Governance Design · Security Operations · Design Systems · AI

Governing the system behind the system

How I reframed a usability request as a governance problem, and designed the infrastructure that lets the people closest to operations change the system safely, without going through engineering.

My Role

Sole Product Designer

Surfaces

Warden · Warden Mobile · Emergency App

Team

~40 people · Product + Engineering

Timeline

Feb 2026 – Present

Warden Global Security Operations Center: three operators monitoring real-time incident data across a wall of screens showing facility maps, active incidents, and analytics dashboards

Warden dark-mode interface showing the Super Admin configuration platform and incident management dashboard

The Platform

Security operations at global scale

Warden is Walmart's global security operations ecosystem, built across two surfaces: the Emergency App, a mobile tool for store-level staff to report incidents; and the Warden platform, a desktop system used by the Global Security Operations Center to monitor and coordinate response.

It follows a four-stage lifecycle: Facility (routine monitoring) → Watch Item (suspicious activity) → Incident (emergency response) → Event (multi-location coordination). What operators are asked, what's required, and what triggers a notification all change by stage.

Store manager at a Walmart location using the Emergency App to report an incident in real time

Store Managers · Emergency App

Report suspicious activity in real time
Request emergency assistance
Submit incident details from the field
No access to Warden platform content

Security operator at the Global Security Operations Center monitoring real-time camera feeds and incident data across multiple screens

Security Operators · Warden

Monitor cameras and incoming reports
Investigate and escalate incidents
Create Watch Items, Incidents, and Events
Coordinate emergency response

Super Admin user at a workstation configuring incident questionnaires and managing permissions in the Warden admin platform

Super Admins · Manual Process

Own questionnaire content and compliance rules
Coordinate changes across multiple approval layers
Rely on spreadsheets and meetings to track every update
No direct path to change the system they're accountable for

Incident lifecycle diagram showing four stages: Facility (routine monitoring), Watch Item (suspicious activity tracking), Incident (active emergency response), and Event (coordinated multi-location situation) — **Incident lifecycle:** a facility under routine monitoring escalates to a Watch Item when suspicious behavior is detected, then to an active Incident triggering emergency response, and to an Event when multiple locations are involved.

The Situation I Inherited

A platform that had outgrown its foundations

Warden was built fast. Growth from a handful of incident types to 72+ across 11 categories (more regions, more compliance requirements, and a designer transition along the way) left a system that had never been designed to be maintained at this scale. I joined in February 2026 as the sole designer on a ~40-person team, inheriting three surfaces and an open set of problems.

Operational Complexity

72+ incident types, 11+ categories, 80+ question categories, and a taxonomy still actively evolving. Regional requirements and compliance rules varied across the system with no unified logic.

UX Debt

The codebase mixed Material UI, Ant Design, and custom styling. Patterns were inconsistent across surfaces. A previous designer had built a Warden sub-system that improved usability, but adoption was partial and it had never been reconciled with Walmart's enterprise design standard.

Governance Bottleneck

Every questionnaire change (even minor ones) required a spreadsheet, multiple approval meetings, an engineering ticket, and a release cycle. Operational needs moved faster than the system could adapt.

Solo Coverage

As the only designer, I was simultaneously responsible for new feature design, design system alignment across three layers, and AI feature evaluation, with no design coverage handover from the previous designer.

Stakeholder Research

Three different problems. One root cause.

I interviewed three stakeholders with different vantage points: the Director of Operations, the Director of Security Operations who owned questionnaire content, and the Product Manager who bore the cost of every change request.

Rick

Director, Operations & Technology · GSOC

"When something changes operationally, we need to update the questionnaire quickly, but by the time a change reaches operators, the situation has already moved on."

Lizzy

Director, Security Operations · Content Owner

"I maintain a huge spreadsheet of questions, and every change requires reviews and approvals from multiple leaders before anything can go to engineering."

Mike

Product Manager · Warden Project

"Every questionnaire change becomes an engineering effort. We need to reduce the friction and manual work without creating compliance or data risks."

Cross-interview insight

Workflow ownership was trapped in spreadsheets, approvals, and release cycles. The people who understood what needed to change had no direct path to change it.

