The knowledge your team deserves.

Use this reference during design reviews, when evaluating vendor interfaces, or when someone asks why a design decision matters. Each law includes an application prompt to turn the principle into a question you can ask about any interface.

Fitts's Law — Size and Distance

• Targets should be sized proportionally to how frequently and urgently they are used.
• Ask: Is the primary action the largest and closest interactive element on the screen?

Hick's Law — Choice Overload

• Every additional option increases decision time. Remove options that do not serve the user's current goal.
• Ask: What is the minimum number of choices needed at this step? Can anything be moved to a secondary screen or progressive disclosure?

Jakob's Law — Familiar Patterns

• Users transfer expectations from other products. Deviate from conventions only when you have a compelling reason and the design benefit is clear.
• Ask: Which conventions is this design relying on, and which is it breaking? Is each break intentional and justified?

Miller's Law — Chunking

• Group related items. Break long forms into steps. Limit navigation items. Seven is the upper bound, not the target.
• Ask: Are related elements grouped visually? Does the user ever need to hold more than 5 to 7 things in mind at once?

Peak-End Rule — Memory is Not Average

• Design the most emotionally significant moments and the final step with extra care. A bad ending overwrites a good middle.
• Ask: What is the peak emotional moment in this flow? What is the last thing the user experiences? Are both good?

Tesler's Law — Irreducible Complexity

• Complexity cannot be eliminated, only moved. Decide consciously where it lives: in the system, the design team, or the user.
• Ask: Whose job is this complexity? Have we made it our problem or the user's problem?

Von Restorff Effect — Stand Out to Be Remembered

• One thing can stand out. When multiple things try to stand out, nothing does. Use visual distinction deliberately and sparingly.
• Ask: What is the one thing on this screen that should be remembered or acted on? Is it visually distinct from everything else?

Zeigarnik Effect — Incomplete Tasks Pull

• Visible progress creates a pull toward completion. Show users where they are in a process.
• Ask: Does the user know how far they have come and how far they have to go? What would make them more likely to finish?

Aesthetic-Usability Effect — Beauty Creates Patience

• Visually polished products receive more goodwill from users when they encounter friction. Quality signals trustworthiness.
• Ask: Does the visual quality of this interface match the quality of the experience we want users to have?

Doherty Threshold — Speed is a Feature

• Interactions that take longer than 400ms feel slow. Perceived performance matters as much as actual performance.
• Ask: Where are the latency moments in this flow? What can be made faster, preloaded, or shown with a skeleton state?

Goal-Gradient Effect — Acceleration Near the Finish

• People work harder as they get closer to a goal. Showing progress — even artificially — increases completion rates.
• Ask: Does the user feel like they are getting closer to something? What signals that they are making progress?

Serial Position Effect — First and Last

• The first and last items in any sequence are best remembered. Put what matters most at the beginning and end of lists, menus, and flows.
• Ask: Are the most important navigation items or options in the first or last positions?

Parkinson's Law — Constraints Shape Output

• Open-ended inputs produce unfocused outputs. Set expectations explicitly — character limits, time suggestions, example formats.
• Ask: Have we given the user enough constraint to succeed? Or too much freedom to flounder?

Postel's Law — Accept Gracefully, Output Precisely

• Accept varied input formats without error. Output consistently formatted, clear information.
• Ask: What input formats are we rejecting that we could accept? What are we outputting that could be clearer?

This template structures an accessibility audit across four areas: automated scanning, manual keyboard testing, screen reader testing, and content review. Use it before launch, after significant redesigns, or as part of a periodic compliance review. Always supplement automated results with manual testing — automated tools catch roughly 30 to 40 percent of issues.

Section 1 — Product Overview & Audit Scope

• Product or page URL(s) being audited
• Target conformance level: WCAG 2.1 AA (recommended baseline)
• Applicable legal standards: ADA, Section 508, EAA, AODA — check which apply to your organization
• Audit date and auditor name
• Testing environment: browser, screen reader, operating system used

Section 2 — Automated Scan Results

• Run axe DevTools, WAVE, or Lighthouse accessibility audit. Log each issue by WCAG criterion, severity, and element location.
• Severity tiers: Critical (blocks access entirely), Serious (significantly degrades experience), Moderate (creates friction), Minor (best practice violation).
• Do not mark automated scan complete as the full audit. It is the starting point.

