Field Notes · Software · 2026-05-08 · Five-minute read · By Wouessi Engineering

Why accessibility and security have to be designed from day one

We have done the math twice on the same project. Designing for accessibility from day one costs roughly the same as ignoring it. Retrofitting accessibility after launch costs eight times that. For security, the multiplier is closer to thirty. Here is why both have to be in the first sprint.

The numbers

Across the last three years of Wouessi engagements where we measured the cost of accessibility and security work, here is what we saw:

  • Designing for WCAG 2.2 AA from kickoff: roughly 5–8% of build cost. Most of it is design and tooling, not engineering hours.
  • Retrofitting WCAG 2.2 AA after launch: 40–60% of original build cost. A non-trivial portion is rewriting the design system, which means rewriting every page that uses it.
  • Designing for SOC 2-aligned security from kickoff: 8–12% of build cost. Most of it is decisions made early about identity, secrets, logging, and the auth boundary.
  • Retrofitting SOC 2-aligned security after launch: 200–400% of original build cost. The exact multiplier depends on whether the auth boundary survives or has to be redone.

The pattern is the same in both cases: done from day one, the cost is just the cost of the discipline. Retrofitted, the cost is the discipline plus every decision you made in the meantime that you now have to reverse.

Why the retrofit is so expensive

Accessibility and security are not features. They are properties of the system. A feature can be added in a sprint. A property has to be true everywhere: every component, every page, every API call, every database row.

When you retrofit accessibility, you discover that:

  • The design system did not encode focus states, so every component has to be touched.
  • The toast notifications announce success visually but are silent to screen readers, so the notification system needs a rewrite.
  • The data tables use colour alone to indicate state, so every state needs a second cue (an icon or a text label), and the palette needs a replacement that survives both a 4.5:1 contrast check and protanopia simulation.
  • The form errors point to the wrong element with aria-describedby, so every form has to be re-tested.

None of those are big problems individually. Collectively they are a re-platform.

Security retrofits are worse because they touch the auth boundary. The auth boundary is the single most expensive thing in any application to change. When a buyer says "we just need to add SSO and audit logging," the truthful answer is often "we need to rebuild the identity layer."

What “day one” actually means

Day one accessibility and security do not mean writing a long policy document on day one. They mean:

For accessibility

  • The design system has focus states, contrast tokens, and target-size minimums baked into the components, not added later.
  • The CI pipeline runs axe-core on every PR. Merges that introduce new WCAG violations are blocked.
  • Every form has a keyboard-only test in the QA checklist.
  • Every page has one H1, in the right place. (You would be surprised how often this fails.)
  • The team has a screen reader installed: NVDA on Windows, VoiceOver on macOS, JAWS for serious work. Engineers use them weekly, not annually.
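What "contrast tokens baked into the design system" looks like when the build enforces it, as an added example that is not code from the original page or from Wouessi: a small CI gate that computes the WCAG 2.x contrast ratio for every foreground/background pairing the design system exposes and returns the pairs that miss the AA threshold (4.5:1 for body text, 3:1 for large text and UI components). The token names and hex values are constructed for illustration, not a real product's palette; the luminance and contrast formulas are the ones WCAG 2.x defines.

```javascript
// Added example (not part of the original Wouessi page): WCAG 2.x contrast gate for
// design-system colour tokens. Token names and values below are constructed.

// Parse "#rrggbb" or "#rgb" into [r, g, b] in 0..255. Throws on anything else so a
// malformed token fails the build instead of silently passing.
function hexToRgb(hex) {
  const m = /^#([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(hex.trim());
  if (!m) throw new Error(`not a hex colour: ${hex}`);
  let h = m[1];
  if (h.length === 3) h = h.split('').map((c) => c + c).join('');
  return [0, 2, 4].map((i) => parseInt(h.slice(i, i + 2), 16));
}

// Relative luminance per WCAG 2.x: linearise each sRGB channel, then weight.
function relativeLuminance(hex) {
  const [r, g, b] = hexToRgb(hex).map((v) => {
    const c = v / 255;
    return c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4);
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (L1 + 0.05) / (L2 + 0.05) with the lighter colour on top; range 1..21.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  const [hi, lo] = l1 >= l2 ? [l1, l2] : [l2, l1];
  return (hi + 0.05) / (lo + 0.05);
}

// WCAG 2.2 AA minimums: 4.5:1 for normal text, 3:1 for large text and UI components.
const AA_MINIMUM = { text: 4.5, largeText: 3, ui: 3 };

// Gate: every pairing must meet the threshold for its kind. Returns the failures so
// CI can print them and exit non-zero; an unknown kind is a config error, not a pass.
function checkTokenPairs(pairs) {
  const failures = [];
  for (const p of pairs) {
    const required = AA_MINIMUM[p.kind];
    if (required === undefined) throw new Error(`unknown token kind: ${p.kind}`);
    const ratio = contrastRatio(p.fg, p.bg);
    if (ratio < required) {
      failures.push({ name: p.name, ratio: Number(ratio.toFixed(2)), required });
    }
  }
  return failures;
}

// Constructed token pairs for a hypothetical design system.
const SAMPLE_PAIRS = [
  { name: 'text.body on surface.default',   fg: '#1f2933', bg: '#ffffff', kind: 'text' },
  { name: 'text.muted on surface.default',  fg: '#767676', bg: '#ffffff', kind: 'text' }, // 4.54:1, passes
  { name: 'text.hint on surface.default',   fg: '#777777', bg: '#ffffff', kind: 'text' }, // 4.48:1, fails
  { name: 'border.focus on surface.default', fg: '#2563eb', bg: '#ffffff', kind: 'ui' },
];

// Run the gate over a token set; true means the build may proceed.
function runGate(pairs = SAMPLE_PAIRS) {
  const failures = checkTokenPairs(pairs);
  for (const f of failures) {
    console.error(`FAIL ${f.name}: ${f.ratio}:1 < ${f.required}:1`);
  }
  return failures.length === 0;
}

const GATE_PASSED = runGate(); // false for SAMPLE_PAIRS: text.hint is one hundredth short
```

In a real pipeline the pairs come from the token file the design system already ships, and the CI step exits non-zero when `runGate()` returns false; the point of computing the ratio in the build rather than eyeballing it in a design tool is that a token change that drops a pairing from 4.54:1 to 4.48:1 cannot merge.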

For security

  • The identity layer is built around a managed provider (Auth0, Cognito, Microsoft Entra ID, formerly Azure AD, or Keycloak if it has to run inside your own perimeter). Never roll your own.
  • Secrets live in a vault from day one: AWS Secrets Manager, Doppler, HashiCorp Vault, Azure Key Vault. Never in .env files committed to the repo.
  • The CI pipeline runs SBOM generation, dependency scanning, secret scanning, and SAST on every PR. Critical findings block the merge.
  • Every API call is authenticated and then authorized, service-to-service calls included. There is no internal endpoint that “skips auth because it is internal.”
  • Audit logging is append-only from the first day: the application role can insert but not update or delete. The log is queried through a separate role with read-only credentials, and the auditor's path from request to query is documented.
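The "no endpoint skips auth because it is internal" rule, as an added example that is not code from the original page or from Wouessi: the path-prefix bypass next to a deny-by-default route table where every route carries an explicit policy and a startup check refuses to boot if one is missing. The route table, roles, bearer tokens and request objects are constructed for illustration; `verifyBearer()` is a stand-in for the managed identity provider's token validation (the JWT or introspection check you would get from Auth0, Cognito or Entra ID), which is where real token checking belongs.

```javascript
// Added example (not part of the original Wouessi page): "internal endpoints skip auth"
// next to deny-by-default route policies. Everything below is constructed.

// Constructed principals keyed by bearer token. In production this lookup is the IdP's
// JWT validation or token introspection, never a static table.
const PRINCIPALS = {
  'tok-alice': { sub: 'alice', roles: ['user'] },
  'tok-sre':   { sub: 'sre-bot', roles: ['sre'] },
  'tok-admin': { sub: 'root', roles: ['admin'] },
};

function verifyBearer(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const [scheme, token] = authorizationHeader.split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return PRINCIPALS[token] || null;
}

// Weak pattern: anything under /internal/ is trusted because "only the cluster can reach
// it". One misconfigured ingress rule or one SSRF and every internal endpoint is open.
function weakAuthorize(req) {
  if (req.path.startsWith('/internal/')) return { status: 200, principal: { sub: 'internal' } };
  const principal = verifyBearer(req.headers.authorization);
  return principal ? { status: 200, principal } : { status: 401 };
}

// Hardened pattern: every route carries an explicit policy. "public" has to be written
// down; anything else needs an authenticated principal holding one of the listed roles.
const ROUTES = [
  { method: 'GET',  path: '/health',           policy: 'public' },
  { method: 'GET',  path: '/api/orders',       policy: { roles: ['user', 'admin'] } },
  { method: 'GET',  path: '/internal/metrics', policy: { roles: ['sre', 'admin'] } },
  { method: 'POST', path: '/internal/reindex', policy: { roles: ['admin'] } },
];

// Startup check: a route registered without a policy is a crashed deploy, not an open
// endpoint. Returns true so it can be asserted on.
function assertEveryRouteHasPolicy(routes) {
  for (const r of routes) {
    const ok = r.policy === 'public'
      || (r.policy && Array.isArray(r.policy.roles) && r.policy.roles.length > 0);
    if (!ok) throw new Error(`route ${r.method} ${r.path} has no authorization policy`);
  }
  return true;
}

// Authenticate first, then authorize against the route's policy. Network origin is
// never consulted: a request from 10.0.0.5 is just a request.
function authorize(req, routes = ROUTES) {
  const route = routes.find((r) => r.method === req.method && r.path === req.path);
  if (!route) return { status: 404 };                        // unknown route: nothing to match a policy against
  if (route.policy === 'public') return { status: 200 };
  const principal = verifyBearer(req.headers.authorization);  // identity
  if (!principal) return { status: 401 };
  const allowed = route.policy.roles.some((role) => principal.roles.includes(role));
  if (!allowed) return { status: 403 };                       // authenticated, not authorized
  return { status: 200, principal };
}

// Constructed requests. The unauthenticated call to /internal/reindex is the one that
// separates the two patterns.
const REQUESTS = {
  anonInternal: { method: 'POST', path: '/internal/reindex', headers: {}, remoteAddress: '10.0.0.5' },
  sreReindex:   { method: 'POST', path: '/internal/reindex', headers: { authorization: 'Bearer tok-sre' } },
  adminReindex: { method: 'POST', path: '/internal/reindex', headers: { authorization: 'Bearer tok-admin' } },
  aliceOrders:  { method: 'GET',  path: '/api/orders',       headers: { authorization: 'Bearer tok-alice' } },
  anonHealth:   { method: 'GET',  path: '/health',           headers: {} },
};

assertEveryRouteHasPolicy(ROUTES); // run at boot; throws before the listener opens
```

The two things to copy are the shape of the route table and the boot-time check: public routes are an explicit, reviewable decision rather than the absence of a guard, and a forgotten policy fails the deploy rather than shipping an unauthenticated endpoint. With `weakAuthorize`, `REQUESTS.anonInternal` gets 200; with `authorize` it gets 401, and even the SRE token gets 403 on `/internal/reindex` because the policy names admin only.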

The pattern that makes both work

The pattern in both cases is the same: the discipline is enforced by the build, not by hope. The CI pipeline blocks regressions. The design system blocks inconsistent components. The identity layer blocks accidental auth bypasses.

Buyers sometimes ask if there is a way to ship faster by skipping these. The honest answer is yes, if you are willing to pay the multiplier later. For systems that will live for years and be reviewed by auditors, that math does not work. For a throwaway prototype, it does.

What this looks like at Wouessi

Every system Wouessi ships gets a hand-back package that includes the accessibility report, the security threat model, the SBOM, and the auditor-readable architecture diagram. We do this for our own protection as much as our clients'. If a system we shipped fails an audit five years from now, the artifact trail makes it easy to defend.

If you are at the start of a build and want to know what the discipline looks like at your scale, the next useful conversation is twenty minutes. We will share the templates either way.


About the author. The Wouessi engineering bench. The piece reflects what we have learned shipping into Canadian banks, federal departments, and provincial health systems.

If this resonated, the next step is twenty minutes.

Tell us what you are trying to ship and who it is for. We will tell you honestly whether Wouessi is the right partner. If we are not the right fit, we know who is. Either way you leave with a clearer next step than you arrived with.

Book a 20-minute fit call →