Visibility Is Valuable Until Customers Need to Move

One thing I have spent a lot of time thinking about while working on security experiences is how products evolve from surfacing information toward helping customers take action. At first glance, this seems straightforward. If customers understand the problem, the natural next step is helping them fix it.

In practice, it feels much more complicated.

Many products begin with visibility because visibility itself creates value. Customers discover assets they did not know existed, understand relationships they previously could not see, or identify risks that were previously hidden. Simply surfacing this information can already create meaningful outcomes because customers cannot protect what they do not understand.

What I find interesting is that visibility alone rarely feels sufficient for long.

Eventually customers want to know what matters, what they should prioritize, and what they should do next. This naturally pushes experiences toward recommendations, remediation workflows, and increasingly, automation.

What makes this progression difficult is that action depends heavily on trust.

I remember repeatedly hearing questions around why experiences could not simply become one-click. If the product already understands the problem, why not automatically recommend the solution or even perform the action itself?

The difficult part is that customers do not automatically trust recommendations simply because recommendations exist. Customers trust recommendations when they trust the underlying signals.

When surfaced data feels incomplete, relationships feel inaccurate, inventory feels noisy, or findings feel disconnected from reality, customers become skeptical long before remediation enters the conversation. In many cases, the bigger nightmare is when recommendations stop feeling like recommendations and start feeling like vehicles for driving usage or pushing deeper adoption. Customers are not naive. They can immediately tell when a recommendation exists primarily to promote a feature, encourage expansion, or steer behavior rather than genuinely help solve a problem. That kind of recommendation does not build trust. It destroys it. In some cases, introducing recommendations too early can make this skepticism worse because the product begins asking customers to trust actions before trust itself has been established.

This is partly why I keep coming back to the Subtraction Playbook — sometimes the most credible thing a product can do is refuse to recommend, refuse to score, refuse to nudge, until the underlying picture is honest enough to earn the right.

One-click action also becomes difficult when the change is not truly reversible. Rollback cannot simply mean deleting a policy and assuming the environment is restored. A real rollback means returning the customer to a state where the action was never taken, including the downstream effects that action may have triggered. That kind of rollback mechanism is expensive, technically complex, and not always available in security products. It is also the reason I keep writing the same eight-second window into every queue I work on — the argument lives in the Reversible Queue Playbook, and it is the rule I defend hardest in review. Without genuine reversibility, every “act” button is a small contract the product cannot back.

This is where the desire for one-click remediation often meets reality. Leadership may want the simplicity of a single action, but customers need confidence that the action is accurate, safe, explainable, and reversible. Without those conditions, one-click can feel less like convenience and more like risk.

Security products face an additional challenge because customers are already cautious. These products frequently ask customers to change configurations, introduce restrictions, accept risk calculations, or make decisions using imperfect information. Skepticism in these environments is understandable.

This is partly why I increasingly think visibility, recommendations, remediation, and automation are less like competing approaches and more like stages of maturity.

Visibility helps customers understand.

Recommendations help customers decide.

Remediation helps customers move.

Automation only becomes useful when customers trust enough to let go.

What makes this more interesting now is the introduction of agents and increasingly action-oriented AI experiences. If systems can identify problems, evaluate options, recommend solutions, and execute actions with human oversight, the conversation shifts again.

The challenge may no longer simply be surfacing information or even recommending actions.

The harder challenge may be building enough trust that customers are willing to act at all.