Boards receive reports about access, vendors, cybersecurity and delegated authority. The decisive question is rarely asked: can the institution end that authority now? A founder remains the domain owner. A managed-service provider controls the administrator accounts. A former executive is still recognised by a bank. A critical software vendor can suspend service during a dispute. The board may hold formal oversight while practical revocation belongs elsewhere. Governance without revocation is commentary.
Every grant creates an exit obligation
When the institution grants authority, access or dependency, it should define how that relationship ends.
- Who may order revocation?
- Which systems and counterparties must act?
- What evidence proves completion?
- How quickly must the authority disappear?
- What business function might fail as a result?
- What records and property must be returned or preserved?
- What happens if the holder refuses or is unavailable?
Value object — The Revocation Readiness Report
For the board’s material authority domains, report:
- Domain: identity, banking, data, infrastructure, communications, physical access or governance.
- Current authority holders, including providers and machine identities.
- Revocation owner and required approvals.
- Maximum credible revocation time.
- Operational consequence and prepared fallback.
- Last tested date and evidence.
- Exceptions where the institution lacks unilateral control.
The report should be short enough to expose concentration, not bury it in user-level detail.
Test unilateral control
The institution need not be able to operate without every provider. It should know whether it can contain that provider’s authority without the provider’s cooperation. Can it recover the domain, keys, records and administrator path? Can it notify counterparties through an independent route? Can it preserve service long enough to transition?
Separate removal from destruction
Fear of disruption causes organisations to retain excessive access. The answer is staged revocation. Suspend high-risk actions, preserve read access where legally necessary, move credentials, establish replacement administration and then remove remaining privileges. Do not leave a dangerous account active simply because nobody understands the dependency.
Include non-human authority
APIs, service accounts, certificates and automated agents may hold more effective authority than employees. Their revocation can also break critical workflows. Require ownership, scope, expiry and replacement plans for machine identities. A board risk report that covers only people misses the fastest-growing authority layer.
Revocation is a live capability
Policies and contractual rights are not evidence. Exercise a representative revocation: an administrator, provider integration or delegated approval role. Measure time, missing authority and collateral failure. Correct the gaps before a hostile departure or incident chooses the conditions.
The governance standard
A board governs when it can understand where consequential authority sits, change that distribution and verify the result. Approval begins the relationship. Revocation proves who controls it.
