Beyond legacy:

When critical public services and regulated functions rely on systems built decades ago, the risk is not theoretical. It is operational, human, and increasingly visible.
 

Across governments and highly regulated organizations, long-lived platforms continue to underpin essential services. Many of these systems were designed for a different policy environment, different service expectations, and a very different workforce. While they often remain stable at scale, the capability to safely maintain, understand, and evolve them is steadily diminishing.
 

Leaders are grappling with interconnected pressures spanning legacy systems, workforce capability, procurement models, and rising expectations from citizens and customers. What is becoming clear is that modernization cannot be framed solely as a technology uplift. It is a coordinated transformation of people, operating models, and risk posture.
 

The following five insights highlight not only the scale of the challenge but also the practical levers leaders can use to move from legacy exposure to delivery readiness.

1. Treat legacy system age as a critical operational risk

Across government and regulated sectors, core systems approaching or exceeding 40 years of age remain in active service. Mainframes from the 1960s, ERPs nearing the end of vendor support, and production code written decades ago still underpin critical national and commercial functions.
 

While these platforms often remain reliable in terms of transaction volume, they are increasingly brittle to change. Each year, they become harder to secure, more expensive to maintain, and more exposed to talent attrition. Small policy or service changes can carry disproportionate risk, and recovery from incidents becomes more complex.
 

For senior decision makers, the implication is clear. Legacy systems are no longer just technical debt. They represent a growing operational, financial, and reputational risk that must be actively managed.

2. Protect institutional knowledge before it becomes a single point of failure

The most significant legacy risk is often not the technology itself, but the shrinking number of people who understand it.
 

In many organizations, knowledge of how critical systems behave in production exists only in the experience of a small number of long-tenured staff. Over time, undocumented business rules, workarounds, and dependencies accumulate. As those individuals retire or move on, that knowledge disappears with them.
 

This creates a dual risk. Modernization becomes harder because no one fully understands the existing system, while day-to-day operations become more fragile as fewer people can diagnose or resolve issues.
 

Without deliberate effort to capture and transfer institutional knowledge, organizations risk reaching a point where both change and stability are compromised.


 

3. Close the gap between recognizing talent risk and acting on it

There is broad awareness across government and regulated industries that workforce capability is a constraint on modernization. Far fewer organizations have acted on this risk in a sustained, structural way.
 

Short-term measures such as contractor reliance, isolated upskilling initiatives, or flexible work arrangements can provide temporary relief, but they do not address the underlying issue. Modernization requires deliberate investment in career pathways, capability development, and team structures that enable knowledge sharing rather than siloing.
 

For executives, workforce strategy must be treated as a core pillar of modernization, not an adjacent HR concern. Without it, improvements to systems, security, and service outcomes will remain fragile.


 

4. Turn AI ambition into delivery through structured execution

AI now features prominently in strategies across government and regulated sectors, but progress remains uneven. Many organizations are experimenting with use cases, yet struggle to move beyond pilots into production.
 

A useful way to frame AI adoption is through layers of impact:

• Layer 1: AI that supports and accelerates delivery teams

• Layer 2: AI that reduces inefficiency in operational workflows such as triage, verification, or compliance processing

• Layer 3: AI that transforms citizen- or customer-facing services at scale

Most organizations are constrained in the middle layer, where fragmented data, uneven AI literacy, and risk concerns limit progress.
 

Rather than large, high-risk programs, leaders are increasingly finding value in incremental delivery. Short, structured cycles that demonstrate tangible value or measurable risk reduction help build confidence, capability, and organizational alignment over time.
 

In practice, this shift toward incremental, risk-managed AI delivery is supported by advances in agentic platforms that help teams move from experimentation into production more reliably. Thoughtworks’ AI/works™ platform is designed to support this model by embedding governance, delivery patterns, and safety considerations directly into how AI-enabled systems are built and operated. It reflects the same execution discipline outlined here: enabling teams to deliver value early, manage risk continuously, and scale AI responsibly in complex, regulated environments.


 

5. Start modernization with procurement changes leaders control today

Procurement remains one of the most powerful, and underutilized, levers available to leaders in government and regulated organizations.
 

Traditional procurement models were designed for large, fixed-scope projects and capital purchases, not for iterative delivery or learning-led change. This often reinforces big-bang programs that are expensive, slow to adapt, and difficult to course-correct.
 

An alternative approach is to fund modernization in small, production-ready slices under existing executive delegation. This reduces upfront commitment, shortens feedback loops, and allows organizations to demonstrate progress before scaling investment.
 

Importantly, this shift can often be achieved within existing policy and regulatory frameworks. It does not require wholesale reform to begin reducing risk and increasing momentum.

Moving from legacy exposure to readiness

Legacy systems do not fail only because they are old. They fail because the knowledge, skills, and structures needed to operate and evolve them safely erode over time.
 

Modernization succeeds when leaders treat it as a continuous capability-building discipline that spans technology, people, procurement, and governance. The actions that matter now are pragmatic and within reach:

• Protect institutional knowledge before it becomes a single point of failure

• Modernize in visible, incremental slices that reduce risk and build confidence

• Strengthen data foundations so AI can move beyond pilots into trusted use

• Evolve procurement to support faster learning and lower-risk delivery

• Anchor every decision to citizen and customer outcomes

This is how organizations move from legacy burden to adaptive, resilient service delivery in environments where trust, continuity, and compliance are essential.
 

As one senior leader put it, “You cannot be future-proof, but you can be future-ready. And readiness is built step by step.”