What makes a requirements document a graveyard of assumptions?

Open your last PRD. Page two, second paragraph. Read the line that says something like "The system shall provide robust user input validation." Stop there. Now ask yourself honestly: do you know exactly what "robust" means in that sentence? If you shipped code tomorrow that validated email addresses but not phone numbers, if you rejected empty fields but accepted spaces, if you showed an error message in English for all locales, would that be "robust" enough? The PRD does not say. You have been interpreting "robust" through your own lens. Someone in testing is interpreting it differently. The business stakeholder has a third interpretation sitting in their head, unwritten and never challenged. The PRD looks like a decision. It is actually a consensus hallucination.

This happens because requirements workshops are not structured discovery sessions. They are performances. The team sits in a room, the Business Analyst reads off a list of capabilities, people nod (because staying late in meetings to ask clarifying questions feels rude), and everyone walks out believing they said the same thing. They did not. They populated a document with words that sound specific, then each person filled in the blanks from their own experience. That happens 40 times per project. By the time development starts, your specification is 40% agreement and 60% invisible landmines.

What do real hidden assumptions look like?

I want to show you three examples from conversations I have had with teams over the past 18 months. Company names are changed; the assumptions are exact copies from their actual documents.

Example 1: The password reset that meant three different things

From a fintech startup building account recovery for their platform.

"Users may reset their password via email verification."

Done. Ship it. Except: does the email go immediately or on a delay? How long does the reset token stay valid (one hour, one day, never expire)? If the user clicks the reset link but does not complete the new password entry for 30 minutes, does the token expire? If the user requests a reset, then requests a second reset before completing the first one, do both tokens work or does the first invalidate? If the system detects the reset from an unusual IP address, does it require additional verification or send a notification? What if the mail service fails and the reset email never arrives?

The Business Analyst had one mental model. The senior developer had a different one. The security person had a third. Every assumption diverged. The requirement looked finished because one sentence covered it. It was actually 11 separate requirements hiding under one phrase.

Example 2: The search feature that locked up in production

From a Business-to-Business (B2B) SaaS company in the energy sector.

"The search box shall return results quickly."

What does "quickly" mean? Under 500ms? Under 2 seconds? What happens if the search index is corrupted or slow? Does the search timeout or wait indefinitely? What is the maximum number of results the system returns (10, 100, all matching records)? When the user enters special characters (ampersands, quotes, backslashes), how does the search handle them?

The development team assumed "quickly" meant "no artificial timeout." They built it to return every result. One customer with a million records in the database ran a search and crashed their instance. The requirement was in the document. The problem was the assumption that lived inside the word.

Example 3: The permissions model that assumed hierarchy

From a healthcare software vendor managing access controls.

"Role-based access control shall be implemented."

Role-based means what, exactly? Hierarchical roles (Admin > Manager > User, each with escalating permissions)? Or flat roles (Clinician, Pharmacist, Administrator, each with independent permissions)? Can a user have multiple roles at the same time? Can a manager delegate specific permissions without assigning a full role? Does role assignment happen at the user level or at the department level? If a user moves departments, do their roles carry over or reset?

The specification writer was thinking hierarchical. The implementation team built flat roles. Neither was wrong according to the four-word requirement. Both were building different products. When UAT revealed the gap, the codebase needed six weeks of surgery.

From the Field · Knight Capital Group, 2012

The most expensive hidden assumption in software history probably cost $440 million in 45 minutes. Knight Capital Group deployed a new automated trading system in August 2012. Inside the codebase was a dormant code path tied to an old flag called "Power of the Cap." A documented requirement said to activate a configuration flag on deployment. It did not say which flag, or that an old flag with the same name now triggered entirely different behavior. Engineers assumed the flag was safe to use. It was not.

The system executed 4 million unintended stock orders across 154 equities before anyone could stop it. By the time the kill switch was reached, the assumption had become a defect and the defect had become a catastrophe. The formal post-mortem, documented in the SEC enforcement action (Release No. 70694), cited the absence of clear requirements around the system's legacy code behavior. A buried assumption. Four words in a deployment checklist. $440 million.

Source: SEC Release No. 34-70694 (2013) · Knight Capital Group Administrative Proceeding

41%
of software teams identified incomplete or ambiguous requirements as their top source of defects found during integration testing
SmartBear State of Software Quality Report, 2021 · 5,000+ professionals across 35 countries

Why do stakeholders treat assumptions as agreed decisions?

Not stupidity. Not laziness. It is how human communication works under deadline pressure.

