The Board Cannot Govern What It Cannot Revoke

A board may approve strategy and risk while lacking the practical ability to remove administrators, vendors or delegated authority. Revocation is the control.

The answer

Boards receive reports about access, vendors, cybersecurity and delegated authority. The decisive question is rarely asked: can the institution end that authority now? A founder remains the domain owner.

Boards receive reports about access, vendors, cybersecurity and delegated authority. The decisive question is rarely asked: can the institution end that authority now? A founder remains the domain owner. A managed-service provider controls the administrator accounts. A former executive is still recognised by a bank. A critical software vendor can suspend service during a dispute. The board may hold formal oversight while practical revocation belongs elsewhere. Governance without revocation is commentary.

Every grant creates an exit obligation

When the institution grants authority, access or dependency, it should define how that relationship ends.

  • Who may order revocation?
  • Which systems and counterparties must act?
  • What evidence proves completion?
  • How quickly must the authority disappear?
  • What business function might fail as a result?
  • What records and property must be returned or preserved?
  • What happens if the holder refuses or is unavailable?

Value object — The Revocation Readiness Report

For the board’s material authority domains, report:

  • Domain: identity, banking, data, infrastructure, communications, physical access or governance.
  • Current authority holders, including providers and machine identities.
  • Revocation owner and required approvals.
  • Maximum credible revocation time.
  • Operational consequence and prepared fallback.
  • Last tested date and evidence.
  • Exceptions where the institution lacks unilateral control.

The report should be short enough to expose concentration, not bury it in user-level detail.

Test unilateral control

The institution need not be able to operate without every provider. It should know whether it can contain that provider’s authority without the provider’s cooperation. Can it recover the domain, keys, records and administrator path? Can it notify counterparties through an independent route? Can it preserve service long enough to transition?

Separate removal from destruction

Fear of disruption causes organisations to retain excessive access. The answer is staged revocation. Suspend high-risk actions, preserve read access where legally necessary, move credentials, establish replacement administration and then remove remaining privileges. Do not leave a dangerous account active simply because nobody understands the dependency.

Include non-human authority

APIs, service accounts, certificates and automated agents may hold more effective authority than employees. Their revocation can also break critical workflows. Require ownership, scope, expiry and replacement plans for machine identities. A board risk report that covers only people misses the fastest-growing authority layer.

Revocation is a live capability

Policies and contractual rights are not evidence. Exercise a representative revocation: an administrator, provider integration or delegated approval role. Measure time, missing authority and collateral failure. Correct the gaps before a hostile departure or incident chooses the conditions.

The governance standard

A board governs when it can understand where consequential authority sits, change that distribution and verify the result. Approval begins the relationship. Revocation proves who controls it.

Sources

  1. NIST: Cybersecurity Framework 2.0NIST: Cybersecurity Framework 2.0

    Primary authority

  2. FINMA: Revised circular on operational risks and resilienceFINMA: Revised circular on operational risks and resilience

    Primary authority

  3. NIST SP 800-207: Zero Trust ArchitectureNIST SP 800-207: Zero Trust Architecture

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Ross Belhomme

Ross leads Legal within Svperior GmbH. His work draws on more than two decades across international fiduciary, wealth-structuring, and private-client environments, combining legal, financial, and technical judgment around governance, privacy, assets, authority, and cross-border operating conditions.

Legal strategy / Governance / Private-client structuring / Digital assets

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry