Email to schedule an appointment: contact@abatis.ch
Why Organisations With More Governance Than Ever Continue To Lose Control
Modern organisations have invested heavily in governance, risk management and cybersecurity. Boards receive regular cyber risk briefings, regulators impose increasingly demanding resilience requirements and enterprises devote significant resources to security technologies, compliance programmes and operational oversight. The result is an environment in which visibility, monitoring and accountability have become central components of corporate governance.
On the surface, this should represent a success story. Organisations have access to more information about their environments than at any point in history. Security teams possess extensive monitoring capabilities. Audit trails are more comprehensive, compliance frameworks more mature and governance structures more sophisticated than those available to previous generations. Yet despite these developments, some of the most significant operational disruptions of recent years have occurred within organisations that possessed substantial security investments, mature governance programmes and extensive oversight mechanisms.
This apparent contradiction lies at the heart of what may be described as the Control Paradox.
Seeing everything is not the same as controlling anything.
Whilst organisations have become increasingly effective at governing money, information, physical assets and operational processes, they often exercise comparatively less authority over the software execution and change mechanisms that underpin their digital environments. Organisations routinely apply rigorous governance to financial transactions, access to facilities and the handling of sensitive information. Significant expenditure may require multiple approvals, segregation of duties and extensive audit trails before it is authorised. Yet software capable of modifying operating systems, altering configurations, affecting critical services or disrupting millions of devices is frequently introduced through mechanisms that receive comparatively less direct governance.
As organisations have pursued efficiency, interoperability and scale, they have also become increasingly dependent upon external software suppliers, cloud platforms, security vendors and digital ecosystems operating at the core of their operations. This dependency has created a subtle but important distinction between governance and control.
Governance provides visibility into activity, establishes accountability for decisions and supports informed oversight. Control determines whether those decisions can be enforced before harmful change propagates through the environment. The two concepts are related, but they are not synonymous. An organisation may possess extensive governance structures whilst retaining only limited authority over the mechanisms through which software execution and operational change are introduced.
Governance provides oversight. Control determines what can actually happen.
Recent history provides several examples of this phenomenon:
The SolarWinds compromise demonstrated how a trusted software supplier could become an attack vector affecting thousands of organisations through a widely deployed software platform. The incident did not occur because affected organisations lacked governance frameworks or security tooling. Rather, it highlighted the extent to which modern enterprises depend upon software supply chains that operate beyond their direct control.
The Colonial Pipeline incident illustrated a different dimension of the same broader problem. In response to a ransomware attack, the company proactively shut down pipeline operations to contain the threat. The significance of the incident lay not only in the cyber intrusion itself, but in the speed with which a digital event affecting one organisation produced wider economic and societal consequences. It demonstrated how cyber disruption can propagate beyond the immediate victim when critical operations depend upon tightly integrated digital systems.
In July 2024, the CrowdStrike outage provided perhaps the clearest illustration of the Control Paradox. A faulty update issued by a trusted cybersecurity vendor affected an estimated 8.5 million Windows devices worldwide. Airlines, healthcare providers, banks, retailers, government departments and critical services experienced significant disruption. The incident was notable not because it involved an advanced threat actor, but because it showed how a trusted security product operating with privileged access could introduce systemic risk at extraordinary scale.
The event also highlighted a broader structural reality. Modern organisations increasingly depend upon a relatively small number of technology providers whose products and services sit close to the centre of business operations. Service disruptions involving major cloud or platform providers have shown how faults within widely adopted digital infrastructure can propagate rapidly across large portions of the economy, affecting organisations that are operationally dependent even when they are not directly responsible for the underlying failure.
8.5 Million Devices
The CrowdStrike outage showed how a trusted update can become a global operational event.
The same pattern can be observed beyond the technology sector itself. High profile cyber incidents affecting Marks & Spencer, Co-op, Harrods and Jaguar Land Rover demonstrated how quickly operational disruption can spread through modern enterprises. Supply chains, customer services, internal operations and external communications can all be affected when digital dependencies are tightly coupled and change propagates faster than organisations can contain it.
Although these incidents differed significantly in their technical causes, they reveal a consistent theme. The organisations affected were not lacking visibility, governance frameworks or cybersecurity products. In many cases they possessed sophisticated monitoring capabilities, dedicated security teams and mature operational processes. Yet despite these investments, they still lost practical authority over critical execution paths, operational change mechanisms or digital dependencies operating at the centre of their environments.
