The problem is not that governance has failed. The problem is that no governance framework was ever built for the territory convergence created.
Information Technology and Operational Technology are not two branches of a common discipline. They are fundamentally different in purpose, in structure, and – critically – in their relationship to physical consequence. IT describes the world. OT acts on it. When an IT system fails, a description breaks – a transaction is lost, a report is delayed, a record becomes inconsistent. When an OT system fails, a valve stays open, a motor runs unchecked, a safety interlock does not engage.
IT builds distributed landscapes of specialised systems sharing data through integrations. OT builds layered architectures where each layer has a defined function, a defined failure mode, and a defined independence from the layers around it. IT governs through Confidentiality, Integrity, and Availability. OT governs through Health, Safety, and Environment – the HSE triad that defines the consequence domain in which operational technology operates. The two disciplines evolved separately because they had to – their governing constraints are not equivalent.
Convergence did not merge these disciplines. It forced them into shared infrastructure, shared data, and shared decision space without providing a governance framework for the interaction. The connectivity is real. The consequences are physical. The governance, overwhelmingly, is absent.
Data crosses the IT/OT boundary in both directions, and each direction carries its own governance obligation. Northbound – from the operational domain into the enterprise – data travels as measurement: sensor readings, process states, equipment conditions. The governance mandate here is fidelity of representation. The enterprise must receive data that accurately mirrors the physical reality it claims to describe. A temperature reading that arrives without its engineering units, without its quality flags, without its timestamp authority is not data – it is noise dressed as information.
Southbound – from the enterprise into the operational domain – data travels as instruction. A setpoint change, a recipe download, a firmware update. Here the governance mandate inverts. The obligation is not fidelity of representation but safety of action. A digital instruction that reaches a physical actuator has left the domain where failure breaks a description and entered the domain where failure produces a physical consequence. The governance of that crossing is non-delegable.
And between the two directions, a third mandate governs: the integrity of the interaction itself. The boundary must preserve meaning across domains, ensure that identity and authority translate correctly, and prevent conditions that are locally valid in each domain but globally unsafe when combined.
Three actors operate at the IT/OT boundary. The Operator carries consequence-ownership – the non-delegable accountability for the safety of the physical process. Corporate IT carries enterprise digital governance – the mandate to manage the organisation's digital infrastructure, services, and security. The Vendor ecosystem carries product-boundary governance – the technical authority over the platforms and connectivity their products require.
Each actor governs rationally within its own domain. The Operator assumes its operational understanding is sufficient. Corporate IT assumes standard enterprise governance applies. The Vendor assumes connectivity is a product capability – a feature to be delivered, not a governance burden to be negotiated. Each assumption is internally coherent. Each produces rational behaviour. None encompasses the boundary where all three meet.
The result is a structural void. Not a gap that can be closed by policy, not a resourcing problem that more budget will fix, not a cybersecurity deficiency that another tool will address. A void – the absence of a governing framework at the crossing between two separately governed domains. It does not close by itself, does not close through policy alone, and does not close through cybersecurity investment without architectural commitment.
If the void is structural, the resolution must be architectural. The TGB – The Governed Boundary – is that resolution. It descends from the enterprise DMZ and the industrial IDMZ, but it is not equivalent to either. The DMZ filtered traffic between two IT trust domains. The IDMZ segmented the industrial network from the enterprise network. The TGB does something neither predecessor attempted: it governs the interaction between domains of fundamentally different consequence.
It does this through three inseparable functions:
Traffic mediation alone is an IDMZ – network segmentation, firewall rules, access control lists. Necessary, but not sufficient. An implementation that performs only traffic mediation governs what may cross but not under what authority, and not what the crossing means. All three functions together are the TGB. The three functions are inseparable because the governance problem they address is inseparable: you cannot govern a boundary crossing by controlling the traffic without knowing the authority, and you cannot know the authority without preserving the meaning.
The TGB's three functions decompose into eighteen capabilities – from north and south firewalls through identity and PKI, data exchange brokering, safety validation, patch staging, and jump servers, to semantic translation services and monitoring. These are not a product feature list. They are the architectural specification of what a governed boundary must do to hold under operational pressure, vendor compromise, and the attention cycles that erode every policy-based governance regime.
The argument above is developed in full across seven chapters in The Structural Diagnosis – from the foundational distinction between the two disciplines of IT and OT, through the governance myths that mask the void, to the TGB as the architectural mechanism that resolves it. The book establishes every construct the series depends on: the three governance mandates, the two conversations, tandem sensing, consequence-bounded autonomy, and the governance void as a named structural condition.
The White Paper summarises the full argument for the reader who wants the scope before the book.