Governance Design · Security Operations · Design Systems · AI

Governing the system behind the system

How I reframed a usability request as a governance problem, and designed the infrastructure that lets the people closest to operations change the system safely, without going through engineering.

My Role
Sole Product Designer
Surfaces
Warden · Warden Mobile · Emergency App
Team
22 people · Product Manager · Tech Lead · Engineering
Timeline
Feb 2026 – Present
Warden Global Security Operations Center: three operators monitoring real-time incident data across a wall of screens showing facility maps, active incidents, and analytics dashboards Warden dark-mode interface showing the Super Admin configuration platform and incident management dashboard

Security operations at global scale

Warden is Walmart's global security operations ecosystem, built across two surfaces: the Emergency App, a mobile tool for store-level staff to report incidents; and the Warden platform, a desktop system used by the Global Security Operations Center to monitor and coordinate response.

It follows a four-stage lifecycle: Facility (routine monitoring) → Watch Item (suspicious activity) → Incident (emergency response) → Event (multi-location coordination). What operators are asked, what's required, and what triggers a notification all change by stage.

Store manager at a Walmart location using the Emergency App to report an incident in real time

Store Managers · Emergency App

  • Report suspicious activity in real time
  • Request emergency assistance
  • Submit incident details from the field
  • No access to Warden platform content
Security operator at the Global Security Operations Center monitoring real-time camera feeds and incident data across multiple screens

Security Operators · Warden

  • Monitor cameras and incoming reports
  • Investigate and escalate incidents
  • Create Watch Items, Incidents, and Events
  • Coordinate emergency response
Super Admin user at a workstation configuring incident questionnaires and managing permissions in the Warden admin platform

Super Admins · Manual Process

  • Own questionnaire content and compliance rules
  • Coordinate changes across multiple approval layers
  • Rely on spreadsheets and meetings to track every update
  • No direct path to change the system they're accountable for
Incident lifecycle diagram showing four stages: Facility (routine monitoring), Watch Item (suspicious activity tracking), Incident (active emergency response), and Event (coordinated multi-location situation)
Incident lifecycle: a facility under routine monitoring escalates to a Watch Item when suspicious behavior is detected, then to an active Incident triggering emergency response, and to an Event when multiple locations are involved.

A platform that had outgrown its foundations

Warden was built fast. Growth from a handful of incident types to 72+ across 11 categories (more regions, more compliance requirements, and a designer transition along the way) left a system that had never been designed to be maintained at this scale. I joined in February 2026 as the sole designer, embedded in a 22-person team: 5 business stakeholders, 1 product manager, 1 tech lead, and developers across features.

Operational Complexity

72+ incident types across 11 categories and an evolving taxonomy, with regional and compliance rules that varied with no unified logic.

UX Debt

Material UI, Ant Design, and custom styling mixed across surfaces. A previous designer's sub-system helped but was only partly adopted and never reconciled with the enterprise standard.

Governance Bottleneck

Every questionnaire change needed a spreadsheet, approval meetings, an engineering ticket, and a release cycle. Operational needs outpaced the system.

Solo Coverage

As the only designer, I covered new feature design, design-system alignment across three layers, and AI evaluation, with no handover from the previous designer.


Three different problems. One root cause.

I interviewed three stakeholders with different vantage points: the Director of Operations, the Director of Security Operations who owned questionnaire content, and the Product Manager who bore the cost of every change request.

Rick, Director of Operations and Technology at the Global Security Operations Center
Rick
Director, Operations & Technology · GSOC
"When something changes operationally, we need to update the questionnaire quickly, but by the time a change reaches operators, the situation has already moved on."
Lizzy, Director of Security Operations and questionnaire content owner
Lizzy
Director, Security Operations · Content Owner
"I maintain a huge spreadsheet of questions, and every change requires reviews and approvals from multiple leaders before anything can go to engineering."
Mike, Product Manager for the Warden project
Mike
Product Manager · Warden Project
"Every questionnaire change becomes an engineering effort. We need to reduce the friction and manual work without creating compliance or data risks."
Cross-interview insight

Workflow ownership was trapped in spreadsheets, approvals, and release cycles. The people who understood what needed to change had no direct path to change it.


