The mandate is not a framework imposed from outside. It is the logical consequence of what the structural diagnosis exposed – and the Operator's duty of care demands it.
The governance void exists because three actors govern rationally within their own domains and none governs the boundary between them. Resolving it requires asking a prior question: whose obligation is it? The answer is structural, not political. Consequence concentrates at the Operator. A digital instruction that reaches a physical actuator produces its effect in the Operator's domain – on the Operator's equipment, in the Operator's process, within the Operator's duty of care. The Operator can delegate implementation. It cannot delegate consequence.
That non-delegable consequence-ownership runs from the Board through the governance mandate into the operational domain. The Board carries the duty of care. The mandate gives it institutional form. The OT domain – repositioned as a governed business domain within the enterprise, not an operational function subordinate to IT – provides it with an institutional home. And from that institutional home, three governance foundations must be installed in sequence to give the mandate structural weight.
Formalised authority comes first: named executive accountability, non-discretionary scope, the power to enforce across domains, tied to the duty of care. Without formalised authority, decision rights have no one to answer to. Without decision rights, architectural controls have no governance intent to encode. The dependency is strict – each foundation requires the previous.
Allocated decision rights come second: who decides what, at which boundaries, under what escalation paths. Consequence-based allocation, stable under operational pressure. These are the decisions that currently default to precedent, convenience, or whichever actor happens to be nearest – and whose governance logic is often the narrowest.
Encoded architectural control comes third: governance intent embedded in structure rather than carried in individual vigilance. Zoning by consequence, conduit governance, enforced without oversight. A policy requires someone to enforce it. A decision right requires someone to invoke it. An architectural control requires no one – it operates continuously, independently, and does not erode between board meetings. This is what distinguishes governance that holds from governance that is documented.
Every persistent vendor connection is a permanent expansion of the Operator's governance burden. The vendor ecosystem is an essential participant in the Operator's business model – but every vendor interaction exists under one of three mediation conditions, and the governance task is to move every interaction toward the first.
Under governed mediation, the Operator governs the boundary. The TGB mediates all vendor interaction, the vendor's platform operates south of the boundary under defined conditions, and the south-side governance interface handles contested-middle decisions through a two-key handshake. Crossing records are auditable, vendor containment is enforced, handshake outcomes are logged.
Under vendor-unilateral mediation, the vendor both executes crossings and operates the mechanism that controls them. The governing mechanism is not independent of the governed party – a structural conflict of interest. This is the collapsed-boundary architecture: the vendor self-reports compliance, the Operator cannot verify.
Under unmediated gaps, no boundary function exists. The vendor's platform connects directly to enterprise or OT systems without mediation, translation, or monitoring. No crossing route, no governance identity change, no audit trail. Consequence exposure is total.
Most enterprises operate across all three conditions simultaneously. The governance task is not to eliminate vendors – it is to move every interaction toward Condition 1, where the Operator governs what crosses.
Corporate IT's default reaction to any OT governance proposal falls into one of two patterns: "we already do this" (extending the myth that standard enterprise governance applies) or "this is not our problem" (abdicating the converged space entirely). The governance mandate answers both – and gives Corporate IT a clearer, more defensible role than the current condition provides.
The mandate is explicit: provide the enterprise digital services the converged estate requires – identity, monitoring, data platforms, network infrastructure – and apply enterprise digital governance with consequence-awareness. IT does not absorb OT. IT extends its governance logic with an awareness of what changes when the consequence domain is physical rather than commercial. TGB-AUTHORITY – the sovereign control plane through which the Operator's governance reaches every site in the estate – sits in the Corporate IT domain, operated by Corporate IT under the OT governance function's content authority. This is a fundamental and substantial role, clearly scoped.
The governed state is the destination, but most organisations cannot reach it in a single step. The transition path is sequenced around the dependency logic of the three foundations: formalised authority first, because without it decision rights have no accountability; decision rights next, because without them architectural controls have no governance intent to encode; encoded architectural control last, because it is the form governance takes when it is built to persist.
Progress on the transition path is measured by structural indicators – binary conditions tested by whether each foundation has been used under operational pressure, not whether it has been documented. A governance foundation that has never been exercised under pressure is not a foundation. The TGB readiness position – the point at which the governance foundations are sufficiently installed to sustain an architectural implementation – gates the transition to the governed boundary itself.
The governance framework above is developed in full across eleven chapters in The Governance Mandate – from the Operator's obligation through OT as a governed business domain, the governance operating model, the vendor regime, Corporate IT's restructured mandate, operational resilience and lifecycle, the transition path, the operating model in practice, to qualification as a System of Governance. Each chapter derives its argument from the structural diagnosis; nothing is assumed.
The White Paper summarises the framework for the reader who wants the scope before the book.