[{"data":1,"prerenderedAt":154},["ShallowReactive",2],{"blog-/blog/2026-02-27-business-rules-technical-debt":3},{"id":4,"title":5,"body":6,"date":141,"description":142,"draft":143,"extension":144,"meta":145,"navigation":146,"path":147,"seo":148,"stem":149,"tags":150,"__hash__":153},"blog/blog/2026-02-27-business-rules-technical-debt.md","Your Business Rules Are Technical Debt You Don't Track",{"type":7,"value":8,"toc":131},"minimark",[9,14,18,21,24,27,30,34,37,40,43,46,53,59,65,71,73,77,80,83,86,89,91,95,98,101,104,110,116,119,121,125,128],[10,11,13],"h2",{"id":12},"the-debt-that-doesnt-show-up-on-any-dashboard","The debt that doesn't show up on any dashboard",[15,16,17],"p",{},"McKinsey describes technical debt as \"digital dark matter\": you can infer its impact, but you can't see or measure it. Their research found that some business units carry up to 58% additional hidden cost in their IT total cost of ownership due to accumulated technical debt. CISQ's 2022 Cost of Poor Software Quality Report estimates accumulated software technical debt in the US at approximately $1.52 trillion.",[15,19,20],{},"These numbers are well-known. What's less discussed is a specific category of this debt that lives outside the codebase, outside the infrastructure, and often outside anyone's awareness: the business rules that govern how your organization actually makes decisions.",[15,22,23],{},"Every business runs on rules. Pricing logic. Approval thresholds. Routing conditions. Eligibility criteria. Escalation policies. Risk classifications. These rules determine who gets approved, what gets flagged, how much gets charged, and where requests get routed. They are the operating logic of the business.",[15,25,26],{},"And in most organizations, they are scattered across codebases, spreadsheets, configuration files, and — most dangerously — in the institutional memory of individual employees.",[28,29],"hr",{},[10,31,33],{"id":32},"how-rules-become-invisible-debt","How rules become invisible debt",[15,35,36],{},"McKinsey's analysis of technical debt identifies a pattern that applies directly to business rules: \"temporary fixes that inevitably become permanent, solutions that become outdated, and one-off implementations to meet business priorities.\" One company they studied suspected 50+ legacy applications carried major debt — but analysis showed just 20 asset types drove the majority, and just 4 debt types drove 50-60% of the impact.",[15,38,39],{},"Business rules follow the same pattern, but with an additional complication: unlike code, rules are rarely treated as first-class engineering artifacts. They don't get version control. They don't get automated tests. They don't get code review. They live in if/else blocks buried in application code, in Excel files on someone's desktop, or in policy documents that haven't been updated since the person who wrote them left.",[15,41,42],{},"A Fintech Today article on \"process debt\" in financial institutions describes exactly this: \"legacy steps that are long divorced from their original rationale but remain in place because of the sunk IT costs and established routines built upon them.\" The article argues that process debt is \"more hidden than technical debt\" because it's \"deeply embedded in culture and institutional routines.\"",[15,44,45],{},"This creates a specific set of problems:",[15,47,48,52],{},[49,50,51],"strong",{},"The change bottleneck."," When a business rule lives in code, changing it requires a development ticket, code modification, code review, testing, and deployment. CodeScene's technical-debt whitepaper reports that, on average, 40–50% of development time is spent on unplanned work; rules buried in code can be one contributing factor. A business analyst identifies that a threshold needs to change from 50 to 75. The actual change is one number. The process to deploy that change can take days or weeks.",[15,54,55,58],{},[49,56,57],{},"The knowledge dependency."," When rules exist as tribal knowledge, the organization is one resignation away from not understanding its own decision logic. This isn't hypothetical — it's the most common pattern in enterprise software. MIT's Project NANDA report argues that the core barrier to scaling enterprise GenAI is learning: systems fail due to brittle workflows, lack of contextual learning, and misalignment with day-to-day operations. Rules that nobody can explain are rules that nobody can automate.",[15,60,61,64],{},[49,62,63],{},"The testing gap."," In software engineering, untested code is considered a liability. Yet most business rules have never been systematically tested. There's no coverage report for your pricing logic. There's no regression suite for your approval matrix. When a rule changes, the test is production — and the test subjects are real customers.",[15,66,67,70],{},[49,68,69],{},"The audit black hole."," In regulated industries, the question \"why did the system make this decision?