Section 3 — Keyboard Navigation Test

• Tab through every interactive element. Confirm visible focus indicator at each stop.
• Complete every user-facing task using keyboard only: form submission, navigation, modals, dropdowns, date pickers.
• Confirm Tab order is logical and matches visual reading order.
• Verify no keyboard trap exists — you should be able to navigate into and out of every component.
• Log any element where keyboard access fails or focus indicator is absent.

Section 4 — Screen Reader Test

• Test with at least one screen reader. NVDA + Chrome or VoiceOver + Safari are the most common pairings.
• Confirm all images have meaningful alt text (or are marked decorative with empty alt attribute).
• Confirm form labels are programmatically associated with their inputs.
• Confirm error messages are announced without requiring a page refresh.
• Confirm headings follow a logical hierarchy (H1 → H2 → H3) that reflects page structure.
• Confirm modal dialogs trap focus correctly and return focus on close.
• Confirm dynamic content updates (alerts, toasts, loading states) are announced via ARIA live regions.

Section 5 — Color, Contrast & Content

• Check contrast ratio for all text against its background. Minimum 4.5:1 for normal text, 3:1 for large text (WCAG AA).
• Confirm no information is conveyed by color alone. Red error states need an icon or text label, not just color.
• Run UI through a color blindness simulator (deuteranopia at minimum).
• Check body text is minimum 16px with 1.5 line height. Text resizes to 200% without content loss.
• Assess reading level of key content using Flesch-Kincaid or similar tool. Target 8th grade or below for public-facing content.
• Review any motion or animation. Confirm prefers-reduced-motion is respected. Confirm nothing flashes more than 3 times per second.

Section 6 — Findings & Remediation Matrix

• List each finding with: WCAG criterion violated, severity, location, description, remediation recommendation, and assigned owner.
• Prioritize Critical and Serious findings for immediate remediation before launch or next release.
• Moderate and Minor findings go into the backlog with target sprint or quarter.
• Track remediation completion and retest each finding after fix is deployed.

Section 7 — Accessibility Statement

An accessibility statement should include:

• The organization name and product covered
• The WCAG version and conformance level targeted
• Known limitations and workarounds where applicable
• Date of last review
• Contact method for users to report accessibility barriers (email preferred — phone and TTY for federal contexts)
• Feedback response commitment — how quickly will you acknowledge and respond?

This framework is for the part that governance documentation usually skips: how you actually get people to change. The policy exists. The training happened. Now what?

Step 1: Diagnose the Resistance

Before trying to fix the behavior, understand why it's happening. Most resistance falls into one of four categories:

• Capacity resistance: "I don't have time for this." The process feels like added work on top of an already full workload. Fix: reduce friction in the compliant process and demonstrate time savings downstream.
• Clarity resistance: "I don't know what I'm supposed to do." The expectation was communicated but not demonstrated. Fix: show the process, don't just describe it. Walk through a real example.
• Credibility resistance: "Nobody actually follows this." The policy exists but enforcement is inconsistent. Fix: consistency matters more than perfection. Apply the standard everywhere or people will find the gaps.
• Consequence resistance: "Nothing happens when I don't do it." The risk of non-compliance is abstract and the effort of compliance is immediate. Fix: connect the specific habit to a specific outcome that people can relate to, like a failed audit, a data incident, or a broken integration.

Step 2: Design the Transition

• Pick the highest-risk habit to address first. Not the easiest one. Pick the one that carries the most organizational exposure if left unchanged.
• Define what "done" looks like. What does the correct process look like, step by step, in the actual tools your team uses?
• Set a parallel lane period, typically 30 to 60 days, where both the old and new approaches are acceptable. Announce the end date up front.
• Assign an owner for the transition who isn't also responsible for enforcing it. The person driving adoption should be a guide, not a gatekeeper.
• Identify the informal influencers on each affected team and get their input before the rollout. Not their permission. Their perspective. There's a difference.

