In many organisations we have scanners for code, monitoring for systems, and multiple layers of controls and audit. But the business process itself is rarely checked for logical vulnerabilities before it goes live.
Processes like KYC onboarding, approvals, payments or compliance workflows are often designed in meetings and documented later. Over time more controls get added and monitoring improves, but the underlying process logic is rarely tested.
Which raises a simple question: can this process be bypassed?
I started experimenting with describing processes as state machines and running static checks on them. Things like reachability, missing review steps, irreversible actions without compensation, and similar structural issues.
The idea is to detect what you might call "business process vulnerabilities by design" before the process is deployed.
The page explains the concept and shows a small prototype. The prototype lets you describe a process as a state machine and run automated checks against rule sets (for example operational risk or resilience rules).
What I’m mainly trying to understand is whether this is actually a real problem in practice.
For people working in fintech, banking, risk or operations:
Do process bypasses or design gaps show up in real systems?
How are new processes usually reviewed before they go live?
Where do things tend to break down?
Paper: veilgovernance.com/research/missing-first-line-of-defence
burlakovlm•8h ago
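The kind of static check the post describes (reachability, a missing review step, an irreversible action without compensation), as an added example that is not the author's prototype or part of the original post. The KYC states, the `irreversible` attribute and the finding labels are all constructed for illustration.

```python
from collections import deque

# Constructed KYC onboarding process: (source, target, attributes).
TRANSITIONS = [
    ("submitted", "docs_collected", {}),
    ("docs_collected", "compliance_review", {}),
    ("compliance_review", "approved", {}),
    ("compliance_review", "rejected", {}),
    ("docs_collected", "approved", {"note": "fast track for low-risk customers"}),
    ("approved", "account_funded", {"irreversible": True}),
    ("manual_override", "approved", {}),
]
START = "submitted"

def reachable(transitions, start, blocked=frozenset()):
    """States reachable from start when the states in `blocked` are removed."""
    graph = {}
    for src, dst, _ in transitions:
        graph.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def check_process(transitions, start, protected, review):
    """Return a list of structural findings for the process definition."""
    findings = []
    states = {s for src, dst, _ in transitions for s in (src, dst)}
    # Bypass: protected state still reachable once the review state is removed.
    if protected in reachable(transitions, start, blocked={review}):
        findings.append(f"bypass: {protected} reachable without {review}")
    # Dead states: defined in the model but never reachable from the start.
    for s in sorted(states - reachable(transitions, start)):
        findings.append(f"unreachable: {s}")
    # Irreversible step whose target has no outgoing (compensating) transition.
    sources = {src for src, _, _ in transitions}
    for src, dst, attrs in transitions:
        if attrs.get("irreversible") and dst not in sources:
            findings.append(f"no-compensation: {src} -> {dst}")
    return findings

if __name__ == "__main__":
    for finding in check_process(TRANSITIONS, START, "approved", "compliance_review"):
        print(finding)
```

The fast-track edge is the design-time bypass: removing the review state from the graph and re-running reachability is enough to surface it before any code or monitoring exists.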