The audit tells you where you're exposed. It doesn't tell you what to do about it, and that's a different kind of decision entirely. Once the failure points are on the table, you're not managing a technical backlog anymore. You're making a capital allocation decision: a finite amount of organizational attention, against a list of risks that are not equally urgent, not equally visible, and not equally fixable on any given week.

This is where most leadership teams get it backwards. They fund whatever is most visible first, because visibility is what gets rewarded internally. The foundational risk, the one nobody can see yet, stays unfunded until it surfaces as a much more expensive problem downstream. By then it's not a roadmap conversation anymore. It's a postmortem. McKinsey's research on technical debt puts a number on exactly this pattern: CIOs report that 10 to 20 percent of the budget meant for new products gets diverted to resolving debt that was deferred rather than funded early, and 60 percent say that debt has risen materially over the past three years.

Here's how I think about sequencing once the risks are identified.

Exposure Readiness Unlock value

Three lenses, not a checklist

Is the exposure isolated, or is it sitting underneath active investment? The test I actually run isn't severity, it's exposure: how much of this quarter's spend is being built directly on top of the gap, right now. A gap with no active initiative depending on it is expensive to leave unresolved, but it's not getting worse; nothing new is being added to the liability. A gap sitting underneath two or three initiatives currently in flight is a different category of risk, because every dollar invested this quarter is being invested on top of the same instability, and unwinding it later means unwinding everything that got built on top of it in the meantime. I rank exposure-under-active-investment well above whatever severity score the underlying gap would earn on its own, because by the time it's visible enough for leadership to flag, it's already sitting underneath work that's expensive to touch. IDC's 2026 CIO Agenda research quantifies this exact dynamic: organizations that delay remediation face a projected 50 percent higher AI failure rate by 2027, driven not by the original gap worsening on its own, but by how much gets invested on top of it before anyone addresses it.

What does the organization actually have the standing to fix right now? Severity and readiness are different axes. A genuinely critical risk that requires multiple teams to agree on new ownership before anyone can act on it is, practically speaking, not yet fixable, and that's rarely a technical limitation. It's an alignment one. The organizations that move fastest here aren't the ones with the cleanest backlog. They're the ones where every function involved already rows in the same direction, with a shared definition of who's accountable for what, no matter how a company structures its teams today, or how AI ends up reshaping that structure tomorrow. RAND's research on AI project failure backs this up: the root causes of failed AI initiatives are overwhelmingly organizational rather than technical, misaligned ownership and fading sponsorship sink more initiatives than any modeling decision does. I've learned to separate "how bad is this" from "can this actually move this quarter," because conflating the two is how roadmaps get built around problems the organization isn't yet structured to solve, and stall there.

Does fixing this expand what's possible afterward, or does it only resolve what's directly in front of it? This question doesn't care whether the fix lives in how a company structures its teams or in the architecture itself. Some fixes are isolated. Others are foundational, whether that means a rebuilt schema or a reorganized ownership structure, because either one makes every subsequent initiative faster, cheaper, and lower-risk, by handing the next team a stable base instead of an unstable one. Early in any engagement, I weight heavily toward the foundational fixes, not because they're more urgent on paper, but because they're what earn the credibility to keep investing in the harder, less visible work later. McKinsey's analysis of 220 companies found that organizations in the top 20 percent for technical debt health saw revenue growth 20 percent higher than those in the bottom 20 percent, the compounding return that foundational fixes generate, measured at scale.

50%
Higher AI failure rate when remediation is delayedIDC, 2026
20%
More revenue growth for organizations with healthy technical debtMcKinsey
1 in 5
AI initiatives that actually achieve ROIGartner

Why this is a leadership question, not an engineering one

A standard backlog ranks by effort against impact, which works fine for feature work, where impact is usually legible to everyone in the room. It breaks down here, because in data and martech infrastructure, the most obviously high-impact ask, the new AI feature, the personalization engine the board has been asking about, is rarely the right first move. Gartner's own research on AI roadmaps found that only one in five AI initiatives achieve ROI, and just one in fifty deliver true transformation, which tracks with what I've seen: ranking purely by expected impact produces a roadmap that looks financially rational and turns out to be organizationally naive. Nobody on the leadership team is going to request "stable data ownership" by name. But it's frequently the actual precondition for the thing they did ask for, and treating it as a side issue rather than the critical path is how good initiatives get built on infrastructure that can't support them.

This is the product strategy discipline applied somewhere most organizations don't think to apply it. A roadmap isn't a list of what's wanted most. It's a sequence designed so that early decisions create the trust and the technical room to make the harder decisions later. Sequencing risk this way isn't a concession to leadership impatience. It's how you give leadership what they're actually asking for, just in the order that makes it durable instead of temporary.

What this changes in practice

Build the loud thing first → rebuilt twice Fund the foundation first → lands faster

When the loudest initiative on the roadmap turns out to depend on a foundational fix nobody asked for, the temptation is to build the loud thing anyway and hope the foundation holds. It rarely does. The more durable path, even though it looks slower at first, is to fund the foundational fix as the actual first deliverable, frame it in terms leadership cares about (timeline, risk, cost of rework), and let the visible initiative land on stable ground when its turn comes. It almost always lands faster than it would have otherwise, because it's no longer being rebuilt twice.

This is the step that turns an audit into an actual roadmap, and where most of the value in an engagement gets created. If you've already identified your exposure and aren't sure how to sequence the response, let's talk.

← Back to Selected Thinking