Step 3: The Buy-In Conversation

This conversation works better when it's direct. Here's a structure that tends to land well:

• Start with the problem, not the policy. "Here's what's happened when this wasn't in place" lands better than "here's what the policy requires."
• Acknowledge the real cost of the change. If it takes more time upfront, say so honestly. Then explain what it prevents and what it makes easier later.
• Give people a visible path to raise concerns. "What would make this harder to implement on your team?" signals that you're designing this with them, not at them.
• Be clear about the end state. People can tolerate temporary difficulty when they know what it's leading to and when it ends.
• Follow up individually with anyone who pushed back. Group sessions bring out the vocal objections. The quiet resistance is often more powerful and goes unaddressed.

Step 4: Managing Exceptions Without Losing the Standard

• Exceptions will happen. The goal isn't to prevent all of them. The goal is to make sure they're documented, approved, and time-bound rather than silent.
• Create a simple exception request process: what is the exception, why is it needed, who approved it, and when does it expire? Keep it light enough that people actually use it.
• Review exceptions periodically. If the same exception is being requested repeatedly by the same team, that's a signal the process needs to be redesigned for their context, not just waived repeatedly.
• Never let an exception become the default. "We've always done it this way for this project" is how workarounds become permanent fixtures.

Rollout Communication Checklist

• Written summary of what's changing, why, and by when, sent before any training or working session
• A concrete before-and-after example of the old process vs. the new one
• Named owner people can go to with questions
• Transition window start and end dates in writing
• Confirmation of what happens after the transition window closes
• A feedback channel, even a simple one, for people to flag issues
• A follow-up check-in scheduled 2-3 weeks after rollout to catch problems early

A standard SWOT gives you a list. This version asks you to back up each item with evidence and connect every finding to a specific next move. The extra steps are where the value is.

How to Run It

• Before the session: Assign an owner to each quadrant. They come prepared with data, not impressions.
• In the session: For every item listed, ask how you know it's true. If the answer is "we think so," it needs more work before it goes in.
• Score each item: Strengths and Opportunities by magnitude (1-5). Weaknesses and Threats by urgency and likelihood (1-5 each).
• Map the moves: SO, WO, ST, WT. Each move references at least one item from two quadrants.
• End with three actions: Each gets an owner, a timeline, and a success metric. Everything else goes to a backlog.

Strengths

• What can we do that would be genuinely hard for a competitor to replicate?
• Where do we have data showing we outperform?
• What relationships, systems, or people give us a real and lasting advantage?
• Where does our culture or talent actually show up as a differentiator?

Weaknesses

• Where do things consistently break, get redone, or generate complaints?
• What are we running on tribal knowledge or technical debt?
• Where are we under-resourced relative to what we've committed to?
• What have we kept pushing off, and what is that actually costing us?

Opportunities

• What regulatory or market shifts create a window if we move on them?
• Where are competitors falling short in ways we could address?
• What are customers or users asking for that no one is delivering well?
• What partnerships, talent pools, or technologies are accessible now that may not be in 12 months?

Threats

• What policy or regulatory changes could affect operations in the next two years?
• What could a competitor do that would hurt us most?
• Where are we exposed to a single point of failure: a vendor, a system, or a person?
• What external scenarios would make our current strategy look fragile?

A timeline is not a roadmap. A roadmap shows what you're doing, why, in what order, and whether you actually have the capacity to do it. Those are four different questions and most roadmaps only answer one.

Four Things a Roadmap Should Show

• Time horizon: Now (0-90 days), Next (3-12 months), Later (12-36 months). These represent commitment levels, not sprint cycles. Later items don't have owners yet.
• Strategic category: Quick Wins (high value, low effort), Bets (high value, significant effort), Enablers (things that make other things possible), Maintenance (things you have to do regardless).
• Ownership: Every initiative has a sponsor and a delivery lead. The sponsor provides cover and removes blockers. The delivery lead is accountable for the work. These are two different people.
• Capacity check: Add up the hours per week your Now initiatives require. If it exceeds what's actually available, something moves or someone gets deprioritized. Put that in the roadmap too.

Before an Initiative Goes on the Roadmap

• What strategic objective does this support? If the answer is "it seems useful," it goes to the backlog.
• What's the measurable outcome, and who owns tracking it?
• What dependencies exist: technology, people, vendors, process changes?
• What is the full cost, including staff time and opportunity cost, not just licensing?
• What happens if we don't do this in 90 days? In a year? That tells you how urgent it actually is.

