Case Study

Structural Governance Assessment. Finding what a controls audit can't.

A worked example of the diagnostic run blind on a stacked-framework governance suite: what it caught, what it correctly let pass, and why structural reading sees failures a checklist never will.

This is the WorkLattice diagnostic, run on a stacked-framework governance suite.

A certification audit verifies that each control exists. It does not test whether the decision architecture those controls sit in actually closes.

Closing means authority assigned once, every obligation reaching an owner who enacts it, every record feeding a decision. Stack two mandatory frameworks onto one organisation (a defence supplier under both the ISM and the DSPF) and the seams between them are exactly where authority diffuses, enactment drops, and accreditation gets mistaken for authorisation. None of it shows up on a checklist, because for each gap the control is present somewhere.

So we built a sample to prove the point: five governing documents for a fictional PROTECTED-level defence supplier, every control traceable to a real ISM or DSPF clause, a suite that passes a control-by-control review. Into it we planted real structural failures, alongside clean clauses engineered to look like failures. The diagnostic was run blind and scored against a withheld answer key.

Results

It read structure, not surface.

Structural failure families detected (authority voids, authority overlays, broken delegation chains, dead-end records): 4 / 4
Decoys correctly passed (clauses that look broken but aren't): 6 / 6
Delegated-but-not-enacted failures surfaced (obligations one document delegates and another never enacts): every instance

The result that matters: the diagnostic distinguished real structural failures from clauses engineered to look like them. It didn't raise a single decoy. That is the line between reading the structure of a decision architecture and reading the surface of the text.

And it caught the failure class a checklist structurally cannot: a policy that mandates Critical incidents be reported to two external authorities "in accordance with" the incident-response plan, where the plan escalates internally and stops, and neither external report is ever made. The control is present. The chain is broken. Only reading the documents as one connected system surfaces it.
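To make the distinction between structure and surface concrete, here is an added illustration (not WorkLattice's diagnostic, and not code from the case study) of the kind of check the two passages above describe: documents are reduced to typed clauses, and closure is tested across the whole corpus rather than clause by clause. The corpus, document names and clause numbers are constructed for the example; it plants one instance of each failure family named above, including the delegated-but-never-enacted incident report, beside restated or properly enacted clauses that must not be raised.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Clause:
    """One governing statement, reduced to its structural role."""
    doc: str        # document the clause lives in
    ref: str        # clause identifier within that document
    kind: str       # assign | require | delegate | enact | record | decide
    subject: str    # authority, obligation or record the clause is about
    party: str = ""  # assign: holder; require: authority needed; delegate: document expected to enact
    text: str = ""  # verbatim wording, carried into every finding so it can be checked


# Constructed sample corpus for a hypothetical supplier (document and clause ids are invented).
CORPUS = [
    Clause("SecPolicy", "3.1", "assign", "CISO", "Head of Security",
           "The Head of Security holds the CISO role."),
    Clause("SecPlan", "1.4", "assign", "CISO", "Head of Security",
           "The CISO (Head of Security) approves this plan."),               # decoy: restatement, same holder
    Clause("SecPolicy", "4.2", "assign", "Accreditation Authority", "Board",
           "The Board is the accreditation authority for PROTECTED systems."),
    Clause("SecPlan", "2.1", "assign", "Accreditation Authority", "CISO",
           "The CISO accredits systems for PROTECTED operation."),          # overlay: second holder
    Clause("SecPolicy", "6.3", "require", "system authorisation", "Authorising Officer",
           "Systems are authorised by the Authorising Officer."),           # void: never assigned
    Clause("SecPolicy", "7.1", "delegate", "external report of Critical incident", "IRP",
           "Critical incidents are reported to [external authority A] and [B] in accordance with the IRP."),
    Clause("IRP", "5.2", "enact", "internal escalation", "",
           "The duty officer escalates Critical incidents to the CISO."),    # plan stops here
    Clause("SecPolicy", "7.4", "delegate", "quarterly access review", "AccessProc",
           "Access is reviewed quarterly in accordance with the Access Procedure."),
    Clause("AccessProc", "3.0", "enact", "quarterly access review", "",
           "System owners review all accounts each quarter."),               # decoy: properly enacted
    Clause("AccessProc", "3.3", "record", "access review register", "",
           "Review outcomes are entered in the access review register."),    # dead end: feeds nothing
    Clause("SecPlan", "8.1", "record", "risk register", "",
           "Identified risks are entered in the risk register."),
    Clause("SecPlan", "8.2", "decide", "risk register", "",
           "The CISO re-assesses control priorities using the risk register."),  # decoy: record consumed
]


def assess(corpus):
    """Return structural findings; each cites the verbatim clauses it rests on."""
    by_kind = defaultdict(list)
    for c in corpus:
        by_kind[c.kind].append(c)
    findings = []

    def finding(family, subject, confidence, *clauses):
        findings.append(dict(family=family, subject=subject, confidence=confidence,
                             clauses=[(c.doc, c.ref, c.text) for c in clauses]))

    # Authority overlays: one authority, more than one distinct holder across the suite.
    # Restating the same holder in two documents is not an overlay, so group by holder.
    holders = defaultdict(lambda: defaultdict(list))
    for c in by_kind["assign"]:
        holders[c.subject][c.party].append(c)
    for authority, by_holder in holders.items():
        if len(by_holder) > 1:
            finding("authority overlay", authority, "high",
                    *[c for cs in by_holder.values() for c in cs])

    # Authority voids: an obligation requires an authority no document ever assigns.
    for c in by_kind["require"]:
        if c.party not in holders:
            finding("authority void", c.party, "high", c)

    # Delegated-but-not-enacted: "in accordance with" points at a document that never enacts it.
    enacted = defaultdict(set)
    for c in by_kind["enact"]:
        enacted[c.subject].add(c.doc)
    for c in by_kind["delegate"]:
        docs = enacted.get(c.subject, set())
        if c.party in docs:
            continue  # the chain closes
        # Cite where the target document actually stops, so the gap is checkable.
        stops = [e for e in by_kind["enact"] if e.doc == c.party]
        finding("broken delegation chain", c.subject,
                "high" if not docs else "medium", c, *stops)

    # Dead-end records: a record is produced but no clause anywhere uses it to decide.
    consumed = {c.subject for c in by_kind["decide"]}
    for c in by_kind["record"]:
        if c.subject not in consumed:
            finding("dead-end record", c.subject, "high", c)
    return findings


if __name__ == "__main__":
    for f in assess(CORPUS):
        print(f"[{f['confidence']}] {f['family']}: {f['subject']}")
        for doc, ref, text in f["clauses"]:
            print(f"    {doc} {ref}: {text}")
```

Run on the constructed corpus, the check raises exactly four findings, one per family, and passes all three decoys. The confidence grade drops to "medium" when an obligation is enacted somewhere in the suite but not in the document the delegating clause names, since that may be a cross-reference error rather than a true gap; the cited clauses let a reader settle which in seconds.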

Every finding is graded for confidence and chained to the verbatim clause it rests on: checkable in seconds, and defensible in a room where someone is paid to doubt it.

Why it's a category

Two complete frameworks on one decision architecture.

Organisations under stacked mandatory frameworks (defence and AUKUS suppliers carrying ISM, DSPF and PSPF at once) face a structural problem no control-by-control audit addresses: two complete frameworks on one decision architecture multiplies the surface where they must reconcile, and the seams are where governance silently fails. A certification audit checks that controls exist within each framework. We test whether the architecture closes across all of them.

The corpus

Read them as an auditor would, then read what the diagnostic found.

A complete, internally consistent suite that would pass a control-by-control review. The structural failures are present in these documents, but none is visible from any single one read in isolation.

Each control traces to a real ISM or DSPF clause. The organisation is fictional; the regulatory framework is real. Structural findings describe the documented architecture; validation against practice is a subsequent step.

See the method applied to a representative document set from your environment.

A first conversation establishes whether a structural governance assessment fits. Thirty minutes, no commitment.