The real problem was workflow governance, not the workflow itself

What looked like a UX problem was structural. The deeper issue was invisible: a simple content edit had downstream effects on compliance reporting, dashboards, and notification subscriptions, none of which were visible to the person requesting the change.

Five-step pain pipeline: Content Change → Spreadsheet → Meetings → Engineering → Release, with callouts showing the costs at each step: slow updates, conflicting requirements, engineering dependency, operational overhead
Pain pipeline: mapping the content change process revealed friction at every step, and a gap between the speed at which operational needs changed and the speed at which the system could respond.

Designing the boundary between flexibility and governance

The opportunity was to move the ability to change the questionnaire out of engineering and into operations, without compromising compliance or content integrity. That made the central design question what to allow, not just what to show. Phase 1 gave Super Admins four configurable dimensions, held inside two governance guardrails.

Visibility
Show or hide each question within an incident type
Ordering
Drag to reorder the question sequence
Requiredness
Toggle each question required or optional
Country rules
Apply region-based question logic
Compliance locks
Super Admins lock individual questions, preventing lower-access users from changing them.
Audit trail
Every change is logged, who, what, when, surfaced in the configuration view, not buried in settings.
Super Admin configuration platform showing incident question management interface with controls for visibility toggle, drag-to-reorder, required/optional toggle, country/region selector, compliance locks, and audit trail. Phase 1 capabilities annotated, upcoming phases shown in sidebar.
Super Admin configuration platform: Phase 1 capabilities are annotated; deferred capabilities are visible in the sidebar to communicate the roadmap without creating premature expectations.

Conditional logic and the sub-question system

Beyond Phase 1, I prototyped a conditional logic model for future question authoring, where answering a question can trigger a relevant follow-up, constrained enough to keep unreviewed content out of compliance-sensitive workflows.

QUESTION "Were emergency services notified?" Operator response Yes No SUB-QUESTION TRIGGERED "Who was notified?" 911 Fire Department EMS Medical Services Other (specify) No follow-up shown Flow continues normally CONFIGURED BY SUPER ADMIN Single-select · Multi-select · Free-text
Conditional sub-question logic: administrators define which answers trigger follow-up questions, keeping the form concise while capturing the right detail when it matters.

Earning trust before expanding capability

The most important decision was what not to build yet. Question creation, editing, and removal were excluded from Phase 1, not for technical reasons, but because the taxonomy was mid-consolidation, approval workflows weren't formalized, and premature authoring access would have created real compliance exposure. Phase 1 was designed to earn trust before expanding capability, with the roadmap communicated openly through the deferred-capabilities sidebar.

Phase 1 · Shipped
  • Show / hide questions per incident type
  • Drag-to-reorder question sequence
  • Toggle required vs. optional
  • Country and region rules
  • Compliance locks to restrict changes by lower-access users
  • Full audit trail with user, timestamp, and change record
Upcoming Phases
  • Create and edit questions
  • Remove questions from incident types
  • Sub-question and conditional logic authoring
  • Incident type and category management
  • Historical versioning and change rollback
  • AI-assisted configuration

Aligning three sources of truth simultaneously

I inherited three overlapping design system layers, each at a different level of maturity. I aligned new work to LD 3.5 where possible, and documented Warden-specific patterns for formal LD 3.5 review so they could enter the backlog rather than remain one-off implementations.

