The AI Governance Brief

By: Keith Hill

About this listen

Daily analysis of AI liability, regulatory enforcement, and governance strategy for the C-Suite. Hosted by Shelton Hill, AI Governance & Litigation Preparedness Consultant. We bridge the gap between technical models and legal defense.

© 2026 Keith Hill
Episodes
  • AI Governance Failure: You Don't Know Your Own Organization
    Feb 16 2026

    Seventy-five percent of HR leaders report that managers are overwhelmed and not equipped to lead change. But before you dismiss this as a middle management problem, consider: by the time information reaches the CEO, it has been filtered, softened, and "customised to cater to superiors' expectations" at every level. Researchers call it "interpreting upwards."

    You're not leading the organization you think you're leading. You're leading the organization people want you to believe exists.

    And that organization is a fiction.

    In This Episode:

    • The CEO Bubble Is Real
      • Gartner 2025: 75% of managers overwhelmed and unequipped to lead change
      • CEIBS research: Information is "interpreted upwards" at each level—filtered, softened, divorced from ground truth
      • 66% of employees hide aspects of themselves from senior leaders
      • 80% of C-suite executives "cover" with almost everyone around them
    • You Cannot Move an Organization You Don't Understand
      • The org chart is a legal fiction—necessary for compliance, useless for understanding how work gets done
      • The 80/20 reality: 20% of people drive 80% of influence—and they're not always the people with titles
      • With just 20 influential employees identified through ONA, companies can reach 70% of the entire organization
    • The Seven Types of Informal Power
      • Expertise-Based Power (technical knowledge, organizational memory)
      • Reputational Power (track record, reliability)
      • Relational Power (access to key people, social capital)
      • Cultural Gatekeeping (control over "how things are done here")
      • Information Brokerage (bridging disconnected groups)
      • Resource Control (informal control over budgets, tools, access)
      • Positional Proximity (closeness to decision-makers)
    • Network Position Metrics That Matter
      • Degree Centrality: Direct connections—ability to spread information or resistance quickly
      • Betweenness Centrality: Bridge between disconnected groups—the brokers with cross-silo perspective
      • Eigenvector Centrality: Connected to other highly connected people—systemic influence
    • Why Your AI Governance Initiative Will Fail
      • You'll launch through formal channels targeting formal authority
      • You'll miss the informal systems that actually determine what people do
      • Predictable arc: announcement → compliance → erosion → irrelevance
      • Wells Fargo, Boeing: Executives were the last to know about problems employees understood clearly

    Your Seven-Day Action Plan:

    • Days 1-3: Map one network—ask 15 people across levels: "When you need to get something done outside the normal process, who do you go to?"
    • Days 4-5: Schedule three skip-level conversations two to three levels down
    • Days 6-7: Identify one gap between the organization you thought you had and the organization you actually have

    Ready to see your actual organization?

    Understanding informal power structures isn't optional for AI governance success. It's the foundation everything else depends on.

    organizational network analysis, informal power structures, executive blindness, AI governance failure, organizational psychology, skip-level meetings, change management, CEO bubble, interpreting upwards, informal influencers, psychological safety, organizational intelligence

    18 mins
  • CRA COUNTDOWN: Change Management: From Paralysis to Progress
    Feb 11 2026

    Six months ago, I worked with a healthcare technology company that had everything CRA compliance requires on paper: executive sponsorship confirmed, steering committee formed, product inventory complete, SBOM tools selected, documentation templates created. Six months of planning. Six months of meetings. Six months of preparing to prepare.

    When I asked how many products had achieved conformity-ready status, the answer was zero.

    They had mistaken planning for progress. And September 2026 was now six months closer.

    In This Episode:

    • Why Knowledge Isn't the Barrier—Execution Is
      • CRA requires simultaneous changes across Engineering, Product, Security, Legal, Quality, and Documentation
      • Each function has competing priorities and limited capacity
      • Without structured change management, organizational capacity overwhelms and implementation stalls
    • The Three-Phase Implementation Roadmap
      • Phase One (Now → Early 2026): Governance, inventory, SBOM infrastructure, documentation systems
      • Phase Two (Mid-2026 → September 2026): PSIRT operationalization, vulnerability reporting workflows, 24-hour response verification
      • Phase Three (Late 2026 → December 2027): Complete documentation, conformity assessment, EU Declaration preparation
    • Quick Wins That Build Momentum
      • Week 1: Executive sponsor announcement
      • Week 2: Single business unit inventory
      • Week 3: First compliant SBOM
      • Week 4: Pilot product risk assessment
      • Week 6: Control mapping to existing frameworks
      • Week 8: Complete documentation package for pilot product
      • Week 12: Tabletop vulnerability exercise
    • Overcoming the Five Resistance Patterns
      • "We don't have time" → Explicit deprioritization decisions
      • "This isn't my responsibility" → RACI matrix clarity
      • "We already do this" → Evidence-based gap analysis
      • "The deadline is far away" → Phase gate accountability
      • "Let's wait for regulatory clarity" → Risk-based implementation
    • The Cost of Delay (Quantified)
      • 20 months remaining allows phased implementation
      • 14 months remaining requires 30% faster implementation
      • 8 months remaining requires 2.5x resource multiplication
      • Notified body calendars are filling NOW
      • Talent competition is intensifying
    • From Project to Operational Discipline
      • December 2027 isn't the finish line—it's the starting line
      • SBOM generation must become permanent pipeline capability
      • Vulnerability monitoring must become continuous
      • Documentation must be maintained as products evolve
      • Conformity must be reassessed when products change materially