When a stakeholder says "The system should be user-friendly," they are not being vague intentionally. They are using a word that means something specific in their domain context. To the UI person, "user-friendly" might mean a two-step flow with iconography. To the accessibility person, it means semantic HTML and ARIA labels. To the customer success team, it means the onboarding helps new users reach their first value milestone in under five minutes. All three interpretations are reasonable. None are mutually exclusive. They are just different focal points. In a slow, structured workshop where each interpretation gets named and tested, the team converges on a shared definition. In a 90-minute requirements meeting with 12 people on Zoom, the team nods and leaves with 12 private definitions.

The nod is the killer. A nod looks like agreement. It is not. A nod is a timeout: it means "I do not want to hold up the meeting, and this phrase is close enough to my mental model that I will not object." That is extremely different from alignment.

Add time pressure, add distance (Zoom calls flatten context), add a Slack backlog waiting for requirements to ship, and the default becomes: write it down and move on. The assumption burial happens not because the team is bad. It happens because the system is broken. Broken, not careless.

ONE REQUIREMENT. THREE MENTAL MODELS. ZERO ALIGNMENT. "The system shall be user-friendly" BUSINESS ANALYST "A 2-step flow with helpful tooltips" DEVELOPER "Strict validation on all 14 fields" SECURITY ANALYST "Rate limiting + input sanitization" Same requirement. Three different products being built simultaneously. No one knows.
The same four words send three people in three different directions. Nobody is wrong. Nobody is aligned.

How does a Red Team session surface what nobody questioned?

The highest-confidence way to find hidden assumptions is to bring distinct expert perspectives into a structured challenge session. Not a meeting. A session. A meeting is about alignment. A challenge session is about stress-testing.

Here is the pattern that works:

  1. Take one requirement. Pick the one that feels most critical or most vague. "The API shall support real-time updates."
  2. Assign perspective roles. Each person embodies a different lens:
    • Business Analyst: "What is the user trying to do? What are they measuring success by?"
    • UX Researcher: "What mental model does the user bring to this? Where will they get confused?"
    • Solutions Architect: "What systems does this touch? What happens if one fails? What is the blast radius?"
    • Security Analyst: "Who has permission? What if someone with less authority tries to do this? Can they spoof it?"
    • Red Team Critic: "What is the worst interpretation of this requirement a developer could take and still be technically correct?"
  3. Each perspective asks questions for 10 minutes. No answering yet. Collect the questions.
  4. Group the questions by theme. "These five questions are all about token expiration." "These three are about quota limits."
  5. For each theme, pick one question as a test. If the answer to that question changes, the requirement changes. Write that down.
  6. Mark assumptions as discovered. "We are assuming token expiration is 15 minutes. If that assumption changes, the implementation changes. Do we want to document this?"

The Red Team approach works because it makes assumptions visible before they turn into defects. Visible. Named. Owned. It also creates a paper trail: when development starts and someone asks "why did we decide token expiration is 15 minutes," you have a record. That record prevents three weeks of rework.

Key Takeaway: Five Perspectives, One Structured Session

  • Business Analyst: surfaces unstated success criteria and user goals
  • UX Researcher: surfaces usability assumptions and mental model gaps
  • Solutions Architect: surfaces integration assumptions and failure modes
  • Security Analyst: surfaces authorization assumptions and attack surfaces
  • Red Team Critic: surfaces worst-case interpretations the developer could legally build

A 90-minute Red Team session on your 10 most critical requirements will find more assumptions than six weeks of UAT. The question is which discovery you want to pay for.

What are the five questions that surface hidden assumptions?

You do not need a full Red Team session to start finding assumptions. Ask these five questions about any requirement that matters:

Question 1: What does success look like for each persona?

Not for the system. For the person using it. "The system shall provide real-time updates" does not tell you what the Business Analyst needs to see, what the developer needs to see, or what the end user needs to see. Assume different personas have different success criteria. Force the requirement to state what each one is measuring.

Question 2: What is the failure mode?

What happens when this requirement is not met? What happens when the system is slow? When the network is down? When the user has permissions for only part of what they are trying to access? Good requirements describe what the system does when the happy path fails. Most requirements skip this entirely. That gap is where assumptions hide.

Question 3: What is the edge case that is not in scope?

Every requirement has a boundary. "Users may reset their password" does not address: what if the user forgets the email they registered with? What if the email address has been deleted from the ISP? Define scope explicitly. Say what is in, what is out, and why. "Out of scope by decision" is a very different document entry from "out of scope because nobody thought about it."

Question 4: Who has authority to change this later?

If an assumption turns out to be wrong during development, who decides to change it? The Product Manager? The security team? The customer? Unanswered, this creates a second problem: the team makes a unilateral change that collides with a stakeholder's expectation, and nobody finds out until UAT.