Live Product
What shipped
Mixed Material UI + Ant Design Inconsistent patterns
Warden Sub-system
Previous designer
Dark-mode optimized Partially adopted
Walmart LD 3.5
Enterprise standard
Company-wide, required Dark mode in progress
One alignment strategy, anchored to LD 3.5
Three evolving systems: a live product, a partially adopted sub-system, and the required enterprise standard, all aligned at once under a single LD 3.5 anchored strategy.
Current product UI showing the live Warden incident list with legacy dark-mode components built from mixed Material UI and Ant Design libraries
Current product reality: legacy implementation with fragmented component libraries and inconsistent patterns
Warden UX sub-system built by the previous designer, showing improved dark-mode components and more consistent interaction patterns
Warden UX sub-system: dark-mode patterns built by the previous designer, partially adopted in engineering
Walmart LD 3.5 design system component documentation showing dark mode components marked as work-in-progress and not yet available
Walmart LD 3.5: required enterprise standard with dark mode components still in progress at time of this work

Evaluating AI in high-stakes workflows

As the sole designer, I was also responsible for evaluating two AI features that had already been built. The features existed, but the interaction model hadn't been validated for the accountability risks specific to a security operations context. My discovery work focused on understanding where the current flows created trust gaps, and defining the guardrails needed before operators could rely on AI output in time-sensitive situations.

AI-assisted incident reporting

Store managers who can't stop to fill out a form describe the situation in plain language, and the AI pre-populates the incident form as an editable draft: ambiguities flagged for confirmation, never submitted on their behalf.

AI-assisted incident summary

Operators handling many concurrent incidents can tap to surface a one-paragraph summary of any open report, enough to assess severity and act without reading the full response. On demand, never auto-shown.

AI Incident Agent chat interface showing a narrative incident report submitted by a store manager, with the AI asking a disambiguation question about which 'Maria' is the reporter, showing three options by name and employee ID
Disambiguation checkpoint: when the AI is uncertain, it surfaces the ambiguity for human resolution rather than guessing. The human confirms before the system proceeds.
AI Incident Agent interface alongside a pre-populated incident form showing extracted fields: incident type 'Person with a gun', category 'Threat', location 'Front Parking Lot', severity 'Critical'. All fields are editable before submission.
Human-editable draft: the AI generates a structured form pre-fill, presented as a draft. Every field is editable. The operator reviews and submits, and the AI never submits on their behalf.
Design Principle

AI assists documentation. Humans remain accountable. Every interaction pattern in the AI features (disambiguation prompts, editable drafts, explicit accuracy reminders) was designed to support this principle. The risk in a high-stakes workflow is not AI failing to extract data correctly. It's an operator trusting AI output they didn't verify.


What was delivered, and what comes next

Phase 1 was handed off to engineering at launch-ready fidelity, with annotated specs and implementation support through the build. The governance framework and interaction model it established will carry forward into subsequent phases.

0→1
Super Admin configuration platform, no comparable tooling existed before this project
3
surfaces aligned under a unified governance and design system strategy for the first time
∞→1
design system layers reduced to a single documented alignment strategy with LD 3.5

Intended success measures (directional, not baselined): reduced engineering dependency for workflow changes, faster questionnaire updates, and stronger governance visibility through the audit trail.


From designing screens to designing systems

The stated request was to improve usability. Research revealed that the inconsistencies, the slow workflows, the frustrated operators all traced back to a governance bottleneck that UI refinement couldn't fix. That reframe changed the scope, the stakeholders, and what "done" meant.

  • I'd push for instrumentation from day one. There was almost no baseline data: how long changes took, how often operators hit irrelevant questions. Measurement as a first-class requirement would have made Phase 1 success criteria far more concrete.

  • The design system work deserved earlier ownership alignment. The three-layer challenge (product → sub-system → LD 3.5) was complex, but some of that complexity was avoidable ambiguity about who owned each layer. Brokering that earlier would have reduced a lot of reactive navigation.

  • The most valuable outcome was the governance framework itself: a clear boundary between what's configurable and what requires engineering, an audit trail as an accountability mechanism, and a phased model that builds trust before expanding authority. That's the infrastructure that makes the platform improvable over time.

Governance Design Security Operations 0→1 Platform Design Systems AI-Assisted UX Enterprise SaaS
Visitor Check-in Experience
Related work

Visitor Check-in Experience

How I unified Walmart's campus visitor check-in from twelve isolated, inaccessible systems into a single accessible service across every US and India campus.