Discovery

The real problem was workflow governance, not the workflow itself

What looked like a UX problem was structural. A single questionnaire change followed this path: spreadsheet → approval meetings → engineering ticket → release cycle. Weeks, for what was essentially a content edit. Worse, a simple change had downstream effects on compliance reporting, dashboards, and notification subscriptions, none of which were visible to the person requesting it. That invisibility was the real problem.

Five-step pain pipeline: Content Change → Spreadsheet → Meetings → Engineering → Release, with callouts showing the costs at each step: slow updates, conflicting requirements, engineering dependency, operational overhead — **Pain pipeline:** mapping the content change process revealed friction at every step, and a gap between the speed at which operational needs changed and the speed at which the system could respond.

"Operational needs change fast, but our process doesn't." The result of a change pipeline that treated questionnaire content as code, not configuration

Opportunity

Moving workflow ownership closer to operations

The core opportunity: move the ability to change the questionnaire out of engineering and into operations, without compromising compliance or content integrity. Meaningful flexibility within real constraints: approvals still required, taxonomy still consolidating, compliance non-negotiable. The design challenge was finding that boundary.

0→1 Design

Designing the boundary between flexibility and governance

The central design question: what to allow, not just what to show. Phase 1 gave Super Admins four configurable dimensions: visibility (show/hide per question within an incident type), ordering (drag-to-reorder), requiredness (required vs. optional), and country rules (region-based question logic). Super Admins can also lock individual questions based on compliance or policy requirements, preventing users with lower access from making changes to those questions.

Every change is logged in a persistent audit trail: who changed what, when, and on which incident type. Auditability was a first-class requirement, surfaced at the bottom of the configuration view rather than buried in settings.

Super Admin configuration platform showing incident question management interface with controls for visibility toggle, drag-to-reorder, required/optional toggle, country/region selector, compliance locks, and audit trail. Phase 1 capabilities annotated, upcoming phases shown in sidebar. — **Super Admin configuration platform:** Phase 1 capabilities are annotated; deferred capabilities are visible in the sidebar to communicate the roadmap without creating premature expectations.

Conditional logic and the sub-question system

Beyond Phase 1, I prototyped a conditional logic model for future question authoring, where answering a question can trigger a relevant follow-up, constrained enough to keep unreviewed content out of compliance-sensitive workflows.

Conditional sub-question logic: administrators define which answers trigger follow-up questions, keeping the form concise while capturing the right detail when it matters.

Design Strategy

Earning trust before expanding capability

The most important decision was what not to build yet. Question creation, editing, and removal were excluded from Phase 1, not for technical reasons, but because the taxonomy was mid-consolidation, approval workflows weren't formalized, and premature authoring access would have created real compliance exposure. Phase 1 was designed to earn trust before expanding capability, with the roadmap communicated openly through the deferred-capabilities sidebar.

Phase 1 · Shipped

Show / hide questions per incident type
Drag-to-reorder question sequence
Toggle required vs. optional
Country and region rules
Compliance locks to restrict changes by lower-access users
Full audit trail with user, timestamp, and change record

Upcoming Phases

Create and edit questions
Remove questions from incident types
Sub-question and conditional logic authoring
Incident type and category management
Historical versioning and change rollback
AI-assisted configuration

Full authoring from day one

Allow Super Admins to create, edit, and remove questions immediately. Maximum flexibility, but the taxonomy was mid-consolidation, approval processes weren't established, and question changes cascade into compliance reports, dashboards, and subscription logic.

Configuration-first, authoring later

Phase 1 introduces meaningful operational control (visibility, ordering, requiredness) while deferring authoring until governance structures mature. Builds trust and adoption before expanding capability. A question's content stays stable; only its behavior is configurable.

Design Governance

Aligning three sources of truth simultaneously

I inherited three overlapping design system layers: a live product built on mixed Material UI and Ant Design; a Warden UX sub-system built by the previous designer (dark-mode-optimized, partially adopted); and Walmart's LD 3.5, a new company-wide standard whose dark mode components were still in progress. I audited inconsistencies between the live product and the sub-system, aligned new work to LD 3.5 where possible, and documented Warden-specific patterns for formal LD 3.5 review, so they could enter the backlog rather than remain one-off implementations.

