Remote companies often hit the same invisible wall. Small teams — under 20 people — are extraordinarily productive. Something starts to crack around 50. By 100, systems that were never properly built begin failing visibly. Robert Phelps, President of CreativeIT, calls this the invisible ceiling of growth, and at Running Remote 2026 he spent his session methodically exposing where it comes from and how to fix it before it becomes a crisis.
Five vulnerabilities, and most organisations have at least one
Phelps outlined five challenges that consistently expose remote organisations at scale, across every industry and size. The value of the framework is that most teams, when they hear these, recognise themselves in one or more of them — even when they thought they were fine.
The first is the knowledge gap. New employees waste hours searching for information that someone else already knows, or rely on managers to informally teach things that should be documented. The organisation is effectively paying people to be search engines rather than to do their jobs. What looks like an onboarding problem is often a knowledge infrastructure problem.
The second is coordination sludge — the accumulation of meetings about meetings, status updates that could be async communications, and synchronous time used for things that documents could handle. When a team needs three meetings to have one meeting with a client, something structural has gone wrong.
The third is shadow IT, which Phelps described as one of the most underestimated risks in remote organisations. When companies provide equipment stipends and employees buy cheap laptops and pocket the difference, the security architecture becomes what he called ‘Swiss cheese.’ He shared a recent case where an AI tool enrolled in a company’s Google Workspace and held them ransom for $2 million after deleting their data. This is not a hypothetical risk.
The fourth is policy management failure. The 50-page employee handbook that no one reads, that gets built once and rarely updated, that exists primarily to give legal cover rather than to actually guide behaviour. When issues arise, the team firefights reactively because the guidance was never accessible to begin with.
The fifth is the skill gap — not the technical skills of the role, but the skills required to work remotely in this organisation specifically. How the company uses its tools, what their communication norms are, what async actually looks like here. What someone learned at their last company, even with identical software, may not apply.
Solutions scaled by company size
One of the most useful parts of the session was Phelps’ insistence on scaling solutions to company size rather than imposing enterprise systems on ten-person teams. For each of the five vulnerabilities, he walked through what the appropriate solution looks like at four stages: 1-10 employees, 10-50, 50-100, and 100 or more.
For knowledge management, a startup can rely on verbal communication and a shared folder. At 10-50, a basic wiki or Google Drive structure becomes necessary. At 50-100, a structured knowledge base organised by workflow. At 100+, an AI-powered searchable system trained on the organisation’s own SOPs.
For security, a startup should at minimum provide or specify the hardware employees buy. By 10-50, password management, device tracking, and 24/7 security resources become essential. At larger scale, dedicated onboarding and offboarding staff, and ultimately compliance and governance frameworks.
The logic throughout: meet your current phase requirements while building toward the next phase before you reach it. The worst outcome is waiting until you are 100 people to build systems for 100 people.
The four-checkpoint audit
Phelps closed with a practical, immediate diagnostic. Four questions any organisation can answer today to identify their most critical vulnerability.
One: can a new hire find your PTO policy in 30 seconds? If the answer is no, your knowledge and policy infrastructure is failing.
Two: if a senior leader’s laptop is stolen right now, can you remotely lock it? If not, your device management is inadequate regardless of your other security measures.
Three: if a compliance auditor knocked on your door tomorrow — whether for GDPR, CCPA, SOC 2, or a client contractual requirement — could you demonstrate what you committed to in your contracts? Most companies discover they have compliance obligations they do not know exist, embedded in client agreements.
Four: if you needed to deploy a training on a new process to all employees today and track completion, could you do it? If not, your learning infrastructure is not ready for the organisation you are trying to build.
Over the past few months, CreativeIT vetted more than a hundred AI tools on behalf of clients. Only about half passed security testing. The failures were not obvious — they were tools with legitimate-sounding names and polished interfaces that shared data with training models, sold usage information to third parties, or had inadequate privacy controls. The implication is straightforward: every AI tool your team is using right now deserves the same scrutiny. Most have not received it.
