1. Choose one high-impact workflow
Pick a workflow where authority is high, use is frequent, pressure is real, and failure has meaningful blast radius. Strong starting points include production deployment, break-glass access, bulk data movement, privileged identity issuance, vendor access, and agent external action.
2. Name the workflow states
Use states that reflect readiness rather than infrastructure trivia. For deployment: change proposed → reviewed → artifact built → artifact validated → deploy authorized → deploy executed → deploy complete.
3. Name one transition that must become unreachable
Examples: deploy to production without a validated artifact; mint privileged access without workflow context; export sensitive data without a purpose-bound pathway and terminal state; allow an agent to execute an external action without approval state.
4. Build the governed path
Bound authority
Mint power for a specific purpose, workflow state, scope, and terminal condition.
Expose curated actions
Let teams express intent without handling raw control-plane power.
Enforce progression
Make each action valid only as the next move from the correct state.
Collapse automatically
End authority when the mission ends, not when somebody remembers cleanup.
5. Prove the path is closed
Use regression tests: authority cannot be minted without prerequisite state; the invalid transition fails outside the paved road; terminal authority collapses; and the paved road works end to end for the real use case.
Restore the business. Name the pressure. Patch the constraint. Prove the path is closed.
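A minimal sketch of steps 2 through 5 for the deployment workflow, added here as an illustration and not taken from the original page. The class, the action names, and the grant fields are assumptions; the state names follow the example in step 2.

```python
import secrets

# Workflow states from step 2, in order.
STATES = ["change proposed", "reviewed", "artifact built", "artifact validated",
          "deploy authorized", "deploy executed", "deploy complete"]
# Curated actions (hypothetical names); each is valid from exactly one state index.
ACTIONS = {"review": 0, "build": 1, "validate": 2, "authorize": 3,
           "deploy": 4, "complete": 5}


class Denied(Exception):
    """Raised when a transition or grant is unreachable from the current state."""


class DeployWorkflow:
    def __init__(self, change_id, target):
        self.change_id, self.target = change_id, target
        self.state = STATES[0]
        self._grant = None  # bounded authority, absent until minted

    def act(self, action, grant=None):
        """Enforce progression: an action is only the next move from its one state."""
        src = ACTIONS.get(action)
        if src is None or STATES[src] != self.state:
            raise Denied(f"{action!r} is not valid from state {self.state!r}")
        if action == "deploy" and not self.grant_valid(grant):
            raise Denied("deploy requires the grant minted for this workflow")
        self.state = STATES[src + 1]
        if self.state == STATES[-1]:
            self._grant = None  # collapse automatically at the terminal state
        return self.state

    def mint_grant(self):
        """Bound authority: purpose, scope and terminal condition fixed at mint time."""
        if self.state != "deploy authorized":
            raise Denied(f"no grant can be minted in state {self.state!r}")
        self._grant = {"token": secrets.token_hex(16), "purpose": "deploy",
                       "scope": (self.change_id, self.target),
                       "ends_at": STATES[-1]}
        return dict(self._grant)

    def grant_valid(self, grant):
        """A grant is honoured only by the workflow that minted it, while it is live."""
        return bool(self._grant is not None and grant is not None
                    and secrets.compare_digest(grant.get("token", ""), self._grant["token"])
                    and grant.get("scope") == self._grant["scope"])
```

The four regression checks in step 5 map directly onto this object: minting before "deploy authorized" raises, "deploy" from any earlier state raises, the grant stops validating once "deploy complete" is reached, and the ordered sequence of actions runs end to end.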
Monday-morning prompt
Which single workflow currently turns a reasonable local decision into broad, persistent, or cross-boundary authority? What is the first unsafe future you can delete without stopping the business?