The One-Person Problem: How Tribal Knowledge Becomes Your Biggest Liability

03/07/2026

Test Gadget Preview Image

Every organization has that person.

The one who knows where all the passwords live. The one who remembers why that integration works the way it does. The one who can fix the thing that breaks every third Tuesday.

When they’re out sick, things slow down. When they leave, things collapse.

That’s not expertise. That’s a single point of failure wearing a badge.

I see this pattern constantly. A company looks stable on the surface. Systems run. Users get support. Leadership feels confident. But underneath, everything depends on institutional memory locked inside one person’s head.

The problem isn’t the person. It’s the design.

When critical knowledge lives in someone’s brain instead of in your systems, you’re not building infrastructure. You’re building risk.

The Bus Factor: A Metric That Measures Fragility

There’s a term for this in software development: the bus factor.

It measures how many people on your team could suddenly disappear before your project fails. If your bus factor is one, you have a single point of failure. If it’s two, you’re only slightly better off.

Studies of 133 popular GitHub projects found that 65% have a bus factor of 2 or less. Less than 10% have a bus factor greater than 10.

That means most organizations are dangerously dependent on just one or two people.

In IT operations, this shows up everywhere:

  • Only one person knows the admin credentials for critical systems

  • Access changes require a specific technician who “knows how it’s set up”

  • Integrations work because someone manually monitors them every night

  • Security policies exist on paper but enforcement lives in someone’s routine

When that person is unavailable, the organization doesn’t just slow down. It becomes blind to risk.

What Tribal Knowledge Actually Costs

The financial impact of this problem is staggering.

Companies lose $31.5 billion annually due to poor knowledge sharing. For a company with 1,000 employees, that translates to roughly $2.4 million in lost productivity per year. For an organization with 30,000 employees, the number jumps to $72 million.

But the real cost isn’t just productivity.

Research shows that an average of 42% of the expertise and skills an employee performs are only known to them. When they leave, new hires have to learn those skills from scratch. There’s no documentation. No process. No transfer.

Replacing that knowledge can cost up to 213% of an individual’s salary because it takes up to two years to get a new hire to the same level of efficiency.

I saw this play out with a client where everything flowed through a single CTO who was managing both product development and IT operations.

On paper, they had IT support through a large national MSP. In reality, that MSP was reactive and didn’t enforce standards. Over time, the CTO became the safety net for everything: access, vendors, systems, security, decisions.

The first thing that broke wasn’t a server. It was capacity.

He couldn’t keep up with both worlds. Product work slowed. IT decisions were delayed. Issues piled up. Leadership realized they were one resignation away from operational failure.

When we started untangling the environment, we found:

  • Widespread shared accounts

  • No enforced single sign-on or multi-factor authentication

  • No clear ownership of applications

  • No approval process for new tools

  • No consistent identity or access model

Everyone “had access,” but no one really knew who owned what. It worked until it didn’t.

The Warning Signs You’re Already Dependent

Tribal knowledge doesn’t announce itself. It accumulates quietly until it becomes critical.

Here are the patterns that tell you it’s already a problem:

People say “Only [Name] knows how to do that.”

If you hear this phrase regularly, you have a documentation problem. When specific tasks or systems are tied to individual names, you’re operating on memory instead of process.

Onboarding takes forever and feels chaotic.

New employees should be able to get up to speed using documented systems and clear workflows. If onboarding requires shadowing specific people for weeks, your knowledge isn’t institutionalized.

Support requests get routed to individuals, not systems.

When users bypass your ticketing system to email specific technicians directly, it means those technicians hold knowledge that isn’t accessible anywhere else.

Changes only happen when certain people are available.

If vacations, sick days, or turnover create noticeable disruption, stability lives in people’s heads instead of in your infrastructure.

Documentation is always “in progress.”

If your team is constantly planning to document things but never finishing, it’s because the environment is too chaotic to document. That chaos is usually caused by accumulated tribal knowledge.

How Tribal Knowledge Creates Security Risk

The 2014 Heartbleed vulnerability in OpenSSL showed exactly what happens when critical infrastructure depends on too few people.

A severe memory leak bug persisted undetected for over two years because the project had a low bus factor. Only a handful of developers were maintaining the code. Patches were delayed. The vulnerability enabled potential data theft across millions of internet-connected systems.

That’s not just an open-source problem. It’s a design problem.

When knowledge is concentrated in one person:

  • Security reviews become inconsistent

  • Access controls drift over time

  • Incidents take longer to detect and resolve

  • Compliance evidence becomes harder to produce

  • Risk accumulates invisibly

I’ve seen environments where reporting, backups, integrations, and access management were all being handled manually by one senior person. Every night, every weekend, they were checking jobs, fixing sync issues, re-running failed processes, and cleaning up access problems before anyone noticed.

From the outside, leadership thought things were running smoothly. No major outages. No headlines. No obvious failures.

But that stability was artificial. It existed only because one person was absorbing the system’s design flaws with their time and energy.

