Skip to content

SGF

Security Governance Framework

Governance as a first-class system property, designed in rather than bolted on.

developing

Vision

Governance bolted on after launch is theater. The Security Governance Framework treats accountability and provenance as structural properties of a system - present in the design, enforced by the architecture, and visible in the record - so that control is something the system has rather than something a policy claims.

Governance is an architecture problem

Most organizations treat governance as a documentation exercise. A policy is written, a committee approves it, and the actual system goes on doing whatever it was built to do. The gap between the policy and the system is where every governance failure lives.

The Security Governance Framework starts from the opposite premise: governance is a property of the architecture, not a layer of paperwork on top of it. If you cannot answer who may decide what, on what evidence, with what record - directly from the system itself - then you do not have governance. You have a description of governance.

A control that isn’t enforced by the architecture is a suggestion. A record that has to be reconstructed after the fact is a story.

The three questions every system must answer

Governance reduces to three questions, and a well-designed system answers all three by construction.

Who may decide what

Decision rights have to be explicit and enforced, not implied by org charts or access lists that drift out of date. The system should make unauthorized actions structurally difficult, not merely discouraged.

On what evidence

Every consequential action rests on evidence. Governance means that evidence is captured at the moment of decision and bound to the action it justified. Reconstructing it later - under audit, under pressure - is exactly when it is least reliable.

With what record

The record is not a log file. It is a durable, queryable account of what happened, who was accountable, and why. Provenance designed in from the start is cheap and trustworthy. Provenance retrofitted is expensive and contestable. IRIS is built around making this record a first-class output of the system rather than a forensic afterthought.

Designed in, not bolted on

The recurring failure is sequencing. Teams build the system first, then ask how to govern it. By then the seams where control belongs have already closed, and governance becomes a matter of wrapping the system in approvals and reviews that slow it down without actually constraining it.

Designing governance in means choosing, at architecture time, where control points live, what provenance gets captured, and how accountability is represented. It costs almost nothing at the origin and becomes nearly impossible to add later at full fidelity. That asymmetry is the entire case for treating governance as a founding decision rather than a compliance task.

For the broader stance, see security and governance thinking and the Architecture Atlas.

Roadmap

How this framework evolves

  1. 2025 Q4 done

    Control model specification

    A formal model of decision rights, evidence requirements, and the record each action must leave.

  2. 2026 Q1 active

    Provenance-by-design patterns

    Reference patterns for capturing provenance at the point of action rather than reconstructing it under audit.

  3. 2026 Q3 planned

    Accountability instrumentation

    Methods to make the control model legible and queryable, so governance can be observed rather than assumed.

  4. 2026 Q4 planned

    Audit and attestation toolkit

    Tooling to turn the system's own record into defensible evidence for regulators and reviewers.