Compliance is behaviour, not information
Why more information does not build the behaviour we want
There is a good line from Derek Sivers: if more information was the answer, we would all be billionaires with perfect abs. We know what we are supposed to do. We just do not do it. And yet the whole field of compliance is built on the opposite assumption: that if people just got the information one more time, more thoroughly, with more detail, they would do the right thing. This is the story of why that is not true, and what works instead.
Take compliance completely seriously for a moment
What is compliance, really? If we take it literally, it is something people do. Remembering to lock the door. Not sending a file to the wrong person. Saying it out loud when a data breach happens anyway. It is behaviour, every single time. It is not something people know, it is something they do, often under time pressure, often in the middle of everything else.
But look at how compliance gets made in practice. It is treated as information. The policy has to include every detail. The course has to cover every exception. There is almost a negotiation to get every last nuance in, because otherwise you are not "covered". The result is a document or an e-learning module that is complete and legally watertight, and that changes nobody's behaviour.
I have built this kind of training for many years. I know when it does not work, because I have built it. And the point is not that people are lazy or unwilling. Most people genuinely want to do the right thing. The point is that we are talking to them in a way that cannot build the behaviour, and then we wonder why the behaviour does not show up.
The false chain
The assumption underneath all of this can be drawn as a chain with three links:
Information → Learning → Behaviour
Give people the information, then they learn it, and then they do it. It sounds obvious. But there are two weak links in that chain, and they are weak independently of each other.
The first weak link: information does not automatically turn into learning. Having read the notes is not the same as being able to do the thing. Anyone who has ever been handed 200 pages before a meeting knows this. The second weak link is even more important: learning does not automatically turn into behaviour. You can know exactly what you should do and still not do it, because something in the situation itself pulls the other way. Learning is actually the longest road to behaviour.
So the whole chain rests on two jumps that do not happen on their own. And when we do the thing we always do, namely push more information in at the top, we do not make the jumps easier. We make them heavier.
Why it is like this, and not just bad luck
This is where friction theory comes in, and where it does something most compliance books cannot: it explains why more information works against behaviour, right down to the mechanics. If you want the pictures behind it, they are on the water page. In short:
Behaviour is a won route, not a stored rule. When you are standing at the door under time pressure, a little race is running inside you between several possible actions. The action with the deepest groove, the one you have done the most times, wins the race. The written policy is not even in the race, unless it has had time to become a groove. You do not act on what the manual says. You act on whichever route is dug the deepest.
More detail means more competing routes, and that makes the groove harder to dig. This is the important part, and it is counterintuitive. When a policy tries to cover every nuance, it presents the brain with many routes at once. It is the widest, most divided input there is. And that exact input gets encoded the worst and is the least likely to win the race when it counts. So the negotiation about "getting all the detail in" optimises the very variable that destroys the encoding. This is where the theory turns intuition on its head. We think we are being more thorough; we are making it weaker.
"Do not do X" switches X on. To understand a prohibition, you have to picture the action. A compliance text that describes everything forbidden in detail actually raises the activation of exactly those forbidden routes. We have measured it directly in language models: instructions that say "never do X" make X more likely, not less. A prohibition stated positively, that is, "do Y instead", works better, because it builds the route you actually want.
"Compliance as written" is a state that cannot exist. The perfectly followed policy assumes a being that is 100% rational and has unlimited time and capacity in every moment. Daniel Kahneman calls that being an "econ", as opposed to a human. It does not exist. It is like a vacuum: an ideal state you can calculate with, but not stand inside. Under real pressure the race is settled faster, and then the deepest-grooved route wins even more clearly. The greater the pressure, the further from the ideal. This is not human weakness. It is physics.
Add the four things together and you get a result there is no way around: an exhaustive, detail-heavy, prohibition-worded compliance text is not merely ineffective. It actively works against the behaviour it is supposed to create. It optimises the wrong thing.
What actually works
If behaviour is a route that has to be dug, the recipe almost follows on its own. It is not about more information. It is about three other things:
Build the route. Make a short behaviour-recipe instead of a long manual. Few actions, clearly stated, repeated over time with a little variation each time, so the groove gets wide enough to win under pressure. It is the same mechanic as when you learn something: a little resistance along the way sticks deeper than a smooth read-through. You can see it laid out under learning and memory.
Lower the pressure where the action happens. Most compliance work happens far from the situation itself, in a course months earlier. But the race is settled in the moment. A small aid right at hand, in the moment the decision is made, beats a thorough course given in advance. That is the whole point of Atul Gawande's checklist: it works not because it contains the most information, but because it is short, situated, and triggers one specific route exactly when it is needed.
Remove the competing routes. Kurt Lewin said it long ago: if you want to move behaviour, remove the barriers instead of turning up the driving force. If the right thing is awkward and the wrong thing is easy, the right thing loses the race no matter how much you inform. BJ Fogg gathers it into a simple formula: behaviour happens when motivation, ability and a trigger meet at the same time. Information only touches the first link, and the weakest one.
