The Structural Diagnosis

Why IT/OT Convergence Is Ungoverned by Design

The problem is not that governance has failed. The problem is that no governance framework was ever built for the territory convergence created.

Two disciplines, not two branches

IT architecture – distributed by design, specialised systems sharing data across a landscape. OT architecture – layered by necessity, each layer a defined function and failure mode.
IT is distributed by design. OT is layered by necessity. The same failure in one domain breaks a description; in the other, it produces a physical consequence.

Information Technology and Operational Technology are not two branches of a common discipline. They are fundamentally different in purpose, in structure, and – critically – in their relationship to physical consequence. IT describes the world. OT acts on it. When an IT system fails, a description breaks – a transaction is lost, a report is delayed, a record becomes inconsistent. When an OT system fails, a valve stays open, a motor runs unchecked, a safety interlock does not engage.

IT builds distributed landscapes of specialised systems sharing data through integrations. OT builds layered architectures where each layer has a defined function, a defined failure mode, and a defined independence from the layers around it. IT governs through Confidentiality, Integrity, and Availability. OT governs through Health, Safety, and Environment – the HSE triad that defines the consequence domain in which operational technology operates. The two disciplines evolved separately because they had to – their governing constraints are not equivalent.

Convergence did not merge these disciplines. It forced them into shared infrastructure, shared data, and shared decision space without providing a governance framework for the interaction. The connectivity is real. The consequences are physical. The governance, overwhelmingly, is absent.

Where data crosses the boundary

Data value progression from bits and bytes through structured data, information, and knowledge to action – IT's return path leads to commercial consequence; OT's return path leads to physical consequence.
Same data, fundamentally different consequence domains. In IT, action operates on digital constructs. In OT, the bits themselves act.

Data crosses the IT/OT boundary in both directions, and each direction carries its own governance obligation. Northbound – from the operational domain into the enterprise – data travels as measurement: sensor readings, process states, equipment conditions. The governance mandate here is fidelity of representation. The enterprise must receive data that accurately mirrors the physical reality it claims to describe. A temperature reading that arrives without its engineering units, without its quality flags, without its timestamp authority is not data – it is noise dressed as information.

Southbound – from the enterprise into the operational domain – data travels as instruction. A setpoint change, a recipe download, a firmware update. Here the governance mandate inverts. The obligation is not fidelity of representation but safety of action. A digital instruction that reaches a physical actuator has left the domain where failure breaks a description and entered the domain where failure produces a physical consequence. The governance of that crossing is non-delegable.

And between the two directions, a third mandate governs: the integrity of the interaction itself. The boundary must preserve meaning across domains, ensure that identity and authority translate correctly, and prevent conditions that are locally valid in each domain but globally unsafe when combined.

Three actors, three myths, one void

Venn diagram of three governance logics – Operator, Corporate IT, and Vendor – meeting at a centre marked with a question mark.
Each assumption is internally coherent. Each produces rational behaviour. None encompasses the boundary where all three meet.

Three actors operate at the IT/OT boundary. The Operator carries consequence-ownership – the non-delegable accountability for the safety of the physical process. Corporate IT carries enterprise digital governance – the mandate to manage the organisation's digital infrastructure, services, and security. The Vendor ecosystem carries product-boundary governance – the technical authority over the platforms and connectivity their products require.

Each actor governs rationally within its own domain. The Operator assumes its operational understanding is sufficient. Corporate IT assumes standard enterprise governance applies. The Vendor assumes connectivity is a product capability – a feature to be delivered, not a governance burden to be negotiated. Each assumption is internally coherent. Each produces rational behaviour. None encompasses the boundary where all three meet.

The result is a structural void. Not a gap that can be closed by policy, not a resourcing problem that more budget will fix, not a cybersecurity deficiency that another tool will address. A void – the absence of a governing framework at the crossing between two separately governed domains. It does not close by itself, does not close through policy alone, and does not close through cybersecurity investment without architectural commitment.

The resolution: architecture that governs the boundary

If the void is structural, the resolution must be architectural. The TGB – The Governed Boundary – is that resolution. It descends from the enterprise DMZ and the industrial IDMZ, but it is not equivalent to either. The DMZ filtered traffic between two IT trust domains. The IDMZ segmented the industrial network from the enterprise network. The TGB does something neither predecessor attempted: it governs the interaction between domains of fundamentally different consequence.

It does this through three inseparable functions:

  • Traffic mediation determines whether interaction is possible at all. No system in one domain communicates directly with any system in the other.
  • Governance translation determines whether interaction is authorised, and under what conditions across its lifecycle. It manages the transition of identity, authority, and accountability.
  • Semantic translation determines what the interaction means and whether that meaning remains valid across domains.
The governance void resolved by the TGB with its three functions: traffic mediation, governance translation, and semantic translation.
The governance void – no actor owns the boundary – resolved by the TGB. Traffic mediation alone is an IDMZ. All three functions together are the TGB. The three functions are inseparable.

Traffic mediation alone is an IDMZ – network segmentation, firewall rules, access control lists. Necessary, but not sufficient. An implementation that performs only traffic mediation governs what may cross but not under what authority, and not what the crossing means. All three functions together are the TGB. The three functions are inseparable because the governance problem they address is inseparable: you cannot govern a boundary crossing by controlling the traffic without knowing the authority, and you cannot know the authority without preserving the meaning.

The TGB's three functions decompose into eighteen capabilities – from north and south firewalls through identity and PKI, data exchange brokering, safety validation, patch staging, and jump servers, to semantic translation services and monitoring. These are not a product feature list. They are the architectural specification of what a governed boundary must do to hold under operational pressure, vendor compromise, and the attention cycles that erode every policy-based governance regime.

Book 1 – The Structural Diagnosis

The argument above is developed in full across seven chapters in The Structural Diagnosis – from the foundational distinction between the two disciplines of IT and OT, through the governance myths that mask the void, to the TGB as the architectural mechanism that resolves it. The book establishes every construct the series depends on: the three governance mandates, the two conversations, tandem sensing, consequence-bounded autonomy, and the governance void as a named structural condition.

The White Paper summarises the full argument for the reader who wants the scope before the book.

White Paper – The Structural Diagnosis