s to make every approval count.
Moving Toward “Leaner Security”
So how do we cut the fat?
- Run an honest audit. Spot the approvals that are basically copy-paste.
- Ask teams outside security where they feel “approval pain.” Their answers will surprise you.
- Pick tools that simplify. If the fancy new platform adds three extra clicks, it’s not helping.
- Teach the “why.” When people understand the reason behind a control, they tend to stop resisting it.
Final Thought
Cybersecurity isn’t a game of quantity. It’s quality. Distinct layers keep the system safe; duplicates clog the pipes.
Next time you review an approval chain, ask yourself: if I removed this step, would the system actually be less secure—or just faster?
If it’s the latter, you already know what to do.