Prioritization: Effort vs. Impact

• High impact, low effort: do these now.
• High impact, high effort: plan carefully, staff appropriately, don't rush.
• Low impact, low effort: batch and schedule when there's space.
• Low impact, high effort: cut them. These drain resources and produce little.

Vendor selection without a scoring framework is mostly a gut-feel exercise with paperwork attached. This matrix gives the process structure and builds in disqualifiers that no score can override.

Eight Evaluation Categories

• Functional Fit (25%): Does it actually do what you need? Score each requirement as Met, Partially Met, or Not Met. A vendor that misses a must-have shouldn't advance regardless of other scores.
• Implementation and Onboarding (15%): What does the realistic timeline look like? Who specifically will be assigned to your account? What do reference clients say about their actual onboarding experience?
• Security and Compliance (20%): Is a SOC 2 Type II available? What certifications do they hold? How do they handle incidents? Who are their subprocessors?
• Total Cost of Ownership (15%): License plus implementation plus integration plus training plus support, across three years. Year 1 cost alone is not the right number.
• Vendor Financial Stability (10%): Public financials or a D&B report. How long have they been operating? What's their customer retention rate?
• Support and SLAs (5%): Uptime commitment with financial penalties, not just remediation promises. Is there a real escalation path?
• Product Roadmap (5%): What percentage of their roadmap commitments were delivered on time in the last year? What's driving the roadmap, customer need or investor timeline?
• Fit (5%): Do they understand your space? Are they willing to negotiate terms? Is there any indication this will be a real relationship or just a transaction?

Automatic Disqualifiers

• Won't share SOC 2 Type II under NDA.
• No data portability or exit provision in the contract.
• References are all executive sponsors with no operational or technical contacts available.
• Implementation timeline was set entirely by the vendor with no internal readiness discussion.
• Annual pricing escalation is uncapped.

Step 1: Define the Capability, Not the Tool

Before evaluating anything, write down what you actually need to be able to do. "We need a fraud detection platform" is a procurement statement. "We need to detect synthetic identity fraud at account opening with a false positive rate below 3%" is a capability definition. The specificity changes every decision that follows.

Step 2: Core vs. Context

• Core: Capabilities that directly affect how you compete or how you manage risk. Worth building internally when the conditions are right.
• Context: Capabilities every organization needs but that don't differentiate anyone. HR software, expense tools, commodity workflows. Buy these.
• Worth asking honestly: do we want to own this because it's genuinely core, or because it feels like it should be ours?

Step 3: Three-Year Cost Comparison

• Build: Engineering hours to design, build, test, and deploy, plus ongoing maintenance (typically 20-30% of build cost per year), infrastructure, security review, and documentation.
• Buy: License fees across three years including escalation, plus implementation, integration work, training, internal admin overhead, and exit costs.
• If build comes within a reasonable range of buy and the capability is core, build deserves serious consideration.

Step 4: Organizational Readiness

• Do we have engineers who can build this and keep it running, not just ship version one?
• Do we have the capacity to maintain it alongside everything else?
• Will this actually get prioritized when there's always a next project waiting?
• Do we have the product management discipline to own a roadmap for something we built ourselves?

Step 5: The Third Option

Often the right answer isn't pure build or pure buy. Buy the commodity component. Build the workflow, governance layer, and integrations on top of it. That's usually where the real organizational value lives anyway.

Three Options and When Each Makes Sense

• Hire full-time when the role is permanent, the capability needs to grow inside the organization, and you need someone invested in the long-term outcome. Hiring for a project is a workforce planning problem disguised as a staffing solution.
• Develop internally when the foundation is already there and the person has the drive to grow into it. You get loyalty and institutional knowledge in return for the investment of time.
• Bring in a contractor for time-boxed, specific work. Make knowledge transfer a stated requirement, not an afterthought. A contractor who walks out with all the context is expensive temporary labor.

Writing Better Job Descriptions

• If a job description lists 22 tools, it's describing a technology inventory, not a role. Start with what you need someone to be able to do, not what they need to have used.
• Separate what someone needs on day one from what you'd expect them to develop in the first year. Conflating the two narrows your candidate pool without making the hire better.
• Define what success looks like at 30, 60, and 90 days. Candidates who ask about this in interviews are usually the ones worth hiring.
• For technical roles, communication matters as much as technical skill. Someone who can explain a complex system clearly to a non-technical audience is a different and often more valuable asset.

