This is an automated archive made by the Lemmit Bot.
The original was posted on /r/maliciouscompliance by /u/LaconicLacedaemonian on 2025-03-21 16:14:44+00:00.
Policy Change: My department (~200 software engineers) instituted a policy “All code changes must be installed on all servers within 2 weeks, or have manager approval.”
Context: I work in software at large companies. Eventually, software that is written needs to be deployed to a computer somewhere. Software changes are one of the biggest reasons for bugs or outages. But, the way many software companies work is every change increments a version number.
Think “I’m deploying version 111” to a server somewhere, and if the previous version that was deployed was version 101, that means 10 changes are going out. If one of them fails, we basically need to sift through the changes to find the bug and revert the changes.
Deploying regularly is good practice and keeps the amount of code being deployed low and allows us to quickly identify failures.
Problem:
It was literally impossible to follow this rule as simple code changes implied >100 deployments. If this sounds insane, it is, but only because it wasn’t automated. This meant that pretty much any change required manager approval.
I called this out, and suggested changing the code such that we could make changes to individual systems at a time (~ 3 months of work). This was not funded by management.
The Malicious Compliance:
I blocked literally every change because “we’re not following policy” and made them ask for manager approval. This forced managers to confront the unfollowable policy and to understand the complexity of what they were asking. But they kept approving changes anyway…
So I kept it up; every change was going to follow this policy. Then, management would be forced to (1) approve the change anyway, (2) invest in the code changes to isolate services, or (3) abandon the policy. While there was an initiative for automation, time to delivery was long and only reduced the number of manual actions to about 30.
After 9 months, and dozens of overrides, a new initiative that was critical required rapid changes. I made a document outlining how many times the policy had been overridden, what could be done to follow the policy, but ultimately recommended that we either invest now in the changes to allow this to work, slow down the critical project to follow policy, or abandon it.
It was abandoned.
The Aftermath:
I received an exemplary performance review, with people noting my commitment to quality and my role as a champion of this policy.
TL;DR: Management made a policy that was fine on paper but impossible given current circumstances, and required approval to deviate from the policy. So I forced them to approve literally everything, documented it all, and used the documentation and a critical project to get the policy killed.