Question 5: What would a conservative implementation look like, and what would an aggressive one look like?

Conservative: the system rejects invalid input and shows an error message. Aggressive: the system auto-corrects the input and proceeds. "The system shall handle invalid input" could mean either. Force the requirement to pick a position. The reason you picked it reveals the assumption underneath.

How do you build assumption discovery into your validation checklist?

Do this once on a small project. You will not do it the same way twice. But the pattern holds:

  1. Before starting development, take your 10 most critical requirements.
  2. For each one, ask: "What are we assuming here that we never stated?"
  3. Write those assumptions down explicitly. Name them. Make them testable.
  4. Get a stakeholder to sign off on each assumption. Not a nod. A signature or an email saying "Yes, this is what I meant."
  5. Give the list to the development team. Tell them: "If you discover we were wrong about any of these assumptions, stop and ask before you change course."

This is not extra work. This is preventing rework. When a team spends three weeks building something and discovers the requirement was misunderstood, that is catastrophic. When a team spends four hours in discovery and surfaces an assumption, that is four hours well spent. The math is simple; the discipline is harder.

What changes when teams surface assumptions early?

Teams that surface assumptions early report one consistent outcome: rework goes down, but discovery time goes up. You spend more time asking questions before code starts. You spend less time fixing bugs during testing. The trade is almost always favorable. A project that spends three weeks on validated requirements takes eight weeks to build and ship. A project that skips discovery and spends two weeks on assumption-laden specs takes 12 weeks to build, test, rework, and ship. Front-loaded investment compresses total delivery time.

More importantly, the team ships what the stakeholder actually wanted. Not what they think they wanted. Not what the developers guessed they wanted. The actual thing.

This is what 25 years of watching projects fail has taught me: the specifications that cause the most damage are not the vague ones. They are the ones that sound specific but contain 40 invisible assumptions. Count them. Your next PRD probably has 40 right now. Opening it and starting to count is the first step to building something that does not need to be rebuilt.

What are the most common questions about hidden requirements assumptions?

A hidden assumption is a belief about how the system should work that is never explicitly tested or documented. Example: "The system shall validate user input" sounds specific, but it hides dozens of assumptions about which fields validate, what the error message says, when validation happens, and how edge cases are handled. Each assumption is a potential defect.

Because requirements workshops are performances, not discovery sessions. A nod looks like agreement. It is actually a timeout: "I do not want to hold up the meeting." Each person fills in blanks from their own experience. That is extremely different from alignment.

The Red Team approach works well: take a requirement and ask each expert perspective to challenge it. A Business Analyst, UX Researcher, Solutions Architect, Security Analyst, and Red Team Critic each ask different questions. The gaps and contradictions that emerge are your hidden assumptions.

A vague requirement is obviously incomplete: "The system should be fast" gives you almost nothing to build. Everyone sees the problem. A requirement with hidden assumptions looks complete: "Users may reset their password via email verification." On the surface this seems clear, but it contains dozens of unstated assumptions. Vagueness triggers questions. Specificity without validation triggers false confidence.

You make it safe to say "I do not understand." Pointing out an assumption is not a personal attack. It is a gift: you are preventing a defect. Teams that surface assumptions early celebrate the person who found them. Teams that surface assumptions late blame the person who wrote the requirement. Set the expectation explicitly: finding gaps is the goal, not avoiding them.

When hidden assumptions surface late (in testing or UAT), they cause rework, timeline slips, and team friction. When they surface early (in validated discovery), they become documented decisions. According to SmartBear's 2021 State of Software Quality survey, 41% of teams named incomplete or ambiguous requirements as their top source of integration-phase defects, making it the most cited cause ahead of code quality issues.

Continue reading

Requirements Discovery

How to Compress Requirements Discovery Without Cutting Corners

The 3-6 week requirements phase is a symptom, not a standard. Here is how to run structured discovery in half the time without losing coverage.
Economics

The 29x Rule: Why Every Dollar on Requirements Saves $29 in Production

The math behind early discovery is not controversial. The behavior is. Here is why teams keep skipping the cheapest phase in software development.
Project Failures

The Hidden Cost of Missed Requirements

The rework you track is only the surface. The real cost of missed requirements lives in wrong architectures and missed market windows.
Nicolas Payette, CEO and Founder of Specira AI
Nicolas Payette
CEO and Founder, Specira AI

Nicolas Payette has spent 25 years in enterprise software delivery, leading digital transformations across financial services, logistics, and technology sectors. He founded Specira AI to solve the root cause of project failure: unclear, incomplete, and untested requirements.