Current product UI showing the live Warden incident list with legacy dark-mode components built from mixed Material UI and Ant Design libraries — **Current product reality:** legacy implementation with fragmented component libraries and inconsistent patterns

Warden UX sub-system built by the previous designer, showing improved dark-mode components and more consistent interaction patterns — **Warden UX sub-system:** dark-mode patterns built by the previous designer, partially adopted in engineering

Walmart LD 3.5 design system component documentation showing dark mode components marked as work-in-progress and not yet available — **Walmart LD 3.5:** required enterprise standard with dark mode components still in progress at time of this work

Three evolving systems, each at a different level of completeness and dark-mode readiness, all requiring alignment at the same time.

Scope Beyond the Platform

Evaluating AI in high-stakes workflows

As the sole designer, I was also responsible for evaluating two AI features that had already been built. The features existed, but the interaction model hadn't been validated for the accountability risks specific to a security operations context. My discovery work focused on understanding where the current flows created trust gaps, and defining the guardrails needed before operators could rely on AI output in time-sensitive situations.

AI-assisted incident reporting

Store managers in the field can't always stop to fill out a form. The AI reporting flow lets them describe the situation in plain language and pre-populates the incident form from that narrative. The AI presents its output as a draft (every field editable, ambiguities flagged for human confirmation, and a persistent note reminding operators to verify before submitting). The AI never submits on their behalf.

AI-assisted incident summary

Operators managing high volumes of concurrent incidents can tap to surface a one-paragraph AI summary of any open report, enough to assess severity and act, without reading through a full questionnaire response. Always on demand, never auto-shown.

AI Incident Agent chat interface showing a narrative incident report submitted by a store manager, with the AI asking a disambiguation question about which 'Maria' is the reporter, showing three options by name and employee ID — **Disambiguation checkpoint:** when the AI is uncertain, it surfaces the ambiguity for human resolution rather than guessing. The human confirms before the system proceeds.

AI Incident Agent interface alongside a pre-populated incident form showing extracted fields: incident type 'Person with a gun', category 'Threat', location 'Front Parking Lot', severity 'Critical'. All fields are editable before submission. — **Human-editable draft:** the AI generates a structured form pre-fill, presented as a draft. Every field is editable. The operator reviews and submits, and the AI never submits on their behalf.

Design Principle

AI assists documentation. Humans remain accountable. Every interaction pattern in the AI features (disambiguation prompts, editable drafts, explicit accuracy reminders) was designed to support this principle. The risk in a high-stakes workflow is not AI failing to extract data correctly. It's an operator trusting AI output they didn't verify.

Impact

What was delivered, and what comes next

Phase 1 was handed off to engineering at launch-ready fidelity, with annotated specs and implementation support through the build. The governance framework and interaction model it established will carry forward into subsequent phases.

0→1

Super Admin configuration platform, no comparable tooling existed before this project

surfaces aligned under a unified governance and design system strategy for the first time

∞→1

design system layers reduced to a single documented alignment strategy with LD 3.5

Intended success measures (directional, not baselined): reduced engineering dependency for workflow changes, faster questionnaire updates, and stronger governance visibility through the audit trail.

Reflection

From designing screens to designing systems

The stated request was to improve usability. Research revealed that the inconsistencies, the slow workflows, the frustrated operators all traced back to a governance bottleneck that UI refinement couldn't fix. That reframe changed the scope, the stakeholders, and what "done" meant.

I'd push for instrumentation from day one. There was almost no baseline data: how long changes took, how often operators hit irrelevant questions. Measurement as a first-class requirement would have made Phase 1 success criteria far more concrete.
The design system work deserved earlier ownership alignment. The three-layer challenge (product → sub-system → LD 3.5) was complex, but some of that complexity was avoidable ambiguity about who owned each layer. Brokering that earlier would have reduced a lot of reactive navigation.
The most valuable outcome was the governance framework itself: a clear boundary between what's configurable and what requires engineering, an audit trail as an accountability mechanism, and a phased model that builds trust before expanding authority. That's the infrastructure that makes the platform improvable over time.

Governance Design Security Operations 0→1 Platform Design Systems AI-Assisted UX Enterprise SaaS

Next project

Related work

Visitor Check-in Experience

How I unified Walmart's campus visitor check-in from twelve isolated, inaccessible systems into a single accessible service across every US and India campus.