\" must have a traceable answer. When rules live in code, the answer requires a developer to read the code, understand the execution path, and reconstruct the reasoning. When rules live in someone's head, there is no answer.",[28,72],{},[10,74,76],{"id":75},"the-compounding-effect-with-ai","The compounding effect with AI",[15,78,79],{},"This problem isn't new. But it has become significantly more urgent with the adoption of AI agents.",[15,81,82],{},"When business rules are clear, versioned, and testable, adding an AI component is relatively straightforward: the AI handles the unstructured part (interpreting a document, extracting data from natural language), and the rules handle the decision part. The boundary is clean.",[15,84,85],{},"When business rules are opaque — buried in code, scattered across systems, undocumented — adding AI doesn't solve the problem. It compounds it. Now you have an opaque AI model feeding into opaque business rules, producing outcomes that nobody can explain, trace, or reproduce. OneTrust's 2025 AI-Ready Governance Report surveyed 1,250 governance-focused IT decision-makers and found that 90% of advanced AI adopters said AI exposed the limits of their siloed or manual processes. Even among organizations still experimenting, 63% reported the same strain.",[15,87,88],{},"The Cyberhaven Labs 2026 AI Adoption & Risk Report reinforces this: AI adoption is becoming fragmented, with the highest usage often occurring in environments with the least mature governance and visibility. The problem isn't AI — it's the absence of structured, governable logic underneath it.",[28,90],{},[10,92,94],{"id":93},"what-rules-as-a-managed-artifact-looks-like","What \"rules as a managed artifact\" looks like",[15,96,97],{},"The alternative is treating business rules with the same engineering discipline that we apply to code: versioned, tested, auditable, and owned by the people who understand the business logic.",[15,99,100],{},"This isn't a new idea. The Decision Model and Notation (DMN) standard — published by the Object Management Group (OMG) — has existed for years and is used for decision modeling in regulated environments including banking, insurance, and financial services. DMN defines a format for decision tables that are readable by business analysts, executable by machines, and versionable like any other artifact.",[15,102,103],{},"The practical difference:",[15,105,106,109],{},[49,107,108],{},"With rules in code:"," Business analyst writes a requirements document → Developer interprets it into code → Code reviewer checks syntax, not business logic → QA tests the feature, not the rule → Rule goes to production → Nobody can trace which rule produced which outcome.",[15,111,112,115],{},[49,113,114],{},"With rules as managed artifacts:"," Business analyst writes or edits the rule directly in a decision table → Test suite runs automatically → Rule is versioned with author, timestamp, and diff → Rule deploys → Every decision in production traces back to a specific rule, a specific version, authored by a specific person.",[15,117,118],{},"The difference isn't just speed (McKinsey describes a case where this kind of analysis identified $200–300M in trackable benefits over 3–5 years). The difference is that the organization can answer the question: \"Why did the system do that?\" — with a precise, auditable answer.",[28,120],{},[10,122,124],{"id":123},"the-question-to-ask-yourself","The question to ask yourself",[15,126,127],{},"If someone on your team left tomorrow — the person who built the pricing logic, the approval workflow, the routing rules — could the rest of the team explain exactly how those rules work? Could they change a threshold without a code deployment? Could they show an auditor which rule, which version, with which conditions produced a specific outcome?",[15,129,130],{},"If the answer is no, you have business rule debt. And unlike code debt, nobody is tracking it.",{"title":132,"searchDepth":133,"depth":133,"links":134},"",3,[135,137,138,139,140],{"id":12,"depth":136,"text":13},2,{"id":32,"depth":136,"text":33},{"id":75,"depth":136,"text":76},{"id":93,"depth":136,"text":94},{"id":123,"depth":136,"text":124},"2026-02-27","Pricing logic, approval thresholds, routing conditions — scattered across code, spreadsheets, and institutional memory. The debt that no dashboard shows.",false,"md",{},true,"/blog/2026-02-27-business-rules-technical-debt",{"title":5,"description":142},"blog/2026-02-27-business-rules-technical-debt",[151,152],"business-rules","compliance","cw5qY8OhxlIxtuLgvT7xvJvjL82o27XgI-h3GYcYEV4",1772500485126]