When that person eventually stepped back, multiple systems failed within weeks. Not because anything changed, but because the hidden safety net disappeared.

How to Systematically Remove Tribal Knowledge

Eliminating tribal knowledge isn’t about documenting everything. It’s about designing systems that don’t require heroics to function.

Here’s how we approach it:

1. Standardize the Foundation

Your uniqueness should live in how you serve customers and build products. Not in how passwords, laptops, and permissions are handled.

We start by standardizing core infrastructure:

  • Identity: Centralize authentication in a single identity provider with enforced MFA

  • Devices: Manage all endpoints through a consistent MDM platform

  • Access: Implement role-based access control with clear approval workflows

  • Applications: Define ownership and scoped permissions for every system

  • Security: Build conditional access policies that enforce compliance automatically

With one client, we standardized around core “pillar” systems like Microsoft 365, Zoom, and Salesforce. We centralized identity in Entra. We enforced a real password manager. We built an actual application approval and ownership process.

As part of that cleanup, we eliminated redundant tools and shadow IT. Annual software spend dropped by $40,000.

Within a few months, the environment felt completely different. Less panic. More confidence. Predictable onboarding. And the CTO could focus on building the product instead of being the emergency backstop for the entire company.

2. Build Systems That Generate Evidence Automatically

Real governance produces artifacts as a byproduct of normal operations.

If compliance requires people to remember to document, it’s fragile. If compliance is embedded in workflows, evidence is unavoidable.

For example, access reviews should happen inside your identity system. Managers approve access through managed processes. Those approvals are logged automatically. Removals are timestamped. Exceptions are tracked.

When an auditor asks for evidence, you export it. You don’t assemble it.

The same applies to:

  • Device compliance reports from MDM

  • MFA enforcement logs from identity providers

  • Conditional access evaluation records

  • Audit trails from ticketing and change systems

When governance is designed into the platform, tribal knowledge becomes irrelevant. The system documents itself.

3. Assign Real Ownership to Every System

Before implementing any new tool or platform, I ask three questions:

Who owns this long-term?

Not who requested it. Not who’s excited about it. Who is responsible for this system six months from now when something breaks, when access needs to change, when compliance questions come up.

If no one can clearly answer that, the technology isn’t the problem yet. The accountability gap is.

What problem are we actually solving?

If we can’t tie the system to a specific, measurable business outcome, it’s going to become shelfware or shadow IT.

What are we willing to standardize or change to support this?

Every new platform introduces structure around access, workflows, security, and support. If the organization isn’t willing to adjust behavior to fit that structure, the implementation will fail no matter how good the tool is.

Those three questions stop bad decisions before they become expensive ones.

4. Automate What Others Do Manually

When we mapped out one client’s environment, we realized critical processes weren’t automated:

  • No reliable alerts

  • Failures were discovered manually

  • Backups weren’t consistently verified

  • Access reviews happened in someone’s head

Fixing it required redesigning workflows, rebuilding monitoring, documenting systems, and reworking access controls. It took months and cost far more than if it had been done correctly upfront.

But once automation was in place, the environment stopped requiring constant attention. Support effort dropped by 40–60% in core IT workflows. Onboarding went from 3–5 hours of hands-on work to 30–60 minutes, much of it automated.

The organization didn’t just move faster. It became calmer.

5. Make Knowledge Transfer Continuous, Not Episodic

Documentation shouldn’t be a project. It should be a byproduct of how you work.

We build documentation into workflows:

  • Every change includes updated runbooks

  • Every incident includes root cause analysis

  • Every system includes architecture diagrams and ownership records

  • Every process includes step-by-step procedures

When documentation is continuous, it stays current. When it’s episodic, it becomes outdated the moment it’s finished.

What Changes When You Eliminate Tribal Knowledge

The shift from “everything is custom” to “the foundation is standard” creates measurable capacity.

Support effort stops scaling linearly with headcount. New users, devices, and applications no longer add friction. Onboarding becomes predictable. Issues get resolved from known patterns instead of requiring investigation.

But the bigger gain is cognitive capacity.

In custom-heavy environments, IT spends most of its time remembering how things work. In standardized environments, they spend time improving how things work.

Leaders stop asking “Who knows how this works?” and start asking “How do we optimize this?”

You also see measurable changes in:

  • Incident frequency: Fewer recurring issues

  • Mean time to resolution: Often cut in half

  • Change failure rates: Significantly lower

  • Shadow IT: Reduced because approved systems are easier to use

The organization doesn’t just become more efficient. It becomes more resilient.

The Real Question

Here’s what I ask leaders who recognize this pattern in their own organizations:

If your most knowledgeable person left tomorrow, how long would it take before something critical broke?

If the answer is “days” or “weeks,” you don’t have an IT problem. You have a design problem.

Tribal knowledge feels like stability until the person holding it is gone. Then it reveals itself as the liability it always was.

You can keep depending on heroics. Or you can build systems that don’t require them.

The choice determines whether your IT scales or collapses under its own weight.

Share