    Your Fourteen-Day Action Plan:

    • Days 1-3: Formalize executive commitment with documented engagement cadence
    • Days 4-6: Identify specific individuals for CRA work with time allocation
    • Days 7-9: Select three quick wins achievable in 90 days with owners and dates
    • Days 10-12: Define Phase One milestones with specific completion dates
    • Days 13-14: Prepare and distribute program kickoff communication

    Deliverables:

    1. Documented executive commitment with engagement cadence
    2. Named resource allocation with sponsor approval
    3. Selected quick wins with owners and dates
    4. Phase One milestone schedule
    5. Program kickoff communication

    Ready to convert knowledge into action?

    The First Witness Stress Test reveals where your organization stands today—and builds the implementation roadmap that converts planning into progress. Stop preparing to prepare. Start executing.

    CRA implementation, CRA change management, compliance program execution, CRA roadmap, September 2026 compliance, CRA quick wins, compliance momentum, CRA phase gates, regulatory implementation, CRA operational discipline, compliance transformation, CRA program management

    33 mins
  • CRA COUNTDOWN: Episode 6: Healthcare and Finance: Your Sector-Specific Compliance Maze
    Feb 10 2026

    A healthcare technology CEO told me last quarter that she wasn't worried about CRA because her products were medical devices regulated under MDR. She was half right. Her Class IIa infusion management system is indeed exempt from CRA product requirements. But the cloud platform that aggregates patient data from those devices? Not exempt. The mobile application clinicians use to monitor alerts? Not exempt. The integration APIs that connect to hospital EHR systems? Not exempt.

    Her MDR exemption protected one product. Her ecosystem has seventeen products in CRA scope that nobody was tracking.

    In This Episode:

    • Healthcare: Why Your MDR Exemption Is Narrower Than You Think
      • MDR exempts medical devices with medical purpose—not the digital ecosystem surrounding them
      • Cloud platforms, clinician dashboards, mobile alert apps, integration APIs: likely in CRA scope
      • The proposed MDR revision (COM(2025)1023): enhanced cybersecurity requirements coming for certified devices
      • Radio Equipment Directive (RED) overlay for WiFi/Bluetooth-enabled products
    • Finance: Why DORA Doesn't Satisfy CRA
      • DORA is entity-level regulation (your organization's ICT risk management)
      • CRA is product-level regulation (products placed on the market)
      • Your mobile banking app needs DORA compliance AND CRA compliance—separately
      • Financial industry exemption requests have not prevailed
    • The Silo Problem in Both Sectors
      • Healthcare: MDR teams lack DevSecOps velocity; IT Security lacks regulatory documentation expertise
      • Finance: DORA teams don't address product-level compliance; product teams operate outside regulatory structure
      • Result: competent functional performance producing collective compliance failure
    • The Integration Opportunity
      • ISO 27001 implementations provide ~60% CRA requirement coverage
      • Healthcare: Extend MDR QMS to cover CRA requirements
      • Finance: Map DORA ICT controls to CRA essential requirements
      • Organizations aren't starting from zero—they're closing specific gaps from established foundations
    • Sector-Specific Implementation Paths
      • Healthcare: Ecosystem inventory → QMS extension → Notified body harmonization → RED overlay
      • Finance: Product-vs-entity analysis → DORA-CRA mapping → Evidence integration → Dual reporting

    Your Fourteen-Day Action Plan:

    • Days 1-3: Exemption analysis with documented regulatory rationale
    • Days 4-7: Existing framework inventory (MDR QMS, DORA ICT, ISO 27001, NIST CSF)
    • Days 8-11: Control mapping—CRA requirements vs. existing controls
    • Days 12-13: Gap prioritization by examination risk and implementation effort
    • Day 14: Integration strategy documentation for executive approval

    Deliverables:

    1. Exemption analysis with documented rationale
    2. Existing framework inventory
    3. Control mapping showing CRA coverage percentage
    4. Gap prioritization with preliminary roadmap

    Ready to map your regulatory overlaps?

    The First Witness Stress Test includes sector-specific analysis—mapping your existing MDR, DORA, or ISO 27001 controls against CRA requirements to reveal how much coverage you already have and where genuine gaps remain. Stop duplicating compliance effort. Start integrating it.

    CRA MDR exemption, healthcare CRA compliance, financial services CRA, DORA CRA overlap, medical device regulation cybersecurity, CRA ISO 27001 mapping, integrated compliance framework, CRA healthcare ecosystem, fintech CRA requirements, connected medical devices, regulatory integration, CRA control mapping

    29 mins