The false checkbox
Here it gets sharp. Today the sender of a compliance initiative can tick a box and call themselves compliant, regardless of whether the behaviour changes. The course is delivered, the receipt is filed, the rule is published. But the route is not built. From the e-learning side I call it "learning theatre": we just pretend learning is happening. In the compliance world the equivalent is "compliance theatre". It is the same phenomenon seen from two professions: an initiative that looks as if it creates the behaviour, put into the world so the sender can document that it was delivered, but that mechanically cannot build the route.
Friction theory turns that accusation into a measurement. "This does not work" is otherwise just a feeling, and feelings can be argued about. But once we can say why it does not work, because it speaks to an ideal route that cannot be instantiated, because it is the widest and worst-encoded input, because it switches the forbidden routes on, then "theatre" becomes something you can test. A checkbox is not compliance if the behaviour it was supposed to create mechanically cannot be built by it. That is a claim with teeth, and it is one you can disprove if it is wrong.
A case: welfare technology in a local council
A concrete example I have seen up close. A council wants to get more welfare technology out into care work. The decision is: make a course for the managers, and the managers will get the staff to use the technology. It fails, and it fails predictably.
The managers are not teachers, and many of them are not interested in the technology themselves. For them it creates friction, it does not solve it. So the chain "information → managers → staff" leaks at every link. But the deeper problem is a misdiagnosis. The whole rollout treats it as a competence problem: the staff lack a skill, so we give them a course. It is most likely a meaning problem. Care staff chose the job for the contact with people, and the technology reduces exactly that contact. On top of that there is often an insecurity: do I feel threatened, will I become redundant? A course in the buttons touches neither of those two things.
This is where the behavioural part of the theory gives you a tool. It points to four fields a barrier can sit in: security, meaning, ability and effort. An initiative that assumes an ability problem and delivers a course, while the real barrier is meaning and security, solves the wrong friction. It is not just "the course was bad". It is a systematic error in which field you think the problem sits. And it explains why so many well-meant rollouts end in nothing: they carefully address the field where the problem is not.
The big new application: when an AI has to be compliant
Companies are handing more and more work to artificial intelligence, and often precisely in the regulated areas where compliance matters. And then the question arises: how do you instruct that AI? The first thing everyone does is pour the whole policy into the system's instructions. "Now it is covered."
That is exactly the same mistake, just one layer up. Putting the whole manual into the system instruction is handing it to working memory, not building a route. It gives the illusion of compliance without the lasting groove. We have shown on language models that putting information in the context is not the same as having learned it. Under long or hostile context, which is the pressure version for a model, the manual-in-the-prompt degrades, and the deepest-trained route wins, not the one written in the instruction.
When the one who has to be compliant is a human, the transfer from language model to organisation is a claim that has to be tested. But when the compliant party is itself a language model, it is no longer an analogy. It is the direct mechanism, on the same substrate. The full-manual-in-the-prompt is the widest input. "Never do X" raises X. What works is training the behaviour in, varied and in context, not dumping the rulebook once. It is measurable on the models we already run. And the prediction follows: the more exhaustive you make the AI's compliance instruction, the less robust its actual behaviour becomes under pressure. The human error reproduces itself at the AI layer, and this time we can measure it directly.
If you want to see the free signal we measure in the models, it is here: Friction-Guided Inference.
What it means for the profession
Compliance today is largely a legal field, and the governing assumption is: if it is written down, people do it. That is exactly the assumption everything above contradicts. The lawyer optimises for the rule being covered, that is, written, published and signed off, not for the route being built.
If the point here holds, a consequence follows for the profession: working with compliance is fundamentally a teaching job and a behaviour-design job. It is about listening to what people actually do, hearing where the real problem sits, and helping build the new route. Not phrasing the exhaustive rule even more precisely. That is also why the safety researcher Erik Hollnagel points the same way with his distinction between work-as-imagined and work-as-done: if you want to get hold of reality, you have to start in what people actually do, not in the procedure. Friction theory supplies the mechanics under his observation. Work-as-imagined does not fail by accident. It is the ideal route the substrate can never win a race on under pressure.
So the conclusion is not "compliance departments are doing it wrong". It is more precise than that: compliance is a learning job, and we have set it up and staffed it as a legal job. That is why it produces theatre.
How certain is this?
Let me be honest about what is what. This is a mechanism and an invitation to test it, not a finished study and not advice about what a particular department should do tomorrow. The measured evidence is on the language-model substrate: that information in the context is not the same as information that has been learned, that variation beats repetition, that prohibitions switch the forbidden route on. Those findings are real, and they can be looked up. The transfer to people and organisations is the part that still has to prove out. That is the falsifiable claim, not a settled truth.
It also means there are clear things you can test. Does a short behaviour-recipe give better actual compliance than a full manual, measured on behaviour and not on a quiz? Does the gap between procedure and practice grow with pressure? Does pure information without route-building move behaviour at all? If the answers are no, no and no, the framework is wrong, and then it should fall. I think it holds, but it is a belief you can put to the test, and that is the whole point.
There is a full paper on the way about this, where the mechanism and the testable predictions will be laid out properly. This page is the idea in short form.