Artificial Intelligence further complicates this challenge. For decades, cybersecurity has relied heavily upon recognition, classification and behavioural analysis. Security technologies have sought to identify malicious activity by recognising patterns, signatures, anomalies or indicators associated with known threats.
Increasingly capable AI systems are changing this dynamic. Large language models and other generative technologies are accelerating the creation of novel attack techniques, convincing phishing campaigns, adaptive malware and machine-speed variations of existing threats. Activities that previously required significant expertise can now be performed more quickly, more cheaply and at greater scale.
This development raises an important strategic question. As the volume and speed of attack generation continue to increase, can detection and response systems continue to scale at the same rate as AI driven attack creation? Or does resilience increasingly depend upon maintaining authority over execution itself, irrespective of how a threat was created or delivered?
As AI accelerates attack creation, execution remains the constant.
This observation becomes particularly relevant when viewed alongside the evolution of Zero Trust.
John Kindervag, widely recognised as the creator of Zero Trust, has argued that trust is a human emotion and does not belong within digital systems. The purpose of Zero Trust is not to establish trust, but to continuously validate whether a connection should be permitted. This represented an important departure from traditional security models, which often assumed that systems operating within a trusted network boundary should be granted a degree of implicit confidence.
The success of Zero Trust raises an important question:
If organisations should continuously validate who is permitted to connect, should they not also determine what is permitted to execute?
For decades, cybersecurity has focused heavily on identity, access management and network connectivity. These remain essential disciplines. However, every meaningful change within a digital environment ultimately depends upon execution. Software updates, administrative tools, security products, scripts and applications all influence the operational state of a system through execution. It is execution that transforms intention into action and it is execution through which both legitimate change and operational disruption become possible. Consequently, the challenge facing modern organisations extends beyond validating users and connections. It includes maintaining authority over execution itself.
This distinction is becoming increasingly significant as governments, regulators and critical infrastructure operators place greater emphasis on resilience and cyber sovereignty. Discussions surrounding sovereignty frequently concentrate on data residency, cloud infrastructure and jurisdiction. Whilst these issues are important, they do not by themselves resolve the question of control.
An organisation may own its infrastructure, retain possession of its data and operate entirely within a sovereign jurisdiction. Yet it may still remain dependent on external platforms, external analytics or third party decision processes for material elements of security enforcement and software control. Ownership, visibility and validation are all important, but none of them automatically confer authority over execution. This is where the concept of Execution Authority becomes relevant.
The central question is no longer who may connect, but what is permitted to execute.
Execution Authority is the ability to determine which software, scripts, processes and execution paths are permitted to operate within a trusted environment. It applies governance directly to the execution layer and provides organisations with greater authority over change, resilience and operational risk. If Zero Trust challenged assumptions surrounding trusted networks, Execution Authority challenges assumptions surrounding trusted execution.
The distinction is subtle but significant. Modern organisations do not lack visibility. They do not lack governance frameworks. Nor do they lack cybersecurity products. What many organisations increasingly lack is direct authority over the mechanisms through which software execution and change occur.
The lesson from SolarWinds, Colonial Pipeline, CrowdStrike and many other major digital disruptions is not that organisations should isolate themselves from suppliers or wider digital ecosystems. Such an approach would be neither practical nor desirable. Rather, the lesson is that participation in those ecosystems should not require the surrender of authority over the critical mechanisms through which software execution, operational change and resilience are determined.
The organisations most likely to succeed in the coming decade will not necessarily be those that collect the greatest volume of data or deploy the largest number of security tools. They will be those that combine visibility with authority, resilience with governance and connectivity with control.
The question of what is permitted to execute is no longer simply a technical issue. It is increasingly a governance issue, a resilience issue and a sovereignty issue. Organisations seeking greater control over their digital futures must consider not only who may access their systems, but who ultimately retains authority over the mechanisms through which change is introduced into them. The central challenge is no longer simply determining who may connect to a system, but determining what is permitted to execute once they do.
That is the Control Paradox.
Access detailed technical papers covering DXI, Abatis, Aegis, Praesidium, and more.
Request a live technical demonstration.
This site uses cookies to provide you with the best experience on our website. Please, accept cookies for optimal performance. For full details, see our Privacy Policy