There is a certain bleak poetry in a security audit. The word audit evokes clipboards, compliance spreadsheets, and the faint smell of burnt patience. But beneath the bureaucracy lies something far more interesting: an act of seeing.
A real audit, not compliance theatre, but the kind that leaves everyone quietly re-evaluating their life choices, is less about ticking boxes than about mapping the hidden currents that actually keep an organisation secure. Which is why it belongs not in the company of frameworks, but in the orbit of Virginia Satir, Eyal Weizman, and Trevor Paglen.
Satir gave us the seven A’s, a sequence for transforming human systems without pretending they are tidy. Weizman taught us that space remembers what people try to forget. Paglen photographs what power hides in plain sight. Together, they offer a way to audit not just systems, but the cultures that build and maintain them.
An audit, done properly, is less about documentation and more about anthropology with a clipboard. The seven A’s (Awareness, Acceptance, Acknowledgment, Allowing, Action, Assimilation, and Appreciation) provide a rhythm for this kind of inquiry. What follows is how that rhythm feels inside a real audit, where people are flawed, controls are fictional, and truth has to be coaxed out gently with tea and understatement.
The first uncomfortable gaze
Every audit begins in the dark. You are told, politely, that “we are fully compliant”. You nod, knowing this translates to we have a SharePoint folder of PDFs that say so.
Awareness, in Satir’s sense, is the first flicker of real light. It is noticing that the document management system is really a hope management system. It is spotting what is absent from the risk register: the whispered shortcuts, the heroic bypasses, the “temporary” admin accounts that have survived three reorganisations.
Like Weizman reading the negative space of a bombed building, awareness in an audit means learning to see through absence, to interpret what the silences say. And, as Paglen reminds us, it also means looking at what’s looking back, the cameras, dashboards, and “visibility tools” that surveil but never truly see.
Start with a map that isn’t a policy. Walk the corridors, both digital and human. Ask: “Where do people work around the system?” Watch their eyes, not their slides.
The art of not flinching
Once you’ve seen it, the next challenge is not to recoil. Acceptance is not approval; it’s the refusal to look away.
- You accept that the “policy framework” is really three PDFs and an oral tradition.
- You accept that the CISO sincerely believes phishing simulations are character development.
- You accept that the helpdesk runs on caffeine, gallows humour, and trauma bonding.
Paglen’s lens never shames; it witnesses. He doesn’t scold the satellite, he frames it, exposing its quiet menace in orbit. Acceptance is that same forensic composure: to see a flawed system clearly, without moral panic or managerial perfume.
Run a short debrief where the only rule is “no fixing yet”. Each sentence is to begin with “We see that…”. The silence afterwards is part of the work.
Naming the ghosts
Acknowledgment is where the real forensics begin. It means naming what everyone already knows but no one dares to document.
- You note that the VPN logs are “missing” because the logging was never switched on.
- You observe that the “segmented network” is a single joyous flatland of broadcast traffic.
- You gently inquire why the data retention policy reads like a prayer rather than a plan.
Each acknowledgment is an act of quiet rebellion, a refusal to participate in organisational gaslighting. Weizman would call this counter-forensics: turning the system’s own artefacts into evidence of its blind spots.
Put these ghosts on paper. Make them visible enough to be discussed, not just whispered about. Treat every absence as an artefact.
Making space for discomfort
Allowing is Satir’s most radical and least practised step. It is the pause between the finding and the fix, the silence where the truth lands.
Auditors rarely linger here. They rush to “remediation”. But genuine transformation demands a small mourning period. Allowing means sitting together in that collective “oh dear, it really is that bad” and letting it sting a little.
In architectural terms, it’s leaving the rubble exposed long enough to understand how the building fell. It’s what separates an ethical audit from a witch-hunt.
Delay the remediation meeting by a day. Let people digest. The next conversation will be slower, kinder, and far more useful.
Where the paperwork catches fire
Most frameworks begin here, mistaking motion for meaning. But without awareness, acceptance, acknowledgment, and allowing, your Action is just noise with a budget.
Real action looks more like reconstruction. You stop writing findings as commandments and start sketching interventions like Weizman mapping ruins: spatially, precisely, with respect for what still stands. You treat evidence as material, not ammunition.
Paglen’s influence returns here too: the move from secrecy to legibility. You take what was hidden and make it visible enough to be cared for, not just controlled.
When writing corrective plans, ask: which part of the system are we respecting by keeping this control alive? Then design accordingly.
The slow digestion of truth
Assimilation is what happens after the drama ends. It’s when new practices settle into muscle memory, and old excuses begin to sound ridiculous.
Most organisations fail here because they treat audits as exorcisms: “the ghosts are gone, we’ve passed”. Assimilation says otherwise. The ghosts have simply been renamed “lessons learned”. They now share an office with you.
The true sign of assimilation is when people keep talking about what they learned, not because compliance demands it, but because it still matters.
Six months later, listen. Are people still referencing the audit unprompted? That’s cultural digestion, not compliance theatre.
The strange grace of the honest map
Finally, Appreciation. Not the smug “we passed the audit” variety, but a quieter gratitude for visibility itself.
The audit is not punishment; it is a mirror. It shows the organisation its shape, its fractures, its improvisations, its accidental brilliance. Satir’s appreciation restores empathy; Weizman’s restores memory; Paglen’s restores vision.
To appreciate is to understand that compliance and consciousness are, occasionally, the same thing.
End the audit not with a summary, but a thank-you, to the people who revealed, not concealed. Visibility deserves appreciation.
The ruins of “best practice”
The seven A’s do not replace the audit process. They humanise it. They remind us that behind every nonconformity is a story, behind every evidence trail a set of choices, and behind every “best practice” an architecture of power.
Each A counters a familiar pathology: Awareness against denial, Acceptance against defensiveness, Acknowledgment against pretence, Allowing against panic, Action against noise, Assimilation against amnesia, and Appreciation against arrogance.
“Best practice” was always a mirage, the fantasy that control could outwit complexity. The seven A’s offer something humbler and truer: a blueprint for awareness inside bureaucracy. They remind us that security is not achieved through ritual obedience but through the courage to look, name, and stay present.
Whether you draw on Weizman’s forensic poetics, Satir’s radical empathy, and Paglen’s covert cartography, or on something else entirely, the point stands: a true audit is an x-ray, not a checklist. It reveals, and in that exposure, awkward, forensic, sometimes darkly funny, lies the only kind of security worth having: the kind that knows what it looks like when it breaks.