by tetrep 1418 days ago
There are similar issues with computer security and having projects reviewed before being shipped, with the classic story of people avoiding review because they didn't think they needed it at the start of their project (not that they're qualified to determine that), and by the time someone told them about it, it was "too late" and they'd miss important deadlines by going through the requisite review.

The only sane solution I've seen to that is to make everything go through security review, even if the review is a simple "we don't need to review this." If everyone knows everything needs review, it makes it very hard to forget about it and incentivizes people to involve security folks with their projects ASAP in the hopes of getting review done early on / avoiding being blocked by it.

You'll always need exceptions to the rule, so you can have some sufficiently high up VP or similar sign off on releasing things without review (and with the caveat that it's still going to get reviewed, it just won't block release), but that's a lot easier to manage than dealing with random developers deciding it for themselves.

It also helps a lot to have a culture where developers learn about security too, but just like researchers and ethics, they'll have perverse incentives to downplay/ignore risks, so you still need other, differently incentivized people to enforce "checks and balances."

It sounds like IRBs are not designed to review all or even most (animal?) experiments and I think that's unfortunate. It seems like a win for everyone if we get better ethics coverage.