Interview Questions Worth Asking

• "Tell me about an implementation that didn't go as planned. What were the root causes and what did you do differently after?"
• "Walk me through how you'd document a new system integration for an audit or compliance review."
• "A vendor says their implementation will take six months. What's the first question you'd ask internally before agreeing to that timeline?"
• "How do you raise a risk concern when leadership has already moved past it?"

This template came out of a real audit request, the kind where someone asks for evidence of who can access a system, how data moves through it, and what security protocols are in place. Most teams don't have that documentation ready. This gives you a structure to build it before someone asks.

What It Covers

• Section 1, Access Control: Who is authorized to modify the integration configuration, how roles are assigned, and what the change control process looks like. Includes an evidence exhibit for screenshots.
• Section 2a, Data Flow: Source system, target system, integration pattern, what data moves, and the step-by-step sequence of how it moves.
• Section 2b, Transport Security: HTTPS and TLS version, certificate details, endpoint and port. Written confirmation that encryption is in place.
• Section 2c, Authentication: Which method is used: OAuth2, API key, or service account. Documented without exposing actual credentials.
• Section 3, Additional Controls: Logging, monitoring, error handling, reconciliation, and a regulatory alignment checklist.
• Section 4, Evidence Index: A lettered exhibit table that maps each screenshot to the section it supports.
• Section 5, Sign-Off: Approval block with named roles and dates.

When to Use It

• Before any new integration goes to production.
• As part of an annual IT controls review.
• After any significant change to an existing integration: configuration, authentication method, or data flow.
• When preparing evidence for an audit, security review, or compliance request.

This is a starting point, not a finished policy. Take the structure, adapt the language to your organization, and have legal and compliance review it before it goes anywhere official. AI governance requirements vary by industry and are still evolving.

Section 1: Purpose and Scope

• This policy covers the use of AI and machine learning tools by employees, contractors, and third parties working on behalf of [Organization].
• Includes generative AI tools, AI-assisted automation, ML-based decisioning models, and AI features embedded in approved platforms.
• Does not cover traditional rule-based automation, which is addressed separately under [RPA / Workflow Automation Policy].

Section 2: Approved Tools and AI Inventory

• Only tools that have gone through the organizational review process and appear on the Approved AI Tool Registry may be used for work purposes.
• Employees may not use personal or unapproved AI tools to process organizational data, regardless of sensitivity level.
• The AI Inventory is maintained by [IT/Risk Function] and reviewed regularly. Anyone wanting to use a new tool submits a request through [designated process].

Section 3: Data Classification and AI Use

Section 4: Use Case Approval

• New AI use cases should document the business purpose, data inputs and their classification, expected outputs, how humans stay in the loop, and what success and failure look like.
• Use cases involving customer data, high-consequence decisions, or regulatory reporting should go through compliance and legal review before approval.
• Approved use cases get logged in the AI Inventory with the approval date, approving authority, and when they will be reviewed again.

Section 5: Human Review Requirements

• AI tools can support decisions. They should not independently execute consequential actions without a defined human review step.
• Low-risk outputs such as internal drafts or research summaries: author reviews before use.
• Medium-risk outputs such as customer communications or risk flags: supervisor or compliance review with a documented approval.
• High-risk outputs such as regulatory filings or account decisions: a qualified human decision-maker with a full audit trail.
• Automated AI actions are only permissible where the decision logic is fully documented, tested, explainable, and has an exception process.

Section 6: AI Incidents

• An AI incident is any event where a tool produces output that causes or could cause harm. That includes hallucinated content in a formal document, decisions affecting protected classes, unauthorized data exposure.
• Incidents should be reported to [designated function] within [24/48] hours of discovery.
• The use case involved is paused pending root cause analysis unless specifically re-authorized by [designated authority].

Section 7: Vendor Due Diligence

• Data Processing Agreement executed before any organizational data goes in.
• Model training opt-out confirmed for enterprise accounts.
• Zero data retention commitment or a documented data retention policy.
• Subprocessor list reviewed.
• Data residency confirmed.
• Security certifications reviewed: SOC 2 Type II, ISO 27001, or equivalent.
• Incident notification timeline confirmed: how quickly will you hear about a breach or model failure affecting your data?