Crisis Decision Hierarchy
Organisations do not lose systems first. They lose decision authority — then everything else follows.
—
— Principles · Doctrine —
100 Principles of Enterprise Governance & Cyber Strategy
Board-grade doctrine engineered for cyber governance, operational resilience, AI accountability, regulatory trust, and contract-winning advisory.
Market Heat — board, regulator and media salience right now (0–10).
Mandate Conversion — likelihood the principle converts a board conversation into a retained mandate (0–10).
Board-Survivable Cyber Architecture™
Boards do not buy cyber technology. They buy the absence of unrecoverable downside.
—
Evidence Chain Model™
If the evidence chain breaks before the regulator opens the file, the control was never a control.
—
Decision Rights Architecture™
Authority that cannot be exercised under pressure is decorative. Document it as theatre or redesign it as power.
—
Recoverability Mandate™
Recovery is not a phase. It is the discipline that proves whether the programme is real.
—
Contract Control Matrix™
Every clause your counterparty would not sign on incident day must be removed or rewritten today.
—
AI Accountability Stack™
Autonomy without accountability is liability dressed as innovation. Govern both with the same instrument.
—
Operational Defensibility
Time-to-defensible is the only metric your supervisor, board, and insurer will ever agree on.
—
Doctrine Durability
Control posture survives leadership turnover only when doctrine outlives the doctrine's author.
—
Asymmetric Disclosure Doctrine™
Counterparties forgive incidents. They do not forgive the second disclosure that contradicts the first.
—
Third-Party Liability Inversion™
Your supplier's weakest control becomes your strongest liability when the regulator names you together.
—
Cyber Insurance Renegotiation Principle™
The pre-incident premium is tuition. The renewal is the exam your control posture sits in writing.
—
Identity-as-Perimeter Doctrine™
There is no boundary left to harden. Identity is the control plane and every assertion is an audit contract.
—
Crypto-Agility Mandate™
Quantum-resilient cryptography is not research. It is next decade's audit finding written today.
—
Operational Resilience Threshold™
The hour you cannot operate degraded is the hour your continuity plan becomes evidence against you.
—
Model Risk Governance Doctrine™
Every AI decision touching a customer leaves a paper trail. Write it before the regulator does.
—
Sovereign Risk Geometry™
Data residency is not policy. It is the geometry of who can compel disclosure and from where.
—
Zero Trust Engineering Admission™
Zero Trust is not a product line. It is the admission that inherited trust was already wrong.
—
First Call Hierarchy™
The first call after breach is not legal. It is the executive who owns the consequence.
—
Vendor Concentration Trap™
A single-provider stack is efficiency until the regulator calls it concentration risk.
—
Insider Threat Realism™
The insider does not merely appear in the threat model. The insider often builds it. Govern accordingly.
—
SBOM Provenance Mandate™
Code you cannot enumerate is risk you cannot disclose. The SBOM is the receipt for every signature.
—
Run-Time Truth Doctrine™
Build-time guarantees expire when the workload starts. Runtime evidence is what regulators accept.
—
Defaults-Become-Decisions Doctrine™
Every configuration you did not change is a decision you signed without reading.
—
Critical Skill Concentration Risk™
When the one engineer who understands the control leaves, the control leaves with them.
—
Programme Discipline
A programme that cannot state its next decision in one sentence is not a programme. It is a process.
—
Operating Tempo Doctrine
Tempo is the only governance metric that compounds. Improve it and every other metric follows.
—
Single-Threaded Authority
Distributed authority is theatre. Real authority is single-threaded, accountable, and revocable.
—
Threat Intelligence Hierarchy
Intelligence that does not change a decision is content. Intelligence that does is doctrine.
—
Crown-Jewel Inversion Principle
Crown jewels are not where value sits. They are where consequence collapses if compromised.
—
Detection Engineering Mandate
Every detection that triggers without an owned response is a notification, not a control.
—
Forensic Readiness Discipline
If your incident investigation begins after the incident, you have already lost it.
—
Encryption Decree
Encryption without key custody is decorative. Custody without rotation is fossilised.
—
Public-Cloud Sovereignty Test
Sovereignty in cloud is measured in keys you hold and clauses you signed — nothing else.
—
Configuration Drift Doctrine
Configuration drift is the slowest, costliest breach. It has no perimeter and no headline.
—
Patch Cadence Realism
Patch cadence is published as policy and audited as legend. Reconcile or remove.
—
Vulnerability Triage Hierarchy
Severity ratings sort vulnerabilities. Exploitability decides which ones move you out of bed.
—
Logging Sufficiency Test
Logs that cannot reconstruct the timeline within minutes are storage costs, not security.
—
Identity Lifecycle Discipline
Joiners, movers, leavers: the boring loop that decides whether identity is governance or theatre.
—
Privileged Access Minimum
Standing privileged access is liability dressed as convenience. Default it to ephemeral.
—
Shadow IT Recognition
Shadow IT is not policy failure. It is a measurement of how easily the organisation can be told no.
—
Vendor Onboarding Mandate
A vendor onboarded without evidence becomes a vendor offboarded under provable loss.
—
Contractual Asymmetry Principle
Every clause not actively negotiated is a clause negotiated for someone else.
—
Procurement Cyber Gate
Procurement that skips cyber pre-qualification is procurement that bypasses governance.
—
Insurance Underwriting Realism
Cyber underwriters price what they can see. Make sure it survives forensic review.
—
Claim-Defensibility Doctrine
A control that cannot defend a claim is a control that will become an exclusion.
—
Quantification Sobriety
Quantification is useful only when it changes a decision. Otherwise, it is performance.
—
Risk Appetite Coherence
Risk appetite means nothing until exceeded. Put the tripwires in before the breach.
—
Risk-Register Realism
A risk register without owners, dates, and money is a literature review.
—
Audit Findings Discipline
An audit finding without a board-approved remediation date is a finding the board does not own.
—
Continuous Assurance Mandate
Annual attestation is a snapshot. Continuous assurance is a contract.
—
Three-Lines Operational Truth
Three lines of defence collapse to one when only the first knows what is happening.
—
Internal-Audit Independence Test
Audit independence is measured by what the auditor may write to the board.
—
Whistleblower Doctrine
If anomaly-to-accountability runs through command, it is not a route. It is a filter.
—
Crisis Communications Mandate
Crisis communications drafted during crisis confess that there was no plan.
—
Forensic Custody Chain
Chain of custody preserved badly is chain of custody not preserved at all.
—
Tabletop Exercise Realism
Tabletop exercises that do not end in a board decision are calendar entries.
—
Restoration-Tested Backups
Backups that have not been restored are not backups. They are encrypted hope.
—
Recovery-Time Honesty
Recovery-time objectives unverified by drills are aspirations the board should reject.
—
Operational-Resilience Inversion
Resilience is not what technology does. It is what the institution does when technology does not.
—
Severance & Liability Doctrine
Liability that cannot be transferred, insured, or absorbed must be reduced. There is no fourth option.
—
Data Sovereignty Discipline
Data sovereignty is decided at the contract, not at the data centre.
—
Cross-Border Transfer Mandate
Every cross-border transfer is a contract. Absence of one is a breach in waiting.
—
Privacy-by-Design Realism
Privacy retrofitted is privacy lost. Build it in or rebuild around it.
—
Subject-Rights Operating Model
Subject-rights requests test the operating model. If you fail at scale, fix the model.
—
Data Minimisation Mandate
Every field you do not collect is a breach you do not suffer. Discipline shows in what is absent.
—
Retention Mandate
Data kept past purpose becomes evidence in someone else's case. Retention is governance, not storage.
—
Cyber-Physical Engineering Mandate
OT cyber is engineering, not IT. Apply IT thinking and the plant teaches you the difference.
—
Safety-Cyber Convergence
Safety integrity and cyber integrity now share a budget, regulator, and failure mode.
—
ICS Patch Doctrine
ICS patching is a maintenance window, a safety case, and a vendor negotiation — in that order.
—
Critical-Infrastructure Inversion
Critical infrastructure is critical until incident. After incident it is public consequence.
—
National-Resilience Mandate
Operators of essential services answer to two regimes: the supervisor's and the public's.
—
Geopolitical Cyber Realism
Your threat model is your geography. Update it as the map changes.
—
Sanctions Compliance Mandate
Sanctions compliance is a cyber control. Treat it as one and your blast radius shrinks.
—
State-Aligned Threat Doctrine
State-aligned threats are now baseline threats. Architecting around them is architecting for everyone.
—
Quantum-Risk Time Horizon
Quantum risk is a 2026 problem because 2030 data is being copied today.
—
Post-Quantum Migration Mandate
Crypto migration is a multi-year programme. Start it the day you classify the data.
—
Cipher Inventory Discipline
If you cannot list every cipher in your estate, you cannot migrate any of them.
—
Hardware Trust Doctrine
Hardware roots of trust are policy, supply chain, and physics. Lose one and you lose the root.
—
Firmware Governance Mandate
Firmware is the controlled substance of cyber. Track it like one or expect the breach equivalent.
—
SBOM Mandate
If your supplier cannot produce an SBOM, you cannot produce a defence.
—
Open-Source Stewardship
Open source is a dependency, not a gift. Govern it as a supplier with no SLA.
—
AI Provenance Mandate
Every AI decision must be traceable to data, weights, and authority. Lose one and accountability collapses.
—
Model Drift Discipline
Models drift. Decisions drift with them. Govern drift or stop calling it governance.
—
Training-Data Custody
Training data is a regulated asset. Treat it as one or watch it become evidence.
—
Prompt-Injection Realism
Prompt injection is the new SQL injection. The lesson is unchanged: trust no input.
—
Agentic-Autonomy Test
Every autonomous action your system can take must have a named human accountable for its outcome.
—
AI-Assisted Decision Provenance
If you cannot explain why the AI agreed, you cannot defend why you did.
—
Bias-Audit Mandate
Bias audited annually is bias governed. Bias audited at incident is bias litigated.
—
Disinformation Operational Test
Operational disinformation is now cyber risk. Reputation is an attack surface.
—
Insider Threat Realism Update
Insider threat is no longer the disgruntled employee. It is the privileged identity used by anyone.
—
Talent Concentration Inversion
Talent that cannot be cross-trained becomes risk. Talent that cannot be retained becomes liability.
—
Hiring-Pipeline Discipline
A hiring pipeline is governance infrastructure. Underfund it and audit findings repeat.
—
Skills-Currency Mandate
Skills lapse faster than certifications. Audit currency, not credentials.
—
Doctrine-Author Continuity
Doctrine that depends on its author ends with its author. Codify or expect collapse.
—
Knowledge-Capture Discipline
Tribal knowledge is a fault line. Convert it to doctrine before the senior leaver takes production with them.
—
Board-Reporting Honesty
Board reports that omit what went wrong are confidence trades. Eventually one fails.
—
Materiality Calibration
Materiality is decided by the board before the incident — or by the regulator after.
—
Disclosure-Timing Discipline
Disclosure timing is a board-level decision. Push it down and it will land on the news cycle.
—
Doctrine Closing Principle
A doctrine that survives twenty years and three regulators is no longer doctrine. It is institutional architecture.
—
Turn cyber governance into board confidence, regulator defensibility, and contract-winning institutional architecture.
Pressure-test your board pack, supplier risk model, AI governance framework, and regulatory evidence chain — under signed mandate.